Rename meta.json to build-metadata.json

Merge remote-tracking branch 'origin/main' into mbg/bundle-metadata-improvements
Set retention and if-no-files-found
2026-05-10 07:40:28 +00:00 · 2026-04-30 14:30:25 +01:00 · 2026-04-30 14:28:42 +01:00 · 2026-04-13 13:18:56 +01:00 · 2026-04-10 18:47:56 +01:00 · 2026-04-10 18:47:56 +01:00
66 changed files with 293048 additions and 10477 deletions
@@ -1,5 +1,5 @@
 name: "CodeQL config"
-queries:
+queries: 
  - name: Run custom queries
    uses: ./queries
  # Run all extra query suites, both because we want to
@@ -13,5 +13,3 @@ queries:
 paths-ignore:
  - lib
  - tests
-  - "**/*.test.ts"
-  - "**/testing-util.ts"
@@ -59,7 +59,7 @@ jobs:
          use-all-platform-bundle: 'false'
          setup-kotlin: 'true'
      - name: Set up Ruby
-        uses: ruby/setup-ruby@c4e5b1316158f92e3d49443a9d58b31d25ac0f8f # v1.306.0
+        uses: ruby/setup-ruby@0cb964fd540e0a24c900370abf38a33466142735 # v1.305.0
        with:
          ruby-version: 2.6
      - name: Install Code Scanning integration
@@ -52,6 +52,14 @@ jobs:
      - name: Verify compiled JS up to date
        run: .github/workflows/script/check-js.sh

+      - name: Upload esbuild metadata
+        uses: actions/upload-artifact@v7
+        with:
+          name: bundle-metadata-${{ matrix.os }}-${{ matrix.node-version }}
+          path: build-metadata.json
+          retention-days: ${{ (github.ref_name == github.event.repository.default_branch && 90) || 7 }}
+          if-no-files-found: error
+
      - name: Run unit tests
        if: always()
        run: npm test
@@ -12,4 +12,4 @@ eslint.sarif
 # for local incremental compilation
 tsconfig.tsbuildinfo
 # esbuild metadata file
-meta.json
+build-metadata.json
@@ -19,7 +19,7 @@
    "scope": "javascript, typescript",
    "prefix": "testMacro",
    "body": [
-      "const ${1:nameMacro} = makeMacro({",
+      "const ${1:nameMacro} = test.macro({",
      "  exec: async (t: ExecutionContext<unknown>) => {},",
      "",
      "  title: (providedTitle = \"\") => `${2:common title} - \\${providedTitle}`,",
@@ -4,19 +4,8 @@ See the [releases page](https://github.com/github/codeql-action/releases) for th

 ## [UNRELEASED]

- Added an experimental change which, when running a Code Scanning analysis for a PR with [improved incremental analysis](https://github.com/github/roadmap/issues/1158) enabled, prefers CodeQL CLI versions that have a cached overlay-base database for the configured languages. This speeds up analysis for a repository when there is not yet a cached overlay-base database for the latest CLI version. We expect to roll this change out to everyone in May. [#3880](https://github.com/github/codeql-action/pull/3880)
-
-## 4.35.4 - 07 May 2026
-
- Update default CodeQL bundle version to [2.25.4](https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.25.4). [#3881](https://github.com/github/codeql-action/pull/3881)
-
-## 4.35.3 - 01 May 2026
-
- _Upcoming breaking change_: Add a deprecation warning for customers using CodeQL version 2.19.3 and earlier. These versions of CodeQL were discontinued on 9 April 2026 alongside GitHub Enterprise Server 3.15, and will be unsupported by the next minor release of the CodeQL Action. [#3837](https://github.com/github/codeql-action/pull/3837)
- Configurations for private registries that use Cloudsmith or GCP OIDC are now accepted. [#3850](https://github.com/github/codeql-action/pull/3850)
- Best-effort connection tests for private registries now use `GET` requests instead of `HEAD` for better compatibility with various registry implementations. For NuGet feeds, the test is now always performed against the service index. [#3853](https://github.com/github/codeql-action/pull/3853)
 - Fixed a bug where two diagnostics produced within the same millisecond could overwrite each other on disk, causing one of them to be lost. [#3852](https://github.com/github/codeql-action/pull/3852)
- Update default CodeQL bundle version to [2.25.3](https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.25.3). [#3865](https://github.com/github/codeql-action/pull/3865)
+- _Upcoming breaking change_: Add a deprecation warning for customers using CodeQL version 2.19.3 and earlier. These versions of CodeQL were discontinued on 9 April 2026 alongside GitHub Enterprise Server 3.15, and will be unsupported by the next minor release of the CodeQL Action. [#3837](https://github.com/github/codeql-action/pull/3837)

 ## 4.35.2 - 15 Apr 2026

@@ -82,6 +82,6 @@ const context = await esbuild.context({
 });

 const result = await context.rebuild();
-await writeFile(join(__dirname, "meta.json"), JSON.stringify(result.metafile));
+await writeFile(join(__dirname, "build-metadata.json"), JSON.stringify(result.metafile));

 await context.dispose();
@@ -1,6 +1,6 @@
 {
-  "bundleVersion": "codeql-bundle-v2.25.4",
-  "cliVersion": "2.25.4",
-  "priorBundleVersion": "codeql-bundle-v2.25.3",
-  "priorCliVersion": "2.25.3"
+  "bundleVersion": "codeql-bundle-v2.25.2",
+  "cliVersion": "2.25.2",
+  "priorBundleVersion": "codeql-bundle-v2.25.1",
+  "priorCliVersion": "2.25.1"
 }
@@ -1,12 +1,12 @@
 {
  "name": "codeql",
-  "version": "4.35.5",
+  "version": "4.35.3",
  "lockfileVersion": 3,
  "requires": true,
  "packages": {
    "": {
      "name": "codeql",
-      "version": "4.35.5",
+      "version": "4.35.3",
      "license": "MIT",
      "workspaces": [
        "pr-checks"
@@ -43,14 +43,14 @@
        "@types/archiver": "^7.0.0",
        "@types/follow-redirects": "^1.14.4",
        "@types/js-yaml": "^4.0.9",
-        "@types/node": "^20.19.39",
+        "@types/node": "^20.19.9",
        "@types/node-forge": "^1.3.14",
        "@types/sarif": "^2.1.7",
        "@types/semver": "^7.7.1",
        "@types/sinon": "^21.0.1",
        "ava": "^7.0.0",
        "esbuild": "^0.28.0",
-        "eslint": "^9.39.4",
+        "eslint": "^9.39.2",
        "eslint-import-resolver-typescript": "^4.4.4",
        "eslint-plugin-github": "^6.0.0",
        "eslint-plugin-import-x": "^4.16.2",
@@ -60,8 +60,8 @@
        "globals": "^17.5.0",
        "nock": "^14.0.12",
        "sinon": "^21.1.2",
-        "typescript": "^6.0.3",
-        "typescript-eslint": "^8.59.1"
+        "typescript": "^6.0.2",
+        "typescript-eslint": "^8.58.2"
      }
    },
    "node_modules/@aashutoshrathi/word-wrap": {
@@ -410,6 +410,15 @@
        "undici": "^6.23.0"
      }
    },
+    "node_modules/@actions/github/node_modules/undici": {
+      "version": "6.23.0",
+      "resolved": "https://registry.npmjs.org/undici/-/undici-6.23.0.tgz",
+      "integrity": "sha512-VfQPToRA5FZs/qJxLIinmU59u0r7LXqoJkCzinq3ckNJp3vKEh7jTWN589YQ5+aoAC/TGRLyJLCPKcLQbM8r9g==",
+      "license": "MIT",
+      "engines": {
+        "node": ">=18.17"
+      }
+    },
    "node_modules/@actions/glob": {
      "version": "0.5.1",
      "resolved": "https://registry.npmjs.org/@actions/glob/-/glob-0.5.1.tgz",
@@ -430,6 +439,15 @@
        "undici": "^6.23.0"
      }
    },
+    "node_modules/@actions/http-client/node_modules/undici": {
+      "version": "6.23.0",
+      "resolved": "https://registry.npmjs.org/undici/-/undici-6.23.0.tgz",
+      "integrity": "sha512-VfQPToRA5FZs/qJxLIinmU59u0r7LXqoJkCzinq3ckNJp3vKEh7jTWN589YQ5+aoAC/TGRLyJLCPKcLQbM8r9g==",
+      "license": "MIT",
+      "engines": {
+        "node": ">=18.17"
+      }
+    },
    "node_modules/@actions/io": {
      "version": "2.0.0",
      "resolved": "https://registry.npmjs.org/@actions/io/-/io-2.0.0.tgz",
@@ -1337,15 +1355,15 @@
      }
    },
    "node_modules/@eslint/config-array": {
-      "version": "0.21.2",
-      "resolved": "https://registry.npmjs.org/@eslint/config-array/-/config-array-0.21.2.tgz",
-      "integrity": "sha512-nJl2KGTlrf9GjLimgIru+V/mzgSK0ABCDQRvxw5BjURL7WfH5uoWmizbH7QB6MmnMBd8cIC9uceWnezL1VZWWw==",
+      "version": "0.21.1",
+      "resolved": "https://registry.npmjs.org/@eslint/config-array/-/config-array-0.21.1.tgz",
+      "integrity": "sha512-aw1gNayWpdI/jSYVgzN5pL0cfzU02GT3NBpeT/DXbx1/1x7ZKxFPd9bwrzygx/qiwIQiJ1sw/zD8qY/kRvlGHA==",
      "dev": true,
      "license": "Apache-2.0",
      "dependencies": {
        "@eslint/object-schema": "^2.1.7",
        "debug": "^4.3.1",
-        "minimatch": "^3.1.5"
+        "minimatch": "^3.1.2"
      },
      "engines": {
        "node": "^18.18.0 || ^20.9.0 || >=21.1.0"
@@ -1391,20 +1409,20 @@
      }
    },
    "node_modules/@eslint/eslintrc": {
-      "version": "3.3.5",
-      "resolved": "https://registry.npmjs.org/@eslint/eslintrc/-/eslintrc-3.3.5.tgz",
-      "integrity": "sha512-4IlJx0X0qftVsN5E+/vGujTRIFtwuLbNsVUe7TO6zYPDR1O6nFwvwhIKEKSrl6dZchmYBITazxKoUYOjdtjlRg==",
+      "version": "3.3.3",
+      "resolved": "https://registry.npmjs.org/@eslint/eslintrc/-/eslintrc-3.3.3.tgz",
+      "integrity": "sha512-Kr+LPIUVKz2qkx1HAMH8q1q6azbqBAsXJUxBl/ODDuVPX45Z9DfwB8tPjTi6nNZ8BuM3nbJxC5zCAg5elnBUTQ==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
-        "ajv": "^6.14.0",
+        "ajv": "^6.12.4",
        "debug": "^4.3.2",
        "espree": "^10.0.1",
        "globals": "^14.0.0",
        "ignore": "^5.2.0",
        "import-fresh": "^3.2.1",
        "js-yaml": "^4.1.1",
-        "minimatch": "^3.1.5",
+        "minimatch": "^3.1.2",
        "strip-json-comments": "^3.1.1"
      },
      "engines": {
@@ -1427,9 +1445,9 @@
      }
    },
    "node_modules/@eslint/js": {
-      "version": "9.39.4",
-      "resolved": "https://registry.npmjs.org/@eslint/js/-/js-9.39.4.tgz",
-      "integrity": "sha512-nE7DEIchvtiFTwBw4Lfbu59PG+kCofhjsKaCWzxTpt4lfRjRMqG6uMBzKXuEcyXhOHoUp9riAm7/aWYGhXZ9cw==",
+      "version": "9.39.2",
+      "resolved": "https://registry.npmjs.org/@eslint/js/-/js-9.39.2.tgz",
+      "integrity": "sha512-q1mjIoW1VX4IvSocvM/vbTiveKC4k9eLrajNEuSsmjymSDEbpGddtpfOoN7YGAqBK3NG+uqo8ia4PDTt8buCYA==",
      "dev": true,
      "license": "MIT",
      "engines": {
@@ -1476,6 +1494,14 @@
        "node": "^18.18.0 || ^20.9.0 || >=21.1.0"
      }
    },
+    "node_modules/@fastify/busboy": {
+      "version": "2.1.1",
+      "resolved": "https://registry.npmjs.org/@fastify/busboy/-/busboy-2.1.1.tgz",
+      "integrity": "sha512-vBZP4NlzfOlerQTnba4aqZoMhE/a9HY7HRqoOPaETQcSQuWEIyZMHGfVu6w9wGtGK5fED5qRs2DteVCjOH60sA==",
+      "engines": {
+        "node": ">=14"
+      }
+    },
    "node_modules/@github/browserslist-config": {
      "version": "1.0.0",
      "dev": true,
@@ -2469,9 +2495,9 @@
      "license": "MIT"
    },
    "node_modules/@types/node": {
-      "version": "20.19.39",
-      "resolved": "https://registry.npmjs.org/@types/node/-/node-20.19.39.tgz",
-      "integrity": "sha512-orrrD74MBUyK8jOAD/r0+lfa1I2MO6I+vAkmAWzMYbCcgrN4lCrmK52gRFQq/JRxfYPfonkr4b0jcY7Olqdqbw==",
+      "version": "20.19.9",
+      "resolved": "https://registry.npmjs.org/@types/node/-/node-20.19.9.tgz",
+      "integrity": "sha512-cuVNgarYWZqxRJDQHEB58GEONhOK79QVR/qYx4S7kcUObQvUwvFnYxJuuHUKm2aieN9X3yZB4LZsuYNU1Qphsw==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
@@ -2528,17 +2554,17 @@
      "license": "MIT"
    },
    "node_modules/@typescript-eslint/eslint-plugin": {
-      "version": "8.59.1",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/eslint-plugin/-/eslint-plugin-8.59.1.tgz",
-      "integrity": "sha512-BOziFIfE+6osHO9FoJG4zjoHUcvI7fTNBSpdAwrNH0/TLvzjsk2oo8XSSOT2HhqUyhZPfHv4UOffoJ9oEEQ7Ag==",
+      "version": "8.58.2",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/eslint-plugin/-/eslint-plugin-8.58.2.tgz",
+      "integrity": "sha512-aC2qc5thQahutKjP+cl8cgN9DWe3ZUqVko30CMSZHnFEHyhOYoZSzkGtAI2mcwZ38xeImDucI4dnqsHiOYuuCw==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
        "@eslint-community/regexpp": "^4.12.2",
-        "@typescript-eslint/scope-manager": "8.59.1",
-        "@typescript-eslint/type-utils": "8.59.1",
-        "@typescript-eslint/utils": "8.59.1",
-        "@typescript-eslint/visitor-keys": "8.59.1",
+        "@typescript-eslint/scope-manager": "8.58.2",
+        "@typescript-eslint/type-utils": "8.58.2",
+        "@typescript-eslint/utils": "8.58.2",
+        "@typescript-eslint/visitor-keys": "8.58.2",
        "ignore": "^7.0.5",
        "natural-compare": "^1.4.0",
        "ts-api-utils": "^2.5.0"
@@ -2551,7 +2577,7 @@
        "url": "https://opencollective.com/typescript-eslint"
      },
      "peerDependencies": {
-        "@typescript-eslint/parser": "^8.59.1",
+        "@typescript-eslint/parser": "^8.58.2",
        "eslint": "^8.57.0 || ^9.0.0 || ^10.0.0",
        "typescript": ">=4.8.4 <6.1.0"
      }
@@ -2567,16 +2593,16 @@
      }
    },
    "node_modules/@typescript-eslint/parser": {
-      "version": "8.59.1",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/parser/-/parser-8.59.1.tgz",
-      "integrity": "sha512-HDQH9O/47Dxi1ceDhBXdaldtf/WV9yRYMjbjCuNk3qnaTD564qwv61Y7+gTxwxRKzSrgO5uhtw584igXVuuZkA==",
+      "version": "8.58.2",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/parser/-/parser-8.58.2.tgz",
+      "integrity": "sha512-/Zb/xaIDfxeJnvishjGdcR4jmr7S+bda8PKNhRGdljDM+elXhlvN0FyPSsMnLmJUrVG9aPO6dof80wjMawsASg==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
-        "@typescript-eslint/scope-manager": "8.59.1",
-        "@typescript-eslint/types": "8.59.1",
-        "@typescript-eslint/typescript-estree": "8.59.1",
-        "@typescript-eslint/visitor-keys": "8.59.1",
+        "@typescript-eslint/scope-manager": "8.58.2",
+        "@typescript-eslint/types": "8.58.2",
+        "@typescript-eslint/typescript-estree": "8.58.2",
+        "@typescript-eslint/visitor-keys": "8.58.2",
        "debug": "^4.4.3"
      },
      "engines": {
@@ -2610,14 +2636,14 @@
      }
    },
    "node_modules/@typescript-eslint/project-service": {
-      "version": "8.59.1",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/project-service/-/project-service-8.59.1.tgz",
-      "integrity": "sha512-+MuHQlHiEr00Of/IQbE/MmEoi44znZHbR/Pz7Opq4HryUOlRi+/44dro9Ycy8Fyo+/024IWtw8m4JUMCGTYxDg==",
+      "version": "8.58.2",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/project-service/-/project-service-8.58.2.tgz",
+      "integrity": "sha512-Cq6UfpZZk15+r87BkIh5rDpi38W4b+Sjnb8wQCPPDDweS/LRCFjCyViEbzHk5Ck3f2QDfgmlxqSa7S7clDtlfg==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
-        "@typescript-eslint/tsconfig-utils": "^8.59.1",
-        "@typescript-eslint/types": "^8.59.1",
+        "@typescript-eslint/tsconfig-utils": "^8.58.2",
+        "@typescript-eslint/types": "^8.58.2",
        "debug": "^4.4.3"
      },
      "engines": {
@@ -2650,14 +2676,14 @@
      }
    },
    "node_modules/@typescript-eslint/scope-manager": {
-      "version": "8.59.1",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/scope-manager/-/scope-manager-8.59.1.tgz",
-      "integrity": "sha512-LwuHQI4pDOYVKvmH2dkaJo6YZCSgouVgnS/z7yBPKBMvgtBvyLqiLy9Z6b7+m/TRcX1NFYUqZetI5Y+aT4GEfg==",
+      "version": "8.58.2",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/scope-manager/-/scope-manager-8.58.2.tgz",
+      "integrity": "sha512-SgmyvDPexWETQek+qzZnrG6844IaO02UVyOLhI4wpo82dpZJY9+6YZCKAMFzXb7qhx37mFK1QcPQ18tud+vo6Q==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
-        "@typescript-eslint/types": "8.59.1",
-        "@typescript-eslint/visitor-keys": "8.59.1"
+        "@typescript-eslint/types": "8.58.2",
+        "@typescript-eslint/visitor-keys": "8.58.2"
      },
      "engines": {
        "node": "^18.18.0 || ^20.9.0 || >=21.1.0"
@@ -2668,9 +2694,9 @@
      }
    },
    "node_modules/@typescript-eslint/tsconfig-utils": {
-      "version": "8.59.1",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/tsconfig-utils/-/tsconfig-utils-8.59.1.tgz",
-      "integrity": "sha512-/0nEyPbX7gRsk0Uwfe4ALwwgxuA66d/l2mhRDNlAvaj4U3juhUtJNq0DsY8M2AYwwb9rEq2hrC3IcIcEt++iJA==",
+      "version": "8.58.2",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/tsconfig-utils/-/tsconfig-utils-8.58.2.tgz",
+      "integrity": "sha512-3SR+RukipDvkkKp/d0jP0dyzuls3DbGmwDpVEc5wqk5f38KFThakqAAO0XMirWAE+kT00oTauTbzMFGPoAzB0A==",
      "dev": true,
      "license": "MIT",
      "engines": {
@@ -2685,15 +2711,15 @@
      }
    },
    "node_modules/@typescript-eslint/type-utils": {
-      "version": "8.59.1",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/type-utils/-/type-utils-8.59.1.tgz",
-      "integrity": "sha512-klWPBR2ciQHS3f++ug/mVnWKPjBUo7icEL3FAO1lhAR1Z1i5NQYZ1EannMSRYcq5qCv5wNALlXr6fksRHyYl7w==",
+      "version": "8.58.2",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/type-utils/-/type-utils-8.58.2.tgz",
+      "integrity": "sha512-Z7EloNR/B389FvabdGeTo2XMs4W9TjtPiO9DAsmT0yom0bwlPyRjkJ1uCdW1DvrrrYP50AJZ9Xc3sByZA9+dcg==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
-        "@typescript-eslint/types": "8.59.1",
-        "@typescript-eslint/typescript-estree": "8.59.1",
-        "@typescript-eslint/utils": "8.59.1",
+        "@typescript-eslint/types": "8.58.2",
+        "@typescript-eslint/typescript-estree": "8.58.2",
+        "@typescript-eslint/utils": "8.58.2",
        "debug": "^4.4.3",
        "ts-api-utils": "^2.5.0"
      },
@@ -2728,9 +2754,9 @@
      }
    },
    "node_modules/@typescript-eslint/types": {
-      "version": "8.59.1",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/types/-/types-8.59.1.tgz",
-      "integrity": "sha512-ZDCjgccSdYPw5Bxh+my4Z0lJU96ZDN7jbBzvmEn0FZx3RtU1C7VWl6NbDx94bwY3V5YsgwRzJPOgeY2Q/nLG8A==",
+      "version": "8.58.2",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/types/-/types-8.58.2.tgz",
+      "integrity": "sha512-9TukXyATBQf/Jq9AMQXfvurk+G5R2MwfqQGDR2GzGz28HvY/lXNKGhkY+6IOubwcquikWk5cjlgPvD2uAA7htQ==",
      "dev": true,
      "license": "MIT",
      "engines": {
@@ -2742,16 +2768,16 @@
      }
    },
    "node_modules/@typescript-eslint/typescript-estree": {
-      "version": "8.59.1",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/typescript-estree/-/typescript-estree-8.59.1.tgz",
-      "integrity": "sha512-OUd+vJS05sSkOip+BkZ/2NS8RMxrAAJemsC6vU3kmfLyeaJT0TftHkV9mcx2107MmsBVXXexhVu4F0TZXyMl4g==",
+      "version": "8.58.2",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/typescript-estree/-/typescript-estree-8.58.2.tgz",
+      "integrity": "sha512-ELGuoofuhhoCvNbQjFFiobFcGgcDCEm0ThWdmO4Z0UzLqPXS3KFvnEZ+SHewwOYHjM09tkzOWXNTv9u6Gqtyuw==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
-        "@typescript-eslint/project-service": "8.59.1",
-        "@typescript-eslint/tsconfig-utils": "8.59.1",
-        "@typescript-eslint/types": "8.59.1",
-        "@typescript-eslint/visitor-keys": "8.59.1",
+        "@typescript-eslint/project-service": "8.58.2",
+        "@typescript-eslint/tsconfig-utils": "8.58.2",
+        "@typescript-eslint/types": "8.58.2",
+        "@typescript-eslint/visitor-keys": "8.58.2",
        "debug": "^4.4.3",
        "minimatch": "^10.2.2",
        "semver": "^7.7.3",
@@ -2827,16 +2853,16 @@
      }
    },
    "node_modules/@typescript-eslint/utils": {
-      "version": "8.59.1",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/utils/-/utils-8.59.1.tgz",
-      "integrity": "sha512-3pIeoXhCeYH9FSCBI8P3iNwJlGuzPlYKkTlen2O9T1DSeeg8UG8jstq6BLk+Mda0qup7mgk4z4XL4OzRaxZ8LA==",
+      "version": "8.58.2",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/utils/-/utils-8.58.2.tgz",
+      "integrity": "sha512-QZfjHNEzPY8+l0+fIXMvuQ2sJlplB4zgDZvA+NmvZsZv3EQwOcc1DuIU1VJUTWZ/RKouBMhDyNaBMx4sWvrzRA==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
        "@eslint-community/eslint-utils": "^4.9.1",
-        "@typescript-eslint/scope-manager": "8.59.1",
-        "@typescript-eslint/types": "8.59.1",
-        "@typescript-eslint/typescript-estree": "8.59.1"
+        "@typescript-eslint/scope-manager": "8.58.2",
+        "@typescript-eslint/types": "8.58.2",
+        "@typescript-eslint/typescript-estree": "8.58.2"
      },
      "engines": {
        "node": "^18.18.0 || ^20.9.0 || >=21.1.0"
@@ -2851,13 +2877,13 @@
      }
    },
    "node_modules/@typescript-eslint/visitor-keys": {
-      "version": "8.59.1",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/visitor-keys/-/visitor-keys-8.59.1.tgz",
-      "integrity": "sha512-LdDNl6C5iJExcM0Yh0PwAIBb9PrSiCsWamF/JyEZawm3kFDnRoaq3LGE4bpyRao/fWeGKKyw7icx0YxrLFC5Cg==",
+      "version": "8.58.2",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/visitor-keys/-/visitor-keys-8.58.2.tgz",
+      "integrity": "sha512-f1WO2Lx8a9t8DARmcWAUPJbu0G20bJlj8L4z72K00TMeJAoyLr/tHhI/pzYBLrR4dXWkcxO1cWYZEOX8DKHTqA==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
-        "@typescript-eslint/types": "8.59.1",
+        "@typescript-eslint/types": "8.58.2",
        "eslint-visitor-keys": "^5.0.0"
      },
      "engines": {
@@ -3271,9 +3297,7 @@
      }
    },
    "node_modules/ajv": {
-      "version": "6.15.0",
-      "resolved": "https://registry.npmjs.org/ajv/-/ajv-6.15.0.tgz",
-      "integrity": "sha512-fgFx7Hfoq60ytK2c7DhnF8jIvzYgOMxfugjLOSMHjLIPgenqa7S7oaagATUq99mV6IYvN2tRmC0wnTYX6iPbMw==",
+      "version": "6.12.6",
      "dev": true,
      "license": "MIT",
      "dependencies": {
@@ -4727,25 +4751,25 @@
      }
    },
    "node_modules/eslint": {
-      "version": "9.39.4",
-      "resolved": "https://registry.npmjs.org/eslint/-/eslint-9.39.4.tgz",
-      "integrity": "sha512-XoMjdBOwe/esVgEvLmNsD3IRHkm7fbKIUGvrleloJXUZgDHig2IPWNniv+GwjyJXzuNqVjlr5+4yVUZjycJwfQ==",
+      "version": "9.39.2",
+      "resolved": "https://registry.npmjs.org/eslint/-/eslint-9.39.2.tgz",
+      "integrity": "sha512-LEyamqS7W5HB3ujJyvi0HQK/dtVINZvd5mAAp9eT5S/ujByGjiZLCzPcHVzuXbpJDJF/cxwHlfceVUDZ2lnSTw==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
        "@eslint-community/eslint-utils": "^4.8.0",
        "@eslint-community/regexpp": "^4.12.1",
-        "@eslint/config-array": "^0.21.2",
+        "@eslint/config-array": "^0.21.1",
        "@eslint/config-helpers": "^0.4.2",
        "@eslint/core": "^0.17.0",
-        "@eslint/eslintrc": "^3.3.5",
-        "@eslint/js": "9.39.4",
+        "@eslint/eslintrc": "^3.3.1",
+        "@eslint/js": "9.39.2",
        "@eslint/plugin-kit": "^0.4.1",
        "@humanfs/node": "^0.16.6",
        "@humanwhocodes/module-importer": "^1.0.1",
        "@humanwhocodes/retry": "^0.4.2",
        "@types/estree": "^1.0.6",
-        "ajv": "^6.14.0",
+        "ajv": "^6.12.4",
        "chalk": "^4.0.0",
        "cross-spawn": "^7.0.6",
        "debug": "^4.3.2",
@@ -4764,7 +4788,7 @@
        "is-glob": "^4.0.0",
        "json-stable-stringify-without-jsonify": "^1.0.1",
        "lodash.merge": "^4.6.2",
-        "minimatch": "^3.1.5",
+        "minimatch": "^3.1.2",
        "natural-compare": "^1.4.0",
        "optionator": "^0.9.3"
      },
@@ -9773,9 +9797,9 @@
      }
    },
    "node_modules/typescript": {
-      "version": "6.0.3",
-      "resolved": "https://registry.npmjs.org/typescript/-/typescript-6.0.3.tgz",
-      "integrity": "sha512-y2TvuxSZPDyQakkFRPZHKFm+KKVqIisdg9/CZwm9ftvKXLP8NRWj38/ODjNbr43SsoXqNuAisEf1GdCxqWcdBw==",
+      "version": "6.0.2",
+      "resolved": "https://registry.npmjs.org/typescript/-/typescript-6.0.2.tgz",
+      "integrity": "sha512-bGdAIrZ0wiGDo5l8c++HWtbaNCWTS4UTv7RaTH/ThVIgjkveJt83m74bBHMJkuCbslY8ixgLBVZJIOiQlQTjfQ==",
      "dev": true,
      "license": "Apache-2.0",
      "bin": {
@@ -9787,16 +9811,16 @@
      }
    },
    "node_modules/typescript-eslint": {
-      "version": "8.59.1",
-      "resolved": "https://registry.npmjs.org/typescript-eslint/-/typescript-eslint-8.59.1.tgz",
-      "integrity": "sha512-xqDcFVBmlrltH64lklOVp1wYxgJr6LVdg3NamBgH2OOQDLFdTKfIZXF5PfghrnXQKXZGTQs8tr1vL7fJvq8CTQ==",
+      "version": "8.58.2",
+      "resolved": "https://registry.npmjs.org/typescript-eslint/-/typescript-eslint-8.58.2.tgz",
+      "integrity": "sha512-V8iSng9mRbdZjl54VJ9NKr6ZB+dW0J3TzRXRGcSbLIej9jV86ZRtlYeTKDR/QLxXykocJ5icNzbsl2+5TzIvcQ==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
-        "@typescript-eslint/eslint-plugin": "8.59.1",
-        "@typescript-eslint/parser": "8.59.1",
-        "@typescript-eslint/typescript-estree": "8.59.1",
-        "@typescript-eslint/utils": "8.59.1"
+        "@typescript-eslint/eslint-plugin": "8.58.2",
+        "@typescript-eslint/parser": "8.58.2",
+        "@typescript-eslint/typescript-estree": "8.58.2",
+        "@typescript-eslint/utils": "8.58.2"
      },
      "engines": {
        "node": "^18.18.0 || ^20.9.0 || >=21.1.0"
@@ -9830,12 +9854,14 @@
      }
    },
    "node_modules/undici": {
-      "version": "6.24.1",
-      "resolved": "https://registry.npmjs.org/undici/-/undici-6.24.1.tgz",
-      "integrity": "sha512-sC+b0tB1whOCzbtlx20fx3WgCXwkW627p4EA9uM+/tNNPkSS+eSEld6pAs9nDv7WbY1UUljBMYPtu9BCOrCWKA==",
-      "license": "MIT",
+      "version": "5.29.0",
+      "resolved": "https://registry.npmjs.org/undici/-/undici-5.29.0.tgz",
+      "integrity": "sha512-raqeBD6NQK4SkWhQzeYKd1KmIG6dllBOTt55Rmkt4HtI9mwdWtJljnrXjAFUBLTSN67HWrOIZ3EPF4kjUw80Bg==",
+      "dependencies": {
+        "@fastify/busboy": "^2.0.0"
+      },
      "engines": {
-        "node": ">=18.17"
+        "node": ">=14.0"
      }
    },
    "node_modules/undici-types": {
@@ -10390,7 +10416,7 @@
        "yaml": "^2.8.3"
      },
      "devDependencies": {
-        "@types/node": "^20.19.39",
+        "@types/node": "^20.19.9",
        "tsx": "^4.21.0"
      }
    }
@@ -1,6 +1,6 @@
 {
  "name": "codeql",
-  "version": "4.35.5",
+  "version": "4.35.3",
  "private": true,
  "description": "CodeQL action",
  "scripts": {
@@ -50,14 +50,14 @@
    "@types/archiver": "^7.0.0",
    "@types/follow-redirects": "^1.14.4",
    "@types/js-yaml": "^4.0.9",
-    "@types/node": "^20.19.39",
+    "@types/node": "^20.19.9",
    "@types/node-forge": "^1.3.14",
    "@types/sarif": "^2.1.7",
    "@types/semver": "^7.7.1",
    "@types/sinon": "^21.0.1",
    "ava": "^7.0.0",
    "esbuild": "^0.28.0",
-    "eslint": "^9.39.4",
+    "eslint": "^9.39.2",
    "eslint-import-resolver-typescript": "^4.4.4",
    "eslint-plugin-github": "^6.0.0",
    "eslint-plugin-import-x": "^4.16.2",
@@ -67,8 +67,8 @@
    "globals": "^17.5.0",
    "nock": "^14.0.12",
    "sinon": "^21.1.2",
-    "typescript": "^6.0.3",
-    "typescript-eslint": "^8.59.1"
+    "typescript": "^6.0.2",
+    "typescript-eslint": "^8.58.2"
  },
  "overrides": {
    "@actions/tool-cache": {
@@ -90,7 +90,6 @@
      "semver": ">=6.3.1"
    },
    "brace-expansion@2.0.1": "2.0.2",
-    "glob": "^11.1.0",
-    "undici": "^6.24.0"
+    "glob": "^11.1.0"
  }
 }
@@ -1,8 +1,16 @@
+import { ParseArgsConfig } from "node:util";
+
 import * as githubUtils from "@actions/github/lib/utils";
 import { type Octokit } from "@octokit/core";
 import { type PaginateInterface } from "@octokit/plugin-paginate-rest";
 import { type Api } from "@octokit/plugin-rest-endpoint-methods";

