Initial plan

2026-06-04 12:54:26 +00:00 · 2026-05-04 15:42:49 +00:00
199 changed files with 1464934 additions and 74670 deletions
@@ -41,38 +41,7 @@ runs:
        git add .
        git commit -m "Update changelog and version after ${VERSION}"

-    # Update the build artifacts with the new version number
-    - name: Rebuild the Action
-      shell: bash
-      run: |
-        set -exu
-        npm ci
-        npm run build
-
-    - name: Check for rebuild changes
-      id: rebuild_changes
-      shell: bash
-      run: |
-        set -exu
-        git add --all
-        if git diff --cached --quiet; then
-          echo "has_changes=false" >> "${GITHUB_OUTPUT}"
-        else
-          echo "has_changes=true" >> "${GITHUB_OUTPUT}"
-        fi
-
-    - name: Commit rebuild
-      if: steps.rebuild_changes.outputs.has_changes == 'true'
-      shell: bash
-      run: |
-        set -exu
-        git commit -m "Rebuild"
-
-    - name: Push mergeback branch
-      shell: bash
-      env:
-        NEW_BRANCH: "${{ inputs.branch }}"
-      run: git push origin "${NEW_BRANCH}"
+        git push origin "${NEW_BRANCH}"

    - name: Create PR
      shell: bash
@@ -91,6 +60,8 @@ runs:

          Please do the following:

+          - [ ] Remove and re-add the "Rebuild" label to the PR to trigger just this workflow.
+          - [ ] Wait for the "Rebuild" workflow to push a commit updating the distribution files.
          - [ ] Mark the PR as ready for review to trigger the full set of PR checks.
          - [ ] Approve and merge the PR. When merging the PR, make sure "Create a merge commit" is
                selected rather than "Squash and merge" or "Rebase and merge".
@@ -103,6 +74,7 @@ runs:
          --head "${NEW_BRANCH}" \
          --base "${BASE_BRANCH}" \
          --title "${pr_title}" \
+          --label "Rebuild" \
          --body "${pr_body}" \
          --assignee "${GITHUB_ACTOR}" \
          --draft
@@ -16,13 +16,13 @@ runs:
      shell: bash

    - name: Set up Node
-      uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
+      uses: actions/setup-node@v6
      with:
-        node-version: 24
+        node-version: 20
        cache: 'npm'

    - name: Set up Python
-      uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
+      uses: actions/setup-python@v6
      with:
        python-version: '3.12'

@@ -16,27 +16,12 @@ No user facing changes.
 """

 # NB: This exact commit message is used to find commits for reverting during backports.
-# Changing it requires a transition period where both old and new versions are supported.
+# Changing it requires a transition period where both old and new versions are supported.
 BACKPORT_COMMIT_MESSAGE = 'Update version and changelog for v'

-# Commit message used for rebuild commits, both those produced by this script and those produced
-# by the `Rebuild Action` workflow (`.github/workflows/rebuild.yml`).
-REBUILD_COMMIT_MESSAGE = 'Rebuild'
-
 # Name of the remote
 ORIGIN = 'origin'

-# Environment variables to check for a GitHub API token.
-TOKEN_ENVIRONMENT_VARIABLES = ('GH_TOKEN', 'GITHUB_TOKEN')
-
-# Gets a GitHub API token from one of the supported environment variables.
-def get_github_token():
-  for variable_name in TOKEN_ENVIRONMENT_VARIABLES:
-    token = os.environ.get(variable_name, '').strip()
-    if token:
-      return token
-  raise Exception('Missing GitHub token. Set GITHUB_TOKEN or GH_TOKEN.')
-
 # Runs git with the given args and returns the stdout.
 # Raises an error if git does not exit successfully (unless passed
 # allow_non_zero_exit_code=True).
@@ -47,28 +32,6 @@ def run_git(*args, allow_non_zero_exit_code=False):
    raise Exception(f'Call to {" ".join(cmd)} exited with code {p.returncode} stderr: {p.stderr.decode("ascii")}.')
  return p.stdout.decode('ascii')

-# Runs the given command, streaming output to the console.
-# Raises an error if the command does not exit successfully.
-def run_command(*args):
-  cmd = list(args)
-  print(f'Running `{" ".join(cmd)}`.')
-  subprocess.run(cmd, check=True)
-
-# Rebuilds the action and commits any changes.
-def rebuild_action():
-  # For backports, the only source-level change vs the source branch is the new version number,
-  # so we just need to refresh the version embedded in `lib/`.
-  run_command('npm', 'ci')
-  run_command('npm', 'run', 'build')
-
-  run_git('add', '--all')
-  # `git diff --cached --quiet` exits 0 if there are no staged changes, 1 if there are.
-  if subprocess.run(['git', 'diff', '--cached', '--quiet']).returncode == 0:
-    print('Rebuild produced no changes; skipping Rebuild commit.')
-  else:
-    run_git('commit', '-m', REBUILD_COMMIT_MESSAGE)
-    print('Created Rebuild commit.')
-
 # Returns true if the given branch exists on the origin remote
 def branch_exists_on_remote(branch_name):
  return run_git('ls-remote', '--heads', ORIGIN, branch_name).strip() != ''
@@ -124,11 +87,9 @@ def open_pr(
  body.append('Please do the following:')
  if len(conflicted_files) > 0:
    body.append(' - [ ] Ensure `package.json` file contains the correct version.')
-    body.append(' - [ ] Add a commit to this branch to resolve the merge conflicts ' +
+    body.append(' - [ ] Add commits to this branch to resolve the merge conflicts ' +
      'in the following files:')
-    body.extend([f'    - `{file}`' for file in conflicted_files])
-    body.append(' - [ ] Rebuild the Action locally (`npm run build`) and push any changes to the ' +
-      f'built output in `lib` as a separate commit named exactly `{REBUILD_COMMIT_MESSAGE}`.')
+    body.extend([f'    - [ ] `{file}`' for file in conflicted_files])
    body.append(' - [ ] Ensure another maintainer has reviewed the additional commits you added to this ' +
      'branch to resolve the merge conflicts.')
  body.append(' - [ ] Ensure the CHANGELOG displays the correct version and date.')
@@ -136,6 +97,10 @@ def open_pr(
  body.append(f' - [ ] Check that there are not any unexpected commits being merged into the `{target_branch}` branch.')
  body.append(' - [ ] Ensure the docs team is aware of any documentation changes that need to be released.')

+  if not is_primary_release:
+    body.append(' - [ ] Remove and re-add the "Rebuild" label to the PR to trigger just this workflow.')
+    body.append(' - [ ] Wait for the "Rebuild" workflow to push a commit updating the distribution files.')
+
  body.append(' - [ ] Mark the PR as ready for review to trigger the full set of PR checks.')
  body.append(' - [ ] Approve and merge this PR. Make sure `Create a merge commit` is selected rather than `Squash and merge` or `Rebase and merge`.')

@@ -144,11 +109,13 @@ def open_pr(
    body.append(' - [ ] Merge all backport PRs to older release branches, that will automatically be created once this PR is merged.')

  title = f'Merge {source_branch} into {target_branch}'
+  labels = ['Rebuild'] if not is_primary_release else []

  # Create the pull request
  # PR checks won't be triggered on PRs created by Actions. Therefore mark the PR as draft so that
  # a maintainer can take the PR out of draft, thereby triggering the PR checks.
  pr = repo.create_pull(title=title, body='\n'.join(body), head=new_branch_name, base=target_branch, draft=True)
+  pr.add_to_labels(*labels)
  print(f'Created PR #{str(pr.number)}')

  # Assign the conductor
@@ -303,6 +270,12 @@ def update_changelog(version):
 def main():
  parser = argparse.ArgumentParser('update-release-branch.py')

+  parser.add_argument(
+    '--github-token',
+    type=str,
+    required=True,
+    help='GitHub token, typically from GitHub Actions.'
+  )
  parser.add_argument(
    '--repository-nwo',
    type=str,
@@ -340,7 +313,7 @@ def main():
  target_branch = args.target_branch
  is_primary_release = args.is_primary_release

-  repo = Github(get_github_token()).get_repo(args.repository_nwo)
+  repo = Github(args.github_token).get_repo(args.repository_nwo)

  # the target branch will be of the form releases/vN, where N is the major version number
  target_branch_major_version = target_branch.strip('releases/v')
@@ -407,9 +380,8 @@ def main():
      # releases.
      run_git('revert', vOlder_update_commits[0], '--no-edit')

-      # Also revert the "Rebuild" commit, whether created by this script or by the
-      # `Rebuild Action` workflow.
-      rebuild_commit = run_git('log', '--grep', f'^{REBUILD_COMMIT_MESSAGE}$', '--format=%H').split()[0]
+      # Also revert the "Rebuild" commit created by Actions.
+      rebuild_commit = run_git('log', '--grep', '^Rebuild$', '--format=%H').split()[0]
      print(f'  Reverting {rebuild_commit}')
      run_git('revert', rebuild_commit, '--no-edit')

