Add FF to force JGit-based Git backend

2026-06-02 20:04:28 +00:00 · 2026-06-01 15:20:13 +01:00
35 changed files with 123 additions and 802 deletions
@@ -4,7 +4,7 @@ See the [releases page](https://github.com/github/codeql-action/releases) for th

 ## [UNRELEASED]

- Organizations can create a custom repository property named `github-codeql-tools` to set a default CodeQL CLI tools value. You can optionally set `github-codeql-tools-mode` to control scope: use `enforce` (default) to apply to all workflows, or `dynamic` to apply only to dynamic workflows. If a workflow provides an explicit `tools:` input, that input takes precedence. For more information, see [Managing custom properties for repositories in your organization](https://docs.github.com/en/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization), [Repository properties for Code Scanning](https://docs.github.com/en/code-security/concepts/code-scanning/repository-properties) and [Customizing your advanced setup for code scanning](https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning).
+No user facing changes.

 ## 4.36.0 - 22 May 2026

@@ -149396,6 +149396,11 @@ var featureConfig = {
    legacyApi: true,
    minimumVersion: void 0
  },
+  ["force_jgit" /* ForceJGit */]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_FORCE_JGIT",
+    minimumVersion: void 0
+  },
  ["force_nightly" /* ForceNightly */]: {
    defaultValue: false,
    envVar: "CODEQL_ACTION_FORCE_NIGHTLY",
@@ -150410,14 +150415,11 @@ function getUnknownLanguagesError(languages) {
 }

 // src/feature-flags/properties.ts
-var github2 = __toESM(require_github());
 var GITHUB_CODEQL_PROPERTY_PREFIX = "github-codeql-";
 var RepositoryPropertyName = /* @__PURE__ */ ((RepositoryPropertyName2) => {
  RepositoryPropertyName2["DISABLE_OVERLAY"] = "github-codeql-disable-overlay";
  RepositoryPropertyName2["EXTRA_QUERIES"] = "github-codeql-extra-queries";
  RepositoryPropertyName2["FILE_COVERAGE_ON_PRS"] = "github-codeql-file-coverage-on-prs";
-  RepositoryPropertyName2["TOOLS"] = "github-codeql-tools";
-  RepositoryPropertyName2["TOOLS_MODE"] = "github-codeql-tools-mode";
  return RepositoryPropertyName2;
 })(RepositoryPropertyName || {});
 function isString2(value) {
@@ -150435,12 +150437,7 @@ var booleanProperty = {
 var repositoryPropertyParsers = {
  ["github-codeql-disable-overlay" /* DISABLE_OVERLAY */]: booleanProperty,
  ["github-codeql-extra-queries" /* EXTRA_QUERIES */]: stringProperty,
-  ["github-codeql-file-coverage-on-prs" /* FILE_COVERAGE_ON_PRS */]: booleanProperty,
-  ["github-codeql-tools" /* TOOLS */]: stringProperty,
-  ["github-codeql-tools-mode" /* TOOLS_MODE */]: {
-    validate: isString2,
-    parse: parseToolsModeRepositoryProperty
-  }
+  ["github-codeql-file-coverage-on-prs" /* FILE_COVERAGE_ON_PRS */]: booleanProperty
 };
 async function loadPropertiesFromApi(logger, repositoryNwo) {
  try {
@@ -150493,26 +150490,6 @@ async function loadPropertiesFromApi(logger, repositoryNwo) {
    );
  }
 }
-async function loadRepositoryProperties(repositoryNwo, logger) {
-  const repositoryOwnerType = github2.context.payload.repository?.owner.type;
-  logger.debug(
-    `Repository owner type is '${repositoryOwnerType ?? "unknown"}'.`
-  );
-  if (repositoryOwnerType === "User") {
-    logger.debug(
-      "Skipping loading repository properties because the repository is owned by a user and therefore cannot have repository properties."
-    );
-    return new Success({});
-  }
-  try {
-    return new Success(await loadPropertiesFromApi(logger, repositoryNwo));
-  } catch (error3) {
-    logger.info(
-      `Failed to load repository properties: ${getErrorMessage(error3)}`
-    );
-    return new Failure(error3);
-  }
-}
 function setProperty2(properties, name, value, logger) {
  const propertyOptions = repositoryPropertyParsers[name];
  if (propertyOptions.validate(value)) {
@@ -150534,15 +150511,6 @@ function parseBooleanRepositoryProperty(name, value, logger) {
 function parseStringRepositoryProperty(_name, value) {
  return value;
 }
-function parseToolsModeRepositoryProperty(name, value, logger) {
-  if (value !== "dynamic" /* Dynamic */ && value !== "enforce" /* Enforce */) {
-    logger.warning(
-      `Repository property '${name}' has unexpected value '${value}'. Expected 'dynamic' or 'enforce'. Defaulting to 'enforce'.`
-    );
-    return "enforce" /* Enforce */;
-  }
-  return value;
-}
 var KNOWN_REPOSITORY_PROPERTY_NAMES = new Set(
  Object.values(RepositoryPropertyName)
 );
@@ -153413,7 +153381,7 @@ async function getCodeQLSource(toolsInput, defaultCliVersion, rawLanguages, useO
        );
      } else {
        if (allowToolcacheValueFF) {
-          logger.info(
+          logger.warning(
            `Ignoring 'tools: ${toolsInput}' because the workflow was not triggered dynamically.`
          );
        } else {
@@ -156754,7 +156722,7 @@ var fs19 = __toESM(require("fs"));
 var path17 = __toESM(require("path"));
 var core14 = __toESM(require_core());
 var toolrunner4 = __toESM(require_toolrunner());
-var github3 = __toESM(require_github());
+var github2 = __toESM(require_github());
 var io6 = __toESM(require_io());
 async function initCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliVersion, rawLanguages, useOverlayAwareDefaultCliVersion, features, logger) {
  logger.startGroup("Setup CodeQL tools");
@@ -156958,7 +156926,7 @@ function logFileCoverageOnPrsDeprecationWarning(logger) {
  if (process.env["CODEQL_ACTION_DID_LOG_FILE_COVERAGE_ON_PRS_DEPRECATION" /* DID_LOG_FILE_COVERAGE_ON_PRS_DEPRECATION */]) {
    return;
  }
-  const repositoryOwnerType = github3.context.payload.repository?.owner.type;
+  const repositoryOwnerType = github2.context.payload.repository?.owner.type;
  let message = "Starting April 2026, the CodeQL Action will skip computing file coverage information on pull requests to improve analysis performance. File coverage information will still be computed on non-PR analyses.";
  const envVarOptOut = "set the `CODEQL_ACTION_FILE_COVERAGE_ON_PRS` environment variable to `true`.";
  const repoPropertyOptOut = 'create a custom repository property with the name `github-codeql-file-coverage-on-prs` and the type "True/false", then set this property to `true` in the repository\'s settings.';
@@ -158742,50 +158710,10 @@ async function runWrapper3() {
 var fs27 = __toESM(require("fs"));
 var path23 = __toESM(require("path"));
 var core21 = __toESM(require_core());
+var github3 = __toESM(require_github());
 var io7 = __toESM(require_io());
 var semver10 = __toESM(require_semver2());

