Test setting to empty string

Unset DYLD_INSERT_BINARIES when unneeded
Previously, the tracer environment variables were set for the current process, and for future steps, in the init action. In certain scenarios (such as on MacOS ARM runners with System Integrity Protection disabled), these environment variables are not unset by the system. In particular, the `DYLD_INSERT_BINARIES` variable interferes with later system calls. This change unsets the `DYLD_INSERT_BINARIES` variable for the current process in init. It also unsets the variables either at the beginning of autobuild, or analyze, if autobuild has not run.
2026-05-04 04:40:09 +00:00 · 2024-08-14 17:51:42 -07:00 · 2024-08-14 17:28:40 -07:00
10508 changed files with 209970 additions and 2260081 deletions
@@ -0,0 +1,4 @@
+**/webpack.config.js
+lib/**
+src/testdata/**
+tests/**
@@ -2,7 +2,7 @@ name: "Prepare test"
 description: Performs some preparation to run tests
 inputs:
  version:
-    description: "The version of the CodeQL CLI to use. Can be 'linked', 'default', 'nightly-latest', 'nightly-YYYYMMDD', or 'stable-vX.Y.Z"
+    description: "The version of the CodeQL CLI to use. Can be 'linked', 'default', 'nightly-latest', 'nightly-YYYY-MM-DD', or 'stable-YYYY-MM-DD'."
    required: true
  use-all-platform-bundle:
    description: "If true, we output a tools URL with codeql-bundle.tar.gz file rather than platform-specific URL"
@@ -32,28 +32,14 @@ runs:
      run: |
        set -e # Fail this Action if `gh release list` fails.

-        if [[ ${{ inputs.version }} == "linked" ]]; then
-          echo "tools-url=linked" >> "$GITHUB_OUTPUT"
-          exit 0
-        elif [[ ${{ inputs.version }} == "default" ]]; then
-          echo "tools-url=" >> "$GITHUB_OUTPUT"
-          exit 0
-        fi
-
-        if [[ ${{ inputs.version }} == "nightly-latest" ]]; then
-          extension="tar.zst"
-        else
-          extension="tar.gz"
-        fi
-
        if [[ ${{ inputs.use-all-platform-bundle }} == "true" ]]; then
-          artifact_name="codeql-bundle.$extension"
+          artifact_name="codeql-bundle.tar.gz"
        elif [[ "$RUNNER_OS" == "Linux" ]]; then
-          artifact_name="codeql-bundle-linux64.$extension"
+          artifact_name="codeql-bundle-linux64.tar.gz"
        elif [[ "$RUNNER_OS" == "macOS" ]]; then
-          artifact_name="codeql-bundle-osx64.$extension"
+          artifact_name="codeql-bundle-osx64.tar.gz"
        elif [[ "$RUNNER_OS" == "Windows" ]]; then
-          artifact_name="codeql-bundle-win64.$extension"
+          artifact_name="codeql-bundle-win64.tar.gz"
        else
          echo "::error::Unrecognized OS $RUNNER_OS"
          exit 1
@@ -64,10 +50,14 @@ runs:
          echo "tools-url=https://github.com/dsp-testing/codeql-cli-nightlies/releases/download/$tag/$artifact_name" >> $GITHUB_OUTPUT
        elif [[ ${{ inputs.version }} == *"nightly"* ]]; then
          version=`echo ${{ inputs.version }} | sed -e 's/^.*\-//'`
-          echo "tools-url=https://github.com/dsp-testing/codeql-cli-nightlies/releases/download/codeql-bundle-$version/$artifact_name" >> $GITHUB_OUTPUT
+          echo "tools-url=https://github.com/dsp-testing/codeql-cli-nightlies/releases/download/codeql-bundle-$version-manual/$artifact_name" >> $GITHUB_OUTPUT
        elif [[ ${{ inputs.version }} == *"stable"* ]]; then
          version=`echo ${{ inputs.version }} | sed -e 's/^.*\-//'`
          echo "tools-url=https://github.com/github/codeql-action/releases/download/codeql-bundle-$version/$artifact_name" >> $GITHUB_OUTPUT
+        elif [[ ${{ inputs.version }} == "linked" ]]; then
+          echo "tools-url=linked" >> $GITHUB_OUTPUT
+        elif [[ ${{ inputs.version }} == "default" ]]; then
+          echo "tools-url=" >> $GITHUB_OUTPUT
        else
          echo "::error::Unrecognized version specified!"
          exit 1
@@ -11,7 +11,7 @@ runs:
      id: get_swift_version
      if: runner.os == 'Linux'
      shell: bash
-      env:
+      env: 
        CODEQL_PATH: ${{ inputs.codeql-path }}
      run: |
        SWIFT_EXTRACTOR_DIR="$("$CODEQL_PATH" resolve languages --format json | jq -r '.swift[0]')"
@@ -19,7 +19,7 @@ runs:
          VERSION="null"
        else
          VERSION="$("$SWIFT_EXTRACTOR_DIR/tools/linux64/extractor" --version | awk '/version/ { print $3 }')"
-          # Specify 5.x.0, otherwise setup Action will default to latest minor version.
+          # Specify 5.x.0, otherwise setup Action will default to latest minor version. 
          if [ $VERSION = "5.7" ]; then
            VERSION="5.7.0"
          elif [ $VERSION = "5.8" ]; then
@@ -29,11 +29,11 @@ runs:
          # setup-swift does not yet support v5.9.1 Remove this when it does.
          elif [ $VERSION = "5.9.1" ]; then
            VERSION="5.9.0"
-          fi
+          fi 
        fi
        echo "version=$VERSION" | tee -a $GITHUB_OUTPUT

-    - uses: redsun82/setup-swift@362f49f31da2f5f4f851657046bdd1290d03edc8 # Please update the corresponding SHA in the CLI's CodeQL Action Integration Test.
+    - uses: redsun82/setup-swift@b2b6f77ab14f6a9b136b520dc53ec8eca27d2b99 # Please update the corresponding SHA in the CLI's CodeQL Action Integration Test.
      if: runner.os == 'Linux' && steps.get_swift_version.outputs.version != 'null'
      with:
        swift-version: "${{ steps.get_swift_version.outputs.version }}"
@@ -16,10 +16,6 @@ updates:
      # v7 requires ESM
      - dependency-name: "del"
        versions: ["^7.0.0"]
-      # This is broken due to the way configuration files have changed. 
-      # This might be fixed when we move to eslint v9.
-      - dependency-name: "eslint-plugin-import"
-        versions: [">=2.30.0"]
    groups:
      npm:
        patterns:
@@ -38,7 +38,12 @@ jobs:
    steps:
      - name: Setup Python on MacOS
        uses: actions/setup-python@v5
-        if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
+        if: >-
+          runner.os == 'macOS' && (
+
+          matrix.version == 'stable-v2.13.5' ||
+
+          matrix.version == 'stable-v2.14.6')
        with:
          python-version: '3.11'
      - name: Check out repository
@@ -42,7 +42,12 @@ jobs:
    steps:
      - name: Setup Python on MacOS
        uses: actions/setup-python@v5
-        if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
+        if: >-
+          runner.os == 'macOS' && (
+
+          matrix.version == 'stable-v2.13.5' ||
+
+          matrix.version == 'stable-v2.14.6')
        with:
          python-version: '3.11'
      - name: Check out repository
@@ -42,7 +42,12 @@ jobs:
    steps:
      - name: Setup Python on MacOS
        uses: actions/setup-python@v5
-        if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
+        if: >-
+          runner.os == 'macOS' && (
+
+          matrix.version == 'stable-v2.13.5' ||
+
+          matrix.version == 'stable-v2.14.6')
        with:
          python-version: '3.11'
      - name: Check out repository
@@ -44,7 +44,12 @@ jobs:
    steps:
      - name: Setup Python on MacOS
        uses: actions/setup-python@v5
-        if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
+        if: >-
+          runner.os == 'macOS' && (
+
+          matrix.version == 'stable-v2.13.5' ||
+
+          matrix.version == 'stable-v2.14.6')
        with:
          python-version: '3.11'
      - name: Check out repository
@@ -44,7 +44,12 @@ jobs:
    steps:
      - name: Setup Python on MacOS
        uses: actions/setup-python@v5
-        if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
+        if: >-
+          runner.os == 'macOS' && (
+
+          matrix.version == 'stable-v2.13.5' ||
+
+          matrix.version == 'stable-v2.14.6')
        with:
          python-version: '3.11'
      - name: Check out repository
@@ -38,7 +38,12 @@ jobs:
    steps:
      - name: Setup Python on MacOS
        uses: actions/setup-python@v5
-        if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
+        if: >-
+          runner.os == 'macOS' && (
+
+          matrix.version == 'stable-v2.13.5' ||
+
+          matrix.version == 'stable-v2.14.6')
        with:
          python-version: '3.11'
      - name: Check out repository
@@ -38,7 +38,12 @@ jobs:
    steps:
      - name: Setup Python on MacOS
        uses: actions/setup-python@v5
-        if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
+        if: >-
+          runner.os == 'macOS' && (
+
+          matrix.version == 'stable-v2.13.5' ||
+
+          matrix.version == 'stable-v2.14.6')
        with:
          python-version: '3.11'
      - name: Check out repository
@@ -40,7 +40,12 @@ jobs:
    steps:
      - name: Setup Python on MacOS
        uses: actions/setup-python@v5
-        if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
+        if: >-
+          runner.os == 'macOS' && (
+
+          matrix.version == 'stable-v2.13.5' ||
+
+          matrix.version == 'stable-v2.14.6')
        with:
          python-version: '3.11'
      - name: Check out repository
@@ -38,7 +38,12 @@ jobs:
    steps:
      - name: Setup Python on MacOS
        uses: actions/setup-python@v5
-        if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
+        if: >-
+          runner.os == 'macOS' && (
+
+          matrix.version == 'stable-v2.13.5' ||
+
+          matrix.version == 'stable-v2.14.6')
        with:
          python-version: '3.11'
      - name: Check out repository
@@ -38,7 +38,12 @@ jobs:
    steps:
      - name: Setup Python on MacOS
        uses: actions/setup-python@v5
-        if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
+        if: >-
+          runner.os == 'macOS' && (
+
+          matrix.version == 'stable-v2.13.5' ||
+
+          matrix.version == 'stable-v2.14.6')
        with:
          python-version: '3.11'
      - name: Check out repository
@@ -48,7 +48,12 @@ jobs:
    steps:
      - name: Setup Python on MacOS
        uses: actions/setup-python@v5
-        if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
+        if: >-
+          runner.os == 'macOS' && (
+
+          matrix.version == 'stable-v2.13.5' ||
+
+          matrix.version == 'stable-v2.14.6')
        with:
          python-version: '3.11'
      - name: Check out repository
@@ -38,7 +38,12 @@ jobs:
    steps:
      - name: Setup Python on MacOS
        uses: actions/setup-python@v5
-        if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
+        if: >-
+          runner.os == 'macOS' && (
+
+          matrix.version == 'stable-v2.13.5' ||
+
+          matrix.version == 'stable-v2.14.6')
        with:
          python-version: '3.11'
      - name: Check out repository
@@ -42,7 +42,12 @@ jobs:
    steps:
      - name: Setup Python on MacOS
        uses: actions/setup-python@v5
-        if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
+        if: >-
+          runner.os == 'macOS' && (
+
+          matrix.version == 'stable-v2.13.5' ||
+
+          matrix.version == 'stable-v2.14.6')
        with:
          python-version: '3.11'
      - name: Check out repository
@@ -38,7 +38,12 @@ jobs:
    steps:
      - name: Setup Python on MacOS
        uses: actions/setup-python@v5
-        if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
+        if: >-
+          runner.os == 'macOS' && (
+
+          matrix.version == 'stable-v2.13.5' ||
+
+          matrix.version == 'stable-v2.14.6')
        with:
          python-version: '3.11'
      - name: Check out repository
@@ -42,7 +42,12 @@ jobs:
    steps:
      - name: Setup Python on MacOS
        uses: actions/setup-python@v5
-        if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
+        if: >-
+          runner.os == 'macOS' && (
+
+          matrix.version == 'stable-v2.13.5' ||
+
+          matrix.version == 'stable-v2.14.6')
        with:
          python-version: '3.11'
      - name: Check out repository
@@ -48,7 +48,12 @@ jobs:
    steps:
      - name: Setup Python on MacOS
        uses: actions/setup-python@v5
-        if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
+        if: >-
+          runner.os == 'macOS' && (
+
+          matrix.version == 'stable-v2.13.5' ||
+
+          matrix.version == 'stable-v2.14.6')
        with:
          python-version: '3.11'
      - name: Check out repository
@@ -42,7 +42,12 @@ jobs:
    steps:
      - name: Setup Python on MacOS
        uses: actions/setup-python@v5
-        if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
+        if: >-
+          runner.os == 'macOS' && (
+
+          matrix.version == 'stable-v2.13.5' ||
+
+          matrix.version == 'stable-v2.14.6')
        with:
          python-version: '3.11'
      - name: Check out repository
@@ -38,7 +38,12 @@ jobs:
    steps:
      - name: Setup Python on MacOS
        uses: actions/setup-python@v5
-        if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
+        if: >-
+          runner.os == 'macOS' && (
+
+          matrix.version == 'stable-v2.13.5' ||
+
+          matrix.version == 'stable-v2.14.6')
        with:
          python-version: '3.11'
      - name: Check out repository
@@ -28,9 +28,53 @@ jobs:
      matrix:
        include:
          - os: ubuntu-latest
+            version: stable-v2.13.5
+          - os: macos-12
+            version: stable-v2.13.5
+          - os: windows-latest
+            version: stable-v2.13.5
+          - os: ubuntu-latest
+            version: stable-v2.14.6
+          - os: macos-12
+            version: stable-v2.14.6
+          - os: windows-latest
+            version: stable-v2.14.6
+          - os: ubuntu-latest
+            version: stable-v2.15.5
+          - os: macos-latest
+            version: stable-v2.15.5
+          - os: windows-latest
+            version: stable-v2.15.5
+          - os: ubuntu-latest
+            version: stable-v2.16.6
+          - os: macos-latest
+            version: stable-v2.16.6
+          - os: windows-latest
+            version: stable-v2.16.6
+          - os: ubuntu-latest
+            version: stable-v2.17.6
+          - os: macos-latest
+            version: stable-v2.17.6
+          - os: windows-latest
+            version: stable-v2.17.6
+          - os: ubuntu-latest
+            version: default
+          - os: macos-latest
+            version: default
+          - os: windows-latest
+            version: default
+          - os: ubuntu-latest
+            version: linked
+          - os: macos-latest
+            version: linked
+          - os: windows-latest
            version: linked
          - os: ubuntu-latest
            version: nightly-latest
+          - os: macos-latest
+            version: nightly-latest
+          - os: windows-latest
+            version: nightly-latest
    name: 'Go: Custom queries'
    permissions:
      contents: read
@@ -40,7 +84,12 @@ jobs:
    steps:
      - name: Setup Python on MacOS
        uses: actions/setup-python@v5
-        if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
+        if: >-
+          runner.os == 'macOS' && (
+
+          matrix.version == 'stable-v2.13.5' ||
+
+          matrix.version == 'stable-v2.14.6')
        with:
          python-version: '3.11'
      - name: Check out repository
@@ -38,7 +38,12 @@ jobs:
    steps:
      - name: Setup Python on MacOS
        uses: actions/setup-python@v5
-        if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
+        if: >-
+          runner.os == 'macOS' && (
+
+          matrix.version == 'stable-v2.13.5' ||
+
+          matrix.version == 'stable-v2.14.6')
        with:
          python-version: '3.11'
      - name: Check out repository
@@ -38,7 +38,12 @@ jobs:
    steps:
      - name: Setup Python on MacOS
        uses: actions/setup-python@v5
-        if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
+        if: >-
+          runner.os == 'macOS' && (
+
+          matrix.version == 'stable-v2.13.5' ||
+
+          matrix.version == 'stable-v2.14.6')
        with:
          python-version: '3.11'
      - name: Check out repository
@@ -38,7 +38,12 @@ jobs:
    steps:
      - name: Setup Python on MacOS
        uses: actions/setup-python@v5
-        if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
+        if: >-
+          runner.os == 'macOS' && (
+
+          matrix.version == 'stable-v2.13.5' ||
+
+          matrix.version == 'stable-v2.14.6')
        with:
          python-version: '3.11'
      - name: Check out repository
@@ -27,6 +27,10 @@ jobs:
      fail-fast: false
      matrix:
        include:
+          - os: ubuntu-latest
+            version: stable-v2.13.5
+          - os: macos-12
+            version: stable-v2.13.5
          - os: ubuntu-latest
            version: stable-v2.14.6
          - os: macos-12
@@ -43,10 +47,6 @@ jobs:
            version: stable-v2.17.6
          - os: macos-latest
            version: stable-v2.17.6
-          - os: ubuntu-latest
-            version: stable-v2.18.4
-          - os: macos-latest
-            version: stable-v2.18.4
          - os: ubuntu-latest
            version: default
          - os: macos-latest
@@ -68,7 +68,12 @@ jobs:
    steps:
      - name: Setup Python on MacOS
        uses: actions/setup-python@v5
-        if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
+        if: >-
+          runner.os == 'macOS' && (
+
+          matrix.version == 'stable-v2.13.5' ||
+
+          matrix.version == 'stable-v2.14.6')
        with:
          python-version: '3.11'
      - name: Check out repository
@@ -82,7 +87,7 @@ jobs:
          setup-kotlin: 'true'
      - uses: actions/setup-go@v5
        with:
-          go-version: ~1.23.0
+          go-version: ~1.22.0
      # to avoid potentially misleading autobuilder results where we expect it to download
      # dependencies successfully, but they actually come from a warm cache
          cache: false
@@ -27,6 +27,10 @@ jobs:
      fail-fast: false
      matrix:
        include:
+          - os: ubuntu-latest
+            version: stable-v2.13.5
+          - os: macos-12
+            version: stable-v2.13.5
          - os: ubuntu-latest
            version: stable-v2.14.6
          - os: macos-12
@@ -43,10 +47,6 @@ jobs:
            version: stable-v2.17.6
          - os: macos-latest
            version: stable-v2.17.6
-          - os: ubuntu-latest
-            version: stable-v2.18.4
-          - os: macos-latest
-            version: stable-v2.18.4
          - os: ubuntu-latest
            version: default
          - os: macos-latest
@@ -68,7 +68,12 @@ jobs:
    steps:
      - name: Setup Python on MacOS
        uses: actions/setup-python@v5
-        if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
+        if: >-
+          runner.os == 'macOS' && (
+
+          matrix.version == 'stable-v2.13.5' ||
+
+          matrix.version == 'stable-v2.14.6')
        with:
          python-version: '3.11'
      - name: Check out repository
@@ -82,7 +87,7 @@ jobs:
          setup-kotlin: 'true'
      - uses: actions/setup-go@v5
        with:
-          go-version: ~1.23.0
+          go-version: ~1.22.0
      # to avoid potentially misleading autobuilder results where we expect it to download
      # dependencies successfully, but they actually come from a warm cache
          cache: false
@@ -27,6 +27,10 @@ jobs:
      fail-fast: false
      matrix:
        include:
+          - os: ubuntu-latest
+            version: stable-v2.13.5
+          - os: macos-12
+            version: stable-v2.13.5
          - os: ubuntu-latest
            version: stable-v2.14.6
          - os: macos-12
@@ -43,10 +47,6 @@ jobs:
            version: stable-v2.17.6
          - os: macos-latest
            version: stable-v2.17.6
-          - os: ubuntu-latest
-            version: stable-v2.18.4
-          - os: macos-latest
-            version: stable-v2.18.4
          - os: ubuntu-latest
            version: default
          - os: macos-latest
@@ -68,7 +68,12 @@ jobs:
    steps:
      - name: Setup Python on MacOS
        uses: actions/setup-python@v5
-        if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
+        if: >-
+          runner.os == 'macOS' && (
+
+          matrix.version == 'stable-v2.13.5' ||
+
+          matrix.version == 'stable-v2.14.6')
        with:
          python-version: '3.11'
      - name: Check out repository
@@ -82,7 +87,7 @@ jobs:
          setup-kotlin: 'true'
      - uses: actions/setup-go@v5
        with:
-          go-version: ~1.23.0
+          go-version: ~1.22.0
      # to avoid potentially misleading autobuilder results where we expect it to download
      # dependencies successfully, but they actually come from a warm cache
          cache: false
@@ -55,7 +55,12 @@ jobs:
    steps:
      - name: Setup Python on MacOS
        uses: actions/setup-python@v5
-        if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
+        if: >-
+          runner.os == 'macOS' && (
+
+          matrix.version == 'stable-v2.13.5' ||
+
+          matrix.version == 'stable-v2.14.6')
        with:
          python-version: '3.11'
      - name: Check out repository
@@ -42,7 +42,12 @@ jobs:
    steps:
      - name: Setup Python on MacOS
        uses: actions/setup-python@v5
-        if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
+        if: >-
+          runner.os == 'macOS' && (
+
+          matrix.version == 'stable-v2.13.5' ||
+
+          matrix.version == 'stable-v2.14.6')
        with:
          python-version: '3.11'
      - name: Check out repository
@@ -1,79 +0,0 @@
-# Warning: This file is generated automatically, and should not be modified.
-# Instead, please modify the template in the pr-checks directory and run:
-#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
-# to regenerate this file.
-
-name: PR Check - Job run UUID added to SARIF
-env:
-  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-  GO111MODULE: auto
-on:
-  push:
-    branches:
-      - main
-      - releases/v*
-  pull_request:
-    types:
-      - opened
-      - synchronize
-      - reopened
-      - ready_for_review
-  schedule:
-    - cron: '0 5 * * *'
-  workflow_dispatch: {}
-jobs:
-  job-run-uuid-sarif:
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - os: ubuntu-latest
-            version: nightly-latest
-    name: Job run UUID added to SARIF
-    permissions:
-      contents: read
-      security-events: write
-    timeout-minutes: 45
-    runs-on: ${{ matrix.os }}
-    steps:
-      - name: Setup Python on MacOS
-        uses: actions/setup-python@v5
-        if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
-        with:
-          python-version: '3.11'
-      - name: Check out repository
-        uses: actions/checkout@v4
-      - name: Prepare test
-        id: prepare-test
-        uses: ./.github/actions/prepare-test
-        with:
-          version: ${{ matrix.version }}
-          use-all-platform-bundle: 'false'
-          setup-kotlin: 'true'
-      - uses: ./../action/init
-        id: init
-        with:
-          languages: javascript
-          tools: ${{ steps.prepare-test.outputs.tools-url }}
-      - uses: ./../action/analyze
-        with:
-          output: ${{ runner.temp }}/results
-      - name: Upload SARIF
-        uses: actions/upload-artifact@v3
-        with:
-          name: ${{ matrix.os }}-${{ matrix.version }}.sarif.json
-          path: ${{ runner.temp }}/results/javascript.sarif
-          retention-days: 7
-      - name: Check results
-        shell: bash
-        run: |
-          cd "$RUNNER_TEMP/results"
-          actual=$(jq -r '.runs[0].properties.jobRunUuid' javascript.sarif)
-          if [[ "$actual" != "$JOB_RUN_UUID" ]]; then
-            echo "Expected SARIF output to contain job run UUID '$JOB_RUN_UUID', but found '$actual'."
-            exit 1
-          else
-            echo "Found job run UUID '$actual'."
-          fi
-    env:
-      CODEQL_ACTION_TEST_MODE: true
@@ -38,7 +38,12 @@ jobs:
    steps:
      - name: Setup Python on MacOS
        uses: actions/setup-python@v5
-        if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
+        if: >-
+          runner.os == 'macOS' && (
+
+          matrix.version == 'stable-v2.13.5' ||
+
+          matrix.version == 'stable-v2.14.6')
        with:
          python-version: '3.11'
      - name: Check out repository
@@ -27,6 +27,10 @@ jobs:
      fail-fast: false
      matrix:
        include:
+          - os: macos-12
+            version: stable-v2.13.5
+          - os: ubuntu-latest
+            version: stable-v2.13.5
          - os: macos-12
            version: stable-v2.14.6
          - os: ubuntu-latest
@@ -43,10 +47,6 @@ jobs:
            version: stable-v2.17.6
          - os: ubuntu-latest
            version: stable-v2.17.6
-          - os: macos-latest
-            version: stable-v2.18.4
-          - os: ubuntu-latest
-            version: stable-v2.18.4
          - os: macos-latest
            version: default
          - os: ubuntu-latest
@@ -68,7 +68,12 @@ jobs:
    steps:
      - name: Setup Python on MacOS
        uses: actions/setup-python@v5
-        if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
+        if: >-
+          runner.os == 'macOS' && (
+
+          matrix.version == 'stable-v2.13.5' ||
+
+          matrix.version == 'stable-v2.14.6')
        with:
          python-version: '3.11'
      - name: Check out repository
@@ -54,7 +54,12 @@ jobs:
    steps:
      - name: Setup Python on MacOS
        uses: actions/setup-python@v5
-        if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
+        if: >-
+          runner.os == 'macOS' && (
+
+          matrix.version == 'stable-v2.13.5' ||
+
+          matrix.version == 'stable-v2.14.6')
        with:
          python-version: '3.11'
      - name: Check out repository
@@ -54,7 +54,12 @@ jobs:
    steps:
      - name: Setup Python on MacOS
        uses: actions/setup-python@v5
-        if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
+        if: >-
+          runner.os == 'macOS' && (
+
+          matrix.version == 'stable-v2.13.5' ||
+
+          matrix.version == 'stable-v2.14.6')
        with:
          python-version: '3.11'
      - name: Check out repository
@@ -54,7 +54,12 @@ jobs:
    steps:
      - name: Setup Python on MacOS
        uses: actions/setup-python@v5
-        if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
+        if: >-
+          runner.os == 'macOS' && (
+
+          matrix.version == 'stable-v2.13.5' ||
+
+          matrix.version == 'stable-v2.14.6')
        with:
          python-version: '3.11'
      - name: Check out repository
@@ -54,7 +54,12 @@ jobs:
    steps:
      - name: Setup Python on MacOS
        uses: actions/setup-python@v5
-        if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
+        if: >-
+          runner.os == 'macOS' && (
+
+          matrix.version == 'stable-v2.13.5' ||
+
+          matrix.version == 'stable-v2.14.6')
        with:
          python-version: '3.11'
      - name: Check out repository
@@ -28,9 +28,53 @@ jobs:
      matrix:
        include:
          - os: ubuntu-latest
+            version: stable-v2.13.5
+          - os: macos-12
+            version: stable-v2.13.5
+          - os: windows-latest
+            version: stable-v2.13.5
+          - os: ubuntu-latest
+            version: stable-v2.14.6
+          - os: macos-12
+            version: stable-v2.14.6
+          - os: windows-latest
+            version: stable-v2.14.6
+          - os: ubuntu-latest
+            version: stable-v2.15.5
+          - os: macos-latest
+            version: stable-v2.15.5
+          - os: windows-latest
+            version: stable-v2.15.5
+          - os: ubuntu-latest
+            version: stable-v2.16.6
+          - os: macos-latest
+            version: stable-v2.16.6
+          - os: windows-latest
+            version: stable-v2.16.6
+          - os: ubuntu-latest
+            version: stable-v2.17.6
+          - os: macos-latest
+            version: stable-v2.17.6
+          - os: windows-latest
+            version: stable-v2.17.6
+          - os: ubuntu-latest
+            version: default
+          - os: macos-latest
+            version: default
+          - os: windows-latest
+            version: default
+          - os: ubuntu-latest
+            version: linked
+          - os: macos-latest
+            version: linked
+          - os: windows-latest
            version: linked
          - os: ubuntu-latest
            version: nightly-latest
+          - os: macos-latest
+            version: nightly-latest
+          - os: windows-latest
+            version: nightly-latest
    name: Remote config file
    permissions:
      contents: read
@@ -40,7 +84,12 @@ jobs:
    steps:
      - name: Setup Python on MacOS
        uses: actions/setup-python@v5
-        if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
+        if: >-
+          runner.os == 'macOS' && (
+
+          matrix.version == 'stable-v2.13.5' ||
+
+          matrix.version == 'stable-v2.14.6')
        with:
          python-version: '3.11'
      - name: Check out repository
@@ -27,6 +27,12 @@ jobs:
      fail-fast: false
      matrix:
        include:
+          - os: ubuntu-latest
+            version: stable-v2.13.5
+          - os: macos-12
+            version: stable-v2.13.5
+          - os: windows-latest
+            version: stable-v2.13.5
          - os: ubuntu-latest
            version: default
          - os: macos-latest
@@ -54,7 +60,12 @@ jobs:
    steps:
      - name: Setup Python on MacOS
        uses: actions/setup-python@v5
-        if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
+        if: >-
+          runner.os == 'macOS' && (
+
+          matrix.version == 'stable-v2.13.5' ||
+
+          matrix.version == 'stable-v2.14.6')
        with:
          python-version: '3.11'
      - name: Check out repository
@@ -68,7 +79,8 @@ jobs:
          setup-kotlin: 'true'
      - uses: ./../action/init
        with:
-          languages: go,javascript-typescript
+          languages: ${{ matrix.version == 'stable-v2.13.5' && 'go' || 'go,javascript-typescript'
+            }}
          tools: ${{ steps.prepare-test.outputs.tools-url }}

