Rebuild

Apply suggestions from code review
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
2026-06-04 04:44:50 +00:00 · 2026-06-02 15:13:54 +02:00 · 2026-06-01 20:23:20 +02:00 · 2026-06-01 20:19:50 +02:00 · 2026-06-01 18:44:55 +02:00 · 2026-06-01 18:33:23 +02:00
128 changed files with 1062 additions and 525 deletions
@@ -16,13 +16,13 @@ runs:
      shell: bash

    - name: Set up Node
-      uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
+      uses: actions/setup-node@v6
      with:
        node-version: 24
        cache: 'npm'

    - name: Set up Python
-      uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
+      uses: actions/setup-python@v6
      with:
        python-version: '3.12'

@@ -74,13 +74,13 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@v6
      - name: Install .NET
-        uses: actions/setup-dotnet@9a946fdbd5fb07b82b2f5a4466058b876ab72bb2 # v5.3.0
+        uses: actions/setup-dotnet@v5
        with:
          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - name: Install Go
-        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
+        uses: actions/setup-go@v6
        with:
          go-version: ${{ inputs.go-version || '>=1.21.0' }}
          cache: false
@@ -72,7 +72,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@v6
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -92,7 +92,7 @@ jobs:
          post-processed-sarif-path: '${{ runner.temp }}/post-processed'

      - name: Upload SARIF files
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+        uses: actions/upload-artifact@v7
        with:
          name: |
            analysis-kinds-${{ matrix.os }}-${{ matrix.version }}-${{ matrix.analysis-kinds }}
@@ -100,7 +100,7 @@ jobs:
          retention-days: 7

      - name: Upload post-processed SARIF
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+        uses: actions/upload-artifact@v7
        with:
          name: |
            post-processed-${{ matrix.os }}-${{ matrix.version }}-${{ matrix.analysis-kinds }}
@@ -110,7 +110,7 @@ jobs:

      - name: Check quality query does not appear in security SARIF
        if: contains(matrix.analysis-kinds, 'code-scanning')
-        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
+        uses: actions/github-script@v8
        env:
          SARIF_PATH: '${{ runner.temp }}/results/javascript.sarif'
          EXPECT_PRESENT: 'false'
@@ -118,7 +118,7 @@ jobs:
          script: ${{ env.CHECK_SCRIPT }}
      - name: Check quality query appears in quality SARIF
        if: contains(matrix.analysis-kinds, 'code-quality')
-        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
+        uses: actions/github-script@v8
        env:
          SARIF_PATH: '${{ runner.temp }}/results/javascript.quality.sarif'
          EXPECT_PRESENT: 'true'
@@ -70,13 +70,13 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@v6
      - name: Install .NET
-        uses: actions/setup-dotnet@9a946fdbd5fb07b82b2f5a4466058b876ab72bb2 # v5.3.0
+        uses: actions/setup-dotnet@v5
        with:
          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - name: Install Go
-        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
+        uses: actions/setup-go@v6
        with:
          go-version: ${{ inputs.go-version || '>=1.21.0' }}
          cache: false
@@ -64,9 +64,9 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@v6
      - name: Install .NET
-        uses: actions/setup-dotnet@9a946fdbd5fb07b82b2f5a4466058b876ab72bb2 # v5.3.0
+        uses: actions/setup-dotnet@v5
        with:
          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - name: Prepare test
@@ -66,9 +66,9 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@v6
      - name: Install Java
-        uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0
+        uses: actions/setup-java@v5
        with:
          java-version: ${{ inputs.java-version || '17' }}
          distribution: temurin
@@ -50,7 +50,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@v6
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -66,9 +66,9 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@v6
      - name: Install Java
-        uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0
+        uses: actions/setup-java@v5
        with:
          java-version: ${{ inputs.java-version || '17' }}
          distribution: temurin
@@ -70,13 +70,13 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@v6
      - name: Install .NET
-        uses: actions/setup-dotnet@9a946fdbd5fb07b82b2f5a4466058b876ab72bb2 # v5.3.0
+        uses: actions/setup-dotnet@v5
        with:
          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - name: Install Go
-        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
+        uses: actions/setup-go@v6
        with:
          go-version: ${{ inputs.go-version || '>=1.21.0' }}
          cache: false
@@ -52,7 +52,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@v6
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -50,7 +50,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@v6
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -50,7 +50,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@v6
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -50,7 +50,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@v6
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -62,7 +62,7 @@ jobs:
        run: npm install @actions/tool-cache@3
      - name: Check toolcache contains CodeQL
        continue-on-error: true
-        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
+        uses: actions/github-script@v8
        with:
          script: |
            const toolcache = require('@actions/tool-cache');
@@ -75,7 +75,7 @@ jobs:
        with:
          tools: ${{ steps.prepare-test.outputs.tools-url }}
      - name: Check CodeQL is installed within the toolcache
-        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
+        uses: actions/github-script@v8
        with:
          script: |
            const toolcache = require('@actions/tool-cache');
@@ -54,7 +54,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@v6
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -63,7 +63,7 @@ jobs:
          use-all-platform-bundle: 'false'
          setup-kotlin: 'true'
      - name: Remove CodeQL from toolcache
-        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
+        uses: actions/github-script@v8
        with:
          script: |
            const fs = require('fs');
@@ -73,7 +73,7 @@ jobs:
      - name: Install @actions/tool-cache
        run: npm install @actions/tool-cache@3
      - name: Check toolcache does not contain CodeQL
-        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
+        uses: actions/github-script@v8
        with:
          script: |
            const toolcache = require('@actions/tool-cache');
@@ -92,7 +92,7 @@ jobs:
          output: ${{ runner.temp }}/results
          upload-database: false
      - name: Check CodeQL is installed within the toolcache
-        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
+        uses: actions/github-script@v8
        with:
          script: |
            const toolcache = require('@actions/tool-cache');
@@ -54,7 +54,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@v6
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -63,7 +63,7 @@ jobs:
          use-all-platform-bundle: 'false'
          setup-kotlin: 'true'
      - name: Remove CodeQL from toolcache
-        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
+        uses: actions/github-script@v8
        with:
          script: |
            const fs = require('fs');
@@ -82,13 +82,13 @@ jobs:
          output: ${{ runner.temp }}/results
          upload-database: false
      - name: Upload SARIF
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+        uses: actions/upload-artifact@v7
        with:
          name: ${{ matrix.os }}-zstd-bundle.sarif
          path: ${{ runner.temp }}/results/javascript.sarif
          retention-days: 7
      - name: Check diagnostic with expected tools URL appears in SARIF
-        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
+        uses: actions/github-script@v8
        env:
          SARIF_PATH: ${{ runner.temp }}/results/javascript.sarif
        with:
@@ -50,7 +50,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@v6
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -52,7 +52,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@v6
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -70,13 +70,13 @@ jobs:
          output: '${{ runner.temp }}/results'
          upload-database: false
      - name: Upload SARIF
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+        uses: actions/upload-artifact@v7
        with:
          name: config-export-${{ matrix.os }}-${{ matrix.version }}.sarif.json
          path: '${{ runner.temp }}/results/javascript.sarif'
          retention-days: 7
      - name: Check config properties appear in SARIF
-        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
+        uses: actions/github-script@v8
        env:
          SARIF_PATH: '${{ runner.temp }}/results/javascript.sarif'
        with:
@@ -50,9 +50,9 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@v6
      - name: Install Node.js
-        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
+        uses: actions/setup-node@v6
        with:
          node-version: 20.x
          cache: npm
@@ -54,7 +54,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@v6
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -52,7 +52,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@v6
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -54,7 +54,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@v6
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -52,7 +52,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@v6
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -81,13 +81,13 @@ jobs:
          output: '${{ runner.temp }}/results'
          upload-database: false
      - name: Upload SARIF
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+        uses: actions/upload-artifact@v7
        with:
          name: diagnostics-export-${{ matrix.os }}-${{ matrix.version }}.sarif.json
          path: '${{ runner.temp }}/results/javascript.sarif'
          retention-days: 7
      - name: Check diagnostics appear in SARIF
-        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
+        uses: actions/github-script@v8
        env:
          SARIF_PATH: '${{ runner.temp }}/results/javascript.sarif'
        with:
@@ -74,13 +74,13 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@v6
      - name: Install .NET
-        uses: actions/setup-dotnet@9a946fdbd5fb07b82b2f5a4466058b876ab72bb2 # v5.3.0
+        uses: actions/setup-dotnet@v5
        with:
          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - name: Install Go
-        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
+        uses: actions/setup-go@v6
        with:
          go-version: ${{ inputs.go-version || '>=1.21.0' }}
          cache: false
@@ -102,7 +102,7 @@ jobs:
        with:
          output: '${{ runner.temp }}/results'
      - name: Upload SARIF
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+        uses: actions/upload-artifact@v7
        with:
          name: with-baseline-information-${{ matrix.os }}-${{ matrix.version }}.sarif.json
          path: '${{ runner.temp }}/results/javascript.sarif'
@@ -50,7 +50,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@v6
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -52,7 +52,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@v6
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -72,13 +72,13 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@v6
      - name: Install .NET
-        uses: actions/setup-dotnet@9a946fdbd5fb07b82b2f5a4466058b876ab72bb2 # v5.3.0
+        uses: actions/setup-dotnet@v5
        with:
          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - name: Install Go
-        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
+        uses: actions/setup-go@v6
        with:
          go-version: ${{ inputs.go-version || '>=1.21.0' }}
          cache: false
@@ -60,9 +60,9 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@v6
      - name: Install Go
-        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
+        uses: actions/setup-go@v6
        with:
          go-version: ${{ inputs.go-version || '>=1.21.0' }}
          cache: false
@@ -78,7 +78,7 @@ jobs:
          languages: go
          tools: ${{ steps.prepare-test.outputs.tools-url }}
      # Deliberately change Go after the `init` step
-      - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
+      - uses: actions/setup-go@v6
        with:
          go-version: '1.20'
      - name: Build code
@@ -88,7 +88,7 @@ jobs:
          output: '${{ runner.temp }}/results'
          upload-database: false
      - name: Check diagnostic appears in SARIF
-        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
+        uses: actions/github-script@v8
        env:
          SARIF_PATH: '${{ runner.temp }}/results/go.sarif'
        with:
@@ -60,9 +60,9 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@v6
      - name: Install Go
-        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
+        uses: actions/setup-go@v6
        with:
          go-version: ${{ inputs.go-version || '>=1.21.0' }}
          cache: false
@@ -89,7 +89,7 @@ jobs:
          output: '${{ runner.temp }}/results'
          upload-database: false
      - name: Check diagnostic appears in SARIF
-        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
+        uses: actions/github-script@v8
        env:
          SARIF_PATH: '${{ runner.temp }}/results/go.sarif'
        with:
@@ -60,9 +60,9 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@v6
      - name: Install Go
-        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
+        uses: actions/setup-go@v6
        with:
          go-version: ${{ inputs.go-version || '>=1.21.0' }}
          cache: false
@@ -80,9 +80,9 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@v6
      - name: Install Go
-        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
+        uses: actions/setup-go@v6
        with:
          go-version: ${{ inputs.go-version || '>=1.21.0' }}
          cache: false
@@ -80,9 +80,9 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@v6
      - name: Install Go
-        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
+        uses: actions/setup-go@v6
        with:
          go-version: ${{ inputs.go-version || '>=1.21.0' }}
          cache: false
@@ -80,9 +80,9 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@v6
      - name: Install Go
-        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
+        uses: actions/setup-go@v6
        with:
          go-version: ${{ inputs.go-version || '>=1.21.0' }}
          cache: false
@@ -54,7 +54,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@v6
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -54,7 +54,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@v6
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -50,7 +50,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@v6
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -67,7 +67,7 @@ jobs:
        with:
          output: '${{ runner.temp }}/results'
      - name: Upload SARIF
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+        uses: actions/upload-artifact@v7
        with:
          name: ${{ matrix.os }}-${{ matrix.version }}.sarif.json
          path: '${{ runner.temp }}/results/javascript.sarif'
@@ -50,7 +50,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@v6
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -70,13 +70,13 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@v6
      - name: Install .NET
-        uses: actions/setup-dotnet@9a946fdbd5fb07b82b2f5a4466058b876ab72bb2 # v5.3.0
+        uses: actions/setup-dotnet@v5
        with:
          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - name: Install Go
-        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
+        uses: actions/setup-go@v6
        with:
          go-version: ${{ inputs.go-version || '>=1.21.0' }}
          cache: false
@@ -104,13 +104,13 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@v6
      - name: Install .NET
-        uses: actions/setup-dotnet@9a946fdbd5fb07b82b2f5a4466058b876ab72bb2 # v5.3.0
+        uses: actions/setup-dotnet@v5
        with:
          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - name: Install Go
-        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
+        uses: actions/setup-go@v6
        with:
          go-version: ${{ inputs.go-version || '>=1.21.0' }}
          cache: false
@@ -125,7 +125,7 @@ jobs:
        # We need Python 3.13 for older CLI versions because they are not compatible with Python 3.14 or newer.
        # See https://github.com/github/codeql-action/pull/3212
        if: matrix.version != 'nightly-latest' && matrix.version != 'linked'
-        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
+        uses: actions/setup-python@v6
        with:
          python-version: '3.13'