-// src/config/resolve-tools-input.ts
-function resolveToolsInputWithMetadata(toolsWorkflowInput, isDynamicWorkflow2, repositoryProperties, logger) {
-  if (toolsWorkflowInput) {
-    logger.info(
-      `Setting tools: ${toolsWorkflowInput} based on workflow input.`
-    );
-    return {
-      effectiveToolsInput: toolsWorkflowInput,
-      effectiveToolsInputSource: "workflow-input" /* WorkflowInput */,
-      toolsRepoPropertyMode: void 0
-    };
-  }
-  const toolsPropertyValue = repositoryProperties["github-codeql-tools" /* TOOLS */];
-  const toolsMode = repositoryProperties["github-codeql-tools-mode" /* TOOLS_MODE */] ?? "enforce" /* Enforce */;
-  if (toolsPropertyValue && toolsMode === "dynamic" /* Dynamic */ && !isDynamicWorkflow2) {
-    logger.info(
-      `Ignoring '${"github-codeql-tools" /* TOOLS */}' repository property because '${"github-codeql-tools-mode" /* TOOLS_MODE */}' is set to '${toolsMode}' and this is not a dynamic workflow.`
-    );
-    return {
-      effectiveToolsInput: void 0,
-      effectiveToolsInputSource: "none" /* None */,
-      toolsRepoPropertyMode: toolsMode
-    };
-  }
-  if (toolsPropertyValue) {
-    logger.info(
-      `Setting tools: ${toolsPropertyValue} based on the '${"github-codeql-tools" /* TOOLS */}' repository property (mode: '${toolsMode}').`
-    );
-    return {
-      effectiveToolsInput: toolsPropertyValue,
-      effectiveToolsInputSource: "repository-property" /* RepositoryProperty */,
-      toolsRepoPropertyMode: toolsMode
-    };
-  }
-  return {
-    effectiveToolsInput: void 0,
-    effectiveToolsInputSource: "none" /* None */,
-    toolsRepoPropertyMode: void 0
-  };
-}
-
 // src/workflow.ts
 var fs26 = __toESM(require("fs"));
 var path22 = __toESM(require("path"));
@@ -159076,7 +159004,7 @@ async function sendStartingStatusReport(startedAt, config, logger) {
    await sendStatusReport(statusReportBase);
  }
 }
-async function sendCompletedStatusReport2(startedAt, config, configFile, toolsDownloadStatusReport, toolsFeatureFlagsValid, toolsSource, toolsVersion, effectiveToolsInput, effectiveToolsInputSource, toolsRepoPropertyMode, overlayBaseDatabaseStats, dependencyCachingResults, logger, error3) {
+async function sendCompletedStatusReport2(startedAt, config, configFile, toolsDownloadStatusReport, toolsFeatureFlagsValid, toolsSource, toolsVersion, overlayBaseDatabaseStats, dependencyCachingResults, logger, error3) {
  const statusReportBase = await createStatusReportBase(
    "init" /* Init */,
    getActionsStatus(error3),
@@ -159094,9 +159022,6 @@ async function sendCompletedStatusReport2(startedAt, config, configFile, toolsDo
  const initStatusReport = {
    ...statusReportBase,
    tools_input: getOptionalInput("tools") || "",
-    effective_tools_input: effectiveToolsInput || "",
-    effective_tools_input_source: effectiveToolsInputSource,
-    tools_repo_property_mode: toolsRepoPropertyMode || "",
    tools_resolved_version: toolsVersion,
    tools_source: toolsSource || "UNKNOWN" /* Unknown */,
    workflow_languages: workflowLanguages || ""
@@ -159140,9 +159065,6 @@ async function run3(startedAt) {
  let toolsSource;
  let toolsVersion;
  let zstdAvailability;
-  let effectiveToolsInput;
-  let effectiveToolsInputSource;
-  let toolsRepoPropertyMode;
  try {
    initializeEnvironment(getActionVersion());
    persistInputs();
@@ -159166,7 +159088,6 @@ async function run3(startedAt) {
      repositoryNwo,
      logger
    );
-    const repositoryProperties = repositoryPropertiesResult.orElse({});
    const jobRunUuid = v4_default();
    logger.info(`Job run UUID is ${jobRunUuid}.`);
    core21.exportVariable("JOB_RUN_UUID" /* JOB_RUN_UUID */, jobRunUuid);
@@ -159192,21 +159113,12 @@ async function run3(startedAt) {
    }
    const codeQLDefaultVersionInfo = await features.getEnabledDefaultCliVersions(gitHubVersion.type);
    toolsFeatureFlagsValid = codeQLDefaultVersionInfo.toolsFeatureFlagsValid;
-    const resolvedToolsInput = resolveToolsInputWithMetadata(
-      getOptionalInput("tools"),
-      isDynamicWorkflow(),
-      repositoryProperties,
-      logger
-    );
-    effectiveToolsInput = resolvedToolsInput.effectiveToolsInput;
-    effectiveToolsInputSource = resolvedToolsInput.effectiveToolsInputSource;
-    toolsRepoPropertyMode = resolvedToolsInput.toolsRepoPropertyMode;
    const rawLanguages = getRawLanguagesNoAutodetect(
      getOptionalInput("languages")
    );
    const useOverlayAwareDefaultCliVersion = analysisKinds?.length === 1 && analysisKinds[0] === "code-scanning" /* CodeScanning */;
    const initCodeQLResult = await initCodeQL(
-      effectiveToolsInput,
+      getOptionalInput("tools"),
      apiDetails,
      getTemporaryDirectory(),
      gitHubVersion.type,
@@ -159242,6 +159154,7 @@ async function run3(startedAt) {
    }
    analysisKinds = await getAnalysisKinds(logger, features);
    const debugMode = getOptionalInput("debug") === "true" || core21.isDebug();
+    const repositoryProperties = repositoryPropertiesResult.orElse({});
    const fileCoverageResult = await getFileCoverageInformationEnabled(
      debugMode,
      codeql,
@@ -159440,6 +159353,9 @@ exec ${goBinaryPath} "$@"`
    if (await features.getValue("disable_kotlin_analysis_enabled" /* DisableKotlinAnalysisEnabled */)) {
      core21.exportVariable("CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN", "true");
    }
+    if (await features.getValue("force_jgit" /* ForceJGit */)) {
+      core21.exportVariable("CODEQL_GIT_BACKEND", "jgit");
+    }
    const kotlinLimitVar = "CODEQL_EXTRACTOR_KOTLIN_OVERRIDE_MAXIMUM_VERSION_LIMIT";
    if (await codeQlVersionAtLeast(codeql, "2.20.3") && !await codeQlVersionAtLeast(codeql, "2.20.4")) {
      core21.exportVariable(kotlinLimitVar, "2.1.20");
@@ -159539,9 +159455,6 @@ exec ${goBinaryPath} "$@"`
      toolsFeatureFlagsValid,
      toolsSource,
      toolsVersion,
-      effectiveToolsInput,
-      effectiveToolsInputSource,
-      toolsRepoPropertyMode,
      overlayBaseDatabaseStats,
      dependencyCachingStatus,
      logger,
@@ -159559,14 +159472,31 @@ exec ${goBinaryPath} "$@"`
    toolsFeatureFlagsValid,
    toolsSource,
    toolsVersion,
-    effectiveToolsInput,
-    effectiveToolsInputSource,
-    toolsRepoPropertyMode,
    overlayBaseDatabaseStats,
    dependencyCachingStatus,
    logger
  );
 }
+async function loadRepositoryProperties(repositoryNwo, logger) {
+  const repositoryOwnerType = github3.context.payload.repository?.owner.type;
+  logger.debug(
+    `Repository owner type is '${repositoryOwnerType ?? "unknown"}'.`
+  );
+  if (repositoryOwnerType === "User") {
+    logger.debug(
+      "Skipping loading repository properties because the repository is owned by a user and therefore cannot have repository properties."
+    );
+    return new Success({});
+  }
+  try {
+    return new Success(await loadPropertiesFromApi(logger, repositoryNwo));
+  } catch (error3) {
+    logger.warning(
+      `Failed to load repository properties: ${getErrorMessage(error3)}`
+    );
+    return new Failure(error3);
+  }
+}
 async function recordZstdAvailability(config, zstdAvailability) {
  addNoLanguageDiagnostic(
    config,
@@ -160135,7 +160065,7 @@ async function runWrapper6() {

