Remove RegExp.escape call

Build: Generate shared entrypoint
Reduces tarred repo size from 8.5 MB to 2.2 MB
2026-05-30 10:24:41 +00:00 · 2026-05-14 16:33:36 +01:00 · 2026-05-14 16:29:39 +01:00 · 2026-05-14 14:09:36 +00:00 · 2026-05-14 14:47:33 +01:00 · 2026-05-14 14:47:13 +01:00
57 changed files with 164456 additions and 1176316 deletions
@@ -59,7 +59,7 @@ jobs:
          use-all-platform-bundle: 'false'
          setup-kotlin: 'true'
      - name: Set up Ruby
-        uses: ruby/setup-ruby@0cb964fd540e0a24c900370abf38a33466142735 # v1.305.0
+        uses: ruby/setup-ruby@c4e5b1316158f92e3d49443a9d58b31d25ac0f8f # v1.306.0
        with:
          ruby-version: 2.6
      - name: Install Code Scanning integration
@@ -131,7 +131,7 @@ jobs:
          echo "::endgroup::"
      - name: Generate token
-        uses: actions/create-github-app-token@v3.1.1
+        uses: actions/create-github-app-token@v3.2.0
        id: app-token
        with:
          app-id: ${{ vars.AUTOMATION_APP_ID }}
@@ -136,7 +136,7 @@ jobs:
      - name: Generate token
        if: github.event_name == 'workflow_dispatch'
-        uses: actions/create-github-app-token@v3.1.1
+        uses: actions/create-github-app-token@v3.2.0
        id: app-token
        with:
          app-id: ${{ vars.AUTOMATION_APP_ID }}
@@ -93,7 +93,7 @@ jobs:
      pull-requests: write # needed to create pull request
    steps:
    - name: Generate token
-      uses: actions/create-github-app-token@v3.1.1
+      uses: actions/create-github-app-token@v3.2.0
      id: app-token
      with:
        app-id: ${{ vars.AUTOMATION_APP_ID }}
@@ -19,7 +19,7 @@
    "scope": "javascript, typescript",
    "prefix": "testMacro",
    "body": [
-      "const ${1:nameMacro} = test.macro({",
+      "const ${1:nameMacro} = makeMacro({",
      "  exec: async (t: ExecutionContext<unknown>) => {},",
      "",
      "  title: (providedTitle = \"\") => `${2:common title} - \\${providedTitle}`,",
@@ -4,7 +4,12 @@ See the [releases page](https://github.com/github/codeql-action/releases) for th
 ## [UNRELEASED]
-No user facing changes.
+- If multiple inputs are provided for the GitHub-internal `analysis-kinds` input, only `code-scanning` will be enabled. The `analysis-kinds` input is experimental, for GitHub-internal use only, and may change without notice at any time. [#3892](https://github.com/github/codeql-action/pull/3892)
 - Added an experimental change which, when running a Code Scanning analysis for a PR with [improved incremental analysis](https://github.com/github/roadmap/issues/1158) enabled, prefers CodeQL CLI versions that have a cached overlay-base database for the configured languages. This speeds up analysis for a repository when there is not yet a cached overlay-base database for the latest CLI version. We expect to roll this change out to everyone in May. [#3880](https://github.com/github/codeql-action/pull/3880)
 ## 4.35.4 - 07 May 2026
 - Update default CodeQL bundle version to [2.25.4](https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.25.4). [#3881](https://github.com/github/codeql-action/pull/3881)
 ## 4.35.3 - 01 May 2026
@@ -1,5 +1,5 @@
 import { copyFile, rm, writeFile } from "node:fs/promises";
-import { dirname, join } from "node:path";
+import { basename, dirname, join } from "node:path";
 import { fileURLToPath } from "node:url";
 import * as esbuild from "esbuild";
@@ -13,6 +13,72 @@ const __dirname = dirname(__filename);
 const SRC_DIR = join(__dirname, "src");
 const OUT_DIR = join(__dirname, "lib");
 /**
 * Name of the shared entrypoint file that imports each Action's code. By introducing a single
 * entrypoint for all the Actions, we avoid duplicating code across each Action's bundle.
 */
 const SHARED_ENTRYPOINT = "actions-entrypoint";
 /** The names of all the Action entry points (as referenced by `action.yml`s). */
 function findActionNames() {
  return globSync([
    `${SRC_DIR}/*-action.ts`,
    `${SRC_DIR}/*-action-post.ts`,
  ])
    .map((p) => basename(p, ".ts"))
    .sort();
 }
 const ACTION_NAMES = findActionNames();
 /**
 * Generate the source for the shared entry point. The generated module dispatches at runtime to the
 * Action selected by `CODEQL_ACTION_ENTRYPOINT`, using `require()` to incorporate each Action's
 * code without executing the top-level side effects.
 */
 function generateEntrypointTypescriptSource() {
  const cases = ACTION_NAMES
    .map(
      (name) =>
        `  case ${JSON.stringify(name)}:\n    require("./${name}");\n    break;`,
    )
    .join("\n");
  return `const entrypoint = process.env.CODEQL_ACTION_ENTRYPOINT;
 switch (entrypoint) {
 ${cases}
  default:
    throw new Error(
      \`Unknown CodeQL Action entrypoint: \${JSON.stringify(entrypoint)}. \` +
        "This file is intended to be invoked via the generated stubs in lib/.",
    );
 }
 `;
 }
 /**
 * Resolve the virtual shared entry point and provide its generated source to esbuild without
 * writing it to disk.
 *
 * @type {esbuild.Plugin}
 */
 const virtualEntrypointPlugin = {
  name: "virtual-actions-entrypoint",
  setup(build) {
    const namespace = "actions-entrypoint";
    // Ideally, we'd `RegExp.escape` the entrypoint here, but that API isn't supported in Node 20. Since we're dealing with a hardcoded string, this isn't too much of a problem.
    build.onResolve({ filter: new RegExp(`^${SHARED_ENTRYPOINT}$`) }, () => ({
      path: SHARED_ENTRYPOINT,
      namespace,
    }));
    // Restrict using the namespace. The path filter does not need to discriminate any further.
    build.onLoad({ filter: /.*/, namespace }, () => ({
      contents: generateEntrypointTypescriptSource(),
      resolveDir: SRC_DIR,
      loader: "ts",
    }));
  },
 };
 /**
 * Clean the output directory before building.
 *
@@ -62,18 +128,48 @@ const onEndPlugin = {
  },
 };
 /**
 * Emit a tiny stub file for each Action entrypoint. Each stub sets an environment variable
 * identifying which action was invoked and then `require()`s the shared bundle, which dispatches to
 * the correct Action's code.
 *
 * @type {esbuild.Plugin}
 */
 const emitActionStubsPlugin = {
  name: "emit-action-stubs",
  setup(build) {
    build.onEnd(async () => {
      await Promise.all(
        ACTION_NAMES.map(async (name) => {
          const stub =
            `"use strict";\n` +
            `process.env.CODEQL_ACTION_ENTRYPOINT = ${JSON.stringify(name)};\n` +
            `require("./${SHARED_ENTRYPOINT}.js");\n`;
          await writeFile(join(OUT_DIR, `${name}.js`), stub);
        }),
      );
    });
  },
 };
 const context = await esbuild.context({
-  // Include upload-lib.ts as an entry point for use in testing environments.
+  // Bundle every action together via the shared entry point. We also keep
-  entryPoints: globSync([
+  // `upload-lib.ts` as a separate entry point for use in testing environments.
-    `${SRC_DIR}/*-action.ts`,
+  entryPoints: [
-    `${SRC_DIR}/*-action-post.ts`,
+    { in: SHARED_ENTRYPOINT, out: SHARED_ENTRYPOINT },
-    "src/upload-lib.ts",
+    join(SRC_DIR, "upload-lib.ts"),
-  ]),
+  ],
  bundle: true,
  format: "cjs",
  outdir: OUT_DIR,
  platform: "node",
-  plugins: [cleanPlugin, copyDefaultsPlugin, onEndPlugin],
+  plugins: [
    cleanPlugin,
    copyDefaultsPlugin,
    virtualEntrypointPlugin,
    emitActionStubsPlugin,
    onEndPlugin,
  ],
  target: ["node20"],
  define: {
    __CODEQL_ACTION_VERSION__: JSON.stringify(pkg.version),
@@ -1,6 +1,6 @@
 {
-  "bundleVersion": "codeql-bundle-v2.25.3",
+  "bundleVersion": "codeql-bundle-v2.25.4",
-  "cliVersion": "2.25.3",
+  "cliVersion": "2.25.4",
-  "priorBundleVersion": "codeql-bundle-v2.25.2",
+  "priorBundleVersion": "codeql-bundle-v2.25.3",
-  "priorCliVersion": "2.25.2"
+  "priorCliVersion": "2.25.3"
 }
@@ -1,12 +1,12 @@
 {
  "name": "codeql",
-  "version": "4.35.4",
+  "version": "4.35.5",
  "lockfileVersion": 3,
  "requires": true,
  "packages": {
    "": {
      "name": "codeql",
-      "version": "4.35.4",
+      "version": "4.35.5",
      "license": "MIT",
      "workspaces": [
        "pr-checks"
@@ -43,25 +43,25 @@
        "@types/archiver": "^7.0.0",
        "@types/follow-redirects": "^1.14.4",
        "@types/js-yaml": "^4.0.9",
-        "@types/node": "^20.19.9",
+        "@types/node": "^20.19.39",
        "@types/node-forge": "^1.3.14",
        "@types/sarif": "^2.1.7",
        "@types/semver": "^7.7.1",
        "@types/sinon": "^21.0.1",
        "ava": "^7.0.0",
        "esbuild": "^0.28.0",
-        "eslint": "^9.39.2",
+        "eslint": "^9.39.4",
        "eslint-import-resolver-typescript": "^4.4.4",
        "eslint-plugin-github": "^6.0.0",
        "eslint-plugin-import-x": "^4.16.2",
        "eslint-plugin-jsdoc": "^62.9.0",
        "eslint-plugin-no-async-foreach": "^0.1.1",
        "glob": "^11.1.0",
-        "globals": "^17.5.0",
+        "globals": "^17.6.0",
        "nock": "^14.0.12",
        "sinon": "^21.1.2",
-        "typescript": "^6.0.2",
+        "typescript": "^6.0.3",
-        "typescript-eslint": "^8.58.2"
+        "typescript-eslint": "^8.59.2"
      }
    },
    "node_modules/@aashutoshrathi/word-wrap": {
@@ -1337,15 +1337,15 @@
      }
    },
    "node_modules/@eslint/config-array": {
-      "version": "0.21.1",
+      "version": "0.21.2",
-      "resolved": "https://registry.npmjs.org/@eslint/config-array/-/config-array-0.21.1.tgz",
+      "resolved": "https://registry.npmjs.org/@eslint/config-array/-/config-array-0.21.2.tgz",
-      "integrity": "sha512-aw1gNayWpdI/jSYVgzN5pL0cfzU02GT3NBpeT/DXbx1/1x7ZKxFPd9bwrzygx/qiwIQiJ1sw/zD8qY/kRvlGHA==",
+      "integrity": "sha512-nJl2KGTlrf9GjLimgIru+V/mzgSK0ABCDQRvxw5BjURL7WfH5uoWmizbH7QB6MmnMBd8cIC9uceWnezL1VZWWw==",
      "dev": true,
      "license": "Apache-2.0",
      "dependencies": {
        "@eslint/object-schema": "^2.1.7",
        "debug": "^4.3.1",
-        "minimatch": "^3.1.2"
+        "minimatch": "^3.1.5"
      },
      "engines": {
        "node": "^18.18.0 || ^20.9.0 || >=21.1.0"
@@ -1391,20 +1391,20 @@
      }
    },
    "node_modules/@eslint/eslintrc": {
-      "version": "3.3.3",
+      "version": "3.3.5",
-      "resolved": "https://registry.npmjs.org/@eslint/eslintrc/-/eslintrc-3.3.3.tgz",
+      "resolved": "https://registry.npmjs.org/@eslint/eslintrc/-/eslintrc-3.3.5.tgz",
-      "integrity": "sha512-Kr+LPIUVKz2qkx1HAMH8q1q6azbqBAsXJUxBl/ODDuVPX45Z9DfwB8tPjTi6nNZ8BuM3nbJxC5zCAg5elnBUTQ==",
+      "integrity": "sha512-4IlJx0X0qftVsN5E+/vGujTRIFtwuLbNsVUe7TO6zYPDR1O6nFwvwhIKEKSrl6dZchmYBITazxKoUYOjdtjlRg==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
-        "ajv": "^6.12.4",
+        "ajv": "^6.14.0",
        "debug": "^4.3.2",
        "espree": "^10.0.1",
        "globals": "^14.0.0",
        "ignore": "^5.2.0",
        "import-fresh": "^3.2.1",
        "js-yaml": "^4.1.1",
-        "minimatch": "^3.1.2",
+        "minimatch": "^3.1.5",
        "strip-json-comments": "^3.1.1"
      },
      "engines": {
@@ -1427,9 +1427,9 @@
      }
    },
    "node_modules/@eslint/js": {
-      "version": "9.39.2",
+      "version": "9.39.4",
-      "resolved": "https://registry.npmjs.org/@eslint/js/-/js-9.39.2.tgz",
+      "resolved": "https://registry.npmjs.org/@eslint/js/-/js-9.39.4.tgz",
-      "integrity": "sha512-q1mjIoW1VX4IvSocvM/vbTiveKC4k9eLrajNEuSsmjymSDEbpGddtpfOoN7YGAqBK3NG+uqo8ia4PDTt8buCYA==",
+      "integrity": "sha512-nE7DEIchvtiFTwBw4Lfbu59PG+kCofhjsKaCWzxTpt4lfRjRMqG6uMBzKXuEcyXhOHoUp9riAm7/aWYGhXZ9cw==",
      "dev": true,
      "license": "MIT",
      "engines": {
@@ -2469,9 +2469,9 @@
      "license": "MIT"
    },
    "node_modules/@types/node": {
-      "version": "20.19.9",
+      "version": "20.19.39",
-      "resolved": "https://registry.npmjs.org/@types/node/-/node-20.19.9.tgz",
+      "resolved": "https://registry.npmjs.org/@types/node/-/node-20.19.39.tgz",
-      "integrity": "sha512-cuVNgarYWZqxRJDQHEB58GEONhOK79QVR/qYx4S7kcUObQvUwvFnYxJuuHUKm2aieN9X3yZB4LZsuYNU1Qphsw==",
+      "integrity": "sha512-orrrD74MBUyK8jOAD/r0+lfa1I2MO6I+vAkmAWzMYbCcgrN4lCrmK52gRFQq/JRxfYPfonkr4b0jcY7Olqdqbw==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
@@ -2528,17 +2528,17 @@
      "license": "MIT"
    },
    "node_modules/@typescript-eslint/eslint-plugin": {
-      "version": "8.58.2",
+      "version": "8.59.2",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/eslint-plugin/-/eslint-plugin-8.58.2.tgz",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/eslint-plugin/-/eslint-plugin-8.59.2.tgz",
-      "integrity": "sha512-aC2qc5thQahutKjP+cl8cgN9DWe3ZUqVko30CMSZHnFEHyhOYoZSzkGtAI2mcwZ38xeImDucI4dnqsHiOYuuCw==",
+      "integrity": "sha512-j/bwmkBvHUtPNxzuWe5z6BEk3q54YRyGlBXkSsmfoih7zNrBvl5A9A98anlp/7JbyZcWIJ8KXo/3Tq/DjFLtuQ==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
        "@eslint-community/regexpp": "^4.12.2",
-        "@typescript-eslint/scope-manager": "8.58.2",
+        "@typescript-eslint/scope-manager": "8.59.2",
-        "@typescript-eslint/type-utils": "8.58.2",
+        "@typescript-eslint/type-utils": "8.59.2",
-        "@typescript-eslint/utils": "8.58.2",
+        "@typescript-eslint/utils": "8.59.2",
-        "@typescript-eslint/visitor-keys": "8.58.2",
+        "@typescript-eslint/visitor-keys": "8.59.2",
        "ignore": "^7.0.5",
        "natural-compare": "^1.4.0",
        "ts-api-utils": "^2.5.0"
@@ -2551,7 +2551,7 @@
        "url": "https://opencollective.com/typescript-eslint"
      },
      "peerDependencies": {
-        "@typescript-eslint/parser": "^8.58.2",
+        "@typescript-eslint/parser": "^8.59.2",
        "eslint": "^8.57.0 || ^9.0.0 || ^10.0.0",
        "typescript": ">=4.8.4 <6.1.0"
      }
@@ -2567,16 +2567,16 @@
      }
    },
    "node_modules/@typescript-eslint/parser": {
-      "version": "8.58.2",
+      "version": "8.59.2",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/parser/-/parser-8.58.2.tgz",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/parser/-/parser-8.59.2.tgz",
-      "integrity": "sha512-/Zb/xaIDfxeJnvishjGdcR4jmr7S+bda8PKNhRGdljDM+elXhlvN0FyPSsMnLmJUrVG9aPO6dof80wjMawsASg==",
+      "integrity": "sha512-plR3pp6D+SSUn1HM7xvSkx12/DhoHInI2YF35KAcVFNZvlC0gtrWqx7Qq1oH2Ssgi0vlFRCTbP+DZc7B9+TtsQ==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
-        "@typescript-eslint/scope-manager": "8.58.2",
+        "@typescript-eslint/scope-manager": "8.59.2",
-        "@typescript-eslint/types": "8.58.2",
+        "@typescript-eslint/types": "8.59.2",
-        "@typescript-eslint/typescript-estree": "8.58.2",
+        "@typescript-eslint/typescript-estree": "8.59.2",
-        "@typescript-eslint/visitor-keys": "8.58.2",
+        "@typescript-eslint/visitor-keys": "8.59.2",
        "debug": "^4.4.3"
      },
      "engines": {
@@ -2610,14 +2610,14 @@
      }
    },
    "node_modules/@typescript-eslint/project-service": {
-      "version": "8.58.2",
+      "version": "8.59.2",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/project-service/-/project-service-8.58.2.tgz",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/project-service/-/project-service-8.59.2.tgz",
-      "integrity": "sha512-Cq6UfpZZk15+r87BkIh5rDpi38W4b+Sjnb8wQCPPDDweS/LRCFjCyViEbzHk5Ck3f2QDfgmlxqSa7S7clDtlfg==",
+      "integrity": "sha512-+2hqvEkeyf/0FBor67duF0Ll7Ot8jyKzDQOSrxazF/danillRq2DwR9dLptsXpoZQqxE1UisSmoZewrlPas9Vw==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
-        "@typescript-eslint/tsconfig-utils": "^8.58.2",
+        "@typescript-eslint/tsconfig-utils": "^8.59.2",
-        "@typescript-eslint/types": "^8.58.2",
+        "@typescript-eslint/types": "^8.59.2",
        "debug": "^4.4.3"
      },
      "engines": {
@@ -2650,14 +2650,14 @@
      }
    },
    "node_modules/@typescript-eslint/scope-manager": {
-      "version": "8.58.2",
+      "version": "8.59.2",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/scope-manager/-/scope-manager-8.58.2.tgz",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/scope-manager/-/scope-manager-8.59.2.tgz",
-      "integrity": "sha512-SgmyvDPexWETQek+qzZnrG6844IaO02UVyOLhI4wpo82dpZJY9+6YZCKAMFzXb7qhx37mFK1QcPQ18tud+vo6Q==",
+      "integrity": "sha512-JzfyEpEtOU89CcFSwyNS3mu4MLvLSXqnmX05+aKBDM+TdR5jzcGOEBwxwGNxrEQ7p/z6kK2WyioCGBf2zZBnvg==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
-        "@typescript-eslint/types": "8.58.2",
+        "@typescript-eslint/types": "8.59.2",
-        "@typescript-eslint/visitor-keys": "8.58.2"
+        "@typescript-eslint/visitor-keys": "8.59.2"
      },
      "engines": {
        "node": "^18.18.0 || ^20.9.0 || >=21.1.0"
@@ -2668,9 +2668,9 @@
      }
    },
    "node_modules/@typescript-eslint/tsconfig-utils": {
-      "version": "8.58.2",
+      "version": "8.59.2",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/tsconfig-utils/-/tsconfig-utils-8.58.2.tgz",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/tsconfig-utils/-/tsconfig-utils-8.59.2.tgz",
-      "integrity": "sha512-3SR+RukipDvkkKp/d0jP0dyzuls3DbGmwDpVEc5wqk5f38KFThakqAAO0XMirWAE+kT00oTauTbzMFGPoAzB0A==",
+      "integrity": "sha512-BKK4alN7oi4C/zv4VqHQ+uRU+lTa6JGIZ7s1juw7b3RHo9OfKB+bKX3u0iVZetdsUCBBkSbdWbarJbmN0fTeSw==",
      "dev": true,
      "license": "MIT",
      "engines": {
@@ -2685,15 +2685,15 @@
      }
    },
    "node_modules/@typescript-eslint/type-utils": {
-      "version": "8.58.2",
+      "version": "8.59.2",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/type-utils/-/type-utils-8.58.2.tgz",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/type-utils/-/type-utils-8.59.2.tgz",
-      "integrity": "sha512-Z7EloNR/B389FvabdGeTo2XMs4W9TjtPiO9DAsmT0yom0bwlPyRjkJ1uCdW1DvrrrYP50AJZ9Xc3sByZA9+dcg==",
+      "integrity": "sha512-nhqaj1nmTdVVl/BP5omXNRGO38jn5iosis2vbdmupF2txCf8ylWT8lx+JlvMYYVqzGVKtjojUFoQ3JRWK+mfzQ==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
-        "@typescript-eslint/types": "8.58.2",
+        "@typescript-eslint/types": "8.59.2",
-        "@typescript-eslint/typescript-estree": "8.58.2",
