Default to StartProxyRemoveUnusedRegistries behaviour

2026-05-24 08:08:36 +00:00 · 2026-05-18 16:17:15 +01:00
30 changed files with 94146 additions and 1215 deletions
@@ -41,38 +41,7 @@ runs:
        git add .
        git commit -m "Update changelog and version after ${VERSION}"

-    # Update the build artifacts with the new version number
-    - name: Rebuild the Action
-      shell: bash
-      run: |
-        set -exu
-        npm ci
-        npm run build
-
-    - name: Check for rebuild changes
-      id: rebuild_changes
-      shell: bash
-      run: |
-        set -exu
-        git add --all
-        if git diff --cached --quiet; then
-          echo "has_changes=false" >> "${GITHUB_OUTPUT}"
-        else
-          echo "has_changes=true" >> "${GITHUB_OUTPUT}"
-        fi
-
-    - name: Commit rebuild
-      if: steps.rebuild_changes.outputs.has_changes == 'true'
-      shell: bash
-      run: |
-        set -exu
-        git commit -m "Rebuild"
-
-    - name: Push mergeback branch
-      shell: bash
-      env:
-        NEW_BRANCH: "${{ inputs.branch }}"
-      run: git push origin "${NEW_BRANCH}"
+        git push origin "${NEW_BRANCH}"

    - name: Create PR
      shell: bash
@@ -91,6 +60,8 @@ runs:

          Please do the following:

+          - [ ] Remove and re-add the "Rebuild" label to the PR to trigger just this workflow.
+          - [ ] Wait for the "Rebuild" workflow to push a commit updating the distribution files.
          - [ ] Mark the PR as ready for review to trigger the full set of PR checks.
          - [ ] Approve and merge the PR. When merging the PR, make sure "Create a merge commit" is
                selected rather than "Squash and merge" or "Rebase and merge".
@@ -103,6 +74,7 @@ runs:
          --head "${NEW_BRANCH}" \
          --base "${BASE_BRANCH}" \
          --title "${pr_title}" \
+          --label "Rebuild" \
          --body "${pr_body}" \
          --assignee "${GITHUB_ACTOR}" \
          --draft
@@ -18,7 +18,7 @@ runs:
    - name: Set up Node
      uses: actions/setup-node@v6
      with:
-        node-version: 24
+        node-version: 20
        cache: 'npm'

    - name: Set up Python
@@ -19,10 +19,6 @@ No user facing changes.
 # Changing it requires a transition period where both old and new versions are supported.
 BACKPORT_COMMIT_MESSAGE = 'Update version and changelog for v'

-# Commit message used for rebuild commits, both those produced by this script and those produced
-# by the `Rebuild Action` workflow (`.github/workflows/rebuild.yml`).
-REBUILD_COMMIT_MESSAGE = 'Rebuild'
-
 # Name of the remote
 ORIGIN = 'origin'

@@ -47,28 +43,6 @@ def run_git(*args, allow_non_zero_exit_code=False):
    raise Exception(f'Call to {" ".join(cmd)} exited with code {p.returncode} stderr: {p.stderr.decode("ascii")}.')
  return p.stdout.decode('ascii')

-# Runs the given command, streaming output to the console.
-# Raises an error if the command does not exit successfully.
-def run_command(*args):
-  cmd = list(args)
-  print(f'Running `{" ".join(cmd)}`.')
-  subprocess.run(cmd, check=True)
-
-# Rebuilds the action and commits any changes.
-def rebuild_action():
-  # For backports, the only source-level change vs the source branch is the new version number,
-  # so we just need to refresh the version embedded in `lib/`.
-  run_command('npm', 'ci')
-  run_command('npm', 'run', 'build')
-
-  run_git('add', '--all')
-  # `git diff --cached --quiet` exits 0 if there are no staged changes, 1 if there are.
-  if subprocess.run(['git', 'diff', '--cached', '--quiet']).returncode == 0:
-    print('Rebuild produced no changes; skipping Rebuild commit.')
-  else:
-    run_git('commit', '-m', REBUILD_COMMIT_MESSAGE)
-    print('Created Rebuild commit.')
-
 # Returns true if the given branch exists on the origin remote
 def branch_exists_on_remote(branch_name):
  return run_git('ls-remote', '--heads', ORIGIN, branch_name).strip() != ''
@@ -124,11 +98,9 @@ def open_pr(
  body.append('Please do the following:')
  if len(conflicted_files) > 0:
    body.append(' - [ ] Ensure `package.json` file contains the correct version.')
-    body.append(' - [ ] Add a commit to this branch to resolve the merge conflicts ' +
+    body.append(' - [ ] Add commits to this branch to resolve the merge conflicts ' +
      'in the following files:')
-    body.extend([f'    - `{file}`' for file in conflicted_files])
-    body.append(' - [ ] Rebuild the Action locally (`npm run build`) and push any changes to the ' +
-      f'built output in `lib` as a separate commit named exactly `{REBUILD_COMMIT_MESSAGE}`.')
+    body.extend([f'    - [ ] `{file}`' for file in conflicted_files])
    body.append(' - [ ] Ensure another maintainer has reviewed the additional commits you added to this ' +
      'branch to resolve the merge conflicts.')
  body.append(' - [ ] Ensure the CHANGELOG displays the correct version and date.')
@@ -136,6 +108,10 @@ def open_pr(
  body.append(f' - [ ] Check that there are not any unexpected commits being merged into the `{target_branch}` branch.')
  body.append(' - [ ] Ensure the docs team is aware of any documentation changes that need to be released.')

+  if not is_primary_release:
+    body.append(' - [ ] Remove and re-add the "Rebuild" label to the PR to trigger just this workflow.')
+    body.append(' - [ ] Wait for the "Rebuild" workflow to push a commit updating the distribution files.')
+
  body.append(' - [ ] Mark the PR as ready for review to trigger the full set of PR checks.')
  body.append(' - [ ] Approve and merge this PR. Make sure `Create a merge commit` is selected rather than `Squash and merge` or `Rebase and merge`.')

@@ -144,11 +120,13 @@ def open_pr(
    body.append(' - [ ] Merge all backport PRs to older release branches, that will automatically be created once this PR is merged.')

  title = f'Merge {source_branch} into {target_branch}'
+  labels = ['Rebuild'] if not is_primary_release else []

  # Create the pull request
  # PR checks won't be triggered on PRs created by Actions. Therefore mark the PR as draft so that
  # a maintainer can take the PR out of draft, thereby triggering the PR checks.
  pr = repo.create_pull(title=title, body='\n'.join(body), head=new_branch_name, base=target_branch, draft=True)
+  pr.add_to_labels(*labels)
  print(f'Created PR #{str(pr.number)}')

  # Assign the conductor
@@ -407,9 +385,8 @@ def main():
      # releases.
      run_git('revert', vOlder_update_commits[0], '--no-edit')

-      # Also revert the "Rebuild" commit, whether created by this script or by the
-      # `Rebuild Action` workflow.
-      rebuild_commit = run_git('log', '--grep', f'^{REBUILD_COMMIT_MESSAGE}$', '--format=%H').split()[0]
+      # Also revert the "Rebuild" commit created by Actions.
+      rebuild_commit = run_git('log', '--grep', '^Rebuild$', '--format=%H').split()[0]
      print(f'  Reverting {rebuild_commit}')
      run_git('revert', rebuild_commit, '--no-edit')

@@ -424,10 +401,9 @@ def main():
      run_git('add', '.')
      run_git('commit', '--no-edit')

-    # Migrate the package version number from a vLatest version number to a vOlder version number.
-    # `package-lock.json` is updated as part of the subsequent rebuild step (see `rebuild_action`).
+    # Migrate the package version number from a vLatest version number to a vOlder version number
    print(f'Setting version number to {version} in package.json')
-    replace_version_package_json(get_current_version(), version)
+    replace_version_package_json(get_current_version(), version) # We rely on the `Rebuild` workflow to update package-lock.json
    run_git('add', 'package.json')

    # Migrate the changelog notes from vLatest version numbers to vOlder version numbers
@@ -450,13 +426,6 @@ def main():
    run_git('add', 'CHANGELOG.md')
    run_git('commit', '-m', f'Update changelog for v{version}')

-  if not is_primary_release:
-    if len(conflicted_files) == 0:
-      print('Rebuilding the Action.')
-      rebuild_action()
-    else:
-      print(f'Skipping automatic rebuild because the merge produced conflicts in {conflicted_files}.')
-
  run_git('push', ORIGIN, new_branch_name)

  # Open a PR to update the branch
@@ -9,10 +9,6 @@ on:
    # by other workflows.
    types: [opened, synchronize, reopened, ready_for_review]

-concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: ${{ github.workflow }}-${{ github.ref }}
-
 defaults:
  run:
    shell: bash
@@ -24,10 +24,6 @@ on:
    - cron: '0 5 * * *'
  workflow_dispatch:

-concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: ${{ github.workflow }}-${{ github.ref }}
-
 defaults:
  run:
    shell: bash
@@ -20,10 +20,6 @@ on:
    - cron: '0 5 * * *'
  workflow_dispatch:

-concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: ${{ github.workflow }}-${{ github.ref }}
-
 defaults:
  run:
    shell: bash
@@ -19,10 +19,6 @@ on:
    - cron: '0 5 * * *'
  workflow_dispatch:

-concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: ${{ github.workflow }}-${{ github.ref }}
-
 defaults:
  run:
    shell: bash
@@ -48,9 +48,6 @@ jobs:
        with:
          fetch-depth: 0  # ensure we have all tags and can push commits
      - uses: actions/setup-node@v6
-        with:
-          node-version: 24
-          cache: 'npm'
      - uses: actions/setup-python@v6
        with:
          python-version: '3.12'
@@ -10,10 +10,6 @@ on:
    types: [checks_requested]
  workflow_dispatch:

-concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: ${{ github.workflow }}-${{ github.ref }}
-
 defaults:
  run:
    shell: bash
@@ -33,10 +29,6 @@ jobs:
    runs-on: ${{ matrix.os }}
    timeout-minutes: 45

-    concurrency:
-      cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-      group: pr-checks-unit-tests-${{ github.ref }}-${{ github.event_name }}-${{ matrix.os }}-node${{ matrix['node-version'] }}
-
    steps:
      - name: Prepare git (Windows)
        if: runner.os == 'Windows'
@@ -75,21 +67,22 @@ jobs:
          sarif_file: eslint.sarif
          category: eslint

-  # These checks do not need to be run as part of the same matrix that we use for the `unit-tests`
-  # job.
-  other-checks:
-    name: Other checks
+  # Verifying the PR checks are up-to-date requires Node 24. The PR checks are not dependent
+  # on the main codebase and therefore do not need to be run as part of the same matrix that
+  # we use for the `unit-tests` job.
+  verify-pr-checks:
+    name: Verify PR checks
    if: github.triggering_actor != 'dependabot[bot]'
    permissions:
      contents: read
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-slim
    timeout-minutes: 10

-    concurrency:
-      cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-      group: pr-checks-pr-checks-${{ github.ref }}-${{ github.event_name }}
-
    steps:
+      - name: Prepare git (Windows)
+        if: runner.os == 'Windows'
+        run: git config --global core.autocrlf false
+
      - name: Checkout repository
        uses: actions/checkout@v6

@@ -100,22 +93,34 @@ jobs:
          cache: 'npm'

      - name: Install dependencies
-        id: install-deps
        run: npm ci

      - name: Verify PR checks up to date
-        if: ${{ !cancelled() && steps.install-deps.outcome == 'success' }}
+        if: always()
        run: .github/workflows/script/verify-pr-checks.sh

      - name: Run pr-checks tests
-        if: ${{ !cancelled() && steps.install-deps.outcome == 'success' }}
+        if: always()
        working-directory: pr-checks
        run: npx tsx --test

-      - name: Verify all Actions use the same Node version
-        id: head-version
+  check-node-version:
+    if: github.triggering_actor != 'dependabot[bot]'
+    name: Check Action Node versions
+    runs-on: ubuntu-latest
+    timeout-minutes: 45
+    env:
+      BASE_REF: ${{ github.base_ref }}
+
+    permissions:
+      contents: read
+
+    steps:
+      - uses: actions/checkout@v6
+      - id: head-version
+        name: Verify all Actions use the same Node version
        run: |
-          NODE_VERSION=$(find . -path "*/node_modules" -prune -o -name "action.yml" -exec yq -o=json '.runs.using' {} \; | jq -rs '[.[] | select(. != null and startswith("node"))] | unique | .[]')
+          NODE_VERSION=$(find . -name "action.yml" -exec yq -e '.runs.using' {} \; | grep node | sort | uniq)
          echo "NODE_VERSION: ${NODE_VERSION}"
          if [[ $(echo "$NODE_VERSION" | wc -l) -gt 1 ]]; then
            echo "::error::More than one node version used in 'action.yml' files."
@@ -123,111 +128,22 @@ jobs:
          fi
          echo "node_version=${NODE_VERSION}" >> $GITHUB_OUTPUT

