Support skipping checks based on changed files

.github/actions/changed-files/action.yml

@@ -0,0 +1,53 @@
+name: Get changed files
+description: Outputs a stringified JSON array of changed files for a PR
+inputs:
+  github-token:
+    description: GitHub token
+    required: true
+  pattern:
+    description: "The glob pattern to use to check for changed files"
+    required: true
+    default: "${{ github.workspace }}/**/*"
+  exclude:
+    description: "A stringified JSON array of files to exclude"
+    required: false
+    default: "[]"
+outputs:
+  files:
+    description: Stringified JSON array of changed file paths
+    value: ${{ steps.changed-files.outputs.files }}
+runs:
+  using: "composite"
+  steps:
+    - name: Get changed files
+      id: changed-files
+      uses: actions/github-script@v7
+      env:
+        PATTERN: ${{ inputs.pattern }}
+        EXCLUDE: ${{ inputs.exclude }}
+      with:
+        github-token: ${{ inputs.github-token }}
+        script: |
+          const exclude = JSON.parse(process.env['EXCLUDE']);
+          const path = require('path');
+          const pr = context.payload.pull_request;
+          if (!pr) {
+            core.setOutput('files', JSON.stringify([]));
+            return;
+          }
+          const files = await github.paginate(
+            github.rest.pulls.listFiles,
+            {
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              pull_number: pr.number,
+              per_page: 100
+            }
+          );
+          const results = files
+            .filter(f => path.matchesGlob(
+              f.filename, process.env['PATTERN']
+            ) && !exclude.includes(f.filename))
+            .map(f => f.filename);
+          console.debug(results);
+          core.setOutput('files', JSON.stringify(results));

.github/actions/release-branches/action.yml

@@ -22,8 +22,7 @@ runs:
         MAJOR_VERSION: ${{ inputs.major_version }}
         LATEST_TAG: ${{ inputs.latest_tag }}
       run: |
-        npm ci
-        npx tsx ./pr-checks/release-branches.ts \
+        python ${{ github.action_path }}/release-branches.py \
             --major-version "$MAJOR_VERSION" \
             --latest-tag "$LATEST_TAG"
       shell: bash

.github/actions/release-branches/release-branches.py

@@ -0,0 +1,55 @@
+import argparse
+import json
+import os
+import configparser
+
+# Name of the remote
+ORIGIN = 'origin'
+
+script_dir = os.path.dirname(os.path.realpath(__file__))
+grandparent_dir = os.path.dirname(os.path.dirname(script_dir))
+
+config = configparser.ConfigParser()
+with open(os.path.join(grandparent_dir, 'releases.ini')) as stream:
+    config.read_string('[default]\n' + stream.read())
+
+OLDEST_SUPPORTED_MAJOR_VERSION = int(config['default']['OLDEST_SUPPORTED_MAJOR_VERSION'])
+
+def main():
+
+  parser = argparse.ArgumentParser()
+  parser.add_argument("--major-version", required=True, type=str, help="The major version of the release")
+  parser.add_argument("--latest-tag", required=True, type=str, help="The most recent tag published to the repository")
+  args = parser.parse_args()
+
+  major_version = args.major_version
+  latest_tag = args.latest_tag
+
+  print("major_version: " + major_version)
+  print("latest_tag: " + latest_tag)
+
+  # If this is a primary release, we backport to all supported branches,
+  # so we check whether the major_version taken from the package.json
+  # is greater than or equal to the latest tag pulled from the repo.
+  # For example...
+  #     'v1' >= 'v2' is False # we're operating from an older release branch and should not backport
+  #     'v2' >= 'v2' is True  # the normal case where we're updating the current version
+  #     'v3' >= 'v2' is True  # in this case we are making the first release of a new major version
+  consider_backports = ( major_version >= latest_tag.split(".")[0] )
+
+  with open(os.environ["GITHUB_OUTPUT"], "a") as f:
+
+    f.write(f"backport_source_branch=releases/{major_version}\n")
+
+    backport_target_branches = []
+
+    if consider_backports:
+      for i in range(int(major_version.strip("v"))-1, 0, -1):
+        branch_name = f"releases/v{i}"
+        if i >= OLDEST_SUPPORTED_MAJOR_VERSION:
+          backport_target_branches.append(branch_name)
+
+    f.write("backport_target_branches="+json.dumps(backport_target_branches)+"\n")
+
+if __name__ == "__main__":
+  main()

.github/actions/release-initialise/action.yml

@@ -15,12 +15,6 @@ runs:
       run: echo "$GITHUB_CONTEXT"
       shell: bash
 
-    - name: Set up Node
-      uses: actions/setup-node@v6
-      with:
-        node-version: 20
-        cache: 'npm'
-
     - name: Set up Python
       uses: actions/setup-python@v6
       with:

.github/codeql/codeql-config-javascript.yml

@@ -1,5 +1,5 @@
 name: "CodeQL config"
-queries:
+queries: 
   - name: Run custom queries
     uses: ./queries
   # Run all extra query suites, both because we want to
@@ -13,5 +13,3 @@ queries:
 paths-ignore:
   - lib
   - tests
-  - "**/*.test.ts"
-  - "**/testing-util.ts"

.github/dependabot.yml

@@ -1,9 +1,7 @@
 version: 2
 updates:
   - package-ecosystem: npm
-    directories:
-      - "/"
-      - "/pr-checks"
+    directory: "/"
     schedule:
       interval: weekly
     cooldown:

.github/releases.ini

@@ -0,0 +1 @@
+OLDEST_SUPPORTED_MAJOR_VERSION=3

.github/workflows/__all-platform-bundle.yml

@@ -54,6 +54,32 @@ concurrency:
   cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
   group: all-platform-bundle-${{github.ref}}-${{inputs.dotnet-version}}-${{inputs.go-version}}
 jobs:
+  should-run-all-platform-bundle:
+    name: Decide whether to run this check
+    timeout-minutes: 10
+    runs-on: ubuntu-slim
+    if: github.triggering_actor != 'dependabot[bot]'
+    outputs:
+      run-check: ${{ steps.changed-files-check.outputs.run-check || steps.event-type-check.outputs.run-check }}
+    steps:
+      - name: Run check if this is not a PR
+        id: event-type-check
+        if: github.event_name != 'pull_request'
+        run: echo "run-check=true" >> "$GITHUB_OUTPUT"
+      - name: Check out repository
+        if: github.event_name == 'pull_request'
+        uses: actions/checkout@v6
+      - name: Determine changed files
+        id: changed-files
+        if: github.event_name == 'pull_request'
+        uses: ./.github/actions/changed-files
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          exclude: '["README.md"]'
+      - name: Run check because of changed files
+        id: changed-files-check
+        if: github.event_name != 'pull_request' && steps.changed-files.outputs.files != '[]'
+        run: echo "run-check=true" >> "$GITHUB_OUTPUT"
   all-platform-bundle:
     strategy:
       fail-fast: false
@@ -66,7 +92,9 @@ jobs:
           - os: windows-latest
             version: nightly-latest
     name: All-platform bundle
-    if: github.triggering_actor != 'dependabot[bot]'
+    needs:
+      - should-run-all-platform-bundle
+    if: needs.should-run-all-platform-bundle.outputs.run-check == 'true'
     permissions:
       contents: read
       security-events: read
@@ -102,3 +130,23 @@ jobs:
       - uses: ./../action/analyze
     env:
       CODEQL_ACTION_TEST_MODE: true
+  skip-all-platform-bundle:
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - os: ubuntu-latest
+            version: nightly-latest
+          - os: macos-latest
+            version: nightly-latest
+          - os: windows-latest
+            version: nightly-latest
+    name: All-platform bundle
+    needs:
+      - should-run-all-platform-bundle
+    if: needs.should-run-all-platform-bundle.outputs.run-check != 'true'
+    timeout-minutes: 5
+    runs-on: ubuntu-slim
+    steps:
+      - name: Success
+        run: exit 0

.github/workflows/__analysis-kinds.yml

@@ -34,6 +34,32 @@ concurrency:
   cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
   group: analysis-kinds-${{github.ref}}
 jobs:
+  should-run-analysis-kinds:
+    name: Decide whether to run this check
+    timeout-minutes: 10
+    runs-on: ubuntu-slim
+    if: github.triggering_actor != 'dependabot[bot]'
+    outputs:
+      run-check: ${{ steps.changed-files-check.outputs.run-check || steps.event-type-check.outputs.run-check }}
+    steps:
+      - name: Run check if this is not a PR
+        id: event-type-check
+        if: github.event_name != 'pull_request'
+        run: echo "run-check=true" >> "$GITHUB_OUTPUT"
+      - name: Check out repository
+        if: github.event_name == 'pull_request'
+        uses: actions/checkout@v6
+      - name: Determine changed files
+        id: changed-files
+        if: github.event_name == 'pull_request'
+        uses: ./.github/actions/changed-files
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          exclude: '["README.md"]'
+      - name: Run check because of changed files
+        id: changed-files-check
+        if: github.event_name != 'pull_request' && steps.changed-files.outputs.files != '[]'
+        run: echo "run-check=true" >> "$GITHUB_OUTPUT"
   analysis-kinds:
     strategy:
       fail-fast: false
@@ -64,7 +90,9 @@ jobs:
             version: nightly-latest
             analysis-kinds: risk-assessment
     name: Analysis kinds
-    if: github.triggering_actor != 'dependabot[bot]'
+    needs:
+      - should-run-analysis-kinds
+    if: needs.should-run-analysis-kinds.outputs.run-check == 'true'
     permissions:
       contents: read
       security-events: read
@@ -92,7 +120,7 @@ jobs:
           post-processed-sarif-path: '${{ runner.temp }}/post-processed'
 
       - name: Upload SARIF files
-        uses: actions/upload-artifact@v7
+        uses: actions/upload-artifact@v6
         with:
           name: |
             analysis-kinds-${{ matrix.os }}-${{ matrix.version }}-${{ matrix.analysis-kinds }}
@@ -100,7 +128,7 @@ jobs:
           retention-days: 7
 
       - name: Upload post-processed SARIF
-        uses: actions/upload-artifact@v7
+        uses: actions/upload-artifact@v6
         with:
           name: |
             post-processed-${{ matrix.os }}-${{ matrix.version }}-${{ matrix.analysis-kinds }}
@@ -150,3 +178,41 @@ jobs:
           core.setFailed(`${ found ? "Found" : "Didn't find" } rule ${targetId}`);
         }
       CODEQL_ACTION_TEST_MODE: true
+  skip-analysis-kinds:
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - os: ubuntu-latest
+            version: linked
+            analysis-kinds: code-scanning
+          - os: ubuntu-latest
+            version: linked
+            analysis-kinds: code-quality
+          - os: ubuntu-latest
+            version: linked
+            analysis-kinds: code-scanning,code-quality
+          - os: ubuntu-latest
+            version: linked
+            analysis-kinds: risk-assessment
+          - os: ubuntu-latest
+            version: nightly-latest
+            analysis-kinds: code-scanning
+          - os: ubuntu-latest
+            version: nightly-latest
+            analysis-kinds: code-quality
+          - os: ubuntu-latest
+            version: nightly-latest
+            analysis-kinds: code-scanning,code-quality
+          - os: ubuntu-latest
+            version: nightly-latest
+            analysis-kinds: risk-assessment
+    name: Analysis kinds
+    needs:
+      - should-run-analysis-kinds
+    if: needs.should-run-analysis-kinds.outputs.run-check != 'true'
+    timeout-minutes: 5
+    runs-on: ubuntu-slim
+    steps:
+      - name: Success
+        run: exit 0

.github/workflows/__analyze-ref-input.yml

@@ -35,6 +35,11 @@ on:
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
+      python-version:
+        type: string
+        description: The version of Python to install
+        required: false
+        default: '3.13'
   workflow_call:
     inputs:
       dotnet-version:
@@ -47,13 +52,44 @@ on:
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
+      python-version:
+        type: string
+        description: The version of Python to install
+        required: false
+        default: '3.13'
 defaults:
   run:
     shell: bash
 concurrency:
   cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: analyze-ref-input-${{github.ref}}-${{inputs.dotnet-version}}-${{inputs.go-version}}
+  group: analyze-ref-input-${{github.ref}}-${{inputs.dotnet-version}}-${{inputs.go-version}}-${{inputs.python-version}}
 jobs:
+  should-run-analyze-ref-input:
+    name: Decide whether to run this check
+    timeout-minutes: 10
+    runs-on: ubuntu-slim
+    if: github.triggering_actor != 'dependabot[bot]'
+    outputs:
+      run-check: ${{ steps.changed-files-check.outputs.run-check || steps.event-type-check.outputs.run-check }}
+    steps:
+      - name: Run check if this is not a PR
+        id: event-type-check
+        if: github.event_name != 'pull_request'
+        run: echo "run-check=true" >> "$GITHUB_OUTPUT"
+      - name: Check out repository
+        if: github.event_name == 'pull_request'
+        uses: actions/checkout@v6
+      - name: Determine changed files
+        id: changed-files
+        if: github.event_name == 'pull_request'
+        uses: ./.github/actions/changed-files
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          exclude: '["README.md"]'
+      - name: Run check because of changed files
+        id: changed-files-check
+        if: github.event_name != 'pull_request' && steps.changed-files.outputs.files != '[]'
+        run: echo "run-check=true" >> "$GITHUB_OUTPUT"
   analyze-ref-input:
     strategy:
       fail-fast: false
@@ -62,7 +98,9 @@ jobs:
           - os: ubuntu-latest
             version: default
     name: "Analyze: 'ref' and 'sha' from inputs"
-    if: github.triggering_actor != 'dependabot[bot]'
+    needs:
+      - should-run-analyze-ref-input
+    if: needs.should-run-analyze-ref-input.outputs.run-check == 'true'
     permissions:
       contents: read
       security-events: read
@@ -80,6 +118,11 @@ jobs:
         with:
           go-version: ${{ inputs.go-version || '>=1.21.0' }}
           cache: false
+      - name: Install Python
+        if: matrix.version != 'nightly-latest' || !matrix.version
+        uses: actions/setup-python@v6
+        with:
+          python-version: ${{ inputs.python-version || '3.13' }}
       - name: Prepare test
         id: prepare-test
         uses: ./.github/actions/prepare-test
@@ -100,3 +143,19 @@ jobs:
           sha: '5e235361806c361d4d3f8859e3c897658025a9a2'
     env:
       CODEQL_ACTION_TEST_MODE: true
+  skip-analyze-ref-input:
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - os: ubuntu-latest
+            version: default
+    name: "Analyze: 'ref' and 'sha' from inputs"
+    needs:
+      - should-run-analyze-ref-input
+    if: needs.should-run-analyze-ref-input.outputs.run-check != 'true'
+    timeout-minutes: 5
+    runs-on: ubuntu-slim
+    steps:
+      - name: Success
+        run: exit 0

.github/workflows/__autobuild-action.yml

@@ -44,6 +44,32 @@ concurrency:
   cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
   group: autobuild-action-${{github.ref}}-${{inputs.dotnet-version}}
 jobs:
+  should-run-autobuild-action:
+    name: Decide whether to run this check
+    timeout-minutes: 10
+    runs-on: ubuntu-slim
+    if: github.triggering_actor != 'dependabot[bot]'
+    outputs:
+      run-check: ${{ steps.changed-files-check.outputs.run-check || steps.event-type-check.outputs.run-check }}
+    steps:
+      - name: Run check if this is not a PR
+        id: event-type-check
+        if: github.event_name != 'pull_request'
+        run: echo "run-check=true" >> "$GITHUB_OUTPUT"
+      - name: Check out repository
+        if: github.event_name == 'pull_request'
+        uses: actions/checkout@v6
+      - name: Determine changed files
+        id: changed-files
+        if: github.event_name == 'pull_request'
+        uses: ./.github/actions/changed-files
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          exclude: '["README.md"]'
+      - name: Run check because of changed files
+        id: changed-files-check
+        if: github.event_name != 'pull_request' && steps.changed-files.outputs.files != '[]'
+        run: echo "run-check=true" >> "$GITHUB_OUTPUT"
   autobuild-action:
     strategy:
       fail-fast: false
@@ -56,7 +82,9 @@ jobs:
           - os: windows-latest
             version: linked
     name: autobuild-action
-    if: github.triggering_actor != 'dependabot[bot]'
+    needs:
+      - should-run-autobuild-action
+    if: needs.should-run-autobuild-action.outputs.run-check == 'true'
     permissions:
       contents: read
       security-events: read
@@ -99,3 +127,23 @@ jobs:
           fi
     env:
       CODEQL_ACTION_TEST_MODE: true
+  skip-autobuild-action:
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - os: ubuntu-latest
+            version: linked
+          - os: macos-latest
+            version: linked
+          - os: windows-latest
+            version: linked
+    name: autobuild-action
+    needs:
+      - should-run-autobuild-action
+    if: needs.should-run-autobuild-action.outputs.run-check != 'true'
+    timeout-minutes: 5
+    runs-on: ubuntu-slim
+    steps:
+      - name: Success
+        run: exit 0

.github/workflows/__autobuild-direct-tracing-with-working-dir.yml

@@ -44,6 +44,32 @@ concurrency:
   cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
   group: autobuild-direct-tracing-with-working-dir-${{github.ref}}-${{inputs.java-version}}
 jobs:
+  should-run-autobuild-direct-tracing-with-working-dir:
+    name: Decide whether to run this check
+    timeout-minutes: 10
+    runs-on: ubuntu-slim
+    if: github.triggering_actor != 'dependabot[bot]'
+    outputs:
+      run-check: ${{ steps.changed-files-check.outputs.run-check || steps.event-type-check.outputs.run-check }}
+    steps:
+      - name: Run check if this is not a PR
+        id: event-type-check
+        if: github.event_name != 'pull_request'
+        run: echo "run-check=true" >> "$GITHUB_OUTPUT"
+      - name: Check out repository
+        if: github.event_name == 'pull_request'
+        uses: actions/checkout@v6
+      - name: Determine changed files
+        id: changed-files
+        if: github.event_name == 'pull_request'
+        uses: ./.github/actions/changed-files
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          exclude: '["README.md"]'
+      - name: Run check because of changed files
+        id: changed-files-check
+        if: github.event_name != 'pull_request' && steps.changed-files.outputs.files != '[]'
+        run: echo "run-check=true" >> "$GITHUB_OUTPUT"
   autobuild-direct-tracing-with-working-dir:
     strategy:
       fail-fast: false
@@ -58,7 +84,9 @@ jobs:
           - os: windows-latest
             version: nightly-latest
     name: Autobuild direct tracing (custom working directory)
-    if: github.triggering_actor != 'dependabot[bot]'
+    needs:
+      - should-run-autobuild-direct-tracing-with-working-dir
+    if: needs.should-run-autobuild-direct-tracing-with-working-dir.outputs.run-check == 'true'
     permissions:
       contents: read
       security-events: read
@@ -104,3 +132,25 @@ jobs:
     env:
       CODEQL_ACTION_AUTOBUILD_BUILD_MODE_DIRECT_TRACING: true
       CODEQL_ACTION_TEST_MODE: true
+  skip-autobuild-direct-tracing-with-working-dir:
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - os: ubuntu-latest
+            version: linked
+          - os: windows-latest
+            version: linked
+          - os: ubuntu-latest
+            version: nightly-latest
+          - os: windows-latest
+            version: nightly-latest
+    name: Autobuild direct tracing (custom working directory)
+    needs:
+      - should-run-autobuild-direct-tracing-with-working-dir
+    if: needs.should-run-autobuild-direct-tracing-with-working-dir.outputs.run-check != 'true'
+    timeout-minutes: 5
+    runs-on: ubuntu-slim
+    steps:
+      - name: Success
+        run: exit 0

.github/workflows/__autobuild-working-dir.yml

@@ -34,6 +34,32 @@ concurrency:
   cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
   group: autobuild-working-dir-${{github.ref}}
 jobs:
+  should-run-autobuild-working-dir:
+    name: Decide whether to run this check
+    timeout-minutes: 10
+    runs-on: ubuntu-slim
+    if: github.triggering_actor != 'dependabot[bot]'
+    outputs:
+      run-check: ${{ steps.changed-files-check.outputs.run-check || steps.event-type-check.outputs.run-check }}
+    steps:
+      - name: Run check if this is not a PR
+        id: event-type-check
+        if: github.event_name != 'pull_request'
+        run: echo "run-check=true" >> "$GITHUB_OUTPUT"
+      - name: Check out repository
+        if: github.event_name == 'pull_request'
+        uses: actions/checkout@v6
+      - name: Determine changed files
+        id: changed-files
+        if: github.event_name == 'pull_request'
+        uses: ./.github/actions/changed-files
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          exclude: '["README.md"]'
+      - name: Run check because of changed files
+        id: changed-files-check
+        if: github.event_name != 'pull_request' && steps.changed-files.outputs.files != '[]'
+        run: echo "run-check=true" >> "$GITHUB_OUTPUT"
   autobuild-working-dir:
     strategy:
       fail-fast: false
@@ -42,7 +68,9 @@ jobs:
           - os: ubuntu-latest
             version: linked
     name: Autobuild working directory
-    if: github.triggering_actor != 'dependabot[bot]'
+    needs:
+      - should-run-autobuild-working-dir
+    if: needs.should-run-autobuild-working-dir.outputs.run-check == 'true'
     permissions:
       contents: read
       security-events: read
@@ -81,3 +109,19 @@ jobs:
           fi
     env:
       CODEQL_ACTION_TEST_MODE: true
+  skip-autobuild-working-dir:
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - os: ubuntu-latest
+            version: linked
+    name: Autobuild working directory
+    needs:
+      - should-run-autobuild-working-dir
+    if: needs.should-run-autobuild-working-dir.outputs.run-check != 'true'
+    timeout-minutes: 5
+    runs-on: ubuntu-slim
+    steps:
+      - name: Success
+        run: exit 0

.github/workflows/__build-mode-autobuild.yml

@@ -44,6 +44,32 @@ concurrency:
   cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
   group: build-mode-autobuild-${{github.ref}}-${{inputs.java-version}}
 jobs:
+  should-run-build-mode-autobuild:
+    name: Decide whether to run this check
+    timeout-minutes: 10
+    runs-on: ubuntu-slim
+    if: github.triggering_actor != 'dependabot[bot]'
+    outputs:
+      run-check: ${{ steps.changed-files-check.outputs.run-check || steps.event-type-check.outputs.run-check }}
+    steps:
+      - name: Run check if this is not a PR
+        id: event-type-check
+        if: github.event_name != 'pull_request'
+        run: echo "run-check=true" >> "$GITHUB_OUTPUT"
+      - name: Check out repository
+        if: github.event_name == 'pull_request'
+        uses: actions/checkout@v6
+      - name: Determine changed files
+        id: changed-files
+        if: github.event_name == 'pull_request'
+        uses: ./.github/actions/changed-files
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          exclude: '["README.md"]'
+      - name: Run check because of changed files
+        id: changed-files-check
+        if: github.event_name != 'pull_request' && steps.changed-files.outputs.files != '[]'
+        run: echo "run-check=true" >> "$GITHUB_OUTPUT"
   build-mode-autobuild:
     strategy:
       fail-fast: false
@@ -58,7 +84,9 @@ jobs:
           - os: windows-latest
             version: nightly-latest
     name: Build mode autobuild
-    if: github.triggering_actor != 'dependabot[bot]'
+    needs:
+      - should-run-build-mode-autobuild
+    if: needs.should-run-build-mode-autobuild.outputs.run-check == 'true'
     permissions:
       contents: read
       security-events: read
@@ -121,3 +149,25 @@ jobs:
       - uses: ./../action/analyze
     env:
       CODEQL_ACTION_TEST_MODE: true
+  skip-build-mode-autobuild:
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - os: ubuntu-latest
+            version: linked
+          - os: windows-latest
+            version: linked
+          - os: ubuntu-latest
+            version: nightly-latest
+          - os: windows-latest
+            version: nightly-latest
+    name: Build mode autobuild
+    needs:
+      - should-run-build-mode-autobuild
+    if: needs.should-run-build-mode-autobuild.outputs.run-check != 'true'
+    timeout-minutes: 5
+    runs-on: ubuntu-slim
+    steps:
+      - name: Success
+        run: exit 0

