Merge pull request #3826 from github/backport-v3.35.2-95e58e9a2

Merge releases/v4 into releases/v3
Rebuild
2026-05-09 15:20:28 +00:00 · 2026-04-15 12:51:20 +01:00 · 2026-04-15 11:30:55 +00:00 · 2026-04-15 11:26:58 +00:00 · 2026-04-15 11:26:57 +00:00 · 2026-04-15 11:26:56 +00:00
83 changed files with 10616 additions and 15030 deletions
@@ -16,5 +16,5 @@ inputs:
      Comma separated list of query ids that should NOT be included in this SARIF file.

 runs:
-  using: node24
+  using: node20
  main: index.js
@@ -1,6 +1,6 @@
 name: Verify that the best-effort debug artifact scan completed
 description: Verifies that the best-effort debug artifact scan completed successfully during tests
 runs:
-  using: node24
+  using: node20
  main: index.js
  post: post.js
@@ -1,5 +1,5 @@
 name: "CodeQL config"
-queries:
+queries: 
  - name: Run custom queries
    uses: ./queries
  # Run all extra query suites, both because we want to
@@ -13,5 +13,3 @@ queries:
 paths-ignore:
  - lib
  - tests
-  - "**/*.test.ts"
-  - "**/testing-util.ts"
@@ -59,7 +59,7 @@ jobs:
          use-all-platform-bundle: 'false'
          setup-kotlin: 'true'
      - name: Set up Ruby
-        uses: ruby/setup-ruby@0cb964fd540e0a24c900370abf38a33466142735 # v1.305.0
+        uses: ruby/setup-ruby@4c56a21280b36d862b5fc31348f463d60bdc55d5 # v1.301.0
        with:
          ruby-version: 2.6
      - name: Install Code Scanning integration
@@ -1,106 +0,0 @@
-# Workflow runs on main, on a release branch, and that were triggered as part of a merge group have
-# already passed CI before being merged. Therefore if they fail, we should make sure that there
-# wasn't a transient failure by rerunning the failed jobs once before investigating further.
-name: Deflake
-
-on:
-  workflow_run:
-    types: [completed]
-    # Exclude workflows that have significant side effects, like publishing releases. It's OK to
-    # retry CodeQL analysis.
-    workflows:
-      - Check Expected Release Files
-      - Code-Scanning config CLI tests
-      - CodeQL action
-      - Manual Check - go
-      - "PR Check - All-platform bundle"
-      - "PR Check - Analysis kinds"
-      - "PR Check - Analyze: 'ref' and 'sha' from inputs"
-      - "PR Check - autobuild-action"
-      - "PR Check - Autobuild direct tracing (custom working directory)"
-      - "PR Check - Autobuild working directory"
-      - "PR Check - Build mode autobuild"
-      - "PR Check - Build mode manual"
-      - "PR Check - Build mode none"
-      - "PR Check - Build mode rollback"
-      - "PR Check - Bundle: Caching checks"
-      - "PR Check - Bundle: From nightly"
-      - "PR Check - Bundle: From toolcache"
-      - "PR Check - Bundle: Zstandard checks"
-      - "PR Check - C/C\\+\\+: autoinstalling dependencies (Linux)"
-      - "PR Check - C/C\\+\\+: autoinstalling dependencies is skipped (macOS)"
-      - "PR Check - C/C\\+\\+: disabling autoinstalling dependencies (Linux)"
-      - "PR Check - Clean up database cluster directory"
-      - "PR Check - CodeQL Bundle All"
-      - "PR Check - Config export"
-      - "PR Check - Config input"
-      - "PR Check - Custom source root"
-      - "PR Check - Debug artifact upload"
-      - "PR Check - Debug artifacts after failure"
-      - "PR Check - Diagnostic export"
-      - "PR Check - Export file baseline information"
-      - "PR Check - Extractor ram and threads options test"
-      - "PR Check - Go: Custom queries"
-      - "PR Check - Go: diagnostic when Go is changed after init step"
-      - "PR Check - Go: diagnostic when `file` is not installed"
-      - "PR Check - Go: tracing with autobuilder step"
-      - "PR Check - Go: tracing with custom build steps"
-      - "PR Check - Go: tracing with legacy workflow"
-      - "PR Check - Go: workaround for indirect tracing"
-      - "PR Check - Job run UUID added to SARIF"
-      - "PR Check - Language aliases"
-      - "PR Check - Local CodeQL bundle"
-      - "PR Check - Multi-language repository"
-      - "PR Check - Overlay database init fallback"
-      - "PR Check - Packaging: Action input"
-      - "PR Check - Packaging: Config and input"
-      - "PR Check - Packaging: Config and input passed to the CLI"
-      - "PR Check - Packaging: Config file"
-      - "PR Check - Packaging: Download using registries"
-      - "PR Check - Proxy test"
-      - "PR Check - Remote config file"
-      - "PR Check - Resolve environment"
-      - "PR Check - RuboCop multi-language"
-      - "PR Check - Ruby analysis"
-      - "PR Check - Rust analysis"
-      - "PR Check - Split workflow"
-      - "PR Check - Start proxy"
-      - "PR Check - Submit SARIF after failure"
-      - "PR Check - Swift analysis using a custom build command"
-      - "PR Check - Swift analysis using autobuild"
-      - "PR Check - Test different uses of `upload-sarif`"
-      - "PR Check - Test unsetting environment variables"
-      - "PR Check - Upload-sarif: ref and sha from inputs"
-      - "PR Check - Use a custom `checkout_path`"
-      - PR Checks
-      - Query filters tests
-      - Test that the workaround for python 3.12 on windows works
-
-jobs:
-  rerun-on-failure:
-    name: Rerun failed jobs
-    if: >-
-      github.event.workflow_run.conclusion == 'failure' &&
-      github.event.workflow_run.run_attempt == 1 &&
-      (
-        github.event.workflow_run.head_branch == 'main' ||
-        startsWith(github.event.workflow_run.head_branch, 'releases/') ||
-        github.event.workflow_run.event == 'merge_group'
-      )
-    runs-on: ubuntu-slim
-    permissions:
-      actions: write
-    steps:
-      - name: Rerun failed jobs in ${{ github.event.workflow_run.name }}
-        env:
-          GH_TOKEN: ${{ github.token }}
-          GH_REPO: ${{ github.repository }}
-          RUN_ID: ${{ github.event.workflow_run.id }}
-          RUN_NAME: ${{ github.event.workflow_run.name }}
-          RUN_URL: ${{ github.event.workflow_run.html_url }}
-        run: |
-          echo "Rerunning failed jobs for workflow run ${RUN_ID}"
-          gh run rerun "${RUN_ID}" --failed
-          echo "### Reran failed jobs :recycle:" >> "$GITHUB_STEP_SUMMARY"
-          echo "" >> "$GITHUB_STEP_SUMMARY"
-          echo "Workflow: [${RUN_NAME}](${RUN_URL})" >> "$GITHUB_STEP_SUMMARY"
@@ -63,10 +63,13 @@ jobs:
        with:
          tools: https://github.com/github/codeql-action/releases/download/${{ github.event.release.tag_name }}/codeql-bundle-linux64.tar.gz

-      - name: Update built-in languages
-        run: npx tsx pr-checks/update-builtin-languages.ts "$CODEQL_PATH"
+      - name: Update language aliases
        env:
          CODEQL_PATH: ${{ steps.setup-codeql.outputs.codeql-path }}
+        run: |
+          "$CODEQL_PATH" resolve languages --format=betterjson --extractor-include-aliases \
+            | jq -S '.aliases // {}' \
+            > src/known-language-aliases.json

      - name: Bump Action minor version if new CodeQL minor version series
        id: bump-action-version
@@ -2,19 +2,7 @@

 See the [releases page](https://github.com/github/codeql-action/releases) for the relevant changes to the CodeQL CLI and language packs.

-## [UNRELEASED]
-
-No user facing changes.
-
-## 4.35.3 - 01 May 2026
-
- _Upcoming breaking change_: Add a deprecation warning for customers using CodeQL version 2.19.3 and earlier. These versions of CodeQL were discontinued on 9 April 2026 alongside GitHub Enterprise Server 3.15, and will be unsupported by the next minor release of the CodeQL Action. [#3837](https://github.com/github/codeql-action/pull/3837)
- Configurations for private registries that use Cloudsmith or GCP OIDC are now accepted. [#3850](https://github.com/github/codeql-action/pull/3850)
- Best-effort connection tests for private registries now use `GET` requests instead of `HEAD` for better compatibility with various registry implementations. For NuGet feeds, the test is now always performed against the service index. [#3853](https://github.com/github/codeql-action/pull/3853)
- Fixed a bug where two diagnostics produced within the same millisecond could overwrite each other on disk, causing one of them to be lost. [#3852](https://github.com/github/codeql-action/pull/3852)
- Update default CodeQL bundle version to [2.25.3](https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.25.3). [#3865](https://github.com/github/codeql-action/pull/3865)
-
-## 4.35.2 - 15 Apr 2026
+## 3.35.2 - 15 Apr 2026

 - The undocumented TRAP cache cleanup feature that could be enabled using the `CODEQL_ACTION_CLEANUP_TRAP_CACHES` environment variable is deprecated and will be removed in May 2026. If you are affected by this, we recommend disabling TRAP caching by passing the `trap-caching: false` input to the `init` Action. [#3795](https://github.com/github/codeql-action/pull/3795)
 - The Git version 2.36.0 requirement for improved incremental analysis now only applies to repositories that contain submodules. [#3789](https://github.com/github/codeql-action/pull/3789)
@@ -22,29 +10,28 @@ No user facing changes.
 - Fixed a bug in the validation of OIDC configurations for private registries that was added in CodeQL Action 4.33.0 / 3.33.0. [#3807](https://github.com/github/codeql-action/pull/3807)
 - Update default CodeQL bundle version to [2.25.2](https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.25.2). [#3823](https://github.com/github/codeql-action/pull/3823)

-## 4.35.1 - 27 Mar 2026
+## 3.35.1 - 27 Mar 2026

 - Fix incorrect minimum required Git version for [improved incremental analysis](https://github.com/github/roadmap/issues/1158): it should have been 2.36.0, not 2.11.0. [#3781](https://github.com/github/codeql-action/pull/3781)

-## 4.35.0 - 27 Mar 2026
+## 3.35.0 - 27 Mar 2026

 - Reduced the minimum Git version required for [improved incremental analysis](https://github.com/github/roadmap/issues/1158) from 2.38.0 to 2.11.0. [#3767](https://github.com/github/codeql-action/pull/3767)
 - Update default CodeQL bundle version to [2.25.1](https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.25.1). [#3773](https://github.com/github/codeql-action/pull/3773)

-## 4.34.1 - 20 Mar 2026
+## 3.34.1 - 20 Mar 2026

 - Downgrade default CodeQL bundle version to [2.24.3](https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.24.3) due to issues with a small percentage of Actions and JavaScript analyses. [#3762](https://github.com/github/codeql-action/pull/3762)

-## 4.34.0 - 20 Mar 2026
+## 3.34.0 - 20 Mar 2026

 - Added an experimental change which disables TRAP caching when [improved incremental analysis](https://github.com/github/roadmap/issues/1158) is enabled, since improved incremental analysis supersedes TRAP caching. This will improve performance and reduce Actions cache usage. We expect to roll this change out to everyone in March. [#3569](https://github.com/github/codeql-action/pull/3569)
 - We are rolling out improved incremental analysis to C/C++ analyses that use build mode `none`. We expect this rollout to be complete by the end of April 2026. [#3584](https://github.com/github/codeql-action/pull/3584)
 - Update default CodeQL bundle version to [2.25.0](https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.25.0). [#3585](https://github.com/github/codeql-action/pull/3585)

-## 4.33.0 - 16 Mar 2026
+## 3.33.0 - 16 Mar 2026

 - Upcoming change: Starting April 2026, the CodeQL Action will skip collecting file coverage information on pull requests to improve analysis performance. File coverage information will still be computed on non-PR analyses. Pull request analyses will log a warning about this upcoming change. [#3562](https://github.com/github/codeql-action/pull/3562)
-
  To opt out of this change:
  - **Repositories owned by an organization:** Create a custom repository property with the name `github-codeql-file-coverage-on-prs` and the type "True/false", then set this property to `true` in the repository's settings. For more information, see [Managing custom properties for repositories in your organization](https://docs.github.com/en/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization). Alternatively, if you are using an advanced setup workflow, you can set the `CODEQL_ACTION_FILE_COVERAGE_ON_PRS` environment variable to `true` in your workflow.
  - **User-owned repositories using default setup:** Switch to an advanced setup workflow and set the `CODEQL_ACTION_FILE_COVERAGE_ON_PRS` environment variable to `true` in your workflow.
@@ -55,11 +42,11 @@ No user facing changes.
 - Fixed the retry mechanism for database uploads. Previously this would fail with the error "Response body object should not be disturbed or locked". [#3564](https://github.com/github/codeql-action/pull/3564)
 - A warning is now emitted if the CodeQL Action detects a repository property whose name suggests that it relates to the CodeQL Action, but which is not one of the properties recognised by the current version of the CodeQL Action. [#3570](https://github.com/github/codeql-action/pull/3570)

-## 4.32.6 - 05 Mar 2026
+## 3.32.6 - 05 Mar 2026

 - Update default CodeQL bundle version to [2.24.3](https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.24.3). [#3548](https://github.com/github/codeql-action/pull/3548)

-## 4.32.5 - 02 Mar 2026
+## 3.32.5 - 02 Mar 2026

 - Repositories owned by an organization can now set up the `github-codeql-disable-overlay` custom repository property to disable [improved incremental analysis for CodeQL](https://github.com/github/roadmap/issues/1158). First, create a custom repository property with the name `github-codeql-disable-overlay` and the type "True/false" in the organization's settings. Then in the repository's settings, set this property to `true` to disable improved incremental analysis. For more information, see [Managing custom properties for repositories in your organization](https://docs.github.com/en/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization). This feature is not yet available on GitHub Enterprise Server. [#3507](https://github.com/github/codeql-action/pull/3507)
 - Added an experimental change so that when [improved incremental analysis](https://github.com/github/roadmap/issues/1158) fails on a runner — potentially due to insufficient disk space — the failure is recorded in the Actions cache so that subsequent runs will automatically skip improved incremental analysis until something changes (e.g. a larger runner is provisioned or a new CodeQL version is released). We expect to roll this change out to everyone in March. [#3487](https://github.com/github/codeql-action/pull/3487)
@@ -69,7 +56,7 @@ No user facing changes.
 - Added an experimental change which allows the `start-proxy` action to resolve the CodeQL CLI version from feature flags instead of using the linked CLI bundle version. We expect to roll this change out to everyone in March. [#3512](https://github.com/github/codeql-action/pull/3512)
 - The previously experimental changes from versions 4.32.3, 4.32.4, 3.32.3 and 3.32.4 are now enabled by default. [#3503](https://github.com/github/codeql-action/pull/3503), [#3504](https://github.com/github/codeql-action/pull/3504)

-## 4.32.4 - 20 Feb 2026
+## 3.32.4 - 20 Feb 2026

 - Update default CodeQL bundle version to [2.24.2](https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.24.2). [#3493](https://github.com/github/codeql-action/pull/3493)
 - Added an experimental change which improves how certificates are generated for the authentication proxy that is used by the CodeQL Action in Default Setup when [private package registries are configured](https://docs.github.com/en/code-security/how-tos/secure-at-scale/configure-organization-security/manage-usage-and-access/giving-org-access-private-registries). This is expected to generate more widely compatible certificates and should have no impact on analyses which are working correctly already. We expect to roll this change out to everyone in February. [#3473](https://github.com/github/codeql-action/pull/3473)
@@ -77,88 +64,88 @@ No user facing changes.
 - Added a setting which allows the CodeQL Action to enable network debugging for Java programs. This will help GitHub staff support customers with troubleshooting issues in GitHub-managed CodeQL workflows, such as Default Setup. This setting can only be enabled by GitHub staff. [#3485](https://github.com/github/codeql-action/pull/3485)
 - Added a setting which enables GitHub-managed workflows, such as Default Setup, to use a [nightly CodeQL CLI release](https://github.com/dsp-testing/codeql-cli-nightlies) instead of the latest, stable release that is used by default. This will help GitHub staff support customers whose analyses for a given repository or organization require early access to a change in an upcoming CodeQL CLI release. This setting can only be enabled by GitHub staff. [#3484](https://github.com/github/codeql-action/pull/3484)

-## 4.32.3 - 13 Feb 2026
+## 3.32.3 - 13 Feb 2026

 - Added experimental support for testing connections to [private package registries](https://docs.github.com/en/code-security/how-tos/secure-at-scale/configure-organization-security/manage-usage-and-access/giving-org-access-private-registries). This feature is not currently enabled for any analysis. In the future, it may be enabled by default for Default Setup. [#3466](https://github.com/github/codeql-action/pull/3466)

-## 4.32.2 - 05 Feb 2026
+## 3.32.2 - 05 Feb 2026

 - Update default CodeQL bundle version to [2.24.1](https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.24.1). [#3460](https://github.com/github/codeql-action/pull/3460)

-## 4.32.1 - 02 Feb 2026
+## 3.32.1 - 02 Feb 2026

 - A warning is now shown in Default Setup workflow logs if a [private package registry is configured](https://docs.github.com/en/code-security/how-tos/secure-at-scale/configure-organization-security/manage-usage-and-access/giving-org-access-private-registries) using a GitHub Personal Access Token (PAT), but no username is configured. [#3422](https://github.com/github/codeql-action/pull/3422)
 - Fixed a bug which caused the CodeQL Action to fail when repository properties cannot successfully be retrieved. [#3421](https://github.com/github/codeql-action/pull/3421)

-## 4.32.0 - 26 Jan 2026
+## 3.32.0 - 26 Jan 2026

 - Update default CodeQL bundle version to [2.24.0](https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.24.0). [#3425](https://github.com/github/codeql-action/pull/3425)

-## 4.31.11 - 23 Jan 2026
+## 3.31.11 - 23 Jan 2026

 - When running a Default Setup workflow with [Actions debugging enabled](https://docs.github.com/en/actions/how-tos/monitor-workflows/enable-debug-logging), the CodeQL Action will now use more unique names when uploading logs from the Dependabot authentication proxy as workflow artifacts. This ensures that the artifact names do not clash between multiple jobs in a build matrix. [#3409](https://github.com/github/codeql-action/pull/3409)
 - Improved error handling throughout the CodeQL Action. [#3415](https://github.com/github/codeql-action/pull/3415)
 - Added experimental support for automatically excluding [generated files](https://docs.github.com/en/repositories/working-with-files/managing-files/customizing-how-changed-files-appear-on-github) from the analysis. This feature is not currently enabled for any analysis. In the future, it may be enabled by default for some GitHub-managed analyses. [#3318](https://github.com/github/codeql-action/pull/3318)
 - The changelog extracts that are included with releases of the CodeQL Action are now shorter to avoid duplicated information from appearing in Dependabot PRs. [#3403](https://github.com/github/codeql-action/pull/3403)

-## 4.31.10 - 12 Jan 2026
+## 3.31.10 - 12 Jan 2026

 - Update default CodeQL bundle version to 2.23.9. [#3393](https://github.com/github/codeql-action/pull/3393)

-## 4.31.9 - 16 Dec 2025
+## 3.31.9 - 16 Dec 2025

 No user facing changes.

-## 4.31.8 - 11 Dec 2025
+## 3.31.8 - 11 Dec 2025

 - Update default CodeQL bundle version to 2.23.8. [#3354](https://github.com/github/codeql-action/pull/3354)

-## 4.31.7 - 05 Dec 2025
+## 3.31.7 - 05 Dec 2025

 - Update default CodeQL bundle version to 2.23.7. [#3343](https://github.com/github/codeql-action/pull/3343)

-## 4.31.6 - 01 Dec 2025
+## 3.31.6 - 01 Dec 2025

 No user facing changes.

-## 4.31.5 - 24 Nov 2025
+## 3.31.5 - 24 Nov 2025

 - Update default CodeQL bundle version to 2.23.6. [#3321](https://github.com/github/codeql-action/pull/3321)

-## 4.31.4 - 18 Nov 2025
+## 3.31.4 - 18 Nov 2025

 No user facing changes.

-## 4.31.3 - 13 Nov 2025
+## 3.31.3 - 13 Nov 2025

 - CodeQL Action v3 will be deprecated in December 2026.  The Action now logs a warning for customers who are running v3 but could be running v4. For more information, see [Upcoming deprecation of CodeQL Action v3](https://github.blog/changelog/2025-10-28-upcoming-deprecation-of-codeql-action-v3/).
 - Update default CodeQL bundle version to 2.23.5. [#3288](https://github.com/github/codeql-action/pull/3288)

-## 4.31.2 - 30 Oct 2025
+## 3.31.2 - 30 Oct 2025

 No user facing changes.

-## 4.31.1 - 30 Oct 2025
+## 3.31.1 - 30 Oct 2025

 - The `add-snippets` input has been removed from the `analyze` action. This input has been deprecated since CodeQL Action 3.26.4 in August 2024 when this removal was announced.

-## 4.31.0 - 24 Oct 2025
+## 3.31.0 - 24 Oct 2025

 - Bump minimum CodeQL bundle version to 2.17.6. [#3223](https://github.com/github/codeql-action/pull/3223)
 - When SARIF files are uploaded by the `analyze` or `upload-sarif` actions, the CodeQL Action automatically performs post-processing steps to prepare the data for the upload. Previously, these post-processing steps were only performed before an upload took place. We are now changing this so that the post-processing steps will always be performed, even when the SARIF files are not uploaded. This does not change anything for the `upload-sarif` action. For `analyze`, this may affect Advanced Setup for CodeQL users who specify a value other than `always` for the `upload` input. [#3222](https://github.com/github/codeql-action/pull/3222)

-## 4.30.9 - 17 Oct 2025
+## 3.30.9 - 17 Oct 2025

 - Update default CodeQL bundle version to 2.23.3. [#3205](https://github.com/github/codeql-action/pull/3205)
 - Experimental: A new `setup-codeql` action has been added which is similar to `init`, except it only installs the CodeQL CLI and does not initialize a database. Do not use this in production as it is part of an internal experiment and subject to change at any time. [#3204](https://github.com/github/codeql-action/pull/3204)

-## 4.30.8 - 10 Oct 2025
+## 3.30.8 - 10 Oct 2025

 No user facing changes.

-## 4.30.7 - 06 Oct 2025
+## 3.30.7 - 06 Oct 2025

- [v4+ only] The CodeQL Action now runs on Node.js v24. [#3169](https://github.com/github/codeql-action/pull/3169)
+No user facing changes.

 ## 3.30.6 - 02 Oct 2025

@@ -394,17 +381,13 @@ No user facing changes.
 ## 3.26.12 - 07 Oct 2024

 - _Upcoming breaking change_: Add a deprecation warning for customers using CodeQL version 2.14.5 and earlier. These versions of CodeQL were discontinued on 24 September 2024 alongside GitHub Enterprise Server 3.10, and will be unsupported by CodeQL Action versions 3.27.0 and later and versions 2.27.0 and later. [#2520](https://github.com/github/codeql-action/pull/2520)
-
  - If you are using one of these versions, please update to CodeQL CLI version 2.14.6 or later. For instance, if you have specified a custom version of the CLI using the 'tools' input to the 'init' Action, you can remove this input to use the default version.
-
  - Alternatively, if you want to continue using a version of the CodeQL CLI between 2.13.5 and 2.14.5, you can replace `github/codeql-action/*@v3` by `github/codeql-action/*@v3.26.11` and `github/codeql-action/*@v2` by `github/codeql-action/*@v2.26.11` in your code scanning workflow to ensure you continue using this version of the CodeQL Action.

 ## 3.26.11 - 03 Oct 2024

 - _Upcoming breaking change_: Add support for using `actions/download-artifact@v4` to programmatically consume CodeQL Action debug artifacts.
-
  Starting November 30, 2024, GitHub.com customers will [no longer be able to use `actions/download-artifact@v3`](https://github.blog/changelog/2024-04-16-deprecation-notice-v3-of-the-artifact-actions/). Therefore, to avoid breakage, customers who programmatically download the CodeQL Action debug artifacts should set the `CODEQL_ACTION_ARTIFACT_V4_UPGRADE` environment variable to `true` and bump `actions/download-artifact@v3` to `actions/download-artifact@v4` in their workflows. The CodeQL Action will enable this behavior by default in early November and workflows that have not yet bumped `actions/download-artifact@v3` to `actions/download-artifact@v4` will begin failing then.
-
  This change is currently unavailable for GitHub Enterprise Server customers, as `actions/upload-artifact@v4` and `actions/download-artifact@v4` are not yet compatible with GHES.
 - Update default CodeQL bundle version to 2.19.1. [#2519](https://github.com/github/codeql-action/pull/2519)

@@ -527,12 +510,9 @@ No user facing changes.
 ## 3.25.0 - 15 Apr 2024

 - The deprecated feature for extracting dependencies for a Python analysis has been removed. [#2224](https://github.com/github/codeql-action/pull/2224)
-
  As a result, the following inputs and environment variables are now ignored:
-
  - The `setup-python-dependencies` input to the `init` Action
  - The `CODEQL_ACTION_DISABLE_PYTHON_DEPENDENCY_INSTALLATION` environment variable
-
  We recommend removing any references to these from your workflows. For more information, see the release notes for CodeQL Action v3.23.0 and v2.23.0.
 - Automatically overwrite an existing database if found on the filesystem. [#2229](https://github.com/github/codeql-action/pull/2229)
 - Bump the minimum CodeQL bundle version to 2.12.6. [#2232](https://github.com/github/codeql-action/pull/2232)
@@ -72,7 +72,6 @@ We typically release new minor versions of the CodeQL Action and Bundle when a n

