Rebuild

Update changelog and version after v4.36.1
Fixed tests due to stale language.ts obscuring language/index.ts import when done at module level
2026-06-01 11:24:30 +00:00 · 2026-05-25 14:36:28 +00:00 · 2026-05-25 14:36:15 +00:00 · 2026-05-25 16:33:01 +02:00 · 2026-05-25 13:27:20 +02:00 · 2026-05-25 11:10:26 +00:00
40 changed files with 971 additions and 205 deletions
@@ -59,7 +59,7 @@ jobs:
          use-all-platform-bundle: 'false'
          setup-kotlin: 'true'
      - name: Set up Ruby
-        uses: ruby/setup-ruby@6aaa311d81eba98ae12eaffbcb63296ace0efcde # v1.307.0
+        uses: ruby/setup-ruby@c4e5b1316158f92e3d49443a9d58b31d25ac0f8f # v1.306.0
        with:
          ruby-version: 2.6
      - name: Install Code Scanning integration
@@ -6,6 +6,10 @@ See the [releases page](https://github.com/github/codeql-action/releases) for th

 No user facing changes.

+## v4.36.1 - 25 May 2026
+
+This release rolls back 4.36.0 due to issues with that release. It is identical to 0.0.0.
+
 ## 4.36.0 - 22 May 2026

 - _Breaking change_: Bump the minimum required CodeQL bundle version to 2.19.4. [#3894](https://github.com/github/codeql-action/pull/3894)
@@ -1218,3 +1222,4 @@ No user facing changes.
 - Add this changelog file. [#507](https://github.com/github/codeql-action/pull/507)
 - Improve grouping of analysis logs. Add a new log group containing a summary of metrics and diagnostics, if they were produced by CodeQL builtin queries. [#515](https://github.com/github/codeql-action/pull/515)
 - Add metrics and diagnostics summaries from custom query suites to the analysis summary log group. [#532](https://github.com/github/codeql-action/pull/532)
+
@@ -125031,7 +125031,7 @@ var require_tmp = __commonJS({
            cb(null, path28.join(parentDir, path28.basename(pathToResolve)));
          });
        } else {
-          fs30.realpath(pathToResolve, cb);
+          fs30.realpath(path28, cb);
        }
      });
    }
@@ -125063,31 +125063,16 @@ var require_tmp = __commonJS({
      ].join("");
      return path28.join(tmpDir, opts.dir, name);
    }
-    function _assertPath(option, value) {
-      if (typeof value !== "string") {
-        throw new Error(`${option} option must be a string, got "${typeof value}".`);
-      }
-      if (value.includes("..")) {
-        throw new Error("Relative value not allowed");
-      }
-      return value;
-    }
    function _assertOptionsBase(options) {
      if (!_isUndefined(options.name)) {
        const name = options.name;
        if (path28.isAbsolute(name)) throw new Error(`name option must not contain an absolute path, found "${name}".`);
        const basename2 = path28.basename(name);
-        if (basename2 === ".." || basename2 === "." || basename2 !== name) {
+        if (basename2 === ".." || basename2 === "." || basename2 !== name)
          throw new Error(`name option must not contain a path, found "${name}".`);
-        }
      }
-      if (!_isUndefined(options.template)) {
-        if (typeof options.template !== "string") {
-          throw new Error(`template option must be a string, got "${typeof options.template}".`);
-        }
-        if (!options.template.match(TEMPLATE_PATTERN)) {
-          throw new Error(`Invalid template, found "${options.template}".`);
-        }
+      if (!_isUndefined(options.template) && !options.template.match(TEMPLATE_PATTERN)) {
+        throw new Error(`Invalid template, found "${options.template}".`);
      }
      if (!_isUndefined(options.tries) && isNaN(options.tries) || options.tries < 0) {
        throw new Error(`Invalid tries, found "${options.tries}".`);
@@ -125097,16 +125082,15 @@ var require_tmp = __commonJS({
      options.detachDescriptor = !!options.detachDescriptor;
      options.discardDescriptor = !!options.discardDescriptor;
      options.unsafeCleanup = !!options.unsafeCleanup;
-      options.prefix = _isUndefined(options.prefix) ? "" : _assertPath("prefix", options.prefix);
-      options.postfix = _isUndefined(options.postfix) ? "" : _assertPath("postfix", options.postfix);
-      options.template = _isUndefined(options.template) ? void 0 : _assertPath("template", options.template);
+      options.prefix = _isUndefined(options.prefix) ? "" : options.prefix;
+      options.postfix = _isUndefined(options.postfix) ? "" : options.postfix;
    }
    function _getRelativePath(option, name, tmpDir, cb) {
      if (_isUndefined(name)) return cb(null);
      _resolvePath(name, tmpDir, function(err, resolvedPath) {
        if (err) return cb(err);
        const relativePath = path28.relative(tmpDir, resolvedPath);
-        if (relativePath.startsWith("..") || path28.isAbsolute(relativePath)) {
+        if (!resolvedPath.startsWith(tmpDir)) {
          return cb(new Error(`${option} option must be relative to "${tmpDir}", found "${relativePath}".`));
        }
        cb(null, relativePath);
@@ -125116,7 +125100,7 @@ var require_tmp = __commonJS({
      if (_isUndefined(name)) return;
      const resolvedPath = _resolvePathSync(name, tmpDir);
      const relativePath = path28.relative(tmpDir, resolvedPath);
-      if (relativePath.startsWith("..") || path28.isAbsolute(relativePath)) {
+      if (!resolvedPath.startsWith(tmpDir)) {
        throw new Error(`${option} option must be relative to "${tmpDir}", found "${relativePath}".`);
      }
      return relativePath;
@@ -147682,7 +147666,7 @@ var safeDump = renamed("safeDump", "dump");
 var semver = __toESM(require_semver2());

 // src/api-compatibility.json
-var maximumVersion = "3.22";
+var maximumVersion = "3.21";
 var minimumVersion = "3.16";

 // src/json/index.ts
@@ -148366,7 +148350,7 @@ function getDiffRangesJsonFilePath() {
  return path2.join(getTemporaryDirectory(), PR_DIFF_RANGE_JSON_FILENAME);
 }
 function getActionVersion() {
-  return "4.36.1";
+  return "4.36.2";
 }
 function getWorkflowEventName() {
  return getRequiredEnvParam("GITHUB_EVENT_NAME");
@@ -150410,11 +150394,13 @@ function getUnknownLanguagesError(languages) {
 }

 // src/feature-flags/properties.ts
+var github2 = __toESM(require_github());
 var GITHUB_CODEQL_PROPERTY_PREFIX = "github-codeql-";
 var RepositoryPropertyName = /* @__PURE__ */ ((RepositoryPropertyName2) => {
  RepositoryPropertyName2["DISABLE_OVERLAY"] = "github-codeql-disable-overlay";
  RepositoryPropertyName2["EXTRA_QUERIES"] = "github-codeql-extra-queries";
  RepositoryPropertyName2["FILE_COVERAGE_ON_PRS"] = "github-codeql-file-coverage-on-prs";
+  RepositoryPropertyName2["TOOLS"] = "github-codeql-tools";
  return RepositoryPropertyName2;
 })(RepositoryPropertyName || {});
 function isString2(value) {
@@ -150432,7 +150418,8 @@ var booleanProperty = {
 var repositoryPropertyParsers = {
  ["github-codeql-disable-overlay" /* DISABLE_OVERLAY */]: booleanProperty,
  ["github-codeql-extra-queries" /* EXTRA_QUERIES */]: stringProperty,
-  ["github-codeql-file-coverage-on-prs" /* FILE_COVERAGE_ON_PRS */]: booleanProperty
+  ["github-codeql-file-coverage-on-prs" /* FILE_COVERAGE_ON_PRS */]: booleanProperty,
+  ["github-codeql-tools" /* TOOLS */]: stringProperty
 };
 async function loadPropertiesFromApi(logger, repositoryNwo) {
  try {
@@ -150485,6 +150472,26 @@ async function loadPropertiesFromApi(logger, repositoryNwo) {
    );
  }
 }
+async function loadRepositoryProperties(repositoryNwo, logger) {
+  const repositoryOwnerType = github2.context.payload.repository?.owner.type;
+  logger.debug(
+    `Repository owner type is '${repositoryOwnerType ?? "unknown"}'.`
+  );
+  if (repositoryOwnerType === "User") {
+    logger.debug(
+      "Skipping loading repository properties because the repository is owned by a user and therefore cannot have repository properties."
+    );
+    return new Success({});
+  }
+  try {
+    return new Success(await loadPropertiesFromApi(logger, repositoryNwo));
+  } catch (error3) {
+    logger.warning(
+      `Failed to load repository properties: ${getErrorMessage(error3)}`
+    );
+    return new Failure(error3);
+  }
+}
 function setProperty2(properties, name, value, logger) {
  const propertyOptions = repositoryPropertyParsers[name];
  if (propertyOptions.validate(value)) {
@@ -153376,7 +153383,7 @@ async function getCodeQLSource(toolsInput, defaultCliVersion, rawLanguages, useO
        );
      } else {
        if (allowToolcacheValueFF) {
-          logger.warning(
+          logger.info(
            `Ignoring 'tools: ${toolsInput}' because the workflow was not triggered dynamically.`
          );
        } else {
@@ -156717,7 +156724,7 @@ var fs19 = __toESM(require("fs"));
 var path17 = __toESM(require("path"));
 var core14 = __toESM(require_core());
 var toolrunner4 = __toESM(require_toolrunner());
-var github2 = __toESM(require_github());
+var github3 = __toESM(require_github());
 var io6 = __toESM(require_io());
 async function initCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliVersion, rawLanguages, useOverlayAwareDefaultCliVersion, features, logger) {
  logger.startGroup("Setup CodeQL tools");
@@ -156921,7 +156928,7 @@ function logFileCoverageOnPrsDeprecationWarning(logger) {
  if (process.env["CODEQL_ACTION_DID_LOG_FILE_COVERAGE_ON_PRS_DEPRECATION" /* DID_LOG_FILE_COVERAGE_ON_PRS_DEPRECATION */]) {
    return;
  }
-  const repositoryOwnerType = github2.context.payload.repository?.owner.type;
+  const repositoryOwnerType = github3.context.payload.repository?.owner.type;
  let message = "Starting April 2026, the CodeQL Action will skip computing file coverage information on pull requests to improve analysis performance. File coverage information will still be computed on non-PR analyses.";
  const envVarOptOut = "set the `CODEQL_ACTION_FILE_COVERAGE_ON_PRS` environment variable to `true`.";
  const repoPropertyOptOut = 'create a custom repository property with the name `github-codeql-file-coverage-on-prs` and the type "True/false", then set this property to `true` in the repository\'s settings.';
@@ -158705,10 +158712,25 @@ async function runWrapper3() {
 var fs27 = __toESM(require("fs"));
 var path23 = __toESM(require("path"));
 var core21 = __toESM(require_core());
-var github3 = __toESM(require_github());
 var io7 = __toESM(require_io());
 var semver10 = __toESM(require_semver2());