.github/workflows/__build-mode-manual.yml

@@ -54,6 +54,32 @@ concurrency:
   cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
   group: build-mode-manual-${{github.ref}}-${{inputs.dotnet-version}}-${{inputs.go-version}}
 jobs:
+  should-run-build-mode-manual:
+    name: Decide whether to run this check
+    timeout-minutes: 10
+    runs-on: ubuntu-slim
+    if: github.triggering_actor != 'dependabot[bot]'
+    outputs:
+      run-check: ${{ steps.changed-files-check.outputs.run-check || steps.event-type-check.outputs.run-check }}
+    steps:
+      - name: Run check if this is not a PR
+        id: event-type-check
+        if: github.event_name != 'pull_request'
+        run: echo "run-check=true" >> "$GITHUB_OUTPUT"
+      - name: Check out repository
+        if: github.event_name == 'pull_request'
+        uses: actions/checkout@v6
+      - name: Determine changed files
+        id: changed-files
+        if: github.event_name == 'pull_request'
+        uses: ./.github/actions/changed-files
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          exclude: '["README.md"]'
+      - name: Run check because of changed files
+        id: changed-files-check
+        if: github.event_name != 'pull_request' && steps.changed-files.outputs.files != '[]'
+        run: echo "run-check=true" >> "$GITHUB_OUTPUT"
   build-mode-manual:
     strategy:
       fail-fast: false
@@ -62,7 +88,9 @@ jobs:
           - os: ubuntu-latest
             version: nightly-latest
     name: Build mode manual
-    if: github.triggering_actor != 'dependabot[bot]'
+    needs:
+      - should-run-build-mode-manual
+    if: needs.should-run-build-mode-manual.outputs.run-check == 'true'
     permissions:
       contents: read
       security-events: read
@@ -110,3 +138,19 @@ jobs:
       - uses: ./../action/analyze
     env:
       CODEQL_ACTION_TEST_MODE: true
+  skip-build-mode-manual:
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - os: ubuntu-latest
+            version: nightly-latest
+    name: Build mode manual
+    needs:
+      - should-run-build-mode-manual
+    if: needs.should-run-build-mode-manual.outputs.run-check != 'true'
+    timeout-minutes: 5
+    runs-on: ubuntu-slim
+    steps:
+      - name: Success
+        run: exit 0

.github/workflows/__build-mode-none.yml

@@ -34,6 +34,32 @@ concurrency:
   cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
   group: build-mode-none-${{github.ref}}
 jobs:
+  should-run-build-mode-none:
+    name: Decide whether to run this check
+    timeout-minutes: 10
+    runs-on: ubuntu-slim
+    if: github.triggering_actor != 'dependabot[bot]'
+    outputs:
+      run-check: ${{ steps.changed-files-check.outputs.run-check || steps.event-type-check.outputs.run-check }}
+    steps:
+      - name: Run check if this is not a PR
+        id: event-type-check
+        if: github.event_name != 'pull_request'
+        run: echo "run-check=true" >> "$GITHUB_OUTPUT"
+      - name: Check out repository
+        if: github.event_name == 'pull_request'
+        uses: actions/checkout@v6
+      - name: Determine changed files
+        id: changed-files
+        if: github.event_name == 'pull_request'
+        uses: ./.github/actions/changed-files
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          exclude: '["README.md"]'
+      - name: Run check because of changed files
+        id: changed-files-check
+        if: github.event_name != 'pull_request' && steps.changed-files.outputs.files != '[]'
+        run: echo "run-check=true" >> "$GITHUB_OUTPUT"
   build-mode-none:
     strategy:
       fail-fast: false
@@ -44,7 +70,9 @@ jobs:
           - os: ubuntu-latest
             version: nightly-latest
     name: Build mode none
-    if: github.triggering_actor != 'dependabot[bot]'
+    needs:
+      - should-run-build-mode-none
+    if: needs.should-run-build-mode-none.outputs.run-check == 'true'
     permissions:
       contents: read
       security-events: read
@@ -84,3 +112,21 @@ jobs:
       - uses: ./../action/analyze
     env:
       CODEQL_ACTION_TEST_MODE: true
+  skip-build-mode-none:
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - os: ubuntu-latest
+            version: linked
+          - os: ubuntu-latest
+            version: nightly-latest
+    name: Build mode none
+    needs:
+      - should-run-build-mode-none
+    if: needs.should-run-build-mode-none.outputs.run-check != 'true'
+    timeout-minutes: 5
+    runs-on: ubuntu-slim
+    steps:
+      - name: Success
+        run: exit 0

.github/workflows/__build-mode-rollback.yml

@@ -34,6 +34,32 @@ concurrency:
   cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
   group: build-mode-rollback-${{github.ref}}
 jobs:
+  should-run-build-mode-rollback:
+    name: Decide whether to run this check
+    timeout-minutes: 10
+    runs-on: ubuntu-slim
+    if: github.triggering_actor != 'dependabot[bot]'
+    outputs:
+      run-check: ${{ steps.changed-files-check.outputs.run-check || steps.event-type-check.outputs.run-check }}
+    steps:
+      - name: Run check if this is not a PR
+        id: event-type-check
+        if: github.event_name != 'pull_request'
+        run: echo "run-check=true" >> "$GITHUB_OUTPUT"
+      - name: Check out repository
+        if: github.event_name == 'pull_request'
+        uses: actions/checkout@v6
+      - name: Determine changed files
+        id: changed-files
+        if: github.event_name == 'pull_request'
+        uses: ./.github/actions/changed-files
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          exclude: '["README.md"]'
+      - name: Run check because of changed files
+        id: changed-files-check
+        if: github.event_name != 'pull_request' && steps.changed-files.outputs.files != '[]'
+        run: echo "run-check=true" >> "$GITHUB_OUTPUT"
   build-mode-rollback:
     strategy:
       fail-fast: false
@@ -42,7 +68,9 @@ jobs:
           - os: ubuntu-latest
             version: nightly-latest
     name: Build mode rollback
-    if: github.triggering_actor != 'dependabot[bot]'
+    needs:
+      - should-run-build-mode-rollback
+    if: needs.should-run-build-mode-rollback.outputs.run-check == 'true'
     permissions:
       contents: read
       security-events: read
@@ -85,3 +113,19 @@ jobs:
     env:
       CODEQL_ACTION_DISABLE_JAVA_BUILDLESS: true
       CODEQL_ACTION_TEST_MODE: true
+  skip-build-mode-rollback:
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - os: ubuntu-latest
+            version: nightly-latest
+    name: Build mode rollback
+    needs:
+      - should-run-build-mode-rollback
+    if: needs.should-run-build-mode-rollback.outputs.run-check != 'true'
+    timeout-minutes: 5
+    runs-on: ubuntu-slim
+    steps:
+      - name: Success
+        run: exit 0

.github/workflows/__bundle-from-nightly.yml

@@ -34,6 +34,32 @@ concurrency:
   cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
   group: bundle-from-nightly-${{github.ref}}
 jobs:
+  should-run-bundle-from-nightly:
+    name: Decide whether to run this check
+    timeout-minutes: 10
+    runs-on: ubuntu-slim
+    if: github.triggering_actor != 'dependabot[bot]'
+    outputs:
+      run-check: ${{ steps.changed-files-check.outputs.run-check || steps.event-type-check.outputs.run-check }}
+    steps:
+      - name: Run check if this is not a PR
+        id: event-type-check
+        if: github.event_name != 'pull_request'
+        run: echo "run-check=true" >> "$GITHUB_OUTPUT"
+      - name: Check out repository
+        if: github.event_name == 'pull_request'
+        uses: actions/checkout@v6
+      - name: Determine changed files
+        id: changed-files
+        if: github.event_name == 'pull_request'
+        uses: ./.github/actions/changed-files
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          exclude: '["README.md"]'
+      - name: Run check because of changed files
+        id: changed-files-check
+        if: github.event_name != 'pull_request' && steps.changed-files.outputs.files != '[]'
+        run: echo "run-check=true" >> "$GITHUB_OUTPUT"
   bundle-from-nightly:
     strategy:
       fail-fast: false
@@ -42,7 +68,9 @@ jobs:
           - os: ubuntu-latest
             version: linked
     name: 'Bundle: From nightly'
-    if: github.triggering_actor != 'dependabot[bot]'
+    needs:
+      - should-run-bundle-from-nightly
+    if: needs.should-run-bundle-from-nightly.outputs.run-check == 'true'
     permissions:
       contents: read
       security-events: read
@@ -70,3 +98,19 @@ jobs:
         run: exit 1
     env:
       CODEQL_ACTION_TEST_MODE: true
+  skip-bundle-from-nightly:
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - os: ubuntu-latest
+            version: linked
+    name: 'Bundle: From nightly'
+    needs:
+      - should-run-bundle-from-nightly
+    if: needs.should-run-bundle-from-nightly.outputs.run-check != 'true'
+    timeout-minutes: 5
+    runs-on: ubuntu-slim
+    steps:
+      - name: Success
+        run: exit 0

.github/workflows/__bundle-from-toolcache.yml

@@ -34,6 +34,32 @@ concurrency:
   cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
   group: bundle-from-toolcache-${{github.ref}}
 jobs:
+  should-run-bundle-from-toolcache:
+    name: Decide whether to run this check
+    timeout-minutes: 10
+    runs-on: ubuntu-slim
+    if: github.triggering_actor != 'dependabot[bot]'
+    outputs:
+      run-check: ${{ steps.changed-files-check.outputs.run-check || steps.event-type-check.outputs.run-check }}
+    steps:
+      - name: Run check if this is not a PR
+        id: event-type-check
+        if: github.event_name != 'pull_request'
+        run: echo "run-check=true" >> "$GITHUB_OUTPUT"
+      - name: Check out repository
+        if: github.event_name == 'pull_request'
+        uses: actions/checkout@v6
+      - name: Determine changed files
+        id: changed-files
+        if: github.event_name == 'pull_request'
+        uses: ./.github/actions/changed-files
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          exclude: '["README.md"]'
+      - name: Run check because of changed files
+        id: changed-files-check
+        if: github.event_name != 'pull_request' && steps.changed-files.outputs.files != '[]'
+        run: echo "run-check=true" >> "$GITHUB_OUTPUT"
   bundle-from-toolcache:
     strategy:
       fail-fast: false
@@ -42,7 +68,9 @@ jobs:
           - os: ubuntu-latest
             version: toolcache
     name: 'Bundle: From toolcache'
-    if: github.triggering_actor != 'dependabot[bot]'
+    needs:
+      - should-run-bundle-from-toolcache
+    if: needs.should-run-bundle-from-toolcache.outputs.run-check == 'true'
     permissions:
       contents: read
       security-events: read
@@ -86,3 +114,19 @@ jobs:
             }
     env:
       CODEQL_ACTION_TEST_MODE: true
+  skip-bundle-from-toolcache:
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - os: ubuntu-latest
+            version: toolcache
+    name: 'Bundle: From toolcache'
+    needs:
+      - should-run-bundle-from-toolcache
+    if: needs.should-run-bundle-from-toolcache.outputs.run-check != 'true'
+    timeout-minutes: 5
+    runs-on: ubuntu-slim
+    steps:
+      - name: Success
+        run: exit 0

.github/workflows/__bundle-toolcache.yml

@@ -34,19 +34,47 @@ concurrency:
   cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
   group: bundle-toolcache-${{github.ref}}
 jobs:
+  should-run-bundle-toolcache:
+    name: Decide whether to run this check
+    timeout-minutes: 10
+    runs-on: ubuntu-slim
+    if: github.triggering_actor != 'dependabot[bot]'
+    outputs:
+      run-check: ${{ steps.changed-files-check.outputs.run-check || steps.event-type-check.outputs.run-check }}
+    steps:
+      - name: Run check if this is not a PR
+        id: event-type-check
+        if: github.event_name != 'pull_request'
+        run: echo "run-check=true" >> "$GITHUB_OUTPUT"
+      - name: Check out repository
+        if: github.event_name == 'pull_request'
+        uses: actions/checkout@v6
+      - name: Determine changed files
+        id: changed-files
+        if: github.event_name == 'pull_request'
+        uses: ./.github/actions/changed-files
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          exclude: '["README.md"]'
+      - name: Run check because of changed files
+        id: changed-files-check
+        if: github.event_name != 'pull_request' && steps.changed-files.outputs.files != '[]'
+        run: echo "run-check=true" >> "$GITHUB_OUTPUT"
   bundle-toolcache:
     strategy:
       fail-fast: false
       matrix:
         include:
-          - os: ubuntu-latest
-            version: linked
           - os: macos-latest
             version: linked
+          - os: ubuntu-latest
+            version: linked
           - os: windows-latest
             version: linked
     name: 'Bundle: Caching checks'
-    if: github.triggering_actor != 'dependabot[bot]'
+    needs:
+      - should-run-bundle-toolcache
+    if: needs.should-run-bundle-toolcache.outputs.run-check == 'true'
     permissions:
       contents: read
       security-events: read
@@ -106,3 +134,23 @@ jobs:
             }
     env:
       CODEQL_ACTION_TEST_MODE: true
+  skip-bundle-toolcache:
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - os: macos-latest
+            version: linked
+          - os: ubuntu-latest
+            version: linked
+          - os: windows-latest
+            version: linked
+    name: 'Bundle: Caching checks'
+    needs:
+      - should-run-bundle-toolcache
+    if: needs.should-run-bundle-toolcache.outputs.run-check != 'true'
+    timeout-minutes: 5
+    runs-on: ubuntu-slim
+    steps:
+      - name: Success
+        run: exit 0

.github/workflows/__bundle-zstd.yml

@@ -34,19 +34,47 @@ concurrency:
   cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
   group: bundle-zstd-${{github.ref}}
 jobs:
+  should-run-bundle-zstd:
+    name: Decide whether to run this check
+    timeout-minutes: 10
+    runs-on: ubuntu-slim
+    if: github.triggering_actor != 'dependabot[bot]'
+    outputs:
+      run-check: ${{ steps.changed-files-check.outputs.run-check || steps.event-type-check.outputs.run-check }}
+    steps:
+      - name: Run check if this is not a PR
+        id: event-type-check
+        if: github.event_name != 'pull_request'
+        run: echo "run-check=true" >> "$GITHUB_OUTPUT"
+      - name: Check out repository
+        if: github.event_name == 'pull_request'
+        uses: actions/checkout@v6
+      - name: Determine changed files
+        id: changed-files
+        if: github.event_name == 'pull_request'
+        uses: ./.github/actions/changed-files
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          exclude: '["README.md"]'
+      - name: Run check because of changed files
+        id: changed-files-check
+        if: github.event_name != 'pull_request' && steps.changed-files.outputs.files != '[]'
+        run: echo "run-check=true" >> "$GITHUB_OUTPUT"
   bundle-zstd:
     strategy:
       fail-fast: false
       matrix:
         include:
-          - os: ubuntu-latest
-            version: linked
           - os: macos-latest
             version: linked
+          - os: ubuntu-latest
+            version: linked
           - os: windows-latest
             version: linked
     name: 'Bundle: Zstandard checks'
-    if: github.triggering_actor != 'dependabot[bot]'
+    needs:
+      - should-run-bundle-zstd
+    if: needs.should-run-bundle-zstd.outputs.run-check == 'true'
     permissions:
       contents: read
       security-events: read
@@ -82,7 +110,7 @@ jobs:
           output: ${{ runner.temp }}/results
           upload-database: false
       - name: Upload SARIF
-        uses: actions/upload-artifact@v7
+        uses: actions/upload-artifact@v6
         with:
           name: ${{ matrix.os }}-zstd-bundle.sarif
           path: ${{ runner.temp }}/results/javascript.sarif
@@ -123,3 +151,23 @@ jobs:
             }
     env:
       CODEQL_ACTION_TEST_MODE: true
+  skip-bundle-zstd:
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - os: macos-latest
+            version: linked
+          - os: ubuntu-latest
+            version: linked
+          - os: windows-latest
+            version: linked
+    name: 'Bundle: Zstandard checks'
+    needs:
+      - should-run-bundle-zstd
+    if: needs.should-run-bundle-zstd.outputs.run-check != 'true'
+    timeout-minutes: 5
+    runs-on: ubuntu-slim
+    steps:
+      - name: Success
+        run: exit 0

.github/workflows/__cleanup-db-cluster-dir.yml

@@ -34,6 +34,32 @@ concurrency:
   cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
   group: cleanup-db-cluster-dir-${{github.ref}}
 jobs:
+  should-run-cleanup-db-cluster-dir:
+    name: Decide whether to run this check
+    timeout-minutes: 10
+    runs-on: ubuntu-slim
+    if: github.triggering_actor != 'dependabot[bot]'
+    outputs:
+      run-check: ${{ steps.changed-files-check.outputs.run-check || steps.event-type-check.outputs.run-check }}
+    steps:
+      - name: Run check if this is not a PR
+        id: event-type-check
+        if: github.event_name != 'pull_request'
+        run: echo "run-check=true" >> "$GITHUB_OUTPUT"
+      - name: Check out repository
+        if: github.event_name == 'pull_request'
+        uses: actions/checkout@v6
+      - name: Determine changed files
+        id: changed-files
+        if: github.event_name == 'pull_request'
+        uses: ./.github/actions/changed-files
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          exclude: '["README.md"]'
+      - name: Run check because of changed files
+        id: changed-files-check
+        if: github.event_name != 'pull_request' && steps.changed-files.outputs.files != '[]'
+        run: echo "run-check=true" >> "$GITHUB_OUTPUT"
   cleanup-db-cluster-dir:
     strategy:
       fail-fast: false
@@ -42,7 +68,9 @@ jobs:
           - os: ubuntu-latest
             version: linked
     name: Clean up database cluster directory
-    if: github.triggering_actor != 'dependabot[bot]'
+    needs:
+      - should-run-cleanup-db-cluster-dir
+    if: needs.should-run-cleanup-db-cluster-dir.outputs.run-check == 'true'
     permissions:
       contents: read
       security-events: read
@@ -80,3 +108,19 @@ jobs:
           echo "File was cleaned up"
     env:
       CODEQL_ACTION_TEST_MODE: true
+  skip-cleanup-db-cluster-dir:
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - os: ubuntu-latest
+            version: linked
+    name: Clean up database cluster directory
+    needs:
+      - should-run-cleanup-db-cluster-dir
+    if: needs.should-run-cleanup-db-cluster-dir.outputs.run-check != 'true'
+    timeout-minutes: 5
+    runs-on: ubuntu-slim
+    steps:
+      - name: Success
+        run: exit 0

.github/workflows/__config-export.yml

@@ -34,6 +34,32 @@ concurrency:
   cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
   group: config-export-${{github.ref}}
 jobs:
+  should-run-config-export:
+    name: Decide whether to run this check
+    timeout-minutes: 10
+    runs-on: ubuntu-slim
+    if: github.triggering_actor != 'dependabot[bot]'
+    outputs:
+      run-check: ${{ steps.changed-files-check.outputs.run-check || steps.event-type-check.outputs.run-check }}
+    steps:
+      - name: Run check if this is not a PR
+        id: event-type-check
+        if: github.event_name != 'pull_request'
+        run: echo "run-check=true" >> "$GITHUB_OUTPUT"
+      - name: Check out repository
+        if: github.event_name == 'pull_request'
+        uses: actions/checkout@v6
+      - name: Determine changed files
+        id: changed-files
+        if: github.event_name == 'pull_request'
+        uses: ./.github/actions/changed-files
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          exclude: '["README.md"]'
+      - name: Run check because of changed files
+        id: changed-files-check
+        if: github.event_name != 'pull_request' && steps.changed-files.outputs.files != '[]'
+        run: echo "run-check=true" >> "$GITHUB_OUTPUT"
   config-export:
     strategy:
       fail-fast: false
@@ -44,7 +70,9 @@ jobs:
           - os: ubuntu-latest
             version: nightly-latest
     name: Config export
-    if: github.triggering_actor != 'dependabot[bot]'
+    needs:
+      - should-run-config-export
+    if: needs.should-run-config-export.outputs.run-check == 'true'
     permissions:
       contents: read
       security-events: read
@@ -70,7 +98,7 @@ jobs:
           output: '${{ runner.temp }}/results'
           upload-database: false
       - name: Upload SARIF
-        uses: actions/upload-artifact@v7
+        uses: actions/upload-artifact@v6
         with:
           name: config-export-${{ matrix.os }}-${{ matrix.version }}.sarif.json
           path: '${{ runner.temp }}/results/javascript.sarif'
@@ -103,3 +131,21 @@ jobs:
             core.info('Finished config export tests.');
     env:
       CODEQL_ACTION_TEST_MODE: true
+  skip-config-export:
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - os: ubuntu-latest
+            version: linked
+          - os: ubuntu-latest
+            version: nightly-latest
+    name: Config export
+    needs:
+      - should-run-config-export
+    if: needs.should-run-config-export.outputs.run-check != 'true'
+    timeout-minutes: 5
+    runs-on: ubuntu-slim
+    steps:
+      - name: Success
+        run: exit 0

.github/workflows/__config-input.yml

@@ -34,6 +34,32 @@ concurrency:
   cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
   group: config-input-${{github.ref}}
 jobs:
+  should-run-config-input:
+    name: Decide whether to run this check
+    timeout-minutes: 10
+    runs-on: ubuntu-slim
+    if: github.triggering_actor != 'dependabot[bot]'
+    outputs:
+      run-check: ${{ steps.changed-files-check.outputs.run-check || steps.event-type-check.outputs.run-check }}
+    steps:
+      - name: Run check if this is not a PR
+        id: event-type-check
+        if: github.event_name != 'pull_request'
+        run: echo "run-check=true" >> "$GITHUB_OUTPUT"
+      - name: Check out repository
+        if: github.event_name == 'pull_request'
+        uses: actions/checkout@v6
+      - name: Determine changed files
+        id: changed-files
+        if: github.event_name == 'pull_request'
+        uses: ./.github/actions/changed-files
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          exclude: '["README.md"]'
+      - name: Run check because of changed files
+        id: changed-files-check
+        if: github.event_name != 'pull_request' && steps.changed-files.outputs.files != '[]'
+        run: echo "run-check=true" >> "$GITHUB_OUTPUT"
   config-input:
     strategy:
       fail-fast: false
@@ -42,7 +68,9 @@ jobs:
           - os: ubuntu-latest
             version: linked
     name: Config input
-    if: github.triggering_actor != 'dependabot[bot]'
+    needs:
+      - should-run-config-input
+    if: needs.should-run-config-input.outputs.run-check == 'true'
     permissions:
       contents: read
       security-events: read
@@ -95,3 +123,19 @@ jobs:
           queries-not-run: javascript/codeql-action/default-setup-context-properties
     env:
       CODEQL_ACTION_TEST_MODE: true
+  skip-config-input:
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - os: ubuntu-latest
+            version: linked
+    name: Config input
+    needs:
+      - should-run-config-input
+    if: needs.should-run-config-input.outputs.run-check != 'true'
+    timeout-minutes: 5
+    runs-on: ubuntu-slim
+    steps:
+      - name: Success
+        run: exit 0

.github/workflows/__cpp-deptrace-disabled.yml

@@ -34,6 +34,32 @@ concurrency:
   cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
   group: cpp-deptrace-disabled-${{github.ref}}
 jobs:
+  should-run-cpp-deptrace-disabled:
+    name: Decide whether to run this check
+    timeout-minutes: 10
+    runs-on: ubuntu-slim
+    if: github.triggering_actor != 'dependabot[bot]'
+    outputs:
+      run-check: ${{ steps.changed-files-check.outputs.run-check || steps.event-type-check.outputs.run-check }}
+    steps:
+      - name: Run check if this is not a PR
+        id: event-type-check
+        if: github.event_name != 'pull_request'
+        run: echo "run-check=true" >> "$GITHUB_OUTPUT"
+      - name: Check out repository
+        if: github.event_name == 'pull_request'
+        uses: actions/checkout@v6
+      - name: Determine changed files
+        id: changed-files
+        if: github.event_name == 'pull_request'
+        uses: ./.github/actions/changed-files
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          exclude: '["README.md"]'
+      - name: Run check because of changed files
+        id: changed-files-check
+        if: github.event_name != 'pull_request' && steps.changed-files.outputs.files != '[]'
+        run: echo "run-check=true" >> "$GITHUB_OUTPUT"
   cpp-deptrace-disabled:
     strategy:
       fail-fast: false
@@ -46,7 +72,9 @@ jobs:
           - os: ubuntu-latest
             version: nightly-latest
     name: 'C/C++: disabling autoinstalling dependencies (Linux)'
-    if: github.triggering_actor != 'dependabot[bot]'
+    needs:
+      - should-run-cpp-deptrace-disabled
+    if: needs.should-run-cpp-deptrace-disabled.outputs.run-check == 'true'
     permissions:
       contents: read
       security-events: read
@@ -82,3 +110,23 @@ jobs:
     env:
       DOTNET_GENERATE_ASPNET_CERTIFICATE: 'false'
       CODEQL_ACTION_TEST_MODE: true
+  skip-cpp-deptrace-disabled:
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - os: ubuntu-latest
+            version: linked
+          - os: ubuntu-latest
+            version: default
+          - os: ubuntu-latest
+            version: nightly-latest
+    name: 'C/C++: disabling autoinstalling dependencies (Linux)'
+    needs:
+      - should-run-cpp-deptrace-disabled
+    if: needs.should-run-cpp-deptrace-disabled.outputs.run-check != 'true'
+    timeout-minutes: 5
+    runs-on: ubuntu-slim
+    steps:
+      - name: Success
+        run: exit 0

