Fixed tests due to stale language.ts obscuring language/index.ts import when done at module level

Bump the npm-minor group across 1 directory with 6 updates

.github/workflows/pr-checks.yml

@@ -33,6 +33,10 @@ jobs:
     runs-on: ${{ matrix.os }}
     timeout-minutes: 45
 
+    concurrency:
+      cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+      group: pr-checks-unit-tests-${{ github.ref }}-${{ github.event_name }}-${{ matrix.os }}-node${{ matrix['node-version'] }}
+
     steps:
       - name: Prepare git (Windows)
         if: runner.os == 'Windows'
@@ -71,22 +75,21 @@ jobs:
           sarif_file: eslint.sarif
           category: eslint
 
-  # Verifying the PR checks are up-to-date requires Node 24. The PR checks are not dependent
-  # on the main codebase and therefore do not need to be run as part of the same matrix that
-  # we use for the `unit-tests` job.
-  verify-pr-checks:
-    name: Verify PR checks
+  # These checks do not need to be run as part of the same matrix that we use for the `unit-tests`
+  # job.
+  other-checks:
+    name: Other checks
     if: github.triggering_actor != 'dependabot[bot]'
     permissions:
       contents: read
-    runs-on: ubuntu-slim
+    runs-on: ubuntu-latest
     timeout-minutes: 10
 
-    steps:
-      - name: Prepare git (Windows)
-        if: runner.os == 'Windows'
-        run: git config --global core.autocrlf false
+    concurrency:
+      cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+      group: pr-checks-pr-checks-${{ github.ref }}-${{ github.event_name }}
 
+    steps:
       - name: Checkout repository
         uses: actions/checkout@v6
 
@@ -97,34 +100,22 @@ jobs:
           cache: 'npm'
 
       - name: Install dependencies
+        id: install-deps
         run: npm ci
 
       - name: Verify PR checks up to date
-        if: always()
+        if: ${{ !cancelled() && steps.install-deps.outcome == 'success' }}
         run: .github/workflows/script/verify-pr-checks.sh
 
       - name: Run pr-checks tests
-        if: always()
+        if: ${{ !cancelled() && steps.install-deps.outcome == 'success' }}
         working-directory: pr-checks
         run: npx tsx --test
 
-  check-node-version:
-    if: github.triggering_actor != 'dependabot[bot]'
-    name: Check Action Node versions
-    runs-on: ubuntu-latest
-    timeout-minutes: 45
-    env:
-      BASE_REF: ${{ github.base_ref }}
-
-    permissions:
-      contents: read
-
-    steps:
-      - uses: actions/checkout@v6
-      - id: head-version
-        name: Verify all Actions use the same Node version
+      - name: Verify all Actions use the same Node version
+        id: head-version
         run: |
-          NODE_VERSION=$(find . -name "action.yml" -exec yq -e '.runs.using' {} \; | grep node | sort | uniq)
+          NODE_VERSION=$(find . -path "*/node_modules" -prune -o -name "action.yml" -exec yq -o=json '.runs.using' {} \; | jq -rs '[.[] | select(. != null and startswith("node"))] | unique | .[]')
           echo "NODE_VERSION: ${NODE_VERSION}"
           if [[ $(echo "$NODE_VERSION" | wc -l) -gt 1 ]]; then
             echo "::error::More than one node version used in 'action.yml' files."
@@ -132,22 +123,111 @@ jobs:
           fi
           echo "node_version=${NODE_VERSION}" >> $GITHUB_OUTPUT
 
-      - id: checkout-base
-        name: 'Backport: Check out base ref'
+      - name: Fetch base commit
+        id: fetch-base
+        # Forks and Dependabot PRs don't have permission to write comments, so skip the repo size
+        # check in those cases.
+        if: >-
+          github.event_name == 'pull_request' &&
+          github.event.pull_request.head.repo.full_name == github.repository &&
+          github.event.pull_request.user.login != 'dependabot[bot]'
+        env:
+          BASE_SHA: ${{ github.event.pull_request.base.sha }}
+          HEAD_SHA: ${{ github.event.pull_request.head.sha }}
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          # Compare against the merge base so the size delta reflects only the commits actually
+          # added by this PR, ignoring any changes that have landed on the base branch since the
+          # PR branched off.
+          merge_base=$(gh api "repos/$GITHUB_REPOSITORY/compare/$BASE_SHA...$HEAD_SHA" --jq '.merge_base_commit.sha')
+          echo "merge_base=$merge_base" >> "$GITHUB_OUTPUT"
+          git fetch --no-tags --depth=1 origin "$merge_base" "$HEAD_SHA"
+
+      - name: Check repo size
+        if: steps.fetch-base.outcome == 'success'
+        working-directory: pr-checks
+        env:
+          BASE_REF: ${{ github.event.pull_request.base.ref }}
+          BASE_SHA: ${{ steps.fetch-base.outputs.merge_base }}
+          HEAD_SHA: ${{ github.event.pull_request.head.sha }}
+          RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
+        run: npx tsx check-repo-size.ts --output-dir "$RUNNER_TEMP/repo-size"
+
+      - name: Upload repo size comment
+        if: steps.fetch-base.outcome == 'success'
+        uses: actions/upload-artifact@v7
+        with:
+          name: repo-size-comment
+          path: ${{ runner.temp }}/repo-size/
+          if-no-files-found: error
+
+      - name: 'Backport: Check out base ref'
+        id: checkout-base
         if: ${{ startsWith(github.head_ref, 'backport-') }}
         uses: actions/checkout@v6
         with:
-          ref: ${{ env.BASE_REF }}
+          ref: ${{ github.base_ref }}
 
       - name: 'Backport: Verify Node versions unchanged'
         if: steps.checkout-base.outcome == 'success'
         env:
           HEAD_VERSION: ${{ steps.head-version.outputs.node_version }}
         run: |
-          BASE_VERSION=$(find . -name "action.yml" -exec yq -e '.runs.using' {} \; | grep node | sort | uniq)
+          BASE_VERSION=$(find . -path "*/node_modules" -prune -o -name "action.yml" -exec yq -o=json '.runs.using' {} \; | jq -rs '[.[] | select(. != null and startswith("node"))] | unique | .[]')
           echo "HEAD_VERSION: ${HEAD_VERSION}"
           echo "BASE_VERSION: ${BASE_VERSION}"
           if [[ "$BASE_VERSION" != "$HEAD_VERSION" ]]; then
             echo "::error::Cannot change the Node version of an Action in a backport PR."
             exit 1
           fi
+
+  post-repo-size-comment:
+    name: Post repo size comment
+    needs: other-checks
+    # Keep write permissions isolated from the job that checks out and tests PR code. This job only
+    # posts the candidate comment body produced by the read-only `pr-checks` job.
+    if: >-
+      github.event_name == 'pull_request' &&
+      github.event.pull_request.head.repo.full_name == github.repository &&
+      github.event.pull_request.user.login != 'dependabot[bot]' &&
+      needs.other-checks.result == 'success'
+    permissions:
+      contents: read
+      pull-requests: write
+    runs-on: ubuntu-slim
+    timeout-minutes: 10
+
+    concurrency:
+      cancel-in-progress: true
+      group: check-repo-size-${{ github.event.pull_request.number }}
+
+    steps:
+      - name: Download repo size comment
+        uses: actions/download-artifact@v8
+        with:
+          name: repo-size-comment
+          path: repo-size-comment
+
+      - name: Post repo size comment
+        env:
+          COMMENT_MARKER: "<!-- repo-size-diff-bot -->"
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          PR_NUMBER: ${{ github.event.pull_request.number }}
+        run: |
+          significant=$(jq -r '.significant' repo-size-comment/metadata.json)
+          comment_id=$(
+            gh api "repos/$GITHUB_REPOSITORY/issues/$PR_NUMBER/comments" \
+              --paginate \
+              --jq ".[] | select(.body | contains(\"$COMMENT_MARKER\")) | .id" \
+              | head -n 1
+          )
+
+          if [[ -n "$comment_id" ]]; then
+            echo "Updating existing comment $comment_id."
+            gh api --method PATCH "repos/$GITHUB_REPOSITORY/issues/comments/$comment_id" --field body=@repo-size-comment/body.md
+          elif [[ "$significant" == "true" ]]; then
+            echo "Creating new repo size comment."
+            gh api --method POST "repos/$GITHUB_REPOSITORY/issues/$PR_NUMBER/comments" --field body=@repo-size-comment/body.md
+          else
+            echo "Skipping repo size comment because the delta is below the threshold and no sticky comment exists."
+          fi

CHANGELOG.md

@@ -4,8 +4,13 @@ See the [releases page](https://github.com/github/codeql-action/releases) for th
 
 ## [UNRELEASED]
 
+- Organizations can now create a custom repository property with the name `github-codeql-tools` to set the default CodeQL CLI tools value for their repositories. For more information, see [Managing custom properties for repositories in your organization](https://docs.github.com/en/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization) and [Customizing your advanced setup for code scanning](https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning).
+
+## 4.36.0 - 22 May 2026
+
 - _Breaking change_: Bump the minimum required CodeQL bundle version to 2.19.4. [#3894](https://github.com/github/codeql-action/pull/3894)
 - Add support for SHA-256 Git object IDs. [#3893](https://github.com/github/codeql-action/pull/3893)
+- Update default CodeQL bundle version to [2.25.5](https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.25.5). [#3926](https://github.com/github/codeql-action/pull/3926)
 
 ## 4.35.5 - 15 May 2026
 

lib/defaults.json

@@ -1,6 +1,6 @@
 {
-  "bundleVersion": "codeql-bundle-v2.25.4",
-  "cliVersion": "2.25.4",
-  "priorBundleVersion": "codeql-bundle-v2.25.3",
-  "priorCliVersion": "2.25.3"
+  "bundleVersion": "codeql-bundle-v2.25.5",
+  "cliVersion": "2.25.5",
+  "priorBundleVersion": "codeql-bundle-v2.25.4",
+  "priorCliVersion": "2.25.4"
 }

lib/entry-points.js

@@ -26704,6 +26704,47 @@ var require_coerce = __commonJS({
   }
 });
 
+// node_modules/semver/functions/truncate.js
+var require_truncate = __commonJS({
+  "node_modules/semver/functions/truncate.js"(exports2, module2) {
+    "use strict";
+    var parse2 = require_parse2();
+    var constants = require_constants6();
+    var SemVer = require_semver();
+    var truncate = (version, truncation, options) => {
+      if (!constants.RELEASE_TYPES.includes(truncation)) {
+        return null;
+      }
+      const clonedVersion = cloneInputVersion(version, options);
+      return clonedVersion && doTruncation(clonedVersion, truncation);
+    };
+    var cloneInputVersion = (version, options) => {
+      const versionStringToParse = version instanceof SemVer ? version.version : version;
+      return parse2(versionStringToParse, options);
+    };
+    var doTruncation = (version, truncation) => {
+      if (isPrerelease(truncation)) {
+        return version.version;
+      }
+      version.prerelease = [];
+      switch (truncation) {
+        case "major":
+          version.minor = 0;
+          version.patch = 0;
+          break;
+        case "minor":
+          version.patch = 0;
+          break;
+      }
+      return version.format();
+    };
+    var isPrerelease = (type2) => {
+      return type2.startsWith("pre");
+    };
+    module2.exports = truncate;
+  }
+});
+
 // node_modules/semver/internal/lrucache.js
 var require_lrucache = __commonJS({
   "node_modules/semver/internal/lrucache.js"(exports2, module2) {
@@ -27738,6 +27779,7 @@ var require_semver2 = __commonJS({
     var lte = require_lte();
     var cmp = require_cmp();
     var coerce3 = require_coerce();
+    var truncate = require_truncate();
     var Comparator = require_comparator();
     var Range2 = require_range();
     var satisfies2 = require_satisfies();
@@ -27776,6 +27818,7 @@ var require_semver2 = __commonJS({
       lte,
       cmp,
       coerce: coerce3,
+      truncate,
       Comparator,
       Range: Range2,
       satisfies: satisfies2,
@@ -148307,7 +148350,7 @@ function getDiffRangesJsonFilePath() {
   return path2.join(getTemporaryDirectory(), PR_DIFF_RANGE_JSON_FILENAME);
 }
 function getActionVersion() {
-  return "4.36.0";
+  return "4.36.1";
 }
 function getWorkflowEventName() {
   return getRequiredEnvParam("GITHUB_EVENT_NAME");
@@ -148871,8 +148914,8 @@ function wrapApiConfigurationError(e) {
 }
 