+// src/resolve-tools-input.ts
+function resolveToolsInput(toolsWorkflowInput, repositoryProperties, logger) {
+  if (toolsWorkflowInput) {
+    logger.info(`Setting tools: ${toolsWorkflowInput} based on workflow input.`);
+    return toolsWorkflowInput;
+  }
+  const toolsPropertyValue = repositoryProperties["github-codeql-tools" /* TOOLS */];
+  if (toolsPropertyValue) {
+    logger.info(
+      `Setting tools: ${toolsPropertyValue} based on the '${"github-codeql-tools" /* TOOLS */}' repository property.`
+    );
+    return toolsPropertyValue;
+  }
+  return void 0;
+}
+
 // src/workflow.ts
 var fs26 = __toESM(require("fs"));
 var path22 = __toESM(require("path"));
@@ -158999,7 +159021,7 @@ async function sendStartingStatusReport(startedAt, config, logger) {
    await sendStatusReport(statusReportBase);
  }
 }
-async function sendCompletedStatusReport2(startedAt, config, configFile, toolsDownloadStatusReport, toolsFeatureFlagsValid, toolsSource, toolsVersion, overlayBaseDatabaseStats, dependencyCachingResults, logger, error3) {
+async function sendCompletedStatusReport2(startedAt, config, configFile, toolsDownloadStatusReport, toolsFeatureFlagsValid, toolsSource, toolsVersion, effectiveToolsInput, overlayBaseDatabaseStats, dependencyCachingResults, logger, error3) {
  const statusReportBase = await createStatusReportBase(
    "init" /* Init */,
    getActionsStatus(error3),
@@ -159017,6 +159039,7 @@ async function sendCompletedStatusReport2(startedAt, config, configFile, toolsDo
  const initStatusReport = {
    ...statusReportBase,
    tools_input: getOptionalInput("tools") || "",
+    effective_tools_input: effectiveToolsInput || "",
    tools_resolved_version: toolsVersion,
    tools_source: toolsSource || "UNKNOWN" /* Unknown */,
    workflow_languages: workflowLanguages || ""
@@ -159060,6 +159083,7 @@ async function run3(startedAt) {
  let toolsSource;
  let toolsVersion;
  let zstdAvailability;
+  let effectiveToolsInput;
  try {
    initializeEnvironment(getActionVersion());
    persistInputs();
@@ -159083,6 +159107,7 @@ async function run3(startedAt) {
      repositoryNwo,
      logger
    );
+    const repositoryProperties = repositoryPropertiesResult.orElse({});
    const jobRunUuid = v4_default();
    logger.info(`Job run UUID is ${jobRunUuid}.`);
    core21.exportVariable("JOB_RUN_UUID" /* JOB_RUN_UUID */, jobRunUuid);
@@ -159108,12 +159133,17 @@ async function run3(startedAt) {
    }
    const codeQLDefaultVersionInfo = await features.getEnabledDefaultCliVersions(gitHubVersion.type);
    toolsFeatureFlagsValid = codeQLDefaultVersionInfo.toolsFeatureFlagsValid;
+    effectiveToolsInput = resolveToolsInput(
+      getOptionalInput("tools"),
+      repositoryProperties,
+      logger
+    );
    const rawLanguages = getRawLanguagesNoAutodetect(
      getOptionalInput("languages")
    );
    const useOverlayAwareDefaultCliVersion = analysisKinds?.length === 1 && analysisKinds[0] === "code-scanning" /* CodeScanning */;
    const initCodeQLResult = await initCodeQL(
-      getOptionalInput("tools"),
+      effectiveToolsInput,
      apiDetails,
      getTemporaryDirectory(),
      gitHubVersion.type,
@@ -159149,7 +159179,6 @@ async function run3(startedAt) {
    }
    analysisKinds = await getAnalysisKinds(logger, features);
    const debugMode = getOptionalInput("debug") === "true" || core21.isDebug();
-    const repositoryProperties = repositoryPropertiesResult.orElse({});
    const fileCoverageResult = await getFileCoverageInformationEnabled(
      debugMode,
      codeql,
@@ -159447,6 +159476,7 @@ exec ${goBinaryPath} "$@"`
      toolsFeatureFlagsValid,
      toolsSource,
      toolsVersion,
+      effectiveToolsInput,
      overlayBaseDatabaseStats,
      dependencyCachingStatus,
      logger,
@@ -159464,31 +159494,12 @@ exec ${goBinaryPath} "$@"`
    toolsFeatureFlagsValid,
    toolsSource,
    toolsVersion,
+    effectiveToolsInput,
    overlayBaseDatabaseStats,
    dependencyCachingStatus,
    logger
  );
 }
-async function loadRepositoryProperties(repositoryNwo, logger) {
-  const repositoryOwnerType = github3.context.payload.repository?.owner.type;
-  logger.debug(
-    `Repository owner type is '${repositoryOwnerType ?? "unknown"}'.`
-  );
-  if (repositoryOwnerType === "User") {
-    logger.debug(
-      "Skipping loading repository properties because the repository is owned by a user and therefore cannot have repository properties."
-    );
-    return new Success({});
-  }
-  try {
-    return new Success(await loadPropertiesFromApi(logger, repositoryNwo));
-  } catch (error3) {
-    logger.warning(
-      `Failed to load repository properties: ${getErrorMessage(error3)}`
-    );
-    return new Failure(error3);
-  }
-}
 async function recordZstdAvailability(config, zstdAvailability) {
  addNoLanguageDiagnostic(
    config,
@@ -160057,7 +160068,7 @@ async function runWrapper6() {

