Merge branch 'main' into sam-robson/overlay-fallback

.github/workflows/__rubocop-multi-language.yml

@@ -59,7 +59,7 @@ jobs:
           use-all-platform-bundle: 'false'
           setup-kotlin: 'true'
       - name: Set up Ruby
-        uses: ruby/setup-ruby@c4e5b1316158f92e3d49443a9d58b31d25ac0f8f # v1.306.0
+        uses: ruby/setup-ruby@0cb964fd540e0a24c900370abf38a33466142735 # v1.305.0
         with:
           ruby-version: 2.6
       - name: Install Code Scanning integration

.github/workflows/codescanning-config-cli.yml

@@ -6,13 +6,6 @@ env:
   # Diff informed queries add an additional query filter which is not yet
   # taken into account by these tests.
   CODEQL_ACTION_DIFF_INFORMED_QUERIES: false
-  # Specify overlay enablement manually to ensure stability around the exclude-from-incremental
-  # query filter. Here we only enable for the default code scanning suite.
-  CODEQL_ACTION_OVERLAY_ANALYSIS: true
-  CODEQL_ACTION_OVERLAY_ANALYSIS_JAVASCRIPT: false
-  CODEQL_ACTION_OVERLAY_ANALYSIS_CODE_SCANNING_JAVASCRIPT: true
-  CODEQL_ACTION_OVERLAY_ANALYSIS_STATUS_CHECK: false
-  CODEQL_ACTION_OVERLAY_ANALYSIS_SKIP_RESOURCE_CHECKS: true
 
 on:
   push:
@@ -79,33 +72,13 @@ jobs:
       with:
         version: ${{ matrix.version }}
 
-    # On PRs, overlay analysis may change the config that is passed to the CLI.
-    # Therefore, we have two variants of the following test, one for PRs and one for other events.
-    - name: Empty file (non-PR)
-      if: github.event_name != 'pull_request'
+    - name: Empty file
       uses: ./../action/.github/actions/check-codescanning-config
       with:
         expected-config-file-contents: "{}"
         languages: javascript
         tools: ${{ steps.prepare-test.outputs.tools-url }}
 
-    - name: Empty file (PR)
-      if: github.event_name == 'pull_request'
-      uses: ./../action/.github/actions/check-codescanning-config
-      with:
-        expected-config-file-contents: |
-          {
-            "query-filters": [
-              {
-                "exclude": {
-                  "tags": "exclude-from-incremental"
-                }
-              }
-            ]
-          }
-        languages: javascript
-        tools: ${{ steps.prepare-test.outputs.tools-url }}
-
     - name: Packs from input
       if: success() || failure()
       uses: ./../action/.github/actions/check-codescanning-config

.vscode/tests.code-snippets

@@ -19,7 +19,7 @@
     "scope": "javascript, typescript",
     "prefix": "testMacro",
     "body": [
-      "const ${1:nameMacro} = makeMacro({",
+      "const ${1:nameMacro} = test.macro({",
       "  exec: async (t: ExecutionContext<unknown>) => {},",
       "",
       "  title: (providedTitle = \"\") => `${2:common title} - \\${providedTitle}`,",

CHANGELOG.md

@@ -4,11 +4,7 @@ See the [releases page](https://github.com/github/codeql-action/releases) for th
 
 ## [UNRELEASED]
 
-- Added an experimental change which, when running a Code Scanning analysis for a PR with [improved incremental analysis](https://github.com/github/roadmap/issues/1158) enabled, prefers CodeQL CLI versions that have a cached overlay-base database for the configured languages. This speeds up analysis for a repository when there is not yet a cached overlay-base database for the latest CLI version. We expect to roll this change out to everyone in May. [#3880](https://github.com/github/codeql-action/pull/3880)
-
-## 4.35.4 - 07 May 2026
-
-- Update default CodeQL bundle version to [2.25.4](https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.25.4). [#3881](https://github.com/github/codeql-action/pull/3881)
+- For performance and accuracy reasons, [improved incremental analysis](https://github.com/github/roadmap/issues/1158) will now only be enabled on a pull request when diff-informed analysis is also enabled for that run. If diff-informed analysis is unavailable (for example, because the PR diff ranges could not be computed), the action will fall back to a full analysis. [#3791](https://github.com/github/codeql-action/pull/3791)
 
 ## 4.35.3 - 01 May 2026
 

lib/analyze-action-post.js

@@ -26352,11 +26352,11 @@ var require_valid = __commonJS({
   "node_modules/semver/functions/valid.js"(exports2, module2) {
     "use strict";
     var parse2 = require_parse2();
-    var valid4 = (version, options) => {
+    var valid3 = (version, options) => {
       const v = parse2(version, options);
       return v ? v.version : null;
     };
-    module2.exports = valid4;
+    module2.exports = valid3;
   }
 });
 
@@ -26499,8 +26499,8 @@ var require_rcompare = __commonJS({
   "node_modules/semver/functions/rcompare.js"(exports2, module2) {
     "use strict";
     var compare2 = require_compare();
-    var rcompare3 = (a, b, loose) => compare2(b, a, loose);
-    module2.exports = rcompare3;
+    var rcompare = (a, b, loose) => compare2(b, a, loose);
+    module2.exports = rcompare;
   }
 });
 
