Enable only code-scanning

Bump fast-xml-builder from 1.1.5 to 1.2.0

CHANGELOG.md

@@ -4,7 +4,7 @@ See the [releases page](https://github.com/github/codeql-action/releases) for th
 
 ## [UNRELEASED]
 
-No user facing changes.
+- If multiple inputs are provided for the GitHub-internal `analysis-kinds` input, only `code-scanning` will be enabled. The `analysis-kinds` input is experimental, for GitHub-internal use only, and may change without notice at any time. [#3892](https://github.com/github/codeql-action/pull/3892)
 
 ## 4.35.4 - 07 May 2026
 

lib/analyze-action-post.js

@@ -127358,65 +127358,8 @@ var fs4 = __toESM(require("fs"));
 var path5 = __toESM(require("path"));
 var core9 = __toESM(require_core());
 
-// src/analyses.ts
-var AnalysisKind = /* @__PURE__ */ ((AnalysisKind2) => {
-  AnalysisKind2["CodeScanning"] = "code-scanning";
-  AnalysisKind2["CodeQuality"] = "code-quality";
-  AnalysisKind2["RiskAssessment"] = "risk-assessment";
-  return AnalysisKind2;
-})(AnalysisKind || {});
-var supportedAnalysisKinds = new Set(Object.values(AnalysisKind));
-
-// src/caching-utils.ts
-var core6 = __toESM(require_core());
-
-// src/config/db-config.ts
-var jsonschema = __toESM(require_lib2());
-var semver2 = __toESM(require_semver2());
-
-// src/feature-flags/properties.ts
-var RepositoryPropertyName = /* @__PURE__ */ ((RepositoryPropertyName2) => {
-  RepositoryPropertyName2["DISABLE_OVERLAY"] = "github-codeql-disable-overlay";
-  RepositoryPropertyName2["EXTRA_QUERIES"] = "github-codeql-extra-queries";
-  RepositoryPropertyName2["FILE_COVERAGE_ON_PRS"] = "github-codeql-file-coverage-on-prs";
-  return RepositoryPropertyName2;
-})(RepositoryPropertyName || {});
-var KNOWN_REPOSITORY_PROPERTY_NAMES = new Set(
-  Object.values(RepositoryPropertyName)
-);
-
-// src/config/db-config.ts
-var PACK_IDENTIFIER_PATTERN = (function() {
-  const alphaNumeric = "[a-z0-9]";
-  const alphaNumericDash = "[a-z0-9-]";
-  const component = `${alphaNumeric}(${alphaNumericDash}*${alphaNumeric})?`;
-  return new RegExp(`^${component}/${component}$`);
-})();
-
-// src/logging.ts
-var core7 = __toESM(require_core());
-function getActionsLogger() {
-  return {
-    debug: core7.debug,
-    info: core7.info,
-    warning: core7.warning,
-    error: core7.error,
-    isDebug: core7.isDebug,
-    startGroup: core7.startGroup,
-    endGroup: core7.endGroup
-  };
-}
-function withGroup(groupName, f) {
-  core7.startGroup(groupName);
-  try {
-    return f();
-  } finally {
-    core7.endGroup();
-  }
-}
-
 // src/feature-flags.ts
-var semver5 = __toESM(require_semver2());
+var semver4 = __toESM(require_semver2());
 
 // src/overlay/index.ts
 var fs3 = __toESM(require("fs"));
@@ -127425,14 +127368,14 @@ var path4 = __toESM(require("path"));
 // src/git-utils.ts
 var fs2 = __toESM(require("fs"));
 var path3 = __toESM(require("path"));
-var core8 = __toESM(require_core());
+var core6 = __toESM(require_core());
 var toolrunner2 = __toESM(require_toolrunner());
 var io3 = __toESM(require_io());
-var semver3 = __toESM(require_semver2());
+var semver2 = __toESM(require_semver2());
 var runGitCommand = async function(workingDirectory, args, customErrorMessage, options) {
   let stdout = "";
   let stderr = "";
-  core8.debug(`Running git command: git ${args.join(" ")}`);
+  core6.debug(`Running git command: git ${args.join(" ")}`);
   try {
     await new toolrunner2.ToolRunner(await io3.which("git", true), args, {
       silent: true,
@@ -127453,7 +127396,7 @@ var runGitCommand = async function(workingDirectory, args, customErrorMessage, o
     if (stderr.includes("not a git repository")) {
       reason = "The checkout path provided to the action does not appear to be a git repository.";
     }
-    core8.info(`git call failed. ${customErrorMessage} Error: ${reason}`);
+    core6.info(`git call failed. ${customErrorMessage} Error: ${reason}`);
     throw error3;
   }
 };
@@ -127582,7 +127525,7 @@ async function getRef() {
   ) !== head;
   if (hasChangedRef) {
     const newRef = ref.replace(pull_ref_regex, "refs/pull/$1/head");
-    core8.debug(
+    core6.debug(
       `No longer on merge commit, rewriting ref from ${ref} to ${newRef}.`
     );
     return newRef;
@@ -127719,17 +127662,22 @@ async function getDiffRangeFilePaths(sourceRoot, logger) {
 }
 
 // src/tools-features.ts
-var semver4 = __toESM(require_semver2());
+var semver3 = __toESM(require_semver2());
 function isSupportedToolsFeature(versionInfo, feature) {
   return !!versionInfo.features && versionInfo.features[feature];
 }
 var SafeArtifactUploadVersion = "2.20.3";
 function isSafeArtifactUpload(codeQlVersion) {
-  return !codeQlVersion ? true : semver4.gte(codeQlVersion, SafeArtifactUploadVersion);
+  return !codeQlVersion ? true : semver3.gte(codeQlVersion, SafeArtifactUploadVersion);
 }
 
 // src/feature-flags.ts
 var featureConfig = {
+  ["allow_multiple_analysis_kinds" /* AllowMultipleAnalysisKinds */]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_ALLOW_MULTIPLE_ANALYSIS_KINDS",
+    minimumVersion: void 0
+  },
   ["allow_toolcache_input" /* AllowToolcacheInput */]: {
     defaultValue: false,
     envVar: "CODEQL_ACTION_ALLOW_TOOLCACHE_INPUT",
@@ -127938,6 +127886,63 @@ var featureConfig = {
   }
 };
 
+// src/analyses.ts
+var AnalysisKind = /* @__PURE__ */ ((AnalysisKind2) => {
+  AnalysisKind2["CodeScanning"] = "code-scanning";
+  AnalysisKind2["CodeQuality"] = "code-quality";
+  AnalysisKind2["RiskAssessment"] = "risk-assessment";
+  return AnalysisKind2;
+})(AnalysisKind || {});
+var supportedAnalysisKinds = new Set(Object.values(AnalysisKind));
+
+// src/caching-utils.ts
+var core7 = __toESM(require_core());
+
+// src/config/db-config.ts
+var jsonschema = __toESM(require_lib2());
+var semver5 = __toESM(require_semver2());
+
+// src/feature-flags/properties.ts
+var RepositoryPropertyName = /* @__PURE__ */ ((RepositoryPropertyName2) => {
+  RepositoryPropertyName2["DISABLE_OVERLAY"] = "github-codeql-disable-overlay";
+  RepositoryPropertyName2["EXTRA_QUERIES"] = "github-codeql-extra-queries";
+  RepositoryPropertyName2["FILE_COVERAGE_ON_PRS"] = "github-codeql-file-coverage-on-prs";
+  return RepositoryPropertyName2;
+})(RepositoryPropertyName || {});
+var KNOWN_REPOSITORY_PROPERTY_NAMES = new Set(
+  Object.values(RepositoryPropertyName)
+);
+
+// src/config/db-config.ts
+var PACK_IDENTIFIER_PATTERN = (function() {
+  const alphaNumeric = "[a-z0-9]";
+  const alphaNumericDash = "[a-z0-9-]";
+  const component = `${alphaNumeric}(${alphaNumericDash}*${alphaNumeric})?`;
+  return new RegExp(`^${component}/${component}$`);
+})();
+
+// src/logging.ts
+var core8 = __toESM(require_core());
+function getActionsLogger() {
+  return {
+    debug: core8.debug,
+    info: core8.info,
+    warning: core8.warning,
+    error: core8.error,
+    isDebug: core8.isDebug,
+    startGroup: core8.startGroup,
+    endGroup: core8.endGroup
+  };
+}
+function withGroup(groupName, f) {
+  core8.startGroup(groupName);
+  try {
+    return f();
+  } finally {
+    core8.endGroup();
+  }
+}
+
 // src/languages/builtin.json
 var builtin_default = {
   languages: [

lib/autobuild-action.js

@@ -86171,59 +86171,10 @@ var fs5 = __toESM(require("fs"));
 var path6 = __toESM(require("path"));
 var core9 = __toESM(require_core());
 
-// src/analyses.ts
-var AnalysisKind = /* @__PURE__ */ ((AnalysisKind2) => {
-  AnalysisKind2["CodeScanning"] = "code-scanning";
-  AnalysisKind2["CodeQuality"] = "code-quality";
-  AnalysisKind2["RiskAssessment"] = "risk-assessment";
-  return AnalysisKind2;
-})(AnalysisKind || {});
-var supportedAnalysisKinds = new Set(Object.values(AnalysisKind));
-
-// src/caching-utils.ts
-var core6 = __toESM(require_core());
-
-// src/config/db-config.ts
-var jsonschema = __toESM(require_lib2());
-var semver2 = __toESM(require_semver2());
-
-// src/feature-flags/properties.ts
-var RepositoryPropertyName = /* @__PURE__ */ ((RepositoryPropertyName2) => {
-  RepositoryPropertyName2["DISABLE_OVERLAY"] = "github-codeql-disable-overlay";
-  RepositoryPropertyName2["EXTRA_QUERIES"] = "github-codeql-extra-queries";
-  RepositoryPropertyName2["FILE_COVERAGE_ON_PRS"] = "github-codeql-file-coverage-on-prs";
-  return RepositoryPropertyName2;
-})(RepositoryPropertyName || {});
-var KNOWN_REPOSITORY_PROPERTY_NAMES = new Set(
-  Object.values(RepositoryPropertyName)
-);
-
-// src/config/db-config.ts
-var PACK_IDENTIFIER_PATTERN = (function() {
-  const alphaNumeric = "[a-z0-9]";
-  const alphaNumericDash = "[a-z0-9-]";
-  const component = `${alphaNumeric}(${alphaNumericDash}*${alphaNumeric})?`;
-  return new RegExp(`^${component}/${component}$`);
-})();
-
-// src/logging.ts
-var core7 = __toESM(require_core());
-function getActionsLogger() {
-  return {
-    debug: core7.debug,
-    info: core7.info,
-    warning: core7.warning,
-    error: core7.error,
-    isDebug: core7.isDebug,
-    startGroup: core7.startGroup,
-    endGroup: core7.endGroup
-  };
-}
-
 // src/feature-flags.ts
 var fs4 = __toESM(require("fs"));
 var path5 = __toESM(require("path"));
-var semver5 = __toESM(require_semver2());
+var semver4 = __toESM(require_semver2());
 
