Merge remote-tracking branch 'origin/main' into sam-robson/overlay-fallback

* origin/main: (40 commits) Bump the npm-minor group across 1 directory with 3 updates Bump actions/create-github-app-token Nit: Tweak JSDoc for `getRawLanguagesNoAutodetect` Enable only `code-scanning` Use overlay-aware version for code scanning exclusively Add changelog entry Rebuild Bump five transitive dependencies Throw error if multiple analysis kinds are specified Bump fast-xml-builder from 1.1.5 to 1.2.0 Improve tests Improve error message Remove dead code Remove `makeOverlayMatchFeatures` indirection Add JSDoc for `getRawLanguagesNoAutodetect` Enable overlay-aware version selection in `setup-codeql` Minor: Introduce constant to avoid duplication Improve changelog note Rebuild Update changelog and version after v4.35.4 ... # Conflicts: # lib/init-action.js # src/diff-informed-analysis-utils.test.ts
2026-05-17 08:40:16 +00:00 · 2026-05-14 13:39:44 +01:00
parent 9d6b456c59 ea37b337cd
commit 9d7243005b
54 changed files with 7608 additions and 5374 deletions
@@ -59,7 +59,7 @@ jobs:
          use-all-platform-bundle: 'false'
          setup-kotlin: 'true'
      - name: Set up Ruby
-        uses: ruby/setup-ruby@0cb964fd540e0a24c900370abf38a33466142735 # v1.305.0
+        uses: ruby/setup-ruby@c4e5b1316158f92e3d49443a9d58b31d25ac0f8f # v1.306.0
        with:
          ruby-version: 2.6
      - name: Install Code Scanning integration
@@ -131,7 +131,7 @@ jobs:
          echo "::endgroup::"

      - name: Generate token
-        uses: actions/create-github-app-token@v3.1.1
+        uses: actions/create-github-app-token@v3.2.0
        id: app-token
        with:
          app-id: ${{ vars.AUTOMATION_APP_ID }}
@@ -136,7 +136,7 @@ jobs:

      - name: Generate token
        if: github.event_name == 'workflow_dispatch'
-        uses: actions/create-github-app-token@v3.1.1
+        uses: actions/create-github-app-token@v3.2.0
        id: app-token
        with:
          app-id: ${{ vars.AUTOMATION_APP_ID }}
@@ -93,7 +93,7 @@ jobs:
      pull-requests: write # needed to create pull request
    steps:
    - name: Generate token
-      uses: actions/create-github-app-token@v3.1.1
+      uses: actions/create-github-app-token@v3.2.0
      id: app-token
      with:
        app-id: ${{ vars.AUTOMATION_APP_ID }}
@@ -19,7 +19,7 @@
    "scope": "javascript, typescript",
    "prefix": "testMacro",
    "body": [
-      "const ${1:nameMacro} = test.macro({",
+      "const ${1:nameMacro} = makeMacro({",
      "  exec: async (t: ExecutionContext<unknown>) => {},",
      "",
      "  title: (providedTitle = \"\") => `${2:common title} - \\${providedTitle}`,",
@@ -5,6 +5,12 @@ See the [releases page](https://github.com/github/codeql-action/releases) for th
 ## [UNRELEASED]

 - For performance and accuracy reasons, [improved incremental analysis](https://github.com/github/roadmap/issues/1158) will now only be enabled on a pull request when diff-informed analysis is also enabled for that run. If diff-informed analysis is unavailable (for example, because the PR diff ranges could not be computed), the action will fall back to a full analysis. [#3791](https://github.com/github/codeql-action/pull/3791)
+- If multiple inputs are provided for the GitHub-internal `analysis-kinds` input, only `code-scanning` will be enabled. The `analysis-kinds` input is experimental, for GitHub-internal use only, and may change without notice at any time. [#3892](https://github.com/github/codeql-action/pull/3892)
+- Added an experimental change which, when running a Code Scanning analysis for a PR with [improved incremental analysis](https://github.com/github/roadmap/issues/1158) enabled, prefers CodeQL CLI versions that have a cached overlay-base database for the configured languages. This speeds up analysis for a repository when there is not yet a cached overlay-base database for the latest CLI version. We expect to roll this change out to everyone in May. [#3880](https://github.com/github/codeql-action/pull/3880)
+
+## 4.35.4 - 07 May 2026
+
+- Update default CodeQL bundle version to [2.25.4](https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.25.4). [#3881](https://github.com/github/codeql-action/pull/3881)

 ## 4.35.3 - 01 May 2026

@@ -26352,11 +26352,11 @@ var require_valid = __commonJS({
  "node_modules/semver/functions/valid.js"(exports2, module2) {
    "use strict";
    var parse2 = require_parse2();
-    var valid3 = (version, options) => {
+    var valid4 = (version, options) => {
      const v = parse2(version, options);
      return v ? v.version : null;
    };
-    module2.exports = valid3;
+    module2.exports = valid4;
  }
 });

@@ -26499,8 +26499,8 @@ var require_rcompare = __commonJS({
  "node_modules/semver/functions/rcompare.js"(exports2, module2) {
    "use strict";
    var compare2 = require_compare();
-    var rcompare = (a, b, loose) => compare2(b, a, loose);
-    module2.exports = rcompare;
+    var rcompare3 = (a, b, loose) => compare2(b, a, loose);
+    module2.exports = rcompare3;
  }
 });

@@ -27716,7 +27716,7 @@ var require_semver2 = __commonJS({
    var SemVer = require_semver();
    var identifiers = require_identifiers();
    var parse2 = require_parse2();
-    var valid3 = require_valid();
+    var valid4 = require_valid();
    var clean3 = require_clean();
    var inc = require_inc();
    var diff = require_diff();
@@ -27725,7 +27725,7 @@ var require_semver2 = __commonJS({
    var patch = require_patch();
    var prerelease = require_prerelease();
    var compare2 = require_compare();
-    var rcompare = require_rcompare();
+    var rcompare3 = require_rcompare();
    var compareLoose = require_compare_loose();
    var compareBuild = require_compare_build();
    var sort = require_sort();
@@ -27754,7 +27754,7 @@ var require_semver2 = __commonJS({
    var subset = require_subset();
    module2.exports = {
      parse: parse2,
-      valid: valid3,
+      valid: valid4,
      clean: clean3,
      inc,
      diff,
@@ -27763,7 +27763,7 @@ var require_semver2 = __commonJS({
      patch,
      prerelease,
      compare: compare2,
-      rcompare,
+      rcompare: rcompare3,
      compareLoose,
      compareBuild,
      sort,
@@ -29553,16 +29553,16 @@ var require_attribute = __commonJS({
      var result = new ValidatorResult(instance, schema2, options, ctx);
      var self2 = this;
      schema2.allOf.forEach(function(v, i) {
-        var valid3 = self2.validateSchema(instance, v, options, ctx);
-        if (!valid3.valid) {
+        var valid4 = self2.validateSchema(instance, v, options, ctx);
+        if (!valid4.valid) {
          var id = v.$id || v.id;
          var msg = id || v.title && JSON.stringify(v.title) || v["$ref"] && "<" + v["$ref"] + ">" || "[subschema " + i + "]";
          result.addError({
            name: "allOf",
-            argument: { id: msg, length: valid3.errors.length, valid: valid3 },
-            message: "does not match allOf schema " + msg + " with " + valid3.errors.length + " error[s]:"
+            argument: { id: msg, length: valid4.errors.length, valid: valid4 },
+            message: "does not match allOf schema " + msg + " with " + valid4.errors.length + " error[s]:"
          });
-          result.importErrors(valid3);
+          result.importErrors(valid4);
        }
      });
      return result;
@@ -29851,8 +29851,8 @@ var require_attribute = __commonJS({
      if (typeof schema2.exclusiveMinimum === "boolean") return;
      if (!this.types.number(instance)) return;
      var result = new ValidatorResult(instance, schema2, options, ctx);
-      var valid3 = instance > schema2.exclusiveMinimum;
-      if (!valid3) {
+      var valid4 = instance > schema2.exclusiveMinimum;
+      if (!valid4) {
        result.addError({
          name: "exclusiveMinimum",
          argument: schema2.exclusiveMinimum,
@@ -29865,8 +29865,8 @@ var require_attribute = __commonJS({
      if (typeof schema2.exclusiveMaximum === "boolean") return;
      if (!this.types.number(instance)) return;
      var result = new ValidatorResult(instance, schema2, options, ctx);
-      var valid3 = instance < schema2.exclusiveMaximum;
-      if (!valid3) {
+      var valid4 = instance < schema2.exclusiveMaximum;
+      if (!valid4) {
        result.addError({
          name: "exclusiveMaximum",
          argument: schema2.exclusiveMaximum,
@@ -32649,8 +32649,8 @@ var require_semver3 = __commonJS({
        return null;
      }
    }
-    exports2.valid = valid3;
-    function valid3(version, options) {
+    exports2.valid = valid4;
+    function valid4(version, options) {
      var v = parse2(version, options);
      return v ? v.version : null;
    }
@@ -32950,8 +32950,8 @@ var require_semver3 = __commonJS({
      var versionB = new SemVer(b, loose);
      return versionA.compare(versionB) || versionA.compareBuild(versionB);
    }
-    exports2.rcompare = rcompare;
-    function rcompare(a, b, loose) {
+    exports2.rcompare = rcompare3;
+    function rcompare3(a, b, loose) {
      return compare2(b, a, loose);
    }
    exports2.sort = sort;
@@ -33779,7 +33779,7 @@ var require_cacheUtils = __commonJS({
    var crypto2 = __importStar2(require("crypto"));
    var fs9 = __importStar2(require("fs"));
    var path9 = __importStar2(require("path"));
-    var semver9 = __importStar2(require_semver3());
+    var semver10 = __importStar2(require_semver3());
    var util = __importStar2(require("util"));
    var constants_1 = require_constants7();
    var versionSalt = "1.0";
@@ -33872,7 +33872,7 @@ var require_cacheUtils = __commonJS({
    function getCompressionMethod() {
      return __awaiter2(this, void 0, void 0, function* () {
        const versionOutput = yield getVersion("zstd", ["--quiet"]);
-        const version = semver9.clean(versionOutput);
+        const version = semver10.clean(versionOutput);
        core15.debug(`zstd version: ${version}`);
        if (versionOutput === "") {
          return constants_1.CompressionMethod.Gzip;
@@ -75278,7 +75278,7 @@ var require_cacheHttpClient = __commonJS({
    exports2.getCacheEntry = getCacheEntry;
    exports2.downloadCache = downloadCache;
    exports2.reserveCache = reserveCache;
-    exports2.saveCache = saveCache4;
+    exports2.saveCache = saveCache5;
    var core15 = __importStar2(require_core());
    var http_client_1 = require_lib();
    var auth_1 = require_auth();
@@ -75455,7 +75455,7 @@ Other caches with similar key:`);
        }));
      });
    }
-    function saveCache4(cacheId, archivePath, signedUploadURL, options) {
+    function saveCache5(cacheId, archivePath, signedUploadURL, options) {
      return __awaiter2(this, void 0, void 0, function* () {
        const uploadOptions = (0, options_1.getUploadOptions)(options);
        if (uploadOptions.useAzureSdk) {
@@ -80955,8 +80955,8 @@ var require_cache4 = __commonJS({
    Object.defineProperty(exports2, "__esModule", { value: true });
    exports2.FinalizeCacheError = exports2.ReserveCacheError = exports2.ValidationError = void 0;
    exports2.isFeatureAvailable = isFeatureAvailable;
-    exports2.restoreCache = restoreCache4;
-    exports2.saveCache = saveCache4;
+    exports2.restoreCache = restoreCache5;
+    exports2.saveCache = saveCache5;
    var core15 = __importStar2(require_core());
    var path9 = __importStar2(require("path"));
    var utils = __importStar2(require_cacheUtils());
@@ -81013,7 +81013,7 @@ var require_cache4 = __commonJS({
          return !!process.env["ACTIONS_CACHE_URL"];
      }
    }
-    function restoreCache4(paths_1, primaryKey_1, restoreKeys_1, options_1) {
+    function restoreCache5(paths_1, primaryKey_1, restoreKeys_1, options_1) {
      return __awaiter2(this, arguments, void 0, function* (paths, primaryKey, restoreKeys, options, enableCrossOsArchive = false) {
        const cacheServiceVersion = (0, config_1.getCacheServiceVersion)();
        core15.debug(`Cache service version: ${cacheServiceVersion}`);
@@ -81157,7 +81157,7 @@ var require_cache4 = __commonJS({
        return void 0;
      });
    }
-    function saveCache4(paths_1, key_1, options_1) {
+    function saveCache5(paths_1, key_1, options_1) {
      return __awaiter2(this, arguments, void 0, function* (paths, key, options, enableCrossOsArchive = false) {
        const cacheServiceVersion = (0, config_1.getCacheServiceVersion)();
        core15.debug(`Cache service version: ${cacheServiceVersion}`);
@@ -81394,7 +81394,7 @@ var require_manifest = __commonJS({
    exports2._findMatch = _findMatch;
    exports2._getOsVersion = _getOsVersion;
    exports2._readLinuxVersionFile = _readLinuxVersionFile;
-    var semver9 = __importStar2(require_semver2());
+    var semver10 = __importStar2(require_semver2());
    var core_1 = require_core();
    var os2 = require("os");
    var cp = require("child_process");
@@ -81408,7 +81408,7 @@ var require_manifest = __commonJS({
        for (const candidate of candidates) {
          const version = candidate.version;
          (0, core_1.debug)(`check ${version} satisfies ${versionSpec}`);
-          if (semver9.satisfies(version, versionSpec) && (!stable || candidate.stable === stable)) {
+          if (semver10.satisfies(version, versionSpec) && (!stable || candidate.stable === stable)) {
            file = candidate.files.find((item) => {
              (0, core_1.debug)(`${item.arch}===${archFilter} && ${item.platform}===${platFilter}`);
              let chk = item.arch === archFilter && item.platform === platFilter;
@@ -81417,7 +81417,7 @@ var require_manifest = __commonJS({
                if (osVersion === item.platform_version) {
                  chk = true;
                } else {
-                  chk = semver9.satisfies(osVersion, item.platform_version);
+                  chk = semver10.satisfies(osVersion, item.platform_version);
                }
              }
              return chk;
@@ -81677,7 +81677,7 @@ var require_tool_cache = __commonJS({
    var os2 = __importStar2(require("os"));
    var path9 = __importStar2(require("path"));
    var httpm = __importStar2(require_lib());
-    var semver9 = __importStar2(require_semver2());
+    var semver10 = __importStar2(require_semver2());
    var stream = __importStar2(require("stream"));
    var util = __importStar2(require("util"));
    var assert_1 = require("assert");
@@ -81950,7 +81950,7 @@ var require_tool_cache = __commonJS({
    }
    function cacheDir(sourceDir, tool, version, arch) {
      return __awaiter2(this, void 0, void 0, function* () {
-        version = semver9.clean(version) || version;
+        version = semver10.clean(version) || version;
        arch = arch || os2.arch();
        core15.debug(`Caching tool ${tool} ${version} ${arch}`);
        core15.debug(`source dir: ${sourceDir}`);
@@ -81968,7 +81968,7 @@ var require_tool_cache = __commonJS({
    }
    function cacheFile(sourceFile, targetFile, tool, version, arch) {
      return __awaiter2(this, void 0, void 0, function* () {
-        version = semver9.clean(version) || version;
+        version = semver10.clean(version) || version;
        arch = arch || os2.arch();
        core15.debug(`Caching tool ${tool} ${version} ${arch}`);
        core15.debug(`source file: ${sourceFile}`);
@@ -81998,7 +81998,7 @@ var require_tool_cache = __commonJS({
      }
      let toolPath = "";
      if (versionSpec) {
-        versionSpec = semver9.clean(versionSpec) || "";
+        versionSpec = semver10.clean(versionSpec) || "";
        const cachePath = path9.join(_getCacheDirectory(), toolName, versionSpec, arch);
        core15.debug(`checking cache: ${cachePath}`);
        if (fs9.existsSync(cachePath) && fs9.existsSync(`${cachePath}.complete`)) {
@@ -82078,7 +82078,7 @@ var require_tool_cache = __commonJS({
    }
    function _createToolPath(tool, version, arch) {
      return __awaiter2(this, void 0, void 0, function* () {
-        const folderPath = path9.join(_getCacheDirectory(), tool, semver9.clean(version) || version, arch || "");
+        const folderPath = path9.join(_getCacheDirectory(), tool, semver10.clean(version) || version, arch || "");
        core15.debug(`destination ${folderPath}`);
        const markerPath = `${folderPath}.complete`;
        yield io6.rmRF(folderPath);
@@ -82088,30 +82088,30 @@ var require_tool_cache = __commonJS({
      });
    }
    function _completeToolPath(tool, version, arch) {
-      const folderPath = path9.join(_getCacheDirectory(), tool, semver9.clean(version) || version, arch || "");
+      const folderPath = path9.join(_getCacheDirectory(), tool, semver10.clean(version) || version, arch || "");
      const markerPath = `${folderPath}.complete`;
      fs9.writeFileSync(markerPath, "");
      core15.debug("finished caching tool");
    }
    function isExplicitVersion(versionSpec) {
-      const c = semver9.clean(versionSpec) || "";
+      const c = semver10.clean(versionSpec) || "";
      core15.debug(`isExplicit: ${c}`);
-      const valid3 = semver9.valid(c) != null;
-      core15.debug(`explicit? ${valid3}`);
-      return valid3;
+      const valid4 = semver10.valid(c) != null;
+      core15.debug(`explicit? ${valid4}`);
+      return valid4;
    }
    function evaluateVersions(versions, versionSpec) {
      let version = "";
      core15.debug(`evaluating ${versions.length} versions`);
      versions = versions.sort((a, b) => {
-        if (semver9.gt(a, b)) {
+        if (semver10.gt(a, b)) {
          return 1;
        }
        return -1;
      });
      for (let i = versions.length - 1; i >= 0; i--) {
        const potential = versions[i];
-        const satisfied = semver9.satisfies(potential, versionSpec);
+        const satisfied = semver10.satisfies(potential, versionSpec);
        if (satisfied) {
          version = potential;
          break;
@@ -85670,13 +85670,15 @@ var require_brace_expansion2 = __commonJS({
      parts.push.apply(parts, p);
      return parts;
    }
-    function expandTop(str2) {
+    function expandTop(str2, options) {
      if (!str2)
        return [];
+      options = options || {};
+      var max = options.max == null ? Infinity : options.max;
      if (str2.substr(0, 2) === "{}") {
        str2 = "\\{\\}" + str2.substr(2);
      }
-      return expand2(escapeBraces(str2), true).map(unescapeBraces);
+      return expand2(escapeBraces(str2), max, true).map(unescapeBraces);
    }
    function embrace(str2) {
      return "{" + str2 + "}";
@@ -85690,14 +85692,14 @@ var require_brace_expansion2 = __commonJS({
    function gte6(i, y) {
      return i >= y;
    }
-    function expand2(str2, isTop) {
+    function expand2(str2, max, isTop) {
      var expansions = [];
      var m = balanced("{", "}", str2);
      if (!m) return [str2];
      var pre = m.pre;
-      var post = m.post.length ? expand2(m.post, false) : [""];
+      var post = m.post.length ? expand2(m.post, max, false) : [""];
      if (/\$$/.test(m.pre)) {
-        for (var k = 0; k < post.length; k++) {
+        for (var k = 0; k < post.length && k < max; k++) {
          var expansion = pre + "{" + m.body + "}" + post[k];
          expansions.push(expansion);
        }
@@ -85709,7 +85711,7 @@ var require_brace_expansion2 = __commonJS({
        if (!isSequence && !isOptions) {
          if (m.post.match(/,(?!,).*\}/)) {
            str2 = m.pre + "{" + m.body + escClose + m.post;
-            return expand2(str2);
+            return expand2(str2, max, true);
          }
          return [str2];
        }
@@ -85719,7 +85721,7 @@ var require_brace_expansion2 = __commonJS({
        } else {
          n = parseCommaParts(m.body);
          if (n.length === 1) {
-            n = expand2(n[0], false).map(embrace);
+            n = expand2(n[0], max, false).map(embrace);
            if (n.length === 1) {
              return post.map(function(p) {
                return m.pre + n[0] + p;
@@ -85732,7 +85734,7 @@ var require_brace_expansion2 = __commonJS({
          var x = numeric(n[0]);
          var y = numeric(n[1]);
          var width = Math.max(n[0].length, n[1].length);
-          var incr = n.length == 3 ? Math.abs(numeric(n[2])) : 1;
+          var incr = n.length == 3 ? Math.max(Math.abs(numeric(n[2])), 1) : 1;
          var test = lte;
          var reverse = y < x;
          if (reverse) {
@@ -85765,11 +85767,11 @@ var require_brace_expansion2 = __commonJS({
        } else {
          N = [];
          for (var j = 0; j < n.length; j++) {
-            N.push.apply(N, expand2(n[j], false));
+            N.push.apply(N, expand2(n[j], max, false));
          }
        }
        for (var j = 0; j < N.length; j++) {
-          for (var k = 0; k < post.length; k++) {
+          for (var k = 0; k < post.length && expansions.length < max; k++) {
            var expansion = pre + N[j] + post[k];
            if (!isTop || isSequence || expansion)
              expansions.push(expansion);
@@ -89825,7 +89827,7 @@ var require_stream_writable = __commonJS({
      pna.nextTick(cb, er);
    }
    function validChunk(stream, state, chunk, cb) {
-      var valid3 = true;
+      var valid4 = true;
      var er = false;
      if (chunk === null) {
        er = new TypeError("May not write null values to stream");
@@ -89835,9 +89837,9 @@ var require_stream_writable = __commonJS({
      if (er) {
        stream.emit("error", er);
        pna.nextTick(cb, er);
-        valid3 = false;
+        valid4 = false;
      }
-      return valid3;
+      return valid4;
    }
    Writable.prototype.write = function(chunk, encoding, cb) {
      var state = this._writableState;
@@ -126877,7 +126879,7 @@ function getDiffRangesJsonFilePath() {
  return path2.join(getTemporaryDirectory(), PR_DIFF_RANGE_JSON_FILENAME);
 }
 function getActionVersion() {
-  return "4.35.4";
+  return "4.35.5";
 }
 function getWorkflowEventName() {
  return getRequiredEnvParam("GITHUB_EVENT_NAME");
@@ -127358,65 +127360,8 @@ var fs4 = __toESM(require("fs"));
 var path5 = __toESM(require("path"));
 var core9 = __toESM(require_core());

-// src/analyses.ts
-var AnalysisKind = /* @__PURE__ */ ((AnalysisKind2) => {
-  AnalysisKind2["CodeScanning"] = "code-scanning";
-  AnalysisKind2["CodeQuality"] = "code-quality";
-  AnalysisKind2["RiskAssessment"] = "risk-assessment";
-  return AnalysisKind2;
-})(AnalysisKind || {});
-var supportedAnalysisKinds = new Set(Object.values(AnalysisKind));
-
-// src/caching-utils.ts
-var core6 = __toESM(require_core());
-
-// src/config/db-config.ts
-var jsonschema = __toESM(require_lib2());
-var semver2 = __toESM(require_semver2());
-
-// src/feature-flags/properties.ts
-var RepositoryPropertyName = /* @__PURE__ */ ((RepositoryPropertyName2) => {
-  RepositoryPropertyName2["DISABLE_OVERLAY"] = "github-codeql-disable-overlay";
-  RepositoryPropertyName2["EXTRA_QUERIES"] = "github-codeql-extra-queries";
-  RepositoryPropertyName2["FILE_COVERAGE_ON_PRS"] = "github-codeql-file-coverage-on-prs";
-  return RepositoryPropertyName2;
-})(RepositoryPropertyName || {});
-var KNOWN_REPOSITORY_PROPERTY_NAMES = new Set(
-  Object.values(RepositoryPropertyName)
-);
-
-// src/config/db-config.ts
-var PACK_IDENTIFIER_PATTERN = (function() {
-  const alphaNumeric = "[a-z0-9]";
-  const alphaNumericDash = "[a-z0-9-]";
-  const component = `${alphaNumeric}(${alphaNumericDash}*${alphaNumeric})?`;
-  return new RegExp(`^${component}/${component}$`);
-})();
-
-// src/logging.ts
-var core7 = __toESM(require_core());
-function getActionsLogger() {
-  return {
-    debug: core7.debug,
-    info: core7.info,
-    warning: core7.warning,
-    error: core7.error,
-    isDebug: core7.isDebug,
-    startGroup: core7.startGroup,
-    endGroup: core7.endGroup
-  };
-}
-function withGroup(groupName, f) {
-  core7.startGroup(groupName);
-  try {
-    return f();
-  } finally {
-    core7.endGroup();
-  }
-}
-
 // src/feature-flags.ts
-var semver5 = __toESM(require_semver2());
+var semver4 = __toESM(require_semver2());

 // src/overlay/index.ts
 var fs3 = __toESM(require("fs"));
@@ -127425,14 +127370,14 @@ var path4 = __toESM(require("path"));
 // src/git-utils.ts
 var fs2 = __toESM(require("fs"));
 var path3 = __toESM(require("path"));
-var core8 = __toESM(require_core());
+var core6 = __toESM(require_core());
 var toolrunner2 = __toESM(require_toolrunner());
 var io3 = __toESM(require_io());
-var semver3 = __toESM(require_semver2());
+var semver2 = __toESM(require_semver2());
 var runGitCommand = async function(workingDirectory, args, customErrorMessage, options) {
  let stdout = "";
  let stderr = "";
-  core8.debug(`Running git command: git ${args.join(" ")}`);
+  core6.debug(`Running git command: git ${args.join(" ")}`);
  try {
    await new toolrunner2.ToolRunner(await io3.which("git", true), args, {
      silent: true,
@@ -127453,7 +127398,7 @@ var runGitCommand = async function(workingDirectory, args, customErrorMessage, o
    if (stderr.includes("not a git repository")) {
      reason = "The checkout path provided to the action does not appear to be a git repository.";
    }
-    core8.info(`git call failed. ${customErrorMessage} Error: ${reason}`);
+    core6.info(`git call failed. ${customErrorMessage} Error: ${reason}`);
    throw error3;
  }
 };
@@ -127582,7 +127527,7 @@ async function getRef() {
  ) !== head;
  if (hasChangedRef) {
    const newRef = ref.replace(pull_ref_regex, "refs/pull/$1/head");
-    core8.debug(
+    core6.debug(
      `No longer on merge commit, rewriting ref from ${ref} to ${newRef}.`
    );
    return newRef;
@@ -127719,17 +127664,22 @@ async function getDiffRangeFilePaths(sourceRoot, logger) {
 }

 // src/tools-features.ts
-var semver4 = __toESM(require_semver2());
+var semver3 = __toESM(require_semver2());
 function isSupportedToolsFeature(versionInfo, feature) {
  return !!versionInfo.features && versionInfo.features[feature];
 }
 var SafeArtifactUploadVersion = "2.20.3";
 function isSafeArtifactUpload(codeQlVersion) {
-  return !codeQlVersion ? true : semver4.gte(codeQlVersion, SafeArtifactUploadVersion);
+  return !codeQlVersion ? true : semver3.gte(codeQlVersion, SafeArtifactUploadVersion);
 }

 // src/feature-flags.ts
 var featureConfig = {
+  ["allow_multiple_analysis_kinds" /* AllowMultipleAnalysisKinds */]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_ALLOW_MULTIPLE_ANALYSIS_KINDS",
+    minimumVersion: void 0
+  },
  ["allow_toolcache_input" /* AllowToolcacheInput */]: {
    defaultValue: false,
    envVar: "CODEQL_ACTION_ALLOW_TOOLCACHE_INPUT",
@@ -127883,6 +127833,16 @@ var featureConfig = {
    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_DISABLE_TRAP_CACHING",
    minimumVersion: void 0
  },
+  ["overlay_analysis_match_codeql_version" /* OverlayAnalysisMatchCodeqlVersion */]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_MATCH_CODEQL_VERSION",
+    minimumVersion: void 0
+  },
+  ["overlay_analysis_match_codeql_version_dry_run" /* OverlayAnalysisMatchCodeqlVersionDryRun */]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_MATCH_CODEQL_VERSION_DRY_RUN",
+    minimumVersion: void 0
+  },
  ["overlay_analysis_resource_checks_v2" /* OverlayAnalysisResourceChecksV2 */]: {
    defaultValue: false,
    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_RESOURCE_CHECKS_V2",
@@ -127938,6 +127898,63 @@ var featureConfig = {
  }
 };

+// src/analyses.ts
+var AnalysisKind = /* @__PURE__ */ ((AnalysisKind2) => {
+  AnalysisKind2["CodeScanning"] = "code-scanning";
+  AnalysisKind2["CodeQuality"] = "code-quality";
+  AnalysisKind2["RiskAssessment"] = "risk-assessment";
+  return AnalysisKind2;
+})(AnalysisKind || {});
+var supportedAnalysisKinds = new Set(Object.values(AnalysisKind));
+
+// src/caching-utils.ts
+var core7 = __toESM(require_core());
+
+// src/config/db-config.ts
+var jsonschema = __toESM(require_lib2());
+var semver5 = __toESM(require_semver2());
+
+// src/feature-flags/properties.ts
+var RepositoryPropertyName = /* @__PURE__ */ ((RepositoryPropertyName2) => {
+  RepositoryPropertyName2["DISABLE_OVERLAY"] = "github-codeql-disable-overlay";
+  RepositoryPropertyName2["EXTRA_QUERIES"] = "github-codeql-extra-queries";
+  RepositoryPropertyName2["FILE_COVERAGE_ON_PRS"] = "github-codeql-file-coverage-on-prs";
+  return RepositoryPropertyName2;
+})(RepositoryPropertyName || {});
+var KNOWN_REPOSITORY_PROPERTY_NAMES = new Set(
+  Object.values(RepositoryPropertyName)
+);
+
+// src/config/db-config.ts
+var PACK_IDENTIFIER_PATTERN = (function() {
+  const alphaNumeric = "[a-z0-9]";
+  const alphaNumericDash = "[a-z0-9-]";
+  const component = `${alphaNumeric}(${alphaNumericDash}*${alphaNumeric})?`;
+  return new RegExp(`^${component}/${component}$`);
+})();
+
+// src/logging.ts
+var core8 = __toESM(require_core());
+function getActionsLogger() {
+  return {
+    debug: core8.debug,
+    info: core8.info,
+    warning: core8.warning,
+    error: core8.error,
+    isDebug: core8.isDebug,
+    startGroup: core8.startGroup,
+    endGroup: core8.endGroup
+  };
+}
+function withGroup(groupName, f) {
+  core8.startGroup(groupName);
+  try {
+    return f();
+  } finally {
+    core8.endGroup();
+  }
+}
+
 // src/languages/builtin.json
 var builtin_default = {
  languages: [
@@ -128044,20 +128061,26 @@ function appendExtraQueryExclusions(extraQueryExclusions, cliConfig) {
 // src/setup-codeql.ts
 var toolcache3 = __toESM(require_tool_cache());
 var import_fast_deep_equal = __toESM(require_fast_deep_equal());
-var semver8 = __toESM(require_semver2());
+var semver9 = __toESM(require_semver2());
+
+// src/overlay/caching.ts
+var actionsCache3 = __toESM(require_cache4());
+var semver6 = __toESM(require_semver2());
+var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB = 7500;
+var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_BYTES = OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB * 1e6;

 // src/tar.ts
 var import_toolrunner = __toESM(require_toolrunner());
 var io4 = __toESM(require_io());
 var toolcache = __toESM(require_tool_cache());
-var semver6 = __toESM(require_semver2());
+var semver7 = __toESM(require_semver2());

 // src/tools-download.ts
 var core10 = __toESM(require_core());
 var import_http_client = __toESM(require_lib());
 var toolcache2 = __toESM(require_tool_cache());
 var import_follow_redirects = __toESM(require_follow_redirects());
-var semver7 = __toESM(require_semver2());
+var semver8 = __toESM(require_semver2());
 var STREAMING_HIGH_WATERMARK_BYTES = 4 * 1024 * 1024;

 // src/tracer-config.ts
@@ -128654,7 +128677,7 @@ var core12 = __toESM(require_core());

 // src/dependency-caching.ts
 var import_path = require("path");
-var actionsCache3 = __toESM(require_cache4());
+var actionsCache4 = __toESM(require_cache4());
 var glob = __toESM(require_glob());
 function getJavaTempDependencyDir() {
  return (0, import_path.join)(getTemporaryDirectory(), "codeql_java", "repository");
@@ -128728,6 +128751,9 @@ async function scanArchiveFile(archivePath, relativeArchivePath, extractDir, log
      `Maximum archive extraction depth (${MAX_DEPTH}) reached for ${archivePath}`
    );
  }
+  if (process.platform === "win32") {
+    throw new Error("Scanning archives is not supported on Windows.");
+  }
  const result = {
    scannedFiles: 0,
    findings: []
@@ -26352,11 +26352,11 @@ var require_valid = __commonJS({
  "node_modules/semver/functions/valid.js"(exports2, module2) {
    "use strict";
    var parse2 = require_parse2();
-    var valid3 = (version, options) => {
+    var valid4 = (version, options) => {
      const v = parse2(version, options);
      return v ? v.version : null;
    };
-    module2.exports = valid3;
+    module2.exports = valid4;
  }
 });

@@ -26499,8 +26499,8 @@ var require_rcompare = __commonJS({
  "node_modules/semver/functions/rcompare.js"(exports2, module2) {
    "use strict";
    var compare2 = require_compare();
-    var rcompare = (a, b, loose) => compare2(b, a, loose);
-    module2.exports = rcompare;
+    var rcompare3 = (a, b, loose) => compare2(b, a, loose);
+    module2.exports = rcompare3;
  }
 });

