Generate UserConfig from schema ... ish

Add command for turning JSON schemas into TypeScript typings
2026-05-12 08:40:13 +00:00 · 2025-10-17 16:19:12 +01:00 · 2025-10-17 16:12:28 +01:00
137 changed files with 78621 additions and 75665 deletions
@@ -16,9 +16,9 @@ runs:
      shell: bash

    - name: Set up Python
-      uses: actions/setup-python@v6
+      uses: actions/setup-python@v5
      with:
-        python-version: '3.12'
+        python-version: 3.12

    - name: Install dependencies
      run: |
@@ -1,55 +0,0 @@
-labeling:
-  applyCategoryLabels: true
-  categoryLabelPrefix: "size/"
-
-commenting:
-  addCommentWhenScoreThresholdHasBeenExceeded: false
-
-sizeup:
-  categories:
-    - name: extra small
-      lte: 25
-      label:
-        name: XS
-        description: Should be very easy to review
-        color: 3cbf00
-    - name: small
-      lte: 100
-      label:
-        name: S
-        description: Should be easy to review
-        color: 5d9801
-    - name: medium
-      lte: 250
-      label:
-        name: M
-        description: Should be of average difficulty to review
-        color: 7f7203
-    - name: large
-      lte: 500
-      label:
-        name: L
-        description: May be hard to review
-        color: a14c05
-    - name: extra large
-      lte: 1000
-      label:
-        name: XL
-        description: May be very hard to review
-        color: c32607
-    - name: extra extra large
-      label:
-        name: XXL
-        description: May be extremely hard to review
-        color: e50009
-  ignoredFilePatterns:
-    - ".github/workflows/__*"
-    - "lib/**/*"
-    - "package-lock.json"
-  testFilePatterns:
-    - "**/*.test.ts"
-  scoring:
-    # This formula and the aliases below it are written in prefix notation.
-    # For an explanation of how this works, please see:
-    # https://github.com/lerebear/sizeup-core/blob/main/README.md#prefix-notation
-    formula: "- - + additions deletions comments whitespace"
@@ -27,11 +27,6 @@ on:
        description: The version of Go to install
        required: false
        default: '>=1.21.0'
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
  workflow_call:
    inputs:
      go-version:
@@ -39,11 +34,6 @@ on:
        description: The version of Go to install
        required: false
        default: '>=1.21.0'
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
 defaults:
  run:
    shell: bash
@@ -84,10 +74,6 @@ jobs:
        with:
          go-version: ${{ inputs.go-version || '>=1.21.0' }}
          cache: false
-      - name: Install .NET
-        uses: actions/setup-dotnet@v5
-        with:
-          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - id: init
        uses: ./../action/init
        with:
@@ -32,11 +32,6 @@ on:
        description: The version of Python to install
        required: false
        default: '3.13'
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
  workflow_call:
    inputs:
      go-version:
@@ -49,11 +44,6 @@ on:
        description: The version of Python to install
        required: false
        default: '3.13'
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
 defaults:
  run:
    shell: bash
@@ -95,10 +85,6 @@ jobs:
        uses: actions/setup-python@v6
        with:
          python-version: ${{ inputs.python-version || '3.13' }}
-      - name: Install .NET
-        uses: actions/setup-dotnet@v5
-        with:
-          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - uses: ./../action/init
        with:
          tools: ${{ steps.prepare-test.outputs.tools-url }}
@@ -21,19 +21,9 @@ on:
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
-    inputs:
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
+    inputs: {}
  workflow_call:
-    inputs:
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
+    inputs: {}
 defaults:
  run:
    shell: bash
@@ -69,10 +59,6 @@ jobs:
          version: ${{ matrix.version }}
          use-all-platform-bundle: 'false'
          setup-kotlin: 'true'
-      - name: Install .NET
-        uses: actions/setup-dotnet@v5
-        with:
-          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - uses: ./../action/init
        with:
          languages: csharp
@@ -27,11 +27,6 @@ on:
        description: The version of Go to install
        required: false
        default: '>=1.21.0'
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
  workflow_call:
    inputs:
      go-version:
@@ -39,11 +34,6 @@ on:
        description: The version of Go to install
        required: false
        default: '>=1.21.0'
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
 defaults:
  run:
    shell: bash
@@ -80,10 +70,6 @@ jobs:
        with:
          go-version: ${{ inputs.go-version || '>=1.21.0' }}
          cache: false
-      - name: Install .NET
-        uses: actions/setup-dotnet@v5
-        with:
-          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - uses: ./../action/init
        id: init
        with:
@@ -79,7 +79,7 @@ jobs:
          output: ${{ runner.temp }}/results
          upload-database: false
      - name: Upload SARIF
-        uses: actions/upload-artifact@v5
+        uses: actions/upload-artifact@v4
        with:
          name: ${{ matrix.os }}-zstd-bundle.sarif
          path: ${{ runner.temp }}/results/javascript.sarif
@@ -67,7 +67,7 @@ jobs:
          output: ${{ runner.temp }}/results
          upload-database: false
      - name: Upload SARIF
-        uses: actions/upload-artifact@v5
+        uses: actions/upload-artifact@v4
        with:
          name: config-export-${{ matrix.os }}-${{ matrix.version }}.sarif.json
          path: ${{ runner.temp }}/results/javascript.sarif
@@ -49,7 +49,7 @@ jobs:
      - name: Check out repository
        uses: actions/checkout@v5
      - name: Install Node.js
-        uses: actions/setup-node@v6
+        uses: actions/setup-node@v5
        with:
          node-version: 20.x
          cache: npm
@@ -78,7 +78,7 @@ jobs:
          output: ${{ runner.temp }}/results
          upload-database: false
      - name: Upload SARIF
-        uses: actions/upload-artifact@v5
+        uses: actions/upload-artifact@v4
        with:
          name: diagnostics-export-${{ matrix.os }}-${{ matrix.version }}.sarif.json
          path: ${{ runner.temp }}/results/javascript.sarif
@@ -27,11 +27,6 @@ on:
        description: The version of Go to install
        required: false
        default: '>=1.21.0'
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
  workflow_call:
    inputs:
      go-version:
@@ -39,11 +34,6 @@ on:
        description: The version of Go to install
        required: false
        default: '>=1.21.0'
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
 defaults:
  run:
    shell: bash
@@ -84,10 +74,6 @@ jobs:
        with:
          go-version: ${{ inputs.go-version || '>=1.21.0' }}
          cache: false
-      - name: Install .NET
-        uses: actions/setup-dotnet@v5
-        with:
-          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - uses: ./../action/init
        id: init
        with:
@@ -99,7 +85,7 @@ jobs:
        with:
          output: ${{ runner.temp }}/results
      - name: Upload SARIF
-        uses: actions/upload-artifact@v5
+        uses: actions/upload-artifact@v4
        with:
          name: with-baseline-information-${{ matrix.os }}-${{ matrix.version }}.sarif.json
          path: ${{ runner.temp }}/results/javascript.sarif
@@ -27,11 +27,6 @@ on:
        description: The version of Go to install
        required: false
        default: '>=1.21.0'
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
  workflow_call:
    inputs:
      go-version:
@@ -39,11 +34,6 @@ on:
        description: The version of Go to install
        required: false
        default: '>=1.21.0'
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
 defaults:
  run:
    shell: bash
@@ -82,10 +72,6 @@ jobs:
        with:
          go-version: ${{ inputs.go-version || '>=1.21.0' }}
          cache: false
-      - name: Install .NET
-        uses: actions/setup-dotnet@v5
-        with:
-          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - uses: ./../action/init
        with:
          languages: go
@@ -8,6 +8,9 @@ env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  GO111MODULE: auto
 on:
+  push:
+    paths:
+      - .github/workflows/__go.yml
  workflow_dispatch:
    inputs:
      go-version:
@@ -15,11 +18,6 @@ on:
        description: The version of Go to install
        required: false
        default: '>=1.21.0'
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
 jobs:
  go-custom-queries:
    name: 'Go: Custom queries'
@@ -29,7 +27,6 @@ jobs:
    uses: ./.github/workflows/__go-custom-queries.yml
    with:
      go-version: ${{ inputs.go-version }}
-      dotnet-version: ${{ inputs.dotnet-version }}
  go-indirect-tracing-workaround-diagnostic:
    name: 'Go: diagnostic when Go is changed after init step'
    permissions:
@@ -64,7 +64,7 @@ jobs:
        with:
          output: ${{ runner.temp }}/results
      - name: Upload SARIF
-        uses: actions/upload-artifact@v5
+        uses: actions/upload-artifact@v4
        with:
          name: ${{ matrix.os }}-${{ matrix.version }}.sarif.json
          path: ${{ runner.temp }}/results/javascript.sarif
@@ -32,11 +32,6 @@ on:
        description: The version of Python to install
        required: false
        default: '3.13'
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
  workflow_call:
    inputs:
      go-version:
@@ -49,11 +44,6 @@ on:
        description: The version of Python to install
        required: false
        default: '3.13'
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
 defaults:
  run:
    shell: bash
@@ -95,10 +85,6 @@ jobs:
        uses: actions/setup-python@v6
        with:
          python-version: ${{ inputs.python-version || '3.13' }}
-      - name: Install .NET
-        uses: actions/setup-dotnet@v5
-        with:
-          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - name: Fetch latest CodeQL bundle
        run: |
          wget https://github.com/github/codeql-action/releases/latest/download/codeql-bundle-linux64.tar.zst
@@ -32,11 +32,6 @@ on:
        description: The version of Python to install
        required: false
        default: '3.13'
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
  workflow_call:
    inputs:
      go-version:
@@ -49,11 +44,6 @@ on:
        description: The version of Python to install
        required: false
        default: '3.13'
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
 defaults:
  run:
    shell: bash
@@ -129,10 +119,6 @@ jobs:
        uses: actions/setup-python@v6
        with:
          python-version: ${{ inputs.python-version || '3.13' }}
-      - name: Install .NET
-        uses: actions/setup-dotnet@v5
-        with:
-          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - name: Use Xcode 16
        if: runner.os == 'macOS' && matrix.version != 'nightly-latest'
        run: sudo xcode-select -s "/Applications/Xcode_16.app"
@@ -32,11 +32,6 @@ on:
        description: The version of Python to install
        required: false
        default: '3.13'
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
  workflow_call:
    inputs:
      go-version:
@@ -49,11 +44,6 @@ on:
        description: The version of Python to install
        required: false
        default: '3.13'
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
 defaults:
  run:
    shell: bash
@@ -83,7 +73,7 @@ jobs:
      - name: Check out repository
        uses: actions/checkout@v5
      - name: Install Node.js
-        uses: actions/setup-node@v6
+        uses: actions/setup-node@v5
        with:
          node-version: 20.x
          cache: npm
@@ -106,10 +96,6 @@ jobs:
        uses: actions/setup-python@v6
        with:
          python-version: ${{ inputs.python-version || '3.13' }}
-      - name: Install .NET
-        uses: actions/setup-dotnet@v5
-        with:
-          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - uses: ./../action/init
        with:
          config-file: .github/codeql/codeql-config-packaging3.yml
@@ -27,11 +27,6 @@ on:
        description: The version of Go to install
        required: false
        default: '>=1.21.0'
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
  workflow_call:
    inputs:
      go-version:
@@ -39,11 +34,6 @@ on:
        description: The version of Go to install
        required: false
        default: '>=1.21.0'
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
 defaults:
  run:
    shell: bash
@@ -73,7 +63,7 @@ jobs:
      - name: Check out repository
        uses: actions/checkout@v5
      - name: Install Node.js
-        uses: actions/setup-node@v6
+        uses: actions/setup-node@v5
        with:
          node-version: 20.x
          cache: npm
@@ -91,10 +81,6 @@ jobs:
        with:
          go-version: ${{ inputs.go-version || '>=1.21.0' }}
          cache: false
-      - name: Install .NET
-        uses: actions/setup-dotnet@v5
-        with:
-          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - uses: ./../action/init
        with:
          config-file: .github/codeql/codeql-config-packaging3.yml
@@ -27,11 +27,6 @@ on:
        description: The version of Go to install
        required: false
        default: '>=1.21.0'
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
  workflow_call:
    inputs:
      go-version:
@@ -39,11 +34,6 @@ on:
        description: The version of Go to install
        required: false
        default: '>=1.21.0'
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
 defaults:
  run:
    shell: bash
@@ -73,7 +63,7 @@ jobs:
      - name: Check out repository
        uses: actions/checkout@v5
      - name: Install Node.js
-        uses: actions/setup-node@v6
+        uses: actions/setup-node@v5
        with:
          node-version: 20.x
          cache: npm
@@ -91,10 +81,6 @@ jobs:
        with:
          go-version: ${{ inputs.go-version || '>=1.21.0' }}
          cache: false
-      - name: Install .NET
-        uses: actions/setup-dotnet@v5
-        with:
-          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - uses: ./../action/init
        with:
          config-file: .github/codeql/codeql-config-packaging.yml
@@ -27,11 +27,6 @@ on:
        description: The version of Go to install
        required: false
        default: '>=1.21.0'
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
  workflow_call:
    inputs:
      go-version:
@@ -39,11 +34,6 @@ on:
        description: The version of Go to install
        required: false
        default: '>=1.21.0'
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
 defaults:
  run:
    shell: bash
@@ -73,7 +63,7 @@ jobs:
      - name: Check out repository
        uses: actions/checkout@v5
      - name: Install Node.js
-        uses: actions/setup-node@v6
+        uses: actions/setup-node@v5
        with:
          node-version: 20.x
          cache: npm
@@ -91,10 +81,6 @@ jobs:
        with:
          go-version: ${{ inputs.go-version || '>=1.21.0' }}
          cache: false
-      - name: Install .NET
-        uses: actions/setup-dotnet@v5
-        with:
-          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - uses: ./../action/init
        with:
          config-file: .github/codeql/codeql-config-packaging2.yml
@@ -80,10 +80,9 @@ jobs:
        with:
          output: ${{ runner.temp }}/results
          upload-database: false
-          post-processed-sarif-path: ${{ runner.temp }}/post-processed
      - name: Upload security SARIF
        if: contains(matrix.analysis-kinds, 'code-scanning')
-        uses: actions/upload-artifact@v5
+        uses: actions/upload-artifact@v4
        with:
          name: |
            quality-queries-${{ matrix.os }}-${{ matrix.version }}-${{ matrix.analysis-kinds }}.sarif.json
@@ -91,20 +90,12 @@ jobs:
          retention-days: 7
      - name: Upload quality SARIF
        if: contains(matrix.analysis-kinds, 'code-quality')
-        uses: actions/upload-artifact@v5
+        uses: actions/upload-artifact@v4
        with:
          name: |
            quality-queries-${{ matrix.os }}-${{ matrix.version }}-${{ matrix.analysis-kinds }}.quality.sarif.json
          path: ${{ runner.temp }}/results/javascript.quality.sarif
          retention-days: 7
-      - name: Upload post-processed SARIF
-        uses: actions/upload-artifact@v5
-        with:
-          name: |
-            post-processed-${{ matrix.os }}-${{ matrix.version }}-${{ matrix.analysis-kinds }}.sarif.json
-          path: ${{ runner.temp }}/post-processed
-          retention-days: 7
-          if-no-files-found: error
      - name: Check quality query does not appear in security SARIF
        if: contains(matrix.analysis-kinds, 'code-scanning')
        uses: actions/github-script@v8
@@ -32,11 +32,6 @@ on:
        description: The version of Python to install
        required: false
        default: '3.13'
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
  workflow_call:
    inputs:
      go-version:
@@ -49,11 +44,6 @@ on:
        description: The version of Python to install
        required: false
        default: '3.13'
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
 defaults:
  run:
    shell: bash
@@ -97,10 +87,6 @@ jobs:
        uses: actions/setup-python@v6
        with:
          python-version: ${{ inputs.python-version || '3.13' }}
-      - name: Install .NET
-        uses: actions/setup-dotnet@v5
-        with:
-          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - uses: ./../action/init
        with:
          tools: ${{ steps.prepare-test.outputs.tools-url }}
@@ -56,7 +56,7 @@ jobs:
          use-all-platform-bundle: 'false'
          setup-kotlin: 'true'
      - name: Set up Ruby
-        uses: ruby/setup-ruby@d5126b9b3579e429dd52e51e68624dda2e05be25 # v1.267.0
+        uses: ruby/setup-ruby@ab177d40ee5483edb974554986f56b33477e21d0 # v1.265.0
        with:
          ruby-version: 2.6
      - name: Install Code Scanning integration
@@ -27,11 +27,6 @@ on:
        description: The version of Go to install
        required: false
        default: '>=1.21.0'
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
  workflow_call:
    inputs:
      go-version:
@@ -39,11 +34,6 @@ on:
        description: The version of Go to install
        required: false
        default: '>=1.21.0'
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
 defaults:
  run:
    shell: bash
@@ -90,10 +80,6 @@ jobs:
        with:
          go-version: ${{ inputs.go-version || '>=1.21.0' }}
          cache: false
-      - name: Install .NET
-        uses: actions/setup-dotnet@v5
-        with:
-          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - uses: ./../action/init
        with:
          config-file: .github/codeql/codeql-config-packaging3.yml
@@ -27,11 +27,6 @@ on:
        description: The version of Go to install
        required: false
        default: '>=1.21.0'
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
  workflow_call:
    inputs:
      go-version:
@@ -39,11 +34,6 @@ on:
        description: The version of Go to install
        required: false
        default: '>=1.21.0'
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
 defaults:
  run:
    shell: bash
@@ -84,10 +74,6 @@ jobs:
        with:
          go-version: ${{ inputs.go-version || '>=1.21.0' }}
          cache: false
-      - name: Install .NET
-        uses: actions/setup-dotnet@v5
-        with:
-          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - name: Use Xcode 16
        if: runner.os == 'macOS' && matrix.version != 'nightly-latest'
        run: sudo xcode-select -s "/Applications/Xcode_16.app"
@@ -32,11 +32,6 @@ on:
        description: The version of Python to install
        required: false
        default: '3.13'
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
  workflow_call:
    inputs:
      go-version:
@@ -49,11 +44,6 @@ on:
        description: The version of Python to install
        required: false
        default: '3.13'
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
 defaults:
  run:
    shell: bash
@@ -97,10 +87,6 @@ jobs:
        uses: actions/setup-python@v6
        with:
          python-version: ${{ inputs.python-version || '3.13' }}
-      - name: Install .NET
-        uses: actions/setup-dotnet@v5
-        with:
-          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - uses: ./../action/init
        id: init
        with:
@@ -32,11 +32,6 @@ on:
        description: The version of Python to install
        required: false
        default: '3.13'
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
  workflow_call:
    inputs:
      go-version:
@@ -49,11 +44,6 @@ on:
        description: The version of Python to install
        required: false
        default: '3.13'
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
 defaults:
  run:
    shell: bash
@@ -95,10 +85,6 @@ jobs:
        uses: actions/setup-python@v6
        with:
          python-version: ${{ inputs.python-version || '3.13' }}
-      - name: Install .NET
-        uses: actions/setup-dotnet@v5
-        with:
-          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - uses: ./../action/init
        with:
          tools: ${{ steps.prepare-test.outputs.tools-url }}
@@ -32,11 +32,6 @@ on:
        description: The version of Python to install
        required: false
        default: '3.13'
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
  workflow_call:
    inputs:
      go-version:
@@ -49,11 +44,6 @@ on:
        description: The version of Python to install
        required: false
        default: '3.13'
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
 defaults:
  run:
    shell: bash
@@ -102,10 +92,6 @@ jobs:
        uses: actions/setup-python@v6
        with:
          python-version: ${{ inputs.python-version || '3.13' }}
-      - name: Install .NET
-        uses: actions/setup-dotnet@v5
-        with:
-          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - uses: ./../action/init
        with:
          tools: ${{ steps.prepare-test.outputs.tools-url }}
@@ -32,11 +32,6 @@ on:
        description: The version of Python to install
        required: false
        default: '3.13'
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
  workflow_call:
    inputs:
      go-version:
@@ -49,11 +44,6 @@ on:
        description: The version of Python to install
        required: false
        default: '3.13'
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
 defaults:
  run:
    shell: bash
@@ -95,10 +85,6 @@ jobs:
        uses: actions/setup-python@v6
        with:
          python-version: ${{ inputs.python-version || '3.13' }}
-      - name: Install .NET
-        uses: actions/setup-dotnet@v5
-        with:
-          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - name: Delete original checkout
        run: |
          # delete the original checkout so we don't accidentally use it.
@@ -15,7 +15,7 @@ defaults:

 jobs:
  check-expected-release-files:
-    runs-on: ubuntu-slim
+    runs-on: ubuntu-latest

    permissions:
      contents: read
@@ -81,7 +81,7 @@ jobs:
    strategy:
      fail-fast: false
      matrix:
-        os: [ubuntu-22.04,ubuntu-24.04,windows-2022,windows-2025,macos-14,macos-15]
+        os: [ubuntu-22.04,ubuntu-24.04,windows-2022,windows-2025,macos-13,macos-14,macos-15]
        tools: ${{ fromJson(needs.check-codeql-versions.outputs.versions) }}
    runs-on: ${{ matrix.os }}

@@ -56,7 +56,7 @@ jobs:
      uses: actions/checkout@v5

    - name: Set up Node.js
-      uses: actions/setup-node@v6
+      uses: actions/setup-node@v5
      with:
        node-version: 24
        cache: 'npm'
@@ -54,10 +54,6 @@ jobs:
      - uses: actions/setup-go@v6
        with:
          go-version: ^1.13.1
-      - name: Install .NET
-        uses: actions/setup-dotnet@v5
-        with:
-          dotnet-version: '9.x'
      - uses: ./../action/init
        with:
          tools: ${{ steps.prepare-test.outputs.tools-url }}
@@ -83,7 +79,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Download all artifacts
-        uses: actions/download-artifact@v6
+        uses: actions/download-artifact@v5
      - name: Check expected artifacts exist
        run: |
          LANGUAGES="cpp csharp go java javascript python"
@@ -50,10 +50,6 @@ jobs:
      - uses: actions/setup-go@v6
        with:
          go-version: ^1.13.1
-      - name: Install .NET
-        uses: actions/setup-dotnet@v5
-        with:
-          dotnet-version: '9.x'
      - uses: ./../action/init
        id: init
        with:
@@ -77,7 +73,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Download all artifacts
-        uses: actions/download-artifact@v6
+        uses: actions/download-artifact@v5
      - name: Check expected artifacts exist
        run: |
          VERSIONS="stable-v2.20.3 default linked nightly-latest"
@@ -1,26 +0,0 @@
-name: Label PR with size
-
-on:
-  pull_request:
-    types:
-      - opened
-      - synchronize
-      - reopened
-      - edited
-      - ready_for_review
-
-permissions:
-  contents: read
-  pull-requests: write
-
-jobs:
-  sizeup:
-    name: Label PR with size
-    runs-on: ubuntu-slim
-
-    steps:
-      - name: Run sizeup
-        uses: lerebear/sizeup-action@b7beb3dd273e36039e16e48e7bc690c189e61951 # 0.8.12
-        with:
-          token: "${{ secrets.GITHUB_TOKEN }}"
-          configuration-file-path: ".github/sizeup.yml"
@@ -24,7 +24,7 @@ defaults:

 jobs:
  merge-back:
-    runs-on: ubuntu-slim
+    runs-on: ubuntu-latest
    environment: Automation
    if: github.repository == 'github/codeql-action'
    env:
@@ -47,10 +47,7 @@ jobs:
      - uses: actions/checkout@v5
        with:
          fetch-depth: 0  # ensure we have all tags and can push commits
-      - uses: actions/setup-node@v6
-      - uses: actions/setup-python@v6
-        with:
-          python-version: '3.12'
+      - uses: actions/setup-node@v5

      - name: Update git config
        run: |
@@ -35,7 +35,7 @@ jobs:
      - uses: actions/checkout@v5

      - name: Set up Node.js
-        uses: actions/setup-node@v6
+        uses: actions/setup-node@v5
        with:
          node-version: ${{ matrix.node-version }}
          cache: 'npm'
@@ -29,7 +29,7 @@ defaults:
 jobs:
  prepare:
    name: "Prepare release"
-    runs-on: ubuntu-slim
+    runs-on: ubuntu-latest
    if: github.repository == 'github/codeql-action'

    permissions:
@@ -1,10 +1,8 @@
 name: 'Publish Immutable Action Version'

 on:
-  push:
-    tags:
-      # Match version tags, but not the major version tags.
-      - 'v[0-9]+.**'
+  release:
+    types: [published]

 defaults:
  run:
@@ -12,16 +10,30 @@ defaults:

 jobs:
  publish:
-    runs-on: ubuntu-slim
+    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write
      packages: write

    steps:
-      - name: Checkout repository
+      - name: Check release name
+        id: check
+        env:
+          RELEASE_NAME: ${{ github.event.release.name }}
+        run: |
+          echo "Release name: ${{ github.event.release.name }}"
+          if [[ $RELEASE_NAME == v* ]]; then
+            echo "This is a CodeQL Action release. Create an Immutable Action"
+            echo "is-action-release=true" >> $GITHUB_OUTPUT
+          else
+            echo "This is a CodeQL Bundle release. Do not create an Immutable Action"
+            echo "is-action-release=false" >> $GITHUB_OUTPUT
+          fi
+      - name: Checking out
+        if: steps.check.outputs.is-action-release == 'true'
        uses: actions/checkout@v5
-
-      - name: Publish immutable release
+      - name: Publish
+        if: steps.check.outputs.is-action-release == 'true'
        id: publish
        uses: actions/publish-immutable-action@v0.0.4
@@ -32,7 +32,7 @@ jobs:
      uses: actions/checkout@v5

    - name: Install Node.js
-      uses: actions/setup-node@v6
+      uses: actions/setup-node@v5
      with:
        node-version: 24
        cache: npm
@@ -1,18 +0,0 @@
-import os
-import re
-
-# Get the PR number from the PR URL.
-pr_number = os.environ['PR_URL'].split('/')[-1]
-changelog_note = f"- Update default CodeQL bundle version to {os.environ['CLI_VERSION']}. [#{pr_number}]({os.environ['PR_URL']})"
-
-# If the "[UNRELEASED]" section starts with "no user facing changes", remove that line.
-with open('CHANGELOG.md', 'r') as f:
-    changelog = f.read()
-
-changelog = changelog.replace('## [UNRELEASED]\n\nNo user facing changes.', '## [UNRELEASED]\n')
-
-# Add the changelog note to the bottom of the "[UNRELEASED]" section.
-changelog = re.sub(r'\n## (\d+\.\d+\.\d+)', f'{changelog_note}\n\n## \\1', changelog, count=1)
-
-with open('CHANGELOG.md', 'w') as f:
-    f.write(changelog)
@@ -29,7 +29,7 @@ fi
 echo "Getting checks for $GITHUB_SHA"

 # Ignore any checks with "https://", CodeQL, LGTM, Update, and ESLint checks.
-CHECKS="$(gh api repos/github/codeql-action/commits/"${GITHUB_SHA}"/check-runs --paginate | jq --slurp --compact-output --raw-output '[.[].check_runs.[] | select(.conclusion != "skipped") | .name | select(contains("https://") or . == "CodeQL" or . == "Dependabot" or . == "check-expected-release-files" or contains("Update") or contains("ESLint") or contains("update") or contains("test-setup-python-scripts") or . == "Agent" or . == "Cleanup artifacts" or . == "Prepare" or . == "Upload results" | not)] | unique | sort')"
+CHECKS="$(gh api repos/github/codeql-action/commits/"${GITHUB_SHA}"/check-runs --paginate | jq --slurp --compact-output --raw-output '[.[].check_runs.[] | select(.conclusion != "skipped") | .name | select(contains("https://") or . == "CodeQL" or . == "Dependabot" or . == "check-expected-release-files" or contains("Update") or contains("ESLint") or contains("update") or contains("test-setup-python-scripts") | not)] | unique | sort')"

 echo "$CHECKS" | jq

@@ -43,10 +43,6 @@ jobs:
      with:
        version: ${{ matrix.version }}
        use-all-platform-bundle: true
-    - name: Install .NET
-      uses: actions/setup-dotnet@v5
-      with:
-        dotnet-version: '9.x'
    - id: init
      uses: ./../action/init
      with:
@@ -20,7 +20,7 @@ defaults:
 jobs:
  update-bundle:
    if: github.event.release.prerelease && startsWith(github.event.release.tag_name, 'codeql-bundle-')
-    runs-on: ubuntu-slim
+    runs-on: ubuntu-latest
    permissions:
      contents: write # needed to push commits
      pull-requests: write # needed to create pull requests
@@ -40,13 +40,8 @@ jobs:
          git config --global user.email "41898282+github-actions[bot]@users.noreply.github.com"
          git config --global user.name "github-actions[bot]"

-      - name: Set up Python
-        uses: actions/setup-python@v6
-        with:
-          python-version: '3.12'
-
      - name: Set up Node.js
-        uses: actions/setup-node@v6
+        uses: actions/setup-node@v5
        with:
          node-version: 24
          cache: 'npm'
@@ -83,8 +78,28 @@ jobs:
          echo "PR_URL=$pr_url" | tee -a "$GITHUB_ENV"

      - name: Create changelog note
+        shell: python
        run: |
-          python .github/workflows/script/bundle_changelog.py
+          import os
+          import re
+
+          # Get the PR number from the PR URL.
+          pr_number = os.environ['PR_URL'].split('/')[-1]
+          changelog_note = f"- Update default CodeQL bundle version to {os.environ['CLI_VERSION']}. [#{pr_number}]({os.environ['PR_URL']})"
+
+          # If the "[UNRELEASED]" section starts with "no user facing changes", remove that line.
+          # Use perl to avoid having to escape the newline character.
+
+          with open('CHANGELOG.md', 'r') as f:
+              changelog = f.read()
+
+          changelog = changelog.replace('## [UNRELEASED]\n\nNo user facing changes.', '## [UNRELEASED]\n')
+
+          # Add the changelog note to the bottom of the "[UNRELEASED]" section.
+          changelog = re.sub(r'\n## (\d+\.\d+\.\d+)', f'{changelog_note}\n\n## \\1', changelog, count=1)
+
+          with open('CHANGELOG.md', 'w') as f:
+              f.write(changelog)

      - name: Push changelog note
        run: |
@@ -26,7 +26,7 @@ jobs:

  update:
    timeout-minutes: 45
-    runs-on: ubuntu-slim
+    runs-on: ubuntu-latest
    if: github.event_name == 'workflow_dispatch'
    needs: [prepare]
    env:
@@ -77,7 +77,7 @@ jobs:

  backport:
    timeout-minutes: 45
-    runs-on: ubuntu-slim
+    runs-on: ubuntu-latest
    environment: Automation
    needs: [prepare]
    if: ${{ (github.event_name == 'push') && needs.prepare.outputs.backport_target_branches != '[]' }}
@@ -4,18 +4,12 @@ on:
  schedule:
    - cron: "0 0 * * *"
  workflow_dispatch:
-  pull_request:
-    branches:
-      - main
-    paths:
-      - .github/workflows/update-supported-enterprise-server-versions.yml
-      - .github/workflows/update-supported-enterprise-server-versions/update.py

 jobs:
  update-supported-enterprise-server-versions:
    name: Update Supported Enterprise Server Versions
    timeout-minutes: 45
-    runs-on: ubuntu-slim
+    runs-on: ubuntu-latest
    if: github.repository == 'github/codeql-action'
    permissions:
      contents: write # needed to push commits
@@ -34,7 +28,6 @@ jobs:
          repository: github/enterprise-releases
          token: ${{ secrets.ENTERPRISE_RELEASE_TOKEN }}
          path: ${{ github.workspace }}/enterprise-releases/
-          sparse-checkout: releases.json
      - name: Update Supported Enterprise Server Versions
        run: |
          cd ./.github/workflows/update-supported-enterprise-server-versions/
@@ -42,7 +35,6 @@ jobs:
          pipenv install
          pipenv run ./update.py
          rm --recursive "$ENTERPRISE_RELEASES_PATH"
-          npm ci
          npm run build
        env:
          ENTERPRISE_RELEASES_PATH: ${{ github.workspace }}/enterprise-releases/
@@ -52,33 +44,25 @@ jobs:
          git config --global user.email "41898282+github-actions[bot]@users.noreply.github.com"
          git config --global user.name "github-actions[bot]"

-      - name: Commit changes
-        id: prepare-commit
+      - name: Commit changes and open PR
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          if [[ -z $(git status --porcelain) ]]; then
            echo "No changes to commit"
-            echo "committed=false" >> $GITHUB_OUTPUT
          else
            git checkout -b update-supported-enterprise-server-versions
            git add .
            git commit --message "Update supported GitHub Enterprise Server versions"
+            git push origin update-supported-enterprise-server-versions

