Enable only code-scanning

Add changelog entry
Throw error if multiple analysis kinds are specified
2026-05-12 17:00:15 +00:00 · 2026-05-12 15:46:28 +01:00 · 2026-05-12 15:03:58 +01:00 · 2026-05-12 14:54:11 +01:00 · 2026-05-11 14:59:28 +00:00 · 2026-05-08 19:05:11 +00:00
33 changed files with 4969 additions and 6977 deletions
@@ -4,7 +4,7 @@ See the [releases page](https://github.com/github/codeql-action/releases) for th

 ## [UNRELEASED]

- Added an experimental change which, when running a Code Scanning analysis for a PR with [improved incremental analysis](https://github.com/github/roadmap/issues/1158) enabled, prefers CodeQL CLI versions that have a cached overlay-base database for the configured languages. This speeds up analysis for a repository when there is not yet a cached overlay-base database for the latest CLI version. We expect to roll this change out to everyone in May. [#3880](https://github.com/github/codeql-action/pull/3880)
+- If multiple inputs are provided for the GitHub-internal `analysis-kinds` input, only `code-scanning` will be enabled. The `analysis-kinds` input is experimental, for GitHub-internal use only, and may change without notice at any time. [#3892](https://github.com/github/codeql-action/pull/3892)

 ## 4.35.4 - 07 May 2026

@@ -26352,11 +26352,11 @@ var require_valid = __commonJS({
  "node_modules/semver/functions/valid.js"(exports2, module2) {
    "use strict";
    var parse2 = require_parse2();
-    var valid4 = (version, options) => {
+    var valid3 = (version, options) => {
      const v = parse2(version, options);
      return v ? v.version : null;
    };
-    module2.exports = valid4;
+    module2.exports = valid3;
  }
 });

@@ -26499,8 +26499,8 @@ var require_rcompare = __commonJS({
  "node_modules/semver/functions/rcompare.js"(exports2, module2) {
    "use strict";
    var compare2 = require_compare();
-    var rcompare3 = (a, b, loose) => compare2(b, a, loose);
-    module2.exports = rcompare3;
+    var rcompare = (a, b, loose) => compare2(b, a, loose);
+    module2.exports = rcompare;
  }
 });

@@ -27716,7 +27716,7 @@ var require_semver2 = __commonJS({
    var SemVer = require_semver();
    var identifiers = require_identifiers();
    var parse2 = require_parse2();
-    var valid4 = require_valid();
+    var valid3 = require_valid();
    var clean3 = require_clean();
    var inc = require_inc();
    var diff = require_diff();
@@ -27725,7 +27725,7 @@ var require_semver2 = __commonJS({
    var patch = require_patch();
    var prerelease = require_prerelease();
    var compare2 = require_compare();
-    var rcompare3 = require_rcompare();
+    var rcompare = require_rcompare();
    var compareLoose = require_compare_loose();
    var compareBuild = require_compare_build();
    var sort = require_sort();
@@ -27754,7 +27754,7 @@ var require_semver2 = __commonJS({
    var subset = require_subset();
    module2.exports = {
      parse: parse2,
-      valid: valid4,
+      valid: valid3,
      clean: clean3,
      inc,
      diff,
@@ -27763,7 +27763,7 @@ var require_semver2 = __commonJS({
      patch,
      prerelease,
      compare: compare2,
-      rcompare: rcompare3,
+      rcompare,
      compareLoose,
      compareBuild,
      sort,
@@ -29553,16 +29553,16 @@ var require_attribute = __commonJS({
      var result = new ValidatorResult(instance, schema2, options, ctx);
      var self2 = this;
      schema2.allOf.forEach(function(v, i) {
-        var valid4 = self2.validateSchema(instance, v, options, ctx);
-        if (!valid4.valid) {
+        var valid3 = self2.validateSchema(instance, v, options, ctx);
+        if (!valid3.valid) {
          var id = v.$id || v.id;
          var msg = id || v.title && JSON.stringify(v.title) || v["$ref"] && "<" + v["$ref"] + ">" || "[subschema " + i + "]";
          result.addError({
            name: "allOf",
-            argument: { id: msg, length: valid4.errors.length, valid: valid4 },
-            message: "does not match allOf schema " + msg + " with " + valid4.errors.length + " error[s]:"
+            argument: { id: msg, length: valid3.errors.length, valid: valid3 },
+            message: "does not match allOf schema " + msg + " with " + valid3.errors.length + " error[s]:"
          });
-          result.importErrors(valid4);
+          result.importErrors(valid3);
        }
      });
      return result;
@@ -29851,8 +29851,8 @@ var require_attribute = __commonJS({
      if (typeof schema2.exclusiveMinimum === "boolean") return;
      if (!this.types.number(instance)) return;
      var result = new ValidatorResult(instance, schema2, options, ctx);
-      var valid4 = instance > schema2.exclusiveMinimum;
-      if (!valid4) {
+      var valid3 = instance > schema2.exclusiveMinimum;
+      if (!valid3) {
        result.addError({
          name: "exclusiveMinimum",
          argument: schema2.exclusiveMinimum,
@@ -29865,8 +29865,8 @@ var require_attribute = __commonJS({
      if (typeof schema2.exclusiveMaximum === "boolean") return;
      if (!this.types.number(instance)) return;
      var result = new ValidatorResult(instance, schema2, options, ctx);
-      var valid4 = instance < schema2.exclusiveMaximum;
-      if (!valid4) {
+      var valid3 = instance < schema2.exclusiveMaximum;
+      if (!valid3) {
        result.addError({
          name: "exclusiveMaximum",
          argument: schema2.exclusiveMaximum,
@@ -32649,8 +32649,8 @@ var require_semver3 = __commonJS({
        return null;
      }
    }
-    exports2.valid = valid4;
-    function valid4(version, options) {
+    exports2.valid = valid3;
+    function valid3(version, options) {
      var v = parse2(version, options);
      return v ? v.version : null;
    }
@@ -32950,8 +32950,8 @@ var require_semver3 = __commonJS({
      var versionB = new SemVer(b, loose);
      return versionA.compare(versionB) || versionA.compareBuild(versionB);
    }
-    exports2.rcompare = rcompare3;
-    function rcompare3(a, b, loose) {
+    exports2.rcompare = rcompare;
+    function rcompare(a, b, loose) {
      return compare2(b, a, loose);
    }
    exports2.sort = sort;
@@ -33779,7 +33779,7 @@ var require_cacheUtils = __commonJS({
    var crypto2 = __importStar2(require("crypto"));
    var fs9 = __importStar2(require("fs"));
    var path9 = __importStar2(require("path"));
-    var semver10 = __importStar2(require_semver3());
+    var semver9 = __importStar2(require_semver3());
    var util = __importStar2(require("util"));
    var constants_1 = require_constants7();
    var versionSalt = "1.0";
@@ -33872,7 +33872,7 @@ var require_cacheUtils = __commonJS({
    function getCompressionMethod() {
      return __awaiter2(this, void 0, void 0, function* () {
        const versionOutput = yield getVersion("zstd", ["--quiet"]);
-        const version = semver10.clean(versionOutput);
+        const version = semver9.clean(versionOutput);
        core15.debug(`zstd version: ${version}`);
        if (versionOutput === "") {
          return constants_1.CompressionMethod.Gzip;
@@ -75278,7 +75278,7 @@ var require_cacheHttpClient = __commonJS({
    exports2.getCacheEntry = getCacheEntry;
    exports2.downloadCache = downloadCache;
    exports2.reserveCache = reserveCache;
-    exports2.saveCache = saveCache5;
+    exports2.saveCache = saveCache4;
    var core15 = __importStar2(require_core());
    var http_client_1 = require_lib();
    var auth_1 = require_auth();
@@ -75455,7 +75455,7 @@ Other caches with similar key:`);
        }));
      });
    }
-    function saveCache5(cacheId, archivePath, signedUploadURL, options) {
+    function saveCache4(cacheId, archivePath, signedUploadURL, options) {
      return __awaiter2(this, void 0, void 0, function* () {
        const uploadOptions = (0, options_1.getUploadOptions)(options);
        if (uploadOptions.useAzureSdk) {
@@ -80955,8 +80955,8 @@ var require_cache4 = __commonJS({
    Object.defineProperty(exports2, "__esModule", { value: true });
    exports2.FinalizeCacheError = exports2.ReserveCacheError = exports2.ValidationError = void 0;
    exports2.isFeatureAvailable = isFeatureAvailable;
-    exports2.restoreCache = restoreCache5;
-    exports2.saveCache = saveCache5;
+    exports2.restoreCache = restoreCache4;
+    exports2.saveCache = saveCache4;
    var core15 = __importStar2(require_core());
    var path9 = __importStar2(require("path"));
    var utils = __importStar2(require_cacheUtils());
@@ -81013,7 +81013,7 @@ var require_cache4 = __commonJS({
          return !!process.env["ACTIONS_CACHE_URL"];
      }
    }
-    function restoreCache5(paths_1, primaryKey_1, restoreKeys_1, options_1) {
+    function restoreCache4(paths_1, primaryKey_1, restoreKeys_1, options_1) {
      return __awaiter2(this, arguments, void 0, function* (paths, primaryKey, restoreKeys, options, enableCrossOsArchive = false) {
        const cacheServiceVersion = (0, config_1.getCacheServiceVersion)();
        core15.debug(`Cache service version: ${cacheServiceVersion}`);
@@ -81157,7 +81157,7 @@ var require_cache4 = __commonJS({
        return void 0;
      });
    }
-    function saveCache5(paths_1, key_1, options_1) {
+    function saveCache4(paths_1, key_1, options_1) {
      return __awaiter2(this, arguments, void 0, function* (paths, key, options, enableCrossOsArchive = false) {
        const cacheServiceVersion = (0, config_1.getCacheServiceVersion)();
        core15.debug(`Cache service version: ${cacheServiceVersion}`);
@@ -81394,7 +81394,7 @@ var require_manifest = __commonJS({
    exports2._findMatch = _findMatch;
    exports2._getOsVersion = _getOsVersion;
    exports2._readLinuxVersionFile = _readLinuxVersionFile;
-    var semver10 = __importStar2(require_semver2());
+    var semver9 = __importStar2(require_semver2());
    var core_1 = require_core();
    var os2 = require("os");
    var cp = require("child_process");
@@ -81408,7 +81408,7 @@ var require_manifest = __commonJS({
        for (const candidate of candidates) {
          const version = candidate.version;
          (0, core_1.debug)(`check ${version} satisfies ${versionSpec}`);
-          if (semver10.satisfies(version, versionSpec) && (!stable || candidate.stable === stable)) {
+          if (semver9.satisfies(version, versionSpec) && (!stable || candidate.stable === stable)) {
            file = candidate.files.find((item) => {
              (0, core_1.debug)(`${item.arch}===${archFilter} && ${item.platform}===${platFilter}`);
              let chk = item.arch === archFilter && item.platform === platFilter;
@@ -81417,7 +81417,7 @@ var require_manifest = __commonJS({
                if (osVersion === item.platform_version) {
                  chk = true;
                } else {
-                  chk = semver10.satisfies(osVersion, item.platform_version);
+                  chk = semver9.satisfies(osVersion, item.platform_version);
                }
              }
              return chk;
@@ -81677,7 +81677,7 @@ var require_tool_cache = __commonJS({
    var os2 = __importStar2(require("os"));
    var path9 = __importStar2(require("path"));
    var httpm = __importStar2(require_lib());
-    var semver10 = __importStar2(require_semver2());
+    var semver9 = __importStar2(require_semver2());
    var stream = __importStar2(require("stream"));
    var util = __importStar2(require("util"));
    var assert_1 = require("assert");
@@ -81950,7 +81950,7 @@ var require_tool_cache = __commonJS({
    }
    function cacheDir(sourceDir, tool, version, arch) {
      return __awaiter2(this, void 0, void 0, function* () {
-        version = semver10.clean(version) || version;
+        version = semver9.clean(version) || version;
        arch = arch || os2.arch();
        core15.debug(`Caching tool ${tool} ${version} ${arch}`);
        core15.debug(`source dir: ${sourceDir}`);
@@ -81968,7 +81968,7 @@ var require_tool_cache = __commonJS({
    }
    function cacheFile(sourceFile, targetFile, tool, version, arch) {
      return __awaiter2(this, void 0, void 0, function* () {
-        version = semver10.clean(version) || version;
+        version = semver9.clean(version) || version;
        arch = arch || os2.arch();
        core15.debug(`Caching tool ${tool} ${version} ${arch}`);
        core15.debug(`source file: ${sourceFile}`);
@@ -81998,7 +81998,7 @@ var require_tool_cache = __commonJS({
      }
      let toolPath = "";
      if (versionSpec) {
-        versionSpec = semver10.clean(versionSpec) || "";
+        versionSpec = semver9.clean(versionSpec) || "";
        const cachePath = path9.join(_getCacheDirectory(), toolName, versionSpec, arch);
        core15.debug(`checking cache: ${cachePath}`);
        if (fs9.existsSync(cachePath) && fs9.existsSync(`${cachePath}.complete`)) {
@@ -82078,7 +82078,7 @@ var require_tool_cache = __commonJS({
    }
    function _createToolPath(tool, version, arch) {
      return __awaiter2(this, void 0, void 0, function* () {
-        const folderPath = path9.join(_getCacheDirectory(), tool, semver10.clean(version) || version, arch || "");
+        const folderPath = path9.join(_getCacheDirectory(), tool, semver9.clean(version) || version, arch || "");
        core15.debug(`destination ${folderPath}`);
        const markerPath = `${folderPath}.complete`;
        yield io6.rmRF(folderPath);
@@ -82088,30 +82088,30 @@ var require_tool_cache = __commonJS({
      });
    }
    function _completeToolPath(tool, version, arch) {
-      const folderPath = path9.join(_getCacheDirectory(), tool, semver10.clean(version) || version, arch || "");
+      const folderPath = path9.join(_getCacheDirectory(), tool, semver9.clean(version) || version, arch || "");
      const markerPath = `${folderPath}.complete`;
      fs9.writeFileSync(markerPath, "");
      core15.debug("finished caching tool");
    }
    function isExplicitVersion(versionSpec) {
-      const c = semver10.clean(versionSpec) || "";
+      const c = semver9.clean(versionSpec) || "";
      core15.debug(`isExplicit: ${c}`);
-      const valid4 = semver10.valid(c) != null;
-      core15.debug(`explicit? ${valid4}`);
-      return valid4;
+      const valid3 = semver9.valid(c) != null;
+      core15.debug(`explicit? ${valid3}`);
+      return valid3;
    }
    function evaluateVersions(versions, versionSpec) {
      let version = "";
      core15.debug(`evaluating ${versions.length} versions`);
      versions = versions.sort((a, b) => {
-        if (semver10.gt(a, b)) {
+        if (semver9.gt(a, b)) {
          return 1;
        }
        return -1;
      });
      for (let i = versions.length - 1; i >= 0; i--) {
        const potential = versions[i];
-        const satisfied = semver10.satisfies(potential, versionSpec);
+        const satisfied = semver9.satisfies(potential, versionSpec);
        if (satisfied) {
          version = potential;
          break;
@@ -89825,7 +89825,7 @@ var require_stream_writable = __commonJS({
      pna.nextTick(cb, er);
    }
    function validChunk(stream, state, chunk, cb) {
-      var valid4 = true;
+      var valid3 = true;
      var er = false;
      if (chunk === null) {
        er = new TypeError("May not write null values to stream");
@@ -89835,9 +89835,9 @@ var require_stream_writable = __commonJS({
      if (er) {
        stream.emit("error", er);
        pna.nextTick(cb, er);
-        valid4 = false;
+        valid3 = false;
      }
-      return valid4;
+      return valid3;
    }
    Writable.prototype.write = function(chunk, encoding, cb) {
      var state = this._writableState;
@@ -127358,65 +127358,8 @@ var fs4 = __toESM(require("fs"));
 var path5 = __toESM(require("path"));
 var core9 = __toESM(require_core());

-// src/analyses.ts
-var AnalysisKind = /* @__PURE__ */ ((AnalysisKind2) => {
-  AnalysisKind2["CodeScanning"] = "code-scanning";
-  AnalysisKind2["CodeQuality"] = "code-quality";
-  AnalysisKind2["RiskAssessment"] = "risk-assessment";
-  return AnalysisKind2;
-})(AnalysisKind || {});
-var supportedAnalysisKinds = new Set(Object.values(AnalysisKind));
-
-// src/caching-utils.ts
-var core6 = __toESM(require_core());
-
-// src/config/db-config.ts
-var jsonschema = __toESM(require_lib2());
-var semver2 = __toESM(require_semver2());
-
-// src/feature-flags/properties.ts
-var RepositoryPropertyName = /* @__PURE__ */ ((RepositoryPropertyName2) => {
-  RepositoryPropertyName2["DISABLE_OVERLAY"] = "github-codeql-disable-overlay";
-  RepositoryPropertyName2["EXTRA_QUERIES"] = "github-codeql-extra-queries";
-  RepositoryPropertyName2["FILE_COVERAGE_ON_PRS"] = "github-codeql-file-coverage-on-prs";
-  return RepositoryPropertyName2;
-})(RepositoryPropertyName || {});
-var KNOWN_REPOSITORY_PROPERTY_NAMES = new Set(
-  Object.values(RepositoryPropertyName)
-);
-
-// src/config/db-config.ts
-var PACK_IDENTIFIER_PATTERN = (function() {
-  const alphaNumeric = "[a-z0-9]";
-  const alphaNumericDash = "[a-z0-9-]";
-  const component = `${alphaNumeric}(${alphaNumericDash}*${alphaNumeric})?`;
-  return new RegExp(`^${component}/${component}$`);
-})();
-
-// src/logging.ts
-var core7 = __toESM(require_core());
-function getActionsLogger() {
-  return {
-    debug: core7.debug,
-    info: core7.info,
-    warning: core7.warning,
-    error: core7.error,
-    isDebug: core7.isDebug,
-    startGroup: core7.startGroup,
-    endGroup: core7.endGroup
-  };
-}
-function withGroup(groupName, f) {
-  core7.startGroup(groupName);
-  try {
-    return f();
-  } finally {
-    core7.endGroup();
-  }
-}
-
 // src/feature-flags.ts
-var semver5 = __toESM(require_semver2());
+var semver4 = __toESM(require_semver2());

 // src/overlay/index.ts
 var fs3 = __toESM(require("fs"));
@@ -127425,14 +127368,14 @@ var path4 = __toESM(require("path"));
 // src/git-utils.ts
 var fs2 = __toESM(require("fs"));
 var path3 = __toESM(require("path"));
-var core8 = __toESM(require_core());
+var core6 = __toESM(require_core());
 var toolrunner2 = __toESM(require_toolrunner());
 var io3 = __toESM(require_io());
-var semver3 = __toESM(require_semver2());
+var semver2 = __toESM(require_semver2());
 var runGitCommand = async function(workingDirectory, args, customErrorMessage, options) {
  let stdout = "";
  let stderr = "";
-  core8.debug(`Running git command: git ${args.join(" ")}`);
+  core6.debug(`Running git command: git ${args.join(" ")}`);
  try {
    await new toolrunner2.ToolRunner(await io3.which("git", true), args, {
      silent: true,
@@ -127453,7 +127396,7 @@ var runGitCommand = async function(workingDirectory, args, customErrorMessage, o
    if (stderr.includes("not a git repository")) {
      reason = "The checkout path provided to the action does not appear to be a git repository.";
    }
-    core8.info(`git call failed. ${customErrorMessage} Error: ${reason}`);
+    core6.info(`git call failed. ${customErrorMessage} Error: ${reason}`);
    throw error3;
  }
 };
@@ -127582,7 +127525,7 @@ async function getRef() {
  ) !== head;
  if (hasChangedRef) {
    const newRef = ref.replace(pull_ref_regex, "refs/pull/$1/head");
-    core8.debug(
+    core6.debug(
      `No longer on merge commit, rewriting ref from ${ref} to ${newRef}.`
    );
    return newRef;
@@ -127719,17 +127662,22 @@ async function getDiffRangeFilePaths(sourceRoot, logger) {
 }

 // src/tools-features.ts
-var semver4 = __toESM(require_semver2());
+var semver3 = __toESM(require_semver2());
 function isSupportedToolsFeature(versionInfo, feature) {
  return !!versionInfo.features && versionInfo.features[feature];
 }
 var SafeArtifactUploadVersion = "2.20.3";
 function isSafeArtifactUpload(codeQlVersion) {
-  return !codeQlVersion ? true : semver4.gte(codeQlVersion, SafeArtifactUploadVersion);
+  return !codeQlVersion ? true : semver3.gte(codeQlVersion, SafeArtifactUploadVersion);
 }

 // src/feature-flags.ts
 var featureConfig = {
+  ["allow_multiple_analysis_kinds" /* AllowMultipleAnalysisKinds */]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_ALLOW_MULTIPLE_ANALYSIS_KINDS",
+    minimumVersion: void 0
+  },
  ["allow_toolcache_input" /* AllowToolcacheInput */]: {
    defaultValue: false,
    envVar: "CODEQL_ACTION_ALLOW_TOOLCACHE_INPUT",
@@ -127883,16 +127831,6 @@ var featureConfig = {
    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_DISABLE_TRAP_CACHING",
    minimumVersion: void 0
  },
-  ["overlay_analysis_match_codeql_version" /* OverlayAnalysisMatchCodeqlVersion */]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_MATCH_CODEQL_VERSION",
-    minimumVersion: void 0
-  },
-  ["overlay_analysis_match_codeql_version_dry_run" /* OverlayAnalysisMatchCodeqlVersionDryRun */]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_MATCH_CODEQL_VERSION_DRY_RUN",
-    minimumVersion: void 0
-  },
  ["overlay_analysis_resource_checks_v2" /* OverlayAnalysisResourceChecksV2 */]: {
    defaultValue: false,
    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_RESOURCE_CHECKS_V2",
@@ -127948,6 +127886,63 @@ var featureConfig = {
  }
 };

+// src/analyses.ts
+var AnalysisKind = /* @__PURE__ */ ((AnalysisKind2) => {
+  AnalysisKind2["CodeScanning"] = "code-scanning";
+  AnalysisKind2["CodeQuality"] = "code-quality";
+  AnalysisKind2["RiskAssessment"] = "risk-assessment";
+  return AnalysisKind2;
+})(AnalysisKind || {});
+var supportedAnalysisKinds = new Set(Object.values(AnalysisKind));
+
+// src/caching-utils.ts
+var core7 = __toESM(require_core());
+
+// src/config/db-config.ts
+var jsonschema = __toESM(require_lib2());
+var semver5 = __toESM(require_semver2());
+
+// src/feature-flags/properties.ts
+var RepositoryPropertyName = /* @__PURE__ */ ((RepositoryPropertyName2) => {
+  RepositoryPropertyName2["DISABLE_OVERLAY"] = "github-codeql-disable-overlay";
+  RepositoryPropertyName2["EXTRA_QUERIES"] = "github-codeql-extra-queries";
+  RepositoryPropertyName2["FILE_COVERAGE_ON_PRS"] = "github-codeql-file-coverage-on-prs";
+  return RepositoryPropertyName2;
+})(RepositoryPropertyName || {});
+var KNOWN_REPOSITORY_PROPERTY_NAMES = new Set(
+  Object.values(RepositoryPropertyName)
+);
+
+// src/config/db-config.ts
+var PACK_IDENTIFIER_PATTERN = (function() {
+  const alphaNumeric = "[a-z0-9]";
+  const alphaNumericDash = "[a-z0-9-]";
+  const component = `${alphaNumeric}(${alphaNumericDash}*${alphaNumeric})?`;
+  return new RegExp(`^${component}/${component}$`);
+})();
+
+// src/logging.ts
+var core8 = __toESM(require_core());
+function getActionsLogger() {
+  return {
+    debug: core8.debug,
+    info: core8.info,
+    warning: core8.warning,
+    error: core8.error,
+    isDebug: core8.isDebug,
+    startGroup: core8.startGroup,
+    endGroup: core8.endGroup
+  };
+}
+function withGroup(groupName, f) {
+  core8.startGroup(groupName);
+  try {
+    return f();
+  } finally {
+    core8.endGroup();
+  }
+}
+
 // src/languages/builtin.json
 var builtin_default = {
  languages: [
@@ -128054,26 +128049,20 @@ function appendExtraQueryExclusions(extraQueryExclusions, cliConfig) {
 // src/setup-codeql.ts
 var toolcache3 = __toESM(require_tool_cache());
 var import_fast_deep_equal = __toESM(require_fast_deep_equal());
-var semver9 = __toESM(require_semver2());
-
-// src/overlay/caching.ts
-var actionsCache3 = __toESM(require_cache4());
-var semver6 = __toESM(require_semver2());
-var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB = 7500;
-var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_BYTES = OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB * 1e6;
+var semver8 = __toESM(require_semver2());

 // src/tar.ts
 var import_toolrunner = __toESM(require_toolrunner());
 var io4 = __toESM(require_io());
 var toolcache = __toESM(require_tool_cache());
-var semver7 = __toESM(require_semver2());
+var semver6 = __toESM(require_semver2());

 // src/tools-download.ts
 var core10 = __toESM(require_core());
 var import_http_client = __toESM(require_lib());
 var toolcache2 = __toESM(require_tool_cache());
 var import_follow_redirects = __toESM(require_follow_redirects());
-var semver8 = __toESM(require_semver2());
+var semver7 = __toESM(require_semver2());
 var STREAMING_HIGH_WATERMARK_BYTES = 4 * 1024 * 1024;

 // src/tracer-config.ts
@@ -128670,7 +128659,7 @@ var core12 = __toESM(require_core());