@@ -27716,7 +27716,7 @@ var require_semver2 = __commonJS({
    var SemVer = require_semver();
    var identifiers = require_identifiers();
    var parse2 = require_parse2();
-    var valid3 = require_valid();
+    var valid4 = require_valid();
    var clean3 = require_clean();
    var inc = require_inc();
    var diff = require_diff();
@@ -27725,7 +27725,7 @@ var require_semver2 = __commonJS({
    var patch = require_patch();
    var prerelease = require_prerelease();
    var compare2 = require_compare();
-    var rcompare = require_rcompare();
+    var rcompare3 = require_rcompare();
    var compareLoose = require_compare_loose();
    var compareBuild = require_compare_build();
    var sort = require_sort();
@@ -27754,7 +27754,7 @@ var require_semver2 = __commonJS({
    var subset = require_subset();
    module2.exports = {
      parse: parse2,
-      valid: valid3,
+      valid: valid4,
      clean: clean3,
      inc,
      diff,
@@ -27763,7 +27763,7 @@ var require_semver2 = __commonJS({
      patch,
      prerelease,
      compare: compare2,
-      rcompare,
+      rcompare: rcompare3,
      compareLoose,
      compareBuild,
      sort,
@@ -29553,16 +29553,16 @@ var require_attribute = __commonJS({
      var result = new ValidatorResult(instance, schema2, options, ctx);
      var self2 = this;
      schema2.allOf.forEach(function(v, i) {
-        var valid3 = self2.validateSchema(instance, v, options, ctx);
-        if (!valid3.valid) {
+        var valid4 = self2.validateSchema(instance, v, options, ctx);
+        if (!valid4.valid) {
          var id = v.$id || v.id;
          var msg = id || v.title && JSON.stringify(v.title) || v["$ref"] && "<" + v["$ref"] + ">" || "[subschema " + i + "]";
          result.addError({
            name: "allOf",
-            argument: { id: msg, length: valid3.errors.length, valid: valid3 },
-            message: "does not match allOf schema " + msg + " with " + valid3.errors.length + " error[s]:"
+            argument: { id: msg, length: valid4.errors.length, valid: valid4 },
+            message: "does not match allOf schema " + msg + " with " + valid4.errors.length + " error[s]:"
          });
-          result.importErrors(valid3);
+          result.importErrors(valid4);
        }
      });
      return result;
@@ -29851,8 +29851,8 @@ var require_attribute = __commonJS({
      if (typeof schema2.exclusiveMinimum === "boolean") return;
      if (!this.types.number(instance)) return;
      var result = new ValidatorResult(instance, schema2, options, ctx);
-      var valid3 = instance > schema2.exclusiveMinimum;
-      if (!valid3) {
+      var valid4 = instance > schema2.exclusiveMinimum;
+      if (!valid4) {
        result.addError({
          name: "exclusiveMinimum",
          argument: schema2.exclusiveMinimum,
@@ -29865,8 +29865,8 @@ var require_attribute = __commonJS({
      if (typeof schema2.exclusiveMaximum === "boolean") return;
      if (!this.types.number(instance)) return;
      var result = new ValidatorResult(instance, schema2, options, ctx);
-      var valid3 = instance < schema2.exclusiveMaximum;
-      if (!valid3) {
+      var valid4 = instance < schema2.exclusiveMaximum;
+      if (!valid4) {
        result.addError({
          name: "exclusiveMaximum",
          argument: schema2.exclusiveMaximum,
@@ -32649,8 +32649,8 @@ var require_semver3 = __commonJS({
        return null;
      }
    }
-    exports2.valid = valid3;
-    function valid3(version, options) {
+    exports2.valid = valid4;
+    function valid4(version, options) {
      var v = parse2(version, options);
      return v ? v.version : null;
    }
@@ -32950,8 +32950,8 @@ var require_semver3 = __commonJS({
      var versionB = new SemVer(b, loose);
      return versionA.compare(versionB) || versionA.compareBuild(versionB);
    }
-    exports2.rcompare = rcompare;
-    function rcompare(a, b, loose) {
+    exports2.rcompare = rcompare3;
+    function rcompare3(a, b, loose) {
      return compare2(b, a, loose);
    }
    exports2.sort = sort;
@@ -33779,7 +33779,7 @@ var require_cacheUtils = __commonJS({
    var crypto2 = __importStar2(require("crypto"));
    var fs8 = __importStar2(require("fs"));
    var path9 = __importStar2(require("path"));
-    var semver9 = __importStar2(require_semver3());
+    var semver10 = __importStar2(require_semver3());
    var util = __importStar2(require("util"));
    var constants_1 = require_constants7();
    var versionSalt = "1.0";
@@ -33872,7 +33872,7 @@ var require_cacheUtils = __commonJS({
    function getCompressionMethod() {
      return __awaiter2(this, void 0, void 0, function* () {
        const versionOutput = yield getVersion("zstd", ["--quiet"]);
-        const version = semver9.clean(versionOutput);
+        const version = semver10.clean(versionOutput);
        core15.debug(`zstd version: ${version}`);
        if (versionOutput === "") {
          return constants_1.CompressionMethod.Gzip;
@@ -75278,7 +75278,7 @@ var require_cacheHttpClient = __commonJS({
    exports2.getCacheEntry = getCacheEntry;
    exports2.downloadCache = downloadCache;
    exports2.reserveCache = reserveCache;
-    exports2.saveCache = saveCache3;
+    exports2.saveCache = saveCache4;
    var core15 = __importStar2(require_core());
    var http_client_1 = require_lib();
    var auth_1 = require_auth();
@@ -75455,7 +75455,7 @@ Other caches with similar key:`);
        }));
      });
    }
-    function saveCache3(cacheId, archivePath, signedUploadURL, options) {
+    function saveCache4(cacheId, archivePath, signedUploadURL, options) {
      return __awaiter2(this, void 0, void 0, function* () {
        const uploadOptions = (0, options_1.getUploadOptions)(options);
        if (uploadOptions.useAzureSdk) {
@@ -80955,8 +80955,8 @@ var require_cache4 = __commonJS({
    Object.defineProperty(exports2, "__esModule", { value: true });
    exports2.FinalizeCacheError = exports2.ReserveCacheError = exports2.ValidationError = void 0;
    exports2.isFeatureAvailable = isFeatureAvailable;
-    exports2.restoreCache = restoreCache3;
-    exports2.saveCache = saveCache3;
+    exports2.restoreCache = restoreCache4;
+    exports2.saveCache = saveCache4;
    var core15 = __importStar2(require_core());
    var path9 = __importStar2(require("path"));
    var utils = __importStar2(require_cacheUtils());
@@ -81013,7 +81013,7 @@ var require_cache4 = __commonJS({
          return !!process.env["ACTIONS_CACHE_URL"];
      }
    }
-    function restoreCache3(paths_1, primaryKey_1, restoreKeys_1, options_1) {
+    function restoreCache4(paths_1, primaryKey_1, restoreKeys_1, options_1) {
      return __awaiter2(this, arguments, void 0, function* (paths, primaryKey, restoreKeys, options, enableCrossOsArchive = false) {
        const cacheServiceVersion = (0, config_1.getCacheServiceVersion)();
        core15.debug(`Cache service version: ${cacheServiceVersion}`);
@@ -81157,7 +81157,7 @@ var require_cache4 = __commonJS({
        return void 0;
      });
    }
-    function saveCache3(paths_1, key_1, options_1) {
+    function saveCache4(paths_1, key_1, options_1) {
      return __awaiter2(this, arguments, void 0, function* (paths, key, options, enableCrossOsArchive = false) {
        const cacheServiceVersion = (0, config_1.getCacheServiceVersion)();
        core15.debug(`Cache service version: ${cacheServiceVersion}`);
@@ -81394,7 +81394,7 @@ var require_manifest = __commonJS({
    exports2._findMatch = _findMatch;
    exports2._getOsVersion = _getOsVersion;
    exports2._readLinuxVersionFile = _readLinuxVersionFile;
-    var semver9 = __importStar2(require_semver2());
+    var semver10 = __importStar2(require_semver2());
    var core_1 = require_core();
    var os2 = require("os");
    var cp = require("child_process");
@@ -81408,7 +81408,7 @@ var require_manifest = __commonJS({
        for (const candidate of candidates) {
          const version = candidate.version;
          (0, core_1.debug)(`check ${version} satisfies ${versionSpec}`);
-          if (semver9.satisfies(version, versionSpec) && (!stable || candidate.stable === stable)) {
+          if (semver10.satisfies(version, versionSpec) && (!stable || candidate.stable === stable)) {
            file = candidate.files.find((item) => {
              (0, core_1.debug)(`${item.arch}===${archFilter} && ${item.platform}===${platFilter}`);
              let chk = item.arch === archFilter && item.platform === platFilter;
@@ -81417,7 +81417,7 @@ var require_manifest = __commonJS({
                if (osVersion === item.platform_version) {
                  chk = true;
                } else {
-                  chk = semver9.satisfies(osVersion, item.platform_version);
+                  chk = semver10.satisfies(osVersion, item.platform_version);
                }
              }
              return chk;
@@ -81677,7 +81677,7 @@ var require_tool_cache = __commonJS({
    var os2 = __importStar2(require("os"));
    var path9 = __importStar2(require("path"));
    var httpm = __importStar2(require_lib());
-    var semver9 = __importStar2(require_semver2());
+    var semver10 = __importStar2(require_semver2());
    var stream = __importStar2(require("stream"));
    var util = __importStar2(require("util"));
    var assert_1 = require("assert");
@@ -81950,7 +81950,7 @@ var require_tool_cache = __commonJS({
    }
    function cacheDir(sourceDir, tool, version, arch) {
      return __awaiter2(this, void 0, void 0, function* () {
-        version = semver9.clean(version) || version;
+        version = semver10.clean(version) || version;
        arch = arch || os2.arch();
        core15.debug(`Caching tool ${tool} ${version} ${arch}`);
        core15.debug(`source dir: ${sourceDir}`);
@@ -81968,7 +81968,7 @@ var require_tool_cache = __commonJS({
    }
    function cacheFile(sourceFile, targetFile, tool, version, arch) {
      return __awaiter2(this, void 0, void 0, function* () {
-        version = semver9.clean(version) || version;
+        version = semver10.clean(version) || version;
        arch = arch || os2.arch();
        core15.debug(`Caching tool ${tool} ${version} ${arch}`);
        core15.debug(`source file: ${sourceFile}`);
@@ -81998,7 +81998,7 @@ var require_tool_cache = __commonJS({
      }
      let toolPath = "";
      if (versionSpec) {
-        versionSpec = semver9.clean(versionSpec) || "";
+        versionSpec = semver10.clean(versionSpec) || "";
        const cachePath = path9.join(_getCacheDirectory(), toolName, versionSpec, arch);
        core15.debug(`checking cache: ${cachePath}`);
        if (fs8.existsSync(cachePath) && fs8.existsSync(`${cachePath}.complete`)) {
@@ -82078,7 +82078,7 @@ var require_tool_cache = __commonJS({
    }
    function _createToolPath(tool, version, arch) {
      return __awaiter2(this, void 0, void 0, function* () {
-        const folderPath = path9.join(_getCacheDirectory(), tool, semver9.clean(version) || version, arch || "");
+        const folderPath = path9.join(_getCacheDirectory(), tool, semver10.clean(version) || version, arch || "");
        core15.debug(`destination ${folderPath}`);
        const markerPath = `${folderPath}.complete`;
        yield io5.rmRF(folderPath);
@@ -82088,30 +82088,30 @@ var require_tool_cache = __commonJS({
      });
    }
    function _completeToolPath(tool, version, arch) {
-      const folderPath = path9.join(_getCacheDirectory(), tool, semver9.clean(version) || version, arch || "");
+      const folderPath = path9.join(_getCacheDirectory(), tool, semver10.clean(version) || version, arch || "");
      const markerPath = `${folderPath}.complete`;
      fs8.writeFileSync(markerPath, "");
      core15.debug("finished caching tool");
    }
    function isExplicitVersion(versionSpec) {
-      const c = semver9.clean(versionSpec) || "";
+      const c = semver10.clean(versionSpec) || "";
      core15.debug(`isExplicit: ${c}`);
-      const valid3 = semver9.valid(c) != null;
-      core15.debug(`explicit? ${valid3}`);
-      return valid3;
+      const valid4 = semver10.valid(c) != null;
+      core15.debug(`explicit? ${valid4}`);
+      return valid4;
    }
    function evaluateVersions(versions, versionSpec) {
      let version = "";
      core15.debug(`evaluating ${versions.length} versions`);
      versions = versions.sort((a, b) => {
-        if (semver9.gt(a, b)) {
+        if (semver10.gt(a, b)) {
          return 1;
        }
        return -1;
      });
      for (let i = versions.length - 1; i >= 0; i--) {
        const potential = versions[i];
-        const satisfied = semver9.satisfies(potential, versionSpec);
+        const satisfied = semver10.satisfies(potential, versionSpec);
        if (satisfied) {
          version = potential;
          break;
@@ -85608,7 +85608,7 @@ function getDiffRangesJsonFilePath() {
  return path2.join(getTemporaryDirectory(), PR_DIFF_RANGE_JSON_FILENAME);
 }
 function getActionVersion() {
-  return "4.35.4";
+  return "4.35.5";
 }
 function getWorkflowEventName() {
  return getRequiredEnvParam("GITHUB_EVENT_NAME");
@@ -86171,63 +86171,14 @@ var fs5 = __toESM(require("fs"));
 var path6 = __toESM(require("path"));
 var core9 = __toESM(require_core());

-// src/analyses.ts
-var AnalysisKind = /* @__PURE__ */ ((AnalysisKind2) => {
-  AnalysisKind2["CodeScanning"] = "code-scanning";
-  AnalysisKind2["CodeQuality"] = "code-quality";
-  AnalysisKind2["RiskAssessment"] = "risk-assessment";
-  return AnalysisKind2;
-})(AnalysisKind || {});
-var supportedAnalysisKinds = new Set(Object.values(AnalysisKind));
-
-// src/caching-utils.ts
-var core6 = __toESM(require_core());
-
-// src/config/db-config.ts
-var jsonschema = __toESM(require_lib2());
-var semver2 = __toESM(require_semver2());
-
-// src/feature-flags/properties.ts
-var RepositoryPropertyName = /* @__PURE__ */ ((RepositoryPropertyName2) => {
-  RepositoryPropertyName2["DISABLE_OVERLAY"] = "github-codeql-disable-overlay";
-  RepositoryPropertyName2["EXTRA_QUERIES"] = "github-codeql-extra-queries";
-  RepositoryPropertyName2["FILE_COVERAGE_ON_PRS"] = "github-codeql-file-coverage-on-prs";
-  return RepositoryPropertyName2;
-})(RepositoryPropertyName || {});
-var KNOWN_REPOSITORY_PROPERTY_NAMES = new Set(
-  Object.values(RepositoryPropertyName)
-);
-
-// src/config/db-config.ts
-var PACK_IDENTIFIER_PATTERN = (function() {
-  const alphaNumeric = "[a-z0-9]";
-  const alphaNumericDash = "[a-z0-9-]";
-  const component = `${alphaNumeric}(${alphaNumericDash}*${alphaNumeric})?`;
-  return new RegExp(`^${component}/${component}$`);
-})();
-
-// src/logging.ts
-var core7 = __toESM(require_core());
-function getActionsLogger() {
-  return {
-    debug: core7.debug,
-    info: core7.info,
-    warning: core7.warning,
-    error: core7.error,
-    isDebug: core7.isDebug,
-    startGroup: core7.startGroup,
-    endGroup: core7.endGroup
-  };
-}
-
 // src/feature-flags.ts
 var fs4 = __toESM(require("fs"));
 var path5 = __toESM(require("path"));
-var semver5 = __toESM(require_semver2());
+var semver4 = __toESM(require_semver2());

 // src/defaults.json
-var bundleVersion = "codeql-bundle-v2.25.3";
-var cliVersion = "2.25.3";
+var bundleVersion = "codeql-bundle-v2.25.4";
+var cliVersion = "2.25.4";

 // src/overlay/index.ts
 var fs3 = __toESM(require("fs"));
@@ -86236,14 +86187,14 @@ var path4 = __toESM(require("path"));
 // src/git-utils.ts
 var fs2 = __toESM(require("fs"));
 var path3 = __toESM(require("path"));
-var core8 = __toESM(require_core());
+var core6 = __toESM(require_core());
 var toolrunner2 = __toESM(require_toolrunner());
 var io3 = __toESM(require_io());
-var semver3 = __toESM(require_semver2());
+var semver2 = __toESM(require_semver2());
 var runGitCommand = async function(workingDirectory, args, customErrorMessage, options) {
  let stdout = "";
  let stderr = "";
-  core8.debug(`Running git command: git ${args.join(" ")}`);
+  core6.debug(`Running git command: git ${args.join(" ")}`);
  try {
    await new toolrunner2.ToolRunner(await io3.which("git", true), args, {
      silent: true,
@@ -86264,7 +86215,7 @@ var runGitCommand = async function(workingDirectory, args, customErrorMessage, o
    if (stderr.includes("not a git repository")) {
      reason = "The checkout path provided to the action does not appear to be a git repository.";
    }
-    core8.info(`git call failed. ${customErrorMessage} Error: ${reason}`);
+    core6.info(`git call failed. ${customErrorMessage} Error: ${reason}`);
    throw error3;
  }
 };
@@ -86393,7 +86344,7 @@ async function getRef() {
  ) !== head;
  if (hasChangedRef) {
    const newRef = ref.replace(pull_ref_regex, "refs/pull/$1/head");
-    core8.debug(
+    core6.debug(
      `No longer on merge commit, rewriting ref from ${ref} to ${newRef}.`
    );
    return newRef;
@@ -86530,7 +86481,7 @@ async function getDiffRangeFilePaths(sourceRoot, logger) {
 }

 // src/tools-features.ts
-var semver4 = __toESM(require_semver2());
+var semver3 = __toESM(require_semver2());
 function isSupportedToolsFeature(versionInfo, feature) {
  return !!versionInfo.features && versionInfo.features[feature];
 }
@@ -86538,7 +86489,16 @@ function isSupportedToolsFeature(versionInfo, feature) {
 // src/feature-flags.ts
 var DEFAULT_VERSION_FEATURE_FLAG_PREFIX = "default_codeql_version_";
 var DEFAULT_VERSION_FEATURE_FLAG_SUFFIX = "_enabled";
+var LINKED_CODEQL_VERSION = {
+  cliVersion,
+  tagName: bundleVersion
+};
 var featureConfig = {
+  ["allow_multiple_analysis_kinds" /* AllowMultipleAnalysisKinds */]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_ALLOW_MULTIPLE_ANALYSIS_KINDS",
+    minimumVersion: void 0
+  },
  ["allow_toolcache_input" /* AllowToolcacheInput */]: {
    defaultValue: false,
    envVar: "CODEQL_ACTION_ALLOW_TOOLCACHE_INPUT",
@@ -86692,6 +86652,16 @@ var featureConfig = {
    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_DISABLE_TRAP_CACHING",
    minimumVersion: void 0
  },
+  ["overlay_analysis_match_codeql_version" /* OverlayAnalysisMatchCodeqlVersion */]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_MATCH_CODEQL_VERSION",
+    minimumVersion: void 0
+  },
+  ["overlay_analysis_match_codeql_version_dry_run" /* OverlayAnalysisMatchCodeqlVersionDryRun */]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_MATCH_CODEQL_VERSION_DRY_RUN",
+    minimumVersion: void 0
+  },
  ["overlay_analysis_resource_checks_v2" /* OverlayAnalysisResourceChecksV2 */]: {
    defaultValue: false,
    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_RESOURCE_CHECKS_V2",
@@ -86752,10 +86722,9 @@ var OfflineFeatures = class {
    this.logger = logger;
  }
  logger;
-  async getDefaultCliVersion(_variant) {
+  async getEnabledDefaultCliVersions(_variant) {
    return {
-      cliVersion,
-      tagName: bundleVersion
+      enabledVersions: [LINKED_CODEQL_VERSION]
    };
  }
  /**
@@ -86860,11 +86829,11 @@ var Features = class extends OfflineFeatures {
      logger
    );
  }
-  async getDefaultCliVersion(variant) {
+  async getEnabledDefaultCliVersions(variant) {
    if (supportsFeatureFlags(variant)) {
-      return await this.gitHubFeatureFlags.getDefaultCliVersionFromFlags();
+      return await this.gitHubFeatureFlags.getEnabledDefaultCliVersionsFromFlags();
    }
-    return super.getDefaultCliVersion(variant);
+    return super.getEnabledDefaultCliVersions(variant);
  }
  /**
   *
@@ -86915,7 +86884,7 @@ var GitHubFeatureFlags = class {
      DEFAULT_VERSION_FEATURE_FLAG_PREFIX.length,
      f.length - DEFAULT_VERSION_FEATURE_FLAG_SUFFIX.length
    ).replace(/_/g, ".");
-    if (!semver5.valid(version)) {
+    if (!semver4.valid(version)) {
      this.logger.warning(
        `Ignoring feature flag ${f} as it does not specify a valid CodeQL version.`
      );
@@ -86923,34 +86892,36 @@ var GitHubFeatureFlags = class {
    }
    return version;
  }
-  async getDefaultCliVersionFromFlags() {
+  /**
+   * Returns CLI versions enabled by `default_codeql_version_*_enabled` feature
+   * flags, sorted from highest to lowest. Falls back to the version pinned in
+   * `defaults.json` if no such flags are enabled.
+   */
+  async getEnabledDefaultCliVersionsFromFlags() {
    const response = await this.getAllFeatures();
-    const enabledFeatureFlagCliVersions = Object.entries(response).map(
+    const sortedCliVersions = Object.entries(response).map(
      ([f, isEnabled]) => isEnabled ? this.getCliVersionFromFeatureFlag(f) : void 0
-    ).filter((f) => f !== void 0);
-    if (enabledFeatureFlagCliVersions.length === 0) {
+    ).filter((f) => f !== void 0).sort(semver4.rcompare);
+    if (sortedCliVersions.length === 0) {
      this.logger.warning(
        `Feature flags do not specify a default CLI version. Falling back to the CLI version shipped with the Action. This is ${cliVersion}.`
      );
      const result = {
-        cliVersion,
-        tagName: bundleVersion
+        enabledVersions: [LINKED_CODEQL_VERSION]
      };
      if (this.hasAccessedRemoteFeatureFlags) {
        result.toolsFeatureFlagsValid = false;
      }
      return result;
    }
-    const maxCliVersion = enabledFeatureFlagCliVersions.reduce(
-      (maxVersion, currentVersion) => currentVersion > maxVersion ? currentVersion : maxVersion,
-      enabledFeatureFlagCliVersions[0]
-    );
    this.logger.debug(
-      `Derived default CLI version of ${maxCliVersion} from feature flags.`
+      `Derived default CLI version of ${sortedCliVersions[0]} from feature flags.`
    );
    return {
-      cliVersion: maxCliVersion,
-      tagName: `codeql-bundle-v${maxCliVersion}`,
+      enabledVersions: sortedCliVersions.map((cliVersion2) => ({
+        cliVersion: cliVersion2,
+        tagName: `codeql-bundle-v${cliVersion2}`
+      })),
      toolsFeatureFlagsValid: true
    };
  }
@@ -87074,6 +87045,55 @@ function initFeatures(gitHubVersion, repositoryNwo, tempDir, logger) {
  }
 }

+// src/analyses.ts
+var AnalysisKind = /* @__PURE__ */ ((AnalysisKind2) => {
+  AnalysisKind2["CodeScanning"] = "code-scanning";
+  AnalysisKind2["CodeQuality"] = "code-quality";
+  AnalysisKind2["RiskAssessment"] = "risk-assessment";
+  return AnalysisKind2;
+})(AnalysisKind || {});
+var supportedAnalysisKinds = new Set(Object.values(AnalysisKind));
+
+// src/caching-utils.ts
+var core7 = __toESM(require_core());
+
+// src/config/db-config.ts
+var jsonschema = __toESM(require_lib2());
+var semver5 = __toESM(require_semver2());
+
+// src/feature-flags/properties.ts
+var RepositoryPropertyName = /* @__PURE__ */ ((RepositoryPropertyName2) => {
+  RepositoryPropertyName2["DISABLE_OVERLAY"] = "github-codeql-disable-overlay";
+  RepositoryPropertyName2["EXTRA_QUERIES"] = "github-codeql-extra-queries";
+  RepositoryPropertyName2["FILE_COVERAGE_ON_PRS"] = "github-codeql-file-coverage-on-prs";
+  return RepositoryPropertyName2;
+})(RepositoryPropertyName || {});
+var KNOWN_REPOSITORY_PROPERTY_NAMES = new Set(
+  Object.values(RepositoryPropertyName)
+);
+
+// src/config/db-config.ts
+var PACK_IDENTIFIER_PATTERN = (function() {
+  const alphaNumeric = "[a-z0-9]";
+  const alphaNumericDash = "[a-z0-9-]";
+  const component = `${alphaNumeric}(${alphaNumericDash}*${alphaNumeric})?`;
+  return new RegExp(`^${component}/${component}$`);
+})();
+
+// src/logging.ts
+var core8 = __toESM(require_core());
+function getActionsLogger() {
+  return {
+    debug: core8.debug,
+    info: core8.info,
+    warning: core8.warning,
+    error: core8.error,
+    isDebug: core8.isDebug,
+    startGroup: core8.startGroup,
+    endGroup: core8.endGroup
+  };
+}
+
 // src/languages/builtin.json
 var builtin_default = {
  languages: [
@@ -87180,20 +87200,26 @@ function appendExtraQueryExclusions(extraQueryExclusions, cliConfig) {
 // src/setup-codeql.ts
 var toolcache3 = __toESM(require_tool_cache());
 var import_fast_deep_equal = __toESM(require_fast_deep_equal());
-var semver8 = __toESM(require_semver2());
+var semver9 = __toESM(require_semver2());
+
+// src/overlay/caching.ts
+var actionsCache3 = __toESM(require_cache4());
+var semver6 = __toESM(require_semver2());
+var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB = 7500;
+var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_BYTES = OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB * 1e6;

 // src/tar.ts
 var import_toolrunner = __toESM(require_toolrunner());
 var io4 = __toESM(require_io());
 var toolcache = __toESM(require_tool_cache());
-var semver6 = __toESM(require_semver2());
+var semver7 = __toESM(require_semver2());

 // src/tools-download.ts
 var core10 = __toESM(require_core());
 var import_http_client = __toESM(require_lib());
 var toolcache2 = __toESM(require_tool_cache());
 var import_follow_redirects = __toESM(require_follow_redirects());
-var semver7 = __toESM(require_semver2());
+var semver8 = __toESM(require_semver2());
 var STREAMING_HIGH_WATERMARK_BYTES = 4 * 1024 * 1024;

 // src/tracer-config.ts
@@ -1,6 +1,6 @@
 {
-  "bundleVersion": "codeql-bundle-v2.25.3",
-  "cliVersion": "2.25.3",
-  "priorBundleVersion": "codeql-bundle-v2.25.2",
-  "priorCliVersion": "2.25.2"
+  "bundleVersion": "codeql-bundle-v2.25.4",
+  "cliVersion": "2.25.4",
+  "priorBundleVersion": "codeql-bundle-v2.25.3",
+  "priorCliVersion": "2.25.3"
 }
@@ -26352,11 +26352,11 @@ var require_valid = __commonJS({
  "node_modules/semver/functions/valid.js"(exports2, module2) {
    "use strict";
    var parse2 = require_parse2();
-    var valid3 = (version, options) => {
+    var valid4 = (version, options) => {
      const v = parse2(version, options);
      return v ? v.version : null;
    };
-    module2.exports = valid3;
+    module2.exports = valid4;
  }
 });

@@ -26499,8 +26499,8 @@ var require_rcompare = __commonJS({
  "node_modules/semver/functions/rcompare.js"(exports2, module2) {
    "use strict";
    var compare2 = require_compare();
-    var rcompare = (a, b, loose) => compare2(b, a, loose);
-    module2.exports = rcompare;
+    var rcompare3 = (a, b, loose) => compare2(b, a, loose);
+    module2.exports = rcompare3;
  }
 });

@@ -27716,7 +27716,7 @@ var require_semver2 = __commonJS({
    var SemVer = require_semver();
    var identifiers = require_identifiers();
    var parse2 = require_parse2();
-    var valid3 = require_valid();
+    var valid4 = require_valid();
    var clean3 = require_clean();
    var inc = require_inc();
    var diff = require_diff();
@@ -27725,7 +27725,7 @@ var require_semver2 = __commonJS({
    var patch = require_patch();
    var prerelease = require_prerelease();
    var compare2 = require_compare();
-    var rcompare = require_rcompare();
+    var rcompare3 = require_rcompare();
    var compareLoose = require_compare_loose();
    var compareBuild = require_compare_build();
    var sort = require_sort();
@@ -27754,7 +27754,7 @@ var require_semver2 = __commonJS({
    var subset = require_subset();
    module2.exports = {
      parse: parse2,
-      valid: valid3,
+      valid: valid4,
      clean: clean3,
      inc,
      diff,
@@ -27763,7 +27763,7 @@ var require_semver2 = __commonJS({
      patch,
      prerelease,
      compare: compare2,
-      rcompare,
+      rcompare: rcompare3,
      compareLoose,
      compareBuild,
      sort,
@@ -29553,16 +29553,16 @@ var require_attribute = __commonJS({
      var result = new ValidatorResult(instance, schema2, options, ctx);
      var self2 = this;
      schema2.allOf.forEach(function(v, i) {
-        var valid3 = self2.validateSchema(instance, v, options, ctx);
-        if (!valid3.valid) {
+        var valid4 = self2.validateSchema(instance, v, options, ctx);
+        if (!valid4.valid) {
          var id = v.$id || v.id;
          var msg = id || v.title && JSON.stringify(v.title) || v["$ref"] && "<" + v["$ref"] + ">" || "[subschema " + i + "]";
          result.addError({
            name: "allOf",
-            argument: { id: msg, length: valid3.errors.length, valid: valid3 },
-            message: "does not match allOf schema " + msg + " with " + valid3.errors.length + " error[s]:"
+            argument: { id: msg, length: valid4.errors.length, valid: valid4 },
+            message: "does not match allOf schema " + msg + " with " + valid4.errors.length + " error[s]:"
          });
-          result.importErrors(valid3);
+          result.importErrors(valid4);
        }
      });
      return result;
@@ -29851,8 +29851,8 @@ var require_attribute = __commonJS({
      if (typeof schema2.exclusiveMinimum === "boolean") return;
      if (!this.types.number(instance)) return;
      var result = new ValidatorResult(instance, schema2, options, ctx);
-      var valid3 = instance > schema2.exclusiveMinimum;
-      if (!valid3) {
+      var valid4 = instance > schema2.exclusiveMinimum;
+      if (!valid4) {
        result.addError({
          name: "exclusiveMinimum",
          argument: schema2.exclusiveMinimum,
@@ -29865,8 +29865,8 @@ var require_attribute = __commonJS({
      if (typeof schema2.exclusiveMaximum === "boolean") return;
      if (!this.types.number(instance)) return;
      var result = new ValidatorResult(instance, schema2, options, ctx);
-      var valid3 = instance < schema2.exclusiveMaximum;
-      if (!valid3) {
+      var valid4 = instance < schema2.exclusiveMaximum;
+      if (!valid4) {
        result.addError({
          name: "exclusiveMaximum",
          argument: schema2.exclusiveMaximum,
@@ -32649,8 +32649,8 @@ var require_semver3 = __commonJS({
        return null;
      }
    }
-    exports2.valid = valid3;
-    function valid3(version, options) {
+    exports2.valid = valid4;
+    function valid4(version, options) {
      var v = parse2(version, options);
      return v ? v.version : null;
    }
@@ -32950,8 +32950,8 @@ var require_semver3 = __commonJS({
      var versionB = new SemVer(b, loose);
      return versionA.compare(versionB) || versionA.compareBuild(versionB);
    }
-    exports2.rcompare = rcompare;
-    function rcompare(a, b, loose) {
+    exports2.rcompare = rcompare3;
+    function rcompare3(a, b, loose) {
      return compare2(b, a, loose);
    }
    exports2.sort = sort;
@@ -33779,7 +33779,7 @@ var require_cacheUtils = __commonJS({
    var crypto2 = __importStar2(require("crypto"));
    var fs6 = __importStar2(require("fs"));
    var path7 = __importStar2(require("path"));
-    var semver9 = __importStar2(require_semver3());
+    var semver10 = __importStar2(require_semver3());
    var util = __importStar2(require("util"));
    var constants_1 = require_constants7();
    var versionSalt = "1.0";
@@ -33872,7 +33872,7 @@ var require_cacheUtils = __commonJS({
    function getCompressionMethod() {
      return __awaiter2(this, void 0, void 0, function* () {
        const versionOutput = yield getVersion("zstd", ["--quiet"]);
-        const version = semver9.clean(versionOutput);
+        const version = semver10.clean(versionOutput);
        core14.debug(`zstd version: ${version}`);
        if (versionOutput === "") {
          return constants_1.CompressionMethod.Gzip;
@@ -75278,7 +75278,7 @@ var require_cacheHttpClient = __commonJS({
    exports2.getCacheEntry = getCacheEntry;
    exports2.downloadCache = downloadCache;
    exports2.reserveCache = reserveCache;
-    exports2.saveCache = saveCache3;
+    exports2.saveCache = saveCache4;
    var core14 = __importStar2(require_core());
    var http_client_1 = require_lib();
    var auth_1 = require_auth();
@@ -75455,7 +75455,7 @@ Other caches with similar key:`);
        }));
      });
    }
-    function saveCache3(cacheId, archivePath, signedUploadURL, options) {
+    function saveCache4(cacheId, archivePath, signedUploadURL, options) {
      return __awaiter2(this, void 0, void 0, function* () {
        const uploadOptions = (0, options_1.getUploadOptions)(options);
        if (uploadOptions.useAzureSdk) {
@@ -80955,8 +80955,8 @@ var require_cache4 = __commonJS({
    Object.defineProperty(exports2, "__esModule", { value: true });
    exports2.FinalizeCacheError = exports2.ReserveCacheError = exports2.ValidationError = void 0;
    exports2.isFeatureAvailable = isFeatureAvailable;
-    exports2.restoreCache = restoreCache3;
-    exports2.saveCache = saveCache3;
+    exports2.restoreCache = restoreCache4;
+    exports2.saveCache = saveCache4;
    var core14 = __importStar2(require_core());
    var path7 = __importStar2(require("path"));
    var utils = __importStar2(require_cacheUtils());
@@ -81013,7 +81013,7 @@ var require_cache4 = __commonJS({
          return !!process.env["ACTIONS_CACHE_URL"];
      }
    }
-    function restoreCache3(paths_1, primaryKey_1, restoreKeys_1, options_1) {
+    function restoreCache4(paths_1, primaryKey_1, restoreKeys_1, options_1) {
      return __awaiter2(this, arguments, void 0, function* (paths, primaryKey, restoreKeys, options, enableCrossOsArchive = false) {
        const cacheServiceVersion = (0, config_1.getCacheServiceVersion)();
        core14.debug(`Cache service version: ${cacheServiceVersion}`);
@@ -81157,7 +81157,7 @@ var require_cache4 = __commonJS({
        return void 0;
      });
    }
-    function saveCache3(paths_1, key_1, options_1) {
+    function saveCache4(paths_1, key_1, options_1) {
      return __awaiter2(this, arguments, void 0, function* (paths, key, options, enableCrossOsArchive = false) {
        const cacheServiceVersion = (0, config_1.getCacheServiceVersion)();
        core14.debug(`Cache service version: ${cacheServiceVersion}`);
@@ -81394,7 +81394,7 @@ var require_manifest = __commonJS({
    exports2._findMatch = _findMatch;
    exports2._getOsVersion = _getOsVersion;
    exports2._readLinuxVersionFile = _readLinuxVersionFile;
-    var semver9 = __importStar2(require_semver2());
+    var semver10 = __importStar2(require_semver2());
    var core_1 = require_core();
    var os2 = require("os");
    var cp = require("child_process");
@@ -81408,7 +81408,7 @@ var require_manifest = __commonJS({
        for (const candidate of candidates) {
          const version = candidate.version;
          (0, core_1.debug)(`check ${version} satisfies ${versionSpec}`);
-          if (semver9.satisfies(version, versionSpec) && (!stable || candidate.stable === stable)) {
+          if (semver10.satisfies(version, versionSpec) && (!stable || candidate.stable === stable)) {
            file = candidate.files.find((item) => {
              (0, core_1.debug)(`${item.arch}===${archFilter} && ${item.platform}===${platFilter}`);
              let chk = item.arch === archFilter && item.platform === platFilter;
@@ -81417,7 +81417,7 @@ var require_manifest = __commonJS({
                if (osVersion === item.platform_version) {
                  chk = true;
                } else {
-                  chk = semver9.satisfies(osVersion, item.platform_version);
+                  chk = semver10.satisfies(osVersion, item.platform_version);
                }
              }
              return chk;
@@ -81677,7 +81677,7 @@ var require_tool_cache = __commonJS({
    var os2 = __importStar2(require("os"));
    var path7 = __importStar2(require("path"));
    var httpm = __importStar2(require_lib());
-    var semver9 = __importStar2(require_semver2());
+    var semver10 = __importStar2(require_semver2());
    var stream = __importStar2(require("stream"));
    var util = __importStar2(require("util"));
    var assert_1 = require("assert");
@@ -81950,7 +81950,7 @@ var require_tool_cache = __commonJS({
    }
    function cacheDir(sourceDir, tool, version, arch) {
      return __awaiter2(this, void 0, void 0, function* () {
-        version = semver9.clean(version) || version;
+        version = semver10.clean(version) || version;
        arch = arch || os2.arch();
        core14.debug(`Caching tool ${tool} ${version} ${arch}`);
        core14.debug(`source dir: ${sourceDir}`);
@@ -81968,7 +81968,7 @@ var require_tool_cache = __commonJS({
    }
    function cacheFile(sourceFile, targetFile, tool, version, arch) {
      return __awaiter2(this, void 0, void 0, function* () {
-        version = semver9.clean(version) || version;
+        version = semver10.clean(version) || version;
        arch = arch || os2.arch();
        core14.debug(`Caching tool ${tool} ${version} ${arch}`);
        core14.debug(`source file: ${sourceFile}`);
@@ -81998,7 +81998,7 @@ var require_tool_cache = __commonJS({
      }
      let toolPath = "";
      if (versionSpec) {
-        versionSpec = semver9.clean(versionSpec) || "";
+        versionSpec = semver10.clean(versionSpec) || "";
        const cachePath = path7.join(_getCacheDirectory(), toolName, versionSpec, arch);
        core14.debug(`checking cache: ${cachePath}`);
        if (fs6.existsSync(cachePath) && fs6.existsSync(`${cachePath}.complete`)) {
@@ -82078,7 +82078,7 @@ var require_tool_cache = __commonJS({
    }
    function _createToolPath(tool, version, arch) {
      return __awaiter2(this, void 0, void 0, function* () {
-        const folderPath = path7.join(_getCacheDirectory(), tool, semver9.clean(version) || version, arch || "");
+        const folderPath = path7.join(_getCacheDirectory(), tool, semver10.clean(version) || version, arch || "");
        core14.debug(`destination ${folderPath}`);
        const markerPath = `${folderPath}.complete`;
        yield io5.rmRF(folderPath);
@@ -82088,30 +82088,30 @@ var require_tool_cache = __commonJS({
      });
    }
    function _completeToolPath(tool, version, arch) {
-      const folderPath = path7.join(_getCacheDirectory(), tool, semver9.clean(version) || version, arch || "");
+      const folderPath = path7.join(_getCacheDirectory(), tool, semver10.clean(version) || version, arch || "");
      const markerPath = `${folderPath}.complete`;
      fs6.writeFileSync(markerPath, "");
      core14.debug("finished caching tool");
    }
    function isExplicitVersion(versionSpec) {
-      const c = semver9.clean(versionSpec) || "";
+      const c = semver10.clean(versionSpec) || "";
      core14.debug(`isExplicit: ${c}`);
-      const valid3 = semver9.valid(c) != null;
-      core14.debug(`explicit? ${valid3}`);
-      return valid3;
+      const valid4 = semver10.valid(c) != null;
+      core14.debug(`explicit? ${valid4}`);
+      return valid4;
    }
    function evaluateVersions(versions, versionSpec) {
      let version = "";
      core14.debug(`evaluating ${versions.length} versions`);
      versions = versions.sort((a, b) => {
-        if (semver9.gt(a, b)) {
+        if (semver10.gt(a, b)) {
          return 1;
        }
        return -1;
      });
      for (let i = versions.length - 1; i >= 0; i--) {
        const potential = versions[i];
-        const satisfied = semver9.satisfies(potential, versionSpec);
+        const satisfied = semver10.satisfies(potential, versionSpec);
        if (satisfied) {
          version = potential;
          break;
@@ -85616,7 +85616,7 @@ function getDiffRangesJsonFilePath() {
  return path2.join(getTemporaryDirectory(), PR_DIFF_RANGE_JSON_FILENAME);
 }
 function getActionVersion() {
-  return "4.35.4";
+  return "4.35.5";
 }
 function getWorkflowEventName() {
  return getRequiredEnvParam("GITHUB_EVENT_NAME");
@@ -86170,57 +86170,8 @@ var fs4 = __toESM(require("fs"));
 var path5 = __toESM(require("path"));
 var core9 = __toESM(require_core());

-// src/analyses.ts
-var AnalysisKind = /* @__PURE__ */ ((AnalysisKind2) => {
-  AnalysisKind2["CodeScanning"] = "code-scanning";
-  AnalysisKind2["CodeQuality"] = "code-quality";
-  AnalysisKind2["RiskAssessment"] = "risk-assessment";
-  return AnalysisKind2;
-})(AnalysisKind || {});
-var supportedAnalysisKinds = new Set(Object.values(AnalysisKind));
-
-// src/caching-utils.ts
-var core6 = __toESM(require_core());
-
-// src/config/db-config.ts
-var jsonschema = __toESM(require_lib2());
-var semver2 = __toESM(require_semver2());
-
-// src/feature-flags/properties.ts
-var RepositoryPropertyName = /* @__PURE__ */ ((RepositoryPropertyName2) => {
-  RepositoryPropertyName2["DISABLE_OVERLAY"] = "github-codeql-disable-overlay";
-  RepositoryPropertyName2["EXTRA_QUERIES"] = "github-codeql-extra-queries";
-  RepositoryPropertyName2["FILE_COVERAGE_ON_PRS"] = "github-codeql-file-coverage-on-prs";
-  return RepositoryPropertyName2;
-})(RepositoryPropertyName || {});
-var KNOWN_REPOSITORY_PROPERTY_NAMES = new Set(
-  Object.values(RepositoryPropertyName)
-);
-
-// src/config/db-config.ts
-var PACK_IDENTIFIER_PATTERN = (function() {
-  const alphaNumeric = "[a-z0-9]";
-  const alphaNumericDash = "[a-z0-9-]";
-  const component = `${alphaNumeric}(${alphaNumericDash}*${alphaNumeric})?`;
-  return new RegExp(`^${component}/${component}$`);
-})();
-
-// src/logging.ts
-var core7 = __toESM(require_core());
-function getActionsLogger() {
-  return {
-    debug: core7.debug,
-    info: core7.info,
-    warning: core7.warning,
-    error: core7.error,
-    isDebug: core7.isDebug,
-    startGroup: core7.startGroup,
-    endGroup: core7.endGroup
-  };
-}
-
 // src/feature-flags.ts
-var semver5 = __toESM(require_semver2());
+var semver4 = __toESM(require_semver2());

 // src/overlay/index.ts
 var fs3 = __toESM(require("fs"));
@@ -86229,14 +86180,14 @@ var path4 = __toESM(require("path"));
 // src/git-utils.ts
 var fs2 = __toESM(require("fs"));
 var path3 = __toESM(require("path"));
-var core8 = __toESM(require_core());
+var core6 = __toESM(require_core());
 var toolrunner2 = __toESM(require_toolrunner());
 var io3 = __toESM(require_io());
-var semver3 = __toESM(require_semver2());
+var semver2 = __toESM(require_semver2());
 var runGitCommand = async function(workingDirectory, args, customErrorMessage, options) {
  let stdout = "";
  let stderr = "";
-  core8.debug(`Running git command: git ${args.join(" ")}`);
+  core6.debug(`Running git command: git ${args.join(" ")}`);
  try {
    await new toolrunner2.ToolRunner(await io3.which("git", true), args, {
      silent: true,
@@ -86257,7 +86208,7 @@ var runGitCommand = async function(workingDirectory, args, customErrorMessage, o
    if (stderr.includes("not a git repository")) {
      reason = "The checkout path provided to the action does not appear to be a git repository.";
    }
-    core8.info(`git call failed. ${customErrorMessage} Error: ${reason}`);
+    core6.info(`git call failed. ${customErrorMessage} Error: ${reason}`);
    throw error3;
  }
 };
@@ -86386,7 +86337,7 @@ async function getRef() {
  ) !== head;
  if (hasChangedRef) {
    const newRef = ref.replace(pull_ref_regex, "refs/pull/$1/head");
-    core8.debug(
+    core6.debug(
      `No longer on merge commit, rewriting ref from ${ref} to ${newRef}.`
    );
    return newRef;
@@ -86523,13 +86474,18 @@ async function getDiffRangeFilePaths(sourceRoot, logger) {
 }