 // src/setup-codeql-action.ts
 var core24 = __toESM(require_core());
-async function sendCompletedStatusReport3(startedAt, toolsDownloadStatusReport, toolsFeatureFlagsValid, toolsSource, toolsVersion, effectiveToolsInput, effectiveToolsInputSource, toolsRepoPropertyMode, logger, error3) {
+async function sendCompletedStatusReport3(startedAt, toolsDownloadStatusReport, toolsFeatureFlagsValid, toolsSource, toolsVersion, logger, error3) {
  const statusReportBase = await createStatusReportBase(
    "setup-codeql" /* SetupCodeQL */,
    getActionsStatus(error3),
@@ -160152,9 +160082,6 @@ async function sendCompletedStatusReport3(startedAt, toolsDownloadStatusReport,
  const initStatusReport = {
    ...statusReportBase,
    tools_input: getOptionalInput("tools") || "",
-    effective_tools_input: effectiveToolsInput || "",
-    effective_tools_input_source: effectiveToolsInputSource,
-    tools_repo_property_mode: toolsRepoPropertyMode || "",
    tools_resolved_version: toolsVersion,
    tools_source: toolsSource || "UNKNOWN" /* Unknown */,
    workflow_languages: ""
@@ -160175,9 +160102,6 @@ async function run6(startedAt) {
  let toolsFeatureFlagsValid;
  let toolsSource;
  let toolsVersion;
-  let effectiveToolsInput;
-  let effectiveToolsInputSource;
-  let toolsRepoPropertyMode;
  try {
    initializeEnvironment(getActionVersion());
    const apiDetails = {
@@ -160212,26 +160136,12 @@ async function run6(startedAt) {
    }
    const codeQLDefaultVersionInfo = await features.getEnabledDefaultCliVersions(gitHubVersion.type);
    toolsFeatureFlagsValid = codeQLDefaultVersionInfo.toolsFeatureFlagsValid;
-    const repositoryPropertiesResult = await loadRepositoryProperties(
-      repositoryNwo,
-      logger
-    );
-    const repositoryProperties = repositoryPropertiesResult.orElse({});
-    const resolvedToolsInput = resolveToolsInputWithMetadata(
-      getOptionalInput("tools"),
-      isDynamicWorkflow(),
-      repositoryProperties,
-      logger
-    );
-    effectiveToolsInput = resolvedToolsInput.effectiveToolsInput;
-    effectiveToolsInputSource = resolvedToolsInput.effectiveToolsInputSource;
-    toolsRepoPropertyMode = resolvedToolsInput.toolsRepoPropertyMode;
    const rawLanguages = getRawLanguagesNoAutodetect(
      getOptionalInput("languages")
    );
    const analysisKinds = await getAnalysisKinds(logger, features);
    const initCodeQLResult = await initCodeQL(
-      effectiveToolsInput,
+      getOptionalInput("tools"),
      apiDetails,
      getTemporaryDirectory(),
      gitHubVersion.type,
@@ -160272,9 +160182,6 @@ async function run6(startedAt) {
    toolsFeatureFlagsValid,
    toolsSource,
    toolsVersion,
-    effectiveToolsInput,
-    effectiveToolsInputSource,
-    toolsRepoPropertyMode,
    logger
  );
 }
@@ -30,7 +30,7 @@ import {
 } from "./dependency-caching";
 import { EnvVar } from "./environment";
 import { initFeatures } from "./feature-flags";
-import { BuiltInLanguage } from "./languages/index";
+import { BuiltInLanguage } from "./languages";
 import { getActionsLogger, Logger } from "./logging";
 import { cleanupAndUploadOverlayBaseDatabaseToCache } from "./overlay/caching";
 import { getRepositoryNwo } from "./repository";
@@ -14,7 +14,7 @@ import {
 } from "./analyze";
 import { createStubCodeQL } from "./codeql";
 import { Feature } from "./feature-flags";
-import { BuiltInLanguage } from "./languages/index";
+import { BuiltInLanguage } from "./languages";
 import { getRunnerLogger } from "./logging";
 import {
  setupTests,
@@ -21,7 +21,7 @@ import {
 } from "./diff-informed-analysis-utils";
 import { EnvVar } from "./environment";
 import { FeatureEnablement, Feature } from "./feature-flags";
-import { BuiltInLanguage, Language } from "./languages/index";
+import { BuiltInLanguage, Language } from "./languages";
 import { Logger, withGroupAsync } from "./logging";
 import { OverlayDatabaseMode } from "./overlay/overlay-database-mode";
 import type * as sarif from "./sarif";
@@ -10,7 +10,7 @@ import { determineAutobuildLanguages, runAutobuild } from "./autobuild";
 import { getCodeQL } from "./codeql";
 import { Config, getConfig } from "./config-utils";
 import { EnvVar } from "./environment";
-import { Language } from "./languages/index";
+import { Language } from "./languages";
 import { Logger, getActionsLogger } from "./logging";
 import {
  StatusReportBase,
@@ -7,7 +7,7 @@ import * as configUtils from "./config-utils";
 import { DocUrl } from "./doc-url";
 import { EnvVar } from "./environment";
 import { Feature, featureConfig, initFeatures } from "./feature-flags";
-import { BuiltInLanguage, Language } from "./languages/index";
+import { BuiltInLanguage, Language } from "./languages";
 import { Logger } from "./logging";
 import { getRepositoryNwo } from "./repository";
 import { asyncFilter, BuildMode } from "./util";
@@ -21,7 +21,7 @@ import {
 import type { Config } from "./config-utils";
 import * as defaults from "./defaults.json";
 import { DocUrl } from "./doc-url";
-import { BuiltInLanguage } from "./languages/index";
+import { BuiltInLanguage } from "./languages";
 import { getRunnerLogger } from "./logging";
 import { ToolsSource } from "./setup-codeql";
 import {
@@ -22,7 +22,7 @@ import {
  FeatureEnablement,
 } from "./feature-flags";
 import { isAnalyzingDefaultBranch } from "./git-utils";
-import { Language } from "./languages/index";
+import { Language } from "./languages";
 import { Logger } from "./logging";
 import { writeBaseDatabaseOidsFile, writeOverlayChangesFile } from "./overlay";
 import { OverlayDatabaseMode } from "./overlay/overlay-database-mode";
@@ -18,7 +18,7 @@ import { Feature } from "./feature-flags";
 import { RepositoryProperties } from "./feature-flags/properties";
 import * as gitUtils from "./git-utils";
 import { GitVersionInfo } from "./git-utils";
-import { BuiltInLanguage, Language } from "./languages/index";
+import { BuiltInLanguage, Language } from "./languages";
 import { getRunnerLogger } from "./logging";
 import { CODEQL_OVERLAY_MINIMUM_VERSION } from "./overlay";
 import * as overlayDiagnostics from "./overlay/diagnostics";
@@ -48,7 +48,7 @@ import {
  hasSubmodules,
  isAnalyzingDefaultBranch,
 } from "./git-utils";
-import { BuiltInLanguage, Language } from "./languages/index";
+import { BuiltInLanguage, Language } from "./languages";
 import { Logger } from "./logging";
 import { CODEQL_OVERLAY_MINIMUM_VERSION } from "./overlay";
 import {
@@ -1,280 +0,0 @@
-import test from "ava";
-
-import {
-  EffectiveToolsInputSource,
-  resolveToolsInput,
-  resolveToolsInputWithMetadata,
-} from "../config/resolve-tools-input";
-import {
-  RepositoryPropertyName,
-  ToolsModeRepositoryPropertyValue,
-} from "../feature-flags/properties";
-import type { RepositoryProperties } from "../feature-flags/properties";
-import {
-  getRecordingLogger,
-  LoggedMessage,
-  setupTests,
-} from "../testing-utils";
-
-setupTests(test);
-
-test("resolveToolsInput returns undefined when no tools input or repository property is set", (t) => {
-  const loggedMessages: LoggedMessage[] = [];
-  const logger = getRecordingLogger(loggedMessages);
-
-  const result = resolveToolsInput(undefined, false, {}, logger);
-
-  t.is(result, undefined);
-  t.is(loggedMessages.length, 0);
-});
-
-test("resolveToolsInput returns workflow input when only workflow input is provided", (t) => {
-  const loggedMessages: LoggedMessage[] = [];
-  const logger = getRecordingLogger(loggedMessages);
-
-  const result = resolveToolsInput("latest", false, {}, logger);
-
-  t.is(result, "latest");
-  t.is(loggedMessages.length, 1);
-  t.is(
-    loggedMessages[0].message,
-    "Setting tools: latest based on workflow input.",
-  );
-});
-
-test("resolveToolsInput returns repository property when only repository property is provided", (t) => {
-  const loggedMessages: LoggedMessage[] = [];
-  const logger = getRecordingLogger(loggedMessages);
-
-  const repositoryProperties: RepositoryProperties = {
-    [RepositoryPropertyName.TOOLS]: "toolcache",
-  };
-  const result = resolveToolsInput(
-    undefined,
-    false,
-    repositoryProperties,
-    logger,
-  );
-
-  t.is(result, "toolcache");
-  t.is(loggedMessages.length, 1);
-  t.is(
-    loggedMessages[0].message,
-    "Setting tools: toolcache based on the 'github-codeql-tools' repository property (mode: 'enforce').",
-  );
-});
-
-test("resolveToolsInput prioritizes workflow input over repository property", (t) => {
-  const loggedMessages: LoggedMessage[] = [];
-  const logger = getRecordingLogger(loggedMessages);
-
-  const repositoryProperties: RepositoryProperties = {
-    [RepositoryPropertyName.TOOLS]: "toolcache",
-  };
-  const result = resolveToolsInput(
-    "nightly",
-    false,
-    repositoryProperties,
-    logger,
-  );
-
-  t.is(result, "nightly");
-  t.is(loggedMessages.length, 1);
-  t.is(
-    loggedMessages[0].message,
-    "Setting tools: nightly based on workflow input.",
-  );
-});
-
-test("resolveToolsInput treats empty string workflow input as not set", (t) => {
-  const loggedMessages: LoggedMessage[] = [];
-  const logger = getRecordingLogger(loggedMessages);
-
-  const repositoryProperties: RepositoryProperties = {
-    [RepositoryPropertyName.TOOLS]: "toolcache",
-  };
-  const result = resolveToolsInput("", false, repositoryProperties, logger);
-
-  t.is(result, "toolcache");
-  t.is(loggedMessages.length, 1);
-  t.is(
-    loggedMessages[0].message,
-    "Setting tools: toolcache based on the 'github-codeql-tools' repository property (mode: 'enforce').",
-  );
-});
-
-test("resolveToolsInput returns undefined when repository property is undefined", (t) => {
-  const loggedMessages: LoggedMessage[] = [];
-  const logger = getRecordingLogger(loggedMessages);
-
-  const repositoryProperties: RepositoryProperties = {
-    [RepositoryPropertyName.TOOLS]: undefined,
-  };
-  const result = resolveToolsInput(
-    undefined,