 // src/defaults.json
-var bundleVersion = "codeql-bundle-v2.25.4";
-var cliVersion = "2.25.4";
+var bundleVersion = "codeql-bundle-v2.25.5";
+var cliVersion = "2.25.5";
 
 // src/overlay/index.ts
 var fs4 = __toESM(require("fs"));
@@ -150351,11 +150394,13 @@ function getUnknownLanguagesError(languages) {
 }
 
 // src/feature-flags/properties.ts
+var github2 = __toESM(require_github());
 var GITHUB_CODEQL_PROPERTY_PREFIX = "github-codeql-";
 var RepositoryPropertyName = /* @__PURE__ */ ((RepositoryPropertyName2) => {
   RepositoryPropertyName2["DISABLE_OVERLAY"] = "github-codeql-disable-overlay";
   RepositoryPropertyName2["EXTRA_QUERIES"] = "github-codeql-extra-queries";
   RepositoryPropertyName2["FILE_COVERAGE_ON_PRS"] = "github-codeql-file-coverage-on-prs";
+  RepositoryPropertyName2["TOOLS"] = "github-codeql-tools";
   return RepositoryPropertyName2;
 })(RepositoryPropertyName || {});
 function isString2(value) {
@@ -150373,7 +150418,8 @@ var booleanProperty = {
 var repositoryPropertyParsers = {
   ["github-codeql-disable-overlay" /* DISABLE_OVERLAY */]: booleanProperty,
   ["github-codeql-extra-queries" /* EXTRA_QUERIES */]: stringProperty,
-  ["github-codeql-file-coverage-on-prs" /* FILE_COVERAGE_ON_PRS */]: booleanProperty
+  ["github-codeql-file-coverage-on-prs" /* FILE_COVERAGE_ON_PRS */]: booleanProperty,
+  ["github-codeql-tools" /* TOOLS */]: stringProperty
 };
 async function loadPropertiesFromApi(logger, repositoryNwo) {
   try {
@@ -150426,6 +150472,26 @@ async function loadPropertiesFromApi(logger, repositoryNwo) {
     );
   }
 }
+async function loadRepositoryProperties(repositoryNwo, logger) {
+  const repositoryOwnerType = github2.context.payload.repository?.owner.type;
+  logger.debug(
+    `Repository owner type is '${repositoryOwnerType ?? "unknown"}'.`
+  );
+  if (repositoryOwnerType === "User") {
+    logger.debug(
+      "Skipping loading repository properties because the repository is owned by a user and therefore cannot have repository properties."
+    );
+    return new Success({});
+  }
+  try {
+    return new Success(await loadPropertiesFromApi(logger, repositoryNwo));
+  } catch (error3) {
+    logger.warning(
+      `Failed to load repository properties: ${getErrorMessage(error3)}`
+    );
+    return new Failure(error3);
+  }
+}
 function setProperty2(properties, name, value, logger) {
   const propertyOptions = repositoryPropertyParsers[name];
   if (propertyOptions.validate(value)) {
@@ -153317,7 +153383,7 @@ async function getCodeQLSource(toolsInput, defaultCliVersion, rawLanguages, useO
         );
       } else {
         if (allowToolcacheValueFF) {
-          logger.warning(
+          logger.info(
             `Ignoring 'tools: ${toolsInput}' because the workflow was not triggered dynamically.`
           );
         } else {
@@ -156658,7 +156724,7 @@ var fs19 = __toESM(require("fs"));
 var path17 = __toESM(require("path"));
 var core14 = __toESM(require_core());
 var toolrunner4 = __toESM(require_toolrunner());
-var github2 = __toESM(require_github());
+var github3 = __toESM(require_github());
 var io6 = __toESM(require_io());
 async function initCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliVersion, rawLanguages, useOverlayAwareDefaultCliVersion, features, logger) {
   logger.startGroup("Setup CodeQL tools");
@@ -156862,7 +156928,7 @@ function logFileCoverageOnPrsDeprecationWarning(logger) {
   if (process.env["CODEQL_ACTION_DID_LOG_FILE_COVERAGE_ON_PRS_DEPRECATION" /* DID_LOG_FILE_COVERAGE_ON_PRS_DEPRECATION */]) {
     return;
   }
-  const repositoryOwnerType = github2.context.payload.repository?.owner.type;
+  const repositoryOwnerType = github3.context.payload.repository?.owner.type;
   let message = "Starting April 2026, the CodeQL Action will skip computing file coverage information on pull requests to improve analysis performance. File coverage information will still be computed on non-PR analyses.";
   const envVarOptOut = "set the `CODEQL_ACTION_FILE_COVERAGE_ON_PRS` environment variable to `true`.";
   const repoPropertyOptOut = 'create a custom repository property with the name `github-codeql-file-coverage-on-prs` and the type "True/false", then set this property to `true` in the repository\'s settings.';
@@ -158646,10 +158712,25 @@ async function runWrapper3() {
 var fs27 = __toESM(require("fs"));
 var path23 = __toESM(require("path"));
 var core21 = __toESM(require_core());
-var github3 = __toESM(require_github());
 var io7 = __toESM(require_io());
 var semver10 = __toESM(require_semver2());
 
+// src/resolve-tools-input.ts
+function resolveToolsInput(toolsWorkflowInput, repositoryProperties, logger) {
+  if (toolsWorkflowInput) {
+    logger.info(`Setting tools: ${toolsWorkflowInput} based on workflow input.`);
+    return toolsWorkflowInput;
+  }
+  const toolsPropertyValue = repositoryProperties["github-codeql-tools" /* TOOLS */];
+  if (toolsPropertyValue) {
+    logger.info(
+      `Setting tools: ${toolsPropertyValue} based on the '${"github-codeql-tools" /* TOOLS */}' repository property.`
+    );
+    return toolsPropertyValue;
+  }
+  return void 0;
+}
+
 // src/workflow.ts
 var fs26 = __toESM(require("fs"));
 var path22 = __toESM(require("path"));
@@ -158940,7 +159021,7 @@ async function sendStartingStatusReport(startedAt, config, logger) {
     await sendStatusReport(statusReportBase);
   }
 }
-async function sendCompletedStatusReport2(startedAt, config, configFile, toolsDownloadStatusReport, toolsFeatureFlagsValid, toolsSource, toolsVersion, overlayBaseDatabaseStats, dependencyCachingResults, logger, error3) {
+async function sendCompletedStatusReport2(startedAt, config, configFile, toolsDownloadStatusReport, toolsFeatureFlagsValid, toolsSource, toolsVersion, effectiveToolsInput, overlayBaseDatabaseStats, dependencyCachingResults, logger, error3) {
   const statusReportBase = await createStatusReportBase(
     "init" /* Init */,
     getActionsStatus(error3),
@@ -158958,6 +159039,7 @@ async function sendCompletedStatusReport2(startedAt, config, configFile, toolsDo
   const initStatusReport = {
     ...statusReportBase,
     tools_input: getOptionalInput("tools") || "",
+    effective_tools_input: effectiveToolsInput || "",
     tools_resolved_version: toolsVersion,
     tools_source: toolsSource || "UNKNOWN" /* Unknown */,
     workflow_languages: workflowLanguages || ""
@@ -159001,6 +159083,7 @@ async function run3(startedAt) {
   let toolsSource;
   let toolsVersion;
   let zstdAvailability;
+  let effectiveToolsInput;
   try {
     initializeEnvironment(getActionVersion());
     persistInputs();
@@ -159024,6 +159107,7 @@ async function run3(startedAt) {
       repositoryNwo,
       logger
     );
+    const repositoryProperties = repositoryPropertiesResult.orElse({});
     const jobRunUuid = v4_default();
     logger.info(`Job run UUID is ${jobRunUuid}.`);
     core21.exportVariable("JOB_RUN_UUID" /* JOB_RUN_UUID */, jobRunUuid);
@@ -159049,12 +159133,17 @@ async function run3(startedAt) {
     }
     const codeQLDefaultVersionInfo = await features.getEnabledDefaultCliVersions(gitHubVersion.type);
     toolsFeatureFlagsValid = codeQLDefaultVersionInfo.toolsFeatureFlagsValid;
+    effectiveToolsInput = resolveToolsInput(
+      getOptionalInput("tools"),
+      repositoryProperties,
+      logger
+    );
     const rawLanguages = getRawLanguagesNoAutodetect(
       getOptionalInput("languages")
     );
     const useOverlayAwareDefaultCliVersion = analysisKinds?.length === 1 && analysisKinds[0] === "code-scanning" /* CodeScanning */;
     const initCodeQLResult = await initCodeQL(
-      getOptionalInput("tools"),
+      effectiveToolsInput,
       apiDetails,
       getTemporaryDirectory(),
       gitHubVersion.type,
@@ -159090,7 +159179,6 @@ async function run3(startedAt) {
     }
     analysisKinds = await getAnalysisKinds(logger, features);
     const debugMode = getOptionalInput("debug") === "true" || core21.isDebug();
-    const repositoryProperties = repositoryPropertiesResult.orElse({});
     const fileCoverageResult = await getFileCoverageInformationEnabled(
       debugMode,
       codeql,
@@ -159388,6 +159476,7 @@ exec ${goBinaryPath} "$@"`
       toolsFeatureFlagsValid,
       toolsSource,
       toolsVersion,
+      effectiveToolsInput,
       overlayBaseDatabaseStats,
       dependencyCachingStatus,
       logger,
@@ -159405,31 +159494,12 @@ exec ${goBinaryPath} "$@"`
     toolsFeatureFlagsValid,
     toolsSource,
     toolsVersion,
+    effectiveToolsInput,
     overlayBaseDatabaseStats,
     dependencyCachingStatus,
     logger
   );
 }
-async function loadRepositoryProperties(repositoryNwo, logger) {
-  const repositoryOwnerType = github3.context.payload.repository?.owner.type;
-  logger.debug(
-    `Repository owner type is '${repositoryOwnerType ?? "unknown"}'.`
-  );
-  if (repositoryOwnerType === "User") {
-    logger.debug(
-      "Skipping loading repository properties because the repository is owned by a user and therefore cannot have repository properties."
-    );
-    return new Success({});
-  }
-  try {
-    return new Success(await loadPropertiesFromApi(logger, repositoryNwo));
-  } catch (error3) {
-    logger.warning(
-      `Failed to load repository properties: ${getErrorMessage(error3)}`
-    );
-    return new Failure(error3);
-  }
-}
 async function recordZstdAvailability(config, zstdAvailability) {
   addNoLanguageDiagnostic(
     config,
@@ -159998,7 +160068,7 @@ async function runWrapper6() {
 
 // src/setup-codeql-action.ts
 var core24 = __toESM(require_core());
-async function sendCompletedStatusReport3(startedAt, toolsDownloadStatusReport, toolsFeatureFlagsValid, toolsSource, toolsVersion, logger, error3) {
+async function sendCompletedStatusReport3(startedAt, toolsDownloadStatusReport, toolsFeatureFlagsValid, toolsSource, toolsVersion, effectiveToolsInput, logger, error3) {
   const statusReportBase = await createStatusReportBase(
     "setup-codeql" /* SetupCodeQL */,
     getActionsStatus(error3),
@@ -160015,6 +160085,7 @@ async function sendCompletedStatusReport3(startedAt, toolsDownloadStatusReport,
   const initStatusReport = {
     ...statusReportBase,
     tools_input: getOptionalInput("tools") || "",
+    effective_tools_input: effectiveToolsInput || "",
     tools_resolved_version: toolsVersion,
     tools_source: toolsSource || "UNKNOWN" /* Unknown */,
     workflow_languages: ""
@@ -160035,6 +160106,7 @@ async function run6(startedAt) {
   let toolsFeatureFlagsValid;
   let toolsSource;
   let toolsVersion;
+  let effectiveToolsInput;
   try {
     initializeEnvironment(getActionVersion());
     const apiDetails = {
@@ -160069,12 +160141,22 @@ async function run6(startedAt) {
     }
     const codeQLDefaultVersionInfo = await features.getEnabledDefaultCliVersions(gitHubVersion.type);
     toolsFeatureFlagsValid = codeQLDefaultVersionInfo.toolsFeatureFlagsValid;
+    const repositoryPropertiesResult = await loadRepositoryProperties(
+      repositoryNwo,
+      logger
+    );
+    const repositoryProperties = repositoryPropertiesResult.orElse({});
+    effectiveToolsInput = resolveToolsInput(
+      getOptionalInput("tools"),
+      repositoryProperties,
+      logger
+    );
     const rawLanguages = getRawLanguagesNoAutodetect(
       getOptionalInput("languages")
     );
     const analysisKinds = await getAnalysisKinds(logger, features);
     const initCodeQLResult = await initCodeQL(
-      getOptionalInput("tools"),
+      effectiveToolsInput,
       apiDetails,
       getTemporaryDirectory(),
       gitHubVersion.type,
@@ -160115,6 +160197,7 @@ async function run6(startedAt) {
     toolsFeatureFlagsValid,
     toolsSource,
     toolsVersion,
+    effectiveToolsInput,
     logger
   );
 }

