Update changelog and version after v4.35.5

2026-05-25 16:04:52 +00:00 · 2026-05-14 23:23:03 +00:00
101 changed files with 1141048 additions and 33363 deletions
@@ -41,38 +41,7 @@ runs:
        git add .
        git commit -m "Update changelog and version after ${VERSION}"

-    # Update the build artifacts with the new version number
-    - name: Rebuild the Action
-      shell: bash
-      run: |
-        set -exu
-        npm ci
-        npm run build
-
-    - name: Check for rebuild changes
-      id: rebuild_changes
-      shell: bash
-      run: |
-        set -exu
-        git add --all
-        if git diff --cached --quiet; then
-          echo "has_changes=false" >> "${GITHUB_OUTPUT}"
-        else
-          echo "has_changes=true" >> "${GITHUB_OUTPUT}"
-        fi
-
-    - name: Commit rebuild
-      if: steps.rebuild_changes.outputs.has_changes == 'true'
-      shell: bash
-      run: |
-        set -exu
-        git commit -m "Rebuild"
-
-    - name: Push mergeback branch
-      shell: bash
-      env:
-        NEW_BRANCH: "${{ inputs.branch }}"
-      run: git push origin "${NEW_BRANCH}"
+        git push origin "${NEW_BRANCH}"

    - name: Create PR
      shell: bash
@@ -91,6 +60,8 @@ runs:

          Please do the following:

+          - [ ] Remove and re-add the "Rebuild" label to the PR to trigger just this workflow.
+          - [ ] Wait for the "Rebuild" workflow to push a commit updating the distribution files.
          - [ ] Mark the PR as ready for review to trigger the full set of PR checks.
          - [ ] Approve and merge the PR. When merging the PR, make sure "Create a merge commit" is
                selected rather than "Squash and merge" or "Rebase and merge".
@@ -103,6 +74,7 @@ runs:
          --head "${NEW_BRANCH}" \
          --base "${BASE_BRANCH}" \
          --title "${pr_title}" \
+          --label "Rebuild" \
          --body "${pr_body}" \
          --assignee "${GITHUB_ACTOR}" \
          --draft
@@ -18,7 +18,7 @@ runs:
    - name: Set up Node
      uses: actions/setup-node@v6
      with:
-        node-version: 24
+        node-version: 20
        cache: 'npm'

    - name: Set up Python
@@ -16,27 +16,12 @@ No user facing changes.
 """

 # NB: This exact commit message is used to find commits for reverting during backports.
-# Changing it requires a transition period where both old and new versions are supported.
+# Changing it requires a transition period where both old and new versions are supported.
 BACKPORT_COMMIT_MESSAGE = 'Update version and changelog for v'

-# Commit message used for rebuild commits, both those produced by this script and those produced
-# by the `Rebuild Action` workflow (`.github/workflows/rebuild.yml`).
-REBUILD_COMMIT_MESSAGE = 'Rebuild'
-
 # Name of the remote
 ORIGIN = 'origin'

-# Environment variables to check for a GitHub API token.
-TOKEN_ENVIRONMENT_VARIABLES = ('GH_TOKEN', 'GITHUB_TOKEN')
-
-# Gets a GitHub API token from one of the supported environment variables.
-def get_github_token():
-  for variable_name in TOKEN_ENVIRONMENT_VARIABLES:
-    token = os.environ.get(variable_name, '').strip()
-    if token:
-      return token
-  raise Exception('Missing GitHub token. Set GITHUB_TOKEN or GH_TOKEN.')
-
 # Runs git with the given args and returns the stdout.
 # Raises an error if git does not exit successfully (unless passed
 # allow_non_zero_exit_code=True).
@@ -47,28 +32,6 @@ def run_git(*args, allow_non_zero_exit_code=False):
    raise Exception(f'Call to {" ".join(cmd)} exited with code {p.returncode} stderr: {p.stderr.decode("ascii")}.')
  return p.stdout.decode('ascii')

-# Runs the given command, streaming output to the console.
-# Raises an error if the command does not exit successfully.
-def run_command(*args):
-  cmd = list(args)
-  print(f'Running `{" ".join(cmd)}`.')
-  subprocess.run(cmd, check=True)
-
-# Rebuilds the action and commits any changes.
-def rebuild_action():
-  # For backports, the only source-level change vs the source branch is the new version number,
-  # so we just need to refresh the version embedded in `lib/`.
-  run_command('npm', 'ci')
-  run_command('npm', 'run', 'build')
-
-  run_git('add', '--all')
-  # `git diff --cached --quiet` exits 0 if there are no staged changes, 1 if there are.
-  if subprocess.run(['git', 'diff', '--cached', '--quiet']).returncode == 0:
-    print('Rebuild produced no changes; skipping Rebuild commit.')
-  else:
-    run_git('commit', '-m', REBUILD_COMMIT_MESSAGE)
-    print('Created Rebuild commit.')
-
 # Returns true if the given branch exists on the origin remote
 def branch_exists_on_remote(branch_name):
  return run_git('ls-remote', '--heads', ORIGIN, branch_name).strip() != ''
@@ -124,11 +87,9 @@ def open_pr(
  body.append('Please do the following:')
  if len(conflicted_files) > 0:
    body.append(' - [ ] Ensure `package.json` file contains the correct version.')
-    body.append(' - [ ] Add a commit to this branch to resolve the merge conflicts ' +
+    body.append(' - [ ] Add commits to this branch to resolve the merge conflicts ' +
      'in the following files:')
-    body.extend([f'    - `{file}`' for file in conflicted_files])
-    body.append(' - [ ] Rebuild the Action locally (`npm run build`) and push any changes to the ' +
-      f'built output in `lib` as a separate commit named exactly `{REBUILD_COMMIT_MESSAGE}`.')
+    body.extend([f'    - [ ] `{file}`' for file in conflicted_files])
    body.append(' - [ ] Ensure another maintainer has reviewed the additional commits you added to this ' +
      'branch to resolve the merge conflicts.')
  body.append(' - [ ] Ensure the CHANGELOG displays the correct version and date.')
@@ -136,6 +97,10 @@ def open_pr(
  body.append(f' - [ ] Check that there are not any unexpected commits being merged into the `{target_branch}` branch.')
  body.append(' - [ ] Ensure the docs team is aware of any documentation changes that need to be released.')

+  if not is_primary_release:
+    body.append(' - [ ] Remove and re-add the "Rebuild" label to the PR to trigger just this workflow.')
+    body.append(' - [ ] Wait for the "Rebuild" workflow to push a commit updating the distribution files.')
+
  body.append(' - [ ] Mark the PR as ready for review to trigger the full set of PR checks.')
  body.append(' - [ ] Approve and merge this PR. Make sure `Create a merge commit` is selected rather than `Squash and merge` or `Rebase and merge`.')

@@ -144,11 +109,13 @@ def open_pr(
    body.append(' - [ ] Merge all backport PRs to older release branches, that will automatically be created once this PR is merged.')

  title = f'Merge {source_branch} into {target_branch}'
+  labels = ['Rebuild'] if not is_primary_release else []

  # Create the pull request
  # PR checks won't be triggered on PRs created by Actions. Therefore mark the PR as draft so that
  # a maintainer can take the PR out of draft, thereby triggering the PR checks.
  pr = repo.create_pull(title=title, body='\n'.join(body), head=new_branch_name, base=target_branch, draft=True)
+  pr.add_to_labels(*labels)
  print(f'Created PR #{str(pr.number)}')

  # Assign the conductor
@@ -303,6 +270,12 @@ def update_changelog(version):
 def main():
  parser = argparse.ArgumentParser('update-release-branch.py')

+  parser.add_argument(
+    '--github-token',
+    type=str,
+    required=True,
+    help='GitHub token, typically from GitHub Actions.'
+  )
  parser.add_argument(
    '--repository-nwo',
    type=str,
@@ -340,7 +313,7 @@ def main():
  target_branch = args.target_branch
  is_primary_release = args.is_primary_release

-  repo = Github(get_github_token()).get_repo(args.repository_nwo)
+  repo = Github(args.github_token).get_repo(args.repository_nwo)

  # the target branch will be of the form releases/vN, where N is the major version number
  target_branch_major_version = target_branch.strip('releases/v')
@@ -407,9 +380,8 @@ def main():
      # releases.
      run_git('revert', vOlder_update_commits[0], '--no-edit')

-      # Also revert the "Rebuild" commit, whether created by this script or by the
-      # `Rebuild Action` workflow.
-      rebuild_commit = run_git('log', '--grep', f'^{REBUILD_COMMIT_MESSAGE}$', '--format=%H').split()[0]
+      # Also revert the "Rebuild" commit created by Actions.
+      rebuild_commit = run_git('log', '--grep', '^Rebuild$', '--format=%H').split()[0]
      print(f'  Reverting {rebuild_commit}')
      run_git('revert', rebuild_commit, '--no-edit')

@@ -424,10 +396,9 @@ def main():
      run_git('add', '.')
      run_git('commit', '--no-edit')

-    # Migrate the package version number from a vLatest version number to a vOlder version number.
-    # `package-lock.json` is updated as part of the subsequent rebuild step (see `rebuild_action`).
+    # Migrate the package version number from a vLatest version number to a vOlder version number
    print(f'Setting version number to {version} in package.json')
-    replace_version_package_json(get_current_version(), version)
+    replace_version_package_json(get_current_version(), version) # We rely on the `Rebuild` workflow to update package-lock.json
    run_git('add', 'package.json')

    # Migrate the changelog notes from vLatest version numbers to vOlder version numbers
@@ -450,13 +421,6 @@ def main():
    run_git('add', 'CHANGELOG.md')
    run_git('commit', '-m', f'Update changelog for v{version}')

-  if not is_primary_release:
-    if len(conflicted_files) == 0:
-      print('Rebuilding the Action.')
-      rebuild_action()
-    else:
-      print(f'Skipping automatic rebuild because the merge produced conflicts in {conflicted_files}.')
-
  run_git('push', ORIGIN, new_branch_name)

  # Open a PR to update the branch
@@ -49,6 +49,10 @@ jobs:
      fail-fast: false
      matrix:
        include:
+          - os: ubuntu-latest
+            version: stable-v2.17.6
+          - os: ubuntu-latest
+            version: stable-v2.18.4
          - os: ubuntu-latest
            version: stable-v2.19.4
          - os: ubuntu-latest
@@ -57,10 +61,6 @@ jobs:
            version: stable-v2.21.4
          - os: ubuntu-latest
            version: stable-v2.22.4
-          - os: ubuntu-latest
-            version: stable-v2.23.9
-          - os: ubuntu-latest
-            version: stable-v2.24.3
          - os: ubuntu-latest
            version: default
          - os: ubuntu-latest
@@ -49,6 +49,10 @@ jobs:
      fail-fast: false
      matrix:
        include:
+          - os: ubuntu-latest
+            version: stable-v2.17.6
+          - os: ubuntu-latest
+            version: stable-v2.18.4
          - os: ubuntu-latest
            version: stable-v2.19.4
          - os: ubuntu-latest
@@ -57,10 +61,6 @@ jobs:
            version: stable-v2.21.4
          - os: ubuntu-latest
            version: stable-v2.22.4
-          - os: ubuntu-latest
-            version: stable-v2.23.9
-          - os: ubuntu-latest
-            version: stable-v2.24.3
          - os: ubuntu-latest
            version: default
          - os: ubuntu-latest
@@ -49,6 +49,10 @@ jobs:
      fail-fast: false
      matrix:
        include:
+          - os: ubuntu-latest
+            version: stable-v2.17.6
+          - os: ubuntu-latest
+            version: stable-v2.18.4
          - os: ubuntu-latest
            version: stable-v2.19.4
          - os: ubuntu-latest
@@ -57,10 +61,6 @@ jobs:
            version: stable-v2.21.4
          - os: ubuntu-latest
            version: stable-v2.22.4
-          - os: ubuntu-latest
-            version: stable-v2.23.9
-          - os: ubuntu-latest
-            version: stable-v2.24.3
          - os: ubuntu-latest
            version: default
          - os: ubuntu-latest
@@ -59,41 +59,41 @@ jobs:
      fail-fast: false
      matrix:
        include:
+          - os: ubuntu-latest
+            version: stable-v2.17.6
+          - os: macos-latest
+            version: stable-v2.17.6
+          - os: ubuntu-latest
+            version: stable-v2.18.4
+          - os: macos-latest
+            version: stable-v2.18.4
          - os: ubuntu-latest
            version: stable-v2.19.4
-          - os: macos-latest-xlarge
+          - os: macos-latest
            version: stable-v2.19.4
          - os: ubuntu-latest
            version: stable-v2.20.7
-          - os: macos-latest-xlarge
+          - os: macos-latest
            version: stable-v2.20.7
          - os: ubuntu-latest
            version: stable-v2.21.4
-          - os: macos-latest-xlarge
+          - os: macos-latest
            version: stable-v2.21.4
          - os: ubuntu-latest
            version: stable-v2.22.4
-          - os: macos-latest-xlarge
+          - os: macos-latest
            version: stable-v2.22.4
-          - os: ubuntu-latest
-            version: stable-v2.23.9
-          - os: macos-latest-xlarge
-            version: stable-v2.23.9
-          - os: ubuntu-latest
-            version: stable-v2.24.3
-          - os: macos-latest-xlarge
-            version: stable-v2.24.3
          - os: ubuntu-latest
            version: default
-          - os: macos-latest-xlarge
+          - os: macos-latest
            version: default
          - os: ubuntu-latest
            version: linked
-          - os: macos-latest-xlarge
+          - os: macos-latest
            version: linked
          - os: ubuntu-latest
            version: nightly-latest
-          - os: macos-latest-xlarge
+          - os: macos-latest
            version: nightly-latest
    name: Multi-language repository
    if: github.triggering_actor != 'dependabot[bot]'
@@ -40,7 +40,7 @@ jobs:
      matrix:
        include:
          - os: ubuntu-latest
-            version: stable-v2.19.4
+            version: stable-v2.19.3
          - os: ubuntu-latest
            version: stable-v2.22.1
          - os: ubuntu-latest
@@ -39,7 +39,7 @@ jobs:
      fail-fast: false
      matrix:
        include:
-          - os: macos-latest-xlarge
+          - os: macos-latest
            version: nightly-latest
    name: Swift analysis using autobuild
    if: github.triggering_actor != 'dependabot[bot]'
@@ -9,10 +9,6 @@ on:
    # by other workflows.
    types: [opened, synchronize, reopened, ready_for_review]

-concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: ${{ github.workflow }}-${{ github.ref }}
-
 defaults:
  run:
    shell: bash
@@ -77,7 +77,7 @@ jobs:
    strategy:
      fail-fast: false
      matrix:
-        os: [ubuntu-22.04,ubuntu-24.04,windows-2022,windows-2025,macos-14-xlarge,macos-15-xlarge]
+        os: [ubuntu-22.04,ubuntu-24.04,windows-2022,windows-2025,macos-14,macos-15]
        tools: ${{ fromJson(needs.check-codeql-versions.outputs.versions) }}
    runs-on: ${{ matrix.os }}

@@ -24,10 +24,6 @@ on:
    - cron: '0 5 * * *'
  workflow_dispatch:

-concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: ${{ github.workflow }}-${{ github.ref }}
-
 defaults:
  run:
    shell: bash
@@ -20,10 +20,6 @@ on:
    - cron: '0 5 * * *'
  workflow_dispatch:

-concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: ${{ github.workflow }}-${{ github.ref }}
-
 defaults:
  run:
    shell: bash
@@ -19,10 +19,6 @@ on:
    - cron: '0 5 * * *'
  workflow_dispatch:

-concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: ${{ github.workflow }}-${{ github.ref }}
-
 defaults:
  run:
    shell: bash
@@ -48,9 +48,6 @@ jobs:
        with:
          fetch-depth: 0  # ensure we have all tags and can push commits
      - uses: actions/setup-node@v6
-        with:
-          node-version: 24
-          cache: 'npm'
      - uses: actions/setup-python@v6
        with:
          python-version: '3.12'
@@ -10,10 +10,6 @@ on:
    types: [checks_requested]
  workflow_dispatch:

-concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: ${{ github.workflow }}-${{ github.ref }}
-
 defaults:
  run:
    shell: bash
@@ -33,10 +29,6 @@ jobs:
    runs-on: ${{ matrix.os }}
    timeout-minutes: 45

-    concurrency:
-      cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-      group: pr-checks-unit-tests-${{ github.ref }}-${{ github.event_name }}-${{ matrix.os }}-node${{ matrix['node-version'] }}
-
    steps:
      - name: Prepare git (Windows)
        if: runner.os == 'Windows'
@@ -75,21 +67,22 @@ jobs:
          sarif_file: eslint.sarif
          category: eslint

-  # These checks do not need to be run as part of the same matrix that we use for the `unit-tests`
-  # job.
-  other-checks:
-    name: Other checks
+  # Verifying the PR checks are up-to-date requires Node 24. The PR checks are not dependent
+  # on the main codebase and therefore do not need to be run as part of the same matrix that
+  # we use for the `unit-tests` job.
+  verify-pr-checks:
+    name: Verify PR checks
    if: github.triggering_actor != 'dependabot[bot]'
    permissions:
      contents: read
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-slim
    timeout-minutes: 10

-    concurrency:
-      cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-      group: pr-checks-pr-checks-${{ github.ref }}-${{ github.event_name }}
-
    steps:
+      - name: Prepare git (Windows)
+        if: runner.os == 'Windows'
+        run: git config --global core.autocrlf false
+
      - name: Checkout repository
        uses: actions/checkout@v6

@@ -100,22 +93,34 @@ jobs:
          cache: 'npm'

      - name: Install dependencies
-        id: install-deps
        run: npm ci

      - name: Verify PR checks up to date
-        if: ${{ !cancelled() && steps.install-deps.outcome == 'success' }}
+        if: always()
        run: .github/workflows/script/verify-pr-checks.sh

      - name: Run pr-checks tests
-        if: ${{ !cancelled() && steps.install-deps.outcome == 'success' }}
+        if: always()
        working-directory: pr-checks
        run: npx tsx --test

-      - name: Verify all Actions use the same Node version
-        id: head-version
+  check-node-version:
+    if: github.triggering_actor != 'dependabot[bot]'
+    name: Check Action Node versions
+    runs-on: ubuntu-latest
+    timeout-minutes: 45
+    env:
+      BASE_REF: ${{ github.base_ref }}
+
+    permissions:
+      contents: read
+
+    steps:
+      - uses: actions/checkout@v6
+      - id: head-version
+        name: Verify all Actions use the same Node version
        run: |
-          NODE_VERSION=$(find . -path "*/node_modules" -prune -o -name "action.yml" -exec yq -o=json '.runs.using' {} \; | jq -rs '[.[] | select(. != null and startswith("node"))] | unique | .[]')
+          NODE_VERSION=$(find . -name "action.yml" -exec yq -e '.runs.using' {} \; | grep node | sort | uniq)
          echo "NODE_VERSION: ${NODE_VERSION}"
          if [[ $(echo "$NODE_VERSION" | wc -l) -gt 1 ]]; then
            echo "::error::More than one node version used in 'action.yml' files."
@@ -123,111 +128,22 @@ jobs:
          fi
          echo "node_version=${NODE_VERSION}" >> $GITHUB_OUTPUT

-      - name: Fetch base commit
-        id: fetch-base
-        # Forks and Dependabot PRs don't have permission to write comments, so skip the repo size
-        # check in those cases.
-        if: >-
-          github.event_name == 'pull_request' &&
-          github.event.pull_request.head.repo.full_name == github.repository &&
-          github.event.pull_request.user.login != 'dependabot[bot]'
-        env:
-          BASE_SHA: ${{ github.event.pull_request.base.sha }}
-          HEAD_SHA: ${{ github.event.pull_request.head.sha }}
-          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        run: |
-          # Compare against the merge base so the size delta reflects only the commits actually
-          # added by this PR, ignoring any changes that have landed on the base branch since the
-          # PR branched off.
-          merge_base=$(gh api "repos/$GITHUB_REPOSITORY/compare/$BASE_SHA...$HEAD_SHA" --jq '.merge_base_commit.sha')
-          echo "merge_base=$merge_base" >> "$GITHUB_OUTPUT"
-          git fetch --no-tags --depth=1 origin "$merge_base" "$HEAD_SHA"
-
-      - name: Check repo size
-        if: steps.fetch-base.outcome == 'success'
-        working-directory: pr-checks
-        env:
-          BASE_REF: ${{ github.event.pull_request.base.ref }}
-          BASE_SHA: ${{ steps.fetch-base.outputs.merge_base }}
-          HEAD_SHA: ${{ github.event.pull_request.head.sha }}
-          RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
-        run: npx tsx check-repo-size.ts --output-dir "$RUNNER_TEMP/repo-size"
-
-      - name: Upload repo size comment
-        if: steps.fetch-base.outcome == 'success'
-        uses: actions/upload-artifact@v7
-        with:
-          name: repo-size-comment
-          path: ${{ runner.temp }}/repo-size/
-          if-no-files-found: error
-
-      - name: 'Backport: Check out base ref'
-        id: checkout-base
+      - id: checkout-base
+        name: 'Backport: Check out base ref'
        if: ${{ startsWith(github.head_ref, 'backport-') }}
        uses: actions/checkout@v6
        with:
-          ref: ${{ github.base_ref }}
+          ref: ${{ env.BASE_REF }}

      - name: 'Backport: Verify Node versions unchanged'
        if: steps.checkout-base.outcome == 'success'
        env:
          HEAD_VERSION: ${{ steps.head-version.outputs.node_version }}
        run: |
-          BASE_VERSION=$(find . -path "*/node_modules" -prune -o -name "action.yml" -exec yq -o=json '.runs.using' {} \; | jq -rs '[.[] | select(. != null and startswith("node"))] | unique | .[]')
+          BASE_VERSION=$(find . -name "action.yml" -exec yq -e '.runs.using' {} \; | grep node | sort | uniq)
          echo "HEAD_VERSION: ${HEAD_VERSION}"
          echo "BASE_VERSION: ${BASE_VERSION}"
          if [[ "$BASE_VERSION" != "$HEAD_VERSION" ]]; then
            echo "::error::Cannot change the Node version of an Action in a backport PR."
            exit 1
          fi
-
-  post-repo-size-comment:
-    name: Post repo size comment
-    needs: other-checks
-    # Keep write permissions isolated from the job that checks out and tests PR code. This job only
-    # posts the candidate comment body produced by the read-only `pr-checks` job.
-    if: >-
-      github.event_name == 'pull_request' &&
-      github.event.pull_request.head.repo.full_name == github.repository &&
-      github.event.pull_request.user.login != 'dependabot[bot]' &&
-      needs.other-checks.result == 'success'
-    permissions:
-      contents: read
-      pull-requests: write
-    runs-on: ubuntu-slim
-    timeout-minutes: 10
-
-    concurrency:
-      cancel-in-progress: true
-      group: check-repo-size-${{ github.event.pull_request.number }}
-
-    steps:
-      - name: Download repo size comment
-        uses: actions/download-artifact@v8
-        with:
-          name: repo-size-comment
-          path: repo-size-comment
-
-      - name: Post repo size comment
-        env:
-          COMMENT_MARKER: "<!-- repo-size-diff-bot -->"
-          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          PR_NUMBER: ${{ github.event.pull_request.number }}
-        run: |
-          significant=$(jq -r '.significant' repo-size-comment/metadata.json)
-          comment_id=$(
-            gh api "repos/$GITHUB_REPOSITORY/issues/$PR_NUMBER/comments" \
-              --paginate \
-              --jq ".[] | select(.body | contains(\"$COMMENT_MARKER\")) | .id" \
-              | head -n 1
-          )
-
-          if [[ -n "$comment_id" ]]; then
-            echo "Updating existing comment $comment_id."
-            gh api --method PATCH "repos/$GITHUB_REPOSITORY/issues/comments/$comment_id" --field body=@repo-size-comment/body.md
-          elif [[ "$significant" == "true" ]]; then
-            echo "Creating new repo size comment."
-            gh api --method POST "repos/$GITHUB_REPOSITORY/issues/$PR_NUMBER/comments" --field body=@repo-size-comment/body.md
-          else
-            echo "Skipping repo size comment because the delta is below the threshold and no sticky comment exists."
-          fi
@@ -14,10 +14,6 @@ on:
    - cron: '0 0 * * 1'
  workflow_dispatch:

-concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: ${{ github.workflow }}-${{ github.ref }}
-
 defaults:
  run:
    shell: bash
@@ -17,10 +17,6 @@ on:
    - cron: '0 5 * * *'
  workflow_dispatch:

-concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: ${{ github.workflow }}-${{ github.ref }}
-
 defaults:
  run:
    shell: bash
@@ -18,11 +18,6 @@ on:
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
-
-concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: ${{ github.workflow }}-${{ github.ref }}
-
 defaults:
  run:
    shell: bash
@@ -64,12 +64,11 @@ jobs:

    - name: Update current release branch
      if: github.event_name == 'workflow_dispatch'
-      env:
-        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      run: |
        echo SOURCE_BRANCH=${REF_NAME}
        echo TARGET_BRANCH=releases/${MAJOR_VERSION}
        python .github/update-release-branch.py \
+          --github-token ${{ secrets.GITHUB_TOKEN }} \
          --repository-nwo ${{ github.repository }} \
          --source-branch '${{ env.REF_NAME }}' \
          --target-branch 'releases/${{ env.MAJOR_VERSION }}' \
@@ -108,12 +107,11 @@ jobs:
    - uses: ./.github/actions/release-initialise

    - name: Update older release branch
-      env:
-        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      run: |
        echo SOURCE_BRANCH=${SOURCE_BRANCH}
        echo TARGET_BRANCH=${TARGET_BRANCH}
        python .github/update-release-branch.py \
+          --github-token ${{ secrets.GITHUB_TOKEN }} \
          --repository-nwo ${{ github.repository }} \
          --source-branch ${SOURCE_BRANCH} \
          --target-branch ${TARGET_BRANCH} \
@@ -6,18 +6,9 @@ See the [releases page](https://github.com/github/codeql-action/releases) for th

 No user facing changes.

-## 4.36.0 - 22 May 2026
+## v4.35.5 - 14 May 2026

- _Breaking change_: Bump the minimum required CodeQL bundle version to 2.19.4. [#3894](https://github.com/github/codeql-action/pull/3894)
- Add support for SHA-256 Git object IDs. [#3893](https://github.com/github/codeql-action/pull/3893)
- Update default CodeQL bundle version to [2.25.5](https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.25.5). [#3926](https://github.com/github/codeql-action/pull/3926)
-
-## 4.35.5 - 15 May 2026
-
- We have improved how the JavaScript bundles for the CodeQL Action are generated to avoid duplication across bundles and reduce the size of the repository by around 70%. This should have no effect on the runtime behaviour of the CodeQL Action. [#3899](https://github.com/github/codeql-action/pull/3899)
- For performance and accuracy reasons, [improved incremental analysis](https://github.com/github/roadmap/issues/1158) will now only be enabled on a pull request when diff-informed analysis is also enabled for that run. If diff-informed analysis is unavailable (for example, because the PR diff ranges could not be computed), the action will fall back to a full analysis. [#3791](https://github.com/github/codeql-action/pull/3791)
- If multiple inputs are provided for the GitHub-internal `analysis-kinds` input, only `code-scanning` will be enabled. The `analysis-kinds` input is experimental, for GitHub-internal use only, and may change without notice at any time. [#3892](https://github.com/github/codeql-action/pull/3892)
- Added an experimental change which, when running a Code Scanning analysis for a PR with [improved incremental analysis](https://github.com/github/roadmap/issues/1158) enabled, prefers CodeQL CLI versions that have a cached overlay-base database for the configured languages. This speeds up analysis for a repository when there is not yet a cached overlay-base database for the latest CLI version. We expect to roll this change out to everyone in May. [#3880](https://github.com/github/codeql-action/pull/3880)
+This release rolls back 4.35.4 due to issues with that release. It is identical to 0.0.0.

 ## 4.35.4 - 07 May 2026

@@ -1218,3 +1209,4 @@ No user facing changes.
 - Add this changelog file. [#507](https://github.com/github/codeql-action/pull/507)
 - Improve grouping of analysis logs. Add a new log group containing a summary of metrics and diagnostics, if they were produced by CodeQL builtin queries. [#515](https://github.com/github/codeql-action/pull/515)
 - Add metrics and diagnostics summaries from custom query suites to the analysis summary log group. [#532](https://github.com/github/codeql-action/pull/532)
+
@@ -71,7 +71,7 @@ Once the mergeback and backport pull request have been merged, the release is co

 Since the `codeql-action` runs most of its testing through individual Actions workflows, there are over two hundred required jobs that need to pass in order for a PR to turn green. It would be too tedious to maintain that list manually. You can regenerate the set of required checks automatically by running the [sync-checks.ts](pr-checks/sync-checks.ts) script:

- At a minimum, you must provide a token with permissions to update branch protection rules. For example, `gh auth token | pr-checks/sync-checks.ts --token-stdin` uses the same token that `gh` uses. You can also set the `GH_TOKEN` or `GITHUB_TOKEN` environment variable. If no token is provided or the token has insufficient permissions, the script will fail.
+- At a minimum, you must provide an argument for the `--token` input. For example, `--token "$(gh auth token)"` to use the same token that `gh` uses. If no token is provided or the token has insufficient permissions, the script will fail.
 - By default, the script performs a dry run and outputs information about the changes it would make to the branch protection rules. To actually apply the changes, specify the `--apply` flag.
 - If you run the script without any other arguments, it will retrieve the set of workflows that ran for the latest commit on `main`.
 - You can specify a different git ref with the `--ref` input. You will likely want to use this if you have a PR that removes or adds PR checks. For example, `--ref "some/branch/name"` to use the HEAD of the `some/branch/name` branch.
@@ -78,6 +78,8 @@ We typically release new minor versions of the CodeQL Action and Bundle when a n
 | `v3.28.21` | `2.21.3` | Enterprise Server 3.18 | |
 | `v3.28.12` | `2.20.7` | Enterprise Server 3.17 | |
 | `v3.28.6` | `2.20.3` | Enterprise Server 3.16 | |
+| `v3.28.6` | `2.20.3` | Enterprise Server 3.15 | |
+| `v3.28.6` | `2.20.3` | Enterprise Server 3.14 | |

 See the full list of GHES release and deprecation dates at [GitHub Enterprise Server releases](https://docs.github.com/en/enterprise-server/admin/all-releases#releases-of-github-enterprise-server).