 // src/defaults.json
 var bundleVersion = "codeql-bundle-v2.25.4";
@@ -86236,14 +86187,14 @@ var path4 = __toESM(require("path"));
 // src/git-utils.ts
 var fs2 = __toESM(require("fs"));
 var path3 = __toESM(require("path"));
-var core8 = __toESM(require_core());
+var core6 = __toESM(require_core());
 var toolrunner2 = __toESM(require_toolrunner());
 var io3 = __toESM(require_io());
-var semver3 = __toESM(require_semver2());
+var semver2 = __toESM(require_semver2());
 var runGitCommand = async function(workingDirectory, args, customErrorMessage, options) {
   let stdout = "";
   let stderr = "";
-  core8.debug(`Running git command: git ${args.join(" ")}`);
+  core6.debug(`Running git command: git ${args.join(" ")}`);
   try {
     await new toolrunner2.ToolRunner(await io3.which("git", true), args, {
       silent: true,
@@ -86264,7 +86215,7 @@ var runGitCommand = async function(workingDirectory, args, customErrorMessage, o
     if (stderr.includes("not a git repository")) {
       reason = "The checkout path provided to the action does not appear to be a git repository.";
     }
-    core8.info(`git call failed. ${customErrorMessage} Error: ${reason}`);
+    core6.info(`git call failed. ${customErrorMessage} Error: ${reason}`);
     throw error3;
   }
 };
@@ -86393,7 +86344,7 @@ async function getRef() {
   ) !== head;
   if (hasChangedRef) {
     const newRef = ref.replace(pull_ref_regex, "refs/pull/$1/head");
-    core8.debug(
+    core6.debug(
       `No longer on merge commit, rewriting ref from ${ref} to ${newRef}.`
     );
     return newRef;
@@ -86530,7 +86481,7 @@ async function getDiffRangeFilePaths(sourceRoot, logger) {
 }
 
 // src/tools-features.ts
-var semver4 = __toESM(require_semver2());
+var semver3 = __toESM(require_semver2());
 function isSupportedToolsFeature(versionInfo, feature) {
   return !!versionInfo.features && versionInfo.features[feature];
 }
@@ -86539,6 +86490,11 @@ function isSupportedToolsFeature(versionInfo, feature) {
 var DEFAULT_VERSION_FEATURE_FLAG_PREFIX = "default_codeql_version_";
 var DEFAULT_VERSION_FEATURE_FLAG_SUFFIX = "_enabled";
 var featureConfig = {
+  ["allow_multiple_analysis_kinds" /* AllowMultipleAnalysisKinds */]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_ALLOW_MULTIPLE_ANALYSIS_KINDS",
+    minimumVersion: void 0
+  },
   ["allow_toolcache_input" /* AllowToolcacheInput */]: {
     defaultValue: false,
     envVar: "CODEQL_ACTION_ALLOW_TOOLCACHE_INPUT",
@@ -86915,7 +86871,7 @@ var GitHubFeatureFlags = class {
       DEFAULT_VERSION_FEATURE_FLAG_PREFIX.length,
       f.length - DEFAULT_VERSION_FEATURE_FLAG_SUFFIX.length
     ).replace(/_/g, ".");
-    if (!semver5.valid(version)) {
+    if (!semver4.valid(version)) {
       this.logger.warning(
         `Ignoring feature flag ${f} as it does not specify a valid CodeQL version.`
       );
@@ -87074,6 +87030,55 @@ function initFeatures(gitHubVersion, repositoryNwo, tempDir, logger) {
   }
 }
 
+// src/analyses.ts
+var AnalysisKind = /* @__PURE__ */ ((AnalysisKind2) => {
+  AnalysisKind2["CodeScanning"] = "code-scanning";
+  AnalysisKind2["CodeQuality"] = "code-quality";
+  AnalysisKind2["RiskAssessment"] = "risk-assessment";
+  return AnalysisKind2;
+})(AnalysisKind || {});
+var supportedAnalysisKinds = new Set(Object.values(AnalysisKind));
+
+// src/caching-utils.ts
+var core7 = __toESM(require_core());
+
+// src/config/db-config.ts
+var jsonschema = __toESM(require_lib2());
+var semver5 = __toESM(require_semver2());
+
+// src/feature-flags/properties.ts
+var RepositoryPropertyName = /* @__PURE__ */ ((RepositoryPropertyName2) => {
+  RepositoryPropertyName2["DISABLE_OVERLAY"] = "github-codeql-disable-overlay";
+  RepositoryPropertyName2["EXTRA_QUERIES"] = "github-codeql-extra-queries";
+  RepositoryPropertyName2["FILE_COVERAGE_ON_PRS"] = "github-codeql-file-coverage-on-prs";
+  return RepositoryPropertyName2;
+})(RepositoryPropertyName || {});
+var KNOWN_REPOSITORY_PROPERTY_NAMES = new Set(
+  Object.values(RepositoryPropertyName)
+);
+
+// src/config/db-config.ts
+var PACK_IDENTIFIER_PATTERN = (function() {
+  const alphaNumeric = "[a-z0-9]";
+  const alphaNumericDash = "[a-z0-9-]";
+  const component = `${alphaNumeric}(${alphaNumericDash}*${alphaNumeric})?`;
+  return new RegExp(`^${component}/${component}$`);
+})();
+
+// src/logging.ts
+var core8 = __toESM(require_core());
+function getActionsLogger() {
+  return {
+    debug: core8.debug,
+    info: core8.info,
+    warning: core8.warning,
+    error: core8.error,
+    isDebug: core8.isDebug,
+    startGroup: core8.startGroup,
+    endGroup: core8.endGroup
+  };
+}
+
 // src/languages/builtin.json
 var builtin_default = {
   languages: [

lib/init-action-post.js

@@ -130716,189 +130716,10 @@ var fs8 = __toESM(require("fs"));
 var path8 = __toESM(require("path"));
 var core9 = __toESM(require_core());
 
-// src/analyses.ts
-var AnalysisKind = /* @__PURE__ */ ((AnalysisKind2) => {
-  AnalysisKind2["CodeScanning"] = "code-scanning";
-  AnalysisKind2["CodeQuality"] = "code-quality";
-  AnalysisKind2["RiskAssessment"] = "risk-assessment";
-  return AnalysisKind2;
-})(AnalysisKind || {});
-var supportedAnalysisKinds = new Set(Object.values(AnalysisKind));
-var CodeScanning = {
-  kind: "code-scanning" /* CodeScanning */,
-  name: "code scanning",
-  target: "PUT /repos/:owner/:repo/code-scanning/analysis" /* CODE_SCANNING */,
-  sarifExtension: ".sarif",
-  sarifPredicate: (name) => name.endsWith(CodeScanning.sarifExtension) && !CodeQuality.sarifPredicate(name) && !RiskAssessment.sarifPredicate(name),
-  fixCategory: (_2, category) => category,
-  sentinelPrefix: "CODEQL_UPLOAD_SARIF_",
-  transformPayload: (payload) => payload
-};
-var CodeQuality = {
-  kind: "code-quality" /* CodeQuality */,
-  name: "code quality",
-  target: "PUT /repos/:owner/:repo/code-quality/analysis" /* CODE_QUALITY */,
-  sarifExtension: ".quality.sarif",
-  sarifPredicate: (name) => name.endsWith(CodeQuality.sarifExtension),
-  fixCategory: fixCodeQualityCategory,
-  sentinelPrefix: "CODEQL_UPLOAD_QUALITY_SARIF_",
-  transformPayload: (payload) => payload
-};
-function addAssessmentId(payload) {
-  const rawAssessmentId = getRequiredEnvParam("CODEQL_ACTION_RISK_ASSESSMENT_ID" /* RISK_ASSESSMENT_ID */);
-  const assessmentId = parseInt(rawAssessmentId, 10);
-  if (Number.isNaN(assessmentId)) {
-    throw new Error(
-      `${"CODEQL_ACTION_RISK_ASSESSMENT_ID" /* RISK_ASSESSMENT_ID */} must not be NaN: ${rawAssessmentId}`
-    );
-  }
-  if (assessmentId < 0) {
-    throw new Error(
-      `${"CODEQL_ACTION_RISK_ASSESSMENT_ID" /* RISK_ASSESSMENT_ID */} must not be negative: ${rawAssessmentId}`
-    );
-  }
-  return { sarif: payload.sarif, assessment_id: assessmentId };
-}
-var RiskAssessment = {
-  kind: "risk-assessment" /* RiskAssessment */,
-  name: "code scanning risk assessment",
-  target: "PUT /repos/:owner/:repo/code-scanning/risk-assessment" /* RISK_ASSESSMENT */,
-  sarifExtension: ".csra.sarif",
-  sarifPredicate: (name) => name.endsWith(RiskAssessment.sarifExtension),
-  fixCategory: (_2, category) => category,
-  sentinelPrefix: "CODEQL_UPLOAD_CSRA_SARIF_",
-  transformPayload: addAssessmentId
-};
-
-// src/config/db-config.ts
-var jsonschema = __toESM(require_lib2());
-var semver2 = __toESM(require_semver2());
-
-// src/feature-flags/properties.ts
-var RepositoryPropertyName = /* @__PURE__ */ ((RepositoryPropertyName2) => {
-  RepositoryPropertyName2["DISABLE_OVERLAY"] = "github-codeql-disable-overlay";
-  RepositoryPropertyName2["EXTRA_QUERIES"] = "github-codeql-extra-queries";
-  RepositoryPropertyName2["FILE_COVERAGE_ON_PRS"] = "github-codeql-file-coverage-on-prs";
-  return RepositoryPropertyName2;
-})(RepositoryPropertyName || {});
-var KNOWN_REPOSITORY_PROPERTY_NAMES = new Set(
-  Object.values(RepositoryPropertyName)
-);
-
-// src/config/db-config.ts
-var PACK_IDENTIFIER_PATTERN = (function() {
-  const alphaNumeric = "[a-z0-9]";
-  const alphaNumericDash = "[a-z0-9-]";
-  const component = `${alphaNumeric}(${alphaNumericDash}*${alphaNumeric})?`;
-  return new RegExp(`^${component}/${component}$`);
-})();
-
-// src/diagnostics.ts
-var import_fs = require("fs");
-var import_path = __toESM(require("path"));
-
-// src/logging.ts
-var core7 = __toESM(require_core());
-function getActionsLogger() {
-  return {
-    debug: core7.debug,
-    info: core7.info,
-    warning: core7.warning,
-    error: core7.error,
-    isDebug: core7.isDebug,
-    startGroup: core7.startGroup,
-    endGroup: core7.endGroup
-  };
-}
-function withGroup(groupName, f) {
-  core7.startGroup(groupName);
-  try {
-    return f();
-  } finally {
-    core7.endGroup();
-  }
-}
-function formatDuration(durationMs) {
-  if (durationMs < 1e3) {
-    return `${durationMs}ms`;
-  }
-  if (durationMs < 60 * 1e3) {
-    return `${(durationMs / 1e3).toFixed(1)}s`;
-  }
-  const minutes = Math.floor(durationMs / (60 * 1e3));
-  const seconds = Math.floor(durationMs % (60 * 1e3) / 1e3);
-  return `${minutes}m${seconds}s`;
-}
-
-// src/diagnostics.ts
-var unwrittenDiagnostics = [];
-var unwrittenDefaultLanguageDiagnostics = [];
-var diagnosticCounter = 0;
-function makeDiagnostic(id, name, data = void 0) {
-  return {
-    ...data,
-    timestamp: data?.timestamp ?? (/* @__PURE__ */ new Date()).toISOString(),
-    source: { ...data?.source, id, name }
-  };
-}
-function addDiagnostic(config, language, diagnostic) {
-  const logger = getActionsLogger();
-  const databasePath = language ? getCodeQLDatabasePath(config, language) : config.dbLocation;
-  if ((0, import_fs.existsSync)(databasePath)) {
-    writeDiagnostic(config, language, diagnostic);
-  } else {
-    logger.debug(
-      `Writing a diagnostic for ${language}, but the database at ${databasePath} does not exist yet.`
-    );
-    unwrittenDiagnostics.push({ diagnostic, language });
-  }
-}
-function addNoLanguageDiagnostic(config, diagnostic) {
-  if (config !== void 0) {
-    addDiagnostic(
-      config,
-      // Arbitrarily choose the first language. We could also choose all languages, but that
-      // increases the risk of misinterpreting the data.
-      config.languages[0],
-      diagnostic
-    );
-  } else {
-    unwrittenDefaultLanguageDiagnostics.push(diagnostic);
-  }
-}
-function writeDiagnostic(config, language, diagnostic) {
-  const logger = getActionsLogger();
-  const databasePath = language ? getCodeQLDatabasePath(config, language) : config.dbLocation;
-  const diagnosticsPath = import_path.default.resolve(
-    databasePath,
-    "diagnostic",
-    "codeql-action"
-  );
-  try {
-    (0, import_fs.mkdirSync)(diagnosticsPath, { recursive: true });
-    const uniqueSuffix = (diagnosticCounter++).toString();
-    const sanitizedTimestamp = diagnostic.timestamp.replace(
-      /[^a-zA-Z0-9.-]/g,
-      ""
-    );
-    const jsonPath = import_path.default.resolve(
-      diagnosticsPath,
-      `codeql-action-${sanitizedTimestamp}-${uniqueSuffix}.json`
-    );
-    (0, import_fs.writeFileSync)(jsonPath, JSON.stringify(diagnostic));
-  } catch (err) {
-    logger.warning(`Unable to write diagnostic message to database: ${err}`);
-    logger.debug(JSON.stringify(diagnostic));
-  }
-}
-
-// src/diff-informed-analysis-utils.ts
-var fs6 = __toESM(require("fs"));
-
 // src/feature-flags.ts
 var fs5 = __toESM(require("fs"));
-var path6 = __toESM(require("path"));
-var semver5 = __toESM(require_semver2());
+var path5 = __toESM(require("path"));
+var semver4 = __toESM(require_semver2());
 