+        "@typescript-eslint/typescript-estree": "8.59.2",
-        "@typescript-eslint/utils": "8.58.2",
+        "@typescript-eslint/utils": "8.59.2",
        "debug": "^4.4.3",
        "ts-api-utils": "^2.5.0"
      },
@@ -2728,9 +2728,9 @@
      }
    },
    "node_modules/@typescript-eslint/types": {
-      "version": "8.58.2",
+      "version": "8.59.2",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/types/-/types-8.58.2.tgz",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/types/-/types-8.59.2.tgz",
-      "integrity": "sha512-9TukXyATBQf/Jq9AMQXfvurk+G5R2MwfqQGDR2GzGz28HvY/lXNKGhkY+6IOubwcquikWk5cjlgPvD2uAA7htQ==",
+      "integrity": "sha512-e82GVOE8Ps3E++Egvb6Y3Dw0S10u8NkQ9KXmtRhCWJJ8kDhOJTvtMAWnFL16kB1583goCWXsr0NieKCZMs2/0Q==",
      "dev": true,
      "license": "MIT",
      "engines": {
@@ -2742,16 +2742,16 @@
      }
    },
    "node_modules/@typescript-eslint/typescript-estree": {
-      "version": "8.58.2",
+      "version": "8.59.2",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/typescript-estree/-/typescript-estree-8.58.2.tgz",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/typescript-estree/-/typescript-estree-8.59.2.tgz",
-      "integrity": "sha512-ELGuoofuhhoCvNbQjFFiobFcGgcDCEm0ThWdmO4Z0UzLqPXS3KFvnEZ+SHewwOYHjM09tkzOWXNTv9u6Gqtyuw==",
+      "integrity": "sha512-o0XPGNwcWw+FIwStOWn+BwBuEmL6QXP0rsvAFg7ET1dey1Nr6Wb1ac8p5HEsK0ygO/6mUxlk+YWQD9xcb/nnXg==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
-        "@typescript-eslint/project-service": "8.58.2",
+        "@typescript-eslint/project-service": "8.59.2",
-        "@typescript-eslint/tsconfig-utils": "8.58.2",
+        "@typescript-eslint/tsconfig-utils": "8.59.2",
-        "@typescript-eslint/types": "8.58.2",
+        "@typescript-eslint/types": "8.59.2",
-        "@typescript-eslint/visitor-keys": "8.58.2",
+        "@typescript-eslint/visitor-keys": "8.59.2",
        "debug": "^4.4.3",
        "minimatch": "^10.2.2",
        "semver": "^7.7.3",
@@ -2780,9 +2780,9 @@
      }
    },
    "node_modules/@typescript-eslint/typescript-estree/node_modules/brace-expansion": {
-      "version": "5.0.5",
+      "version": "5.0.6",
-      "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-5.0.5.tgz",
+      "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-5.0.6.tgz",
-      "integrity": "sha512-VZznLgtwhn+Mact9tfiwx64fA9erHH/MCXEUfB/0bX/6Fz6ny5EGTXYltMocqg4xFAQZtnO3DHWWXi8RiuN7cQ==",
+      "integrity": "sha512-kLpxurY4Z4r9sgMsyG0Z9uzsBlgiU/EFKhj/h91/8yHu0edo7XuixOIH3VcJ8kkxs6/jPzoI6U9Vj3WqbMQ94g==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
@@ -2827,16 +2827,16 @@
      }
    },
    "node_modules/@typescript-eslint/utils": {
-      "version": "8.58.2",
+      "version": "8.59.2",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/utils/-/utils-8.58.2.tgz",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/utils/-/utils-8.59.2.tgz",
-      "integrity": "sha512-QZfjHNEzPY8+l0+fIXMvuQ2sJlplB4zgDZvA+NmvZsZv3EQwOcc1DuIU1VJUTWZ/RKouBMhDyNaBMx4sWvrzRA==",
+      "integrity": "sha512-Juw3EinkXqjaffxz6roowvV7GZT/kET5vSKKZT6upl5TXdWkLkYmNPXwDDL2Vkt2DPn0nODIS4egC/0AGxKo/Q==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
        "@eslint-community/eslint-utils": "^4.9.1",
-        "@typescript-eslint/scope-manager": "8.58.2",
+        "@typescript-eslint/scope-manager": "8.59.2",
-        "@typescript-eslint/types": "8.58.2",
+        "@typescript-eslint/types": "8.59.2",
-        "@typescript-eslint/typescript-estree": "8.58.2"
+        "@typescript-eslint/typescript-estree": "8.59.2"
      },
      "engines": {
        "node": "^18.18.0 || ^20.9.0 || >=21.1.0"
@@ -2851,13 +2851,13 @@
      }
    },
    "node_modules/@typescript-eslint/visitor-keys": {
-      "version": "8.58.2",
+      "version": "8.59.2",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/visitor-keys/-/visitor-keys-8.58.2.tgz",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/visitor-keys/-/visitor-keys-8.59.2.tgz",
-      "integrity": "sha512-f1WO2Lx8a9t8DARmcWAUPJbu0G20bJlj8L4z72K00TMeJAoyLr/tHhI/pzYBLrR4dXWkcxO1cWYZEOX8DKHTqA==",
+      "integrity": "sha512-NwjLUnGy8/Zfx23fl50tRC8rYaYnM52xNRYFAXvmiil9yh1+K6aRVQMnzW6gQB/1DLgWt977lYQn7C+wtgXZiA==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
-        "@typescript-eslint/types": "8.58.2",
+        "@typescript-eslint/types": "8.59.2",
        "eslint-visitor-keys": "^5.0.0"
      },
      "engines": {
@@ -3271,7 +3271,9 @@
      }
    },
    "node_modules/ajv": {
-      "version": "6.12.6",
+      "version": "6.15.0",
      "resolved": "https://registry.npmjs.org/ajv/-/ajv-6.15.0.tgz",
      "integrity": "sha512-fgFx7Hfoq60ytK2c7DhnF8jIvzYgOMxfugjLOSMHjLIPgenqa7S7oaagATUq99mV6IYvN2tRmC0wnTYX6iPbMw==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
@@ -4725,25 +4727,25 @@
      }
    },
    "node_modules/eslint": {
-      "version": "9.39.2",
+      "version": "9.39.4",
-      "resolved": "https://registry.npmjs.org/eslint/-/eslint-9.39.2.tgz",
+      "resolved": "https://registry.npmjs.org/eslint/-/eslint-9.39.4.tgz",
-      "integrity": "sha512-LEyamqS7W5HB3ujJyvi0HQK/dtVINZvd5mAAp9eT5S/ujByGjiZLCzPcHVzuXbpJDJF/cxwHlfceVUDZ2lnSTw==",
+      "integrity": "sha512-XoMjdBOwe/esVgEvLmNsD3IRHkm7fbKIUGvrleloJXUZgDHig2IPWNniv+GwjyJXzuNqVjlr5+4yVUZjycJwfQ==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
        "@eslint-community/eslint-utils": "^4.8.0",
        "@eslint-community/regexpp": "^4.12.1",
-        "@eslint/config-array": "^0.21.1",
+        "@eslint/config-array": "^0.21.2",
        "@eslint/config-helpers": "^0.4.2",
        "@eslint/core": "^0.17.0",
-        "@eslint/eslintrc": "^3.3.1",
+        "@eslint/eslintrc": "^3.3.5",
-        "@eslint/js": "9.39.2",
+        "@eslint/js": "9.39.4",
        "@eslint/plugin-kit": "^0.4.1",
        "@humanfs/node": "^0.16.6",
        "@humanwhocodes/module-importer": "^1.0.1",
        "@humanwhocodes/retry": "^0.4.2",
        "@types/estree": "^1.0.6",
-        "ajv": "^6.12.4",
+        "ajv": "^6.14.0",
        "chalk": "^4.0.0",
        "cross-spawn": "^7.0.6",
        "debug": "^4.3.2",
@@ -4762,7 +4764,7 @@
        "is-glob": "^4.0.0",
        "json-stable-stringify-without-jsonify": "^1.0.1",
        "lodash.merge": "^4.6.2",
-        "minimatch": "^3.1.2",
+        "minimatch": "^3.1.5",
        "natural-compare": "^1.4.0",
        "optionator": "^0.9.3"
      },
@@ -5668,9 +5670,9 @@
      "license": "MIT"
    },
    "node_modules/fast-xml-builder": {
-      "version": "1.1.5",
+      "version": "1.2.0",
-      "resolved": "https://registry.npmjs.org/fast-xml-builder/-/fast-xml-builder-1.1.5.tgz",
+      "resolved": "https://registry.npmjs.org/fast-xml-builder/-/fast-xml-builder-1.2.0.tgz",
-      "integrity": "sha512-4TJn/8FKLeslLAH3dnohXqE3QSoxkhvaMzepOIZytwJXZO69Bfz0HBdDHzOTOon6G59Zrk6VQ2bEiv1t61rfkA==",
+      "integrity": "sha512-00aAWieqff+ZJhsXA4g1g7M8k+7AYoMUUHF+/zFb5U6Uv/P0Vl4QZo84/IcufzYalLuEj9928bXN9PbbFzMF0Q==",
      "funding": [
        {
          "type": "github",
@@ -5679,7 +5681,8 @@
      ],
      "license": "MIT",
      "dependencies": {
-        "path-expression-matcher": "^1.1.3"
+        "path-expression-matcher": "^1.5.0",
        "xml-naming": "^0.1.0"
      }
    },
    "node_modules/fast-xml-parser": {
@@ -5803,9 +5806,9 @@
      }
    },
    "node_modules/flatted": {
-      "version": "3.3.3",
+      "version": "3.4.2",
-      "resolved": "https://registry.npmjs.org/flatted/-/flatted-3.3.3.tgz",
+      "resolved": "https://registry.npmjs.org/flatted/-/flatted-3.4.2.tgz",
-      "integrity": "sha512-GX+ysw4PBCz0PzosHDepZGANEuFCMLrnRTiEy9McGjmkCQYwRq4A/X786G/fjM/+OjsWSU1ZrY5qyARZmO/uwg==",
+      "integrity": "sha512-PjDse7RzhcPkIJwy5t7KPWQSZ9cAbzQXcafsetQoD7sOJRQlGikNbx7yZp2OotDnJyrDcbyRq3Ttb18iYOqkxA==",
      "dev": true,
      "license": "ISC"
    },
@@ -6118,9 +6121,9 @@
      }
    },
    "node_modules/globals": {
-      "version": "17.5.0",
+      "version": "17.6.0",
-      "resolved": "https://registry.npmjs.org/globals/-/globals-17.5.0.tgz",
+      "resolved": "https://registry.npmjs.org/globals/-/globals-17.6.0.tgz",
-      "integrity": "sha512-qoV+HK2yFl/366t2/Cb3+xxPUo5BuMynomoDmiaZBIdbs+0pYbjfZU+twLhGKp4uCZ/+NbtpVepH5bGCxRyy2g==",
+      "integrity": "sha512-sepffkT8stwnIYbsMBpoCHJuJM5l98FUF2AnE07hfvE0m/qp3R586hw4jF4uadbhvg1ooIdzuu7CsfD2jzCaNA==",
      "dev": true,
      "license": "MIT",
      "engines": {
@@ -7338,9 +7341,9 @@
      }
    },
    "node_modules/micromatch/node_modules/picomatch": {
-      "version": "2.3.1",
+      "version": "2.3.2",
-      "resolved": "https://registry.npmjs.org/picomatch/-/picomatch-2.3.1.tgz",
+      "resolved": "https://registry.npmjs.org/picomatch/-/picomatch-2.3.2.tgz",
-      "integrity": "sha512-JU3teHTNjmE2VCGFzuY8EXzCDVwEqB2a8fsIvwaStHhAWJEeVd1o1QD80CU6+ZdEXXSLbSsuLwJjkCBWqRQUVA==",
+      "integrity": "sha512-V7+vQEJ06Z+c5tSye8S+nHUfI51xoXIXjHQ99cQtKUkQqqO1kO/KCJUfZXuB47h/YBlDhah2H3hdUGXn8ie0oA==",
      "dev": true,
      "license": "MIT",
      "engines": {
@@ -7886,9 +7889,9 @@
      "license": "ISC"
    },
    "node_modules/picomatch": {
-      "version": "4.0.3",
+      "version": "4.0.4",
-      "resolved": "https://registry.npmjs.org/picomatch/-/picomatch-4.0.3.tgz",
+      "resolved": "https://registry.npmjs.org/picomatch/-/picomatch-4.0.4.tgz",
-      "integrity": "sha512-5gTmgEY/sqK6gFXLIsQNH19lWb4ebPDLA4SdLP7dsWkIXHWlG66oPuVvXSGFPppYZz8ZDZq0dYYrbHfBCVUb1Q==",
+      "integrity": "sha512-QP88BAKvMam/3NxH6vj2o21R6MjxZUAd6nlwAS/pnGvN9IVLocLHxGYIzFhg6fUQ+5th6P4dv4eW9jX3DSIj7A==",
      "dev": true,
      "license": "MIT",
      "engines": {
@@ -8061,9 +8064,9 @@
      }
    },
    "node_modules/readdir-glob/node_modules/brace-expansion": {
-      "version": "2.0.2",
+      "version": "2.1.0",
-      "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-2.0.2.tgz",
+      "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-2.1.0.tgz",
-      "integrity": "sha512-Jt0vHyM+jmUBqojB7E1NIYadt0vI0Qxjxd2TErW94wDz+E2LAm5vKMXXwg6ZZBTHPuUlDgQHKXvjGBdfcF1ZDQ==",
+      "integrity": "sha512-TN1kCZAgdgweJhWWpgKYrQaMNHcDULHkWwQIspdtjV4Y5aurRdZpjAqn6yX3FPqTA9ngHCc4hJxMAMgGfve85w==",
      "license": "MIT",
      "dependencies": {
        "balanced-match": "^1.0.0"
@@ -8880,10 +8883,11 @@
      }
    },
    "node_modules/supertap/node_modules/js-yaml": {
-      "version": "3.14.1",
+      "version": "3.14.2",
-      "resolved": "https://registry.npmjs.org/js-yaml/-/js-yaml-3.14.1.tgz",
+      "resolved": "https://registry.npmjs.org/js-yaml/-/js-yaml-3.14.2.tgz",
-      "integrity": "sha512-okMH7OXXJ7YrN9Ok3/SXrnu4iX9yOk+25nqX4imS2npuvTYDmo/QEZoqwZkYaIDk3jVvBOTOIEgEhaLOynBS9g==",
+      "integrity": "sha512-PMSmkqxr106Xa156c2M265Z+FTrPl+oxd/rgOQy2tijQeK5TxQ43psO1ZCwhVOSdnn+RzkzlRz/eY4BgJBYVpg==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
        "argparse": "^1.0.7",
        "esprima": "^4.0.0"
@@ -9771,9 +9775,9 @@
      }
    },
    "node_modules/typescript": {
-      "version": "6.0.2",
+      "version": "6.0.3",
-      "resolved": "https://registry.npmjs.org/typescript/-/typescript-6.0.2.tgz",
+      "resolved": "https://registry.npmjs.org/typescript/-/typescript-6.0.3.tgz",
-      "integrity": "sha512-bGdAIrZ0wiGDo5l8c++HWtbaNCWTS4UTv7RaTH/ThVIgjkveJt83m74bBHMJkuCbslY8ixgLBVZJIOiQlQTjfQ==",
+      "integrity": "sha512-y2TvuxSZPDyQakkFRPZHKFm+KKVqIisdg9/CZwm9ftvKXLP8NRWj38/ODjNbr43SsoXqNuAisEf1GdCxqWcdBw==",
      "dev": true,
      "license": "Apache-2.0",
      "bin": {
@@ -9785,16 +9789,16 @@
      }
    },
    "node_modules/typescript-eslint": {
-      "version": "8.58.2",
+      "version": "8.59.2",
-      "resolved": "https://registry.npmjs.org/typescript-eslint/-/typescript-eslint-8.58.2.tgz",
+      "resolved": "https://registry.npmjs.org/typescript-eslint/-/typescript-eslint-8.59.2.tgz",
-      "integrity": "sha512-V8iSng9mRbdZjl54VJ9NKr6ZB+dW0J3TzRXRGcSbLIej9jV86ZRtlYeTKDR/QLxXykocJ5icNzbsl2+5TzIvcQ==",
+      "integrity": "sha512-pJw051uomb3ZeCzGTpRb8RbEqB5Y4WWet8gl/GcTlU35BSx0PVdZ86/bqkQCyKKuraVQEK7r6kBHQXF+fBhkoQ==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
-        "@typescript-eslint/eslint-plugin": "8.58.2",
+        "@typescript-eslint/eslint-plugin": "8.59.2",
-        "@typescript-eslint/parser": "8.58.2",
+        "@typescript-eslint/parser": "8.59.2",
-        "@typescript-eslint/typescript-estree": "8.58.2",
+        "@typescript-eslint/typescript-estree": "8.59.2",
-        "@typescript-eslint/utils": "8.58.2"
+        "@typescript-eslint/utils": "8.59.2"
      },
      "engines": {
        "node": "^18.18.0 || ^20.9.0 || >=21.1.0"
@@ -10221,6 +10225,21 @@
        "node": "^20.17.0 || >=22.9.0"
      }
    },
    "node_modules/xml-naming": {
      "version": "0.1.0",
      "resolved": "https://registry.npmjs.org/xml-naming/-/xml-naming-0.1.0.tgz",
      "integrity": "sha512-k8KO9hrMyNk6tUWqUfkTEZbezRRpONVOzUTnc97VnCvyj6Tf9lyUR9EDAIeiVLv56jsMcoXEwjW8Kv5yPY52lw==",
      "funding": [
        {
          "type": "github",
          "url": "https://github.com/sponsors/NaturalIntelligence"
        }
      ],
      "license": "MIT",
      "engines": {
        "node": ">=16.0.0"
      }
    },
    "node_modules/y18n": {
      "version": "5.0.8",
      "resolved": "https://registry.npmjs.org/y18n/-/y18n-5.0.8.tgz",
@@ -10242,9 +10261,9 @@
      }
    },
    "node_modules/yaml": {
-      "version": "2.8.3",
+      "version": "2.8.4",
-      "resolved": "https://registry.npmjs.org/yaml/-/yaml-2.8.3.tgz",
+      "resolved": "https://registry.npmjs.org/yaml/-/yaml-2.8.4.tgz",
-      "integrity": "sha512-AvbaCLOO2Otw/lW5bmh9d/WEdcDFdQp2Z2ZUH3pX9U2ihyUY0nvLv7J6TrWowklRGPYbB/IuIMfYgxaCPg5Bpg==",
+      "integrity": "sha512-ml/JPOj9fOQK8RNnWojA67GbZ0ApXAUlN2UQclwv2eVgTgn7O9gg9o7paZWKMp4g0H3nTLtS9LVzhkpOFIKzog==",
      "license": "ISC",
      "bin": {
        "yaml": "bin.mjs"
@@ -10385,10 +10404,10 @@
        "@octokit/core": "^7.0.6",
        "@octokit/plugin-paginate-rest": ">=9.2.2",
        "@octokit/plugin-rest-endpoint-methods": "^17.0.0",
-        "yaml": "^2.8.3"
+        "yaml": "^2.8.4"
      },
      "devDependencies": {
-        "@types/node": "^20.19.9",
+        "@types/node": "^20.19.39",
        "tsx": "^4.21.0"
      }
    }
@@ -1,11 +1,11 @@
 {
  "name": "codeql",
-  "version": "4.35.4",
+  "version": "4.35.5",
  "private": true,
  "description": "CodeQL action",
  "scripts": {
    "_build_comment": "echo 'Run the full build so we typecheck the project and can reuse the transpiled files in npm test'",
-    "build": "./scripts/check-node-modules.sh && npm run transpile && node build.mjs && npx tsx ./pr-checks/bundle-metadata.ts",
+    "build": "./scripts/check-node-modules.sh && npm run transpile && node build.mjs",
    "lint": "eslint --report-unused-disable-directives --max-warnings=0 .",
    "lint-ci": "SARIF_ESLINT_IGNORE_SUPPRESSED=true eslint --report-unused-disable-directives --max-warnings=0 . --format @microsoft/eslint-formatter-sarif --output-file=eslint.sarif",
    "lint-fix": "eslint --report-unused-disable-directives --max-warnings=0 . --fix",
@@ -50,25 +50,25 @@
    "@types/archiver": "^7.0.0",
    "@types/follow-redirects": "^1.14.4",
    "@types/js-yaml": "^4.0.9",
-    "@types/node": "^20.19.9",
+    "@types/node": "^20.19.39",
    "@types/node-forge": "^1.3.14",
    "@types/sarif": "^2.1.7",
    "@types/semver": "^7.7.1",
    "@types/sinon": "^21.0.1",
    "ava": "^7.0.0",
    "esbuild": "^0.28.0",
-    "eslint": "^9.39.2",
+    "eslint": "^9.39.4",
    "eslint-import-resolver-typescript": "^4.4.4",
    "eslint-plugin-github": "^6.0.0",
    "eslint-plugin-import-x": "^4.16.2",
    "eslint-plugin-jsdoc": "^62.9.0",
    "eslint-plugin-no-async-foreach": "^0.1.1",
    "glob": "^11.1.0",
-    "globals": "^17.5.0",
+    "globals": "^17.6.0",
    "nock": "^14.0.12",
    "sinon": "^21.1.2",
-    "typescript": "^6.0.2",
+    "typescript": "^6.0.3",
-    "typescript-eslint": "^8.58.2"
+    "typescript-eslint": "^8.59.2"
  },
  "overrides": {
    "@actions/tool-cache": {
@@ -89,7 +89,6 @@
    "eslint-plugin-jsx-a11y": {
      "semver": ">=6.3.1"
    },
    "brace-expansion@2.0.1": "2.0.2",
    "glob": "^11.1.0",
    "undici": "^6.24.0"
  }
@@ -5,7 +5,7 @@ versions:
  - default
 steps:
  - name: Set up Ruby
-    uses: ruby/setup-ruby@0cb964fd540e0a24c900370abf38a33466142735 # v1.305.0
+    uses: ruby/setup-ruby@c4e5b1316158f92e3d49443a9d58b31d25ac0f8f # v1.306.0
    with:
      ruby-version: 2.6
  - name: Install Code Scanning integration
@@ -7,10 +7,10 @@
    "@octokit/core": "^7.0.6",
    "@octokit/plugin-paginate-rest": ">=9.2.2",
    "@octokit/plugin-rest-endpoint-methods": "^17.0.0",
-    "yaml": "^2.8.3"
+    "yaml": "^2.8.4"
  },
  "devDependencies": {
-    "@types/node": "^20.19.9",
+    "@types/node": "^20.19.39",
    "tsx": "^4.21.0"
  }
 }
@@ -19,6 +19,25 @@ inputs:
      If not specified, the Action will check in several places until it finds
      the CodeQL tools.
    required: false
  languages:
    description: >-
      A comma-separated list of CodeQL languages that will be analyzed in subsequent
      `github/codeql-action/init` and `github/codeql-action/analyze` invocations. If specified, the
      Action may use this list to select a CodeQL CLI version that is best suited to analyzing those
      languages, for example by preferring a version that has a cached overlay-base database for the
      specified languages. This input is not remembered and must also be passed to
      `github/codeql-action/init`.
    required: false
  analysis-kinds:
    description: >-
      [Internal] A comma-separated list of analysis kinds that subsequent
      `github/codeql-action/init` invocations will enable. If specified, the Action may use this
      list to select a CodeQL CLI version that is best suited to those analysis kinds. This input is
      not remembered and must also be passed to `github/codeql-action/init`.