@@ -52,7 +52,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@v6
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -74,18 +74,18 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@v6
      - name: Install .NET
-        uses: actions/setup-dotnet@9a946fdbd5fb07b82b2f5a4466058b876ab72bb2 # v5.3.0
+        uses: actions/setup-dotnet@v5
        with:
          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - name: Install Go
-        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
+        uses: actions/setup-go@v6
        with:
          go-version: ${{ inputs.go-version || '>=1.21.0' }}
          cache: false
      - name: Install Node.js
-        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
+        uses: actions/setup-node@v6
        with:
          node-version: 20.x
          cache: npm
@@ -74,18 +74,18 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@v6
      - name: Install .NET
-        uses: actions/setup-dotnet@9a946fdbd5fb07b82b2f5a4466058b876ab72bb2 # v5.3.0
+        uses: actions/setup-dotnet@v5
        with:
          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - name: Install Go
-        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
+        uses: actions/setup-go@v6
        with:
          go-version: ${{ inputs.go-version || '>=1.21.0' }}
          cache: false
      - name: Install Node.js
-        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
+        uses: actions/setup-node@v6
        with:
          node-version: 20.x
          cache: npm
@@ -74,18 +74,18 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@v6
      - name: Install .NET
-        uses: actions/setup-dotnet@9a946fdbd5fb07b82b2f5a4466058b876ab72bb2 # v5.3.0
+        uses: actions/setup-dotnet@v5
        with:
          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - name: Install Go
-        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
+        uses: actions/setup-go@v6
        with:
          go-version: ${{ inputs.go-version || '>=1.21.0' }}
          cache: false
      - name: Install Node.js
-        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
+        uses: actions/setup-node@v6
        with:
          node-version: 20.x
          cache: npm
@@ -74,18 +74,18 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@v6
      - name: Install .NET
-        uses: actions/setup-dotnet@9a946fdbd5fb07b82b2f5a4466058b876ab72bb2 # v5.3.0
+        uses: actions/setup-dotnet@v5
        with:
          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - name: Install Go
-        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
+        uses: actions/setup-go@v6
        with:
          go-version: ${{ inputs.go-version || '>=1.21.0' }}
          cache: false
      - name: Install Node.js
-        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
+        uses: actions/setup-node@v6
        with:
          node-version: 20.x
          cache: npm
@@ -72,13 +72,13 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@v6
      - name: Install .NET
-        uses: actions/setup-dotnet@9a946fdbd5fb07b82b2f5a4466058b876ab72bb2 # v5.3.0
+        uses: actions/setup-dotnet@v5
        with:
          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - name: Install Go
-        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
+        uses: actions/setup-go@v6
        with:
          go-version: ${{ inputs.go-version || '>=1.21.0' }}
          cache: false
@@ -54,7 +54,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@v6
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -50,7 +50,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@v6
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -59,7 +59,7 @@ jobs:
          use-all-platform-bundle: 'false'
          setup-kotlin: 'true'
      - name: Set up Ruby
-        uses: ruby/setup-ruby@afeafc3d1ab54a631816aba4c914a0081c12ff2f # v1.310.0
+        uses: ruby/setup-ruby@6aaa311d81eba98ae12eaffbcb63296ace0efcde # v1.307.0
        with:
          ruby-version: 2.6
      - name: Install Code Scanning integration
@@ -60,7 +60,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@v6
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -58,7 +58,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@v6
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -80,13 +80,13 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@v6
      - name: Install .NET
-        uses: actions/setup-dotnet@9a946fdbd5fb07b82b2f5a4466058b876ab72bb2 # v5.3.0
+        uses: actions/setup-dotnet@v5
        with:
          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - name: Install Go
-        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
+        uses: actions/setup-go@v6
        with:
          go-version: ${{ inputs.go-version || '>=1.21.0' }}
          cache: false
@@ -54,7 +54,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@v6
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -54,7 +54,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@v6
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -62,7 +62,7 @@ jobs:
          version: ${{ matrix.version }}
          use-all-platform-bundle: 'false'
          setup-kotlin: 'true'
-      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+      - uses: actions/checkout@v6
      - uses: ./init
        with:
          languages: javascript
@@ -50,7 +50,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@v6
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -74,13 +74,13 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@v6
      - name: Install .NET
-        uses: actions/setup-dotnet@9a946fdbd5fb07b82b2f5a4466058b876ab72bb2 # v5.3.0
+        uses: actions/setup-dotnet@v5
        with:
          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - name: Install Go
-        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
+        uses: actions/setup-go@v6
        with:
          go-version: ${{ inputs.go-version || '>=1.21.0' }}
          cache: false
@@ -72,13 +72,13 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@v6
      - name: Install .NET
-        uses: actions/setup-dotnet@9a946fdbd5fb07b82b2f5a4466058b876ab72bb2 # v5.3.0
+        uses: actions/setup-dotnet@v5
        with:
          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - name: Install Go
-        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
+        uses: actions/setup-go@v6
        with:
          go-version: ${{ inputs.go-version || '>=1.21.0' }}
          cache: false
@@ -70,13 +70,13 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@v6
      - name: Install .NET
-        uses: actions/setup-dotnet@9a946fdbd5fb07b82b2f5a4466058b876ab72bb2 # v5.3.0
+        uses: actions/setup-dotnet@v5
        with:
          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - name: Install Go
-        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
+        uses: actions/setup-go@v6
        with:
          go-version: ${{ inputs.go-version || '>=1.21.0' }}
          cache: false
@@ -77,13 +77,13 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@v6
      - name: Install .NET
-        uses: actions/setup-dotnet@9a946fdbd5fb07b82b2f5a4466058b876ab72bb2 # v5.3.0
+        uses: actions/setup-dotnet@v5
        with:
          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - name: Install Go
-        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
+        uses: actions/setup-go@v6
        with:
          go-version: ${{ inputs.go-version || '>=1.21.0' }}
          cache: false
@@ -71,13 +71,13 @@ jobs:
    steps:
      # This ensures we don't accidentally use the original checkout for any part of the test.
      - name: Check out repository
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@v6
      - name: Install .NET
-        uses: actions/setup-dotnet@9a946fdbd5fb07b82b2f5a4466058b876ab72bb2 # v5.3.0
+        uses: actions/setup-dotnet@v5
        with:
          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - name: Install Go
-        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
+        uses: actions/setup-go@v6
        with:
          go-version: ${{ inputs.go-version || '>=1.21.0' }}
          cache: false
@@ -96,7 +96,7 @@ jobs:
          rm -rf ./* .github .git
      # Check out the actions repo again, but at a different location.
      # choose an arbitrary SHA so that we can later test that the commit_oid is not from main
-      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+      - uses: actions/checkout@v6
        with:
          ref: 474bbf07f9247ffe1856c6a0f94aeeb10e7afee6
          path: x/y/z/some-path
@@ -26,7 +26,7 @@ jobs:

    steps:
      - name: Checkout CodeQL Action
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@v6
      - name: Check Expected Release Files
        run: |
          bundle_version="$(cat "./src/defaults.json" | jq -r ".bundleVersion")"
@@ -35,7 +35,7 @@ jobs:
      security-events: read

    steps:
-    - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+    - uses: actions/checkout@v6
    - name: Set up default CodeQL bundle
      id: setup-default
      uses: ./setup-codeql
@@ -87,7 +87,7 @@ jobs:

    steps:
    - name: Checkout
-      uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+      uses: actions/checkout@v6
    - name: Initialize CodeQL
      uses: ./init
      id: init
@@ -124,7 +124,7 @@ jobs:

    steps:
    - name: Checkout
-      uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+      uses: actions/checkout@v6
    - name: Initialize CodeQL
      uses: ./init
      with:
@@ -59,10 +59,10 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
    - name: Check out repository
-      uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+      uses: actions/checkout@v6

    - name: Set up Node.js
-      uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
+      uses: actions/setup-node@v6
      with:
        node-version: 24
        cache: 'npm'
@@ -53,17 +53,17 @@ jobs:
      - name: Dump GitHub event
        run: cat "${GITHUB_EVENT_PATH}"
      - name: Check out repository
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@v6
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
        with:
          version: ${{ matrix.version }}
-      - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
+      - uses: actions/setup-go@v6
        with:
          go-version: ^1.13.1
      - name: Install .NET
-        uses: actions/setup-dotnet@9a946fdbd5fb07b82b2f5a4466058b876ab72bb2 # v5.3.0
+        uses: actions/setup-dotnet@v5
        with:
          dotnet-version: '9.x'
      - name: Assert best-effort artifact scan completed
@@ -94,7 +94,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Download all artifacts
-        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
+        uses: actions/download-artifact@v8
      - name: Check expected artifacts exist
        run: |
          LANGUAGES="cpp csharp go java javascript python"
@@ -49,17 +49,17 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Check out repository
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@v6
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
        with:
          version: ${{ matrix.version }}
-      - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
+      - uses: actions/setup-go@v6
        with:
          go-version: ^1.13.1
      - name: Install .NET
-        uses: actions/setup-dotnet@9a946fdbd5fb07b82b2f5a4466058b876ab72bb2 # v5.3.0
+        uses: actions/setup-dotnet@v5
        with:
          dotnet-version: '9.x'
      - name: Assert best-effort artifact scan completed
@@ -87,7 +87,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Download all artifacts
-        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
+        uses: actions/download-artifact@v8
      - name: Check expected artifacts exist
        run: |
          VERSIONS="stable-v2.20.3 default linked nightly-latest"
@@ -44,14 +44,14 @@ jobs:
          GITHUB_CONTEXT: '${{ toJson(github) }}'
        run: echo "${GITHUB_CONTEXT}"

-      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+      - uses: actions/checkout@v6
        with:
          fetch-depth: 0  # ensure we have all tags and can push commits
-      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
+      - uses: actions/setup-node@v6
        with:
          node-version: 24
          cache: 'npm'
-      - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
+      - uses: actions/setup-python@v6
        with:
          python-version: '3.12'

@@ -134,7 +134,7 @@ jobs:
          echo "::endgroup::"

      - name: Generate token
-        uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
+        uses: actions/create-github-app-token@v3.2.0
        id: app-token
        with:
          app-id: ${{ vars.AUTOMATION_APP_ID }}
@@ -42,10 +42,10 @@ jobs:
        if: runner.os == 'Windows'
        run: git config --global core.autocrlf false

-      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+      - uses: actions/checkout@v6

      - name: Set up Node.js
-        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
+        uses: actions/setup-node@v6
        with:
          node-version: ${{ matrix.node-version }}
          cache: 'npm'
@@ -91,10 +91,10 @@ jobs:

    steps:
      - name: Checkout repository
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@v6

      - name: Set up Node.js
-        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
+        uses: actions/setup-node@v6
        with:
          node-version: 24
          cache: 'npm'
@@ -155,7 +155,7 @@ jobs:

      - name: Upload repo size comment
        if: steps.fetch-base.outcome == 'success'
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+        uses: actions/upload-artifact@v7
        with:
          name: repo-size-comment
          path: ${{ runner.temp }}/repo-size/
@@ -164,7 +164,7 @@ jobs:
      - name: 'Backport: Check out base ref'
        id: checkout-base
        if: ${{ startsWith(github.head_ref, 'backport-') }}
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@v6
        with:
          ref: ${{ github.base_ref }}

@@ -203,7 +203,7 @@ jobs:

    steps:
      - name: Download repo size comment
-        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
+        uses: actions/download-artifact@v8
        with:
          name: repo-size-comment
          path: repo-size-comment
@@ -44,7 +44,7 @@ jobs:

    steps:
      - name: Checkout repository
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@v6
        with:
          fetch-depth: 0 # Need full history for calculation of diffs

@@ -20,8 +20,8 @@ jobs:

    steps:
      - name: Checkout repository
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@v6

      - name: Publish immutable release
        id: publish
-        uses: actions/publish-immutable-action@4bc8754ffc40f27910afb20287dbbbb675a4e978 # v0.0.4
+        uses: actions/publish-immutable-action@v0.0.4
@@ -35,11 +35,11 @@ jobs:
    runs-on: windows-latest

    steps:
-    - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
+    - uses: actions/setup-python@v6
      with:
        python-version: 3.12

-    - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+    - uses: actions/checkout@v6

    - name: Prepare test
      uses: ./.github/actions/prepare-test
@@ -35,10 +35,10 @@ jobs:
      contents: read # This permission is needed to allow the GitHub Actions workflow to read the contents of the repository.
    steps:
    - name: Check out repository
-      uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+      uses: actions/checkout@v6

    - name: Install Node.js
-      uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
+      uses: actions/setup-node@v6
      with:
        node-version: 24
        cache: npm
@@ -24,13 +24,13 @@ jobs:
      pull-requests: write # needed to comment on the PR
    steps:
      - name: Checkout
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@v6
        with:
          fetch-depth: 0
          ref: ${{ env.HEAD_REF }}

      - name: Set up Node.js
-        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
+        uses: actions/setup-node@v6
        with:
          node-version: 24
          cache: 'npm'
@@ -52,7 +52,7 @@ jobs:

    steps:
      - name: Checkout repository
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@v6
        with:
          fetch-depth: 0 # Need full history for calculation of diffs

@@ -136,7 +136,7 @@ jobs:

      - name: Generate token
        if: github.event_name == 'workflow_dispatch'
-        uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
+        uses: actions/create-github-app-token@v3.2.0
        id: app-token
        with:
          app-id: ${{ vars.AUTOMATION_APP_ID }}
@@ -43,7 +43,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
    - name: Check out repository
-      uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+      uses: actions/checkout@v6
    - name: Prepare test
      id: prepare-test
      uses: ./.github/actions/prepare-test
@@ -51,7 +51,7 @@ jobs:
        version: ${{ matrix.version }}
        use-all-platform-bundle: true
    - name: Install .NET
-      uses: actions/setup-dotnet@9a946fdbd5fb07b82b2f5a4466058b876ab72bb2 # v5.3.0
+      uses: actions/setup-dotnet@v5
      with:
        dotnet-version: '9.x'
    - id: init
@@ -33,7 +33,7 @@ jobs:
          GITHUB_CONTEXT: '${{ toJson(github) }}'
        run: echo "$GITHUB_CONTEXT"

-      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+      - uses: actions/checkout@v6

      - name: Update git config
        run: |
@@ -41,12 +41,12 @@ jobs:
          git config --global user.name "github-actions[bot]"

      - name: Set up Python
-        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
+        uses: actions/setup-python@v6
        with:
          python-version: '3.12'

      - name: Set up Node.js
-        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
+        uses: actions/setup-node@v6
        with:
          node-version: 24
          cache: 'npm'
@@ -38,7 +38,7 @@ jobs:
      contents: write # needed to push commits
      pull-requests: write # needed to create pull request
    steps:
-    - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+    - uses: actions/checkout@v6
      with:
        fetch-depth: 0  # Need full history for calculation of diffs
    - uses: ./.github/actions/release-initialise
@@ -94,14 +94,14 @@ jobs:
      pull-requests: write # needed to create pull request
    steps:
    - name: Generate token
-      uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
+      uses: actions/create-github-app-token@v3.2.0
      id: app-token
      with:
        app-id: ${{ vars.AUTOMATION_APP_ID }}
        private-key: ${{ secrets.AUTOMATION_PRIVATE_KEY }}

    - name: Checkout
-      uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+      uses: actions/checkout@v6
      with:
        fetch-depth: 0  # Need full history for calculation of diffs
        token: ${{ steps.app-token.outputs.token }}
@@ -23,13 +23,13 @@ jobs:

    steps:
      - name: Setup Python
-        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
+        uses: actions/setup-python@v6
        with:
          python-version: "3.13"
      - name: Checkout CodeQL Action
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@v6
      - name: Checkout Enterprise Releases
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@v6
        with:
          repository: github/enterprise-releases
          token: ${{ secrets.ENTERPRISE_RELEASE_TOKEN }}
@@ -4,11 +4,7 @@ See the [releases page](https://github.com/github/codeql-action/releases) for th

 ## [UNRELEASED]

-No user facing changes.
-
-## 4.36.1 - 02 Jun 2026
-
-No user facing changes.
+- Organizations can create a custom repository property named `github-codeql-tools` to set a default CodeQL CLI tools value. You can optionally set `github-codeql-tools-mode` to control scope: use `enforce` (default) to apply to all workflows, or `dynamic` to apply only to dynamic workflows. If a workflow provides an explicit `tools:` input, that input takes precedence. For more information, see [Managing custom properties for repositories in your organization](https://docs.github.com/en/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization), [Repository properties for Code Scanning](https://docs.github.com/en/code-security/concepts/code-scanning/repository-properties) and [Customizing your advanced setup for code scanning](https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning).

 ## 4.36.0 - 22 May 2026

@@ -148366,7 +148366,7 @@ function getDiffRangesJsonFilePath() {
  return path2.join(getTemporaryDirectory(), PR_DIFF_RANGE_JSON_FILENAME);
 }
 function getActionVersion() {
-  return "4.36.2";
+  return "4.36.1";
 }
 function getWorkflowEventName() {
  return getRequiredEnvParam("GITHUB_EVENT_NAME");
@@ -150410,11 +150410,14 @@ function getUnknownLanguagesError(languages) {
 }

 // src/feature-flags/properties.ts
+var github2 = __toESM(require_github());
 var GITHUB_CODEQL_PROPERTY_PREFIX = "github-codeql-";
 var RepositoryPropertyName = /* @__PURE__ */ ((RepositoryPropertyName2) => {
  RepositoryPropertyName2["DISABLE_OVERLAY"] = "github-codeql-disable-overlay";
  RepositoryPropertyName2["EXTRA_QUERIES"] = "github-codeql-extra-queries";
  RepositoryPropertyName2["FILE_COVERAGE_ON_PRS"] = "github-codeql-file-coverage-on-prs";
+  RepositoryPropertyName2["TOOLS"] = "github-codeql-tools";
+  RepositoryPropertyName2["TOOLS_MODE"] = "github-codeql-tools-mode";
  return RepositoryPropertyName2;
 })(RepositoryPropertyName || {});
 function isString2(value) {
@@ -150432,7 +150435,12 @@ var booleanProperty = {
 var repositoryPropertyParsers = {
  ["github-codeql-disable-overlay" /* DISABLE_OVERLAY */]: booleanProperty,
  ["github-codeql-extra-queries" /* EXTRA_QUERIES */]: stringProperty,
-  ["github-codeql-file-coverage-on-prs" /* FILE_COVERAGE_ON_PRS */]: booleanProperty
+  ["github-codeql-file-coverage-on-prs" /* FILE_COVERAGE_ON_PRS */]: booleanProperty,
+  ["github-codeql-tools" /* TOOLS */]: stringProperty,
+  ["github-codeql-tools-mode" /* TOOLS_MODE */]: {
+    validate: isString2,
+    parse: parseToolsModeRepositoryProperty
+  }
 };
 async function loadPropertiesFromApi(logger, repositoryNwo) {
  try {
@@ -150485,6 +150493,26 @@ async function loadPropertiesFromApi(logger, repositoryNwo) {
    );
  }
 }
+async function loadRepositoryProperties(repositoryNwo, logger) {
+  const repositoryOwnerType = github2.context.payload.repository?.owner.type;
+  logger.debug(
+    `Repository owner type is '${repositoryOwnerType ?? "unknown"}'.`
+  );
+  if (repositoryOwnerType === "User") {
+    logger.debug(
+      "Skipping loading repository properties because the repository is owned by a user and therefore cannot have repository properties."
+    );
+    return new Success({});
+  }
+  try {
+    return new Success(await loadPropertiesFromApi(logger, repositoryNwo));
+  } catch (error3) {
+    logger.info(
+      `Failed to load repository properties: ${getErrorMessage(error3)}`
+    );
+    return new Failure(error3);
+  }
+}
 function setProperty2(properties, name, value, logger) {
  const propertyOptions = repositoryPropertyParsers[name];
  if (propertyOptions.validate(value)) {
@@ -150506,6 +150534,15 @@ function parseBooleanRepositoryProperty(name, value, logger) {
 function parseStringRepositoryProperty(_name, value) {
  return value;
 }
+function parseToolsModeRepositoryProperty(name, value, logger) {
+  if (value !== "dynamic" /* Dynamic */ && value !== "enforce" /* Enforce */) {
+    logger.warning(
+      `Repository property '${name}' has unexpected value '${value}'. Expected 'dynamic' or 'enforce'. Defaulting to 'enforce'.`
+    );
+    return "enforce" /* Enforce */;
+  }
+  return value;
+}
 var KNOWN_REPOSITORY_PROPERTY_NAMES = new Set(
  Object.values(RepositoryPropertyName)
 );
@@ -151711,7 +151748,6 @@ async function initActionState({
    extraQueryExclusions: [],
    overlayDatabaseMode: "none" /* None */,
    useOverlayDatabaseCaching: false,
-    overlayModeSetExplicitly: false,
    repositoryProperties,
    enableFileCoverageInformation
  };
@@ -151840,7 +151876,6 @@ async function checkOverlayEnablement(codeql, features, languages, sourceRoot, b
    return validateOverlayDatabaseMode(
      modeEnv,
      false,
-      true,
      codeql,
      languages,
      sourceRoot,
@@ -151915,7 +151950,6 @@ async function checkOverlayEnablement(codeql, features, languages, sourceRoot, b
  return validateOverlayDatabaseMode(
    overlayDatabaseMode,
    true,
-    false,
    codeql,
    languages,
    sourceRoot,
@@ -151924,7 +151958,7 @@ async function checkOverlayEnablement(codeql, features, languages, sourceRoot, b
    logger
  );
 }
-async function validateOverlayDatabaseMode(overlayDatabaseMode, useOverlayDatabaseCaching, overlayModeSetExplicitly, codeql, languages, sourceRoot, buildMode, gitVersion, logger) {
+async function validateOverlayDatabaseMode(overlayDatabaseMode, useOverlayDatabaseCaching, codeql, languages, sourceRoot, buildMode, gitVersion, logger) {
  if (buildMode !== "none" /* None */ && (await Promise.all(
    languages.map(
      async (l) => l !== "go" /* go */ && // Workaround to allow overlay analysis for Go with any build
@@ -151968,8 +152002,7 @@ async function validateOverlayDatabaseMode(overlayDatabaseMode, useOverlayDataba
  }
  return new Success({
    overlayDatabaseMode,
-    useOverlayDatabaseCaching,
-    overlayModeSetExplicitly
+    useOverlayDatabaseCaching
  });
 }
 async function isTrapCachingEnabled(features, overlayDatabaseMode) {
@@ -152007,7 +152040,7 @@ function hasQueryCustomisation(userConfig) {
  return isDefined2(userConfig["disable-default-queries"]) || isDefined2(userConfig.queries) || isDefined2(userConfig["query-filters"]);
 }
 async function applyIncrementalAnalysisSettings(config, hasDiffRanges, codeql, logger) {
-  if (config.overlayDatabaseMode === "overlay" /* Overlay */ && !hasDiffRanges && !config.overlayModeSetExplicitly) {
+  if (config.overlayDatabaseMode === "overlay" /* Overlay */ && !hasDiffRanges) {
    logger.info(
      `Reverting overlay database mode to ${"none" /* None */} because the PR diff ranges could not be computed.`
    );
@@ -152115,17 +152148,12 @@ async function initConfig(features, inputs) {
    logger
  );
  if (overlayDatabaseModeResult.isSuccess()) {
-    const {
-      overlayDatabaseMode,
-      useOverlayDatabaseCaching,
-      overlayModeSetExplicitly
-    } = overlayDatabaseModeResult.value;
+    const { overlayDatabaseMode, useOverlayDatabaseCaching } = overlayDatabaseModeResult.value;
    logger.info(
      `Using overlay database mode: ${overlayDatabaseMode} ${useOverlayDatabaseCaching ? "with" : "without"} caching.`
    );
    config.overlayDatabaseMode = overlayDatabaseMode;
    config.useOverlayDatabaseCaching = useOverlayDatabaseCaching;
-    config.overlayModeSetExplicitly = overlayModeSetExplicitly;
  } else {
    const overlayDisabledReason = overlayDatabaseModeResult.value;
    logger.info(
@@ -153385,7 +153413,7 @@ async function getCodeQLSource(toolsInput, defaultCliVersion, rawLanguages, useO
        );
      } else {
        if (allowToolcacheValueFF) {
-          logger.warning(
+          logger.info(
            `Ignoring 'tools: ${toolsInput}' because the workflow was not triggered dynamically.`
          );
        } else {
@@ -156726,7 +156754,7 @@ var fs19 = __toESM(require("fs"));
 var path17 = __toESM(require("path"));
 var core14 = __toESM(require_core());
 var toolrunner4 = __toESM(require_toolrunner());
-var github2 = __toESM(require_github());
+var github3 = __toESM(require_github());
 var io6 = __toESM(require_io());
 async function initCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliVersion, rawLanguages, useOverlayAwareDefaultCliVersion, features, logger) {
  logger.startGroup("Setup CodeQL tools");
@@ -156930,7 +156958,7 @@ function logFileCoverageOnPrsDeprecationWarning(logger) {
  if (process.env["CODEQL_ACTION_DID_LOG_FILE_COVERAGE_ON_PRS_DEPRECATION" /* DID_LOG_FILE_COVERAGE_ON_PRS_DEPRECATION */]) {
    return;
  }
-  const repositoryOwnerType = github2.context.payload.repository?.owner.type;
+  const repositoryOwnerType = github3.context.payload.repository?.owner.type;
  let message = "Starting April 2026, the CodeQL Action will skip computing file coverage information on pull requests to improve analysis performance. File coverage information will still be computed on non-PR analyses.";
  const envVarOptOut = "set the `CODEQL_ACTION_FILE_COVERAGE_ON_PRS` environment variable to `true`.";
  const repoPropertyOptOut = 'create a custom repository property with the name `github-codeql-file-coverage-on-prs` and the type "True/false", then set this property to `true` in the repository\'s settings.';
@@ -158714,10 +158742,50 @@ async function runWrapper3() {
 var fs27 = __toESM(require("fs"));
 var path23 = __toESM(require("path"));
 var core21 = __toESM(require_core());
-var github3 = __toESM(require_github());
 var io7 = __toESM(require_io());
 var semver10 = __toESM(require_semver2());