-      - name: Fetch base commit
-        id: fetch-base
-        # Forks and Dependabot PRs don't have permission to write comments, so skip the repo size
-        # check in those cases.
-        if: >-
-          github.event_name == 'pull_request' &&
-          github.event.pull_request.head.repo.full_name == github.repository &&
-          github.event.pull_request.user.login != 'dependabot[bot]'
-        env:
-          BASE_SHA: ${{ github.event.pull_request.base.sha }}
-          HEAD_SHA: ${{ github.event.pull_request.head.sha }}
-          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        run: |
-          # Compare against the merge base so the size delta reflects only the commits actually
-          # added by this PR, ignoring any changes that have landed on the base branch since the
-          # PR branched off.
-          merge_base=$(gh api "repos/$GITHUB_REPOSITORY/compare/$BASE_SHA...$HEAD_SHA" --jq '.merge_base_commit.sha')
-          echo "merge_base=$merge_base" >> "$GITHUB_OUTPUT"
-          git fetch --no-tags --depth=1 origin "$merge_base" "$HEAD_SHA"
-
-      - name: Check repo size
-        if: steps.fetch-base.outcome == 'success'
-        working-directory: pr-checks
-        env:
-          BASE_REF: ${{ github.event.pull_request.base.ref }}
-          BASE_SHA: ${{ steps.fetch-base.outputs.merge_base }}
-          HEAD_SHA: ${{ github.event.pull_request.head.sha }}
-          RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
-        run: npx tsx check-repo-size.ts --output-dir "$RUNNER_TEMP/repo-size"
-
-      - name: Upload repo size comment
-        if: steps.fetch-base.outcome == 'success'
-        uses: actions/upload-artifact@v7
-        with:
-          name: repo-size-comment
-          path: ${{ runner.temp }}/repo-size/
-          if-no-files-found: error
-
-      - name: 'Backport: Check out base ref'
-        id: checkout-base
+      - id: checkout-base
+        name: 'Backport: Check out base ref'
        if: ${{ startsWith(github.head_ref, 'backport-') }}
        uses: actions/checkout@v6
        with:
-          ref: ${{ github.base_ref }}
+          ref: ${{ env.BASE_REF }}

      - name: 'Backport: Verify Node versions unchanged'
        if: steps.checkout-base.outcome == 'success'
        env:
          HEAD_VERSION: ${{ steps.head-version.outputs.node_version }}
        run: |
-          BASE_VERSION=$(find . -path "*/node_modules" -prune -o -name "action.yml" -exec yq -o=json '.runs.using' {} \; | jq -rs '[.[] | select(. != null and startswith("node"))] | unique | .[]')
+          BASE_VERSION=$(find . -name "action.yml" -exec yq -e '.runs.using' {} \; | grep node | sort | uniq)
          echo "HEAD_VERSION: ${HEAD_VERSION}"
          echo "BASE_VERSION: ${BASE_VERSION}"
          if [[ "$BASE_VERSION" != "$HEAD_VERSION" ]]; then
            echo "::error::Cannot change the Node version of an Action in a backport PR."
            exit 1
          fi
-
-  post-repo-size-comment:
-    name: Post repo size comment
-    needs: other-checks
-    # Keep write permissions isolated from the job that checks out and tests PR code. This job only
-    # posts the candidate comment body produced by the read-only `pr-checks` job.
-    if: >-
-      github.event_name == 'pull_request' &&
-      github.event.pull_request.head.repo.full_name == github.repository &&
-      github.event.pull_request.user.login != 'dependabot[bot]' &&
-      needs.other-checks.result == 'success'
-    permissions:
-      contents: read
-      pull-requests: write
-    runs-on: ubuntu-slim
-    timeout-minutes: 10
-
-    concurrency:
-      cancel-in-progress: true
-      group: check-repo-size-${{ github.event.pull_request.number }}
-
-    steps:
-      - name: Download repo size comment
-        uses: actions/download-artifact@v8
-        with:
-          name: repo-size-comment
-          path: repo-size-comment
-
-      - name: Post repo size comment
-        env:
-          COMMENT_MARKER: "<!-- repo-size-diff-bot -->"
-          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          PR_NUMBER: ${{ github.event.pull_request.number }}
-        run: |
-          significant=$(jq -r '.significant' repo-size-comment/metadata.json)
-          comment_id=$(
-            gh api "repos/$GITHUB_REPOSITORY/issues/$PR_NUMBER/comments" \
-              --paginate \
-              --jq ".[] | select(.body | contains(\"$COMMENT_MARKER\")) | .id" \
-              | head -n 1
-          )
-
-          if [[ -n "$comment_id" ]]; then
-            echo "Updating existing comment $comment_id."
-            gh api --method PATCH "repos/$GITHUB_REPOSITORY/issues/comments/$comment_id" --field body=@repo-size-comment/body.md
-          elif [[ "$significant" == "true" ]]; then
-            echo "Creating new repo size comment."
-            gh api --method POST "repos/$GITHUB_REPOSITORY/issues/$PR_NUMBER/comments" --field body=@repo-size-comment/body.md
-          else
-            echo "Skipping repo size comment because the delta is below the threshold and no sticky comment exists."
-          fi
@@ -14,10 +14,6 @@ on:
    - cron: '0 0 * * 1'
  workflow_dispatch:

-concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: ${{ github.workflow }}-${{ github.ref }}
-
 defaults:
  run:
    shell: bash
@@ -17,10 +17,6 @@ on:
    - cron: '0 5 * * *'
  workflow_dispatch:

-concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: ${{ github.workflow }}-${{ github.ref }}
-
 defaults:
  run:
    shell: bash
@@ -18,11 +18,6 @@ on:
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
-
-concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: ${{ github.workflow }}-${{ github.ref }}
-
 defaults:
  run:
    shell: bash
@@ -65,22 +65,12 @@ const onEndPlugin = {
 /** The name of the virtual `entry-points` module. */
 const SHARED_ENTRYPOINT = "entry-points";

-/** The property name under which `upload-lib`'s namespace is exposed in `entry-points`. */
-const UPLOAD_LIB_EXPORT = "uploadLib";
-
-/** The relative source path of the `upload-lib` module that we re-export from `entry-points`. */
-const UPLOAD_LIB_SRC = "./src/upload-lib";
-
 /**
- * This plugin finds all source files that contain Action entry points. It then generates the
- * virtual `entry-points` module which imports all identified files, and re-exports their
- * `runWrapper` functions with suitable aliases.
- *
- * The virtual module additionally re-exports `upload-lib` under the `uploadLib` namespace so that
- * external consumers can access it via the small `lib/upload-lib.js` stub emitted below.
- * 
- * A tiny stub file is emitted for each Action entrypoint, and one for `upload-lib`. Each stub
- * imports the shared bundle and calls/re-exports from the respective entry point.
+ * This plugin finds all source files that contain Action entry points.
+ * It then generates the virtual `entry-points` module which imports all identified files,
+ * and re-exports their `runWrapper` functions with suitable aliases.
+ * A tiny stub file is emitted for each Action entrypoint. Each stub imports the shared bundle
+ * and calls the respective entry point.
 *
 * @type {esbuild.Plugin}
 */
@@ -146,28 +136,21 @@ const entryPointsPlugin = {
        )
        .join("\n\n");

-      // Also re-export the `upload-lib` namespace so that external consumers can reach it
-      // via the `lib/upload-lib.js` stub without us having to bundle a second copy.
-      const uploadLibReExport = `export * as ${UPLOAD_LIB_EXPORT} from "${UPLOAD_LIB_SRC}";`;
-
      return {
-        contents: `"use strict";\n${imports}\n\n${uploadLibReExport}\n\n${wrappers}\n`,
+        contents: `"use strict";\n${imports}\n\n${wrappers}\n`,
        resolveDir: ".",
        loader: "ts",
      };
    });

    // Emit entry point stubs for each Action using the entry template.
-    build.onEnd(async () => {
-      const makeHeader = (templatePath, sourceFile) =>
-        `// Automatically generated from '${templatePath}' for 'src/${basename(sourceFile)}'.\n\n`;
-
+    build.onEnd(async (result) => {
      // Read the entry point template.
-      const actionTemplatePath = "action-entry.js.tpl";
-      const actionTemplate = await readFile(
-        join(SRC_DIR, actionTemplatePath),
-        "utf-8",
-      );
+      const templatePath = "action-entry.js.tpl";
+      const template = await readFile(join(SRC_DIR, templatePath), "utf-8");
+
+      const makeHeader = (sourceFile) =>
+        `// Automatically generated from '${templatePath}' for 'src/${basename(sourceFile)}'.\n\n`;

      // Write entry point stubs for each Action.
      for (const action of actions) {
@@ -176,33 +159,20 @@ const entryPointsPlugin = {
            OUT_DIR,
            `${action.name}${action.isPost ? "-post" : ""}-entry.js`,
          ),
-          makeHeader(actionTemplatePath, action.path) +
-            actionTemplate.replaceAll("__ACTION__", action.pascalCaseName),
+          makeHeader(action.path) +
+            template.replaceAll("__ACTION__", action.pascalCaseName),
        );
      }
-
-      // Write a small stub for `upload-lib` that re-exports it from the shared bundle.
-      // External callers (e.g. internal testing environments) `require("./lib/upload-lib")`
-      // and expect the same shape as before, so we expose the namespace as `module.exports`.
-      const uploadLibStubTemplatePath = "upload-lib-stub.js.tpl";
-      const uploadLibStubTemplate = await readFile(
-        join(SRC_DIR, uploadLibStubTemplatePath),
-        "utf-8",
-      );
-      await writeFile(
-        join(OUT_DIR, "upload-lib.js"),
-        makeHeader(uploadLibStubTemplatePath, `${UPLOAD_LIB_SRC}.ts`) +
-          uploadLibStubTemplate.replaceAll(
-            "__UPLOAD_LIB_EXPORT__",
-            UPLOAD_LIB_EXPORT,
-          ),
-      );
    });
  },
 };

 const context = await esbuild.context({
-  entryPoints: [{ in: SHARED_ENTRYPOINT, out: SHARED_ENTRYPOINT }],
+  // Include upload-lib.ts as an entry point for use in testing environments.
+  entryPoints: [
+    { in: SHARED_ENTRYPOINT, out: SHARED_ENTRYPOINT },
+    join(SRC_DIR, "upload-lib.ts"),
+  ],
  bundle: true,
  format: "cjs",
  outdir: OUT_DIR,
@@ -31025,15 +31025,13 @@ var require_brace_expansion = __commonJS({
      parts.push.apply(parts, p);
      return parts;
    }
-    function expandTop(str2, options) {
+    function expandTop(str2) {
      if (!str2)
        return [];
-      options = options || {};
-      var max = options.max == null ? Infinity : options.max;
      if (str2.substr(0, 2) === "{}") {
        str2 = "\\{\\}" + str2.substr(2);
      }
-      return expand2(escapeBraces(str2), max, true).map(unescapeBraces);
+      return expand2(escapeBraces(str2), true).map(unescapeBraces);
    }
    function embrace(str2) {
      return "{" + str2 + "}";
@@ -31047,7 +31045,7 @@ var require_brace_expansion = __commonJS({
    function gte6(i, y) {
      return i >= y;
    }
-    function expand2(str2, max, isTop) {
+    function expand2(str2, isTop) {
      var expansions = [];
      var m = balanced("{", "}", str2);
      if (!m || /\$$/.test(m.pre)) return [str2];
@@ -31058,7 +31056,7 @@ var require_brace_expansion = __commonJS({
      if (!isSequence && !isOptions) {
        if (m.post.match(/,(?!,).*\}/)) {
          str2 = m.pre + "{" + m.body + escClose + m.post;
-          return expand2(str2, max, true);
+          return expand2(str2);
        }
        return [str2];
      }
@@ -31068,9 +31066,9 @@ var require_brace_expansion = __commonJS({
      } else {
        n = parseCommaParts(m.body);
        if (n.length === 1) {
-          n = expand2(n[0], max, false).map(embrace);
+          n = expand2(n[0], false).map(embrace);
          if (n.length === 1) {
-            var post = m.post.length ? expand2(m.post, max, false) : [""];
+            var post = m.post.length ? expand2(m.post, false) : [""];
            return post.map(function(p) {
              return m.pre + n[0] + p;
            });
@@ -31078,7 +31076,7 @@ var require_brace_expansion = __commonJS({
        }
      }
      var pre = m.pre;
-      var post = m.post.length ? expand2(m.post, max, false) : [""];
+      var post = m.post.length ? expand2(m.post, false) : [""];
      var N;
      if (isSequence) {
        var x = numeric(n[0]);
@@ -31116,11 +31114,11 @@ var require_brace_expansion = __commonJS({
        }
      } else {
        N = concatMap(n, function(el) {
-          return expand2(el, max, false);
+          return expand2(el, false);
        });
      }
      for (var j = 0; j < N.length; j++) {
-        for (var k = 0; k < post.length && expansions.length < max; k++) {
+        for (var k = 0; k < post.length; k++) {
          var expansion = pre + N[j] + post[k];
          if (!isTop || isSequence || expansion)
            expansions.push(expansion);
@@ -102246,7 +102244,7 @@ var require_commonjs19 = __commonJS({
          }
          const pad = n.some(isPadded);
          N = [];
-          for (let i = x; test(i, y) && N.length < max; i += incr) {
+          for (let i = x; test(i, y); i += incr) {
            let c;
            if (isAlphaSequence) {
              c = String.fromCharCode(i);
@@ -144950,8 +144948,7 @@ __export(entry_points_exports, {
  runStartProxyAction: () => runStartProxyAction,
  runStartProxyPostAction: () => runStartProxyPostAction,
  runUploadSarifAction: () => runUploadSarifAction,
-  runUploadSarifPostAction: () => runUploadSarifPostAction,
-  uploadLib: () => upload_lib_exports
+  runUploadSarifPostAction: () => runUploadSarifPostAction
 });
 module.exports = __toCommonJS(entry_points_exports);

