PoC: switch esbuild bundles to ESM with code splitting + minify

Bundles each entry point as ESM with esbuild's splitting:true so
shared transitive dependencies (Azure storage, undici, octokit, ...)
live in shared chunk files under lib/chunks/ instead of being
duplicated into every entry bundle.

A small banner is injected so bundled CommonJS deps that call
require(), __filename or __dirname at runtime still work. A
lib/package.json with { "type": "module" } is written by the build
so the bundles can keep the .js extension while being loaded as ESM
by Node; this scope avoids touching the tsc output in build/ and the
action.yml entrypoints stay unchanged.

On a measured tar.gz of the working tree this takes the repo from
~9.5 MB to ~2.6 MB compressed (lib/ alone: 8.0 MB -> 0.7 MB).

.github/actions/prepare-mergeback-branch/action.yml

@@ -41,38 +41,7 @@ runs:
         git add .
         git commit -m "Update changelog and version after ${VERSION}"
 
-    # Update the build artifacts with the new version number
-    - name: Rebuild the Action
-      shell: bash
-      run: |
-        set -exu
-        npm ci
-        npm run build
-
-    - name: Check for rebuild changes
-      id: rebuild_changes
-      shell: bash
-      run: |
-        set -exu
-        git add --all
-        if git diff --cached --quiet; then
-          echo "has_changes=false" >> "${GITHUB_OUTPUT}"
-        else
-          echo "has_changes=true" >> "${GITHUB_OUTPUT}"
-        fi
-
-    - name: Commit rebuild
-      if: steps.rebuild_changes.outputs.has_changes == 'true'
-      shell: bash
-      run: |
-        set -exu
-        git commit -m "Rebuild"
-
-    - name: Push mergeback branch
-      shell: bash
-      env:
-        NEW_BRANCH: "${{ inputs.branch }}"
-      run: git push origin "${NEW_BRANCH}"
+        git push origin "${NEW_BRANCH}"
 
     - name: Create PR
       shell: bash
@@ -91,6 +60,8 @@ runs:
 
           Please do the following:
 
+          - [ ] Remove and re-add the "Rebuild" label to the PR to trigger just this workflow.
+          - [ ] Wait for the "Rebuild" workflow to push a commit updating the distribution files.
           - [ ] Mark the PR as ready for review to trigger the full set of PR checks.
           - [ ] Approve and merge the PR. When merging the PR, make sure "Create a merge commit" is
                 selected rather than "Squash and merge" or "Rebase and merge".
@@ -103,6 +74,7 @@ runs:
           --head "${NEW_BRANCH}" \
           --base "${BASE_BRANCH}" \
           --title "${pr_title}" \
+          --label "Rebuild" \
           --body "${pr_body}" \
           --assignee "${GITHUB_ACTOR}" \
           --draft

.github/actions/release-initialise/action.yml

@@ -18,7 +18,7 @@ runs:
     - name: Set up Node
       uses: actions/setup-node@v6
       with:
-        node-version: 24
+        node-version: 20
         cache: 'npm'
 
     - name: Set up Python

.github/update-release-branch.py

@@ -16,27 +16,12 @@ No user facing changes.
 """
 
 # NB: This exact commit message is used to find commits for reverting during backports.
-# Changing it requires a transition period where both old and new versions are supported.
+# Changing it requires a transition period where both old and new versions are supported.
 BACKPORT_COMMIT_MESSAGE = 'Update version and changelog for v'
 
-# Commit message used for rebuild commits, both those produced by this script and those produced
-# by the `Rebuild Action` workflow (`.github/workflows/rebuild.yml`).
-REBUILD_COMMIT_MESSAGE = 'Rebuild'
-
 # Name of the remote
 ORIGIN = 'origin'
 
-# Environment variables to check for a GitHub API token.
-TOKEN_ENVIRONMENT_VARIABLES = ('GH_TOKEN', 'GITHUB_TOKEN')
-
-# Gets a GitHub API token from one of the supported environment variables.
-def get_github_token():
-  for variable_name in TOKEN_ENVIRONMENT_VARIABLES:
-    token = os.environ.get(variable_name, '').strip()
-    if token:
-      return token
-  raise Exception('Missing GitHub token. Set GITHUB_TOKEN or GH_TOKEN.')
-
 # Runs git with the given args and returns the stdout.
 # Raises an error if git does not exit successfully (unless passed
 # allow_non_zero_exit_code=True).
@@ -47,28 +32,6 @@ def run_git(*args, allow_non_zero_exit_code=False):
     raise Exception(f'Call to {" ".join(cmd)} exited with code {p.returncode} stderr: {p.stderr.decode("ascii")}.')
   return p.stdout.decode('ascii')
 
-# Runs the given command, streaming output to the console.
-# Raises an error if the command does not exit successfully.
-def run_command(*args):
-  cmd = list(args)
-  print(f'Running `{" ".join(cmd)}`.')
-  subprocess.run(cmd, check=True)
-
-# Rebuilds the action and commits any changes.
-def rebuild_action():
-  # For backports, the only source-level change vs the source branch is the new version number,
-  # so we just need to refresh the version embedded in `lib/`.
-  run_command('npm', 'ci')
-  run_command('npm', 'run', 'build')
-
-  run_git('add', '--all')
-  # `git diff --cached --quiet` exits 0 if there are no staged changes, 1 if there are.
-  if subprocess.run(['git', 'diff', '--cached', '--quiet']).returncode == 0:
-    print('Rebuild produced no changes; skipping Rebuild commit.')
-  else:
-    run_git('commit', '-m', REBUILD_COMMIT_MESSAGE)
-    print('Created Rebuild commit.')
-
 # Returns true if the given branch exists on the origin remote
 def branch_exists_on_remote(branch_name):
   return run_git('ls-remote', '--heads', ORIGIN, branch_name).strip() != ''
@@ -124,11 +87,9 @@ def open_pr(
   body.append('Please do the following:')
   if len(conflicted_files) > 0:
     body.append(' - [ ] Ensure `package.json` file contains the correct version.')
-    body.append(' - [ ] Add a commit to this branch to resolve the merge conflicts ' +
+    body.append(' - [ ] Add commits to this branch to resolve the merge conflicts ' +
       'in the following files:')
-    body.extend([f'    - `{file}`' for file in conflicted_files])
-    body.append(' - [ ] Rebuild the Action locally (`npm run build`) and push any changes to the ' +
-      f'built output in `lib` as a separate commit named exactly `{REBUILD_COMMIT_MESSAGE}`.')
+    body.extend([f'    - [ ] `{file}`' for file in conflicted_files])
     body.append(' - [ ] Ensure another maintainer has reviewed the additional commits you added to this ' +
       'branch to resolve the merge conflicts.')
   body.append(' - [ ] Ensure the CHANGELOG displays the correct version and date.')
@@ -136,6 +97,10 @@ def open_pr(
   body.append(f' - [ ] Check that there are not any unexpected commits being merged into the `{target_branch}` branch.')
   body.append(' - [ ] Ensure the docs team is aware of any documentation changes that need to be released.')
 
+  if not is_primary_release:
+    body.append(' - [ ] Remove and re-add the "Rebuild" label to the PR to trigger just this workflow.')
+    body.append(' - [ ] Wait for the "Rebuild" workflow to push a commit updating the distribution files.')
+
   body.append(' - [ ] Mark the PR as ready for review to trigger the full set of PR checks.')
   body.append(' - [ ] Approve and merge this PR. Make sure `Create a merge commit` is selected rather than `Squash and merge` or `Rebase and merge`.')
 
@@ -144,11 +109,13 @@ def open_pr(
     body.append(' - [ ] Merge all backport PRs to older release branches, that will automatically be created once this PR is merged.')
 
   title = f'Merge {source_branch} into {target_branch}'
+  labels = ['Rebuild'] if not is_primary_release else []
 
   # Create the pull request
   # PR checks won't be triggered on PRs created by Actions. Therefore mark the PR as draft so that
   # a maintainer can take the PR out of draft, thereby triggering the PR checks.
   pr = repo.create_pull(title=title, body='\n'.join(body), head=new_branch_name, base=target_branch, draft=True)
+  pr.add_to_labels(*labels)
   print(f'Created PR #{str(pr.number)}')
 
   # Assign the conductor
@@ -303,6 +270,12 @@ def update_changelog(version):
 def main():
   parser = argparse.ArgumentParser('update-release-branch.py')
 
+  parser.add_argument(
+    '--github-token',
+    type=str,
+    required=True,
+    help='GitHub token, typically from GitHub Actions.'
+  )
   parser.add_argument(
     '--repository-nwo',
     type=str,
@@ -340,7 +313,7 @@ def main():
   target_branch = args.target_branch
   is_primary_release = args.is_primary_release
 
-  repo = Github(get_github_token()).get_repo(args.repository_nwo)
+  repo = Github(args.github_token).get_repo(args.repository_nwo)
 
   # the target branch will be of the form releases/vN, where N is the major version number
   target_branch_major_version = target_branch.strip('releases/v')
@@ -407,9 +380,8 @@ def main():
       # releases.
       run_git('revert', vOlder_update_commits[0], '--no-edit')
 
-      # Also revert the "Rebuild" commit, whether created by this script or by the
-      # `Rebuild Action` workflow.
-      rebuild_commit = run_git('log', '--grep', f'^{REBUILD_COMMIT_MESSAGE}$', '--format=%H').split()[0]
+      # Also revert the "Rebuild" commit created by Actions.
+      rebuild_commit = run_git('log', '--grep', '^Rebuild$', '--format=%H').split()[0]
       print(f'  Reverting {rebuild_commit}')
       run_git('revert', rebuild_commit, '--no-edit')
 
@@ -424,10 +396,9 @@ def main():
       run_git('add', '.')
       run_git('commit', '--no-edit')
 
-    # Migrate the package version number from a vLatest version number to a vOlder version number.
-    # `package-lock.json` is updated as part of the subsequent rebuild step (see `rebuild_action`).
+    # Migrate the package version number from a vLatest version number to a vOlder version number
     print(f'Setting version number to {version} in package.json')
-    replace_version_package_json(get_current_version(), version)
+    replace_version_package_json(get_current_version(), version) # We rely on the `Rebuild` workflow to update package-lock.json
     run_git('add', 'package.json')
 
     # Migrate the changelog notes from vLatest version numbers to vOlder version numbers
@@ -450,13 +421,6 @@ def main():
     run_git('add', 'CHANGELOG.md')
     run_git('commit', '-m', f'Update changelog for v{version}')
 
-  if not is_primary_release:
-    if len(conflicted_files) == 0:
-      print('Rebuilding the Action.')
-      rebuild_action()
-    else:
-      print(f'Skipping automatic rebuild because the merge produced conflicts in {conflicted_files}.')
-
   run_git('push', ORIGIN, new_branch_name)
 
   # Open a PR to update the branch

.github/workflows/__go-tracing-autobuilder.yml

@@ -49,6 +49,10 @@ jobs:
       fail-fast: false
       matrix:
         include:
+          - os: ubuntu-latest
+            version: stable-v2.17.6
+          - os: ubuntu-latest
+            version: stable-v2.18.4
           - os: ubuntu-latest
             version: stable-v2.19.4
           - os: ubuntu-latest
@@ -57,10 +61,6 @@ jobs:
             version: stable-v2.21.4
           - os: ubuntu-latest
             version: stable-v2.22.4
-          - os: ubuntu-latest
-            version: stable-v2.23.9
-          - os: ubuntu-latest
-            version: stable-v2.24.3
           - os: ubuntu-latest
             version: default
           - os: ubuntu-latest

.github/workflows/__go-tracing-custom-build-steps.yml

@@ -49,6 +49,10 @@ jobs:
       fail-fast: false
       matrix:
         include:
+          - os: ubuntu-latest
+            version: stable-v2.17.6
+          - os: ubuntu-latest
+            version: stable-v2.18.4
           - os: ubuntu-latest
             version: stable-v2.19.4
           - os: ubuntu-latest
@@ -57,10 +61,6 @@ jobs:
             version: stable-v2.21.4
           - os: ubuntu-latest
             version: stable-v2.22.4
-          - os: ubuntu-latest
-            version: stable-v2.23.9
-          - os: ubuntu-latest
-            version: stable-v2.24.3
           - os: ubuntu-latest
             version: default
           - os: ubuntu-latest

.github/workflows/__go-tracing-legacy-workflow.yml

@@ -49,6 +49,10 @@ jobs:
       fail-fast: false
       matrix:
         include:
+          - os: ubuntu-latest
+            version: stable-v2.17.6
+          - os: ubuntu-latest
+            version: stable-v2.18.4
           - os: ubuntu-latest
             version: stable-v2.19.4
           - os: ubuntu-latest
@@ -57,10 +61,6 @@ jobs:
             version: stable-v2.21.4
           - os: ubuntu-latest
             version: stable-v2.22.4
-          - os: ubuntu-latest
-            version: stable-v2.23.9
-          - os: ubuntu-latest
-            version: stable-v2.24.3
           - os: ubuntu-latest
             version: default
           - os: ubuntu-latest

.github/workflows/__multi-language-autodetect.yml

@@ -59,41 +59,41 @@ jobs:
       fail-fast: false
       matrix:
         include:
+          - os: ubuntu-latest
+            version: stable-v2.17.6
+          - os: macos-latest
+            version: stable-v2.17.6
+          - os: ubuntu-latest
+            version: stable-v2.18.4
+          - os: macos-latest
+            version: stable-v2.18.4
           - os: ubuntu-latest
             version: stable-v2.19.4
-          - os: macos-latest-xlarge
+          - os: macos-latest
             version: stable-v2.19.4
           - os: ubuntu-latest
             version: stable-v2.20.7
-          - os: macos-latest-xlarge
+          - os: macos-latest
             version: stable-v2.20.7
           - os: ubuntu-latest
             version: stable-v2.21.4
-          - os: macos-latest-xlarge
+          - os: macos-latest
             version: stable-v2.21.4
           - os: ubuntu-latest
             version: stable-v2.22.4
-          - os: macos-latest-xlarge
+          - os: macos-latest
             version: stable-v2.22.4
-          - os: ubuntu-latest
-            version: stable-v2.23.9
-          - os: macos-latest-xlarge
-            version: stable-v2.23.9
-          - os: ubuntu-latest
-            version: stable-v2.24.3
-          - os: macos-latest-xlarge
-            version: stable-v2.24.3
           - os: ubuntu-latest
             version: default
-          - os: macos-latest-xlarge
+          - os: macos-latest
             version: default
           - os: ubuntu-latest
             version: linked
-          - os: macos-latest-xlarge
+          - os: macos-latest
             version: linked
           - os: ubuntu-latest
             version: nightly-latest
-          - os: macos-latest-xlarge
+          - os: macos-latest
             version: nightly-latest
     name: Multi-language repository
     if: github.triggering_actor != 'dependabot[bot]'

.github/workflows/__rust.yml

@@ -40,7 +40,7 @@ jobs:
       matrix:
         include:
           - os: ubuntu-latest
-            version: stable-v2.19.4
+            version: stable-v2.19.3
           - os: ubuntu-latest
             version: stable-v2.22.1
           - os: ubuntu-latest

.github/workflows/__swift-autobuild.yml

@@ -39,7 +39,7 @@ jobs:
       fail-fast: false
       matrix:
         include:
-          - os: macos-latest-xlarge
+          - os: macos-latest
             version: nightly-latest
     name: Swift analysis using autobuild
     if: github.triggering_actor != 'dependabot[bot]'

.github/workflows/check-expected-release-files.yml

@@ -9,10 +9,6 @@ on:
     # by other workflows.
     types: [opened, synchronize, reopened, ready_for_review]
 
-concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: ${{ github.workflow }}-${{ github.ref }}
-
 defaults:
   run:
     shell: bash

.github/workflows/codeql.yml

@@ -77,7 +77,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        os: [ubuntu-22.04,ubuntu-24.04,windows-2022,windows-2025,macos-14-xlarge,macos-15-xlarge]
+        os: [ubuntu-22.04,ubuntu-24.04,windows-2022,windows-2025,macos-14,macos-15]
         tools: ${{ fromJson(needs.check-codeql-versions.outputs.versions) }}
     runs-on: ${{ matrix.os }}
 

.github/workflows/codescanning-config-cli.yml

@@ -6,6 +6,13 @@ env:
   # Diff informed queries add an additional query filter which is not yet
   # taken into account by these tests.
   CODEQL_ACTION_DIFF_INFORMED_QUERIES: false
+  # Specify overlay enablement manually to ensure stability around the exclude-from-incremental
+  # query filter. Here we only enable for the default code scanning suite.
+  CODEQL_ACTION_OVERLAY_ANALYSIS: true
+  CODEQL_ACTION_OVERLAY_ANALYSIS_JAVASCRIPT: false
+  CODEQL_ACTION_OVERLAY_ANALYSIS_CODE_SCANNING_JAVASCRIPT: true
+  CODEQL_ACTION_OVERLAY_ANALYSIS_STATUS_CHECK: false
+  CODEQL_ACTION_OVERLAY_ANALYSIS_SKIP_RESOURCE_CHECKS: true
 
 on:
   push:
@@ -24,10 +31,6 @@ on:
     - cron: '0 5 * * *'
   workflow_dispatch:
 
-concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: ${{ github.workflow }}-${{ github.ref }}
-
 defaults:
   run:
     shell: bash
@@ -76,13 +79,33 @@ jobs:
       with:
         version: ${{ matrix.version }}
 
-    - name: Empty file
+    # On PRs, overlay analysis may change the config that is passed to the CLI.
+    # Therefore, we have two variants of the following test, one for PRs and one for other events.
+    - name: Empty file (non-PR)
+      if: github.event_name != 'pull_request'
       uses: ./../action/.github/actions/check-codescanning-config
       with:
         expected-config-file-contents: "{}"
         languages: javascript
         tools: ${{ steps.prepare-test.outputs.tools-url }}
 
+    - name: Empty file (PR)
+      if: github.event_name == 'pull_request'
+      uses: ./../action/.github/actions/check-codescanning-config
+      with:
+        expected-config-file-contents: |
+          {
+            "query-filters": [
+              {
+                "exclude": {
+                  "tags": "exclude-from-incremental"
+                }
+              }
+            ]
+          }
+        languages: javascript
+        tools: ${{ steps.prepare-test.outputs.tools-url }}
+
     - name: Packs from input
       if: success() || failure()
       uses: ./../action/.github/actions/check-codescanning-config

.github/workflows/debug-artifacts-failure-safe.yml

@@ -20,10 +20,6 @@ on:
     - cron: '0 5 * * *'
   workflow_dispatch:
 
-concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: ${{ github.workflow }}-${{ github.ref }}
-
 defaults:
   run:
     shell: bash

.github/workflows/debug-artifacts-safe.yml

@@ -19,10 +19,6 @@ on:
     - cron: '0 5 * * *'
   workflow_dispatch:
 
-concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: ${{ github.workflow }}-${{ github.ref }}
-
 defaults:
   run:
     shell: bash

.github/workflows/post-release-mergeback.yml

@@ -48,9 +48,6 @@ jobs:
         with:
           fetch-depth: 0  # ensure we have all tags and can push commits
       - uses: actions/setup-node@v6
-        with:
-          node-version: 24
-          cache: 'npm'
       - uses: actions/setup-python@v6
         with:
           python-version: '3.12'

.github/workflows/pr-checks.yml

@@ -10,10 +10,6 @@ on:
     types: [checks_requested]
   workflow_dispatch:
 
-concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: ${{ github.workflow }}-${{ github.ref }}
-
 defaults:
   run:
     shell: bash
@@ -33,10 +29,6 @@ jobs:
     runs-on: ${{ matrix.os }}
     timeout-minutes: 45
 
-    concurrency:
-      cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-      group: pr-checks-unit-tests-${{ github.ref }}-${{ github.event_name }}-${{ matrix.os }}-node${{ matrix['node-version'] }}
-
     steps:
       - name: Prepare git (Windows)
         if: runner.os == 'Windows'
@@ -75,21 +67,22 @@ jobs:
           sarif_file: eslint.sarif
           category: eslint
 
-  # These checks do not need to be run as part of the same matrix that we use for the `unit-tests`
-  # job.
-  other-checks:
-    name: Other checks
+  # Verifying the PR checks are up-to-date requires Node 24. The PR checks are not dependent
+  # on the main codebase and therefore do not need to be run as part of the same matrix that
+  # we use for the `unit-tests` job.
+  verify-pr-checks:
+    name: Verify PR checks
     if: github.triggering_actor != 'dependabot[bot]'
     permissions:
       contents: read
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-slim
     timeout-minutes: 10
 
-    concurrency:
-      cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-      group: pr-checks-pr-checks-${{ github.ref }}-${{ github.event_name }}
-
     steps:
+      - name: Prepare git (Windows)
+        if: runner.os == 'Windows'
+        run: git config --global core.autocrlf false
+
       - name: Checkout repository
         uses: actions/checkout@v6
 
@@ -100,22 +93,34 @@ jobs:
           cache: 'npm'
 
       - name: Install dependencies
-        id: install-deps
         run: npm ci
 
       - name: Verify PR checks up to date
-        if: ${{ !cancelled() && steps.install-deps.outcome == 'success' }}
+        if: always()
         run: .github/workflows/script/verify-pr-checks.sh
 
       - name: Run pr-checks tests
-        if: ${{ !cancelled() && steps.install-deps.outcome == 'success' }}
+        if: always()
         working-directory: pr-checks
         run: npx tsx --test
 
-      - name: Verify all Actions use the same Node version
-        id: head-version
+  check-node-version:
+    if: github.triggering_actor != 'dependabot[bot]'
+    name: Check Action Node versions
+    runs-on: ubuntu-latest
+    timeout-minutes: 45
+    env:
+      BASE_REF: ${{ github.base_ref }}
+
+    permissions:
+      contents: read
+
+    steps:
+      - uses: actions/checkout@v6
+      - id: head-version
+        name: Verify all Actions use the same Node version
         run: |
-          NODE_VERSION=$(find . -path "*/node_modules" -prune -o -name "action.yml" -exec yq -o=json '.runs.using' {} \; | jq -rs '[.[] | select(. != null and startswith("node"))] | unique | .[]')
+          NODE_VERSION=$(find . -name "action.yml" -exec yq -e '.runs.using' {} \; | grep node | sort | uniq)
           echo "NODE_VERSION: ${NODE_VERSION}"
           if [[ $(echo "$NODE_VERSION" | wc -l) -gt 1 ]]; then
             echo "::error::More than one node version used in 'action.yml' files."
@@ -123,111 +128,22 @@ jobs:
           fi
           echo "node_version=${NODE_VERSION}" >> $GITHUB_OUTPUT
 
-      - name: Fetch base commit
-        id: fetch-base
-        # Forks and Dependabot PRs don't have permission to write comments, so skip the repo size
-        # check in those cases.
-        if: >-
-          github.event_name == 'pull_request' &&
-          github.event.pull_request.head.repo.full_name == github.repository &&
-          github.event.pull_request.user.login != 'dependabot[bot]'
-        env:
-          BASE_SHA: ${{ github.event.pull_request.base.sha }}
-          HEAD_SHA: ${{ github.event.pull_request.head.sha }}
-          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        run: |
-          # Compare against the merge base so the size delta reflects only the commits actually
-          # added by this PR, ignoring any changes that have landed on the base branch since the
-          # PR branched off.
-          merge_base=$(gh api "repos/$GITHUB_REPOSITORY/compare/$BASE_SHA...$HEAD_SHA" --jq '.merge_base_commit.sha')
-          echo "merge_base=$merge_base" >> "$GITHUB_OUTPUT"
-          git fetch --no-tags --depth=1 origin "$merge_base" "$HEAD_SHA"
-
-      - name: Check repo size
-        if: steps.fetch-base.outcome == 'success'
-        working-directory: pr-checks
-        env:
-          BASE_REF: ${{ github.event.pull_request.base.ref }}
-          BASE_SHA: ${{ steps.fetch-base.outputs.merge_base }}
-          HEAD_SHA: ${{ github.event.pull_request.head.sha }}
-          RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
-        run: npx tsx check-repo-size.ts --output-dir "$RUNNER_TEMP/repo-size"
-
-      - name: Upload repo size comment
-        if: steps.fetch-base.outcome == 'success'
-        uses: actions/upload-artifact@v7
-        with:
-          name: repo-size-comment
-          path: ${{ runner.temp }}/repo-size/
-          if-no-files-found: error
-
-      - name: 'Backport: Check out base ref'
-        id: checkout-base
+      - id: checkout-base
+        name: 'Backport: Check out base ref'
         if: ${{ startsWith(github.head_ref, 'backport-') }}
         uses: actions/checkout@v6
         with:
-          ref: ${{ github.base_ref }}
+          ref: ${{ env.BASE_REF }}
 
       - name: 'Backport: Verify Node versions unchanged'
         if: steps.checkout-base.outcome == 'success'
         env:
           HEAD_VERSION: ${{ steps.head-version.outputs.node_version }}
         run: |
-          BASE_VERSION=$(find . -path "*/node_modules" -prune -o -name "action.yml" -exec yq -o=json '.runs.using' {} \; | jq -rs '[.[] | select(. != null and startswith("node"))] | unique | .[]')
+          BASE_VERSION=$(find . -name "action.yml" -exec yq -e '.runs.using' {} \; | grep node | sort | uniq)
           echo "HEAD_VERSION: ${HEAD_VERSION}"
           echo "BASE_VERSION: ${BASE_VERSION}"
           if [[ "$BASE_VERSION" != "$HEAD_VERSION" ]]; then
             echo "::error::Cannot change the Node version of an Action in a backport PR."
             exit 1
           fi
-
-  post-repo-size-comment:
-    name: Post repo size comment
-    needs: other-checks
-    # Keep write permissions isolated from the job that checks out and tests PR code. This job only
-    # posts the candidate comment body produced by the read-only `pr-checks` job.
-    if: >-
-      github.event_name == 'pull_request' &&
-      github.event.pull_request.head.repo.full_name == github.repository &&
-      github.event.pull_request.user.login != 'dependabot[bot]' &&
-      needs.other-checks.result == 'success'
-    permissions:
-      contents: read
-      pull-requests: write
-    runs-on: ubuntu-slim
-    timeout-minutes: 10
-
-    concurrency:
-      cancel-in-progress: true
-      group: check-repo-size-${{ github.event.pull_request.number }}
-
-    steps:
-      - name: Download repo size comment
-        uses: actions/download-artifact@v8
-        with:
-          name: repo-size-comment
-          path: repo-size-comment
-
-      - name: Post repo size comment
-        env:
-          COMMENT_MARKER: "<!-- repo-size-diff-bot -->"
-          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          PR_NUMBER: ${{ github.event.pull_request.number }}
-        run: |
-          significant=$(jq -r '.significant' repo-size-comment/metadata.json)
-          comment_id=$(
-            gh api "repos/$GITHUB_REPOSITORY/issues/$PR_NUMBER/comments" \
-              --paginate \
-              --jq ".[] | select(.body | contains(\"$COMMENT_MARKER\")) | .id" \
-              | head -n 1
-          )
-
-          if [[ -n "$comment_id" ]]; then
-            echo "Updating existing comment $comment_id."
-            gh api --method PATCH "repos/$GITHUB_REPOSITORY/issues/comments/$comment_id" --field body=@repo-size-comment/body.md
-          elif [[ "$significant" == "true" ]]; then
-            echo "Creating new repo size comment."
-            gh api --method POST "repos/$GITHUB_REPOSITORY/issues/$PR_NUMBER/comments" --field body=@repo-size-comment/body.md
-          else
-            echo "Skipping repo size comment because the delta is below the threshold and no sticky comment exists."
-          fi

.github/workflows/python312-windows.yml

@@ -14,10 +14,6 @@ on:
     - cron: '0 0 * * 1'
   workflow_dispatch:
 
-concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: ${{ github.workflow }}-${{ github.ref }}
-
 defaults:
   run:
     shell: bash

.github/workflows/query-filters.yml

@@ -17,10 +17,6 @@ on:
     - cron: '0 5 * * *'
   workflow_dispatch:
 
-concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: ${{ github.workflow }}-${{ github.ref }}
-
 defaults:
   run:
     shell: bash

.github/workflows/test-codeql-bundle-all.yml

@@ -18,11 +18,6 @@ on:
   schedule:
     - cron: '0 5 * * *'
   workflow_dispatch:
-
-concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: ${{ github.workflow }}-${{ github.ref }}
-
 defaults:
   run:
     shell: bash

.github/workflows/update-release-branch.yml

@@ -64,12 +64,11 @@ jobs:
 
     - name: Update current release branch
       if: github.event_name == 'workflow_dispatch'
-      env:
-        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
       run: |
         echo SOURCE_BRANCH=${REF_NAME}
         echo TARGET_BRANCH=releases/${MAJOR_VERSION}
         python .github/update-release-branch.py \
+          --github-token ${{ secrets.GITHUB_TOKEN }} \
           --repository-nwo ${{ github.repository }} \
           --source-branch '${{ env.REF_NAME }}' \
           --target-branch 'releases/${{ env.MAJOR_VERSION }}' \
@@ -108,12 +107,11 @@ jobs:
     - uses: ./.github/actions/release-initialise
 
     - name: Update older release branch
-      env:
-        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
       run: |
         echo SOURCE_BRANCH=${SOURCE_BRANCH}
         echo TARGET_BRANCH=${TARGET_BRANCH}
         python .github/update-release-branch.py \
+          --github-token ${{ secrets.GITHUB_TOKEN }} \
           --repository-nwo ${{ github.repository }} \
           --source-branch ${SOURCE_BRANCH} \
           --target-branch ${TARGET_BRANCH} \

CHANGELOG.md

@@ -4,13 +4,6 @@ See the [releases page](https://github.com/github/codeql-action/releases) for th
 
 ## [UNRELEASED]
 
-- _Breaking change_: Bump the minimum required CodeQL bundle version to 2.19.4. [#3894](https://github.com/github/codeql-action/pull/3894)
-- Add support for SHA-256 Git object IDs. [#3893](https://github.com/github/codeql-action/pull/3893)
-
-## 4.35.5 - 15 May 2026
-
-- We have improved how the JavaScript bundles for the CodeQL Action are generated to avoid duplication across bundles and reduce the size of the repository by around 70%. This should have no effect on the runtime behaviour of the CodeQL Action. [#3899](https://github.com/github/codeql-action/pull/3899)
-- For performance and accuracy reasons, [improved incremental analysis](https://github.com/github/roadmap/issues/1158) will now only be enabled on a pull request when diff-informed analysis is also enabled for that run. If diff-informed analysis is unavailable (for example, because the PR diff ranges could not be computed), the action will fall back to a full analysis. [#3791](https://github.com/github/codeql-action/pull/3791)
 - If multiple inputs are provided for the GitHub-internal `analysis-kinds` input, only `code-scanning` will be enabled. The `analysis-kinds` input is experimental, for GitHub-internal use only, and may change without notice at any time. [#3892](https://github.com/github/codeql-action/pull/3892)
 - Added an experimental change which, when running a Code Scanning analysis for a PR with [improved incremental analysis](https://github.com/github/roadmap/issues/1158) enabled, prefers CodeQL CLI versions that have a cached overlay-base database for the configured languages. This speeds up analysis for a repository when there is not yet a cached overlay-base database for the latest CLI version. We expect to roll this change out to everyone in May. [#3880](https://github.com/github/codeql-action/pull/3880)
 

CONTRIBUTING.md

@@ -71,7 +71,7 @@ Once the mergeback and backport pull request have been merged, the release is co
 
 Since the `codeql-action` runs most of its testing through individual Actions workflows, there are over two hundred required jobs that need to pass in order for a PR to turn green. It would be too tedious to maintain that list manually. You can regenerate the set of required checks automatically by running the [sync-checks.ts](pr-checks/sync-checks.ts) script:
 
-- At a minimum, you must provide a token with permissions to update branch protection rules. For example, `gh auth token | pr-checks/sync-checks.ts --token-stdin` uses the same token that `gh` uses. You can also set the `GH_TOKEN` or `GITHUB_TOKEN` environment variable. If no token is provided or the token has insufficient permissions, the script will fail.
+- At a minimum, you must provide an argument for the `--token` input. For example, `--token "$(gh auth token)"` to use the same token that `gh` uses. If no token is provided or the token has insufficient permissions, the script will fail.
 - By default, the script performs a dry run and outputs information about the changes it would make to the branch protection rules. To actually apply the changes, specify the `--apply` flag.
 - If you run the script without any other arguments, it will retrieve the set of workflows that ran for the latest commit on `main`.
 - You can specify a different git ref with the `--ref` input. You will likely want to use this if you have a PR that removes or adds PR checks. For example, `--ref "some/branch/name"` to use the HEAD of the `some/branch/name` branch.

