Merge remote-tracking branch 'origin/releases/v4' into backport-v3.32.5-c793b717b

.github/pull_request_template.md

@@ -23,13 +23,13 @@ For internal use only. Please select the risk level of this change:
 Workflow types:
 
 - **Advanced setup** - Impacts users who have custom CodeQL workflows.
-- **Managed** - Impacts users with `dynamic` workflows (Default Setup, CCR, ...).
+- **Managed** - Impacts users with `dynamic` workflows (Default Setup, Code Quality, ...).
 
 Products:
 
 - **Code Scanning** - The changes impact analyses when `analysis-kinds: code-scanning`.
 - **Code Quality** - The changes impact analyses when `analysis-kinds: code-quality`.
-- **CCR** - The changes impact analyses for Copilot Code Reviews.
+- **Other first-party** - The changes impact other first-party analyses.
 - **Third-party analyses** - The changes affect the `upload-sarif` action.
 
 Environments:
@@ -54,6 +54,7 @@ Environments:
 
 - **Feature flags** - All new or changed code paths can be fully disabled with corresponding feature flags.
 - **Rollback** - Change can only be disabled by rolling back the release or releasing a new version with a fix.
+- **Development/testing only** - This change cannot cause any failures in production.
 - **Other** - Please provide details.
 
 #### How will you know if something goes wrong after this change is released?

.github/workflows/__all-platform-bundle.yml

@@ -18,6 +18,9 @@ on:
       - synchronize
       - reopened
       - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
   schedule:
     - cron: '0 5 * * *'
   workflow_dispatch:

.github/workflows/__analysis-kinds.yml

@@ -18,6 +18,9 @@ on:
       - synchronize
       - reopened
       - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
   schedule:
     - cron: '0 5 * * *'
   workflow_dispatch:

.github/workflows/__analyze-ref-input.yml

@@ -18,6 +18,9 @@ on:
       - synchronize
       - reopened
       - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
   schedule:
     - cron: '0 5 * * *'
   workflow_dispatch:

.github/workflows/__autobuild-action.yml

@@ -18,6 +18,9 @@ on:
       - synchronize
       - reopened
       - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
   schedule:
     - cron: '0 5 * * *'
   workflow_dispatch:

.github/workflows/__autobuild-direct-tracing-with-working-dir.yml

@@ -18,6 +18,9 @@ on:
       - synchronize
       - reopened
       - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
   schedule:
     - cron: '0 5 * * *'
   workflow_dispatch:

.github/workflows/__autobuild-working-dir.yml

@@ -18,6 +18,9 @@ on:
       - synchronize
       - reopened
       - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
   schedule:
     - cron: '0 5 * * *'
   workflow_dispatch:

.github/workflows/__build-mode-autobuild.yml

@@ -18,6 +18,9 @@ on:
       - synchronize
       - reopened
       - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
   schedule:
     - cron: '0 5 * * *'
   workflow_dispatch:

.github/workflows/__build-mode-manual.yml

@@ -18,6 +18,9 @@ on:
       - synchronize
       - reopened
       - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
   schedule:
     - cron: '0 5 * * *'
   workflow_dispatch:

.github/workflows/__build-mode-none.yml

@@ -18,6 +18,9 @@ on:
       - synchronize
       - reopened
       - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
   schedule:
     - cron: '0 5 * * *'
   workflow_dispatch:

.github/workflows/__build-mode-rollback.yml

@@ -18,6 +18,9 @@ on:
       - synchronize
       - reopened
       - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
   schedule:
     - cron: '0 5 * * *'
   workflow_dispatch:

.github/workflows/__bundle-from-nightly.yml

@@ -18,6 +18,9 @@ on:
       - synchronize
       - reopened
       - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
   schedule:
     - cron: '0 5 * * *'
   workflow_dispatch:

.github/workflows/__bundle-from-toolcache.yml

@@ -18,6 +18,9 @@ on:
       - synchronize
       - reopened
       - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
   schedule:
     - cron: '0 5 * * *'
   workflow_dispatch:

.github/workflows/__bundle-toolcache.yml

@@ -18,6 +18,9 @@ on:
       - synchronize
       - reopened
       - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
   schedule:
     - cron: '0 5 * * *'
   workflow_dispatch:

.github/workflows/__bundle-zstd.yml

@@ -18,6 +18,9 @@ on:
       - synchronize
       - reopened
       - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
   schedule:
     - cron: '0 5 * * *'
   workflow_dispatch:

.github/workflows/__ccr.yml

@@ -1,87 +0,0 @@
-# Warning: This file is generated automatically, and should not be modified.
-# Instead, please modify the template in the pr-checks directory and run:
-#     pr-checks/sync.sh
-# to regenerate this file.
-
-name: PR Check - CCR
-env:
-  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-  GO111MODULE: auto
-on:
-  push:
-    branches:
-      - main
-      - releases/v*
-  pull_request:
-    types:
-      - opened
-      - synchronize
-      - reopened
-      - ready_for_review
-  schedule:
-    - cron: '0 5 * * *'
-  workflow_dispatch:
-    inputs: {}
-  workflow_call:
-    inputs: {}
-defaults:
-  run:
-    shell: bash
-concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: ccr-${{github.ref}}
-jobs:
-  ccr:
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - os: ubuntu-latest
-            version: stable-v2.17.6
-          - os: ubuntu-latest
-            version: stable-v2.18.4
-          - os: ubuntu-latest
-            version: stable-v2.19.4
-          - os: ubuntu-latest
-            version: stable-v2.20.7
-          - os: ubuntu-latest
-            version: stable-v2.21.4
-          - os: ubuntu-latest
-            version: stable-v2.22.4
-          - os: ubuntu-latest
-            version: default
-          - os: ubuntu-latest
-            version: linked
-          - os: ubuntu-latest
-            version: nightly-latest
-    name: CCR
-    if: github.triggering_actor != 'dependabot[bot]'
-    permissions:
-      contents: read
-      security-events: read
-    timeout-minutes: 45
-    runs-on: ${{ matrix.os }}
-    steps:
-      - name: Check out repository
-        uses: actions/checkout@v6
-      - name: Prepare test
-        id: prepare-test
-        uses: ./.github/actions/prepare-test
-        with:
-          version: ${{ matrix.version }}
-          use-all-platform-bundle: 'false'
-          setup-kotlin: 'true'
-      - uses: ./../action/init
-        id: init
-        with:
-          languages: javascript
-          tools: ${{ steps.prepare-test.outputs.tools-url }}
-
-      - uses: ./../action/analyze
-        id: analysis
-        with:
-          upload-database: false
-
-    env:
-      CODEQL_ACTION_ANALYSIS_KEY: dynamic/copilot-pull-request-reviewer/codeql-action-test
-      CODEQL_ACTION_TEST_MODE: true

.github/workflows/__cleanup-db-cluster-dir.yml

@@ -18,6 +18,9 @@ on:
       - synchronize
       - reopened
       - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
   schedule:
     - cron: '0 5 * * *'
   workflow_dispatch:

.github/workflows/__config-export.yml

@@ -18,6 +18,9 @@ on:
       - synchronize
       - reopened
       - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
   schedule:
     - cron: '0 5 * * *'
   workflow_dispatch:

.github/workflows/__config-input.yml

@@ -18,6 +18,9 @@ on:
       - synchronize
       - reopened
       - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
   schedule:
     - cron: '0 5 * * *'
   workflow_dispatch:

.github/workflows/__cpp-deptrace-disabled.yml

@@ -18,6 +18,9 @@ on:
       - synchronize
       - reopened
       - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
   schedule:
     - cron: '0 5 * * *'
   workflow_dispatch:

.github/workflows/__cpp-deptrace-enabled-on-macos.yml

@@ -18,6 +18,9 @@ on:
       - synchronize
       - reopened
       - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
   schedule:
     - cron: '0 5 * * *'
   workflow_dispatch:

.github/workflows/__cpp-deptrace-enabled.yml

@@ -18,6 +18,9 @@ on:
       - synchronize
       - reopened
       - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
   schedule:
     - cron: '0 5 * * *'
   workflow_dispatch:

.github/workflows/__diagnostics-export.yml

@@ -18,6 +18,9 @@ on:
       - synchronize
       - reopened
       - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
   schedule:
     - cron: '0 5 * * *'
   workflow_dispatch:

.github/workflows/__export-file-baseline-information.yml

@@ -18,6 +18,9 @@ on:
       - synchronize
       - reopened
       - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
   schedule:
     - cron: '0 5 * * *'
   workflow_dispatch:

.github/workflows/__extractor-ram-threads.yml

@@ -18,6 +18,9 @@ on:
       - synchronize
       - reopened
       - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
   schedule:
     - cron: '0 5 * * *'
   workflow_dispatch:

.github/workflows/__global-proxy.yml

@@ -18,6 +18,9 @@ on:
       - synchronize
       - reopened
       - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
   schedule:
     - cron: '0 5 * * *'
   workflow_dispatch:

.github/workflows/__go-custom-queries.yml

@@ -18,6 +18,9 @@ on:
       - synchronize
       - reopened
       - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
   schedule:
     - cron: '0 5 * * *'
   workflow_dispatch:

.github/workflows/__go-indirect-tracing-workaround-diagnostic.yml

@@ -18,6 +18,9 @@ on:
       - synchronize
       - reopened
       - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
   schedule:
     - cron: '0 5 * * *'
   workflow_dispatch:

.github/workflows/__go-indirect-tracing-workaround-no-file-program.yml

@@ -18,6 +18,9 @@ on:
       - synchronize
       - reopened
       - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
   schedule:
     - cron: '0 5 * * *'
   workflow_dispatch:

.github/workflows/__go-indirect-tracing-workaround.yml

@@ -18,6 +18,9 @@ on:
       - synchronize
       - reopened
       - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
   schedule:
     - cron: '0 5 * * *'
   workflow_dispatch:

.github/workflows/__go-tracing-autobuilder.yml

@@ -18,6 +18,9 @@ on:
       - synchronize
       - reopened
       - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
   schedule:
     - cron: '0 5 * * *'
   workflow_dispatch:

.github/workflows/__go-tracing-custom-build-steps.yml

@@ -18,6 +18,9 @@ on:
       - synchronize
       - reopened
       - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
   schedule:
     - cron: '0 5 * * *'
   workflow_dispatch:

.github/workflows/__go-tracing-legacy-workflow.yml

@@ -18,6 +18,9 @@ on:
       - synchronize
       - reopened
       - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
   schedule:
     - cron: '0 5 * * *'
   workflow_dispatch:

.github/workflows/__init-with-registries.yml

@@ -18,6 +18,9 @@ on:
       - synchronize
       - reopened
       - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
   schedule:
     - cron: '0 5 * * *'
   workflow_dispatch:

.github/workflows/__javascript-source-root.yml

@@ -18,6 +18,9 @@ on:
       - synchronize
       - reopened
       - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
   schedule:
     - cron: '0 5 * * *'
   workflow_dispatch:

.github/workflows/__job-run-uuid-sarif.yml

@@ -18,6 +18,9 @@ on:
       - synchronize
       - reopened
       - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
   schedule:
     - cron: '0 5 * * *'
   workflow_dispatch:

.github/workflows/__language-aliases.yml

@@ -18,6 +18,9 @@ on:
       - synchronize
       - reopened
       - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
   schedule:
     - cron: '0 5 * * *'
   workflow_dispatch:

.github/workflows/__local-bundle.yml

@@ -18,6 +18,9 @@ on:
       - synchronize
       - reopened
       - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
   schedule:
     - cron: '0 5 * * *'
   workflow_dispatch:

.github/workflows/__multi-language-autodetect.yml

@@ -18,6 +18,9 @@ on:
       - synchronize
       - reopened
       - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
   schedule:
     - cron: '0 5 * * *'
   workflow_dispatch:

.github/workflows/__overlay-init-fallback.yml

@@ -18,6 +18,9 @@ on:
       - synchronize
       - reopened
       - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
   schedule:
     - cron: '0 5 * * *'
   workflow_dispatch:

.github/workflows/__packaging-codescanning-config-inputs-js.yml

@@ -18,6 +18,9 @@ on:
       - synchronize
       - reopened
       - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
   schedule:
     - cron: '0 5 * * *'
   workflow_dispatch:

.github/workflows/__packaging-config-inputs-js.yml

@@ -18,6 +18,9 @@ on:
       - synchronize
       - reopened
       - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
   schedule:
     - cron: '0 5 * * *'
   workflow_dispatch:

.github/workflows/__packaging-config-js.yml

@@ -18,6 +18,9 @@ on:
       - synchronize
       - reopened
       - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
   schedule:
     - cron: '0 5 * * *'
   workflow_dispatch:

.github/workflows/__packaging-inputs-js.yml

@@ -18,6 +18,9 @@ on:
       - synchronize
       - reopened
       - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
   schedule:
     - cron: '0 5 * * *'
   workflow_dispatch:

.github/workflows/__remote-config.yml

@@ -18,6 +18,9 @@ on:
       - synchronize
       - reopened
       - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
   schedule:
     - cron: '0 5 * * *'
   workflow_dispatch:

.github/workflows/__resolve-environment-action.yml

@@ -18,6 +18,9 @@ on:
       - synchronize
       - reopened
       - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
   schedule:
     - cron: '0 5 * * *'
   workflow_dispatch:

.github/workflows/__rubocop-multi-language.yml

@@ -18,6 +18,9 @@ on:
       - synchronize
       - reopened
       - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
   schedule:
     - cron: '0 5 * * *'
   workflow_dispatch:

.github/workflows/__ruby.yml

@@ -18,6 +18,9 @@ on:
       - synchronize
       - reopened
       - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
   schedule:
     - cron: '0 5 * * *'
   workflow_dispatch:

.github/workflows/__rust.yml

@@ -18,6 +18,9 @@ on:
       - synchronize
       - reopened
       - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
   schedule:
     - cron: '0 5 * * *'
   workflow_dispatch:

.github/workflows/__split-workflow.yml

@@ -18,6 +18,9 @@ on:
       - synchronize
       - reopened
       - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
   schedule:
     - cron: '0 5 * * *'
   workflow_dispatch:

.github/workflows/__start-proxy.yml

@@ -18,6 +18,9 @@ on:
       - synchronize
       - reopened
       - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
   schedule:
     - cron: '0 5 * * *'
   workflow_dispatch:

.github/workflows/__submit-sarif-failure.yml

@@ -18,6 +18,9 @@ on:
       - synchronize
       - reopened
       - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
   schedule:
     - cron: '0 5 * * *'
   workflow_dispatch:

.github/workflows/__swift-autobuild.yml

@@ -18,6 +18,9 @@ on:
       - synchronize
       - reopened
       - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
   schedule:
     - cron: '0 5 * * *'
   workflow_dispatch:

.github/workflows/__swift-custom-build.yml

@@ -18,6 +18,9 @@ on:
       - synchronize
       - reopened
       - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
   schedule:
     - cron: '0 5 * * *'
   workflow_dispatch:

.github/workflows/__unset-environment.yml

@@ -18,6 +18,9 @@ on:
       - synchronize
       - reopened
       - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
   schedule:
     - cron: '0 5 * * *'
   workflow_dispatch:

.github/workflows/__upload-ref-sha-input.yml

@@ -18,6 +18,9 @@ on:
       - synchronize
       - reopened
       - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
   schedule:
     - cron: '0 5 * * *'
   workflow_dispatch:

.github/workflows/__upload-sarif.yml

@@ -18,6 +18,9 @@ on:
       - synchronize
       - reopened
       - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
   schedule:
     - cron: '0 5 * * *'
   workflow_dispatch:

.github/workflows/__with-checkout-path.yml

@@ -18,6 +18,9 @@ on:
       - synchronize
       - reopened
       - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
   schedule:
     - cron: '0 5 * * *'
   workflow_dispatch:

.github/workflows/codeql.yml

@@ -7,6 +7,8 @@ on:
     # Run checks on reopened draft PRs to support triggering PR checks on draft PRs that were opened
     # by other workflows.
     types: [opened, synchronize, reopened, ready_for_review]
+  merge_group:
+    types: [checks_requested]
   schedule:
     # Weekly on Sunday.
     - cron: '30 1 * * 0'
@@ -64,7 +66,7 @@ jobs:
         #
         # If we're running on push or schedule, then we can skip running with `tools: linked` when it would be
         # the same as running with `tools: null`.
-        if [[ "$GITHUB_EVENT_NAME" != "pull_request" && "$CODEQL_VERSION_DEFAULT" == "$CODEQL_VERSION_LATEST" ]]; then
+        if [[ "$GITHUB_EVENT_NAME" != "pull_request" && "$GITHUB_EVENT_NAME" != "merge_group" && "$CODEQL_VERSION_DEFAULT" == "$CODEQL_VERSION_LATEST" ]]; then
           VERSIONS_JSON='[null]'
         else
           VERSIONS_JSON='[null, "linked"]'
@@ -108,7 +110,7 @@ jobs:
       uses: ./analyze
       with:
         category: "/language:javascript"
-        upload: ${{ (matrix.os == 'ubuntu-24.04' && !matrix.tools && 'always') || 'never' }}
+        upload: ${{ (matrix.os == 'ubuntu-24.04' && !matrix.tools && github.event_name != 'merge_group' && 'always' ) || 'never' }}
 
   analyze-other:
     if: github.triggering_actor != 'dependabot[bot]'
@@ -143,3 +145,4 @@ jobs:
       uses: ./analyze
       with:
         category: "/language:${{ matrix.language }}"
+        upload: ${{ (github.event_name != 'merge_group' && 'always') || 'never' }}

.github/workflows/codescanning-config-cli.yml

@@ -23,9 +23,11 @@ on:
     - synchronize
     - reopened
     - ready_for_review
+  merge_group:
+    types: [checks_requested]
   schedule:
     - cron: '0 5 * * *'
-  workflow_dispatch: {}
+  workflow_dispatch:
 
 defaults:
   run:

.github/workflows/debug-artifacts-failure-safe.yml

@@ -14,9 +14,11 @@ on:
     - synchronize
     - reopened
     - ready_for_review
+  merge_group:
+    types: [checks_requested]
   schedule:
     - cron: '0 5 * * *'
-  workflow_dispatch: {}
+  workflow_dispatch:
 
 defaults:
   run:

.github/workflows/debug-artifacts-safe.yml

@@ -13,9 +13,11 @@ on:
     - synchronize
     - reopened
     - ready_for_review
+  merge_group:
+    types: [checks_requested]
   schedule:
     - cron: '0 5 * * *'
-  workflow_dispatch: {}
+  workflow_dispatch:
 
 defaults:
   run:

.github/workflows/label-pr-size.yml

@@ -17,6 +17,7 @@ jobs:
   sizeup:
     name: Label PR with size
     runs-on: ubuntu-slim
+    if: github.event.pull_request.merged != true
 
     steps:
       - name: Run sizeup

.github/workflows/pr-checks.yml

@@ -6,6 +6,8 @@ on:
     # Run checks on reopened draft PRs to support triggering PR checks on draft PRs that were opened
     # by other workflows.
     types: [opened, synchronize, reopened, ready_for_review]
+  merge_group:
+    types: [checks_requested]
   workflow_dispatch:
 
 defaults:
@@ -80,7 +82,7 @@ jobs:
           category: eslint
 
   check-node-version:
-    if: github.event.pull_request && github.triggering_actor != 'dependabot[bot]'
+    if: github.triggering_actor != 'dependabot[bot]'
     name: Check Action Node versions
     runs-on: ubuntu-latest
     timeout-minutes: 45

.github/workflows/python312-windows.yml

@@ -7,6 +7,8 @@ on:
     # Run checks on reopened draft PRs to support triggering PR checks on draft PRs that were opened
     # by other workflows.
     types: [opened, synchronize, reopened, ready_for_review]
+  merge_group:
+    types: [checks_requested]
   schedule:
     # Weekly on Monday.
     - cron: '0 0 * * 1'

.github/workflows/query-filters.yml

@@ -11,9 +11,11 @@ on:
     - synchronize
     - reopened
     - ready_for_review
+  merge_group:
+    types: [checks_requested]
   schedule:
     - cron: '0 5 * * *'
-  workflow_dispatch: {}
+  workflow_dispatch:
 
 defaults:
   run:

.github/workflows/script/update-required-checks.sh

@@ -29,7 +29,7 @@ fi
 echo "Getting checks for $GITHUB_SHA"
 