+/** Identifies the CodeQL Action repository. */
+export const CODEQL_ACTION_REPO = {
+  owner: "github",
+  repo: "codeql-action",
+};
+
 /** The type of the Octokit client. */
 export type ApiClient = Octokit & Api & { paginate: PaginateInterface };

@@ -11,3 +19,16 @@ export function getApiClient(token: string): ApiClient {
  const opts = githubUtils.getOctokitOptions(token);
  return new githubUtils.GitHub(opts);
 }
+
+export interface TokenOption {
+  /** The token to use to authenticate to the GitHub API. */
+  token?: string;
+}
+
+/** Command-line argument parser settings for the token parameter. */
+export const TOKEN_OPTION_CONFIG = {
+  // The token to use to authenticate to the API.
+  token: {
+    type: "string",
+  },
+} satisfies ParseArgsConfig["options"];
@@ -1,8 +1,43 @@
 #!/usr/bin/env npx tsx

 import * as fs from "node:fs/promises";
+import { parseArgs, ParseArgsConfig } from "node:util";

-import { BUNDLE_METADATA_FILE } from "./config";
+import * as exec from "@actions/exec";
+
+import {
+  ApiClient,
+  CODEQL_ACTION_REPO,
+  getApiClient,
+  TOKEN_OPTION_CONFIG,
+} from "./api-client";
+import { BASELINE_BUNDLE_METADATA_FILE, BUNDLE_METADATA_FILE } from "./config";
+
+const optionsConfig = {
+  ...TOKEN_OPTION_CONFIG,
+  branch: {
+    type: "string",
+    default: "main",
+  },
+  runner: {
+    type: "string",
+    default: "macos-latest",
+  },
+  "node-version": {
+    type: "string",
+    default: "24",
+  },
+} satisfies ParseArgsConfig["options"];
+
+function parseOptions() {
+  const { values: options } = parseArgs({
+    options: optionsConfig,
+  });
+
+  return options;
+}
+
+type Options = ReturnType<typeof parseOptions>;

 interface InputInfo {
  bytesInOutput: number;
@@ -23,21 +58,125 @@ function toMB(bytes: number): string {
  return `${(bytes / (1024 * 1024)).toFixed(2)}MB`;
 }

+async function getBaselineFrom(client: ApiClient, options: Options) {
+  const workflowRun = await client.rest.actions.listWorkflowRuns({
+    ...CODEQL_ACTION_REPO,
+    branch: options.branch,
+    workflow_id: "pr-checks.yml",
+    status: "success",
+    per_page: 1,
+    event: "push",
+  });
+
+  if (workflowRun.data.total_count === 0) {
+    throw new Error(
+      `Expected to find a 'pr-checks.yml' run for '${options.branch}', but found none.`,
+    );
+  }
+
+  const expectedArtifactName = `bundle-metadata-${options.runner}-${options["node-version"]}`;
+  const artifacts = await client.rest.actions.listWorkflowRunArtifacts({
+    ...CODEQL_ACTION_REPO,
+    run_id: workflowRun.data.workflow_runs[0].id,
+    name: expectedArtifactName,
+  });
+
+  if (artifacts.data.total_count === 0) {
+    throw new Error(
+      `Expected to find an artifact named '${expectedArtifactName}', but found none.`,
+    );
+  }
+
+  const downloadInfo = await client.rest.actions.downloadArtifact({
+    ...CODEQL_ACTION_REPO,
+    artifact_id: artifacts.data.artifacts[0].id,
+    archive_format: "zip",
+  });
+
+  // This works fine for us with our version of Octokit, so we don't need to
+  // worry about over-complicating this script and handle other possibilities.
+  if (downloadInfo.data instanceof ArrayBuffer) {
+    const archivePath = `${expectedArtifactName}.zip`;
+    await fs.writeFile(archivePath, Buffer.from(downloadInfo.data));
+
+    console.info(`Extracting zip file: ${archivePath}`);
+    await exec.exec("unzip", ["-o", archivePath, "-d", "."]);
+
+    // We no longer need the archive after unzipping it.
+    await fs.rm(archivePath);
+
+    // Check that we have the expected file.
+    try {
+      await fs.stat(BASELINE_BUNDLE_METADATA_FILE);
+    } catch (err) {
+      throw new Error(
+        `Expected '${BASELINE_BUNDLE_METADATA_FILE}' to have been extracted, but it does not exist: ${err}`,
+      );
+    }
+
+    const baselineData = await fs.readFile(BASELINE_BUNDLE_METADATA_FILE);
+    return JSON.parse(String(baselineData)) as Metadata;
+  } else {
+    throw new Error("Expected to receive artifact data, but didn't.");
+  }
+}
+
 async function main() {
+  const options = parseOptions();
+
+  if (options.token === undefined) {
+    throw new Error("Missing --token");
+  }
+
+  // Initialise the API client.
+  const client = getApiClient(options.token);
+  const baselineMetadata = await getBaselineFrom(client, options);
+
  const fileContents = await fs.readFile(BUNDLE_METADATA_FILE);
  const metadata = JSON.parse(String(fileContents)) as Metadata;

+  console.info("Comparing bundle metadata to baseline...");
+
+  const filesInBaseline = new Set(Object.keys(baselineMetadata.outputs));
+  const filesInCurrent = new Set(Object.keys(metadata.outputs));
+
+  const filesNotPresent = filesInBaseline.difference(filesInCurrent);
+  if (filesNotPresent.size > 0) {
+    console.info(`Found ${filesNotPresent.size} file(s) which were removed:`);
+    for (const removedFile of filesNotPresent) {
+      console.info(`  - ${removedFile}`);
+    }
+  }
+
  for (const [outputFile, outputData] of Object.entries(
    metadata.outputs,
  ).reverse()) {
-    console.info(`${outputFile}: ${toMB(outputData.bytes)}`);
+    const baselineOutputData = baselineMetadata.outputs[outputFile];

-    for (const [inputName, inputData] of Object.entries(outputData.inputs)) {
-      // Ignore any inputs that make up less than 5% of the output.
-      const percentage = (inputData.bytesInOutput / outputData.bytes) * 100.0;
-      if (percentage < 5.0) continue;
+    if (baselineOutputData === undefined) {
+      console.info(`${outputFile}: New file (${toMB(outputData.bytes)})`);
+    } else {
+      const percentageDifference =
+        ((outputData.bytes - baselineOutputData.bytes) /
+          baselineOutputData.bytes) *
+        100.0;

-      console.info(`  ${inputName}: ${toMB(inputData.bytesInOutput)}`);
+      if (Math.abs(percentageDifference) >= 5) {
+        console.info(
+          `${outputFile}: ${toMB(outputData.bytes)} (${percentageDifference.toFixed(2)}%)`,
+        );
+
+        for (const [inputName, inputData] of Object.entries(
+          outputData.inputs,
+        )) {
+          // Ignore any inputs that make up less than 5% of the output.
+          const percentage =
+            (inputData.bytesInOutput / outputData.bytes) * 100.0;
+          if (percentage < 5.0) continue;
+
+          console.info(`  ${inputName}: ${toMB(inputData.bytesInOutput)}`);
+        }
+      }
    }
  }
 }
@@ -5,7 +5,7 @@ versions:
  - default
 steps:
  - name: Set up Ruby
-    uses: ruby/setup-ruby@c4e5b1316158f92e3d49443a9d58b31d25ac0f8f # v1.306.0
+    uses: ruby/setup-ruby@0cb964fd540e0a24c900370abf38a33466142735 # v1.305.0
    with:
      ruby-version: 2.6
  - name: Install Code Scanning integration
@@ -10,7 +10,17 @@ export const PR_CHECKS_DIR = __dirname;
 export const PR_CHECK_EXCLUDED_FILE = path.join(PR_CHECKS_DIR, "excluded.yml");

 /** The path to the esbuild metadata file. */
-export const BUNDLE_METADATA_FILE = path.join(PR_CHECKS_DIR, "..", "meta.json");
+export const BUNDLE_METADATA_FILE = path.join(
+  PR_CHECKS_DIR,
+  "..",
+  "build-metadata.json",
+);
+
+/** The path of the baseline esbuild metadata file, once extracted from a workflow artifact. */
+export const BASELINE_BUNDLE_METADATA_FILE = path.join(
+  PR_CHECKS_DIR,
+  "build-metadata.json",
+);

 /** The `src` directory. */
 const SOURCE_ROOT = path.join(PR_CHECKS_DIR, "..", "src");
@@ -10,7 +10,7 @@
    "yaml": "^2.8.3"
  },
  "devDependencies": {
-    "@types/node": "^20.19.39",
+    "@types/node": "^20.19.9",
    "tsx": "^4.21.0"
  }
 }
@@ -7,16 +7,20 @@ import { parseArgs } from "node:util";

 import * as yaml from "yaml";

-import { type ApiClient, getApiClient } from "./api-client";
+import {
+  type ApiClient,
+  CODEQL_ACTION_REPO,
+  getApiClient,
+  TOKEN_OPTION_CONFIG,
+  TokenOption,
+} from "./api-client";
 import {
  OLDEST_SUPPORTED_MAJOR_VERSION,
  PR_CHECK_EXCLUDED_FILE,
 } from "./config";

 /** Represents the command-line options. */
-export interface Options {
-  /** The token to use to authenticate to the GitHub API. */
-  token?: string;
+export interface Options extends TokenOption {
  /** The git ref to use the checks for. */
  ref?: string;
  /** Whether to actually apply the changes or not. */
@@ -25,12 +29,6 @@ export interface Options {
  verbose: boolean;
 }

-/** Identifies the CodeQL Action repository. */
-const codeqlActionRepo = {
-  owner: "github",
-  repo: "codeql-action",
-};
-
 /** Represents a configuration of which checks should not be set up as required checks. */
 export interface Exclusions {
  /** A list of strings that, if contained in a check name, are excluded. */
@@ -100,7 +98,7 @@ async function getChecksFor(
  const response = await client.paginate(
    "GET /repos/{owner}/{repo}/commits/{ref}/check-runs",
    {
-      ...codeqlActionRepo,
+      ...CODEQL_ACTION_REPO,
      ref,
    },
  );
@@ -133,7 +131,7 @@ async function getChecksFor(
 /** Gets the current list of release branches. */
 async function getReleaseBranches(client: ApiClient): Promise<string[]> {
  const refs = await client.rest.git.listMatchingRefs({
-    ...codeqlActionRepo,
+    ...CODEQL_ACTION_REPO,
    ref: "heads/releases/v",
  });
  return refs.data.map((ref) => ref.ref).sort();
@@ -146,7 +144,7 @@ async function patchBranchProtectionRule(
  checks: Set<string>,
 ) {
  await client.rest.repos.setStatusCheckContexts({
-    ...codeqlActionRepo,
+    ...CODEQL_ACTION_REPO,
    branch,
    contexts: Array.from(checks),
  });
@@ -163,7 +161,7 @@ async function updateBranch(

  // Query the current set of required checks for this branch.
  const currentContexts = await client.rest.repos.getAllStatusCheckContexts({
-    ...codeqlActionRepo,
+    ...CODEQL_ACTION_REPO,
    branch,
  });

@@ -205,10 +203,7 @@ async function updateBranch(
 async function main(): Promise<void> {
  const { values: options } = parseArgs({
    options: {
-      // The token to use to authenticate to the API.
-      token: {
-        type: "string",
-      },
+      ...TOKEN_OPTION_CONFIG,
      // The git ref for which to retrieve the check runs.
      ref: {
        type: "string",
@@ -19,25 +19,6 @@ inputs:
      If not specified, the Action will check in several places until it finds
      the CodeQL tools.
    required: false
-  languages:
-    description: >-
-      A comma-separated list of CodeQL languages that will be analyzed in subsequent
-      `github/codeql-action/init` and `github/codeql-action/analyze` invocations. If specified, the
-      Action may use this list to select a CodeQL CLI version that is best suited to analyzing those
-      languages, for example by preferring a version that has a cached overlay-base database for the
-      specified languages. This input is not remembered and must also be passed to
-      `github/codeql-action/init`.
-    required: false
-  analysis-kinds:
-    description: >-
-      [Internal] A comma-separated list of analysis kinds that subsequent
-      `github/codeql-action/init` invocations will enable. If specified, the Action may use this
-      list to select a CodeQL CLI version that is best suited to those analysis kinds. This input is
-      not remembered and must also be passed to `github/codeql-action/init`.
-
-      Available options are the same as for the `analysis-kinds` input on the `init` Action.
-    default: 'code-scanning'
-    required: true
  token:
    description: GitHub token to use for authenticating with this instance of GitHub.
    default: ${{ github.token }}
@@ -128,8 +128,6 @@ export async function getGitHubVersionFromApi(

  // Doesn't strictly have to be the meta endpoint as we're only
  // using the response headers which are available on every request.
-  //
-  // See https://docs.github.com/en/rest/meta/meta#get-github-meta-information.
  // eslint-disable-next-line @typescript-eslint/no-unsafe-call
  const response = await apiClient.rest.meta.get();

@@ -166,9 +164,6 @@ export async function getGitHubVersion(): Promise<GitHubVersion> {

 /**
 * Get the path of the currently executing workflow relative to the repository root.
- *
- * See https://docs.github.com/en/rest/actions/workflow-runs#get-a-workflow-run
- * and https://docs.github.com/en/rest/actions/workflows#get-a-workflow.
 */
 export async function getWorkflowRelativePath(): Promise<string> {
  const repo_nwo = getRepositoryNwo();
@@ -257,13 +252,9 @@ export interface ActionsCacheItem {
  size_in_bytes?: number;
 }

-/**
- * List all Actions cache entries starting with the provided key prefix and matching the provided ref.
- *
- * See https://docs.github.com/en/rest/actions/cache#list-github-actions-caches-for-a-repository.
- */
+/** List all Actions cache entries matching the provided key and ref. */
 export async function listActionsCaches(
-  keyPrefix: string,
+  key: string,
  ref?: string,
 ): Promise<ActionsCacheItem[]> {
  const repositoryNwo = getRepositoryNwo();
@@ -273,17 +264,13 @@ export async function listActionsCaches(
    {
      owner: repositoryNwo.owner,
      repo: repositoryNwo.repo,
-      key: keyPrefix,
+      key,
      ref,
    },
  );
 }

-/**
- * Delete an Actions cache item by its ID.
- *
- * See https://docs.github.com/en/rest/actions/cache#delete-a-github-actions-cache-for-a-repository-using-a-cache-id.
- */
+/** Delete an Actions cache item by its ID. */
 export async function deleteActionsCache(id: number) {
  const repositoryNwo = getRepositoryNwo();

@@ -294,11 +281,7 @@ export async function deleteActionsCache(id: number) {
  });
 }

-/**
- * Retrieve all custom repository properties.
- *
- * See https://docs.github.com/en/rest/repos/custom-properties#get-all-custom-property-values-for-a-repository.
- */
+/** Retrieve all custom repository properties. */
 export async function getRepositoryProperties(repositoryNwo: RepositoryNwo) {
  return getApiClient().request("GET /repos/:owner/:repo/properties/values", {
    owner: repositoryNwo.owner,
@@ -141,12 +141,7 @@ test("scanArtifactsForTokens handles files without tokens", async (t) => {
  }
 });

-// This test is slow (extracts and scans a zip artifact), so by default we only run it in CI. Set
-// RUN_SLOW_TESTS=1 to run it locally.
-if (
-  os.platform() !== "win32" &&
-  (process.env.CI === "true" || process.env.RUN_SLOW_TESTS === "1")
-) {
+if (os.platform() !== "win32") {
  test("scanArtifactsForTokens finds token in debug artifacts", async (t) => {
    t.timeout(15000); // 15 seconds
    const messages: LoggedMessage[] = [];
@@ -156,10 +156,6 @@ async function scanArchiveFile(
    );
  }

-  if (process.platform === "win32") {
-    throw new Error("Scanning archives is not supported on Windows.");
-  }
-
  const result: ScanResult = {
    scannedFiles: 0,
    findings: [],
@@ -33,7 +33,6 @@ import {
  mockBundleDownloadApi,
  makeVersionInfo,
  createTestConfig,
-  makeMacro,
 } from "./testing-utils";
 import { ToolsDownloadStatusReport } from "./tools-download";
 import * as util from "./util";
@@ -71,10 +70,8 @@ async function installIntoToolcache({
    tmpDir,
    util.GitHubVariant.GHES,
    cliVersion !== undefined
-      ? { enabledVersions: [{ cliVersion, tagName }] }
+      ? { cliVersion, tagName }
      : SAMPLE_DEFAULT_CLI_VERSION,
-    undefined, // rawLanguages
-    false, // useOverlayAwareDefaultCliVersion
    createFeatures([]),
    getRunnerLogger(true),
    false,
@@ -146,8 +143,6 @@ test.serial(
          tmpDir,
          util.GitHubVariant.DOTCOM,
          SAMPLE_DEFAULT_CLI_VERSION,
-          undefined, // rawLanguages
-          false, // useOverlayAwareDefaultCliVersion
          features,
          getRunnerLogger(true),
          false,
@@ -180,8 +175,6 @@ test.serial(
        tmpDir,
        util.GitHubVariant.DOTCOM,
        SAMPLE_DEFAULT_CLI_VERSION,
-        undefined, // rawLanguages
-        false, // useOverlayAwareDefaultCliVersion
        features,
        getRunnerLogger(true),
        false,
@@ -221,8 +214,6 @@ test.serial(
        tmpDir,
        util.GitHubVariant.DOTCOM,
        SAMPLE_DEFAULT_CLI_VERSION,
-        undefined, // rawLanguages
-        false, // useOverlayAwareDefaultCliVersion
        features,
        getRunnerLogger(true),
        false,
@@ -273,8 +264,6 @@ for (const {
          tmpDir,
          util.GitHubVariant.DOTCOM,
          SAMPLE_DEFAULT_CLI_VERSION,
-          undefined, // rawLanguages
-          false, // useOverlayAwareDefaultCliVersion
          features,
          getRunnerLogger(true),
          false,
@@ -295,11 +284,11 @@ for (const {
 for (const toolcacheVersion of [
  // Test that we use the tools from the toolcache when `SAMPLE_DEFAULT_CLI_VERSION` is requested
  // and `SAMPLE_DEFAULT_CLI_VERSION-` is in the toolcache.
-  SAMPLE_DEFAULT_CLI_VERSION.enabledVersions[0].cliVersion,
-  `${SAMPLE_DEFAULT_CLI_VERSION.enabledVersions[0].cliVersion}-20230101`,
+  SAMPLE_DEFAULT_CLI_VERSION.cliVersion,
+  `${SAMPLE_DEFAULT_CLI_VERSION.cliVersion}-20230101`,
 ]) {
  test.serial(
-    `uses tools from toolcache when ${SAMPLE_DEFAULT_CLI_VERSION.enabledVersions[0].cliVersion} is requested and ` +
+    `uses tools from toolcache when ${SAMPLE_DEFAULT_CLI_VERSION.cliVersion} is requested and ` +
      `${toolcacheVersion} is installed`,
    async (t) => {
      const features = createFeatures([]);
@@ -319,16 +308,11 @@ for (const toolcacheVersion of [
          tmpDir,
          util.GitHubVariant.DOTCOM,
          SAMPLE_DEFAULT_CLI_VERSION,
-          undefined, // rawLanguages
-          false, // useOverlayAwareDefaultCliVersion
          features,
          getRunnerLogger(true),
          false,
        );
-        t.is(
-          result.toolsVersion,
-          SAMPLE_DEFAULT_CLI_VERSION.enabledVersions[0].cliVersion,
-        );
+        t.is(result.toolsVersion, SAMPLE_DEFAULT_CLI_VERSION.cliVersion);
        t.is(result.toolsSource, ToolsSource.Toolcache);
        t.is(result.toolsDownloadStatusReport?.combinedDurationMs, undefined);
        t.is(result.toolsDownloadStatusReport?.downloadDurationMs, undefined);
@@ -358,15 +342,9 @@ test.serial(
        tmpDir,
        util.GitHubVariant.GHES,
        {
-          enabledVersions: [
-            {
-              cliVersion: defaults.cliVersion,
-              tagName: defaults.bundleVersion,
-            },
-          ],
+          cliVersion: defaults.cliVersion,
+          tagName: defaults.bundleVersion,
        },
-        undefined, // rawLanguages
-        false, // useOverlayAwareDefaultCliVersion
        features,
        getRunnerLogger(true),
        false,
@@ -406,15 +384,9 @@ test.serial(
        tmpDir,
        util.GitHubVariant.GHES,
        {
-          enabledVersions: [
-            {
-              cliVersion: defaults.cliVersion,
-              tagName: defaults.bundleVersion,
-            },
-          ],
+          cliVersion: defaults.cliVersion,
+          tagName: defaults.bundleVersion,
        },
-        undefined, // rawLanguages
-        false, // useOverlayAwareDefaultCliVersion
        features,
        getRunnerLogger(true),
        false,
@@ -454,8 +426,6 @@ test.serial(
        tmpDir,
        util.GitHubVariant.DOTCOM,
        SAMPLE_DEFAULT_CLI_VERSION,
-        undefined, // rawLanguages
-        false, // useOverlayAwareDefaultCliVersion
        features,
        getRunnerLogger(true),
        false,
@@ -497,8 +467,6 @@ test.serial(
        tmpDir,
        util.GitHubVariant.DOTCOM,
        SAMPLE_DEFAULT_CLI_VERSION,
-        undefined, // rawLanguages
-        false, // useOverlayAwareDefaultCliVersion
        features,
        getRunnerLogger(true),
        false,
@@ -572,7 +540,7 @@ test.serial("getExtraOptions throws for bad content", (t) => {
 });