README.md

@@ -78,6 +78,8 @@ We typically release new minor versions of the CodeQL Action and Bundle when a n
 | `v3.28.21` | `2.21.3` | Enterprise Server 3.18 | |
 | `v3.28.12` | `2.20.7` | Enterprise Server 3.17 | |
 | `v3.28.6` | `2.20.3` | Enterprise Server 3.16 | |
+| `v3.28.6` | `2.20.3` | Enterprise Server 3.15 | |
+| `v3.28.6` | `2.20.3` | Enterprise Server 3.14 | |
 
 See the full list of GHES release and deprecation dates at [GitHub Enterprise Server releases](https://docs.github.com/en/enterprise-server/admin/all-releases#releases-of-github-enterprise-server).
 

analyze/action.yml

@@ -95,5 +95,5 @@ outputs:
     description: The ID of the uploaded SARIF file.
 runs:
   using: node24
-  main: "../lib/analyze-entry.js"
-  post: "../lib/analyze-post-entry.js"
+  main: "../lib/analyze-action.js"
+  post: "../lib/analyze-action-post.js"

autobuild/action.yml

@@ -16,4 +16,4 @@ inputs:
     required: false
 runs:
   using: node24
-  main: '../lib/autobuild-entry.js'
+  main: '../lib/autobuild-action.js'

build.mjs

@@ -1,5 +1,5 @@
-import { copyFile, readFile, rm, writeFile } from "node:fs/promises";
-import { basename, dirname, join } from "node:path";
+import { copyFile, rm, writeFile } from "node:fs/promises";
+import { dirname, join } from "node:path";
 import { fileURLToPath } from "node:url";
 
 import * as esbuild from "esbuild";
@@ -47,6 +47,27 @@ const copyDefaultsPlugin = {
   },
 };
 
+/**
+ * Mark `lib/` as an ESM scope by writing `lib/package.json` with
+ * `{ "type": "module" }`. This lets the bundles use the regular `.js`
+ * extension while still being loaded as ESM by Node, without affecting
+ * the rest of the repo (the root package.json stays CJS so the tsc
+ * output in `build/` and any other consumers are unchanged).
+ *
+ * @type {esbuild.Plugin}
+ */
+const writeLibPackageJsonPlugin = {
+  name: "write-lib-package-json",
+  setup(build) {
+    build.onEnd(async () => {
+      await writeFile(
+        join(OUT_DIR, "package.json"),
+        JSON.stringify({ type: "module" }) + "\n",
+      );
+    });
+  },
+};
+
 /**
  * Log when the build ends.
  *
@@ -62,153 +83,45 @@ const onEndPlugin = {
   },
 };
 
-/** The name of the virtual `entry-points` module. */
-const SHARED_ENTRYPOINT = "entry-points";
-
-/** The property name under which `upload-lib`'s namespace is exposed in `entry-points`. */
-const UPLOAD_LIB_EXPORT = "uploadLib";
-
-/** The relative source path of the `upload-lib` module that we re-export from `entry-points`. */
-const UPLOAD_LIB_SRC = "./src/upload-lib";
-
-/**
- * This plugin finds all source files that contain Action entry points. It then generates the
- * virtual `entry-points` module which imports all identified files, and re-exports their
- * `runWrapper` functions with suitable aliases.
- *
- * The virtual module additionally re-exports `upload-lib` under the `uploadLib` namespace so that
- * external consumers can access it via the small `lib/upload-lib.js` stub emitted below.
- * 
- * A tiny stub file is emitted for each Action entrypoint, and one for `upload-lib`. Each stub
- * imports the shared bundle and calls/re-exports from the respective entry point.
- *
- * @type {esbuild.Plugin}
- */
-const entryPointsPlugin = {
-  name: "entry-points",
-  setup(build) {
-    const namespace = "actions";
-    const actions = [];
-
-    const toPascal = (s) =>
-      s.replace(/(^|-)([a-z0-9])/gi, (_, __, c) => c.toUpperCase());
-
-    // Find the source files containing Action entry points.
-    build.onStart(() => {
-      const actionFiles = globSync("src/*-action{,-post}.ts");
-      for (const actionFile of actionFiles) {
-        const match = basename(actionFile).match(/(.*)-action(-post)?/);
-
-        if (match.length < 2) {
-          throw new Error(`'${actionFile}' didn't match expected pattern.`);
-        }
-
-        const actionName = match[1];
-        const isPost = match[2] !== undefined;
-
-        actions.push({
-          path: actionFile,
-          name: actionName,
-          isPost,
-          pascalCaseName: `${toPascal(actionName)}${isPost ? "Post" : ""}Action`,
-        });
-      }
-    });
-
-    // Resolve the virtual `entry-points` file and set the corresponding namespace.
-    // Ideally, we'd `RegExp.escape` the entrypoint here, but that API isn't supported in Node 20.
-    // Since we're dealing with a hardcoded string, this isn't too much of a problem.
-    build.onResolve({ filter: new RegExp(`^${SHARED_ENTRYPOINT}$`) }, () => {
-      return { path: SHARED_ENTRYPOINT, namespace };
-    });
-
-    // Generate the virtual `entry-points` file based on the Actions we discovered.
-    // Restrict using the namespace. The path filter does not need to discriminate any further.
-    build.onLoad({ filter: /.*/, namespace }, async () => {
-      const wrapperTemplatePath = "entry-wrapper.js.tpl";
-      const wrapperTemplate = await readFile(
-        join(SRC_DIR, wrapperTemplatePath),
-        "utf-8",
-      );
-
-      const actionsSorted = actions.sort((a, b) =>
-        a.name.localeCompare(b.name),
-      );
-      const imports = actionsSorted
-        .map(
-          (action) =>
-            `import * as ${action.pascalCaseName} from "./src/${basename(action.path)}";`,
-        )
-        .join("\n");
-      const wrappers = actionsSorted
-        .map((action) =>
-          wrapperTemplate.replaceAll("__ACTION__", action.pascalCaseName),
-        )
-        .join("\n\n");
-
-      // Also re-export the `upload-lib` namespace so that external consumers can reach it
-      // via the `lib/upload-lib.js` stub without us having to bundle a second copy.
-      const uploadLibReExport = `export * as ${UPLOAD_LIB_EXPORT} from "${UPLOAD_LIB_SRC}";`;
-
-      return {
-        contents: `"use strict";\n${imports}\n\n${uploadLibReExport}\n\n${wrappers}\n`,
-        resolveDir: ".",
-        loader: "ts",
-      };
-    });
-
-    // Emit entry point stubs for each Action using the entry template.
-    build.onEnd(async () => {
-      const makeHeader = (templatePath, sourceFile) =>
-        `// Automatically generated from '${templatePath}' for 'src/${basename(sourceFile)}'.\n\n`;
-
-      // Read the entry point template.
-      const actionTemplatePath = "action-entry.js.tpl";
-      const actionTemplate = await readFile(
-        join(SRC_DIR, actionTemplatePath),
-        "utf-8",
-      );
-
-      // Write entry point stubs for each Action.
-      for (const action of actions) {
-        await writeFile(
-          join(
-            OUT_DIR,
-            `${action.name}${action.isPost ? "-post" : ""}-entry.js`,
-          ),
-          makeHeader(actionTemplatePath, action.path) +
-            actionTemplate.replaceAll("__ACTION__", action.pascalCaseName),
-        );
-      }
-
-      // Write a small stub for `upload-lib` that re-exports it from the shared bundle.
-      // External callers (e.g. internal testing environments) `require("./lib/upload-lib")`
-      // and expect the same shape as before, so we expose the namespace as `module.exports`.
-      const uploadLibStubTemplatePath = "upload-lib-stub.js.tpl";
-      const uploadLibStubTemplate = await readFile(
-        join(SRC_DIR, uploadLibStubTemplatePath),
-        "utf-8",
-      );
-      await writeFile(
-        join(OUT_DIR, "upload-lib.js"),
-        makeHeader(uploadLibStubTemplatePath, `${UPLOAD_LIB_SRC}.ts`) +
-          uploadLibStubTemplate.replaceAll(
-            "__UPLOAD_LIB_EXPORT__",
-            UPLOAD_LIB_EXPORT,
-          ),
-      );
-    });
-  },
-};
+// Banner injected into every emitted ESM file so that bundled CommonJS
+// dependencies which call `require(...)` at runtime (e.g. parts of the
+// Azure SDK + undici stack pulled in transitively by `@actions/cache` and
+// `@actions/artifact`), or read `__filename` / `__dirname`, keep working.
+const esmCompatBanner = [
+  `import { createRequire as __codeqlCreateRequire } from "module";`,
+  `import { fileURLToPath as __codeqlFileURLToPath } from "url";`,
+  `import { dirname as __codeqlDirname } from "path";`,
+  `var require = __codeqlCreateRequire(import.meta.url);`,
+  `var __filename = __codeqlFileURLToPath(import.meta.url);`,
+  `var __dirname = __codeqlDirname(__filename);`,
+].join("");
 
 const context = await esbuild.context({
-  entryPoints: [{ in: SHARED_ENTRYPOINT, out: SHARED_ENTRYPOINT }],
+  // Include upload-lib.ts as an entry point for use in testing environments.
+  entryPoints: globSync([
+    `${SRC_DIR}/*-action.ts`,
+    `${SRC_DIR}/*-action-post.ts`,
+    "src/upload-lib.ts",
+  ]),
   bundle: true,
-  format: "cjs",
+  // Use ESM with code splitting so shared modules (Azure storage, undici,
+  // octokit, ...) live in shared chunk files instead of being duplicated
+  // into every entry bundle. Node treats these `.js` files as ESM because
+  // `writeLibPackageJsonPlugin` writes `lib/package.json` with
+  // `"type": "module"`.
+  format: "esm",
+  splitting: true,
+  minify: true,
+  chunkNames: "chunks/chunk-[hash]",
+  banner: { js: esmCompatBanner },
   outdir: OUT_DIR,
   platform: "node",
-  external: ["./entry-points"],
-  plugins: [cleanPlugin, copyDefaultsPlugin, entryPointsPlugin, onEndPlugin],
+  plugins: [
+    cleanPlugin,
+    copyDefaultsPlugin,
+    writeLibPackageJsonPlugin,
+    onEndPlugin,
+  ],
   target: ["node20"],
   define: {
     __CODEQL_ACTION_VERSION__: JSON.stringify(pkg.version),

init/action.yml

@@ -171,5 +171,5 @@ outputs:
     description: The version of the CodeQL binary used for analysis
 runs:
   using: node24
-  main: '../lib/init-entry.js'
-  post: '../lib/init-post-entry.js'
+  main: '../lib/init-action.js'
+  post: '../lib/init-action-post.js'

lib/analyze-action-post.js

@@ -0,0 +1,2 @@
+import { createRequire as __codeqlCreateRequire } from "module";import { fileURLToPath as __codeqlFileURLToPath } from "url";import { dirname as __codeqlDirname } from "path";var require = __codeqlCreateRequire(import.meta.url);var __filename = __codeqlFileURLToPath(import.meta.url);var __dirname = __codeqlDirname(__filename);
+import{b as y}from"./chunks/chunk-WKICWMYU.js";import"./chunks/chunk-5ZRYQL45.js";import"./chunks/chunk-U2JW7LOC.js";import"./chunks/chunk-GX7WDUZJ.js";import{a as d,b as g}from"./chunks/chunk-HIJVM6IW.js";import{h as f}from"./chunks/chunk-LYJYPMC2.js";import{J as n,La as a,Ta as c,c as b,cc as p,fa as t,k as A,ta as s,zb as m}from"./chunks/chunk-V6LGBXSF.js";var u=b(A());import*as o from"fs";async function C(){try{a();let e=m(),l=await c();if(n(l,e),process.env.CODEQL_ACTION_INIT_HAS_RUN==="true"){let r=await p(s(),e);if(r!==void 0){let v=await(await f(r.codeQLCmd)).getVersion();await y(e,r.gitHubVersion.type,v.version)}}let D=[d(),g()];for(let r of D)if(o.existsSync(r))try{o.rmSync(r,{recursive:!0})}catch(i){e.info(`Failed to remove temporary dependencies directory: ${t(i)}`)}}catch(e){u.setFailed(`analyze post-action step failed: ${t(e)}`)}}C();

lib/analyze-entry.js

@@ -1,6 +0,0 @@
-// Automatically generated from 'action-entry.js.tpl' for 'src/analyze-action.ts'.
-
-"use strict";
-
-const import_entry_points = require("./entry-points");
-void (0, import_entry_points.runAnalyzeAction)();

lib/analyze-post-entry.js

@@ -1,6 +0,0 @@
-// Automatically generated from 'action-entry.js.tpl' for 'src/analyze-action-post.ts'.
-
-"use strict";
-
-const import_entry_points = require("./entry-points");
-void (0, import_entry_points.runAnalyzePostAction)();

lib/autobuild-action.js

@@ -0,0 +1,2 @@
+import { createRequire as __codeqlCreateRequire } from "module";import { fileURLToPath as __codeqlFileURLToPath } from "url";import { dirname as __codeqlDirname } from "path";var require = __codeqlCreateRequire(import.meta.url);var __filename = __codeqlFileURLToPath(import.meta.url);var __dirname = __codeqlDirname(__filename);
+import{a as B,c as U}from"./chunks/chunk-U2JW7LOC.js";import{c as V,e as f,f as p,h as _}from"./chunks/chunk-B34OPX2S.js";import{e as D,h as k}from"./chunks/chunk-LYJYPMC2.js";import{J as w,L as b,O as C,Ta as S,c as H,cc as E,ea as h,fa as y,ga as d,ha as L,k as I,sa as A,ta as R,ua as g,zb as l}from"./chunks/chunk-V6LGBXSF.js";var s=H(I());async function F(o,t,e,c,r,i){b(g());let a=V(i,r),n=await f("autobuild",a,e,o,await d(t),t,i?.message,i?.stack);if(n!==void 0){let u={...n,autobuild_languages:c.join(","),autobuild_failure:r};await p(u)}}async function T(o){let t=l(),e,c,r;try{let i=await f("autobuild","starting",o,e,await d(t),t);i!==void 0&&await p(i);let a=await S();if(w(a,t),L(g(),a),e=await E(R(),t),e===void 0)throw new C("Config file could not be found at expected location. Has the 'init' action been called?");let n=await k(e.codeQLCmd);if(r=await B(n,e,t),r!==void 0){let u=A("working-directory");u&&(t.info(`Changing autobuilder working directory to ${u}`),process.chdir(u));for(let m of r)c=m,await U(e,m,t)}await D(n,e,t)}catch(i){let a=h(i);s.setFailed(`We were unable to automatically build your code. Please replace the call to the autobuild action with your custom build steps. ${a.message}`),await F(e,t,o,r??[],c,a);return}s.exportVariable("CODEQL_ACTION_AUTOBUILD_DID_COMPLETE_SUCCESSFULLY","true"),await F(e,t,o,r??[])}async function v(){let o=new Date,t=l();try{await T(o)}catch(e){s.setFailed(`autobuild action failed. ${y(e)}`),await _("autobuild",o,e,t)}}v();

lib/autobuild-entry.js

@@ -1,6 +0,0 @@
-// Automatically generated from 'action-entry.js.tpl' for 'src/autobuild-action.ts'.
-
-"use strict";
-
-const import_entry_points = require("./entry-points");
-void (0, import_entry_points.runAutobuildAction)();

lib/chunks/chunk-2R674E4A.js

@@ -0,0 +1,10 @@
+import { createRequire as __codeqlCreateRequire } from "module";import { fileURLToPath as __codeqlFileURLToPath } from "url";import { dirname as __codeqlDirname } from "path";var require = __codeqlCreateRequire(import.meta.url);var __filename = __codeqlFileURLToPath(import.meta.url);var __dirname = __codeqlDirname(__filename);
+import{g as E}from"./chunk-LYJYPMC2.js";import{$b as v,Bb as L,Da as w,Fa as d,H as g,Ma as C,O as m,c as p,ec as P,fa as c,h as A,i as F,k as V,m as $,n as h,sa as b}from"./chunk-V6LGBXSF.js";var R=p(V()),k=p(F()),S=p($()),O=p(A());import*as n from"fs";import*as l from"path";async function ne(e,o,t,r,i,a,u,s,f){f.startGroup("Setup CodeQL tools");let{codeql:y,toolsDownloadStatusReport:D,toolsSource:I,toolsVersion:_,zstdAvailability:T}=await E(e,o,t,r,i,a,u,s,f,!0);return await y.printVersion(),f.endGroup(),{codeql:y,toolsDownloadStatusReport:D,toolsSource:I,toolsVersion:_,zstdAvailability:T}}async function ie(e,o){return await L("Load language configuration",async()=>await v(e,o))}async function ae(e,o,t,r,i,a,u){n.mkdirSync(t.dbLocation,{recursive:!0}),await P(e,async()=>await o.databaseInitCluster(t,r,i,a,u))}async function se(e,o,t){let r=(await e.getVersion()).overlayVersion;if(r===void 0)return t.warning("The CodeQL CLI does not support overlay analysis."),!1;for(let i of o.languages){let a=g(o,i);if((await e.resolveQueriesStartingPacks([a])).some(s=>!Q(s,r,t)))return!1}return!0}function Q(e,o,t){try{let r=l.join(e,"qlpack.yml");if(n.existsSync(r)||(r=l.join(e,"codeql-pack.yml")),!h(n.readFileSync(r,"utf8")).buildMetadata)return!0;let a=l.join(e,".packinfo");if(!n.existsSync(a))return t.warning(`The query pack at ${e} does not have a .packinfo file, so it cannot support overlay analysis. Recompiling the query pack with the latest CodeQL CLI should solve this problem.`),!1;let s=JSON.parse(n.readFileSync(a,"utf8")).overlayVersion;if(typeof s!="number")return t.warning(`The .packinfo file for the query pack at ${e} does not have the overlayVersion field, which indicates that the pack is not compatible with overlay analysis.`),!1;if(s!==o)return t.warning(`The query pack at ${e} was compiled with overlay version ${s}, but the CodeQL CLI supports overlay version ${o}. The query pack needs to be recompiled to support overlay analysis.`),!1}catch(r){return t.warning(`Error while checking pack at ${e} for overlay compatibility: ${c(r)}`),!1}return!0}async function le(e,o){if(e.includes("python")&&process.platform==="win32"&&!(await o.getVersion()).features?.supportsPython312){let t=l.resolve(__dirname,"../python-setup","check_python12.ps1");await new k.ToolRunner(await O.which("powershell",!0),[t]).exec()}}function ue(e,o,t={},r=n.rmSync){if(n.existsSync(e.dbLocation)&&(n.statSync(e.dbLocation).isFile()||n.readdirSync(e.dbLocation).length>0)){t.disableExistingDirectoryWarning||o.warning(`The database cluster directory ${e.dbLocation} must be empty. Attempting to clean it up.`);try{r(e.dbLocation,{force:!0,maxRetries:3,recursive:!0}),o.info(`Cleaned up database cluster directory ${e.dbLocation}.`)}catch(i){let a=`The CodeQL Action requires an empty database cluster directory. ${b("db-location")?`This is currently configured to be ${e.dbLocation}. `:`By default, this is located at ${e.dbLocation}. You can customize it using the 'db-location' input to the init Action. `}An attempt was made to clean up the directory, but this failed.`;throw w()?new m(`${a} This can happen if another process is using the directory or the directory is owned by a different user. Please clean up the directory manually and rerun the job. Details: ${c(i)}`):new Error(`${a} This shouldn't typically happen on hosted runners. If you are using an advanced setup, please check your workflow, otherwise we recommend rerunning the job. Details: ${c(i)}`)}}}async function pe(e,o,t,r){return e?{enabled:!0,enabledByRepositoryProperty:!1,showDeprecationWarning:!1}:C()?(process.env.CODEQL_ACTION_FILE_COVERAGE_ON_PRS||"").toLocaleLowerCase()==="true"?{enabled:!0,enabledByRepositoryProperty:!1,showDeprecationWarning:!1}:r["github-codeql-file-coverage-on-prs"]===!0?{enabled:!0,enabledByRepositoryProperty:!0,showDeprecationWarning:!1}:await t.getValue("skip_file_coverage_on_prs",o)?{enabled:!1,enabledByRepositoryProperty:!1,showDeprecationWarning:!1}:{enabled:!0,enabledByRepositoryProperty:!1,showDeprecationWarning:!0}:{enabled:!0,enabledByRepositoryProperty:!1,showDeprecationWarning:!1}}function ce(e){if(process.env.CODEQL_ACTION_DID_LOG_FILE_COVERAGE_ON_PRS_DEPRECATION)return;let o=S.context.payload.repository?.owner.type,t="Starting April 2026, the CodeQL Action will skip computing file coverage information on pull requests to improve analysis performance. File coverage information will still be computed on non-PR analyses.",r="set the `CODEQL_ACTION_FILE_COVERAGE_ON_PRS` environment variable to `true`.",i='create a custom repository property with the name `github-codeql-file-coverage-on-prs` and the type "True/false", then set this property to `true` in the repository\'s settings.';o==="Organization"?d()?t+=`
+
+To opt out of this change, ${i}`:t+=`
+
+To opt out of this change, ${r} Alternatively, ${i}`:d()?t+=`
+
+To opt out of this change, switch to an advanced setup workflow and ${r}`:t+=`
+
+To opt out of this change, ${r}`,e.warning(t),R.exportVariable("CODEQL_ACTION_DID_LOG_FILE_COVERAGE_ON_PRS_DEPRECATION","true")}export{ne as a,ie as b,ae as c,se as d,le as e,ue as f,pe as g,ce as h};

lib/chunks/chunk-3ABJF3VX.js

@@ -0,0 +1,2 @@
+import { createRequire as __codeqlCreateRequire } from "module";import { fileURLToPath as __codeqlFileURLToPath } from "url";import { dirname as __codeqlDirname } from "path";var require = __codeqlCreateRequire(import.meta.url);var __filename = __codeqlFileURLToPath(import.meta.url);var __dirname = __codeqlDirname(__filename);
+import{g as n,k as p,l as d,n as f}from"./chunk-XFYKKQKY.js";import{oa as l,rb as e}from"./chunk-V6LGBXSF.js";async function w(s,u,m,i,c,y,P){let b=await n(s,c),o={};for(let[t,g]of l(b)){let a=e(t),r=await p(s,u,i,g,y,a);await d(s,P,a,r),m==="always"&&(o[t]=await f(s,i,a,r))}return o}export{w as a};