 // src/dependency-caching.ts
 var import_path = require("path");
-var actionsCache4 = __toESM(require_cache4());
+var actionsCache3 = __toESM(require_cache4());
 var glob = __toESM(require_glob());
 function getJavaTempDependencyDir() {
  return (0, import_path.join)(getTemporaryDirectory(), "codeql_java", "repository");
@@ -26352,11 +26352,11 @@ var require_valid = __commonJS({
  "node_modules/semver/functions/valid.js"(exports2, module2) {
    "use strict";
    var parse2 = require_parse2();
-    var valid4 = (version, options) => {
+    var valid3 = (version, options) => {
      const v = parse2(version, options);
      return v ? v.version : null;
    };
-    module2.exports = valid4;
+    module2.exports = valid3;
  }
 });

@@ -26499,8 +26499,8 @@ var require_rcompare = __commonJS({
  "node_modules/semver/functions/rcompare.js"(exports2, module2) {
    "use strict";
    var compare2 = require_compare();
-    var rcompare3 = (a, b, loose) => compare2(b, a, loose);
-    module2.exports = rcompare3;
+    var rcompare = (a, b, loose) => compare2(b, a, loose);
+    module2.exports = rcompare;
  }
 });

@@ -27716,7 +27716,7 @@ var require_semver2 = __commonJS({
    var SemVer = require_semver();
    var identifiers = require_identifiers();
    var parse2 = require_parse2();
-    var valid4 = require_valid();
+    var valid3 = require_valid();
    var clean3 = require_clean();
    var inc = require_inc();
    var diff = require_diff();
@@ -27725,7 +27725,7 @@ var require_semver2 = __commonJS({
    var patch = require_patch();
    var prerelease = require_prerelease();
    var compare2 = require_compare();
-    var rcompare3 = require_rcompare();
+    var rcompare = require_rcompare();
    var compareLoose = require_compare_loose();
    var compareBuild = require_compare_build();
    var sort = require_sort();
@@ -27754,7 +27754,7 @@ var require_semver2 = __commonJS({
    var subset = require_subset();
    module2.exports = {
      parse: parse2,
-      valid: valid4,
+      valid: valid3,
      clean: clean3,
      inc,
      diff,
@@ -27763,7 +27763,7 @@ var require_semver2 = __commonJS({
      patch,
      prerelease,
      compare: compare2,
-      rcompare: rcompare3,
+      rcompare,
      compareLoose,
      compareBuild,
      sort,
@@ -29553,16 +29553,16 @@ var require_attribute = __commonJS({
      var result = new ValidatorResult(instance, schema2, options, ctx);
      var self2 = this;
      schema2.allOf.forEach(function(v, i) {
-        var valid4 = self2.validateSchema(instance, v, options, ctx);
-        if (!valid4.valid) {
+        var valid3 = self2.validateSchema(instance, v, options, ctx);
+        if (!valid3.valid) {
          var id = v.$id || v.id;
          var msg = id || v.title && JSON.stringify(v.title) || v["$ref"] && "<" + v["$ref"] + ">" || "[subschema " + i + "]";
          result.addError({
            name: "allOf",
-            argument: { id: msg, length: valid4.errors.length, valid: valid4 },
-            message: "does not match allOf schema " + msg + " with " + valid4.errors.length + " error[s]:"
+            argument: { id: msg, length: valid3.errors.length, valid: valid3 },
+            message: "does not match allOf schema " + msg + " with " + valid3.errors.length + " error[s]:"
          });
-          result.importErrors(valid4);
+          result.importErrors(valid3);
        }
      });
      return result;
@@ -29851,8 +29851,8 @@ var require_attribute = __commonJS({
      if (typeof schema2.exclusiveMinimum === "boolean") return;
      if (!this.types.number(instance)) return;
      var result = new ValidatorResult(instance, schema2, options, ctx);
-      var valid4 = instance > schema2.exclusiveMinimum;
-      if (!valid4) {
+      var valid3 = instance > schema2.exclusiveMinimum;
+      if (!valid3) {
        result.addError({
          name: "exclusiveMinimum",
          argument: schema2.exclusiveMinimum,
@@ -29865,8 +29865,8 @@ var require_attribute = __commonJS({
      if (typeof schema2.exclusiveMaximum === "boolean") return;
      if (!this.types.number(instance)) return;
      var result = new ValidatorResult(instance, schema2, options, ctx);
-      var valid4 = instance < schema2.exclusiveMaximum;
-      if (!valid4) {
+      var valid3 = instance < schema2.exclusiveMaximum;
+      if (!valid3) {
        result.addError({
          name: "exclusiveMaximum",
          argument: schema2.exclusiveMaximum,
@@ -32649,8 +32649,8 @@ var require_semver3 = __commonJS({
        return null;
      }
    }
-    exports2.valid = valid4;
-    function valid4(version, options) {
+    exports2.valid = valid3;
+    function valid3(version, options) {
      var v = parse2(version, options);
      return v ? v.version : null;
    }
@@ -32950,8 +32950,8 @@ var require_semver3 = __commonJS({
      var versionB = new SemVer(b, loose);
      return versionA.compare(versionB) || versionA.compareBuild(versionB);
    }
-    exports2.rcompare = rcompare3;
-    function rcompare3(a, b, loose) {
+    exports2.rcompare = rcompare;
+    function rcompare(a, b, loose) {
      return compare2(b, a, loose);
    }
    exports2.sort = sort;
@@ -33779,7 +33779,7 @@ var require_cacheUtils = __commonJS({
    var crypto2 = __importStar2(require("crypto"));
    var fs8 = __importStar2(require("fs"));
    var path9 = __importStar2(require("path"));
-    var semver10 = __importStar2(require_semver3());
+    var semver9 = __importStar2(require_semver3());
    var util = __importStar2(require("util"));
    var constants_1 = require_constants7();
    var versionSalt = "1.0";
@@ -33872,7 +33872,7 @@ var require_cacheUtils = __commonJS({
    function getCompressionMethod() {
      return __awaiter2(this, void 0, void 0, function* () {
        const versionOutput = yield getVersion("zstd", ["--quiet"]);
-        const version = semver10.clean(versionOutput);
+        const version = semver9.clean(versionOutput);
        core15.debug(`zstd version: ${version}`);
        if (versionOutput === "") {
          return constants_1.CompressionMethod.Gzip;
@@ -75278,7 +75278,7 @@ var require_cacheHttpClient = __commonJS({
    exports2.getCacheEntry = getCacheEntry;
    exports2.downloadCache = downloadCache;
    exports2.reserveCache = reserveCache;
-    exports2.saveCache = saveCache4;
+    exports2.saveCache = saveCache3;
    var core15 = __importStar2(require_core());
    var http_client_1 = require_lib();
    var auth_1 = require_auth();
@@ -75455,7 +75455,7 @@ Other caches with similar key:`);
        }));
      });
    }
-    function saveCache4(cacheId, archivePath, signedUploadURL, options) {
+    function saveCache3(cacheId, archivePath, signedUploadURL, options) {
      return __awaiter2(this, void 0, void 0, function* () {
        const uploadOptions = (0, options_1.getUploadOptions)(options);
        if (uploadOptions.useAzureSdk) {
@@ -80955,8 +80955,8 @@ var require_cache4 = __commonJS({
    Object.defineProperty(exports2, "__esModule", { value: true });
    exports2.FinalizeCacheError = exports2.ReserveCacheError = exports2.ValidationError = void 0;
    exports2.isFeatureAvailable = isFeatureAvailable;
-    exports2.restoreCache = restoreCache4;
-    exports2.saveCache = saveCache4;
+    exports2.restoreCache = restoreCache3;
+    exports2.saveCache = saveCache3;
    var core15 = __importStar2(require_core());
    var path9 = __importStar2(require("path"));
    var utils = __importStar2(require_cacheUtils());
@@ -81013,7 +81013,7 @@ var require_cache4 = __commonJS({
          return !!process.env["ACTIONS_CACHE_URL"];
      }
    }
-    function restoreCache4(paths_1, primaryKey_1, restoreKeys_1, options_1) {
+    function restoreCache3(paths_1, primaryKey_1, restoreKeys_1, options_1) {
      return __awaiter2(this, arguments, void 0, function* (paths, primaryKey, restoreKeys, options, enableCrossOsArchive = false) {
        const cacheServiceVersion = (0, config_1.getCacheServiceVersion)();
        core15.debug(`Cache service version: ${cacheServiceVersion}`);
@@ -81157,7 +81157,7 @@ var require_cache4 = __commonJS({
        return void 0;
      });
    }
-    function saveCache4(paths_1, key_1, options_1) {
+    function saveCache3(paths_1, key_1, options_1) {
      return __awaiter2(this, arguments, void 0, function* (paths, key, options, enableCrossOsArchive = false) {
        const cacheServiceVersion = (0, config_1.getCacheServiceVersion)();
        core15.debug(`Cache service version: ${cacheServiceVersion}`);
@@ -81394,7 +81394,7 @@ var require_manifest = __commonJS({
    exports2._findMatch = _findMatch;
    exports2._getOsVersion = _getOsVersion;
    exports2._readLinuxVersionFile = _readLinuxVersionFile;
-    var semver10 = __importStar2(require_semver2());
+    var semver9 = __importStar2(require_semver2());
    var core_1 = require_core();
    var os2 = require("os");
    var cp = require("child_process");
@@ -81408,7 +81408,7 @@ var require_manifest = __commonJS({
        for (const candidate of candidates) {
          const version = candidate.version;
          (0, core_1.debug)(`check ${version} satisfies ${versionSpec}`);
-          if (semver10.satisfies(version, versionSpec) && (!stable || candidate.stable === stable)) {
+          if (semver9.satisfies(version, versionSpec) && (!stable || candidate.stable === stable)) {
            file = candidate.files.find((item) => {
              (0, core_1.debug)(`${item.arch}===${archFilter} && ${item.platform}===${platFilter}`);
              let chk = item.arch === archFilter && item.platform === platFilter;
@@ -81417,7 +81417,7 @@ var require_manifest = __commonJS({
                if (osVersion === item.platform_version) {
                  chk = true;
                } else {
-                  chk = semver10.satisfies(osVersion, item.platform_version);
+                  chk = semver9.satisfies(osVersion, item.platform_version);
                }
              }
              return chk;
@@ -81677,7 +81677,7 @@ var require_tool_cache = __commonJS({
    var os2 = __importStar2(require("os"));
    var path9 = __importStar2(require("path"));
    var httpm = __importStar2(require_lib());
-    var semver10 = __importStar2(require_semver2());
+    var semver9 = __importStar2(require_semver2());
    var stream = __importStar2(require("stream"));
    var util = __importStar2(require("util"));
    var assert_1 = require("assert");
@@ -81950,7 +81950,7 @@ var require_tool_cache = __commonJS({
    }
    function cacheDir(sourceDir, tool, version, arch) {
      return __awaiter2(this, void 0, void 0, function* () {
-        version = semver10.clean(version) || version;
+        version = semver9.clean(version) || version;
        arch = arch || os2.arch();
        core15.debug(`Caching tool ${tool} ${version} ${arch}`);
        core15.debug(`source dir: ${sourceDir}`);
@@ -81968,7 +81968,7 @@ var require_tool_cache = __commonJS({
    }
    function cacheFile(sourceFile, targetFile, tool, version, arch) {
      return __awaiter2(this, void 0, void 0, function* () {
-        version = semver10.clean(version) || version;
+        version = semver9.clean(version) || version;
        arch = arch || os2.arch();
        core15.debug(`Caching tool ${tool} ${version} ${arch}`);
        core15.debug(`source file: ${sourceFile}`);
@@ -81998,7 +81998,7 @@ var require_tool_cache = __commonJS({
      }
      let toolPath = "";
      if (versionSpec) {
-        versionSpec = semver10.clean(versionSpec) || "";
+        versionSpec = semver9.clean(versionSpec) || "";
        const cachePath = path9.join(_getCacheDirectory(), toolName, versionSpec, arch);
        core15.debug(`checking cache: ${cachePath}`);
        if (fs8.existsSync(cachePath) && fs8.existsSync(`${cachePath}.complete`)) {
@@ -82078,7 +82078,7 @@ var require_tool_cache = __commonJS({
    }
    function _createToolPath(tool, version, arch) {
      return __awaiter2(this, void 0, void 0, function* () {
-        const folderPath = path9.join(_getCacheDirectory(), tool, semver10.clean(version) || version, arch || "");
+        const folderPath = path9.join(_getCacheDirectory(), tool, semver9.clean(version) || version, arch || "");
        core15.debug(`destination ${folderPath}`);
        const markerPath = `${folderPath}.complete`;
        yield io5.rmRF(folderPath);
@@ -82088,30 +82088,30 @@ var require_tool_cache = __commonJS({
      });
    }
    function _completeToolPath(tool, version, arch) {
-      const folderPath = path9.join(_getCacheDirectory(), tool, semver10.clean(version) || version, arch || "");
+      const folderPath = path9.join(_getCacheDirectory(), tool, semver9.clean(version) || version, arch || "");
      const markerPath = `${folderPath}.complete`;
      fs8.writeFileSync(markerPath, "");
      core15.debug("finished caching tool");
    }
    function isExplicitVersion(versionSpec) {
-      const c = semver10.clean(versionSpec) || "";
+      const c = semver9.clean(versionSpec) || "";
      core15.debug(`isExplicit: ${c}`);
-      const valid4 = semver10.valid(c) != null;
-      core15.debug(`explicit? ${valid4}`);
-      return valid4;
+      const valid3 = semver9.valid(c) != null;
+      core15.debug(`explicit? ${valid3}`);
+      return valid3;
    }
    function evaluateVersions(versions, versionSpec) {
      let version = "";
      core15.debug(`evaluating ${versions.length} versions`);
      versions = versions.sort((a, b) => {
-        if (semver10.gt(a, b)) {
+        if (semver9.gt(a, b)) {
          return 1;
        }
        return -1;
      });
      for (let i = versions.length - 1; i >= 0; i--) {
        const potential = versions[i];
-        const satisfied = semver10.satisfies(potential, versionSpec);
+        const satisfied = semver9.satisfies(potential, versionSpec);
        if (satisfied) {
          version = potential;
          break;
@@ -86171,59 +86171,10 @@ var fs5 = __toESM(require("fs"));
 var path6 = __toESM(require("path"));
 var core9 = __toESM(require_core());

-// src/analyses.ts
-var AnalysisKind = /* @__PURE__ */ ((AnalysisKind2) => {
-  AnalysisKind2["CodeScanning"] = "code-scanning";
-  AnalysisKind2["CodeQuality"] = "code-quality";
-  AnalysisKind2["RiskAssessment"] = "risk-assessment";
-  return AnalysisKind2;
-})(AnalysisKind || {});
-var supportedAnalysisKinds = new Set(Object.values(AnalysisKind));
-
-// src/caching-utils.ts
-var core6 = __toESM(require_core());
-
-// src/config/db-config.ts
-var jsonschema = __toESM(require_lib2());
-var semver2 = __toESM(require_semver2());
-
-// src/feature-flags/properties.ts
-var RepositoryPropertyName = /* @__PURE__ */ ((RepositoryPropertyName2) => {
-  RepositoryPropertyName2["DISABLE_OVERLAY"] = "github-codeql-disable-overlay";
-  RepositoryPropertyName2["EXTRA_QUERIES"] = "github-codeql-extra-queries";
-  RepositoryPropertyName2["FILE_COVERAGE_ON_PRS"] = "github-codeql-file-coverage-on-prs";
-  return RepositoryPropertyName2;
-})(RepositoryPropertyName || {});
-var KNOWN_REPOSITORY_PROPERTY_NAMES = new Set(
-  Object.values(RepositoryPropertyName)
-);
-
-// src/config/db-config.ts
-var PACK_IDENTIFIER_PATTERN = (function() {
-  const alphaNumeric = "[a-z0-9]";
-  const alphaNumericDash = "[a-z0-9-]";
-  const component = `${alphaNumeric}(${alphaNumericDash}*${alphaNumeric})?`;
-  return new RegExp(`^${component}/${component}$`);
-})();
-
-// src/logging.ts
-var core7 = __toESM(require_core());
-function getActionsLogger() {
-  return {
-    debug: core7.debug,
-    info: core7.info,
-    warning: core7.warning,
-    error: core7.error,
-    isDebug: core7.isDebug,
-    startGroup: core7.startGroup,
-    endGroup: core7.endGroup
-  };
-}
-
 // src/feature-flags.ts
 var fs4 = __toESM(require("fs"));
 var path5 = __toESM(require("path"));
-var semver5 = __toESM(require_semver2());
+var semver4 = __toESM(require_semver2());

 // src/defaults.json
 var bundleVersion = "codeql-bundle-v2.25.4";
@@ -86236,14 +86187,14 @@ var path4 = __toESM(require("path"));
 // src/git-utils.ts
 var fs2 = __toESM(require("fs"));
 var path3 = __toESM(require("path"));
-var core8 = __toESM(require_core());
+var core6 = __toESM(require_core());
 var toolrunner2 = __toESM(require_toolrunner());
 var io3 = __toESM(require_io());
-var semver3 = __toESM(require_semver2());
+var semver2 = __toESM(require_semver2());
 var runGitCommand = async function(workingDirectory, args, customErrorMessage, options) {
  let stdout = "";
  let stderr = "";
-  core8.debug(`Running git command: git ${args.join(" ")}`);
+  core6.debug(`Running git command: git ${args.join(" ")}`);
  try {
    await new toolrunner2.ToolRunner(await io3.which("git", true), args, {
      silent: true,
@@ -86264,7 +86215,7 @@ var runGitCommand = async function(workingDirectory, args, customErrorMessage, o
    if (stderr.includes("not a git repository")) {
      reason = "The checkout path provided to the action does not appear to be a git repository.";
    }
-    core8.info(`git call failed. ${customErrorMessage} Error: ${reason}`);
+    core6.info(`git call failed. ${customErrorMessage} Error: ${reason}`);
    throw error3;
  }
 };
@@ -86393,7 +86344,7 @@ async function getRef() {
  ) !== head;
  if (hasChangedRef) {
    const newRef = ref.replace(pull_ref_regex, "refs/pull/$1/head");
-    core8.debug(
+    core6.debug(
      `No longer on merge commit, rewriting ref from ${ref} to ${newRef}.`
    );
    return newRef;
@@ -86530,7 +86481,7 @@ async function getDiffRangeFilePaths(sourceRoot, logger) {
 }

 // src/tools-features.ts
-var semver4 = __toESM(require_semver2());
+var semver3 = __toESM(require_semver2());
 function isSupportedToolsFeature(versionInfo, feature) {
  return !!versionInfo.features && versionInfo.features[feature];
 }
@@ -86538,11 +86489,12 @@ function isSupportedToolsFeature(versionInfo, feature) {
 // src/feature-flags.ts
 var DEFAULT_VERSION_FEATURE_FLAG_PREFIX = "default_codeql_version_";
 var DEFAULT_VERSION_FEATURE_FLAG_SUFFIX = "_enabled";
-var LINKED_CODEQL_VERSION = {
-  cliVersion,
-  tagName: bundleVersion
-};
 var featureConfig = {
+  ["allow_multiple_analysis_kinds" /* AllowMultipleAnalysisKinds */]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_ALLOW_MULTIPLE_ANALYSIS_KINDS",
+    minimumVersion: void 0
+  },
  ["allow_toolcache_input" /* AllowToolcacheInput */]: {
    defaultValue: false,
    envVar: "CODEQL_ACTION_ALLOW_TOOLCACHE_INPUT",
@@ -86696,16 +86648,6 @@ var featureConfig = {
    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_DISABLE_TRAP_CACHING",
    minimumVersion: void 0
  },
-  ["overlay_analysis_match_codeql_version" /* OverlayAnalysisMatchCodeqlVersion */]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_MATCH_CODEQL_VERSION",
-    minimumVersion: void 0
-  },
-  ["overlay_analysis_match_codeql_version_dry_run" /* OverlayAnalysisMatchCodeqlVersionDryRun */]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_MATCH_CODEQL_VERSION_DRY_RUN",
-    minimumVersion: void 0
-  },
  ["overlay_analysis_resource_checks_v2" /* OverlayAnalysisResourceChecksV2 */]: {
    defaultValue: false,
    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_RESOURCE_CHECKS_V2",
@@ -86766,9 +86708,10 @@ var OfflineFeatures = class {
    this.logger = logger;
  }
  logger;
-  async getEnabledDefaultCliVersions(_variant) {
+  async getDefaultCliVersion(_variant) {
    return {
-      enabledVersions: [LINKED_CODEQL_VERSION]
+      cliVersion,
+      tagName: bundleVersion
    };
  }
  /**
@@ -86873,11 +86816,11 @@ var Features = class extends OfflineFeatures {
      logger
    );
  }
-  async getEnabledDefaultCliVersions(variant) {
+  async getDefaultCliVersion(variant) {
    if (supportsFeatureFlags(variant)) {
-      return await this.gitHubFeatureFlags.getEnabledDefaultCliVersionsFromFlags();
+      return await this.gitHubFeatureFlags.getDefaultCliVersionFromFlags();
    }
-    return super.getEnabledDefaultCliVersions(variant);
+    return super.getDefaultCliVersion(variant);
  }
  /**
   *
@@ -86928,7 +86871,7 @@ var GitHubFeatureFlags = class {
      DEFAULT_VERSION_FEATURE_FLAG_PREFIX.length,
      f.length - DEFAULT_VERSION_FEATURE_FLAG_SUFFIX.length
    ).replace(/_/g, ".");
-    if (!semver5.valid(version)) {
+    if (!semver4.valid(version)) {
      this.logger.warning(
        `Ignoring feature flag ${f} as it does not specify a valid CodeQL version.`
      );
@@ -86936,36 +86879,34 @@ var GitHubFeatureFlags = class {
    }
    return version;
  }
-  /**
-   * Returns CLI versions enabled by `default_codeql_version_*_enabled` feature
-   * flags, sorted from highest to lowest. Falls back to the version pinned in
-   * `defaults.json` if no such flags are enabled.
-   */
-  async getEnabledDefaultCliVersionsFromFlags() {
+  async getDefaultCliVersionFromFlags() {
    const response = await this.getAllFeatures();
-    const sortedCliVersions = Object.entries(response).map(
+    const enabledFeatureFlagCliVersions = Object.entries(response).map(
      ([f, isEnabled]) => isEnabled ? this.getCliVersionFromFeatureFlag(f) : void 0
-    ).filter((f) => f !== void 0).sort(semver5.rcompare);
-    if (sortedCliVersions.length === 0) {
+    ).filter((f) => f !== void 0);
+    if (enabledFeatureFlagCliVersions.length === 0) {
      this.logger.warning(
        `Feature flags do not specify a default CLI version. Falling back to the CLI version shipped with the Action. This is ${cliVersion}.`
      );
      const result = {
-        enabledVersions: [LINKED_CODEQL_VERSION]
+        cliVersion,
+        tagName: bundleVersion
      };
      if (this.hasAccessedRemoteFeatureFlags) {
        result.toolsFeatureFlagsValid = false;
      }
      return result;
    }
+    const maxCliVersion = enabledFeatureFlagCliVersions.reduce(
+      (maxVersion, currentVersion) => currentVersion > maxVersion ? currentVersion : maxVersion,
+      enabledFeatureFlagCliVersions[0]
+    );
    this.logger.debug(
-      `Derived default CLI version of ${sortedCliVersions[0]} from feature flags.`
+      `Derived default CLI version of ${maxCliVersion} from feature flags.`
    );
    return {
-      enabledVersions: sortedCliVersions.map((cliVersion2) => ({
-        cliVersion: cliVersion2,
-        tagName: `codeql-bundle-v${cliVersion2}`
-      })),
+      cliVersion: maxCliVersion,
+      tagName: `codeql-bundle-v${maxCliVersion}`,
      toolsFeatureFlagsValid: true
    };
  }
@@ -87089,6 +87030,55 @@ function initFeatures(gitHubVersion, repositoryNwo, tempDir, logger) {
  }
 }

+// src/analyses.ts
+var AnalysisKind = /* @__PURE__ */ ((AnalysisKind2) => {
+  AnalysisKind2["CodeScanning"] = "code-scanning";
+  AnalysisKind2["CodeQuality"] = "code-quality";
+  AnalysisKind2["RiskAssessment"] = "risk-assessment";
+  return AnalysisKind2;
+})(AnalysisKind || {});
+var supportedAnalysisKinds = new Set(Object.values(AnalysisKind));
+
+// src/caching-utils.ts
+var core7 = __toESM(require_core());
+
+// src/config/db-config.ts
+var jsonschema = __toESM(require_lib2());
+var semver5 = __toESM(require_semver2());
+
+// src/feature-flags/properties.ts
+var RepositoryPropertyName = /* @__PURE__ */ ((RepositoryPropertyName2) => {
+  RepositoryPropertyName2["DISABLE_OVERLAY"] = "github-codeql-disable-overlay";
+  RepositoryPropertyName2["EXTRA_QUERIES"] = "github-codeql-extra-queries";
+  RepositoryPropertyName2["FILE_COVERAGE_ON_PRS"] = "github-codeql-file-coverage-on-prs";
+  return RepositoryPropertyName2;
+})(RepositoryPropertyName || {});
+var KNOWN_REPOSITORY_PROPERTY_NAMES = new Set(
+  Object.values(RepositoryPropertyName)
+);
+
+// src/config/db-config.ts
+var PACK_IDENTIFIER_PATTERN = (function() {
+  const alphaNumeric = "[a-z0-9]";
+  const alphaNumericDash = "[a-z0-9-]";
+  const component = `${alphaNumeric}(${alphaNumericDash}*${alphaNumeric})?`;
+  return new RegExp(`^${component}/${component}$`);
+})();
+
+// src/logging.ts
+var core8 = __toESM(require_core());
+function getActionsLogger() {
+  return {
+    debug: core8.debug,
+    info: core8.info,
+    warning: core8.warning,
+    error: core8.error,
+    isDebug: core8.isDebug,
+    startGroup: core8.startGroup,
+    endGroup: core8.endGroup
+  };
+}
+
 // src/languages/builtin.json
 var builtin_default = {
  languages: [
@@ -87195,26 +87185,20 @@ function appendExtraQueryExclusions(extraQueryExclusions, cliConfig) {
 // src/setup-codeql.ts
 var toolcache3 = __toESM(require_tool_cache());
 var import_fast_deep_equal = __toESM(require_fast_deep_equal());
-var semver9 = __toESM(require_semver2());
-
-// src/overlay/caching.ts
-var actionsCache3 = __toESM(require_cache4());
-var semver6 = __toESM(require_semver2());
-var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB = 7500;
-var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_BYTES = OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB * 1e6;
+var semver8 = __toESM(require_semver2());