 // Test macro for ensuring different variants of injected augmented configurations
-const injectedConfigMacro = makeMacro({
+const injectedConfigMacro = test.macro({
  exec: async (
    t: ExecutionContext<unknown>,
    augmentationProperties: AugmentationProperties,
@@ -622,8 +590,9 @@ const injectedConfigMacro = makeMacro({
    `databaseInitCluster() injected config: ${providedTitle}`,
 });

-injectedConfigMacro.serial(
+test.serial(
  "basic",
+  injectedConfigMacro,
  {
    ...defaultAugmentationProperties,
  },
@@ -631,8 +600,9 @@ injectedConfigMacro.serial(
  {},
 );

-injectedConfigMacro.serial(
+test.serial(
  "injected packs from input",
+  injectedConfigMacro,
  {
    ...defaultAugmentationProperties,
    packsInput: ["xxx", "yyy"],
@@ -643,8 +613,9 @@ injectedConfigMacro.serial(
  },
 );

-injectedConfigMacro.serial(
+test.serial(
  "injected packs from input with existing packs combines",
+  injectedConfigMacro,
  {
    ...defaultAugmentationProperties,
    packsInputCombines: true,
@@ -664,8 +635,9 @@ injectedConfigMacro.serial(
  },
 );

-injectedConfigMacro.serial(
+test.serial(
  "injected packs from input with existing packs overrides",
+  injectedConfigMacro,
  {
    ...defaultAugmentationProperties,
    packsInput: ["xxx", "yyy"],
@@ -683,8 +655,9 @@ injectedConfigMacro.serial(
 );

 // similar, but with queries
-injectedConfigMacro.serial(
+test.serial(
  "injected queries from input",
+  injectedConfigMacro,
  {
    ...defaultAugmentationProperties,
    queriesInput: [{ uses: "xxx" }, { uses: "yyy" }],
@@ -702,8 +675,9 @@ injectedConfigMacro.serial(
  },
 );

-injectedConfigMacro.serial(
+test.serial(
  "injected queries from input overrides",
+  injectedConfigMacro,
  {
    ...defaultAugmentationProperties,
    queriesInput: [{ uses: "xxx" }, { uses: "yyy" }],
@@ -725,8 +699,9 @@ injectedConfigMacro.serial(
  },
 );

-injectedConfigMacro.serial(
+test.serial(
  "injected queries from input combines",
+  injectedConfigMacro,
  {
    ...defaultAugmentationProperties,
    queriesInputCombines: true,
@@ -752,8 +727,9 @@ injectedConfigMacro.serial(
  },
 );

-injectedConfigMacro.serial(
+test.serial(
  "injected queries from input combines 2",
+  injectedConfigMacro,
  {
    ...defaultAugmentationProperties,
    queriesInputCombines: true,
@@ -773,8 +749,9 @@ injectedConfigMacro.serial(
  },
 );

-injectedConfigMacro.serial(
+test.serial(
  "injected queries and packs, but empty",
+  injectedConfigMacro,
  {
    ...defaultAugmentationProperties,
    queriesInputCombines: true,
@@ -791,8 +768,9 @@ injectedConfigMacro.serial(
  {},
 );

-injectedConfigMacro.serial(
+test.serial(
  "repo property queries have the highest precedence",
+  injectedConfigMacro,
  {
    ...defaultAugmentationProperties,
    queriesInputCombines: true,
@@ -812,8 +790,9 @@ injectedConfigMacro.serial(
  },
 );

-injectedConfigMacro.serial(
+test.serial(
  "repo property queries combines with queries input",
+  injectedConfigMacro,
  {
    ...defaultAugmentationProperties,
    queriesInputCombines: false,
@@ -838,8 +817,9 @@ injectedConfigMacro.serial(
  },
 );

-injectedConfigMacro.serial(
+test.serial(
  "repo property queries combines everything else",
+  injectedConfigMacro,
  {
    ...defaultAugmentationProperties,
    queriesInputCombines: true,
@@ -305,8 +305,6 @@ const EXTRACTION_DEBUG_MODE_VERBOSITY = "progress++";
 * @param tempDir
 * @param variant
 * @param defaultCliVersion
- * @param rawLanguages Raw set of languages.
- * @param useOverlayAwareDefaultCliVersion Whether to select an overlay-aware default CLI version.
 * @param features Information about the features that are enabled.
 * @param logger
 * @param checkVersion Whether to check that CodeQL CLI meets the minimum
@@ -319,8 +317,6 @@ export async function setupCodeQL(
  tempDir: string,
  variant: util.GitHubVariant,
  defaultCliVersion: CodeQLDefaultVersionInfo,
-  rawLanguages: string[] | undefined,
-  useOverlayAwareDefaultCliVersion: boolean,
  features: FeatureEnablement,
  logger: Logger,
  checkVersion: boolean,
@@ -344,8 +340,6 @@ export async function setupCodeQL(
      tempDir,
      variant,
      defaultCliVersion,
-      rawLanguages,
-      useOverlayAwareDefaultCliVersion,
      features,
      logger,
    );
@@ -34,7 +34,6 @@ import {
  LoggedMessage,
  mockCodeQLVersion,
  createTestConfig,
-  makeMacro,
 } from "./testing-utils";
 import {
  GitHubVariant,
@@ -1035,9 +1034,10 @@ const defaultOverlayDatabaseModeTestSetup: OverlayDatabaseModeTestSetup = {
  repositoryProperties: {},
 };

-const checkOverlayEnablementMacro = makeMacro({
+const checkOverlayEnablementMacro = test.macro({
  exec: async (
    t: ExecutionContext,
+    _title: string,
    setupOverrides: Partial<OverlayDatabaseModeTestSetup>,
    expected:
      | {
@@ -1131,10 +1131,11 @@ const checkOverlayEnablementMacro = makeMacro({
      }
    });
  },
-  title: (title) => `checkOverlayEnablement: ${title}`,
+  title: (_, title) => `checkOverlayEnablement: ${title}`,
 });

-checkOverlayEnablementMacro.serial(
+test.serial(
+  checkOverlayEnablementMacro,
  "Environment variable override - Overlay",
  {
    overlayDatabaseEnvVar: "overlay",
@@ -1145,7 +1146,8 @@ checkOverlayEnablementMacro.serial(
  },
 );

-checkOverlayEnablementMacro.serial(
+test.serial(
+  checkOverlayEnablementMacro,
  "Environment variable override - OverlayBase",
  {
    overlayDatabaseEnvVar: "overlay-base",
@@ -1156,7 +1158,8 @@ checkOverlayEnablementMacro.serial(
  },
 );

-checkOverlayEnablementMacro.serial(
+test.serial(
+  checkOverlayEnablementMacro,
  "Environment variable override - None",
  {
    overlayDatabaseEnvVar: "none",
@@ -1166,7 +1169,8 @@ checkOverlayEnablementMacro.serial(
  },
 );

-checkOverlayEnablementMacro.serial(
+test.serial(
+  checkOverlayEnablementMacro,
  "Ignore invalid environment variable",
  {
    overlayDatabaseEnvVar: "invalid-mode",
@@ -1176,7 +1180,8 @@ checkOverlayEnablementMacro.serial(
  },
 );

-checkOverlayEnablementMacro.serial(
+test.serial(
+  checkOverlayEnablementMacro,
  "Ignore feature flag when analyzing non-default branch",
  {
    languages: [BuiltInLanguage.javascript],
@@ -1187,7 +1192,8 @@ checkOverlayEnablementMacro.serial(
  },
 );

-checkOverlayEnablementMacro.serial(
+test.serial(
+  checkOverlayEnablementMacro,
  "Overlay-base database on default branch when feature enabled",
  {
    languages: [BuiltInLanguage.javascript],
@@ -1200,14 +1206,15 @@ checkOverlayEnablementMacro.serial(
  },
 );

-checkOverlayEnablementMacro.serial(
+test.serial(
+  checkOverlayEnablementMacro,
  "Overlay-base database on default branch when feature enabled with custom analysis",
  {
    languages: [BuiltInLanguage.javascript],
    features: [Feature.OverlayAnalysis, Feature.OverlayAnalysisJavascript],
    codeScanningConfig: {
      packs: ["some-custom-pack@1.0.0"],
-    },
+    } as UserConfig,
    isDefaultBranch: true,
  },
  {
@@ -1216,7 +1223,8 @@ checkOverlayEnablementMacro.serial(
  },
 );

-checkOverlayEnablementMacro.serial(
+test.serial(
+  checkOverlayEnablementMacro,
  "Overlay-base database on default branch when code-scanning feature enabled",
  {
    languages: [BuiltInLanguage.javascript],
@@ -1232,7 +1240,8 @@ checkOverlayEnablementMacro.serial(
  },
 );

-checkOverlayEnablementMacro.serial(
+test.serial(
+  checkOverlayEnablementMacro,
  "No overlay-base database on default branch if runner disk space is too low",
  {
    languages: [BuiltInLanguage.javascript],
@@ -1251,7 +1260,8 @@ checkOverlayEnablementMacro.serial(
  },
 );

-checkOverlayEnablementMacro.serial(
+test.serial(
+  checkOverlayEnablementMacro,
  "No overlay-base database on default branch if we can't determine runner disk space",
  {
    languages: [BuiltInLanguage.javascript],
@@ -1267,7 +1277,8 @@ checkOverlayEnablementMacro.serial(
  },
 );

-checkOverlayEnablementMacro.serial(
+test.serial(
+  checkOverlayEnablementMacro,
  "Overlay-base database on default branch if runner disk space is too low and skip resource checks flag is enabled",
  {
    languages: [BuiltInLanguage.javascript],
@@ -1288,7 +1299,8 @@ checkOverlayEnablementMacro.serial(
  },
 );

-checkOverlayEnablementMacro.serial(
+test.serial(
+  checkOverlayEnablementMacro,
  "No overlay-base database on default branch if runner disk space is below v2 limit and v2 resource checks enabled",
  {
    languages: [BuiltInLanguage.javascript],
@@ -1308,7 +1320,8 @@ checkOverlayEnablementMacro.serial(
  },
 );

-checkOverlayEnablementMacro.serial(
+test.serial(
+  checkOverlayEnablementMacro,
  "Overlay-base database on default branch if runner disk space is between v2 and v1 limits and v2 resource checks enabled",
  {
    languages: [BuiltInLanguage.javascript],
@@ -1329,7 +1342,8 @@ checkOverlayEnablementMacro.serial(
  },
 );

-checkOverlayEnablementMacro.serial(
+test.serial(
+  checkOverlayEnablementMacro,
  "No overlay-base database on default branch if runner disk space is between v2 and v1 limits and v2 resource checks not enabled",
  {
    languages: [BuiltInLanguage.javascript],
@@ -1348,7 +1362,8 @@ checkOverlayEnablementMacro.serial(
  },
 );

-checkOverlayEnablementMacro.serial(
+test.serial(
+  checkOverlayEnablementMacro,
  "No overlay-base database on default branch if memory flag is too low",
  {
    languages: [BuiltInLanguage.javascript],
@@ -1364,7 +1379,8 @@ checkOverlayEnablementMacro.serial(
  },
 );

-checkOverlayEnablementMacro.serial(
+test.serial(
+  checkOverlayEnablementMacro,
  "Overlay-base database on default branch if memory flag is too low but CodeQL >= 2.24.3",
  {
    languages: [BuiltInLanguage.javascript],
@@ -1382,7 +1398,8 @@ checkOverlayEnablementMacro.serial(
  },
 );

-checkOverlayEnablementMacro.serial(
+test.serial(
+  checkOverlayEnablementMacro,
  "Overlay-base database on default branch if memory flag is too low and skip resource checks flag is enabled",
  {
    languages: [BuiltInLanguage.javascript],
@@ -1400,7 +1417,8 @@ checkOverlayEnablementMacro.serial(
  },
 );

-checkOverlayEnablementMacro.serial(
+test.serial(
+  checkOverlayEnablementMacro,
  "No overlay-base database on default branch when cached status indicates previous failure",
  {
    languages: [BuiltInLanguage.javascript],
@@ -1417,7 +1435,8 @@ checkOverlayEnablementMacro.serial(
  },
 );

-checkOverlayEnablementMacro.serial(
+test.serial(
+  checkOverlayEnablementMacro,
  "No overlay analysis on PR when cached status indicates previous failure",
  {
    languages: [BuiltInLanguage.javascript],
@@ -1434,7 +1453,8 @@ checkOverlayEnablementMacro.serial(
  },
 );

-checkOverlayEnablementMacro.serial(
+test.serial(
+  checkOverlayEnablementMacro,
  "No overlay-base database on default branch when code-scanning feature enabled with disable-default-queries",
  {
    languages: [BuiltInLanguage.javascript],
@@ -1444,7 +1464,7 @@ checkOverlayEnablementMacro.serial(
    ],
    codeScanningConfig: {
      "disable-default-queries": true,
-    },
+    } as UserConfig,
    isDefaultBranch: true,
  },
  {
@@ -1452,7 +1472,8 @@ checkOverlayEnablementMacro.serial(
  },
 );

-checkOverlayEnablementMacro.serial(
+test.serial(
+  checkOverlayEnablementMacro,
  "No overlay-base database on default branch when code-scanning feature enabled with packs",
  {
    languages: [BuiltInLanguage.javascript],
@@ -1462,7 +1483,7 @@ checkOverlayEnablementMacro.serial(
    ],
    codeScanningConfig: {
      packs: ["some-custom-pack@1.0.0"],
-    },
+    } as UserConfig,
    isDefaultBranch: true,
  },
  {
@@ -1470,7 +1491,8 @@ checkOverlayEnablementMacro.serial(
  },
 );

-checkOverlayEnablementMacro.serial(
+test.serial(
+  checkOverlayEnablementMacro,
  "No overlay-base database on default branch when code-scanning feature enabled with queries",
  {
    languages: [BuiltInLanguage.javascript],
@@ -1480,7 +1502,7 @@ checkOverlayEnablementMacro.serial(
    ],
    codeScanningConfig: {
      queries: [{ uses: "some-query.ql" }],
-    },
+    } as UserConfig,
    isDefaultBranch: true,
  },
  {
@@ -1488,7 +1510,8 @@ checkOverlayEnablementMacro.serial(
  },
 );

-checkOverlayEnablementMacro.serial(
+test.serial(
+  checkOverlayEnablementMacro,
  "No overlay-base database on default branch when code-scanning feature enabled with query-filters",
  {
    languages: [BuiltInLanguage.javascript],
@@ -1498,7 +1521,7 @@ checkOverlayEnablementMacro.serial(
    ],
    codeScanningConfig: {
      "query-filters": [{ include: { "security-severity": "high" } }],
-    },
+    } as UserConfig,
    isDefaultBranch: true,
  },
  {
@@ -1506,7 +1529,8 @@ checkOverlayEnablementMacro.serial(
  },
 );

-checkOverlayEnablementMacro.serial(
+test.serial(
+  checkOverlayEnablementMacro,
  "No overlay-base database on default branch when only language-specific feature enabled",
  {
    languages: [BuiltInLanguage.javascript],
@@ -1518,7 +1542,8 @@ checkOverlayEnablementMacro.serial(
  },
 );

-checkOverlayEnablementMacro.serial(
+test.serial(
+  checkOverlayEnablementMacro,
  "No overlay-base database on default branch when only code-scanning feature enabled",
  {
    languages: [BuiltInLanguage.javascript],
@@ -1530,7 +1555,8 @@ checkOverlayEnablementMacro.serial(
  },
 );

-checkOverlayEnablementMacro.serial(
+test.serial(
+  checkOverlayEnablementMacro,
  "No overlay-base database on default branch when language-specific feature disabled",
  {
    languages: [BuiltInLanguage.javascript],
@@ -1542,7 +1568,8 @@ checkOverlayEnablementMacro.serial(
  },
 );

-checkOverlayEnablementMacro.serial(
+test.serial(
+  checkOverlayEnablementMacro,
  "Overlay analysis on PR when feature enabled",
  {
    languages: [BuiltInLanguage.javascript],
@@ -1555,14 +1582,15 @@ checkOverlayEnablementMacro.serial(
  },
 );

-checkOverlayEnablementMacro.serial(
+test.serial(
+  checkOverlayEnablementMacro,
  "Overlay analysis on PR when feature enabled with custom analysis",
  {
    languages: [BuiltInLanguage.javascript],
    features: [Feature.OverlayAnalysis, Feature.OverlayAnalysisJavascript],
    codeScanningConfig: {
      packs: ["some-custom-pack@1.0.0"],
-    },
+    } as UserConfig,
    isPullRequest: true,
  },
  {
@@ -1571,7 +1599,8 @@ checkOverlayEnablementMacro.serial(
  },
 );

-checkOverlayEnablementMacro.serial(
+test.serial(
+  checkOverlayEnablementMacro,
  "Overlay analysis on PR when code-scanning feature enabled",
  {
    languages: [BuiltInLanguage.javascript],
@@ -1587,7 +1616,8 @@ checkOverlayEnablementMacro.serial(
  },
 );

-checkOverlayEnablementMacro.serial(
+test.serial(
+  checkOverlayEnablementMacro,
  "No overlay analysis on PR if runner disk space is too low",
  {
    languages: [BuiltInLanguage.javascript],
@@ -1606,7 +1636,8 @@ checkOverlayEnablementMacro.serial(
  },
 );

-checkOverlayEnablementMacro.serial(
+test.serial(
+  checkOverlayEnablementMacro,
  "Overlay analysis on PR if runner disk space is too low and skip resource checks flag is enabled",
  {
    languages: [BuiltInLanguage.javascript],
@@ -1627,7 +1658,8 @@ checkOverlayEnablementMacro.serial(
  },
 );

-checkOverlayEnablementMacro.serial(
+test.serial(
+  checkOverlayEnablementMacro,
  "No overlay analysis on PR if we can't determine runner disk space",
  {
    languages: [BuiltInLanguage.javascript],
@@ -1643,7 +1675,8 @@ checkOverlayEnablementMacro.serial(
  },
 );

-checkOverlayEnablementMacro.serial(
+test.serial(
+  checkOverlayEnablementMacro,
  "No overlay analysis on PR if memory flag is too low",
  {
    languages: [BuiltInLanguage.javascript],
@@ -1659,7 +1692,8 @@ checkOverlayEnablementMacro.serial(
  },
 );

-checkOverlayEnablementMacro.serial(
+test.serial(
+  checkOverlayEnablementMacro,
  "Overlay analysis on PR if memory flag is too low but CodeQL >= 2.24.3",
  {
    languages: [BuiltInLanguage.javascript],
@@ -1677,7 +1711,8 @@ checkOverlayEnablementMacro.serial(
  },
 );

-checkOverlayEnablementMacro.serial(
+test.serial(
+  checkOverlayEnablementMacro,
  "Overlay analysis on PR if memory flag is too low and skip resource checks flag is enabled",
  {
    languages: [BuiltInLanguage.javascript],
@@ -1695,7 +1730,8 @@ checkOverlayEnablementMacro.serial(
  },
 );

-checkOverlayEnablementMacro.serial(
+test.serial(
+  checkOverlayEnablementMacro,
  "No overlay analysis on PR when code-scanning feature enabled with disable-default-queries",
  {
    languages: [BuiltInLanguage.javascript],
@@ -1705,7 +1741,7 @@ checkOverlayEnablementMacro.serial(
    ],
    codeScanningConfig: {
      "disable-default-queries": true,
-    },
+    } as UserConfig,
    isPullRequest: true,
  },
  {
@@ -1713,7 +1749,8 @@ checkOverlayEnablementMacro.serial(
  },
 );

-checkOverlayEnablementMacro.serial(
+test.serial(
+  checkOverlayEnablementMacro,
  "No overlay analysis on PR when code-scanning feature enabled with packs",
  {
    languages: [BuiltInLanguage.javascript],
@@ -1723,7 +1760,7 @@ checkOverlayEnablementMacro.serial(
    ],
    codeScanningConfig: {
      packs: ["some-custom-pack@1.0.0"],
-    },
+    } as UserConfig,
    isPullRequest: true,
  },
  {
@@ -1731,7 +1768,8 @@ checkOverlayEnablementMacro.serial(
  },
 );

-checkOverlayEnablementMacro.serial(
+test.serial(
+  checkOverlayEnablementMacro,
  "No overlay analysis on PR when code-scanning feature enabled with queries",
  {
    languages: [BuiltInLanguage.javascript],
@@ -1741,7 +1779,7 @@ checkOverlayEnablementMacro.serial(
    ],
    codeScanningConfig: {
      queries: [{ uses: "some-query.ql" }],
-    },
+    } as UserConfig,
    isPullRequest: true,
  },
  {
@@ -1749,7 +1787,8 @@ checkOverlayEnablementMacro.serial(
  },
 );

-checkOverlayEnablementMacro.serial(
+test.serial(
+  checkOverlayEnablementMacro,
  "No overlay analysis on PR when code-scanning feature enabled with query-filters",
  {
    languages: [BuiltInLanguage.javascript],
@@ -1759,7 +1798,7 @@ checkOverlayEnablementMacro.serial(
    ],
    codeScanningConfig: {
      "query-filters": [{ include: { "security-severity": "high" } }],
-    },
+    } as UserConfig,
    isPullRequest: true,
  },
  {
@@ -1767,7 +1806,8 @@ checkOverlayEnablementMacro.serial(
  },
 );

-checkOverlayEnablementMacro.serial(
+test.serial(
+  checkOverlayEnablementMacro,
  "No overlay analysis on PR when only language-specific feature enabled",
  {
    languages: [BuiltInLanguage.javascript],
@@ -1779,7 +1819,8 @@ checkOverlayEnablementMacro.serial(
  },
 );

-checkOverlayEnablementMacro.serial(
+test.serial(
+  checkOverlayEnablementMacro,
  "No overlay analysis on PR when only code-scanning feature enabled",
  {
    languages: [BuiltInLanguage.javascript],
@@ -1791,7 +1832,8 @@ checkOverlayEnablementMacro.serial(
  },
 );

-checkOverlayEnablementMacro.serial(
+test.serial(
+  checkOverlayEnablementMacro,
  "No overlay analysis on PR when language-specific feature disabled",
  {
    languages: [BuiltInLanguage.javascript],
@@ -1803,7 +1845,8 @@ checkOverlayEnablementMacro.serial(
  },
 );

-checkOverlayEnablementMacro.serial(
+test.serial(
+  checkOverlayEnablementMacro,
  "Overlay PR analysis by env",
  {
    overlayDatabaseEnvVar: "overlay",
@@ -1814,7 +1857,8 @@ checkOverlayEnablementMacro.serial(
  },
 );

-checkOverlayEnablementMacro.serial(
+test.serial(
+  checkOverlayEnablementMacro,
  "Overlay PR analysis by env on a runner with low disk space",
  {
    overlayDatabaseEnvVar: "overlay",
@@ -1826,7 +1870,8 @@ checkOverlayEnablementMacro.serial(
  },
 );

-checkOverlayEnablementMacro.serial(
+test.serial(
+  checkOverlayEnablementMacro,
  "Overlay PR analysis by feature flag",
  {
    languages: [BuiltInLanguage.javascript],
@@ -1839,7 +1884,8 @@ checkOverlayEnablementMacro.serial(
  },
 );

-checkOverlayEnablementMacro.serial(
+test.serial(
+  checkOverlayEnablementMacro,
  "Fallback due to autobuild with traced language",
  {
    overlayDatabaseEnvVar: "overlay",
@@ -1851,7 +1897,8 @@ checkOverlayEnablementMacro.serial(
  },
 );

-checkOverlayEnablementMacro.serial(
+test.serial(
+  checkOverlayEnablementMacro,
  "Fallback due to no build mode with traced language",
  {
    overlayDatabaseEnvVar: "overlay",
@@ -1863,7 +1910,8 @@ checkOverlayEnablementMacro.serial(
  },
 );

-checkOverlayEnablementMacro.serial(
+test.serial(
+  checkOverlayEnablementMacro,
  "Fallback due to old CodeQL version",
  {
    overlayDatabaseEnvVar: "overlay",
@@ -1874,7 +1922,8 @@ checkOverlayEnablementMacro.serial(
  },
 );

-checkOverlayEnablementMacro.serial(
+test.serial(
+  checkOverlayEnablementMacro,
  "Fallback due to missing git root",
  {
    overlayDatabaseEnvVar: "overlay",
@@ -1885,7 +1934,8 @@ checkOverlayEnablementMacro.serial(
  },
 );

-checkOverlayEnablementMacro.serial(
+test.serial(
+  checkOverlayEnablementMacro,
  "Fallback due to old git version with submodules",
  {
    overlayDatabaseEnvVar: "overlay",
@@ -1897,7 +1947,8 @@ checkOverlayEnablementMacro.serial(
  },
 );

-checkOverlayEnablementMacro.serial(
+test.serial(
+  checkOverlayEnablementMacro,
  "Fallback when git version cannot be determined and repo has submodules",
  {
    overlayDatabaseEnvVar: "overlay",
@@ -1909,7 +1960,8 @@ checkOverlayEnablementMacro.serial(
  },
 );

-checkOverlayEnablementMacro.serial(
+test.serial(
+  checkOverlayEnablementMacro,
  "Overlay enabled when git version cannot be determined and repo has no submodules",
  {
    overlayDatabaseEnvVar: "overlay",
@@ -1922,7 +1974,8 @@ checkOverlayEnablementMacro.serial(
  },
 );

-checkOverlayEnablementMacro.serial(
+test.serial(
+  checkOverlayEnablementMacro,
  "No overlay when disabled via repository property",
  {
    languages: [BuiltInLanguage.javascript],
@@ -1937,7 +1990,8 @@ checkOverlayEnablementMacro.serial(
  },
 );

-checkOverlayEnablementMacro.serial(
+test.serial(
+  checkOverlayEnablementMacro,
  "Overlay not disabled when repository property is false",
  {
    languages: [BuiltInLanguage.javascript],
@@ -1953,7 +2007,8 @@ checkOverlayEnablementMacro.serial(
  },
 );

-checkOverlayEnablementMacro.serial(
+test.serial(
+  checkOverlayEnablementMacro,
  "Environment variable override takes precedence over repository property",
  {
    overlayDatabaseEnvVar: "overlay",
@@ -1969,7 +2024,8 @@ checkOverlayEnablementMacro.serial(