package-lock.json

@@ -1,12 +1,12 @@
 {
   "name": "codeql",
-  "version": "4.36.0",
+  "version": "4.36.1",
   "lockfileVersion": 3,
   "requires": true,
   "packages": {
     "": {
       "name": "codeql",
-      "version": "4.36.0",
+      "version": "4.36.1",
       "license": "MIT",
       "workspaces": [
         "pr-checks"
@@ -32,18 +32,18 @@
         "jsonschema": "1.5.0",
         "long": "^5.3.2",
         "node-forge": "^1.4.0",
-        "semver": "^7.7.4",
+        "semver": "^7.8.0",
         "uuid": "^14.0.0"
       },
       "devDependencies": {
         "@ava/typescript": "6.0.0",
-        "@eslint/compat": "^2.0.5",
+        "@eslint/compat": "^2.1.0",
         "@microsoft/eslint-formatter-sarif": "^3.1.0",
         "@octokit/types": "^16.0.0",
         "@types/archiver": "^7.0.0",
         "@types/follow-redirects": "^1.14.4",
         "@types/js-yaml": "^4.0.9",
-        "@types/node": "^20.19.39",
+        "@types/node": "^20.19.41",
         "@types/node-forge": "^1.3.14",
         "@types/sarif": "^2.1.7",
         "@types/semver": "^7.7.1",
@@ -58,10 +58,10 @@
         "eslint-plugin-no-async-foreach": "^0.1.1",
         "glob": "^11.1.0",
         "globals": "^17.6.0",
-        "nock": "^14.0.12",
+        "nock": "^14.0.15",
         "sinon": "^22.0.0",
         "typescript": "^6.0.3",
-        "typescript-eslint": "^8.59.2"
+        "typescript-eslint": "^8.59.3"
       }
     },
     "node_modules/@aashutoshrathi/word-wrap": {
@@ -1316,9 +1316,9 @@
       }
     },
     "node_modules/@eslint/compat": {
-      "version": "2.0.5",
-      "resolved": "https://registry.npmjs.org/@eslint/compat/-/compat-2.0.5.tgz",
-      "integrity": "sha512-IbHDbHJfkVNv6xjlET8AIVo/K1NQt7YT4Rp6ok/clyBGcpRx1l6gv0Rq3vBvYfPJIZt6ODf66Zq08FJNDpnzgg==",
+      "version": "2.1.0",
+      "resolved": "https://registry.npmjs.org/@eslint/compat/-/compat-2.1.0.tgz",
+      "integrity": "sha512-LgaSCymEpw7tF53xvDw9SNsraPb1IBHxpdABIOM0hW8UAlP8znrjYtuxfR58FSJ3L9BhwD+FaPRFQpZq84Nh6g==",
       "dev": true,
       "license": "Apache-2.0",
       "dependencies": {
@@ -2469,9 +2469,9 @@
       "license": "MIT"
     },
     "node_modules/@types/node": {
-      "version": "20.19.39",
-      "resolved": "https://registry.npmjs.org/@types/node/-/node-20.19.39.tgz",
-      "integrity": "sha512-orrrD74MBUyK8jOAD/r0+lfa1I2MO6I+vAkmAWzMYbCcgrN4lCrmK52gRFQq/JRxfYPfonkr4b0jcY7Olqdqbw==",
+      "version": "20.19.41",
+      "resolved": "https://registry.npmjs.org/@types/node/-/node-20.19.41.tgz",
+      "integrity": "sha512-ECymXOukMnOoVkC2bb1Vc/w/836DXncOg5m8Xj1RH7xSHZJWNYY6Zh7EH477vcnD5egKNNfy2RpNOmuChhFPgQ==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
@@ -2528,17 +2528,17 @@
       "license": "MIT"
     },
     "node_modules/@typescript-eslint/eslint-plugin": {
-      "version": "8.59.2",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/eslint-plugin/-/eslint-plugin-8.59.2.tgz",
-      "integrity": "sha512-j/bwmkBvHUtPNxzuWe5z6BEk3q54YRyGlBXkSsmfoih7zNrBvl5A9A98anlp/7JbyZcWIJ8KXo/3Tq/DjFLtuQ==",
+      "version": "8.59.3",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/eslint-plugin/-/eslint-plugin-8.59.3.tgz",
+      "integrity": "sha512-PwFvSKsXGShKGW6n5bZOhGHEcCZXM8HofLK9fNsEwZXzFRjoY+XT1Vsf1zgyXdwTr0ZYz1/2tkZ0DBTT9jZjhw==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
         "@eslint-community/regexpp": "^4.12.2",
-        "@typescript-eslint/scope-manager": "8.59.2",
-        "@typescript-eslint/type-utils": "8.59.2",
-        "@typescript-eslint/utils": "8.59.2",
-        "@typescript-eslint/visitor-keys": "8.59.2",
+        "@typescript-eslint/scope-manager": "8.59.3",
+        "@typescript-eslint/type-utils": "8.59.3",
+        "@typescript-eslint/utils": "8.59.3",
+        "@typescript-eslint/visitor-keys": "8.59.3",
         "ignore": "^7.0.5",
         "natural-compare": "^1.4.0",
         "ts-api-utils": "^2.5.0"
@@ -2551,7 +2551,7 @@
         "url": "https://opencollective.com/typescript-eslint"
       },
       "peerDependencies": {
-        "@typescript-eslint/parser": "^8.59.2",
+        "@typescript-eslint/parser": "^8.59.3",
         "eslint": "^8.57.0 || ^9.0.0 || ^10.0.0",
         "typescript": ">=4.8.4 <6.1.0"
       }
@@ -2567,16 +2567,16 @@
       }
     },
     "node_modules/@typescript-eslint/parser": {
-      "version": "8.59.2",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/parser/-/parser-8.59.2.tgz",
-      "integrity": "sha512-plR3pp6D+SSUn1HM7xvSkx12/DhoHInI2YF35KAcVFNZvlC0gtrWqx7Qq1oH2Ssgi0vlFRCTbP+DZc7B9+TtsQ==",
+      "version": "8.59.3",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/parser/-/parser-8.59.3.tgz",
+      "integrity": "sha512-HPwA+hVkfcriajbNvTmZv4VRauibay+cWArYUYq7u7W7PmGShMxbPxLvrwDme55a6d5alG3nrYfhyJ/G28XlLg==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
-        "@typescript-eslint/scope-manager": "8.59.2",
-        "@typescript-eslint/types": "8.59.2",
-        "@typescript-eslint/typescript-estree": "8.59.2",
-        "@typescript-eslint/visitor-keys": "8.59.2",
+        "@typescript-eslint/scope-manager": "8.59.3",
+        "@typescript-eslint/types": "8.59.3",
+        "@typescript-eslint/typescript-estree": "8.59.3",
+        "@typescript-eslint/visitor-keys": "8.59.3",
         "debug": "^4.4.3"
       },
       "engines": {
@@ -2610,14 +2610,14 @@
       }
     },
     "node_modules/@typescript-eslint/project-service": {
-      "version": "8.59.2",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/project-service/-/project-service-8.59.2.tgz",
-      "integrity": "sha512-+2hqvEkeyf/0FBor67duF0Ll7Ot8jyKzDQOSrxazF/danillRq2DwR9dLptsXpoZQqxE1UisSmoZewrlPas9Vw==",
+      "version": "8.59.3",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/project-service/-/project-service-8.59.3.tgz",
+      "integrity": "sha512-ECiUWa/KYRGDFUqTNehaRgzDshnJfkTABJxVemHk4ko22gcr0ukloKjWvyQ64g8YCV/UI47kN1dbmjf/GaQYng==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
-        "@typescript-eslint/tsconfig-utils": "^8.59.2",
-        "@typescript-eslint/types": "^8.59.2",
+        "@typescript-eslint/tsconfig-utils": "^8.59.3",
+        "@typescript-eslint/types": "^8.59.3",
         "debug": "^4.4.3"
       },
       "engines": {
@@ -2650,14 +2650,14 @@
       }
     },
     "node_modules/@typescript-eslint/scope-manager": {
-      "version": "8.59.2",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/scope-manager/-/scope-manager-8.59.2.tgz",
-      "integrity": "sha512-JzfyEpEtOU89CcFSwyNS3mu4MLvLSXqnmX05+aKBDM+TdR5jzcGOEBwxwGNxrEQ7p/z6kK2WyioCGBf2zZBnvg==",
+      "version": "8.59.3",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/scope-manager/-/scope-manager-8.59.3.tgz",
+      "integrity": "sha512-t2LvZnoEfzKtnPjgeEu41xw5gxq9mQVfYy4OoZ4Vlt0sk3JwxmhCca/AR7DwOiHrjWgjAj6as4AhRLKSDfvZIA==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
-        "@typescript-eslint/types": "8.59.2",
-        "@typescript-eslint/visitor-keys": "8.59.2"
+        "@typescript-eslint/types": "8.59.3",
+        "@typescript-eslint/visitor-keys": "8.59.3"
       },
       "engines": {
         "node": "^18.18.0 || ^20.9.0 || >=21.1.0"
@@ -2668,9 +2668,9 @@
       }
     },
     "node_modules/@typescript-eslint/tsconfig-utils": {
-      "version": "8.59.2",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/tsconfig-utils/-/tsconfig-utils-8.59.2.tgz",
-      "integrity": "sha512-BKK4alN7oi4C/zv4VqHQ+uRU+lTa6JGIZ7s1juw7b3RHo9OfKB+bKX3u0iVZetdsUCBBkSbdWbarJbmN0fTeSw==",
+      "version": "8.59.3",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/tsconfig-utils/-/tsconfig-utils-8.59.3.tgz",
+      "integrity": "sha512-PcIJHjmaREXLgIAIzLnSY9VucEzz8FKXsRgFa1DmdGCK/5tJpW03TKJF01Q6VZd1lLdz2sIKPWaDUZN9dp//dw==",
       "dev": true,
       "license": "MIT",
       "engines": {
@@ -2685,15 +2685,15 @@
       }
     },
     "node_modules/@typescript-eslint/type-utils": {
-      "version": "8.59.2",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/type-utils/-/type-utils-8.59.2.tgz",
-      "integrity": "sha512-nhqaj1nmTdVVl/BP5omXNRGO38jn5iosis2vbdmupF2txCf8ylWT8lx+JlvMYYVqzGVKtjojUFoQ3JRWK+mfzQ==",
+      "version": "8.59.3",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/type-utils/-/type-utils-8.59.3.tgz",
+      "integrity": "sha512-g71d8QD8UaiHGvrJwyIS1hCX5r63w6Jll+4VEYhEAHXTDIqX1JgxhTAbEHtKntL9kuc4jRo7/GWw5xfCepSccQ==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
-        "@typescript-eslint/types": "8.59.2",
-        "@typescript-eslint/typescript-estree": "8.59.2",
-        "@typescript-eslint/utils": "8.59.2",
+        "@typescript-eslint/types": "8.59.3",
+        "@typescript-eslint/typescript-estree": "8.59.3",
+        "@typescript-eslint/utils": "8.59.3",
         "debug": "^4.4.3",
         "ts-api-utils": "^2.5.0"
       },
@@ -2728,9 +2728,9 @@
       }
     },
     "node_modules/@typescript-eslint/types": {
-      "version": "8.59.2",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/types/-/types-8.59.2.tgz",
-      "integrity": "sha512-e82GVOE8Ps3E++Egvb6Y3Dw0S10u8NkQ9KXmtRhCWJJ8kDhOJTvtMAWnFL16kB1583goCWXsr0NieKCZMs2/0Q==",
+      "version": "8.59.3",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/types/-/types-8.59.3.tgz",
+      "integrity": "sha512-ePFoH0g4ludssdRFqqDxQePCxU4WQyRa9+XVwjm7yLn0FKhMeoetC+qBEEI1Eyb1pGSDveTIT09Bvw2WhlGayg==",
       "dev": true,
       "license": "MIT",
       "engines": {
@@ -2742,16 +2742,16 @@
       }
     },
     "node_modules/@typescript-eslint/typescript-estree": {
-      "version": "8.59.2",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/typescript-estree/-/typescript-estree-8.59.2.tgz",
-      "integrity": "sha512-o0XPGNwcWw+FIwStOWn+BwBuEmL6QXP0rsvAFg7ET1dey1Nr6Wb1ac8p5HEsK0ygO/6mUxlk+YWQD9xcb/nnXg==",
+      "version": "8.59.3",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/typescript-estree/-/typescript-estree-8.59.3.tgz",
+      "integrity": "sha512-CbRjVRAf7Lr9Kr8RopKcbY45p2VfmmHrm0ygOCYFi7oU8q19m0Fs/6iHS7kNOmwpp+ob07ZVcAqlxUod9lYdmg==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
-        "@typescript-eslint/project-service": "8.59.2",
-        "@typescript-eslint/tsconfig-utils": "8.59.2",
-        "@typescript-eslint/types": "8.59.2",
-        "@typescript-eslint/visitor-keys": "8.59.2",
+        "@typescript-eslint/project-service": "8.59.3",
+        "@typescript-eslint/tsconfig-utils": "8.59.3",
+        "@typescript-eslint/types": "8.59.3",
+        "@typescript-eslint/visitor-keys": "8.59.3",
         "debug": "^4.4.3",
         "minimatch": "^10.2.2",
         "semver": "^7.7.3",
@@ -2827,16 +2827,16 @@
       }
     },
     "node_modules/@typescript-eslint/utils": {
-      "version": "8.59.2",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/utils/-/utils-8.59.2.tgz",
-      "integrity": "sha512-Juw3EinkXqjaffxz6roowvV7GZT/kET5vSKKZT6upl5TXdWkLkYmNPXwDDL2Vkt2DPn0nODIS4egC/0AGxKo/Q==",
+      "version": "8.59.3",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/utils/-/utils-8.59.3.tgz",
+      "integrity": "sha512-JAvT14goBzRzzzZyqq3P9BLArIxTtQURUtFgQ/V7FO+eU+Gg6ES+5ymOPP1wRxXcxAYeivCk4uS3jCKWI1K8Zg==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
         "@eslint-community/eslint-utils": "^4.9.1",
-        "@typescript-eslint/scope-manager": "8.59.2",
-        "@typescript-eslint/types": "8.59.2",
-        "@typescript-eslint/typescript-estree": "8.59.2"
+        "@typescript-eslint/scope-manager": "8.59.3",
+        "@typescript-eslint/types": "8.59.3",
+        "@typescript-eslint/typescript-estree": "8.59.3"
       },
       "engines": {
         "node": "^18.18.0 || ^20.9.0 || >=21.1.0"
@@ -2851,13 +2851,13 @@
       }
     },
     "node_modules/@typescript-eslint/visitor-keys": {
-      "version": "8.59.2",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/visitor-keys/-/visitor-keys-8.59.2.tgz",
-      "integrity": "sha512-NwjLUnGy8/Zfx23fl50tRC8rYaYnM52xNRYFAXvmiil9yh1+K6aRVQMnzW6gQB/1DLgWt977lYQn7C+wtgXZiA==",
+      "version": "8.59.3",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/visitor-keys/-/visitor-keys-8.59.3.tgz",
+      "integrity": "sha512-f1UQF7ggd42YiwI5wGrRaPsa+P0CINBlrkLPmGfpq/u/I/oVtecoEIfFR9ag/oa1sLOsRNZ6xehf6qMZhQGBDg==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
-        "@typescript-eslint/types": "8.59.2",
+        "@typescript-eslint/types": "8.59.3",
         "eslint-visitor-keys": "^5.0.0"
       },
       "engines": {
@@ -7415,9 +7415,9 @@
       "license": "MIT"
     },
     "node_modules/nock": {
-      "version": "14.0.12",
-      "resolved": "https://registry.npmjs.org/nock/-/nock-14.0.12.tgz",
-      "integrity": "sha512-kZM3bHV0KzhHH6E2eRszHyML/w87AUzLBwupNTHohtYWP9fZYgUPmCbSKq6ITfEEmHqN4/p0MscvUipT4P5Qsg==",
+      "version": "14.0.15",
+      "resolved": "https://registry.npmjs.org/nock/-/nock-14.0.15.tgz",
+      "integrity": "sha512-S0a47C9pLvcYx/Ugf0H30BVBEcUgMMBDk9VJIDlJ8XGrfH2QDUD4Tgdp45qDIiHttokBG+IbsOtsvIjGR/j3bg==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
@@ -8311,9 +8311,9 @@
       }
     },
     "node_modules/semver": {
-      "version": "7.7.4",
-      "resolved": "https://registry.npmjs.org/semver/-/semver-7.7.4.tgz",
-      "integrity": "sha512-vFKC2IEtQnVhpT78h1Yp8wzwrf8CM+MzKMHGJZfBtzhZNycRFnXsHk6E5TxIkkMsgNS7mdX3AGB7x2QM2di4lA==",
+      "version": "7.8.0",
+      "resolved": "https://registry.npmjs.org/semver/-/semver-7.8.0.tgz",
+      "integrity": "sha512-AcM7dV/5ul4EekoQ29Agm5vri8JNqRyj39o0qpX6vDF2GZrtutZl5RwgD1XnZjiTAfncsJhMI48QQH3sN87YNA==",
       "license": "ISC",
       "bin": {
         "semver": "bin/semver.js"
@@ -9777,16 +9777,16 @@
       }
     },
     "node_modules/typescript-eslint": {
-      "version": "8.59.2",
-      "resolved": "https://registry.npmjs.org/typescript-eslint/-/typescript-eslint-8.59.2.tgz",
-      "integrity": "sha512-pJw051uomb3ZeCzGTpRb8RbEqB5Y4WWet8gl/GcTlU35BSx0PVdZ86/bqkQCyKKuraVQEK7r6kBHQXF+fBhkoQ==",
+      "version": "8.59.3",
+      "resolved": "https://registry.npmjs.org/typescript-eslint/-/typescript-eslint-8.59.3.tgz",
+      "integrity": "sha512-KgusgyDgG4LI8Ih/sWaCtZ06tckLAS5CvT5A4D1Q7bYVoAAyzwiZvE4BmwDHkhRVkvhRBepKeASoFzQetha7Fg==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
-        "@typescript-eslint/eslint-plugin": "8.59.2",
-        "@typescript-eslint/parser": "8.59.2",
-        "@typescript-eslint/typescript-estree": "8.59.2",
-        "@typescript-eslint/utils": "8.59.2"
+        "@typescript-eslint/eslint-plugin": "8.59.3",
+        "@typescript-eslint/parser": "8.59.3",
+        "@typescript-eslint/typescript-estree": "8.59.3",
+        "@typescript-eslint/utils": "8.59.3"
       },
       "engines": {
         "node": "^18.18.0 || ^20.9.0 || >=21.1.0"
@@ -10212,9 +10212,9 @@
       }
     },
     "node_modules/yaml": {
-      "version": "2.8.4",
-      "resolved": "https://registry.npmjs.org/yaml/-/yaml-2.8.4.tgz",
-      "integrity": "sha512-ml/JPOj9fOQK8RNnWojA67GbZ0ApXAUlN2UQclwv2eVgTgn7O9gg9o7paZWKMp4g0H3nTLtS9LVzhkpOFIKzog==",
+      "version": "2.9.0",
+      "resolved": "https://registry.npmjs.org/yaml/-/yaml-2.9.0.tgz",
+      "integrity": "sha512-2AvhNX3mb8zd6Zy7INTtSpl1F15HW6Wnqj0srWlkKLcpYl/gMIMJiyuGq2KeI2YFxUPjdlB+3Lc10seMLtL4cA==",
       "license": "ISC",
       "bin": {
         "yaml": "bin.mjs"
@@ -10302,10 +10302,10 @@
         "@octokit/core": "^7.0.6",
         "@octokit/plugin-paginate-rest": ">=9.2.2",
         "@octokit/plugin-rest-endpoint-methods": "^17.0.0",
-        "yaml": "^2.8.4"
+        "yaml": "^2.9.0"
       },
       "devDependencies": {
-        "@types/node": "^20.19.39",
+        "@types/node": "^20.19.41",
         "tsx": "^4.21.0"
       }
     }