@@ -424,10 +396,9 @@ def main():
      run_git('add', '.')
      run_git('commit', '--no-edit')

-    # Migrate the package version number from a vLatest version number to a vOlder version number.
-    # `package-lock.json` is updated as part of the subsequent rebuild step (see `rebuild_action`).
+    # Migrate the package version number from a vLatest version number to a vOlder version number
    print(f'Setting version number to {version} in package.json')
-    replace_version_package_json(get_current_version(), version)
+    replace_version_package_json(get_current_version(), version) # We rely on the `Rebuild` workflow to update package-lock.json
    run_git('add', 'package.json')

    # Migrate the changelog notes from vLatest version numbers to vOlder version numbers
@@ -450,13 +421,6 @@ def main():
    run_git('add', 'CHANGELOG.md')
    run_git('commit', '-m', f'Update changelog for v{version}')

-  if not is_primary_release:
-    if len(conflicted_files) == 0:
-      print('Rebuilding the Action.')
-      rebuild_action()
-    else:
-      print(f'Skipping automatic rebuild because the merge produced conflicts in {conflicted_files}.')
-
  run_git('push', ORIGIN, new_branch_name)

  # Open a PR to update the branch
@@ -74,13 +74,13 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@v6
      - name: Install .NET
-        uses: actions/setup-dotnet@9a946fdbd5fb07b82b2f5a4466058b876ab72bb2 # v5.3.0
+        uses: actions/setup-dotnet@v5
        with:
          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - name: Install Go
-        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
+        uses: actions/setup-go@v6
        with:
          go-version: ${{ inputs.go-version || '>=1.21.0' }}
          cache: false
@@ -72,7 +72,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@v6
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -92,7 +92,7 @@ jobs:
          post-processed-sarif-path: '${{ runner.temp }}/post-processed'

      - name: Upload SARIF files
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+        uses: actions/upload-artifact@v7
        with:
          name: |
            analysis-kinds-${{ matrix.os }}-${{ matrix.version }}-${{ matrix.analysis-kinds }}
@@ -100,7 +100,7 @@ jobs:
          retention-days: 7

      - name: Upload post-processed SARIF
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+        uses: actions/upload-artifact@v7
        with:
          name: |
            post-processed-${{ matrix.os }}-${{ matrix.version }}-${{ matrix.analysis-kinds }}
@@ -110,7 +110,7 @@ jobs:

      - name: Check quality query does not appear in security SARIF
        if: contains(matrix.analysis-kinds, 'code-scanning')
-        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
+        uses: actions/github-script@v8
        env:
          SARIF_PATH: '${{ runner.temp }}/results/javascript.sarif'
          EXPECT_PRESENT: 'false'
@@ -118,7 +118,7 @@ jobs:
          script: ${{ env.CHECK_SCRIPT }}
      - name: Check quality query appears in quality SARIF
        if: contains(matrix.analysis-kinds, 'code-quality')
-        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
+        uses: actions/github-script@v8
        env:
          SARIF_PATH: '${{ runner.temp }}/results/javascript.quality.sarif'
          EXPECT_PRESENT: 'true'
@@ -70,13 +70,13 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@v6
      - name: Install .NET
-        uses: actions/setup-dotnet@9a946fdbd5fb07b82b2f5a4466058b876ab72bb2 # v5.3.0
+        uses: actions/setup-dotnet@v5
        with:
          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - name: Install Go
-        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
+        uses: actions/setup-go@v6
        with:
          go-version: ${{ inputs.go-version || '>=1.21.0' }}
          cache: false
@@ -64,9 +64,9 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@v6
      - name: Install .NET
-        uses: actions/setup-dotnet@9a946fdbd5fb07b82b2f5a4466058b876ab72bb2 # v5.3.0
+        uses: actions/setup-dotnet@v5
        with:
          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - name: Prepare test
@@ -66,9 +66,9 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@v6
      - name: Install Java
-        uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0
+        uses: actions/setup-java@v5
        with:
          java-version: ${{ inputs.java-version || '17' }}
          distribution: temurin
@@ -50,7 +50,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@v6
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -66,9 +66,9 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@v6
      - name: Install Java
-        uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0
+        uses: actions/setup-java@v5
        with:
          java-version: ${{ inputs.java-version || '17' }}
          distribution: temurin
@@ -70,13 +70,13 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@v6
      - name: Install .NET
-        uses: actions/setup-dotnet@9a946fdbd5fb07b82b2f5a4466058b876ab72bb2 # v5.3.0
+        uses: actions/setup-dotnet@v5
        with:
          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - name: Install Go
-        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
+        uses: actions/setup-go@v6
        with:
          go-version: ${{ inputs.go-version || '>=1.21.0' }}
          cache: false
@@ -52,7 +52,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@v6
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -50,7 +50,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@v6
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -50,7 +50,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@v6
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -50,7 +50,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@v6
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -62,7 +62,7 @@ jobs:
        run: npm install @actions/tool-cache@3
      - name: Check toolcache contains CodeQL
        continue-on-error: true
-        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
+        uses: actions/github-script@v8
        with:
          script: |
            const toolcache = require('@actions/tool-cache');
@@ -75,7 +75,7 @@ jobs:
        with:
          tools: ${{ steps.prepare-test.outputs.tools-url }}
      - name: Check CodeQL is installed within the toolcache
-        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
+        uses: actions/github-script@v8
        with:
          script: |
            const toolcache = require('@actions/tool-cache');
@@ -54,7 +54,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@v6
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -63,7 +63,7 @@ jobs:
          use-all-platform-bundle: 'false'
          setup-kotlin: 'true'
      - name: Remove CodeQL from toolcache
-        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
+        uses: actions/github-script@v8
        with:
          script: |
            const fs = require('fs');
@@ -73,7 +73,7 @@ jobs:
      - name: Install @actions/tool-cache
        run: npm install @actions/tool-cache@3
      - name: Check toolcache does not contain CodeQL
-        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
+        uses: actions/github-script@v8
        with:
          script: |
            const toolcache = require('@actions/tool-cache');
@@ -92,7 +92,7 @@ jobs:
          output: ${{ runner.temp }}/results
          upload-database: false
      - name: Check CodeQL is installed within the toolcache
-        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
+        uses: actions/github-script@v8
        with:
          script: |
            const toolcache = require('@actions/tool-cache');
@@ -54,7 +54,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@v6
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -63,7 +63,7 @@ jobs:
          use-all-platform-bundle: 'false'
          setup-kotlin: 'true'
      - name: Remove CodeQL from toolcache
-        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
+        uses: actions/github-script@v8
        with:
          script: |
            const fs = require('fs');
@@ -82,13 +82,13 @@ jobs:
          output: ${{ runner.temp }}/results
          upload-database: false
      - name: Upload SARIF
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+        uses: actions/upload-artifact@v7
        with:
          name: ${{ matrix.os }}-zstd-bundle.sarif
          path: ${{ runner.temp }}/results/javascript.sarif
          retention-days: 7
      - name: Check diagnostic with expected tools URL appears in SARIF
-        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
+        uses: actions/github-script@v8
        env:
          SARIF_PATH: ${{ runner.temp }}/results/javascript.sarif
        with:
@@ -50,7 +50,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@v6
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -52,7 +52,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@v6
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -70,13 +70,13 @@ jobs:
          output: '${{ runner.temp }}/results'
          upload-database: false
      - name: Upload SARIF
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+        uses: actions/upload-artifact@v7
        with:
          name: config-export-${{ matrix.os }}-${{ matrix.version }}.sarif.json
          path: '${{ runner.temp }}/results/javascript.sarif'
          retention-days: 7
      - name: Check config properties appear in SARIF
-        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
+        uses: actions/github-script@v8
        env:
          SARIF_PATH: '${{ runner.temp }}/results/javascript.sarif'
        with:
@@ -50,9 +50,9 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@v6
      - name: Install Node.js
-        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
+        uses: actions/setup-node@v6
        with:
          node-version: 20.x
          cache: npm
@@ -54,7 +54,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@v6
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -52,7 +52,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@v6
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -54,7 +54,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@v6
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -52,7 +52,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@v6
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -81,13 +81,13 @@ jobs:
          output: '${{ runner.temp }}/results'
          upload-database: false
      - name: Upload SARIF
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+        uses: actions/upload-artifact@v7
        with:
          name: diagnostics-export-${{ matrix.os }}-${{ matrix.version }}.sarif.json
          path: '${{ runner.temp }}/results/javascript.sarif'
          retention-days: 7
      - name: Check diagnostics appear in SARIF
-        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
+        uses: actions/github-script@v8
        env:
          SARIF_PATH: '${{ runner.temp }}/results/javascript.sarif'
        with:
@@ -74,13 +74,13 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@v6
      - name: Install .NET
-        uses: actions/setup-dotnet@9a946fdbd5fb07b82b2f5a4466058b876ab72bb2 # v5.3.0
+        uses: actions/setup-dotnet@v5
        with:
          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - name: Install Go
-        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
+        uses: actions/setup-go@v6
        with:
          go-version: ${{ inputs.go-version || '>=1.21.0' }}
          cache: false
@@ -102,7 +102,7 @@ jobs:
        with:
          output: '${{ runner.temp }}/results'
      - name: Upload SARIF
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+        uses: actions/upload-artifact@v7
        with:
          name: with-baseline-information-${{ matrix.os }}-${{ matrix.version }}.sarif.json
          path: '${{ runner.temp }}/results/javascript.sarif'
@@ -50,7 +50,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@v6
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -52,7 +52,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@v6
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -72,13 +72,13 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@v6
      - name: Install .NET
-        uses: actions/setup-dotnet@9a946fdbd5fb07b82b2f5a4466058b876ab72bb2 # v5.3.0
+        uses: actions/setup-dotnet@v5
        with:
          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - name: Install Go
-        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
+        uses: actions/setup-go@v6
        with:
          go-version: ${{ inputs.go-version || '>=1.21.0' }}
          cache: false
@@ -60,9 +60,9 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@v6
      - name: Install Go
-        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
+        uses: actions/setup-go@v6
        with:
          go-version: ${{ inputs.go-version || '>=1.21.0' }}
          cache: false
@@ -78,7 +78,7 @@ jobs:
          languages: go
          tools: ${{ steps.prepare-test.outputs.tools-url }}
      # Deliberately change Go after the `init` step
-      - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
+      - uses: actions/setup-go@v6
        with:
          go-version: '1.20'
      - name: Build code
@@ -88,7 +88,7 @@ jobs:
          output: '${{ runner.temp }}/results'
          upload-database: false
      - name: Check diagnostic appears in SARIF
-        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
+        uses: actions/github-script@v8
        env:
          SARIF_PATH: '${{ runner.temp }}/results/go.sarif'
        with:
@@ -60,9 +60,9 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@v6
      - name: Install Go
-        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
+        uses: actions/setup-go@v6
        with:
          go-version: ${{ inputs.go-version || '>=1.21.0' }}
          cache: false
@@ -89,7 +89,7 @@ jobs:
          output: '${{ runner.temp }}/results'
          upload-database: false
      - name: Check diagnostic appears in SARIF
-        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
+        uses: actions/github-script@v8
        env:
          SARIF_PATH: '${{ runner.temp }}/results/go.sarif'
        with:
@@ -60,9 +60,9 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@v6
      - name: Install Go
-        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
+        uses: actions/setup-go@v6
        with:
          go-version: ${{ inputs.go-version || '>=1.21.0' }}
          cache: false
@@ -49,6 +49,10 @@ jobs:
      fail-fast: false
      matrix:
        include:
+          - os: ubuntu-latest
+            version: stable-v2.17.6
+          - os: ubuntu-latest
+            version: stable-v2.18.4
          - os: ubuntu-latest
            version: stable-v2.19.4
          - os: ubuntu-latest
@@ -57,10 +61,6 @@ jobs:
            version: stable-v2.21.4
          - os: ubuntu-latest
            version: stable-v2.22.4
-          - os: ubuntu-latest
-            version: stable-v2.23.9
-          - os: ubuntu-latest
-            version: stable-v2.24.3
          - os: ubuntu-latest
            version: default
          - os: ubuntu-latest
@@ -80,9 +80,9 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@v6
      - name: Install Go
-        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
+        uses: actions/setup-go@v6
        with:
          go-version: ${{ inputs.go-version || '>=1.21.0' }}
          cache: false
@@ -49,6 +49,10 @@ jobs:
      fail-fast: false
      matrix:
        include:
+          - os: ubuntu-latest
+            version: stable-v2.17.6
+          - os: ubuntu-latest
+            version: stable-v2.18.4
          - os: ubuntu-latest
            version: stable-v2.19.4
          - os: ubuntu-latest
@@ -57,10 +61,6 @@ jobs:
            version: stable-v2.21.4
          - os: ubuntu-latest
            version: stable-v2.22.4
-          - os: ubuntu-latest
-            version: stable-v2.23.9
-          - os: ubuntu-latest
-            version: stable-v2.24.3
          - os: ubuntu-latest
            version: default
          - os: ubuntu-latest
@@ -80,9 +80,9 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@v6
      - name: Install Go
-        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
+        uses: actions/setup-go@v6
        with:
          go-version: ${{ inputs.go-version || '>=1.21.0' }}
          cache: false
@@ -49,6 +49,10 @@ jobs:
      fail-fast: false
      matrix:
        include:
+          - os: ubuntu-latest
+            version: stable-v2.17.6
+          - os: ubuntu-latest
+            version: stable-v2.18.4
          - os: ubuntu-latest
            version: stable-v2.19.4
          - os: ubuntu-latest
@@ -57,10 +61,6 @@ jobs:
            version: stable-v2.21.4
          - os: ubuntu-latest
            version: stable-v2.22.4
-          - os: ubuntu-latest
-            version: stable-v2.23.9
-          - os: ubuntu-latest
-            version: stable-v2.24.3
          - os: ubuntu-latest
            version: default
          - os: ubuntu-latest
@@ -80,9 +80,9 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@v6
      - name: Install Go
-        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
+        uses: actions/setup-go@v6
        with:
          go-version: ${{ inputs.go-version || '>=1.21.0' }}
          cache: false
@@ -54,7 +54,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@v6
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -54,7 +54,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@v6
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -50,7 +50,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@v6
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -67,7 +67,7 @@ jobs:
        with:
          output: '${{ runner.temp }}/results'
      - name: Upload SARIF
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+        uses: actions/upload-artifact@v7
        with:
          name: ${{ matrix.os }}-${{ matrix.version }}.sarif.json
          path: '${{ runner.temp }}/results/javascript.sarif'
@@ -50,7 +50,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@v6
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -70,13 +70,13 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@v6
      - name: Install .NET
-        uses: actions/setup-dotnet@9a946fdbd5fb07b82b2f5a4466058b876ab72bb2 # v5.3.0
+        uses: actions/setup-dotnet@v5
        with:
          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - name: Install Go
-        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
+        uses: actions/setup-go@v6
        with:
          go-version: ${{ inputs.go-version || '>=1.21.0' }}
          cache: false
@@ -59,41 +59,41 @@ jobs:
      fail-fast: false
      matrix:
        include:
+          - os: ubuntu-latest
+            version: stable-v2.17.6
+          - os: macos-latest
+            version: stable-v2.17.6
+          - os: ubuntu-latest
+            version: stable-v2.18.4
+          - os: macos-latest
+            version: stable-v2.18.4
          - os: ubuntu-latest
            version: stable-v2.19.4
-          - os: macos-latest-xlarge
+          - os: macos-latest
            version: stable-v2.19.4
          - os: ubuntu-latest
            version: stable-v2.20.7
-          - os: macos-latest-xlarge
+          - os: macos-latest
            version: stable-v2.20.7
          - os: ubuntu-latest
            version: stable-v2.21.4
-          - os: macos-latest-xlarge
+          - os: macos-latest
            version: stable-v2.21.4
          - os: ubuntu-latest
            version: stable-v2.22.4
-          - os: macos-latest-xlarge
+          - os: macos-latest
            version: stable-v2.22.4
-          - os: ubuntu-latest
-            version: stable-v2.23.9
-          - os: macos-latest-xlarge
-            version: stable-v2.23.9
-          - os: ubuntu-latest
-            version: stable-v2.24.3
-          - os: macos-latest-xlarge
-            version: stable-v2.24.3
          - os: ubuntu-latest
            version: default
-          - os: macos-latest-xlarge
+          - os: macos-latest
            version: default
          - os: ubuntu-latest
            version: linked
-          - os: macos-latest-xlarge
+          - os: macos-latest
            version: linked
          - os: ubuntu-latest
            version: nightly-latest
-          - os: macos-latest-xlarge
+          - os: macos-latest
            version: nightly-latest
    name: Multi-language repository
    if: github.triggering_actor != 'dependabot[bot]'
@@ -104,13 +104,13 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@v6
      - name: Install .NET
-        uses: actions/setup-dotnet@9a946fdbd5fb07b82b2f5a4466058b876ab72bb2 # v5.3.0
+        uses: actions/setup-dotnet@v5
        with:
          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - name: Install Go
-        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
+        uses: actions/setup-go@v6
        with:
          go-version: ${{ inputs.go-version || '>=1.21.0' }}
          cache: false
@@ -125,7 +125,7 @@ jobs:
        # We need Python 3.13 for older CLI versions because they are not compatible with Python 3.14 or newer.
        # See https://github.com/github/codeql-action/pull/3212
        if: matrix.version != 'nightly-latest' && matrix.version != 'linked'
-        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
+        uses: actions/setup-python@v6
        with:
          python-version: '3.13'