 | Minimum CodeQL Action | Minimum CodeQL Bundle Version | GitHub Environment | Notes |
 |-----------------------|-------------------------------|--------------------|-------|
-| `v4.33.0` | `2.24.3` | Enterprise Server 3.21 | |
 | `v4.31.10` | `2.23.9` | Enterprise Server 3.20 | |
 | `v3.29.11` | `2.22.4` | Enterprise Server 3.19 | |
 | `v3.28.21` | `2.21.3` | Enterprise Server 3.18 | |
@@ -94,6 +94,6 @@ outputs:
  sarif-id:
    description: The ID of the uploaded SARIF file.
 runs:
-  using: node24
+  using: node20
  main: "../lib/analyze-action.js"
  post: "../lib/analyze-action-post.js"
@@ -15,5 +15,5 @@ inputs:
      $GITHUB_WORKSPACE as its working directory.
    required: false
 runs:
-  using: node24
+  using: node20
  main: '../lib/autobuild-action.js'
@@ -170,6 +170,6 @@ outputs:
  codeql-version:
    description: The version of the CodeQL binary used for analysis
 runs:
-  using: node24
+  using: node20
  main: '../lib/init-action.js'
  post: '../lib/init-action-post.js'
@@ -1,6 +1,6 @@
 {
-  "bundleVersion": "codeql-bundle-v2.25.3",
-  "cliVersion": "2.25.3",
-  "priorBundleVersion": "codeql-bundle-v2.25.2",
-  "priorCliVersion": "2.25.2"
+  "bundleVersion": "codeql-bundle-v2.25.2",
+  "cliVersion": "2.25.2",
+  "priorBundleVersion": "codeql-bundle-v2.25.1",
+  "priorCliVersion": "2.25.1"
 }
@@ -1,12 +1,12 @@
 {
  "name": "codeql",
-  "version": "4.35.4",
+  "version": "4.35.2",
  "lockfileVersion": 3,
  "requires": true,
  "packages": {
    "": {
      "name": "codeql",
-      "version": "4.35.4",
+      "version": "4.35.2",
      "license": "MIT",
      "workspaces": [
        "pr-checks"
@@ -25,7 +25,7 @@
        "@octokit/plugin-retry": "^8.1.0",
        "archiver": "^7.0.1",
        "fast-deep-equal": "^3.1.3",
-        "follow-redirects": "^1.16.0",
+        "follow-redirects": "^1.15.11",
        "get-folder-size": "^5.0.0",
        "https-proxy-agent": "^7.0.6",
        "js-yaml": "^4.1.1",
@@ -33,11 +33,11 @@
        "long": "^5.3.2",
        "node-forge": "^1.4.0",
        "semver": "^7.7.4",
-        "uuid": "^14.0.0"
+        "uuid": "^13.0.0"
      },
      "devDependencies": {
-        "@ava/typescript": "7.0.0",
-        "@eslint/compat": "^2.0.5",
+        "@ava/typescript": "6.0.0",
+        "@eslint/compat": "^2.0.4",
        "@microsoft/eslint-formatter-sarif": "^3.1.0",
        "@octokit/types": "^16.0.0",
        "@types/archiver": "^7.0.0",
@@ -51,17 +51,17 @@
        "ava": "^7.0.0",
        "esbuild": "^0.28.0",
        "eslint": "^9.39.2",
-        "eslint-import-resolver-typescript": "^4.4.4",
+        "eslint-import-resolver-typescript": "^3.8.7",
        "eslint-plugin-github": "^6.0.0",
        "eslint-plugin-import-x": "^4.16.2",
        "eslint-plugin-jsdoc": "^62.9.0",
        "eslint-plugin-no-async-foreach": "^0.1.1",
        "glob": "^11.1.0",
-        "globals": "^17.5.0",
+        "globals": "^17.4.0",
        "nock": "^14.0.12",
-        "sinon": "^21.1.2",
+        "sinon": "^21.0.3",
        "typescript": "^6.0.2",
-        "typescript-eslint": "^8.58.2"
+        "typescript-eslint": "^8.58.0"
      }
    },
    "node_modules/@aashutoshrathi/word-wrap": {
@@ -468,17 +468,16 @@
      }
    },
    "node_modules/@ava/typescript": {
-      "version": "7.0.0",
-      "resolved": "https://registry.npmjs.org/@ava/typescript/-/typescript-7.0.0.tgz",
-      "integrity": "sha512-0ktzq4/9ya2QoAuVWzl3McpLV9W//Tj+oMonQ4ucgm5l6tQ46aaju/rJL9kzeY5MkG6wzXvFt/MmaLqf9uNC9w==",
+      "version": "6.0.0",
+      "resolved": "https://registry.npmjs.org/@ava/typescript/-/typescript-6.0.0.tgz",
+      "integrity": "sha512-+8oDYc4J5cCaWZh1VUbyc+cegGplJO9FqHpqR4LVAVx8fRLVRaYlC4yyA6cqHJ1vWP23Ff/ECS5U68Zz6OLZlg==",
      "dev": true,
-      "license": "MIT",
      "dependencies": {
        "escape-string-regexp": "^5.0.0",
-        "execa": "^9.6.1"
+        "execa": "^9.6.0"
      },
      "engines": {
-        "node": "^22.20 || ^24.12 || >=25"
+        "node": "^20.8 || ^22 || >=24"
      }
    },
    "node_modules/@ava/typescript/node_modules/escape-string-regexp": {
@@ -1334,13 +1333,13 @@
      }
    },
    "node_modules/@eslint/compat": {
-      "version": "2.0.5",
-      "resolved": "https://registry.npmjs.org/@eslint/compat/-/compat-2.0.5.tgz",
-      "integrity": "sha512-IbHDbHJfkVNv6xjlET8AIVo/K1NQt7YT4Rp6ok/clyBGcpRx1l6gv0Rq3vBvYfPJIZt6ODf66Zq08FJNDpnzgg==",
+      "version": "2.0.4",
+      "resolved": "https://registry.npmjs.org/@eslint/compat/-/compat-2.0.4.tgz",
+      "integrity": "sha512-o598tCGstJv9Kk4XapwP+oDij9HD9Qr3V37ABzTfdzVvbFciV+sfg9zSW6olj6G/IXj7p89SwSzPnZ+JUEPIPg==",
      "dev": true,
      "license": "Apache-2.0",
      "dependencies": {
-        "@eslint/core": "^1.2.1"
+        "@eslint/core": "^1.2.0"
      },
      "engines": {
        "node": "^20.19.0 || ^22.13.0 || >=24"
@@ -1989,18 +1988,6 @@
        "@tybys/wasm-util": "^0.10.0"
      }
    },
-    "node_modules/@nodable/entities": {
-      "version": "2.1.0",
-      "resolved": "https://registry.npmjs.org/@nodable/entities/-/entities-2.1.0.tgz",
-      "integrity": "sha512-nyT7T3nbMyBI/lvr6L5TyWbFJAI9FTgVRakNoBqCD+PmID8DzFrrNdLLtHMwMszOtqZa8PAOV24ZqDnQrhQINA==",
-      "funding": [
-        {
-          "type": "github",
-          "url": "https://github.com/sponsors/nodable"
-        }
-      ],
-      "license": "MIT"
-    },
    "node_modules/@nodelib/fs.scandir": {
      "version": "2.1.5",
      "dev": true,
@@ -2033,6 +2020,15 @@
        "node": ">= 8"
      }
    },
+    "node_modules/@nolyfill/is-core-module": {
+      "version": "1.0.39",
+      "resolved": "https://registry.npmjs.org/@nolyfill/is-core-module/-/is-core-module-1.0.39.tgz",
+      "integrity": "sha512-nn5ozdjYQpUCZlWGuxcJY/KpxkWQs4DcbMCmKojjyrYDEAGy4Ce19NN4v5MduafTwJlbKc99UA8YhSVqq9yPZA==",
+      "dev": true,
+      "engines": {
+        "node": ">=12.4.0"
+      }
+    },
    "node_modules/@octokit/auth-token": {
      "version": "6.0.0",
      "resolved": "https://registry.npmjs.org/@octokit/auth-token/-/auth-token-6.0.0.tgz",
@@ -2366,8 +2362,7 @@
      "version": "0.4.1",
      "resolved": "https://registry.npmjs.org/@sec-ant/readable-stream/-/readable-stream-0.4.1.tgz",
      "integrity": "sha512-831qok9r2t8AlxLko40y2ebgSDhenenCatLVeW/uBtnHPyhHOvG0C7TvfgecV+wHzIm5KUICgzmVpWS+IMEAeg==",
-      "dev": true,
-      "license": "MIT"
+      "dev": true
    },
    "node_modules/@sindresorhus/base62": {
      "version": "1.0.0",
@@ -2405,9 +2400,9 @@
      }
    },
    "node_modules/@sinonjs/fake-timers": {
-      "version": "15.3.2",
-      "resolved": "https://registry.npmjs.org/@sinonjs/fake-timers/-/fake-timers-15.3.2.tgz",
-      "integrity": "sha512-mrn35Jl2pCpns+mE3HaZa1yPN5EYCRgiMI+135COjr2hr8Cls9DXqIZ57vZe2cz7y2XVSq92tcs6kGQcT1J8Rw==",
+      "version": "15.1.1",
+      "resolved": "https://registry.npmjs.org/@sinonjs/fake-timers/-/fake-timers-15.1.1.tgz",
+      "integrity": "sha512-cO5W33JgAPbOh07tvZjUOJ7oWhtaqGHiZw+11DPbyqh2kHTBc3eF/CjJDeQ4205RLQsX6rxCuYOroFQwl7JDRw==",
      "dev": true,
      "license": "BSD-3-Clause",
      "dependencies": {
@@ -2415,9 +2410,9 @@
      }
    },
    "node_modules/@sinonjs/samsam": {
-      "version": "10.0.2",
-      "resolved": "https://registry.npmjs.org/@sinonjs/samsam/-/samsam-10.0.2.tgz",
-      "integrity": "sha512-8lVwD1Df1BmzoaOLhMcGGcz/Jyr5QY2KSB75/YK1QgKzoabTeLdIVyhXNZK9ojfSKSdirbXqdbsXXqP9/Ve8+A==",
+      "version": "9.0.3",
+      "resolved": "https://registry.npmjs.org/@sinonjs/samsam/-/samsam-9.0.3.tgz",
+      "integrity": "sha512-ZgYY7Dc2RW+OUdnZ1DEHg00lhRt+9BjymPKHog4PRFzr1U3MbK57+djmscWyKxzO1qfunHqs4N45WWyKIFKpiQ==",
      "dev": true,
      "license": "BSD-3-Clause",
      "dependencies": {
@@ -2554,17 +2549,17 @@
      "license": "MIT"
    },
    "node_modules/@typescript-eslint/eslint-plugin": {
-      "version": "8.58.2",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/eslint-plugin/-/eslint-plugin-8.58.2.tgz",
-      "integrity": "sha512-aC2qc5thQahutKjP+cl8cgN9DWe3ZUqVko30CMSZHnFEHyhOYoZSzkGtAI2mcwZ38xeImDucI4dnqsHiOYuuCw==",
+      "version": "8.58.0",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/eslint-plugin/-/eslint-plugin-8.58.0.tgz",
+      "integrity": "sha512-RLkVSiNuUP1C2ROIWfqX+YcUfLaSnxGE/8M+Y57lopVwg9VTYYfhuz15Yf1IzCKgZj6/rIbYTmJCUSqr76r0Wg==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
        "@eslint-community/regexpp": "^4.12.2",
-        "@typescript-eslint/scope-manager": "8.58.2",
-        "@typescript-eslint/type-utils": "8.58.2",
-        "@typescript-eslint/utils": "8.58.2",
-        "@typescript-eslint/visitor-keys": "8.58.2",
+        "@typescript-eslint/scope-manager": "8.58.0",
+        "@typescript-eslint/type-utils": "8.58.0",
+        "@typescript-eslint/utils": "8.58.0",
+        "@typescript-eslint/visitor-keys": "8.58.0",
        "ignore": "^7.0.5",
        "natural-compare": "^1.4.0",
        "ts-api-utils": "^2.5.0"
@@ -2577,7 +2572,7 @@
        "url": "https://opencollective.com/typescript-eslint"
      },
      "peerDependencies": {
-        "@typescript-eslint/parser": "^8.58.2",
+        "@typescript-eslint/parser": "^8.58.0",
        "eslint": "^8.57.0 || ^9.0.0 || ^10.0.0",
        "typescript": ">=4.8.4 <6.1.0"
      }
@@ -2593,16 +2588,16 @@
      }
    },
    "node_modules/@typescript-eslint/parser": {
-      "version": "8.58.2",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/parser/-/parser-8.58.2.tgz",
-      "integrity": "sha512-/Zb/xaIDfxeJnvishjGdcR4jmr7S+bda8PKNhRGdljDM+elXhlvN0FyPSsMnLmJUrVG9aPO6dof80wjMawsASg==",
+      "version": "8.58.0",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/parser/-/parser-8.58.0.tgz",
+      "integrity": "sha512-rLoGZIf9afaRBYsPUMtvkDWykwXwUPL60HebR4JgTI8mxfFe2cQTu3AGitANp4b9B2QlVru6WzjgB2IzJKiCSA==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
-        "@typescript-eslint/scope-manager": "8.58.2",
-        "@typescript-eslint/types": "8.58.2",
-        "@typescript-eslint/typescript-estree": "8.58.2",
-        "@typescript-eslint/visitor-keys": "8.58.2",
+        "@typescript-eslint/scope-manager": "8.58.0",
+        "@typescript-eslint/types": "8.58.0",
+        "@typescript-eslint/typescript-estree": "8.58.0",
+        "@typescript-eslint/visitor-keys": "8.58.0",
        "debug": "^4.4.3"
      },
      "engines": {
@@ -2636,14 +2631,14 @@
      }
    },
    "node_modules/@typescript-eslint/project-service": {
-      "version": "8.58.2",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/project-service/-/project-service-8.58.2.tgz",
-      "integrity": "sha512-Cq6UfpZZk15+r87BkIh5rDpi38W4b+Sjnb8wQCPPDDweS/LRCFjCyViEbzHk5Ck3f2QDfgmlxqSa7S7clDtlfg==",
+      "version": "8.58.0",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/project-service/-/project-service-8.58.0.tgz",
+      "integrity": "sha512-8Q/wBPWLQP1j16NxoPNIKpDZFMaxl7yWIoqXWYeWO+Bbd2mjgvoF0dxP2jKZg5+x49rgKdf7Ck473M8PC3V9lg==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
-        "@typescript-eslint/tsconfig-utils": "^8.58.2",
-        "@typescript-eslint/types": "^8.58.2",
+        "@typescript-eslint/tsconfig-utils": "^8.58.0",
+        "@typescript-eslint/types": "^8.58.0",
        "debug": "^4.4.3"
      },
      "engines": {
@@ -2676,14 +2671,14 @@
      }
    },
    "node_modules/@typescript-eslint/scope-manager": {
-      "version": "8.58.2",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/scope-manager/-/scope-manager-8.58.2.tgz",
-      "integrity": "sha512-SgmyvDPexWETQek+qzZnrG6844IaO02UVyOLhI4wpo82dpZJY9+6YZCKAMFzXb7qhx37mFK1QcPQ18tud+vo6Q==",
+      "version": "8.58.0",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/scope-manager/-/scope-manager-8.58.0.tgz",
+      "integrity": "sha512-W1Lur1oF50FxSnNdGp3Vs6P+yBRSmZiw4IIjEeYxd8UQJwhUF0gDgDD/W/Tgmh73mxgEU3qX0Bzdl/NGuSPEpQ==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
-        "@typescript-eslint/types": "8.58.2",
-        "@typescript-eslint/visitor-keys": "8.58.2"
+        "@typescript-eslint/types": "8.58.0",
+        "@typescript-eslint/visitor-keys": "8.58.0"
      },
      "engines": {
        "node": "^18.18.0 || ^20.9.0 || >=21.1.0"
@@ -2694,9 +2689,9 @@
      }
    },
    "node_modules/@typescript-eslint/tsconfig-utils": {
-      "version": "8.58.2",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/tsconfig-utils/-/tsconfig-utils-8.58.2.tgz",
-      "integrity": "sha512-3SR+RukipDvkkKp/d0jP0dyzuls3DbGmwDpVEc5wqk5f38KFThakqAAO0XMirWAE+kT00oTauTbzMFGPoAzB0A==",
+      "version": "8.58.0",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/tsconfig-utils/-/tsconfig-utils-8.58.0.tgz",
+      "integrity": "sha512-doNSZEVJsWEu4htiVC+PR6NpM+pa+a4ClH9INRWOWCUzMst/VA9c4gXq92F8GUD1rwhNvRLkgjfYtFXegXQF7A==",
      "dev": true,
      "license": "MIT",
      "engines": {
@@ -2711,15 +2706,15 @@
      }
    },
    "node_modules/@typescript-eslint/type-utils": {
-      "version": "8.58.2",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/type-utils/-/type-utils-8.58.2.tgz",
-      "integrity": "sha512-Z7EloNR/B389FvabdGeTo2XMs4W9TjtPiO9DAsmT0yom0bwlPyRjkJ1uCdW1DvrrrYP50AJZ9Xc3sByZA9+dcg==",
+      "version": "8.58.0",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/type-utils/-/type-utils-8.58.0.tgz",
+      "integrity": "sha512-aGsCQImkDIqMyx1u4PrVlbi/krmDsQUs4zAcCV6M7yPcPev+RqVlndsJy9kJ8TLihW9TZ0kbDAzctpLn5o+lOg==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
-        "@typescript-eslint/types": "8.58.2",
-        "@typescript-eslint/typescript-estree": "8.58.2",
-        "@typescript-eslint/utils": "8.58.2",
+        "@typescript-eslint/types": "8.58.0",
+        "@typescript-eslint/typescript-estree": "8.58.0",
+        "@typescript-eslint/utils": "8.58.0",
        "debug": "^4.4.3",
        "ts-api-utils": "^2.5.0"
      },
@@ -2754,9 +2749,9 @@
      }
    },
    "node_modules/@typescript-eslint/types": {
-      "version": "8.58.2",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/types/-/types-8.58.2.tgz",
-      "integrity": "sha512-9TukXyATBQf/Jq9AMQXfvurk+G5R2MwfqQGDR2GzGz28HvY/lXNKGhkY+6IOubwcquikWk5cjlgPvD2uAA7htQ==",
+      "version": "8.58.0",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/types/-/types-8.58.0.tgz",
+      "integrity": "sha512-O9CjxypDT89fbHxRfETNoAnHj/i6IpRK0CvbVN3qibxlLdo5p5hcLmUuCCrHMpxiWSwKyI8mCP7qRNYuOJ0Uww==",
      "dev": true,
      "license": "MIT",
      "engines": {
@@ -2768,16 +2763,16 @@
      }
    },
    "node_modules/@typescript-eslint/typescript-estree": {
-      "version": "8.58.2",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/typescript-estree/-/typescript-estree-8.58.2.tgz",
-      "integrity": "sha512-ELGuoofuhhoCvNbQjFFiobFcGgcDCEm0ThWdmO4Z0UzLqPXS3KFvnEZ+SHewwOYHjM09tkzOWXNTv9u6Gqtyuw==",
+      "version": "8.58.0",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/typescript-estree/-/typescript-estree-8.58.0.tgz",
+      "integrity": "sha512-7vv5UWbHqew/dvs+D3e1RvLv1v2eeZ9txRHPnEEBUgSNLx5ghdzjHa0sgLWYVKssH+lYmV0JaWdoubo0ncGYLA==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
-        "@typescript-eslint/project-service": "8.58.2",
-        "@typescript-eslint/tsconfig-utils": "8.58.2",
-        "@typescript-eslint/types": "8.58.2",
-        "@typescript-eslint/visitor-keys": "8.58.2",
+        "@typescript-eslint/project-service": "8.58.0",
+        "@typescript-eslint/tsconfig-utils": "8.58.0",
+        "@typescript-eslint/types": "8.58.0",
+        "@typescript-eslint/visitor-keys": "8.58.0",
        "debug": "^4.4.3",
        "minimatch": "^10.2.2",
        "semver": "^7.7.3",
@@ -2853,16 +2848,16 @@
      }
    },
    "node_modules/@typescript-eslint/utils": {
-      "version": "8.58.2",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/utils/-/utils-8.58.2.tgz",
-      "integrity": "sha512-QZfjHNEzPY8+l0+fIXMvuQ2sJlplB4zgDZvA+NmvZsZv3EQwOcc1DuIU1VJUTWZ/RKouBMhDyNaBMx4sWvrzRA==",
+      "version": "8.58.0",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/utils/-/utils-8.58.0.tgz",
+      "integrity": "sha512-RfeSqcFeHMHlAWzt4TBjWOAtoW9lnsAGiP3GbaX9uVgTYYrMbVnGONEfUCiSss+xMHFl+eHZiipmA8WkQ7FuNA==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
        "@eslint-community/eslint-utils": "^4.9.1",
-        "@typescript-eslint/scope-manager": "8.58.2",
-        "@typescript-eslint/types": "8.58.2",
-        "@typescript-eslint/typescript-estree": "8.58.2"
+        "@typescript-eslint/scope-manager": "8.58.0",
+        "@typescript-eslint/types": "8.58.0",
+        "@typescript-eslint/typescript-estree": "8.58.0"
      },
      "engines": {
        "node": "^18.18.0 || ^20.9.0 || >=21.1.0"
@@ -2877,13 +2872,13 @@
      }
    },
    "node_modules/@typescript-eslint/visitor-keys": {
-      "version": "8.58.2",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/visitor-keys/-/visitor-keys-8.58.2.tgz",
-      "integrity": "sha512-f1WO2Lx8a9t8DARmcWAUPJbu0G20bJlj8L4z72K00TMeJAoyLr/tHhI/pzYBLrR4dXWkcxO1cWYZEOX8DKHTqA==",
+      "version": "8.58.0",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/visitor-keys/-/visitor-keys-8.58.0.tgz",
+      "integrity": "sha512-XJ9UD9+bbDo4a4epraTwG3TsNPeiB9aShrUneAVXy8q4LuwowN+qu89/6ByLMINqvIMeI9H9hOHQtg/ijrYXzQ==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
-        "@typescript-eslint/types": "8.58.2",
+        "@typescript-eslint/types": "8.58.0",
        "eslint-visitor-keys": "^5.0.0"
      },
      "engines": {
@@ -4482,9 +4477,9 @@
      }
    },
    "node_modules/diff": {
-      "version": "8.0.4",
-      "resolved": "https://registry.npmjs.org/diff/-/diff-8.0.4.tgz",
-      "integrity": "sha512-DPi0FmjiSU5EvQV0++GFDOJ9ASQUVFh5kD+OzOnYdi7n3Wpm9hWWGfB/O2blfHcMVTL5WkQXSnRiK9makhrcnw==",
+      "version": "8.0.3",
+      "resolved": "https://registry.npmjs.org/diff/-/diff-8.0.3.tgz",
+      "integrity": "sha512-qejHi7bcSD4hQAZE0tNAawRK1ZtafHDmMTMkrrIGgSLl7hTnQHmKCeB45xAcbfTqK2zowkM3j3bHt/4b/ARbYQ==",
      "dev": true,
      "license": "BSD-3-Clause",
      "engines": {
@@ -4545,6 +4540,19 @@
      "version": "8.0.0",
      "license": "MIT"
    },
+    "node_modules/enhanced-resolve": {
+      "version": "5.17.1",
+      "resolved": "https://registry.npmjs.org/enhanced-resolve/-/enhanced-resolve-5.17.1.tgz",
+      "integrity": "sha512-LMHl3dXhTcfv8gM4kEzIUeTQ+7fpdA0l2tUf34BddXPkz2A5xJ5L/Pchd5BL6rdccM9QGvu0sWZzK1Z1t4wwyg==",
+      "dev": true,
+      "dependencies": {
+        "graceful-fs": "^4.2.4",
+        "tapable": "^2.2.0"
+      },
+      "engines": {
+        "node": ">=10.13.0"
+      }
+    },
    "node_modules/es-abstract": {
      "version": "1.24.1",
      "resolved": "https://registry.npmjs.org/es-abstract/-/es-abstract-1.24.1.tgz",
@@ -4865,25 +4873,24 @@
      }
    },
    "node_modules/eslint-import-resolver-typescript": {
-      "version": "4.4.4",
-      "resolved": "https://registry.npmjs.org/eslint-import-resolver-typescript/-/eslint-import-resolver-typescript-4.4.4.tgz",
-      "integrity": "sha512-1iM2zeBvrYmUNTj2vSC/90JTHDth+dfOfiNKkxApWRsTJYNrc8rOdxxIf5vazX+BiAXTeOT0UvWpGI/7qIWQOw==",
+      "version": "3.8.7",
+      "resolved": "https://registry.npmjs.org/eslint-import-resolver-typescript/-/eslint-import-resolver-typescript-3.8.7.tgz",
+      "integrity": "sha512-U7k84gOzrfl09c33qrIbD3TkWTWu3nt3dK5sDajHSekfoLlYGusIwSdPlPzVeA6TFpi0Wpj+ZdBD8hX4hxPoww==",
      "dev": true,
-      "license": "ISC",
      "dependencies": {
-        "debug": "^4.4.1",
-        "eslint-import-context": "^0.1.8",
-        "get-tsconfig": "^4.10.1",
-        "is-bun-module": "^2.0.0",
-        "stable-hash-x": "^0.2.0",
-        "tinyglobby": "^0.2.14",
-        "unrs-resolver": "^1.7.11"
+        "@nolyfill/is-core-module": "1.0.39",
+        "debug": "^4.3.7",
+        "enhanced-resolve": "^5.15.0",
+        "get-tsconfig": "^4.10.0",
+        "is-bun-module": "^1.0.2",
+        "stable-hash": "^0.0.4",
+        "tinyglobby": "^0.2.12"
      },
      "engines": {
-        "node": "^16.17.0 || >=18.6.0"
+        "node": "^14.18.0 || >=16.0.0"
      },
      "funding": {
-        "url": "https://opencollective.com/eslint-import-resolver-typescript"
+        "url": "https://opencollective.com/unts/projects/eslint-import-resolver-ts"
      },
      "peerDependencies": {
        "eslint": "*",
@@ -5609,11 +5616,10 @@
      }
    },
    "node_modules/execa": {
-      "version": "9.6.1",
-      "resolved": "https://registry.npmjs.org/execa/-/execa-9.6.1.tgz",
-      "integrity": "sha512-9Be3ZoN4LmYR90tUoVu2te2BsbzHfhJyfEiAVfz7N5/zv+jduIfLrV2xdQXOHbaD6KgpGdO9PRPM1Y4Q9QkPkA==",
+      "version": "9.6.0",
+      "resolved": "https://registry.npmjs.org/execa/-/execa-9.6.0.tgz",
+      "integrity": "sha512-jpWzZ1ZhwUmeWRhS7Qv3mhpOhLfwI+uAX4e5fOcXqwMR7EcJ0pj2kV1CVzHVMX/LphnKWD3LObjZCoJ71lKpHw==",
      "dev": true,
-      "license": "MIT",
      "dependencies": {
        "@sindresorhus/merge-streams": "^4.0.0",
        "cross-spawn": "^7.0.6",
@@ -5694,9 +5700,9 @@
      "license": "MIT"
    },
    "node_modules/fast-xml-builder": {
-      "version": "1.1.5",
-      "resolved": "https://registry.npmjs.org/fast-xml-builder/-/fast-xml-builder-1.1.5.tgz",
-      "integrity": "sha512-4TJn/8FKLeslLAH3dnohXqE3QSoxkhvaMzepOIZytwJXZO69Bfz0HBdDHzOTOon6G59Zrk6VQ2bEiv1t61rfkA==",
+      "version": "1.1.4",
+      "resolved": "https://registry.npmjs.org/fast-xml-builder/-/fast-xml-builder-1.1.4.tgz",
+      "integrity": "sha512-f2jhpN4Eccy0/Uz9csxh3Nu6q4ErKxf0XIsasomfOihuSUa3/xw6w8dnOtCDgEItQFJG8KyXPzQXzcODDrrbOg==",
      "funding": [
        {
          "type": "github",
@@ -5709,9 +5715,9 @@
      }
    },
    "node_modules/fast-xml-parser": {
-      "version": "5.7.1",
-      "resolved": "https://registry.npmjs.org/fast-xml-parser/-/fast-xml-parser-5.7.1.tgz",
-      "integrity": "sha512-8Cc3f8GUGUULg34pBch/KGyPLglS+OFs05deyOlY7fL2MTagYPKrVQNmR1fLF/yJ9PH5ZSTd3YDF6pnmeZU+zA==",
+      "version": "5.5.7",
+      "resolved": "https://registry.npmjs.org/fast-xml-parser/-/fast-xml-parser-5.5.7.tgz",
+      "integrity": "sha512-LteOsISQ2GEiDHZch6L9hB0+MLoYVLToR7xotrzU0opCICBkxOPgHAy1HxAvtxfJNXDJpgAsQN30mkrfpO2Prg==",
      "funding": [
        {
          "type": "github",
@@ -5720,10 +5726,9 @@
      ],
      "license": "MIT",
      "dependencies": {
-        "@nodable/entities": "^2.1.0",
-        "fast-xml-builder": "^1.1.5",
-        "path-expression-matcher": "^1.5.0",
-        "strnum": "^2.2.3"
+        "fast-xml-builder": "^1.1.4",
+        "path-expression-matcher": "^1.1.3",
+        "strnum": "^2.2.0"
      },
      "bin": {
        "fxparser": "src/cli/cli.js"
@@ -5836,9 +5841,9 @@
      "license": "ISC"
    },
    "node_modules/follow-redirects": {
-      "version": "1.16.0",
-      "resolved": "https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.16.0.tgz",
-      "integrity": "sha512-y5rN/uOsadFT/JfYwhxRS5R7Qce+g3zG97+JrtFZlC9klX/W5hD7iiLzScI4nZqUS7DNUdhPgw4xI8W2LuXlUw==",
+      "version": "1.15.11",
+      "resolved": "https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.15.11.tgz",
+      "integrity": "sha512-deG2P0JfjrTxl50XGCDyfI97ZGVCxIpfKYmfyrQ54n5FO/0gfIES8C/Psl6kWVDolizcaaxZJnTS0QSMxvnsBQ==",
      "funding": [
        {
          "type": "individual",
@@ -6028,7 +6033,6 @@
      "resolved": "https://registry.npmjs.org/get-stream/-/get-stream-9.0.1.tgz",
      "integrity": "sha512-kVCxPF3vQM/N0B1PmoqVUqgHP+EeVjmZSQn+1oCRPxd2P21P2F19lIgbR3HBosbB1PUhOAoctJnfEn2GbN2eZA==",
      "dev": true,
-      "license": "MIT",
      "dependencies": {
        "@sec-ant/readable-stream": "^0.4.1",
        "is-stream": "^4.0.1"
@@ -6144,9 +6148,9 @@
      }
    },
    "node_modules/globals": {
-      "version": "17.5.0",
-      "resolved": "https://registry.npmjs.org/globals/-/globals-17.5.0.tgz",
-      "integrity": "sha512-qoV+HK2yFl/366t2/Cb3+xxPUo5BuMynomoDmiaZBIdbs+0pYbjfZU+twLhGKp4uCZ/+NbtpVepH5bGCxRyy2g==",
+      "version": "17.4.0",
+      "resolved": "https://registry.npmjs.org/globals/-/globals-17.4.0.tgz",
+      "integrity": "sha512-hjrNztw/VajQwOLsMNT1cbJiH2muO3OROCHnbehc8eY5JyD2gqz4AcMHPqgaOR59DjgUjYAYLeH699g/eWi2jw==",
      "dev": true,
      "license": "MIT",
      "engines": {
@@ -6389,7 +6393,6 @@
      "resolved": "https://registry.npmjs.org/human-signals/-/human-signals-8.0.1.tgz",
      "integrity": "sha512-eKCa6bwnJhvxj14kZk5NCPc6Hb6BdsU9DZcOnmQKSnO1VKrfV0zCvtttPZUsBvjmNDn8rpcJfpwSYnHBjc95MQ==",
      "dev": true,
-      "license": "Apache-2.0",
      "engines": {
        "node": ">=18.18.0"
      }
@@ -6578,13 +6581,12 @@
      }
    },
    "node_modules/is-bun-module": {
-      "version": "2.0.0",
-      "resolved": "https://registry.npmjs.org/is-bun-module/-/is-bun-module-2.0.0.tgz",
-      "integrity": "sha512-gNCGbnnnnFAUGKeZ9PdbyeGYJqewpmc2aKHUEMO5nQPWU9lOmv7jcmQIv+qHD8fXW6W7qfuCwX4rY9LNRjXrkQ==",
+      "version": "1.1.0",
+      "resolved": "https://registry.npmjs.org/is-bun-module/-/is-bun-module-1.1.0.tgz",
+      "integrity": "sha512-4mTAVPlrXpaN3jtF0lsnPCMGnq4+qZjVIKq0HCpfcqf8OC1SM5oATCIAPM5V5FN05qp2NNnFndphmdZS9CV3hA==",
      "dev": true,
-      "license": "MIT",
      "dependencies": {
-        "semver": "^7.7.1"
+        "semver": "^7.6.3"
      }
    },
    "node_modules/is-callable": {
@@ -6787,7 +6789,6 @@
      "resolved": "https://registry.npmjs.org/is-plain-obj/-/is-plain-obj-4.1.0.tgz",
      "integrity": "sha512-+Pgi+vMuUNkJyExiMBt5IlFoMyKnr5zhJ4Uspz58WOhBF5QoIZkFyNHIbBAtHwzVAgk5RtndVNsDRN61/mmDqg==",
      "dev": true,
-      "license": "MIT",
      "engines": {
        "node": ">=12"
      },
@@ -6862,7 +6863,6 @@
      "resolved": "https://registry.npmjs.org/is-stream/-/is-stream-4.0.1.tgz",
      "integrity": "sha512-Dnz92NInDqYckGEUJv689RbRiTSEHCQ7wOVeALbkOz999YpqT46yMRIGtSNl2iCL1waAZSx40+h59NV/EwzV/A==",
      "dev": true,
-      "license": "MIT",
      "engines": {
        "node": ">=18"
      },
@@ -7571,7 +7571,6 @@
      "resolved": "https://registry.npmjs.org/npm-run-path/-/npm-run-path-6.0.0.tgz",
      "integrity": "sha512-9qny7Z9DsQU8Ou39ERsPU4OZQlSTP47ShQzuKZ6PRXpYLtIFgl/DEBYEXKlvcEa+9tHVcK8CF81Y2V72qaZhWA==",
      "dev": true,
-      "license": "MIT",
      "dependencies": {
        "path-key": "^4.0.0",
        "unicorn-magic": "^0.3.0"
@@ -7588,7 +7587,6 @@
      "resolved": "https://registry.npmjs.org/path-key/-/path-key-4.0.0.tgz",
      "integrity": "sha512-haREypq7xkM7ErfgIyA0z+Bj4AGKlMSdlQE2jvJo6huWD1EdkKYV+G/T4nq0YEF2vgTT8kqMFKo1uHn950r4SQ==",
      "dev": true,
-      "license": "MIT",
      "engines": {
        "node": ">=12"
      },
@@ -7862,9 +7860,9 @@
      }
    },
    "node_modules/path-expression-matcher": {
-      "version": "1.5.0",
-      "resolved": "https://registry.npmjs.org/path-expression-matcher/-/path-expression-matcher-1.5.0.tgz",
-      "integrity": "sha512-cbrerZV+6rvdQrrD+iGMcZFEiiSrbv9Tfdkvnusy6y0x0GKBXREFg/Y65GhIfm0tnLntThhzCnfKwp1WRjeCyQ==",
+      "version": "1.1.3",
+      "resolved": "https://registry.npmjs.org/path-expression-matcher/-/path-expression-matcher-1.1.3.tgz",
+      "integrity": "sha512-qdVgY8KXmVdJZRSS1JdEPOKPdTiEK/pi0RkcT2sw1RhXxohdujUlJFPuS1TSkevZ9vzd3ZlL7ULl1MHGTApKzQ==",
      "funding": [
        {
          "type": "github",
@@ -8534,16 +8532,17 @@
      }
    },
    "node_modules/sinon": {
-      "version": "21.1.2",
-      "resolved": "https://registry.npmjs.org/sinon/-/sinon-21.1.2.tgz",
-      "integrity": "sha512-FS6mN+/bx7e2ajpXkEmOcWB6xBzWiuNoAQT18/+a20SS4U7FSYl8Ms7N6VTUxN/1JAjkx7aXp+THMC8xdpp0gA==",
+      "version": "21.0.3",
+      "resolved": "https://registry.npmjs.org/sinon/-/sinon-21.0.3.tgz",
+      "integrity": "sha512-0x8TQFr8EjADhSME01u1ZK31yv2+bd6Z5NrBCHVM+n4qL1wFqbxftmeyi3bwlr49FbbzRfrqSFOpyHCOh/YmYA==",
      "dev": true,
      "license": "BSD-3-Clause",
      "dependencies": {
        "@sinonjs/commons": "^3.0.1",
-        "@sinonjs/fake-timers": "^15.3.2",
-        "@sinonjs/samsam": "^10.0.2",
-        "diff": "^8.0.4"
+        "@sinonjs/fake-timers": "^15.1.1",
+        "@sinonjs/samsam": "^9.0.3",
+        "diff": "^8.0.3",
+        "supports-color": "^7.2.0"
      },
      "funding": {
        "type": "opencollective",
@@ -8627,6 +8626,13 @@
      "integrity": "sha512-D9cPgkvLlV3t3IzL0D0YLvGA9Ahk4PcvVwUbN0dSGr1aP0Nrt4AEnTUbuGvquEC0mA64Gqt1fzirlRs5ibXx8g==",
      "dev": true
    },
+    "node_modules/stable-hash": {
+      "version": "0.0.4",
+      "resolved": "https://registry.npmjs.org/stable-hash/-/stable-hash-0.0.4.tgz",
+      "integrity": "sha512-LjdcbuBeLcdETCrPn9i8AYAZ1eCtu4ECAWtP7UleOiZ9LzVxRzzUZEoZ8zB24nhkQnDWyET0I+3sWokSDS3E7g==",
+      "dev": true,
+      "license": "MIT"
+    },
    "node_modules/stable-hash-x": {
      "version": "0.2.0",
      "resolved": "https://registry.npmjs.org/stable-hash-x/-/stable-hash-x-0.2.0.tgz",
@@ -8838,7 +8844,6 @@
      "resolved": "https://registry.npmjs.org/strip-final-newline/-/strip-final-newline-4.0.0.tgz",
      "integrity": "sha512-aulFJcD6YK8V1G7iRB5tigAP4TsHBZZrOV8pjV++zdUwmeV8uzbY7yn6h9MswN62adStNZFuCIx4haBnRuMDaw==",
      "dev": true,
-      "license": "MIT",
      "engines": {
        "node": ">=18"
      },
@@ -8858,9 +8863,9 @@
      }
    },
    "node_modules/strnum": {
-      "version": "2.2.3",
-      "resolved": "https://registry.npmjs.org/strnum/-/strnum-2.2.3.tgz",
-      "integrity": "sha512-oKx6RUCuHfT3oyVjtnrmn19H1SiCqgJSg+54XqURKp5aCMbrXrhLjRN9TjuwMjiYstZ0MzDrHqkGZ5dFTKd+zg==",
+      "version": "2.2.1",
+      "resolved": "https://registry.npmjs.org/strnum/-/strnum-2.2.1.tgz",
+      "integrity": "sha512-BwRvNd5/QoAtyW1na1y1LsJGQNvRlkde6Q/ipqqEaivoMdV+B1OMOTVdwR+N/cwVUcIt9PYyHmV8HyexCZSupg==",
      "funding": [
        {
          "type": "github",
@@ -8983,6 +8988,15 @@
        "url": "https://opencollective.com/unts"
      }
    },
+    "node_modules/tapable": {
+      "version": "2.2.1",
+      "resolved": "https://registry.npmjs.org/tapable/-/tapable-2.2.1.tgz",
+      "integrity": "sha512-GNzQvQTOIP6RyTfE2Qxb8ZVlNmw0n88vp1szwWRimP02mnTsx3Wtn5qRdqY9w2XduFNUgvOwhNnQsjwCp+kqaQ==",
+      "dev": true,
+      "engines": {
+        "node": ">=6"
+      }
+    },
    "node_modules/tar": {
      "version": "7.5.11",
      "resolved": "https://registry.npmjs.org/tar/-/tar-7.5.11.tgz",
@@ -9811,16 +9825,16 @@
      }
    },
    "node_modules/typescript-eslint": {
-      "version": "8.58.2",
-      "resolved": "https://registry.npmjs.org/typescript-eslint/-/typescript-eslint-8.58.2.tgz",
-      "integrity": "sha512-V8iSng9mRbdZjl54VJ9NKr6ZB+dW0J3TzRXRGcSbLIej9jV86ZRtlYeTKDR/QLxXykocJ5icNzbsl2+5TzIvcQ==",
+      "version": "8.58.0",
+      "resolved": "https://registry.npmjs.org/typescript-eslint/-/typescript-eslint-8.58.0.tgz",
+      "integrity": "sha512-e2TQzKfaI85fO+F3QywtX+tCTsu/D3WW5LVU6nz8hTFKFZ8yBJ6mSYRpXqdR3mFjPWmO0eWsTa5f+UpAOe/FMA==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
-        "@typescript-eslint/eslint-plugin": "8.58.2",
-        "@typescript-eslint/parser": "8.58.2",
-        "@typescript-eslint/typescript-estree": "8.58.2",
-        "@typescript-eslint/utils": "8.58.2"
+        "@typescript-eslint/eslint-plugin": "8.58.0",
+        "@typescript-eslint/parser": "8.58.0",
+        "@typescript-eslint/typescript-estree": "8.58.0",
+        "@typescript-eslint/utils": "8.58.0"
      },
      "engines": {
        "node": "^18.18.0 || ^20.9.0 || >=21.1.0"
@@ -9876,7 +9890,6 @@
      "resolved": "https://registry.npmjs.org/unicorn-magic/-/unicorn-magic-0.3.0.tgz",
      "integrity": "sha512-+QBBXBCvifc56fsbuxZQ6Sic3wqqc3WWaqxs58gvJrcOuN83HGTCwz3oS5phzU9LthRNE9VrJCFCLUgHeeFnfA==",
      "dev": true,
-      "license": "MIT",
      "engines": {
        "node": ">=18"
      },
@@ -9986,9 +9999,9 @@
      "license": "MIT"
    },
    "node_modules/uuid": {
-      "version": "14.0.0",
-      "resolved": "https://registry.npmjs.org/uuid/-/uuid-14.0.0.tgz",
-      "integrity": "sha512-Qo+uWgilfSmAhXCMav1uYFynlQO7fMFiMVZsQqZRMIXp0O7rR7qjkj+cPvBHLgBqi960QCoo/PH2/6ZtVqKvrg==",
+      "version": "13.0.0",
+      "resolved": "https://registry.npmjs.org/uuid/-/uuid-13.0.0.tgz",
+      "integrity": "sha512-XQegIaBTVUjSHliKqcnFqYypAd4S+WCYt5NIeRs6w/UAry7z8Y9j5ZwRRL4kzq9U3sD6v+85er9FvkEaBpji2w==",
      "funding": [
        "https://github.com/sponsors/broofa",
        "https://github.com/sponsors/ctavan"
@@ -10380,11 +10393,10 @@
      }
    },
    "node_modules/yoctocolors": {
-      "version": "2.1.2",
-      "resolved": "https://registry.npmjs.org/yoctocolors/-/yoctocolors-2.1.2.tgz",
-      "integrity": "sha512-CzhO+pFNo8ajLM2d2IW/R93ipy99LWjtwblvC1RsoSUMZgyLbYFr221TnSNT7GjGdYui6P459mw9JH/g/zW2ug==",
+      "version": "2.1.1",
+      "resolved": "https://registry.npmjs.org/yoctocolors/-/yoctocolors-2.1.1.tgz",
+      "integrity": "sha512-GQHQqAopRhwU8Kt1DDM8NjibDXHC8eoh1erhGAJPEyveY9qqVeXvVikNKrDz69sHowPMorbPUrH/mx8c50eiBQ==",
      "dev": true,
-      "license": "MIT",
      "engines": {
        "node": ">=18"
      },
@@ -1,6 +1,6 @@
 {
  "name": "codeql",
-  "version": "4.35.4",
+  "version": "3.35.2",
  "private": true,
  "description": "CodeQL action",
  "scripts": {
@@ -12,7 +12,7 @@
    "ava": "npm run transpile && ava --verbose",
    "test": "npm run ava -- src/",
    "test-debug": "npm run test -- --timeout=20m",
-    "transpile": "tsc --build --verbose tsconfig.json"
+    "transpile": "tsc --build --verbose"
  },
  "license": "MIT",
  "workspaces": [
@@ -32,7 +32,7 @@
    "@octokit/plugin-retry": "^8.1.0",
    "archiver": "^7.0.1",
    "fast-deep-equal": "^3.1.3",
-    "follow-redirects": "^1.16.0",
+    "follow-redirects": "^1.15.11",
    "get-folder-size": "^5.0.0",
    "https-proxy-agent": "^7.0.6",
    "js-yaml": "^4.1.1",
@@ -40,11 +40,11 @@
    "long": "^5.3.2",
    "node-forge": "^1.4.0",
    "semver": "^7.7.4",
-    "uuid": "^14.0.0"
+    "uuid": "^13.0.0"
  },
  "devDependencies": {
-    "@ava/typescript": "7.0.0",
-    "@eslint/compat": "^2.0.5",
+    "@ava/typescript": "6.0.0",
+    "@eslint/compat": "^2.0.4",
    "@microsoft/eslint-formatter-sarif": "^3.1.0",
    "@octokit/types": "^16.0.0",
    "@types/archiver": "^7.0.0",
@@ -58,17 +58,17 @@
    "ava": "^7.0.0",
    "esbuild": "^0.28.0",
    "eslint": "^9.39.2",
-    "eslint-import-resolver-typescript": "^4.4.4",
+    "eslint-import-resolver-typescript": "^3.8.7",
    "eslint-plugin-github": "^6.0.0",
    "eslint-plugin-import-x": "^4.16.2",
    "eslint-plugin-jsdoc": "^62.9.0",
    "eslint-plugin-no-async-foreach": "^0.1.1",
    "glob": "^11.1.0",
-    "globals": "^17.5.0",
+    "globals": "^17.4.0",
    "nock": "^14.0.12",
-    "sinon": "^21.1.2",
+    "sinon": "^21.0.3",
    "typescript": "^6.0.2",
-    "typescript-eslint": "^8.58.2"
+    "typescript-eslint": "^8.58.0"
  },
  "overrides": {
    "@actions/tool-cache": {
@@ -5,7 +5,7 @@ versions:
  - default
 steps:
  - name: Set up Ruby
-    uses: ruby/setup-ruby@0cb964fd540e0a24c900370abf38a33466142735 # v1.305.0
+    uses: ruby/setup-ruby@4c56a21280b36d862b5fc31348f463d60bdc55d5 # v1.301.0
    with:
      ruby-version: 2.6
  - name: Install Code Scanning integration
@@ -11,13 +11,3 @@ export const PR_CHECK_EXCLUDED_FILE = path.join(PR_CHECKS_DIR, "excluded.yml");