 // src/defaults.json
 var bundleVersion = "codeql-bundle-v2.25.4";
@@ -130906,19 +130727,19 @@ var cliVersion = "2.25.4";
 
 // src/overlay/index.ts
 var fs4 = __toESM(require("fs"));
-var path5 = __toESM(require("path"));
+var path4 = __toESM(require("path"));
 
 // src/git-utils.ts
 var fs3 = __toESM(require("fs"));
-var path4 = __toESM(require("path"));
-var core8 = __toESM(require_core());
+var path3 = __toESM(require("path"));
+var core7 = __toESM(require_core());
 var toolrunner2 = __toESM(require_toolrunner());
 var io3 = __toESM(require_io());
-var semver3 = __toESM(require_semver2());
+var semver2 = __toESM(require_semver2());
 var runGitCommand = async function(workingDirectory, args, customErrorMessage, options) {
   let stdout = "";
   let stderr = "";
-  core8.debug(`Running git command: git ${args.join(" ")}`);
+  core7.debug(`Running git command: git ${args.join(" ")}`);
   try {
     await new toolrunner2.ToolRunner(await io3.which("git", true), args, {
       silent: true,
@@ -130939,7 +130760,7 @@ var runGitCommand = async function(workingDirectory, args, customErrorMessage, o
     if (stderr.includes("not a git repository")) {
       reason = "The checkout path provided to the action does not appear to be a git repository.";
     }
-    core8.info(`git call failed. ${customErrorMessage} Error: ${reason}`);
+    core7.info(`git call failed. ${customErrorMessage} Error: ${reason}`);
     throw error3;
   }
 };
@@ -131035,7 +130856,7 @@ var getGitRoot = async function(sourceRoot) {
   }
 };
 function hasSubmodules(gitRoot) {
-  return fs3.existsSync(path4.join(gitRoot, ".gitmodules"));
+  return fs3.existsSync(path3.join(gitRoot, ".gitmodules"));
 }
 var getFileOidsUnderPath = async function(basePath) {
   const gitRoot = await getGitRoot(basePath);
@@ -131102,7 +130923,7 @@ async function getRef() {
   ) !== head;
   if (hasChangedRef) {
     const newRef = ref.replace(pull_ref_regex, "refs/pull/$1/head");
-    core8.debug(
+    core7.debug(
       `No longer on merge commit, rewriting ref from ${ref} to ${newRef}.`
     );
     return newRef;
@@ -131167,7 +130988,7 @@ async function writeOverlayChangesFile(config, sourceRoot, logger) {
   const diffRangeFiles = await getDiffRangeFilePaths(sourceRoot, logger);
   const changedFiles = [.../* @__PURE__ */ new Set([...oidChangedFiles, ...diffRangeFiles])];
   const changedFilesJson = JSON.stringify({ changes: changedFiles });
-  const overlayChangesFile = path5.join(
+  const overlayChangesFile = path4.join(
     getTemporaryDirectory(),
     "overlay-changes.json"
   );
@@ -131233,19 +131054,19 @@ async function getDiffRangeFilePaths(sourceRoot, logger) {
     return [...new Set(diffRanges.map((r) => r.path))];
   }
   const relativePaths = diffRanges.map(
-    (r) => path5.relative(sourceRoot, path5.join(repoRoot, r.path)).replaceAll(path5.sep, "/")
+    (r) => path4.relative(sourceRoot, path4.join(repoRoot, r.path)).replaceAll(path4.sep, "/")
   ).filter((rel) => !rel.startsWith(".."));
   return [...new Set(relativePaths)];
 }
 
 // src/tools-features.ts
-var semver4 = __toESM(require_semver2());
+var semver3 = __toESM(require_semver2());
 function isSupportedToolsFeature(versionInfo, feature) {
   return !!versionInfo.features && versionInfo.features[feature];
 }
 var SafeArtifactUploadVersion = "2.20.3";
 function isSafeArtifactUpload(codeQlVersion) {
-  return !codeQlVersion ? true : semver4.gte(codeQlVersion, SafeArtifactUploadVersion);
+  return !codeQlVersion ? true : semver3.gte(codeQlVersion, SafeArtifactUploadVersion);
 }
 
 // src/feature-flags.ts
@@ -131253,6 +131074,11 @@ var DEFAULT_VERSION_FEATURE_FLAG_PREFIX = "default_codeql_version_";
 var DEFAULT_VERSION_FEATURE_FLAG_SUFFIX = "_enabled";
 var CODEQL_VERSION_ZSTD_BUNDLE = "2.19.0";
 var featureConfig = {
+  ["allow_multiple_analysis_kinds" /* AllowMultipleAnalysisKinds */]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_ALLOW_MULTIPLE_ANALYSIS_KINDS",
+    minimumVersion: void 0
+  },
   ["allow_toolcache_input" /* AllowToolcacheInput */]: {
     defaultValue: false,
     envVar: "CODEQL_ACTION_ALLOW_TOOLCACHE_INPUT",
@@ -131570,7 +131396,7 @@ var Features = class extends OfflineFeatures {
     super(logger);
     this.gitHubFeatureFlags = new GitHubFeatureFlags(
       repositoryNwo,
-      path6.join(tempDir, FEATURE_FLAGS_FILE_NAME),
+      path5.join(tempDir, FEATURE_FLAGS_FILE_NAME),
       logger
     );
   }
@@ -131629,7 +131455,7 @@ var GitHubFeatureFlags = class {
       DEFAULT_VERSION_FEATURE_FLAG_PREFIX.length,
       f.length - DEFAULT_VERSION_FEATURE_FLAG_SUFFIX.length
     ).replace(/_/g, ".");
-    if (!semver5.valid(version)) {
+    if (!semver4.valid(version)) {
       this.logger.warning(
         `Ignoring feature flag ${f} as it does not specify a valid CodeQL version.`
       );
@@ -131788,7 +131614,184 @@ function initFeatures(gitHubVersion, repositoryNwo, tempDir, logger) {
   }
 }
 