 // src/tar.ts
 var import_toolrunner = __toESM(require_toolrunner());
 var io4 = __toESM(require_io());
 var toolcache = __toESM(require_tool_cache());
-var semver7 = __toESM(require_semver2());
+var semver6 = __toESM(require_semver2());

 // src/tools-download.ts
 var core10 = __toESM(require_core());
 var import_http_client = __toESM(require_lib());
 var toolcache2 = __toESM(require_tool_cache());
 var import_follow_redirects = __toESM(require_follow_redirects());
-var semver8 = __toESM(require_semver2());
+var semver7 = __toESM(require_semver2());
 var STREAMING_HIGH_WATERMARK_BYTES = 4 * 1024 * 1024;

 // src/tracer-config.ts
@@ -26352,11 +26352,11 @@ var require_valid = __commonJS({
  "node_modules/semver/functions/valid.js"(exports2, module2) {
    "use strict";
    var parse2 = require_parse2();
-    var valid4 = (version, options) => {
+    var valid3 = (version, options) => {
      const v = parse2(version, options);
      return v ? v.version : null;
    };
-    module2.exports = valid4;
+    module2.exports = valid3;
  }
 });

@@ -26499,8 +26499,8 @@ var require_rcompare = __commonJS({
  "node_modules/semver/functions/rcompare.js"(exports2, module2) {
    "use strict";
    var compare2 = require_compare();
-    var rcompare3 = (a, b, loose) => compare2(b, a, loose);
-    module2.exports = rcompare3;
+    var rcompare = (a, b, loose) => compare2(b, a, loose);
+    module2.exports = rcompare;
  }
 });

@@ -27716,7 +27716,7 @@ var require_semver2 = __commonJS({
    var SemVer = require_semver();
    var identifiers = require_identifiers();
    var parse2 = require_parse2();
-    var valid4 = require_valid();
+    var valid3 = require_valid();
    var clean3 = require_clean();
    var inc = require_inc();
    var diff = require_diff();
@@ -27725,7 +27725,7 @@ var require_semver2 = __commonJS({
    var patch = require_patch();
    var prerelease = require_prerelease();
    var compare2 = require_compare();
-    var rcompare3 = require_rcompare();
+    var rcompare = require_rcompare();
    var compareLoose = require_compare_loose();
    var compareBuild = require_compare_build();
    var sort = require_sort();
@@ -27754,7 +27754,7 @@ var require_semver2 = __commonJS({
    var subset = require_subset();
    module2.exports = {
      parse: parse2,
-      valid: valid4,
+      valid: valid3,
      clean: clean3,
      inc,
      diff,
@@ -27763,7 +27763,7 @@ var require_semver2 = __commonJS({
      patch,
      prerelease,
      compare: compare2,
-      rcompare: rcompare3,
+      rcompare,
      compareLoose,
      compareBuild,
      sort,
@@ -29553,16 +29553,16 @@ var require_attribute = __commonJS({
      var result = new ValidatorResult(instance, schema2, options, ctx);
      var self2 = this;
      schema2.allOf.forEach(function(v, i) {
-        var valid4 = self2.validateSchema(instance, v, options, ctx);
-        if (!valid4.valid) {
+        var valid3 = self2.validateSchema(instance, v, options, ctx);
+        if (!valid3.valid) {
          var id = v.$id || v.id;
          var msg = id || v.title && JSON.stringify(v.title) || v["$ref"] && "<" + v["$ref"] + ">" || "[subschema " + i + "]";
          result.addError({
            name: "allOf",
-            argument: { id: msg, length: valid4.errors.length, valid: valid4 },
-            message: "does not match allOf schema " + msg + " with " + valid4.errors.length + " error[s]:"
+            argument: { id: msg, length: valid3.errors.length, valid: valid3 },
+            message: "does not match allOf schema " + msg + " with " + valid3.errors.length + " error[s]:"
          });
-          result.importErrors(valid4);
+          result.importErrors(valid3);
        }
      });
      return result;
@@ -29851,8 +29851,8 @@ var require_attribute = __commonJS({
      if (typeof schema2.exclusiveMinimum === "boolean") return;
      if (!this.types.number(instance)) return;
      var result = new ValidatorResult(instance, schema2, options, ctx);
-      var valid4 = instance > schema2.exclusiveMinimum;
-      if (!valid4) {
+      var valid3 = instance > schema2.exclusiveMinimum;
+      if (!valid3) {
        result.addError({
          name: "exclusiveMinimum",
          argument: schema2.exclusiveMinimum,
@@ -29865,8 +29865,8 @@ var require_attribute = __commonJS({
      if (typeof schema2.exclusiveMaximum === "boolean") return;
      if (!this.types.number(instance)) return;
      var result = new ValidatorResult(instance, schema2, options, ctx);
-      var valid4 = instance < schema2.exclusiveMaximum;
-      if (!valid4) {
+      var valid3 = instance < schema2.exclusiveMaximum;
+      if (!valid3) {
        result.addError({
          name: "exclusiveMaximum",
          argument: schema2.exclusiveMaximum,
@@ -32649,8 +32649,8 @@ var require_semver3 = __commonJS({
        return null;
      }
    }
-    exports2.valid = valid4;
-    function valid4(version, options) {
+    exports2.valid = valid3;
+    function valid3(version, options) {
      var v = parse2(version, options);
      return v ? v.version : null;
    }
@@ -32950,8 +32950,8 @@ var require_semver3 = __commonJS({
      var versionB = new SemVer(b, loose);
      return versionA.compare(versionB) || versionA.compareBuild(versionB);
    }
-    exports2.rcompare = rcompare3;
-    function rcompare3(a, b, loose) {
+    exports2.rcompare = rcompare;
+    function rcompare(a, b, loose) {
      return compare2(b, a, loose);
    }
    exports2.sort = sort;
@@ -33779,7 +33779,7 @@ var require_cacheUtils = __commonJS({
    var crypto2 = __importStar2(require("crypto"));
    var fs6 = __importStar2(require("fs"));
    var path7 = __importStar2(require("path"));
-    var semver10 = __importStar2(require_semver3());
+    var semver9 = __importStar2(require_semver3());
    var util = __importStar2(require("util"));
    var constants_1 = require_constants7();
    var versionSalt = "1.0";
@@ -33872,7 +33872,7 @@ var require_cacheUtils = __commonJS({
    function getCompressionMethod() {
      return __awaiter2(this, void 0, void 0, function* () {
        const versionOutput = yield getVersion("zstd", ["--quiet"]);
-        const version = semver10.clean(versionOutput);
+        const version = semver9.clean(versionOutput);
        core14.debug(`zstd version: ${version}`);
        if (versionOutput === "") {
          return constants_1.CompressionMethod.Gzip;
@@ -75278,7 +75278,7 @@ var require_cacheHttpClient = __commonJS({
    exports2.getCacheEntry = getCacheEntry;
    exports2.downloadCache = downloadCache;
    exports2.reserveCache = reserveCache;
-    exports2.saveCache = saveCache4;
+    exports2.saveCache = saveCache3;
    var core14 = __importStar2(require_core());
    var http_client_1 = require_lib();
    var auth_1 = require_auth();
@@ -75455,7 +75455,7 @@ Other caches with similar key:`);
        }));
      });
    }
-    function saveCache4(cacheId, archivePath, signedUploadURL, options) {
+    function saveCache3(cacheId, archivePath, signedUploadURL, options) {
      return __awaiter2(this, void 0, void 0, function* () {
        const uploadOptions = (0, options_1.getUploadOptions)(options);
        if (uploadOptions.useAzureSdk) {
@@ -80955,8 +80955,8 @@ var require_cache4 = __commonJS({
    Object.defineProperty(exports2, "__esModule", { value: true });
    exports2.FinalizeCacheError = exports2.ReserveCacheError = exports2.ValidationError = void 0;
    exports2.isFeatureAvailable = isFeatureAvailable;
-    exports2.restoreCache = restoreCache4;
-    exports2.saveCache = saveCache4;
+    exports2.restoreCache = restoreCache3;
+    exports2.saveCache = saveCache3;
    var core14 = __importStar2(require_core());
    var path7 = __importStar2(require("path"));
    var utils = __importStar2(require_cacheUtils());
@@ -81013,7 +81013,7 @@ var require_cache4 = __commonJS({
          return !!process.env["ACTIONS_CACHE_URL"];
      }
    }
-    function restoreCache4(paths_1, primaryKey_1, restoreKeys_1, options_1) {
+    function restoreCache3(paths_1, primaryKey_1, restoreKeys_1, options_1) {
      return __awaiter2(this, arguments, void 0, function* (paths, primaryKey, restoreKeys, options, enableCrossOsArchive = false) {
        const cacheServiceVersion = (0, config_1.getCacheServiceVersion)();
        core14.debug(`Cache service version: ${cacheServiceVersion}`);
@@ -81157,7 +81157,7 @@ var require_cache4 = __commonJS({
        return void 0;
      });
    }
-    function saveCache4(paths_1, key_1, options_1) {
+    function saveCache3(paths_1, key_1, options_1) {
      return __awaiter2(this, arguments, void 0, function* (paths, key, options, enableCrossOsArchive = false) {
        const cacheServiceVersion = (0, config_1.getCacheServiceVersion)();
        core14.debug(`Cache service version: ${cacheServiceVersion}`);
@@ -81394,7 +81394,7 @@ var require_manifest = __commonJS({
    exports2._findMatch = _findMatch;
    exports2._getOsVersion = _getOsVersion;
    exports2._readLinuxVersionFile = _readLinuxVersionFile;
-    var semver10 = __importStar2(require_semver2());
+    var semver9 = __importStar2(require_semver2());
    var core_1 = require_core();
    var os2 = require("os");
    var cp = require("child_process");
@@ -81408,7 +81408,7 @@ var require_manifest = __commonJS({
        for (const candidate of candidates) {
          const version = candidate.version;
          (0, core_1.debug)(`check ${version} satisfies ${versionSpec}`);
-          if (semver10.satisfies(version, versionSpec) && (!stable || candidate.stable === stable)) {
+          if (semver9.satisfies(version, versionSpec) && (!stable || candidate.stable === stable)) {
            file = candidate.files.find((item) => {
              (0, core_1.debug)(`${item.arch}===${archFilter} && ${item.platform}===${platFilter}`);
              let chk = item.arch === archFilter && item.platform === platFilter;
@@ -81417,7 +81417,7 @@ var require_manifest = __commonJS({
                if (osVersion === item.platform_version) {
                  chk = true;
                } else {
-                  chk = semver10.satisfies(osVersion, item.platform_version);
+                  chk = semver9.satisfies(osVersion, item.platform_version);
                }
              }
              return chk;
@@ -81677,7 +81677,7 @@ var require_tool_cache = __commonJS({
    var os2 = __importStar2(require("os"));
    var path7 = __importStar2(require("path"));
    var httpm = __importStar2(require_lib());
-    var semver10 = __importStar2(require_semver2());
+    var semver9 = __importStar2(require_semver2());
    var stream = __importStar2(require("stream"));
    var util = __importStar2(require("util"));
    var assert_1 = require("assert");
@@ -81950,7 +81950,7 @@ var require_tool_cache = __commonJS({
    }
    function cacheDir(sourceDir, tool, version, arch) {
      return __awaiter2(this, void 0, void 0, function* () {
-        version = semver10.clean(version) || version;
+        version = semver9.clean(version) || version;
        arch = arch || os2.arch();
        core14.debug(`Caching tool ${tool} ${version} ${arch}`);
        core14.debug(`source dir: ${sourceDir}`);
@@ -81968,7 +81968,7 @@ var require_tool_cache = __commonJS({
    }
    function cacheFile(sourceFile, targetFile, tool, version, arch) {
      return __awaiter2(this, void 0, void 0, function* () {
-        version = semver10.clean(version) || version;
+        version = semver9.clean(version) || version;
        arch = arch || os2.arch();
        core14.debug(`Caching tool ${tool} ${version} ${arch}`);
        core14.debug(`source file: ${sourceFile}`);
@@ -81998,7 +81998,7 @@ var require_tool_cache = __commonJS({
      }
      let toolPath = "";
      if (versionSpec) {
-        versionSpec = semver10.clean(versionSpec) || "";
+        versionSpec = semver9.clean(versionSpec) || "";
        const cachePath = path7.join(_getCacheDirectory(), toolName, versionSpec, arch);
        core14.debug(`checking cache: ${cachePath}`);
        if (fs6.existsSync(cachePath) && fs6.existsSync(`${cachePath}.complete`)) {
@@ -82078,7 +82078,7 @@ var require_tool_cache = __commonJS({
    }
    function _createToolPath(tool, version, arch) {
      return __awaiter2(this, void 0, void 0, function* () {
-        const folderPath = path7.join(_getCacheDirectory(), tool, semver10.clean(version) || version, arch || "");
+        const folderPath = path7.join(_getCacheDirectory(), tool, semver9.clean(version) || version, arch || "");
        core14.debug(`destination ${folderPath}`);
        const markerPath = `${folderPath}.complete`;
        yield io5.rmRF(folderPath);
@@ -82088,30 +82088,30 @@ var require_tool_cache = __commonJS({
      });
    }
    function _completeToolPath(tool, version, arch) {
-      const folderPath = path7.join(_getCacheDirectory(), tool, semver10.clean(version) || version, arch || "");
+      const folderPath = path7.join(_getCacheDirectory(), tool, semver9.clean(version) || version, arch || "");
      const markerPath = `${folderPath}.complete`;
      fs6.writeFileSync(markerPath, "");
      core14.debug("finished caching tool");
    }
    function isExplicitVersion(versionSpec) {
-      const c = semver10.clean(versionSpec) || "";
+      const c = semver9.clean(versionSpec) || "";
      core14.debug(`isExplicit: ${c}`);
-      const valid4 = semver10.valid(c) != null;
-      core14.debug(`explicit? ${valid4}`);
-      return valid4;
+      const valid3 = semver9.valid(c) != null;
+      core14.debug(`explicit? ${valid3}`);
+      return valid3;
    }
    function evaluateVersions(versions, versionSpec) {
      let version = "";
      core14.debug(`evaluating ${versions.length} versions`);
      versions = versions.sort((a, b) => {
-        if (semver10.gt(a, b)) {
+        if (semver9.gt(a, b)) {
          return 1;
        }
        return -1;
      });
      for (let i = versions.length - 1; i >= 0; i--) {
        const potential = versions[i];
-        const satisfied = semver10.satisfies(potential, versionSpec);
+        const satisfied = semver9.satisfies(potential, versionSpec);
        if (satisfied) {
          version = potential;
          break;
@@ -86170,57 +86170,8 @@ var fs4 = __toESM(require("fs"));
 var path5 = __toESM(require("path"));
 var core9 = __toESM(require_core());

-// src/analyses.ts
-var AnalysisKind = /* @__PURE__ */ ((AnalysisKind2) => {
-  AnalysisKind2["CodeScanning"] = "code-scanning";
-  AnalysisKind2["CodeQuality"] = "code-quality";
-  AnalysisKind2["RiskAssessment"] = "risk-assessment";
-  return AnalysisKind2;
-})(AnalysisKind || {});
-var supportedAnalysisKinds = new Set(Object.values(AnalysisKind));
-
-// src/caching-utils.ts
-var core6 = __toESM(require_core());
-
-// src/config/db-config.ts
-var jsonschema = __toESM(require_lib2());
-var semver2 = __toESM(require_semver2());
-
-// src/feature-flags/properties.ts
-var RepositoryPropertyName = /* @__PURE__ */ ((RepositoryPropertyName2) => {
-  RepositoryPropertyName2["DISABLE_OVERLAY"] = "github-codeql-disable-overlay";
-  RepositoryPropertyName2["EXTRA_QUERIES"] = "github-codeql-extra-queries";
-  RepositoryPropertyName2["FILE_COVERAGE_ON_PRS"] = "github-codeql-file-coverage-on-prs";
-  return RepositoryPropertyName2;
-})(RepositoryPropertyName || {});
-var KNOWN_REPOSITORY_PROPERTY_NAMES = new Set(
-  Object.values(RepositoryPropertyName)
-);
-
-// src/config/db-config.ts
-var PACK_IDENTIFIER_PATTERN = (function() {
-  const alphaNumeric = "[a-z0-9]";
-  const alphaNumericDash = "[a-z0-9-]";
-  const component = `${alphaNumeric}(${alphaNumericDash}*${alphaNumeric})?`;
-  return new RegExp(`^${component}/${component}$`);
-})();
-
-// src/logging.ts
-var core7 = __toESM(require_core());
-function getActionsLogger() {
-  return {
-    debug: core7.debug,
-    info: core7.info,
-    warning: core7.warning,
-    error: core7.error,
-    isDebug: core7.isDebug,
-    startGroup: core7.startGroup,
-    endGroup: core7.endGroup
-  };
-}
-
 // src/feature-flags.ts
-var semver5 = __toESM(require_semver2());
+var semver4 = __toESM(require_semver2());

 // src/overlay/index.ts
 var fs3 = __toESM(require("fs"));
@@ -86229,14 +86180,14 @@ var path4 = __toESM(require("path"));
 // src/git-utils.ts
 var fs2 = __toESM(require("fs"));
 var path3 = __toESM(require("path"));
-var core8 = __toESM(require_core());
+var core6 = __toESM(require_core());
 var toolrunner2 = __toESM(require_toolrunner());
 var io3 = __toESM(require_io());
-var semver3 = __toESM(require_semver2());
+var semver2 = __toESM(require_semver2());
 var runGitCommand = async function(workingDirectory, args, customErrorMessage, options) {
  let stdout = "";
  let stderr = "";
-  core8.debug(`Running git command: git ${args.join(" ")}`);
+  core6.debug(`Running git command: git ${args.join(" ")}`);
  try {
    await new toolrunner2.ToolRunner(await io3.which("git", true), args, {
      silent: true,
@@ -86257,7 +86208,7 @@ var runGitCommand = async function(workingDirectory, args, customErrorMessage, o
    if (stderr.includes("not a git repository")) {
      reason = "The checkout path provided to the action does not appear to be a git repository.";
    }
-    core8.info(`git call failed. ${customErrorMessage} Error: ${reason}`);
+    core6.info(`git call failed. ${customErrorMessage} Error: ${reason}`);
    throw error3;
  }
 };
@@ -86386,7 +86337,7 @@ async function getRef() {
  ) !== head;
  if (hasChangedRef) {
    const newRef = ref.replace(pull_ref_regex, "refs/pull/$1/head");
-    core8.debug(
+    core6.debug(
      `No longer on merge commit, rewriting ref from ${ref} to ${newRef}.`
    );
    return newRef;
@@ -86523,13 +86474,18 @@ async function getDiffRangeFilePaths(sourceRoot, logger) {
 }

 // src/tools-features.ts
-var semver4 = __toESM(require_semver2());
+var semver3 = __toESM(require_semver2());
 function isSupportedToolsFeature(versionInfo, feature) {
  return !!versionInfo.features && versionInfo.features[feature];
 }

 // src/feature-flags.ts
 var featureConfig = {
+  ["allow_multiple_analysis_kinds" /* AllowMultipleAnalysisKinds */]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_ALLOW_MULTIPLE_ANALYSIS_KINDS",
+    minimumVersion: void 0
+  },
  ["allow_toolcache_input" /* AllowToolcacheInput */]: {
    defaultValue: false,
    envVar: "CODEQL_ACTION_ALLOW_TOOLCACHE_INPUT",
@@ -86683,16 +86639,6 @@ var featureConfig = {
    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_DISABLE_TRAP_CACHING",
    minimumVersion: void 0
  },
-  ["overlay_analysis_match_codeql_version" /* OverlayAnalysisMatchCodeqlVersion */]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_MATCH_CODEQL_VERSION",
-    minimumVersion: void 0
-  },
-  ["overlay_analysis_match_codeql_version_dry_run" /* OverlayAnalysisMatchCodeqlVersionDryRun */]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_MATCH_CODEQL_VERSION_DRY_RUN",
-    minimumVersion: void 0
-  },
  ["overlay_analysis_resource_checks_v2" /* OverlayAnalysisResourceChecksV2 */]: {
    defaultValue: false,
    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_RESOURCE_CHECKS_V2",
@@ -86748,6 +86694,55 @@ var featureConfig = {
  }
 };

+// src/analyses.ts
+var AnalysisKind = /* @__PURE__ */ ((AnalysisKind2) => {
+  AnalysisKind2["CodeScanning"] = "code-scanning";
+  AnalysisKind2["CodeQuality"] = "code-quality";
+  AnalysisKind2["RiskAssessment"] = "risk-assessment";
+  return AnalysisKind2;
+})(AnalysisKind || {});
+var supportedAnalysisKinds = new Set(Object.values(AnalysisKind));
+
+// src/caching-utils.ts
+var core7 = __toESM(require_core());
+
+// src/config/db-config.ts
+var jsonschema = __toESM(require_lib2());
+var semver5 = __toESM(require_semver2());
+
+// src/feature-flags/properties.ts
+var RepositoryPropertyName = /* @__PURE__ */ ((RepositoryPropertyName2) => {
+  RepositoryPropertyName2["DISABLE_OVERLAY"] = "github-codeql-disable-overlay";
+  RepositoryPropertyName2["EXTRA_QUERIES"] = "github-codeql-extra-queries";
+  RepositoryPropertyName2["FILE_COVERAGE_ON_PRS"] = "github-codeql-file-coverage-on-prs";
+  return RepositoryPropertyName2;
+})(RepositoryPropertyName || {});
+var KNOWN_REPOSITORY_PROPERTY_NAMES = new Set(
+  Object.values(RepositoryPropertyName)
+);
+
+// src/config/db-config.ts
+var PACK_IDENTIFIER_PATTERN = (function() {
+  const alphaNumeric = "[a-z0-9]";
+  const alphaNumericDash = "[a-z0-9-]";
+  const component = `${alphaNumeric}(${alphaNumericDash}*${alphaNumeric})?`;
+  return new RegExp(`^${component}/${component}$`);
+})();
+
+// src/logging.ts
+var core8 = __toESM(require_core());
+function getActionsLogger() {
+  return {
+    debug: core8.debug,
+    info: core8.info,
+    warning: core8.warning,
+    error: core8.error,
+    isDebug: core8.isDebug,
+    startGroup: core8.startGroup,
+    endGroup: core8.endGroup
+  };
+}
+
 // src/languages/builtin.json
 var builtin_default = {
  languages: [
@@ -86860,26 +86855,20 @@ var toolrunner3 = __toESM(require_toolrunner());
 // src/setup-codeql.ts
 var toolcache3 = __toESM(require_tool_cache());
 var import_fast_deep_equal = __toESM(require_fast_deep_equal());
-var semver9 = __toESM(require_semver2());
-
-// src/overlay/caching.ts
-var actionsCache3 = __toESM(require_cache4());
-var semver6 = __toESM(require_semver2());
-var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB = 7500;
-var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_BYTES = OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB * 1e6;
+var semver8 = __toESM(require_semver2());

 // src/tar.ts
 var import_toolrunner = __toESM(require_toolrunner());
 var io4 = __toESM(require_io());
 var toolcache = __toESM(require_tool_cache());
-var semver7 = __toESM(require_semver2());
+var semver6 = __toESM(require_semver2());

 // src/tools-download.ts
 var core10 = __toESM(require_core());
 var import_http_client = __toESM(require_lib());
 var toolcache2 = __toESM(require_tool_cache());
 var import_follow_redirects = __toESM(require_follow_redirects());
-var semver8 = __toESM(require_semver2());
+var semver7 = __toESM(require_semver2());
 var STREAMING_HIGH_WATERMARK_BYTES = 4 * 1024 * 1024;

 // src/tracer-config.ts
@@ -26352,11 +26352,11 @@ var require_valid = __commonJS({
  "node_modules/semver/functions/valid.js"(exports2, module2) {
    "use strict";
    var parse2 = require_parse2();
-    var valid4 = (version, options) => {
+    var valid3 = (version, options) => {
      const v = parse2(version, options);
      return v ? v.version : null;
    };
-    module2.exports = valid4;
+    module2.exports = valid3;
  }
 });

@@ -26499,8 +26499,8 @@ var require_rcompare = __commonJS({
  "node_modules/semver/functions/rcompare.js"(exports2, module2) {
    "use strict";
    var compare2 = require_compare();
-    var rcompare3 = (a, b, loose) => compare2(b, a, loose);
-    module2.exports = rcompare3;
+    var rcompare = (a, b, loose) => compare2(b, a, loose);
+    module2.exports = rcompare;
  }
 });