      - name: Resolve environment for Go
@@ -82,13 +94,14 @@ jobs:
        run: exit 1

      - name: Resolve environment for JavaScript/TypeScript
+        if: matrix.version != 'stable-v2.13.5'
        uses: ./../action/resolve-environment
        id: resolve-environment-js
        with:
          language: javascript-typescript

      - name: Fail if JavaScript/TypeScript configuration present
-        if: 
+        if: matrix.version != 'stable-v2.13.5' && 
          fromJSON(steps.resolve-environment-js.outputs.environment).configuration.javascript
        run: exit 1
    env:
@@ -38,7 +38,12 @@ jobs:
    steps:
      - name: Setup Python on MacOS
        uses: actions/setup-python@v5
-        if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
+        if: >-
+          runner.os == 'macOS' && (
+
+          matrix.version == 'stable-v2.13.5' ||
+
+          matrix.version == 'stable-v2.14.6')
        with:
          python-version: '3.11'
      - name: Check out repository
@@ -48,7 +48,12 @@ jobs:
    steps:
      - name: Setup Python on MacOS
        uses: actions/setup-python@v5
-        if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
+        if: >-
+          runner.os == 'macOS' && (
+
+          matrix.version == 'stable-v2.13.5' ||
+
+          matrix.version == 'stable-v2.14.6')
        with:
          python-version: '3.11'
      - name: Check out repository
@@ -48,7 +48,12 @@ jobs:
    steps:
      - name: Setup Python on MacOS
        uses: actions/setup-python@v5
-        if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
+        if: >-
+          runner.os == 'macOS' && (
+
+          matrix.version == 'stable-v2.13.5' ||
+
+          matrix.version == 'stable-v2.14.6')
        with:
          python-version: '3.11'
      - name: Check out repository
@@ -42,7 +42,12 @@ jobs:
    steps:
      - name: Setup Python on MacOS
        uses: actions/setup-python@v5
-        if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
+        if: >-
+          runner.os == 'macOS' && (
+
+          matrix.version == 'stable-v2.13.5' ||
+
+          matrix.version == 'stable-v2.14.6')
        with:
          python-version: '3.11'
      - name: Check out repository
@@ -38,7 +38,12 @@ jobs:
    steps:
      - name: Setup Python on MacOS
        uses: actions/setup-python@v5
-        if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
+        if: >-
+          runner.os == 'macOS' && (
+
+          matrix.version == 'stable-v2.13.5' ||
+
+          matrix.version == 'stable-v2.14.6')
        with:
          python-version: '3.11'
      - name: Check out repository
@@ -42,7 +42,12 @@ jobs:
    steps:
      - name: Setup Python on MacOS
        uses: actions/setup-python@v5
-        if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
+        if: >-
+          runner.os == 'macOS' && (
+
+          matrix.version == 'stable-v2.13.5' ||
+
+          matrix.version == 'stable-v2.14.6')
        with:
          python-version: '3.11'
      - name: Check out repository
@@ -38,7 +38,12 @@ jobs:
    steps:
      - name: Setup Python on MacOS
        uses: actions/setup-python@v5
-        if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
+        if: >-
+          runner.os == 'macOS' && (
+
+          matrix.version == 'stable-v2.13.5' ||
+
+          matrix.version == 'stable-v2.14.6')
        with:
          python-version: '3.11'
      - name: Check out repository
@@ -38,7 +38,12 @@ jobs:
    steps:
      - name: Setup Python on MacOS
        uses: actions/setup-python@v5
-        if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
+        if: >-
+          runner.os == 'macOS' && (
+
+          matrix.version == 'stable-v2.13.5' ||
+
+          matrix.version == 'stable-v2.14.6')
        with:
          python-version: '3.11'
      - name: Check out repository
@@ -61,7 +66,7 @@ jobs:
        with:
      # Swift is not supported on Ubuntu so we manually exclude it from the list here
          languages: cpp,csharp,go,java,javascript,python,ruby
-          tools: ./codeql-bundle-linux64.tar.zst
+          tools: ./codeql-bundle-linux64.tar.gz
      - name: Build code
        shell: bash
        run: ./build.sh
@@ -38,7 +38,12 @@ jobs:
    steps:
      - name: Setup Python on MacOS
        uses: actions/setup-python@v5
-        if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
+        if: >-
+          runner.os == 'macOS' && (
+
+          matrix.version == 'stable-v2.13.5' ||
+
+          matrix.version == 'stable-v2.14.6')
        with:
          python-version: '3.11'
      - name: Check out repository
@@ -27,6 +27,18 @@ jobs:
      fail-fast: false
      matrix:
        include:
+          - os: ubuntu-latest
+            version: stable-v2.13.5
+          - os: ubuntu-latest
+            version: stable-v2.14.6
+          - os: ubuntu-latest
+            version: stable-v2.15.5
+          - os: ubuntu-latest
+            version: stable-v2.16.6
+          - os: ubuntu-latest
+            version: stable-v2.17.6
+          - os: ubuntu-latest
+            version: default
          - os: ubuntu-latest
            version: linked
          - os: ubuntu-latest
@@ -40,7 +52,12 @@ jobs:
    steps:
      - name: Setup Python on MacOS
        uses: actions/setup-python@v5
-        if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
+        if: >-
+          runner.os == 'macOS' && (
+
+          matrix.version == 'stable-v2.13.5' ||
+
+          matrix.version == 'stable-v2.14.6')
        with:
          python-version: '3.11'
      - name: Check out repository
@@ -42,7 +42,12 @@ jobs:
    steps:
      - name: Setup Python on MacOS
        uses: actions/setup-python@v5
-        if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
+        if: >-
+          runner.os == 'macOS' && (
+
+          matrix.version == 'stable-v2.13.5' ||
+
+          matrix.version == 'stable-v2.14.6')
        with:
          python-version: '3.11'
      - name: Check out repository
@@ -42,7 +42,12 @@ jobs:
    steps:
      - name: Setup Python on MacOS
        uses: actions/setup-python@v5
-        if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
+        if: >-
+          runner.os == 'macOS' && (
+
+          matrix.version == 'stable-v2.13.5' ||
+
+          matrix.version == 'stable-v2.14.6')
        with:
          python-version: '3.11'
      - name: Check out repository
@@ -1,123 +0,0 @@
-# Warning: This file is generated automatically, and should not be modified.
-# Instead, please modify the template in the pr-checks directory and run:
-#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
-# to regenerate this file.
-
-name: PR Check - Zstandard bundle fallback
-env:
-  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-  GO111MODULE: auto
-on:
-  push:
-    branches:
-      - main
-      - releases/v*
-  pull_request:
-    types:
-      - opened
-      - synchronize
-      - reopened
-      - ready_for_review
-  schedule:
-    - cron: '0 5 * * *'
-  workflow_dispatch: {}
-jobs:
-  zstd-bundle-fallback:
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - os: macos-latest
-            version: linked
-          - os: ubuntu-latest
-            version: linked
-    name: Zstandard bundle fallback
-    permissions:
-      contents: read
-      security-events: write
-    timeout-minutes: 45
-    runs-on: ${{ matrix.os }}
-    steps:
-      - name: Setup Python on MacOS
-        uses: actions/setup-python@v5
-        if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
-        with:
-          python-version: '3.11'
-      - name: Check out repository
-        uses: actions/checkout@v4
-      - name: Prepare test
-        id: prepare-test
-        uses: ./.github/actions/prepare-test
-        with:
-          version: ${{ matrix.version }}
-          use-all-platform-bundle: 'false'
-          setup-kotlin: 'true'
-      - name: Remove CodeQL from toolcache
-        uses: actions/github-script@v7
-        with:
-          script: |
-            const fs = require('fs');
-            const path = require('path');
-            const codeqlPath = path.join(process.env['RUNNER_TOOL_CACHE'], 'CodeQL');
-            fs.rmdirSync(codeqlPath, { recursive: true });
-      - id: init
-        uses: ./../action/init
-        with:
-          languages: javascript
-          tools: ${{ steps.prepare-test.outputs.tools-url }}
-      - uses: ./../action/analyze
-        with:
-          output: ${{ runner.temp }}/results
-          upload-database: false
-      - name: Upload SARIF
-        uses: actions/upload-artifact@v3
-        with:
-          name: zstd-bundle.sarif
-          path: ${{ runner.temp }}/results/javascript.sarif
-          retention-days: 7
-      - name: Check expected diagnostics
-        uses: actions/github-script@v7
-        env:
-          SARIF_PATH: ${{ runner.temp }}/results/javascript.sarif
-        with:
-          script: |
-            const fs = require('fs');
-
-            const sarif = JSON.parse(fs.readFileSync(process.env['SARIF_PATH'], 'utf8'));
-            const run = sarif.runs[0];
-
-            const toolExecutionNotifications = run.invocations[0].toolExecutionNotifications;
-            const downloadTelemetryNotifications = toolExecutionNotifications.filter(n =>
-              n.descriptor.id === 'codeql-action/bundle-download-telemetry'
-            );
-            if (downloadTelemetryNotifications.length !== 1) {
-              core.setFailed(
-                'Expected exactly one reporting descriptor in the ' +
-                  `'runs[].invocations[].toolExecutionNotifications[]' SARIF property, but found ` +
-                  `${downloadTelemetryNotifications.length}. All notification reporting descriptors: ` +
-                  `${JSON.stringify(toolExecutionNotifications)}.`
-              );
-            }
-
-            const toolsUrl = downloadTelemetryNotifications[0].properties.attributes.toolsUrl;
-            console.log(`Found tools URL: ${toolsUrl}`);
-
-            if (!toolsUrl.endsWith('.tar.gz')) {
-              core.setFailed(
-                `Expected the tools URL to be a .tar.gz file, but found '${toolsUrl}'.`
-              );
-            }
-
-            const zstdFailureReason = downloadTelemetryNotifications[0].properties.attributes.zstdFailureReason;
-            console.log(`Found zstd failure reason: ${zstdFailureReason}`);
-
-            const expectedZstdFailureReason = 'Failing since CODEQL_ACTION_FORCE_ZSTD_FAILURE is true.';
-            if (zstdFailureReason !== expectedZstdFailureReason) {
-              core.setFailed(
-                `Expected the zstd failure reason to be '${expectedZstdFailureReason}', but found '${zstdFailureReason}'.`
-              );
-            }
-    env:
-      CODEQL_ACTION_ZSTD_BUNDLE: true
-      CODEQL_ACTION_FORCE_ZSTD_FAILURE: true
-      CODEQL_ACTION_TEST_MODE: true
@@ -1,113 +0,0 @@
-# Warning: This file is generated automatically, and should not be modified.
-# Instead, please modify the template in the pr-checks directory and run:
-#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
-# to regenerate this file.
-
-name: PR Check - Zstandard bundle (streaming)
-env:
-  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-  GO111MODULE: auto
-on:
-  push:
-    branches:
-      - main
-      - releases/v*
-  pull_request:
-    types:
-      - opened
-      - synchronize
-      - reopened
-      - ready_for_review
-  schedule:
-    - cron: '0 5 * * *'
-  workflow_dispatch: {}
-jobs:
-  zstd-bundle-streaming:
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - os: macos-latest
-            version: linked
-          - os: ubuntu-latest
-            version: linked
-    name: Zstandard bundle (streaming)
-    permissions:
-      contents: read
-      security-events: write
-    timeout-minutes: 45
-    runs-on: ${{ matrix.os }}
-    steps:
-      - name: Setup Python on MacOS
-        uses: actions/setup-python@v5
-        if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
-        with:
-          python-version: '3.11'
-      - name: Check out repository
-        uses: actions/checkout@v4
-      - name: Prepare test
-        id: prepare-test
-        uses: ./.github/actions/prepare-test
-        with:
-          version: ${{ matrix.version }}
-          use-all-platform-bundle: 'false'
-          setup-kotlin: 'true'
-      - name: Remove CodeQL from toolcache
-        uses: actions/github-script@v7
-        with:
-          script: |
-            const fs = require('fs');
-            const path = require('path');
-            const codeqlPath = path.join(process.env['RUNNER_TOOL_CACHE'], 'CodeQL');
-            fs.rmdirSync(codeqlPath, { recursive: true });
-      - id: init
-        uses: ./../action/init
-        with:
-          languages: javascript
-          tools: ${{ steps.prepare-test.outputs.tools-url }}
-      - uses: ./../action/analyze
-        with:
-          output: ${{ runner.temp }}/results
-          upload-database: false
-      - name: Upload SARIF
-        uses: actions/upload-artifact@v3
-        with:
-          name: zstd-bundle.sarif
-          path: ${{ runner.temp }}/results/javascript.sarif
-          retention-days: 7
-      - name: Check diagnostic with expected tools URL appears in SARIF
-        uses: actions/github-script@v7
-        env:
-          SARIF_PATH: ${{ runner.temp }}/results/javascript.sarif
-        with:
-          script: |
-            const fs = require('fs');
-
-            const sarif = JSON.parse(fs.readFileSync(process.env['SARIF_PATH'], 'utf8'));
-            const run = sarif.runs[0];
-
-            const toolExecutionNotifications = run.invocations[0].toolExecutionNotifications;
-            const downloadTelemetryNotifications = toolExecutionNotifications.filter(n =>
-              n.descriptor.id === 'codeql-action/bundle-download-telemetry'
-            );
-            if (downloadTelemetryNotifications.length !== 1) {
-              core.setFailed(
-                'Expected exactly one reporting descriptor in the ' +
-                  `'runs[].invocations[].toolExecutionNotifications[]' SARIF property, but found ` +
-                  `${downloadTelemetryNotifications.length}. All notification reporting descriptors: ` +
-                  `${JSON.stringify(toolExecutionNotifications)}.`
-              );
-            }
-
-            const toolsUrl = downloadTelemetryNotifications[0].properties.attributes.toolsUrl;
-            console.log(`Found tools URL: ${toolsUrl}`);
-
-            if (!toolsUrl.endsWith('.tar.zst')) {
-              core.setFailed(
-                `Expected the tools URL to be a .tar.zst file, but found ${toolsUrl}.`
-              );
-            }
-    env:
-      CODEQL_ACTION_ZSTD_BUNDLE: true
-      CODEQL_ACTION_ZSTD_BUNDLE_STREAMING_EXTRACTION: true
-      CODEQL_ACTION_TEST_MODE: true
@@ -1,116 +0,0 @@
-# Warning: This file is generated automatically, and should not be modified.
-# Instead, please modify the template in the pr-checks directory and run:
-#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
-# to regenerate this file.
-
-name: PR Check - Zstandard bundle
-env:
-  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-  GO111MODULE: auto
-on:
-  push:
-    branches:
-      - main
-      - releases/v*
-  pull_request:
-    types:
-      - opened
-      - synchronize
-      - reopened
-      - ready_for_review
-  schedule:
-    - cron: '0 5 * * *'
-  workflow_dispatch: {}
-jobs:
-  zstd-bundle:
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - os: macos-latest
-            version: linked
-          - os: ubuntu-latest
-            version: linked
-          - os: windows-latest
-            version: linked
-    name: Zstandard bundle
-    permissions:
-      contents: read
-      security-events: write
-    timeout-minutes: 45
-    runs-on: ${{ matrix.os }}
-    steps:
-      - name: Setup Python on MacOS
-        uses: actions/setup-python@v5
-        if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
-        with:
-          python-version: '3.11'
-      - name: Check out repository
-        uses: actions/checkout@v4
-      - name: Prepare test
-        id: prepare-test
-        uses: ./.github/actions/prepare-test
-        with:
-          version: ${{ matrix.version }}
-          use-all-platform-bundle: 'false'
-          setup-kotlin: 'true'
-      - name: Remove CodeQL from toolcache
-        uses: actions/github-script@v7
-        with:
-          script: |
-            const fs = require('fs');
-            const path = require('path');
-            const codeqlPath = path.join(process.env['RUNNER_TOOL_CACHE'], 'CodeQL');
-            fs.rmdirSync(codeqlPath, { recursive: true });
-      - id: init
-        uses: ./../action/init
-        with:
-          languages: javascript
-          tools: ${{ steps.prepare-test.outputs.tools-url }}
-      - uses: ./../action/analyze
-        with:
-          output: ${{ runner.temp }}/results
-          upload-database: false
-      - name: Upload SARIF
-        uses: actions/upload-artifact@v3
-        with:
-          name: zstd-bundle.sarif
-          path: ${{ runner.temp }}/results/javascript.sarif
-          retention-days: 7
-      - name: Check diagnostic with expected tools URL appears in SARIF
-        uses: actions/github-script@v7
-        env:
-          SARIF_PATH: ${{ runner.temp }}/results/javascript.sarif
-        with:
-          script: |
-            const fs = require('fs');
-
-            const sarif = JSON.parse(fs.readFileSync(process.env['SARIF_PATH'], 'utf8'));
-            const run = sarif.runs[0];
-
-            const toolExecutionNotifications = run.invocations[0].toolExecutionNotifications;
-            const downloadTelemetryNotifications = toolExecutionNotifications.filter(n =>
-              n.descriptor.id === 'codeql-action/bundle-download-telemetry'
-            );
-            if (downloadTelemetryNotifications.length !== 1) {
-              core.setFailed(
-                'Expected exactly one reporting descriptor in the ' +
-                  `'runs[].invocations[].toolExecutionNotifications[]' SARIF property, but found ` +
-                  `${downloadTelemetryNotifications.length}. All notification reporting descriptors: ` +
-                  `${JSON.stringify(toolExecutionNotifications)}.`
-              );
-            }
-
-            const toolsUrl = downloadTelemetryNotifications[0].properties.attributes.toolsUrl;
-            console.log(`Found tools URL: ${toolsUrl}`);
-
-            const expectedExtension = process.env['RUNNER_OS'] === 'Windows' ? '.tar.gz' : '.tar.zst';
-
-            if (!toolsUrl.endsWith(expectedExtension)) {
-              core.setFailed(
-                `Expected the tools URL to be a ${expectedExtension} file, but found ${toolsUrl}.`
-              );
-            }
-    env:
-      CODEQL_ACTION_ZSTD_BUNDLE: true
-      CODEQL_ACTION_TEST_MODE: true
@@ -3,7 +3,6 @@
 name: PR Check - Debug artifacts after failure
 env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-  CODEQL_ACTION_ARTIFACT_V4_UPGRADE: true
 on:
  push:
    branches:
@@ -62,7 +61,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Download all artifacts
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@v3
      - name: Check expected artifacts exist
        shell: bash
        run: |
@@ -1,99 +0,0 @@
-# Checks logs, SARIF, and database bundle debug artifacts exist and are accessible
-# with download-artifact@v3 when CODEQL_ACTION_ARTIFACT_V4_UPGRADE is set to false.
-name: PR Check - Debug artifact upload using artifact@v2
-env:
-  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-  CODEQL_ACTION_ARTIFACT_V4_UPGRADE: false
-on:
-  push:
-    branches:
-    - main
-    - releases/v*
-  pull_request:
-    types:
-    - opened
-    - synchronize
-    - reopened
-    - ready_for_review
-  schedule:
-    - cron: '0 5 * * *'
-  workflow_dispatch: {}
-jobs:
-  upload-artifacts:
-    strategy:
-      fail-fast: false
-      matrix:
-        version:
-        - stable-v2.14.6
-        - stable-v2.15.5
-        - stable-v2.16.6
-        - stable-v2.17.6
-        - stable-v2.18.4
-        - default
-        - linked
-        - nightly-latest
-    name: Upload debug artifacts
-    env:
-      CODEQL_ACTION_TEST_MODE: true
-    timeout-minutes: 45
-    runs-on: ubuntu-latest
-    steps:
-      - name: Check out repository
-        uses: actions/checkout@v4
-      - name: Prepare test
-        id: prepare-test
-        uses: ./.github/actions/prepare-test
-        with:
-          version: ${{ matrix.version }}
-      - uses: actions/setup-go@v5
-        with:
-          go-version: ^1.13.1
-      - uses: ./../action/init
-        id: init
-        with:
-          tools: ${{ steps.prepare-test.outputs.tools-url }}
-          debug: true
-          debug-artifact-name: my-debug-artifacts
-          debug-database-name: my-db
-          # We manually exclude Swift from the languages list here, as it is not supported on Ubuntu
-          languages: cpp,csharp,go,java,javascript,python,ruby 
-      - name: Build code
-        shell: bash
-        run: ./build.sh
-      - uses: ./../action/analyze
-        id: analysis
-  download-and-check-artifacts:
-    name: Download and check debug artifacts
-    needs: upload-artifacts
-    timeout-minutes: 45
-    runs-on: ubuntu-latest
-    steps:
-      - name: Download all artifacts
-        uses: actions/download-artifact@v3
-      - name: Check expected artifacts exist
-        shell: bash
-        run: |
-          VERSIONS="stable-v2.14.6 stable-v2.15.5 stable-v2.16.6 stable-v2.17.6 stable-v2.18.4 default linked nightly-latest"
-          LANGUAGES="cpp csharp go java javascript python"
-          for version in $VERSIONS; do
-            pushd "./my-debug-artifacts-${version//./}"
-            echo "Artifacts from version $version:"
-            for language in $LANGUAGES; do
-              echo "- Checking $language"
-              if [[ ! -f "$language.sarif" ]] ; then
-                echo "Missing a SARIF file for $language"
-                exit 1
-              fi
-              if [[ ! -f "my-db-$language.zip" ]] ; then
-                echo "Missing a database bundle for $language"
-                exit 1
-              fi
-              if [[ ! -d "$language/log" ]] ; then
-                echo "Missing logs for $language"
-                exit 1
-              fi
-            done
-            popd
-          done
-        env:
-          GO111MODULE: auto
@@ -2,7 +2,6 @@
 name: PR Check - Debug artifact upload
 env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-  CODEQL_ACTION_ARTIFACT_V4_UPGRADE: true
 on:
  push:
    branches:
@@ -23,11 +22,11 @@ jobs:
      fail-fast: false
      matrix:
        version:
+        - stable-v2.13.5
        - stable-v2.14.6
        - stable-v2.15.5
        - stable-v2.16.6
        - stable-v2.17.6
-        - stable-v2.18.4
        - default
        - linked
        - nightly-latest
@@ -68,11 +67,11 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Download all artifacts
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@v3
      - name: Check expected artifacts exist
        shell: bash
        run: |
-          VERSIONS="stable-v2.14.6 stable-v2.15.5 stable-v2.16.6 stable-v2.17.6 stable-v2.18.4 default linked nightly-latest"
+          VERSIONS="stable-v2.13.5 stable-v2.14.6 stable-v2.15.5 stable-v2.16.6 stable-v2.17.6 default linked nightly-latest"
          LANGUAGES="cpp csharp go java javascript python"
          for version in $VERSIONS; do
            pushd "./my-debug-artifacts-${version//./}"
@@ -108,17 +108,6 @@ jobs:
          # - `--force` since we're overwriting the `vN` tag
          git push origin --atomic --force refs/tags/"${VERSION}" refs/tags/"${major_version_tag}"