@@ -27716,7 +27716,7 @@ var require_semver2 = __commonJS({
     var SemVer = require_semver();
     var identifiers = require_identifiers();
     var parse2 = require_parse2();
-    var valid4 = require_valid();
+    var valid3 = require_valid();
     var clean3 = require_clean();
     var inc = require_inc();
     var diff = require_diff();
@@ -27725,7 +27725,7 @@ var require_semver2 = __commonJS({
     var patch = require_patch();
     var prerelease = require_prerelease();
     var compare2 = require_compare();
-    var rcompare3 = require_rcompare();
+    var rcompare = require_rcompare();
     var compareLoose = require_compare_loose();
     var compareBuild = require_compare_build();
     var sort = require_sort();
@@ -27754,7 +27754,7 @@ var require_semver2 = __commonJS({
     var subset = require_subset();
     module2.exports = {
       parse: parse2,
-      valid: valid4,
+      valid: valid3,
       clean: clean3,
       inc,
       diff,
@@ -27763,7 +27763,7 @@ var require_semver2 = __commonJS({
       patch,
       prerelease,
       compare: compare2,
-      rcompare: rcompare3,
+      rcompare,
       compareLoose,
       compareBuild,
       sort,
@@ -29553,16 +29553,16 @@ var require_attribute = __commonJS({
       var result = new ValidatorResult(instance, schema2, options, ctx);
       var self2 = this;
       schema2.allOf.forEach(function(v, i) {
-        var valid4 = self2.validateSchema(instance, v, options, ctx);
-        if (!valid4.valid) {
+        var valid3 = self2.validateSchema(instance, v, options, ctx);
+        if (!valid3.valid) {
           var id = v.$id || v.id;
           var msg = id || v.title && JSON.stringify(v.title) || v["$ref"] && "<" + v["$ref"] + ">" || "[subschema " + i + "]";
           result.addError({
             name: "allOf",
-            argument: { id: msg, length: valid4.errors.length, valid: valid4 },
-            message: "does not match allOf schema " + msg + " with " + valid4.errors.length + " error[s]:"
+            argument: { id: msg, length: valid3.errors.length, valid: valid3 },
+            message: "does not match allOf schema " + msg + " with " + valid3.errors.length + " error[s]:"
           });
-          result.importErrors(valid4);
+          result.importErrors(valid3);
         }
       });
       return result;
@@ -29851,8 +29851,8 @@ var require_attribute = __commonJS({
       if (typeof schema2.exclusiveMinimum === "boolean") return;
       if (!this.types.number(instance)) return;
       var result = new ValidatorResult(instance, schema2, options, ctx);
-      var valid4 = instance > schema2.exclusiveMinimum;
-      if (!valid4) {
+      var valid3 = instance > schema2.exclusiveMinimum;
+      if (!valid3) {
         result.addError({
           name: "exclusiveMinimum",
           argument: schema2.exclusiveMinimum,
@@ -29865,8 +29865,8 @@ var require_attribute = __commonJS({
       if (typeof schema2.exclusiveMaximum === "boolean") return;
       if (!this.types.number(instance)) return;
       var result = new ValidatorResult(instance, schema2, options, ctx);
-      var valid4 = instance < schema2.exclusiveMaximum;
-      if (!valid4) {
+      var valid3 = instance < schema2.exclusiveMaximum;
+      if (!valid3) {
         result.addError({
           name: "exclusiveMaximum",
           argument: schema2.exclusiveMaximum,
@@ -32649,8 +32649,8 @@ var require_semver3 = __commonJS({
         return null;
       }
     }
-    exports2.valid = valid4;
-    function valid4(version, options) {
+    exports2.valid = valid3;
+    function valid3(version, options) {
       var v = parse2(version, options);
       return v ? v.version : null;
     }
@@ -32950,8 +32950,8 @@ var require_semver3 = __commonJS({
       var versionB = new SemVer(b, loose);
       return versionA.compare(versionB) || versionA.compareBuild(versionB);
     }
-    exports2.rcompare = rcompare3;
-    function rcompare3(a, b, loose) {
+    exports2.rcompare = rcompare;
+    function rcompare(a, b, loose) {
       return compare2(b, a, loose);
     }
     exports2.sort = sort;
@@ -33779,7 +33779,7 @@ var require_cacheUtils = __commonJS({
     var crypto2 = __importStar2(require("crypto"));
     var fs9 = __importStar2(require("fs"));
     var path9 = __importStar2(require("path"));
-    var semver10 = __importStar2(require_semver3());
+    var semver9 = __importStar2(require_semver3());
     var util = __importStar2(require("util"));
     var constants_1 = require_constants7();
     var versionSalt = "1.0";
@@ -33872,7 +33872,7 @@ var require_cacheUtils = __commonJS({
     function getCompressionMethod() {
       return __awaiter2(this, void 0, void 0, function* () {
         const versionOutput = yield getVersion("zstd", ["--quiet"]);
-        const version = semver10.clean(versionOutput);
+        const version = semver9.clean(versionOutput);
         core15.debug(`zstd version: ${version}`);
         if (versionOutput === "") {
           return constants_1.CompressionMethod.Gzip;
@@ -75278,7 +75278,7 @@ var require_cacheHttpClient = __commonJS({
     exports2.getCacheEntry = getCacheEntry;
     exports2.downloadCache = downloadCache;
     exports2.reserveCache = reserveCache;
-    exports2.saveCache = saveCache5;
+    exports2.saveCache = saveCache4;
     var core15 = __importStar2(require_core());
     var http_client_1 = require_lib();
     var auth_1 = require_auth();
@@ -75455,7 +75455,7 @@ Other caches with similar key:`);
         }));
       });
     }
-    function saveCache5(cacheId, archivePath, signedUploadURL, options) {
+    function saveCache4(cacheId, archivePath, signedUploadURL, options) {
       return __awaiter2(this, void 0, void 0, function* () {
         const uploadOptions = (0, options_1.getUploadOptions)(options);
         if (uploadOptions.useAzureSdk) {
@@ -80955,8 +80955,8 @@ var require_cache4 = __commonJS({
     Object.defineProperty(exports2, "__esModule", { value: true });
     exports2.FinalizeCacheError = exports2.ReserveCacheError = exports2.ValidationError = void 0;
     exports2.isFeatureAvailable = isFeatureAvailable;
-    exports2.restoreCache = restoreCache5;
-    exports2.saveCache = saveCache5;
+    exports2.restoreCache = restoreCache4;
+    exports2.saveCache = saveCache4;
     var core15 = __importStar2(require_core());
     var path9 = __importStar2(require("path"));
     var utils = __importStar2(require_cacheUtils());
@@ -81013,7 +81013,7 @@ var require_cache4 = __commonJS({
           return !!process.env["ACTIONS_CACHE_URL"];
       }
     }
-    function restoreCache5(paths_1, primaryKey_1, restoreKeys_1, options_1) {
+    function restoreCache4(paths_1, primaryKey_1, restoreKeys_1, options_1) {
       return __awaiter2(this, arguments, void 0, function* (paths, primaryKey, restoreKeys, options, enableCrossOsArchive = false) {
         const cacheServiceVersion = (0, config_1.getCacheServiceVersion)();
         core15.debug(`Cache service version: ${cacheServiceVersion}`);
@@ -81157,7 +81157,7 @@ var require_cache4 = __commonJS({
         return void 0;
       });
     }
-    function saveCache5(paths_1, key_1, options_1) {
+    function saveCache4(paths_1, key_1, options_1) {
       return __awaiter2(this, arguments, void 0, function* (paths, key, options, enableCrossOsArchive = false) {
         const cacheServiceVersion = (0, config_1.getCacheServiceVersion)();
         core15.debug(`Cache service version: ${cacheServiceVersion}`);
@@ -81394,7 +81394,7 @@ var require_manifest = __commonJS({
     exports2._findMatch = _findMatch;
     exports2._getOsVersion = _getOsVersion;
     exports2._readLinuxVersionFile = _readLinuxVersionFile;
-    var semver10 = __importStar2(require_semver2());
+    var semver9 = __importStar2(require_semver2());
     var core_1 = require_core();
     var os2 = require("os");
     var cp = require("child_process");
@@ -81408,7 +81408,7 @@ var require_manifest = __commonJS({
         for (const candidate of candidates) {
           const version = candidate.version;
           (0, core_1.debug)(`check ${version} satisfies ${versionSpec}`);
-          if (semver10.satisfies(version, versionSpec) && (!stable || candidate.stable === stable)) {
+          if (semver9.satisfies(version, versionSpec) && (!stable || candidate.stable === stable)) {
             file = candidate.files.find((item) => {
               (0, core_1.debug)(`${item.arch}===${archFilter} && ${item.platform}===${platFilter}`);
               let chk = item.arch === archFilter && item.platform === platFilter;
@@ -81417,7 +81417,7 @@ var require_manifest = __commonJS({
                 if (osVersion === item.platform_version) {
                   chk = true;
                 } else {
-                  chk = semver10.satisfies(osVersion, item.platform_version);
+                  chk = semver9.satisfies(osVersion, item.platform_version);
                 }
               }
               return chk;
@@ -81677,7 +81677,7 @@ var require_tool_cache = __commonJS({
     var os2 = __importStar2(require("os"));
     var path9 = __importStar2(require("path"));
     var httpm = __importStar2(require_lib());
-    var semver10 = __importStar2(require_semver2());
+    var semver9 = __importStar2(require_semver2());
     var stream = __importStar2(require("stream"));
     var util = __importStar2(require("util"));
     var assert_1 = require("assert");
@@ -81950,7 +81950,7 @@ var require_tool_cache = __commonJS({
     }
     function cacheDir(sourceDir, tool, version, arch) {
       return __awaiter2(this, void 0, void 0, function* () {
-        version = semver10.clean(version) || version;
+        version = semver9.clean(version) || version;
         arch = arch || os2.arch();
         core15.debug(`Caching tool ${tool} ${version} ${arch}`);
         core15.debug(`source dir: ${sourceDir}`);
@@ -81968,7 +81968,7 @@ var require_tool_cache = __commonJS({
     }
     function cacheFile(sourceFile, targetFile, tool, version, arch) {
       return __awaiter2(this, void 0, void 0, function* () {
-        version = semver10.clean(version) || version;
+        version = semver9.clean(version) || version;
         arch = arch || os2.arch();
         core15.debug(`Caching tool ${tool} ${version} ${arch}`);
         core15.debug(`source file: ${sourceFile}`);
@@ -81998,7 +81998,7 @@ var require_tool_cache = __commonJS({
       }
       let toolPath = "";
       if (versionSpec) {
-        versionSpec = semver10.clean(versionSpec) || "";
+        versionSpec = semver9.clean(versionSpec) || "";
         const cachePath = path9.join(_getCacheDirectory(), toolName, versionSpec, arch);
         core15.debug(`checking cache: ${cachePath}`);
         if (fs9.existsSync(cachePath) && fs9.existsSync(`${cachePath}.complete`)) {
@@ -82078,7 +82078,7 @@ var require_tool_cache = __commonJS({
     }
     function _createToolPath(tool, version, arch) {
       return __awaiter2(this, void 0, void 0, function* () {
-        const folderPath = path9.join(_getCacheDirectory(), tool, semver10.clean(version) || version, arch || "");
+        const folderPath = path9.join(_getCacheDirectory(), tool, semver9.clean(version) || version, arch || "");
         core15.debug(`destination ${folderPath}`);
         const markerPath = `${folderPath}.complete`;
         yield io6.rmRF(folderPath);
@@ -82088,30 +82088,30 @@ var require_tool_cache = __commonJS({
       });
     }
     function _completeToolPath(tool, version, arch) {
-      const folderPath = path9.join(_getCacheDirectory(), tool, semver10.clean(version) || version, arch || "");
+      const folderPath = path9.join(_getCacheDirectory(), tool, semver9.clean(version) || version, arch || "");
       const markerPath = `${folderPath}.complete`;
       fs9.writeFileSync(markerPath, "");
       core15.debug("finished caching tool");
     }
     function isExplicitVersion(versionSpec) {
-      const c = semver10.clean(versionSpec) || "";
+      const c = semver9.clean(versionSpec) || "";
       core15.debug(`isExplicit: ${c}`);
-      const valid4 = semver10.valid(c) != null;
-      core15.debug(`explicit? ${valid4}`);
-      return valid4;
+      const valid3 = semver9.valid(c) != null;
+      core15.debug(`explicit? ${valid3}`);
+      return valid3;
     }
     function evaluateVersions(versions, versionSpec) {
       let version = "";
       core15.debug(`evaluating ${versions.length} versions`);
       versions = versions.sort((a, b) => {
-        if (semver10.gt(a, b)) {
+        if (semver9.gt(a, b)) {
           return 1;
         }
         return -1;
       });
       for (let i = versions.length - 1; i >= 0; i--) {
         const potential = versions[i];
-        const satisfied = semver10.satisfies(potential, versionSpec);
+        const satisfied = semver9.satisfies(potential, versionSpec);
         if (satisfied) {
           version = potential;
           break;
@@ -89825,7 +89825,7 @@ var require_stream_writable = __commonJS({
       pna.nextTick(cb, er);
     }
     function validChunk(stream, state, chunk, cb) {
-      var valid4 = true;
+      var valid3 = true;
       var er = false;
       if (chunk === null) {
         er = new TypeError("May not write null values to stream");
@@ -89835,9 +89835,9 @@ var require_stream_writable = __commonJS({
       if (er) {
         stream.emit("error", er);
         pna.nextTick(cb, er);
-        valid4 = false;
+        valid3 = false;
       }
-      return valid4;
+      return valid3;
     }
     Writable.prototype.write = function(chunk, encoding, cb) {
       var state = this._writableState;
@@ -126877,7 +126877,7 @@ function getDiffRangesJsonFilePath() {
   return path2.join(getTemporaryDirectory(), PR_DIFF_RANGE_JSON_FILENAME);
 }
 function getActionVersion() {
-  return "4.35.5";
+  return "4.35.4";
 }
 function getWorkflowEventName() {
   return getRequiredEnvParam("GITHUB_EVENT_NAME");
@@ -127883,16 +127883,6 @@ var featureConfig = {
     envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_DISABLE_TRAP_CACHING",
     minimumVersion: void 0
   },
-  ["overlay_analysis_match_codeql_version" /* OverlayAnalysisMatchCodeqlVersion */]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_MATCH_CODEQL_VERSION",
-    minimumVersion: void 0
-  },
-  ["overlay_analysis_match_codeql_version_dry_run" /* OverlayAnalysisMatchCodeqlVersionDryRun */]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_MATCH_CODEQL_VERSION_DRY_RUN",
-    minimumVersion: void 0
-  },
   ["overlay_analysis_resource_checks_v2" /* OverlayAnalysisResourceChecksV2 */]: {
     defaultValue: false,
     envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_RESOURCE_CHECKS_V2",
@@ -128054,26 +128044,20 @@ function appendExtraQueryExclusions(extraQueryExclusions, cliConfig) {
 // src/setup-codeql.ts
 var toolcache3 = __toESM(require_tool_cache());
 var import_fast_deep_equal = __toESM(require_fast_deep_equal());
-var semver9 = __toESM(require_semver2());
-
-// src/overlay/caching.ts
-var actionsCache3 = __toESM(require_cache4());
-var semver6 = __toESM(require_semver2());
-var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB = 7500;
-var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_BYTES = OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB * 1e6;
+var semver8 = __toESM(require_semver2());
 