 # Ignore any checks with "https://", CodeQL, LGTM, Update, and ESLint checks.
-CHECKS="$(gh api repos/github/codeql-action/commits/"${GITHUB_SHA}"/check-runs --paginate | jq --slurp --compact-output --raw-output '[.[].check_runs.[] | select(.conclusion != "skipped") | .name | select(contains("https://") or . == "CodeQL" or . == "Dependabot" or . == "check-expected-release-files" or contains("Update") or contains("ESLint") or contains("update") or contains("test-setup-python-scripts") or . == "Agent" or . == "Cleanup artifacts" or . == "Prepare" or . == "Upload results" | not)] | unique | sort')"
+CHECKS="$(gh api repos/github/codeql-action/commits/"${GITHUB_SHA}"/check-runs --paginate | jq --slurp --compact-output --raw-output '[.[].check_runs.[] | select(.conclusion != "skipped") | .name | select(contains("https://") or . == "CodeQL" or . == "Dependabot" or . == "check-expected-release-files" or contains("Update") or contains("ESLint") or contains("update") or contains("test-setup-python-scripts") or . == "Agent" or . == "Cleanup artifacts" or . == "Prepare" or . == "Upload results" or . == "Label PR with size" | not)] | unique | sort')"
 
 echo "$CHECKS" | jq
 

.github/workflows/test-codeql-bundle-all.yml

@@ -13,9 +13,11 @@ on:
     - synchronize
     - reopened
     - ready_for_review
+  merge_group:
+    types: [checks_requested]
   schedule:
     - cron: '0 5 * * *'
-  workflow_dispatch: {}
+  workflow_dispatch:
 defaults:
   run:
     shell: bash

CHANGELOG.md

@@ -2,6 +2,16 @@
 
 See the [releases page](https://github.com/github/codeql-action/releases) for the relevant changes to the CodeQL CLI and language packs.
 
+## 4.32.5 - 02 Mar 2026
+
+- Repositories owned by an organization can now set up the `github-codeql-disable-overlay` custom repository property to disable [improved incremental analysis for CodeQL](https://github.com/github/roadmap/issues/1158). First, create a custom repository property with the name `github-codeql-disable-overlay` and the type "True/false" in the organization's settings. Then in the repository's settings, set this property to `true` to disable improved incremental analysis. For more information, see [Managing custom properties for repositories in your organization](https://docs.github.com/en/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization). This feature is not yet available on GitHub Enterprise Server. [#3507](https://github.com/github/codeql-action/pull/3507)
+- Added an experimental change so that when [improved incremental analysis](https://github.com/github/roadmap/issues/1158) fails on a runner — potentially due to insufficient disk space — the failure is recorded in the Actions cache so that subsequent runs will automatically skip improved incremental analysis until something changes (e.g. a larger runner is provisioned or a new CodeQL version is released). We expect to roll this change out to everyone in March. [#3487](https://github.com/github/codeql-action/pull/3487)
+- The minimum memory check for improved incremental analysis is now skipped for CodeQL 2.24.3 and later, which has reduced peak RAM usage. [#3515](https://github.com/github/codeql-action/pull/3515)
+- Reduced log levels for best-effort private package registry connection check failures to reduce noise from workflow annotations. [#3516](https://github.com/github/codeql-action/pull/3516)
+- Added an experimental change which lowers the minimum disk space requirement for [improved incremental analysis](https://github.com/github/roadmap/issues/1158), enabling it to run on standard GitHub Actions runners. We expect to roll this change out to everyone in March. [#3498](https://github.com/github/codeql-action/pull/3498)
+- Added an experimental change which allows the `start-proxy` action to resolve the CodeQL CLI version from feature flags instead of using the linked CLI bundle version. We expect to roll this change out to everyone in March. [#3512](https://github.com/github/codeql-action/pull/3512)
+- The previously experimental changes from versions 4.32.3, 4.32.4, 3.32.3 and 3.32.4 are now enabled by default. [#3503](https://github.com/github/codeql-action/pull/3503), [#3504](https://github.com/github/codeql-action/pull/3504)
+
 ## 4.32.4 - 20 Feb 2026
 
 - Update default CodeQL bundle version to [2.24.2](https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.24.2). [#3493](https://github.com/github/codeql-action/pull/3493)

README.md

@@ -72,14 +72,22 @@ We typically release new minor versions of the CodeQL Action and Bundle when a n
 
 | Minimum CodeQL Action | Minimum CodeQL Bundle Version | GitHub Environment | Notes |
 |-----------------------|-------------------------------|--------------------|-------|
-| `v3.28.21`  | `2.21.3` | Enterprise Server 3.18 | |
-| `v3.28.12`  | `2.20.7` | Enterprise Server 3.17 | |
-| `v3.28.6`  | `2.20.3` | Enterprise Server 3.16 | |
-| `v3.28.6`  | `2.20.3` | Enterprise Server 3.15 | |
+| `v4.31.10` | `2.23.9` | Enterprise Server 3.20 | |
+| `v3.29.11` | `2.22.4` | Enterprise Server 3.19 | |
+| `v3.28.21` | `2.21.3` | Enterprise Server 3.18 | |
+| `v3.28.12` | `2.20.7` | Enterprise Server 3.17 | |
+| `v3.28.6` | `2.20.3` | Enterprise Server 3.16 | |
+| `v3.28.6` | `2.20.3` | Enterprise Server 3.15 | |
 | `v3.28.6` | `2.20.3` | Enterprise Server 3.14 | |
 
 See the full list of GHES release and deprecation dates at [GitHub Enterprise Server releases](https://docs.github.com/en/enterprise-server/admin/all-releases#releases-of-github-enterprise-server).
 
+## Keeping the CodeQL Action up to date in advanced setups
+
+If you are using an [advanced setup](https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/configuring-advanced-setup-for-code-scanning), we recommend referencing the CodeQL Action using a major version tag (e.g. `v4`) in your workflow file. This ensures your workflow automatically picks up the latest release within that major version, including bug fixes, new features, and updated CodeQL CLI versions.
+
+If you pin to a specific commit SHA or patch version tag, ensure you keep it updated (e.g. via [Dependabot](https://docs.github.com/en/code-security/dependabot/working-with-dependabot/keeping-your-actions-up-to-date-with-dependabot)). Some CodeQL Action features are enabled by server-side flags that may be removed over time, which can cause old versions to lose functionality.
+
 ## Troubleshooting
 
 Read about [troubleshooting code scanning](https://docs.github.com/en/code-security/code-scanning/troubleshooting-code-scanning).

eslint.config.mjs

@@ -1,27 +1,14 @@
-// Automatically generated by running npx @eslint/migrate-config .eslintrc.json
-
-import path from "node:path";
-import { fileURLToPath } from "node:url";
-
-import { fixupConfigRules, fixupPluginRules } from "@eslint/compat";
-import { FlatCompat } from "@eslint/eslintrc";
+import { fixupPluginRules } from "@eslint/compat";
 import js from "@eslint/js";
-import typescriptEslint from "@typescript-eslint/eslint-plugin";
-import tsParser from "@typescript-eslint/parser";
-import filenames from "eslint-plugin-filenames";
 import github from "eslint-plugin-github";
-import _import from "eslint-plugin-import";
+import { importX, createNodeResolver } from "eslint-plugin-import-x";
+import { createTypeScriptImportResolver } from "eslint-import-resolver-typescript";
 import noAsyncForeach from "eslint-plugin-no-async-foreach";
 import jsdoc from "eslint-plugin-jsdoc";
+import tseslint from "typescript-eslint";
 import globals from "globals";
 
-const __filename = fileURLToPath(import.meta.url);
-const __dirname = path.dirname(__filename);
-const compat = new FlatCompat({
-  baseDirectory: __dirname,
-  recommendedConfig: js.configs.recommended,
-  allConfig: js.configs.all,
-});
+const githubFlatConfigs = github.getFlatConfigs();
 
 export default [
   {
@@ -36,29 +23,29 @@ export default [
       ".github/**/*",
     ],
   },
-  ...fixupConfigRules(
-    compat.extends(
-      "eslint:recommended",
-      "plugin:@typescript-eslint/recommended",
-      "plugin:@typescript-eslint/recommended-requiring-type-checking",
-      "plugin:github/recommended",
-      "plugin:github/typescript",
-      "plugin:import/typescript",
-    ),
-  ),
+  // eslint recommended config
+  js.configs.recommended,
+  // Type-checked rules from typescript-eslint
+  ...tseslint.configs.recommendedTypeChecked,
+  ...tseslint.configs.strict,
+  // eslint-plugin-github recommended config
+  githubFlatConfigs.recommended,
+  // eslint-plugin-github typescript config
+  ...githubFlatConfigs.typescript,
+  // import-x TypeScript settings
+  // This is needed for import-x rules to properly parse TypeScript files.
+  {
+    settings: importX.flatConfigs.typescript.settings,
+  },
   {
     plugins: {
-      "@typescript-eslint": fixupPluginRules(typescriptEslint),
-      filenames: fixupPluginRules(filenames),
-      github: fixupPluginRules(github),
-      import: fixupPluginRules(_import),
-      "no-async-foreach": noAsyncForeach,
+      "import-x": importX,
+      "no-async-foreach": fixupPluginRules(noAsyncForeach),
       "jsdoc": jsdoc,
     },
 
     languageOptions: {
-      parser: tsParser,
-      ecmaVersion: 5,
+      ecmaVersion: "latest",
       sourceType: "module",
 
       globals: {
@@ -79,10 +66,16 @@ export default [
         typescript: {},
       },
       "import/ignore": ["sinon", "uuid", "@octokit/plugin-retry", "del", "get-folder-size"],
+      "import-x/resolver-next": [
+        createTypeScriptImportResolver(),
+        createNodeResolver({
+          extensions: [".ts", ".js", ".json"],
+        }),
+      ],
     },
 
     rules: {
-      "filenames/match-regex": ["error", "^[a-z0-9-]+(\\.test)?$"],
+      "github/filenames-match-regex": ["error", "^[a-z0-9-]+(\\.test)?$"],
       "i18n-text/no-en": "off",
 
       "import/extensions": [
@@ -94,7 +87,10 @@ export default [
 
       "import/no-amd": "error",
       "import/no-commonjs": "error",
-      "import/no-cycle": "error",
+      // import/no-cycle does not seem to work with ESLint 9.
+      // Use import-x/no-cycle from eslint-plugin-import-x instead.
+      "import/no-cycle": "off",
+      "import-x/no-cycle": "error",
       "import/no-dynamic-require": "error",
 