-      - name: Prepare partial Changelog
-        env:
-          PARTIAL_CHANGELOG: "${{ runner.temp }}/partial_changelog.md"
-          VERSION: "${{ steps.getVersion.outputs.version }}"
-        run: |
-          python .github/workflows/script/prepare_changelog.py CHANGELOG.md "$VERSION" > $PARTIAL_CHANGELOG
-
-          echo "::group::Partial CHANGELOG"
-          cat $PARTIAL_CHANGELOG
-          echo "::endgroup::"
-
      - name: Create mergeback branch
        if: ${{ steps.check.outputs.exists != 'true' && endsWith(github.ref_name, steps.getVersion.outputs.latest_release_branch) }}
        env:
@@ -161,16 +150,3 @@ jobs:
            --body "${pr_body}" \
            --assignee "${GITHUB_ACTOR}" \
            --draft
-
-      - name: Create the GitHub release
-        env:
-          PARTIAL_CHANGELOG: "${{ runner.temp }}/partial_changelog.md"
-          VERSION: "${{ steps.getVersion.outputs.version }}"
-          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        run: |
-          # Do not mark this release as latest. The most recent CLI release must be marked as latest.
-          gh release create \
-            "$VERSION" \
-            --latest=false \
-            --title "$VERSION" \
-            --notes-file "$PARTIAL_CHANGELOG"
@@ -24,16 +24,7 @@ jobs:
        uses: actions/checkout@v4

      - name: Lint
-        id: lint
-        run: npm run-script lint-ci
-
-      - name: Upload sarif
-        uses: github/codeql-action/upload-sarif@v3
-        # Only upload SARIF for the latest version of Node.js
-        if: "!cancelled() && matrix.node-types-version == 'current' && !startsWith(github.head_ref, 'dependabot/')"
-        with:
-          sarif_file: eslint.sarif
-          category: eslint
+        run: npm run-script lint

      - name: Update version of @types/node
        if: matrix.node-types-version != 'current'
@@ -69,8 +69,7 @@ jobs:
          if [ ! -z "$(git status --porcelain)" ]; then
            git config --global user.email "41898282+github-actions[bot]@users.noreply.github.com"
            git config --global user.name "github-actions[bot]"
-            git add --all
-            git commit -m "Rebuild"
+            git commit -am "Rebuild"
            git push origin "HEAD:$BRANCH"
            echo "Pushed a commit to rebuild the Action." \
              "Please mark the PR as ready for review to trigger PR checks." |
@@ -1,37 +0,0 @@
-import os
-import sys
-
-EMPTY_CHANGELOG = 'No changes.\n\n'
-
-# Prepare the changelog for the new release
-# This function will extract the part of the changelog that
-# we want to include in the new release.
-def extract_changelog_snippet(changelog_file, version_tag):
-  output = ''
-  if (not os.path.exists(changelog_file)):
-    output = EMPTY_CHANGELOG
-
-  else:
-    with open('CHANGELOG.md', 'r') as f:
-      lines = f.readlines()
-
-      # Include everything up to, but excluding the second heading
-      found_first_section = False
-      for i, line in enumerate(lines):
-        if line.startswith('## '):
-          if found_first_section:
-            break
-          found_first_section = True
-        output += line
-
-  output += f"See the full [CHANGELOG.md](https://github.com/github/codeql-action/blob/{version_tag}/CHANGELOG.md) for more information."
-
-  return output
-
-
-if len(sys.argv) < 3:
-  raise Exception('Expecting argument: changelog_file version_tag')
-changelog_file = sys.argv[1]
-version_tag = sys.argv[2]
-
-print(extract_changelog_snippet(changelog_file, version_tag))
@@ -104,7 +104,6 @@ jobs:
  backport:
    timeout-minutes: 45
    runs-on: ubuntu-latest
-    environment: Automation
    needs: [prepare]
    if: ${{ (github.event_name == 'push') && needs.prepare.outputs.backport_target_branches != '[]' }}
    strategy:
@@ -115,18 +114,9 @@ jobs:
      SOURCE_BRANCH: ${{ needs.prepare.outputs.backport_source_branch }}
      TARGET_BRANCH: ${{ matrix.target_branch }}
    steps:
-    - name: Generate token
-      uses: actions/create-github-app-token@5d869da34e18e7287c1daad50e0b8ea0f506ce69
-      id: app-token
-      with:
-        app-id: ${{ vars.AUTOMATION_APP_ID }}
-        private-key: ${{ secrets.AUTOMATION_PRIVATE_KEY }}
-
-    - name: Checkout
-      uses: actions/checkout@v4
+    - uses: actions/checkout@v4
      with:
        fetch-depth: 0  # Need full history for calculation of diffs
-        token: ${{ steps.app-token.outputs.token }}
    - uses: ./.github/actions/release-initialise

    - name: Update older release branch
@@ -54,8 +54,7 @@ jobs:
            git push origin update-supported-enterprise-server-versions

            body="This PR updates the list of supported GitHub Enterprise Server versions, either because a new "
-            body+="version is about to be feature frozen, or because an old release has been deprecated."
-            body+=$'\n\n'
+            body+="version is about to be feature frozen, or because an old release has been deprecated.\n\n"
            body+="If an old release has been deprecated, please follow the instructions in CONTRIBUTING.md to "
            body+="deprecate the corresponding version of CodeQL."

@@ -5,7 +5,3 @@ node_modules/.cache/
 *.class
 # macOS
 .DS_Store
-# eslint sarif report
-eslint.sarif
-# for local incremental compilation
-tsconfig.tsbuildinfo
@@ -6,65 +6,8 @@ Note that the only difference between `v2` and `v3` of the CodeQL Action is the

 ## [UNRELEASED]

- Bump the minimum CodeQL bundle version to 2.14.6. [#2549](https://github.com/github/codeql-action/pull/2549)
-
-## 3.26.13 - 14 Oct 2024
-
-No user facing changes.
-
-## 3.26.12 - 07 Oct 2024
-
- _Upcoming breaking change_: Add a deprecation warning for customers using CodeQL version 2.14.5 and earlier. These versions of CodeQL were discontinued on 24 September 2024 alongside GitHub Enterprise Server 3.10, and will be unsupported by CodeQL Action versions 3.27.0 and later and versions 2.27.0 and later. [#2520](https://github.com/github/codeql-action/pull/2520)
-
-  - If you are using one of these versions, please update to CodeQL CLI version 2.14.6 or later. For instance, if you have specified a custom version of the CLI using the 'tools' input to the 'init' Action, you can remove this input to use the default version.
-
-  - Alternatively, if you want to continue using a version of the CodeQL CLI between 2.13.5 and 2.14.5, you can replace `github/codeql-action/*@v3` by `github/codeql-action/*@v3.26.11` and `github/codeql-action/*@v2` by `github/codeql-action/*@v2.26.11` in your code scanning workflow to ensure you continue using this version of the CodeQL Action.
-
-## 3.26.11 - 03 Oct 2024
-
- _Upcoming breaking change_: Add support for using `actions/download-artifact@v4` to programmatically consume CodeQL Action debug artifacts. 
-
-  Starting November 30, 2024, GitHub.com customers will [no longer be able to use `actions/download-artifact@v3`](https://github.blog/changelog/2024-04-16-deprecation-notice-v3-of-the-artifact-actions/). Therefore, to avoid breakage, customers who programmatically download the CodeQL Action debug artifacts should set the `CODEQL_ACTION_ARTIFACT_V4_UPGRADE` environment variable to `true` and bump `actions/download-artifact@v3` to `actions/download-artifact@v4` in their workflows. The CodeQL Action will enable this behavior by default in early November and workflows that have not yet bumped to `actions/download-artifact@v3` to `actions/download-artifact@v4` will begin failing then.
-  
-  This change is currently unavailable for GitHub Enterprise Server customers, as `actions/upload-artifact@v4` and `actions/download-artifact@v4` are not yet compatible with GHES. 
- Update default CodeQL bundle version to 2.19.1. [#2519](https://github.com/github/codeql-action/pull/2519)
-
-## 3.26.10 - 30 Sep 2024
-
- We are rolling out a feature in September/October 2024 that sets up CodeQL using a bundle compressed with [Zstandard](http://facebook.github.io/zstd/). Our aim is to improve the performance of setting up CodeQL. [#2502](https://github.com/github/codeql-action/pull/2502)
-
-## 3.26.9 - 24 Sep 2024
-
-No user facing changes.
-
-## 3.26.8 - 19 Sep 2024
-
- Update default CodeQL bundle version to 2.19.0. [#2483](https://github.com/github/codeql-action/pull/2483)
-
-## 3.26.7 - 13 Sep 2024
-
- Update default CodeQL bundle version to 2.18.4. [#2471](https://github.com/github/codeql-action/pull/2471)
-
-## 3.26.6 - 29 Aug 2024
-
- Update default CodeQL bundle version to 2.18.3. [#2449](https://github.com/github/codeql-action/pull/2449)
-
-## 3.26.5 - 23 Aug 2024
-
- Fix an issue where the `csrutil` system call used for telemetry would fail on MacOS ARM machines with System Integrity Protection disabled. [#2441](https://github.com/github/codeql-action/pull/2441)
-
-## 3.26.4 - 21 Aug 2024
-
- _Deprecation:_ The `add-snippets` input on the `analyze` Action is deprecated and will be removed in the first release in August 2025. [#2436](https://github.com/github/codeql-action/pull/2436)
- Fix an issue where the disk usage system call used for telemetry would fail on MacOS ARM machines with System Integrity Protection disabled, and then surface a warning. The system call is now disabled for these machines. [#2434](https://github.com/github/codeql-action/pull/2434)
-
-## 3.26.3 - 19 Aug 2024
-
- Fix an issue where the CodeQL Action could not write diagnostic messages on Windows. This issue did not impact analysis quality. [#2430](https://github.com/github/codeql-action/pull/2430)
-
-## 3.26.2 - 14 Aug 2024
-
 - Update default CodeQL bundle version to 2.18.2. [#2417](https://github.com/github/codeql-action/pull/2417)
+- Fix a bug where system calls in the Action, such as `df`, would fail on ARM machines with System Integrity Protection disabled due to injected build tracer environment variables. [#2428](https://github.com/github/codeql-action/pull/2428)

 ## 3.26.1 - 13 Aug 2024

@@ -16,48 +16,10 @@ We recommend using default setup to configure CodeQL analysis for your repositor

 You can also configure advanced setup for a repository to find security vulnerabilities in your code using a highly customizable code scanning configuration. For more information, see "[Configuring advanced setup for code scanning](https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/configuring-advanced-setup-for-code-scanning)" and "[Customizing your advanced setup for code scanning](https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning)."

-### Actions
-
-This repository contains several actions that enable you to analyze code in your repository using CodeQL and upload the analysis to GitHub Code Scanning. Actions in this repository also allow you to upload to GitHub analyses generated by any SARIF-producing SAST tool.
-
-Actions for CodeQL analyses:
-
- `init`: Sets up CodeQL for analysis. For information about input parameters, see the [init action definition](https://github.com/github/codeql-action/blob/main/init/action.yml).
- `analyze`: Finalizes the CodeQL database, runs the analysis, and uploads the results to Code Scanning. For information about input parameters, see the [analyze action definition](https://github.com/github/codeql-action/blob/main/analyze/action.yml).
-
-Actions for uploading analyses generated by third-party tools:
-
- `upload-sarif`: Uploads a SARIF file to Code Scanning. If you are using the `analyze` action, there is no reason to use this action as well. For information about input parameters, see the [upload-sarif action definition](https://github.com/github/codeql-action/blob/main/upload-sarif/action.yml).
-
-Actions with special purposes and unlikely to be used directly:
-
- `autobuild`: Attempts to automatically build the code. Only used for analyzing languages that require a build. Use the `build-mode: autobuild` input in the `init` action instead. For information about input parameters, see the [autobuild action definition](https://github.com/github/codeql-action/blob/main/autobuild/action.yml).
- `resolve-environment`: [Experimental] Attempts to infer a build environment suitable for automatic builds. For information about input parameters, see the [resolve-environment action definition](https://github.com/github/codeql-action/blob/main/resolve-environment/action.yml).
- `start-proxy`: [Experimental] Start the HTTP proxy server. Internal use only and will change without notice. For information about input parameters, see the [start-proxy action definition](https://github.com/github/codeql-action/blob/main/start-proxy/action.yml).
-
-### Workflow Permissions
+### Permissions

 All advanced setup code scanning workflows must have the `security-events: write` permission. Workflows in private repositories must additionally have the `contents: read` permission. For more information, see "[Assigning permissions to jobs](https://docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobs)."

-### Build Modes
-
-The CodeQL Action supports different build modes for analyzing the source code. The available build modes are:
-
- `none`: The database will be created without building the source code. Available for all interpreted languages and some compiled languages.
- `autobuild`: The database will be created by attempting to automatically build the source code. Available for all compiled languages.
- `manual`: The database will be created by building the source code using a manually specified build command. To use this build mode, specify manual build steps in your workflow between the `init` and `analyze` steps. Available for all compiled languages.
-
-#### Which build mode should I use?
-
-Interpreted languages must use `none` for the build mode.
-
-For compiled languages:
-
- `manual` build mode will typically produce the most precise results, but it is more difficult to set up and will cause the analysis to take slightly more time to run.
- `autobuild` build mode is simpler to set up, but will only work for projects with generic build steps that can be guessed by the heuristics of the autobuild scripts. If `autobuild` fails, then you must switch to `manual` or `none`. If `autobuild` succeeds, then the results and run time will be the same as `manual` mode.
- `none` build mode is also simpler to set up and is slightly faster to run, but there is a possibility that some alerts will be missed. This may happen if your repository does any code generation during compilation or if there are any dependencies downloaded from registries that the workflow does not have access to. `none` is not yet supported by C/C++, Swift, Go, or Kotlin.
-
-
 ## Supported versions of the CodeQL Action

 The following versions of the CodeQL Action are currently supported:
@@ -71,19 +33,20 @@ To provide the best experience to customers using older versions of GitHub Enter

 For more information, see "[Code scanning: deprecation of CodeQL Action v2](https://github.blog/changelog/2024-01-12-code-scanning-deprecation-of-codeql-action-v2/)."