package.json

@@ -1,6 +1,6 @@
 {
   "name": "codeql",
-  "version": "4.36.0",
+  "version": "4.36.1",
   "private": true,
   "description": "CodeQL action",
   "scripts": {
@@ -40,18 +40,18 @@
     "jsonschema": "1.5.0",
     "long": "^5.3.2",
     "node-forge": "^1.4.0",
-    "semver": "^7.7.4",
+    "semver": "^7.8.0",
     "uuid": "^14.0.0"
   },
   "devDependencies": {
     "@ava/typescript": "6.0.0",
-    "@eslint/compat": "^2.0.5",
+    "@eslint/compat": "^2.1.0",
     "@microsoft/eslint-formatter-sarif": "^3.1.0",
     "@octokit/types": "^16.0.0",
     "@types/archiver": "^7.0.0",
     "@types/follow-redirects": "^1.14.4",
     "@types/js-yaml": "^4.0.9",
-    "@types/node": "^20.19.39",
+    "@types/node": "^20.19.41",
     "@types/node-forge": "^1.3.14",
     "@types/sarif": "^2.1.7",
     "@types/semver": "^7.7.1",
@@ -66,10 +66,10 @@
     "eslint-plugin-no-async-foreach": "^0.1.1",
     "glob": "^11.1.0",
     "globals": "^17.6.0",
-    "nock": "^14.0.12",
+    "nock": "^14.0.15",
     "sinon": "^22.0.0",
     "typescript": "^6.0.3",
-    "typescript-eslint": "^8.59.2"
+    "typescript-eslint": "^8.59.3"
   },
   "overrides": {
     "@actions/tool-cache": {