 // src/tar.ts
 var import_toolrunner = __toESM(require_toolrunner());
 var io4 = __toESM(require_io());
 var toolcache = __toESM(require_tool_cache());
-var semver7 = __toESM(require_semver2());
+var semver6 = __toESM(require_semver2());
 
 // src/tools-download.ts
 var core10 = __toESM(require_core());
 var import_http_client = __toESM(require_lib());
 var toolcache2 = __toESM(require_tool_cache());
 var import_follow_redirects = __toESM(require_follow_redirects());
-var semver8 = __toESM(require_semver2());
+var semver7 = __toESM(require_semver2());
 var STREAMING_HIGH_WATERMARK_BYTES = 4 * 1024 * 1024;
 
 // src/tracer-config.ts
@@ -128670,7 +128654,7 @@ var core12 = __toESM(require_core());
 
 // src/dependency-caching.ts
 var import_path = require("path");
-var actionsCache4 = __toESM(require_cache4());
+var actionsCache3 = __toESM(require_cache4());
 var glob = __toESM(require_glob());
 function getJavaTempDependencyDir() {
   return (0, import_path.join)(getTemporaryDirectory(), "codeql_java", "repository");
@@ -128744,9 +128728,6 @@ async function scanArchiveFile(archivePath, relativeArchivePath, extractDir, log
       `Maximum archive extraction depth (${MAX_DEPTH}) reached for ${archivePath}`
     );
   }
-  if (process.platform === "win32") {
-    throw new Error("Scanning archives is not supported on Windows.");
-  }
   const result = {
     scannedFiles: 0,
     findings: []

lib/autobuild-action.js

@@ -26352,11 +26352,11 @@ var require_valid = __commonJS({
   "node_modules/semver/functions/valid.js"(exports2, module2) {
     "use strict";
     var parse2 = require_parse2();
-    var valid4 = (version, options) => {
+    var valid3 = (version, options) => {
       const v = parse2(version, options);
       return v ? v.version : null;
     };
-    module2.exports = valid4;
+    module2.exports = valid3;
   }
 });
 
@@ -26499,8 +26499,8 @@ var require_rcompare = __commonJS({
   "node_modules/semver/functions/rcompare.js"(exports2, module2) {
     "use strict";
     var compare2 = require_compare();
-    var rcompare3 = (a, b, loose) => compare2(b, a, loose);
-    module2.exports = rcompare3;
+    var rcompare = (a, b, loose) => compare2(b, a, loose);
+    module2.exports = rcompare;
   }
 });
 
