Update changelog and version after v4.31.11

Restore condition for enablement
Use stdin for files to query attributes of
2026-05-03 12:20:09 +00:00 · 2026-01-19 13:28:30 +00:00 · 2026-01-19 13:19:48 +00:00 · 2026-01-19 13:18:48 +00:00 · 2026-01-19 13:09:15 +00:00 · 2026-01-19 13:04:30 +00:00
182 changed files with 278448 additions and 230687 deletions
@@ -16,9 +16,9 @@ runs:
      shell: bash

    - name: Set up Python
-      uses: actions/setup-python@v5
+      uses: actions/setup-python@v6
      with:
-        python-version: 3.12
+        python-version: '3.12'

    - name: Install dependencies
      run: |
@@ -0,0 +1,6 @@
+name: Verify that the best-effort debug artifact scan completed
+description: Verifies that the best-effort debug artifact scan completed successfully during tests
+runs:
+  using: node24
+  main: index.js
+  post: post.js
@@ -0,0 +1,2 @@
+// The main step is a no-op, since we can only verify artifact scan completion in the post step.
+console.log("Will verify artifact scan completion in the post step.");
@@ -0,0 +1,11 @@
+// Post step - runs after the workflow completes, when artifact scan has finished
+const process = require("process");
+
+const scanFinished = process.env.CODEQL_ACTION_ARTIFACT_SCAN_FINISHED;
+
+if (scanFinished !== "true") {
+  console.error("Error: Best-effort artifact scan did not complete. Expected CODEQL_ACTION_ARTIFACT_SCAN_FINISHED=true");
+  process.exit(1);
+}
+
+console.log("✓ Best-effort artifact scan completed successfully");
@@ -18,14 +18,25 @@ For internal use only. Please select the risk level of this change:

 #### Which use cases does this change impact?

-<!-- Delete options that don't apply. -->
+<!-- Delete options that don't apply. If in doubt, do not delete an option. -->

- **Advanced setup** - Impacts users who have custom workflows.
- **Default setup** - Impacts users who use default setup.
- **Code Scanning** - Impacts Code Scanning (i.e. `analysis-kinds: code-scanning`).
- **Code Quality** - Impacts Code Quality (i.e. `analysis-kinds: code-quality`).
- **Third-party analyses** - Impacts third-party analyses (i.e. `upload-sarif`).
- **GHES** - Impacts GitHub Enterprise Server.
+Workflow types:
+
+- **Advanced setup** - Impacts users who have custom CodeQL workflows.
+- **Managed** - Impacts users with `dynamic` workflows (Default Setup, CCR, ...).
+
+Products:
+
+- **Code Scanning** - The changes impact analyses when `analysis-kinds: code-scanning`.
+- **Code Quality** - The changes impact analyses when `analysis-kinds: code-quality`.
+- **CCR** - The changes impact analyses for Copilot Code Reviews.
+- **Third-party analyses** - The changes affect the `upload-sarif` action.
+
+Environments:
+
+- **Dotcom** - Impacts CodeQL workflows on `github.com` and/or GitHub Enterprise Cloud with Data Residency.
+- **GHES** - Impacts CodeQL workflows on GitHub Enterprise Server.
+- **Testing/None** - This change does not impact any CodeQL workflows in production.

 #### How did/will you validate this change?

@@ -54,6 +65,15 @@ For internal use only. Please select the risk level of this change:
    - **Alerts** - New or existing monitors will trip if something goes wrong with this change.
 - **Other** - Please provide details.

+#### Are there any special considerations for merging or releasing this change?
+
+<!--
+    Consider whether this change depends on a different change in another repository that should be released first.
+-->
+
+- **No special considerations** - This change can be merged at any time.
+- **Special considerations** - This change should only be merged once certain preconditions are met. Please provide details of those or link to this PR from an internal issue.
+
 ### Merge / deployment checklist