 // src/setup-codeql-action.ts
 var core24 = __toESM(require_core());
-async function sendCompletedStatusReport3(startedAt, toolsDownloadStatusReport, toolsFeatureFlagsValid, toolsSource, toolsVersion, logger, error3) {
+async function sendCompletedStatusReport3(startedAt, toolsDownloadStatusReport, toolsFeatureFlagsValid, toolsSource, toolsVersion, effectiveToolsInput, logger, error3) {
  const statusReportBase = await createStatusReportBase(
    "setup-codeql" /* SetupCodeQL */,
    getActionsStatus(error3),
@@ -160074,6 +160085,7 @@ async function sendCompletedStatusReport3(startedAt, toolsDownloadStatusReport,
  const initStatusReport = {
    ...statusReportBase,
    tools_input: getOptionalInput("tools") || "",
+    effective_tools_input: effectiveToolsInput || "",
    tools_resolved_version: toolsVersion,
    tools_source: toolsSource || "UNKNOWN" /* Unknown */,
    workflow_languages: ""
@@ -160094,6 +160106,7 @@ async function run6(startedAt) {
  let toolsFeatureFlagsValid;
  let toolsSource;
  let toolsVersion;
+  let effectiveToolsInput;
  try {
    initializeEnvironment(getActionVersion());
    const apiDetails = {
@@ -160128,12 +160141,22 @@ async function run6(startedAt) {
    }
    const codeQLDefaultVersionInfo = await features.getEnabledDefaultCliVersions(gitHubVersion.type);
    toolsFeatureFlagsValid = codeQLDefaultVersionInfo.toolsFeatureFlagsValid;
+    const repositoryPropertiesResult = await loadRepositoryProperties(
+      repositoryNwo,
+      logger
+    );
+    const repositoryProperties = repositoryPropertiesResult.orElse({});
+    effectiveToolsInput = resolveToolsInput(
+      getOptionalInput("tools"),
+      repositoryProperties,
+      logger
+    );
    const rawLanguages = getRawLanguagesNoAutodetect(
      getOptionalInput("languages")
    );
    const analysisKinds = await getAnalysisKinds(logger, features);
    const initCodeQLResult = await initCodeQL(
-      getOptionalInput("tools"),
+      effectiveToolsInput,
      apiDetails,
      getTemporaryDirectory(),
      gitHubVersion.type,
@@ -160174,6 +160197,7 @@ async function run6(startedAt) {
    toolsFeatureFlagsValid,
    toolsSource,
    toolsVersion,
+    effectiveToolsInput,
    logger
  );
 }
@@ -1,12 +1,12 @@
 {
  "name": "codeql",
-  "version": "4.36.1",
+  "version": "4.36.2",
  "lockfileVersion": 3,
  "requires": true,
  "packages": {
    "": {
      "name": "codeql",
-      "version": "4.36.1",
+      "version": "4.36.2",
      "license": "MIT",
      "workspaces": [
        "pr-checks"
@@ -61,7 +61,7 @@
        "nock": "^14.0.15",
        "sinon": "^22.0.0",
        "typescript": "^6.0.3",
-        "typescript-eslint": "^8.59.4"
+        "typescript-eslint": "^8.59.3"
      }
    },
    "node_modules/@aashutoshrathi/word-wrap": {
@@ -2528,17 +2528,17 @@
      "license": "MIT"
    },
    "node_modules/@typescript-eslint/eslint-plugin": {
-      "version": "8.59.4",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/eslint-plugin/-/eslint-plugin-8.59.4.tgz",
-      "integrity": "sha512-PegsU+XfyJJNjd4+u/k6f9yTyp0lEXXiPopUNobZcIAUJFGICFLN+sP0Rb3JehVmiij1Ph0dFGYqODoRo/2+6A==",
+      "version": "8.59.3",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/eslint-plugin/-/eslint-plugin-8.59.3.tgz",
+      "integrity": "sha512-PwFvSKsXGShKGW6n5bZOhGHEcCZXM8HofLK9fNsEwZXzFRjoY+XT1Vsf1zgyXdwTr0ZYz1/2tkZ0DBTT9jZjhw==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
        "@eslint-community/regexpp": "^4.12.2",
-        "@typescript-eslint/scope-manager": "8.59.4",
-        "@typescript-eslint/type-utils": "8.59.4",
-        "@typescript-eslint/utils": "8.59.4",
-        "@typescript-eslint/visitor-keys": "8.59.4",
+        "@typescript-eslint/scope-manager": "8.59.3",
+        "@typescript-eslint/type-utils": "8.59.3",
+        "@typescript-eslint/utils": "8.59.3",
+        "@typescript-eslint/visitor-keys": "8.59.3",
        "ignore": "^7.0.5",
        "natural-compare": "^1.4.0",
        "ts-api-utils": "^2.5.0"
@@ -2551,7 +2551,7 @@
        "url": "https://opencollective.com/typescript-eslint"
      },
      "peerDependencies": {
-        "@typescript-eslint/parser": "^8.59.4",
+        "@typescript-eslint/parser": "^8.59.3",
        "eslint": "^8.57.0 || ^9.0.0 || ^10.0.0",
        "typescript": ">=4.8.4 <6.1.0"
      }
@@ -2567,16 +2567,16 @@
      }
    },
    "node_modules/@typescript-eslint/parser": {
-      "version": "8.59.4",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/parser/-/parser-8.59.4.tgz",
-      "integrity": "sha512-zORHqO/tuhxY1zWuTvMUqddRxpiFJ72xVfcNoWpqdLjs6lfPbuQBJuW4pk+49/uBMy7Ssr4bzgjiKmmDB1UbZQ==",
+      "version": "8.59.3",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/parser/-/parser-8.59.3.tgz",
+      "integrity": "sha512-HPwA+hVkfcriajbNvTmZv4VRauibay+cWArYUYq7u7W7PmGShMxbPxLvrwDme55a6d5alG3nrYfhyJ/G28XlLg==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
-        "@typescript-eslint/scope-manager": "8.59.4",
-        "@typescript-eslint/types": "8.59.4",
-        "@typescript-eslint/typescript-estree": "8.59.4",
-        "@typescript-eslint/visitor-keys": "8.59.4",
+        "@typescript-eslint/scope-manager": "8.59.3",
+        "@typescript-eslint/types": "8.59.3",
+        "@typescript-eslint/typescript-estree": "8.59.3",
+        "@typescript-eslint/visitor-keys": "8.59.3",
        "debug": "^4.4.3"
      },
      "engines": {
@@ -2610,14 +2610,14 @@
      }
    },
    "node_modules/@typescript-eslint/project-service": {
-      "version": "8.59.4",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/project-service/-/project-service-8.59.4.tgz",
-      "integrity": "sha512-Ly00Vu4oAacfDeHp2Zg85ioNG6l8HG+tN1D7J+xTHSxu9y0awYKJ2zH1rFBn8ZSfuGK+7FxK3Cgl3uAz0aZZLg==",
+      "version": "8.59.3",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/project-service/-/project-service-8.59.3.tgz",
+      "integrity": "sha512-ECiUWa/KYRGDFUqTNehaRgzDshnJfkTABJxVemHk4ko22gcr0ukloKjWvyQ64g8YCV/UI47kN1dbmjf/GaQYng==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
-        "@typescript-eslint/tsconfig-utils": "^8.59.4",
-        "@typescript-eslint/types": "^8.59.4",
+        "@typescript-eslint/tsconfig-utils": "^8.59.3",
+        "@typescript-eslint/types": "^8.59.3",
        "debug": "^4.4.3"
      },
      "engines": {
@@ -2650,14 +2650,14 @@
      }
    },
    "node_modules/@typescript-eslint/scope-manager": {
-      "version": "8.59.4",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/scope-manager/-/scope-manager-8.59.4.tgz",
-      "integrity": "sha512-mUeR/3H1WrTAddJrwut8OoPjfauaztMQmRwV5fQTUyNVJCLiUXXe4lGEyYIL2oFDpP7UtgbGJXCt72wT0z2S3Q==",
+      "version": "8.59.3",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/scope-manager/-/scope-manager-8.59.3.tgz",
+      "integrity": "sha512-t2LvZnoEfzKtnPjgeEu41xw5gxq9mQVfYy4OoZ4Vlt0sk3JwxmhCca/AR7DwOiHrjWgjAj6as4AhRLKSDfvZIA==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
-        "@typescript-eslint/types": "8.59.4",
-        "@typescript-eslint/visitor-keys": "8.59.4"
+        "@typescript-eslint/types": "8.59.3",
+        "@typescript-eslint/visitor-keys": "8.59.3"
      },
      "engines": {
        "node": "^18.18.0 || ^20.9.0 || >=21.1.0"
@@ -2668,9 +2668,9 @@
      }
    },
    "node_modules/@typescript-eslint/tsconfig-utils": {
-      "version": "8.59.4",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/tsconfig-utils/-/tsconfig-utils-8.59.4.tgz",
-      "integrity": "sha512-DLCpnKgD4alVxTBSKulK+gU1KCqOgUXfDRDXh2mZgzokQKa/70ax93I2uVO3m/LLvIAtWZIFoiifudmIqAxpMA==",
+      "version": "8.59.3",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/tsconfig-utils/-/tsconfig-utils-8.59.3.tgz",
+      "integrity": "sha512-PcIJHjmaREXLgIAIzLnSY9VucEzz8FKXsRgFa1DmdGCK/5tJpW03TKJF01Q6VZd1lLdz2sIKPWaDUZN9dp//dw==",
      "dev": true,
      "license": "MIT",
      "engines": {
@@ -2685,15 +2685,15 @@
      }
    },
    "node_modules/@typescript-eslint/type-utils": {
-      "version": "8.59.4",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/type-utils/-/type-utils-8.59.4.tgz",
-      "integrity": "sha512-uonTuPAAKr9XaBGqJ3LjYTh72zy5DyGesljO9gtmk/eFW0W1fRHjnwVYKB35Lm8d5Q5CluEW3gPHjTvZTmgrfA==",
+      "version": "8.59.3",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/type-utils/-/type-utils-8.59.3.tgz",
+      "integrity": "sha512-g71d8QD8UaiHGvrJwyIS1hCX5r63w6Jll+4VEYhEAHXTDIqX1JgxhTAbEHtKntL9kuc4jRo7/GWw5xfCepSccQ==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
-        "@typescript-eslint/types": "8.59.4",
-        "@typescript-eslint/typescript-estree": "8.59.4",
-        "@typescript-eslint/utils": "8.59.4",
+        "@typescript-eslint/types": "8.59.3",
+        "@typescript-eslint/typescript-estree": "8.59.3",
+        "@typescript-eslint/utils": "8.59.3",
        "debug": "^4.4.3",
        "ts-api-utils": "^2.5.0"
      },
@@ -2728,9 +2728,9 @@
      }
    },
    "node_modules/@typescript-eslint/types": {
-      "version": "8.59.4",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/types/-/types-8.59.4.tgz",
-      "integrity": "sha512-F1o7WJcCq+bc8dwcO/YsSEOudAH8RDtaOhM6wcAQhcUsFhnWQl81JKy48q1hoxAU0qrzM89+31GYh1515Zde3Q==",
+      "version": "8.59.3",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/types/-/types-8.59.3.tgz",
+      "integrity": "sha512-ePFoH0g4ludssdRFqqDxQePCxU4WQyRa9+XVwjm7yLn0FKhMeoetC+qBEEI1Eyb1pGSDveTIT09Bvw2WhlGayg==",
      "dev": true,
      "license": "MIT",
      "engines": {
@@ -2742,16 +2742,16 @@
      }
    },
    "node_modules/@typescript-eslint/typescript-estree": {
-      "version": "8.59.4",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/typescript-estree/-/typescript-estree-8.59.4.tgz",
-      "integrity": "sha512-F+RuOmcDXo4+TPdfd/TCLS3m2nw8gE9XXyZLrA3JBfaA5tz9TtdkyD3YJFmPxulyc2cKbEok/CvFE3MgSLWnag==",
+      "version": "8.59.3",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/typescript-estree/-/typescript-estree-8.59.3.tgz",
+      "integrity": "sha512-CbRjVRAf7Lr9Kr8RopKcbY45p2VfmmHrm0ygOCYFi7oU8q19m0Fs/6iHS7kNOmwpp+ob07ZVcAqlxUod9lYdmg==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
-        "@typescript-eslint/project-service": "8.59.4",
-        "@typescript-eslint/tsconfig-utils": "8.59.4",
-        "@typescript-eslint/types": "8.59.4",
-        "@typescript-eslint/visitor-keys": "8.59.4",
+        "@typescript-eslint/project-service": "8.59.3",
+        "@typescript-eslint/tsconfig-utils": "8.59.3",
+        "@typescript-eslint/types": "8.59.3",
+        "@typescript-eslint/visitor-keys": "8.59.3",
        "debug": "^4.4.3",
        "minimatch": "^10.2.2",
        "semver": "^7.7.3",
@@ -2827,16 +2827,16 @@
      }
    },
    "node_modules/@typescript-eslint/utils": {
-      "version": "8.59.4",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/utils/-/utils-8.59.4.tgz",
-      "integrity": "sha512-cYXeNAUsG4lJo5dbc1FcKm+JwIWrj1/UpTORsC6tGMjEZ81DYcvIr9/ueikhMa/Y/gDQYGp+YX9/xQrXje5BJw==",
+      "version": "8.59.3",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/utils/-/utils-8.59.3.tgz",
+      "integrity": "sha512-JAvT14goBzRzzzZyqq3P9BLArIxTtQURUtFgQ/V7FO+eU+Gg6ES+5ymOPP1wRxXcxAYeivCk4uS3jCKWI1K8Zg==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
        "@eslint-community/eslint-utils": "^4.9.1",
-        "@typescript-eslint/scope-manager": "8.59.4",
-        "@typescript-eslint/types": "8.59.4",
-        "@typescript-eslint/typescript-estree": "8.59.4"
+        "@typescript-eslint/scope-manager": "8.59.3",
+        "@typescript-eslint/types": "8.59.3",
+        "@typescript-eslint/typescript-estree": "8.59.3"
      },
      "engines": {
        "node": "^18.18.0 || ^20.9.0 || >=21.1.0"