      Available options are the same as for the `analysis-kinds` input on the `init` Action.
    default: 'code-scanning'
    required: true
  token:
    description: GitHub token to use for authenticating with this instance of GitHub.
    default: ${{ github.token }}
@@ -16,7 +16,7 @@ import {
 } from "./analyses";
 import { EnvVar } from "./environment";
 import { getRunnerLogger } from "./logging";
-import { setupTests } from "./testing-utils";
+import { createFeatures, RecordingLogger, setupTests } from "./testing-utils";
 import { AssessmentPayload } from "./upload-lib/types";
 import { ConfigurationError } from "./util";
@@ -53,24 +53,56 @@ test("Parsing analysis kinds requires at least one analysis kind", async (t) =>
 test.serial(
  "getAnalysisKinds - returns expected analysis kinds for `analysis-kinds` input",
  async (t) => {
    process.env[EnvVar.TEST_MODE] = "true";
    const features = createFeatures([]);
    const requiredInputStub = sinon.stub(actionsUtil, "getRequiredInput");
    requiredInputStub
      .withArgs("analysis-kinds")
      .returns("code-scanning,code-quality");
-    const result = await getAnalysisKinds(getRunnerLogger(true), true);
+    const result = await getAnalysisKinds(
      getRunnerLogger(true),
      features,
      true,
    );
    t.assert(result.includes(AnalysisKind.CodeScanning));
    t.assert(result.includes(AnalysisKind.CodeQuality));
  },
 );
 test.serial(
  "getAnalysisKinds - only use `code-scanning` for multiple analysis kinds outside of test mode",
  async (t) => {
    process.env[EnvVar.TEST_MODE] = "false";
    const features = createFeatures([]);
    const logger = new RecordingLogger();
    const requiredInputStub = sinon.stub(actionsUtil, "getRequiredInput");
    requiredInputStub
      .withArgs("analysis-kinds")
      .returns("code-scanning,code-quality");
    const result = await getAnalysisKinds(logger, features, true);
    t.deepEqual(result, [AnalysisKind.CodeScanning]);
    t.assert(
      logger.hasMessage(
        "Continuing with only `analysis-kinds: code-scanning`.",
      ),
    );
  },
 );
 test.serial(
  "getAnalysisKinds - includes `code-quality` when deprecated `quality-queries` input is used",
  async (t) => {
    process.env[EnvVar.TEST_MODE] = "true";
    const features = createFeatures([]);
    const requiredInputStub = sinon.stub(actionsUtil, "getRequiredInput");
    requiredInputStub.withArgs("analysis-kinds").returns("code-scanning");
    const optionalInputStub = sinon.stub(actionsUtil, "getOptionalInput");
    optionalInputStub.withArgs("quality-queries").returns("code-quality");
-    const result = await getAnalysisKinds(getRunnerLogger(true), true);
+    const result = await getAnalysisKinds(
      getRunnerLogger(true),
      features,
      true,
    );
    t.assert(result.includes(AnalysisKind.CodeScanning));
    t.assert(result.includes(AnalysisKind.CodeQuality));
  },
@@ -79,9 +111,12 @@ test.serial(
 test.serial(
  "getAnalysisKinds - throws if `analysis-kinds` input is invalid",
  async (t) => {
    const features = createFeatures([]);
    const requiredInputStub = sinon.stub(actionsUtil, "getRequiredInput");
    requiredInputStub.withArgs("analysis-kinds").returns("no-such-thing");
-    await t.throwsAsync(getAnalysisKinds(getRunnerLogger(true), true));
+    await t.throwsAsync(
      getAnalysisKinds(getRunnerLogger(true), features, true),
    );
  },
 );
@@ -98,11 +133,17 @@ for (let i = 0; i < analysisKinds.length; i++) {
      test.serial(
        `getAnalysisKinds - allows ${analysisKind} with ${otherAnalysis}`,
        async (t) => {
          process.env[EnvVar.TEST_MODE] = "true";
          const features = createFeatures([]);
          const requiredInputStub = sinon.stub(actionsUtil, "getRequiredInput");
          requiredInputStub
            .withArgs("analysis-kinds")
            .returns([analysisKind, otherAnalysis].join(","));
-          const result = await getAnalysisKinds(getRunnerLogger(true), true);
+          const result = await getAnalysisKinds(
            getRunnerLogger(true),
            features,
            true,
          );
          t.is(result.length, 2);
        },
      );
@@ -110,14 +151,18 @@ for (let i = 0; i < analysisKinds.length; i++) {
      test.serial(
        `getAnalysisKinds - throws if ${analysisKind} is enabled with ${otherAnalysis}`,
        async (t) => {
          const features = createFeatures([]);
          const requiredInputStub = sinon.stub(actionsUtil, "getRequiredInput");
          requiredInputStub
            .withArgs("analysis-kinds")
            .returns([analysisKind, otherAnalysis].join(","));
-          await t.throwsAsync(getAnalysisKinds(getRunnerLogger(true), true), {
+          await t.throwsAsync(
-            instanceOf: ConfigurationError,
+            getAnalysisKinds(getRunnerLogger(true), features, true),
-            message: `${analysisKind} and ${otherAnalysis} cannot be enabled at the same time`,
+            {
-          });
+              instanceOf: ConfigurationError,
              message: `${analysisKind} and ${otherAnalysis} cannot be enabled at the same time`,
            },
          );
        },
      );
    }
@@ -4,13 +4,14 @@ import {
  getRequiredInput,
 } from "./actions-util";
 import { EnvVar } from "./environment";
 import { Feature, FeatureEnablement } from "./feature-flags";
 import { Logger } from "./logging";
 import {
  AssessmentPayload,
  BasePayload,
  UploadPayload,
 } from "./upload-lib/types";
-import { ConfigurationError, getRequiredEnvParam } from "./util";
+import { ConfigurationError, getRequiredEnvParam, isInTestMode } from "./util";
 export enum AnalysisKind {
  CodeScanning = "code-scanning",
@@ -77,6 +78,7 @@ let cachedAnalysisKinds: AnalysisKind[] | undefined;
 */
 export async function getAnalysisKinds(
  logger: Logger,
  features: FeatureEnablement,
  skipCache: boolean = false,
 ): Promise<AnalysisKind[]> {
  if (!skipCache && cachedAnalysisKinds !== undefined) {
@@ -120,6 +122,25 @@ export async function getAnalysisKinds(
    }
  }
  // Log an error if we have multiple inputs for `analysis-kinds` outside of test mode,
  // and enable only `code-scanning`.
  if (
    !isInTestMode() &&
    analysisKinds.length > 1 &&
    !(await features.getValue(Feature.AllowMultipleAnalysisKinds))
  ) {
    logger.error(
      "The `analysis-kinds` input is experimental and for GitHub-internal use only. " +
        "Its behaviour may change at any time or be removed entirely. " +
        "Specifying multiple values as input is no longer supported. " +
        "Continuing with only `analysis-kinds: code-scanning`.",
    );
    // Only enable Code Scanning.
    cachedAnalysisKinds = [AnalysisKind.CodeScanning];
    return cachedAnalysisKinds;
  }
  // Cache the analysis kinds and return them.
  cachedAnalysisKinds = analysisKinds;
  return cachedAnalysisKinds;
@@ -141,9 +141,9 @@ test("scanArtifactsForTokens handles files without tokens", async (t) => {
  }
 });
 // `scanArchiveFile` does not support Windows, so we skip this test there.
 if (os.platform() !== "win32") {
  test("scanArtifactsForTokens finds token in debug artifacts", async (t) => {
    t.timeout(15000); // 15 seconds
    const messages: LoggedMessage[] = [];
    const logger = getRecordingLogger(messages, { logToConsole: false });
    // The zip here is a regression test based on
@@ -156,6 +156,10 @@ async function scanArchiveFile(
    );
  }
  if (process.platform === "win32") {
    throw new Error("Scanning archives is not supported on Windows.");
  }
  const result: ScanResult = {
    scannedFiles: 0,
    findings: [],
@@ -33,6 +33,7 @@ import {
  mockBundleDownloadApi,
  makeVersionInfo,
  createTestConfig,
  makeMacro,
 } from "./testing-utils";
 import { ToolsDownloadStatusReport } from "./tools-download";
 import * as util from "./util";
@@ -70,8 +71,10 @@ async function installIntoToolcache({
    tmpDir,
    util.GitHubVariant.GHES,
    cliVersion !== undefined
-      ? { cliVersion, tagName }
+      ? { enabledVersions: [{ cliVersion, tagName }] }
      : SAMPLE_DEFAULT_CLI_VERSION,
    undefined, // rawLanguages
    false, // useOverlayAwareDefaultCliVersion
    createFeatures([]),
    getRunnerLogger(true),
    false,
@@ -143,6 +146,8 @@ test.serial(
          tmpDir,
          util.GitHubVariant.DOTCOM,
          SAMPLE_DEFAULT_CLI_VERSION,
          undefined, // rawLanguages
          false, // useOverlayAwareDefaultCliVersion
          features,
          getRunnerLogger(true),
          false,
@@ -175,6 +180,8 @@ test.serial(
        tmpDir,
        util.GitHubVariant.DOTCOM,
        SAMPLE_DEFAULT_CLI_VERSION,
        undefined, // rawLanguages
        false, // useOverlayAwareDefaultCliVersion
        features,
        getRunnerLogger(true),
        false,
@@ -214,6 +221,8 @@ test.serial(
        tmpDir,
        util.GitHubVariant.DOTCOM,
        SAMPLE_DEFAULT_CLI_VERSION,
        undefined, // rawLanguages
        false, // useOverlayAwareDefaultCliVersion
        features,
        getRunnerLogger(true),
        false,
@@ -264,6 +273,8 @@ for (const {
          tmpDir,
          util.GitHubVariant.DOTCOM,
          SAMPLE_DEFAULT_CLI_VERSION,
          undefined, // rawLanguages
          false, // useOverlayAwareDefaultCliVersion
          features,
          getRunnerLogger(true),
          false,
@@ -284,11 +295,11 @@ for (const {
 for (const toolcacheVersion of [
  // Test that we use the tools from the toolcache when `SAMPLE_DEFAULT_CLI_VERSION` is requested
  // and `SAMPLE_DEFAULT_CLI_VERSION-` is in the toolcache.
-  SAMPLE_DEFAULT_CLI_VERSION.cliVersion,
+  SAMPLE_DEFAULT_CLI_VERSION.enabledVersions[0].cliVersion,
-  `${SAMPLE_DEFAULT_CLI_VERSION.cliVersion}-20230101`,
+  `${SAMPLE_DEFAULT_CLI_VERSION.enabledVersions[0].cliVersion}-20230101`,
 ]) {
  test.serial(
-    `uses tools from toolcache when ${SAMPLE_DEFAULT_CLI_VERSION.cliVersion} is requested and ` +
+    `uses tools from toolcache when ${SAMPLE_DEFAULT_CLI_VERSION.enabledVersions[0].cliVersion} is requested and ` +
      `${toolcacheVersion} is installed`,
    async (t) => {
      const features = createFeatures([]);
@@ -308,11 +319,16 @@ for (const toolcacheVersion of [
          tmpDir,
          util.GitHubVariant.DOTCOM,
          SAMPLE_DEFAULT_CLI_VERSION,
          undefined, // rawLanguages
          false, // useOverlayAwareDefaultCliVersion
          features,
          getRunnerLogger(true),
          false,
        );
-        t.is(result.toolsVersion, SAMPLE_DEFAULT_CLI_VERSION.cliVersion);
+        t.is(
          result.toolsVersion,
          SAMPLE_DEFAULT_CLI_VERSION.enabledVersions[0].cliVersion,
        );
        t.is(result.toolsSource, ToolsSource.Toolcache);
        t.is(result.toolsDownloadStatusReport?.combinedDurationMs, undefined);
        t.is(result.toolsDownloadStatusReport?.downloadDurationMs, undefined);
@@ -342,9 +358,15 @@ test.serial(
        tmpDir,
        util.GitHubVariant.GHES,
        {
-          cliVersion: defaults.cliVersion,
+          enabledVersions: [
-          tagName: defaults.bundleVersion,
+            {
              cliVersion: defaults.cliVersion,
              tagName: defaults.bundleVersion,
            },
          ],
        },
        undefined, // rawLanguages
        false, // useOverlayAwareDefaultCliVersion
        features,
        getRunnerLogger(true),
        false,
@@ -384,9 +406,15 @@ test.serial(
        tmpDir,
        util.GitHubVariant.GHES,
        {
-          cliVersion: defaults.cliVersion,
+          enabledVersions: [
-          tagName: defaults.bundleVersion,
+            {
              cliVersion: defaults.cliVersion,
              tagName: defaults.bundleVersion,
            },
          ],
        },
        undefined, // rawLanguages
        false, // useOverlayAwareDefaultCliVersion
        features,
        getRunnerLogger(true),
        false,
@@ -426,6 +454,8 @@ test.serial(
        tmpDir,
        util.GitHubVariant.DOTCOM,
        SAMPLE_DEFAULT_CLI_VERSION,
        undefined, // rawLanguages
        false, // useOverlayAwareDefaultCliVersion
        features,
        getRunnerLogger(true),
        false,
@@ -467,6 +497,8 @@ test.serial(
        tmpDir,
        util.GitHubVariant.DOTCOM,
        SAMPLE_DEFAULT_CLI_VERSION,
        undefined, // rawLanguages
        false, // useOverlayAwareDefaultCliVersion
        features,
        getRunnerLogger(true),
        false,
@@ -540,7 +572,7 @@ test.serial("getExtraOptions throws for bad content", (t) => {
 });
 // Test macro for ensuring different variants of injected augmented configurations
-const injectedConfigMacro = test.macro({
+const injectedConfigMacro = makeMacro({
  exec: async (
    t: ExecutionContext<unknown>,
    augmentationProperties: AugmentationProperties,
@@ -590,9 +622,8 @@ const injectedConfigMacro = test.macro({
    `databaseInitCluster() injected config: ${providedTitle}`,
 });
-test.serial(
+injectedConfigMacro.serial(
  "basic",
  injectedConfigMacro,
  {
    ...defaultAugmentationProperties,
  },
@@ -600,9 +631,8 @@ test.serial(
  {},
 );
-test.serial(
+injectedConfigMacro.serial(
  "injected packs from input",
  injectedConfigMacro,
  {
    ...defaultAugmentationProperties,
    packsInput: ["xxx", "yyy"],
@@ -613,9 +643,8 @@ test.serial(
  },
 );
-test.serial(
+injectedConfigMacro.serial(
  "injected packs from input with existing packs combines",
  injectedConfigMacro,
  {
    ...defaultAugmentationProperties,
    packsInputCombines: true,
@@ -635,9 +664,8 @@ test.serial(
  },
 );
-test.serial(
+injectedConfigMacro.serial(
  "injected packs from input with existing packs overrides",
  injectedConfigMacro,
  {
    ...defaultAugmentationProperties,
    packsInput: ["xxx", "yyy"],
@@ -655,9 +683,8 @@ test.serial(
 );
 // similar, but with queries
-test.serial(
+injectedConfigMacro.serial(
  "injected queries from input",
  injectedConfigMacro,
  {
    ...defaultAugmentationProperties,
    queriesInput: [{ uses: "xxx" }, { uses: "yyy" }],
@@ -675,9 +702,8 @@ test.serial(
  },
 );
-test.serial(
+injectedConfigMacro.serial(
  "injected queries from input overrides",
  injectedConfigMacro,
  {
    ...defaultAugmentationProperties,
    queriesInput: [{ uses: "xxx" }, { uses: "yyy" }],
@@ -699,9 +725,8 @@ test.serial(
  },
 );
-test.serial(
+injectedConfigMacro.serial(
  "injected queries from input combines",
  injectedConfigMacro,
  {
    ...defaultAugmentationProperties,
    queriesInputCombines: true,
@@ -727,9 +752,8 @@ test.serial(
  },
 );
-test.serial(
+injectedConfigMacro.serial(
  "injected queries from input combines 2",
  injectedConfigMacro,
  {
    ...defaultAugmentationProperties,
    queriesInputCombines: true,
@@ -749,9 +773,8 @@ test.serial(
  },
 );
-test.serial(
+injectedConfigMacro.serial(
  "injected queries and packs, but empty",
  injectedConfigMacro,
  {
    ...defaultAugmentationProperties,
    queriesInputCombines: true,
@@ -768,9 +791,8 @@ test.serial(
  {},
 );
-test.serial(
+injectedConfigMacro.serial(
  "repo property queries have the highest precedence",
  injectedConfigMacro,
  {
    ...defaultAugmentationProperties,
    queriesInputCombines: true,
@@ -790,9 +812,8 @@ test.serial(
  },
 );
-test.serial(
+injectedConfigMacro.serial(
  "repo property queries combines with queries input",
  injectedConfigMacro,
  {
    ...defaultAugmentationProperties,
    queriesInputCombines: false,
@@ -817,9 +838,8 @@ test.serial(
  },
 );
-test.serial(
+injectedConfigMacro.serial(
  "repo property queries combines everything else",
  injectedConfigMacro,
  {
    ...defaultAugmentationProperties,
    queriesInputCombines: true,
@@ -305,6 +305,8 @@ const EXTRACTION_DEBUG_MODE_VERBOSITY = "progress++";
 * @param tempDir
 * @param variant
 * @param defaultCliVersion
 * @param rawLanguages Raw set of languages.
 * @param useOverlayAwareDefaultCliVersion Whether to select an overlay-aware default CLI version.
 * @param features Information about the features that are enabled.