lib/chunks/chunk-5ZRYQL45.js

@@ -0,0 +1,21 @@
+import { createRequire as __codeqlCreateRequire } from "module";import { fileURLToPath as __codeqlFileURLToPath } from "url";import { dirname as __codeqlDirname } from "path";var require = __codeqlCreateRequire(import.meta.url);var __filename = __codeqlFileURLToPath(import.meta.url);var __dirname = __codeqlDirname(__filename);
+import{b as Y}from"./chunk-U2JW7LOC.js";import{a as j,b as H}from"./chunk-HIJVM6IW.js";import{e as z}from"./chunk-LYJYPMC2.js";import{Bb as k,Db as U,Eb as q,G as b,H as Q,Lb as B,c as te,ea as A,fa as N,h as ne,hc as v,jc as G,n as x,nb as R,o as O,pb as F,ra as $,ta as M}from"./chunk-V6LGBXSF.js";var K=te(ne());import*as c from"fs";import*as p from"path";import{performance as D}from"perf_hooks";var T=class extends Error{constructor(t,a,r){super(a);this.queriesStatusReport=t;this.message=a;this.error=r;this.name="CodeQLAnalysisError"}queriesStatusReport;message;error};async function ae(n){let e=process.env.CODEQL_PYTHON;e===void 0||e.length===0||n.warning(`The CODEQL_PYTHON environment variable is no longer supported. Please remove it from your workflow. This environment variable was originally used to specify a Python executable that included the dependencies of your Python code, however Python analysis no longer uses these dependencies.
+If you used CODEQL_PYTHON to force the version of Python to analyze as, please use CODEQL_EXTRACTOR_PYTHON_ANALYSIS_VERSION instead, such as 'CODEQL_EXTRACTOR_PYTHON_ANALYSIS_VERSION=2.7' or 'CODEQL_EXTRACTOR_PYTHON_ANALYSIS_VERSION=3.11'.`)}async function re(n,e,t,a){for(let r of t.languages){if(X(t,r,a)){a.debug(`Database for ${r} has already been finalized, skipping extraction.`);continue}await ie(n,t,r)&&(a.startGroup(`Extracting ${r}`),r==="python"&&await ae(a),t.buildMode?(r==="cpp"&&t.buildMode==="autobuild"&&await Y(n,a),r==="java"&&t.buildMode==="none"&&(process.env.CODEQL_EXTRACTOR_JAVA_OPTION_BUILDLESS_DEPENDENCY_DIR=j()),r==="csharp"&&t.buildMode==="none"&&await e.getValue("csharp_cache_bmn")&&(process.env.CODEQL_EXTRACTOR_CSHARP_OPTION_BUILDLESS_DEPENDENCY_DIR=H()),await n.extractUsingBuildMode(t,r)):await n.extractScannedLanguage(t,r),a.endGroup())}}async function ie(n,e,t){return e.buildMode==="none"||e.buildMode==="autobuild"&&process.env.CODEQL_ACTION_AUTOBUILD_DID_COMPLETE_SUCCESSFULLY!=="true"||!e.buildMode&&await n.isScannedLanguage(t)}function X(n,e,t){let a=b(n,e);try{return!("inProgress"in x(c.readFileSync(p.resolve(a,"codeql-database.yml"),"utf8")))}catch{return t.warning(`Could not check whether database for ${e} was finalized. Assuming it is not.`),!1}}async function se(n,e,t,a,r,o){let i=D.now();await re(n,e,t,o);let d=D.now()-i,_=D.now();for(let m of t.languages)X(t,m,o)?o.info(`There is already a finalized database for ${m} at the location where the CodeQL Action places databases, so we did not create one.`):(o.startGroup(`Finalizing ${m}`),await n.finalizeDatabase(b(t,m),a,r,t.debugMode),o.endGroup());let l=D.now()-_;return{scanned_language_extraction_duration_ms:Math.round(d),trap_import_duration_ms:Math.round(l)}}async function Me(n){return await k("Generating diff range extension pack",async()=>{let e=B(n);if(e===void 0){n.info("No precomputed diff ranges found; skipping diff-informed analysis stage.");return}let t=$("checkout_path"),a=ue(n,e,t);return n.info(`Successfully created diff range extension pack at ${a}.`),a})}function oe(n,e){let t=`
+extensions:
+  - addsTo:
+      pack: codeql/util
+      extensible: restrictAlertsTo
+      checkPresence: false
+    data:
+`,a=n.map(r=>{let o=p.join(e,r.path).replaceAll(p.sep,"/");return`      - [${O(o,{forceQuotes:!0}).trim()}, ${r.startLine}, ${r.endLine}]
+`}).join("");return a||(a=`      - ["", 0, 0]
+`),t+a}function ue(n,e,t){e.length===0&&(e=[{path:"",startLine:0,endLine:0}]);let a=p.join(M(),"pr-diff-range");c.mkdirSync(a,{recursive:!0}),c.writeFileSync(p.join(a,"qlpack.yml"),`
+name: codeql-action/pr-diff-range
+version: 0.0.0
+library: true
+extensionTargets:
+  codeql/util: '*'
+dataExtensions:
+  - pr-diff-range.yml
+`);let r=oe(e,t),o=p.join(a,"pr-diff-range.yml");return c.writeFileSync(o,r),n.debug(`Wrote pr-diff-range extension pack to ${o}:
+${r}`),a}var le=new Set(["security-experimental","security-extended","security-and-quality","code-quality","code-scanning"]);function V(n,e){return le.has(e)?`${n}-${e}.qls`:e}function de(n,e){return`${e}${n.sarifExtension}`}async function Fe(n,e,t,a,r,o,i,d,_){let l={},m=[e,t],L=[];i.overlayDatabaseMode!=="overlay-base"&&m.push("--expect-discarded-cache"),l.analysis_is_diff_informed=a!==void 0,a&&(m.push(`--additional-packs=${a}`),m.push("--extension-packs=codeql-action/pr-diff-range"),L.push("diff-informed")),l.analysis_is_overlay=i.overlayDatabaseMode==="overlay",l.analysis_builds_overlay_base_database=i.overlayDatabaseMode==="overlay-base",i.overlayDatabaseMode==="overlay"&&L.push("overlay");let J=L.length>0?`--sarif-run-property=incrementalMode=${L.join(",")}`:void 0,W=G(i);for(let s of i.languages)try{let u=[];if(i.analysisKinds.length>1&&(u.push(Q(i,s)),v(i)))for(let C of R)u.push(V(s,C));d.startGroup(`Running queries for ${s}`);let y=new Date().getTime(),h=b(i,s);await o.databaseRunQueries(h,m,u),d.debug(`Finished running queries for ${s}.`),l[`analyze_builtin_queries_${s}_duration_ms`]=new Date().getTime()-y;let g=new Date,{summary:f,sarifFile:I}=await S(W,s,void 0,i.debugMode),w;i.analysisKinds.length>1&&v(i)&&(w=(await S(F,s,R.map(E=>V(s,E)),i.debugMode)).summary);let P=new Date;if(l[`interpret_results_${s}_duration_ms`]=P.getTime()-g.getTime(),d.endGroup(),f.trim()&&d.info(f),w?.trim()&&d.info(w),i.enableFileCoverageInformation||d.info("To speed up pull request analysis, file coverage information is only enabled when analyzing the default branch and protected branches."),await _.getValue("qa_telemetry_enabled")){let C=ee(I),E={event:"codeql database interpret-results",started_at:g.toISOString(),completed_at:P.toISOString(),exit_status:"success",language:s,properties:{alertCounts:C}};l.event_reports===void 0&&(l.event_reports=[]),l.event_reports.push(E)}}catch(u){throw l.analyze_failure_language=s,new T(l,`Error running analysis for ${s}: ${N(u)}`,A(u))}return l;async function S(s,u,y,h){d.info(`Interpreting ${s.name} results for ${u}`);let g=s.fixCategory(d,r),f=p.join(n,de(s,u));return{summary:await Z(u,y,f,h,g),sarifFile:f}}async function Z(s,u,y,h,g){let f=b(i,s);return await o.databaseInterpretResults(f,u,y,t,h?"-vv":"-v",J,g,i,_)}function ee(s){let u=JSON.parse(c.readFileSync(s,"utf8")),y={};for(let h of u.runs)if(h.results)for(let g of h.results){let f=g.rule?.id||g.ruleId;f&&(y[f]=(y[f]||0)+1)}return y}}async function ke(n,e,t,a,r,o,i){try{await c.promises.rm(e,{force:!0,recursive:!0})}catch(_){if(_?.code!=="ENOENT")throw _}await c.promises.mkdir(e,{recursive:!0});let d=await se(r,n,o,t,a,i);return process.env.CODEQL_ACTION_AUTOBUILD_DID_COMPLETE_SUCCESSFULLY!=="true"&&await z(r,o,i),d}async function Ue(n,e){let t=process.env.CODEQL_ACTION_GO_BINARY;if(process.env.CODEQL_ACTION_DID_AUTOBUILD_GOLANG!=="true"&&t!==void 0){let a=await K.which("go",!0);t!==a&&(e.warning(`Expected \`which go\` to return ${t}, but got ${a}: please ensure that the correct version of Go is installed before the \`codeql-action/init\` Action is used.`),q(n,"go",U("go/workflow/go-installed-after-codeql-init","Go was installed after the `codeql-action/init` Action was run",{markdownMessage:"To avoid interfering with the CodeQL analysis, perform all installation steps before calling the `github/codeql-action/init` Action.",visibility:{statusPage:!0,telemetry:!0,cliSummaryTable:!0},severity:"warning"})))}}export{T as a,X as b,Me as c,Fe as d,ke as e,Ue as f};

lib/chunks/chunk-GX7WDUZJ.js

@@ -0,0 +1,2 @@
+import { createRequire as __codeqlCreateRequire } from "module";import { fileURLToPath as __codeqlFileURLToPath } from "url";import { dirname as __codeqlDirname } from "path";var require = __codeqlCreateRequire(import.meta.url);var __filename = __codeqlFileURLToPath(import.meta.url);var __dirname = __codeqlDirname(__filename);
+import{c as F,fa as m,j as k}from"./chunk-V6LGBXSF.js";var l=F(k());import*as d from"fs";import*as h from"os";import*as f from"path";var S={type:"Personal Access Token (Classic)",pattern:/\bghp_[a-zA-Z0-9]{36}\b/g},z={type:"Personal Access Token (Fine-grained)",pattern:/\bgithub_pat_[a-zA-Z0-9_]+\b/g},b=[S,z,{type:"OAuth Access Token",pattern:/\bgho_[a-zA-Z0-9]{36}\b/g},{type:"User-to-Server Token",pattern:/\bghu_[a-zA-Z0-9]{36}\b/g},{type:"Server-to-Server Token",pattern:/\bghs_[a-zA-Z0-9]{36}\b/g},{type:"Refresh Token",pattern:/\bghr_[a-zA-Z0-9]{36}\b/g},{type:"App Installation Access Token",pattern:/\bghs_[a-zA-Z0-9]{255}\b/g}];function R(e,a=b){for(let{type:t,pattern:s}of a)if(e.match(s))return t}function x(e,a,t){let s=[];try{let i=d.readFileSync(e,"utf8");for(let{type:u,pattern:r}of b){let o=i.match(r);if(o){for(let c=0;c<o.length;c++)s.push({tokenType:u,filePath:a});t.debug(`Found ${o.length} ${u}(s) in ${a}`)}}return s}catch(i){return t.debug(`Could not scan file ${e} for tokens: ${m(i)}`),[]}}async function $(e,a,t,s,i=0){if(i>10)throw new Error(`Maximum archive extraction depth (10) reached for ${e}`);if(process.platform==="win32")throw new Error("Scanning archives is not supported on Windows.");let r={scannedFiles:0,findings:[]};try{let o=d.mkdtempSync(f.join(t,`extract-${i}-`)),c=f.basename(e).toLowerCase();if(c.endsWith(".tar.gz")||c.endsWith(".tgz"))s.debug(`Extracting tar.gz file: ${e}`),await l.exec("tar",["-xzf",e,"-C",o],{silent:!0});else if(c.endsWith(".tar.zst"))s.debug(`Extracting tar.zst file: ${e}`),await l.exec("tar",["--zstd","-xf",e,"-C",o],{silent:!0});else if(c.endsWith(".zst")){s.debug(`Extracting zst file: ${e}`);let p=f.join(o,f.basename(e,".zst"));await l.exec("zstd",["-d",e,"-o",p],{silent:!0})}else if(c.endsWith(".gz")){s.debug(`Extracting gz file: ${e}`);let p=f.join(o,f.basename(e,".gz"));await l.exec("gunzip",["-c",e],{outStream:d.createWriteStream(p),silent:!0})}else c.endsWith(".zip")&&(s.debug(`Extracting zip file: ${e}`),await l.exec("unzip",["-q","-o",e,"-d",o],{silent:!0}));let n=await T(o,a,s,i+1);r.scannedFiles+=n.scannedFiles,r.findings.push(...n.findings),d.rmSync(o,{recursive:!0,force:!0})}catch(o){s.debug(`Could not extract or scan archive file ${e}: ${m(o)}`)}return r}async function A(e,a,t,s,i=0){let u={scannedFiles:1,findings:[]},r=f.basename(e).toLowerCase();if(r.endsWith(".zip")||r.endsWith(".tar.gz")||r.endsWith(".tgz")||r.endsWith(".tar.zst")||r.endsWith(".zst")||r.endsWith(".gz")){let n=await $(e,a,t,s,i);u.scannedFiles+=n.scannedFiles,u.findings.push(...n.findings)}let c=x(e,a,s);return u.findings.push(...c),u}async function T(e,a,t,s=0){let i={scannedFiles:0,findings:[]},u=d.readdirSync(e,{withFileTypes:!0});for(let r of u){let o=f.join(e,r.name),c=f.join(a,r.name);if(r.isDirectory()){let n=await T(o,c,t,s);i.scannedFiles+=n.scannedFiles,i.findings.push(...n.findings)}else if(r.isFile()){let n=await A(o,c,f.dirname(o),t,s);i.scannedFiles+=n.scannedFiles,i.findings.push(...n.findings)}}return i}async function _(e,a){a.info("Starting best-effort check for potential GitHub tokens in debug artifacts (for testing purposes only)...");let t={scannedFiles:0,findings:[]},s=d.mkdtempSync(f.join(h.tmpdir(),"artifact-scan-"));try{for(let n of e){let p=d.statSync(n),y=f.basename(n);if(p.isDirectory()){let g=await T(n,y,a);t.scannedFiles+=g.scannedFiles,t.findings.push(...g.findings)}else if(p.isFile()){let g=await A(n,y,s,a);t.scannedFiles+=g.scannedFiles,t.findings.push(...g.findings)}}let i=new Map,u=new Set;for(let n of t.findings)i.set(n.tokenType,(i.get(n.tokenType)||0)+1),u.add(n.filePath);let r=Array.from(i.entries()).map(([n,p])=>`${p} ${n}${p>1?"s":""}`).join(", "),o=`scanned ${t.scannedFiles} files, found ${t.findings.length} potential token(s) in ${u.size} file(s)`,c=r?`${o} (${r})`:o;if(a.info(`Artifact check complete: ${c}`),t.findings.length>0){let n=Array.from(u).join(", ");throw new Error(`Found ${t.findings.length} potential GitHub token(s) (${r}) in debug artifacts at: ${n}. This is a best-effort check for testing purposes only.`)}}finally{try{d.rmSync(s,{recursive:!0,force:!0})}catch(i){a.debug(`Could not clean up temporary scan directory: ${m(i)}`)}}}export{S as a,z as b,R as c,_ as d};

lib/chunks/chunk-HIJVM6IW.js

@@ -0,0 +1,4 @@
+import { createRequire as __codeqlCreateRequire } from "module";import { fileURLToPath as __codeqlFileURLToPath } from "url";import { dirname as __codeqlDirname } from "path";var require = __codeqlCreateRequire(import.meta.url);var __filename = __codeqlFileURLToPath(import.meta.url);var __dirname = __codeqlDirname(__filename);
+import{M as w,Pb as F,Vb as H,Ya as E,c as D,fa as b,ta as C,tb as k,wb as _}from"./chunk-V6LGBXSF.js";var h=D(H()),l=D(F());import*as f from"os";import{join as d}from"path";var x="codeql-dependencies",v=1;function Q(){return d(C(),"codeql_java","repository")}async function K(){return[d(f.homedir(),".m2","repository"),d(f.homedir(),".gradle","caches"),Q()]}function U(){return d(C(),"codeql_csharp","repository")}async function A(e,n){let r=[d(f.homedir(),".nuget","packages")];return await n.getValue("csharp_cache_bmn",e)&&r.push(U()),r}async function z(e){if((await(await I(e)).glob()).length!==0)return e}var T=["**/packages.lock.json","**/paket.lock"],j=["**/*.csproj","**/packages.config","**/nuget.config"];async function M(e,n){let r=await m.makePatternCheck(T);if(r!==void 0)return r;if(await n.getValue("csharp_new_cache_key",e))return m.makePatternCheck(j)}var R={java:{getDependencyPaths:K,getHashPatterns:async()=>m.makePatternCheck(["**/pom.xml","**/*.gradle*","**/gradle-wrapper.properties","buildSrc/**/Versions.kt","buildSrc/**/Dependencies.kt","gradle/*.versions.toml","**/versions.properties"])},csharp:{getDependencyPaths:A,getHashPatterns:M},go:{getDependencyPaths:async()=>[d(f.homedir(),"go","pkg","mod")],getHashPatterns:async()=>m.makePatternCheck(["**/go.sum"])}};async function I(e){return l.create(e.join(`
+`))}async function S(e,n,r,t,a,o){let s=await t.getHashPatterns(e,n);return s===void 0&&o.info(`Skipping ${a} of dependency cache for ${r} as we cannot calculate a hash for the cache key.`),s}async function oe(e,n,r,t){let a=[],o=[];for(let s of r){let p=R[s];if(p===void 0){t.info(`Skipping download of dependency cache for ${s} as we have no caching configuration for it.`);continue}let c=await S(e,n,s,p,"download",t);if(c===void 0){a.push({language:s,hit_kind:"no-hash"});continue}let u=await L(e,n,s,c),i=[await $(e,n,s)];t.info(`Downloading cache for ${s} with key ${u} and restore keys ${i.join(", ")}`);let y=performance.now(),g=await h.restoreCache(await p.getDependencyPaths(e,n),u,i),N=Math.round(performance.now()-y);if(g!==void 0){t.info(`Cache hit on key ${g} for ${s}.`);let P="partial";g===u&&(P="exact"),a.push({language:s,hit_kind:P,download_duration_ms:N}),o.push(g)}else a.push({language:s,hit_kind:"miss"}),t.info(`No suitable cache found for ${s}.`)}return{statusReport:a,restoredKeys:o}}async function re(e,n,r,t){let a=[];for(let o of r.languages){let s=R[o];if(s===void 0){t.info(`Skipping upload of dependency cache for ${o} as we have no caching configuration for it.`);continue}let p=await S(e,n,o,s,"upload",t);if(p===void 0){a.push({language:o,result:"no-hash"});continue}let c=await L(e,n,o,p);if(r.dependencyCachingRestoredKeys.includes(c)){a.push({language:o,result:"duplicate"});continue}let u=await k(await s.getDependencyPaths(e,n),t,!0);if(u===0){a.push({language:o,result:"empty"}),t.info(`Skipping upload of dependency cache for ${o} since it is empty.`);continue}t.info(`Uploading cache of size ${u} for ${o} with key ${c}...`);try{let i=performance.now();await h.saveCache(await s.getDependencyPaths(e,n),c);let y=Math.round(performance.now()-i);a.push({language:o,result:"stored",upload_size_bytes:Math.round(u),upload_duration_ms:y})}catch(i){if(i instanceof h.ReserveCacheError)t.info(`Not uploading cache for ${o}, because ${c} is already in use.`),t.debug(i.message),a.push({language:o,result:"duplicate"});else throw i}}return a}async function L(e,n,r,t){let a=await l.hashFiles(t.join(`
+`));return`${await $(e,n,r)}${a}`}async function V(e,n,r){let t=[],a=async o=>{await n.getValue(o,e)&&t.push(o)};return r==="csharp"&&(await a("csharp_new_cache_key"),await a("csharp_cache_bmn")),t.length>0?`${_(t)}-`:""}async function $(e,n,r){let t=w("RUNNER_OS"),a=process.env.CODEQL_ACTION_DEPENDENCY_CACHE_PREFIX,o=x;a!==void 0&&a.length>0&&(o=`${o}-${a}`);let s=await V(e,n,r);return`${o}-${s}${v}-${t}-${r}-`}async function se(e){try{let n=await E(x),r=n.reduce((t,a)=>t+(a.size_in_bytes??0),0);return{count:n.length,size_bytes:r}}catch(n){e.warning(`Unable to retrieve information about dependency cache usage: ${b(n)}`)}}var m={makePatternCheck:z};export{Q as a,U as b,oe as c,re as d,se as e};

lib/chunks/chunk-NENGCOP5.js

@@ -0,0 +1,2 @@
+import { createRequire as __codeqlCreateRequire } from "module";import { fileURLToPath as __codeqlFileURLToPath } from "url";import { dirname as __codeqlDirname } from "path";var require = __codeqlCreateRequire(import.meta.url);var __filename = __codeqlFileURLToPath(import.meta.url);var __dirname = __codeqlDirname(__filename);
+import{Ea as C,M as w,Ua as $,X as W,Z as E,c as P,k as L,n as d}from"./chunk-V6LGBXSF.js";var u=P(L());import*as c from"fs";import*as x from"path";import O from"zlib";function T(e){return Object.entries(e).reduce((r,[t,o])=>(r[t]={message:o,code:t},r),{})}var h=T({MissingPushHook:"Please specify an on.push hook to analyze and see code scanning alerts from the default branch on the Security tab.",CheckoutWrongHead:"git checkout HEAD^2 is no longer necessary. Please remove this step as Code Scanning recommends analyzing the merge commit for best results.",InconsistentActionVersion:"Not all workflow steps that use `github/codeql-action` actions use the same version. Please ensure that all such steps use the same version to avoid compatibility issues."});async function j(e,r){let t=await r.betterResolveLanguages();if(!t.aliases)return;let o=t.aliases,n={};for(let s of e){let a=o[s]||s;n[a]||(n[a]=[]),n[a].push(s)}return n}async function S(e,r){let t=[],o=process.env.GITHUB_JOB;if(o){let i=e?.jobs?.[o];if(i?.strategy?.matrix?.language){let f=i.strategy.matrix.language;if(Array.isArray(f)){let y=await j(f,r);if(y!==void 0)for(let[v,b]of Object.entries(y))b.length>1&&t.push({message:`CodeQL language '${v}' is referenced by more than one entry in the 'language' matrix parameter for job '${o}'. This may result in duplicate alerts. Please edit the 'language' matrix parameter to keep only one of the following: ${b.map(A=>`'${A}'`).join(", ")}.`,code:"DuplicateLanguageInMatrix"})}}let g=i?.steps;if(Array.isArray(g)){for(let f of g)if(f?.run==="git checkout HEAD^2"){t.push(h.CheckoutWrongHead);break}}}let n=[];for(let i of Object.values(e?.jobs||{}))if(Array.isArray(i.steps)){for(let g of i.steps)if(g.uses?.startsWith("github/codeql-action/")){let f=g.uses.split("@");f.length>=2&&n.push(f[f.length-1])}}n.length>0&&!n.every(i=>i===n[0])&&t.push(h.InconsistentActionVersion);let s=p("push",e),a=p("pull_request",e),l=p("workflow_call",e);return a&&!s&&!l&&t.push(h.MissingPushHook),t}function p(e,r){return r.on?typeof r.on=="string"?r.on===e:Array.isArray(r.on)?r.on.includes(e):Object.prototype.hasOwnProperty.call(r.on,e):!1}async function I(e,r){let t;try{t=await q(r)}catch(n){return`error: getWorkflow() failed: ${String(n)}`}let o;try{o=await S(t,e)}catch(n){return`error: getWorkflowErrors() failed: ${String(n)}`}if(o.length>0){let n;try{n=_(o)}catch(s){return`error: formatWorkflowErrors() failed: ${String(s)}`}u.warning(n)}return R(o)}function _(e){let r=e.length===1?"issue was":"issues were",t=e.map(o=>o.message).join(" ");return`${e.length} ${r} detected with this workflow: ${t}`}function R(e){if(e.length!==0)return e.map(r=>r.code).join(",")}async function q(e){let r=process.env.CODE_SCANNING_WORKFLOW_FILE;if(r)return e.debug("Using the workflow specified by the CODE_SCANNING_WORKFLOW_FILE environment variable."),d(O.gunzipSync(Buffer.from(r,"base64")).toString());let t=await D(e);return d(c.readFileSync(t,"utf-8"))}async function D(e){let r=await $(),t=x.join(w("GITHUB_WORKSPACE"),r);if(c.existsSync(t))return e.debug(`Derived the following absolute path for the currently executing workflow: ${t}.`),t;throw new Error(`Expected to find a code scanning workflow file at ${t}, but no such file existed. This can happen if the currently running workflow checks out a branch that doesn't contain the corresponding workflow file.`)}function H(e,r){if(e.uses)throw new Error(`Could not get steps calling ${r} since the job calls a reusable workflow.`);let t=e.steps;if(!Array.isArray(t))throw new Error(`Could not get steps calling ${r} since job.steps was not an array.`);return t.filter(o=>o.uses?.includes(r))}function k(e,r,t,o,n){let s=`Could not get ${o} input to ${t} since`;if(!e.jobs)throw new Error(`${s} the workflow has no jobs.`);if(!e.jobs[r])throw new Error(`${s} the workflow has no job named ${r}.`);let a=H(e.jobs[r],t);if(a.length===0)throw new Error(`${s} the ${r} job does not call ${t}.`);if(a.length>1)throw new Error(`${s} the ${r} job calls ${t} multiple times.`);let l=a[0].with?.[o]?.toString();if(l!==void 0&&n!==void 0){l=l.replace(/\${{\s+/,"${{").replace(/\s+}}/,"}}");for(let[i,g]of Object.entries(n))l=l.replace(`\${{matrix.${i}}}`,g)}if(l?.includes("${{"))throw new Error(`Could not get ${o} input to ${t} since it contained an unrecognized dynamic value.`);return l}function m(){return W()||E()==="codeql-action-pr-checks"?"./analyze":"github/codeql-action/analyze"}function M(e,r,t){return k(e,r,m(),"category",t)}function V(e,r,t){return k(e,r,m(),"upload",t)}function X(e,r,t){return k(e,r,m(),"checkout_path",t)||w("GITHUB_WORKSPACE")}async function Y(e,r){if(!C()&&process.env.CODEQL_ACTION_SKIP_WORKFLOW_VALIDATION!=="true"){u.startGroup("Validating workflow");let t=await z.validateWorkflow(r,e);t===void 0?e.info("Detected no issues with the code scanning workflow."):e.debug(`Unable to validate code scanning workflow: ${t}`),u.endGroup()}}var z={validateWorkflow:I};export{q as a,M as b,V as c,X as d,Y as e};

lib/chunks/chunk-U2JW7LOC.js

@@ -0,0 +1,2 @@
+import { createRequire as __codeqlCreateRequire } from "module";import { fileURLToPath as __codeqlFileURLToPath } from "url";import { dirname as __codeqlDirname } from "path";var require = __codeqlCreateRequire(import.meta.url);var __filename = __codeqlFileURLToPath(import.meta.url);var __dirname = __codeqlDirname(__filename);
+import{h as b}from"./chunk-LYJYPMC2.js";import{Oa as f,Ta as m,c as g,k as L,kb as p,la as s,lb as c,ta as l,va as d}from"./chunk-V6LGBXSF.js";var r=g(L());async function B(i,e,o){if(e.buildMode==="none"||e.buildMode==="manual"){o.info(`Using build mode "${e.buildMode}", nothing to autobuild. See https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages#codeql-build-modes for more information.`);return}let t=await s(e.languages,async u=>await i.isTracedLanguage(u));if(t.length===0){o.info("None of the languages in this project require extra build steps");return}let n=t.filter(u=>u!=="go"),a=[];return n[0]!==void 0&&a.push(n[0]),t.length!==n.length&&a.push("go"),o.debug(`Will autobuild ${a.join(" and ")}.`),n.length>1&&o.warning(`We will only automatically build ${a.join(" and ")} code. If you wish to scan ${n.slice(1).join(" and ")}, you must replace the autobuild step of your workflow with custom build steps. See https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages#about-specifying-build-steps-manually for more information.`),a}async function w(i,e){let o=p.cpp_dependency_installation_enabled.envVar,t="C++ automatic installation of dependencies",n=await m(),a=f();await c(n,a,l(),e).getValue("cpp_dependency_installation_enabled",i)?process.env.RUNNER_ENVIRONMENT==="self-hosted"&&process.env[o]!=="true"?(e.info(`Disabling ${t} as we are on a self-hosted runner.${d()!=="dynamic"?` To override this, set the ${o} environment variable to 'true' in your workflow. See https://docs.github.com/en/actions/learn-github-actions/variables#defining-environment-variables-for-a-single-workflow for more information.`:""}`),r.exportVariable(o,"false")):(e.info(`Enabling ${t}. This can be disabled by setting the ${o} environment variable to 'false'. See https://docs.github.com/en/actions/learn-github-actions/variables#defining-environment-variables-for-a-single-workflow for more information.`),r.exportVariable(o,"true")):(e.info(`Disabling ${t}.`),r.exportVariable(o,"false"))}async function Q(i,e,o){o.startGroup(`Attempting to automatically build ${e} code`);let t=await b(i.codeQLCmd);e==="cpp"&&await w(t,o),i.buildMode?await t.extractUsingBuildMode(i,e):await t.runAutobuild(i,e),e==="go"&&r.exportVariable("CODEQL_ACTION_DID_AUTOBUILD_GOLANG","true"),o.endGroup()}export{B as a,w as b,Q as c};

lib/init-entry.js

@@ -1,6 +0,0 @@
-// Automatically generated from 'action-entry.js.tpl' for 'src/init-action.ts'.
-
-"use strict";
-
-const import_entry_points = require("./entry-points");
-void (0, import_entry_points.runInitAction)();

lib/init-post-entry.js

@@ -1,6 +0,0 @@
-// Automatically generated from 'action-entry.js.tpl' for 'src/init-action-post.ts'.
-
-"use strict";
-
-const import_entry_points = require("./entry-points");
-void (0, import_entry_points.runInitPostAction)();