@@ -52,7 +52,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@v6
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -74,18 +74,18 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@v6
      - name: Install .NET
-        uses: actions/setup-dotnet@9a946fdbd5fb07b82b2f5a4466058b876ab72bb2 # v5.3.0
+        uses: actions/setup-dotnet@v5
        with:
          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - name: Install Go
-        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
+        uses: actions/setup-go@v6
        with:
          go-version: ${{ inputs.go-version || '>=1.21.0' }}
          cache: false
      - name: Install Node.js
-        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
+        uses: actions/setup-node@v6
        with:
          node-version: 20.x
          cache: npm
@@ -74,18 +74,18 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@v6
      - name: Install .NET
-        uses: actions/setup-dotnet@9a946fdbd5fb07b82b2f5a4466058b876ab72bb2 # v5.3.0
+        uses: actions/setup-dotnet@v5
        with:
          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - name: Install Go
-        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
+        uses: actions/setup-go@v6
        with:
          go-version: ${{ inputs.go-version || '>=1.21.0' }}
          cache: false
      - name: Install Node.js
-        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
+        uses: actions/setup-node@v6
        with:
          node-version: 20.x
          cache: npm
@@ -74,18 +74,18 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@v6
      - name: Install .NET
-        uses: actions/setup-dotnet@9a946fdbd5fb07b82b2f5a4466058b876ab72bb2 # v5.3.0
+        uses: actions/setup-dotnet@v5
        with:
          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - name: Install Go
-        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
+        uses: actions/setup-go@v6
        with:
          go-version: ${{ inputs.go-version || '>=1.21.0' }}
          cache: false
      - name: Install Node.js
-        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
+        uses: actions/setup-node@v6
        with:
          node-version: 20.x
          cache: npm
@@ -74,18 +74,18 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@v6
      - name: Install .NET
-        uses: actions/setup-dotnet@9a946fdbd5fb07b82b2f5a4466058b876ab72bb2 # v5.3.0
+        uses: actions/setup-dotnet@v5
        with:
          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - name: Install Go
-        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
+        uses: actions/setup-go@v6
        with:
          go-version: ${{ inputs.go-version || '>=1.21.0' }}
          cache: false
      - name: Install Node.js
-        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
+        uses: actions/setup-node@v6
        with:
          node-version: 20.x
          cache: npm
@@ -72,13 +72,13 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@v6
      - name: Install .NET
-        uses: actions/setup-dotnet@9a946fdbd5fb07b82b2f5a4466058b876ab72bb2 # v5.3.0
+        uses: actions/setup-dotnet@v5
        with:
          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - name: Install Go
-        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
+        uses: actions/setup-go@v6
        with:
          go-version: ${{ inputs.go-version || '>=1.21.0' }}
          cache: false
@@ -54,7 +54,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@v6
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -50,7 +50,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@v6
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -59,7 +59,7 @@ jobs:
          use-all-platform-bundle: 'false'
          setup-kotlin: 'true'
      - name: Set up Ruby
-        uses: ruby/setup-ruby@afeafc3d1ab54a631816aba4c914a0081c12ff2f # v1.310.0
+        uses: ruby/setup-ruby@0cb964fd540e0a24c900370abf38a33466142735 # v1.305.0
        with:
          ruby-version: 2.6
      - name: Install Code Scanning integration
@@ -60,7 +60,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@v6
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -40,7 +40,7 @@ jobs:
      matrix:
        include:
          - os: ubuntu-latest
-            version: stable-v2.19.4
+            version: stable-v2.19.3
          - os: ubuntu-latest
            version: stable-v2.22.1
          - os: ubuntu-latest
@@ -58,7 +58,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@v6
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -80,13 +80,13 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@v6
      - name: Install .NET
-        uses: actions/setup-dotnet@9a946fdbd5fb07b82b2f5a4466058b876ab72bb2 # v5.3.0
+        uses: actions/setup-dotnet@v5
        with:
          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - name: Install Go
-        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
+        uses: actions/setup-go@v6
        with:
          go-version: ${{ inputs.go-version || '>=1.21.0' }}
          cache: false
@@ -54,7 +54,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@v6
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -54,7 +54,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@v6
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -62,7 +62,7 @@ jobs:
          version: ${{ matrix.version }}
          use-all-platform-bundle: 'false'
          setup-kotlin: 'true'
-      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+      - uses: actions/checkout@v6
      - uses: ./init
        with:
          languages: javascript
@@ -39,7 +39,7 @@ jobs:
      fail-fast: false
      matrix:
        include:
-          - os: macos-latest-xlarge
+          - os: macos-latest
            version: nightly-latest
    name: Swift analysis using autobuild
    if: github.triggering_actor != 'dependabot[bot]'
@@ -50,7 +50,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@v6
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -74,13 +74,13 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@v6
      - name: Install .NET
-        uses: actions/setup-dotnet@9a946fdbd5fb07b82b2f5a4466058b876ab72bb2 # v5.3.0
+        uses: actions/setup-dotnet@v5
        with:
          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - name: Install Go
-        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
+        uses: actions/setup-go@v6
        with:
          go-version: ${{ inputs.go-version || '>=1.21.0' }}
          cache: false
@@ -72,13 +72,13 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@v6
      - name: Install .NET
-        uses: actions/setup-dotnet@9a946fdbd5fb07b82b2f5a4466058b876ab72bb2 # v5.3.0
+        uses: actions/setup-dotnet@v5
        with:
          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - name: Install Go
-        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
+        uses: actions/setup-go@v6
        with:
          go-version: ${{ inputs.go-version || '>=1.21.0' }}
          cache: false
@@ -70,13 +70,13 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@v6
      - name: Install .NET
-        uses: actions/setup-dotnet@9a946fdbd5fb07b82b2f5a4466058b876ab72bb2 # v5.3.0
+        uses: actions/setup-dotnet@v5
        with:
          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - name: Install Go
-        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
+        uses: actions/setup-go@v6
        with:
          go-version: ${{ inputs.go-version || '>=1.21.0' }}
          cache: false
@@ -77,13 +77,13 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@v6
      - name: Install .NET
-        uses: actions/setup-dotnet@9a946fdbd5fb07b82b2f5a4466058b876ab72bb2 # v5.3.0
+        uses: actions/setup-dotnet@v5
        with:
          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - name: Install Go
-        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
+        uses: actions/setup-go@v6
        with:
          go-version: ${{ inputs.go-version || '>=1.21.0' }}
          cache: false
@@ -71,13 +71,13 @@ jobs:
    steps:
      # This ensures we don't accidentally use the original checkout for any part of the test.
      - name: Check out repository
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@v6
      - name: Install .NET
-        uses: actions/setup-dotnet@9a946fdbd5fb07b82b2f5a4466058b876ab72bb2 # v5.3.0
+        uses: actions/setup-dotnet@v5
        with:
          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - name: Install Go
-        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
+        uses: actions/setup-go@v6
        with:
          go-version: ${{ inputs.go-version || '>=1.21.0' }}
          cache: false
@@ -96,7 +96,7 @@ jobs:
          rm -rf ./* .github .git
      # Check out the actions repo again, but at a different location.
      # choose an arbitrary SHA so that we can later test that the commit_oid is not from main
-      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+      - uses: actions/checkout@v6
        with:
          ref: 474bbf07f9247ffe1856c6a0f94aeeb10e7afee6
          path: x/y/z/some-path
@@ -9,10 +9,6 @@ on:
    # by other workflows.
    types: [opened, synchronize, reopened, ready_for_review]

-concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: ${{ github.workflow }}-${{ github.ref }}
-
 defaults:
  run:
    shell: bash
@@ -26,7 +22,7 @@ jobs:

    steps:
      - name: Checkout CodeQL Action
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@v6
      - name: Check Expected Release Files
        run: |
          bundle_version="$(cat "./src/defaults.json" | jq -r ".bundleVersion")"
@@ -35,7 +35,7 @@ jobs:
      security-events: read

    steps:
-    - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+    - uses: actions/checkout@v6
    - name: Set up default CodeQL bundle
      id: setup-default
      uses: ./setup-codeql
@@ -77,7 +77,7 @@ jobs:
    strategy:
      fail-fast: false
      matrix:
-        os: [ubuntu-22.04,ubuntu-24.04,windows-2022,windows-2025,macos-14-xlarge,macos-15-xlarge]
+        os: [ubuntu-22.04,ubuntu-24.04,windows-2022,windows-2025,macos-14,macos-15]
        tools: ${{ fromJson(needs.check-codeql-versions.outputs.versions) }}
    runs-on: ${{ matrix.os }}