.github/workflows/__cpp-deptrace-enabled-on-macos.yml

@@ -34,6 +34,32 @@ concurrency:
   cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
   group: cpp-deptrace-enabled-on-macos-${{github.ref}}
 jobs:
+  should-run-cpp-deptrace-enabled-on-macos:
+    name: Decide whether to run this check
+    timeout-minutes: 10
+    runs-on: ubuntu-slim
+    if: github.triggering_actor != 'dependabot[bot]'
+    outputs:
+      run-check: ${{ steps.changed-files-check.outputs.run-check || steps.event-type-check.outputs.run-check }}
+    steps:
+      - name: Run check if this is not a PR
+        id: event-type-check
+        if: github.event_name != 'pull_request'
+        run: echo "run-check=true" >> "$GITHUB_OUTPUT"
+      - name: Check out repository
+        if: github.event_name == 'pull_request'
+        uses: actions/checkout@v6
+      - name: Determine changed files
+        id: changed-files
+        if: github.event_name == 'pull_request'
+        uses: ./.github/actions/changed-files
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          exclude: '["README.md"]'
+      - name: Run check because of changed files
+        id: changed-files-check
+        if: github.event_name != 'pull_request' && steps.changed-files.outputs.files != '[]'
+        run: echo "run-check=true" >> "$GITHUB_OUTPUT"
   cpp-deptrace-enabled-on-macos:
     strategy:
       fail-fast: false
@@ -44,7 +70,9 @@ jobs:
           - os: macos-latest
             version: nightly-latest
     name: 'C/C++: autoinstalling dependencies is skipped (macOS)'
-    if: github.triggering_actor != 'dependabot[bot]'
+    needs:
+      - should-run-cpp-deptrace-enabled-on-macos
+    if: needs.should-run-cpp-deptrace-enabled-on-macos.outputs.run-check == 'true'
     permissions:
       contents: read
       security-events: read
@@ -82,3 +110,21 @@ jobs:
     env:
       DOTNET_GENERATE_ASPNET_CERTIFICATE: 'false'
       CODEQL_ACTION_TEST_MODE: true
+  skip-cpp-deptrace-enabled-on-macos:
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - os: macos-latest
+            version: linked
+          - os: macos-latest
+            version: nightly-latest
+    name: 'C/C++: autoinstalling dependencies is skipped (macOS)'
+    needs:
+      - should-run-cpp-deptrace-enabled-on-macos
+    if: needs.should-run-cpp-deptrace-enabled-on-macos.outputs.run-check != 'true'
+    timeout-minutes: 5
+    runs-on: ubuntu-slim
+    steps:
+      - name: Success
+        run: exit 0

.github/workflows/__cpp-deptrace-enabled.yml

@@ -34,6 +34,32 @@ concurrency:
   cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
   group: cpp-deptrace-enabled-${{github.ref}}
 jobs:
+  should-run-cpp-deptrace-enabled:
+    name: Decide whether to run this check
+    timeout-minutes: 10
+    runs-on: ubuntu-slim
+    if: github.triggering_actor != 'dependabot[bot]'
+    outputs:
+      run-check: ${{ steps.changed-files-check.outputs.run-check || steps.event-type-check.outputs.run-check }}
+    steps:
+      - name: Run check if this is not a PR
+        id: event-type-check
+        if: github.event_name != 'pull_request'
+        run: echo "run-check=true" >> "$GITHUB_OUTPUT"
+      - name: Check out repository
+        if: github.event_name == 'pull_request'
+        uses: actions/checkout@v6
+      - name: Determine changed files
+        id: changed-files
+        if: github.event_name == 'pull_request'
+        uses: ./.github/actions/changed-files
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          exclude: '["README.md"]'
+      - name: Run check because of changed files
+        id: changed-files-check
+        if: github.event_name != 'pull_request' && steps.changed-files.outputs.files != '[]'
+        run: echo "run-check=true" >> "$GITHUB_OUTPUT"
   cpp-deptrace-enabled:
     strategy:
       fail-fast: false
@@ -46,7 +72,9 @@ jobs:
           - os: ubuntu-latest
             version: nightly-latest
     name: 'C/C++: autoinstalling dependencies (Linux)'
-    if: github.triggering_actor != 'dependabot[bot]'
+    needs:
+      - should-run-cpp-deptrace-enabled
+    if: needs.should-run-cpp-deptrace-enabled.outputs.run-check == 'true'
     permissions:
       contents: read
       security-events: read
@@ -82,3 +110,23 @@ jobs:
     env:
       DOTNET_GENERATE_ASPNET_CERTIFICATE: 'false'
       CODEQL_ACTION_TEST_MODE: true
+  skip-cpp-deptrace-enabled:
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - os: ubuntu-latest
+            version: linked
+          - os: ubuntu-latest
+            version: default
+          - os: ubuntu-latest
+            version: nightly-latest
+    name: 'C/C++: autoinstalling dependencies (Linux)'
+    needs:
+      - should-run-cpp-deptrace-enabled
+    if: needs.should-run-cpp-deptrace-enabled.outputs.run-check != 'true'
+    timeout-minutes: 5
+    runs-on: ubuntu-slim
+    steps:
+      - name: Success
+        run: exit 0

.github/workflows/__diagnostics-export.yml

@@ -34,6 +34,32 @@ concurrency:
   cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
   group: diagnostics-export-${{github.ref}}
 jobs:
+  should-run-diagnostics-export:
+    name: Decide whether to run this check
+    timeout-minutes: 10
+    runs-on: ubuntu-slim
+    if: github.triggering_actor != 'dependabot[bot]'
+    outputs:
+      run-check: ${{ steps.changed-files-check.outputs.run-check || steps.event-type-check.outputs.run-check }}
+    steps:
+      - name: Run check if this is not a PR
+        id: event-type-check
+        if: github.event_name != 'pull_request'
+        run: echo "run-check=true" >> "$GITHUB_OUTPUT"
+      - name: Check out repository
+        if: github.event_name == 'pull_request'
+        uses: actions/checkout@v6
+      - name: Determine changed files
+        id: changed-files
+        if: github.event_name == 'pull_request'
+        uses: ./.github/actions/changed-files
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          exclude: '["README.md"]'
+      - name: Run check because of changed files
+        id: changed-files-check
+        if: github.event_name != 'pull_request' && steps.changed-files.outputs.files != '[]'
+        run: echo "run-check=true" >> "$GITHUB_OUTPUT"
   diagnostics-export:
     strategy:
       fail-fast: false
@@ -44,7 +70,9 @@ jobs:
           - os: ubuntu-latest
             version: nightly-latest
     name: Diagnostic export
-    if: github.triggering_actor != 'dependabot[bot]'
+    needs:
+      - should-run-diagnostics-export
+    if: needs.should-run-diagnostics-export.outputs.run-check == 'true'
     permissions:
       contents: read
       security-events: read
@@ -81,7 +109,7 @@ jobs:
           output: '${{ runner.temp }}/results'
           upload-database: false
       - name: Upload SARIF
-        uses: actions/upload-artifact@v7
+        uses: actions/upload-artifact@v6
         with:
           name: diagnostics-export-${{ matrix.os }}-${{ matrix.version }}.sarif.json
           path: '${{ runner.temp }}/results/javascript.sarif'
@@ -139,3 +167,21 @@ jobs:
     env:
       CODEQL_ACTION_EXPORT_DIAGNOSTICS: true
       CODEQL_ACTION_TEST_MODE: true
+  skip-diagnostics-export:
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - os: ubuntu-latest
+            version: linked
+          - os: ubuntu-latest
+            version: nightly-latest
+    name: Diagnostic export
+    needs:
+      - should-run-diagnostics-export
+    if: needs.should-run-diagnostics-export.outputs.run-check != 'true'
+    timeout-minutes: 5
+    runs-on: ubuntu-slim
+    steps:
+      - name: Success
+        run: exit 0

.github/workflows/__export-file-baseline-information.yml

@@ -54,6 +54,32 @@ concurrency:
   cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
   group: export-file-baseline-information-${{github.ref}}-${{inputs.dotnet-version}}-${{inputs.go-version}}
 jobs:
+  should-run-export-file-baseline-information:
+    name: Decide whether to run this check
+    timeout-minutes: 10
+    runs-on: ubuntu-slim
+    if: github.triggering_actor != 'dependabot[bot]'
+    outputs:
+      run-check: ${{ steps.changed-files-check.outputs.run-check || steps.event-type-check.outputs.run-check }}
+    steps:
+      - name: Run check if this is not a PR
+        id: event-type-check
+        if: github.event_name != 'pull_request'
+        run: echo "run-check=true" >> "$GITHUB_OUTPUT"
+      - name: Check out repository
+        if: github.event_name == 'pull_request'
+        uses: actions/checkout@v6
+      - name: Determine changed files
+        id: changed-files
+        if: github.event_name == 'pull_request'
+        uses: ./.github/actions/changed-files
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          exclude: '["README.md"]'
+      - name: Run check because of changed files
+        id: changed-files-check
+        if: github.event_name != 'pull_request' && steps.changed-files.outputs.files != '[]'
+        run: echo "run-check=true" >> "$GITHUB_OUTPUT"
   export-file-baseline-information:
     strategy:
       fail-fast: false
@@ -66,7 +92,9 @@ jobs:
           - os: windows-latest
             version: nightly-latest
     name: Export file baseline information
-    if: github.triggering_actor != 'dependabot[bot]'
+    needs:
+      - should-run-export-file-baseline-information
+    if: needs.should-run-export-file-baseline-information.outputs.run-check == 'true'
     permissions:
       contents: read
       security-events: read
@@ -102,7 +130,7 @@ jobs:
         with:
           output: '${{ runner.temp }}/results'
       - name: Upload SARIF
-        uses: actions/upload-artifact@v7
+        uses: actions/upload-artifact@v6
         with:
           name: with-baseline-information-${{ matrix.os }}-${{ matrix.version }}.sarif.json
           path: '${{ runner.temp }}/results/javascript.sarif'
@@ -130,3 +158,23 @@ jobs:
       CODEQL_ACTION_SKIP_FILE_COVERAGE_ON_PRS: false
       CODEQL_ACTION_SUBLANGUAGE_FILE_COVERAGE: true
       CODEQL_ACTION_TEST_MODE: true
+  skip-export-file-baseline-information:
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - os: ubuntu-latest
+            version: nightly-latest
+          - os: macos-latest
+            version: nightly-latest
+          - os: windows-latest
+            version: nightly-latest
+    name: Export file baseline information
+    needs:
+      - should-run-export-file-baseline-information
+    if: needs.should-run-export-file-baseline-information.outputs.run-check != 'true'
+    timeout-minutes: 5
+    runs-on: ubuntu-slim
+    steps:
+      - name: Success
+        run: exit 0

.github/workflows/__extractor-ram-threads.yml

@@ -34,6 +34,32 @@ concurrency:
   cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
   group: extractor-ram-threads-${{github.ref}}
 jobs:
+  should-run-extractor-ram-threads:
+    name: Decide whether to run this check
+    timeout-minutes: 10
+    runs-on: ubuntu-slim
+    if: github.triggering_actor != 'dependabot[bot]'
+    outputs:
+      run-check: ${{ steps.changed-files-check.outputs.run-check || steps.event-type-check.outputs.run-check }}
+    steps:
+      - name: Run check if this is not a PR
+        id: event-type-check
+        if: github.event_name != 'pull_request'
+        run: echo "run-check=true" >> "$GITHUB_OUTPUT"
+      - name: Check out repository
+        if: github.event_name == 'pull_request'
+        uses: actions/checkout@v6
+      - name: Determine changed files
+        id: changed-files
+        if: github.event_name == 'pull_request'
+        uses: ./.github/actions/changed-files
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          exclude: '["README.md"]'
+      - name: Run check because of changed files
+        id: changed-files-check
+        if: github.event_name != 'pull_request' && steps.changed-files.outputs.files != '[]'
+        run: echo "run-check=true" >> "$GITHUB_OUTPUT"
   extractor-ram-threads:
     strategy:
       fail-fast: false
@@ -42,7 +68,9 @@ jobs:
           - os: ubuntu-latest
             version: linked
     name: Extractor ram and threads options test
-    if: github.triggering_actor != 'dependabot[bot]'
+    needs:
+      - should-run-extractor-ram-threads
+    if: needs.should-run-extractor-ram-threads.outputs.run-check == 'true'
     permissions:
       contents: read
       security-events: read
@@ -83,3 +111,19 @@ jobs:
           fi
     env:
       CODEQL_ACTION_TEST_MODE: true
+  skip-extractor-ram-threads:
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - os: ubuntu-latest
+            version: linked
+    name: Extractor ram and threads options test
+    needs:
+      - should-run-extractor-ram-threads
+    if: needs.should-run-extractor-ram-threads.outputs.run-check != 'true'
+    timeout-minutes: 5
+    runs-on: ubuntu-slim
+    steps:
+      - name: Success
+        run: exit 0

.github/workflows/__global-proxy.yml

@@ -34,6 +34,32 @@ concurrency:
   cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
   group: global-proxy-${{github.ref}}
 jobs:
+  should-run-global-proxy:
+    name: Decide whether to run this check
+    timeout-minutes: 10
+    runs-on: ubuntu-slim
+    if: github.triggering_actor != 'dependabot[bot]'
+    outputs:
+      run-check: ${{ steps.changed-files-check.outputs.run-check || steps.event-type-check.outputs.run-check }}
+    steps:
+      - name: Run check if this is not a PR
+        id: event-type-check
+        if: github.event_name != 'pull_request'
+        run: echo "run-check=true" >> "$GITHUB_OUTPUT"
+      - name: Check out repository
+        if: github.event_name == 'pull_request'
+        uses: actions/checkout@v6
+      - name: Determine changed files
+        id: changed-files
+        if: github.event_name == 'pull_request'
+        uses: ./.github/actions/changed-files
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          exclude: '["README.md"]'
+      - name: Run check because of changed files
+        id: changed-files-check
+        if: github.event_name != 'pull_request' && steps.changed-files.outputs.files != '[]'
+        run: echo "run-check=true" >> "$GITHUB_OUTPUT"
   global-proxy:
     strategy:
       fail-fast: false
@@ -44,7 +70,9 @@ jobs:
           - os: ubuntu-latest
             version: nightly-latest
     name: Proxy test
-    if: github.triggering_actor != 'dependabot[bot]'
+    needs:
+      - should-run-global-proxy
+    if: needs.should-run-global-proxy.outputs.run-check == 'true'
     permissions:
       contents: read
       security-events: read
@@ -76,3 +104,21 @@ jobs:
         image: ubuntu/squid:latest
         ports:
           - 3128:3128
+  skip-global-proxy:
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - os: ubuntu-latest
+            version: linked
+          - os: ubuntu-latest
+            version: nightly-latest
+    name: Proxy test
+    needs:
+      - should-run-global-proxy
+    if: needs.should-run-global-proxy.outputs.run-check != 'true'
+    timeout-minutes: 5
+    runs-on: ubuntu-slim
+    steps:
+      - name: Success
+        run: exit 0

.github/workflows/__go-custom-queries.yml

@@ -54,6 +54,32 @@ concurrency:
   cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
   group: go-custom-queries-${{github.ref}}-${{inputs.dotnet-version}}-${{inputs.go-version}}
 jobs:
+  should-run-go-custom-queries:
+    name: Decide whether to run this check
+    timeout-minutes: 10
+    runs-on: ubuntu-slim
+    if: github.triggering_actor != 'dependabot[bot]'
+    outputs:
+      run-check: ${{ steps.changed-files-check.outputs.run-check || steps.event-type-check.outputs.run-check }}
+    steps:
+      - name: Run check if this is not a PR
+        id: event-type-check
+        if: github.event_name != 'pull_request'
+        run: echo "run-check=true" >> "$GITHUB_OUTPUT"
+      - name: Check out repository
+        if: github.event_name == 'pull_request'
+        uses: actions/checkout@v6
+      - name: Determine changed files
+        id: changed-files
+        if: github.event_name == 'pull_request'
+        uses: ./.github/actions/changed-files
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          exclude: '["README.md"]'
+      - name: Run check because of changed files
+        id: changed-files-check
+        if: github.event_name != 'pull_request' && steps.changed-files.outputs.files != '[]'
+        run: echo "run-check=true" >> "$GITHUB_OUTPUT"
   go-custom-queries:
     strategy:
       fail-fast: false
@@ -64,7 +90,9 @@ jobs:
           - os: ubuntu-latest
             version: nightly-latest
     name: 'Go: Custom queries'
-    if: github.triggering_actor != 'dependabot[bot]'
+    needs:
+      - should-run-go-custom-queries
+    if: needs.should-run-go-custom-queries.outputs.run-check == 'true'
     permissions:
       contents: read
       security-events: read
@@ -100,3 +128,21 @@ jobs:
     env:
       DOTNET_GENERATE_ASPNET_CERTIFICATE: 'false'
       CODEQL_ACTION_TEST_MODE: true
+  skip-go-custom-queries:
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - os: ubuntu-latest
+            version: linked
+          - os: ubuntu-latest
+            version: nightly-latest
+    name: 'Go: Custom queries'
+    needs:
+      - should-run-go-custom-queries
+    if: needs.should-run-go-custom-queries.outputs.run-check != 'true'
+    timeout-minutes: 5
+    runs-on: ubuntu-slim
+    steps:
+      - name: Success
+        run: exit 0

.github/workflows/__go-indirect-tracing-workaround-diagnostic.yml

@@ -44,6 +44,32 @@ concurrency:
   cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
   group: go-indirect-tracing-workaround-diagnostic-${{github.ref}}-${{inputs.go-version}}
 jobs:
+  should-run-go-indirect-tracing-workaround-diagnostic:
+    name: Decide whether to run this check
+    timeout-minutes: 10
+    runs-on: ubuntu-slim
+    if: github.triggering_actor != 'dependabot[bot]'
+    outputs:
+      run-check: ${{ steps.changed-files-check.outputs.run-check || steps.event-type-check.outputs.run-check }}
+    steps:
+      - name: Run check if this is not a PR
+        id: event-type-check
+        if: github.event_name != 'pull_request'
+        run: echo "run-check=true" >> "$GITHUB_OUTPUT"
+      - name: Check out repository
+        if: github.event_name == 'pull_request'
+        uses: actions/checkout@v6
+      - name: Determine changed files
+        id: changed-files
+        if: github.event_name == 'pull_request'
+        uses: ./.github/actions/changed-files
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          exclude: '["README.md"]'
+      - name: Run check because of changed files
+        id: changed-files-check
+        if: github.event_name != 'pull_request' && steps.changed-files.outputs.files != '[]'
+        run: echo "run-check=true" >> "$GITHUB_OUTPUT"
   go-indirect-tracing-workaround-diagnostic:
     strategy:
       fail-fast: false
@@ -52,7 +78,9 @@ jobs:
           - os: ubuntu-latest
             version: default
     name: 'Go: diagnostic when Go is changed after init step'
-    if: github.triggering_actor != 'dependabot[bot]'
+    needs:
+      - should-run-go-indirect-tracing-workaround-diagnostic
+    if: needs.should-run-go-indirect-tracing-workaround-diagnostic.outputs.run-check == 'true'
     permissions:
       contents: read
       security-events: read
@@ -112,3 +140,19 @@ jobs:
             }
     env:
       CODEQL_ACTION_TEST_MODE: true
+  skip-go-indirect-tracing-workaround-diagnostic:
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - os: ubuntu-latest
+            version: default
+    name: 'Go: diagnostic when Go is changed after init step'
+    needs:
+      - should-run-go-indirect-tracing-workaround-diagnostic
+    if: needs.should-run-go-indirect-tracing-workaround-diagnostic.outputs.run-check != 'true'
+    timeout-minutes: 5
+    runs-on: ubuntu-slim
+    steps:
+      - name: Success
+        run: exit 0

.github/workflows/__go-indirect-tracing-workaround-no-file-program.yml

@@ -44,6 +44,32 @@ concurrency:
   cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
   group: go-indirect-tracing-workaround-no-file-program-${{github.ref}}-${{inputs.go-version}}
 jobs:
+  should-run-go-indirect-tracing-workaround-no-file-program:
+    name: Decide whether to run this check
+    timeout-minutes: 10
+    runs-on: ubuntu-slim
+    if: github.triggering_actor != 'dependabot[bot]'
+    outputs:
+      run-check: ${{ steps.changed-files-check.outputs.run-check || steps.event-type-check.outputs.run-check }}
+    steps:
+      - name: Run check if this is not a PR
+        id: event-type-check
+        if: github.event_name != 'pull_request'
+        run: echo "run-check=true" >> "$GITHUB_OUTPUT"
+      - name: Check out repository
+        if: github.event_name == 'pull_request'
+        uses: actions/checkout@v6
+      - name: Determine changed files
+        id: changed-files
+        if: github.event_name == 'pull_request'
+        uses: ./.github/actions/changed-files
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          exclude: '["README.md"]'
+      - name: Run check because of changed files
+        id: changed-files-check
+        if: github.event_name != 'pull_request' && steps.changed-files.outputs.files != '[]'
+        run: echo "run-check=true" >> "$GITHUB_OUTPUT"
   go-indirect-tracing-workaround-no-file-program:
     strategy:
       fail-fast: false
@@ -52,7 +78,9 @@ jobs:
           - os: ubuntu-latest
             version: default
     name: 'Go: diagnostic when `file` is not installed'
-    if: github.triggering_actor != 'dependabot[bot]'
+    needs:
+      - should-run-go-indirect-tracing-workaround-no-file-program
+    if: needs.should-run-go-indirect-tracing-workaround-no-file-program.outputs.run-check == 'true'
     permissions:
       contents: read
       security-events: read
@@ -113,3 +141,19 @@ jobs:
             }
     env:
       CODEQL_ACTION_TEST_MODE: true
+  skip-go-indirect-tracing-workaround-no-file-program:
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - os: ubuntu-latest
+            version: default
+    name: 'Go: diagnostic when `file` is not installed'
+    needs:
+      - should-run-go-indirect-tracing-workaround-no-file-program
+    if: needs.should-run-go-indirect-tracing-workaround-no-file-program.outputs.run-check != 'true'
+    timeout-minutes: 5
+    runs-on: ubuntu-slim
+    steps:
+      - name: Success
+        run: exit 0

.github/workflows/__go-indirect-tracing-workaround.yml

@@ -44,6 +44,32 @@ concurrency:
   cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
   group: go-indirect-tracing-workaround-${{github.ref}}-${{inputs.go-version}}
 jobs:
+  should-run-go-indirect-tracing-workaround:
+    name: Decide whether to run this check
+    timeout-minutes: 10
+    runs-on: ubuntu-slim
+    if: github.triggering_actor != 'dependabot[bot]'
+    outputs:
+      run-check: ${{ steps.changed-files-check.outputs.run-check || steps.event-type-check.outputs.run-check }}
+    steps:
+      - name: Run check if this is not a PR
+        id: event-type-check
+        if: github.event_name != 'pull_request'
+        run: echo "run-check=true" >> "$GITHUB_OUTPUT"
+      - name: Check out repository
+        if: github.event_name == 'pull_request'
+        uses: actions/checkout@v6
+      - name: Determine changed files
+        id: changed-files
+        if: github.event_name == 'pull_request'
+        uses: ./.github/actions/changed-files
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          exclude: '["README.md"]'
+      - name: Run check because of changed files
+        id: changed-files-check
+        if: github.event_name != 'pull_request' && steps.changed-files.outputs.files != '[]'
+        run: echo "run-check=true" >> "$GITHUB_OUTPUT"
   go-indirect-tracing-workaround:
     strategy:
       fail-fast: false
@@ -52,7 +78,9 @@ jobs:
           - os: ubuntu-latest
             version: default
     name: 'Go: workaround for indirect tracing'
-    if: github.triggering_actor != 'dependabot[bot]'
+    needs:
+      - should-run-go-indirect-tracing-workaround
+    if: needs.should-run-go-indirect-tracing-workaround.outputs.run-check == 'true'
     permissions:
       contents: read
       security-events: read
@@ -107,3 +135,19 @@ jobs:
           fi
     env:
       CODEQL_ACTION_TEST_MODE: true
+  skip-go-indirect-tracing-workaround:
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - os: ubuntu-latest
+            version: default
+    name: 'Go: workaround for indirect tracing'
+    needs:
+      - should-run-go-indirect-tracing-workaround
+    if: needs.should-run-go-indirect-tracing-workaround.outputs.run-check != 'true'
+    timeout-minutes: 5
+    runs-on: ubuntu-slim
+    steps:
+      - name: Success
+        run: exit 0