pr-checks/check-repo-size.test.ts

@@ -0,0 +1,259 @@
+#!/usr/bin/env npx tsx
+
+/*
+Tests for check-repo-size.ts.
+*/
+
+import * as assert from "node:assert/strict";
+import { execFileSync } from "node:child_process";
+import { randomBytes } from "node:crypto";
+import * as fs from "node:fs";
+import * as os from "node:os";
+import * as path from "node:path";
+import { afterEach, beforeEach, describe, it } from "node:test";
+
+import {
+  COMMENT_MARKER,
+  DEFAULT_BASE_REF,
+  buildCommentBody,
+  formatBytes,
+  formatPercent,
+  isDeltaSignificant,
+  measureArchiveSize,
+  readArgs,
+} from "./check-repo-size";
+
+describe("formatBytes", async () => {
+  const cases: Array<[number, boolean, string]> = [
+    // Unsigned values, including sub-KiB amounts which round to 0.00.
+    [0, false, "0.00 KiB"],
+    [512, false, "0.50 KiB"],
+    [1024, false, "1.00 KiB"],
+    [1024 * 1024, false, "1024.00 KiB"],
+    [2 * 1024 * 1024, false, "2048.00 KiB"],
+    // Negative values always use a leading minus.
+    [-2 * 1024 * 1024, false, "-2048.00 KiB"],
+    // signed=true prepends a + to non-negative values.
+    [0, true, "+0.00 KiB"],
+    [2 * 1024 * 1024, true, "+2048.00 KiB"],
+    [-2 * 1024 * 1024, true, "-2048.00 KiB"],
+  ];
+  for (const [bytes, signed, expected] of cases) {
+    await it(`formats ${bytes} (signed=${signed}) as ${expected}`, () => {
+      assert.equal(formatBytes(bytes, signed), expected);
+    });
+  }
+});
+
+describe("formatPercent", async () => {
+  await it("formats positive fractions with a leading +", () => {
+    assert.equal(formatPercent(0.1), "+10.00%");
+    assert.equal(formatPercent(0.0123), "+1.23%");
+  });
+
+  await it("formats negative fractions with a leading -", () => {
+    assert.equal(formatPercent(-0.1), "-10.00%");
+  });
+
+  await it("formats zero without a sign", () => {
+    assert.equal(formatPercent(0), "0.00%");
+  });
+});
+
+describe("isDeltaSignificant", async () => {
+  const cases: Array<[number, number, number, boolean]> = [
+    // At and above threshold (both signs).
+    [100, 1000, 0.1, true],
+    [101, 1000, 0.1, true],
+    [-100, 1000, 0.1, true],
+    // Below threshold (both signs, plus exact zero).
+    [99, 1000, 0.1, false],
+    [-99, 1000, 0.1, false],
+    [0, 1000, 0.1, false],
+  ];
+  for (const [delta, base, fraction, expected] of cases) {
+    await it(`returns ${expected} for delta=${delta}, base=${base}, fraction=${fraction}`, () => {
+      assert.equal(isDeltaSignificant(delta, base, fraction), expected);
+    });
+  }
+});
+
+describe("buildCommentBody", async () => {
+  await it("includes the marker, the base/PR/delta rows, and the run URL", () => {
+    const body = buildCommentBody({
+      baseRef: "main",
+      baseSize: 2_000_000,
+      prSize: 2_300_000,
+      runUrl: "https://example.test/run",
+    });
+
+    assert.match(body, new RegExp(`^${escapeRegExp(COMMENT_MARKER)}`));
+    assert.match(body, /Base \(`main`\) \| 1953\.13 KiB \(2000000 bytes\)/);
+    assert.match(body, /This PR \| 2246\.09 KiB \(2300000 bytes\)/);
+    assert.match(
+      body,
+      /\*\*Delta\*\* \| \*\*\+292\.97 KiB \(\+300000 bytes, \+15\.00%\)\*\*/,
+    );
+    assert.match(body, /\[workflow run\]\(https:\/\/example\.test\/run\)/);
+  });
+
+  await it("formats negative deltas with a leading minus and omits the run URL when missing", () => {
+    const body = buildCommentBody({
+      baseRef: "main",
+      baseSize: 2_000_000,
+      prSize: 1_800_000,
+    });
+    assert.match(
+      body,
+      /\*\*Delta\*\* \| \*\*-195\.31 KiB \(-200000 bytes, -10\.00%\)\*\*/,
+    );
+    assert.doesNotMatch(body, /workflow run/);
+  });
+});
+
+describe("readArgs", async () => {
+  await it("defaults the base ref and head commit for local runs", () => {
+    const originalEnv = process.env;
+    const originalArgv = process.argv;
+
+    try {
+      process.env = {};
+      process.argv = ["node", "check-repo-size.ts", "--output-dir", "/tmp/out"];
+
+      const args = readArgs();
+
+      assert.equal(args.baseRef, DEFAULT_BASE_REF);
+      assert.equal(args.baseCommitish, `origin/${DEFAULT_BASE_REF}`);
+      assert.equal(args.headCommitish, "HEAD");
+      assert.equal(args.outputDir, "/tmp/out");
+      assert.equal(args.runUrl, undefined);
+    } finally {
+      process.env = originalEnv;
+      process.argv = originalArgv;
+    }
+  });
+
+  await it("uses the base and head SHAs when provided by the workflow", () => {
+    const originalEnv = process.env;
+    const originalArgv = process.argv;
+
+    try {
+      process.env = {
+        BASE_REF: "main",
+        BASE_SHA: "abc123",
+        HEAD_SHA: "def456",
+        RUN_URL: "https://example.test/run",
+      };
+      process.argv = ["node", "check-repo-size.ts", "--output-dir", "/tmp/out"];
+
+      const args = readArgs();
+
+      assert.equal(args.baseRef, "main");
+      assert.equal(args.baseCommitish, "abc123");
+      assert.equal(args.headCommitish, "def456");
+      assert.equal(args.outputDir, "/tmp/out");
+      assert.equal(args.runUrl, "https://example.test/run");
+    } finally {
+      process.env = originalEnv;
+      process.argv = originalArgv;
+    }
+  });
+
+  await it("throws when --output-dir is missing", () => {
+    const originalEnv = process.env;
+    const originalArgv = process.argv;
+
+    try {
+      process.env = {};
+      process.argv = ["node", "check-repo-size.ts"];
+      assert.throws(() => readArgs(), /--output-dir is required/);
+    } finally {
+      process.env = originalEnv;
+      process.argv = originalArgv;
+    }
+  });
+});
+
+let repoDir: string;
+
+beforeEach(() => {
+  repoDir = fs.mkdtempSync(path.join(os.tmpdir(), "check-repo-size-test-"));
+  execFileSync("git", ["init", "--initial-branch=main", "-q"], {
+    cwd: repoDir,
+  });
+  execFileSync("git", ["config", "user.email", "test@example.test"], {
+    cwd: repoDir,
+  });
+  execFileSync("git", ["config", "user.name", "Test"], { cwd: repoDir });
+  execFileSync("git", ["config", "commit.gpgsign", "false"], { cwd: repoDir });
+});
+
+afterEach(() => {
+  fs.rmSync(repoDir, { recursive: true, force: true });
+});
+
+function commit(name: string, content: string, message: string) {
+  fs.writeFileSync(path.join(repoDir, name), content);
+  execFileSync("git", ["add", name], { cwd: repoDir });
+  execFileSync("git", ["commit", "-q", "-m", message], { cwd: repoDir });
+}
+
+describe("measureArchiveSize", async () => {
+  await it("returns a positive byte count for a non-empty repo", async () => {
+    commit("a.txt", "hello world\n", "first");
+    const size = await measureArchiveSize("HEAD", repoDir);
+    assert.ok(size > 0, `expected size > 0, got ${size}`);
+  });
+
+  await it("returns the same size on repeated runs (deterministic)", async () => {
+    commit("a.txt", "hello world\n", "first");
+    const a = await measureArchiveSize("HEAD", repoDir);
+    const b = await measureArchiveSize("HEAD", repoDir);
+    assert.equal(a, b);
+  });
+
+  await it("returns a larger size when more content is added", async () => {
+    commit("a.txt", "hello world\n", "first");
+    const small = await measureArchiveSize("HEAD", repoDir);
+
+    // Use random bytes so the new content is incompressible and the archive
+    // is guaranteed to grow even after gzip.
+    commit("b.bin", randomBytes(8192).toString("base64"), "second");
+    const big = await measureArchiveSize("HEAD", repoDir);
+    assert.ok(
+      big > small,
+      `expected ${big} > ${small} after adding more content`,
+    );
+  });
+
+  await it("ignores untracked files (e.g. node_modules)", async () => {
+    commit("a.txt", "hello\n", "first");
+    commit(".gitignore", "node_modules/\n", "ignore node_modules");
+    const sizeBefore = await measureArchiveSize("HEAD", repoDir);
+
+    fs.mkdirSync(path.join(repoDir, "node_modules"));
+    fs.writeFileSync(
+      path.join(repoDir, "node_modules", "huge.bin"),
+      "x".repeat(1_000_000),
+    );
+
+    const sizeAfter = await measureArchiveSize("HEAD", repoDir);
+    assert.equal(
+      sizeAfter,
+      sizeBefore,
+      "untracked node_modules should not affect the archive size",
+    );
+  });
+
+  await it("rejects when the ref does not exist", async () => {
+    commit("a.txt", "hello\n", "first");
+    await assert.rejects(
+      () => measureArchiveSize("does-not-exist", repoDir),
+      /git archive does-not-exist exited with code/,
+    );
+  });
+});
+
+function escapeRegExp(s: string): string {
+  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+}

pr-checks/check-repo-size.ts

@@ -0,0 +1,223 @@
+#!/usr/bin/env npx tsx
+
+/*
+Measures the difference in the `.tar.gz`'d checkout size of the repo between the PR head and the PR
+base. This size is relevant because it corresponds to the duration of the "Download action
+repository" step that happens at the start of every job that uses this Action.
+
+Writes the candidate sticky-comment body and a small metadata file to `--output-dir`. A separate
+workflow job consumes those artifacts and decides whether to create or update a PR comment.
+*/
+
+import { spawn } from "node:child_process";
+import * as fs from "node:fs";
+import * as path from "node:path";
+import { parseArgs } from "node:util";
+
+import { REPO_ROOT } from "./config";
+
+/** Hidden marker used to find the existing sticky comment on a PR. */
+export const COMMENT_MARKER = "<!-- repo-size-diff-bot -->";
+
+export const DEFAULT_BASE_REF = "main";
+
+/**
+ * Fraction of the base archive size at which a delta is considered significant enough to warrant
+ * a new sticky comment. We always update an existing comment regardless, so the comment stays in
+ * sync as the diff evolves.
+ */
+export const SIGNIFICANT_DELTA_FRACTION = 0.1;
+
+/**
+ * Stream `git archive --format=tar.gz <ref>` and count the compressed bytes.
+ *
+ * `git archive` only includes tracked files, so untracked directories like `node_modules` and
+ * `build` aren't counted in the size downloaded when starting up a CodeQL job.
+ */
+export async function measureArchiveSize(
+  ref: string,
+  cwd: string,
+): Promise<number> {
+  const git = spawn("git", ["archive", "--format=tar.gz", ref], { cwd });
+
+  let stderr = "";
+  git.stderr.on("data", (chunk: Buffer) => {
+    stderr += chunk.toString();
+  });
+
+  let size = 0;
+  git.stdout.on("data", (chunk: Buffer) => {
+    size += chunk.length;
+  });
+
+  const exitCode = await new Promise<number>((resolve, reject) => {
+    git.on("error", reject);
+    git.on("close", resolve);
+  });
+
+  if (exitCode !== 0) {
+    throw new Error(
+      `git archive ${ref} exited with code ${exitCode}: ${stderr.trim()}`,
+    );
+  }
+  return size;
+}
+
+/**
+ * Format a byte count as KiB. If `signed` is true, a leading `+` is prepended for non-negative
+ * values so gains and losses are visually distinct.
+ */
+export function formatBytes(bytes: number, signed = false): string {
+  const sign = bytes < 0 ? "-" : signed ? "+" : "";
+  const kib = Math.abs(bytes) / 1024;
+  return `${sign}${kib.toFixed(2)} KiB`;
+}
+
+/** Format a fraction as a signed percentage with 2 decimal places. */
+export function formatPercent(fraction: number): string {
+  const pct = fraction * 100;
+  const sign = pct > 0 ? "+" : "";
+  return `${sign}${pct.toFixed(2)}%`;
+}
+
+export interface CommentBodyOptions {
+  baseRef: string;
+  baseSize: number;
+  prSize: number;
+  /** Optional URL of the workflow run, included in the comment footer. */
+  runUrl?: string;
+}
+
+export function buildCommentBody(opts: CommentBodyOptions): string {
+  const { baseRef, baseSize, prSize, runUrl } = opts;
+  const delta = prSize - baseSize;
+  const signedDelta = delta >= 0 ? `+${delta}` : `${delta}`;
+  const runUrlLine = runUrl
+    ? ` See the [workflow run](${runUrl}) for details.`
+    : "";
+
+  return [
+    COMMENT_MARKER,
+    "### Repository checkout size",
+    "",
+    "| | Compressed archive size |",
+    "|---|---|",
+    `| Base (\`${baseRef}\`) | ${formatBytes(baseSize)} (${baseSize} bytes) |`,
+    `| This PR | ${formatBytes(prSize)} (${prSize} bytes) |`,
+    `| **Delta** | **${formatBytes(delta, true)} (${signedDelta} bytes, ${formatPercent(delta / baseSize)})** |`,
+    "",
+    "Sizes are measured by streaming `git archive --format=tar.gz <ref>`, " +
+      "which includes tracked files and excludes untracked files such as " +
+      "`node_modules`. The compressed checkout is " +
+      "downloaded by every consumer of this Action, so changes here directly " +
+      `affect Action download time.${runUrlLine}`,
+  ].join("\n");
+}
+
+/**
+ * Returns true when the absolute delta is at least `fraction` of the base size. Both increases and
+ * decreases are considered significant, so we report wins as well as losses.
+ */
+export function isDeltaSignificant(
+  delta: number,
+  baseSize: number,
+  fraction: number,
+): boolean {
+  return Math.abs(delta) >= baseSize * fraction;
+}
+
+interface MainArgs {
+  /** Base ref of the PR. Defaults to `main`. Used as the label in the PR comment. */
+  baseRef: string;
+  /** Base commit-ish to archive. Defaults to `origin/<baseRef>` for local runs. */
+  baseCommitish: string;
+  /** Head commit-ish to archive. Defaults to `HEAD` for local runs. */
+  headCommitish: string;
+  /** Optional URL of the workflow run, surfaced in the comment footer. */
+  runUrl?: string;
+  /** Directory where `body.md` and `metadata.json` are written. */
+  outputDir: string;
+}
+
+export function readArgs(): MainArgs {
+  const { values } = parseArgs({
+    options: {
+      "output-dir": { type: "string" },
+    },
+    strict: true,
+  });
+
+  const outputDir = values["output-dir"];
+  if (!outputDir) {
+    throw new Error("--output-dir is required");
+  }
+
+  const baseRef = process.env.BASE_REF ?? DEFAULT_BASE_REF;
+  const baseCommitish = process.env.BASE_SHA ?? `origin/${baseRef}`;
+  const headCommitish = process.env.HEAD_SHA ?? "HEAD";
+
+  return {
+    baseRef,
+    baseCommitish,
+    headCommitish,
+    runUrl: process.env.RUN_URL,
+    outputDir,
+  };
+}
+
+async function main(): Promise<number> {
+  const args = readArgs();
+
+  console.log(`Measuring base archive size for ${args.baseCommitish}...`);
+  const baseSize = await measureArchiveSize(args.baseCommitish, REPO_ROOT);
+  console.log(`  ${baseSize} bytes`);
+
+  console.log(`Measuring PR archive size for ${args.headCommitish}...`);
+  const prSize = await measureArchiveSize(args.headCommitish, REPO_ROOT);
+  console.log(`  ${prSize} bytes`);
+
+  const delta = prSize - baseSize;
+  const significant = isDeltaSignificant(
+    delta,
+    baseSize,
+    SIGNIFICANT_DELTA_FRACTION,
+  );
+  console.log(
+    `Delta: ${delta} bytes (significant=${significant}, threshold=${(
+      SIGNIFICANT_DELTA_FRACTION * 100
+    ).toFixed(2)}%)`,
+  );
+
+  const body = buildCommentBody({
+    baseRef: args.baseRef,
+    baseSize,
+    prSize,
+    runUrl: args.runUrl,
+  });
+
+  fs.mkdirSync(args.outputDir, { recursive: true });
+  fs.writeFileSync(path.join(args.outputDir, "body.md"), body);
+  fs.writeFileSync(
+    path.join(args.outputDir, "metadata.json"),
+    `${JSON.stringify(
+      { significant, baseRef: args.baseRef, baseSize, prSize, delta },
+      null,
+      2,
+    )}\n`,
+  );
+  console.log(`Wrote body.md and metadata.json to ${args.outputDir}.`);
+  return 0;
+}
+
+async function run(): Promise<void> {
+  try {
+    process.exit(await main());
+  } catch (err) {
+    console.error(err instanceof Error ? err.message : String(err));
+    process.exit(1);
+  }
+}
+
+if (require.main === module) {
+  void run();
+}