-            echo "committed=true" >> $GITHUB_OUTPUT
+            body="This PR updates the list of supported GitHub Enterprise Server versions, either because a new "
+            body+="version is about to be feature frozen, or because an old release has been deprecated."
+            body+=$'\n\n'
+            body+="If an old release has been deprecated, please follow the instructions in CONTRIBUTING.md to "
+            body+="deprecate the corresponding version of CodeQL."
+
+            gh pr create --draft \
+              --title "Update supported GitHub Enterprise Server versions" \
+              --body "$body"
          fi
-
-      - name: Open PR
-        if: github.event_name != 'pull_request' && steps.prepare-commit.outputs.committed == 'true'
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        run: |
-          git push origin update-supported-enterprise-server-versions
-
-          body="This PR updates the list of supported GitHub Enterprise Server versions, either because a new "
-          body+="version is about to be feature frozen, or because an old release has been deprecated."
-          body+=$'\n\n'
-          body+="If an old release has been deprecated, please follow the instructions in CONTRIBUTING.md to "
-          body+="deprecate the corresponding version of CodeQL."
-
-          gh pr create --draft \
-            --title "Update supported GitHub Enterprise Server versions" \
-            --body "$body"
@@ -4,24 +4,6 @@ See the [releases page](https://github.com/github/codeql-action/releases) for th

 ## [UNRELEASED]

- CodeQL Action v3 will be deprecated in December 2026.  The Action now logs a warning for customers who are running v3 but could be running v4. For more information, see [Upcoming deprecation of CodeQL Action v3](https://github.blog/changelog/2025-10-28-upcoming-deprecation-of-codeql-action-v3/).
- Update default CodeQL bundle version to 2.23.5. [#3288](https://github.com/github/codeql-action/pull/3288)
-
-## 4.31.2 - 30 Oct 2025
-
-No user facing changes.
-
-## 4.31.1 - 30 Oct 2025
-
- The `add-snippets` input has been removed from the `analyze` action. This input has been deprecated since CodeQL Action 3.26.4 in August 2024 when this removal was announced.
-
-## 4.31.0 - 24 Oct 2025
-
- Bump minimum CodeQL bundle version to 2.17.6. [#3223](https://github.com/github/codeql-action/pull/3223)
- When SARIF files are uploaded by the `analyze` or `upload-sarif` actions, the CodeQL Action automatically performs post-processing steps to prepare the data for the upload. Previously, these post-processing steps were only performed before an upload took place. We are now changing this so that the post-processing steps will always be performed, even when the SARIF files are not uploaded. This does not change anything for the `upload-sarif` action. For `analyze`, this may affect Advanced Setup for CodeQL users who specify a value other than `always` for the `upload` input. [#3222](https://github.com/github/codeql-action/pull/3222)
-
-## 4.30.9 - 17 Oct 2025
-
 - Update default CodeQL bundle version to 2.23.3. [#3205](https://github.com/github/codeql-action/pull/3205)
 - Experimental: A new `setup-codeql` action has been added which is similar to `init`, except it only installs the CodeQL CLI and does not initialize a database. Do not use this in production as it is part of an internal experiment and subject to change at any time. [#3204](https://github.com/github/codeql-action/pull/3204)

@@ -6,7 +6,7 @@ inputs:
    description: The name of the check run to add text to.
    required: false
  output:
-    description: The path of the directory in which to save the SARIF results from the CodeQL CLI.
+    description: The path of the directory in which to save the SARIF results
    required: false
    default: "../results"
  upload:
@@ -32,10 +32,14 @@ inputs:
      and 13GB for macOS).
    required: false
  add-snippets:
-    description: Does not have any effect.
+    description: Specify whether or not to add code snippets to the output sarif file.
    required: false
+    default: "false"
    deprecationMessage: >-
-      The input "add-snippets" has been removed and no longer has any effect.
+      The input "add-snippets" is deprecated and will be removed on the first release in August 2025.
+      When this input is set to true it is expected to add code snippets with an alert to the SARIF file.
+      However, since Code Scanning ignores code snippets provided as part of a SARIF file this is currently
+      a no operation. No alternative is available.
  skip-queries:
    description: If this option is set, the CodeQL database will be built but no queries will be run on it. Thus, no results will be produced.
    required: false
@@ -66,12 +70,6 @@ inputs:
    description: Whether to upload the resulting CodeQL database
    required: false
    default: "true"
-  post-processed-sarif-path:
-    description: >-
-      Before uploading the SARIF files produced by the CodeQL CLI, the CodeQL Action may perform some post-processing
-      on them. Ordinarily, these post-processed SARIF files are not saved to disk. However, if a path is provided as an
-      argument for this input, they are written to the specified directory.
-    required: false
  wait-for-processing:
    description: If true, the Action will wait for the uploaded SARIF to be processed before completing.
    required: true
@@ -12,7 +12,6 @@ import filenames from "eslint-plugin-filenames";
 import github from "eslint-plugin-github";
 import _import from "eslint-plugin-import";
 import noAsyncForeach from "eslint-plugin-no-async-foreach";
-import jsdoc from "eslint-plugin-jsdoc";
 import globals from "globals";

 const __filename = fileURLToPath(import.meta.url);
@@ -53,7 +52,6 @@ export default [
      github: fixupPluginRules(github),
      import: fixupPluginRules(_import),
      "no-async-foreach": noAsyncForeach,
-      "jsdoc": jsdoc,
    },