.github/workflows/__go-tracing-autobuilder.yml

@@ -44,6 +44,32 @@ concurrency:
   cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
   group: go-tracing-autobuilder-${{github.ref}}-${{inputs.go-version}}
 jobs:
+  should-run-go-tracing-autobuilder:
+    name: Decide whether to run this check
+    timeout-minutes: 10
+    runs-on: ubuntu-slim
+    if: github.triggering_actor != 'dependabot[bot]'
+    outputs:
+      run-check: ${{ steps.changed-files-check.outputs.run-check || steps.event-type-check.outputs.run-check }}
+    steps:
+      - name: Run check if this is not a PR
+        id: event-type-check
+        if: github.event_name != 'pull_request'
+        run: echo "run-check=true" >> "$GITHUB_OUTPUT"
+      - name: Check out repository
+        if: github.event_name == 'pull_request'
+        uses: actions/checkout@v6
+      - name: Determine changed files
+        id: changed-files
+        if: github.event_name == 'pull_request'
+        uses: ./.github/actions/changed-files
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          exclude: '["README.md"]'
+      - name: Run check because of changed files
+        id: changed-files-check
+        if: github.event_name != 'pull_request' && steps.changed-files.outputs.files != '[]'
+        run: echo "run-check=true" >> "$GITHUB_OUTPUT"
   go-tracing-autobuilder:
     strategy:
       fail-fast: false
@@ -51,18 +77,32 @@ jobs:
         include:
           - os: ubuntu-latest
             version: stable-v2.17.6
+          - os: macos-latest
+            version: stable-v2.17.6
           - os: ubuntu-latest
             version: stable-v2.18.4
+          - os: macos-latest
+            version: stable-v2.18.4
           - os: ubuntu-latest
             version: stable-v2.19.4
+          - os: macos-latest
+            version: stable-v2.19.4
           - os: ubuntu-latest
             version: stable-v2.20.7
+          - os: macos-latest
+            version: stable-v2.20.7
           - os: ubuntu-latest
             version: stable-v2.21.4
+          - os: macos-latest
+            version: stable-v2.21.4
           - os: ubuntu-latest
             version: stable-v2.22.4
+          - os: macos-latest
+            version: stable-v2.22.4
           - os: ubuntu-latest
             version: default
+          - os: macos-latest
+            version: default
           - os: ubuntu-latest
             version: linked
           - os: macos-latest
@@ -72,7 +112,9 @@ jobs:
           - os: macos-latest
             version: nightly-latest
     name: 'Go: tracing with autobuilder step'
-    if: github.triggering_actor != 'dependabot[bot]'
+    needs:
+      - should-run-go-tracing-autobuilder
+    if: needs.should-run-go-tracing-autobuilder.outputs.run-check == 'true'
     permissions:
       contents: read
       security-events: read
@@ -113,3 +155,53 @@ jobs:
     env:
       DOTNET_GENERATE_ASPNET_CERTIFICATE: 'false'
       CODEQL_ACTION_TEST_MODE: true
+  skip-go-tracing-autobuilder:
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - os: ubuntu-latest
+            version: stable-v2.17.6
+          - os: macos-latest
+            version: stable-v2.17.6
+          - os: ubuntu-latest
+            version: stable-v2.18.4
+          - os: macos-latest
+            version: stable-v2.18.4
+          - os: ubuntu-latest
+            version: stable-v2.19.4
+          - os: macos-latest
+            version: stable-v2.19.4
+          - os: ubuntu-latest
+            version: stable-v2.20.7
+          - os: macos-latest
+            version: stable-v2.20.7
+          - os: ubuntu-latest
+            version: stable-v2.21.4
+          - os: macos-latest
+            version: stable-v2.21.4
+          - os: ubuntu-latest
+            version: stable-v2.22.4
+          - os: macos-latest
+            version: stable-v2.22.4
+          - os: ubuntu-latest
+            version: default
+          - os: macos-latest
+            version: default
+          - os: ubuntu-latest
+            version: linked
+          - os: macos-latest
+            version: linked
+          - os: ubuntu-latest
+            version: nightly-latest
+          - os: macos-latest
+            version: nightly-latest
+    name: 'Go: tracing with autobuilder step'
+    needs:
+      - should-run-go-tracing-autobuilder
+    if: needs.should-run-go-tracing-autobuilder.outputs.run-check != 'true'
+    timeout-minutes: 5
+    runs-on: ubuntu-slim
+    steps:
+      - name: Success
+        run: exit 0

.github/workflows/__go-tracing-custom-build-steps.yml

@@ -44,6 +44,32 @@ concurrency:
   cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
   group: go-tracing-custom-build-steps-${{github.ref}}-${{inputs.go-version}}
 jobs:
+  should-run-go-tracing-custom-build-steps:
+    name: Decide whether to run this check
+    timeout-minutes: 10
+    runs-on: ubuntu-slim
+    if: github.triggering_actor != 'dependabot[bot]'
+    outputs:
+      run-check: ${{ steps.changed-files-check.outputs.run-check || steps.event-type-check.outputs.run-check }}
+    steps:
+      - name: Run check if this is not a PR
+        id: event-type-check
+        if: github.event_name != 'pull_request'
+        run: echo "run-check=true" >> "$GITHUB_OUTPUT"
+      - name: Check out repository
+        if: github.event_name == 'pull_request'
+        uses: actions/checkout@v6
+      - name: Determine changed files
+        id: changed-files
+        if: github.event_name == 'pull_request'
+        uses: ./.github/actions/changed-files
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          exclude: '["README.md"]'
+      - name: Run check because of changed files
+        id: changed-files-check
+        if: github.event_name != 'pull_request' && steps.changed-files.outputs.files != '[]'
+        run: echo "run-check=true" >> "$GITHUB_OUTPUT"
   go-tracing-custom-build-steps:
     strategy:
       fail-fast: false
@@ -51,18 +77,32 @@ jobs:
         include:
           - os: ubuntu-latest
             version: stable-v2.17.6
+          - os: macos-latest
+            version: stable-v2.17.6
           - os: ubuntu-latest
             version: stable-v2.18.4
+          - os: macos-latest
+            version: stable-v2.18.4
           - os: ubuntu-latest
             version: stable-v2.19.4
+          - os: macos-latest
+            version: stable-v2.19.4
           - os: ubuntu-latest
             version: stable-v2.20.7
+          - os: macos-latest
+            version: stable-v2.20.7
           - os: ubuntu-latest
             version: stable-v2.21.4
+          - os: macos-latest
+            version: stable-v2.21.4
           - os: ubuntu-latest
             version: stable-v2.22.4
+          - os: macos-latest
+            version: stable-v2.22.4
           - os: ubuntu-latest
             version: default
+          - os: macos-latest
+            version: default
           - os: ubuntu-latest
             version: linked
           - os: macos-latest
@@ -72,7 +112,9 @@ jobs:
           - os: macos-latest
             version: nightly-latest
     name: 'Go: tracing with custom build steps'
-    if: github.triggering_actor != 'dependabot[bot]'
+    needs:
+      - should-run-go-tracing-custom-build-steps
+    if: needs.should-run-go-tracing-custom-build-steps.outputs.run-check == 'true'
     permissions:
       contents: read
       security-events: read
@@ -116,3 +158,53 @@ jobs:
           fi
     env:
       CODEQL_ACTION_TEST_MODE: true
+  skip-go-tracing-custom-build-steps:
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - os: ubuntu-latest
+            version: stable-v2.17.6
+          - os: macos-latest
+            version: stable-v2.17.6
+          - os: ubuntu-latest
+            version: stable-v2.18.4
+          - os: macos-latest
+            version: stable-v2.18.4
+          - os: ubuntu-latest
+            version: stable-v2.19.4
+          - os: macos-latest
+            version: stable-v2.19.4
+          - os: ubuntu-latest
+            version: stable-v2.20.7
+          - os: macos-latest
+            version: stable-v2.20.7
+          - os: ubuntu-latest
+            version: stable-v2.21.4
+          - os: macos-latest
+            version: stable-v2.21.4
+          - os: ubuntu-latest
+            version: stable-v2.22.4
+          - os: macos-latest
+            version: stable-v2.22.4
+          - os: ubuntu-latest
+            version: default
+          - os: macos-latest
+            version: default
+          - os: ubuntu-latest
+            version: linked
+          - os: macos-latest
+            version: linked
+          - os: ubuntu-latest
+            version: nightly-latest
+          - os: macos-latest
+            version: nightly-latest
+    name: 'Go: tracing with custom build steps'
+    needs:
+      - should-run-go-tracing-custom-build-steps
+    if: needs.should-run-go-tracing-custom-build-steps.outputs.run-check != 'true'
+    timeout-minutes: 5
+    runs-on: ubuntu-slim
+    steps:
+      - name: Success
+        run: exit 0

.github/workflows/__go-tracing-legacy-workflow.yml

@@ -44,6 +44,32 @@ concurrency:
   cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
   group: go-tracing-legacy-workflow-${{github.ref}}-${{inputs.go-version}}
 jobs:
+  should-run-go-tracing-legacy-workflow:
+    name: Decide whether to run this check
+    timeout-minutes: 10
+    runs-on: ubuntu-slim
+    if: github.triggering_actor != 'dependabot[bot]'
+    outputs:
+      run-check: ${{ steps.changed-files-check.outputs.run-check || steps.event-type-check.outputs.run-check }}
+    steps:
+      - name: Run check if this is not a PR
+        id: event-type-check
+        if: github.event_name != 'pull_request'
+        run: echo "run-check=true" >> "$GITHUB_OUTPUT"
+      - name: Check out repository
+        if: github.event_name == 'pull_request'
+        uses: actions/checkout@v6
+      - name: Determine changed files
+        id: changed-files
+        if: github.event_name == 'pull_request'
+        uses: ./.github/actions/changed-files
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          exclude: '["README.md"]'
+      - name: Run check because of changed files
+        id: changed-files-check
+        if: github.event_name != 'pull_request' && steps.changed-files.outputs.files != '[]'
+        run: echo "run-check=true" >> "$GITHUB_OUTPUT"
   go-tracing-legacy-workflow:
     strategy:
       fail-fast: false
@@ -51,18 +77,32 @@ jobs:
         include:
           - os: ubuntu-latest
             version: stable-v2.17.6
+          - os: macos-latest
+            version: stable-v2.17.6
           - os: ubuntu-latest
             version: stable-v2.18.4
+          - os: macos-latest
+            version: stable-v2.18.4
           - os: ubuntu-latest
             version: stable-v2.19.4
+          - os: macos-latest
+            version: stable-v2.19.4
           - os: ubuntu-latest
             version: stable-v2.20.7
+          - os: macos-latest
+            version: stable-v2.20.7
           - os: ubuntu-latest
             version: stable-v2.21.4
+          - os: macos-latest
+            version: stable-v2.21.4
           - os: ubuntu-latest
             version: stable-v2.22.4
+          - os: macos-latest
+            version: stable-v2.22.4
           - os: ubuntu-latest
             version: default
+          - os: macos-latest
+            version: default
           - os: ubuntu-latest
             version: linked
           - os: macos-latest
@@ -72,7 +112,9 @@ jobs:
           - os: macos-latest
             version: nightly-latest
     name: 'Go: tracing with legacy workflow'
-    if: github.triggering_actor != 'dependabot[bot]'
+    needs:
+      - should-run-go-tracing-legacy-workflow
+    if: needs.should-run-go-tracing-legacy-workflow.outputs.run-check == 'true'
     permissions:
       contents: read
       security-events: read
@@ -107,3 +149,53 @@ jobs:
     env:
       DOTNET_GENERATE_ASPNET_CERTIFICATE: 'false'
       CODEQL_ACTION_TEST_MODE: true
+  skip-go-tracing-legacy-workflow:
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - os: ubuntu-latest
+            version: stable-v2.17.6
+          - os: macos-latest
+            version: stable-v2.17.6
+          - os: ubuntu-latest
+            version: stable-v2.18.4
+          - os: macos-latest
+            version: stable-v2.18.4
+          - os: ubuntu-latest
+            version: stable-v2.19.4
+          - os: macos-latest
+            version: stable-v2.19.4
+          - os: ubuntu-latest
+            version: stable-v2.20.7
+          - os: macos-latest
+            version: stable-v2.20.7
+          - os: ubuntu-latest
+            version: stable-v2.21.4
+          - os: macos-latest
+            version: stable-v2.21.4
+          - os: ubuntu-latest
+            version: stable-v2.22.4
+          - os: macos-latest
+            version: stable-v2.22.4
+          - os: ubuntu-latest
+            version: default
+          - os: macos-latest
+            version: default
+          - os: ubuntu-latest
+            version: linked
+          - os: macos-latest
+            version: linked
+          - os: ubuntu-latest
+            version: nightly-latest
+          - os: macos-latest
+            version: nightly-latest
+    name: 'Go: tracing with legacy workflow'
+    needs:
+      - should-run-go-tracing-legacy-workflow
+    if: needs.should-run-go-tracing-legacy-workflow.outputs.run-check != 'true'
+    timeout-minutes: 5
+    runs-on: ubuntu-slim
+    steps:
+      - name: Success
+        run: exit 0

.github/workflows/__init-with-registries.yml

@@ -34,6 +34,32 @@ concurrency:
   cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
   group: init-with-registries-${{github.ref}}
 jobs:
+  should-run-init-with-registries:
+    name: Decide whether to run this check
+    timeout-minutes: 10
+    runs-on: ubuntu-slim
+    if: github.triggering_actor != 'dependabot[bot]'
+    outputs:
+      run-check: ${{ steps.changed-files-check.outputs.run-check || steps.event-type-check.outputs.run-check }}
+    steps:
+      - name: Run check if this is not a PR
+        id: event-type-check
+        if: github.event_name != 'pull_request'
+        run: echo "run-check=true" >> "$GITHUB_OUTPUT"
+      - name: Check out repository
+        if: github.event_name == 'pull_request'
+        uses: actions/checkout@v6
+      - name: Determine changed files
+        id: changed-files
+        if: github.event_name == 'pull_request'
+        uses: ./.github/actions/changed-files
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          exclude: '["README.md"]'
+      - name: Run check because of changed files
+        id: changed-files-check
+        if: github.event_name != 'pull_request' && steps.changed-files.outputs.files != '[]'
+        run: echo "run-check=true" >> "$GITHUB_OUTPUT"
   init-with-registries:
     strategy:
       fail-fast: false
@@ -46,7 +72,9 @@ jobs:
           - os: ubuntu-latest
             version: nightly-latest
     name: 'Packaging: Download using registries'
-    if: github.triggering_actor != 'dependabot[bot]'
+    needs:
+      - should-run-init-with-registries
+    if: needs.should-run-init-with-registries.outputs.run-check == 'true'
     permissions:
       contents: read
       packages: read
@@ -122,3 +150,23 @@ jobs:
           fi
     env:
       CODEQL_ACTION_TEST_MODE: true
+  skip-init-with-registries:
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - os: ubuntu-latest
+            version: default
+          - os: ubuntu-latest
+            version: linked
+          - os: ubuntu-latest
+            version: nightly-latest
+    name: 'Packaging: Download using registries'
+    needs:
+      - should-run-init-with-registries
+    if: needs.should-run-init-with-registries.outputs.run-check != 'true'
+    timeout-minutes: 5
+    runs-on: ubuntu-slim
+    steps:
+      - name: Success
+        run: exit 0

.github/workflows/__javascript-source-root.yml

@@ -34,6 +34,32 @@ concurrency:
   cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
   group: javascript-source-root-${{github.ref}}
 jobs:
+  should-run-javascript-source-root:
+    name: Decide whether to run this check
+    timeout-minutes: 10
+    runs-on: ubuntu-slim
+    if: github.triggering_actor != 'dependabot[bot]'
+    outputs:
+      run-check: ${{ steps.changed-files-check.outputs.run-check || steps.event-type-check.outputs.run-check }}
+    steps:
+      - name: Run check if this is not a PR
+        id: event-type-check
+        if: github.event_name != 'pull_request'
+        run: echo "run-check=true" >> "$GITHUB_OUTPUT"
+      - name: Check out repository
+        if: github.event_name == 'pull_request'
+        uses: actions/checkout@v6
+      - name: Determine changed files
+        id: changed-files
+        if: github.event_name == 'pull_request'
+        uses: ./.github/actions/changed-files
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          exclude: '["README.md"]'
+      - name: Run check because of changed files
+        id: changed-files-check
+        if: github.event_name != 'pull_request' && steps.changed-files.outputs.files != '[]'
+        run: echo "run-check=true" >> "$GITHUB_OUTPUT"
   javascript-source-root:
     strategy:
       fail-fast: false
@@ -46,7 +72,9 @@ jobs:
           - os: ubuntu-latest
             version: nightly-latest
     name: Custom source root
-    if: github.triggering_actor != 'dependabot[bot]'
+    needs:
+      - should-run-javascript-source-root
+    if: needs.should-run-javascript-source-root.outputs.run-check == 'true'
     permissions:
       contents: read
       security-events: read
@@ -83,3 +111,23 @@ jobs:
           fi
     env:
       CODEQL_ACTION_TEST_MODE: true
+  skip-javascript-source-root:
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - os: ubuntu-latest
+            version: linked
+          - os: ubuntu-latest
+            version: default
+          - os: ubuntu-latest
+            version: nightly-latest
+    name: Custom source root
+    needs:
+      - should-run-javascript-source-root
+    if: needs.should-run-javascript-source-root.outputs.run-check != 'true'
+    timeout-minutes: 5
+    runs-on: ubuntu-slim
+    steps:
+      - name: Success
+        run: exit 0

.github/workflows/__job-run-uuid-sarif.yml

@@ -34,6 +34,32 @@ concurrency:
   cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
   group: job-run-uuid-sarif-${{github.ref}}
 jobs:
+  should-run-job-run-uuid-sarif:
+    name: Decide whether to run this check
+    timeout-minutes: 10
+    runs-on: ubuntu-slim
+    if: github.triggering_actor != 'dependabot[bot]'
+    outputs:
+      run-check: ${{ steps.changed-files-check.outputs.run-check || steps.event-type-check.outputs.run-check }}
+    steps:
+      - name: Run check if this is not a PR
+        id: event-type-check
+        if: github.event_name != 'pull_request'
+        run: echo "run-check=true" >> "$GITHUB_OUTPUT"
+      - name: Check out repository
+        if: github.event_name == 'pull_request'
+        uses: actions/checkout@v6
+      - name: Determine changed files
+        id: changed-files
+        if: github.event_name == 'pull_request'
+        uses: ./.github/actions/changed-files
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          exclude: '["README.md"]'
+      - name: Run check because of changed files
+        id: changed-files-check
+        if: github.event_name != 'pull_request' && steps.changed-files.outputs.files != '[]'
+        run: echo "run-check=true" >> "$GITHUB_OUTPUT"
   job-run-uuid-sarif:
     strategy:
       fail-fast: false
@@ -42,7 +68,9 @@ jobs:
           - os: ubuntu-latest
             version: nightly-latest
     name: Job run UUID added to SARIF
-    if: github.triggering_actor != 'dependabot[bot]'
+    needs:
+      - should-run-job-run-uuid-sarif
+    if: needs.should-run-job-run-uuid-sarif.outputs.run-check == 'true'
     permissions:
       contents: read
       security-events: read
@@ -67,7 +95,7 @@ jobs:
         with:
           output: '${{ runner.temp }}/results'
       - name: Upload SARIF
-        uses: actions/upload-artifact@v7
+        uses: actions/upload-artifact@v6
         with:
           name: ${{ matrix.os }}-${{ matrix.version }}.sarif.json
           path: '${{ runner.temp }}/results/javascript.sarif'
@@ -84,3 +112,19 @@ jobs:
           fi
     env:
       CODEQL_ACTION_TEST_MODE: true
+  skip-job-run-uuid-sarif:
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - os: ubuntu-latest
+            version: nightly-latest
+    name: Job run UUID added to SARIF
+    needs:
+      - should-run-job-run-uuid-sarif
+    if: needs.should-run-job-run-uuid-sarif.outputs.run-check != 'true'
+    timeout-minutes: 5
+    runs-on: ubuntu-slim
+    steps:
+      - name: Success
+        run: exit 0

.github/workflows/__language-aliases.yml

@@ -34,6 +34,32 @@ concurrency:
   cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
   group: language-aliases-${{github.ref}}
 jobs:
+  should-run-language-aliases:
+    name: Decide whether to run this check
+    timeout-minutes: 10
+    runs-on: ubuntu-slim
+    if: github.triggering_actor != 'dependabot[bot]'
+    outputs:
+      run-check: ${{ steps.changed-files-check.outputs.run-check || steps.event-type-check.outputs.run-check }}
+    steps:
+      - name: Run check if this is not a PR
+        id: event-type-check
+        if: github.event_name != 'pull_request'
+        run: echo "run-check=true" >> "$GITHUB_OUTPUT"
+      - name: Check out repository
+        if: github.event_name == 'pull_request'
+        uses: actions/checkout@v6
+      - name: Determine changed files
+        id: changed-files
+        if: github.event_name == 'pull_request'
+        uses: ./.github/actions/changed-files
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          exclude: '["README.md"]'
+      - name: Run check because of changed files
+        id: changed-files-check
+        if: github.event_name != 'pull_request' && steps.changed-files.outputs.files != '[]'
+        run: echo "run-check=true" >> "$GITHUB_OUTPUT"
   language-aliases:
     strategy:
       fail-fast: false
@@ -42,7 +68,9 @@ jobs:
           - os: ubuntu-latest
             version: linked
     name: Language aliases
-    if: github.triggering_actor != 'dependabot[bot]'
+    needs:
+      - should-run-language-aliases
+    if: needs.should-run-language-aliases.outputs.run-check == 'true'
     permissions:
       contents: read
       security-events: read
@@ -60,12 +88,12 @@ jobs:
           setup-kotlin: 'true'
       - uses: ./../action/init
         with:
-          languages: C#,java-kotlin,typescript
+          languages: C#,java-kotlin,swift,typescript
           tools: ${{ steps.prepare-test.outputs.tools-url }}
 
       - name: 'Check languages'
         run: |
-          expected_languages="csharp,java,javascript"
+          expected_languages="csharp,java,swift,javascript"
           actual_languages=$(jq -r '.languages | join(",")' "$RUNNER_TEMP"/config)
 
           if [ "$expected_languages" != "$actual_languages" ]; then
@@ -75,3 +103,19 @@ jobs:
           fi
     env:
       CODEQL_ACTION_TEST_MODE: true
+  skip-language-aliases:
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - os: ubuntu-latest
+            version: linked
+    name: Language aliases
+    needs:
+      - should-run-language-aliases
+    if: needs.should-run-language-aliases.outputs.run-check != 'true'
+    timeout-minutes: 5
+    runs-on: ubuntu-slim
+    steps:
+      - name: Success
+        run: exit 0

.github/workflows/__local-bundle.yml

@@ -35,6 +35,11 @@ on:
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
+      python-version:
+        type: string
+        description: The version of Python to install
+        required: false
+        default: '3.13'
   workflow_call:
     inputs:
       dotnet-version:
@@ -47,13 +52,44 @@ on:
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
+      python-version:
+        type: string
+        description: The version of Python to install
+        required: false
+        default: '3.13'
 defaults:
   run:
     shell: bash
 concurrency:
   cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: local-bundle-${{github.ref}}-${{inputs.dotnet-version}}-${{inputs.go-version}}
+  group: local-bundle-${{github.ref}}-${{inputs.dotnet-version}}-${{inputs.go-version}}-${{inputs.python-version}}
 jobs:
+  should-run-local-bundle:
+    name: Decide whether to run this check
+    timeout-minutes: 10
+    runs-on: ubuntu-slim
+    if: github.triggering_actor != 'dependabot[bot]'
+    outputs:
+      run-check: ${{ steps.changed-files-check.outputs.run-check || steps.event-type-check.outputs.run-check }}
+    steps:
+      - name: Run check if this is not a PR
+        id: event-type-check
+        if: github.event_name != 'pull_request'
+        run: echo "run-check=true" >> "$GITHUB_OUTPUT"
+      - name: Check out repository
+        if: github.event_name == 'pull_request'
+        uses: actions/checkout@v6
+      - name: Determine changed files
+        id: changed-files
+        if: github.event_name == 'pull_request'
+        uses: ./.github/actions/changed-files
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          exclude: '["README.md"]'
+      - name: Run check because of changed files
+        id: changed-files-check
+        if: github.event_name != 'pull_request' && steps.changed-files.outputs.files != '[]'
+        run: echo "run-check=true" >> "$GITHUB_OUTPUT"
   local-bundle:
     strategy:
       fail-fast: false
@@ -62,7 +98,9 @@ jobs:
           - os: ubuntu-latest
             version: linked
     name: Local CodeQL bundle
-    if: github.triggering_actor != 'dependabot[bot]'
+    needs:
+      - should-run-local-bundle
+    if: needs.should-run-local-bundle.outputs.run-check == 'true'
     permissions:
       contents: read
       security-events: read
@@ -80,6 +118,11 @@ jobs:
         with:
           go-version: ${{ inputs.go-version || '>=1.21.0' }}
           cache: false
+      - name: Install Python
+        if: matrix.version != 'nightly-latest' || !matrix.version
+        uses: actions/setup-python@v6
+        with:
+          python-version: ${{ inputs.python-version || '3.13' }}
       - name: Prepare test
         id: prepare-test
         uses: ./.github/actions/prepare-test
@@ -101,3 +144,19 @@ jobs:
       - uses: ./../action/analyze
     env:
       CODEQL_ACTION_TEST_MODE: true
+  skip-local-bundle:
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - os: ubuntu-latest
+            version: linked
+    name: Local CodeQL bundle
+    needs:
+      - should-run-local-bundle
+    if: needs.should-run-local-bundle.outputs.run-check != 'true'
+    timeout-minutes: 5
+    runs-on: ubuntu-slim
+    steps:
+      - name: Success
+        run: exit 0