+// src/analyses.ts
+var AnalysisKind = /* @__PURE__ */ ((AnalysisKind2) => {
+  AnalysisKind2["CodeScanning"] = "code-scanning";
+  AnalysisKind2["CodeQuality"] = "code-quality";
+  AnalysisKind2["RiskAssessment"] = "risk-assessment";
+  return AnalysisKind2;
+})(AnalysisKind || {});
+var supportedAnalysisKinds = new Set(Object.values(AnalysisKind));
+var CodeScanning = {
+  kind: "code-scanning" /* CodeScanning */,
+  name: "code scanning",
+  target: "PUT /repos/:owner/:repo/code-scanning/analysis" /* CODE_SCANNING */,
+  sarifExtension: ".sarif",
+  sarifPredicate: (name) => name.endsWith(CodeScanning.sarifExtension) && !CodeQuality.sarifPredicate(name) && !RiskAssessment.sarifPredicate(name),
+  fixCategory: (_2, category) => category,
+  sentinelPrefix: "CODEQL_UPLOAD_SARIF_",
+  transformPayload: (payload) => payload
+};
+var CodeQuality = {
+  kind: "code-quality" /* CodeQuality */,
+  name: "code quality",
+  target: "PUT /repos/:owner/:repo/code-quality/analysis" /* CODE_QUALITY */,
+  sarifExtension: ".quality.sarif",
+  sarifPredicate: (name) => name.endsWith(CodeQuality.sarifExtension),
+  fixCategory: fixCodeQualityCategory,
+  sentinelPrefix: "CODEQL_UPLOAD_QUALITY_SARIF_",
+  transformPayload: (payload) => payload
+};
+function addAssessmentId(payload) {
+  const rawAssessmentId = getRequiredEnvParam("CODEQL_ACTION_RISK_ASSESSMENT_ID" /* RISK_ASSESSMENT_ID */);
+  const assessmentId = parseInt(rawAssessmentId, 10);
+  if (Number.isNaN(assessmentId)) {
+    throw new Error(
+      `${"CODEQL_ACTION_RISK_ASSESSMENT_ID" /* RISK_ASSESSMENT_ID */} must not be NaN: ${rawAssessmentId}`
+    );
+  }
+  if (assessmentId < 0) {
+    throw new Error(
+      `${"CODEQL_ACTION_RISK_ASSESSMENT_ID" /* RISK_ASSESSMENT_ID */} must not be negative: ${rawAssessmentId}`
+    );
+  }
+  return { sarif: payload.sarif, assessment_id: assessmentId };
+}
+var RiskAssessment = {
+  kind: "risk-assessment" /* RiskAssessment */,
+  name: "code scanning risk assessment",
+  target: "PUT /repos/:owner/:repo/code-scanning/risk-assessment" /* RISK_ASSESSMENT */,
+  sarifExtension: ".csra.sarif",
+  sarifPredicate: (name) => name.endsWith(RiskAssessment.sarifExtension),
+  fixCategory: (_2, category) => category,
+  sentinelPrefix: "CODEQL_UPLOAD_CSRA_SARIF_",
+  transformPayload: addAssessmentId
+};
+
+// src/config/db-config.ts
+var jsonschema = __toESM(require_lib2());
+var semver5 = __toESM(require_semver2());
+
+// src/feature-flags/properties.ts
+var RepositoryPropertyName = /* @__PURE__ */ ((RepositoryPropertyName2) => {
+  RepositoryPropertyName2["DISABLE_OVERLAY"] = "github-codeql-disable-overlay";
+  RepositoryPropertyName2["EXTRA_QUERIES"] = "github-codeql-extra-queries";
+  RepositoryPropertyName2["FILE_COVERAGE_ON_PRS"] = "github-codeql-file-coverage-on-prs";
+  return RepositoryPropertyName2;
+})(RepositoryPropertyName || {});
+var KNOWN_REPOSITORY_PROPERTY_NAMES = new Set(
+  Object.values(RepositoryPropertyName)
+);
+
+// src/config/db-config.ts
+var PACK_IDENTIFIER_PATTERN = (function() {
+  const alphaNumeric = "[a-z0-9]";
+  const alphaNumericDash = "[a-z0-9-]";
+  const component = `${alphaNumeric}(${alphaNumericDash}*${alphaNumeric})?`;
+  return new RegExp(`^${component}/${component}$`);
+})();
+
+// src/diagnostics.ts
+var import_fs = require("fs");
+var import_path = __toESM(require("path"));
+
+// src/logging.ts
+var core8 = __toESM(require_core());
+function getActionsLogger() {
+  return {
+    debug: core8.debug,
+    info: core8.info,
+    warning: core8.warning,
+    error: core8.error,
+    isDebug: core8.isDebug,
+    startGroup: core8.startGroup,
+    endGroup: core8.endGroup
+  };
+}
+function withGroup(groupName, f) {
+  core8.startGroup(groupName);
+  try {
+    return f();
+  } finally {
+    core8.endGroup();
+  }
+}
+function formatDuration(durationMs) {
+  if (durationMs < 1e3) {
+    return `${durationMs}ms`;
+  }
+  if (durationMs < 60 * 1e3) {
+    return `${(durationMs / 1e3).toFixed(1)}s`;
+  }
+  const minutes = Math.floor(durationMs / (60 * 1e3));
+  const seconds = Math.floor(durationMs % (60 * 1e3) / 1e3);
+  return `${minutes}m${seconds}s`;
+}
+
+// src/diagnostics.ts
+var unwrittenDiagnostics = [];
+var unwrittenDefaultLanguageDiagnostics = [];
+var diagnosticCounter = 0;
+function makeDiagnostic(id, name, data = void 0) {
+  return {
+    ...data,
+    timestamp: data?.timestamp ?? (/* @__PURE__ */ new Date()).toISOString(),
+    source: { ...data?.source, id, name }
+  };
+}
+function addDiagnostic(config, language, diagnostic) {
+  const logger = getActionsLogger();
+  const databasePath = language ? getCodeQLDatabasePath(config, language) : config.dbLocation;
+  if ((0, import_fs.existsSync)(databasePath)) {
+    writeDiagnostic(config, language, diagnostic);
+  } else {
+    logger.debug(
+      `Writing a diagnostic for ${language}, but the database at ${databasePath} does not exist yet.`
+    );
+    unwrittenDiagnostics.push({ diagnostic, language });
+  }
+}
+function addNoLanguageDiagnostic(config, diagnostic) {
+  if (config !== void 0) {
+    addDiagnostic(
+      config,
+      // Arbitrarily choose the first language. We could also choose all languages, but that
+      // increases the risk of misinterpreting the data.
+      config.languages[0],
+      diagnostic
+    );
+  } else {
+    unwrittenDefaultLanguageDiagnostics.push(diagnostic);
+  }
+}
+function writeDiagnostic(config, language, diagnostic) {
+  const logger = getActionsLogger();
+  const databasePath = language ? getCodeQLDatabasePath(config, language) : config.dbLocation;
+  const diagnosticsPath = import_path.default.resolve(
+    databasePath,
+    "diagnostic",
+    "codeql-action"
+  );
+  try {
+    (0, import_fs.mkdirSync)(diagnosticsPath, { recursive: true });
+    const uniqueSuffix = (diagnosticCounter++).toString();
+    const sanitizedTimestamp = diagnostic.timestamp.replace(
+      /[^a-zA-Z0-9.-]/g,
+      ""
+    );
+    const jsonPath = import_path.default.resolve(
+      diagnosticsPath,
+      `codeql-action-${sanitizedTimestamp}-${uniqueSuffix}.json`
+    );
+    (0, import_fs.writeFileSync)(jsonPath, JSON.stringify(diagnostic));
+  } catch (err) {
+    logger.warning(`Unable to write diagnostic message to database: ${err}`);
+    logger.debug(JSON.stringify(diagnostic));
+  }
+}
+
 // src/diff-informed-analysis-utils.ts
+var fs6 = __toESM(require("fs"));
 function readDiffRangesJsonFile(logger) {
   const jsonFilePath = getDiffRangesJsonFilePath();
   if (!fs6.existsSync(jsonFilePath)) {

lib/resolve-environment-action.js

@@ -86170,57 +86170,8 @@ var fs4 = __toESM(require("fs"));
 var path5 = __toESM(require("path"));
 var core9 = __toESM(require_core());
 
-// src/analyses.ts
-var AnalysisKind = /* @__PURE__ */ ((AnalysisKind2) => {
-  AnalysisKind2["CodeScanning"] = "code-scanning";
-  AnalysisKind2["CodeQuality"] = "code-quality";
-  AnalysisKind2["RiskAssessment"] = "risk-assessment";
-  return AnalysisKind2;
-})(AnalysisKind || {});
-var supportedAnalysisKinds = new Set(Object.values(AnalysisKind));
-
-// src/caching-utils.ts
-var core6 = __toESM(require_core());
-
-// src/config/db-config.ts
-var jsonschema = __toESM(require_lib2());
-var semver2 = __toESM(require_semver2());
-
-// src/feature-flags/properties.ts
-var RepositoryPropertyName = /* @__PURE__ */ ((RepositoryPropertyName2) => {
-  RepositoryPropertyName2["DISABLE_OVERLAY"] = "github-codeql-disable-overlay";
-  RepositoryPropertyName2["EXTRA_QUERIES"] = "github-codeql-extra-queries";
-  RepositoryPropertyName2["FILE_COVERAGE_ON_PRS"] = "github-codeql-file-coverage-on-prs";
-  return RepositoryPropertyName2;
-})(RepositoryPropertyName || {});
-var KNOWN_REPOSITORY_PROPERTY_NAMES = new Set(
-  Object.values(RepositoryPropertyName)
-);
-
-// src/config/db-config.ts
-var PACK_IDENTIFIER_PATTERN = (function() {
-  const alphaNumeric = "[a-z0-9]";
-  const alphaNumericDash = "[a-z0-9-]";
-  const component = `${alphaNumeric}(${alphaNumericDash}*${alphaNumeric})?`;
-  return new RegExp(`^${component}/${component}$`);
-})();
-
-// src/logging.ts
-var core7 = __toESM(require_core());
-function getActionsLogger() {
-  return {
-    debug: core7.debug,
-    info: core7.info,
-    warning: core7.warning,
-    error: core7.error,
-    isDebug: core7.isDebug,
-    startGroup: core7.startGroup,
-    endGroup: core7.endGroup
-  };
-}
-
 // src/feature-flags.ts
-var semver5 = __toESM(require_semver2());
+var semver4 = __toESM(require_semver2());
 
 // src/overlay/index.ts
 var fs3 = __toESM(require("fs"));
@@ -86229,14 +86180,14 @@ var path4 = __toESM(require("path"));
 // src/git-utils.ts
 var fs2 = __toESM(require("fs"));
 var path3 = __toESM(require("path"));
-var core8 = __toESM(require_core());
+var core6 = __toESM(require_core());
 var toolrunner2 = __toESM(require_toolrunner());
 var io3 = __toESM(require_io());
-var semver3 = __toESM(require_semver2());
+var semver2 = __toESM(require_semver2());
 var runGitCommand = async function(workingDirectory, args, customErrorMessage, options) {
   let stdout = "";
   let stderr = "";
-  core8.debug(`Running git command: git ${args.join(" ")}`);
+  core6.debug(`Running git command: git ${args.join(" ")}`);
   try {
     await new toolrunner2.ToolRunner(await io3.which("git", true), args, {
       silent: true,
@@ -86257,7 +86208,7 @@ var runGitCommand = async function(workingDirectory, args, customErrorMessage, o
     if (stderr.includes("not a git repository")) {
       reason = "The checkout path provided to the action does not appear to be a git repository.";
     }
-    core8.info(`git call failed. ${customErrorMessage} Error: ${reason}`);
+    core6.info(`git call failed. ${customErrorMessage} Error: ${reason}`);
     throw error3;
   }
 };
@@ -86386,7 +86337,7 @@ async function getRef() {
   ) !== head;
   if (hasChangedRef) {
     const newRef = ref.replace(pull_ref_regex, "refs/pull/$1/head");
-    core8.debug(
+    core6.debug(
       `No longer on merge commit, rewriting ref from ${ref} to ${newRef}.`
     );
     return newRef;
@@ -86523,13 +86474,18 @@ async function getDiffRangeFilePaths(sourceRoot, logger) {
 }
 
 // src/tools-features.ts
-var semver4 = __toESM(require_semver2());
+var semver3 = __toESM(require_semver2());
 function isSupportedToolsFeature(versionInfo, feature) {
   return !!versionInfo.features && versionInfo.features[feature];
 }
 
 // src/feature-flags.ts
 var featureConfig = {
+  ["allow_multiple_analysis_kinds" /* AllowMultipleAnalysisKinds */]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_ALLOW_MULTIPLE_ANALYSIS_KINDS",
+    minimumVersion: void 0
+  },
   ["allow_toolcache_input" /* AllowToolcacheInput */]: {
     defaultValue: false,
     envVar: "CODEQL_ACTION_ALLOW_TOOLCACHE_INPUT",
@@ -86738,6 +86694,55 @@ var featureConfig = {
   }
 };
 
+// src/analyses.ts
+var AnalysisKind = /* @__PURE__ */ ((AnalysisKind2) => {
+  AnalysisKind2["CodeScanning"] = "code-scanning";
+  AnalysisKind2["CodeQuality"] = "code-quality";
+  AnalysisKind2["RiskAssessment"] = "risk-assessment";
+  return AnalysisKind2;
+})(AnalysisKind || {});
+var supportedAnalysisKinds = new Set(Object.values(AnalysisKind));
+
+// src/caching-utils.ts
+var core7 = __toESM(require_core());
+
+// src/config/db-config.ts
+var jsonschema = __toESM(require_lib2());
+var semver5 = __toESM(require_semver2());
+
+// src/feature-flags/properties.ts
+var RepositoryPropertyName = /* @__PURE__ */ ((RepositoryPropertyName2) => {
+  RepositoryPropertyName2["DISABLE_OVERLAY"] = "github-codeql-disable-overlay";
+  RepositoryPropertyName2["EXTRA_QUERIES"] = "github-codeql-extra-queries";
+  RepositoryPropertyName2["FILE_COVERAGE_ON_PRS"] = "github-codeql-file-coverage-on-prs";
+  return RepositoryPropertyName2;
+})(RepositoryPropertyName || {});
+var KNOWN_REPOSITORY_PROPERTY_NAMES = new Set(
+  Object.values(RepositoryPropertyName)
+);
+
+// src/config/db-config.ts
+var PACK_IDENTIFIER_PATTERN = (function() {
+  const alphaNumeric = "[a-z0-9]";
+  const alphaNumericDash = "[a-z0-9-]";
+  const component = `${alphaNumeric}(${alphaNumericDash}*${alphaNumeric})?`;
+  return new RegExp(`^${component}/${component}$`);
+})();
+
+// src/logging.ts
+var core8 = __toESM(require_core());
+function getActionsLogger() {
+  return {
+    debug: core8.debug,
+    info: core8.info,
+    warning: core8.warning,
+    error: core8.error,
+    isDebug: core8.isDebug,
+    startGroup: core8.startGroup,
+    endGroup: core8.endGroup
+  };
+}
+
 // src/languages/builtin.json
 var builtin_default = {
   languages: [

lib/setup-codeql-action.js

@@ -86381,6 +86381,11 @@ var DEFAULT_VERSION_FEATURE_FLAG_PREFIX = "default_codeql_version_";
 var DEFAULT_VERSION_FEATURE_FLAG_SUFFIX = "_enabled";
 var CODEQL_VERSION_ZSTD_BUNDLE = "2.19.0";
 var featureConfig = {
+  ["allow_multiple_analysis_kinds" /* AllowMultipleAnalysisKinds */]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_ALLOW_MULTIPLE_ANALYSIS_KINDS",
+    minimumVersion: void 0
+  },
   ["allow_toolcache_input" /* AllowToolcacheInput */]: {
     defaultValue: false,
     envVar: "CODEQL_ACTION_ALLOW_TOOLCACHE_INPUT",

lib/start-proxy-action-post.js

@@ -126977,63 +126977,14 @@ var fs = __toESM(require("fs"));
 var path = __toESM(require("path"));
 var core9 = __toESM(require_core());
 