 // Exercise language-specific overlay analysis features code paths
 for (const language in BuiltInLanguage) {
-  checkOverlayEnablementMacro.serial(
+  test.serial(
+    checkOverlayEnablementMacro,
    `Check default overlay analysis feature for ${language}`,
    {
      languages: [language],
@@ -1986,7 +2042,8 @@ for (const language in BuiltInLanguage) {
 // overlay analysis enabled, even when the base overlay feature flag is on.
 // Using swift here as it doesn't currently have overlay support — update this if
 // swift gains overlay support.
-checkOverlayEnablementMacro.serial(
+test.serial(
+  checkOverlayEnablementMacro,
  "No overlay analysis for language without per-language overlay feature flag",
  {
    languages: [BuiltInLanguage.swift],
@@ -407,7 +407,6 @@ export async function getLanguages(
  return languages;
 }

-/** Parses the `languages` input into a list of languages without checking if they are supported by CodeQL. */
 export function getRawLanguagesNoAutodetect(
  languagesInput: string | undefined,
 ): string[] {
@@ -7,7 +7,6 @@ import {
  checkExpectedLogMessages,
  getRecordingLogger,
  LoggedMessage,
-  makeMacro,
 } from "../testing-utils";
 import { ConfigurationError, prettyPrintPack } from "../util";

@@ -16,7 +15,7 @@ import * as dbConfig from "./db-config";
 /**
 * Test macro for ensuring the packs block is valid
 */
-const parsePacksMacro = makeMacro({
+const parsePacksMacro = test.macro({
  exec: (
    t: ExecutionContext<unknown>,
    packsInput: string,
@@ -34,7 +33,7 @@ const parsePacksMacro = makeMacro({
 /**
 * Test macro for testing when the packs block is invalid
 */
-const parsePacksErrorMacro = makeMacro({
+const parsePacksErrorMacro = test.macro({
  exec: (
    t: ExecutionContext<unknown>,
    packsInput: string,
@@ -50,32 +49,34 @@ const parsePacksErrorMacro = makeMacro({
 /**
 * Test macro for testing when the packs block is invalid
 */
-const invalidPackNameMacro = makeMacro({
-  exec: (t: ExecutionContext, arg: string) =>
-    parsePacksErrorMacro.fn(
+const invalidPackNameMacro = test.macro({
+  exec: (t: ExecutionContext, name: string) =>
+    parsePacksErrorMacro.exec(
      t,
-      arg,
+      name,
      [BuiltInLanguage.cpp],
-      new RegExp(`^"${arg}" is not a valid pack$`),
+      new RegExp(`^"${name}" is not a valid pack$`),
    ),
  title: (_providedTitle: string | undefined, arg: string | undefined) =>
    `Invalid pack string: ${arg}`,
 });

-parsePacksMacro("no packs", "", [], undefined);
-parsePacksMacro("two packs", "a/b,c/d@1.2.3", [BuiltInLanguage.cpp], {
+test("no packs", parsePacksMacro, "", [], undefined);
+test("two packs", parsePacksMacro, "a/b,c/d@1.2.3", [BuiltInLanguage.cpp], {
  [BuiltInLanguage.cpp]: ["a/b", "c/d@1.2.3"],
 });
-parsePacksMacro(
+test(
  "two packs with spaces",
+  parsePacksMacro,
  " a/b , c/d@1.2.3 ",
  [BuiltInLanguage.cpp],
  {
    [BuiltInLanguage.cpp]: ["a/b", "c/d@1.2.3"],
  },
 );
-parsePacksErrorMacro(
+test(
  "two packs with language",
+  parsePacksErrorMacro,
  "a/b,c/d@1.2.3",
  [BuiltInLanguage.cpp, BuiltInLanguage.java],
  new RegExp(
@@ -84,8 +85,9 @@ parsePacksErrorMacro(
  ),
 );

-parsePacksMacro(
+test(
  "packs with other valid names",
+  parsePacksMacro,
  [
    // ranges are ok
    "c/d@1.0",
@@ -121,23 +123,23 @@ parsePacksMacro(
  },
 );

-invalidPackNameMacro.test("c"); // all packs require at least a scope and a name
-invalidPackNameMacro.test("c-/d");
-invalidPackNameMacro.test("-c/d");
-invalidPackNameMacro.test("c/d_d");
-invalidPackNameMacro.test("c/d@@");
-invalidPackNameMacro.test("c/d@1.0.0:");
-invalidPackNameMacro.test("c/d:");
-invalidPackNameMacro.test("c/d:/a");
-invalidPackNameMacro.test("@1.0.0:a");
-invalidPackNameMacro.test("c/d@../a");
-invalidPackNameMacro.test("c/d@b/../a");
-invalidPackNameMacro.test("c/d:z@1");
+test(invalidPackNameMacro, "c"); // all packs require at least a scope and a name
+test(invalidPackNameMacro, "c-/d");
+test(invalidPackNameMacro, "-c/d");
+test(invalidPackNameMacro, "c/d_d");
+test(invalidPackNameMacro, "c/d@@");
+test(invalidPackNameMacro, "c/d@1.0.0:");
+test(invalidPackNameMacro, "c/d:");
+test(invalidPackNameMacro, "c/d:/a");
+test(invalidPackNameMacro, "@1.0.0:a");
+test(invalidPackNameMacro, "c/d@../a");
+test(invalidPackNameMacro, "c/d@b/../a");
+test(invalidPackNameMacro, "c/d:z@1");

 /**
 * Test macro for pretty printing pack specs
 */
-const packSpecPrettyPrintingMacro = makeMacro({
+const packSpecPrettyPrintingMacro = test.macro({
  exec: (t: ExecutionContext, packStr: string, packObj: dbConfig.Pack) => {
    const parsed = dbConfig.parsePacksSpecification(packStr);
    t.deepEqual(parsed, packObj, "parsed pack spec is correct");
@@ -161,35 +163,36 @@ const packSpecPrettyPrintingMacro = makeMacro({
  ) => `Prettyprint pack spec: '${packStr}'`,
 });

-packSpecPrettyPrintingMacro.test("a/b", {
+test(packSpecPrettyPrintingMacro, "a/b", {
  name: "a/b",
  version: undefined,
  path: undefined,
 });
-packSpecPrettyPrintingMacro.test("a/b@~1.2.3", {
+test(packSpecPrettyPrintingMacro, "a/b@~1.2.3", {
  name: "a/b",
  version: "~1.2.3",
  path: undefined,
 });
-packSpecPrettyPrintingMacro.test("a/b@~1.2.3:abc/def", {
+test(packSpecPrettyPrintingMacro, "a/b@~1.2.3:abc/def", {
  name: "a/b",
  version: "~1.2.3",
  path: "abc/def",
 });
-packSpecPrettyPrintingMacro.test("a/b:abc/def", {
+test(packSpecPrettyPrintingMacro, "a/b:abc/def", {
  name: "a/b",
  version: undefined,
  path: "abc/def",
 });
-packSpecPrettyPrintingMacro.test("    a/b:abc/def    ", {
+test(packSpecPrettyPrintingMacro, "    a/b:abc/def    ", {
  name: "a/b",
  version: undefined,
  path: "abc/def",
 });

-const calculateAugmentationMacro = makeMacro({
+const calculateAugmentationMacro = test.macro({
  exec: async (
    t: ExecutionContext,
+    _title: string,
    rawPacksInput: string | undefined,
    rawQueriesInput: string | undefined,
    languages: Language[],
@@ -204,10 +207,11 @@ const calculateAugmentationMacro = makeMacro({
    );
    t.deepEqual(actualAugmentationProperties, expectedAugmentationProperties);
  },
-  title: (title) => `Calculate Augmentation: ${title}`,
+  title: (_, title) => `Calculate Augmentation: ${title}`,
 });

-calculateAugmentationMacro(
+test(
+  calculateAugmentationMacro,
  "All empty",
  undefined,
  undefined,
@@ -218,7 +222,8 @@ calculateAugmentationMacro(
  },
 );

-calculateAugmentationMacro(
+test(
+  calculateAugmentationMacro,
  "With queries",
  undefined,
  " a, b , c, d",
@@ -230,7 +235,8 @@ calculateAugmentationMacro(
  },
 );

-calculateAugmentationMacro(
+test(
+  calculateAugmentationMacro,
  "With queries combining",
  undefined,
  "   +   a, b , c, d ",
@@ -243,7 +249,8 @@ calculateAugmentationMacro(
  },
 );

-calculateAugmentationMacro(
+test(
+  calculateAugmentationMacro,
  "With packs",
  "   codeql/a , codeql/b   , codeql/c  , codeql/d  ",
  undefined,
@@ -255,7 +262,8 @@ calculateAugmentationMacro(
  },
 );

-calculateAugmentationMacro(
+test(
+  calculateAugmentationMacro,
  "With packs combining",
  "   +   codeql/a, codeql/b, codeql/c, codeql/d",
  undefined,
@@ -268,7 +276,8 @@ calculateAugmentationMacro(
  },
 );

-calculateAugmentationMacro(
+test(
+  calculateAugmentationMacro,
  "With repo property queries",
  undefined,
  undefined,
@@ -285,7 +294,8 @@ calculateAugmentationMacro(
  },
 );

-calculateAugmentationMacro(
+test(
+  calculateAugmentationMacro,
  "With repo property queries combining",
  undefined,
  undefined,
@@ -302,9 +312,10 @@ calculateAugmentationMacro(
  },
 );

-const calculateAugmentationErrorMacro = makeMacro({
+const calculateAugmentationErrorMacro = test.macro({
  exec: async (
    t: ExecutionContext,
+    _title: string,
    rawPacksInput: string | undefined,
    rawQueriesInput: string | undefined,
    languages: Language[],
@@ -322,10 +333,11 @@ const calculateAugmentationErrorMacro = makeMacro({
      { message: expectedError },
    );
  },
-  title: (title) => `Calculate Augmentation Error: ${title}`,
+  title: (_, title) => `Calculate Augmentation Error: ${title}`,
 });

-calculateAugmentationErrorMacro(
+test(
+  calculateAugmentationErrorMacro,
  "Plus (+) with nothing else (queries)",
  undefined,
  "   +   ",
@@ -334,7 +346,8 @@ calculateAugmentationErrorMacro(
  /The workflow property "queries" is invalid/,
 );

-calculateAugmentationErrorMacro(
+test(
+  calculateAugmentationErrorMacro,
  "Plus (+) with nothing else (packs)",
  "   +   ",
  undefined,
@@ -343,7 +356,8 @@ calculateAugmentationErrorMacro(
  /The workflow property "packs" is invalid/,
 );

-calculateAugmentationErrorMacro(
+test(
+  calculateAugmentationErrorMacro,
  "Plus (+) with nothing else (repo property queries)",
  undefined,
  undefined,
@@ -354,7 +368,8 @@ calculateAugmentationErrorMacro(
  /The repository property "github-codeql-extra-queries" is invalid/,
 );

-calculateAugmentationErrorMacro(
+test(
+  calculateAugmentationErrorMacro,
  "Packs input with multiple languages",
  "   +  a/b, c/d ",
  undefined,
@@ -363,7 +378,8 @@ calculateAugmentationErrorMacro(
  /Cannot specify a 'packs' input in a multi-language analysis/,
 );

-calculateAugmentationErrorMacro(
+test(
+  calculateAugmentationErrorMacro,
  "Packs input with no languages",
  "   +  a/b, c/d ",
  undefined,
@@ -372,7 +388,8 @@ calculateAugmentationErrorMacro(
  /No languages specified/,
 );

-calculateAugmentationErrorMacro(
+test(
+  calculateAugmentationErrorMacro,
  "Invalid packs",
  " a-pack-without-a-scope ",
  undefined,
@@ -263,7 +263,7 @@ export function getArtifactSuffix(matrix: string | undefined): string {
    try {
      const matrixObject = JSON.parse(matrix);
      if (json.isObject(matrixObject)) {
-        for (const matrixKey of Object.keys(matrixObject).sort())
+        for (const matrixKey of Object.keys(matrixObject as object).sort())
          suffix += `-${matrixObject[matrixKey]}`;
      } else {
        core.warning("User-specified `matrix` input is not an object.");
@@ -1,6 +1,6 @@
 {
-  "bundleVersion": "codeql-bundle-v2.25.4",
-  "cliVersion": "2.25.4",
-  "priorBundleVersion": "codeql-bundle-v2.25.3",
-  "priorCliVersion": "2.25.3"
+  "bundleVersion": "codeql-bundle-v2.25.2",
+  "cliVersion": "2.25.2",
+  "priorBundleVersion": "codeql-bundle-v2.25.1",
+  "priorCliVersion": "2.25.1"
 }
@@ -16,7 +16,6 @@ import {
  mockCodeQLVersion,
  mockFeatureFlagApiEndpoint,
  setupActionsVars,
-  makeMacro,
 } from "./testing-utils";
 import { GitHubVariant, withTmpDir } from "./util";
 import type { GitHubVersion } from "./util";
@@ -43,9 +42,10 @@ const defaultTestCase: DiffInformedAnalysisTestCase = {
  codeQLVersion: "2.21.0",
 };

-const testShouldPerformDiffInformedAnalysis = makeMacro({
+const testShouldPerformDiffInformedAnalysis = test.macro({
  exec: async (
    t: ExecutionContext,
+    _title: string,
    partialTestCase: Partial<DiffInformedAnalysisTestCase>,
    expectedResult: boolean,
  ) => {
@@ -94,16 +94,18 @@ const testShouldPerformDiffInformedAnalysis = makeMacro({
      getPullRequestBranchesStub.restore();
    });
  },
-  title: (title) => `shouldPerformDiffInformedAnalysis: ${title}`,
+  title: (_, title) => `shouldPerformDiffInformedAnalysis: ${title}`,
 });

-testShouldPerformDiffInformedAnalysis.serial(
+test.serial(
+  testShouldPerformDiffInformedAnalysis,
  "returns true in the default test case",
  {},
  true,
 );

-testShouldPerformDiffInformedAnalysis.serial(
+test.serial(
+  testShouldPerformDiffInformedAnalysis,
  "returns false when feature flag is disabled from the API",
  {
    featureEnabled: false,
@@ -111,7 +113,8 @@ testShouldPerformDiffInformedAnalysis.serial(
  false,
 );

-testShouldPerformDiffInformedAnalysis.serial(
+test.serial(
+  testShouldPerformDiffInformedAnalysis,
  "returns false when CODEQL_ACTION_DIFF_INFORMED_QUERIES is set to false",
  {
    featureEnabled: true,
@@ -120,7 +123,8 @@ testShouldPerformDiffInformedAnalysis.serial(
  false,
 );

-testShouldPerformDiffInformedAnalysis.serial(
+test.serial(
+  testShouldPerformDiffInformedAnalysis,
  "returns true when CODEQL_ACTION_DIFF_INFORMED_QUERIES is set to true",
  {
    featureEnabled: false,
@@ -129,7 +133,8 @@ testShouldPerformDiffInformedAnalysis.serial(
  true,
 );

-testShouldPerformDiffInformedAnalysis.serial(
+test.serial(
+  testShouldPerformDiffInformedAnalysis,
  "returns false for CodeQL version 2.20.0",
  {
    codeQLVersion: "2.20.0",
@@ -137,7 +142,8 @@ testShouldPerformDiffInformedAnalysis.serial(
  false,
 );

-testShouldPerformDiffInformedAnalysis.serial(
+test.serial(
+  testShouldPerformDiffInformedAnalysis,
  "returns false for invalid GHES version",
  {
    gitHubVersion: {
@@ -148,7 +154,8 @@ testShouldPerformDiffInformedAnalysis.serial(
  false,
 );

-testShouldPerformDiffInformedAnalysis.serial(
+test.serial(
+  testShouldPerformDiffInformedAnalysis,
  "returns false for GHES version 3.18.5",
  {
    gitHubVersion: {
@@ -159,7 +166,8 @@ testShouldPerformDiffInformedAnalysis.serial(
  false,
 );

-testShouldPerformDiffInformedAnalysis.serial(
+test.serial(
+  testShouldPerformDiffInformedAnalysis,
  "returns true for GHES version 3.19.0",
  {
    gitHubVersion: {
@@ -170,7 +178,8 @@ testShouldPerformDiffInformedAnalysis.serial(
  true,
 );

-testShouldPerformDiffInformedAnalysis.serial(
+test.serial(
+  testShouldPerformDiffInformedAnalysis,
  "returns false when not a pull request",
  {
    pullRequestBranches: undefined,
@@ -451,16 +451,12 @@ test.serial(`selects CLI from defaults.json on GHES`, async (t) => {
  await withTmpDir(async (tmpDir) => {
    const features = setUpFeatureFlagTests(tmpDir);

-    const defaultCliVersion = await features.getEnabledDefaultCliVersions(
+    const defaultCliVersion = await features.getDefaultCliVersion(
      GitHubVariant.GHES,
    );
    t.deepEqual(defaultCliVersion, {
-      enabledVersions: [
-        {
-          cliVersion: defaults.cliVersion,
-          tagName: defaults.bundleVersion,
-        },
-      ],
+      cliVersion: defaults.cliVersion,
+      tagName: defaults.bundleVersion,
    });
  });
 });
@@ -486,13 +482,10 @@ for (const variant of [GitHubVariant.DOTCOM, GitHubVariant.GHEC_DR]) {
          false;
        mockFeatureFlagApiEndpoint(200, expectedFeatureEnablement);

-        const defaultCliVersion =
-          await features.getEnabledDefaultCliVersions(variant);
+        const defaultCliVersion = await features.getDefaultCliVersion(variant);
        t.deepEqual(defaultCliVersion, {
-          enabledVersions: [
-            { cliVersion: "2.20.1", tagName: "codeql-bundle-v2.20.1" },
-            { cliVersion: "2.20.0", tagName: "codeql-bundle-v2.20.0" },
-          ],
+          cliVersion: "2.20.1",
+          tagName: "codeql-bundle-v2.20.1",
          toolsFeatureFlagsValid: true,
        });
      });
@@ -507,15 +500,10 @@ for (const variant of [GitHubVariant.DOTCOM, GitHubVariant.GHEC_DR]) {
        const expectedFeatureEnablement = initializeFeatures(true);
        mockFeatureFlagApiEndpoint(200, expectedFeatureEnablement);

-        const defaultCliVersion =
-          await features.getEnabledDefaultCliVersions(variant);
+        const defaultCliVersion = await features.getDefaultCliVersion(variant);
        t.deepEqual(defaultCliVersion, {
-          enabledVersions: [
-            {
-              cliVersion: defaults.cliVersion,
-              tagName: defaults.bundleVersion,
-            },
-          ],
+          cliVersion: defaults.cliVersion,
+          tagName: defaults.bundleVersion,
          toolsFeatureFlagsValid: false,
        });
      });
@@ -541,13 +529,10 @@ for (const variant of [GitHubVariant.DOTCOM, GitHubVariant.GHEC_DR]) {
        ] = true;
        mockFeatureFlagApiEndpoint(200, expectedFeatureEnablement);

-        const defaultCliVersion =
-          await features.getEnabledDefaultCliVersions(variant);
+        const defaultCliVersion = await features.getDefaultCliVersion(variant);
        t.deepEqual(defaultCliVersion, {
-          enabledVersions: [
-            { cliVersion: "2.20.1", tagName: "codeql-bundle-v2.20.1" },
-            { cliVersion: "2.20.0", tagName: "codeql-bundle-v2.20.0" },
-          ],
+          cliVersion: "2.20.1",
+          tagName: "codeql-bundle-v2.20.1",
          toolsFeatureFlagsValid: true,
        });

@@ -29,32 +29,9 @@ const DEFAULT_VERSION_FEATURE_FLAG_SUFFIX = "_enabled";
 */
 export const CODEQL_VERSION_ZSTD_BUNDLE = "2.19.0";

-const LINKED_CODEQL_VERSION: CodeQLVersionInfo = {
-  cliVersion: defaults.cliVersion,
-  tagName: defaults.bundleVersion,
-};
-
-export interface CodeQLVersionInfo {
-  /** The version number of the CodeQL CLI, e.g. `2.19.0`. */
-  cliVersion: string;
-  /**
-   * The tag name of the CodeQL Bundle associated with this version, e.g. `codeql-bundle-v2.19.0`.
-   */
-  tagName: string;
-}
-
 export interface CodeQLDefaultVersionInfo {
-  /**
-   * CodeQL CLI versions that are enabled as defaults, sorted from highest to lowest.
-   *
-   * Guaranteed to be non-empty. When feature flags are unavailable, this falls back to a single
-   * entry containing the version pinned in `defaults.json`.
-   */
-  enabledVersions: CodeQLVersionInfo[];
-  /**
-   * If accessed, whether the tools feature flags are valid, i.e. contain at least one enabled
-   * version.
-   */
+  cliVersion: string;
+  tagName: string;
  toolsFeatureFlagsValid?: boolean;
 }

@@ -95,19 +72,6 @@ export enum Feature {
  OverlayAnalysisGo = "overlay_analysis_go",
  OverlayAnalysisJava = "overlay_analysis_java",
  OverlayAnalysisJavascript = "overlay_analysis_javascript",
-  /**
-   * When set, chooses the default CodeQL CLI version as the highest version that is both enabled by
-   * feature flags and present as an overlay-base database in the Actions cache for the configured
-   * languages. Falls back to the highest feature flagged version if no intersecting overlay-base
-   * database exists in the cache.
-   */
-  OverlayAnalysisMatchCodeqlVersion = "overlay_analysis_match_codeql_version",
-  /**
-   * Like `OverlayAnalysisMatchCodeqlVersion`, but only logs a diagnostic with the version that
-   * would have been chosen instead of actually changing the default CodeQL CLI version.
-   * `OverlayAnalysisMatchCodeqlVersion` overrides this flag.
-   */
-  OverlayAnalysisMatchCodeqlVersionDryRun = "overlay_analysis_match_codeql_version_dry_run",
  OverlayAnalysisPython = "overlay_analysis_python",
  /**
   * Controls whether lower disk space requirements are used for overlay hardware checks.
@@ -313,16 +277,6 @@ export const featureConfig = {
    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_DISABLE_TRAP_CACHING",
    minimumVersion: undefined,
  },
-  [Feature.OverlayAnalysisMatchCodeqlVersion]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_MATCH_CODEQL_VERSION",
-    minimumVersion: undefined,
-  },
-  [Feature.OverlayAnalysisMatchCodeqlVersionDryRun]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_MATCH_CODEQL_VERSION_DRY_RUN",
-    minimumVersion: undefined,
-  },
  [Feature.OverlayAnalysisResourceChecksV2]: {
    defaultValue: false,
    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_RESOURCE_CHECKS_V2",
@@ -392,12 +346,8 @@ export type FeatureWithoutCLI = {
 }[keyof typeof featureConfig];

 export interface FeatureEnablement {
-  /**
-   * Returns the set of default CodeQL CLI versions to consider, sorted from
-   * highest to lowest. The first entry is the version that the CodeQL Action
-   * will use by default. The list is always non-empty.
-   */
-  getEnabledDefaultCliVersions(
+  /** Gets the default version of the CodeQL tools. */
+  getDefaultCliVersion(
    variant: util.GitHubVariant,
  ): Promise<CodeQLDefaultVersionInfo>;
  getValue(feature: FeatureWithoutCLI): Promise<boolean>;
@@ -421,11 +371,12 @@ export const FEATURE_FLAGS_FILE_NAME = "cached-feature-flags.json";
 class OfflineFeatures implements FeatureEnablement {
  constructor(protected readonly logger: Logger) {}

-  async getEnabledDefaultCliVersions(
+  async getDefaultCliVersion(
    _variant: util.GitHubVariant,
  ): Promise<CodeQLDefaultVersionInfo> {
    return {
-      enabledVersions: [LINKED_CODEQL_VERSION],
+      cliVersion: defaults.cliVersion,
+      tagName: defaults.bundleVersion,
    };
  }

@@ -435,7 +386,7 @@ class OfflineFeatures implements FeatureEnablement {
  getFeatureConfig(feature: Feature): FeatureConfig {
    // Narrow the type to FeatureConfig to avoid type errors. To avoid unsafe use of `as`, we
    // check that the required properties exist using `satisfies`.
-    return featureConfig[feature] satisfies FeatureConfig;
+    return featureConfig[feature] satisfies FeatureConfig as FeatureConfig;
  }

  /**
@@ -567,13 +518,13 @@ class Features extends OfflineFeatures {
    );
  }

-  async getEnabledDefaultCliVersions(
+  async getDefaultCliVersion(
    variant: util.GitHubVariant,
  ): Promise<CodeQLDefaultVersionInfo> {
    if (supportsFeatureFlags(variant)) {
-      return await this.gitHubFeatureFlags.getEnabledDefaultCliVersionsFromFlags();
+      return await this.gitHubFeatureFlags.getDefaultCliVersionFromFlags();
    }
-    return super.getEnabledDefaultCliVersions(variant);
+    return super.getDefaultCliVersion(variant);
  }

  /**
@@ -649,22 +600,16 @@ class GitHubFeatureFlags {
    return version;
  }

-  /**
-   * Returns CLI versions enabled by `default_codeql_version_*_enabled` feature
-   * flags, sorted from highest to lowest. Falls back to the version pinned in
-   * `defaults.json` if no such flags are enabled.
-   */
-  async getEnabledDefaultCliVersionsFromFlags(): Promise<CodeQLDefaultVersionInfo> {
+  async getDefaultCliVersionFromFlags(): Promise<CodeQLDefaultVersionInfo> {
    const response = await this.getAllFeatures();

-    const sortedCliVersions = Object.entries(response)
+    const enabledFeatureFlagCliVersions = Object.entries(response)
      .map(([f, isEnabled]) =>
        isEnabled ? this.getCliVersionFromFeatureFlag(f) : undefined,
      )
-      .filter((f): f is string => f !== undefined)
-      .sort(semver.rcompare);
+      .filter((f): f is string => f !== undefined);

-    if (sortedCliVersions.length === 0) {
+    if (enabledFeatureFlagCliVersions.length === 0) {
      // We expect at least one default CLI version to be enabled on Dotcom at any time. However if
      // the feature flags are misconfigured, rather than crashing, we fall back to the CLI version
      // shipped with the Action in defaults.json. This has the effect of immediately rolling out
@@ -680,7 +625,8 @@ class GitHubFeatureFlags {
          `shipped with the Action. This is ${defaults.cliVersion}.`,
      );
      const result: CodeQLDefaultVersionInfo = {
-        enabledVersions: [LINKED_CODEQL_VERSION],
+        cliVersion: defaults.cliVersion,
+        tagName: defaults.bundleVersion,
      };
      if (this.hasAccessedRemoteFeatureFlags) {
        result.toolsFeatureFlagsValid = false;
@@ -688,14 +634,17 @@ class GitHubFeatureFlags {
      return result;
    }

+    const maxCliVersion = enabledFeatureFlagCliVersions.reduce(
+      (maxVersion, currentVersion) =>
+        currentVersion > maxVersion ? currentVersion : maxVersion,
+      enabledFeatureFlagCliVersions[0],
+    );
    this.logger.debug(
-      `Derived default CLI version of ${sortedCliVersions[0]} from feature flags.`,
+      `Derived default CLI version of ${maxCliVersion} from feature flags.`,
    );
    return {
-      enabledVersions: sortedCliVersions.map((cliVersion) => ({
-        cliVersion,
-        tagName: `codeql-bundle-v${cliVersion}`,
-      })),
+      cliVersion: maxCliVersion,
+      tagName: `codeql-bundle-v${maxCliVersion}`,
      toolsFeatureFlagsValid: true,
    };
  }
@@ -19,7 +19,6 @@ import {
  createFeatures,
  createTestConfig,
  DEFAULT_ACTIONS_VARS,
-  makeMacro,
  makeVersionInfo,
  RecordingLogger,
  setupActionsVars,
@@ -602,7 +601,7 @@ async function testFailedSarifUpload(
  uploadFiles.resolves({
    sarifID: "42",
    statusReport: { raw_upload_size_bytes: 20, zipped_upload_size_bytes: 10 },
-  });
+  } as uploadLib.UploadResult);
  const waitForProcessing = sinon.stub(uploadLib, "waitForProcessing");

  const features = [] as Feature[];
@@ -797,7 +796,7 @@ test.serial(
  },
 );