@@ -87,7 +87,7 @@ jobs:

    steps:
    - name: Checkout
-      uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+      uses: actions/checkout@v6
    - name: Initialize CodeQL
      uses: ./init
      id: init
@@ -124,7 +124,7 @@ jobs:

    steps:
    - name: Checkout
-      uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+      uses: actions/checkout@v6
    - name: Initialize CodeQL
      uses: ./init
      with:
@@ -6,6 +6,13 @@ env:
  # Diff informed queries add an additional query filter which is not yet
  # taken into account by these tests.
  CODEQL_ACTION_DIFF_INFORMED_QUERIES: false
+  # Specify overlay enablement manually to ensure stability around the exclude-from-incremental
+  # query filter. Here we only enable for the default code scanning suite.
+  CODEQL_ACTION_OVERLAY_ANALYSIS: true
+  CODEQL_ACTION_OVERLAY_ANALYSIS_JAVASCRIPT: false
+  CODEQL_ACTION_OVERLAY_ANALYSIS_CODE_SCANNING_JAVASCRIPT: true
+  CODEQL_ACTION_OVERLAY_ANALYSIS_STATUS_CHECK: false
+  CODEQL_ACTION_OVERLAY_ANALYSIS_SKIP_RESOURCE_CHECKS: true

 on:
  push:
@@ -24,10 +31,6 @@ on:
    - cron: '0 5 * * *'
  workflow_dispatch:

-concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: ${{ github.workflow }}-${{ github.ref }}
-
 defaults:
  run:
    shell: bash
@@ -59,10 +62,10 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
    - name: Check out repository
-      uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+      uses: actions/checkout@v6

    - name: Set up Node.js
-      uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
+      uses: actions/setup-node@v6
      with:
        node-version: 24
        cache: 'npm'
@@ -76,13 +79,33 @@ jobs:
      with:
        version: ${{ matrix.version }}

-    - name: Empty file
+    # On PRs, overlay analysis may change the config that is passed to the CLI.
+    # Therefore, we have two variants of the following test, one for PRs and one for other events.
+    - name: Empty file (non-PR)
+      if: github.event_name != 'pull_request'
      uses: ./../action/.github/actions/check-codescanning-config
      with:
        expected-config-file-contents: "{}"
        languages: javascript
        tools: ${{ steps.prepare-test.outputs.tools-url }}

+    - name: Empty file (PR)
+      if: github.event_name == 'pull_request'
+      uses: ./../action/.github/actions/check-codescanning-config
+      with:
+        expected-config-file-contents: |
+          {
+            "query-filters": [
+              {
+                "exclude": {
+                  "tags": "exclude-from-incremental"
+                }
+              }
+            ]
+          }
+        languages: javascript
+        tools: ${{ steps.prepare-test.outputs.tools-url }}
+
    - name: Packs from input
      if: success() || failure()
      uses: ./../action/.github/actions/check-codescanning-config
@@ -20,10 +20,6 @@ on:
    - cron: '0 5 * * *'
  workflow_dispatch:

-concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: ${{ github.workflow }}-${{ github.ref }}
-
 defaults:
  run:
    shell: bash
@@ -53,17 +49,17 @@ jobs:
      - name: Dump GitHub event
        run: cat "${GITHUB_EVENT_PATH}"
      - name: Check out repository
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@v6
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
        with:
          version: ${{ matrix.version }}
-      - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
+      - uses: actions/setup-go@v6
        with:
          go-version: ^1.13.1
      - name: Install .NET
-        uses: actions/setup-dotnet@9a946fdbd5fb07b82b2f5a4466058b876ab72bb2 # v5.3.0
+        uses: actions/setup-dotnet@v5
        with:
          dotnet-version: '9.x'
      - name: Assert best-effort artifact scan completed
@@ -94,7 +90,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Download all artifacts
-        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
+        uses: actions/download-artifact@v8
      - name: Check expected artifacts exist
        run: |
          LANGUAGES="cpp csharp go java javascript python"
@@ -19,10 +19,6 @@ on:
    - cron: '0 5 * * *'
  workflow_dispatch:

-concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: ${{ github.workflow }}-${{ github.ref }}
-
 defaults:
  run:
    shell: bash
@@ -49,17 +45,17 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Check out repository
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@v6
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
        with:
          version: ${{ matrix.version }}
-      - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
+      - uses: actions/setup-go@v6
        with:
          go-version: ^1.13.1
      - name: Install .NET
-        uses: actions/setup-dotnet@9a946fdbd5fb07b82b2f5a4466058b876ab72bb2 # v5.3.0
+        uses: actions/setup-dotnet@v5
        with:
          dotnet-version: '9.x'
      - name: Assert best-effort artifact scan completed
@@ -87,7 +83,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Download all artifacts
-        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
+        uses: actions/download-artifact@v8
      - name: Check expected artifacts exist
        run: |
          VERSIONS="stable-v2.20.3 default linked nightly-latest"
@@ -44,14 +44,11 @@ jobs:
          GITHUB_CONTEXT: '${{ toJson(github) }}'
        run: echo "${GITHUB_CONTEXT}"

-      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+      - uses: actions/checkout@v6
        with:
          fetch-depth: 0  # ensure we have all tags and can push commits
-      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
-        with:
-          node-version: 24
-          cache: 'npm'
-      - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
+      - uses: actions/setup-node@v6
+      - uses: actions/setup-python@v6
        with:
          python-version: '3.12'

@@ -134,7 +131,7 @@ jobs:
          echo "::endgroup::"

      - name: Generate token
-        uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
+        uses: actions/create-github-app-token@v3.1.1
        id: app-token
        with:
          app-id: ${{ vars.AUTOMATION_APP_ID }}
@@ -10,10 +10,6 @@ on:
    types: [checks_requested]
  workflow_dispatch:

-concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: ${{ github.workflow }}-${{ github.ref }}
-
 defaults:
  run:
    shell: bash
@@ -33,19 +29,15 @@ jobs:
    runs-on: ${{ matrix.os }}
    timeout-minutes: 45

-    concurrency:
-      cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-      group: pr-checks-unit-tests-${{ github.ref }}-${{ github.event_name }}-${{ matrix.os }}-node${{ matrix['node-version'] }}
-
    steps:
      - name: Prepare git (Windows)
        if: runner.os == 'Windows'
        run: git config --global core.autocrlf false

-      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+      - uses: actions/checkout@v6

      - name: Set up Node.js
-        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
+        uses: actions/setup-node@v6
        with:
          node-version: ${{ matrix.node-version }}
          cache: 'npm'
@@ -75,47 +67,60 @@ jobs:
          sarif_file: eslint.sarif
          category: eslint

-  # These checks do not need to be run as part of the same matrix that we use for the `unit-tests`
-  # job.
-  other-checks:
-    name: Other checks
+  # Verifying the PR checks are up-to-date requires Node 24. The PR checks are not dependent
+  # on the main codebase and therefore do not need to be run as part of the same matrix that
+  # we use for the `unit-tests` job.
+  verify-pr-checks:
+    name: Verify PR checks
    if: github.triggering_actor != 'dependabot[bot]'
    permissions:
      contents: read
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-slim
    timeout-minutes: 10

-    concurrency:
-      cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-      group: pr-checks-pr-checks-${{ github.ref }}-${{ github.event_name }}
-
    steps:
+      - name: Prepare git (Windows)
+        if: runner.os == 'Windows'
+        run: git config --global core.autocrlf false
+
      - name: Checkout repository
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@v6

      - name: Set up Node.js
-        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
+        uses: actions/setup-node@v6
        with:
          node-version: 24
          cache: 'npm'

      - name: Install dependencies
-        id: install-deps
        run: npm ci

      - name: Verify PR checks up to date
-        if: ${{ !cancelled() && steps.install-deps.outcome == 'success' }}
+        if: always()
        run: .github/workflows/script/verify-pr-checks.sh

      - name: Run pr-checks tests
-        if: ${{ !cancelled() && steps.install-deps.outcome == 'success' }}
+        if: always()
        working-directory: pr-checks
        run: npx tsx --test

-      - name: Verify all Actions use the same Node version
-        id: head-version
+  check-node-version:
+    if: github.triggering_actor != 'dependabot[bot]'
+    name: Check Action Node versions
+    runs-on: ubuntu-latest
+    timeout-minutes: 45
+    env:
+      BASE_REF: ${{ github.base_ref }}
+
+    permissions:
+      contents: read
+
+    steps:
+      - uses: actions/checkout@v6
+      - id: head-version
+        name: Verify all Actions use the same Node version
        run: |
-          NODE_VERSION=$(find . -path "*/node_modules" -prune -o -name "action.yml" -exec yq -o=json '.runs.using' {} \; | jq -rs '[.[] | select(. != null and startswith("node"))] | unique | .[]')
+          NODE_VERSION=$(find . -name "action.yml" -exec yq -e '.runs.using' {} \; | grep node | sort | uniq)
          echo "NODE_VERSION: ${NODE_VERSION}"
          if [[ $(echo "$NODE_VERSION" | wc -l) -gt 1 ]]; then
            echo "::error::More than one node version used in 'action.yml' files."
@@ -123,111 +128,22 @@ jobs:
          fi
          echo "node_version=${NODE_VERSION}" >> $GITHUB_OUTPUT