 - Confirm this change is backwards compatible with existing workflows.
@@ -27,6 +27,11 @@ on:
        description: The version of Go to install
        required: false
        default: '>=1.21.0'
+      dotnet-version:
+        type: string
+        description: The version of .NET to install
+        required: false
+        default: 9.x
  workflow_call:
    inputs:
      go-version:
@@ -34,6 +39,11 @@ on:
        description: The version of Go to install
        required: false
        default: '>=1.21.0'
+      dotnet-version:
+        type: string
+        description: The version of .NET to install
+        required: false
+        default: 9.x
 defaults:
  run:
    shell: bash
@@ -61,7 +71,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -74,6 +84,10 @@ jobs:
        with:
          go-version: ${{ inputs.go-version || '>=1.21.0' }}
          cache: false
+      - name: Install .NET
+        uses: actions/setup-dotnet@v5
+        with:
+          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - id: init
        uses: ./../action/init
        with:
@@ -32,6 +32,11 @@ on:
        description: The version of Python to install
        required: false
        default: '3.13'
+      dotnet-version:
+        type: string
+        description: The version of .NET to install
+        required: false
+        default: 9.x
  workflow_call:
    inputs:
      go-version:
@@ -44,6 +49,11 @@ on:
        description: The version of Python to install
        required: false
        default: '3.13'
+      dotnet-version:
+        type: string
+        description: The version of .NET to install
+        required: false
+        default: 9.x
 defaults:
  run:
    shell: bash
@@ -67,7 +77,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -85,6 +95,10 @@ jobs:
        uses: actions/setup-python@v6
        with:
          python-version: ${{ inputs.python-version || '3.13' }}
+      - name: Install .NET
+        uses: actions/setup-dotnet@v5
+        with:
+          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - uses: ./../action/init
        with:
          tools: ${{ steps.prepare-test.outputs.tools-url }}
@@ -21,9 +21,19 @@ on:
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
-    inputs: {}
+    inputs:
+      dotnet-version:
+        type: string
+        description: The version of .NET to install
+        required: false
+        default: 9.x
  workflow_call:
-    inputs: {}
+    inputs:
+      dotnet-version:
+        type: string
+        description: The version of .NET to install
+        required: false
+        default: 9.x
 defaults:
  run:
    shell: bash
@@ -51,7 +61,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -59,6 +69,10 @@ jobs:
          version: ${{ matrix.version }}
          use-all-platform-bundle: 'false'
          setup-kotlin: 'true'
+      - name: Install .NET
+        uses: actions/setup-dotnet@v5
+        with:
+          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - uses: ./../action/init
        with:
          languages: csharp
@@ -63,7 +63,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -47,7 +47,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -63,7 +63,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -27,6 +27,11 @@ on:
        description: The version of Go to install
        required: false
        default: '>=1.21.0'
+      dotnet-version:
+        type: string
+        description: The version of .NET to install
+        required: false
+        default: 9.x
  workflow_call:
    inputs:
      go-version:
@@ -34,6 +39,11 @@ on:
        description: The version of Go to install
        required: false
        default: '>=1.21.0'
+      dotnet-version:
+        type: string
+        description: The version of .NET to install
+        required: false
+        default: 9.x
 defaults:
  run:
    shell: bash
@@ -57,7 +67,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -70,6 +80,10 @@ jobs:
        with:
          go-version: ${{ inputs.go-version || '>=1.21.0' }}
          cache: false
+      - name: Install .NET
+        uses: actions/setup-dotnet@v5
+        with:
+          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - uses: ./../action/init
        id: init
        with:
@@ -49,7 +49,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -47,7 +47,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -47,7 +47,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -51,7 +51,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -51,7 +51,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -79,7 +79,7 @@ jobs:
          output: ${{ runner.temp }}/results
          upload-database: false
      - name: Upload SARIF
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v6
        with:
          name: ${{ matrix.os }}-zstd-bundle.sarif
          path: ${{ runner.temp }}/results/javascript.sarif
@@ -47,7 +47,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -49,7 +49,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -67,7 +67,7 @@ jobs:
          output: ${{ runner.temp }}/results
          upload-database: false
      - name: Upload SARIF
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v6
        with:
          name: config-export-${{ matrix.os }}-${{ matrix.version }}.sarif.json
          path: ${{ runner.temp }}/results/javascript.sarif
@@ -47,7 +47,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
      - name: Install Node.js
        uses: actions/setup-node@v6
        with:
@@ -51,7 +51,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -49,7 +49,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -51,7 +51,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -49,7 +49,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -78,7 +78,7 @@ jobs:
          output: ${{ runner.temp }}/results
          upload-database: false
      - name: Upload SARIF
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v6
        with:
          name: diagnostics-export-${{ matrix.os }}-${{ matrix.version }}.sarif.json
          path: ${{ runner.temp }}/results/javascript.sarif
@@ -27,6 +27,11 @@ on:
        description: The version of Go to install
        required: false
        default: '>=1.21.0'
+      dotnet-version:
+        type: string
+        description: The version of .NET to install
+        required: false
+        default: 9.x
  workflow_call:
    inputs:
      go-version:
@@ -34,6 +39,11 @@ on:
        description: The version of Go to install
        required: false
        default: '>=1.21.0'
+      dotnet-version:
+        type: string
+        description: The version of .NET to install
+        required: false
+        default: 9.x
 defaults:
  run:
    shell: bash
@@ -61,7 +71,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -74,6 +84,10 @@ jobs:
        with:
          go-version: ${{ inputs.go-version || '>=1.21.0' }}
          cache: false
+      - name: Install .NET
+        uses: actions/setup-dotnet@v5
+        with:
+          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - uses: ./../action/init
        id: init
        with:
@@ -85,7 +99,7 @@ jobs:
        with:
          output: ${{ runner.temp }}/results
      - name: Upload SARIF
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v6
        with:
          name: with-baseline-information-${{ matrix.os }}-${{ matrix.version }}.sarif.json
          path: ${{ runner.temp }}/results/javascript.sarif
@@ -47,7 +47,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -61,7 +61,7 @@ jobs:
          apt install -y gh
        env: {}
      - name: Check out repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -76,6 +76,7 @@ jobs:
      - uses: ./../action/analyze
    env:
      https_proxy: http://squid-proxy:3128
+      CODEQL_ACTION_TOLERATE_MISSING_GIT_VERSION: true
      CODEQL_ACTION_TEST_MODE: true
    container:
      image: ubuntu:22.04
@@ -27,6 +27,11 @@ on:
        description: The version of Go to install
        required: false
        default: '>=1.21.0'
+      dotnet-version:
+        type: string
+        description: The version of .NET to install
+        required: false
+        default: 9.x
  workflow_call:
    inputs:
      go-version:
@@ -34,6 +39,11 @@ on:
        description: The version of Go to install
        required: false
        default: '>=1.21.0'
+      dotnet-version:
+        type: string
+        description: The version of .NET to install
+        required: false
+        default: 9.x
 defaults:
  run:
    shell: bash
@@ -59,7 +69,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -72,6 +82,10 @@ jobs:
        with:
          go-version: ${{ inputs.go-version || '>=1.21.0' }}
          cache: false
+      - name: Install .NET
+        uses: actions/setup-dotnet@v5
+        with:
+          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - uses: ./../action/init
        with:
          languages: go
@@ -57,7 +57,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -57,7 +57,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -57,7 +57,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -91,7 +91,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -91,7 +91,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -91,7 +91,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -8,9 +8,6 @@ env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  GO111MODULE: auto
 on:
-  push:
-    paths:
-      - .github/workflows/__go.yml
  workflow_dispatch:
    inputs:
      go-version:
@@ -18,6 +15,11 @@ on:
        description: The version of Go to install
        required: false
        default: '>=1.21.0'
+      dotnet-version:
+        type: string
+        description: The version of .NET to install
+        required: false
+        default: 9.x
 jobs:
  go-custom-queries:
    name: 'Go: Custom queries'
@@ -27,6 +29,7 @@ jobs:
    uses: ./.github/workflows/__go-custom-queries.yml
    with:
      go-version: ${{ inputs.go-version }}
+      dotnet-version: ${{ inputs.dotnet-version }}
  go-indirect-tracing-workaround-diagnostic:
    name: 'Go: diagnostic when Go is changed after init step'
    permissions:
@@ -52,7 +52,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -51,7 +51,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -47,7 +47,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -64,7 +64,7 @@ jobs:
        with:
          output: ${{ runner.temp }}/results
      - name: Upload SARIF
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v6
        with:
          name: ${{ matrix.os }}-${{ matrix.version }}.sarif.json
          path: ${{ runner.temp }}/results/javascript.sarif
@@ -47,7 +47,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -32,6 +32,11 @@ on:
        description: The version of Python to install
        required: false
        default: '3.13'
+      dotnet-version:
+        type: string
+        description: The version of .NET to install
+        required: false
+        default: 9.x
  workflow_call:
    inputs:
      go-version:
@@ -44,6 +49,11 @@ on:
        description: The version of Python to install
        required: false
        default: '3.13'
+      dotnet-version:
+        type: string
+        description: The version of .NET to install
+        required: false
+        default: 9.x
 defaults:
  run:
    shell: bash
@@ -67,7 +77,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -85,6 +95,10 @@ jobs:
        uses: actions/setup-python@v6
        with:
          python-version: ${{ inputs.python-version || '3.13' }}
+      - name: Install .NET
+        uses: actions/setup-dotnet@v5
+        with:
+          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - name: Fetch latest CodeQL bundle
        run: |
          wget https://github.com/github/codeql-action/releases/latest/download/codeql-bundle-linux64.tar.zst
@@ -32,6 +32,11 @@ on:
        description: The version of Python to install
        required: false
        default: '3.13'
+      dotnet-version:
+        type: string
+        description: The version of .NET to install
+        required: false
+        default: 9.x
  workflow_call:
    inputs:
      go-version:
@@ -44,6 +49,11 @@ on:
        description: The version of Python to install
        required: false
        default: '3.13'
+      dotnet-version:
+        type: string
+        description: The version of .NET to install
+        required: false
+        default: 9.x
 defaults:
  run:
    shell: bash
@@ -101,7 +111,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -119,6 +129,10 @@ jobs:
        uses: actions/setup-python@v6
        with:
          python-version: ${{ inputs.python-version || '3.13' }}
+      - name: Install .NET
+        uses: actions/setup-dotnet@v5
+        with:
+          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - name: Use Xcode 16
        if: runner.os == 'macOS' && matrix.version != 'nightly-latest'
        run: sudo xcode-select -s "/Applications/Xcode_16.app"
@@ -49,7 +49,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -32,6 +32,11 @@ on:
        description: The version of Python to install
        required: false
        default: '3.13'
+      dotnet-version:
+        type: string
+        description: The version of .NET to install
+        required: false
+        default: 9.x
  workflow_call:
    inputs:
      go-version:
@@ -44,6 +49,11 @@ on:
        description: The version of Python to install
        required: false
        default: '3.13'
+      dotnet-version:
+        type: string
+        description: The version of .NET to install
+        required: false
+        default: 9.x
 defaults:
  run:
    shell: bash
@@ -71,7 +81,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
      - name: Install Node.js
        uses: actions/setup-node@v6
        with:
@@ -96,6 +106,10 @@ jobs:
        uses: actions/setup-python@v6
        with:
          python-version: ${{ inputs.python-version || '3.13' }}
+      - name: Install .NET
+        uses: actions/setup-dotnet@v5
+        with:
+          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - uses: ./../action/init
        with:
          config-file: .github/codeql/codeql-config-packaging3.yml
@@ -27,6 +27,11 @@ on:
        description: The version of Go to install
        required: false
        default: '>=1.21.0'
+      dotnet-version:
+        type: string
+        description: The version of .NET to install
+        required: false
+        default: 9.x
  workflow_call:
    inputs:
      go-version:
@@ -34,6 +39,11 @@ on:
        description: The version of Go to install
        required: false
        default: '>=1.21.0'
+      dotnet-version:
+        type: string
+        description: The version of .NET to install
+        required: false
+        default: 9.x
 defaults:
  run:
    shell: bash
@@ -61,7 +71,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
      - name: Install Node.js
        uses: actions/setup-node@v6
        with:
@@ -81,6 +91,10 @@ jobs:
        with:
          go-version: ${{ inputs.go-version || '>=1.21.0' }}
          cache: false
+      - name: Install .NET
+        uses: actions/setup-dotnet@v5
+        with:
+          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - uses: ./../action/init
        with:
          config-file: .github/codeql/codeql-config-packaging3.yml
@@ -27,6 +27,11 @@ on:
        description: The version of Go to install
        required: false
        default: '>=1.21.0'
+      dotnet-version:
+        type: string
+        description: The version of .NET to install
+        required: false
+        default: 9.x
  workflow_call:
    inputs:
      go-version:
@@ -34,6 +39,11 @@ on:
        description: The version of Go to install
        required: false
        default: '>=1.21.0'
+      dotnet-version:
+        type: string
+        description: The version of .NET to install
+        required: false
+        default: 9.x
 defaults:
  run:
    shell: bash
@@ -61,7 +71,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
      - name: Install Node.js
        uses: actions/setup-node@v6
        with:
@@ -81,6 +91,10 @@ jobs:
        with:
          go-version: ${{ inputs.go-version || '>=1.21.0' }}
          cache: false
+      - name: Install .NET
+        uses: actions/setup-dotnet@v5
+        with:
+          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - uses: ./../action/init
        with:
          config-file: .github/codeql/codeql-config-packaging.yml
@@ -27,6 +27,11 @@ on:
        description: The version of Go to install
        required: false
        default: '>=1.21.0'
+      dotnet-version:
+        type: string
+        description: The version of .NET to install
+        required: false
+        default: 9.x
  workflow_call:
    inputs:
      go-version:
@@ -34,6 +39,11 @@ on:
        description: The version of Go to install
        required: false
        default: '>=1.21.0'
+      dotnet-version:
+        type: string
+        description: The version of .NET to install
+        required: false
+        default: 9.x
 defaults:
  run:
    shell: bash
@@ -61,7 +71,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
      - name: Install Node.js
        uses: actions/setup-node@v6
        with:
@@ -81,6 +91,10 @@ jobs:
        with:
          go-version: ${{ inputs.go-version || '>=1.21.0' }}
          cache: false
+      - name: Install .NET
+        uses: actions/setup-dotnet@v5
+        with:
+          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - uses: ./../action/init
        with:
          config-file: .github/codeql/codeql-config-packaging2.yml
@@ -63,7 +63,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -83,7 +83,7 @@ jobs:
          post-processed-sarif-path: ${{ runner.temp }}/post-processed
      - name: Upload security SARIF
        if: contains(matrix.analysis-kinds, 'code-scanning')
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v6
        with:
          name: |
            quality-queries-${{ matrix.os }}-${{ matrix.version }}-${{ matrix.analysis-kinds }}.sarif.json
@@ -91,14 +91,14 @@ jobs:
          retention-days: 7
      - name: Upload quality SARIF
        if: contains(matrix.analysis-kinds, 'code-quality')
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v6
        with:
          name: |
            quality-queries-${{ matrix.os }}-${{ matrix.version }}-${{ matrix.analysis-kinds }}.quality.sarif.json
          path: ${{ runner.temp }}/results/javascript.quality.sarif
          retention-days: 7
      - name: Upload post-processed SARIF
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v6
        with:
          name: |
            post-processed-${{ matrix.os }}-${{ matrix.version }}-${{ matrix.analysis-kinds }}.sarif.json
@@ -32,6 +32,11 @@ on:
        description: The version of Python to install
        required: false
        default: '3.13'
+      dotnet-version:
+        type: string
+        description: The version of .NET to install
+        required: false
+        default: 9.x
  workflow_call:
    inputs:
      go-version:
@@ -44,6 +49,11 @@ on:
        description: The version of Python to install
        required: false
        default: '3.13'
+      dotnet-version:
+        type: string
+        description: The version of .NET to install
+        required: false
+        default: 9.x
 defaults:
  run:
    shell: bash
@@ -69,7 +79,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -87,6 +97,10 @@ jobs:
        uses: actions/setup-python@v6
        with:
          python-version: ${{ inputs.python-version || '3.13' }}
+      - name: Install .NET
+        uses: actions/setup-dotnet@v5
+        with:
+          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - uses: ./../action/init
        with:
          tools: ${{ steps.prepare-test.outputs.tools-url }}
@@ -51,7 +51,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -47,7 +47,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -56,7 +56,7 @@ jobs:
          use-all-platform-bundle: 'false'
          setup-kotlin: 'true'
      - name: Set up Ruby
-        uses: ruby/setup-ruby@ab177d40ee5483edb974554986f56b33477e21d0 # v1.265.0
+        uses: ruby/setup-ruby@675dd7ba1b06c8786a1480d89c384f5620a42647 # v1.281.0
        with:
          ruby-version: 2.6
      - name: Install Code Scanning integration
@@ -57,7 +57,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -55,7 +55,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -27,6 +27,11 @@ on:
        description: The version of Go to install
        required: false
        default: '>=1.21.0'
+      dotnet-version:
+        type: string
+        description: The version of .NET to install
+        required: false
+        default: 9.x
  workflow_call:
    inputs:
      go-version:
@@ -34,6 +39,11 @@ on:
        description: The version of Go to install
        required: false
        default: '>=1.21.0'
+      dotnet-version:
+        type: string
+        description: The version of .NET to install
+        required: false
+        default: 9.x
 defaults:
  run:
    shell: bash
@@ -67,7 +77,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -80,6 +90,10 @@ jobs:
        with:
          go-version: ${{ inputs.go-version || '>=1.21.0' }}
          cache: false
+      - name: Install .NET
+        uses: actions/setup-dotnet@v5
+        with:
+          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - uses: ./../action/init
        with:
          config-file: .github/codeql/codeql-config-packaging3.yml
@@ -51,7 +51,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -52,7 +52,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -60,7 +60,7 @@ jobs:
          version: ${{ matrix.version }}
          use-all-platform-bundle: 'false'
          setup-kotlin: 'true'
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
      - uses: ./init
        with:
          languages: javascript
@@ -47,7 +47,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -27,6 +27,11 @@ on:
        description: The version of Go to install
        required: false
        default: '>=1.21.0'
+      dotnet-version:
+        type: string
+        description: The version of .NET to install
+        required: false
+        default: 9.x
  workflow_call:
    inputs:
      go-version:
@@ -34,6 +39,11 @@ on:
        description: The version of Go to install
        required: false
        default: '>=1.21.0'
+      dotnet-version:
+        type: string
+        description: The version of .NET to install
+        required: false
+        default: 9.x
 defaults:
  run:
    shell: bash
@@ -61,7 +71,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -74,6 +84,10 @@ jobs:
        with:
          go-version: ${{ inputs.go-version || '>=1.21.0' }}
          cache: false
+      - name: Install .NET
+        uses: actions/setup-dotnet@v5
+        with:
+          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - name: Use Xcode 16
        if: runner.os == 'macOS' && matrix.version != 'nightly-latest'
        run: sudo xcode-select -s "/Applications/Xcode_16.app"
@@ -32,6 +32,11 @@ on:
        description: The version of Python to install
        required: false
        default: '3.13'
+      dotnet-version:
+        type: string
+        description: The version of .NET to install
+        required: false
+        default: 9.x
  workflow_call:
    inputs:
      go-version:
@@ -44,6 +49,11 @@ on:
        description: The version of Python to install
        required: false
        default: '3.13'
+      dotnet-version:
+        type: string
+        description: The version of .NET to install
+        required: false
+        default: 9.x
 defaults:
  run:
    shell: bash
@@ -69,7 +79,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -87,6 +97,10 @@ jobs:
        uses: actions/setup-python@v6
        with:
          python-version: ${{ inputs.python-version || '3.13' }}
+      - name: Install .NET
+        uses: actions/setup-dotnet@v5
+        with:
+          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - uses: ./../action/init
        id: init
        with:
@@ -32,6 +32,11 @@ on:
        description: The version of Python to install
        required: false
        default: '3.13'
+      dotnet-version:
+        type: string
+        description: The version of .NET to install
+        required: false
+        default: 9.x
  workflow_call:
    inputs:
      go-version:
@@ -44,6 +49,11 @@ on:
        description: The version of Python to install
        required: false
        default: '3.13'
+      dotnet-version:
+        type: string
+        description: The version of .NET to install
+        required: false
+        default: 9.x
 defaults:
  run:
    shell: bash
@@ -67,7 +77,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -85,6 +95,10 @@ jobs:
        uses: actions/setup-python@v6
        with:
          python-version: ${{ inputs.python-version || '3.13' }}
+      - name: Install .NET
+        uses: actions/setup-dotnet@v5
+        with:
+          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - uses: ./../action/init
        with:
          tools: ${{ steps.prepare-test.outputs.tools-url }}
@@ -32,6 +32,11 @@ on:
        description: The version of Python to install
        required: false
        default: '3.13'
+      dotnet-version:
+        type: string
+        description: The version of .NET to install
+        required: false
+        default: 9.x
  workflow_call:
    inputs:
      go-version:
@@ -44,6 +49,11 @@ on:
        description: The version of Python to install
        required: false
        default: '3.13'
+      dotnet-version:
+        type: string
+        description: The version of .NET to install
+        required: false
+        default: 9.x
 defaults:
  run:
    shell: bash
@@ -74,7 +84,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -92,6 +102,10 @@ jobs:
        uses: actions/setup-python@v6
        with:
          python-version: ${{ inputs.python-version || '3.13' }}
+      - name: Install .NET
+        uses: actions/setup-dotnet@v5
+        with:
+          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - uses: ./../action/init
        with:
          tools: ${{ steps.prepare-test.outputs.tools-url }}
@@ -32,6 +32,11 @@ on:
        description: The version of Python to install
        required: false
        default: '3.13'
+      dotnet-version:
+        type: string
+        description: The version of .NET to install
+        required: false
+        default: 9.x
  workflow_call:
    inputs:
      go-version:
@@ -44,6 +49,11 @@ on:
        description: The version of Python to install
        required: false
        default: '3.13'
+      dotnet-version:
+        type: string
+        description: The version of .NET to install
+        required: false
+        default: 9.x
 defaults:
  run:
    shell: bash
@@ -67,7 +77,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -85,6 +95,10 @@ jobs:
        uses: actions/setup-python@v6
        with:
          python-version: ${{ inputs.python-version || '3.13' }}
+      - name: Install .NET
+        uses: actions/setup-dotnet@v5
+        with:
+          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - name: Delete original checkout
        run: |
          # delete the original checkout so we don't accidentally use it.
@@ -93,7 +107,7 @@ jobs:
          rm -rf ./* .github .git
  # Check out the actions repo again, but at a different location.
  # choose an arbitrary SHA so that we can later test that the commit_oid is not from main
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
        with:
          ref: 474bbf07f9247ffe1856c6a0f94aeeb10e7afee6
          path: x/y/z/some-path
@@ -15,14 +15,14 @@ defaults:

 jobs:
  check-expected-release-files:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-slim

    permissions:
      contents: read

    steps:
      - name: Checkout CodeQL Action
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
      - name: Check Expected Release Files
        run: |
          bundle_version="$(cat "./src/defaults.json" | jq -r ".bundleVersion")"
@@ -4,7 +4,6 @@ on:
  push:
    branches: [main, releases/v*]
  pull_request:
-    branches: [main, releases/v*]
    # Run checks on reopened draft PRs to support triggering PR checks on draft PRs that were opened
    # by other workflows.
    types: [opened, synchronize, reopened, ready_for_review]
@@ -32,7 +31,7 @@ jobs:
      contents: read

    steps:
-    - uses: actions/checkout@v5
+    - uses: actions/checkout@v6
    - name: Init with default CodeQL bundle from the VM image
      id: init-default
      uses: ./init
@@ -81,7 +80,7 @@ jobs:
    strategy:
      fail-fast: false
      matrix:
-        os: [ubuntu-22.04,ubuntu-24.04,windows-2022,windows-2025,macos-13,macos-14,macos-15]
+        os: [ubuntu-22.04,ubuntu-24.04,windows-2022,windows-2025,macos-14,macos-15]
        tools: ${{ fromJson(needs.check-codeql-versions.outputs.versions) }}
    runs-on: ${{ matrix.os }}