@@ -27716,7 +27716,7 @@ var require_semver2 = __commonJS({
     var SemVer = require_semver();
     var identifiers = require_identifiers();
     var parse2 = require_parse2();
-    var valid4 = require_valid();
+    var valid3 = require_valid();
     var clean3 = require_clean();
     var inc = require_inc();
     var diff = require_diff();
@@ -27725,7 +27725,7 @@ var require_semver2 = __commonJS({
     var patch = require_patch();
     var prerelease = require_prerelease();
     var compare2 = require_compare();
-    var rcompare3 = require_rcompare();
+    var rcompare = require_rcompare();
     var compareLoose = require_compare_loose();
     var compareBuild = require_compare_build();
     var sort = require_sort();
@@ -27754,7 +27754,7 @@ var require_semver2 = __commonJS({
     var subset = require_subset();
     module2.exports = {
       parse: parse2,
-      valid: valid4,
+      valid: valid3,
       clean: clean3,
       inc,
       diff,
@@ -27763,7 +27763,7 @@ var require_semver2 = __commonJS({
       patch,
       prerelease,
       compare: compare2,
-      rcompare: rcompare3,
+      rcompare,
       compareLoose,
       compareBuild,
       sort,
@@ -29553,16 +29553,16 @@ var require_attribute = __commonJS({
       var result = new ValidatorResult(instance, schema2, options, ctx);
       var self2 = this;
       schema2.allOf.forEach(function(v, i) {
-        var valid4 = self2.validateSchema(instance, v, options, ctx);
-        if (!valid4.valid) {
+        var valid3 = self2.validateSchema(instance, v, options, ctx);
+        if (!valid3.valid) {
           var id = v.$id || v.id;
           var msg = id || v.title && JSON.stringify(v.title) || v["$ref"] && "<" + v["$ref"] + ">" || "[subschema " + i + "]";
           result.addError({
             name: "allOf",
-            argument: { id: msg, length: valid4.errors.length, valid: valid4 },
-            message: "does not match allOf schema " + msg + " with " + valid4.errors.length + " error[s]:"
+            argument: { id: msg, length: valid3.errors.length, valid: valid3 },
+            message: "does not match allOf schema " + msg + " with " + valid3.errors.length + " error[s]:"
           });
-          result.importErrors(valid4);
+          result.importErrors(valid3);
         }
       });
       return result;
@@ -29851,8 +29851,8 @@ var require_attribute = __commonJS({
       if (typeof schema2.exclusiveMinimum === "boolean") return;
       if (!this.types.number(instance)) return;
       var result = new ValidatorResult(instance, schema2, options, ctx);
-      var valid4 = instance > schema2.exclusiveMinimum;
-      if (!valid4) {
+      var valid3 = instance > schema2.exclusiveMinimum;
+      if (!valid3) {
         result.addError({
           name: "exclusiveMinimum",
           argument: schema2.exclusiveMinimum,
@@ -29865,8 +29865,8 @@ var require_attribute = __commonJS({
       if (typeof schema2.exclusiveMaximum === "boolean") return;
       if (!this.types.number(instance)) return;
       var result = new ValidatorResult(instance, schema2, options, ctx);
-      var valid4 = instance < schema2.exclusiveMaximum;
-      if (!valid4) {
+      var valid3 = instance < schema2.exclusiveMaximum;
+      if (!valid3) {
         result.addError({
           name: "exclusiveMaximum",
           argument: schema2.exclusiveMaximum,
@@ -32649,8 +32649,8 @@ var require_semver3 = __commonJS({
         return null;
       }
     }
-    exports2.valid = valid4;
-    function valid4(version, options) {
+    exports2.valid = valid3;
+    function valid3(version, options) {
       var v = parse2(version, options);
       return v ? v.version : null;
     }
@@ -32950,8 +32950,8 @@ var require_semver3 = __commonJS({
       var versionB = new SemVer(b, loose);
       return versionA.compare(versionB) || versionA.compareBuild(versionB);
     }
-    exports2.rcompare = rcompare3;
-    function rcompare3(a, b, loose) {
+    exports2.rcompare = rcompare;
+    function rcompare(a, b, loose) {
       return compare2(b, a, loose);
     }
     exports2.sort = sort;
@@ -33779,7 +33779,7 @@ var require_cacheUtils = __commonJS({
     var crypto2 = __importStar2(require("crypto"));
     var fs8 = __importStar2(require("fs"));
     var path9 = __importStar2(require("path"));
-    var semver10 = __importStar2(require_semver3());
+    var semver9 = __importStar2(require_semver3());
     var util = __importStar2(require("util"));
     var constants_1 = require_constants7();
     var versionSalt = "1.0";
@@ -33872,7 +33872,7 @@ var require_cacheUtils = __commonJS({
     function getCompressionMethod() {
       return __awaiter2(this, void 0, void 0, function* () {
         const versionOutput = yield getVersion("zstd", ["--quiet"]);
-        const version = semver10.clean(versionOutput);
+        const version = semver9.clean(versionOutput);
         core15.debug(`zstd version: ${version}`);
         if (versionOutput === "") {
           return constants_1.CompressionMethod.Gzip;
@@ -75278,7 +75278,7 @@ var require_cacheHttpClient = __commonJS({
     exports2.getCacheEntry = getCacheEntry;
     exports2.downloadCache = downloadCache;
     exports2.reserveCache = reserveCache;
-    exports2.saveCache = saveCache4;
+    exports2.saveCache = saveCache3;
     var core15 = __importStar2(require_core());
     var http_client_1 = require_lib();
     var auth_1 = require_auth();
@@ -75455,7 +75455,7 @@ Other caches with similar key:`);
         }));
       });
     }
-    function saveCache4(cacheId, archivePath, signedUploadURL, options) {
+    function saveCache3(cacheId, archivePath, signedUploadURL, options) {
       return __awaiter2(this, void 0, void 0, function* () {
         const uploadOptions = (0, options_1.getUploadOptions)(options);
         if (uploadOptions.useAzureSdk) {
@@ -80955,8 +80955,8 @@ var require_cache4 = __commonJS({
     Object.defineProperty(exports2, "__esModule", { value: true });
     exports2.FinalizeCacheError = exports2.ReserveCacheError = exports2.ValidationError = void 0;
     exports2.isFeatureAvailable = isFeatureAvailable;
-    exports2.restoreCache = restoreCache4;
-    exports2.saveCache = saveCache4;
+    exports2.restoreCache = restoreCache3;
+    exports2.saveCache = saveCache3;
     var core15 = __importStar2(require_core());
     var path9 = __importStar2(require("path"));
     var utils = __importStar2(require_cacheUtils());
@@ -81013,7 +81013,7 @@ var require_cache4 = __commonJS({
           return !!process.env["ACTIONS_CACHE_URL"];
       }
     }
-    function restoreCache4(paths_1, primaryKey_1, restoreKeys_1, options_1) {
+    function restoreCache3(paths_1, primaryKey_1, restoreKeys_1, options_1) {
       return __awaiter2(this, arguments, void 0, function* (paths, primaryKey, restoreKeys, options, enableCrossOsArchive = false) {
         const cacheServiceVersion = (0, config_1.getCacheServiceVersion)();
         core15.debug(`Cache service version: ${cacheServiceVersion}`);
@@ -81157,7 +81157,7 @@ var require_cache4 = __commonJS({
         return void 0;
       });
     }
-    function saveCache4(paths_1, key_1, options_1) {
+    function saveCache3(paths_1, key_1, options_1) {
       return __awaiter2(this, arguments, void 0, function* (paths, key, options, enableCrossOsArchive = false) {
         const cacheServiceVersion = (0, config_1.getCacheServiceVersion)();
         core15.debug(`Cache service version: ${cacheServiceVersion}`);
@@ -81394,7 +81394,7 @@ var require_manifest = __commonJS({
     exports2._findMatch = _findMatch;
     exports2._getOsVersion = _getOsVersion;
     exports2._readLinuxVersionFile = _readLinuxVersionFile;
-    var semver10 = __importStar2(require_semver2());
+    var semver9 = __importStar2(require_semver2());
     var core_1 = require_core();
     var os2 = require("os");
     var cp = require("child_process");
@@ -81408,7 +81408,7 @@ var require_manifest = __commonJS({
         for (const candidate of candidates) {
           const version = candidate.version;
           (0, core_1.debug)(`check ${version} satisfies ${versionSpec}`);
-          if (semver10.satisfies(version, versionSpec) && (!stable || candidate.stable === stable)) {
+          if (semver9.satisfies(version, versionSpec) && (!stable || candidate.stable === stable)) {
             file = candidate.files.find((item) => {
               (0, core_1.debug)(`${item.arch}===${archFilter} && ${item.platform}===${platFilter}`);
               let chk = item.arch === archFilter && item.platform === platFilter;
@@ -81417,7 +81417,7 @@ var require_manifest = __commonJS({
                 if (osVersion === item.platform_version) {
                   chk = true;
                 } else {
-                  chk = semver10.satisfies(osVersion, item.platform_version);
+                  chk = semver9.satisfies(osVersion, item.platform_version);
                 }
               }
               return chk;
@@ -81677,7 +81677,7 @@ var require_tool_cache = __commonJS({
     var os2 = __importStar2(require("os"));
     var path9 = __importStar2(require("path"));
     var httpm = __importStar2(require_lib());
-    var semver10 = __importStar2(require_semver2());
+    var semver9 = __importStar2(require_semver2());
     var stream = __importStar2(require("stream"));
     var util = __importStar2(require("util"));
     var assert_1 = require("assert");
@@ -81950,7 +81950,7 @@ var require_tool_cache = __commonJS({
     }
     function cacheDir(sourceDir, tool, version, arch) {
       return __awaiter2(this, void 0, void 0, function* () {
-        version = semver10.clean(version) || version;
+        version = semver9.clean(version) || version;
         arch = arch || os2.arch();
         core15.debug(`Caching tool ${tool} ${version} ${arch}`);
         core15.debug(`source dir: ${sourceDir}`);
@@ -81968,7 +81968,7 @@ var require_tool_cache = __commonJS({
     }
     function cacheFile(sourceFile, targetFile, tool, version, arch) {
       return __awaiter2(this, void 0, void 0, function* () {
-        version = semver10.clean(version) || version;
+        version = semver9.clean(version) || version;
         arch = arch || os2.arch();
         core15.debug(`Caching tool ${tool} ${version} ${arch}`);
         core15.debug(`source file: ${sourceFile}`);
@@ -81998,7 +81998,7 @@ var require_tool_cache = __commonJS({
       }
       let toolPath = "";
       if (versionSpec) {
-        versionSpec = semver10.clean(versionSpec) || "";
+        versionSpec = semver9.clean(versionSpec) || "";
         const cachePath = path9.join(_getCacheDirectory(), toolName, versionSpec, arch);
         core15.debug(`checking cache: ${cachePath}`);
         if (fs8.existsSync(cachePath) && fs8.existsSync(`${cachePath}.complete`)) {
@@ -82078,7 +82078,7 @@ var require_tool_cache = __commonJS({
     }
     function _createToolPath(tool, version, arch) {
       return __awaiter2(this, void 0, void 0, function* () {
-        const folderPath = path9.join(_getCacheDirectory(), tool, semver10.clean(version) || version, arch || "");
+        const folderPath = path9.join(_getCacheDirectory(), tool, semver9.clean(version) || version, arch || "");
         core15.debug(`destination ${folderPath}`);
         const markerPath = `${folderPath}.complete`;
         yield io5.rmRF(folderPath);
@@ -82088,30 +82088,30 @@ var require_tool_cache = __commonJS({
       });
     }
     function _completeToolPath(tool, version, arch) {
-      const folderPath = path9.join(_getCacheDirectory(), tool, semver10.clean(version) || version, arch || "");
+      const folderPath = path9.join(_getCacheDirectory(), tool, semver9.clean(version) || version, arch || "");
       const markerPath = `${folderPath}.complete`;
       fs8.writeFileSync(markerPath, "");
       core15.debug("finished caching tool");
     }
     function isExplicitVersion(versionSpec) {
-      const c = semver10.clean(versionSpec) || "";
+      const c = semver9.clean(versionSpec) || "";
       core15.debug(`isExplicit: ${c}`);
-      const valid4 = semver10.valid(c) != null;
-      core15.debug(`explicit? ${valid4}`);
-      return valid4;
+      const valid3 = semver9.valid(c) != null;
+      core15.debug(`explicit? ${valid3}`);
+      return valid3;
     }
     function evaluateVersions(versions, versionSpec) {
       let version = "";
       core15.debug(`evaluating ${versions.length} versions`);
       versions = versions.sort((a, b) => {
-        if (semver10.gt(a, b)) {
+        if (semver9.gt(a, b)) {
           return 1;
         }
         return -1;
       });
       for (let i = versions.length - 1; i >= 0; i--) {
         const potential = versions[i];
-        const satisfied = semver10.satisfies(potential, versionSpec);
+        const satisfied = semver9.satisfies(potential, versionSpec);
         if (satisfied) {
           version = potential;
           break;
@@ -85608,7 +85608,7 @@ function getDiffRangesJsonFilePath() {
   return path2.join(getTemporaryDirectory(), PR_DIFF_RANGE_JSON_FILENAME);
 }
 function getActionVersion() {
-  return "4.35.5";
+  return "4.35.4";
 }
 function getWorkflowEventName() {
   return getRequiredEnvParam("GITHUB_EVENT_NAME");
@@ -86226,8 +86226,8 @@ var path5 = __toESM(require("path"));
 var semver5 = __toESM(require_semver2());
 