.github/workflows/__multi-language-autodetect.yml

@@ -35,6 +35,11 @@ on:
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
+      python-version:
+        type: string
+        description: The version of Python to install
+        required: false
+        default: '3.13'
   workflow_call:
     inputs:
       dotnet-version:
@@ -47,56 +52,89 @@ on:
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
+      python-version:
+        type: string
+        description: The version of Python to install
+        required: false
+        default: '3.13'
 defaults:
   run:
     shell: bash
 concurrency:
   cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: multi-language-autodetect-${{github.ref}}-${{inputs.dotnet-version}}-${{inputs.go-version}}
+  group: multi-language-autodetect-${{github.ref}}-${{inputs.dotnet-version}}-${{inputs.go-version}}-${{inputs.python-version}}
 jobs:
+  should-run-multi-language-autodetect:
+    name: Decide whether to run this check
+    timeout-minutes: 10
+    runs-on: ubuntu-slim
+    if: github.triggering_actor != 'dependabot[bot]'
+    outputs:
+      run-check: ${{ steps.changed-files-check.outputs.run-check || steps.event-type-check.outputs.run-check }}
+    steps:
+      - name: Run check if this is not a PR
+        id: event-type-check
+        if: github.event_name != 'pull_request'
+        run: echo "run-check=true" >> "$GITHUB_OUTPUT"
+      - name: Check out repository
+        if: github.event_name == 'pull_request'
+        uses: actions/checkout@v6
+      - name: Determine changed files
+        id: changed-files
+        if: github.event_name == 'pull_request'
+        uses: ./.github/actions/changed-files
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          exclude: '["README.md"]'
+      - name: Run check because of changed files
+        id: changed-files-check
+        if: github.event_name != 'pull_request' && steps.changed-files.outputs.files != '[]'
+        run: echo "run-check=true" >> "$GITHUB_OUTPUT"
   multi-language-autodetect:
     strategy:
       fail-fast: false
       matrix:
         include:
-          - os: ubuntu-latest
-            version: stable-v2.17.6
           - os: macos-latest
             version: stable-v2.17.6
           - os: ubuntu-latest
-            version: stable-v2.18.4
+            version: stable-v2.17.6
           - os: macos-latest
             version: stable-v2.18.4
           - os: ubuntu-latest
-            version: stable-v2.19.4
+            version: stable-v2.18.4
           - os: macos-latest
             version: stable-v2.19.4
           - os: ubuntu-latest
-            version: stable-v2.20.7
+            version: stable-v2.19.4
           - os: macos-latest
             version: stable-v2.20.7
           - os: ubuntu-latest
-            version: stable-v2.21.4
+            version: stable-v2.20.7
           - os: macos-latest
             version: stable-v2.21.4
           - os: ubuntu-latest
-            version: stable-v2.22.4
+            version: stable-v2.21.4
           - os: macos-latest
             version: stable-v2.22.4
           - os: ubuntu-latest
-            version: default
+            version: stable-v2.22.4
           - os: macos-latest
             version: default
           - os: ubuntu-latest
-            version: linked
+            version: default
           - os: macos-latest
             version: linked
           - os: ubuntu-latest
+            version: linked
+          - os: macos-latest
             version: nightly-latest
-          - os: macos-latest
+          - os: ubuntu-latest
             version: nightly-latest
     name: Multi-language repository
-    if: github.triggering_actor != 'dependabot[bot]'
+    needs:
+      - should-run-multi-language-autodetect
+    if: needs.should-run-multi-language-autodetect.outputs.run-check == 'true'
     permissions:
       contents: read
       security-events: read
@@ -114,6 +152,11 @@ jobs:
         with:
           go-version: ${{ inputs.go-version || '>=1.21.0' }}
           cache: false
+      - name: Install Python
+        if: matrix.version != 'nightly-latest' || !matrix.version
+        uses: actions/setup-python@v6
+        with:
+          python-version: ${{ inputs.python-version || '3.13' }}
       - name: Prepare test
         id: prepare-test
         uses: ./.github/actions/prepare-test
@@ -121,14 +164,6 @@ jobs:
           version: ${{ matrix.version }}
           use-all-platform-bundle: 'false'
           setup-kotlin: 'true'
-      - name: Install Python 3.13 for older CLI versions
-        # We need Python 3.13 for older CLI versions because they are not compatible with Python 3.14 or newer.
-        # See https://github.com/github/codeql-action/pull/3212
-        if: matrix.version != 'nightly-latest' && matrix.version != 'linked'
-        uses: actions/setup-python@v6
-        with:
-          python-version: '3.13'
-
       - name: Use Xcode 16
         if: runner.os == 'macOS' && matrix.version != 'nightly-latest'
         run: sudo xcode-select -s "/Applications/Xcode_16.app"
@@ -197,3 +232,53 @@ jobs:
     env:
       CODEQL_ACTION_RESOLVE_SUPPORTED_LANGUAGES_USING_CLI: true
       CODEQL_ACTION_TEST_MODE: true
+  skip-multi-language-autodetect:
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - os: macos-latest
+            version: stable-v2.17.6
+          - os: ubuntu-latest
+            version: stable-v2.17.6
+          - os: macos-latest
+            version: stable-v2.18.4
+          - os: ubuntu-latest
+            version: stable-v2.18.4
+          - os: macos-latest
+            version: stable-v2.19.4
+          - os: ubuntu-latest
+            version: stable-v2.19.4
+          - os: macos-latest
+            version: stable-v2.20.7
+          - os: ubuntu-latest
+            version: stable-v2.20.7
+          - os: macos-latest
+            version: stable-v2.21.4
+          - os: ubuntu-latest
+            version: stable-v2.21.4
+          - os: macos-latest
+            version: stable-v2.22.4
+          - os: ubuntu-latest
+            version: stable-v2.22.4
+          - os: macos-latest
+            version: default
+          - os: ubuntu-latest
+            version: default
+          - os: macos-latest
+            version: linked
+          - os: ubuntu-latest
+            version: linked
+          - os: macos-latest
+            version: nightly-latest
+          - os: ubuntu-latest
+            version: nightly-latest
+    name: Multi-language repository
+    needs:
+      - should-run-multi-language-autodetect
+    if: needs.should-run-multi-language-autodetect.outputs.run-check != 'true'
+    timeout-minutes: 5
+    runs-on: ubuntu-slim
+    steps:
+      - name: Success
+        run: exit 0

.github/workflows/__overlay-init-fallback.yml

@@ -34,6 +34,32 @@ concurrency:
   cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
   group: overlay-init-fallback-${{github.ref}}
 jobs:
+  should-run-overlay-init-fallback:
+    name: Decide whether to run this check
+    timeout-minutes: 10
+    runs-on: ubuntu-slim
+    if: github.triggering_actor != 'dependabot[bot]'
+    outputs:
+      run-check: ${{ steps.changed-files-check.outputs.run-check || steps.event-type-check.outputs.run-check }}
+    steps:
+      - name: Run check if this is not a PR
+        id: event-type-check
+        if: github.event_name != 'pull_request'
+        run: echo "run-check=true" >> "$GITHUB_OUTPUT"
+      - name: Check out repository
+        if: github.event_name == 'pull_request'
+        uses: actions/checkout@v6
+      - name: Determine changed files
+        id: changed-files
+        if: github.event_name == 'pull_request'
+        uses: ./.github/actions/changed-files
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          exclude: '["README.md"]'
+      - name: Run check because of changed files
+        id: changed-files-check
+        if: github.event_name != 'pull_request' && steps.changed-files.outputs.files != '[]'
+        run: echo "run-check=true" >> "$GITHUB_OUTPUT"
   overlay-init-fallback:
     strategy:
       fail-fast: false
@@ -44,7 +70,9 @@ jobs:
           - os: ubuntu-latest
             version: nightly-latest
     name: Overlay database init fallback
-    if: github.triggering_actor != 'dependabot[bot]'
+    needs:
+      - should-run-overlay-init-fallback
+    if: needs.should-run-overlay-init-fallback.outputs.run-check == 'true'
     permissions:
       contents: read
       security-events: read
@@ -79,3 +107,21 @@ jobs:
           fi
     env:
       CODEQL_ACTION_TEST_MODE: true
+  skip-overlay-init-fallback:
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - os: ubuntu-latest
+            version: linked
+          - os: ubuntu-latest
+            version: nightly-latest
+    name: Overlay database init fallback
+    needs:
+      - should-run-overlay-init-fallback
+    if: needs.should-run-overlay-init-fallback.outputs.run-check != 'true'
+    timeout-minutes: 5
+    runs-on: ubuntu-slim
+    steps:
+      - name: Success
+        run: exit 0

.github/workflows/__packaging-codescanning-config-inputs-js.yml

@@ -35,6 +35,11 @@ on:
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
+      python-version:
+        type: string
+        description: The version of Python to install
+        required: false
+        default: '3.13'
   workflow_call:
     inputs:
       dotnet-version:
@@ -47,13 +52,44 @@ on:
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
+      python-version:
+        type: string
+        description: The version of Python to install
+        required: false
+        default: '3.13'
 defaults:
   run:
     shell: bash
 concurrency:
   cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: packaging-codescanning-config-inputs-js-${{github.ref}}-${{inputs.dotnet-version}}-${{inputs.go-version}}
+  group: packaging-codescanning-config-inputs-js-${{github.ref}}-${{inputs.dotnet-version}}-${{inputs.go-version}}-${{inputs.python-version}}
 jobs:
+  should-run-packaging-codescanning-config-inputs-js:
+    name: Decide whether to run this check
+    timeout-minutes: 10
+    runs-on: ubuntu-slim
+    if: github.triggering_actor != 'dependabot[bot]'
+    outputs:
+      run-check: ${{ steps.changed-files-check.outputs.run-check || steps.event-type-check.outputs.run-check }}
+    steps:
+      - name: Run check if this is not a PR
+        id: event-type-check
+        if: github.event_name != 'pull_request'
+        run: echo "run-check=true" >> "$GITHUB_OUTPUT"
+      - name: Check out repository
+        if: github.event_name == 'pull_request'
+        uses: actions/checkout@v6
+      - name: Determine changed files
+        id: changed-files
+        if: github.event_name == 'pull_request'
+        uses: ./.github/actions/changed-files
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          exclude: '["README.md"]'
+      - name: Run check because of changed files
+        id: changed-files-check
+        if: github.event_name != 'pull_request' && steps.changed-files.outputs.files != '[]'
+        run: echo "run-check=true" >> "$GITHUB_OUTPUT"
   packaging-codescanning-config-inputs-js:
     strategy:
       fail-fast: false
@@ -66,7 +102,9 @@ jobs:
           - os: ubuntu-latest
             version: nightly-latest
     name: 'Packaging: Config and input passed to the CLI'
-    if: github.triggering_actor != 'dependabot[bot]'
+    needs:
+      - should-run-packaging-codescanning-config-inputs-js
+    if: needs.should-run-packaging-codescanning-config-inputs-js.outputs.run-check == 'true'
     permissions:
       contents: read
       security-events: read
@@ -91,6 +129,11 @@ jobs:
           cache: npm
       - name: Install dependencies
         run: npm ci
+      - name: Install Python
+        if: matrix.version != 'nightly-latest' || !matrix.version
+        uses: actions/setup-python@v6
+        with:
+          python-version: ${{ inputs.python-version || '3.13' }}
       - name: Prepare test
         id: prepare-test
         uses: ./.github/actions/prepare-test
@@ -133,3 +176,23 @@ jobs:
           fi
     env:
       CODEQL_ACTION_TEST_MODE: true
+  skip-packaging-codescanning-config-inputs-js:
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - os: ubuntu-latest
+            version: linked
+          - os: ubuntu-latest
+            version: default
+          - os: ubuntu-latest
+            version: nightly-latest
+    name: 'Packaging: Config and input passed to the CLI'
+    needs:
+      - should-run-packaging-codescanning-config-inputs-js
+    if: needs.should-run-packaging-codescanning-config-inputs-js.outputs.run-check != 'true'
+    timeout-minutes: 5
+    runs-on: ubuntu-slim
+    steps:
+      - name: Success
+        run: exit 0

.github/workflows/__packaging-config-inputs-js.yml

@@ -54,6 +54,32 @@ concurrency:
   cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
   group: packaging-config-inputs-js-${{github.ref}}-${{inputs.dotnet-version}}-${{inputs.go-version}}
 jobs:
+  should-run-packaging-config-inputs-js:
+    name: Decide whether to run this check
+    timeout-minutes: 10
+    runs-on: ubuntu-slim
+    if: github.triggering_actor != 'dependabot[bot]'
+    outputs:
+      run-check: ${{ steps.changed-files-check.outputs.run-check || steps.event-type-check.outputs.run-check }}
+    steps:
+      - name: Run check if this is not a PR
+        id: event-type-check
+        if: github.event_name != 'pull_request'
+        run: echo "run-check=true" >> "$GITHUB_OUTPUT"
+      - name: Check out repository
+        if: github.event_name == 'pull_request'
+        uses: actions/checkout@v6
+      - name: Determine changed files
+        id: changed-files
+        if: github.event_name == 'pull_request'
+        uses: ./.github/actions/changed-files
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          exclude: '["README.md"]'
+      - name: Run check because of changed files
+        id: changed-files-check
+        if: github.event_name != 'pull_request' && steps.changed-files.outputs.files != '[]'
+        run: echo "run-check=true" >> "$GITHUB_OUTPUT"
   packaging-config-inputs-js:
     strategy:
       fail-fast: false
@@ -66,7 +92,9 @@ jobs:
           - os: ubuntu-latest
             version: nightly-latest
     name: 'Packaging: Config and input'
-    if: github.triggering_actor != 'dependabot[bot]'
+    needs:
+      - should-run-packaging-config-inputs-js
+    if: needs.should-run-packaging-config-inputs-js.outputs.run-check == 'true'
     permissions:
       contents: read
       security-events: read
@@ -133,3 +161,23 @@ jobs:
           fi
     env:
       CODEQL_ACTION_TEST_MODE: true
+  skip-packaging-config-inputs-js:
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - os: ubuntu-latest
+            version: linked
+          - os: ubuntu-latest
+            version: default
+          - os: ubuntu-latest
+            version: nightly-latest
+    name: 'Packaging: Config and input'
+    needs:
+      - should-run-packaging-config-inputs-js
+    if: needs.should-run-packaging-config-inputs-js.outputs.run-check != 'true'
+    timeout-minutes: 5
+    runs-on: ubuntu-slim
+    steps:
+      - name: Success
+        run: exit 0

.github/workflows/__packaging-config-js.yml

@@ -54,6 +54,32 @@ concurrency:
   cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
   group: packaging-config-js-${{github.ref}}-${{inputs.dotnet-version}}-${{inputs.go-version}}
 jobs:
+  should-run-packaging-config-js:
+    name: Decide whether to run this check
+    timeout-minutes: 10
+    runs-on: ubuntu-slim
+    if: github.triggering_actor != 'dependabot[bot]'
+    outputs:
+      run-check: ${{ steps.changed-files-check.outputs.run-check || steps.event-type-check.outputs.run-check }}
+    steps:
+      - name: Run check if this is not a PR
+        id: event-type-check
+        if: github.event_name != 'pull_request'
+        run: echo "run-check=true" >> "$GITHUB_OUTPUT"
+      - name: Check out repository
+        if: github.event_name == 'pull_request'
+        uses: actions/checkout@v6
+      - name: Determine changed files
+        id: changed-files
+        if: github.event_name == 'pull_request'
+        uses: ./.github/actions/changed-files
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          exclude: '["README.md"]'
+      - name: Run check because of changed files
+        id: changed-files-check
+        if: github.event_name != 'pull_request' && steps.changed-files.outputs.files != '[]'
+        run: echo "run-check=true" >> "$GITHUB_OUTPUT"
   packaging-config-js:
     strategy:
       fail-fast: false
@@ -66,7 +92,9 @@ jobs:
           - os: ubuntu-latest
             version: nightly-latest
     name: 'Packaging: Config file'
-    if: github.triggering_actor != 'dependabot[bot]'
+    needs:
+      - should-run-packaging-config-js
+    if: needs.should-run-packaging-config-js.outputs.run-check == 'true'
     permissions:
       contents: read
       security-events: read
@@ -132,3 +160,23 @@ jobs:
           fi
     env:
       CODEQL_ACTION_TEST_MODE: true
+  skip-packaging-config-js:
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - os: ubuntu-latest
+            version: linked
+          - os: ubuntu-latest
+            version: default
+          - os: ubuntu-latest
+            version: nightly-latest
+    name: 'Packaging: Config file'
+    needs:
+      - should-run-packaging-config-js
+    if: needs.should-run-packaging-config-js.outputs.run-check != 'true'
+    timeout-minutes: 5
+    runs-on: ubuntu-slim
+    steps:
+      - name: Success
+        run: exit 0

.github/workflows/__packaging-inputs-js.yml

@@ -54,6 +54,32 @@ concurrency:
   cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
   group: packaging-inputs-js-${{github.ref}}-${{inputs.dotnet-version}}-${{inputs.go-version}}
 jobs:
+  should-run-packaging-inputs-js:
+    name: Decide whether to run this check
+    timeout-minutes: 10
+    runs-on: ubuntu-slim
+    if: github.triggering_actor != 'dependabot[bot]'
+    outputs:
+      run-check: ${{ steps.changed-files-check.outputs.run-check || steps.event-type-check.outputs.run-check }}
+    steps:
+      - name: Run check if this is not a PR
+        id: event-type-check
+        if: github.event_name != 'pull_request'
+        run: echo "run-check=true" >> "$GITHUB_OUTPUT"
+      - name: Check out repository
+        if: github.event_name == 'pull_request'
+        uses: actions/checkout@v6
+      - name: Determine changed files
+        id: changed-files
+        if: github.event_name == 'pull_request'
+        uses: ./.github/actions/changed-files
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          exclude: '["README.md"]'
+      - name: Run check because of changed files
+        id: changed-files-check
+        if: github.event_name != 'pull_request' && steps.changed-files.outputs.files != '[]'
+        run: echo "run-check=true" >> "$GITHUB_OUTPUT"
   packaging-inputs-js:
     strategy:
       fail-fast: false
@@ -66,7 +92,9 @@ jobs:
           - os: ubuntu-latest
             version: nightly-latest
     name: 'Packaging: Action input'
-    if: github.triggering_actor != 'dependabot[bot]'
+    needs:
+      - should-run-packaging-inputs-js
+    if: needs.should-run-packaging-inputs-js.outputs.run-check == 'true'
     permissions:
       contents: read
       security-events: read
@@ -132,3 +160,23 @@ jobs:
           fi
     env:
       CODEQL_ACTION_TEST_MODE: true
+  skip-packaging-inputs-js:
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - os: ubuntu-latest
+            version: linked
+          - os: ubuntu-latest
+            version: default
+          - os: ubuntu-latest
+            version: nightly-latest
+    name: 'Packaging: Action input'
+    needs:
+      - should-run-packaging-inputs-js
+    if: needs.should-run-packaging-inputs-js.outputs.run-check != 'true'
+    timeout-minutes: 5
+    runs-on: ubuntu-slim
+    steps:
+      - name: Success
+        run: exit 0

.github/workflows/__remote-config.yml

@@ -35,6 +35,11 @@ on:
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
+      python-version:
+        type: string
+        description: The version of Python to install
+        required: false
+        default: '3.13'
   workflow_call:
     inputs:
       dotnet-version:
@@ -47,13 +52,44 @@ on:
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
+      python-version:
+        type: string
+        description: The version of Python to install
+        required: false
+        default: '3.13'
 defaults:
   run:
     shell: bash
 concurrency:
   cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: remote-config-${{github.ref}}-${{inputs.dotnet-version}}-${{inputs.go-version}}
+  group: remote-config-${{github.ref}}-${{inputs.dotnet-version}}-${{inputs.go-version}}-${{inputs.python-version}}
 jobs:
+  should-run-remote-config:
+    name: Decide whether to run this check
+    timeout-minutes: 10
+    runs-on: ubuntu-slim
+    if: github.triggering_actor != 'dependabot[bot]'
+    outputs:
+      run-check: ${{ steps.changed-files-check.outputs.run-check || steps.event-type-check.outputs.run-check }}
+    steps:
+      - name: Run check if this is not a PR
+        id: event-type-check
+        if: github.event_name != 'pull_request'
+        run: echo "run-check=true" >> "$GITHUB_OUTPUT"
+      - name: Check out repository
+        if: github.event_name == 'pull_request'
+        uses: actions/checkout@v6
+      - name: Determine changed files
+        id: changed-files
+        if: github.event_name == 'pull_request'
+        uses: ./.github/actions/changed-files
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          exclude: '["README.md"]'
+      - name: Run check because of changed files
+        id: changed-files-check
+        if: github.event_name != 'pull_request' && steps.changed-files.outputs.files != '[]'
+        run: echo "run-check=true" >> "$GITHUB_OUTPUT"
   remote-config:
     strategy:
       fail-fast: false
@@ -64,7 +100,9 @@ jobs:
           - os: ubuntu-latest
             version: nightly-latest
     name: Remote config file
-    if: github.triggering_actor != 'dependabot[bot]'
+    needs:
+      - should-run-remote-config
+    if: needs.should-run-remote-config.outputs.run-check == 'true'
     permissions:
       contents: read
       security-events: read
@@ -82,6 +120,11 @@ jobs:
         with:
           go-version: ${{ inputs.go-version || '>=1.21.0' }}
           cache: false
+      - name: Install Python
+        if: matrix.version != 'nightly-latest' || !matrix.version
+        uses: actions/setup-python@v6
+        with:
+          python-version: ${{ inputs.python-version || '3.13' }}
       - name: Prepare test
         id: prepare-test
         uses: ./.github/actions/prepare-test
@@ -99,3 +142,21 @@ jobs:
       - uses: ./../action/analyze
     env:
       CODEQL_ACTION_TEST_MODE: true
+  skip-remote-config:
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - os: ubuntu-latest
+            version: linked
+          - os: ubuntu-latest
+            version: nightly-latest
+    name: Remote config file
+    needs:
+      - should-run-remote-config
+    if: needs.should-run-remote-config.outputs.run-check != 'true'
+    timeout-minutes: 5
+    runs-on: ubuntu-slim
+    steps:
+      - name: Success
+        run: exit 0

.github/workflows/__resolve-environment-action.yml

@@ -34,19 +34,47 @@ concurrency:
   cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
   group: resolve-environment-action-${{github.ref}}
 jobs:
+  should-run-resolve-environment-action:
+    name: Decide whether to run this check
+    timeout-minutes: 10
+    runs-on: ubuntu-slim
+    if: github.triggering_actor != 'dependabot[bot]'
+    outputs:
+      run-check: ${{ steps.changed-files-check.outputs.run-check || steps.event-type-check.outputs.run-check }}
+    steps:
+      - name: Run check if this is not a PR
+        id: event-type-check
+        if: github.event_name != 'pull_request'
+        run: echo "run-check=true" >> "$GITHUB_OUTPUT"
+      - name: Check out repository
+        if: github.event_name == 'pull_request'
+        uses: actions/checkout@v6
+      - name: Determine changed files
+        id: changed-files
+        if: github.event_name == 'pull_request'
+        uses: ./.github/actions/changed-files
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          exclude: '["README.md"]'
+      - name: Run check because of changed files
+        id: changed-files-check
+        if: github.event_name != 'pull_request' && steps.changed-files.outputs.files != '[]'
+        run: echo "run-check=true" >> "$GITHUB_OUTPUT"
   resolve-environment-action:
     strategy:
       fail-fast: false
       matrix:
         include:
-          - os: ubuntu-latest
-            version: linked
           - os: ubuntu-latest
             version: default
+          - os: ubuntu-latest
+            version: linked
           - os: ubuntu-latest
             version: nightly-latest
     name: Resolve environment
-    if: github.triggering_actor != 'dependabot[bot]'
+    needs:
+      - should-run-resolve-environment-action
+    if: needs.should-run-resolve-environment-action.outputs.run-check == 'true'
     permissions:
       contents: read
       security-events: read
@@ -88,3 +116,23 @@ jobs:
         run: exit 1
     env:
       CODEQL_ACTION_TEST_MODE: true
+  skip-resolve-environment-action:
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - os: ubuntu-latest
+            version: default
+          - os: ubuntu-latest
+            version: linked
+          - os: ubuntu-latest
+            version: nightly-latest
+    name: Resolve environment
+    needs:
+      - should-run-resolve-environment-action
+    if: needs.should-run-resolve-environment-action.outputs.run-check != 'true'
+    timeout-minutes: 5
+    runs-on: ubuntu-slim
+    steps:
+      - name: Success
+        run: exit 0