@@ -27716,7 +27716,7 @@ var require_semver2 = __commonJS({
    var SemVer = require_semver();
    var identifiers = require_identifiers();
    var parse2 = require_parse2();
-    var valid4 = require_valid();
+    var valid3 = require_valid();
    var clean3 = require_clean();
    var inc = require_inc();
    var diff = require_diff();
@@ -27725,7 +27725,7 @@ var require_semver2 = __commonJS({
    var patch = require_patch();
    var prerelease = require_prerelease();
    var compare2 = require_compare();
-    var rcompare3 = require_rcompare();
+    var rcompare = require_rcompare();
    var compareLoose = require_compare_loose();
    var compareBuild = require_compare_build();
    var sort = require_sort();
@@ -27754,7 +27754,7 @@ var require_semver2 = __commonJS({
    var subset = require_subset();
    module2.exports = {
      parse: parse2,
-      valid: valid4,
+      valid: valid3,
      clean: clean3,
      inc,
      diff,
@@ -27763,7 +27763,7 @@ var require_semver2 = __commonJS({
      patch,
      prerelease,
      compare: compare2,
-      rcompare: rcompare3,
+      rcompare,
      compareLoose,
      compareBuild,
      sort,
@@ -29553,16 +29553,16 @@ var require_attribute = __commonJS({
      var result = new ValidatorResult(instance, schema2, options, ctx);
      var self2 = this;
      schema2.allOf.forEach(function(v, i) {
-        var valid4 = self2.validateSchema(instance, v, options, ctx);
-        if (!valid4.valid) {
+        var valid3 = self2.validateSchema(instance, v, options, ctx);
+        if (!valid3.valid) {
          var id = v.$id || v.id;
          var msg = id || v.title && JSON.stringify(v.title) || v["$ref"] && "<" + v["$ref"] + ">" || "[subschema " + i + "]";
          result.addError({
            name: "allOf",
-            argument: { id: msg, length: valid4.errors.length, valid: valid4 },
-            message: "does not match allOf schema " + msg + " with " + valid4.errors.length + " error[s]:"
+            argument: { id: msg, length: valid3.errors.length, valid: valid3 },
+            message: "does not match allOf schema " + msg + " with " + valid3.errors.length + " error[s]:"
          });
-          result.importErrors(valid4);
+          result.importErrors(valid3);
        }
      });
      return result;
@@ -29851,8 +29851,8 @@ var require_attribute = __commonJS({
      if (typeof schema2.exclusiveMinimum === "boolean") return;
      if (!this.types.number(instance)) return;
      var result = new ValidatorResult(instance, schema2, options, ctx);
-      var valid4 = instance > schema2.exclusiveMinimum;
-      if (!valid4) {
+      var valid3 = instance > schema2.exclusiveMinimum;
+      if (!valid3) {
        result.addError({
          name: "exclusiveMinimum",
          argument: schema2.exclusiveMinimum,
@@ -29865,8 +29865,8 @@ var require_attribute = __commonJS({
      if (typeof schema2.exclusiveMaximum === "boolean") return;
      if (!this.types.number(instance)) return;
      var result = new ValidatorResult(instance, schema2, options, ctx);
-      var valid4 = instance < schema2.exclusiveMaximum;
-      if (!valid4) {
+      var valid3 = instance < schema2.exclusiveMaximum;
+      if (!valid3) {
        result.addError({
          name: "exclusiveMaximum",
          argument: schema2.exclusiveMaximum,
@@ -32649,8 +32649,8 @@ var require_semver3 = __commonJS({
        return null;
      }
    }
-    exports2.valid = valid4;
-    function valid4(version, options) {
+    exports2.valid = valid3;
+    function valid3(version, options) {
      var v = parse2(version, options);
      return v ? v.version : null;
    }
@@ -32950,8 +32950,8 @@ var require_semver3 = __commonJS({
      var versionB = new SemVer(b, loose);
      return versionA.compare(versionB) || versionA.compareBuild(versionB);
    }
-    exports2.rcompare = rcompare3;
-    function rcompare3(a, b, loose) {
+    exports2.rcompare = rcompare;
+    function rcompare(a, b, loose) {
      return compare2(b, a, loose);
    }
    exports2.sort = sort;
@@ -33779,7 +33779,7 @@ var require_cacheUtils = __commonJS({
    var crypto2 = __importStar2(require("crypto"));
    var fs3 = __importStar2(require("fs"));
    var path4 = __importStar2(require("path"));
-    var semver10 = __importStar2(require_semver3());
+    var semver9 = __importStar2(require_semver3());
    var util = __importStar2(require("util"));
    var constants_1 = require_constants7();
    var versionSalt = "1.0";
@@ -33872,7 +33872,7 @@ var require_cacheUtils = __commonJS({
    function getCompressionMethod() {
      return __awaiter2(this, void 0, void 0, function* () {
        const versionOutput = yield getVersion("zstd", ["--quiet"]);
-        const version = semver10.clean(versionOutput);
+        const version = semver9.clean(versionOutput);
        core15.debug(`zstd version: ${version}`);
        if (versionOutput === "") {
          return constants_1.CompressionMethod.Gzip;
@@ -75278,7 +75278,7 @@ var require_cacheHttpClient = __commonJS({
    exports2.getCacheEntry = getCacheEntry;
    exports2.downloadCache = downloadCache;
    exports2.reserveCache = reserveCache;
-    exports2.saveCache = saveCache5;
+    exports2.saveCache = saveCache4;
    var core15 = __importStar2(require_core());
    var http_client_1 = require_lib();
    var auth_1 = require_auth();
@@ -75455,7 +75455,7 @@ Other caches with similar key:`);
        }));
      });
    }
-    function saveCache5(cacheId, archivePath, signedUploadURL, options) {
+    function saveCache4(cacheId, archivePath, signedUploadURL, options) {
      return __awaiter2(this, void 0, void 0, function* () {
        const uploadOptions = (0, options_1.getUploadOptions)(options);
        if (uploadOptions.useAzureSdk) {
@@ -80955,8 +80955,8 @@ var require_cache4 = __commonJS({
    Object.defineProperty(exports2, "__esModule", { value: true });
    exports2.FinalizeCacheError = exports2.ReserveCacheError = exports2.ValidationError = void 0;
    exports2.isFeatureAvailable = isFeatureAvailable;
-    exports2.restoreCache = restoreCache5;
-    exports2.saveCache = saveCache5;
+    exports2.restoreCache = restoreCache4;
+    exports2.saveCache = saveCache4;
    var core15 = __importStar2(require_core());
    var path4 = __importStar2(require("path"));
    var utils = __importStar2(require_cacheUtils());
@@ -81013,7 +81013,7 @@ var require_cache4 = __commonJS({
          return !!process.env["ACTIONS_CACHE_URL"];
      }
    }
-    function restoreCache5(paths_1, primaryKey_1, restoreKeys_1, options_1) {
+    function restoreCache4(paths_1, primaryKey_1, restoreKeys_1, options_1) {
      return __awaiter2(this, arguments, void 0, function* (paths, primaryKey, restoreKeys, options, enableCrossOsArchive = false) {
        const cacheServiceVersion = (0, config_1.getCacheServiceVersion)();
        core15.debug(`Cache service version: ${cacheServiceVersion}`);
@@ -81157,7 +81157,7 @@ var require_cache4 = __commonJS({
        return void 0;
      });
    }
-    function saveCache5(paths_1, key_1, options_1) {
+    function saveCache4(paths_1, key_1, options_1) {
      return __awaiter2(this, arguments, void 0, function* (paths, key, options, enableCrossOsArchive = false) {
        const cacheServiceVersion = (0, config_1.getCacheServiceVersion)();
        core15.debug(`Cache service version: ${cacheServiceVersion}`);
@@ -88437,7 +88437,7 @@ var require_stream_writable = __commonJS({
      pna.nextTick(cb, er);
    }
    function validChunk(stream, state, chunk, cb) {
-      var valid4 = true;
+      var valid3 = true;
      var er = false;
      if (chunk === null) {
        er = new TypeError("May not write null values to stream");
@@ -88447,9 +88447,9 @@ var require_stream_writable = __commonJS({
      if (er) {
        stream.emit("error", er);
        pna.nextTick(cb, er);
-        valid4 = false;
+        valid3 = false;
      }
-      return valid4;
+      return valid3;
    }
    Writable.prototype.write = function(chunk, encoding, cb) {
      var state = this._writableState;
@@ -122745,7 +122745,7 @@ var require_manifest = __commonJS({
    exports2._findMatch = _findMatch;
    exports2._getOsVersion = _getOsVersion;
    exports2._readLinuxVersionFile = _readLinuxVersionFile;
-    var semver10 = __importStar2(require_semver2());
+    var semver9 = __importStar2(require_semver2());
    var core_1 = require_core();
    var os2 = require("os");
    var cp = require("child_process");
@@ -122759,7 +122759,7 @@ var require_manifest = __commonJS({
        for (const candidate of candidates) {
          const version = candidate.version;
          (0, core_1.debug)(`check ${version} satisfies ${versionSpec}`);
-          if (semver10.satisfies(version, versionSpec) && (!stable || candidate.stable === stable)) {
+          if (semver9.satisfies(version, versionSpec) && (!stable || candidate.stable === stable)) {
            file = candidate.files.find((item) => {
              (0, core_1.debug)(`${item.arch}===${archFilter} && ${item.platform}===${platFilter}`);
              let chk = item.arch === archFilter && item.platform === platFilter;
@@ -122768,7 +122768,7 @@ var require_manifest = __commonJS({
                if (osVersion === item.platform_version) {
                  chk = true;
                } else {
-                  chk = semver10.satisfies(osVersion, item.platform_version);
+                  chk = semver9.satisfies(osVersion, item.platform_version);
                }
              }
              return chk;
@@ -123028,7 +123028,7 @@ var require_tool_cache = __commonJS({
    var os2 = __importStar2(require("os"));
    var path4 = __importStar2(require("path"));
    var httpm = __importStar2(require_lib());
-    var semver10 = __importStar2(require_semver2());
+    var semver9 = __importStar2(require_semver2());
    var stream = __importStar2(require("stream"));
    var util = __importStar2(require("util"));
    var assert_1 = require("assert");
@@ -123301,7 +123301,7 @@ var require_tool_cache = __commonJS({
    }
    function cacheDir(sourceDir, tool, version, arch) {
      return __awaiter2(this, void 0, void 0, function* () {
-        version = semver10.clean(version) || version;
+        version = semver9.clean(version) || version;
        arch = arch || os2.arch();
        core15.debug(`Caching tool ${tool} ${version} ${arch}`);
        core15.debug(`source dir: ${sourceDir}`);
@@ -123319,7 +123319,7 @@ var require_tool_cache = __commonJS({
    }
    function cacheFile(sourceFile, targetFile, tool, version, arch) {
      return __awaiter2(this, void 0, void 0, function* () {
-        version = semver10.clean(version) || version;
+        version = semver9.clean(version) || version;
        arch = arch || os2.arch();
        core15.debug(`Caching tool ${tool} ${version} ${arch}`);
        core15.debug(`source file: ${sourceFile}`);
@@ -123349,7 +123349,7 @@ var require_tool_cache = __commonJS({
      }
      let toolPath = "";
      if (versionSpec) {
-        versionSpec = semver10.clean(versionSpec) || "";
+        versionSpec = semver9.clean(versionSpec) || "";
        const cachePath = path4.join(_getCacheDirectory(), toolName, versionSpec, arch);
        core15.debug(`checking cache: ${cachePath}`);
        if (fs3.existsSync(cachePath) && fs3.existsSync(`${cachePath}.complete`)) {
@@ -123429,7 +123429,7 @@ var require_tool_cache = __commonJS({
    }
    function _createToolPath(tool, version, arch) {
      return __awaiter2(this, void 0, void 0, function* () {
-        const folderPath = path4.join(_getCacheDirectory(), tool, semver10.clean(version) || version, arch || "");
+        const folderPath = path4.join(_getCacheDirectory(), tool, semver9.clean(version) || version, arch || "");
        core15.debug(`destination ${folderPath}`);
        const markerPath = `${folderPath}.complete`;
        yield io6.rmRF(folderPath);
@@ -123439,30 +123439,30 @@ var require_tool_cache = __commonJS({
      });
    }
    function _completeToolPath(tool, version, arch) {
-      const folderPath = path4.join(_getCacheDirectory(), tool, semver10.clean(version) || version, arch || "");
+      const folderPath = path4.join(_getCacheDirectory(), tool, semver9.clean(version) || version, arch || "");
      const markerPath = `${folderPath}.complete`;
      fs3.writeFileSync(markerPath, "");
      core15.debug("finished caching tool");
    }
    function isExplicitVersion(versionSpec) {
-      const c = semver10.clean(versionSpec) || "";
+      const c = semver9.clean(versionSpec) || "";
      core15.debug(`isExplicit: ${c}`);
-      const valid4 = semver10.valid(c) != null;
-      core15.debug(`explicit? ${valid4}`);
-      return valid4;
+      const valid3 = semver9.valid(c) != null;
+      core15.debug(`explicit? ${valid3}`);
+      return valid3;
    }
    function evaluateVersions(versions, versionSpec) {
      let version = "";
      core15.debug(`evaluating ${versions.length} versions`);
      versions = versions.sort((a, b) => {
-        if (semver10.gt(a, b)) {
+        if (semver9.gt(a, b)) {
          return 1;
        }
        return -1;
      });
      for (let i = versions.length - 1; i >= 0; i--) {
        const potential = versions[i];
-        const satisfied = semver10.satisfies(potential, versionSpec);
+        const satisfied = semver9.satisfies(potential, versionSpec);
        if (satisfied) {
          version = potential;
          break;
@@ -126977,63 +126977,14 @@ var fs = __toESM(require("fs"));
 var path = __toESM(require("path"));
 var core9 = __toESM(require_core());

-// src/analyses.ts
-var AnalysisKind = /* @__PURE__ */ ((AnalysisKind2) => {
-  AnalysisKind2["CodeScanning"] = "code-scanning";
-  AnalysisKind2["CodeQuality"] = "code-quality";
-  AnalysisKind2["RiskAssessment"] = "risk-assessment";
-  return AnalysisKind2;
-})(AnalysisKind || {});
-var supportedAnalysisKinds = new Set(Object.values(AnalysisKind));
-
-// src/caching-utils.ts
-var core6 = __toESM(require_core());
-
-// src/config/db-config.ts
-var jsonschema = __toESM(require_lib2());
-var semver2 = __toESM(require_semver2());
-
-// src/feature-flags/properties.ts
-var RepositoryPropertyName = /* @__PURE__ */ ((RepositoryPropertyName2) => {
-  RepositoryPropertyName2["DISABLE_OVERLAY"] = "github-codeql-disable-overlay";
-  RepositoryPropertyName2["EXTRA_QUERIES"] = "github-codeql-extra-queries";
-  RepositoryPropertyName2["FILE_COVERAGE_ON_PRS"] = "github-codeql-file-coverage-on-prs";
-  return RepositoryPropertyName2;
-})(RepositoryPropertyName || {});
-var KNOWN_REPOSITORY_PROPERTY_NAMES = new Set(
-  Object.values(RepositoryPropertyName)
-);
-
-// src/config/db-config.ts
-var PACK_IDENTIFIER_PATTERN = (function() {
-  const alphaNumeric = "[a-z0-9]";
-  const alphaNumericDash = "[a-z0-9-]";
-  const component = `${alphaNumeric}(${alphaNumericDash}*${alphaNumeric})?`;
-  return new RegExp(`^${component}/${component}$`);
-})();
-
-// src/logging.ts
-var core7 = __toESM(require_core());
-function getActionsLogger() {
-  return {
-    debug: core7.debug,
-    info: core7.info,
-    warning: core7.warning,
-    error: core7.error,
-    isDebug: core7.isDebug,
-    startGroup: core7.startGroup,
-    endGroup: core7.endGroup
-  };
-}
-
 // src/feature-flags.ts
-var semver5 = __toESM(require_semver2());
+var semver4 = __toESM(require_semver2());

 // src/git-utils.ts
-var core8 = __toESM(require_core());
+var core6 = __toESM(require_core());
 var toolrunner2 = __toESM(require_toolrunner());
 var io3 = __toESM(require_io());
-var semver3 = __toESM(require_semver2());
+var semver2 = __toESM(require_semver2());

 // src/overlay/index.ts
 var CODEQL_OVERLAY_MINIMUM_VERSION = "2.23.8";
@@ -127046,10 +126997,15 @@ var CODEQL_OVERLAY_MINIMUM_VERSION_PYTHON = "2.23.9";
 var CODEQL_OVERLAY_MINIMUM_VERSION_RUBY = "2.23.9";

 // src/tools-features.ts
-var semver4 = __toESM(require_semver2());
+var semver3 = __toESM(require_semver2());

 // src/feature-flags.ts
 var featureConfig = {
+  ["allow_multiple_analysis_kinds" /* AllowMultipleAnalysisKinds */]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_ALLOW_MULTIPLE_ANALYSIS_KINDS",
+    minimumVersion: void 0
+  },
  ["allow_toolcache_input" /* AllowToolcacheInput */]: {
    defaultValue: false,
    envVar: "CODEQL_ACTION_ALLOW_TOOLCACHE_INPUT",
@@ -127203,16 +127159,6 @@ var featureConfig = {
    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_DISABLE_TRAP_CACHING",
    minimumVersion: void 0
  },
-  ["overlay_analysis_match_codeql_version" /* OverlayAnalysisMatchCodeqlVersion */]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_MATCH_CODEQL_VERSION",
-    minimumVersion: void 0
-  },
-  ["overlay_analysis_match_codeql_version_dry_run" /* OverlayAnalysisMatchCodeqlVersionDryRun */]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_MATCH_CODEQL_VERSION_DRY_RUN",
-    minimumVersion: void 0
-  },
  ["overlay_analysis_resource_checks_v2" /* OverlayAnalysisResourceChecksV2 */]: {
    defaultValue: false,
    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_RESOURCE_CHECKS_V2",
@@ -127268,6 +127214,55 @@ var featureConfig = {
  }
 };

+// src/analyses.ts
+var AnalysisKind = /* @__PURE__ */ ((AnalysisKind2) => {
+  AnalysisKind2["CodeScanning"] = "code-scanning";
+  AnalysisKind2["CodeQuality"] = "code-quality";
+  AnalysisKind2["RiskAssessment"] = "risk-assessment";
+  return AnalysisKind2;
+})(AnalysisKind || {});
+var supportedAnalysisKinds = new Set(Object.values(AnalysisKind));
+
+// src/caching-utils.ts
+var core7 = __toESM(require_core());
+
+// src/config/db-config.ts
+var jsonschema = __toESM(require_lib2());
+var semver5 = __toESM(require_semver2());
+
+// src/feature-flags/properties.ts
+var RepositoryPropertyName = /* @__PURE__ */ ((RepositoryPropertyName2) => {
+  RepositoryPropertyName2["DISABLE_OVERLAY"] = "github-codeql-disable-overlay";
+  RepositoryPropertyName2["EXTRA_QUERIES"] = "github-codeql-extra-queries";
+  RepositoryPropertyName2["FILE_COVERAGE_ON_PRS"] = "github-codeql-file-coverage-on-prs";
+  return RepositoryPropertyName2;
+})(RepositoryPropertyName || {});
+var KNOWN_REPOSITORY_PROPERTY_NAMES = new Set(
+  Object.values(RepositoryPropertyName)
+);
+
+// src/config/db-config.ts
+var PACK_IDENTIFIER_PATTERN = (function() {
+  const alphaNumeric = "[a-z0-9]";
+  const alphaNumericDash = "[a-z0-9-]";
+  const component = `${alphaNumeric}(${alphaNumericDash}*${alphaNumeric})?`;
+  return new RegExp(`^${component}/${component}$`);
+})();
+
+// src/logging.ts
+var core8 = __toESM(require_core());
+function getActionsLogger() {
+  return {
+    debug: core8.debug,
+    info: core8.info,
+    warning: core8.warning,
+    error: core8.error,
+    isDebug: core8.isDebug,
+    startGroup: core8.startGroup,
+    endGroup: core8.endGroup
+  };
+}
+
 // src/languages/builtin.json
 var builtin_default = {
  languages: [
@@ -127515,30 +127510,24 @@ var cliErrorsConfig = {
 // src/setup-codeql.ts
 var toolcache3 = __toESM(require_tool_cache());
 var import_fast_deep_equal = __toESM(require_fast_deep_equal());
-var semver9 = __toESM(require_semver2());
-
-// src/overlay/caching.ts
-var actionsCache3 = __toESM(require_cache4());
-var semver6 = __toESM(require_semver2());
-var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB = 7500;
-var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_BYTES = OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB * 1e6;
+var semver8 = __toESM(require_semver2());

 // src/tar.ts
 var import_toolrunner = __toESM(require_toolrunner());
 var io4 = __toESM(require_io());
 var toolcache = __toESM(require_tool_cache());
-var semver7 = __toESM(require_semver2());
+var semver6 = __toESM(require_semver2());

 // src/tools-download.ts
 var core10 = __toESM(require_core());
 var import_http_client = __toESM(require_lib());
 var toolcache2 = __toESM(require_tool_cache());
 var import_follow_redirects = __toESM(require_follow_redirects());
-var semver8 = __toESM(require_semver2());
+var semver7 = __toESM(require_semver2());
 var STREAMING_HIGH_WATERMARK_BYTES = 4 * 1024 * 1024;

 // src/dependency-caching.ts
-var actionsCache4 = __toESM(require_cache4());
+var actionsCache3 = __toESM(require_cache4());
 var glob = __toESM(require_glob());

 // src/artifact-scanner.ts
@@ -26499,8 +26499,8 @@ var require_rcompare = __commonJS({
  "node_modules/semver/functions/rcompare.js"(exports2, module2) {
    "use strict";
    var compare = require_compare();
-    var rcompare2 = (a, b, loose) => compare(b, a, loose);
-    module2.exports = rcompare2;
+    var rcompare = (a, b, loose) => compare(b, a, loose);
+    module2.exports = rcompare;
  }
 });

@@ -27725,7 +27725,7 @@ var require_semver2 = __commonJS({
    var patch = require_patch();
    var prerelease = require_prerelease();
    var compare = require_compare();
-    var rcompare2 = require_rcompare();
+    var rcompare = require_rcompare();
    var compareLoose = require_compare_loose();
    var compareBuild = require_compare_build();
    var sort = require_sort();
@@ -27763,7 +27763,7 @@ var require_semver2 = __commonJS({
      patch,
      prerelease,
      compare,
-      rcompare: rcompare2,
+      rcompare,
      compareLoose,
      compareBuild,
      sort,
@@ -33772,8 +33772,8 @@ var require_semver3 = __commonJS({
      var versionB = new SemVer(b, loose);
      return versionA.compare(versionB) || versionA.compareBuild(versionB);
    }
-    exports2.rcompare = rcompare2;
-    function rcompare2(a, b, loose) {
+    exports2.rcompare = rcompare;
+    function rcompare(a, b, loose) {
      return compare(b, a, loose);
    }
    exports2.sort = sort;
@@ -103177,11 +103177,12 @@ var semver3 = __toESM(require_semver2());
 // src/feature-flags.ts
 var DEFAULT_VERSION_FEATURE_FLAG_PREFIX = "default_codeql_version_";
 var DEFAULT_VERSION_FEATURE_FLAG_SUFFIX = "_enabled";
-var LINKED_CODEQL_VERSION = {
-  cliVersion,
-  tagName: bundleVersion
-};
 var featureConfig = {
+  ["allow_multiple_analysis_kinds" /* AllowMultipleAnalysisKinds */]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_ALLOW_MULTIPLE_ANALYSIS_KINDS",
+    minimumVersion: void 0
+  },
  ["allow_toolcache_input" /* AllowToolcacheInput */]: {
    defaultValue: false,
    envVar: "CODEQL_ACTION_ALLOW_TOOLCACHE_INPUT",
@@ -103335,16 +103336,6 @@ var featureConfig = {
    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_DISABLE_TRAP_CACHING",
    minimumVersion: void 0
  },
-  ["overlay_analysis_match_codeql_version" /* OverlayAnalysisMatchCodeqlVersion */]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_MATCH_CODEQL_VERSION",
-    minimumVersion: void 0
-  },
-  ["overlay_analysis_match_codeql_version_dry_run" /* OverlayAnalysisMatchCodeqlVersionDryRun */]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_MATCH_CODEQL_VERSION_DRY_RUN",
-    minimumVersion: void 0
-  },
  ["overlay_analysis_resource_checks_v2" /* OverlayAnalysisResourceChecksV2 */]: {
    defaultValue: false,
    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_RESOURCE_CHECKS_V2",
@@ -103405,9 +103396,10 @@ var OfflineFeatures = class {
    this.logger = logger;
  }
  logger;
-  async getEnabledDefaultCliVersions(_variant) {
+  async getDefaultCliVersion(_variant) {
    return {
-      enabledVersions: [LINKED_CODEQL_VERSION]
+      cliVersion,
+      tagName: bundleVersion
    };
  }
  /**
@@ -103512,11 +103504,11 @@ var Features = class extends OfflineFeatures {
      logger
    );
  }
-  async getEnabledDefaultCliVersions(variant) {
+  async getDefaultCliVersion(variant) {
    if (supportsFeatureFlags(variant)) {
-      return await this.gitHubFeatureFlags.getEnabledDefaultCliVersionsFromFlags();
+      return await this.gitHubFeatureFlags.getDefaultCliVersionFromFlags();
    }
-    return super.getEnabledDefaultCliVersions(variant);
+    return super.getDefaultCliVersion(variant);
  }
  /**
   *
@@ -103575,36 +103567,34 @@ var GitHubFeatureFlags = class {
    }
    return version;
  }
-  /**
-   * Returns CLI versions enabled by `default_codeql_version_*_enabled` feature
-   * flags, sorted from highest to lowest. Falls back to the version pinned in
-   * `defaults.json` if no such flags are enabled.
-   */
-  async getEnabledDefaultCliVersionsFromFlags() {
+  async getDefaultCliVersionFromFlags() {
    const response = await this.getAllFeatures();
-    const sortedCliVersions = Object.entries(response).map(
+    const enabledFeatureFlagCliVersions = Object.entries(response).map(
      ([f, isEnabled]) => isEnabled ? this.getCliVersionFromFeatureFlag(f) : void 0
-    ).filter((f) => f !== void 0).sort(semver4.rcompare);
-    if (sortedCliVersions.length === 0) {
+    ).filter((f) => f !== void 0);
+    if (enabledFeatureFlagCliVersions.length === 0) {
      this.logger.warning(
        `Feature flags do not specify a default CLI version. Falling back to the CLI version shipped with the Action. This is ${cliVersion}.`
      );
      const result = {
-        enabledVersions: [LINKED_CODEQL_VERSION]
+        cliVersion,
+        tagName: bundleVersion
      };
      if (this.hasAccessedRemoteFeatureFlags) {
        result.toolsFeatureFlagsValid = false;
      }
      return result;
    }
+    const maxCliVersion = enabledFeatureFlagCliVersions.reduce(
+      (maxVersion, currentVersion) => currentVersion > maxVersion ? currentVersion : maxVersion,
+      enabledFeatureFlagCliVersions[0]
+    );
    this.logger.debug(
-      `Derived default CLI version of ${sortedCliVersions[0]} from feature flags.`
+      `Derived default CLI version of ${maxCliVersion} from feature flags.`
    );
    return {
-      enabledVersions: sortedCliVersions.map((cliVersion2) => ({
-        cliVersion: cliVersion2,
-        tagName: `codeql-bundle-v${cliVersion2}`
-      })),
+      cliVersion: maxCliVersion,
+      tagName: `codeql-bundle-v${maxCliVersion}`,
      toolsFeatureFlagsValid: true
    };
  }
@@ -104484,7 +104474,7 @@ async function getReleaseByVersion(version) {
 }
 async function getCliVersionFromFeatures(features) {
  const gitHubVersion = await getGitHubVersion();
-  return await features.getEnabledDefaultCliVersions(gitHubVersion.type);
+  return await features.getDefaultCliVersion(gitHubVersion.type);
 }
 async function getDownloadUrl(logger, features) {
  const proxyPackage = getProxyPackage();
@@ -104492,7 +104482,7 @@ async function getDownloadUrl(logger, features) {
    const useFeaturesToDetermineCLI = await features.getValue(
      "start_proxy_use_features_release" /* StartProxyUseFeaturesRelease */
    );
-    const versionInfo = useFeaturesToDetermineCLI ? (await getCliVersionFromFeatures(features)).enabledVersions[0] : {
+    const versionInfo = useFeaturesToDetermineCLI ? await getCliVersionFromFeatures(features) : {
      cliVersion,
      tagName: bundleVersion
    };
@@ -26352,11 +26352,11 @@ var require_valid = __commonJS({
  "node_modules/semver/functions/valid.js"(exports2, module2) {
    "use strict";
    var parse2 = require_parse2();
-    var valid4 = (version, options) => {
+    var valid3 = (version, options) => {
      const v = parse2(version, options);
      return v ? v.version : null;
    };
-    module2.exports = valid4;
+    module2.exports = valid3;
  }
 });