-## Supported versions of the CodeQL Bundle on GitHub Enterprise Server
+## Supported versions of the CodeQL Bundle and GitHub Enterprise Server

 We typically release new minor versions of the CodeQL Action and Bundle when a new minor version of GitHub Enterprise Server (GHES) is released. When a version of GHES is deprecated, the CodeQL Action and Bundle releases that shipped with it are deprecated as well.

-| Minimum CodeQL Action | Minimum CodeQL Bundle Version | GitHub Environment | Notes |
-|-----------------------|-------------------------------|--------------------|-------|
-| `v3.26.6` | `2.18.4` | Enterprise Server 3.15 | |
-| `v3.25.11` | `2.17.6` | Enterprise Server 3.14 | |
-| `v3.24.11` | `2.16.6` | Enterprise Server 3.13 | |
-| `v3.22.12` | `2.15.5` | Enterprise Server 3.12 | |
-| `v2.22.1` | `2.14.6` | Enterprise Server 3.11 | Supports CodeQL Action v3, but did not ship with CodeQL Action v3. For more information, see "[Code scanning: deprecation of CodeQL Action v2](https://github.blog/changelog/2024-01-12-code-scanning-deprecation-of-codeql-action-v2/#users-of-github-enterprise-server-311)." |
+| Recommended CodeQL Action | Recommended CodeQL Bundle Version | GitHub Environment |
+|---------|----------|--------------|
+| `v3` | default (do not pass a `tools` input) | GitHub.com |
+| `v3.25.11` | `2.17.6` | Enterprise Server 3.14 |
+| `v3.24.11` | `2.16.6` | Enterprise Server 3.13 |
+| `v3.22.12` | `2.15.5` | Enterprise Server 3.12 |
+| `v2.22.1` | `2.14.6` | Enterprise Server 3.11 |
+| `v2.20.3` | `2.13.5` | Enterprise Server 3.10 |

-CodeQL Action v2 will stop receiving updates when GHES 3.11 is deprecated.
+CodeQL Action `v2` will stop receiving updates when GHES 3.11 is deprecated.

 See the full list of GHES release and deprecation dates at [GitHub Enterprise Server releases](https://docs.github.com/en/enterprise-server/admin/all-releases#releases-of-github-enterprise-server).