@@ -91,7 +90,7 @@ jobs:

    steps:
    - name: Checkout
-      uses: actions/checkout@v5
+      uses: actions/checkout@v6
    - name: Initialize CodeQL
      uses: ./init
      id: init
@@ -128,7 +127,7 @@ jobs:

    steps:
    - name: Checkout
-      uses: actions/checkout@v5
+      uses: actions/checkout@v6
    - name: Initialize CodeQL
      uses: ./init
      with:
@@ -6,6 +6,11 @@ env:
  # Diff informed queries add an additional query filter which is not yet
  # taken into account by these tests.
  CODEQL_ACTION_DIFF_INFORMED_QUERIES: false
+  # Specify overlay enablement manually to ensure stability around the exclude-from-incremental
+  # query filter. Here we only enable for the default code scanning suite.
+  CODEQL_ACTION_OVERLAY_ANALYSIS: true
+  CODEQL_ACTION_OVERLAY_ANALYSIS_JAVASCRIPT: false
+  CODEQL_ACTION_OVERLAY_ANALYSIS_CODE_SCANNING_JAVASCRIPT: true

 on:
  push:
@@ -53,7 +58,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
    - name: Check out repository
-      uses: actions/checkout@v5
+      uses: actions/checkout@v6

    - name: Set up Node.js
      uses: actions/setup-node@v6
@@ -70,13 +75,33 @@ jobs:
      with:
        version: ${{ matrix.version }}

-    - name: Empty file
+    # On PRs, overlay analysis may change the config that is passed to the CLI.
+    # Therefore, we have two variants of the following test, one for PRs and one for other events.
+    - name: Empty file (non-PR)
+      if: github.event_name != 'pull_request'
      uses: ./../action/.github/actions/check-codescanning-config
      with:
        expected-config-file-contents: "{}"
        languages: javascript
        tools: ${{ steps.prepare-test.outputs.tools-url }}

+    - name: Empty file (PR)
+      if: github.event_name == 'pull_request'
+      uses: ./../action/.github/actions/check-codescanning-config
+      with:
+        expected-config-file-contents: |
+          {
+            "query-filters": [
+              {
+                "exclude": {
+                  "tags": "exclude-from-incremental"
+                }
+              }
+            ]
+          }
+        languages: javascript
+        tools: ${{ steps.prepare-test.outputs.tools-url }}
+
    - name: Packs from input
      if: success() || failure()
      uses: ./../action/.github/actions/check-codescanning-config
@@ -45,7 +45,7 @@ jobs:
      - name: Dump GitHub event
        run: cat "${GITHUB_EVENT_PATH}"
      - name: Check out repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -54,6 +54,12 @@ jobs:
      - uses: actions/setup-go@v6
        with:
          go-version: ^1.13.1
+      - name: Install .NET
+        uses: actions/setup-dotnet@v5
+        with:
+          dotnet-version: '9.x'
+      - name: Assert best-effort artifact scan completed
+        uses: ./../action/.github/actions/verify-debug-artifact-scan-completed
      - uses: ./../action/init
        with:
          tools: ${{ steps.prepare-test.outputs.tools-url }}
@@ -79,7 +85,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Download all artifacts
-        uses: actions/download-artifact@v5
+        uses: actions/download-artifact@v7
      - name: Check expected artifacts exist
        run: |
          LANGUAGES="cpp csharp go java javascript python"
@@ -41,7 +41,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Check out repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -50,6 +50,12 @@ jobs:
      - uses: actions/setup-go@v6
        with:
          go-version: ^1.13.1
+      - name: Install .NET
+        uses: actions/setup-dotnet@v5
+        with:
+          dotnet-version: '9.x'
+      - name: Assert best-effort artifact scan completed
+        uses: ./../action/.github/actions/verify-debug-artifact-scan-completed
      - uses: ./../action/init
        id: init
        with:
@@ -73,7 +79,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Download all artifacts
-        uses: actions/download-artifact@v5
+        uses: actions/download-artifact@v7
      - name: Check expected artifacts exist
        run: |
          VERSIONS="stable-v2.20.3 default linked nightly-latest"
@@ -16,7 +16,7 @@ permissions:
 jobs:
  sizeup:
    name: Label PR with size
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-slim

    steps:
      - name: Run sizeup
@@ -24,7 +24,7 @@ defaults:

 jobs:
  merge-back:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-slim
    environment: Automation
    if: github.repository == 'github/codeql-action'
    env:
@@ -44,10 +44,13 @@ jobs:
          GITHUB_CONTEXT: '${{ toJson(github) }}'
        run: echo "${GITHUB_CONTEXT}"

-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
        with:
          fetch-depth: 0  # ensure we have all tags and can push commits
      - uses: actions/setup-node@v6
+      - uses: actions/setup-python@v6
+        with:
+          python-version: '3.12'

      - name: Update git config
        run: |
@@ -128,18 +131,8 @@ jobs:
          cat $PARTIAL_CHANGELOG
          echo "::endgroup::"

-      - name: Create mergeback branch and PR
-        if: ${{ steps.check.outputs.exists != 'true' && endsWith(github.ref_name, steps.getVersion.outputs.latest_release_branch) }}
-        uses: ./.github/actions/prepare-mergeback-branch
-        with:
-          base: "${{ env.BASE_BRANCH }}"
-          head: "${{ env.HEAD_BRANCH }}"
-          branch: "${{ steps.getVersion.outputs.newBranch }}"
-          version: "${{ steps.getVersion.outputs.version }}"
-          token: "${{ secrets.GITHUB_TOKEN }}"
-
      - name: Generate token
-        uses: actions/create-github-app-token@v2.1.4
+        uses: actions/create-github-app-token@v2.2.1
        id: app-token
        with:
          app-id: ${{ vars.AUTOMATION_APP_ID }}
@@ -158,3 +151,13 @@ jobs:
            --latest=false \
            --title "$VERSION" \
            --notes-file "$PARTIAL_CHANGELOG"
+
+      - name: Create mergeback branch and PR
+        if: ${{ endsWith(github.ref_name, steps.getVersion.outputs.latest_release_branch) }}
+        uses: ./.github/actions/prepare-mergeback-branch
+        with:
+          base: "${{ env.BASE_BRANCH }}"
+          head: "${{ env.HEAD_BRANCH }}"
+          branch: "${{ steps.getVersion.outputs.newBranch }}"
+          version: "${{ steps.getVersion.outputs.version }}"
+          token: "${{ secrets.GITHUB_TOKEN }}"
@@ -32,7 +32,7 @@ jobs:
        if: runner.os == 'Windows'
        run: git config --global core.autocrlf false

-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6

      - name: Set up Node.js
        uses: actions/setup-node@v6
@@ -91,7 +91,7 @@ jobs:
      contents: read

    steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
      - id: head-version
        name: Verify all Actions use the same Node version
        run: |
@@ -106,7 +106,7 @@ jobs:
      - id: checkout-base
        name: 'Backport: Check out base ref'
        if: ${{ startsWith(github.head_ref, 'backport-') }}
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
        with:
          ref: ${{ env.BASE_REF }}

@@ -29,7 +29,7 @@ defaults:
 jobs:
  prepare:
    name: "Prepare release"
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-slim
    if: github.repository == 'github/codeql-action'

    permissions:
@@ -44,7 +44,7 @@ jobs:

    steps:
      - name: Checkout repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
        with:
          fetch-depth: 0 # Need full history for calculation of diffs