@@ -26499,8 +26499,8 @@ var require_rcompare = __commonJS({
  "node_modules/semver/functions/rcompare.js"(exports2, module2) {
    "use strict";
    var compare2 = require_compare();
-    var rcompare3 = (a, b, loose) => compare2(b, a, loose);
-    module2.exports = rcompare3;
+    var rcompare = (a, b, loose) => compare2(b, a, loose);
+    module2.exports = rcompare;
  }
 });

@@ -27716,7 +27716,7 @@ var require_semver2 = __commonJS({
    var SemVer = require_semver();
    var identifiers = require_identifiers();
    var parse2 = require_parse2();
-    var valid4 = require_valid();
+    var valid3 = require_valid();
    var clean3 = require_clean();
    var inc = require_inc();
    var diff = require_diff();
@@ -27725,7 +27725,7 @@ var require_semver2 = __commonJS({
    var patch = require_patch();
    var prerelease = require_prerelease();
    var compare2 = require_compare();
-    var rcompare3 = require_rcompare();
+    var rcompare = require_rcompare();
    var compareLoose = require_compare_loose();
    var compareBuild = require_compare_build();
    var sort = require_sort();
@@ -27754,7 +27754,7 @@ var require_semver2 = __commonJS({
    var subset = require_subset();
    module2.exports = {
      parse: parse2,
-      valid: valid4,
+      valid: valid3,
      clean: clean3,
      inc,
      diff,
@@ -27763,7 +27763,7 @@ var require_semver2 = __commonJS({
      patch,
      prerelease,
      compare: compare2,
-      rcompare: rcompare3,
+      rcompare,
      compareLoose,
      compareBuild,
      sort,
@@ -80613,7 +80613,7 @@ var require_stream_writable = __commonJS({
      pna.nextTick(cb, er);
    }
    function validChunk(stream, state, chunk, cb) {
-      var valid4 = true;
+      var valid3 = true;
      var er = false;
      if (chunk === null) {
        er = new TypeError("May not write null values to stream");
@@ -80623,9 +80623,9 @@ var require_stream_writable = __commonJS({
      if (er) {
        stream.emit("error", er);
        pna.nextTick(cb, er);
-        valid4 = false;
+        valid3 = false;
      }
-      return valid4;
+      return valid3;
    }
    Writable.prototype.write = function(chunk, encoding, cb) {
      var state = this._writableState;
@@ -115281,16 +115281,16 @@ var require_attribute = __commonJS({
      var result = new ValidatorResult(instance, schema2, options, ctx);
      var self2 = this;
      schema2.allOf.forEach(function(v, i) {
-        var valid4 = self2.validateSchema(instance, v, options, ctx);
-        if (!valid4.valid) {
+        var valid3 = self2.validateSchema(instance, v, options, ctx);
+        if (!valid3.valid) {
          var id = v.$id || v.id;
          var msg = id || v.title && JSON.stringify(v.title) || v["$ref"] && "<" + v["$ref"] + ">" || "[subschema " + i + "]";
          result.addError({
            name: "allOf",
-            argument: { id: msg, length: valid4.errors.length, valid: valid4 },
-            message: "does not match allOf schema " + msg + " with " + valid4.errors.length + " error[s]:"
+            argument: { id: msg, length: valid3.errors.length, valid: valid3 },
+            message: "does not match allOf schema " + msg + " with " + valid3.errors.length + " error[s]:"
          });
-          result.importErrors(valid4);
+          result.importErrors(valid3);
        }
      });
      return result;
@@ -115579,8 +115579,8 @@ var require_attribute = __commonJS({
      if (typeof schema2.exclusiveMinimum === "boolean") return;
      if (!this.types.number(instance)) return;
      var result = new ValidatorResult(instance, schema2, options, ctx);
-      var valid4 = instance > schema2.exclusiveMinimum;
-      if (!valid4) {
+      var valid3 = instance > schema2.exclusiveMinimum;
+      if (!valid3) {
        result.addError({
          name: "exclusiveMinimum",
          argument: schema2.exclusiveMinimum,
@@ -115593,8 +115593,8 @@ var require_attribute = __commonJS({
      if (typeof schema2.exclusiveMaximum === "boolean") return;
      if (!this.types.number(instance)) return;
      var result = new ValidatorResult(instance, schema2, options, ctx);
-      var valid4 = instance < schema2.exclusiveMaximum;
-      if (!valid4) {
+      var valid3 = instance < schema2.exclusiveMaximum;
+      if (!valid3) {
        result.addError({
          name: "exclusiveMaximum",
          argument: schema2.exclusiveMaximum,
@@ -118322,8 +118322,8 @@ var require_semver3 = __commonJS({
        return null;
      }
    }
-    exports2.valid = valid4;
-    function valid4(version, options) {
+    exports2.valid = valid3;
+    function valid3(version, options) {
      var v = parse2(version, options);
      return v ? v.version : null;
    }
@@ -118623,8 +118623,8 @@ var require_semver3 = __commonJS({
      var versionB = new SemVer(b, loose);
      return versionA.compare(versionB) || versionA.compareBuild(versionB);
    }
-    exports2.rcompare = rcompare3;
-    function rcompare3(a, b, loose) {
+    exports2.rcompare = rcompare;
+    function rcompare(a, b, loose) {
      return compare2(b, a, loose);
    }
    exports2.sort = sort;
@@ -119452,7 +119452,7 @@ var require_cacheUtils = __commonJS({
    var crypto2 = __importStar2(require("crypto"));
    var fs3 = __importStar2(require("fs"));
    var path3 = __importStar2(require("path"));
-    var semver10 = __importStar2(require_semver3());
+    var semver9 = __importStar2(require_semver3());
    var util = __importStar2(require("util"));
    var constants_1 = require_constants14();
    var versionSalt = "1.0";
@@ -119545,7 +119545,7 @@ var require_cacheUtils = __commonJS({
    function getCompressionMethod() {
      return __awaiter2(this, void 0, void 0, function* () {
        const versionOutput = yield getVersion("zstd", ["--quiet"]);
-        const version = semver10.clean(versionOutput);
+        const version = semver9.clean(versionOutput);
        core15.debug(`zstd version: ${version}`);
        if (versionOutput === "") {
          return constants_1.CompressionMethod.Gzip;
@@ -120855,7 +120855,7 @@ var require_cacheHttpClient = __commonJS({
    exports2.getCacheEntry = getCacheEntry;
    exports2.downloadCache = downloadCache;
    exports2.reserveCache = reserveCache;
-    exports2.saveCache = saveCache5;
+    exports2.saveCache = saveCache4;
    var core15 = __importStar2(require_core());
    var http_client_1 = require_lib();
    var auth_1 = require_auth();
@@ -121032,7 +121032,7 @@ Other caches with similar key:`);
        }));
      });
    }
-    function saveCache5(cacheId, archivePath, signedUploadURL, options) {
+    function saveCache4(cacheId, archivePath, signedUploadURL, options) {
      return __awaiter2(this, void 0, void 0, function* () {
        const uploadOptions = (0, options_1.getUploadOptions)(options);
        if (uploadOptions.useAzureSdk) {
@@ -122306,8 +122306,8 @@ var require_cache4 = __commonJS({
    Object.defineProperty(exports2, "__esModule", { value: true });
    exports2.FinalizeCacheError = exports2.ReserveCacheError = exports2.ValidationError = void 0;
    exports2.isFeatureAvailable = isFeatureAvailable;
-    exports2.restoreCache = restoreCache5;
-    exports2.saveCache = saveCache5;
+    exports2.restoreCache = restoreCache4;
+    exports2.saveCache = saveCache4;
    var core15 = __importStar2(require_core());
    var path3 = __importStar2(require("path"));
    var utils = __importStar2(require_cacheUtils());
@@ -122364,7 +122364,7 @@ var require_cache4 = __commonJS({
          return !!process.env["ACTIONS_CACHE_URL"];
      }
    }
-    function restoreCache5(paths_1, primaryKey_1, restoreKeys_1, options_1) {
+    function restoreCache4(paths_1, primaryKey_1, restoreKeys_1, options_1) {
      return __awaiter2(this, arguments, void 0, function* (paths, primaryKey, restoreKeys, options, enableCrossOsArchive = false) {
        const cacheServiceVersion = (0, config_1.getCacheServiceVersion)();
        core15.debug(`Cache service version: ${cacheServiceVersion}`);
@@ -122508,7 +122508,7 @@ var require_cache4 = __commonJS({
        return void 0;
      });
    }
-    function saveCache5(paths_1, key_1, options_1) {
+    function saveCache4(paths_1, key_1, options_1) {
      return __awaiter2(this, arguments, void 0, function* (paths, key, options, enableCrossOsArchive = false) {
        const cacheServiceVersion = (0, config_1.getCacheServiceVersion)();
        core15.debug(`Cache service version: ${cacheServiceVersion}`);
@@ -122745,7 +122745,7 @@ var require_manifest = __commonJS({
    exports2._findMatch = _findMatch;
    exports2._getOsVersion = _getOsVersion;
    exports2._readLinuxVersionFile = _readLinuxVersionFile;
-    var semver10 = __importStar2(require_semver2());
+    var semver9 = __importStar2(require_semver2());
    var core_1 = require_core();
    var os2 = require("os");
    var cp = require("child_process");
@@ -122759,7 +122759,7 @@ var require_manifest = __commonJS({
        for (const candidate of candidates) {
          const version = candidate.version;
          (0, core_1.debug)(`check ${version} satisfies ${versionSpec}`);
-          if (semver10.satisfies(version, versionSpec) && (!stable || candidate.stable === stable)) {
+          if (semver9.satisfies(version, versionSpec) && (!stable || candidate.stable === stable)) {
            file = candidate.files.find((item) => {
              (0, core_1.debug)(`${item.arch}===${archFilter} && ${item.platform}===${platFilter}`);
              let chk = item.arch === archFilter && item.platform === platFilter;
@@ -122768,7 +122768,7 @@ var require_manifest = __commonJS({
                if (osVersion === item.platform_version) {
                  chk = true;
                } else {
-                  chk = semver10.satisfies(osVersion, item.platform_version);
+                  chk = semver9.satisfies(osVersion, item.platform_version);
                }
              }
              return chk;
@@ -123028,7 +123028,7 @@ var require_tool_cache = __commonJS({
    var os2 = __importStar2(require("os"));
    var path3 = __importStar2(require("path"));
    var httpm = __importStar2(require_lib());
-    var semver10 = __importStar2(require_semver2());
+    var semver9 = __importStar2(require_semver2());
    var stream = __importStar2(require("stream"));
    var util = __importStar2(require("util"));
    var assert_1 = require("assert");
@@ -123301,7 +123301,7 @@ var require_tool_cache = __commonJS({
    }
    function cacheDir(sourceDir, tool, version, arch) {
      return __awaiter2(this, void 0, void 0, function* () {
-        version = semver10.clean(version) || version;
+        version = semver9.clean(version) || version;
        arch = arch || os2.arch();
        core15.debug(`Caching tool ${tool} ${version} ${arch}`);
        core15.debug(`source dir: ${sourceDir}`);
@@ -123319,7 +123319,7 @@ var require_tool_cache = __commonJS({
    }
    function cacheFile(sourceFile, targetFile, tool, version, arch) {
      return __awaiter2(this, void 0, void 0, function* () {
-        version = semver10.clean(version) || version;
+        version = semver9.clean(version) || version;
        arch = arch || os2.arch();
        core15.debug(`Caching tool ${tool} ${version} ${arch}`);
        core15.debug(`source file: ${sourceFile}`);
@@ -123349,7 +123349,7 @@ var require_tool_cache = __commonJS({
      }
      let toolPath = "";
      if (versionSpec) {
-        versionSpec = semver10.clean(versionSpec) || "";
+        versionSpec = semver9.clean(versionSpec) || "";
        const cachePath = path3.join(_getCacheDirectory(), toolName, versionSpec, arch);
        core15.debug(`checking cache: ${cachePath}`);
        if (fs3.existsSync(cachePath) && fs3.existsSync(`${cachePath}.complete`)) {
@@ -123429,7 +123429,7 @@ var require_tool_cache = __commonJS({
    }
    function _createToolPath(tool, version, arch) {
      return __awaiter2(this, void 0, void 0, function* () {
-        const folderPath = path3.join(_getCacheDirectory(), tool, semver10.clean(version) || version, arch || "");
+        const folderPath = path3.join(_getCacheDirectory(), tool, semver9.clean(version) || version, arch || "");
        core15.debug(`destination ${folderPath}`);
        const markerPath = `${folderPath}.complete`;
        yield io6.rmRF(folderPath);
@@ -123439,30 +123439,30 @@ var require_tool_cache = __commonJS({
      });
    }
    function _completeToolPath(tool, version, arch) {
-      const folderPath = path3.join(_getCacheDirectory(), tool, semver10.clean(version) || version, arch || "");
+      const folderPath = path3.join(_getCacheDirectory(), tool, semver9.clean(version) || version, arch || "");
      const markerPath = `${folderPath}.complete`;
      fs3.writeFileSync(markerPath, "");
      core15.debug("finished caching tool");
    }
    function isExplicitVersion(versionSpec) {
-      const c = semver10.clean(versionSpec) || "";
+      const c = semver9.clean(versionSpec) || "";
      core15.debug(`isExplicit: ${c}`);
-      const valid4 = semver10.valid(c) != null;
-      core15.debug(`explicit? ${valid4}`);
-      return valid4;
+      const valid3 = semver9.valid(c) != null;
+      core15.debug(`explicit? ${valid3}`);
+      return valid3;
    }
    function evaluateVersions(versions, versionSpec) {
      let version = "";
      core15.debug(`evaluating ${versions.length} versions`);
      versions = versions.sort((a, b) => {
-        if (semver10.gt(a, b)) {
+        if (semver9.gt(a, b)) {
          return 1;
        }
        return -1;
      });
      for (let i = versions.length - 1; i >= 0; i--) {
        const potential = versions[i];
-        const satisfied = semver10.satisfies(potential, versionSpec);
+        const satisfied = semver9.satisfies(potential, versionSpec);
        if (satisfied) {
          version = potential;
          break;
@@ -126983,6 +126983,247 @@ var import_archiver = __toESM(require_archiver());
 // src/analyze.ts
 var io5 = __toESM(require_io());

+// src/feature-flags.ts
+var semver4 = __toESM(require_semver2());
+
+// src/git-utils.ts
+var core6 = __toESM(require_core());
+var toolrunner2 = __toESM(require_toolrunner());
+var io3 = __toESM(require_io());
+var semver2 = __toESM(require_semver2());
+
+// src/overlay/index.ts
+var CODEQL_OVERLAY_MINIMUM_VERSION = "2.23.8";
+var CODEQL_OVERLAY_MINIMUM_VERSION_CPP = "2.25.0";
+var CODEQL_OVERLAY_MINIMUM_VERSION_CSHARP = "2.24.1";
+var CODEQL_OVERLAY_MINIMUM_VERSION_GO = "2.24.2";
+var CODEQL_OVERLAY_MINIMUM_VERSION_JAVA = "2.23.8";
+var CODEQL_OVERLAY_MINIMUM_VERSION_JAVASCRIPT = "2.23.9";
+var CODEQL_OVERLAY_MINIMUM_VERSION_PYTHON = "2.23.9";
+var CODEQL_OVERLAY_MINIMUM_VERSION_RUBY = "2.23.9";
+
+// src/tools-features.ts
+var semver3 = __toESM(require_semver2());
+var SafeArtifactUploadVersion = "2.20.3";
+function isSafeArtifactUpload(codeQlVersion) {
+  return !codeQlVersion ? true : semver3.gte(codeQlVersion, SafeArtifactUploadVersion);
+}
+
+// src/feature-flags.ts
+var featureConfig = {
+  ["allow_multiple_analysis_kinds" /* AllowMultipleAnalysisKinds */]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_ALLOW_MULTIPLE_ANALYSIS_KINDS",
+    minimumVersion: void 0
+  },
+  ["allow_toolcache_input" /* AllowToolcacheInput */]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_ALLOW_TOOLCACHE_INPUT",
+    minimumVersion: void 0
+  },
+  ["cleanup_trap_caches" /* CleanupTrapCaches */]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_CLEANUP_TRAP_CACHES",
+    minimumVersion: void 0
+  },
+  ["cpp_dependency_installation_enabled" /* CppDependencyInstallation */]: {
+    defaultValue: false,
+    envVar: "CODEQL_EXTRACTOR_CPP_AUTOINSTALL_DEPENDENCIES",
+    legacyApi: true,
+    minimumVersion: "2.15.0"
+  },
+  ["csharp_cache_bmn" /* CsharpCacheBuildModeNone */]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_CSHARP_CACHE_BMN",
+    minimumVersion: void 0
+  },
+  ["csharp_new_cache_key" /* CsharpNewCacheKey */]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_CSHARP_NEW_CACHE_KEY",
+    minimumVersion: void 0
+  },
+  ["diff_informed_queries" /* DiffInformedQueries */]: {
+    defaultValue: true,
+    envVar: "CODEQL_ACTION_DIFF_INFORMED_QUERIES",
+    minimumVersion: "2.21.0"
+  },
+  ["disable_csharp_buildless" /* DisableCsharpBuildless */]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_DISABLE_CSHARP_BUILDLESS",
+    minimumVersion: void 0
+  },
+  ["disable_java_buildless_enabled" /* DisableJavaBuildlessEnabled */]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_DISABLE_JAVA_BUILDLESS",
+    legacyApi: true,
+    minimumVersion: void 0
+  },
+  ["disable_kotlin_analysis_enabled" /* DisableKotlinAnalysisEnabled */]: {
+    defaultValue: false,
+    envVar: "CODEQL_DISABLE_KOTLIN_ANALYSIS",
+    legacyApi: true,
+    minimumVersion: void 0
+  },
+  ["export_diagnostics_enabled" /* ExportDiagnosticsEnabled */]: {
+    defaultValue: true,
+    envVar: "CODEQL_ACTION_EXPORT_DIAGNOSTICS",
+    legacyApi: true,
+    minimumVersion: void 0
+  },
+  ["force_nightly" /* ForceNightly */]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_FORCE_NIGHTLY",
+    minimumVersion: void 0
+  },
+  ["ignore_generated_files" /* IgnoreGeneratedFiles */]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_IGNORE_GENERATED_FILES",
+    minimumVersion: void 0
+  },
+  ["java_network_debugging" /* JavaNetworkDebugging */]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_JAVA_NETWORK_DEBUGGING",
+    minimumVersion: void 0
+  },
+  ["overlay_analysis" /* OverlayAnalysis */]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS",
+    minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION
+  },
+  // Per-language overlay feature flags. Each has minimumVersion set to the
+  // minimum CLI version that supports overlay analysis for that language.
+  // Only languages that are GA or in staff-ship should have feature flags here.
+  ["overlay_analysis_code_scanning_cpp" /* OverlayAnalysisCodeScanningCpp */]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_CODE_SCANNING_CPP",
+    minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_CPP
+  },
+  ["overlay_analysis_code_scanning_csharp" /* OverlayAnalysisCodeScanningCsharp */]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_CODE_SCANNING_CSHARP",
+    minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_CSHARP
+  },
+  ["overlay_analysis_code_scanning_go" /* OverlayAnalysisCodeScanningGo */]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_CODE_SCANNING_GO",
+    minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_GO
+  },
+  ["overlay_analysis_code_scanning_java" /* OverlayAnalysisCodeScanningJava */]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_CODE_SCANNING_JAVA",
+    minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_JAVA
+  },
+  ["overlay_analysis_code_scanning_javascript" /* OverlayAnalysisCodeScanningJavascript */]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_CODE_SCANNING_JAVASCRIPT",
+    minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_JAVASCRIPT
+  },
+  ["overlay_analysis_code_scanning_python" /* OverlayAnalysisCodeScanningPython */]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_CODE_SCANNING_PYTHON",
+    minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_PYTHON
+  },
+  ["overlay_analysis_code_scanning_ruby" /* OverlayAnalysisCodeScanningRuby */]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_CODE_SCANNING_RUBY",
+    minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_RUBY
+  },
+  ["overlay_analysis_cpp" /* OverlayAnalysisCpp */]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_CPP",
+    minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_CPP
+  },
+  ["overlay_analysis_csharp" /* OverlayAnalysisCsharp */]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_CSHARP",
+    minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_CSHARP
+  },
+  ["overlay_analysis_go" /* OverlayAnalysisGo */]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_GO",
+    minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_GO
+  },
+  ["overlay_analysis_java" /* OverlayAnalysisJava */]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_JAVA",
+    minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_JAVA
+  },
+  ["overlay_analysis_javascript" /* OverlayAnalysisJavascript */]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_JAVASCRIPT",
+    minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_JAVASCRIPT
+  },
+  ["overlay_analysis_python" /* OverlayAnalysisPython */]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_PYTHON",
+    minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_PYTHON
+  },
+  ["overlay_analysis_ruby" /* OverlayAnalysisRuby */]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_RUBY",
+    minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_RUBY
+  },
+  // Other overlay-related feature flags
+  ["overlay_analysis_disable_trap_caching" /* OverlayAnalysisDisableTrapCaching */]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_DISABLE_TRAP_CACHING",
+    minimumVersion: void 0
+  },
+  ["overlay_analysis_resource_checks_v2" /* OverlayAnalysisResourceChecksV2 */]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_RESOURCE_CHECKS_V2",
+    minimumVersion: void 0
+  },
+  ["overlay_analysis_status_check" /* OverlayAnalysisStatusCheck */]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_STATUS_CHECK",
+    minimumVersion: void 0
+  },
+  ["overlay_analysis_status_save" /* OverlayAnalysisStatusSave */]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_STATUS_SAVE",
+    minimumVersion: void 0
+  },
+  ["overlay_analysis_skip_resource_checks" /* OverlayAnalysisSkipResourceChecks */]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_SKIP_RESOURCE_CHECKS",
+    minimumVersion: void 0
+  },
+  ["qa_telemetry_enabled" /* QaTelemetryEnabled */]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_QA_TELEMETRY",
+    legacyApi: true,
+    minimumVersion: void 0
+  },
+  ["skip_file_coverage_on_prs" /* SkipFileCoverageOnPrs */]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_SKIP_FILE_COVERAGE_ON_PRS",
+    minimumVersion: void 0,
+    toolsFeature: "suppressesMissingFileBaselineWarning" /* SuppressesMissingFileBaselineWarning */
+  },
+  ["start_proxy_remove_unused_registries" /* StartProxyRemoveUnusedRegistries */]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_START_PROXY_REMOVE_UNUSED_REGISTRIES",
+    minimumVersion: void 0
+  },
+  ["start_proxy_use_features_release" /* StartProxyUseFeaturesRelease */]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_START_PROXY_USE_FEATURES_RELEASE",
+    minimumVersion: void 0
+  },
+  ["upload_overlay_db_to_api" /* UploadOverlayDbToApi */]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_UPLOAD_OVERLAY_DB_TO_API",
+    minimumVersion: void 0,
+    toolsFeature: "bundleSupportsOverlay" /* BundleSupportsOverlay */
+  },
+  ["validate_db_config" /* ValidateDbConfig */]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_VALIDATE_DB_CONFIG",
+    minimumVersion: void 0
+  }
+};
+
 // src/analyses.ts
 var AnalysisKind = /* @__PURE__ */ ((AnalysisKind2) => {
  AnalysisKind2["CodeScanning"] = "code-scanning";
@@ -127145,11 +127386,11 @@ var cliErrorsConfig = {
 var core9 = __toESM(require_core());