@@ -95,5 +95,5 @@ outputs:
    description: The ID of the uploaded SARIF file.
 runs:
  using: node24
-  main: "../lib/analyze-entry.js"
-  post: "../lib/analyze-post-entry.js"
+  main: "../lib/analyze-action.js"
+  post: "../lib/analyze-action-post.js"
@@ -16,4 +16,4 @@ inputs:
    required: false
 runs:
  using: node24
-  main: '../lib/autobuild-entry.js'
+  main: '../lib/autobuild-action.js'
@@ -1,5 +1,5 @@
-import { copyFile, readFile, rm, writeFile } from "node:fs/promises";
-import { basename, dirname, join } from "node:path";
+import { copyFile, rm, writeFile } from "node:fs/promises";
+import { dirname, join } from "node:path";
 import { fileURLToPath } from "node:url";

 import * as esbuild from "esbuild";
@@ -62,153 +62,18 @@ const onEndPlugin = {
  },
 };

-/** The name of the virtual `entry-points` module. */
-const SHARED_ENTRYPOINT = "entry-points";
-
-/** The property name under which `upload-lib`'s namespace is exposed in `entry-points`. */
-const UPLOAD_LIB_EXPORT = "uploadLib";
-
-/** The relative source path of the `upload-lib` module that we re-export from `entry-points`. */
-const UPLOAD_LIB_SRC = "./src/upload-lib";
-
-/**
- * This plugin finds all source files that contain Action entry points. It then generates the
- * virtual `entry-points` module which imports all identified files, and re-exports their
- * `runWrapper` functions with suitable aliases.
- *
- * The virtual module additionally re-exports `upload-lib` under the `uploadLib` namespace so that
- * external consumers can access it via the small `lib/upload-lib.js` stub emitted below.
- * 
- * A tiny stub file is emitted for each Action entrypoint, and one for `upload-lib`. Each stub
- * imports the shared bundle and calls/re-exports from the respective entry point.
- *
- * @type {esbuild.Plugin}
- */
-const entryPointsPlugin = {
-  name: "entry-points",
-  setup(build) {
-    const namespace = "actions";
-    const actions = [];
-
-    const toPascal = (s) =>
-      s.replace(/(^|-)([a-z0-9])/gi, (_, __, c) => c.toUpperCase());
-
-    // Find the source files containing Action entry points.
-    build.onStart(() => {
-      const actionFiles = globSync("src/*-action{,-post}.ts");
-      for (const actionFile of actionFiles) {
-        const match = basename(actionFile).match(/(.*)-action(-post)?/);
-
-        if (match.length < 2) {
-          throw new Error(`'${actionFile}' didn't match expected pattern.`);
-        }
-
-        const actionName = match[1];
-        const isPost = match[2] !== undefined;
-
-        actions.push({
-          path: actionFile,
-          name: actionName,
-          isPost,
-          pascalCaseName: `${toPascal(actionName)}${isPost ? "Post" : ""}Action`,
-        });
-      }
-    });
-
-    // Resolve the virtual `entry-points` file and set the corresponding namespace.
-    // Ideally, we'd `RegExp.escape` the entrypoint here, but that API isn't supported in Node 20.
-    // Since we're dealing with a hardcoded string, this isn't too much of a problem.
-    build.onResolve({ filter: new RegExp(`^${SHARED_ENTRYPOINT}$`) }, () => {
-      return { path: SHARED_ENTRYPOINT, namespace };
-    });
-
-    // Generate the virtual `entry-points` file based on the Actions we discovered.
-    // Restrict using the namespace. The path filter does not need to discriminate any further.
-    build.onLoad({ filter: /.*/, namespace }, async () => {
-      const wrapperTemplatePath = "entry-wrapper.js.tpl";
-      const wrapperTemplate = await readFile(
-        join(SRC_DIR, wrapperTemplatePath),
-        "utf-8",
-      );
-
-      const actionsSorted = actions.sort((a, b) =>
-        a.name.localeCompare(b.name),
-      );
-      const imports = actionsSorted
-        .map(
-          (action) =>
-            `import * as ${action.pascalCaseName} from "./src/${basename(action.path)}";`,
-        )
-        .join("\n");
-      const wrappers = actionsSorted
-        .map((action) =>
-          wrapperTemplate.replaceAll("__ACTION__", action.pascalCaseName),
-        )
-        .join("\n\n");
-
-      // Also re-export the `upload-lib` namespace so that external consumers can reach it
-      // via the `lib/upload-lib.js` stub without us having to bundle a second copy.
-      const uploadLibReExport = `export * as ${UPLOAD_LIB_EXPORT} from "${UPLOAD_LIB_SRC}";`;
-
-      return {
-        contents: `"use strict";\n${imports}\n\n${uploadLibReExport}\n\n${wrappers}\n`,
-        resolveDir: ".",
-        loader: "ts",
-      };
-    });
-
-    // Emit entry point stubs for each Action using the entry template.
-    build.onEnd(async () => {
-      const makeHeader = (templatePath, sourceFile) =>
-        `// Automatically generated from '${templatePath}' for 'src/${basename(sourceFile)}'.\n\n`;
-
-      // Read the entry point template.
-      const actionTemplatePath = "action-entry.js.tpl";
-      const actionTemplate = await readFile(
-        join(SRC_DIR, actionTemplatePath),
-        "utf-8",
-      );
-
-      // Write entry point stubs for each Action.
-      for (const action of actions) {
-        await writeFile(
-          join(
-            OUT_DIR,
-            `${action.name}${action.isPost ? "-post" : ""}-entry.js`,
-          ),
-          makeHeader(actionTemplatePath, action.path) +
-            actionTemplate.replaceAll("__ACTION__", action.pascalCaseName),
-        );
-      }
-
-      // Write a small stub for `upload-lib` that re-exports it from the shared bundle.
-      // External callers (e.g. internal testing environments) `require("./lib/upload-lib")`
-      // and expect the same shape as before, so we expose the namespace as `module.exports`.
-      const uploadLibStubTemplatePath = "upload-lib-stub.js.tpl";
-      const uploadLibStubTemplate = await readFile(
-        join(SRC_DIR, uploadLibStubTemplatePath),
-        "utf-8",
-      );
-      await writeFile(
-        join(OUT_DIR, "upload-lib.js"),
-        makeHeader(uploadLibStubTemplatePath, `${UPLOAD_LIB_SRC}.ts`) +
-          uploadLibStubTemplate.replaceAll(
-            "__UPLOAD_LIB_EXPORT__",
-            UPLOAD_LIB_EXPORT,
-          ),
-      );
-    });
-  },
-};
-
 const context = await esbuild.context({
-  entryPoints: [{ in: SHARED_ENTRYPOINT, out: SHARED_ENTRYPOINT }],
+  // Include upload-lib.ts as an entry point for use in testing environments.
+  entryPoints: globSync([
+    `${SRC_DIR}/*-action.ts`,
+    `${SRC_DIR}/*-action-post.ts`,
+    "src/upload-lib.ts",
+  ]),
  bundle: true,
  format: "cjs",
  outdir: OUT_DIR,
  platform: "node",
-  external: ["./entry-points"],
-  plugins: [cleanPlugin, copyDefaultsPlugin, entryPointsPlugin, onEndPlugin],
+  plugins: [cleanPlugin, copyDefaultsPlugin, onEndPlugin],
  target: ["node20"],
  define: {
    __CODEQL_ACTION_VERSION__: JSON.stringify(pkg.version),
@@ -171,5 +171,5 @@ outputs:
    description: The version of the CodeQL binary used for analysis
 runs:
  using: node24
-  main: '../lib/init-entry.js'
-  post: '../lib/init-post-entry.js'
+  main: '../lib/init-action.js'
+  post: '../lib/init-action-post.js'
@@ -1,6 +0,0 @@
-// Automatically generated from 'action-entry.js.tpl' for 'src/analyze-action.ts'.
-
-"use strict";
-
-const import_entry_points = require("./entry-points");
-void (0, import_entry_points.runAnalyzeAction)();
@@ -1,6 +0,0 @@
-// Automatically generated from 'action-entry.js.tpl' for 'src/analyze-action-post.ts'.
-
-"use strict";
-
-const import_entry_points = require("./entry-points");
-void (0, import_entry_points.runAnalyzePostAction)();
@@ -1,6 +0,0 @@
-// Automatically generated from 'action-entry.js.tpl' for 'src/autobuild-action.ts'.
-
-"use strict";
-
-const import_entry_points = require("./entry-points");
-void (0, import_entry_points.runAutobuildAction)();
@@ -1,6 +1,6 @@
 {
-  "bundleVersion": "codeql-bundle-v2.25.5",
-  "cliVersion": "2.25.5",
-  "priorBundleVersion": "codeql-bundle-v2.25.4",
-  "priorCliVersion": "2.25.4"
+  "bundleVersion": "codeql-bundle-v2.25.4",
+  "cliVersion": "2.25.4",
+  "priorBundleVersion": "codeql-bundle-v2.25.3",
+  "priorCliVersion": "2.25.3"
 }
@@ -1,6 +0,0 @@
-// Automatically generated from 'action-entry.js.tpl' for 'src/init-action.ts'.
-
-"use strict";
-
-const import_entry_points = require("./entry-points");
-void (0, import_entry_points.runInitAction)();
@@ -1,6 +0,0 @@
-// Automatically generated from 'action-entry.js.tpl' for 'src/init-action-post.ts'.
-
-"use strict";
-
-const import_entry_points = require("./entry-points");
-void (0, import_entry_points.runInitPostAction)();
@@ -1,6 +0,0 @@
-// Automatically generated from 'action-entry.js.tpl' for 'src/resolve-environment-action.ts'.
-
-"use strict";
-
-const import_entry_points = require("./entry-points");
-void (0, import_entry_points.runResolveEnvironmentAction)();
@@ -1,6 +0,0 @@
-// Automatically generated from 'action-entry.js.tpl' for 'src/setup-codeql-action.ts'.
-
-"use strict";
-
-const import_entry_points = require("./entry-points");
-void (0, import_entry_points.runSetupCodeqlAction)();
@@ -1,6 +0,0 @@
-// Automatically generated from 'action-entry.js.tpl' for 'src/start-proxy-action.ts'.
-
-"use strict";
-
-const import_entry_points = require("./entry-points");
-void (0, import_entry_points.runStartProxyAction)();
@@ -1,6 +0,0 @@
-// Automatically generated from 'action-entry.js.tpl' for 'src/start-proxy-action-post.ts'.
-
-"use strict";
-
-const import_entry_points = require("./entry-points");
-void (0, import_entry_points.runStartProxyPostAction)();
@@ -1,6 +0,0 @@
-// Automatically generated from 'action-entry.js.tpl' for 'src/upload-sarif-action.ts'.
-
-"use strict";
-
-const import_entry_points = require("./entry-points");
-void (0, import_entry_points.runUploadSarifAction)();
@@ -1,6 +0,0 @@
-// Automatically generated from 'action-entry.js.tpl' for 'src/upload-sarif-action-post.ts'.
-
-"use strict";
-
-const import_entry_points = require("./entry-points");
-void (0, import_entry_points.runUploadSarifPostAction)();
@@ -1,6 +1,6 @@
 {
  "name": "codeql",
-  "version": "4.36.1",
+  "version": "4.35.6",
  "private": true,
  "description": "CodeQL action",
  "scripts": {
@@ -12,8 +12,7 @@
    "ava": "npm run transpile && ava --verbose",
    "test": "npm run ava -- src/",
    "test-debug": "npm run test -- --timeout=20m",
-    "transpile": "tsc --build --verbose tsconfig.json",
-    "update-pr-checks": "./pr-checks/sync.sh"
+    "transpile": "tsc --build --verbose tsconfig.json"
  },
  "license": "MIT",
  "workspaces": [
@@ -40,23 +39,23 @@
    "jsonschema": "1.5.0",
    "long": "^5.3.2",
    "node-forge": "^1.4.0",
-    "semver": "^7.8.0",
+    "semver": "^7.7.4",
    "uuid": "^14.0.0"
  },
  "devDependencies": {
-    "@ava/typescript": "6.0.0",
-    "@eslint/compat": "^2.1.0",
+    "@ava/typescript": "7.0.0",
+    "@eslint/compat": "^2.0.5",
    "@microsoft/eslint-formatter-sarif": "^3.1.0",
    "@octokit/types": "^16.0.0",
    "@types/archiver": "^7.0.0",
    "@types/follow-redirects": "^1.14.4",
    "@types/js-yaml": "^4.0.9",
-    "@types/node": "^20.19.41",
+    "@types/node": "^20.19.39",
    "@types/node-forge": "^1.3.14",
    "@types/sarif": "^2.1.7",
    "@types/semver": "^7.7.1",
    "@types/sinon": "^21.0.1",
-    "ava": "^6.4.1",
+    "ava": "^7.0.0",
    "esbuild": "^0.28.0",
    "eslint": "^9.39.4",
    "eslint-import-resolver-typescript": "^4.4.4",
@@ -66,10 +65,10 @@
    "eslint-plugin-no-async-foreach": "^0.1.1",
    "glob": "^11.1.0",
    "globals": "^17.6.0",
-    "nock": "^14.0.15",
-    "sinon": "^22.0.0",
+    "nock": "^14.0.12",
+    "sinon": "^21.1.2",
    "typescript": "^6.0.3",
-    "typescript-eslint": "^8.59.3"
+    "typescript-eslint": "^8.59.2"
  },
  "overrides": {
    "@actions/tool-cache": {
@@ -1,259 +0,0 @@
-#!/usr/bin/env npx tsx
-
-/*
-Tests for check-repo-size.ts.
-*/
-
-import * as assert from "node:assert/strict";
-import { execFileSync } from "node:child_process";
-import { randomBytes } from "node:crypto";
-import * as fs from "node:fs";
-import * as os from "node:os";
-import * as path from "node:path";
-import { afterEach, beforeEach, describe, it } from "node:test";
-
-import {
-  COMMENT_MARKER,
-  DEFAULT_BASE_REF,
-  buildCommentBody,
-  formatBytes,
-  formatPercent,
-  isDeltaSignificant,
-  measureArchiveSize,
-  readArgs,
-} from "./check-repo-size";
-
-describe("formatBytes", async () => {
-  const cases: Array<[number, boolean, string]> = [
-    // Unsigned values, including sub-KiB amounts which round to 0.00.
-    [0, false, "0.00 KiB"],
-    [512, false, "0.50 KiB"],
-    [1024, false, "1.00 KiB"],
-    [1024 * 1024, false, "1024.00 KiB"],
-    [2 * 1024 * 1024, false, "2048.00 KiB"],
-    // Negative values always use a leading minus.
-    [-2 * 1024 * 1024, false, "-2048.00 KiB"],
-    // signed=true prepends a + to non-negative values.
-    [0, true, "+0.00 KiB"],
-    [2 * 1024 * 1024, true, "+2048.00 KiB"],
-    [-2 * 1024 * 1024, true, "-2048.00 KiB"],
-  ];
-  for (const [bytes, signed, expected] of cases) {
-    await it(`formats ${bytes} (signed=${signed}) as ${expected}`, () => {
-      assert.equal(formatBytes(bytes, signed), expected);
-    });
-  }
-});
-
-describe("formatPercent", async () => {
-  await it("formats positive fractions with a leading +", () => {
-    assert.equal(formatPercent(0.1), "+10.00%");
-    assert.equal(formatPercent(0.0123), "+1.23%");
-  });
-
-  await it("formats negative fractions with a leading -", () => {
-    assert.equal(formatPercent(-0.1), "-10.00%");
-  });
-
-  await it("formats zero without a sign", () => {
-    assert.equal(formatPercent(0), "0.00%");
-  });
-});
-
-describe("isDeltaSignificant", async () => {
-  const cases: Array<[number, number, number, boolean]> = [
-    // At and above threshold (both signs).
-    [100, 1000, 0.1, true],
-    [101, 1000, 0.1, true],
-    [-100, 1000, 0.1, true],
-    // Below threshold (both signs, plus exact zero).
-    [99, 1000, 0.1, false],
-    [-99, 1000, 0.1, false],
-    [0, 1000, 0.1, false],
-  ];
-  for (const [delta, base, fraction, expected] of cases) {
-    await it(`returns ${expected} for delta=${delta}, base=${base}, fraction=${fraction}`, () => {
-      assert.equal(isDeltaSignificant(delta, base, fraction), expected);