-// src/analyses.ts
-var AnalysisKind = /* @__PURE__ */ ((AnalysisKind2) => {
-  AnalysisKind2["CodeScanning"] = "code-scanning";
-  AnalysisKind2["CodeQuality"] = "code-quality";
-  AnalysisKind2["RiskAssessment"] = "risk-assessment";
-  return AnalysisKind2;
-})(AnalysisKind || {});
-var supportedAnalysisKinds = new Set(Object.values(AnalysisKind));
-
-// src/caching-utils.ts
-var core6 = __toESM(require_core());
-
-// src/config/db-config.ts
-var jsonschema = __toESM(require_lib2());
-var semver2 = __toESM(require_semver2());
-
-// src/feature-flags/properties.ts
-var RepositoryPropertyName = /* @__PURE__ */ ((RepositoryPropertyName2) => {
-  RepositoryPropertyName2["DISABLE_OVERLAY"] = "github-codeql-disable-overlay";
-  RepositoryPropertyName2["EXTRA_QUERIES"] = "github-codeql-extra-queries";
-  RepositoryPropertyName2["FILE_COVERAGE_ON_PRS"] = "github-codeql-file-coverage-on-prs";
-  return RepositoryPropertyName2;
-})(RepositoryPropertyName || {});
-var KNOWN_REPOSITORY_PROPERTY_NAMES = new Set(
-  Object.values(RepositoryPropertyName)
-);
-
-// src/config/db-config.ts
-var PACK_IDENTIFIER_PATTERN = (function() {
-  const alphaNumeric = "[a-z0-9]";
-  const alphaNumericDash = "[a-z0-9-]";
-  const component = `${alphaNumeric}(${alphaNumericDash}*${alphaNumeric})?`;
-  return new RegExp(`^${component}/${component}$`);
-})();
-
-// src/logging.ts
-var core7 = __toESM(require_core());
-function getActionsLogger() {
-  return {
-    debug: core7.debug,
-    info: core7.info,
-    warning: core7.warning,
-    error: core7.error,
-    isDebug: core7.isDebug,
-    startGroup: core7.startGroup,
-    endGroup: core7.endGroup
-  };
-}
-
 // src/feature-flags.ts
-var semver5 = __toESM(require_semver2());
+var semver4 = __toESM(require_semver2());
 
 // src/git-utils.ts
-var core8 = __toESM(require_core());
+var core6 = __toESM(require_core());
 var toolrunner2 = __toESM(require_toolrunner());
 var io3 = __toESM(require_io());
-var semver3 = __toESM(require_semver2());
+var semver2 = __toESM(require_semver2());
 
 // src/overlay/index.ts
 var CODEQL_OVERLAY_MINIMUM_VERSION = "2.23.8";
@@ -127046,10 +126997,15 @@ var CODEQL_OVERLAY_MINIMUM_VERSION_PYTHON = "2.23.9";
 var CODEQL_OVERLAY_MINIMUM_VERSION_RUBY = "2.23.9";
 
 // src/tools-features.ts
-var semver4 = __toESM(require_semver2());
+var semver3 = __toESM(require_semver2());
 
 // src/feature-flags.ts
 var featureConfig = {
+  ["allow_multiple_analysis_kinds" /* AllowMultipleAnalysisKinds */]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_ALLOW_MULTIPLE_ANALYSIS_KINDS",
+    minimumVersion: void 0
+  },
   ["allow_toolcache_input" /* AllowToolcacheInput */]: {
     defaultValue: false,
     envVar: "CODEQL_ACTION_ALLOW_TOOLCACHE_INPUT",
@@ -127258,6 +127214,55 @@ var featureConfig = {
   }
 };
 
+// src/analyses.ts
+var AnalysisKind = /* @__PURE__ */ ((AnalysisKind2) => {
+  AnalysisKind2["CodeScanning"] = "code-scanning";
+  AnalysisKind2["CodeQuality"] = "code-quality";
+  AnalysisKind2["RiskAssessment"] = "risk-assessment";
+  return AnalysisKind2;
+})(AnalysisKind || {});
+var supportedAnalysisKinds = new Set(Object.values(AnalysisKind));
+
+// src/caching-utils.ts
+var core7 = __toESM(require_core());
+
+// src/config/db-config.ts
+var jsonschema = __toESM(require_lib2());
+var semver5 = __toESM(require_semver2());
+
+// src/feature-flags/properties.ts
+var RepositoryPropertyName = /* @__PURE__ */ ((RepositoryPropertyName2) => {
+  RepositoryPropertyName2["DISABLE_OVERLAY"] = "github-codeql-disable-overlay";
+  RepositoryPropertyName2["EXTRA_QUERIES"] = "github-codeql-extra-queries";
+  RepositoryPropertyName2["FILE_COVERAGE_ON_PRS"] = "github-codeql-file-coverage-on-prs";
+  return RepositoryPropertyName2;
+})(RepositoryPropertyName || {});
+var KNOWN_REPOSITORY_PROPERTY_NAMES = new Set(
+  Object.values(RepositoryPropertyName)
+);
+
+// src/config/db-config.ts
+var PACK_IDENTIFIER_PATTERN = (function() {
+  const alphaNumeric = "[a-z0-9]";
+  const alphaNumericDash = "[a-z0-9-]";
+  const component = `${alphaNumeric}(${alphaNumericDash}*${alphaNumeric})?`;
+  return new RegExp(`^${component}/${component}$`);
+})();
+
+// src/logging.ts
+var core8 = __toESM(require_core());
+function getActionsLogger() {
+  return {
+    debug: core8.debug,
+    info: core8.info,
+    warning: core8.warning,
+    error: core8.error,
+    isDebug: core8.isDebug,
+    startGroup: core8.startGroup,
+    endGroup: core8.endGroup
+  };
+}
+
 // src/languages/builtin.json
 var builtin_default = {
   languages: [

lib/start-proxy-action.js

@@ -103178,6 +103178,11 @@ var semver3 = __toESM(require_semver2());
 var DEFAULT_VERSION_FEATURE_FLAG_PREFIX = "default_codeql_version_";
 var DEFAULT_VERSION_FEATURE_FLAG_SUFFIX = "_enabled";
 var featureConfig = {
+  ["allow_multiple_analysis_kinds" /* AllowMultipleAnalysisKinds */]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_ALLOW_MULTIPLE_ANALYSIS_KINDS",
+    minimumVersion: void 0
+  },
   ["allow_toolcache_input" /* AllowToolcacheInput */]: {
     defaultValue: false,
     envVar: "CODEQL_ACTION_ALLOW_TOOLCACHE_INPUT",

lib/upload-sarif-action-post.js

@@ -126983,223 +126983,14 @@ var import_archiver = __toESM(require_archiver());
 // src/analyze.ts
 var io5 = __toESM(require_io());
 