@@ -149478,11 +149475,6 @@ var featureConfig = {
    minimumVersion: void 0,
    toolsFeature: "suppressesMissingFileBaselineWarning" /* SuppressesMissingFileBaselineWarning */
  },
-  ["start_proxy_remove_unused_registries" /* StartProxyRemoveUnusedRegistries */]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_START_PROXY_REMOVE_UNUSED_REGISTRIES",
-    minimumVersion: void 0
-  },
  ["start_proxy_use_features_release" /* StartProxyUseFeaturesRelease */]: {
    defaultValue: false,
    envVar: "CODEQL_ACTION_START_PROXY_USE_FEATURES_RELEASE",
@@ -149859,12 +149851,6 @@ async function parseAnalysisKinds(input) {
  );
 }
 var cachedAnalysisKinds;
-function isOnlyCodeScanningEnabled(analysisKinds) {
-  return analysisKinds.length === 1 && analysisKinds[0] === "code-scanning" /* CodeScanning */;
-}
-function makeAnalysisKindUsageError(message) {
-  return `The \`analysis-kinds\` input is experimental and for GitHub-internal use only. Its behaviour may change at any time or be removed entirely. ${message}`;
-}
 async function getAnalysisKinds(logger, features, skipCache = false) {
  if (!skipCache && cachedAnalysisKinds !== void 0) {
    return cachedAnalysisKinds;
@@ -149872,14 +149858,6 @@ async function getAnalysisKinds(logger, features, skipCache = false) {
  const analysisKinds = await parseAnalysisKinds(
    getRequiredInput("analysis-kinds")
  );
-  if (!isInTestMode() && !isDynamicWorkflow() && !isOnlyCodeScanningEnabled(analysisKinds)) {
-    const codeQualityHint = analysisKinds.includes("code-quality" /* CodeQuality */) ? " If your intention is to use quality queries outside of Code Quality, use the `queries` input with `code-quality` instead." : "";
-    logger.error(
-      makeAnalysisKindUsageError(
-        `An analysis kind other than \`code-scanning\` was specified in a custom workflow. This is not supported and will become a fatal error in a future version of the CodeQL Action.${codeQualityHint}`
-      )
-    );
-  }
  const qualityQueriesInput = getOptionalInput("quality-queries");
  if (qualityQueriesInput !== void 0) {
    logger.warning(
@@ -149901,9 +149879,7 @@ async function getAnalysisKinds(logger, features, skipCache = false) {
  }
  if (!isInTestMode() && analysisKinds.length > 1 && !await features.getValue("allow_multiple_analysis_kinds" /* AllowMultipleAnalysisKinds */)) {
    logger.error(
-      makeAnalysisKindUsageError(
-        "Specifying multiple values as input is no longer supported. Continuing with only `analysis-kinds: code-scanning`."
-      )
+      "The `analysis-kinds` input is experimental and for GitHub-internal use only. Its behaviour may change at any time or be removed entirely. Specifying multiple values as input is no longer supported. Continuing with only `analysis-kinds: code-scanning`."
    );
    cachedAnalysisKinds = ["code-scanning" /* CodeScanning */];
    return cachedAnalysisKinds;
@@ -155503,27 +155479,6 @@ async function sendUnhandledErrorStatusReport(actionName, actionStartedAt, error
 }

 // src/upload-lib.ts
-var upload_lib_exports = {};
-__export(upload_lib_exports, {
-  buildPayload: () => buildPayload,
-  filterAlertsByDiffRange: () => filterAlertsByDiffRange,
-  findSarifFilesInDir: () => findSarifFilesInDir,
-  getGroupedSarifFilePaths: () => getGroupedSarifFilePaths,
-  populateRunAutomationDetails: () => populateRunAutomationDetails,
-  postProcessSarifFiles: () => postProcessSarifFiles,
-  readSarifFileOrThrow: () => readSarifFileOrThrow,
-  shouldConsiderConfigurationError: () => shouldConsiderConfigurationError,
-  shouldConsiderInvalidRequest: () => shouldConsiderInvalidRequest,
-  shouldShowCombineSarifFilesDeprecationWarning: () => shouldShowCombineSarifFilesDeprecationWarning,
-  throwIfCombineSarifFilesDisabled: () => throwIfCombineSarifFilesDisabled,
-  uploadFiles: () => uploadFiles,
-  uploadPayload: () => uploadPayload,
-  uploadPostProcessedFiles: () => uploadPostProcessedFiles,
-  validateSarifFileSchema: () => validateSarifFileSchema,
-  validateUniqueCategory: () => validateUniqueCategory,
-  waitForProcessing: () => waitForProcessing,
-  writePostProcessedFiles: () => writePostProcessedFiles
-});
 var fs21 = __toESM(require("fs"));
 var path18 = __toESM(require("path"));
 var url = __toESM(require("url"));
@@ -160391,15 +160346,6 @@ function isPAT(value) {
  ]);
 }
 var LANGUAGE_TO_REGISTRY_TYPE = {
-  java: ["maven_repository"],
-  csharp: ["nuget_feed"],
-  javascript: ["npm_registry"],
-  python: ["python_index"],
-  ruby: ["rubygems_server"],
-  rust: ["cargo_registry"],
-  go: ["goproxy_server", "git_source"]
-};
-var NEW_LANGUAGE_TO_REGISTRY_TYPE = {
  actions: [],
  cpp: [],
  java: ["maven_repository"],
@@ -160428,9 +160374,8 @@ function getRegistryAddress(registry) {
    );
  }
 }
-function getCredentials(logger, registrySecrets, registriesCredentials, language, skipUnusedRegistries = false) {
-  const registryMapping = skipUnusedRegistries ? NEW_LANGUAGE_TO_REGISTRY_TYPE : LANGUAGE_TO_REGISTRY_TYPE;
-  const registryTypeForLanguage = language ? registryMapping[language] : void 0;
+function getCredentials(logger, registrySecrets, registriesCredentials, language) {
+  const registryTypeForLanguage = language ? LANGUAGE_TO_REGISTRY_TYPE[language] : void 0;
  let credentialsStr;
  if (registriesCredentials !== void 0) {
    logger.info(`Using registries_credentials input.`);
@@ -160954,15 +160899,11 @@ async function run7(startedAt) {
    );
    const languageInput = getOptionalInput("language");
    language = languageInput ? parseBuiltInLanguage(languageInput) : void 0;
-    const skipUnusedRegistries = await features.getValue(
-      "start_proxy_remove_unused_registries" /* StartProxyRemoveUnusedRegistries */
-    );
    const credentials = getCredentials(
      logger,
      getOptionalInput("registry_secrets"),
      getOptionalInput("registries_credentials"),
-      language,
-      skipUnusedRegistries
+      language
    );
    if (credentials.length === 0) {
      logger.info("No credentials found, skipping proxy setup.");
@@ -161311,8 +161252,7 @@ async function runUploadSarifPostAction() {
  runStartProxyAction,
  runStartProxyPostAction,
  runUploadSarifAction,
-  runUploadSarifPostAction,
-  uploadLib
+  runUploadSarifPostAction
 });
 /*! Bundled license information:

@@ -36,7 +36,7 @@
        "uuid": "^14.0.0"
      },
      "devDependencies": {
-        "@ava/typescript": "6.0.0",
+        "@ava/typescript": "7.0.0",
        "@eslint/compat": "^2.0.5",
        "@microsoft/eslint-formatter-sarif": "^3.1.0",
        "@octokit/types": "^16.0.0",
@@ -48,7 +48,7 @@
        "@types/sarif": "^2.1.7",
        "@types/semver": "^7.7.1",
        "@types/sinon": "^21.0.1",
-        "ava": "^6.4.1",
+        "ava": "^7.0.0",
        "esbuild": "^0.28.0",
        "eslint": "^9.39.4",
        "eslint-import-resolver-typescript": "^4.4.4",
@@ -450,17 +450,17 @@
      }
    },
    "node_modules/@ava/typescript": {
-      "version": "6.0.0",
-      "resolved": "https://registry.npmjs.org/@ava/typescript/-/typescript-6.0.0.tgz",
-      "integrity": "sha512-+8oDYc4J5cCaWZh1VUbyc+cegGplJO9FqHpqR4LVAVx8fRLVRaYlC4yyA6cqHJ1vWP23Ff/ECS5U68Zz6OLZlg==",
+      "version": "7.0.0",
+      "resolved": "https://registry.npmjs.org/@ava/typescript/-/typescript-7.0.0.tgz",
+      "integrity": "sha512-0ktzq4/9ya2QoAuVWzl3McpLV9W//Tj+oMonQ4ucgm5l6tQ46aaju/rJL9kzeY5MkG6wzXvFt/MmaLqf9uNC9w==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
        "escape-string-regexp": "^5.0.0",
-        "execa": "^9.6.0"
+        "execa": "^9.6.1"
      },
      "engines": {
-        "node": "^20.8 || ^22 || >=24"
+        "node": "^22.20 || ^24.12 || >=25"
      }
    },
    "node_modules/@ava/typescript/node_modules/escape-string-regexp": {
@@ -3172,9 +3172,9 @@
      ]
    },
    "node_modules/@vercel/nft": {
-      "version": "0.29.4",
-      "resolved": "https://registry.npmjs.org/@vercel/nft/-/nft-0.29.4.tgz",
-      "integrity": "sha512-6lLqMNX3TuycBPABycx7A9F1bHQR7kiQln6abjFbPrf5C/05qHM9M5E4PeTE59c7z8g6vHnx1Ioihb2AQl7BTA==",
+      "version": "1.3.2",
+      "resolved": "https://registry.npmjs.org/@vercel/nft/-/nft-1.3.2.tgz",
+      "integrity": "sha512-HC8venRc4Ya7vNeBsJneKHHMDDWpQie7VaKhAIOst3MKO+DES+Y/SbzSp8mFkD7OzwAE2HhHkeSuSmwS20mz3A==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
@@ -3185,7 +3185,7 @@
        "async-sema": "^3.1.1",
        "bindings": "^1.4.0",
        "estree-walker": "2.0.2",
-        "glob": "^10.4.5",
+        "glob": "^13.0.0",
        "graceful-fs": "^4.2.9",
        "node-gyp-build": "^4.2.2",
        "picomatch": "^4.0.2",
@@ -3195,7 +3195,7 @@
        "nft": "out/cli.js"
      },
      "engines": {
-        "node": ">=18"
+        "node": ">=20"
      }
    },
    "node_modules/abbrev": {
@@ -3561,58 +3561,57 @@
      "license": "MIT"
    },
    "node_modules/ava": {
-      "version": "6.4.1",
-      "resolved": "https://registry.npmjs.org/ava/-/ava-6.4.1.tgz",
-      "integrity": "sha512-vxmPbi1gZx9zhAjHBgw81w/iEDKcrokeRk/fqDTyA2DQygZ0o+dUGRHFOtX8RA5N0heGJTTsIk7+xYxitDb61Q==",
+      "version": "7.0.0",
+      "resolved": "https://registry.npmjs.org/ava/-/ava-7.0.0.tgz",
+      "integrity": "sha512-4sRJO/gehlfAgSbuH02mClDDiyymnuFmirE3KqPXl2pic1FaFTZaAACKqr85WT4o08iLjViMR9gmMkxzbZ3AgA==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
-        "@vercel/nft": "^0.29.4",
-        "acorn": "^8.15.0",
-        "acorn-walk": "^8.3.4",
-        "ansi-styles": "^6.2.1",
+        "@vercel/nft": "^1.3.2",
+        "acorn": "^8.16.0",
+        "acorn-walk": "^8.3.5",
+        "ansi-styles": "^6.2.3",
        "arrgv": "^1.0.2",
        "arrify": "^3.0.0",
        "callsites": "^4.2.0",
-        "cbor": "^10.0.9",
-        "chalk": "^5.4.1",
+        "cbor": "^10.0.11",
+        "chalk": "^5.6.2",
        "chunkd": "^2.0.1",
-        "ci-info": "^4.3.0",
+        "ci-info": "^4.4.0",
        "ci-parallel-vars": "^1.0.1",
-        "cli-truncate": "^4.0.0",
+        "cli-truncate": "^5.1.1",
        "code-excerpt": "^4.0.0",
        "common-path-prefix": "^3.0.0",
        "concordance": "^5.0.4",
        "currently-unhandled": "^0.4.1",
-        "debug": "^4.4.1",
+        "debug": "^4.4.3",
        "emittery": "^1.2.0",
        "figures": "^6.1.0",
-        "globby": "^14.1.0",
+        "globby": "^16.1.1",
        "ignore-by-default": "^2.1.0",
        "indent-string": "^5.0.0",
        "is-plain-object": "^5.0.0",
        "is-promise": "^4.0.0",
-        "matcher": "^5.0.0",
-        "memoize": "^10.1.0",
+        "matcher": "^6.0.0",
+        "memoize": "^10.2.0",
        "ms": "^2.1.3",
-        "p-map": "^7.0.3",
+        "p-map": "^7.0.4",
        "package-config": "^5.0.0",
-        "picomatch": "^4.0.2",
-        "plur": "^5.1.0",
-        "pretty-ms": "^9.2.0",
+        "picomatch": "^4.0.3",
+        "plur": "^6.0.0",
+        "pretty-ms": "^9.3.0",
        "resolve-cwd": "^3.0.0",
        "stack-utils": "^2.0.6",
-        "strip-ansi": "^7.1.0",
        "supertap": "^3.0.1",
        "temp-dir": "^3.0.0",
-        "write-file-atomic": "^6.0.0",
-        "yargs": "^17.7.2"
+        "write-file-atomic": "^7.0.0",
+        "yargs": "^18.0.0"
      },
      "bin": {
        "ava": "entrypoints/cli.mjs"
      },
      "engines": {
-        "node": "^18.18 || ^20.8 || ^22 || ^23 || >=24"
+        "node": "^20.19 || ^22.20 || ^24.12 || >=25"
      },
      "peerDependencies": {
        "@ava/typescript": "*"
@@ -3623,19 +3622,6 @@
        }
      }
    },
-    "node_modules/ava/node_modules/ansi-regex": {
-      "version": "6.2.2",
-      "resolved": "https://registry.npmjs.org/ansi-regex/-/ansi-regex-6.2.2.tgz",
-      "integrity": "sha512-Bq3SmSpyFHaWjPk8If9yc6svM8c56dB5BAtW4Qbw5jHTwwXXcTLoRMkpDJp6VL0XzlWaCHTXrkFURMYmD0sLqg==",
-      "dev": true,
-      "license": "MIT",
-      "engines": {
-        "node": ">=12"
-      },
-      "funding": {
-        "url": "https://github.com/chalk/ansi-regex?sponsor=1"
-      }
-    },
    "node_modules/ava/node_modules/callsites": {
      "version": "4.2.0",
      "resolved": "https://registry.npmjs.org/callsites/-/callsites-4.2.0.tgz",
@@ -3666,22 +3652,6 @@
        }
      }
    },
-    "node_modules/ava/node_modules/strip-ansi": {
-      "version": "7.2.0",
-      "resolved": "https://registry.npmjs.org/strip-ansi/-/strip-ansi-7.2.0.tgz",
-      "integrity": "sha512-yDPMNjp4WyfYBkHnjIRLfca1i6KMyGCtsVgoKe/z1+6vukgaENdgGBZt+ZmKPc4gavvEZ5OgHfHdrazhgNyG7w==",
-      "dev": true,
-      "license": "MIT",
-      "dependencies": {
-        "ansi-regex": "^6.2.2"
-      },
-      "engines": {
-        "node": ">=12"
-      },
-      "funding": {
-        "url": "https://github.com/chalk/strip-ansi?sponsor=1"
-      }
-    },
    "node_modules/available-typed-arrays": {
      "version": "1.0.7",
      "resolved": "https://registry.npmjs.org/available-typed-arrays/-/available-typed-arrays-1.0.7.tgz",
@@ -3795,9 +3765,9 @@
      "license": "MIT"
    },
    "node_modules/brace-expansion": {
-      "version": "1.1.14",
-      "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.14.tgz",
-      "integrity": "sha512-MWPGfDxnyzKU7rNOW9SP/c50vi3xrmrua/+6hfPbCS2ABNWfx24vPidzvC7krjU/RTo235sV776ymlsMtGKj8g==",
+      "version": "1.1.13",
+      "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.13.tgz",
+      "integrity": "sha512-9ZLprWS6EENmhEOpjCYW2c8VkmOvckIJZfkr7rBW6dObmfgJ/L1GpSYW5Hpo9lDz4D1+n0Ckz8rU7FwHDQiG/w==",
      "license": "MIT",
      "dependencies": {
        "balanced-match": "^1.0.0",
@@ -4046,17 +4016,17 @@
      "dev": true
    },
    "node_modules/cli-truncate": {
-      "version": "4.0.0",
-      "resolved": "https://registry.npmjs.org/cli-truncate/-/cli-truncate-4.0.0.tgz",
-      "integrity": "sha512-nPdaFdQ0h/GEigbPClz11D0v/ZJEwxmeVZGeMo3Z5StPtUTkA9o1lD6QwoirYiSDzbcwn2XcjwmCp68W1IS4TA==",
+      "version": "5.2.0",
+      "resolved": "https://registry.npmjs.org/cli-truncate/-/cli-truncate-5.2.0.tgz",
+      "integrity": "sha512-xRwvIOMGrfOAnM1JYtqQImuaNtDEv9v6oIYAs4LIHwTiKee8uwvIi363igssOC0O5U04i4AlENs79LQLu9tEMw==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
-        "slice-ansi": "^5.0.0",
-        "string-width": "^7.0.0"
+        "slice-ansi": "^8.0.0",
+        "string-width": "^8.2.0"
      },
      "engines": {
-        "node": ">=18"
+        "node": ">=20"
      },
      "funding": {
        "url": "https://github.com/sponsors/sindresorhus"
@@ -4075,26 +4045,18 @@
        "url": "https://github.com/chalk/ansi-regex?sponsor=1"
      }
    },
-    "node_modules/cli-truncate/node_modules/emoji-regex": {
-      "version": "10.6.0",
-      "resolved": "https://registry.npmjs.org/emoji-regex/-/emoji-regex-10.6.0.tgz",
-      "integrity": "sha512-toUI84YS5YmxW219erniWD0CIVOo46xGKColeNQRgOzDorgBi1v4D71/OFzgD9GO2UGKIv1C3Sp8DAn0+j5w7A==",
-      "dev": true,
-      "license": "MIT"
-    },
    "node_modules/cli-truncate/node_modules/string-width": {
-      "version": "7.2.0",
-      "resolved": "https://registry.npmjs.org/string-width/-/string-width-7.2.0.tgz",
-      "integrity": "sha512-tsaTIkKW9b4N+AEj+SVA+WhJzV7/zMhcSu78mLKWSk7cXMOSHsBKFWUs0fWwq8QyK3MgJBQRX6Gbi4kYbdvGkQ==",
+      "version": "8.2.0",
+      "resolved": "https://registry.npmjs.org/string-width/-/string-width-8.2.0.tgz",
+      "integrity": "sha512-6hJPQ8N0V0P3SNmP6h2J99RLuzrWz2gvT7VnK5tKvrNqJoyS9W4/Fb8mo31UiPvy00z7DQXkP2hnKBVav76thw==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
-        "emoji-regex": "^10.3.0",
-        "get-east-asian-width": "^1.0.0",
-        "strip-ansi": "^7.1.0"
+        "get-east-asian-width": "^1.5.0",
+        "strip-ansi": "^7.1.2"
      },
      "engines": {
-        "node": ">=18"
+        "node": ">=20"
      },
      "funding": {
        "url": "https://github.com/sponsors/sindresorhus"
@@ -4117,18 +4079,72 @@
      }
    },
    "node_modules/cliui": {
-      "version": "8.0.1",
-      "resolved": "https://registry.npmjs.org/cliui/-/cliui-8.0.1.tgz",
-      "integrity": "sha512-BSeNnyus75C4//NQ9gQt1/csTXyo/8Sb+afLAkzAptFuMsod9HFokGNudZpi/oQV73hnVK+sR+5PVRMd+Dr7YQ==",
+      "version": "9.0.1",
+      "resolved": "https://registry.npmjs.org/cliui/-/cliui-9.0.1.tgz",
+      "integrity": "sha512-k7ndgKhwoQveBL+/1tqGJYNz097I7WOvwbmmU2AR5+magtbjPWQTS1C5vzGkBC8Ym8UWRzfKUzUUqFLypY4Q+w==",
      "dev": true,
      "license": "ISC",
      "dependencies": {
-        "string-width": "^4.2.0",
-        "strip-ansi": "^6.0.1",
-        "wrap-ansi": "^7.0.0"
+        "string-width": "^7.2.0",
+        "strip-ansi": "^7.1.0",
+        "wrap-ansi": "^9.0.0"
+      },
+      "engines": {
+        "node": ">=20"
+      }
+    },
+    "node_modules/cliui/node_modules/ansi-regex": {
+      "version": "6.2.2",
+      "resolved": "https://registry.npmjs.org/ansi-regex/-/ansi-regex-6.2.2.tgz",
+      "integrity": "sha512-Bq3SmSpyFHaWjPk8If9yc6svM8c56dB5BAtW4Qbw5jHTwwXXcTLoRMkpDJp6VL0XzlWaCHTXrkFURMYmD0sLqg==",
+      "dev": true,
+      "license": "MIT",
+      "engines": {
+        "node": ">=12"
+      },
+      "funding": {
+        "url": "https://github.com/chalk/ansi-regex?sponsor=1"
+      }
+    },
+    "node_modules/cliui/node_modules/emoji-regex": {
+      "version": "10.6.0",
+      "resolved": "https://registry.npmjs.org/emoji-regex/-/emoji-regex-10.6.0.tgz",
+      "integrity": "sha512-toUI84YS5YmxW219erniWD0CIVOo46xGKColeNQRgOzDorgBi1v4D71/OFzgD9GO2UGKIv1C3Sp8DAn0+j5w7A==",
+      "dev": true,
+      "license": "MIT"
+    },
+    "node_modules/cliui/node_modules/string-width": {
+      "version": "7.2.0",
+      "resolved": "https://registry.npmjs.org/string-width/-/string-width-7.2.0.tgz",
+      "integrity": "sha512-tsaTIkKW9b4N+AEj+SVA+WhJzV7/zMhcSu78mLKWSk7cXMOSHsBKFWUs0fWwq8QyK3MgJBQRX6Gbi4kYbdvGkQ==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "emoji-regex": "^10.3.0",
+        "get-east-asian-width": "^1.0.0",
+        "strip-ansi": "^7.1.0"
+      },
+      "engines": {
+        "node": ">=18"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/sindresorhus"
+      }
+    },
+    "node_modules/cliui/node_modules/strip-ansi": {
+      "version": "7.2.0",
+      "resolved": "https://registry.npmjs.org/strip-ansi/-/strip-ansi-7.2.0.tgz",
+      "integrity": "sha512-yDPMNjp4WyfYBkHnjIRLfca1i6KMyGCtsVgoKe/z1+6vukgaENdgGBZt+ZmKPc4gavvEZ5OgHfHdrazhgNyG7w==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "ansi-regex": "^6.2.2"
      },
      "engines": {
        "node": ">=12"
+      },
+      "funding": {
+        "url": "https://github.com/chalk/strip-ansi?sponsor=1"
      }
    },
    "node_modules/code-excerpt": {
@@ -5122,9 +5138,9 @@
      }
    },
    "node_modules/eslint-plugin-import-x/node_modules/brace-expansion": {
-      "version": "5.0.6",
-      "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-5.0.6.tgz",
-      "integrity": "sha512-kLpxurY4Z4r9sgMsyG0Z9uzsBlgiU/EFKhj/h91/8yHu0edo7XuixOIH3VcJ8kkxs6/jPzoI6U9Vj3WqbMQ94g==",
+      "version": "5.0.5",
+      "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-5.0.5.tgz",
+      "integrity": "sha512-VZznLgtwhn+Mact9tfiwx64fA9erHH/MCXEUfB/0bX/6Fz6ny5EGTXYltMocqg4xFAQZtnO3DHWWXi8RiuN7cQ==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
@@ -5923,9 +5939,9 @@
      }
    },
    "node_modules/get-east-asian-width": {
-      "version": "1.6.0",
-      "resolved": "https://registry.npmjs.org/get-east-asian-width/-/get-east-asian-width-1.6.0.tgz",
-      "integrity": "sha512-QRbvDIbx6YklUe6RxeTeleMR0yv3cYH6PsPZHcnVn7xv7zO1BHN8r0XETu8n6Ye3Q+ahtSarc3WgtNWmehIBfA==",
+      "version": "1.5.0",
+      "resolved": "https://registry.npmjs.org/get-east-asian-width/-/get-east-asian-width-1.5.0.tgz",
+      "integrity": "sha512-CQ+bEO+Tva/qlmw24dCejulK5pMzVnUOFOijVogd3KQs07HnRIgp8TGipvCCRT06xeYEbpbgwaCxglFyiuIcmA==",
      "dev": true,
      "license": "MIT",
      "engines": {
@@ -6078,9 +6094,9 @@
      }
    },
    "node_modules/glob/node_modules/brace-expansion": {
-      "version": "5.0.6",
-      "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-5.0.6.tgz",
-      "integrity": "sha512-kLpxurY4Z4r9sgMsyG0Z9uzsBlgiU/EFKhj/h91/8yHu0edo7XuixOIH3VcJ8kkxs6/jPzoI6U9Vj3WqbMQ94g==",
+      "version": "5.0.5",
+      "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-5.0.5.tgz",
+      "integrity": "sha512-VZznLgtwhn+Mact9tfiwx64fA9erHH/MCXEUfB/0bX/6Fz6ny5EGTXYltMocqg4xFAQZtnO3DHWWXi8RiuN7cQ==",
      "license": "MIT",
      "dependencies": {
        "balanced-match": "^4.0.2"
@@ -6135,34 +6151,21 @@
      }
    },
    "node_modules/globby": {
-      "version": "14.1.0",
-      "resolved": "https://registry.npmjs.org/globby/-/globby-14.1.0.tgz",
-      "integrity": "sha512-0Ia46fDOaT7k4og1PDW4YbodWWr3scS2vAr2lTbsplOt2WkKp0vQbkI9wKis/T5LV/dqPjO3bpS/z6GTJB82LA==",
+      "version": "16.1.1",
+      "resolved": "https://registry.npmjs.org/globby/-/globby-16.1.1.tgz",
+      "integrity": "sha512-dW7vl+yiAJSp6aCekaVnVJxurRv7DCOLyXqEG3RYMYUg7AuJ2jCqPkZTA8ooqC2vtnkaMcV5WfFBMuEnTu1OQg==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
-        "@sindresorhus/merge-streams": "^2.1.0",
+        "@sindresorhus/merge-streams": "^4.0.0",
        "fast-glob": "^3.3.3",
-        "ignore": "^7.0.3",
-        "path-type": "^6.0.0",
+        "ignore": "^7.0.5",
+        "is-path-inside": "^4.0.0",
        "slash": "^5.1.0",
-        "unicorn-magic": "^0.3.0"
+        "unicorn-magic": "^0.4.0"
      },
      "engines": {
-        "node": ">=18"
-      },
-      "funding": {
-        "url": "https://github.com/sponsors/sindresorhus"
-      }
-    },
-    "node_modules/globby/node_modules/@sindresorhus/merge-streams": {
-      "version": "2.3.0",
-      "resolved": "https://registry.npmjs.org/@sindresorhus/merge-streams/-/merge-streams-2.3.0.tgz",
-      "integrity": "sha512-LtoMMhxAlorcGhmFYI+LhPgbPZCkgP6ra1YL604EeF6U98pLlQ3iWIGMdWSC+vWmPBWBNgmDBAhnAobLROJmwg==",
-      "dev": true,
-      "license": "MIT",
-      "engines": {
-        "node": ">=18"
+        "node": ">=20"
      },
      "funding": {