 // src/tools-features.ts
-var semver4 = __toESM(require_semver2());
+var semver3 = __toESM(require_semver2());
 function isSupportedToolsFeature(versionInfo, feature) {
  return !!versionInfo.features && versionInfo.features[feature];
 }

 // src/feature-flags.ts
 var featureConfig = {
+  ["allow_multiple_analysis_kinds" /* AllowMultipleAnalysisKinds */]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_ALLOW_MULTIPLE_ANALYSIS_KINDS",
+    minimumVersion: void 0
+  },
  ["allow_toolcache_input" /* AllowToolcacheInput */]: {
    defaultValue: false,
    envVar: "CODEQL_ACTION_ALLOW_TOOLCACHE_INPUT",
@@ -86683,6 +86639,16 @@ var featureConfig = {
    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_DISABLE_TRAP_CACHING",
    minimumVersion: void 0
  },
+  ["overlay_analysis_match_codeql_version" /* OverlayAnalysisMatchCodeqlVersion */]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_MATCH_CODEQL_VERSION",
+    minimumVersion: void 0
+  },
+  ["overlay_analysis_match_codeql_version_dry_run" /* OverlayAnalysisMatchCodeqlVersionDryRun */]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_MATCH_CODEQL_VERSION_DRY_RUN",
+    minimumVersion: void 0
+  },
  ["overlay_analysis_resource_checks_v2" /* OverlayAnalysisResourceChecksV2 */]: {
    defaultValue: false,
    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_RESOURCE_CHECKS_V2",
@@ -86738,6 +86704,55 @@ var featureConfig = {
  }
 };

+// src/analyses.ts
+var AnalysisKind = /* @__PURE__ */ ((AnalysisKind2) => {
+  AnalysisKind2["CodeScanning"] = "code-scanning";
+  AnalysisKind2["CodeQuality"] = "code-quality";
+  AnalysisKind2["RiskAssessment"] = "risk-assessment";
+  return AnalysisKind2;
+})(AnalysisKind || {});
+var supportedAnalysisKinds = new Set(Object.values(AnalysisKind));
+
+// src/caching-utils.ts
+var core7 = __toESM(require_core());
+
+// src/config/db-config.ts
+var jsonschema = __toESM(require_lib2());
+var semver5 = __toESM(require_semver2());
+
+// src/feature-flags/properties.ts
+var RepositoryPropertyName = /* @__PURE__ */ ((RepositoryPropertyName2) => {
+  RepositoryPropertyName2["DISABLE_OVERLAY"] = "github-codeql-disable-overlay";
+  RepositoryPropertyName2["EXTRA_QUERIES"] = "github-codeql-extra-queries";
+  RepositoryPropertyName2["FILE_COVERAGE_ON_PRS"] = "github-codeql-file-coverage-on-prs";
+  return RepositoryPropertyName2;
+})(RepositoryPropertyName || {});
+var KNOWN_REPOSITORY_PROPERTY_NAMES = new Set(
+  Object.values(RepositoryPropertyName)
+);
+
+// src/config/db-config.ts
+var PACK_IDENTIFIER_PATTERN = (function() {
+  const alphaNumeric = "[a-z0-9]";
+  const alphaNumericDash = "[a-z0-9-]";
+  const component = `${alphaNumeric}(${alphaNumericDash}*${alphaNumeric})?`;
+  return new RegExp(`^${component}/${component}$`);
+})();
+
+// src/logging.ts
+var core8 = __toESM(require_core());
+function getActionsLogger() {
+  return {
+    debug: core8.debug,
+    info: core8.info,
+    warning: core8.warning,
+    error: core8.error,
+    isDebug: core8.isDebug,
+    startGroup: core8.startGroup,
+    endGroup: core8.endGroup
+  };
+}
+
 // src/languages/builtin.json
 var builtin_default = {
  languages: [
@@ -86850,20 +86865,26 @@ var toolrunner3 = __toESM(require_toolrunner());
 // src/setup-codeql.ts
 var toolcache3 = __toESM(require_tool_cache());
 var import_fast_deep_equal = __toESM(require_fast_deep_equal());
-var semver8 = __toESM(require_semver2());
+var semver9 = __toESM(require_semver2());
+
+// src/overlay/caching.ts
+var actionsCache3 = __toESM(require_cache4());
+var semver6 = __toESM(require_semver2());
+var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB = 7500;
+var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_BYTES = OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB * 1e6;

 // src/tar.ts
 var import_toolrunner = __toESM(require_toolrunner());
 var io4 = __toESM(require_io());
 var toolcache = __toESM(require_tool_cache());
-var semver6 = __toESM(require_semver2());
+var semver7 = __toESM(require_semver2());

 // src/tools-download.ts
 var core10 = __toESM(require_core());
 var import_http_client = __toESM(require_lib());
 var toolcache2 = __toESM(require_tool_cache());
 var import_follow_redirects = __toESM(require_follow_redirects());
-var semver7 = __toESM(require_semver2());
+var semver8 = __toESM(require_semver2());
 var STREAMING_HIGH_WATERMARK_BYTES = 4 * 1024 * 1024;

 // src/tracer-config.ts
@@ -26352,11 +26352,11 @@ var require_valid = __commonJS({
  "node_modules/semver/functions/valid.js"(exports2, module2) {
    "use strict";
    var parse2 = require_parse2();
-    var valid3 = (version, options) => {
+    var valid4 = (version, options) => {
      const v = parse2(version, options);
      return v ? v.version : null;
    };
-    module2.exports = valid3;
+    module2.exports = valid4;
  }
 });

@@ -26499,8 +26499,8 @@ var require_rcompare = __commonJS({
  "node_modules/semver/functions/rcompare.js"(exports2, module2) {
    "use strict";
    var compare2 = require_compare();
-    var rcompare = (a, b, loose) => compare2(b, a, loose);
-    module2.exports = rcompare;
+    var rcompare3 = (a, b, loose) => compare2(b, a, loose);
+    module2.exports = rcompare3;
  }
 });

@@ -27716,7 +27716,7 @@ var require_semver2 = __commonJS({
    var SemVer = require_semver();
    var identifiers = require_identifiers();
    var parse2 = require_parse2();
-    var valid3 = require_valid();
+    var valid4 = require_valid();
    var clean3 = require_clean();
    var inc = require_inc();
    var diff = require_diff();
@@ -27725,7 +27725,7 @@ var require_semver2 = __commonJS({
    var patch = require_patch();
    var prerelease = require_prerelease();
    var compare2 = require_compare();
-    var rcompare = require_rcompare();
+    var rcompare3 = require_rcompare();
    var compareLoose = require_compare_loose();
    var compareBuild = require_compare_build();
    var sort = require_sort();
@@ -27754,7 +27754,7 @@ var require_semver2 = __commonJS({
    var subset = require_subset();
    module2.exports = {
      parse: parse2,
-      valid: valid3,
+      valid: valid4,
      clean: clean3,
      inc,
      diff,
@@ -27763,7 +27763,7 @@ var require_semver2 = __commonJS({
      patch,
      prerelease,
      compare: compare2,
-      rcompare,
+      rcompare: rcompare3,
      compareLoose,
      compareBuild,
      sort,
@@ -29553,16 +29553,16 @@ var require_attribute = __commonJS({
      var result = new ValidatorResult(instance, schema2, options, ctx);
      var self2 = this;
      schema2.allOf.forEach(function(v, i) {
-        var valid3 = self2.validateSchema(instance, v, options, ctx);
-        if (!valid3.valid) {
+        var valid4 = self2.validateSchema(instance, v, options, ctx);
+        if (!valid4.valid) {
          var id = v.$id || v.id;
          var msg = id || v.title && JSON.stringify(v.title) || v["$ref"] && "<" + v["$ref"] + ">" || "[subschema " + i + "]";
          result.addError({
            name: "allOf",
-            argument: { id: msg, length: valid3.errors.length, valid: valid3 },
-            message: "does not match allOf schema " + msg + " with " + valid3.errors.length + " error[s]:"
+            argument: { id: msg, length: valid4.errors.length, valid: valid4 },
+            message: "does not match allOf schema " + msg + " with " + valid4.errors.length + " error[s]:"
          });
-          result.importErrors(valid3);
+          result.importErrors(valid4);
        }
      });
      return result;
@@ -29851,8 +29851,8 @@ var require_attribute = __commonJS({
      if (typeof schema2.exclusiveMinimum === "boolean") return;
      if (!this.types.number(instance)) return;
      var result = new ValidatorResult(instance, schema2, options, ctx);
-      var valid3 = instance > schema2.exclusiveMinimum;
-      if (!valid3) {
+      var valid4 = instance > schema2.exclusiveMinimum;
+      if (!valid4) {
        result.addError({
          name: "exclusiveMinimum",
          argument: schema2.exclusiveMinimum,
@@ -29865,8 +29865,8 @@ var require_attribute = __commonJS({
      if (typeof schema2.exclusiveMaximum === "boolean") return;
      if (!this.types.number(instance)) return;
      var result = new ValidatorResult(instance, schema2, options, ctx);
-      var valid3 = instance < schema2.exclusiveMaximum;
-      if (!valid3) {
+      var valid4 = instance < schema2.exclusiveMaximum;
+      if (!valid4) {
        result.addError({
          name: "exclusiveMaximum",
          argument: schema2.exclusiveMaximum,
@@ -32649,8 +32649,8 @@ var require_semver3 = __commonJS({
        return null;
      }
    }
-    exports2.valid = valid3;
-    function valid3(version, options) {
+    exports2.valid = valid4;
+    function valid4(version, options) {
      var v = parse2(version, options);
      return v ? v.version : null;
    }
@@ -32950,8 +32950,8 @@ var require_semver3 = __commonJS({
      var versionB = new SemVer(b, loose);
      return versionA.compare(versionB) || versionA.compareBuild(versionB);
    }
-    exports2.rcompare = rcompare;
-    function rcompare(a, b, loose) {
+    exports2.rcompare = rcompare3;
+    function rcompare3(a, b, loose) {
      return compare2(b, a, loose);
    }
    exports2.sort = sort;
@@ -33779,7 +33779,7 @@ var require_cacheUtils = __commonJS({
    var crypto2 = __importStar2(require("crypto"));
    var fs3 = __importStar2(require("fs"));
    var path4 = __importStar2(require("path"));
-    var semver9 = __importStar2(require_semver3());
+    var semver10 = __importStar2(require_semver3());
    var util = __importStar2(require("util"));
    var constants_1 = require_constants7();
    var versionSalt = "1.0";
@@ -33872,7 +33872,7 @@ var require_cacheUtils = __commonJS({
    function getCompressionMethod() {
      return __awaiter2(this, void 0, void 0, function* () {
        const versionOutput = yield getVersion("zstd", ["--quiet"]);
-        const version = semver9.clean(versionOutput);
+        const version = semver10.clean(versionOutput);
        core15.debug(`zstd version: ${version}`);
        if (versionOutput === "") {
          return constants_1.CompressionMethod.Gzip;
@@ -75278,7 +75278,7 @@ var require_cacheHttpClient = __commonJS({
    exports2.getCacheEntry = getCacheEntry;
    exports2.downloadCache = downloadCache;
    exports2.reserveCache = reserveCache;
-    exports2.saveCache = saveCache4;
+    exports2.saveCache = saveCache5;
    var core15 = __importStar2(require_core());
    var http_client_1 = require_lib();
    var auth_1 = require_auth();
@@ -75455,7 +75455,7 @@ Other caches with similar key:`);
        }));
      });
    }
-    function saveCache4(cacheId, archivePath, signedUploadURL, options) {
+    function saveCache5(cacheId, archivePath, signedUploadURL, options) {
      return __awaiter2(this, void 0, void 0, function* () {
        const uploadOptions = (0, options_1.getUploadOptions)(options);
        if (uploadOptions.useAzureSdk) {
@@ -80955,8 +80955,8 @@ var require_cache4 = __commonJS({
    Object.defineProperty(exports2, "__esModule", { value: true });
    exports2.FinalizeCacheError = exports2.ReserveCacheError = exports2.ValidationError = void 0;
    exports2.isFeatureAvailable = isFeatureAvailable;
-    exports2.restoreCache = restoreCache4;
-    exports2.saveCache = saveCache4;
+    exports2.restoreCache = restoreCache5;
+    exports2.saveCache = saveCache5;
    var core15 = __importStar2(require_core());
    var path4 = __importStar2(require("path"));
    var utils = __importStar2(require_cacheUtils());
@@ -81013,7 +81013,7 @@ var require_cache4 = __commonJS({
          return !!process.env["ACTIONS_CACHE_URL"];
      }
    }
-    function restoreCache4(paths_1, primaryKey_1, restoreKeys_1, options_1) {
+    function restoreCache5(paths_1, primaryKey_1, restoreKeys_1, options_1) {
      return __awaiter2(this, arguments, void 0, function* (paths, primaryKey, restoreKeys, options, enableCrossOsArchive = false) {
        const cacheServiceVersion = (0, config_1.getCacheServiceVersion)();
        core15.debug(`Cache service version: ${cacheServiceVersion}`);
@@ -81157,7 +81157,7 @@ var require_cache4 = __commonJS({
        return void 0;
      });
    }
-    function saveCache4(paths_1, key_1, options_1) {
+    function saveCache5(paths_1, key_1, options_1) {
      return __awaiter2(this, arguments, void 0, function* (paths, key, options, enableCrossOsArchive = false) {
        const cacheServiceVersion = (0, config_1.getCacheServiceVersion)();
        core15.debug(`Cache service version: ${cacheServiceVersion}`);
@@ -84282,13 +84282,15 @@ var require_brace_expansion2 = __commonJS({
      parts.push.apply(parts, p);
      return parts;
    }
-    function expandTop(str2) {
+    function expandTop(str2, options) {
      if (!str2)
        return [];
+      options = options || {};
+      var max = options.max == null ? Infinity : options.max;
      if (str2.substr(0, 2) === "{}") {
        str2 = "\\{\\}" + str2.substr(2);
      }
-      return expand2(escapeBraces(str2), true).map(unescapeBraces);
+      return expand2(escapeBraces(str2), max, true).map(unescapeBraces);
    }
    function embrace(str2) {
      return "{" + str2 + "}";
@@ -84302,14 +84304,14 @@ var require_brace_expansion2 = __commonJS({
    function gte6(i, y) {
      return i >= y;
    }
-    function expand2(str2, isTop) {
+    function expand2(str2, max, isTop) {
      var expansions = [];
      var m = balanced("{", "}", str2);
      if (!m) return [str2];
      var pre = m.pre;
-      var post = m.post.length ? expand2(m.post, false) : [""];
+      var post = m.post.length ? expand2(m.post, max, false) : [""];
      if (/\$$/.test(m.pre)) {
-        for (var k = 0; k < post.length; k++) {
+        for (var k = 0; k < post.length && k < max; k++) {
          var expansion = pre + "{" + m.body + "}" + post[k];
          expansions.push(expansion);
        }
@@ -84321,7 +84323,7 @@ var require_brace_expansion2 = __commonJS({
        if (!isSequence && !isOptions) {
          if (m.post.match(/,(?!,).*\}/)) {
            str2 = m.pre + "{" + m.body + escClose + m.post;
-            return expand2(str2);
+            return expand2(str2, max, true);
          }
          return [str2];
        }
@@ -84331,7 +84333,7 @@ var require_brace_expansion2 = __commonJS({
        } else {
          n = parseCommaParts(m.body);
          if (n.length === 1) {
-            n = expand2(n[0], false).map(embrace);
+            n = expand2(n[0], max, false).map(embrace);
            if (n.length === 1) {
              return post.map(function(p) {
                return m.pre + n[0] + p;
@@ -84344,7 +84346,7 @@ var require_brace_expansion2 = __commonJS({
          var x = numeric(n[0]);
          var y = numeric(n[1]);
          var width = Math.max(n[0].length, n[1].length);
-          var incr = n.length == 3 ? Math.abs(numeric(n[2])) : 1;
+          var incr = n.length == 3 ? Math.max(Math.abs(numeric(n[2])), 1) : 1;
          var test = lte;
          var reverse = y < x;
          if (reverse) {
@@ -84377,11 +84379,11 @@ var require_brace_expansion2 = __commonJS({
        } else {
          N = [];
          for (var j = 0; j < n.length; j++) {
-            N.push.apply(N, expand2(n[j], false));
+            N.push.apply(N, expand2(n[j], max, false));
          }
        }
        for (var j = 0; j < N.length; j++) {
-          for (var k = 0; k < post.length; k++) {
+          for (var k = 0; k < post.length && expansions.length < max; k++) {
            var expansion = pre + N[j] + post[k];
            if (!isTop || isSequence || expansion)
              expansions.push(expansion);
@@ -88437,7 +88439,7 @@ var require_stream_writable = __commonJS({
      pna.nextTick(cb, er);
    }
    function validChunk(stream, state, chunk, cb) {
-      var valid3 = true;
+      var valid4 = true;
      var er = false;
      if (chunk === null) {
        er = new TypeError("May not write null values to stream");
@@ -88447,9 +88449,9 @@ var require_stream_writable = __commonJS({
      if (er) {
        stream.emit("error", er);
        pna.nextTick(cb, er);
-        valid3 = false;
+        valid4 = false;
      }
-      return valid3;
+      return valid4;
    }
    Writable.prototype.write = function(chunk, encoding, cb) {
      var state = this._writableState;
@@ -122745,7 +122747,7 @@ var require_manifest = __commonJS({
    exports2._findMatch = _findMatch;
    exports2._getOsVersion = _getOsVersion;
    exports2._readLinuxVersionFile = _readLinuxVersionFile;
-    var semver9 = __importStar2(require_semver2());
+    var semver10 = __importStar2(require_semver2());
    var core_1 = require_core();
    var os2 = require("os");
    var cp = require("child_process");
@@ -122759,7 +122761,7 @@ var require_manifest = __commonJS({
        for (const candidate of candidates) {
          const version = candidate.version;
          (0, core_1.debug)(`check ${version} satisfies ${versionSpec}`);
-          if (semver9.satisfies(version, versionSpec) && (!stable || candidate.stable === stable)) {
+          if (semver10.satisfies(version, versionSpec) && (!stable || candidate.stable === stable)) {
            file = candidate.files.find((item) => {
              (0, core_1.debug)(`${item.arch}===${archFilter} && ${item.platform}===${platFilter}`);
              let chk = item.arch === archFilter && item.platform === platFilter;
@@ -122768,7 +122770,7 @@ var require_manifest = __commonJS({
                if (osVersion === item.platform_version) {
                  chk = true;
                } else {
-                  chk = semver9.satisfies(osVersion, item.platform_version);
+                  chk = semver10.satisfies(osVersion, item.platform_version);
                }
              }
              return chk;
@@ -123028,7 +123030,7 @@ var require_tool_cache = __commonJS({
    var os2 = __importStar2(require("os"));
    var path4 = __importStar2(require("path"));
    var httpm = __importStar2(require_lib());
-    var semver9 = __importStar2(require_semver2());
+    var semver10 = __importStar2(require_semver2());
    var stream = __importStar2(require("stream"));
    var util = __importStar2(require("util"));
    var assert_1 = require("assert");
@@ -123301,7 +123303,7 @@ var require_tool_cache = __commonJS({
    }
    function cacheDir(sourceDir, tool, version, arch) {
      return __awaiter2(this, void 0, void 0, function* () {
-        version = semver9.clean(version) || version;
+        version = semver10.clean(version) || version;
        arch = arch || os2.arch();
        core15.debug(`Caching tool ${tool} ${version} ${arch}`);
        core15.debug(`source dir: ${sourceDir}`);
@@ -123319,7 +123321,7 @@ var require_tool_cache = __commonJS({
    }
    function cacheFile(sourceFile, targetFile, tool, version, arch) {
      return __awaiter2(this, void 0, void 0, function* () {
-        version = semver9.clean(version) || version;
+        version = semver10.clean(version) || version;
        arch = arch || os2.arch();
        core15.debug(`Caching tool ${tool} ${version} ${arch}`);
        core15.debug(`source file: ${sourceFile}`);
@@ -123349,7 +123351,7 @@ var require_tool_cache = __commonJS({
      }
      let toolPath = "";
      if (versionSpec) {
-        versionSpec = semver9.clean(versionSpec) || "";
+        versionSpec = semver10.clean(versionSpec) || "";
        const cachePath = path4.join(_getCacheDirectory(), toolName, versionSpec, arch);
        core15.debug(`checking cache: ${cachePath}`);
        if (fs3.existsSync(cachePath) && fs3.existsSync(`${cachePath}.complete`)) {
@@ -123429,7 +123431,7 @@ var require_tool_cache = __commonJS({
    }
    function _createToolPath(tool, version, arch) {
      return __awaiter2(this, void 0, void 0, function* () {
-        const folderPath = path4.join(_getCacheDirectory(), tool, semver9.clean(version) || version, arch || "");
+        const folderPath = path4.join(_getCacheDirectory(), tool, semver10.clean(version) || version, arch || "");
        core15.debug(`destination ${folderPath}`);
        const markerPath = `${folderPath}.complete`;
        yield io6.rmRF(folderPath);
@@ -123439,30 +123441,30 @@ var require_tool_cache = __commonJS({
      });
    }
    function _completeToolPath(tool, version, arch) {
-      const folderPath = path4.join(_getCacheDirectory(), tool, semver9.clean(version) || version, arch || "");
+      const folderPath = path4.join(_getCacheDirectory(), tool, semver10.clean(version) || version, arch || "");
      const markerPath = `${folderPath}.complete`;
      fs3.writeFileSync(markerPath, "");
      core15.debug("finished caching tool");
    }
    function isExplicitVersion(versionSpec) {
-      const c = semver9.clean(versionSpec) || "";
+      const c = semver10.clean(versionSpec) || "";
      core15.debug(`isExplicit: ${c}`);
-      const valid3 = semver9.valid(c) != null;
-      core15.debug(`explicit? ${valid3}`);
-      return valid3;
+      const valid4 = semver10.valid(c) != null;
+      core15.debug(`explicit? ${valid4}`);
+      return valid4;
    }
    function evaluateVersions(versions, versionSpec) {
      let version = "";
      core15.debug(`evaluating ${versions.length} versions`);
      versions = versions.sort((a, b) => {
-        if (semver9.gt(a, b)) {
+        if (semver10.gt(a, b)) {
          return 1;
        }
        return -1;
      });
      for (let i = versions.length - 1; i >= 0; i--) {
        const potential = versions[i];
-        const satisfied = semver9.satisfies(potential, versionSpec);
+        const satisfied = semver10.satisfies(potential, versionSpec);
        if (satisfied) {
          version = potential;
          break;
@@ -126824,7 +126826,7 @@ function getTemporaryDirectory() {
  return value !== void 0 && value !== "" ? value : getRequiredEnvParam("RUNNER_TEMP");
 }
 function getActionVersion() {
-  return "4.35.4";
+  return "4.35.5";
 }
 var persistedInputsKey = "persisted_inputs";
 var restoreInputs = function() {
@@ -126977,63 +126979,14 @@ var fs = __toESM(require("fs"));
 var path = __toESM(require("path"));
 var core9 = __toESM(require_core());

-// src/analyses.ts
-var AnalysisKind = /* @__PURE__ */ ((AnalysisKind2) => {
-  AnalysisKind2["CodeScanning"] = "code-scanning";
-  AnalysisKind2["CodeQuality"] = "code-quality";
-  AnalysisKind2["RiskAssessment"] = "risk-assessment";
-  return AnalysisKind2;
-})(AnalysisKind || {});
-var supportedAnalysisKinds = new Set(Object.values(AnalysisKind));
-
-// src/caching-utils.ts
-var core6 = __toESM(require_core());
-
-// src/config/db-config.ts
-var jsonschema = __toESM(require_lib2());
-var semver2 = __toESM(require_semver2());
-
-// src/feature-flags/properties.ts
-var RepositoryPropertyName = /* @__PURE__ */ ((RepositoryPropertyName2) => {
-  RepositoryPropertyName2["DISABLE_OVERLAY"] = "github-codeql-disable-overlay";
-  RepositoryPropertyName2["EXTRA_QUERIES"] = "github-codeql-extra-queries";
-  RepositoryPropertyName2["FILE_COVERAGE_ON_PRS"] = "github-codeql-file-coverage-on-prs";
-  return RepositoryPropertyName2;
-})(RepositoryPropertyName || {});
-var KNOWN_REPOSITORY_PROPERTY_NAMES = new Set(
-  Object.values(RepositoryPropertyName)
-);
-
-// src/config/db-config.ts
-var PACK_IDENTIFIER_PATTERN = (function() {
-  const alphaNumeric = "[a-z0-9]";
-  const alphaNumericDash = "[a-z0-9-]";
-  const component = `${alphaNumeric}(${alphaNumericDash}*${alphaNumeric})?`;
-  return new RegExp(`^${component}/${component}$`);
-})();
-
-// src/logging.ts
-var core7 = __toESM(require_core());
-function getActionsLogger() {
-  return {
-    debug: core7.debug,
-    info: core7.info,
-    warning: core7.warning,
-    error: core7.error,
-    isDebug: core7.isDebug,
-    startGroup: core7.startGroup,
-    endGroup: core7.endGroup
-  };
-}
-
 // src/feature-flags.ts
-var semver5 = __toESM(require_semver2());
+var semver4 = __toESM(require_semver2());

 // src/git-utils.ts
-var core8 = __toESM(require_core());
+var core6 = __toESM(require_core());
 var toolrunner2 = __toESM(require_toolrunner());
 var io3 = __toESM(require_io());
-var semver3 = __toESM(require_semver2());
+var semver2 = __toESM(require_semver2());

 // src/overlay/index.ts
 var CODEQL_OVERLAY_MINIMUM_VERSION = "2.23.8";
@@ -127046,10 +126999,15 @@ var CODEQL_OVERLAY_MINIMUM_VERSION_PYTHON = "2.23.9";
 var CODEQL_OVERLAY_MINIMUM_VERSION_RUBY = "2.23.9";

 // src/tools-features.ts
-var semver4 = __toESM(require_semver2());
+var semver3 = __toESM(require_semver2());

 // src/feature-flags.ts
 var featureConfig = {
+  ["allow_multiple_analysis_kinds" /* AllowMultipleAnalysisKinds */]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_ALLOW_MULTIPLE_ANALYSIS_KINDS",
+    minimumVersion: void 0
+  },
  ["allow_toolcache_input" /* AllowToolcacheInput */]: {
    defaultValue: false,
    envVar: "CODEQL_ACTION_ALLOW_TOOLCACHE_INPUT",
@@ -127203,6 +127161,16 @@ var featureConfig = {
    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_DISABLE_TRAP_CACHING",
    minimumVersion: void 0
  },
+  ["overlay_analysis_match_codeql_version" /* OverlayAnalysisMatchCodeqlVersion */]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_MATCH_CODEQL_VERSION",
+    minimumVersion: void 0
+  },
+  ["overlay_analysis_match_codeql_version_dry_run" /* OverlayAnalysisMatchCodeqlVersionDryRun */]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_MATCH_CODEQL_VERSION_DRY_RUN",
+    minimumVersion: void 0
+  },
  ["overlay_analysis_resource_checks_v2" /* OverlayAnalysisResourceChecksV2 */]: {
    defaultValue: false,
    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_RESOURCE_CHECKS_V2",
@@ -127258,6 +127226,55 @@ var featureConfig = {
  }
 };

+// src/analyses.ts
+var AnalysisKind = /* @__PURE__ */ ((AnalysisKind2) => {
+  AnalysisKind2["CodeScanning"] = "code-scanning";
+  AnalysisKind2["CodeQuality"] = "code-quality";
+  AnalysisKind2["RiskAssessment"] = "risk-assessment";
+  return AnalysisKind2;
+})(AnalysisKind || {});
+var supportedAnalysisKinds = new Set(Object.values(AnalysisKind));
+
+// src/caching-utils.ts
+var core7 = __toESM(require_core());
+
+// src/config/db-config.ts
+var jsonschema = __toESM(require_lib2());
+var semver5 = __toESM(require_semver2());
+
+// src/feature-flags/properties.ts
+var RepositoryPropertyName = /* @__PURE__ */ ((RepositoryPropertyName2) => {
+  RepositoryPropertyName2["DISABLE_OVERLAY"] = "github-codeql-disable-overlay";
+  RepositoryPropertyName2["EXTRA_QUERIES"] = "github-codeql-extra-queries";
+  RepositoryPropertyName2["FILE_COVERAGE_ON_PRS"] = "github-codeql-file-coverage-on-prs";
+  return RepositoryPropertyName2;
+})(RepositoryPropertyName || {});
+var KNOWN_REPOSITORY_PROPERTY_NAMES = new Set(
+  Object.values(RepositoryPropertyName)
+);
+
+// src/config/db-config.ts
+var PACK_IDENTIFIER_PATTERN = (function() {
+  const alphaNumeric = "[a-z0-9]";
+  const alphaNumericDash = "[a-z0-9-]";
+  const component = `${alphaNumeric}(${alphaNumericDash}*${alphaNumeric})?`;
+  return new RegExp(`^${component}/${component}$`);
+})();
+
+// src/logging.ts
+var core8 = __toESM(require_core());
+function getActionsLogger() {
+  return {
+    debug: core8.debug,
+    info: core8.info,
+    warning: core8.warning,
+    error: core8.error,
+    isDebug: core8.isDebug,
+    startGroup: core8.startGroup,
+    endGroup: core8.endGroup
+  };
+}
+
 // src/languages/builtin.json
 var builtin_default = {
  languages: [
@@ -127505,24 +127522,30 @@ var cliErrorsConfig = {
 // src/setup-codeql.ts
 var toolcache3 = __toESM(require_tool_cache());
 var import_fast_deep_equal = __toESM(require_fast_deep_equal());
-var semver8 = __toESM(require_semver2());
+var semver9 = __toESM(require_semver2());
+
+// src/overlay/caching.ts
+var actionsCache3 = __toESM(require_cache4());
+var semver6 = __toESM(require_semver2());
+var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB = 7500;
+var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_BYTES = OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB * 1e6;

 // src/tar.ts
 var import_toolrunner = __toESM(require_toolrunner());
 var io4 = __toESM(require_io());
 var toolcache = __toESM(require_tool_cache());
-var semver6 = __toESM(require_semver2());
+var semver7 = __toESM(require_semver2());

 // src/tools-download.ts
 var core10 = __toESM(require_core());
 var import_http_client = __toESM(require_lib());
 var toolcache2 = __toESM(require_tool_cache());
 var import_follow_redirects = __toESM(require_follow_redirects());
-var semver7 = __toESM(require_semver2());
+var semver8 = __toESM(require_semver2());
 var STREAMING_HIGH_WATERMARK_BYTES = 4 * 1024 * 1024;

 // src/dependency-caching.ts
-var actionsCache3 = __toESM(require_cache4());
+var actionsCache4 = __toESM(require_cache4());
 var glob = __toESM(require_glob());

 // src/artifact-scanner.ts
@@ -127590,6 +127613,9 @@ async function scanArchiveFile(archivePath, relativeArchivePath, extractDir, log
      `Maximum archive extraction depth (${MAX_DEPTH}) reached for ${archivePath}`
    );
  }
+  if (process.platform === "win32") {
+    throw new Error("Scanning archives is not supported on Windows.");
+  }
  const result = {
    scannedFiles: 0,
    findings: []
@@ -26499,8 +26499,8 @@ var require_rcompare = __commonJS({
  "node_modules/semver/functions/rcompare.js"(exports2, module2) {
    "use strict";
    var compare = require_compare();
-    var rcompare = (a, b, loose) => compare(b, a, loose);
-    module2.exports = rcompare;
+    var rcompare2 = (a, b, loose) => compare(b, a, loose);
+    module2.exports = rcompare2;
  }
 });

@@ -27725,7 +27725,7 @@ var require_semver2 = __commonJS({
    var patch = require_patch();
    var prerelease = require_prerelease();
    var compare = require_compare();
-    var rcompare = require_rcompare();
+    var rcompare2 = require_rcompare();
    var compareLoose = require_compare_loose();
    var compareBuild = require_compare_build();
    var sort = require_sort();
@@ -27763,7 +27763,7 @@ var require_semver2 = __commonJS({
      patch,
      prerelease,
      compare,
-      rcompare,
+      rcompare: rcompare2,
      compareLoose,
      compareBuild,
      sort,
@@ -33772,8 +33772,8 @@ var require_semver3 = __commonJS({
      var versionB = new SemVer(b, loose);
      return versionA.compare(versionB) || versionA.compareBuild(versionB);
    }
-    exports2.rcompare = rcompare;
-    function rcompare(a, b, loose) {
+    exports2.rcompare = rcompare2;
+    function rcompare2(a, b, loose) {
      return compare(b, a, loose);
    }
    exports2.sort = sort;
@@ -102813,7 +102813,7 @@ function getTemporaryDirectory() {
  return value !== void 0 && value !== "" ? value : getRequiredEnvParam("RUNNER_TEMP");
 }
 function getActionVersion() {
-  return "4.35.4";
+  return "4.35.5";
 }
 function getWorkflowEventName() {
  return getRequiredEnvParam("GITHUB_EVENT_NAME");
@@ -103064,8 +103064,8 @@ var path = __toESM(require("path"));
 var semver4 = __toESM(require_semver2());

 // src/defaults.json
-var bundleVersion = "codeql-bundle-v2.25.3";
-var cliVersion = "2.25.3";
+var bundleVersion = "codeql-bundle-v2.25.4";
+var cliVersion = "2.25.4";

 // src/git-utils.ts
 var core6 = __toESM(require_core());
@@ -103177,7 +103177,16 @@ var semver3 = __toESM(require_semver2());
 // src/feature-flags.ts
 var DEFAULT_VERSION_FEATURE_FLAG_PREFIX = "default_codeql_version_";
 var DEFAULT_VERSION_FEATURE_FLAG_SUFFIX = "_enabled";
+var LINKED_CODEQL_VERSION = {
+  cliVersion,
+  tagName: bundleVersion
+};
 var featureConfig = {
+  ["allow_multiple_analysis_kinds" /* AllowMultipleAnalysisKinds */]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_ALLOW_MULTIPLE_ANALYSIS_KINDS",
+    minimumVersion: void 0
+  },
  ["allow_toolcache_input" /* AllowToolcacheInput */]: {
    defaultValue: false,
    envVar: "CODEQL_ACTION_ALLOW_TOOLCACHE_INPUT",
@@ -103331,6 +103340,16 @@ var featureConfig = {
    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_DISABLE_TRAP_CACHING",
    minimumVersion: void 0
  },
+  ["overlay_analysis_match_codeql_version" /* OverlayAnalysisMatchCodeqlVersion */]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_MATCH_CODEQL_VERSION",
+    minimumVersion: void 0
+  },
+  ["overlay_analysis_match_codeql_version_dry_run" /* OverlayAnalysisMatchCodeqlVersionDryRun */]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_MATCH_CODEQL_VERSION_DRY_RUN",
+    minimumVersion: void 0
+  },
  ["overlay_analysis_resource_checks_v2" /* OverlayAnalysisResourceChecksV2 */]: {
    defaultValue: false,
    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_RESOURCE_CHECKS_V2",
@@ -103391,10 +103410,9 @@ var OfflineFeatures = class {
    this.logger = logger;
  }
  logger;
-  async getDefaultCliVersion(_variant) {
+  async getEnabledDefaultCliVersions(_variant) {
    return {
-      cliVersion,
-      tagName: bundleVersion
+      enabledVersions: [LINKED_CODEQL_VERSION]
    };
  }
  /**
@@ -103499,11 +103517,11 @@ var Features = class extends OfflineFeatures {
      logger
    );
  }
-  async getDefaultCliVersion(variant) {
+  async getEnabledDefaultCliVersions(variant) {
    if (supportsFeatureFlags(variant)) {
-      return await this.gitHubFeatureFlags.getDefaultCliVersionFromFlags();
+      return await this.gitHubFeatureFlags.getEnabledDefaultCliVersionsFromFlags();
    }
-    return super.getDefaultCliVersion(variant);
+    return super.getEnabledDefaultCliVersions(variant);
  }
  /**
   *
@@ -103562,34 +103580,36 @@ var GitHubFeatureFlags = class {
    }
    return version;
  }
-  async getDefaultCliVersionFromFlags() {
+  /**
+   * Returns CLI versions enabled by `default_codeql_version_*_enabled` feature
+   * flags, sorted from highest to lowest. Falls back to the version pinned in
+   * `defaults.json` if no such flags are enabled.
+   */
+  async getEnabledDefaultCliVersionsFromFlags() {
    const response = await this.getAllFeatures();
-    const enabledFeatureFlagCliVersions = Object.entries(response).map(
+    const sortedCliVersions = Object.entries(response).map(
      ([f, isEnabled]) => isEnabled ? this.getCliVersionFromFeatureFlag(f) : void 0
-    ).filter((f) => f !== void 0);
-    if (enabledFeatureFlagCliVersions.length === 0) {
+    ).filter((f) => f !== void 0).sort(semver4.rcompare);
+    if (sortedCliVersions.length === 0) {
      this.logger.warning(
        `Feature flags do not specify a default CLI version. Falling back to the CLI version shipped with the Action. This is ${cliVersion}.`
      );
      const result = {
-        cliVersion,
-        tagName: bundleVersion
+        enabledVersions: [LINKED_CODEQL_VERSION]
      };
      if (this.hasAccessedRemoteFeatureFlags) {
        result.toolsFeatureFlagsValid = false;
      }
      return result;
    }
-    const maxCliVersion = enabledFeatureFlagCliVersions.reduce(
-      (maxVersion, currentVersion) => currentVersion > maxVersion ? currentVersion : maxVersion,
-      enabledFeatureFlagCliVersions[0]
-    );
    this.logger.debug(
-      `Derived default CLI version of ${maxCliVersion} from feature flags.`
+      `Derived default CLI version of ${sortedCliVersions[0]} from feature flags.`
    );
    return {
-      cliVersion: maxCliVersion,
-      tagName: `codeql-bundle-v${maxCliVersion}`,
+      enabledVersions: sortedCliVersions.map((cliVersion2) => ({
+        cliVersion: cliVersion2,
+        tagName: `codeql-bundle-v${cliVersion2}`
+      })),
      toolsFeatureFlagsValid: true
    };
  }
@@ -104469,7 +104489,7 @@ async function getReleaseByVersion(version) {
 }
 async function getCliVersionFromFeatures(features) {
  const gitHubVersion = await getGitHubVersion();
-  return await features.getDefaultCliVersion(gitHubVersion.type);
+  return await features.getEnabledDefaultCliVersions(gitHubVersion.type);
 }
 async function getDownloadUrl(logger, features) {
  const proxyPackage = getProxyPackage();
@@ -104477,7 +104497,7 @@ async function getDownloadUrl(logger, features) {
    const useFeaturesToDetermineCLI = await features.getValue(
      "start_proxy_use_features_release" /* StartProxyUseFeaturesRelease */
    );
-    const versionInfo = useFeaturesToDetermineCLI ? await getCliVersionFromFeatures(features) : {
+    const versionInfo = useFeaturesToDetermineCLI ? (await getCliVersionFromFeatures(features)).enabledVersions[0] : {
      cliVersion,
      tagName: bundleVersion
    };
@@ -26352,11 +26352,11 @@ var require_valid = __commonJS({
  "node_modules/semver/functions/valid.js"(exports2, module2) {
    "use strict";
    var parse2 = require_parse2();
-    var valid3 = (version, options) => {
+    var valid4 = (version, options) => {
      const v = parse2(version, options);
      return v ? v.version : null;
    };
-    module2.exports = valid3;
+    module2.exports = valid4;
  }
 });