       "import/no-extraneous-dependencies": [
@@ -132,6 +128,8 @@ export default [
       "no-async-foreach/no-async-foreach": "error",
       "no-sequences": "error",
       "no-shadow": "off",
+      // This is overly restrictive with unsetting `EnvVar`s
+      "@typescript-eslint/no-dynamic-delete": "off",
       "@typescript-eslint/no-shadow": "error",
       "@typescript-eslint/prefer-optional-chain": "error",
       "one-var": ["error", "never"],

package.json

@@ -1,6 +1,6 @@
 {
   "name": "codeql",
-  "version": "4.32.4",
+  "version": "4.32.5",
   "private": true,
   "description": "CodeQL action",
   "scripts": {
@@ -45,14 +45,12 @@
     "jsonschema": "1.4.1",
     "long": "^5.3.2",
     "node-forge": "^1.3.3",
-    "semver": "^7.7.3",
+    "semver": "^7.7.4",
     "uuid": "^13.0.0"
   },
   "devDependencies": {
     "@ava/typescript": "6.0.0",
     "@eslint/compat": "^2.0.2",
-    "@eslint/eslintrc": "^3.3.3",
-    "@eslint/js": "^9.39.2",
     "@microsoft/eslint-formatter-sarif": "^3.1.0",
     "@octokit/types": "^16.0.0",
     "@types/archiver": "^7.0.0",
@@ -62,21 +60,20 @@
     "@types/node-forge": "^1.3.14",
     "@types/semver": "^7.7.1",
     "@types/sinon": "^21.0.0",
-    "@typescript-eslint/eslint-plugin": "^8.54.0",
-    "@typescript-eslint/parser": "^8.48.0",
     "ava": "^6.4.1",
-    "esbuild": "^0.27.2",
-    "eslint": "^8.57.1",
+    "esbuild": "^0.27.3",
+    "eslint": "^9.39.2",
     "eslint-import-resolver-typescript": "^3.8.7",
-    "eslint-plugin-filenames": "^1.3.2",
-    "eslint-plugin-github": "^5.1.8",
-    "eslint-plugin-import": "2.29.1",
-    "eslint-plugin-jsdoc": "^62.5.0",
+    "eslint-plugin-github": "^6.0.0",
+    "eslint-plugin-import-x": "^4.16.1",
+    "eslint-plugin-jsdoc": "^62.6.0",
     "eslint-plugin-no-async-foreach": "^0.1.1",
     "glob": "^11.1.0",
-    "nock": "^14.0.10",
+    "globals": "^17.3.0",
+    "nock": "^14.0.11",
     "sinon": "^21.0.1",
-    "typescript": "^5.9.3"
+    "typescript": "^5.9.3",
+    "typescript-eslint": "^8.56.0"
   },
   "overrides": {
     "@actions/tool-cache": {

pr-checks/checks/ccr.yml

@@ -1,16 +0,0 @@
-name: "CCR"
-description: "A standard analysis in CCR mode"
-env:
-  CODEQL_ACTION_ANALYSIS_KEY: "dynamic/copilot-pull-request-reviewer/codeql-action-test"
-steps:
-  - uses: ./../action/init
-    id: init
-    with:
-      languages: javascript
-      tools: ${{ steps.prepare-test.outputs.tools-url }}
-
-  - uses: ./../action/analyze
-    id: analysis
-    with:
-      upload-database: false
-

pr-checks/sync.py

@@ -308,6 +308,9 @@ for file in sorted((this_dir / 'checks').glob('*.yml')):
                 'pull_request': {
                     'types': ["opened", "synchronize", "reopened", "ready_for_review"]
                 },
+                'merge_group': {
+                    'types': ['checks_requested']
+                },
                 'schedule': [{'cron': SingleQuotedScalarString('0 5 * * *')}],
                 'workflow_dispatch': {
                     'inputs': workflowInputs

src/actions-util.test.ts

@@ -5,7 +5,6 @@ import {
   fixCodeQualityCategory,
   getPullRequestBranches,
   isAnalyzingPullRequest,
-  isCCR,
   isDefaultSetup,
   isDynamicWorkflow,
 } from "./actions-util";
@@ -257,16 +256,8 @@ test("isDynamicWorkflow() returns true if event name is `dynamic`", (t) => {
   t.false(isDynamicWorkflow());
 });
 
-test("isCCR() returns true when expected", (t) => {
-  process.env.GITHUB_EVENT_NAME = "dynamic";
-  process.env[EnvVar.ANALYSIS_KEY] = "dynamic/copilot-pull-request-reviewer";
-  t.assert(isCCR());
-  t.false(isDefaultSetup());
-});
-
 test("isDefaultSetup() returns true when expected", (t) => {
   process.env.GITHUB_EVENT_NAME = "dynamic";
   process.env[EnvVar.ANALYSIS_KEY] = "dynamic/github-code-scanning";
   t.assert(isDefaultSetup());
-  t.false(isCCR());
 });

src/actions-util.ts

@@ -8,7 +8,6 @@ import * as io from "@actions/io";
 import { JSONSchemaForNPMPackageJsonFiles } from "@schemastore/package";
 
 import type { Config } from "./config-utils";
-import { EnvVar } from "./environment";
 import { Logger } from "./logging";
 import {
   doesDirectoryExist,
@@ -255,15 +254,7 @@ export function isDynamicWorkflow(): boolean {
 
 /** Determines whether we are running in default setup. */
 export function isDefaultSetup(): boolean {
-  return isDynamicWorkflow() && !isCCR();
-}
-
-/* The analysis key prefix used for CCR. */
-const CCR_KEY_PREFIX = "dynamic/copilot-pull-request-reviewer";
-
-/** Determines whether we are running in CCR. */
-export function isCCR(): boolean {
-  return process.env[EnvVar.ANALYSIS_KEY]?.startsWith(CCR_KEY_PREFIX) || false;
+  return isDynamicWorkflow();
 }
 
 export function prettyPrintInvocation(cmd: string, args: string[]): string {

src/analyze-action.ts

@@ -30,10 +30,10 @@ import {
 } from "./dependency-caching";
 import { getDiffInformedAnalysisBranches } from "./diff-informed-analysis-utils";
 import { EnvVar } from "./environment";
-import { Features } from "./feature-flags";
+import { initFeatures } from "./feature-flags";
 import { KnownLanguage } from "./languages";
 import { getActionsLogger, Logger } from "./logging";
-import { cleanupAndUploadOverlayBaseDatabaseToCache } from "./overlay-database-utils";
+import { cleanupAndUploadOverlayBaseDatabaseToCache } from "./overlay";
 import { getRepositoryNwo } from "./repository";
 import * as statusReport from "./status-report";
 import {
@@ -293,7 +293,7 @@ async function run(startedAt: Date) {
 
     util.checkActionVersion(actionsUtil.getActionVersion(), gitHubVersion);
 
-    const features = new Features(
+    const features = initFeatures(
       gitHubVersion,
       repositoryNwo,
       actionsUtil.getTemporaryDirectory(),

src/analyze.ts

@@ -24,7 +24,7 @@ import { EnvVar } from "./environment";
 import { FeatureEnablement, Feature } from "./feature-flags";
 import { KnownLanguage, Language } from "./languages";
 import { Logger, withGroupAsync } from "./logging";
-import { OverlayDatabaseMode } from "./overlay-database-utils";
+import { OverlayDatabaseMode } from "./overlay";
 import { DatabaseCreationTimings, EventReport } from "./status-report";
 import { endTracingForCluster } from "./tracer-config";
 import * as util from "./util";

src/autobuild.ts

@@ -6,7 +6,7 @@ import { CodeQL, getCodeQL } from "./codeql";
 import * as configUtils from "./config-utils";
 import { DocUrl } from "./doc-url";
 import { EnvVar } from "./environment";
-import { Feature, featureConfig, Features } from "./feature-flags";
+import { Feature, featureConfig, initFeatures } from "./feature-flags";
 import { KnownLanguage, Language } from "./languages";
 import { Logger } from "./logging";
 import { getRepositoryNwo } from "./repository";
@@ -117,7 +117,7 @@ export async function setupCppAutobuild(codeql: CodeQL, logger: Logger) {
   const featureName = "C++ automatic installation of dependencies";
   const gitHubVersion = await getGitHubVersion();
   const repositoryNwo = getRepositoryNwo();
-  const features = new Features(
+  const features = initFeatures(
     gitHubVersion,
     repositoryNwo,
     getTemporaryDirectory(),

src/codeql.test.ts

@@ -15,10 +15,10 @@ import { CliError } from "./cli-errors";
 import * as codeql from "./codeql";
 import {
   AugmentationProperties,
-  Config,
-  defaultAugmentationProperties,
   generateCodeScanningConfig,
-} from "./config-utils";
+  defaultAugmentationProperties,
+} from "./config/db-config";
+import type { Config } from "./config-utils";
 import * as defaults from "./defaults.json";
 import { DocUrl } from "./doc-url";
 import { KnownLanguage } from "./languages";

src/codeql.ts

@@ -28,7 +28,7 @@ import {
   OverlayDatabaseMode,
   writeBaseDatabaseOidsFile,
   writeOverlayChangesFile,
-} from "./overlay-database-utils";
+} from "./overlay";
 import * as setupCodeql from "./setup-codeql";
 import { ZstdAvailability } from "./tar";
 import { ToolsDownloadStatusReport } from "./tools-download";
@@ -160,6 +160,7 @@ export interface CodeQL {
     databasePath: string,
     outputFilePath: string,
     dbName: string,
+    includeDiagnostics: boolean,
     alsoIncludeRelativePaths: string[],
   ): Promise<void>;
   /**
@@ -912,15 +913,22 @@ async function getCodeQLForCmd(
       databasePath: string,
       outputFilePath: string,
       databaseName: string,
+      includeDiagnostics: boolean,
       alsoIncludeRelativePaths: string[],
     ): Promise<void> {
+      const includeDiagnosticsArgs = includeDiagnostics
+        ? ["--include-diagnostics"]
+        : [];
       const args = [
         "database",
         "bundle",
         databasePath,
         `--output=${outputFilePath}`,
         `--name=${databaseName}`,
-        ...getExtraOptionsFromEnv(["database", "bundle"]),
+        ...includeDiagnosticsArgs,
+        ...getExtraOptionsFromEnv(["database", "bundle"], {
+          ignoringOptions: includeDiagnosticsArgs,
+        }),
       ];
       if (
         await this.supportsFeature(ToolsFeature.BundleSupportsIncludeOption)

src/config-utils.test.ts

@@ -11,17 +11,18 @@ import { AnalysisKind, supportedAnalysisKinds } from "./analyses";
 import * as api from "./api-client";
 import { CachingKind } from "./caching-utils";
 import { createStubCodeQL } from "./codeql";
+import { UserConfig } from "./config/db-config";
 import * as configUtils from "./config-utils";
 import * as errorMessages from "./error-messages";
 import { Feature } from "./feature-flags";
+import { RepositoryProperties } from "./feature-flags/properties";
 import * as gitUtils from "./git-utils";
 import { GitVersionInfo } from "./git-utils";
 import { KnownLanguage, Language } from "./languages";
 import { getRunnerLogger } from "./logging";
-import {
-  CODEQL_OVERLAY_MINIMUM_VERSION,
-  OverlayDatabaseMode,
-} from "./overlay-database-utils";
+import { CODEQL_OVERLAY_MINIMUM_VERSION, OverlayDatabaseMode } from "./overlay";
+import { OverlayDisabledReason } from "./overlay/diagnostics";
+import * as overlayStatus from "./overlay/status";
 import { parseRepositoryNwo } from "./repository";
 import {
   setupTests,
@@ -248,7 +249,7 @@ test("initActionState doesn't throw if there are queries configured in the repos
     };
 