    languageOptions: {
@@ -133,18 +131,7 @@ export default [
      "no-sequences": "error",
      "no-shadow": "off",
      "@typescript-eslint/no-shadow": "error",
-      "@typescript-eslint/prefer-optional-chain": "error",
      "one-var": ["error", "never"],
-
-      // Check param names to ensure that we don't have outdated JSDocs.
-      "jsdoc/check-param-names": [
-        "error",
-        {
-          // We don't currently require full JSDoc coverage, so this rule
-          // should not error on missing @param annotations.
-          disableMissingParamChecks: true,
-        }
-      ],
    },
  },
  {
@@ -0,0 +1,29 @@
+import fs from "node:fs";
+import path from "node:path";
+import { fileURLToPath } from "node:url";
+
+import { globSync } from "glob";
+import { compileFromFile } from 'json-schema-to-typescript';
+
+const __filename = fileURLToPath(import.meta.url);
+const __dirname = path.dirname(__filename);
+
+const SRC_DIR = path.join(__dirname, "schemas");
+const OUT_DIR = path.join(__dirname, "src");
+
+async function generateTypings() {
+  const schemas = globSync(`${SRC_DIR}/*.json`);
+  for (const schema of schemas) {
+    const outPath = path.join(
+      OUT_DIR,
+      `${path.basename(schema, ".json")}.d.ts`,
+    );
+    const ts = await compileFromFile(schema, {
+      bannerComment:
+        "/* This file was automatically generated by `npm run generate:schemas`. Do not edit by hand. */",
+    });
+    fs.writeFileSync(outPath, ts, "utf-8");
+  }
+}
+
+await generateTypings();
@@ -1,6 +1,6 @@
 {
-  "bundleVersion": "codeql-bundle-v2.23.5",
-  "cliVersion": "2.23.5",
-  "priorBundleVersion": "codeql-bundle-v2.23.3",
-  "priorCliVersion": "2.23.3"
+  "bundleVersion": "codeql-bundle-v2.23.3",
+  "cliVersion": "2.23.3",
+  "priorBundleVersion": "codeql-bundle-v2.23.2",
+  "priorCliVersion": "2.23.2"
 }
@@ -1,6 +1,6 @@
 {
  "name": "codeql",
-  "version": "4.31.3",
+  "version": "4.30.9",
  "private": true,
  "description": "CodeQL action",
  "scripts": {
@@ -12,7 +12,8 @@
    "ava": "npm run transpile && ava --serial --verbose",
    "test": "npm run ava -- src/",
    "test-debug": "npm run test -- --timeout=20m",
-    "transpile": "tsc --build --verbose"
+    "transpile": "npm run generate:schemas && tsc --build --verbose",
+    "generate:schemas": "node json-schemas.mjs"
  },
  "ava": {
    "typescript": {
@@ -24,20 +25,23 @@
  },
  "license": "MIT",
  "dependencies": {
-    "@actions/artifact": "^4.0.0",
+    "@actions/artifact": "^2.3.1",
    "@actions/artifact-legacy": "npm:@actions/artifact@^1.1.2",
    "@actions/cache": "^4.1.0",
    "@actions/core": "^1.11.1",
    "@actions/exec": "^1.1.1",
    "@actions/github": "^6.0.0",
    "@actions/glob": "^0.5.0",
-    "@actions/http-client": "^3.0.0",
-    "@actions/io": "^2.0.0",
+    "@actions/http-client": "^2.2.3",
+    "@actions/io": "^1.1.3",
    "@actions/tool-cache": "^2.0.2",
    "@octokit/plugin-retry": "^6.0.0",
-    "@octokit/request-error": "^7.0.2",
+    "@octokit/request-error": "^7.0.1",
    "@schemastore/package": "0.0.10",
    "archiver": "^7.0.1",
+    "check-disk-space": "^3.4.0",
+    "console-log-level": "^1.4.1",
+    "del": "^8.0.0",
    "fast-deep-equal": "^3.1.3",
    "follow-redirects": "^1.15.11",
    "get-folder-size": "^5.0.0",
@@ -45,36 +49,37 @@
    "jsonschema": "1.4.1",
    "long": "^5.3.2",
    "node-forge": "^1.3.1",
-    "octokit": "^5.0.5",
+    "octokit": "^5.0.3",
    "semver": "^7.7.3",
    "uuid": "^13.0.0"
  },
  "devDependencies": {
    "@ava/typescript": "6.0.0",
-    "@eslint/compat": "^1.4.1",
+    "@eslint/compat": "^1.4.0",
    "@eslint/eslintrc": "^3.3.1",
-    "@eslint/js": "^9.39.1",
+    "@eslint/js": "^9.37.0",
    "@microsoft/eslint-formatter-sarif": "^3.1.0",
-    "@octokit/types": "^16.0.0",
-    "@types/archiver": "^7.0.0",
+    "@octokit/types": "^15.0.0",
+    "@types/archiver": "^6.0.3",
+    "@types/console-log-level": "^1.4.5",
    "@types/follow-redirects": "^1.14.4",
    "@types/js-yaml": "^4.0.9",
    "@types/node": "20.19.9",
    "@types/node-forge": "^1.3.14",
    "@types/semver": "^7.7.1",
    "@types/sinon": "^17.0.4",
-    "@typescript-eslint/eslint-plugin": "^8.46.4",
+    "@typescript-eslint/eslint-plugin": "^8.46.0",
    "@typescript-eslint/parser": "^8.41.0",
    "ava": "^6.4.1",
-    "esbuild": "^0.27.0",
+    "esbuild": "^0.25.10",
    "eslint": "^8.57.1",
    "eslint-import-resolver-typescript": "^3.8.7",
    "eslint-plugin-filenames": "^1.3.2",
    "eslint-plugin-github": "^5.1.8",
    "eslint-plugin-import": "2.29.1",
-    "eslint-plugin-jsdoc": "^61.1.12",
    "eslint-plugin-no-async-foreach": "^0.1.1",
    "glob": "^11.0.3",
+    "json-schema-to-typescript": "^15.0.4",
    "nock": "^14.0.10",
    "sinon": "^21.0.0",
    "typescript": "^5.9.3"
@@ -4,7 +4,6 @@ operatingSystems: ["ubuntu", "macos", "windows"]
 versions: ["nightly-latest"]
 useAllPlatformBundle: "true"
 installGo: true
-installDotNet: true
 steps:
  - id: init
    uses: ./../action/init
@@ -3,7 +3,6 @@ description: "Checks that specifying 'ref' and 'sha' as inputs works"
 versions: ["default"]
 installGo: true
 installPython: true
-installDotNet: true
 steps:
  - uses: ./../action/init
    with:
@@ -2,7 +2,6 @@ name: "autobuild-action"
 description: "Tests that the C# autobuild action works"
 operatingSystems: ["ubuntu", "macos", "windows"]
 versions: ["linked"]
-installDotNet: true
 steps:
  - uses: ./../action/init
    with:
@@ -2,7 +2,6 @@ name: "Build mode manual"
 description: "An end-to-end integration test of a Java repository built using 'build-mode: manual'"
 versions: ["nightly-latest"]
 installGo: true
-installDotNet: true
 steps:
  - uses: ./../action/init
    id: init
@@ -27,7 +27,7 @@ steps:
      output: ${{ runner.temp }}/results
      upload-database: false
  - name: Upload SARIF
-    uses: actions/upload-artifact@v5
+    uses: actions/upload-artifact@v4
    with:
      name: ${{ matrix.os }}-zstd-bundle.sarif
      path: ${{ runner.temp }}/results/javascript.sarif
@@ -12,7 +12,7 @@ steps:
      output: "${{ runner.temp }}/results"
      upload-database: false
  - name: Upload SARIF
-    uses: actions/upload-artifact@v5
+    uses: actions/upload-artifact@v4
    with:
      name: config-export-${{ matrix.os }}-${{ matrix.version }}.sarif.json
      path: "${{ runner.temp }}/results/javascript.sarif"
@@ -25,7 +25,7 @@ steps:
      output: "${{ runner.temp }}/results"
      upload-database: false
  - name: Upload SARIF
-    uses: actions/upload-artifact@v5
+    uses: actions/upload-artifact@v4
    with:
      name: diagnostics-export-${{ matrix.os }}-${{ matrix.version }}.sarif.json
      path: "${{ runner.temp }}/results/javascript.sarif"
@@ -3,7 +3,6 @@ description: "Tests that file baseline information is exported when the feature
 operatingSystems: ["ubuntu", "macos", "windows"]
 versions: ["nightly-latest"]
 installGo: true
-installDotNet: true
 env:
  CODEQL_ACTION_SUBLANGUAGE_FILE_COVERAGE: true
 steps:
@@ -18,7 +17,7 @@ steps:
    with:
      output: "${{ runner.temp }}/results"
  - name: Upload SARIF
-    uses: actions/upload-artifact@v5
+    uses: actions/upload-artifact@v4
    with:
      name: with-baseline-information-${{ matrix.os }}-${{ matrix.version }}.sarif.json
      path: "${{ runner.temp }}/results/javascript.sarif"
@@ -7,7 +7,6 @@ versions:
  - linked
  - nightly-latest
 installGo: true
-installDotNet: true
 env:
  DOTNET_GENERATE_ASPNET_CERTIFICATE: "false"
 steps:
@@ -11,7 +11,7 @@ steps:
    with:
      output: "${{ runner.temp }}/results"
  - name: Upload SARIF
-    uses: actions/upload-artifact@v5
+    uses: actions/upload-artifact@v4
    with:
      name: ${{ matrix.os }}-${{ matrix.version }}.sarif.json
      path: "${{ runner.temp }}/results/javascript.sarif"
@@ -3,7 +3,6 @@ description: "Tests using a CodeQL bundle from a local file rather than a URL"
 versions: ["linked"]
 installGo: true
 installPython: true
-installDotNet: true
 steps:
  - name: Fetch latest CodeQL bundle
    run: |
@@ -5,7 +5,6 @@ env:
  CODEQL_ACTION_RESOLVE_SUPPORTED_LANGUAGES_USING_CLI: true
 installGo: true
 installPython: true
-installDotNet: true
 steps:
  - name: Use Xcode 16
    if: runner.os == 'macOS' && matrix.version != 'nightly-latest'
@@ -4,7 +4,6 @@ versions: ["linked", "default", "nightly-latest"] # This feature is not compatib
 installGo: true
 installNode: true
 installPython: true
-installDotNet: true
 steps:
  - uses: ./../action/init
    with:
@@ -3,7 +3,6 @@ description: "Checks that specifying packages using a combination of a config fi
 versions: ["linked", "default", "nightly-latest"] # This feature is not compatible with old CLIs
 installGo: true
 installNode: true
-installDotNet: true
 steps:
  - uses: ./../action/init
    with:
@@ -3,7 +3,6 @@ description: "Checks that specifying packages using only a config file works"
 versions: ["linked", "default", "nightly-latest"] # This feature is not compatible with old CLIs
 installGo: true
 installNode: true
-installDotNet: true
 steps:
  - uses: ./../action/init
    with:
@@ -3,7 +3,6 @@ description: "Checks that specifying packages using the input to the Action work
 versions: ["linked", "default", "nightly-latest"] # This feature is not compatible with old CLIs
 installGo: true
 installNode: true
-installDotNet: true
 steps:
  - uses: ./../action/init
    with:
@@ -36,10 +36,9 @@ steps:
    with:
      output: "${{ runner.temp }}/results"
      upload-database: false
-      post-processed-sarif-path: "${{ runner.temp }}/post-processed"
  - name: Upload security SARIF
    if: contains(matrix.analysis-kinds, 'code-scanning')
-    uses: actions/upload-artifact@v5
+    uses: actions/upload-artifact@v4
    with:
      name: |
        quality-queries-${{ matrix.os }}-${{ matrix.version }}-${{ matrix.analysis-kinds }}.sarif.json
@@ -47,20 +46,12 @@ steps:
      retention-days: 7
  - name: Upload quality SARIF
    if: contains(matrix.analysis-kinds, 'code-quality')
-    uses: actions/upload-artifact@v5
+    uses: actions/upload-artifact@v4
    with:
      name: |
        quality-queries-${{ matrix.os }}-${{ matrix.version }}-${{ matrix.analysis-kinds }}.quality.sarif.json
      path: "${{ runner.temp }}/results/javascript.quality.sarif"
      retention-days: 7
-  - name: Upload post-processed SARIF
-    uses: actions/upload-artifact@v5
-    with:
-      name: |
-        post-processed-${{ matrix.os }}-${{ matrix.version }}-${{ matrix.analysis-kinds }}.sarif.json
-      path: "${{ runner.temp }}/post-processed"
-      retention-days: 7
-      if-no-files-found: error
  - name: Check quality query does not appear in security SARIF
    if: contains(matrix.analysis-kinds, 'code-scanning')
    uses: actions/github-script@v8
@@ -7,7 +7,6 @@ versions:
  - nightly-latest
 installGo: true
 installPython: true
-installDotNet: true
 steps:
  - uses: ./../action/init
    with:
@@ -4,7 +4,7 @@ description: "Tests using RuboCop to analyze a multi-language repository and the
 versions: ["default"]
 steps:
  - name: Set up Ruby
-    uses: ruby/setup-ruby@d5126b9b3579e429dd52e51e68624dda2e05be25 # v1.267.0
+    uses: ruby/setup-ruby@ab177d40ee5483edb974554986f56b33477e21d0 # v1.265.0
    with:
      ruby-version: 2.6
  - name: Install Code Scanning integration
@@ -3,7 +3,6 @@ description: "Tests a split-up workflow in which we first build a database and l
 operatingSystems: ["ubuntu", "macos"]
 versions: ["linked", "default", "nightly-latest"] # This feature is not compatible with old CLIs
 installGo: true
-installDotNet: true
 steps:
  - uses: ./../action/init
    with:
@@ -3,7 +3,6 @@ description: "Tests creation of a Swift database using custom build"
 versions: ["linked", "default", "nightly-latest"]
 operatingSystems: ["macos"]
 installGo: true
-installDotNet: true
 env:
  DOTNET_GENERATE_ASPNET_CERTIFICATE: "false"
 steps:
@@ -7,7 +7,6 @@ versions:
  - nightly-latest
 installGo: true
 installPython: true
-installDotNet: true
 steps:
  - uses: ./../action/init
    id: init
@@ -3,7 +3,6 @@ description: "Checks that specifying 'ref' and 'sha' as inputs works"
 versions: ["default"]
 installGo: true
 installPython: true
-installDotNet: true
 steps:
  - uses: ./../action/init
    with:
@@ -4,7 +4,6 @@ versions: ["default"]
 analysisKinds: ["code-scanning", "code-quality", "code-scanning,code-quality"]
 installGo: true
 installPython: true
-installDotNet: true
 steps:
  - uses: ./../action/init
    with:
@@ -3,7 +3,6 @@ description: "Checks that a custom `checkout_path` will find the proper commit_o
 versions: ["linked"]
 installGo: true
 installPython: true
-installDotNet: true
 steps:
  # This ensures we don't accidentally use the original checkout for any part of the test.
  - name: Delete original checkout
@@ -117,7 +117,7 @@ for file in sorted((this_dir / 'checks').glob('*.yml')):
        steps.extend([
            {
                'name': 'Install Node.js',
-                'uses': 'actions/setup-node@v6',
+                'uses': 'actions/setup-node@v5',
                'with': {
                    'node-version': '20.x',
                    'cache': 'npm',
@@ -204,25 +204,6 @@ for file in sorted((this_dir / 'checks').glob('*.yml')):
            }
        })

-    installDotNet = is_truthy(checkSpecification.get('installDotNet', ''))
-
-    if installDotNet:
-        baseDotNetVersionExpr = '9.x'
-        workflowInputs['dotnet-version'] = {
-            'type': 'string',
-            'description': 'The version of .NET to install',
-            'required': False,
-            'default': baseDotNetVersionExpr,
-        }
-
-        steps.append({
-            'name': 'Install .NET',
-            'uses': 'actions/setup-dotnet@v5',
-            'with': {
-                'dotnet-version': '${{ inputs.dotnet-version || \'' + baseDotNetVersionExpr + '\' }}'
-            }
-        })
-
    # If container initialisation steps are present in the check specification,
    # make sure to execute them first.
    if 'container' in checkSpecification and 'container-init-steps' in checkSpecification:
@@ -356,6 +337,11 @@ for collection_name in collections:
                'GO111MODULE': 'auto'
            },
            'on': {
+                'push': {
+                    'paths': [
+                        f'.github/workflows/__{collection_name}.yml'
+                    ]
+                },
                'workflow_dispatch': {
                    'inputs': combinedInputs
                },
@@ -1,6 +1,6 @@
 {
  "$schema": "https://json-schema.org/draft/2020-12/schema",
-  "title": "CodeQL Database Configuration",
+  "title": "UserConfig",
  "description": "Format of the config file supplied by the user for CodeQL analysis",
  "type": "object",
  "properties": {
@@ -9,15 +9,9 @@ if [ "$GITHUB_ACTIONS" = "true" ]; then
 fi