@@ -19,7 +19,7 @@ inputs:
    # If changing this, make sure to update workflow.ts accordingly.
    default: "always"
  cleanup-level:
-    description: "Level of cleanup to perform on CodeQL databases at the end of the analyze step. This should either be 'none' to skip cleanup, or be a valid argument for the --cache-cleanup flag of the CodeQL CLI command 'codeql database cleanup' as documented at https://codeql.github.com/docs/codeql-cli/manual/database-cleanup"
+    description: "Level of cleanup to perform on CodeQL databases at the end of the analyze step. This should either be 'none' to skip cleanup, or be a valid argument for the --mode flag of the CodeQL CLI command 'codeql database cleanup' as documented at https://codeql.github.com/docs/codeql-cli/manual/database-cleanup"
    required: false
    default: "brutal"
  ram:
@@ -34,11 +34,6 @@ inputs:
    description: Specify whether or not to add code snippets to the output sarif file.
    required: false
    default: "false"
-    deprecationMessage: >-
-      The input "add-snippets" is deprecated and will be removed on the first release in August 2025.
-      When this input is set to true it is expected to add code snippets with an alert to the SARIF file.
-      However, since Code Scanning ignores code snippets provided as part of a SARIF file this is currently
-      a no operation. No alternative is available.
  skip-queries:
    description: If this option is set, the CodeQL database will be built but no queries will be run on it. Thus, no results will be produced.
    required: false
@@ -74,7 +69,7 @@ inputs:
    required: true
    default: "true"
  token:
-    description: "GitHub token to use for authenticating with this instance of GitHub. The token must be the built-in GitHub Actions token, and the workflow must have the `security-events: write` permission. Most of the time it is advisable to avoid specifying this input so that the workflow falls back to using the default value."
+    description: "GitHub token to use for authenticating with this instance of GitHub. The token needs the `security-events: write` permission."
    required: false
    default: ${{ github.token }}
  matrix:
@@ -1,5 +1,5 @@
 name: 'CodeQL: Autobuild'
-description: 'Attempt to automatically build the code. Only used for analyzing languages that require a build. Use the `build-mode: autobuild` input in the `init` action instead.'
+description: 'Attempt to automatically build code'
 author: 'GitHub'
 inputs:
  token:
@@ -23,7 +23,7 @@ var __importStar = (this && this.__importStar) || function (mod) {
    return result;
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.CommandInvocationError = exports.getFileType = exports.FileCmdNotFoundError = exports.determineBaseBranchHeadCommitOid = exports.getCommitOid = exports.getOptionalInput = exports.getRequiredInput = void 0;
+exports.getFileType = exports.FileCmdNotFoundError = exports.determineMergeBaseCommitOid = exports.getCommitOid = exports.getOptionalInput = exports.getRequiredInput = void 0;
 exports.getTemporaryDirectory = getTemporaryDirectory;
 exports.getRef = getRef;
 exports.getActionVersion = getActionVersion;
@@ -37,9 +37,6 @@ exports.getUploadValue = getUploadValue;
 exports.getWorkflowRunID = getWorkflowRunID;
 exports.getWorkflowRunAttempt = getWorkflowRunAttempt;
 exports.isSelfHostedRunner = isSelfHostedRunner;
-exports.prettyPrintInvocation = prettyPrintInvocation;
-exports.ensureEndsInPeriod = ensureEndsInPeriod;
-exports.runTool = runTool;
 const fs = __importStar(require("fs"));
 const path = __importStar(require("path"));
 const core = __importStar(require("@actions/core"));
@@ -79,34 +76,6 @@ function getTemporaryDirectory() {
        ? value
        : (0, util_1.getRequiredEnvParam)("RUNNER_TEMP");
 }
-async function runGitCommand(checkoutPath, args, customErrorMessage) {
-    let stdout = "";
-    let stderr = "";
-    try {
-        await new toolrunner.ToolRunner(await safeWhich.safeWhich("git"), args, {
-            silent: true,
-            listeners: {
-                stdout: (data) => {
-                    stdout += data.toString();
-                },
-                stderr: (data) => {
-                    stderr += data.toString();
-                },
-            },
-            cwd: checkoutPath,
-        }).exec();
-        return stdout;
-    }
-    catch (error) {
-        let reason = stderr;
-        if (stderr.includes("not a git repository")) {
-            reason =
-                "The checkout path provided to the action does not appear to be a git repository.";
-        }
-        core.info(`git call failed. ${customErrorMessage} Error: ${reason}`);
-        throw error;
-    }
-}
 /**
 * Gets the SHA of the commit that is currently checked out.
 */
@@ -118,45 +87,72 @@ const getCommitOid = async function (checkoutPath, ref = "HEAD") {
    // the merge commit, which must mean that git is available.
    // Even if this does go wrong, it's not a huge problem for the alerts to
    // reported on the merge commit.
+    let stderr = "";
    try {
-        const stdout = await runGitCommand(checkoutPath, ["rev-parse", ref], "Continuing with commit SHA from user input or environment.");
-        return stdout.trim();
+        let commitOid = "";
+        await new toolrunner.ToolRunner(await safeWhich.safeWhich("git"), ["rev-parse", ref], {
+            silent: true,
+            listeners: {
+                stdout: (data) => {
+                    commitOid += data.toString();
+                },
+                stderr: (data) => {
+                    stderr += data.toString();
+                },
+            },
+            cwd: checkoutPath,
+        }).exec();
+        return commitOid.trim();
    }
    catch {
+        if (stderr.includes("not a git repository")) {
+            core.info("Could not determine current commit SHA using git. Continuing with data from user input or environment. " +
+                "The checkout path provided to the action does not appear to be a git repository.");
+        }
+        else {
+            core.info(`Could not determine current commit SHA using git. Continuing with data from user input or environment. ${stderr}`);
+        }
        return (0, exports.getOptionalInput)("sha") || (0, util_1.getRequiredEnvParam)("GITHUB_SHA");
    }
 };
 exports.getCommitOid = getCommitOid;
 /**
- * If the action was triggered by a pull request, determine the commit sha at
- * the head of the base branch, using the merge commit that this workflow analyzes.
- * Returns undefined if run by other triggers or the base branch commit cannot be
- * determined.
+ * If the action was triggered by a pull request, determine the commit sha of the merge base.
+ * Returns undefined if run by other triggers or the merge base cannot be determined.
 */
-const determineBaseBranchHeadCommitOid = async function (checkoutPathOverride) {
+const determineMergeBaseCommitOid = async function (checkoutPathOverride) {
    if (getWorkflowEventName() !== "pull_request") {
        return undefined;
    }
    const mergeSha = (0, util_1.getRequiredEnvParam)("GITHUB_SHA");
    const checkoutPath = checkoutPathOverride ?? (0, exports.getOptionalInput)("checkout_path");
+    let stderr = "";
    try {
        let commitOid = "";
        let baseOid = "";
        let headOid = "";
-        const stdout = await runGitCommand(checkoutPath, ["show", "-s", "--format=raw", mergeSha], "Will calculate the base branch SHA on the server.");
-        for (const data of stdout.split("\n")) {
-            if (data.startsWith("commit ") && commitOid === "") {
-                commitOid = data.substring(7);
-            }
-            else if (data.startsWith("parent ")) {
-                if (baseOid === "") {
-                    baseOid = data.substring(7);
-                }
-                else if (headOid === "") {
-                    headOid = data.substring(7);
-                }
-            }
-        }
+        await new toolrunner.ToolRunner(await safeWhich.safeWhich("git"), ["show", "-s", "--format=raw", mergeSha], {
+            silent: true,
+            listeners: {
+                stdline: (data) => {
+                    if (data.startsWith("commit ") && commitOid === "") {
+                        commitOid = data.substring(7);
+                    }
+                    else if (data.startsWith("parent ")) {
+                        if (baseOid === "") {
+                            baseOid = data.substring(7);
+                        }
+                        else if (headOid === "") {
+                            headOid = data.substring(7);
+                        }
+                    }
+                },
+                stderr: (data) => {
+                    stderr += data.toString();
+                },
+            },
+            cwd: checkoutPath,
+        }).exec();
        // Let's confirm our assumptions: We had a merge commit and the parsed parent data looks correct
        if (commitOid === mergeSha &&
            headOid.length === 40 &&
@@ -166,10 +162,18 @@ const determineBaseBranchHeadCommitOid = async function (checkoutPathOverride) {
        return undefined;
    }
    catch {
+        if (stderr.includes("not a git repository")) {
+            core.info("The checkout path provided to the action does not appear to be a git repository. " +
+                "Will calculate the merge base on the server.");
+        }
+        else {
+            core.info(`Failed to call git to determine merge base. Will calculate the merge base on ` +
+                `the server. Reason: ${stderr}`);
+        }
        return undefined;
    }
 };
-exports.determineBaseBranchHeadCommitOid = determineBaseBranchHeadCommitOid;
+exports.determineMergeBaseCommitOid = determineMergeBaseCommitOid;
 /**
 * Get the ref currently being analyzed.
 */
@@ -425,79 +429,4 @@ exports.getFileType = getFileType;
 function isSelfHostedRunner() {
    return process.env.RUNNER_ENVIRONMENT === "self-hosted";
 }
-function prettyPrintInvocation(cmd, args) {
-    return [cmd, ...args].map((x) => (x.includes(" ") ? `'${x}'` : x)).join(" ");
-}
-/**
- * An error from a tool invocation, with associated exit code, stderr, etc.
- */
-class CommandInvocationError extends Error {
-    constructor(cmd, args, exitCode, stderr, stdout) {
-        const prettyCommand = prettyPrintInvocation(cmd, args);
-        const lastLine = ensureEndsInPeriod(stderr.trim().split("\n").pop()?.trim() || "n/a");
-        super(`Failed to run "${prettyCommand}". ` +
-            `Exit code was ${exitCode} and last log line was: ${lastLine} See the logs for more details.`);
-        this.cmd = cmd;
-        this.args = args;
-        this.exitCode = exitCode;
-        this.stderr = stderr;
-        this.stdout = stdout;
-    }
-}
-exports.CommandInvocationError = CommandInvocationError;
-function ensureEndsInPeriod(text) {
-    return text[text.length - 1] === "." ? text : `${text}.`;
-}
-/**
- * A constant defining the maximum number of characters we will keep from
- * the programs stderr for logging.
- *
- * This serves two purposes:
- * 1. It avoids an OOM if a program fails in a way that results it
- *    printing many log lines.
- * 2. It avoids us hitting the limit of how much data we can send in our
- *    status reports on GitHub.com.
- */
-const MAX_STDERR_BUFFER_SIZE = 20000;
-/**
- * Runs a CLI tool.
- *
- * @returns Standard output produced by the tool.
- * @throws A `CommandInvocationError` if the tool exits with a non-zero status code.
- */
-async function runTool(cmd, args = [], opts = {}) {
-    let stdout = "";
-    let stderr = "";
-    if (!opts.noStreamStdout) {
-        process.stdout.write(`[command]${cmd} ${args.join(" ")}\n`);
-    }
-    const exitCode = await new toolrunner.ToolRunner(cmd, args, {
-        ignoreReturnCode: true,
-        listeners: {
-            stdout: (data) => {
-                stdout += data.toString("utf8");
-                if (!opts.noStreamStdout) {
-                    process.stdout.write(data);
-                }
-            },
-            stderr: (data) => {
-                let readStartIndex = 0;
-                // If the error is too large, then we only take the last MAX_STDERR_BUFFER_SIZE characters
-                if (data.length - MAX_STDERR_BUFFER_SIZE > 0) {
-                    // Eg: if we have MAX_STDERR_BUFFER_SIZE the start index should be 2.
-                    readStartIndex = data.length - MAX_STDERR_BUFFER_SIZE + 1;
-                }
-                stderr += data.toString("utf8", readStartIndex);
-                // Mimic the standard behavior of the toolrunner by writing stderr to stdout
-                process.stdout.write(data);
-            },
-        },
-        silent: true,
-        ...(opts.stdin ? { input: Buffer.from(opts.stdin || "") } : {}),
-    }).exec();
-    if (exitCode !== 0) {
-        throw new CommandInvocationError(cmd, args, exitCode, stderr, stdout);
-    }
-    return stdout;
-}
 //# sourceMappingURL=actions-util.js.map
@@ -214,36 +214,34 @@ const util_1 = require("./util");
        getAdditionalInputStub.restore();
    });
 });
-(0, ava_1.default)("determineBaseBranchHeadCommitOid non-pullrequest", async (t) => {
+(0, ava_1.default)("determineMergeBaseCommitOid non-pullrequest", async (t) => {
    const infoStub = sinon.stub(core, "info");
    process.env["GITHUB_EVENT_NAME"] = "hucairz";
    process.env["GITHUB_SHA"] = "100912429fab4cb230e66ffb11e738ac5194e73a";
-    const result = await actionsUtil.determineBaseBranchHeadCommitOid(__dirname);
+    const result = await actionsUtil.determineMergeBaseCommitOid(__dirname);
    t.deepEqual(result, undefined);
    t.deepEqual(0, infoStub.callCount);
    infoStub.restore();
 });
-(0, ava_1.default)("determineBaseBranchHeadCommitOid not git repository", async (t) => {
+(0, ava_1.default)("determineMergeBaseCommitOid no error", async (t) => {
    const infoStub = sinon.stub(core, "info");
    process.env["GITHUB_EVENT_NAME"] = "pull_request";
    process.env["GITHUB_SHA"] = "100912429fab4cb230e66ffb11e738ac5194e73a";
    await (0, util_1.withTmpDir)(async (tmpDir) => {
-        await actionsUtil.determineBaseBranchHeadCommitOid(tmpDir);
+        await actionsUtil.determineMergeBaseCommitOid(tmpDir);
    });
    t.deepEqual(1, infoStub.callCount);
-    t.deepEqual(infoStub.firstCall.args[0], "git call failed. Will calculate the base branch SHA on the server. Error: " +
-        "The checkout path provided to the action does not appear to be a git repository.");
+    t.assert(infoStub.firstCall.args[0].startsWith("The checkout path provided to the action does not appear to be a git repository."));
    infoStub.restore();
 });
-(0, ava_1.default)("determineBaseBranchHeadCommitOid other error", async (t) => {
+(0, ava_1.default)("determineMergeBaseCommitOid other error", async (t) => {
    const infoStub = sinon.stub(core, "info");
    process.env["GITHUB_EVENT_NAME"] = "pull_request";
    process.env["GITHUB_SHA"] = "100912429fab4cb230e66ffb11e738ac5194e73a";
-    const result = await actionsUtil.determineBaseBranchHeadCommitOid(path.join(__dirname, "../../i-dont-exist"));
+    const result = await actionsUtil.determineMergeBaseCommitOid(path.join(__dirname, "../../i-dont-exist"));
    t.deepEqual(result, undefined);
    t.deepEqual(1, infoStub.callCount);
-    t.assert(infoStub.firstCall.args[0].startsWith("git call failed. Will calculate the base branch SHA on the server. Error: "));
-    t.assert(!infoStub.firstCall.args[0].endsWith("The checkout path provided to the action does not appear to be a git repository."));
+    t.assert(infoStub.firstCall.args[0].startsWith("Failed to call git to determine merge base."));
    infoStub.restore();
 });
 //# sourceMappingURL=actions-util.test.js.map
@@ -0,0 +1,44 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || function (mod) {
+    if (mod && mod.__esModule) return mod;
+    var result = {};
+    if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
+    __setModuleDefault(result, mod);
+    return result;
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.run = run;
+const core = __importStar(require("@actions/core"));
+const actionsUtil = __importStar(require("./actions-util"));
+const config_utils_1 = require("./config-utils");
+const logging_1 = require("./logging");
+async function run(uploadSarifDebugArtifact) {
+    const logger = (0, logging_1.getActionsLogger)();
+    const config = await (0, config_utils_1.getConfig)(actionsUtil.getTemporaryDirectory(), logger);
+    if (config === undefined) {
+        throw new Error("Config file could not be found at expected location. Did the 'init' action fail to start?");
+    }
+    // Upload Actions SARIF artifacts for debugging
+    if (config?.debugMode) {
+        core.info("Debug mode is on. Uploading available SARIF files as Actions debugging artifact...");
+        const outputDir = actionsUtil.getRequiredInput("output");
+        await uploadSarifDebugArtifact(config, outputDir);
+    }
+}
+//# sourceMappingURL=analyze-action-post-helper.js.map
@@ -0,0 +1 @@
+{"version":3,"file":"analyze-action-post-helper.js","sourceRoot":"","sources":["../src/analyze-action-post-helper.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;AAMA,kBAuBC;AA7BD,oDAAsC;AAEtC,4DAA8C;AAC9C,iDAAmD;AACnD,uCAA6C;AAEtC,KAAK,UAAU,GAAG,CACvB,wBAGkB;IAElB,MAAM,MAAM,GAAG,IAAA,0BAAgB,GAAE,CAAC;IAElC,MAAM,MAAM,GAAG,MAAM,IAAA,wBAAS,EAAC,WAAW,CAAC,qBAAqB,EAAE,EAAE,MAAM,CAAC,CAAC;IAC5E,IAAI,MAAM,KAAK,SAAS,EAAE,CAAC;QACzB,MAAM,IAAI,KAAK,CACb,2FAA2F,CAC5F,CAAC;IACJ,CAAC;IAED,+CAA+C;IAC/C,IAAI,MAAM,EAAE,SAAS,EAAE,CAAC;QACtB,IAAI,CAAC,IAAI,CACP,oFAAoF,CACrF,CAAC;QACF,MAAM,SAAS,GAAG,WAAW,CAAC,gBAAgB,CAAC,QAAQ,CAAC,CAAC;QACzD,MAAM,wBAAwB,CAAC,MAAM,EAAE,SAAS,CAAC,CAAC;IACpD,CAAC;AACH,CAAC"}
@@ -0,0 +1,73 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || function (mod) {
+    if (mod && mod.__esModule) return mod;
+    var result = {};
+    if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
+    __setModuleDefault(result, mod);
+    return result;
+};
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+const ava_1 = __importDefault(require("ava"));
+const sinon = __importStar(require("sinon"));
+const actionsUtil = __importStar(require("./actions-util"));
+const analyzeActionPostHelper = __importStar(require("./analyze-action-post-helper"));
+const configUtils = __importStar(require("./config-utils"));
+const testing_utils_1 = require("./testing-utils");
+const util = __importStar(require("./util"));
+(0, testing_utils_1.setupTests)(ava_1.default);
+(0, ava_1.default)("post: analyze action with debug mode off", async (t) => {
+    return await util.withTmpDir(async (tmpDir) => {
+        process.env["RUNNER_TEMP"] = tmpDir;
+        const gitHubVersion = {
+            type: util.GitHubVariant.DOTCOM,
+        };
+        sinon.stub(configUtils, "getConfig").resolves({
+            debugMode: false,
+            gitHubVersion,
+            languages: [],
+            packs: [],
+        });
+        const uploadSarifSpy = sinon.spy();
+        await analyzeActionPostHelper.run(uploadSarifSpy);
+        t.assert(uploadSarifSpy.notCalled);
+    });
+});
+(0, ava_1.default)("post: analyze action with debug mode on", async (t) => {
+    return await util.withTmpDir(async (tmpDir) => {
+        process.env["RUNNER_TEMP"] = tmpDir;
+        const gitHubVersion = {
+            type: util.GitHubVariant.DOTCOM,
+        };
+        sinon.stub(configUtils, "getConfig").resolves({
+            debugMode: true,
+            gitHubVersion,
+            languages: [],
+            packs: [],
+        });
+        const requiredInputStub = sinon.stub(actionsUtil, "getRequiredInput");
+        requiredInputStub.withArgs("output").returns("fake-output-dir");
+        const uploadSarifSpy = sinon.spy();
+        await analyzeActionPostHelper.run(uploadSarifSpy);
+        t.assert(uploadSarifSpy.called);
+    });
+});
+//# sourceMappingURL=analyze-action-post-helper.test.js.map
@@ -0,0 +1 @@
+{"version":3,"file":"analyze-action-post-helper.test.js","sourceRoot":"","sources":["../src/analyze-action-post-helper.test.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA,8CAAuB;AACvB,6CAA+B;AAE/B,4DAA8C;AAC9C,sFAAwE;AACxE,4DAA8C;AAC9C,mDAA6C;AAC7C,6CAA+B;AAE/B,IAAA,0BAAU,EAAC,aAAI,CAAC,CAAC;AAEjB,IAAA,aAAI,EAAC,0CAA0C,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;IAC3D,OAAO,MAAM,IAAI,CAAC,UAAU,CAAC,KAAK,EAAE,MAAM,EAAE,EAAE;QAC5C,OAAO,CAAC,GAAG,CAAC,aAAa,CAAC,GAAG,MAAM,CAAC;QAEpC,MAAM,aAAa,GAAuB;YACxC,IAAI,EAAE,IAAI,CAAC,aAAa,CAAC,MAAM;SAChC,CAAC;QACF,KAAK,CAAC,IAAI,CAAC,WAAW,EAAE,WAAW,CAAC,CAAC,QAAQ,CAAC;YAC5C,SAAS,EAAE,KAAK;YAChB,aAAa;YACb,SAAS,EAAE,EAAE;YACb,KAAK,EAAE,EAAE;SACuB,CAAC,CAAC;QAEpC,MAAM,cAAc,GAAG,KAAK,CAAC,GAAG,EAAE,CAAC;QAEnC,MAAM,uBAAuB,CAAC,GAAG,CAAC,cAAc,CAAC,CAAC;QAElD,CAAC,CAAC,MAAM,CAAC,cAAc,CAAC,SAAS,CAAC,CAAC;IACrC,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,IAAA,aAAI,EAAC,yCAAyC,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;IAC1D,OAAO,MAAM,IAAI,CAAC,UAAU,CAAC,KAAK,EAAE,MAAM,EAAE,EAAE;QAC5C,OAAO,CAAC,GAAG,CAAC,aAAa,CAAC,GAAG,MAAM,CAAC;QAEpC,MAAM,aAAa,GAAuB;YACxC,IAAI,EAAE,IAAI,CAAC,aAAa,CAAC,MAAM;SAChC,CAAC;QACF,KAAK,CAAC,IAAI,CAAC,WAAW,EAAE,WAAW,CAAC,CAAC,QAAQ,CAAC;YAC5C,SAAS,EAAE,IAAI;YACf,aAAa;YACb,SAAS,EAAE,EAAE;YACb,KAAK,EAAE,EAAE;SACuB,CAAC,CAAC;QAEpC,MAAM,iBAAiB,GAAG,KAAK,CAAC,IAAI,CAAC,WAAW,EAAE,kBAAkB,CAAC,CAAC;QACtE,iBAAiB,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC,OAAO,CAAC,iBAAiB,CAAC,CAAC;QAEhE,MAAM,cAAc,GAAG,KAAK,CAAC,GAAG,EAAE,CAAC;QAEnC,MAAM,uBAAuB,CAAC,GAAG,CAAC,cAAc,CAAC,CAAC;QAElD,CAAC,CAAC,MAAM,CAAC,cAAc,CAAC,MAAM,CAAC,CAAC;IAClC,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}
@@ -29,33 +29,19 @@ Object.defineProperty(exports, "__esModule", { value: true });
 * other `post:` hooks.
 */
 const core = __importStar(require("@actions/core"));
-const actions_util_1 = require("./actions-util");
-const api_client_1 = require("./api-client");
-const config_utils_1 = require("./config-utils");
+const analyzeActionPostHelper = __importStar(require("./analyze-action-post-helper"));
 const debugArtifacts = __importStar(require("./debug-artifacts"));
-const environment_1 = require("./environment");
-const feature_flags_1 = require("./feature-flags");
-const logging_1 = require("./logging");
-const repository_1 = require("./repository");
+const uploadSarifActionPostHelper = __importStar(require("./upload-sarif-action-post-helper"));
 const util_1 = require("./util");
 async function runWrapper() {
    try {
-        const logger = (0, logging_1.getActionsLogger)();
-        const gitHubVersion = await (0, api_client_1.getGitHubVersion)();
-        (0, util_1.checkGitHubVersionInRange)(gitHubVersion, logger);
-        const repositoryNwo = (0, repository_1.parseRepositoryNwo)((0, util_1.getRequiredEnvParam)("GITHUB_REPOSITORY"));
-        const features = new feature_flags_1.Features(gitHubVersion, repositoryNwo, (0, actions_util_1.getTemporaryDirectory)(), logger);
-        // Upload SARIF artifacts if we determine that this is a first-party analysis run.