     // Expected configuration for a CQ-only analysis.
-    const computedConfig: configUtils.UserConfig = {
+    const computedConfig: UserConfig = {
       "disable-default-queries": true,
       queries: [{ uses: "code-quality" }],
       "query-filters": [],
@@ -493,7 +494,7 @@ test("load non-empty input", async (t) => {
 
     fs.mkdirSync(path.join(tempDir, "foo"));
 
-    const userConfig: configUtils.UserConfig = {
+    const userConfig: UserConfig = {
       name: "my config",
       "disable-default-queries": true,
       queries: [{ uses: "./foo" }],
@@ -981,9 +982,11 @@ interface OverlayDatabaseModeTestSetup {
   codeqlVersion: string;
   gitRoot: string | undefined;
   gitVersion: GitVersionInfo | undefined;
-  codeScanningConfig: configUtils.UserConfig;
+  codeScanningConfig: UserConfig;
   diskUsage: DiskUsage | undefined;
   memoryFlagValue: number;
+  shouldSkipOverlayAnalysisDueToCachedStatus: boolean;
+  repositoryProperties: RepositoryProperties;
 }
 
 const defaultOverlayDatabaseModeTestSetup: OverlayDatabaseModeTestSetup = {
@@ -1005,6 +1008,8 @@ const defaultOverlayDatabaseModeTestSetup: OverlayDatabaseModeTestSetup = {
     numTotalBytes: 100_000_000_000,
   },
   memoryFlagValue: 6920,
+  shouldSkipOverlayAnalysisDueToCachedStatus: false,
+  repositoryProperties: {},
 };
 
 const getOverlayDatabaseModeMacro = test.macro({
@@ -1015,6 +1020,7 @@ const getOverlayDatabaseModeMacro = test.macro({
     expected: {
       overlayDatabaseMode: OverlayDatabaseMode;
       useOverlayDatabaseCaching: boolean;
+      disabledReason?: OverlayDisabledReason;
     },
   ) => {
     return await withTmpDir(async (tempDir) => {
@@ -1039,6 +1045,10 @@ const getOverlayDatabaseModeMacro = test.macro({
 
         sinon.stub(util, "checkDiskUsage").resolves(setup.diskUsage);
 
+        sinon
+          .stub(overlayStatus, "shouldSkipOverlayAnalysis")
+          .resolves(setup.shouldSkipOverlayAnalysisDueToCachedStatus);
+
         // Mock feature flags
         const features = createFeatures(setup.features);
 
@@ -1077,10 +1087,15 @@ const getOverlayDatabaseModeMacro = test.macro({
           setup.buildMode,
           undefined,
           setup.codeScanningConfig,
+          setup.repositoryProperties,
           setup.gitVersion,
           logger,
         );
 
+        if (!("disabledReason" in expected)) {
+          expected.disabledReason = undefined;
+        }
+
         t.deepEqual(result, expected);
       } finally {
         // Restore the original environment
@@ -1136,6 +1151,7 @@ test(
   {
     overlayDatabaseMode: OverlayDatabaseMode.None,
     useOverlayDatabaseCaching: false,
+    disabledReason: OverlayDisabledReason.FeatureNotEnabled,
   },
 );
 
@@ -1174,7 +1190,7 @@ test(
     features: [Feature.OverlayAnalysis, Feature.OverlayAnalysisJavascript],
     codeScanningConfig: {
       packs: ["some-custom-pack@1.0.0"],
-    } as configUtils.UserConfig,
+    } as UserConfig,
     isDefaultBranch: true,
   },
   {
@@ -1218,6 +1234,7 @@ test(
   {
     overlayDatabaseMode: OverlayDatabaseMode.None,
     useOverlayDatabaseCaching: false,
+    disabledReason: OverlayDisabledReason.InsufficientResources,
   },
 );
 
@@ -1236,6 +1253,7 @@ test(
   {
     overlayDatabaseMode: OverlayDatabaseMode.None,
     useOverlayDatabaseCaching: false,
+    disabledReason: OverlayDisabledReason.InsufficientResources,
   },
 );
 
@@ -1261,6 +1279,73 @@ test(
   },
 );
 
+test(
+  getOverlayDatabaseModeMacro,
+  "No overlay-base database on default branch if runner disk space is below v2 limit and v2 resource checks enabled",
+  {
+    languages: [KnownLanguage.javascript],
+    features: [
+      Feature.OverlayAnalysis,
+      Feature.OverlayAnalysisCodeScanningJavascript,
+      Feature.OverlayAnalysisResourceChecksV2,
+    ],
+    isDefaultBranch: true,
+    diskUsage: {
+      numAvailableBytes: 5_000_000_000,
+      numTotalBytes: 100_000_000_000,
+    },
+  },
+  {
+    overlayDatabaseMode: OverlayDatabaseMode.None,
+    useOverlayDatabaseCaching: false,
+    disabledReason: OverlayDisabledReason.InsufficientResources,
+  },
+);
+
+test(
+  getOverlayDatabaseModeMacro,
+  "Overlay-base database on default branch if runner disk space is between v2 and v1 limits and v2 resource checks enabled",
+  {
+    languages: [KnownLanguage.javascript],
+    features: [
+      Feature.OverlayAnalysis,
+      Feature.OverlayAnalysisCodeScanningJavascript,
+      Feature.OverlayAnalysisResourceChecksV2,
+    ],
+    isDefaultBranch: true,
+    diskUsage: {
+      numAvailableBytes: 15_000_000_000,
+      numTotalBytes: 100_000_000_000,
+    },
+  },
+  {
+    overlayDatabaseMode: OverlayDatabaseMode.OverlayBase,
+    useOverlayDatabaseCaching: true,
+  },
+);
+
+test(
+  getOverlayDatabaseModeMacro,
+  "No overlay-base database on default branch if runner disk space is between v2 and v1 limits and v2 resource checks not enabled",
+  {
+    languages: [KnownLanguage.javascript],
+    features: [
+      Feature.OverlayAnalysis,
+      Feature.OverlayAnalysisCodeScanningJavascript,
+    ],
+    isDefaultBranch: true,
+    diskUsage: {
+      numAvailableBytes: 15_000_000_000,
+      numTotalBytes: 100_000_000_000,
+    },
+  },
+  {
+    overlayDatabaseMode: OverlayDatabaseMode.None,
+    useOverlayDatabaseCaching: false,
+    disabledReason: OverlayDisabledReason.InsufficientResources,
+  },
+);
+
 test(
   getOverlayDatabaseModeMacro,
   "No overlay-base database on default branch if memory flag is too low",
@@ -1276,6 +1361,26 @@ test(
   {
     overlayDatabaseMode: OverlayDatabaseMode.None,
     useOverlayDatabaseCaching: false,
+    disabledReason: OverlayDisabledReason.InsufficientResources,
+  },
+);
+
+test(
+  getOverlayDatabaseModeMacro,
+  "Overlay-base database on default branch if memory flag is too low but CodeQL >= 2.24.3",
+  {
+    languages: [KnownLanguage.javascript],
+    features: [
+      Feature.OverlayAnalysis,
+      Feature.OverlayAnalysisCodeScanningJavascript,
+    ],
+    isDefaultBranch: true,
+    memoryFlagValue: 3072,
+    codeqlVersion: "2.24.3",
+  },
+  {
+    overlayDatabaseMode: OverlayDatabaseMode.OverlayBase,
+    useOverlayDatabaseCaching: true,
   },
 );
 
@@ -1298,6 +1403,46 @@ test(
   },
 );
 
+test(
+  getOverlayDatabaseModeMacro,
+  "No overlay-base database on default branch when cached status indicates previous failure",
+  {
+    languages: [KnownLanguage.javascript],
+    features: [
+      Feature.OverlayAnalysis,
+      Feature.OverlayAnalysisJavascript,
+      Feature.OverlayAnalysisStatusCheck,
+    ],
+    isDefaultBranch: true,
+    shouldSkipOverlayAnalysisDueToCachedStatus: true,
+  },
+  {
+    overlayDatabaseMode: OverlayDatabaseMode.None,
+    useOverlayDatabaseCaching: false,
+    disabledReason: OverlayDisabledReason.SkippedDueToCachedStatus,
+  },
+);
+
+test(
+  getOverlayDatabaseModeMacro,
+  "No overlay analysis on PR when cached status indicates previous failure",
+  {
+    languages: [KnownLanguage.javascript],
+    features: [
+      Feature.OverlayAnalysis,
+      Feature.OverlayAnalysisJavascript,
+      Feature.OverlayAnalysisStatusCheck,
+    ],
+    isPullRequest: true,
+    shouldSkipOverlayAnalysisDueToCachedStatus: true,
+  },
+  {
+    overlayDatabaseMode: OverlayDatabaseMode.None,
+    useOverlayDatabaseCaching: false,
+    disabledReason: OverlayDisabledReason.SkippedDueToCachedStatus,
+  },
+);
+
 test(
   getOverlayDatabaseModeMacro,
   "No overlay-base database on default branch when code-scanning feature enabled with disable-default-queries",
@@ -1309,12 +1454,13 @@ test(
     ],
     codeScanningConfig: {
       "disable-default-queries": true,
-    } as configUtils.UserConfig,
+    } as UserConfig,
     isDefaultBranch: true,
   },
   {
     overlayDatabaseMode: OverlayDatabaseMode.None,
     useOverlayDatabaseCaching: false,
+    disabledReason: OverlayDisabledReason.FeatureNotEnabled,
   },
 );
 