        "url": "https://github.com/sponsors/sindresorhus"
@@ -6178,6 +6181,32 @@
        "node": ">= 4"
      }
    },
+    "node_modules/globby/node_modules/is-path-inside": {
+      "version": "4.0.0",
+      "resolved": "https://registry.npmjs.org/is-path-inside/-/is-path-inside-4.0.0.tgz",
+      "integrity": "sha512-lJJV/5dYS+RcL8uQdBDW9c9uWFLLBNRyFhnAKXw5tVqLlKZ4RMGZKv+YQ/IA3OhD+RpbJa1LLFM1FQPGyIXvOA==",
+      "dev": true,
+      "license": "MIT",
+      "engines": {
+        "node": ">=12"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/sindresorhus"
+      }
+    },
+    "node_modules/globby/node_modules/unicorn-magic": {
+      "version": "0.4.0",
+      "resolved": "https://registry.npmjs.org/unicorn-magic/-/unicorn-magic-0.4.0.tgz",
+      "integrity": "sha512-wH590V9VNgYH9g3lH9wWjTrUoKsjLF6sGLjhR4sH1LWpLmCOH0Zf7PukhDA8BiS7KHe4oPNkcTHqYkj7SOGUOw==",
+      "dev": true,
+      "license": "MIT",
+      "engines": {
+        "node": ">=20"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/sindresorhus"
+      }
+    },
    "node_modules/gopd": {
      "version": "1.2.0",
      "resolved": "https://registry.npmjs.org/gopd/-/gopd-1.2.0.tgz",
@@ -6442,13 +6471,16 @@
      }
    },
    "node_modules/irregular-plurals": {
-      "version": "3.5.0",
-      "resolved": "https://registry.npmjs.org/irregular-plurals/-/irregular-plurals-3.5.0.tgz",
-      "integrity": "sha512-1ANGLZ+Nkv1ptFb2pa8oG8Lem4krflKuX/gINiHJHjJUKaJHk/SXk5x6K3J+39/p0h1RQ2saROclJJ+QLvETCQ==",
+      "version": "4.2.0",
+      "resolved": "https://registry.npmjs.org/irregular-plurals/-/irregular-plurals-4.2.0.tgz",
+      "integrity": "sha512-bW9UXHL7bnUcNtTo+9ccSngbxc+V40H32IgvdVin0Xs8gbo+AVYD5g/72ce/54Kjfhq66vcZr8H8TKEvsifeOw==",
      "dev": true,
      "license": "MIT",
      "engines": {
-        "node": ">=8"
+        "node": ">=18.20"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/sindresorhus"
      }
    },
    "node_modules/is-array-buffer": {
@@ -7219,16 +7251,16 @@
      }
    },
    "node_modules/matcher": {
-      "version": "5.0.0",
-      "resolved": "https://registry.npmjs.org/matcher/-/matcher-5.0.0.tgz",
-      "integrity": "sha512-s2EMBOWtXFc8dgqvoAzKJXxNHibcdJMV0gwqKUaw9E2JBJuGUK7DrNKrA6g/i+v72TT16+6sVm5mS3thaMLQUw==",
+      "version": "6.0.0",
+      "resolved": "https://registry.npmjs.org/matcher/-/matcher-6.0.0.tgz",
+      "integrity": "sha512-TzDerdcNtI79w7Av4GT57bLdElPA/VAkjqdMZv8yhuc8geU2z0ljW9anXbX/55aHEMTpYypZb1lxsA/46r9oOQ==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
        "escape-string-regexp": "^5.0.0"
      },
      "engines": {
-        "node": "^12.20.0 || ^14.13.1 || >=16.0.0"
+        "node": ">=20"
      },
      "funding": {
        "url": "https://github.com/sponsors/sindresorhus"
@@ -7849,19 +7881,6 @@
        "url": "https://github.com/sponsors/isaacs"
      }
    },
-    "node_modules/path-type": {
-      "version": "6.0.0",
-      "resolved": "https://registry.npmjs.org/path-type/-/path-type-6.0.0.tgz",
-      "integrity": "sha512-Vj7sf++t5pBD637NSfkxpHSMfWaeig5+DKWLhcqIYx6mWQz5hdJTGDVMQiJcw1ZYkhs7AazKDGpRVji1LJCZUQ==",
-      "dev": true,
-      "license": "MIT",
-      "engines": {
-        "node": ">=18"
-      },
-      "funding": {
-        "url": "https://github.com/sponsors/sindresorhus"
-      }
-    },
    "node_modules/picocolors": {
      "version": "1.1.1",
      "resolved": "https://registry.npmjs.org/picocolors/-/picocolors-1.1.1.tgz",
@@ -7883,16 +7902,16 @@
      }
    },
    "node_modules/plur": {
-      "version": "5.1.0",
-      "resolved": "https://registry.npmjs.org/plur/-/plur-5.1.0.tgz",
-      "integrity": "sha512-VP/72JeXqak2KiOzjgKtQen5y3IZHn+9GOuLDafPv0eXa47xq0At93XahYBs26MsifCQ4enGKwbjBTKgb9QJXg==",
+      "version": "6.0.0",
+      "resolved": "https://registry.npmjs.org/plur/-/plur-6.0.0.tgz",
+      "integrity": "sha512-Y9wXQivjRX0REtwpA9+n0bYYypWESn3cWtW2vazymw711qn+AQXxzZjRqhANYGBLIMC1UzVdpwe/1hHQwHfwng==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
-        "irregular-plurals": "^3.3.0"
+        "irregular-plurals": "^4.2.0"
      },
      "engines": {
-        "node": "^12.20.0 || ^14.13.1 || >=16.0.0"
+        "node": ">=20"
      },
      "funding": {
        "url": "https://github.com/sponsors/sindresorhus"
@@ -8109,16 +8128,6 @@
        "url": "https://github.com/sponsors/ljharb"
      }
    },
-    "node_modules/require-directory": {
-      "version": "2.1.1",
-      "resolved": "https://registry.npmjs.org/require-directory/-/require-directory-2.1.1.tgz",
-      "integrity": "sha512-fGxEI7+wsG9xrvdjsrlmL22OMTTiHRwAMroiEeMgq8gzoLC/PQr7RsRDSTLUg/bZAZtF+TVIkHc6/4RIKrui+Q==",
-      "dev": true,
-      "license": "MIT",
-      "engines": {
-        "node": ">=0.10.0"
-      }
-    },
    "node_modules/requireindex": {
      "version": "1.1.0",
      "dev": true,
@@ -8532,30 +8541,33 @@
      }
    },
    "node_modules/slice-ansi": {
-      "version": "5.0.0",
-      "resolved": "https://registry.npmjs.org/slice-ansi/-/slice-ansi-5.0.0.tgz",
-      "integrity": "sha512-FC+lgizVPfie0kkhqUScwRu1O/lF6NOgJmlCgK+/LYxDCTk8sGelYaHDhFcDN+Sn3Cv+3VSa4Byeo+IMCzpMgQ==",
+      "version": "8.0.0",
+      "resolved": "https://registry.npmjs.org/slice-ansi/-/slice-ansi-8.0.0.tgz",
+      "integrity": "sha512-stxByr12oeeOyY2BlviTNQlYV5xOj47GirPr4yA1hE9JCtxfQN0+tVbkxwCtYDQWhEKWFHsEK48ORg5jrouCAg==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
-        "ansi-styles": "^6.0.0",
-        "is-fullwidth-code-point": "^4.0.0"
+        "ansi-styles": "^6.2.3",
+        "is-fullwidth-code-point": "^5.1.0"
      },
      "engines": {
-        "node": ">=12"
+        "node": ">=20"
      },
      "funding": {
        "url": "https://github.com/chalk/slice-ansi?sponsor=1"
      }
    },
    "node_modules/slice-ansi/node_modules/is-fullwidth-code-point": {
-      "version": "4.0.0",
-      "resolved": "https://registry.npmjs.org/is-fullwidth-code-point/-/is-fullwidth-code-point-4.0.0.tgz",
-      "integrity": "sha512-O4L094N2/dZ7xqVdrXhh9r1KODPJpFms8B5sGdJLPy664AgvXsreZUyCQQNItZRDlYug4xStLjNp/sz3HvBowQ==",
+      "version": "5.1.0",
+      "resolved": "https://registry.npmjs.org/is-fullwidth-code-point/-/is-fullwidth-code-point-5.1.0.tgz",
+      "integrity": "sha512-5XHYaSyiqADb4RnZ1Bdad6cPp8Toise4TzEjcOYDHZkTCbKgiUl7WTUCpNWHuxmDt91wnsZBc9xinNzopv3JMQ==",
      "dev": true,
      "license": "MIT",
+      "dependencies": {
+        "get-east-asian-width": "^1.3.1"
+      },
      "engines": {
-        "node": ">=12"
+        "node": ">=18"
      },
      "funding": {
        "url": "https://github.com/sponsors/sindresorhus"
@@ -8950,9 +8962,9 @@
      }
    },
    "node_modules/tar": {
-      "version": "7.5.15",
-      "resolved": "https://registry.npmjs.org/tar/-/tar-7.5.15.tgz",
-      "integrity": "sha512-dzGK0boVlC4W5QFuQN1EFSl3bIDYsk7Tj40U6eIBnK2k/8ml7TZ5agbI5j5+qnoVcAA+rNtBml8SEiLxZpNqRQ==",
+      "version": "7.5.11",
+      "resolved": "https://registry.npmjs.org/tar/-/tar-7.5.11.tgz",
+      "integrity": "sha512-ChjMH33/KetonMTAtpYdgUFr0tbz69Fp2v7zWxQfYZX4g5ZN2nOBXm1R2xyA+lMIKrLKIoKAwFj93jE/avX9cQ==",
      "dev": true,
      "license": "BlueOak-1.0.0",
      "dependencies": {
@@ -10092,18 +10104,18 @@
      }
    },
    "node_modules/wrap-ansi": {
-      "version": "7.0.0",
-      "resolved": "https://registry.npmjs.org/wrap-ansi/-/wrap-ansi-7.0.0.tgz",
-      "integrity": "sha512-YVGIj2kamLSTxw6NsZjoBxfSwsn0ycdesmc4p+Q21c5zPuZ1pl+NfxVdxPtdHvmNVOQ6XSYG4AUtyt/Fi7D16Q==",
+      "version": "9.0.2",
+      "resolved": "https://registry.npmjs.org/wrap-ansi/-/wrap-ansi-9.0.2.tgz",
+      "integrity": "sha512-42AtmgqjV+X1VpdOfyTGOYRi0/zsoLqtXQckTmqTeybT+BDIbM/Guxo7x3pE2vtpr1ok6xRqM9OpBe+Jyoqyww==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
-        "ansi-styles": "^4.0.0",
-        "string-width": "^4.1.0",
-        "strip-ansi": "^6.0.0"
+        "ansi-styles": "^6.2.1",
+        "string-width": "^7.0.0",
+        "strip-ansi": "^7.1.0"
      },
      "engines": {
-        "node": ">=10"
+        "node": ">=18"
      },
      "funding": {
        "url": "https://github.com/chalk/wrap-ansi?sponsor=1"
@@ -10142,20 +10154,58 @@
        "url": "https://github.com/chalk/ansi-styles?sponsor=1"
      }
    },
-    "node_modules/wrap-ansi/node_modules/ansi-styles": {
-      "version": "4.3.0",
-      "resolved": "https://registry.npmjs.org/ansi-styles/-/ansi-styles-4.3.0.tgz",
-      "integrity": "sha512-zbB9rCJAT1rbjiVDb2hqKFHNYLxgtk8NURxZ3IZwD3F6NtxbXZQCnnSi1Lkx+IDohdPlFp222wVALIheZJQSEg==",
+    "node_modules/wrap-ansi/node_modules/ansi-regex": {
+      "version": "6.2.2",
+      "resolved": "https://registry.npmjs.org/ansi-regex/-/ansi-regex-6.2.2.tgz",
+      "integrity": "sha512-Bq3SmSpyFHaWjPk8If9yc6svM8c56dB5BAtW4Qbw5jHTwwXXcTLoRMkpDJp6VL0XzlWaCHTXrkFURMYmD0sLqg==",
+      "dev": true,
+      "license": "MIT",
+      "engines": {
+        "node": ">=12"
+      },
+      "funding": {
+        "url": "https://github.com/chalk/ansi-regex?sponsor=1"
+      }
+    },
+    "node_modules/wrap-ansi/node_modules/emoji-regex": {
+      "version": "10.6.0",
+      "resolved": "https://registry.npmjs.org/emoji-regex/-/emoji-regex-10.6.0.tgz",
+      "integrity": "sha512-toUI84YS5YmxW219erniWD0CIVOo46xGKColeNQRgOzDorgBi1v4D71/OFzgD9GO2UGKIv1C3Sp8DAn0+j5w7A==",
+      "dev": true,
+      "license": "MIT"
+    },
+    "node_modules/wrap-ansi/node_modules/string-width": {
+      "version": "7.2.0",
+      "resolved": "https://registry.npmjs.org/string-width/-/string-width-7.2.0.tgz",
+      "integrity": "sha512-tsaTIkKW9b4N+AEj+SVA+WhJzV7/zMhcSu78mLKWSk7cXMOSHsBKFWUs0fWwq8QyK3MgJBQRX6Gbi4kYbdvGkQ==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
-        "color-convert": "^2.0.1"
+        "emoji-regex": "^10.3.0",
+        "get-east-asian-width": "^1.0.0",
+        "strip-ansi": "^7.1.0"
      },
      "engines": {
-        "node": ">=8"
+        "node": ">=18"
      },
      "funding": {
-        "url": "https://github.com/chalk/ansi-styles?sponsor=1"
+        "url": "https://github.com/sponsors/sindresorhus"
+      }
+    },
+    "node_modules/wrap-ansi/node_modules/strip-ansi": {
+      "version": "7.2.0",
+      "resolved": "https://registry.npmjs.org/strip-ansi/-/strip-ansi-7.2.0.tgz",
+      "integrity": "sha512-yDPMNjp4WyfYBkHnjIRLfca1i6KMyGCtsVgoKe/z1+6vukgaENdgGBZt+ZmKPc4gavvEZ5OgHfHdrazhgNyG7w==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "ansi-regex": "^6.2.2"
+      },
+      "engines": {
+        "node": ">=12"
+      },
+      "funding": {
+        "url": "https://github.com/chalk/strip-ansi?sponsor=1"
      }
    },
    "node_modules/wrappy": {
@@ -10163,17 +10213,16 @@
      "license": "ISC"
    },
    "node_modules/write-file-atomic": {
-      "version": "6.0.0",
-      "resolved": "https://registry.npmjs.org/write-file-atomic/-/write-file-atomic-6.0.0.tgz",
-      "integrity": "sha512-GmqrO8WJ1NuzJ2DrziEI2o57jKAVIQNf8a18W3nCYU3H7PNWqCCVTeH6/NQE93CIllIgQS98rrmVkYgTX9fFJQ==",
+      "version": "7.0.1",
+      "resolved": "https://registry.npmjs.org/write-file-atomic/-/write-file-atomic-7.0.1.tgz",
+      "integrity": "sha512-OTIk8iR8/aCRWBqvxrzxR0hgxWpnYBblY1S5hDWBQfk/VFmJwzmJgQFN3WsoUKHISv2eAwe+PpbUzyL1CKTLXg==",
      "dev": true,
      "license": "ISC",
      "dependencies": {
-        "imurmurhash": "^0.1.4",
        "signal-exit": "^4.0.1"
      },
      "engines": {
-        "node": "^18.17.0 || >=20.5.0"
+        "node": "^20.17.0 || >=22.9.0"
      }
    },
    "node_modules/xml-naming": {
@@ -10227,32 +10276,85 @@
      }
    },
    "node_modules/yargs": {
-      "version": "17.7.2",
-      "resolved": "https://registry.npmjs.org/yargs/-/yargs-17.7.2.tgz",
-      "integrity": "sha512-7dSzzRQ++CKnNI/krKnYRV7JKKPUXMEh61soaHKg9mrWEhzFWhFnxPxGl+69cD1Ou63C13NUPCnmIcrvqCuM6w==",
+      "version": "18.0.0",
+      "resolved": "https://registry.npmjs.org/yargs/-/yargs-18.0.0.tgz",
+      "integrity": "sha512-4UEqdc2RYGHZc7Doyqkrqiln3p9X2DZVxaGbwhn2pi7MrRagKaOcIKe8L3OxYcbhXLgLFUS3zAYuQjKBQgmuNg==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
-        "cliui": "^8.0.1",
+        "cliui": "^9.0.1",
        "escalade": "^3.1.1",
        "get-caller-file": "^2.0.5",
-        "require-directory": "^2.1.1",
-        "string-width": "^4.2.3",
+        "string-width": "^7.2.0",
        "y18n": "^5.0.5",
-        "yargs-parser": "^21.1.1"
+        "yargs-parser": "^22.0.0"
      },
      "engines": {
-        "node": ">=12"
+        "node": "^20.19.0 || ^22.12.0 || >=23"
      }
    },
    "node_modules/yargs-parser": {
-      "version": "21.1.1",
-      "resolved": "https://registry.npmjs.org/yargs-parser/-/yargs-parser-21.1.1.tgz",
-      "integrity": "sha512-tVpsJW7DdjecAiFpbIB1e3qxIQsE6NoPc5/eTdrbbIC4h0LVsWhnoa3g+m2HclBIujHzsxZ4VJVA+GUuc2/LBw==",
+      "version": "22.0.0",
+      "resolved": "https://registry.npmjs.org/yargs-parser/-/yargs-parser-22.0.0.tgz",
+      "integrity": "sha512-rwu/ClNdSMpkSrUb+d6BRsSkLUq1fmfsY6TOpYzTwvwkg1/NRG85KBy3kq++A8LKQwX6lsu+aWad+2khvuXrqw==",
      "dev": true,
      "license": "ISC",
+      "engines": {
+        "node": "^20.19.0 || ^22.12.0 || >=23"
+      }
+    },
+    "node_modules/yargs/node_modules/ansi-regex": {
+      "version": "6.2.2",
+      "resolved": "https://registry.npmjs.org/ansi-regex/-/ansi-regex-6.2.2.tgz",
+      "integrity": "sha512-Bq3SmSpyFHaWjPk8If9yc6svM8c56dB5BAtW4Qbw5jHTwwXXcTLoRMkpDJp6VL0XzlWaCHTXrkFURMYmD0sLqg==",
+      "dev": true,
+      "license": "MIT",
      "engines": {
        "node": ">=12"
+      },
+      "funding": {
+        "url": "https://github.com/chalk/ansi-regex?sponsor=1"
+      }
+    },
+    "node_modules/yargs/node_modules/emoji-regex": {
+      "version": "10.6.0",
+      "resolved": "https://registry.npmjs.org/emoji-regex/-/emoji-regex-10.6.0.tgz",
+      "integrity": "sha512-toUI84YS5YmxW219erniWD0CIVOo46xGKColeNQRgOzDorgBi1v4D71/OFzgD9GO2UGKIv1C3Sp8DAn0+j5w7A==",
+      "dev": true,
+      "license": "MIT"
+    },
+    "node_modules/yargs/node_modules/string-width": {
+      "version": "7.2.0",
+      "resolved": "https://registry.npmjs.org/string-width/-/string-width-7.2.0.tgz",
+      "integrity": "sha512-tsaTIkKW9b4N+AEj+SVA+WhJzV7/zMhcSu78mLKWSk7cXMOSHsBKFWUs0fWwq8QyK3MgJBQRX6Gbi4kYbdvGkQ==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "emoji-regex": "^10.3.0",
+        "get-east-asian-width": "^1.0.0",
+        "strip-ansi": "^7.1.0"
+      },
+      "engines": {
+        "node": ">=18"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/sindresorhus"
+      }
+    },
+    "node_modules/yargs/node_modules/strip-ansi": {
+      "version": "7.2.0",
+      "resolved": "https://registry.npmjs.org/strip-ansi/-/strip-ansi-7.2.0.tgz",
+      "integrity": "sha512-yDPMNjp4WyfYBkHnjIRLfca1i6KMyGCtsVgoKe/z1+6vukgaENdgGBZt+ZmKPc4gavvEZ5OgHfHdrazhgNyG7w==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "ansi-regex": "^6.2.2"
+      },
+      "engines": {
+        "node": ">=12"
+      },
+      "funding": {
+        "url": "https://github.com/chalk/strip-ansi?sponsor=1"
      }
    },
    "node_modules/yocto-queue": {
@@ -44,7 +44,7 @@
    "uuid": "^14.0.0"
  },
  "devDependencies": {
-    "@ava/typescript": "6.0.0",
+    "@ava/typescript": "7.0.0",
    "@eslint/compat": "^2.0.5",
    "@microsoft/eslint-formatter-sarif": "^3.1.0",
    "@octokit/types": "^16.0.0",
@@ -56,7 +56,7 @@
    "@types/sarif": "^2.1.7",
    "@types/semver": "^7.7.1",
    "@types/sinon": "^21.0.1",
-    "ava": "^6.4.1",
+    "ava": "^7.0.0",
    "esbuild": "^0.28.0",
    "eslint": "^9.39.4",
    "eslint-import-resolver-typescript": "^4.4.4",
@@ -1,259 +0,0 @@
-#!/usr/bin/env npx tsx
-
-/*
-Tests for check-repo-size.ts.
-*/
-