-    false,
-    repositoryProperties,
-    logger,
-  );
-
-  t.is(result, undefined);
-  t.is(loggedMessages.length, 0);
-});
-
-test("resolveToolsInput returns repository property when workflow input is not set", (t) => {
-  const loggedMessages: LoggedMessage[] = [];
-  const logger = getRecordingLogger(loggedMessages);
-
-  const repositoryProperties: RepositoryProperties = {
-    [RepositoryPropertyName.TOOLS]: "toolcache",
-  };
-  const result = resolveToolsInput(
-    undefined,
-    false,
-    repositoryProperties,
-    logger,
-  );
-
-  t.is(result, "toolcache");
-  t.is(loggedMessages.length, 1);
-  t.is(
-    loggedMessages[0].message,
-    "Setting tools: toolcache based on the 'github-codeql-tools' repository property (mode: 'enforce').",
-  );
-});
-
-test("resolveToolsInput does not log when workflow input and repository property are not set", (t) => {
-  const loggedMessages: LoggedMessage[] = [];
-  const logger = getRecordingLogger(loggedMessages);
-
-  const result = resolveToolsInput(undefined, false, {}, logger);
-
-  t.is(result, undefined);
-  t.is(loggedMessages.length, 0);
-});
-
-test("resolveToolsInput applies tools property in enforce mode for static workflows", (t) => {
-  const loggedMessages: LoggedMessage[] = [];
-  const logger = getRecordingLogger(loggedMessages);
-
-  const repositoryProperties: RepositoryProperties = {
-    [RepositoryPropertyName.TOOLS]: "toolcache",
-    [RepositoryPropertyName.TOOLS_MODE]:
-      ToolsModeRepositoryPropertyValue.Enforce,
-  };
-  const result = resolveToolsInput(
-    undefined,
-    false,
-    repositoryProperties,
-    logger,
-  );
-
-  t.is(result, "toolcache");
-  t.is(loggedMessages.length, 1);
-  t.is(
-    loggedMessages[0].message,
-    "Setting tools: toolcache based on the 'github-codeql-tools' repository property (mode: 'enforce').",
-  );
-});
-
-test("resolveToolsInput applies tools property in dynamic mode for dynamic workflows", (t) => {
-  const loggedMessages: LoggedMessage[] = [];
-  const logger = getRecordingLogger(loggedMessages);
-
-  const repositoryProperties: RepositoryProperties = {
-    [RepositoryPropertyName.TOOLS]: "toolcache",
-    [RepositoryPropertyName.TOOLS_MODE]:
-      ToolsModeRepositoryPropertyValue.Dynamic,
-  };
-  const result = resolveToolsInput(
-    undefined,
-    true,
-    repositoryProperties,
-    logger,
-  );
-
-  t.is(result, "toolcache");
-  t.is(loggedMessages.length, 1);
-  t.is(
-    loggedMessages[0].message,
-    "Setting tools: toolcache based on the 'github-codeql-tools' repository property (mode: 'dynamic').",
-  );
-});
-
-test("resolveToolsInput ignores tools property in dynamic mode for static workflows", (t) => {
-  const loggedMessages: LoggedMessage[] = [];
-  const logger = getRecordingLogger(loggedMessages);
-
-  const repositoryProperties: RepositoryProperties = {
-    [RepositoryPropertyName.TOOLS]: "toolcache",
-    [RepositoryPropertyName.TOOLS_MODE]:
-      ToolsModeRepositoryPropertyValue.Dynamic,
-  };
-  const result = resolveToolsInput(
-    undefined,
-    false,
-    repositoryProperties,
-    logger,
-  );
-
-  t.is(result, undefined);
-  t.is(loggedMessages.length, 1);
-  t.is(
-    loggedMessages[0].message,
-    "Ignoring 'github-codeql-tools' repository property because 'github-codeql-tools-mode' is set to 'dynamic' and this is not a dynamic workflow.",
-  );
-});
-
-test("resolveToolsInputWithMetadata reports workflow input source", (t) => {
-  const logger = getRecordingLogger([]);
-
-  const result = resolveToolsInputWithMetadata("latest", false, {}, logger);
-
-  t.is(result.effectiveToolsInput, "latest");
-  t.is(
-    result.effectiveToolsInputSource,
-    EffectiveToolsInputSource.WorkflowInput,
-  );
-  t.is(result.toolsRepoPropertyMode, undefined);
-});
-
-test("resolveToolsInputWithMetadata reports repository property source and mode", (t) => {
-  const logger = getRecordingLogger([]);
-
-  const result = resolveToolsInputWithMetadata(
-    undefined,
-    false,
-    {
-      [RepositoryPropertyName.TOOLS]: "toolcache",
-      [RepositoryPropertyName.TOOLS_MODE]:
-        ToolsModeRepositoryPropertyValue.Enforce,
-    },
-    logger,
-  );
-
-  t.is(result.effectiveToolsInput, "toolcache");
-  t.is(
-    result.effectiveToolsInputSource,
-    EffectiveToolsInputSource.RepositoryProperty,
-  );
-  t.is(result.toolsRepoPropertyMode, ToolsModeRepositoryPropertyValue.Enforce);
-});
-
-test("resolveToolsInputWithMetadata reports dynamic-mode skip on static workflows", (t) => {
-  const logger = getRecordingLogger([]);
-
-  const result = resolveToolsInputWithMetadata(
-    undefined,
-    false,
-    {
-      [RepositoryPropertyName.TOOLS]: "toolcache",
-      [RepositoryPropertyName.TOOLS_MODE]:
-        ToolsModeRepositoryPropertyValue.Dynamic,
-    },
-    logger,
-  );
-
-  t.is(result.effectiveToolsInput, undefined);
-  t.is(result.effectiveToolsInputSource, EffectiveToolsInputSource.None);
-  t.is(result.toolsRepoPropertyMode, ToolsModeRepositoryPropertyValue.Dynamic);
-});
@@ -1,100 +0,0 @@
-import {
-  RepositoryProperties,
-  RepositoryPropertyName,
-  ToolsModeRepositoryPropertyValue,
-} from "../feature-flags/properties";
-import { Logger } from "../logging";
-
-export enum EffectiveToolsInputSource {
-  WorkflowInput = "workflow-input",
-  RepositoryProperty = "repository-property",
-  None = "none",
-}
-
-export type ResolvedToolsInput = {
-  effectiveToolsInput: string | undefined;
-  effectiveToolsInputSource: EffectiveToolsInputSource;
-  toolsRepoPropertyMode: ToolsModeRepositoryPropertyValue | undefined;
-};
-
-/**
- * Resolves the effective tools input by combining the workflow input and repository properties.
- * The explicit `tools` workflow input takes precedence. If none is provided,
- * falls back to the repository property (if set). The optional
- * `github-codeql-tools-mode` repository property controls whether this fallback
- * applies to all workflows (`enforce`) or only dynamic workflows (`dynamic`).
- *
- * @param toolsWorkflowInput - The value of the `tools` workflow input, if provided.
- * @param isDynamicWorkflow - Whether the current workflow is dynamic.
- * @param repositoryProperties - The parsed repository properties.
- * @param logger - Logger for outputting resolution messages.
- * @returns The effective tools input value.
- */
-export function resolveToolsInput(
-  toolsWorkflowInput: string | undefined,
-  isDynamicWorkflow: boolean,
-  repositoryProperties: RepositoryProperties,
-  logger: Logger,
-): string | undefined {
-  return resolveToolsInputWithMetadata(
-    toolsWorkflowInput,
-    isDynamicWorkflow,
-    repositoryProperties,
-    logger,
-  ).effectiveToolsInput;
-}
-
-export function resolveToolsInputWithMetadata(
-  toolsWorkflowInput: string | undefined,
-  isDynamicWorkflow: boolean,
-  repositoryProperties: RepositoryProperties,
-  logger: Logger,
-): ResolvedToolsInput {
-  if (toolsWorkflowInput) {
-    logger.info(
-      `Setting tools: ${toolsWorkflowInput} based on workflow input.`,
-    );
-    return {
-      effectiveToolsInput: toolsWorkflowInput,
-      effectiveToolsInputSource: EffectiveToolsInputSource.WorkflowInput,
-      toolsRepoPropertyMode: undefined,
-    };
-  }
-
-  const toolsPropertyValue = repositoryProperties[RepositoryPropertyName.TOOLS];
-  const toolsMode =
-    repositoryProperties[RepositoryPropertyName.TOOLS_MODE] ??
-    ToolsModeRepositoryPropertyValue.Enforce;
-
-  if (
-    toolsPropertyValue &&
-    toolsMode === ToolsModeRepositoryPropertyValue.Dynamic &&
-    !isDynamicWorkflow
-  ) {
-    logger.info(
-      `Ignoring '${RepositoryPropertyName.TOOLS}' repository property because '${RepositoryPropertyName.TOOLS_MODE}' is set to '${toolsMode}' and this is not a dynamic workflow.`,
-    );
-    return {
-      effectiveToolsInput: undefined,
-      effectiveToolsInputSource: EffectiveToolsInputSource.None,
-      toolsRepoPropertyMode: toolsMode,
-    };
-  }
-
-  if (toolsPropertyValue) {
-    logger.info(
-      `Setting tools: ${toolsPropertyValue} based on the '${RepositoryPropertyName.TOOLS}' repository property (mode: '${toolsMode}').`,
-    );
-    return {
-      effectiveToolsInput: toolsPropertyValue,
-      effectiveToolsInputSource: EffectiveToolsInputSource.RepositoryProperty,
-      toolsRepoPropertyMode: toolsMode,
-    };
-  }
-
-  return {
-    effectiveToolsInput: undefined,
-    effectiveToolsInputSource: EffectiveToolsInputSource.None,
-    toolsRepoPropertyMode: undefined,
-  };
-}
@@ -12,7 +12,7 @@ import { createStubCodeQL } from "./codeql";
 import { Config } from "./config-utils";
 import { cleanupAndUploadDatabases } from "./database-upload";
 import * as gitUtils from "./git-utils";
-import { BuiltInLanguage } from "./languages/index";
+import { BuiltInLanguage } from "./languages";
 import { RepositoryNwo } from "./repository";
 import {
  checkExpectedLogMessages,
@@ -13,7 +13,7 @@ import { type CodeQL } from "./codeql";
 import { Config } from "./config-utils";
 import { EnvVar } from "./environment";
 import * as json from "./json";
-import { Language } from "./languages/index";
+import { Language } from "./languages";
 import { Logger, withGroup } from "./logging";
 import {
  isSafeArtifactUpload,
@@ -27,7 +27,7 @@ import {
  CacheStoreResult,
 } from "./dependency-caching";
 import { Feature } from "./feature-flags";
-import { BuiltInLanguage } from "./languages/index";
+import { BuiltInLanguage } from "./languages";
 import {
  setupTests,
  createFeatures,
@@ -11,7 +11,7 @@ import { CodeQL } from "./codeql";
 import { Config } from "./config-utils";
 import { EnvVar } from "./environment";
 import { Feature, FeatureEnablement } from "./feature-flags";
-import { BuiltInLanguage, Language } from "./languages/index";
+import { BuiltInLanguage, Language } from "./languages";
 import { Logger } from "./logging";
 import { getErrorMessage, getRequiredEnvParam } from "./util";