 /** The path to the esbuild metadata file. */
 export const BUNDLE_METADATA_FILE = path.join(PR_CHECKS_DIR, "..", "meta.json");
-
-/** The `src` directory. */
-const SOURCE_ROOT = path.join(PR_CHECKS_DIR, "..", "src");
-
-/** The path to the built-in languages file. */
-export const BUILTIN_LANGUAGES_FILE = path.join(
-  SOURCE_ROOT,
-  "languages",
-  "builtin.json",
-);
@@ -5,7 +5,7 @@ import * as path from "path";

 import * as yaml from "yaml";

-import { BuiltInLanguage } from "../src/languages";
+import { KnownLanguage } from "../src/languages";

 /** Known workflow input names. */
 enum KnownInputName {
@@ -91,8 +91,8 @@ interface LanguageSetup {
  steps: Step[];
 }

-/** Describes partial mappings from built-in languages to their specific setup information. */
-type LanguageSetups = Partial<Record<BuiltInLanguage, LanguageSetup>>;
+/** Describes partial mappings from known languages to their specific setup information. */
+type LanguageSetups = Partial<Record<KnownLanguage, LanguageSetup>>;

 // The default set of CodeQL Bundle versions to use for the PR checks.
 const defaultTestVersions = [
@@ -125,7 +125,7 @@ const defaultLanguageVersions = {
  java: "17",
  python: "3.13",
  csharp: "9.x",
-} as const satisfies Partial<Record<BuiltInLanguage, string>>;
+} as const satisfies Partial<Record<KnownLanguage, string>>;

 /** A mapping from known input names to their specifications. */
 const inputSpecs: WorkflowInputs = {
@@ -364,7 +364,7 @@ function getSetupSteps(checkSpecification: JobSpecification): {
  const inputs: Array<Set<KnownInputName>> = [];
  const steps: Step[] = [];

-  for (const language of Object.values(BuiltInLanguage).sort()) {
+  for (const language of Object.values(KnownLanguage).sort()) {
    const setupSpec = languageSetups[language];

    if (
@@ -1,131 +0,0 @@
-#!/usr/bin/env npx tsx
-
-/*
- * Updates src/languages/builtin.json by querying the CodeQL CLI for:
- * - Languages that have default queries (via codeql-extractor.yml)
- * - Language aliases (via `codeql resolve languages --format=betterjson --extractor-include-aliases`)
- *
- * Usage:
- *   npx tsx pr-checks/update-builtin-languages.ts [path-to-codeql]
- *
- * If no path is given, falls back to "codeql".
- */
-
-import { execFileSync } from "node:child_process";
-import * as fs from "node:fs";
-import * as path from "node:path";
-
-import * as yaml from "yaml";
-
-import { EnvVar } from "../src/environment";
-
-import { BUILTIN_LANGUAGES_FILE } from "./config";
-
-/** Resolve all known language extractor directories. */
-function resolveLanguages(codeqlPath: string): Record<string, string[]> {
-  return JSON.parse(
-    execFileSync(codeqlPath, ["resolve", "languages", "--format=json"], {
-      encoding: "utf8",
-      env: {
-        ...process.env,
-        [EnvVar.EXPERIMENTAL_FEATURES]: "true", // include experimental languages
-      },
-    }),
-  ) as Record<string, string[]>;
-}
-
-/**
- * Return the sorted list of languages whose extractors ship default queries.
- *
- * @param extractorDirs - Map from language to list of extractor directories
- */
-function findLanguagesWithDefaultQueries(
-  extractorDirs: Record<string, string[]>,
-): string[] {
-  const languages: string[] = [];
-
-  for (const [language, dirs] of Object.entries(extractorDirs)) {
-    if (dirs.length !== 1) {
-      throw new Error(
-        `Expected exactly one extractor directory for language '${language}', but found ${dirs.length}: ${dirs.join(
-          ", ",
-        )}`,
-      );
-    }
-
-    const extractorYmlPath = path.join(dirs[0], "codeql-extractor.yml");
-
-    if (!fs.existsSync(extractorYmlPath)) {
-      throw new Error(
-        `Extractor YAML not found for language '${language}' at expected path: ${extractorYmlPath}`,
-      );
-    }
-
-    const extractorYml = yaml.parse(fs.readFileSync(extractorYmlPath, "utf8"));
-    const defaultQueries: unknown[] | undefined = extractorYml.default_queries;
-
-    if (Array.isArray(defaultQueries) && defaultQueries.length > 0) {
-      console.log(
-        `  ✅ ${language}: included (default queries: ${JSON.stringify(defaultQueries)})`,
-      );
-      languages.push(language);
-    } else {
-      console.log(`  ❌ ${language}: excluded (no default queries)`);
-    }
-  }
-
-  return languages.sort();
-}
-
-/**
- * Resolve language aliases from the CodeQL CLI, keeping only those whose
- * target is in the given set of included languages.
- */
-function resolveAliases(
-  codeqlPath: string,
-  includedLanguages: Set<string>,
-): Record<string, string> {
-  const betterjsonOutput = JSON.parse(
-    execFileSync(
-      codeqlPath,
-      [
-        "resolve",
-        "languages",
-        "--format=betterjson",
-        "--extractor-include-aliases",
-      ],
-      { encoding: "utf8" },
-    ),
-  );
-
-  return Object.fromEntries(
-    Object.entries((betterjsonOutput.aliases ?? {}) as Record<string, string>)
-      .filter(([, target]) => includedLanguages.has(target))
-      .sort(([a], [b]) => a.localeCompare(b)),
-  );
-}
-
-/** Write the built-in languages data to disk. */
-function writeBuiltinLanguages(
-  languages: string[],
-  aliases: Record<string, string>,
-): void {
-  const content = `${JSON.stringify({ languages, aliases }, null, 2)}\n`;
-  fs.mkdirSync(path.dirname(BUILTIN_LANGUAGES_FILE), { recursive: true });
-  fs.writeFileSync(BUILTIN_LANGUAGES_FILE, content);
-
-  console.log(`\nWrote ${BUILTIN_LANGUAGES_FILE}`);
-  console.log(`  Languages: ${languages.join(", ")}`);
-  console.log(`  Aliases: ${Object.keys(aliases).join(", ")}`);
-}
-
-function main(): void {
-  const codeqlPath = process.argv[2] || "codeql";
-
-  const extractorDirs = resolveLanguages(codeqlPath);
-  const languages = findLanguagesWithDefaultQueries(extractorDirs);
-  const aliases = resolveAliases(codeqlPath, new Set(languages));
-  writeBuiltinLanguages(languages, aliases);
-}
-
-main();
@@ -21,5 +21,5 @@ outputs:
  environment:
    description: The inferred build environment configuration.
 runs:
-  using: node24
+  using: node20
  main: '../lib/resolve-environment-action.js'
@@ -35,5 +35,5 @@ outputs:
  codeql-version:
    description: The version of the CodeQL binary that was installed.
 runs:
-  using: node24
+  using: node20
  main: '../lib/setup-codeql-action.js'
@@ -30,7 +30,7 @@ import {
 } from "./dependency-caching";
 import { EnvVar } from "./environment";
 import { initFeatures } from "./feature-flags";
-import { BuiltInLanguage } from "./languages";
+import { KnownLanguage } from "./languages";
 import { getActionsLogger, Logger } from "./logging";
 import { cleanupAndUploadOverlayBaseDatabaseToCache } from "./overlay/caching";
 import { getRepositoryNwo } from "./repository";
@@ -135,13 +135,9 @@ function hasBadExpectErrorInput(): boolean {
 function doesGoExtractionOutputExist(config: Config): boolean {
  const golangDbDirectory = util.getCodeQLDatabasePath(
    config,
-    BuiltInLanguage.go,
-  );
-  const trapDirectory = path.join(
-    golangDbDirectory,
-    "trap",
-    BuiltInLanguage.go,
+    KnownLanguage.go,
  );
+  const trapDirectory = path.join(golangDbDirectory, "trap", KnownLanguage.go);
  return (
    fs.existsSync(trapDirectory) &&
    fs
@@ -173,7 +169,7 @@ function doesGoExtractionOutputExist(config: Config): boolean {
 * whether any extraction output already exists for Go.
 */
 async function runAutobuildIfLegacyGoWorkflow(config: Config, logger: Logger) {
-  if (!config.languages.includes(BuiltInLanguage.go)) {
+  if (!config.languages.includes(KnownLanguage.go)) {
    return;
  }
  if (config.buildMode) {
@@ -186,7 +182,7 @@ async function runAutobuildIfLegacyGoWorkflow(config: Config, logger: Logger) {
    logger.debug("Won't run Go autobuild since it has already been run.");
    return;
  }
-  if (dbIsFinalized(config, BuiltInLanguage.go, logger)) {
+  if (dbIsFinalized(config, KnownLanguage.go, logger)) {
    logger.debug(
      "Won't run Go autobuild since there is already a finalized database for Go.",
    );
@@ -209,7 +205,7 @@ async function runAutobuildIfLegacyGoWorkflow(config: Config, logger: Logger) {
  logger.debug(
    "Running Go autobuild because extraction output (TRAP files) for Go code has not been found.",
  );
-  await runAutobuild(config, BuiltInLanguage.go, logger);
+  await runAutobuild(config, KnownLanguage.go, logger);
 }

 async function run(startedAt: Date) {
@@ -14,7 +14,7 @@ import {
 } from "./analyze";
 import { createStubCodeQL } from "./codeql";
 import { Feature } from "./feature-flags";
-import { BuiltInLanguage } from "./languages";
+import { KnownLanguage } from "./languages";
 import { getRunnerLogger } from "./logging";
 import {
  setupTests,
@@ -41,7 +41,7 @@ test.serial("status report fields", async (t) => {
    const threadsFlag = "";
    sinon.stub(uploadLib, "validateSarifFileSchema");

-    for (const language of Object.values(BuiltInLanguage)) {
+    for (const language of Object.values(KnownLanguage)) {
      const codeql = createStubCodeQL({
        databaseRunQueries: async () => {},
        databaseInterpretResults: async (
@@ -130,13 +130,13 @@ test.serial("status report fields", async (t) => {
 test("resolveQuerySuiteAlias", (t) => {
  // default query suite names should resolve to something language-specific ending in `.qls`.
  for (const suite of defaultSuites) {
-    const resolved = resolveQuerySuiteAlias(BuiltInLanguage.go, suite);
+    const resolved = resolveQuerySuiteAlias(KnownLanguage.go, suite);
    t.assert(
      path.extname(resolved) === ".qls",
      "Resolved default suite doesn't end in .qls",
    );
    t.assert(
-      resolved.indexOf(BuiltInLanguage.go) >= 0,
+      resolved.indexOf(KnownLanguage.go) >= 0,
      "Resolved default suite doesn't contain language name",
    );
  }
@@ -145,12 +145,12 @@ test("resolveQuerySuiteAlias", (t) => {
  const names = ["foo", "bar", "codeql/go-queries@1.0"];

  for (const name of names) {
-    t.deepEqual(resolveQuerySuiteAlias(BuiltInLanguage.go, name), name);
+    t.deepEqual(resolveQuerySuiteAlias(KnownLanguage.go, name), name);
  }
 });

 test("addSarifExtension", (t) => {
-  for (const language of Object.values(BuiltInLanguage)) {
+  for (const language of Object.values(KnownLanguage)) {
    t.deepEqual(addSarifExtension(CodeScanning, language), `${language}.sarif`);
    t.deepEqual(
      addSarifExtension(CodeQuality, language),
@@ -21,7 +21,7 @@ import {
 } from "./diff-informed-analysis-utils";
 import { EnvVar } from "./environment";
 import { FeatureEnablement, Feature } from "./feature-flags";
-import { BuiltInLanguage, Language } from "./languages";
+import { KnownLanguage, Language } from "./languages";
 import { Logger, withGroupAsync } from "./logging";
 import { OverlayDatabaseMode } from "./overlay/overlay-database-mode";
 import type * as sarif from "./sarif";
@@ -41,7 +41,7 @@ export class CodeQLAnalysisError extends Error {
  }
 }

-type BuiltInLanguageKey = keyof typeof BuiltInLanguage;
+type KnownLanguageKey = keyof typeof KnownLanguage;

 type RunQueriesDurationStatusReport = {
  /**
@@ -50,12 +50,12 @@ type RunQueriesDurationStatusReport = {
   * The "builtin" designation is now outdated with the move to CLI config parsing: this is the time
   * taken to run _all_ the queries.
   */
-  [L in BuiltInLanguageKey as `analyze_builtin_queries_${L}_duration_ms`]?: number;
+  [L in KnownLanguageKey as `analyze_builtin_queries_${L}_duration_ms`]?: number;
 };

 type InterpretResultsDurationStatusReport = {
  /** Time taken in ms to interpret results for the language (or undefined if this language was not analyzed). */
-  [L in BuiltInLanguageKey as `interpret_results_${L}_duration_ms`]?: number;
+  [L in KnownLanguageKey as `interpret_results_${L}_duration_ms`]?: number;
 };

 export interface QueriesStatusReport
@@ -115,12 +115,12 @@ export async function runExtraction(

    if (await shouldExtractLanguage(codeql, config, language)) {
      logger.startGroup(`Extracting ${language}`);
-      if (language === BuiltInLanguage.python) {
+      if (language === KnownLanguage.python) {
        await setupPythonExtractor(logger);
      }
      if (config.buildMode) {
        if (
-          language === BuiltInLanguage.cpp &&
+          language === KnownLanguage.cpp &&
          config.buildMode === BuildMode.Autobuild
        ) {
          await setupCppAutobuild(codeql, logger);
@@ -131,14 +131,14 @@ export async function runExtraction(
        // a stable path that caches can be restored into and that we can cache at the
        // end of the workflow (i.e. that does not get removed when the scratch directory is).
        if (
-          language === BuiltInLanguage.java &&
+          language === KnownLanguage.java &&
          config.buildMode === BuildMode.None
        ) {
          process.env["CODEQL_EXTRACTOR_JAVA_OPTION_BUILDLESS_DEPENDENCY_DIR"] =
            getJavaTempDependencyDir();
        }
        if (
-          language === BuiltInLanguage.csharp &&
+          language === KnownLanguage.csharp &&
          config.buildMode === BuildMode.None &&
          (await features.getValue(Feature.CsharpCacheBuildModeNone))
        ) {
@@ -251,9 +251,16 @@ export async function setupDiffInformedQueryRun(
        diffRanges,
        checkoutPath,
      );
-      logger.info(
-        `Successfully created diff range extension pack at ${packDir}.`,
-      );
+      if (packDir === undefined) {
+        logger.warning(
+          "Cannot create diff range extension pack for diff-informed queries; " +
+            "reverting to performing full analysis.",
+        );
+      } else {
+        logger.info(
+          `Successfully created diff range extension pack at ${packDir}.`,
+        );
+      }
      return packDir;
    },
  );
@@ -307,13 +314,18 @@ extensions:
 * @param ranges The file line ranges, as returned by
 * `getPullRequestEditedDiffRanges`.
 * @param checkoutPath The path at which the repository was checked out.
- * @returns The absolute path of the directory containing the extension pack.
+ * @returns The absolute path of the directory containing the extension pack, or
+ * `undefined` if no extension pack was created.
 */
 function writeDiffRangeDataExtensionPack(
  logger: Logger,
-  ranges: DiffThunkRange[],
+  ranges: DiffThunkRange[] | undefined,
  checkoutPath: string,
-): string {
+): string | undefined {
+  if (ranges === undefined) {
+    return undefined;
+  }
+
  if (ranges.length === 0) {
    // An empty diff range means that there are no added or modified lines in
    // the pull request. But the `restrictAlertsTo` extensible predicate
@@ -686,7 +698,7 @@ export async function warnIfGoInstalledAfterInit(

      addDiagnostic(
        config,
-        BuiltInLanguage.go,
+        KnownLanguage.go,
        makeDiagnostic(
          "go/workflow/go-installed-after-codeql-init",
          "Go was installed after the `codeql-action/init` Action was run",
@@ -1 +1 @@
-{"maximumVersion": "3.21", "minimumVersion": "3.16"}
+{"maximumVersion": "3.21", "minimumVersion": "3.14"}
@@ -7,7 +7,7 @@ import * as configUtils from "./config-utils";
 import { DocUrl } from "./doc-url";
 import { EnvVar } from "./environment";
 import { Feature, featureConfig, initFeatures } from "./feature-flags";
-import { BuiltInLanguage, Language } from "./languages";
+import { KnownLanguage, Language } from "./languages";
 import { Logger } from "./logging";
 import { getRepositoryNwo } from "./repository";
 import { asyncFilter, BuildMode } from "./util";
@@ -72,7 +72,7 @@ export async function determineAutobuildLanguages(
   * version of the CodeQL Action.
   */
  const autobuildLanguagesWithoutGo = autobuildLanguages.filter(
-    (l) => l !== BuiltInLanguage.go,
+    (l) => l !== KnownLanguage.go,
  );

  const languages: Language[] = [];
@@ -84,7 +84,7 @@ export async function determineAutobuildLanguages(
  // If Go is requested, run the Go autobuilder last to ensure it doesn't
  // interfere with the other autobuilder.
  if (autobuildLanguages.length !== autobuildLanguagesWithoutGo.length) {
-    languages.push(BuiltInLanguage.go);
+    languages.push(KnownLanguage.go);
  }

  logger.debug(`Will autobuild ${languages.join(" and ")}.`);
@@ -156,7 +156,7 @@ export async function runAutobuild(
 ) {
  logger.startGroup(`Attempting to automatically build ${language} code`);
  const codeQL = await getCodeQL(config.codeQLCmd);
-  if (language === BuiltInLanguage.cpp) {
+  if (language === KnownLanguage.cpp) {
    await setupCppAutobuild(codeQL, logger);
  }
  if (config.buildMode) {
@@ -164,7 +164,7 @@ export async function runAutobuild(
  } else {
    await codeQL.runAutobuild(config, language);
  }
-  if (language === BuiltInLanguage.go) {
+  if (language === KnownLanguage.go) {
    core.exportVariable(EnvVar.DID_AUTOBUILD_GOLANG, "true");
  }
  logger.endGroup();
@@ -21,7 +21,7 @@ import {
 import type { Config } from "./config-utils";
 import * as defaults from "./defaults.json";
 import { DocUrl } from "./doc-url";
-import { BuiltInLanguage } from "./languages";
+import { KnownLanguage } from "./languages";
 import { getRunnerLogger } from "./logging";
 import { ToolsSource } from "./setup-codeql";
 import {
@@ -46,7 +46,7 @@ test.beforeEach(() => {
  initializeEnvironment("1.2.3");

  stubConfig = createTestConfig({
-    languages: [BuiltInLanguage.cpp],
+    languages: [KnownLanguage.cpp],
  });
 });

@@ -115,7 +115,7 @@ async function stubCodeql(): Promise<codeql.CodeQL> {
  sinon.stub(codeqlObject, "getVersion").resolves(makeVersionInfo("2.17.6"));
  sinon
    .stub(codeqlObject, "isTracedLanguage")
-    .withArgs(BuiltInLanguage.cpp)
+    .withArgs(KnownLanguage.cpp)
    .resolves(true);
  return codeqlObject;
 }
@@ -956,8 +956,7 @@ test.serial("runTool summarizes autobuilder errors", async (t) => {
  sinon.stub(io, "which").resolves("");

  await t.throwsAsync(
-    async () =>
-      await codeqlObject.runAutobuild(stubConfig, BuiltInLanguage.java),
+    async () => await codeqlObject.runAutobuild(stubConfig, KnownLanguage.java),
    {
      instanceOf: util.ConfigurationError,
      message:
@@ -983,8 +982,7 @@ test.serial("runTool truncates long autobuilder errors", async (t) => {
  sinon.stub(io, "which").resolves("");

  await t.throwsAsync(
-    async () =>
-      await codeqlObject.runAutobuild(stubConfig, BuiltInLanguage.java),
+    async () => await codeqlObject.runAutobuild(stubConfig, KnownLanguage.java),
    {
      instanceOf: util.ConfigurationError,
      message:
@@ -282,17 +282,17 @@ const CODEQL_MINIMUM_VERSION = "2.17.6";
 /**
 * This version will shortly become the oldest version of CodeQL that the Action will run with.
 */
-const CODEQL_NEXT_MINIMUM_VERSION = "2.19.4";
+const CODEQL_NEXT_MINIMUM_VERSION = "2.17.6";

 /**
 * This is the version of GHES that was most recently deprecated.
 */
-const GHES_VERSION_MOST_RECENTLY_DEPRECATED = "3.15";
+const GHES_VERSION_MOST_RECENTLY_DEPRECATED = "3.13";

 /**
 * This is the deprecation date for the version of GHES that was most recently deprecated.
 */
-const GHES_MOST_RECENT_DEPRECATION_DATE = "2026-04-09";
+const GHES_MOST_RECENT_DEPRECATION_DATE = "2025-06-19";

 /** The CLI verbosity level to use for extraction in debug mode. */
 const EXTRACTION_DEBUG_MODE_VERBOSITY = "progress++";
@@ -18,7 +18,7 @@ import { Feature } from "./feature-flags";
 import { RepositoryProperties } from "./feature-flags/properties";
 import * as gitUtils from "./git-utils";
 import { GitVersionInfo } from "./git-utils";
-import { BuiltInLanguage, Language } from "./languages";
+import { KnownLanguage, Language } from "./languages";
 import { getRunnerLogger } from "./logging";
 import { CODEQL_OVERLAY_MINIMUM_VERSION } from "./overlay";
 import { OverlayDisabledReason } from "./overlay/diagnostics";
@@ -215,7 +215,7 @@ test.serial("load code quality config", async (t) => {
    // And the config we expect it to result in
    const expectedConfig = createTestConfig({
      analysisKinds: [AnalysisKind.CodeQuality],
-      languages: [BuiltInLanguage.actions],
+      languages: [KnownLanguage.actions],
      // This gets set because we only have `AnalysisKind.CodeQuality`
      computedConfig: {
        "disable-default-queries": true,
@@ -268,7 +268,7 @@ test.serial(

      const expectedConfig = createTestConfig({
        analysisKinds: [AnalysisKind.CodeQuality],
-        languages: [BuiltInLanguage.javascript],
+        languages: [KnownLanguage.javascript],
        codeQLCmd: codeql.getPath(),
        computedConfig,
        dbLocation: path.resolve(tempDir, "codeql_databases"),
@@ -518,7 +518,7 @@ test.serial("load non-empty input", async (t) => {