 # Check if npm install is likely needed before proceeding
-if [ ! -d node_modules ]; then
-  echo "Running 'npm install' because 'node_modules' directory is missing."
-  npm install
-elif [ package.json -nt package-lock.json ]; then
-  echo "Running 'npm install' because 'package-lock.json' appears to be outdated."
-  npm install
-elif [ package-lock.json -nt node_modules/.package-lock.json ]; then
-  echo "Running 'npm install' because 'node_modules/.package-lock.json' appears to be outdated."
+if [ ! -d node_modules ] || [ package-lock.json -nt node_modules/.package-lock.json ]; then
+  echo "Running 'npm install' because 'node_modules/.package-lock.json' appears to be outdated..."
  npm install
 else
-  echo "Skipping 'npm install' because everything appears to be up-to-date."
+  echo "Skipping 'npm install' because 'node_modules/.package-lock.json' appears to be up-to-date."
 fi
@@ -24,9 +24,6 @@ setupTests(test);
 // but the first test would fail.

 test("analyze action with RAM & threads from environment variables", async (t) => {
-  // This test frequently times out on Windows with the default timeout, so we bump
-  // it a bit to 20s.
-  t.timeout(1000 * 20);
  await util.withTmpDir(async (tmpDir) => {
    process.env["GITHUB_SERVER_URL"] = util.GITHUB_DOTCOM_URL;
    process.env["GITHUB_REPOSITORY"] = "github/codeql-action-fake-repository";
@@ -78,7 +75,7 @@ test("analyze action with RAM & threads from environment variables", async (t) =
    t.deepEqual(runFinalizeStub.firstCall.args[1], "--threads=-1");
    t.deepEqual(runFinalizeStub.firstCall.args[2], "--ram=4992");
    t.assert(runQueriesStub.calledOnce);
-    t.deepEqual(runQueriesStub.firstCall.args[2], "--threads=-1");
+    t.deepEqual(runQueriesStub.firstCall.args[3], "--threads=-1");
    t.deepEqual(runQueriesStub.firstCall.args[1], "--ram=4992");
  });
 });
@@ -24,7 +24,6 @@ setupTests(test);
 // but the first test would fail.

 test("analyze action with RAM & threads from action inputs", async (t) => {
-  t.timeout(1000 * 20);
  await util.withTmpDir(async (tmpDir) => {
    process.env["GITHUB_SERVER_URL"] = util.GITHUB_DOTCOM_URL;
    process.env["GITHUB_REPOSITORY"] = "github/codeql-action-fake-repository";
@@ -76,7 +75,7 @@ test("analyze action with RAM & threads from action inputs", async (t) => {
    t.deepEqual(runFinalizeStub.firstCall.args[1], "--threads=-1");
    t.deepEqual(runFinalizeStub.firstCall.args[2], "--ram=3012");
    t.assert(runQueriesStub.calledOnce);
-    t.deepEqual(runQueriesStub.firstCall.args[2], "--threads=-1");
+    t.deepEqual(runQueriesStub.firstCall.args[3], "--threads=-1");
    t.deepEqual(runQueriesStub.firstCall.args[1], "--ram=3012");
  });
 });
@@ -52,7 +52,6 @@ import {
 } from "./trap-caching";
 import * as uploadLib from "./upload-lib";
 import { UploadResult } from "./upload-lib";
-import { postProcessAndUploadSarif } from "./upload-sarif";
 import * as util from "./util";

 interface AnalysisStatusReport
@@ -212,9 +211,7 @@ async function runAutobuildIfLegacyGoWorkflow(config: Config, logger: Logger) {

 async function run() {
  const startedAt = new Date();
-  let uploadResults:
-    | Partial<Record<analyses.AnalysisKind, UploadResult>>
-    | undefined = undefined;
+  let uploadResult: UploadResult | undefined = undefined;
  let runStats: QueriesStatusReport | undefined = undefined;
  let config: Config | undefined = undefined;
  let trapCacheCleanupTelemetry: TrapCacheCleanupStatusReport | undefined =
@@ -324,16 +321,10 @@ async function run() {
    );

    if (actionsUtil.getRequiredInput("skip-queries") !== "true") {
-      // Warn if the removed `add-snippets` input is used.
-      if (actionsUtil.getOptionalInput("add-snippets") !== undefined) {
-        logger.warning(
-          "The `add-snippets` input has been removed and no longer has any effect.",
-        );
-      }
-
      runStats = await runQueries(
        outputDir,
        memory,
+        util.getAddSnippetsFlag(actionsUtil.getRequiredInput("add-snippets")),
        threads,
        diffRangePackDir,
        actionsUtil.getOptionalInput("category"),
@@ -350,67 +341,31 @@ async function run() {
    }
    core.setOutput("db-locations", dbLocations);
    core.setOutput("sarif-output", path.resolve(outputDir));
-    const uploadKind = actionsUtil.getUploadValue(
-      actionsUtil.getOptionalInput("upload"),
-    );
-    if (runStats) {
-      const checkoutPath = actionsUtil.getRequiredInput("checkout_path");
-      const category = actionsUtil.getOptionalInput("category");
-
-      if (await features.getValue(Feature.AnalyzeUseNewUpload)) {
-        uploadResults = await postProcessAndUploadSarif(
-          logger,
-          features,
-          uploadKind,
-          checkoutPath,
+    const uploadInput = actionsUtil.getOptionalInput("upload");
+    if (runStats && actionsUtil.getUploadValue(uploadInput) === "always") {
+      if (isCodeScanningEnabled(config)) {
+        uploadResult = await uploadLib.uploadFiles(
          outputDir,
-          category,
-          actionsUtil.getOptionalInput("post-processed-sarif-path"),
+          actionsUtil.getRequiredInput("checkout_path"),
+          actionsUtil.getOptionalInput("category"),
+          features,
+          logger,
+          analyses.CodeScanning,
        );
-      } else if (uploadKind === "always") {
-        uploadResults = {};
-
-        if (isCodeScanningEnabled(config)) {
-          uploadResults[analyses.AnalysisKind.CodeScanning] =
-            await uploadLib.uploadFiles(
-              outputDir,
-              checkoutPath,
-              category,
-              features,
-              logger,
-              analyses.CodeScanning,
-            );
-        }
-
-        if (isCodeQualityEnabled(config)) {
-          uploadResults[analyses.AnalysisKind.CodeQuality] =
-            await uploadLib.uploadFiles(
-              outputDir,
-              checkoutPath,
-              category,
-              features,
-              logger,
-              analyses.CodeQuality,
-            );
-        }
-      } else {
-        uploadResults = {};
-        logger.info("Not uploading results");
+        core.setOutput("sarif-id", uploadResult.sarifID);
      }

-      // Set the SARIF id outputs only if we have results for them, to avoid
-      // having keys with empty values in the action output.
-      if (uploadResults[analyses.AnalysisKind.CodeScanning] !== undefined) {
-        core.setOutput(
-          "sarif-id",
-          uploadResults[analyses.AnalysisKind.CodeScanning].sarifID,
-        );
-      }
-      if (uploadResults[analyses.AnalysisKind.CodeQuality] !== undefined) {
-        core.setOutput(
-          "quality-sarif-id",
-          uploadResults[analyses.AnalysisKind.CodeQuality].sarifID,
+      if (isCodeQualityEnabled(config)) {
+        const analysis = analyses.CodeQuality;
+        const qualityUploadResult = await uploadLib.uploadFiles(
+          outputDir,
+          actionsUtil.getRequiredInput("checkout_path"),
+          actionsUtil.getOptionalInput("category"),
+          features,
+          logger,
+          analysis,
        );
+        core.setOutput("quality-sarif-id", qualityUploadResult.sarifID);
      }
    } else {
      logger.info("Not uploading results");
@@ -438,11 +393,14 @@ async function run() {

    // Store dependency cache(s) if dependency caching is enabled.
    if (shouldStoreCache(config.dependencyCachingEnabled)) {
-      dependencyCacheResults = await uploadDependencyCaches(
+      const minimizeJavaJars = await features.getValue(
+        Feature.JavaMinimizeDependencyJars,
        codeql,
-        features,
+      );
+      dependencyCacheResults = await uploadDependencyCaches(
        config,
        logger,
+        minimizeJavaJars,
      );
    }

@@ -450,12 +408,12 @@ async function run() {
    if (util.isInTestMode()) {
      logger.debug("In test mode. Waiting for processing is disabled.");
    } else if (
-      uploadResults?.[analyses.AnalysisKind.CodeScanning] !== undefined &&
+      uploadResult !== undefined &&
      actionsUtil.getRequiredInput("wait-for-processing") === "true"
    ) {
      await uploadLib.waitForProcessing(
        getRepositoryNwo(),
-        uploadResults[analyses.AnalysisKind.CodeScanning].sarifID,
+        uploadResult.sarifID,
        getActionsLogger(),
      );
    }
@@ -492,16 +450,13 @@ async function run() {
    return;
  }

-  if (
-    runStats !== undefined &&
-    uploadResults?.[analyses.AnalysisKind.CodeScanning] !== undefined
-  ) {
+  if (runStats && uploadResult) {
    await sendStatusReport(
      startedAt,
      config,
      {
        ...runStats,
-        ...uploadResults[analyses.AnalysisKind.CodeScanning].statusReport,
+        ...uploadResult.statusReport,
      },
      undefined,
      trapCacheUploadTime,
@@ -511,7 +466,7 @@ async function run() {
      dependencyCacheResults,
      logger,
    );
-  } else if (runStats !== undefined) {
+  } else if (runStats) {
    await sendStatusReport(
      startedAt,
      config,
@@ -4,8 +4,10 @@ import * as path from "path";
 import test from "ava";
 import * as sinon from "sinon";

+import * as actionsUtil from "./actions-util";
 import { CodeQuality, CodeScanning } from "./analyses";
 import {
+  exportedForTesting,
  runQueries,
  defaultSuites,
  resolveQuerySuiteAlias,
@@ -37,6 +39,7 @@ test("status report fields", async (t) => {
    setupActionsVars(tmpDir, tmpDir);

    const memoryFlag = "";
+    const addSnippetsFlag = "";
    const threadsFlag = "";
    sinon.stub(uploadLib, "validateSarifFileSchema");

@@ -102,6 +105,7 @@ test("status report fields", async (t) => {
      const statusReport = await runQueries(
        tmpDir,
        memoryFlag,
+        addSnippetsFlag,
        threadsFlag,
        undefined,
        undefined,
@@ -127,6 +131,204 @@ test("status report fields", async (t) => {
  });
 });