 // src/defaults.json
-var bundleVersion = "codeql-bundle-v2.25.4";
-var cliVersion = "2.25.4";
+var bundleVersion = "codeql-bundle-v2.25.3";
+var cliVersion = "2.25.3";
 
 // src/overlay/index.ts
 var fs3 = __toESM(require("fs"));
@@ -86538,10 +86538,6 @@ function isSupportedToolsFeature(versionInfo, feature) {
 // src/feature-flags.ts
 var DEFAULT_VERSION_FEATURE_FLAG_PREFIX = "default_codeql_version_";
 var DEFAULT_VERSION_FEATURE_FLAG_SUFFIX = "_enabled";
-var LINKED_CODEQL_VERSION = {
-  cliVersion,
-  tagName: bundleVersion
-};
 var featureConfig = {
   ["allow_toolcache_input" /* AllowToolcacheInput */]: {
     defaultValue: false,
@@ -86696,16 +86692,6 @@ var featureConfig = {
     envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_DISABLE_TRAP_CACHING",
     minimumVersion: void 0
   },
-  ["overlay_analysis_match_codeql_version" /* OverlayAnalysisMatchCodeqlVersion */]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_MATCH_CODEQL_VERSION",
-    minimumVersion: void 0
-  },
-  ["overlay_analysis_match_codeql_version_dry_run" /* OverlayAnalysisMatchCodeqlVersionDryRun */]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_MATCH_CODEQL_VERSION_DRY_RUN",
-    minimumVersion: void 0
-  },
   ["overlay_analysis_resource_checks_v2" /* OverlayAnalysisResourceChecksV2 */]: {
     defaultValue: false,
     envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_RESOURCE_CHECKS_V2",
@@ -86766,9 +86752,10 @@ var OfflineFeatures = class {
     this.logger = logger;
   }
   logger;
-  async getEnabledDefaultCliVersions(_variant) {
+  async getDefaultCliVersion(_variant) {
     return {
-      enabledVersions: [LINKED_CODEQL_VERSION]
+      cliVersion,
+      tagName: bundleVersion
     };
   }
   /**
@@ -86873,11 +86860,11 @@ var Features = class extends OfflineFeatures {
       logger
     );
   }
-  async getEnabledDefaultCliVersions(variant) {
+  async getDefaultCliVersion(variant) {
     if (supportsFeatureFlags(variant)) {
-      return await this.gitHubFeatureFlags.getEnabledDefaultCliVersionsFromFlags();
+      return await this.gitHubFeatureFlags.getDefaultCliVersionFromFlags();
     }
-    return super.getEnabledDefaultCliVersions(variant);
+    return super.getDefaultCliVersion(variant);
   }
   /**
    *
@@ -86936,36 +86923,34 @@ var GitHubFeatureFlags = class {
     }
     return version;
   }
-  /**
-   * Returns CLI versions enabled by `default_codeql_version_*_enabled` feature
-   * flags, sorted from highest to lowest. Falls back to the version pinned in
-   * `defaults.json` if no such flags are enabled.
-   */
-  async getEnabledDefaultCliVersionsFromFlags() {
+  async getDefaultCliVersionFromFlags() {
     const response = await this.getAllFeatures();
-    const sortedCliVersions = Object.entries(response).map(
+    const enabledFeatureFlagCliVersions = Object.entries(response).map(
       ([f, isEnabled]) => isEnabled ? this.getCliVersionFromFeatureFlag(f) : void 0
-    ).filter((f) => f !== void 0).sort(semver5.rcompare);
-    if (sortedCliVersions.length === 0) {
+    ).filter((f) => f !== void 0);
+    if (enabledFeatureFlagCliVersions.length === 0) {
       this.logger.warning(
         `Feature flags do not specify a default CLI version. Falling back to the CLI version shipped with the Action. This is ${cliVersion}.`
       );
       const result = {
-        enabledVersions: [LINKED_CODEQL_VERSION]
+        cliVersion,
+        tagName: bundleVersion
       };
       if (this.hasAccessedRemoteFeatureFlags) {
         result.toolsFeatureFlagsValid = false;
       }
       return result;
     }
+    const maxCliVersion = enabledFeatureFlagCliVersions.reduce(
+      (maxVersion, currentVersion) => currentVersion > maxVersion ? currentVersion : maxVersion,
+      enabledFeatureFlagCliVersions[0]
+    );
     this.logger.debug(
-      `Derived default CLI version of ${sortedCliVersions[0]} from feature flags.`
+      `Derived default CLI version of ${maxCliVersion} from feature flags.`
     );
     return {
-      enabledVersions: sortedCliVersions.map((cliVersion2) => ({
-        cliVersion: cliVersion2,
-        tagName: `codeql-bundle-v${cliVersion2}`
-      })),
+      cliVersion: maxCliVersion,
+      tagName: `codeql-bundle-v${maxCliVersion}`,
       toolsFeatureFlagsValid: true
     };
   }
@@ -87195,26 +87180,20 @@ function appendExtraQueryExclusions(extraQueryExclusions, cliConfig) {
 // src/setup-codeql.ts
 var toolcache3 = __toESM(require_tool_cache());
 var import_fast_deep_equal = __toESM(require_fast_deep_equal());
-var semver9 = __toESM(require_semver2());
-
-// src/overlay/caching.ts
-var actionsCache3 = __toESM(require_cache4());
-var semver6 = __toESM(require_semver2());
-var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB = 7500;
-var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_BYTES = OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB * 1e6;
+var semver8 = __toESM(require_semver2());
 