lib/package.json

@@ -0,0 +1 @@
+{"type":"module"}

lib/resolve-environment-action.js

@@ -0,0 +1,2 @@
+import { createRequire as __codeqlCreateRequire } from "module";import { fileURLToPath as __codeqlFileURLToPath } from "url";import { dirname as __codeqlDirname } from "path";var require = __codeqlCreateRequire(import.meta.url);var __filename = __codeqlFileURLToPath(import.meta.url);var __dirname = __codeqlDirname(__filename);
+import{c as A,e as u,f as d,h as V}from"./chunks/chunk-B34OPX2S.js";import{a as C,h as B}from"./chunks/chunk-LYJYPMC2.js";import{J as l,O as f,Ta as h,c as N,ca as g,cc as k,ea as p,fa as v,ga as c,ha as w,k as O,ra as E,sa as R,ta as y,ua as b,zb as m}from"./chunks/chunk-V6LGBXSF.js";var i=N(O());async function $(n,e,t,a){e.startGroup(`Attempting to resolve build environment for ${a}`);let r=await B(n);t!==void 0&&e.info(`Using ${t} as the working directory.`);let o=await r.resolveBuildEnvironment(t,a);return e.endGroup(),o}var F="environment";async function T(n){let e=m(),t;try{let r=await u("resolve-environment","starting",n,t,await c(e),e);r!==void 0&&await d(r);let o=await h();if(l(o,e),w(b(),o),t=await k(y(),e),t===void 0)throw new f("Config file could not be found at expected location. Has the 'init' action been called?");let s=R("working-directory"),L=await $(t.codeQLCmd,e,s,E("language"));i.setOutput(F,L)}catch(r){let o=p(r);if(o instanceof C)i.setOutput(F,{}),e.warning(`Failed to resolve a build environment suitable for automatically building your code. ${o.message}`);else{i.setFailed(`Failed to resolve a build environment suitable for automatically building your code. ${o.message}`);let s=await u("resolve-environment",A(o),n,t,await c(e),e,o.message,o.stack);s!==void 0&&await d(s)}return}let a=await u("resolve-environment","success",n,t,await c(e),e);a!==void 0&&await d(a)}async function U(){let n=new Date,e=m();try{await T(n)}catch(t){i.setFailed(`resolve-environment action failed: ${v(t)}`),await V("resolve-environment",n,t,e)}await g()}U();

lib/resolve-environment-entry.js

@@ -1,6 +0,0 @@
-// Automatically generated from 'action-entry.js.tpl' for 'src/resolve-environment-action.ts'.
-
-"use strict";
-
-const import_entry_points = require("./entry-points");
-void (0, import_entry_points.runResolveEnvironmentAction)();

lib/setup-codeql-action.js

@@ -0,0 +1,2 @@
+import { createRequire as __codeqlCreateRequire } from "module";import { fileURLToPath as __codeqlFileURLToPath } from "url";import { dirname as __codeqlDirname } from "path";var require = __codeqlCreateRequire(import.meta.url);var __filename = __codeqlFileURLToPath(import.meta.url);var __dirname = __codeqlDirname(__filename);
+import{a as P}from"./chunks/chunk-2R674E4A.js";import{c as H,e as g,f as m,h as O}from"./chunks/chunk-B34OPX2S.js";import{b as N}from"./chunks/chunk-LYJYPMC2.js";import{J as T,L as C,M as R,O as E,Oa as b,Ta as Q,_b as B,c as G,ca as I,ea as v,fa as h,ga as f,ha as k,k as K,lb as F,mb as q,ra as A,sa as d,ta as S,ua as _,zb as D}from"./chunks/chunk-V6LGBXSF.js";var r=G(K());async function M(n,o,e,l,c,u,a){let s=await g("setup-codeql",H(a),n,void 0,await f(u),u,a?.message,a?.stack);if(s===void 0)return;let t={...s,tools_input:d("tools")||"",tools_resolved_version:c,tools_source:l||"UNKNOWN",workflow_languages:""},i={};o?.downloadDurationMs!==void 0&&(i.tools_download_duration_ms=o.downloadDurationMs),e!==void 0&&(i.tools_feature_flags_valid=e),await m({...t,...i})}async function J(n){let o=D(),e,l,c,u,a;try{C(_());let s={auth:A("token"),externalRepoAuth:d("external-repository-token"),url:R("GITHUB_SERVER_URL"),apiURL:R("GITHUB_API_URL")},t=await Q();T(t,o),k(_(),t);let i=b(),w=F(t,i,S(),o),L=N();o.info(`Job run UUID is ${L}.`),r.exportVariable("JOB_RUN_UUID",L);let U=await g("setup-codeql","starting",n,void 0,await f(o),o);U!==void 0&&await m(U);let V=await w.getEnabledDefaultCliVersions(t.type);c=V.toolsFeatureFlagsValid;let x=B(d("languages")),y=await q(o,w),p=await P(d("tools"),s,S(),t.type,V,x,y.length===1&&y[0]==="code-scanning",w,o);e=p.codeql,l=p.toolsDownloadStatusReport,a=p.toolsVersion,u=p.toolsSource,r.setOutput("codeql-path",e.getPath()),r.setOutput("codeql-version",(await e.getVersion()).version),r.exportVariable("CODEQL_ACTION_SETUP_CODEQL_HAS_RUN","true")}catch(s){let t=v(s);r.setFailed(t.message);let i=await g("setup-codeql",t instanceof E?"user-error":"failure",n,void 0,await f(o),o,t.message,t.stack);i!==void 0&&await m(i);return}await M(n,l,c,u,a,o)}async function $(){let n=new Date,o=D();try{await J(n)}catch(e){r.setFailed(`setup-codeql action failed: ${h(e)}`),await O("setup-codeql",n,e,o)}await I()}$();

lib/setup-codeql-entry.js

@@ -1,6 +0,0 @@
-// Automatically generated from 'action-entry.js.tpl' for 'src/setup-codeql-action.ts'.
-
-"use strict";
-
-const import_entry_points = require("./entry-points");
-void (0, import_entry_points.runSetupCodeqlAction)();

lib/start-proxy-action-post.js

@@ -0,0 +1,2 @@
+import { createRequire as __codeqlCreateRequire } from "module";import { fileURLToPath as __codeqlFileURLToPath } from "url";import { dirname as __codeqlDirname } from "path";var require = __codeqlCreateRequire(import.meta.url);var __filename = __codeqlFileURLToPath(import.meta.url);var __dirname = __codeqlDirname(__filename);
+import{e as l}from"./chunks/chunk-WKICWMYU.js";import"./chunks/chunk-5ZRYQL45.js";import"./chunks/chunk-U2JW7LOC.js";import"./chunks/chunk-GX7WDUZJ.js";import"./chunks/chunk-HIJVM6IW.js";import"./chunks/chunk-LYJYPMC2.js";import{J as a,La as g,Ta as c,c as m,cc as f,fa as s,k as d,ta as r,zb as p}from"./chunks/chunk-V6LGBXSF.js";var o=m(d());async function y(){let t=p();try{g();let i=o.getState("proxy-process-pid");i&&process.kill(Number(i));let e=await f(r(),t);if(e?.debugMode||o.isDebug()){let u=o.getState("proxy-log-file");if(t.info("Debug mode is on. Uploading proxy log as Actions debugging artifact..."),e?.gitHubVersion.type===void 0){t.warning("Did not upload debug artifacts because cannot determine the GitHub variant running.");return}let n=await c();a(n,t),await l(t,[u],r(),"proxy-log-file",n.type)}}catch(i){t.warning(`start-proxy post-action step failed: ${s(i)}`)}}y();

lib/start-proxy-entry.js

@@ -1,6 +0,0 @@
-// Automatically generated from 'action-entry.js.tpl' for 'src/start-proxy-action.ts'.
-
-"use strict";
-
-const import_entry_points = require("./entry-points");
-void (0, import_entry_points.runStartProxyAction)();

lib/start-proxy-post-entry.js

@@ -1,6 +0,0 @@
-// Automatically generated from 'action-entry.js.tpl' for 'src/start-proxy-action-post.ts'.
-
-"use strict";
-
-const import_entry_points = require("./entry-points");
-void (0, import_entry_points.runStartProxyPostAction)();

lib/upload-lib.js

@@ -1,5 +1,2 @@
-// Automatically generated from 'upload-lib-stub.js.tpl' for 'src/upload-lib.ts'.
-
-"use strict";
-
-module.exports = require("./entry-points").uploadLib;
+import { createRequire as __codeqlCreateRequire } from "module";import { fileURLToPath as __codeqlFileURLToPath } from "url";import { dirname as __codeqlDirname } from "path";var require = __codeqlCreateRequire(import.meta.url);var __filename = __codeqlFileURLToPath(import.meta.url);var __dirname = __codeqlDirname(__filename);
+import{b as a,c as b,d as c,e as d,f as e,g as f,h as g,i as h,j as i,k as j,l as k,m as l,n as m,o as n,p as o,q as p,r as q,s as r}from"./chunks/chunk-XFYKKQKY.js";import"./chunks/chunk-2R674E4A.js";import"./chunks/chunk-LYJYPMC2.js";import"./chunks/chunk-V6LGBXSF.js";export{i as buildPayload,r as filterAlertsByDiffRange,e as findSarifFilesInDir,f as getGroupedSarifFilePaths,c as populateRunAutomationDetails,j as postProcessSarifFiles,g as readSarifFileOrThrow,o as shouldConsiderConfigurationError,p as shouldConsiderInvalidRequest,a as shouldShowCombineSarifFilesDeprecationWarning,b as throwIfCombineSarifFilesDisabled,l as uploadFiles,d as uploadPayload,m as uploadPostProcessedFiles,h as validateSarifFileSchema,q as validateUniqueCategory,n as waitForProcessing,k as writePostProcessedFiles};

lib/upload-sarif-action-post.js

@@ -0,0 +1,2 @@
+import { createRequire as __codeqlCreateRequire } from "module";import { fileURLToPath as __codeqlFileURLToPath } from "url";import { dirname as __codeqlDirname } from "path";var require = __codeqlCreateRequire(import.meta.url);var __filename = __codeqlFileURLToPath(import.meta.url);var __dirname = __codeqlDirname(__filename);
+import{b as u}from"./chunks/chunk-WKICWMYU.js";import"./chunks/chunk-5ZRYQL45.js";import"./chunks/chunk-U2JW7LOC.js";import"./chunks/chunk-GX7WDUZJ.js";import"./chunks/chunk-HIJVM6IW.js";import"./chunks/chunk-LYJYPMC2.js";import{Ab as c,J as e,La as a,Ta as n,c as f,fa as o,k as p,zb as s}from"./chunks/chunk-V6LGBXSF.js";var r=f(p());async function d(){try{a();let t=s(),i=await n();if(e(i,t),process.env.CODEQL_ACTION_INIT_HAS_RUN!=="true"){if(i.type===void 0){r.warning("Did not upload debug artifacts because cannot determine the GitHub variant running.");return}await c("Uploading combined SARIF debug artifact",()=>u(t,i.type,void 0))}}catch(t){r.setFailed(`upload-sarif post-action step failed: ${o(t)}`)}}d();

lib/upload-sarif-action.js

@@ -0,0 +1,2 @@
+import { createRequire as __codeqlCreateRequire } from "module";import { fileURLToPath as __codeqlFileURLToPath } from "url";import { dirname as __codeqlDirname } from "path";var require = __codeqlCreateRequire(import.meta.url);var __filename = __codeqlFileURLToPath(import.meta.url);var __dirname = __codeqlDirname(__filename);
+import{a as O}from"./chunks/chunk-3ABJF3VX.js";import{a as B,o as F}from"./chunks/chunk-XFYKKQKY.js";import"./chunks/chunk-2R674E4A.js";import{a as _,c as v,e as u,f as d,h as N}from"./chunks/chunk-B34OPX2S.js";import"./chunks/chunk-LYJYPMC2.js";import{Ka as k,L as R,O as l,Oa as m,Ta as D,Y as y,c as V,ea as U,fa as h,ga as c,ha as b,k as L,lb as E,ra as p,sa as I,ta as A,ua as g,zb as S}from"./chunks/chunk-V6LGBXSF.js";var i=V(L());async function C(e,t,a){let o=await u("upload-sarif","success",e,void 0,await c(a),a);if(o!==void 0){let r={...o,...t};await d(r)}}async function H(e){let t=S();try{R(g());let a=await D();b(g(),a),k();let o=m(),r=E(a,o,A(),t),s=await u("upload-sarif","starting",e,void 0,await c(t),t);s!==void 0&&await d(s);let w=p("sarif_file"),P=p("checkout_path"),q=I("category"),f=await O(t,r,"always",P,w,q);if(Object.keys(f).length===0)throw new l(`No SARIF files found to upload in "${w}".`);let n=f["code-scanning"];n!==void 0&&i.setOutput("sarif-id",n.sarifID),i.setOutput("sarif-ids",JSON.stringify(f)),y()?i.debug("SARIF upload disabled by an environment variable. Waiting for processing is disabled."):p("wait-for-processing")==="true"&&n!==void 0&&await F(m(),n.sarifID,t),await C(e,n?.statusReport||{},t)}catch(a){let o=_("upload-sarif")&&a instanceof B?new l(a.message):U(a),r=o.message;i.setFailed(r);let s=await u("upload-sarif",v(o),e,void 0,await c(t),t,r,o.stack);s!==void 0&&await d(s);return}}async function T(){let e=new Date,t=S();try{await H(e)}catch(a){i.setFailed(`codeql/upload-sarif action failed: ${h(a)}`),await N("upload-sarif",e,a,t)}}T();

lib/upload-sarif-entry.js

@@ -1,6 +0,0 @@
-// Automatically generated from 'action-entry.js.tpl' for 'src/upload-sarif-action.ts'.
-
-"use strict";
-
-const import_entry_points = require("./entry-points");
-void (0, import_entry_points.runUploadSarifAction)();

lib/upload-sarif-post-entry.js

@@ -1,6 +0,0 @@
-// Automatically generated from 'action-entry.js.tpl' for 'src/upload-sarif-action-post.ts'.
-
-"use strict";
-
-const import_entry_points = require("./entry-points");
-void (0, import_entry_points.runUploadSarifPostAction)();