-const skippedUploadTest = makeMacro({
+const skippedUploadTest = test.macro({
  exec: async (
    t: ExecutionContext<unknown>,
    config: Partial<configUtils.Config>,
@@ -824,8 +823,9 @@ const skippedUploadTest = makeMacro({
    `tryUploadSarifIfRunFailed - skips upload ${providedTitle}`,
 });

-skippedUploadTest.serial(
+test.serial(
  "without CodeQL command",
+  skippedUploadTest,
  // No codeQLCmd
  {
    analysisKinds: [AnalysisKind.RiskAssessment],
@@ -834,8 +834,9 @@ skippedUploadTest.serial(
  "CodeQL command not found",
 );

-skippedUploadTest.serial(
+test.serial(
  "if no language is configured",
+  skippedUploadTest,
  // No explicit language configuration
  {
    analysisKinds: [AnalysisKind.RiskAssessment],
@@ -844,8 +845,9 @@ skippedUploadTest.serial(
  "Unexpectedly, the configuration is not for a single language.",
 );

-skippedUploadTest.serial(
+test.serial(
  "if multiple languages is configured",
+  skippedUploadTest,
  // Multiple explicit languages configured
  {
    analysisKinds: [AnalysisKind.RiskAssessment],
@@ -298,23 +298,16 @@ async function run(startedAt: Date) {
      );
    }

-    const codeQLDefaultVersionInfo =
-      await features.getEnabledDefaultCliVersions(gitHubVersion.type);
+    const codeQLDefaultVersionInfo = await features.getDefaultCliVersion(
+      gitHubVersion.type,
+    );
    toolsFeatureFlagsValid = codeQLDefaultVersionInfo.toolsFeatureFlagsValid;
-    const rawLanguages = configUtils.getRawLanguagesNoAutodetect(
-      getOptionalInput("languages"),
-    );
-    const useOverlayAwareDefaultCliVersion = !!analysisKinds?.includes(
-      AnalysisKind.CodeScanning,
-    );
    const initCodeQLResult = await initCodeQL(
      getOptionalInput("tools"),
      apiDetails,
      getTemporaryDirectory(),
      gitHubVersion.type,
      codeQLDefaultVersionInfo,
-      rawLanguages,
-      useOverlayAwareDefaultCliVersion,
      features,
      logger,
    );
@@ -22,7 +22,6 @@ import {
  createTestConfig,
  getRecordingLogger,
  setupTests,
-  makeMacro,
 } from "./testing-utils";
 import { ConfigurationError, withTmpDir } from "./util";

@@ -159,9 +158,10 @@ type PackInfo = {
  qlpackFileName?: string;
 };

-const testCheckPacksForOverlayCompatibility = makeMacro({
+const testCheckPacksForOverlayCompatibility = test.macro({
  exec: async (
    t: ExecutionContext,
+    _title: string,
    {
      cliOverlayVersion,
      languages,
@@ -234,10 +234,11 @@ const testCheckPacksForOverlayCompatibility = makeMacro({
      );
    });
  },
-  title: (title) => `checkPacksForOverlayCompatibility: ${title}`,
+  title: (_, title) => `checkPacksForOverlayCompatibility: ${title}`,
 });

-testCheckPacksForOverlayCompatibility(
+test(
+  testCheckPacksForOverlayCompatibility,
  "returns false when CLI does not support overlay",
  {
    cliOverlayVersion: undefined,
@@ -252,7 +253,8 @@ testCheckPacksForOverlayCompatibility(
  },
 );

-testCheckPacksForOverlayCompatibility(
+test(
+  testCheckPacksForOverlayCompatibility,
  "returns true when there are no query packs",
  {
    cliOverlayVersion: 2,
@@ -262,7 +264,8 @@ testCheckPacksForOverlayCompatibility(
  },
 );

-testCheckPacksForOverlayCompatibility(
+test(
+  testCheckPacksForOverlayCompatibility,
  "returns true when query pack has not been compiled",
  {
    cliOverlayVersion: 2,
@@ -278,7 +281,8 @@ testCheckPacksForOverlayCompatibility(
  },
 );

-testCheckPacksForOverlayCompatibility(
+test(
+  testCheckPacksForOverlayCompatibility,
  "returns true when query pack has expected overlay version",
  {
    cliOverlayVersion: 2,
@@ -293,7 +297,8 @@ testCheckPacksForOverlayCompatibility(
  },
 );

-testCheckPacksForOverlayCompatibility(
+test(
+  testCheckPacksForOverlayCompatibility,
  "returns true when query packs for all languages to analyze are compatible",
  {
    cliOverlayVersion: 2,
@@ -312,7 +317,8 @@ testCheckPacksForOverlayCompatibility(
  },
 );

-testCheckPacksForOverlayCompatibility(
+test(
+  testCheckPacksForOverlayCompatibility,
  "returns true when query pack for a language not analyzed is incompatible",
  {
    cliOverlayVersion: 2,
@@ -331,7 +337,8 @@ testCheckPacksForOverlayCompatibility(
  },
 );

-testCheckPacksForOverlayCompatibility(
+test(
+  testCheckPacksForOverlayCompatibility,
  "returns false when query pack for a language to analyze is incompatible",
  {
    cliOverlayVersion: 2,
@@ -350,7 +357,8 @@ testCheckPacksForOverlayCompatibility(
  },
 );

-testCheckPacksForOverlayCompatibility(
+test(
+  testCheckPacksForOverlayCompatibility,
  "returns false when query pack is missing .packinfo",
  {
    cliOverlayVersion: 2,
@@ -369,7 +377,8 @@ testCheckPacksForOverlayCompatibility(
  },
 );

-testCheckPacksForOverlayCompatibility(
+test(
+  testCheckPacksForOverlayCompatibility,
  "returns false when query pack has different overlay version",
  {
    cliOverlayVersion: 2,
@@ -388,7 +397,8 @@ testCheckPacksForOverlayCompatibility(
  },
 );

-testCheckPacksForOverlayCompatibility(
+test(
+  testCheckPacksForOverlayCompatibility,
  "returns false when query pack is missing overlayVersion in .packinfo",
  {
    cliOverlayVersion: 2,
@@ -407,7 +417,8 @@ testCheckPacksForOverlayCompatibility(
  },
 );

-testCheckPacksForOverlayCompatibility(
+test(
+  testCheckPacksForOverlayCompatibility,
  "returns false when .packinfo is not valid JSON",
  {
    cliOverlayVersion: 2,
@@ -426,7 +437,8 @@ testCheckPacksForOverlayCompatibility(
  },
 );

-testCheckPacksForOverlayCompatibility(
+test(
+  testCheckPacksForOverlayCompatibility,
  "returns true when query pack uses codeql-pack.yml filename",
  {
    cliOverlayVersion: 2,
@@ -39,8 +39,6 @@ export async function initCodeQL(
  tempDir: string,
  variant: util.GitHubVariant,
  defaultCliVersion: CodeQLDefaultVersionInfo,
-  rawLanguages: string[] | undefined,
-  useOverlayAwareDefaultCliVersion: boolean,
  features: FeatureEnablement,
  logger: Logger,
 ): Promise<{
@@ -63,8 +61,6 @@ export async function initCodeQL(
    tempDir,
    variant,
    defaultCliVersion,
-    rawLanguages,
-    useOverlayAwareDefaultCliVersion,
    features,
    logger,
    true,
@@ -1,46 +0,0 @@
-import test from "ava";
-
-import { setupTests } from "../testing-utils";
-
-import * as json from ".";
-
-setupTests(test);
-
-const testSchema = {
-  requiredKey: json.string,
-};
-
-const optionalSchema = {
-  optionalKey: json.optional(json.string),
-};
-
-test("validateSchema - required properties are required", async (t) => {
-  t.false(json.validateSchema(testSchema, {}));
-  t.false(json.validateSchema(testSchema, { requiredKey: undefined }));
-  t.false(json.validateSchema(testSchema, { requiredKey: null }));
-  t.false(json.validateSchema(testSchema, { requiredKey: 0 }));
-  t.false(json.validateSchema(testSchema, { requiredKey: 123 }));
-  t.false(json.validateSchema(testSchema, { requiredKey: false }));
-  t.false(json.validateSchema(testSchema, { requiredKey: true }));
-  t.false(json.validateSchema(testSchema, { requiredKey: [] }));
-  t.false(json.validateSchema(testSchema, { requiredKey: {} }));
-  t.true(json.validateSchema(testSchema, { requiredKey: "" }));
-  t.true(json.validateSchema(testSchema, { requiredKey: "foo" }));
-});
-
-test("validateSchema - optional properties are optional", async (t) => {
-  // Optional fields may be absent
-  t.true(json.validateSchema(optionalSchema, {}));
-  t.true(json.validateSchema(optionalSchema, { optionalKey: undefined }));
-  t.true(json.validateSchema(optionalSchema, { optionalKey: null }));
-
-  // But, if present, should have the expected type
-  t.false(json.validateSchema(optionalSchema, { optionalKey: 0 }));
-  t.false(json.validateSchema(optionalSchema, { optionalKey: 123 }));
-  t.false(json.validateSchema(optionalSchema, { optionalKey: false }));
-  t.false(json.validateSchema(optionalSchema, { optionalKey: true }));
-  t.false(json.validateSchema(optionalSchema, { optionalKey: [] }));
-  t.false(json.validateSchema(optionalSchema, { optionalKey: {} }));
-  t.true(json.validateSchema(optionalSchema, { optionalKey: "" }));
-  t.true(json.validateSchema(optionalSchema, { optionalKey: "foo" }));
-});
@@ -36,82 +36,3 @@ export function isStringOrUndefined(
 ): value is string | undefined {
  return value === undefined || isString(value);
 }
-
-/**
- * Represents a field of type `T` in a schema.
- * Carries a validation function and flag indicating whether the field is required or not.
- */
-export type Validator<T> = {
-  validate: (val: unknown) => val is T;
-  required: boolean;
-};
-
-/** Extracts `T` from `Validator<T>`. */
-export type UnwrapValidator<V> = V extends Validator<infer A> ? A : never;
-
-/** A validator for string fields in schemas. */
-export const string = {
-  validate: isString,
-  required: true,
-} as const satisfies Validator<string>;
-
-/** Transforms a validator to be optional. */
-export function optional<T>(validator: Validator<T>) {
-  return {
-    validate: (val: unknown) => {
-      return val === undefined || val === null || validator.validate(val);
-    },
-    required: false,
-  } as const satisfies Validator<T | undefined | null>;
-}
-
-/** Represents an arbitrary object schema. */
-export type Schema = Record<string, Validator<any>>;
-
-/** Extracts the required keys from `S`. */
-export type RequiredKeys<S extends Schema> = {
-  [K in keyof S]: S[K]["required"] extends true ? K : never;
-}[keyof S];
-
-/** Extracts optional keys from `S`. */
-export type OptionalKeys<S extends Schema> = {
-  [K in keyof S]: S[K]["required"] extends true ? never : K;
-}[keyof S];
-
-/** Constructs an object type corresponding to a schema. */
-export type FromSchema<S extends Schema> = {
-  [K in RequiredKeys<S>]: UnwrapValidator<S[K]>;
-} & { [K in OptionalKeys<S>]?: UnwrapValidator<S[K]> };
-
-/**
- * Validates that `obj` satisfies at least `schema`. Additional keys are accepted.
- *
- * @param schema The schema to validate against.
- * @param obj The object to validate.
- * @returns Asserts that `obj` is of the `schema`'s type if validation is successful.
- */
-export function validateSchema<S extends Schema>(
-  schema: S,
-  obj: UnvalidatedObject<any>,
-): obj is FromSchema<S> {
-  for (const [key, validator] of Object.entries(schema)) {
-    const hasKey = key in obj;
-
-    // If the property is required, but absent, fail.
-    if (validator.required && !hasKey) {
-      return false;
-    }
-
-    // If the property is required, but undefined or null, fail.
-    if (validator.required && (obj[key] === undefined || obj[key] === null)) {
-      return false;
-    }
-
-    // If the property is present, validate it.
-    if (hasKey && !validator.validate(obj[key])) {
-      return false;
-    }
-  }
-
-  return true;
-}
@@ -1,106 +0,0 @@
-import { ExecutionContext } from "ava";
-
-import * as json from ".";
-
-/**
- * Constructs an object based on `schema` for unit tests.
- * Assumes that all keys in `schema` have string values.
- *
- * @param includeOptional Whether to include optional properties.
- * @param schema The schema to base the object on.
- * @returns An object that satisfies `schema`.
- */
-export function makeFromSchema<S extends json.Schema>(
-  includeOptional: boolean,
-  schema: S,
-): json.FromSchema<S> {
-  const result = {};
-  for (const [key, validator] of Object.entries(schema)) {
-    if (!validator.required && !includeOptional) {
-      continue;
-    }
-    result[key] = `value-for-${key}`;
-  }
-  return result as json.FromSchema<S>;
-}
-
-/** Options for `withSchemaMatrix`. */
-export interface SchemaMatrixOptions {
-  /** Whether cases where the properties are entirely absent should be excluded. */
-  excludeAbsent?: boolean;
-}
-
-/**
- * Constructs a test matrix of possible objects for `schema`: all required properties
- * plus all permutations of possible states for the optional properties.
- *
- * @param schema The schema to construct a test matrix for.
- * @param body The test body to call with each value from the test matrix.
- */
-export function withSchemaMatrix<S extends json.Schema>(
-  t: ExecutionContext<any>,
-  schema: S,
-  opts: SchemaMatrixOptions,
-  body: (value: json.FromSchema<S>) => void,
-): void {
-  // Construct a base object that includes all required properties.
-  const required = makeFromSchema(false, schema);
-
-  // Identify optional properties.
-  const optionalKeys: Array<keyof S> = [];
-
-  for (const [key, validator] of Object.entries(schema)) {
-    if (!validator.required) {
-      optionalKeys.push(key);
-    }
-  }
-
-  const optionalValues = (key: keyof S) => [
-    null,
-    undefined,
-    `value-for-${String(key)}`,
-  ];
-
-  // Constructs an array of test objects, starting with `required` and combining it with all
-  // possible states of each optional property. For example, with default settings:
-  //
-  // For { requiredKey: string }, we get: `[{ requiredKey: "some-string-value" }]`
-  //
-  // For { requiredKey: string, optionalKey?: string }, we get:
-  // [ { requiredKey: "some-string-value" },
-  //   { requiredKey: "some-string-value", optionalKey: undefined },
-  //   { requiredKey: "some-string-value", optionalKey: null },
-  //   { requiredKey: "some-string-value", optionalKey: "some-value" },
-  // ]
-  const permutations = (keys: Array<keyof S>) => {
-    if (keys.length === 0) return [required];
-
-    const bases = permutations(keys.slice(1));
-    const result: Array<json.FromSchema<S>> = [];
-
-    const optionalKey = keys[0];
-    for (const base of bases) {
-      if (!opts.excludeAbsent) {
-        // Optional keys can be absent entirely.
-        result.push(base);
-      }
-
-      // Or be present and have one of the `optionalValues`.
-      for (const optionalValue of optionalValues(optionalKey)) {
-        result.push({ ...base, [optionalKey]: optionalValue });
-      }
-    }
-    return result;
-  };
-
-  // Call `body` for all test cases.
-  const testCases = permutations(optionalKeys);
-  for (const testCase of testCases) {
-    try {
-      body(testCase);
-    } catch (err) {
-      t.log(testCase);
-      throw err;
-    }
-  }
-}
@@ -7,13 +7,12 @@ import * as sinon from "sinon";

 import * as actionsUtil from "../actions-util";
 import * as apiClient from "../api-client";
-import type { ResolveDatabaseOutput } from "../codeql";
+import { ResolveDatabaseOutput } from "../codeql";
 import * as gitUtils from "../git-utils";
 import { BuiltInLanguage } from "../languages";
 import { getRunnerLogger } from "../logging";
 import {
  createTestConfig,
-  makeMacro,
  mockCodeQLVersion,
  setupTests,
 } from "../testing-utils";
@@ -24,7 +23,6 @@ import {
  downloadOverlayBaseDatabaseFromCache,
  getCacheRestoreKeyPrefix,
  getCacheSaveKey,
-  getCodeQlVersionsForOverlayBaseDatabases,
 } from "./caching";
 import { OverlayDatabaseMode } from "./overlay-database-mode";

@@ -52,9 +50,10 @@ const defaultDownloadTestCase: DownloadOverlayBaseDatabaseTestCase = {
  resolveDatabaseOutput: { overlayBaseSpecifier: "20250626:XXX" },
 };

-const testDownloadOverlayBaseDatabaseFromCache = makeMacro({
+const testDownloadOverlayBaseDatabaseFromCache = test.macro({
  exec: async (
    t,
+    _title: string,
    partialTestCase: Partial<DownloadOverlayBaseDatabaseTestCase>,
    expectDownloadSuccess: boolean,
  ) => {
@@ -142,16 +141,18 @@ const testDownloadOverlayBaseDatabaseFromCache = makeMacro({
      }
    });
  },
-  title: (title) => `downloadOverlayBaseDatabaseFromCache: ${title}`,
+  title: (_, title) => `downloadOverlayBaseDatabaseFromCache: ${title}`,
 });

-testDownloadOverlayBaseDatabaseFromCache.serial(
+test.serial(
+  testDownloadOverlayBaseDatabaseFromCache,
  "returns stats when successful",
  {},
  true,
 );

-testDownloadOverlayBaseDatabaseFromCache.serial(
+test.serial(
+  testDownloadOverlayBaseDatabaseFromCache,
  "returns undefined when mode is OverlayDatabaseMode.OverlayBase",
  {
    overlayDatabaseMode: OverlayDatabaseMode.OverlayBase,
@@ -159,7 +160,8 @@ testDownloadOverlayBaseDatabaseFromCache.serial(
  false,
 );

-testDownloadOverlayBaseDatabaseFromCache.serial(
+test.serial(
+  testDownloadOverlayBaseDatabaseFromCache,
  "returns undefined when mode is OverlayDatabaseMode.None",
  {
    overlayDatabaseMode: OverlayDatabaseMode.None,
@@ -167,7 +169,8 @@ testDownloadOverlayBaseDatabaseFromCache.serial(
  false,
 );

-testDownloadOverlayBaseDatabaseFromCache.serial(
+test.serial(
+  testDownloadOverlayBaseDatabaseFromCache,
  "returns undefined when caching is disabled",
  {
    useOverlayDatabaseCaching: false,
@@ -175,7 +178,8 @@ testDownloadOverlayBaseDatabaseFromCache.serial(
  false,
 );

-testDownloadOverlayBaseDatabaseFromCache.serial(
+test.serial(
+  testDownloadOverlayBaseDatabaseFromCache,
  "returns undefined in test mode",
  {
    isInTestMode: true,
@@ -183,7 +187,8 @@ testDownloadOverlayBaseDatabaseFromCache.serial(
  false,
 );

-testDownloadOverlayBaseDatabaseFromCache.serial(
+test.serial(
+  testDownloadOverlayBaseDatabaseFromCache,
  "returns undefined when cache miss",
  {
    restoreCacheResult: undefined,
@@ -191,7 +196,8 @@ testDownloadOverlayBaseDatabaseFromCache.serial(
  false,
 );

-testDownloadOverlayBaseDatabaseFromCache.serial(
+test.serial(
+  testDownloadOverlayBaseDatabaseFromCache,
  "returns undefined when download fails",
  {
    restoreCacheResult: new Error("Download failed"),
@@ -199,7 +205,8 @@ testDownloadOverlayBaseDatabaseFromCache.serial(
  false,
 );

-testDownloadOverlayBaseDatabaseFromCache.serial(
+test.serial(
+  testDownloadOverlayBaseDatabaseFromCache,
  "returns undefined when downloaded database is invalid",
  {
    hasBaseDatabaseOidsFile: false,
@@ -207,7 +214,8 @@ testDownloadOverlayBaseDatabaseFromCache.serial(
  false,
 );

-testDownloadOverlayBaseDatabaseFromCache.serial(
+test.serial(
+  testDownloadOverlayBaseDatabaseFromCache,
  "returns undefined when downloaded database doesn't have an overlayBaseSpecifier",
  {
    resolveDatabaseOutput: {},
@@ -215,7 +223,8 @@ testDownloadOverlayBaseDatabaseFromCache.serial(
  false,
 );

-testDownloadOverlayBaseDatabaseFromCache.serial(
+test.serial(
+  testDownloadOverlayBaseDatabaseFromCache,
  "returns undefined when resolving database metadata fails",
  {
    resolveDatabaseOutput: new Error("Failed to resolve database metadata"),
@@ -223,7 +232,8 @@ testDownloadOverlayBaseDatabaseFromCache.serial(
  false,
 );

-testDownloadOverlayBaseDatabaseFromCache.serial(
+test.serial(
+  testDownloadOverlayBaseDatabaseFromCache,
  "returns undefined when filesystem error occurs",
  {
    tryGetFolderBytesSucceeds: false,
@@ -275,160 +285,3 @@ test.serial("overlay-base database cache keys remain stable", async (t) => {
    `Expected save key "${saveKey}" to start with restore key prefix "${restoreKeyPrefix}"`,
  );
 });
-
-test.serial(
-  "getCodeQlVersionsForOverlayBaseDatabases returns unique versions sorted latest first",
-  async (t) => {
-    const logger = getRunnerLogger(true);
-
-    sinon.stub(apiClient, "getAutomationID").resolves("test-automation-id/");
-    sinon.stub(apiClient, "listActionsCaches").resolves([
-      {
-        key: "codeql-overlay-base-database-1-c5666c509a2d9895-javascript_python-2.23.0-abc123-1-1",
-      },
-      {
-        key: "codeql-overlay-base-database-1-c5666c509a2d9895-javascript_python-2.24.1-def456-2-1",
-      },
-      {
-        key: "codeql-overlay-base-database-1-c5666c509a2d9895-javascript_python-2.23.0-ghi789-3-1",
-      },
-    ]);
-
-    const result = await getCodeQlVersionsForOverlayBaseDatabases(
-      ["javascript", "python"],
-      logger,
-    );
-    t.deepEqual(result, ["2.24.1", "2.23.0"]);
-  },
-);
-
-test.serial(
-  "getCodeQlVersionsForOverlayBaseDatabases returns empty list when no caches exist",
-  async (t) => {
-    const logger = getRunnerLogger(true);
-
-    sinon.stub(apiClient, "getAutomationID").resolves("test-automation-id/");
-    sinon.stub(apiClient, "listActionsCaches").resolves([]);
-
-    const result = await getCodeQlVersionsForOverlayBaseDatabases(
-      ["python"],
-      logger,
-    );
-    t.deepEqual(result, []);
-  },
-);
-
-test.serial(
-  "getCodeQlVersionsForOverlayBaseDatabases returns empty list when cache keys are unparseable",
-  async (t) => {
-    const logger = getRunnerLogger(true);
-
-    sinon.stub(apiClient, "getAutomationID").resolves("test-automation-id/");
-    sinon.stub(apiClient, "listActionsCaches").resolves([
-      {
-        key: "codeql-overlay-base-database-1-c5666c509a2d9895-python-malformed",
-      },
-      { key: undefined },
-    ]);
-
-    const result = await getCodeQlVersionsForOverlayBaseDatabases(
-      ["python"],
-      logger,
-    );
-    t.deepEqual(result, []);
-  },
-);
-
-test.serial(
-  "getCodeQlVersionsForOverlayBaseDatabases returns the single version when only one cache exists",
-  async (t) => {
-    const logger = getRunnerLogger(true);
-
-    sinon.stub(apiClient, "getAutomationID").resolves("test-automation-id/");
-    sinon.stub(apiClient, "listActionsCaches").resolves([
-      {
-        key: "codeql-overlay-base-database-1-c5666c509a2d9895-cpp-2.25.0-abc123-1-1",
-      },
-    ]);
-
-    const result = await getCodeQlVersionsForOverlayBaseDatabases(
-      ["cpp"],
-      logger,
-    );
-    t.deepEqual(result, ["2.25.0"]);
-  },
-);
-
-test.serial(
-  "getCodeQlVersionsForOverlayBaseDatabases resolves language aliases",
-  async (t) => {
-    const logger = getRunnerLogger(true);
-    // The alias `c++` should be resolved to "cpp" and match cache entries keyed with "cpp"
-
-    sinon.stub(apiClient, "getAutomationID").resolves("test-automation-id/");
-    sinon.stub(apiClient, "listActionsCaches").resolves([
-      {
-        key: "codeql-overlay-base-database-1-c5666c509a2d9895-cpp-2.25.0-abc123-1-1",
-      },
-    ]);
-
-    const result = await getCodeQlVersionsForOverlayBaseDatabases(
-      ["c++"],
-      logger,
-    );
-    t.deepEqual(result, ["2.25.0"]);
-  },
-);
-
-test.serial(
-  "getCodeQlVersionsForOverlayBaseDatabases de-duplicates resolved language aliases",
-  async (t) => {
-    const logger = getRunnerLogger(true);
-
-    sinon.stub(apiClient, "getAutomationID").resolves("test-automation-id/");
-    const listActionsCachesStub = sinon
-      .stub(apiClient, "listActionsCaches")
-      .resolves([
-        {
-          key: "codeql-overlay-base-database-1-c5666c509a2d9895-javascript_python-2.25.0-abc123-1-1",
-        },
-      ]);
-
-    const result = await getCodeQlVersionsForOverlayBaseDatabases(
-      ["javascript", "typescript", "Python", "python"],
-      logger,
-    );
-    t.deepEqual(result, ["2.25.0"]);
-    sinon.assert.calledOnceWithExactly(
-      listActionsCachesStub,
-      "codeql-overlay-base-database-1-c5666c509a2d9895-javascript_python-",
-    );
-  },
-);
-
-test.serial(
-  "getCodeQlVersionsForOverlayBaseDatabases ignores nightly versions with build metadata",
-  async (t) => {
-    const logger = getRunnerLogger(true);
-
-    sinon.stub(apiClient, "getAutomationID").resolves("test-automation-id/");
-    sinon.stub(apiClient, "listActionsCaches").resolves([
-      {
-        key: "codeql-overlay-base-database-1-c5666c509a2d9895-python-2.25.0-abc123-1-1",
-      },
-      {
-        // Nightly release with semver build metadata; should be ignored.
-        key: "codeql-overlay-base-database-1-c5666c509a2d9895-python-2.26.0+202604211234-def456-2-1",
-      },
-      {
-        key: "codeql-overlay-base-database-1-c5666c509a2d9895-python-2.24.0-ghi789-3-1",
-      },
-    ]);
-
-    const result = await getCodeQlVersionsForOverlayBaseDatabases(
-      ["python"],
-      logger,
-    );
-    t.deepEqual(result, ["2.25.0", "2.24.0"]);
-  },
-);
@@ -1,20 +1,18 @@
 import * as fs from "fs";

 import * as actionsCache from "@actions/cache";
-import * as semver from "semver";

 import {
  getRequiredInput,
  getWorkflowRunAttempt,
  getWorkflowRunID,
 } from "../actions-util";
-import { getAutomationID, listActionsCaches } from "../api-client";
+import { getAutomationID } from "../api-client";
 import { createCacheKeyHash } from "../caching-utils";
 import { type CodeQL } from "../codeql";
 import { type Config } from "../config-utils";
 import { getCommitOid } from "../git-utils";
-import { type Language, parseBuiltInLanguage } from "../languages";
-import { type Logger, withGroupAsync } from "../logging";
+import { Logger, withGroupAsync } from "../logging";
 import {
  CleanupLevel,
  getBaseDatabaseOidsFilePath,
@@ -406,17 +404,7 @@ export async function getCacheRestoreKeyPrefix(
  config: Config,
  codeQlVersion: string,
 ): Promise<string> {
-  return `${await getCacheKeyPrefixBase(config.languages)}${codeQlVersion}-`;
-}
-
-/**
- * Computes the cache key prefix for overlay-base databases, excluding the
- * CodeQL version.
- */
-async function getCacheKeyPrefixBase(
-  parsedLanguages: Language[],
-): Promise<string> {
-  const languagesComponent = [...parsedLanguages].sort().join("_");
+  const languages = [...config.languages].sort().join("_");

  const cacheKeyComponents = {
    automationID: await getAutomationID(),
@@ -424,98 +412,17 @@ async function getCacheKeyPrefixBase(
  };
  const componentsHash = createCacheKeyHash(cacheKeyComponents);