 * @param logger
 * @param checkVersion Whether to check that CodeQL CLI meets the minimum
@@ -317,6 +319,8 @@ export async function setupCodeQL(
  tempDir: string,
  variant: util.GitHubVariant,
  defaultCliVersion: CodeQLDefaultVersionInfo,
  rawLanguages: string[] | undefined,
  useOverlayAwareDefaultCliVersion: boolean,
  features: FeatureEnablement,
  logger: Logger,
  checkVersion: boolean,
@@ -340,6 +344,8 @@ export async function setupCodeQL(
      tempDir,
      variant,
      defaultCliVersion,
      rawLanguages,
      useOverlayAwareDefaultCliVersion,
      features,
      logger,
    );
@@ -34,6 +34,7 @@ import {
  LoggedMessage,
  mockCodeQLVersion,
  createTestConfig,
  makeMacro,
 } from "./testing-utils";
 import {
  GitHubVariant,
@@ -1034,10 +1035,9 @@ const defaultOverlayDatabaseModeTestSetup: OverlayDatabaseModeTestSetup = {
  repositoryProperties: {},
 };
-const checkOverlayEnablementMacro = test.macro({
+const checkOverlayEnablementMacro = makeMacro({
  exec: async (
    t: ExecutionContext,
    _title: string,
    setupOverrides: Partial<OverlayDatabaseModeTestSetup>,
    expected:
      | {
@@ -1131,11 +1131,10 @@ const checkOverlayEnablementMacro = test.macro({
      }
    });
  },
-  title: (_, title) => `checkOverlayEnablement: ${title}`,
+  title: (title) => `checkOverlayEnablement: ${title}`,
 });
-test.serial(
+checkOverlayEnablementMacro.serial(
  checkOverlayEnablementMacro,
  "Environment variable override - Overlay",
  {
    overlayDatabaseEnvVar: "overlay",
@@ -1146,8 +1145,7 @@ test.serial(
  },
 );
-test.serial(
+checkOverlayEnablementMacro.serial(
  checkOverlayEnablementMacro,
  "Environment variable override - OverlayBase",
  {
    overlayDatabaseEnvVar: "overlay-base",
@@ -1158,8 +1156,7 @@ test.serial(
  },
 );
-test.serial(
+checkOverlayEnablementMacro.serial(
  checkOverlayEnablementMacro,
  "Environment variable override - None",
  {
    overlayDatabaseEnvVar: "none",
@@ -1169,8 +1166,7 @@ test.serial(
  },
 );
-test.serial(
+checkOverlayEnablementMacro.serial(
  checkOverlayEnablementMacro,
  "Ignore invalid environment variable",
  {
    overlayDatabaseEnvVar: "invalid-mode",
@@ -1180,8 +1176,7 @@ test.serial(
  },
 );
-test.serial(
+checkOverlayEnablementMacro.serial(
  checkOverlayEnablementMacro,
  "Ignore feature flag when analyzing non-default branch",
  {
    languages: [BuiltInLanguage.javascript],
@@ -1192,8 +1187,7 @@ test.serial(
  },
 );
-test.serial(
+checkOverlayEnablementMacro.serial(
  checkOverlayEnablementMacro,
  "Overlay-base database on default branch when feature enabled",
  {
    languages: [BuiltInLanguage.javascript],
@@ -1206,15 +1200,14 @@ test.serial(
  },
 );
-test.serial(
+checkOverlayEnablementMacro.serial(
  checkOverlayEnablementMacro,
  "Overlay-base database on default branch when feature enabled with custom analysis",
  {
    languages: [BuiltInLanguage.javascript],
    features: [Feature.OverlayAnalysis, Feature.OverlayAnalysisJavascript],
    codeScanningConfig: {
      packs: ["some-custom-pack@1.0.0"],
-    } as UserConfig,
+    },
    isDefaultBranch: true,
  },
  {
@@ -1223,8 +1216,7 @@ test.serial(
  },
 );
-test.serial(
+checkOverlayEnablementMacro.serial(
  checkOverlayEnablementMacro,
  "Overlay-base database on default branch when code-scanning feature enabled",
  {
    languages: [BuiltInLanguage.javascript],
@@ -1240,8 +1232,7 @@ test.serial(
  },
 );
-test.serial(
+checkOverlayEnablementMacro.serial(
  checkOverlayEnablementMacro,
  "No overlay-base database on default branch if runner disk space is too low",
  {
    languages: [BuiltInLanguage.javascript],
@@ -1260,8 +1251,7 @@ test.serial(
  },
 );
-test.serial(
+checkOverlayEnablementMacro.serial(
  checkOverlayEnablementMacro,
  "No overlay-base database on default branch if we can't determine runner disk space",
  {
    languages: [BuiltInLanguage.javascript],
@@ -1277,8 +1267,7 @@ test.serial(
  },
 );
-test.serial(
+checkOverlayEnablementMacro.serial(
  checkOverlayEnablementMacro,
  "Overlay-base database on default branch if runner disk space is too low and skip resource checks flag is enabled",
  {
    languages: [BuiltInLanguage.javascript],
@@ -1299,8 +1288,7 @@ test.serial(
  },
 );
-test.serial(
+checkOverlayEnablementMacro.serial(
  checkOverlayEnablementMacro,
  "No overlay-base database on default branch if runner disk space is below v2 limit and v2 resource checks enabled",
  {
    languages: [BuiltInLanguage.javascript],
@@ -1320,8 +1308,7 @@ test.serial(
  },
 );
-test.serial(
+checkOverlayEnablementMacro.serial(
  checkOverlayEnablementMacro,
  "Overlay-base database on default branch if runner disk space is between v2 and v1 limits and v2 resource checks enabled",
  {
    languages: [BuiltInLanguage.javascript],
@@ -1342,8 +1329,7 @@ test.serial(
  },
 );
-test.serial(
+checkOverlayEnablementMacro.serial(
  checkOverlayEnablementMacro,
  "No overlay-base database on default branch if runner disk space is between v2 and v1 limits and v2 resource checks not enabled",
  {
    languages: [BuiltInLanguage.javascript],
@@ -1362,8 +1348,7 @@ test.serial(
  },
 );
-test.serial(
+checkOverlayEnablementMacro.serial(
  checkOverlayEnablementMacro,
  "No overlay-base database on default branch if memory flag is too low",
  {
    languages: [BuiltInLanguage.javascript],
@@ -1379,8 +1364,7 @@ test.serial(
  },
 );
-test.serial(
+checkOverlayEnablementMacro.serial(
  checkOverlayEnablementMacro,
  "Overlay-base database on default branch if memory flag is too low but CodeQL >= 2.24.3",
  {
    languages: [BuiltInLanguage.javascript],
@@ -1398,8 +1382,7 @@ test.serial(
  },
 );
-test.serial(
+checkOverlayEnablementMacro.serial(
  checkOverlayEnablementMacro,
  "Overlay-base database on default branch if memory flag is too low and skip resource checks flag is enabled",
  {
    languages: [BuiltInLanguage.javascript],
@@ -1417,8 +1400,7 @@ test.serial(
  },
 );
-test.serial(
+checkOverlayEnablementMacro.serial(
  checkOverlayEnablementMacro,
  "No overlay-base database on default branch when cached status indicates previous failure",
  {
    languages: [BuiltInLanguage.javascript],
@@ -1435,8 +1417,7 @@ test.serial(
  },
 );
-test.serial(
+checkOverlayEnablementMacro.serial(
  checkOverlayEnablementMacro,
  "No overlay analysis on PR when cached status indicates previous failure",
  {
    languages: [BuiltInLanguage.javascript],
@@ -1453,8 +1434,7 @@ test.serial(
  },
 );
-test.serial(
+checkOverlayEnablementMacro.serial(
  checkOverlayEnablementMacro,
  "No overlay-base database on default branch when code-scanning feature enabled with disable-default-queries",
  {
    languages: [BuiltInLanguage.javascript],
@@ -1464,7 +1444,7 @@ test.serial(
    ],
    codeScanningConfig: {
      "disable-default-queries": true,
-    } as UserConfig,
+    },
    isDefaultBranch: true,
  },
  {
@@ -1472,8 +1452,7 @@ test.serial(
  },
 );
-test.serial(
+checkOverlayEnablementMacro.serial(
  checkOverlayEnablementMacro,
  "No overlay-base database on default branch when code-scanning feature enabled with packs",
  {
    languages: [BuiltInLanguage.javascript],
@@ -1483,7 +1462,7 @@ test.serial(
    ],
    codeScanningConfig: {
      packs: ["some-custom-pack@1.0.0"],
-    } as UserConfig,
+    },
    isDefaultBranch: true,
  },
  {
@@ -1491,8 +1470,7 @@ test.serial(
  },
 );
-test.serial(
+checkOverlayEnablementMacro.serial(
  checkOverlayEnablementMacro,
  "No overlay-base database on default branch when code-scanning feature enabled with queries",
  {
    languages: [BuiltInLanguage.javascript],
@@ -1502,7 +1480,7 @@ test.serial(
    ],
    codeScanningConfig: {
      queries: [{ uses: "some-query.ql" }],
-    } as UserConfig,
+    },
    isDefaultBranch: true,
  },
  {
@@ -1510,8 +1488,7 @@ test.serial(
  },
 );
-test.serial(
+checkOverlayEnablementMacro.serial(
  checkOverlayEnablementMacro,
  "No overlay-base database on default branch when code-scanning feature enabled with query-filters",
  {
    languages: [BuiltInLanguage.javascript],
@@ -1521,7 +1498,7 @@ test.serial(
    ],
    codeScanningConfig: {
      "query-filters": [{ include: { "security-severity": "high" } }],
-    } as UserConfig,
+    },
    isDefaultBranch: true,
  },
  {
@@ -1529,8 +1506,7 @@ test.serial(
  },
 );
-test.serial(
+checkOverlayEnablementMacro.serial(
  checkOverlayEnablementMacro,
  "No overlay-base database on default branch when only language-specific feature enabled",
  {
    languages: [BuiltInLanguage.javascript],
@@ -1542,8 +1518,7 @@ test.serial(
  },
 );
-test.serial(
+checkOverlayEnablementMacro.serial(
  checkOverlayEnablementMacro,
  "No overlay-base database on default branch when only code-scanning feature enabled",
  {
    languages: [BuiltInLanguage.javascript],
@@ -1555,8 +1530,7 @@ test.serial(
  },
 );
-test.serial(
+checkOverlayEnablementMacro.serial(
  checkOverlayEnablementMacro,
  "No overlay-base database on default branch when language-specific feature disabled",
  {
    languages: [BuiltInLanguage.javascript],
@@ -1568,8 +1542,7 @@ test.serial(
  },
 );
-test.serial(
+checkOverlayEnablementMacro.serial(
  checkOverlayEnablementMacro,
  "Overlay analysis on PR when feature enabled",
  {
    languages: [BuiltInLanguage.javascript],
@@ -1582,15 +1555,14 @@ test.serial(
  },
 );
-test.serial(
+checkOverlayEnablementMacro.serial(
  checkOverlayEnablementMacro,
  "Overlay analysis on PR when feature enabled with custom analysis",
  {
    languages: [BuiltInLanguage.javascript],
    features: [Feature.OverlayAnalysis, Feature.OverlayAnalysisJavascript],
    codeScanningConfig: {
      packs: ["some-custom-pack@1.0.0"],
-    } as UserConfig,
+    },
    isPullRequest: true,
  },
  {
@@ -1599,8 +1571,7 @@ test.serial(
  },
 );
-test.serial(
+checkOverlayEnablementMacro.serial(
  checkOverlayEnablementMacro,
  "Overlay analysis on PR when code-scanning feature enabled",
  {
    languages: [BuiltInLanguage.javascript],
@@ -1616,8 +1587,7 @@ test.serial(
  },
 );
-test.serial(
+checkOverlayEnablementMacro.serial(
  checkOverlayEnablementMacro,
  "No overlay analysis on PR if runner disk space is too low",
  {
    languages: [BuiltInLanguage.javascript],
@@ -1636,8 +1606,7 @@ test.serial(
  },
 );
-test.serial(
+checkOverlayEnablementMacro.serial(
  checkOverlayEnablementMacro,
  "Overlay analysis on PR if runner disk space is too low and skip resource checks flag is enabled",
  {
    languages: [BuiltInLanguage.javascript],
@@ -1658,8 +1627,7 @@ test.serial(
  },
 );
-test.serial(
+checkOverlayEnablementMacro.serial(
  checkOverlayEnablementMacro,
  "No overlay analysis on PR if we can't determine runner disk space",
  {
    languages: [BuiltInLanguage.javascript],
@@ -1675,8 +1643,7 @@ test.serial(
  },
 );
-test.serial(
+checkOverlayEnablementMacro.serial(
  checkOverlayEnablementMacro,
  "No overlay analysis on PR if memory flag is too low",
  {
    languages: [BuiltInLanguage.javascript],
@@ -1692,8 +1659,7 @@ test.serial(
  },
 );
-test.serial(
+checkOverlayEnablementMacro.serial(
  checkOverlayEnablementMacro,
  "Overlay analysis on PR if memory flag is too low but CodeQL >= 2.24.3",
  {
    languages: [BuiltInLanguage.javascript],
@@ -1711,8 +1677,7 @@ test.serial(
  },
 );
-test.serial(
+checkOverlayEnablementMacro.serial(
  checkOverlayEnablementMacro,
  "Overlay analysis on PR if memory flag is too low and skip resource checks flag is enabled",
  {
    languages: [BuiltInLanguage.javascript],
@@ -1730,8 +1695,7 @@ test.serial(
  },
 );
-test.serial(
+checkOverlayEnablementMacro.serial(
  checkOverlayEnablementMacro,
  "No overlay analysis on PR when code-scanning feature enabled with disable-default-queries",
  {
    languages: [BuiltInLanguage.javascript],
@@ -1741,7 +1705,7 @@ test.serial(
    ],
    codeScanningConfig: {
      "disable-default-queries": true,
-    } as UserConfig,
+    },
    isPullRequest: true,
  },
  {
@@ -1749,8 +1713,7 @@ test.serial(
  },
 );
-test.serial(
+checkOverlayEnablementMacro.serial(
  checkOverlayEnablementMacro,
  "No overlay analysis on PR when code-scanning feature enabled with packs",
  {
    languages: [BuiltInLanguage.javascript],
@@ -1760,7 +1723,7 @@ test.serial(
    ],
    codeScanningConfig: {
      packs: ["some-custom-pack@1.0.0"],
-    } as UserConfig,
+    },
    isPullRequest: true,
  },
  {
@@ -1768,8 +1731,7 @@ test.serial(
  },
 );
-test.serial(
+checkOverlayEnablementMacro.serial(
  checkOverlayEnablementMacro,
  "No overlay analysis on PR when code-scanning feature enabled with queries",
  {
    languages: [BuiltInLanguage.javascript],
@@ -1779,7 +1741,7 @@ test.serial(
    ],
    codeScanningConfig: {
      queries: [{ uses: "some-query.ql" }],
-    } as UserConfig,
+    },
    isPullRequest: true,
  },
  {
@@ -1787,8 +1749,7 @@ test.serial(
  },
 );
-test.serial(
+checkOverlayEnablementMacro.serial(
  checkOverlayEnablementMacro,
  "No overlay analysis on PR when code-scanning feature enabled with query-filters",
  {
    languages: [BuiltInLanguage.javascript],
@@ -1798,7 +1759,7 @@ test.serial(
    ],
    codeScanningConfig: {
      "query-filters": [{ include: { "security-severity": "high" } }],
-    } as UserConfig,
+    },
    isPullRequest: true,
  },
  {
@@ -1806,8 +1767,7 @@ test.serial(
  },
 );
-test.serial(
+checkOverlayEnablementMacro.serial(
  checkOverlayEnablementMacro,
  "No overlay analysis on PR when only language-specific feature enabled",
  {
    languages: [BuiltInLanguage.javascript],
@@ -1819,8 +1779,7 @@ test.serial(
  },
 );
-test.serial(
+checkOverlayEnablementMacro.serial(
  checkOverlayEnablementMacro,
  "No overlay analysis on PR when only code-scanning feature enabled",
  {
    languages: [BuiltInLanguage.javascript],
@@ -1832,8 +1791,7 @@ test.serial(
  },
 );
-test.serial(
+checkOverlayEnablementMacro.serial(
  checkOverlayEnablementMacro,
  "No overlay analysis on PR when language-specific feature disabled",
  {
    languages: [BuiltInLanguage.javascript],
@@ -1845,8 +1803,7 @@ test.serial(
  },
 );
-test.serial(
+checkOverlayEnablementMacro.serial(
  checkOverlayEnablementMacro,
  "Overlay PR analysis by env",
  {
    overlayDatabaseEnvVar: "overlay",
@@ -1857,8 +1814,7 @@ test.serial(
  },
 );
-test.serial(
+checkOverlayEnablementMacro.serial(
  checkOverlayEnablementMacro,
  "Overlay PR analysis by env on a runner with low disk space",
  {
    overlayDatabaseEnvVar: "overlay",
@@ -1870,8 +1826,7 @@ test.serial(
  },
 );
-test.serial(
+checkOverlayEnablementMacro.serial(
  checkOverlayEnablementMacro,
  "Overlay PR analysis by feature flag",
  {
    languages: [BuiltInLanguage.javascript],
@@ -1884,8 +1839,7 @@ test.serial(
  },
 );
-test.serial(
+checkOverlayEnablementMacro.serial(
  checkOverlayEnablementMacro,
  "Fallback due to autobuild with traced language",
  {
    overlayDatabaseEnvVar: "overlay",
@@ -1897,8 +1851,7 @@ test.serial(
  },
 );
-test.serial(
+checkOverlayEnablementMacro.serial(
  checkOverlayEnablementMacro,
  "Fallback due to no build mode with traced language",
  {
    overlayDatabaseEnvVar: "overlay",
@@ -1910,8 +1863,7 @@ test.serial(
  },
 );
-test.serial(
+checkOverlayEnablementMacro.serial(
  checkOverlayEnablementMacro,
  "Fallback due to old CodeQL version",
  {
    overlayDatabaseEnvVar: "overlay",
@@ -1922,8 +1874,7 @@ test.serial(
  },
 );
-test.serial(
+checkOverlayEnablementMacro.serial(
  checkOverlayEnablementMacro,
  "Fallback due to missing git root",
  {
    overlayDatabaseEnvVar: "overlay",
@@ -1934,8 +1885,7 @@ test.serial(
  },
 );
-test.serial(
+checkOverlayEnablementMacro.serial(
  checkOverlayEnablementMacro,
  "Fallback due to old git version with submodules",
  {
    overlayDatabaseEnvVar: "overlay",
@@ -1947,8 +1897,7 @@ test.serial(
  },
 );
-test.serial(
+checkOverlayEnablementMacro.serial(
  checkOverlayEnablementMacro,
  "Fallback when git version cannot be determined and repo has submodules",
  {
    overlayDatabaseEnvVar: "overlay",
@@ -1960,8 +1909,7 @@ test.serial(
  },
 );
-test.serial(
+checkOverlayEnablementMacro.serial(
  checkOverlayEnablementMacro,
  "Overlay enabled when git version cannot be determined and repo has no submodules",
  {
    overlayDatabaseEnvVar: "overlay",
@@ -1974,8 +1922,7 @@ test.serial(
  },
 );
-test.serial(
+checkOverlayEnablementMacro.serial(
  checkOverlayEnablementMacro,
  "No overlay when disabled via repository property",
  {
    languages: [BuiltInLanguage.javascript],
@@ -1990,8 +1937,7 @@ test.serial(
  },
 );
-test.serial(
+checkOverlayEnablementMacro.serial(
  checkOverlayEnablementMacro,
  "Overlay not disabled when repository property is false",
  {
    languages: [BuiltInLanguage.javascript],
@@ -2007,8 +1953,7 @@ test.serial(
  },
 );
-test.serial(
+checkOverlayEnablementMacro.serial(
  checkOverlayEnablementMacro,
  "Environment variable override takes precedence over repository property",
  {
    overlayDatabaseEnvVar: "overlay",
@@ -2024,8 +1969,7 @@ test.serial(
 // Exercise language-specific overlay analysis features code paths
 for (const language in BuiltInLanguage) {
-  test.serial(
+  checkOverlayEnablementMacro.serial(
    checkOverlayEnablementMacro,
    `Check default overlay analysis feature for ${language}`,
    {
      languages: [language],
@@ -2042,8 +1986,7 @@ for (const language in BuiltInLanguage) {
 // overlay analysis enabled, even when the base overlay feature flag is on.
 // Using swift here as it doesn't currently have overlay support — update this if
 // swift gains overlay support.