 // src/tar.ts
 var import_toolrunner = __toESM(require_toolrunner());
 var io4 = __toESM(require_io());
 var toolcache = __toESM(require_tool_cache());
-var semver7 = __toESM(require_semver2());
+var semver6 = __toESM(require_semver2());
 
 // src/tools-download.ts
 var core10 = __toESM(require_core());
 var import_http_client = __toESM(require_lib());
 var toolcache2 = __toESM(require_tool_cache());
 var import_follow_redirects = __toESM(require_follow_redirects());
-var semver8 = __toESM(require_semver2());
+var semver7 = __toESM(require_semver2());
 var STREAMING_HIGH_WATERMARK_BYTES = 4 * 1024 * 1024;
 
 // src/tracer-config.ts

lib/defaults.json

@@ -1,6 +1,6 @@
 {
-  "bundleVersion": "codeql-bundle-v2.25.4",
-  "cliVersion": "2.25.4",
-  "priorBundleVersion": "codeql-bundle-v2.25.3",
-  "priorCliVersion": "2.25.3"
+  "bundleVersion": "codeql-bundle-v2.25.3",
+  "cliVersion": "2.25.3",
+  "priorBundleVersion": "codeql-bundle-v2.25.2",
+  "priorCliVersion": "2.25.2"
 }

lib/resolve-environment-action.js

@@ -26352,11 +26352,11 @@ var require_valid = __commonJS({
   "node_modules/semver/functions/valid.js"(exports2, module2) {
     "use strict";
     var parse2 = require_parse2();
-    var valid4 = (version, options) => {
+    var valid3 = (version, options) => {
       const v = parse2(version, options);
       return v ? v.version : null;
     };
-    module2.exports = valid4;
+    module2.exports = valid3;
   }
 });
 
@@ -26499,8 +26499,8 @@ var require_rcompare = __commonJS({
   "node_modules/semver/functions/rcompare.js"(exports2, module2) {
     "use strict";
     var compare2 = require_compare();
-    var rcompare3 = (a, b, loose) => compare2(b, a, loose);
-    module2.exports = rcompare3;
+    var rcompare = (a, b, loose) => compare2(b, a, loose);
+    module2.exports = rcompare;
   }
 });
 