.github/workflows/__rubocop-multi-language.yml

@@ -34,6 +34,32 @@ concurrency:
   cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
   group: rubocop-multi-language-${{github.ref}}
 jobs:
+  should-run-rubocop-multi-language:
+    name: Decide whether to run this check
+    timeout-minutes: 10
+    runs-on: ubuntu-slim
+    if: github.triggering_actor != 'dependabot[bot]'
+    outputs:
+      run-check: ${{ steps.changed-files-check.outputs.run-check || steps.event-type-check.outputs.run-check }}
+    steps:
+      - name: Run check if this is not a PR
+        id: event-type-check
+        if: github.event_name != 'pull_request'
+        run: echo "run-check=true" >> "$GITHUB_OUTPUT"
+      - name: Check out repository
+        if: github.event_name == 'pull_request'
+        uses: actions/checkout@v6
+      - name: Determine changed files
+        id: changed-files
+        if: github.event_name == 'pull_request'
+        uses: ./.github/actions/changed-files
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          exclude: '["README.md"]'
+      - name: Run check because of changed files
+        id: changed-files-check
+        if: github.event_name != 'pull_request' && steps.changed-files.outputs.files != '[]'
+        run: echo "run-check=true" >> "$GITHUB_OUTPUT"
   rubocop-multi-language:
     strategy:
       fail-fast: false
@@ -42,7 +68,9 @@ jobs:
           - os: ubuntu-latest
             version: default
     name: RuboCop multi-language
-    if: github.triggering_actor != 'dependabot[bot]'
+    needs:
+      - should-run-rubocop-multi-language
+    if: needs.should-run-rubocop-multi-language.outputs.run-check == 'true'
     permissions:
       contents: read
       security-events: read
@@ -59,7 +87,7 @@ jobs:
           use-all-platform-bundle: 'false'
           setup-kotlin: 'true'
       - name: Set up Ruby
-        uses: ruby/setup-ruby@0cb964fd540e0a24c900370abf38a33466142735 # v1.305.0
+        uses: ruby/setup-ruby@09a7688d3b55cf0e976497ff046b70949eeaccfd # v1.288.0
         with:
           ruby-version: 2.6
       - name: Install Code Scanning integration
@@ -77,3 +105,19 @@ jobs:
           sarif_file: rubocop.sarif
     env:
       CODEQL_ACTION_TEST_MODE: true
+  skip-rubocop-multi-language:
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - os: ubuntu-latest
+            version: default
+    name: RuboCop multi-language
+    needs:
+      - should-run-rubocop-multi-language
+    if: needs.should-run-rubocop-multi-language.outputs.run-check != 'true'
+    timeout-minutes: 5
+    runs-on: ubuntu-slim
+    steps:
+      - name: Success
+        run: exit 0

.github/workflows/__ruby.yml

@@ -34,6 +34,32 @@ concurrency:
   cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
   group: ruby-${{github.ref}}
 jobs:
+  should-run-ruby:
+    name: Decide whether to run this check
+    timeout-minutes: 10
+    runs-on: ubuntu-slim
+    if: github.triggering_actor != 'dependabot[bot]'
+    outputs:
+      run-check: ${{ steps.changed-files-check.outputs.run-check || steps.event-type-check.outputs.run-check }}
+    steps:
+      - name: Run check if this is not a PR
+        id: event-type-check
+        if: github.event_name != 'pull_request'
+        run: echo "run-check=true" >> "$GITHUB_OUTPUT"
+      - name: Check out repository
+        if: github.event_name == 'pull_request'
+        uses: actions/checkout@v6
+      - name: Determine changed files
+        id: changed-files
+        if: github.event_name == 'pull_request'
+        uses: ./.github/actions/changed-files
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          exclude: '["README.md"]'
+      - name: Run check because of changed files
+        id: changed-files-check
+        if: github.event_name != 'pull_request' && steps.changed-files.outputs.files != '[]'
+        run: echo "run-check=true" >> "$GITHUB_OUTPUT"
   ruby:
     strategy:
       fail-fast: false
@@ -52,7 +78,9 @@ jobs:
           - os: macos-latest
             version: nightly-latest
     name: Ruby analysis
-    if: github.triggering_actor != 'dependabot[bot]'
+    needs:
+      - should-run-ruby
+    if: needs.should-run-ruby.outputs.run-check == 'true'
     permissions:
       contents: read
       security-events: read
@@ -85,3 +113,29 @@ jobs:
           fi
     env:
       CODEQL_ACTION_TEST_MODE: true
+  skip-ruby:
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - os: ubuntu-latest
+            version: linked
+          - os: macos-latest
+            version: linked
+          - os: ubuntu-latest
+            version: default
+          - os: macos-latest
+            version: default
+          - os: ubuntu-latest
+            version: nightly-latest
+          - os: macos-latest
+            version: nightly-latest
+    name: Ruby analysis
+    needs:
+      - should-run-ruby
+    if: needs.should-run-ruby.outputs.run-check != 'true'
+    timeout-minutes: 5
+    runs-on: ubuntu-slim
+    steps:
+      - name: Success
+        run: exit 0

.github/workflows/__rust.yml

@@ -34,6 +34,32 @@ concurrency:
   cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
   group: rust-${{github.ref}}
 jobs:
+  should-run-rust:
+    name: Decide whether to run this check
+    timeout-minutes: 10
+    runs-on: ubuntu-slim
+    if: github.triggering_actor != 'dependabot[bot]'
+    outputs:
+      run-check: ${{ steps.changed-files-check.outputs.run-check || steps.event-type-check.outputs.run-check }}
+    steps:
+      - name: Run check if this is not a PR
+        id: event-type-check
+        if: github.event_name != 'pull_request'
+        run: echo "run-check=true" >> "$GITHUB_OUTPUT"
+      - name: Check out repository
+        if: github.event_name == 'pull_request'
+        uses: actions/checkout@v6
+      - name: Determine changed files
+        id: changed-files
+        if: github.event_name == 'pull_request'
+        uses: ./.github/actions/changed-files
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          exclude: '["README.md"]'
+      - name: Run check because of changed files
+        id: changed-files-check
+        if: github.event_name != 'pull_request' && steps.changed-files.outputs.files != '[]'
+        run: echo "run-check=true" >> "$GITHUB_OUTPUT"
   rust:
     strategy:
       fail-fast: false
@@ -50,7 +76,9 @@ jobs:
           - os: ubuntu-latest
             version: nightly-latest
     name: Rust analysis
-    if: github.triggering_actor != 'dependabot[bot]'
+    needs:
+      - should-run-rust
+    if: needs.should-run-rust.outputs.run-check == 'true'
     permissions:
       contents: read
       security-events: read
@@ -83,3 +111,27 @@ jobs:
           fi
     env:
       CODEQL_ACTION_TEST_MODE: true
+  skip-rust:
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - os: ubuntu-latest
+            version: stable-v2.19.3
+          - os: ubuntu-latest
+            version: stable-v2.22.1
+          - os: ubuntu-latest
+            version: linked
+          - os: ubuntu-latest
+            version: default
+          - os: ubuntu-latest
+            version: nightly-latest
+    name: Rust analysis
+    needs:
+      - should-run-rust
+    if: needs.should-run-rust.outputs.run-check != 'true'
+    timeout-minutes: 5
+    runs-on: ubuntu-slim
+    steps:
+      - name: Success
+        run: exit 0

.github/workflows/__split-workflow.yml

@@ -54,6 +54,32 @@ concurrency:
   cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
   group: split-workflow-${{github.ref}}-${{inputs.dotnet-version}}-${{inputs.go-version}}
 jobs:
+  should-run-split-workflow:
+    name: Decide whether to run this check
+    timeout-minutes: 10
+    runs-on: ubuntu-slim
+    if: github.triggering_actor != 'dependabot[bot]'
+    outputs:
+      run-check: ${{ steps.changed-files-check.outputs.run-check || steps.event-type-check.outputs.run-check }}
+    steps:
+      - name: Run check if this is not a PR
+        id: event-type-check
+        if: github.event_name != 'pull_request'
+        run: echo "run-check=true" >> "$GITHUB_OUTPUT"
+      - name: Check out repository
+        if: github.event_name == 'pull_request'
+        uses: actions/checkout@v6
+      - name: Determine changed files
+        id: changed-files
+        if: github.event_name == 'pull_request'
+        uses: ./.github/actions/changed-files
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          exclude: '["README.md"]'
+      - name: Run check because of changed files
+        id: changed-files-check
+        if: github.event_name != 'pull_request' && steps.changed-files.outputs.files != '[]'
+        run: echo "run-check=true" >> "$GITHUB_OUTPUT"
   split-workflow:
     strategy:
       fail-fast: false
@@ -72,7 +98,9 @@ jobs:
           - os: macos-latest
             version: nightly-latest
     name: Split workflow
-    if: github.triggering_actor != 'dependabot[bot]'
+    needs:
+      - should-run-split-workflow
+    if: needs.should-run-split-workflow.outputs.run-check == 'true'
     permissions:
       contents: read
       security-events: read
@@ -136,3 +164,29 @@ jobs:
           fi
     env:
       CODEQL_ACTION_TEST_MODE: true
+  skip-split-workflow:
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - os: ubuntu-latest
+            version: linked
+          - os: macos-latest
+            version: linked
+          - os: ubuntu-latest
+            version: default
+          - os: macos-latest
+            version: default
+          - os: ubuntu-latest
+            version: nightly-latest
+          - os: macos-latest
+            version: nightly-latest
+    name: Split workflow
+    needs:
+      - should-run-split-workflow
+    if: needs.should-run-split-workflow.outputs.run-check != 'true'
+    timeout-minutes: 5
+    runs-on: ubuntu-slim
+    steps:
+      - name: Success
+        run: exit 0

.github/workflows/__start-proxy.yml

@@ -34,6 +34,32 @@ concurrency:
   cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
   group: start-proxy-${{github.ref}}
 jobs:
+  should-run-start-proxy:
+    name: Decide whether to run this check
+    timeout-minutes: 10
+    runs-on: ubuntu-slim
+    if: github.triggering_actor != 'dependabot[bot]'
+    outputs:
+      run-check: ${{ steps.changed-files-check.outputs.run-check || steps.event-type-check.outputs.run-check }}
+    steps:
+      - name: Run check if this is not a PR
+        id: event-type-check
+        if: github.event_name != 'pull_request'
+        run: echo "run-check=true" >> "$GITHUB_OUTPUT"
+      - name: Check out repository
+        if: github.event_name == 'pull_request'
+        uses: actions/checkout@v6
+      - name: Determine changed files
+        id: changed-files
+        if: github.event_name == 'pull_request'
+        uses: ./.github/actions/changed-files
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          exclude: '["README.md"]'
+      - name: Run check because of changed files
+        id: changed-files-check
+        if: github.event_name != 'pull_request' && steps.changed-files.outputs.files != '[]'
+        run: echo "run-check=true" >> "$GITHUB_OUTPUT"
   start-proxy:
     strategy:
       fail-fast: false
@@ -46,7 +72,9 @@ jobs:
           - os: windows-latest
             version: linked
     name: Start proxy
-    if: github.triggering_actor != 'dependabot[bot]'
+    needs:
+      - should-run-start-proxy
+    if: needs.should-run-start-proxy.outputs.run-check == 'true'
     permissions:
       contents: read
       security-events: read
@@ -71,17 +99,7 @@ jobs:
         id: proxy
         uses: ./../action/start-proxy
         with:
-          registry_secrets: |
-            [
-              {
-                "type": "maven_repository",
-                "url": "https://repo.maven.apache.org/maven2/"
-              },
-              {
-                "type": "maven_repository",
-                "url": "https://repo1.maven.org/maven2"
-              }
-            ]
+          registry_secrets: '[{ "type": "nuget_feed", "url": "https://api.nuget.org/v3/index.json" }]'
 
       - name: Print proxy outputs
         run: |
@@ -92,12 +110,25 @@ jobs:
       - name: Fail if proxy outputs are not set
         if: (!steps.proxy.outputs.proxy_host) || (!steps.proxy.outputs.proxy_port) || (!steps.proxy.outputs.proxy_ca_certificate) || (!steps.proxy.outputs.proxy_urls)
         run: exit 1
-
-      - name: Fail if proxy_urls does not contain all registries
-        if: |
-          join(fromJSON(steps.proxy.outputs.proxy_urls)[*].type, ',') != 'maven_repository,maven_repository'
-          || !contains(steps.proxy.outputs.proxy_urls, 'https://repo.maven.apache.org/maven2/')
-          || !contains(steps.proxy.outputs.proxy_urls, 'https://repo1.maven.org/maven2')
-        run: exit 1
     env:
       CODEQL_ACTION_TEST_MODE: true
+  skip-start-proxy:
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - os: ubuntu-latest
+            version: linked
+          - os: macos-latest
+            version: linked
+          - os: windows-latest
+            version: linked
+    name: Start proxy
+    needs:
+      - should-run-start-proxy
+    if: needs.should-run-start-proxy.outputs.run-check != 'true'
+    timeout-minutes: 5
+    runs-on: ubuntu-slim
+    steps:
+      - name: Success
+        run: exit 0

.github/workflows/__submit-sarif-failure.yml

@@ -34,6 +34,32 @@ concurrency:
   cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
   group: submit-sarif-failure-${{github.ref}}
 jobs:
+  should-run-submit-sarif-failure:
+    name: Decide whether to run this check
+    timeout-minutes: 10
+    runs-on: ubuntu-slim
+    if: github.triggering_actor != 'dependabot[bot]'
+    outputs:
+      run-check: ${{ steps.changed-files-check.outputs.run-check || steps.event-type-check.outputs.run-check }}
+    steps:
+      - name: Run check if this is not a PR
+        id: event-type-check
+        if: github.event_name != 'pull_request'
+        run: echo "run-check=true" >> "$GITHUB_OUTPUT"
+      - name: Check out repository
+        if: github.event_name == 'pull_request'
+        uses: actions/checkout@v6
+      - name: Determine changed files
+        id: changed-files
+        if: github.event_name == 'pull_request'
+        uses: ./.github/actions/changed-files
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          exclude: '["README.md"]'
+      - name: Run check because of changed files
+        id: changed-files-check
+        if: github.event_name != 'pull_request' && steps.changed-files.outputs.files != '[]'
+        run: echo "run-check=true" >> "$GITHUB_OUTPUT"
   submit-sarif-failure:
     strategy:
       fail-fast: false
@@ -46,7 +72,9 @@ jobs:
           - os: ubuntu-latest
             version: nightly-latest
     name: Submit SARIF after failure
-    if: github.triggering_actor != 'dependabot[bot]'
+    needs:
+      - should-run-submit-sarif-failure
+    if: needs.should-run-submit-sarif-failure.outputs.run-check == 'true'
     permissions:
       contents: read
       security-events: write
@@ -85,3 +113,23 @@ jobs:
       CODEQL_ACTION_UPLOAD_FAILED_SARIF: true
       CODEQL_ACTION_TEST_MODE: false
       CODEQL_ACTION_TESTING_ENVIRONMENT: codeql-action-pr-checks
+  skip-submit-sarif-failure:
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - os: ubuntu-latest
+            version: linked
+          - os: ubuntu-latest
+            version: default
+          - os: ubuntu-latest
+            version: nightly-latest
+    name: Submit SARIF after failure
+    needs:
+      - should-run-submit-sarif-failure
+    if: needs.should-run-submit-sarif-failure.outputs.run-check != 'true'
+    timeout-minutes: 5
+    runs-on: ubuntu-slim
+    steps:
+      - name: Success
+        run: exit 0

.github/workflows/__swift-autobuild.yml

@@ -34,6 +34,32 @@ concurrency:
   cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
   group: swift-autobuild-${{github.ref}}
 jobs:
+  should-run-swift-autobuild:
+    name: Decide whether to run this check
+    timeout-minutes: 10
+    runs-on: ubuntu-slim
+    if: github.triggering_actor != 'dependabot[bot]'
+    outputs:
+      run-check: ${{ steps.changed-files-check.outputs.run-check || steps.event-type-check.outputs.run-check }}
+    steps:
+      - name: Run check if this is not a PR
+        id: event-type-check
+        if: github.event_name != 'pull_request'
+        run: echo "run-check=true" >> "$GITHUB_OUTPUT"
+      - name: Check out repository
+        if: github.event_name == 'pull_request'
+        uses: actions/checkout@v6
+      - name: Determine changed files
+        id: changed-files
+        if: github.event_name == 'pull_request'
+        uses: ./.github/actions/changed-files
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          exclude: '["README.md"]'
+      - name: Run check because of changed files
+        id: changed-files-check
+        if: github.event_name != 'pull_request' && steps.changed-files.outputs.files != '[]'
+        run: echo "run-check=true" >> "$GITHUB_OUTPUT"
   swift-autobuild:
     strategy:
       fail-fast: false
@@ -42,7 +68,9 @@ jobs:
           - os: macos-latest
             version: nightly-latest
     name: Swift analysis using autobuild
-    if: github.triggering_actor != 'dependabot[bot]'
+    needs:
+      - should-run-swift-autobuild
+    if: needs.should-run-swift-autobuild.outputs.run-check == 'true'
     permissions:
       contents: read
       security-events: read
@@ -81,3 +109,19 @@ jobs:
           fi
     env:
       CODEQL_ACTION_TEST_MODE: true
+  skip-swift-autobuild:
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - os: macos-latest
+            version: nightly-latest
+    name: Swift analysis using autobuild
+    needs:
+      - should-run-swift-autobuild
+    if: needs.should-run-swift-autobuild.outputs.run-check != 'true'
+    timeout-minutes: 5
+    runs-on: ubuntu-slim
+    steps:
+      - name: Success
+        run: exit 0

.github/workflows/__swift-custom-build.yml

@@ -54,6 +54,32 @@ concurrency:
   cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
   group: swift-custom-build-${{github.ref}}-${{inputs.dotnet-version}}-${{inputs.go-version}}
 jobs:
+  should-run-swift-custom-build:
+    name: Decide whether to run this check
+    timeout-minutes: 10
+    runs-on: ubuntu-slim
+    if: github.triggering_actor != 'dependabot[bot]'
+    outputs:
+      run-check: ${{ steps.changed-files-check.outputs.run-check || steps.event-type-check.outputs.run-check }}
+    steps:
+      - name: Run check if this is not a PR
+        id: event-type-check
+        if: github.event_name != 'pull_request'
+        run: echo "run-check=true" >> "$GITHUB_OUTPUT"
+      - name: Check out repository
+        if: github.event_name == 'pull_request'
+        uses: actions/checkout@v6
+      - name: Determine changed files
+        id: changed-files
+        if: github.event_name == 'pull_request'
+        uses: ./.github/actions/changed-files
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          exclude: '["README.md"]'
+      - name: Run check because of changed files
+        id: changed-files-check
+        if: github.event_name != 'pull_request' && steps.changed-files.outputs.files != '[]'
+        run: echo "run-check=true" >> "$GITHUB_OUTPUT"
   swift-custom-build:
     strategy:
       fail-fast: false
@@ -66,7 +92,9 @@ jobs:
           - os: macos-latest
             version: nightly-latest
     name: Swift analysis using a custom build command
-    if: github.triggering_actor != 'dependabot[bot]'
+    needs:
+      - should-run-swift-custom-build
+    if: needs.should-run-swift-custom-build.outputs.run-check == 'true'
     permissions:
       contents: read
       security-events: read
@@ -117,3 +145,23 @@ jobs:
     env:
       DOTNET_GENERATE_ASPNET_CERTIFICATE: 'false'
       CODEQL_ACTION_TEST_MODE: true
+  skip-swift-custom-build:
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - os: macos-latest
+            version: linked
+          - os: macos-latest
+            version: default
+          - os: macos-latest
+            version: nightly-latest
+    name: Swift analysis using a custom build command
+    needs:
+      - should-run-swift-custom-build
+    if: needs.should-run-swift-custom-build.outputs.run-check != 'true'
+    timeout-minutes: 5
+    runs-on: ubuntu-slim
+    steps:
+      - name: Success
+        run: exit 0

.github/workflows/__unset-environment.yml

@@ -35,6 +35,11 @@ on:
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
+      python-version:
+        type: string
+        description: The version of Python to install
+        required: false
+        default: '3.13'
   workflow_call:
     inputs:
       dotnet-version:
@@ -47,13 +52,44 @@ on:
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
+      python-version:
+        type: string
+        description: The version of Python to install
+        required: false
+        default: '3.13'
 defaults:
   run:
     shell: bash
 concurrency:
   cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: unset-environment-${{github.ref}}-${{inputs.dotnet-version}}-${{inputs.go-version}}
+  group: unset-environment-${{github.ref}}-${{inputs.dotnet-version}}-${{inputs.go-version}}-${{inputs.python-version}}
 jobs:
+  should-run-unset-environment:
+    name: Decide whether to run this check
+    timeout-minutes: 10
+    runs-on: ubuntu-slim
+    if: github.triggering_actor != 'dependabot[bot]'
+    outputs:
+      run-check: ${{ steps.changed-files-check.outputs.run-check || steps.event-type-check.outputs.run-check }}
+    steps:
+      - name: Run check if this is not a PR
+        id: event-type-check
+        if: github.event_name != 'pull_request'
+        run: echo "run-check=true" >> "$GITHUB_OUTPUT"
+      - name: Check out repository
+        if: github.event_name == 'pull_request'
+        uses: actions/checkout@v6
+      - name: Determine changed files
+        id: changed-files
+        if: github.event_name == 'pull_request'
+        uses: ./.github/actions/changed-files
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          exclude: '["README.md"]'
+      - name: Run check because of changed files
+        id: changed-files-check
+        if: github.event_name != 'pull_request' && steps.changed-files.outputs.files != '[]'
+        run: echo "run-check=true" >> "$GITHUB_OUTPUT"
   unset-environment:
     strategy:
       fail-fast: false
@@ -64,7 +100,9 @@ jobs:
           - os: ubuntu-latest
             version: nightly-latest
     name: Test unsetting environment variables
-    if: github.triggering_actor != 'dependabot[bot]'
+    needs:
+      - should-run-unset-environment
+    if: needs.should-run-unset-environment.outputs.run-check == 'true'
     permissions:
       contents: read
       security-events: read
@@ -82,6 +120,11 @@ jobs:
         with:
           go-version: ${{ inputs.go-version || '>=1.21.0' }}
           cache: false
+      - name: Install Python
+        if: matrix.version != 'nightly-latest' || !matrix.version
+        uses: actions/setup-python@v6
+        with:
+          python-version: ${{ inputs.python-version || '3.13' }}
       - name: Prepare test
         id: prepare-test
         uses: ./.github/actions/prepare-test
@@ -141,3 +184,21 @@ jobs:
           fi
     env:
       CODEQL_ACTION_TEST_MODE: true
+  skip-unset-environment:
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - os: ubuntu-latest
+            version: linked
+          - os: ubuntu-latest
+            version: nightly-latest
+    name: Test unsetting environment variables
+    needs:
+      - should-run-unset-environment
+    if: needs.should-run-unset-environment.outputs.run-check != 'true'
+    timeout-minutes: 5
+    runs-on: ubuntu-slim
+    steps:
+      - name: Success
+        run: exit 0