-        // For third-party runs, this artifact will be uploaded in the `upload-sarif-post` step.
-        if (process.env[environment_1.EnvVar.INIT_ACTION_HAS_RUN] === "true") {
-            const config = await (0, config_utils_1.getConfig)((0, actions_util_1.getTemporaryDirectory)(), logger);
-            if (config !== undefined) {
-                await (0, logging_1.withGroup)("Uploading combined SARIF debug artifact", () => debugArtifacts.uploadCombinedSarifArtifacts(logger, config.gitHubVersion.type, features));
-            }
-        }
+        await analyzeActionPostHelper.run(debugArtifacts.uploadSarifDebugArtifact);
+        // Also run the upload-sarif post action since we're potentially running
+        // the same steps in the analyze action.
+        await uploadSarifActionPostHelper.uploadArtifacts(debugArtifacts.uploadDebugArtifacts);
    }
    catch (error) {
-        core.setFailed(`analyze post-action step failed: ${(0, util_1.getErrorMessage)(error)}`);
+        core.setFailed(`analyze post-action step failed: ${(0, util_1.wrapError)(error).message}`);
    }
 }
 void runWrapper();
@@ -1 +1 @@
-{"version":3,"file":"analyze-action-post.js","sourceRoot":"","sources":["../src/analyze-action-post.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;AAAA;;;;GAIG;AACH,oDAAsC;AAEtC,iDAAuD;AACvD,6CAAgD;AAChD,iDAA2C;AAC3C,kEAAoD;AACpD,+CAAuC;AACvC,mDAA2C;AAC3C,uCAAwD;AACxD,6CAAkD;AAClD,iCAIgB;AAEhB,KAAK,UAAU,UAAU;IACvB,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,IAAA,0BAAgB,GAAE,CAAC;QAClC,MAAM,aAAa,GAAG,MAAM,IAAA,6BAAgB,GAAE,CAAC;QAC/C,IAAA,gCAAyB,EAAC,aAAa,EAAE,MAAM,CAAC,CAAC;QACjD,MAAM,aAAa,GAAG,IAAA,+BAAkB,EACtC,IAAA,0BAAmB,EAAC,mBAAmB,CAAC,CACzC,CAAC;QACF,MAAM,QAAQ,GAAG,IAAI,wBAAQ,CAC3B,aAAa,EACb,aAAa,EACb,IAAA,oCAAqB,GAAE,EACvB,MAAM,CACP,CAAC;QAEF,kFAAkF;QAClF,wFAAwF;QACxF,IAAI,OAAO,CAAC,GAAG,CAAC,oBAAM,CAAC,mBAAmB,CAAC,KAAK,MAAM,EAAE,CAAC;YACvD,MAAM,MAAM,GAAG,MAAM,IAAA,wBAAS,EAAC,IAAA,oCAAqB,GAAE,EAAE,MAAM,CAAC,CAAC;YAChE,IAAI,MAAM,KAAK,SAAS,EAAE,CAAC;gBACzB,MAAM,IAAA,mBAAS,EAAC,yCAAyC,EAAE,GAAG,EAAE,CAC9D,cAAc,CAAC,4BAA4B,CACzC,MAAM,EACN,MAAM,CAAC,aAAa,CAAC,IAAI,EACzB,QAAQ,CACT,CACF,CAAC;YACJ,CAAC;QACH,CAAC;IACH,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,IAAI,CAAC,SAAS,CACZ,oCAAoC,IAAA,sBAAe,EAAC,KAAK,CAAC,EAAE,CAC7D,CAAC;IACJ,CAAC;AACH,CAAC;AAED,KAAK,UAAU,EAAE,CAAC"}
+{"version":3,"file":"analyze-action-post.js","sourceRoot":"","sources":["../src/analyze-action-post.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;AAAA;;;;GAIG;AACH,oDAAsC;AAEtC,sFAAwE;AACxE,kEAAoD;AACpD,+FAAiF;AACjF,iCAAmC;AAEnC,KAAK,UAAU,UAAU;IACvB,IAAI,CAAC;QACH,MAAM,uBAAuB,CAAC,GAAG,CAAC,cAAc,CAAC,wBAAwB,CAAC,CAAC;QAE3E,wEAAwE;QACxE,wCAAwC;QACxC,MAAM,2BAA2B,CAAC,eAAe,CAC/C,cAAc,CAAC,oBAAoB,CACpC,CAAC;IACJ,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,IAAI,CAAC,SAAS,CACZ,oCAAoC,IAAA,gBAAS,EAAC,KAAK,CAAC,CAAC,OAAO,EAAE,CAC/D,CAAC;IACJ,CAAC;AACH,CAAC;AAED,KAAK,UAAU,EAAE,CAAC"}
@@ -45,12 +45,13 @@ const logging_1 = require("./logging");
 const repository_1 = require("./repository");
 const statusReport = __importStar(require("./status-report"));
 const status_report_1 = require("./status-report");
+const tracer_config_1 = require("./tracer-config");
 const trap_caching_1 = require("./trap-caching");
 const uploadLib = __importStar(require("./upload-lib"));
 const util = __importStar(require("./util"));
 async function sendStatusReport(startedAt, config, stats, error, trapCacheUploadTime, dbCreationTimings, didUploadTrapCaches, trapCacheCleanup, logger) {
    const status = (0, status_report_1.getActionsStatus)(error, stats?.analyze_failure_language);
-    const statusReportBase = await (0, status_report_1.createStatusReportBase)(status_report_1.ActionName.Analyze, status, startedAt, config, await util.checkDiskUsage(logger), logger, error?.message, error?.stack);
+    const statusReportBase = await (0, status_report_1.createStatusReportBase)(status_report_1.ActionName.Analyze, status, startedAt, config, await util.checkDiskUsage(), logger, error?.message, error?.stack);
    if (statusReportBase !== undefined) {
        const report = {
            ...statusReportBase,
@@ -138,6 +139,10 @@ async function runAutobuildIfLegacyGoWorkflow(config, logger) {
    await (0, autobuild_1.runAutobuild)(config, languages_1.Language.go, logger);
 }
 async function run() {
+    // If the autobuild Action already ran, we have already unset this environment variable.
+    if (process.env[environment_1.EnvVar.AUTOBUILD_DID_COMPLETE_SUCCESSFULLY] !== "true") {
+        (0, tracer_config_1.unsetTracerEnvVarForCurrentProcess)();
+    }
    const startedAt = new Date();
    let uploadResult = undefined;
    let runStats = undefined;
@@ -163,7 +168,6 @@ async function run() {
        }
        const apiDetails = (0, api_client_1.getApiDetails)();
        const outputDir = actionsUtil.getRequiredInput("output");
-        core.exportVariable(environment_1.EnvVar.SARIF_RESULTS_OUTPUT_DIR, outputDir);
        const threads = util.getThreadsFlag(actionsUtil.getOptionalInput("threads") || process.env["CODEQL_THREADS"], logger);
        const repositoryNwo = (0, repository_1.parseRepositoryNwo)(util.getRequiredEnvParam("GITHUB_REPOSITORY"));
        const gitHubVersion = await (0, api_client_1.getGitHubVersion)();
@@ -245,7 +249,7 @@ async function runWrapper() {
        await exports.runPromise;
    }
    catch (error) {
-        core.setFailed(`analyze action failed: ${util.getErrorMessage(error)}`);
+        core.setFailed(`analyze action failed: ${util.wrapError(error).message}`);
    }
    await util.checkForTimeout();
 }
@@ -186,7 +186,7 @@ async function runQueries(sarifFolder, memoryFlag, addSnippetsFlag, threadsFlag,
        }
        catch (e) {
            statusReport.analyze_failure_language = language;
-            throw new CodeQLAnalysisError(statusReport, `Error running analysis for ${language}: ${util.getErrorMessage(e)}`, util.wrapError(e));
+            throw new CodeQLAnalysisError(statusReport, `Error running analysis for ${language}: ${util.wrapError(e).message}`, util.wrapError(e));
        }
    }
    return statusReport;
@@ -1 +1 @@
-{ "maximumVersion": "3.15", "minimumVersion": "3.11" }
+{ "maximumVersion": "3.14", "minimumVersion": "3.10" }
@@ -54,6 +54,7 @@ async function run() {
    let currentLanguage;
    let languages;
    try {
+        (0, tracer_config_1.unsetTracerEnvVarForCurrentProcess)();
        const statusReportBase = await (0, status_report_1.createStatusReportBase)(status_report_1.ActionName.Autobuild, "starting", startedAt, config, await (0, util_1.checkDiskUsage)(logger), logger);
        if (statusReportBase !== undefined) {
            await (0, status_report_1.sendStatusReport)(statusReportBase);
@@ -96,7 +97,7 @@ async function runWrapper() {
        await run();
    }
    catch (error) {
-        core.setFailed(`autobuild action failed. ${(0, util_1.getErrorMessage)(error)}`);
+        core.setFailed(`autobuild action failed. ${(0, util_1.wrapError)(error).message}`);
    }
 }
 void runWrapper();
@@ -1 +1 @@
-{"version":3,"file":"autobuild-action.js","sourceRoot":"","sources":["../src/autobuild-action.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;AAAA,oDAAsC;AAEtC,iDAIwB;AACxB,6CAAgD;AAChD,2CAAwE;AACxE,qCAAqC;AACrC,iDAAmD;AACnD,+CAAuC;AAEvC,uCAAqD;AACrD,mDAMyB;AACzB,mDAAuD;AACvD,iCAOgB;AAShB,KAAK,UAAU,yBAAyB,CACtC,MAA0B,EAC1B,MAAc,EACd,SAAe,EACf,YAAsB,EACtB,eAAwB,EACxB,KAAa;IAEb,IAAA,4BAAqB,EAAC,IAAA,+BAAgB,GAAE,CAAC,CAAC;IAE1C,MAAM,MAAM,GAAG,IAAA,gCAAgB,EAAC,KAAK,EAAE,eAAe,CAAC,CAAC;IACxD,MAAM,gBAAgB,GAAG,MAAM,IAAA,sCAAsB,EACnD,0BAAU,CAAC,SAAS,EACpB,MAAM,EACN,SAAS,EACT,MAAM,EACN,MAAM,IAAA,qBAAc,EAAC,MAAM,CAAC,EAC5B,MAAM,EACN,KAAK,EAAE,OAAO,EACd,KAAK,EAAE,KAAK,CACb,CAAC;IACF,IAAI,gBAAgB,KAAK,SAAS,EAAE,CAAC;QACnC,MAAM,YAAY,GAA0B;YAC1C,GAAG,gBAAgB;YACnB,mBAAmB,EAAE,YAAY,CAAC,IAAI,CAAC,GAAG,CAAC;YAC3C,iBAAiB,EAAE,eAAe;SACnC,CAAC;QACF,MAAM,IAAA,gCAAgB,EAAC,YAAY,CAAC,CAAC;IACvC,CAAC;AACH,CAAC;AAED,KAAK,UAAU,GAAG;IAChB,MAAM,SAAS,GAAG,IAAI,IAAI,EAAE,CAAC;IAC7B,MAAM,MAAM,GAAG,IAAA,0BAAgB,GAAE,CAAC;IAClC,IAAI,MAA0B,CAAC;IAC/B,IAAI,eAAqC,CAAC;IAC1C,IAAI,SAAiC,CAAC;IACtC,IAAI,CAAC;QACH,MAAM,gBAAgB,GAAG,MAAM,IAAA,sCAAsB,EACnD,0BAAU,CAAC,SAAS,EACpB,UAAU,EACV,SAAS,EACT,MAAM,EACN,MAAM,IAAA,qBAAc,EAAC,MAAM,CAAC,EAC5B,MAAM,CACP,CAAC;QACF,IAAI,gBAAgB,KAAK,SAAS,EAAE,CAAC;YACnC,MAAM,IAAA,gCAAgB,EAAC,gBAAgB,CAAC,CAAC;QAC3C,CAAC;QAED,MAAM,aAAa,GAAG,MAAM,IAAA,6BAAgB,GAAE,CAAC;QAC/C,IAAA,gCAAyB,EAAC,aAAa,EAAE,MAAM,CAAC,CAAC;QACjD,IAAA,yBAAkB,EAAC,IAAA,+BAAgB,GAAE,EAAE,aAAa,CAAC,CAAC;QAEtD,MAAM,GAAG,MAAM,IAAA,wBAAS,EAAC,IAAA,oCAAqB,GAAE,EAAE,MAAM,CAAC,CAAC;QAC1D,IAAI,MAAM,KAAK,SAAS,EAAE,CAAC;YACzB,MAAM,IAAI,KAAK,CACb,yFAAyF,CAC1F,CAAC;QACJ,CAAC;QAED,MAAM,MAAM,GAAG,MAAM,IAAA,kBAAS,EAAC,MAAM,CAAC,SAAS,CAAC,CAAC;QAEjD,SAAS,GAAG,MAAM,IAAA,uCAA2B,EAAC,MAAM,EAAE,MAAM,EAAE,MAAM,CAAC,CAAC;QACtE,IAAI,SAAS,KAAK,SAAS,EAAE,CAAC;YAC5B,MAAM,gBAAgB,GAAG,IAAA,+BAAgB,EAAC,mBAAmB,CAAC,CAAC;YAC/D,IAAI,gBAAgB,EAAE,CAAC;gBACrB,MAAM,CAAC,IAAI,CACT,6CAA6C,gBAAgB,EAAE,CAChE,CAAC;gBACF,OAAO,CAAC,KAAK,CAAC,gBAAgB,CAAC,CAAC;YAClC,CAAC;YACD,KAAK,MAAM,QAAQ,IAAI,SAAS,EAAE,CAAC;gBACjC,eAAe,GAAG,QAAQ,CAAC;gBAC3B,MAAM,IAAA,wBAAY,EAAC,MAAM,EAAE,QAAQ,EAAE,MAAM,CAAC,CAAC;YAC/C,CAAC;QACH,CAAC;QAED,+FAA+F;QAC/F,oBAAoB;QACpB,MAAM,IAAA,oCAAoB,EAAC,MAAM,EAAE,MAAM,EAAE,MAAM,CAAC,CAAC;IACrD,CAAC;IAAC,OAAO,cAAc,EAAE,CAAC;QACxB,MAAM,KAAK,GAAG,IAAA,gBAAS,EAAC,cAAc,CAAC,CAAC;QACxC,IAAI,CAAC,SAAS,CACZ,kIAAkI,KAAK,CAAC,OAAO,EAAE,CAClJ,CAAC;QACF,MAAM,yBAAyB,CAC7B,MAAM,EACN,MAAM,EACN,SAAS,EACT,SAAS,IAAI,EAAE,EACf,eAAe,EACf,KAAK,CACN,CAAC;QACF,OAAO;IACT,CAAC;IAED,IAAI,CAAC,cAAc,CAAC,oBAAM,CAAC,mCAAmC,EAAE,MAAM,CAAC,CAAC;IAExE,MAAM,yBAAyB,CAAC,MAAM,EAAE,MAAM,EAAE,SAAS,EAAE,SAAS,IAAI,EAAE,CAAC,CAAC;AAC9E,CAAC;AAED,KAAK,UAAU,UAAU;IACvB,IAAI,CAAC;QACH,MAAM,GAAG,EAAE,CAAC;IACd,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,IAAI,CAAC,SAAS,CAAC,4BAA4B,IAAA,sBAAe,EAAC,KAAK,CAAC,EAAE,CAAC,CAAC;IACvE,CAAC;AACH,CAAC;AAED,KAAK,UAAU,EAAE,CAAC"}
+{"version":3,"file":"autobuild-action.js","sourceRoot":"","sources":["../src/autobuild-action.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;AAAA,oDAAsC;AAEtC,iDAIwB;AACxB,6CAAgD;AAChD,2CAAwE;AACxE,qCAAqC;AACrC,iDAAmD;AACnD,+CAAuC;AAEvC,uCAAqD;AACrD,mDAMyB;AACzB,mDAGyB;AACzB,iCAMgB;AAShB,KAAK,UAAU,yBAAyB,CACtC,MAA0B,EAC1B,MAAc,EACd,SAAe,EACf,YAAsB,EACtB,eAAwB,EACxB,KAAa;IAEb,IAAA,4BAAqB,EAAC,IAAA,+BAAgB,GAAE,CAAC,CAAC;IAE1C,MAAM,MAAM,GAAG,IAAA,gCAAgB,EAAC,KAAK,EAAE,eAAe,CAAC,CAAC;IACxD,MAAM,gBAAgB,GAAG,MAAM,IAAA,sCAAsB,EACnD,0BAAU,CAAC,SAAS,EACpB,MAAM,EACN,SAAS,EACT,MAAM,EACN,MAAM,IAAA,qBAAc,EAAC,MAAM,CAAC,EAC5B,MAAM,EACN,KAAK,EAAE,OAAO,EACd,KAAK,EAAE,KAAK,CACb,CAAC;IACF,IAAI,gBAAgB,KAAK,SAAS,EAAE,CAAC;QACnC,MAAM,YAAY,GAA0B;YAC1C,GAAG,gBAAgB;YACnB,mBAAmB,EAAE,YAAY,CAAC,IAAI,CAAC,GAAG,CAAC;YAC3C,iBAAiB,EAAE,eAAe;SACnC,CAAC;QACF,MAAM,IAAA,gCAAgB,EAAC,YAAY,CAAC,CAAC;IACvC,CAAC;AACH,CAAC;AAED,KAAK,UAAU,GAAG;IAChB,MAAM,SAAS,GAAG,IAAI,IAAI,EAAE,CAAC;IAC7B,MAAM,MAAM,GAAG,IAAA,0BAAgB,GAAE,CAAC;IAClC,IAAI,MAA0B,CAAC;IAC/B,IAAI,eAAqC,CAAC;IAC1C,IAAI,SAAiC,CAAC;IACtC,IAAI,CAAC;QACH,IAAA,kDAAkC,GAAE,CAAC;QAErC,MAAM,gBAAgB,GAAG,MAAM,IAAA,sCAAsB,EACnD,0BAAU,CAAC,SAAS,EACpB,UAAU,EACV,SAAS,EACT,MAAM,EACN,MAAM,IAAA,qBAAc,EAAC,MAAM,CAAC,EAC5B,MAAM,CACP,CAAC;QACF,IAAI,gBAAgB,KAAK,SAAS,EAAE,CAAC;YACnC,MAAM,IAAA,gCAAgB,EAAC,gBAAgB,CAAC,CAAC;QAC3C,CAAC;QAED,MAAM,aAAa,GAAG,MAAM,IAAA,6BAAgB,GAAE,CAAC;QAC/C,IAAA,gCAAyB,EAAC,aAAa,EAAE,MAAM,CAAC,CAAC;QACjD,IAAA,yBAAkB,EAAC,IAAA,+BAAgB,GAAE,EAAE,aAAa,CAAC,CAAC;QAEtD,MAAM,GAAG,MAAM,IAAA,wBAAS,EAAC,IAAA,oCAAqB,GAAE,EAAE,MAAM,CAAC,CAAC;QAC1D,IAAI,MAAM,KAAK,SAAS,EAAE,CAAC;YACzB,MAAM,IAAI,KAAK,CACb,yFAAyF,CAC1F,CAAC;QACJ,CAAC;QAED,MAAM,MAAM,GAAG,MAAM,IAAA,kBAAS,EAAC,MAAM,CAAC,SAAS,CAAC,CAAC;QAEjD,SAAS,GAAG,MAAM,IAAA,uCAA2B,EAAC,MAAM,EAAE,MAAM,EAAE,MAAM,CAAC,CAAC;QACtE,IAAI,SAAS,KAAK,SAAS,EAAE,CAAC;YAC5B,MAAM,gBAAgB,GAAG,IAAA,+BAAgB,EAAC,mBAAmB,CAAC,CAAC;YAC/D,IAAI,gBAAgB,EAAE,CAAC;gBACrB,MAAM,CAAC,IAAI,CACT,6CAA6C,gBAAgB,EAAE,CAChE,CAAC;gBACF,OAAO,CAAC,KAAK,CAAC,gBAAgB,CAAC,CAAC;YAClC,CAAC;YACD,KAAK,MAAM,QAAQ,IAAI,SAAS,EAAE,CAAC;gBACjC,eAAe,GAAG,QAAQ,CAAC;gBAC3B,MAAM,IAAA,wBAAY,EAAC,MAAM,EAAE,QAAQ,EAAE,MAAM,CAAC,CAAC;YAC/C,CAAC;QACH,CAAC;QAED,+FAA+F;QAC/F,oBAAoB;QACpB,MAAM,IAAA,oCAAoB,EAAC,MAAM,EAAE,MAAM,EAAE,MAAM,CAAC,CAAC;IACrD,CAAC;IAAC,OAAO,cAAc,EAAE,CAAC;QACxB,MAAM,KAAK,GAAG,IAAA,gBAAS,EAAC,cAAc,CAAC,CAAC;QACxC,IAAI,CAAC,SAAS,CACZ,kIAAkI,KAAK,CAAC,OAAO,EAAE,CAClJ,CAAC;QACF,MAAM,yBAAyB,CAC7B,MAAM,EACN,MAAM,EACN,SAAS,EACT,SAAS,IAAI,EAAE,EACf,eAAe,EACf,KAAK,CACN,CAAC;QACF,OAAO;IACT,CAAC;IAED,IAAI,CAAC,cAAc,CAAC,oBAAM,CAAC,mCAAmC,EAAE,MAAM,CAAC,CAAC;IAExE,MAAM,yBAAyB,CAAC,MAAM,EAAE,MAAM,EAAE,SAAS,EAAE,SAAS,IAAI,EAAE,CAAC,CAAC;AAC9E,CAAC;AAED,KAAK,UAAU,UAAU;IACvB,IAAI,CAAC;QACH,MAAM,GAAG,EAAE,CAAC;IACd,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,IAAI,CAAC,SAAS,CAAC,4BAA4B,IAAA,gBAAS,EAAC,KAAK,CAAC,CAAC,OAAO,EAAE,CAAC,CAAC;IACzE,CAAC;AACH,CAAC;AAED,KAAK,UAAU,EAAE,CAAC"}
@@ -1,24 +1,26 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.cliErrorsConfig = exports.CliConfigErrorCategory = exports.CliError = void 0;
+exports.cliErrorsConfig = exports.CliConfigErrorCategory = exports.CommandInvocationError = void 0;
 exports.getCliConfigCategoryIfExists = getCliConfigCategoryIfExists;
 exports.wrapCliConfigurationError = wrapCliConfigurationError;
-const actions_util_1 = require("./actions-util");
 const doc_url_1 = require("./doc-url");
 const util_1 = require("./util");
 /**
- * An error from a CodeQL CLI invocation, with associated exit code, stderr, etc.
+ * A class of Error that we can classify as an error stemming from a CLI
+ * invocation, with associated exit code, stderr,etc.
 */
-class CliError extends Error {
-    constructor({ cmd, args, exitCode, stderr }) {
-        const prettyCommand = (0, actions_util_1.prettyPrintInvocation)(cmd, args);
+class CommandInvocationError extends Error {
+    constructor(cmd, args, exitCode, stderr, stdout) {
+        const prettyCommand = [cmd, ...args]
+            .map((x) => (x.includes(" ") ? `'${x}'` : x))
+            .join(" ");
        const fatalErrors = extractFatalErrors(stderr);
        const autobuildErrors = extractAutobuildErrors(stderr);
        let message;
        if (fatalErrors) {
            message =
                `Encountered a fatal error while running "${prettyCommand}". ` +
-                    `Exit code was ${exitCode} and error was: ${(0, actions_util_1.ensureEndsInPeriod)(fatalErrors.trim())} See the logs for more details.`;
+                    `Exit code was ${exitCode} and error was: ${ensureEndsInPeriod(fatalErrors.trim())} See the logs for more details.`;
        }
        else if (autobuildErrors) {
            message =
@@ -27,7 +29,7 @@ class CliError extends Error {
                    `Encountered the following error: ${autobuildErrors}`;
        }
        else {
-            const lastLine = (0, actions_util_1.ensureEndsInPeriod)(stderr.trim().split("\n").pop()?.trim() || "n/a");
+            const lastLine = ensureEndsInPeriod(stderr.trim().split("\n").pop()?.trim() || "n/a");
            message =
                `Encountered a fatal error while running "${prettyCommand}". ` +
                    `Exit code was ${exitCode} and last log line was: ${lastLine} See the logs for more details.`;
@@ -35,9 +37,10 @@ class CliError extends Error {
        super(message);
        this.exitCode = exitCode;
        this.stderr = stderr;
+        this.stdout = stdout;
    }
 }
-exports.CliError = CliError;
+exports.CommandInvocationError = CommandInvocationError;
 /**
 * Provide a better error message from the stderr of a CLI invocation that failed with a fatal
 * error.
@@ -86,10 +89,10 @@ function extractFatalErrors(error) {
        }
        const isOneLiner = !fatalErrors.some((e) => e.includes("\n"));
        if (isOneLiner) {
-            fatalErrors = fatalErrors.map(actions_util_1.ensureEndsInPeriod);
+            fatalErrors = fatalErrors.map(ensureEndsInPeriod);
        }
        return [
-            (0, actions_util_1.ensureEndsInPeriod)(lastError),
+            ensureEndsInPeriod(lastError),
            "Context:",
            ...fatalErrors.reverse(),
        ].join(isOneLiner ? " " : "\n");
@@ -106,6 +109,9 @@ function extractAutobuildErrors(error) {
    }
    return errorLines.join("\n") || undefined;
 }
+function ensureEndsInPeriod(text) {
+    return text[text.length - 1] === "." ? text : `${text}.`;
+}
 /** Error messages from the CLI that we consider configuration errors and handle specially. */
 var CliConfigErrorCategory;
 (function (CliConfigErrorCategory) {
@@ -261,6 +267,9 @@ function getCliConfigCategoryIfExists(cliError) {
 * simply returns the original error.
 */
 function wrapCliConfigurationError(cliError) {
+    if (!(cliError instanceof CommandInvocationError)) {
+        return cliError;
+    }
    const cliConfigErrorCategory = getCliConfigCategoryIfExists(cliError);
    if (cliConfigErrorCategory === undefined) {
        return cliError;
@@ -23,7 +23,7 @@ var __importStar = (this && this.__importStar) || function (mod) {
    return result;
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.CODEQL_VERSION_SUBLANGUAGE_FILE_COVERAGE = exports.CODEQL_VERSION_ANALYSIS_SUMMARY_V2 = void 0;
+exports.CODEQL_VERSION_SUBLANGUAGE_FILE_COVERAGE = exports.CODEQL_VERSION_ANALYSIS_SUMMARY_V2 = exports.CODEQL_VERSION_LANGUAGE_ALIASING = exports.CODEQL_VERSION_LANGUAGE_BASELINE_CONFIG = void 0;
 exports.setupCodeQL = setupCodeQL;
 exports.getCodeQL = getCodeQL;
 exports.setCodeQL = setCodeQL;
@@ -63,19 +63,19 @@ let cachedCodeQL = undefined;
 * The version flags below can be used to conditionally enable certain features
 * on versions newer than this.
 */
-const CODEQL_MINIMUM_VERSION = "2.14.6";
+const CODEQL_MINIMUM_VERSION = "2.13.5";
 /**
 * This version will shortly become the oldest version of CodeQL that the Action will run with.
 */
-const CODEQL_NEXT_MINIMUM_VERSION = "2.14.6";
+const CODEQL_NEXT_MINIMUM_VERSION = "2.13.5";
 /**
 * This is the version of GHES that was most recently deprecated.
 */
-const GHES_VERSION_MOST_RECENTLY_DEPRECATED = "3.10";
+const GHES_VERSION_MOST_RECENTLY_DEPRECATED = "3.9";
 /**
 * This is the deprecation date for the version of GHES that was most recently deprecated.
 */
-const GHES_MOST_RECENT_DEPRECATION_DATE = "2024-09-24";
+const GHES_MOST_RECENT_DEPRECATION_DATE = "2024-07-09";
 /** The CLI verbosity level to use for extraction in debug mode. */
 const EXTRACTION_DEBUG_MODE_VERBOSITY = "progress++";
 /*
@@ -85,6 +85,14 @@ const EXTRACTION_DEBUG_MODE_VERBOSITY = "progress++";
 * For convenience, please keep these in descending order. Once a version
 * flag is older than the oldest supported version above, it may be removed.
 */
+/**
+ * Versions 2.14.2+ of the CodeQL CLI support language-specific baseline configuration.
+ */
+exports.CODEQL_VERSION_LANGUAGE_BASELINE_CONFIG = "2.14.2";
+/**
+ * Versions 2.14.4+ of the CodeQL CLI support language aliasing.
+ */
+exports.CODEQL_VERSION_LANGUAGE_ALIASING = "2.14.4";
 /**
 * Versions 2.15.0+ of the CodeQL CLI support new analysis summaries.
 */
@@ -97,10 +105,6 @@ exports.CODEQL_VERSION_SUBLANGUAGE_FILE_COVERAGE = "2.15.0";
 * Versions 2.15.2+ of the CodeQL CLI support the `--sarif-include-query-help` option.
 */
 const CODEQL_VERSION_INCLUDE_QUERY_HELP = "2.15.2";
-/**
- * Versions 2.17.1+ of the CodeQL CLI support the `--cache-cleanup` option.
- */
-const CODEQL_VERSION_CACHE_CLEANUP = "2.17.1";
 /**
 * Set up CodeQL CLI access.
 *
@@ -114,10 +118,9 @@ const CODEQL_VERSION_CACHE_CLEANUP = "2.17.1";
 *        version requirement. Must be set to true outside tests.
 * @returns a { CodeQL, toolsVersion } object.
 */
-async function setupCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliVersion, features, logger, checkVersion) {
+async function setupCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliVersion, logger, checkVersion) {
    try {
-        const { codeqlFolder, toolsDownloadStatusReport, toolsSource, toolsVersion, zstdAvailability, } = await setupCodeql.setupCodeQLBundle(toolsInput, apiDetails, tempDir, variant, defaultCliVersion, features, logger);
-        logger.debug(`Bundle download status report: ${JSON.stringify(toolsDownloadStatusReport)}`);
+        const { codeqlFolder, toolsDownloadStatusReport, toolsSource, toolsVersion, } = await setupCodeql.setupCodeQLBundle(toolsInput, apiDetails, tempDir, variant, defaultCliVersion, logger);
        let codeqlCmd = path.join(codeqlFolder, "codeql", "codeql");
        if (process.platform === "win32") {
            codeqlCmd += ".exe";
@@ -131,11 +134,10 @@ async function setupCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliV
            toolsDownloadStatusReport,
            toolsSource,
            toolsVersion,
-            zstdAvailability,
        };
    }
    catch (e) {
-        throw new Error(`Unable to download and extract CodeQL CLI: ${(0, util_1.getErrorMessage)(e)}`);
+        throw new Error(`Unable to download and extract CodeQL CLI: ${(0, util_1.wrapError)(e).message}`);
    }
 }
 /**
@@ -180,7 +182,7 @@ function setCodeQL(partialCodeql) {
        extractUsingBuildMode: resolveFunction(partialCodeql, "extractUsingBuildMode"),
        finalizeDatabase: resolveFunction(partialCodeql, "finalizeDatabase"),
        resolveLanguages: resolveFunction(partialCodeql, "resolveLanguages"),
-        betterResolveLanguages: resolveFunction(partialCodeql, "betterResolveLanguages", async () => ({ aliases: {}, extractors: {} })),
+        betterResolveLanguages: resolveFunction(partialCodeql, "betterResolveLanguages"),
        resolveQueries: resolveFunction(partialCodeql, "resolveQueries"),
        resolveBuildEnvironment: resolveFunction(partialCodeql, "resolveBuildEnvironment"),
        packDownload: resolveFunction(partialCodeql, "packDownload"),
@@ -233,9 +235,7 @@ async function getCodeQLForCmd(cmd, checkVersion) {
        async getVersion() {
            let result = util.getCachedCodeQlVersion();
            if (result === undefined) {
-                const output = await runCli(cmd, ["version", "--format=json"], {
-                    noStreamStdout: true,
-                });
+                const output = await runTool(cmd, ["version", "--format=json"]);
                try {
                    result = JSON.parse(output);
                }
@@ -247,7 +247,7 @@ async function getCodeQLForCmd(cmd, checkVersion) {
            return result;
        },
        async printVersion() {
-            await runCli(cmd, ["version", "--format=json"]);
+            await runTool(cmd, ["version", "--format=json"]);
        },
        async supportsFeature(feature) {
            return (0, tools_features_1.isSupportedToolsFeature)(await this.getVersion(), feature);
@@ -272,7 +272,9 @@ async function getCodeQLForCmd(cmd, checkVersion) {
            if (qlconfigFile !== undefined) {
                extraArgs.push(`--qlconfig-file=${qlconfigFile}`);
            }
-            extraArgs.push("--calculate-language-specific-baseline");
+            if (await util.codeQlVersionAtLeast(this, exports.CODEQL_VERSION_LANGUAGE_BASELINE_CONFIG)) {