-    });
-  }
-});
-
-describe("buildCommentBody", async () => {
-  await it("includes the marker, the base/PR/delta rows, and the run URL", () => {
-    const body = buildCommentBody({
-      baseRef: "main",
-      baseSize: 2_000_000,
-      prSize: 2_300_000,
-      runUrl: "https://example.test/run",
-    });
-
-    assert.match(body, new RegExp(`^${escapeRegExp(COMMENT_MARKER)}`));
-    assert.match(body, /Base \(`main`\) \| 1953\.13 KiB \(2000000 bytes\)/);
-    assert.match(body, /This PR \| 2246\.09 KiB \(2300000 bytes\)/);
-    assert.match(
-      body,
-      /\*\*Delta\*\* \| \*\*\+292\.97 KiB \(\+300000 bytes, \+15\.00%\)\*\*/,
-    );
-    assert.match(body, /\[workflow run\]\(https:\/\/example\.test\/run\)/);
-  });
-
-  await it("formats negative deltas with a leading minus and omits the run URL when missing", () => {
-    const body = buildCommentBody({
-      baseRef: "main",
-      baseSize: 2_000_000,
-      prSize: 1_800_000,
-    });
-    assert.match(
-      body,
-      /\*\*Delta\*\* \| \*\*-195\.31 KiB \(-200000 bytes, -10\.00%\)\*\*/,
-    );
-    assert.doesNotMatch(body, /workflow run/);
-  });
-});
-
-describe("readArgs", async () => {
-  await it("defaults the base ref and head commit for local runs", () => {
-    const originalEnv = process.env;
-    const originalArgv = process.argv;
-
-    try {
-      process.env = {};
-      process.argv = ["node", "check-repo-size.ts", "--output-dir", "/tmp/out"];
-
-      const args = readArgs();
-
-      assert.equal(args.baseRef, DEFAULT_BASE_REF);
-      assert.equal(args.baseCommitish, `origin/${DEFAULT_BASE_REF}`);
-      assert.equal(args.headCommitish, "HEAD");
-      assert.equal(args.outputDir, "/tmp/out");
-      assert.equal(args.runUrl, undefined);
-    } finally {
-      process.env = originalEnv;
-      process.argv = originalArgv;
-    }
-  });
-
-  await it("uses the base and head SHAs when provided by the workflow", () => {
-    const originalEnv = process.env;
-    const originalArgv = process.argv;
-
-    try {
-      process.env = {
-        BASE_REF: "main",
-        BASE_SHA: "abc123",
-        HEAD_SHA: "def456",
-        RUN_URL: "https://example.test/run",
-      };
-      process.argv = ["node", "check-repo-size.ts", "--output-dir", "/tmp/out"];
-
-      const args = readArgs();
-
-      assert.equal(args.baseRef, "main");
-      assert.equal(args.baseCommitish, "abc123");
-      assert.equal(args.headCommitish, "def456");
-      assert.equal(args.outputDir, "/tmp/out");
-      assert.equal(args.runUrl, "https://example.test/run");
-    } finally {
-      process.env = originalEnv;
-      process.argv = originalArgv;
-    }
-  });
-
-  await it("throws when --output-dir is missing", () => {
-    const originalEnv = process.env;
-    const originalArgv = process.argv;
-
-    try {
-      process.env = {};
-      process.argv = ["node", "check-repo-size.ts"];
-      assert.throws(() => readArgs(), /--output-dir is required/);
-    } finally {
-      process.env = originalEnv;
-      process.argv = originalArgv;
-    }
-  });
-});
-
-let repoDir: string;
-
-beforeEach(() => {
-  repoDir = fs.mkdtempSync(path.join(os.tmpdir(), "check-repo-size-test-"));
-  execFileSync("git", ["init", "--initial-branch=main", "-q"], {
-    cwd: repoDir,
-  });
-  execFileSync("git", ["config", "user.email", "test@example.test"], {
-    cwd: repoDir,
-  });
-  execFileSync("git", ["config", "user.name", "Test"], { cwd: repoDir });
-  execFileSync("git", ["config", "commit.gpgsign", "false"], { cwd: repoDir });
-});
-
-afterEach(() => {
-  fs.rmSync(repoDir, { recursive: true, force: true });
-});
-
-function commit(name: string, content: string, message: string) {
-  fs.writeFileSync(path.join(repoDir, name), content);
-  execFileSync("git", ["add", name], { cwd: repoDir });
-  execFileSync("git", ["commit", "-q", "-m", message], { cwd: repoDir });
-}
-
-describe("measureArchiveSize", async () => {
-  await it("returns a positive byte count for a non-empty repo", async () => {
-    commit("a.txt", "hello world\n", "first");
-    const size = await measureArchiveSize("HEAD", repoDir);
-    assert.ok(size > 0, `expected size > 0, got ${size}`);
-  });
-
-  await it("returns the same size on repeated runs (deterministic)", async () => {
-    commit("a.txt", "hello world\n", "first");
-    const a = await measureArchiveSize("HEAD", repoDir);
-    const b = await measureArchiveSize("HEAD", repoDir);
-    assert.equal(a, b);
-  });
-
-  await it("returns a larger size when more content is added", async () => {
-    commit("a.txt", "hello world\n", "first");
-    const small = await measureArchiveSize("HEAD", repoDir);
-
-    // Use random bytes so the new content is incompressible and the archive
-    // is guaranteed to grow even after gzip.
-    commit("b.bin", randomBytes(8192).toString("base64"), "second");
-    const big = await measureArchiveSize("HEAD", repoDir);
-    assert.ok(
-      big > small,
-      `expected ${big} > ${small} after adding more content`,
-    );
-  });
-
-  await it("ignores untracked files (e.g. node_modules)", async () => {
-    commit("a.txt", "hello\n", "first");
-    commit(".gitignore", "node_modules/\n", "ignore node_modules");
-    const sizeBefore = await measureArchiveSize("HEAD", repoDir);
-
-    fs.mkdirSync(path.join(repoDir, "node_modules"));
-    fs.writeFileSync(
-      path.join(repoDir, "node_modules", "huge.bin"),
-      "x".repeat(1_000_000),
-    );
-
-    const sizeAfter = await measureArchiveSize("HEAD", repoDir);
-    assert.equal(
-      sizeAfter,
-      sizeBefore,
-      "untracked node_modules should not affect the archive size",
-    );
-  });
-
-  await it("rejects when the ref does not exist", async () => {
-    commit("a.txt", "hello\n", "first");
-    await assert.rejects(
-      () => measureArchiveSize("does-not-exist", repoDir),
-      /git archive does-not-exist exited with code/,
-    );
-  });
-});
-
-function escapeRegExp(s: string): string {
-  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
-}
@@ -1,223 +0,0 @@
-#!/usr/bin/env npx tsx
-
-/*
-Measures the difference in the `.tar.gz`'d checkout size of the repo between the PR head and the PR
-base. This size is relevant because it corresponds to the duration of the "Download action
-repository" step that happens at the start of every job that uses this Action.
-
-Writes the candidate sticky-comment body and a small metadata file to `--output-dir`. A separate
-workflow job consumes those artifacts and decides whether to create or update a PR comment.
-*/
-
-import { spawn } from "node:child_process";
-import * as fs from "node:fs";
-import * as path from "node:path";
-import { parseArgs } from "node:util";
-
-import { REPO_ROOT } from "./config";
-
-/** Hidden marker used to find the existing sticky comment on a PR. */
-export const COMMENT_MARKER = "<!-- repo-size-diff-bot -->";
-
-export const DEFAULT_BASE_REF = "main";
-
-/**
- * Fraction of the base archive size at which a delta is considered significant enough to warrant
- * a new sticky comment. We always update an existing comment regardless, so the comment stays in
- * sync as the diff evolves.
- */
-export const SIGNIFICANT_DELTA_FRACTION = 0.1;
-
-/**
- * Stream `git archive --format=tar.gz <ref>` and count the compressed bytes.
- *
- * `git archive` only includes tracked files, so untracked directories like `node_modules` and
- * `build` aren't counted in the size downloaded when starting up a CodeQL job.
- */
-export async function measureArchiveSize(
-  ref: string,
-  cwd: string,
-): Promise<number> {
-  const git = spawn("git", ["archive", "--format=tar.gz", ref], { cwd });
-
-  let stderr = "";
-  git.stderr.on("data", (chunk: Buffer) => {
-    stderr += chunk.toString();
-  });
-
-  let size = 0;
-  git.stdout.on("data", (chunk: Buffer) => {
-    size += chunk.length;
-  });
-
-  const exitCode = await new Promise<number>((resolve, reject) => {
-    git.on("error", reject);
-    git.on("close", resolve);
-  });
-
-  if (exitCode !== 0) {
-    throw new Error(
-      `git archive ${ref} exited with code ${exitCode}: ${stderr.trim()}`,
-    );
-  }
-  return size;
-}
-
-/**
- * Format a byte count as KiB. If `signed` is true, a leading `+` is prepended for non-negative
- * values so gains and losses are visually distinct.
- */
-export function formatBytes(bytes: number, signed = false): string {
-  const sign = bytes < 0 ? "-" : signed ? "+" : "";
-  const kib = Math.abs(bytes) / 1024;
-  return `${sign}${kib.toFixed(2)} KiB`;
-}
-
-/** Format a fraction as a signed percentage with 2 decimal places. */
-export function formatPercent(fraction: number): string {
-  const pct = fraction * 100;
-  const sign = pct > 0 ? "+" : "";
-  return `${sign}${pct.toFixed(2)}%`;
-}
-
-export interface CommentBodyOptions {
-  baseRef: string;
-  baseSize: number;
-  prSize: number;
-  /** Optional URL of the workflow run, included in the comment footer. */
-  runUrl?: string;
-}
-
-export function buildCommentBody(opts: CommentBodyOptions): string {
-  const { baseRef, baseSize, prSize, runUrl } = opts;
-  const delta = prSize - baseSize;
-  const signedDelta = delta >= 0 ? `+${delta}` : `${delta}`;
-  const runUrlLine = runUrl
-    ? ` See the [workflow run](${runUrl}) for details.`
-    : "";
-
-  return [
-    COMMENT_MARKER,
-    "### Repository checkout size",
-    "",
-    "| | Compressed archive size |",
-    "|---|---|",
-    `| Base (\`${baseRef}\`) | ${formatBytes(baseSize)} (${baseSize} bytes) |`,
-    `| This PR | ${formatBytes(prSize)} (${prSize} bytes) |`,
-    `| **Delta** | **${formatBytes(delta, true)} (${signedDelta} bytes, ${formatPercent(delta / baseSize)})** |`,
-    "",
-    "Sizes are measured by streaming `git archive --format=tar.gz <ref>`, " +
-      "which includes tracked files and excludes untracked files such as " +
-      "`node_modules`. The compressed checkout is " +
-      "downloaded by every consumer of this Action, so changes here directly " +
-      `affect Action download time.${runUrlLine}`,
-  ].join("\n");
-}
-
-/**
- * Returns true when the absolute delta is at least `fraction` of the base size. Both increases and
- * decreases are considered significant, so we report wins as well as losses.
- */
-export function isDeltaSignificant(
-  delta: number,
-  baseSize: number,
-  fraction: number,
-): boolean {
-  return Math.abs(delta) >= baseSize * fraction;
-}
-
-interface MainArgs {
-  /** Base ref of the PR. Defaults to `main`. Used as the label in the PR comment. */
-  baseRef: string;
-  /** Base commit-ish to archive. Defaults to `origin/<baseRef>` for local runs. */
-  baseCommitish: string;
-  /** Head commit-ish to archive. Defaults to `HEAD` for local runs. */
-  headCommitish: string;
-  /** Optional URL of the workflow run, surfaced in the comment footer. */
-  runUrl?: string;
-  /** Directory where `body.md` and `metadata.json` are written. */
-  outputDir: string;
-}
-
-export function readArgs(): MainArgs {
-  const { values } = parseArgs({
-    options: {
-      "output-dir": { type: "string" },
-    },
-    strict: true,
-  });
-
-  const outputDir = values["output-dir"];
-  if (!outputDir) {
-    throw new Error("--output-dir is required");
-  }
-
-  const baseRef = process.env.BASE_REF ?? DEFAULT_BASE_REF;
-  const baseCommitish = process.env.BASE_SHA ?? `origin/${baseRef}`;
-  const headCommitish = process.env.HEAD_SHA ?? "HEAD";
-
-  return {
-    baseRef,
-    baseCommitish,
-    headCommitish,
-    runUrl: process.env.RUN_URL,
-    outputDir,
-  };
-}
-
-async function main(): Promise<number> {
-  const args = readArgs();
-
-  console.log(`Measuring base archive size for ${args.baseCommitish}...`);
-  const baseSize = await measureArchiveSize(args.baseCommitish, REPO_ROOT);
-  console.log(`  ${baseSize} bytes`);
-
-  console.log(`Measuring PR archive size for ${args.headCommitish}...`);
-  const prSize = await measureArchiveSize(args.headCommitish, REPO_ROOT);
-  console.log(`  ${prSize} bytes`);
-
-  const delta = prSize - baseSize;
-  const significant = isDeltaSignificant(
-    delta,
-    baseSize,
-    SIGNIFICANT_DELTA_FRACTION,
-  );
-  console.log(
-    `Delta: ${delta} bytes (significant=${significant}, threshold=${(
-      SIGNIFICANT_DELTA_FRACTION * 100
-    ).toFixed(2)}%)`,
-  );
-
-  const body = buildCommentBody({
-    baseRef: args.baseRef,
-    baseSize,
-    prSize,
-    runUrl: args.runUrl,
-  });
-
-  fs.mkdirSync(args.outputDir, { recursive: true });
-  fs.writeFileSync(path.join(args.outputDir, "body.md"), body);
-  fs.writeFileSync(
-    path.join(args.outputDir, "metadata.json"),
-    `${JSON.stringify(
-      { significant, baseRef: args.baseRef, baseSize, prSize, delta },
-      null,
-      2,
-    )}\n`,
-  );
-  console.log(`Wrote body.md and metadata.json to ${args.outputDir}.`);
-  return 0;
-}
-
-async function run(): Promise<void> {
-  try {
-    process.exit(await main());
-  } catch (err) {
-    console.error(err instanceof Error ? err.message : String(err));
-    process.exit(1);
-  }
-}
-
-if (require.main === module) {
-  void run();
-}
@@ -2,8 +2,7 @@ name: "Multi-language repository"
 description: "An end-to-end integration test of a multi-language repository using automatic language detection"
 operatingSystems:
  - ubuntu
-  - os: macos
-    runner-image: macos-latest-xlarge
+  - macos
 env:
  CODEQL_ACTION_RESOLVE_SUPPORTED_LANGUAGES_USING_CLI: true
 installGo: true
@@ -2,7 +2,7 @@ name: "Rust analysis"
 description: "Tests creation of a Rust database"
 versions:
  # experimental rust support introduced, requires action to set `CODEQL_ENABLE_EXPERIMENTAL_FEATURES`
-  - stable-v2.19.4
+  - stable-v2.19.3
  # first public preview version
  - stable-v2.22.1
  - linked
@@ -3,8 +3,7 @@ description: "Tests creation of a Swift database using autobuild"
 versions:
  - nightly-latest
 operatingSystems:
-  - os: macos
-    runner-image: macos-latest-xlarge
+  - macos
 steps:
  - uses: ./../action/init
    id: init
@@ -6,17 +6,14 @@ export const OLDEST_SUPPORTED_MAJOR_VERSION = 3;
 /** The `pr-checks` directory. */
 export const PR_CHECKS_DIR = __dirname;