package-lock.json

@@ -1,12 +1,12 @@
 {
   "name": "codeql",
-  "version": "4.36.0",
+  "version": "4.35.5",
   "lockfileVersion": 3,
   "requires": true,
   "packages": {
     "": {
       "name": "codeql",
-      "version": "4.36.0",
+      "version": "4.35.5",
       "license": "MIT",
       "workspaces": [
         "pr-checks"
@@ -36,7 +36,7 @@
         "uuid": "^14.0.0"
       },
       "devDependencies": {
-        "@ava/typescript": "6.0.0",
+        "@ava/typescript": "7.0.0",
         "@eslint/compat": "^2.0.5",
         "@microsoft/eslint-formatter-sarif": "^3.1.0",
         "@octokit/types": "^16.0.0",
@@ -48,7 +48,7 @@
         "@types/sarif": "^2.1.7",
         "@types/semver": "^7.7.1",
         "@types/sinon": "^21.0.1",
-        "ava": "^6.4.1",
+        "ava": "^7.0.0",
         "esbuild": "^0.28.0",
         "eslint": "^9.39.4",
         "eslint-import-resolver-typescript": "^4.4.4",
@@ -59,7 +59,7 @@
         "glob": "^11.1.0",
         "globals": "^17.6.0",
         "nock": "^14.0.12",
-        "sinon": "^22.0.0",
+        "sinon": "^21.1.2",
         "typescript": "^6.0.3",
         "typescript-eslint": "^8.59.2"
       }
@@ -450,17 +450,17 @@
       }
     },
     "node_modules/@ava/typescript": {
-      "version": "6.0.0",
-      "resolved": "https://registry.npmjs.org/@ava/typescript/-/typescript-6.0.0.tgz",
-      "integrity": "sha512-+8oDYc4J5cCaWZh1VUbyc+cegGplJO9FqHpqR4LVAVx8fRLVRaYlC4yyA6cqHJ1vWP23Ff/ECS5U68Zz6OLZlg==",
+      "version": "7.0.0",
+      "resolved": "https://registry.npmjs.org/@ava/typescript/-/typescript-7.0.0.tgz",
+      "integrity": "sha512-0ktzq4/9ya2QoAuVWzl3McpLV9W//Tj+oMonQ4ucgm5l6tQ46aaju/rJL9kzeY5MkG6wzXvFt/MmaLqf9uNC9w==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
         "escape-string-regexp": "^5.0.0",
-        "execa": "^9.6.0"
+        "execa": "^9.6.1"
       },
       "engines": {
-        "node": "^20.8 || ^22 || >=24"
+        "node": "^22.20 || ^24.12 || >=25"
       }
     },
     "node_modules/@ava/typescript/node_modules/escape-string-regexp": {
@@ -2379,9 +2379,9 @@
       }
     },
     "node_modules/@sinonjs/fake-timers": {
-      "version": "15.4.0",
-      "resolved": "https://registry.npmjs.org/@sinonjs/fake-timers/-/fake-timers-15.4.0.tgz",
-      "integrity": "sha512-DsG+8/LscQIQg68J6Ef3dv10u6nVyetYn923s3/sus5eaGfTo1of5WMZSLf0UJc9KDuKPilPH0UDJCjvNbDNCA==",
+      "version": "15.3.2",
+      "resolved": "https://registry.npmjs.org/@sinonjs/fake-timers/-/fake-timers-15.3.2.tgz",
+      "integrity": "sha512-mrn35Jl2pCpns+mE3HaZa1yPN5EYCRgiMI+135COjr2hr8Cls9DXqIZ57vZe2cz7y2XVSq92tcs6kGQcT1J8Rw==",
       "dev": true,
       "license": "BSD-3-Clause",
       "dependencies": {
@@ -3172,9 +3172,9 @@
       ]
     },
     "node_modules/@vercel/nft": {
-      "version": "0.29.4",
-      "resolved": "https://registry.npmjs.org/@vercel/nft/-/nft-0.29.4.tgz",
-      "integrity": "sha512-6lLqMNX3TuycBPABycx7A9F1bHQR7kiQln6abjFbPrf5C/05qHM9M5E4PeTE59c7z8g6vHnx1Ioihb2AQl7BTA==",
+      "version": "1.3.2",
+      "resolved": "https://registry.npmjs.org/@vercel/nft/-/nft-1.3.2.tgz",
+      "integrity": "sha512-HC8venRc4Ya7vNeBsJneKHHMDDWpQie7VaKhAIOst3MKO+DES+Y/SbzSp8mFkD7OzwAE2HhHkeSuSmwS20mz3A==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
@@ -3185,7 +3185,7 @@
         "async-sema": "^3.1.1",
         "bindings": "^1.4.0",
         "estree-walker": "2.0.2",
-        "glob": "^10.4.5",
+        "glob": "^13.0.0",
         "graceful-fs": "^4.2.9",
         "node-gyp-build": "^4.2.2",
         "picomatch": "^4.0.2",
@@ -3195,7 +3195,7 @@
         "nft": "out/cli.js"
       },
       "engines": {
-        "node": ">=18"
+        "node": ">=20"
       }
     },
     "node_modules/abbrev": {
@@ -3561,58 +3561,57 @@
       "license": "MIT"
     },
     "node_modules/ava": {
-      "version": "6.4.1",
-      "resolved": "https://registry.npmjs.org/ava/-/ava-6.4.1.tgz",
-      "integrity": "sha512-vxmPbi1gZx9zhAjHBgw81w/iEDKcrokeRk/fqDTyA2DQygZ0o+dUGRHFOtX8RA5N0heGJTTsIk7+xYxitDb61Q==",
+      "version": "7.0.0",
+      "resolved": "https://registry.npmjs.org/ava/-/ava-7.0.0.tgz",
+      "integrity": "sha512-4sRJO/gehlfAgSbuH02mClDDiyymnuFmirE3KqPXl2pic1FaFTZaAACKqr85WT4o08iLjViMR9gmMkxzbZ3AgA==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
-        "@vercel/nft": "^0.29.4",
-        "acorn": "^8.15.0",
-        "acorn-walk": "^8.3.4",
-        "ansi-styles": "^6.2.1",
+        "@vercel/nft": "^1.3.2",
+        "acorn": "^8.16.0",
+        "acorn-walk": "^8.3.5",
+        "ansi-styles": "^6.2.3",
         "arrgv": "^1.0.2",
         "arrify": "^3.0.0",
         "callsites": "^4.2.0",
-        "cbor": "^10.0.9",
-        "chalk": "^5.4.1",
+        "cbor": "^10.0.11",
+        "chalk": "^5.6.2",
         "chunkd": "^2.0.1",
-        "ci-info": "^4.3.0",
+        "ci-info": "^4.4.0",
         "ci-parallel-vars": "^1.0.1",
-        "cli-truncate": "^4.0.0",
+        "cli-truncate": "^5.1.1",
         "code-excerpt": "^4.0.0",
         "common-path-prefix": "^3.0.0",
         "concordance": "^5.0.4",
         "currently-unhandled": "^0.4.1",
-        "debug": "^4.4.1",
+        "debug": "^4.4.3",
         "emittery": "^1.2.0",
         "figures": "^6.1.0",
-        "globby": "^14.1.0",
+        "globby": "^16.1.1",
         "ignore-by-default": "^2.1.0",
         "indent-string": "^5.0.0",
         "is-plain-object": "^5.0.0",
         "is-promise": "^4.0.0",
-        "matcher": "^5.0.0",
-        "memoize": "^10.1.0",
+        "matcher": "^6.0.0",
+        "memoize": "^10.2.0",
         "ms": "^2.1.3",
-        "p-map": "^7.0.3",
+        "p-map": "^7.0.4",
         "package-config": "^5.0.0",
-        "picomatch": "^4.0.2",
-        "plur": "^5.1.0",
-        "pretty-ms": "^9.2.0",
+        "picomatch": "^4.0.3",
+        "plur": "^6.0.0",
+        "pretty-ms": "^9.3.0",
         "resolve-cwd": "^3.0.0",
         "stack-utils": "^2.0.6",
-        "strip-ansi": "^7.1.0",
         "supertap": "^3.0.1",
         "temp-dir": "^3.0.0",
-        "write-file-atomic": "^6.0.0",
-        "yargs": "^17.7.2"
+        "write-file-atomic": "^7.0.0",
+        "yargs": "^18.0.0"
       },
       "bin": {
         "ava": "entrypoints/cli.mjs"
       },
       "engines": {
-        "node": "^18.18 || ^20.8 || ^22 || ^23 || >=24"
+        "node": "^20.19 || ^22.20 || ^24.12 || >=25"
       },
       "peerDependencies": {
         "@ava/typescript": "*"
@@ -3623,19 +3622,6 @@
         }
       }
     },
-    "node_modules/ava/node_modules/ansi-regex": {
-      "version": "6.2.2",
-      "resolved": "https://registry.npmjs.org/ansi-regex/-/ansi-regex-6.2.2.tgz",
-      "integrity": "sha512-Bq3SmSpyFHaWjPk8If9yc6svM8c56dB5BAtW4Qbw5jHTwwXXcTLoRMkpDJp6VL0XzlWaCHTXrkFURMYmD0sLqg==",
-      "dev": true,
-      "license": "MIT",
-      "engines": {
-        "node": ">=12"
-      },
-      "funding": {
-        "url": "https://github.com/chalk/ansi-regex?sponsor=1"
-      }
-    },
     "node_modules/ava/node_modules/callsites": {
       "version": "4.2.0",
       "resolved": "https://registry.npmjs.org/callsites/-/callsites-4.2.0.tgz",
@@ -3666,22 +3652,6 @@
         }
       }
     },
-    "node_modules/ava/node_modules/strip-ansi": {
-      "version": "7.2.0",
-      "resolved": "https://registry.npmjs.org/strip-ansi/-/strip-ansi-7.2.0.tgz",
-      "integrity": "sha512-yDPMNjp4WyfYBkHnjIRLfca1i6KMyGCtsVgoKe/z1+6vukgaENdgGBZt+ZmKPc4gavvEZ5OgHfHdrazhgNyG7w==",
-      "dev": true,
-      "license": "MIT",
-      "dependencies": {
-        "ansi-regex": "^6.2.2"
-      },
-      "engines": {
-        "node": ">=12"
-      },
-      "funding": {
-        "url": "https://github.com/chalk/strip-ansi?sponsor=1"
-      }
-    },
     "node_modules/available-typed-arrays": {
       "version": "1.0.7",
       "resolved": "https://registry.npmjs.org/available-typed-arrays/-/available-typed-arrays-1.0.7.tgz",
@@ -3795,9 +3765,9 @@
       "license": "MIT"
     },
     "node_modules/brace-expansion": {
-      "version": "1.1.14",
-      "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.14.tgz",
-      "integrity": "sha512-MWPGfDxnyzKU7rNOW9SP/c50vi3xrmrua/+6hfPbCS2ABNWfx24vPidzvC7krjU/RTo235sV776ymlsMtGKj8g==",
+      "version": "1.1.13",
+      "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.13.tgz",
+      "integrity": "sha512-9ZLprWS6EENmhEOpjCYW2c8VkmOvckIJZfkr7rBW6dObmfgJ/L1GpSYW5Hpo9lDz4D1+n0Ckz8rU7FwHDQiG/w==",
       "license": "MIT",
       "dependencies": {
         "balanced-match": "^1.0.0",
@@ -4046,17 +4016,17 @@
       "dev": true
     },
     "node_modules/cli-truncate": {
-      "version": "4.0.0",
-      "resolved": "https://registry.npmjs.org/cli-truncate/-/cli-truncate-4.0.0.tgz",
-      "integrity": "sha512-nPdaFdQ0h/GEigbPClz11D0v/ZJEwxmeVZGeMo3Z5StPtUTkA9o1lD6QwoirYiSDzbcwn2XcjwmCp68W1IS4TA==",
+      "version": "5.2.0",
+      "resolved": "https://registry.npmjs.org/cli-truncate/-/cli-truncate-5.2.0.tgz",
+      "integrity": "sha512-xRwvIOMGrfOAnM1JYtqQImuaNtDEv9v6oIYAs4LIHwTiKee8uwvIi363igssOC0O5U04i4AlENs79LQLu9tEMw==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
-        "slice-ansi": "^5.0.0",
-        "string-width": "^7.0.0"
+        "slice-ansi": "^8.0.0",
+        "string-width": "^8.2.0"
       },
       "engines": {
-        "node": ">=18"
+        "node": ">=20"
       },
       "funding": {
         "url": "https://github.com/sponsors/sindresorhus"
@@ -4075,26 +4045,18 @@
         "url": "https://github.com/chalk/ansi-regex?sponsor=1"
       }
     },
-    "node_modules/cli-truncate/node_modules/emoji-regex": {
-      "version": "10.6.0",
-      "resolved": "https://registry.npmjs.org/emoji-regex/-/emoji-regex-10.6.0.tgz",
-      "integrity": "sha512-toUI84YS5YmxW219erniWD0CIVOo46xGKColeNQRgOzDorgBi1v4D71/OFzgD9GO2UGKIv1C3Sp8DAn0+j5w7A==",
-      "dev": true,
-      "license": "MIT"
-    },
     "node_modules/cli-truncate/node_modules/string-width": {
-      "version": "7.2.0",
-      "resolved": "https://registry.npmjs.org/string-width/-/string-width-7.2.0.tgz",
-      "integrity": "sha512-tsaTIkKW9b4N+AEj+SVA+WhJzV7/zMhcSu78mLKWSk7cXMOSHsBKFWUs0fWwq8QyK3MgJBQRX6Gbi4kYbdvGkQ==",
+      "version": "8.2.0",
+      "resolved": "https://registry.npmjs.org/string-width/-/string-width-8.2.0.tgz",
+      "integrity": "sha512-6hJPQ8N0V0P3SNmP6h2J99RLuzrWz2gvT7VnK5tKvrNqJoyS9W4/Fb8mo31UiPvy00z7DQXkP2hnKBVav76thw==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
-        "emoji-regex": "^10.3.0",
-        "get-east-asian-width": "^1.0.0",
-        "strip-ansi": "^7.1.0"
+        "get-east-asian-width": "^1.5.0",
+        "strip-ansi": "^7.1.2"
       },
       "engines": {
-        "node": ">=18"
+        "node": ">=20"
       },
       "funding": {
         "url": "https://github.com/sponsors/sindresorhus"
@@ -4117,18 +4079,72 @@
       }
     },
     "node_modules/cliui": {
-      "version": "8.0.1",
-      "resolved": "https://registry.npmjs.org/cliui/-/cliui-8.0.1.tgz",
-      "integrity": "sha512-BSeNnyus75C4//NQ9gQt1/csTXyo/8Sb+afLAkzAptFuMsod9HFokGNudZpi/oQV73hnVK+sR+5PVRMd+Dr7YQ==",
+      "version": "9.0.1",
+      "resolved": "https://registry.npmjs.org/cliui/-/cliui-9.0.1.tgz",
+      "integrity": "sha512-k7ndgKhwoQveBL+/1tqGJYNz097I7WOvwbmmU2AR5+magtbjPWQTS1C5vzGkBC8Ym8UWRzfKUzUUqFLypY4Q+w==",
       "dev": true,
       "license": "ISC",
       "dependencies": {
-        "string-width": "^4.2.0",
-        "strip-ansi": "^6.0.1",
-        "wrap-ansi": "^7.0.0"
+        "string-width": "^7.2.0",
+        "strip-ansi": "^7.1.0",
+        "wrap-ansi": "^9.0.0"
+      },
+      "engines": {
+        "node": ">=20"
+      }
+    },
+    "node_modules/cliui/node_modules/ansi-regex": {
+      "version": "6.2.2",
+      "resolved": "https://registry.npmjs.org/ansi-regex/-/ansi-regex-6.2.2.tgz",
+      "integrity": "sha512-Bq3SmSpyFHaWjPk8If9yc6svM8c56dB5BAtW4Qbw5jHTwwXXcTLoRMkpDJp6VL0XzlWaCHTXrkFURMYmD0sLqg==",
+      "dev": true,
+      "license": "MIT",
+      "engines": {
+        "node": ">=12"
+      },
+      "funding": {
+        "url": "https://github.com/chalk/ansi-regex?sponsor=1"
+      }
+    },
+    "node_modules/cliui/node_modules/emoji-regex": {
+      "version": "10.6.0",
+      "resolved": "https://registry.npmjs.org/emoji-regex/-/emoji-regex-10.6.0.tgz",
+      "integrity": "sha512-toUI84YS5YmxW219erniWD0CIVOo46xGKColeNQRgOzDorgBi1v4D71/OFzgD9GO2UGKIv1C3Sp8DAn0+j5w7A==",
+      "dev": true,
+      "license": "MIT"
+    },
+    "node_modules/cliui/node_modules/string-width": {
+      "version": "7.2.0",
+      "resolved": "https://registry.npmjs.org/string-width/-/string-width-7.2.0.tgz",
+      "integrity": "sha512-tsaTIkKW9b4N+AEj+SVA+WhJzV7/zMhcSu78mLKWSk7cXMOSHsBKFWUs0fWwq8QyK3MgJBQRX6Gbi4kYbdvGkQ==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "emoji-regex": "^10.3.0",
+        "get-east-asian-width": "^1.0.0",
+        "strip-ansi": "^7.1.0"
+      },
+      "engines": {
+        "node": ">=18"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/sindresorhus"
+      }
+    },
+    "node_modules/cliui/node_modules/strip-ansi": {
+      "version": "7.2.0",
+      "resolved": "https://registry.npmjs.org/strip-ansi/-/strip-ansi-7.2.0.tgz",
+      "integrity": "sha512-yDPMNjp4WyfYBkHnjIRLfca1i6KMyGCtsVgoKe/z1+6vukgaENdgGBZt+ZmKPc4gavvEZ5OgHfHdrazhgNyG7w==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "ansi-regex": "^6.2.2"
       },
       "engines": {
         "node": ">=12"
+      },
+      "funding": {
+        "url": "https://github.com/chalk/strip-ansi?sponsor=1"
       }
     },
     "node_modules/code-excerpt": {
@@ -4442,9 +4458,9 @@
       }
     },
     "node_modules/diff": {
-      "version": "9.0.0",
-      "resolved": "https://registry.npmjs.org/diff/-/diff-9.0.0.tgz",
-      "integrity": "sha512-svtcdpS8CgJyqAjEQIXdb3OjhFVVYjzGAPO8WGCmRbrml64SPw/jJD4GoE98aR7r25A0XcgrK3F02yw9R/vhQw==",
+      "version": "8.0.4",
+      "resolved": "https://registry.npmjs.org/diff/-/diff-8.0.4.tgz",
+      "integrity": "sha512-DPi0FmjiSU5EvQV0++GFDOJ9ASQUVFh5kD+OzOnYdi7n3Wpm9hWWGfB/O2blfHcMVTL5WkQXSnRiK9makhrcnw==",
       "dev": true,
       "license": "BSD-3-Clause",
       "engines": {
@@ -5122,9 +5138,9 @@
       }
     },
     "node_modules/eslint-plugin-import-x/node_modules/brace-expansion": {
-      "version": "5.0.6",
-      "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-5.0.6.tgz",
-      "integrity": "sha512-kLpxurY4Z4r9sgMsyG0Z9uzsBlgiU/EFKhj/h91/8yHu0edo7XuixOIH3VcJ8kkxs6/jPzoI6U9Vj3WqbMQ94g==",
+      "version": "5.0.5",
+      "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-5.0.5.tgz",
+      "integrity": "sha512-VZznLgtwhn+Mact9tfiwx64fA9erHH/MCXEUfB/0bX/6Fz6ny5EGTXYltMocqg4xFAQZtnO3DHWWXi8RiuN7cQ==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
@@ -5923,9 +5939,9 @@
       }
     },
     "node_modules/get-east-asian-width": {
-      "version": "1.6.0",
-      "resolved": "https://registry.npmjs.org/get-east-asian-width/-/get-east-asian-width-1.6.0.tgz",
-      "integrity": "sha512-QRbvDIbx6YklUe6RxeTeleMR0yv3cYH6PsPZHcnVn7xv7zO1BHN8r0XETu8n6Ye3Q+ahtSarc3WgtNWmehIBfA==",
+      "version": "1.5.0",
+      "resolved": "https://registry.npmjs.org/get-east-asian-width/-/get-east-asian-width-1.5.0.tgz",
+      "integrity": "sha512-CQ+bEO+Tva/qlmw24dCejulK5pMzVnUOFOijVogd3KQs07HnRIgp8TGipvCCRT06xeYEbpbgwaCxglFyiuIcmA==",
       "dev": true,
       "license": "MIT",
       "engines": {
@@ -6078,9 +6094,9 @@
       }
     },
     "node_modules/glob/node_modules/brace-expansion": {
-      "version": "5.0.6",
-      "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-5.0.6.tgz",
-      "integrity": "sha512-kLpxurY4Z4r9sgMsyG0Z9uzsBlgiU/EFKhj/h91/8yHu0edo7XuixOIH3VcJ8kkxs6/jPzoI6U9Vj3WqbMQ94g==",
+      "version": "5.0.5",
+      "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-5.0.5.tgz",
+      "integrity": "sha512-VZznLgtwhn+Mact9tfiwx64fA9erHH/MCXEUfB/0bX/6Fz6ny5EGTXYltMocqg4xFAQZtnO3DHWWXi8RiuN7cQ==",
       "license": "MIT",
       "dependencies": {
         "balanced-match": "^4.0.2"
@@ -6135,34 +6151,21 @@
       }
     },
     "node_modules/globby": {
-      "version": "14.1.0",
-      "resolved": "https://registry.npmjs.org/globby/-/globby-14.1.0.tgz",
-      "integrity": "sha512-0Ia46fDOaT7k4og1PDW4YbodWWr3scS2vAr2lTbsplOt2WkKp0vQbkI9wKis/T5LV/dqPjO3bpS/z6GTJB82LA==",
+      "version": "16.1.1",
+      "resolved": "https://registry.npmjs.org/globby/-/globby-16.1.1.tgz",
+      "integrity": "sha512-dW7vl+yiAJSp6aCekaVnVJxurRv7DCOLyXqEG3RYMYUg7AuJ2jCqPkZTA8ooqC2vtnkaMcV5WfFBMuEnTu1OQg==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
-        "@sindresorhus/merge-streams": "^2.1.0",
+        "@sindresorhus/merge-streams": "^4.0.0",
         "fast-glob": "^3.3.3",
-        "ignore": "^7.0.3",
-        "path-type": "^6.0.0",
+        "ignore": "^7.0.5",
+        "is-path-inside": "^4.0.0",
         "slash": "^5.1.0",
-        "unicorn-magic": "^0.3.0"
+        "unicorn-magic": "^0.4.0"
       },
       "engines": {
-        "node": ">=18"
-      },
-      "funding": {
-        "url": "https://github.com/sponsors/sindresorhus"
-      }
-    },
-    "node_modules/globby/node_modules/@sindresorhus/merge-streams": {
-      "version": "2.3.0",
-      "resolved": "https://registry.npmjs.org/@sindresorhus/merge-streams/-/merge-streams-2.3.0.tgz",
-      "integrity": "sha512-LtoMMhxAlorcGhmFYI+LhPgbPZCkgP6ra1YL604EeF6U98pLlQ3iWIGMdWSC+vWmPBWBNgmDBAhnAobLROJmwg==",
-      "dev": true,
-      "license": "MIT",
-      "engines": {
-        "node": ">=18"
+        "node": ">=20"
       },
       "funding": {
         "url": "https://github.com/sponsors/sindresorhus"
@@ -6178,6 +6181,32 @@
         "node": ">= 4"
       }
     },
+    "node_modules/globby/node_modules/is-path-inside": {
+      "version": "4.0.0",
+      "resolved": "https://registry.npmjs.org/is-path-inside/-/is-path-inside-4.0.0.tgz",
+      "integrity": "sha512-lJJV/5dYS+RcL8uQdBDW9c9uWFLLBNRyFhnAKXw5tVqLlKZ4RMGZKv+YQ/IA3OhD+RpbJa1LLFM1FQPGyIXvOA==",
+      "dev": true,
+      "license": "MIT",
+      "engines": {
+        "node": ">=12"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/sindresorhus"
+      }
+    },
+    "node_modules/globby/node_modules/unicorn-magic": {
+      "version": "0.4.0",
+      "resolved": "https://registry.npmjs.org/unicorn-magic/-/unicorn-magic-0.4.0.tgz",
+      "integrity": "sha512-wH590V9VNgYH9g3lH9wWjTrUoKsjLF6sGLjhR4sH1LWpLmCOH0Zf7PukhDA8BiS7KHe4oPNkcTHqYkj7SOGUOw==",
+      "dev": true,
+      "license": "MIT",
+      "engines": {
+        "node": ">=20"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/sindresorhus"
+      }
+    },
     "node_modules/gopd": {
       "version": "1.2.0",
       "resolved": "https://registry.npmjs.org/gopd/-/gopd-1.2.0.tgz",
@@ -6442,13 +6471,16 @@
       }
     },
     "node_modules/irregular-plurals": {
-      "version": "3.5.0",
-      "resolved": "https://registry.npmjs.org/irregular-plurals/-/irregular-plurals-3.5.0.tgz",
-      "integrity": "sha512-1ANGLZ+Nkv1ptFb2pa8oG8Lem4krflKuX/gINiHJHjJUKaJHk/SXk5x6K3J+39/p0h1RQ2saROclJJ+QLvETCQ==",
+      "version": "4.2.0",
+      "resolved": "https://registry.npmjs.org/irregular-plurals/-/irregular-plurals-4.2.0.tgz",
+      "integrity": "sha512-bW9UXHL7bnUcNtTo+9ccSngbxc+V40H32IgvdVin0Xs8gbo+AVYD5g/72ce/54Kjfhq66vcZr8H8TKEvsifeOw==",
       "dev": true,
       "license": "MIT",
       "engines": {
-        "node": ">=8"
+        "node": ">=18.20"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/sindresorhus"
       }
     },
     "node_modules/is-array-buffer": {
@@ -7219,16 +7251,16 @@
       }
     },
     "node_modules/matcher": {
-      "version": "5.0.0",
-      "resolved": "https://registry.npmjs.org/matcher/-/matcher-5.0.0.tgz",
-      "integrity": "sha512-s2EMBOWtXFc8dgqvoAzKJXxNHibcdJMV0gwqKUaw9E2JBJuGUK7DrNKrA6g/i+v72TT16+6sVm5mS3thaMLQUw==",
+      "version": "6.0.0",
+      "resolved": "https://registry.npmjs.org/matcher/-/matcher-6.0.0.tgz",
+      "integrity": "sha512-TzDerdcNtI79w7Av4GT57bLdElPA/VAkjqdMZv8yhuc8geU2z0ljW9anXbX/55aHEMTpYypZb1lxsA/46r9oOQ==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
         "escape-string-regexp": "^5.0.0"
       },
       "engines": {
-        "node": "^12.20.0 || ^14.13.1 || >=16.0.0"
+        "node": ">=20"
       },
       "funding": {
         "url": "https://github.com/sponsors/sindresorhus"
@@ -7849,19 +7881,6 @@
         "url": "https://github.com/sponsors/isaacs"
       }
     },
-    "node_modules/path-type": {
-      "version": "6.0.0",
-      "resolved": "https://registry.npmjs.org/path-type/-/path-type-6.0.0.tgz",
-      "integrity": "sha512-Vj7sf++t5pBD637NSfkxpHSMfWaeig5+DKWLhcqIYx6mWQz5hdJTGDVMQiJcw1ZYkhs7AazKDGpRVji1LJCZUQ==",
-      "dev": true,
-      "license": "MIT",
-      "engines": {
-        "node": ">=18"
-      },
-      "funding": {
-        "url": "https://github.com/sponsors/sindresorhus"
-      }
-    },
     "node_modules/picocolors": {
       "version": "1.1.1",
       "resolved": "https://registry.npmjs.org/picocolors/-/picocolors-1.1.1.tgz",
@@ -7883,16 +7902,16 @@
       }
     },
     "node_modules/plur": {
-      "version": "5.1.0",
-      "resolved": "https://registry.npmjs.org/plur/-/plur-5.1.0.tgz",
-      "integrity": "sha512-VP/72JeXqak2KiOzjgKtQen5y3IZHn+9GOuLDafPv0eXa47xq0At93XahYBs26MsifCQ4enGKwbjBTKgb9QJXg==",
+      "version": "6.0.0",
+      "resolved": "https://registry.npmjs.org/plur/-/plur-6.0.0.tgz",
+      "integrity": "sha512-Y9wXQivjRX0REtwpA9+n0bYYypWESn3cWtW2vazymw711qn+AQXxzZjRqhANYGBLIMC1UzVdpwe/1hHQwHfwng==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
-        "irregular-plurals": "^3.3.0"
+        "irregular-plurals": "^4.2.0"
       },
       "engines": {
-        "node": "^12.20.0 || ^14.13.1 || >=16.0.0"
+        "node": ">=20"
       },
       "funding": {
         "url": "https://github.com/sponsors/sindresorhus"
@@ -8109,16 +8128,6 @@
         "url": "https://github.com/sponsors/ljharb"
       }
     },
-    "node_modules/require-directory": {
-      "version": "2.1.1",
-      "resolved": "https://registry.npmjs.org/require-directory/-/require-directory-2.1.1.tgz",
-      "integrity": "sha512-fGxEI7+wsG9xrvdjsrlmL22OMTTiHRwAMroiEeMgq8gzoLC/PQr7RsRDSTLUg/bZAZtF+TVIkHc6/4RIKrui+Q==",
-      "dev": true,
-      "license": "MIT",
-      "engines": {
-        "node": ">=0.10.0"
-      }
-    },
     "node_modules/requireindex": {
       "version": "1.1.0",
       "dev": true,
@@ -8502,16 +8511,16 @@
       }
     },
     "node_modules/sinon": {
-      "version": "22.0.0",
-      "resolved": "https://registry.npmjs.org/sinon/-/sinon-22.0.0.tgz",
-      "integrity": "sha512-sq/6DpdXOrLyfbKlXLg/Usc7xu8YXPeLkOFZRvA3bNUSA2lhbrZ06yuXbH1fkzBPCbz9O10+7hznzUsjaYNm0Q==",
+      "version": "21.1.2",
+      "resolved": "https://registry.npmjs.org/sinon/-/sinon-21.1.2.tgz",
+      "integrity": "sha512-FS6mN+/bx7e2ajpXkEmOcWB6xBzWiuNoAQT18/+a20SS4U7FSYl8Ms7N6VTUxN/1JAjkx7aXp+THMC8xdpp0gA==",
       "dev": true,
       "license": "BSD-3-Clause",
       "dependencies": {
         "@sinonjs/commons": "^3.0.1",
-        "@sinonjs/fake-timers": "^15.4.0",
+        "@sinonjs/fake-timers": "^15.3.2",
         "@sinonjs/samsam": "^10.0.2",
-        "diff": "^9.0.0"
+        "diff": "^8.0.4"
       },
       "funding": {
         "type": "opencollective",
@@ -8532,30 +8541,33 @@
       }
     },
     "node_modules/slice-ansi": {
-      "version": "5.0.0",
-      "resolved": "https://registry.npmjs.org/slice-ansi/-/slice-ansi-5.0.0.tgz",
-      "integrity": "sha512-FC+lgizVPfie0kkhqUScwRu1O/lF6NOgJmlCgK+/LYxDCTk8sGelYaHDhFcDN+Sn3Cv+3VSa4Byeo+IMCzpMgQ==",
+      "version": "8.0.0",
+      "resolved": "https://registry.npmjs.org/slice-ansi/-/slice-ansi-8.0.0.tgz",
+      "integrity": "sha512-stxByr12oeeOyY2BlviTNQlYV5xOj47GirPr4yA1hE9JCtxfQN0+tVbkxwCtYDQWhEKWFHsEK48ORg5jrouCAg==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
-        "ansi-styles": "^6.0.0",
-        "is-fullwidth-code-point": "^4.0.0"
+        "ansi-styles": "^6.2.3",
+        "is-fullwidth-code-point": "^5.1.0"
       },
       "engines": {
-        "node": ">=12"
+        "node": ">=20"
       },
       "funding": {
         "url": "https://github.com/chalk/slice-ansi?sponsor=1"
       }
     },
     "node_modules/slice-ansi/node_modules/is-fullwidth-code-point": {
-      "version": "4.0.0",
-      "resolved": "https://registry.npmjs.org/is-fullwidth-code-point/-/is-fullwidth-code-point-4.0.0.tgz",
-      "integrity": "sha512-O4L094N2/dZ7xqVdrXhh9r1KODPJpFms8B5sGdJLPy664AgvXsreZUyCQQNItZRDlYug4xStLjNp/sz3HvBowQ==",
+      "version": "5.1.0",
+      "resolved": "https://registry.npmjs.org/is-fullwidth-code-point/-/is-fullwidth-code-point-5.1.0.tgz",
+      "integrity": "sha512-5XHYaSyiqADb4RnZ1Bdad6cPp8Toise4TzEjcOYDHZkTCbKgiUl7WTUCpNWHuxmDt91wnsZBc9xinNzopv3JMQ==",
       "dev": true,
       "license": "MIT",
+      "dependencies": {
+        "get-east-asian-width": "^1.3.1"
+      },
       "engines": {
-        "node": ">=12"
+        "node": ">=18"
       },
       "funding": {
         "url": "https://github.com/sponsors/sindresorhus"
@@ -8950,9 +8962,9 @@
       }
     },
     "node_modules/tar": {
-      "version": "7.5.15",
-      "resolved": "https://registry.npmjs.org/tar/-/tar-7.5.15.tgz",
-      "integrity": "sha512-dzGK0boVlC4W5QFuQN1EFSl3bIDYsk7Tj40U6eIBnK2k/8ml7TZ5agbI5j5+qnoVcAA+rNtBml8SEiLxZpNqRQ==",
+      "version": "7.5.11",
+      "resolved": "https://registry.npmjs.org/tar/-/tar-7.5.11.tgz",
+      "integrity": "sha512-ChjMH33/KetonMTAtpYdgUFr0tbz69Fp2v7zWxQfYZX4g5ZN2nOBXm1R2xyA+lMIKrLKIoKAwFj93jE/avX9cQ==",
       "dev": true,
       "license": "BlueOak-1.0.0",
       "dependencies": {
@@ -10092,18 +10104,18 @@
       }
     },
     "node_modules/wrap-ansi": {
-      "version": "7.0.0",
-      "resolved": "https://registry.npmjs.org/wrap-ansi/-/wrap-ansi-7.0.0.tgz",
-      "integrity": "sha512-YVGIj2kamLSTxw6NsZjoBxfSwsn0ycdesmc4p+Q21c5zPuZ1pl+NfxVdxPtdHvmNVOQ6XSYG4AUtyt/Fi7D16Q==",
+      "version": "9.0.2",
+      "resolved": "https://registry.npmjs.org/wrap-ansi/-/wrap-ansi-9.0.2.tgz",
+      "integrity": "sha512-42AtmgqjV+X1VpdOfyTGOYRi0/zsoLqtXQckTmqTeybT+BDIbM/Guxo7x3pE2vtpr1ok6xRqM9OpBe+Jyoqyww==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
-        "ansi-styles": "^4.0.0",
-        "string-width": "^4.1.0",
-        "strip-ansi": "^6.0.0"
+        "ansi-styles": "^6.2.1",
+        "string-width": "^7.0.0",
+        "strip-ansi": "^7.1.0"
       },
       "engines": {
-        "node": ">=10"
+        "node": ">=18"
       },
       "funding": {
         "url": "https://github.com/chalk/wrap-ansi?sponsor=1"
@@ -10142,20 +10154,58 @@
         "url": "https://github.com/chalk/ansi-styles?sponsor=1"
       }
     },
-    "node_modules/wrap-ansi/node_modules/ansi-styles": {
-      "version": "4.3.0",
-      "resolved": "https://registry.npmjs.org/ansi-styles/-/ansi-styles-4.3.0.tgz",
-      "integrity": "sha512-zbB9rCJAT1rbjiVDb2hqKFHNYLxgtk8NURxZ3IZwD3F6NtxbXZQCnnSi1Lkx+IDohdPlFp222wVALIheZJQSEg==",
+    "node_modules/wrap-ansi/node_modules/ansi-regex": {
+      "version": "6.2.2",
+      "resolved": "https://registry.npmjs.org/ansi-regex/-/ansi-regex-6.2.2.tgz",
+      "integrity": "sha512-Bq3SmSpyFHaWjPk8If9yc6svM8c56dB5BAtW4Qbw5jHTwwXXcTLoRMkpDJp6VL0XzlWaCHTXrkFURMYmD0sLqg==",
+      "dev": true,
+      "license": "MIT",
+      "engines": {
+        "node": ">=12"
+      },
+      "funding": {
+        "url": "https://github.com/chalk/ansi-regex?sponsor=1"
+      }
+    },
+    "node_modules/wrap-ansi/node_modules/emoji-regex": {
+      "version": "10.6.0",
+      "resolved": "https://registry.npmjs.org/emoji-regex/-/emoji-regex-10.6.0.tgz",
+      "integrity": "sha512-toUI84YS5YmxW219erniWD0CIVOo46xGKColeNQRgOzDorgBi1v4D71/OFzgD9GO2UGKIv1C3Sp8DAn0+j5w7A==",
+      "dev": true,
+      "license": "MIT"
+    },
+    "node_modules/wrap-ansi/node_modules/string-width": {
+      "version": "7.2.0",
+      "resolved": "https://registry.npmjs.org/string-width/-/string-width-7.2.0.tgz",
+      "integrity": "sha512-tsaTIkKW9b4N+AEj+SVA+WhJzV7/zMhcSu78mLKWSk7cXMOSHsBKFWUs0fWwq8QyK3MgJBQRX6Gbi4kYbdvGkQ==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
-        "color-convert": "^2.0.1"
+        "emoji-regex": "^10.3.0",
+        "get-east-asian-width": "^1.0.0",
+        "strip-ansi": "^7.1.0"
       },
       "engines": {
-        "node": ">=8"
+        "node": ">=18"
       },
       "funding": {
-        "url": "https://github.com/chalk/ansi-styles?sponsor=1"
+        "url": "https://github.com/sponsors/sindresorhus"
+      }
+    },
+    "node_modules/wrap-ansi/node_modules/strip-ansi": {
+      "version": "7.2.0",
+      "resolved": "https://registry.npmjs.org/strip-ansi/-/strip-ansi-7.2.0.tgz",
+      "integrity": "sha512-yDPMNjp4WyfYBkHnjIRLfca1i6KMyGCtsVgoKe/z1+6vukgaENdgGBZt+ZmKPc4gavvEZ5OgHfHdrazhgNyG7w==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "ansi-regex": "^6.2.2"
+      },
+      "engines": {
+        "node": ">=12"
+      },
+      "funding": {
+        "url": "https://github.com/chalk/strip-ansi?sponsor=1"
       }
     },
     "node_modules/wrappy": {
@@ -10163,17 +10213,16 @@
       "license": "ISC"
     },
     "node_modules/write-file-atomic": {
-      "version": "6.0.0",
-      "resolved": "https://registry.npmjs.org/write-file-atomic/-/write-file-atomic-6.0.0.tgz",
-      "integrity": "sha512-GmqrO8WJ1NuzJ2DrziEI2o57jKAVIQNf8a18W3nCYU3H7PNWqCCVTeH6/NQE93CIllIgQS98rrmVkYgTX9fFJQ==",
+      "version": "7.0.1",
+      "resolved": "https://registry.npmjs.org/write-file-atomic/-/write-file-atomic-7.0.1.tgz",
+      "integrity": "sha512-OTIk8iR8/aCRWBqvxrzxR0hgxWpnYBblY1S5hDWBQfk/VFmJwzmJgQFN3WsoUKHISv2eAwe+PpbUzyL1CKTLXg==",
       "dev": true,
       "license": "ISC",
       "dependencies": {
-        "imurmurhash": "^0.1.4",
         "signal-exit": "^4.0.1"
       },
       "engines": {
-        "node": "^18.17.0 || >=20.5.0"
+        "node": "^20.17.0 || >=22.9.0"
       }
     },
     "node_modules/xml-naming": {
@@ -10227,32 +10276,85 @@
       }
     },
     "node_modules/yargs": {
-      "version": "17.7.2",
-      "resolved": "https://registry.npmjs.org/yargs/-/yargs-17.7.2.tgz",
-      "integrity": "sha512-7dSzzRQ++CKnNI/krKnYRV7JKKPUXMEh61soaHKg9mrWEhzFWhFnxPxGl+69cD1Ou63C13NUPCnmIcrvqCuM6w==",
+      "version": "18.0.0",
+      "resolved": "https://registry.npmjs.org/yargs/-/yargs-18.0.0.tgz",
+      "integrity": "sha512-4UEqdc2RYGHZc7Doyqkrqiln3p9X2DZVxaGbwhn2pi7MrRagKaOcIKe8L3OxYcbhXLgLFUS3zAYuQjKBQgmuNg==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
-        "cliui": "^8.0.1",
+        "cliui": "^9.0.1",
         "escalade": "^3.1.1",
         "get-caller-file": "^2.0.5",
-        "require-directory": "^2.1.1",
-        "string-width": "^4.2.3",
+        "string-width": "^7.2.0",
         "y18n": "^5.0.5",
-        "yargs-parser": "^21.1.1"
+        "yargs-parser": "^22.0.0"
       },
       "engines": {
-        "node": ">=12"
+        "node": "^20.19.0 || ^22.12.0 || >=23"
       }
     },
     "node_modules/yargs-parser": {
-      "version": "21.1.1",
-      "resolved": "https://registry.npmjs.org/yargs-parser/-/yargs-parser-21.1.1.tgz",
-      "integrity": "sha512-tVpsJW7DdjecAiFpbIB1e3qxIQsE6NoPc5/eTdrbbIC4h0LVsWhnoa3g+m2HclBIujHzsxZ4VJVA+GUuc2/LBw==",
+      "version": "22.0.0",
+      "resolved": "https://registry.npmjs.org/yargs-parser/-/yargs-parser-22.0.0.tgz",
+      "integrity": "sha512-rwu/ClNdSMpkSrUb+d6BRsSkLUq1fmfsY6TOpYzTwvwkg1/NRG85KBy3kq++A8LKQwX6lsu+aWad+2khvuXrqw==",
       "dev": true,
       "license": "ISC",
+      "engines": {
+        "node": "^20.19.0 || ^22.12.0 || >=23"
+      }
+    },
+    "node_modules/yargs/node_modules/ansi-regex": {
+      "version": "6.2.2",
+      "resolved": "https://registry.npmjs.org/ansi-regex/-/ansi-regex-6.2.2.tgz",
+      "integrity": "sha512-Bq3SmSpyFHaWjPk8If9yc6svM8c56dB5BAtW4Qbw5jHTwwXXcTLoRMkpDJp6VL0XzlWaCHTXrkFURMYmD0sLqg==",
+      "dev": true,
+      "license": "MIT",
       "engines": {
         "node": ">=12"
+      },
+      "funding": {
+        "url": "https://github.com/chalk/ansi-regex?sponsor=1"
+      }
+    },
+    "node_modules/yargs/node_modules/emoji-regex": {
+      "version": "10.6.0",
+      "resolved": "https://registry.npmjs.org/emoji-regex/-/emoji-regex-10.6.0.tgz",
+      "integrity": "sha512-toUI84YS5YmxW219erniWD0CIVOo46xGKColeNQRgOzDorgBi1v4D71/OFzgD9GO2UGKIv1C3Sp8DAn0+j5w7A==",
+      "dev": true,
+      "license": "MIT"
+    },
+    "node_modules/yargs/node_modules/string-width": {
+      "version": "7.2.0",
+      "resolved": "https://registry.npmjs.org/string-width/-/string-width-7.2.0.tgz",
+      "integrity": "sha512-tsaTIkKW9b4N+AEj+SVA+WhJzV7/zMhcSu78mLKWSk7cXMOSHsBKFWUs0fWwq8QyK3MgJBQRX6Gbi4kYbdvGkQ==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "emoji-regex": "^10.3.0",
+        "get-east-asian-width": "^1.0.0",
+        "strip-ansi": "^7.1.0"
+      },
+      "engines": {
+        "node": ">=18"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/sindresorhus"
+      }
+    },
+    "node_modules/yargs/node_modules/strip-ansi": {
+      "version": "7.2.0",
+      "resolved": "https://registry.npmjs.org/strip-ansi/-/strip-ansi-7.2.0.tgz",
+      "integrity": "sha512-yDPMNjp4WyfYBkHnjIRLfca1i6KMyGCtsVgoKe/z1+6vukgaENdgGBZt+ZmKPc4gavvEZ5OgHfHdrazhgNyG7w==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "ansi-regex": "^6.2.2"
+      },
+      "engines": {
+        "node": ">=12"
+      },
+      "funding": {
+        "url": "https://github.com/chalk/strip-ansi?sponsor=1"
       }
     },
     "node_modules/yocto-queue": {