+                extraArgs.push("--calculate-language-specific-baseline");
+            }
            if (await isSublanguageFileCoverageEnabled(config, this)) {
                extraArgs.push("--sublanguage-file-coverage");
            }
@@ -282,14 +284,14 @@ async function getCodeQLForCmd(cmd, checkVersion) {
            const overwriteFlag = (0, tools_features_1.isSupportedToolsFeature)(await this.getVersion(), tools_features_1.ToolsFeature.ForceOverwrite)
                ? "--force-overwrite"
                : "--overwrite";
-            await runCli(cmd, [
+            await runTool(cmd, [
                "database",
                "init",
                overwriteFlag,
                "--db-cluster",
                config.dbLocation,
                `--source-root=${sourceRoot}`,
-                "--extractor-include-aliases",
+                ...(await getLanguageAliasingArguments(this)),
                ...extraArgs,
                ...getExtraOptionsFromEnv(["database", "init"], {
                    ignoringOptions: ["--overwrite"],
@@ -317,10 +319,10 @@ async function getCodeQLForCmd(cmd, checkVersion) {
            // When `DYLD_INSERT_LIBRARIES` is set in the environment for a step,
            // the Actions runtime introduces its own workaround for SIP
            // (https://github.com/actions/runner/pull/416).
-            await runCli(autobuildCmd);
+            await runTool(autobuildCmd);
        },
        async extractScannedLanguage(config, language) {
-            await runCli(cmd, [
+            await runTool(cmd, [
                "database",
                "trace-command",
                "--index-traceless-dbs",
@@ -335,7 +337,7 @@ async function getCodeQLForCmd(cmd, checkVersion) {
                applyAutobuildAzurePipelinesTimeoutFix();
            }
            try {
-                await runCli(cmd, [
+                await runTool(cmd, [
                    "database",
                    "trace-command",
                    "--use-build-mode",
@@ -352,7 +354,10 @@ async function getCodeQLForCmd(cmd, checkVersion) {
                    const prefix = "We were unable to automatically build your code. " +
                        "Please change the build mode for this language to manual and specify build steps " +
                        `for your project. See ${doc_url_1.DocUrl.AUTOMATIC_BUILD_FAILED} for more information.`;
-                    throw new util.ConfigurationError(`${prefix} ${(0, util_1.getErrorMessage)(e)}`);
+                    const ErrorConstructor = e instanceof util.ConfigurationError
+                        ? util.ConfigurationError
+                        : Error;
+                    throw new ErrorConstructor(`${prefix} ${util.wrapError(e).message}`);
                }
                else {
                    throw e;
@@ -370,7 +375,7 @@ async function getCodeQLForCmd(cmd, checkVersion) {
                ...getExtraOptionsFromEnv(["database", "finalize"]),
                databasePath,
            ];
-            await runCli(cmd, args);
+            await runTool(cmd, args);
        },
        async resolveLanguages() {
            const codeqlArgs = [
@@ -379,7 +384,7 @@ async function getCodeQLForCmd(cmd, checkVersion) {
                "--format=json",
                ...getExtraOptionsFromEnv(["resolve", "languages"]),
            ];
-            const output = await runCli(cmd, codeqlArgs);
+            const output = await runTool(cmd, codeqlArgs);
            try {
                return JSON.parse(output);
            }
@@ -393,10 +398,10 @@ async function getCodeQLForCmd(cmd, checkVersion) {
                "languages",
                "--format=betterjson",
                "--extractor-options-verbosity=4",
-                "--extractor-include-aliases",
+                ...(await getLanguageAliasingArguments(this)),
                ...getExtraOptionsFromEnv(["resolve", "languages"]),
            ];
-            const output = await runCli(cmd, codeqlArgs);
+            const output = await runTool(cmd, codeqlArgs);
            try {
                return JSON.parse(output);
            }
@@ -415,7 +420,7 @@ async function getCodeQLForCmd(cmd, checkVersion) {
            if (extraSearchPath !== undefined) {
                codeqlArgs.push("--additional-packs", extraSearchPath);
            }
-            const output = await runCli(cmd, codeqlArgs);
+            const output = await runTool(cmd, codeqlArgs);
            try {
                return JSON.parse(output);
            }
@@ -428,13 +433,13 @@ async function getCodeQLForCmd(cmd, checkVersion) {
                "resolve",
                "build-environment",
                `--language=${language}`,
-                "--extractor-include-aliases",
+                ...(await getLanguageAliasingArguments(this)),
                ...getExtraOptionsFromEnv(["resolve", "build-environment"]),
            ];
            if (workingDir !== undefined) {
                codeqlArgs.push("--working-dir", workingDir);
            }
-            const output = await runCli(cmd, codeqlArgs);
+            const output = await runTool(cmd, codeqlArgs);
            try {
                return JSON.parse(output);
            }
@@ -458,7 +463,7 @@ async function getCodeQLForCmd(cmd, checkVersion) {
            if (await util.codeQlVersionAtLeast(this, feature_flags_1.CODEQL_VERSION_FINE_GRAINED_PARALLELISM)) {
                codeqlArgs.push("--intra-layer-parallelism");
            }
-            await runCli(cmd, codeqlArgs);
+            await runTool(cmd, codeqlArgs);
        },
        async databaseInterpretResults(databasePath, querySuitePaths, sarifFile, addSnippetsFlag, threadsFlag, verbosityFlag, automationDetailsId, config, features) {
            const shouldExportDiagnostics = await features.getValue(feature_flags_1.Feature.ExportDiagnosticsEnabled, this);
@@ -476,7 +481,6 @@ async function getCodeQLForCmd(cmd, checkVersion) {
                `--sarif-codescanning-config=${getGeneratedCodeScanningConfigPath(config)}`,
                "--sarif-group-rules-by-pack",
                ...(await getCodeScanningQueryHelpArguments(this)),
-                ...(await getJobRunUuidSarifOptions(this)),
                ...getExtraOptionsFromEnv(["database", "interpret-results"]),
            ];
            if (automationDetailsId !== undefined) {
@@ -504,7 +508,7 @@ async function getCodeQLForCmd(cmd, checkVersion) {
            }
            // Capture the stdout, which contains the analysis summary. Don't stream it to the Actions
            // logs to avoid printing it twice.
-            return await runCli(cmd, codeqlArgs, {
+            return await runTool(cmd, codeqlArgs, {
                noStreamStdout: true,
            });
        },
@@ -515,7 +519,7 @@ async function getCodeQLForCmd(cmd, checkVersion) {
                ...getExtraOptionsFromEnv(["database", "print-baseline"]),
                databasePath,
            ];
-            return await runCli(cmd, codeqlArgs);
+            return await runTool(cmd, codeqlArgs);
        },
        /**
         * Download specified packs into the package cache. If the specified
@@ -543,7 +547,7 @@ async function getCodeQLForCmd(cmd, checkVersion) {
                ...getExtraOptionsFromEnv(["pack", "download"]),
                ...packs,
            ];
-            const output = await runCli(cmd, codeqlArgs);
+            const output = await runTool(cmd, codeqlArgs);
            try {
                const parsedOutput = JSON.parse(output);
                if (Array.isArray(parsedOutput.packs) &&
@@ -562,17 +566,14 @@ async function getCodeQLForCmd(cmd, checkVersion) {
            }
        },
        async databaseCleanup(databasePath, cleanupLevel) {
-            const cacheCleanupFlag = (await util.codeQlVersionAtLeast(this, CODEQL_VERSION_CACHE_CLEANUP))
-                ? "--cache-cleanup"
-                : "--mode";
            const codeqlArgs = [
                "database",
                "cleanup",
                databasePath,
-                `${cacheCleanupFlag}=${cleanupLevel}`,
+                `--mode=${cleanupLevel}`,
                ...getExtraOptionsFromEnv(["database", "cleanup"]),
            ];
-            await runCli(cmd, codeqlArgs);
+            await runTool(cmd, codeqlArgs);
        },
        async databaseBundle(databasePath, outputFilePath, databaseName) {
            const args = [
@@ -625,7 +626,7 @@ async function getCodeQLForCmd(cmd, checkVersion) {
                "extractor",
                "--format=json",
                `--language=${language}`,
-                "--extractor-include-aliases",
+                ...(await getLanguageAliasingArguments(this)),
                ...getExtraOptionsFromEnv(["resolve", "extractor"]),
            ], {
                silent: true,
@@ -654,7 +655,7 @@ async function getCodeQLForCmd(cmd, checkVersion) {
            if (mergeRunsFromEqualCategory) {
                args.push("--sarif-merge-runs-from-equal-category");
            }
-            await runCli(cmd, args);
+            await runTool(cmd, args);
        },
    };
    // To ensure that status reports include the CodeQL CLI version wherever
@@ -734,16 +735,48 @@ function getExtraOptions(options, paths, pathInfo) {
        : getExtraOptions(options?.[paths[0]], paths?.slice(1), pathInfo.concat(paths[0]));
    return all.concat(specific);
 }
-async function runCli(cmd, args = [], opts = {}) {
-    try {
-        return await (0, actions_util_1.runTool)(cmd, args, opts);
-    }
-    catch (e) {
-        if (e instanceof actions_util_1.CommandInvocationError) {
-            throw (0, cli_errors_1.wrapCliConfigurationError)(new cli_errors_1.CliError(e));
-        }
-        throw e;
+/*
+ * A constant defining the maximum number of characters we will keep from
+ * the programs stderr for logging. This serves two purposes:
+ * (1) It avoids an OOM if a program fails in a way that results it
+ *     printing many log lines.
+ * (2) It avoids us hitting the limit of how much data we can send in our
+ *     status reports on GitHub.com.
+ */
+const maxErrorSize = 20_000;
+async function runTool(cmd, args = [], opts = {}) {
+    let stdout = "";
+    let stderr = "";
+    process.stdout.write(`[command]${cmd} ${args.join(" ")}\n`);
+    const exitCode = await new toolrunner.ToolRunner(cmd, args, {
+        ignoreReturnCode: true,
+        listeners: {
+            stdout: (data) => {
+                stdout += data.toString("utf8");
+                if (!opts.noStreamStdout) {
+                    process.stdout.write(data);
+                }
+            },
+            stderr: (data) => {
+                let readStartIndex = 0;
+                // If the error is too large, then we only take the last 20,000 characters
+                if (data.length - maxErrorSize > 0) {
+                    // Eg: if we have 20,000 the start index should be 2.
+                    readStartIndex = data.length - maxErrorSize + 1;
+                }
+                stderr += data.toString("utf8", readStartIndex);
+                // Mimic the standard behavior of the toolrunner by writing stderr to stdout
+                process.stdout.write(data);
+            },
+        },
+        silent: true,
+        ...(opts.stdin ? { input: Buffer.from(opts.stdin || "") } : {}),
+    }).exec();
+    if (exitCode !== 0) {
+        const e = new cli_errors_1.CommandInvocationError(cmd, args, exitCode, stderr, stdout);
+        throw (0, cli_errors_1.wrapCliConfigurationError)(e);
    }
+    return stdout;
 }
 /**
 * Generates a code scanning configuration that is to be used for a scan.
@@ -826,6 +859,12 @@ async function getTrapCachingExtractorConfigArgsForLang(config, language) {
 function getGeneratedCodeScanningConfigPath(config) {
    return path.resolve(config.tempDir, "user-config.yaml");
 }
+async function getLanguageAliasingArguments(codeql) {
+    if (await util.codeQlVersionAtLeast(codeql, exports.CODEQL_VERSION_LANGUAGE_ALIASING)) {
+        return ["--extractor-include-aliases"];
+    }
+    return [];
+}
 async function isSublanguageFileCoverageEnabled(config, codeql) {
    return (
    // Sub-language file coverage is first supported in GHES 3.12.
@@ -859,11 +898,4 @@ function applyAutobuildAzurePipelinesTimeoutFix() {
        "-Dmaven.wagon.http.pool=false",
    ].join(" ");
 }
-async function getJobRunUuidSarifOptions(codeql) {
-    const jobRunUuid = process.env[environment_1.EnvVar.JOB_RUN_UUID];
-    return jobRunUuid &&
-        (await codeql.supportsFeature(tools_features_1.ToolsFeature.DatabaseInterpretResultsSupportsSarifRunProperty))
-        ? [`--sarif-run-property=jobRunUuid=${jobRunUuid}`]
-        : [];
-}
 //# sourceMappingURL=codeql.js.map
@@ -60,7 +60,7 @@ async function installIntoToolcache({ apiDetails = testing_utils_1.SAMPLE_DOTCOM
    const url = (0, testing_utils_1.mockBundleDownloadApi)({ apiDetails, isPinned, tagName });
    await codeql.setupCodeQL(cliVersion !== undefined ? undefined : url, apiDetails, tmpDir, util.GitHubVariant.GHES, cliVersion !== undefined
        ? { cliVersion, tagName }
-        : testing_utils_1.SAMPLE_DEFAULT_CLI_VERSION, (0, testing_utils_1.createFeatures)([]), (0, logging_1.getRunnerLogger)(true), false);
+        : testing_utils_1.SAMPLE_DEFAULT_CLI_VERSION, (0, logging_1.getRunnerLogger)(true), false);
 }
 function mockReleaseApi({ apiDetails = testing_utils_1.SAMPLE_DOTCOM_API_DETAILS, assetNames, tagName, }) {
    return (0, nock_1.default)(apiDetails.apiURL)
@@ -97,10 +97,11 @@ function mockApiDetails(apiDetails) {
                tagName: `codeql-bundle-${version}`,
                isPinned: false,
            });
-            const result = await codeql.setupCodeQL(url, testing_utils_1.SAMPLE_DOTCOM_API_DETAILS, tmpDir, util.GitHubVariant.DOTCOM, testing_utils_1.SAMPLE_DEFAULT_CLI_VERSION, (0, testing_utils_1.createFeatures)([]), (0, logging_1.getRunnerLogger)(true), false);
+            const result = await codeql.setupCodeQL(url, testing_utils_1.SAMPLE_DOTCOM_API_DETAILS, tmpDir, util.GitHubVariant.DOTCOM, testing_utils_1.SAMPLE_DEFAULT_CLI_VERSION, (0, logging_1.getRunnerLogger)(true), false);
            t.assert(toolcache.find("CodeQL", `0.0.0-${version}`));
            t.is(result.toolsVersion, `0.0.0-${version}`);
            t.is(result.toolsSource, setup_codeql_1.ToolsSource.Download);
+            t.assert(Number.isInteger(result.toolsDownloadStatusReport?.downloadDurationMs));
        }
        t.is(toolcache.findAllVersions("CodeQL").length, 2);
    });
@@ -109,17 +110,15 @@ function mockApiDetails(apiDetails) {
    await util.withTmpDir(async (tmpDir) => {
        (0, testing_utils_1.setupActionsVars)(tmpDir, tmpDir);
        const url = (0, testing_utils_1.mockBundleDownloadApi)({
-            tagName: `codeql-bundle-v2.15.0`,
+            tagName: `codeql-bundle-v2.14.0`,
            isPinned: false,
        });
-        const result = await codeql.setupCodeQL(url, testing_utils_1.SAMPLE_DOTCOM_API_DETAILS, tmpDir, util.GitHubVariant.DOTCOM, testing_utils_1.SAMPLE_DEFAULT_CLI_VERSION, (0, testing_utils_1.createFeatures)([]), (0, logging_1.getRunnerLogger)(true), false);
+        const result = await codeql.setupCodeQL(url, testing_utils_1.SAMPLE_DOTCOM_API_DETAILS, tmpDir, util.GitHubVariant.DOTCOM, testing_utils_1.SAMPLE_DEFAULT_CLI_VERSION, (0, logging_1.getRunnerLogger)(true), false);
        t.is(toolcache.findAllVersions("CodeQL").length, 1);
-        t.assert(toolcache.find("CodeQL", `2.15.0`));
-        t.is(result.toolsVersion, `2.15.0`);
+        t.assert(toolcache.find("CodeQL", `2.14.0`));
+        t.is(result.toolsVersion, `2.14.0`);
        t.is(result.toolsSource, setup_codeql_1.ToolsSource.Download);
-        if (result.toolsDownloadStatusReport) {
-            assertDurationsInteger(t, result.toolsDownloadStatusReport);
-        }
+        t.assert(Number.isInteger(result.toolsDownloadStatusReport?.downloadDurationMs));
    });
 });
 (0, ava_1.default)("downloads an explicitly requested bundle even if a different version is cached", async (t) => {
@@ -133,13 +132,11 @@ function mockApiDetails(apiDetails) {
        const url = (0, testing_utils_1.mockBundleDownloadApi)({
            tagName: "codeql-bundle-20200610",
        });
-        const result = await codeql.setupCodeQL(url, testing_utils_1.SAMPLE_DOTCOM_API_DETAILS, tmpDir, util.GitHubVariant.DOTCOM, testing_utils_1.SAMPLE_DEFAULT_CLI_VERSION, (0, testing_utils_1.createFeatures)([]), (0, logging_1.getRunnerLogger)(true), false);
+        const result = await codeql.setupCodeQL(url, testing_utils_1.SAMPLE_DOTCOM_API_DETAILS, tmpDir, util.GitHubVariant.DOTCOM, testing_utils_1.SAMPLE_DEFAULT_CLI_VERSION, (0, logging_1.getRunnerLogger)(true), false);
        t.assert(toolcache.find("CodeQL", "0.0.0-20200610"));
        t.deepEqual(result.toolsVersion, "0.0.0-20200610");
        t.is(result.toolsSource, setup_codeql_1.ToolsSource.Download);
-        if (result.toolsDownloadStatusReport) {
-            assertDurationsInteger(t, result.toolsDownloadStatusReport);
-        }
+        t.assert(Number.isInteger(result.toolsDownloadStatusReport?.downloadDurationMs));
    });
 });
 const EXPLICITLY_REQUESTED_BUNDLE_TEST_CASES = [
@@ -161,7 +158,7 @@ for (const { tagName, expectedToolcacheVersion, } of EXPLICITLY_REQUESTED_BUNDLE
            const url = (0, testing_utils_1.mockBundleDownloadApi)({
                tagName,
            });
-            const result = await codeql.setupCodeQL(url, testing_utils_1.SAMPLE_DOTCOM_API_DETAILS, tmpDir, util.GitHubVariant.DOTCOM, testing_utils_1.SAMPLE_DEFAULT_CLI_VERSION, (0, testing_utils_1.createFeatures)([]), (0, logging_1.getRunnerLogger)(true), false);
+            const result = await codeql.setupCodeQL(url, testing_utils_1.SAMPLE_DOTCOM_API_DETAILS, tmpDir, util.GitHubVariant.DOTCOM, testing_utils_1.SAMPLE_DEFAULT_CLI_VERSION, (0, logging_1.getRunnerLogger)(true), false);
            t.assert(toolcache.find("CodeQL", expectedToolcacheVersion));
            t.deepEqual(result.toolsVersion, expectedToolcacheVersion);
            t.is(result.toolsSource, setup_codeql_1.ToolsSource.Download);
@@ -184,12 +181,10 @@ for (const toolcacheVersion of [
                .withArgs("CodeQL", toolcacheVersion)
                .returns("path/to/cached/codeql");
            sinon.stub(toolcache, "findAllVersions").returns([toolcacheVersion]);
-            const result = await codeql.setupCodeQL(undefined, testing_utils_1.SAMPLE_DOTCOM_API_DETAILS, tmpDir, util.GitHubVariant.DOTCOM, testing_utils_1.SAMPLE_DEFAULT_CLI_VERSION, (0, testing_utils_1.createFeatures)([]), (0, logging_1.getRunnerLogger)(true), false);
+            const result = await codeql.setupCodeQL(undefined, testing_utils_1.SAMPLE_DOTCOM_API_DETAILS, tmpDir, util.GitHubVariant.DOTCOM, testing_utils_1.SAMPLE_DEFAULT_CLI_VERSION, (0, logging_1.getRunnerLogger)(true), false);
            t.is(result.toolsVersion, testing_utils_1.SAMPLE_DEFAULT_CLI_VERSION.cliVersion);
            t.is(result.toolsSource, setup_codeql_1.ToolsSource.Toolcache);
-            t.is(result.toolsDownloadStatusReport?.combinedDurationMs, undefined);
            t.is(result.toolsDownloadStatusReport?.downloadDurationMs, undefined);
-            t.is(result.toolsDownloadStatusReport?.extractionDurationMs, undefined);
        });
    });
 }
@@ -204,12 +199,10 @@ for (const toolcacheVersion of [
        const result = await codeql.setupCodeQL(undefined, testing_utils_1.SAMPLE_DOTCOM_API_DETAILS, tmpDir, util.GitHubVariant.GHES, {
            cliVersion: defaults.cliVersion,
            tagName: defaults.bundleVersion,
-        }, (0, testing_utils_1.createFeatures)([]), (0, logging_1.getRunnerLogger)(true), false);
+        }, (0, logging_1.getRunnerLogger)(true), false);
        t.deepEqual(result.toolsVersion, "0.0.0-20200601");
        t.is(result.toolsSource, setup_codeql_1.ToolsSource.Toolcache);
-        t.is(result.toolsDownloadStatusReport?.combinedDurationMs, undefined);
        t.is(result.toolsDownloadStatusReport?.downloadDurationMs, undefined);
-        t.is(result.toolsDownloadStatusReport?.extractionDurationMs, undefined);
        const cachedVersions = toolcache.findAllVersions("CodeQL");
        t.is(cachedVersions.length, 1);
    });
@@ -228,12 +221,10 @@ for (const toolcacheVersion of [
        const result = await codeql.setupCodeQL(undefined, testing_utils_1.SAMPLE_DOTCOM_API_DETAILS, tmpDir, util.GitHubVariant.GHES, {
            cliVersion: defaults.cliVersion,
            tagName: defaults.bundleVersion,
-        }, (0, testing_utils_1.createFeatures)([]), (0, logging_1.getRunnerLogger)(true), false);
+        }, (0, logging_1.getRunnerLogger)(true), false);
        t.deepEqual(result.toolsVersion, defaults.cliVersion);
        t.is(result.toolsSource, setup_codeql_1.ToolsSource.Download);
-        if (result.toolsDownloadStatusReport) {
-            assertDurationsInteger(t, result.toolsDownloadStatusReport);
-        }
+        t.assert(Number.isInteger(result.toolsDownloadStatusReport?.downloadDurationMs));
        const cachedVersions = toolcache.findAllVersions("CodeQL");
        t.is(cachedVersions.length, 2);
    });
@@ -249,12 +240,10 @@ for (const toolcacheVersion of [
        (0, testing_utils_1.mockBundleDownloadApi)({
            tagName: defaults.bundleVersion,
        });
-        const result = await codeql.setupCodeQL("latest", testing_utils_1.SAMPLE_DOTCOM_API_DETAILS, tmpDir, util.GitHubVariant.DOTCOM, testing_utils_1.SAMPLE_DEFAULT_CLI_VERSION, (0, testing_utils_1.createFeatures)([]), (0, logging_1.getRunnerLogger)(true), false);
+        const result = await codeql.setupCodeQL("latest", testing_utils_1.SAMPLE_DOTCOM_API_DETAILS, tmpDir, util.GitHubVariant.DOTCOM, testing_utils_1.SAMPLE_DEFAULT_CLI_VERSION, (0, logging_1.getRunnerLogger)(true), false);
        t.deepEqual(result.toolsVersion, defaults.cliVersion);
        t.is(result.toolsSource, setup_codeql_1.ToolsSource.Download);
-        if (result.toolsDownloadStatusReport) {
-            assertDurationsInteger(t, result.toolsDownloadStatusReport);
-        }
+        t.assert(Number.isInteger(result.toolsDownloadStatusReport?.downloadDurationMs));
        const cachedVersions = toolcache.findAllVersions("CodeQL");
        t.is(cachedVersions.length, 2);
    });
@@ -265,7 +254,7 @@ for (const toolcacheVersion of [
        mockApiDetails(testing_utils_1.SAMPLE_DOTCOM_API_DETAILS);
        sinon.stub(actionsUtil, "isRunningLocalAction").returns(true);
        const releasesApiMock = mockReleaseApi({
-            assetNames: ["cli-version-2.14.6.txt"],
+            assetNames: ["cli-version-2.13.5.txt"],
            tagName: "codeql-bundle-20230203",
        });
        (0, testing_utils_1.mockBundleDownloadApi)({
@@ -273,25 +262,16 @@ for (const toolcacheVersion of [
            platformSpecific: false,
            tagName: "codeql-bundle-20230203",
        });