-import * as assert from "node:assert/strict";
-import { execFileSync } from "node:child_process";
-import { randomBytes } from "node:crypto";
-import * as fs from "node:fs";
-import * as os from "node:os";
-import * as path from "node:path";
-import { afterEach, beforeEach, describe, it } from "node:test";
-
-import {
-  COMMENT_MARKER,
-  DEFAULT_BASE_REF,
-  buildCommentBody,
-  formatBytes,
-  formatPercent,
-  isDeltaSignificant,
-  measureArchiveSize,
-  readArgs,
-} from "./check-repo-size";
-
-describe("formatBytes", async () => {
-  const cases: Array<[number, boolean, string]> = [
-    // Unsigned values, including sub-KiB amounts which round to 0.00.
-    [0, false, "0.00 KiB"],
-    [512, false, "0.50 KiB"],
-    [1024, false, "1.00 KiB"],
-    [1024 * 1024, false, "1024.00 KiB"],
-    [2 * 1024 * 1024, false, "2048.00 KiB"],
-    // Negative values always use a leading minus.
-    [-2 * 1024 * 1024, false, "-2048.00 KiB"],
-    // signed=true prepends a + to non-negative values.
-    [0, true, "+0.00 KiB"],
-    [2 * 1024 * 1024, true, "+2048.00 KiB"],
-    [-2 * 1024 * 1024, true, "-2048.00 KiB"],
-  ];
-  for (const [bytes, signed, expected] of cases) {
-    await it(`formats ${bytes} (signed=${signed}) as ${expected}`, () => {
-      assert.equal(formatBytes(bytes, signed), expected);
-    });
-  }
-});
-
-describe("formatPercent", async () => {
-  await it("formats positive fractions with a leading +", () => {
-    assert.equal(formatPercent(0.1), "+10.00%");
-    assert.equal(formatPercent(0.0123), "+1.23%");
-  });
-
-  await it("formats negative fractions with a leading -", () => {
-    assert.equal(formatPercent(-0.1), "-10.00%");
-  });
-
-  await it("formats zero without a sign", () => {
-    assert.equal(formatPercent(0), "0.00%");
-  });
-});
-
-describe("isDeltaSignificant", async () => {
-  const cases: Array<[number, number, number, boolean]> = [
-    // At and above threshold (both signs).
-    [100, 1000, 0.1, true],
-    [101, 1000, 0.1, true],
-    [-100, 1000, 0.1, true],
-    // Below threshold (both signs, plus exact zero).
-    [99, 1000, 0.1, false],
-    [-99, 1000, 0.1, false],
-    [0, 1000, 0.1, false],
-  ];
-  for (const [delta, base, fraction, expected] of cases) {
-    await it(`returns ${expected} for delta=${delta}, base=${base}, fraction=${fraction}`, () => {
-      assert.equal(isDeltaSignificant(delta, base, fraction), expected);
-    });
-  }
-});
-
-describe("buildCommentBody", async () => {
-  await it("includes the marker, the base/PR/delta rows, and the run URL", () => {
-    const body = buildCommentBody({
-      baseRef: "main",
-      baseSize: 2_000_000,
-      prSize: 2_300_000,
-      runUrl: "https://example.test/run",
-    });
-
-    assert.match(body, new RegExp(`^${escapeRegExp(COMMENT_MARKER)}`));
-    assert.match(body, /Base \(`main`\) \| 1953\.13 KiB \(2000000 bytes\)/);
-    assert.match(body, /This PR \| 2246\.09 KiB \(2300000 bytes\)/);
-    assert.match(
-      body,
-      /\*\*Delta\*\* \| \*\*\+292\.97 KiB \(\+300000 bytes, \+15\.00%\)\*\*/,
-    );
-    assert.match(body, /\[workflow run\]\(https:\/\/example\.test\/run\)/);
-  });
-
-  await it("formats negative deltas with a leading minus and omits the run URL when missing", () => {
-    const body = buildCommentBody({
-      baseRef: "main",
-      baseSize: 2_000_000,
-      prSize: 1_800_000,
-    });
-    assert.match(
-      body,
-      /\*\*Delta\*\* \| \*\*-195\.31 KiB \(-200000 bytes, -10\.00%\)\*\*/,
-    );
-    assert.doesNotMatch(body, /workflow run/);
-  });
-});
-
-describe("readArgs", async () => {
-  await it("defaults the base ref and head commit for local runs", () => {
-    const originalEnv = process.env;
-    const originalArgv = process.argv;
-
-    try {
-      process.env = {};
-      process.argv = ["node", "check-repo-size.ts", "--output-dir", "/tmp/out"];
-
-      const args = readArgs();
-
-      assert.equal(args.baseRef, DEFAULT_BASE_REF);
-      assert.equal(args.baseCommitish, `origin/${DEFAULT_BASE_REF}`);
-      assert.equal(args.headCommitish, "HEAD");
-      assert.equal(args.outputDir, "/tmp/out");
-      assert.equal(args.runUrl, undefined);
-    } finally {
-      process.env = originalEnv;
-      process.argv = originalArgv;
-    }
-  });
-
-  await it("uses the base and head SHAs when provided by the workflow", () => {
-    const originalEnv = process.env;
-    const originalArgv = process.argv;
-
-    try {
-      process.env = {
-        BASE_REF: "main",
-        BASE_SHA: "abc123",
-        HEAD_SHA: "def456",
-        RUN_URL: "https://example.test/run",
-      };
-      process.argv = ["node", "check-repo-size.ts", "--output-dir", "/tmp/out"];
-
-      const args = readArgs();
-
-      assert.equal(args.baseRef, "main");
-      assert.equal(args.baseCommitish, "abc123");
-      assert.equal(args.headCommitish, "def456");
-      assert.equal(args.outputDir, "/tmp/out");
-      assert.equal(args.runUrl, "https://example.test/run");
-    } finally {
-      process.env = originalEnv;
-      process.argv = originalArgv;
-    }
-  });
-
-  await it("throws when --output-dir is missing", () => {
-    const originalEnv = process.env;
-    const originalArgv = process.argv;
-
-    try {
-      process.env = {};
-      process.argv = ["node", "check-repo-size.ts"];
-      assert.throws(() => readArgs(), /--output-dir is required/);
-    } finally {
-      process.env = originalEnv;
-      process.argv = originalArgv;
-    }
-  });
-});
-
-let repoDir: string;
-
-beforeEach(() => {
-  repoDir = fs.mkdtempSync(path.join(os.tmpdir(), "check-repo-size-test-"));
-  execFileSync("git", ["init", "--initial-branch=main", "-q"], {
-    cwd: repoDir,
-  });
-  execFileSync("git", ["config", "user.email", "test@example.test"], {
-    cwd: repoDir,
-  });
-  execFileSync("git", ["config", "user.name", "Test"], { cwd: repoDir });
-  execFileSync("git", ["config", "commit.gpgsign", "false"], { cwd: repoDir });
-});
-
-afterEach(() => {
-  fs.rmSync(repoDir, { recursive: true, force: true });
-});
-
-function commit(name: string, content: string, message: string) {
-  fs.writeFileSync(path.join(repoDir, name), content);
-  execFileSync("git", ["add", name], { cwd: repoDir });
-  execFileSync("git", ["commit", "-q", "-m", message], { cwd: repoDir });
-}
-
-describe("measureArchiveSize", async () => {
-  await it("returns a positive byte count for a non-empty repo", async () => {
-    commit("a.txt", "hello world\n", "first");
-    const size = await measureArchiveSize("HEAD", repoDir);
-    assert.ok(size > 0, `expected size > 0, got ${size}`);
-  });
-
-  await it("returns the same size on repeated runs (deterministic)", async () => {
-    commit("a.txt", "hello world\n", "first");
-    const a = await measureArchiveSize("HEAD", repoDir);
-    const b = await measureArchiveSize("HEAD", repoDir);
-    assert.equal(a, b);
-  });
-
-  await it("returns a larger size when more content is added", async () => {
-    commit("a.txt", "hello world\n", "first");
-    const small = await measureArchiveSize("HEAD", repoDir);
-
-    // Use random bytes so the new content is incompressible and the archive
-    // is guaranteed to grow even after gzip.
-    commit("b.bin", randomBytes(8192).toString("base64"), "second");
-    const big = await measureArchiveSize("HEAD", repoDir);
-    assert.ok(
-      big > small,
-      `expected ${big} > ${small} after adding more content`,
-    );
-  });
-
-  await it("ignores untracked files (e.g. node_modules)", async () => {
-    commit("a.txt", "hello\n", "first");
-    commit(".gitignore", "node_modules/\n", "ignore node_modules");
-    const sizeBefore = await measureArchiveSize("HEAD", repoDir);
-
-    fs.mkdirSync(path.join(repoDir, "node_modules"));
-    fs.writeFileSync(
-      path.join(repoDir, "node_modules", "huge.bin"),
-      "x".repeat(1_000_000),
-    );
-
-    const sizeAfter = await measureArchiveSize("HEAD", repoDir);
-    assert.equal(
-      sizeAfter,
-      sizeBefore,
-      "untracked node_modules should not affect the archive size",
-    );
-  });
-
-  await it("rejects when the ref does not exist", async () => {
-    commit("a.txt", "hello\n", "first");
-    await assert.rejects(
-      () => measureArchiveSize("does-not-exist", repoDir),
-      /git archive does-not-exist exited with code/,
-    );
-  });
-});
-
-function escapeRegExp(s: string): string {
-  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
-}
@@ -1,223 +0,0 @@
-#!/usr/bin/env npx tsx
-
-/*
-Measures the difference in the `.tar.gz`'d checkout size of the repo between the PR head and the PR
-base. This size is relevant because it corresponds to the duration of the "Download action
-repository" step that happens at the start of every job that uses this Action.
-
-Writes the candidate sticky-comment body and a small metadata file to `--output-dir`. A separate
-workflow job consumes those artifacts and decides whether to create or update a PR comment.
-*/
-
-import { spawn } from "node:child_process";
-import * as fs from "node:fs";
-import * as path from "node:path";
-import { parseArgs } from "node:util";
-
-import { REPO_ROOT } from "./config";
-
-/** Hidden marker used to find the existing sticky comment on a PR. */
-export const COMMENT_MARKER = "<!-- repo-size-diff-bot -->";
-
-export const DEFAULT_BASE_REF = "main";
-
-/**
- * Fraction of the base archive size at which a delta is considered significant enough to warrant
- * a new sticky comment. We always update an existing comment regardless, so the comment stays in
- * sync as the diff evolves.
- */
-export const SIGNIFICANT_DELTA_FRACTION = 0.1;
-
-/**
- * Stream `git archive --format=tar.gz <ref>` and count the compressed bytes.
- *
- * `git archive` only includes tracked files, so untracked directories like `node_modules` and
- * `build` aren't counted in the size downloaded when starting up a CodeQL job.
- */
-export async function measureArchiveSize(
-  ref: string,
-  cwd: string,
-): Promise<number> {
-  const git = spawn("git", ["archive", "--format=tar.gz", ref], { cwd });
-
-  let stderr = "";
-  git.stderr.on("data", (chunk: Buffer) => {
-    stderr += chunk.toString();
-  });
-
-  let size = 0;
-  git.stdout.on("data", (chunk: Buffer) => {
-    size += chunk.length;
-  });
-
-  const exitCode = await new Promise<number>((resolve, reject) => {
-    git.on("error", reject);
-    git.on("close", resolve);
-  });
-
-  if (exitCode !== 0) {
-    throw new Error(
-      `git archive ${ref} exited with code ${exitCode}: ${stderr.trim()}`,
-    );
-  }
-  return size;
-}
-
-/**
- * Format a byte count as KiB. If `signed` is true, a leading `+` is prepended for non-negative
- * values so gains and losses are visually distinct.
- */
-export function formatBytes(bytes: number, signed = false): string {
-  const sign = bytes < 0 ? "-" : signed ? "+" : "";
-  const kib = Math.abs(bytes) / 1024;
-  return `${sign}${kib.toFixed(2)} KiB`;
-}
-
-/** Format a fraction as a signed percentage with 2 decimal places. */
-export function formatPercent(fraction: number): string {
-  const pct = fraction * 100;
-  const sign = pct > 0 ? "+" : "";
-  return `${sign}${pct.toFixed(2)}%`;
-}
-
-export interface CommentBodyOptions {
-  baseRef: string;
-  baseSize: number;
-  prSize: number;
-  /** Optional URL of the workflow run, included in the comment footer. */
-  runUrl?: string;
-}
-
-export function buildCommentBody(opts: CommentBodyOptions): string {
-  const { baseRef, baseSize, prSize, runUrl } = opts;
-  const delta = prSize - baseSize;
-  const signedDelta = delta >= 0 ? `+${delta}` : `${delta}`;
-  const runUrlLine = runUrl
-    ? ` See the [workflow run](${runUrl}) for details.`
-    : "";
-
-  return [
-    COMMENT_MARKER,
-    "### Repository checkout size",
-    "",
-    "| | Compressed archive size |",
-    "|---|---|",
-    `| Base (\`${baseRef}\`) | ${formatBytes(baseSize)} (${baseSize} bytes) |`,
-    `| This PR | ${formatBytes(prSize)} (${prSize} bytes) |`,
-    `| **Delta** | **${formatBytes(delta, true)} (${signedDelta} bytes, ${formatPercent(delta / baseSize)})** |`,
-    "",
-    "Sizes are measured by streaming `git archive --format=tar.gz <ref>`, " +
-      "which includes tracked files and excludes untracked files such as " +
-      "`node_modules`. The compressed checkout is " +
-      "downloaded by every consumer of this Action, so changes here directly " +
-      `affect Action download time.${runUrlLine}`,
-  ].join("\n");
-}
-
-/**
- * Returns true when the absolute delta is at least `fraction` of the base size. Both increases and
- * decreases are considered significant, so we report wins as well as losses.
- */
-export function isDeltaSignificant(
-  delta: number,
-  baseSize: number,
-  fraction: number,
-): boolean {
-  return Math.abs(delta) >= baseSize * fraction;
-}
-
-interface MainArgs {
-  /** Base ref of the PR. Defaults to `main`. Used as the label in the PR comment. */
-  baseRef: string;
-  /** Base commit-ish to archive. Defaults to `origin/<baseRef>` for local runs. */
-  baseCommitish: string;
-  /** Head commit-ish to archive. Defaults to `HEAD` for local runs. */
-  headCommitish: string;
-  /** Optional URL of the workflow run, surfaced in the comment footer. */
-  runUrl?: string;
-  /** Directory where `body.md` and `metadata.json` are written. */
-  outputDir: string;
-}
-
-export function readArgs(): MainArgs {
-  const { values } = parseArgs({
-    options: {
-      "output-dir": { type: "string" },
-    },
-    strict: true,
-  });
-
-  const outputDir = values["output-dir"];
-  if (!outputDir) {
-    throw new Error("--output-dir is required");
-  }
-
-  const baseRef = process.env.BASE_REF ?? DEFAULT_BASE_REF;
-  const baseCommitish = process.env.BASE_SHA ?? `origin/${baseRef}`;
-  const headCommitish = process.env.HEAD_SHA ?? "HEAD";
-
-  return {
-    baseRef,
-    baseCommitish,
-    headCommitish,
-    runUrl: process.env.RUN_URL,
-    outputDir,
-  };
-}
-
-async function main(): Promise<number> {
-  const args = readArgs();
-
-  console.log(`Measuring base archive size for ${args.baseCommitish}...`);
-  const baseSize = await measureArchiveSize(args.baseCommitish, REPO_ROOT);
-  console.log(`  ${baseSize} bytes`);
-
-  console.log(`Measuring PR archive size for ${args.headCommitish}...`);
-  const prSize = await measureArchiveSize(args.headCommitish, REPO_ROOT);
-  console.log(`  ${prSize} bytes`);
-
-  const delta = prSize - baseSize;
-  const significant = isDeltaSignificant(
-    delta,
-    baseSize,
-    SIGNIFICANT_DELTA_FRACTION,
-  );
-  console.log(
-    `Delta: ${delta} bytes (significant=${significant}, threshold=${(
-      SIGNIFICANT_DELTA_FRACTION * 100
-    ).toFixed(2)}%)`,
-  );
-
-  const body = buildCommentBody({
-    baseRef: args.baseRef,
-    baseSize,
-    prSize,
-    runUrl: args.runUrl,
-  });
-
-  fs.mkdirSync(args.outputDir, { recursive: true });
-  fs.writeFileSync(path.join(args.outputDir, "body.md"), body);
-  fs.writeFileSync(
-    path.join(args.outputDir, "metadata.json"),
-    `${JSON.stringify(
-      { significant, baseRef: args.baseRef, baseSize, prSize, delta },
-      null,
-      2,
-    )}\n`,
-  );
-  console.log(`Wrote body.md and metadata.json to ${args.outputDir}.`);
-  return 0;
-}
-
-async function run(): Promise<void> {
-  try {
-    process.exit(await main());
-  } catch (err) {
-    console.error(err instanceof Error ? err.message : String(err));
-    process.exit(1);
-  }
-}
-
-if (require.main === module) {
-  void run();
-}
@@ -6,17 +6,14 @@ export const OLDEST_SUPPORTED_MAJOR_VERSION = 3;
 /** The `pr-checks` directory. */
 export const PR_CHECKS_DIR = __dirname;