+function runGetDiffRanges(changes: number, patch: string[] | undefined): any {
+  sinon
+    .stub(actionsUtil, "getRequiredInput")
+    .withArgs("checkout_path")
+    .returns("/checkout/path");
+  return exportedForTesting.getDiffRanges(
+    {
+      filename: "test.txt",
+      changes,
+      patch: patch?.join("\n"),
+    },
+    getRunnerLogger(true),
+  );
+}
+
+test("getDiffRanges: file unchanged", async (t) => {
+  const diffRanges = runGetDiffRanges(0, undefined);
+  t.deepEqual(diffRanges, []);
+});
+
+test("getDiffRanges: file diff too large", async (t) => {
+  const diffRanges = runGetDiffRanges(1000000, undefined);
+  t.deepEqual(diffRanges, [
+    {
+      path: "/checkout/path/test.txt",
+      startLine: 0,
+      endLine: 0,
+    },
+  ]);
+});
+
+test("getDiffRanges: diff thunk with single addition range", async (t) => {
+  const diffRanges = runGetDiffRanges(2, [
+    "@@ -30,6 +50,8 @@",
+    " a",
+    " b",
+    " c",
+    "+1",
+    "+2",
+    " d",
+    " e",
+    " f",
+  ]);
+  t.deepEqual(diffRanges, [
+    {
+      path: "/checkout/path/test.txt",
+      startLine: 53,
+      endLine: 54,
+    },
+  ]);
+});
+
+test("getDiffRanges: diff thunk with single deletion range", async (t) => {
+  const diffRanges = runGetDiffRanges(2, [
+    "@@ -30,8 +50,6 @@",
+    " a",
+    " b",
+    " c",
+    "-1",
+    "-2",
+    " d",
+    " e",
+    " f",
+  ]);
+  t.deepEqual(diffRanges, []);
+});
+
+test("getDiffRanges: diff thunk with single update range", async (t) => {
+  const diffRanges = runGetDiffRanges(2, [
+    "@@ -30,7 +50,7 @@",
+    " a",
+    " b",
+    " c",
+    "-1",
+    "+2",
+    " d",
+    " e",
+    " f",
+  ]);
+  t.deepEqual(diffRanges, [
+    {
+      path: "/checkout/path/test.txt",
+      startLine: 53,
+      endLine: 53,
+    },
+  ]);
+});
+
+test("getDiffRanges: diff thunk with addition ranges", async (t) => {
+  const diffRanges = runGetDiffRanges(2, [
+    "@@ -30,7 +50,9 @@",
+    " a",
+    " b",
+    " c",
+    "+1",
+    " c",
+    "+2",
+    " d",
+    " e",
+    " f",
+  ]);
+  t.deepEqual(diffRanges, [
+    {
+      path: "/checkout/path/test.txt",
+      startLine: 53,
+      endLine: 53,
+    },
+    {
+      path: "/checkout/path/test.txt",
+      startLine: 55,
+      endLine: 55,
+    },
+  ]);
+});
+
+test("getDiffRanges: diff thunk with mixed ranges", async (t) => {
+  const diffRanges = runGetDiffRanges(2, [
+    "@@ -30,7 +50,7 @@",
+    " a",
+    " b",
+    " c",
+    "-1",
+    " d",
+    "-2",
+    "+3",
+    " e",
+    " f",
+    "+4",
+    "+5",
+    " g",
+    " h",
+    " i",
+  ]);
+  t.deepEqual(diffRanges, [
+    {
+      path: "/checkout/path/test.txt",
+      startLine: 54,
+      endLine: 54,
+    },
+    {
+      path: "/checkout/path/test.txt",
+      startLine: 57,
+      endLine: 58,
+    },
+  ]);
+});
+
+test("getDiffRanges: multiple diff thunks", async (t) => {
+  const diffRanges = runGetDiffRanges(2, [
+    "@@ -30,6 +50,8 @@",
+    " a",
+    " b",
+    " c",
+    "+1",
+    "+2",
+    " d",
+    " e",
+    " f",
+    "@@ -130,6 +150,8 @@",
+    " a",
+    " b",
+    " c",
+    "+1",
+    "+2",
+    " d",
+    " e",
+    " f",
+  ]);
+  t.deepEqual(diffRanges, [
+    {
+      path: "/checkout/path/test.txt",
+      startLine: 53,
+      endLine: 54,
+    },
+    {
+      path: "/checkout/path/test.txt",
+      startLine: 153,
+      endLine: 154,
+    },
+  ]);
+});
+
+test("getDiffRanges: no diff context lines", async (t) => {
+  const diffRanges = runGetDiffRanges(2, ["@@ -30 +50,2 @@", "+1", "+2"]);
+  t.deepEqual(diffRanges, [
+    {
+      path: "/checkout/path/test.txt",
+      startLine: 50,
+      endLine: 51,
+    },
+  ]);
+});
+
+test("getDiffRanges: malformed thunk header", async (t) => {
+  const diffRanges = runGetDiffRanges(2, ["@@ 30 +50,2 @@", "+1", "+2"]);
+  t.deepEqual(diffRanges, undefined);
+});
+
 test("resolveQuerySuiteAlias", (t) => {
  // default query suite names should resolve to something language-specific ending in `.qls`.
  for (const suite of defaultSuites) {
@@ -3,10 +3,16 @@ import * as path from "path";
 import { performance } from "perf_hooks";

 import * as io from "@actions/io";
+import * as del from "del";
 import * as yaml from "js-yaml";

-import { getTemporaryDirectory, PullRequestBranches } from "./actions-util";
+import {
+  getRequiredInput,
+  getTemporaryDirectory,
+  PullRequestBranches,
+} from "./actions-util";
 import * as analyses from "./analyses";
+import { getApiClient } from "./api-client";
 import { setupCppAutobuild } from "./autobuild";
 import { type CodeQL } from "./codeql";
 import * as configUtils from "./config-utils";
@@ -15,13 +21,13 @@ import { addDiagnostic, makeDiagnostic } from "./diagnostics";
 import {
  DiffThunkRange,
  writeDiffRangesJsonFile,
-  getPullRequestEditedDiffRanges,
 } from "./diff-informed-analysis-utils";
 import { EnvVar } from "./environment";
 import { FeatureEnablement, Feature } from "./feature-flags";
 import { KnownLanguage, Language } from "./languages";
 import { Logger, withGroupAsync } from "./logging";
 import { OverlayDatabaseMode } from "./overlay-database-utils";
+import { getRepositoryNwoFromEnv } from "./repository";
 import { DatabaseCreationTimings, EventReport } from "./status-report";
 import { endTracingForCluster } from "./tracer-config";
 import * as util from "./util";
@@ -38,26 +44,89 @@ export class CodeQLAnalysisError extends Error {
  }
 }

-type KnownLanguageKey = keyof typeof KnownLanguage;
-
-type RunQueriesDurationStatusReport = {
+export interface QueriesStatusReport {
  /**
-   * Time taken in ms to run queries for the language (or undefined if this language was not analyzed).
+   * Time taken in ms to run queries for actions (or undefined if this language was not analyzed).
   *
   * The "builtin" designation is now outdated with the move to CLI config parsing: this is the time
   * taken to run _all_ the queries.
   */
-  [L in KnownLanguageKey as `analyze_builtin_queries_${L}_duration_ms`]?: number;
-};
+  analyze_builtin_queries_actions_duration_ms?: number;
+  /**
+   * Time taken in ms to run queries for cpp (or undefined if this language was not analyzed).
+   *
+   * The "builtin" designation is now outdated with the move to CLI config parsing: this is the time
+   * taken to run _all_ the queries.
+   */
+  analyze_builtin_queries_cpp_duration_ms?: number;
+  /**
+   * Time taken in ms to run queries for csharp (or undefined if this language was not analyzed).
+   *
+   * The "builtin" designation is now outdated with the move to CLI config parsing: this is the time
+   * taken to run _all_ the queries.
+   */
+  analyze_builtin_queries_csharp_duration_ms?: number;
+  /**
+   * Time taken in ms to run queries for go (or undefined if this language was not analyzed).
+   *
+   * The "builtin" designation is now outdated with the move to CLI config parsing: this is the time
+   * taken to run _all_ the queries.
+   */
+  analyze_builtin_queries_go_duration_ms?: number;
+  /**
+   * Time taken in ms to run queries for java (or undefined if this language was not analyzed).
+   *
+   * The "builtin" designation is now outdated with the move to CLI config parsing: this is the time
+   * taken to run _all_ the queries.
+   */
+  analyze_builtin_queries_java_duration_ms?: number;
+  /**
+   * Time taken in ms to run queries for javascript (or undefined if this language was not analyzed).
+   *
+   * The "builtin" designation is now outdated with the move to CLI config parsing: this is the time
+   * taken to run _all_ the queries.
+   */
+  analyze_builtin_queries_javascript_duration_ms?: number;
+  /**
+   * Time taken in ms to run queries for python (or undefined if this language was not analyzed).
+   *
+   * The "builtin" designation is now outdated with the move to CLI config parsing: this is the time
+   * taken to run _all_ the queries.
+   */
+  analyze_builtin_queries_python_duration_ms?: number;
+  /**
+   * Time taken in ms to run queries for ruby (or undefined if this language was not analyzed).
+   *
+   * The "builtin" designation is now outdated with the move to CLI config parsing: this is the time
+   * taken to run _all_ the queries.
+   */
+  analyze_builtin_queries_ruby_duration_ms?: number;
+  /** Time taken in ms to run queries for swift (or undefined if this language was not analyzed).
+   *
+   * The "builtin" designation is now outdated with the move to CLI config parsing: this is the time
+   * taken to run _all_ the queries.
+   */
+  analyze_builtin_queries_swift_duration_ms?: number;

-type InterpretResultsDurationStatusReport = {
-  /** Time taken in ms to interpret results for the language (or undefined if this language was not analyzed). */
-  [L in KnownLanguageKey as `interpret_results_${L}_duration_ms`]?: number;
-};
+  /** Time taken in ms to interpret results for actions (or undefined if this language was not analyzed). */
+  interpret_results_actions_duration_ms?: number;
+  /** Time taken in ms to interpret results for cpp (or undefined if this language was not analyzed). */
+  interpret_results_cpp_duration_ms?: number;
+  /** Time taken in ms to interpret results for csharp (or undefined if this language was not analyzed). */
+  interpret_results_csharp_duration_ms?: number;
+  /** Time taken in ms to interpret results for go (or undefined if this language was not analyzed). */
+  interpret_results_go_duration_ms?: number;
+  /** Time taken in ms to interpret results for java (or undefined if this language was not analyzed). */
+  interpret_results_java_duration_ms?: number;
+  /** Time taken in ms to interpret results for javascript (or undefined if this language was not analyzed). */
+  interpret_results_javascript_duration_ms?: number;
+  /** Time taken in ms to interpret results for python (or undefined if this language was not analyzed). */
+  interpret_results_python_duration_ms?: number;
+  /** Time taken in ms to interpret results for ruby (or undefined if this language was not analyzed). */
+  interpret_results_ruby_duration_ms?: number;
+  /** Time taken in ms to interpret results for swift (or undefined if this language was not analyzed). */
+  interpret_results_swift_duration_ms?: number;

-export interface QueriesStatusReport
-  extends RunQueriesDurationStatusReport,
-    InterpretResultsDurationStatusReport {
  /**
   * Whether the analysis is diff-informed (in the sense that the action generates a diff-range data
   * extension for the analysis, regardless of whether the data extension is actually used by queries).
@@ -244,6 +313,185 @@ export async function setupDiffInformedQueryRun(
  );
 }