@@ -26499,8 +26499,8 @@ var require_rcompare = __commonJS({
  "node_modules/semver/functions/rcompare.js"(exports2, module2) {
    "use strict";
    var compare2 = require_compare();
-    var rcompare = (a, b, loose) => compare2(b, a, loose);
-    module2.exports = rcompare;
+    var rcompare3 = (a, b, loose) => compare2(b, a, loose);
+    module2.exports = rcompare3;
  }
 });

@@ -27716,7 +27716,7 @@ var require_semver2 = __commonJS({
    var SemVer = require_semver();
    var identifiers = require_identifiers();
    var parse2 = require_parse2();
-    var valid3 = require_valid();
+    var valid4 = require_valid();
    var clean3 = require_clean();
    var inc = require_inc();
    var diff = require_diff();
@@ -27725,7 +27725,7 @@ var require_semver2 = __commonJS({
    var patch = require_patch();
    var prerelease = require_prerelease();
    var compare2 = require_compare();
-    var rcompare = require_rcompare();
+    var rcompare3 = require_rcompare();
    var compareLoose = require_compare_loose();
    var compareBuild = require_compare_build();
    var sort = require_sort();
@@ -27754,7 +27754,7 @@ var require_semver2 = __commonJS({
    var subset = require_subset();
    module2.exports = {
      parse: parse2,
-      valid: valid3,
+      valid: valid4,
      clean: clean3,
      inc,
      diff,
@@ -27763,7 +27763,7 @@ var require_semver2 = __commonJS({
      patch,
      prerelease,
      compare: compare2,
-      rcompare,
+      rcompare: rcompare3,
      compareLoose,
      compareBuild,
      sort,
@@ -76458,13 +76458,15 @@ var require_brace_expansion = __commonJS({
      parts.push.apply(parts, p);
      return parts;
    }
-    function expandTop(str2) {
+    function expandTop(str2, options) {
      if (!str2)
        return [];
+      options = options || {};
+      var max = options.max == null ? Infinity : options.max;
      if (str2.substr(0, 2) === "{}") {
        str2 = "\\{\\}" + str2.substr(2);
      }
-      return expand2(escapeBraces(str2), true).map(unescapeBraces);
+      return expand2(escapeBraces(str2), max, true).map(unescapeBraces);
    }
    function embrace(str2) {
      return "{" + str2 + "}";
@@ -76478,14 +76480,14 @@ var require_brace_expansion = __commonJS({
    function gte6(i, y) {
      return i >= y;
    }
-    function expand2(str2, isTop) {
+    function expand2(str2, max, isTop) {
      var expansions = [];
      var m = balanced("{", "}", str2);
      if (!m) return [str2];
      var pre = m.pre;
-      var post = m.post.length ? expand2(m.post, false) : [""];
+      var post = m.post.length ? expand2(m.post, max, false) : [""];
      if (/\$$/.test(m.pre)) {
-        for (var k = 0; k < post.length; k++) {
+        for (var k = 0; k < post.length && k < max; k++) {
          var expansion = pre + "{" + m.body + "}" + post[k];
          expansions.push(expansion);
        }
@@ -76497,7 +76499,7 @@ var require_brace_expansion = __commonJS({
        if (!isSequence && !isOptions) {
          if (m.post.match(/,(?!,).*\}/)) {
            str2 = m.pre + "{" + m.body + escClose + m.post;
-            return expand2(str2);
+            return expand2(str2, max, true);
          }
          return [str2];
        }
@@ -76507,7 +76509,7 @@ var require_brace_expansion = __commonJS({
        } else {
          n = parseCommaParts(m.body);
          if (n.length === 1) {
-            n = expand2(n[0], false).map(embrace);
+            n = expand2(n[0], max, false).map(embrace);
            if (n.length === 1) {
              return post.map(function(p) {
                return m.pre + n[0] + p;
@@ -76520,7 +76522,7 @@ var require_brace_expansion = __commonJS({
          var x = numeric(n[0]);
          var y = numeric(n[1]);
          var width = Math.max(n[0].length, n[1].length);
-          var incr = n.length == 3 ? Math.abs(numeric(n[2])) : 1;
+          var incr = n.length == 3 ? Math.max(Math.abs(numeric(n[2])), 1) : 1;
          var test = lte;
          var reverse = y < x;
          if (reverse) {
@@ -76553,11 +76555,11 @@ var require_brace_expansion = __commonJS({
        } else {
          N = [];
          for (var j = 0; j < n.length; j++) {
-            N.push.apply(N, expand2(n[j], false));
+            N.push.apply(N, expand2(n[j], max, false));
          }
        }
        for (var j = 0; j < N.length; j++) {
-          for (var k = 0; k < post.length; k++) {
+          for (var k = 0; k < post.length && expansions.length < max; k++) {
            var expansion = pre + N[j] + post[k];
            if (!isTop || isSequence || expansion)
              expansions.push(expansion);
@@ -80613,7 +80615,7 @@ var require_stream_writable = __commonJS({
      pna.nextTick(cb, er);
    }
    function validChunk(stream, state, chunk, cb) {
-      var valid3 = true;
+      var valid4 = true;
      var er = false;
      if (chunk === null) {
        er = new TypeError("May not write null values to stream");
@@ -80623,9 +80625,9 @@ var require_stream_writable = __commonJS({
      if (er) {
        stream.emit("error", er);
        pna.nextTick(cb, er);
-        valid3 = false;
+        valid4 = false;
      }
-      return valid3;
+      return valid4;
    }
    Writable.prototype.write = function(chunk, encoding, cb) {
      var state = this._writableState;
@@ -115281,16 +115283,16 @@ var require_attribute = __commonJS({
      var result = new ValidatorResult(instance, schema2, options, ctx);
      var self2 = this;
      schema2.allOf.forEach(function(v, i) {
-        var valid3 = self2.validateSchema(instance, v, options, ctx);
-        if (!valid3.valid) {
+        var valid4 = self2.validateSchema(instance, v, options, ctx);
+        if (!valid4.valid) {
          var id = v.$id || v.id;
          var msg = id || v.title && JSON.stringify(v.title) || v["$ref"] && "<" + v["$ref"] + ">" || "[subschema " + i + "]";
          result.addError({
            name: "allOf",
-            argument: { id: msg, length: valid3.errors.length, valid: valid3 },
-            message: "does not match allOf schema " + msg + " with " + valid3.errors.length + " error[s]:"
+            argument: { id: msg, length: valid4.errors.length, valid: valid4 },
+            message: "does not match allOf schema " + msg + " with " + valid4.errors.length + " error[s]:"
          });
-          result.importErrors(valid3);
+          result.importErrors(valid4);
        }
      });
      return result;
@@ -115579,8 +115581,8 @@ var require_attribute = __commonJS({
      if (typeof schema2.exclusiveMinimum === "boolean") return;
      if (!this.types.number(instance)) return;
      var result = new ValidatorResult(instance, schema2, options, ctx);
-      var valid3 = instance > schema2.exclusiveMinimum;
-      if (!valid3) {
+      var valid4 = instance > schema2.exclusiveMinimum;
+      if (!valid4) {
        result.addError({
          name: "exclusiveMinimum",
          argument: schema2.exclusiveMinimum,
@@ -115593,8 +115595,8 @@ var require_attribute = __commonJS({
      if (typeof schema2.exclusiveMaximum === "boolean") return;
      if (!this.types.number(instance)) return;
      var result = new ValidatorResult(instance, schema2, options, ctx);
-      var valid3 = instance < schema2.exclusiveMaximum;
-      if (!valid3) {
+      var valid4 = instance < schema2.exclusiveMaximum;
+      if (!valid4) {
        result.addError({
          name: "exclusiveMaximum",
          argument: schema2.exclusiveMaximum,
@@ -118322,8 +118324,8 @@ var require_semver3 = __commonJS({
        return null;
      }
    }
-    exports2.valid = valid3;
-    function valid3(version, options) {
+    exports2.valid = valid4;
+    function valid4(version, options) {
      var v = parse2(version, options);
      return v ? v.version : null;
    }
@@ -118623,8 +118625,8 @@ var require_semver3 = __commonJS({
      var versionB = new SemVer(b, loose);
      return versionA.compare(versionB) || versionA.compareBuild(versionB);
    }
-    exports2.rcompare = rcompare;
-    function rcompare(a, b, loose) {
+    exports2.rcompare = rcompare3;
+    function rcompare3(a, b, loose) {
      return compare2(b, a, loose);
    }
    exports2.sort = sort;
@@ -119452,7 +119454,7 @@ var require_cacheUtils = __commonJS({
    var crypto2 = __importStar2(require("crypto"));
    var fs3 = __importStar2(require("fs"));
    var path3 = __importStar2(require("path"));
-    var semver9 = __importStar2(require_semver3());
+    var semver10 = __importStar2(require_semver3());
    var util = __importStar2(require("util"));
    var constants_1 = require_constants14();
    var versionSalt = "1.0";
@@ -119545,7 +119547,7 @@ var require_cacheUtils = __commonJS({
    function getCompressionMethod() {
      return __awaiter2(this, void 0, void 0, function* () {
        const versionOutput = yield getVersion("zstd", ["--quiet"]);
-        const version = semver9.clean(versionOutput);
+        const version = semver10.clean(versionOutput);
        core15.debug(`zstd version: ${version}`);
        if (versionOutput === "") {
          return constants_1.CompressionMethod.Gzip;
@@ -120855,7 +120857,7 @@ var require_cacheHttpClient = __commonJS({
    exports2.getCacheEntry = getCacheEntry;
    exports2.downloadCache = downloadCache;
    exports2.reserveCache = reserveCache;
-    exports2.saveCache = saveCache4;
+    exports2.saveCache = saveCache5;
    var core15 = __importStar2(require_core());
    var http_client_1 = require_lib();
    var auth_1 = require_auth();
@@ -121032,7 +121034,7 @@ Other caches with similar key:`);
        }));
      });
    }
-    function saveCache4(cacheId, archivePath, signedUploadURL, options) {
+    function saveCache5(cacheId, archivePath, signedUploadURL, options) {
      return __awaiter2(this, void 0, void 0, function* () {
        const uploadOptions = (0, options_1.getUploadOptions)(options);
        if (uploadOptions.useAzureSdk) {
@@ -122306,8 +122308,8 @@ var require_cache4 = __commonJS({
    Object.defineProperty(exports2, "__esModule", { value: true });
    exports2.FinalizeCacheError = exports2.ReserveCacheError = exports2.ValidationError = void 0;
    exports2.isFeatureAvailable = isFeatureAvailable;
-    exports2.restoreCache = restoreCache4;
-    exports2.saveCache = saveCache4;
+    exports2.restoreCache = restoreCache5;
+    exports2.saveCache = saveCache5;
    var core15 = __importStar2(require_core());
    var path3 = __importStar2(require("path"));
    var utils = __importStar2(require_cacheUtils());
@@ -122364,7 +122366,7 @@ var require_cache4 = __commonJS({
          return !!process.env["ACTIONS_CACHE_URL"];
      }
    }
-    function restoreCache4(paths_1, primaryKey_1, restoreKeys_1, options_1) {
+    function restoreCache5(paths_1, primaryKey_1, restoreKeys_1, options_1) {
      return __awaiter2(this, arguments, void 0, function* (paths, primaryKey, restoreKeys, options, enableCrossOsArchive = false) {
        const cacheServiceVersion = (0, config_1.getCacheServiceVersion)();
        core15.debug(`Cache service version: ${cacheServiceVersion}`);
@@ -122508,7 +122510,7 @@ var require_cache4 = __commonJS({
        return void 0;
      });
    }
-    function saveCache4(paths_1, key_1, options_1) {
+    function saveCache5(paths_1, key_1, options_1) {
      return __awaiter2(this, arguments, void 0, function* (paths, key, options, enableCrossOsArchive = false) {
        const cacheServiceVersion = (0, config_1.getCacheServiceVersion)();
        core15.debug(`Cache service version: ${cacheServiceVersion}`);
@@ -122745,7 +122747,7 @@ var require_manifest = __commonJS({
    exports2._findMatch = _findMatch;
    exports2._getOsVersion = _getOsVersion;
    exports2._readLinuxVersionFile = _readLinuxVersionFile;
-    var semver9 = __importStar2(require_semver2());
+    var semver10 = __importStar2(require_semver2());
    var core_1 = require_core();
    var os2 = require("os");
    var cp = require("child_process");
@@ -122759,7 +122761,7 @@ var require_manifest = __commonJS({
        for (const candidate of candidates) {
          const version = candidate.version;
          (0, core_1.debug)(`check ${version} satisfies ${versionSpec}`);
-          if (semver9.satisfies(version, versionSpec) && (!stable || candidate.stable === stable)) {
+          if (semver10.satisfies(version, versionSpec) && (!stable || candidate.stable === stable)) {
            file = candidate.files.find((item) => {
              (0, core_1.debug)(`${item.arch}===${archFilter} && ${item.platform}===${platFilter}`);
              let chk = item.arch === archFilter && item.platform === platFilter;
@@ -122768,7 +122770,7 @@ var require_manifest = __commonJS({
                if (osVersion === item.platform_version) {
                  chk = true;
                } else {
-                  chk = semver9.satisfies(osVersion, item.platform_version);
+                  chk = semver10.satisfies(osVersion, item.platform_version);
                }
              }
              return chk;
@@ -123028,7 +123030,7 @@ var require_tool_cache = __commonJS({
    var os2 = __importStar2(require("os"));
    var path3 = __importStar2(require("path"));
    var httpm = __importStar2(require_lib());
-    var semver9 = __importStar2(require_semver2());
+    var semver10 = __importStar2(require_semver2());
    var stream = __importStar2(require("stream"));
    var util = __importStar2(require("util"));
    var assert_1 = require("assert");
@@ -123301,7 +123303,7 @@ var require_tool_cache = __commonJS({
    }
    function cacheDir(sourceDir, tool, version, arch) {
      return __awaiter2(this, void 0, void 0, function* () {
-        version = semver9.clean(version) || version;
+        version = semver10.clean(version) || version;
        arch = arch || os2.arch();
        core15.debug(`Caching tool ${tool} ${version} ${arch}`);
        core15.debug(`source dir: ${sourceDir}`);
@@ -123319,7 +123321,7 @@ var require_tool_cache = __commonJS({
    }
    function cacheFile(sourceFile, targetFile, tool, version, arch) {
      return __awaiter2(this, void 0, void 0, function* () {
-        version = semver9.clean(version) || version;
+        version = semver10.clean(version) || version;
        arch = arch || os2.arch();
        core15.debug(`Caching tool ${tool} ${version} ${arch}`);
        core15.debug(`source file: ${sourceFile}`);
@@ -123349,7 +123351,7 @@ var require_tool_cache = __commonJS({
      }
      let toolPath = "";
      if (versionSpec) {
-        versionSpec = semver9.clean(versionSpec) || "";
+        versionSpec = semver10.clean(versionSpec) || "";
        const cachePath = path3.join(_getCacheDirectory(), toolName, versionSpec, arch);
        core15.debug(`checking cache: ${cachePath}`);
        if (fs3.existsSync(cachePath) && fs3.existsSync(`${cachePath}.complete`)) {
@@ -123429,7 +123431,7 @@ var require_tool_cache = __commonJS({
    }
    function _createToolPath(tool, version, arch) {
      return __awaiter2(this, void 0, void 0, function* () {
-        const folderPath = path3.join(_getCacheDirectory(), tool, semver9.clean(version) || version, arch || "");
+        const folderPath = path3.join(_getCacheDirectory(), tool, semver10.clean(version) || version, arch || "");
        core15.debug(`destination ${folderPath}`);
        const markerPath = `${folderPath}.complete`;
        yield io6.rmRF(folderPath);
@@ -123439,30 +123441,30 @@ var require_tool_cache = __commonJS({
      });
    }
    function _completeToolPath(tool, version, arch) {
-      const folderPath = path3.join(_getCacheDirectory(), tool, semver9.clean(version) || version, arch || "");
+      const folderPath = path3.join(_getCacheDirectory(), tool, semver10.clean(version) || version, arch || "");
      const markerPath = `${folderPath}.complete`;
      fs3.writeFileSync(markerPath, "");
      core15.debug("finished caching tool");
    }
    function isExplicitVersion(versionSpec) {
-      const c = semver9.clean(versionSpec) || "";
+      const c = semver10.clean(versionSpec) || "";
      core15.debug(`isExplicit: ${c}`);
-      const valid3 = semver9.valid(c) != null;
-      core15.debug(`explicit? ${valid3}`);
-      return valid3;
+      const valid4 = semver10.valid(c) != null;
+      core15.debug(`explicit? ${valid4}`);
+      return valid4;
    }
    function evaluateVersions(versions, versionSpec) {
      let version = "";
      core15.debug(`evaluating ${versions.length} versions`);
      versions = versions.sort((a, b) => {
-        if (semver9.gt(a, b)) {
+        if (semver10.gt(a, b)) {
          return 1;
        }
        return -1;
      });
      for (let i = versions.length - 1; i >= 0; i--) {
        const potential = versions[i];
-        const satisfied = semver9.satisfies(potential, versionSpec);
+        const satisfied = semver10.satisfies(potential, versionSpec);
        if (satisfied) {
          version = potential;
          break;
@@ -126824,7 +126826,7 @@ function getTemporaryDirectory() {
  return value !== void 0 && value !== "" ? value : getRequiredEnvParam("RUNNER_TEMP");
 }
 function getActionVersion() {
-  return "4.35.4";
+  return "4.35.5";
 }
 var persistedInputsKey = "persisted_inputs";
 var restoreInputs = function() {
@@ -126983,6 +126985,257 @@ var import_archiver = __toESM(require_archiver());
 // src/analyze.ts
 var io5 = __toESM(require_io());

+// src/feature-flags.ts
+var semver4 = __toESM(require_semver2());
+
+// src/git-utils.ts
+var core6 = __toESM(require_core());
+var toolrunner2 = __toESM(require_toolrunner());
+var io3 = __toESM(require_io());
+var semver2 = __toESM(require_semver2());
+
+// src/overlay/index.ts
+var CODEQL_OVERLAY_MINIMUM_VERSION = "2.23.8";
+var CODEQL_OVERLAY_MINIMUM_VERSION_CPP = "2.25.0";
+var CODEQL_OVERLAY_MINIMUM_VERSION_CSHARP = "2.24.1";
+var CODEQL_OVERLAY_MINIMUM_VERSION_GO = "2.24.2";
+var CODEQL_OVERLAY_MINIMUM_VERSION_JAVA = "2.23.8";
+var CODEQL_OVERLAY_MINIMUM_VERSION_JAVASCRIPT = "2.23.9";
+var CODEQL_OVERLAY_MINIMUM_VERSION_PYTHON = "2.23.9";
+var CODEQL_OVERLAY_MINIMUM_VERSION_RUBY = "2.23.9";
+
+// src/tools-features.ts
+var semver3 = __toESM(require_semver2());
+var SafeArtifactUploadVersion = "2.20.3";
+function isSafeArtifactUpload(codeQlVersion) {
+  return !codeQlVersion ? true : semver3.gte(codeQlVersion, SafeArtifactUploadVersion);
+}
+
+// src/feature-flags.ts
+var featureConfig = {
+  ["allow_multiple_analysis_kinds" /* AllowMultipleAnalysisKinds */]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_ALLOW_MULTIPLE_ANALYSIS_KINDS",
+    minimumVersion: void 0
+  },
+  ["allow_toolcache_input" /* AllowToolcacheInput */]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_ALLOW_TOOLCACHE_INPUT",
+    minimumVersion: void 0
+  },
+  ["cleanup_trap_caches" /* CleanupTrapCaches */]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_CLEANUP_TRAP_CACHES",
+    minimumVersion: void 0
+  },
+  ["cpp_dependency_installation_enabled" /* CppDependencyInstallation */]: {
+    defaultValue: false,
+    envVar: "CODEQL_EXTRACTOR_CPP_AUTOINSTALL_DEPENDENCIES",
+    legacyApi: true,
+    minimumVersion: "2.15.0"
+  },
+  ["csharp_cache_bmn" /* CsharpCacheBuildModeNone */]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_CSHARP_CACHE_BMN",
+    minimumVersion: void 0
+  },
+  ["csharp_new_cache_key" /* CsharpNewCacheKey */]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_CSHARP_NEW_CACHE_KEY",
+    minimumVersion: void 0
+  },
+  ["diff_informed_queries" /* DiffInformedQueries */]: {
+    defaultValue: true,
+    envVar: "CODEQL_ACTION_DIFF_INFORMED_QUERIES",
+    minimumVersion: "2.21.0"
+  },
+  ["disable_csharp_buildless" /* DisableCsharpBuildless */]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_DISABLE_CSHARP_BUILDLESS",
+    minimumVersion: void 0
+  },
+  ["disable_java_buildless_enabled" /* DisableJavaBuildlessEnabled */]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_DISABLE_JAVA_BUILDLESS",
+    legacyApi: true,
+    minimumVersion: void 0
+  },
+  ["disable_kotlin_analysis_enabled" /* DisableKotlinAnalysisEnabled */]: {
+    defaultValue: false,
+    envVar: "CODEQL_DISABLE_KOTLIN_ANALYSIS",
+    legacyApi: true,
+    minimumVersion: void 0
+  },
+  ["export_diagnostics_enabled" /* ExportDiagnosticsEnabled */]: {
+    defaultValue: true,
+    envVar: "CODEQL_ACTION_EXPORT_DIAGNOSTICS",
+    legacyApi: true,
+    minimumVersion: void 0
+  },
+  ["force_nightly" /* ForceNightly */]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_FORCE_NIGHTLY",
+    minimumVersion: void 0
+  },
+  ["ignore_generated_files" /* IgnoreGeneratedFiles */]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_IGNORE_GENERATED_FILES",
+    minimumVersion: void 0
+  },
+  ["java_network_debugging" /* JavaNetworkDebugging */]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_JAVA_NETWORK_DEBUGGING",
+    minimumVersion: void 0
+  },
+  ["overlay_analysis" /* OverlayAnalysis */]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS",
+    minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION
+  },
+  // Per-language overlay feature flags. Each has minimumVersion set to the
+  // minimum CLI version that supports overlay analysis for that language.
+  // Only languages that are GA or in staff-ship should have feature flags here.
+  ["overlay_analysis_code_scanning_cpp" /* OverlayAnalysisCodeScanningCpp */]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_CODE_SCANNING_CPP",
+    minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_CPP
+  },
+  ["overlay_analysis_code_scanning_csharp" /* OverlayAnalysisCodeScanningCsharp */]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_CODE_SCANNING_CSHARP",
+    minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_CSHARP
+  },
+  ["overlay_analysis_code_scanning_go" /* OverlayAnalysisCodeScanningGo */]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_CODE_SCANNING_GO",
+    minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_GO
+  },
+  ["overlay_analysis_code_scanning_java" /* OverlayAnalysisCodeScanningJava */]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_CODE_SCANNING_JAVA",
+    minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_JAVA
+  },
+  ["overlay_analysis_code_scanning_javascript" /* OverlayAnalysisCodeScanningJavascript */]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_CODE_SCANNING_JAVASCRIPT",
+    minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_JAVASCRIPT
+  },
+  ["overlay_analysis_code_scanning_python" /* OverlayAnalysisCodeScanningPython */]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_CODE_SCANNING_PYTHON",
+    minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_PYTHON
+  },
+  ["overlay_analysis_code_scanning_ruby" /* OverlayAnalysisCodeScanningRuby */]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_CODE_SCANNING_RUBY",
+    minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_RUBY
+  },
+  ["overlay_analysis_cpp" /* OverlayAnalysisCpp */]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_CPP",
+    minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_CPP
+  },
+  ["overlay_analysis_csharp" /* OverlayAnalysisCsharp */]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_CSHARP",
+    minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_CSHARP
+  },
+  ["overlay_analysis_go" /* OverlayAnalysisGo */]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_GO",
+    minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_GO
+  },
+  ["overlay_analysis_java" /* OverlayAnalysisJava */]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_JAVA",
+    minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_JAVA
+  },
+  ["overlay_analysis_javascript" /* OverlayAnalysisJavascript */]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_JAVASCRIPT",
+    minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_JAVASCRIPT
+  },
+  ["overlay_analysis_python" /* OverlayAnalysisPython */]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_PYTHON",
+    minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_PYTHON
+  },
+  ["overlay_analysis_ruby" /* OverlayAnalysisRuby */]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_RUBY",
+    minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_RUBY
+  },
+  // Other overlay-related feature flags
+  ["overlay_analysis_disable_trap_caching" /* OverlayAnalysisDisableTrapCaching */]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_DISABLE_TRAP_CACHING",
+    minimumVersion: void 0
+  },
+  ["overlay_analysis_match_codeql_version" /* OverlayAnalysisMatchCodeqlVersion */]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_MATCH_CODEQL_VERSION",
+    minimumVersion: void 0
+  },
+  ["overlay_analysis_match_codeql_version_dry_run" /* OverlayAnalysisMatchCodeqlVersionDryRun */]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_MATCH_CODEQL_VERSION_DRY_RUN",
+    minimumVersion: void 0
+  },
+  ["overlay_analysis_resource_checks_v2" /* OverlayAnalysisResourceChecksV2 */]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_RESOURCE_CHECKS_V2",
+    minimumVersion: void 0
+  },
+  ["overlay_analysis_status_check" /* OverlayAnalysisStatusCheck */]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_STATUS_CHECK",
+    minimumVersion: void 0
+  },
+  ["overlay_analysis_status_save" /* OverlayAnalysisStatusSave */]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_STATUS_SAVE",
+    minimumVersion: void 0
+  },
+  ["overlay_analysis_skip_resource_checks" /* OverlayAnalysisSkipResourceChecks */]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_SKIP_RESOURCE_CHECKS",
+    minimumVersion: void 0
+  },
+  ["qa_telemetry_enabled" /* QaTelemetryEnabled */]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_QA_TELEMETRY",
+    legacyApi: true,
+    minimumVersion: void 0
+  },
+  ["skip_file_coverage_on_prs" /* SkipFileCoverageOnPrs */]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_SKIP_FILE_COVERAGE_ON_PRS",
+    minimumVersion: void 0,
+    toolsFeature: "suppressesMissingFileBaselineWarning" /* SuppressesMissingFileBaselineWarning */
+  },
+  ["start_proxy_remove_unused_registries" /* StartProxyRemoveUnusedRegistries */]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_START_PROXY_REMOVE_UNUSED_REGISTRIES",
+    minimumVersion: void 0
+  },
+  ["start_proxy_use_features_release" /* StartProxyUseFeaturesRelease */]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_START_PROXY_USE_FEATURES_RELEASE",
+    minimumVersion: void 0
+  },
+  ["upload_overlay_db_to_api" /* UploadOverlayDbToApi */]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_UPLOAD_OVERLAY_DB_TO_API",
+    minimumVersion: void 0,
+    toolsFeature: "bundleSupportsOverlay" /* BundleSupportsOverlay */
+  },
+  ["validate_db_config" /* ValidateDbConfig */]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_VALIDATE_DB_CONFIG",
+    minimumVersion: void 0
+  }
+};
+
 // src/analyses.ts
 var AnalysisKind = /* @__PURE__ */ ((AnalysisKind2) => {
  AnalysisKind2["CodeScanning"] = "code-scanning";
@@ -127145,11 +127398,11 @@ var cliErrorsConfig = {
 var core9 = __toESM(require_core());

 // src/caching-utils.ts
-var core6 = __toESM(require_core());
+var core7 = __toESM(require_core());

 // src/config/db-config.ts
 var jsonschema = __toESM(require_lib5());
-var semver2 = __toESM(require_semver2());
+var semver5 = __toESM(require_semver2());

 // src/feature-flags/properties.ts
 var RepositoryPropertyName = /* @__PURE__ */ ((RepositoryPropertyName2) => {
@@ -127171,263 +127424,27 @@ var PACK_IDENTIFIER_PATTERN = (function() {
 })();

 // src/logging.ts
-var core7 = __toESM(require_core());
+var core8 = __toESM(require_core());
 function getActionsLogger() {
  return {
-    debug: core7.debug,
-    info: core7.info,
-    warning: core7.warning,
-    error: core7.error,
-    isDebug: core7.isDebug,
-    startGroup: core7.startGroup,
-    endGroup: core7.endGroup
+    debug: core8.debug,
+    info: core8.info,
+    warning: core8.warning,
+    error: core8.error,
+    isDebug: core8.isDebug,
+    startGroup: core8.startGroup,
+    endGroup: core8.endGroup
  };
 }
 function withGroup(groupName, f) {
-  core7.startGroup(groupName);
+  core8.startGroup(groupName);
  try {
    return f();
  } finally {
-    core7.endGroup();
+    core8.endGroup();
  }
 }

-// src/feature-flags.ts
-var semver5 = __toESM(require_semver2());
-
-// src/git-utils.ts
-var core8 = __toESM(require_core());
-var toolrunner2 = __toESM(require_toolrunner());
-var io3 = __toESM(require_io());
-var semver3 = __toESM(require_semver2());
-
-// src/overlay/index.ts
-var CODEQL_OVERLAY_MINIMUM_VERSION = "2.23.8";
-var CODEQL_OVERLAY_MINIMUM_VERSION_CPP = "2.25.0";
-var CODEQL_OVERLAY_MINIMUM_VERSION_CSHARP = "2.24.1";
-var CODEQL_OVERLAY_MINIMUM_VERSION_GO = "2.24.2";
-var CODEQL_OVERLAY_MINIMUM_VERSION_JAVA = "2.23.8";
-var CODEQL_OVERLAY_MINIMUM_VERSION_JAVASCRIPT = "2.23.9";
-var CODEQL_OVERLAY_MINIMUM_VERSION_PYTHON = "2.23.9";
-var CODEQL_OVERLAY_MINIMUM_VERSION_RUBY = "2.23.9";
-
-// src/tools-features.ts
-var semver4 = __toESM(require_semver2());
-var SafeArtifactUploadVersion = "2.20.3";
-function isSafeArtifactUpload(codeQlVersion) {
-  return !codeQlVersion ? true : semver4.gte(codeQlVersion, SafeArtifactUploadVersion);
-}
-
-// src/feature-flags.ts
-var featureConfig = {
-  ["allow_toolcache_input" /* AllowToolcacheInput */]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_ALLOW_TOOLCACHE_INPUT",
-    minimumVersion: void 0
-  },
-  ["cleanup_trap_caches" /* CleanupTrapCaches */]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_CLEANUP_TRAP_CACHES",
-    minimumVersion: void 0
-  },
-  ["cpp_dependency_installation_enabled" /* CppDependencyInstallation */]: {
-    defaultValue: false,
-    envVar: "CODEQL_EXTRACTOR_CPP_AUTOINSTALL_DEPENDENCIES",
-    legacyApi: true,
-    minimumVersion: "2.15.0"
-  },
-  ["csharp_cache_bmn" /* CsharpCacheBuildModeNone */]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_CSHARP_CACHE_BMN",
-    minimumVersion: void 0
-  },
-  ["csharp_new_cache_key" /* CsharpNewCacheKey */]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_CSHARP_NEW_CACHE_KEY",
-    minimumVersion: void 0
-  },
-  ["diff_informed_queries" /* DiffInformedQueries */]: {
-    defaultValue: true,
-    envVar: "CODEQL_ACTION_DIFF_INFORMED_QUERIES",
-    minimumVersion: "2.21.0"
-  },
-  ["disable_csharp_buildless" /* DisableCsharpBuildless */]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_DISABLE_CSHARP_BUILDLESS",
-    minimumVersion: void 0
-  },
-  ["disable_java_buildless_enabled" /* DisableJavaBuildlessEnabled */]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_DISABLE_JAVA_BUILDLESS",
-    legacyApi: true,
-    minimumVersion: void 0
-  },
-  ["disable_kotlin_analysis_enabled" /* DisableKotlinAnalysisEnabled */]: {
-    defaultValue: false,
-    envVar: "CODEQL_DISABLE_KOTLIN_ANALYSIS",
-    legacyApi: true,
-    minimumVersion: void 0
-  },
-  ["export_diagnostics_enabled" /* ExportDiagnosticsEnabled */]: {
-    defaultValue: true,
-    envVar: "CODEQL_ACTION_EXPORT_DIAGNOSTICS",
-    legacyApi: true,
-    minimumVersion: void 0
-  },
-  ["force_nightly" /* ForceNightly */]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_FORCE_NIGHTLY",
-    minimumVersion: void 0
-  },
-  ["ignore_generated_files" /* IgnoreGeneratedFiles */]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_IGNORE_GENERATED_FILES",
-    minimumVersion: void 0
-  },
-  ["java_network_debugging" /* JavaNetworkDebugging */]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_JAVA_NETWORK_DEBUGGING",
-    minimumVersion: void 0
-  },
-  ["overlay_analysis" /* OverlayAnalysis */]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS",
-    minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION
-  },
-  // Per-language overlay feature flags. Each has minimumVersion set to the
-  // minimum CLI version that supports overlay analysis for that language.
-  // Only languages that are GA or in staff-ship should have feature flags here.
-  ["overlay_analysis_code_scanning_cpp" /* OverlayAnalysisCodeScanningCpp */]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_CODE_SCANNING_CPP",
-    minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_CPP
-  },
-  ["overlay_analysis_code_scanning_csharp" /* OverlayAnalysisCodeScanningCsharp */]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_CODE_SCANNING_CSHARP",
-    minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_CSHARP
-  },
-  ["overlay_analysis_code_scanning_go" /* OverlayAnalysisCodeScanningGo */]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_CODE_SCANNING_GO",
-    minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_GO
-  },
-  ["overlay_analysis_code_scanning_java" /* OverlayAnalysisCodeScanningJava */]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_CODE_SCANNING_JAVA",
-    minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_JAVA
-  },
-  ["overlay_analysis_code_scanning_javascript" /* OverlayAnalysisCodeScanningJavascript */]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_CODE_SCANNING_JAVASCRIPT",
-    minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_JAVASCRIPT
-  },
-  ["overlay_analysis_code_scanning_python" /* OverlayAnalysisCodeScanningPython */]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_CODE_SCANNING_PYTHON",
-    minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_PYTHON
-  },
-  ["overlay_analysis_code_scanning_ruby" /* OverlayAnalysisCodeScanningRuby */]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_CODE_SCANNING_RUBY",
-    minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_RUBY
-  },
-  ["overlay_analysis_cpp" /* OverlayAnalysisCpp */]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_CPP",
-    minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_CPP
-  },
-  ["overlay_analysis_csharp" /* OverlayAnalysisCsharp */]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_CSHARP",
-    minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_CSHARP
-  },
-  ["overlay_analysis_go" /* OverlayAnalysisGo */]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_GO",
-    minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_GO
-  },
-  ["overlay_analysis_java" /* OverlayAnalysisJava */]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_JAVA",
-    minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_JAVA
-  },
-  ["overlay_analysis_javascript" /* OverlayAnalysisJavascript */]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_JAVASCRIPT",
-    minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_JAVASCRIPT
-  },
-  ["overlay_analysis_python" /* OverlayAnalysisPython */]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_PYTHON",
-    minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_PYTHON
-  },
-  ["overlay_analysis_ruby" /* OverlayAnalysisRuby */]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_RUBY",
-    minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_RUBY
-  },
-  // Other overlay-related feature flags
-  ["overlay_analysis_disable_trap_caching" /* OverlayAnalysisDisableTrapCaching */]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_DISABLE_TRAP_CACHING",
-    minimumVersion: void 0
-  },
-  ["overlay_analysis_resource_checks_v2" /* OverlayAnalysisResourceChecksV2 */]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_RESOURCE_CHECKS_V2",
-    minimumVersion: void 0
-  },
-  ["overlay_analysis_status_check" /* OverlayAnalysisStatusCheck */]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_STATUS_CHECK",
-    minimumVersion: void 0
-  },
-  ["overlay_analysis_status_save" /* OverlayAnalysisStatusSave */]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_STATUS_SAVE",
-    minimumVersion: void 0
-  },
-  ["overlay_analysis_skip_resource_checks" /* OverlayAnalysisSkipResourceChecks */]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_SKIP_RESOURCE_CHECKS",
-    minimumVersion: void 0
-  },
-  ["qa_telemetry_enabled" /* QaTelemetryEnabled */]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_QA_TELEMETRY",
-    legacyApi: true,
-    minimumVersion: void 0
-  },
-  ["skip_file_coverage_on_prs" /* SkipFileCoverageOnPrs */]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_SKIP_FILE_COVERAGE_ON_PRS",
-    minimumVersion: void 0,
-    toolsFeature: "suppressesMissingFileBaselineWarning" /* SuppressesMissingFileBaselineWarning */
-  },
-  ["start_proxy_remove_unused_registries" /* StartProxyRemoveUnusedRegistries */]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_START_PROXY_REMOVE_UNUSED_REGISTRIES",
-    minimumVersion: void 0
-  },
-  ["start_proxy_use_features_release" /* StartProxyUseFeaturesRelease */]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_START_PROXY_USE_FEATURES_RELEASE",
-    minimumVersion: void 0
-  },
-  ["upload_overlay_db_to_api" /* UploadOverlayDbToApi */]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_UPLOAD_OVERLAY_DB_TO_API",
-    minimumVersion: void 0,
-    toolsFeature: "bundleSupportsOverlay" /* BundleSupportsOverlay */
-  },
-  ["validate_db_config" /* ValidateDbConfig */]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_VALIDATE_DB_CONFIG",
-    minimumVersion: void 0
-  }
-};
-
 // src/languages/builtin.json
 var builtin_default = {
  languages: [
@@ -127492,24 +127509,30 @@ var OVERLAY_ANALYSIS_CODE_SCANNING_FEATURES = {
 // src/setup-codeql.ts
 var toolcache3 = __toESM(require_tool_cache());
 var import_fast_deep_equal = __toESM(require_fast_deep_equal());
-var semver8 = __toESM(require_semver2());
+var semver9 = __toESM(require_semver2());
+
+// src/overlay/caching.ts
+var actionsCache3 = __toESM(require_cache4());
+var semver6 = __toESM(require_semver2());
+var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB = 7500;
+var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_BYTES = OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB * 1e6;

 // src/tar.ts
 var import_toolrunner = __toESM(require_toolrunner());
 var io4 = __toESM(require_io());
 var toolcache = __toESM(require_tool_cache());
-var semver6 = __toESM(require_semver2());
+var semver7 = __toESM(require_semver2());

 // src/tools-download.ts
 var core10 = __toESM(require_core());
 var import_http_client = __toESM(require_lib());
 var toolcache2 = __toESM(require_tool_cache());
 var import_follow_redirects = __toESM(require_follow_redirects());
-var semver7 = __toESM(require_semver2());
+var semver8 = __toESM(require_semver2());
 var STREAMING_HIGH_WATERMARK_BYTES = 4 * 1024 * 1024;

 // src/dependency-caching.ts
-var actionsCache3 = __toESM(require_cache4());
+var actionsCache4 = __toESM(require_cache4());
 var glob = __toESM(require_glob2());