-// src/analyses.ts
-var AnalysisKind = /* @__PURE__ */ ((AnalysisKind2) => {
-  AnalysisKind2["CodeScanning"] = "code-scanning";
-  AnalysisKind2["CodeQuality"] = "code-quality";
-  AnalysisKind2["RiskAssessment"] = "risk-assessment";
-  return AnalysisKind2;
-})(AnalysisKind || {});
-var supportedAnalysisKinds = new Set(Object.values(AnalysisKind));
-
-// src/autobuild.ts
-var core12 = __toESM(require_core());
-
-// src/codeql.ts
-var core11 = __toESM(require_core());
-var toolrunner3 = __toESM(require_toolrunner());
-
-// src/cli-errors.ts
-var cliErrorsConfig = {
-  ["AutobuildError" /* AutobuildError */]: {
-    cliErrorMessageCandidates: [
-      new RegExp("We were unable to automatically build your code")
-    ]
-  },
-  ["CouldNotCreateTempDir" /* CouldNotCreateTempDir */]: {
-    cliErrorMessageCandidates: [new RegExp("Could not create temp directory")]
-  },
-  ["ExternalRepositoryCloneFailed" /* ExternalRepositoryCloneFailed */]: {
-    cliErrorMessageCandidates: [
-      new RegExp("Failed to clone external Git repository")
-    ]
-  },
-  ["GradleBuildFailed" /* GradleBuildFailed */]: {
-    cliErrorMessageCandidates: [
-      new RegExp("\\[autobuild\\] FAILURE: Build failed with an exception.")
-    ]
-  },
-  // Version of CodeQL CLI is incompatible with this version of the CodeQL Action
-  ["IncompatibleWithActionVersion" /* IncompatibleWithActionVersion */]: {
-    cliErrorMessageCandidates: [
-      new RegExp("is not compatible with this CodeQL CLI")
-    ]
-  },
-  ["InitCalledTwice" /* InitCalledTwice */]: {
-    cliErrorMessageCandidates: [
-      new RegExp(
-        "Refusing to create databases .* but could not process any of it"
-      )
-    ],
-    additionalErrorMessageToAppend: `Is the "init" action called twice in the same job?`
-  },
-  ["InvalidConfigFile" /* InvalidConfigFile */]: {
-    cliErrorMessageCandidates: [
-      new RegExp("Config file .* is not valid"),
-      new RegExp("The supplied config file is empty")
-    ]
-  },
-  ["InvalidExternalRepoSpecifier" /* InvalidExternalRepoSpecifier */]: {
-    cliErrorMessageCandidates: [
-      new RegExp("Specifier for external repository is invalid")
-    ]
-  },
-  // Expected source location for database creation does not exist
-  ["InvalidSourceRoot" /* InvalidSourceRoot */]: {
-    cliErrorMessageCandidates: [new RegExp("Invalid source root")]
-  },
-  ["MavenBuildFailed" /* MavenBuildFailed */]: {
-    cliErrorMessageCandidates: [
-      new RegExp("\\[autobuild\\] \\[ERROR\\] Failed to execute goal")
-    ]
-  },
-  ["NoBuildCommandAutodetected" /* NoBuildCommandAutodetected */]: {
-    cliErrorMessageCandidates: [
-      new RegExp("Could not auto-detect a suitable build method")
-    ]
-  },
-  ["NoBuildMethodAutodetected" /* NoBuildMethodAutodetected */]: {
-    cliErrorMessageCandidates: [
-      new RegExp(
-        "Could not detect a suitable build command for the source checkout"
-      )
-    ]
-  },
-  // Usually when a manual build script has failed, or if an autodetected language
-  // was unintended to have CodeQL analysis run on it.
-  ["NoSourceCodeSeen" /* NoSourceCodeSeen */]: {
-    exitCode: 32,
-    cliErrorMessageCandidates: [
-      new RegExp(
-        "CodeQL detected code written in .* but could not process any of it"
-      ),
-      new RegExp(
-        "CodeQL did not detect any code written in languages supported by CodeQL"
-      )
-    ]
-  },
-  ["NoSupportedBuildCommandSucceeded" /* NoSupportedBuildCommandSucceeded */]: {
-    cliErrorMessageCandidates: [
-      new RegExp("No supported build command succeeded")
-    ]
-  },
-  ["NoSupportedBuildSystemDetected" /* NoSupportedBuildSystemDetected */]: {
-    cliErrorMessageCandidates: [
-      new RegExp("No supported build system detected")
-    ]
-  },
-  ["OutOfMemoryOrDisk" /* OutOfMemoryOrDisk */]: {
-    cliErrorMessageCandidates: [
-      new RegExp("CodeQL is out of memory."),
-      new RegExp("out of disk"),
-      new RegExp("No space left on device")
-    ],
-    additionalErrorMessageToAppend: "For more information, see https://gh.io/troubleshooting-code-scanning/out-of-disk-or-memory"
-  },
-  ["PackCannotBeFound" /* PackCannotBeFound */]: {
-    cliErrorMessageCandidates: [
-      new RegExp(
-        "Query pack .* cannot be found\\. Check the spelling of the pack\\."
-      ),
-      new RegExp(
-        "is not a .ql file, .qls file, a directory, or a query pack specification."
-      )
-    ]
-  },
-  ["PackMissingAuth" /* PackMissingAuth */]: {
-    cliErrorMessageCandidates: [
-      new RegExp("GitHub Container registry .* 403 Forbidden"),
-      new RegExp(
-        "Do you need to specify a token to authenticate to the registry?"
-      )
-    ]
-  },
-  ["SwiftBuildFailed" /* SwiftBuildFailed */]: {
-    cliErrorMessageCandidates: [
-      new RegExp(
-        "\\[autobuilder/build\\] \\[build-command-failed\\] `autobuild` failed to run the build command"
-      )
-    ]
-  },
-  ["SwiftIncompatibleOs" /* SwiftIncompatibleOs */]: {
-    cliErrorMessageCandidates: [
-      new RegExp("\\[incompatible-os\\]"),
-      new RegExp("Swift analysis is only supported on macOS")
-    ]
-  },
-  ["UnsupportedBuildMode" /* UnsupportedBuildMode */]: {
-    cliErrorMessageCandidates: [
-      new RegExp(
-        "does not support the .* build mode. Please try using one of the following build modes instead"
-      )
-    ]
-  },
-  ["NotFoundInRegistry" /* NotFoundInRegistry */]: {
-    cliErrorMessageCandidates: [
-      new RegExp("'.*' not found in the registry '.*'")
-    ]
-  }
-};
-
-// src/config-utils.ts
-var core9 = __toESM(require_core());
-
-// src/caching-utils.ts
-var core6 = __toESM(require_core());
-
-// src/config/db-config.ts
-var jsonschema = __toESM(require_lib5());
-var semver2 = __toESM(require_semver2());
-
-// src/feature-flags/properties.ts
-var RepositoryPropertyName = /* @__PURE__ */ ((RepositoryPropertyName2) => {
-  RepositoryPropertyName2["DISABLE_OVERLAY"] = "github-codeql-disable-overlay";
-  RepositoryPropertyName2["EXTRA_QUERIES"] = "github-codeql-extra-queries";
-  RepositoryPropertyName2["FILE_COVERAGE_ON_PRS"] = "github-codeql-file-coverage-on-prs";
-  return RepositoryPropertyName2;
-})(RepositoryPropertyName || {});
-var KNOWN_REPOSITORY_PROPERTY_NAMES = new Set(
-  Object.values(RepositoryPropertyName)
-);
-
-// src/config/db-config.ts
-var PACK_IDENTIFIER_PATTERN = (function() {
-  const alphaNumeric = "[a-z0-9]";
-  const alphaNumericDash = "[a-z0-9-]";
-  const component = `${alphaNumeric}(${alphaNumericDash}*${alphaNumeric})?`;
-  return new RegExp(`^${component}/${component}$`);
-})();
-
-// src/logging.ts
-var core7 = __toESM(require_core());
-function getActionsLogger() {
-  return {
-    debug: core7.debug,
-    info: core7.info,
-    warning: core7.warning,
-    error: core7.error,
-    isDebug: core7.isDebug,
-    startGroup: core7.startGroup,
-    endGroup: core7.endGroup
-  };
-}
-function withGroup(groupName, f) {
-  core7.startGroup(groupName);
-  try {
-    return f();
-  } finally {
-    core7.endGroup();
-  }
-}
-
 // src/feature-flags.ts
-var semver5 = __toESM(require_semver2());
+var semver4 = __toESM(require_semver2());
 
 // src/git-utils.ts
-var core8 = __toESM(require_core());
+var core6 = __toESM(require_core());
 var toolrunner2 = __toESM(require_toolrunner());
 var io3 = __toESM(require_io());
-var semver3 = __toESM(require_semver2());
+var semver2 = __toESM(require_semver2());
 
 // src/overlay/index.ts
 var CODEQL_OVERLAY_MINIMUM_VERSION = "2.23.8";
@@ -127212,14 +127003,19 @@ var CODEQL_OVERLAY_MINIMUM_VERSION_PYTHON = "2.23.9";
 var CODEQL_OVERLAY_MINIMUM_VERSION_RUBY = "2.23.9";
 
 // src/tools-features.ts
-var semver4 = __toESM(require_semver2());
+var semver3 = __toESM(require_semver2());
 var SafeArtifactUploadVersion = "2.20.3";
 function isSafeArtifactUpload(codeQlVersion) {
-  return !codeQlVersion ? true : semver4.gte(codeQlVersion, SafeArtifactUploadVersion);
+  return !codeQlVersion ? true : semver3.gte(codeQlVersion, SafeArtifactUploadVersion);
 }
 
 // src/feature-flags.ts
 var featureConfig = {
+  ["allow_multiple_analysis_kinds" /* AllowMultipleAnalysisKinds */]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_ALLOW_MULTIPLE_ANALYSIS_KINDS",
+    minimumVersion: void 0
+  },
   ["allow_toolcache_input" /* AllowToolcacheInput */]: {
     defaultValue: false,
     envVar: "CODEQL_ACTION_ALLOW_TOOLCACHE_INPUT",
@@ -127428,6 +127224,215 @@ var featureConfig = {
   }
 };
 
+// src/analyses.ts
+var AnalysisKind = /* @__PURE__ */ ((AnalysisKind2) => {
+  AnalysisKind2["CodeScanning"] = "code-scanning";
+  AnalysisKind2["CodeQuality"] = "code-quality";
+  AnalysisKind2["RiskAssessment"] = "risk-assessment";
+  return AnalysisKind2;
+})(AnalysisKind || {});
+var supportedAnalysisKinds = new Set(Object.values(AnalysisKind));
+
+// src/autobuild.ts
+var core12 = __toESM(require_core());
+
+// src/codeql.ts
+var core11 = __toESM(require_core());
+var toolrunner3 = __toESM(require_toolrunner());
+
+// src/cli-errors.ts
+var cliErrorsConfig = {
+  ["AutobuildError" /* AutobuildError */]: {
+    cliErrorMessageCandidates: [
+      new RegExp("We were unable to automatically build your code")
+    ]
+  },
+  ["CouldNotCreateTempDir" /* CouldNotCreateTempDir */]: {
+    cliErrorMessageCandidates: [new RegExp("Could not create temp directory")]
+  },
+  ["ExternalRepositoryCloneFailed" /* ExternalRepositoryCloneFailed */]: {
+    cliErrorMessageCandidates: [
+      new RegExp("Failed to clone external Git repository")
+    ]
+  },
+  ["GradleBuildFailed" /* GradleBuildFailed */]: {
+    cliErrorMessageCandidates: [
+      new RegExp("\\[autobuild\\] FAILURE: Build failed with an exception.")
+    ]
+  },
+  // Version of CodeQL CLI is incompatible with this version of the CodeQL Action
+  ["IncompatibleWithActionVersion" /* IncompatibleWithActionVersion */]: {
+    cliErrorMessageCandidates: [
+      new RegExp("is not compatible with this CodeQL CLI")
+    ]
+  },
+  ["InitCalledTwice" /* InitCalledTwice */]: {
+    cliErrorMessageCandidates: [
+      new RegExp(
+        "Refusing to create databases .* but could not process any of it"
+      )
+    ],
+    additionalErrorMessageToAppend: `Is the "init" action called twice in the same job?`
+  },
+  ["InvalidConfigFile" /* InvalidConfigFile */]: {
+    cliErrorMessageCandidates: [
+      new RegExp("Config file .* is not valid"),
+      new RegExp("The supplied config file is empty")
+    ]
+  },
+  ["InvalidExternalRepoSpecifier" /* InvalidExternalRepoSpecifier */]: {
+    cliErrorMessageCandidates: [
+      new RegExp("Specifier for external repository is invalid")
+    ]
+  },
+  // Expected source location for database creation does not exist
+  ["InvalidSourceRoot" /* InvalidSourceRoot */]: {
+    cliErrorMessageCandidates: [new RegExp("Invalid source root")]
+  },
+  ["MavenBuildFailed" /* MavenBuildFailed */]: {
+    cliErrorMessageCandidates: [
+      new RegExp("\\[autobuild\\] \\[ERROR\\] Failed to execute goal")
+    ]
+  },
+  ["NoBuildCommandAutodetected" /* NoBuildCommandAutodetected */]: {
+    cliErrorMessageCandidates: [
+      new RegExp("Could not auto-detect a suitable build method")
+    ]
+  },
+  ["NoBuildMethodAutodetected" /* NoBuildMethodAutodetected */]: {
+    cliErrorMessageCandidates: [
+      new RegExp(
+        "Could not detect a suitable build command for the source checkout"
+      )
+    ]
+  },
+  // Usually when a manual build script has failed, or if an autodetected language
+  // was unintended to have CodeQL analysis run on it.
+  ["NoSourceCodeSeen" /* NoSourceCodeSeen */]: {
+    exitCode: 32,
+    cliErrorMessageCandidates: [
+      new RegExp(
+        "CodeQL detected code written in .* but could not process any of it"
+      ),
+      new RegExp(
+        "CodeQL did not detect any code written in languages supported by CodeQL"
+      )
+    ]
+  },
+  ["NoSupportedBuildCommandSucceeded" /* NoSupportedBuildCommandSucceeded */]: {
+    cliErrorMessageCandidates: [
+      new RegExp("No supported build command succeeded")
+    ]
+  },
+  ["NoSupportedBuildSystemDetected" /* NoSupportedBuildSystemDetected */]: {
+    cliErrorMessageCandidates: [
+      new RegExp("No supported build system detected")
+    ]
+  },
+  ["OutOfMemoryOrDisk" /* OutOfMemoryOrDisk */]: {
+    cliErrorMessageCandidates: [
+      new RegExp("CodeQL is out of memory."),
+      new RegExp("out of disk"),
+      new RegExp("No space left on device")
+    ],
+    additionalErrorMessageToAppend: "For more information, see https://gh.io/troubleshooting-code-scanning/out-of-disk-or-memory"
+  },
+  ["PackCannotBeFound" /* PackCannotBeFound */]: {
+    cliErrorMessageCandidates: [
+      new RegExp(
+        "Query pack .* cannot be found\\. Check the spelling of the pack\\."
+      ),
+      new RegExp(
+        "is not a .ql file, .qls file, a directory, or a query pack specification."
+      )
+    ]
+  },
+  ["PackMissingAuth" /* PackMissingAuth */]: {
+    cliErrorMessageCandidates: [
+      new RegExp("GitHub Container registry .* 403 Forbidden"),
+      new RegExp(
+        "Do you need to specify a token to authenticate to the registry?"
+      )
+    ]
+  },
+  ["SwiftBuildFailed" /* SwiftBuildFailed */]: {
+    cliErrorMessageCandidates: [
+      new RegExp(
+        "\\[autobuilder/build\\] \\[build-command-failed\\] `autobuild` failed to run the build command"
+      )
+    ]
+  },
+  ["SwiftIncompatibleOs" /* SwiftIncompatibleOs */]: {
+    cliErrorMessageCandidates: [
+      new RegExp("\\[incompatible-os\\]"),
+      new RegExp("Swift analysis is only supported on macOS")
+    ]
+  },
+  ["UnsupportedBuildMode" /* UnsupportedBuildMode */]: {
+    cliErrorMessageCandidates: [
+      new RegExp(
+        "does not support the .* build mode. Please try using one of the following build modes instead"
+      )
+    ]
+  },
+  ["NotFoundInRegistry" /* NotFoundInRegistry */]: {
+    cliErrorMessageCandidates: [
+      new RegExp("'.*' not found in the registry '.*'")
+    ]
+  }
+};
+
+// src/config-utils.ts
+var core9 = __toESM(require_core());
+
+// src/caching-utils.ts
+var core7 = __toESM(require_core());
+
+// src/config/db-config.ts
+var jsonschema = __toESM(require_lib5());
+var semver5 = __toESM(require_semver2());
+
+// src/feature-flags/properties.ts
+var RepositoryPropertyName = /* @__PURE__ */ ((RepositoryPropertyName2) => {
+  RepositoryPropertyName2["DISABLE_OVERLAY"] = "github-codeql-disable-overlay";
+  RepositoryPropertyName2["EXTRA_QUERIES"] = "github-codeql-extra-queries";
+  RepositoryPropertyName2["FILE_COVERAGE_ON_PRS"] = "github-codeql-file-coverage-on-prs";
+  return RepositoryPropertyName2;
+})(RepositoryPropertyName || {});
+var KNOWN_REPOSITORY_PROPERTY_NAMES = new Set(
+  Object.values(RepositoryPropertyName)
+);
+
+// src/config/db-config.ts
+var PACK_IDENTIFIER_PATTERN = (function() {
+  const alphaNumeric = "[a-z0-9]";
+  const alphaNumericDash = "[a-z0-9-]";
+  const component = `${alphaNumeric}(${alphaNumericDash}*${alphaNumeric})?`;
+  return new RegExp(`^${component}/${component}$`);
+})();
+
+// src/logging.ts
+var core8 = __toESM(require_core());
+function getActionsLogger() {
+  return {
+    debug: core8.debug,
+    info: core8.info,
+    warning: core8.warning,
+    error: core8.error,
+    isDebug: core8.isDebug,
+    startGroup: core8.startGroup,
+    endGroup: core8.endGroup
+  };
+}
+function withGroup(groupName, f) {
+  core8.startGroup(groupName);
+  try {
+    return f();
+  } finally {
+    core8.endGroup();
+  }
+}
+
 // src/languages/builtin.json
 var builtin_default = {
   languages: [