+  // For a cached overlay-base database to be considered compatible for overlay
+  // analysis, all components in the cache restore key must match:
+  //
  // CACHE_PREFIX: distinguishes overlay-base databases from other cache objects
  // CACHE_VERSION: cache format version
  // componentsHash: hash of additional components (see above for details)
-  // languagesComponent: the languages included in the overlay-base database
+  // languages: the languages included in the overlay-base database
+  // codeQlVersion: CodeQL bundle version
  //
-  // Technically we can also include languages in the componentsHash, but
-  // including them explicitly in the cache key makes it easier to debug and
-  // understand the cache key structure.
-  return `${CACHE_PREFIX}-${CACHE_VERSION}-${componentsHash}-${languagesComponent}-`;
-}
-
-/**
- * Searches the GitHub Actions cache for overlay-base databases matching the given languages, and
- * returns all stable CodeQL versions found across matching cache entries.
- *
- * Note that we do not guarantee that the cache entry for these versions of CodeQL will still be
- * present by the time we attempt to restore the cache. We could achieve that with a download retry
- * loop, but we expect that if there is sufficient Actions cache contention that an overlay-base
- * cache entry for a particular CodeQL version is evicted before we can use it, then it is likely
- * that the same thing will happen to other overlay-base cache entries, and therefore we will not be
- * able to use overlay.
- *
- * @returns Unique stable CodeQL versions found in cached overlay-base databases, sorted from latest to
- * earliest, or undefined if one of the languages is not a built-in language.
- */
-export async function getCodeQlVersionsForOverlayBaseDatabases(
-  rawLanguages: string[],
-  logger: Logger,
-): Promise<string[] | undefined> {
-  const languages = rawLanguages.map(parseBuiltInLanguage);
-  if (languages.includes(undefined)) {
-    logger.warning(
-      "One or more provided languages are not recognized as built-in languages. " +
-        "Skipping searching for overlay-base databases in cache.",
-    );
-    return undefined;
-  }
-  const dedupedLanguages = [
-    ...new Set(languages.filter((l) => l !== undefined)),
-  ];
-  const cacheKeyPrefix = await getCacheKeyPrefixBase(dedupedLanguages);
-
-  logger.debug(
-    `Searching for overlay-base databases in Actions cache with ` +
-      `prefix ${cacheKeyPrefix}`,
-  );
-
-  const caches = await listActionsCaches(cacheKeyPrefix);
-
-  if (caches.length === 0) {
-    logger.info("No overlay-base databases found in Actions cache.");
-    return [];
-  }
-
-  logger.info(
-    `Found ${caches.length} overlay-base ` +
-      `${caches.length === 1 ? "database" : "databases"} in the Actions cache.`,
-  );
-
-  // Parse CodeQL versions from cache keys, matching only stable releases.
-  //
-  // After the prefix, the remaining key format starts with `${codeQlVersion}-`. Nightlies will have
-  // a suffix like `+202604201548` that will break the match.
-  //
-  // Caveat: this relies on the fact that we haven't released any CodeQL bundles with the
-  // `x.y.z-<pre-release>` semver format which does not interact well with the current overlay base
-  // DB cache key format.
-  const versionRegex = /^([\d.]+)-/;
-  const versionSet = new Set<string>();
-
-  for (const cache of caches) {
-    if (!cache.key) continue;
-    const suffix = cache.key.substring(cacheKeyPrefix.length);
-    const match = suffix.match(versionRegex);
-    if (match && semver.valid(match[1])) {
-      versionSet.add(match[1]);
-    }
-  }
-
-  if (versionSet.size === 0) {
-    logger.info(
-      "Could not parse any CodeQL versions from overlay-base database " +
-        "cache keys.",
-    );
-    return [];
-  }
-
-  const versions = [...versionSet].sort(semver.rcompare);
-
-  logger.info(
-    `Found overlay databases for the following CodeQL versions in the Actions cache: ${versions.join(", ")}`,
-  );
-
-  return versions;
+  // Technically we can also include languages and codeQlVersion in the
+  // componentsHash, but including them explicitly in the cache key makes it
+  // easier to debug and understand the cache key structure.
+  return `${CACHE_PREFIX}-${CACHE_VERSION}-${componentsHash}-${languages}-${codeQlVersion}-`;
 }
@@ -7,10 +7,8 @@ import {
  getRequiredInput,
  getTemporaryDirectory,
 } from "./actions-util";
-import { AnalysisKind, getAnalysisKinds } from "./analyses";
 import { getGitHubVersion } from "./api-client";
 import { CodeQL } from "./codeql";
-import { getRawLanguagesNoAutodetect } from "./config-utils";
 import { EnvVar } from "./environment";
 import { initFeatures } from "./feature-flags";
 import { initCodeQL } from "./init";
@@ -138,21 +136,16 @@ async function run(startedAt: Date): Promise<void> {
    if (statusReportBase !== undefined) {
      await sendStatusReport(statusReportBase);
    }
-    const codeQLDefaultVersionInfo =
-      await features.getEnabledDefaultCliVersions(gitHubVersion.type);
-    toolsFeatureFlagsValid = codeQLDefaultVersionInfo.toolsFeatureFlagsValid;
-    const rawLanguages = getRawLanguagesNoAutodetect(
-      getOptionalInput("languages"),
+    const codeQLDefaultVersionInfo = await features.getDefaultCliVersion(
+      gitHubVersion.type,
    );
-    const analysisKinds = await getAnalysisKinds(logger);
+    toolsFeatureFlagsValid = codeQLDefaultVersionInfo.toolsFeatureFlagsValid;
    const initCodeQLResult = await initCodeQL(
      getOptionalInput("tools"),
      apiDetails,
      getTemporaryDirectory(),
      gitHubVersion.type,
      codeQLDefaultVersionInfo,
-      rawLanguages,
-      analysisKinds.includes(AnalysisKind.CodeScanning),
      features,
      logger,
    );
@@ -7,9 +7,8 @@ import * as sinon from "sinon";

 import * as actionsUtil from "./actions-util";
 import * as api from "./api-client";
-import { Feature } from "./feature-flags";
+import { Feature, FeatureEnablement } from "./feature-flags";
 import { getRunnerLogger } from "./logging";
-import { getCacheRestoreKeyPrefix } from "./overlay/caching";
 import * as setupCodeql from "./setup-codeql";
 import * as tar from "./tar";
 import {
@@ -19,9 +18,8 @@ import {
  SAMPLE_DOTCOM_API_DETAILS,
  checkExpectedLogMessages,
  createFeatures,
-  createTestConfig,
  getRecordingLogger,
-  makeMacro,
+  initializeFeatures,
  mockBundleDownloadApi,
  setupActionsVars,
  setupTests,
@@ -35,6 +33,14 @@ import {

 setupTests(test);

+// TODO: Remove when when we no longer need to pass in features (https://github.com/github/codeql-action/issues/2600)
+const expectedFeatureEnablement: FeatureEnablement = initializeFeatures(
+  true,
+) as FeatureEnablement;
+expectedFeatureEnablement.getValue = function (feature: Feature) {
+  // eslint-disable-next-line @typescript-eslint/no-unsafe-return
+  return expectedFeatureEnablement[feature];
+};
 test.beforeEach(() => {
  initializeEnvironment("1.2.3");
 });
@@ -101,8 +107,6 @@ test.serial(
      const source = await setupCodeql.getCodeQLSource(
        `https://github.com/github/codeql-action/releases/download/${tagName}/codeql-bundle-linux64.tar.gz`,
        SAMPLE_DEFAULT_CLI_VERSION,
-        undefined, // rawLanguages
-        false, // useOverlayAwareDefaultCliVersion
        SAMPLE_DOTCOM_API_DETAILS,
        GitHubVariant.DOTCOM,
        false,
@@ -126,8 +130,6 @@ test.serial(
      const source = await setupCodeql.getCodeQLSource(
        "linked",
        SAMPLE_DEFAULT_CLI_VERSION,
-        undefined, // rawLanguages
-        false, // useOverlayAwareDefaultCliVersion
        SAMPLE_DOTCOM_API_DETAILS,
        GitHubVariant.DOTCOM,
        false,
@@ -153,8 +155,6 @@ test.serial(
      const source = await setupCodeql.getCodeQLSource(
        "latest",
        SAMPLE_DEFAULT_CLI_VERSION,
-        undefined, // rawLanguages
-        false, // useOverlayAwareDefaultCliVersion
        SAMPLE_DOTCOM_API_DETAILS,
        GitHubVariant.DOTCOM,
        false,
@@ -211,8 +211,6 @@ test.serial(
        "tmp/codeql_action_test/",
        GitHubVariant.DOTCOM,
        SAMPLE_DEFAULT_CLI_VERSION,
-        undefined, // rawLanguages
-        false, // useOverlayAwareDefaultCliVersion
        features,
        logger,
      );
@@ -268,8 +266,6 @@ test.serial(
        "tmp/codeql_action_test/",
        GitHubVariant.DOTCOM,
        SAMPLE_DEFAULT_CLI_VERSION,
-        undefined, // rawLanguages
-        false, // useOverlayAwareDefaultCliVersion
        features,
        logger,
      );
@@ -321,8 +317,6 @@ test.serial(
      const source = await setupCodeql.getCodeQLSource(
        "nightly",
        SAMPLE_DEFAULT_CLI_VERSION,
-        undefined, // rawLanguages
-        false, // useOverlayAwareDefaultCliVersion
        SAMPLE_DOTCOM_API_DETAILS,
        GitHubVariant.DOTCOM,
        false,
@@ -384,8 +378,6 @@ test.serial(
      const source = await setupCodeql.getCodeQLSource(
        undefined,
        SAMPLE_DEFAULT_CLI_VERSION,
-        undefined, // rawLanguages
-        false, // useOverlayAwareDefaultCliVersion
        SAMPLE_DOTCOM_API_DETAILS,
        GitHubVariant.DOTCOM,
        false,
@@ -440,8 +432,6 @@ test.serial(
      const source = await setupCodeql.getCodeQLSource(
        "toolcache",
        SAMPLE_DEFAULT_CLI_VERSION,
-        undefined, // rawLanguages
-        false, // useOverlayAwareDefaultCliVersion
        SAMPLE_DOTCOM_API_DETAILS,
        GitHubVariant.DOTCOM,
        false,
@@ -483,7 +473,7 @@ test.serial(
  },
 );

-const toolcacheInputFallbackMacro = makeMacro({
+const toolcacheInputFallbackMacro = test.macro({
  exec: async (
    t: ExecutionContext<unknown>,
    featureList: Feature[],
@@ -509,8 +499,6 @@ const toolcacheInputFallbackMacro = makeMacro({
      const source = await setupCodeql.getCodeQLSource(
        "toolcache",
        SAMPLE_DEFAULT_CLI_VERSION,
-        undefined, // rawLanguages
-        false, // useOverlayAwareDefaultCliVersion
        SAMPLE_DOTCOM_API_DETAILS,
        GitHubVariant.DOTCOM,
        false,
@@ -526,10 +514,7 @@ const toolcacheInputFallbackMacro = makeMacro({

      // Check that `sourceType` and `toolsVersion` match expectations.
      t.is(source.sourceType, "download");
-      t.is(
-        source.toolsVersion,
-        SAMPLE_DEFAULT_CLI_VERSION.enabledVersions[0].cliVersion,
-      );
+      t.is(source.toolsVersion, SAMPLE_DEFAULT_CLI_VERSION.cliVersion);

      // Check that key messages we would expect to find in the log are present.
      for (const expectedMessage of expectedMessages) {
@@ -548,8 +533,9 @@ const toolcacheInputFallbackMacro = makeMacro({
    `getCodeQLSource falls back to downloading the CLI if ${providedTitle}`,
 });

-toolcacheInputFallbackMacro.serial(
+test.serial(
  "the toolcache doesn't have a CodeQL CLI when tools == toolcache",
+  toolcacheInputFallbackMacro,
  [Feature.AllowToolcacheInput],
  { GITHUB_EVENT_NAME: "dynamic" },
  [],
@@ -559,8 +545,9 @@ toolcacheInputFallbackMacro.serial(
  ],
 );

-toolcacheInputFallbackMacro.serial(
+test.serial(
  "the workflow trigger is not `dynamic`",
+  toolcacheInputFallbackMacro,
  [Feature.AllowToolcacheInput],
  { GITHUB_EVENT_NAME: "pull_request" },
  [],
@@ -569,8 +556,9 @@ toolcacheInputFallbackMacro.serial(
  ],
 );

-toolcacheInputFallbackMacro.serial(
+test.serial(
  "the feature flag is not enabled",
+  toolcacheInputFallbackMacro,
  [],
  { GITHUB_EVENT_NAME: "dynamic" },
  [],
@@ -610,288 +598,3 @@ test.serial(
    t.is(setupCodeql.getLatestToolcacheVersion(getRunnerLogger(true)), "3.2.1");
  },
 );
-
-const overlayMatchEnabledVersions = {
-  enabledVersions: [
-    { cliVersion: "2.20.2", tagName: "codeql-bundle-v2.20.2" },
-    { cliVersion: "2.20.1", tagName: "codeql-bundle-v2.20.1" },
-    { cliVersion: "2.20.0", tagName: "codeql-bundle-v2.20.0" },
-  ],
-  toolsFeatureFlagsValid: true,
-};
-
-async function fakeOverlayBaseCacheKey(
-  language: string,
-  cliVersion: string,
-  suffix: string,
-): Promise<string> {
-  const prefix = await getCacheRestoreKeyPrefix(
-    createTestConfig({ languages: [language] }),
-    cliVersion,
-  );
-  return `${prefix}${suffix}`;
-}
-
-test.serial(
-  "getCodeQLSource uses overlay-aware default version when requested for a PR",
-  async (t) => {
-    await withTmpDir(async (tmpDir) => {
-      setupActionsVars(tmpDir, tmpDir);
-      process.env["CODE_SCANNING_REF"] = "refs/heads/feature-branch";
-      process.env["CODE_SCANNING_BASE_BRANCH"] = "main";
-
-      sinon.stub(api, "getAutomationID").resolves("test/");
-      const listStub = sinon.stub(api, "listActionsCaches").resolves([
-        {
-          key: await fakeOverlayBaseCacheKey("javascript", "2.20.1", "abc-1-1"),
-        },
-      ]);
-      sinon
-        .stub(toolcache, "find")
-        .withArgs("CodeQL", "2.20.1")
-        .returns("/path/to/codeql-2.20.1");
-
-      const source = await setupCodeql.getCodeQLSource(
-        undefined,
-        overlayMatchEnabledVersions,
-        ["javascript"],
-        true,
-        SAMPLE_DOTCOM_API_DETAILS,
-        GitHubVariant.DOTCOM,
-        false,
-        createFeatures([Feature.OverlayAnalysisMatchCodeqlVersion]),
-        getRunnerLogger(true),
-      );
-
-      t.assert(listStub.calledOnce);
-      t.is(source.sourceType, "toolcache");
-      t.is(source.toolsVersion, "2.20.1");
-    });
-  },
-);
-
-test.serial(
-  "getCodeQLSource skips overlay-aware default version when not requested",
-  async (t) => {
-    await withTmpDir(async (tmpDir) => {
-      setupActionsVars(tmpDir, tmpDir);
-      process.env["CODE_SCANNING_REF"] = "refs/heads/feature-branch";
-      process.env["CODE_SCANNING_BASE_BRANCH"] = "main";
-
-      sinon.stub(api, "getAutomationID").resolves("test/");
-      const listStub = sinon.stub(api, "listActionsCaches").resolves([
-        {
-          key: await fakeOverlayBaseCacheKey("javascript", "2.20.1", "abc-1-1"),
-        },
-      ]);
-      sinon
-        .stub(toolcache, "find")
-        .withArgs("CodeQL", "2.20.2")
-        .returns("/path/to/codeql-2.20.2");
-
-      const source = await setupCodeql.getCodeQLSource(
-        undefined,
-        overlayMatchEnabledVersions,
-        ["javascript"],
-        false,
-        SAMPLE_DOTCOM_API_DETAILS,
-        GitHubVariant.DOTCOM,
-        false,
-        createFeatures([Feature.OverlayAnalysisMatchCodeqlVersion]),
-        getRunnerLogger(true),
-      );
-
-      t.assert(listStub.notCalled);
-      t.is(source.sourceType, "toolcache");
-      t.is(source.toolsVersion, "2.20.2");
-    });
-  },
-);
-
-test.serial(
-  "getEnabledVersionsWithOverlayBaseDatabases returns flag-enabled versions present in cache, sorted desc",
-  async (t) => {
-    sinon.stub(api, "getAutomationID").resolves("test/");
-    sinon.stub(api, "listActionsCaches").resolves([
-      // Flag-enabled versions present in the cache, listed in non-descending
-      // order so the test exercises the sort.
-      {
-        key: await fakeOverlayBaseCacheKey("javascript", "2.20.0", "ghi-3-1"),
-      },
-      {
-        key: await fakeOverlayBaseCacheKey("javascript", "2.20.1", "def-2-1"),
-      },
-      // Newer than any flag-enabled version: should be filtered out.
-      {
-        key: await fakeOverlayBaseCacheKey("javascript", "2.21.0", "abc-1-1"),
-      },
-    ]);
-
-    const result = await setupCodeql.getEnabledVersionsWithOverlayBaseDatabases(
-      overlayMatchEnabledVersions,
-      ["javascript"],
-      createFeatures([Feature.OverlayAnalysisMatchCodeqlVersion]),
-      getRunnerLogger(true),
-    );
-    t.deepEqual(result, [
-      { cliVersion: "2.20.1", tagName: "codeql-bundle-v2.20.1" },
-      { cliVersion: "2.20.0", tagName: "codeql-bundle-v2.20.0" },
-    ]);
-  },
-);
-
-test.serial(
-  "getEnabledVersionsWithOverlayBaseDatabases returns empty when no cached version is flag-enabled",
-  async (t) => {
-    sinon.stub(api, "getAutomationID").resolves("test/");
-    sinon.stub(api, "listActionsCaches").resolves([
-      {
-        key: await fakeOverlayBaseCacheKey("javascript", "2.19.0", "abc-1-1"),
-      },
-    ]);
-
-    const result = await setupCodeql.getEnabledVersionsWithOverlayBaseDatabases(
-      overlayMatchEnabledVersions,
-      ["javascript"],
-      createFeatures([Feature.OverlayAnalysisMatchCodeqlVersion]),
-      getRunnerLogger(true),
-    );
-    t.deepEqual(result, []);
-  },
-);
-
-const noLanguagesMacro = makeMacro({
-  exec: async (
-    t: ExecutionContext<unknown>,
-    rawLanguages: string[] | undefined,
-  ) => {
-    const listStub = sinon.stub(api, "listActionsCaches").resolves([]);
-
-    const result = await setupCodeql.getEnabledVersionsWithOverlayBaseDatabases(
-      overlayMatchEnabledVersions,
-      rawLanguages,
-      createFeatures([Feature.OverlayAnalysisMatchCodeqlVersion]),
-      getRunnerLogger(true),
-    );
-    t.deepEqual(result, []);
-    t.assert(
-      listStub.notCalled,
-      "Should not list Actions caches without any rawLanguages.",
-    );
-  },
-  title: (providedTitle = "") =>
-    `getEnabledVersionsWithOverlayBaseDatabases does not list caches when rawLanguages is ${providedTitle}`,
-});
-
-noLanguagesMacro.serial("undefined", undefined);
-noLanguagesMacro.serial("an empty array", []);
-
-test.serial(
-  "getEnabledVersionsWithOverlayBaseDatabases returns empty when listing caches throws",
-  async (t) => {
-    sinon.stub(api, "getAutomationID").resolves("test/");
-    sinon.stub(api, "listActionsCaches").rejects(new Error("listing failed"));
-
-    const result = await setupCodeql.getEnabledVersionsWithOverlayBaseDatabases(
-      overlayMatchEnabledVersions,
-      ["javascript"],
-      createFeatures([Feature.OverlayAnalysisMatchCodeqlVersion]),
-      getRunnerLogger(true),
-    );
-    t.deepEqual(result, []);
-  },
-);
-
-test.serial(
-  "getEnabledVersionsWithOverlayBaseDatabases returns versions present in the cache",
-  async (t) => {
-    sinon.stub(api, "getAutomationID").resolves("test/");
-    sinon.stub(api, "listActionsCaches").resolves([
-      {
-        key: await fakeOverlayBaseCacheKey("javascript", "2.20.2", "abc-1-1"),
-      },
-    ]);
-
-    const result = await setupCodeql.getEnabledVersionsWithOverlayBaseDatabases(
-      overlayMatchEnabledVersions,
-      ["javascript"],
-      createFeatures([Feature.OverlayAnalysisMatchCodeqlVersion]),
-      getRunnerLogger(true),
-    );
-    t.deepEqual(result, [
-      { cliVersion: "2.20.2", tagName: "codeql-bundle-v2.20.2" },
-    ]);
-  },
-);
-
-test.serial(
-  "getEnabledVersionsWithOverlayBaseDatabases does not list caches when both gates are off",
-  async (t) => {
-    const listStub = sinon.stub(api, "listActionsCaches").resolves([]);
-
-    const result = await setupCodeql.getEnabledVersionsWithOverlayBaseDatabases(
-      overlayMatchEnabledVersions,
-      ["javascript"],
-      createFeatures([]),
-      getRunnerLogger(true),
-    );
-    t.deepEqual(result, []);
-    t.assert(
-      listStub.notCalled,
-      "Should not list Actions caches when both gating feature flags are off.",
-    );
-  },
-);
-
-test.serial(
-  "getEnabledVersionsWithOverlayBaseDatabases dry-run returns empty but lists caches",
-  async (t) => {
-    sinon.stub(api, "getAutomationID").resolves("test/");
-    const listStub = sinon.stub(api, "listActionsCaches").resolves([
-      {
-        key: await fakeOverlayBaseCacheKey("javascript", "2.20.1", "abc-1-1"),
-      },
-    ]);
-
-    const result = await setupCodeql.getEnabledVersionsWithOverlayBaseDatabases(
-      overlayMatchEnabledVersions,
-      ["javascript"],
-      createFeatures([Feature.OverlayAnalysisMatchCodeqlVersionDryRun]),
-      getRunnerLogger(true),
-    );
-    t.deepEqual(
-      result,
-      [],
-      "Dry-run should return an empty list so the caller falls back.",
-    );
-    t.assert(
-      listStub.calledOnce,
-      "Dry-run should still list Actions caches to populate the diagnostic.",
-    );
-  },
-);
-
-test.serial(
-  "getEnabledVersionsWithOverlayBaseDatabases match flag wins over dry-run",
-  async (t) => {
-    sinon.stub(api, "getAutomationID").resolves("test/");
-    sinon.stub(api, "listActionsCaches").resolves([
-      {
-        key: await fakeOverlayBaseCacheKey("javascript", "2.20.1", "abc-1-1"),
-      },
-    ]);
-
-    const result = await setupCodeql.getEnabledVersionsWithOverlayBaseDatabases(
-      overlayMatchEnabledVersions,
-      ["javascript"],
-      createFeatures([
-        Feature.OverlayAnalysisMatchCodeqlVersion,
-        Feature.OverlayAnalysisMatchCodeqlVersionDryRun,
-      ]),
-      getRunnerLogger(true),
-    );
-    t.deepEqual(result, [
-      { cliVersion: "2.20.1", tagName: "codeql-bundle-v2.20.1" },
-    ]);
-  },
-);
@@ -7,27 +7,17 @@ import { default as deepEqual } from "fast-deep-equal";
 import * as semver from "semver";
 import { v4 as uuidV4 } from "uuid";

-import {
-  isAnalyzingPullRequest,
-  isDynamicWorkflow,
-  isRunningLocalAction,
-} from "./actions-util";
+import { isDynamicWorkflow, isRunningLocalAction } from "./actions-util";
 import * as api from "./api-client";
 import * as defaults from "./defaults.json";
-import {
-  addNoLanguageDiagnostic,
-  makeDiagnostic,
-  makeTelemetryDiagnostic,
-} from "./diagnostics";
+import { addNoLanguageDiagnostic, makeDiagnostic } from "./diagnostics";
 import {
  CODEQL_VERSION_ZSTD_BUNDLE,
  CodeQLDefaultVersionInfo,
-  CodeQLVersionInfo,
  Feature,
  FeatureEnablement,
 } from "./feature-flags";
 import { Logger } from "./logging";
-import { getCodeQlVersionsForOverlayBaseDatabases } from "./overlay/caching";
 import * as tar from "./tar";
 import {
  downloadAndExtract,
@@ -274,131 +264,12 @@ async function findOverridingToolsInCache(
  return undefined;
 }