-/** The repository root. */
-export const REPO_ROOT = path.join(PR_CHECKS_DIR, "..");
-
 /** The path of the file configuring which checks shouldn't be required. */
 export const PR_CHECK_EXCLUDED_FILE = path.join(PR_CHECKS_DIR, "excluded.yml");

 /** The path to the esbuild metadata file. */
-export const BUNDLE_METADATA_FILE = path.join(REPO_ROOT, "meta.json");
+export const BUNDLE_METADATA_FILE = path.join(PR_CHECKS_DIR, "..", "meta.json");

 /** The `src` directory. */
-const SOURCE_ROOT = path.join(REPO_ROOT, "src");
+const SOURCE_ROOT = path.join(PR_CHECKS_DIR, "..", "src");

 /** The path to the built-in languages file. */
 export const BUILTIN_LANGUAGES_FILE = path.join(
@@ -1,17 +1,16 @@
 # PR checks to exclude from required checks
 contains:
-  - "ESLint"
  - "https://"
-  - "test-setup-python-scripts"
-  - "update"
  - "Update"
+  - "ESLint"
+  - "update"
+  - "test-setup-python-scripts"
 is:
-  - "Agent"
-  - "check-expected-release-files"
-  - "Cleanup artifacts"
  - "CodeQL"
  - "Dependabot"
-  - "Label PR with size"
-  - "Post repo size comment"
+  - "check-expected-release-files"
+  - "Agent"
+  - "Cleanup artifacts"
  - "Prepare"
  - "Upload results"
+  - "Label PR with size"
@@ -43,7 +43,6 @@ predicate envVarRead(DataFlow::Node node, string envVar) {
 from DataFlow::Node read, string envVar
 where
  envVarRead(read, envVar) and
-  read.getFile().getRelativePath().matches("src/%") and
  not read.getFile().getBaseName().matches("%.test.ts") and
  not isSafeForDefaultSetup(envVar)
 select read,
@@ -16,12 +16,7 @@ import {
 } from "./analyses";
 import { EnvVar } from "./environment";
 import { getRunnerLogger } from "./logging";
-import {
-  createFeatures,
-  RecordingLogger,
-  setupBaseActionsVars,
-  setupTests,
-} from "./testing-utils";
+import { createFeatures, RecordingLogger, setupTests } from "./testing-utils";
 import { AssessmentPayload } from "./upload-lib/types";
 import { ConfigurationError } from "./util";