-test.serial(
+checkOverlayEnablementMacro.serial(
  checkOverlayEnablementMacro,
  "No overlay analysis for language without per-language overlay feature flag",
  {
    languages: [BuiltInLanguage.swift],
@@ -407,6 +407,7 @@ export async function getLanguages(
  return languages;
 }
 /** Splits the `languages` input into a list of raw languages without checking if they are supported by CodeQL. */
 export function getRawLanguagesNoAutodetect(
  languagesInput: string | undefined,
 ): string[] {
@@ -7,6 +7,7 @@ import {
  checkExpectedLogMessages,
  getRecordingLogger,
  LoggedMessage,
  makeMacro,
 } from "../testing-utils";
 import { ConfigurationError, prettyPrintPack } from "../util";
@@ -15,7 +16,7 @@ import * as dbConfig from "./db-config";
 /**
 * Test macro for ensuring the packs block is valid
 */
-const parsePacksMacro = test.macro({
+const parsePacksMacro = makeMacro({
  exec: (
    t: ExecutionContext<unknown>,
    packsInput: string,
@@ -33,7 +34,7 @@ const parsePacksMacro = test.macro({
 /**
 * Test macro for testing when the packs block is invalid
 */
-const parsePacksErrorMacro = test.macro({
+const parsePacksErrorMacro = makeMacro({
  exec: (
    t: ExecutionContext<unknown>,
    packsInput: string,
@@ -49,34 +50,32 @@ const parsePacksErrorMacro = test.macro({
 /**
 * Test macro for testing when the packs block is invalid
 */
-const invalidPackNameMacro = test.macro({
+const invalidPackNameMacro = makeMacro({
-  exec: (t: ExecutionContext, name: string) =>
+  exec: (t: ExecutionContext, arg: string) =>
-    parsePacksErrorMacro.exec(
+    parsePacksErrorMacro.fn(
      t,
-      name,
+      arg,
      [BuiltInLanguage.cpp],
-      new RegExp(`^"${name}" is not a valid pack$`),
+      new RegExp(`^"${arg}" is not a valid pack$`),
    ),
  title: (_providedTitle: string | undefined, arg: string | undefined) =>
    `Invalid pack string: ${arg}`,
 });
-test("no packs", parsePacksMacro, "", [], undefined);
+parsePacksMacro("no packs", "", [], undefined);
-test("two packs", parsePacksMacro, "a/b,c/d@1.2.3", [BuiltInLanguage.cpp], {
+parsePacksMacro("two packs", "a/b,c/d@1.2.3", [BuiltInLanguage.cpp], {
  [BuiltInLanguage.cpp]: ["a/b", "c/d@1.2.3"],
 });
-test(
+parsePacksMacro(
  "two packs with spaces",
  parsePacksMacro,
  " a/b , c/d@1.2.3 ",
  [BuiltInLanguage.cpp],
  {
    [BuiltInLanguage.cpp]: ["a/b", "c/d@1.2.3"],
  },
 );
-test(
+parsePacksErrorMacro(
  "two packs with language",
  parsePacksErrorMacro,
  "a/b,c/d@1.2.3",
  [BuiltInLanguage.cpp, BuiltInLanguage.java],
  new RegExp(
@@ -85,9 +84,8 @@ test(
  ),
 );
-test(
+parsePacksMacro(
  "packs with other valid names",
  parsePacksMacro,
  [
    // ranges are ok
    "c/d@1.0",
@@ -123,23 +121,23 @@ test(
  },
 );
-test(invalidPackNameMacro, "c"); // all packs require at least a scope and a name
+invalidPackNameMacro.test("c"); // all packs require at least a scope and a name
-test(invalidPackNameMacro, "c-/d");
+invalidPackNameMacro.test("c-/d");
-test(invalidPackNameMacro, "-c/d");
+invalidPackNameMacro.test("-c/d");
-test(invalidPackNameMacro, "c/d_d");
+invalidPackNameMacro.test("c/d_d");
-test(invalidPackNameMacro, "c/d@@");
+invalidPackNameMacro.test("c/d@@");
-test(invalidPackNameMacro, "c/d@1.0.0:");
+invalidPackNameMacro.test("c/d@1.0.0:");
-test(invalidPackNameMacro, "c/d:");
+invalidPackNameMacro.test("c/d:");
-test(invalidPackNameMacro, "c/d:/a");
+invalidPackNameMacro.test("c/d:/a");
-test(invalidPackNameMacro, "@1.0.0:a");
+invalidPackNameMacro.test("@1.0.0:a");
-test(invalidPackNameMacro, "c/d@../a");
+invalidPackNameMacro.test("c/d@../a");
-test(invalidPackNameMacro, "c/d@b/../a");
+invalidPackNameMacro.test("c/d@b/../a");
-test(invalidPackNameMacro, "c/d:z@1");
+invalidPackNameMacro.test("c/d:z@1");
 /**
 * Test macro for pretty printing pack specs
 */
-const packSpecPrettyPrintingMacro = test.macro({
+const packSpecPrettyPrintingMacro = makeMacro({
  exec: (t: ExecutionContext, packStr: string, packObj: dbConfig.Pack) => {
    const parsed = dbConfig.parsePacksSpecification(packStr);
    t.deepEqual(parsed, packObj, "parsed pack spec is correct");
@@ -163,36 +161,35 @@ const packSpecPrettyPrintingMacro = test.macro({
  ) => `Prettyprint pack spec: '${packStr}'`,
 });
-test(packSpecPrettyPrintingMacro, "a/b", {
+packSpecPrettyPrintingMacro.test("a/b", {
  name: "a/b",
  version: undefined,
  path: undefined,
 });
-test(packSpecPrettyPrintingMacro, "a/b@~1.2.3", {
+packSpecPrettyPrintingMacro.test("a/b@~1.2.3", {
  name: "a/b",
  version: "~1.2.3",
  path: undefined,
 });
-test(packSpecPrettyPrintingMacro, "a/b@~1.2.3:abc/def", {
+packSpecPrettyPrintingMacro.test("a/b@~1.2.3:abc/def", {
  name: "a/b",
  version: "~1.2.3",
  path: "abc/def",
 });
-test(packSpecPrettyPrintingMacro, "a/b:abc/def", {
+packSpecPrettyPrintingMacro.test("a/b:abc/def", {
  name: "a/b",
  version: undefined,
  path: "abc/def",
 });
-test(packSpecPrettyPrintingMacro, "    a/b:abc/def    ", {
+packSpecPrettyPrintingMacro.test("    a/b:abc/def    ", {
  name: "a/b",
  version: undefined,
  path: "abc/def",
 });
-const calculateAugmentationMacro = test.macro({
+const calculateAugmentationMacro = makeMacro({
  exec: async (
    t: ExecutionContext,
    _title: string,
    rawPacksInput: string | undefined,
    rawQueriesInput: string | undefined,
    languages: Language[],
@@ -207,11 +204,10 @@ const calculateAugmentationMacro = test.macro({
    );
    t.deepEqual(actualAugmentationProperties, expectedAugmentationProperties);
  },
-  title: (_, title) => `Calculate Augmentation: ${title}`,
+  title: (title) => `Calculate Augmentation: ${title}`,
 });
-test(
+calculateAugmentationMacro(
  calculateAugmentationMacro,
  "All empty",
  undefined,
  undefined,
@@ -222,8 +218,7 @@ test(
  },
 );
-test(
+calculateAugmentationMacro(
  calculateAugmentationMacro,
  "With queries",
  undefined,
  " a, b , c, d",
@@ -235,8 +230,7 @@ test(
  },
 );
-test(
+calculateAugmentationMacro(
  calculateAugmentationMacro,
  "With queries combining",
  undefined,
  "   +   a, b , c, d ",
@@ -249,8 +243,7 @@ test(
  },
 );
-test(
+calculateAugmentationMacro(
  calculateAugmentationMacro,
  "With packs",
  "   codeql/a , codeql/b   , codeql/c  , codeql/d  ",
  undefined,
@@ -262,8 +255,7 @@ test(
  },
 );
-test(
+calculateAugmentationMacro(
  calculateAugmentationMacro,
  "With packs combining",
  "   +   codeql/a, codeql/b, codeql/c, codeql/d",
  undefined,
@@ -276,8 +268,7 @@ test(
  },
 );
-test(
+calculateAugmentationMacro(
  calculateAugmentationMacro,
  "With repo property queries",
  undefined,
  undefined,
@@ -294,8 +285,7 @@ test(
  },
 );
-test(
+calculateAugmentationMacro(
  calculateAugmentationMacro,
  "With repo property queries combining",
  undefined,
  undefined,
@@ -312,10 +302,9 @@ test(
  },
 );
-const calculateAugmentationErrorMacro = test.macro({
+const calculateAugmentationErrorMacro = makeMacro({
  exec: async (
    t: ExecutionContext,
    _title: string,
    rawPacksInput: string | undefined,
    rawQueriesInput: string | undefined,
    languages: Language[],
@@ -333,11 +322,10 @@ const calculateAugmentationErrorMacro = test.macro({
      { message: expectedError },
    );
  },
-  title: (_, title) => `Calculate Augmentation Error: ${title}`,
+  title: (title) => `Calculate Augmentation Error: ${title}`,
 });
-test(
+calculateAugmentationErrorMacro(
  calculateAugmentationErrorMacro,
  "Plus (+) with nothing else (queries)",
  undefined,
  "   +   ",
@@ -346,8 +334,7 @@ test(
  /The workflow property "queries" is invalid/,
 );
-test(
+calculateAugmentationErrorMacro(
  calculateAugmentationErrorMacro,
  "Plus (+) with nothing else (packs)",
  "   +   ",
  undefined,
@@ -356,8 +343,7 @@ test(
  /The workflow property "packs" is invalid/,
 );
-test(
+calculateAugmentationErrorMacro(
  calculateAugmentationErrorMacro,
  "Plus (+) with nothing else (repo property queries)",
  undefined,
  undefined,
@@ -368,8 +354,7 @@ test(
  /The repository property "github-codeql-extra-queries" is invalid/,
 );
-test(
+calculateAugmentationErrorMacro(
  calculateAugmentationErrorMacro,
  "Packs input with multiple languages",
  "   +  a/b, c/d ",
  undefined,
@@ -378,8 +363,7 @@ test(
  /Cannot specify a 'packs' input in a multi-language analysis/,
 );
-test(
+calculateAugmentationErrorMacro(
  calculateAugmentationErrorMacro,
  "Packs input with no languages",
  "   +  a/b, c/d ",
  undefined,
@@ -388,8 +372,7 @@ test(
  /No languages specified/,
 );
-test(
+calculateAugmentationErrorMacro(
  calculateAugmentationErrorMacro,
  "Invalid packs",
  " a-pack-without-a-scope ",
  undefined,
@@ -263,7 +263,7 @@ export function getArtifactSuffix(matrix: string | undefined): string {
    try {
      const matrixObject = JSON.parse(matrix);
      if (json.isObject(matrixObject)) {
-        for (const matrixKey of Object.keys(matrixObject as object).sort())
+        for (const matrixKey of Object.keys(matrixObject).sort())
          suffix += `-${matrixObject[matrixKey]}`;
      } else {
        core.warning("User-specified `matrix` input is not an object.");
@@ -1,6 +1,6 @@
 {
-  "bundleVersion": "codeql-bundle-v2.25.3",
+  "bundleVersion": "codeql-bundle-v2.25.4",
-  "cliVersion": "2.25.3",
+  "cliVersion": "2.25.4",
-  "priorBundleVersion": "codeql-bundle-v2.25.2",
+  "priorBundleVersion": "codeql-bundle-v2.25.3",
-  "priorCliVersion": "2.25.2"
+  "priorCliVersion": "2.25.3"
 }
@@ -16,6 +16,7 @@ import {
  mockCodeQLVersion,
  mockFeatureFlagApiEndpoint,
  setupActionsVars,
  makeMacro,
 } from "./testing-utils";
 import { GitHubVariant, withTmpDir } from "./util";
 import type { GitHubVersion } from "./util";
@@ -42,10 +43,9 @@ const defaultTestCase: DiffInformedAnalysisTestCase = {
  codeQLVersion: "2.21.0",
 };
-const testShouldPerformDiffInformedAnalysis = test.macro({
+const testShouldPerformDiffInformedAnalysis = makeMacro({
  exec: async (
    t: ExecutionContext,
    _title: string,
    partialTestCase: Partial<DiffInformedAnalysisTestCase>,
    expectedResult: boolean,
  ) => {
@@ -94,18 +94,16 @@ const testShouldPerformDiffInformedAnalysis = test.macro({
      getPullRequestBranchesStub.restore();
    });
  },
-  title: (_, title) => `shouldPerformDiffInformedAnalysis: ${title}`,
+  title: (title) => `shouldPerformDiffInformedAnalysis: ${title}`,
 });
-test.serial(
+testShouldPerformDiffInformedAnalysis.serial(
  testShouldPerformDiffInformedAnalysis,
  "returns true in the default test case",
  {},
  true,
 );
-test.serial(
+testShouldPerformDiffInformedAnalysis.serial(
  testShouldPerformDiffInformedAnalysis,
  "returns false when feature flag is disabled from the API",
  {
    featureEnabled: false,
@@ -113,8 +111,7 @@ test.serial(
  false,
 );
-test.serial(
+testShouldPerformDiffInformedAnalysis.serial(
  testShouldPerformDiffInformedAnalysis,
  "returns false when CODEQL_ACTION_DIFF_INFORMED_QUERIES is set to false",
  {
    featureEnabled: true,
@@ -123,8 +120,7 @@ test.serial(
  false,
 );
-test.serial(
+testShouldPerformDiffInformedAnalysis.serial(
  testShouldPerformDiffInformedAnalysis,
  "returns true when CODEQL_ACTION_DIFF_INFORMED_QUERIES is set to true",
  {
    featureEnabled: false,
@@ -133,8 +129,7 @@ test.serial(
  true,
 );
-test.serial(
+testShouldPerformDiffInformedAnalysis.serial(
  testShouldPerformDiffInformedAnalysis,
  "returns false for CodeQL version 2.20.0",
  {
    codeQLVersion: "2.20.0",
@@ -142,8 +137,7 @@ test.serial(
  false,
 );
-test.serial(
+testShouldPerformDiffInformedAnalysis.serial(
  testShouldPerformDiffInformedAnalysis,
  "returns false for invalid GHES version",
  {
    gitHubVersion: {
@@ -154,8 +148,7 @@ test.serial(
  false,
 );
-test.serial(
+testShouldPerformDiffInformedAnalysis.serial(
  testShouldPerformDiffInformedAnalysis,
  "returns false for GHES version 3.18.5",
  {
    gitHubVersion: {
@@ -166,8 +159,7 @@ test.serial(
  false,
 );
-test.serial(
+testShouldPerformDiffInformedAnalysis.serial(
  testShouldPerformDiffInformedAnalysis,
  "returns true for GHES version 3.19.0",
  {
    gitHubVersion: {
@@ -178,8 +170,7 @@ test.serial(
  true,
 );
-test.serial(
+testShouldPerformDiffInformedAnalysis.serial(
  testShouldPerformDiffInformedAnalysis,
  "returns false when not a pull request",
  {
    pullRequestBranches: undefined,
@@ -451,12 +451,16 @@ test.serial(`selects CLI from defaults.json on GHES`, async (t) => {
  await withTmpDir(async (tmpDir) => {
    const features = setUpFeatureFlagTests(tmpDir);
-    const defaultCliVersion = await features.getDefaultCliVersion(
+    const defaultCliVersion = await features.getEnabledDefaultCliVersions(
      GitHubVariant.GHES,
    );
    t.deepEqual(defaultCliVersion, {
-      cliVersion: defaults.cliVersion,
+      enabledVersions: [
-      tagName: defaults.bundleVersion,
+        {
          cliVersion: defaults.cliVersion,
          tagName: defaults.bundleVersion,
        },
      ],
    });
  });
 });
@@ -482,10 +486,13 @@ for (const variant of [GitHubVariant.DOTCOM, GitHubVariant.GHEC_DR]) {
          false;
        mockFeatureFlagApiEndpoint(200, expectedFeatureEnablement);
-        const defaultCliVersion = await features.getDefaultCliVersion(variant);
+        const defaultCliVersion =
          await features.getEnabledDefaultCliVersions(variant);
        t.deepEqual(defaultCliVersion, {
-          cliVersion: "2.20.1",
+          enabledVersions: [
-          tagName: "codeql-bundle-v2.20.1",
+            { cliVersion: "2.20.1", tagName: "codeql-bundle-v2.20.1" },
            { cliVersion: "2.20.0", tagName: "codeql-bundle-v2.20.0" },
          ],
          toolsFeatureFlagsValid: true,
        });
      });
@@ -500,10 +507,15 @@ for (const variant of [GitHubVariant.DOTCOM, GitHubVariant.GHEC_DR]) {
        const expectedFeatureEnablement = initializeFeatures(true);
        mockFeatureFlagApiEndpoint(200, expectedFeatureEnablement);
-        const defaultCliVersion = await features.getDefaultCliVersion(variant);
+        const defaultCliVersion =
          await features.getEnabledDefaultCliVersions(variant);
        t.deepEqual(defaultCliVersion, {
-          cliVersion: defaults.cliVersion,
+          enabledVersions: [
-          tagName: defaults.bundleVersion,
+            {
              cliVersion: defaults.cliVersion,
              tagName: defaults.bundleVersion,
            },
          ],
          toolsFeatureFlagsValid: false,
        });
      });
@@ -529,10 +541,13 @@ for (const variant of [GitHubVariant.DOTCOM, GitHubVariant.GHEC_DR]) {
        ] = true;
        mockFeatureFlagApiEndpoint(200, expectedFeatureEnablement);
-        const defaultCliVersion = await features.getDefaultCliVersion(variant);
+        const defaultCliVersion =
          await features.getEnabledDefaultCliVersions(variant);
        t.deepEqual(defaultCliVersion, {
-          cliVersion: "2.20.1",
+          enabledVersions: [
-          tagName: "codeql-bundle-v2.20.1",
+            { cliVersion: "2.20.1", tagName: "codeql-bundle-v2.20.1" },
            { cliVersion: "2.20.0", tagName: "codeql-bundle-v2.20.0" },
          ],
          toolsFeatureFlagsValid: true,
        });
@@ -29,9 +29,32 @@ const DEFAULT_VERSION_FEATURE_FLAG_SUFFIX = "_enabled";
 */
 export const CODEQL_VERSION_ZSTD_BUNDLE = "2.19.0";
-export interface CodeQLDefaultVersionInfo {
+const LINKED_CODEQL_VERSION: CodeQLVersionInfo = {
  cliVersion: defaults.cliVersion,
  tagName: defaults.bundleVersion,
 };
 export interface CodeQLVersionInfo {
  /** The version number of the CodeQL CLI, e.g. `2.19.0`. */
  cliVersion: string;
  /**
   * The tag name of the CodeQL Bundle associated with this version, e.g. `codeql-bundle-v2.19.0`.
   */
  tagName: string;
 }
 export interface CodeQLDefaultVersionInfo {
  /**
   * CodeQL CLI versions that are enabled as defaults, sorted from highest to lowest.
   *
   * Guaranteed to be non-empty. When feature flags are unavailable, this falls back to a single
   * entry containing the version pinned in `defaults.json`.
   */
  enabledVersions: CodeQLVersionInfo[];
  /**
   * If accessed, whether the tools feature flags are valid, i.e. contain at least one enabled
   * version.
   */
  toolsFeatureFlagsValid?: boolean;
 }
@@ -44,6 +67,8 @@ export interface CodeQLDefaultVersionInfo {
 * Legacy features should end with `_enabled`.
 */
 export enum Feature {
  /** Controls whether we allow multiple values for the `analysis-kinds` input. */
  AllowMultipleAnalysisKinds = "allow_multiple_analysis_kinds",
  AllowToolcacheInput = "allow_toolcache_input",
  CleanupTrapCaches = "cleanup_trap_caches",
  CppDependencyInstallation = "cpp_dependency_installation_enabled",
@@ -72,6 +97,19 @@ export enum Feature {
  OverlayAnalysisGo = "overlay_analysis_go",
  OverlayAnalysisJava = "overlay_analysis_java",
  OverlayAnalysisJavascript = "overlay_analysis_javascript",
  /**
   * When set, chooses the default CodeQL CLI version as the highest version that is both enabled by
   * feature flags and present as an overlay-base database in the Actions cache for the configured
   * languages. Falls back to the highest feature flagged version if no intersecting overlay-base
   * database exists in the cache.
   */
  OverlayAnalysisMatchCodeqlVersion = "overlay_analysis_match_codeql_version",
  /**
   * Like `OverlayAnalysisMatchCodeqlVersion`, but only logs a diagnostic with the version that
   * would have been chosen instead of actually changing the default CodeQL CLI version.
   * `OverlayAnalysisMatchCodeqlVersion` overrides this flag.
   */
  OverlayAnalysisMatchCodeqlVersionDryRun = "overlay_analysis_match_codeql_version_dry_run",
  OverlayAnalysisPython = "overlay_analysis_python",
  /**
   * Controls whether lower disk space requirements are used for overlay hardware checks.
@@ -124,6 +162,11 @@ export type FeatureConfig = {
 };
 export const featureConfig = {
  [Feature.AllowMultipleAnalysisKinds]: {
    defaultValue: false,
    envVar: "CODEQL_ACTION_ALLOW_MULTIPLE_ANALYSIS_KINDS",
    minimumVersion: undefined,
  },
  [Feature.AllowToolcacheInput]: {
    defaultValue: false,
    envVar: "CODEQL_ACTION_ALLOW_TOOLCACHE_INPUT",
@@ -277,6 +320,16 @@ export const featureConfig = {
    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_DISABLE_TRAP_CACHING",
    minimumVersion: undefined,
  },
  [Feature.OverlayAnalysisMatchCodeqlVersion]: {
    defaultValue: false,
    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_MATCH_CODEQL_VERSION",
    minimumVersion: undefined,
  },
  [Feature.OverlayAnalysisMatchCodeqlVersionDryRun]: {
    defaultValue: false,
    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_MATCH_CODEQL_VERSION_DRY_RUN",
    minimumVersion: undefined,
  },
  [Feature.OverlayAnalysisResourceChecksV2]: {
    defaultValue: false,
    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_RESOURCE_CHECKS_V2",
@@ -346,8 +399,12 @@ export type FeatureWithoutCLI = {
 }[keyof typeof featureConfig];
 export interface FeatureEnablement {
-  /** Gets the default version of the CodeQL tools. */
+  /**
-  getDefaultCliVersion(
+   * Returns the set of default CodeQL CLI versions to consider, sorted from
   * highest to lowest. The first entry is the version that the CodeQL Action
   * will use by default. The list is always non-empty.
   */
  getEnabledDefaultCliVersions(
    variant: util.GitHubVariant,
  ): Promise<CodeQLDefaultVersionInfo>;
  getValue(feature: FeatureWithoutCLI): Promise<boolean>;
@@ -371,12 +428,11 @@ export const FEATURE_FLAGS_FILE_NAME = "cached-feature-flags.json";
 class OfflineFeatures implements FeatureEnablement {
  constructor(protected readonly logger: Logger) {}
-  async getDefaultCliVersion(
+  async getEnabledDefaultCliVersions(
    _variant: util.GitHubVariant,
  ): Promise<CodeQLDefaultVersionInfo> {
    return {
-      cliVersion: defaults.cliVersion,
+      enabledVersions: [LINKED_CODEQL_VERSION],
      tagName: defaults.bundleVersion,
    };
  }
@@ -386,7 +442,7 @@ class OfflineFeatures implements FeatureEnablement {
  getFeatureConfig(feature: Feature): FeatureConfig {
    // Narrow the type to FeatureConfig to avoid type errors. To avoid unsafe use of `as`, we
    // check that the required properties exist using `satisfies`.
-    return featureConfig[feature] satisfies FeatureConfig as FeatureConfig;
+    return featureConfig[feature] satisfies FeatureConfig;
  }
  /**
@@ -518,13 +574,13 @@ class Features extends OfflineFeatures {
    );
  }
-  async getDefaultCliVersion(
+  async getEnabledDefaultCliVersions(
    variant: util.GitHubVariant,
  ): Promise<CodeQLDefaultVersionInfo> {
    if (supportsFeatureFlags(variant)) {
-      return await this.gitHubFeatureFlags.getDefaultCliVersionFromFlags();
+      return await this.gitHubFeatureFlags.getEnabledDefaultCliVersionsFromFlags();
    }
-    return super.getDefaultCliVersion(variant);
+    return super.getEnabledDefaultCliVersions(variant);
  }
  /**
@@ -600,16 +656,22 @@ class GitHubFeatureFlags {
    return version;
  }
-  async getDefaultCliVersionFromFlags(): Promise<CodeQLDefaultVersionInfo> {
+  /**
   * Returns CLI versions enabled by `default_codeql_version_*_enabled` feature
   * flags, sorted from highest to lowest. Falls back to the version pinned in
   * `defaults.json` if no such flags are enabled.
   */
  async getEnabledDefaultCliVersionsFromFlags(): Promise<CodeQLDefaultVersionInfo> {
    const response = await this.getAllFeatures();
-    const enabledFeatureFlagCliVersions = Object.entries(response)
+    const sortedCliVersions = Object.entries(response)
      .map(([f, isEnabled]) =>
        isEnabled ? this.getCliVersionFromFeatureFlag(f) : undefined,
      )
-      .filter((f): f is string => f !== undefined);
+      .filter((f): f is string => f !== undefined)
      .sort(semver.rcompare);
-    if (enabledFeatureFlagCliVersions.length === 0) {
+    if (sortedCliVersions.length === 0) {
      // We expect at least one default CLI version to be enabled on Dotcom at any time. However if
      // the feature flags are misconfigured, rather than crashing, we fall back to the CLI version
      // shipped with the Action in defaults.json. This has the effect of immediately rolling out
@@ -625,8 +687,7 @@ class GitHubFeatureFlags {
          `shipped with the Action. This is ${defaults.cliVersion}.`,
      );
      const result: CodeQLDefaultVersionInfo = {
-        cliVersion: defaults.cliVersion,
+        enabledVersions: [LINKED_CODEQL_VERSION],
        tagName: defaults.bundleVersion,
      };
      if (this.hasAccessedRemoteFeatureFlags) {
        result.toolsFeatureFlagsValid = false;
@@ -634,17 +695,14 @@ class GitHubFeatureFlags {
      return result;
    }
    const maxCliVersion = enabledFeatureFlagCliVersions.reduce(
      (maxVersion, currentVersion) =>
        currentVersion > maxVersion ? currentVersion : maxVersion,
      enabledFeatureFlagCliVersions[0],
    );
    this.logger.debug(
-      `Derived default CLI version of ${maxCliVersion} from feature flags.`,
+      `Derived default CLI version of ${sortedCliVersions[0]} from feature flags.`,
    );
    return {
-      cliVersion: maxCliVersion,
+      enabledVersions: sortedCliVersions.map((cliVersion) => ({
-      tagName: `codeql-bundle-v${maxCliVersion}`,
+        cliVersion,
        tagName: `codeql-bundle-v${cliVersion}`,
      })),
      toolsFeatureFlagsValid: true,
    };
  }
@@ -19,6 +19,7 @@ import {
  createFeatures,
  createTestConfig,
  DEFAULT_ACTIONS_VARS,
  makeMacro,
  makeVersionInfo,
  RecordingLogger,
  setupActionsVars,
@@ -601,7 +602,7 @@ async function testFailedSarifUpload(
  uploadFiles.resolves({
    sarifID: "42",
    statusReport: { raw_upload_size_bytes: 20, zipped_upload_size_bytes: 10 },
-  } as uploadLib.UploadResult);
+  });
  const waitForProcessing = sinon.stub(uploadLib, "waitForProcessing");
  const features = [] as Feature[];
@@ -796,7 +797,7 @@ test.serial(
  },
 );
-const skippedUploadTest = test.macro({
+const skippedUploadTest = makeMacro({
  exec: async (
    t: ExecutionContext<unknown>,
    config: Partial<configUtils.Config>,
@@ -823,9 +824,8 @@ const skippedUploadTest = test.macro({
    `tryUploadSarifIfRunFailed - skips upload ${providedTitle}`,
 });
-test.serial(
+skippedUploadTest.serial(
  "without CodeQL command",
  skippedUploadTest,
  // No codeQLCmd
  {
    analysisKinds: [AnalysisKind.RiskAssessment],
@@ -834,9 +834,8 @@ test.serial(
  "CodeQL command not found",
 );
-test.serial(
+skippedUploadTest.serial(
  "if no language is configured",
  skippedUploadTest,
  // No explicit language configuration
  {
    analysisKinds: [AnalysisKind.RiskAssessment],
@@ -845,9 +844,8 @@ test.serial(
  "Unexpectedly, the configuration is not for a single language.",
 );
-test.serial(
+skippedUploadTest.serial(
  "if multiple languages is configured",
  skippedUploadTest,
  // Multiple explicit languages configured
  {
    analysisKinds: [AnalysisKind.RiskAssessment],
@@ -281,7 +281,7 @@ async function run(startedAt: Date) {
    // successful, the results are cached so that we don't duplicate the work in normal runs.