@@ -1,8 +1,10 @@
 name: 'Publish Immutable Action Version'

 on:
-  release:
-    types: [published]
+  push:
+    tags:
+      # Match version tags, but not the major version tags.
+      - 'v[0-9]+.**'

 defaults:
  run:
@@ -10,30 +12,16 @@ defaults:

 jobs:
  publish:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-slim
    permissions:
      contents: read
      id-token: write
      packages: write

    steps:
-      - name: Check release name
-        id: check
-        env:
-          RELEASE_NAME: ${{ github.event.release.name }}
-        run: |
-          echo "Release name: ${{ github.event.release.name }}"
-          if [[ $RELEASE_NAME == v* ]]; then
-            echo "This is a CodeQL Action release. Create an Immutable Action"
-            echo "is-action-release=true" >> $GITHUB_OUTPUT
-          else
-            echo "This is a CodeQL Bundle release. Do not create an Immutable Action"
-            echo "is-action-release=false" >> $GITHUB_OUTPUT
-          fi
-      - name: Checking out
-        if: steps.check.outputs.is-action-release == 'true'
-        uses: actions/checkout@v5
-      - name: Publish
-        if: steps.check.outputs.is-action-release == 'true'
+      - name: Checkout repository
+        uses: actions/checkout@v6
+
+      - name: Publish immutable release
        id: publish
        uses: actions/publish-immutable-action@v0.0.4
@@ -31,7 +31,7 @@ jobs:
      with:
        python-version: 3.12

-    - uses: actions/checkout@v5
+    - uses: actions/checkout@v6

    - name: Prepare test
      uses: ./.github/actions/prepare-test
@@ -29,7 +29,7 @@ jobs:
      contents: read # This permission is needed to allow the GitHub Actions workflow to read the contents of the repository.
    steps:
    - name: Check out repository
-      uses: actions/checkout@v5
+      uses: actions/checkout@v6

    - name: Install Node.js
      uses: actions/setup-node@v6
@@ -24,7 +24,7 @@ jobs:
      pull-requests: write # needed to comment on the PR
    steps:
      - name: Checkout
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
        with:
          fetch-depth: 0
          ref: ${{ env.HEAD_REF }}
@@ -52,7 +52,7 @@ jobs:

    steps:
      - name: Checkout repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
        with:
          fetch-depth: 0 # Need full history for calculation of diffs

@@ -137,7 +137,7 @@ jobs:

      - name: Generate token
        if: github.event_name == 'workflow_dispatch'
-        uses: actions/create-github-app-token@v2.1.4
+        uses: actions/create-github-app-token@v2.2.1
        id: app-token
        with:
          app-id: ${{ vars.AUTOMATION_APP_ID }}
@@ -0,0 +1,18 @@
+import os
+import re
+
+# Get the PR number from the PR URL.
+pr_number = os.environ['PR_URL'].split('/')[-1]
+changelog_note = f"- Update default CodeQL bundle version to {os.environ['CLI_VERSION']}. [#{pr_number}]({os.environ['PR_URL']})"
+
+# If the "[UNRELEASED]" section starts with "no user facing changes", remove that line.
+with open('CHANGELOG.md', 'r') as f:
+    changelog = f.read()
+
+changelog = changelog.replace('## [UNRELEASED]\n\nNo user facing changes.', '## [UNRELEASED]\n')
+
+# Add the changelog note to the bottom of the "[UNRELEASED]" section.
+changelog = re.sub(r'\n## (\d+\.\d+\.\d+)', f'{changelog_note}\n\n## \\1', changelog, count=1)
+
+with open('CHANGELOG.md', 'w') as f:
+    f.write(changelog)
@@ -29,7 +29,7 @@ fi
 echo "Getting checks for $GITHUB_SHA"

 # Ignore any checks with "https://", CodeQL, LGTM, Update, and ESLint checks.
-CHECKS="$(gh api repos/github/codeql-action/commits/"${GITHUB_SHA}"/check-runs --paginate | jq --slurp --compact-output --raw-output '[.[].check_runs.[] | select(.conclusion != "skipped") | .name | select(contains("https://") or . == "CodeQL" or . == "Dependabot" or . == "check-expected-release-files" or contains("Update") or contains("ESLint") or contains("update") or contains("test-setup-python-scripts") | not)] | unique | sort')"
+CHECKS="$(gh api repos/github/codeql-action/commits/"${GITHUB_SHA}"/check-runs --paginate | jq --slurp --compact-output --raw-output '[.[].check_runs.[] | select(.conclusion != "skipped") | .name | select(contains("https://") or . == "CodeQL" or . == "Dependabot" or . == "check-expected-release-files" or contains("Update") or contains("ESLint") or contains("update") or contains("test-setup-python-scripts") or . == "Agent" or . == "Cleanup artifacts" or . == "Prepare" or . == "Upload results" | not)] | unique | sort')"

 echo "$CHECKS" | jq

@@ -36,13 +36,17 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
    - name: Check out repository
-      uses: actions/checkout@v5
+      uses: actions/checkout@v6
    - name: Prepare test
      id: prepare-test
      uses: ./.github/actions/prepare-test
      with:
        version: ${{ matrix.version }}
        use-all-platform-bundle: true
+    - name: Install .NET
+      uses: actions/setup-dotnet@v5
+      with:
+        dotnet-version: '9.x'
    - id: init
      uses: ./../action/init
      with:
@@ -20,7 +20,7 @@ defaults:
 jobs:
  update-bundle:
    if: github.event.release.prerelease && startsWith(github.event.release.tag_name, 'codeql-bundle-')
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-slim
    permissions:
      contents: write # needed to push commits
      pull-requests: write # needed to create pull requests
@@ -33,13 +33,18 @@ jobs:
          GITHUB_CONTEXT: '${{ toJson(github) }}'
        run: echo "$GITHUB_CONTEXT"

-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6

      - name: Update git config
        run: |
          git config --global user.email "41898282+github-actions[bot]@users.noreply.github.com"
          git config --global user.name "github-actions[bot]"

+      - name: Set up Python
+        uses: actions/setup-python@v6
+        with:
+          python-version: '3.12'
+
      - name: Set up Node.js
        uses: actions/setup-node@v6
        with:
@@ -78,28 +83,8 @@ jobs:
          echo "PR_URL=$pr_url" | tee -a "$GITHUB_ENV"

      - name: Create changelog note
-        shell: python
        run: |
-          import os
-          import re
-
-          # Get the PR number from the PR URL.
-          pr_number = os.environ['PR_URL'].split('/')[-1]
-          changelog_note = f"- Update default CodeQL bundle version to {os.environ['CLI_VERSION']}. [#{pr_number}]({os.environ['PR_URL']})"
-
-          # If the "[UNRELEASED]" section starts with "no user facing changes", remove that line.
-          # Use perl to avoid having to escape the newline character.
-
-          with open('CHANGELOG.md', 'r') as f:
-              changelog = f.read()
-
-          changelog = changelog.replace('## [UNRELEASED]\n\nNo user facing changes.', '## [UNRELEASED]\n')
-
-          # Add the changelog note to the bottom of the "[UNRELEASED]" section.
-          changelog = re.sub(r'\n## (\d+\.\d+\.\d+)', f'{changelog_note}\n\n## \\1', changelog, count=1)
-
-          with open('CHANGELOG.md', 'w') as f:
-              f.write(changelog)
+          python .github/workflows/script/bundle_changelog.py