-/** The repository root. */
-export const REPO_ROOT = path.join(PR_CHECKS_DIR, "..");
-
 /** The path of the file configuring which checks shouldn't be required. */
 export const PR_CHECK_EXCLUDED_FILE = path.join(PR_CHECKS_DIR, "excluded.yml");

 /** The path to the esbuild metadata file. */
-export const BUNDLE_METADATA_FILE = path.join(REPO_ROOT, "meta.json");
+export const BUNDLE_METADATA_FILE = path.join(PR_CHECKS_DIR, "..", "meta.json");

 /** The `src` directory. */
-const SOURCE_ROOT = path.join(REPO_ROOT, "src");
+const SOURCE_ROOT = path.join(PR_CHECKS_DIR, "..", "src");

 /** The path to the built-in languages file. */
 export const BUILTIN_LANGUAGES_FILE = path.join(
@@ -1,17 +1,16 @@
 # PR checks to exclude from required checks
 contains:
-  - "ESLint"
  - "https://"
-  - "test-setup-python-scripts"
-  - "update"
  - "Update"
+  - "ESLint"
+  - "update"
+  - "test-setup-python-scripts"
 is:
-  - "Agent"
-  - "check-expected-release-files"
-  - "Cleanup artifacts"
  - "CodeQL"
  - "Dependabot"
-  - "Label PR with size"
-  - "Post repo size comment"
+  - "check-expected-release-files"
+  - "Agent"
+  - "Cleanup artifacts"
  - "Prepare"
  - "Upload results"
+  - "Label PR with size"
@@ -7,10 +7,10 @@
    "@octokit/core": "^7.0.6",
    "@octokit/plugin-paginate-rest": ">=9.2.2",
    "@octokit/plugin-rest-endpoint-methods": "^17.0.0",
-    "yaml": "^2.9.0"
+    "yaml": "^2.8.4"
  },
  "devDependencies": {
-    "@types/node": "^20.19.41",
+    "@types/node": "^20.19.39",
    "tsx": "^4.21.0"
  }
 }
@@ -7,13 +7,7 @@ Tests for the sync-checks.ts script
 import * as assert from "node:assert/strict";
 import { describe, it } from "node:test";

-import {
-  CheckInfo,
-  Exclusions,
-  Options,
-  removeExcluded,
-  resolveToken,
-} from "./sync-checks";
+import { CheckInfo, Exclusions, Options, removeExcluded } from "./sync-checks";

 const defaultOptions: Options = {
  apply: false,
@@ -64,46 +58,3 @@ describe("removeExcluded", async () => {
    assert.deepEqual(retained, expectedExactMatches);
  });
 });
-
-describe("resolveToken", async () => {
-  await it("reads the token from standard input", async () => {
-    const token = await resolveToken(
-      { tokenStdin: true },
-      { env: {}, readStdin: async () => " stdin-token\n" },
-    );
-    assert.equal(token, "stdin-token");
-  });
-
-  await it("reads the token from the GH_TOKEN environment variable", async () => {
-    const token = await resolveToken(
-      {},
-      { env: { GH_TOKEN: "env-token" }, readStdin: async () => "" },
-    );
-    assert.equal(token, "env-token");
-  });
-
-  await it("reads the token from the GITHUB_TOKEN environment variable", async () => {
-    const token = await resolveToken(
-      {},
-      { env: { GITHUB_TOKEN: "env-token" }, readStdin: async () => "" },
-    );
-    assert.equal(token, "env-token");
-  });
-
-  await it("rejects an empty standard input token", async () => {
-    await assert.rejects(
-      resolveToken(
-        { tokenStdin: true },
-        { env: {}, readStdin: async () => "\n" },
-      ),
-      /No token received on standard input/,
-    );
-  });
-
-  await it("rejects missing token sources", async () => {
-    await assert.rejects(
-      resolveToken({}, { env: {}, readStdin: async () => "" }),
-      /Missing authentication token/,
-    );
-  });
-});
@@ -15,8 +15,8 @@ import {

 /** Represents the command-line options. */
 export interface Options {
-  /** Whether to read the GitHub API token from standard input. */
-  tokenStdin?: boolean;
+  /** The token to use to authenticate to the GitHub API. */
+  token?: string;
  /** The git ref to use the checks for. */
  ref?: string;
  /** Whether to actually apply the changes or not. */
@@ -31,65 +31,6 @@ const codeqlActionRepo = {
  repo: "codeql-action",
 };

-/** Environment variables to check for a GitHub API token. */
-const TOKEN_ENVIRONMENT_VARIABLES = ["GH_TOKEN", "GITHUB_TOKEN"];
-
-/** Represents the sources from which we can retrieve the GitHub API token. */
-interface TokenSource {
-  /** Environment variables to inspect. */
-  env: NodeJS.ProcessEnv;
-  /** Reads a token from standard input. */
-  readStdin: () => Promise<string>;
-}
-
-/** Reads the GitHub API token from standard input. */
-async function readTokenFromStdin(): Promise<string> {
-  let token = "";
-  process.stdin.setEncoding("utf8");
-  for await (const chunk of process.stdin) {
-    token += chunk;
-  }
-  return token.trim();
-}
-
-/** Gets a GitHub API token from one of the supported environment variables. */
-function getTokenFromEnvironment(env: NodeJS.ProcessEnv): string | undefined {
-  for (const variableName of TOKEN_ENVIRONMENT_VARIABLES) {
-    const token = env[variableName]?.trim();
-    if (token) {
-      return token;
-    }
-  }
-  return undefined;
-}
-
-/** Gets the token to use to authenticate to the GitHub API. */
-export async function resolveToken(
-  options: Pick<Options, "tokenStdin">,
-  tokenSource: TokenSource = {
-    env: process.env,
-    readStdin: readTokenFromStdin,
-  },
-): Promise<string> {
-  if (options.tokenStdin) {
-    const token = (await tokenSource.readStdin()).trim();
-    if (token.length === 0) {
-      throw new Error("No token received on standard input.");
-    }
-    return token;
-  }
-
-  const environmentToken = getTokenFromEnvironment(tokenSource.env);
-  if (environmentToken !== undefined) {
-    return environmentToken;
-  }
-
-  throw new Error(
-    "Missing authentication token. Set GH_TOKEN/GITHUB_TOKEN or pipe a token " +
-      "to --token-stdin.",
-  );
-}
-
 /** Represents a configuration of which checks should not be set up as required checks. */
 export interface Exclusions {
  /** A list of strings that, if contained in a check name, are excluded. */
@@ -264,10 +205,9 @@ async function updateBranch(
 async function main(): Promise<void> {
  const { values: options } = parseArgs({
    options: {
-      // Read the token to use to authenticate to the API from standard input.
-      "token-stdin": {
-        type: "boolean",
-        default: false,
+      // The token to use to authenticate to the API.
+      token: {
+        type: "string",
      },
      // The git ref for which to retrieve the check runs.
      ref: {
@@ -288,16 +228,16 @@ async function main(): Promise<void> {
    strict: true,
  });

-  const token = await resolveToken({
-    tokenStdin: options["token-stdin"],
-  });
+  if (options.token === undefined) {
+    throw new Error("Missing --token");
+  }

  console.info(
    `Oldest supported major version is: ${OLDEST_SUPPORTED_MAJOR_VERSION}`,
  );

  // Initialise the API client.
-  const client = getApiClient(token);
+  const client = getApiClient(options.token);

  // Find the check runs for the specified `ref` that we will later set as the required checks
  // for the main and release branches.
@@ -28,24 +28,6 @@ interface WorkflowInput {
 /** A partial mapping from known input names to input definitions. */
 type WorkflowInputs = Partial<Record<KnownInputName, WorkflowInput>>;

-/** An operating system identifier. */
-type OperatingSystemIdentifier = "ubuntu" | "macos" | "windows";
-
-/**
- * Represents an operating system matrix entry for a generated PR check workflow.
- *
- * Either a string containing the OS identifier or an object containing the OS identifier and an
- * optional runner image label.
- */
-type OperatingSystem =
-  | OperatingSystemIdentifier
-  | {
-      /** OS identifier. */
-      os: OperatingSystemIdentifier;
-      /** Optional runner image label. */
-      "runner-image"?: string;
-    };
-
 /**
 * Represents PR check specifications.
 */
@@ -54,8 +36,8 @@ interface Specification extends JobSpecification {
  inputs?: Record<string, WorkflowInput>;
  /** CodeQL bundle versions to test against. Defaults to `DEFAULT_TEST_VERSIONS`. */
  versions?: string[];
-  /** Operating system prefixes, either as strings or with explicit runner image labels. */
-  operatingSystems?: OperatingSystem[];
+  /** Operating system prefixes used to select runner images (e.g. `["ubuntu", "macos"]`). */
+  operatingSystems?: string[];
  /** Per-OS version overrides. If specified for an OS, only those versions are tested on that OS. */
  osCodeQlVersions?: Record<string, string[]>;
  /** Whether to use the all-platform CodeQL bundle. */
@@ -115,6 +97,10 @@ type LanguageSetups = Partial<Record<BuiltInLanguage, LanguageSetup>>;
 // The default set of CodeQL Bundle versions to use for the PR checks.
 const defaultTestVersions = [
  // The oldest supported CodeQL version. If bumping, update `CODEQL_MINIMUM_VERSION` in `codeql.ts`
+  "stable-v2.17.6",
+  // The last CodeQL release in the 2.18 series.
+  "stable-v2.18.4",
+  // The last CodeQL release in the 2.19 series.
  "stable-v2.19.4",
  // The last CodeQL release in the 2.20 series.
  "stable-v2.20.7",
@@ -122,10 +108,6 @@ const defaultTestVersions = [
  "stable-v2.21.4",
  // The last CodeQL release in the 2.22 series.
  "stable-v2.22.4",
-  // The last CodeQL release in the 2.23 series.
-  "stable-v2.23.9",
-  // The last CodeQL release in the 2.24 series.
-  "stable-v2.24.3",
  // The default version of CodeQL for Dotcom, as determined by feature flags.
  "default",
  // The version of CodeQL shipped with the Action in `defaults.json`. During the release process
@@ -329,19 +311,10 @@ function generateJobMatrix(
      );
    }

-    const defaultRunnerImages = [
-      "ubuntu-latest",
-      "macos-latest",
-      "windows-latest",
-    ];
+    const runnerImages = ["ubuntu-latest", "macos-latest", "windows-latest"];
    const operatingSystems = checkSpecification.operatingSystems ?? ["ubuntu"];

-    for (const operatingSystemConfig of operatingSystems) {
-      const operatingSystem =
-        typeof operatingSystemConfig === "string"
-          ? operatingSystemConfig
-          : operatingSystemConfig.os;
-
+    for (const operatingSystem of operatingSystems) {
      // If osCodeQlVersions is set for this OS, only include the specified CodeQL versions.
      const allowedVersions =
        checkSpecification.osCodeQlVersions?.[operatingSystem];
@@ -349,13 +322,9 @@ function generateJobMatrix(
        continue;
      }

-      const runnerImagesForOs =
-        typeof operatingSystemConfig === "string" ||
-        operatingSystemConfig["runner-image"] === undefined
-          ? defaultRunnerImages.filter((image) =>
-              image.startsWith(operatingSystem),
-            )
-          : [operatingSystemConfig["runner-image"]];
+      const runnerImagesForOs = runnerImages.filter((image) =>
+        image.startsWith(operatingSystem),
+      );

      for (const runnerImage of runnerImagesForOs) {
        matrix.push({
@@ -43,7 +43,6 @@ predicate envVarRead(DataFlow::Node node, string envVar) {
 from DataFlow::Node read, string envVar
 where
  envVarRead(read, envVar) and
-  read.getFile().getRelativePath().matches("src/%") and
  not read.getFile().getBaseName().matches("%.test.ts") and
  not isSafeForDefaultSetup(envVar)
 select read,
@@ -22,4 +22,4 @@ outputs:
    description: The inferred build environment configuration.
 runs:
  using: node24
-  main: '../lib/resolve-environment-entry.js'
+  main: '../lib/resolve-environment-action.js'
@@ -55,4 +55,4 @@ outputs:
    description: The version of the CodeQL binary that was installed.
 runs:
  using: node24
-  main: '../lib/setup-codeql-entry.js'
+  main: '../lib/setup-codeql-action.js'
@@ -1,4 +0,0 @@
-"use strict";
-
-const import_entry_points = require("./entry-points");
-void (0, import_entry_points.run__ACTION__)();
@@ -16,12 +16,7 @@ import {
 } from "./analyses";
 import { EnvVar } from "./environment";
 import { getRunnerLogger } from "./logging";
-import {
-  createFeatures,
-  RecordingLogger,
-  setupBaseActionsVars,
-  setupTests,
-} from "./testing-utils";
+import { createFeatures, RecordingLogger, setupTests } from "./testing-utils";
 import { AssessmentPayload } from "./upload-lib/types";
 import { ConfigurationError } from "./util";

@@ -77,7 +72,6 @@ test.serial(
 test.serial(
  "getAnalysisKinds - only use `code-scanning` for multiple analysis kinds outside of test mode",
  async (t) => {
-    setupBaseActionsVars();
    process.env[EnvVar.TEST_MODE] = "false";
    const features = createFeatures([]);
    const logger = new RecordingLogger();
@@ -95,40 +89,6 @@ test.serial(
  },
 );

-test.serial(
-  "getAnalysisKinds - logs error for non-default `analysis-kinds` in custom workflow",
-  async (t) => {
-    setupBaseActionsVars({ GITHUB_EVENT_NAME: "push" });
-    process.env[EnvVar.TEST_MODE] = "false";
-    const features = createFeatures([]);
-    const logger = new RecordingLogger();
-    const requiredInputStub = sinon.stub(actionsUtil, "getRequiredInput");
-    requiredInputStub.withArgs("analysis-kinds").returns("code-quality");
-    const result = await getAnalysisKinds(logger, features, true);
-    t.deepEqual(result, [AnalysisKind.CodeQuality]);
-    t.assert(
-      logger.hasMessage(
-        "An analysis kind other than `code-scanning` was specified in a custom workflow.",
-      ),
-    );
-  },
-);
-
-test.serial(
-  "getAnalysisKinds - no error for non-default `analysis-kinds` in managed workflow",
-  async (t) => {
-    setupBaseActionsVars({ GITHUB_EVENT_NAME: "dynamic" });
-    process.env[EnvVar.TEST_MODE] = "false";
-    const features = createFeatures([]);
-    const logger = new RecordingLogger();
-    const requiredInputStub = sinon.stub(actionsUtil, "getRequiredInput");
-    requiredInputStub.withArgs("analysis-kinds").returns("code-quality");
-    const result = await getAnalysisKinds(logger, features, true);
-    t.deepEqual(result, [AnalysisKind.CodeQuality]);
-    t.deepEqual(logger.messages, []);
-  },
-);
-
 test.serial(
  "getAnalysisKinds - includes `code-quality` when deprecated `quality-queries` input is used",
  async (t) => {
@@ -173,7 +133,6 @@ for (let i = 0; i < analysisKinds.length; i++) {
      test.serial(
        `getAnalysisKinds - allows ${analysisKind} with ${otherAnalysis}`,
        async (t) => {
-          setupBaseActionsVars();
          process.env[EnvVar.TEST_MODE] = "true";
          const features = createFeatures([]);
          const requiredInputStub = sinon.stub(actionsUtil, "getRequiredInput");
@@ -192,7 +151,6 @@ for (let i = 0; i < analysisKinds.length; i++) {
      test.serial(
        `getAnalysisKinds - throws if ${analysisKind} is enabled with ${otherAnalysis}`,
        async (t) => {
-          setupBaseActionsVars();
          const features = createFeatures([]);
          const requiredInputStub = sinon.stub(actionsUtil, "getRequiredInput");
          requiredInputStub
@@ -2,7 +2,6 @@ import {
  fixCodeQualityCategory,
  getOptionalInput,
  getRequiredInput,
-  isDynamicWorkflow,
 } from "./actions-util";
 import { EnvVar } from "./environment";
 import { Feature, FeatureEnablement } from "./feature-flags";
@@ -66,21 +65,6 @@ export async function parseAnalysisKinds(
 // Used to avoid re-parsing the input after we have done it once.
 let cachedAnalysisKinds: AnalysisKind[] | undefined;