    let analysisKinds: AnalysisKind[] | undefined;
    try {
-      analysisKinds = await getAnalysisKinds(logger);
+      analysisKinds = await getAnalysisKinds(logger, features);
    } catch (err) {
      logger.debug(
        `Failed to parse analysis kinds for 'starting' status report: ${getErrorMessage(err)}`,
@@ -298,16 +298,23 @@ async function run(startedAt: Date) {
      );
    }
-    const codeQLDefaultVersionInfo = await features.getDefaultCliVersion(
+    const codeQLDefaultVersionInfo =
-      gitHubVersion.type,
+      await features.getEnabledDefaultCliVersions(gitHubVersion.type);
    );
    toolsFeatureFlagsValid = codeQLDefaultVersionInfo.toolsFeatureFlagsValid;
    const rawLanguages = configUtils.getRawLanguagesNoAutodetect(
      getOptionalInput("languages"),
    );
    const useOverlayAwareDefaultCliVersion =
      analysisKinds?.length === 1 &&
      analysisKinds[0] === AnalysisKind.CodeScanning;
    const initCodeQLResult = await initCodeQL(
      getOptionalInput("tools"),
      apiDetails,
      getTemporaryDirectory(),
      gitHubVersion.type,
      codeQLDefaultVersionInfo,
      rawLanguages,
      useOverlayAwareDefaultCliVersion,
      features,
      logger,
    );
@@ -346,7 +353,7 @@ async function run(startedAt: Date) {
      }
    }
-    analysisKinds = await getAnalysisKinds(logger);
+    analysisKinds = await getAnalysisKinds(logger, features);
    const debugMode = getOptionalInput("debug") === "true" || core.isDebug();
    const repositoryProperties = repositoryPropertiesResult.orElse({});
    const fileCoverageResult = await getFileCoverageInformationEnabled(
@@ -22,6 +22,7 @@ import {
  createTestConfig,
  getRecordingLogger,
  setupTests,
  makeMacro,
 } from "./testing-utils";
 import { ConfigurationError, withTmpDir } from "./util";
@@ -158,10 +159,9 @@ type PackInfo = {
  qlpackFileName?: string;
 };
-const testCheckPacksForOverlayCompatibility = test.macro({
+const testCheckPacksForOverlayCompatibility = makeMacro({
  exec: async (
    t: ExecutionContext,
    _title: string,
    {
      cliOverlayVersion,
      languages,
@@ -234,11 +234,10 @@ const testCheckPacksForOverlayCompatibility = test.macro({
      );
    });
  },
-  title: (_, title) => `checkPacksForOverlayCompatibility: ${title}`,
+  title: (title) => `checkPacksForOverlayCompatibility: ${title}`,
 });
-test(
+testCheckPacksForOverlayCompatibility(
  testCheckPacksForOverlayCompatibility,
  "returns false when CLI does not support overlay",
  {
    cliOverlayVersion: undefined,
@@ -253,8 +252,7 @@ test(
  },
 );
-test(
+testCheckPacksForOverlayCompatibility(
  testCheckPacksForOverlayCompatibility,
  "returns true when there are no query packs",
  {
    cliOverlayVersion: 2,
@@ -264,8 +262,7 @@ test(
  },
 );
-test(
+testCheckPacksForOverlayCompatibility(
  testCheckPacksForOverlayCompatibility,
  "returns true when query pack has not been compiled",
  {
    cliOverlayVersion: 2,
@@ -281,8 +278,7 @@ test(
  },
 );
-test(
+testCheckPacksForOverlayCompatibility(
  testCheckPacksForOverlayCompatibility,
  "returns true when query pack has expected overlay version",
  {
    cliOverlayVersion: 2,
@@ -297,8 +293,7 @@ test(
  },
 );
-test(
+testCheckPacksForOverlayCompatibility(
  testCheckPacksForOverlayCompatibility,
  "returns true when query packs for all languages to analyze are compatible",
  {
    cliOverlayVersion: 2,
@@ -317,8 +312,7 @@ test(
  },
 );
-test(
+testCheckPacksForOverlayCompatibility(
  testCheckPacksForOverlayCompatibility,
  "returns true when query pack for a language not analyzed is incompatible",
  {
    cliOverlayVersion: 2,
@@ -337,8 +331,7 @@ test(
  },
 );
-test(
+testCheckPacksForOverlayCompatibility(
  testCheckPacksForOverlayCompatibility,
  "returns false when query pack for a language to analyze is incompatible",
  {
    cliOverlayVersion: 2,
@@ -357,8 +350,7 @@ test(
  },
 );
-test(
+testCheckPacksForOverlayCompatibility(
  testCheckPacksForOverlayCompatibility,
  "returns false when query pack is missing .packinfo",
  {
    cliOverlayVersion: 2,
@@ -377,8 +369,7 @@ test(
  },
 );
-test(
+testCheckPacksForOverlayCompatibility(
  testCheckPacksForOverlayCompatibility,
  "returns false when query pack has different overlay version",
  {
    cliOverlayVersion: 2,
@@ -397,8 +388,7 @@ test(
  },
 );
-test(
+testCheckPacksForOverlayCompatibility(
  testCheckPacksForOverlayCompatibility,
  "returns false when query pack is missing overlayVersion in .packinfo",
  {
    cliOverlayVersion: 2,
@@ -417,8 +407,7 @@ test(
  },
 );
-test(
+testCheckPacksForOverlayCompatibility(
  testCheckPacksForOverlayCompatibility,
  "returns false when .packinfo is not valid JSON",
  {
    cliOverlayVersion: 2,
@@ -437,8 +426,7 @@ test(
  },
 );
-test(
+testCheckPacksForOverlayCompatibility(
  testCheckPacksForOverlayCompatibility,
  "returns true when query pack uses codeql-pack.yml filename",
  {
    cliOverlayVersion: 2,
@@ -39,6 +39,8 @@ export async function initCodeQL(
  tempDir: string,
  variant: util.GitHubVariant,
  defaultCliVersion: CodeQLDefaultVersionInfo,
  rawLanguages: string[] | undefined,
  useOverlayAwareDefaultCliVersion: boolean,
  features: FeatureEnablement,
  logger: Logger,
 ): Promise<{
@@ -61,6 +63,8 @@ export async function initCodeQL(
    tempDir,
    variant,
    defaultCliVersion,
    rawLanguages,
    useOverlayAwareDefaultCliVersion,
    features,
    logger,
    true,
@@ -13,6 +13,7 @@ import { BuiltInLanguage } from "../languages";
 import { getRunnerLogger } from "../logging";
 import {
  createTestConfig,
  makeMacro,
  mockCodeQLVersion,
  setupTests,
 } from "../testing-utils";
@@ -51,10 +52,9 @@ const defaultDownloadTestCase: DownloadOverlayBaseDatabaseTestCase = {
  resolveDatabaseOutput: { overlayBaseSpecifier: "20250626:XXX" },
 };
-const testDownloadOverlayBaseDatabaseFromCache = test.macro({
+const testDownloadOverlayBaseDatabaseFromCache = makeMacro({
  exec: async (
    t,
    _title: string,
    partialTestCase: Partial<DownloadOverlayBaseDatabaseTestCase>,
    expectDownloadSuccess: boolean,
  ) => {
@@ -142,18 +142,16 @@ const testDownloadOverlayBaseDatabaseFromCache = test.macro({
      }
    });
  },
-  title: (_, title) => `downloadOverlayBaseDatabaseFromCache: ${title}`,
+  title: (title) => `downloadOverlayBaseDatabaseFromCache: ${title}`,
 });
-test.serial(
+testDownloadOverlayBaseDatabaseFromCache.serial(
  testDownloadOverlayBaseDatabaseFromCache,
  "returns stats when successful",
  {},
  true,
 );
-test.serial(
+testDownloadOverlayBaseDatabaseFromCache.serial(
  testDownloadOverlayBaseDatabaseFromCache,
  "returns undefined when mode is OverlayDatabaseMode.OverlayBase",
  {
    overlayDatabaseMode: OverlayDatabaseMode.OverlayBase,
@@ -161,8 +159,7 @@ test.serial(
  false,
 );
-test.serial(
+testDownloadOverlayBaseDatabaseFromCache.serial(
  testDownloadOverlayBaseDatabaseFromCache,
  "returns undefined when mode is OverlayDatabaseMode.None",
  {
    overlayDatabaseMode: OverlayDatabaseMode.None,
@@ -170,8 +167,7 @@ test.serial(
  false,
 );
-test.serial(
+testDownloadOverlayBaseDatabaseFromCache.serial(
  testDownloadOverlayBaseDatabaseFromCache,
  "returns undefined when caching is disabled",
  {
    useOverlayDatabaseCaching: false,
@@ -179,8 +175,7 @@ test.serial(
  false,
 );
-test.serial(
+testDownloadOverlayBaseDatabaseFromCache.serial(
  testDownloadOverlayBaseDatabaseFromCache,
  "returns undefined in test mode",
  {
    isInTestMode: true,
@@ -188,8 +183,7 @@ test.serial(
  false,
 );
-test.serial(
+testDownloadOverlayBaseDatabaseFromCache.serial(
  testDownloadOverlayBaseDatabaseFromCache,
  "returns undefined when cache miss",
  {
    restoreCacheResult: undefined,
@@ -197,8 +191,7 @@ test.serial(
  false,
 );
-test.serial(
+testDownloadOverlayBaseDatabaseFromCache.serial(
  testDownloadOverlayBaseDatabaseFromCache,
  "returns undefined when download fails",
  {
    restoreCacheResult: new Error("Download failed"),
@@ -206,8 +199,7 @@ test.serial(
  false,
 );
-test.serial(
+testDownloadOverlayBaseDatabaseFromCache.serial(
  testDownloadOverlayBaseDatabaseFromCache,
  "returns undefined when downloaded database is invalid",
  {
    hasBaseDatabaseOidsFile: false,
@@ -215,8 +207,7 @@ test.serial(
  false,
 );
-test.serial(
+testDownloadOverlayBaseDatabaseFromCache.serial(
  testDownloadOverlayBaseDatabaseFromCache,
  "returns undefined when downloaded database doesn't have an overlayBaseSpecifier",
  {
    resolveDatabaseOutput: {},
@@ -224,8 +215,7 @@ test.serial(
  false,
 );
-test.serial(
+testDownloadOverlayBaseDatabaseFromCache.serial(
  testDownloadOverlayBaseDatabaseFromCache,
  "returns undefined when resolving database metadata fails",
  {
    resolveDatabaseOutput: new Error("Failed to resolve database metadata"),
@@ -233,8 +223,7 @@ test.serial(
  false,
 );
-test.serial(
+testDownloadOverlayBaseDatabaseFromCache.serial(
  testDownloadOverlayBaseDatabaseFromCache,
  "returns undefined when filesystem error occurs",
  {
    tryGetFolderBytesSucceeds: false,
@@ -391,6 +380,32 @@ test.serial(
  },
 );
 test.serial(
  "getCodeQlVersionsForOverlayBaseDatabases de-duplicates resolved language aliases",
  async (t) => {
    const logger = getRunnerLogger(true);
    sinon.stub(apiClient, "getAutomationID").resolves("test-automation-id/");
    const listActionsCachesStub = sinon
      .stub(apiClient, "listActionsCaches")
      .resolves([
        {
          key: "codeql-overlay-base-database-1-c5666c509a2d9895-javascript_python-2.25.0-abc123-1-1",
        },
      ]);
    const result = await getCodeQlVersionsForOverlayBaseDatabases(
      ["javascript", "typescript", "Python", "python"],
      logger,
    );
    t.deepEqual(result, ["2.25.0"]);
    sinon.assert.calledOnceWithExactly(
      listActionsCachesStub,
      "codeql-overlay-base-database-1-c5666c509a2d9895-javascript_python-",
    );
  },
 );
 test.serial(
  "getCodeQlVersionsForOverlayBaseDatabases ignores nightly versions with build metadata",
  async (t) => {
@@ -461,9 +461,10 @@ export async function getCodeQlVersionsForOverlayBaseDatabases(
    );
    return undefined;
  }
-  const cacheKeyPrefix = await getCacheKeyPrefixBase(
+  const dedupedLanguages = [
-    languages.filter((l) => l !== undefined),
+    ...new Set(languages.filter((l) => l !== undefined)),
-  );
+  ];
  const cacheKeyPrefix = await getCacheKeyPrefixBase(dedupedLanguages);
  logger.debug(
    `Searching for overlay-base databases in Actions cache with ` +
@@ -7,8 +7,10 @@ import {
  getRequiredInput,
  getTemporaryDirectory,
 } from "./actions-util";
 import { AnalysisKind, getAnalysisKinds } from "./analyses";
 import { getGitHubVersion } from "./api-client";
 import { CodeQL } from "./codeql";
 import { getRawLanguagesNoAutodetect } from "./config-utils";
 import { EnvVar } from "./environment";
 import { initFeatures } from "./feature-flags";
 import { initCodeQL } from "./init";
@@ -136,16 +138,22 @@ async function run(startedAt: Date): Promise<void> {
    if (statusReportBase !== undefined) {
      await sendStatusReport(statusReportBase);
    }
-    const codeQLDefaultVersionInfo = await features.getDefaultCliVersion(
+    const codeQLDefaultVersionInfo =
-      gitHubVersion.type,
+      await features.getEnabledDefaultCliVersions(gitHubVersion.type);
    );
    toolsFeatureFlagsValid = codeQLDefaultVersionInfo.toolsFeatureFlagsValid;
    const rawLanguages = getRawLanguagesNoAutodetect(
      getOptionalInput("languages"),
    );
    const analysisKinds = await getAnalysisKinds(logger, features);
    const initCodeQLResult = await initCodeQL(
      getOptionalInput("tools"),
      apiDetails,
      getTemporaryDirectory(),
      gitHubVersion.type,
      codeQLDefaultVersionInfo,
      rawLanguages,
      analysisKinds.length === 1 &&
        analysisKinds[0] === AnalysisKind.CodeScanning,
      features,
      logger,
    );
@@ -7,8 +7,9 @@ import * as sinon from "sinon";
 import * as actionsUtil from "./actions-util";
 import * as api from "./api-client";
-import { Feature, FeatureEnablement } from "./feature-flags";
+import { Feature } from "./feature-flags";
 import { getRunnerLogger } from "./logging";
 import { getCacheRestoreKeyPrefix } from "./overlay/caching";
 import * as setupCodeql from "./setup-codeql";
 import * as tar from "./tar";
 import {
@@ -18,8 +19,9 @@ import {
  SAMPLE_DOTCOM_API_DETAILS,
  checkExpectedLogMessages,
  createFeatures,
  createTestConfig,
  getRecordingLogger,
-  initializeFeatures,
+  makeMacro,
  mockBundleDownloadApi,
  setupActionsVars,
  setupTests,
@@ -33,14 +35,6 @@ import {
 setupTests(test);
 // TODO: Remove when when we no longer need to pass in features (https://github.com/github/codeql-action/issues/2600)
 const expectedFeatureEnablement: FeatureEnablement = initializeFeatures(
  true,
 ) as FeatureEnablement;
 expectedFeatureEnablement.getValue = function (feature: Feature) {
  // eslint-disable-next-line @typescript-eslint/no-unsafe-return
  return expectedFeatureEnablement[feature];
 };
 test.beforeEach(() => {
  initializeEnvironment("1.2.3");
 });
@@ -107,6 +101,8 @@ test.serial(
      const source = await setupCodeql.getCodeQLSource(
        `https://github.com/github/codeql-action/releases/download/${tagName}/codeql-bundle-linux64.tar.gz`,
        SAMPLE_DEFAULT_CLI_VERSION,
        undefined, // rawLanguages
        false, // useOverlayAwareDefaultCliVersion
        SAMPLE_DOTCOM_API_DETAILS,
        GitHubVariant.DOTCOM,
        false,
@@ -130,6 +126,8 @@ test.serial(
      const source = await setupCodeql.getCodeQLSource(
        "linked",
        SAMPLE_DEFAULT_CLI_VERSION,
        undefined, // rawLanguages
        false, // useOverlayAwareDefaultCliVersion
        SAMPLE_DOTCOM_API_DETAILS,
        GitHubVariant.DOTCOM,
        false,
@@ -155,6 +153,8 @@ test.serial(
      const source = await setupCodeql.getCodeQLSource(
        "latest",
        SAMPLE_DEFAULT_CLI_VERSION,
        undefined, // rawLanguages
        false, // useOverlayAwareDefaultCliVersion
        SAMPLE_DOTCOM_API_DETAILS,
        GitHubVariant.DOTCOM,
        false,
@@ -211,6 +211,8 @@ test.serial(
        "tmp/codeql_action_test/",
        GitHubVariant.DOTCOM,
        SAMPLE_DEFAULT_CLI_VERSION,
        undefined, // rawLanguages
        false, // useOverlayAwareDefaultCliVersion
        features,
        logger,
      );
@@ -266,6 +268,8 @@ test.serial(
        "tmp/codeql_action_test/",
        GitHubVariant.DOTCOM,
        SAMPLE_DEFAULT_CLI_VERSION,
        undefined, // rawLanguages
        false, // useOverlayAwareDefaultCliVersion
        features,
        logger,
      );
@@ -317,6 +321,8 @@ test.serial(
      const source = await setupCodeql.getCodeQLSource(
        "nightly",
        SAMPLE_DEFAULT_CLI_VERSION,
        undefined, // rawLanguages
        false, // useOverlayAwareDefaultCliVersion
        SAMPLE_DOTCOM_API_DETAILS,
        GitHubVariant.DOTCOM,
        false,
@@ -378,6 +384,8 @@ test.serial(
      const source = await setupCodeql.getCodeQLSource(
        undefined,
        SAMPLE_DEFAULT_CLI_VERSION,
        undefined, // rawLanguages
        false, // useOverlayAwareDefaultCliVersion
        SAMPLE_DOTCOM_API_DETAILS,
        GitHubVariant.DOTCOM,
        false,
@@ -432,6 +440,8 @@ test.serial(
      const source = await setupCodeql.getCodeQLSource(
        "toolcache",
        SAMPLE_DEFAULT_CLI_VERSION,
        undefined, // rawLanguages
        false, // useOverlayAwareDefaultCliVersion
        SAMPLE_DOTCOM_API_DETAILS,
        GitHubVariant.DOTCOM,
        false,
@@ -473,7 +483,7 @@ test.serial(
  },
 );
-const toolcacheInputFallbackMacro = test.macro({
+const toolcacheInputFallbackMacro = makeMacro({
  exec: async (
    t: ExecutionContext<unknown>,
    featureList: Feature[],
@@ -499,6 +509,8 @@ const toolcacheInputFallbackMacro = test.macro({
      const source = await setupCodeql.getCodeQLSource(
        "toolcache",
        SAMPLE_DEFAULT_CLI_VERSION,
        undefined, // rawLanguages
        false, // useOverlayAwareDefaultCliVersion
        SAMPLE_DOTCOM_API_DETAILS,
        GitHubVariant.DOTCOM,
        false,
@@ -514,7 +526,10 @@ const toolcacheInputFallbackMacro = test.macro({
      // Check that `sourceType` and `toolsVersion` match expectations.
      t.is(source.sourceType, "download");
-      t.is(source.toolsVersion, SAMPLE_DEFAULT_CLI_VERSION.cliVersion);
+      t.is(
        source.toolsVersion,
        SAMPLE_DEFAULT_CLI_VERSION.enabledVersions[0].cliVersion,
      );
      // Check that key messages we would expect to find in the log are present.
      for (const expectedMessage of expectedMessages) {
@@ -533,9 +548,8 @@ const toolcacheInputFallbackMacro = test.macro({
    `getCodeQLSource falls back to downloading the CLI if ${providedTitle}`,
 });
-test.serial(
+toolcacheInputFallbackMacro.serial(
  "the toolcache doesn't have a CodeQL CLI when tools == toolcache",
  toolcacheInputFallbackMacro,
  [Feature.AllowToolcacheInput],
  { GITHUB_EVENT_NAME: "dynamic" },
  [],
@@ -545,9 +559,8 @@ test.serial(
  ],
 );
-test.serial(
+toolcacheInputFallbackMacro.serial(
  "the workflow trigger is not `dynamic`",
  toolcacheInputFallbackMacro,
  [Feature.AllowToolcacheInput],
  { GITHUB_EVENT_NAME: "pull_request" },
  [],
@@ -556,9 +569,8 @@ test.serial(
  ],
 );
-test.serial(
+toolcacheInputFallbackMacro.serial(
  "the feature flag is not enabled",
  toolcacheInputFallbackMacro,
  [],
  { GITHUB_EVENT_NAME: "dynamic" },
  [],
@@ -598,3 +610,288 @@ test.serial(
    t.is(setupCodeql.getLatestToolcacheVersion(getRunnerLogger(true)), "3.2.1");
  },
 );
 const overlayMatchEnabledVersions = {
  enabledVersions: [
    { cliVersion: "2.20.2", tagName: "codeql-bundle-v2.20.2" },
    { cliVersion: "2.20.1", tagName: "codeql-bundle-v2.20.1" },
    { cliVersion: "2.20.0", tagName: "codeql-bundle-v2.20.0" },
  ],
  toolsFeatureFlagsValid: true,
 };
 async function fakeOverlayBaseCacheKey(
  language: string,
  cliVersion: string,
  suffix: string,
 ): Promise<string> {
  const prefix = await getCacheRestoreKeyPrefix(
    createTestConfig({ languages: [language] }),
    cliVersion,
  );
  return `${prefix}${suffix}`;
 }
 test.serial(
  "getCodeQLSource uses overlay-aware default version when requested for a PR",
  async (t) => {
    await withTmpDir(async (tmpDir) => {
      setupActionsVars(tmpDir, tmpDir);
      process.env["CODE_SCANNING_REF"] = "refs/heads/feature-branch";
      process.env["CODE_SCANNING_BASE_BRANCH"] = "main";
      sinon.stub(api, "getAutomationID").resolves("test/");
      const listStub = sinon.stub(api, "listActionsCaches").resolves([
        {
          key: await fakeOverlayBaseCacheKey("javascript", "2.20.1", "abc-1-1"),
        },
      ]);
      sinon
        .stub(toolcache, "find")
        .withArgs("CodeQL", "2.20.1")
        .returns("/path/to/codeql-2.20.1");
      const source = await setupCodeql.getCodeQLSource(
        undefined,
        overlayMatchEnabledVersions,
        ["javascript"],
        true,
        SAMPLE_DOTCOM_API_DETAILS,
        GitHubVariant.DOTCOM,
        false,
        createFeatures([Feature.OverlayAnalysisMatchCodeqlVersion]),
        getRunnerLogger(true),
      );
      t.assert(listStub.calledOnce);
      t.is(source.sourceType, "toolcache");
      t.is(source.toolsVersion, "2.20.1");
    });
  },
 );
 test.serial(
  "getCodeQLSource skips overlay-aware default version when not requested",
  async (t) => {
    await withTmpDir(async (tmpDir) => {
      setupActionsVars(tmpDir, tmpDir);
      process.env["CODE_SCANNING_REF"] = "refs/heads/feature-branch";
      process.env["CODE_SCANNING_BASE_BRANCH"] = "main";
      sinon.stub(api, "getAutomationID").resolves("test/");
      const listStub = sinon.stub(api, "listActionsCaches").resolves([
        {
          key: await fakeOverlayBaseCacheKey("javascript", "2.20.1", "abc-1-1"),
        },
      ]);
      sinon
        .stub(toolcache, "find")
        .withArgs("CodeQL", "2.20.2")
        .returns("/path/to/codeql-2.20.2");
      const source = await setupCodeql.getCodeQLSource(
        undefined,
        overlayMatchEnabledVersions,
        ["javascript"],
        false,
        SAMPLE_DOTCOM_API_DETAILS,
        GitHubVariant.DOTCOM,
        false,
        createFeatures([Feature.OverlayAnalysisMatchCodeqlVersion]),
        getRunnerLogger(true),
      );
      t.assert(listStub.notCalled);
      t.is(source.sourceType, "toolcache");
      t.is(source.toolsVersion, "2.20.2");
    });
  },
 );
 test.serial(
  "getEnabledVersionsWithOverlayBaseDatabases returns flag-enabled versions present in cache, sorted desc",
  async (t) => {
    sinon.stub(api, "getAutomationID").resolves("test/");
    sinon.stub(api, "listActionsCaches").resolves([
      // Flag-enabled versions present in the cache, listed in non-descending
      // order so the test exercises the sort.