-        const result = await codeql.setupCodeQL("https://github.com/codeql-testing/codeql-cli-nightlies/releases/download/codeql-bundle-20230203/codeql-bundle.tar.gz", testing_utils_1.SAMPLE_DOTCOM_API_DETAILS, tmpDir, util.GitHubVariant.DOTCOM, testing_utils_1.SAMPLE_DEFAULT_CLI_VERSION, (0, testing_utils_1.createFeatures)([]), (0, logging_1.getRunnerLogger)(true), false);
+        const result = await codeql.setupCodeQL("https://github.com/codeql-testing/codeql-cli-nightlies/releases/download/codeql-bundle-20230203/codeql-bundle.tar.gz", testing_utils_1.SAMPLE_DOTCOM_API_DETAILS, tmpDir, util.GitHubVariant.DOTCOM, testing_utils_1.SAMPLE_DEFAULT_CLI_VERSION, (0, logging_1.getRunnerLogger)(true), false);
        t.is(result.toolsVersion, "0.0.0-20230203");
        t.is(result.toolsSource, setup_codeql_1.ToolsSource.Download);
-        if (result.toolsDownloadStatusReport) {
-            assertDurationsInteger(t, result.toolsDownloadStatusReport);
-        }
+        t.true(Number.isInteger(result.toolsDownloadStatusReport?.downloadDurationMs));
        const cachedVersions = toolcache.findAllVersions("CodeQL");
        t.is(cachedVersions.length, 1);
        t.is(cachedVersions[0], "0.0.0-20230203");
        t.false(releasesApiMock.isDone());
    });
 });
-function assertDurationsInteger(t, statusReport) {
-    t.assert(Number.isInteger(statusReport?.combinedDurationMs));
-    if (statusReport.downloadDurationMs !== undefined) {
-        t.assert(Number.isInteger(statusReport?.downloadDurationMs));
-        t.assert(Number.isInteger(statusReport?.extractionDurationMs));
-    }
-}
 (0, ava_1.default)("getExtraOptions works for explicit paths", (t) => {
    t.deepEqual(codeql.getExtraOptions({}, ["foo"], []), []);
    t.deepEqual(codeql.getExtraOptions({ foo: [42] }, ["foo"], []), ["42"]);
@@ -611,7 +591,7 @@ for (const { codeqlVersion, flagPassed, githubVersion, negativeFlagPassed, } of
    // safeWhich throws because of the test CodeQL object.
    sinon.stub(safeWhich, "safeWhich").resolves("");
    await t.throwsAsync(async () => await codeqlObject.databaseRunQueries(stubConfig.dbLocation, []), {
-        instanceOf: cli_errors_1.CliError,
+        instanceOf: cli_errors_1.CommandInvocationError,
        message: `Encountered a fatal error while running "codeql-for-testing database run-queries  --expect-discarded-cache --min-disk-free=1024 -v --intra-layer-parallelism". Exit code was 1 and error was: Oops! A fatal internal error occurred. Details:
    com.semmle.util.exception.CatastrophicError: An error occurred while evaluating ControlFlowGraph::ControlFlow::Root.isRootOf/1#dispred#f610e6ed/2@86282cc8
    Severe disk cache trouble (corruption or out of space) at /home/runner/work/_temp/codeql_databases/go/db-go/default/cache/pages/28/33.pack: Failed to write item to disk. See the logs for more details.`,
@@ -34,6 +34,7 @@ exports.getNoLanguagesError = getNoLanguagesError;
 exports.getUnknownLanguagesError = getUnknownLanguagesError;
 exports.getLanguagesInRepo = getLanguagesInRepo;
 exports.getLanguages = getLanguages;
+exports.getLanguageAliases = getLanguageAliases;
 exports.getRawLanguages = getRawLanguages;
 exports.getDefaultConfig = getDefaultConfig;
 exports.calculateAugmentation = calculateAugmentation;
@@ -53,6 +54,7 @@ const perf_hooks_1 = require("perf_hooks");
 const yaml = __importStar(require("js-yaml"));
 const semver = __importStar(require("semver"));
 const api = __importStar(require("./api-client"));
+const codeql_1 = require("./codeql");
 const feature_flags_1 = require("./feature-flags");
 const languages_1 = require("./languages");
 const trap_caching_1 = require("./trap-caching");
@@ -153,7 +155,7 @@ async function getLanguages(codeQL, languagesInput, repository, logger) {
        logger.info(`Automatically detected languages: ${languages.join(", ")}`);
    }
    else {
-        const aliases = (await codeQL.betterResolveLanguages()).aliases;
+        const aliases = await getLanguageAliases(codeQL);
        if (aliases) {
            languages = languages.map((lang) => aliases[lang] || lang);
        }
@@ -183,6 +185,16 @@ async function getLanguages(codeQL, languagesInput, repository, logger) {
    }
    return parsedLanguages;
 }
+/**
+ * Gets the set of languages supported by CodeQL, along with their aliases if supported by the
+ * version of the CLI.
+ */
+async function getLanguageAliases(codeql) {
+    if (await (0, util_1.codeQlVersionAtLeast)(codeql, codeql_1.CODEQL_VERSION_LANGUAGE_ALIASING)) {
+        return (await codeql.betterResolveLanguages()).aliases;
+    }
+    return undefined;
+}
 /**
 * Gets the set of languages in the current repository without checking to
 * see if these languages are actually supported by CodeQL.
@@ -26,158 +26,25 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
    return (mod && mod.__esModule) ? mod : { "default": mod };
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.sanitizeArtifactName = sanitizeArtifactName;
-exports.uploadCombinedSarifArtifacts = uploadCombinedSarifArtifacts;
-exports.tryUploadAllAvailableDebugArtifacts = tryUploadAllAvailableDebugArtifacts;
+exports.sanitizeArifactName = sanitizeArifactName;
 exports.uploadDebugArtifacts = uploadDebugArtifacts;
-exports.getArtifactUploaderClient = getArtifactUploaderClient;
+exports.uploadSarifDebugArtifact = uploadSarifDebugArtifact;
+exports.uploadLogsDebugArtifact = uploadLogsDebugArtifact;
+exports.uploadDatabaseBundleDebugArtifact = uploadDatabaseBundleDebugArtifact;
 const fs = __importStar(require("fs"));
 const path = __importStar(require("path"));
 const artifact = __importStar(require("@actions/artifact"));
-const artifactLegacy = __importStar(require("@actions/artifact-legacy"));
 const core = __importStar(require("@actions/core"));
 const adm_zip_1 = __importDefault(require("adm-zip"));
 const del_1 = __importDefault(require("del"));
 const actions_util_1 = require("./actions-util");
 const analyze_1 = require("./analyze");
 const codeql_1 = require("./codeql");
-const environment_1 = require("./environment");
-const feature_flags_1 = require("./feature-flags");
-const logging_1 = require("./logging");
 const util_1 = require("./util");
-function sanitizeArtifactName(name) {
+function sanitizeArifactName(name) {
    return name.replace(/[^a-zA-Z0-9_\\-]+/g, "");
 }
-/**
- * Upload Actions SARIF artifacts for debugging when CODEQL_ACTION_DEBUG_COMBINED_SARIF
- * environment variable is set
- */
-async function uploadCombinedSarifArtifacts(logger, gitHubVariant, features) {
-    const tempDir = (0, actions_util_1.getTemporaryDirectory)();
-    // Upload Actions SARIF artifacts for debugging when environment variable is set
-    if (process.env["CODEQL_ACTION_DEBUG_COMBINED_SARIF"] === "true") {
-        logger.info("Uploading available combined SARIF files as Actions debugging artifact...");
-        const baseTempDir = path.resolve(tempDir, "combined-sarif");
-        const toUpload = [];
-        if (fs.existsSync(baseTempDir)) {
-            const outputDirs = fs.readdirSync(baseTempDir);
-            for (const outputDir of outputDirs) {
-                const sarifFiles = fs
-                    .readdirSync(path.resolve(baseTempDir, outputDir))
-                    .filter((f) => f.endsWith(".sarif"));
-                for (const sarifFile of sarifFiles) {
-                    toUpload.push(path.resolve(baseTempDir, outputDir, sarifFile));
-                }
-            }
-        }
-        try {
-            await uploadDebugArtifacts(logger, toUpload, baseTempDir, "combined-sarif-artifacts", gitHubVariant, features);
-        }
-        catch (e) {
-            logger.warning(`Failed to upload combined SARIF files as Actions debugging artifact. Reason: ${(0, util_1.getErrorMessage)(e)}`);
-        }
-    }
-}
-/**
- * Try to prepare a SARIF result debug artifact for the given language.
- *
- * @return The path to that debug artifact, or undefined if an error occurs.
- */
-function tryPrepareSarifDebugArtifact(config, language, logger) {
-    try {
-        const analyzeActionOutputDir = process.env[environment_1.EnvVar.SARIF_RESULTS_OUTPUT_DIR];
-        if (analyzeActionOutputDir !== undefined &&
-            fs.existsSync(analyzeActionOutputDir) &&
-            fs.lstatSync(analyzeActionOutputDir).isDirectory()) {
-            const sarifFile = path.resolve(analyzeActionOutputDir, `${language}.sarif`);
-            // Move SARIF to DB location so that they can be uploaded with the same root directory as the other artifacts.
-            if (fs.existsSync(sarifFile)) {
-                const sarifInDbLocation = path.resolve(config.dbLocation, `${language}.sarif`);
-                fs.copyFileSync(sarifFile, sarifInDbLocation);
-                return sarifInDbLocation;
-            }
-        }
-    }
-    catch (e) {
-        logger.warning(`Failed to find SARIF results path for ${language}. Reason: ${(0, util_1.getErrorMessage)(e)}`);
-    }
-    return undefined;
-}
-/**
- * Try to bundle the database for the given language.
- *
- * @return The path to the database bundle, or undefined if an error occurs.
- */
-async function tryBundleDatabase(config, language, logger) {
-    try {
-        if ((0, analyze_1.dbIsFinalized)(config, language, logger)) {
-            try {
-                return await createDatabaseBundleCli(config, language);
-            }
-            catch (e) {
-                logger.warning(`Failed to bundle database for ${language} using the CLI. ` +
-                    `Falling back to a partial bundle. Reason: ${(0, util_1.getErrorMessage)(e)}`);
-            }
-        }
-        return await createPartialDatabaseBundle(config, language);
-    }
-    catch (e) {
-        logger.warning(`Failed to bundle database for ${language}. Reason: ${(0, util_1.getErrorMessage)(e)}`);
-        return undefined;
-    }
-}
-/**
- * Attempt to upload all available debug artifacts.
- *
- * Logs and suppresses any errors that occur.
- */
-async function tryUploadAllAvailableDebugArtifacts(config, logger, features) {
-    const filesToUpload = [];
-    try {
-        for (const language of config.languages) {
-            await (0, logging_1.withGroup)(`Uploading debug artifacts for ${language}`, async () => {
-                logger.info("Preparing SARIF result debug artifact...");
-                const sarifResultDebugArtifact = tryPrepareSarifDebugArtifact(config, language, logger);
-                if (sarifResultDebugArtifact) {
-                    filesToUpload.push(sarifResultDebugArtifact);
-                    logger.info("SARIF result debug artifact ready for upload.");
-                }
-                logger.info("Preparing database logs debug artifact...");
-                const databaseDirectory = (0, util_1.getCodeQLDatabasePath)(config, language);
-                const logsDirectory = path.resolve(databaseDirectory, "log");
-                if ((0, util_1.doesDirectoryExist)(logsDirectory)) {
-                    filesToUpload.push(...(0, util_1.listFolder)(logsDirectory));
-                    logger.info("Database logs debug artifact ready for upload.");
-                }
-                // Multilanguage tracing: there are additional logs in the root of the cluster
-                logger.info("Preparing database cluster logs debug artifact...");
-                const multiLanguageTracingLogsDirectory = path.resolve(config.dbLocation, "log");
-                if ((0, util_1.doesDirectoryExist)(multiLanguageTracingLogsDirectory)) {
-                    filesToUpload.push(...(0, util_1.listFolder)(multiLanguageTracingLogsDirectory));
-                    logger.info("Database cluster logs debug artifact ready for upload.");
-                }
-                // Add database bundle
-                logger.info("Preparing database bundle debug artifact...");
-                const databaseBundle = await tryBundleDatabase(config, language, logger);
-                if (databaseBundle) {
-                    filesToUpload.push(databaseBundle);
-                    logger.info("Database bundle debug artifact ready for upload.");
-                }
-            });
-        }
-    }
-    catch (e) {
-        logger.warning(`Failed to prepare debug artifacts. Reason: ${(0, util_1.getErrorMessage)(e)}`);
-        return;
-    }
-    try {
-        await (0, logging_1.withGroup)("Uploading debug artifacts", async () => uploadDebugArtifacts(logger, filesToUpload, config.dbLocation, config.debugArtifactName, config.gitHubVersion.type, features));
-    }
-    catch (e) {
-        logger.warning(`Failed to upload debug artifacts. Reason: ${(0, util_1.getErrorMessage)(e)}`);
-    }
-}
-async function uploadDebugArtifacts(logger, toUpload, rootDir, artifactName, ghVariant, features) {
+async function uploadDebugArtifacts(toUpload, rootDir, artifactName) {
    if (toUpload.length === 0) {
        return;
    }
@@ -192,9 +59,9 @@ async function uploadDebugArtifacts(logger, toUpload, rootDir, artifactName, ghV
            core.info("Could not parse user-specified `matrix` input into JSON. The debug artifact will not be named with the user's `matrix` input.");
        }
    }
-    const artifactUploader = await getArtifactUploaderClient(logger, ghVariant, features);
    try {
-        await artifactUploader.uploadArtifact(sanitizeArtifactName(`${artifactName}${suffix}`), toUpload.map((file) => path.normalize(file)), path.normalize(rootDir), {
+        await artifact.create().uploadArtifact(sanitizeArifactName(`${artifactName}${suffix}`), toUpload.map((file) => path.normalize(file)), path.normalize(rootDir), {
+            continueOnError: true,
            // ensure we don't keep the debug artifacts around for too long since they can be large.
            retentionDays: 7,
        });
@@ -204,23 +71,34 @@ async function uploadDebugArtifacts(logger, toUpload, rootDir, artifactName, ghV
        core.warning(`Failed to upload debug artifacts: ${e}`);
    }
 }
-// `@actions/artifact@v2` is not yet supported on GHES so the legacy version of the client will be used on GHES
-// until it is supported. We also use the legacy version of the client if the feature flag is disabled.
-// The feature flag is named `ArtifactV4Upgrade` to reduce customer confusion; customers are primarily affected by
-// `actions/download-artifact`, whose upgrade to v4 must be accompanied by the `@actions/artifact@v2` upgrade.
-async function getArtifactUploaderClient(logger, ghVariant, features) {
-    if (ghVariant === util_1.GitHubVariant.GHES) {
-        logger.info("Debug artifacts can be consumed with `actions/download-artifact@v3` because the `v4` version is not yet compatible on GHES.");
-        return artifactLegacy.create();
+async function uploadSarifDebugArtifact(config, outputDir) {
+    if (!(0, util_1.doesDirectoryExist)(outputDir)) {
+        return;
    }
-    else if (!(await features.getValue(feature_flags_1.Feature.ArtifactV4Upgrade))) {
-        logger.info("Debug artifacts can be consumed with `actions/download-artifact@v3`. To use the `actions/download-artifact@v4`, set the `CODEQL_ACTION_ARTIFACT_V4_UPGRADE` environment variable to true.");
-        return artifactLegacy.create();
+    let toUpload = [];
+    for (const lang of config.languages) {
+        const sarifFile = path.resolve(outputDir, `${lang}.sarif`);
+        if (fs.existsSync(sarifFile)) {
+            toUpload = toUpload.concat(sarifFile);
+        }
    }
-    else {
-        logger.info("Debug artifacts can be consumed with `actions/download-artifact@v4`.");
-        return new artifact.DefaultArtifactClient();
+    await uploadDebugArtifacts(toUpload, outputDir, config.debugArtifactName);
+}
+async function uploadLogsDebugArtifact(config) {
+    let toUpload = [];
+    for (const language of config.languages) {
+        const databaseDirectory = (0, util_1.getCodeQLDatabasePath)(config, language);
+        const logsDirectory = path.resolve(databaseDirectory, "log");
+        if ((0, util_1.doesDirectoryExist)(logsDirectory)) {
+            toUpload = toUpload.concat((0, util_1.listFolder)(logsDirectory));
+        }
    }
+    // Multilanguage tracing: there are additional logs in the root of the cluster
+    const multiLanguageTracingLogsDirectory = path.resolve(config.dbLocation, "log");
+    if ((0, util_1.doesDirectoryExist)(multiLanguageTracingLogsDirectory)) {
+        toUpload = toUpload.concat((0, util_1.listFolder)(multiLanguageTracingLogsDirectory));
+    }
+    await uploadDebugArtifacts(toUpload, config.dbLocation, config.debugArtifactName);
 }
 /**
 * If a database has not been finalized, we cannot run the `codeql database bundle`
@@ -244,7 +122,25 @@ async function createPartialDatabaseBundle(config, language) {
 * Runs `codeql database bundle` command and returns the path.
 */
 async function createDatabaseBundleCli(config, language) {
+    // Otherwise run `codeql database bundle` command.
    const databaseBundlePath = await (0, util_1.bundleDb)(config, language, await (0, codeql_1.getCodeQL)(config.codeQLCmd), `${config.debugDatabaseName}-${language}`);
    return databaseBundlePath;
 }
+async function uploadDatabaseBundleDebugArtifact(config, logger) {
+    for (const language of config.languages) {
+        try {
+            let databaseBundlePath;
+            if (!(0, analyze_1.dbIsFinalized)(config, language, logger)) {
+                databaseBundlePath = await createPartialDatabaseBundle(config, language);
+            }
+            else {
+                databaseBundlePath = await createDatabaseBundleCli(config, language);
+            }
+            await uploadDebugArtifacts([databaseBundlePath], config.dbLocation, config.debugArtifactName);
+        }
+        catch (error) {
+            core.info(`Failed to upload database debug bundle for ${config.debugDatabaseName}-${language}: ${error}`);
+        }
+    }
+}
 //# sourceMappingURL=debug-artifacts.js.map
@@ -28,20 +28,14 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
 Object.defineProperty(exports, "__esModule", { value: true });
 const ava_1 = __importDefault(require("ava"));
 const debugArtifacts = __importStar(require("./debug-artifacts"));
-const feature_flags_1 = require("./feature-flags");
-const logging_1 = require("./logging");
-const testing_utils_1 = require("./testing-utils");
-const util_1 = require("./util");
-(0, ava_1.default)("sanitizeArtifactName", (t) => {
-    t.deepEqual(debugArtifacts.sanitizeArtifactName("hello-world_"), "hello-world_");
-    t.deepEqual(debugArtifacts.sanitizeArtifactName("hello`world`"), "helloworld");
-    t.deepEqual(debugArtifacts.sanitizeArtifactName("hello===123"), "hello123");
-    t.deepEqual(debugArtifacts.sanitizeArtifactName("*m)a&n^y%i££n+v!a:l[i]d"), "manyinvalid");
+(0, ava_1.default)("sanitizeArifactName", (t) => {
+    t.deepEqual(debugArtifacts.sanitizeArifactName("hello-world_"), "hello-world_");
+    t.deepEqual(debugArtifacts.sanitizeArifactName("hello`world`"), "helloworld");
+    t.deepEqual(debugArtifacts.sanitizeArifactName("hello===123"), "hello123");
+    t.deepEqual(debugArtifacts.sanitizeArifactName("*m)a&n^y%i££n+v!a:l[i]d"), "manyinvalid");
 });
 (0, ava_1.default)("uploadDebugArtifacts", async (t) => {
    // Test that no error is thrown if artifacts list is empty.
-    const logger = (0, logging_1.getActionsLogger)();
-    const mockFeature = (0, testing_utils_1.createFeatures)([feature_flags_1.Feature.ArtifactV4Upgrade]);
-    await t.notThrowsAsync(debugArtifacts.uploadDebugArtifacts(logger, [], "rootDir", "artifactName", util_1.GitHubVariant.DOTCOM, mockFeature));
+    await t.notThrowsAsync(debugArtifacts.uploadDebugArtifacts([], "rootDir", "artifactName"));
 });
 //# sourceMappingURL=debug-artifacts.test.js.map
@@ -1 +1 @@
-{"version":3,"file":"debug-artifacts.test.js","sourceRoot":"","sources":["../src/debug-artifacts.test.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA,8CAAuB;AAEvB,kEAAoD;AACpD,mDAA0C;AAC1C,uCAA6C;AAC7C,mDAAiD;AACjD,iCAAuC;AAEvC,IAAA,aAAI,EAAC,sBAAsB,EAAE,CAAC,CAAC,EAAE,EAAE;IACjC,CAAC,CAAC,SAAS,CACT,cAAc,CAAC,oBAAoB,CAAC,cAAc,CAAC,EACnD,cAAc,CACf,CAAC;IACF,CAAC,CAAC,SAAS,CACT,cAAc,CAAC,oBAAoB,CAAC,cAAc,CAAC,EACnD,YAAY,CACb,CAAC;IACF,CAAC,CAAC,SAAS,CAAC,cAAc,CAAC,oBAAoB,CAAC,aAAa,CAAC,EAAE,UAAU,CAAC,CAAC;IAC5E,CAAC,CAAC,SAAS,CACT,cAAc,CAAC,oBAAoB,CAAC,yBAAyB,CAAC,EAC9D,aAAa,CACd,CAAC;AACJ,CAAC,CAAC,CAAC;AAEH,IAAA,aAAI,EAAC,sBAAsB,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;IACvC,2DAA2D;IAC3D,MAAM,MAAM,GAAG,IAAA,0BAAgB,GAAE,CAAC;IAClC,MAAM,WAAW,GAAG,IAAA,8BAAc,EAAC,CAAC,uBAAO,CAAC,iBAAiB,CAAC,CAAC,CAAC;IAChE,MAAM,CAAC,CAAC,cAAc,CACpB,cAAc,CAAC,oBAAoB,CACjC,MAAM,EACN,EAAE,EACF,SAAS,EACT,cAAc,EACd,oBAAa,CAAC,MAAM,EACpB,WAAW,CACZ,CACF,CAAC;AACJ,CAAC,CAAC,CAAC"}
+{"version":3,"file":"debug-artifacts.test.js","sourceRoot":"","sources":["../src/debug-artifacts.test.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA,8CAAuB;AAEvB,kEAAoD;AAEpD,IAAA,aAAI,EAAC,qBAAqB,EAAE,CAAC,CAAC,EAAE,EAAE;IAChC,CAAC,CAAC,SAAS,CACT,cAAc,CAAC,mBAAmB,CAAC,cAAc,CAAC,EAClD,cAAc,CACf,CAAC;IACF,CAAC,CAAC,SAAS,CAAC,cAAc,CAAC,mBAAmB,CAAC,cAAc,CAAC,EAAE,YAAY,CAAC,CAAC;IAC9E,CAAC,CAAC,SAAS,CAAC,cAAc,CAAC,mBAAmB,CAAC,aAAa,CAAC,EAAE,UAAU,CAAC,CAAC;IAC3E,CAAC,CAAC,SAAS,CACT,cAAc,CAAC,mBAAmB,CAAC,yBAAyB,CAAC,EAC7D,aAAa,CACd,CAAC;AACJ,CAAC,CAAC,CAAC;AAEH,IAAA,aAAI,EAAC,sBAAsB,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;IACvC,2DAA2D;IAC3D,MAAM,CAAC,CAAC,cAAc,CACpB,cAAc,CAAC,oBAAoB,CAAC,EAAE,EAAE,SAAS,EAAE,cAAc,CAAC,CACnE,CAAC;AACJ,CAAC,CAAC,CAAC"}
@@ -1,6 +1,6 @@
 {
-    "bundleVersion": "codeql-bundle-v2.19.1",
-    "cliVersion": "2.19.1",
-    "priorBundleVersion": "codeql-bundle-v2.19.0",
-    "priorCliVersion": "2.19.0"
+    "bundleVersion": "codeql-bundle-v2.18.2",
+    "cliVersion": "2.18.2",
+    "priorBundleVersion": "codeql-bundle-v2.18.1",
+    "priorCliVersion": "2.18.1"
 }
@@ -67,9 +67,7 @@ function writeDiagnostic(config, language, diagnostic) {
    try {
        // Create the directory if it doesn't exist yet.
        (0, fs_1.mkdirSync)(diagnosticsPath, { recursive: true });
-        const jsonPath = path_1.default.resolve(diagnosticsPath, 
-        // Remove colons from the timestamp as these are not allowed in Windows filenames.
-        `codeql-action-${diagnostic.timestamp.replaceAll(":", "")}.json`);
+        const jsonPath = path_1.default.resolve(diagnosticsPath, `codeql-action-${diagnostic.timestamp}.json`);
        (0, fs_1.writeFileSync)(jsonPath, JSON.stringify(diagnostic));
    }
    catch (err) {
--- a/Show More
+++ b/Show More
				`@@ -0,0 +1 @@`
				{"version":3,"file":"analyze-action-post-helper.js","sourceRoot":"","sources":["../src/analyze-action-post-helper.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;AAMA,kBAuBC;AA7BD,oDAAsC;AAEtC,4DAA8C;AAC9C,iDAAmD;AACnD,uCAA6C;AAEtC,KAAK,UAAU,GAAG,CACvB,wBAGkB;IAElB,MAAM,MAAM,GAAG,IAAA,0BAAgB,GAAE,CAAC;IAElC,MAAM,MAAM,GAAG,MAAM,IAAA,wBAAS,EAAC,WAAW,CAAC,qBAAqB,EAAE,EAAE,MAAM,CAAC,CAAC;IAC5E,IAAI,MAAM,KAAK,SAAS,EAAE,CAAC;QACzB,MAAM,IAAI,KAAK,CACb,2FAA2F,CAC5F,CAAC;IACJ,CAAC;IAED,+CAA+C;IAC/C,IAAI,MAAM,EAAE,SAAS,EAAE,CAAC;QACtB,IAAI,CAAC,IAAI,CACP,oFAAoF,CACrF,CAAC;QACF,MAAM,SAAS,GAAG,WAAW,CAAC,gBAAgB,CAAC,QAAQ,CAAC,CAAC;QACzD,MAAM,wBAAwB,CAAC,MAAM,EAAE,SAAS,CAAC,CAAC;IACpD,CAAC;AACH,CAAC"}