    // And the config we expect it to parse to
    const expectedConfig = createTestConfig({
-      languages: [BuiltInLanguage.javascript],
+      languages: [KnownLanguage.javascript],
      buildMode: BuildMode.None,
      originalUserInput: userConfig,
      computedConfig: userConfig,
@@ -892,10 +892,10 @@ const mockRepositoryNwo = parseRepositoryNwo("owner/repo");
      betterResolveLanguages: (options) =>
        Promise.resolve({
          aliases: {
-            "c#": BuiltInLanguage.csharp,
-            c: BuiltInLanguage.cpp,
-            kotlin: BuiltInLanguage.java,
-            typescript: BuiltInLanguage.javascript,
+            "c#": KnownLanguage.csharp,
+            c: KnownLanguage.cpp,
+            kotlin: KnownLanguage.java,
+            typescript: KnownLanguage.javascript,
          },
          extractors: {
            cpp: [stubExtractorEntry],
@@ -944,12 +944,12 @@ const mockRepositoryNwo = parseRepositoryNwo("owner/repo");
 for (const { displayName, language, feature } of [
  {
    displayName: "Java",
-    language: BuiltInLanguage.java,
+    language: KnownLanguage.java,
    feature: Feature.DisableJavaBuildlessEnabled,
  },
  {
    displayName: "C#",
-    language: BuiltInLanguage.csharp,
+    language: KnownLanguage.csharp,
    feature: Feature.DisableCsharpBuildless,
  },
 ]) {
@@ -969,7 +969,7 @@ for (const { displayName, language, feature } of [
    const messages: LoggedMessage[] = [];
    const buildMode = await configUtils.parseBuildModeInput(
      "none",
-      [BuiltInLanguage.python],
+      [KnownLanguage.python],
      createFeatures([feature]),
      getRecordingLogger(messages),
    );
@@ -1019,7 +1019,7 @@ const defaultOverlayDatabaseModeTestSetup: OverlayDatabaseModeTestSetup = {
  isPullRequest: false,
  isDefaultBranch: false,
  buildMode: BuildMode.None,
-  languages: [BuiltInLanguage.javascript],
+  languages: [KnownLanguage.javascript],
  codeqlVersion: CODEQL_OVERLAY_MINIMUM_VERSION,
  gitRoot: "/some/git/root",
  gitVersion: new GitVersionInfo("2.39.0", "2.39.0"),
@@ -1091,7 +1091,7 @@ const checkOverlayEnablementMacro = test.macro({
        sinon
          .stub(codeql, "isTracedLanguage")
          .callsFake(async (lang: Language) => {
-            return lang === BuiltInLanguage.java;
+            return [KnownLanguage.java].includes(lang as KnownLanguage);
          });

        // Mock git root detection
@@ -1184,7 +1184,7 @@ test.serial(
  checkOverlayEnablementMacro,
  "Ignore feature flag when analyzing non-default branch",
  {
-    languages: [BuiltInLanguage.javascript],
+    languages: [KnownLanguage.javascript],
    features: [Feature.OverlayAnalysis, Feature.OverlayAnalysisJavascript],
  },
  {
@@ -1196,7 +1196,7 @@ test.serial(
  checkOverlayEnablementMacro,
  "Overlay-base database on default branch when feature enabled",
  {
-    languages: [BuiltInLanguage.javascript],
+    languages: [KnownLanguage.javascript],
    features: [Feature.OverlayAnalysis, Feature.OverlayAnalysisJavascript],
    isDefaultBranch: true,
  },
@@ -1210,7 +1210,7 @@ test.serial(
  checkOverlayEnablementMacro,
  "Overlay-base database on default branch when feature enabled with custom analysis",
  {
-    languages: [BuiltInLanguage.javascript],
+    languages: [KnownLanguage.javascript],
    features: [Feature.OverlayAnalysis, Feature.OverlayAnalysisJavascript],
    codeScanningConfig: {
      packs: ["some-custom-pack@1.0.0"],
@@ -1227,7 +1227,7 @@ test.serial(
  checkOverlayEnablementMacro,
  "Overlay-base database on default branch when code-scanning feature enabled",
  {
-    languages: [BuiltInLanguage.javascript],
+    languages: [KnownLanguage.javascript],
    features: [
      Feature.OverlayAnalysis,
      Feature.OverlayAnalysisCodeScanningJavascript,
@@ -1244,7 +1244,7 @@ test.serial(
  checkOverlayEnablementMacro,
  "No overlay-base database on default branch if runner disk space is too low",
  {
-    languages: [BuiltInLanguage.javascript],
+    languages: [KnownLanguage.javascript],
    features: [
      Feature.OverlayAnalysis,
      Feature.OverlayAnalysisCodeScanningJavascript,
@@ -1264,7 +1264,7 @@ test.serial(
  checkOverlayEnablementMacro,
  "No overlay-base database on default branch if we can't determine runner disk space",
  {
-    languages: [BuiltInLanguage.javascript],
+    languages: [KnownLanguage.javascript],
    features: [
      Feature.OverlayAnalysis,
      Feature.OverlayAnalysisCodeScanningJavascript,
@@ -1281,7 +1281,7 @@ test.serial(
  checkOverlayEnablementMacro,
  "Overlay-base database on default branch if runner disk space is too low and skip resource checks flag is enabled",
  {
-    languages: [BuiltInLanguage.javascript],
+    languages: [KnownLanguage.javascript],
    features: [
      Feature.OverlayAnalysis,
      Feature.OverlayAnalysisCodeScanningJavascript,
@@ -1303,7 +1303,7 @@ test.serial(
  checkOverlayEnablementMacro,
  "No overlay-base database on default branch if runner disk space is below v2 limit and v2 resource checks enabled",
  {
-    languages: [BuiltInLanguage.javascript],
+    languages: [KnownLanguage.javascript],
    features: [
      Feature.OverlayAnalysis,
      Feature.OverlayAnalysisCodeScanningJavascript,
@@ -1324,7 +1324,7 @@ test.serial(
  checkOverlayEnablementMacro,
  "Overlay-base database on default branch if runner disk space is between v2 and v1 limits and v2 resource checks enabled",
  {
-    languages: [BuiltInLanguage.javascript],
+    languages: [KnownLanguage.javascript],
    features: [
      Feature.OverlayAnalysis,
      Feature.OverlayAnalysisCodeScanningJavascript,
@@ -1346,7 +1346,7 @@ test.serial(
  checkOverlayEnablementMacro,
  "No overlay-base database on default branch if runner disk space is between v2 and v1 limits and v2 resource checks not enabled",
  {
-    languages: [BuiltInLanguage.javascript],
+    languages: [KnownLanguage.javascript],
    features: [
      Feature.OverlayAnalysis,
      Feature.OverlayAnalysisCodeScanningJavascript,
@@ -1366,7 +1366,7 @@ test.serial(
  checkOverlayEnablementMacro,
  "No overlay-base database on default branch if memory flag is too low",
  {
-    languages: [BuiltInLanguage.javascript],
+    languages: [KnownLanguage.javascript],
    features: [
      Feature.OverlayAnalysis,
      Feature.OverlayAnalysisCodeScanningJavascript,
@@ -1383,7 +1383,7 @@ test.serial(
  checkOverlayEnablementMacro,
  "Overlay-base database on default branch if memory flag is too low but CodeQL >= 2.24.3",
  {
-    languages: [BuiltInLanguage.javascript],
+    languages: [KnownLanguage.javascript],
    features: [
      Feature.OverlayAnalysis,
      Feature.OverlayAnalysisCodeScanningJavascript,
@@ -1402,7 +1402,7 @@ test.serial(
  checkOverlayEnablementMacro,
  "Overlay-base database on default branch if memory flag is too low and skip resource checks flag is enabled",
  {
-    languages: [BuiltInLanguage.javascript],
+    languages: [KnownLanguage.javascript],
    features: [
      Feature.OverlayAnalysis,
      Feature.OverlayAnalysisCodeScanningJavascript,
@@ -1421,7 +1421,7 @@ test.serial(
  checkOverlayEnablementMacro,
  "No overlay-base database on default branch when cached status indicates previous failure",
  {
-    languages: [BuiltInLanguage.javascript],
+    languages: [KnownLanguage.javascript],
    features: [
      Feature.OverlayAnalysis,
      Feature.OverlayAnalysisJavascript,
@@ -1439,7 +1439,7 @@ test.serial(
  checkOverlayEnablementMacro,
  "No overlay analysis on PR when cached status indicates previous failure",
  {
-    languages: [BuiltInLanguage.javascript],
+    languages: [KnownLanguage.javascript],
    features: [
      Feature.OverlayAnalysis,
      Feature.OverlayAnalysisJavascript,
@@ -1457,7 +1457,7 @@ test.serial(
  checkOverlayEnablementMacro,
  "No overlay-base database on default branch when code-scanning feature enabled with disable-default-queries",
  {
-    languages: [BuiltInLanguage.javascript],
+    languages: [KnownLanguage.javascript],
    features: [
      Feature.OverlayAnalysis,
      Feature.OverlayAnalysisCodeScanningJavascript,
@@ -1476,7 +1476,7 @@ test.serial(
  checkOverlayEnablementMacro,
  "No overlay-base database on default branch when code-scanning feature enabled with packs",
  {
-    languages: [BuiltInLanguage.javascript],
+    languages: [KnownLanguage.javascript],
    features: [
      Feature.OverlayAnalysis,
      Feature.OverlayAnalysisCodeScanningJavascript,
@@ -1495,7 +1495,7 @@ test.serial(
  checkOverlayEnablementMacro,
  "No overlay-base database on default branch when code-scanning feature enabled with queries",
  {
-    languages: [BuiltInLanguage.javascript],
+    languages: [KnownLanguage.javascript],
    features: [
      Feature.OverlayAnalysis,
      Feature.OverlayAnalysisCodeScanningJavascript,
@@ -1514,7 +1514,7 @@ test.serial(
  checkOverlayEnablementMacro,
  "No overlay-base database on default branch when code-scanning feature enabled with query-filters",
  {
-    languages: [BuiltInLanguage.javascript],
+    languages: [KnownLanguage.javascript],
    features: [
      Feature.OverlayAnalysis,
      Feature.OverlayAnalysisCodeScanningJavascript,
@@ -1533,7 +1533,7 @@ test.serial(
  checkOverlayEnablementMacro,
  "No overlay-base database on default branch when only language-specific feature enabled",
  {
-    languages: [BuiltInLanguage.javascript],
+    languages: [KnownLanguage.javascript],
    features: [Feature.OverlayAnalysisJavascript],
    isDefaultBranch: true,
  },
@@ -1546,7 +1546,7 @@ test.serial(
  checkOverlayEnablementMacro,
  "No overlay-base database on default branch when only code-scanning feature enabled",
  {
-    languages: [BuiltInLanguage.javascript],
+    languages: [KnownLanguage.javascript],
    features: [Feature.OverlayAnalysisCodeScanningJavascript],
    isDefaultBranch: true,
  },
@@ -1559,7 +1559,7 @@ test.serial(
  checkOverlayEnablementMacro,
  "No overlay-base database on default branch when language-specific feature disabled",
  {
-    languages: [BuiltInLanguage.javascript],
+    languages: [KnownLanguage.javascript],
    features: [Feature.OverlayAnalysis],
    isDefaultBranch: true,
  },
@@ -1572,7 +1572,7 @@ test.serial(
  checkOverlayEnablementMacro,
  "Overlay analysis on PR when feature enabled",
  {
-    languages: [BuiltInLanguage.javascript],
+    languages: [KnownLanguage.javascript],
    features: [Feature.OverlayAnalysis, Feature.OverlayAnalysisJavascript],
    isPullRequest: true,
  },
@@ -1586,7 +1586,7 @@ test.serial(
  checkOverlayEnablementMacro,
  "Overlay analysis on PR when feature enabled with custom analysis",
  {
-    languages: [BuiltInLanguage.javascript],
+    languages: [KnownLanguage.javascript],
    features: [Feature.OverlayAnalysis, Feature.OverlayAnalysisJavascript],
    codeScanningConfig: {
      packs: ["some-custom-pack@1.0.0"],
@@ -1603,7 +1603,7 @@ test.serial(
  checkOverlayEnablementMacro,
  "Overlay analysis on PR when code-scanning feature enabled",
  {
-    languages: [BuiltInLanguage.javascript],
+    languages: [KnownLanguage.javascript],
    features: [
      Feature.OverlayAnalysis,
      Feature.OverlayAnalysisCodeScanningJavascript,
@@ -1620,7 +1620,7 @@ test.serial(
  checkOverlayEnablementMacro,
  "No overlay analysis on PR if runner disk space is too low",
  {
-    languages: [BuiltInLanguage.javascript],
+    languages: [KnownLanguage.javascript],
    features: [
      Feature.OverlayAnalysis,
      Feature.OverlayAnalysisCodeScanningJavascript,
@@ -1640,7 +1640,7 @@ test.serial(
  checkOverlayEnablementMacro,
  "Overlay analysis on PR if runner disk space is too low and skip resource checks flag is enabled",
  {
-    languages: [BuiltInLanguage.javascript],
+    languages: [KnownLanguage.javascript],
    features: [
      Feature.OverlayAnalysis,
      Feature.OverlayAnalysisCodeScanningJavascript,
@@ -1662,7 +1662,7 @@ test.serial(
  checkOverlayEnablementMacro,
  "No overlay analysis on PR if we can't determine runner disk space",
  {
-    languages: [BuiltInLanguage.javascript],
+    languages: [KnownLanguage.javascript],
    features: [
      Feature.OverlayAnalysis,
      Feature.OverlayAnalysisCodeScanningJavascript,
@@ -1679,7 +1679,7 @@ test.serial(
  checkOverlayEnablementMacro,
  "No overlay analysis on PR if memory flag is too low",
  {
-    languages: [BuiltInLanguage.javascript],
+    languages: [KnownLanguage.javascript],
    features: [
      Feature.OverlayAnalysis,
      Feature.OverlayAnalysisCodeScanningJavascript,
@@ -1696,7 +1696,7 @@ test.serial(
  checkOverlayEnablementMacro,
  "Overlay analysis on PR if memory flag is too low but CodeQL >= 2.24.3",
  {
-    languages: [BuiltInLanguage.javascript],
+    languages: [KnownLanguage.javascript],
    features: [
      Feature.OverlayAnalysis,
      Feature.OverlayAnalysisCodeScanningJavascript,
@@ -1715,7 +1715,7 @@ test.serial(
  checkOverlayEnablementMacro,
  "Overlay analysis on PR if memory flag is too low and skip resource checks flag is enabled",
  {
-    languages: [BuiltInLanguage.javascript],
+    languages: [KnownLanguage.javascript],
    features: [
      Feature.OverlayAnalysis,
      Feature.OverlayAnalysisCodeScanningJavascript,
@@ -1734,7 +1734,7 @@ test.serial(
  checkOverlayEnablementMacro,
  "No overlay analysis on PR when code-scanning feature enabled with disable-default-queries",
  {
-    languages: [BuiltInLanguage.javascript],
+    languages: [KnownLanguage.javascript],
    features: [
      Feature.OverlayAnalysis,
      Feature.OverlayAnalysisCodeScanningJavascript,
@@ -1753,7 +1753,7 @@ test.serial(
  checkOverlayEnablementMacro,
  "No overlay analysis on PR when code-scanning feature enabled with packs",
  {
-    languages: [BuiltInLanguage.javascript],
+    languages: [KnownLanguage.javascript],
    features: [
      Feature.OverlayAnalysis,
      Feature.OverlayAnalysisCodeScanningJavascript,
@@ -1772,7 +1772,7 @@ test.serial(
  checkOverlayEnablementMacro,
  "No overlay analysis on PR when code-scanning feature enabled with queries",
  {
-    languages: [BuiltInLanguage.javascript],
+    languages: [KnownLanguage.javascript],
    features: [
      Feature.OverlayAnalysis,
      Feature.OverlayAnalysisCodeScanningJavascript,
@@ -1791,7 +1791,7 @@ test.serial(
  checkOverlayEnablementMacro,
  "No overlay analysis on PR when code-scanning feature enabled with query-filters",
  {
-    languages: [BuiltInLanguage.javascript],
+    languages: [KnownLanguage.javascript],
    features: [
      Feature.OverlayAnalysis,
      Feature.OverlayAnalysisCodeScanningJavascript,
@@ -1810,7 +1810,7 @@ test.serial(
  checkOverlayEnablementMacro,
  "No overlay analysis on PR when only language-specific feature enabled",
  {
-    languages: [BuiltInLanguage.javascript],
+    languages: [KnownLanguage.javascript],
    features: [Feature.OverlayAnalysisJavascript],
    isPullRequest: true,
  },
@@ -1823,7 +1823,7 @@ test.serial(
  checkOverlayEnablementMacro,
  "No overlay analysis on PR when only code-scanning feature enabled",
  {
-    languages: [BuiltInLanguage.javascript],
+    languages: [KnownLanguage.javascript],
    features: [Feature.OverlayAnalysisCodeScanningJavascript],
    isPullRequest: true,
  },
@@ -1836,7 +1836,7 @@ test.serial(
  checkOverlayEnablementMacro,
  "No overlay analysis on PR when language-specific feature disabled",
  {
-    languages: [BuiltInLanguage.javascript],
+    languages: [KnownLanguage.javascript],
    features: [Feature.OverlayAnalysis],
    isPullRequest: true,
  },
@@ -1874,7 +1874,7 @@ test.serial(
  checkOverlayEnablementMacro,
  "Overlay PR analysis by feature flag",
  {
-    languages: [BuiltInLanguage.javascript],
+    languages: [KnownLanguage.javascript],
    features: [Feature.OverlayAnalysis, Feature.OverlayAnalysisJavascript],
    isPullRequest: true,
  },
@@ -1890,7 +1890,7 @@ test.serial(
  {
    overlayDatabaseEnvVar: "overlay",
    buildMode: BuildMode.Autobuild,
-    languages: [BuiltInLanguage.java],
+    languages: [KnownLanguage.java],
  },
  {
    disabledReason: OverlayDisabledReason.IncompatibleBuildMode,
@@ -1903,7 +1903,7 @@ test.serial(
  {
    overlayDatabaseEnvVar: "overlay",
    buildMode: undefined,
-    languages: [BuiltInLanguage.java],
+    languages: [KnownLanguage.java],
  },
  {
    disabledReason: OverlayDisabledReason.IncompatibleBuildMode,
@@ -1978,7 +1978,7 @@ test.serial(
  checkOverlayEnablementMacro,
  "No overlay when disabled via repository property",
  {
-    languages: [BuiltInLanguage.javascript],
+    languages: [KnownLanguage.javascript],
    features: [Feature.OverlayAnalysis, Feature.OverlayAnalysisJavascript],
    isPullRequest: true,
    repositoryProperties: {
@@ -1994,7 +1994,7 @@ test.serial(
  checkOverlayEnablementMacro,
  "Overlay not disabled when repository property is false",
  {
-    languages: [BuiltInLanguage.javascript],
+    languages: [KnownLanguage.javascript],
    features: [Feature.OverlayAnalysis, Feature.OverlayAnalysisJavascript],
    isPullRequest: true,
    repositoryProperties: {
@@ -2023,7 +2023,7 @@ test.serial(
 );

 // Exercise language-specific overlay analysis features code paths
-for (const language in BuiltInLanguage) {
+for (const language in KnownLanguage) {
  test.serial(
    checkOverlayEnablementMacro,
    `Check default overlay analysis feature for ${language}`,
@@ -2046,7 +2046,7 @@ test.serial(
  checkOverlayEnablementMacro,
  "No overlay analysis for language without per-language overlay feature flag",
  {
-    languages: [BuiltInLanguage.swift],
+    languages: [KnownLanguage.swift],
    features: [Feature.OverlayAnalysis],
    isPullRequest: true,
  },
@@ -48,7 +48,7 @@ import {
  hasSubmodules,
  isAnalyzingDefaultBranch,
 } from "./git-utils";
-import { BuiltInLanguage, Language } from "./languages";
+import { KnownLanguage, Language } from "./languages";
 import { Logger } from "./logging";
 import { CODEQL_OVERLAY_MINIMUM_VERSION } from "./overlay";
 import {
@@ -274,10 +274,10 @@ async function getSupportedLanguageMap(
  for (const extractor of Object.keys(resolveResult.extractors)) {
    // If the CLI supports resolving languages with default queries, use these
    // as the set of supported languages. Otherwise, require the language to be
-    // a built-in language.
+    // a known language.
    if (
      resolveSupportedLanguagesUsingCli ||
-      BuiltInLanguage[extractor] !== undefined
+      KnownLanguage[extractor] !== undefined
    ) {
      supportedLanguages[extractor] = extractor;
    }
@@ -947,7 +947,7 @@ async function validateOverlayDatabaseMode(
      await Promise.all(
        languages.map(
          async (l) =>
-            l !== BuiltInLanguage.go && // Workaround to allow overlay analysis for Go with any build
+            l !== KnownLanguage.go && // Workaround to allow overlay analysis for Go with any build
            // mode, since it does not yet support BMN. The Go autobuilder and/or extractor will
            // ensure that overlay-base databases are only created for supported Go build setups,
            // and that we'll fall back to full databases in other cases.
@@ -1036,13 +1036,13 @@ async function setCppTrapCachingEnvironmentVariables(
  config: Config,
  logger: Logger,
 ): Promise<void> {
-  if (config.languages.includes(BuiltInLanguage.cpp)) {
+  if (config.languages.includes(KnownLanguage.cpp)) {
    const envVar = "CODEQL_EXTRACTOR_CPP_TRAP_CACHING";
    if (process.env[envVar]) {
      logger.info(
        `Environment variable ${envVar} already set, leaving it unchanged.`,
      );
-    } else if (config.trapCaches[BuiltInLanguage.cpp]) {
+    } else if (config.trapCaches[KnownLanguage.cpp]) {
      logger.info("Enabling TRAP caching for C/C++.");
      core.exportVariable(envVar, "true");
    } else {
@@ -1539,7 +1539,7 @@ export async function parseBuildModeInput(
  }

  if (
-    languages.includes(BuiltInLanguage.csharp) &&
+    languages.includes(KnownLanguage.csharp) &&
    (await features.getValue(Feature.DisableCsharpBuildless))
  ) {
    logger.warning(
@@ -1549,7 +1549,7 @@ export async function parseBuildModeInput(
  }

  if (
-    languages.includes(BuiltInLanguage.java) &&
+    languages.includes(KnownLanguage.java) &&
    (await features.getValue(Feature.DisableJavaBuildlessEnabled))
  ) {
    logger.warning(
@@ -1,7 +1,7 @@
 import test, { ExecutionContext } from "ava";

 import { RepositoryProperties } from "../feature-flags/properties";
-import { BuiltInLanguage, Language } from "../languages";
+import { KnownLanguage, Language } from "../languages";
 import { getRunnerLogger } from "../logging";
 import {
  checkExpectedLogMessages,
@@ -54,7 +54,7 @@ const invalidPackNameMacro = test.macro({
    parsePacksErrorMacro.exec(
      t,
      name,
-      [BuiltInLanguage.cpp],
+      [KnownLanguage.cpp],
      new RegExp(`^"${name}" is not a valid pack$`),
    ),
  title: (_providedTitle: string | undefined, arg: string | undefined) =>
@@ -62,23 +62,23 @@ const invalidPackNameMacro = test.macro({
 });

 test("no packs", parsePacksMacro, "", [], undefined);
-test("two packs", parsePacksMacro, "a/b,c/d@1.2.3", [BuiltInLanguage.cpp], {
-  [BuiltInLanguage.cpp]: ["a/b", "c/d@1.2.3"],
+test("two packs", parsePacksMacro, "a/b,c/d@1.2.3", [KnownLanguage.cpp], {
+  [KnownLanguage.cpp]: ["a/b", "c/d@1.2.3"],
 });
 test(
  "two packs with spaces",
  parsePacksMacro,
  " a/b , c/d@1.2.3 ",
-  [BuiltInLanguage.cpp],
+  [KnownLanguage.cpp],
  {
-    [BuiltInLanguage.cpp]: ["a/b", "c/d@1.2.3"],
+    [KnownLanguage.cpp]: ["a/b", "c/d@1.2.3"],
  },
 );
 test(
  "two packs with language",
  parsePacksErrorMacro,
  "a/b,c/d@1.2.3",
-  [BuiltInLanguage.cpp, BuiltInLanguage.java],
+  [KnownLanguage.cpp, KnownLanguage.java],
  new RegExp(
    "Cannot specify a 'packs' input in a multi-language analysis. " +
      "Use a codeql-config.yml file instead and specify packs by language.",
@@ -106,9 +106,9 @@ test(
    // (globbing is not done)
    "c/d@1.2.3:+*)_(",
  ].join(","),
-  [BuiltInLanguage.cpp],
+  [KnownLanguage.cpp],
  {
-    [BuiltInLanguage.cpp]: [
+    [KnownLanguage.cpp]: [
      "c/d@1.0",
      "c/d@~1.0.0",
      "c/d@~1.0.0:a/b",
@@ -215,7 +215,7 @@ test(
  "All empty",
  undefined,
  undefined,
-  [BuiltInLanguage.javascript],
+  [KnownLanguage.javascript],
  {},
  {
    ...dbConfig.defaultAugmentationProperties,
@@ -227,7 +227,7 @@ test(
  "With queries",
  undefined,
  " a, b , c, d",
-  [BuiltInLanguage.javascript],
+  [KnownLanguage.javascript],
  {},
  {
    ...dbConfig.defaultAugmentationProperties,
@@ -240,7 +240,7 @@ test(
  "With queries combining",
  undefined,
  "   +   a, b , c, d ",
-  [BuiltInLanguage.javascript],
+  [KnownLanguage.javascript],
  {},
  {
    ...dbConfig.defaultAugmentationProperties,
@@ -254,7 +254,7 @@ test(
  "With packs",
  "   codeql/a , codeql/b   , codeql/c  , codeql/d  ",
  undefined,
-  [BuiltInLanguage.javascript],
+  [KnownLanguage.javascript],
  {},
  {
    ...dbConfig.defaultAugmentationProperties,
@@ -267,7 +267,7 @@ test(
  "With packs combining",
  "   +   codeql/a, codeql/b, codeql/c, codeql/d",
  undefined,
-  [BuiltInLanguage.javascript],
+  [KnownLanguage.javascript],
  {},
  {
    ...dbConfig.defaultAugmentationProperties,
@@ -281,7 +281,7 @@ test(
  "With repo property queries",
  undefined,
  undefined,
-  [BuiltInLanguage.javascript],
+  [KnownLanguage.javascript],
  {
    "github-codeql-extra-queries": "a, b, c, d",
  },
@@ -299,7 +299,7 @@ test(
  "With repo property queries combining",
  undefined,
  undefined,
-  [BuiltInLanguage.javascript],
+  [KnownLanguage.javascript],
  {
    "github-codeql-extra-queries": "+ a, b, c, d",
  },
@@ -341,7 +341,7 @@ test(
  "Plus (+) with nothing else (queries)",
  undefined,
  "   +   ",
-  [BuiltInLanguage.javascript],
+  [KnownLanguage.javascript],
  {},
  /The workflow property "queries" is invalid/,
 );
@@ -351,7 +351,7 @@ test(
  "Plus (+) with nothing else (packs)",
  "   +   ",
  undefined,
-  [BuiltInLanguage.javascript],
+  [KnownLanguage.javascript],
  {},
  /The workflow property "packs" is invalid/,
 );
@@ -361,7 +361,7 @@ test(
  "Plus (+) with nothing else (repo property queries)",
  undefined,
  undefined,
-  [BuiltInLanguage.javascript],
+  [KnownLanguage.javascript],
  {
    "github-codeql-extra-queries": "    + ",
  },
@@ -373,7 +373,7 @@ test(
  "Packs input with multiple languages",
  "   +  a/b, c/d ",
  undefined,
-  [BuiltInLanguage.javascript, BuiltInLanguage.java],
+  [KnownLanguage.javascript, KnownLanguage.java],
  {},
  /Cannot specify a 'packs' input in a multi-language analysis/,
 );
@@ -393,7 +393,7 @@ test(
  "Invalid packs",
  " a-pack-without-a-scope ",
  undefined,
-  [BuiltInLanguage.javascript],
+  [KnownLanguage.javascript],
  {},
  /"a-pack-without-a-scope" is not a valid pack/,
 );
@@ -12,7 +12,7 @@ import { createStubCodeQL } from "./codeql";
 import { Config } from "./config-utils";
 import { cleanupAndUploadDatabases } from "./database-upload";
 import * as gitUtils from "./git-utils";
-import { BuiltInLanguage } from "./languages";
+import { KnownLanguage } from "./languages";
 import { RepositoryNwo } from "./repository";
 import {
  checkExpectedLogMessages,
@@ -45,7 +45,7 @@ const testApiDetails: GitHubApiDetails = {

 function getTestConfig(tmpDir: string): Config {
  return createTestConfig({
-    languages: [BuiltInLanguage.javascript],
+    languages: [KnownLanguage.javascript],
    dbLocation: tmpDir,
  });
 }
@@ -1,6 +1,6 @@
 {
-  "bundleVersion": "codeql-bundle-v2.25.3",
-  "cliVersion": "2.25.3",
-  "priorBundleVersion": "codeql-bundle-v2.25.2",
-  "priorCliVersion": "2.25.2"
+  "bundleVersion": "codeql-bundle-v2.25.2",
+  "cliVersion": "2.25.2",
+  "priorBundleVersion": "codeql-bundle-v2.25.1",
+  "priorCliVersion": "2.25.1"
 }
@@ -27,7 +27,7 @@ import {
  CacheStoreResult,
 } from "./dependency-caching";
 import { Feature } from "./feature-flags";
-import { BuiltInLanguage } from "./languages";
+import { KnownLanguage } from "./languages";
 import {
  setupTests,
  createFeatures,
@@ -179,7 +179,7 @@ test("checkHashPatterns - logs when no patterns match", async (t) => {
  const result = await checkHashPatterns(
    codeql,
    features,
-    BuiltInLanguage.csharp,
+    KnownLanguage.csharp,
    config,
    "download",
    getRecordingLogger(messages),
@@ -208,7 +208,7 @@ test("checkHashPatterns - returns patterns when patterns match", async (t) => {
    const result = await checkHashPatterns(
      codeql,
      features,
-      BuiltInLanguage.csharp,
+      KnownLanguage.csharp,
      config,
      "upload",
      getRecordingLogger(messages),
@@ -270,7 +270,7 @@ test.serial(
    const keyWithFeature = await cacheKey(
      codeql,
      createFeatures([Feature.CsharpNewCacheKey]),
-      BuiltInLanguage.csharp,
+      KnownLanguage.csharp,
      // Patterns don't matter here because we have stubbed `hashFiles` to always return a specific hash above.
      [],
    );
@@ -288,12 +288,12 @@ test.serial(
    const result = await downloadDependencyCaches(
      codeql,
      createFeatures([]),
-      [BuiltInLanguage.csharp],
+      [KnownLanguage.csharp],
      logger,
    );
    const statusReport = result.statusReport;
    t.is(statusReport.length, 1);
-    t.is(statusReport[0].language, BuiltInLanguage.csharp);
+    t.is(statusReport[0].language, KnownLanguage.csharp);
    t.is(statusReport[0].hit_kind, CacheHitKind.Miss);
    t.deepEqual(result.restoredKeys, []);
    t.assert(restoreCacheStub.calledOnce);
@@ -316,7 +316,7 @@ test.serial(
    const keyWithFeature = await cacheKey(
      codeql,
      features,
-      BuiltInLanguage.csharp,
+      KnownLanguage.csharp,
      // Patterns don't matter here because we have stubbed `hashFiles` to always return a specific hash above.
      [],
    );
@@ -334,14 +334,14 @@ test.serial(
    const result = await downloadDependencyCaches(
      codeql,
      features,
-      [BuiltInLanguage.csharp],
+      [KnownLanguage.csharp],
      logger,
    );

    // Check that the status report for telemetry indicates that one cache was restored with an exact match.
    const statusReport = result.statusReport;
    t.is(statusReport.length, 1);
-    t.is(statusReport[0].language, BuiltInLanguage.csharp);
+    t.is(statusReport[0].language, KnownLanguage.csharp);
    t.is(statusReport[0].hit_kind, CacheHitKind.Exact);

    // Check that the restored key has been returned.
@@ -380,7 +380,7 @@ test.serial(
    const keyWithFeature = await cacheKey(
      codeql,
      features,
-      BuiltInLanguage.csharp,
+      KnownLanguage.csharp,
      // Patterns don't matter here because we have stubbed `hashFiles` to always return a specific hash above.
      [],
    );
@@ -398,14 +398,14 @@ test.serial(
    const result = await downloadDependencyCaches(
      codeql,
      features,
-      [BuiltInLanguage.csharp],
+      [KnownLanguage.csharp],
      logger,
    );

    // Check that the status report for telemetry indicates that one cache was restored with a partial match.
    const statusReport = result.statusReport;
    t.is(statusReport.length, 1);
-    t.is(statusReport[0].language, BuiltInLanguage.csharp);
+    t.is(statusReport[0].language, KnownLanguage.csharp);
    t.is(statusReport[0].hit_kind, CacheHitKind.Partial);