-/** Determines whether `code-scanning` is the only enabled analysis kind in `analysisKinds`. */
-function isOnlyCodeScanningEnabled(analysisKinds: AnalysisKind[]) {
-  return (
-    analysisKinds.length === 1 && analysisKinds[0] === AnalysisKind.CodeScanning
-  );
-}
-
-/** Prepends a generic message about the intended usage for `analysis-kinds` to `message`. */
-function makeAnalysisKindUsageError(message: string) {
-  return (
-    "The `analysis-kinds` input is experimental and for GitHub-internal use only. " +
-    `Its behaviour may change at any time or be removed entirely. ${message}`
-  );
-}
-
 /**
 * Initialises the analysis kinds for the analysis based on the `analysis-kinds` input.
 * This function will also use the deprecated `quality-queries` input as an indicator to enable `code-quality`.
@@ -105,26 +89,6 @@ export async function getAnalysisKinds(
    getRequiredInput("analysis-kinds"),
  );

-  // Log an error if we are outside of a GitHub-managed workflow and an analysis kind
-  // other than `code-scanning` is enabled.
-  if (
-    !isInTestMode() &&
-    !isDynamicWorkflow() &&
-    !isOnlyCodeScanningEnabled(analysisKinds)
-  ) {
-    const codeQualityHint = analysisKinds.includes(AnalysisKind.CodeQuality)
-      ? " If your intention is to use quality queries outside of Code Quality, " +
-        "use the `queries` input with `code-quality` instead."
-      : "";
-
-    logger.error(
-      makeAnalysisKindUsageError(
-        "An analysis kind other than `code-scanning` was specified in a custom workflow. " +
-          `This is not supported and will become a fatal error in a future version of the CodeQL Action.${codeQualityHint}`,
-      ),
-    );
-  }
-
  // Warn that `quality-queries` is deprecated if there is an argument for it.
  const qualityQueriesInput = getOptionalInput("quality-queries");

@@ -166,10 +130,10 @@ export async function getAnalysisKinds(
    !(await features.getValue(Feature.AllowMultipleAnalysisKinds))
  ) {
    logger.error(
-      makeAnalysisKindUsageError(
+      "The `analysis-kinds` input is experimental and for GitHub-internal use only. " +
+        "Its behaviour may change at any time or be removed entirely. " +
        "Specifying multiple values as input is no longer supported. " +
-          "Continuing with only `analysis-kinds: code-scanning`.",
-      ),
+        "Continuing with only `analysis-kinds: code-scanning`.",
    );

    // Only enable Code Scanning.
@@ -0,0 +1,90 @@
+import test from "ava";
+import * as sinon from "sinon";
+
+import * as actionsUtil from "./actions-util";
+import * as analyze from "./analyze";
+import * as api from "./api-client";
+import * as configUtils from "./config-utils";
+import * as gitUtils from "./git-utils";
+import * as statusReport from "./status-report";
+import {
+  setupTests,
+  setupActionsVars,
+  mockFeatureFlagApiEndpoint,
+} from "./testing-utils";
+import * as util from "./util";
+
+setupTests(test);
+
+// This test needs to be in its own file so that ava would run it in its own
+// nodejs process. The code being tested is in analyze-action.ts, which runs
+// immediately on load. So the file needs to be loaded during part of the test,
+// and that can happen only once per nodejs process. If multiple such tests are
+// in the same test file, ava would run them in the same nodejs process, and all
+// but the first test would fail.
+
+test("analyze action with RAM & threads from environment variables", async (t) => {
+  // This test frequently times out on Windows with the default timeout, so we bump
+  // it a bit to 20s.
+  t.timeout(1000 * 20);
+  await util.withTmpDir(async (tmpDir) => {
+    setupActionsVars(tmpDir, tmpDir);
+    sinon
+      .stub(statusReport, "createStatusReportBase")
+      .resolves({} as statusReport.StatusReportBase);
+    sinon.stub(statusReport, "sendStatusReport").resolves();
+    sinon.stub(gitUtils, "isAnalyzingDefaultBranch").resolves(true);
+
+    const gitHubVersion: util.GitHubVersion = {
+      type: util.GitHubVariant.DOTCOM,
+    };
+    sinon.stub(configUtils, "getConfig").resolves({
+      gitHubVersion,
+      augmentationProperties: {},
+      languages: [],
+      packs: [],
+      trapCaches: {},
+    } as unknown as configUtils.Config);
+    const requiredInputStub = sinon.stub(actionsUtil, "getRequiredInput");
+    requiredInputStub.withArgs("token").returns("fake-token");
+    requiredInputStub.withArgs("upload-database").returns("false");
+    requiredInputStub.withArgs("output").returns("out");
+    const optionalInputStub = sinon.stub(actionsUtil, "getOptionalInput");
+    optionalInputStub.withArgs("expect-error").returns("false");
+    sinon.stub(api, "getGitHubVersion").resolves(gitHubVersion);
+    mockFeatureFlagApiEndpoint(200, {});
+
+    // When there are no action inputs for RAM and threads, the action uses
+    // environment variables (passed down from the init action) to set RAM and
+    // threads usage.
+    process.env["CODEQL_THREADS"] = "-1";
+    process.env["CODEQL_RAM"] = "4992";
+
+    const runFinalizeStub = sinon.stub(analyze, "runFinalize");
+    const runQueriesStub = sinon.stub(analyze, "runQueries");
+    // eslint-disable-next-line @typescript-eslint/no-require-imports
+    const analyzeAction = require("./analyze-action");
+
+    // When analyze-action.ts loads, it runs an async function from the top
+    // level but does not wait for it to finish. To ensure that calls to
+    // runFinalize and runQueries are correctly captured by spies, we explicitly
+    // wait for the action promise to complete before starting verification.
+    await analyzeAction.runPromise;
+
+    t.assert(
+      runFinalizeStub.calledOnceWith(
+        sinon.match.any,
+        sinon.match.any,
+        "--threads=-1",
+        "--ram=4992",
+      ),
+    );
+    t.assert(
+      runQueriesStub.calledOnceWith(
+        sinon.match.any,
+        "--ram=4992",
+        "--threads=-1",
+      ),
+    );
+  });
+});
@@ -0,0 +1,88 @@
+import test from "ava";
+import * as sinon from "sinon";
+
+import * as actionsUtil from "./actions-util";
+import * as analyze from "./analyze";
+import * as api from "./api-client";
+import * as configUtils from "./config-utils";
+import * as gitUtils from "./git-utils";
+import * as statusReport from "./status-report";
+import {
+  setupTests,
+  setupActionsVars,
+  mockFeatureFlagApiEndpoint,
+} from "./testing-utils";
+import * as util from "./util";
+
+setupTests(test);
+
+// This test needs to be in its own file so that ava would run it in its own
+// nodejs process. The code being tested is in analyze-action.ts, which runs
+// immediately on load. So the file needs to be loaded during part of the test,
+// and that can happen only once per nodejs process. If multiple such tests are
+// in the same test file, ava would run them in the same nodejs process, and all
+// but the first test would fail.
+
+test("analyze action with RAM & threads from action inputs", async (t) => {
+  t.timeout(1000 * 20);
+  await util.withTmpDir(async (tmpDir) => {
+    setupActionsVars(tmpDir, tmpDir);
+    sinon
+      .stub(statusReport, "createStatusReportBase")
+      .resolves({} as statusReport.StatusReportBase);
+    sinon.stub(statusReport, "sendStatusReport").resolves();
+    const gitHubVersion: util.GitHubVersion = {
+      type: util.GitHubVariant.DOTCOM,
+    };
+    sinon.stub(configUtils, "getConfig").resolves({
+      gitHubVersion,
+      augmentationProperties: {},
+      languages: [],
+      packs: [],
+      trapCaches: {},
+    } as unknown as configUtils.Config);
+    const requiredInputStub = sinon.stub(actionsUtil, "getRequiredInput");
+    requiredInputStub.withArgs("token").returns("fake-token");
+    requiredInputStub.withArgs("upload-database").returns("false");
+    requiredInputStub.withArgs("output").returns("out");
+    const optionalInputStub = sinon.stub(actionsUtil, "getOptionalInput");
+    optionalInputStub.withArgs("expect-error").returns("false");
+    sinon.stub(api, "getGitHubVersion").resolves(gitHubVersion);
+    sinon.stub(gitUtils, "isAnalyzingDefaultBranch").resolves(true);
+    mockFeatureFlagApiEndpoint(200, {});
+
+    process.env["CODEQL_THREADS"] = "1";
+    process.env["CODEQL_RAM"] = "4992";
+
+    // Action inputs have precedence over environment variables.
+    optionalInputStub.withArgs("threads").returns("-1");
+    optionalInputStub.withArgs("ram").returns("3012");
+
+    const runFinalizeStub = sinon.stub(analyze, "runFinalize");
+    const runQueriesStub = sinon.stub(analyze, "runQueries");
+    // eslint-disable-next-line @typescript-eslint/no-require-imports
+    const analyzeAction = require("./analyze-action");
+
+    // When analyze-action.ts loads, it runs an async function from the top
+    // level but does not wait for it to finish. To ensure that calls to
+    // runFinalize and runQueries are correctly captured by spies, we explicitly
+    // wait for the action promise to complete before starting verification.
+    await analyzeAction.runPromise;
+
+    t.assert(
+      runFinalizeStub.calledOnceWith(
+        sinon.match.any,
+        sinon.match.any,
+        "--threads=-1",
+        "--ram=3012",
+      ),
+    );
+    t.assert(
+      runQueriesStub.calledOnceWith(
+        sinon.match.any,
+        "--ram=3012",
+        "--threads=-1",
+      ),
+    );
+  });
+});
@@ -20,7 +20,7 @@ import { EnvVar } from "./environment";
 import { getActionsLogger } from "./logging";
 import { checkGitHubVersionInRange, getErrorMessage } from "./util";

-export async function runWrapper() {
+async function runWrapper() {
  // To capture errors appropriately, keep as much code within the try-catch as
  // possible, and only use safe functions outside.

@@ -72,3 +72,5 @@ export async function runWrapper() {
    );
  }
 }
+
+void runWrapper();
@@ -1,142 +0,0 @@
-import test from "ava";
-import * as sinon from "sinon";
-
-import * as actionsUtil from "./actions-util";
-import * as analyze from "./analyze";
-import { runWrapper } from "./analyze-action";
-import * as api from "./api-client";
-import * as configUtils from "./config-utils";
-import * as gitUtils from "./git-utils";
-import * as statusReport from "./status-report";
-import {
-  setupTests,
-  setupActionsVars,
-  mockFeatureFlagApiEndpoint,
-} from "./testing-utils";
-import * as util from "./util";
-
-setupTests(test);
-
-test.serial(
-  "analyze action with RAM & threads from environment variables",
-  async (t) => {
-    // This test frequently times out on Windows with the default timeout, so we bump
-    // it a bit to 20s.
-    t.timeout(1000 * 20);
-    await util.withTmpDir(async (tmpDir) => {
-      setupActionsVars(tmpDir, tmpDir);
-      sinon
-        .stub(statusReport, "createStatusReportBase")
-        .resolves({} as statusReport.StatusReportBase);
-      sinon.stub(statusReport, "sendStatusReport").resolves();
-      sinon.stub(gitUtils, "isAnalyzingDefaultBranch").resolves(true);
-
-      const gitHubVersion: util.GitHubVersion = {
-        type: util.GitHubVariant.DOTCOM,
-      };
-      sinon.stub(configUtils, "getConfig").resolves({
-        gitHubVersion,
-        augmentationProperties: {},
-        languages: [],
-        packs: [],
-        trapCaches: {},
-      } as unknown as configUtils.Config);
-      const requiredInputStub = sinon.stub(actionsUtil, "getRequiredInput");
-      requiredInputStub.withArgs("token").returns("fake-token");
-      requiredInputStub.withArgs("upload-database").returns("false");
-      requiredInputStub.withArgs("output").returns("out");
-      const optionalInputStub = sinon.stub(actionsUtil, "getOptionalInput");
-      optionalInputStub.withArgs("expect-error").returns("false");
-      sinon.stub(api, "getGitHubVersion").resolves(gitHubVersion);
-      mockFeatureFlagApiEndpoint(200, {});
-
-      // When there are no action inputs for RAM and threads, the action uses
-      // environment variables (passed down from the init action) to set RAM and
-      // threads usage.
-      process.env["CODEQL_THREADS"] = "-1";
-      process.env["CODEQL_RAM"] = "4992";
-
-      const runFinalizeStub = sinon.stub(analyze, "runFinalize");
-      const runQueriesStub = sinon.stub(analyze, "runQueries");
-
-      await runWrapper();
-
-      t.assert(
-        runFinalizeStub.calledOnceWith(
-          sinon.match.any,
-          sinon.match.any,
-          "--threads=-1",
-          "--ram=4992",
-        ),
-      );
-      t.assert(
-        runQueriesStub.calledOnceWith(
-          sinon.match.any,
-          "--ram=4992",
-          "--threads=-1",
-        ),
-      );
-    });
-  },
-);
-
-test.serial(
-  "analyze action with RAM & threads from action inputs",
-  async (t) => {
-    t.timeout(1000 * 20);
-    await util.withTmpDir(async (tmpDir) => {
-      setupActionsVars(tmpDir, tmpDir);
-      sinon
-        .stub(statusReport, "createStatusReportBase")
-        .resolves({} as statusReport.StatusReportBase);
-      sinon.stub(statusReport, "sendStatusReport").resolves();
-      const gitHubVersion: util.GitHubVersion = {
-        type: util.GitHubVariant.DOTCOM,
-      };
-      sinon.stub(configUtils, "getConfig").resolves({
-        gitHubVersion,
-        augmentationProperties: {},
-        languages: [],
-        packs: [],
-        trapCaches: {},
-      } as unknown as configUtils.Config);
-      const requiredInputStub = sinon.stub(actionsUtil, "getRequiredInput");
-      requiredInputStub.withArgs("token").returns("fake-token");
-      requiredInputStub.withArgs("upload-database").returns("false");
-      requiredInputStub.withArgs("output").returns("out");
-      const optionalInputStub = sinon.stub(actionsUtil, "getOptionalInput");
-      optionalInputStub.withArgs("expect-error").returns("false");
-      sinon.stub(api, "getGitHubVersion").resolves(gitHubVersion);
-      sinon.stub(gitUtils, "isAnalyzingDefaultBranch").resolves(true);
-      mockFeatureFlagApiEndpoint(200, {});
-
-      process.env["CODEQL_THREADS"] = "1";
-      process.env["CODEQL_RAM"] = "4992";
-
-      // Action inputs have precedence over environment variables.
-      optionalInputStub.withArgs("threads").returns("-1");
-      optionalInputStub.withArgs("ram").returns("3012");
-
-      const runFinalizeStub = sinon.stub(analyze, "runFinalize");
-      const runQueriesStub = sinon.stub(analyze, "runQueries");
-
-      await runWrapper();
-
-      t.assert(
-        runFinalizeStub.calledOnceWith(
-          sinon.match.any,
-          sinon.match.any,
-          "--threads=-1",
-          "--ram=3012",
-        ),
-      );
-      t.assert(
-        runQueriesStub.calledOnceWith(
-          sinon.match.any,
-          "--ram=3012",
-          "--threads=-1",
-        ),
-      );
-    });
-  },
-);
@@ -523,11 +523,14 @@ async function run(startedAt: Date) {
  }
 }