@@ -1329,12 +1475,13 @@ test(
     ],
     codeScanningConfig: {
       packs: ["some-custom-pack@1.0.0"],
-    } as configUtils.UserConfig,
+    } as UserConfig,
     isDefaultBranch: true,
   },
   {
     overlayDatabaseMode: OverlayDatabaseMode.None,
     useOverlayDatabaseCaching: false,
+    disabledReason: OverlayDisabledReason.FeatureNotEnabled,
   },
 );
 
@@ -1349,12 +1496,13 @@ test(
     ],
     codeScanningConfig: {
       queries: [{ uses: "some-query.ql" }],
-    } as configUtils.UserConfig,
+    } as UserConfig,
     isDefaultBranch: true,
   },
   {
     overlayDatabaseMode: OverlayDatabaseMode.None,
     useOverlayDatabaseCaching: false,
+    disabledReason: OverlayDisabledReason.FeatureNotEnabled,
   },
 );
 
@@ -1369,12 +1517,13 @@ test(
     ],
     codeScanningConfig: {
       "query-filters": [{ include: { "security-severity": "high" } }],
-    } as configUtils.UserConfig,
+    } as UserConfig,
     isDefaultBranch: true,
   },
   {
     overlayDatabaseMode: OverlayDatabaseMode.None,
     useOverlayDatabaseCaching: false,
+    disabledReason: OverlayDisabledReason.FeatureNotEnabled,
   },
 );
 
@@ -1389,6 +1538,7 @@ test(
   {
     overlayDatabaseMode: OverlayDatabaseMode.None,
     useOverlayDatabaseCaching: false,
+    disabledReason: OverlayDisabledReason.FeatureNotEnabled,
   },
 );
 
@@ -1403,6 +1553,7 @@ test(
   {
     overlayDatabaseMode: OverlayDatabaseMode.None,
     useOverlayDatabaseCaching: false,
+    disabledReason: OverlayDisabledReason.FeatureNotEnabled,
   },
 );
 
@@ -1417,6 +1568,7 @@ test(
   {
     overlayDatabaseMode: OverlayDatabaseMode.None,
     useOverlayDatabaseCaching: false,
+    disabledReason: OverlayDisabledReason.FeatureNotEnabled,
   },
 );
 
@@ -1442,7 +1594,7 @@ test(
     features: [Feature.OverlayAnalysis, Feature.OverlayAnalysisJavascript],
     codeScanningConfig: {
       packs: ["some-custom-pack@1.0.0"],
-    } as configUtils.UserConfig,
+    } as UserConfig,
     isPullRequest: true,
   },
   {
@@ -1486,6 +1638,7 @@ test(
   {
     overlayDatabaseMode: OverlayDatabaseMode.None,
     useOverlayDatabaseCaching: false,
+    disabledReason: OverlayDisabledReason.InsufficientResources,
   },
 );
 
@@ -1526,6 +1679,7 @@ test(
   {
     overlayDatabaseMode: OverlayDatabaseMode.None,
     useOverlayDatabaseCaching: false,
+    disabledReason: OverlayDisabledReason.InsufficientResources,
   },
 );
 
@@ -1544,6 +1698,26 @@ test(
   {
     overlayDatabaseMode: OverlayDatabaseMode.None,
     useOverlayDatabaseCaching: false,
+    disabledReason: OverlayDisabledReason.InsufficientResources,
+  },
+);
+
+test(
+  getOverlayDatabaseModeMacro,
+  "Overlay analysis on PR if memory flag is too low but CodeQL >= 2.24.3",
+  {
+    languages: [KnownLanguage.javascript],
+    features: [
+      Feature.OverlayAnalysis,
+      Feature.OverlayAnalysisCodeScanningJavascript,
+    ],
+    isPullRequest: true,
+    memoryFlagValue: 3072,
+    codeqlVersion: "2.24.3",
+  },
+  {
+    overlayDatabaseMode: OverlayDatabaseMode.Overlay,
+    useOverlayDatabaseCaching: true,
   },
 );
 
@@ -1577,12 +1751,13 @@ test(
     ],
     codeScanningConfig: {
       "disable-default-queries": true,
-    } as configUtils.UserConfig,
+    } as UserConfig,
     isPullRequest: true,
   },
   {
     overlayDatabaseMode: OverlayDatabaseMode.None,
     useOverlayDatabaseCaching: false,
+    disabledReason: OverlayDisabledReason.FeatureNotEnabled,
   },
 );
 
@@ -1597,12 +1772,13 @@ test(
     ],
     codeScanningConfig: {
       packs: ["some-custom-pack@1.0.0"],
-    } as configUtils.UserConfig,
+    } as UserConfig,
     isPullRequest: true,
   },
   {
     overlayDatabaseMode: OverlayDatabaseMode.None,
     useOverlayDatabaseCaching: false,
+    disabledReason: OverlayDisabledReason.FeatureNotEnabled,
   },
 );
 
@@ -1617,12 +1793,13 @@ test(
     ],
     codeScanningConfig: {
       queries: [{ uses: "some-query.ql" }],
-    } as configUtils.UserConfig,
+    } as UserConfig,
     isPullRequest: true,
   },
   {
     overlayDatabaseMode: OverlayDatabaseMode.None,
     useOverlayDatabaseCaching: false,
+    disabledReason: OverlayDisabledReason.FeatureNotEnabled,
   },
 );
 
@@ -1637,12 +1814,13 @@ test(
     ],
     codeScanningConfig: {
       "query-filters": [{ include: { "security-severity": "high" } }],
-    } as configUtils.UserConfig,
+    } as UserConfig,
     isPullRequest: true,
   },
   {
     overlayDatabaseMode: OverlayDatabaseMode.None,
     useOverlayDatabaseCaching: false,
+    disabledReason: OverlayDisabledReason.FeatureNotEnabled,
   },
 );
 
@@ -1657,6 +1835,7 @@ test(
   {
     overlayDatabaseMode: OverlayDatabaseMode.None,
     useOverlayDatabaseCaching: false,
+    disabledReason: OverlayDisabledReason.FeatureNotEnabled,
   },
 );
 
@@ -1671,6 +1850,7 @@ test(
   {
     overlayDatabaseMode: OverlayDatabaseMode.None,
     useOverlayDatabaseCaching: false,
+    disabledReason: OverlayDisabledReason.FeatureNotEnabled,
   },
 );
 
@@ -1685,6 +1865,7 @@ test(
   {
     overlayDatabaseMode: OverlayDatabaseMode.None,
     useOverlayDatabaseCaching: false,
+    disabledReason: OverlayDisabledReason.FeatureNotEnabled,
   },
 );
 
@@ -1738,6 +1919,7 @@ test(
   {
     overlayDatabaseMode: OverlayDatabaseMode.None,
     useOverlayDatabaseCaching: false,
+    disabledReason: OverlayDisabledReason.IncompatibleBuildMode,
   },
 );
 
@@ -1752,6 +1934,7 @@ test(
   {
     overlayDatabaseMode: OverlayDatabaseMode.None,
     useOverlayDatabaseCaching: false,
+    disabledReason: OverlayDisabledReason.IncompatibleBuildMode,
   },
 );
 
@@ -1765,6 +1948,7 @@ test(
   {
     overlayDatabaseMode: OverlayDatabaseMode.None,
     useOverlayDatabaseCaching: false,
+    disabledReason: OverlayDisabledReason.IncompatibleCodeQl,
   },
 );
 
@@ -1778,6 +1962,7 @@ test(
   {
     overlayDatabaseMode: OverlayDatabaseMode.None,
     useOverlayDatabaseCaching: false,
+    disabledReason: OverlayDisabledReason.NoGitRoot,
   },
 );
 
@@ -1791,6 +1976,7 @@ test(
   {
     overlayDatabaseMode: OverlayDatabaseMode.None,
     useOverlayDatabaseCaching: false,
+    disabledReason: OverlayDisabledReason.IncompatibleGit,
   },
 );
 
@@ -1804,6 +1990,57 @@ test(
   {
     overlayDatabaseMode: OverlayDatabaseMode.None,
     useOverlayDatabaseCaching: false,
+    disabledReason: OverlayDisabledReason.IncompatibleGit,
+  },
+);
+
+test(
+  getOverlayDatabaseModeMacro,
+  "No overlay when disabled via repository property",
+  {
+    languages: [KnownLanguage.javascript],
+    features: [Feature.OverlayAnalysis, Feature.OverlayAnalysisJavascript],
+    isPullRequest: true,
+    repositoryProperties: {
+      "github-codeql-disable-overlay": true,
+    },
+  },
+  {
+    overlayDatabaseMode: OverlayDatabaseMode.None,
+    useOverlayDatabaseCaching: false,
+    disabledReason: OverlayDisabledReason.DisabledByRepositoryProperty,
+  },
+);
+
+test(
+  getOverlayDatabaseModeMacro,
+  "Overlay not disabled when repository property is false",
+  {
+    languages: [KnownLanguage.javascript],
+    features: [Feature.OverlayAnalysis, Feature.OverlayAnalysisJavascript],
+    isPullRequest: true,
+    repositoryProperties: {
+      "github-codeql-disable-overlay": false,
+    },
+  },
+  {
+    overlayDatabaseMode: OverlayDatabaseMode.Overlay,
+    useOverlayDatabaseCaching: true,
+  },
+);
+
+test(
+  getOverlayDatabaseModeMacro,
+  "Environment variable override takes precedence over repository property",
+  {
+    overlayDatabaseEnvVar: "overlay",
+    repositoryProperties: {
+      "github-codeql-disable-overlay": true,
+    },
+  },
+  {
+    overlayDatabaseMode: OverlayDatabaseMode.Overlay,
+    useOverlayDatabaseCaching: false,
   },
 );
 