    // Check that the restored key has been returned.
@@ -426,7 +426,7 @@ test("uploadDependencyCaches - skips upload for a language with no cache config"
  const logger = getRecordingLogger(messages);
  const features = createFeatures([]);
  const config = createTestConfig({
-    languages: [BuiltInLanguage.actions],
+    languages: [KnownLanguage.actions],
  });

  const result = await uploadDependencyCaches(codeql, features, config, logger);
@@ -444,7 +444,7 @@ test.serial(
    const logger = getRecordingLogger(messages);
    const features = createFeatures([]);
    const config = createTestConfig({
-      languages: [BuiltInLanguage.go],
+      languages: [KnownLanguage.go],
    });

    const makePatternCheckStub = sinon.stub(internal, "makePatternCheck");
@@ -457,7 +457,7 @@ test.serial(
      logger,
    );
    t.is(result.length, 1);
-    t.is(result[0].language, BuiltInLanguage.go);
+    t.is(result[0].language, KnownLanguage.go);
    t.is(result[0].result, CacheStoreResult.NoHash);
  },
 );
@@ -483,12 +483,12 @@ test.serial(
    const primaryCacheKey = await cacheKey(
      codeql,
      features,
-      BuiltInLanguage.csharp,
+      KnownLanguage.csharp,
      CSHARP_BASE_PATTERNS,
    );

    const config = createTestConfig({
-      languages: [BuiltInLanguage.csharp],
+      languages: [KnownLanguage.csharp],
      dependencyCachingRestoredKeys: [primaryCacheKey],
    });

@@ -499,7 +499,7 @@ test.serial(
      logger,
    );
    t.is(result.length, 1);
-    t.is(result[0].language, BuiltInLanguage.csharp);
+    t.is(result[0].language, KnownLanguage.csharp);
    t.is(result[0].result, CacheStoreResult.Duplicate);
  },
 );
@@ -525,7 +525,7 @@ test.serial(
    sinon.stub(cachingUtils, "getTotalCacheSize").resolves(0);

    const config = createTestConfig({
-      languages: [BuiltInLanguage.csharp],
+      languages: [KnownLanguage.csharp],
    });

    const result = await uploadDependencyCaches(
@@ -535,7 +535,7 @@ test.serial(
      logger,
    );
    t.is(result.length, 1);
-    t.is(result[0].language, BuiltInLanguage.csharp);
+    t.is(result[0].language, KnownLanguage.csharp);
    t.is(result[0].result, CacheStoreResult.Empty);

    checkExpectedLogMessages(t, messages, [
@@ -566,7 +566,7 @@ test.serial(
    sinon.stub(actionsCache, "saveCache").resolves();

    const config = createTestConfig({
-      languages: [BuiltInLanguage.csharp],
+      languages: [KnownLanguage.csharp],
    });

    const result = await uploadDependencyCaches(
@@ -576,7 +576,7 @@ test.serial(
      logger,
    );
    t.is(result.length, 1);
-    t.is(result[0].language, BuiltInLanguage.csharp);
+    t.is(result[0].language, KnownLanguage.csharp);
    t.is(result[0].result, CacheStoreResult.Stored);
    t.is(result[0].upload_size_bytes, 1024);

@@ -608,7 +608,7 @@ test.serial(
      .throws(new actionsCache.ReserveCacheError("Already in use"));

    const config = createTestConfig({
-      languages: [BuiltInLanguage.csharp],
+      languages: [KnownLanguage.csharp],
    });

    await t.notThrowsAsync(async () => {
@@ -619,7 +619,7 @@ test.serial(
        logger,
      );
      t.is(result.length, 1);
-      t.is(result[0].language, BuiltInLanguage.csharp);
+      t.is(result[0].language, KnownLanguage.csharp);
      t.is(result[0].result, CacheStoreResult.Duplicate);

      checkExpectedLogMessages(t, messages, ["Not uploading cache for"]);
@@ -647,7 +647,7 @@ test.serial("uploadDependencyCaches - throws other exceptions", async (t) => {
  sinon.stub(actionsCache, "saveCache").throws();

  const config = createTestConfig({
-    languages: [BuiltInLanguage.csharp],
+    languages: [KnownLanguage.csharp],
  });

  await t.throwsAsync(async () => {
@@ -659,7 +659,7 @@ test("getFeaturePrefix - returns empty string if no features are enabled", async
  const codeql = createStubCodeQL({});
  const features = createFeatures([]);

-  for (const knownLanguage of Object.values(BuiltInLanguage)) {
+  for (const knownLanguage of Object.values(KnownLanguage)) {
    const result = await getFeaturePrefix(codeql, features, knownLanguage);
    t.deepEqual(result, "", `Expected no feature prefix for ${knownLanguage}`);
  }
@@ -669,11 +669,7 @@ test("getFeaturePrefix - C# - returns prefix if CsharpNewCacheKey is enabled", a
  const codeql = createStubCodeQL({});
  const features = createFeatures([Feature.CsharpNewCacheKey]);

-  const result = await getFeaturePrefix(
-    codeql,
-    features,
-    BuiltInLanguage.csharp,
-  );
+  const result = await getFeaturePrefix(codeql, features, KnownLanguage.csharp);
  t.notDeepEqual(result, "");
  t.assert(result.endsWith("-"));
  // Check the length of the prefix, which should correspond to `cacheKeyHashLength` + 1 for the trailing `-`.
@@ -684,9 +680,9 @@ test("getFeaturePrefix - non-C# - returns '' if CsharpNewCacheKey is enabled", a
  const codeql = createStubCodeQL({});
  const features = createFeatures([Feature.CsharpNewCacheKey]);

-  for (const knownLanguage of Object.values(BuiltInLanguage)) {
+  for (const knownLanguage of Object.values(KnownLanguage)) {
    // Skip C# since we expect a result for it, which is tested in the previous test.
-    if (knownLanguage === BuiltInLanguage.csharp) {
+    if (knownLanguage === KnownLanguage.csharp) {
      continue;
    }
    const result = await getFeaturePrefix(codeql, features, knownLanguage);
@@ -698,11 +694,7 @@ test("getFeaturePrefix - C# - returns prefix if CsharpCacheBuildModeNone is enab
  const codeql = createStubCodeQL({});
  const features = createFeatures([Feature.CsharpCacheBuildModeNone]);

-  const result = await getFeaturePrefix(
-    codeql,
-    features,
-    BuiltInLanguage.csharp,
-  );
+  const result = await getFeaturePrefix(codeql, features, KnownLanguage.csharp);
  t.notDeepEqual(result, "");
  t.assert(result.endsWith("-"));
  // Check the length of the prefix, which should correspond to `cacheKeyHashLength` + 1 for the trailing `-`.
@@ -713,9 +705,9 @@ test("getFeaturePrefix - non-C# - returns '' if CsharpCacheBuildModeNone is enab
  const codeql = createStubCodeQL({});
  const features = createFeatures([Feature.CsharpCacheBuildModeNone]);

-  for (const knownLanguage of Object.values(BuiltInLanguage)) {
+  for (const knownLanguage of Object.values(KnownLanguage)) {
    // Skip C# since we expect a result for it, which is tested in the previous test.
-    if (knownLanguage === BuiltInLanguage.csharp) {
+    if (knownLanguage === KnownLanguage.csharp) {
      continue;
    }
    const result = await getFeaturePrefix(codeql, features, knownLanguage);
@@ -11,7 +11,7 @@ import { CodeQL } from "./codeql";
 import { Config } from "./config-utils";
 import { EnvVar } from "./environment";
 import { Feature, FeatureEnablement } from "./feature-flags";
-import { BuiltInLanguage, Language } from "./languages";
+import { KnownLanguage, Language } from "./languages";
 import { Logger } from "./logging";
 import { getErrorMessage, getRequiredEnvParam } from "./util";

@@ -541,7 +541,7 @@ export async function getFeaturePrefix(
    }
  };

-  if (language === BuiltInLanguage.csharp) {
+  if (language === KnownLanguage.csharp) {
    await addFeatureIfEnabled(Feature.CsharpNewCacheKey);
    await addFeatureIfEnabled(Feature.CsharpCacheBuildModeNone);
  }
@@ -72,13 +72,6 @@ let unwrittenDiagnostics: UnwrittenDiagnostic[] = [];
 */
 let unwrittenDefaultLanguageDiagnostics: DiagnosticMessage[] = [];

-/**
- * Counter used to generate a unique suffix for each diagnostic filename, so that
- * two diagnostics produced within the same millisecond do not overwrite each
- * other on disk.
- */
-let diagnosticCounter = 0;
-
 /**
 * Constructs a new diagnostic message with the specified id and name, as well as optional additional data.
 *
@@ -174,18 +167,10 @@ function writeDiagnostic(
    // Create the directory if it doesn't exist yet.
    mkdirSync(diagnosticsPath, { recursive: true });

-    // Include a monotonically increasing suffix to avoid filename collisions
-    // between diagnostics produced within the same millisecond.
-    const uniqueSuffix = (diagnosticCounter++).toString();
-    // We should only need to remove colons, but to be defensive, only allow a restricted set of
-    // characters.
-    const sanitizedTimestamp = diagnostic.timestamp.replace(
-      /[^a-zA-Z0-9.-]/g,
-      "",
-    );
    const jsonPath = path.resolve(
      diagnosticsPath,
-      `codeql-action-${sanitizedTimestamp}-${uniqueSuffix}.json`,
+      // Remove colons from the timestamp as these are not allowed in Windows filenames.
+      `codeql-action-${diagnostic.timestamp.replaceAll(":", "")}.json`,
    );

    writeFileSync(jsonPath, JSON.stringify(diagnostic));
@@ -8,7 +8,6 @@ export enum DocUrl {
  CODEQL_BUILD_MODES = "https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages#codeql-build-modes",
  DEFINE_ENV_VARIABLES = "https://docs.github.com/en/actions/learn-github-actions/variables#defining-environment-variables-for-a-single-workflow",
  DELETE_ACTIONS_CACHE_ENTRIES = "https://docs.github.com/en/actions/how-tos/manage-workflow-runs/manage-caches#deleting-cache-entries",
-  PRIVATE_REGISTRY_LOGS = "https://docs.github.com/en/code-security/reference/code-scanning/code-scanning-logs#diagnostic-information-for-private-package-registries",
  SCANNING_ON_PUSH = "https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning#scanning-on-push",
  SPECIFY_BUILD_STEPS_MANUALLY = "https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages#about-specifying-build-steps-manually",
  SYSTEM_REQUIREMENTS = "https://codeql.github.com/docs/codeql-overview/system-requirements/",
@@ -193,94 +193,6 @@ test.serial(
  },
 );

-test.serial(
-  "getRef() returns merge PR ref if GITHUB_SHA still checked out (SHA-256)",
-  async (t) => {
-    await withTmpDir(async (tmpDir: string) => {
-      setupActionsVars(tmpDir, tmpDir);
-      const expectedRef = "refs/pull/1/merge";
-      const currentSha = "a".repeat(64);
-      process.env["GITHUB_REF"] = expectedRef;
-      process.env["GITHUB_SHA"] = currentSha;
-
-      const callback = sinon.stub(gitUtils, "getCommitOid");
-      callback.withArgs("HEAD").resolves(currentSha);
-
-      const actualRef = await gitUtils.getRef();
-      t.deepEqual(actualRef, expectedRef);
-      callback.restore();
-    });
-  },
-);
-
-test.serial(
-  "getRef() returns merge PR ref if GITHUB_REF still checked out but sha has changed (actions checkout@v1) (SHA-256)",
-  async (t) => {
-    await withTmpDir(async (tmpDir: string) => {
-      setupActionsVars(tmpDir, tmpDir);
-      const expectedRef = "refs/pull/1/merge";
-      process.env["GITHUB_REF"] = expectedRef;
-      process.env["GITHUB_SHA"] = "b".repeat(64);
-      const sha = "a".repeat(64);
-
-      const callback = sinon.stub(gitUtils, "getCommitOid");
-      callback.withArgs("refs/remotes/pull/1/merge").resolves(sha);
-      callback.withArgs("HEAD").resolves(sha);
-
-      const actualRef = await gitUtils.getRef();
-      t.deepEqual(actualRef, expectedRef);
-      callback.restore();
-    });
-  },
-);
-
-test.serial(
-  "getRef() returns head PR ref if GITHUB_REF no longer checked out (SHA-256)",
-  async (t) => {
-    await withTmpDir(async (tmpDir: string) => {
-      setupActionsVars(tmpDir, tmpDir);
-      process.env["GITHUB_REF"] = "refs/pull/1/merge";
-      process.env["GITHUB_SHA"] = "a".repeat(64);
-
-      const callback = sinon.stub(gitUtils, "getCommitOid");
-      callback.withArgs(tmpDir, "refs/pull/1/merge").resolves("a".repeat(64));
-      callback.withArgs(tmpDir, "HEAD").resolves("b".repeat(64));
-
-      const actualRef = await gitUtils.getRef();
-      t.deepEqual(actualRef, "refs/pull/1/head");
-      callback.restore();
-    });
-  },
-);
-
-test.serial(
-  "getRef() returns ref provided as an input and ignores current HEAD (SHA-256)",
-  async (t) => {
-    await withTmpDir(async (tmpDir: string) => {
-      setupActionsVars(tmpDir, tmpDir);
-      const getAdditionalInputStub = sinon.stub(
-        actionsUtil,
-        "getOptionalInput",
-      );
-      getAdditionalInputStub.withArgs("ref").resolves("refs/pull/2/merge");
-      getAdditionalInputStub.withArgs("sha").resolves("b".repeat(64));
-
-      // These values are be ignored
-      process.env["GITHUB_REF"] = "refs/pull/1/merge";
-      process.env["GITHUB_SHA"] = "a".repeat(64);
-
-      const callback = sinon.stub(gitUtils, "getCommitOid");
-      callback.withArgs("refs/pull/1/merge").resolves("b".repeat(64));
-      callback.withArgs("HEAD").resolves("b".repeat(64));
-
-      const actualRef = await gitUtils.getRef();
-      t.deepEqual(actualRef, "refs/pull/2/merge");
-      callback.restore();
-      getAdditionalInputStub.restore();
-    });
-  },
-);
-
 test.serial("isAnalyzingDefaultBranch()", async (t) => {
  process.env["GITHUB_EVENT_NAME"] = "push";
  process.env["CODE_SCANNING_IS_ANALYZING_DEFAULT_BRANCH"] = "true";
@@ -393,25 +305,6 @@ test.serial("determineBaseBranchHeadCommitOid other error", async (t) => {
  infoStub.restore();
 });

-test.serial(
-  "determineBaseBranchHeadCommitOid returns baseOid for SHA-256 merge commit",
-  async (t) => {
-    const mergeSha = "a".repeat(64);
-    const baseOid = "b".repeat(64);
-    const headOid = "c".repeat(64);
-
-    process.env["GITHUB_EVENT_NAME"] = "pull_request";
-    process.env["GITHUB_SHA"] = mergeSha;
-
-    sinon
-      .stub(gitUtils as any, "runGitCommand")
-      .resolves(`commit ${mergeSha}\nparent ${baseOid}\nparent ${headOid}\n`);
-
-    const result = await gitUtils.determineBaseBranchHeadCommitOid(__dirname);
-    t.deepEqual(result, baseOid);
-  },
-);
-
 test.serial("decodeGitFilePath unquoted strings", async (t) => {
  t.deepEqual(gitUtils.decodeGitFilePath("foo"), "foo");
  t.deepEqual(gitUtils.decodeGitFilePath("foo bar"), "foo bar");
@@ -589,61 +482,6 @@ test.serial(
  },
 );

-test.serial(
-  "getFileOidsUnderPath handles SHA-256 OIDs (64-char)",
-  async (t) => {
-    await withTmpDir(async (tmpDir) => {
-      sinon
-        .stub(gitUtils as any, "runGitCommand")
-        .callsFake(async (_cwd: any, args: any) => {
-          if (args[0] === "rev-parse") {
-            return `${tmpDir}\n`;
-          }
-          return (
-            "100644 9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2c0d4b7e8f9a1234567890ab 0\tlib/git-utils.js\n" +
-            "100644 aabbccddeeff00112233445566778899aabbccddeeff00112233445566778899 0\tsrc/git-utils.ts"
-          );
-        });
-
-      const result = await gitUtils.getFileOidsUnderPath("/fake/path");
-
-      t.deepEqual(result, {
-        "lib/git-utils.js":
-          "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2c0d4b7e8f9a1234567890ab",
-        "src/git-utils.ts":
-          "aabbccddeeff00112233445566778899aabbccddeeff00112233445566778899",
-      });
-    });
-  },
-);
-
-test.serial(
-  "getFileOidsUnderPath handles mixed SHA-1 and SHA-256 OIDs",
-  async (t) => {
-    await withTmpDir(async (tmpDir) => {
-      sinon
-        .stub(gitUtils as any, "runGitCommand")
-        .callsFake(async (_cwd: any, args: any) => {
-          if (args[0] === "rev-parse") {
-            return `${tmpDir}\n`;
-          }
-          return (
-            "100644 30d998ded095371488be3a729eb61d86ed721a18 0\tlib/sha1-file.js\n" +
-            "100644 aabbccddeeff00112233445566778899aabbccddeeff00112233445566778899 0\tsrc/sha256-file.ts"
-          );
-        });
-
-      const result = await gitUtils.getFileOidsUnderPath("/fake/path");
-
-      t.deepEqual(result, {
-        "lib/sha1-file.js": "30d998ded095371488be3a729eb61d86ed721a18",
-        "src/sha256-file.ts":
-          "aabbccddeeff00112233445566778899aabbccddeeff00112233445566778899",
-      });
-    });
-  },
-);
-
 test.serial(
  "getGitVersionOrThrow returns version for valid git output",
  async (t) => {
@@ -166,8 +166,8 @@ export const determineBaseBranchHeadCommitOid = async function (
    // Let's confirm our assumptions: We had a merge commit and the parsed parent data looks correct
    if (
      commitOid === mergeSha &&
-      (headOid.length === 40 || headOid.length === 64) &&
-      (baseOid.length === 40 || baseOid.length === 64)
+      headOid.length === 40 &&
+      baseOid.length === 40
    ) {
      return baseOid;
    }
@@ -296,7 +296,7 @@ export const getFileOidsUnderPath = async function (
  // 100644 4c51bc1d9e86cd86e01b0f340cb8ce095c33b283 0\tsrc/git-utils.test.ts
  // 100644 6b792ea543ce75d7a8a03df591e3c85311ecb64f 0\tsrc/git-utils.ts
  // The fields are: <mode> <oid> <stage>\t<path>
-  const regex = /^[0-9]+ ([0-9a-f]{40,64}) [0-9]+\t(.+)$/;
+  const regex = /^[0-9]+ ([0-9a-f]{40}) [0-9]+\t(.+)$/;
  for (const line of stdout.split("\n")) {
    if (line) {
      const match = line.match(regex);
@@ -58,7 +58,7 @@ import {
  initConfig,
  runDatabaseInitCluster,
 } from "./init";
-import { JavaEnvVars, BuiltInLanguage } from "./languages";
+import { JavaEnvVars, KnownLanguage } from "./languages";
 import { getActionsLogger, Logger, withGroupAsync } from "./logging";
 import {
  downloadOverlayBaseDatabaseFromCache,
@@ -330,7 +330,7 @@ async function run(startedAt: Date) {
      // requested rust - don't enable it via language autodetection.
      configUtils
        .getRawLanguagesNoAutodetect(getOptionalInput("languages"))
-        .includes(BuiltInLanguage.rust)
+        .includes(KnownLanguage.rust)
    ) {
      const experimental = "2.19.3";
      const publicPreview = "2.22.1";
@@ -390,7 +390,7 @@ async function run(startedAt: Date) {
    });

    if (
-      config.languages.includes(BuiltInLanguage.swift) &&
+      config.languages.includes(KnownLanguage.swift) &&
      process.platform !== "darwin"
    ) {
      throw new ConfigurationError(
@@ -465,23 +465,18 @@ async function run(startedAt: Date) {
      // necessary preparations. So, in that mode, we would assume that
      // everything is in order and let the analysis fail if that turns out not
      // to be the case.
-      await withGroupAsync(
-        "Checking cache for overlay-base database",
-        async () => {
-          overlayBaseDatabaseStats = await downloadOverlayBaseDatabaseFromCache(
-            codeql,
-            config,
-            logger,
-          );
-          if (!overlayBaseDatabaseStats) {
-            config.overlayDatabaseMode = OverlayDatabaseMode.None;
-            logger.info(
-              "No overlay-base database found in cache, " +
-                `reverting overlay database mode to ${OverlayDatabaseMode.None}.`,
-            );
-          }
-        },
+      overlayBaseDatabaseStats = await downloadOverlayBaseDatabaseFromCache(
+        codeql,
+        config,
+        logger,
      );
+      if (!overlayBaseDatabaseStats) {
+        config.overlayDatabaseMode = OverlayDatabaseMode.None;
+        logger.info(
+          "No overlay-base database found in cache, " +
+            `reverting overlay database mode to ${OverlayDatabaseMode.None}.`,
+        );
+      }
    }

    if (config.overlayDatabaseMode !== OverlayDatabaseMode.Overlay) {
@@ -514,7 +509,7 @@ async function run(startedAt: Date) {
    }

    if (
-      config.languages.includes(BuiltInLanguage.go) &&
+      config.languages.includes(KnownLanguage.go) &&
      process.platform === "linux"
    ) {
      try {
@@ -572,7 +567,7 @@ async function run(startedAt: Date) {
        if (e instanceof FileCmdNotFoundError) {
          addDiagnostic(
            config,
-            BuiltInLanguage.go,
+            KnownLanguage.go,
            makeDiagnostic(
              "go/workflow/file-program-unavailable",
              "The `file` program is required on Linux, but does not appear to be installed",
@@ -666,7 +661,7 @@ async function run(startedAt: Date) {
      (await codeQlVersionAtLeast(codeql, CODEQL_VERSION_JAR_MINIMIZATION)) &&
      config.dependencyCachingEnabled &&
      config.buildMode === BuildMode.None &&
-      config.languages.includes(BuiltInLanguage.java)
+      config.languages.includes(KnownLanguage.java)
    ) {
      core.exportVariable(
        EnvVar.JAVA_EXTRACTOR_MINIMIZE_DEPENDENCY_JARS,
@@ -15,7 +15,7 @@ import {
  getFileCoverageInformationEnabled,
  logFileCoverageOnPrsDeprecationWarning,
 } from "./init";
-import { BuiltInLanguage } from "./languages";
+import { KnownLanguage } from "./languages";
 import {
  createFeatures,
  LoggedMessage,
@@ -152,7 +152,7 @@ test("cleanupDatabaseClusterDirectory can disable warning with options", async (
 });

 type PackInfo = {
-  language: BuiltInLanguage;
+  language: KnownLanguage;
  packinfoContents: string | undefined;
  sourceOnlyPack?: boolean;
  qlpackFileName?: string;
@@ -169,13 +169,13 @@ const testCheckPacksForOverlayCompatibility = test.macro({
      expectedResult,
    }: {
      cliOverlayVersion: number | undefined;
-      languages: BuiltInLanguage[];
+      languages: KnownLanguage[];
      packs: Record<string, PackInfo>;
      expectedResult: boolean;
    },
  ) => {
    await withTmpDir(async (tmpDir) => {
-      const packDirsByLanguage = new Map<BuiltInLanguage, string[]>();
+      const packDirsByLanguage = new Map<KnownLanguage, string[]>();