+// src/config/resolve-tools-input.ts
+function resolveToolsInputWithMetadata(toolsWorkflowInput, isDynamicWorkflow2, repositoryProperties, logger) {
+  if (toolsWorkflowInput) {
+    logger.info(
+      `Setting tools: ${toolsWorkflowInput} based on workflow input.`
+    );
+    return {
+      effectiveToolsInput: toolsWorkflowInput,
+      effectiveToolsInputSource: "workflow-input" /* WorkflowInput */,
+      toolsRepoPropertyMode: void 0
+    };
+  }
+  const toolsPropertyValue = repositoryProperties["github-codeql-tools" /* TOOLS */];
+  const toolsMode = repositoryProperties["github-codeql-tools-mode" /* TOOLS_MODE */] ?? "enforce" /* Enforce */;
+  if (toolsPropertyValue && toolsMode === "dynamic" /* Dynamic */ && !isDynamicWorkflow2) {
+    logger.info(
+      `Ignoring '${"github-codeql-tools" /* TOOLS */}' repository property because '${"github-codeql-tools-mode" /* TOOLS_MODE */}' is set to '${toolsMode}' and this is not a dynamic workflow.`
+    );
+    return {
+      effectiveToolsInput: void 0,
+      effectiveToolsInputSource: "none" /* None */,
+      toolsRepoPropertyMode: toolsMode
+    };
+  }
+  if (toolsPropertyValue) {
+    logger.info(
+      `Setting tools: ${toolsPropertyValue} based on the '${"github-codeql-tools" /* TOOLS */}' repository property (mode: '${toolsMode}').`
+    );
+    return {
+      effectiveToolsInput: toolsPropertyValue,
+      effectiveToolsInputSource: "repository-property" /* RepositoryProperty */,
+      toolsRepoPropertyMode: toolsMode
+    };
+  }
+  return {
+    effectiveToolsInput: void 0,
+    effectiveToolsInputSource: "none" /* None */,
+    toolsRepoPropertyMode: void 0
+  };
+}
+
 // src/workflow.ts
 var fs26 = __toESM(require("fs"));
 var path22 = __toESM(require("path"));
@@ -159008,7 +159076,7 @@ async function sendStartingStatusReport(startedAt, config, logger) {
    await sendStatusReport(statusReportBase);
  }
 }
-async function sendCompletedStatusReport2(startedAt, config, configFile, toolsDownloadStatusReport, toolsFeatureFlagsValid, toolsSource, toolsVersion, overlayBaseDatabaseStats, dependencyCachingResults, logger, error3) {
+async function sendCompletedStatusReport2(startedAt, config, configFile, toolsDownloadStatusReport, toolsFeatureFlagsValid, toolsSource, toolsVersion, effectiveToolsInput, effectiveToolsInputSource, toolsRepoPropertyMode, overlayBaseDatabaseStats, dependencyCachingResults, logger, error3) {
  const statusReportBase = await createStatusReportBase(
    "init" /* Init */,
    getActionsStatus(error3),
@@ -159026,6 +159094,9 @@ async function sendCompletedStatusReport2(startedAt, config, configFile, toolsDo
  const initStatusReport = {
    ...statusReportBase,
    tools_input: getOptionalInput("tools") || "",
+    effective_tools_input: effectiveToolsInput || "",
+    effective_tools_input_source: effectiveToolsInputSource,
+    tools_repo_property_mode: toolsRepoPropertyMode || "",
    tools_resolved_version: toolsVersion,
    tools_source: toolsSource || "UNKNOWN" /* Unknown */,
    workflow_languages: workflowLanguages || ""
@@ -159069,6 +159140,9 @@ async function run3(startedAt) {
  let toolsSource;
  let toolsVersion;
  let zstdAvailability;
+  let effectiveToolsInput;
+  let effectiveToolsInputSource;
+  let toolsRepoPropertyMode;
  try {
    initializeEnvironment(getActionVersion());
    persistInputs();
@@ -159092,6 +159166,7 @@ async function run3(startedAt) {
      repositoryNwo,
      logger
    );
+    const repositoryProperties = repositoryPropertiesResult.orElse({});
    const jobRunUuid = v4_default();
    logger.info(`Job run UUID is ${jobRunUuid}.`);
    core21.exportVariable("JOB_RUN_UUID" /* JOB_RUN_UUID */, jobRunUuid);
@@ -159117,12 +159192,21 @@ async function run3(startedAt) {
    }
    const codeQLDefaultVersionInfo = await features.getEnabledDefaultCliVersions(gitHubVersion.type);
    toolsFeatureFlagsValid = codeQLDefaultVersionInfo.toolsFeatureFlagsValid;
+    const resolvedToolsInput = resolveToolsInputWithMetadata(
+      getOptionalInput("tools"),
+      isDynamicWorkflow(),
+      repositoryProperties,
+      logger
+    );
+    effectiveToolsInput = resolvedToolsInput.effectiveToolsInput;
+    effectiveToolsInputSource = resolvedToolsInput.effectiveToolsInputSource;
+    toolsRepoPropertyMode = resolvedToolsInput.toolsRepoPropertyMode;
    const rawLanguages = getRawLanguagesNoAutodetect(
      getOptionalInput("languages")
    );
    const useOverlayAwareDefaultCliVersion = analysisKinds?.length === 1 && analysisKinds[0] === "code-scanning" /* CodeScanning */;
    const initCodeQLResult = await initCodeQL(
-      getOptionalInput("tools"),
+      effectiveToolsInput,
      apiDetails,
      getTemporaryDirectory(),
      gitHubVersion.type,
@@ -159158,7 +159242,6 @@ async function run3(startedAt) {
    }
    analysisKinds = await getAnalysisKinds(logger, features);
    const debugMode = getOptionalInput("debug") === "true" || core21.isDebug();
-    const repositoryProperties = repositoryPropertiesResult.orElse({});
    const fileCoverageResult = await getFileCoverageInformationEnabled(
      debugMode,
      codeql,
@@ -159456,6 +159539,9 @@ exec ${goBinaryPath} "$@"`
      toolsFeatureFlagsValid,
      toolsSource,
      toolsVersion,
+      effectiveToolsInput,
+      effectiveToolsInputSource,
+      toolsRepoPropertyMode,
      overlayBaseDatabaseStats,
      dependencyCachingStatus,
      logger,
@@ -159473,31 +159559,14 @@ exec ${goBinaryPath} "$@"`
    toolsFeatureFlagsValid,
    toolsSource,
    toolsVersion,
+    effectiveToolsInput,
+    effectiveToolsInputSource,
+    toolsRepoPropertyMode,
    overlayBaseDatabaseStats,
    dependencyCachingStatus,
    logger
  );
 }
-async function loadRepositoryProperties(repositoryNwo, logger) {
-  const repositoryOwnerType = github3.context.payload.repository?.owner.type;
-  logger.debug(
-    `Repository owner type is '${repositoryOwnerType ?? "unknown"}'.`
-  );
-  if (repositoryOwnerType === "User") {
-    logger.debug(
-      "Skipping loading repository properties because the repository is owned by a user and therefore cannot have repository properties."
-    );
-    return new Success({});
-  }
-  try {
-    return new Success(await loadPropertiesFromApi(logger, repositoryNwo));
-  } catch (error3) {
-    logger.warning(
-      `Failed to load repository properties: ${getErrorMessage(error3)}`
-    );
-    return new Failure(error3);
-  }
-}
 async function recordZstdAvailability(config, zstdAvailability) {
  addNoLanguageDiagnostic(
    config,
@@ -160066,7 +160135,7 @@ async function runWrapper6() {