-/**
- * Returns the sorted set of enabled versions that have cached overlay-base databases for the
- * given languages, or an empty list if neither the `OverlayAnalysisMatchCodeqlVersion` nor the
- * `OverlayAnalysisMatchCodeqlVersionDryRun` feature flag is enabled. When only the dry-run flag
- * is enabled, this performs the lookup and emits a telemetry diagnostic with the version that
- * would have been chosen, but still returns an empty list so the caller falls back.
- */
-export async function getEnabledVersionsWithOverlayBaseDatabases(
-  defaultCliVersion: CodeQLDefaultVersionInfo,
-  rawLanguages: string[] | undefined,
-  features: FeatureEnablement,
-  logger: Logger,
-): Promise<CodeQLVersionInfo[]> {
-  if (rawLanguages === undefined || rawLanguages.length === 0) {
-    return [];
-  }
-  const isEnabled = await features.getValue(
-    Feature.OverlayAnalysisMatchCodeqlVersion,
-  );
-  const isDryRun =
-    !isEnabled &&
-    (await features.getValue(Feature.OverlayAnalysisMatchCodeqlVersionDryRun));
-  if (!isEnabled && !isDryRun) {
-    return [];
-  }
-
-  let cachedVersions: string[] | undefined;
-  try {
-    cachedVersions = await getCodeQlVersionsForOverlayBaseDatabases(
-      rawLanguages,
-      logger,
-    );
-  } catch (e) {
-    logger.warning(
-      "Could not list overlay-base databases in the Actions cache while choosing a default " +
-        `CodeQL CLI version, falling back to the highest enabled version. Details: ${util.getErrorMessage(e)}`,
-    );
-    return [];
-  }
-
-  if (cachedVersions === undefined || cachedVersions.length === 0) {
-    return [];
-  }
-
-  const cachedVersionsSet = new Set(cachedVersions);
-  const overlayVersions = defaultCliVersion.enabledVersions.filter((v) =>
-    cachedVersionsSet.has(v.cliVersion),
-  );
-
-  if (overlayVersions.length === 0) {
-    return [];
-  }
-
-  const isCachedVersionDifferent =
-    overlayVersions[0].cliVersion !==
-    defaultCliVersion.enabledVersions[0].cliVersion;
-
-  if (isCachedVersionDifferent) {
-    addNoLanguageDiagnostic(
-      undefined,
-      makeTelemetryDiagnostic(
-        "codeql-action/overlay-aware-default-codeql-version",
-        "Overlay-aware default CodeQL version selection",
-        {
-          cachedVersions,
-          enabledVersions: defaultCliVersion.enabledVersions.map(
-            (v) => v.cliVersion,
-          ),
-          isDryRun,
-          overlayAwareVersion: overlayVersions[0].cliVersion,
-        },
-      ),
-    );
-  }
-
-  if (isDryRun) {
-    logger.debug(
-      `Overlay-aware default CodeQL version selection is running in dry-run mode. Would have used version ${overlayVersions[0].cliVersion}.`,
-    );
-    return [];
-  }
-
-  return overlayVersions;
-}
-
-/**
- * Resolves the newest enabled default CLI version that has a cached overlay-base database for the
- * relevant languages, if running a Code Scanning analysis for a pull request and one exists.
- * Otherwise, falls back to the newest enabled default CLI version.
- */
-async function resolveDefaultCliVersion(
-  defaultCliVersion: CodeQLDefaultVersionInfo,
-  rawLanguages: string[] | undefined,
-  useOverlayAwareDefaultCliVersion: boolean,
-  features: FeatureEnablement,
-  logger: Logger,
-): Promise<CodeQLVersionInfo> {
-  if (!useOverlayAwareDefaultCliVersion || !isAnalyzingPullRequest()) {
-    return defaultCliVersion.enabledVersions[0];
-  }
-
-  const overlayVersions = await getEnabledVersionsWithOverlayBaseDatabases(
-    defaultCliVersion,
-    rawLanguages,
-    features,
-    logger,
-  );
-  if (overlayVersions.length > 0) {
-    logger.info(
-      `Using CodeQL version ${overlayVersions[0].cliVersion} since this is the ` +
-        `highest enabled version that has a cached overlay-base database.`,
-    );
-    return overlayVersions[0];
-  }
-  return defaultCliVersion.enabledVersions[0];
-}
-
 /**
 * Determines where the CodeQL CLI we want to use comes from. This can be from a local file,
 * the Actions toolcache, or a download.
 *
 * @param toolsInput The argument provided for the `tools` input, if any.
 * @param defaultCliVersion The default CLI version that's linked to the CodeQL Action.
- * @param rawLanguages Raw set of languages.
- * @param useOverlayAwareDefaultCliVersion Whether to select an overlay-aware default CLI version.
 * @param apiDetails Information about the GitHub API.
 * @param variant The GitHub variant we are running on.
 * @param tarSupportsZstd Whether zstd is supported by `tar`.
@@ -410,8 +281,6 @@ async function resolveDefaultCliVersion(
 export async function getCodeQLSource(
  toolsInput: string | undefined,
  defaultCliVersion: CodeQLDefaultVersionInfo,
-  rawLanguages: string[] | undefined,
-  useOverlayAwareDefaultCliVersion: boolean,
  apiDetails: api.GitHubApiDetails,
  variant: util.GitHubVariant,
  tarSupportsZstd: boolean,
@@ -569,15 +438,8 @@ export async function getCodeQLSource(
        }
      }

-      const version = await resolveDefaultCliVersion(
-        defaultCliVersion,
-        rawLanguages,
-        useOverlayAwareDefaultCliVersion,
-        features,
-        logger,
-      );
-      cliVersion = version.cliVersion;
-      tagName = version.tagName;
+      cliVersion = defaultCliVersion.cliVersion;
+      tagName = defaultCliVersion.tagName;
    }
  } else if (toolsInput !== undefined) {
    // If a tools URL was provided, then use that.
@@ -592,15 +454,9 @@ export async function getCodeQLSource(
      }
    }
  } else {
-    const version = await resolveDefaultCliVersion(
-      defaultCliVersion,
-      rawLanguages,
-      useOverlayAwareDefaultCliVersion,
-      features,
-      logger,
-    );
-    cliVersion = version.cliVersion;
-    tagName = version.tagName;
+    // Otherwise, use the default CLI version passed in.
+    cliVersion = defaultCliVersion.cliVersion;
+    tagName = defaultCliVersion.tagName;
  }

  const bundleVersion =
@@ -935,8 +791,6 @@ export async function setupCodeQLBundle(
  tempDir: string,
  variant: util.GitHubVariant,
  defaultCliVersion: CodeQLDefaultVersionInfo,
-  rawLanguages: string[] | undefined,
-  useOverlayAwareDefaultCliVersion: boolean,
  features: FeatureEnablement,
  logger: Logger,
 ): Promise<SetupCodeQLResult> {
@@ -950,8 +804,6 @@ export async function setupCodeQLBundle(
  const source = await getCodeQLSource(
    toolsInput,
    defaultCliVersion,
-    rawLanguages,
-    useOverlayAwareDefaultCliVersion,
    apiDetails,
    variant,
    zstdAvailability.available,
@@ -198,7 +198,6 @@ async function startProxy(
    .map((credential) => ({
      type: credential.type,
      url: credential.url,
-      "replaces-base": credential["replaces-base"],
    }));
  core.setOutput("proxy_urls", JSON.stringify(registry_urls));

@@ -8,8 +8,6 @@ import sinon from "sinon";
 import * as apiClient from "./api-client";
 import * as defaults from "./defaults.json";
 import { setUpFeatureFlagTests } from "./feature-flags/testing-util";
-import { UnvalidatedObject, validateSchema } from "./json";
-import { makeFromSchema } from "./json/testing-util";
 import { BuiltInLanguage } from "./languages";
 import { getRunnerLogger, Logger } from "./logging";
 import * as startProxyExports from "./start-proxy";
@@ -18,7 +16,6 @@ import {
  assertNotLogged,
  checkExpectedLogMessages,
  createFeatures,
-  makeMacro,
  makeTestToken,
  RecordingLogger,
  setupTests,
@@ -33,7 +30,7 @@ import {

 setupTests(test);

-const sendFailedStatusReportTest = makeMacro({
+const sendFailedStatusReportTest = test.macro({
  exec: async (
    t: ExecutionContext<unknown>,
    err: Error,
@@ -89,14 +86,16 @@ const sendFailedStatusReportTest = makeMacro({
  title: (providedTitle = "") => `sendFailedStatusReport - ${providedTitle}`,
 });

-sendFailedStatusReportTest.serial(
+test.serial(
  "reports generic error message for non-StartProxyError error",
+  sendFailedStatusReportTest,
  new Error("Something went wrong today"),
  "Error from start-proxy Action omitted (Error).",
 );

-sendFailedStatusReportTest.serial(
+test.serial(
  "reports generic error message for non-StartProxyError error with safe error message",
+  sendFailedStatusReportTest,
  new Error(
    startProxyExports.getStartProxyErrorMessage(
      startProxyExports.StartProxyErrorType.DownloadFailed,
@@ -105,8 +104,9 @@ sendFailedStatusReportTest.serial(
  "Error from start-proxy Action omitted (Error).",
 );

-sendFailedStatusReportTest.serial(
+test.serial(
  "reports generic error message for ConfigurationError error",
+  sendFailedStatusReportTest,
  new ConfigurationError("Something went wrong today"),
  "Error from start-proxy Action omitted (ConfigurationError).",
  "user-error",
@@ -349,46 +349,131 @@ test("getCredentials throws an error when non-printable characters are used", as
  }
 });

-for (const oidcSchemaInfo of startProxyExports.oidcSchemas) {
-  test(`getCredentials throws when non-printable characters are used (${oidcSchemaInfo.name} OIDC)`, (t) => {
-    const validCredential = makeFromSchema(true, oidcSchemaInfo.schema);
-    for (const key of Object.keys(validCredential)) {
-      const invalidAuthConfig = {
-        ...validCredential,
-        [key]: "123\x00",
-      };
-      const invalidCredential: startProxyExports.RawCredential = {
-        type: "nuget_feed",
-        host: `${key}.nuget.pkg.github.com`,
-        ...invalidAuthConfig,
-      };
-      const credentialsInput = toEncodedJSON([invalidCredential]);
+const validAzureCredential: startProxyExports.AzureConfig = {
+  "tenant-id": "12345678-1234-1234-1234-123456789012",
+  "client-id": "abcdef01-2345-6789-abcd-ef0123456789",
+};

-      t.throws(
-        () =>
-          startProxyExports.getCredentials(
-            getRunnerLogger(true),
-            undefined,
-            credentialsInput,
-            undefined,
-          ),
-        {
-          message:
-            "Invalid credentials - fields must contain only printable characters",
-        },
-      );
-    }
-  });
-}
+const validAwsCredential: startProxyExports.AWSConfig = {
+  "aws-region": "us-east-1",
+  "account-id": "123456789012",
+  "role-name": "MY_ROLE",
+  domain: "MY_DOMAIN",
+  "domain-owner": "987654321098",
+  audience: "custom-audience",
+};
+
+const validJFrogCredential: startProxyExports.JFrogConfig = {
+  "jfrog-oidc-provider-name": "MY_PROVIDER",
+  audience: "jfrog-audience",
+  "identity-mapping-name": "my-mapping",
+};
+
+test("getCredentials throws an error when non-printable characters are used for Azure OIDC", (t) => {
+  for (const key of Object.keys(validAzureCredential)) {
+    const invalidAzureCredential = {
+      ...validAzureCredential,
+      [key]: "123\x00",
+    };
+    const invalidCredential: startProxyExports.RawCredential = {
+      type: "nuget_feed",
+      host: `${key}.nuget.pkg.github.com`,
+      ...invalidAzureCredential,
+    };
+    const credentialsInput = toEncodedJSON([invalidCredential]);
+
+    t.throws(
+      () =>
+        startProxyExports.getCredentials(
+          getRunnerLogger(true),
+          undefined,
+          credentialsInput,
+          undefined,
+        ),
+      {
+        message:
+          "Invalid credentials - fields must contain only printable characters",
+      },
+    );
+  }
+});
+
+test("getCredentials throws an error when non-printable characters are used for AWS OIDC", (t) => {
+  for (const key of Object.keys(validAwsCredential)) {
+    const invalidAwsCredential = {
+      ...validAwsCredential,
+      [key]: "123\x00",
+    };
+    const invalidCredential: startProxyExports.RawCredential = {
+      type: "nuget_feed",
+      host: `${key}.nuget.pkg.github.com`,
+      ...invalidAwsCredential,
+    };
+    const credentialsInput = toEncodedJSON([invalidCredential]);
+
+    t.throws(
+      () =>
+        startProxyExports.getCredentials(
+          getRunnerLogger(true),
+          undefined,
+          credentialsInput,
+          undefined,
+        ),
+      {
+        message:
+          "Invalid credentials - fields must contain only printable characters",
+      },
+    );
+  }
+});
+
+test("getCredentials throws an error when non-printable characters are used for JFrog OIDC", (t) => {
+  for (const key of Object.keys(validJFrogCredential)) {
+    const invalidJFrogCredential = {
+      ...validJFrogCredential,
+      [key]: "123\x00",
+    };
+    const invalidCredential: startProxyExports.RawCredential = {
+      type: "nuget_feed",
+      host: `${key}.nuget.pkg.github.com`,
+      ...invalidJFrogCredential,
+    };
+    const credentialsInput = toEncodedJSON([invalidCredential]);
+
+    t.throws(
+      () =>
+        startProxyExports.getCredentials(
+          getRunnerLogger(true),
+          undefined,
+          credentialsInput,
+          undefined,
+        ),
+      {
+        message:
+          "Invalid credentials - fields must contain only printable characters",
+      },
+    );
+  }
+});

 test("getCredentials accepts OIDC configurations", (t) => {
-  const oidcConfigurations = startProxyExports.oidcSchemas.map(
-    (schemaInfo) => ({
+  const oidcConfigurations = [
+    {
      type: "nuget_feed",
-      host: `${schemaInfo.name.toLowerCase()}.pkg.github.com`,
-      ...makeFromSchema(true, schemaInfo.schema),
-    }),
-  );
+      host: "azure.pkg.github.com",
+      ...validAzureCredential,
+    },
+    {
+      type: "nuget_feed",
+      host: "aws.pkg.github.com",
+      ...validAwsCredential,
+    },
+    {
+      type: "nuget_feed",
+      host: "jfrog.pkg.github.com",
+      ...validJFrogCredential,
+    },
+  ];

  const credentials = startProxyExports.getCredentials(
    getRunnerLogger(true),
@@ -396,23 +481,15 @@ test("getCredentials accepts OIDC configurations", (t) => {
    toEncodedJSON(oidcConfigurations),
    BuiltInLanguage.csharp,
  );
-  t.is(credentials.length, startProxyExports.oidcSchemas.length);
+  t.is(credentials.length, 3);

  t.assert(credentials.every((c) => c.type === "nuget_feed"));
-
-  for (const oidcSchemaInfo of startProxyExports.oidcSchemas) {
-    t.assert(
-      credentials.some((c) =>
-        validateSchema(
-          oidcSchemaInfo.schema,
-          c as unknown as UnvalidatedObject<any>,
-        ),
-      ),
-    );
-  }
+  t.assert(credentials.some((c) => startProxyExports.isAzureConfig(c)));
+  t.assert(credentials.some((c) => startProxyExports.isAWSConfig(c)));
+  t.assert(credentials.some((c) => startProxyExports.isJFrogConfig(c)));
 });

-const getCredentialsMacro = makeMacro({
+const getCredentialsMacro = test.macro({
  exec: async (
    t: ExecutionContext<unknown>,
    credentials: startProxyExports.RawCredential[],
@@ -438,8 +515,9 @@ const getCredentialsMacro = makeMacro({
  title: (providedTitle = "") => `getCredentials - ${providedTitle}`,
 });

-getCredentialsMacro(
+test(
  "warns for PAT-like password without a username",
+  getCredentialsMacro,
  [
    {
      type: "git_server",
@@ -454,7 +532,7 @@ getCredentialsMacro(
    t.is(results[0].type, "git_server");
    t.is(results[0].host, "https://github.com/");

-    if (startProxyExports.hasUsernameAndPassword(results[0])) {
+    if (startProxyExports.isUsernamePassword(results[0])) {
      t.assert(results[0].password?.startsWith("ghp_"));
    } else {
      t.fail("Expected a `UsernamePassword`-based credential.");
@@ -467,8 +545,9 @@ getCredentialsMacro(
  },
 );

-getCredentialsMacro(
+test(
  "no warning for PAT-like password with a username",
+  getCredentialsMacro,
  [
    {
      type: "git_server",
@@ -484,7 +563,7 @@ getCredentialsMacro(
    t.is(results[0].type, "git_server");
    t.is(results[0].host, "https://github.com/");

-    if (startProxyExports.hasUsernameAndPassword(results[0])) {
+    if (startProxyExports.isUsernamePassword(results[0])) {
      t.assert(results[0].password?.startsWith("ghp_"));
    } else {
      t.fail("Expected a `UsernamePassword`-based credential.");
@@ -498,8 +577,9 @@ getCredentialsMacro(
  },
 );

-getCredentialsMacro(
+test(
  "warns for PAT-like token without a username",
+  getCredentialsMacro,
  [
    {
      type: "git_server",
@@ -527,8 +607,9 @@ getCredentialsMacro(
  },
 );

-getCredentialsMacro(
+test(
  "no warning for PAT-like token with a username",
+  getCredentialsMacro,
  [
    {
      type: "git_server",
@@ -558,76 +639,6 @@ getCredentialsMacro(
  },
 );

-test("getCredentials validates 'replaces-base' correctly", async (t) => {
-  // Valid cases.
-  const credentialsInput = toEncodedJSON([
-    {
-      type: "maven_repository",
-      host: "maven1.pkg.github.com",
-      token: "abc",
-      "replaces-base": false,
-    },
-    {
-      type: "maven_repository",
-      host: "maven2.pkg.github.com",
-      token: "def",
-      "replaces-base": true,
-    },
-    {
-      type: "maven_repository",
-      host: "maven3.pkg.github.com",
-      token: "ghi",
-    },
-  ]);
-
-  const credentials = startProxyExports.getCredentials(
-    getRunnerLogger(true),
-    undefined,
-    credentialsInput,
-    BuiltInLanguage.java,
-    false,
-  );
-
-  t.is(credentials.length, 3);
-  t.true(credentials.some((c) => c["replaces-base"] === true));
-  t.true(credentials.some((c) => c["replaces-base"] === false));
-  t.true(credentials.some((c) => c["replaces-base"] === undefined));
-
-  // Invalid cases.
-  const baseInvalid = {
-    type: "maven_repository",
-    host: "maven4.pkg.github.com",
-    token: "jkl",
-  };
-  t.throws(() =>
-    startProxyExports.getCredentials(
-      getRunnerLogger(true),
-      undefined,
-      toEncodedJSON([{ ...baseInvalid, "replaces-base": null }]),
-      BuiltInLanguage.actions,
-      false,
-    ),
-  );
-  t.throws(() =>
-    startProxyExports.getCredentials(
-      getRunnerLogger(true),
-      undefined,
-      toEncodedJSON([{ ...baseInvalid, "replaces-base": 123 }]),
-      BuiltInLanguage.actions,
-      false,
-    ),
-  );
-  t.throws(() =>
-    startProxyExports.getCredentials(
-      getRunnerLogger(true),
-      undefined,
-      toEncodedJSON([{ ...baseInvalid, "replaces-base": "true" }]),
-      BuiltInLanguage.actions,
-      false,
-    ),
-  );
-});
-
 test("getCredentials returns all credentials for Actions when using LANGUAGE_TO_REGISTRY_TYPE", async (t) => {
  const credentialsInput = toEncodedJSON(mixedCredentials);

@@ -790,7 +801,7 @@ test.serial(
  },
 );

-const wrapFailureTest = makeMacro({
+const wrapFailureTest = test.macro({
  exec: async (
    t: ExecutionContext<unknown>,
    setup: () => void,
@@ -821,8 +832,9 @@ test.serial("downloadProxy - returns file path on success", async (t) => {
  });
 });

-wrapFailureTest.serial(
+test.serial(
  "downloadProxy",
+  wrapFailureTest,
  () => {
    sinon.stub(toolcache, "downloadTool").throws();
  },
@@ -841,8 +853,9 @@ test.serial("extractProxy - returns file path on success", async (t) => {
  });
 });

-wrapFailureTest.serial(
+test.serial(
  "extractProxy",
+  wrapFailureTest,
  () => {
    sinon.stub(toolcache, "extractTar").throws();
  },
@@ -866,8 +879,9 @@ test.serial("cacheProxy - returns file path on success", async (t) => {
  });
 });

-wrapFailureTest.serial(
+test.serial(
  "cacheProxy",
+  wrapFailureTest,
  () => {
    sinon.stub(toolcache, "cacheDir").throws();
  },
@@ -1010,10 +1024,8 @@ test.serial(
        return true;
      });
      const getDefaultCliVersion = sinon
-        .stub(features, "getEnabledDefaultCliVersions")
-        .resolves({
-          enabledVersions: [{ cliVersion: "2.20.1", tagName: expectedTag }],
-        });
+        .stub(features, "getDefaultCliVersion")
+        .resolves({ cliVersion: "2.20.1", tagName: expectedTag });
      const path = await startProxyExports.getProxyBinaryPath(logger, features);

      t.assert(getDefaultCliVersion.calledOnce);
@@ -24,12 +24,20 @@ import {
  Address,
  Registry,
  Credential,
-  hasToken,
-  hasUsernameAndPassword,
+  AuthConfig,
+  isToken,
+  isAzureConfig,
+  Token,
+  UsernamePassword,
+  AzureConfig,
+  isAWSConfig,
+  AWSConfig,
+  isJFrogConfig,
+  JFrogConfig,
+  isUsernamePassword,
  hasUsername,
  RawCredential,
 } from "./start-proxy/types";
-import { getAuthConfig } from "./start-proxy/validation";
 import {
  ActionName,
  createStatusReportBase,
@@ -243,6 +251,75 @@ function getRegistryAddress(
  }
 }

+/** Extracts an `AuthConfig` value from `config`. */
+export function getAuthConfig(
+  config: json.UnvalidatedObject<AuthConfig>,
+): AuthConfig {
+  // Start by checking for the OIDC configurations, since they have required properties
+  // which we can use to identify them.
+  if (isAzureConfig(config)) {
+    return {
+      "tenant-id": config["tenant-id"],
+      "client-id": config["client-id"],
+    } satisfies AzureConfig;
+  } else if (isAWSConfig(config)) {
+    return {
+      "aws-region": config["aws-region"],
+      "account-id": config["account-id"],
+      "role-name": config["role-name"],
+      domain: config.domain,
+      "domain-owner": config["domain-owner"],
+      audience: config.audience,
+    } satisfies AWSConfig;
+  } else if (isJFrogConfig(config)) {
+    return {
+      "jfrog-oidc-provider-name": config["jfrog-oidc-provider-name"],
+      "identity-mapping-name": config["identity-mapping-name"],
+      audience: config.audience,
+    } satisfies JFrogConfig;
+  } else if (isToken(config)) {
+    // There are three scenarios for non-OIDC authentication based on the registry type:
+    //
+    // 1. `username`+`token`
+    // 2. A `token` that combines the username and actual token, separated by ':'.
+    // 3. `username`+`password`
+    //
+    // In all three cases, all fields are optional. If the `token` field is present,
+    // we accept the configuration as a `Token` typed configuration, with the `token`
+    // value and an optional `username`. Otherwise, we accept the configuration
+    // typed as `UsernamePassword` (in the `else` clause below) with optional
+    // username and password. I.e. a private registry type that uses 1. or 2.,
+    // but has no `token` configured, will get accepted as `UsernamePassword` here.
+
+    if (isDefined(config.token)) {
+      // Mask token to reduce chance of accidental leakage in logs, if we have one.
+      core.setSecret(config.token);
+    }
+
+    return { username: config.username, token: config.token } satisfies Token;
+  } else {
+    let username: string | undefined = undefined;
+    let password: string | undefined = undefined;
+
+    // Both "username" and "password" are optional. If we have reached this point, we need
+    // to validate which of them are present and that they have the correct type if so.
+    if ("password" in config && json.isString(config.password)) {
+      // Mask password to reduce chance of accidental leakage in logs, if we have one.
+      core.setSecret(config.password);
+      password = config.password;
+    }
+    if ("username" in config && json.isString(config.username)) {
+      username = config.username;
+    }
+
+    // Return the `UsernamePassword` object. Both username and password may be undefined.
+    return {
+      username,
+      password,
+    } satisfies UsernamePassword;
+  }
+}
+
 // getCredentials returns registry credentials from action inputs.
 // It prefers `registries_credentials` over `registry_secrets`.
 // If neither is set, it returns an empty array.
@@ -331,11 +408,11 @@ export function getCredentials(
    const noUsername =
      !hasUsername(authConfig) || !isDefined(authConfig.username);
    const passwordIsPAT =
-      hasUsernameAndPassword(authConfig) &&
+      isUsernamePassword(authConfig) &&
      isDefined(authConfig.password) &&
      isPAT(authConfig.password);
    const tokenIsPAT =
-      hasToken(authConfig) &&
+      isToken(authConfig) &&
      isDefined(authConfig.token) &&
      isPAT(authConfig.token);

@@ -347,25 +424,8 @@ export function getCredentials(
      );
    }

-    // Construct the base credential object.
-    const baseCredential: Omit<Registry, keyof Address> = { type: e.type };
-
-    // If "replaces-base" is present, it must be a boolean.
-    if ("replaces-base" in e) {
-      if (
-        isDefined(e["replaces-base"]) &&
-        typeof e["replaces-base"] === "boolean"
-      ) {
-        baseCredential["replaces-base"] = e["replaces-base"];
-      } else {
-        throw new ConfigurationError(
-          "Invalid credentials - 'replaces-base' must be a boolean",
-        );
-      }
-    }
-
    out.push({
-      ...baseCredential,
+      type: e.type,
      ...authConfig,
      ...address,
    });
@@ -415,7 +475,7 @@ async function getCliVersionFromFeatures(
  features: FeatureEnablement,
 ): Promise<CodeQLDefaultVersionInfo> {
  const gitHubVersion = await getGitHubVersion();
-  return await features.getEnabledDefaultCliVersions(gitHubVersion.type);
+  return await features.getDefaultCliVersion(gitHubVersion.type);
 }

 /**
@@ -440,7 +500,7 @@ export async function getDownloadUrl(
    // Retrieve information about the CLI version we should use. This will be either the linked
    // version, or the one enabled by FFs.
    const versionInfo = useFeaturesToDetermineCLI
-      ? (await getCliVersionFromFeatures(features)).enabledVersions[0]
+      ? await getCliVersionFromFeatures(features)
      : {
          cliVersion: defaults.cliVersion,
          tagName: defaults.bundleVersion,
@@ -1,6 +1,5 @@
 import test from "ava";

-import { makeFromSchema, withSchemaMatrix } from "../json/testing-util";
 import { setupTests } from "../testing-utils";

 import * as types from "./types";
@@ -27,38 +26,6 @@ const validJFrogCredential: types.JFrogConfig = {
  "identity-mapping-name": "my-mapping",
 };

-test("hasUsername", (t) => {
-  // Reject the case where `username` is missing.
-  t.false(types.hasUsername({}));
-
-  // Test all cases where `username` is present.
-  withSchemaMatrix(
-    t,
-    types.usernameSchema,
-    { excludeAbsent: true },
-    (value) => {
-      t.true(types.hasUsername(value));
-    },
-  );
-});
-
-test("hasUsernameAndPassword", (t) => {
-  // Reject cases where `username` or `password` are missing.
-  t.false(types.hasUsernameAndPassword({}));
-  t.false(types.hasUsernameAndPassword({ username: "foo" }));
-  t.false(types.hasUsernameAndPassword({ password: "foo" }));
-
-  // Test all cases where both `username` and `password` are present.
-  withSchemaMatrix(
-    t,
-    types.usernamePasswordSchema,
-    { excludeAbsent: true },
-    (value) => {
-      t.true(types.hasUsernameAndPassword(value));
-    },
-  );
-});
-
 test("credentialToStr - pretty-prints valid username+password configurations", (t) => {
  const secret = "password123";
  const credential: types.Credential = {
@@ -140,46 +107,13 @@ test("credentialToStr - pretty-prints valid JFrog OIDC configurations", (t) => {
  );
 });