@@ -2,7 +2,7 @@ import { existsSync, mkdirSync, writeFileSync } from "fs";
 import path from "path";

 import type { Config } from "./config-utils";
-import { Language } from "./languages/index";
+import { Language } from "./languages";
 import { getActionsLogger } from "./logging";
 import { getCodeQLDatabasePath } from "./util";

@@ -82,6 +82,11 @@ export enum Feature {
  DisableJavaBuildlessEnabled = "disable_java_buildless_enabled",
  DisableKotlinAnalysisEnabled = "disable_kotlin_analysis_enabled",
  ExportDiagnosticsEnabled = "export_diagnostics_enabled",
+  /**
+   * Emergency override that forces the CodeQL CLI to use the JGit-based Git backend instead of its
+   * default backend selection.
+   */
+  ForceJGit = "force_jgit",
  ForceNightly = "force_nightly",
  IgnoreGeneratedFiles = "ignore_generated_files",
  JavaNetworkDebugging = "java_network_debugging",
@@ -224,6 +229,11 @@ export const featureConfig = {
    legacyApi: true,
    minimumVersion: undefined,
  },
+  [Feature.ForceJGit]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_FORCE_JGIT",
+    minimumVersion: undefined,
+  },
  [Feature.ForceNightly]: {
    defaultValue: false,
    envVar: "CODEQL_ACTION_FORCE_NIGHTLY",
@@ -78,8 +78,6 @@ test.serial("loadPropertiesFromApi loads known properties", async (t) => {
    url: "",
    data: [
      { property_name: "github-codeql-extra-queries", value: "+queries" },
-      { property_name: "github-codeql-tools", value: "toolcache" },
-      { property_name: "github-codeql-tools-mode", value: "dynamic" },
      { property_name: "unknown-property", value: "something" },
    ] satisfies properties.GitHubPropertiesResponse,
  });
@@ -89,45 +87,9 @@ test.serial("loadPropertiesFromApi loads known properties", async (t) => {
    logger,
    mockRepositoryNwo,
  );
-  t.deepEqual(response, {
-    "github-codeql-extra-queries": "+queries",
-    "github-codeql-tools": "toolcache",
-    "github-codeql-tools-mode": "dynamic",
-  });
+  t.deepEqual(response, { "github-codeql-extra-queries": "+queries" });
 });

-test.serial(
-  "loadPropertiesFromApi warns if tools mode property has unexpected value",
-  async (t) => {
-    sinon.stub(api, "getRepositoryProperties").resolves({
-      headers: {},
-      status: 200,
-      url: "",
-      data: [
-        {
-          property_name: "github-codeql-tools-mode",
-          value: "all",
-        },
-      ] satisfies properties.GitHubPropertiesResponse,
-    });
-    const logger = getRunnerLogger(true);
-    const warningSpy = sinon.spy(logger, "warning");
-    const mockRepositoryNwo = parseRepositoryNwo("owner/repo");
-    const response = await properties.loadPropertiesFromApi(
-      logger,
-      mockRepositoryNwo,
-    );
-    t.deepEqual(response, {
-      "github-codeql-tools-mode": "enforce",
-    });
-    t.true(warningSpy.calledOnce);
-    t.is(
-      warningSpy.firstCall.args[0],
-      "Repository property 'github-codeql-tools-mode' has unexpected value 'all'. Expected 'dynamic' or 'enforce'. Defaulting to 'enforce'.",
-    );
-  },
-);
-
 test.serial("loadPropertiesFromApi parses true boolean property", async (t) => {
  sinon.stub(api, "getRepositoryProperties").resolves({
    headers: {},
@@ -1,10 +1,7 @@
-import * as github from "@actions/github";
-
 import { isDynamicWorkflow } from "../actions-util";
 import { getRepositoryProperties } from "../api-client";
 import { Logger } from "../logging";
 import { RepositoryNwo } from "../repository";
-import { getErrorMessage, Result, Success, Failure } from "../util";

 /** The common prefix that we expect all of our repository properties to have. */
 export const GITHUB_CODEQL_PROPERTY_PREFIX = "github-codeql-";
@@ -16,13 +13,6 @@ export enum RepositoryPropertyName {
  DISABLE_OVERLAY = "github-codeql-disable-overlay",
  EXTRA_QUERIES = "github-codeql-extra-queries",
  FILE_COVERAGE_ON_PRS = "github-codeql-file-coverage-on-prs",
-  TOOLS = "github-codeql-tools",
-  TOOLS_MODE = "github-codeql-tools-mode",
-}
-
-export enum ToolsModeRepositoryPropertyValue {
-  Dynamic = "dynamic",
-  Enforce = "enforce",
 }