@@ -2851,13 +2851,13 @@
      }
    },
    "node_modules/@typescript-eslint/visitor-keys": {
-      "version": "8.59.4",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/visitor-keys/-/visitor-keys-8.59.4.tgz",
-      "integrity": "sha512-U3gxVaDVnuZKhSspW/MzMxE1kq7zOdc072FcSNoqA1I9p8HyKbBFfEHoWckBAMgNMph4MamwS5iTVzFmrnt8TQ==",
+      "version": "8.59.3",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/visitor-keys/-/visitor-keys-8.59.3.tgz",
+      "integrity": "sha512-f1UQF7ggd42YiwI5wGrRaPsa+P0CINBlrkLPmGfpq/u/I/oVtecoEIfFR9ag/oa1sLOsRNZ6xehf6qMZhQGBDg==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
-        "@typescript-eslint/types": "8.59.4",
+        "@typescript-eslint/types": "8.59.3",
        "eslint-visitor-keys": "^5.0.0"
      },
      "engines": {
@@ -9047,9 +9047,9 @@
      }
    },
    "node_modules/tmp": {
-      "version": "0.2.7",
-      "resolved": "https://registry.npmjs.org/tmp/-/tmp-0.2.7.tgz",
-      "integrity": "sha512-e0votIpp4Uo2AJYSzVHV6xCcawuiez3DzqDAbrTc3YxBkplN6e+dM13ZeIcZnDg/QpSuU2zfZ3rzwY8ukEnaXw==",
+      "version": "0.2.4",
+      "resolved": "https://registry.npmjs.org/tmp/-/tmp-0.2.4.tgz",
+      "integrity": "sha512-UdiSoX6ypifLmrfQ/XfiawN6hkjSBpCjhKxxZcWlUUmoXLaCKQU0bx4HF/tdDK2uzRuchf1txGvrWBzYREssoQ==",
      "license": "MIT",
      "engines": {
        "node": ">=14.14"
@@ -9140,13 +9140,14 @@
      "license": "0BSD"
    },
    "node_modules/tsx": {
-      "version": "4.22.3",
-      "resolved": "https://registry.npmjs.org/tsx/-/tsx-4.22.3.tgz",
-      "integrity": "sha512-mdoNxBC/cSQObGGVQ5Bpn5i+yv7j68gk3Nfm3wFjcJg3Z0Mix9jzAFfP12prmm5eVGmDKtp0yyArrs0Q+8gZHg==",
+      "version": "4.21.0",
+      "resolved": "https://registry.npmjs.org/tsx/-/tsx-4.21.0.tgz",
+      "integrity": "sha512-5C1sg4USs1lfG0GFb2RLXsdpXqBSEhAaA/0kPL01wxzpMqLILNxIxIOKiILz+cdg/pLnOUxFYOR5yhHU666wbw==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
-        "esbuild": "~0.28.0"
+        "esbuild": "~0.27.0",
+        "get-tsconfig": "^4.7.5"
      },
      "bin": {
        "tsx": "dist/cli.mjs"
@@ -9158,6 +9159,490 @@
        "fsevents": "~2.3.3"
      }
    },
+    "node_modules/tsx/node_modules/@esbuild/aix-ppc64": {
+      "version": "0.27.7",
+      "resolved": "https://registry.npmjs.org/@esbuild/aix-ppc64/-/aix-ppc64-0.27.7.tgz",
+      "integrity": "sha512-EKX3Qwmhz1eMdEJokhALr0YiD0lhQNwDqkPYyPhiSwKrh7/4KRjQc04sZ8db+5DVVnZ1LmbNDI1uAMPEUBnQPg==",
+      "cpu": [
+        "ppc64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "aix"
+      ],
+      "engines": {
+        "node": ">=18"
+      }
+    },
+    "node_modules/tsx/node_modules/@esbuild/android-arm": {
+      "version": "0.27.7",
+      "resolved": "https://registry.npmjs.org/@esbuild/android-arm/-/android-arm-0.27.7.tgz",
+      "integrity": "sha512-jbPXvB4Yj2yBV7HUfE2KHe4GJX51QplCN1pGbYjvsyCZbQmies29EoJbkEc+vYuU5o45AfQn37vZlyXy4YJ8RQ==",
+      "cpu": [
+        "arm"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "android"
+      ],
+      "engines": {
+        "node": ">=18"
+      }
+    },
+    "node_modules/tsx/node_modules/@esbuild/android-arm64": {
+      "version": "0.27.7",
+      "resolved": "https://registry.npmjs.org/@esbuild/android-arm64/-/android-arm64-0.27.7.tgz",
+      "integrity": "sha512-62dPZHpIXzvChfvfLJow3q5dDtiNMkwiRzPylSCfriLvZeq0a1bWChrGx/BbUbPwOrsWKMn8idSllklzBy+dgQ==",
+      "cpu": [
+        "arm64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "android"
+      ],
+      "engines": {
+        "node": ">=18"
+      }
+    },
+    "node_modules/tsx/node_modules/@esbuild/android-x64": {
+      "version": "0.27.7",
+      "resolved": "https://registry.npmjs.org/@esbuild/android-x64/-/android-x64-0.27.7.tgz",
+      "integrity": "sha512-x5VpMODneVDb70PYV2VQOmIUUiBtY3D3mPBG8NxVk5CogneYhkR7MmM3yR/uMdITLrC1ml/NV1rj4bMJuy9MCg==",
+      "cpu": [
+        "x64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "android"
+      ],
+      "engines": {
+        "node": ">=18"
+      }
+    },
+    "node_modules/tsx/node_modules/@esbuild/darwin-arm64": {
+      "version": "0.27.7",
+      "resolved": "https://registry.npmjs.org/@esbuild/darwin-arm64/-/darwin-arm64-0.27.7.tgz",
+      "integrity": "sha512-5lckdqeuBPlKUwvoCXIgI2D9/ABmPq3Rdp7IfL70393YgaASt7tbju3Ac+ePVi3KDH6N2RqePfHnXkaDtY9fkw==",
+      "cpu": [
+        "arm64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "darwin"
+      ],
+      "engines": {
+        "node": ">=18"
+      }
+    },
+    "node_modules/tsx/node_modules/@esbuild/darwin-x64": {
+      "version": "0.27.7",
+      "resolved": "https://registry.npmjs.org/@esbuild/darwin-x64/-/darwin-x64-0.27.7.tgz",
+      "integrity": "sha512-rYnXrKcXuT7Z+WL5K980jVFdvVKhCHhUwid+dDYQpH+qu+TefcomiMAJpIiC2EM3Rjtq0sO3StMV/+3w3MyyqQ==",
+      "cpu": [
+        "x64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "darwin"
+      ],
+      "engines": {
+        "node": ">=18"
+      }
+    },
+    "node_modules/tsx/node_modules/@esbuild/freebsd-arm64": {
+      "version": "0.27.7",
+      "resolved": "https://registry.npmjs.org/@esbuild/freebsd-arm64/-/freebsd-arm64-0.27.7.tgz",
+      "integrity": "sha512-B48PqeCsEgOtzME2GbNM2roU29AMTuOIN91dsMO30t+Ydis3z/3Ngoj5hhnsOSSwNzS+6JppqWsuhTp6E82l2w==",
+      "cpu": [
+        "arm64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "freebsd"
+      ],
+      "engines": {
+        "node": ">=18"
+      }
+    },
+    "node_modules/tsx/node_modules/@esbuild/freebsd-x64": {
+      "version": "0.27.7",
+      "resolved": "https://registry.npmjs.org/@esbuild/freebsd-x64/-/freebsd-x64-0.27.7.tgz",
+      "integrity": "sha512-jOBDK5XEjA4m5IJK3bpAQF9/Lelu/Z9ZcdhTRLf4cajlB+8VEhFFRjWgfy3M1O4rO2GQ/b2dLwCUGpiF/eATNQ==",
+      "cpu": [
+        "x64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "freebsd"
+      ],
+      "engines": {
+        "node": ">=18"
+      }
+    },
+    "node_modules/tsx/node_modules/@esbuild/linux-arm": {
+      "version": "0.27.7",
+      "resolved": "https://registry.npmjs.org/@esbuild/linux-arm/-/linux-arm-0.27.7.tgz",
+      "integrity": "sha512-RkT/YXYBTSULo3+af8Ib0ykH8u2MBh57o7q/DAs3lTJlyVQkgQvlrPTnjIzzRPQyavxtPtfg0EopvDyIt0j1rA==",
+      "cpu": [
+        "arm"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "linux"
+      ],
+      "engines": {
+        "node": ">=18"
+      }
+    },
+    "node_modules/tsx/node_modules/@esbuild/linux-arm64": {
+      "version": "0.27.7",
+      "resolved": "https://registry.npmjs.org/@esbuild/linux-arm64/-/linux-arm64-0.27.7.tgz",
+      "integrity": "sha512-RZPHBoxXuNnPQO9rvjh5jdkRmVizktkT7TCDkDmQ0W2SwHInKCAV95GRuvdSvA7w4VMwfCjUiPwDi0ZO6Nfe9A==",
+      "cpu": [
+        "arm64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "linux"
+      ],
+      "engines": {
+        "node": ">=18"
+      }
+    },
+    "node_modules/tsx/node_modules/@esbuild/linux-ia32": {
+      "version": "0.27.7",
+      "resolved": "https://registry.npmjs.org/@esbuild/linux-ia32/-/linux-ia32-0.27.7.tgz",
+      "integrity": "sha512-GA48aKNkyQDbd3KtkplYWT102C5sn/EZTY4XROkxONgruHPU72l+gW+FfF8tf2cFjeHaRbWpOYa/uRBz/Xq1Pg==",
+      "cpu": [
+        "ia32"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "linux"
+      ],
+      "engines": {
+        "node": ">=18"
+      }
+    },
+    "node_modules/tsx/node_modules/@esbuild/linux-loong64": {
+      "version": "0.27.7",
+      "resolved": "https://registry.npmjs.org/@esbuild/linux-loong64/-/linux-loong64-0.27.7.tgz",
+      "integrity": "sha512-a4POruNM2oWsD4WKvBSEKGIiWQF8fZOAsycHOt6JBpZ+JN2n2JH9WAv56SOyu9X5IqAjqSIPTaJkqN8F7XOQ5Q==",
+      "cpu": [
+        "loong64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "linux"
+      ],
+      "engines": {
+        "node": ">=18"
+      }
+    },
+    "node_modules/tsx/node_modules/@esbuild/linux-mips64el": {
+      "version": "0.27.7",
+      "resolved": "https://registry.npmjs.org/@esbuild/linux-mips64el/-/linux-mips64el-0.27.7.tgz",
+      "integrity": "sha512-KabT5I6StirGfIz0FMgl1I+R1H73Gp0ofL9A3nG3i/cYFJzKHhouBV5VWK1CSgKvVaG4q1RNpCTR2LuTVB3fIw==",
+      "cpu": [
+        "mips64el"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "linux"
+      ],
+      "engines": {
+        "node": ">=18"
+      }
+    },
+    "node_modules/tsx/node_modules/@esbuild/linux-ppc64": {
+      "version": "0.27.7",
+      "resolved": "https://registry.npmjs.org/@esbuild/linux-ppc64/-/linux-ppc64-0.27.7.tgz",
+      "integrity": "sha512-gRsL4x6wsGHGRqhtI+ifpN/vpOFTQtnbsupUF5R5YTAg+y/lKelYR1hXbnBdzDjGbMYjVJLJTd2OFmMewAgwlQ==",
+      "cpu": [
+        "ppc64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "linux"
+      ],
+      "engines": {
+        "node": ">=18"
+      }
+    },
+    "node_modules/tsx/node_modules/@esbuild/linux-riscv64": {
+      "version": "0.27.7",
+      "resolved": "https://registry.npmjs.org/@esbuild/linux-riscv64/-/linux-riscv64-0.27.7.tgz",
+      "integrity": "sha512-hL25LbxO1QOngGzu2U5xeXtxXcW+/GvMN3ejANqXkxZ/opySAZMrc+9LY/WyjAan41unrR3YrmtTsUpwT66InQ==",
+      "cpu": [
+        "riscv64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "linux"
+      ],
+      "engines": {
+        "node": ">=18"
+      }
+    },
+    "node_modules/tsx/node_modules/@esbuild/linux-s390x": {
+      "version": "0.27.7",
+      "resolved": "https://registry.npmjs.org/@esbuild/linux-s390x/-/linux-s390x-0.27.7.tgz",
+      "integrity": "sha512-2k8go8Ycu1Kb46vEelhu1vqEP+UeRVj2zY1pSuPdgvbd5ykAw82Lrro28vXUrRmzEsUV0NzCf54yARIK8r0fdw==",
+      "cpu": [
+        "s390x"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "linux"
+      ],
+      "engines": {
+        "node": ">=18"
+      }
+    },
+    "node_modules/tsx/node_modules/@esbuild/linux-x64": {
+      "version": "0.27.7",
+      "resolved": "https://registry.npmjs.org/@esbuild/linux-x64/-/linux-x64-0.27.7.tgz",
+      "integrity": "sha512-hzznmADPt+OmsYzw1EE33ccA+HPdIqiCRq7cQeL1Jlq2gb1+OyWBkMCrYGBJ+sxVzve2ZJEVeePbLM2iEIZSxA==",
+      "cpu": [
+        "x64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "linux"
+      ],
+      "engines": {
+        "node": ">=18"
+      }
+    },
+    "node_modules/tsx/node_modules/@esbuild/netbsd-arm64": {
+      "version": "0.27.7",
+      "resolved": "https://registry.npmjs.org/@esbuild/netbsd-arm64/-/netbsd-arm64-0.27.7.tgz",
+      "integrity": "sha512-b6pqtrQdigZBwZxAn1UpazEisvwaIDvdbMbmrly7cDTMFnw/+3lVxxCTGOrkPVnsYIosJJXAsILG9XcQS+Yu6w==",
+      "cpu": [
+        "arm64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "netbsd"
+      ],
+      "engines": {
+        "node": ">=18"
+      }
+    },
+    "node_modules/tsx/node_modules/@esbuild/netbsd-x64": {
+      "version": "0.27.7",
+      "resolved": "https://registry.npmjs.org/@esbuild/netbsd-x64/-/netbsd-x64-0.27.7.tgz",
+      "integrity": "sha512-OfatkLojr6U+WN5EDYuoQhtM+1xco+/6FSzJJnuWiUw5eVcicbyK3dq5EeV/QHT1uy6GoDhGbFpprUiHUYggrw==",
+      "cpu": [
+        "x64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "netbsd"
+      ],
+      "engines": {
+        "node": ">=18"
+      }
+    },
+    "node_modules/tsx/node_modules/@esbuild/openbsd-arm64": {
+      "version": "0.27.7",
+      "resolved": "https://registry.npmjs.org/@esbuild/openbsd-arm64/-/openbsd-arm64-0.27.7.tgz",
+      "integrity": "sha512-AFuojMQTxAz75Fo8idVcqoQWEHIXFRbOc1TrVcFSgCZtQfSdc1RXgB3tjOn/krRHENUB4j00bfGjyl2mJrU37A==",
+      "cpu": [
+        "arm64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "openbsd"
+      ],
+      "engines": {
+        "node": ">=18"
+      }
+    },
+    "node_modules/tsx/node_modules/@esbuild/openbsd-x64": {
+      "version": "0.27.7",
+      "resolved": "https://registry.npmjs.org/@esbuild/openbsd-x64/-/openbsd-x64-0.27.7.tgz",