pr-checks/config.ts

@@ -6,14 +6,17 @@ export const OLDEST_SUPPORTED_MAJOR_VERSION = 3;
 /** The `pr-checks` directory. */
 export const PR_CHECKS_DIR = __dirname;
 
+/** The repository root. */
+export const REPO_ROOT = path.join(PR_CHECKS_DIR, "..");
+
 /** The path of the file configuring which checks shouldn't be required. */
 export const PR_CHECK_EXCLUDED_FILE = path.join(PR_CHECKS_DIR, "excluded.yml");
 
 /** The path to the esbuild metadata file. */
-export const BUNDLE_METADATA_FILE = path.join(PR_CHECKS_DIR, "..", "meta.json");
+export const BUNDLE_METADATA_FILE = path.join(REPO_ROOT, "meta.json");
 
 /** The `src` directory. */
-const SOURCE_ROOT = path.join(PR_CHECKS_DIR, "..", "src");
+const SOURCE_ROOT = path.join(REPO_ROOT, "src");
 
 /** The path to the built-in languages file. */
 export const BUILTIN_LANGUAGES_FILE = path.join(

pr-checks/excluded.yml

@@ -1,16 +1,17 @@
 # PR checks to exclude from required checks
 contains:
-  - "https://"
-  - "Update"
   - "ESLint"
-  - "update"
+  - "https://"
   - "test-setup-python-scripts"
+  - "update"
+  - "Update"
 is:
+  - "Agent"
+  - "check-expected-release-files"
+  - "Cleanup artifacts"
   - "CodeQL"
   - "Dependabot"
-  - "check-expected-release-files"
-  - "Agent"
-  - "Cleanup artifacts"
+  - "Label PR with size"
+  - "Post repo size comment"
   - "Prepare"
   - "Upload results"
-  - "Label PR with size"

pr-checks/package.json

@@ -7,10 +7,10 @@
     "@octokit/core": "^7.0.6",
     "@octokit/plugin-paginate-rest": ">=9.2.2",
     "@octokit/plugin-rest-endpoint-methods": "^17.0.0",
-    "yaml": "^2.8.4"
+    "yaml": "^2.9.0"
   },
   "devDependencies": {
-    "@types/node": "^20.19.39",
+    "@types/node": "^20.19.41",
     "tsx": "^4.21.0"
   }
 }

queries/default-setup-environment-variables.ql

@@ -43,6 +43,7 @@ predicate envVarRead(DataFlow::Node node, string envVar) {
 from DataFlow::Node read, string envVar
 where
   envVarRead(read, envVar) and
+  read.getFile().getRelativePath().matches("src/%") and
   not read.getFile().getBaseName().matches("%.test.ts") and
   not isSafeForDefaultSetup(envVar)
 select read,

src/analyze-action.ts

@@ -30,7 +30,7 @@ import {
 } from "./dependency-caching";
 import { EnvVar } from "./environment";
 import { initFeatures } from "./feature-flags";
-import { BuiltInLanguage } from "./languages";
+import { BuiltInLanguage } from "./languages/index";
 import { getActionsLogger, Logger } from "./logging";
 import { cleanupAndUploadOverlayBaseDatabaseToCache } from "./overlay/caching";
 import { getRepositoryNwo } from "./repository";

src/analyze.test.ts

@@ -14,7 +14,7 @@ import {
 } from "./analyze";
 import { createStubCodeQL } from "./codeql";
 import { Feature } from "./feature-flags";
-import { BuiltInLanguage } from "./languages";
+import { BuiltInLanguage } from "./languages/index";
 import { getRunnerLogger } from "./logging";
 import {
   setupTests,

src/analyze.ts

@@ -21,7 +21,7 @@ import {
 } from "./diff-informed-analysis-utils";
 import { EnvVar } from "./environment";
 import { FeatureEnablement, Feature } from "./feature-flags";
-import { BuiltInLanguage, Language } from "./languages";
+import { BuiltInLanguage, Language } from "./languages/index";
 import { Logger, withGroupAsync } from "./logging";
 import { OverlayDatabaseMode } from "./overlay/overlay-database-mode";
 import type * as sarif from "./sarif";

src/autobuild-action.ts

@@ -10,7 +10,7 @@ import { determineAutobuildLanguages, runAutobuild } from "./autobuild";
 import { getCodeQL } from "./codeql";
 import { Config, getConfig } from "./config-utils";
 import { EnvVar } from "./environment";
-import { Language } from "./languages";
+import { Language } from "./languages/index";
 import { Logger, getActionsLogger } from "./logging";
 import {
   StatusReportBase,

src/autobuild.ts

@@ -7,7 +7,7 @@ import * as configUtils from "./config-utils";
 import { DocUrl } from "./doc-url";
 import { EnvVar } from "./environment";
 import { Feature, featureConfig, initFeatures } from "./feature-flags";
-import { BuiltInLanguage, Language } from "./languages";
+import { BuiltInLanguage, Language } from "./languages/index";
 import { Logger } from "./logging";
 import { getRepositoryNwo } from "./repository";
 import { asyncFilter, BuildMode } from "./util";

src/codeql.test.ts

@@ -21,7 +21,7 @@ import {
 import type { Config } from "./config-utils";
 import * as defaults from "./defaults.json";
 import { DocUrl } from "./doc-url";
-import { BuiltInLanguage } from "./languages";
+import { BuiltInLanguage } from "./languages/index";
 import { getRunnerLogger } from "./logging";
 import { ToolsSource } from "./setup-codeql";
 import {

src/codeql.ts

@@ -22,7 +22,7 @@ import {
   FeatureEnablement,
 } from "./feature-flags";
 import { isAnalyzingDefaultBranch } from "./git-utils";
-import { Language } from "./languages";
+import { Language } from "./languages/index";
 import { Logger } from "./logging";
 import { writeBaseDatabaseOidsFile, writeOverlayChangesFile } from "./overlay";
 import { OverlayDatabaseMode } from "./overlay/overlay-database-mode";

src/config-utils.test.ts

@@ -18,7 +18,7 @@ import { Feature } from "./feature-flags";
 import { RepositoryProperties } from "./feature-flags/properties";
 import * as gitUtils from "./git-utils";
 import { GitVersionInfo } from "./git-utils";
-import { BuiltInLanguage, Language } from "./languages";
+import { BuiltInLanguage, Language } from "./languages/index";
 import { getRunnerLogger } from "./logging";
 import { CODEQL_OVERLAY_MINIMUM_VERSION } from "./overlay";
 import * as overlayDiagnostics from "./overlay/diagnostics";

src/config-utils.ts

@@ -48,7 +48,7 @@ import {
   hasSubmodules,
   isAnalyzingDefaultBranch,
 } from "./git-utils";
-import { BuiltInLanguage, Language } from "./languages";
+import { BuiltInLanguage, Language } from "./languages/index";
 import { Logger } from "./logging";
 import { CODEQL_OVERLAY_MINIMUM_VERSION } from "./overlay";
 import {

src/database-upload.test.ts

@@ -12,7 +12,7 @@ import { createStubCodeQL } from "./codeql";
 import { Config } from "./config-utils";
 import { cleanupAndUploadDatabases } from "./database-upload";
 import * as gitUtils from "./git-utils";
-import { BuiltInLanguage } from "./languages";
+import { BuiltInLanguage } from "./languages/index";
 import { RepositoryNwo } from "./repository";
 import {
   checkExpectedLogMessages,

src/debug-artifacts.ts

@@ -13,7 +13,7 @@ import { type CodeQL } from "./codeql";
 import { Config } from "./config-utils";
 import { EnvVar } from "./environment";
 import * as json from "./json";
-import { Language } from "./languages";
+import { Language } from "./languages/index";
 import { Logger, withGroup } from "./logging";
 import {
   isSafeArtifactUpload,

src/defaults.json

@@ -1,6 +1,6 @@
 {
-  "bundleVersion": "codeql-bundle-v2.25.4",
-  "cliVersion": "2.25.4",
-  "priorBundleVersion": "codeql-bundle-v2.25.3",
-  "priorCliVersion": "2.25.3"
+  "bundleVersion": "codeql-bundle-v2.25.5",
+  "cliVersion": "2.25.5",
+  "priorBundleVersion": "codeql-bundle-v2.25.4",
+  "priorCliVersion": "2.25.4"
 }

src/dependency-caching.test.ts

@@ -27,7 +27,7 @@ import {
   CacheStoreResult,
 } from "./dependency-caching";
 import { Feature } from "./feature-flags";
-import { BuiltInLanguage } from "./languages";
+import { BuiltInLanguage } from "./languages/index";
 import {
   setupTests,
   createFeatures,

src/dependency-caching.ts

@@ -11,7 +11,7 @@ import { CodeQL } from "./codeql";
 import { Config } from "./config-utils";
 import { EnvVar } from "./environment";
 import { Feature, FeatureEnablement } from "./feature-flags";
-import { BuiltInLanguage, Language } from "./languages";
+import { BuiltInLanguage, Language } from "./languages/index";
 import { Logger } from "./logging";
 import { getErrorMessage, getRequiredEnvParam } from "./util";
 

src/diagnostics.ts

@@ -2,7 +2,7 @@ import { existsSync, mkdirSync, writeFileSync } from "fs";
 import path from "path";
 
 import type { Config } from "./config-utils";
-import { Language } from "./languages";
+import { Language } from "./languages/index";
 import { getActionsLogger } from "./logging";
 import { getCodeQLDatabasePath } from "./util";
 

src/feature-flags/properties.test.ts

@@ -78,6 +78,7 @@ test.serial("loadPropertiesFromApi loads known properties", async (t) => {
     url: "",
     data: [
       { property_name: "github-codeql-extra-queries", value: "+queries" },
+      { property_name: "github-codeql-tools", value: "toolcache" },
       { property_name: "unknown-property", value: "something" },
     ] satisfies properties.GitHubPropertiesResponse,
   });
@@ -87,7 +88,10 @@ test.serial("loadPropertiesFromApi loads known properties", async (t) => {
     logger,
     mockRepositoryNwo,
   );
-  t.deepEqual(response, { "github-codeql-extra-queries": "+queries" });
+  t.deepEqual(response, {
+    "github-codeql-extra-queries": "+queries",
+    "github-codeql-tools": "toolcache",
+  });
 });
 
 test.serial("loadPropertiesFromApi parses true boolean property", async (t) => {

src/feature-flags/properties.ts

@@ -1,7 +1,10 @@
+import * as github from "@actions/github";
+
 import { isDynamicWorkflow } from "../actions-util";
 import { getRepositoryProperties } from "../api-client";
 import { Logger } from "../logging";
 import { RepositoryNwo } from "../repository";
+import { getErrorMessage, Result, Success, Failure } from "../util";
 