@@ -1820,6 +2057,7 @@ for (const language in KnownLanguage) {
     {
       overlayDatabaseMode: OverlayDatabaseMode.None,
       useOverlayDatabaseCaching: false,
+      disabledReason: OverlayDisabledReason.FeatureNotEnabled,
     },
   );
 }

src/config-utils.ts

@@ -7,7 +7,7 @@ import * as yaml from "js-yaml";
 import {
   getActionVersion,
   isAnalyzingPullRequest,
-  isCCR,
+  isDynamicWorkflow,
 } from "./actions-util";
 import {
   AnalysisConfig,
@@ -33,7 +33,10 @@ import { shouldPerformDiffInformedAnalysis } from "./diff-informed-analysis-util
 import { EnvVar } from "./environment";
 import * as errorMessages from "./error-messages";
 import { Feature, FeatureEnablement } from "./feature-flags";
-import { RepositoryProperties } from "./feature-flags/properties";
+import {
+  RepositoryProperties,
+  RepositoryPropertyName,
+} from "./feature-flags/properties";
 import {
   getGeneratedFiles,
   getGitRoot,
@@ -44,10 +47,12 @@ import {
 } from "./git-utils";
 import { KnownLanguage, Language } from "./languages";
 import { Logger } from "./logging";
+import { CODEQL_OVERLAY_MINIMUM_VERSION, OverlayDatabaseMode } from "./overlay";
 import {
-  CODEQL_OVERLAY_MINIMUM_VERSION,
-  OverlayDatabaseMode,
-} from "./overlay-database-utils";
+  addOverlayDisablementDiagnostics,
+  OverlayDisabledReason,
+} from "./overlay/diagnostics";
+import { shouldSkipOverlayAnalysis } from "./overlay/status";
 import { RepositoryNwo } from "./repository";
 import { ToolsFeature } from "./tools-features";
 import { downloadTrapCaches } from "./trap-caching";
@@ -63,10 +68,9 @@ import {
   getErrorMessage,
   isInTestMode,
   joinAtMost,
+  DiskUsage,
 } from "./util";
 
-export * from "./config/db-config";
-
 /**
  * The minimum available disk space (in MB) required to perform overlay analysis.
  * If the available disk space on the runner is below the threshold when deciding
@@ -79,13 +83,32 @@ const OVERLAY_MINIMUM_AVAILABLE_DISK_SPACE_BYTES =
   OVERLAY_MINIMUM_AVAILABLE_DISK_SPACE_MB * 1_000_000;
 
 /**
- * The minimum memory (in MB) that must be available for CodeQL to perform overlay
- * analysis. If CodeQL will be given less memory than this threshold, then the
- * action will not perform overlay analysis unless overlay analysis has been
- * explicitly enabled via environment variable.
+ * The v2 minimum available disk space (in MB) required to perform overlay
+ * analysis. This is a lower threshold than the v1 limit, allowing overlay
+ * analysis to run on runners with less available disk space.
+ */
+const OVERLAY_MINIMUM_AVAILABLE_DISK_SPACE_V2_MB = 14000;
+const OVERLAY_MINIMUM_AVAILABLE_DISK_SPACE_V2_BYTES =
+  OVERLAY_MINIMUM_AVAILABLE_DISK_SPACE_V2_MB * 1_000_000;
+
+/**
+ * The minimum memory (in MB) that must be available for CodeQL to perform overlay analysis. If
+ * CodeQL will be given less memory than this threshold, then the action will not perform overlay
+ * analysis unless overlay analysis has been explicitly enabled via environment variable.
+ *
+ * This check is not performed for CodeQL >= `CODEQL_VERSION_REDUCED_OVERLAY_MEMORY_USAGE` since
+ * improved memory usage in that version makes the check unnecessary.
  */
 const OVERLAY_MINIMUM_MEMORY_MB = 5 * 1024;
 
+/**
+ * Versions 2.24.3+ of CodeQL reduce overlay analysis's peak RAM usage.
+ *
+ * In particular, RAM usage with overlay analysis enabled should generally be no higher than it is
+ * without overlay analysis for these versions.
+ */
+const CODEQL_VERSION_REDUCED_OVERLAY_MEMORY_USAGE = "2.24.3";
+
 export type RegistryConfigWithCredentials = RegistryConfigNoCredentials & {
   // Token to use when downloading packs from this registry.
   token: string;
@@ -670,39 +693,83 @@ async function isOverlayAnalysisFeatureEnabled(
   return true;
 }
 
-/**
- * Checks if the runner supports overlay analysis based on available disk space
- * and the maximum memory CodeQL will be allowed to use.
- */
-async function runnerSupportsOverlayAnalysis(
-  ramInput: string | undefined,
+/** Checks if the runner has enough disk space for overlay analysis. */
+function runnerHasSufficientDiskSpace(
+  diskUsage: DiskUsage | undefined,
   logger: Logger,
-): Promise<boolean> {
-  const diskUsage = await checkDiskUsage(logger);
+  useV2ResourceChecks: boolean,
+): boolean {
+  const minimumDiskSpaceBytes = useV2ResourceChecks
+    ? OVERLAY_MINIMUM_AVAILABLE_DISK_SPACE_V2_BYTES
+    : OVERLAY_MINIMUM_AVAILABLE_DISK_SPACE_BYTES;
   if (
     diskUsage === undefined ||
-    diskUsage.numAvailableBytes < OVERLAY_MINIMUM_AVAILABLE_DISK_SPACE_BYTES
+    diskUsage.numAvailableBytes < minimumDiskSpaceBytes
   ) {
     const diskSpaceMb =
       diskUsage === undefined
         ? 0
         : Math.round(diskUsage.numAvailableBytes / 1_000_000);
+    const minimumDiskSpaceMb = Math.round(minimumDiskSpaceBytes / 1_000_000);
     logger.info(
       `Setting overlay database mode to ${OverlayDatabaseMode.None} ` +
-        `due to insufficient disk space (${diskSpaceMb} MB).`,
+        `due to insufficient disk space (${diskSpaceMb} MB, needed ${minimumDiskSpaceMb} MB).`,
     );
     return false;
   }
+  return true;
+}
+
+/** Checks if the runner has enough memory for overlay analysis. */
+async function runnerHasSufficientMemory(
+  codeql: CodeQL,
+  ramInput: string | undefined,
+  logger: Logger,
+): Promise<boolean> {
+  if (
+    await codeQlVersionAtLeast(
+      codeql,
+      CODEQL_VERSION_REDUCED_OVERLAY_MEMORY_USAGE,
+    )
+  ) {
+    logger.debug(
+      `Skipping memory check for overlay analysis because CodeQL version is at least ${CODEQL_VERSION_REDUCED_OVERLAY_MEMORY_USAGE}.`,
+    );
+    return true;
+  }
 
   const memoryFlagValue = getCodeQLMemoryLimit(ramInput, logger);
   if (memoryFlagValue < OVERLAY_MINIMUM_MEMORY_MB) {
     logger.info(
       `Setting overlay database mode to ${OverlayDatabaseMode.None} ` +
-        `due to insufficient memory for CodeQL analysis (${memoryFlagValue} MB).`,
+        `due to insufficient memory for CodeQL analysis (${memoryFlagValue} MB, needed ${OVERLAY_MINIMUM_MEMORY_MB} MB).`,
     );
     return false;
   }
 
+  logger.debug(
+    `Memory available for CodeQL analysis is ${memoryFlagValue} MB, which is above the minimum of ${OVERLAY_MINIMUM_MEMORY_MB} MB.`,
+  );
+  return true;
+}
+
+/**
+ * Checks if the runner supports overlay analysis based on available disk space
+ * and the maximum memory CodeQL will be allowed to use.
+ */
+async function runnerSupportsOverlayAnalysis(
+  codeql: CodeQL,
+  diskUsage: DiskUsage | undefined,
+  ramInput: string | undefined,
+  logger: Logger,
+  useV2ResourceChecks: boolean,
+): Promise<boolean> {
+  if (!runnerHasSufficientDiskSpace(diskUsage, logger, useV2ResourceChecks)) {
+    return false;
+  }
+  if (!(await runnerHasSufficientMemory(codeql, ramInput, logger))) {
+    return false;
+  }
   return true;
 }
 
@@ -735,14 +802,17 @@ export async function getOverlayDatabaseMode(
   buildMode: BuildMode | undefined,
   ramInput: string | undefined,
   codeScanningConfig: UserConfig,
+  repositoryProperties: RepositoryProperties,
   gitVersion: GitVersionInfo | undefined,
   logger: Logger,
 ): Promise<{
   overlayDatabaseMode: OverlayDatabaseMode;
   useOverlayDatabaseCaching: boolean;
+  disabledReason: OverlayDisabledReason | undefined;
 }> {
   let overlayDatabaseMode = OverlayDatabaseMode.None;
   let useOverlayDatabaseCaching = false;
+  let disabledReason: OverlayDisabledReason | undefined;
 
   const modeEnv = process.env.CODEQL_OVERLAY_DATABASE_MODE;
   // Any unrecognized CODEQL_OVERLAY_DATABASE_MODE value will be ignored and
@@ -757,6 +827,15 @@ export async function getOverlayDatabaseMode(
       `Setting overlay database mode to ${overlayDatabaseMode} ` +
         "from the CODEQL_OVERLAY_DATABASE_MODE environment variable.",
     );
+  } else if (
+    repositoryProperties[RepositoryPropertyName.DISABLE_OVERLAY] === true
+  ) {
+    logger.info(
+      `Setting overlay database mode to ${OverlayDatabaseMode.None} ` +
+        `because the ${RepositoryPropertyName.DISABLE_OVERLAY} repository property is set to true.`,
+    );
+    overlayDatabaseMode = OverlayDatabaseMode.None;
+    disabledReason = OverlayDisabledReason.DisabledByRepositoryProperty;
   } else if (
     await isOverlayAnalysisFeatureEnabled(
       features,
@@ -769,11 +848,46 @@ export async function getOverlayDatabaseMode(
       Feature.OverlayAnalysisSkipResourceChecks,
       codeql,
     ));
+    const useV2ResourceChecks = await features.getValue(
+      Feature.OverlayAnalysisResourceChecksV2,
+    );
+    const checkOverlayStatus = await features.getValue(
+      Feature.OverlayAnalysisStatusCheck,
+    );
+    const diskUsage =
+      performResourceChecks || checkOverlayStatus
+        ? await checkDiskUsage(logger)
+        : undefined;
     if (
       performResourceChecks &&
-      !(await runnerSupportsOverlayAnalysis(ramInput, logger))
+      !(await runnerSupportsOverlayAnalysis(
+        codeql,
+        diskUsage,
+        ramInput,
+        logger,
+        useV2ResourceChecks,
+      ))
     ) {
       overlayDatabaseMode = OverlayDatabaseMode.None;
+      disabledReason = OverlayDisabledReason.InsufficientResources;
+    } else if (checkOverlayStatus && diskUsage === undefined) {
+      logger.warning(
+        `Unable to determine disk usage, therefore setting overlay database mode to ${OverlayDatabaseMode.None}.`,
+      );
+      overlayDatabaseMode = OverlayDatabaseMode.None;
+      disabledReason = OverlayDisabledReason.UnableToDetermineDiskUsage;
+    } else if (
+      checkOverlayStatus &&
+      diskUsage &&
+      (await shouldSkipOverlayAnalysis(codeql, languages, diskUsage, logger))
+    ) {
+      logger.info(
+        `Setting overlay database mode to ${OverlayDatabaseMode.None} ` +
+          "because overlay analysis previously failed with this combination of languages, " +
+          "disk space, and CodeQL version.",
+      );
+      overlayDatabaseMode = OverlayDatabaseMode.None;
+      disabledReason = OverlayDisabledReason.SkippedDueToCachedStatus;
     } else if (isAnalyzingPullRequest()) {
       overlayDatabaseMode = OverlayDatabaseMode.Overlay;
       useOverlayDatabaseCaching = true;
@@ -789,15 +903,18 @@ export async function getOverlayDatabaseMode(
           "with caching because we are analyzing the default branch.",
       );
     }
+  } else {
+    disabledReason = OverlayDisabledReason.FeatureNotEnabled;
   }
 