+      "integrity": "sha512-+A1NJmfM8WNDv5CLVQYJ5PshuRm/4cI6WMZRg1by1GwPIQPCTs1GLEUHwiiQGT5zDdyLiRM/l1G0Pv54gvtKIg==",
+      "cpu": [
+        "x64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "openbsd"
+      ],
+      "engines": {
+        "node": ">=18"
+      }
+    },
+    "node_modules/tsx/node_modules/@esbuild/openharmony-arm64": {
+      "version": "0.27.7",
+      "resolved": "https://registry.npmjs.org/@esbuild/openharmony-arm64/-/openharmony-arm64-0.27.7.tgz",
+      "integrity": "sha512-+KrvYb/C8zA9CU/g0sR6w2RBw7IGc5J2BPnc3dYc5VJxHCSF1yNMxTV5LQ7GuKteQXZtspjFbiuW5/dOj7H4Yw==",
+      "cpu": [
+        "arm64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "openharmony"
+      ],
+      "engines": {
+        "node": ">=18"
+      }
+    },
+    "node_modules/tsx/node_modules/@esbuild/sunos-x64": {
+      "version": "0.27.7",
+      "resolved": "https://registry.npmjs.org/@esbuild/sunos-x64/-/sunos-x64-0.27.7.tgz",
+      "integrity": "sha512-ikktIhFBzQNt/QDyOL580ti9+5mL/YZeUPKU2ivGtGjdTYoqz6jObj6nOMfhASpS4GU4Q/Clh1QtxWAvcYKamA==",
+      "cpu": [
+        "x64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "sunos"
+      ],
+      "engines": {
+        "node": ">=18"
+      }
+    },
+    "node_modules/tsx/node_modules/@esbuild/win32-arm64": {
+      "version": "0.27.7",
+      "resolved": "https://registry.npmjs.org/@esbuild/win32-arm64/-/win32-arm64-0.27.7.tgz",
+      "integrity": "sha512-7yRhbHvPqSpRUV7Q20VuDwbjW5kIMwTHpptuUzV+AA46kiPze5Z7qgt6CLCK3pWFrHeNfDd1VKgyP4O+ng17CA==",
+      "cpu": [
+        "arm64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "win32"
+      ],
+      "engines": {
+        "node": ">=18"
+      }
+    },
+    "node_modules/tsx/node_modules/@esbuild/win32-ia32": {
+      "version": "0.27.7",
+      "resolved": "https://registry.npmjs.org/@esbuild/win32-ia32/-/win32-ia32-0.27.7.tgz",
+      "integrity": "sha512-SmwKXe6VHIyZYbBLJrhOoCJRB/Z1tckzmgTLfFYOfpMAx63BJEaL9ExI8x7v0oAO3Zh6D/Oi1gVxEYr5oUCFhw==",
+      "cpu": [
+        "ia32"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "win32"
+      ],
+      "engines": {
+        "node": ">=18"
+      }
+    },
+    "node_modules/tsx/node_modules/@esbuild/win32-x64": {
+      "version": "0.27.7",
+      "resolved": "https://registry.npmjs.org/@esbuild/win32-x64/-/win32-x64-0.27.7.tgz",
+      "integrity": "sha512-56hiAJPhwQ1R4i+21FVF7V8kSD5zZTdHcVuRFMW0hn753vVfQN8xlx4uOPT4xoGH0Z/oVATuR82AiqSTDIpaHg==",
+      "cpu": [
+        "x64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "win32"
+      ],
+      "engines": {
+        "node": ">=18"
+      }
+    },
+    "node_modules/tsx/node_modules/esbuild": {
+      "version": "0.27.7",
+      "resolved": "https://registry.npmjs.org/esbuild/-/esbuild-0.27.7.tgz",
+      "integrity": "sha512-IxpibTjyVnmrIQo5aqNpCgoACA/dTKLTlhMHihVHhdkxKyPO1uBBthumT0rdHmcsk9uMonIWS0m4FljWzILh3w==",
+      "dev": true,
+      "hasInstallScript": true,
+      "license": "MIT",
+      "bin": {
+        "esbuild": "bin/esbuild"
+      },
+      "engines": {
+        "node": ">=18"
+      },
+      "optionalDependencies": {
+        "@esbuild/aix-ppc64": "0.27.7",
+        "@esbuild/android-arm": "0.27.7",
+        "@esbuild/android-arm64": "0.27.7",
+        "@esbuild/android-x64": "0.27.7",
+        "@esbuild/darwin-arm64": "0.27.7",
+        "@esbuild/darwin-x64": "0.27.7",
+        "@esbuild/freebsd-arm64": "0.27.7",
+        "@esbuild/freebsd-x64": "0.27.7",
+        "@esbuild/linux-arm": "0.27.7",
+        "@esbuild/linux-arm64": "0.27.7",
+        "@esbuild/linux-ia32": "0.27.7",
+        "@esbuild/linux-loong64": "0.27.7",
+        "@esbuild/linux-mips64el": "0.27.7",
+        "@esbuild/linux-ppc64": "0.27.7",
+        "@esbuild/linux-riscv64": "0.27.7",
+        "@esbuild/linux-s390x": "0.27.7",
+        "@esbuild/linux-x64": "0.27.7",
+        "@esbuild/netbsd-arm64": "0.27.7",
+        "@esbuild/netbsd-x64": "0.27.7",
+        "@esbuild/openbsd-arm64": "0.27.7",
+        "@esbuild/openbsd-x64": "0.27.7",
+        "@esbuild/openharmony-arm64": "0.27.7",
+        "@esbuild/sunos-x64": "0.27.7",
+        "@esbuild/win32-arm64": "0.27.7",
+        "@esbuild/win32-ia32": "0.27.7",
+        "@esbuild/win32-x64": "0.27.7"
+      }
+    },
    "node_modules/tunnel": {
      "version": "0.0.6",
      "license": "MIT",
@@ -9292,16 +9777,16 @@
      }
    },
    "node_modules/typescript-eslint": {
-      "version": "8.59.4",
-      "resolved": "https://registry.npmjs.org/typescript-eslint/-/typescript-eslint-8.59.4.tgz",
-      "integrity": "sha512-Rw6+44QNFaXtgHSjPy+Kw8hrJniMYzR85E9yLmOLcfZ91/rz+JXQbDTCmc6ccxMPY6K6PgAq26f0JCBfR7LIPQ==",
+      "version": "8.59.3",
+      "resolved": "https://registry.npmjs.org/typescript-eslint/-/typescript-eslint-8.59.3.tgz",
+      "integrity": "sha512-KgusgyDgG4LI8Ih/sWaCtZ06tckLAS5CvT5A4D1Q7bYVoAAyzwiZvE4BmwDHkhRVkvhRBepKeASoFzQetha7Fg==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
-        "@typescript-eslint/eslint-plugin": "8.59.4",
-        "@typescript-eslint/parser": "8.59.4",
-        "@typescript-eslint/typescript-estree": "8.59.4",
-        "@typescript-eslint/utils": "8.59.4"
+        "@typescript-eslint/eslint-plugin": "8.59.3",
+        "@typescript-eslint/parser": "8.59.3",
+        "@typescript-eslint/typescript-estree": "8.59.3",
+        "@typescript-eslint/utils": "8.59.3"
      },
      "engines": {
        "node": "^18.18.0 || ^20.9.0 || >=21.1.0"
@@ -9821,7 +10306,7 @@
      },
      "devDependencies": {
        "@types/node": "^20.19.41",
-        "tsx": "^4.22.3"
+        "tsx": "^4.21.0"
      }
    }
  }
@@ -1,6 +1,6 @@
 {
  "name": "codeql",
-  "version": "4.36.1",
+  "version": "4.36.2",
  "private": true,
  "description": "CodeQL action",
  "scripts": {
@@ -69,7 +69,7 @@
    "nock": "^14.0.15",
    "sinon": "^22.0.0",
    "typescript": "^6.0.3",
-    "typescript-eslint": "^8.59.4"
+    "typescript-eslint": "^8.59.3"
  },
  "overrides": {
    "@actions/tool-cache": {
@@ -5,7 +5,7 @@ versions:
  - default
 steps:
  - name: Set up Ruby
-    uses: ruby/setup-ruby@6aaa311d81eba98ae12eaffbcb63296ace0efcde # v1.307.0
+    uses: ruby/setup-ruby@c4e5b1316158f92e3d49443a9d58b31d25ac0f8f # v1.306.0
    with:
      ruby-version: 2.6
  - name: Install Code Scanning integration
@@ -11,6 +11,6 @@
  },
  "devDependencies": {
    "@types/node": "^20.19.41",
-    "tsx": "^4.22.3"
+    "tsx": "^4.21.0"
  }
 }
@@ -30,7 +30,7 @@ import {
 } from "./dependency-caching";
 import { EnvVar } from "./environment";
 import { initFeatures } from "./feature-flags";
-import { BuiltInLanguage } from "./languages";
+import { BuiltInLanguage } from "./languages/index";
 import { getActionsLogger, Logger } from "./logging";
 import { cleanupAndUploadOverlayBaseDatabaseToCache } from "./overlay/caching";
 import { getRepositoryNwo } from "./repository";
@@ -14,7 +14,7 @@ import {
 } from "./analyze";
 import { createStubCodeQL } from "./codeql";
 import { Feature } from "./feature-flags";
-import { BuiltInLanguage } from "./languages";
+import { BuiltInLanguage } from "./languages/index";
 import { getRunnerLogger } from "./logging";
 import {
  setupTests,
@@ -21,7 +21,7 @@ import {
 } from "./diff-informed-analysis-utils";
 import { EnvVar } from "./environment";
 import { FeatureEnablement, Feature } from "./feature-flags";
-import { BuiltInLanguage, Language } from "./languages";
+import { BuiltInLanguage, Language } from "./languages/index";
 import { Logger, withGroupAsync } from "./logging";
 import { OverlayDatabaseMode } from "./overlay/overlay-database-mode";
 import type * as sarif from "./sarif";
@@ -1 +1 @@
-{"maximumVersion": "3.22", "minimumVersion": "3.16"}
+{"maximumVersion": "3.21", "minimumVersion": "3.16"}
@@ -10,7 +10,7 @@ import { determineAutobuildLanguages, runAutobuild } from "./autobuild";
 import { getCodeQL } from "./codeql";
 import { Config, getConfig } from "./config-utils";
 import { EnvVar } from "./environment";
-import { Language } from "./languages";
+import { Language } from "./languages/index";
 import { Logger, getActionsLogger } from "./logging";
 import {
  StatusReportBase,
@@ -7,7 +7,7 @@ import * as configUtils from "./config-utils";
 import { DocUrl } from "./doc-url";
 import { EnvVar } from "./environment";
 import { Feature, featureConfig, initFeatures } from "./feature-flags";
-import { BuiltInLanguage, Language } from "./languages";
+import { BuiltInLanguage, Language } from "./languages/index";
 import { Logger } from "./logging";
 import { getRepositoryNwo } from "./repository";
 import { asyncFilter, BuildMode } from "./util";
@@ -21,7 +21,7 @@ import {
 import type { Config } from "./config-utils";
 import * as defaults from "./defaults.json";
 import { DocUrl } from "./doc-url";
-import { BuiltInLanguage } from "./languages";
+import { BuiltInLanguage } from "./languages/index";
 import { getRunnerLogger } from "./logging";
 import { ToolsSource } from "./setup-codeql";
 import {
@@ -22,7 +22,7 @@ import {
  FeatureEnablement,
 } from "./feature-flags";
 import { isAnalyzingDefaultBranch } from "./git-utils";
-import { Language } from "./languages";
+import { Language } from "./languages/index";
 import { Logger } from "./logging";
 import { writeBaseDatabaseOidsFile, writeOverlayChangesFile } from "./overlay";
 import { OverlayDatabaseMode } from "./overlay/overlay-database-mode";
@@ -18,7 +18,7 @@ import { Feature } from "./feature-flags";
 import { RepositoryProperties } from "./feature-flags/properties";
 import * as gitUtils from "./git-utils";
 import { GitVersionInfo } from "./git-utils";
-import { BuiltInLanguage, Language } from "./languages";
+import { BuiltInLanguage, Language } from "./languages/index";
 import { getRunnerLogger } from "./logging";
 import { CODEQL_OVERLAY_MINIMUM_VERSION } from "./overlay";
 import * as overlayDiagnostics from "./overlay/diagnostics";
@@ -48,7 +48,7 @@ import {
  hasSubmodules,
  isAnalyzingDefaultBranch,
 } from "./git-utils";
-import { BuiltInLanguage, Language } from "./languages";
+import { BuiltInLanguage, Language } from "./languages/index";
 import { Logger } from "./logging";
 import { CODEQL_OVERLAY_MINIMUM_VERSION } from "./overlay";
 import {
@@ -12,7 +12,7 @@ import { createStubCodeQL } from "./codeql";
 import { Config } from "./config-utils";
 import { cleanupAndUploadDatabases } from "./database-upload";
 import * as gitUtils from "./git-utils";
-import { BuiltInLanguage } from "./languages";
+import { BuiltInLanguage } from "./languages/index";
 import { RepositoryNwo } from "./repository";
 import {
  checkExpectedLogMessages,
@@ -13,7 +13,7 @@ import { type CodeQL } from "./codeql";
 import { Config } from "./config-utils";
 import { EnvVar } from "./environment";
 import * as json from "./json";
-import { Language } from "./languages";
+import { Language } from "./languages/index";
 import { Logger, withGroup } from "./logging";
 import {
  isSafeArtifactUpload,
@@ -27,7 +27,7 @@ import {
  CacheStoreResult,
 } from "./dependency-caching";
 import { Feature } from "./feature-flags";
-import { BuiltInLanguage } from "./languages";
+import { BuiltInLanguage } from "./languages/index";
 import {
  setupTests,
  createFeatures,
@@ -11,7 +11,7 @@ import { CodeQL } from "./codeql";
 import { Config } from "./config-utils";
 import { EnvVar } from "./environment";
 import { Feature, FeatureEnablement } from "./feature-flags";
-import { BuiltInLanguage, Language } from "./languages";
+import { BuiltInLanguage, Language } from "./languages/index";
 import { Logger } from "./logging";
 import { getErrorMessage, getRequiredEnvParam } from "./util";