 // src/caching-utils.ts
-var core6 = __toESM(require_core());
+var core7 = __toESM(require_core());

 // src/config/db-config.ts
 var jsonschema = __toESM(require_lib5());
-var semver2 = __toESM(require_semver2());
+var semver5 = __toESM(require_semver2());

 // src/feature-flags/properties.ts
 var RepositoryPropertyName = /* @__PURE__ */ ((RepositoryPropertyName2) => {
@@ -127171,273 +127412,27 @@ var PACK_IDENTIFIER_PATTERN = (function() {
 })();

 // src/logging.ts
-var core7 = __toESM(require_core());
+var core8 = __toESM(require_core());
 function getActionsLogger() {
  return {
-    debug: core7.debug,
-    info: core7.info,
-    warning: core7.warning,
-    error: core7.error,
-    isDebug: core7.isDebug,
-    startGroup: core7.startGroup,
-    endGroup: core7.endGroup
+    debug: core8.debug,
+    info: core8.info,
+    warning: core8.warning,
+    error: core8.error,
+    isDebug: core8.isDebug,
+    startGroup: core8.startGroup,
+    endGroup: core8.endGroup
  };
 }
 function withGroup(groupName, f) {
-  core7.startGroup(groupName);
+  core8.startGroup(groupName);
  try {
    return f();
  } finally {
-    core7.endGroup();
+    core8.endGroup();
  }
 }

-// src/feature-flags.ts
-var semver5 = __toESM(require_semver2());
-
-// src/git-utils.ts
-var core8 = __toESM(require_core());
-var toolrunner2 = __toESM(require_toolrunner());
-var io3 = __toESM(require_io());
-var semver3 = __toESM(require_semver2());
-
-// src/overlay/index.ts
-var CODEQL_OVERLAY_MINIMUM_VERSION = "2.23.8";
-var CODEQL_OVERLAY_MINIMUM_VERSION_CPP = "2.25.0";
-var CODEQL_OVERLAY_MINIMUM_VERSION_CSHARP = "2.24.1";
-var CODEQL_OVERLAY_MINIMUM_VERSION_GO = "2.24.2";
-var CODEQL_OVERLAY_MINIMUM_VERSION_JAVA = "2.23.8";
-var CODEQL_OVERLAY_MINIMUM_VERSION_JAVASCRIPT = "2.23.9";
-var CODEQL_OVERLAY_MINIMUM_VERSION_PYTHON = "2.23.9";
-var CODEQL_OVERLAY_MINIMUM_VERSION_RUBY = "2.23.9";
-
-// src/tools-features.ts
-var semver4 = __toESM(require_semver2());
-var SafeArtifactUploadVersion = "2.20.3";
-function isSafeArtifactUpload(codeQlVersion) {
-  return !codeQlVersion ? true : semver4.gte(codeQlVersion, SafeArtifactUploadVersion);
-}
-
-// src/feature-flags.ts
-var featureConfig = {
-  ["allow_toolcache_input" /* AllowToolcacheInput */]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_ALLOW_TOOLCACHE_INPUT",
-    minimumVersion: void 0
-  },
-  ["cleanup_trap_caches" /* CleanupTrapCaches */]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_CLEANUP_TRAP_CACHES",
-    minimumVersion: void 0
-  },
-  ["cpp_dependency_installation_enabled" /* CppDependencyInstallation */]: {
-    defaultValue: false,
-    envVar: "CODEQL_EXTRACTOR_CPP_AUTOINSTALL_DEPENDENCIES",
-    legacyApi: true,
-    minimumVersion: "2.15.0"
-  },
-  ["csharp_cache_bmn" /* CsharpCacheBuildModeNone */]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_CSHARP_CACHE_BMN",
-    minimumVersion: void 0
-  },
-  ["csharp_new_cache_key" /* CsharpNewCacheKey */]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_CSHARP_NEW_CACHE_KEY",
-    minimumVersion: void 0
-  },
-  ["diff_informed_queries" /* DiffInformedQueries */]: {
-    defaultValue: true,
-    envVar: "CODEQL_ACTION_DIFF_INFORMED_QUERIES",
-    minimumVersion: "2.21.0"
-  },
-  ["disable_csharp_buildless" /* DisableCsharpBuildless */]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_DISABLE_CSHARP_BUILDLESS",
-    minimumVersion: void 0
-  },
-  ["disable_java_buildless_enabled" /* DisableJavaBuildlessEnabled */]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_DISABLE_JAVA_BUILDLESS",
-    legacyApi: true,
-    minimumVersion: void 0
-  },
-  ["disable_kotlin_analysis_enabled" /* DisableKotlinAnalysisEnabled */]: {
-    defaultValue: false,
-    envVar: "CODEQL_DISABLE_KOTLIN_ANALYSIS",
-    legacyApi: true,
-    minimumVersion: void 0
-  },
-  ["export_diagnostics_enabled" /* ExportDiagnosticsEnabled */]: {
-    defaultValue: true,
-    envVar: "CODEQL_ACTION_EXPORT_DIAGNOSTICS",
-    legacyApi: true,
-    minimumVersion: void 0
-  },
-  ["force_nightly" /* ForceNightly */]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_FORCE_NIGHTLY",
-    minimumVersion: void 0
-  },
-  ["ignore_generated_files" /* IgnoreGeneratedFiles */]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_IGNORE_GENERATED_FILES",
-    minimumVersion: void 0
-  },
-  ["java_network_debugging" /* JavaNetworkDebugging */]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_JAVA_NETWORK_DEBUGGING",
-    minimumVersion: void 0
-  },
-  ["overlay_analysis" /* OverlayAnalysis */]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS",
-    minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION
-  },
-  // Per-language overlay feature flags. Each has minimumVersion set to the
-  // minimum CLI version that supports overlay analysis for that language.
-  // Only languages that are GA or in staff-ship should have feature flags here.
-  ["overlay_analysis_code_scanning_cpp" /* OverlayAnalysisCodeScanningCpp */]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_CODE_SCANNING_CPP",
-    minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_CPP
-  },
-  ["overlay_analysis_code_scanning_csharp" /* OverlayAnalysisCodeScanningCsharp */]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_CODE_SCANNING_CSHARP",
-    minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_CSHARP
-  },
-  ["overlay_analysis_code_scanning_go" /* OverlayAnalysisCodeScanningGo */]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_CODE_SCANNING_GO",
-    minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_GO
-  },
-  ["overlay_analysis_code_scanning_java" /* OverlayAnalysisCodeScanningJava */]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_CODE_SCANNING_JAVA",
-    minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_JAVA
-  },
-  ["overlay_analysis_code_scanning_javascript" /* OverlayAnalysisCodeScanningJavascript */]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_CODE_SCANNING_JAVASCRIPT",
-    minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_JAVASCRIPT
-  },
-  ["overlay_analysis_code_scanning_python" /* OverlayAnalysisCodeScanningPython */]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_CODE_SCANNING_PYTHON",
-    minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_PYTHON
-  },
-  ["overlay_analysis_code_scanning_ruby" /* OverlayAnalysisCodeScanningRuby */]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_CODE_SCANNING_RUBY",
-    minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_RUBY
-  },
-  ["overlay_analysis_cpp" /* OverlayAnalysisCpp */]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_CPP",
-    minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_CPP
-  },
-  ["overlay_analysis_csharp" /* OverlayAnalysisCsharp */]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_CSHARP",
-    minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_CSHARP
-  },
-  ["overlay_analysis_go" /* OverlayAnalysisGo */]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_GO",
-    minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_GO
-  },
-  ["overlay_analysis_java" /* OverlayAnalysisJava */]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_JAVA",
-    minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_JAVA
-  },
-  ["overlay_analysis_javascript" /* OverlayAnalysisJavascript */]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_JAVASCRIPT",
-    minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_JAVASCRIPT
-  },
-  ["overlay_analysis_python" /* OverlayAnalysisPython */]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_PYTHON",
-    minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_PYTHON
-  },
-  ["overlay_analysis_ruby" /* OverlayAnalysisRuby */]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_RUBY",
-    minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_RUBY
-  },
-  // Other overlay-related feature flags
-  ["overlay_analysis_disable_trap_caching" /* OverlayAnalysisDisableTrapCaching */]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_DISABLE_TRAP_CACHING",
-    minimumVersion: void 0
-  },
-  ["overlay_analysis_match_codeql_version" /* OverlayAnalysisMatchCodeqlVersion */]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_MATCH_CODEQL_VERSION",
-    minimumVersion: void 0
-  },
-  ["overlay_analysis_match_codeql_version_dry_run" /* OverlayAnalysisMatchCodeqlVersionDryRun */]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_MATCH_CODEQL_VERSION_DRY_RUN",
-    minimumVersion: void 0
-  },
-  ["overlay_analysis_resource_checks_v2" /* OverlayAnalysisResourceChecksV2 */]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_RESOURCE_CHECKS_V2",
-    minimumVersion: void 0
-  },
-  ["overlay_analysis_status_check" /* OverlayAnalysisStatusCheck */]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_STATUS_CHECK",
-    minimumVersion: void 0
-  },
-  ["overlay_analysis_status_save" /* OverlayAnalysisStatusSave */]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_STATUS_SAVE",
-    minimumVersion: void 0
-  },
-  ["overlay_analysis_skip_resource_checks" /* OverlayAnalysisSkipResourceChecks */]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_SKIP_RESOURCE_CHECKS",
-    minimumVersion: void 0
-  },
-  ["qa_telemetry_enabled" /* QaTelemetryEnabled */]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_QA_TELEMETRY",
-    legacyApi: true,
-    minimumVersion: void 0
-  },
-  ["skip_file_coverage_on_prs" /* SkipFileCoverageOnPrs */]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_SKIP_FILE_COVERAGE_ON_PRS",
-    minimumVersion: void 0,
-    toolsFeature: "suppressesMissingFileBaselineWarning" /* SuppressesMissingFileBaselineWarning */
-  },
-  ["start_proxy_remove_unused_registries" /* StartProxyRemoveUnusedRegistries */]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_START_PROXY_REMOVE_UNUSED_REGISTRIES",
-    minimumVersion: void 0
-  },
-  ["start_proxy_use_features_release" /* StartProxyUseFeaturesRelease */]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_START_PROXY_USE_FEATURES_RELEASE",
-    minimumVersion: void 0
-  },
-  ["upload_overlay_db_to_api" /* UploadOverlayDbToApi */]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_UPLOAD_OVERLAY_DB_TO_API",
-    minimumVersion: void 0,
-    toolsFeature: "bundleSupportsOverlay" /* BundleSupportsOverlay */
-  },
-  ["validate_db_config" /* ValidateDbConfig */]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_VALIDATE_DB_CONFIG",
-    minimumVersion: void 0
-  }
-};
-
 // src/languages/builtin.json
 var builtin_default = {
  languages: [
@@ -127502,30 +127497,24 @@ var OVERLAY_ANALYSIS_CODE_SCANNING_FEATURES = {
 // src/setup-codeql.ts
 var toolcache3 = __toESM(require_tool_cache());
 var import_fast_deep_equal = __toESM(require_fast_deep_equal());
-var semver9 = __toESM(require_semver2());
-
-// src/overlay/caching.ts
-var actionsCache3 = __toESM(require_cache4());
-var semver6 = __toESM(require_semver2());
-var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB = 7500;
-var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_BYTES = OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB * 1e6;
+var semver8 = __toESM(require_semver2());

 // src/tar.ts
 var import_toolrunner = __toESM(require_toolrunner());
 var io4 = __toESM(require_io());
 var toolcache = __toESM(require_tool_cache());
-var semver7 = __toESM(require_semver2());
+var semver6 = __toESM(require_semver2());

 // src/tools-download.ts
 var core10 = __toESM(require_core());
 var import_http_client = __toESM(require_lib());
 var toolcache2 = __toESM(require_tool_cache());
 var import_follow_redirects = __toESM(require_follow_redirects());
-var semver8 = __toESM(require_semver2());
+var semver7 = __toESM(require_semver2());
 var STREAMING_HIGH_WATERMARK_BYTES = 4 * 1024 * 1024;

 // src/dependency-caching.ts
-var actionsCache4 = __toESM(require_cache4());
+var actionsCache3 = __toESM(require_cache4());
 var glob = __toESM(require_glob2());

 // src/artifact-scanner.ts
@@ -5670,9 +5670,9 @@
      "license": "MIT"
    },
    "node_modules/fast-xml-builder": {
-      "version": "1.1.5",
-      "resolved": "https://registry.npmjs.org/fast-xml-builder/-/fast-xml-builder-1.1.5.tgz",
-      "integrity": "sha512-4TJn/8FKLeslLAH3dnohXqE3QSoxkhvaMzepOIZytwJXZO69Bfz0HBdDHzOTOon6G59Zrk6VQ2bEiv1t61rfkA==",
+      "version": "1.2.0",
+      "resolved": "https://registry.npmjs.org/fast-xml-builder/-/fast-xml-builder-1.2.0.tgz",
+      "integrity": "sha512-00aAWieqff+ZJhsXA4g1g7M8k+7AYoMUUHF+/zFb5U6Uv/P0Vl4QZo84/IcufzYalLuEj9928bXN9PbbFzMF0Q==",
      "funding": [
        {
          "type": "github",
@@ -5681,7 +5681,8 @@
      ],
      "license": "MIT",
      "dependencies": {
-        "path-expression-matcher": "^1.1.3"
+        "path-expression-matcher": "^1.5.0",
+        "xml-naming": "^0.1.0"
      }
    },
    "node_modules/fast-xml-parser": {
@@ -10223,6 +10224,21 @@
        "node": "^20.17.0 || >=22.9.0"
      }
    },
+    "node_modules/xml-naming": {
+      "version": "0.1.0",
+      "resolved": "https://registry.npmjs.org/xml-naming/-/xml-naming-0.1.0.tgz",
+      "integrity": "sha512-k8KO9hrMyNk6tUWqUfkTEZbezRRpONVOzUTnc97VnCvyj6Tf9lyUR9EDAIeiVLv56jsMcoXEwjW8Kv5yPY52lw==",
+      "funding": [
+        {
+          "type": "github",
+          "url": "https://github.com/sponsors/NaturalIntelligence"
+        }
+      ],
+      "license": "MIT",
+      "engines": {
+        "node": ">=16.0.0"
+      }
+    },
    "node_modules/y18n": {
      "version": "5.0.8",
      "resolved": "https://registry.npmjs.org/y18n/-/y18n-5.0.8.tgz",
@@ -19,25 +19,6 @@ inputs:
      If not specified, the Action will check in several places until it finds
      the CodeQL tools.
    required: false
-  languages:
-    description: >-
-      A comma-separated list of CodeQL languages that will be analyzed in subsequent
-      `github/codeql-action/init` and `github/codeql-action/analyze` invocations. If specified, the
-      Action may use this list to select a CodeQL CLI version that is best suited to analyzing those
-      languages, for example by preferring a version that has a cached overlay-base database for the
-      specified languages. This input is not remembered and must also be passed to
-      `github/codeql-action/init`.
-    required: false
-  analysis-kinds:
-    description: >-
-      [Internal] A comma-separated list of analysis kinds that subsequent
-      `github/codeql-action/init` invocations will enable. If specified, the Action may use this
-      list to select a CodeQL CLI version that is best suited to those analysis kinds. This input is
-      not remembered and must also be passed to `github/codeql-action/init`.
-
-      Available options are the same as for the `analysis-kinds` input on the `init` Action.
-    default: 'code-scanning'
-    required: true
  token:
    description: GitHub token to use for authenticating with this instance of GitHub.
    default: ${{ github.token }}
@@ -16,7 +16,7 @@ import {
 } from "./analyses";
 import { EnvVar } from "./environment";
 import { getRunnerLogger } from "./logging";
-import { setupTests } from "./testing-utils";
+import { createFeatures, RecordingLogger, setupTests } from "./testing-utils";
 import { AssessmentPayload } from "./upload-lib/types";
 import { ConfigurationError } from "./util";

@@ -53,24 +53,56 @@ test("Parsing analysis kinds requires at least one analysis kind", async (t) =>
 test.serial(
  "getAnalysisKinds - returns expected analysis kinds for `analysis-kinds` input",
  async (t) => {
+    process.env[EnvVar.TEST_MODE] = "true";
+    const features = createFeatures([]);
    const requiredInputStub = sinon.stub(actionsUtil, "getRequiredInput");
    requiredInputStub
      .withArgs("analysis-kinds")
      .returns("code-scanning,code-quality");
-    const result = await getAnalysisKinds(getRunnerLogger(true), true);
+    const result = await getAnalysisKinds(
+      getRunnerLogger(true),
+      features,
+      true,
+    );
    t.assert(result.includes(AnalysisKind.CodeScanning));
    t.assert(result.includes(AnalysisKind.CodeQuality));
  },
 );

+test.serial(
+  "getAnalysisKinds - only use `code-scanning` for multiple analysis kinds outside of test mode",
+  async (t) => {
+    process.env[EnvVar.TEST_MODE] = "false";
+    const features = createFeatures([]);
+    const logger = new RecordingLogger();
+    const requiredInputStub = sinon.stub(actionsUtil, "getRequiredInput");
+    requiredInputStub
+      .withArgs("analysis-kinds")
+      .returns("code-scanning,code-quality");
+    const result = await getAnalysisKinds(logger, features, true);
+    t.deepEqual(result, [AnalysisKind.CodeScanning]);
+    t.assert(
+      logger.hasMessage(
+        "Continuing with only `analysis-kinds: code-scanning`.",
+      ),
+    );
+  },
+);
+
 test.serial(
  "getAnalysisKinds - includes `code-quality` when deprecated `quality-queries` input is used",
  async (t) => {
+    process.env[EnvVar.TEST_MODE] = "true";
+    const features = createFeatures([]);
    const requiredInputStub = sinon.stub(actionsUtil, "getRequiredInput");
    requiredInputStub.withArgs("analysis-kinds").returns("code-scanning");
    const optionalInputStub = sinon.stub(actionsUtil, "getOptionalInput");
    optionalInputStub.withArgs("quality-queries").returns("code-quality");
-    const result = await getAnalysisKinds(getRunnerLogger(true), true);
+    const result = await getAnalysisKinds(
+      getRunnerLogger(true),
+      features,
+      true,
+    );
    t.assert(result.includes(AnalysisKind.CodeScanning));
    t.assert(result.includes(AnalysisKind.CodeQuality));
  },
@@ -79,9 +111,12 @@ test.serial(
 test.serial(
  "getAnalysisKinds - throws if `analysis-kinds` input is invalid",
  async (t) => {
+    const features = createFeatures([]);
    const requiredInputStub = sinon.stub(actionsUtil, "getRequiredInput");
    requiredInputStub.withArgs("analysis-kinds").returns("no-such-thing");
-    await t.throwsAsync(getAnalysisKinds(getRunnerLogger(true), true));
+    await t.throwsAsync(
+      getAnalysisKinds(getRunnerLogger(true), features, true),
+    );
  },
 );

@@ -98,11 +133,17 @@ for (let i = 0; i < analysisKinds.length; i++) {
      test.serial(
        `getAnalysisKinds - allows ${analysisKind} with ${otherAnalysis}`,
        async (t) => {
+          process.env[EnvVar.TEST_MODE] = "true";
+          const features = createFeatures([]);
          const requiredInputStub = sinon.stub(actionsUtil, "getRequiredInput");
          requiredInputStub
            .withArgs("analysis-kinds")
            .returns([analysisKind, otherAnalysis].join(","));
-          const result = await getAnalysisKinds(getRunnerLogger(true), true);
+          const result = await getAnalysisKinds(
+            getRunnerLogger(true),
+            features,
+            true,
+          );
          t.is(result.length, 2);
        },
      );
@@ -110,14 +151,18 @@ for (let i = 0; i < analysisKinds.length; i++) {
      test.serial(
        `getAnalysisKinds - throws if ${analysisKind} is enabled with ${otherAnalysis}`,
        async (t) => {
+          const features = createFeatures([]);
          const requiredInputStub = sinon.stub(actionsUtil, "getRequiredInput");
          requiredInputStub
            .withArgs("analysis-kinds")
            .returns([analysisKind, otherAnalysis].join(","));
-          await t.throwsAsync(getAnalysisKinds(getRunnerLogger(true), true), {
-            instanceOf: ConfigurationError,
-            message: `${analysisKind} and ${otherAnalysis} cannot be enabled at the same time`,
-          });
+          await t.throwsAsync(
+            getAnalysisKinds(getRunnerLogger(true), features, true),
+            {
+              instanceOf: ConfigurationError,
+              message: `${analysisKind} and ${otherAnalysis} cannot be enabled at the same time`,
+            },
+          );
        },
      );
    }
@@ -4,13 +4,14 @@ import {
  getRequiredInput,
 } from "./actions-util";
 import { EnvVar } from "./environment";
+import { Feature, FeatureEnablement } from "./feature-flags";
 import { Logger } from "./logging";
 import {
  AssessmentPayload,
  BasePayload,
  UploadPayload,
 } from "./upload-lib/types";
-import { ConfigurationError, getRequiredEnvParam } from "./util";
+import { ConfigurationError, getRequiredEnvParam, isInTestMode } from "./util";

 export enum AnalysisKind {
  CodeScanning = "code-scanning",
@@ -77,6 +78,7 @@ let cachedAnalysisKinds: AnalysisKind[] | undefined;
 */
 export async function getAnalysisKinds(
  logger: Logger,
+  features: FeatureEnablement,
  skipCache: boolean = false,
 ): Promise<AnalysisKind[]> {
  if (!skipCache && cachedAnalysisKinds !== undefined) {
@@ -120,6 +122,25 @@ export async function getAnalysisKinds(
    }
  }