 /** Parsed types of the known repository properties. */
@@ -30,8 +20,6 @@ export type AllRepositoryProperties = {
  [RepositoryPropertyName.DISABLE_OVERLAY]: boolean;
  [RepositoryPropertyName.EXTRA_QUERIES]: string;
  [RepositoryPropertyName.FILE_COVERAGE_ON_PRS]: boolean;
-  [RepositoryPropertyName.TOOLS]: string;
-  [RepositoryPropertyName.TOOLS_MODE]: ToolsModeRepositoryPropertyValue;
 };

 /** Parsed repository properties. */
@@ -42,8 +30,6 @@ export type RepositoryPropertyApiType = {
  [RepositoryPropertyName.DISABLE_OVERLAY]: string;
  [RepositoryPropertyName.EXTRA_QUERIES]: string;
  [RepositoryPropertyName.FILE_COVERAGE_ON_PRS]: string;
-  [RepositoryPropertyName.TOOLS]: string;
-  [RepositoryPropertyName.TOOLS_MODE]: string;
 };

 /** The type of functions which take the `value` from the API and try to convert it to the type we want. */
@@ -91,11 +77,6 @@ const repositoryPropertyParsers: {
  [RepositoryPropertyName.DISABLE_OVERLAY]: booleanProperty,
  [RepositoryPropertyName.EXTRA_QUERIES]: stringProperty,
  [RepositoryPropertyName.FILE_COVERAGE_ON_PRS]: booleanProperty,
-  [RepositoryPropertyName.TOOLS]: stringProperty,
-  [RepositoryPropertyName.TOOLS_MODE]: {
-    validate: isString,
-    parse: parseToolsModeRepositoryProperty,
-  },
 };

 /**
@@ -191,38 +172,6 @@ export async function loadPropertiesFromApi(
  }
 }

-/**
- * Loads [repository properties](https://docs.github.com/en/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization) if applicable.
- */
-export async function loadRepositoryProperties(
-  repositoryNwo: RepositoryNwo,
-  logger: Logger,
-): Promise<Result<RepositoryProperties, unknown>> {
-  // See if we can skip loading repository properties early. In particular,
-  // repositories owned by users cannot have repository properties, so we can
-  // skip the API call entirely in that case.
-  const repositoryOwnerType = github.context.payload.repository?.owner.type;
-  logger.debug(
-    `Repository owner type is '${repositoryOwnerType ?? "unknown"}'.`,
-  );
-  if (repositoryOwnerType === "User") {
-    logger.debug(
-      "Skipping loading repository properties because the repository is owned by a user and " +
-        "therefore cannot have repository properties.",
-    );
-    return new Success({});
-  }
-
-  try {
-    return new Success(await loadPropertiesFromApi(logger, repositoryNwo));
-  } catch (error) {
-    logger.info(
-      `Failed to load repository properties: ${getErrorMessage(error)}`,
-    );
-    return new Failure(error);
-  }
-}
-
 /**
 * Validate that `value` has the correct type for `K` and, if so, update the partial set of repository
 * properties with the parsed value of the specified property.
@@ -268,25 +217,6 @@ function parseStringRepositoryProperty(_name: string, value: string): string {
  return value;
 }

-/** Parse the tools mode repository property. */
-function parseToolsModeRepositoryProperty(
-  name: string,
-  value: string,
-  logger: Logger,
-): ToolsModeRepositoryPropertyValue {
-  if (
-    value !== ToolsModeRepositoryPropertyValue.Dynamic &&
-    value !== ToolsModeRepositoryPropertyValue.Enforce
-  ) {
-    logger.warning(
-      `Repository property '${name}' has unexpected value '${value}'. Expected 'dynamic' or 'enforce'. Defaulting to 'enforce'.`,
-    );
-    return ToolsModeRepositoryPropertyValue.Enforce;
-  }
-
-  return value;
-}
-
 /** Set of known repository property names, for fast lookups. */
 const KNOWN_REPOSITORY_PROPERTY_NAMES = new Set<string>(
  Object.values(RepositoryPropertyName),
@@ -2,12 +2,12 @@ import * as fs from "fs";
 import * as path from "path";

 import * as core from "@actions/core";
+import * as github from "@actions/github";
 import * as io from "@actions/io";
 import * as semver from "semver";
 import { v4 as uuidV4 } from "uuid";

 import {
-  isDynamicWorkflow,
  FileCmdNotFoundError,
  getActionVersion,
  getFileType,
@@ -24,10 +24,6 @@ import {
  shouldRestoreCache,
 } from "./caching-utils";
 import { CodeQL } from "./codeql";
-import {
-  EffectiveToolsInputSource,
-  resolveToolsInputWithMetadata,
-} from "./config/resolve-tools-input";
 import * as configUtils from "./config-utils";
 import {
  DependencyCacheRestoreStatusReport,
@@ -44,8 +40,8 @@ import {
 import { EnvVar } from "./environment";
 import { Feature, FeatureEnablement, initFeatures } from "./feature-flags";
 import {
-  loadRepositoryProperties,
-  ToolsModeRepositoryPropertyValue,
+  loadPropertiesFromApi,
+  RepositoryProperties,
 } from "./feature-flags/properties";
 import {
  checkInstallPython311,
@@ -57,14 +53,14 @@ import {
  initConfig,
  runDatabaseInitCluster,
 } from "./init";
-import { JavaEnvVars, BuiltInLanguage } from "./languages/index";
+import { JavaEnvVars, BuiltInLanguage } from "./languages";
 import { getActionsLogger, Logger, withGroupAsync } from "./logging";
 import {
  downloadOverlayBaseDatabaseFromCache,
  OverlayBaseDatabaseDownloadStats,
 } from "./overlay/caching";
 import { OverlayDatabaseMode } from "./overlay/overlay-database-mode";
-import { getRepositoryNwo } from "./repository";
+import { getRepositoryNwo, RepositoryNwo } from "./repository";
 import { ToolsSource } from "./setup-codeql";
 import {
  ActionName,
@@ -97,7 +93,10 @@ import {
  checkActionVersion,
  getErrorMessage,
  BuildMode,
+  Result,
  getOptionalEnvVar,
+  Success,
+  Failure,
 } from "./util";
 import { checkWorkflow } from "./workflow";

@@ -141,9 +140,6 @@ async function sendCompletedStatusReport(
  toolsFeatureFlagsValid: boolean | undefined,
  toolsSource: ToolsSource,
  toolsVersion: string,
-  effectiveToolsInput: string | undefined,
-  effectiveToolsInputSource: EffectiveToolsInputSource,
-  toolsRepoPropertyMode: ToolsModeRepositoryPropertyValue | undefined,
  overlayBaseDatabaseStats: OverlayBaseDatabaseDownloadStats | undefined,
  dependencyCachingResults: DependencyCacheRestoreStatusReport | undefined,
  logger: Logger,
@@ -169,9 +165,6 @@ async function sendCompletedStatusReport(
  const initStatusReport: InitStatusReport = {
    ...statusReportBase,
    tools_input: getOptionalInput("tools") || "",
-    effective_tools_input: effectiveToolsInput || "",
-    effective_tools_input_source: effectiveToolsInputSource,
-    tools_repo_property_mode: toolsRepoPropertyMode || "",
    tools_resolved_version: toolsVersion,
    tools_source: toolsSource || ToolsSource.Unknown,
    workflow_languages: workflowLanguages || "",
@@ -226,9 +219,6 @@ async function run(startedAt: Date) {
  let toolsSource: ToolsSource;
  let toolsVersion: string;
  let zstdAvailability: ZstdAvailability | undefined;
-  let effectiveToolsInput: string | undefined;
-  let effectiveToolsInputSource: EffectiveToolsInputSource;
-  let toolsRepoPropertyMode: ToolsModeRepositoryPropertyValue | undefined;

  try {
    initializeEnvironment(getActionVersion());
@@ -261,7 +251,6 @@ async function run(startedAt: Date) {
      repositoryNwo,
      logger,
    );
-    const repositoryProperties = repositoryPropertiesResult.orElse({});