-export async function runWrapper() {
-  const startedAt = new Date();
+// Module-level startedAt so it can be accessed by runWrapper for error reporting
+const startedAt = new Date();
+export const runPromise = run(startedAt);
+
+async function runWrapper() {
  const logger = getActionsLogger();
  try {
-    await run(startedAt);
+    await runPromise;
  } catch (error) {
    core.setFailed(`analyze action failed: ${util.getErrorMessage(error)}`);
    await sendUnhandledErrorStatusReport(
@@ -539,3 +542,5 @@ export async function runWrapper() {
  }
  await util.checkForTimeout();
 }
+
+void runWrapper();
@@ -142,7 +142,7 @@ async function run(startedAt: Date) {
  await sendCompletedStatusReport(config, logger, startedAt, languages ?? []);
 }

-export async function runWrapper() {
+async function runWrapper() {
  const startedAt = new Date();
  const logger = getActionsLogger();
  try {
@@ -157,3 +157,5 @@ export async function runWrapper() {
    );
  }
 }
+
+void runWrapper();
@@ -1072,7 +1072,7 @@ test.serial(
 );

 test.serial(
-  "Avoids duplicating --force-overwrite flag if specified in CODEQL_ACTION_EXTRA_OPTIONS",
+  "Avoids duplicating --overwrite flag if specified in CODEQL_ACTION_EXTRA_OPTIONS",
  async (t) => {
    const runnerConstructorStub = stubToolRunnerConstructor();
    const codeqlObject = await stubCodeql();
@@ -1080,7 +1080,7 @@ test.serial(
    sinon.stub(io, "which").resolves("");

    process.env["CODEQL_ACTION_EXTRA_OPTIONS"] =
-      '{ "database": { "init": ["--force-overwrite"] } }';
+      '{ "database": { "init": ["--overwrite"] } }';

    await codeqlObject.databaseInitCluster(
      stubConfig,
@@ -1093,9 +1093,9 @@ test.serial(
    t.true(runnerConstructorStub.calledOnce);
    const args = runnerConstructorStub.firstCall.args[1] as string[];
    t.is(
-      args.filter((option: string) => option === "--force-overwrite").length,
+      args.filter((option: string) => option === "--overwrite").length,
      1,
-      "--force-overwrite should only be passed once",
+      "--overwrite should only be passed once",
    );

    // Clean up
@@ -277,7 +277,7 @@ let cachedCodeQL: CodeQL | undefined = undefined;
 * The version flags below can be used to conditionally enable certain features
 * on versions newer than this.
 */
-const CODEQL_MINIMUM_VERSION = "2.19.4";
+const CODEQL_MINIMUM_VERSION = "2.17.6";

 /**
 * This version will shortly become the oldest version of CodeQL that the Action will run with.
@@ -592,6 +592,13 @@ async function getCodeQLForCmd(
        extraArgs.push(`--qlconfig-file=${qlconfigFile}`);
      }

+      const overwriteFlag = isSupportedToolsFeature(
+        await this.getVersion(),
+        ToolsFeature.ForceOverwrite,
+      )
+        ? "--force-overwrite"
+        : "--overwrite";
+
      const overlayDatabaseMode = config.overlayDatabaseMode;
      if (overlayDatabaseMode === OverlayDatabaseMode.Overlay) {
        const overlayChangesFile = await writeOverlayChangesFile(
@@ -618,7 +625,7 @@ async function getCodeQLForCmd(
          "init",
          ...(overlayDatabaseMode === OverlayDatabaseMode.Overlay
            ? []
-            : ["--force-overwrite"]),
+            : [overwriteFlag]),
          "--db-cluster",
          config.dbLocation,
          `--source-root=${sourceRoot}`,
@@ -629,14 +636,7 @@ async function getCodeQLForCmd(
            // Some user configs specify `--no-calculate-baseline` as an additional
            // argument to `codeql database init`. Therefore ignore the baseline file
            // options here to avoid specifying the same argument twice and erroring.
-            //
-            // Ignore `--overwrite` to avoid passing both `--force-overwrite` and `--overwrite` if
-            // the user has configured `--overwrite`.
-            ignoringOptions: [
-              "--force-overwrite",
-              "--overwrite",
-              ...baselineFilesOptions,
-            ],
+            ignoringOptions: ["--overwrite", ...baselineFilesOptions],
          }),
        ],
        { stdin: externalRepositoryToken },
@@ -853,7 +853,7 @@ async function getCodeQLForCmd(
        "--sarif-group-rules-by-pack",
        "--sarif-include-query-help=always",
        "--sublanguage-file-coverage",
-        ...(await getJobRunUuidSarifOptions()),
+        ...(await getJobRunUuidSarifOptions(this)),
        ...getExtraOptionsFromEnv(["database", "interpret-results"]),
      ];
      if (sarifRunPropertyFlag !== undefined) {
@@ -1283,8 +1283,13 @@ function applyAutobuildAzurePipelinesTimeoutFix() {
  ].join(" ");
 }

-async function getJobRunUuidSarifOptions() {
+async function getJobRunUuidSarifOptions(codeql: CodeQL) {
  const jobRunUuid = process.env[EnvVar.JOB_RUN_UUID];

-  return jobRunUuid ? [`--sarif-run-property=jobRunUuid=${jobRunUuid}`] : [];
+  return jobRunUuid &&
+    (await codeql.supportsFeature(
+      ToolsFeature.DatabaseInterpretResultsSupportsSarifRunProperty,
+    ))
+    ? [`--sarif-run-property=jobRunUuid=${jobRunUuid}`]
+    : [];
 }
@@ -1,6 +1,6 @@
 {
-  "bundleVersion": "codeql-bundle-v2.25.5",
-  "cliVersion": "2.25.5",
-  "priorBundleVersion": "codeql-bundle-v2.25.4",
-  "priorCliVersion": "2.25.4"
+  "bundleVersion": "codeql-bundle-v2.25.4",
+  "cliVersion": "2.25.4",
+  "priorBundleVersion": "codeql-bundle-v2.25.3",
+  "priorCliVersion": "2.25.3"
 }
@@ -75,10 +75,10 @@ const testShouldPerformDiffInformedAnalysis = makeMacro({
        [Feature.DiffInformedQueries]: testCase.featureEnabled,
      });

-      sinon
+      const getGitHubVersionStub = sinon
        .stub(apiClient, "getGitHubVersion")
        .resolves(testCase.gitHubVersion);
-      sinon
+      const getPullRequestBranchesStub = sinon
        .stub(actionsUtil, "getPullRequestBranches")
        .returns(testCase.pullRequestBranches);

@@ -91,6 +91,9 @@ const testShouldPerformDiffInformedAnalysis = makeMacro({
      t.is(branches !== undefined, expectedResult);

      delete process.env.CODEQL_ACTION_DIFF_INFORMED_QUERIES;
+
+      getGitHubVersionStub.restore();
+      getPullRequestBranchesStub.restore();
    });
  },
  title: (title) => `getDiffInformedAnalysisBranches: ${title}`,
@@ -1,3 +0,0 @@
-export async function run__ACTION__() {
-  return await __ACTION__.runWrapper();
-}
@@ -26,9 +26,6 @@ const DEFAULT_VERSION_FEATURE_FLAG_SUFFIX = "_enabled";

 /**
 * The first version of the CodeQL Bundle that shipped with zstd-compressed bundles.
- *
- * This is now below the minimum version of CodeQL, but we keep this around because we currently set
- * up CodeQL before checking that the version is new enough.
 */
 export const CODEQL_VERSION_ZSTD_BUNDLE = "2.19.0";

@@ -33,6 +33,7 @@ test.serial(

      const actualRef = await gitUtils.getRef();
      t.deepEqual(actualRef, expectedRef);
+      callback.restore();
    });
  },
 );
@@ -53,6 +54,7 @@ test.serial(

      const actualRef = await gitUtils.getRef();
      t.deepEqual(actualRef, expectedRef);
+      callback.restore();
    });
  },
 );
@@ -71,6 +73,7 @@ test.serial(

      const actualRef = await gitUtils.getRef();
      t.deepEqual(actualRef, "refs/pull/1/head");
+      callback.restore();
    });
  },
 );
@@ -97,6 +100,8 @@ test.serial(

      const actualRef = await gitUtils.getRef();
      t.deepEqual(actualRef, "refs/pull/2/merge");
+      callback.restore();
+      getAdditionalInputStub.restore();
    });
  },
 );
@@ -156,6 +161,7 @@ test.serial(
            "Both 'ref' and 'sha' are required if one of them is provided.",
        },
      );
+      getAdditionalInputStub.restore();
    });
  },
 );
@@ -182,6 +188,7 @@ test.serial(
            "Both 'ref' and 'sha' are required if one of them is provided.",
        },
      );
+      getAdditionalInputStub.restore();
    });
  },
 );
@@ -235,6 +242,7 @@ test.serial("isAnalyzingDefaultBranch()", async (t) => {
    process.env["GITHUB_EVENT_NAME"] = "schedule";
    process.env["GITHUB_REF"] = "refs/heads/main";
    t.deepEqual(await gitUtils.isAnalyzingDefaultBranch(), false);
+    getAdditionalInputStub.restore();
  });
 });

@@ -246,6 +254,8 @@ test.serial("determineBaseBranchHeadCommitOid non-pullrequest", async (t) => {
  const result = await gitUtils.determineBaseBranchHeadCommitOid(__dirname);
  t.deepEqual(result, undefined);
  t.deepEqual(0, infoStub.callCount);
+
+  infoStub.restore();
 });

 test.serial(
@@ -266,6 +276,8 @@ test.serial(
      "git call failed. Will calculate the base branch SHA on the server. Error: " +
        "The checkout path provided to the action does not appear to be a git repository.",
    );
+
+    infoStub.restore();
  },
 );

@@ -289,27 +301,10 @@ test.serial("determineBaseBranchHeadCommitOid other error", async (t) => {
      "The checkout path provided to the action does not appear to be a git repository.",
    ),
  );
+
+  infoStub.restore();
 });

-test.serial(
-  "determineBaseBranchHeadCommitOid accepts SHA-256 OIDs",
-  async (t) => {
-    const mergeSha = "a".repeat(64);
-    const baseOid = "b".repeat(64);
-    const headOid = "c".repeat(64);
-
-    process.env["GITHUB_EVENT_NAME"] = "pull_request";
-    process.env["GITHUB_SHA"] = mergeSha;
-
-    sinon
-      .stub(gitUtils as any, "runGitCommand")
-      .resolves(`commit ${mergeSha}\nparent ${baseOid}\nparent ${headOid}\n`);
-
-    const result = await gitUtils.determineBaseBranchHeadCommitOid(__dirname);
-    t.deepEqual(result, baseOid);
-  },
-);
-
 test.serial("decodeGitFilePath unquoted strings", async (t) => {
  t.deepEqual(gitUtils.decodeGitFilePath("foo"), "foo");
  t.deepEqual(gitUtils.decodeGitFilePath("foo bar"), "foo bar");
@@ -441,64 +436,6 @@ test.serial("getFileOidsUnderPath handles quoted paths", async (t) => {
  });
 });

-test.serial("getFileOidsUnderPath handles SHA-256 OIDs", async (t) => {
-  await withTmpDir(async (tmpDir) => {
-    const sha256OidA =
-      "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2c0d4b7e8f9a1234567890ab";
-    const sha256OidB =
-      "aabbccddeeff00112233445566778899aabbccddeeff00112233445566778899";
-
-    sinon
-      .stub(gitUtils as any, "runGitCommand")
-      .callsFake(async (_cwd: any, args: any) => {
-        if (args[0] === "rev-parse") {
-          return `${tmpDir}\n`;
-        }
-        return (
-          `100644 ${sha256OidA} 0\tlib/sha256-file-a.js\n` +
-          `100644 ${sha256OidB} 0\tsrc/sha256-file-b.ts`
-        );
-      });
-
-    const result = await gitUtils.getFileOidsUnderPath("/fake/path");
-
-    t.deepEqual(result, {
-      "lib/sha256-file-a.js": sha256OidA,
-      "src/sha256-file-b.ts": sha256OidB,
-    });
-  });
-});
-
-test.serial(
-  "getFileOidsUnderPath rejects OIDs of unsupported length",
-  async (t) => {
-    await withTmpDir(async (tmpDir) => {
-      // 50-char OID: not a valid SHA-1 (40) or SHA-256 (64) length. The regex
-      // must not accept this even though every character is a valid hex digit.
-      const invalidLine =
-        "100644 30d998ded095371488be3a729eb61d86ed721a1830d998ded0 0\tlib/bad.js";
-      sinon
-        .stub(gitUtils as any, "runGitCommand")
-        .callsFake(async (_cwd: any, args: any) => {
-          if (args[0] === "rev-parse") {
-            return `${tmpDir}\n`;
-          }
-          return invalidLine;
-        });
-
-      await t.throwsAsync(
-        async () => {
-          await gitUtils.getFileOidsUnderPath("/fake/path");
-        },
-        {
-          instanceOf: Error,
-          message: `Unexpected "git ls-files" output: ${invalidLine}`,
-        },
-      );
-    });
-  },
-);
-
 test.serial("getFileOidsUnderPath handles empty output", async (t) => {
  await withTmpDir(async (tmpDir) => {
    sinon
@@ -163,12 +163,11 @@ export const determineBaseBranchHeadCommitOid = async function (
      }
    }

-    // Let's confirm our assumptions: We had a merge commit and the parsed parent
-    // data looks correct. OIDs are either 40 (SHA-1) or 64 (SHA-256) hex characters.
+    // Let's confirm our assumptions: We had a merge commit and the parsed parent data looks correct
    if (
      commitOid === mergeSha &&
-      (headOid.length === 40 || headOid.length === 64) &&
-      (baseOid.length === 40 || baseOid.length === 64)
+      headOid.length === 40 &&
+      baseOid.length === 40
    ) {
      return baseOid;
    }
@@ -297,8 +296,7 @@ export const getFileOidsUnderPath = async function (
  // 100644 4c51bc1d9e86cd86e01b0f340cb8ce095c33b283 0\tsrc/git-utils.test.ts
  // 100644 6b792ea543ce75d7a8a03df591e3c85311ecb64f 0\tsrc/git-utils.ts
  // The fields are: <mode> <oid> <stage>\t<path>
-  // The OID is either 40 (SHA-1) or 64 (SHA-256) hex characters.
-  const regex = /^[0-9]+ ([0-9a-f]{40}|[0-9a-f]{64}) [0-9]+\t(.+)$/;
+  const regex = /^[0-9]+ ([0-9a-f]{40}) [0-9]+\t(.+)$/;
  for (const line of stdout.split("\n")) {
    if (line) {
      const match = line.match(regex);
@@ -207,7 +207,7 @@ function getJobStatusFromEnvironment(): JobStatus | undefined {
  return undefined;
 }

-export async function runWrapper() {
+async function runWrapper() {
  const startedAt = new Date();
  const logger = getActionsLogger();
  try {
@@ -222,3 +222,5 @@ export async function runWrapper() {
    );
  }
 }
+
+void runWrapper();
@@ -838,7 +838,7 @@ async function recordZstdAvailability(
  );
 }

-export async function runWrapper() {
+async function runWrapper() {
  const startedAt = new Date();
  const logger = getActionsLogger();
  try {
@@ -854,3 +854,5 @@ export async function runWrapper() {
  }
  await checkForTimeout();
 }
+
+void runWrapper();
@@ -80,46 +80,65 @@ const testDownloadOverlayBaseDatabaseFromCache = makeMacro({
        await fs.promises.writeFile(baseDatabaseOidsFile, JSON.stringify({}));
      }

-      sinon.stub(apiClient, "getAutomationID").resolves("test-automation-id/");
+      const stubs: sinon.SinonStub[] = [];