 /** The common prefix that we expect all of our repository properties to have. */
 export const GITHUB_CODEQL_PROPERTY_PREFIX = "github-codeql-";
@@ -13,6 +16,7 @@ export enum RepositoryPropertyName {
   DISABLE_OVERLAY = "github-codeql-disable-overlay",
   EXTRA_QUERIES = "github-codeql-extra-queries",
   FILE_COVERAGE_ON_PRS = "github-codeql-file-coverage-on-prs",
+  TOOLS = "github-codeql-tools",
 }
 
 /** Parsed types of the known repository properties. */
@@ -20,6 +24,7 @@ export type AllRepositoryProperties = {
   [RepositoryPropertyName.DISABLE_OVERLAY]: boolean;
   [RepositoryPropertyName.EXTRA_QUERIES]: string;
   [RepositoryPropertyName.FILE_COVERAGE_ON_PRS]: boolean;
+  [RepositoryPropertyName.TOOLS]: string;
 };
 
 /** Parsed repository properties. */
@@ -30,6 +35,7 @@ export type RepositoryPropertyApiType = {
   [RepositoryPropertyName.DISABLE_OVERLAY]: string;
   [RepositoryPropertyName.EXTRA_QUERIES]: string;
   [RepositoryPropertyName.FILE_COVERAGE_ON_PRS]: string;
+  [RepositoryPropertyName.TOOLS]: string;
 };
 
 /** The type of functions which take the `value` from the API and try to convert it to the type we want. */
@@ -77,6 +83,7 @@ const repositoryPropertyParsers: {
   [RepositoryPropertyName.DISABLE_OVERLAY]: booleanProperty,
   [RepositoryPropertyName.EXTRA_QUERIES]: stringProperty,
   [RepositoryPropertyName.FILE_COVERAGE_ON_PRS]: booleanProperty,
+  [RepositoryPropertyName.TOOLS]: stringProperty,
 };
 
 /**
@@ -172,6 +179,38 @@ export async function loadPropertiesFromApi(
   }
 }
 
+/**
+ * Loads [repository properties](https://docs.github.com/en/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization) if applicable.
+ */
+export async function loadRepositoryProperties(
+  repositoryNwo: RepositoryNwo,
+  logger: Logger,
+): Promise<Result<RepositoryProperties, unknown>> {
+  // See if we can skip loading repository properties early. In particular,
+  // repositories owned by users cannot have repository properties, so we can
+  // skip the API call entirely in that case.
+  const repositoryOwnerType = github.context.payload.repository?.owner.type;
+  logger.debug(
+    `Repository owner type is '${repositoryOwnerType ?? "unknown"}'.`,
+  );
+  if (repositoryOwnerType === "User") {
+    logger.debug(
+      "Skipping loading repository properties because the repository is owned by a user and " +
+        "therefore cannot have repository properties.",
+    );
+    return new Success({});
+  }
+
+  try {
+    return new Success(await loadPropertiesFromApi(logger, repositoryNwo));
+  } catch (error) {
+    logger.warning(
+      `Failed to load repository properties: ${getErrorMessage(error)}`,
+    );
+    return new Failure(error);
+  }
+}
+
 /**
  * Validate that `value` has the correct type for `K` and, if so, update the partial set of repository
  * properties with the parsed value of the specified property.

src/init-action.ts

@@ -2,7 +2,6 @@ import * as fs from "fs";
 import * as path from "path";
 
 import * as core from "@actions/core";
-import * as github from "@actions/github";
 import * as io from "@actions/io";
 import * as semver from "semver";
 import { v4 as uuidV4 } from "uuid";
@@ -39,10 +38,7 @@ import {
 } from "./diagnostics";
 import { EnvVar } from "./environment";
 import { Feature, FeatureEnablement, initFeatures } from "./feature-flags";
-import {
-  loadPropertiesFromApi,
-  RepositoryProperties,
-} from "./feature-flags/properties";
+import { loadRepositoryProperties } from "./feature-flags/properties";
 import {
   checkInstallPython311,
   checkPacksForOverlayCompatibility,
@@ -53,14 +49,15 @@ import {
   initConfig,
   runDatabaseInitCluster,
 } from "./init";
-import { JavaEnvVars, BuiltInLanguage } from "./languages";
+import { JavaEnvVars, BuiltInLanguage } from "./languages/index";
 import { getActionsLogger, Logger, withGroupAsync } from "./logging";
 import {
   downloadOverlayBaseDatabaseFromCache,
   OverlayBaseDatabaseDownloadStats,
 } from "./overlay/caching";
 import { OverlayDatabaseMode } from "./overlay/overlay-database-mode";
-import { getRepositoryNwo, RepositoryNwo } from "./repository";
+import { getRepositoryNwo } from "./repository";
+import { resolveToolsInput } from "./resolve-tools-input";
 import { ToolsSource } from "./setup-codeql";
 import {
   ActionName,
@@ -93,10 +90,7 @@ import {
   checkActionVersion,
   getErrorMessage,
   BuildMode,
-  Result,
   getOptionalEnvVar,
-  Success,
-  Failure,
 } from "./util";
 import { checkWorkflow } from "./workflow";
 
@@ -140,6 +134,7 @@ async function sendCompletedStatusReport(
   toolsFeatureFlagsValid: boolean | undefined,
   toolsSource: ToolsSource,
   toolsVersion: string,
+  effectiveToolsInput: string | undefined,
   overlayBaseDatabaseStats: OverlayBaseDatabaseDownloadStats | undefined,
   dependencyCachingResults: DependencyCacheRestoreStatusReport | undefined,
   logger: Logger,
@@ -165,6 +160,7 @@ async function sendCompletedStatusReport(
   const initStatusReport: InitStatusReport = {
     ...statusReportBase,
     tools_input: getOptionalInput("tools") || "",
+    effective_tools_input: effectiveToolsInput || "",
     tools_resolved_version: toolsVersion,
     tools_source: toolsSource || ToolsSource.Unknown,
     workflow_languages: workflowLanguages || "",
@@ -219,6 +215,7 @@ async function run(startedAt: Date) {
   let toolsSource: ToolsSource;
   let toolsVersion: string;
   let zstdAvailability: ZstdAvailability | undefined;
+  let effectiveToolsInput: string | undefined;
 
   try {
     initializeEnvironment(getActionVersion());
@@ -251,6 +248,7 @@ async function run(startedAt: Date) {
       repositoryNwo,
       logger,
     );
+    const repositoryProperties = repositoryPropertiesResult.orElse({});
 
     // Create a unique identifier for this run.
     const jobRunUuid = uuidV4();
@@ -296,6 +294,15 @@ async function run(startedAt: Date) {
     const codeQLDefaultVersionInfo =
       await features.getEnabledDefaultCliVersions(gitHubVersion.type);
     toolsFeatureFlagsValid = codeQLDefaultVersionInfo.toolsFeatureFlagsValid;
+
+    // Determine the effective tools input.
+    // The explicit `tools` workflow input takes precedence. If none is provided,
+    // fall back to the 'github-codeql-tools' repository property (if set).
+    effectiveToolsInput = resolveToolsInput(
+      getOptionalInput("tools"),
+      repositoryProperties,
+      logger,
+    );
     const rawLanguages = configUtils.getRawLanguagesNoAutodetect(
       getOptionalInput("languages"),
     );
@@ -303,7 +310,7 @@ async function run(startedAt: Date) {
       analysisKinds?.length === 1 &&
       analysisKinds[0] === AnalysisKind.CodeScanning;
     const initCodeQLResult = await initCodeQL(
-      getOptionalInput("tools"),
+      effectiveToolsInput,
       apiDetails,
       getTemporaryDirectory(),
       gitHubVersion.type,
@@ -350,7 +357,6 @@ async function run(startedAt: Date) {
 
     analysisKinds = await getAnalysisKinds(logger, features);
     const debugMode = getOptionalInput("debug") === "true" || core.isDebug();
-    const repositoryProperties = repositoryPropertiesResult.orElse({});
     const fileCoverageResult = await getFileCoverageInformationEnabled(
       debugMode,
       codeql,
@@ -769,6 +775,7 @@ async function run(startedAt: Date) {
       toolsFeatureFlagsValid,
       toolsSource,
       toolsVersion,
+      effectiveToolsInput,
       overlayBaseDatabaseStats,
       dependencyCachingStatus,
       logger,
@@ -786,44 +793,13 @@ async function run(startedAt: Date) {
     toolsFeatureFlagsValid,
     toolsSource,
     toolsVersion,
+    effectiveToolsInput,
     overlayBaseDatabaseStats,
     dependencyCachingStatus,
     logger,
   );
 }
 
-/**
- * Loads [repository properties](https://docs.github.com/en/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization) if applicable.
- */
-async function loadRepositoryProperties(
-  repositoryNwo: RepositoryNwo,
-  logger: Logger,
-): Promise<Result<RepositoryProperties, unknown>> {
-  // See if we can skip loading repository properties early. In particular,
-  // repositories owned by users cannot have repository properties, so we can
-  // skip the API call entirely in that case.
-  const repositoryOwnerType = github.context.payload.repository?.owner.type;
-  logger.debug(
-    `Repository owner type is '${repositoryOwnerType ?? "unknown"}'.`,
-  );
-  if (repositoryOwnerType === "User") {
-    logger.debug(
-      "Skipping loading repository properties because the repository is owned by a user and " +
-        "therefore cannot have repository properties.",
-    );
-    return new Success({});
-  }
-
-  try {
-    return new Success(await loadPropertiesFromApi(logger, repositoryNwo));
-  } catch (error) {
-    logger.warning(
-      `Failed to load repository properties: ${getErrorMessage(error)}`,
-    );
-    return new Failure(error);
-  }
-}
-
 async function recordZstdAvailability(
   config: configUtils.Config,
   zstdAvailability: ZstdAvailability,

src/init.test.ts

@@ -15,7 +15,7 @@ import {
   getFileCoverageInformationEnabled,
   logFileCoverageOnPrsDeprecationWarning,
 } from "./init";
-import { BuiltInLanguage } from "./languages";
+import { BuiltInLanguage } from "./languages/index";
 import {
   createFeatures,
   LoggedMessage,

src/init.ts

@@ -26,7 +26,7 @@ import {
   RepositoryProperties,
   RepositoryPropertyName,
 } from "./feature-flags/properties";
-import { BuiltInLanguage, Language } from "./languages";
+import { BuiltInLanguage, Language } from "./languages/index";
 import { Logger, withGroupAsync } from "./logging";
 import { ToolsSource } from "./setup-codeql";
 import { ZstdAvailability } from "./tar";