      {
        key: await fakeOverlayBaseCacheKey("javascript", "2.20.0", "ghi-3-1"),
      },
      {
        key: await fakeOverlayBaseCacheKey("javascript", "2.20.1", "def-2-1"),
      },
      // Newer than any flag-enabled version: should be filtered out.
      {
        key: await fakeOverlayBaseCacheKey("javascript", "2.21.0", "abc-1-1"),
      },
    ]);
    const result = await setupCodeql.getEnabledVersionsWithOverlayBaseDatabases(
      overlayMatchEnabledVersions,
      ["javascript"],
      createFeatures([Feature.OverlayAnalysisMatchCodeqlVersion]),
      getRunnerLogger(true),
    );
    t.deepEqual(result, [
      { cliVersion: "2.20.1", tagName: "codeql-bundle-v2.20.1" },
      { cliVersion: "2.20.0", tagName: "codeql-bundle-v2.20.0" },
    ]);
  },
 );
 test.serial(
  "getEnabledVersionsWithOverlayBaseDatabases returns empty when no cached version is flag-enabled",
  async (t) => {
    sinon.stub(api, "getAutomationID").resolves("test/");
    sinon.stub(api, "listActionsCaches").resolves([
      {
        key: await fakeOverlayBaseCacheKey("javascript", "2.19.0", "abc-1-1"),
      },
    ]);
    const result = await setupCodeql.getEnabledVersionsWithOverlayBaseDatabases(
      overlayMatchEnabledVersions,
      ["javascript"],
      createFeatures([Feature.OverlayAnalysisMatchCodeqlVersion]),
      getRunnerLogger(true),
    );
    t.deepEqual(result, []);
  },
 );
 const noLanguagesMacro = makeMacro({
  exec: async (
    t: ExecutionContext<unknown>,
    rawLanguages: string[] | undefined,
  ) => {
    const listStub = sinon.stub(api, "listActionsCaches").resolves([]);
    const result = await setupCodeql.getEnabledVersionsWithOverlayBaseDatabases(
      overlayMatchEnabledVersions,
      rawLanguages,
      createFeatures([Feature.OverlayAnalysisMatchCodeqlVersion]),
      getRunnerLogger(true),
    );
    t.deepEqual(result, []);
    t.assert(
      listStub.notCalled,
      "Should not list Actions caches without any rawLanguages.",
    );
  },
  title: (providedTitle = "") =>
    `getEnabledVersionsWithOverlayBaseDatabases does not list caches when rawLanguages is ${providedTitle}`,
 });
 noLanguagesMacro.serial("undefined", undefined);
 noLanguagesMacro.serial("an empty array", []);
 test.serial(
  "getEnabledVersionsWithOverlayBaseDatabases returns empty when listing caches throws",
  async (t) => {
    sinon.stub(api, "getAutomationID").resolves("test/");
    sinon.stub(api, "listActionsCaches").rejects(new Error("listing failed"));
    const result = await setupCodeql.getEnabledVersionsWithOverlayBaseDatabases(
      overlayMatchEnabledVersions,
      ["javascript"],
      createFeatures([Feature.OverlayAnalysisMatchCodeqlVersion]),
      getRunnerLogger(true),
    );
    t.deepEqual(result, []);
  },
 );
 test.serial(
  "getEnabledVersionsWithOverlayBaseDatabases returns versions present in the cache",
  async (t) => {
    sinon.stub(api, "getAutomationID").resolves("test/");
    sinon.stub(api, "listActionsCaches").resolves([
      {
        key: await fakeOverlayBaseCacheKey("javascript", "2.20.2", "abc-1-1"),
      },
    ]);
    const result = await setupCodeql.getEnabledVersionsWithOverlayBaseDatabases(
      overlayMatchEnabledVersions,
      ["javascript"],
      createFeatures([Feature.OverlayAnalysisMatchCodeqlVersion]),
      getRunnerLogger(true),
    );
    t.deepEqual(result, [
      { cliVersion: "2.20.2", tagName: "codeql-bundle-v2.20.2" },
    ]);
  },
 );
 test.serial(
  "getEnabledVersionsWithOverlayBaseDatabases does not list caches when both gates are off",
  async (t) => {
    const listStub = sinon.stub(api, "listActionsCaches").resolves([]);
    const result = await setupCodeql.getEnabledVersionsWithOverlayBaseDatabases(
      overlayMatchEnabledVersions,
      ["javascript"],
      createFeatures([]),
      getRunnerLogger(true),
    );
    t.deepEqual(result, []);
    t.assert(
      listStub.notCalled,
      "Should not list Actions caches when both gating feature flags are off.",
    );
  },
 );
 test.serial(
  "getEnabledVersionsWithOverlayBaseDatabases dry-run returns empty but lists caches",
  async (t) => {
    sinon.stub(api, "getAutomationID").resolves("test/");
    const listStub = sinon.stub(api, "listActionsCaches").resolves([
      {
        key: await fakeOverlayBaseCacheKey("javascript", "2.20.1", "abc-1-1"),
      },
    ]);
    const result = await setupCodeql.getEnabledVersionsWithOverlayBaseDatabases(
      overlayMatchEnabledVersions,
      ["javascript"],
      createFeatures([Feature.OverlayAnalysisMatchCodeqlVersionDryRun]),
      getRunnerLogger(true),
    );
    t.deepEqual(
      result,
      [],
      "Dry-run should return an empty list so the caller falls back.",
    );
    t.assert(
      listStub.calledOnce,
      "Dry-run should still list Actions caches to populate the diagnostic.",
    );
  },
 );
 test.serial(
  "getEnabledVersionsWithOverlayBaseDatabases match flag wins over dry-run",
  async (t) => {
    sinon.stub(api, "getAutomationID").resolves("test/");
    sinon.stub(api, "listActionsCaches").resolves([
      {
        key: await fakeOverlayBaseCacheKey("javascript", "2.20.1", "abc-1-1"),
      },
    ]);
    const result = await setupCodeql.getEnabledVersionsWithOverlayBaseDatabases(
      overlayMatchEnabledVersions,
      ["javascript"],
      createFeatures([
        Feature.OverlayAnalysisMatchCodeqlVersion,
        Feature.OverlayAnalysisMatchCodeqlVersionDryRun,
      ]),
      getRunnerLogger(true),
    );
    t.deepEqual(result, [
      { cliVersion: "2.20.1", tagName: "codeql-bundle-v2.20.1" },
    ]);
  },
 );
@@ -7,17 +7,27 @@ import { default as deepEqual } from "fast-deep-equal";
 import * as semver from "semver";
 import { v4 as uuidV4 } from "uuid";
-import { isDynamicWorkflow, isRunningLocalAction } from "./actions-util";
+import {
  isAnalyzingPullRequest,
  isDynamicWorkflow,
  isRunningLocalAction,
 } from "./actions-util";
 import * as api from "./api-client";
 import * as defaults from "./defaults.json";
-import { addNoLanguageDiagnostic, makeDiagnostic } from "./diagnostics";
+import {
  addNoLanguageDiagnostic,
  makeDiagnostic,
  makeTelemetryDiagnostic,
 } from "./diagnostics";
 import {
  CODEQL_VERSION_ZSTD_BUNDLE,
  CodeQLDefaultVersionInfo,
  CodeQLVersionInfo,
  Feature,
  FeatureEnablement,
 } from "./feature-flags";
 import { Logger } from "./logging";
 import { getCodeQlVersionsForOverlayBaseDatabases } from "./overlay/caching";
 import * as tar from "./tar";
 import {
  downloadAndExtract,
@@ -264,12 +274,131 @@ async function findOverridingToolsInCache(
  return undefined;
 }
 /**
 * Returns the sorted set of enabled versions that have cached overlay-base databases for the
 * given languages, or an empty list if neither the `OverlayAnalysisMatchCodeqlVersion` nor the
 * `OverlayAnalysisMatchCodeqlVersionDryRun` feature flag is enabled. When only the dry-run flag
 * is enabled, this performs the lookup and emits a telemetry diagnostic with the version that
 * would have been chosen, but still returns an empty list so the caller falls back.
 */
 export async function getEnabledVersionsWithOverlayBaseDatabases(
  defaultCliVersion: CodeQLDefaultVersionInfo,
  rawLanguages: string[] | undefined,
  features: FeatureEnablement,
  logger: Logger,
 ): Promise<CodeQLVersionInfo[]> {
  if (rawLanguages === undefined || rawLanguages.length === 0) {
    return [];
  }
  const isEnabled = await features.getValue(
    Feature.OverlayAnalysisMatchCodeqlVersion,
  );
  const isDryRun =
    !isEnabled &&
    (await features.getValue(Feature.OverlayAnalysisMatchCodeqlVersionDryRun));
  if (!isEnabled && !isDryRun) {
    return [];
  }
  let cachedVersions: string[] | undefined;
  try {
    cachedVersions = await getCodeQlVersionsForOverlayBaseDatabases(
      rawLanguages,
      logger,
    );
  } catch (e) {
    logger.warning(
      "Could not list overlay-base databases in the Actions cache while choosing a default " +
        `CodeQL CLI version, falling back to the highest enabled version. Details: ${util.getErrorMessage(e)}`,
    );
    return [];
  }
  if (cachedVersions === undefined || cachedVersions.length === 0) {
    return [];
  }
  const cachedVersionsSet = new Set(cachedVersions);
  const overlayVersions = defaultCliVersion.enabledVersions.filter((v) =>
    cachedVersionsSet.has(v.cliVersion),
  );
  if (overlayVersions.length === 0) {
    return [];
  }
  const isCachedVersionDifferent =
    overlayVersions[0].cliVersion !==
    defaultCliVersion.enabledVersions[0].cliVersion;
  if (isCachedVersionDifferent) {
    addNoLanguageDiagnostic(
      undefined,
      makeTelemetryDiagnostic(
        "codeql-action/overlay-aware-default-codeql-version",
        "Overlay-aware default CodeQL version selection",
        {
          cachedVersions,
          enabledVersions: defaultCliVersion.enabledVersions.map(
            (v) => v.cliVersion,
          ),
          isDryRun,
          overlayAwareVersion: overlayVersions[0].cliVersion,
        },
      ),
    );
  }
  if (isDryRun) {
    logger.debug(
      `Overlay-aware default CodeQL version selection is running in dry-run mode. Would have used version ${overlayVersions[0].cliVersion}.`,
    );
    return [];
  }
  return overlayVersions;
 }
 /**
 * Resolves the newest enabled default CLI version that has a cached overlay-base database for the
 * relevant languages, if running a Code Scanning analysis for a pull request and one exists.
 * Otherwise, falls back to the newest enabled default CLI version.
 */
 async function resolveDefaultCliVersion(
  defaultCliVersion: CodeQLDefaultVersionInfo,
  rawLanguages: string[] | undefined,
  useOverlayAwareDefaultCliVersion: boolean,
  features: FeatureEnablement,
  logger: Logger,
 ): Promise<CodeQLVersionInfo> {
  if (!useOverlayAwareDefaultCliVersion || !isAnalyzingPullRequest()) {
    return defaultCliVersion.enabledVersions[0];
  }
  const overlayVersions = await getEnabledVersionsWithOverlayBaseDatabases(
    defaultCliVersion,
    rawLanguages,
    features,
    logger,
  );
  if (overlayVersions.length > 0) {
    logger.info(
      `Using CodeQL version ${overlayVersions[0].cliVersion} since this is the ` +
        `highest enabled version that has a cached overlay-base database.`,
    );
    return overlayVersions[0];
  }
  return defaultCliVersion.enabledVersions[0];
 }
 /**
 * Determines where the CodeQL CLI we want to use comes from. This can be from a local file,
 * the Actions toolcache, or a download.
 *
 * @param toolsInput The argument provided for the `tools` input, if any.
 * @param defaultCliVersion The default CLI version that's linked to the CodeQL Action.
 * @param rawLanguages Raw set of languages.
 * @param useOverlayAwareDefaultCliVersion Whether to select an overlay-aware default CLI version.
 * @param apiDetails Information about the GitHub API.
 * @param variant The GitHub variant we are running on.
 * @param tarSupportsZstd Whether zstd is supported by `tar`.
@@ -281,6 +410,8 @@ async function findOverridingToolsInCache(
 export async function getCodeQLSource(
  toolsInput: string | undefined,
  defaultCliVersion: CodeQLDefaultVersionInfo,
  rawLanguages: string[] | undefined,
  useOverlayAwareDefaultCliVersion: boolean,
  apiDetails: api.GitHubApiDetails,
  variant: util.GitHubVariant,
  tarSupportsZstd: boolean,
@@ -438,8 +569,15 @@ export async function getCodeQLSource(
        }
      }
-      cliVersion = defaultCliVersion.cliVersion;
+      const version = await resolveDefaultCliVersion(
-      tagName = defaultCliVersion.tagName;
+        defaultCliVersion,
        rawLanguages,
        useOverlayAwareDefaultCliVersion,
        features,
        logger,
      );
      cliVersion = version.cliVersion;
      tagName = version.tagName;
    }
  } else if (toolsInput !== undefined) {
    // If a tools URL was provided, then use that.
@@ -454,9 +592,15 @@ export async function getCodeQLSource(
      }
    }
  } else {
-    // Otherwise, use the default CLI version passed in.
+    const version = await resolveDefaultCliVersion(
-    cliVersion = defaultCliVersion.cliVersion;
+      defaultCliVersion,
-    tagName = defaultCliVersion.tagName;
+      rawLanguages,
      useOverlayAwareDefaultCliVersion,
      features,
      logger,
    );
    cliVersion = version.cliVersion;
    tagName = version.tagName;
  }
  const bundleVersion =
@@ -791,6 +935,8 @@ export async function setupCodeQLBundle(
  tempDir: string,
  variant: util.GitHubVariant,
  defaultCliVersion: CodeQLDefaultVersionInfo,
  rawLanguages: string[] | undefined,
  useOverlayAwareDefaultCliVersion: boolean,
  features: FeatureEnablement,
  logger: Logger,
 ): Promise<SetupCodeQLResult> {
@@ -804,6 +950,8 @@ export async function setupCodeQLBundle(
  const source = await getCodeQLSource(
    toolsInput,
    defaultCliVersion,
    rawLanguages,
    useOverlayAwareDefaultCliVersion,
    apiDetails,
    variant,
    zstdAvailability.available,
@@ -18,6 +18,7 @@ import {
  assertNotLogged,
  checkExpectedLogMessages,
  createFeatures,
  makeMacro,
  makeTestToken,
  RecordingLogger,
  setupTests,
@@ -32,7 +33,7 @@ import {
 setupTests(test);
-const sendFailedStatusReportTest = test.macro({
+const sendFailedStatusReportTest = makeMacro({
  exec: async (
    t: ExecutionContext<unknown>,
    err: Error,
@@ -88,16 +89,14 @@ const sendFailedStatusReportTest = test.macro({
  title: (providedTitle = "") => `sendFailedStatusReport - ${providedTitle}`,
 });
-test.serial(
+sendFailedStatusReportTest.serial(
  "reports generic error message for non-StartProxyError error",
  sendFailedStatusReportTest,
  new Error("Something went wrong today"),
  "Error from start-proxy Action omitted (Error).",
 );
-test.serial(
+sendFailedStatusReportTest.serial(
  "reports generic error message for non-StartProxyError error with safe error message",
  sendFailedStatusReportTest,
  new Error(
    startProxyExports.getStartProxyErrorMessage(
      startProxyExports.StartProxyErrorType.DownloadFailed,
@@ -106,9 +105,8 @@ test.serial(
  "Error from start-proxy Action omitted (Error).",
 );
-test.serial(
+sendFailedStatusReportTest.serial(
  "reports generic error message for ConfigurationError error",
  sendFailedStatusReportTest,
  new ConfigurationError("Something went wrong today"),
  "Error from start-proxy Action omitted (ConfigurationError).",
  "user-error",
@@ -414,7 +412,7 @@ test("getCredentials accepts OIDC configurations", (t) => {
  }
 });
-const getCredentialsMacro = test.macro({
+const getCredentialsMacro = makeMacro({
  exec: async (
    t: ExecutionContext<unknown>,
    credentials: startProxyExports.RawCredential[],
@@ -440,9 +438,8 @@ const getCredentialsMacro = test.macro({
  title: (providedTitle = "") => `getCredentials - ${providedTitle}`,
 });
-test(
+getCredentialsMacro(
  "warns for PAT-like password without a username",
  getCredentialsMacro,
  [
    {
      type: "git_server",
@@ -470,9 +467,8 @@ test(
  },
 );
-test(
+getCredentialsMacro(
  "no warning for PAT-like password with a username",
  getCredentialsMacro,
  [
    {
      type: "git_server",
@@ -502,9 +498,8 @@ test(
  },
 );
-test(
+getCredentialsMacro(
  "warns for PAT-like token without a username",
  getCredentialsMacro,
  [
    {
      type: "git_server",
@@ -532,9 +527,8 @@ test(
  },
 );
-test(
+getCredentialsMacro(
  "no warning for PAT-like token with a username",
  getCredentialsMacro,
  [
    {
      type: "git_server",
@@ -796,7 +790,7 @@ test.serial(
  },
 );
-const wrapFailureTest = test.macro({
+const wrapFailureTest = makeMacro({
  exec: async (
    t: ExecutionContext<unknown>,
    setup: () => void,
@@ -827,9 +821,8 @@ test.serial("downloadProxy - returns file path on success", async (t) => {
  });
 });
-test.serial(
+wrapFailureTest.serial(
  "downloadProxy",
  wrapFailureTest,
  () => {
    sinon.stub(toolcache, "downloadTool").throws();
  },
@@ -848,9 +841,8 @@ test.serial("extractProxy - returns file path on success", async (t) => {
  });
 });
-test.serial(
+wrapFailureTest.serial(
  "extractProxy",
  wrapFailureTest,
  () => {
    sinon.stub(toolcache, "extractTar").throws();
  },
@@ -874,9 +866,8 @@ test.serial("cacheProxy - returns file path on success", async (t) => {
  });
 });
-test.serial(
+wrapFailureTest.serial(
  "cacheProxy",
  wrapFailureTest,
  () => {
    sinon.stub(toolcache, "cacheDir").throws();
  },
@@ -1019,8 +1010,10 @@ test.serial(
        return true;
      });
      const getDefaultCliVersion = sinon
-        .stub(features, "getDefaultCliVersion")
+        .stub(features, "getEnabledDefaultCliVersions")
-        .resolves({ cliVersion: "2.20.1", tagName: expectedTag });
+        .resolves({
          enabledVersions: [{ cliVersion: "2.20.1", tagName: expectedTag }],
        });
      const path = await startProxyExports.getProxyBinaryPath(logger, features);
      t.assert(getDefaultCliVersion.calledOnce);
@@ -415,7 +415,7 @@ async function getCliVersionFromFeatures(
  features: FeatureEnablement,
 ): Promise<CodeQLDefaultVersionInfo> {
  const gitHubVersion = await getGitHubVersion();
-  return await features.getDefaultCliVersion(gitHubVersion.type);
+  return await features.getEnabledDefaultCliVersions(gitHubVersion.type);
 }
 /**
@@ -440,7 +440,7 @@ export async function getDownloadUrl(
    // Retrieve information about the CLI version we should use. This will be either the linked
    // version, or the one enabled by FFs.
    const versionInfo = useFeaturesToDetermineCLI
-      ? await getCliVersionFromFeatures(features)
+      ? (await getCliVersionFromFeatures(features)).enabledVersions[0]
      : {
          cliVersion: defaults.cliVersion,
          tagName: defaults.bundleVersion,
@@ -19,6 +19,7 @@ import {
  setupTests,
  setupActionsVars,
  createTestConfig,
  makeMacro,
 } from "./testing-utils";
 import { BuildMode, ConfigurationError, withTmpDir, wrapError } from "./util";
@@ -291,10 +292,9 @@ test.serial(
  },
 );
-const testCreateInitWithConfigStatusReport = test.macro({
+const testCreateInitWithConfigStatusReport = makeMacro({
  exec: async (
    t,
    _title: string,
    config: Config,
    expectedReportProperties: Partial<InitWithConfigStatusReport>,
  ) => {
@@ -337,11 +337,10 @@ const testCreateInitWithConfigStatusReport = test.macro({
      }
    });
  },
-  title: (_, title) => `createInitWithConfigStatusReport: ${title}`,
+  title: (title) => `createInitWithConfigStatusReport: ${title}`,
 });
-test.serial(
+testCreateInitWithConfigStatusReport.serial(
  testCreateInitWithConfigStatusReport,
  "returns a value",
  createTestConfig({
    buildMode: BuildMode.None,
@@ -355,8 +354,7 @@ test.serial(
  },
 );
-test.serial(
+testCreateInitWithConfigStatusReport.serial(
  testCreateInitWithConfigStatusReport,
  "includes packs for a single language",
  createTestConfig({
    buildMode: BuildMode.None,
@@ -372,8 +370,7 @@ test.serial(
  },
 );
-test.serial(
+testCreateInitWithConfigStatusReport.serial(
  testCreateInitWithConfigStatusReport,
  "includes packs for multiple languages",
  createTestConfig({
    buildMode: BuildMode.None,
@@ -2,7 +2,11 @@ import { TextDecoder } from "node:util";
 import path from "path";
 import * as github from "@actions/github";
-import { ExecutionContext, TestFn } from "ava";
+import test, {
  type ExecutionContext,
  type MacroDeclarationOptions,
  type TestFn,
 } from "ava";
 import nock from "nock";
 import * as sinon from "sinon";
@@ -36,16 +40,20 @@ export const SAMPLE_DOTCOM_API_DETAILS = {
  apiURL: "https://api.github.com",
 };
 export const SAMPLE_DEFAULT_CLI_VERSION: CodeQLDefaultVersionInfo = {
  cliVersion: "2.20.0",
  tagName: "codeql-bundle-v2.20.0",
 };
 export const LINKED_CLI_VERSION = {
  cliVersion: defaults.cliVersion,
  tagName: defaults.bundleVersion,
 };
 export const SAMPLE_DEFAULT_CLI_VERSION: CodeQLDefaultVersionInfo = {
  enabledVersions: [
    {
      cliVersion: "2.20.0",
      tagName: "codeql-bundle-v2.20.0",
    },
  ],
 };
 type TestContext = {
  stdoutWrite: any;
  stderrWrite: any;
@@ -85,8 +93,8 @@ function wrapOutput(context: TestContext) {
  };
 }
-export function setupTests(test: TestFn<any>) {
+export function setupTests(testFn: TestFn<any>) {
-  const typedTest = test as TestFn<TestContext>;
+  const typedTest = testFn as TestFn<TestContext>;
  typedTest.beforeEach((t) => {
    // Set an empty CodeQL object so that all method calls will fail
@@ -139,6 +147,26 @@ export function setupTests(test: TestFn<any>) {
  });
 }
 /**
 * Declare a reusable test implementation, with better type safety than `test.macro`.