-      - name: Fetch base commit
-        id: fetch-base
-        # Forks and Dependabot PRs don't have permission to write comments, so skip the repo size
-        # check in those cases.
-        if: >-
-          github.event_name == 'pull_request' &&
-          github.event.pull_request.head.repo.full_name == github.repository &&
-          github.event.pull_request.user.login != 'dependabot[bot]'
-        env:
-          BASE_SHA: ${{ github.event.pull_request.base.sha }}
-          HEAD_SHA: ${{ github.event.pull_request.head.sha }}
-          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        run: |
-          # Compare against the merge base so the size delta reflects only the commits actually
-          # added by this PR, ignoring any changes that have landed on the base branch since the
-          # PR branched off.
-          merge_base=$(gh api "repos/$GITHUB_REPOSITORY/compare/$BASE_SHA...$HEAD_SHA" --jq '.merge_base_commit.sha')
-          echo "merge_base=$merge_base" >> "$GITHUB_OUTPUT"
-          git fetch --no-tags --depth=1 origin "$merge_base" "$HEAD_SHA"
-
-      - name: Check repo size
-        if: steps.fetch-base.outcome == 'success'
-        working-directory: pr-checks
-        env:
-          BASE_REF: ${{ github.event.pull_request.base.ref }}
-          BASE_SHA: ${{ steps.fetch-base.outputs.merge_base }}
-          HEAD_SHA: ${{ github.event.pull_request.head.sha }}
-          RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
-        run: npx tsx check-repo-size.ts --output-dir "$RUNNER_TEMP/repo-size"
-
-      - name: Upload repo size comment
-        if: steps.fetch-base.outcome == 'success'
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
-        with:
-          name: repo-size-comment
-          path: ${{ runner.temp }}/repo-size/
-          if-no-files-found: error
-
-      - name: 'Backport: Check out base ref'
-        id: checkout-base
+      - id: checkout-base
+        name: 'Backport: Check out base ref'
        if: ${{ startsWith(github.head_ref, 'backport-') }}
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@v6
        with:
-          ref: ${{ github.base_ref }}
+          ref: ${{ env.BASE_REF }}

      - name: 'Backport: Verify Node versions unchanged'
        if: steps.checkout-base.outcome == 'success'
        env:
          HEAD_VERSION: ${{ steps.head-version.outputs.node_version }}
        run: |
-          BASE_VERSION=$(find . -path "*/node_modules" -prune -o -name "action.yml" -exec yq -o=json '.runs.using' {} \; | jq -rs '[.[] | select(. != null and startswith("node"))] | unique | .[]')
+          BASE_VERSION=$(find . -name "action.yml" -exec yq -e '.runs.using' {} \; | grep node | sort | uniq)
          echo "HEAD_VERSION: ${HEAD_VERSION}"
          echo "BASE_VERSION: ${BASE_VERSION}"
          if [[ "$BASE_VERSION" != "$HEAD_VERSION" ]]; then
            echo "::error::Cannot change the Node version of an Action in a backport PR."
            exit 1
          fi
-
-  post-repo-size-comment:
-    name: Post repo size comment
-    needs: other-checks
-    # Keep write permissions isolated from the job that checks out and tests PR code. This job only
-    # posts the candidate comment body produced by the read-only `pr-checks` job.
-    if: >-
-      github.event_name == 'pull_request' &&
-      github.event.pull_request.head.repo.full_name == github.repository &&
-      github.event.pull_request.user.login != 'dependabot[bot]' &&
-      needs.other-checks.result == 'success'
-    permissions:
-      contents: read
-      pull-requests: write
-    runs-on: ubuntu-slim
-    timeout-minutes: 10
-
-    concurrency:
-      cancel-in-progress: true
-      group: check-repo-size-${{ github.event.pull_request.number }}
-
-    steps:
-      - name: Download repo size comment
-        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
-        with:
-          name: repo-size-comment
-          path: repo-size-comment
-
-      - name: Post repo size comment
-        env:
-          COMMENT_MARKER: "<!-- repo-size-diff-bot -->"
-          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          PR_NUMBER: ${{ github.event.pull_request.number }}
-        run: |
-          significant=$(jq -r '.significant' repo-size-comment/metadata.json)
-          comment_id=$(
-            gh api "repos/$GITHUB_REPOSITORY/issues/$PR_NUMBER/comments" \
-              --paginate \
-              --jq ".[] | select(.body | contains(\"$COMMENT_MARKER\")) | .id" \
-              | head -n 1
-          )
-
-          if [[ -n "$comment_id" ]]; then
-            echo "Updating existing comment $comment_id."
-            gh api --method PATCH "repos/$GITHUB_REPOSITORY/issues/comments/$comment_id" --field body=@repo-size-comment/body.md
-          elif [[ "$significant" == "true" ]]; then
-            echo "Creating new repo size comment."
-            gh api --method POST "repos/$GITHUB_REPOSITORY/issues/$PR_NUMBER/comments" --field body=@repo-size-comment/body.md
-          else
-            echo "Skipping repo size comment because the delta is below the threshold and no sticky comment exists."
-          fi
@@ -44,7 +44,7 @@ jobs:

    steps:
      - name: Checkout repository
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@v6
        with:
          fetch-depth: 0 # Need full history for calculation of diffs

@@ -20,8 +20,8 @@ jobs:

    steps:
      - name: Checkout repository
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@v6

      - name: Publish immutable release
        id: publish
-        uses: actions/publish-immutable-action@4bc8754ffc40f27910afb20287dbbbb675a4e978 # v0.0.4
+        uses: actions/publish-immutable-action@v0.0.4
@@ -14,10 +14,6 @@ on:
    - cron: '0 0 * * 1'
  workflow_dispatch:

-concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: ${{ github.workflow }}-${{ github.ref }}
-
 defaults:
  run:
    shell: bash
@@ -35,11 +31,11 @@ jobs:
    runs-on: windows-latest

    steps:
-    - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
+    - uses: actions/setup-python@v6
      with:
        python-version: 3.12

-    - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+    - uses: actions/checkout@v6

    - name: Prepare test
      uses: ./.github/actions/prepare-test
@@ -17,10 +17,6 @@ on:
    - cron: '0 5 * * *'
  workflow_dispatch:

-concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: ${{ github.workflow }}-${{ github.ref }}
-
 defaults:
  run:
    shell: bash
@@ -35,10 +31,10 @@ jobs:
      contents: read # This permission is needed to allow the GitHub Actions workflow to read the contents of the repository.
    steps:
    - name: Check out repository
-      uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+      uses: actions/checkout@v6

    - name: Install Node.js
-      uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
+      uses: actions/setup-node@v6
      with:
        node-version: 24
        cache: npm
@@ -24,13 +24,13 @@ jobs:
      pull-requests: write # needed to comment on the PR
    steps:
      - name: Checkout
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@v6
        with:
          fetch-depth: 0
          ref: ${{ env.HEAD_REF }}

      - name: Set up Node.js
-        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
+        uses: actions/setup-node@v6
        with:
          node-version: 24
          cache: 'npm'
@@ -52,7 +52,7 @@ jobs:

    steps:
      - name: Checkout repository
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@v6
        with:
          fetch-depth: 0 # Need full history for calculation of diffs

@@ -136,7 +136,7 @@ jobs:

      - name: Generate token
        if: github.event_name == 'workflow_dispatch'
-        uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
+        uses: actions/create-github-app-token@v3.1.1
        id: app-token
        with:
          app-id: ${{ vars.AUTOMATION_APP_ID }}
@@ -18,11 +18,6 @@ on:
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
-
-concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: ${{ github.workflow }}-${{ github.ref }}
-
 defaults:
  run:
    shell: bash
@@ -43,7 +38,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
    - name: Check out repository
-      uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+      uses: actions/checkout@v6
    - name: Prepare test
      id: prepare-test
      uses: ./.github/actions/prepare-test
@@ -51,7 +46,7 @@ jobs:
        version: ${{ matrix.version }}
        use-all-platform-bundle: true
    - name: Install .NET
-      uses: actions/setup-dotnet@9a946fdbd5fb07b82b2f5a4466058b876ab72bb2 # v5.3.0
+      uses: actions/setup-dotnet@v5
      with:
        dotnet-version: '9.x'
    - id: init
@@ -33,7 +33,7 @@ jobs:
          GITHUB_CONTEXT: '${{ toJson(github) }}'
        run: echo "$GITHUB_CONTEXT"

-      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+      - uses: actions/checkout@v6

      - name: Update git config
        run: |
@@ -41,12 +41,12 @@ jobs:
          git config --global user.name "github-actions[bot]"

      - name: Set up Python
-        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
+        uses: actions/setup-python@v6
        with:
          python-version: '3.12'