 // src/artifact-scanner.ts
@@ -127577,6 +127600,9 @@ async function scanArchiveFile(archivePath, relativeArchivePath, extractDir, log
      `Maximum archive extraction depth (${MAX_DEPTH}) reached for ${archivePath}`
    );
  }
+  if (process.platform === "win32") {
+    throw new Error("Scanning archives is not supported on Windows.");
+  }
  const result = {
    scannedFiles: 0,
    findings: []
@@ -1,12 +1,12 @@
 {
  "name": "codeql",
-  "version": "4.35.4",
+  "version": "4.35.5",
  "lockfileVersion": 3,
  "requires": true,
  "packages": {
    "": {
      "name": "codeql",
-      "version": "4.35.4",
+      "version": "4.35.5",
      "license": "MIT",
      "workspaces": [
        "pr-checks"
@@ -43,25 +43,25 @@
        "@types/archiver": "^7.0.0",
        "@types/follow-redirects": "^1.14.4",
        "@types/js-yaml": "^4.0.9",
-        "@types/node": "^20.19.9",
+        "@types/node": "^20.19.39",
        "@types/node-forge": "^1.3.14",
        "@types/sarif": "^2.1.7",
        "@types/semver": "^7.7.1",
        "@types/sinon": "^21.0.1",
        "ava": "^7.0.0",
        "esbuild": "^0.28.0",
-        "eslint": "^9.39.2",
+        "eslint": "^9.39.4",
        "eslint-import-resolver-typescript": "^4.4.4",
        "eslint-plugin-github": "^6.0.0",
        "eslint-plugin-import-x": "^4.16.2",
        "eslint-plugin-jsdoc": "^62.9.0",
        "eslint-plugin-no-async-foreach": "^0.1.1",
        "glob": "^11.1.0",
-        "globals": "^17.5.0",
+        "globals": "^17.6.0",
        "nock": "^14.0.12",
        "sinon": "^21.1.2",
-        "typescript": "^6.0.2",
-        "typescript-eslint": "^8.58.2"
+        "typescript": "^6.0.3",
+        "typescript-eslint": "^8.59.2"
      }
    },
    "node_modules/@aashutoshrathi/word-wrap": {
@@ -1337,15 +1337,15 @@
      }
    },
    "node_modules/@eslint/config-array": {
-      "version": "0.21.1",
-      "resolved": "https://registry.npmjs.org/@eslint/config-array/-/config-array-0.21.1.tgz",
-      "integrity": "sha512-aw1gNayWpdI/jSYVgzN5pL0cfzU02GT3NBpeT/DXbx1/1x7ZKxFPd9bwrzygx/qiwIQiJ1sw/zD8qY/kRvlGHA==",
+      "version": "0.21.2",
+      "resolved": "https://registry.npmjs.org/@eslint/config-array/-/config-array-0.21.2.tgz",
+      "integrity": "sha512-nJl2KGTlrf9GjLimgIru+V/mzgSK0ABCDQRvxw5BjURL7WfH5uoWmizbH7QB6MmnMBd8cIC9uceWnezL1VZWWw==",
      "dev": true,
      "license": "Apache-2.0",
      "dependencies": {
        "@eslint/object-schema": "^2.1.7",
        "debug": "^4.3.1",
-        "minimatch": "^3.1.2"
+        "minimatch": "^3.1.5"
      },
      "engines": {
        "node": "^18.18.0 || ^20.9.0 || >=21.1.0"
@@ -1391,20 +1391,20 @@
      }
    },
    "node_modules/@eslint/eslintrc": {
-      "version": "3.3.3",
-      "resolved": "https://registry.npmjs.org/@eslint/eslintrc/-/eslintrc-3.3.3.tgz",
-      "integrity": "sha512-Kr+LPIUVKz2qkx1HAMH8q1q6azbqBAsXJUxBl/ODDuVPX45Z9DfwB8tPjTi6nNZ8BuM3nbJxC5zCAg5elnBUTQ==",
+      "version": "3.3.5",
+      "resolved": "https://registry.npmjs.org/@eslint/eslintrc/-/eslintrc-3.3.5.tgz",
+      "integrity": "sha512-4IlJx0X0qftVsN5E+/vGujTRIFtwuLbNsVUe7TO6zYPDR1O6nFwvwhIKEKSrl6dZchmYBITazxKoUYOjdtjlRg==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
-        "ajv": "^6.12.4",
+        "ajv": "^6.14.0",
        "debug": "^4.3.2",
        "espree": "^10.0.1",
        "globals": "^14.0.0",
        "ignore": "^5.2.0",
        "import-fresh": "^3.2.1",
        "js-yaml": "^4.1.1",
-        "minimatch": "^3.1.2",
+        "minimatch": "^3.1.5",
        "strip-json-comments": "^3.1.1"
      },
      "engines": {
@@ -1427,9 +1427,9 @@
      }
    },
    "node_modules/@eslint/js": {
-      "version": "9.39.2",
-      "resolved": "https://registry.npmjs.org/@eslint/js/-/js-9.39.2.tgz",
-      "integrity": "sha512-q1mjIoW1VX4IvSocvM/vbTiveKC4k9eLrajNEuSsmjymSDEbpGddtpfOoN7YGAqBK3NG+uqo8ia4PDTt8buCYA==",
+      "version": "9.39.4",
+      "resolved": "https://registry.npmjs.org/@eslint/js/-/js-9.39.4.tgz",
+      "integrity": "sha512-nE7DEIchvtiFTwBw4Lfbu59PG+kCofhjsKaCWzxTpt4lfRjRMqG6uMBzKXuEcyXhOHoUp9riAm7/aWYGhXZ9cw==",
      "dev": true,
      "license": "MIT",
      "engines": {
@@ -2469,9 +2469,9 @@
      "license": "MIT"
    },
    "node_modules/@types/node": {
-      "version": "20.19.9",
-      "resolved": "https://registry.npmjs.org/@types/node/-/node-20.19.9.tgz",
-      "integrity": "sha512-cuVNgarYWZqxRJDQHEB58GEONhOK79QVR/qYx4S7kcUObQvUwvFnYxJuuHUKm2aieN9X3yZB4LZsuYNU1Qphsw==",
+      "version": "20.19.39",
+      "resolved": "https://registry.npmjs.org/@types/node/-/node-20.19.39.tgz",
+      "integrity": "sha512-orrrD74MBUyK8jOAD/r0+lfa1I2MO6I+vAkmAWzMYbCcgrN4lCrmK52gRFQq/JRxfYPfonkr4b0jcY7Olqdqbw==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
@@ -2528,17 +2528,17 @@
      "license": "MIT"
    },
    "node_modules/@typescript-eslint/eslint-plugin": {
-      "version": "8.58.2",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/eslint-plugin/-/eslint-plugin-8.58.2.tgz",
-      "integrity": "sha512-aC2qc5thQahutKjP+cl8cgN9DWe3ZUqVko30CMSZHnFEHyhOYoZSzkGtAI2mcwZ38xeImDucI4dnqsHiOYuuCw==",
+      "version": "8.59.2",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/eslint-plugin/-/eslint-plugin-8.59.2.tgz",
+      "integrity": "sha512-j/bwmkBvHUtPNxzuWe5z6BEk3q54YRyGlBXkSsmfoih7zNrBvl5A9A98anlp/7JbyZcWIJ8KXo/3Tq/DjFLtuQ==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
        "@eslint-community/regexpp": "^4.12.2",
-        "@typescript-eslint/scope-manager": "8.58.2",
-        "@typescript-eslint/type-utils": "8.58.2",
-        "@typescript-eslint/utils": "8.58.2",
-        "@typescript-eslint/visitor-keys": "8.58.2",
+        "@typescript-eslint/scope-manager": "8.59.2",
+        "@typescript-eslint/type-utils": "8.59.2",
+        "@typescript-eslint/utils": "8.59.2",
+        "@typescript-eslint/visitor-keys": "8.59.2",
        "ignore": "^7.0.5",
        "natural-compare": "^1.4.0",
        "ts-api-utils": "^2.5.0"
@@ -2551,7 +2551,7 @@
        "url": "https://opencollective.com/typescript-eslint"
      },
      "peerDependencies": {
-        "@typescript-eslint/parser": "^8.58.2",
+        "@typescript-eslint/parser": "^8.59.2",
        "eslint": "^8.57.0 || ^9.0.0 || ^10.0.0",
        "typescript": ">=4.8.4 <6.1.0"
      }
@@ -2567,16 +2567,16 @@
      }
    },
    "node_modules/@typescript-eslint/parser": {
-      "version": "8.58.2",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/parser/-/parser-8.58.2.tgz",
-      "integrity": "sha512-/Zb/xaIDfxeJnvishjGdcR4jmr7S+bda8PKNhRGdljDM+elXhlvN0FyPSsMnLmJUrVG9aPO6dof80wjMawsASg==",
+      "version": "8.59.2",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/parser/-/parser-8.59.2.tgz",
+      "integrity": "sha512-plR3pp6D+SSUn1HM7xvSkx12/DhoHInI2YF35KAcVFNZvlC0gtrWqx7Qq1oH2Ssgi0vlFRCTbP+DZc7B9+TtsQ==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
-        "@typescript-eslint/scope-manager": "8.58.2",
-        "@typescript-eslint/types": "8.58.2",
-        "@typescript-eslint/typescript-estree": "8.58.2",
-        "@typescript-eslint/visitor-keys": "8.58.2",
+        "@typescript-eslint/scope-manager": "8.59.2",
+        "@typescript-eslint/types": "8.59.2",
+        "@typescript-eslint/typescript-estree": "8.59.2",
+        "@typescript-eslint/visitor-keys": "8.59.2",
        "debug": "^4.4.3"
      },
      "engines": {
@@ -2610,14 +2610,14 @@
      }
    },
    "node_modules/@typescript-eslint/project-service": {
-      "version": "8.58.2",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/project-service/-/project-service-8.58.2.tgz",
-      "integrity": "sha512-Cq6UfpZZk15+r87BkIh5rDpi38W4b+Sjnb8wQCPPDDweS/LRCFjCyViEbzHk5Ck3f2QDfgmlxqSa7S7clDtlfg==",
+      "version": "8.59.2",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/project-service/-/project-service-8.59.2.tgz",
+      "integrity": "sha512-+2hqvEkeyf/0FBor67duF0Ll7Ot8jyKzDQOSrxazF/danillRq2DwR9dLptsXpoZQqxE1UisSmoZewrlPas9Vw==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
-        "@typescript-eslint/tsconfig-utils": "^8.58.2",
-        "@typescript-eslint/types": "^8.58.2",
+        "@typescript-eslint/tsconfig-utils": "^8.59.2",
+        "@typescript-eslint/types": "^8.59.2",
        "debug": "^4.4.3"
      },
      "engines": {
@@ -2650,14 +2650,14 @@
      }
    },
    "node_modules/@typescript-eslint/scope-manager": {
-      "version": "8.58.2",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/scope-manager/-/scope-manager-8.58.2.tgz",
-      "integrity": "sha512-SgmyvDPexWETQek+qzZnrG6844IaO02UVyOLhI4wpo82dpZJY9+6YZCKAMFzXb7qhx37mFK1QcPQ18tud+vo6Q==",
+      "version": "8.59.2",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/scope-manager/-/scope-manager-8.59.2.tgz",
+      "integrity": "sha512-JzfyEpEtOU89CcFSwyNS3mu4MLvLSXqnmX05+aKBDM+TdR5jzcGOEBwxwGNxrEQ7p/z6kK2WyioCGBf2zZBnvg==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
-        "@typescript-eslint/types": "8.58.2",
-        "@typescript-eslint/visitor-keys": "8.58.2"
+        "@typescript-eslint/types": "8.59.2",
+        "@typescript-eslint/visitor-keys": "8.59.2"
      },
      "engines": {
        "node": "^18.18.0 || ^20.9.0 || >=21.1.0"
@@ -2668,9 +2668,9 @@
      }
    },
    "node_modules/@typescript-eslint/tsconfig-utils": {
-      "version": "8.58.2",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/tsconfig-utils/-/tsconfig-utils-8.58.2.tgz",
-      "integrity": "sha512-3SR+RukipDvkkKp/d0jP0dyzuls3DbGmwDpVEc5wqk5f38KFThakqAAO0XMirWAE+kT00oTauTbzMFGPoAzB0A==",
+      "version": "8.59.2",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/tsconfig-utils/-/tsconfig-utils-8.59.2.tgz",
+      "integrity": "sha512-BKK4alN7oi4C/zv4VqHQ+uRU+lTa6JGIZ7s1juw7b3RHo9OfKB+bKX3u0iVZetdsUCBBkSbdWbarJbmN0fTeSw==",
      "dev": true,
      "license": "MIT",
      "engines": {
@@ -2685,15 +2685,15 @@
      }
    },
    "node_modules/@typescript-eslint/type-utils": {
-      "version": "8.58.2",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/type-utils/-/type-utils-8.58.2.tgz",
-      "integrity": "sha512-Z7EloNR/B389FvabdGeTo2XMs4W9TjtPiO9DAsmT0yom0bwlPyRjkJ1uCdW1DvrrrYP50AJZ9Xc3sByZA9+dcg==",
+      "version": "8.59.2",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/type-utils/-/type-utils-8.59.2.tgz",
+      "integrity": "sha512-nhqaj1nmTdVVl/BP5omXNRGO38jn5iosis2vbdmupF2txCf8ylWT8lx+JlvMYYVqzGVKtjojUFoQ3JRWK+mfzQ==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
-        "@typescript-eslint/types": "8.58.2",
-        "@typescript-eslint/typescript-estree": "8.58.2",
-        "@typescript-eslint/utils": "8.58.2",
+        "@typescript-eslint/types": "8.59.2",
+        "@typescript-eslint/typescript-estree": "8.59.2",
+        "@typescript-eslint/utils": "8.59.2",
        "debug": "^4.4.3",
        "ts-api-utils": "^2.5.0"
      },
@@ -2728,9 +2728,9 @@
      }
    },
    "node_modules/@typescript-eslint/types": {
-      "version": "8.58.2",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/types/-/types-8.58.2.tgz",
-      "integrity": "sha512-9TukXyATBQf/Jq9AMQXfvurk+G5R2MwfqQGDR2GzGz28HvY/lXNKGhkY+6IOubwcquikWk5cjlgPvD2uAA7htQ==",
+      "version": "8.59.2",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/types/-/types-8.59.2.tgz",
+      "integrity": "sha512-e82GVOE8Ps3E++Egvb6Y3Dw0S10u8NkQ9KXmtRhCWJJ8kDhOJTvtMAWnFL16kB1583goCWXsr0NieKCZMs2/0Q==",
      "dev": true,
      "license": "MIT",
      "engines": {
@@ -2742,16 +2742,16 @@
      }
    },
    "node_modules/@typescript-eslint/typescript-estree": {
-      "version": "8.58.2",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/typescript-estree/-/typescript-estree-8.58.2.tgz",
-      "integrity": "sha512-ELGuoofuhhoCvNbQjFFiobFcGgcDCEm0ThWdmO4Z0UzLqPXS3KFvnEZ+SHewwOYHjM09tkzOWXNTv9u6Gqtyuw==",
+      "version": "8.59.2",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/typescript-estree/-/typescript-estree-8.59.2.tgz",
+      "integrity": "sha512-o0XPGNwcWw+FIwStOWn+BwBuEmL6QXP0rsvAFg7ET1dey1Nr6Wb1ac8p5HEsK0ygO/6mUxlk+YWQD9xcb/nnXg==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
-        "@typescript-eslint/project-service": "8.58.2",
-        "@typescript-eslint/tsconfig-utils": "8.58.2",
-        "@typescript-eslint/types": "8.58.2",
-        "@typescript-eslint/visitor-keys": "8.58.2",
+        "@typescript-eslint/project-service": "8.59.2",
+        "@typescript-eslint/tsconfig-utils": "8.59.2",
+        "@typescript-eslint/types": "8.59.2",
+        "@typescript-eslint/visitor-keys": "8.59.2",
        "debug": "^4.4.3",
        "minimatch": "^10.2.2",
        "semver": "^7.7.3",
@@ -2780,9 +2780,9 @@
      }
    },
    "node_modules/@typescript-eslint/typescript-estree/node_modules/brace-expansion": {
-      "version": "5.0.5",
-      "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-5.0.5.tgz",
-      "integrity": "sha512-VZznLgtwhn+Mact9tfiwx64fA9erHH/MCXEUfB/0bX/6Fz6ny5EGTXYltMocqg4xFAQZtnO3DHWWXi8RiuN7cQ==",
+      "version": "5.0.6",
+      "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-5.0.6.tgz",
+      "integrity": "sha512-kLpxurY4Z4r9sgMsyG0Z9uzsBlgiU/EFKhj/h91/8yHu0edo7XuixOIH3VcJ8kkxs6/jPzoI6U9Vj3WqbMQ94g==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
@@ -2827,16 +2827,16 @@
      }
    },
    "node_modules/@typescript-eslint/utils": {
-      "version": "8.58.2",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/utils/-/utils-8.58.2.tgz",
-      "integrity": "sha512-QZfjHNEzPY8+l0+fIXMvuQ2sJlplB4zgDZvA+NmvZsZv3EQwOcc1DuIU1VJUTWZ/RKouBMhDyNaBMx4sWvrzRA==",
+      "version": "8.59.2",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/utils/-/utils-8.59.2.tgz",
+      "integrity": "sha512-Juw3EinkXqjaffxz6roowvV7GZT/kET5vSKKZT6upl5TXdWkLkYmNPXwDDL2Vkt2DPn0nODIS4egC/0AGxKo/Q==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
        "@eslint-community/eslint-utils": "^4.9.1",
-        "@typescript-eslint/scope-manager": "8.58.2",
-        "@typescript-eslint/types": "8.58.2",
-        "@typescript-eslint/typescript-estree": "8.58.2"
+        "@typescript-eslint/scope-manager": "8.59.2",
+        "@typescript-eslint/types": "8.59.2",
+        "@typescript-eslint/typescript-estree": "8.59.2"
      },
      "engines": {
        "node": "^18.18.0 || ^20.9.0 || >=21.1.0"
@@ -2851,13 +2851,13 @@
      }
    },
    "node_modules/@typescript-eslint/visitor-keys": {
-      "version": "8.58.2",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/visitor-keys/-/visitor-keys-8.58.2.tgz",
-      "integrity": "sha512-f1WO2Lx8a9t8DARmcWAUPJbu0G20bJlj8L4z72K00TMeJAoyLr/tHhI/pzYBLrR4dXWkcxO1cWYZEOX8DKHTqA==",
+      "version": "8.59.2",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/visitor-keys/-/visitor-keys-8.59.2.tgz",
+      "integrity": "sha512-NwjLUnGy8/Zfx23fl50tRC8rYaYnM52xNRYFAXvmiil9yh1+K6aRVQMnzW6gQB/1DLgWt977lYQn7C+wtgXZiA==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
-        "@typescript-eslint/types": "8.58.2",
+        "@typescript-eslint/types": "8.59.2",
        "eslint-visitor-keys": "^5.0.0"
      },
      "engines": {
@@ -3271,7 +3271,9 @@
      }
    },
    "node_modules/ajv": {
-      "version": "6.12.6",
+      "version": "6.15.0",
+      "resolved": "https://registry.npmjs.org/ajv/-/ajv-6.15.0.tgz",
+      "integrity": "sha512-fgFx7Hfoq60ytK2c7DhnF8jIvzYgOMxfugjLOSMHjLIPgenqa7S7oaagATUq99mV6IYvN2tRmC0wnTYX6iPbMw==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
@@ -4725,25 +4727,25 @@
      }
    },
    "node_modules/eslint": {
-      "version": "9.39.2",
-      "resolved": "https://registry.npmjs.org/eslint/-/eslint-9.39.2.tgz",
-      "integrity": "sha512-LEyamqS7W5HB3ujJyvi0HQK/dtVINZvd5mAAp9eT5S/ujByGjiZLCzPcHVzuXbpJDJF/cxwHlfceVUDZ2lnSTw==",
+      "version": "9.39.4",
+      "resolved": "https://registry.npmjs.org/eslint/-/eslint-9.39.4.tgz",
+      "integrity": "sha512-XoMjdBOwe/esVgEvLmNsD3IRHkm7fbKIUGvrleloJXUZgDHig2IPWNniv+GwjyJXzuNqVjlr5+4yVUZjycJwfQ==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
        "@eslint-community/eslint-utils": "^4.8.0",
        "@eslint-community/regexpp": "^4.12.1",
-        "@eslint/config-array": "^0.21.1",
+        "@eslint/config-array": "^0.21.2",
        "@eslint/config-helpers": "^0.4.2",
        "@eslint/core": "^0.17.0",
-        "@eslint/eslintrc": "^3.3.1",
-        "@eslint/js": "9.39.2",
+        "@eslint/eslintrc": "^3.3.5",
+        "@eslint/js": "9.39.4",
        "@eslint/plugin-kit": "^0.4.1",
        "@humanfs/node": "^0.16.6",
        "@humanwhocodes/module-importer": "^1.0.1",
        "@humanwhocodes/retry": "^0.4.2",
        "@types/estree": "^1.0.6",
-        "ajv": "^6.12.4",
+        "ajv": "^6.14.0",
        "chalk": "^4.0.0",
        "cross-spawn": "^7.0.6",
        "debug": "^4.3.2",
@@ -4762,7 +4764,7 @@
        "is-glob": "^4.0.0",
        "json-stable-stringify-without-jsonify": "^1.0.1",
        "lodash.merge": "^4.6.2",
-        "minimatch": "^3.1.2",
+        "minimatch": "^3.1.5",
        "natural-compare": "^1.4.0",
        "optionator": "^0.9.3"
      },
@@ -5668,9 +5670,9 @@
      "license": "MIT"
    },
    "node_modules/fast-xml-builder": {
-      "version": "1.1.5",
-      "resolved": "https://registry.npmjs.org/fast-xml-builder/-/fast-xml-builder-1.1.5.tgz",
-      "integrity": "sha512-4TJn/8FKLeslLAH3dnohXqE3QSoxkhvaMzepOIZytwJXZO69Bfz0HBdDHzOTOon6G59Zrk6VQ2bEiv1t61rfkA==",
+      "version": "1.2.0",
+      "resolved": "https://registry.npmjs.org/fast-xml-builder/-/fast-xml-builder-1.2.0.tgz",
+      "integrity": "sha512-00aAWieqff+ZJhsXA4g1g7M8k+7AYoMUUHF+/zFb5U6Uv/P0Vl4QZo84/IcufzYalLuEj9928bXN9PbbFzMF0Q==",
      "funding": [
        {
          "type": "github",
@@ -5679,7 +5681,8 @@
      ],
      "license": "MIT",
      "dependencies": {
-        "path-expression-matcher": "^1.1.3"
+        "path-expression-matcher": "^1.5.0",
+        "xml-naming": "^0.1.0"
      }
    },
    "node_modules/fast-xml-parser": {
@@ -5803,9 +5806,9 @@
      }
    },
    "node_modules/flatted": {
-      "version": "3.3.3",
-      "resolved": "https://registry.npmjs.org/flatted/-/flatted-3.3.3.tgz",
-      "integrity": "sha512-GX+ysw4PBCz0PzosHDepZGANEuFCMLrnRTiEy9McGjmkCQYwRq4A/X786G/fjM/+OjsWSU1ZrY5qyARZmO/uwg==",
+      "version": "3.4.2",
+      "resolved": "https://registry.npmjs.org/flatted/-/flatted-3.4.2.tgz",
+      "integrity": "sha512-PjDse7RzhcPkIJwy5t7KPWQSZ9cAbzQXcafsetQoD7sOJRQlGikNbx7yZp2OotDnJyrDcbyRq3Ttb18iYOqkxA==",
      "dev": true,
      "license": "ISC"
    },
@@ -6118,9 +6121,9 @@
      }
    },
    "node_modules/globals": {
-      "version": "17.5.0",
-      "resolved": "https://registry.npmjs.org/globals/-/globals-17.5.0.tgz",
-      "integrity": "sha512-qoV+HK2yFl/366t2/Cb3+xxPUo5BuMynomoDmiaZBIdbs+0pYbjfZU+twLhGKp4uCZ/+NbtpVepH5bGCxRyy2g==",
+      "version": "17.6.0",
+      "resolved": "https://registry.npmjs.org/globals/-/globals-17.6.0.tgz",
+      "integrity": "sha512-sepffkT8stwnIYbsMBpoCHJuJM5l98FUF2AnE07hfvE0m/qp3R586hw4jF4uadbhvg1ooIdzuu7CsfD2jzCaNA==",
      "dev": true,
      "license": "MIT",
      "engines": {
@@ -7338,9 +7341,9 @@
      }
    },
    "node_modules/micromatch/node_modules/picomatch": {
-      "version": "2.3.1",
-      "resolved": "https://registry.npmjs.org/picomatch/-/picomatch-2.3.1.tgz",
-      "integrity": "sha512-JU3teHTNjmE2VCGFzuY8EXzCDVwEqB2a8fsIvwaStHhAWJEeVd1o1QD80CU6+ZdEXXSLbSsuLwJjkCBWqRQUVA==",
+      "version": "2.3.2",
+      "resolved": "https://registry.npmjs.org/picomatch/-/picomatch-2.3.2.tgz",
+      "integrity": "sha512-V7+vQEJ06Z+c5tSye8S+nHUfI51xoXIXjHQ99cQtKUkQqqO1kO/KCJUfZXuB47h/YBlDhah2H3hdUGXn8ie0oA==",
      "dev": true,
      "license": "MIT",
      "engines": {
@@ -7886,9 +7889,9 @@
      "license": "ISC"
    },
    "node_modules/picomatch": {
-      "version": "4.0.3",
-      "resolved": "https://registry.npmjs.org/picomatch/-/picomatch-4.0.3.tgz",
-      "integrity": "sha512-5gTmgEY/sqK6gFXLIsQNH19lWb4ebPDLA4SdLP7dsWkIXHWlG66oPuVvXSGFPppYZz8ZDZq0dYYrbHfBCVUb1Q==",
+      "version": "4.0.4",
+      "resolved": "https://registry.npmjs.org/picomatch/-/picomatch-4.0.4.tgz",
+      "integrity": "sha512-QP88BAKvMam/3NxH6vj2o21R6MjxZUAd6nlwAS/pnGvN9IVLocLHxGYIzFhg6fUQ+5th6P4dv4eW9jX3DSIj7A==",
      "dev": true,
      "license": "MIT",
      "engines": {
@@ -8061,9 +8064,9 @@
      }
    },
    "node_modules/readdir-glob/node_modules/brace-expansion": {
-      "version": "2.0.2",
-      "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-2.0.2.tgz",
-      "integrity": "sha512-Jt0vHyM+jmUBqojB7E1NIYadt0vI0Qxjxd2TErW94wDz+E2LAm5vKMXXwg6ZZBTHPuUlDgQHKXvjGBdfcF1ZDQ==",
+      "version": "2.1.0",
+      "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-2.1.0.tgz",
+      "integrity": "sha512-TN1kCZAgdgweJhWWpgKYrQaMNHcDULHkWwQIspdtjV4Y5aurRdZpjAqn6yX3FPqTA9ngHCc4hJxMAMgGfve85w==",
      "license": "MIT",
      "dependencies": {
        "balanced-match": "^1.0.0"
@@ -8880,10 +8883,11 @@
      }
    },
    "node_modules/supertap/node_modules/js-yaml": {
-      "version": "3.14.1",
-      "resolved": "https://registry.npmjs.org/js-yaml/-/js-yaml-3.14.1.tgz",
-      "integrity": "sha512-okMH7OXXJ7YrN9Ok3/SXrnu4iX9yOk+25nqX4imS2npuvTYDmo/QEZoqwZkYaIDk3jVvBOTOIEgEhaLOynBS9g==",
+      "version": "3.14.2",
+      "resolved": "https://registry.npmjs.org/js-yaml/-/js-yaml-3.14.2.tgz",
+      "integrity": "sha512-PMSmkqxr106Xa156c2M265Z+FTrPl+oxd/rgOQy2tijQeK5TxQ43psO1ZCwhVOSdnn+RzkzlRz/eY4BgJBYVpg==",
      "dev": true,
+      "license": "MIT",
      "dependencies": {
        "argparse": "^1.0.7",
        "esprima": "^4.0.0"
@@ -9771,9 +9775,9 @@
      }
    },
    "node_modules/typescript": {
-      "version": "6.0.2",
-      "resolved": "https://registry.npmjs.org/typescript/-/typescript-6.0.2.tgz",
-      "integrity": "sha512-bGdAIrZ0wiGDo5l8c++HWtbaNCWTS4UTv7RaTH/ThVIgjkveJt83m74bBHMJkuCbslY8ixgLBVZJIOiQlQTjfQ==",
+      "version": "6.0.3",
+      "resolved": "https://registry.npmjs.org/typescript/-/typescript-6.0.3.tgz",
+      "integrity": "sha512-y2TvuxSZPDyQakkFRPZHKFm+KKVqIisdg9/CZwm9ftvKXLP8NRWj38/ODjNbr43SsoXqNuAisEf1GdCxqWcdBw==",
      "dev": true,
      "license": "Apache-2.0",
      "bin": {
@@ -9785,16 +9789,16 @@
      }
    },
    "node_modules/typescript-eslint": {
-      "version": "8.58.2",
-      "resolved": "https://registry.npmjs.org/typescript-eslint/-/typescript-eslint-8.58.2.tgz",
-      "integrity": "sha512-V8iSng9mRbdZjl54VJ9NKr6ZB+dW0J3TzRXRGcSbLIej9jV86ZRtlYeTKDR/QLxXykocJ5icNzbsl2+5TzIvcQ==",
+      "version": "8.59.2",
+      "resolved": "https://registry.npmjs.org/typescript-eslint/-/typescript-eslint-8.59.2.tgz",
+      "integrity": "sha512-pJw051uomb3ZeCzGTpRb8RbEqB5Y4WWet8gl/GcTlU35BSx0PVdZ86/bqkQCyKKuraVQEK7r6kBHQXF+fBhkoQ==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
-        "@typescript-eslint/eslint-plugin": "8.58.2",
-        "@typescript-eslint/parser": "8.58.2",
-        "@typescript-eslint/typescript-estree": "8.58.2",
-        "@typescript-eslint/utils": "8.58.2"
+        "@typescript-eslint/eslint-plugin": "8.59.2",
+        "@typescript-eslint/parser": "8.59.2",
+        "@typescript-eslint/typescript-estree": "8.59.2",
+        "@typescript-eslint/utils": "8.59.2"
      },
      "engines": {
        "node": "^18.18.0 || ^20.9.0 || >=21.1.0"
@@ -10221,6 +10225,21 @@
        "node": "^20.17.0 || >=22.9.0"
      }
    },
+    "node_modules/xml-naming": {
+      "version": "0.1.0",
+      "resolved": "https://registry.npmjs.org/xml-naming/-/xml-naming-0.1.0.tgz",
+      "integrity": "sha512-k8KO9hrMyNk6tUWqUfkTEZbezRRpONVOzUTnc97VnCvyj6Tf9lyUR9EDAIeiVLv56jsMcoXEwjW8Kv5yPY52lw==",
+      "funding": [
+        {
+          "type": "github",
+          "url": "https://github.com/sponsors/NaturalIntelligence"
+        }
+      ],
+      "license": "MIT",
+      "engines": {
+        "node": ">=16.0.0"
+      }
+    },
    "node_modules/y18n": {
      "version": "5.0.8",
      "resolved": "https://registry.npmjs.org/y18n/-/y18n-5.0.8.tgz",
@@ -10242,9 +10261,9 @@
      }
    },
    "node_modules/yaml": {
-      "version": "2.8.3",
-      "resolved": "https://registry.npmjs.org/yaml/-/yaml-2.8.3.tgz",
-      "integrity": "sha512-AvbaCLOO2Otw/lW5bmh9d/WEdcDFdQp2Z2ZUH3pX9U2ihyUY0nvLv7J6TrWowklRGPYbB/IuIMfYgxaCPg5Bpg==",
+      "version": "2.8.4",
+      "resolved": "https://registry.npmjs.org/yaml/-/yaml-2.8.4.tgz",
+      "integrity": "sha512-ml/JPOj9fOQK8RNnWojA67GbZ0ApXAUlN2UQclwv2eVgTgn7O9gg9o7paZWKMp4g0H3nTLtS9LVzhkpOFIKzog==",
      "license": "ISC",
      "bin": {
        "yaml": "bin.mjs"
@@ -10385,10 +10404,10 @@
        "@octokit/core": "^7.0.6",
        "@octokit/plugin-paginate-rest": ">=9.2.2",
        "@octokit/plugin-rest-endpoint-methods": "^17.0.0",
-        "yaml": "^2.8.3"
+        "yaml": "^2.8.4"
      },
      "devDependencies": {
-        "@types/node": "^20.19.9",
+        "@types/node": "^20.19.39",
        "tsx": "^4.21.0"
      }
    }
@@ -1,11 +1,11 @@
 {
  "name": "codeql",
-  "version": "4.35.4",
+  "version": "4.35.5",
  "private": true,
  "description": "CodeQL action",
  "scripts": {
    "_build_comment": "echo 'Run the full build so we typecheck the project and can reuse the transpiled files in npm test'",
-    "build": "./scripts/check-node-modules.sh && npm run transpile && node build.mjs && npx tsx ./pr-checks/bundle-metadata.ts",
+    "build": "./scripts/check-node-modules.sh && npm run transpile && node build.mjs",
    "lint": "eslint --report-unused-disable-directives --max-warnings=0 .",
    "lint-ci": "SARIF_ESLINT_IGNORE_SUPPRESSED=true eslint --report-unused-disable-directives --max-warnings=0 . --format @microsoft/eslint-formatter-sarif --output-file=eslint.sarif",
    "lint-fix": "eslint --report-unused-disable-directives --max-warnings=0 . --fix",
@@ -50,25 +50,25 @@
    "@types/archiver": "^7.0.0",
    "@types/follow-redirects": "^1.14.4",
    "@types/js-yaml": "^4.0.9",
-    "@types/node": "^20.19.9",
+    "@types/node": "^20.19.39",
    "@types/node-forge": "^1.3.14",
    "@types/sarif": "^2.1.7",
    "@types/semver": "^7.7.1",
    "@types/sinon": "^21.0.1",
    "ava": "^7.0.0",
    "esbuild": "^0.28.0",
-    "eslint": "^9.39.2",
+    "eslint": "^9.39.4",
    "eslint-import-resolver-typescript": "^4.4.4",
    "eslint-plugin-github": "^6.0.0",
    "eslint-plugin-import-x": "^4.16.2",
    "eslint-plugin-jsdoc": "^62.9.0",
    "eslint-plugin-no-async-foreach": "^0.1.1",
    "glob": "^11.1.0",
-    "globals": "^17.5.0",
+    "globals": "^17.6.0",
    "nock": "^14.0.12",
    "sinon": "^21.1.2",
-    "typescript": "^6.0.2",
-    "typescript-eslint": "^8.58.2"
+    "typescript": "^6.0.3",
+    "typescript-eslint": "^8.59.2"
  },
  "overrides": {
    "@actions/tool-cache": {
@@ -89,7 +89,6 @@
    "eslint-plugin-jsx-a11y": {
      "semver": ">=6.3.1"
    },
-    "brace-expansion@2.0.1": "2.0.2",
    "glob": "^11.1.0",
    "undici": "^6.24.0"
  }
@@ -5,7 +5,7 @@ versions:
  - default
 steps:
  - name: Set up Ruby
-    uses: ruby/setup-ruby@0cb964fd540e0a24c900370abf38a33466142735 # v1.305.0
+    uses: ruby/setup-ruby@c4e5b1316158f92e3d49443a9d58b31d25ac0f8f # v1.306.0
    with:
      ruby-version: 2.6
  - name: Install Code Scanning integration
@@ -7,10 +7,10 @@
    "@octokit/core": "^7.0.6",
    "@octokit/plugin-paginate-rest": ">=9.2.2",
    "@octokit/plugin-rest-endpoint-methods": "^17.0.0",
-    "yaml": "^2.8.3"
+    "yaml": "^2.8.4"
  },
  "devDependencies": {
-    "@types/node": "^20.19.9",
+    "@types/node": "^20.19.39",
    "tsx": "^4.21.0"
  }
 }
@@ -19,6 +19,25 @@ inputs:
      If not specified, the Action will check in several places until it finds
      the CodeQL tools.
    required: false
+  languages:
+    description: >-
+      A comma-separated list of CodeQL languages that will be analyzed in subsequent
+      `github/codeql-action/init` and `github/codeql-action/analyze` invocations. If specified, the
+      Action may use this list to select a CodeQL CLI version that is best suited to analyzing those
+      languages, for example by preferring a version that has a cached overlay-base database for the
+      specified languages. This input is not remembered and must also be passed to
+      `github/codeql-action/init`.
+    required: false
+  analysis-kinds:
+    description: >-
+      [Internal] A comma-separated list of analysis kinds that subsequent
+      `github/codeql-action/init` invocations will enable. If specified, the Action may use this
+      list to select a CodeQL CLI version that is best suited to those analysis kinds. This input is
+      not remembered and must also be passed to `github/codeql-action/init`.
+
+      Available options are the same as for the `analysis-kinds` input on the `init` Action.
+    default: 'code-scanning'
+    required: true
  token:
    description: GitHub token to use for authenticating with this instance of GitHub.
    default: ${{ github.token }}
@@ -16,7 +16,7 @@ import {
 } from "./analyses";
 import { EnvVar } from "./environment";
 import { getRunnerLogger } from "./logging";
-import { setupTests } from "./testing-utils";
+import { createFeatures, RecordingLogger, setupTests } from "./testing-utils";
 import { AssessmentPayload } from "./upload-lib/types";
 import { ConfigurationError } from "./util";

@@ -53,24 +53,56 @@ test("Parsing analysis kinds requires at least one analysis kind", async (t) =>
 test.serial(
  "getAnalysisKinds - returns expected analysis kinds for `analysis-kinds` input",
  async (t) => {
+    process.env[EnvVar.TEST_MODE] = "true";
+    const features = createFeatures([]);
    const requiredInputStub = sinon.stub(actionsUtil, "getRequiredInput");
    requiredInputStub
      .withArgs("analysis-kinds")
      .returns("code-scanning,code-quality");
-    const result = await getAnalysisKinds(getRunnerLogger(true), true);
+    const result = await getAnalysisKinds(
+      getRunnerLogger(true),
+      features,
+      true,
+    );
    t.assert(result.includes(AnalysisKind.CodeScanning));
    t.assert(result.includes(AnalysisKind.CodeQuality));
  },
 );

+test.serial(
+  "getAnalysisKinds - only use `code-scanning` for multiple analysis kinds outside of test mode",
+  async (t) => {
+    process.env[EnvVar.TEST_MODE] = "false";
+    const features = createFeatures([]);
+    const logger = new RecordingLogger();
+    const requiredInputStub = sinon.stub(actionsUtil, "getRequiredInput");
+    requiredInputStub
+      .withArgs("analysis-kinds")
+      .returns("code-scanning,code-quality");
+    const result = await getAnalysisKinds(logger, features, true);
+    t.deepEqual(result, [AnalysisKind.CodeScanning]);
+    t.assert(
+      logger.hasMessage(
+        "Continuing with only `analysis-kinds: code-scanning`.",
+      ),
+    );
+  },
+);
+
 test.serial(
  "getAnalysisKinds - includes `code-quality` when deprecated `quality-queries` input is used",
  async (t) => {
+    process.env[EnvVar.TEST_MODE] = "true";
+    const features = createFeatures([]);
    const requiredInputStub = sinon.stub(actionsUtil, "getRequiredInput");
    requiredInputStub.withArgs("analysis-kinds").returns("code-scanning");
    const optionalInputStub = sinon.stub(actionsUtil, "getOptionalInput");
    optionalInputStub.withArgs("quality-queries").returns("code-quality");
-    const result = await getAnalysisKinds(getRunnerLogger(true), true);
+    const result = await getAnalysisKinds(
+      getRunnerLogger(true),
+      features,
+      true,
+    );
    t.assert(result.includes(AnalysisKind.CodeScanning));
    t.assert(result.includes(AnalysisKind.CodeQuality));
  },
@@ -79,9 +111,12 @@ test.serial(
 test.serial(
  "getAnalysisKinds - throws if `analysis-kinds` input is invalid",
  async (t) => {
+    const features = createFeatures([]);
    const requiredInputStub = sinon.stub(actionsUtil, "getRequiredInput");
    requiredInputStub.withArgs("analysis-kinds").returns("no-such-thing");
-    await t.throwsAsync(getAnalysisKinds(getRunnerLogger(true), true));
+    await t.throwsAsync(
+      getAnalysisKinds(getRunnerLogger(true), features, true),
+    );
  },
 );