 // src/setup-codeql-action.ts
 var core24 = __toESM(require_core());
-async function sendCompletedStatusReport3(startedAt, toolsDownloadStatusReport, toolsFeatureFlagsValid, toolsSource, toolsVersion, logger, error3) {
+async function sendCompletedStatusReport3(startedAt, toolsDownloadStatusReport, toolsFeatureFlagsValid, toolsSource, toolsVersion, effectiveToolsInput, effectiveToolsInputSource, toolsRepoPropertyMode, logger, error3) {
  const statusReportBase = await createStatusReportBase(
    "setup-codeql" /* SetupCodeQL */,
    getActionsStatus(error3),
@@ -160083,6 +160152,9 @@ async function sendCompletedStatusReport3(startedAt, toolsDownloadStatusReport,
  const initStatusReport = {
    ...statusReportBase,
    tools_input: getOptionalInput("tools") || "",
+    effective_tools_input: effectiveToolsInput || "",
+    effective_tools_input_source: effectiveToolsInputSource,
+    tools_repo_property_mode: toolsRepoPropertyMode || "",
    tools_resolved_version: toolsVersion,
    tools_source: toolsSource || "UNKNOWN" /* Unknown */,
    workflow_languages: ""
@@ -160103,6 +160175,9 @@ async function run6(startedAt) {
  let toolsFeatureFlagsValid;
  let toolsSource;
  let toolsVersion;
+  let effectiveToolsInput;
+  let effectiveToolsInputSource;
+  let toolsRepoPropertyMode;
  try {
    initializeEnvironment(getActionVersion());
    const apiDetails = {
@@ -160137,12 +160212,26 @@ async function run6(startedAt) {
    }
    const codeQLDefaultVersionInfo = await features.getEnabledDefaultCliVersions(gitHubVersion.type);
    toolsFeatureFlagsValid = codeQLDefaultVersionInfo.toolsFeatureFlagsValid;
+    const repositoryPropertiesResult = await loadRepositoryProperties(
+      repositoryNwo,
+      logger
+    );
+    const repositoryProperties = repositoryPropertiesResult.orElse({});
+    const resolvedToolsInput = resolveToolsInputWithMetadata(
+      getOptionalInput("tools"),
+      isDynamicWorkflow(),
+      repositoryProperties,
+      logger
+    );
+    effectiveToolsInput = resolvedToolsInput.effectiveToolsInput;
+    effectiveToolsInputSource = resolvedToolsInput.effectiveToolsInputSource;
+    toolsRepoPropertyMode = resolvedToolsInput.toolsRepoPropertyMode;
    const rawLanguages = getRawLanguagesNoAutodetect(
      getOptionalInput("languages")
    );
    const analysisKinds = await getAnalysisKinds(logger, features);
    const initCodeQLResult = await initCodeQL(
-      getOptionalInput("tools"),
+      effectiveToolsInput,
      apiDetails,
      getTemporaryDirectory(),
      gitHubVersion.type,
@@ -160183,6 +160272,9 @@ async function run6(startedAt) {
    toolsFeatureFlagsValid,
    toolsSource,
    toolsVersion,
+    effectiveToolsInput,
+    effectiveToolsInputSource,
+    toolsRepoPropertyMode,
    logger
  );
 }
@@ -1,12 +1,12 @@
 {
  "name": "codeql",
-  "version": "4.36.2",
+  "version": "4.36.1",
  "lockfileVersion": 3,
  "requires": true,
  "packages": {
    "": {
      "name": "codeql",
-      "version": "4.36.2",
+      "version": "4.36.1",
      "license": "MIT",
      "workspaces": [
        "pr-checks"
@@ -1,6 +1,6 @@
 {
  "name": "codeql",
-  "version": "4.36.2",
+  "version": "4.36.1",
  "private": true,
  "description": "CodeQL action",
  "scripts": {
@@ -46,7 +46,7 @@ steps:
      post-processed-sarif-path: "${{ runner.temp }}/post-processed"

  - name: Upload SARIF files
-    uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+    uses: actions/upload-artifact@v7
    with:
      name: |
        analysis-kinds-${{ matrix.os }}-${{ matrix.version }}-${{ matrix.analysis-kinds }}
@@ -54,7 +54,7 @@ steps:
      retention-days: 7

  - name: Upload post-processed SARIF
-    uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+    uses: actions/upload-artifact@v7
    with:
      name: |
        post-processed-${{ matrix.os }}-${{ matrix.version }}-${{ matrix.analysis-kinds }}
@@ -64,7 +64,7 @@ steps:

  - name: Check quality query does not appear in security SARIF
    if: contains(matrix.analysis-kinds, 'code-scanning')
-    uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
+    uses: actions/github-script@v8
    env:
      SARIF_PATH: "${{ runner.temp }}/results/javascript.sarif"
      EXPECT_PRESENT: "false"
@@ -72,7 +72,7 @@ steps:
      script: ${{ env.CHECK_SCRIPT }}
  - name: Check quality query appears in quality SARIF
    if: contains(matrix.analysis-kinds, 'code-quality')
-    uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
+    uses: actions/github-script@v8
    env:
      SARIF_PATH: "${{ runner.temp }}/results/javascript.quality.sarif"
      EXPECT_PRESENT: "true"
@@ -7,7 +7,7 @@ steps:
    run: npm install @actions/tool-cache@3
  - name: Check toolcache contains CodeQL
    continue-on-error: true
-    uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
+    uses: actions/github-script@v8
    with:
      script: |
        const toolcache = require('@actions/tool-cache');
@@ -20,7 +20,7 @@ steps:
    with:
      tools: ${{ steps.prepare-test.outputs.tools-url }}
  - name: Check CodeQL is installed within the toolcache
-    uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
+    uses: actions/github-script@v8
    with:
      script: |
        const toolcache = require('@actions/tool-cache');
@@ -8,7 +8,7 @@ operatingSystems:
  - windows
 steps:
  - name: Remove CodeQL from toolcache
-    uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
+    uses: actions/github-script@v8
    with:
      script: |
        const fs = require('fs');
@@ -18,7 +18,7 @@ steps:
  - name: Install @actions/tool-cache
    run: npm install @actions/tool-cache@3
  - name: Check toolcache does not contain CodeQL
-    uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
+    uses: actions/github-script@v8
    with:
      script: |
        const toolcache = require('@actions/tool-cache');
@@ -37,7 +37,7 @@ steps:
      output: ${{ runner.temp }}/results
      upload-database: false
  - name: Check CodeQL is installed within the toolcache
-    uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
+    uses: actions/github-script@v8
    with:
      script: |
        const toolcache = require('@actions/tool-cache');
@@ -8,7 +8,7 @@ operatingSystems:
  - windows
 steps:
  - name: Remove CodeQL from toolcache
-    uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
+    uses: actions/github-script@v8
    with:
      script: |
        const fs = require('fs');
@@ -27,13 +27,13 @@ steps:
      output: ${{ runner.temp }}/results
      upload-database: false
  - name: Upload SARIF
-    uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+    uses: actions/upload-artifact@v7
    with:
      name: ${{ matrix.os }}-zstd-bundle.sarif
      path: ${{ runner.temp }}/results/javascript.sarif
      retention-days: 7
  - name: Check diagnostic with expected tools URL appears in SARIF
-    uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
+    uses: actions/github-script@v8
    env:
      SARIF_PATH: ${{ runner.temp }}/results/javascript.sarif
    with:
@@ -14,13 +14,13 @@ steps:
      output: "${{ runner.temp }}/results"
      upload-database: false
  - name: Upload SARIF
-    uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+    uses: actions/upload-artifact@v7
    with:
      name: config-export-${{ matrix.os }}-${{ matrix.version }}.sarif.json
      path: "${{ runner.temp }}/results/javascript.sarif"
      retention-days: 7
  - name: Check config properties appear in SARIF
-    uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
+    uses: actions/github-script@v8
    env:
      SARIF_PATH: "${{ runner.temp }}/results/javascript.sarif"
    with:
@@ -27,13 +27,13 @@ steps:
      output: "${{ runner.temp }}/results"
      upload-database: false
  - name: Upload SARIF
-    uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+    uses: actions/upload-artifact@v7
    with:
      name: diagnostics-export-${{ matrix.os }}-${{ matrix.version }}.sarif.json
      path: "${{ runner.temp }}/results/javascript.sarif"
      retention-days: 7
  - name: Check diagnostics appear in SARIF
-    uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
+    uses: actions/github-script@v8
    env:
      SARIF_PATH: "${{ runner.temp }}/results/javascript.sarif"
    with:
@@ -23,7 +23,7 @@ steps:
    with:
      output: "${{ runner.temp }}/results"
  - name: Upload SARIF
-    uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+    uses: actions/upload-artifact@v7
    with:
      name: with-baseline-information-${{ matrix.os }}-${{ matrix.version }}.sarif.json
      path: "${{ runner.temp }}/results/javascript.sarif"
@@ -12,7 +12,7 @@ steps:
      languages: go
      tools: ${{ steps.prepare-test.outputs.tools-url }}
  # Deliberately change Go after the `init` step
-  - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
+  - uses: actions/setup-go@v6
    with:
      go-version: "1.20"
  - name: Build code
@@ -22,7 +22,7 @@ steps:
      output: "${{ runner.temp }}/results"
      upload-database: false
  - name: Check diagnostic appears in SARIF
-    uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
+    uses: actions/github-script@v8
    env:
      SARIF_PATH: "${{ runner.temp }}/results/go.sarif"
    with:
@@ -23,7 +23,7 @@ steps:
      output: "${{ runner.temp }}/results"
      upload-database: false
  - name: Check diagnostic appears in SARIF
-    uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
+    uses: actions/github-script@v8
    env:
      SARIF_PATH: "${{ runner.temp }}/results/go.sarif"
    with:
@@ -12,7 +12,7 @@ steps:
    with:
      output: "${{ runner.temp }}/results"
  - name: Upload SARIF
-    uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+    uses: actions/upload-artifact@v7
    with:
      name: ${{ matrix.os }}-${{ matrix.version }}.sarif.json
      path: "${{ runner.temp }}/results/javascript.sarif"
@@ -13,7 +13,7 @@ steps:
    # We need Python 3.13 for older CLI versions because they are not compatible with Python 3.14 or newer.
    # See https://github.com/github/codeql-action/pull/3212
    if: matrix.version != 'nightly-latest' && matrix.version != 'linked'
-    uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
+    uses: actions/setup-python@v6
    with:
      python-version: "3.13"

@@ -5,7 +5,7 @@ versions:
  - default
 steps:
  - name: Set up Ruby
-    uses: ruby/setup-ruby@afeafc3d1ab54a631816aba4c914a0081c12ff2f # v1.310.0
+    uses: ruby/setup-ruby@6aaa311d81eba98ae12eaffbcb63296ace0efcde # v1.307.0
    with:
      ruby-version: 2.6
  - name: Install Code Scanning integration
@@ -21,7 +21,7 @@ permissions:
  security-events: write # needed to upload the SARIF file

 steps:
-  - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+  - uses: actions/checkout@v6
  - uses: ./init
    with:
      languages: javascript
@@ -14,7 +14,7 @@ steps:
      rm -rf ./* .github .git
  # Check out the actions repo again, but at a different location.
  # choose an arbitrary SHA so that we can later test that the commit_oid is not from main
-  - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+  - uses: actions/checkout@v6
    with:
      ref: 474bbf07f9247ffe1856c6a0f94aeeb10e7afee6
      path: x/y/z/some-path
@@ -188,41 +188,6 @@ const steps = [
    const result = updateSyncTs(syncTsPath, actionVersions);
    assert.equal(result, false);
  });
-
-  await it("updates SHA-pinned pinnedUses references", () => {
-    /** Test updating `pinnedUses(...)` references with new SHA and version */
-    const syncTsContent = `
-const steps = [
-  {
-    uses: pinnedUses(
-      "actions/setup-node",
-      "0000000000000000000000000000000000000000",
-      "v6.0.0",
-    ),
-  },
-];
-`;
-
-    fs.writeFileSync(syncTsPath, syncTsContent);
-
-    const actionVersions = {
-      "actions/setup-node": "48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0",
-    };
-
-    const result = updateSyncTs(syncTsPath, actionVersions);
-    assert.equal(result, true);
-
-    const updatedContent = fs.readFileSync(syncTsPath, "utf8");
-
-    assert.ok(
-      updatedContent.includes('"48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e"'),
-    );
-    assert.ok(updatedContent.includes('"v6.4.0"'));
-    assert.ok(
-      !updatedContent.includes("0000000000000000000000000000000000000000"),
-    );
-    assert.ok(!updatedContent.includes('"v6.0.0"'));
-  });
 });

 describe("updateTemplateFiles", async () => {
@@ -68,10 +68,6 @@ export function scanGeneratedWorkflows(
 /**
 * Update hardcoded action versions in pr-checks/sync.ts
 *
- * Handles both inline `uses: "owner/action@ref"` strings and SHA-pinned
- * references expressed via the `pinnedUses("owner/action", "<sha>", "version")`
- * helper.
- *
 * @param syncTsPath - Path to sync.ts file
 * @param actionVersions - Map of action names to versions (may include comments)
 * @returns True if the file was modified, false otherwise
@@ -91,36 +87,18 @@ export function updateSyncTs(
  for (const [actionName, versionWithComment] of Object.entries(
    actionVersions,
  )) {
-    // Split the scanned value into the ref (e.g. a commit SHA) and the optional
-    // trailing version comment (e.g. `v6.0.3`).
-    const ref = versionWithComment.includes("#")
+    // Extract just the version part (before any comment) for sync.ts
+    const version = versionWithComment.includes("#")
      ? versionWithComment.split("#")[0].trim()
      : versionWithComment.trim();
-    const versionComment = versionWithComment.includes("#")
-      ? versionWithComment.split("#")[1].trim()
-      : "";
-
-    const escaped = actionName.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");