@@ -2,7 +2,7 @@ import { existsSync, mkdirSync, writeFileSync } from "fs";
 import path from "path";

 import type { Config } from "./config-utils";
-import { Language } from "./languages";
+import { Language } from "./languages/index";
 import { getActionsLogger } from "./logging";
 import { getCodeQLDatabasePath } from "./util";

@@ -78,6 +78,7 @@ test.serial("loadPropertiesFromApi loads known properties", async (t) => {
    url: "",
    data: [
      { property_name: "github-codeql-extra-queries", value: "+queries" },
+      { property_name: "github-codeql-tools", value: "toolcache" },
      { property_name: "unknown-property", value: "something" },
    ] satisfies properties.GitHubPropertiesResponse,
  });
@@ -87,7 +88,10 @@ test.serial("loadPropertiesFromApi loads known properties", async (t) => {
    logger,
    mockRepositoryNwo,
  );
-  t.deepEqual(response, { "github-codeql-extra-queries": "+queries" });
+  t.deepEqual(response, {
+    "github-codeql-extra-queries": "+queries",
+    "github-codeql-tools": "toolcache",
+  });
 });

 test.serial("loadPropertiesFromApi parses true boolean property", async (t) => {
@@ -1,7 +1,10 @@
+import * as github from "@actions/github";
+
 import { isDynamicWorkflow } from "../actions-util";
 import { getRepositoryProperties } from "../api-client";
 import { Logger } from "../logging";
 import { RepositoryNwo } from "../repository";
+import { getErrorMessage, Result, Success, Failure } from "../util";

 /** The common prefix that we expect all of our repository properties to have. */
 export const GITHUB_CODEQL_PROPERTY_PREFIX = "github-codeql-";
@@ -13,6 +16,7 @@ export enum RepositoryPropertyName {
  DISABLE_OVERLAY = "github-codeql-disable-overlay",
  EXTRA_QUERIES = "github-codeql-extra-queries",
  FILE_COVERAGE_ON_PRS = "github-codeql-file-coverage-on-prs",
+  TOOLS = "github-codeql-tools",
 }

 /** Parsed types of the known repository properties. */
@@ -20,6 +24,7 @@ export type AllRepositoryProperties = {
  [RepositoryPropertyName.DISABLE_OVERLAY]: boolean;
  [RepositoryPropertyName.EXTRA_QUERIES]: string;
  [RepositoryPropertyName.FILE_COVERAGE_ON_PRS]: boolean;
+  [RepositoryPropertyName.TOOLS]: string;
 };

 /** Parsed repository properties. */
@@ -30,6 +35,7 @@ export type RepositoryPropertyApiType = {
  [RepositoryPropertyName.DISABLE_OVERLAY]: string;
  [RepositoryPropertyName.EXTRA_QUERIES]: string;
  [RepositoryPropertyName.FILE_COVERAGE_ON_PRS]: string;
+  [RepositoryPropertyName.TOOLS]: string;
 };

 /** The type of functions which take the `value` from the API and try to convert it to the type we want. */
@@ -77,6 +83,7 @@ const repositoryPropertyParsers: {
  [RepositoryPropertyName.DISABLE_OVERLAY]: booleanProperty,
  [RepositoryPropertyName.EXTRA_QUERIES]: stringProperty,
  [RepositoryPropertyName.FILE_COVERAGE_ON_PRS]: booleanProperty,
+  [RepositoryPropertyName.TOOLS]: stringProperty,
 };

 /**
@@ -172,6 +179,38 @@ export async function loadPropertiesFromApi(
  }
 }

+/**
+ * Loads [repository properties](https://docs.github.com/en/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization) if applicable.
+ */
+export async function loadRepositoryProperties(
+  repositoryNwo: RepositoryNwo,
+  logger: Logger,
+): Promise<Result<RepositoryProperties, unknown>> {
+  // See if we can skip loading repository properties early. In particular,
+  // repositories owned by users cannot have repository properties, so we can
+  // skip the API call entirely in that case.
+  const repositoryOwnerType = github.context.payload.repository?.owner.type;
+  logger.debug(
+    `Repository owner type is '${repositoryOwnerType ?? "unknown"}'.`,
+  );
+  if (repositoryOwnerType === "User") {
+    logger.debug(
+      "Skipping loading repository properties because the repository is owned by a user and " +
+        "therefore cannot have repository properties.",
+    );
+    return new Success({});
+  }
+
+  try {
+    return new Success(await loadPropertiesFromApi(logger, repositoryNwo));
+  } catch (error) {
+    logger.warning(
+      `Failed to load repository properties: ${getErrorMessage(error)}`,
+    );
+    return new Failure(error);
+  }
+}
+
 /**
 * Validate that `value` has the correct type for `K` and, if so, update the partial set of repository
 * properties with the parsed value of the specified property.
@@ -2,7 +2,6 @@ import * as fs from "fs";
 import * as path from "path";

 import * as core from "@actions/core";
-import * as github from "@actions/github";
 import * as io from "@actions/io";
 import * as semver from "semver";
 import { v4 as uuidV4 } from "uuid";
@@ -39,10 +38,7 @@ import {
 } from "./diagnostics";
 import { EnvVar } from "./environment";
 import { Feature, FeatureEnablement, initFeatures } from "./feature-flags";
-import {
-  loadPropertiesFromApi,
-  RepositoryProperties,
-} from "./feature-flags/properties";
+import { loadRepositoryProperties } from "./feature-flags/properties";
 import {
  checkInstallPython311,
  checkPacksForOverlayCompatibility,
@@ -53,14 +49,15 @@ import {
  initConfig,
  runDatabaseInitCluster,
 } from "./init";
-import { JavaEnvVars, BuiltInLanguage } from "./languages";
+import { JavaEnvVars, BuiltInLanguage } from "./languages/index";
 import { getActionsLogger, Logger, withGroupAsync } from "./logging";
 import {
  downloadOverlayBaseDatabaseFromCache,
  OverlayBaseDatabaseDownloadStats,
 } from "./overlay/caching";
 import { OverlayDatabaseMode } from "./overlay/overlay-database-mode";
-import { getRepositoryNwo, RepositoryNwo } from "./repository";
+import { getRepositoryNwo } from "./repository";
+import { resolveToolsInput } from "./resolve-tools-input";
 import { ToolsSource } from "./setup-codeql";
 import {
  ActionName,
@@ -93,10 +90,7 @@ import {
  checkActionVersion,
  getErrorMessage,
  BuildMode,
-  Result,
  getOptionalEnvVar,
-  Success,
-  Failure,
 } from "./util";
 import { checkWorkflow } from "./workflow";