@@ -98,11 +133,17 @@ for (let i = 0; i < analysisKinds.length; i++) {
      test.serial(
        `getAnalysisKinds - allows ${analysisKind} with ${otherAnalysis}`,
        async (t) => {
+          process.env[EnvVar.TEST_MODE] = "true";
+          const features = createFeatures([]);
          const requiredInputStub = sinon.stub(actionsUtil, "getRequiredInput");
          requiredInputStub
            .withArgs("analysis-kinds")
            .returns([analysisKind, otherAnalysis].join(","));
-          const result = await getAnalysisKinds(getRunnerLogger(true), true);
+          const result = await getAnalysisKinds(
+            getRunnerLogger(true),
+            features,
+            true,
+          );
          t.is(result.length, 2);
        },
      );
@@ -110,14 +151,18 @@ for (let i = 0; i < analysisKinds.length; i++) {
      test.serial(
        `getAnalysisKinds - throws if ${analysisKind} is enabled with ${otherAnalysis}`,
        async (t) => {
+          const features = createFeatures([]);
          const requiredInputStub = sinon.stub(actionsUtil, "getRequiredInput");
          requiredInputStub
            .withArgs("analysis-kinds")
            .returns([analysisKind, otherAnalysis].join(","));
-          await t.throwsAsync(getAnalysisKinds(getRunnerLogger(true), true), {
-            instanceOf: ConfigurationError,
-            message: `${analysisKind} and ${otherAnalysis} cannot be enabled at the same time`,
-          });
+          await t.throwsAsync(
+            getAnalysisKinds(getRunnerLogger(true), features, true),
+            {
+              instanceOf: ConfigurationError,
+              message: `${analysisKind} and ${otherAnalysis} cannot be enabled at the same time`,
+            },
+          );
        },
      );
    }
@@ -4,13 +4,14 @@ import {
  getRequiredInput,
 } from "./actions-util";
 import { EnvVar } from "./environment";
+import { Feature, FeatureEnablement } from "./feature-flags";
 import { Logger } from "./logging";
 import {
  AssessmentPayload,
  BasePayload,
  UploadPayload,
 } from "./upload-lib/types";
-import { ConfigurationError, getRequiredEnvParam } from "./util";
+import { ConfigurationError, getRequiredEnvParam, isInTestMode } from "./util";

 export enum AnalysisKind {
  CodeScanning = "code-scanning",
@@ -77,6 +78,7 @@ let cachedAnalysisKinds: AnalysisKind[] | undefined;
 */
 export async function getAnalysisKinds(
  logger: Logger,
+  features: FeatureEnablement,
  skipCache: boolean = false,
 ): Promise<AnalysisKind[]> {
  if (!skipCache && cachedAnalysisKinds !== undefined) {
@@ -120,6 +122,25 @@ export async function getAnalysisKinds(
    }
  }

+  // Log an error if we have multiple inputs for `analysis-kinds` outside of test mode,
+  // and enable only `code-scanning`.
+  if (
+    !isInTestMode() &&
+    analysisKinds.length > 1 &&
+    !(await features.getValue(Feature.AllowMultipleAnalysisKinds))
+  ) {
+    logger.error(
+      "The `analysis-kinds` input is experimental and for GitHub-internal use only. " +
+        "Its behaviour may change at any time or be removed entirely. " +
+        "Specifying multiple values as input is no longer supported. " +
+        "Continuing with only `analysis-kinds: code-scanning`.",
+    );
+
+    // Only enable Code Scanning.
+    cachedAnalysisKinds = [AnalysisKind.CodeScanning];
+    return cachedAnalysisKinds;
+  }
+
  // Cache the analysis kinds and return them.
  cachedAnalysisKinds = analysisKinds;
  return cachedAnalysisKinds;
@@ -141,7 +141,12 @@ test("scanArtifactsForTokens handles files without tokens", async (t) => {
  }
 });

-if (os.platform() !== "win32") {
+// This test is slow (extracts and scans a zip artifact), so by default we only run it in CI. Set
+// RUN_SLOW_TESTS=1 to run it locally.
+if (
+  os.platform() !== "win32" &&
+  (process.env.CI === "true" || process.env.RUN_SLOW_TESTS === "1")
+) {
  test("scanArtifactsForTokens finds token in debug artifacts", async (t) => {
    t.timeout(15000); // 15 seconds
    const messages: LoggedMessage[] = [];
@@ -156,6 +156,10 @@ async function scanArchiveFile(
    );
  }

+  if (process.platform === "win32") {
+    throw new Error("Scanning archives is not supported on Windows.");
+  }
+
  const result: ScanResult = {
    scannedFiles: 0,
    findings: [],
@@ -33,6 +33,7 @@ import {
  mockBundleDownloadApi,
  makeVersionInfo,
  createTestConfig,
+  makeMacro,
 } from "./testing-utils";
 import { ToolsDownloadStatusReport } from "./tools-download";
 import * as util from "./util";
@@ -70,8 +71,10 @@ async function installIntoToolcache({
    tmpDir,
    util.GitHubVariant.GHES,
    cliVersion !== undefined
-      ? { cliVersion, tagName }
+      ? { enabledVersions: [{ cliVersion, tagName }] }
      : SAMPLE_DEFAULT_CLI_VERSION,
+    undefined, // rawLanguages
+    false, // useOverlayAwareDefaultCliVersion
    createFeatures([]),
    getRunnerLogger(true),
    false,
@@ -143,6 +146,8 @@ test.serial(
          tmpDir,
          util.GitHubVariant.DOTCOM,
          SAMPLE_DEFAULT_CLI_VERSION,
+          undefined, // rawLanguages
+          false, // useOverlayAwareDefaultCliVersion
          features,
          getRunnerLogger(true),
          false,
@@ -175,6 +180,8 @@ test.serial(
        tmpDir,
        util.GitHubVariant.DOTCOM,
        SAMPLE_DEFAULT_CLI_VERSION,
+        undefined, // rawLanguages
+        false, // useOverlayAwareDefaultCliVersion
        features,
        getRunnerLogger(true),
        false,
@@ -214,6 +221,8 @@ test.serial(
        tmpDir,
        util.GitHubVariant.DOTCOM,
        SAMPLE_DEFAULT_CLI_VERSION,
+        undefined, // rawLanguages
+        false, // useOverlayAwareDefaultCliVersion
        features,
        getRunnerLogger(true),
        false,
@@ -264,6 +273,8 @@ for (const {
          tmpDir,
          util.GitHubVariant.DOTCOM,
          SAMPLE_DEFAULT_CLI_VERSION,
+          undefined, // rawLanguages
+          false, // useOverlayAwareDefaultCliVersion
          features,
          getRunnerLogger(true),
          false,
@@ -284,11 +295,11 @@ for (const {
 for (const toolcacheVersion of [
  // Test that we use the tools from the toolcache when `SAMPLE_DEFAULT_CLI_VERSION` is requested
  // and `SAMPLE_DEFAULT_CLI_VERSION-` is in the toolcache.
-  SAMPLE_DEFAULT_CLI_VERSION.cliVersion,
-  `${SAMPLE_DEFAULT_CLI_VERSION.cliVersion}-20230101`,
+  SAMPLE_DEFAULT_CLI_VERSION.enabledVersions[0].cliVersion,
+  `${SAMPLE_DEFAULT_CLI_VERSION.enabledVersions[0].cliVersion}-20230101`,
 ]) {
  test.serial(
-    `uses tools from toolcache when ${SAMPLE_DEFAULT_CLI_VERSION.cliVersion} is requested and ` +
+    `uses tools from toolcache when ${SAMPLE_DEFAULT_CLI_VERSION.enabledVersions[0].cliVersion} is requested and ` +
      `${toolcacheVersion} is installed`,
    async (t) => {
      const features = createFeatures([]);
@@ -308,11 +319,16 @@ for (const toolcacheVersion of [
          tmpDir,
          util.GitHubVariant.DOTCOM,
          SAMPLE_DEFAULT_CLI_VERSION,
+          undefined, // rawLanguages
+          false, // useOverlayAwareDefaultCliVersion
          features,
          getRunnerLogger(true),
          false,
        );
-        t.is(result.toolsVersion, SAMPLE_DEFAULT_CLI_VERSION.cliVersion);
+        t.is(
+          result.toolsVersion,
+          SAMPLE_DEFAULT_CLI_VERSION.enabledVersions[0].cliVersion,
+        );
        t.is(result.toolsSource, ToolsSource.Toolcache);
        t.is(result.toolsDownloadStatusReport?.combinedDurationMs, undefined);
        t.is(result.toolsDownloadStatusReport?.downloadDurationMs, undefined);
@@ -342,9 +358,15 @@ test.serial(
        tmpDir,
        util.GitHubVariant.GHES,
        {
-          cliVersion: defaults.cliVersion,
-          tagName: defaults.bundleVersion,
+          enabledVersions: [
+            {
+              cliVersion: defaults.cliVersion,
+              tagName: defaults.bundleVersion,
+            },
+          ],
        },
+        undefined, // rawLanguages
+        false, // useOverlayAwareDefaultCliVersion
        features,
        getRunnerLogger(true),
        false,
@@ -384,9 +406,15 @@ test.serial(
        tmpDir,
        util.GitHubVariant.GHES,
        {
-          cliVersion: defaults.cliVersion,
-          tagName: defaults.bundleVersion,
+          enabledVersions: [
+            {
+              cliVersion: defaults.cliVersion,
+              tagName: defaults.bundleVersion,
+            },
+          ],
        },
+        undefined, // rawLanguages
+        false, // useOverlayAwareDefaultCliVersion
        features,
        getRunnerLogger(true),
        false,
@@ -426,6 +454,8 @@ test.serial(
        tmpDir,
        util.GitHubVariant.DOTCOM,
        SAMPLE_DEFAULT_CLI_VERSION,
+        undefined, // rawLanguages
+        false, // useOverlayAwareDefaultCliVersion
        features,
        getRunnerLogger(true),
        false,
@@ -467,6 +497,8 @@ test.serial(
        tmpDir,
        util.GitHubVariant.DOTCOM,
        SAMPLE_DEFAULT_CLI_VERSION,
+        undefined, // rawLanguages
+        false, // useOverlayAwareDefaultCliVersion
        features,
        getRunnerLogger(true),
        false,
@@ -540,7 +572,7 @@ test.serial("getExtraOptions throws for bad content", (t) => {
 });

 // Test macro for ensuring different variants of injected augmented configurations
-const injectedConfigMacro = test.macro({
+const injectedConfigMacro = makeMacro({
  exec: async (
    t: ExecutionContext<unknown>,
    augmentationProperties: AugmentationProperties,
@@ -590,9 +622,8 @@ const injectedConfigMacro = test.macro({
    `databaseInitCluster() injected config: ${providedTitle}`,
 });

-test.serial(
+injectedConfigMacro.serial(
  "basic",
-  injectedConfigMacro,
  {
    ...defaultAugmentationProperties,
  },
@@ -600,9 +631,8 @@ test.serial(
  {},
 );

-test.serial(
+injectedConfigMacro.serial(
  "injected packs from input",
-  injectedConfigMacro,
  {
    ...defaultAugmentationProperties,
    packsInput: ["xxx", "yyy"],
@@ -613,9 +643,8 @@ test.serial(
  },
 );

-test.serial(
+injectedConfigMacro.serial(
  "injected packs from input with existing packs combines",
-  injectedConfigMacro,
  {
    ...defaultAugmentationProperties,
    packsInputCombines: true,
@@ -635,9 +664,8 @@ test.serial(
  },
 );

-test.serial(
+injectedConfigMacro.serial(
  "injected packs from input with existing packs overrides",
-  injectedConfigMacro,
  {
    ...defaultAugmentationProperties,
    packsInput: ["xxx", "yyy"],
@@ -655,9 +683,8 @@ test.serial(
 );

 // similar, but with queries
-test.serial(
+injectedConfigMacro.serial(
  "injected queries from input",
-  injectedConfigMacro,
  {
    ...defaultAugmentationProperties,
    queriesInput: [{ uses: "xxx" }, { uses: "yyy" }],
@@ -675,9 +702,8 @@ test.serial(
  },
 );

-test.serial(
+injectedConfigMacro.serial(
  "injected queries from input overrides",
-  injectedConfigMacro,
  {
    ...defaultAugmentationProperties,
    queriesInput: [{ uses: "xxx" }, { uses: "yyy" }],
@@ -699,9 +725,8 @@ test.serial(
  },
 );

-test.serial(
+injectedConfigMacro.serial(
  "injected queries from input combines",
-  injectedConfigMacro,
  {
    ...defaultAugmentationProperties,
    queriesInputCombines: true,
@@ -727,9 +752,8 @@ test.serial(
  },
 );

-test.serial(
+injectedConfigMacro.serial(
  "injected queries from input combines 2",
-  injectedConfigMacro,
  {
    ...defaultAugmentationProperties,
    queriesInputCombines: true,
@@ -749,9 +773,8 @@ test.serial(
  },
 );

-test.serial(
+injectedConfigMacro.serial(
  "injected queries and packs, but empty",
-  injectedConfigMacro,
  {
    ...defaultAugmentationProperties,
    queriesInputCombines: true,
@@ -768,9 +791,8 @@ test.serial(
  {},
 );

-test.serial(
+injectedConfigMacro.serial(
  "repo property queries have the highest precedence",
-  injectedConfigMacro,
  {
    ...defaultAugmentationProperties,
    queriesInputCombines: true,
@@ -790,9 +812,8 @@ test.serial(
  },
 );

-test.serial(
+injectedConfigMacro.serial(
  "repo property queries combines with queries input",
-  injectedConfigMacro,
  {
    ...defaultAugmentationProperties,
    queriesInputCombines: false,
@@ -817,9 +838,8 @@ test.serial(
  },
 );

-test.serial(
+injectedConfigMacro.serial(
  "repo property queries combines everything else",
-  injectedConfigMacro,
  {
    ...defaultAugmentationProperties,
    queriesInputCombines: true,
@@ -305,6 +305,8 @@ const EXTRACTION_DEBUG_MODE_VERBOSITY = "progress++";
 * @param tempDir
 * @param variant
 * @param defaultCliVersion
+ * @param rawLanguages Raw set of languages.
+ * @param useOverlayAwareDefaultCliVersion Whether to select an overlay-aware default CLI version.
 * @param features Information about the features that are enabled.
 * @param logger
 * @param checkVersion Whether to check that CodeQL CLI meets the minimum
@@ -317,6 +319,8 @@ export async function setupCodeQL(
  tempDir: string,
  variant: util.GitHubVariant,
  defaultCliVersion: CodeQLDefaultVersionInfo,
+  rawLanguages: string[] | undefined,
+  useOverlayAwareDefaultCliVersion: boolean,
  features: FeatureEnablement,
  logger: Logger,
  checkVersion: boolean,
@@ -340,6 +344,8 @@ export async function setupCodeQL(
      tempDir,
      variant,
      defaultCliVersion,
+      rawLanguages,
+      useOverlayAwareDefaultCliVersion,
      features,
      logger,
    );
@@ -35,6 +35,7 @@ import {
  LoggedMessage,
  mockCodeQLVersion,
  createTestConfig,
+  makeMacro,
 } from "./testing-utils";
 import {
  GitHubVariant,
@@ -1035,10 +1036,9 @@ const defaultOverlayDatabaseModeTestSetup: OverlayDatabaseModeTestSetup = {
  repositoryProperties: {},
 };

-const checkOverlayEnablementMacro = test.macro({
+const checkOverlayEnablementMacro = makeMacro({
  exec: async (
    t: ExecutionContext,
-    _title: string,
    setupOverrides: Partial<OverlayDatabaseModeTestSetup>,
    expected:
      | {
@@ -1132,11 +1132,10 @@ const checkOverlayEnablementMacro = test.macro({
      }
    });
  },
-  title: (_, title) => `checkOverlayEnablement: ${title}`,
+  title: (title) => `checkOverlayEnablement: ${title}`,
 });

-test.serial(
-  checkOverlayEnablementMacro,
+checkOverlayEnablementMacro.serial(
  "Environment variable override - Overlay",
  {
    overlayDatabaseEnvVar: "overlay",
@@ -1147,8 +1146,7 @@ test.serial(
  },
 );

-test.serial(
-  checkOverlayEnablementMacro,
+checkOverlayEnablementMacro.serial(
  "Environment variable override - OverlayBase",
  {
    overlayDatabaseEnvVar: "overlay-base",
@@ -1159,8 +1157,7 @@ test.serial(
  },
 );

-test.serial(
-  checkOverlayEnablementMacro,
+checkOverlayEnablementMacro.serial(
  "Environment variable override - None",
  {
    overlayDatabaseEnvVar: "none",
@@ -1170,8 +1167,7 @@ test.serial(
  },
 );

-test.serial(
-  checkOverlayEnablementMacro,
+checkOverlayEnablementMacro.serial(
  "Ignore invalid environment variable",
  {
    overlayDatabaseEnvVar: "invalid-mode",
@@ -1181,8 +1177,7 @@ test.serial(
  },
 );

-test.serial(
-  checkOverlayEnablementMacro,
+checkOverlayEnablementMacro.serial(
  "Ignore feature flag when analyzing non-default branch",
  {
    languages: [BuiltInLanguage.javascript],
@@ -1193,8 +1188,7 @@ test.serial(
  },
 );

-test.serial(
-  checkOverlayEnablementMacro,
+checkOverlayEnablementMacro.serial(
  "Overlay-base database on default branch when feature enabled",
  {
    languages: [BuiltInLanguage.javascript],
@@ -1207,15 +1201,14 @@ test.serial(
  },
 );

-test.serial(
-  checkOverlayEnablementMacro,
+checkOverlayEnablementMacro.serial(
  "Overlay-base database on default branch when feature enabled with custom analysis",
  {
    languages: [BuiltInLanguage.javascript],
    features: [Feature.OverlayAnalysis, Feature.OverlayAnalysisJavascript],
    codeScanningConfig: {
      packs: ["some-custom-pack@1.0.0"],
-    } as UserConfig,
+    },
    isDefaultBranch: true,
  },
  {
@@ -1224,8 +1217,7 @@ test.serial(
  },
 );

-test.serial(
-  checkOverlayEnablementMacro,
+checkOverlayEnablementMacro.serial(
  "Overlay-base database on default branch when code-scanning feature enabled",
  {
    languages: [BuiltInLanguage.javascript],
@@ -1241,8 +1233,7 @@ test.serial(
  },
 );

-test.serial(
-  checkOverlayEnablementMacro,
+checkOverlayEnablementMacro.serial(
  "No overlay-base database on default branch if runner disk space is too low",
  {
    languages: [BuiltInLanguage.javascript],
@@ -1261,8 +1252,7 @@ test.serial(
  },
 );

-test.serial(
-  checkOverlayEnablementMacro,
+checkOverlayEnablementMacro.serial(
  "No overlay-base database on default branch if we can't determine runner disk space",
  {
    languages: [BuiltInLanguage.javascript],
@@ -1278,8 +1268,7 @@ test.serial(
  },
 );

-test.serial(
-  checkOverlayEnablementMacro,
+checkOverlayEnablementMacro.serial(
  "Overlay-base database on default branch if runner disk space is too low and skip resource checks flag is enabled",
  {
    languages: [BuiltInLanguage.javascript],
@@ -1300,8 +1289,7 @@ test.serial(
  },
 );

-test.serial(
-  checkOverlayEnablementMacro,
+checkOverlayEnablementMacro.serial(
  "No overlay-base database on default branch if runner disk space is below v2 limit and v2 resource checks enabled",
  {
    languages: [BuiltInLanguage.javascript],
@@ -1321,8 +1309,7 @@ test.serial(
  },
 );

-test.serial(
-  checkOverlayEnablementMacro,
+checkOverlayEnablementMacro.serial(
  "Overlay-base database on default branch if runner disk space is between v2 and v1 limits and v2 resource checks enabled",
  {
    languages: [BuiltInLanguage.javascript],
@@ -1343,8 +1330,7 @@ test.serial(
  },
 );

-test.serial(
-  checkOverlayEnablementMacro,
+checkOverlayEnablementMacro.serial(
  "No overlay-base database on default branch if runner disk space is between v2 and v1 limits and v2 resource checks not enabled",
  {
    languages: [BuiltInLanguage.javascript],
@@ -1363,8 +1349,7 @@ test.serial(
  },
 );

-test.serial(
-  checkOverlayEnablementMacro,
+checkOverlayEnablementMacro.serial(
  "No overlay-base database on default branch if memory flag is too low",
  {
    languages: [BuiltInLanguage.javascript],
@@ -1380,8 +1365,7 @@ test.serial(
  },
 );

-test.serial(
-  checkOverlayEnablementMacro,
+checkOverlayEnablementMacro.serial(
  "Overlay-base database on default branch if memory flag is too low but CodeQL >= 2.24.3",
  {
    languages: [BuiltInLanguage.javascript],
@@ -1399,8 +1383,7 @@ test.serial(
  },
 );

-test.serial(
-  checkOverlayEnablementMacro,
+checkOverlayEnablementMacro.serial(
  "Overlay-base database on default branch if memory flag is too low and skip resource checks flag is enabled",
  {
    languages: [BuiltInLanguage.javascript],
@@ -1418,8 +1401,7 @@ test.serial(
  },
 );

-test.serial(
-  checkOverlayEnablementMacro,
+checkOverlayEnablementMacro.serial(
  "No overlay-base database on default branch when cached status indicates previous failure",
  {
    languages: [BuiltInLanguage.javascript],
@@ -1436,8 +1418,7 @@ test.serial(
  },
 );

-test.serial(
-  checkOverlayEnablementMacro,
+checkOverlayEnablementMacro.serial(
  "No overlay analysis on PR when cached status indicates previous failure",
  {
    languages: [BuiltInLanguage.javascript],
@@ -1454,8 +1435,7 @@ test.serial(
  },
 );

-test.serial(
-  checkOverlayEnablementMacro,
+checkOverlayEnablementMacro.serial(
  "No overlay-base database on default branch when code-scanning feature enabled with disable-default-queries",
  {
    languages: [BuiltInLanguage.javascript],
@@ -1465,7 +1445,7 @@ test.serial(
    ],
    codeScanningConfig: {
      "disable-default-queries": true,
-    } as UserConfig,
+    },
    isDefaultBranch: true,
  },
  {
@@ -1473,8 +1453,7 @@ test.serial(
  },
 );

-test.serial(
-  checkOverlayEnablementMacro,
+checkOverlayEnablementMacro.serial(
  "No overlay-base database on default branch when code-scanning feature enabled with packs",
  {
    languages: [BuiltInLanguage.javascript],
@@ -1484,7 +1463,7 @@ test.serial(
    ],
    codeScanningConfig: {
      packs: ["some-custom-pack@1.0.0"],
-    } as UserConfig,
+    },
    isDefaultBranch: true,
  },
  {
@@ -1492,8 +1471,7 @@ test.serial(
  },
 );

-test.serial(
-  checkOverlayEnablementMacro,
+checkOverlayEnablementMacro.serial(
  "No overlay-base database on default branch when code-scanning feature enabled with queries",
  {
    languages: [BuiltInLanguage.javascript],
@@ -1503,7 +1481,7 @@ test.serial(
    ],
    codeScanningConfig: {
      queries: [{ uses: "some-query.ql" }],
-    } as UserConfig,
+    },
    isDefaultBranch: true,
  },
  {
@@ -1511,8 +1489,7 @@ test.serial(
  },
 );

-test.serial(
-  checkOverlayEnablementMacro,
+checkOverlayEnablementMacro.serial(
  "No overlay-base database on default branch when code-scanning feature enabled with query-filters",
  {
    languages: [BuiltInLanguage.javascript],
@@ -1522,7 +1499,7 @@ test.serial(
    ],
    codeScanningConfig: {
      "query-filters": [{ include: { "security-severity": "high" } }],
-    } as UserConfig,
+    },
    isDefaultBranch: true,
  },
  {
@@ -1530,8 +1507,7 @@ test.serial(
  },
 );

-test.serial(
-  checkOverlayEnablementMacro,
+checkOverlayEnablementMacro.serial(
  "No overlay-base database on default branch when only language-specific feature enabled",
  {
    languages: [BuiltInLanguage.javascript],
@@ -1543,8 +1519,7 @@ test.serial(
  },
 );

-test.serial(
-  checkOverlayEnablementMacro,
+checkOverlayEnablementMacro.serial(
  "No overlay-base database on default branch when only code-scanning feature enabled",
  {
    languages: [BuiltInLanguage.javascript],
@@ -1556,8 +1531,7 @@ test.serial(
  },
 );

-test.serial(
-  checkOverlayEnablementMacro,
+checkOverlayEnablementMacro.serial(
  "No overlay-base database on default branch when language-specific feature disabled",
  {
    languages: [BuiltInLanguage.javascript],
@@ -1569,8 +1543,7 @@ test.serial(
  },
 );

-test.serial(
-  checkOverlayEnablementMacro,
+checkOverlayEnablementMacro.serial(
  "Overlay analysis on PR when feature enabled",
  {
    languages: [BuiltInLanguage.javascript],
@@ -1583,15 +1556,14 @@ test.serial(
  },
 );

-test.serial(
-  checkOverlayEnablementMacro,
+checkOverlayEnablementMacro.serial(
  "Overlay analysis on PR when feature enabled with custom analysis",
  {
    languages: [BuiltInLanguage.javascript],
    features: [Feature.OverlayAnalysis, Feature.OverlayAnalysisJavascript],
    codeScanningConfig: {
      packs: ["some-custom-pack@1.0.0"],
-    } as UserConfig,
+    },
    isPullRequest: true,
  },
  {
@@ -1600,8 +1572,7 @@ test.serial(
  },
 );

-test.serial(
-  checkOverlayEnablementMacro,
+checkOverlayEnablementMacro.serial(
  "Overlay analysis on PR when code-scanning feature enabled",
  {
    languages: [BuiltInLanguage.javascript],
@@ -1617,8 +1588,7 @@ test.serial(
  },
 );

-test.serial(
-  checkOverlayEnablementMacro,
+checkOverlayEnablementMacro.serial(
  "No overlay analysis on PR if runner disk space is too low",
  {
    languages: [BuiltInLanguage.javascript],
@@ -1637,8 +1607,7 @@ test.serial(
  },
 );

-test.serial(
-  checkOverlayEnablementMacro,
+checkOverlayEnablementMacro.serial(
  "Overlay analysis on PR if runner disk space is too low and skip resource checks flag is enabled",
  {
    languages: [BuiltInLanguage.javascript],
@@ -1659,8 +1628,7 @@ test.serial(
  },
 );

-test.serial(
-  checkOverlayEnablementMacro,
+checkOverlayEnablementMacro.serial(
  "No overlay analysis on PR if we can't determine runner disk space",
  {
    languages: [BuiltInLanguage.javascript],
@@ -1676,8 +1644,7 @@ test.serial(
  },
 );

-test.serial(
-  checkOverlayEnablementMacro,
+checkOverlayEnablementMacro.serial(
  "No overlay analysis on PR if memory flag is too low",
  {
    languages: [BuiltInLanguage.javascript],
@@ -1693,8 +1660,7 @@ test.serial(
  },
 );

-test.serial(
-  checkOverlayEnablementMacro,
+checkOverlayEnablementMacro.serial(
  "Overlay analysis on PR if memory flag is too low but CodeQL >= 2.24.3",
  {
    languages: [BuiltInLanguage.javascript],
@@ -1712,8 +1678,7 @@ test.serial(
  },
 );

-test.serial(
-  checkOverlayEnablementMacro,
+checkOverlayEnablementMacro.serial(
  "Overlay analysis on PR if memory flag is too low and skip resource checks flag is enabled",
  {
    languages: [BuiltInLanguage.javascript],
@@ -1731,8 +1696,7 @@ test.serial(
  },
 );

-test.serial(
-  checkOverlayEnablementMacro,
+checkOverlayEnablementMacro.serial(
  "No overlay analysis on PR when code-scanning feature enabled with disable-default-queries",
  {
    languages: [BuiltInLanguage.javascript],
@@ -1742,7 +1706,7 @@ test.serial(
    ],
    codeScanningConfig: {
      "disable-default-queries": true,
-    } as UserConfig,
+    },
    isPullRequest: true,
  },
  {
@@ -1750,8 +1714,7 @@ test.serial(
  },
 );

-test.serial(
-  checkOverlayEnablementMacro,
+checkOverlayEnablementMacro.serial(
  "No overlay analysis on PR when code-scanning feature enabled with packs",
  {
    languages: [BuiltInLanguage.javascript],
@@ -1761,7 +1724,7 @@ test.serial(
    ],
    codeScanningConfig: {
      packs: ["some-custom-pack@1.0.0"],
-    } as UserConfig,
+    },
    isPullRequest: true,
  },
  {
@@ -1769,8 +1732,7 @@ test.serial(
  },
 );

-test.serial(
-  checkOverlayEnablementMacro,
+checkOverlayEnablementMacro.serial(
  "No overlay analysis on PR when code-scanning feature enabled with queries",
  {
    languages: [BuiltInLanguage.javascript],
@@ -1780,7 +1742,7 @@ test.serial(
    ],
    codeScanningConfig: {
      queries: [{ uses: "some-query.ql" }],
-    } as UserConfig,
+    },
    isPullRequest: true,
  },
  {
@@ -1788,8 +1750,7 @@ test.serial(
  },
 );

-test.serial(
-  checkOverlayEnablementMacro,
+checkOverlayEnablementMacro.serial(
  "No overlay analysis on PR when code-scanning feature enabled with query-filters",
  {
    languages: [BuiltInLanguage.javascript],
@@ -1799,7 +1760,7 @@ test.serial(
    ],
    codeScanningConfig: {
      "query-filters": [{ include: { "security-severity": "high" } }],
-    } as UserConfig,
+    },
    isPullRequest: true,
  },
  {
@@ -1807,8 +1768,7 @@ test.serial(
  },
 );

-test.serial(
-  checkOverlayEnablementMacro,
+checkOverlayEnablementMacro.serial(
  "No overlay analysis on PR when only language-specific feature enabled",
  {
    languages: [BuiltInLanguage.javascript],
@@ -1820,8 +1780,7 @@ test.serial(
  },
 );

-test.serial(
-  checkOverlayEnablementMacro,
+checkOverlayEnablementMacro.serial(
  "No overlay analysis on PR when only code-scanning feature enabled",
  {
    languages: [BuiltInLanguage.javascript],
@@ -1833,8 +1792,7 @@ test.serial(
  },
 );

-test.serial(
-  checkOverlayEnablementMacro,
+checkOverlayEnablementMacro.serial(
  "No overlay analysis on PR when language-specific feature disabled",
  {
    languages: [BuiltInLanguage.javascript],
@@ -1846,8 +1804,7 @@ test.serial(
  },
 );

-test.serial(
-  checkOverlayEnablementMacro,
+checkOverlayEnablementMacro.serial(
  "Overlay PR analysis by env",
  {
    overlayDatabaseEnvVar: "overlay",
@@ -1858,8 +1815,7 @@ test.serial(
  },
 );

-test.serial(
-  checkOverlayEnablementMacro,
+checkOverlayEnablementMacro.serial(
  "Overlay PR analysis by env on a runner with low disk space",
  {
    overlayDatabaseEnvVar: "overlay",
@@ -1871,8 +1827,7 @@ test.serial(
  },
 );

-test.serial(
-  checkOverlayEnablementMacro,
+checkOverlayEnablementMacro.serial(
  "Overlay PR analysis by feature flag",
  {
    languages: [BuiltInLanguage.javascript],
@@ -1885,8 +1840,7 @@ test.serial(
  },
 );

-test.serial(
-  checkOverlayEnablementMacro,
+checkOverlayEnablementMacro.serial(
  "Fallback due to autobuild with traced language",
  {
    overlayDatabaseEnvVar: "overlay",
@@ -1898,8 +1852,7 @@ test.serial(
  },
 );

-test.serial(
-  checkOverlayEnablementMacro,
+checkOverlayEnablementMacro.serial(
  "Fallback due to no build mode with traced language",
  {
    overlayDatabaseEnvVar: "overlay",
@@ -1911,8 +1864,7 @@ test.serial(
  },
 );

-test.serial(
-  checkOverlayEnablementMacro,
+checkOverlayEnablementMacro.serial(
  "Fallback due to old CodeQL version",
  {
    overlayDatabaseEnvVar: "overlay",
@@ -1923,8 +1875,7 @@ test.serial(
  },
 );

-test.serial(
-  checkOverlayEnablementMacro,
+checkOverlayEnablementMacro.serial(
  "Fallback due to missing git root",
  {
    overlayDatabaseEnvVar: "overlay",
@@ -1935,8 +1886,7 @@ test.serial(
  },
 );

-test.serial(
-  checkOverlayEnablementMacro,
+checkOverlayEnablementMacro.serial(
  "Fallback due to old git version with submodules",
  {
    overlayDatabaseEnvVar: "overlay",
@@ -1948,8 +1898,7 @@ test.serial(
  },
 );

-test.serial(
-  checkOverlayEnablementMacro,
+checkOverlayEnablementMacro.serial(
  "Fallback when git version cannot be determined and repo has submodules",
  {
    overlayDatabaseEnvVar: "overlay",
@@ -1961,8 +1910,7 @@ test.serial(
  },
 );

-test.serial(
-  checkOverlayEnablementMacro,
+checkOverlayEnablementMacro.serial(
  "Overlay enabled when git version cannot be determined and repo has no submodules",
  {
    overlayDatabaseEnvVar: "overlay",
@@ -1975,8 +1923,7 @@ test.serial(
  },
 );

-test.serial(
-  checkOverlayEnablementMacro,
+checkOverlayEnablementMacro.serial(
  "No overlay when disabled via repository property",
  {
    languages: [BuiltInLanguage.javascript],
@@ -1991,8 +1938,7 @@ test.serial(
  },
 );

-test.serial(
-  checkOverlayEnablementMacro,
+checkOverlayEnablementMacro.serial(
  "Overlay not disabled when repository property is false",
  {
    languages: [BuiltInLanguage.javascript],
@@ -2008,8 +1954,7 @@ test.serial(
  },
 );

-test.serial(
-  checkOverlayEnablementMacro,
+checkOverlayEnablementMacro.serial(
  "Environment variable override takes precedence over repository property",
  {
    overlayDatabaseEnvVar: "overlay",
@@ -2025,8 +1970,7 @@ test.serial(

 // Exercise language-specific overlay analysis features code paths
 for (const language in BuiltInLanguage) {
-  test.serial(
-    checkOverlayEnablementMacro,
+  checkOverlayEnablementMacro.serial(
    `Check default overlay analysis feature for ${language}`,
    {
      languages: [language],
@@ -2043,8 +1987,7 @@ for (const language in BuiltInLanguage) {
 // overlay analysis enabled, even when the base overlay feature flag is on.
 // Using swift here as it doesn't currently have overlay support — update this if
 // swift gains overlay support.
-test.serial(
-  checkOverlayEnablementMacro,
+checkOverlayEnablementMacro.serial(
  "No overlay analysis for language without per-language overlay feature flag",
  {
    languages: [BuiltInLanguage.swift],
@@ -407,6 +407,7 @@ export async function getLanguages(
  return languages;
 }

+/** Splits the `languages` input into a list of raw languages without checking if they are supported by CodeQL. */
 export function getRawLanguagesNoAutodetect(
  languagesInput: string | undefined,
 ): string[] {
@@ -7,6 +7,7 @@ import {
  checkExpectedLogMessages,
  getRecordingLogger,
  LoggedMessage,
+  makeMacro,
 } from "../testing-utils";
 import { ConfigurationError, prettyPrintPack } from "../util";

@@ -15,7 +16,7 @@ import * as dbConfig from "./db-config";
 /**
 * Test macro for ensuring the packs block is valid
 */
-const parsePacksMacro = test.macro({
+const parsePacksMacro = makeMacro({
  exec: (
    t: ExecutionContext<unknown>,
    packsInput: string,
@@ -33,7 +34,7 @@ const parsePacksMacro = test.macro({
 /**
 * Test macro for testing when the packs block is invalid
 */
-const parsePacksErrorMacro = test.macro({
+const parsePacksErrorMacro = makeMacro({
  exec: (
    t: ExecutionContext<unknown>,
    packsInput: string,
@@ -49,34 +50,32 @@ const parsePacksErrorMacro = test.macro({
 /**
 * Test macro for testing when the packs block is invalid
 */
-const invalidPackNameMacro = test.macro({
-  exec: (t: ExecutionContext, name: string) =>
-    parsePacksErrorMacro.exec(
+const invalidPackNameMacro = makeMacro({
+  exec: (t: ExecutionContext, arg: string) =>
+    parsePacksErrorMacro.fn(
      t,
-      name,
+      arg,
      [BuiltInLanguage.cpp],
-      new RegExp(`^"${name}" is not a valid pack$`),
+      new RegExp(`^"${arg}" is not a valid pack$`),
    ),
  title: (_providedTitle: string | undefined, arg: string | undefined) =>
    `Invalid pack string: ${arg}`,
 });

-test("no packs", parsePacksMacro, "", [], undefined);
-test("two packs", parsePacksMacro, "a/b,c/d@1.2.3", [BuiltInLanguage.cpp], {
+parsePacksMacro("no packs", "", [], undefined);
+parsePacksMacro("two packs", "a/b,c/d@1.2.3", [BuiltInLanguage.cpp], {
  [BuiltInLanguage.cpp]: ["a/b", "c/d@1.2.3"],
 });
-test(
+parsePacksMacro(
  "two packs with spaces",
-  parsePacksMacro,
  " a/b , c/d@1.2.3 ",
  [BuiltInLanguage.cpp],
  {
    [BuiltInLanguage.cpp]: ["a/b", "c/d@1.2.3"],
  },
 );
-test(
+parsePacksErrorMacro(
  "two packs with language",
-  parsePacksErrorMacro,
  "a/b,c/d@1.2.3",
  [BuiltInLanguage.cpp, BuiltInLanguage.java],
  new RegExp(
@@ -85,9 +84,8 @@ test(
  ),
 );

-test(
+parsePacksMacro(
  "packs with other valid names",
-  parsePacksMacro,
  [
    // ranges are ok
    "c/d@1.0",
@@ -123,23 +121,23 @@ test(
  },
 );