 */
 export function makeMacro<Args extends unknown[]>(
  decl: MacroDeclarationOptions<Args, unknown>,
 ) {
  const m = test.macro<Args>(decl);
  const wrapper = (name: string, ...args: Args) => test(name, m, ...args);
  wrapper.test = (...args: Args) => test(m, ...args);
  wrapper.serial = (name: string, ...args: Args) =>
    test.serial(name, m, ...args);
  // Make the implementation available as `fn`. We don't call it `exec` so
  // that results from this function are not valid arguments to `test`
  // or `test.serial`.
  wrapper.fn = decl.exec;
  return wrapper;
 }
 /**
 * Default values for environment variables typically set in an Actions
 * environment. Tests can override individual variables by passing them in the
@@ -442,7 +470,7 @@ export function mockCodeQLVersion(
 */
 export function createFeatures(enabledFeatures: Feature[]): FeatureEnablement {
  return {
-    getDefaultCliVersion: async () => {
+    getEnabledDefaultCliVersions: async () => {
      throw new Error("not implemented");
    },
    getValue: async (feature) => {
@@ -156,9 +156,8 @@ async function combineSarifFilesUsingCLI(
      apiURL: getRequiredEnvParam("GITHUB_API_URL"),
    };
-    const codeQLDefaultVersionInfo = await features.getDefaultCliVersion(
+    const codeQLDefaultVersionInfo =
-      gitHubVersion.type,
+      await features.getEnabledDefaultCliVersions(gitHubVersion.type);
    );
    const initCodeQLResult = await initCodeQL(
      undefined, // There is no tools input on the upload action
@@ -166,6 +165,8 @@ async function combineSarifFilesUsingCLI(
      tempDir,
      gitHubVersion.type,
      codeQLDefaultVersionInfo,
      undefined, // rawLanguages: upload-lib does not run analysis
      false, // useOverlayAwareDefaultCliVersion: upload-lib does not run analysis
      features,
      logger,
    );
@@ -6,7 +6,7 @@ import * as sinon from "sinon";
 import { AnalysisKind, getAnalysisConfig } from "./analyses";
 import { getRunnerLogger } from "./logging";
-import { createFeatures, setupTests } from "./testing-utils";
+import { createFeatures, makeMacro, setupTests } from "./testing-utils";
 import { UploadResult } from "./upload-lib";
 import * as uploadLib from "./upload-lib";
 import { postProcessAndUploadSarif } from "./upload-sarif";
@@ -43,7 +43,7 @@ function mockPostProcessSarifFiles() {
  return postProcessSarifFiles;
 }
-const postProcessAndUploadSarifMacro = test.macro({
+const postProcessAndUploadSarifMacro = makeMacro({
  exec: async (
    t: ExecutionContext<unknown>,
    sarifFiles: string[],
@@ -67,7 +67,7 @@ const postProcessAndUploadSarifMacro = test.macro({
        const analysisConfig = getAnalysisConfig(analysisKind);
        uploadPostProcessedFiles
          .withArgs(logger, sinon.match.any, analysisConfig, sinon.match.any)
-          .resolves(expectedResult[analysisKind as AnalysisKind]?.uploadResult);
+          .resolves(expectedResult[analysisKind]?.uploadResult);
      }
      const fullSarifPaths = sarifFiles.map(toFullPath);
@@ -123,9 +123,8 @@ const postProcessAndUploadSarifMacro = test.macro({
  title: (providedTitle = "") => `processAndUploadSarif - ${providedTitle}`,
 });
-test.serial(
+postProcessAndUploadSarifMacro.serial(
  "SARIF file",
  postProcessAndUploadSarifMacro,
  ["test.sarif"],
  (tempDir) => path.join(tempDir, "test.sarif"),
  {
@@ -138,9 +137,8 @@ test.serial(
  },
 );
-test.serial(
+postProcessAndUploadSarifMacro.serial(
  "JSON file",
  postProcessAndUploadSarifMacro,
  ["test.json"],
  (tempDir) => path.join(tempDir, "test.json"),
  {
@@ -153,9 +151,8 @@ test.serial(
  },
 );
-test.serial(
+postProcessAndUploadSarifMacro.serial(
  "Code Scanning files",
  postProcessAndUploadSarifMacro,
  ["test.json", "test.sarif"],
  undefined,
  {
@@ -169,9 +166,8 @@ test.serial(
  },
 );
-test.serial(
+postProcessAndUploadSarifMacro.serial(
  "Code Quality file",
  postProcessAndUploadSarifMacro,
  ["test.quality.sarif"],
  (tempDir) => path.join(tempDir, "test.quality.sarif"),
  {
@@ -184,9 +180,8 @@ test.serial(
  },
 );
-test.serial(
+postProcessAndUploadSarifMacro.serial(
  "Mixed files",
  postProcessAndUploadSarifMacro,
  ["test.sarif", "test.quality.sarif"],
  undefined,
  {
@@ -422,7 +422,7 @@ async function testLanguageAliases(
          ],
        },
      },
-    } as Workflow,
+    },
    codeql,
  );
Author	SHA1	Message	Date
Henry Mercer	ab95e32825	Remove `RegExp.escape` call	2026-05-14 16:33:36 +01:00
Henry Mercer	3c41d8f998	Build: Generate shared entrypoint Reduces tarred repo size from 8.5 MB to 2.2 MB	2026-05-14 16:29:39 +01:00
Henry Mercer	336884853e	Merge pull request #3901 from github/henrymercer/minify-test-debug-artifacts Minify test debug artifacts	2026-05-14 14:09:36 +00:00
Henry Mercer	4795ef8153	Remove now unnecessary test skipping	2026-05-14 14:47:33 +01:00
Henry Mercer	2e202367c7	Reduce size of test debug artifacts	2026-05-14 14:47:13 +01:00
Henry Mercer	ea37b337cd	Merge pull request #3897 from github/dependabot/npm_and_yarn/npm-minor-afb85bbff8 Bump the npm-minor group across 1 directory with 3 updates	2026-05-14 10:09:31 +00:00
Henry Mercer	ba0a2f91b7	Merge pull request #3896 from github/dependabot/github_actions/dot-github/workflows/actions-minor-9f1c31c749 Bump actions/create-github-app-token from 3.1.1 to 3.2.0 in /.github/workflows in the actions-minor group across 1 directory	2026-05-14 10:06:09 +00:00
dependabot[bot]	4041a11865	Bump the npm-minor group across 1 directory with 3 updates Bumps the npm-minor group with 3 updates in the / directory: [globals](https://github.com/sindresorhus/globals), [typescript-eslint](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/typescript-eslint) and [yaml](https://github.com/eemeli/yaml). Updates `globals` from 17.5.0 to 17.6.0 - [Release notes](https://github.com/sindresorhus/globals/releases) - [Commits](https://github.com/sindresorhus/globals/compare/v17.5.0...v17.6.0) Updates `typescript-eslint` from 8.59.1 to 8.59.2 - [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases) - [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/typescript-eslint/CHANGELOG.md) - [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v8.59.2/packages/typescript-eslint) Updates `yaml` from 2.8.3 to 2.8.4 - [Release notes](https://github.com/eemeli/yaml/releases) - [Commits](https://github.com/eemeli/yaml/compare/v2.8.3...v2.8.4) --- updated-dependencies: - dependency-name: globals dependency-version: 17.6.0 dependency-type: direct:development update-type: version-update:semver-minor dependency-group: npm-minor - dependency-name: typescript-eslint dependency-version: 8.59.2 dependency-type: direct:development update-type: version-update:semver-patch dependency-group: npm-minor - dependency-name: yaml dependency-version: 2.8.4 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: npm-minor ... Signed-off-by: dependabot[bot] <support@github.com>	2026-05-13 18:29:17 +00:00
dependabot[bot]	2a6fe1608c	Bump actions/create-github-app-token Bumps the actions-minor group with 1 update in the /.github/workflows directory: [actions/create-github-app-token](https://github.com/actions/create-github-app-token). Updates `actions/create-github-app-token` from 3.1.1 to 3.2.0 - [Release notes](https://github.com/actions/create-github-app-token/releases) - [Changelog](https://github.com/actions/create-github-app-token/blob/main/CHANGELOG.md) - [Commits](https://github.com/actions/create-github-app-token/compare/v3.1.1...v3.2.0) --- updated-dependencies: - dependency-name: actions/create-github-app-token dependency-version: 3.2.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: actions-minor ... Signed-off-by: dependabot[bot] <support@github.com>	2026-05-13 18:28:51 +00:00
Mads Navntoft	3d6ea97f26	Merge pull request #3891 from github/navntoft/dep/remove-brace-expansion-override Bump brace-expansion and 4 dev dependencies	2026-05-13 15:46:57 +00:00
Michael B. Gale	7d25a3e590	Merge pull request #3892 from github/mbg/analysis-kinds/warn-on-multiple Log error and only enable `code-scanning` if multiple analysis kinds are specified	2026-05-13 15:44:21 +00:00
Michael B. Gale	4dc72761a6	Merge remote-tracking branch 'origin/main' into mbg/analysis-kinds/warn-on-multiple	2026-05-13 16:20:45 +01:00
Henry Mercer	c559992c9e	Merge pull request #3880 from github/henrymercer/overlay-match-codeql-version Overlay: Use overlay-aware CLI version when analyzing PRs	2026-05-12 17:36:31 +00:00
Henry Mercer	8d217609b0	Nit: Tweak JSDoc for `getRawLanguagesNoAutodetect`	2026-05-12 16:21:44 +01:00
Michael B. Gale	257b3d3fc8	Enable only `code-scanning`	2026-05-12 15:46:28 +01:00
Henry Mercer	201a96b541	Use overlay-aware version for code scanning exclusively	2026-05-12 15:25:40 +01:00
Michael B. Gale	312a2fee96	Add changelog entry	2026-05-12 15:03:58 +01:00
Mads Navntoft	2ca0fbdca8	Rebuild	2026-05-12 15:59:34 +02:00
Mads Navntoft	12c1d88854	Bump five transitive dependencies Bumps the following to their latest patched versions: brace-expansion (under readdir-glob): 2.0.2 → 2.1.0 picomatch (under micromatch): 2.3.1 → 2.3.2 picomatch (top level): 4.0.3 → 4.0.4 flatted: 3.3.3 → 3.4.2 js-yaml (under supertap): 3.14.1 → 3.14.2 The brace-expansion bump requires removing the brace-expansion override in package.json, which had been pinning resolution below the existing ^2.0.1 constraint declared by readdir-glob.	2026-05-12 15:59:34 +02:00
Michael B. Gale	70419e3273	Throw error if multiple analysis kinds are specified	2026-05-12 14:54:11 +01:00
Michael B. Gale	b62aaa99a5	Merge pull request #3889 from github/dependabot/npm_and_yarn/fast-xml-builder-1.2.0 Bump fast-xml-builder from 1.1.5 to 1.2.0	2026-05-11 14:59:28 +00:00
dependabot[bot]	2f2dbd2e78	Bump fast-xml-builder from 1.1.5 to 1.2.0 Bumps [fast-xml-builder](https://github.com/NaturalIntelligence/fast-xml-builder) from 1.1.5 to 1.2.0. - [Changelog](https://github.com/NaturalIntelligence/fast-xml-builder/blob/main/CHANGELOG.md) - [Commits](https://github.com/NaturalIntelligence/fast-xml-builder/compare/v1.1.5...v1.2.0) --- updated-dependencies: - dependency-name: fast-xml-builder dependency-version: 1.2.0 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com>	2026-05-08 19:05:11 +00:00
Henry Mercer	b4ea7aa65a	Improve tests	2026-05-08 19:16:48 +01:00
Henry Mercer	87ac48dae6	Improve error message	2026-05-08 19:16:47 +01:00
Henry Mercer	42d7f62579	Remove dead code	2026-05-08 19:16:46 +01:00
Henry Mercer	540699dcca	Remove `makeOverlayMatchFeatures` indirection	2026-05-08 19:14:05 +01:00
Henry Mercer	9a85234875	Add JSDoc for `getRawLanguagesNoAutodetect`	2026-05-08 19:14:05 +01:00
Henry Mercer	2a950b930c	Enable overlay-aware version selection in `setup-codeql`	2026-05-08 19:14:05 +01:00
Henry Mercer	4f815a68d3	Minor: Introduce constant to avoid duplication	2026-05-08 19:14:04 +01:00
Henry Mercer	0aedbb71d8	Merge branch 'main' into henrymercer/overlay-match-codeql-version	2026-05-08 19:10:45 +01:00
Henry Mercer	868e2ea564	Merge pull request #3886 from github/mergeback/v4.35.4-to-main-68bde559 Mergeback v4.35.4 refs/heads/releases/v4 into main	2026-05-08 14:25:20 +00:00
Henry Mercer	792c223bc1	Merge pull request #3875 from github/dependabot/npm_and_yarn/npm-minor-c8e071f5f8 Bump the npm-minor group across 1 directory with 4 updates	2026-05-08 14:25:05 +00:00
Henry Mercer	efc9b0a9e3	Improve changelog note Co-authored-by: Michael B. Gale <mbg@github.com>	2026-05-07 18:44:08 +01:00
github-actions[bot]	272ada693f	Rebuild	2026-05-07 15:58:38 +00:00
github-actions[bot]	610a6682b6	Merge remote-tracking branch 'origin/main' into mergeback/v4.35.4-to-main-68bde559	2026-05-07 15:57:56 +00:00
github-actions[bot]	1627096569	Update changelog and version after v4.35.4	2026-05-07 15:54:04 +00:00
Paolo Tranquilli	68bde559de	Merge pull request #3885 from github/update-v4.35.4-803d9e8c3 Merge main into releases/v4	2026-05-07 17:52:37 +02:00
github-actions[bot]	9739ad2d18	Update changelog for v4.35.4	2026-05-07 15:21:52 +00:00
Henry Mercer	b81d0d250f	Merge pull request #3874 from github/henrymercer/slow-tests-ci-only Tests: Run slow `scanArtifactsForTokens` test in CI only by default	2026-05-07 15:04:47 +00:00
Michael B. Gale	a16cb53dd8	Merge pull request #3884 from github/mbg/dev/no-build-metadata Do not run `bundle-metadata.ts` as part of `npm run build`	2026-05-07 15:02:21 +00:00
Michael B. Gale	803d9e8c3c	Merge pull request #3883 from github/mbg/test/macro-wrapper Add more strongly typed wrapper around `test.macro`	2026-05-07 14:46:34 +00:00
Henry Mercer	0c80cee806	Add explicit error on Windows	2026-05-07 15:39:42 +01:00
Michael B. Gale	d032ee8c47	Do not run `bundle-metadata.ts` as part of `npm run build`	2026-05-07 15:38:28 +01:00
Michael B. Gale	0fd9c7d135	Merge pull request #3882 from github/dependabot/github_actions/dot-github/workflows/actions-minor-4a0b9de8bd Bump ruby/setup-ruby from 1.305.0 to 1.306.0 in /.github/workflows in the actions-minor group across 1 directory	2026-05-07 14:17:36 +00:00
Michael B. Gale	922d6fb888	Use `makeMacro` instead of `test.macro`	2026-05-07 14:59:42 +01:00
Michael B. Gale	df77e87896	Update test macro snippet	2026-05-07 14:59:42 +01:00
Michael B. Gale	6e3f985e4f	Add wrapper for `test.macro`	2026-05-07 14:59:42 +01:00
Paolo Tranquilli	e7a347dfb1	Merge pull request #3881 from github/update-bundle/codeql-bundle-v2.25.4 Update default bundle to 2.25.4	2026-05-07 13:41:36 +00:00
github-actions[bot]	17eabb2500	Rebuild	2026-05-07 13:23:54 +00:00
dependabot[bot]	aaef09c48d	Bump ruby/setup-ruby Bumps the actions-minor group with 1 update in the /.github/workflows directory: [ruby/setup-ruby](https://github.com/ruby/setup-ruby). Updates `ruby/setup-ruby` from 1.305.0 to 1.306.0 - [Release notes](https://github.com/ruby/setup-ruby/releases) - [Changelog](https://github.com/ruby/setup-ruby/blob/master/release.rb) - [Commits](https://github.com/ruby/setup-ruby/compare/0cb964fd540e0a24c900370abf38a33466142735...c4e5b1316158f92e3d49443a9d58b31d25ac0f8f) --- updated-dependencies: - dependency-name: ruby/setup-ruby dependency-version: 1.306.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: actions-minor ... Signed-off-by: dependabot[bot] <support@github.com>	2026-05-07 13:21:45 +00:00
github-actions[bot]	ae1b9155d3	Add changelog note	2026-05-07 12:49:22 +00:00
github-actions[bot]	9f82f88f07	Update default bundle to codeql-bundle-v2.25.4	2026-05-07 12:49:13 +00:00
Henry Mercer	7525c68ea1	Nit: Dedupe languages	2026-05-07 11:01:15 +01:00
Henry Mercer	01bc9be56a	Filter to code scanning only	2026-05-07 11:00:54 +01:00
Henry Mercer	817b68489e	Merge branch 'main' into henrymercer/overlay-match-codeql-version	2026-05-06 19:20:52 +01:00
Henry Mercer	1b5632783c	Add changelog note	2026-05-06 19:13:25 +01:00
github-actions[bot]	1848b73afa	Rebuild	2026-05-06 18:01:54 +00:00
dependabot[bot]	d1e9792bc8	Bump the npm-minor group across 1 directory with 4 updates Bumps the npm-minor group with 4 updates in the / directory: [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node), [eslint](https://github.com/eslint/eslint), [typescript](https://github.com/microsoft/TypeScript) and [typescript-eslint](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/typescript-eslint). Updates `@types/node` from 20.19.9 to 20.19.39 - [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases) - [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node) Updates `eslint` from 9.39.2 to 9.39.4 - [Release notes](https://github.com/eslint/eslint/releases) - [Commits](https://github.com/eslint/eslint/compare/v9.39.2...v9.39.4) Updates `typescript` from 6.0.2 to 6.0.3 - [Release notes](https://github.com/microsoft/TypeScript/releases) - [Commits](https://github.com/microsoft/TypeScript/compare/v6.0.2...v6.0.3) Updates `typescript-eslint` from 8.58.2 to 8.59.1 - [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases) - [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/typescript-eslint/CHANGELOG.md) - [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v8.59.1/packages/typescript-eslint) --- updated-dependencies: - dependency-name: "@types/node" dependency-version: 20.19.39 dependency-type: direct:development update-type: version-update:semver-patch dependency-group: npm-minor - dependency-name: eslint dependency-version: 9.39.4 dependency-type: direct:development update-type: version-update:semver-patch dependency-group: npm-minor - dependency-name: typescript dependency-version: 6.0.3 dependency-type: direct:development update-type: version-update:semver-patch dependency-group: npm-minor - dependency-name: typescript-eslint dependency-version: 8.59.1 dependency-type: direct:development update-type: version-update:semver-minor dependency-group: npm-minor ... Signed-off-by: dependabot[bot] <support@github.com>	2026-05-06 17:59:44 +00:00
Henry Mercer	2c9cd77837	Tests: Run slow `scanArtifactsForTokens` test in CI only by default	2026-05-06 18:45:24 +01:00
Henry Mercer	b967fdfbdc	Add dry run mode so we can dark ship	2026-05-06 18:30:24 +01:00
Henry Mercer	55d6319f96	Match CLI version to cached overlay-base database	2026-05-06 18:01:37 +01:00
Henry Mercer	b0942116d7	Expose all enabled default CLI versions	2026-05-06 17:45:56 +01:00
Henry Mercer	a796e3e4ed	Add OverlayAnalysisMatchCodeqlVersion feature flag	2026-05-06 15:14:04 +01:00