    // Create a unique identifier for this run.
    const jobRunUuid = uuidV4();
@@ -307,21 +296,6 @@ async function run(startedAt: Date) {
    const codeQLDefaultVersionInfo =
      await features.getEnabledDefaultCliVersions(gitHubVersion.type);
    toolsFeatureFlagsValid = codeQLDefaultVersionInfo.toolsFeatureFlagsValid;
-
-    // Determine the effective tools input.
-    // The explicit `tools` workflow input takes precedence. If none is provided,
-    // fall back to the 'github-codeql-tools' repository property (if set).
-    // If 'github-codeql-tools-mode' is set to 'dynamic', this fallback applies
-    // only to dynamic workflows. Otherwise, it applies to all workflows.
-    const resolvedToolsInput = resolveToolsInputWithMetadata(
-      getOptionalInput("tools"),
-      isDynamicWorkflow(),
-      repositoryProperties,
-      logger,
-    );
-    effectiveToolsInput = resolvedToolsInput.effectiveToolsInput;
-    effectiveToolsInputSource = resolvedToolsInput.effectiveToolsInputSource;
-    toolsRepoPropertyMode = resolvedToolsInput.toolsRepoPropertyMode;
    const rawLanguages = configUtils.getRawLanguagesNoAutodetect(
      getOptionalInput("languages"),
    );
@@ -329,7 +303,7 @@ async function run(startedAt: Date) {
      analysisKinds?.length === 1 &&
      analysisKinds[0] === AnalysisKind.CodeScanning;
    const initCodeQLResult = await initCodeQL(
-      effectiveToolsInput,
+      getOptionalInput("tools"),
      apiDetails,
      getTemporaryDirectory(),
      gitHubVersion.type,
@@ -376,6 +350,7 @@ async function run(startedAt: Date) {

    analysisKinds = await getAnalysisKinds(logger, features);
    const debugMode = getOptionalInput("debug") === "true" || core.isDebug();
+    const repositoryProperties = repositoryPropertiesResult.orElse({});
    const fileCoverageResult = await getFileCoverageInformationEnabled(
      debugMode,
      codeql,
@@ -639,6 +614,11 @@ async function run(startedAt: Date) {
      core.exportVariable("CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN", "true");
    }

+    // Emergency override to force the CodeQL CLI back to the JGit-based Git backend.
+    if (await features.getValue(Feature.ForceJGit)) {
+      core.exportVariable("CODEQL_GIT_BACKEND", "jgit");
+    }
+
    const kotlinLimitVar =
      "CODEQL_EXTRACTOR_KOTLIN_OVERRIDE_MAXIMUM_VERSION_LIMIT";
    if (
@@ -794,9 +774,6 @@ async function run(startedAt: Date) {
      toolsFeatureFlagsValid,
      toolsSource,
      toolsVersion,
-      effectiveToolsInput,
-      effectiveToolsInputSource,
-      toolsRepoPropertyMode,
      overlayBaseDatabaseStats,
      dependencyCachingStatus,
      logger,
@@ -814,15 +791,44 @@ async function run(startedAt: Date) {
    toolsFeatureFlagsValid,
    toolsSource,
    toolsVersion,
-    effectiveToolsInput,
-    effectiveToolsInputSource,
-    toolsRepoPropertyMode,
    overlayBaseDatabaseStats,
    dependencyCachingStatus,
    logger,
  );
 }

+/**
+ * Loads [repository properties](https://docs.github.com/en/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization) if applicable.
+ */
+async function loadRepositoryProperties(
+  repositoryNwo: RepositoryNwo,
+  logger: Logger,
+): Promise<Result<RepositoryProperties, unknown>> {
+  // See if we can skip loading repository properties early. In particular,
+  // repositories owned by users cannot have repository properties, so we can
+  // skip the API call entirely in that case.
+  const repositoryOwnerType = github.context.payload.repository?.owner.type;
+  logger.debug(
+    `Repository owner type is '${repositoryOwnerType ?? "unknown"}'.`,
+  );
+  if (repositoryOwnerType === "User") {
+    logger.debug(
+      "Skipping loading repository properties because the repository is owned by a user and " +
+        "therefore cannot have repository properties.",
+    );
+    return new Success({});
+  }
+
+  try {
+    return new Success(await loadPropertiesFromApi(logger, repositoryNwo));
+  } catch (error) {
+    logger.warning(
+      `Failed to load repository properties: ${getErrorMessage(error)}`,
+    );
+    return new Failure(error);
+  }
+}
+
 async function recordZstdAvailability(
  config: configUtils.Config,
  zstdAvailability: ZstdAvailability,
@@ -15,7 +15,7 @@ import {
  getFileCoverageInformationEnabled,
  logFileCoverageOnPrsDeprecationWarning,
 } from "./init";
-import { BuiltInLanguage } from "./languages/index";
+import { BuiltInLanguage } from "./languages";
 import {
  createFeatures,
  LoggedMessage,
@@ -26,7 +26,7 @@ import {
  RepositoryProperties,
  RepositoryPropertyName,
 } from "./feature-flags/properties";
-import { BuiltInLanguage, Language } from "./languages/index";
+import { BuiltInLanguage, Language } from "./languages";
 import { Logger, withGroupAsync } from "./logging";
 import { ToolsSource } from "./setup-codeql";
 import { ZstdAvailability } from "./tar";
@@ -2,7 +2,6 @@ import * as core from "@actions/core";
 import { v4 as uuidV4 } from "uuid";

 import {
-  isDynamicWorkflow,
  getActionVersion,
  getOptionalInput,
  getRequiredInput,
@@ -11,17 +10,9 @@ import {
 import { AnalysisKind, getAnalysisKinds } from "./analyses";
 import { getGitHubVersion } from "./api-client";
 import { CodeQL } from "./codeql";
-import {
-  EffectiveToolsInputSource,
-  resolveToolsInputWithMetadata,
-} from "./config/resolve-tools-input";
 import { getRawLanguagesNoAutodetect } from "./config-utils";
 import { EnvVar } from "./environment";
 import { initFeatures } from "./feature-flags";
-import {
-  loadRepositoryProperties,
-  ToolsModeRepositoryPropertyValue,
-} from "./feature-flags/properties";
 import { initCodeQL } from "./init";
 import { getActionsLogger, Logger } from "./logging";
 import { getRepositoryNwo } from "./repository";
@@ -57,9 +48,6 @@ async function sendCompletedStatusReport(
  toolsFeatureFlagsValid: boolean | undefined,
  toolsSource: ToolsSource,
  toolsVersion: string,
-  effectiveToolsInput: string | undefined,
-  effectiveToolsInputSource: EffectiveToolsInputSource,
-  toolsRepoPropertyMode: ToolsModeRepositoryPropertyValue | undefined,
  logger: Logger,
  error?: Error,
 ): Promise<void> {
@@ -81,9 +69,6 @@ async function sendCompletedStatusReport(
  const initStatusReport: InitStatusReport = {
    ...statusReportBase,
    tools_input: getOptionalInput("tools") || "",
-    effective_tools_input: effectiveToolsInput || "",
-    effective_tools_input_source: effectiveToolsInputSource,
-    tools_repo_property_mode: toolsRepoPropertyMode || "",
    tools_resolved_version: toolsVersion,
    tools_source: toolsSource || ToolsSource.Unknown,
    workflow_languages: "",
@@ -114,9 +99,6 @@ async function run(startedAt: Date): Promise<void> {
  let toolsFeatureFlagsValid: boolean | undefined;
  let toolsSource: ToolsSource;
  let toolsVersion: string;
-  let effectiveToolsInput: string | undefined;
-  let effectiveToolsInputSource: EffectiveToolsInputSource;
-  let toolsRepoPropertyMode: ToolsModeRepositoryPropertyValue | undefined;