@@ -140,6 +134,7 @@ async function sendCompletedStatusReport(
  toolsFeatureFlagsValid: boolean | undefined,
  toolsSource: ToolsSource,
  toolsVersion: string,
+  effectiveToolsInput: string | undefined,
  overlayBaseDatabaseStats: OverlayBaseDatabaseDownloadStats | undefined,
  dependencyCachingResults: DependencyCacheRestoreStatusReport | undefined,
  logger: Logger,
@@ -165,6 +160,7 @@ async function sendCompletedStatusReport(
  const initStatusReport: InitStatusReport = {
    ...statusReportBase,
    tools_input: getOptionalInput("tools") || "",
+    effective_tools_input: effectiveToolsInput || "",
    tools_resolved_version: toolsVersion,
    tools_source: toolsSource || ToolsSource.Unknown,
    workflow_languages: workflowLanguages || "",
@@ -219,6 +215,7 @@ async function run(startedAt: Date) {
  let toolsSource: ToolsSource;
  let toolsVersion: string;
  let zstdAvailability: ZstdAvailability | undefined;
+  let effectiveToolsInput: string | undefined;

  try {
    initializeEnvironment(getActionVersion());
@@ -251,6 +248,7 @@ async function run(startedAt: Date) {
      repositoryNwo,
      logger,
    );
+    const repositoryProperties = repositoryPropertiesResult.orElse({});

    // Create a unique identifier for this run.
    const jobRunUuid = uuidV4();
@@ -296,6 +294,15 @@ async function run(startedAt: Date) {
    const codeQLDefaultVersionInfo =
      await features.getEnabledDefaultCliVersions(gitHubVersion.type);
    toolsFeatureFlagsValid = codeQLDefaultVersionInfo.toolsFeatureFlagsValid;
+
+    // Determine the effective tools input.
+    // The explicit `tools` workflow input takes precedence. If none is provided,
+    // fall back to the 'github-codeql-tools' repository property (if set).
+    effectiveToolsInput = resolveToolsInput(
+      getOptionalInput("tools"),
+      repositoryProperties,
+      logger,
+    );
    const rawLanguages = configUtils.getRawLanguagesNoAutodetect(
      getOptionalInput("languages"),
    );
@@ -303,7 +310,7 @@ async function run(startedAt: Date) {
      analysisKinds?.length === 1 &&
      analysisKinds[0] === AnalysisKind.CodeScanning;
    const initCodeQLResult = await initCodeQL(
-      getOptionalInput("tools"),
+      effectiveToolsInput,
      apiDetails,
      getTemporaryDirectory(),
      gitHubVersion.type,
@@ -350,7 +357,6 @@ async function run(startedAt: Date) {

    analysisKinds = await getAnalysisKinds(logger, features);
    const debugMode = getOptionalInput("debug") === "true" || core.isDebug();
-    const repositoryProperties = repositoryPropertiesResult.orElse({});
    const fileCoverageResult = await getFileCoverageInformationEnabled(
      debugMode,
      codeql,
@@ -769,6 +775,7 @@ async function run(startedAt: Date) {
      toolsFeatureFlagsValid,
      toolsSource,
      toolsVersion,
+      effectiveToolsInput,
      overlayBaseDatabaseStats,
      dependencyCachingStatus,
      logger,
@@ -786,44 +793,13 @@ async function run(startedAt: Date) {
    toolsFeatureFlagsValid,
    toolsSource,
    toolsVersion,
+    effectiveToolsInput,
    overlayBaseDatabaseStats,
    dependencyCachingStatus,
    logger,
  );
 }

-/**
- * Loads [repository properties](https://docs.github.com/en/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization) if applicable.
- */
-async function loadRepositoryProperties(
-  repositoryNwo: RepositoryNwo,
-  logger: Logger,
-): Promise<Result<RepositoryProperties, unknown>> {
-  // See if we can skip loading repository properties early. In particular,
-  // repositories owned by users cannot have repository properties, so we can
-  // skip the API call entirely in that case.
-  const repositoryOwnerType = github.context.payload.repository?.owner.type;
-  logger.debug(
-    `Repository owner type is '${repositoryOwnerType ?? "unknown"}'.`,
-  );
-  if (repositoryOwnerType === "User") {
-    logger.debug(
-      "Skipping loading repository properties because the repository is owned by a user and " +
-        "therefore cannot have repository properties.",
-    );
-    return new Success({});
-  }
-
-  try {
-    return new Success(await loadPropertiesFromApi(logger, repositoryNwo));
-  } catch (error) {
-    logger.warning(
-      `Failed to load repository properties: ${getErrorMessage(error)}`,
-    );
-    return new Failure(error);
-  }
-}
-
 async function recordZstdAvailability(
  config: configUtils.Config,
  zstdAvailability: ZstdAvailability,
@@ -15,7 +15,7 @@ import {
  getFileCoverageInformationEnabled,
  logFileCoverageOnPrsDeprecationWarning,
 } from "./init";
-import { BuiltInLanguage } from "./languages";
+import { BuiltInLanguage } from "./languages/index";
 import {
  createFeatures,
  LoggedMessage,
@@ -26,7 +26,7 @@ import {
  RepositoryProperties,
  RepositoryPropertyName,
 } from "./feature-flags/properties";
-import { BuiltInLanguage, Language } from "./languages";
+import { BuiltInLanguage, Language } from "./languages/index";
 import { Logger, withGroupAsync } from "./logging";
 import { ToolsSource } from "./setup-codeql";
 import { ZstdAvailability } from "./tar";
@@ -0,0 +1,171 @@
+import test from "ava";
+
+import { RepositoryPropertyName } from "./feature-flags/properties";
+import type { RepositoryProperties } from "./feature-flags/properties";
+import { resolveToolsInput } from "./resolve-tools-input";
+import { getRecordingLogger, LoggedMessage, setupTests } from "./testing-utils";
+
+setupTests(test);
+
+test(
+  "resolveToolsInput returns undefined when no tools input or repository property is set",
+  (t) => {
+    const loggedMessages: LoggedMessage[] = [];
+    const logger = getRecordingLogger(loggedMessages);
+
+    const result = resolveToolsInput(undefined, {}, logger);
+
+    t.is(result, undefined);
+    t.is(loggedMessages.length, 0);
+  },
+);
+
+test(
+  "resolveToolsInput returns workflow input when only workflow input is provided",
+  (t) => {
+    const loggedMessages: LoggedMessage[] = [];
+    const logger = getRecordingLogger(loggedMessages);
+
+    const result = resolveToolsInput("latest", {}, logger);
+
+    t.is(result, "latest");
+    t.is(loggedMessages.length, 1);
+    t.is(
+      loggedMessages[0].message,
+      "Setting tools: latest based on workflow input.",
+    );
+  },
+);
+
+test(
+  "resolveToolsInput returns repository property when only repository property is provided",
+  (t) => {
+    const loggedMessages: LoggedMessage[] = [];
+    const logger = getRecordingLogger(loggedMessages);
+
+    const repositoryProperties: RepositoryProperties = {
+      [RepositoryPropertyName.TOOLS]: "toolcache",
+    };
+    const result = resolveToolsInput(undefined, repositoryProperties, logger);
+
+    t.is(result, "toolcache");
+    t.is(loggedMessages.length, 1);
+    t.is(
+      loggedMessages[0].message,
+      "Setting tools: toolcache based on the 'github-codeql-tools' repository property.",
+    );
+  },
+);
+
+test(
+  "resolveToolsInput prioritizes workflow input over repository property",
+  (t) => {
+    const loggedMessages: LoggedMessage[] = [];
+    const logger = getRecordingLogger(loggedMessages);
+
+    const repositoryProperties: RepositoryProperties = {
+      [RepositoryPropertyName.TOOLS]: "toolcache",
+    };
+    const result = resolveToolsInput("nightly", repositoryProperties, logger);
+
+    t.is(result, "nightly");
+    t.is(loggedMessages.length, 1);
+    t.is(
+      loggedMessages[0].message,
+      "Setting tools: nightly based on workflow input.",
+    );
+  },
+);
+
+test(
+  "resolveToolsInput treats empty string workflow input as not set",
+  (t) => {
+    const loggedMessages: LoggedMessage[] = [];
+    const logger = getRecordingLogger(loggedMessages);
+
+    const repositoryProperties: RepositoryProperties = {
+      [RepositoryPropertyName.TOOLS]: "toolcache",
+    };
+    const result = resolveToolsInput("", repositoryProperties, logger);
+
+    t.is(result, "toolcache");
+    t.is(loggedMessages.length, 1);
+    t.is(
+      loggedMessages[0].message,
+      "Setting tools: toolcache based on the 'github-codeql-tools' repository property.",
+    );
+  },
+);
+
+test(
+  "resolveToolsInput returns workflow input with URL value",
+  (t) => {
+    const loggedMessages: LoggedMessage[] = [];
+    const logger = getRecordingLogger(loggedMessages);
+
+    const url = "https://example.com/codeql-bundle.tar.gz";
+    const result = resolveToolsInput(url, {}, logger);
+
+    t.is(result, url);
+    t.is(loggedMessages.length, 1);
+    t.is(
+      loggedMessages[0].message,
+      `Setting tools: ${url} based on workflow input.`,
+    );
+  },
+);
+
+test(
+  "resolveToolsInput returns repository property with 'latest' value",
+  (t) => {
+    const loggedMessages: LoggedMessage[] = [];
+    const logger = getRecordingLogger(loggedMessages);
+
+    const repositoryProperties: RepositoryProperties = {
+      [RepositoryPropertyName.TOOLS]: "latest",
+    };
+    const result = resolveToolsInput(undefined, repositoryProperties, logger);
+
+    t.is(result, "latest");
+    t.is(
+      loggedMessages[0].message,
+      "Setting tools: latest based on the 'github-codeql-tools' repository property.",
+    );
+  },
+);
+
+test(
+  "resolveToolsInput returns repository property with specific version",
+  (t) => {
+    const loggedMessages: LoggedMessage[] = [];
+    const logger = getRecordingLogger(loggedMessages);
+
+    const repositoryProperties: RepositoryProperties = {
+      [RepositoryPropertyName.TOOLS]: "2.16.1",
+    };
+    const result = resolveToolsInput(undefined, repositoryProperties, logger);
+
+    t.is(result, "2.16.1");
+    t.is(
+      loggedMessages[0].message,
+      "Setting tools: 2.16.1 based on the 'github-codeql-tools' repository property.",
+    );
+  },
+);
+
+test(
+  "resolveToolsInput returns undefined when repository property is undefined",
+  (t) => {
+    const loggedMessages: LoggedMessage[] = [];
+    const logger = getRecordingLogger(loggedMessages);
+
+    const repositoryProperties: RepositoryProperties = {
+      [RepositoryPropertyName.TOOLS]: undefined,
+    };
+    const result = resolveToolsInput(undefined, repositoryProperties, logger);
+
+    t.is(result, undefined);
+    t.is(loggedMessages.length, 0);
+  },
+);
+
@@ -0,0 +1,36 @@
+import {
+  RepositoryProperties,
+  RepositoryPropertyName,
+} from "./feature-flags/properties";
+import { Logger } from "./logging";
+
+/**
+ * Resolves the effective tools input by combining the workflow input and repository properties.
+ * The explicit `tools` workflow input takes precedence. If none is provided,
+ * falls back to the repository property (if set).
+ *
+ * @param toolsWorkflowInput - The value of the `tools` workflow input, if provided.
+ * @param repositoryProperties - The parsed repository properties.
+ * @param logger - Logger for outputting resolution messages.
+ * @returns The effective tools input value.
+ */
+export function resolveToolsInput(
+  toolsWorkflowInput: string | undefined,
+  repositoryProperties: RepositoryProperties,
+  logger: Logger,
+): string | undefined {
+  if (toolsWorkflowInput) {
+    logger.info(`Setting tools: ${toolsWorkflowInput} based on workflow input.`);
+    return toolsWorkflowInput;
+  }
+
+  const toolsPropertyValue = repositoryProperties[RepositoryPropertyName.TOOLS];
+  if (toolsPropertyValue) {
+    logger.info(
+      `Setting tools: ${toolsPropertyValue} based on the '${RepositoryPropertyName.TOOLS}' repository property.`,
+    );
+    return toolsPropertyValue;
+  }
+
+  return undefined;
+}
@@ -13,9 +13,11 @@ import { CodeQL } from "./codeql";
 import { getRawLanguagesNoAutodetect } from "./config-utils";
 import { EnvVar } from "./environment";
 import { initFeatures } from "./feature-flags";
+import { loadRepositoryProperties } from "./feature-flags/properties";
 import { initCodeQL } from "./init";
 import { getActionsLogger, Logger } from "./logging";
 import { getRepositoryNwo } from "./repository";
+import { resolveToolsInput } from "./resolve-tools-input";
 import { ToolsSource } from "./setup-codeql";
 import {
  ActionName,
@@ -48,6 +50,7 @@ async function sendCompletedStatusReport(
  toolsFeatureFlagsValid: boolean | undefined,
  toolsSource: ToolsSource,
  toolsVersion: string,
+  effectiveToolsInput: string | undefined,
  logger: Logger,
  error?: Error,
 ): Promise<void> {
@@ -69,6 +72,7 @@ async function sendCompletedStatusReport(
  const initStatusReport: InitStatusReport = {
    ...statusReportBase,
    tools_input: getOptionalInput("tools") || "",
+    effective_tools_input: effectiveToolsInput || "",
    tools_resolved_version: toolsVersion,
    tools_source: toolsSource || ToolsSource.Unknown,
    workflow_languages: "",
@@ -99,6 +103,7 @@ async function run(startedAt: Date): Promise<void> {
  let toolsFeatureFlagsValid: boolean | undefined;
  let toolsSource: ToolsSource;
  let toolsVersion: string;
+  let effectiveToolsInput: string | undefined;