+  // Log an error if we have multiple inputs for `analysis-kinds` outside of test mode,
+  // and enable only `code-scanning`.
+  if (
+    !isInTestMode() &&
+    analysisKinds.length > 1 &&
+    !(await features.getValue(Feature.AllowMultipleAnalysisKinds))
+  ) {
+    logger.error(
+      "The `analysis-kinds` input is experimental and for GitHub-internal use only. " +
+        "Its behaviour may change at any time or be removed entirely. " +
+        "Specifying multiple values as input is no longer supported. " +
+        "Continuing with only `analysis-kinds: code-scanning`.",
+    );
+
+    // Only enable Code Scanning.
+    cachedAnalysisKinds = [AnalysisKind.CodeScanning];
+    return cachedAnalysisKinds;
+  }
+
  // Cache the analysis kinds and return them.
  cachedAnalysisKinds = analysisKinds;
  return cachedAnalysisKinds;
@@ -71,10 +71,8 @@ async function installIntoToolcache({
    tmpDir,
    util.GitHubVariant.GHES,
    cliVersion !== undefined
-      ? { enabledVersions: [{ cliVersion, tagName }] }
+      ? { cliVersion, tagName }
      : SAMPLE_DEFAULT_CLI_VERSION,
-    undefined, // rawLanguages
-    false, // useOverlayAwareDefaultCliVersion
    createFeatures([]),
    getRunnerLogger(true),
    false,
@@ -146,8 +144,6 @@ test.serial(
          tmpDir,
          util.GitHubVariant.DOTCOM,
          SAMPLE_DEFAULT_CLI_VERSION,
-          undefined, // rawLanguages
-          false, // useOverlayAwareDefaultCliVersion
          features,
          getRunnerLogger(true),
          false,
@@ -180,8 +176,6 @@ test.serial(
        tmpDir,
        util.GitHubVariant.DOTCOM,
        SAMPLE_DEFAULT_CLI_VERSION,
-        undefined, // rawLanguages
-        false, // useOverlayAwareDefaultCliVersion
        features,
        getRunnerLogger(true),
        false,
@@ -221,8 +215,6 @@ test.serial(
        tmpDir,
        util.GitHubVariant.DOTCOM,
        SAMPLE_DEFAULT_CLI_VERSION,
-        undefined, // rawLanguages
-        false, // useOverlayAwareDefaultCliVersion
        features,
        getRunnerLogger(true),
        false,
@@ -273,8 +265,6 @@ for (const {
          tmpDir,
          util.GitHubVariant.DOTCOM,
          SAMPLE_DEFAULT_CLI_VERSION,
-          undefined, // rawLanguages
-          false, // useOverlayAwareDefaultCliVersion
          features,
          getRunnerLogger(true),
          false,
@@ -295,11 +285,11 @@ for (const {
 for (const toolcacheVersion of [
  // Test that we use the tools from the toolcache when `SAMPLE_DEFAULT_CLI_VERSION` is requested
  // and `SAMPLE_DEFAULT_CLI_VERSION-` is in the toolcache.
-  SAMPLE_DEFAULT_CLI_VERSION.enabledVersions[0].cliVersion,
-  `${SAMPLE_DEFAULT_CLI_VERSION.enabledVersions[0].cliVersion}-20230101`,
+  SAMPLE_DEFAULT_CLI_VERSION.cliVersion,
+  `${SAMPLE_DEFAULT_CLI_VERSION.cliVersion}-20230101`,
 ]) {
  test.serial(
-    `uses tools from toolcache when ${SAMPLE_DEFAULT_CLI_VERSION.enabledVersions[0].cliVersion} is requested and ` +
+    `uses tools from toolcache when ${SAMPLE_DEFAULT_CLI_VERSION.cliVersion} is requested and ` +
      `${toolcacheVersion} is installed`,
    async (t) => {
      const features = createFeatures([]);
@@ -319,16 +309,11 @@ for (const toolcacheVersion of [
          tmpDir,
          util.GitHubVariant.DOTCOM,
          SAMPLE_DEFAULT_CLI_VERSION,
-          undefined, // rawLanguages
-          false, // useOverlayAwareDefaultCliVersion
          features,
          getRunnerLogger(true),
          false,
        );
-        t.is(
-          result.toolsVersion,
-          SAMPLE_DEFAULT_CLI_VERSION.enabledVersions[0].cliVersion,
-        );
+        t.is(result.toolsVersion, SAMPLE_DEFAULT_CLI_VERSION.cliVersion);
        t.is(result.toolsSource, ToolsSource.Toolcache);
        t.is(result.toolsDownloadStatusReport?.combinedDurationMs, undefined);
        t.is(result.toolsDownloadStatusReport?.downloadDurationMs, undefined);
@@ -358,15 +343,9 @@ test.serial(
        tmpDir,
        util.GitHubVariant.GHES,
        {
-          enabledVersions: [
-            {
-              cliVersion: defaults.cliVersion,
-              tagName: defaults.bundleVersion,
-            },
-          ],
+          cliVersion: defaults.cliVersion,
+          tagName: defaults.bundleVersion,
        },
-        undefined, // rawLanguages
-        false, // useOverlayAwareDefaultCliVersion
        features,
        getRunnerLogger(true),
        false,
@@ -406,15 +385,9 @@ test.serial(
        tmpDir,
        util.GitHubVariant.GHES,
        {
-          enabledVersions: [
-            {
-              cliVersion: defaults.cliVersion,
-              tagName: defaults.bundleVersion,
-            },
-          ],
+          cliVersion: defaults.cliVersion,
+          tagName: defaults.bundleVersion,
        },
-        undefined, // rawLanguages
-        false, // useOverlayAwareDefaultCliVersion
        features,
        getRunnerLogger(true),
        false,
@@ -454,8 +427,6 @@ test.serial(
        tmpDir,
        util.GitHubVariant.DOTCOM,
        SAMPLE_DEFAULT_CLI_VERSION,
-        undefined, // rawLanguages
-        false, // useOverlayAwareDefaultCliVersion
        features,
        getRunnerLogger(true),
        false,
@@ -497,8 +468,6 @@ test.serial(
        tmpDir,
        util.GitHubVariant.DOTCOM,
        SAMPLE_DEFAULT_CLI_VERSION,
-        undefined, // rawLanguages
-        false, // useOverlayAwareDefaultCliVersion
        features,
        getRunnerLogger(true),
        false,
@@ -305,8 +305,6 @@ const EXTRACTION_DEBUG_MODE_VERBOSITY = "progress++";
 * @param tempDir
 * @param variant
 * @param defaultCliVersion
- * @param rawLanguages Raw set of languages.
- * @param useOverlayAwareDefaultCliVersion Whether to select an overlay-aware default CLI version.
 * @param features Information about the features that are enabled.
 * @param logger
 * @param checkVersion Whether to check that CodeQL CLI meets the minimum
@@ -319,8 +317,6 @@ export async function setupCodeQL(
  tempDir: string,
  variant: util.GitHubVariant,
  defaultCliVersion: CodeQLDefaultVersionInfo,
-  rawLanguages: string[] | undefined,
-  useOverlayAwareDefaultCliVersion: boolean,
  features: FeatureEnablement,
  logger: Logger,
  checkVersion: boolean,
@@ -344,8 +340,6 @@ export async function setupCodeQL(
      tempDir,
      variant,
      defaultCliVersion,
-      rawLanguages,
-      useOverlayAwareDefaultCliVersion,
      features,
      logger,
    );
@@ -407,7 +407,6 @@ export async function getLanguages(
  return languages;
 }

-/** Splits the `languages` input into a list of raw languages without checking if they are supported by CodeQL. */
 export function getRawLanguagesNoAutodetect(
  languagesInput: string | undefined,
 ): string[] {
@@ -451,16 +451,12 @@ test.serial(`selects CLI from defaults.json on GHES`, async (t) => {
  await withTmpDir(async (tmpDir) => {
    const features = setUpFeatureFlagTests(tmpDir);

-    const defaultCliVersion = await features.getEnabledDefaultCliVersions(
+    const defaultCliVersion = await features.getDefaultCliVersion(
      GitHubVariant.GHES,
    );
    t.deepEqual(defaultCliVersion, {
-      enabledVersions: [
-        {
-          cliVersion: defaults.cliVersion,
-          tagName: defaults.bundleVersion,
-        },
-      ],
+      cliVersion: defaults.cliVersion,
+      tagName: defaults.bundleVersion,
    });
  });
 });
@@ -486,13 +482,10 @@ for (const variant of [GitHubVariant.DOTCOM, GitHubVariant.GHEC_DR]) {
          false;
        mockFeatureFlagApiEndpoint(200, expectedFeatureEnablement);

-        const defaultCliVersion =
-          await features.getEnabledDefaultCliVersions(variant);
+        const defaultCliVersion = await features.getDefaultCliVersion(variant);
        t.deepEqual(defaultCliVersion, {
-          enabledVersions: [
-            { cliVersion: "2.20.1", tagName: "codeql-bundle-v2.20.1" },
-            { cliVersion: "2.20.0", tagName: "codeql-bundle-v2.20.0" },
-          ],
+          cliVersion: "2.20.1",
+          tagName: "codeql-bundle-v2.20.1",
          toolsFeatureFlagsValid: true,
        });
      });
@@ -507,15 +500,10 @@ for (const variant of [GitHubVariant.DOTCOM, GitHubVariant.GHEC_DR]) {
        const expectedFeatureEnablement = initializeFeatures(true);
        mockFeatureFlagApiEndpoint(200, expectedFeatureEnablement);

-        const defaultCliVersion =
-          await features.getEnabledDefaultCliVersions(variant);
+        const defaultCliVersion = await features.getDefaultCliVersion(variant);
        t.deepEqual(defaultCliVersion, {
-          enabledVersions: [
-            {
-              cliVersion: defaults.cliVersion,
-              tagName: defaults.bundleVersion,
-            },
-          ],
+          cliVersion: defaults.cliVersion,
+          tagName: defaults.bundleVersion,
          toolsFeatureFlagsValid: false,
        });
      });
@@ -541,13 +529,10 @@ for (const variant of [GitHubVariant.DOTCOM, GitHubVariant.GHEC_DR]) {
        ] = true;
        mockFeatureFlagApiEndpoint(200, expectedFeatureEnablement);

-        const defaultCliVersion =
-          await features.getEnabledDefaultCliVersions(variant);
+        const defaultCliVersion = await features.getDefaultCliVersion(variant);
        t.deepEqual(defaultCliVersion, {
-          enabledVersions: [
-            { cliVersion: "2.20.1", tagName: "codeql-bundle-v2.20.1" },
-            { cliVersion: "2.20.0", tagName: "codeql-bundle-v2.20.0" },
-          ],
+          cliVersion: "2.20.1",
+          tagName: "codeql-bundle-v2.20.1",
          toolsFeatureFlagsValid: true,
        });

@@ -29,32 +29,9 @@ const DEFAULT_VERSION_FEATURE_FLAG_SUFFIX = "_enabled";
 */
 export const CODEQL_VERSION_ZSTD_BUNDLE = "2.19.0";

-const LINKED_CODEQL_VERSION: CodeQLVersionInfo = {
-  cliVersion: defaults.cliVersion,
-  tagName: defaults.bundleVersion,
-};
-
-export interface CodeQLVersionInfo {
-  /** The version number of the CodeQL CLI, e.g. `2.19.0`. */
-  cliVersion: string;
-  /**
-   * The tag name of the CodeQL Bundle associated with this version, e.g. `codeql-bundle-v2.19.0`.
-   */
-  tagName: string;
-}
-
 export interface CodeQLDefaultVersionInfo {
-  /**
-   * CodeQL CLI versions that are enabled as defaults, sorted from highest to lowest.
-   *
-   * Guaranteed to be non-empty. When feature flags are unavailable, this falls back to a single
-   * entry containing the version pinned in `defaults.json`.
-   */
-  enabledVersions: CodeQLVersionInfo[];
-  /**
-   * If accessed, whether the tools feature flags are valid, i.e. contain at least one enabled
-   * version.
-   */
+  cliVersion: string;
+  tagName: string;
  toolsFeatureFlagsValid?: boolean;
 }

@@ -67,6 +44,8 @@ export interface CodeQLDefaultVersionInfo {
 * Legacy features should end with `_enabled`.
 */
 export enum Feature {
+  /** Controls whether we allow multiple values for the `analysis-kinds` input. */
+  AllowMultipleAnalysisKinds = "allow_multiple_analysis_kinds",
  AllowToolcacheInput = "allow_toolcache_input",
  CleanupTrapCaches = "cleanup_trap_caches",
  CppDependencyInstallation = "cpp_dependency_installation_enabled",
@@ -95,19 +74,6 @@ export enum Feature {
  OverlayAnalysisGo = "overlay_analysis_go",
  OverlayAnalysisJava = "overlay_analysis_java",
  OverlayAnalysisJavascript = "overlay_analysis_javascript",
-  /**
-   * When set, chooses the default CodeQL CLI version as the highest version that is both enabled by
-   * feature flags and present as an overlay-base database in the Actions cache for the configured
-   * languages. Falls back to the highest feature flagged version if no intersecting overlay-base
-   * database exists in the cache.
-   */
-  OverlayAnalysisMatchCodeqlVersion = "overlay_analysis_match_codeql_version",
-  /**
-   * Like `OverlayAnalysisMatchCodeqlVersion`, but only logs a diagnostic with the version that
-   * would have been chosen instead of actually changing the default CodeQL CLI version.
-   * `OverlayAnalysisMatchCodeqlVersion` overrides this flag.
-   */
-  OverlayAnalysisMatchCodeqlVersionDryRun = "overlay_analysis_match_codeql_version_dry_run",
  OverlayAnalysisPython = "overlay_analysis_python",
  /**
   * Controls whether lower disk space requirements are used for overlay hardware checks.
@@ -160,6 +126,11 @@ export type FeatureConfig = {
 };

 export const featureConfig = {
+  [Feature.AllowMultipleAnalysisKinds]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_ALLOW_MULTIPLE_ANALYSIS_KINDS",
+    minimumVersion: undefined,
+  },
  [Feature.AllowToolcacheInput]: {
    defaultValue: false,
    envVar: "CODEQL_ACTION_ALLOW_TOOLCACHE_INPUT",
@@ -313,16 +284,6 @@ export const featureConfig = {
    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_DISABLE_TRAP_CACHING",
    minimumVersion: undefined,
  },
-  [Feature.OverlayAnalysisMatchCodeqlVersion]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_MATCH_CODEQL_VERSION",
-    minimumVersion: undefined,
-  },
-  [Feature.OverlayAnalysisMatchCodeqlVersionDryRun]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_MATCH_CODEQL_VERSION_DRY_RUN",
-    minimumVersion: undefined,
-  },
  [Feature.OverlayAnalysisResourceChecksV2]: {
    defaultValue: false,
    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_RESOURCE_CHECKS_V2",
@@ -392,12 +353,8 @@ export type FeatureWithoutCLI = {
 }[keyof typeof featureConfig];

 export interface FeatureEnablement {
-  /**
-   * Returns the set of default CodeQL CLI versions to consider, sorted from
-   * highest to lowest. The first entry is the version that the CodeQL Action
-   * will use by default. The list is always non-empty.
-   */
-  getEnabledDefaultCliVersions(
+  /** Gets the default version of the CodeQL tools. */
+  getDefaultCliVersion(
    variant: util.GitHubVariant,
  ): Promise<CodeQLDefaultVersionInfo>;
  getValue(feature: FeatureWithoutCLI): Promise<boolean>;
@@ -421,11 +378,12 @@ export const FEATURE_FLAGS_FILE_NAME = "cached-feature-flags.json";
 class OfflineFeatures implements FeatureEnablement {
  constructor(protected readonly logger: Logger) {}

-  async getEnabledDefaultCliVersions(
+  async getDefaultCliVersion(
    _variant: util.GitHubVariant,
  ): Promise<CodeQLDefaultVersionInfo> {
    return {
-      enabledVersions: [LINKED_CODEQL_VERSION],
+      cliVersion: defaults.cliVersion,
+      tagName: defaults.bundleVersion,
    };
  }

@@ -567,13 +525,13 @@ class Features extends OfflineFeatures {
    );
  }

-  async getEnabledDefaultCliVersions(
+  async getDefaultCliVersion(
    variant: util.GitHubVariant,
  ): Promise<CodeQLDefaultVersionInfo> {
    if (supportsFeatureFlags(variant)) {
-      return await this.gitHubFeatureFlags.getEnabledDefaultCliVersionsFromFlags();
+      return await this.gitHubFeatureFlags.getDefaultCliVersionFromFlags();
    }
-    return super.getEnabledDefaultCliVersions(variant);
+    return super.getDefaultCliVersion(variant);
  }

  /**
@@ -649,22 +607,16 @@ class GitHubFeatureFlags {
    return version;
  }

-  /**
-   * Returns CLI versions enabled by `default_codeql_version_*_enabled` feature
-   * flags, sorted from highest to lowest. Falls back to the version pinned in
-   * `defaults.json` if no such flags are enabled.
-   */
-  async getEnabledDefaultCliVersionsFromFlags(): Promise<CodeQLDefaultVersionInfo> {
+  async getDefaultCliVersionFromFlags(): Promise<CodeQLDefaultVersionInfo> {
    const response = await this.getAllFeatures();

-    const sortedCliVersions = Object.entries(response)
+    const enabledFeatureFlagCliVersions = Object.entries(response)
      .map(([f, isEnabled]) =>
        isEnabled ? this.getCliVersionFromFeatureFlag(f) : undefined,
      )
-      .filter((f): f is string => f !== undefined)
-      .sort(semver.rcompare);
+      .filter((f): f is string => f !== undefined);

-    if (sortedCliVersions.length === 0) {
+    if (enabledFeatureFlagCliVersions.length === 0) {
      // We expect at least one default CLI version to be enabled on Dotcom at any time. However if
      // the feature flags are misconfigured, rather than crashing, we fall back to the CLI version
      // shipped with the Action in defaults.json. This has the effect of immediately rolling out
@@ -680,7 +632,8 @@ class GitHubFeatureFlags {
          `shipped with the Action. This is ${defaults.cliVersion}.`,
      );
      const result: CodeQLDefaultVersionInfo = {
-        enabledVersions: [LINKED_CODEQL_VERSION],
+        cliVersion: defaults.cliVersion,
+        tagName: defaults.bundleVersion,
      };
      if (this.hasAccessedRemoteFeatureFlags) {
        result.toolsFeatureFlagsValid = false;
@@ -688,14 +641,17 @@ class GitHubFeatureFlags {
      return result;
    }

+    const maxCliVersion = enabledFeatureFlagCliVersions.reduce(
+      (maxVersion, currentVersion) =>
+        currentVersion > maxVersion ? currentVersion : maxVersion,
+      enabledFeatureFlagCliVersions[0],
+    );
    this.logger.debug(
-      `Derived default CLI version of ${sortedCliVersions[0]} from feature flags.`,
+      `Derived default CLI version of ${maxCliVersion} from feature flags.`,
    );
    return {
-      enabledVersions: sortedCliVersions.map((cliVersion) => ({
-        cliVersion,
-        tagName: `codeql-bundle-v${cliVersion}`,
-      })),
+      cliVersion: maxCliVersion,
+      tagName: `codeql-bundle-v${maxCliVersion}`,
      toolsFeatureFlagsValid: true,
    };
  }
@@ -281,7 +281,7 @@ async function run(startedAt: Date) {
    // successful, the results are cached so that we don't duplicate the work in normal runs.
    let analysisKinds: AnalysisKind[] | undefined;
    try {
-      analysisKinds = await getAnalysisKinds(logger);
+      analysisKinds = await getAnalysisKinds(logger, features);
    } catch (err) {
      logger.debug(
        `Failed to parse analysis kinds for 'starting' status report: ${getErrorMessage(err)}`,
@@ -298,23 +298,16 @@ async function run(startedAt: Date) {
      );
    }

-    const codeQLDefaultVersionInfo =
-      await features.getEnabledDefaultCliVersions(gitHubVersion.type);
-    toolsFeatureFlagsValid = codeQLDefaultVersionInfo.toolsFeatureFlagsValid;
-    const rawLanguages = configUtils.getRawLanguagesNoAutodetect(
-      getOptionalInput("languages"),
+    const codeQLDefaultVersionInfo = await features.getDefaultCliVersion(
+      gitHubVersion.type,
    );
-    const useOverlayAwareDefaultCliVersion =
-      analysisKinds?.length === 1 &&
-      analysisKinds[0] === AnalysisKind.CodeScanning;
+    toolsFeatureFlagsValid = codeQLDefaultVersionInfo.toolsFeatureFlagsValid;
    const initCodeQLResult = await initCodeQL(
      getOptionalInput("tools"),
      apiDetails,
      getTemporaryDirectory(),
      gitHubVersion.type,
      codeQLDefaultVersionInfo,
-      rawLanguages,
-      useOverlayAwareDefaultCliVersion,
      features,
      logger,
    );
@@ -353,7 +346,7 @@ async function run(startedAt: Date) {
      }
    }

-    analysisKinds = await getAnalysisKinds(logger);
+    analysisKinds = await getAnalysisKinds(logger, features);
    const debugMode = getOptionalInput("debug") === "true" || core.isDebug();
    const repositoryProperties = repositoryPropertiesResult.orElse({});
    const fileCoverageResult = await getFileCoverageInformationEnabled(
@@ -39,8 +39,6 @@ export async function initCodeQL(
  tempDir: string,
  variant: util.GitHubVariant,
  defaultCliVersion: CodeQLDefaultVersionInfo,
-  rawLanguages: string[] | undefined,
-  useOverlayAwareDefaultCliVersion: boolean,
  features: FeatureEnablement,
  logger: Logger,
 ): Promise<{
@@ -63,8 +61,6 @@ export async function initCodeQL(
    tempDir,
    variant,
    defaultCliVersion,
-    rawLanguages,
-    useOverlayAwareDefaultCliVersion,
    features,
    logger,
    true,
@@ -380,32 +380,6 @@ test.serial(
  },
 );

-test.serial(
-  "getCodeQlVersionsForOverlayBaseDatabases de-duplicates resolved language aliases",
-  async (t) => {
-    const logger = getRunnerLogger(true);
-
-    sinon.stub(apiClient, "getAutomationID").resolves("test-automation-id/");
-    const listActionsCachesStub = sinon
-      .stub(apiClient, "listActionsCaches")
-      .resolves([
-        {
-          key: "codeql-overlay-base-database-1-c5666c509a2d9895-javascript_python-2.25.0-abc123-1-1",
-        },
-      ]);
-
-    const result = await getCodeQlVersionsForOverlayBaseDatabases(
-      ["javascript", "typescript", "Python", "python"],
-      logger,
-    );
-    t.deepEqual(result, ["2.25.0"]);
-    sinon.assert.calledOnceWithExactly(
-      listActionsCachesStub,
-      "codeql-overlay-base-database-1-c5666c509a2d9895-javascript_python-",
-    );
-  },
-);
-
 test.serial(
  "getCodeQlVersionsForOverlayBaseDatabases ignores nightly versions with build metadata",
  async (t) => {
@@ -461,10 +461,9 @@ export async function getCodeQlVersionsForOverlayBaseDatabases(
    );
    return undefined;
  }
-  const dedupedLanguages = [
-    ...new Set(languages.filter((l) => l !== undefined)),
-  ];
-  const cacheKeyPrefix = await getCacheKeyPrefixBase(dedupedLanguages);
+  const cacheKeyPrefix = await getCacheKeyPrefixBase(
+    languages.filter((l) => l !== undefined),
+  );

  logger.debug(
    `Searching for overlay-base databases in Actions cache with ` +
@@ -7,10 +7,8 @@ import {
  getRequiredInput,
  getTemporaryDirectory,
 } from "./actions-util";
-import { AnalysisKind, getAnalysisKinds } from "./analyses";
 import { getGitHubVersion } from "./api-client";
 import { CodeQL } from "./codeql";
-import { getRawLanguagesNoAutodetect } from "./config-utils";
 import { EnvVar } from "./environment";
 import { initFeatures } from "./feature-flags";
 import { initCodeQL } from "./init";
@@ -138,22 +136,16 @@ async function run(startedAt: Date): Promise<void> {
    if (statusReportBase !== undefined) {
      await sendStatusReport(statusReportBase);
    }
-    const codeQLDefaultVersionInfo =
-      await features.getEnabledDefaultCliVersions(gitHubVersion.type);
-    toolsFeatureFlagsValid = codeQLDefaultVersionInfo.toolsFeatureFlagsValid;
-    const rawLanguages = getRawLanguagesNoAutodetect(
-      getOptionalInput("languages"),
+    const codeQLDefaultVersionInfo = await features.getDefaultCliVersion(
+      gitHubVersion.type,
    );
-    const analysisKinds = await getAnalysisKinds(logger);
+    toolsFeatureFlagsValid = codeQLDefaultVersionInfo.toolsFeatureFlagsValid;
    const initCodeQLResult = await initCodeQL(
      getOptionalInput("tools"),
      apiDetails,
      getTemporaryDirectory(),
      gitHubVersion.type,
      codeQLDefaultVersionInfo,
-      rawLanguages,
-      analysisKinds.length === 1 &&
-        analysisKinds[0] === AnalysisKind.CodeScanning,
      features,
      logger,
    );
@@ -7,9 +7,8 @@ import * as sinon from "sinon";

 import * as actionsUtil from "./actions-util";
 import * as api from "./api-client";
-import { Feature } from "./feature-flags";
+import { Feature, FeatureEnablement } from "./feature-flags";
 import { getRunnerLogger } from "./logging";
-import { getCacheRestoreKeyPrefix } from "./overlay/caching";
 import * as setupCodeql from "./setup-codeql";
 import * as tar from "./tar";
 import {
@@ -19,8 +18,8 @@ import {
  SAMPLE_DOTCOM_API_DETAILS,
  checkExpectedLogMessages,
  createFeatures,
-  createTestConfig,
  getRecordingLogger,
+  initializeFeatures,
  makeMacro,
  mockBundleDownloadApi,
  setupActionsVars,
@@ -35,6 +34,14 @@ import {

 setupTests(test);

+// TODO: Remove when when we no longer need to pass in features (https://github.com/github/codeql-action/issues/2600)
+const expectedFeatureEnablement: FeatureEnablement = initializeFeatures(
+  true,
+) as FeatureEnablement;
+expectedFeatureEnablement.getValue = function (feature: Feature) {
+  // eslint-disable-next-line @typescript-eslint/no-unsafe-return
+  return expectedFeatureEnablement[feature];
+};
 test.beforeEach(() => {
  initializeEnvironment("1.2.3");
 });
@@ -101,8 +108,6 @@ test.serial(
      const source = await setupCodeql.getCodeQLSource(
        `https://github.com/github/codeql-action/releases/download/${tagName}/codeql-bundle-linux64.tar.gz`,
        SAMPLE_DEFAULT_CLI_VERSION,
-        undefined, // rawLanguages
-        false, // useOverlayAwareDefaultCliVersion
        SAMPLE_DOTCOM_API_DETAILS,
        GitHubVariant.DOTCOM,
        false,
@@ -126,8 +131,6 @@ test.serial(
      const source = await setupCodeql.getCodeQLSource(
        "linked",
        SAMPLE_DEFAULT_CLI_VERSION,
-        undefined, // rawLanguages
-        false, // useOverlayAwareDefaultCliVersion
        SAMPLE_DOTCOM_API_DETAILS,
        GitHubVariant.DOTCOM,
        false,
@@ -153,8 +156,6 @@ test.serial(
      const source = await setupCodeql.getCodeQLSource(
        "latest",
        SAMPLE_DEFAULT_CLI_VERSION,
-        undefined, // rawLanguages
-        false, // useOverlayAwareDefaultCliVersion
        SAMPLE_DOTCOM_API_DETAILS,
        GitHubVariant.DOTCOM,
        false,
@@ -211,8 +212,6 @@ test.serial(
        "tmp/codeql_action_test/",
        GitHubVariant.DOTCOM,
        SAMPLE_DEFAULT_CLI_VERSION,
-        undefined, // rawLanguages
-        false, // useOverlayAwareDefaultCliVersion
        features,
        logger,
      );
@@ -268,8 +267,6 @@ test.serial(
        "tmp/codeql_action_test/",
        GitHubVariant.DOTCOM,
        SAMPLE_DEFAULT_CLI_VERSION,
-        undefined, // rawLanguages
-        false, // useOverlayAwareDefaultCliVersion
        features,
        logger,
      );
@@ -321,8 +318,6 @@ test.serial(
      const source = await setupCodeql.getCodeQLSource(
        "nightly",
        SAMPLE_DEFAULT_CLI_VERSION,
-        undefined, // rawLanguages
-        false, // useOverlayAwareDefaultCliVersion
        SAMPLE_DOTCOM_API_DETAILS,
        GitHubVariant.DOTCOM,
        false,
@@ -384,8 +379,6 @@ test.serial(
      const source = await setupCodeql.getCodeQLSource(
        undefined,
        SAMPLE_DEFAULT_CLI_VERSION,
-        undefined, // rawLanguages
-        false, // useOverlayAwareDefaultCliVersion
        SAMPLE_DOTCOM_API_DETAILS,
        GitHubVariant.DOTCOM,
        false,
@@ -440,8 +433,6 @@ test.serial(
      const source = await setupCodeql.getCodeQLSource(
        "toolcache",
        SAMPLE_DEFAULT_CLI_VERSION,
-        undefined, // rawLanguages
-        false, // useOverlayAwareDefaultCliVersion
        SAMPLE_DOTCOM_API_DETAILS,
        GitHubVariant.DOTCOM,
        false,
@@ -509,8 +500,6 @@ const toolcacheInputFallbackMacro = makeMacro({
      const source = await setupCodeql.getCodeQLSource(
        "toolcache",
        SAMPLE_DEFAULT_CLI_VERSION,
-        undefined, // rawLanguages
-        false, // useOverlayAwareDefaultCliVersion
        SAMPLE_DOTCOM_API_DETAILS,
        GitHubVariant.DOTCOM,
        false,
@@ -526,10 +515,7 @@ const toolcacheInputFallbackMacro = makeMacro({