-test(invalidPackNameMacro, "c"); // all packs require at least a scope and a name
-test(invalidPackNameMacro, "c-/d");
-test(invalidPackNameMacro, "-c/d");
-test(invalidPackNameMacro, "c/d_d");
-test(invalidPackNameMacro, "c/d@@");
-test(invalidPackNameMacro, "c/d@1.0.0:");
-test(invalidPackNameMacro, "c/d:");
-test(invalidPackNameMacro, "c/d:/a");
-test(invalidPackNameMacro, "@1.0.0:a");
-test(invalidPackNameMacro, "c/d@../a");
-test(invalidPackNameMacro, "c/d@b/../a");
-test(invalidPackNameMacro, "c/d:z@1");
+invalidPackNameMacro.test("c"); // all packs require at least a scope and a name
+invalidPackNameMacro.test("c-/d");
+invalidPackNameMacro.test("-c/d");
+invalidPackNameMacro.test("c/d_d");
+invalidPackNameMacro.test("c/d@@");
+invalidPackNameMacro.test("c/d@1.0.0:");
+invalidPackNameMacro.test("c/d:");
+invalidPackNameMacro.test("c/d:/a");
+invalidPackNameMacro.test("@1.0.0:a");
+invalidPackNameMacro.test("c/d@../a");
+invalidPackNameMacro.test("c/d@b/../a");
+invalidPackNameMacro.test("c/d:z@1");

 /**
 * Test macro for pretty printing pack specs
 */
-const packSpecPrettyPrintingMacro = test.macro({
+const packSpecPrettyPrintingMacro = makeMacro({
  exec: (t: ExecutionContext, packStr: string, packObj: dbConfig.Pack) => {
    const parsed = dbConfig.parsePacksSpecification(packStr);
    t.deepEqual(parsed, packObj, "parsed pack spec is correct");
@@ -163,36 +161,35 @@ const packSpecPrettyPrintingMacro = test.macro({
  ) => `Prettyprint pack spec: '${packStr}'`,
 });

-test(packSpecPrettyPrintingMacro, "a/b", {
+packSpecPrettyPrintingMacro.test("a/b", {
  name: "a/b",
  version: undefined,
  path: undefined,
 });
-test(packSpecPrettyPrintingMacro, "a/b@~1.2.3", {
+packSpecPrettyPrintingMacro.test("a/b@~1.2.3", {
  name: "a/b",
  version: "~1.2.3",
  path: undefined,
 });
-test(packSpecPrettyPrintingMacro, "a/b@~1.2.3:abc/def", {
+packSpecPrettyPrintingMacro.test("a/b@~1.2.3:abc/def", {
  name: "a/b",
  version: "~1.2.3",
  path: "abc/def",
 });
-test(packSpecPrettyPrintingMacro, "a/b:abc/def", {
+packSpecPrettyPrintingMacro.test("a/b:abc/def", {
  name: "a/b",
  version: undefined,
  path: "abc/def",
 });
-test(packSpecPrettyPrintingMacro, "    a/b:abc/def    ", {
+packSpecPrettyPrintingMacro.test("    a/b:abc/def    ", {
  name: "a/b",
  version: undefined,
  path: "abc/def",
 });

-const calculateAugmentationMacro = test.macro({
+const calculateAugmentationMacro = makeMacro({
  exec: async (
    t: ExecutionContext,
-    _title: string,
    rawPacksInput: string | undefined,
    rawQueriesInput: string | undefined,
    languages: Language[],
@@ -207,11 +204,10 @@ const calculateAugmentationMacro = test.macro({
    );
    t.deepEqual(actualAugmentationProperties, expectedAugmentationProperties);
  },
-  title: (_, title) => `Calculate Augmentation: ${title}`,
+  title: (title) => `Calculate Augmentation: ${title}`,
 });

-test(
-  calculateAugmentationMacro,
+calculateAugmentationMacro(
  "All empty",
  undefined,
  undefined,
@@ -222,8 +218,7 @@ test(
  },
 );

-test(
-  calculateAugmentationMacro,
+calculateAugmentationMacro(
  "With queries",
  undefined,
  " a, b , c, d",
@@ -235,8 +230,7 @@ test(
  },
 );

-test(
-  calculateAugmentationMacro,
+calculateAugmentationMacro(
  "With queries combining",
  undefined,
  "   +   a, b , c, d ",
@@ -249,8 +243,7 @@ test(
  },
 );

-test(
-  calculateAugmentationMacro,
+calculateAugmentationMacro(
  "With packs",
  "   codeql/a , codeql/b   , codeql/c  , codeql/d  ",
  undefined,
@@ -262,8 +255,7 @@ test(
  },
 );

-test(
-  calculateAugmentationMacro,
+calculateAugmentationMacro(
  "With packs combining",
  "   +   codeql/a, codeql/b, codeql/c, codeql/d",
  undefined,
@@ -276,8 +268,7 @@ test(
  },
 );

-test(
-  calculateAugmentationMacro,
+calculateAugmentationMacro(
  "With repo property queries",
  undefined,
  undefined,
@@ -294,8 +285,7 @@ test(
  },
 );

-test(
-  calculateAugmentationMacro,
+calculateAugmentationMacro(
  "With repo property queries combining",
  undefined,
  undefined,
@@ -312,10 +302,9 @@ test(
  },
 );

-const calculateAugmentationErrorMacro = test.macro({
+const calculateAugmentationErrorMacro = makeMacro({
  exec: async (
    t: ExecutionContext,
-    _title: string,
    rawPacksInput: string | undefined,
    rawQueriesInput: string | undefined,
    languages: Language[],
@@ -333,11 +322,10 @@ const calculateAugmentationErrorMacro = test.macro({
      { message: expectedError },
    );
  },
-  title: (_, title) => `Calculate Augmentation Error: ${title}`,
+  title: (title) => `Calculate Augmentation Error: ${title}`,
 });

-test(
-  calculateAugmentationErrorMacro,
+calculateAugmentationErrorMacro(
  "Plus (+) with nothing else (queries)",
  undefined,
  "   +   ",
@@ -346,8 +334,7 @@ test(
  /The workflow property "queries" is invalid/,
 );

-test(
-  calculateAugmentationErrorMacro,
+calculateAugmentationErrorMacro(
  "Plus (+) with nothing else (packs)",
  "   +   ",
  undefined,
@@ -356,8 +343,7 @@ test(
  /The workflow property "packs" is invalid/,
 );

-test(
-  calculateAugmentationErrorMacro,
+calculateAugmentationErrorMacro(
  "Plus (+) with nothing else (repo property queries)",
  undefined,
  undefined,
@@ -368,8 +354,7 @@ test(
  /The repository property "github-codeql-extra-queries" is invalid/,
 );

-test(
-  calculateAugmentationErrorMacro,
+calculateAugmentationErrorMacro(
  "Packs input with multiple languages",
  "   +  a/b, c/d ",
  undefined,
@@ -378,8 +363,7 @@ test(
  /Cannot specify a 'packs' input in a multi-language analysis/,
 );

-test(
-  calculateAugmentationErrorMacro,
+calculateAugmentationErrorMacro(
  "Packs input with no languages",
  "   +  a/b, c/d ",
  undefined,
@@ -388,8 +372,7 @@ test(
  /No languages specified/,
 );

-test(
-  calculateAugmentationErrorMacro,
+calculateAugmentationErrorMacro(
  "Invalid packs",
  " a-pack-without-a-scope ",
  undefined,
@@ -263,7 +263,7 @@ export function getArtifactSuffix(matrix: string | undefined): string {
    try {
      const matrixObject = JSON.parse(matrix);
      if (json.isObject(matrixObject)) {
-        for (const matrixKey of Object.keys(matrixObject as object).sort())
+        for (const matrixKey of Object.keys(matrixObject).sort())
          suffix += `-${matrixObject[matrixKey]}`;
      } else {
        core.warning("User-specified `matrix` input is not an object.");
@@ -1,6 +1,6 @@
 {
-  "bundleVersion": "codeql-bundle-v2.25.3",
-  "cliVersion": "2.25.3",
-  "priorBundleVersion": "codeql-bundle-v2.25.2",
-  "priorCliVersion": "2.25.2"
+  "bundleVersion": "codeql-bundle-v2.25.4",
+  "cliVersion": "2.25.4",
+  "priorBundleVersion": "codeql-bundle-v2.25.3",
+  "priorCliVersion": "2.25.3"
 }
@@ -18,6 +18,7 @@ import {
  mockCodeQLVersion,
  mockFeatureFlagApiEndpoint,
  setupActionsVars,
+  makeMacro,
 } from "./testing-utils";
 import { GitHubVariant, withTmpDir } from "./util";
 import type { GitHubVersion } from "./util";
@@ -44,10 +45,9 @@ const defaultTestCase: DiffInformedAnalysisTestCase = {
  codeQLVersion: "2.21.0",
 };

-const testShouldPerformDiffInformedAnalysis = test.macro({
+const testShouldPerformDiffInformedAnalysis = makeMacro({
  exec: async (
    t: ExecutionContext,
-    _title: string,
    partialTestCase: Partial<DiffInformedAnalysisTestCase>,
    expectedResult: boolean,
  ) => {
@@ -96,18 +96,16 @@ const testShouldPerformDiffInformedAnalysis = test.macro({
      getPullRequestBranchesStub.restore();
    });
  },
-  title: (_, title) => `getDiffInformedAnalysisBranches: ${title}`,
+  title: (title) => `getDiffInformedAnalysisBranches: ${title}`,
 });

-test.serial(
-  testShouldPerformDiffInformedAnalysis,
+testShouldPerformDiffInformedAnalysis.serial(
  "returns true in the default test case",
  {},
  true,
 );

-test.serial(
-  testShouldPerformDiffInformedAnalysis,
+testShouldPerformDiffInformedAnalysis.serial(
  "returns false when feature flag is disabled from the API",
  {
    featureEnabled: false,
@@ -115,8 +113,7 @@ test.serial(
  false,
 );

-test.serial(
-  testShouldPerformDiffInformedAnalysis,
+testShouldPerformDiffInformedAnalysis.serial(
  "returns false when CODEQL_ACTION_DIFF_INFORMED_QUERIES is set to false",
  {
    featureEnabled: true,
@@ -125,8 +122,7 @@ test.serial(
  false,
 );

-test.serial(
-  testShouldPerformDiffInformedAnalysis,
+testShouldPerformDiffInformedAnalysis.serial(
  "returns true when CODEQL_ACTION_DIFF_INFORMED_QUERIES is set to true",
  {
    featureEnabled: false,
@@ -135,8 +131,7 @@ test.serial(
  true,
 );

-test.serial(
-  testShouldPerformDiffInformedAnalysis,
+testShouldPerformDiffInformedAnalysis.serial(
  "returns false for CodeQL version 2.20.0",
  {
    codeQLVersion: "2.20.0",
@@ -144,8 +139,7 @@ test.serial(
  false,
 );

-test.serial(
-  testShouldPerformDiffInformedAnalysis,
+testShouldPerformDiffInformedAnalysis.serial(
  "returns false for invalid GHES version",
  {
    gitHubVersion: {
@@ -156,8 +150,7 @@ test.serial(
  false,
 );

-test.serial(
-  testShouldPerformDiffInformedAnalysis,
+testShouldPerformDiffInformedAnalysis.serial(
  "returns false for GHES version 3.18.5",
  {
    gitHubVersion: {
@@ -168,8 +161,7 @@ test.serial(
  false,
 );

-test.serial(
-  testShouldPerformDiffInformedAnalysis,
+testShouldPerformDiffInformedAnalysis.serial(
  "returns true for GHES version 3.19.0",
  {
    gitHubVersion: {
@@ -180,8 +172,7 @@ test.serial(
  true,
 );

-test.serial(
-  testShouldPerformDiffInformedAnalysis,
+testShouldPerformDiffInformedAnalysis.serial(
  "returns false when not a pull request",
  {
    pullRequestBranches: undefined,
@@ -225,7 +216,7 @@ test.serial(
      // unexpected failure when determining whether diff-informed analysis
      // should run.
      const features: FeatureEnablement = {
-        getDefaultCliVersion: async () => {
+        getEnabledDefaultCliVersions: async () => {
          throw new Error("not implemented");
        },
        getValue: async () => {
@@ -451,12 +451,16 @@ test.serial(`selects CLI from defaults.json on GHES`, async (t) => {
  await withTmpDir(async (tmpDir) => {
    const features = setUpFeatureFlagTests(tmpDir);

-    const defaultCliVersion = await features.getDefaultCliVersion(
+    const defaultCliVersion = await features.getEnabledDefaultCliVersions(
      GitHubVariant.GHES,
    );
    t.deepEqual(defaultCliVersion, {
-      cliVersion: defaults.cliVersion,
-      tagName: defaults.bundleVersion,
+      enabledVersions: [
+        {
+          cliVersion: defaults.cliVersion,
+          tagName: defaults.bundleVersion,
+        },
+      ],
    });
  });
 });
@@ -482,10 +486,13 @@ for (const variant of [GitHubVariant.DOTCOM, GitHubVariant.GHEC_DR]) {
          false;
        mockFeatureFlagApiEndpoint(200, expectedFeatureEnablement);

-        const defaultCliVersion = await features.getDefaultCliVersion(variant);
+        const defaultCliVersion =
+          await features.getEnabledDefaultCliVersions(variant);
        t.deepEqual(defaultCliVersion, {
-          cliVersion: "2.20.1",
-          tagName: "codeql-bundle-v2.20.1",
+          enabledVersions: [
+            { cliVersion: "2.20.1", tagName: "codeql-bundle-v2.20.1" },
+            { cliVersion: "2.20.0", tagName: "codeql-bundle-v2.20.0" },
+          ],
          toolsFeatureFlagsValid: true,
        });
      });
@@ -500,10 +507,15 @@ for (const variant of [GitHubVariant.DOTCOM, GitHubVariant.GHEC_DR]) {
        const expectedFeatureEnablement = initializeFeatures(true);
        mockFeatureFlagApiEndpoint(200, expectedFeatureEnablement);

-        const defaultCliVersion = await features.getDefaultCliVersion(variant);
+        const defaultCliVersion =
+          await features.getEnabledDefaultCliVersions(variant);
        t.deepEqual(defaultCliVersion, {
-          cliVersion: defaults.cliVersion,
-          tagName: defaults.bundleVersion,
+          enabledVersions: [
+            {
+              cliVersion: defaults.cliVersion,
+              tagName: defaults.bundleVersion,
+            },
+          ],
          toolsFeatureFlagsValid: false,
        });
      });
@@ -529,10 +541,13 @@ for (const variant of [GitHubVariant.DOTCOM, GitHubVariant.GHEC_DR]) {
        ] = true;
        mockFeatureFlagApiEndpoint(200, expectedFeatureEnablement);

-        const defaultCliVersion = await features.getDefaultCliVersion(variant);
+        const defaultCliVersion =
+          await features.getEnabledDefaultCliVersions(variant);
        t.deepEqual(defaultCliVersion, {
-          cliVersion: "2.20.1",
-          tagName: "codeql-bundle-v2.20.1",
+          enabledVersions: [
+            { cliVersion: "2.20.1", tagName: "codeql-bundle-v2.20.1" },
+            { cliVersion: "2.20.0", tagName: "codeql-bundle-v2.20.0" },
+          ],
          toolsFeatureFlagsValid: true,
        });

@@ -29,9 +29,32 @@ const DEFAULT_VERSION_FEATURE_FLAG_SUFFIX = "_enabled";
 */
 export const CODEQL_VERSION_ZSTD_BUNDLE = "2.19.0";

-export interface CodeQLDefaultVersionInfo {
+const LINKED_CODEQL_VERSION: CodeQLVersionInfo = {
+  cliVersion: defaults.cliVersion,
+  tagName: defaults.bundleVersion,
+};
+
+export interface CodeQLVersionInfo {
+  /** The version number of the CodeQL CLI, e.g. `2.19.0`. */
  cliVersion: string;
+  /**
+   * The tag name of the CodeQL Bundle associated with this version, e.g. `codeql-bundle-v2.19.0`.
+   */
  tagName: string;
+}
+
+export interface CodeQLDefaultVersionInfo {
+  /**
+   * CodeQL CLI versions that are enabled as defaults, sorted from highest to lowest.
+   *
+   * Guaranteed to be non-empty. When feature flags are unavailable, this falls back to a single
+   * entry containing the version pinned in `defaults.json`.
+   */
+  enabledVersions: CodeQLVersionInfo[];
+  /**
+   * If accessed, whether the tools feature flags are valid, i.e. contain at least one enabled
+   * version.
+   */
  toolsFeatureFlagsValid?: boolean;
 }

@@ -44,6 +67,8 @@ export interface CodeQLDefaultVersionInfo {
 * Legacy features should end with `_enabled`.
 */
 export enum Feature {
+  /** Controls whether we allow multiple values for the `analysis-kinds` input. */
+  AllowMultipleAnalysisKinds = "allow_multiple_analysis_kinds",
  AllowToolcacheInput = "allow_toolcache_input",
  CleanupTrapCaches = "cleanup_trap_caches",
  CppDependencyInstallation = "cpp_dependency_installation_enabled",
@@ -72,6 +97,19 @@ export enum Feature {
  OverlayAnalysisGo = "overlay_analysis_go",
  OverlayAnalysisJava = "overlay_analysis_java",
  OverlayAnalysisJavascript = "overlay_analysis_javascript",
+  /**
+   * When set, chooses the default CodeQL CLI version as the highest version that is both enabled by
+   * feature flags and present as an overlay-base database in the Actions cache for the configured
+   * languages. Falls back to the highest feature flagged version if no intersecting overlay-base
+   * database exists in the cache.
+   */
+  OverlayAnalysisMatchCodeqlVersion = "overlay_analysis_match_codeql_version",
+  /**
+   * Like `OverlayAnalysisMatchCodeqlVersion`, but only logs a diagnostic with the version that
+   * would have been chosen instead of actually changing the default CodeQL CLI version.
+   * `OverlayAnalysisMatchCodeqlVersion` overrides this flag.
+   */
+  OverlayAnalysisMatchCodeqlVersionDryRun = "overlay_analysis_match_codeql_version_dry_run",
  OverlayAnalysisPython = "overlay_analysis_python",
  /**
   * Controls whether lower disk space requirements are used for overlay hardware checks.
@@ -124,6 +162,11 @@ export type FeatureConfig = {
 };

 export const featureConfig = {
+  [Feature.AllowMultipleAnalysisKinds]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_ALLOW_MULTIPLE_ANALYSIS_KINDS",
+    minimumVersion: undefined,
+  },
  [Feature.AllowToolcacheInput]: {
    defaultValue: false,
    envVar: "CODEQL_ACTION_ALLOW_TOOLCACHE_INPUT",
@@ -277,6 +320,16 @@ export const featureConfig = {
    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_DISABLE_TRAP_CACHING",
    minimumVersion: undefined,
  },
+  [Feature.OverlayAnalysisMatchCodeqlVersion]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_MATCH_CODEQL_VERSION",
+    minimumVersion: undefined,
+  },
+  [Feature.OverlayAnalysisMatchCodeqlVersionDryRun]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_MATCH_CODEQL_VERSION_DRY_RUN",
+    minimumVersion: undefined,
+  },
  [Feature.OverlayAnalysisResourceChecksV2]: {
    defaultValue: false,
    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_RESOURCE_CHECKS_V2",
@@ -346,8 +399,12 @@ export type FeatureWithoutCLI = {
 }[keyof typeof featureConfig];

 export interface FeatureEnablement {
-  /** Gets the default version of the CodeQL tools. */
-  getDefaultCliVersion(
+  /**
+   * Returns the set of default CodeQL CLI versions to consider, sorted from
+   * highest to lowest. The first entry is the version that the CodeQL Action
+   * will use by default. The list is always non-empty.
+   */
+  getEnabledDefaultCliVersions(
    variant: util.GitHubVariant,
  ): Promise<CodeQLDefaultVersionInfo>;
  getValue(feature: FeatureWithoutCLI): Promise<boolean>;
@@ -371,12 +428,11 @@ export const FEATURE_FLAGS_FILE_NAME = "cached-feature-flags.json";
 class OfflineFeatures implements FeatureEnablement {
  constructor(protected readonly logger: Logger) {}

-  async getDefaultCliVersion(
+  async getEnabledDefaultCliVersions(
    _variant: util.GitHubVariant,
  ): Promise<CodeQLDefaultVersionInfo> {
    return {
-      cliVersion: defaults.cliVersion,
-      tagName: defaults.bundleVersion,
+      enabledVersions: [LINKED_CODEQL_VERSION],
    };
  }

@@ -386,7 +442,7 @@ class OfflineFeatures implements FeatureEnablement {
  getFeatureConfig(feature: Feature): FeatureConfig {
    // Narrow the type to FeatureConfig to avoid type errors. To avoid unsafe use of `as`, we
    // check that the required properties exist using `satisfies`.
-    return featureConfig[feature] satisfies FeatureConfig as FeatureConfig;
+    return featureConfig[feature] satisfies FeatureConfig;
  }

  /**
@@ -518,13 +574,13 @@ class Features extends OfflineFeatures {
    );
  }

-  async getDefaultCliVersion(
+  async getEnabledDefaultCliVersions(
    variant: util.GitHubVariant,
  ): Promise<CodeQLDefaultVersionInfo> {
    if (supportsFeatureFlags(variant)) {
-      return await this.gitHubFeatureFlags.getDefaultCliVersionFromFlags();
+      return await this.gitHubFeatureFlags.getEnabledDefaultCliVersionsFromFlags();
    }
-    return super.getDefaultCliVersion(variant);
+    return super.getEnabledDefaultCliVersions(variant);
  }

  /**
@@ -600,16 +656,22 @@ class GitHubFeatureFlags {
    return version;
  }

-  async getDefaultCliVersionFromFlags(): Promise<CodeQLDefaultVersionInfo> {
+  /**
+   * Returns CLI versions enabled by `default_codeql_version_*_enabled` feature
+   * flags, sorted from highest to lowest. Falls back to the version pinned in
+   * `defaults.json` if no such flags are enabled.
+   */
+  async getEnabledDefaultCliVersionsFromFlags(): Promise<CodeQLDefaultVersionInfo> {
    const response = await this.getAllFeatures();

-    const enabledFeatureFlagCliVersions = Object.entries(response)
+    const sortedCliVersions = Object.entries(response)
      .map(([f, isEnabled]) =>
        isEnabled ? this.getCliVersionFromFeatureFlag(f) : undefined,
      )
-      .filter((f): f is string => f !== undefined);
+      .filter((f): f is string => f !== undefined)
+      .sort(semver.rcompare);

-    if (enabledFeatureFlagCliVersions.length === 0) {
+    if (sortedCliVersions.length === 0) {
      // We expect at least one default CLI version to be enabled on Dotcom at any time. However if
      // the feature flags are misconfigured, rather than crashing, we fall back to the CLI version
      // shipped with the Action in defaults.json. This has the effect of immediately rolling out
@@ -625,8 +687,7 @@ class GitHubFeatureFlags {
          `shipped with the Action. This is ${defaults.cliVersion}.`,
      );
      const result: CodeQLDefaultVersionInfo = {
-        cliVersion: defaults.cliVersion,
-        tagName: defaults.bundleVersion,
+        enabledVersions: [LINKED_CODEQL_VERSION],
      };
      if (this.hasAccessedRemoteFeatureFlags) {
        result.toolsFeatureFlagsValid = false;
@@ -634,17 +695,14 @@ class GitHubFeatureFlags {
      return result;
    }

-    const maxCliVersion = enabledFeatureFlagCliVersions.reduce(
-      (maxVersion, currentVersion) =>
-        currentVersion > maxVersion ? currentVersion : maxVersion,
-      enabledFeatureFlagCliVersions[0],
-    );
    this.logger.debug(
-      `Derived default CLI version of ${maxCliVersion} from feature flags.`,
+      `Derived default CLI version of ${sortedCliVersions[0]} from feature flags.`,
    );
    return {
-      cliVersion: maxCliVersion,
-      tagName: `codeql-bundle-v${maxCliVersion}`,
+      enabledVersions: sortedCliVersions.map((cliVersion) => ({
+        cliVersion,
+        tagName: `codeql-bundle-v${cliVersion}`,
+      })),
      toolsFeatureFlagsValid: true,
    };
  }
@@ -19,6 +19,7 @@ import {
  createFeatures,
  createTestConfig,
  DEFAULT_ACTIONS_VARS,
+  makeMacro,
  makeVersionInfo,
  RecordingLogger,
  setupActionsVars,
@@ -601,7 +602,7 @@ async function testFailedSarifUpload(
  uploadFiles.resolves({
    sarifID: "42",
    statusReport: { raw_upload_size_bytes: 20, zipped_upload_size_bytes: 10 },
-  } as uploadLib.UploadResult);
+  });
  const waitForProcessing = sinon.stub(uploadLib, "waitForProcessing");

  const features = [] as Feature[];
@@ -796,7 +797,7 @@ test.serial(
  },
 );

-const skippedUploadTest = test.macro({
+const skippedUploadTest = makeMacro({
  exec: async (
    t: ExecutionContext<unknown>,
    config: Partial<configUtils.Config>,
@@ -823,9 +824,8 @@ const skippedUploadTest = test.macro({
    `tryUploadSarifIfRunFailed - skips upload ${providedTitle}`,
 });

-test.serial(
+skippedUploadTest.serial(
  "without CodeQL command",
-  skippedUploadTest,
  // No codeQLCmd
  {
    analysisKinds: [AnalysisKind.RiskAssessment],
@@ -834,9 +834,8 @@ test.serial(
  "CodeQL command not found",
 );

-test.serial(
+skippedUploadTest.serial(
  "if no language is configured",
-  skippedUploadTest,
  // No explicit language configuration
  {
    analysisKinds: [AnalysisKind.RiskAssessment],
@@ -845,9 +844,8 @@ test.serial(
  "Unexpectedly, the configuration is not for a single language.",
 );

-test.serial(
+skippedUploadTest.serial(
  "if multiple languages is configured",
-  skippedUploadTest,
  // Multiple explicit languages configured
  {
    analysisKinds: [AnalysisKind.RiskAssessment],
@@ -276,7 +276,7 @@ async function run(startedAt: Date) {
    // successful, the results are cached so that we don't duplicate the work in normal runs.
    let analysisKinds: AnalysisKind[] | undefined;
    try {
-      analysisKinds = await getAnalysisKinds(logger);
+      analysisKinds = await getAnalysisKinds(logger, features);
    } catch (err) {
      logger.debug(
        `Failed to parse analysis kinds for 'starting' status report: ${getErrorMessage(err)}`,
@@ -293,16 +293,23 @@ async function run(startedAt: Date) {
      );
    }

-    const codeQLDefaultVersionInfo = await features.getDefaultCliVersion(
-      gitHubVersion.type,
-    );
+    const codeQLDefaultVersionInfo =
+      await features.getEnabledDefaultCliVersions(gitHubVersion.type);
    toolsFeatureFlagsValid = codeQLDefaultVersionInfo.toolsFeatureFlagsValid;
+    const rawLanguages = configUtils.getRawLanguagesNoAutodetect(
+      getOptionalInput("languages"),
+    );
+    const useOverlayAwareDefaultCliVersion =
+      analysisKinds?.length === 1 &&
+      analysisKinds[0] === AnalysisKind.CodeScanning;
    const initCodeQLResult = await initCodeQL(
      getOptionalInput("tools"),
      apiDetails,
      getTemporaryDirectory(),
      gitHubVersion.type,
      codeQLDefaultVersionInfo,
+      rawLanguages,
+      useOverlayAwareDefaultCliVersion,
      features,
      logger,
    );
@@ -341,7 +348,7 @@ async function run(startedAt: Date) {
      }
    }

-    analysisKinds = await getAnalysisKinds(logger);
+    analysisKinds = await getAnalysisKinds(logger, features);
    const debugMode = getOptionalInput("debug") === "true" || core.isDebug();
    const repositoryProperties = repositoryPropertiesResult.orElse({});
    const fileCoverageResult = await getFileCoverageInformationEnabled(
@@ -22,6 +22,7 @@ import {
  createTestConfig,
  getRecordingLogger,
  setupTests,
+  makeMacro,
 } from "./testing-utils";
 import { ConfigurationError, withTmpDir } from "./util";

@@ -158,10 +159,9 @@ type PackInfo = {
  qlpackFileName?: string;
 };

-const testCheckPacksForOverlayCompatibility = test.macro({
+const testCheckPacksForOverlayCompatibility = makeMacro({
  exec: async (
    t: ExecutionContext,
-    _title: string,
    {
      cliOverlayVersion,
      languages,
@@ -234,11 +234,10 @@ const testCheckPacksForOverlayCompatibility = test.macro({
      );
    });
  },
-  title: (_, title) => `checkPacksForOverlayCompatibility: ${title}`,
+  title: (title) => `checkPacksForOverlayCompatibility: ${title}`,
 });

-test(
-  testCheckPacksForOverlayCompatibility,
+testCheckPacksForOverlayCompatibility(
  "returns false when CLI does not support overlay",
  {
    cliOverlayVersion: undefined,
@@ -253,8 +252,7 @@ test(
  },
 );

-test(
-  testCheckPacksForOverlayCompatibility,
+testCheckPacksForOverlayCompatibility(
  "returns true when there are no query packs",
  {
    cliOverlayVersion: 2,
@@ -264,8 +262,7 @@ test(
  },
 );

-test(
-  testCheckPacksForOverlayCompatibility,
+testCheckPacksForOverlayCompatibility(
  "returns true when query pack has not been compiled",
  {
    cliOverlayVersion: 2,
@@ -281,8 +278,7 @@ test(
  },
 );

-test(
-  testCheckPacksForOverlayCompatibility,
+testCheckPacksForOverlayCompatibility(
  "returns true when query pack has expected overlay version",
  {
    cliOverlayVersion: 2,
@@ -297,8 +293,7 @@ test(
  },
 );

-test(
-  testCheckPacksForOverlayCompatibility,
+testCheckPacksForOverlayCompatibility(
  "returns true when query packs for all languages to analyze are compatible",
  {
    cliOverlayVersion: 2,
@@ -317,8 +312,7 @@ test(
  },
 );

-test(
-  testCheckPacksForOverlayCompatibility,
+testCheckPacksForOverlayCompatibility(
  "returns true when query pack for a language not analyzed is incompatible",
  {
    cliOverlayVersion: 2,
@@ -337,8 +331,7 @@ test(
  },
 );

-test(
-  testCheckPacksForOverlayCompatibility,
+testCheckPacksForOverlayCompatibility(
  "returns false when query pack for a language to analyze is incompatible",
  {
    cliOverlayVersion: 2,
@@ -357,8 +350,7 @@ test(
  },
 );

-test(
-  testCheckPacksForOverlayCompatibility,
+testCheckPacksForOverlayCompatibility(
  "returns false when query pack is missing .packinfo",
  {
    cliOverlayVersion: 2,
@@ -377,8 +369,7 @@ test(
  },
 );

-test(
-  testCheckPacksForOverlayCompatibility,
+testCheckPacksForOverlayCompatibility(
  "returns false when query pack has different overlay version",
  {
    cliOverlayVersion: 2,
@@ -397,8 +388,7 @@ test(
  },
 );

-test(
-  testCheckPacksForOverlayCompatibility,
+testCheckPacksForOverlayCompatibility(
  "returns false when query pack is missing overlayVersion in .packinfo",
  {
    cliOverlayVersion: 2,
@@ -417,8 +407,7 @@ test(
  },
 );

-test(
-  testCheckPacksForOverlayCompatibility,
+testCheckPacksForOverlayCompatibility(
  "returns false when .packinfo is not valid JSON",
  {
    cliOverlayVersion: 2,
@@ -437,8 +426,7 @@ test(
  },
 );

-test(
-  testCheckPacksForOverlayCompatibility,
+testCheckPacksForOverlayCompatibility(
  "returns true when query pack uses codeql-pack.yml filename",
  {
    cliOverlayVersion: 2,
@@ -39,6 +39,8 @@ export async function initCodeQL(
  tempDir: string,
  variant: util.GitHubVariant,
  defaultCliVersion: CodeQLDefaultVersionInfo,
+  rawLanguages: string[] | undefined,
+  useOverlayAwareDefaultCliVersion: boolean,
  features: FeatureEnablement,
  logger: Logger,
 ): Promise<{
@@ -61,6 +63,8 @@ export async function initCodeQL(
    tempDir,
    variant,
    defaultCliVersion,
+    rawLanguages,
+    useOverlayAwareDefaultCliVersion,
    features,
    logger,
    true,
@@ -13,6 +13,7 @@ import { BuiltInLanguage } from "../languages";
 import { getRunnerLogger } from "../logging";
 import {
  createTestConfig,
+  makeMacro,
  mockCodeQLVersion,
  setupTests,
 } from "../testing-utils";
@@ -51,10 +52,9 @@ const defaultDownloadTestCase: DownloadOverlayBaseDatabaseTestCase = {
  resolveDatabaseOutput: { overlayBaseSpecifier: "20250626:XXX" },
 };

-const testDownloadOverlayBaseDatabaseFromCache = test.macro({
+const testDownloadOverlayBaseDatabaseFromCache = makeMacro({
  exec: async (
    t,
-    _title: string,
    partialTestCase: Partial<DownloadOverlayBaseDatabaseTestCase>,
    expectDownloadSuccess: boolean,
  ) => {
@@ -142,18 +142,16 @@ const testDownloadOverlayBaseDatabaseFromCache = test.macro({
      }
    });
  },
-  title: (_, title) => `downloadOverlayBaseDatabaseFromCache: ${title}`,
+  title: (title) => `downloadOverlayBaseDatabaseFromCache: ${title}`,
 });

-test.serial(
-  testDownloadOverlayBaseDatabaseFromCache,
+testDownloadOverlayBaseDatabaseFromCache.serial(
  "returns stats when successful",
  {},
  true,
 );

-test.serial(
-  testDownloadOverlayBaseDatabaseFromCache,
+testDownloadOverlayBaseDatabaseFromCache.serial(
  "returns undefined when mode is OverlayDatabaseMode.OverlayBase",
  {
    overlayDatabaseMode: OverlayDatabaseMode.OverlayBase,
@@ -161,8 +159,7 @@ test.serial(
  false,
 );

-test.serial(
-  testDownloadOverlayBaseDatabaseFromCache,
+testDownloadOverlayBaseDatabaseFromCache.serial(
  "returns undefined when mode is OverlayDatabaseMode.None",
  {
    overlayDatabaseMode: OverlayDatabaseMode.None,
@@ -170,8 +167,7 @@ test.serial(
  false,
 );

-test.serial(
-  testDownloadOverlayBaseDatabaseFromCache,
+testDownloadOverlayBaseDatabaseFromCache.serial(
  "returns undefined when caching is disabled",
  {
    useOverlayDatabaseCaching: false,
@@ -179,8 +175,7 @@ test.serial(
  false,
 );

-test.serial(
-  testDownloadOverlayBaseDatabaseFromCache,
+testDownloadOverlayBaseDatabaseFromCache.serial(
  "returns undefined in test mode",
  {
    isInTestMode: true,
@@ -188,8 +183,7 @@ test.serial(
  false,
 );

-test.serial(
-  testDownloadOverlayBaseDatabaseFromCache,
+testDownloadOverlayBaseDatabaseFromCache.serial(
  "returns undefined when cache miss",
  {
    restoreCacheResult: undefined,
@@ -197,8 +191,7 @@ test.serial(
  false,
 );

-test.serial(
-  testDownloadOverlayBaseDatabaseFromCache,
+testDownloadOverlayBaseDatabaseFromCache.serial(
  "returns undefined when download fails",
  {
    restoreCacheResult: new Error("Download failed"),
@@ -206,8 +199,7 @@ test.serial(
  false,
 );

-test.serial(
-  testDownloadOverlayBaseDatabaseFromCache,
+testDownloadOverlayBaseDatabaseFromCache.serial(
  "returns undefined when downloaded database is invalid",
  {
    hasBaseDatabaseOidsFile: false,
@@ -215,8 +207,7 @@ test.serial(
  false,
 );

-test.serial(
-  testDownloadOverlayBaseDatabaseFromCache,
+testDownloadOverlayBaseDatabaseFromCache.serial(
  "returns undefined when downloaded database doesn't have an overlayBaseSpecifier",
  {
    resolveDatabaseOutput: {},
@@ -224,8 +215,7 @@ test.serial(
  false,
 );

-test.serial(
-  testDownloadOverlayBaseDatabaseFromCache,
+testDownloadOverlayBaseDatabaseFromCache.serial(
  "returns undefined when resolving database metadata fails",
  {
    resolveDatabaseOutput: new Error("Failed to resolve database metadata"),
@@ -233,8 +223,7 @@ test.serial(
  false,
 );

-test.serial(
-  testDownloadOverlayBaseDatabaseFromCache,
+testDownloadOverlayBaseDatabaseFromCache.serial(
  "returns undefined when filesystem error occurs",
  {
    tryGetFolderBytesSucceeds: false,
@@ -391,6 +380,32 @@ test.serial(
  },
 );

+test.serial(
+  "getCodeQlVersionsForOverlayBaseDatabases de-duplicates resolved language aliases",
+  async (t) => {
+    const logger = getRunnerLogger(true);
+
+    sinon.stub(apiClient, "getAutomationID").resolves("test-automation-id/");
+    const listActionsCachesStub = sinon
+      .stub(apiClient, "listActionsCaches")
+      .resolves([
+        {
+          key: "codeql-overlay-base-database-1-c5666c509a2d9895-javascript_python-2.25.0-abc123-1-1",
+        },
+      ]);
+
+    const result = await getCodeQlVersionsForOverlayBaseDatabases(
+      ["javascript", "typescript", "Python", "python"],
+      logger,
+    );
+    t.deepEqual(result, ["2.25.0"]);
+    sinon.assert.calledOnceWithExactly(
+      listActionsCachesStub,
+      "codeql-overlay-base-database-1-c5666c509a2d9895-javascript_python-",
+    );
+  },
+);
+
 test.serial(
  "getCodeQlVersionsForOverlayBaseDatabases ignores nightly versions with build metadata",
  async (t) => {
@@ -461,9 +461,10 @@ export async function getCodeQlVersionsForOverlayBaseDatabases(
    );
    return undefined;
  }
-  const cacheKeyPrefix = await getCacheKeyPrefixBase(
-    languages.filter((l) => l !== undefined),
-  );
+  const dedupedLanguages = [
+    ...new Set(languages.filter((l) => l !== undefined)),
+  ];
+  const cacheKeyPrefix = await getCacheKeyPrefixBase(dedupedLanguages);

  logger.debug(
    `Searching for overlay-base databases in Actions cache with ` +
@@ -7,8 +7,10 @@ import {
  getRequiredInput,
  getTemporaryDirectory,
 } from "./actions-util";
+import { AnalysisKind, getAnalysisKinds } from "./analyses";
 import { getGitHubVersion } from "./api-client";
 import { CodeQL } from "./codeql";
+import { getRawLanguagesNoAutodetect } from "./config-utils";
 import { EnvVar } from "./environment";
 import { initFeatures } from "./feature-flags";
 import { initCodeQL } from "./init";
@@ -136,16 +138,22 @@ async function run(startedAt: Date): Promise<void> {
    if (statusReportBase !== undefined) {
      await sendStatusReport(statusReportBase);
    }
-    const codeQLDefaultVersionInfo = await features.getDefaultCliVersion(
-      gitHubVersion.type,
-    );
+    const codeQLDefaultVersionInfo =
+      await features.getEnabledDefaultCliVersions(gitHubVersion.type);
    toolsFeatureFlagsValid = codeQLDefaultVersionInfo.toolsFeatureFlagsValid;
+    const rawLanguages = getRawLanguagesNoAutodetect(
+      getOptionalInput("languages"),
+    );
+    const analysisKinds = await getAnalysisKinds(logger, features);
    const initCodeQLResult = await initCodeQL(
      getOptionalInput("tools"),
      apiDetails,
      getTemporaryDirectory(),
      gitHubVersion.type,
      codeQLDefaultVersionInfo,
+      rawLanguages,
+      analysisKinds.length === 1 &&
+        analysisKinds[0] === AnalysisKind.CodeScanning,
      features,
      logger,
    );
@@ -7,8 +7,9 @@ import * as sinon from "sinon";

 import * as actionsUtil from "./actions-util";
 import * as api from "./api-client";
-import { Feature, FeatureEnablement } from "./feature-flags";
+import { Feature } from "./feature-flags";
 import { getRunnerLogger } from "./logging";
+import { getCacheRestoreKeyPrefix } from "./overlay/caching";
 import * as setupCodeql from "./setup-codeql";
 import * as tar from "./tar";
 import {
@@ -18,8 +19,9 @@ import {
  SAMPLE_DOTCOM_API_DETAILS,
  checkExpectedLogMessages,
  createFeatures,
+  createTestConfig,
  getRecordingLogger,
-  initializeFeatures,
+  makeMacro,
  mockBundleDownloadApi,
  setupActionsVars,
  setupTests,
@@ -33,14 +35,6 @@ import {

 setupTests(test);