      - name: Set up Node.js
-        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
+        uses: actions/setup-node@v6
        with:
          node-version: 24
          cache: 'npm'
@@ -38,7 +38,7 @@ jobs:
      contents: write # needed to push commits
      pull-requests: write # needed to create pull request
    steps:
-    - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+    - uses: actions/checkout@v6
      with:
        fetch-depth: 0  # Need full history for calculation of diffs
    - uses: ./.github/actions/release-initialise
@@ -64,12 +64,11 @@ jobs:

    - name: Update current release branch
      if: github.event_name == 'workflow_dispatch'
-      env:
-        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      run: |
        echo SOURCE_BRANCH=${REF_NAME}
        echo TARGET_BRANCH=releases/${MAJOR_VERSION}
        python .github/update-release-branch.py \
+          --github-token ${{ secrets.GITHUB_TOKEN }} \
          --repository-nwo ${{ github.repository }} \
          --source-branch '${{ env.REF_NAME }}' \
          --target-branch 'releases/${{ env.MAJOR_VERSION }}' \
@@ -94,26 +93,25 @@ jobs:
      pull-requests: write # needed to create pull request
    steps:
    - name: Generate token
-      uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
+      uses: actions/create-github-app-token@v3.1.1
      id: app-token
      with:
        app-id: ${{ vars.AUTOMATION_APP_ID }}
        private-key: ${{ secrets.AUTOMATION_PRIVATE_KEY }}

    - name: Checkout
-      uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+      uses: actions/checkout@v6
      with:
        fetch-depth: 0  # Need full history for calculation of diffs
        token: ${{ steps.app-token.outputs.token }}
    - uses: ./.github/actions/release-initialise

    - name: Update older release branch
-      env:
-        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      run: |
        echo SOURCE_BRANCH=${SOURCE_BRANCH}
        echo TARGET_BRANCH=${TARGET_BRANCH}
        python .github/update-release-branch.py \
+          --github-token ${{ secrets.GITHUB_TOKEN }} \
          --repository-nwo ${{ github.repository }} \
          --source-branch ${SOURCE_BRANCH} \
          --target-branch ${TARGET_BRANCH} \
@@ -23,13 +23,13 @@ jobs:

    steps:
      - name: Setup Python
-        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
+        uses: actions/setup-python@v6
        with:
          python-version: "3.13"
      - name: Checkout CodeQL Action
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@v6
      - name: Checkout Enterprise Releases
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@v6
        with:
          repository: github/enterprise-releases
          token: ${{ secrets.ENTERPRISE_RELEASE_TOKEN }}
@@ -19,7 +19,7 @@
    "scope": "javascript, typescript",
    "prefix": "testMacro",
    "body": [
-      "const ${1:nameMacro} = makeMacro({",
+      "const ${1:nameMacro} = test.macro({",
      "  exec: async (t: ExecutionContext<unknown>) => {},",
      "",
      "  title: (providedTitle = \"\") => `${2:common title} - \\${providedTitle}`,",
@@ -6,27 +6,6 @@ See the [releases page](https://github.com/github/codeql-action/releases) for th

 No user facing changes.

-## 4.36.1 - 02 Jun 2026
-
-No user facing changes.
-
-## 4.36.0 - 22 May 2026
-
- _Breaking change_: Bump the minimum required CodeQL bundle version to 2.19.4. [#3894](https://github.com/github/codeql-action/pull/3894)
- Add support for SHA-256 Git object IDs. [#3893](https://github.com/github/codeql-action/pull/3893)
- Update default CodeQL bundle version to [2.25.5](https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.25.5). [#3926](https://github.com/github/codeql-action/pull/3926)
-
-## 4.35.5 - 15 May 2026
-
- We have improved how the JavaScript bundles for the CodeQL Action are generated to avoid duplication across bundles and reduce the size of the repository by around 70%. This should have no effect on the runtime behaviour of the CodeQL Action. [#3899](https://github.com/github/codeql-action/pull/3899)
- For performance and accuracy reasons, [improved incremental analysis](https://github.com/github/roadmap/issues/1158) will now only be enabled on a pull request when diff-informed analysis is also enabled for that run. If diff-informed analysis is unavailable (for example, because the PR diff ranges could not be computed), the action will fall back to a full analysis. [#3791](https://github.com/github/codeql-action/pull/3791)
- If multiple inputs are provided for the GitHub-internal `analysis-kinds` input, only `code-scanning` will be enabled. The `analysis-kinds` input is experimental, for GitHub-internal use only, and may change without notice at any time. [#3892](https://github.com/github/codeql-action/pull/3892)
- Added an experimental change which, when running a Code Scanning analysis for a PR with [improved incremental analysis](https://github.com/github/roadmap/issues/1158) enabled, prefers CodeQL CLI versions that have a cached overlay-base database for the configured languages. This speeds up analysis for a repository when there is not yet a cached overlay-base database for the latest CLI version. We expect to roll this change out to everyone in May. [#3880](https://github.com/github/codeql-action/pull/3880)
-
-## 4.35.4 - 07 May 2026
-
- Update default CodeQL bundle version to [2.25.4](https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.25.4). [#3881](https://github.com/github/codeql-action/pull/3881)
-
 ## 4.35.3 - 01 May 2026

 - _Upcoming breaking change_: Add a deprecation warning for customers using CodeQL version 2.19.3 and earlier. These versions of CodeQL were discontinued on 9 April 2026 alongside GitHub Enterprise Server 3.15, and will be unsupported by the next minor release of the CodeQL Action. [#3837](https://github.com/github/codeql-action/pull/3837)
@@ -71,7 +71,7 @@ Once the mergeback and backport pull request have been merged, the release is co

 Since the `codeql-action` runs most of its testing through individual Actions workflows, there are over two hundred required jobs that need to pass in order for a PR to turn green. It would be too tedious to maintain that list manually. You can regenerate the set of required checks automatically by running the [sync-checks.ts](pr-checks/sync-checks.ts) script:

- At a minimum, you must provide a token with permissions to update branch protection rules. For example, `gh auth token | pr-checks/sync-checks.ts --token-stdin` uses the same token that `gh` uses. You can also set the `GH_TOKEN` or `GITHUB_TOKEN` environment variable. If no token is provided or the token has insufficient permissions, the script will fail.
+- At a minimum, you must provide an argument for the `--token` input. For example, `--token "$(gh auth token)"` to use the same token that `gh` uses. If no token is provided or the token has insufficient permissions, the script will fail.
 - By default, the script performs a dry run and outputs information about the changes it would make to the branch protection rules. To actually apply the changes, specify the `--apply` flag.
 - If you run the script without any other arguments, it will retrieve the set of workflows that ran for the latest commit on `main`.
 - You can specify a different git ref with the `--ref` input. You will likely want to use this if you have a PR that removes or adds PR checks. For example, `--ref "some/branch/name"` to use the HEAD of the `some/branch/name` branch.
@@ -78,6 +78,8 @@ We typically release new minor versions of the CodeQL Action and Bundle when a n
 | `v3.28.21` | `2.21.3` | Enterprise Server 3.18 | |
 | `v3.28.12` | `2.20.7` | Enterprise Server 3.17 | |
 | `v3.28.6` | `2.20.3` | Enterprise Server 3.16 | |
+| `v3.28.6` | `2.20.3` | Enterprise Server 3.15 | |
+| `v3.28.6` | `2.20.3` | Enterprise Server 3.14 | |

 See the full list of GHES release and deprecation dates at [GitHub Enterprise Server releases](https://docs.github.com/en/enterprise-server/admin/all-releases#releases-of-github-enterprise-server).