lib/upload-sarif-action.js

@@ -88693,74 +88693,10 @@ function fixCodeQualityCategory(logger, category) {
   return category;
 }
 
-// src/analyses.ts
-var AnalysisKind = /* @__PURE__ */ ((AnalysisKind2) => {
-  AnalysisKind2["CodeScanning"] = "code-scanning";
-  AnalysisKind2["CodeQuality"] = "code-quality";
-  AnalysisKind2["RiskAssessment"] = "risk-assessment";
-  return AnalysisKind2;
-})(AnalysisKind || {});
-var supportedAnalysisKinds = new Set(Object.values(AnalysisKind));
-var CodeScanning = {
-  kind: "code-scanning" /* CodeScanning */,
-  name: "code scanning",
-  target: "PUT /repos/:owner/:repo/code-scanning/analysis" /* CODE_SCANNING */,
-  sarifExtension: ".sarif",
-  sarifPredicate: (name) => name.endsWith(CodeScanning.sarifExtension) && !CodeQuality.sarifPredicate(name) && !RiskAssessment.sarifPredicate(name),
-  fixCategory: (_, category) => category,
-  sentinelPrefix: "CODEQL_UPLOAD_SARIF_",
-  transformPayload: (payload) => payload
-};
-var CodeQuality = {
-  kind: "code-quality" /* CodeQuality */,
-  name: "code quality",
-  target: "PUT /repos/:owner/:repo/code-quality/analysis" /* CODE_QUALITY */,
-  sarifExtension: ".quality.sarif",
-  sarifPredicate: (name) => name.endsWith(CodeQuality.sarifExtension),
-  fixCategory: fixCodeQualityCategory,
-  sentinelPrefix: "CODEQL_UPLOAD_QUALITY_SARIF_",
-  transformPayload: (payload) => payload
-};
-function addAssessmentId(payload) {
-  const rawAssessmentId = getRequiredEnvParam("CODEQL_ACTION_RISK_ASSESSMENT_ID" /* RISK_ASSESSMENT_ID */);
-  const assessmentId = parseInt(rawAssessmentId, 10);
-  if (Number.isNaN(assessmentId)) {
-    throw new Error(
-      `${"CODEQL_ACTION_RISK_ASSESSMENT_ID" /* RISK_ASSESSMENT_ID */} must not be NaN: ${rawAssessmentId}`
-    );
-  }
-  if (assessmentId < 0) {
-    throw new Error(
-      `${"CODEQL_ACTION_RISK_ASSESSMENT_ID" /* RISK_ASSESSMENT_ID */} must not be negative: ${rawAssessmentId}`
-    );
-  }
-  return { sarif: payload.sarif, assessment_id: assessmentId };
-}
-var RiskAssessment = {
-  kind: "risk-assessment" /* RiskAssessment */,
-  name: "code scanning risk assessment",
-  target: "PUT /repos/:owner/:repo/code-scanning/risk-assessment" /* RISK_ASSESSMENT */,
-  sarifExtension: ".csra.sarif",
-  sarifPredicate: (name) => name.endsWith(RiskAssessment.sarifExtension),
-  fixCategory: (_, category) => category,
-  sentinelPrefix: "CODEQL_UPLOAD_CSRA_SARIF_",
-  transformPayload: addAssessmentId
-};
-function getAnalysisConfig(kind) {
-  switch (kind) {
-    case "code-scanning" /* CodeScanning */:
-      return CodeScanning;
-    case "code-quality" /* CodeQuality */:
-      return CodeQuality;
-    case "risk-assessment" /* RiskAssessment */:
-      return RiskAssessment;
-  }
-}
-var SarifScanOrder = [
-  RiskAssessment,
-  CodeQuality,
-  CodeScanning
-];
+// src/feature-flags.ts
+var fs5 = __toESM(require("fs"));
+var path5 = __toESM(require("path"));
+var semver4 = __toESM(require_semver2());
 
 // src/api-client.ts
 var core5 = __toESM(require_core());
@@ -89012,11 +88948,6 @@ function wrapApiConfigurationError(e) {
   return e;
 }
 
-// src/feature-flags.ts
-var fs5 = __toESM(require("fs"));
-var path5 = __toESM(require("path"));
-var semver4 = __toESM(require_semver2());
-
 // src/defaults.json
 var bundleVersion = "codeql-bundle-v2.25.4";
 var cliVersion = "2.25.4";
@@ -89366,6 +89297,11 @@ var DEFAULT_VERSION_FEATURE_FLAG_PREFIX = "default_codeql_version_";
 var DEFAULT_VERSION_FEATURE_FLAG_SUFFIX = "_enabled";
 var CODEQL_VERSION_ZSTD_BUNDLE = "2.19.0";
 var featureConfig = {
+  ["allow_multiple_analysis_kinds" /* AllowMultipleAnalysisKinds */]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_ALLOW_MULTIPLE_ANALYSIS_KINDS",
+    minimumVersion: void 0
+  },
   ["allow_toolcache_input" /* AllowToolcacheInput */]: {
     defaultValue: false,
     envVar: "CODEQL_ACTION_ALLOW_TOOLCACHE_INPUT",
@@ -89901,6 +89837,75 @@ function initFeatures(gitHubVersion, repositoryNwo, tempDir, logger) {
   }
 }
 
+// src/analyses.ts
+var AnalysisKind = /* @__PURE__ */ ((AnalysisKind2) => {
+  AnalysisKind2["CodeScanning"] = "code-scanning";
+  AnalysisKind2["CodeQuality"] = "code-quality";
+  AnalysisKind2["RiskAssessment"] = "risk-assessment";
+  return AnalysisKind2;
+})(AnalysisKind || {});
+var supportedAnalysisKinds = new Set(Object.values(AnalysisKind));
+var CodeScanning = {
+  kind: "code-scanning" /* CodeScanning */,
+  name: "code scanning",
+  target: "PUT /repos/:owner/:repo/code-scanning/analysis" /* CODE_SCANNING */,
+  sarifExtension: ".sarif",
+  sarifPredicate: (name) => name.endsWith(CodeScanning.sarifExtension) && !CodeQuality.sarifPredicate(name) && !RiskAssessment.sarifPredicate(name),
+  fixCategory: (_, category) => category,
+  sentinelPrefix: "CODEQL_UPLOAD_SARIF_",
+  transformPayload: (payload) => payload
+};
+var CodeQuality = {
+  kind: "code-quality" /* CodeQuality */,
+  name: "code quality",
+  target: "PUT /repos/:owner/:repo/code-quality/analysis" /* CODE_QUALITY */,
+  sarifExtension: ".quality.sarif",
+  sarifPredicate: (name) => name.endsWith(CodeQuality.sarifExtension),
+  fixCategory: fixCodeQualityCategory,
+  sentinelPrefix: "CODEQL_UPLOAD_QUALITY_SARIF_",
+  transformPayload: (payload) => payload
+};
+function addAssessmentId(payload) {
+  const rawAssessmentId = getRequiredEnvParam("CODEQL_ACTION_RISK_ASSESSMENT_ID" /* RISK_ASSESSMENT_ID */);
+  const assessmentId = parseInt(rawAssessmentId, 10);
+  if (Number.isNaN(assessmentId)) {
+    throw new Error(
+      `${"CODEQL_ACTION_RISK_ASSESSMENT_ID" /* RISK_ASSESSMENT_ID */} must not be NaN: ${rawAssessmentId}`
+    );
+  }
+  if (assessmentId < 0) {
+    throw new Error(
+      `${"CODEQL_ACTION_RISK_ASSESSMENT_ID" /* RISK_ASSESSMENT_ID */} must not be negative: ${rawAssessmentId}`
+    );
+  }
+  return { sarif: payload.sarif, assessment_id: assessmentId };
+}
+var RiskAssessment = {
+  kind: "risk-assessment" /* RiskAssessment */,
+  name: "code scanning risk assessment",
+  target: "PUT /repos/:owner/:repo/code-scanning/risk-assessment" /* RISK_ASSESSMENT */,
+  sarifExtension: ".csra.sarif",
+  sarifPredicate: (name) => name.endsWith(RiskAssessment.sarifExtension),
+  fixCategory: (_, category) => category,
+  sentinelPrefix: "CODEQL_UPLOAD_CSRA_SARIF_",
+  transformPayload: addAssessmentId
+};
+function getAnalysisConfig(kind) {
+  switch (kind) {
+    case "code-scanning" /* CodeScanning */:
+      return CodeScanning;
+    case "code-quality" /* CodeQuality */:
+      return CodeQuality;
+    case "risk-assessment" /* RiskAssessment */:
+      return RiskAssessment;
+  }
+}
+var SarifScanOrder = [
+  RiskAssessment,
+  CodeQuality,
+  CodeScanning
+];
+
 // src/logging.ts
 var core7 = __toESM(require_core());
 function getActionsLogger() {