.github/workflows/__upload-ref-sha-input.yml

@@ -35,6 +35,11 @@ on:
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
+      python-version:
+        type: string
+        description: The version of Python to install
+        required: false
+        default: '3.13'
   workflow_call:
     inputs:
       dotnet-version:
@@ -47,13 +52,44 @@ on:
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
+      python-version:
+        type: string
+        description: The version of Python to install
+        required: false
+        default: '3.13'
 defaults:
   run:
     shell: bash
 concurrency:
   cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: upload-ref-sha-input-${{github.ref}}-${{inputs.dotnet-version}}-${{inputs.go-version}}
+  group: upload-ref-sha-input-${{github.ref}}-${{inputs.dotnet-version}}-${{inputs.go-version}}-${{inputs.python-version}}
 jobs:
+  should-run-upload-ref-sha-input:
+    name: Decide whether to run this check
+    timeout-minutes: 10
+    runs-on: ubuntu-slim
+    if: github.triggering_actor != 'dependabot[bot]'
+    outputs:
+      run-check: ${{ steps.changed-files-check.outputs.run-check || steps.event-type-check.outputs.run-check }}
+    steps:
+      - name: Run check if this is not a PR
+        id: event-type-check
+        if: github.event_name != 'pull_request'
+        run: echo "run-check=true" >> "$GITHUB_OUTPUT"
+      - name: Check out repository
+        if: github.event_name == 'pull_request'
+        uses: actions/checkout@v6
+      - name: Determine changed files
+        id: changed-files
+        if: github.event_name == 'pull_request'
+        uses: ./.github/actions/changed-files
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          exclude: '["README.md"]'
+      - name: Run check because of changed files
+        id: changed-files-check
+        if: github.event_name != 'pull_request' && steps.changed-files.outputs.files != '[]'
+        run: echo "run-check=true" >> "$GITHUB_OUTPUT"
   upload-ref-sha-input:
     strategy:
       fail-fast: false
@@ -62,7 +98,9 @@ jobs:
           - os: ubuntu-latest
             version: default
     name: "Upload-sarif: 'ref' and 'sha' from inputs"
-    if: github.triggering_actor != 'dependabot[bot]'
+    needs:
+      - should-run-upload-ref-sha-input
+    if: needs.should-run-upload-ref-sha-input.outputs.run-check == 'true'
     permissions:
       contents: read
       security-events: read
@@ -80,6 +118,11 @@ jobs:
         with:
           go-version: ${{ inputs.go-version || '>=1.21.0' }}
           cache: false
+      - name: Install Python
+        if: matrix.version != 'nightly-latest' || !matrix.version
+        uses: actions/setup-python@v6
+        with:
+          python-version: ${{ inputs.python-version || '3.13' }}
       - name: Prepare test
         id: prepare-test
         uses: ./.github/actions/prepare-test
@@ -106,3 +149,19 @@ jobs:
           sha: '5e235361806c361d4d3f8859e3c897658025a9a2'
     env:
       CODEQL_ACTION_TEST_MODE: true
+  skip-upload-ref-sha-input:
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - os: ubuntu-latest
+            version: default
+    name: "Upload-sarif: 'ref' and 'sha' from inputs"
+    needs:
+      - should-run-upload-ref-sha-input
+    if: needs.should-run-upload-ref-sha-input.outputs.run-check != 'true'
+    timeout-minutes: 5
+    runs-on: ubuntu-slim
+    steps:
+      - name: Success
+        run: exit 0

.github/workflows/__upload-sarif.yml

@@ -35,6 +35,11 @@ on:
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
+      python-version:
+        type: string
+        description: The version of Python to install
+        required: false
+        default: '3.13'
   workflow_call:
     inputs:
       dotnet-version:
@@ -47,13 +52,44 @@ on:
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
+      python-version:
+        type: string
+        description: The version of Python to install
+        required: false
+        default: '3.13'
 defaults:
   run:
     shell: bash
 concurrency:
   cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: upload-sarif-${{github.ref}}-${{inputs.dotnet-version}}-${{inputs.go-version}}
+  group: upload-sarif-${{github.ref}}-${{inputs.dotnet-version}}-${{inputs.go-version}}-${{inputs.python-version}}
 jobs:
+  should-run-upload-sarif:
+    name: Decide whether to run this check
+    timeout-minutes: 10
+    runs-on: ubuntu-slim
+    if: github.triggering_actor != 'dependabot[bot]'
+    outputs:
+      run-check: ${{ steps.changed-files-check.outputs.run-check || steps.event-type-check.outputs.run-check }}
+    steps:
+      - name: Run check if this is not a PR
+        id: event-type-check
+        if: github.event_name != 'pull_request'
+        run: echo "run-check=true" >> "$GITHUB_OUTPUT"
+      - name: Check out repository
+        if: github.event_name == 'pull_request'
+        uses: actions/checkout@v6
+      - name: Determine changed files
+        id: changed-files
+        if: github.event_name == 'pull_request'
+        uses: ./.github/actions/changed-files
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          exclude: '["README.md"]'
+      - name: Run check because of changed files
+        id: changed-files-check
+        if: github.event_name != 'pull_request' && steps.changed-files.outputs.files != '[]'
+        run: echo "run-check=true" >> "$GITHUB_OUTPUT"
   upload-sarif:
     strategy:
       fail-fast: false
@@ -69,7 +105,9 @@ jobs:
             version: default
             analysis-kinds: code-scanning,code-quality
     name: Test different uses of `upload-sarif`
-    if: github.triggering_actor != 'dependabot[bot]'
+    needs:
+      - should-run-upload-sarif
+    if: needs.should-run-upload-sarif.outputs.run-check == 'true'
     permissions:
       contents: read
       security-events: read
@@ -87,6 +125,11 @@ jobs:
         with:
           go-version: ${{ inputs.go-version || '>=1.21.0' }}
           cache: false
+      - name: Install Python
+        if: matrix.version != 'nightly-latest' || !matrix.version
+        uses: actions/setup-python@v6
+        with:
+          python-version: ${{ inputs.python-version || '3.13' }}
       - name: Prepare test
         id: prepare-test
         uses: ./.github/actions/prepare-test
@@ -171,3 +214,26 @@ jobs:
         run: exit 1
     env:
       CODEQL_ACTION_TEST_MODE: true
+  skip-upload-sarif:
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - os: ubuntu-latest
+            version: default
+            analysis-kinds: code-scanning
+          - os: ubuntu-latest
+            version: default
+            analysis-kinds: code-quality
+          - os: ubuntu-latest
+            version: default
+            analysis-kinds: code-scanning,code-quality
+    name: Test different uses of `upload-sarif`
+    needs:
+      - should-run-upload-sarif
+    if: needs.should-run-upload-sarif.outputs.run-check != 'true'
+    timeout-minutes: 5
+    runs-on: ubuntu-slim
+    steps:
+      - name: Success
+        run: exit 0

.github/workflows/__with-checkout-path.yml

@@ -35,6 +35,11 @@ on:
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
+      python-version:
+        type: string
+        description: The version of Python to install
+        required: false
+        default: '3.13'
   workflow_call:
     inputs:
       dotnet-version:
@@ -47,13 +52,44 @@ on:
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
+      python-version:
+        type: string
+        description: The version of Python to install
+        required: false
+        default: '3.13'
 defaults:
   run:
     shell: bash
 concurrency:
   cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: with-checkout-path-${{github.ref}}-${{inputs.dotnet-version}}-${{inputs.go-version}}
+  group: with-checkout-path-${{github.ref}}-${{inputs.dotnet-version}}-${{inputs.go-version}}-${{inputs.python-version}}
 jobs:
+  should-run-with-checkout-path:
+    name: Decide whether to run this check
+    timeout-minutes: 10
+    runs-on: ubuntu-slim
+    if: github.triggering_actor != 'dependabot[bot]'
+    outputs:
+      run-check: ${{ steps.changed-files-check.outputs.run-check || steps.event-type-check.outputs.run-check }}
+    steps:
+      - name: Run check if this is not a PR
+        id: event-type-check
+        if: github.event_name != 'pull_request'
+        run: echo "run-check=true" >> "$GITHUB_OUTPUT"
+      - name: Check out repository
+        if: github.event_name == 'pull_request'
+        uses: actions/checkout@v6
+      - name: Determine changed files
+        id: changed-files
+        if: github.event_name == 'pull_request'
+        uses: ./.github/actions/changed-files
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          exclude: '["README.md"]'
+      - name: Run check because of changed files
+        id: changed-files-check
+        if: github.event_name != 'pull_request' && steps.changed-files.outputs.files != '[]'
+        run: echo "run-check=true" >> "$GITHUB_OUTPUT"
   with-checkout-path:
     strategy:
       fail-fast: false
@@ -62,7 +98,9 @@ jobs:
           - os: ubuntu-latest
             version: linked
     name: Use a custom `checkout_path`
-    if: github.triggering_actor != 'dependabot[bot]'
+    needs:
+      - should-run-with-checkout-path
+    if: needs.should-run-with-checkout-path.outputs.run-check == 'true'
     permissions:
       contents: read
       security-events: read
@@ -81,6 +119,11 @@ jobs:
         with:
           go-version: ${{ inputs.go-version || '>=1.21.0' }}
           cache: false
+      - name: Install Python
+        if: matrix.version != 'nightly-latest' || !matrix.version
+        uses: actions/setup-python@v6
+        with:
+          python-version: ${{ inputs.python-version || '3.13' }}
       - name: Prepare test
         id: prepare-test
         uses: ./.github/actions/prepare-test
@@ -149,3 +192,19 @@ jobs:
           fi
     env:
       CODEQL_ACTION_TEST_MODE: true
+  skip-with-checkout-path:
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - os: ubuntu-latest
+            version: linked
+    name: Use a custom `checkout_path`
+    needs:
+      - should-run-with-checkout-path
+    if: needs.should-run-with-checkout-path.outputs.run-check != 'true'
+    timeout-minutes: 5
+    runs-on: ubuntu-slim
+    steps:
+      - name: Success
+        run: exit 0

.github/workflows/debug-artifacts-failure-safe.yml

@@ -66,7 +66,6 @@ jobs:
         uses: ./../action/.github/actions/verify-debug-artifact-scan-completed
       - uses: ./../action/init
         with:
-          languages: cpp,csharp,go,java,javascript,python
           tools: ${{ steps.prepare-test.outputs.tools-url }}
           debug: true
           debug-artifact-name: my-debug-artifacts
@@ -90,7 +89,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Download all artifacts
-        uses: actions/download-artifact@v8
+        uses: actions/download-artifact@v7
       - name: Check expected artifacts exist
         run: |
           LANGUAGES="cpp csharp go java javascript python"

.github/workflows/debug-artifacts-safe.yml

@@ -83,7 +83,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Download all artifacts
-        uses: actions/download-artifact@v8
+        uses: actions/download-artifact@v7
       - name: Check expected artifacts exist
         run: |
           VERSIONS="stable-v2.20.3 default linked nightly-latest"

.github/workflows/deflake.yml

@@ -1,106 +0,0 @@
-# Workflow runs on main, on a release branch, and that were triggered as part of a merge group have
-# already passed CI before being merged. Therefore if they fail, we should make sure that there
-# wasn't a transient failure by rerunning the failed jobs once before investigating further.
-name: Deflake
-
-on:
-  workflow_run:
-    types: [completed]
-    # Exclude workflows that have significant side effects, like publishing releases. It's OK to
-    # retry CodeQL analysis.
-    workflows:
-      - Check Expected Release Files
-      - Code-Scanning config CLI tests
-      - CodeQL action
-      - Manual Check - go
-      - "PR Check - All-platform bundle"
-      - "PR Check - Analysis kinds"
-      - "PR Check - Analyze: 'ref' and 'sha' from inputs"
-      - "PR Check - autobuild-action"
-      - "PR Check - Autobuild direct tracing (custom working directory)"
-      - "PR Check - Autobuild working directory"
-      - "PR Check - Build mode autobuild"
-      - "PR Check - Build mode manual"
-      - "PR Check - Build mode none"
-      - "PR Check - Build mode rollback"
-      - "PR Check - Bundle: Caching checks"
-      - "PR Check - Bundle: From nightly"
-      - "PR Check - Bundle: From toolcache"
-      - "PR Check - Bundle: Zstandard checks"
-      - "PR Check - C/C\\+\\+: autoinstalling dependencies (Linux)"
-      - "PR Check - C/C\\+\\+: autoinstalling dependencies is skipped (macOS)"
-      - "PR Check - C/C\\+\\+: disabling autoinstalling dependencies (Linux)"
-      - "PR Check - Clean up database cluster directory"
-      - "PR Check - CodeQL Bundle All"
-      - "PR Check - Config export"
-      - "PR Check - Config input"
-      - "PR Check - Custom source root"
-      - "PR Check - Debug artifact upload"
-      - "PR Check - Debug artifacts after failure"
-      - "PR Check - Diagnostic export"
-      - "PR Check - Export file baseline information"
-      - "PR Check - Extractor ram and threads options test"
-      - "PR Check - Go: Custom queries"
-      - "PR Check - Go: diagnostic when Go is changed after init step"
-      - "PR Check - Go: diagnostic when `file` is not installed"
-      - "PR Check - Go: tracing with autobuilder step"
-      - "PR Check - Go: tracing with custom build steps"
-      - "PR Check - Go: tracing with legacy workflow"
-      - "PR Check - Go: workaround for indirect tracing"
-      - "PR Check - Job run UUID added to SARIF"
-      - "PR Check - Language aliases"
-      - "PR Check - Local CodeQL bundle"
-      - "PR Check - Multi-language repository"
-      - "PR Check - Overlay database init fallback"
-      - "PR Check - Packaging: Action input"
-      - "PR Check - Packaging: Config and input"
-      - "PR Check - Packaging: Config and input passed to the CLI"
-      - "PR Check - Packaging: Config file"
-      - "PR Check - Packaging: Download using registries"
-      - "PR Check - Proxy test"
-      - "PR Check - Remote config file"
-      - "PR Check - Resolve environment"
-      - "PR Check - RuboCop multi-language"
-      - "PR Check - Ruby analysis"
-      - "PR Check - Rust analysis"
-      - "PR Check - Split workflow"
-      - "PR Check - Start proxy"
-      - "PR Check - Submit SARIF after failure"
-      - "PR Check - Swift analysis using a custom build command"
-      - "PR Check - Swift analysis using autobuild"
-      - "PR Check - Test different uses of `upload-sarif`"
-      - "PR Check - Test unsetting environment variables"
-      - "PR Check - Upload-sarif: ref and sha from inputs"
-      - "PR Check - Use a custom `checkout_path`"
-      - PR Checks
-      - Query filters tests
-      - Test that the workaround for python 3.12 on windows works
-
-jobs:
-  rerun-on-failure:
-    name: Rerun failed jobs
-    if: >-
-      github.event.workflow_run.conclusion == 'failure' &&
-      github.event.workflow_run.run_attempt == 1 &&
-      (
-        github.event.workflow_run.head_branch == 'main' ||
-        startsWith(github.event.workflow_run.head_branch, 'releases/') ||
-        github.event.workflow_run.event == 'merge_group'
-      )
-    runs-on: ubuntu-slim
-    permissions:
-      actions: write
-    steps:
-      - name: Rerun failed jobs in ${{ github.event.workflow_run.name }}
-        env:
-          GH_TOKEN: ${{ github.token }}
-          GH_REPO: ${{ github.repository }}
-          RUN_ID: ${{ github.event.workflow_run.id }}
-          RUN_NAME: ${{ github.event.workflow_run.name }}
-          RUN_URL: ${{ github.event.workflow_run.html_url }}
-        run: |
-          echo "Rerunning failed jobs for workflow run ${RUN_ID}"
-          gh run rerun "${RUN_ID}" --failed
-          echo "### Reran failed jobs :recycle:" >> "$GITHUB_STEP_SUMMARY"
-          echo "" >> "$GITHUB_STEP_SUMMARY"
-          echo "Workflow: [${RUN_NAME}](${RUN_URL})" >> "$GITHUB_STEP_SUMMARY"

.github/workflows/post-release-mergeback.yml

@@ -24,7 +24,7 @@ defaults:
 
 jobs:
   merge-back:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-slim
     environment: Automation
     if: github.repository == 'github/codeql-action'
     env:
@@ -131,7 +131,7 @@ jobs:
           echo "::endgroup::"
 
       - name: Generate token
-        uses: actions/create-github-app-token@v3.1.1
+        uses: actions/create-github-app-token@v2.2.1
         id: app-token
         with:
           app-id: ${{ vars.AUTOMATION_APP_ID }}

.github/workflows/pr-checks.yml

@@ -52,10 +52,19 @@ jobs:
       - name: Verify compiled JS up to date
         run: .github/workflows/script/check-js.sh
 
+      - name: Verify PR checks up to date
+        if: always()
+        run: .github/workflows/script/verify-pr-checks.sh
+
       - name: Run unit tests
         if: always()
         run: npm test
 
+      - name: Run pr-checks tests
+        if: always()
+        working-directory: pr-checks
+        run: npm ci && npx tsx --test
+
       - name: Lint
         if: always() && matrix.os != 'windows-latest'
         run: npm run lint-ci
@@ -67,43 +76,6 @@ jobs:
           sarif_file: eslint.sarif
           category: eslint
 
-  # Verifying the PR checks are up-to-date requires Node 24. The PR checks are not dependent
-  # on the main codebase and therefore do not need to be run as part of the same matrix that
-  # we use for the `unit-tests` job.
-  verify-pr-checks:
-    name: Verify PR checks
-    if: github.triggering_actor != 'dependabot[bot]'
-    permissions:
-      contents: read
-    runs-on: ubuntu-slim
-    timeout-minutes: 10
-
-    steps:
-      - name: Prepare git (Windows)
-        if: runner.os == 'Windows'
-        run: git config --global core.autocrlf false
-
-      - name: Checkout repository
-        uses: actions/checkout@v6
-
-      - name: Set up Node.js
-        uses: actions/setup-node@v6
-        with:
-          node-version: 24
-          cache: 'npm'
-
-      - name: Install dependencies
-        run: npm ci
-
-      - name: Verify PR checks up to date
-        if: always()
-        run: .github/workflows/script/verify-pr-checks.sh
-
-      - name: Run pr-checks tests
-        if: always()
-        working-directory: pr-checks
-        run: npx tsx --test
-
   check-node-version:
     if: github.triggering_actor != 'dependabot[bot]'
     name: Check Action Node versions

.github/workflows/prepare-release.yml

@@ -29,7 +29,7 @@ defaults:
 jobs:
   prepare:
     name: "Prepare release"
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-slim
     if: github.repository == 'github/codeql-action'
 
     permissions:

.github/workflows/rebuild.yml

@@ -29,12 +29,6 @@ jobs:
           fetch-depth: 0
           ref: ${{ env.HEAD_REF }}
 
-      - name: Set up Node.js
-        uses: actions/setup-node@v6
-        with:
-          node-version: 24
-          cache: 'npm'
-
       - name: Remove label
         if: github.event_name == 'pull_request'
         env:
@@ -55,18 +49,9 @@ jobs:
           git fetch origin "$BASE_BRANCH"
 
           # Allow merge conflicts in `lib`, since rebuilding should resolve them.
-          git merge "origin/$BASE_BRANCH"
+          git merge "origin/$BASE_BRANCH" || echo "Merge conflicts detected, continuing."
           MERGE_RESULT=$?
 
-          if [ "$MERGE_RESULT" -eq 0 ]; then
-            echo "Merge succeeded cleanly."
-          elif [ "$MERGE_RESULT" -eq 1 ]; then
-            echo "Merge conflicts detected (exit code $MERGE_RESULT), continuing."
-          else
-            echo "git merge failed with unexpected exit code $MERGE_RESULT."
-            exit 1
-          fi
-
           if [ "$MERGE_RESULT" -ne 0 ]; then
             echo "merge-in-progress=true" >> $GITHUB_OUTPUT
 
@@ -94,7 +79,7 @@ jobs:
         working-directory: pr-checks
         run: |
           npm ci
-          npx tsx sync-back.ts --verbose
+          npx tsx sync_back.ts --verbose
 
       - name: Generate workflows
         working-directory: pr-checks
@@ -119,7 +104,7 @@ jobs:
             # Otherwise, just commit the changes.
             if git rev-parse --verify MERGE_HEAD >/dev/null 2>&1; then
               echo "In progress merge detected, finishing it up."
-              git commit --no-edit
+              git merge --continue --no-edit
             else
               echo "No in-progress merge detected, committing changes."
               git commit -m "Rebuild"

.github/workflows/rollback-release.yml

@@ -136,7 +136,7 @@ jobs:
 
       - name: Generate token
         if: github.event_name == 'workflow_dispatch'
-        uses: actions/create-github-app-token@v3.1.1
+        uses: actions/create-github-app-token@v2.2.1
         id: app-token
         with:
           app-id: ${{ vars.AUTOMATION_APP_ID }}

.github/workflows/script/update-required-checks.sh

@@ -0,0 +1,64 @@
+#!/usr/bin/env bash
+# Update the required checks based on the current branch.
+
+set -euo pipefail
+
+SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )"
+REPO_DIR="$(dirname "$SCRIPT_DIR")"
+GRANDPARENT_DIR="$(dirname "$REPO_DIR")"
+source "$GRANDPARENT_DIR/releases.ini"
+
+if ! gh auth status 2>/dev/null; then
+  gh auth status
+  echo "Failed: Not authorized. This script requires admin access to github/codeql-action through the gh CLI."
+  exit 1
+fi
+
+if [ "$#" -eq 1 ]; then
+  # If we were passed an argument, use that as the SHA
+  GITHUB_SHA="$1"
+elif [ "$#" -gt 1 ]; then
+  echo "Usage: $0 [SHA]"
+  echo "Update the required checks based on the SHA, or main."
+  exit 1
+elif [ -z "$GITHUB_SHA" ]; then
+  # If we don't have a SHA, use main
+  GITHUB_SHA="$(git rev-parse main)"
+fi
+
+echo "Getting checks for $GITHUB_SHA"
+
+# Ignore any checks with "https://", CodeQL, LGTM, Update, and ESLint checks.
+CHECKS="$(gh api repos/github/codeql-action/commits/"${GITHUB_SHA}"/check-runs --paginate | jq --slurp --compact-output --raw-output '[.[].check_runs.[] | select(.conclusion != "skipped") | .name | select(contains("https://") or . == "CodeQL" or . == "Dependabot" or . == "check-expected-release-files" or contains("Update") or contains("ESLint") or contains("update") or contains("test-setup-python-scripts") or . == "Agent" or . == "Cleanup artifacts" or . == "Prepare" or . == "Upload results" or . == "Label PR with size" | not)] | unique | sort')"
+
+echo "$CHECKS" | jq
+
+# Fail if there are no checks
+if [ -z "$CHECKS" ] || [ "$(echo "$CHECKS" | jq '. | length')" -eq 0 ]; then
+  echo "No checks found for $GITHUB_SHA"
+  exit 1
+fi
+
+echo "{\"contexts\": ${CHECKS}}" > checks.json
+
+echo "Updating main"
+gh api --silent -X "PATCH" "repos/github/codeql-action/branches/main/protection/required_status_checks" --input checks.json
+
+# list all branchs on origin remote matching releases/v*
+BRANCHES="$(git ls-remote --heads origin 'releases/v*' | sed 's?.*refs/heads/??' | sort -V)"
+
+for BRANCH in $BRANCHES; do
+
+  # strip exact 'releases/v' prefix from $BRANCH using count of characters
+  VERSION="${BRANCH:10}"
+
+  if [ "$VERSION" -lt "$OLDEST_SUPPORTED_MAJOR_VERSION" ]; then
+    echo "Skipping $BRANCH"
+    continue
+  fi
+
+  echo "Updating $BRANCH"
+  gh api --silent -X "PATCH" "repos/github/codeql-action/branches/$BRANCH/protection/required_status_checks" --input checks.json
+done
+
+rm checks.json

.github/workflows/update-bundle.yml

@@ -20,7 +20,7 @@ defaults:
 jobs:
   update-bundle:
     if: github.event.release.prerelease && startsWith(github.event.release.tag_name, 'codeql-bundle-')
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-slim
     permissions:
       contents: write # needed to push commits
       pull-requests: write # needed to create pull requests
@@ -57,17 +57,6 @@ jobs:
       - name: Update bundle
         uses: ./.github/actions/update-bundle
 
-      - name: Set up CodeQL CLI from new bundle
-        id: setup-codeql
-        uses: ./setup-codeql
-        with:
-          tools: https://github.com/github/codeql-action/releases/download/${{ github.event.release.tag_name }}/codeql-bundle-linux64.tar.gz
-
-      - name: Update built-in languages
-        run: npx tsx pr-checks/update-builtin-languages.ts "$CODEQL_PATH"
-        env:
-          CODEQL_PATH: ${{ steps.setup-codeql.outputs.codeql-path }}
-
       - name: Bump Action minor version if new CodeQL minor version series
         id: bump-action-version
         run: |

.github/workflows/update-release-branch.yml

@@ -26,7 +26,7 @@ jobs:
 
   update:
     timeout-minutes: 45
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-slim
     if: github.event_name == 'workflow_dispatch'
     needs: [prepare]
     env:
@@ -77,7 +77,7 @@ jobs:
 
   backport:
     timeout-minutes: 45
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-slim
     environment: Automation
     needs: [prepare]
     if: ${{ (github.event_name == 'push') && needs.prepare.outputs.backport_target_branches != '[]' }}
@@ -93,7 +93,7 @@ jobs:
       pull-requests: write # needed to create pull request
     steps:
     - name: Generate token
-      uses: actions/create-github-app-token@v3.1.1
+      uses: actions/create-github-app-token@v2.2.1
       id: app-token
       with:
         app-id: ${{ vars.AUTOMATION_APP_ID }}

.gitignore

@@ -11,5 +11,3 @@ build/
 eslint.sarif
 # for local incremental compilation
 tsconfig.tsbuildinfo
-# esbuild metadata file
-meta.json

.vscode/tests.code-snippets

@@ -1,30 +0,0 @@
-{
-  // Place your codeql-action workspace snippets here. Each snippet is defined under a snippet name and has a scope, prefix, body and
-  // description. Add comma separated ids of the languages where the snippet is applicable in the scope field. If scope
-  // is left empty or omitted, the snippet gets applied to all languages. The prefix is what is
-  // used to trigger the snippet and the body will be expanded and inserted. Possible variables are:
-  // $1, $2 for tab stops, $0 for the final cursor position, and ${1:label}, ${2:another} for placeholders.
-  // Placeholders with the same ids are connected.
-  // Example:
-  // "Print to console": {
-  // 	"scope": "javascript,typescript",
-  // 	"prefix": "log",
-  // 	"body": [
-  // 		"console.log('$1');",
-  // 		"$2"
-  // 	],
-  // 	"description": "Log output to console"
-  // }
-  "Test Macro": {
-    "scope": "javascript, typescript",
-    "prefix": "testMacro",
-    "body": [
-      "const ${1:nameMacro} = test.macro({",
-      "  exec: async (t: ExecutionContext<unknown>) => {},",
-      "",
-      "  title: (providedTitle = \"\") => `${2:common title} - \\${providedTitle}`,",
-      "});",
-    ],
-    "description": "An Ava test macro",
-  },
-}

CHANGELOG.md

@@ -6,59 +6,6 @@ See the [releases page](https://github.com/github/codeql-action/releases) for th
 
 No user facing changes.
 