@@ -95,5 +95,5 @@ outputs:
    description: The ID of the uploaded SARIF file.
 runs:
  using: node24
-  main: "../lib/analyze-entry.js"
-  post: "../lib/analyze-post-entry.js"
+  main: "../lib/analyze-action.js"
+  post: "../lib/analyze-action-post.js"
@@ -16,4 +16,4 @@ inputs:
    required: false
 runs:
  using: node24
-  main: '../lib/autobuild-entry.js'
+  main: '../lib/autobuild-action.js'
@@ -1,5 +1,5 @@
-import { copyFile, readFile, rm, writeFile } from "node:fs/promises";
-import { basename, dirname, join } from "node:path";
+import { copyFile, rm, writeFile } from "node:fs/promises";
+import { dirname, join } from "node:path";
 import { fileURLToPath } from "node:url";

 import * as esbuild from "esbuild";
@@ -62,153 +62,18 @@ const onEndPlugin = {
  },
 };

-/** The name of the virtual `entry-points` module. */
-const SHARED_ENTRYPOINT = "entry-points";
-
-/** The property name under which `upload-lib`'s namespace is exposed in `entry-points`. */
-const UPLOAD_LIB_EXPORT = "uploadLib";
-
-/** The relative source path of the `upload-lib` module that we re-export from `entry-points`. */
-const UPLOAD_LIB_SRC = "./src/upload-lib";
-
-/**
- * This plugin finds all source files that contain Action entry points. It then generates the
- * virtual `entry-points` module which imports all identified files, and re-exports their
- * `runWrapper` functions with suitable aliases.
- *
- * The virtual module additionally re-exports `upload-lib` under the `uploadLib` namespace so that
- * external consumers can access it via the small `lib/upload-lib.js` stub emitted below.
- * 
- * A tiny stub file is emitted for each Action entrypoint, and one for `upload-lib`. Each stub
- * imports the shared bundle and calls/re-exports from the respective entry point.
- *
- * @type {esbuild.Plugin}
- */
-const entryPointsPlugin = {
-  name: "entry-points",
-  setup(build) {
-    const namespace = "actions";
-    const actions = [];
-
-    const toPascal = (s) =>
-      s.replace(/(^|-)([a-z0-9])/gi, (_, __, c) => c.toUpperCase());
-
-    // Find the source files containing Action entry points.
-    build.onStart(() => {
-      const actionFiles = globSync("src/*-action{,-post}.ts");
-      for (const actionFile of actionFiles) {
-        const match = basename(actionFile).match(/(.*)-action(-post)?/);
-
-        if (match.length < 2) {
-          throw new Error(`'${actionFile}' didn't match expected pattern.`);
-        }
-
-        const actionName = match[1];
-        const isPost = match[2] !== undefined;
-
-        actions.push({
-          path: actionFile,
-          name: actionName,
-          isPost,
-          pascalCaseName: `${toPascal(actionName)}${isPost ? "Post" : ""}Action`,
-        });
-      }
-    });
-
-    // Resolve the virtual `entry-points` file and set the corresponding namespace.
-    // Ideally, we'd `RegExp.escape` the entrypoint here, but that API isn't supported in Node 20.
-    // Since we're dealing with a hardcoded string, this isn't too much of a problem.
-    build.onResolve({ filter: new RegExp(`^${SHARED_ENTRYPOINT}$`) }, () => {
-      return { path: SHARED_ENTRYPOINT, namespace };
-    });
-
-    // Generate the virtual `entry-points` file based on the Actions we discovered.
-    // Restrict using the namespace. The path filter does not need to discriminate any further.
-    build.onLoad({ filter: /.*/, namespace }, async () => {
-      const wrapperTemplatePath = "entry-wrapper.js.tpl";
-      const wrapperTemplate = await readFile(
-        join(SRC_DIR, wrapperTemplatePath),
-        "utf-8",
-      );
-
-      const actionsSorted = actions.sort((a, b) =>
-        a.name.localeCompare(b.name),
-      );
-      const imports = actionsSorted
-        .map(
-          (action) =>
-            `import * as ${action.pascalCaseName} from "./src/${basename(action.path)}";`,
-        )
-        .join("\n");
-      const wrappers = actionsSorted
-        .map((action) =>
-          wrapperTemplate.replaceAll("__ACTION__", action.pascalCaseName),
-        )
-        .join("\n\n");
-
-      // Also re-export the `upload-lib` namespace so that external consumers can reach it
-      // via the `lib/upload-lib.js` stub without us having to bundle a second copy.
-      const uploadLibReExport = `export * as ${UPLOAD_LIB_EXPORT} from "${UPLOAD_LIB_SRC}";`;
-
-      return {
-        contents: `"use strict";\n${imports}\n\n${uploadLibReExport}\n\n${wrappers}\n`,
-        resolveDir: ".",
-        loader: "ts",
-      };
-    });
-
-    // Emit entry point stubs for each Action using the entry template.
-    build.onEnd(async () => {
-      const makeHeader = (templatePath, sourceFile) =>
-        `// Automatically generated from '${templatePath}' for 'src/${basename(sourceFile)}'.\n\n`;
-
-      // Read the entry point template.
-      const actionTemplatePath = "action-entry.js.tpl";
-      const actionTemplate = await readFile(
-        join(SRC_DIR, actionTemplatePath),
-        "utf-8",
-      );
-
-      // Write entry point stubs for each Action.
-      for (const action of actions) {
-        await writeFile(
-          join(
-            OUT_DIR,
-            `${action.name}${action.isPost ? "-post" : ""}-entry.js`,
-          ),
-          makeHeader(actionTemplatePath, action.path) +
-            actionTemplate.replaceAll("__ACTION__", action.pascalCaseName),
-        );
-      }
-
-      // Write a small stub for `upload-lib` that re-exports it from the shared bundle.
-      // External callers (e.g. internal testing environments) `require("./lib/upload-lib")`
-      // and expect the same shape as before, so we expose the namespace as `module.exports`.
-      const uploadLibStubTemplatePath = "upload-lib-stub.js.tpl";
-      const uploadLibStubTemplate = await readFile(
-        join(SRC_DIR, uploadLibStubTemplatePath),
-        "utf-8",
-      );
-      await writeFile(
-        join(OUT_DIR, "upload-lib.js"),
-        makeHeader(uploadLibStubTemplatePath, `${UPLOAD_LIB_SRC}.ts`) +
-          uploadLibStubTemplate.replaceAll(
-            "__UPLOAD_LIB_EXPORT__",
-            UPLOAD_LIB_EXPORT,
-          ),
-      );
-    });
-  },
-};
-
 const context = await esbuild.context({
-  entryPoints: [{ in: SHARED_ENTRYPOINT, out: SHARED_ENTRYPOINT }],
+  // Include upload-lib.ts as an entry point for use in testing environments.
+  entryPoints: globSync([
+    `${SRC_DIR}/*-action.ts`,
+    `${SRC_DIR}/*-action-post.ts`,
+    "src/upload-lib.ts",
+  ]),
  bundle: true,
  format: "cjs",
  outdir: OUT_DIR,
  platform: "node",
-  external: ["./entry-points"],
-  plugins: [cleanPlugin, copyDefaultsPlugin, entryPointsPlugin, onEndPlugin],
+  plugins: [cleanPlugin, copyDefaultsPlugin, onEndPlugin],
  target: ["node20"],
  define: {
    __CODEQL_ACTION_VERSION__: JSON.stringify(pkg.version),
@@ -171,5 +171,5 @@ outputs:
    description: The version of the CodeQL binary used for analysis
 runs:
  using: node24
-  main: '../lib/init-entry.js'
-  post: '../lib/init-post-entry.js'
+  main: '../lib/init-action.js'
+  post: '../lib/init-action-post.js'
@@ -1,6 +0,0 @@
-// Automatically generated from 'action-entry.js.tpl' for 'src/analyze-action.ts'.
-
-"use strict";
-
-const import_entry_points = require("./entry-points");
-void (0, import_entry_points.runAnalyzeAction)();
@@ -1,6 +0,0 @@
-// Automatically generated from 'action-entry.js.tpl' for 'src/analyze-action-post.ts'.
-
-"use strict";
-
-const import_entry_points = require("./entry-points");
-void (0, import_entry_points.runAnalyzePostAction)();
@@ -1,6 +0,0 @@
-// Automatically generated from 'action-entry.js.tpl' for 'src/autobuild-action.ts'.
-
-"use strict";
-
-const import_entry_points = require("./entry-points");
-void (0, import_entry_points.runAutobuildAction)();
@@ -1,6 +1,6 @@
 {
-  "bundleVersion": "codeql-bundle-v2.25.5",
-  "cliVersion": "2.25.5",
-  "priorBundleVersion": "codeql-bundle-v2.25.4",
-  "priorCliVersion": "2.25.4"
+  "bundleVersion": "codeql-bundle-v2.25.3",
+  "cliVersion": "2.25.3",
+  "priorBundleVersion": "codeql-bundle-v2.25.2",
+  "priorCliVersion": "2.25.2"
 }
@@ -1,6 +0,0 @@
-// Automatically generated from 'action-entry.js.tpl' for 'src/init-action.ts'.
-
-"use strict";
-
-const import_entry_points = require("./entry-points");
-void (0, import_entry_points.runInitAction)();
@@ -1,6 +0,0 @@
-// Automatically generated from 'action-entry.js.tpl' for 'src/init-action-post.ts'.
-
-"use strict";
-
-const import_entry_points = require("./entry-points");
-void (0, import_entry_points.runInitPostAction)();
@@ -1,6 +0,0 @@
-// Automatically generated from 'action-entry.js.tpl' for 'src/resolve-environment-action.ts'.
-
-"use strict";
-
-const import_entry_points = require("./entry-points");
-void (0, import_entry_points.runResolveEnvironmentAction)();
@@ -1,6 +0,0 @@
-// Automatically generated from 'action-entry.js.tpl' for 'src/setup-codeql-action.ts'.
-
-"use strict";
-
-const import_entry_points = require("./entry-points");
-void (0, import_entry_points.runSetupCodeqlAction)();
--- a/Show More
+++ b/Show More