package-lock.json

@@ -5670,9 +5670,9 @@
       "license": "MIT"
     },
     "node_modules/fast-xml-builder": {
-      "version": "1.1.5",
-      "resolved": "https://registry.npmjs.org/fast-xml-builder/-/fast-xml-builder-1.1.5.tgz",
-      "integrity": "sha512-4TJn/8FKLeslLAH3dnohXqE3QSoxkhvaMzepOIZytwJXZO69Bfz0HBdDHzOTOon6G59Zrk6VQ2bEiv1t61rfkA==",
+      "version": "1.2.0",
+      "resolved": "https://registry.npmjs.org/fast-xml-builder/-/fast-xml-builder-1.2.0.tgz",
+      "integrity": "sha512-00aAWieqff+ZJhsXA4g1g7M8k+7AYoMUUHF+/zFb5U6Uv/P0Vl4QZo84/IcufzYalLuEj9928bXN9PbbFzMF0Q==",
       "funding": [
         {
           "type": "github",
@@ -5681,7 +5681,8 @@
       ],
       "license": "MIT",
       "dependencies": {
-        "path-expression-matcher": "^1.1.3"
+        "path-expression-matcher": "^1.5.0",
+        "xml-naming": "^0.1.0"
       }
     },
     "node_modules/fast-xml-parser": {
@@ -10223,6 +10224,21 @@
         "node": "^20.17.0 || >=22.9.0"
       }
     },
+    "node_modules/xml-naming": {
+      "version": "0.1.0",
+      "resolved": "https://registry.npmjs.org/xml-naming/-/xml-naming-0.1.0.tgz",
+      "integrity": "sha512-k8KO9hrMyNk6tUWqUfkTEZbezRRpONVOzUTnc97VnCvyj6Tf9lyUR9EDAIeiVLv56jsMcoXEwjW8Kv5yPY52lw==",
+      "funding": [
+        {
+          "type": "github",
+          "url": "https://github.com/sponsors/NaturalIntelligence"
+        }
+      ],
+      "license": "MIT",
+      "engines": {
+        "node": ">=16.0.0"
+      }
+    },
     "node_modules/y18n": {
       "version": "5.0.8",
       "resolved": "https://registry.npmjs.org/y18n/-/y18n-5.0.8.tgz",

src/analyses.test.ts

@@ -16,7 +16,7 @@ import {
 } from "./analyses";
 import { EnvVar } from "./environment";
 import { getRunnerLogger } from "./logging";
-import { setupTests } from "./testing-utils";
+import { createFeatures, RecordingLogger, setupTests } from "./testing-utils";
 import { AssessmentPayload } from "./upload-lib/types";
 import { ConfigurationError } from "./util";
 
@@ -53,24 +53,56 @@ test("Parsing analysis kinds requires at least one analysis kind", async (t) =>
 test.serial(
   "getAnalysisKinds - returns expected analysis kinds for `analysis-kinds` input",
   async (t) => {
+    process.env[EnvVar.TEST_MODE] = "true";
+    const features = createFeatures([]);
     const requiredInputStub = sinon.stub(actionsUtil, "getRequiredInput");
     requiredInputStub
       .withArgs("analysis-kinds")
       .returns("code-scanning,code-quality");
-    const result = await getAnalysisKinds(getRunnerLogger(true), true);
+    const result = await getAnalysisKinds(
+      getRunnerLogger(true),
+      features,
+      true,
+    );
     t.assert(result.includes(AnalysisKind.CodeScanning));
     t.assert(result.includes(AnalysisKind.CodeQuality));
   },
 );
 
+test.serial(
+  "getAnalysisKinds - only use `code-scanning` for multiple analysis kinds outside of test mode",
+  async (t) => {
+    process.env[EnvVar.TEST_MODE] = "false";
+    const features = createFeatures([]);
+    const logger = new RecordingLogger();
+    const requiredInputStub = sinon.stub(actionsUtil, "getRequiredInput");
+    requiredInputStub
+      .withArgs("analysis-kinds")
+      .returns("code-scanning,code-quality");
+    const result = await getAnalysisKinds(logger, features, true);
+    t.deepEqual(result, [AnalysisKind.CodeScanning]);
+    t.assert(
+      logger.hasMessage(
+        "Continuing with only `analysis-kinds: code-scanning`.",
+      ),
+    );
+  },
+);
+
 test.serial(
   "getAnalysisKinds - includes `code-quality` when deprecated `quality-queries` input is used",
   async (t) => {
+    process.env[EnvVar.TEST_MODE] = "true";
+    const features = createFeatures([]);
     const requiredInputStub = sinon.stub(actionsUtil, "getRequiredInput");
     requiredInputStub.withArgs("analysis-kinds").returns("code-scanning");
     const optionalInputStub = sinon.stub(actionsUtil, "getOptionalInput");
     optionalInputStub.withArgs("quality-queries").returns("code-quality");
-    const result = await getAnalysisKinds(getRunnerLogger(true), true);
+    const result = await getAnalysisKinds(
+      getRunnerLogger(true),
+      features,
+      true,
+    );
     t.assert(result.includes(AnalysisKind.CodeScanning));
     t.assert(result.includes(AnalysisKind.CodeQuality));
   },
@@ -79,9 +111,12 @@ test.serial(
 test.serial(
   "getAnalysisKinds - throws if `analysis-kinds` input is invalid",
   async (t) => {
+    const features = createFeatures([]);
     const requiredInputStub = sinon.stub(actionsUtil, "getRequiredInput");
     requiredInputStub.withArgs("analysis-kinds").returns("no-such-thing");
-    await t.throwsAsync(getAnalysisKinds(getRunnerLogger(true), true));
+    await t.throwsAsync(
+      getAnalysisKinds(getRunnerLogger(true), features, true),
+    );
   },
 );
 
@@ -98,11 +133,17 @@ for (let i = 0; i < analysisKinds.length; i++) {
       test.serial(
         `getAnalysisKinds - allows ${analysisKind} with ${otherAnalysis}`,
         async (t) => {
+          process.env[EnvVar.TEST_MODE] = "true";
+          const features = createFeatures([]);
           const requiredInputStub = sinon.stub(actionsUtil, "getRequiredInput");
           requiredInputStub
             .withArgs("analysis-kinds")
             .returns([analysisKind, otherAnalysis].join(","));
-          const result = await getAnalysisKinds(getRunnerLogger(true), true);
+          const result = await getAnalysisKinds(
+            getRunnerLogger(true),
+            features,
+            true,
+          );
           t.is(result.length, 2);
         },
       );
@@ -110,14 +151,18 @@ for (let i = 0; i < analysisKinds.length; i++) {
       test.serial(
         `getAnalysisKinds - throws if ${analysisKind} is enabled with ${otherAnalysis}`,
         async (t) => {
+          const features = createFeatures([]);
           const requiredInputStub = sinon.stub(actionsUtil, "getRequiredInput");
           requiredInputStub
             .withArgs("analysis-kinds")
             .returns([analysisKind, otherAnalysis].join(","));
-          await t.throwsAsync(getAnalysisKinds(getRunnerLogger(true), true), {
-            instanceOf: ConfigurationError,
-            message: `${analysisKind} and ${otherAnalysis} cannot be enabled at the same time`,
-          });
+          await t.throwsAsync(
+            getAnalysisKinds(getRunnerLogger(true), features, true),
+            {
+              instanceOf: ConfigurationError,
+              message: `${analysisKind} and ${otherAnalysis} cannot be enabled at the same time`,
+            },
+          );
         },
       );
     }

src/analyses.ts

@@ -4,13 +4,14 @@ import {
   getRequiredInput,
 } from "./actions-util";
 import { EnvVar } from "./environment";
+import { Feature, FeatureEnablement } from "./feature-flags";
 import { Logger } from "./logging";
 import {
   AssessmentPayload,
   BasePayload,
   UploadPayload,
 } from "./upload-lib/types";
-import { ConfigurationError, getRequiredEnvParam } from "./util";
+import { ConfigurationError, getRequiredEnvParam, isInTestMode } from "./util";
 
 export enum AnalysisKind {
   CodeScanning = "code-scanning",
@@ -77,6 +78,7 @@ let cachedAnalysisKinds: AnalysisKind[] | undefined;
  */
 export async function getAnalysisKinds(
   logger: Logger,
+  features: FeatureEnablement,
   skipCache: boolean = false,
 ): Promise<AnalysisKind[]> {
   if (!skipCache && cachedAnalysisKinds !== undefined) {
@@ -120,6 +122,25 @@ export async function getAnalysisKinds(
     }
   }
 
+  // Log an error if we have multiple inputs for `analysis-kinds` outside of test mode,
+  // and enable only `code-scanning`.
+  if (
+    !isInTestMode() &&
+    analysisKinds.length > 1 &&
+    !(await features.getValue(Feature.AllowMultipleAnalysisKinds))
+  ) {
+    logger.error(
+      "The `analysis-kinds` input is experimental and for GitHub-internal use only. " +
+        "Its behaviour may change at any time or be removed entirely. " +
+        "Specifying multiple values as input is no longer supported. " +
+        "Continuing with only `analysis-kinds: code-scanning`.",
+    );
+
+    // Only enable Code Scanning.
+    cachedAnalysisKinds = [AnalysisKind.CodeScanning];
+    return cachedAnalysisKinds;
+  }
+
   // Cache the analysis kinds and return them.
   cachedAnalysisKinds = analysisKinds;
   return cachedAnalysisKinds;

src/feature-flags.ts

@@ -44,6 +44,8 @@ export interface CodeQLDefaultVersionInfo {
  * Legacy features should end with `_enabled`.
  */
 export enum Feature {
+  /** Controls whether we allow multiple values for the `analysis-kinds` input. */
+  AllowMultipleAnalysisKinds = "allow_multiple_analysis_kinds",
   AllowToolcacheInput = "allow_toolcache_input",
   CleanupTrapCaches = "cleanup_trap_caches",
   CppDependencyInstallation = "cpp_dependency_installation_enabled",
@@ -124,6 +126,11 @@ export type FeatureConfig = {
 };
 
 export const featureConfig = {
+  [Feature.AllowMultipleAnalysisKinds]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_ALLOW_MULTIPLE_ANALYSIS_KINDS",
+    minimumVersion: undefined,
+  },
   [Feature.AllowToolcacheInput]: {
     defaultValue: false,
     envVar: "CODEQL_ACTION_ALLOW_TOOLCACHE_INPUT",

src/init-action.ts

@@ -281,7 +281,7 @@ async function run(startedAt: Date) {
     // successful, the results are cached so that we don't duplicate the work in normal runs.
     let analysisKinds: AnalysisKind[] | undefined;
     try {
-      analysisKinds = await getAnalysisKinds(logger);
+      analysisKinds = await getAnalysisKinds(logger, features);
     } catch (err) {
       logger.debug(
         `Failed to parse analysis kinds for 'starting' status report: ${getErrorMessage(err)}`,
@@ -346,7 +346,7 @@ async function run(startedAt: Date) {
       }
     }
 
-    analysisKinds = await getAnalysisKinds(logger);
+    analysisKinds = await getAnalysisKinds(logger, features);
     const debugMode = getOptionalInput("debug") === "true" || core.isDebug();
     const repositoryProperties = repositoryPropertiesResult.orElse({});
     const fileCoverageResult = await getFileCoverageInformationEnabled(