    // Look for patterns like uses: "actions/setup-node@v4"
    // Note that this will break if we store an Action uses reference in a
    // variable - that's a risk we're happy to take since in that case the
    // PR checks will just fail.
-    const usesPattern = new RegExp(`(uses:\\s*")${escaped}@(?:[^"]+)(")`, "g");
-    content = content.replace(usesPattern, `$1${actionName}@${ref}$2`);
-
-    // Look for SHA-pinned references expressed via the `pinnedUses` helper, e.g.
-    // `pinnedUses("actions/checkout", "<sha>", "v6.0.3")`, updating both the
-    // pinned ref and the version comment.
-    const pinnedPattern = new RegExp(
-      `(pinnedUses\\(\\s*")${escaped}("\\s*,\\s*")[^"]*("\\s*,\\s*")([^"]*)(")`,
-      "g",
-    );
-    content = content.replace(
-      pinnedPattern,
-      (_match, p1, p2, p3, oldVersion, p5) =>
-        `${p1}${actionName}${p2}${ref}${p3}${versionComment || oldVersion}${p5}`,
-    );
+    const escaped = actionName.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+    const pattern = new RegExp(`(uses:\\s*")${escaped}@(?:[^"]+)(")`, "g");
+    content = content.replace(pattern, `$1${actionName}@${version}$2`);
  }

  if (content !== originalContent) {
@@ -7,16 +7,6 @@ import * as yaml from "yaml";

 import { BuiltInLanguage } from "../src/languages";

-/**
- * Returns a `uses` value for `action` pinned to a commit SHA, with the
- * human-readable version recorded in a trailing comment.
- */
-function pinnedUses(action: string, sha: string, version: string): yaml.Scalar {
-  const node = new yaml.Scalar(`${action}@${sha}`);
-  node.comment = ` ${version}`;
-  return node;
-}
-
 /** Known workflow input names. */
 enum KnownInputName {
  GoVersion = "go-version",
@@ -202,11 +192,7 @@ const languageSetups: LanguageSetups = {
    steps: [
      {
        name: "Install Node.js",
-        uses: pinnedUses(
-          "actions/setup-node",
-          "48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e",
-          "v6.4.0",
-        ),
+        uses: "actions/setup-node@v6",
        with: {
          "node-version": defaultLanguageVersions.javascript,
          cache: "npm",
@@ -224,11 +210,7 @@ const languageSetups: LanguageSetups = {
    steps: [
      {
        name: "Install Go",
-        uses: pinnedUses(
-          "actions/setup-go",
-          "4a3601121dd01d1626a1e23e37211e3254c1c06c",
-          "v6.4.0",
-        ),
+        uses: "actions/setup-go@v6",
        with: {
          "go-version": `\${{ inputs.go-version || '${defaultLanguageVersions.go}' }}`,
          // to avoid potentially misleading autobuilder results where we expect it to download
@@ -244,11 +226,7 @@ const languageSetups: LanguageSetups = {
    steps: [
      {
        name: "Install Java",
-        uses: pinnedUses(
-          "actions/setup-java",
-          "be666c2fcd27ec809703dec50e508c2fdc7f6654",
-          "v5.2.0",
-        ),
+        uses: "actions/setup-java@v5",
        with: {
          "java-version": `\${{ inputs.java-version || '${defaultLanguageVersions.java}' }}`,
          distribution: "temurin",
@@ -262,11 +240,7 @@ const languageSetups: LanguageSetups = {
    steps: [
      {
        name: "Install Python",
-        uses: pinnedUses(
-          "actions/setup-python",
-          "a309ff8b426b58ec0e2a45f0f869d46889d02405",
-          "v6.2.0",
-        ),
+        uses: "actions/setup-python@v6",
        with: {
          "python-version": `\${{ inputs.python-version || '${defaultLanguageVersions.python}' }}`,
        },
@@ -279,11 +253,7 @@ const languageSetups: LanguageSetups = {
    steps: [
      {
        name: "Install .NET",
-        uses: pinnedUses(
-          "actions/setup-dotnet",
-          "9a946fdbd5fb07b82b2f5a4466058b876ab72bb2",
-          "v5.3.0",
-        ),
+        uses: "actions/setup-dotnet@v5",
        with: {
          "dotnet-version": `\${{ inputs.dotnet-version || '${defaultLanguageVersions.csharp}' }}`,
        },
@@ -486,11 +456,7 @@ function generateJob(
  const steps: Step[] = [
    {
      name: "Check out repository",
-      uses: pinnedUses(
-        "actions/checkout",
-        "df4cb1c069e1874edd31b4311f1884172cec0e10",
-        "v6.0.3",
-      ),
+      uses: "actions/checkout@v6",
    },
    ...setupInfo.steps,
    {
@@ -30,7 +30,7 @@ import {
 } from "./dependency-caching";
 import { EnvVar } from "./environment";
 import { initFeatures } from "./feature-flags";
-import { BuiltInLanguage } from "./languages";
+import { BuiltInLanguage } from "./languages/index";
 import { getActionsLogger, Logger } from "./logging";
 import { cleanupAndUploadOverlayBaseDatabaseToCache } from "./overlay/caching";
 import { getRepositoryNwo } from "./repository";
@@ -14,7 +14,7 @@ import {
 } from "./analyze";
 import { createStubCodeQL } from "./codeql";
 import { Feature } from "./feature-flags";
-import { BuiltInLanguage } from "./languages";
+import { BuiltInLanguage } from "./languages/index";
 import { getRunnerLogger } from "./logging";
 import {
  setupTests,
@@ -21,7 +21,7 @@ import {
 } from "./diff-informed-analysis-utils";
 import { EnvVar } from "./environment";
 import { FeatureEnablement, Feature } from "./feature-flags";
-import { BuiltInLanguage, Language } from "./languages";
+import { BuiltInLanguage, Language } from "./languages/index";
 import { Logger, withGroupAsync } from "./logging";
 import { OverlayDatabaseMode } from "./overlay/overlay-database-mode";
 import type * as sarif from "./sarif";
@@ -10,7 +10,7 @@ import { determineAutobuildLanguages, runAutobuild } from "./autobuild";
 import { getCodeQL } from "./codeql";
 import { Config, getConfig } from "./config-utils";
 import { EnvVar } from "./environment";
-import { Language } from "./languages";
+import { Language } from "./languages/index";
 import { Logger, getActionsLogger } from "./logging";
 import {
  StatusReportBase,
@@ -7,7 +7,7 @@ import * as configUtils from "./config-utils";
 import { DocUrl } from "./doc-url";
 import { EnvVar } from "./environment";
 import { Feature, featureConfig, initFeatures } from "./feature-flags";
-import { BuiltInLanguage, Language } from "./languages";
+import { BuiltInLanguage, Language } from "./languages/index";
 import { Logger } from "./logging";
 import { getRepositoryNwo } from "./repository";
 import { asyncFilter, BuildMode } from "./util";
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Óscar San José	8c6a2b4d4b	Rebuild	2026-06-02 15:13:54 +02:00
Óscar San José	57b3666b1d	Apply suggestions from code review Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>	2026-06-01 20:23:20 +02:00
Óscar San José	1251f87758	Improve testing	2026-06-01 20:19:50 +02:00
Óscar San José	6963dfbbc5	Add logging and telemetry for mode	2026-06-01 18:44:55 +02:00
Óscar San José	d426d33115	Implement an enforce/dynamic approach	2026-06-01 18:33:23 +02:00
Óscar San José	f22e7a29ce	Merge branch 'main' into copilot/add-tools-input-source-repository	2026-06-01 17:31:14 +02:00
Óscar San José	d8e5e3dbab	Rebuild	2026-06-01 17:26:52 +02:00
copilot-swe-agent[bot]	9b49e27edb	Allow repository tools property fallback in resolveToolsInput	2026-05-29 11:39:28 +00:00
Óscar San José	aeb3e20ace	Rebuild	2026-05-29 13:26:31 +02:00
Óscar San José	d622e410d6	Lint	2026-05-29 13:23:34 +02:00
Óscar San José	fb605661cd	Missing files	2026-05-29 13:18:17 +02:00
Óscar San José	063bb8b614	Move resolve-tools-input.ts and tests to src/config	2026-05-29 13:16:55 +02:00
Óscar San José	3d8236de69	More fixes from CR	2026-05-29 13:14:23 +02:00
Óscar San José	b1eeb13c4c	Lint	2026-05-29 13:08:58 +02:00
Óscar San José	964d328667	More fixes from CR	2026-05-29 13:08:26 +02:00
Óscar San José	f9b6569832	More fixes from CR	2026-05-29 13:07:20 +02:00
Óscar San José	3782e65e9f	Easy fixes from CR	2026-05-29 12:52:51 +02:00
Óscar San José	dafa67e1d3	Rebuild	2026-05-29 10:07:34 +02:00
Óscar San José	0d5f0f55c2	Lint fixes	2026-05-29 10:03:21 +02:00
Óscar San José	7c7926f8df	Fixed tests due to stale language.ts obscuring language/index.ts import when done at module level	2026-05-25 16:33:01 +02:00
Óscar San José	838486a3c3	Merge branch 'main' of https://github.com/github/codeql-action into copilot/add-tools-input-source-repository	2026-05-25 13:27:20 +02:00
copilot-swe-agent[bot]	09a0f62a7a	Refactor resolveToolsInput: accept repository properties as parameter, simplify implementation and tests	2026-05-25 11:10:26 +00:00
Óscar San José	652e91defb	Add repo property to override codeql-cli version	2026-04-16 17:09:34 +02:00