-  const nonOverlayAnalysis = {
+  const disabledResult = (reason: OverlayDisabledReason | undefined) => ({
     overlayDatabaseMode: OverlayDatabaseMode.None,
     useOverlayDatabaseCaching: false,
-  };
+    disabledReason: reason,
+  });
 
   if (overlayDatabaseMode === OverlayDatabaseMode.None) {
-    return nonOverlayAnalysis;
+    return disabledResult(disabledReason);
   }
 
   if (
@@ -820,7 +937,7 @@ export async function getOverlayDatabaseMode(
         `build-mode is set to "${buildMode}" instead of "none". ` +
         "Falling back to creating a normal full database instead.",
     );
-    return nonOverlayAnalysis;
+    return disabledResult(OverlayDisabledReason.IncompatibleBuildMode);
   }
   if (!(await codeQlVersionAtLeast(codeql, CODEQL_OVERLAY_MINIMUM_VERSION))) {
     logger.warning(
@@ -828,7 +945,7 @@ export async function getOverlayDatabaseMode(
         `the CodeQL CLI is older than ${CODEQL_OVERLAY_MINIMUM_VERSION}. ` +
         "Falling back to creating a normal full database instead.",
     );
-    return nonOverlayAnalysis;
+    return disabledResult(OverlayDisabledReason.IncompatibleCodeQl);
   }
   if ((await getGitRoot(sourceRoot)) === undefined) {
     logger.warning(
@@ -836,7 +953,7 @@ export async function getOverlayDatabaseMode(
         `the source root "${sourceRoot}" is not inside a git repository. ` +
         "Falling back to creating a normal full database instead.",
     );
-    return nonOverlayAnalysis;
+    return disabledResult(OverlayDisabledReason.NoGitRoot);
   }
   if (gitVersion === undefined) {
     logger.warning(
@@ -844,7 +961,7 @@ export async function getOverlayDatabaseMode(
         "the Git version could not be determined. " +
         "Falling back to creating a normal full database instead.",
     );
-    return nonOverlayAnalysis;
+    return disabledResult(OverlayDisabledReason.IncompatibleGit);
   }
   if (!gitVersion.isAtLeast(GIT_MINIMUM_VERSION_FOR_OVERLAY)) {
     logger.warning(
@@ -852,12 +969,13 @@ export async function getOverlayDatabaseMode(
         `the installed Git version is older than ${GIT_MINIMUM_VERSION_FOR_OVERLAY}. ` +
         "Falling back to creating a normal full database instead.",
     );
-    return nonOverlayAnalysis;
+    return disabledResult(OverlayDisabledReason.IncompatibleGit);
   }
 
   return {
     overlayDatabaseMode,
     useOverlayDatabaseCaching,
+    disabledReason,
   };
 }
 
@@ -964,10 +1082,13 @@ export async function initConfig(
     }
   }
 
-  // If we are in CCR or the corresponding FF is enabled, try to determine
+  // If we are in a dynamic workflow or the corresponding FF is enabled, try to determine
   // which files in the repository are marked as generated and add them to
   // the `paths-ignore` configuration.
-  if ((await features.getValue(Feature.IgnoreGeneratedFiles)) && isCCR()) {
+  if (
+    (await features.getValue(Feature.IgnoreGeneratedFiles)) &&
+    isDynamicWorkflow()
+  ) {
     try {
       const generatedFilesCheckStartedAt = performance.now();
       const generatedFiles = await getGeneratedFiles(inputs.sourceRoot);
@@ -1001,18 +1122,22 @@ export async function initConfig(
   // and queries, which in turn depends on the user config and the augmentation
   // properties. So we need to calculate the overlay database mode after the
   // rest of the config has been populated.
-  const { overlayDatabaseMode, useOverlayDatabaseCaching } =
-    await getOverlayDatabaseMode(
-      inputs.codeql,
-      inputs.features,
-      config.languages,
-      inputs.sourceRoot,
-      config.buildMode,
-      inputs.ramInput,
-      config.computedConfig,
-      gitVersion,
-      logger,
-    );
+  const {
+    overlayDatabaseMode,
+    useOverlayDatabaseCaching,
+    disabledReason: overlayDisabledReason,
+  } = await getOverlayDatabaseMode(
+    inputs.codeql,
+    inputs.features,
+    config.languages,
+    inputs.sourceRoot,
+    config.buildMode,
+    inputs.ramInput,
+    config.computedConfig,
+    config.repositoryProperties,
+    gitVersion,
+    logger,
+  );
   logger.info(
     `Using overlay database mode: ${overlayDatabaseMode} ` +
       `${useOverlayDatabaseCaching ? "with" : "without"} caching.`,
@@ -1020,6 +1145,14 @@ export async function initConfig(
   config.overlayDatabaseMode = overlayDatabaseMode;
   config.useOverlayDatabaseCaching = useOverlayDatabaseCaching;
 
+  if (overlayDisabledReason !== undefined) {
+    await addOverlayDisablementDiagnostics(
+      config,
+      inputs.codeql,
+      overlayDisabledReason,
+    );
+  }
+
   if (
     overlayDatabaseMode === OverlayDatabaseMode.Overlay ||
     (await shouldPerformDiffInformedAnalysis(

src/database-upload.ts

@@ -8,7 +8,7 @@ import { Config } from "./config-utils";
 import { Feature, FeatureEnablement } from "./feature-flags";
 import * as gitUtils from "./git-utils";
 import { Logger, withGroupAsync } from "./logging";
-import { OverlayDatabaseMode } from "./overlay-database-utils";
+import { OverlayDatabaseMode } from "./overlay";
 import { RepositoryNwo } from "./repository";
 import * as util from "./util";
 import { bundleDb, CleanupLevel, parseGitHubUrl } from "./util";
@@ -101,7 +101,9 @@ export async function cleanupAndUploadDatabases(
       // Although we are uploading arbitrary file contents to the API, it's worth
       // noting that it's the API's job to validate that the contents is acceptable.
       // This API method is available to anyone with write access to the repo.
-      const bundledDb = await bundleDb(config, language, codeql, language);
+      const bundledDb = await bundleDb(config, language, codeql, language, {
+        includeDiagnostics: false,
+      });
       bundledDbSize = fs.statSync(bundledDb).size;
       const bundledDbReadStream = fs.createReadStream(bundledDb);
       const commitOid = await gitUtils.getCommitOid(

src/debug-artifacts.ts

@@ -429,6 +429,7 @@ async function createDatabaseBundleCli(
     language,
     codeql,
     `${config.debugDatabaseName}-${language}`,
+    { includeDiagnostics: true },
   );
   return databaseBundlePath;
 }

src/diff-informed-analysis-utils.test.ts

@@ -8,7 +8,7 @@ import {
   shouldPerformDiffInformedAnalysis,
   exportedForTesting,
 } from "./diff-informed-analysis-utils";
-import { Feature, Features } from "./feature-flags";
+import { Feature, initFeatures } from "./feature-flags";
 import { getRunnerLogger } from "./logging";
 import { parseRepositoryNwo } from "./repository";
 import {
@@ -63,7 +63,7 @@ const testShouldPerformDiffInformedAnalysis = test.macro({
         delete process.env.CODEQL_ACTION_DIFF_INFORMED_QUERIES;
       }
 
-      const features = new Features(
+      const features = initFeatures(
         testCase.gitHubVersion,
         parseRepositoryNwo("github/example"),
         tmpDir,

src/doc-url.ts

@@ -5,10 +5,11 @@
 export enum DocUrl {
   ASSIGNING_PERMISSIONS_TO_JOBS = "https://docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobs",
   AUTOMATIC_BUILD_FAILED = "https://docs.github.com/en/code-security/code-scanning/troubleshooting-code-scanning/automatic-build-failed",
+  CODEQL_BUILD_MODES = "https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages#codeql-build-modes",
   DEFINE_ENV_VARIABLES = "https://docs.github.com/en/actions/learn-github-actions/variables#defining-environment-variables-for-a-single-workflow",
+  DELETE_ACTIONS_CACHE_ENTRIES = "https://docs.github.com/en/actions/how-tos/manage-workflow-runs/manage-caches#deleting-cache-entries",
   SCANNING_ON_PUSH = "https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning#scanning-on-push",
   SPECIFY_BUILD_STEPS_MANUALLY = "https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages#about-specifying-build-steps-manually",
-  TRACK_CODE_SCANNING_ALERTS_ACROSS_RUNS = "https://docs.github.com/en/enterprise-cloud@latest/code-security/code-scanning/integrating-with-code-scanning/sarif-support-for-code-scanning#providing-data-to-track-code-scanning-alerts-across-runs",
-  CODEQL_BUILD_MODES = "https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages#codeql-build-modes",
   SYSTEM_REQUIREMENTS = "https://codeql.github.com/docs/codeql-overview/system-requirements/",
+  TRACK_CODE_SCANNING_ALERTS_ACROSS_RUNS = "https://docs.github.com/en/code-security/reference/code-scanning/sarif-support-for-code-scanning#data-for-preventing-duplicated-alerts",
 }