@@ -27716,7 +27716,7 @@ var require_semver2 = __commonJS({
     var SemVer = require_semver();
     var identifiers = require_identifiers();
     var parse2 = require_parse2();
-    var valid4 = require_valid();
+    var valid3 = require_valid();
     var clean3 = require_clean();
     var inc = require_inc();
     var diff = require_diff();
@@ -27725,7 +27725,7 @@ var require_semver2 = __commonJS({
     var patch = require_patch();
     var prerelease = require_prerelease();
     var compare2 = require_compare();
-    var rcompare3 = require_rcompare();
+    var rcompare = require_rcompare();
     var compareLoose = require_compare_loose();
     var compareBuild = require_compare_build();
     var sort = require_sort();
@@ -27754,7 +27754,7 @@ var require_semver2 = __commonJS({
     var subset = require_subset();
     module2.exports = {
       parse: parse2,
-      valid: valid4,
+      valid: valid3,
       clean: clean3,
       inc,
       diff,
@@ -27763,7 +27763,7 @@ var require_semver2 = __commonJS({
       patch,
       prerelease,
       compare: compare2,
-      rcompare: rcompare3,
+      rcompare,
       compareLoose,
       compareBuild,
       sort,
@@ -29553,16 +29553,16 @@ var require_attribute = __commonJS({
       var result = new ValidatorResult(instance, schema2, options, ctx);
       var self2 = this;
       schema2.allOf.forEach(function(v, i) {
-        var valid4 = self2.validateSchema(instance, v, options, ctx);
-        if (!valid4.valid) {
+        var valid3 = self2.validateSchema(instance, v, options, ctx);
+        if (!valid3.valid) {
           var id = v.$id || v.id;
           var msg = id || v.title && JSON.stringify(v.title) || v["$ref"] && "<" + v["$ref"] + ">" || "[subschema " + i + "]";
           result.addError({
             name: "allOf",
-            argument: { id: msg, length: valid4.errors.length, valid: valid4 },
-            message: "does not match allOf schema " + msg + " with " + valid4.errors.length + " error[s]:"
+            argument: { id: msg, length: valid3.errors.length, valid: valid3 },
+            message: "does not match allOf schema " + msg + " with " + valid3.errors.length + " error[s]:"
           });
-          result.importErrors(valid4);
+          result.importErrors(valid3);
         }
       });
       return result;
@@ -29851,8 +29851,8 @@ var require_attribute = __commonJS({
       if (typeof schema2.exclusiveMinimum === "boolean") return;
       if (!this.types.number(instance)) return;
       var result = new ValidatorResult(instance, schema2, options, ctx);
-      var valid4 = instance > schema2.exclusiveMinimum;
-      if (!valid4) {
+      var valid3 = instance > schema2.exclusiveMinimum;
+      if (!valid3) {
         result.addError({
           name: "exclusiveMinimum",
           argument: schema2.exclusiveMinimum,
@@ -29865,8 +29865,8 @@ var require_attribute = __commonJS({
       if (typeof schema2.exclusiveMaximum === "boolean") return;
       if (!this.types.number(instance)) return;
       var result = new ValidatorResult(instance, schema2, options, ctx);
-      var valid4 = instance < schema2.exclusiveMaximum;
-      if (!valid4) {
+      var valid3 = instance < schema2.exclusiveMaximum;
+      if (!valid3) {
         result.addError({
           name: "exclusiveMaximum",
           argument: schema2.exclusiveMaximum,
@@ -32649,8 +32649,8 @@ var require_semver3 = __commonJS({
         return null;
       }
     }
-    exports2.valid = valid4;
-    function valid4(version, options) {
+    exports2.valid = valid3;
+    function valid3(version, options) {
       var v = parse2(version, options);
       return v ? v.version : null;
     }
@@ -32950,8 +32950,8 @@ var require_semver3 = __commonJS({
       var versionB = new SemVer(b, loose);
       return versionA.compare(versionB) || versionA.compareBuild(versionB);
     }
-    exports2.rcompare = rcompare3;
-    function rcompare3(a, b, loose) {
+    exports2.rcompare = rcompare;
+    function rcompare(a, b, loose) {
       return compare2(b, a, loose);
     }
     exports2.sort = sort;
@@ -33779,7 +33779,7 @@ var require_cacheUtils = __commonJS({
     var crypto2 = __importStar2(require("crypto"));
     var fs6 = __importStar2(require("fs"));
     var path7 = __importStar2(require("path"));
-    var semver10 = __importStar2(require_semver3());
+    var semver9 = __importStar2(require_semver3());
     var util = __importStar2(require("util"));
     var constants_1 = require_constants7();
     var versionSalt = "1.0";
@@ -33872,7 +33872,7 @@ var require_cacheUtils = __commonJS({
     function getCompressionMethod() {
       return __awaiter2(this, void 0, void 0, function* () {
         const versionOutput = yield getVersion("zstd", ["--quiet"]);
-        const version = semver10.clean(versionOutput);
+        const version = semver9.clean(versionOutput);
         core14.debug(`zstd version: ${version}`);
         if (versionOutput === "") {
           return constants_1.CompressionMethod.Gzip;
@@ -75278,7 +75278,7 @@ var require_cacheHttpClient = __commonJS({
     exports2.getCacheEntry = getCacheEntry;
     exports2.downloadCache = downloadCache;
     exports2.reserveCache = reserveCache;
-    exports2.saveCache = saveCache4;
+    exports2.saveCache = saveCache3;
     var core14 = __importStar2(require_core());
     var http_client_1 = require_lib();
     var auth_1 = require_auth();
@@ -75455,7 +75455,7 @@ Other caches with similar key:`);
         }));
       });
     }
-    function saveCache4(cacheId, archivePath, signedUploadURL, options) {
+    function saveCache3(cacheId, archivePath, signedUploadURL, options) {
       return __awaiter2(this, void 0, void 0, function* () {
         const uploadOptions = (0, options_1.getUploadOptions)(options);
         if (uploadOptions.useAzureSdk) {
@@ -80955,8 +80955,8 @@ var require_cache4 = __commonJS({
     Object.defineProperty(exports2, "__esModule", { value: true });
     exports2.FinalizeCacheError = exports2.ReserveCacheError = exports2.ValidationError = void 0;
     exports2.isFeatureAvailable = isFeatureAvailable;
-    exports2.restoreCache = restoreCache4;
-    exports2.saveCache = saveCache4;
+    exports2.restoreCache = restoreCache3;
+    exports2.saveCache = saveCache3;
     var core14 = __importStar2(require_core());
     var path7 = __importStar2(require("path"));
     var utils = __importStar2(require_cacheUtils());
@@ -81013,7 +81013,7 @@ var require_cache4 = __commonJS({
           return !!process.env["ACTIONS_CACHE_URL"];
       }
     }
-    function restoreCache4(paths_1, primaryKey_1, restoreKeys_1, options_1) {
+    function restoreCache3(paths_1, primaryKey_1, restoreKeys_1, options_1) {
       return __awaiter2(this, arguments, void 0, function* (paths, primaryKey, restoreKeys, options, enableCrossOsArchive = false) {
         const cacheServiceVersion = (0, config_1.getCacheServiceVersion)();
         core14.debug(`Cache service version: ${cacheServiceVersion}`);
@@ -81157,7 +81157,7 @@ var require_cache4 = __commonJS({
         return void 0;
       });
     }
-    function saveCache4(paths_1, key_1, options_1) {
+    function saveCache3(paths_1, key_1, options_1) {
       return __awaiter2(this, arguments, void 0, function* (paths, key, options, enableCrossOsArchive = false) {
         const cacheServiceVersion = (0, config_1.getCacheServiceVersion)();
         core14.debug(`Cache service version: ${cacheServiceVersion}`);
@@ -81394,7 +81394,7 @@ var require_manifest = __commonJS({
     exports2._findMatch = _findMatch;
     exports2._getOsVersion = _getOsVersion;
     exports2._readLinuxVersionFile = _readLinuxVersionFile;
-    var semver10 = __importStar2(require_semver2());
+    var semver9 = __importStar2(require_semver2());
     var core_1 = require_core();
     var os2 = require("os");
     var cp = require("child_process");
@@ -81408,7 +81408,7 @@ var require_manifest = __commonJS({
         for (const candidate of candidates) {
           const version = candidate.version;
           (0, core_1.debug)(`check ${version} satisfies ${versionSpec}`);
-          if (semver10.satisfies(version, versionSpec) && (!stable || candidate.stable === stable)) {
+          if (semver9.satisfies(version, versionSpec) && (!stable || candidate.stable === stable)) {
             file = candidate.files.find((item) => {
               (0, core_1.debug)(`${item.arch}===${archFilter} && ${item.platform}===${platFilter}`);
               let chk = item.arch === archFilter && item.platform === platFilter;
@@ -81417,7 +81417,7 @@ var require_manifest = __commonJS({
                 if (osVersion === item.platform_version) {
                   chk = true;
                 } else {
-                  chk = semver10.satisfies(osVersion, item.platform_version);
+                  chk = semver9.satisfies(osVersion, item.platform_version);
                 }
               }
               return chk;
@@ -81677,7 +81677,7 @@ var require_tool_cache = __commonJS({
     var os2 = __importStar2(require("os"));
     var path7 = __importStar2(require("path"));
     var httpm = __importStar2(require_lib());
-    var semver10 = __importStar2(require_semver2());
+    var semver9 = __importStar2(require_semver2());
     var stream = __importStar2(require("stream"));
     var util = __importStar2(require("util"));
     var assert_1 = require("assert");
@@ -81950,7 +81950,7 @@ var require_tool_cache = __commonJS({
     }
     function cacheDir(sourceDir, tool, version, arch) {
       return __awaiter2(this, void 0, void 0, function* () {
-        version = semver10.clean(version) || version;
+        version = semver9.clean(version) || version;
         arch = arch || os2.arch();
         core14.debug(`Caching tool ${tool} ${version} ${arch}`);
         core14.debug(`source dir: ${sourceDir}`);
@@ -81968,7 +81968,7 @@ var require_tool_cache = __commonJS({
     }
     function cacheFile(sourceFile, targetFile, tool, version, arch) {
       return __awaiter2(this, void 0, void 0, function* () {
-        version = semver10.clean(version) || version;
+        version = semver9.clean(version) || version;
         arch = arch || os2.arch();
         core14.debug(`Caching tool ${tool} ${version} ${arch}`);
         core14.debug(`source file: ${sourceFile}`);
@@ -81998,7 +81998,7 @@ var require_tool_cache = __commonJS({
       }
       let toolPath = "";
       if (versionSpec) {
-        versionSpec = semver10.clean(versionSpec) || "";
+        versionSpec = semver9.clean(versionSpec) || "";
         const cachePath = path7.join(_getCacheDirectory(), toolName, versionSpec, arch);
         core14.debug(`checking cache: ${cachePath}`);
         if (fs6.existsSync(cachePath) && fs6.existsSync(`${cachePath}.complete`)) {
@@ -82078,7 +82078,7 @@ var require_tool_cache = __commonJS({
     }
     function _createToolPath(tool, version, arch) {
       return __awaiter2(this, void 0, void 0, function* () {
-        const folderPath = path7.join(_getCacheDirectory(), tool, semver10.clean(version) || version, arch || "");
+        const folderPath = path7.join(_getCacheDirectory(), tool, semver9.clean(version) || version, arch || "");
         core14.debug(`destination ${folderPath}`);
         const markerPath = `${folderPath}.complete`;
         yield io5.rmRF(folderPath);
@@ -82088,30 +82088,30 @@ var require_tool_cache = __commonJS({
       });
     }
     function _completeToolPath(tool, version, arch) {
-      const folderPath = path7.join(_getCacheDirectory(), tool, semver10.clean(version) || version, arch || "");
+      const folderPath = path7.join(_getCacheDirectory(), tool, semver9.clean(version) || version, arch || "");
       const markerPath = `${folderPath}.complete`;
       fs6.writeFileSync(markerPath, "");
       core14.debug("finished caching tool");
     }
     function isExplicitVersion(versionSpec) {
-      const c = semver10.clean(versionSpec) || "";
+      const c = semver9.clean(versionSpec) || "";
       core14.debug(`isExplicit: ${c}`);
-      const valid4 = semver10.valid(c) != null;
-      core14.debug(`explicit? ${valid4}`);
-      return valid4;
+      const valid3 = semver9.valid(c) != null;
+      core14.debug(`explicit? ${valid3}`);
+      return valid3;
     }
     function evaluateVersions(versions, versionSpec) {
       let version = "";
       core14.debug(`evaluating ${versions.length} versions`);
       versions = versions.sort((a, b) => {
-        if (semver10.gt(a, b)) {
+        if (semver9.gt(a, b)) {
           return 1;
         }
         return -1;
       });
       for (let i = versions.length - 1; i >= 0; i--) {
         const potential = versions[i];
-        const satisfied = semver10.satisfies(potential, versionSpec);
+        const satisfied = semver9.satisfies(potential, versionSpec);
         if (satisfied) {
           version = potential;
           break;
@@ -85616,7 +85616,7 @@ function getDiffRangesJsonFilePath() {
   return path2.join(getTemporaryDirectory(), PR_DIFF_RANGE_JSON_FILENAME);
 }
 function getActionVersion() {
-  return "4.35.5";
+  return "4.35.4";
 }
 function getWorkflowEventName() {
   return getRequiredEnvParam("GITHUB_EVENT_NAME");
@@ -86683,16 +86683,6 @@ var featureConfig = {
     envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_DISABLE_TRAP_CACHING",
     minimumVersion: void 0
   },
-  ["overlay_analysis_match_codeql_version" /* OverlayAnalysisMatchCodeqlVersion */]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_MATCH_CODEQL_VERSION",
-    minimumVersion: void 0
-  },
-  ["overlay_analysis_match_codeql_version_dry_run" /* OverlayAnalysisMatchCodeqlVersionDryRun */]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_MATCH_CODEQL_VERSION_DRY_RUN",
-    minimumVersion: void 0
-  },
   ["overlay_analysis_resource_checks_v2" /* OverlayAnalysisResourceChecksV2 */]: {
     defaultValue: false,
     envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_RESOURCE_CHECKS_V2",
@@ -86860,26 +86850,20 @@ var toolrunner3 = __toESM(require_toolrunner());
 // src/setup-codeql.ts
 var toolcache3 = __toESM(require_tool_cache());
 var import_fast_deep_equal = __toESM(require_fast_deep_equal());
-var semver9 = __toESM(require_semver2());
-
-// src/overlay/caching.ts
-var actionsCache3 = __toESM(require_cache4());
-var semver6 = __toESM(require_semver2());
-var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB = 7500;
-var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_BYTES = OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB * 1e6;
+var semver8 = __toESM(require_semver2());
 