-      sinon.stub(utils, "isInTestMode").returns(testCase.isInTestMode);
+      const getAutomationIDStub = sinon
+        .stub(apiClient, "getAutomationID")
+        .resolves("test-automation-id/");
+      stubs.push(getAutomationIDStub);
+
+      const isInTestModeStub = sinon
+        .stub(utils, "isInTestMode")
+        .returns(testCase.isInTestMode);
+      stubs.push(isInTestModeStub);

      if (testCase.restoreCacheResult instanceof Error) {
-        sinon
+        const restoreCacheStub = sinon
          .stub(actionsCache, "restoreCache")
          .rejects(testCase.restoreCacheResult);
+        stubs.push(restoreCacheStub);
      } else {
-        sinon
+        const restoreCacheStub = sinon
          .stub(actionsCache, "restoreCache")
          .resolves(testCase.restoreCacheResult);
+        stubs.push(restoreCacheStub);
      }

-      sinon
+      const tryGetFolderBytesStub = sinon
        .stub(utils, "tryGetFolderBytes")
        .resolves(testCase.tryGetFolderBytesSucceeds ? 1024 * 1024 : undefined);
+      stubs.push(tryGetFolderBytesStub);

      const codeql = mockCodeQLVersion(testCase.codeQLVersion);

      if (testCase.resolveDatabaseOutput instanceof Error) {
-        sinon
+        const resolveDatabaseStub = sinon
          .stub(codeql, "resolveDatabase")
          .rejects(testCase.resolveDatabaseOutput);
+        stubs.push(resolveDatabaseStub);
      } else {
-        sinon
+        const resolveDatabaseStub = sinon
          .stub(codeql, "resolveDatabase")
          .resolves(testCase.resolveDatabaseOutput);
+        stubs.push(resolveDatabaseStub);
      }

-      const result = await downloadOverlayBaseDatabaseFromCache(
-        codeql,
-        config,
-        logger,
-      );
+      try {
+        const result = await downloadOverlayBaseDatabaseFromCache(
+          codeql,
+          config,
+          logger,
+        );

-      if (expectDownloadSuccess) {
-        t.truthy(result);
-      } else {
-        t.is(result, undefined);
+        if (expectDownloadSuccess) {
+          t.truthy(result);
+        } else {
+          t.is(result, undefined);
+        }
+      } finally {
+        for (const stub of stubs) {
+          stub.restore();
+        }
      }
    });
  },
@@ -50,21 +50,31 @@ test.serial(
        "modified.js": "ddd444", // Changed OID
        "added.js": "eee555", // New file
      };
-      sinon.stub(gitUtils, "getFileOidsUnderPath").resolves(currentOids);
+      const getFileOidsStubForOverlay = sinon
+        .stub(gitUtils, "getFileOidsUnderPath")
+        .resolves(currentOids);

      // Write the overlay changes file, which uses the mocked overlay OIDs
      // and the base database OIDs file
      const diffRangeFilePath = path.join(tempDir, "pr-diff-range.json");
-      sinon.stub(actionsUtil, "getTemporaryDirectory").returns(tempDir);
-      sinon
+      const getTempDirStub = sinon
+        .stub(actionsUtil, "getTemporaryDirectory")
+        .returns(tempDir);
+      const getDiffRangesStub = sinon
        .stub(actionsUtil, "getDiffRangesJsonFilePath")
        .returns(diffRangeFilePath);
-      sinon.stub(gitUtils, "getGitRoot").resolves(sourceRoot);
+      const getGitRootStub = sinon
+        .stub(gitUtils, "getGitRoot")
+        .resolves(sourceRoot);
      const changesFilePath = await writeOverlayChangesFile(
        config,
        sourceRoot,
        logger,
      );
+      getFileOidsStubForOverlay.restore();
+      getTempDirStub.restore();
+      getDiffRangesStub.restore();
+      getGitRootStub.restore();

      const fileContent = await fs.promises.readFile(changesFilePath, "utf-8");
      const parsedContent = JSON.parse(fileContent) as { changes: string[] };
@@ -118,14 +128,20 @@ test.serial(
        "modified.js": "ddd444", // Changed OID
        "reverted.js": "eee555", // Same OID as base -- not detected by OID comparison
      };
-      sinon.stub(gitUtils, "getFileOidsUnderPath").resolves(currentOids);
+      const getFileOidsStubForOverlay = sinon
+        .stub(gitUtils, "getFileOidsUnderPath")
+        .resolves(currentOids);

      const diffRangeFilePath = path.join(tempDir, "pr-diff-range.json");
-      sinon.stub(actionsUtil, "getTemporaryDirectory").returns(tempDir);
-      sinon
+      const getTempDirStub = sinon
+        .stub(actionsUtil, "getTemporaryDirectory")
+        .returns(tempDir);
+      const getDiffRangesStub = sinon
        .stub(actionsUtil, "getDiffRangesJsonFilePath")
        .returns(diffRangeFilePath);
-      sinon.stub(gitUtils, "getGitRoot").resolves(sourceRoot);
+      const getGitRootStub = sinon
+        .stub(gitUtils, "getGitRoot")
+        .resolves(sourceRoot);

      // Write a pr-diff-range.json file with diff ranges including
      // "reverted.js" (unchanged OIDs) and "modified.js" (already in OID changes)
@@ -143,6 +159,10 @@ test.serial(
        sourceRoot,
        logger,
      );
+      getFileOidsStubForOverlay.restore();
+      getTempDirStub.restore();
+      getDiffRangesStub.restore();
+      getGitRootStub.restore();

      const fileContent = await fs.promises.readFile(changesFilePath, "utf-8");
      const parsedContent = JSON.parse(fileContent) as { changes: string[] };
@@ -188,14 +208,20 @@ test.serial(
        "unchanged.js": "aaa111",
        "modified.js": "ddd444",
      };
-      sinon.stub(gitUtils, "getFileOidsUnderPath").resolves(currentOids);
+      const getFileOidsStubForOverlay = sinon
+        .stub(gitUtils, "getFileOidsUnderPath")
+        .resolves(currentOids);

      const diffRangeFilePath = path.join(tempDir, "pr-diff-range.json");
-      sinon.stub(actionsUtil, "getTemporaryDirectory").returns(tempDir);
-      sinon
+      const getTempDirStub = sinon
+        .stub(actionsUtil, "getTemporaryDirectory")
+        .returns(tempDir);
+      const getDiffRangesStub = sinon
        .stub(actionsUtil, "getDiffRangesJsonFilePath")
        .returns(diffRangeFilePath);
-      sinon.stub(gitUtils, "getGitRoot").resolves(sourceRoot);
+      const getGitRootStub = sinon
+        .stub(gitUtils, "getGitRoot")
+        .resolves(sourceRoot);

      // No pr-diff-range.json file exists - should work the same as before
      const changesFilePath = await writeOverlayChangesFile(
@@ -203,6 +229,10 @@ test.serial(
        sourceRoot,
        logger,
      );
+      getFileOidsStubForOverlay.restore();
+      getTempDirStub.restore();
+      getDiffRangesStub.restore();
+      getGitRootStub.restore();

      const fileContent = await fs.promises.readFile(changesFilePath, "utf-8");
      const parsedContent = JSON.parse(fileContent) as { changes: string[] };
@@ -251,15 +281,21 @@ test.serial(
        "app.js": "aaa111",
        "lib/util.js": "bbb222",
      };
-      sinon.stub(gitUtils, "getFileOidsUnderPath").resolves(currentOids);
+      const getFileOidsStubForOverlay = sinon
+        .stub(gitUtils, "getFileOidsUnderPath")
+        .resolves(currentOids);

      const diffRangeFilePath = path.join(tempDir, "pr-diff-range.json");
-      sinon.stub(actionsUtil, "getTemporaryDirectory").returns(tempDir);
-      sinon
+      const getTempDirStub = sinon
+        .stub(actionsUtil, "getTemporaryDirectory")
+        .returns(tempDir);
+      const getDiffRangesStub = sinon
        .stub(actionsUtil, "getDiffRangesJsonFilePath")
        .returns(diffRangeFilePath);
      // getGitRoot returns the repo root (parent of sourceRoot)
-      sinon.stub(gitUtils, "getGitRoot").resolves(repoRoot);
+      const getGitRootStub = sinon
+        .stub(gitUtils, "getGitRoot")
+        .resolves(repoRoot);

      // Diff ranges use repo-root-relative paths (as returned by the GitHub compare API)
      await fs.promises.writeFile(
@@ -276,6 +312,10 @@ test.serial(
        sourceRoot,
        logger,
      );
+      getFileOidsStubForOverlay.restore();
+      getTempDirStub.restore();
+      getDiffRangesStub.restore();
+      getGitRootStub.restore();

      const fileContent = await fs.promises.readFile(changesFilePath, "utf-8");
      const parsedContent = JSON.parse(fileContent) as { changes: string[] };
@@ -117,7 +117,7 @@ async function run(startedAt: Date) {
  }
 }

-export async function runWrapper() {
+async function runWrapper() {
  const startedAt = new Date();
  const logger = getActionsLogger();
  try {
@@ -137,3 +137,5 @@ export async function runWrapper() {
  }
  await checkForTimeout();
 }
+
+void runWrapper();
@@ -196,7 +196,7 @@ async function run(startedAt: Date): Promise<void> {
 }

 /** Run the action and catch any unhandled errors. */
-export async function runWrapper(): Promise<void> {
+async function runWrapper(): Promise<void> {
  const startedAt = new Date();
  const logger = getActionsLogger();
  try {
@@ -212,3 +212,5 @@ export async function runWrapper(): Promise<void> {
  }
  await checkForTimeout();
 }
+
+void runWrapper();
@@ -12,7 +12,7 @@ import { uploadArtifacts } from "./debug-artifacts";
 import { getActionsLogger } from "./logging";
 import { checkGitHubVersionInRange, getErrorMessage } from "./util";

-export async function runWrapper() {
+async function runWrapper() {
  // To capture errors appropriately, keep as much code within the try-catch as
  // possible, and only use safe functions outside.

@@ -62,3 +62,5 @@ export async function runWrapper() {
    );
  }
 }
+
+void runWrapper();
@@ -128,7 +128,7 @@ async function run(startedAt: Date) {
  }
 }

-export async function runWrapper() {
+async function runWrapper() {
  const startedAt = new Date();
  const logger = getActionsLogger();

@@ -204,3 +204,5 @@ async function startProxy(

  return { host, port, cert: config.ca.cert, registries: registry_urls };
 }
+
+void runWrapper();
@@ -188,37 +188,17 @@ export const DEFAULT_ACTIONS_VARS = {
  RUNNER_OS: "Linux",
 } as const satisfies Record<string, string>;

-/** Partial mappings from GitHub Actions environment variables to values. */
-export type ActionVarOverrides = Partial<
-  Record<keyof typeof DEFAULT_ACTIONS_VARS, string>
->;
-
-/**
- * Sets environment variables that are always available on GitHub Actions,
- * excluding some that are expected to be set to paths. See `setupActionsVars`.
- *
- * @param overrides Overrides for the defaults.
- */
-export function setupBaseActionsVars(overrides?: ActionVarOverrides) {
+// Sets environment variables that make using some libraries designed for
+// use only on actions safe to use outside of actions.
+export function setupActionsVars(
+  tempDir: string,
+  toolsDir: string,
+  overrides?: Partial<Record<keyof typeof DEFAULT_ACTIONS_VARS, string>>,
+) {
  const vars = { ...DEFAULT_ACTIONS_VARS, ...overrides };
  for (const [key, value] of Object.entries(vars)) {
    process.env[key] = value;
  }
-}
-
-/**
- * Sets environment variables that are always available on GitHub Actions.
- *
- * @param tempDir A value for `RUNNER_TEMP` and `GITHUB_WORKSPACE`.
- * @param toolsDir A value for `RUNNER_TOOL_CACHE`.
- * @param overrides Overrides for the defaults.
- */
-export function setupActionsVars(
-  tempDir: string,
-  toolsDir: string,
-  overrides?: ActionVarOverrides,
-) {
-  setupBaseActionsVars(overrides);
  process.env["RUNNER_TEMP"] = tempDir;
  process.env["RUNNER_TOOL_CACHE"] = toolsDir;
  process.env["GITHUB_WORKSPACE"] = tempDir;
@@ -6,13 +6,9 @@ import { ToolsFeature, isSupportedToolsFeature } from "./tools-features";
 test("isSupportedToolsFeature", async (t) => {
  const versionInfo = makeVersionInfo("1.0.0");

-  t.false(
-    isSupportedToolsFeature(versionInfo, ToolsFeature.BundleSupportsOverlay),
-  );
+  t.false(isSupportedToolsFeature(versionInfo, ToolsFeature.ForceOverwrite));

-  versionInfo.features = { bundleSupportsOverlay: true };
+  versionInfo.features = { forceOverwrite: true };

-  t.true(
-    isSupportedToolsFeature(versionInfo, ToolsFeature.BundleSupportsOverlay),
-  );
+  t.true(isSupportedToolsFeature(versionInfo, ToolsFeature.ForceOverwrite));
 });
@@ -6,6 +6,8 @@ export enum ToolsFeature {
  BuiltinExtractorsSpecifyDefaultQueries = "builtinExtractorsSpecifyDefaultQueries",
  BundleSupportsIncludeOption = "bundleSupportsIncludeOption",
  BundleSupportsOverlay = "bundleSupportsOverlay",
+  DatabaseInterpretResultsSupportsSarifRunProperty = "databaseInterpretResultsSupportsSarifRunProperty",
+  ForceOverwrite = "forceOverwrite",
  IndirectTracingSupportsStaticBinaries = "indirectTracingSupportsStaticBinaries",
  SuppressesMissingFileBaselineWarning = "suppressesMissingFileBaselineWarning",
 }
@@ -1,3 +0,0 @@
-"use strict";
-
-module.exports = require("./entry-points").__UPLOAD_LIB_EXPORT__;
@@ -12,7 +12,7 @@ import { EnvVar } from "./environment";
 import { getActionsLogger, withGroup } from "./logging";
 import { checkGitHubVersionInRange, getErrorMessage } from "./util";

-export async function runWrapper() {
+async function runWrapper() {
  // To capture errors appropriately, keep as much code within the try-catch as
  // possible, and only use safe functions outside.

@@ -48,3 +48,5 @@ export async function runWrapper() {
    );
  }
 }
+
+void runWrapper();
@@ -165,7 +165,7 @@ async function run(startedAt: Date) {
  }
 }

-export async function runWrapper() {
+async function runWrapper() {
  const startedAt = new Date();
  const logger = getActionsLogger();
  try {
@@ -182,3 +182,5 @@ export async function runWrapper() {
    );
  }
 }
+
+void runWrapper();
@@ -418,7 +418,9 @@ for (const [
    `checkActionVersion ${reportErrorDescription} for ${versionsDescription}`,
    async (t) => {
      const warningSpy = sinon.spy(core, "warning");
-      sinon.stub(api, "getGitHubVersion").resolves(githubVersion);
+      const versionStub = sinon
+        .stub(api, "getGitHubVersion")
+        .resolves(githubVersion);

      // call checkActionVersion twice and assert below that warning is reported only once
      util.checkActionVersion(version, await api.getGitHubVersion());
@@ -435,6 +437,7 @@ for (const [
      } else {
        t.false(warningSpy.called);
      }
+      versionStub.restore();
    },
  );
 }
@@ -30,5 +30,5 @@ outputs:
    description: A stringified JSON array of objects containing the types and URLs of the configured registries.
 runs:
  using: node24
-  main: "../lib/start-proxy-entry.js"
-  post: "../lib/start-proxy-post-entry.js"
+  main: "../lib/start-proxy-action.js"
+  post: "../lib/start-proxy-action-post.js"
--- a/Show More
+++ b/Show More