      // Check that `sourceType` and `toolsVersion` match expectations.
      t.is(source.sourceType, "download");
-      t.is(
-        source.toolsVersion,
-        SAMPLE_DEFAULT_CLI_VERSION.enabledVersions[0].cliVersion,
-      );
+      t.is(source.toolsVersion, SAMPLE_DEFAULT_CLI_VERSION.cliVersion);

      // Check that key messages we would expect to find in the log are present.
      for (const expectedMessage of expectedMessages) {
@@ -610,288 +596,3 @@ test.serial(
    t.is(setupCodeql.getLatestToolcacheVersion(getRunnerLogger(true)), "3.2.1");
  },
 );
-
-const overlayMatchEnabledVersions = {
-  enabledVersions: [
-    { cliVersion: "2.20.2", tagName: "codeql-bundle-v2.20.2" },
-    { cliVersion: "2.20.1", tagName: "codeql-bundle-v2.20.1" },
-    { cliVersion: "2.20.0", tagName: "codeql-bundle-v2.20.0" },
-  ],
-  toolsFeatureFlagsValid: true,
-};
-
-async function fakeOverlayBaseCacheKey(
-  language: string,
-  cliVersion: string,
-  suffix: string,
-): Promise<string> {
-  const prefix = await getCacheRestoreKeyPrefix(
-    createTestConfig({ languages: [language] }),
-    cliVersion,
-  );
-  return `${prefix}${suffix}`;
-}
-
-test.serial(
-  "getCodeQLSource uses overlay-aware default version when requested for a PR",
-  async (t) => {
-    await withTmpDir(async (tmpDir) => {
-      setupActionsVars(tmpDir, tmpDir);
-      process.env["CODE_SCANNING_REF"] = "refs/heads/feature-branch";
-      process.env["CODE_SCANNING_BASE_BRANCH"] = "main";
-
-      sinon.stub(api, "getAutomationID").resolves("test/");
-      const listStub = sinon.stub(api, "listActionsCaches").resolves([
-        {
-          key: await fakeOverlayBaseCacheKey("javascript", "2.20.1", "abc-1-1"),
-        },
-      ]);
-      sinon
-        .stub(toolcache, "find")
-        .withArgs("CodeQL", "2.20.1")
-        .returns("/path/to/codeql-2.20.1");
-
-      const source = await setupCodeql.getCodeQLSource(
-        undefined,
-        overlayMatchEnabledVersions,
-        ["javascript"],
-        true,
-        SAMPLE_DOTCOM_API_DETAILS,
-        GitHubVariant.DOTCOM,
-        false,
-        createFeatures([Feature.OverlayAnalysisMatchCodeqlVersion]),
-        getRunnerLogger(true),
-      );
-
-      t.assert(listStub.calledOnce);
-      t.is(source.sourceType, "toolcache");
-      t.is(source.toolsVersion, "2.20.1");
-    });
-  },
-);
-
-test.serial(
-  "getCodeQLSource skips overlay-aware default version when not requested",
-  async (t) => {
-    await withTmpDir(async (tmpDir) => {
-      setupActionsVars(tmpDir, tmpDir);
-      process.env["CODE_SCANNING_REF"] = "refs/heads/feature-branch";
-      process.env["CODE_SCANNING_BASE_BRANCH"] = "main";
-
-      sinon.stub(api, "getAutomationID").resolves("test/");
-      const listStub = sinon.stub(api, "listActionsCaches").resolves([
-        {
-          key: await fakeOverlayBaseCacheKey("javascript", "2.20.1", "abc-1-1"),
-        },
-      ]);
-      sinon
-        .stub(toolcache, "find")
-        .withArgs("CodeQL", "2.20.2")
-        .returns("/path/to/codeql-2.20.2");
-
-      const source = await setupCodeql.getCodeQLSource(
-        undefined,
-        overlayMatchEnabledVersions,
-        ["javascript"],
-        false,
-        SAMPLE_DOTCOM_API_DETAILS,
-        GitHubVariant.DOTCOM,
-        false,
-        createFeatures([Feature.OverlayAnalysisMatchCodeqlVersion]),
-        getRunnerLogger(true),
-      );
-
-      t.assert(listStub.notCalled);
-      t.is(source.sourceType, "toolcache");
-      t.is(source.toolsVersion, "2.20.2");
-    });
-  },
-);
-
-test.serial(
-  "getEnabledVersionsWithOverlayBaseDatabases returns flag-enabled versions present in cache, sorted desc",
-  async (t) => {
-    sinon.stub(api, "getAutomationID").resolves("test/");
-    sinon.stub(api, "listActionsCaches").resolves([
-      // Flag-enabled versions present in the cache, listed in non-descending
-      // order so the test exercises the sort.
-      {
-        key: await fakeOverlayBaseCacheKey("javascript", "2.20.0", "ghi-3-1"),
-      },
-      {
-        key: await fakeOverlayBaseCacheKey("javascript", "2.20.1", "def-2-1"),
-      },
-      // Newer than any flag-enabled version: should be filtered out.
-      {
-        key: await fakeOverlayBaseCacheKey("javascript", "2.21.0", "abc-1-1"),
-      },
-    ]);
-
-    const result = await setupCodeql.getEnabledVersionsWithOverlayBaseDatabases(
-      overlayMatchEnabledVersions,
-      ["javascript"],
-      createFeatures([Feature.OverlayAnalysisMatchCodeqlVersion]),
-      getRunnerLogger(true),
-    );
-    t.deepEqual(result, [
-      { cliVersion: "2.20.1", tagName: "codeql-bundle-v2.20.1" },
-      { cliVersion: "2.20.0", tagName: "codeql-bundle-v2.20.0" },
-    ]);
-  },
-);
-
-test.serial(
-  "getEnabledVersionsWithOverlayBaseDatabases returns empty when no cached version is flag-enabled",
-  async (t) => {
-    sinon.stub(api, "getAutomationID").resolves("test/");
-    sinon.stub(api, "listActionsCaches").resolves([
-      {
-        key: await fakeOverlayBaseCacheKey("javascript", "2.19.0", "abc-1-1"),
-      },
-    ]);
-
-    const result = await setupCodeql.getEnabledVersionsWithOverlayBaseDatabases(
-      overlayMatchEnabledVersions,
-      ["javascript"],
-      createFeatures([Feature.OverlayAnalysisMatchCodeqlVersion]),
-      getRunnerLogger(true),
-    );
-    t.deepEqual(result, []);
-  },
-);
-
-const noLanguagesMacro = makeMacro({
-  exec: async (
-    t: ExecutionContext<unknown>,
-    rawLanguages: string[] | undefined,
-  ) => {
-    const listStub = sinon.stub(api, "listActionsCaches").resolves([]);
-
-    const result = await setupCodeql.getEnabledVersionsWithOverlayBaseDatabases(
-      overlayMatchEnabledVersions,
-      rawLanguages,
-      createFeatures([Feature.OverlayAnalysisMatchCodeqlVersion]),
-      getRunnerLogger(true),
-    );
-    t.deepEqual(result, []);
-    t.assert(
-      listStub.notCalled,
-      "Should not list Actions caches without any rawLanguages.",
-    );
-  },
-  title: (providedTitle = "") =>
-    `getEnabledVersionsWithOverlayBaseDatabases does not list caches when rawLanguages is ${providedTitle}`,
-});
-
-noLanguagesMacro.serial("undefined", undefined);
-noLanguagesMacro.serial("an empty array", []);
-
-test.serial(
-  "getEnabledVersionsWithOverlayBaseDatabases returns empty when listing caches throws",
-  async (t) => {
-    sinon.stub(api, "getAutomationID").resolves("test/");
-    sinon.stub(api, "listActionsCaches").rejects(new Error("listing failed"));
-
-    const result = await setupCodeql.getEnabledVersionsWithOverlayBaseDatabases(
-      overlayMatchEnabledVersions,
-      ["javascript"],
-      createFeatures([Feature.OverlayAnalysisMatchCodeqlVersion]),
-      getRunnerLogger(true),
-    );
-    t.deepEqual(result, []);
-  },
-);
-
-test.serial(
-  "getEnabledVersionsWithOverlayBaseDatabases returns versions present in the cache",
-  async (t) => {
-    sinon.stub(api, "getAutomationID").resolves("test/");
-    sinon.stub(api, "listActionsCaches").resolves([
-      {
-        key: await fakeOverlayBaseCacheKey("javascript", "2.20.2", "abc-1-1"),
-      },
-    ]);
-
-    const result = await setupCodeql.getEnabledVersionsWithOverlayBaseDatabases(
-      overlayMatchEnabledVersions,
-      ["javascript"],
-      createFeatures([Feature.OverlayAnalysisMatchCodeqlVersion]),
-      getRunnerLogger(true),
-    );
-    t.deepEqual(result, [
-      { cliVersion: "2.20.2", tagName: "codeql-bundle-v2.20.2" },
-    ]);
-  },
-);
-
-test.serial(
-  "getEnabledVersionsWithOverlayBaseDatabases does not list caches when both gates are off",
-  async (t) => {
-    const listStub = sinon.stub(api, "listActionsCaches").resolves([]);
-
-    const result = await setupCodeql.getEnabledVersionsWithOverlayBaseDatabases(
-      overlayMatchEnabledVersions,
-      ["javascript"],
-      createFeatures([]),
-      getRunnerLogger(true),
-    );
-    t.deepEqual(result, []);
-    t.assert(
-      listStub.notCalled,
-      "Should not list Actions caches when both gating feature flags are off.",
-    );
-  },
-);
-
-test.serial(
-  "getEnabledVersionsWithOverlayBaseDatabases dry-run returns empty but lists caches",
-  async (t) => {
-    sinon.stub(api, "getAutomationID").resolves("test/");
-    const listStub = sinon.stub(api, "listActionsCaches").resolves([
-      {
-        key: await fakeOverlayBaseCacheKey("javascript", "2.20.1", "abc-1-1"),
-      },
-    ]);
-
-    const result = await setupCodeql.getEnabledVersionsWithOverlayBaseDatabases(
-      overlayMatchEnabledVersions,
-      ["javascript"],
-      createFeatures([Feature.OverlayAnalysisMatchCodeqlVersionDryRun]),
-      getRunnerLogger(true),
-    );
-    t.deepEqual(
-      result,
-      [],
-      "Dry-run should return an empty list so the caller falls back.",
-    );
-    t.assert(
-      listStub.calledOnce,
-      "Dry-run should still list Actions caches to populate the diagnostic.",
-    );
-  },
-);
-
-test.serial(
-  "getEnabledVersionsWithOverlayBaseDatabases match flag wins over dry-run",
-  async (t) => {
-    sinon.stub(api, "getAutomationID").resolves("test/");
-    sinon.stub(api, "listActionsCaches").resolves([
-      {
-        key: await fakeOverlayBaseCacheKey("javascript", "2.20.1", "abc-1-1"),
-      },
-    ]);
-
-    const result = await setupCodeql.getEnabledVersionsWithOverlayBaseDatabases(
-      overlayMatchEnabledVersions,
-      ["javascript"],
-      createFeatures([
-        Feature.OverlayAnalysisMatchCodeqlVersion,
-        Feature.OverlayAnalysisMatchCodeqlVersionDryRun,
-      ]),
-      getRunnerLogger(true),
-    );
-    t.deepEqual(result, [
-      { cliVersion: "2.20.1", tagName: "codeql-bundle-v2.20.1" },
-    ]);
-  },
-);
@@ -7,27 +7,17 @@ import { default as deepEqual } from "fast-deep-equal";
 import * as semver from "semver";
 import { v4 as uuidV4 } from "uuid";

-import {
-  isAnalyzingPullRequest,
-  isDynamicWorkflow,
-  isRunningLocalAction,
-} from "./actions-util";
+import { isDynamicWorkflow, isRunningLocalAction } from "./actions-util";
 import * as api from "./api-client";
 import * as defaults from "./defaults.json";
-import {
-  addNoLanguageDiagnostic,
-  makeDiagnostic,
-  makeTelemetryDiagnostic,
-} from "./diagnostics";
+import { addNoLanguageDiagnostic, makeDiagnostic } from "./diagnostics";
 import {
  CODEQL_VERSION_ZSTD_BUNDLE,
  CodeQLDefaultVersionInfo,
-  CodeQLVersionInfo,
  Feature,
  FeatureEnablement,
 } from "./feature-flags";
 import { Logger } from "./logging";
-import { getCodeQlVersionsForOverlayBaseDatabases } from "./overlay/caching";
 import * as tar from "./tar";
 import {
  downloadAndExtract,
@@ -274,131 +264,12 @@ async function findOverridingToolsInCache(
  return undefined;
 }

-/**
- * Returns the sorted set of enabled versions that have cached overlay-base databases for the
- * given languages, or an empty list if neither the `OverlayAnalysisMatchCodeqlVersion` nor the
- * `OverlayAnalysisMatchCodeqlVersionDryRun` feature flag is enabled. When only the dry-run flag
- * is enabled, this performs the lookup and emits a telemetry diagnostic with the version that
- * would have been chosen, but still returns an empty list so the caller falls back.
- */
-export async function getEnabledVersionsWithOverlayBaseDatabases(
-  defaultCliVersion: CodeQLDefaultVersionInfo,
-  rawLanguages: string[] | undefined,
-  features: FeatureEnablement,
-  logger: Logger,
-): Promise<CodeQLVersionInfo[]> {
-  if (rawLanguages === undefined || rawLanguages.length === 0) {
-    return [];
-  }
-  const isEnabled = await features.getValue(
-    Feature.OverlayAnalysisMatchCodeqlVersion,
-  );
-  const isDryRun =
-    !isEnabled &&
-    (await features.getValue(Feature.OverlayAnalysisMatchCodeqlVersionDryRun));
-  if (!isEnabled && !isDryRun) {
-    return [];
-  }
-
-  let cachedVersions: string[] | undefined;
-  try {
-    cachedVersions = await getCodeQlVersionsForOverlayBaseDatabases(
-      rawLanguages,
-      logger,
-    );
-  } catch (e) {
-    logger.warning(
-      "Could not list overlay-base databases in the Actions cache while choosing a default " +
-        `CodeQL CLI version, falling back to the highest enabled version. Details: ${util.getErrorMessage(e)}`,
-    );
-    return [];
-  }
-
-  if (cachedVersions === undefined || cachedVersions.length === 0) {
-    return [];
-  }
-
-  const cachedVersionsSet = new Set(cachedVersions);
-  const overlayVersions = defaultCliVersion.enabledVersions.filter((v) =>
-    cachedVersionsSet.has(v.cliVersion),
-  );
-
-  if (overlayVersions.length === 0) {
-    return [];
-  }
-
-  const isCachedVersionDifferent =
-    overlayVersions[0].cliVersion !==
-    defaultCliVersion.enabledVersions[0].cliVersion;
-
-  if (isCachedVersionDifferent) {
-    addNoLanguageDiagnostic(
-      undefined,
-      makeTelemetryDiagnostic(
-        "codeql-action/overlay-aware-default-codeql-version",
-        "Overlay-aware default CodeQL version selection",
-        {
-          cachedVersions,
-          enabledVersions: defaultCliVersion.enabledVersions.map(
-            (v) => v.cliVersion,
-          ),
-          isDryRun,
-          overlayAwareVersion: overlayVersions[0].cliVersion,
-        },
-      ),
-    );
-  }
-
-  if (isDryRun) {
-    logger.debug(
-      `Overlay-aware default CodeQL version selection is running in dry-run mode. Would have used version ${overlayVersions[0].cliVersion}.`,
-    );
-    return [];
-  }
-
-  return overlayVersions;
-}
-
-/**
- * Resolves the newest enabled default CLI version that has a cached overlay-base database for the
- * relevant languages, if running a Code Scanning analysis for a pull request and one exists.
- * Otherwise, falls back to the newest enabled default CLI version.
- */
-async function resolveDefaultCliVersion(
-  defaultCliVersion: CodeQLDefaultVersionInfo,
-  rawLanguages: string[] | undefined,
-  useOverlayAwareDefaultCliVersion: boolean,
-  features: FeatureEnablement,
-  logger: Logger,
-): Promise<CodeQLVersionInfo> {
-  if (!useOverlayAwareDefaultCliVersion || !isAnalyzingPullRequest()) {
-    return defaultCliVersion.enabledVersions[0];
-  }
-
-  const overlayVersions = await getEnabledVersionsWithOverlayBaseDatabases(
-    defaultCliVersion,
-    rawLanguages,
-    features,
-    logger,
-  );
-  if (overlayVersions.length > 0) {
-    logger.info(
-      `Using CodeQL version ${overlayVersions[0].cliVersion} since this is the ` +
-        `highest enabled version that has a cached overlay-base database.`,
-    );
-    return overlayVersions[0];
-  }
-  return defaultCliVersion.enabledVersions[0];
-}
-
 /**
 * Determines where the CodeQL CLI we want to use comes from. This can be from a local file,
 * the Actions toolcache, or a download.
 *
 * @param toolsInput The argument provided for the `tools` input, if any.
 * @param defaultCliVersion The default CLI version that's linked to the CodeQL Action.
- * @param rawLanguages Raw set of languages.
- * @param useOverlayAwareDefaultCliVersion Whether to select an overlay-aware default CLI version.
 * @param apiDetails Information about the GitHub API.
 * @param variant The GitHub variant we are running on.
 * @param tarSupportsZstd Whether zstd is supported by `tar`.
@@ -410,8 +281,6 @@ async function resolveDefaultCliVersion(
 export async function getCodeQLSource(
  toolsInput: string | undefined,
  defaultCliVersion: CodeQLDefaultVersionInfo,
-  rawLanguages: string[] | undefined,
-  useOverlayAwareDefaultCliVersion: boolean,
  apiDetails: api.GitHubApiDetails,
  variant: util.GitHubVariant,
  tarSupportsZstd: boolean,
@@ -569,15 +438,8 @@ export async function getCodeQLSource(
        }
      }

-      const version = await resolveDefaultCliVersion(
-        defaultCliVersion,
-        rawLanguages,
-        useOverlayAwareDefaultCliVersion,
-        features,
-        logger,
-      );
-      cliVersion = version.cliVersion;
-      tagName = version.tagName;
+      cliVersion = defaultCliVersion.cliVersion;
+      tagName = defaultCliVersion.tagName;
    }
  } else if (toolsInput !== undefined) {
    // If a tools URL was provided, then use that.
@@ -592,15 +454,9 @@ export async function getCodeQLSource(
      }
    }
  } else {
-    const version = await resolveDefaultCliVersion(
-      defaultCliVersion,
-      rawLanguages,
-      useOverlayAwareDefaultCliVersion,
-      features,
-      logger,
-    );
-    cliVersion = version.cliVersion;
-    tagName = version.tagName;
+    // Otherwise, use the default CLI version passed in.
+    cliVersion = defaultCliVersion.cliVersion;
+    tagName = defaultCliVersion.tagName;
  }

  const bundleVersion =
@@ -935,8 +791,6 @@ export async function setupCodeQLBundle(
  tempDir: string,
  variant: util.GitHubVariant,
  defaultCliVersion: CodeQLDefaultVersionInfo,
-  rawLanguages: string[] | undefined,
-  useOverlayAwareDefaultCliVersion: boolean,
  features: FeatureEnablement,
  logger: Logger,
 ): Promise<SetupCodeQLResult> {
@@ -950,8 +804,6 @@ export async function setupCodeQLBundle(
  const source = await getCodeQLSource(
    toolsInput,
    defaultCliVersion,
-    rawLanguages,
-    useOverlayAwareDefaultCliVersion,
    apiDetails,
    variant,
    zstdAvailability.available,
@@ -1010,10 +1010,8 @@ test.serial(
        return true;
      });
      const getDefaultCliVersion = sinon
-        .stub(features, "getEnabledDefaultCliVersions")
-        .resolves({
-          enabledVersions: [{ cliVersion: "2.20.1", tagName: expectedTag }],
-        });
+        .stub(features, "getDefaultCliVersion")
+        .resolves({ cliVersion: "2.20.1", tagName: expectedTag });
      const path = await startProxyExports.getProxyBinaryPath(logger, features);

      t.assert(getDefaultCliVersion.calledOnce);
@@ -415,7 +415,7 @@ async function getCliVersionFromFeatures(
  features: FeatureEnablement,
 ): Promise<CodeQLDefaultVersionInfo> {
  const gitHubVersion = await getGitHubVersion();
-  return await features.getEnabledDefaultCliVersions(gitHubVersion.type);
+  return await features.getDefaultCliVersion(gitHubVersion.type);
 }

 /**
@@ -440,7 +440,7 @@ export async function getDownloadUrl(
    // Retrieve information about the CLI version we should use. This will be either the linked
    // version, or the one enabled by FFs.
    const versionInfo = useFeaturesToDetermineCLI
-      ? (await getCliVersionFromFeatures(features)).enabledVersions[0]
+      ? await getCliVersionFromFeatures(features)
      : {
          cliVersion: defaults.cliVersion,
          tagName: defaults.bundleVersion,
@@ -40,20 +40,16 @@ export const SAMPLE_DOTCOM_API_DETAILS = {
  apiURL: "https://api.github.com",
 };

+export const SAMPLE_DEFAULT_CLI_VERSION: CodeQLDefaultVersionInfo = {
+  cliVersion: "2.20.0",
+  tagName: "codeql-bundle-v2.20.0",
+};
+
 export const LINKED_CLI_VERSION = {
  cliVersion: defaults.cliVersion,
  tagName: defaults.bundleVersion,
 };

-export const SAMPLE_DEFAULT_CLI_VERSION: CodeQLDefaultVersionInfo = {
-  enabledVersions: [
-    {
-      cliVersion: "2.20.0",
-      tagName: "codeql-bundle-v2.20.0",
-    },
-  ],
-};
-
 type TestContext = {
  stdoutWrite: any;
  stderrWrite: any;
@@ -470,7 +466,7 @@ export function mockCodeQLVersion(
 */
 export function createFeatures(enabledFeatures: Feature[]): FeatureEnablement {
  return {
-    getEnabledDefaultCliVersions: async () => {
+    getDefaultCliVersion: async () => {
      throw new Error("not implemented");
    },
    getValue: async (feature) => {
@@ -156,8 +156,9 @@ async function combineSarifFilesUsingCLI(
      apiURL: getRequiredEnvParam("GITHUB_API_URL"),
    };

-    const codeQLDefaultVersionInfo =
-      await features.getEnabledDefaultCliVersions(gitHubVersion.type);
+    const codeQLDefaultVersionInfo = await features.getDefaultCliVersion(
+      gitHubVersion.type,
+    );

    const initCodeQLResult = await initCodeQL(
      undefined, // There is no tools input on the upload action
@@ -165,8 +166,6 @@ async function combineSarifFilesUsingCLI(
      tempDir,
      gitHubVersion.type,
      codeQLDefaultVersionInfo,
-      undefined, // rawLanguages: upload-lib does not run analysis
-      false, // useOverlayAwareDefaultCliVersion: upload-lib does not run analysis
      features,
      logger,
    );
Author	SHA1	Message	Date
Michael B. Gale	257b3d3fc8	Enable only `code-scanning`	2026-05-12 15:46:28 +01:00
Michael B. Gale	312a2fee96	Add changelog entry	2026-05-12 15:03:58 +01:00
Michael B. Gale	70419e3273	Throw error if multiple analysis kinds are specified	2026-05-12 14:54:11 +01:00
Michael B. Gale	b62aaa99a5	Merge pull request #3889 from github/dependabot/npm_and_yarn/fast-xml-builder-1.2.0 Bump fast-xml-builder from 1.1.5 to 1.2.0	2026-05-11 14:59:28 +00:00
dependabot[bot]	2f2dbd2e78	Bump fast-xml-builder from 1.1.5 to 1.2.0 Bumps [fast-xml-builder](https://github.com/NaturalIntelligence/fast-xml-builder) from 1.1.5 to 1.2.0. - [Changelog](https://github.com/NaturalIntelligence/fast-xml-builder/blob/main/CHANGELOG.md) - [Commits](https://github.com/NaturalIntelligence/fast-xml-builder/compare/v1.1.5...v1.2.0) --- updated-dependencies: - dependency-name: fast-xml-builder dependency-version: 1.2.0 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com>	2026-05-08 19:05:11 +00:00