+/**
+ * Return the file line ranges that were added or modified in the pull request.
+ *
+ * @param branches The base and head branches of the pull request.
+ * @param logger
+ * @returns An array of tuples, where each tuple contains the absolute path of a
+ * file, the start line and the end line (both 1-based and inclusive) of an
+ * added or modified range in that file. Returns `undefined` if the action was
+ * not triggered by a pull request or if there was an error.
+ */
+async function getPullRequestEditedDiffRanges(
+  branches: PullRequestBranches,
+  logger: Logger,
+): Promise<DiffThunkRange[] | undefined> {
+  const fileDiffs = await getFileDiffsWithBasehead(branches, logger);
+  if (fileDiffs === undefined) {
+    return undefined;
+  }
+  if (fileDiffs.length >= 300) {
+    // The "compare two commits" API returns a maximum of 300 changed files. If
+    // we see that many changed files, it is possible that there could be more,
+    // with the rest being truncated. In this case, we should not attempt to
+    // compute the diff ranges, as the result would be incomplete.
+    logger.warning(
+      `Cannot retrieve the full diff because there are too many ` +
+        `(${fileDiffs.length}) changed files in the pull request.`,
+    );
+    return undefined;
+  }
+  const results: DiffThunkRange[] = [];
+  for (const filediff of fileDiffs) {
+    const diffRanges = getDiffRanges(filediff, logger);
+    if (diffRanges === undefined) {
+      return undefined;
+    }
+    results.push(...diffRanges);
+  }
+  return results;
+}
+
+/**
+ * This interface is an abbreviated version of the file diff object returned by
+ * the GitHub API.
+ */
+interface FileDiff {
+  filename: string;
+  changes: number;
+  // A patch may be absent if the file is binary, if the file diff is too large,
+  // or if the file is unchanged.
+  patch?: string | undefined;
+}
+
+async function getFileDiffsWithBasehead(
+  branches: PullRequestBranches,
+  logger: Logger,
+): Promise<FileDiff[] | undefined> {
+  // Check CODE_SCANNING_REPOSITORY first. If it is empty or not set, fall back
+  // to GITHUB_REPOSITORY.
+  const repositoryNwo = getRepositoryNwoFromEnv(
+    "CODE_SCANNING_REPOSITORY",
+    "GITHUB_REPOSITORY",
+  );
+  const basehead = `${branches.base}...${branches.head}`;
+  try {
+    const response = await getApiClient().rest.repos.compareCommitsWithBasehead(
+      {
+        owner: repositoryNwo.owner,
+        repo: repositoryNwo.repo,
+        basehead,
+        per_page: 1,
+      },
+    );
+    logger.debug(
+      `Response from compareCommitsWithBasehead(${basehead}):` +
+        `\n${JSON.stringify(response, null, 2)}`,
+    );
+    return response.data.files;
+  } catch (error: any) {
+    if (error.status) {
+      logger.warning(`Error retrieving diff ${basehead}: ${error.message}`);
+      logger.debug(
+        `Error running compareCommitsWithBasehead(${basehead}):` +
+          `\nRequest: ${JSON.stringify(error.request, null, 2)}` +
+          `\nError Response: ${JSON.stringify(error.response, null, 2)}`,
+      );
+      return undefined;
+    } else {
+      throw error;
+    }
+  }
+}
+
+function getDiffRanges(
+  fileDiff: FileDiff,
+  logger: Logger,
+): DiffThunkRange[] | undefined {
+  // Diff-informed queries expect the file path to be absolute. CodeQL always
+  // uses forward slashes as the path separator, so on Windows we need to
+  // replace any backslashes with forward slashes.
+  const filename = path
+    .join(getRequiredInput("checkout_path"), fileDiff.filename)
+    .replaceAll(path.sep, "/");
+
+  if (fileDiff.patch === undefined) {
+    if (fileDiff.changes === 0) {
+      // There are situations where a changed file legitimately has no diff.
+      // For example, the file may be a binary file, or that the file may have
+      // been renamed with no changes to its contents. In these cases, the
+      // file would be reported as having 0 changes, and we can return an empty
+      // array to indicate no diff range in this file.
+      return [];
+    }
+    // If a file is reported to have nonzero changes but no patch, that may be
+    // due to the file diff being too large. In this case, we should fall back
+    // to a special diff range that covers the entire file.
+    return [
+      {
+        path: filename,
+        startLine: 0,
+        endLine: 0,
+      },
+    ];
+  }
+
+  // The 1-based file line number of the current line
+  let currentLine = 0;
+  // The 1-based file line number that starts the current range of added lines
+  let additionRangeStartLine: number | undefined = undefined;
+  const diffRanges: DiffThunkRange[] = [];
+
+  const diffLines = fileDiff.patch.split("\n");
+  // Adding a fake context line at the end ensures that the following loop will
+  // always terminate the last range of added lines.
+  diffLines.push(" ");
+
+  for (const diffLine of diffLines) {
+    if (diffLine.startsWith("-")) {
+      // Ignore deletions completely -- we do not even want to consider them when
+      // calculating consecutive ranges of added lines.
+      continue;
+    }
+    if (diffLine.startsWith("+")) {
+      if (additionRangeStartLine === undefined) {
+        additionRangeStartLine = currentLine;
+      }
+      currentLine++;
+      continue;
+    }
+    if (additionRangeStartLine !== undefined) {
+      // Any line that does not start with a "+" or "-" terminates the current
+      // range of added lines.
+      diffRanges.push({
+        path: filename,
+        startLine: additionRangeStartLine,
+        endLine: currentLine - 1,
+      });
+      additionRangeStartLine = undefined;
+    }
+    if (diffLine.startsWith("@@ ")) {
+      // A new hunk header line resets the current line number.
+      const match = diffLine.match(/^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@/);
+      if (match === null) {
+        logger.warning(
+          `Cannot parse diff hunk header for ${fileDiff.filename}: ${diffLine}`,
+        );
+        return undefined;
+      }
+      currentLine = parseInt(match[1], 10);
+      continue;
+    }
+    if (diffLine.startsWith(" ")) {
+      // An unchanged context line advances the current line number.
+      currentLine++;
+      continue;
+    }
+  }
+  return diffRanges;
+}
+
 /**
 * Create an extension pack in the temporary directory that contains the file
 * line ranges that were added or modified in the pull request.
@@ -373,6 +621,7 @@ export function addSarifExtension(
 export async function runQueries(
  sarifFolder: string,
  memoryFlag: string,
+  addSnippetsFlag: string,
  threadsFlag: string,
  diffRangePackDir: string | undefined,
  automationDetailsId: string | undefined,
@@ -562,6 +811,7 @@ export async function runQueries(
      databasePath,
      queries,
      sarifFile,
+      addSnippetsFlag,
      threadsFlag,
      enableDebugLogging ? "-vv" : "-v",
      sarifRunPropertyFlag,
@@ -605,7 +855,7 @@ export async function runFinalize(
  logger: Logger,
 ): Promise<DatabaseCreationTimings> {
  try {
-    await fs.promises.rm(outputDir, { force: true, recursive: true });
+    await del.deleteAsync(outputDir, { force: true });
  } catch (error: any) {
    if (error?.code !== "ENOENT") {
      throw error;
@@ -672,3 +922,7 @@ export async function warnIfGoInstalledAfterInit(
    }
  }
 }
+
+export const exportedForTesting = {
+  getDiffRanges,
+};
@@ -169,32 +169,4 @@ test("wrapApiConfigurationError correctly wraps specific configuration errors",
    res,
    new util.ConfigurationError("Resource not accessible by integration"),
  );
-
-  // Enablement errors.
-  const enablementErrorMessages = [
-    "Code Security must be enabled for this repository to use code scanning",
-    "Advanced Security must be enabled for this repository to use code scanning",
-    "Code Scanning is not enabled for this repository. Please enable code scanning in the repository settings.",
-  ];
-  const transforms = [
-    (msg: string) => msg,
-    (msg: string) => msg.toLowerCase(),
-    (msg: string) => msg.toLocaleUpperCase(),
-  ];
-
-  for (const enablementErrorMessage of enablementErrorMessages) {
-    for (const transform of transforms) {
-      const enablementError = new util.HTTPError(
-        transform(enablementErrorMessage),
-        403,
-      );
-      res = api.wrapApiConfigurationError(enablementError);
-      t.deepEqual(
-        res,
-        new util.ConfigurationError(
-          api.getFeatureEnablementError(enablementError.message),
-        ),
-      );
-    }
-  }
 });
@@ -1,17 +1,18 @@
 import * as core from "@actions/core";
 import * as githubUtils from "@actions/github/lib/utils";
 import * as retry from "@octokit/plugin-retry";
+import consoleLogLevel from "console-log-level";

 import { getActionVersion, getRequiredInput } from "./actions-util";
 import { Logger } from "./logging";
 import { getRepositoryNwo, RepositoryNwo } from "./repository";
 import {
-  asHTTPError,
  ConfigurationError,
  getRequiredEnvParam,
  GITHUB_DOTCOM_URL,
  GitHubVariant,
  GitHubVersion,
+  isHTTPError,
  parseGitHubUrl,
  parseMatrixInput,
 } from "./util";
@@ -49,12 +50,7 @@ function createApiClientWithDetails(
    githubUtils.getOctokitOptions(auth, {
      baseUrl: apiDetails.apiURL,
      userAgent: `CodeQL-Action/${getActionVersion()}`,
-      log: {
-        debug: core.debug,
-        info: core.info,
-        warn: core.warning,
-        error: core.error,
-      },
+      log: consoleLogLevel({ level: "debug" }),
    }),
  );
 }
@@ -283,49 +279,23 @@ export async function getRepositoryProperties(repositoryNwo: RepositoryNwo) {
  });
 }

-function isEnablementError(msg: string) {
-  return [
-    /Code Security must be enabled/i,
-    /Advanced Security must be enabled/i,
-    /Code Scanning is not enabled/i,
-  ].some((pattern) => pattern.test(msg));
-}
-
-// TODO: Move to `error-messages.ts` after refactoring import order to avoid cycle
-// since `error-messages.ts` currently depends on this file.
-export function getFeatureEnablementError(message: string): string {
-  return `Please verify that the necessary features are enabled: ${message}`;
-}
-
 export function wrapApiConfigurationError(e: unknown) {
-  const httpError = asHTTPError(e);
-  if (httpError !== undefined) {
+  if (isHTTPError(e)) {
    if (
-      [
-        /API rate limit exceeded/,
-        /commit not found/,
-        /Resource not accessible by integration/,
-        /ref .* not found in this repository/,
-      ].some((pattern) => pattern.test(httpError.message))
+      e.message.includes("API rate limit exceeded for installation") ||
+      e.message.includes("commit not found") ||
+      e.message.includes("Resource not accessible by integration") ||
+      /ref .* not found in this repository/.test(e.message)
    ) {
-      return new ConfigurationError(httpError.message);
-    }
-    if (
-      httpError.message.includes("Bad credentials") ||
-      httpError.message.includes("Not Found")
+      return new ConfigurationError(e.message);
+    } else if (
+      e.message.includes("Bad credentials") ||
+      e.message.includes("Not Found")
    ) {
      return new ConfigurationError(
        "Please check that your token is valid and has the required permissions: contents: read, security-events: write",
      );
    }
-    if (httpError.status === 403 && isEnablementError(httpError.message)) {
-      return new ConfigurationError(
-        getFeatureEnablementError(httpError.message),
-      );
-    }
-    if (httpError.status === 429) {
-      return new ConfigurationError("API rate limit exceeded");
-    }
  }
  return e;
 }
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Michael B. Gale	0cf61911ea	Generate `UserConfig` from schema ... ish	2025-10-17 16:19:12 +01:00
Michael B. Gale	816fc30181	Add command for turning JSON schemas into TypeScript typings	2025-10-17 16:12:28 +01:00