package.json

@@ -1,6 +1,6 @@
 {
   "name": "codeql",
-  "version": "4.36.0",
+  "version": "4.35.5",
   "private": true,
   "description": "CodeQL action",
   "scripts": {
@@ -12,8 +12,7 @@
     "ava": "npm run transpile && ava --verbose",
     "test": "npm run ava -- src/",
     "test-debug": "npm run test -- --timeout=20m",
-    "transpile": "tsc --build --verbose tsconfig.json",
-    "update-pr-checks": "./pr-checks/sync.sh"
+    "transpile": "tsc --build --verbose tsconfig.json"
   },
   "license": "MIT",
   "workspaces": [
@@ -44,7 +43,7 @@
     "uuid": "^14.0.0"
   },
   "devDependencies": {
-    "@ava/typescript": "6.0.0",
+    "@ava/typescript": "7.0.0",
     "@eslint/compat": "^2.0.5",
     "@microsoft/eslint-formatter-sarif": "^3.1.0",
     "@octokit/types": "^16.0.0",
@@ -56,7 +55,7 @@
     "@types/sarif": "^2.1.7",
     "@types/semver": "^7.7.1",
     "@types/sinon": "^21.0.1",
-    "ava": "^6.4.1",
+    "ava": "^7.0.0",
     "esbuild": "^0.28.0",
     "eslint": "^9.39.4",
     "eslint-import-resolver-typescript": "^4.4.4",
@@ -67,7 +66,7 @@
     "glob": "^11.1.0",
     "globals": "^17.6.0",
     "nock": "^14.0.12",
-    "sinon": "^22.0.0",
+    "sinon": "^21.1.2",
     "typescript": "^6.0.3",
     "typescript-eslint": "^8.59.2"
   },

pr-checks/check-repo-size.test.ts

@@ -1,259 +0,0 @@
-#!/usr/bin/env npx tsx
-
-/*
-Tests for check-repo-size.ts.
-*/
-
-import * as assert from "node:assert/strict";
-import { execFileSync } from "node:child_process";
-import { randomBytes } from "node:crypto";
-import * as fs from "node:fs";
-import * as os from "node:os";
-import * as path from "node:path";
-import { afterEach, beforeEach, describe, it } from "node:test";
-
-import {
-  COMMENT_MARKER,
-  DEFAULT_BASE_REF,
-  buildCommentBody,
-  formatBytes,
-  formatPercent,
-  isDeltaSignificant,
-  measureArchiveSize,
-  readArgs,
-} from "./check-repo-size";
-
-describe("formatBytes", async () => {
-  const cases: Array<[number, boolean, string]> = [
-    // Unsigned values, including sub-KiB amounts which round to 0.00.
-    [0, false, "0.00 KiB"],
-    [512, false, "0.50 KiB"],
-    [1024, false, "1.00 KiB"],
-    [1024 * 1024, false, "1024.00 KiB"],
-    [2 * 1024 * 1024, false, "2048.00 KiB"],
-    // Negative values always use a leading minus.
-    [-2 * 1024 * 1024, false, "-2048.00 KiB"],
-    // signed=true prepends a + to non-negative values.
-    [0, true, "+0.00 KiB"],
-    [2 * 1024 * 1024, true, "+2048.00 KiB"],
-    [-2 * 1024 * 1024, true, "-2048.00 KiB"],
-  ];
-  for (const [bytes, signed, expected] of cases) {
-    await it(`formats ${bytes} (signed=${signed}) as ${expected}`, () => {
-      assert.equal(formatBytes(bytes, signed), expected);
-    });
-  }
-});
-
-describe("formatPercent", async () => {
-  await it("formats positive fractions with a leading +", () => {
-    assert.equal(formatPercent(0.1), "+10.00%");
-    assert.equal(formatPercent(0.0123), "+1.23%");
-  });
-
-  await it("formats negative fractions with a leading -", () => {
-    assert.equal(formatPercent(-0.1), "-10.00%");
-  });
-
-  await it("formats zero without a sign", () => {
-    assert.equal(formatPercent(0), "0.00%");
-  });
-});
-
-describe("isDeltaSignificant", async () => {
-  const cases: Array<[number, number, number, boolean]> = [
-    // At and above threshold (both signs).
-    [100, 1000, 0.1, true],
-    [101, 1000, 0.1, true],
-    [-100, 1000, 0.1, true],
-    // Below threshold (both signs, plus exact zero).
-    [99, 1000, 0.1, false],
-    [-99, 1000, 0.1, false],
-    [0, 1000, 0.1, false],
-  ];
-  for (const [delta, base, fraction, expected] of cases) {
-    await it(`returns ${expected} for delta=${delta}, base=${base}, fraction=${fraction}`, () => {
-      assert.equal(isDeltaSignificant(delta, base, fraction), expected);
-    });
-  }
-});
-
-describe("buildCommentBody", async () => {
-  await it("includes the marker, the base/PR/delta rows, and the run URL", () => {
-    const body = buildCommentBody({
-      baseRef: "main",
-      baseSize: 2_000_000,
-      prSize: 2_300_000,
-      runUrl: "https://example.test/run",
-    });
-
-    assert.match(body, new RegExp(`^${escapeRegExp(COMMENT_MARKER)}`));
-    assert.match(body, /Base \(`main`\) \| 1953\.13 KiB \(2000000 bytes\)/);
-    assert.match(body, /This PR \| 2246\.09 KiB \(2300000 bytes\)/);
-    assert.match(
-      body,
-      /\*\*Delta\*\* \| \*\*\+292\.97 KiB \(\+300000 bytes, \+15\.00%\)\*\*/,
-    );
-    assert.match(body, /\[workflow run\]\(https:\/\/example\.test\/run\)/);
-  });
-
-  await it("formats negative deltas with a leading minus and omits the run URL when missing", () => {
-    const body = buildCommentBody({
-      baseRef: "main",
-      baseSize: 2_000_000,
-      prSize: 1_800_000,
-    });
-    assert.match(
-      body,
-      /\*\*Delta\*\* \| \*\*-195\.31 KiB \(-200000 bytes, -10\.00%\)\*\*/,
-    );
-    assert.doesNotMatch(body, /workflow run/);
-  });
-});
-
-describe("readArgs", async () => {
-  await it("defaults the base ref and head commit for local runs", () => {
-    const originalEnv = process.env;
-    const originalArgv = process.argv;
-
-    try {
-      process.env = {};
-      process.argv = ["node", "check-repo-size.ts", "--output-dir", "/tmp/out"];
-
-      const args = readArgs();
-
-      assert.equal(args.baseRef, DEFAULT_BASE_REF);
-      assert.equal(args.baseCommitish, `origin/${DEFAULT_BASE_REF}`);
-      assert.equal(args.headCommitish, "HEAD");
-      assert.equal(args.outputDir, "/tmp/out");
-      assert.equal(args.runUrl, undefined);
-    } finally {
-      process.env = originalEnv;
-      process.argv = originalArgv;
-    }
-  });
-
-  await it("uses the base and head SHAs when provided by the workflow", () => {
-    const originalEnv = process.env;
-    const originalArgv = process.argv;
-
-    try {
-      process.env = {
-        BASE_REF: "main",
-        BASE_SHA: "abc123",
-        HEAD_SHA: "def456",
-        RUN_URL: "https://example.test/run",
-      };
-      process.argv = ["node", "check-repo-size.ts", "--output-dir", "/tmp/out"];
-
-      const args = readArgs();
-
-      assert.equal(args.baseRef, "main");
-      assert.equal(args.baseCommitish, "abc123");
-      assert.equal(args.headCommitish, "def456");
-      assert.equal(args.outputDir, "/tmp/out");
-      assert.equal(args.runUrl, "https://example.test/run");
-    } finally {
-      process.env = originalEnv;
-      process.argv = originalArgv;
-    }
-  });
-
-  await it("throws when --output-dir is missing", () => {
-    const originalEnv = process.env;
-    const originalArgv = process.argv;
-
-    try {
-      process.env = {};
-      process.argv = ["node", "check-repo-size.ts"];
-      assert.throws(() => readArgs(), /--output-dir is required/);
-    } finally {
-      process.env = originalEnv;
-      process.argv = originalArgv;
-    }
-  });
-});
-
-let repoDir: string;
-
-beforeEach(() => {
-  repoDir = fs.mkdtempSync(path.join(os.tmpdir(), "check-repo-size-test-"));
-  execFileSync("git", ["init", "--initial-branch=main", "-q"], {
-    cwd: repoDir,
-  });
-  execFileSync("git", ["config", "user.email", "test@example.test"], {
-    cwd: repoDir,
-  });
-  execFileSync("git", ["config", "user.name", "Test"], { cwd: repoDir });
-  execFileSync("git", ["config", "commit.gpgsign", "false"], { cwd: repoDir });
-});
-
-afterEach(() => {
-  fs.rmSync(repoDir, { recursive: true, force: true });
-});
-
-function commit(name: string, content: string, message: string) {
-  fs.writeFileSync(path.join(repoDir, name), content);
-  execFileSync("git", ["add", name], { cwd: repoDir });
-  execFileSync("git", ["commit", "-q", "-m", message], { cwd: repoDir });
-}
-
-describe("measureArchiveSize", async () => {
-  await it("returns a positive byte count for a non-empty repo", async () => {
-    commit("a.txt", "hello world\n", "first");
-    const size = await measureArchiveSize("HEAD", repoDir);
-    assert.ok(size > 0, `expected size > 0, got ${size}`);
-  });
-
-  await it("returns the same size on repeated runs (deterministic)", async () => {
-    commit("a.txt", "hello world\n", "first");
-    const a = await measureArchiveSize("HEAD", repoDir);
-    const b = await measureArchiveSize("HEAD", repoDir);
-    assert.equal(a, b);
-  });
-
-  await it("returns a larger size when more content is added", async () => {
-    commit("a.txt", "hello world\n", "first");
-    const small = await measureArchiveSize("HEAD", repoDir);
-
-    // Use random bytes so the new content is incompressible and the archive
-    // is guaranteed to grow even after gzip.
-    commit("b.bin", randomBytes(8192).toString("base64"), "second");
-    const big = await measureArchiveSize("HEAD", repoDir);
-    assert.ok(
-      big > small,
-      `expected ${big} > ${small} after adding more content`,
-    );
-  });
-
-  await it("ignores untracked files (e.g. node_modules)", async () => {
-    commit("a.txt", "hello\n", "first");
-    commit(".gitignore", "node_modules/\n", "ignore node_modules");
-    const sizeBefore = await measureArchiveSize("HEAD", repoDir);
-
-    fs.mkdirSync(path.join(repoDir, "node_modules"));
-    fs.writeFileSync(
-      path.join(repoDir, "node_modules", "huge.bin"),
-      "x".repeat(1_000_000),
-    );
-
-    const sizeAfter = await measureArchiveSize("HEAD", repoDir);
-    assert.equal(
-      sizeAfter,
-      sizeBefore,
-      "untracked node_modules should not affect the archive size",
-    );
-  });
-
-  await it("rejects when the ref does not exist", async () => {
-    commit("a.txt", "hello\n", "first");
-    await assert.rejects(
-      () => measureArchiveSize("does-not-exist", repoDir),
-      /git archive does-not-exist exited with code/,
-    );
-  });
-});
-
-function escapeRegExp(s: string): string {
-  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
-}

pr-checks/check-repo-size.ts

@@ -1,223 +0,0 @@
-#!/usr/bin/env npx tsx
-
-/*
-Measures the difference in the `.tar.gz`'d checkout size of the repo between the PR head and the PR
-base. This size is relevant because it corresponds to the duration of the "Download action
-repository" step that happens at the start of every job that uses this Action.
-
-Writes the candidate sticky-comment body and a small metadata file to `--output-dir`. A separate
-workflow job consumes those artifacts and decides whether to create or update a PR comment.
-*/
-
-import { spawn } from "node:child_process";
-import * as fs from "node:fs";
-import * as path from "node:path";
-import { parseArgs } from "node:util";
-
-import { REPO_ROOT } from "./config";
-
-/** Hidden marker used to find the existing sticky comment on a PR. */
-export const COMMENT_MARKER = "<!-- repo-size-diff-bot -->";
-
-export const DEFAULT_BASE_REF = "main";
-
-/**
- * Fraction of the base archive size at which a delta is considered significant enough to warrant
- * a new sticky comment. We always update an existing comment regardless, so the comment stays in
- * sync as the diff evolves.
- */
-export const SIGNIFICANT_DELTA_FRACTION = 0.1;
-
-/**
- * Stream `git archive --format=tar.gz <ref>` and count the compressed bytes.
- *
- * `git archive` only includes tracked files, so untracked directories like `node_modules` and
- * `build` aren't counted in the size downloaded when starting up a CodeQL job.
- */
-export async function measureArchiveSize(
-  ref: string,
-  cwd: string,
-): Promise<number> {
-  const git = spawn("git", ["archive", "--format=tar.gz", ref], { cwd });
-
-  let stderr = "";
-  git.stderr.on("data", (chunk: Buffer) => {
-    stderr += chunk.toString();
-  });
-
-  let size = 0;
-  git.stdout.on("data", (chunk: Buffer) => {
-    size += chunk.length;
-  });
-
-  const exitCode = await new Promise<number>((resolve, reject) => {
-    git.on("error", reject);
-    git.on("close", resolve);
-  });
-
-  if (exitCode !== 0) {
-    throw new Error(
-      `git archive ${ref} exited with code ${exitCode}: ${stderr.trim()}`,
-    );
-  }
-  return size;
-}
-
-/**
- * Format a byte count as KiB. If `signed` is true, a leading `+` is prepended for non-negative
- * values so gains and losses are visually distinct.
- */
-export function formatBytes(bytes: number, signed = false): string {
-  const sign = bytes < 0 ? "-" : signed ? "+" : "";
-  const kib = Math.abs(bytes) / 1024;
-  return `${sign}${kib.toFixed(2)} KiB`;
-}
-
-/** Format a fraction as a signed percentage with 2 decimal places. */
-export function formatPercent(fraction: number): string {
-  const pct = fraction * 100;
-  const sign = pct > 0 ? "+" : "";
-  return `${sign}${pct.toFixed(2)}%`;
-}
-
-export interface CommentBodyOptions {
-  baseRef: string;
-  baseSize: number;
-  prSize: number;
-  /** Optional URL of the workflow run, included in the comment footer. */
-  runUrl?: string;
-}
-
-export function buildCommentBody(opts: CommentBodyOptions): string {
-  const { baseRef, baseSize, prSize, runUrl } = opts;
-  const delta = prSize - baseSize;
-  const signedDelta = delta >= 0 ? `+${delta}` : `${delta}`;
-  const runUrlLine = runUrl
-    ? ` See the [workflow run](${runUrl}) for details.`
-    : "";
-
-  return [
-    COMMENT_MARKER,
-    "### Repository checkout size",
-    "",
-    "| | Compressed archive size |",
-    "|---|---|",
-    `| Base (\`${baseRef}\`) | ${formatBytes(baseSize)} (${baseSize} bytes) |`,
-    `| This PR | ${formatBytes(prSize)} (${prSize} bytes) |`,
-    `| **Delta** | **${formatBytes(delta, true)} (${signedDelta} bytes, ${formatPercent(delta / baseSize)})** |`,
-    "",
-    "Sizes are measured by streaming `git archive --format=tar.gz <ref>`, " +
-      "which includes tracked files and excludes untracked files such as " +
-      "`node_modules`. The compressed checkout is " +
-      "downloaded by every consumer of this Action, so changes here directly " +
-      `affect Action download time.${runUrlLine}`,
-  ].join("\n");
-}
-
-/**
- * Returns true when the absolute delta is at least `fraction` of the base size. Both increases and
- * decreases are considered significant, so we report wins as well as losses.
- */
-export function isDeltaSignificant(
-  delta: number,
-  baseSize: number,
-  fraction: number,
-): boolean {
-  return Math.abs(delta) >= baseSize * fraction;
-}
-
-interface MainArgs {
-  /** Base ref of the PR. Defaults to `main`. Used as the label in the PR comment. */
-  baseRef: string;
-  /** Base commit-ish to archive. Defaults to `origin/<baseRef>` for local runs. */
-  baseCommitish: string;
-  /** Head commit-ish to archive. Defaults to `HEAD` for local runs. */
-  headCommitish: string;
-  /** Optional URL of the workflow run, surfaced in the comment footer. */
-  runUrl?: string;
-  /** Directory where `body.md` and `metadata.json` are written. */
-  outputDir: string;
-}
-
-export function readArgs(): MainArgs {
-  const { values } = parseArgs({
-    options: {
-      "output-dir": { type: "string" },
-    },
-    strict: true,
-  });
-
-  const outputDir = values["output-dir"];
-  if (!outputDir) {
-    throw new Error("--output-dir is required");
-  }
-
-  const baseRef = process.env.BASE_REF ?? DEFAULT_BASE_REF;
-  const baseCommitish = process.env.BASE_SHA ?? `origin/${baseRef}`;
-  const headCommitish = process.env.HEAD_SHA ?? "HEAD";
-
-  return {
-    baseRef,
-    baseCommitish,
-    headCommitish,
-    runUrl: process.env.RUN_URL,
-    outputDir,
-  };
-}
-
-async function main(): Promise<number> {
-  const args = readArgs();
-
-  console.log(`Measuring base archive size for ${args.baseCommitish}...`);
-  const baseSize = await measureArchiveSize(args.baseCommitish, REPO_ROOT);
-  console.log(`  ${baseSize} bytes`);
-
-  console.log(`Measuring PR archive size for ${args.headCommitish}...`);
-  const prSize = await measureArchiveSize(args.headCommitish, REPO_ROOT);
-  console.log(`  ${prSize} bytes`);
-
-  const delta = prSize - baseSize;
-  const significant = isDeltaSignificant(
-    delta,
-    baseSize,
-    SIGNIFICANT_DELTA_FRACTION,
-  );
-  console.log(
-    `Delta: ${delta} bytes (significant=${significant}, threshold=${(
-      SIGNIFICANT_DELTA_FRACTION * 100
-    ).toFixed(2)}%)`,
-  );
-
-  const body = buildCommentBody({
-    baseRef: args.baseRef,
-    baseSize,
-    prSize,
-    runUrl: args.runUrl,
-  });
-
-  fs.mkdirSync(args.outputDir, { recursive: true });
-  fs.writeFileSync(path.join(args.outputDir, "body.md"), body);
-  fs.writeFileSync(
-    path.join(args.outputDir, "metadata.json"),
-    `${JSON.stringify(
-      { significant, baseRef: args.baseRef, baseSize, prSize, delta },
-      null,
-      2,
-    )}\n`,
-  );
-  console.log(`Wrote body.md and metadata.json to ${args.outputDir}.`);
-  return 0;
-}
-
-async function run(): Promise<void> {
-  try {
-    process.exit(await main());
-  } catch (err) {
-    console.error(err instanceof Error ? err.message : String(err));
-    process.exit(1);
-  }
-}
-
-if (require.main === module) {
-  void run();
-}

pr-checks/checks/multi-language-autodetect.yml

@@ -2,8 +2,7 @@ name: "Multi-language repository"
 description: "An end-to-end integration test of a multi-language repository using automatic language detection"
 operatingSystems:
   - ubuntu
-  - os: macos
-    runner-image: macos-latest-xlarge
+  - macos
 env:
   CODEQL_ACTION_RESOLVE_SUPPORTED_LANGUAGES_USING_CLI: true
 installGo: true

pr-checks/checks/rust.yml

@@ -2,7 +2,7 @@ name: "Rust analysis"
 description: "Tests creation of a Rust database"
 versions:
   # experimental rust support introduced, requires action to set `CODEQL_ENABLE_EXPERIMENTAL_FEATURES`
-  - stable-v2.19.4
+  - stable-v2.19.3
   # first public preview version
   - stable-v2.22.1
   - linked

pr-checks/checks/swift-autobuild.yml

@@ -3,8 +3,7 @@ description: "Tests creation of a Swift database using autobuild"
 versions:
   - nightly-latest
 operatingSystems:
-  - os: macos
-    runner-image: macos-latest-xlarge
+  - macos
 steps:
   - uses: ./../action/init
     id: init

pr-checks/config.ts

@@ -6,17 +6,14 @@ export const OLDEST_SUPPORTED_MAJOR_VERSION = 3;
 /** The `pr-checks` directory. */
 export const PR_CHECKS_DIR = __dirname;
 
-/** The repository root. */
-export const REPO_ROOT = path.join(PR_CHECKS_DIR, "..");
-
 /** The path of the file configuring which checks shouldn't be required. */
 export const PR_CHECK_EXCLUDED_FILE = path.join(PR_CHECKS_DIR, "excluded.yml");
 
 /** The path to the esbuild metadata file. */
-export const BUNDLE_METADATA_FILE = path.join(REPO_ROOT, "meta.json");
+export const BUNDLE_METADATA_FILE = path.join(PR_CHECKS_DIR, "..", "meta.json");
 
 /** The `src` directory. */
-const SOURCE_ROOT = path.join(REPO_ROOT, "src");
+const SOURCE_ROOT = path.join(PR_CHECKS_DIR, "..", "src");
 
 /** The path to the built-in languages file. */
 export const BUILTIN_LANGUAGES_FILE = path.join(

pr-checks/excluded.yml

@@ -1,17 +1,16 @@
 # PR checks to exclude from required checks
 contains:
-  - "ESLint"
   - "https://"
-  - "test-setup-python-scripts"
-  - "update"
   - "Update"
+  - "ESLint"
+  - "update"
+  - "test-setup-python-scripts"
 is:
-  - "Agent"
-  - "check-expected-release-files"
-  - "Cleanup artifacts"
   - "CodeQL"
   - "Dependabot"
-  - "Label PR with size"
-  - "Post repo size comment"
+  - "check-expected-release-files"
+  - "Agent"
+  - "Cleanup artifacts"
   - "Prepare"
   - "Upload results"
+  - "Label PR with size"

pr-checks/sync-checks.test.ts

@@ -7,13 +7,7 @@ Tests for the sync-checks.ts script
 import * as assert from "node:assert/strict";
 import { describe, it } from "node:test";
 
-import {
-  CheckInfo,
-  Exclusions,
-  Options,
-  removeExcluded,
-  resolveToken,
-} from "./sync-checks";
+import { CheckInfo, Exclusions, Options, removeExcluded } from "./sync-checks";
 
 const defaultOptions: Options = {
   apply: false,
@@ -64,46 +58,3 @@ describe("removeExcluded", async () => {
     assert.deepEqual(retained, expectedExactMatches);
   });
 });
-
-describe("resolveToken", async () => {
-  await it("reads the token from standard input", async () => {
-    const token = await resolveToken(
-      { tokenStdin: true },
-      { env: {}, readStdin: async () => " stdin-token\n" },
-    );
-    assert.equal(token, "stdin-token");
-  });
-
-  await it("reads the token from the GH_TOKEN environment variable", async () => {
-    const token = await resolveToken(
-      {},
-      { env: { GH_TOKEN: "env-token" }, readStdin: async () => "" },
-    );
-    assert.equal(token, "env-token");
-  });
-
-  await it("reads the token from the GITHUB_TOKEN environment variable", async () => {
-    const token = await resolveToken(
-      {},
-      { env: { GITHUB_TOKEN: "env-token" }, readStdin: async () => "" },
-    );
-    assert.equal(token, "env-token");
-  });
-
-  await it("rejects an empty standard input token", async () => {
-    await assert.rejects(
-      resolveToken(
-        { tokenStdin: true },
-        { env: {}, readStdin: async () => "\n" },
-      ),
-      /No token received on standard input/,
-    );
-  });
-
-  await it("rejects missing token sources", async () => {
-    await assert.rejects(
-      resolveToken({}, { env: {}, readStdin: async () => "" }),
-      /Missing authentication token/,
-    );
-  });
-});

pr-checks/sync-checks.ts

@@ -15,8 +15,8 @@ import {
 
 /** Represents the command-line options. */
 export interface Options {
-  /** Whether to read the GitHub API token from standard input. */
-  tokenStdin?: boolean;
+  /** The token to use to authenticate to the GitHub API. */
+  token?: string;
   /** The git ref to use the checks for. */
   ref?: string;
   /** Whether to actually apply the changes or not. */
@@ -31,65 +31,6 @@ const codeqlActionRepo = {
   repo: "codeql-action",
 };
 
-/** Environment variables to check for a GitHub API token. */
-const TOKEN_ENVIRONMENT_VARIABLES = ["GH_TOKEN", "GITHUB_TOKEN"];
-
-/** Represents the sources from which we can retrieve the GitHub API token. */
-interface TokenSource {
-  /** Environment variables to inspect. */
-  env: NodeJS.ProcessEnv;
-  /** Reads a token from standard input. */
-  readStdin: () => Promise<string>;
-}
-
-/** Reads the GitHub API token from standard input. */
-async function readTokenFromStdin(): Promise<string> {
-  let token = "";
-  process.stdin.setEncoding("utf8");
-  for await (const chunk of process.stdin) {
-    token += chunk;
-  }
-  return token.trim();
-}
-
-/** Gets a GitHub API token from one of the supported environment variables. */
-function getTokenFromEnvironment(env: NodeJS.ProcessEnv): string | undefined {
-  for (const variableName of TOKEN_ENVIRONMENT_VARIABLES) {
-    const token = env[variableName]?.trim();
-    if (token) {
-      return token;
-    }
-  }
-  return undefined;
-}
-
-/** Gets the token to use to authenticate to the GitHub API. */
-export async function resolveToken(
-  options: Pick<Options, "tokenStdin">,
-  tokenSource: TokenSource = {
-    env: process.env,
-    readStdin: readTokenFromStdin,
-  },
-): Promise<string> {
-  if (options.tokenStdin) {
-    const token = (await tokenSource.readStdin()).trim();
-    if (token.length === 0) {
-      throw new Error("No token received on standard input.");
-    }
-    return token;
-  }
-
-  const environmentToken = getTokenFromEnvironment(tokenSource.env);
-  if (environmentToken !== undefined) {
-    return environmentToken;
-  }
-
-  throw new Error(
-    "Missing authentication token. Set GH_TOKEN/GITHUB_TOKEN or pipe a token " +
-      "to --token-stdin.",
-  );
-}
-
 /** Represents a configuration of which checks should not be set up as required checks. */
 export interface Exclusions {
   /** A list of strings that, if contained in a check name, are excluded. */
@@ -264,10 +205,9 @@ async function updateBranch(
 async function main(): Promise<void> {
   const { values: options } = parseArgs({
     options: {
-      // Read the token to use to authenticate to the API from standard input.
-      "token-stdin": {
-        type: "boolean",
-        default: false,
+      // The token to use to authenticate to the API.
+      token: {
+        type: "string",
       },
       // The git ref for which to retrieve the check runs.
       ref: {
@@ -288,16 +228,16 @@ async function main(): Promise<void> {
     strict: true,
   });
 