@@ -77,7 +72,6 @@ test.serial(
 test.serial(
  "getAnalysisKinds - only use `code-scanning` for multiple analysis kinds outside of test mode",
  async (t) => {
-    setupBaseActionsVars();
    process.env[EnvVar.TEST_MODE] = "false";
    const features = createFeatures([]);
    const logger = new RecordingLogger();
@@ -95,40 +89,6 @@ test.serial(
  },
 );

-test.serial(
-  "getAnalysisKinds - logs error for non-default `analysis-kinds` in custom workflow",
-  async (t) => {
-    setupBaseActionsVars({ GITHUB_EVENT_NAME: "push" });
-    process.env[EnvVar.TEST_MODE] = "false";
-    const features = createFeatures([]);
-    const logger = new RecordingLogger();
-    const requiredInputStub = sinon.stub(actionsUtil, "getRequiredInput");
-    requiredInputStub.withArgs("analysis-kinds").returns("code-quality");
-    const result = await getAnalysisKinds(logger, features, true);
-    t.deepEqual(result, [AnalysisKind.CodeQuality]);
-    t.assert(
-      logger.hasMessage(
-        "An analysis kind other than `code-scanning` was specified in a custom workflow.",
-      ),
-    );
-  },
-);
-
-test.serial(
-  "getAnalysisKinds - no error for non-default `analysis-kinds` in managed workflow",
-  async (t) => {
-    setupBaseActionsVars({ GITHUB_EVENT_NAME: "dynamic" });
-    process.env[EnvVar.TEST_MODE] = "false";
-    const features = createFeatures([]);
-    const logger = new RecordingLogger();
-    const requiredInputStub = sinon.stub(actionsUtil, "getRequiredInput");
-    requiredInputStub.withArgs("analysis-kinds").returns("code-quality");
-    const result = await getAnalysisKinds(logger, features, true);
-    t.deepEqual(result, [AnalysisKind.CodeQuality]);
-    t.deepEqual(logger.messages, []);
-  },
-);
-
 test.serial(
  "getAnalysisKinds - includes `code-quality` when deprecated `quality-queries` input is used",
  async (t) => {
@@ -173,7 +133,6 @@ for (let i = 0; i < analysisKinds.length; i++) {
      test.serial(
        `getAnalysisKinds - allows ${analysisKind} with ${otherAnalysis}`,
        async (t) => {
-          setupBaseActionsVars();
          process.env[EnvVar.TEST_MODE] = "true";
          const features = createFeatures([]);
          const requiredInputStub = sinon.stub(actionsUtil, "getRequiredInput");
@@ -192,7 +151,6 @@ for (let i = 0; i < analysisKinds.length; i++) {
      test.serial(
        `getAnalysisKinds - throws if ${analysisKind} is enabled with ${otherAnalysis}`,
        async (t) => {
-          setupBaseActionsVars();
          const features = createFeatures([]);
          const requiredInputStub = sinon.stub(actionsUtil, "getRequiredInput");
          requiredInputStub
@@ -2,7 +2,6 @@ import {
  fixCodeQualityCategory,
  getOptionalInput,
  getRequiredInput,
-  isDynamicWorkflow,
 } from "./actions-util";
 import { EnvVar } from "./environment";
 import { Feature, FeatureEnablement } from "./feature-flags";
@@ -66,21 +65,6 @@ export async function parseAnalysisKinds(
 // Used to avoid re-parsing the input after we have done it once.
 let cachedAnalysisKinds: AnalysisKind[] | undefined;

-/** Determines whether `code-scanning` is the only enabled analysis kind in `analysisKinds`. */
-function isOnlyCodeScanningEnabled(analysisKinds: AnalysisKind[]) {
-  return (
-    analysisKinds.length === 1 && analysisKinds[0] === AnalysisKind.CodeScanning
-  );
-}
-
-/** Prepends a generic message about the intended usage for `analysis-kinds` to `message`. */
-function makeAnalysisKindUsageError(message: string) {
-  return (
-    "The `analysis-kinds` input is experimental and for GitHub-internal use only. " +
-    `Its behaviour may change at any time or be removed entirely. ${message}`
-  );
-}
-
 /**
 * Initialises the analysis kinds for the analysis based on the `analysis-kinds` input.
 * This function will also use the deprecated `quality-queries` input as an indicator to enable `code-quality`.
@@ -105,26 +89,6 @@ export async function getAnalysisKinds(
    getRequiredInput("analysis-kinds"),
  );

-  // Log an error if we are outside of a GitHub-managed workflow and an analysis kind
-  // other than `code-scanning` is enabled.
-  if (
-    !isInTestMode() &&
-    !isDynamicWorkflow() &&
-    !isOnlyCodeScanningEnabled(analysisKinds)
-  ) {
-    const codeQualityHint = analysisKinds.includes(AnalysisKind.CodeQuality)
-      ? " If your intention is to use quality queries outside of Code Quality, " +
-        "use the `queries` input with `code-quality` instead."
-      : "";
-
-    logger.error(
-      makeAnalysisKindUsageError(
-        "An analysis kind other than `code-scanning` was specified in a custom workflow. " +
-          `This is not supported and will become a fatal error in a future version of the CodeQL Action.${codeQualityHint}`,
-      ),
-    );
-  }
-
  // Warn that `quality-queries` is deprecated if there is an argument for it.
  const qualityQueriesInput = getOptionalInput("quality-queries");

@@ -166,10 +130,10 @@ export async function getAnalysisKinds(
    !(await features.getValue(Feature.AllowMultipleAnalysisKinds))
  ) {
    logger.error(
-      makeAnalysisKindUsageError(
+      "The `analysis-kinds` input is experimental and for GitHub-internal use only. " +
+        "Its behaviour may change at any time or be removed entirely. " +
        "Specifying multiple values as input is no longer supported. " +
-          "Continuing with only `analysis-kinds: code-scanning`.",
-      ),
+        "Continuing with only `analysis-kinds: code-scanning`.",
    );

    // Only enable Code Scanning.
@@ -129,7 +129,6 @@ export enum Feature {
  QaTelemetryEnabled = "qa_telemetry_enabled",
  /** Note that this currently only disables baseline file coverage information. */
  SkipFileCoverageOnPrs = "skip_file_coverage_on_prs",
-  StartProxyRemoveUnusedRegistries = "start_proxy_remove_unused_registries",
  StartProxyUseFeaturesRelease = "start_proxy_use_features_release",
  UploadOverlayDbToApi = "upload_overlay_db_to_api",
  ValidateDbConfig = "validate_db_config",
@@ -365,11 +364,6 @@ export const featureConfig = {
    minimumVersion: undefined,
    toolsFeature: ToolsFeature.SuppressesMissingFileBaselineWarning,
  },
-  [Feature.StartProxyRemoveUnusedRegistries]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_START_PROXY_REMOVE_UNUSED_REGISTRIES",
-    minimumVersion: undefined,
-  },
  [Feature.StartProxyUseFeaturesRelease]: {
    defaultValue: false,
    envVar: "CODEQL_ACTION_START_PROXY_USE_FEATURES_RELEASE",
@@ -5,7 +5,7 @@ import * as core from "@actions/core";

 import * as actionsUtil from "./actions-util";
 import { getGitHubVersion } from "./api-client";
-import { Feature, FeatureEnablement, initFeatures } from "./feature-flags";
+import { FeatureEnablement, initFeatures } from "./feature-flags";
 import { BuiltInLanguage, parseBuiltInLanguage } from "./languages";
 import { getActionsLogger, Logger } from "./logging";
 import { getRepositoryNwo } from "./repository";
@@ -57,18 +57,12 @@ async function run(startedAt: Date) {
    const languageInput = actionsUtil.getOptionalInput("language");
    language = languageInput ? parseBuiltInLanguage(languageInput) : undefined;

-    // Query the FF for whether we should use the reduced registry mapping.
-    const skipUnusedRegistries = await features.getValue(
-      Feature.StartProxyRemoveUnusedRegistries,
-    );
-
    // Get the registry configurations from one of the inputs.
    const credentials = getCredentials(
      logger,
      actionsUtil.getOptionalInput("registry_secrets"),
      actionsUtil.getOptionalInput("registries_credentials"),
      language,
-      skipUnusedRegistries,
    );

    if (credentials.length === 0) {
@@ -585,7 +585,6 @@ test("getCredentials validates 'replaces-base' correctly", async (t) => {
    undefined,
    credentialsInput,
    BuiltInLanguage.java,
-    false,
  );

  t.is(credentials.length, 3);
@@ -604,8 +603,7 @@ test("getCredentials validates 'replaces-base' correctly", async (t) => {
      getRunnerLogger(true),
      undefined,
      toEncodedJSON([{ ...baseInvalid, "replaces-base": null }]),
-      BuiltInLanguage.actions,
-      false,
+      BuiltInLanguage.java,
    ),
  );
  t.throws(() =>
@@ -613,8 +611,7 @@ test("getCredentials validates 'replaces-base' correctly", async (t) => {
      getRunnerLogger(true),
      undefined,
      toEncodedJSON([{ ...baseInvalid, "replaces-base": 123 }]),
-      BuiltInLanguage.actions,
-      false,
+      BuiltInLanguage.java,
    ),
  );
  t.throws(() =>
@@ -622,13 +619,12 @@ test("getCredentials validates 'replaces-base' correctly", async (t) => {
      getRunnerLogger(true),
      undefined,
      toEncodedJSON([{ ...baseInvalid, "replaces-base": "true" }]),
-      BuiltInLanguage.actions,
-      false,
+      BuiltInLanguage.java,
    ),
  );
 });

-test("getCredentials returns all credentials for Actions when using LANGUAGE_TO_REGISTRY_TYPE", async (t) => {
+test("getCredentials returns no credentials for Actions", async (t) => {
  const credentialsInput = toEncodedJSON(mixedCredentials);

  const credentials = startProxyExports.getCredentials(
@@ -636,20 +632,6 @@ test("getCredentials returns all credentials for Actions when using LANGUAGE_TO_
    undefined,
    credentialsInput,
    BuiltInLanguage.actions,
-    false,
-  );
-  t.is(credentials.length, mixedCredentials.length);
-});
-
-test("getCredentials returns no credentials for Actions when using NEW_LANGUAGE_TO_REGISTRY_TYPE", async (t) => {
-  const credentialsInput = toEncodedJSON(mixedCredentials);
-
-  const credentials = startProxyExports.getCredentials(
-    getRunnerLogger(true),
-    undefined,
-    credentialsInput,
-    BuiltInLanguage.actions,
-    true,
  );
  t.deepEqual(credentials, []);
 });
@@ -189,17 +189,7 @@ function isPAT(value: string) {

 type RegistryMapping = Partial<Record<BuiltInLanguage, string[]>>;

-const LANGUAGE_TO_REGISTRY_TYPE: RegistryMapping = {
-  java: ["maven_repository"],
-  csharp: ["nuget_feed"],
-  javascript: ["npm_registry"],
-  python: ["python_index"],
-  ruby: ["rubygems_server"],
-  rust: ["cargo_registry"],
-  go: ["goproxy_server", "git_source"],
-} as const;
-
-const NEW_LANGUAGE_TO_REGISTRY_TYPE: Required<RegistryMapping> = {
+const LANGUAGE_TO_REGISTRY_TYPE: Required<RegistryMapping> = {
  actions: [],
  cpp: [],
  java: ["maven_repository"],
@@ -251,13 +241,9 @@ export function getCredentials(
  registrySecrets: string | undefined,
  registriesCredentials: string | undefined,
  language: BuiltInLanguage | undefined,
-  skipUnusedRegistries: boolean = false,
 ): Credential[] {
-  const registryMapping = skipUnusedRegistries
-    ? NEW_LANGUAGE_TO_REGISTRY_TYPE
-    : LANGUAGE_TO_REGISTRY_TYPE;
  const registryTypeForLanguage = language
-    ? registryMapping[language]
+    ? LANGUAGE_TO_REGISTRY_TYPE[language]
    : undefined;

  let credentialsStr: string;
@@ -188,37 +188,17 @@ export const DEFAULT_ACTIONS_VARS = {
  RUNNER_OS: "Linux",
 } as const satisfies Record<string, string>;

-/** Partial mappings from GitHub Actions environment variables to values. */
-export type ActionVarOverrides = Partial<
-  Record<keyof typeof DEFAULT_ACTIONS_VARS, string>
->;
-
-/**
- * Sets environment variables that are always available on GitHub Actions,
- * excluding some that are expected to be set to paths. See `setupActionsVars`.
- *
- * @param overrides Overrides for the defaults.
- */
-export function setupBaseActionsVars(overrides?: ActionVarOverrides) {
+// Sets environment variables that make using some libraries designed for
+// use only on actions safe to use outside of actions.
+export function setupActionsVars(
+  tempDir: string,
+  toolsDir: string,
+  overrides?: Partial<Record<keyof typeof DEFAULT_ACTIONS_VARS, string>>,
+) {
  const vars = { ...DEFAULT_ACTIONS_VARS, ...overrides };
  for (const [key, value] of Object.entries(vars)) {
    process.env[key] = value;
  }
-}
-
-/**
- * Sets environment variables that are always available on GitHub Actions.
- *
- * @param tempDir A value for `RUNNER_TEMP` and `GITHUB_WORKSPACE`.
- * @param toolsDir A value for `RUNNER_TOOL_CACHE`.
- * @param overrides Overrides for the defaults.
- */
-export function setupActionsVars(
-  tempDir: string,
-  toolsDir: string,
-  overrides?: ActionVarOverrides,
-) {
-  setupBaseActionsVars(overrides);
  process.env["RUNNER_TEMP"] = tempDir;
  process.env["RUNNER_TOOL_CACHE"] = toolsDir;
  process.env["GITHUB_WORKSPACE"] = tempDir;
@@ -1,3 +0,0 @@
-"use strict";
-
-module.exports = require("./entry-points").__UPLOAD_LIB_EXPORT__;