src/resolve-tools-input.test.ts

@@ -0,0 +1,171 @@
+import test from "ava";
+
+import { RepositoryPropertyName } from "./feature-flags/properties";
+import type { RepositoryProperties } from "./feature-flags/properties";
+import { resolveToolsInput } from "./resolve-tools-input";
+import { getRecordingLogger, LoggedMessage, setupTests } from "./testing-utils";
+
+setupTests(test);
+
+test(
+  "resolveToolsInput returns undefined when no tools input or repository property is set",
+  (t) => {
+    const loggedMessages: LoggedMessage[] = [];
+    const logger = getRecordingLogger(loggedMessages);
+
+    const result = resolveToolsInput(undefined, {}, logger);
+
+    t.is(result, undefined);
+    t.is(loggedMessages.length, 0);
+  },
+);
+
+test(
+  "resolveToolsInput returns workflow input when only workflow input is provided",
+  (t) => {
+    const loggedMessages: LoggedMessage[] = [];
+    const logger = getRecordingLogger(loggedMessages);
+
+    const result = resolveToolsInput("latest", {}, logger);
+
+    t.is(result, "latest");
+    t.is(loggedMessages.length, 1);
+    t.is(
+      loggedMessages[0].message,
+      "Setting tools: latest based on workflow input.",
+    );
+  },
+);
+
+test(
+  "resolveToolsInput returns repository property when only repository property is provided",
+  (t) => {
+    const loggedMessages: LoggedMessage[] = [];
+    const logger = getRecordingLogger(loggedMessages);
+
+    const repositoryProperties: RepositoryProperties = {
+      [RepositoryPropertyName.TOOLS]: "toolcache",
+    };
+    const result = resolveToolsInput(undefined, repositoryProperties, logger);
+
+    t.is(result, "toolcache");
+    t.is(loggedMessages.length, 1);
+    t.is(
+      loggedMessages[0].message,
+      "Setting tools: toolcache based on the 'github-codeql-tools' repository property.",
+    );
+  },
+);
+
+test(
+  "resolveToolsInput prioritizes workflow input over repository property",
+  (t) => {
+    const loggedMessages: LoggedMessage[] = [];
+    const logger = getRecordingLogger(loggedMessages);
+
+    const repositoryProperties: RepositoryProperties = {
+      [RepositoryPropertyName.TOOLS]: "toolcache",
+    };
+    const result = resolveToolsInput("nightly", repositoryProperties, logger);
+
+    t.is(result, "nightly");
+    t.is(loggedMessages.length, 1);
+    t.is(
+      loggedMessages[0].message,
+      "Setting tools: nightly based on workflow input.",
+    );
+  },
+);
+
+test(
+  "resolveToolsInput treats empty string workflow input as not set",
+  (t) => {
+    const loggedMessages: LoggedMessage[] = [];
+    const logger = getRecordingLogger(loggedMessages);
+
+    const repositoryProperties: RepositoryProperties = {
+      [RepositoryPropertyName.TOOLS]: "toolcache",
+    };
+    const result = resolveToolsInput("", repositoryProperties, logger);
+
+    t.is(result, "toolcache");
+    t.is(loggedMessages.length, 1);
+    t.is(
+      loggedMessages[0].message,
+      "Setting tools: toolcache based on the 'github-codeql-tools' repository property.",
+    );
+  },
+);
+
+test(
+  "resolveToolsInput returns workflow input with URL value",
+  (t) => {
+    const loggedMessages: LoggedMessage[] = [];
+    const logger = getRecordingLogger(loggedMessages);
+
+    const url = "https://example.com/codeql-bundle.tar.gz";
+    const result = resolveToolsInput(url, {}, logger);
+
+    t.is(result, url);
+    t.is(loggedMessages.length, 1);
+    t.is(
+      loggedMessages[0].message,
+      `Setting tools: ${url} based on workflow input.`,
+    );
+  },
+);
+
+test(
+  "resolveToolsInput returns repository property with 'latest' value",
+  (t) => {
+    const loggedMessages: LoggedMessage[] = [];
+    const logger = getRecordingLogger(loggedMessages);
+
+    const repositoryProperties: RepositoryProperties = {
+      [RepositoryPropertyName.TOOLS]: "latest",
+    };
+    const result = resolveToolsInput(undefined, repositoryProperties, logger);
+
+    t.is(result, "latest");
+    t.is(
+      loggedMessages[0].message,
+      "Setting tools: latest based on the 'github-codeql-tools' repository property.",
+    );
+  },
+);
+
+test(
+  "resolveToolsInput returns repository property with specific version",
+  (t) => {
+    const loggedMessages: LoggedMessage[] = [];
+    const logger = getRecordingLogger(loggedMessages);
+
+    const repositoryProperties: RepositoryProperties = {
+      [RepositoryPropertyName.TOOLS]: "2.16.1",
+    };
+    const result = resolveToolsInput(undefined, repositoryProperties, logger);
+
+    t.is(result, "2.16.1");
+    t.is(
+      loggedMessages[0].message,
+      "Setting tools: 2.16.1 based on the 'github-codeql-tools' repository property.",
+    );
+  },
+);
+
+test(
+  "resolveToolsInput returns undefined when repository property is undefined",
+  (t) => {
+    const loggedMessages: LoggedMessage[] = [];
+    const logger = getRecordingLogger(loggedMessages);
+
+    const repositoryProperties: RepositoryProperties = {
+      [RepositoryPropertyName.TOOLS]: undefined,
+    };
+    const result = resolveToolsInput(undefined, repositoryProperties, logger);
+
+    t.is(result, undefined);
+    t.is(loggedMessages.length, 0);
+  },
+);
+

src/resolve-tools-input.ts

@@ -0,0 +1,36 @@
+import {
+  RepositoryProperties,
+  RepositoryPropertyName,
+} from "./feature-flags/properties";
+import { Logger } from "./logging";
+
+/**
+ * Resolves the effective tools input by combining the workflow input and repository properties.
+ * The explicit `tools` workflow input takes precedence. If none is provided,
+ * falls back to the repository property (if set).
+ *
+ * @param toolsWorkflowInput - The value of the `tools` workflow input, if provided.
+ * @param repositoryProperties - The parsed repository properties.
+ * @param logger - Logger for outputting resolution messages.
+ * @returns The effective tools input value.
+ */
+export function resolveToolsInput(
+  toolsWorkflowInput: string | undefined,
+  repositoryProperties: RepositoryProperties,
+  logger: Logger,
+): string | undefined {
+  if (toolsWorkflowInput) {
+    logger.info(`Setting tools: ${toolsWorkflowInput} based on workflow input.`);
+    return toolsWorkflowInput;
+  }
+
+  const toolsPropertyValue = repositoryProperties[RepositoryPropertyName.TOOLS];
+  if (toolsPropertyValue) {
+    logger.info(
+      `Setting tools: ${toolsPropertyValue} based on the '${RepositoryPropertyName.TOOLS}' repository property.`,
+    );
+    return toolsPropertyValue;
+  }
+
+  return undefined;
+}

src/setup-codeql-action.ts

@@ -13,9 +13,11 @@ import { CodeQL } from "./codeql";
 import { getRawLanguagesNoAutodetect } from "./config-utils";
 import { EnvVar } from "./environment";
 import { initFeatures } from "./feature-flags";
+import { loadRepositoryProperties } from "./feature-flags/properties";
 import { initCodeQL } from "./init";
 import { getActionsLogger, Logger } from "./logging";
 import { getRepositoryNwo } from "./repository";
+import { resolveToolsInput } from "./resolve-tools-input";
 import { ToolsSource } from "./setup-codeql";
 import {
   ActionName,
@@ -48,6 +50,7 @@ async function sendCompletedStatusReport(
   toolsFeatureFlagsValid: boolean | undefined,
   toolsSource: ToolsSource,
   toolsVersion: string,
+  effectiveToolsInput: string | undefined,
   logger: Logger,
   error?: Error,
 ): Promise<void> {
@@ -69,6 +72,7 @@ async function sendCompletedStatusReport(
   const initStatusReport: InitStatusReport = {
     ...statusReportBase,
     tools_input: getOptionalInput("tools") || "",
+    effective_tools_input: effectiveToolsInput || "",
     tools_resolved_version: toolsVersion,
     tools_source: toolsSource || ToolsSource.Unknown,
     workflow_languages: "",
@@ -99,6 +103,7 @@ async function run(startedAt: Date): Promise<void> {
   let toolsFeatureFlagsValid: boolean | undefined;
   let toolsSource: ToolsSource;
   let toolsVersion: string;
+  let effectiveToolsInput: string | undefined;
 
   try {
     initializeEnvironment(getActionVersion());
@@ -141,12 +146,29 @@ async function run(startedAt: Date): Promise<void> {
     const codeQLDefaultVersionInfo =
       await features.getEnabledDefaultCliVersions(gitHubVersion.type);
     toolsFeatureFlagsValid = codeQLDefaultVersionInfo.toolsFeatureFlagsValid;
+
+    // Fetch the values of known repository properties that affect us.
+    const repositoryPropertiesResult = await loadRepositoryProperties(
+      repositoryNwo,
+      logger,
+    );
+    const repositoryProperties = repositoryPropertiesResult.orElse({});
+
+    // Determine the effective tools input.
+    // The explicit `tools` workflow input takes precedence. If none is provided,
+    // fall back to the 'github-codeql-tools' repository property (if set).
+    effectiveToolsInput = resolveToolsInput(
+      getOptionalInput("tools"),
+      repositoryProperties,
+      logger,
+    );
     const rawLanguages = getRawLanguagesNoAutodetect(
       getOptionalInput("languages"),
     );
     const analysisKinds = await getAnalysisKinds(logger, features);
+
     const initCodeQLResult = await initCodeQL(
-      getOptionalInput("tools"),
+      effectiveToolsInput,
       apiDetails,
       getTemporaryDirectory(),
       gitHubVersion.type,
@@ -191,6 +213,7 @@ async function run(startedAt: Date): Promise<void> {
     toolsFeatureFlagsValid,
     toolsSource,
     toolsVersion,
+    effectiveToolsInput,
     logger,
   );
 }

src/setup-codeql.ts

@@ -559,7 +559,7 @@ export async function getCodeQLSource(
         );
       } else {
         if (allowToolcacheValueFF) {
-          logger.warning(
+          logger.info(
             `Ignoring 'tools: ${toolsInput}' because the workflow was not triggered dynamically.`,
           );
         } else {

src/start-proxy-action.ts

@@ -6,7 +6,7 @@ import * as core from "@actions/core";
 import * as actionsUtil from "./actions-util";
 import { getGitHubVersion } from "./api-client";
 import { Feature, FeatureEnablement, initFeatures } from "./feature-flags";
-import { BuiltInLanguage, parseBuiltInLanguage } from "./languages";
+import { BuiltInLanguage, parseBuiltInLanguage } from "./languages/index";
 import { getActionsLogger, Logger } from "./logging";
 import { getRepositoryNwo } from "./repository";
 import {

src/start-proxy.test.ts

@@ -10,7 +10,7 @@ import * as defaults from "./defaults.json";
 import { setUpFeatureFlagTests } from "./feature-flags/testing-util";
 import { UnvalidatedObject, validateSchema } from "./json";
 import { makeFromSchema } from "./json/testing-util";
-import { BuiltInLanguage } from "./languages";
+import { BuiltInLanguage } from "./languages/index";
 import { getRunnerLogger, Logger } from "./logging";
 import * as startProxyExports from "./start-proxy";
 import * as statusReport from "./status-report";

src/start-proxy.ts

@@ -18,7 +18,7 @@ import {
   FeatureEnablement,
 } from "./feature-flags";
 import * as json from "./json";
-import { BuiltInLanguage } from "./languages";
+import { BuiltInLanguage } from "./languages/index";
 import { Logger } from "./logging";
 import {
   Address,

src/status-report.test.ts

@@ -4,7 +4,7 @@ import * as sinon from "sinon";
 import * as actionsUtil from "./actions-util";
 import { Config } from "./config-utils";
 import { EnvVar } from "./environment";
-import { BuiltInLanguage } from "./languages";
+import { BuiltInLanguage } from "./languages/index";
 import { getRunnerLogger } from "./logging";
 import { ToolsSource } from "./setup-codeql";
 import {
@@ -316,6 +316,7 @@ const testCreateInitWithConfigStatusReport = makeMacro({
         const initStatusReport: InitStatusReport = {
           ...statusReportBase,
           tools_input: "",
+          effective_tools_input: "",
           tools_resolved_version: "foo",
           tools_source: ToolsSource.Unknown,
           workflow_languages: "actions",

src/status-report.ts

@@ -482,6 +482,8 @@ export async function sendStatusReport<S extends StatusReportBase>(
 export interface InitStatusReport extends StatusReportBase {
   /** Value given by the user as the "tools" input. */
   tools_input: string;
+  /** The effective tools input that was used, after applying defaults and repository properties. */
+  effective_tools_input: string;
   /** Version of the bundle used. */
   tools_resolved_version: string;
   /** Where the bundle originated from. */

src/tracer-config.test.ts

@@ -6,7 +6,7 @@ import * as sinon from "sinon";
 
 import { CodeQL, getCodeQLForTesting } from "./codeql";
 import * as configUtils from "./config-utils";
-import { BuiltInLanguage } from "./languages";
+import { BuiltInLanguage } from "./languages/index";
 import { createTestConfig, makeVersionInfo, setupTests } from "./testing-utils";
 import { ToolsFeature } from "./tools-features";
 import { getCombinedTracerConfig } from "./tracer-config";

src/trap-caching.test.ts

@@ -15,7 +15,7 @@ import {
 import * as configUtils from "./config-utils";
 import { Feature } from "./feature-flags";
 import * as gitUtils from "./git-utils";
-import { BuiltInLanguage } from "./languages";
+import { BuiltInLanguage } from "./languages/index";
 import { getRunnerLogger } from "./logging";
 import {
   createFeatures,

src/trap-caching.ts

@@ -10,7 +10,7 @@ import { type Config } from "./config-utils";
 import { DocUrl } from "./doc-url";
 import { Feature, FeatureEnablement } from "./feature-flags";
 import * as gitUtils from "./git-utils";
-import { Language } from "./languages";
+import { Language } from "./languages/index";
 import { Logger } from "./logging";
 import {
   asHTTPError,

src/util.ts

@@ -15,7 +15,7 @@ import type { Pack } from "./config/db-config";
 import type { Config } from "./config-utils";
 import { EnvVar } from "./environment";
 import * as json from "./json";
-import { Language } from "./languages";
+import { Language } from "./languages/index";
 import { Logger } from "./logging";
 
 /**