      - name: Push changelog note
        run: |
@@ -26,7 +26,7 @@ jobs:

  update:
    timeout-minutes: 45
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-slim
    if: github.event_name == 'workflow_dispatch'
    needs: [prepare]
    env:
@@ -38,7 +38,7 @@ jobs:
      contents: write # needed to push commits
      pull-requests: write # needed to create pull request
    steps:
-    - uses: actions/checkout@v5
+    - uses: actions/checkout@v6
      with:
        fetch-depth: 0  # Need full history for calculation of diffs
    - uses: ./.github/actions/release-initialise
@@ -77,7 +77,7 @@ jobs:

  backport:
    timeout-minutes: 45
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-slim
    environment: Automation
    needs: [prepare]
    if: ${{ (github.event_name == 'push') && needs.prepare.outputs.backport_target_branches != '[]' }}
@@ -93,14 +93,14 @@ jobs:
      pull-requests: write # needed to create pull request
    steps:
    - name: Generate token
-      uses: actions/create-github-app-token@v2.1.4
+      uses: actions/create-github-app-token@v2.2.1
      id: app-token
      with:
        app-id: ${{ vars.AUTOMATION_APP_ID }}
        private-key: ${{ secrets.AUTOMATION_PRIVATE_KEY }}

    - name: Checkout
-      uses: actions/checkout@v5
+      uses: actions/checkout@v6
      with:
        fetch-depth: 0  # Need full history for calculation of diffs
        token: ${{ steps.app-token.outputs.token }}
@@ -4,12 +4,18 @@ on:
  schedule:
    - cron: "0 0 * * *"
  workflow_dispatch:
+  pull_request:
+    branches:
+      - main
+    paths:
+      - .github/workflows/update-supported-enterprise-server-versions.yml
+      - .github/workflows/update-supported-enterprise-server-versions/update.py

 jobs:
  update-supported-enterprise-server-versions:
    name: Update Supported Enterprise Server Versions
    timeout-minutes: 45
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-slim
    if: github.repository == 'github/codeql-action'
    permissions:
      contents: write # needed to push commits
@@ -21,13 +27,14 @@ jobs:
        with:
          python-version: "3.13"
      - name: Checkout CodeQL Action
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
      - name: Checkout Enterprise Releases
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
        with:
          repository: github/enterprise-releases
          token: ${{ secrets.ENTERPRISE_RELEASE_TOKEN }}
          path: ${{ github.workspace }}/enterprise-releases/
+          sparse-checkout: releases.json
      - name: Update Supported Enterprise Server Versions
        run: |
          cd ./.github/workflows/update-supported-enterprise-server-versions/
@@ -35,6 +42,7 @@ jobs:
          pipenv install
          pipenv run ./update.py
          rm --recursive "$ENTERPRISE_RELEASES_PATH"
+          npm ci
          npm run build
        env:
          ENTERPRISE_RELEASES_PATH: ${{ github.workspace }}/enterprise-releases/
@@ -44,25 +52,33 @@ jobs:
          git config --global user.email "41898282+github-actions[bot]@users.noreply.github.com"
          git config --global user.name "github-actions[bot]"

-      - name: Commit changes and open PR
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      - name: Commit changes
+        id: prepare-commit
        run: |
          if [[ -z $(git status --porcelain) ]]; then
            echo "No changes to commit"
+            echo "committed=false" >> $GITHUB_OUTPUT
          else
            git checkout -b update-supported-enterprise-server-versions
            git add .
            git commit --message "Update supported GitHub Enterprise Server versions"
-            git push origin update-supported-enterprise-server-versions

-            body="This PR updates the list of supported GitHub Enterprise Server versions, either because a new "
-            body+="version is about to be feature frozen, or because an old release has been deprecated."
-            body+=$'\n\n'
-            body+="If an old release has been deprecated, please follow the instructions in CONTRIBUTING.md to "
-            body+="deprecate the corresponding version of CodeQL."
-
-            gh pr create --draft \
-              --title "Update supported GitHub Enterprise Server versions" \
-              --body "$body"
+            echo "committed=true" >> $GITHUB_OUTPUT
          fi
+
+      - name: Open PR
+        if: github.event_name != 'pull_request' && steps.prepare-commit.outputs.committed == 'true'
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          git push origin update-supported-enterprise-server-versions
+
+          body="This PR updates the list of supported GitHub Enterprise Server versions, either because a new "
+          body+="version is about to be feature frozen, or because an old release has been deprecated."
+          body+=$'\n\n'
+          body+="If an old release has been deprecated, please follow the instructions in CONTRIBUTING.md to "
+          body+="deprecate the corresponding version of CodeQL."
+
+          gh pr create --draft \
+            --title "Update supported GitHub Enterprise Server versions" \
+            --body "$body"
@@ -6,6 +6,51 @@ See the [releases page](https://github.com/github/codeql-action/releases) for th

 No user facing changes.

+## v4.31.11 - 19 Jan 2026
+
+This release rolls back 4.31.10 due to issues with that release. It is identical to 0.0.0.
+
+## 4.31.10 - 12 Jan 2026
+
+- Update default CodeQL bundle version to 2.23.9. [#3393](https://github.com/github/codeql-action/pull/3393)
+
+## 4.31.9 - 16 Dec 2025
+
+No user facing changes.
+
+## 4.31.8 - 11 Dec 2025
+
+- Update default CodeQL bundle version to 2.23.8. [#3354](https://github.com/github/codeql-action/pull/3354)
+
+## 4.31.7 - 05 Dec 2025
+
+- Update default CodeQL bundle version to 2.23.7. [#3343](https://github.com/github/codeql-action/pull/3343)
+
+## 4.31.6 - 01 Dec 2025
+
+No user facing changes.
+
+## 4.31.5 - 24 Nov 2025
+
+- Update default CodeQL bundle version to 2.23.6. [#3321](https://github.com/github/codeql-action/pull/3321)
+
+## 4.31.4 - 18 Nov 2025
+
+No user facing changes.
+
+## 4.31.3 - 13 Nov 2025
+
+- CodeQL Action v3 will be deprecated in December 2026.  The Action now logs a warning for customers who are running v3 but could be running v4. For more information, see [Upcoming deprecation of CodeQL Action v3](https://github.blog/changelog/2025-10-28-upcoming-deprecation-of-codeql-action-v3/).
+- Update default CodeQL bundle version to 2.23.5. [#3288](https://github.com/github/codeql-action/pull/3288)
+
+## 4.31.2 - 30 Oct 2025
+
+No user facing changes.
+
+## 4.31.1 - 30 Oct 2025
+
+- The `add-snippets` input has been removed from the `analyze` action. This input has been deprecated since CodeQL Action 3.26.4 in August 2024 when this removal was announced.
+
 ## 4.31.0 - 24 Oct 2025