-test("credentialToStr - pretty-prints valid Cloudsmith OIDC configurations", (t) => {
-  const credential: types.Credential = {
-    type: "maven_credential",
-    url: "https://localhost",
-    ...(makeFromSchema(
-      true,
-      types.cloudsmithConfigSchema,
-    ) as types.CloudsmithConfig),
-  };
-
-  const str = types.credentialToStr(credential);
-
-  t.is(
-    "Type: maven_credential; Url: https://localhost; Cloudsmith Namespace: value-for-namespace; Cloudsmith Service Slug: value-for-service-slug; Cloudsmith API Host: value-for-api-host;",
-    str,
-  );
-});
-
-test("credentialToStr - pretty-prints valid GCP OIDC configurations", (t) => {
-  const credential: types.Credential = {
-    type: "maven_credential",
-    url: "https://localhost",
-    ...(makeFromSchema(true, types.gcpConfigSchema) as types.GCPConfig),
-  };
-
-  const str = types.credentialToStr(credential);
-
-  t.is(
-    "Type: maven_credential; Url: https://localhost; GCP Workload Identity Provider: value-for-workload-identity-provider; GCP Service Account: value-for-service-account; GCP Audience: value-for-audience;",
-    str,
-  );
-});
-
 test("credentialToStr - hides passwords", (t) => {
  const secret = "password123";
  const credential = {
    type: "maven_credential",
    password: secret,
    url: "https://localhost",
-  } satisfies types.Credential;
+  };

  const str = types.credentialToStr(credential);

@@ -193,7 +127,7 @@ test("credentialToStr - hides tokens", (t) => {
    type: "maven_credential",
    token: secret,
    url: "https://localhost",
-  } satisfies types.Credential;
+  };

  const str = types.credentialToStr(credential);

@@ -9,177 +9,144 @@ import { isDefined } from "../util";
 */
 export type RawCredential = UnvalidatedObject<Credential>;

-/** A schema for credential objects with a username. */
-export const usernameSchema = {
-  /** The username needed to authenticate to the package registry, if any. */
-  username: json.optional(json.string),
-} as const satisfies json.Schema;
-
 /** Usernames may be present for both authentication with tokens or passwords. */
-export type Username = json.FromSchema<typeof usernameSchema>;
+export type Username = {
+  /** The username needed to authenticate to the package registry, if any. */
+  username?: string;
+};

-/**
- * Narrows `config` to `Username` if `config` has a `username` property.
- * Not used for validation. Assumes that `config` is already a validated `AuthConfig`.
- */
+/** Decides whether `config` has a username. */
 export function hasUsername(config: AuthConfig): config is Username {
  return "username" in config;
 }

-/** A schema for credential objects with a username and password. */
-export const usernamePasswordSchema = {
-  /** The password needed to authenticate to the package registry, if any. */
-  password: json.optional(json.string),
-  ...usernameSchema,
-} as const satisfies json.Schema;
-
 /**
 * Fields expected for authentication based on a username and password.
 * Both username and password are optional.
 */
-export type UsernamePassword = json.FromSchema<typeof usernamePasswordSchema>;
+export type UsernamePassword = {
+  /** The password needed to authenticate to the package registry, if any. */
+  password?: string;
+} & Username;

-/**
- * Narrows `config` to `UsernamePassword` if it has a `username` and `password` property.
- * Not used for validation. Assumes that `config` is already a validated `AuthConfig`.
- */
-export function hasUsernameAndPassword(
+/** Decides whether `config` is based on a username and password. */
+export function isUsernamePassword(
  config: AuthConfig,
 ): config is UsernamePassword {
  return hasUsername(config) && "password" in config;
 }

-/** A schema for credential objects for token-based authentication. */
-export const tokenSchema = {
-  /** The token needed to authenticate to the package registry, if any. */
-  token: json.optional(json.string),
-  ...usernameSchema,
-} as const satisfies json.Schema;
-
 /**
 * Fields expected for token-based authentication.
 * Both username and token are optional.
 */
-export type Token = json.FromSchema<typeof tokenSchema>;
-
-/**
- * Narrows `config` to `Token` if it has a `token` property.
- * Not used for validation. Assumes that `config` is already a validated `AuthConfig`.
- */
-export function hasToken(config: AuthConfig): config is Token {
-  return "token" in config;
-}
+export type Token = {
+  /** The token needed to authenticate to the package registry, if any. */
+  token?: string;
+} & Username;

 /** Decides whether `config` is token-based. */
 export function isToken(
  config: UnvalidatedObject<AuthConfig>,
 ): config is Token {
-  return "token" in config && json.validateSchema(tokenSchema, config);
+  // The "username" field is optional, but should be a string if present.
+  if ("username" in config && !json.isStringOrUndefined(config.username)) {
+    return false;
+  }
+
+  // The "token" field is required, and must be a string or undefined.
+  return "token" in config && json.isStringOrUndefined(config.token);
 }

-/** A schema for Azure OIDC configurations. */
-export const azureConfigSchema = {
-  "tenant-id": json.string,
-  "client-id": json.string,
-} as const satisfies json.Schema;
-
 /** Configuration for Azure OIDC. */
-export type AzureConfig = json.FromSchema<typeof azureConfigSchema>;
+export type AzureConfig = { "tenant-id": string; "client-id": string };

 /** Decides whether `config` is an Azure OIDC configuration. */
 export function isAzureConfig(
  config: UnvalidatedObject<AuthConfig>,
 ): config is AzureConfig {
-  return json.validateSchema(azureConfigSchema, config);
+  return (
+    "tenant-id" in config &&
+    "client-id" in config &&
+    isDefined(config["tenant-id"]) &&
+    isDefined(config["client-id"]) &&
+    json.isString(config["tenant-id"]) &&
+    json.isString(config["client-id"])
+  );
 }

-/** A schema for AWS OIDC configurations. */
-export const awsConfigSchema = {
-  "aws-region": json.string,
-  "account-id": json.string,
-  "role-name": json.string,
-  domain: json.string,
-  "domain-owner": json.string,
-  audience: json.optional(json.string),
-} as const satisfies json.Schema;
-
 /** Configuration for AWS OIDC. */
-export type AWSConfig = json.FromSchema<typeof awsConfigSchema>;
+export type AWSConfig = {
+  "aws-region": string;
+  "account-id": string;
+  "role-name": string;
+  domain: string;
+  "domain-owner": string;
+  audience?: string;
+};

 /** Decides whether `config` is an AWS OIDC configuration. */
 export function isAWSConfig(
  config: UnvalidatedObject<AuthConfig>,
 ): config is AWSConfig {
-  return json.validateSchema(awsConfigSchema, config);
+  // All of these properties are required.
+  const requiredProperties = [
+    "aws-region",
+    "account-id",
+    "role-name",
+    "domain",
+    "domain-owner",
+  ];
+
+  for (const property of requiredProperties) {
+    if (
+      !(property in config) ||
+      !isDefined(config[property]) ||
+      !json.isString(config[property])
+    ) {
+      return false;
+    }
+  }
+
+  // The "audience" field is optional, but should be a string if present.
+  if ("audience" in config && !json.isStringOrUndefined(config.audience)) {
+    return false;
+  }
+
+  return true;
 }

-/** A schema for JFrog OIDC configurations. */
-export const jfrogConfigSchema = {
-  "jfrog-oidc-provider-name": json.string,
-  audience: json.optional(json.string),
-  "identity-mapping-name": json.optional(json.string),
-} as const satisfies json.Schema;
-
 /** Configuration for JFrog OIDC. */
-export type JFrogConfig = json.FromSchema<typeof jfrogConfigSchema>;
+export type JFrogConfig = {
+  "jfrog-oidc-provider-name": string;
+  audience?: string;
+  "identity-mapping-name"?: string;
+};

 /** Decides whether `config` is a JFrog OIDC configuration. */
 export function isJFrogConfig(
  config: UnvalidatedObject<AuthConfig>,
 ): config is JFrogConfig {
-  return json.validateSchema(jfrogConfigSchema, config);
+  // The "audience" and "identity-mapping-name" fields are optional, but should be strings if present.
+  if ("audience" in config && !json.isStringOrUndefined(config.audience)) {
+    return false;
+  }
+  if (
+    "identity-mapping-name" in config &&
+    !json.isStringOrUndefined(config["identity-mapping-name"])
+  ) {
+    return false;
+  }
+
+  return (
+    "jfrog-oidc-provider-name" in config &&
+    isDefined(config["jfrog-oidc-provider-name"]) &&
+    json.isString(config["jfrog-oidc-provider-name"])
+  );
 }

-/** A schema for Cloudsmith OIDC configurations. */
-export const cloudsmithConfigSchema = {
-  namespace: json.string,
-  "service-slug": json.string,
-  "api-host": json.string,
-} as const satisfies json.Schema;
-
-/** Configuration for Cloudsmith OIDC. */
-export type CloudsmithConfig = json.FromSchema<typeof cloudsmithConfigSchema>;
-
-/** Decides whether `config` is a Cloudsmith OIDC configuration. */
-export function isCloudsmithConfig(
-  config: UnvalidatedObject<AuthConfig>,
-): config is CloudsmithConfig {
-  return json.validateSchema(cloudsmithConfigSchema, config);
-}
-
-/** A schema for GCP OIDC configurations. */
-export const gcpConfigSchema = {
-  "workload-identity-provider": json.string,
-  "service-account": json.optional(json.string),
-  audience: json.optional(json.string),
-} as const satisfies json.Schema;
-
-/** Configuration for GCP OIDC. */
-export type GCPConfig = json.FromSchema<typeof gcpConfigSchema>;
-
-/** Decides whether `config` is a GCP OIDC configuration. */
-export function isGCPConfig(
-  config: UnvalidatedObject<AuthConfig>,
-): config is GCPConfig {
-  return json.validateSchema(gcpConfigSchema, config);
-}
-
-/** An array of all OIDC configuration schemas along with output-friendly names. */
-export const oidcSchemas = [
-  { schema: azureConfigSchema, name: "Azure" },
-  { schema: awsConfigSchema, name: "AWS" },
-  { schema: jfrogConfigSchema, name: "JFrog" },
-  { schema: cloudsmithConfigSchema, name: "Cloudsmith" },
-  { schema: gcpConfigSchema, name: "GCP" },
-];
-
 /** Represents all supported OIDC configurations. */
-export type OIDC =
-  | AzureConfig
-  | AWSConfig
-  | JFrogConfig
-  | CloudsmithConfig
-  | GCPConfig;
+export type OIDC = AzureConfig | AWSConfig | JFrogConfig;

 /** All authentication-related fields. */
 export type AuthConfig = UsernamePassword | Token | OIDC;
@@ -198,7 +165,7 @@ export type Credential = AuthConfig & Registry;
 export function credentialToStr(credential: Credential): string {
  let result: string = `Type: ${credential.type};`;

-  const appendIfDefined = (name: string, val: string | undefined | null) => {
+  const appendIfDefined = (name: string, val: string | undefined) => {
    if (isDefined(val)) {
      result += ` ${name}: ${val};`;
    }
@@ -217,7 +184,7 @@ export function credentialToStr(credential: Credential): string {
      isDefined(credential.password) ? "***" : undefined,
    );
  }
-  if (hasToken(credential)) {
+  if (isToken(credential)) {
    appendIfDefined("Token", isDefined(credential.token) ? "***" : undefined);
  }

@@ -238,17 +205,6 @@ export function credentialToStr(credential: Credential): string {
      credential["identity-mapping-name"],
    );
    appendIfDefined("JFrog Audience", credential.audience);
-  } else if (isCloudsmithConfig(credential)) {
-    appendIfDefined("Cloudsmith Namespace", credential.namespace);
-    appendIfDefined("Cloudsmith Service Slug", credential["service-slug"]);
-    appendIfDefined("Cloudsmith API Host", credential["api-host"]);
-  } else if (isGCPConfig(credential)) {
-    appendIfDefined(
-      "GCP Workload Identity Provider",
-      credential["workload-identity-provider"],
-    );
-    appendIfDefined("GCP Service Account", credential["service-account"]);
-    appendIfDefined("GCP Audience", credential.audience);
  }

  return result;
@@ -258,8 +214,6 @@ export function credentialToStr(credential: Credential): string {
 export type Registry = {
  /** The type of the package registry. */
  type: string;
-  /** Whether the registry replaces the base registry for the ecosystem. */
-  "replaces-base"?: boolean;
 } & Address;

 // If a registry has an `url`, then that takes precedence over the `host` which may or may
@@ -1,69 +0,0 @@
-import test from "ava";
-
-import * as json from "../json";
-import { makeFromSchema } from "../json/testing-util";
-import { setupTests } from "../testing-utils";
-
-import * as types from "./types";
-import { getAuthConfig } from "./validation";
-
-setupTests(test);
-
-for (const schemaTest of types.oidcSchemas) {
-  for (const includeOptional of [true, false]) {
-    const minimalName = includeOptional ? "full" : "minimal";
-
-    test(`getAuthConfig - ${schemaTest.name} - ${minimalName}`, async (t) => {
-      const config = makeFromSchema(includeOptional, schemaTest.schema);
-
-      t.deepEqual(
-        getAuthConfig({
-          ...config,
-          unexpected: "unexpected-value",
-        } as unknown as json.UnvalidatedObject<types.AuthConfig>),
-        config,
-      );
-    });
-  }
-}
-
-test("getAuthConfig - token", async (t) => {
-  const config = makeFromSchema(true, types.tokenSchema);
-
-  t.deepEqual(
-    getAuthConfig({
-      ...config,
-      unexpected: "unexpected-value",
-    } as json.UnvalidatedObject<types.AuthConfig>),
-    config,
-  );
-});
-
-test("getAuthConfig - username and password", async (t) => {
-  const config = makeFromSchema(true, types.usernamePasswordSchema);
-
-  t.deepEqual(
-    getAuthConfig({
-      ...config,
-      unexpected: "unexpected-value",
-    } as json.UnvalidatedObject<types.AuthConfig>),
-    config,
-  );
-});
-
-test("getAuthConfig - empty", async (t) => {
-  const config = makeFromSchema(false, types.usernamePasswordSchema);
-
-  // Since the purpose of constructing the `AuthConfig` values is for
-  // serialisation to JSON so that they can be passed to the proxy as configuration,
-  // we only care that the stringified JSON representations are the same.
-  t.deepEqual(
-    JSON.stringify(
-      getAuthConfig({
-        ...config,
-        unexpected: "unexpected-value",
-      } as json.UnvalidatedObject<types.AuthConfig>),
-    ),
-    JSON.stringify({}),
-  );
-});
@@ -1,81 +0,0 @@
-import * as core from "@actions/core";
-
-import * as json from "../json";
-import { isDefined } from "../util";
-
-import type { AuthConfig, UsernamePassword } from "./types";
-import * as types from "./types";
-
-/** Constructs a new object from `obj` with only keys that exist in `schema`. */
-export function cloneCredential<S extends json.Schema>(
-  schema: S,
-  obj: json.FromSchema<S>,
-): json.FromSchema<S> {
-  const result = {};
-
-  for (const key of Object.keys(schema)) {
-    // Skip keys that don't exist or don't have a value.
-    if (!isDefined(obj[key])) {
-      continue;
-    }
-    result[key] = obj[key];
-  }
-
-  return result as json.FromSchema<S>;
-}
-
-/** Extracts an `AuthConfig` value from `config`. */
-export function getAuthConfig(
-  config: json.UnvalidatedObject<AuthConfig>,
-): AuthConfig {
-  // Start by checking for the OIDC configurations, since they have required properties
-  // which we can use to identify them.
-  for (const oidcSchema of types.oidcSchemas) {
-    if (json.validateSchema(oidcSchema.schema, config)) {
-      return cloneCredential(oidcSchema.schema, config);
-    }
-  }
-
-  // Otherwise, try the basic configuration types.
-  if (types.isToken(config)) {
-    // There are three scenarios for non-OIDC authentication based on the registry type:
-    //
-    // 1. `username`+`token`
-    // 2. A `token` that combines the username and actual token, separated by ':'.
-    // 3. `username`+`password`
-    //
-    // In all three cases, all fields are optional. If the `token` field is present,
-    // we accept the configuration as a `Token` typed configuration, with the `token`
-    // value and an optional `username`. Otherwise, we accept the configuration
-    // typed as `UsernamePassword` (in the `else` clause below) with optional
-    // username and password. I.e. a private registry type that uses 1. or 2.,
-    // but has no `token` configured, will get accepted as `UsernamePassword` here.
-
-    if (isDefined(config.token)) {
-      // Mask token to reduce chance of accidental leakage in logs, if we have one.
-      core.setSecret(config.token);
-    }
-
-    return cloneCredential(types.tokenSchema, config);
-  } else {
-    let username: string | undefined = undefined;
-    let password: string | undefined = undefined;
-
-    // Both "username" and "password" are optional. If we have reached this point, we need
-    // to validate which of them are present and that they have the correct type if so.
-    if ("password" in config && json.isString(config.password)) {
-      // Mask password to reduce chance of accidental leakage in logs, if we have one.
-      core.setSecret(config.password);
-      password = config.password;
-    }
-    if ("username" in config && json.isString(config.username)) {
-      username = config.username;
-    }
-
-    // Return the `UsernamePassword` object. Both username and password may be undefined.
-    return {
-      username,
-      password,
-    } satisfies UsernamePassword;
-  }
-}
@@ -19,7 +19,6 @@ import {
  setupTests,
  setupActionsVars,
  createTestConfig,
-  makeMacro,
 } from "./testing-utils";
 import { BuildMode, ConfigurationError, withTmpDir, wrapError } from "./util";

@@ -292,9 +291,10 @@ test.serial(
  },
 );

-const testCreateInitWithConfigStatusReport = makeMacro({
+const testCreateInitWithConfigStatusReport = test.macro({
  exec: async (
    t,
+    _title: string,
    config: Config,
    expectedReportProperties: Partial<InitWithConfigStatusReport>,
  ) => {
@@ -337,10 +337,11 @@ const testCreateInitWithConfigStatusReport = makeMacro({
      }
    });
  },
-  title: (title) => `createInitWithConfigStatusReport: ${title}`,
+  title: (_, title) => `createInitWithConfigStatusReport: ${title}`,
 });

-testCreateInitWithConfigStatusReport.serial(
+test.serial(
+  testCreateInitWithConfigStatusReport,
  "returns a value",
  createTestConfig({
    buildMode: BuildMode.None,
@@ -354,7 +355,8 @@ testCreateInitWithConfigStatusReport.serial(
  },
 );

-testCreateInitWithConfigStatusReport.serial(
+test.serial(
+  testCreateInitWithConfigStatusReport,
  "includes packs for a single language",
  createTestConfig({
    buildMode: BuildMode.None,
@@ -370,7 +372,8 @@ testCreateInitWithConfigStatusReport.serial(
  },
 );

-testCreateInitWithConfigStatusReport.serial(
+test.serial(
+  testCreateInitWithConfigStatusReport,
  "includes packs for multiple languages",
  createTestConfig({
    buildMode: BuildMode.None,
@@ -2,11 +2,7 @@ import { TextDecoder } from "node:util";
 import path from "path";

 import * as github from "@actions/github";
-import test, {
-  type ExecutionContext,
-  type MacroDeclarationOptions,
-  type TestFn,
-} from "ava";
+import { ExecutionContext, TestFn } from "ava";
 import nock from "nock";
 import * as sinon from "sinon";

@@ -40,20 +36,16 @@ export const SAMPLE_DOTCOM_API_DETAILS = {
  apiURL: "https://api.github.com",
 };

+export const SAMPLE_DEFAULT_CLI_VERSION: CodeQLDefaultVersionInfo = {
+  cliVersion: "2.20.0",
+  tagName: "codeql-bundle-v2.20.0",
+};
+
 export const LINKED_CLI_VERSION = {
  cliVersion: defaults.cliVersion,
  tagName: defaults.bundleVersion,
 };

-export const SAMPLE_DEFAULT_CLI_VERSION: CodeQLDefaultVersionInfo = {
-  enabledVersions: [
-    {
-      cliVersion: "2.20.0",
-      tagName: "codeql-bundle-v2.20.0",
-    },
-  ],
-};
-
 type TestContext = {
  stdoutWrite: any;
  stderrWrite: any;
@@ -93,8 +85,8 @@ function wrapOutput(context: TestContext) {
  };
 }

-export function setupTests(testFn: TestFn<any>) {
-  const typedTest = testFn as TestFn<TestContext>;
+export function setupTests(test: TestFn<any>) {
+  const typedTest = test as TestFn<TestContext>;

  typedTest.beforeEach((t) => {
    // Set an empty CodeQL object so that all method calls will fail
@@ -147,26 +139,6 @@ export function setupTests(testFn: TestFn<any>) {
  });
 }

-/**
- * Declare a reusable test implementation, with better type safety than `test.macro`.
- */
-export function makeMacro<Args extends unknown[]>(
-  decl: MacroDeclarationOptions<Args, unknown>,
-) {
-  const m = test.macro<Args>(decl);
-
-  const wrapper = (name: string, ...args: Args) => test(name, m, ...args);
-  wrapper.test = (...args: Args) => test(m, ...args);
-  wrapper.serial = (name: string, ...args: Args) =>
-    test.serial(name, m, ...args);
-  // Make the implementation available as `fn`. We don't call it `exec` so
-  // that results from this function are not valid arguments to `test`
-  // or `test.serial`.
-  wrapper.fn = decl.exec;
-
-  return wrapper;
-}
-
 /**
 * Default values for environment variables typically set in an Actions
 * environment. Tests can override individual variables by passing them in the
@@ -470,7 +442,7 @@ export function mockCodeQLVersion(
 */
 export function createFeatures(enabledFeatures: Feature[]): FeatureEnablement {
  return {
-    getEnabledDefaultCliVersions: async () => {
+    getDefaultCliVersion: async () => {
      throw new Error("not implemented");
    },
    getValue: async (feature) => {
@@ -156,8 +156,9 @@ async function combineSarifFilesUsingCLI(
      apiURL: getRequiredEnvParam("GITHUB_API_URL"),
    };

-    const codeQLDefaultVersionInfo =
-      await features.getEnabledDefaultCliVersions(gitHubVersion.type);
+    const codeQLDefaultVersionInfo = await features.getDefaultCliVersion(
+      gitHubVersion.type,
+    );

    const initCodeQLResult = await initCodeQL(
      undefined, // There is no tools input on the upload action
@@ -165,8 +166,6 @@ async function combineSarifFilesUsingCLI(
      tempDir,
      gitHubVersion.type,
      codeQLDefaultVersionInfo,
-      undefined, // rawLanguages: upload-lib does not run analysis
-      false, // useOverlayAwareDefaultCliVersion: upload-lib does not run analysis
      features,
      logger,
    );
@@ -6,7 +6,7 @@ import * as sinon from "sinon";

 import { AnalysisKind, getAnalysisConfig } from "./analyses";
 import { getRunnerLogger } from "./logging";
-import { createFeatures, makeMacro, setupTests } from "./testing-utils";
+import { createFeatures, setupTests } from "./testing-utils";
 import { UploadResult } from "./upload-lib";
 import * as uploadLib from "./upload-lib";
 import { postProcessAndUploadSarif } from "./upload-sarif";
@@ -43,7 +43,7 @@ function mockPostProcessSarifFiles() {
  return postProcessSarifFiles;
 }

-const postProcessAndUploadSarifMacro = makeMacro({
+const postProcessAndUploadSarifMacro = test.macro({
  exec: async (
    t: ExecutionContext<unknown>,
    sarifFiles: string[],
@@ -67,7 +67,7 @@ const postProcessAndUploadSarifMacro = makeMacro({
        const analysisConfig = getAnalysisConfig(analysisKind);
        uploadPostProcessedFiles
          .withArgs(logger, sinon.match.any, analysisConfig, sinon.match.any)
-          .resolves(expectedResult[analysisKind]?.uploadResult);
+          .resolves(expectedResult[analysisKind as AnalysisKind]?.uploadResult);
      }

      const fullSarifPaths = sarifFiles.map(toFullPath);
@@ -123,8 +123,9 @@ const postProcessAndUploadSarifMacro = makeMacro({
  title: (providedTitle = "") => `processAndUploadSarif - ${providedTitle}`,
 });

-postProcessAndUploadSarifMacro.serial(
+test.serial(
  "SARIF file",
+  postProcessAndUploadSarifMacro,
  ["test.sarif"],
  (tempDir) => path.join(tempDir, "test.sarif"),
  {
@@ -137,8 +138,9 @@ postProcessAndUploadSarifMacro.serial(
  },
 );

-postProcessAndUploadSarifMacro.serial(
+test.serial(
  "JSON file",
+  postProcessAndUploadSarifMacro,
  ["test.json"],
  (tempDir) => path.join(tempDir, "test.json"),
  {
@@ -151,8 +153,9 @@ postProcessAndUploadSarifMacro.serial(
  },
 );

-postProcessAndUploadSarifMacro.serial(
+test.serial(
  "Code Scanning files",
+  postProcessAndUploadSarifMacro,
  ["test.json", "test.sarif"],
  undefined,
  {
@@ -166,8 +169,9 @@ postProcessAndUploadSarifMacro.serial(
  },
 );

-postProcessAndUploadSarifMacro.serial(
+test.serial(
  "Code Quality file",
+  postProcessAndUploadSarifMacro,
  ["test.quality.sarif"],
  (tempDir) => path.join(tempDir, "test.quality.sarif"),
  {
@@ -180,8 +184,9 @@ postProcessAndUploadSarifMacro.serial(
  },
 );

-postProcessAndUploadSarifMacro.serial(
+test.serial(
  "Mixed files",
+  postProcessAndUploadSarifMacro,
  ["test.sarif", "test.quality.sarif"],
  undefined,
  {
@@ -422,7 +422,7 @@ async function testLanguageAliases(
          ],
        },
      },
-    },
+    } as Workflow,
    codeql,
  );
Author	SHA1	Message	Date
Michael B. Gale	a6fad803a6	Rename `meta.json` to `build-metadata.json`	2026-04-30 14:30:25 +01:00
Michael B. Gale	e09b8dbe8a	Merge remote-tracking branch 'origin/main' into mbg/bundle-metadata-improvements	2026-04-30 14:28:42 +01:00
Michael B. Gale	6e368b7e89	Set retention and `if-no-files-found`	2026-04-13 13:18:56 +01:00
Michael B. Gale	2ab95cc5ab	Compare baseline to current metadata	2026-04-10 18:47:56 +01:00
Michael B. Gale	af6b899441	Fetch baseline bundle metadata	2026-04-10 18:47:56 +01:00
Michael B. Gale	989d6f4689	Move `CODEQL_ACTION_REPO` out of `sync-checks.ts`	2026-04-10 17:29:36 +01:00
Michael B. Gale	dbfd510456	Make `token` parameter reusable	2026-04-10 17:09:18 +01:00
Michael B. Gale	4acf6eb187	Upload `meta.json` as workflow artifact	2026-04-10 12:22:50 +01:00
Michael B. Gale	8b990db7d7	Do not run `bundle-metadata.ts` as part of `npm run build`	2026-04-10 12:18:17 +01:00