-  const token = await resolveToken({
-    tokenStdin: options["token-stdin"],
-  });
+  if (options.token === undefined) {
+    throw new Error("Missing --token");
+  }
 
   console.info(
     `Oldest supported major version is: ${OLDEST_SUPPORTED_MAJOR_VERSION}`,
   );
 
   // Initialise the API client.
-  const client = getApiClient(token);
+  const client = getApiClient(options.token);
 
   // Find the check runs for the specified `ref` that we will later set as the required checks
   // for the main and release branches.

pr-checks/sync.ts

@@ -28,24 +28,6 @@ interface WorkflowInput {
 /** A partial mapping from known input names to input definitions. */
 type WorkflowInputs = Partial<Record<KnownInputName, WorkflowInput>>;
 
-/** An operating system identifier. */
-type OperatingSystemIdentifier = "ubuntu" | "macos" | "windows";
-
-/**
- * Represents an operating system matrix entry for a generated PR check workflow.
- *
- * Either a string containing the OS identifier or an object containing the OS identifier and an
- * optional runner image label.
- */
-type OperatingSystem =
-  | OperatingSystemIdentifier
-  | {
-      /** OS identifier. */
-      os: OperatingSystemIdentifier;
-      /** Optional runner image label. */
-      "runner-image"?: string;
-    };
-
 /**
  * Represents PR check specifications.
  */
@@ -54,8 +36,8 @@ interface Specification extends JobSpecification {
   inputs?: Record<string, WorkflowInput>;
   /** CodeQL bundle versions to test against. Defaults to `DEFAULT_TEST_VERSIONS`. */
   versions?: string[];
-  /** Operating system prefixes, either as strings or with explicit runner image labels. */
-  operatingSystems?: OperatingSystem[];
+  /** Operating system prefixes used to select runner images (e.g. `["ubuntu", "macos"]`). */
+  operatingSystems?: string[];
   /** Per-OS version overrides. If specified for an OS, only those versions are tested on that OS. */
   osCodeQlVersions?: Record<string, string[]>;
   /** Whether to use the all-platform CodeQL bundle. */
@@ -115,6 +97,10 @@ type LanguageSetups = Partial<Record<BuiltInLanguage, LanguageSetup>>;
 // The default set of CodeQL Bundle versions to use for the PR checks.
 const defaultTestVersions = [
   // The oldest supported CodeQL version. If bumping, update `CODEQL_MINIMUM_VERSION` in `codeql.ts`
+  "stable-v2.17.6",
+  // The last CodeQL release in the 2.18 series.
+  "stable-v2.18.4",
+  // The last CodeQL release in the 2.19 series.
   "stable-v2.19.4",
   // The last CodeQL release in the 2.20 series.
   "stable-v2.20.7",
@@ -122,10 +108,6 @@ const defaultTestVersions = [
   "stable-v2.21.4",
   // The last CodeQL release in the 2.22 series.
   "stable-v2.22.4",
-  // The last CodeQL release in the 2.23 series.
-  "stable-v2.23.9",
-  // The last CodeQL release in the 2.24 series.
-  "stable-v2.24.3",
   // The default version of CodeQL for Dotcom, as determined by feature flags.
   "default",
   // The version of CodeQL shipped with the Action in `defaults.json`. During the release process
@@ -329,19 +311,10 @@ function generateJobMatrix(
       );
     }
 
-    const defaultRunnerImages = [
-      "ubuntu-latest",
-      "macos-latest",
-      "windows-latest",
-    ];
+    const runnerImages = ["ubuntu-latest", "macos-latest", "windows-latest"];
     const operatingSystems = checkSpecification.operatingSystems ?? ["ubuntu"];
 
-    for (const operatingSystemConfig of operatingSystems) {
-      const operatingSystem =
-        typeof operatingSystemConfig === "string"
-          ? operatingSystemConfig
-          : operatingSystemConfig.os;
-
+    for (const operatingSystem of operatingSystems) {
       // If osCodeQlVersions is set for this OS, only include the specified CodeQL versions.
       const allowedVersions =
         checkSpecification.osCodeQlVersions?.[operatingSystem];
@@ -349,13 +322,9 @@ function generateJobMatrix(
         continue;
       }
 
-      const runnerImagesForOs =
-        typeof operatingSystemConfig === "string" ||
-        operatingSystemConfig["runner-image"] === undefined
-          ? defaultRunnerImages.filter((image) =>
-              image.startsWith(operatingSystem),
-            )
-          : [operatingSystemConfig["runner-image"]];
+      const runnerImagesForOs = runnerImages.filter((image) =>
+        image.startsWith(operatingSystem),
+      );
 
       for (const runnerImage of runnerImagesForOs) {
         matrix.push({

queries/default-setup-environment-variables.ql

@@ -43,7 +43,6 @@ predicate envVarRead(DataFlow::Node node, string envVar) {
 from DataFlow::Node read, string envVar
 where
   envVarRead(read, envVar) and
-  read.getFile().getRelativePath().matches("src/%") and
   not read.getFile().getBaseName().matches("%.test.ts") and
   not isSafeForDefaultSetup(envVar)
 select read,

resolve-environment/action.yml

@@ -22,4 +22,4 @@ outputs:
     description: The inferred build environment configuration.
 runs:
   using: node24
-  main: '../lib/resolve-environment-entry.js'
+  main: '../lib/resolve-environment-action.js'

setup-codeql/action.yml

@@ -55,4 +55,4 @@ outputs:
     description: The version of the CodeQL binary that was installed.
 runs:
   using: node24
-  main: '../lib/setup-codeql-entry.js'
+  main: '../lib/setup-codeql-action.js'

src/action-entry.js.tpl

@@ -1,4 +0,0 @@
-"use strict";
-
-const import_entry_points = require("./entry-points");
-void (0, import_entry_points.run__ACTION__)();

src/analyses.test.ts

@@ -16,12 +16,7 @@ import {
 } from "./analyses";
 import { EnvVar } from "./environment";
 import { getRunnerLogger } from "./logging";
-import {
-  createFeatures,
-  RecordingLogger,
-  setupBaseActionsVars,
-  setupTests,
-} from "./testing-utils";
+import { createFeatures, RecordingLogger, setupTests } from "./testing-utils";
 import { AssessmentPayload } from "./upload-lib/types";
 import { ConfigurationError } from "./util";
 
@@ -77,7 +72,6 @@ test.serial(
 test.serial(
   "getAnalysisKinds - only use `code-scanning` for multiple analysis kinds outside of test mode",
   async (t) => {
-    setupBaseActionsVars();
     process.env[EnvVar.TEST_MODE] = "false";
     const features = createFeatures([]);
     const logger = new RecordingLogger();
@@ -95,40 +89,6 @@ test.serial(
   },
 );
 
-test.serial(
-  "getAnalysisKinds - logs error for non-default `analysis-kinds` in custom workflow",
-  async (t) => {
-    setupBaseActionsVars({ GITHUB_EVENT_NAME: "push" });
-    process.env[EnvVar.TEST_MODE] = "false";
-    const features = createFeatures([]);
-    const logger = new RecordingLogger();
-    const requiredInputStub = sinon.stub(actionsUtil, "getRequiredInput");
-    requiredInputStub.withArgs("analysis-kinds").returns("code-quality");
-    const result = await getAnalysisKinds(logger, features, true);
-    t.deepEqual(result, [AnalysisKind.CodeQuality]);
-    t.assert(
-      logger.hasMessage(
-        "An analysis kind other than `code-scanning` was specified in a custom workflow.",
-      ),
-    );
-  },
-);
-
-test.serial(
-  "getAnalysisKinds - no error for non-default `analysis-kinds` in managed workflow",
-  async (t) => {
-    setupBaseActionsVars({ GITHUB_EVENT_NAME: "dynamic" });
-    process.env[EnvVar.TEST_MODE] = "false";
-    const features = createFeatures([]);
-    const logger = new RecordingLogger();
-    const requiredInputStub = sinon.stub(actionsUtil, "getRequiredInput");
-    requiredInputStub.withArgs("analysis-kinds").returns("code-quality");
-    const result = await getAnalysisKinds(logger, features, true);
-    t.deepEqual(result, [AnalysisKind.CodeQuality]);
-    t.deepEqual(logger.messages, []);
-  },
-);
-
 test.serial(
   "getAnalysisKinds - includes `code-quality` when deprecated `quality-queries` input is used",
   async (t) => {
@@ -173,7 +133,6 @@ for (let i = 0; i < analysisKinds.length; i++) {
       test.serial(
         `getAnalysisKinds - allows ${analysisKind} with ${otherAnalysis}`,
         async (t) => {
-          setupBaseActionsVars();
           process.env[EnvVar.TEST_MODE] = "true";
           const features = createFeatures([]);
           const requiredInputStub = sinon.stub(actionsUtil, "getRequiredInput");
@@ -192,7 +151,6 @@ for (let i = 0; i < analysisKinds.length; i++) {
       test.serial(
         `getAnalysisKinds - throws if ${analysisKind} is enabled with ${otherAnalysis}`,
         async (t) => {
-          setupBaseActionsVars();
           const features = createFeatures([]);
           const requiredInputStub = sinon.stub(actionsUtil, "getRequiredInput");
           requiredInputStub

src/analyses.ts

@@ -2,7 +2,6 @@ import {
   fixCodeQualityCategory,
   getOptionalInput,
   getRequiredInput,
-  isDynamicWorkflow,
 } from "./actions-util";
 import { EnvVar } from "./environment";
 import { Feature, FeatureEnablement } from "./feature-flags";
@@ -66,21 +65,6 @@ export async function parseAnalysisKinds(
 // Used to avoid re-parsing the input after we have done it once.
 let cachedAnalysisKinds: AnalysisKind[] | undefined;
 
-/** Determines whether `code-scanning` is the only enabled analysis kind in `analysisKinds`. */
-function isOnlyCodeScanningEnabled(analysisKinds: AnalysisKind[]) {
-  return (
-    analysisKinds.length === 1 && analysisKinds[0] === AnalysisKind.CodeScanning
-  );
-}
-
-/** Prepends a generic message about the intended usage for `analysis-kinds` to `message`. */
-function makeAnalysisKindUsageError(message: string) {
-  return (
-    "The `analysis-kinds` input is experimental and for GitHub-internal use only. " +
-    `Its behaviour may change at any time or be removed entirely. ${message}`
-  );
-}
-
 /**
  * Initialises the analysis kinds for the analysis based on the `analysis-kinds` input.
  * This function will also use the deprecated `quality-queries` input as an indicator to enable `code-quality`.
@@ -105,26 +89,6 @@ export async function getAnalysisKinds(
     getRequiredInput("analysis-kinds"),
   );
 
-  // Log an error if we are outside of a GitHub-managed workflow and an analysis kind
-  // other than `code-scanning` is enabled.
-  if (
-    !isInTestMode() &&
-    !isDynamicWorkflow() &&
-    !isOnlyCodeScanningEnabled(analysisKinds)
-  ) {
-    const codeQualityHint = analysisKinds.includes(AnalysisKind.CodeQuality)
-      ? " If your intention is to use quality queries outside of Code Quality, " +
-        "use the `queries` input with `code-quality` instead."
-      : "";
-
-    logger.error(
-      makeAnalysisKindUsageError(
-        "An analysis kind other than `code-scanning` was specified in a custom workflow. " +
-          `This is not supported and will become a fatal error in a future version of the CodeQL Action.${codeQualityHint}`,
-      ),
-    );
-  }
-
   // Warn that `quality-queries` is deprecated if there is an argument for it.
   const qualityQueriesInput = getOptionalInput("quality-queries");
 
@@ -166,10 +130,10 @@ export async function getAnalysisKinds(
     !(await features.getValue(Feature.AllowMultipleAnalysisKinds))
   ) {
     logger.error(
-      makeAnalysisKindUsageError(
+      "The `analysis-kinds` input is experimental and for GitHub-internal use only. " +
+        "Its behaviour may change at any time or be removed entirely. " +
         "Specifying multiple values as input is no longer supported. " +
-          "Continuing with only `analysis-kinds: code-scanning`.",
-      ),
+        "Continuing with only `analysis-kinds: code-scanning`.",
     );
 
     // Only enable Code Scanning.

src/analyze-action-env.test.ts

@@ -0,0 +1,90 @@
+import test from "ava";
+import * as sinon from "sinon";
+
+import * as actionsUtil from "./actions-util";
+import * as analyze from "./analyze";
+import * as api from "./api-client";
+import * as configUtils from "./config-utils";
+import * as gitUtils from "./git-utils";
+import * as statusReport from "./status-report";
+import {
+  setupTests,
+  setupActionsVars,
+  mockFeatureFlagApiEndpoint,
+} from "./testing-utils";
+import * as util from "./util";
+
+setupTests(test);
+
+// This test needs to be in its own file so that ava would run it in its own
+// nodejs process. The code being tested is in analyze-action.ts, which runs
+// immediately on load. So the file needs to be loaded during part of the test,
+// and that can happen only once per nodejs process. If multiple such tests are
+// in the same test file, ava would run them in the same nodejs process, and all
+// but the first test would fail.
+
+test("analyze action with RAM & threads from environment variables", async (t) => {
+  // This test frequently times out on Windows with the default timeout, so we bump
+  // it a bit to 20s.
+  t.timeout(1000 * 20);
+  await util.withTmpDir(async (tmpDir) => {
+    setupActionsVars(tmpDir, tmpDir);
+    sinon
+      .stub(statusReport, "createStatusReportBase")
+      .resolves({} as statusReport.StatusReportBase);
+    sinon.stub(statusReport, "sendStatusReport").resolves();
+    sinon.stub(gitUtils, "isAnalyzingDefaultBranch").resolves(true);
+
+    const gitHubVersion: util.GitHubVersion = {
+      type: util.GitHubVariant.DOTCOM,
+    };
+    sinon.stub(configUtils, "getConfig").resolves({
+      gitHubVersion,
+      augmentationProperties: {},
+      languages: [],
+      packs: [],
+      trapCaches: {},
+    } as unknown as configUtils.Config);
+    const requiredInputStub = sinon.stub(actionsUtil, "getRequiredInput");
+    requiredInputStub.withArgs("token").returns("fake-token");
+    requiredInputStub.withArgs("upload-database").returns("false");
+    requiredInputStub.withArgs("output").returns("out");
+    const optionalInputStub = sinon.stub(actionsUtil, "getOptionalInput");
+    optionalInputStub.withArgs("expect-error").returns("false");
+    sinon.stub(api, "getGitHubVersion").resolves(gitHubVersion);
+    mockFeatureFlagApiEndpoint(200, {});
+
+    // When there are no action inputs for RAM and threads, the action uses
+    // environment variables (passed down from the init action) to set RAM and
+    // threads usage.
+    process.env["CODEQL_THREADS"] = "-1";
+    process.env["CODEQL_RAM"] = "4992";
+
+    const runFinalizeStub = sinon.stub(analyze, "runFinalize");
+    const runQueriesStub = sinon.stub(analyze, "runQueries");
+    // eslint-disable-next-line @typescript-eslint/no-require-imports
+    const analyzeAction = require("./analyze-action");
+
+    // When analyze-action.ts loads, it runs an async function from the top
+    // level but does not wait for it to finish. To ensure that calls to
+    // runFinalize and runQueries are correctly captured by spies, we explicitly
+    // wait for the action promise to complete before starting verification.
+    await analyzeAction.runPromise;
+
+    t.assert(
+      runFinalizeStub.calledOnceWith(
+        sinon.match.any,
+        sinon.match.any,
+        "--threads=-1",
+        "--ram=4992",
+      ),
+    );
+    t.assert(
+      runQueriesStub.calledOnceWith(
+        sinon.match.any,
+        "--ram=4992",
+        "--threads=-1",
+      ),
+    );
+  });
+});

src/analyze-action-input.test.ts

@@ -0,0 +1,88 @@
+import test from "ava";
+import * as sinon from "sinon";
+
+import * as actionsUtil from "./actions-util";
+import * as analyze from "./analyze";
+import * as api from "./api-client";
+import * as configUtils from "./config-utils";
+import * as gitUtils from "./git-utils";
+import * as statusReport from "./status-report";
+import {
+  setupTests,
+  setupActionsVars,
+  mockFeatureFlagApiEndpoint,
+} from "./testing-utils";
+import * as util from "./util";
+
+setupTests(test);
+
+// This test needs to be in its own file so that ava would run it in its own
+// nodejs process. The code being tested is in analyze-action.ts, which runs
+// immediately on load. So the file needs to be loaded during part of the test,
+// and that can happen only once per nodejs process. If multiple such tests are
+// in the same test file, ava would run them in the same nodejs process, and all
+// but the first test would fail.
+
+test("analyze action with RAM & threads from action inputs", async (t) => {
+  t.timeout(1000 * 20);
+  await util.withTmpDir(async (tmpDir) => {
+    setupActionsVars(tmpDir, tmpDir);
+    sinon
+      .stub(statusReport, "createStatusReportBase")
+      .resolves({} as statusReport.StatusReportBase);
+    sinon.stub(statusReport, "sendStatusReport").resolves();
+    const gitHubVersion: util.GitHubVersion = {
+      type: util.GitHubVariant.DOTCOM,
+    };
+    sinon.stub(configUtils, "getConfig").resolves({
+      gitHubVersion,
+      augmentationProperties: {},
+      languages: [],
+      packs: [],
+      trapCaches: {},
+    } as unknown as configUtils.Config);
+    const requiredInputStub = sinon.stub(actionsUtil, "getRequiredInput");
+    requiredInputStub.withArgs("token").returns("fake-token");
+    requiredInputStub.withArgs("upload-database").returns("false");
+    requiredInputStub.withArgs("output").returns("out");
+    const optionalInputStub = sinon.stub(actionsUtil, "getOptionalInput");
+    optionalInputStub.withArgs("expect-error").returns("false");
+    sinon.stub(api, "getGitHubVersion").resolves(gitHubVersion);
+    sinon.stub(gitUtils, "isAnalyzingDefaultBranch").resolves(true);
+    mockFeatureFlagApiEndpoint(200, {});
+
+    process.env["CODEQL_THREADS"] = "1";
+    process.env["CODEQL_RAM"] = "4992";
+
+    // Action inputs have precedence over environment variables.
+    optionalInputStub.withArgs("threads").returns("-1");
+    optionalInputStub.withArgs("ram").returns("3012");
+
+    const runFinalizeStub = sinon.stub(analyze, "runFinalize");
+    const runQueriesStub = sinon.stub(analyze, "runQueries");
+    // eslint-disable-next-line @typescript-eslint/no-require-imports
+    const analyzeAction = require("./analyze-action");
+
+    // When analyze-action.ts loads, it runs an async function from the top
+    // level but does not wait for it to finish. To ensure that calls to
+    // runFinalize and runQueries are correctly captured by spies, we explicitly
+    // wait for the action promise to complete before starting verification.
+    await analyzeAction.runPromise;
+
+    t.assert(
+      runFinalizeStub.calledOnceWith(
+        sinon.match.any,
+        sinon.match.any,
+        "--threads=-1",
+        "--ram=3012",
+      ),
+    );
+    t.assert(
+      runQueriesStub.calledOnceWith(
+        sinon.match.any,
+        "--ram=3012",
+        "--threads=-1",
+      ),
+    );
+  });
+});

src/analyze-action-post.ts

@@ -20,7 +20,7 @@ import { EnvVar } from "./environment";
 import { getActionsLogger } from "./logging";
 import { checkGitHubVersionInRange, getErrorMessage } from "./util";
 
-export async function runWrapper() {
+async function runWrapper() {
   // To capture errors appropriately, keep as much code within the try-catch as
   // possible, and only use safe functions outside.
 
@@ -72,3 +72,5 @@ export async function runWrapper() {
     );
   }
 }
+
+void runWrapper();

src/analyze-action.test.ts

@@ -1,142 +0,0 @@
-import test from "ava";
-import * as sinon from "sinon";
-
-import * as actionsUtil from "./actions-util";
-import * as analyze from "./analyze";
-import { runWrapper } from "./analyze-action";
-import * as api from "./api-client";
-import * as configUtils from "./config-utils";
-import * as gitUtils from "./git-utils";
-import * as statusReport from "./status-report";
-import {
-  setupTests,
-  setupActionsVars,
-  mockFeatureFlagApiEndpoint,
-} from "./testing-utils";
-import * as util from "./util";
-
-setupTests(test);
-
-test.serial(
-  "analyze action with RAM & threads from environment variables",
-  async (t) => {
-    // This test frequently times out on Windows with the default timeout, so we bump
-    // it a bit to 20s.
-    t.timeout(1000 * 20);
-    await util.withTmpDir(async (tmpDir) => {
-      setupActionsVars(tmpDir, tmpDir);
-      sinon
-        .stub(statusReport, "createStatusReportBase")
-        .resolves({} as statusReport.StatusReportBase);
-      sinon.stub(statusReport, "sendStatusReport").resolves();
-      sinon.stub(gitUtils, "isAnalyzingDefaultBranch").resolves(true);
-
-      const gitHubVersion: util.GitHubVersion = {
-        type: util.GitHubVariant.DOTCOM,
-      };
-      sinon.stub(configUtils, "getConfig").resolves({
-        gitHubVersion,
-        augmentationProperties: {},
-        languages: [],
-        packs: [],
-        trapCaches: {},
-      } as unknown as configUtils.Config);
-      const requiredInputStub = sinon.stub(actionsUtil, "getRequiredInput");
-      requiredInputStub.withArgs("token").returns("fake-token");
-      requiredInputStub.withArgs("upload-database").returns("false");
-      requiredInputStub.withArgs("output").returns("out");
-      const optionalInputStub = sinon.stub(actionsUtil, "getOptionalInput");
-      optionalInputStub.withArgs("expect-error").returns("false");
-      sinon.stub(api, "getGitHubVersion").resolves(gitHubVersion);
-      mockFeatureFlagApiEndpoint(200, {});
-
-      // When there are no action inputs for RAM and threads, the action uses
-      // environment variables (passed down from the init action) to set RAM and
-      // threads usage.
-      process.env["CODEQL_THREADS"] = "-1";
-      process.env["CODEQL_RAM"] = "4992";
-
-      const runFinalizeStub = sinon.stub(analyze, "runFinalize");
-      const runQueriesStub = sinon.stub(analyze, "runQueries");
-
-      await runWrapper();
-
-      t.assert(
-        runFinalizeStub.calledOnceWith(
-          sinon.match.any,
-          sinon.match.any,
-          "--threads=-1",
-          "--ram=4992",
-        ),
-      );
-      t.assert(
-        runQueriesStub.calledOnceWith(
-          sinon.match.any,
-          "--ram=4992",
-          "--threads=-1",
-        ),
-      );
-    });
-  },
-);
-
-test.serial(
-  "analyze action with RAM & threads from action inputs",
-  async (t) => {
-    t.timeout(1000 * 20);
-    await util.withTmpDir(async (tmpDir) => {
-      setupActionsVars(tmpDir, tmpDir);
-      sinon
-        .stub(statusReport, "createStatusReportBase")
-        .resolves({} as statusReport.StatusReportBase);
-      sinon.stub(statusReport, "sendStatusReport").resolves();
-      const gitHubVersion: util.GitHubVersion = {
-        type: util.GitHubVariant.DOTCOM,
-      };
-      sinon.stub(configUtils, "getConfig").resolves({
-        gitHubVersion,
-        augmentationProperties: {},
-        languages: [],
-        packs: [],
-        trapCaches: {},
-      } as unknown as configUtils.Config);
-      const requiredInputStub = sinon.stub(actionsUtil, "getRequiredInput");
-      requiredInputStub.withArgs("token").returns("fake-token");
-      requiredInputStub.withArgs("upload-database").returns("false");
-      requiredInputStub.withArgs("output").returns("out");
-      const optionalInputStub = sinon.stub(actionsUtil, "getOptionalInput");
-      optionalInputStub.withArgs("expect-error").returns("false");
-      sinon.stub(api, "getGitHubVersion").resolves(gitHubVersion);
-      sinon.stub(gitUtils, "isAnalyzingDefaultBranch").resolves(true);
-      mockFeatureFlagApiEndpoint(200, {});
-
-      process.env["CODEQL_THREADS"] = "1";
-      process.env["CODEQL_RAM"] = "4992";
-
-      // Action inputs have precedence over environment variables.
-      optionalInputStub.withArgs("threads").returns("-1");
-      optionalInputStub.withArgs("ram").returns("3012");
-
-      const runFinalizeStub = sinon.stub(analyze, "runFinalize");
-      const runQueriesStub = sinon.stub(analyze, "runQueries");
-
-      await runWrapper();
-
-      t.assert(
-        runFinalizeStub.calledOnceWith(
-          sinon.match.any,
-          sinon.match.any,
-          "--threads=-1",
-          "--ram=3012",
-        ),
-      );
-      t.assert(
-        runQueriesStub.calledOnceWith(
-          sinon.match.any,
-          "--ram=3012",
-          "--threads=-1",
-        ),
-      );
-    });
-  },
-);

src/analyze-action.ts

@@ -523,11 +523,14 @@ async function run(startedAt: Date) {
   }
 }
 
-export async function runWrapper() {
-  const startedAt = new Date();
+// Module-level startedAt so it can be accessed by runWrapper for error reporting
+const startedAt = new Date();
+export const runPromise = run(startedAt);
+
+async function runWrapper() {
   const logger = getActionsLogger();
   try {
-    await run(startedAt);
+    await runPromise;
   } catch (error) {
     core.setFailed(`analyze action failed: ${util.getErrorMessage(error)}`);
     await sendUnhandledErrorStatusReport(
@@ -539,3 +542,5 @@ export async function runWrapper() {
   }
   await util.checkForTimeout();
 }
+
+void runWrapper();

src/artifact-scanner.test.ts

@@ -141,9 +141,14 @@ test("scanArtifactsForTokens handles files without tokens", async (t) => {
   }
 });
 
-// `scanArchiveFile` does not support Windows, so we skip this test there.
-if (os.platform() !== "win32") {
+// This test is slow (extracts and scans a zip artifact), so by default we only run it in CI. Set
+// RUN_SLOW_TESTS=1 to run it locally.
+if (
+  os.platform() !== "win32" &&
+  (process.env.CI === "true" || process.env.RUN_SLOW_TESTS === "1")
+) {
   test("scanArtifactsForTokens finds token in debug artifacts", async (t) => {
+    t.timeout(15000); // 15 seconds
     const messages: LoggedMessage[] = [];
     const logger = getRecordingLogger(messages, { logToConsole: false });
     // The zip here is a regression test based on

src/autobuild-action.ts

@@ -142,7 +142,7 @@ async function run(startedAt: Date) {
   await sendCompletedStatusReport(config, logger, startedAt, languages ?? []);
 }
 
-export async function runWrapper() {
+async function runWrapper() {
   const startedAt = new Date();
   const logger = getActionsLogger();
   try {
@@ -157,3 +157,5 @@ export async function runWrapper() {
     );
   }
 }
+
+void runWrapper();

src/codeql.test.ts

@@ -1072,7 +1072,7 @@ test.serial(
 );
 
 test.serial(
-  "Avoids duplicating --force-overwrite flag if specified in CODEQL_ACTION_EXTRA_OPTIONS",
+  "Avoids duplicating --overwrite flag if specified in CODEQL_ACTION_EXTRA_OPTIONS",
   async (t) => {
     const runnerConstructorStub = stubToolRunnerConstructor();
     const codeqlObject = await stubCodeql();
@@ -1080,7 +1080,7 @@ test.serial(
     sinon.stub(io, "which").resolves("");
 
     process.env["CODEQL_ACTION_EXTRA_OPTIONS"] =
-      '{ "database": { "init": ["--force-overwrite"] } }';
+      '{ "database": { "init": ["--overwrite"] } }';
 
     await codeqlObject.databaseInitCluster(
       stubConfig,
@@ -1093,9 +1093,9 @@ test.serial(
     t.true(runnerConstructorStub.calledOnce);
     const args = runnerConstructorStub.firstCall.args[1] as string[];
     t.is(
-      args.filter((option: string) => option === "--force-overwrite").length,
+      args.filter((option: string) => option === "--overwrite").length,
       1,
-      "--force-overwrite should only be passed once",
+      "--overwrite should only be passed once",
     );
 