      for (const [packName, packInfo] of Object.entries(packs)) {
        const packPath = path.join(tmpDir, packName);
@@ -242,10 +242,10 @@ test(
  "returns false when CLI does not support overlay",
  {
    cliOverlayVersion: undefined,
-    languages: [BuiltInLanguage.java],
+    languages: [KnownLanguage.java],
    packs: {
      "codeql/java-queries": {
-        language: BuiltInLanguage.java,
+        language: KnownLanguage.java,
        packinfoContents: '{"overlayVersion":2}',
      },
    },
@@ -258,7 +258,7 @@ test(
  "returns true when there are no query packs",
  {
    cliOverlayVersion: 2,
-    languages: [BuiltInLanguage.java],
+    languages: [KnownLanguage.java],
    packs: {},
    expectedResult: true,
  },
@@ -269,10 +269,10 @@ test(
  "returns true when query pack has not been compiled",
  {
    cliOverlayVersion: 2,
-    languages: [BuiltInLanguage.java],
+    languages: [KnownLanguage.java],
    packs: {
      "codeql/java-queries": {
-        language: BuiltInLanguage.java,
+        language: KnownLanguage.java,
        packinfoContents: undefined,
        sourceOnlyPack: true,
      },
@@ -286,10 +286,10 @@ test(
  "returns true when query pack has expected overlay version",
  {
    cliOverlayVersion: 2,
-    languages: [BuiltInLanguage.java],
+    languages: [KnownLanguage.java],
    packs: {
      "codeql/java-queries": {
-        language: BuiltInLanguage.java,
+        language: KnownLanguage.java,
        packinfoContents: '{"overlayVersion":2}',
      },
    },
@@ -302,14 +302,14 @@ test(
  "returns true when query packs for all languages to analyze are compatible",
  {
    cliOverlayVersion: 2,
-    languages: [BuiltInLanguage.cpp, BuiltInLanguage.java],
+    languages: [KnownLanguage.cpp, KnownLanguage.java],
    packs: {
      "codeql/cpp-queries": {
-        language: BuiltInLanguage.cpp,
+        language: KnownLanguage.cpp,
        packinfoContents: '{"overlayVersion":2}',
      },
      "codeql/java-queries": {
-        language: BuiltInLanguage.java,
+        language: KnownLanguage.java,
        packinfoContents: '{"overlayVersion":2}',
      },
    },
@@ -322,14 +322,14 @@ test(
  "returns true when query pack for a language not analyzed is incompatible",
  {
    cliOverlayVersion: 2,
-    languages: [BuiltInLanguage.java],
+    languages: [KnownLanguage.java],
    packs: {
      "codeql/cpp-queries": {
-        language: BuiltInLanguage.cpp,
+        language: KnownLanguage.cpp,
        packinfoContents: undefined,
      },
      "codeql/java-queries": {
-        language: BuiltInLanguage.java,
+        language: KnownLanguage.java,
        packinfoContents: '{"overlayVersion":2}',
      },
    },
@@ -342,14 +342,14 @@ test(
  "returns false when query pack for a language to analyze is incompatible",
  {
    cliOverlayVersion: 2,
-    languages: [BuiltInLanguage.cpp, BuiltInLanguage.java],
+    languages: [KnownLanguage.cpp, KnownLanguage.java],
    packs: {
      "codeql/cpp-queries": {
-        language: BuiltInLanguage.cpp,
+        language: KnownLanguage.cpp,
        packinfoContents: '{"overlayVersion":1}',
      },
      "codeql/java-queries": {
-        language: BuiltInLanguage.java,
+        language: KnownLanguage.java,
        packinfoContents: '{"overlayVersion":2}',
      },
    },
@@ -362,14 +362,14 @@ test(
  "returns false when query pack is missing .packinfo",
  {
    cliOverlayVersion: 2,
-    languages: [BuiltInLanguage.java],
+    languages: [KnownLanguage.java],
    packs: {
      "codeql/java-queries": {
-        language: BuiltInLanguage.java,
+        language: KnownLanguage.java,
        packinfoContents: '{"overlayVersion":2}',
      },
      "custom/queries": {
-        language: BuiltInLanguage.java,
+        language: KnownLanguage.java,
        packinfoContents: undefined,
      },
    },
@@ -382,14 +382,14 @@ test(
  "returns false when query pack has different overlay version",
  {
    cliOverlayVersion: 2,
-    languages: [BuiltInLanguage.java],
+    languages: [KnownLanguage.java],
    packs: {
      "codeql/java-queries": {
-        language: BuiltInLanguage.java,
+        language: KnownLanguage.java,
        packinfoContents: '{"overlayVersion":2}',
      },
      "custom/queries": {
-        language: BuiltInLanguage.java,
+        language: KnownLanguage.java,
        packinfoContents: '{"overlayVersion":1}',
      },
    },
@@ -402,14 +402,14 @@ test(
  "returns false when query pack is missing overlayVersion in .packinfo",
  {
    cliOverlayVersion: 2,
-    languages: [BuiltInLanguage.java],
+    languages: [KnownLanguage.java],
    packs: {
      "codeql/java-queries": {
-        language: BuiltInLanguage.java,
+        language: KnownLanguage.java,
        packinfoContents: '{"overlayVersion":2}',
      },
      "custom/queries": {
-        language: BuiltInLanguage.java,
+        language: KnownLanguage.java,
        packinfoContents: "{}",
      },
    },
@@ -422,14 +422,14 @@ test(
  "returns false when .packinfo is not valid JSON",
  {
    cliOverlayVersion: 2,
-    languages: [BuiltInLanguage.java],
+    languages: [KnownLanguage.java],
    packs: {
      "codeql/java-queries": {
-        language: BuiltInLanguage.java,
+        language: KnownLanguage.java,
        packinfoContents: '{"overlayVersion":2}',
      },
      "custom/queries": {
-        language: BuiltInLanguage.java,
+        language: KnownLanguage.java,
        packinfoContents: "this_is_not_valid_json",
      },
    },
@@ -442,10 +442,10 @@ test(
  "returns true when query pack uses codeql-pack.yml filename",
  {
    cliOverlayVersion: 2,
-    languages: [BuiltInLanguage.java],
+    languages: [KnownLanguage.java],
    packs: {
      "codeql/java-queries": {
-        language: BuiltInLanguage.java,
+        language: KnownLanguage.java,
        packinfoContents: '{"overlayVersion":2}',
        qlpackFileName: "codeql-pack.yml",
      },
@@ -26,7 +26,7 @@ import {
  RepositoryProperties,
  RepositoryPropertyName,
 } from "./feature-flags/properties";
-import { BuiltInLanguage, Language } from "./languages";
+import { KnownLanguage, Language } from "./languages";
 import { Logger, withGroupAsync } from "./logging";
 import { ToolsSource } from "./setup-codeql";
 import { ZstdAvailability } from "./tar";
@@ -235,7 +235,7 @@ export async function checkInstallPython311(
  codeql: CodeQL,
 ) {
  if (
-    languages.includes(BuiltInLanguage.python) &&
+    languages.includes(KnownLanguage.python) &&
    process.platform === "win32" &&
    !(await codeql.getVersion()).features?.supportsPython312
  ) {
@@ -1,46 +0,0 @@
-import test from "ava";
-
-import { setupTests } from "../testing-utils";
-
-import * as json from ".";
-
-setupTests(test);
-
-const testSchema = {
-  requiredKey: json.string,
-};
-
-const optionalSchema = {
-  optionalKey: json.optional(json.string),
-};
-
-test("validateSchema - required properties are required", async (t) => {
-  t.false(json.validateSchema(testSchema, {}));
-  t.false(json.validateSchema(testSchema, { requiredKey: undefined }));
-  t.false(json.validateSchema(testSchema, { requiredKey: null }));
-  t.false(json.validateSchema(testSchema, { requiredKey: 0 }));
-  t.false(json.validateSchema(testSchema, { requiredKey: 123 }));
-  t.false(json.validateSchema(testSchema, { requiredKey: false }));
-  t.false(json.validateSchema(testSchema, { requiredKey: true }));
-  t.false(json.validateSchema(testSchema, { requiredKey: [] }));
-  t.false(json.validateSchema(testSchema, { requiredKey: {} }));
-  t.true(json.validateSchema(testSchema, { requiredKey: "" }));
-  t.true(json.validateSchema(testSchema, { requiredKey: "foo" }));
-});
-
-test("validateSchema - optional properties are optional", async (t) => {
-  // Optional fields may be absent
-  t.true(json.validateSchema(optionalSchema, {}));
-  t.true(json.validateSchema(optionalSchema, { optionalKey: undefined }));
-  t.true(json.validateSchema(optionalSchema, { optionalKey: null }));
-
-  // But, if present, should have the expected type
-  t.false(json.validateSchema(optionalSchema, { optionalKey: 0 }));
-  t.false(json.validateSchema(optionalSchema, { optionalKey: 123 }));
-  t.false(json.validateSchema(optionalSchema, { optionalKey: false }));
-  t.false(json.validateSchema(optionalSchema, { optionalKey: true }));
-  t.false(json.validateSchema(optionalSchema, { optionalKey: [] }));
-  t.false(json.validateSchema(optionalSchema, { optionalKey: {} }));
-  t.true(json.validateSchema(optionalSchema, { optionalKey: "" }));
-  t.true(json.validateSchema(optionalSchema, { optionalKey: "foo" }));
-});
@@ -36,82 +36,3 @@ export function isStringOrUndefined(
 ): value is string | undefined {
  return value === undefined || isString(value);
 }
-
-/**
- * Represents a field of type `T` in a schema.
- * Carries a validation function and flag indicating whether the field is required or not.
- */
-export type Validator<T> = {
-  validate: (val: unknown) => val is T;
-  required: boolean;
-};
-
-/** Extracts `T` from `Validator<T>`. */
-export type UnwrapValidator<V> = V extends Validator<infer A> ? A : never;
-
-/** A validator for string fields in schemas. */
-export const string = {
-  validate: isString,
-  required: true,
-} as const satisfies Validator<string>;
-
-/** Transforms a validator to be optional. */
-export function optional<T>(validator: Validator<T>) {
-  return {
-    validate: (val: unknown) => {
-      return val === undefined || val === null || validator.validate(val);
-    },
-    required: false,
-  } as const satisfies Validator<T | undefined | null>;
-}
-
-/** Represents an arbitrary object schema. */
-export type Schema = Record<string, Validator<any>>;
-
-/** Extracts the required keys from `S`. */
-export type RequiredKeys<S extends Schema> = {
-  [K in keyof S]: S[K]["required"] extends true ? K : never;
-}[keyof S];
-
-/** Extracts optional keys from `S`. */
-export type OptionalKeys<S extends Schema> = {
-  [K in keyof S]: S[K]["required"] extends true ? never : K;
-}[keyof S];
-
-/** Constructs an object type corresponding to a schema. */
-export type FromSchema<S extends Schema> = {
-  [K in RequiredKeys<S>]: UnwrapValidator<S[K]>;
-} & { [K in OptionalKeys<S>]?: UnwrapValidator<S[K]> };
-
-/**
- * Validates that `obj` satisfies at least `schema`. Additional keys are accepted.
- *
- * @param schema The schema to validate against.
- * @param obj The object to validate.
- * @returns Asserts that `obj` is of the `schema`'s type if validation is successful.
- */
-export function validateSchema<S extends Schema>(
-  schema: S,
-  obj: UnvalidatedObject<any>,
-): obj is FromSchema<S> {
-  for (const [key, validator] of Object.entries(schema)) {
-    const hasKey = key in obj;
-
-    // If the property is required, but absent, fail.
-    if (validator.required && !hasKey) {
-      return false;
-    }
-
-    // If the property is required, but undefined or null, fail.
-    if (validator.required && (obj[key] === undefined || obj[key] === null)) {
-      return false;
-    }
-
-    // If the property is present, validate it.
-    if (hasKey && !validator.validate(obj[key])) {
-      return false;
-    }
-  }
-
-  return true;
-}
@@ -1,106 +0,0 @@
-import { ExecutionContext } from "ava";
-
-import * as json from ".";
-
-/**
- * Constructs an object based on `schema` for unit tests.
- * Assumes that all keys in `schema` have string values.
- *
- * @param includeOptional Whether to include optional properties.
- * @param schema The schema to base the object on.
- * @returns An object that satisfies `schema`.
- */
-export function makeFromSchema<S extends json.Schema>(
-  includeOptional: boolean,
-  schema: S,
-): json.FromSchema<S> {
-  const result = {};
-  for (const [key, validator] of Object.entries(schema)) {
-    if (!validator.required && !includeOptional) {
-      continue;
-    }
-    result[key] = `value-for-${key}`;
-  }
-  return result as json.FromSchema<S>;
-}
-
-/** Options for `withSchemaMatrix`. */
-export interface SchemaMatrixOptions {
-  /** Whether cases where the properties are entirely absent should be excluded. */
-  excludeAbsent?: boolean;
-}
-
-/**
- * Constructs a test matrix of possible objects for `schema`: all required properties
- * plus all permutations of possible states for the optional properties.
- *
- * @param schema The schema to construct a test matrix for.
- * @param body The test body to call with each value from the test matrix.
- */
-export function withSchemaMatrix<S extends json.Schema>(
-  t: ExecutionContext<any>,
-  schema: S,
-  opts: SchemaMatrixOptions,
-  body: (value: json.FromSchema<S>) => void,
-): void {
-  // Construct a base object that includes all required properties.
-  const required = makeFromSchema(false, schema);
-
-  // Identify optional properties.
-  const optionalKeys: Array<keyof S> = [];
-
-  for (const [key, validator] of Object.entries(schema)) {
-    if (!validator.required) {
-      optionalKeys.push(key);
-    }
-  }
-
-  const optionalValues = (key: keyof S) => [
-    null,
-    undefined,
-    `value-for-${String(key)}`,
-  ];
-
-  // Constructs an array of test objects, starting with `required` and combining it with all
-  // possible states of each optional property. For example, with default settings:
-  //
-  // For { requiredKey: string }, we get: `[{ requiredKey: "some-string-value" }]`
-  //
-  // For { requiredKey: string, optionalKey?: string }, we get:
-  // [ { requiredKey: "some-string-value" },
-  //   { requiredKey: "some-string-value", optionalKey: undefined },
-  //   { requiredKey: "some-string-value", optionalKey: null },
-  //   { requiredKey: "some-string-value", optionalKey: "some-value" },
-  // ]
-  const permutations = (keys: Array<keyof S>) => {
-    if (keys.length === 0) return [required];
-
-    const bases = permutations(keys.slice(1));
-    const result: Array<json.FromSchema<S>> = [];
-
-    const optionalKey = keys[0];
-    for (const base of bases) {
-      if (!opts.excludeAbsent) {
-        // Optional keys can be absent entirely.
-        result.push(base);
-      }
-
-      // Or be present and have one of the `optionalValues`.
-      for (const optionalValue of optionalValues(optionalKey)) {
-        result.push({ ...base, [optionalKey]: optionalValue });
-      }
-    }
-    return result;
-  };
-
-  // Call `body` for all test cases.
-  const testCases = permutations(optionalKeys);
-  for (const testCase of testCases) {
-    try {
-      body(testCase);
-    } catch (err) {
-      t.log(testCase);
-      throw err;
-    }
-  }
-}
@@ -0,0 +1,11 @@
+{
+  "c": "cpp",
+  "c#": "csharp",
+  "c++": "cpp",
+  "c-c++": "cpp",
+  "c-cpp": "cpp",
+  "java-kotlin": "java",
+  "javascript-typescript": "javascript",
+  "kotlin": "java",
+  "typescript": "javascript"
+}
@@ -0,0 +1,29 @@
+/** A language to analyze with CodeQL. */
+export type Language = string;
+
+/**
+ * A language supported by CodeQL that is treated specially by the Action.
+ *
+ * This is not an exhaustive list of languages supported by CodeQL and new
+ * languages do not need to be added here.
+ */
+export enum KnownLanguage {
+  actions = "actions",
+  cpp = "cpp",
+  csharp = "csharp",
+  go = "go",
+  java = "java",
+  javascript = "javascript",
+  python = "python",
+  ruby = "ruby",
+  rust = "rust",
+  swift = "swift",
+}
+
+/** Java-specific environment variable names that we may care about. */
+export enum JavaEnvVars {
+  JAVA_HOME = "JAVA_HOME",
+  JAVA_TOOL_OPTIONS = "JAVA_TOOL_OPTIONS",
+  JDK_JAVA_OPTIONS = "JDK_JAVA_OPTIONS",
+  _JAVA_OPTIONS = "_JAVA_OPTIONS",
+}
@@ -1,25 +0,0 @@
-{
-  "languages": [
-    "actions",
-    "cpp",
-    "csharp",
-    "go",
-    "java",
-    "javascript",
-    "python",
-    "ruby",
-    "rust",
-    "swift"
-  ],
-  "aliases": {
-    "c": "cpp",
-    "c-c++": "cpp",
-    "c-cpp": "cpp",
-    "c#": "csharp",
-    "c++": "cpp",
-    "java-kotlin": "java",
-    "javascript-typescript": "javascript",
-    "kotlin": "java",
-    "typescript": "javascript"
-  }
-}
@@ -1,46 +0,0 @@
-import test from "ava";
-
-import { setupTests } from "../testing-utils";
-
-import knownLanguagesData from "./builtin.json";
-
-import { isBuiltInLanguage, BuiltInLanguage, parseBuiltInLanguage } from ".";
-
-setupTests(test);
-
-test("parseBuiltInLanguage", (t) => {
-  // Exact matches
-  t.is(parseBuiltInLanguage("csharp"), BuiltInLanguage.csharp);
-  t.is(parseBuiltInLanguage("cpp"), BuiltInLanguage.cpp);
-  t.is(parseBuiltInLanguage("go"), BuiltInLanguage.go);
-  t.is(parseBuiltInLanguage("java"), BuiltInLanguage.java);
-  t.is(parseBuiltInLanguage("javascript"), BuiltInLanguage.javascript);
-  t.is(parseBuiltInLanguage("python"), BuiltInLanguage.python);
-  t.is(parseBuiltInLanguage("rust"), BuiltInLanguage.rust);
-
-  // Aliases
-  t.is(parseBuiltInLanguage("  \t\nCsHaRp\t\t"), BuiltInLanguage.csharp);
-  t.is(parseBuiltInLanguage("c"), BuiltInLanguage.cpp);
-  t.is(parseBuiltInLanguage("c++"), BuiltInLanguage.cpp);
-  t.is(parseBuiltInLanguage("kotlin"), BuiltInLanguage.java);
-  t.is(parseBuiltInLanguage("typescript"), BuiltInLanguage.javascript);
-
-  // spaces and case-insensitivity
-  t.is(parseBuiltInLanguage("  \t\nkOtLin\t\t"), BuiltInLanguage.java);
-
-  // Not matches
-  t.is(parseBuiltInLanguage(BuiltInLanguage.python), BuiltInLanguage.python);
-  t.is(parseBuiltInLanguage("foo"), undefined);
-  t.is(parseBuiltInLanguage(" "), undefined);
-  t.is(parseBuiltInLanguage(""), undefined);
-});
-
-test("isBuiltInLanguage matches the curated built-in language set", (t) => {
-  t.true(isBuiltInLanguage(BuiltInLanguage.actions));
-  t.true(isBuiltInLanguage(BuiltInLanguage.swift));
-  t.false(isBuiltInLanguage("typescript"));
-});
-
-test("BuiltInLanguage enum matches builtin.json", (t) => {
-  t.deepEqual(Object.values(BuiltInLanguage), knownLanguagesData.languages);
-});
@@ -1,57 +0,0 @@
-import knownLanguagesData from "./builtin.json";
-
-/** A language to analyze with CodeQL. */
-export type Language = string;
-
-/** A language built into the `defaults.json` CodeQL distribution. */
-export enum BuiltInLanguage {
-  actions = "actions",
-  cpp = "cpp",
-  csharp = "csharp",
-  go = "go",
-  java = "java",
-  javascript = "javascript",
-  python = "python",
-  ruby = "ruby",
-  rust = "rust",
-  swift = "swift",
-}
-
-/** Java-specific environment variable names that we may care about. */
-export enum JavaEnvVars {
-  JAVA_HOME = "JAVA_HOME",
-  JAVA_TOOL_OPTIONS = "JAVA_TOOL_OPTIONS",
-  JDK_JAVA_OPTIONS = "JDK_JAVA_OPTIONS",
-  _JAVA_OPTIONS = "_JAVA_OPTIONS",
-}
-
-const builtInLanguageSet = new Set<string>(knownLanguagesData.languages);
-
-export function isBuiltInLanguage(
-  language: string,
-): language is BuiltInLanguage {
-  return builtInLanguageSet.has(language);
-}
-
-/**
- * Parse a language input corresponding to a built-in language into its canonical CodeQL language
- * name.
- *
- * This uses the language aliases shipped with the Action and will not be able to resolve aliases
- * added by third-party CodeQL language support or versions of the CodeQL CLI newer than the one
- * mentioned in `defaults.json`. Therefore, this function should only be used when the CodeQL CLI is
- * not available.
- */
-export function parseBuiltInLanguage(
-  language: string,
-): BuiltInLanguage | undefined {
-  language = language.trim().toLowerCase();
-  language =
-    knownLanguagesData.aliases[
-      language as keyof typeof knownLanguagesData.aliases
-    ] ?? language;
-  if (isBuiltInLanguage(language)) {
-    return language;
-  }
-  return undefined;
-}
@@ -9,7 +9,7 @@ import * as actionsUtil from "../actions-util";
 import * as apiClient from "../api-client";
 import { ResolveDatabaseOutput } from "../codeql";
 import * as gitUtils from "../git-utils";
-import { BuiltInLanguage } from "../languages";
+import { KnownLanguage } from "../languages";
 import { getRunnerLogger } from "../logging";
 import {
  createTestConfig,
@@ -65,7 +65,7 @@ const testDownloadOverlayBaseDatabaseFromCache = test.macro({
      const testCase = { ...defaultDownloadTestCase, ...partialTestCase };
      const config = createTestConfig({
        dbLocation,
-        languages: [BuiltInLanguage.java],
+        languages: [KnownLanguage.java],
      });

      config.overlayDatabaseMode = testCase.overlayDatabaseMode;
@@ -6,7 +6,7 @@ import * as core from "@actions/core";
 import * as actionsUtil from "./actions-util";
 import { getGitHubVersion } from "./api-client";
 import { Feature, FeatureEnablement, initFeatures } from "./feature-flags";
-import { BuiltInLanguage, parseBuiltInLanguage } from "./languages";
+import { KnownLanguage } from "./languages";
 import { getActionsLogger, Logger } from "./logging";
 import { getRepositoryNwo } from "./repository";
 import {
@@ -14,6 +14,7 @@ import {
  getCredentials,
  getProxyBinaryPath,
  getSafeErrorMessage,
+  parseLanguage,
  ProxyInfo,
  sendFailedStatusReport,
  sendSuccessStatusReport,
@@ -32,7 +33,7 @@ async function run(startedAt: Date) {

  const logger = getActionsLogger();
  let features: FeatureEnablement | undefined;
-  let language: BuiltInLanguage | undefined;
+  let language: KnownLanguage | undefined;

  try {
    // Make inputs accessible in the `post` step.
@@ -55,7 +56,7 @@ async function run(startedAt: Date) {

    // Get the language input.
    const languageInput = actionsUtil.getOptionalInput("language");
-    language = languageInput ? parseBuiltInLanguage(languageInput) : undefined;
+    language = languageInput ? parseLanguage(languageInput) : undefined;

    // Query the FF for whether we should use the reduced registry mapping.
    const skipUnusedRegistries = await features.getValue(
@@ -111,14 +112,14 @@ async function run(startedAt: Date) {
      logger,
    );

-    // Perform best-effort checks that the private registries are reachable.
+    // Check that the private registries are reachable.
    await checkConnections(logger, proxyInfo);

    // Report success if we have reached this point.
    await sendSuccessStatusReport(
      startedAt,
      {
-        languages: language === undefined ? undefined : [language],
+        languages: language && [language],
      },
      proxyConfig.all_credentials.map((c) => c.type),
      logger,
@@ -198,7 +199,6 @@ async function startProxy(
    .map((credential) => ({
      type: credential.type,
      url: credential.url,
-      "replaces-base": credential["replaces-base"],
    }));
  core.setOutput("proxy_urls", JSON.stringify(registry_urls));

@@ -8,11 +8,10 @@ import sinon from "sinon";
 import * as apiClient from "./api-client";
 import * as defaults from "./defaults.json";
 import { setUpFeatureFlagTests } from "./feature-flags/testing-util";
-import { UnvalidatedObject, validateSchema } from "./json";
-import { makeFromSchema } from "./json/testing-util";
-import { BuiltInLanguage } from "./languages";
+import { KnownLanguage } from "./languages";
 import { getRunnerLogger, Logger } from "./logging";
 import * as startProxyExports from "./start-proxy";
+import { parseLanguage } from "./start-proxy";
 import * as statusReport from "./status-report";
 import {
  assertNotLogged,
@@ -233,7 +232,7 @@ test("getCredentials filters by language when specified", async (t) => {
    getRunnerLogger(true),
    undefined,
    toEncodedJSON(mixedCredentials),
-    BuiltInLanguage.java,
+    KnownLanguage.java,
  );
  t.is(credentials.length, 1);
  t.is(credentials[0].type, "maven_repository");
@@ -244,7 +243,7 @@ test("getCredentials returns all for a language when specified", async (t) => {
    getRunnerLogger(true),
    undefined,
    toEncodedJSON(mixedCredentials),
-    BuiltInLanguage.go,
+    KnownLanguage.go,
  );
  t.is(credentials.length, 2);

@@ -264,7 +263,7 @@ test("getCredentials returns all goproxy_servers for Go when specified", async (
    getRunnerLogger(true),
    undefined,
    toEncodedJSON(multipleGoproxyServers),
-    BuiltInLanguage.go,
+    KnownLanguage.go,
  );
  t.is(credentials.length, 3);

@@ -293,7 +292,7 @@ test("getCredentials returns all maven_repositories for Java when specified", as
    getRunnerLogger(true),
    undefined,
    toEncodedJSON(multipleMavenRepositories),
-    BuiltInLanguage.java,
+    KnownLanguage.java,
  );
  t.is(credentials.length, 2);

@@ -351,67 +350,144 @@ test("getCredentials throws an error when non-printable characters are used", as
  }
 });

-for (const oidcSchemaInfo of startProxyExports.oidcSchemas) {
-  test(`getCredentials throws when non-printable characters are used (${oidcSchemaInfo.name} OIDC)`, (t) => {
-    const validCredential = makeFromSchema(true, oidcSchemaInfo.schema);
-    for (const key of Object.keys(validCredential)) {
-      const invalidAuthConfig = {
-        ...validCredential,
-        [key]: "123\x00",
-      };
-      const invalidCredential: startProxyExports.RawCredential = {
-        type: "nuget_feed",
-        host: `${key}.nuget.pkg.github.com`,
-        ...invalidAuthConfig,
-      };
-      const credentialsInput = toEncodedJSON([invalidCredential]);
+const validAzureCredential: startProxyExports.AzureConfig = {
+  "tenant-id": "12345678-1234-1234-1234-123456789012",
+  "client-id": "abcdef01-2345-6789-abcd-ef0123456789",
+};

-      t.throws(
-        () =>
-          startProxyExports.getCredentials(
-            getRunnerLogger(true),
-            undefined,
-            credentialsInput,
-            undefined,
-          ),
-        {
-          message:
-            "Invalid credentials - fields must contain only printable characters",
-        },
-      );
-    }
-  });
-}
+const validAwsCredential: startProxyExports.AWSConfig = {
+  "aws-region": "us-east-1",
+  "account-id": "123456789012",
+  "role-name": "MY_ROLE",
+  domain: "MY_DOMAIN",
+  "domain-owner": "987654321098",
+  audience: "custom-audience",
+};
+
+const validJFrogCredential: startProxyExports.JFrogConfig = {
+  "jfrog-oidc-provider-name": "MY_PROVIDER",
+  audience: "jfrog-audience",
+  "identity-mapping-name": "my-mapping",
+};
+
+test("getCredentials throws an error when non-printable characters are used for Azure OIDC", (t) => {
+  for (const key of Object.keys(validAzureCredential)) {
+    const invalidAzureCredential = {
+      ...validAzureCredential,
+      [key]: "123\x00",
+    };
+    const invalidCredential: startProxyExports.RawCredential = {
+      type: "nuget_feed",
+      host: `${key}.nuget.pkg.github.com`,
+      ...invalidAzureCredential,
+    };
+    const credentialsInput = toEncodedJSON([invalidCredential]);
+
+    t.throws(
+      () =>
+        startProxyExports.getCredentials(
+          getRunnerLogger(true),
+          undefined,
+          credentialsInput,
+          undefined,
+        ),
+      {
+        message:
+          "Invalid credentials - fields must contain only printable characters",
+      },
+    );
+  }
+});
+
+test("getCredentials throws an error when non-printable characters are used for AWS OIDC", (t) => {
+  for (const key of Object.keys(validAwsCredential)) {
+    const invalidAwsCredential = {
+      ...validAwsCredential,
+      [key]: "123\x00",
+    };
+    const invalidCredential: startProxyExports.RawCredential = {
+      type: "nuget_feed",
+      host: `${key}.nuget.pkg.github.com`,
+      ...invalidAwsCredential,
+    };
+    const credentialsInput = toEncodedJSON([invalidCredential]);
+
+    t.throws(
+      () =>
+        startProxyExports.getCredentials(
+          getRunnerLogger(true),
+          undefined,
+          credentialsInput,
+          undefined,
+        ),
+      {
+        message:
+          "Invalid credentials - fields must contain only printable characters",
+      },
+    );
+  }
+});
+
+test("getCredentials throws an error when non-printable characters are used for JFrog OIDC", (t) => {
+  for (const key of Object.keys(validJFrogCredential)) {
+    const invalidJFrogCredential = {
+      ...validJFrogCredential,
+      [key]: "123\x00",
+    };
+    const invalidCredential: startProxyExports.RawCredential = {
+      type: "nuget_feed",
+      host: `${key}.nuget.pkg.github.com`,
+      ...invalidJFrogCredential,
+    };
+    const credentialsInput = toEncodedJSON([invalidCredential]);
+
+    t.throws(
+      () =>
+        startProxyExports.getCredentials(
+          getRunnerLogger(true),
+          undefined,
+          credentialsInput,
+          undefined,
+        ),
+      {
+        message:
+          "Invalid credentials - fields must contain only printable characters",
+      },
+    );
+  }
+});

 test("getCredentials accepts OIDC configurations", (t) => {
-  const oidcConfigurations = startProxyExports.oidcSchemas.map(
-    (schemaInfo) => ({
+  const oidcConfigurations = [
+    {
      type: "nuget_feed",
-      host: `${schemaInfo.name.toLowerCase()}.pkg.github.com`,
-      ...makeFromSchema(true, schemaInfo.schema),
-    }),
-  );
+      host: "azure.pkg.github.com",
+      ...validAzureCredential,
+    },
+    {
+      type: "nuget_feed",
+      host: "aws.pkg.github.com",
+      ...validAwsCredential,
+    },
+    {
+      type: "nuget_feed",
+      host: "jfrog.pkg.github.com",
+      ...validJFrogCredential,
+    },
+  ];

  const credentials = startProxyExports.getCredentials(
    getRunnerLogger(true),
    undefined,
    toEncodedJSON(oidcConfigurations),
-    BuiltInLanguage.csharp,
+    KnownLanguage.csharp,
  );
-  t.is(credentials.length, startProxyExports.oidcSchemas.length);
+  t.is(credentials.length, 3);

  t.assert(credentials.every((c) => c.type === "nuget_feed"));
-
-  for (const oidcSchemaInfo of startProxyExports.oidcSchemas) {
-    t.assert(
-      credentials.some((c) =>
-        validateSchema(
-          oidcSchemaInfo.schema,
-          c as unknown as UnvalidatedObject<any>,
-        ),
-      ),
-    );
-  }
+  t.assert(credentials.some((c) => startProxyExports.isAzureConfig(c)));
+  t.assert(credentials.some((c) => startProxyExports.isAWSConfig(c)));
+  t.assert(credentials.some((c) => startProxyExports.isJFrogConfig(c)));
 });

 const getCredentialsMacro = test.macro({
@@ -457,7 +533,7 @@ test(
    t.is(results[0].type, "git_server");
    t.is(results[0].host, "https://github.com/");

-    if (startProxyExports.hasUsernameAndPassword(results[0])) {
+    if (startProxyExports.isUsernamePassword(results[0])) {
      t.assert(results[0].password?.startsWith("ghp_"));
    } else {
      t.fail("Expected a `UsernamePassword`-based credential.");
@@ -488,7 +564,7 @@ test(
    t.is(results[0].type, "git_server");
    t.is(results[0].host, "https://github.com/");

-    if (startProxyExports.hasUsernameAndPassword(results[0])) {
+    if (startProxyExports.isUsernamePassword(results[0])) {
      t.assert(results[0].password?.startsWith("ghp_"));
    } else {
      t.fail("Expected a `UsernamePassword`-based credential.");
@@ -564,76 +640,6 @@ test(
  },
 );

-test("getCredentials validates 'replaces-base' correctly", async (t) => {
-  // Valid cases.
-  const credentialsInput = toEncodedJSON([
-    {
-      type: "maven_repository",
-      host: "maven1.pkg.github.com",
-      token: "abc",
-      "replaces-base": false,
-    },
-    {
-      type: "maven_repository",
-      host: "maven2.pkg.github.com",
-      token: "def",
-      "replaces-base": true,
-    },
-    {
-      type: "maven_repository",
-      host: "maven3.pkg.github.com",
-      token: "ghi",
-    },
-  ]);
-
-  const credentials = startProxyExports.getCredentials(
-    getRunnerLogger(true),
-    undefined,
-    credentialsInput,
-    BuiltInLanguage.java,
-    false,
-  );
-
-  t.is(credentials.length, 3);
-  t.true(credentials.some((c) => c["replaces-base"] === true));
-  t.true(credentials.some((c) => c["replaces-base"] === false));
-  t.true(credentials.some((c) => c["replaces-base"] === undefined));
-
-  // Invalid cases.
-  const baseInvalid = {
-    type: "maven_repository",
-    host: "maven4.pkg.github.com",
-    token: "jkl",
-  };
-  t.throws(() =>
-    startProxyExports.getCredentials(
-      getRunnerLogger(true),
-      undefined,
-      toEncodedJSON([{ ...baseInvalid, "replaces-base": null }]),
-      BuiltInLanguage.actions,
-      false,
-    ),
-  );
-  t.throws(() =>
-    startProxyExports.getCredentials(
-      getRunnerLogger(true),
-      undefined,
-      toEncodedJSON([{ ...baseInvalid, "replaces-base": 123 }]),
-      BuiltInLanguage.actions,
-      false,
-    ),
-  );
-  t.throws(() =>
-    startProxyExports.getCredentials(
-      getRunnerLogger(true),
-      undefined,
-      toEncodedJSON([{ ...baseInvalid, "replaces-base": "true" }]),
-      BuiltInLanguage.actions,
-      false,
-    ),
-  );
-});
-
 test("getCredentials returns all credentials for Actions when using LANGUAGE_TO_REGISTRY_TYPE", async (t) => {
  const credentialsInput = toEncodedJSON(mixedCredentials);

@@ -641,7 +647,7 @@ test("getCredentials returns all credentials for Actions when using LANGUAGE_TO_
    getRunnerLogger(true),
    undefined,
    credentialsInput,
-    BuiltInLanguage.actions,
+    KnownLanguage.actions,
    false,
  );
  t.is(credentials.length, mixedCredentials.length);
@@ -654,12 +660,39 @@ test("getCredentials returns no credentials for Actions when using NEW_LANGUAGE_
    getRunnerLogger(true),
    undefined,
    credentialsInput,
-    BuiltInLanguage.actions,
+    KnownLanguage.actions,
    true,
  );
  t.deepEqual(credentials, []);
 });

+test("parseLanguage", async (t) => {
+  // Exact matches
+  t.deepEqual(parseLanguage("csharp"), KnownLanguage.csharp);
+  t.deepEqual(parseLanguage("cpp"), KnownLanguage.cpp);
+  t.deepEqual(parseLanguage("go"), KnownLanguage.go);
+  t.deepEqual(parseLanguage("java"), KnownLanguage.java);
+  t.deepEqual(parseLanguage("javascript"), KnownLanguage.javascript);
+  t.deepEqual(parseLanguage("python"), KnownLanguage.python);
+  t.deepEqual(parseLanguage("rust"), KnownLanguage.rust);
+
+  // Aliases
+  t.deepEqual(parseLanguage("c"), KnownLanguage.cpp);
+  t.deepEqual(parseLanguage("c++"), KnownLanguage.cpp);
+  t.deepEqual(parseLanguage("c#"), KnownLanguage.csharp);
+  t.deepEqual(parseLanguage("kotlin"), KnownLanguage.java);
+  t.deepEqual(parseLanguage("typescript"), KnownLanguage.javascript);
+
+  // spaces and case-insensitivity
+  t.deepEqual(parseLanguage("  \t\nCsHaRp\t\t"), KnownLanguage.csharp);
+  t.deepEqual(parseLanguage("  \t\nkOtLin\t\t"), KnownLanguage.java);
+
+  // Not matches
+  t.deepEqual(parseLanguage("foo"), undefined);
+  t.deepEqual(parseLanguage(" "), undefined);
+  t.deepEqual(parseLanguage(""), undefined);
+});
+
 function mockGetApiClient(endpoints: any) {
  return (
    sinon
@@ -18,18 +18,27 @@ import {
  FeatureEnablement,
 } from "./feature-flags";
 import * as json from "./json";
-import { BuiltInLanguage } from "./languages";
+import * as knownLanguageAliases from "./known-language-aliases.json";
+import { KnownLanguage } from "./languages";
 import { Logger } from "./logging";
 import {
  Address,
  Registry,
  Credential,
-  hasToken,
-  hasUsernameAndPassword,
+  AuthConfig,
+  isToken,
+  isAzureConfig,
+  Token,
+  UsernamePassword,
+  AzureConfig,
+  isAWSConfig,
+  AWSConfig,
+  isJFrogConfig,
+  JFrogConfig,
+  isUsernamePassword,
  hasUsername,
  RawCredential,
 } from "./start-proxy/types";
-import { getAuthConfig } from "./start-proxy/validation";
 import {
  ActionName,
  createStatusReportBase,
@@ -148,7 +157,7 @@ export function getSafeErrorMessage(error: Error): string {
 export async function sendFailedStatusReport(
  logger: Logger,
  startedAt: Date,
-  language: BuiltInLanguage | undefined,
+  language: KnownLanguage | undefined,
  unwrappedError: unknown,
 ) {
  const error = util.wrapError(unwrappedError);
@@ -164,7 +173,7 @@ export async function sendFailedStatusReport(
    getActionsStatus(error),
    startedAt,
    {
-      languages: language === undefined ? undefined : [language],
+      languages: language && [language],
    },
    await util.checkDiskUsage(logger),
    logger,
@@ -180,6 +189,35 @@ export const UPDATEJOB_PROXY_VERSION = "v2.0.20250624110901";
 const UPDATEJOB_PROXY_URL_PREFIX =
  "https://github.com/github/codeql-action/releases/download/codeql-bundle-v2.22.0/";

+/**
+ * Parse the start-proxy language input into its canonical CodeQL language name.
+ *
+ * This uses the language aliases shipped with the Action and will not be able to resolve aliases
+ * added by versions of the CodeQL CLI newer than the one mentioned in `defaults.json`. However,
+ * this is sufficient for the start-proxy Action since we are already specifying proxy
+ * configurations on a per-language basis.
+ */
+export function parseLanguage(language: string): KnownLanguage | undefined {
+  // Normalize to lower case
+  language = language.trim().toLowerCase();
+
+  // See if it's an exact match
+  if (Object.hasOwn(KnownLanguage, language)) {
+    return language as KnownLanguage;
+  }
+
+  // Check language aliases
+  if (Object.hasOwn(knownLanguageAliases, language)) {
+    language =
+      knownLanguageAliases[language as keyof typeof knownLanguageAliases];
+    if (Object.hasOwn(KnownLanguage, language)) {
+      return language as KnownLanguage;
+    }
+  }
+
+  return undefined;
+}
+
 function isPAT(value: string) {
  return artifactScanner.isAuthToken(value, [
    artifactScanner.GITHUB_PAT_CLASSIC_PATTERN,
@@ -187,7 +225,7 @@ function isPAT(value: string) {
  ]);
 }

-type RegistryMapping = Partial<Record<BuiltInLanguage, string[]>>;
+type RegistryMapping = Partial<Record<KnownLanguage, string[]>>;

 const LANGUAGE_TO_REGISTRY_TYPE: RegistryMapping = {
  java: ["maven_repository"],
@@ -243,6 +281,75 @@ function getRegistryAddress(
  }
 }