-// TODO: Remove when when we no longer need to pass in features (https://github.com/github/codeql-action/issues/2600)
-const expectedFeatureEnablement: FeatureEnablement = initializeFeatures(
-  true,
-) as FeatureEnablement;
-expectedFeatureEnablement.getValue = function (feature: Feature) {
-  // eslint-disable-next-line @typescript-eslint/no-unsafe-return
-  return expectedFeatureEnablement[feature];
-};
 test.beforeEach(() => {
  initializeEnvironment("1.2.3");
 });
@@ -107,6 +101,8 @@ test.serial(
      const source = await setupCodeql.getCodeQLSource(
        `https://github.com/github/codeql-action/releases/download/${tagName}/codeql-bundle-linux64.tar.gz`,
        SAMPLE_DEFAULT_CLI_VERSION,
+        undefined, // rawLanguages
+        false, // useOverlayAwareDefaultCliVersion
        SAMPLE_DOTCOM_API_DETAILS,
        GitHubVariant.DOTCOM,
        false,
@@ -130,6 +126,8 @@ test.serial(
      const source = await setupCodeql.getCodeQLSource(
        "linked",
        SAMPLE_DEFAULT_CLI_VERSION,
+        undefined, // rawLanguages
+        false, // useOverlayAwareDefaultCliVersion
        SAMPLE_DOTCOM_API_DETAILS,
        GitHubVariant.DOTCOM,
        false,
@@ -155,6 +153,8 @@ test.serial(
      const source = await setupCodeql.getCodeQLSource(
        "latest",
        SAMPLE_DEFAULT_CLI_VERSION,
+        undefined, // rawLanguages
+        false, // useOverlayAwareDefaultCliVersion
        SAMPLE_DOTCOM_API_DETAILS,
        GitHubVariant.DOTCOM,
        false,
@@ -211,6 +211,8 @@ test.serial(
        "tmp/codeql_action_test/",
        GitHubVariant.DOTCOM,
        SAMPLE_DEFAULT_CLI_VERSION,
+        undefined, // rawLanguages
+        false, // useOverlayAwareDefaultCliVersion
        features,
        logger,
      );
@@ -266,6 +268,8 @@ test.serial(
        "tmp/codeql_action_test/",
        GitHubVariant.DOTCOM,
        SAMPLE_DEFAULT_CLI_VERSION,
+        undefined, // rawLanguages
+        false, // useOverlayAwareDefaultCliVersion
        features,
        logger,
      );
@@ -317,6 +321,8 @@ test.serial(
      const source = await setupCodeql.getCodeQLSource(
        "nightly",
        SAMPLE_DEFAULT_CLI_VERSION,
+        undefined, // rawLanguages
+        false, // useOverlayAwareDefaultCliVersion
        SAMPLE_DOTCOM_API_DETAILS,
        GitHubVariant.DOTCOM,
        false,
@@ -378,6 +384,8 @@ test.serial(
      const source = await setupCodeql.getCodeQLSource(
        undefined,
        SAMPLE_DEFAULT_CLI_VERSION,
+        undefined, // rawLanguages
+        false, // useOverlayAwareDefaultCliVersion
        SAMPLE_DOTCOM_API_DETAILS,
        GitHubVariant.DOTCOM,
        false,
@@ -432,6 +440,8 @@ test.serial(
      const source = await setupCodeql.getCodeQLSource(
        "toolcache",
        SAMPLE_DEFAULT_CLI_VERSION,
+        undefined, // rawLanguages
+        false, // useOverlayAwareDefaultCliVersion
        SAMPLE_DOTCOM_API_DETAILS,
        GitHubVariant.DOTCOM,
        false,
@@ -473,7 +483,7 @@ test.serial(
  },
 );

-const toolcacheInputFallbackMacro = test.macro({
+const toolcacheInputFallbackMacro = makeMacro({
  exec: async (
    t: ExecutionContext<unknown>,
    featureList: Feature[],
@@ -499,6 +509,8 @@ const toolcacheInputFallbackMacro = test.macro({
      const source = await setupCodeql.getCodeQLSource(
        "toolcache",
        SAMPLE_DEFAULT_CLI_VERSION,
+        undefined, // rawLanguages
+        false, // useOverlayAwareDefaultCliVersion
        SAMPLE_DOTCOM_API_DETAILS,
        GitHubVariant.DOTCOM,
        false,
@@ -514,7 +526,10 @@ const toolcacheInputFallbackMacro = test.macro({

      // Check that `sourceType` and `toolsVersion` match expectations.
      t.is(source.sourceType, "download");
-      t.is(source.toolsVersion, SAMPLE_DEFAULT_CLI_VERSION.cliVersion);
+      t.is(
+        source.toolsVersion,
+        SAMPLE_DEFAULT_CLI_VERSION.enabledVersions[0].cliVersion,
+      );

      // Check that key messages we would expect to find in the log are present.
      for (const expectedMessage of expectedMessages) {
@@ -533,9 +548,8 @@ const toolcacheInputFallbackMacro = test.macro({
    `getCodeQLSource falls back to downloading the CLI if ${providedTitle}`,
 });

-test.serial(
+toolcacheInputFallbackMacro.serial(
  "the toolcache doesn't have a CodeQL CLI when tools == toolcache",
-  toolcacheInputFallbackMacro,
  [Feature.AllowToolcacheInput],
  { GITHUB_EVENT_NAME: "dynamic" },
  [],
@@ -545,9 +559,8 @@ test.serial(
  ],
 );

-test.serial(
+toolcacheInputFallbackMacro.serial(
  "the workflow trigger is not `dynamic`",
-  toolcacheInputFallbackMacro,
  [Feature.AllowToolcacheInput],
  { GITHUB_EVENT_NAME: "pull_request" },
  [],
@@ -556,9 +569,8 @@ test.serial(
  ],
 );

-test.serial(
+toolcacheInputFallbackMacro.serial(
  "the feature flag is not enabled",
-  toolcacheInputFallbackMacro,
  [],
  { GITHUB_EVENT_NAME: "dynamic" },
  [],
@@ -598,3 +610,288 @@ test.serial(
    t.is(setupCodeql.getLatestToolcacheVersion(getRunnerLogger(true)), "3.2.1");
  },
 );
+
+const overlayMatchEnabledVersions = {
+  enabledVersions: [
+    { cliVersion: "2.20.2", tagName: "codeql-bundle-v2.20.2" },
+    { cliVersion: "2.20.1", tagName: "codeql-bundle-v2.20.1" },
+    { cliVersion: "2.20.0", tagName: "codeql-bundle-v2.20.0" },
+  ],
+  toolsFeatureFlagsValid: true,
+};
+
+async function fakeOverlayBaseCacheKey(
+  language: string,
+  cliVersion: string,
+  suffix: string,
+): Promise<string> {
+  const prefix = await getCacheRestoreKeyPrefix(
+    createTestConfig({ languages: [language] }),
+    cliVersion,
+  );
+  return `${prefix}${suffix}`;
+}
+
+test.serial(
+  "getCodeQLSource uses overlay-aware default version when requested for a PR",
+  async (t) => {
+    await withTmpDir(async (tmpDir) => {
+      setupActionsVars(tmpDir, tmpDir);
+      process.env["CODE_SCANNING_REF"] = "refs/heads/feature-branch";
+      process.env["CODE_SCANNING_BASE_BRANCH"] = "main";
+
+      sinon.stub(api, "getAutomationID").resolves("test/");
+      const listStub = sinon.stub(api, "listActionsCaches").resolves([
+        {
+          key: await fakeOverlayBaseCacheKey("javascript", "2.20.1", "abc-1-1"),
+        },
+      ]);
+      sinon
+        .stub(toolcache, "find")
+        .withArgs("CodeQL", "2.20.1")
+        .returns("/path/to/codeql-2.20.1");
+
+      const source = await setupCodeql.getCodeQLSource(
+        undefined,
+        overlayMatchEnabledVersions,
+        ["javascript"],
+        true,
+        SAMPLE_DOTCOM_API_DETAILS,
+        GitHubVariant.DOTCOM,
+        false,
+        createFeatures([Feature.OverlayAnalysisMatchCodeqlVersion]),
+        getRunnerLogger(true),
+      );
+
+      t.assert(listStub.calledOnce);
+      t.is(source.sourceType, "toolcache");
+      t.is(source.toolsVersion, "2.20.1");
+    });
+  },
+);
+
+test.serial(
+  "getCodeQLSource skips overlay-aware default version when not requested",
+  async (t) => {
+    await withTmpDir(async (tmpDir) => {
+      setupActionsVars(tmpDir, tmpDir);
+      process.env["CODE_SCANNING_REF"] = "refs/heads/feature-branch";
+      process.env["CODE_SCANNING_BASE_BRANCH"] = "main";
+
+      sinon.stub(api, "getAutomationID").resolves("test/");
+      const listStub = sinon.stub(api, "listActionsCaches").resolves([
+        {
+          key: await fakeOverlayBaseCacheKey("javascript", "2.20.1", "abc-1-1"),
+        },
+      ]);
+      sinon
+        .stub(toolcache, "find")
+        .withArgs("CodeQL", "2.20.2")
+        .returns("/path/to/codeql-2.20.2");
+
+      const source = await setupCodeql.getCodeQLSource(
+        undefined,
+        overlayMatchEnabledVersions,
+        ["javascript"],
+        false,
+        SAMPLE_DOTCOM_API_DETAILS,
+        GitHubVariant.DOTCOM,
+        false,
+        createFeatures([Feature.OverlayAnalysisMatchCodeqlVersion]),
+        getRunnerLogger(true),
+      );
+
+      t.assert(listStub.notCalled);
+      t.is(source.sourceType, "toolcache");
+      t.is(source.toolsVersion, "2.20.2");
+    });
+  },
+);
+
+test.serial(
+  "getEnabledVersionsWithOverlayBaseDatabases returns flag-enabled versions present in cache, sorted desc",
+  async (t) => {
+    sinon.stub(api, "getAutomationID").resolves("test/");
+    sinon.stub(api, "listActionsCaches").resolves([
+      // Flag-enabled versions present in the cache, listed in non-descending
+      // order so the test exercises the sort.
+      {
+        key: await fakeOverlayBaseCacheKey("javascript", "2.20.0", "ghi-3-1"),
+      },
+      {
+        key: await fakeOverlayBaseCacheKey("javascript", "2.20.1", "def-2-1"),
+      },
+      // Newer than any flag-enabled version: should be filtered out.
+      {
+        key: await fakeOverlayBaseCacheKey("javascript", "2.21.0", "abc-1-1"),
+      },
+    ]);
+
+    const result = await setupCodeql.getEnabledVersionsWithOverlayBaseDatabases(
+      overlayMatchEnabledVersions,
+      ["javascript"],
+      createFeatures([Feature.OverlayAnalysisMatchCodeqlVersion]),
+      getRunnerLogger(true),
+    );
+    t.deepEqual(result, [
+      { cliVersion: "2.20.1", tagName: "codeql-bundle-v2.20.1" },
+      { cliVersion: "2.20.0", tagName: "codeql-bundle-v2.20.0" },
+    ]);
+  },
+);
+
+test.serial(
+  "getEnabledVersionsWithOverlayBaseDatabases returns empty when no cached version is flag-enabled",
+  async (t) => {
+    sinon.stub(api, "getAutomationID").resolves("test/");
+    sinon.stub(api, "listActionsCaches").resolves([
+      {
+        key: await fakeOverlayBaseCacheKey("javascript", "2.19.0", "abc-1-1"),
+      },
+    ]);
+
+    const result = await setupCodeql.getEnabledVersionsWithOverlayBaseDatabases(
+      overlayMatchEnabledVersions,
+      ["javascript"],
+      createFeatures([Feature.OverlayAnalysisMatchCodeqlVersion]),
+      getRunnerLogger(true),
+    );
+    t.deepEqual(result, []);
+  },
+);
+
+const noLanguagesMacro = makeMacro({
+  exec: async (
+    t: ExecutionContext<unknown>,
+    rawLanguages: string[] | undefined,
+  ) => {
+    const listStub = sinon.stub(api, "listActionsCaches").resolves([]);
+
+    const result = await setupCodeql.getEnabledVersionsWithOverlayBaseDatabases(
+      overlayMatchEnabledVersions,
+      rawLanguages,
+      createFeatures([Feature.OverlayAnalysisMatchCodeqlVersion]),
+      getRunnerLogger(true),
+    );
+    t.deepEqual(result, []);
+    t.assert(
+      listStub.notCalled,
+      "Should not list Actions caches without any rawLanguages.",
+    );
+  },
+  title: (providedTitle = "") =>
+    `getEnabledVersionsWithOverlayBaseDatabases does not list caches when rawLanguages is ${providedTitle}`,
+});
+
+noLanguagesMacro.serial("undefined", undefined);
+noLanguagesMacro.serial("an empty array", []);
+
+test.serial(
+  "getEnabledVersionsWithOverlayBaseDatabases returns empty when listing caches throws",
+  async (t) => {
+    sinon.stub(api, "getAutomationID").resolves("test/");
+    sinon.stub(api, "listActionsCaches").rejects(new Error("listing failed"));
+
+    const result = await setupCodeql.getEnabledVersionsWithOverlayBaseDatabases(
+      overlayMatchEnabledVersions,
+      ["javascript"],
+      createFeatures([Feature.OverlayAnalysisMatchCodeqlVersion]),
+      getRunnerLogger(true),
+    );
+    t.deepEqual(result, []);
+  },
+);
+
+test.serial(
+  "getEnabledVersionsWithOverlayBaseDatabases returns versions present in the cache",
+  async (t) => {
+    sinon.stub(api, "getAutomationID").resolves("test/");
+    sinon.stub(api, "listActionsCaches").resolves([
+      {
+        key: await fakeOverlayBaseCacheKey("javascript", "2.20.2", "abc-1-1"),
+      },
+    ]);
+
+    const result = await setupCodeql.getEnabledVersionsWithOverlayBaseDatabases(
+      overlayMatchEnabledVersions,
+      ["javascript"],
+      createFeatures([Feature.OverlayAnalysisMatchCodeqlVersion]),
+      getRunnerLogger(true),
+    );
+    t.deepEqual(result, [
+      { cliVersion: "2.20.2", tagName: "codeql-bundle-v2.20.2" },
+    ]);
+  },
+);
+
+test.serial(
+  "getEnabledVersionsWithOverlayBaseDatabases does not list caches when both gates are off",
+  async (t) => {
+    const listStub = sinon.stub(api, "listActionsCaches").resolves([]);
+
+    const result = await setupCodeql.getEnabledVersionsWithOverlayBaseDatabases(
+      overlayMatchEnabledVersions,
+      ["javascript"],
+      createFeatures([]),
+      getRunnerLogger(true),
+    );
+    t.deepEqual(result, []);
+    t.assert(
+      listStub.notCalled,
+      "Should not list Actions caches when both gating feature flags are off.",
+    );
+  },
+);
+
+test.serial(
+  "getEnabledVersionsWithOverlayBaseDatabases dry-run returns empty but lists caches",
+  async (t) => {
+    sinon.stub(api, "getAutomationID").resolves("test/");
+    const listStub = sinon.stub(api, "listActionsCaches").resolves([
+      {
+        key: await fakeOverlayBaseCacheKey("javascript", "2.20.1", "abc-1-1"),
+      },
+    ]);
+
+    const result = await setupCodeql.getEnabledVersionsWithOverlayBaseDatabases(
+      overlayMatchEnabledVersions,
+      ["javascript"],
+      createFeatures([Feature.OverlayAnalysisMatchCodeqlVersionDryRun]),
+      getRunnerLogger(true),
+    );
+    t.deepEqual(
+      result,
+      [],
+      "Dry-run should return an empty list so the caller falls back.",
+    );
+    t.assert(
+      listStub.calledOnce,
+      "Dry-run should still list Actions caches to populate the diagnostic.",
+    );
+  },
+);
+
+test.serial(
+  "getEnabledVersionsWithOverlayBaseDatabases match flag wins over dry-run",
+  async (t) => {
+    sinon.stub(api, "getAutomationID").resolves("test/");
+    sinon.stub(api, "listActionsCaches").resolves([
+      {
+        key: await fakeOverlayBaseCacheKey("javascript", "2.20.1", "abc-1-1"),
+      },
+    ]);
+
+    const result = await setupCodeql.getEnabledVersionsWithOverlayBaseDatabases(
+      overlayMatchEnabledVersions,
+      ["javascript"],
+      createFeatures([
+        Feature.OverlayAnalysisMatchCodeqlVersion,
+        Feature.OverlayAnalysisMatchCodeqlVersionDryRun,
+      ]),
+      getRunnerLogger(true),
+    );
+    t.deepEqual(result, [
+      { cliVersion: "2.20.1", tagName: "codeql-bundle-v2.20.1" },
+    ]);
+  },
+);
@@ -7,17 +7,27 @@ import { default as deepEqual } from "fast-deep-equal";
 import * as semver from "semver";
 import { v4 as uuidV4 } from "uuid";

-import { isDynamicWorkflow, isRunningLocalAction } from "./actions-util";
+import {
+  isAnalyzingPullRequest,
+  isDynamicWorkflow,
+  isRunningLocalAction,
+} from "./actions-util";
 import * as api from "./api-client";
 import * as defaults from "./defaults.json";
-import { addNoLanguageDiagnostic, makeDiagnostic } from "./diagnostics";
+import {
+  addNoLanguageDiagnostic,
+  makeDiagnostic,
+  makeTelemetryDiagnostic,
+} from "./diagnostics";
 import {
  CODEQL_VERSION_ZSTD_BUNDLE,
  CodeQLDefaultVersionInfo,
+  CodeQLVersionInfo,
  Feature,
  FeatureEnablement,
 } from "./feature-flags";
 import { Logger } from "./logging";
+import { getCodeQlVersionsForOverlayBaseDatabases } from "./overlay/caching";
 import * as tar from "./tar";
 import {
  downloadAndExtract,
@@ -264,12 +274,131 @@ async function findOverridingToolsInCache(
  return undefined;
 }

+/**
+ * Returns the sorted set of enabled versions that have cached overlay-base databases for the
+ * given languages, or an empty list if neither the `OverlayAnalysisMatchCodeqlVersion` nor the
+ * `OverlayAnalysisMatchCodeqlVersionDryRun` feature flag is enabled. When only the dry-run flag
+ * is enabled, this performs the lookup and emits a telemetry diagnostic with the version that
+ * would have been chosen, but still returns an empty list so the caller falls back.
+ */
+export async function getEnabledVersionsWithOverlayBaseDatabases(
+  defaultCliVersion: CodeQLDefaultVersionInfo,
+  rawLanguages: string[] | undefined,
+  features: FeatureEnablement,
+  logger: Logger,
+): Promise<CodeQLVersionInfo[]> {
+  if (rawLanguages === undefined || rawLanguages.length === 0) {
+    return [];
+  }
+  const isEnabled = await features.getValue(
+    Feature.OverlayAnalysisMatchCodeqlVersion,
+  );
+  const isDryRun =
+    !isEnabled &&
+    (await features.getValue(Feature.OverlayAnalysisMatchCodeqlVersionDryRun));
+  if (!isEnabled && !isDryRun) {
+    return [];
+  }
+
+  let cachedVersions: string[] | undefined;
+  try {
+    cachedVersions = await getCodeQlVersionsForOverlayBaseDatabases(
+      rawLanguages,
+      logger,
+    );
+  } catch (e) {
+    logger.warning(
+      "Could not list overlay-base databases in the Actions cache while choosing a default " +
+        `CodeQL CLI version, falling back to the highest enabled version. Details: ${util.getErrorMessage(e)}`,
+    );
+    return [];
+  }
+
+  if (cachedVersions === undefined || cachedVersions.length === 0) {
+    return [];
+  }
+
+  const cachedVersionsSet = new Set(cachedVersions);
+  const overlayVersions = defaultCliVersion.enabledVersions.filter((v) =>
+    cachedVersionsSet.has(v.cliVersion),
+  );
+
+  if (overlayVersions.length === 0) {
+    return [];
+  }
+
+  const isCachedVersionDifferent =
+    overlayVersions[0].cliVersion !==
+    defaultCliVersion.enabledVersions[0].cliVersion;
+
+  if (isCachedVersionDifferent) {
+    addNoLanguageDiagnostic(
+      undefined,
+      makeTelemetryDiagnostic(
+        "codeql-action/overlay-aware-default-codeql-version",
+        "Overlay-aware default CodeQL version selection",
+        {
+          cachedVersions,
+          enabledVersions: defaultCliVersion.enabledVersions.map(
+            (v) => v.cliVersion,
+          ),
+          isDryRun,
+          overlayAwareVersion: overlayVersions[0].cliVersion,
+        },
+      ),
+    );
+  }
+
+  if (isDryRun) {
+    logger.debug(
+      `Overlay-aware default CodeQL version selection is running in dry-run mode. Would have used version ${overlayVersions[0].cliVersion}.`,
+    );
+    return [];
+  }
+
+  return overlayVersions;
+}
+
+/**
+ * Resolves the newest enabled default CLI version that has a cached overlay-base database for the
+ * relevant languages, if running a Code Scanning analysis for a pull request and one exists.
+ * Otherwise, falls back to the newest enabled default CLI version.
+ */
+async function resolveDefaultCliVersion(
+  defaultCliVersion: CodeQLDefaultVersionInfo,
+  rawLanguages: string[] | undefined,
+  useOverlayAwareDefaultCliVersion: boolean,
+  features: FeatureEnablement,
+  logger: Logger,
+): Promise<CodeQLVersionInfo> {
+  if (!useOverlayAwareDefaultCliVersion || !isAnalyzingPullRequest()) {
+    return defaultCliVersion.enabledVersions[0];
+  }
+
+  const overlayVersions = await getEnabledVersionsWithOverlayBaseDatabases(
+    defaultCliVersion,
+    rawLanguages,
+    features,
+    logger,
+  );
+  if (overlayVersions.length > 0) {
+    logger.info(
+      `Using CodeQL version ${overlayVersions[0].cliVersion} since this is the ` +
+        `highest enabled version that has a cached overlay-base database.`,
+    );
+    return overlayVersions[0];
+  }
+  return defaultCliVersion.enabledVersions[0];
+}
+
 /**
 * Determines where the CodeQL CLI we want to use comes from. This can be from a local file,
 * the Actions toolcache, or a download.
 *
 * @param toolsInput The argument provided for the `tools` input, if any.
 * @param defaultCliVersion The default CLI version that's linked to the CodeQL Action.
+ * @param rawLanguages Raw set of languages.
+ * @param useOverlayAwareDefaultCliVersion Whether to select an overlay-aware default CLI version.
 * @param apiDetails Information about the GitHub API.
 * @param variant The GitHub variant we are running on.
 * @param tarSupportsZstd Whether zstd is supported by `tar`.
@@ -281,6 +410,8 @@ async function findOverridingToolsInCache(
 export async function getCodeQLSource(
  toolsInput: string | undefined,
  defaultCliVersion: CodeQLDefaultVersionInfo,
+  rawLanguages: string[] | undefined,
+  useOverlayAwareDefaultCliVersion: boolean,
  apiDetails: api.GitHubApiDetails,
  variant: util.GitHubVariant,
  tarSupportsZstd: boolean,
@@ -438,8 +569,15 @@ export async function getCodeQLSource(
        }
      }

-      cliVersion = defaultCliVersion.cliVersion;
-      tagName = defaultCliVersion.tagName;
+      const version = await resolveDefaultCliVersion(
+        defaultCliVersion,
+        rawLanguages,
+        useOverlayAwareDefaultCliVersion,
+        features,
+        logger,
+      );
+      cliVersion = version.cliVersion;
+      tagName = version.tagName;
    }
  } else if (toolsInput !== undefined) {
    // If a tools URL was provided, then use that.
@@ -454,9 +592,15 @@ export async function getCodeQLSource(
      }
    }
  } else {
-    // Otherwise, use the default CLI version passed in.
-    cliVersion = defaultCliVersion.cliVersion;
-    tagName = defaultCliVersion.tagName;
+    const version = await resolveDefaultCliVersion(
+      defaultCliVersion,
+      rawLanguages,
+      useOverlayAwareDefaultCliVersion,
+      features,
+      logger,
+    );
+    cliVersion = version.cliVersion;
+    tagName = version.tagName;
  }

  const bundleVersion =
@@ -791,6 +935,8 @@ export async function setupCodeQLBundle(
  tempDir: string,
  variant: util.GitHubVariant,
  defaultCliVersion: CodeQLDefaultVersionInfo,
+  rawLanguages: string[] | undefined,
+  useOverlayAwareDefaultCliVersion: boolean,
  features: FeatureEnablement,
  logger: Logger,
 ): Promise<SetupCodeQLResult> {
@@ -804,6 +950,8 @@ export async function setupCodeQLBundle(
  const source = await getCodeQLSource(
    toolsInput,
    defaultCliVersion,
+    rawLanguages,
+    useOverlayAwareDefaultCliVersion,
    apiDetails,
    variant,
    zstdAvailability.available,
@@ -18,6 +18,7 @@ import {
  assertNotLogged,
  checkExpectedLogMessages,
  createFeatures,
+  makeMacro,
  makeTestToken,
  RecordingLogger,
  setupTests,
@@ -32,7 +33,7 @@ import {

 setupTests(test);

-const sendFailedStatusReportTest = test.macro({
+const sendFailedStatusReportTest = makeMacro({
  exec: async (
    t: ExecutionContext<unknown>,
    err: Error,
@@ -88,16 +89,14 @@ const sendFailedStatusReportTest = test.macro({
  title: (providedTitle = "") => `sendFailedStatusReport - ${providedTitle}`,
 });

-test.serial(
+sendFailedStatusReportTest.serial(
  "reports generic error message for non-StartProxyError error",
-  sendFailedStatusReportTest,
  new Error("Something went wrong today"),
  "Error from start-proxy Action omitted (Error).",
 );

-test.serial(
+sendFailedStatusReportTest.serial(
  "reports generic error message for non-StartProxyError error with safe error message",
-  sendFailedStatusReportTest,
  new Error(
    startProxyExports.getStartProxyErrorMessage(
      startProxyExports.StartProxyErrorType.DownloadFailed,
@@ -106,9 +105,8 @@ test.serial(
  "Error from start-proxy Action omitted (Error).",
 );

-test.serial(
+sendFailedStatusReportTest.serial(
  "reports generic error message for ConfigurationError error",
-  sendFailedStatusReportTest,
  new ConfigurationError("Something went wrong today"),
  "Error from start-proxy Action omitted (ConfigurationError).",
  "user-error",
@@ -414,7 +412,7 @@ test("getCredentials accepts OIDC configurations", (t) => {
  }
 });

-const getCredentialsMacro = test.macro({
+const getCredentialsMacro = makeMacro({
  exec: async (
    t: ExecutionContext<unknown>,
    credentials: startProxyExports.RawCredential[],
@@ -440,9 +438,8 @@ const getCredentialsMacro = test.macro({
  title: (providedTitle = "") => `getCredentials - ${providedTitle}`,
 });

-test(
+getCredentialsMacro(
  "warns for PAT-like password without a username",
-  getCredentialsMacro,
  [
    {
      type: "git_server",
@@ -470,9 +467,8 @@ test(
  },
 );

-test(
+getCredentialsMacro(
  "no warning for PAT-like password with a username",
-  getCredentialsMacro,
  [
    {
      type: "git_server",
@@ -502,9 +498,8 @@ test(
  },
 );

-test(
+getCredentialsMacro(
  "warns for PAT-like token without a username",
-  getCredentialsMacro,
  [
    {
      type: "git_server",
@@ -532,9 +527,8 @@ test(
  },
 );

-test(
+getCredentialsMacro(
  "no warning for PAT-like token with a username",
-  getCredentialsMacro,
  [
    {
      type: "git_server",
@@ -796,7 +790,7 @@ test.serial(
  },
 );

-const wrapFailureTest = test.macro({
+const wrapFailureTest = makeMacro({
  exec: async (
    t: ExecutionContext<unknown>,
    setup: () => void,
@@ -827,9 +821,8 @@ test.serial("downloadProxy - returns file path on success", async (t) => {
  });
 });

-test.serial(
+wrapFailureTest.serial(
  "downloadProxy",
-  wrapFailureTest,
  () => {
    sinon.stub(toolcache, "downloadTool").throws();
  },
@@ -848,9 +841,8 @@ test.serial("extractProxy - returns file path on success", async (t) => {
  });
 });

-test.serial(
+wrapFailureTest.serial(
  "extractProxy",
-  wrapFailureTest,
  () => {
    sinon.stub(toolcache, "extractTar").throws();
  },
@@ -874,9 +866,8 @@ test.serial("cacheProxy - returns file path on success", async (t) => {
  });
 });

-test.serial(
+wrapFailureTest.serial(
  "cacheProxy",
-  wrapFailureTest,
  () => {
    sinon.stub(toolcache, "cacheDir").throws();
  },
@@ -1019,8 +1010,10 @@ test.serial(
        return true;
      });
      const getDefaultCliVersion = sinon
-        .stub(features, "getDefaultCliVersion")
-        .resolves({ cliVersion: "2.20.1", tagName: expectedTag });
+        .stub(features, "getEnabledDefaultCliVersions")
+        .resolves({
+          enabledVersions: [{ cliVersion: "2.20.1", tagName: expectedTag }],
+        });
      const path = await startProxyExports.getProxyBinaryPath(logger, features);

      t.assert(getDefaultCliVersion.calledOnce);
@@ -415,7 +415,7 @@ async function getCliVersionFromFeatures(
  features: FeatureEnablement,
 ): Promise<CodeQLDefaultVersionInfo> {
  const gitHubVersion = await getGitHubVersion();
-  return await features.getDefaultCliVersion(gitHubVersion.type);
+  return await features.getEnabledDefaultCliVersions(gitHubVersion.type);
 }

 /**
@@ -440,7 +440,7 @@ export async function getDownloadUrl(
    // Retrieve information about the CLI version we should use. This will be either the linked
    // version, or the one enabled by FFs.
    const versionInfo = useFeaturesToDetermineCLI
-      ? await getCliVersionFromFeatures(features)
+      ? (await getCliVersionFromFeatures(features)).enabledVersions[0]
      : {
          cliVersion: defaults.cliVersion,
          tagName: defaults.bundleVersion,
@@ -19,6 +19,7 @@ import {
  setupTests,
  setupActionsVars,
  createTestConfig,
+  makeMacro,
 } from "./testing-utils";
 import { BuildMode, ConfigurationError, withTmpDir, wrapError } from "./util";

@@ -291,10 +292,9 @@ test.serial(
  },
 );

-const testCreateInitWithConfigStatusReport = test.macro({
+const testCreateInitWithConfigStatusReport = makeMacro({
  exec: async (
    t,
-    _title: string,
    config: Config,
    expectedReportProperties: Partial<InitWithConfigStatusReport>,
  ) => {
@@ -337,11 +337,10 @@ const testCreateInitWithConfigStatusReport = test.macro({
      }
    });
  },
-  title: (_, title) => `createInitWithConfigStatusReport: ${title}`,
+  title: (title) => `createInitWithConfigStatusReport: ${title}`,
 });

-test.serial(
-  testCreateInitWithConfigStatusReport,
+testCreateInitWithConfigStatusReport.serial(
  "returns a value",
  createTestConfig({
    buildMode: BuildMode.None,
@@ -355,8 +354,7 @@ test.serial(
  },
 );

-test.serial(
-  testCreateInitWithConfigStatusReport,
+testCreateInitWithConfigStatusReport.serial(
  "includes packs for a single language",
  createTestConfig({
    buildMode: BuildMode.None,
@@ -372,8 +370,7 @@ test.serial(
  },
 );

-test.serial(
-  testCreateInitWithConfigStatusReport,
+testCreateInitWithConfigStatusReport.serial(
  "includes packs for multiple languages",
  createTestConfig({
    buildMode: BuildMode.None,
@@ -2,7 +2,11 @@ import { TextDecoder } from "node:util";
 import path from "path";

 import * as github from "@actions/github";
-import { ExecutionContext, TestFn } from "ava";
+import test, {
+  type ExecutionContext,
+  type MacroDeclarationOptions,
+  type TestFn,
+} from "ava";
 import nock from "nock";
 import * as sinon from "sinon";

@@ -36,16 +40,20 @@ export const SAMPLE_DOTCOM_API_DETAILS = {
  apiURL: "https://api.github.com",
 };

-export const SAMPLE_DEFAULT_CLI_VERSION: CodeQLDefaultVersionInfo = {
-  cliVersion: "2.20.0",
-  tagName: "codeql-bundle-v2.20.0",
-};
-
 export const LINKED_CLI_VERSION = {
  cliVersion: defaults.cliVersion,
  tagName: defaults.bundleVersion,
 };

+export const SAMPLE_DEFAULT_CLI_VERSION: CodeQLDefaultVersionInfo = {
+  enabledVersions: [
+    {
+      cliVersion: "2.20.0",
+      tagName: "codeql-bundle-v2.20.0",
+    },
+  ],
+};
+
 type TestContext = {
  stdoutWrite: any;
  stderrWrite: any;
@@ -85,8 +93,8 @@ function wrapOutput(context: TestContext) {
  };
 }

-export function setupTests(test: TestFn<any>) {
-  const typedTest = test as TestFn<TestContext>;
+export function setupTests(testFn: TestFn<any>) {
+  const typedTest = testFn as TestFn<TestContext>;

  typedTest.beforeEach((t) => {
    // Set an empty CodeQL object so that all method calls will fail
@@ -139,6 +147,26 @@ export function setupTests(test: TestFn<any>) {
  });
 }

+/**
+ * Declare a reusable test implementation, with better type safety than `test.macro`.
+ */
+export function makeMacro<Args extends unknown[]>(
+  decl: MacroDeclarationOptions<Args, unknown>,
+) {
+  const m = test.macro<Args>(decl);
+
+  const wrapper = (name: string, ...args: Args) => test(name, m, ...args);
+  wrapper.test = (...args: Args) => test(m, ...args);
+  wrapper.serial = (name: string, ...args: Args) =>
+    test.serial(name, m, ...args);
+  // Make the implementation available as `fn`. We don't call it `exec` so
+  // that results from this function are not valid arguments to `test`
+  // or `test.serial`.
+  wrapper.fn = decl.exec;
+
+  return wrapper;
+}
+
 /**
 * Default values for environment variables typically set in an Actions
 * environment. Tests can override individual variables by passing them in the
@@ -442,7 +470,7 @@ export function mockCodeQLVersion(
 */
 export function createFeatures(enabledFeatures: Feature[]): FeatureEnablement {
  return {
-    getDefaultCliVersion: async () => {
+    getEnabledDefaultCliVersions: async () => {
      throw new Error("not implemented");
    },
    getValue: async (feature) => {
@@ -156,9 +156,8 @@ async function combineSarifFilesUsingCLI(
      apiURL: getRequiredEnvParam("GITHUB_API_URL"),
    };

-    const codeQLDefaultVersionInfo = await features.getDefaultCliVersion(
-      gitHubVersion.type,
-    );
+    const codeQLDefaultVersionInfo =
+      await features.getEnabledDefaultCliVersions(gitHubVersion.type);

    const initCodeQLResult = await initCodeQL(
      undefined, // There is no tools input on the upload action
@@ -166,6 +165,8 @@ async function combineSarifFilesUsingCLI(
      tempDir,
      gitHubVersion.type,
      codeQLDefaultVersionInfo,
+      undefined, // rawLanguages: upload-lib does not run analysis
+      false, // useOverlayAwareDefaultCliVersion: upload-lib does not run analysis
      features,
      logger,
    );
@@ -6,7 +6,7 @@ import * as sinon from "sinon";

 import { AnalysisKind, getAnalysisConfig } from "./analyses";
 import { getRunnerLogger } from "./logging";
-import { createFeatures, setupTests } from "./testing-utils";
+import { createFeatures, makeMacro, setupTests } from "./testing-utils";
 import { UploadResult } from "./upload-lib";
 import * as uploadLib from "./upload-lib";
 import { postProcessAndUploadSarif } from "./upload-sarif";
@@ -43,7 +43,7 @@ function mockPostProcessSarifFiles() {
  return postProcessSarifFiles;
 }

-const postProcessAndUploadSarifMacro = test.macro({
+const postProcessAndUploadSarifMacro = makeMacro({
  exec: async (
    t: ExecutionContext<unknown>,
    sarifFiles: string[],
@@ -67,7 +67,7 @@ const postProcessAndUploadSarifMacro = test.macro({
        const analysisConfig = getAnalysisConfig(analysisKind);
        uploadPostProcessedFiles
          .withArgs(logger, sinon.match.any, analysisConfig, sinon.match.any)
-          .resolves(expectedResult[analysisKind as AnalysisKind]?.uploadResult);
+          .resolves(expectedResult[analysisKind]?.uploadResult);
      }

      const fullSarifPaths = sarifFiles.map(toFullPath);
@@ -123,9 +123,8 @@ const postProcessAndUploadSarifMacro = test.macro({
  title: (providedTitle = "") => `processAndUploadSarif - ${providedTitle}`,
 });

-test.serial(
+postProcessAndUploadSarifMacro.serial(
  "SARIF file",
-  postProcessAndUploadSarifMacro,
  ["test.sarif"],
  (tempDir) => path.join(tempDir, "test.sarif"),
  {
@@ -138,9 +137,8 @@ test.serial(
  },
 );

-test.serial(
+postProcessAndUploadSarifMacro.serial(
  "JSON file",
-  postProcessAndUploadSarifMacro,
  ["test.json"],
  (tempDir) => path.join(tempDir, "test.json"),
  {
@@ -153,9 +151,8 @@ test.serial(
  },
 );

-test.serial(
+postProcessAndUploadSarifMacro.serial(
  "Code Scanning files",
-  postProcessAndUploadSarifMacro,
  ["test.json", "test.sarif"],
  undefined,
  {
@@ -169,9 +166,8 @@ test.serial(
  },
 );

-test.serial(
+postProcessAndUploadSarifMacro.serial(
  "Code Quality file",
-  postProcessAndUploadSarifMacro,
  ["test.quality.sarif"],
  (tempDir) => path.join(tempDir, "test.quality.sarif"),
  {
@@ -184,9 +180,8 @@ test.serial(
  },
 );

-test.serial(
+postProcessAndUploadSarifMacro.serial(
  "Mixed files",
-  postProcessAndUploadSarifMacro,
  ["test.sarif", "test.quality.sarif"],
  undefined,
  {
@@ -422,7 +422,7 @@ async function testLanguageAliases(
          ],
        },
      },
-    } as Workflow,
+    },
    codeql,
  );