-## 4.35.3 - 01 May 2026
-
-- _Upcoming breaking change_: Add a deprecation warning for customers using CodeQL version 2.19.3 and earlier. These versions of CodeQL were discontinued on 9 April 2026 alongside GitHub Enterprise Server 3.15, and will be unsupported by the next minor release of the CodeQL Action. [#3837](https://github.com/github/codeql-action/pull/3837)
-- Configurations for private registries that use Cloudsmith or GCP OIDC are now accepted. [#3850](https://github.com/github/codeql-action/pull/3850)
-- Best-effort connection tests for private registries now use `GET` requests instead of `HEAD` for better compatibility with various registry implementations. For NuGet feeds, the test is now always performed against the service index. [#3853](https://github.com/github/codeql-action/pull/3853)
-- Fixed a bug where two diagnostics produced within the same millisecond could overwrite each other on disk, causing one of them to be lost. [#3852](https://github.com/github/codeql-action/pull/3852)
-- Update default CodeQL bundle version to [2.25.3](https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.25.3). [#3865](https://github.com/github/codeql-action/pull/3865)
-
-## 4.35.2 - 15 Apr 2026
-
-- The undocumented TRAP cache cleanup feature that could be enabled using the `CODEQL_ACTION_CLEANUP_TRAP_CACHES` environment variable is deprecated and will be removed in May 2026. If you are affected by this, we recommend disabling TRAP caching by passing the `trap-caching: false` input to the `init` Action. [#3795](https://github.com/github/codeql-action/pull/3795)
-- The Git version 2.36.0 requirement for improved incremental analysis now only applies to repositories that contain submodules. [#3789](https://github.com/github/codeql-action/pull/3789)
-- Python analysis on GHES no longer extracts the standard library, relying instead on models of the standard library. This should result in significantly faster extraction and analysis times, while the effect on alerts should be minimal. [#3794](https://github.com/github/codeql-action/pull/3794)
-- Fixed a bug in the validation of OIDC configurations for private registries that was added in CodeQL Action 4.33.0 / 3.33.0. [#3807](https://github.com/github/codeql-action/pull/3807)
-- Update default CodeQL bundle version to [2.25.2](https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.25.2). [#3823](https://github.com/github/codeql-action/pull/3823)
-
-## 4.35.1 - 27 Mar 2026
-
-- Fix incorrect minimum required Git version for [improved incremental analysis](https://github.com/github/roadmap/issues/1158): it should have been 2.36.0, not 2.11.0. [#3781](https://github.com/github/codeql-action/pull/3781)
-
-## 4.35.0 - 27 Mar 2026
-
-- Reduced the minimum Git version required for [improved incremental analysis](https://github.com/github/roadmap/issues/1158) from 2.38.0 to 2.11.0. [#3767](https://github.com/github/codeql-action/pull/3767)
-- Update default CodeQL bundle version to [2.25.1](https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.25.1). [#3773](https://github.com/github/codeql-action/pull/3773)
-
-## 4.34.1 - 20 Mar 2026
-
-- Downgrade default CodeQL bundle version to [2.24.3](https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.24.3) due to issues with a small percentage of Actions and JavaScript analyses. [#3762](https://github.com/github/codeql-action/pull/3762)
-
-## 4.34.0 - 20 Mar 2026
-
-- Added an experimental change which disables TRAP caching when [improved incremental analysis](https://github.com/github/roadmap/issues/1158) is enabled, since improved incremental analysis supersedes TRAP caching. This will improve performance and reduce Actions cache usage. We expect to roll this change out to everyone in March. [#3569](https://github.com/github/codeql-action/pull/3569)
-- We are rolling out improved incremental analysis to C/C++ analyses that use build mode `none`. We expect this rollout to be complete by the end of April 2026. [#3584](https://github.com/github/codeql-action/pull/3584)
-- Update default CodeQL bundle version to [2.25.0](https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.25.0). [#3585](https://github.com/github/codeql-action/pull/3585)
-
-## 4.33.0 - 16 Mar 2026
-
-- Upcoming change: Starting April 2026, the CodeQL Action will skip collecting file coverage information on pull requests to improve analysis performance. File coverage information will still be computed on non-PR analyses. Pull request analyses will log a warning about this upcoming change. [#3562](https://github.com/github/codeql-action/pull/3562)
-
-  To opt out of this change:
-  - **Repositories owned by an organization:** Create a custom repository property with the name `github-codeql-file-coverage-on-prs` and the type "True/false", then set this property to `true` in the repository's settings. For more information, see [Managing custom properties for repositories in your organization](https://docs.github.com/en/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization). Alternatively, if you are using an advanced setup workflow, you can set the `CODEQL_ACTION_FILE_COVERAGE_ON_PRS` environment variable to `true` in your workflow.
-  - **User-owned repositories using default setup:** Switch to an advanced setup workflow and set the `CODEQL_ACTION_FILE_COVERAGE_ON_PRS` environment variable to `true` in your workflow.
-  - **User-owned repositories using advanced setup:** Set the `CODEQL_ACTION_FILE_COVERAGE_ON_PRS` environment variable to `true` in your workflow.
-- Fixed [a bug](https://github.com/github/codeql-action/issues/3555) which caused the CodeQL Action to fail loading repository properties if a "Multi select" repository property was configured for the repository. [#3557](https://github.com/github/codeql-action/pull/3557)
-- The CodeQL Action now loads [custom repository properties](https://docs.github.com/en/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization) on GitHub Enterprise Server, enabling the customization of features such as `github-codeql-disable-overlay` that was previously only available on GitHub.com. [#3559](https://github.com/github/codeql-action/pull/3559)
-- Once [private package registries](https://docs.github.com/en/code-security/how-tos/secure-at-scale/configure-organization-security/manage-usage-and-access/giving-org-access-private-registries) can be configured with OIDC-based authentication for organizations, the CodeQL Action will now be able to accept such configurations. [#3563](https://github.com/github/codeql-action/pull/3563)
-- Fixed the retry mechanism for database uploads. Previously this would fail with the error "Response body object should not be disturbed or locked". [#3564](https://github.com/github/codeql-action/pull/3564)
-- A warning is now emitted if the CodeQL Action detects a repository property whose name suggests that it relates to the CodeQL Action, but which is not one of the properties recognised by the current version of the CodeQL Action. [#3570](https://github.com/github/codeql-action/pull/3570)
-
-## 4.32.6 - 05 Mar 2026
-
-- Update default CodeQL bundle version to [2.24.3](https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.24.3). [#3548](https://github.com/github/codeql-action/pull/3548)
-
 ## 4.32.5 - 02 Mar 2026
 
 - Repositories owned by an organization can now set up the `github-codeql-disable-overlay` custom repository property to disable [improved incremental analysis for CodeQL](https://github.com/github/roadmap/issues/1158). First, create a custom repository property with the name `github-codeql-disable-overlay` and the type "True/false" in the organization's settings. Then in the repository's settings, set this property to `true` to disable improved incremental analysis. For more information, see [Managing custom properties for repositories in your organization](https://docs.github.com/en/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization). This feature is not yet available on GitHub Enterprise Server. [#3507](https://github.com/github/codeql-action/pull/3507)

CONTRIBUTING.md

@@ -69,14 +69,12 @@ Once the mergeback and backport pull request have been merged, the release is co
 
 ## Keeping the PR checks up to date (admin access required)
 
-Since the `codeql-action` runs most of its testing through individual Actions workflows, there are over two hundred required jobs that need to pass in order for a PR to turn green. It would be too tedious to maintain that list manually. You can regenerate the set of required checks automatically by running the [sync-checks.ts](pr-checks/sync-checks.ts) script:
+Since the `codeql-action` runs most of its testing through individual Actions workflows, there are over two hundred required jobs that need to pass in order for a PR to turn green. It would be too tedious to maintain that list manually. You can regenerate the set of required checks automatically by running the [update-required-checks.sh](.github/workflows/script/update-required-checks.sh) script:
 
-- At a minimum, you must provide an argument for the `--token` input. For example, `--token "$(gh auth token)"` to use the same token that `gh` uses. If no token is provided or the token has insufficient permissions, the script will fail.
-- By default, the script performs a dry run and outputs information about the changes it would make to the branch protection rules. To actually apply the changes, specify the `--apply` flag.
-- If you run the script without any other arguments, it will retrieve the set of workflows that ran for the latest commit on `main`.
-- You can specify a different git ref with the `--ref` input. You will likely want to use this if you have a PR that removes or adds PR checks. For example, `--ref "some/branch/name"` to use the HEAD of the `some/branch/name` branch.
+- If you run the script without an argument, it will retrieve the set of workflows that ran for the latest commit on `main`. Make sure that your local `main` branch is up to date before running the script.
+- You can specify a commit SHA as argument to retrieve the set of workflows for that commit instead. You will likely want to use this if you have a PR that removes or adds PR checks.
 
-After running, go to the [branch protection rules settings page](https://github.com/github/codeql-action/settings/branches) and validate that the rules for `main`, `v4`, and any other currently supported major versions have been updated.
+After running, go to the [branch protection rules settings page](https://github.com/github/codeql-action/settings/branches) and validate that the rules for `main`, `v3`, and any other currently supported major versions have been updated.
 
 Note that any updates to checks on `main` need to be backported to all currently supported major version branches, in order to maintain the same set of names for required checks.
 
@@ -124,7 +122,7 @@ To deprecate an older version of the Action:
    - Implement an Actions warning for customers using the deprecated version.
 1. Wait for the deprecation period to pass.
 1. Upgrade the Actions warning for customers using the deprecated version to a non-fatal error, and mention that this version of the Action is no longer supported.
-1. Make a PR to bump the `OLDEST_SUPPORTED_MAJOR_VERSION` in [config.ts](pr-checks/config.ts).  Once this PR is merged, the release process will no longer backport changes to the deprecated release version.
+1. Make a PR to bump the `OLDEST_SUPPORTED_MAJOR_VERSION` in [releases.ini](.github/releases.ini).  Once this PR is merged, the release process will no longer backport changes to the deprecated release version.
 
 ## Resources
 

README.md

@@ -72,7 +72,6 @@ We typically release new minor versions of the CodeQL Action and Bundle when a n
 
 | Minimum CodeQL Action | Minimum CodeQL Bundle Version | GitHub Environment | Notes |
 |-----------------------|-------------------------------|--------------------|-------|
-| `v4.33.0` | `2.24.3` | Enterprise Server 3.21 | |
 | `v4.31.10` | `2.23.9` | Enterprise Server 3.20 | |
 | `v3.29.11` | `2.22.4` | Enterprise Server 3.19 | |
 | `v3.28.21` | `2.21.3` | Enterprise Server 3.18 | |

ava.config.mjs

@@ -1,9 +0,0 @@
-export default {
-  typescript: {
-    rewritePaths: {
-      "src/": "build/",
-    },
-    compile: false,
-  },
-  require: ["./ava.setup.mjs"],
-};

ava.setup.mjs

@@ -1,3 +0,0 @@
-import pkg from "./package.json" with { type: "json" };
-
-globalThis.__CODEQL_ACTION_VERSION__ = pkg.version;

build.mjs

@@ -1,12 +1,10 @@
-import { copyFile, rm, writeFile } from "node:fs/promises";
+import { copyFile, rm } from "node:fs/promises";
 import { dirname, join } from "node:path";
 import { fileURLToPath } from "node:url";
 
 import * as esbuild from "esbuild";
 import { globSync } from "glob";
 
-import pkg from "./package.json" with { type: "json" };
-
 const __filename = fileURLToPath(import.meta.url);
 const __dirname = dirname(__filename);
 
@@ -15,7 +13,7 @@ const OUT_DIR = join(__dirname, "lib");
 
 /**
  * Clean the output directory before building.
- *
+ * 
  * @type {esbuild.Plugin}
  */
 const cleanPlugin = {
@@ -29,7 +27,7 @@ const cleanPlugin = {
 
 /**
  * Copy defaults.json to the output directory since other projects depend on it.
- *
+ * 
  * @type {esbuild.Plugin}
  */
 const copyDefaultsPlugin = {
@@ -64,24 +62,14 @@ const onEndPlugin = {
 
 const context = await esbuild.context({
   // Include upload-lib.ts as an entry point for use in testing environments.
-  entryPoints: globSync([
-    `${SRC_DIR}/*-action.ts`,
-    `${SRC_DIR}/*-action-post.ts`,
-    "src/upload-lib.ts",
-  ]),
+  entryPoints: globSync([`${SRC_DIR}/*-action.ts`, `${SRC_DIR}/*-action-post.ts`, "src/upload-lib.ts"]),
   bundle: true,
   format: "cjs",
   outdir: OUT_DIR,
   platform: "node",
   plugins: [cleanPlugin, copyDefaultsPlugin, onEndPlugin],
   target: ["node20"],
-  define: {
-    __CODEQL_ACTION_VERSION__: JSON.stringify(pkg.version),
-  },
-  metafile: true,
 });
 
-const result = await context.rebuild();
-await writeFile(join(__dirname, "meta.json"), JSON.stringify(result.metafile));
-
+await context.rebuild();
 await context.dispose();

eslint.config.mjs

@@ -7,11 +7,7 @@ import noAsyncForeach from "eslint-plugin-no-async-foreach";
 import jsdoc from "eslint-plugin-jsdoc";
 import tseslint from "typescript-eslint";
 import globals from "globals";
-import path from "path";
-import { fileURLToPath } from "url";
 
-const __filename = fileURLToPath(import.meta.url);
-const __dirname = path.dirname(__filename);
 const githubFlatConfigs = github.getFlatConfigs();
 
 export default [
@@ -23,10 +19,9 @@ export default [
       "src/testdata/**/*",
       "tests/**/*",
       "build.mjs",
-      "ava.config.mjs",
-      "ava.setup.mjs",
       "eslint.config.mjs",
       ".github/**/*",
+      "pr-checks/**/*",
     ],
   },
   // eslint recommended config
@@ -47,7 +42,7 @@ export default [
     plugins: {
       "import-x": importX,
       "no-async-foreach": fixupPluginRules(noAsyncForeach),
-      jsdoc: jsdoc,
+      "jsdoc": jsdoc,
     },
 
     languageOptions: {
@@ -71,13 +66,7 @@ export default [
 
         typescript: {},
       },
-      "import/ignore": [
-        "sinon",
-        "uuid",
-        "@octokit/plugin-retry",
-        "del",
-        "get-folder-size",
-      ],
+      "import/ignore": ["sinon", "uuid", "@octokit/plugin-retry", "del", "get-folder-size"],
       "import-x/resolver-next": [
         createTypeScriptImportResolver(),
         createNodeResolver({
@@ -153,7 +142,7 @@ export default [
           // We don't currently require full JSDoc coverage, so this rule
           // should not error on missing @param annotations.
           disableMissingParamChecks: true,
-        },
+        }
       ],
     },
   },
@@ -172,41 +161,10 @@ export default [
       "@typescript-eslint/no-unused-vars": [
         "error",
         {
-          args: "all",
-          argsIgnorePattern: "^_",
-        },
+          "argsIgnorePattern": "^_",
+        }
       ],
       "func-style": "off",
     },
   },
-  {
-    files: ["pr-checks/**/*.ts"],
-
-    languageOptions: {
-      parserOptions: {
-        // Use the correct `tsconfig.json` for `pr-checks`.
-        project: "./pr-checks/tsconfig.json",
-      },
-    },
-
-    rules: {
-      // The scripts in `pr-checks` are expected to output to the console.
-      "no-console": "off",
-
-      "import/no-extraneous-dependencies": [
-        "error",
-        { packageDir: [__dirname, path.resolve(__dirname, "pr-checks")] },
-      ],
-
-      "@typescript-eslint/no-floating-promises": [
-        "error",
-        {
-          allowForKnownSafeCalls: [
-            // Avoid needing explicit `void` in front of `describe` calls in test files.
-            { from: "package", name: ["describe"], package: "node:test" },
-          ],
-        },
-      ],
-    },
-  },
 ];

lib/defaults.json

@@ -1,6 +1,6 @@
 {
-  "bundleVersion": "codeql-bundle-v2.25.3",
-  "cliVersion": "2.25.3",
-  "priorBundleVersion": "codeql-bundle-v2.25.2",
-  "priorCliVersion": "2.25.2"
+  "bundleVersion": "codeql-bundle-v2.24.2",
+  "cliVersion": "2.24.2",
+  "priorBundleVersion": "codeql-bundle-v2.24.1",
+  "priorCliVersion": "2.24.1"
 }

package.json

@@ -1,23 +1,28 @@
 {
   "name": "codeql",
-  "version": "4.35.4",
+  "version": "4.32.6",
   "private": true,
   "description": "CodeQL action",
   "scripts": {
     "_build_comment": "echo 'Run the full build so we typecheck the project and can reuse the transpiled files in npm test'",
-    "build": "./scripts/check-node-modules.sh && npm run transpile && node build.mjs && npx tsx ./pr-checks/bundle-metadata.ts",
+    "build": "./scripts/check-node-modules.sh && npm run transpile && node build.mjs",
     "lint": "eslint --report-unused-disable-directives --max-warnings=0 .",
     "lint-ci": "SARIF_ESLINT_IGNORE_SUPPRESSED=true eslint --report-unused-disable-directives --max-warnings=0 . --format @microsoft/eslint-formatter-sarif --output-file=eslint.sarif",
     "lint-fix": "eslint --report-unused-disable-directives --max-warnings=0 . --fix",
     "ava": "npm run transpile && ava --verbose",
     "test": "npm run ava -- src/",
     "test-debug": "npm run test -- --timeout=20m",
-    "transpile": "tsc --build --verbose tsconfig.json"
+    "transpile": "tsc --build --verbose"
+  },
+  "ava": {
+    "typescript": {
+      "rewritePaths": {
+        "src/": "build/"
+      },
+      "compile": false
+    }
   },
   "license": "MIT",
-  "workspaces": [
-    "pr-checks"
-  ],
   "dependencies": {
     "@actions/artifact": "^5.0.3",
     "@actions/artifact-legacy": "npm:@actions/artifact@^1.1.2",
@@ -29,22 +34,23 @@
     "@actions/http-client": "^3.0.0",
     "@actions/io": "^2.0.0",
     "@actions/tool-cache": "^3.0.1",
-    "@octokit/plugin-retry": "^8.1.0",
+    "@octokit/plugin-retry": "^8.0.0",
+    "@schemastore/package": "0.0.10",
     "archiver": "^7.0.1",
     "fast-deep-equal": "^3.1.3",
-    "follow-redirects": "^1.16.0",
+    "follow-redirects": "^1.15.11",
     "get-folder-size": "^5.0.0",
     "https-proxy-agent": "^7.0.6",
     "js-yaml": "^4.1.1",
-    "jsonschema": "1.5.0",
+    "jsonschema": "1.4.1",
     "long": "^5.3.2",
-    "node-forge": "^1.4.0",
+    "node-forge": "^1.3.3",
     "semver": "^7.7.4",
-    "uuid": "^14.0.0"
+    "uuid": "^13.0.0"
   },
   "devDependencies": {
-    "@ava/typescript": "7.0.0",
-    "@eslint/compat": "^2.0.5",
+    "@ava/typescript": "6.0.0",
+    "@eslint/compat": "^2.0.2",
     "@microsoft/eslint-formatter-sarif": "^3.1.0",
     "@octokit/types": "^16.0.0",
     "@types/archiver": "^7.0.0",
@@ -54,21 +60,21 @@
     "@types/node-forge": "^1.3.14",
     "@types/sarif": "^2.1.7",
     "@types/semver": "^7.7.1",
-    "@types/sinon": "^21.0.1",
-    "ava": "^7.0.0",
-    "esbuild": "^0.28.0",
+    "@types/sinon": "^21.0.0",
+    "ava": "^6.4.1",
+    "esbuild": "^0.27.3",
     "eslint": "^9.39.2",
-    "eslint-import-resolver-typescript": "^4.4.4",
+    "eslint-import-resolver-typescript": "^3.8.7",
     "eslint-plugin-github": "^6.0.0",
-    "eslint-plugin-import-x": "^4.16.2",
-    "eslint-plugin-jsdoc": "^62.9.0",
+    "eslint-plugin-import-x": "^4.16.1",
+    "eslint-plugin-jsdoc": "^62.6.0",
     "eslint-plugin-no-async-foreach": "^0.1.1",
     "glob": "^11.1.0",
-    "globals": "^17.5.0",
-    "nock": "^14.0.12",
-    "sinon": "^21.1.2",
-    "typescript": "^6.0.2",
-    "typescript-eslint": "^8.58.2"
+    "globals": "^17.3.0",
+    "nock": "^14.0.11",
+    "sinon": "^21.0.1",
+    "typescript": "^5.9.3",
+    "typescript-eslint": "^8.56.0"
   },
   "overrides": {
     "@actions/tool-cache": {
@@ -90,7 +96,6 @@
       "semver": ">=6.3.1"
     },
     "brace-expansion@2.0.1": "2.0.2",
-    "glob": "^11.1.0",
-    "undici": "^6.24.0"
+    "glob": "^11.1.0"
   }
 }

pr-checks/api-client.ts

@@ -1,13 +0,0 @@
-import * as githubUtils from "@actions/github/lib/utils";
-import { type Octokit } from "@octokit/core";
-import { type PaginateInterface } from "@octokit/plugin-paginate-rest";
-import { type Api } from "@octokit/plugin-rest-endpoint-methods";
-
-/** The type of the Octokit client. */
-export type ApiClient = Octokit & Api & { paginate: PaginateInterface };
-
-/** Constructs an `ApiClient` using `token` for authentication. */
-export function getApiClient(token: string): ApiClient {
-  const opts = githubUtils.getOctokitOptions(token);
-  return new githubUtils.GitHub(opts);
-}

pr-checks/bundle-metadata.ts

@@ -1,48 +0,0 @@
-#!/usr/bin/env npx tsx
-
-import * as fs from "node:fs/promises";
-
-import { BUNDLE_METADATA_FILE } from "./config";
-
-interface InputInfo {
-  bytesInOutput: number;
-}
-
-type Inputs = Record<string, InputInfo>;
-
-interface Output {
-  bytes: number;
-  inputs: Inputs;
-}
-
-interface Metadata {
-  outputs: Record<string, Output>;
-}
-
-function toMB(bytes: number): string {
-  return `${(bytes / (1024 * 1024)).toFixed(2)}MB`;
-}
-
-async function main() {
-  const fileContents = await fs.readFile(BUNDLE_METADATA_FILE);
-  const metadata = JSON.parse(String(fileContents)) as Metadata;
-
-  for (const [outputFile, outputData] of Object.entries(
-    metadata.outputs,
-  ).reverse()) {
-    console.info(`${outputFile}: ${toMB(outputData.bytes)}`);
-
-    for (const [inputName, inputData] of Object.entries(outputData.inputs)) {
-      // Ignore any inputs that make up less than 5% of the output.
-      const percentage = (inputData.bytesInOutput / outputData.bytes) * 100.0;
-      if (percentage < 5.0) continue;
-
-      console.info(`  ${inputName}: ${toMB(inputData.bytesInOutput)}`);
-    }
-  }
-}
-
-// Only call `main` if this script was run directly.
-if (require.main === module) {
-  void main();
-}