  try {
    initializeEnvironment(getActionVersion());
@@ -141,12 +146,29 @@ async function run(startedAt: Date): Promise<void> {
    const codeQLDefaultVersionInfo =
      await features.getEnabledDefaultCliVersions(gitHubVersion.type);
    toolsFeatureFlagsValid = codeQLDefaultVersionInfo.toolsFeatureFlagsValid;
+
+    // Fetch the values of known repository properties that affect us.
+    const repositoryPropertiesResult = await loadRepositoryProperties(
+      repositoryNwo,
+      logger,
+    );
+    const repositoryProperties = repositoryPropertiesResult.orElse({});
+
+    // Determine the effective tools input.
+    // The explicit `tools` workflow input takes precedence. If none is provided,
+    // fall back to the 'github-codeql-tools' repository property (if set).
+    effectiveToolsInput = resolveToolsInput(
+      getOptionalInput("tools"),
+      repositoryProperties,
+      logger,
+    );
    const rawLanguages = getRawLanguagesNoAutodetect(
      getOptionalInput("languages"),
    );
    const analysisKinds = await getAnalysisKinds(logger, features);
+
    const initCodeQLResult = await initCodeQL(
-      getOptionalInput("tools"),
+      effectiveToolsInput,
      apiDetails,
      getTemporaryDirectory(),
      gitHubVersion.type,
@@ -191,6 +213,7 @@ async function run(startedAt: Date): Promise<void> {
    toolsFeatureFlagsValid,
    toolsSource,
    toolsVersion,
+    effectiveToolsInput,
    logger,
  );
 }
@@ -559,7 +559,7 @@ export async function getCodeQLSource(
        );
      } else {
        if (allowToolcacheValueFF) {
-          logger.warning(
+          logger.info(
            `Ignoring 'tools: ${toolsInput}' because the workflow was not triggered dynamically.`,
          );
        } else {
@@ -6,7 +6,7 @@ import * as core from "@actions/core";
 import * as actionsUtil from "./actions-util";
 import { getGitHubVersion } from "./api-client";
 import { Feature, FeatureEnablement, initFeatures } from "./feature-flags";
-import { BuiltInLanguage, parseBuiltInLanguage } from "./languages";
+import { BuiltInLanguage, parseBuiltInLanguage } from "./languages/index";
 import { getActionsLogger, Logger } from "./logging";
 import { getRepositoryNwo } from "./repository";
 import {
@@ -10,7 +10,7 @@ import * as defaults from "./defaults.json";
 import { setUpFeatureFlagTests } from "./feature-flags/testing-util";
 import { UnvalidatedObject, validateSchema } from "./json";
 import { makeFromSchema } from "./json/testing-util";
-import { BuiltInLanguage } from "./languages";
+import { BuiltInLanguage } from "./languages/index";
 import { getRunnerLogger, Logger } from "./logging";
 import * as startProxyExports from "./start-proxy";
 import * as statusReport from "./status-report";
@@ -18,7 +18,7 @@ import {
  FeatureEnablement,
 } from "./feature-flags";
 import * as json from "./json";
-import { BuiltInLanguage } from "./languages";
+import { BuiltInLanguage } from "./languages/index";
 import { Logger } from "./logging";
 import {
  Address,
@@ -4,7 +4,7 @@ import * as sinon from "sinon";
 import * as actionsUtil from "./actions-util";
 import { Config } from "./config-utils";
 import { EnvVar } from "./environment";
-import { BuiltInLanguage } from "./languages";
+import { BuiltInLanguage } from "./languages/index";
 import { getRunnerLogger } from "./logging";
 import { ToolsSource } from "./setup-codeql";
 import {
@@ -316,6 +316,7 @@ const testCreateInitWithConfigStatusReport = makeMacro({
        const initStatusReport: InitStatusReport = {
          ...statusReportBase,
          tools_input: "",
+          effective_tools_input: "",
          tools_resolved_version: "foo",
          tools_source: ToolsSource.Unknown,
          workflow_languages: "actions",
@@ -482,6 +482,8 @@ export async function sendStatusReport<S extends StatusReportBase>(
 export interface InitStatusReport extends StatusReportBase {
  /** Value given by the user as the "tools" input. */
  tools_input: string;
+  /** The effective tools input that was used, after applying defaults and repository properties. */
+  effective_tools_input: string;
  /** Version of the bundle used. */
  tools_resolved_version: string;
  /** Where the bundle originated from. */
@@ -6,7 +6,7 @@ import * as sinon from "sinon";

 import { CodeQL, getCodeQLForTesting } from "./codeql";
 import * as configUtils from "./config-utils";
-import { BuiltInLanguage } from "./languages";
+import { BuiltInLanguage } from "./languages/index";
 import { createTestConfig, makeVersionInfo, setupTests } from "./testing-utils";
 import { ToolsFeature } from "./tools-features";
 import { getCombinedTracerConfig } from "./tracer-config";
@@ -15,7 +15,7 @@ import {
 import * as configUtils from "./config-utils";
 import { Feature } from "./feature-flags";
 import * as gitUtils from "./git-utils";
-import { BuiltInLanguage } from "./languages";
+import { BuiltInLanguage } from "./languages/index";
 import { getRunnerLogger } from "./logging";
 import {
  createFeatures,
@@ -10,7 +10,7 @@ import { type Config } from "./config-utils";
 import { DocUrl } from "./doc-url";
 import { Feature, FeatureEnablement } from "./feature-flags";
 import * as gitUtils from "./git-utils";
-import { Language } from "./languages";
+import { Language } from "./languages/index";
 import { Logger } from "./logging";
 import {
  asHTTPError,
@@ -15,7 +15,7 @@ import type { Pack } from "./config/db-config";
 import type { Config } from "./config-utils";
 import { EnvVar } from "./environment";
 import * as json from "./json";
-import { Language } from "./languages";
+import { Language } from "./languages/index";
 import { Logger } from "./logging";

 /**
Author	SHA1	Message	Date
github-actions[bot]	ed103406c8	Rebuild	2026-05-25 14:36:28 +00:00
github-actions[bot]	57624a0615	Update changelog and version after v4.36.1	2026-05-25 14:36:15 +00:00
Óscar San José	7c7926f8df	Fixed tests due to stale language.ts obscuring language/index.ts import when done at module level	2026-05-25 16:33:01 +02:00
Óscar San José	838486a3c3	Merge branch 'main' of https://github.com/github/codeql-action into copilot/add-tools-input-source-repository	2026-05-25 13:27:20 +02:00
copilot-swe-agent[bot]	09a0f62a7a	Refactor resolveToolsInput: accept repository properties as parameter, simplify implementation and tests	2026-05-25 11:10:26 +00:00
Óscar San José	652e91defb	Add repo property to override codeql-cli version	2026-04-16 17:09:34 +02:00