 - Bump minimum CodeQL bundle version to 2.17.6. [#3223](https://github.com/github/codeql-action/pull/3223)
@@ -1065,3 +1110,4 @@ No user facing changes.
 - Add this changelog file. [#507](https://github.com/github/codeql-action/pull/507)
 - Improve grouping of analysis logs. Add a new log group containing a summary of metrics and diagnostics, if they were produced by CodeQL builtin queries. [#515](https://github.com/github/codeql-action/pull/515)
 - Add metrics and diagnostics summaries from custom query suites to the analysis summary log group. [#532](https://github.com/github/codeql-action/pull/532)
+
@@ -32,14 +32,10 @@ inputs:
      and 13GB for macOS).
    required: false
  add-snippets:
-    description: Specify whether or not to add code snippets to the output sarif file.
+    description: Does not have any effect.
    required: false
-    default: "false"
    deprecationMessage: >-
-      The input "add-snippets" is deprecated and will be removed on the first release in August 2025.
-      When this input is set to true it is expected to add code snippets with an alert to the SARIF file.
-      However, since Code Scanning ignores code snippets provided as part of a SARIF file this is currently
-      a no operation. No alternative is available.
+      The input "add-snippets" has been removed and no longer has any effect.
  skip-queries:
    description: If this option is set, the CodeQL database will be built but no queries will be run on it. Thus, no results will be produced.
    required: false
@@ -12,6 +12,7 @@ import filenames from "eslint-plugin-filenames";
 import github from "eslint-plugin-github";
 import _import from "eslint-plugin-import";
 import noAsyncForeach from "eslint-plugin-no-async-foreach";
+import jsdoc from "eslint-plugin-jsdoc";
 import globals from "globals";

 const __filename = fileURLToPath(import.meta.url);
@@ -52,6 +53,7 @@ export default [
      github: fixupPluginRules(github),
      import: fixupPluginRules(_import),
      "no-async-foreach": noAsyncForeach,
+      "jsdoc": jsdoc,
    },

    languageOptions: {
@@ -133,6 +135,16 @@ export default [
      "@typescript-eslint/no-shadow": "error",
      "@typescript-eslint/prefer-optional-chain": "error",
      "one-var": ["error", "never"],
+
+      // Check param names to ensure that we don't have outdated JSDocs.
+      "jsdoc/check-param-names": [
+        "error",
+        {
+          // We don't currently require full JSDoc coverage, so this rule
+          // should not error on missing @param annotations.
+          disableMissingParamChecks: true,
+        }
+      ],
    },
  },
  {
@@ -1,6 +1,6 @@
 {
-  "bundleVersion": "codeql-bundle-v2.23.3",
-  "cliVersion": "2.23.3",
-  "priorBundleVersion": "codeql-bundle-v2.23.2",
-  "priorCliVersion": "2.23.2"
+  "bundleVersion": "codeql-bundle-v2.23.9",
+  "cliVersion": "2.23.9",
+  "priorBundleVersion": "codeql-bundle-v2.23.8",
+  "priorCliVersion": "2.23.8"
 }
@@ -1,6 +1,6 @@
 {
  "name": "codeql",
-  "version": "4.31.1",
+  "version": "4.31.12",
  "private": true,
  "description": "CodeQL action",
  "scripts": {
@@ -24,62 +24,57 @@
  },
  "license": "MIT",
  "dependencies": {
-    "@actions/artifact": "^2.3.1",
+    "@actions/artifact": "^5.0.2",
    "@actions/artifact-legacy": "npm:@actions/artifact@^1.1.2",
-    "@actions/cache": "^4.1.0",
-    "@actions/core": "^1.11.1",
-    "@actions/exec": "^1.1.1",
-    "@actions/github": "^6.0.0",
+    "@actions/cache": "^5.0.2",
+    "@actions/core": "^2.0.2",
+    "@actions/exec": "^2.0.0",
+    "@actions/github": "^6.0.1",
    "@actions/glob": "^0.5.0",
-    "@actions/http-client": "^2.2.3",
-    "@actions/io": "^1.1.3",
-    "@actions/tool-cache": "^2.0.2",
+    "@actions/http-client": "^3.0.0",
+    "@actions/io": "^2.0.0",
+    "@actions/tool-cache": "^3.0.0",
    "@octokit/plugin-retry": "^6.0.0",
-    "@octokit/request-error": "^7.0.1",
    "@schemastore/package": "0.0.10",
    "archiver": "^7.0.1",
-    "check-disk-space": "^3.4.0",
-    "console-log-level": "^1.4.1",
-    "del": "^8.0.0",
    "fast-deep-equal": "^3.1.3",
    "follow-redirects": "^1.15.11",
    "get-folder-size": "^5.0.0",
-    "js-yaml": "^4.1.0",
+    "js-yaml": "^4.1.1",
    "jsonschema": "1.4.1",
    "long": "^5.3.2",
-    "node-forge": "^1.3.1",
-    "octokit": "^5.0.4",
+    "node-forge": "^1.3.3",
    "semver": "^7.7.3",
    "uuid": "^13.0.0"
  },
  "devDependencies": {
    "@ava/typescript": "6.0.0",
-    "@eslint/compat": "^1.4.0",
-    "@eslint/eslintrc": "^3.3.1",
-    "@eslint/js": "^9.38.0",
+    "@eslint/compat": "^2.0.1",
+    "@eslint/eslintrc": "^3.3.3",
+    "@eslint/js": "^9.39.2",
    "@microsoft/eslint-formatter-sarif": "^3.1.0",
-    "@octokit/types": "^15.0.0",
-    "@types/archiver": "^6.0.3",
-    "@types/console-log-level": "^1.4.5",
+    "@octokit/types": "^16.0.0",
+    "@types/archiver": "^7.0.0",
    "@types/follow-redirects": "^1.14.4",
    "@types/js-yaml": "^4.0.9",
-    "@types/node": "20.19.9",
+    "@types/node": "^20.19.9",
    "@types/node-forge": "^1.3.14",
    "@types/semver": "^7.7.1",
-    "@types/sinon": "^17.0.4",
-    "@typescript-eslint/eslint-plugin": "^8.46.1",
-    "@typescript-eslint/parser": "^8.41.0",
+    "@types/sinon": "^21.0.0",
+    "@typescript-eslint/eslint-plugin": "^8.53.0",
+    "@typescript-eslint/parser": "^8.48.0",
    "ava": "^6.4.1",
-    "esbuild": "^0.25.11",
+    "esbuild": "^0.27.2",
    "eslint": "^8.57.1",
    "eslint-import-resolver-typescript": "^3.8.7",
    "eslint-plugin-filenames": "^1.3.2",
    "eslint-plugin-github": "^5.1.8",
    "eslint-plugin-import": "2.29.1",
+    "eslint-plugin-jsdoc": "^62.0.0",
    "eslint-plugin-no-async-foreach": "^0.1.1",
-    "glob": "^11.0.3",
+    "glob": "^11.1.0",
    "nock": "^14.0.10",
-    "sinon": "^21.0.0",
+    "sinon": "^21.0.1",
    "typescript": "^5.9.3"
  },
  "overrides": {
@@ -101,6 +96,7 @@
    "eslint-plugin-jsx-a11y": {
      "semver": ">=6.3.1"
    },
-    "brace-expansion@2.0.1": "2.0.2"
+    "brace-expansion@2.0.1": "2.0.2",
+    "glob": "^11.1.0"
  }
 }
@@ -4,6 +4,7 @@ operatingSystems: ["ubuntu", "macos", "windows"]
 versions: ["nightly-latest"]
 useAllPlatformBundle: "true"
 installGo: true
+installDotNet: true
 steps:
  - id: init
    uses: ./../action/init
--- a/Show More
+++ b/Show More