     // Clean up

src/codeql.ts

@@ -277,7 +277,7 @@ let cachedCodeQL: CodeQL | undefined = undefined;
  * The version flags below can be used to conditionally enable certain features
  * on versions newer than this.
  */
-const CODEQL_MINIMUM_VERSION = "2.19.4";
+const CODEQL_MINIMUM_VERSION = "2.17.6";
 
 /**
  * This version will shortly become the oldest version of CodeQL that the Action will run with.
@@ -592,6 +592,13 @@ async function getCodeQLForCmd(
         extraArgs.push(`--qlconfig-file=${qlconfigFile}`);
       }
 
+      const overwriteFlag = isSupportedToolsFeature(
+        await this.getVersion(),
+        ToolsFeature.ForceOverwrite,
+      )
+        ? "--force-overwrite"
+        : "--overwrite";
+
       const overlayDatabaseMode = config.overlayDatabaseMode;
       if (overlayDatabaseMode === OverlayDatabaseMode.Overlay) {
         const overlayChangesFile = await writeOverlayChangesFile(
@@ -618,7 +625,7 @@ async function getCodeQLForCmd(
           "init",
           ...(overlayDatabaseMode === OverlayDatabaseMode.Overlay
             ? []
-            : ["--force-overwrite"]),
+            : [overwriteFlag]),
           "--db-cluster",
           config.dbLocation,
           `--source-root=${sourceRoot}`,
@@ -629,14 +636,7 @@ async function getCodeQLForCmd(
             // Some user configs specify `--no-calculate-baseline` as an additional
             // argument to `codeql database init`. Therefore ignore the baseline file
             // options here to avoid specifying the same argument twice and erroring.
-            //
-            // Ignore `--overwrite` to avoid passing both `--force-overwrite` and `--overwrite` if
-            // the user has configured `--overwrite`.
-            ignoringOptions: [
-              "--force-overwrite",
-              "--overwrite",
-              ...baselineFilesOptions,
-            ],
+            ignoringOptions: ["--overwrite", ...baselineFilesOptions],
           }),
         ],
         { stdin: externalRepositoryToken },
@@ -853,7 +853,7 @@ async function getCodeQLForCmd(
         "--sarif-group-rules-by-pack",
         "--sarif-include-query-help=always",
         "--sublanguage-file-coverage",
-        ...(await getJobRunUuidSarifOptions()),
+        ...(await getJobRunUuidSarifOptions(this)),
         ...getExtraOptionsFromEnv(["database", "interpret-results"]),
       ];
       if (sarifRunPropertyFlag !== undefined) {
@@ -1283,8 +1283,13 @@ function applyAutobuildAzurePipelinesTimeoutFix() {
   ].join(" ");
 }
 
-async function getJobRunUuidSarifOptions() {
+async function getJobRunUuidSarifOptions(codeql: CodeQL) {
   const jobRunUuid = process.env[EnvVar.JOB_RUN_UUID];
 
-  return jobRunUuid ? [`--sarif-run-property=jobRunUuid=${jobRunUuid}`] : [];
+  return jobRunUuid &&
+    (await codeql.supportsFeature(
+      ToolsFeature.DatabaseInterpretResultsSupportsSarifRunProperty,
+    ))
+    ? [`--sarif-run-property=jobRunUuid=${jobRunUuid}`]
+    : [];
 }

src/config-utils.test.ts

@@ -21,7 +21,6 @@ import { GitVersionInfo } from "./git-utils";
 import { BuiltInLanguage, Language } from "./languages";
 import { getRunnerLogger } from "./logging";
 import { CODEQL_OVERLAY_MINIMUM_VERSION } from "./overlay";
-import * as overlayDiagnostics from "./overlay/diagnostics";
 import { OverlayDisabledReason } from "./overlay/diagnostics";
 import { OverlayDatabaseMode } from "./overlay/overlay-database-mode";
 import * as overlayStatus from "./overlay/status";
@@ -2144,87 +2143,3 @@ test.serial(
     });
   },
 );
-
-test("applyIncrementalAnalysisSettings: no-op when mode is not Overlay and diff ranges are unavailable", async (t) => {
-  const config = createTestConfig({});
-  config.overlayDatabaseMode = OverlayDatabaseMode.None;
-  const codeql = createStubCodeQL({});
-  const logger = getRunnerLogger(true);
-
-  await configUtils.applyIncrementalAnalysisSettings(
-    config,
-    false,
-    codeql,
-    logger,
-  );
-
-  t.is(config.overlayDatabaseMode, OverlayDatabaseMode.None);
-  t.deepEqual(config.extraQueryExclusions, []);
-});
-
-test("applyIncrementalAnalysisSettings: keeps overlay mode and adds exclusions when diff ranges are available", async (t) => {
-  const config = createTestConfig({
-    overlayDatabaseMode: OverlayDatabaseMode.Overlay,
-  });
-  const codeql = createStubCodeQL({});
-  const logger = getRunnerLogger(true);
-
-  await configUtils.applyIncrementalAnalysisSettings(
-    config,
-    true,
-    codeql,
-    logger,
-  );
-
-  t.is(config.overlayDatabaseMode, OverlayDatabaseMode.Overlay);
-  t.deepEqual(config.extraQueryExclusions, [
-    { exclude: { tags: "exclude-from-incremental" } },
-  ]);
-});
-
-test("applyIncrementalAnalysisSettings: disables overlay analysis when diff ranges are unavailable", async (t) => {
-  const config = createTestConfig({
-    overlayDatabaseMode: OverlayDatabaseMode.Overlay,
-  });
-  config.useOverlayDatabaseCaching = true;
-  const codeql = createStubCodeQL({});
-  const logger = getRunnerLogger(true);
-  const addDiagnosticsStub = sinon
-    .stub(overlayDiagnostics, "addOverlayDisablementDiagnostics")
-    .resolves();
-
-  await configUtils.applyIncrementalAnalysisSettings(
-    config,
-    false,
-    codeql,
-    logger,
-  );
-
-  t.is(config.overlayDatabaseMode, OverlayDatabaseMode.None);
-  t.is(config.useOverlayDatabaseCaching, false);
-  t.deepEqual(config.extraQueryExclusions, []);
-  t.true(addDiagnosticsStub.calledOnce);
-  t.is(
-    addDiagnosticsStub.firstCall.args[2],
-    OverlayDisabledReason.DiffInformedAnalysisNotEnabled,
-  );
-});
-
-test("applyIncrementalAnalysisSettings: adds exclusions for diff-informed-only runs", async (t) => {
-  const config = createTestConfig({});
-  config.overlayDatabaseMode = OverlayDatabaseMode.None;
-  const codeql = createStubCodeQL({});
-  const logger = getRunnerLogger(true);
-
-  await configUtils.applyIncrementalAnalysisSettings(
-    config,
-    true,
-    codeql,
-    logger,
-  );
-
-  t.is(config.overlayDatabaseMode, OverlayDatabaseMode.None);
-  t.deepEqual(config.extraQueryExclusions, [
-    { exclude: { tags: "exclude-from-incremental" } },
-  ]);
-});

src/config-utils.ts

@@ -31,7 +31,7 @@ import {
   addNoLanguageDiagnostic,
   makeTelemetryDiagnostic,
 } from "./diagnostics";
-import { prepareDiffInformedAnalysis } from "./diff-informed-analysis-utils";
+import { shouldPerformDiffInformedAnalysis } from "./diff-informed-analysis-utils";
 import { EnvVar } from "./environment";
 import * as errorMessages from "./error-messages";
 import { Feature, FeatureEnablement } from "./feature-flags";
@@ -1077,48 +1077,6 @@ function hasQueryCustomisation(userConfig: UserConfig): boolean {
   );
 }
 
-/**
- * Finalize the incremental-analysis configuration for this run.
- *
- * Overlay analysis has only been validated in combination with diff-informed
- * analysis, so if `Overlay` mode was selected for a pull request but the diff
- * ranges could not be computed, fall back to a full non-overlay analysis.
- *
- * Query exclusions for incremental-only queries are then applied whenever the
- * diff ranges are available — which, after the fallback above, is exactly the
- * set of runs where any kind of incremental analysis (overlay or
- * diff-informed) is in effect.
- */
-export async function applyIncrementalAnalysisSettings(
-  config: Config,
-  hasDiffRanges: boolean,
-  codeql: CodeQL,
-  logger: Logger,
-): Promise<void> {
-  if (
-    config.overlayDatabaseMode === OverlayDatabaseMode.Overlay &&
-    !hasDiffRanges
-  ) {
-    logger.info(
-      `Reverting overlay database mode to ${OverlayDatabaseMode.None} ` +
-        "because the PR diff ranges could not be computed.",
-    );
-    config.overlayDatabaseMode = OverlayDatabaseMode.None;
-    config.useOverlayDatabaseCaching = false;
-    await addOverlayDisablementDiagnostics(
-      config,
-      codeql,
-      OverlayDisabledReason.DiffInformedAnalysisNotEnabled,
-    );
-  }
-
-  if (hasDiffRanges) {
-    config.extraQueryExclusions.push({
-      exclude: { tags: "exclude-from-incremental" },
-    });
-  }
-}
-
 /**
  * Load and return the config.
  *
@@ -1273,18 +1231,18 @@ export async function initConfig(
     );
   }
 
-  const hasDiffRanges = await prepareDiffInformedAnalysis(
-    inputs.codeql,
-    inputs.features,
-    logger,
-  );
-
-  await applyIncrementalAnalysisSettings(
-    config,
-    hasDiffRanges,
-    inputs.codeql,
-    logger,
-  );
+  if (
+    config.overlayDatabaseMode === OverlayDatabaseMode.Overlay ||
+    (await shouldPerformDiffInformedAnalysis(
+      inputs.codeql,
+      inputs.features,
+      logger,
+    ))
+  ) {
+    config.extraQueryExclusions.push({
+      exclude: { tags: "exclude-from-incremental" },
+    });
+  }
 
   if (await isTrapCachingEnabled(features, config.overlayDatabaseMode)) {
     const { trapCaches, trapCacheDownloadTime } = await downloadCacheWithTime(

src/diff-informed-analysis-utils.test.ts

@@ -5,16 +5,14 @@ import * as actionsUtil from "./actions-util";
 import type { PullRequestBranches } from "./actions-util";
 import * as apiClient from "./api-client";
 import {
-  getDiffInformedAnalysisBranches,
-  prepareDiffInformedAnalysis,
+  shouldPerformDiffInformedAnalysis,
   exportedForTesting,
 } from "./diff-informed-analysis-utils";
-import { Feature, FeatureEnablement, initFeatures } from "./feature-flags";
+import { Feature, initFeatures } from "./feature-flags";
 import { getRunnerLogger } from "./logging";
 import { parseRepositoryNwo } from "./repository";
 import {
   setupTests,
-  createFeatures,
   mockCodeQLVersion,
   mockFeatureFlagApiEndpoint,
   setupActionsVars,
@@ -75,25 +73,28 @@ const testShouldPerformDiffInformedAnalysis = makeMacro({
         [Feature.DiffInformedQueries]: testCase.featureEnabled,
       });
 
-      sinon
+      const getGitHubVersionStub = sinon
         .stub(apiClient, "getGitHubVersion")
         .resolves(testCase.gitHubVersion);
-      sinon
+      const getPullRequestBranchesStub = sinon
         .stub(actionsUtil, "getPullRequestBranches")
         .returns(testCase.pullRequestBranches);
 
-      const branches = await getDiffInformedAnalysisBranches(
+      const result = await shouldPerformDiffInformedAnalysis(
         codeql,
         features,
         logger,
       );
 
-      t.is(branches !== undefined, expectedResult);
+      t.is(result, expectedResult);
 
       delete process.env.CODEQL_ACTION_DIFF_INFORMED_QUERIES;
+
+      getGitHubVersionStub.restore();
+      getPullRequestBranchesStub.restore();
     });
   },
-  title: (title) => `getDiffInformedAnalysisBranches: ${title}`,
+  title: (title) => `shouldPerformDiffInformedAnalysis: ${title}`,
 });
 
 testShouldPerformDiffInformedAnalysis.serial(
@@ -177,135 +178,6 @@ testShouldPerformDiffInformedAnalysis.serial(
   false,
 );
 
-test.serial(
-  "prepareDiffInformedAnalysis: returns false when not a pull request",
-  async (t) => {
-    await withTmpDir(async (tmpDir) => {
-      setupActionsVars(tmpDir, tmpDir);
-      const logger = getRunnerLogger(true);
-      const codeql = mockCodeQLVersion("2.21.0");
-      const features = createFeatures([Feature.DiffInformedQueries]);
-
-      sinon.stub(actionsUtil, "getPullRequestBranches").returns(undefined);
-      sinon
-        .stub(apiClient, "getGitHubVersion")
-        .resolves({ type: GitHubVariant.DOTCOM });
-
-      const result = await prepareDiffInformedAnalysis(
-        codeql,
-        features,
-        logger,
-      );
-
-      t.false(result);
-    });
-  },
-);
-
-test.serial(
-  "prepareDiffInformedAnalysis: returns false when applicability check throws",
-  async (t) => {
-    await withTmpDir(async (tmpDir) => {
-      setupActionsVars(tmpDir, tmpDir);
-      const logger = getRunnerLogger(true);
-      const codeql = mockCodeQLVersion("2.21.0");
-      // A features implementation whose getValue rejects, simulating an
-      // unexpected failure when determining whether diff-informed analysis
-      // should run.
-      const features: FeatureEnablement = {
-        getEnabledDefaultCliVersions: async () => {
-          throw new Error("not implemented");
-        },
-        getValue: async () => {
-          throw new Error("feature flag lookup failed");
-        },
-      };
-
-      const result = await prepareDiffInformedAnalysis(
-        codeql,
-        features,
-        logger,
-      );
-
-      t.false(result);
-    });
-  },
-);
-
-test.serial(
-  "prepareDiffInformedAnalysis: returns true when the diff is fetched successfully",
-  async (t) => {
-    await withTmpDir(async (tmpDir) => {
-      setupActionsVars(tmpDir, tmpDir);
-      const logger = getRunnerLogger(true);
-      const codeql = mockCodeQLVersion("2.21.0");
-      const features = createFeatures([Feature.DiffInformedQueries]);
-
-      sinon
-        .stub(actionsUtil, "getPullRequestBranches")
-        .returns({ base: "main", head: "feature" });
-      sinon
-        .stub(apiClient, "getGitHubVersion")
-        .resolves({ type: GitHubVariant.DOTCOM });
-      // eslint-disable-next-line @typescript-eslint/no-unsafe-argument
-      sinon.stub(apiClient, "getApiClient").returns({
-        rest: {
-          repos: {
-            compareCommitsWithBasehead: sinon
-              .stub()
-              .resolves({ data: { files: [] } }),
-          },
-        },
-      } as any);
-
-      const result = await prepareDiffInformedAnalysis(
-        codeql,
-        features,
-        logger,
-      );
-
-      t.true(result);
-    });
-  },
-);
-
-test.serial(
-  "prepareDiffInformedAnalysis: returns false when the diff API call fails",
-  async (t) => {
-    await withTmpDir(async (tmpDir) => {
-      setupActionsVars(tmpDir, tmpDir);
-      const logger = getRunnerLogger(true);
-      const codeql = mockCodeQLVersion("2.21.0");
-      const features = createFeatures([Feature.DiffInformedQueries]);
-
-      sinon
-        .stub(actionsUtil, "getPullRequestBranches")
-        .returns({ base: "main", head: "feature" });
-      sinon
-        .stub(apiClient, "getGitHubVersion")
-        .resolves({ type: GitHubVariant.DOTCOM });
-      const notFoundError: any = new Error("Not Found");
-      notFoundError.status = 404;
-      // eslint-disable-next-line @typescript-eslint/no-unsafe-argument
-      sinon.stub(apiClient, "getApiClient").returns({
-        rest: {
-          repos: {
-            compareCommitsWithBasehead: sinon.stub().rejects(notFoundError),
-          },
-        },
-      } as any);
-
-      const result = await prepareDiffInformedAnalysis(
-        codeql,
-        features,
-        logger,
-      );
-
-      t.false(result);
-    });
-  },
-);
-
 function runGetDiffRanges(changes: number, patch: string[] | undefined): any {
   return exportedForTesting.getDiffRanges(
     {

src/diff-informed-analysis-utils.ts

@@ -5,9 +5,9 @@ import type { PullRequestBranches } from "./actions-util";
 import { getApiClient, getGitHubVersion } from "./api-client";
 import type { CodeQL } from "./codeql";
 import { Feature, FeatureEnablement } from "./feature-flags";
-import { Logger, withGroupAsync } from "./logging";
+import { Logger } from "./logging";
 import { getRepositoryNwoFromEnv } from "./repository";
-import { getErrorMessage, GitHubVariant, satisfiesGHESVersion } from "./util";
+import { GitHubVariant, satisfiesGHESVersion } from "./util";
 
 /**
  * This interface is an abbreviated version of the file diff object returned by
@@ -21,6 +21,20 @@ interface FileDiff {
   patch?: string | undefined;
 }
 
+/**
+ * Check if the action should perform diff-informed analysis.
+ */
+export async function shouldPerformDiffInformedAnalysis(
+  codeql: CodeQL,
+  features: FeatureEnablement,
+  logger: Logger,
+): Promise<boolean> {
+  return (
+    (await getDiffInformedAnalysisBranches(codeql, features, logger)) !==
+    undefined
+  );
+}
+
 /**
  * Get the branches to use for diff-informed analysis.
  *
@@ -55,46 +69,6 @@ export async function getDiffInformedAnalysisBranches(
   return branches;
 }
 
-/**
- * Prepares the diff ranges needed for diff-informed analysis for the current
- * run.
- *
- * @returns `true` if the diff ranges were successfully computed and persisted
- *   and are therefore available for use, `false` otherwise.
- */
-export async function prepareDiffInformedAnalysis(
-  codeql: CodeQL,
-  features: FeatureEnablement,
-  logger: Logger,
-): Promise<boolean> {
-  let branches: PullRequestBranches | undefined;
-  try {
-    branches = await getDiffInformedAnalysisBranches(codeql, features, logger);
-  } catch (e) {
-    // If we cannot determine whether diff-informed analysis applies (for
-    // example, because a feature-flag lookup failed), treat it as not
-    // applicable rather than triggering the overlay fallback.
-    logger.warning(
-      `Failed to determine branch information for diff-informed analysis: ${getErrorMessage(e)}`,
-    );
-    return false;
-  }
-  if (!branches) {
-    return false;
-  }
-
-  return await withGroupAsync("Computing PR diff ranges", async () => {
-    try {
-      return await computeAndPersistDiffRanges(branches, logger);
-    } catch (e) {
-      logger.warning(
-        `Failed to compute diff-informed analysis ranges: ${getErrorMessage(e)}`,
-      );
-      return false;
-    }
-  });
-}
-
 export interface DiffThunkRange {
   /** Relative path from the repository root, using forward slashes as separators. */
   path: string;
@@ -177,33 +151,6 @@ export async function getPullRequestEditedDiffRanges(
   return results;
 }
 
-/**
- * Compute and persist the diff ranges for a pull request. This fetches the
- * diff from the GitHub API and writes it to the diff ranges JSON file so that
- * CodeQL can use it for diff-informed analysis.
- *
- * @param branches The base and head branches of the pull request, as returned
- *   by `getDiffInformedAnalysisBranches`.
- * @param logger
- * @returns `true` if the diff ranges were successfully computed and persisted,
- *   otherwise `false`.
- */
-export async function computeAndPersistDiffRanges(
-  branches: PullRequestBranches,
-  logger: Logger,
-): Promise<boolean> {
-  const ranges = await getPullRequestEditedDiffRanges(branches, logger);
-  if (ranges === undefined) {
-    return false;
-  }
-  writeDiffRangesJsonFile(logger, ranges);
-  const distinctFiles = new Set(ranges.map((r) => r.path)).size;
-  logger.info(
-    `Persisted ${ranges.length} diff range(s) across ${distinctFiles} file(s).`,
-  );
-  return true;
-}
-
 async function getFileDiffsWithBasehead(
   branches: PullRequestBranches,
   logger: Logger,

src/entry-wrapper.js.tpl

@@ -1,3 +0,0 @@
-export async function run__ACTION__() {
-  return await __ACTION__.runWrapper();
-}

src/feature-flags.ts

@@ -26,9 +26,6 @@ const DEFAULT_VERSION_FEATURE_FLAG_SUFFIX = "_enabled";
 
 /**
  * The first version of the CodeQL Bundle that shipped with zstd-compressed bundles.
- *
- * This is now below the minimum version of CodeQL, but we keep this around because we currently set
- * up CodeQL before checking that the version is new enough.
  */
 export const CODEQL_VERSION_ZSTD_BUNDLE = "2.19.0";
 

src/git-utils.test.ts

@@ -33,6 +33,7 @@ test.serial(
 
       const actualRef = await gitUtils.getRef();
       t.deepEqual(actualRef, expectedRef);
+      callback.restore();
     });
   },
 );
@@ -53,6 +54,7 @@ test.serial(
 
       const actualRef = await gitUtils.getRef();
       t.deepEqual(actualRef, expectedRef);
+      callback.restore();
     });
   },
 );
@@ -71,6 +73,7 @@ test.serial(
 
       const actualRef = await gitUtils.getRef();
       t.deepEqual(actualRef, "refs/pull/1/head");
+      callback.restore();
     });
   },
 );
@@ -97,6 +100,8 @@ test.serial(
 
       const actualRef = await gitUtils.getRef();
       t.deepEqual(actualRef, "refs/pull/2/merge");
+      callback.restore();
+      getAdditionalInputStub.restore();
     });
   },
 );
@@ -156,6 +161,7 @@ test.serial(
             "Both 'ref' and 'sha' are required if one of them is provided.",
         },
       );
+      getAdditionalInputStub.restore();
     });
   },
 );
@@ -182,6 +188,7 @@ test.serial(
             "Both 'ref' and 'sha' are required if one of them is provided.",
         },
       );
+      getAdditionalInputStub.restore();
     });
   },
 );
@@ -235,6 +242,7 @@ test.serial("isAnalyzingDefaultBranch()", async (t) => {
     process.env["GITHUB_EVENT_NAME"] = "schedule";
     process.env["GITHUB_REF"] = "refs/heads/main";
     t.deepEqual(await gitUtils.isAnalyzingDefaultBranch(), false);
+    getAdditionalInputStub.restore();
   });
 });
 
@@ -246,6 +254,8 @@ test.serial("determineBaseBranchHeadCommitOid non-pullrequest", async (t) => {
   const result = await gitUtils.determineBaseBranchHeadCommitOid(__dirname);
   t.deepEqual(result, undefined);
   t.deepEqual(0, infoStub.callCount);
+
+  infoStub.restore();
 });
 
 test.serial(
@@ -266,6 +276,8 @@ test.serial(
       "git call failed. Will calculate the base branch SHA on the server. Error: " +
         "The checkout path provided to the action does not appear to be a git repository.",
     );
+
+    infoStub.restore();
   },
 );
 
@@ -289,27 +301,10 @@ test.serial("determineBaseBranchHeadCommitOid other error", async (t) => {
       "The checkout path provided to the action does not appear to be a git repository.",
     ),
   );
+
+  infoStub.restore();
 });
 
-test.serial(
-  "determineBaseBranchHeadCommitOid accepts SHA-256 OIDs",
-  async (t) => {
-    const mergeSha = "a".repeat(64);
-    const baseOid = "b".repeat(64);
-    const headOid = "c".repeat(64);
-
-    process.env["GITHUB_EVENT_NAME"] = "pull_request";
-    process.env["GITHUB_SHA"] = mergeSha;
-
-    sinon
-      .stub(gitUtils as any, "runGitCommand")
-      .resolves(`commit ${mergeSha}\nparent ${baseOid}\nparent ${headOid}\n`);
-
-    const result = await gitUtils.determineBaseBranchHeadCommitOid(__dirname);
-    t.deepEqual(result, baseOid);
-  },
-);
-
 test.serial("decodeGitFilePath unquoted strings", async (t) => {
   t.deepEqual(gitUtils.decodeGitFilePath("foo"), "foo");
   t.deepEqual(gitUtils.decodeGitFilePath("foo bar"), "foo bar");
@@ -441,64 +436,6 @@ test.serial("getFileOidsUnderPath handles quoted paths", async (t) => {
   });
 });
 
-test.serial("getFileOidsUnderPath handles SHA-256 OIDs", async (t) => {
-  await withTmpDir(async (tmpDir) => {
-    const sha256OidA =
-      "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2c0d4b7e8f9a1234567890ab";
-    const sha256OidB =
-      "aabbccddeeff00112233445566778899aabbccddeeff00112233445566778899";
-
-    sinon
-      .stub(gitUtils as any, "runGitCommand")
-      .callsFake(async (_cwd: any, args: any) => {
-        if (args[0] === "rev-parse") {
-          return `${tmpDir}\n`;
-        }
-        return (
-          `100644 ${sha256OidA} 0\tlib/sha256-file-a.js\n` +
-          `100644 ${sha256OidB} 0\tsrc/sha256-file-b.ts`
-        );
-      });
-
-    const result = await gitUtils.getFileOidsUnderPath("/fake/path");
-
-    t.deepEqual(result, {
-      "lib/sha256-file-a.js": sha256OidA,
-      "src/sha256-file-b.ts": sha256OidB,
-    });
-  });
-});
-
-test.serial(
-  "getFileOidsUnderPath rejects OIDs of unsupported length",
-  async (t) => {
-    await withTmpDir(async (tmpDir) => {
-      // 50-char OID: not a valid SHA-1 (40) or SHA-256 (64) length. The regex
-      // must not accept this even though every character is a valid hex digit.
-      const invalidLine =
-        "100644 30d998ded095371488be3a729eb61d86ed721a1830d998ded0 0\tlib/bad.js";
-      sinon
-        .stub(gitUtils as any, "runGitCommand")
-        .callsFake(async (_cwd: any, args: any) => {
-          if (args[0] === "rev-parse") {
-            return `${tmpDir}\n`;
-          }
-          return invalidLine;
-        });
-
-      await t.throwsAsync(
-        async () => {
-          await gitUtils.getFileOidsUnderPath("/fake/path");
-        },
-        {
-          instanceOf: Error,
-          message: `Unexpected "git ls-files" output: ${invalidLine}`,
-        },
-      );
-    });
-  },
-);
-
 test.serial("getFileOidsUnderPath handles empty output", async (t) => {
   await withTmpDir(async (tmpDir) => {
     sinon

src/git-utils.ts

@@ -163,12 +163,11 @@ export const determineBaseBranchHeadCommitOid = async function (
       }
     }
 
-    // Let's confirm our assumptions: We had a merge commit and the parsed parent
-    // data looks correct. OIDs are either 40 (SHA-1) or 64 (SHA-256) hex characters.
+    // Let's confirm our assumptions: We had a merge commit and the parsed parent data looks correct
     if (
       commitOid === mergeSha &&
-      (headOid.length === 40 || headOid.length === 64) &&
-      (baseOid.length === 40 || baseOid.length === 64)
+      headOid.length === 40 &&
+      baseOid.length === 40
     ) {
       return baseOid;
     }
@@ -297,8 +296,7 @@ export const getFileOidsUnderPath = async function (
   // 100644 4c51bc1d9e86cd86e01b0f340cb8ce095c33b283 0\tsrc/git-utils.test.ts
   // 100644 6b792ea543ce75d7a8a03df591e3c85311ecb64f 0\tsrc/git-utils.ts
   // The fields are: <mode> <oid> <stage>\t<path>
-  // The OID is either 40 (SHA-1) or 64 (SHA-256) hex characters.
-  const regex = /^[0-9]+ ([0-9a-f]{40}|[0-9a-f]{64}) [0-9]+\t(.+)$/;
+  const regex = /^[0-9]+ ([0-9a-f]{40}) [0-9]+\t(.+)$/;
   for (const line of stdout.split("\n")) {
     if (line) {
       const match = line.match(regex);

src/init-action-post.ts

@@ -207,7 +207,7 @@ function getJobStatusFromEnvironment(): JobStatus | undefined {
   return undefined;
 }
 
-export async function runWrapper() {
+async function runWrapper() {
   const startedAt = new Date();
   const logger = getActionsLogger();
   try {
@@ -222,3 +222,5 @@ export async function runWrapper() {
     );
   }
 }
+
+void runWrapper();