+/** Extracts an `AuthConfig` value from `config`. */
+export function getAuthConfig(
+  config: json.UnvalidatedObject<AuthConfig>,
+): AuthConfig {
+  // Start by checking for the OIDC configurations, since they have required properties
+  // which we can use to identify them.
+  if (isAzureConfig(config)) {
+    return {
+      "tenant-id": config["tenant-id"],
+      "client-id": config["client-id"],
+    } satisfies AzureConfig;
+  } else if (isAWSConfig(config)) {
+    return {
+      "aws-region": config["aws-region"],
+      "account-id": config["account-id"],
+      "role-name": config["role-name"],
+      domain: config.domain,
+      "domain-owner": config["domain-owner"],
+      audience: config.audience,
+    } satisfies AWSConfig;
+  } else if (isJFrogConfig(config)) {
+    return {
+      "jfrog-oidc-provider-name": config["jfrog-oidc-provider-name"],
+      "identity-mapping-name": config["identity-mapping-name"],
+      audience: config.audience,
+    } satisfies JFrogConfig;
+  } else if (isToken(config)) {
+    // There are three scenarios for non-OIDC authentication based on the registry type:
+    //
+    // 1. `username`+`token`
+    // 2. A `token` that combines the username and actual token, separated by ':'.
+    // 3. `username`+`password`
+    //
+    // In all three cases, all fields are optional. If the `token` field is present,
+    // we accept the configuration as a `Token` typed configuration, with the `token`
+    // value and an optional `username`. Otherwise, we accept the configuration
+    // typed as `UsernamePassword` (in the `else` clause below) with optional
+    // username and password. I.e. a private registry type that uses 1. or 2.,
+    // but has no `token` configured, will get accepted as `UsernamePassword` here.
+
+    if (isDefined(config.token)) {
+      // Mask token to reduce chance of accidental leakage in logs, if we have one.
+      core.setSecret(config.token);
+    }
+
+    return { username: config.username, token: config.token } satisfies Token;
+  } else {
+    let username: string | undefined = undefined;
+    let password: string | undefined = undefined;
+
+    // Both "username" and "password" are optional. If we have reached this point, we need
+    // to validate which of them are present and that they have the correct type if so.
+    if ("password" in config && json.isString(config.password)) {
+      // Mask password to reduce chance of accidental leakage in logs, if we have one.
+      core.setSecret(config.password);
+      password = config.password;
+    }
+    if ("username" in config && json.isString(config.username)) {
+      username = config.username;
+    }
+
+    // Return the `UsernamePassword` object. Both username and password may be undefined.
+    return {
+      username,
+      password,
+    } satisfies UsernamePassword;
+  }
+}
+
 // getCredentials returns registry credentials from action inputs.
 // It prefers `registries_credentials` over `registry_secrets`.
 // If neither is set, it returns an empty array.
@@ -250,7 +357,7 @@ export function getCredentials(
  logger: Logger,
  registrySecrets: string | undefined,
  registriesCredentials: string | undefined,
-  language: BuiltInLanguage | undefined,
+  language: KnownLanguage | undefined,
  skipUnusedRegistries: boolean = false,
 ): Credential[] {
  const registryMapping = skipUnusedRegistries
@@ -331,11 +438,11 @@ export function getCredentials(
    const noUsername =
      !hasUsername(authConfig) || !isDefined(authConfig.username);
    const passwordIsPAT =
-      hasUsernameAndPassword(authConfig) &&
+      isUsernamePassword(authConfig) &&
      isDefined(authConfig.password) &&
      isPAT(authConfig.password);
    const tokenIsPAT =
-      hasToken(authConfig) &&
+      isToken(authConfig) &&
      isDefined(authConfig.token) &&
      isPAT(authConfig.token);

@@ -347,25 +454,8 @@ export function getCredentials(
      );
    }

-    // Construct the base credential object.
-    const baseCredential: Omit<Registry, keyof Address> = { type: e.type };
-
-    // If "replaces-base" is present, it must be a boolean.
-    if ("replaces-base" in e) {
-      if (
-        isDefined(e["replaces-base"]) &&
-        typeof e["replaces-base"] === "boolean"
-      ) {
-        baseCredential["replaces-base"] = e["replaces-base"];
-      } else {
-        throw new ConfigurationError(
-          "Invalid credentials - 'replaces-base' must be a boolean",
-        );
-      }
-    }
-
    out.push({
-      ...baseCredential,
+      type: e.type,
      ...authConfig,
      ...address,
    });
@@ -7,7 +7,7 @@ import * as io from "@actions/io";
 import test, { ExecutionContext } from "ava";
 import sinon from "sinon";

-import { JavaEnvVars, BuiltInLanguage } from "../languages";
+import { JavaEnvVars, KnownLanguage } from "../languages";
 import {
  checkExpectedLogMessages,
  getRecordingLogger,
@@ -182,11 +182,11 @@ test.serial("checkProxyEnvVars - credentials are removed from URLs", (t) => {
 });

 test.serial(
-  "checkProxyEnvironment - includes base checks for all built-in languages",
+  "checkProxyEnvironment - includes base checks for all known languages",
  async (t) => {
    stubToolrunner();

-    for (const language of Object.values(BuiltInLanguage)) {
+    for (const language of Object.values(KnownLanguage)) {
      const messages: LoggedMessage[] = [];
      const logger = getRecordingLogger(messages);

@@ -204,7 +204,7 @@ test.serial(

    stubToolrunner();

-    await checkProxyEnvironment(logger, BuiltInLanguage.java);
+    await checkProxyEnvironment(logger, KnownLanguage.java);
    assertEnvVarLogMessages(t, Object.keys(ProxyEnvVars), messages, false);
    assertEnvVarLogMessages(t, JAVA_PROXY_ENV_VARS, messages, false);
  },
@@ -4,7 +4,7 @@ import * as path from "path";
 import * as toolrunner from "@actions/exec/lib/toolrunner";
 import * as io from "@actions/io";

-import { JavaEnvVars, BuiltInLanguage, Language } from "../languages";
+import { JavaEnvVars, KnownLanguage, Language } from "../languages";
 import { Logger } from "../logging";
 import { getErrorMessage, isDefined } from "../util";

@@ -196,7 +196,7 @@ export async function checkProxyEnvironment(

  // Check language-specific configurations. If we don't know the language,
  // then we perform all checks.
-  if (language === undefined || language === BuiltInLanguage.java) {
+  if (language === undefined || language === KnownLanguage.java) {
    checkJavaEnvVars(logger);

    await showJavaSettings(logger);
@@ -8,7 +8,6 @@ import {
 } from "./../testing-utils";
 import {
  checkConnections,
-  connectionTestConfig,
  ReachabilityBackend,
  ReachabilityError,
 } from "./reachability";
@@ -119,34 +118,3 @@ test("checkConnections - handles invalid URLs", async (t) => {
    `Finished testing connections`,
  ]);
 });
-
-test("checkConnections - appends extra paths", async (t) => {
-  const backend = new MockReachabilityBackend();
-  const checkConnection = sinon.stub(backend, "checkConnection").resolves(200);
-
-  const messages = await withRecordingLoggerAsync(async (logger) => {
-    await checkConnections(
-      logger,
-      {
-        ...proxyInfo,
-        registries: [{ ...nugetFeed, url: "https://api.nuget.org/" }],
-      },
-      backend,
-    );
-  });
-  checkExpectedLogMessages(t, messages, [
-    `Testing connection to https://api.nuget.org/`,
-    `Successfully tested connection to https://api.nuget.org/`,
-    `Finished testing connections`,
-  ]);
-
-  t.true(
-    checkConnection.calledWith(
-      sinon.match(
-        new URL(
-          `https://api.nuget.org/${connectionTestConfig["nuget_feed"]?.path}`,
-        ),
-      ),
-    ),
-  );
-});
@@ -2,41 +2,11 @@ import * as https from "https";

 import { HttpsProxyAgent } from "https-proxy-agent";

-import { DocUrl } from "../doc-url";
 import { Logger } from "../logging";
 import { getErrorMessage } from "../util";

 import { getAddressString, ProxyInfo, Registry } from "./types";

-/** Represents registry-specific connection test configurations. */
-export interface ConnectionTestConfig {
-  /** An optional path to append to the end of the base url. */
-  path?: string;
-}
-
-/** A partial mapping of registry types to extra connection test configurations. */
-export const connectionTestConfig: Partial<
-  Record<string, ConnectionTestConfig>
-> = {
-  nuget_feed: { path: "v3/index.json" },
-};
-
-/**
- * Applies the registry-specific check configuration to the base URL, if any and applicable.
- */
-export function makeTestUrl(
-  config: ConnectionTestConfig | undefined,
-  base: URL,
-): URL {
-  if (config?.path === undefined) {
-    return base;
-  }
-  if (base.pathname.endsWith(config.path)) {
-    return base;
-  }
-  return new URL(config.path, base);
-}
-
 export class ReachabilityError extends Error {
  constructor(public readonly statusCode?: number | undefined) {
    super();
@@ -71,7 +41,7 @@ class NetworkReachabilityBackend implements ReachabilityBackend {
        url,
        {
          agent: this.agent,
-          method: "GET",
+          method: "HEAD",
          ca: this.proxy.cert,
          timeout: 5 * 1000, // 5 seconds
        },
@@ -115,13 +85,6 @@ export async function checkConnections(
  // Don't do anything if there are no registries.
  if (proxy.registries.length === 0) return result;

-  // Start a log group and print a message with a disclaimer with a link to the
-  // relevant documentation that these checks are a best-effort process.
-  logger.startGroup("Testing connections via the proxy");
-  logger.info(
-    `The connection tests performed here are best-effort only and failures here may not affect the subsequent analysis. See ${DocUrl.PRIVATE_REGISTRY_LOGS} for more information.`,
-  );
-
  try {
    // Initialise a networking backend if no backend was provided.
    if (backend === undefined) {
@@ -129,7 +92,6 @@ export async function checkConnections(
    }

    for (const registry of proxy.registries) {
-      const config = connectionTestConfig[registry.type];
      const address = getAddressString(registry);
      const url = URL.parse(address);

@@ -140,11 +102,9 @@ export async function checkConnections(
        continue;
      }

-      const testUrl = makeTestUrl(config, url);
-
      try {
        logger.debug(`Testing connection to ${url}...`);
-        const statusCode = await backend.checkConnection(testUrl);
+        const statusCode = await backend.checkConnection(url);

        logger.info(`Successfully tested connection to ${url} (${statusCode})`);
        result.add(registry);
@@ -166,6 +126,5 @@ export async function checkConnections(
    );
  }

-  logger.endGroup();
  return result;
 }
@@ -1,6 +1,5 @@
 import test from "ava";

-import { makeFromSchema, withSchemaMatrix } from "../json/testing-util";
 import { setupTests } from "../testing-utils";

 import * as types from "./types";
@@ -27,38 +26,6 @@ const validJFrogCredential: types.JFrogConfig = {
  "identity-mapping-name": "my-mapping",
 };

-test("hasUsername", (t) => {
-  // Reject the case where `username` is missing.
-  t.false(types.hasUsername({}));
-
-  // Test all cases where `username` is present.
-  withSchemaMatrix(
-    t,
-    types.usernameSchema,
-    { excludeAbsent: true },
-    (value) => {
-      t.true(types.hasUsername(value));
-    },
-  );
-});
-
-test("hasUsernameAndPassword", (t) => {
-  // Reject cases where `username` or `password` are missing.
-  t.false(types.hasUsernameAndPassword({}));
-  t.false(types.hasUsernameAndPassword({ username: "foo" }));
-  t.false(types.hasUsernameAndPassword({ password: "foo" }));
-
-  // Test all cases where both `username` and `password` are present.
-  withSchemaMatrix(
-    t,
-    types.usernamePasswordSchema,
-    { excludeAbsent: true },
-    (value) => {
-      t.true(types.hasUsernameAndPassword(value));
-    },
-  );
-});
-
 test("credentialToStr - pretty-prints valid username+password configurations", (t) => {
  const secret = "password123";
  const credential: types.Credential = {
@@ -140,46 +107,13 @@ test("credentialToStr - pretty-prints valid JFrog OIDC configurations", (t) => {
  );
 });

-test("credentialToStr - pretty-prints valid Cloudsmith OIDC configurations", (t) => {
-  const credential: types.Credential = {
-    type: "maven_credential",
-    url: "https://localhost",
-    ...(makeFromSchema(
-      true,
-      types.cloudsmithConfigSchema,
-    ) as types.CloudsmithConfig),
-  };
-
-  const str = types.credentialToStr(credential);
-
-  t.is(
-    "Type: maven_credential; Url: https://localhost; Cloudsmith Namespace: value-for-namespace; Cloudsmith Service Slug: value-for-service-slug; Cloudsmith API Host: value-for-api-host;",
-    str,
-  );
-});
-
-test("credentialToStr - pretty-prints valid GCP OIDC configurations", (t) => {
-  const credential: types.Credential = {
-    type: "maven_credential",
-    url: "https://localhost",
-    ...(makeFromSchema(true, types.gcpConfigSchema) as types.GCPConfig),
-  };
-
-  const str = types.credentialToStr(credential);
-
-  t.is(
-    "Type: maven_credential; Url: https://localhost; GCP Workload Identity Provider: value-for-workload-identity-provider; GCP Service Account: value-for-service-account; GCP Audience: value-for-audience;",
-    str,
-  );
-});
-
 test("credentialToStr - hides passwords", (t) => {
  const secret = "password123";
  const credential = {
    type: "maven_credential",
    password: secret,
    url: "https://localhost",
-  } satisfies types.Credential;
+  };

  const str = types.credentialToStr(credential);

@@ -193,7 +127,7 @@ test("credentialToStr - hides tokens", (t) => {
    type: "maven_credential",
    token: secret,
    url: "https://localhost",
-  } satisfies types.Credential;
+  };

  const str = types.credentialToStr(credential);

@@ -9,177 +9,144 @@ import { isDefined } from "../util";
 */
 export type RawCredential = UnvalidatedObject<Credential>;

-/** A schema for credential objects with a username. */
-export const usernameSchema = {
-  /** The username needed to authenticate to the package registry, if any. */
-  username: json.optional(json.string),
-} as const satisfies json.Schema;
-
 /** Usernames may be present for both authentication with tokens or passwords. */
-export type Username = json.FromSchema<typeof usernameSchema>;
+export type Username = {
+  /** The username needed to authenticate to the package registry, if any. */
+  username?: string;
+};

-/**
- * Narrows `config` to `Username` if `config` has a `username` property.
- * Not used for validation. Assumes that `config` is already a validated `AuthConfig`.
- */
+/** Decides whether `config` has a username. */
 export function hasUsername(config: AuthConfig): config is Username {
  return "username" in config;
 }

-/** A schema for credential objects with a username and password. */
-export const usernamePasswordSchema = {
-  /** The password needed to authenticate to the package registry, if any. */
-  password: json.optional(json.string),
-  ...usernameSchema,
-} as const satisfies json.Schema;
-
 /**
 * Fields expected for authentication based on a username and password.
 * Both username and password are optional.
 */
-export type UsernamePassword = json.FromSchema<typeof usernamePasswordSchema>;
+export type UsernamePassword = {
+  /** The password needed to authenticate to the package registry, if any. */
+  password?: string;
+} & Username;

-/**
- * Narrows `config` to `UsernamePassword` if it has a `username` and `password` property.
- * Not used for validation. Assumes that `config` is already a validated `AuthConfig`.
- */
-export function hasUsernameAndPassword(
+/** Decides whether `config` is based on a username and password. */
+export function isUsernamePassword(
  config: AuthConfig,
 ): config is UsernamePassword {
  return hasUsername(config) && "password" in config;
 }

-/** A schema for credential objects for token-based authentication. */
-export const tokenSchema = {
-  /** The token needed to authenticate to the package registry, if any. */
-  token: json.optional(json.string),
-  ...usernameSchema,
-} as const satisfies json.Schema;
-
 /**
 * Fields expected for token-based authentication.
 * Both username and token are optional.
 */
-export type Token = json.FromSchema<typeof tokenSchema>;
-
-/**
- * Narrows `config` to `Token` if it has a `token` property.
- * Not used for validation. Assumes that `config` is already a validated `AuthConfig`.
- */
-export function hasToken(config: AuthConfig): config is Token {
-  return "token" in config;
-}
+export type Token = {
+  /** The token needed to authenticate to the package registry, if any. */
+  token?: string;
+} & Username;

 /** Decides whether `config` is token-based. */
 export function isToken(
  config: UnvalidatedObject<AuthConfig>,
 ): config is Token {
-  return "token" in config && json.validateSchema(tokenSchema, config);
+  // The "username" field is optional, but should be a string if present.
+  if ("username" in config && !json.isStringOrUndefined(config.username)) {
+    return false;
+  }
+
+  // The "token" field is required, and must be a string or undefined.
+  return "token" in config && json.isStringOrUndefined(config.token);
 }

-/** A schema for Azure OIDC configurations. */
-export const azureConfigSchema = {
-  "tenant-id": json.string,
-  "client-id": json.string,
-} as const satisfies json.Schema;
-
 /** Configuration for Azure OIDC. */
-export type AzureConfig = json.FromSchema<typeof azureConfigSchema>;
+export type AzureConfig = { "tenant-id": string; "client-id": string };

 /** Decides whether `config` is an Azure OIDC configuration. */
 export function isAzureConfig(
  config: UnvalidatedObject<AuthConfig>,
 ): config is AzureConfig {
-  return json.validateSchema(azureConfigSchema, config);
+  return (
+    "tenant-id" in config &&
+    "client-id" in config &&
+    isDefined(config["tenant-id"]) &&
+    isDefined(config["client-id"]) &&
+    json.isString(config["tenant-id"]) &&
+    json.isString(config["client-id"])
+  );
 }

-/** A schema for AWS OIDC configurations. */
-export const awsConfigSchema = {
-  "aws-region": json.string,
-  "account-id": json.string,
-  "role-name": json.string,
-  domain: json.string,
-  "domain-owner": json.string,
-  audience: json.optional(json.string),
-} as const satisfies json.Schema;
-
 /** Configuration for AWS OIDC. */
-export type AWSConfig = json.FromSchema<typeof awsConfigSchema>;
+export type AWSConfig = {
+  "aws-region": string;
+  "account-id": string;
+  "role-name": string;
+  domain: string;
+  "domain-owner": string;
+  audience?: string;
+};

 /** Decides whether `config` is an AWS OIDC configuration. */
 export function isAWSConfig(
  config: UnvalidatedObject<AuthConfig>,
 ): config is AWSConfig {
-  return json.validateSchema(awsConfigSchema, config);
+  // All of these properties are required.
+  const requiredProperties = [
+    "aws-region",
+    "account-id",
+    "role-name",
+    "domain",
+    "domain-owner",
+  ];
+
+  for (const property of requiredProperties) {
+    if (
+      !(property in config) ||
+      !isDefined(config[property]) ||
+      !json.isString(config[property])
+    ) {
+      return false;
+    }
+  }
+
+  // The "audience" field is optional, but should be a string if present.
+  if ("audience" in config && !json.isStringOrUndefined(config.audience)) {
+    return false;
+  }
+
+  return true;
 }

-/** A schema for JFrog OIDC configurations. */
-export const jfrogConfigSchema = {
-  "jfrog-oidc-provider-name": json.string,
-  audience: json.optional(json.string),
-  "identity-mapping-name": json.optional(json.string),
-} as const satisfies json.Schema;
-
 /** Configuration for JFrog OIDC. */
-export type JFrogConfig = json.FromSchema<typeof jfrogConfigSchema>;
+export type JFrogConfig = {
+  "jfrog-oidc-provider-name": string;
+  audience?: string;
+  "identity-mapping-name"?: string;
+};

 /** Decides whether `config` is a JFrog OIDC configuration. */
 export function isJFrogConfig(
  config: UnvalidatedObject<AuthConfig>,
 ): config is JFrogConfig {
-  return json.validateSchema(jfrogConfigSchema, config);
+  // The "audience" and "identity-mapping-name" fields are optional, but should be strings if present.
+  if ("audience" in config && !json.isStringOrUndefined(config.audience)) {
+    return false;
+  }
+  if (
+    "identity-mapping-name" in config &&
+    !json.isStringOrUndefined(config["identity-mapping-name"])
+  ) {
+    return false;
+  }
+
+  return (
+    "jfrog-oidc-provider-name" in config &&
+    isDefined(config["jfrog-oidc-provider-name"]) &&
+    json.isString(config["jfrog-oidc-provider-name"])
+  );
 }

-/** A schema for Cloudsmith OIDC configurations. */
-export const cloudsmithConfigSchema = {
-  namespace: json.string,
-  "service-slug": json.string,
-  "api-host": json.string,
-} as const satisfies json.Schema;
-
-/** Configuration for Cloudsmith OIDC. */
-export type CloudsmithConfig = json.FromSchema<typeof cloudsmithConfigSchema>;
-
-/** Decides whether `config` is a Cloudsmith OIDC configuration. */
-export function isCloudsmithConfig(
-  config: UnvalidatedObject<AuthConfig>,
-): config is CloudsmithConfig {
-  return json.validateSchema(cloudsmithConfigSchema, config);
-}
-
-/** A schema for GCP OIDC configurations. */
-export const gcpConfigSchema = {
-  "workload-identity-provider": json.string,
-  "service-account": json.optional(json.string),
-  audience: json.optional(json.string),
-} as const satisfies json.Schema;
-
-/** Configuration for GCP OIDC. */
-export type GCPConfig = json.FromSchema<typeof gcpConfigSchema>;
-
-/** Decides whether `config` is a GCP OIDC configuration. */
-export function isGCPConfig(
-  config: UnvalidatedObject<AuthConfig>,
-): config is GCPConfig {
-  return json.validateSchema(gcpConfigSchema, config);
-}
-
-/** An array of all OIDC configuration schemas along with output-friendly names. */
-export const oidcSchemas = [
-  { schema: azureConfigSchema, name: "Azure" },
-  { schema: awsConfigSchema, name: "AWS" },
-  { schema: jfrogConfigSchema, name: "JFrog" },
-  { schema: cloudsmithConfigSchema, name: "Cloudsmith" },
-  { schema: gcpConfigSchema, name: "GCP" },
-];
-
 /** Represents all supported OIDC configurations. */
-export type OIDC =
-  | AzureConfig
-  | AWSConfig
-  | JFrogConfig
-  | CloudsmithConfig
-  | GCPConfig;
+export type OIDC = AzureConfig | AWSConfig | JFrogConfig;

 /** All authentication-related fields. */
 export type AuthConfig = UsernamePassword | Token | OIDC;
@@ -198,7 +165,7 @@ export type Credential = AuthConfig & Registry;
 export function credentialToStr(credential: Credential): string {
  let result: string = `Type: ${credential.type};`;

-  const appendIfDefined = (name: string, val: string | undefined | null) => {
+  const appendIfDefined = (name: string, val: string | undefined) => {
    if (isDefined(val)) {
      result += ` ${name}: ${val};`;
    }
@@ -217,7 +184,7 @@ export function credentialToStr(credential: Credential): string {
      isDefined(credential.password) ? "***" : undefined,
    );
  }
-  if (hasToken(credential)) {
+  if (isToken(credential)) {
    appendIfDefined("Token", isDefined(credential.token) ? "***" : undefined);
  }

@@ -238,17 +205,6 @@ export function credentialToStr(credential: Credential): string {
      credential["identity-mapping-name"],
    );
    appendIfDefined("JFrog Audience", credential.audience);
-  } else if (isCloudsmithConfig(credential)) {
-    appendIfDefined("Cloudsmith Namespace", credential.namespace);
-    appendIfDefined("Cloudsmith Service Slug", credential["service-slug"]);
-    appendIfDefined("Cloudsmith API Host", credential["api-host"]);
-  } else if (isGCPConfig(credential)) {
-    appendIfDefined(
-      "GCP Workload Identity Provider",
-      credential["workload-identity-provider"],
-    );
-    appendIfDefined("GCP Service Account", credential["service-account"]);
-    appendIfDefined("GCP Audience", credential.audience);
  }

  return result;
@@ -258,8 +214,6 @@ export function credentialToStr(credential: Credential): string {
 export type Registry = {
  /** The type of the package registry. */
  type: string;
-  /** Whether the registry replaces the base registry for the ecosystem. */
-  "replaces-base"?: boolean;
 } & Address;

 // If a registry has an `url`, then that takes precedence over the `host` which may or may
@@ -1,69 +0,0 @@
-import test from "ava";
-
-import * as json from "../json";
-import { makeFromSchema } from "../json/testing-util";
-import { setupTests } from "../testing-utils";
-
-import * as types from "./types";
-import { getAuthConfig } from "./validation";
-
-setupTests(test);
-
-for (const schemaTest of types.oidcSchemas) {
-  for (const includeOptional of [true, false]) {
-    const minimalName = includeOptional ? "full" : "minimal";
-
-    test(`getAuthConfig - ${schemaTest.name} - ${minimalName}`, async (t) => {
-      const config = makeFromSchema(includeOptional, schemaTest.schema);
-
-      t.deepEqual(
-        getAuthConfig({
-          ...config,
-          unexpected: "unexpected-value",
-        } as unknown as json.UnvalidatedObject<types.AuthConfig>),
-        config,
-      );
-    });
-  }
-}
-
-test("getAuthConfig - token", async (t) => {
-  const config = makeFromSchema(true, types.tokenSchema);
-
-  t.deepEqual(
-    getAuthConfig({
-      ...config,
-      unexpected: "unexpected-value",
-    } as json.UnvalidatedObject<types.AuthConfig>),
-    config,
-  );
-});
-
-test("getAuthConfig - username and password", async (t) => {
-  const config = makeFromSchema(true, types.usernamePasswordSchema);
-
-  t.deepEqual(
-    getAuthConfig({
-      ...config,
-      unexpected: "unexpected-value",
-    } as json.UnvalidatedObject<types.AuthConfig>),
-    config,
-  );
-});
-
-test("getAuthConfig - empty", async (t) => {
-  const config = makeFromSchema(false, types.usernamePasswordSchema);
-
-  // Since the purpose of constructing the `AuthConfig` values is for
-  // serialisation to JSON so that they can be passed to the proxy as configuration,
-  // we only care that the stringified JSON representations are the same.
-  t.deepEqual(
-    JSON.stringify(
-      getAuthConfig({
-        ...config,
-        unexpected: "unexpected-value",
-      } as json.UnvalidatedObject<types.AuthConfig>),
-    ),
-    JSON.stringify({}),
-  );
-});
@@ -1,81 +0,0 @@
-import * as core from "@actions/core";
-
-import * as json from "../json";
-import { isDefined } from "../util";
-
-import type { AuthConfig, UsernamePassword } from "./types";
-import * as types from "./types";
-
-/** Constructs a new object from `obj` with only keys that exist in `schema`. */
-export function cloneCredential<S extends json.Schema>(
-  schema: S,
-  obj: json.FromSchema<S>,
-): json.FromSchema<S> {
-  const result = {};
-
-  for (const key of Object.keys(schema)) {
-    // Skip keys that don't exist or don't have a value.
-    if (!isDefined(obj[key])) {
-      continue;
-    }
-    result[key] = obj[key];
-  }
-
-  return result as json.FromSchema<S>;
-}
-
-/** Extracts an `AuthConfig` value from `config`. */
-export function getAuthConfig(
-  config: json.UnvalidatedObject<AuthConfig>,
-): AuthConfig {
-  // Start by checking for the OIDC configurations, since they have required properties
-  // which we can use to identify them.
-  for (const oidcSchema of types.oidcSchemas) {
-    if (json.validateSchema(oidcSchema.schema, config)) {
-      return cloneCredential(oidcSchema.schema, config);
-    }
-  }
-
-  // Otherwise, try the basic configuration types.
-  if (types.isToken(config)) {
-    // There are three scenarios for non-OIDC authentication based on the registry type:
-    //
-    // 1. `username`+`token`
-    // 2. A `token` that combines the username and actual token, separated by ':'.
-    // 3. `username`+`password`
-    //
-    // In all three cases, all fields are optional. If the `token` field is present,
-    // we accept the configuration as a `Token` typed configuration, with the `token`
-    // value and an optional `username`. Otherwise, we accept the configuration
-    // typed as `UsernamePassword` (in the `else` clause below) with optional
-    // username and password. I.e. a private registry type that uses 1. or 2.,
-    // but has no `token` configured, will get accepted as `UsernamePassword` here.
-
-    if (isDefined(config.token)) {
-      // Mask token to reduce chance of accidental leakage in logs, if we have one.
-      core.setSecret(config.token);
-    }
-
-    return cloneCredential(types.tokenSchema, config);
-  } else {
-    let username: string | undefined = undefined;
-    let password: string | undefined = undefined;
-
-    // Both "username" and "password" are optional. If we have reached this point, we need
-    // to validate which of them are present and that they have the correct type if so.
-    if ("password" in config && json.isString(config.password)) {
-      // Mask password to reduce chance of accidental leakage in logs, if we have one.
-      core.setSecret(config.password);
-      password = config.password;
-    }
-    if ("username" in config && json.isString(config.username)) {
-      username = config.username;
-    }
-
-    // Return the `UsernamePassword` object. Both username and password may be undefined.
-    return {
-      username,
-      password,
-    } satisfies UsernamePassword;
-  }
-}
@@ -4,7 +4,7 @@ import * as sinon from "sinon";
 import * as actionsUtil from "./actions-util";
 import { Config } from "./config-utils";
 import { EnvVar } from "./environment";
-import { BuiltInLanguage } from "./languages";
+import { KnownLanguage } from "./languages";
 import { getRunnerLogger } from "./logging";
 import { ToolsSource } from "./setup-codeql";
 import {
@@ -48,7 +48,7 @@ test.serial("createStatusReportBase", async (t) => {
      new Date("May 19, 2023 05:19:00"),
      createTestConfig({
        buildMode: BuildMode.None,
-        languages: [BuiltInLanguage.java, BuiltInLanguage.swift],
+        languages: [KnownLanguage.java, KnownLanguage.swift],
      }),
      { numAvailableBytes: 100, numTotalBytes: 500 },
      getRunnerLogger(false),
@@ -345,7 +345,7 @@ test.serial(
  "returns a value",
  createTestConfig({
    buildMode: BuildMode.None,
-    languages: [BuiltInLanguage.java, BuiltInLanguage.swift],
+    languages: [KnownLanguage.java, KnownLanguage.swift],
  }),
  {
    trap_cache_download_size_bytes: 1024,
@@ -360,7 +360,7 @@ test.serial(
  "includes packs for a single language",
  createTestConfig({
    buildMode: BuildMode.None,
-    languages: [BuiltInLanguage.java],
+    languages: [KnownLanguage.java],
    computedConfig: {
      packs: ["foo", "bar"],
    },
@@ -377,7 +377,7 @@ test.serial(
  "includes packs for multiple languages",
  createTestConfig({
    buildMode: BuildMode.None,
-    languages: [BuiltInLanguage.java, BuiltInLanguage.swift],
+    languages: [KnownLanguage.java, KnownLanguage.swift],
    computedConfig: {
      packs: { java: ["java-foo", "java-bar"], swift: ["swift-bar"] },
    },
@@ -160,9 +160,6 @@ export const DEFAULT_ACTIONS_VARS = {
  RUNNER_OS: "Linux",
 } as const satisfies Record<string, string>;