  try {
    initializeEnvironment(getActionVersion());
@@ -159,35 +141,12 @@ async function run(startedAt: Date): Promise<void> {
    const codeQLDefaultVersionInfo =
      await features.getEnabledDefaultCliVersions(gitHubVersion.type);
    toolsFeatureFlagsValid = codeQLDefaultVersionInfo.toolsFeatureFlagsValid;
-
-    // Fetch the values of known repository properties that affect us.
-    const repositoryPropertiesResult = await loadRepositoryProperties(
-      repositoryNwo,
-      logger,
-    );
-    const repositoryProperties = repositoryPropertiesResult.orElse({});
-
-    // Determine the effective tools input.
-    // The explicit `tools` workflow input takes precedence. If none is provided,
-    // fall back to the 'github-codeql-tools' repository property (if set).
-    // If 'github-codeql-tools-mode' is set to 'dynamic', this fallback applies
-    // only to dynamic workflows. Otherwise, it applies to all workflows.
-    const resolvedToolsInput = resolveToolsInputWithMetadata(
-      getOptionalInput("tools"),
-      isDynamicWorkflow(),
-      repositoryProperties,
-      logger,
-    );
-    effectiveToolsInput = resolvedToolsInput.effectiveToolsInput;
-    effectiveToolsInputSource = resolvedToolsInput.effectiveToolsInputSource;
-    toolsRepoPropertyMode = resolvedToolsInput.toolsRepoPropertyMode;
    const rawLanguages = getRawLanguagesNoAutodetect(
      getOptionalInput("languages"),
    );
    const analysisKinds = await getAnalysisKinds(logger, features);
-
    const initCodeQLResult = await initCodeQL(
-      effectiveToolsInput,
+      getOptionalInput("tools"),
      apiDetails,
      getTemporaryDirectory(),
      gitHubVersion.type,
@@ -232,9 +191,6 @@ async function run(startedAt: Date): Promise<void> {
    toolsFeatureFlagsValid,
    toolsSource,
    toolsVersion,
-    effectiveToolsInput,
-    effectiveToolsInputSource,
-    toolsRepoPropertyMode,
    logger,
  );
 }
@@ -559,7 +559,7 @@ export async function getCodeQLSource(
        );
      } else {
        if (allowToolcacheValueFF) {
-          logger.info(
+          logger.warning(
            `Ignoring 'tools: ${toolsInput}' because the workflow was not triggered dynamically.`,
          );
        } else {
@@ -6,7 +6,7 @@ import * as core from "@actions/core";
 import * as actionsUtil from "./actions-util";
 import { getGitHubVersion } from "./api-client";
 import { Feature, FeatureEnablement, initFeatures } from "./feature-flags";
-import { BuiltInLanguage, parseBuiltInLanguage } from "./languages/index";
+import { BuiltInLanguage, parseBuiltInLanguage } from "./languages";
 import { getActionsLogger, Logger } from "./logging";
 import { getRepositoryNwo } from "./repository";
 import {
@@ -10,7 +10,7 @@ import * as defaults from "./defaults.json";
 import { setUpFeatureFlagTests } from "./feature-flags/testing-util";
 import { UnvalidatedObject, validateSchema } from "./json";
 import { makeFromSchema } from "./json/testing-util";
-import { BuiltInLanguage } from "./languages/index";
+import { BuiltInLanguage } from "./languages";
 import { getRunnerLogger, Logger } from "./logging";
 import * as startProxyExports from "./start-proxy";
 import * as statusReport from "./status-report";
@@ -18,7 +18,7 @@ import {
  FeatureEnablement,
 } from "./feature-flags";
 import * as json from "./json";
-import { BuiltInLanguage } from "./languages/index";
+import { BuiltInLanguage } from "./languages";
 import { Logger } from "./logging";
 import {
  Address,
@@ -2,10 +2,9 @@ import test from "ava";
 import * as sinon from "sinon";

 import * as actionsUtil from "./actions-util";
-import { EffectiveToolsInputSource } from "./config/resolve-tools-input";
 import { Config } from "./config-utils";
 import { EnvVar } from "./environment";
-import { BuiltInLanguage } from "./languages/index";
+import { BuiltInLanguage } from "./languages";
 import { getRunnerLogger } from "./logging";
 import { ToolsSource } from "./setup-codeql";
 import {
@@ -317,9 +316,6 @@ const testCreateInitWithConfigStatusReport = makeMacro({
        const initStatusReport: InitStatusReport = {
          ...statusReportBase,
          tools_input: "",
-          effective_tools_input: "",
-          effective_tools_input_source: EffectiveToolsInputSource.None,
-          tools_repo_property_mode: "",
          tools_resolved_version: "foo",
          tools_source: ToolsSource.Unknown,
          workflow_languages: "actions",
@@ -351,8 +347,6 @@ testCreateInitWithConfigStatusReport.serial(
    languages: [BuiltInLanguage.java, BuiltInLanguage.swift],
  }),
  {
-    effective_tools_input_source: EffectiveToolsInputSource.None,
-    tools_repo_property_mode: "",
    trap_cache_download_size_bytes: 1024,
    registries: "[]",
    query_filters: "[]",
@@ -360,63 +354,6 @@ testCreateInitWithConfigStatusReport.serial(
  },
 );

-test.serial(
-  "createInitWithConfigStatusReport preserves tools telemetry fields",
-  async (t) => {
-    await withTmpDir(async (tmpDir: string) => {
-      setupEnvironmentAndStub(tmpDir);
-
-      const config = createTestConfig({
-        buildMode: BuildMode.None,
-        languages: [BuiltInLanguage.java],
-      });
-
-      const statusReportBase = await createStatusReportBase(
-        ActionName.Init,
-        "failure",
-        new Date("May 19, 2023 05:19:00"),
-        config,
-        { numAvailableBytes: 100, numTotalBytes: 500 },
-        getRunnerLogger(false),
-        "failure cause",
-        "exception stack trace",
-      );
-
-      if (t.truthy(statusReportBase)) {
-        const initStatusReport: InitStatusReport = {
-          ...statusReportBase,
-          tools_input: "",
-          effective_tools_input: "toolcache",
-          effective_tools_input_source:
-            EffectiveToolsInputSource.RepositoryProperty,
-          tools_repo_property_mode: "dynamic",
-          tools_resolved_version: "foo",
-          tools_source: ToolsSource.Unknown,
-          workflow_languages: "actions",
-        };
-
-        const initWithConfigStatusReport =
-          await createInitWithConfigStatusReport(
-            config,
-            initStatusReport,
-            undefined,
-            1024,
-            undefined,
-            undefined,
-          );
-
-        if (t.truthy(initWithConfigStatusReport)) {
-          t.is(
-            initWithConfigStatusReport.effective_tools_input_source,
-            EffectiveToolsInputSource.RepositoryProperty,
-          );
-          t.is(initWithConfigStatusReport.tools_repo_property_mode, "dynamic");
-        }
-      }
-    });
-  },
-);
-
 testCreateInitWithConfigStatusReport.serial(
  "includes packs for a single language",
  createTestConfig({
@@ -12,7 +12,6 @@ import {
  isSelfHostedRunner,
 } from "./actions-util";
 import { getAnalysisKey, getApiClient } from "./api-client";
-import { EffectiveToolsInputSource } from "./config/resolve-tools-input";
 import { parseRegistriesWithoutCredentials, type Config } from "./config-utils";
 import { DependencyCacheRestoreStatusReport } from "./dependency-caching";
 import { DocUrl } from "./doc-url";
@@ -483,12 +482,6 @@ export async function sendStatusReport<S extends StatusReportBase>(
 export interface InitStatusReport extends StatusReportBase {
  /** Value given by the user as the "tools" input. */
  tools_input: string;
-  /** The effective tools input that was used, after applying defaults and repository properties. */
-  effective_tools_input: string;
-  /** Indicates where the effective tools input was resolved from. */
-  effective_tools_input_source: EffectiveToolsInputSource;
-  /** The value of the tools repository property mode, if relevant. */
-  tools_repo_property_mode: string;
  /** Version of the bundle used. */
  tools_resolved_version: string;
  /** Where the bundle originated from. */
@@ -6,7 +6,7 @@ import * as sinon from "sinon";

 import { CodeQL, getCodeQLForTesting } from "./codeql";
 import * as configUtils from "./config-utils";
-import { BuiltInLanguage } from "./languages/index";
+import { BuiltInLanguage } from "./languages";
 import { createTestConfig, makeVersionInfo, setupTests } from "./testing-utils";
 import { ToolsFeature } from "./tools-features";
 import { getCombinedTracerConfig } from "./tracer-config";
@@ -15,7 +15,7 @@ import {
 import * as configUtils from "./config-utils";
 import { Feature } from "./feature-flags";
 import * as gitUtils from "./git-utils";
-import { BuiltInLanguage } from "./languages/index";
+import { BuiltInLanguage } from "./languages";
 import { getRunnerLogger } from "./logging";
 import {
  createFeatures,
@@ -10,7 +10,7 @@ import { type Config } from "./config-utils";
 import { DocUrl } from "./doc-url";
 import { Feature, FeatureEnablement } from "./feature-flags";
 import * as gitUtils from "./git-utils";
-import { Language } from "./languages/index";
+import { Language } from "./languages";
 import { Logger } from "./logging";
 import {
  asHTTPError,
@@ -15,7 +15,7 @@ import type { Pack } from "./config/db-config";
 import type { Config } from "./config-utils";
 import { EnvVar } from "./environment";
 import * as json from "./json";
-import { Language } from "./languages/index";
+import { Language } from "./languages";
 import { Logger } from "./logging";

 /**