-/** A 64-character SHA-256 Git OID for use in SHA-256 repository test scenarios. */
-export const SHA256_GITHUB_SHA = "0".repeat(64);
-
 // Sets environment variables that make using some libraries designed for
 // use only on actions safe to use outside of actions.
 export function setupActionsVars(
@@ -6,7 +6,7 @@ import * as sinon from "sinon";

 import { CodeQL, getCodeQLForTesting } from "./codeql";
 import * as configUtils from "./config-utils";
-import { BuiltInLanguage } from "./languages";
+import { KnownLanguage } from "./languages";
 import { createTestConfig, makeVersionInfo, setupTests } from "./testing-utils";
 import { ToolsFeature } from "./tools-features";
 import { getCombinedTracerConfig } from "./tracer-config";
@@ -16,7 +16,7 @@ setupTests(test);

 function getTestConfig(tempDir: string): configUtils.Config {
  return createTestConfig({
-    languages: [BuiltInLanguage.java],
+    languages: [KnownLanguage.java],
    tempDir,
    dbLocation: path.resolve(tempDir, "codeql_databases"),
  });
@@ -36,7 +36,7 @@ async function stubCodeql(
    );
  sinon
    .stub(codeqlObject, "isTracedLanguage")
-    .withArgs(BuiltInLanguage.java)
+    .withArgs(KnownLanguage.java)
    .resolves(true);
  return codeqlObject;
 }
@@ -45,7 +45,7 @@ test("getCombinedTracerConfig - return undefined when no languages are traced la
  await util.withTmpDir(async (tmpDir) => {
    const config = getTestConfig(tmpDir);
    // No traced languages
-    config.languages = [BuiltInLanguage.javascript, BuiltInLanguage.python];
+    config.languages = [KnownLanguage.javascript, KnownLanguage.python];
    t.deepEqual(
      await getCombinedTracerConfig(await stubCodeql(), config),
      undefined,
@@ -15,7 +15,7 @@ import {
 import * as configUtils from "./config-utils";
 import { Feature } from "./feature-flags";
 import * as gitUtils from "./git-utils";
-import { BuiltInLanguage } from "./languages";
+import { KnownLanguage } from "./languages";
 import { getRunnerLogger } from "./logging";
 import {
  createFeatures,
@@ -41,7 +41,7 @@ const stubCodeql = createStubCodeQL({
  async betterResolveLanguages() {
    return {
      extractors: {
-        [BuiltInLanguage.javascript]: [
+        [KnownLanguage.javascript]: [
          {
            extractor_root: "some_root",
            extractor_options: {
@@ -65,7 +65,7 @@ const stubCodeql = createStubCodeQL({
            },
          },
        ],
-        [BuiltInLanguage.cpp]: [
+        [KnownLanguage.cpp]: [
          {
            extractor_root: "other_root",
          },
@@ -76,7 +76,7 @@ const stubCodeql = createStubCodeQL({
 });

 const testConfigWithoutTmpDir = createTestConfig({
-  languages: [BuiltInLanguage.javascript, BuiltInLanguage.cpp],
+  languages: [KnownLanguage.javascript, KnownLanguage.cpp],
  trapCaches: {
    javascript: "/some/cache/dir",
  },
@@ -84,7 +84,7 @@ const testConfigWithoutTmpDir = createTestConfig({

 function getTestConfigWithTempDir(tempDir: string): configUtils.Config {
  return createTestConfig({
-    languages: [BuiltInLanguage.javascript, BuiltInLanguage.ruby],
+    languages: [KnownLanguage.javascript, KnownLanguage.ruby],
    tempDir,
    dbLocation: path.resolve(tempDir, "codeql_databases"),
    trapCaches: {
@@ -100,7 +100,7 @@ test.serial("check flags for JS, analyzing default branch", async (t) => {
    sinon.stub(gitUtils, "isAnalyzingDefaultBranch").resolves(true);
    const result = await getTrapCachingExtractorConfigArgsForLang(
      config,
-      BuiltInLanguage.javascript,
+      KnownLanguage.javascript,
    );
    t.deepEqual(result, [
      `-O=javascript.trap.cache.dir=${path.resolve(tmpDir, "jsCache")}`,
@@ -131,10 +131,10 @@ test("get languages that support TRAP caching", async (t) => {
  const logger = getRecordingLogger(loggedMessages);
  const languagesSupportingCaching = await getLanguagesSupportingCaching(
    stubCodeql,
-    [BuiltInLanguage.javascript, BuiltInLanguage.cpp],
+    [KnownLanguage.javascript, KnownLanguage.cpp],
    logger,
  );
-  t.deepEqual(languagesSupportingCaching, [BuiltInLanguage.javascript]);
+  t.deepEqual(languagesSupportingCaching, [KnownLanguage.javascript]);
 });

 test.serial("upload cache key contains right fields", async (t) => {
@@ -180,7 +180,7 @@ test.serial(
      );
      await downloadTrapCaches(
        stubCodeql,
-        [BuiltInLanguage.javascript, BuiltInLanguage.cpp],
+        [KnownLanguage.javascript, KnownLanguage.cpp],
        logger,
      );
      t.assert(
@@ -12,7 +12,7 @@ import * as api from "./api-client";
 import * as diffUtils from "./diff-informed-analysis-utils";
 import { getRunnerLogger, Logger } from "./logging";
 import * as sarif from "./sarif";
-import { setupTests, SHA256_GITHUB_SHA } from "./testing-utils";
+import { setupTests } from "./testing-utils";
 import * as uploadLib from "./upload-lib";
 import { UploadPayload } from "./upload-lib/types";
 import { GitHubVariant, initializeEnvironment, withTmpDir } from "./util";
@@ -110,35 +110,6 @@ test.serial(
  },
 );

-test.serial(
-  "validate correct payload used for PR merge commit with SHA-256 OIDs",
-  async (t) => {
-    process.env["GITHUB_EVENT_NAME"] = "pull_request";
-    process.env["GITHUB_SHA"] = SHA256_GITHUB_SHA;
-    process.env["GITHUB_BASE_REF"] = "master";
-    process.env["GITHUB_EVENT_PATH"] =
-      `${__dirname}/../src/testdata/pull_request.json`;
-
-    const sha256MergeBase = "b".repeat(64);
-    const prMergePayload: any = uploadLib.buildPayload(
-      SHA256_GITHUB_SHA,
-      "refs/pull/123/merge",
-      "key",
-      undefined,
-      "",
-      1234,
-      1,
-      "/opt/src",
-      undefined,
-      ["CodeQL", "eslint"],
-      sha256MergeBase,
-    );
-    // Uploads for a merge commit use the merge base (SHA-256)
-    t.deepEqual(prMergePayload.base_ref, "refs/heads/master");
-    t.deepEqual(prMergePayload.base_sha, sha256MergeBase);
-  },
-);
-
 test.serial("finding SARIF files", async (t) => {
  await withTmpDir(async (tmpDir) => {
    // include a couple of sarif files
@@ -29,6 +29,6 @@ outputs:
  proxy_urls:
    description: A stringified JSON array of objects containing the types and URLs of the configured registries.
 runs:
-  using: node24
+  using: node20
  main: "../lib/start-proxy-action.js"
  post: "../lib/start-proxy-action-post.js"
@@ -8,6 +8,5 @@ packs:
    - codeql-testing/codeql-pack3:other-query.ql

 paths-ignore:
-  - lib
-  - pr-checks
  - tests
+  - lib
@@ -2,6 +2,5 @@ name: Pack testing in the CodeQL Action

 disable-default-queries: true
 paths-ignore:
-  - lib
-  - pr-checks
  - tests
+  - lib
@@ -6,6 +6,5 @@ packs:
    - codeql-testing/codeql-pack2
    - codeql-testing/codeql-pack3:other-query.ql
 paths-ignore:
-  - lib
-  - pr-checks
  - tests
+  - lib
@@ -41,6 +41,6 @@ outputs:

      { "code-scanning": "some-id", "code-quality": "some-other-id" }
 runs:
-  using: node24
+  using: node20
  main: '../lib/upload-sarif-action.js'
  post: '../lib/upload-sarif-action-post.js'
Author	SHA1	Message	Date
Henry Mercer	ce64ddcb0d	Merge pull request #3826 from github/backport-v3.35.2-95e58e9a2 Merge releases/v4 into releases/v3	2026-04-15 12:51:20 +01:00
github-actions[bot]	c186c7b484	Rebuild	2026-04-15 11:30:55 +00:00
github-actions[bot]	8bcc8f23a2	Update version and changelog for v3.35.2	2026-04-15 11:26:58 +00:00
github-actions[bot]	834786ac9b	Merge remote-tracking branch 'origin/releases/v4' into backport-v3.35.2-95e58e9a2	2026-04-15 11:26:57 +00:00
github-actions[bot]	047c547345	Revert "Rebuild" This reverts commit `646729a1e2`.	2026-04-15 11:26:56 +00:00
github-actions[bot]	7ca215887b	Revert "Update version and changelog for v3.35.1" This reverts commit `c983cb8e74`.	2026-04-15 11:26:56 +00:00
Henry Mercer	5c8a8a642e	Merge pull request #3784 from github/backport-v3.35.1-c10b8064d Merge releases/v4 into releases/v3	2026-03-27 16:41:10 +00:00
github-actions[bot]	646729a1e2	Rebuild	2026-03-27 16:19:35 +00:00
github-actions[bot]	c983cb8e74	Update version and changelog for v3.35.1	2026-03-27 16:13:31 +00:00
github-actions[bot]	557b58c47c	Merge remote-tracking branch 'origin/releases/v4' into backport-v3.35.1-c10b8064d	2026-03-27 16:13:29 +00:00
github-actions[bot]	8bb5bdb9fd	Revert "Rebuild" This reverts commit `b1a5f00cf1`.	2026-03-27 16:13:29 +00:00
github-actions[bot]	4d2fde9e07	Revert "Update version and changelog for v3.35.0" This reverts commit `124f6eec3b`.	2026-03-27 16:13:29 +00:00
Óscar San José	13efb23391	Merge pull request #3778 from github/backport-v3.35.0-b8bb9f28b Merge releases/v4 into releases/v3	2026-03-27 17:00:05 +01:00
github-actions[bot]	b1a5f00cf1	Rebuild	2026-03-27 12:23:35 +00:00
github-actions[bot]	124f6eec3b	Update version and changelog for v3.35.0	2026-03-27 12:18:22 +00:00
github-actions[bot]	a88fb3cde0	Merge remote-tracking branch 'origin/releases/v4' into backport-v3.35.0-b8bb9f28b	2026-03-27 12:18:20 +00:00
github-actions[bot]	57d591c67c	Revert "Rebuild" This reverts commit `97fd992228`.	2026-03-27 12:18:20 +00:00
github-actions[bot]	dba1849cf2	Revert "Update version and changelog for v3.34.1" This reverts commit `95a562052b`.	2026-03-27 12:18:20 +00:00
Henry Mercer	ebcb5b36de	Merge pull request #3765 from github/backport-v3.34.1-386975555 Merge releases/v4 into releases/v3	2026-03-20 18:37:00 +00:00
github-actions[bot]	97fd992228	Rebuild	2026-03-20 18:19:37 +00:00
github-actions[bot]	95a562052b	Update version and changelog for v3.34.1	2026-03-20 18:16:44 +00:00
github-actions[bot]	ae8b37eb31	Merge remote-tracking branch 'origin/releases/v4' into backport-v3.34.1-386975555	2026-03-20 18:16:42 +00:00
github-actions[bot]	d75030c604	Revert "Rebuild" This reverts commit `c146cd2193`.	2026-03-20 18:16:42 +00:00
github-actions[bot]	a777590c0f	Revert "Update version and changelog for v3.34.0" This reverts commit `3fef31e9b5`.	2026-03-20 18:16:41 +00:00
Óscar San José	dfad8f8ebc	Merge pull request #3590 from github/backport-v3.34.0-c6f931105 Merge releases/v4 into releases/v3	2026-03-20 16:15:08 +01:00
github-actions[bot]	c146cd2193	Rebuild	2026-03-20 12:03:47 +00:00
github-actions[bot]	3fef31e9b5	Update version and changelog for v3.34.0	2026-03-20 11:59:46 +00:00
github-actions[bot]	3d7478b23a	Merge remote-tracking branch 'origin/releases/v4' into backport-v3.34.0-c6f931105	2026-03-20 11:59:44 +00:00
github-actions[bot]	f874badee7	Revert "Rebuild" This reverts commit `9ed0d758ce`.	2026-03-20 11:59:44 +00:00
github-actions[bot]	1c3843e226	Revert "Update version and changelog for v3.33.0" This reverts commit `2da877a512`.	2026-03-20 11:59:44 +00:00
Michael B. Gale	603b797f8b	Merge pull request #3577 from github/backport-v3.33.0-b1bff8193 Merge releases/v4 into releases/v3	2026-03-16 12:23:22 +00:00
github-actions[bot]	9ed0d758ce	Rebuild	2026-03-16 11:10:08 +00:00
github-actions[bot]	2da877a512	Update version and changelog for v3.33.0	2026-03-16 09:08:36 +00:00
github-actions[bot]	4ccf9a5deb	Merge remote-tracking branch 'origin/releases/v4' into backport-v3.33.0-b1bff8193	2026-03-16 09:08:34 +00:00
github-actions[bot]	e50ab6dc1d	Revert "Rebuild" This reverts commit `dabb34c95a`.	2026-03-16 09:08:33 +00:00
github-actions[bot]	ee6db5e4f5	Revert "Update version and changelog for v3.32.6" This reverts commit `c0e7770e36`.	2026-03-16 09:08:33 +00:00
Óscar San José	820e3160e2	Merge pull request #3553 from github/backport-v3.32.6-0d579ffd0 Merge releases/v4 into releases/v3	2026-03-06 10:44:37 +01:00
github-actions[bot]	dabb34c95a	Rebuild	2026-03-05 19:44:24 +00:00
github-actions[bot]	c0e7770e36	Update version and changelog for v3.32.6	2026-03-05 19:35:55 +00:00
github-actions[bot]	dbc2ac9b7a	Merge remote-tracking branch 'origin/releases/v4' into backport-v3.32.6-0d579ffd0	2026-03-05 19:35:54 +00:00
github-actions[bot]	e61b8b4cf5	Revert "Rebuild" This reverts commit `b58ecf644d`.	2026-03-05 19:35:53 +00:00
github-actions[bot]	b7ebceaf1a	Revert "Update version and changelog for v3.32.5" This reverts commit `e3632d0ee3`.	2026-03-05 19:35:53 +00:00
Henry Mercer	ae9ef3a1d2	Merge pull request #3533 from github/backport-v3.32.5-c793b717b Merge releases/v4 into releases/v3	2026-03-02 12:01:34 +00:00
github-actions[bot]	b58ecf644d	Rebuild	2026-03-02 11:34:55 +00:00
github-actions[bot]	e3632d0ee3	Update version and changelog for v3.32.5	2026-03-02 11:17:26 +00:00
github-actions[bot]	cdcb071e67	Merge remote-tracking branch 'origin/releases/v4' into backport-v3.32.5-c793b717b	2026-03-02 11:17:25 +00:00
github-actions[bot]	177cb24be1	Revert "Rebuild" This reverts commit `a3696cdbdf`.	2026-03-02 11:17:24 +00:00
github-actions[bot]	2427cfc4a9	Revert "Update version and changelog for v3.32.4" This reverts commit `147ec67ee5`.	2026-03-02 11:17:23 +00:00
Michael B. Gale	45580472a5	Merge pull request #3496 from github/backport-v3.32.4-89a39a4e5	2026-02-20 15:34:23 +00:00
github-actions[bot]	a3696cdbdf	Rebuild	2026-02-20 14:52:56 +00:00
github-actions[bot]	147ec67ee5	Update version and changelog for v3.32.4	2026-02-20 14:21:14 +00:00
github-actions[bot]	acb91bd91f	Merge remote-tracking branch 'origin/releases/v4' into backport-v3.32.4-89a39a4e5	2026-02-20 14:21:13 +00:00
github-actions[bot]	88d9aba91d	Revert "Rebuild" This reverts commit `70a71a57dd`.	2026-02-20 14:21:12 +00:00
github-actions[bot]	72edeaa05b	Revert "Update version and changelog for v3.32.3" This reverts commit `676a1ceb5c`.	2026-02-20 14:21:12 +00:00
Henry Mercer	f5c2471be7	Merge pull request #3481 from github/backport-v3.32.3-9e907b5e6 Merge releases/v4 into releases/v3	2026-02-13 12:21:24 +00:00
github-actions[bot]	70a71a57dd	Rebuild	2026-02-13 12:01:04 +00:00
github-actions[bot]	676a1ceb5c	Update version and changelog for v3.32.3	2026-02-13 11:55:54 +00:00
github-actions[bot]	e127ec2647	Merge remote-tracking branch 'origin/releases/v4' into backport-v3.32.3-9e907b5e6	2026-02-13 11:55:52 +00:00
github-actions[bot]	f5e6f52190	Revert "Rebuild" This reverts commit `bb159524f9`.	2026-02-13 11:55:52 +00:00
github-actions[bot]	e2a90d3e23	Revert "Update version and changelog for v3.32.2" This reverts commit `6b68dd5d27`.	2026-02-13 11:55:52 +00:00
Henry Mercer	b5ebac6f4c	Merge pull request #3463 from github/backport-v3.32.2-45cbd0c69 Merge releases/v4 into releases/v3	2026-02-06 11:22:57 +00:00
github-actions[bot]	bb159524f9	Rebuild	2026-02-06 11:00:51 +00:00
github-actions[bot]	6b68dd5d27	Update version and changelog for v3.32.2	2026-02-05 17:12:29 +00:00
github-actions[bot]	24e739f51f	Merge remote-tracking branch 'origin/releases/v4' into backport-v3.32.2-45cbd0c69	2026-02-05 17:12:25 +00:00
github-actions[bot]	e5a63de15c	Revert "Rebuild" This reverts commit `fd13ffa22c`.	2026-02-05 17:12:25 +00:00
github-actions[bot]	c2d57b0fc7	Revert "Update version and changelog for v3.32.1" This reverts commit `ce04bc5815`.	2026-02-05 17:12:24 +00:00
Henry Mercer	2588666de8	Merge pull request #3449 from github/backport-v3.32.1-6bc82e05f Merge releases/v4 into releases/v3	2026-02-02 07:47:27 -08:00
github-actions[bot]	fd13ffa22c	Rebuild	2026-02-02 15:21:36 +00:00
github-actions[bot]	ce04bc5815	Update version and changelog for v3.32.1	2026-02-02 15:14:15 +00:00
github-actions[bot]	27eb5f56eb	Merge remote-tracking branch 'origin/releases/v4' into backport-v3.32.1-6bc82e05f	2026-02-02 15:14:12 +00:00
github-actions[bot]	44f67f0887	Revert "Rebuild" This reverts commit `f5ab452606`.	2026-02-02 15:14:12 +00:00
github-actions[bot]	5d24c86a89	Revert "Update version and changelog for v3.32.0" This reverts commit `56c8e1c8a8`.	2026-02-02 15:14:12 +00:00
Henry Mercer	439137e1b5	Merge pull request #3430 from github/backport-v3.32.0-b20883b0c Merge releases/v4 into releases/v3	2026-01-26 11:23:41 -08:00
github-actions[bot]	f5ab452606	Rebuild	2026-01-26 18:54:38 +00:00
github-actions[bot]	56c8e1c8a8	Update version and changelog for v3.32.0	2026-01-26 18:41:33 +00:00
github-actions[bot]	4f5ca6f9a5	Merge remote-tracking branch 'origin/releases/v4' into backport-v3.32.0-b20883b0c	2026-01-26 18:41:32 +00:00
github-actions[bot]	92f3a2822b	Revert "Rebuild" This reverts commit `c9e0329cc4`.	2026-01-26 18:41:32 +00:00
github-actions[bot]	e9bf22fb0e	Revert "Update version and changelog for v3.31.11" This reverts commit `9ffacc75e8`.	2026-01-26 18:41:32 +00:00
Michael B. Gale	38e701f46e	Merge pull request #3419 from github/backport-v3.31.11-19b2f06db	2026-01-23 15:44:23 +00:00
github-actions[bot]	c9e0329cc4	Rebuild	2026-01-23 15:14:24 +00:00
github-actions[bot]	9ffacc75e8	Update version and changelog for v3.31.11	2026-01-23 13:56:12 +00:00
github-actions[bot]	21961f3b6f	Merge remote-tracking branch 'origin/releases/v4' into backport-v3.31.11-19b2f06db	2026-01-23 13:56:10 +00:00
github-actions[bot]	8233700206	Revert "Rebuild" This reverts commit `6252d140cd`.	2026-01-23 13:56:10 +00:00
github-actions[bot]	23e84a39f0	Revert "Update version and changelog for v3.31.10" This reverts commit `84cf4b44bb`.	2026-01-23 13:56:09 +00:00
Ian Lynagh	4bdb89f480	Merge pull request #3396 from github/backport-v3.31.10-cdefb33c0 Merge releases/v4 into releases/v3	2026-01-12 16:26:37 +00:00
Michael B. Gale	ed629463c0	Set `using: node20` for `verify-debug-artifact-scan-completed` on `releases/v3`	2026-01-12 15:44:23 +00:00
github-actions[bot]	6252d140cd	Rebuild	2026-01-12 15:28:18 +00:00
github-actions[bot]	84cf4b44bb	Update version and changelog for v3.31.10	2026-01-12 14:37:46 +00:00
github-actions[bot]	52cebb523a	Merge remote-tracking branch 'origin/releases/v4' into backport-v3.31.10-cdefb33c0	2026-01-12 14:37:43 +00:00
github-actions[bot]	fc6e643fe1	Revert "Rebuild" This reverts commit `311b632b9d`.	2026-01-12 14:37:43 +00:00
github-actions[bot]	f8ee3fcc9a	Revert "Update version and changelog for v3.31.9" This reverts commit `d300581d5e`.	2026-01-12 14:37:43 +00:00
Henry Mercer	45c373516f	Merge pull request #3373 from github/backport-v3.31.9-5d4e8d1ac Merge releases/v4 into releases/v3	2025-12-16 19:21:59 +00:00
github-actions[bot]	311b632b9d	Rebuild	2025-12-16 18:51:43 +00:00
github-actions[bot]	d300581d5e	Update version and changelog for v3.31.9	2025-12-16 18:34:57 +00:00
github-actions[bot]	7348876640	Merge remote-tracking branch 'origin/releases/v4' into backport-v3.31.9-5d4e8d1ac	2025-12-16 18:34:56 +00:00
github-actions[bot]	4f34645a82	Revert "Rebuild" This reverts commit `74951318a2`.	2025-12-16 18:34:56 +00:00
github-actions[bot]	e7c7a2d323	Revert "Update version and changelog for v3.31.8" This reverts commit `5676d1f64a`.	2025-12-16 18:34:56 +00:00
Óscar San José	f47c8e6a9b	Merge pull request #3357 from github/backport-v3.31.8-1b168cd39 Merge releases/v4 into releases/v3	2025-12-12 10:43:49 +01:00
github-actions[bot]	74951318a2	Rebuild	2025-12-12 08:53:47 +00:00
github-actions[bot]	5676d1f64a	Update version and changelog for v3.31.8	2025-12-12 08:46:33 +00:00
github-actions[bot]	c1bea80e56	Merge remote-tracking branch 'origin/releases/v4' into backport-v3.31.8-1b168cd39	2025-12-12 08:46:32 +00:00
github-actions[bot]	2d9c0b97af	Revert "Rebuild" This reverts commit `817dbfb39b`.	2025-12-12 08:46:32 +00:00
github-actions[bot]	827017f97b	Revert "Update version and changelog for v3.31.7" This reverts commit `793f7006bb`.	2025-12-12 08:46:31 +00:00
Henry Mercer	bffd034ab1	Merge pull request #3346 from github/backport-v3.31.7-cf1bb45a2 Merge releases/v4 into releases/v3	2025-12-09 13:26:37 +00:00
github-actions[bot]	817dbfb39b	Rebuild	2025-12-05 20:45:51 +00:00
github-actions[bot]	793f7006bb	Update version and changelog for v3.31.7	2025-12-05 17:21:20 +00:00
github-actions[bot]	d2e9832330	Merge remote-tracking branch 'origin/releases/v4' into backport-v3.31.7-cf1bb45a2	2025-12-05 17:21:19 +00:00
github-actions[bot]	c2e4b7785f	Revert "Rebuild" This reverts commit `89cb79a131`.	2025-12-05 17:21:18 +00:00
github-actions[bot]	66d7f51a10	Revert "Update version and changelog for v3.31.6" This reverts commit `dbf6819ebd`.	2025-12-05 17:21:18 +00:00
Michael B. Gale	497990dfed	Merge pull request #3338 from github/backport-v3.31.6-fe4161a26 Merge releases/v4 into releases/v3	2025-12-01 10:24:24 +00:00
github-actions[bot]	89cb79a131	Rebuild	2025-12-01 09:59:32 +00:00
github-actions[bot]	dbf6819ebd	Update version and changelog for v3.31.6	2025-12-01 09:52:51 +00:00
github-actions[bot]	5af51f4048	Merge remote-tracking branch 'origin/releases/v4' into backport-v3.31.6-fe4161a26	2025-12-01 09:52:49 +00:00
github-actions[bot]	e439418aab	Revert "Rebuild" This reverts commit `c12d7c1f2d`.	2025-12-01 09:52:49 +00:00
github-actions[bot]	249860e323	Revert "Update version and changelog for v3.31.5" This reverts commit `2e2a1cf1ef`.	2025-12-01 09:52:49 +00:00
Paolo Tranquilli	d3ced5c96c	Merge pull request #3324 from github/backport-v3.31.5-fdbfb4d27 Merge releases/v4 into releases/v3	2025-11-24 12:16:57 +01:00
github-actions[bot]	c12d7c1f2d	Rebuild	2025-11-24 10:56:57 +00:00
github-actions[bot]	2e2a1cf1ef	Update version and changelog for v3.31.5	2025-11-24 09:33:54 +00:00
github-actions[bot]	e2cca77d06	Merge remote-tracking branch 'origin/releases/v4' into backport-v3.31.5-fdbfb4d27	2025-11-24 09:33:53 +00:00
github-actions[bot]	801a18bea6	Revert "Rebuild" This reverts commit `9031cd9330`.	2025-11-24 09:33:52 +00:00
github-actions[bot]	1c715a714c	Revert "Update version and changelog for v3.31.4" This reverts commit `f58938aee2`.	2025-11-24 09:33:52 +00:00
Henry Mercer	c3d42c5d08	Merge pull request #3314 from github/backport-v3.31.4-e12f01789 Merge releases/v4 into releases/v3	2025-11-19 10:02:25 +00:00
github-actions[bot]	9031cd9330	Rebuild	2025-11-18 17:06:56 +00:00
github-actions[bot]	f58938aee2	Update version and changelog for v3.31.4	2025-11-18 16:16:32 +00:00
github-actions[bot]	1f1c162805	Merge remote-tracking branch 'origin/releases/v4' into backport-v3.31.4-e12f01789	2025-11-18 16:16:30 +00:00
github-actions[bot]	7ab96a0e6f	Revert "Rebuild" This reverts commit `e5971bdba6`.	2025-11-18 16:16:30 +00:00
github-actions[bot]	e3cb86275a	Revert "Update version and changelog for v3.31.3" This reverts commit `c5a9d29dc9`.	2025-11-18 16:16:29 +00:00
Michael B. Gale	f94c9befff	Merge pull request #3295 from github/backport-v3.31.3-014f16e7a Merge releases/v4 into releases/v3	2025-11-13 22:45:46 +00:00
github-actions[bot]	e5971bdba6	Rebuild	2025-11-13 22:03:22 +00:00
github-actions[bot]	c5a9d29dc9	Update version and changelog for v3.31.3	2025-11-13 21:57:42 +00:00
github-actions[bot]	9f1109665d	Merge remote-tracking branch 'origin/releases/v4' into backport-v3.31.3-014f16e7a	2025-11-13 21:57:40 +00:00
github-actions[bot]	f8f60f3a2b	Revert "Rebuild" This reverts commit `c6eb09db21`.	2025-11-13 21:57:40 +00:00
github-actions[bot]	f4d10b9ef7	Revert "Update version and changelog for v3.31.2" This reverts commit `09db9044dc`.	2025-11-13 21:57:39 +00:00
Henry Mercer	5d5cd550d3	Merge pull request #3263 from github/backport-v3.31.2-0499de31b Merge releases/v4 into releases/v3	2025-10-30 15:01:09 +00:00
github-actions[bot]	c6eb09db21	Rebuild	2025-10-30 14:37:32 +00:00
github-actions[bot]	09db9044dc	Update version and changelog for v3.31.2	2025-10-30 14:34:26 +00:00
github-actions[bot]	d3cd47d8d6	Merge remote-tracking branch 'origin/releases/v4' into backport-v3.31.2-0499de31b	2025-10-30 14:34:25 +00:00
github-actions[bot]	8e9caa5100	Revert "Rebuild" This reverts commit `c2805e0a04`.	2025-10-30 14:34:25 +00:00
github-actions[bot]	23a6333b88	Revert "Update version and changelog for v3.31.1" This reverts commit `c0d3370b54`.	2025-10-30 14:34:24 +00:00
Henry Mercer	c503cb4fbb	Merge pull request #3254 from github/backport-v3.31.1-5fe9434cd Merge releases/v4 into releases/v3	2025-10-30 11:00:54 +00:00
github-actions[bot]	c2805e0a04	Rebuild	2025-10-30 10:35:44 +00:00
github-actions[bot]	c0d3370b54	Update version and changelog for v3.31.1	2025-10-30 10:31:02 +00:00
github-actions[bot]	ddd0dc746a	Merge remote-tracking branch 'origin/releases/v4' into backport-v3.31.1-5fe9434cd	2025-10-30 10:31:01 +00:00
github-actions[bot]	2f607936ce	Revert "Rebuild" This reverts commit `9e3918e481`.	2025-10-30 10:31:00 +00:00
github-actions[bot]	37e7dfbaa0	Revert "Update version and changelog for v3.31.0" This reverts commit `7dd1575dac`.	2025-10-30 10:31:00 +00:00
Michael B. Gale	d198d2fabf	Merge pull request #3237 from github/backport-v3.31.0-4e94bd11f Merge releases/v4 into releases/v3	2025-10-24 19:30:34 +01:00
github-actions[bot]	9e3918e481	Rebuild	2025-10-24 17:18:40 +00:00
github-actions[bot]	7dd1575dac	Update version and changelog for v3.31.0	2025-10-24 17:11:07 +00:00
github-actions[bot]	28fc48d83c	Merge remote-tracking branch 'origin/releases/v4' into backport-v3.31.0-4e94bd11f	2025-10-24 17:11:06 +00:00
github-actions[bot]	12c6008004	Revert "Rebuild" This reverts commit `5f3f3164ad`.	2025-10-24 17:11:05 +00:00
github-actions[bot]	d3019effb0	Revert "Update version and changelog for v3.30.9" This reverts commit `ba42101490`.	2025-10-24 17:11:05 +00:00
Henry Mercer	42213152a8	Merge pull request #3216 from github/backport-v3.30.9-16140ae1a Merge releases/v4 into releases/v3	2025-10-17 17:09:13 +01:00
Henry Mercer	e677e67801	Run `setup-codeql` on Node 20 for v3	2025-10-17 16:53:18 +01:00
github-actions[bot]	5f3f3164ad	Rebuild	2025-10-17 15:34:40 +00:00
github-actions[bot]	ba42101490	Update version and changelog for v3.30.9	2025-10-17 15:24:34 +00:00
github-actions[bot]	f11af5849b	Merge remote-tracking branch 'origin/releases/v4' into backport-v3.30.9-16140ae1a	2025-10-17 15:24:33 +00:00
github-actions[bot]	ba5430dc86	Revert "Rebuild" This reverts commit `948223fe01`.	2025-10-17 15:24:33 +00:00
github-actions[bot]	13e883e119	Revert "Update version and changelog for v3.30.8" This reverts commit `a37add20d4`.	2025-10-17 15:24:32 +00:00
Michael B. Gale	755f44910c	Merge pull request #3201 from github/backport-v3.30.8-2a6736cca Merge releases/v4 into releases/v3	2025-10-10 18:20:36 +01:00
github-actions[bot]	948223fe01	Rebuild	2025-10-10 16:56:34 +00:00
github-actions[bot]	a37add20d4	Update version and changelog for v3.30.8	2025-10-10 16:50:13 +00:00
github-actions[bot]	ab163cf08b	Merge remote-tracking branch 'origin/releases/v4' into backport-v3.30.8-2a6736cca	2025-10-10 16:50:12 +00:00
github-actions[bot]	319796f085	Revert "Rebuild" This reverts commit `c551c50310`.	2025-10-10 16:50:12 +00:00
github-actions[bot]	bd1ac56295	Revert "Update version and changelog for v3.30.7" This reverts commit `b264e15259`.	2025-10-10 16:50:12 +00:00
Mario Campos	a8d1ac45b9	Merge pull request #3187 from github/backport-v3.30.7-e296a9355 Merge releases/v4 into releases/v3	2025-10-07 10:58:53 -05:00
github-actions[bot]	c551c50310	Rebuild	2025-10-07 15:33:29 +00:00
Mario Campos	01f1a24033	Downgrade action.yml to use Node.js 20 instead of Node.js 24 for v3	2025-10-07 10:29:22 -05:00
github-actions[bot]	b264e15259	Update version and changelog for v3.30.7	2025-10-07 15:23:05 +00:00