 // src/tar.ts
 var import_toolrunner = __toESM(require_toolrunner());
 var io4 = __toESM(require_io());
 var toolcache = __toESM(require_tool_cache());
-var semver7 = __toESM(require_semver2());
+var semver6 = __toESM(require_semver2());
 
 // src/tools-download.ts
 var core10 = __toESM(require_core());
 var import_http_client = __toESM(require_lib());
 var toolcache2 = __toESM(require_tool_cache());
 var import_follow_redirects = __toESM(require_follow_redirects());
-var semver8 = __toESM(require_semver2());
+var semver7 = __toESM(require_semver2());
 var STREAMING_HIGH_WATERMARK_BYTES = 4 * 1024 * 1024;
 
 // src/tracer-config.ts

lib/start-proxy-action-post.js

@@ -26352,11 +26352,11 @@ var require_valid = __commonJS({
   "node_modules/semver/functions/valid.js"(exports2, module2) {
     "use strict";
     var parse2 = require_parse2();
-    var valid4 = (version, options) => {
+    var valid3 = (version, options) => {
       const v = parse2(version, options);
       return v ? v.version : null;
     };
-    module2.exports = valid4;
+    module2.exports = valid3;
   }
 });
 
@@ -26499,8 +26499,8 @@ var require_rcompare = __commonJS({
   "node_modules/semver/functions/rcompare.js"(exports2, module2) {
     "use strict";
     var compare2 = require_compare();
-    var rcompare3 = (a, b, loose) => compare2(b, a, loose);
-    module2.exports = rcompare3;
+    var rcompare = (a, b, loose) => compare2(b, a, loose);
+    module2.exports = rcompare;
   }
 });
 
@@ -27716,7 +27716,7 @@ var require_semver2 = __commonJS({
     var SemVer = require_semver();
     var identifiers = require_identifiers();
     var parse2 = require_parse2();
-    var valid4 = require_valid();
+    var valid3 = require_valid();
     var clean3 = require_clean();
     var inc = require_inc();
     var diff = require_diff();
@@ -27725,7 +27725,7 @@ var require_semver2 = __commonJS({
     var patch = require_patch();
     var prerelease = require_prerelease();
     var compare2 = require_compare();
-    var rcompare3 = require_rcompare();
+    var rcompare = require_rcompare();
     var compareLoose = require_compare_loose();
     var compareBuild = require_compare_build();
     var sort = require_sort();
@@ -27754,7 +27754,7 @@ var require_semver2 = __commonJS({
     var subset = require_subset();
     module2.exports = {
       parse: parse2,
-      valid: valid4,
+      valid: valid3,
       clean: clean3,
       inc,
       diff,
@@ -27763,7 +27763,7 @@ var require_semver2 = __commonJS({
       patch,
       prerelease,
       compare: compare2,
-      rcompare: rcompare3,
+      rcompare,
       compareLoose,
       compareBuild,
       sort,
@@ -29553,16 +29553,16 @@ var require_attribute = __commonJS({
       var result = new ValidatorResult(instance, schema2, options, ctx);
       var self2 = this;
       schema2.allOf.forEach(function(v, i) {
-        var valid4 = self2.validateSchema(instance, v, options, ctx);
-        if (!valid4.valid) {
+        var valid3 = self2.validateSchema(instance, v, options, ctx);
+        if (!valid3.valid) {
           var id = v.$id || v.id;
           var msg = id || v.title && JSON.stringify(v.title) || v["$ref"] && "<" + v["$ref"] + ">" || "[subschema " + i + "]";
           result.addError({
             name: "allOf",
-            argument: { id: msg, length: valid4.errors.length, valid: valid4 },
-            message: "does not match allOf schema " + msg + " with " + valid4.errors.length + " error[s]:"
+            argument: { id: msg, length: valid3.errors.length, valid: valid3 },
+            message: "does not match allOf schema " + msg + " with " + valid3.errors.length + " error[s]:"
           });
-          result.importErrors(valid4);
+          result.importErrors(valid3);
         }
       });
       return result;
@@ -29851,8 +29851,8 @@ var require_attribute = __commonJS({
       if (typeof schema2.exclusiveMinimum === "boolean") return;
       if (!this.types.number(instance)) return;
       var result = new ValidatorResult(instance, schema2, options, ctx);
-      var valid4 = instance > schema2.exclusiveMinimum;
-      if (!valid4) {
+      var valid3 = instance > schema2.exclusiveMinimum;
+      if (!valid3) {
         result.addError({
           name: "exclusiveMinimum",
           argument: schema2.exclusiveMinimum,
@@ -29865,8 +29865,8 @@ var require_attribute = __commonJS({
       if (typeof schema2.exclusiveMaximum === "boolean") return;
       if (!this.types.number(instance)) return;
       var result = new ValidatorResult(instance, schema2, options, ctx);
-      var valid4 = instance < schema2.exclusiveMaximum;
-      if (!valid4) {
+      var valid3 = instance < schema2.exclusiveMaximum;
+      if (!valid3) {
         result.addError({
           name: "exclusiveMaximum",
           argument: schema2.exclusiveMaximum,
@@ -32649,8 +32649,8 @@ var require_semver3 = __commonJS({
         return null;
       }
     }
-    exports2.valid = valid4;
-    function valid4(version, options) {
+    exports2.valid = valid3;
+    function valid3(version, options) {
       var v = parse2(version, options);
       return v ? v.version : null;
     }
@@ -32950,8 +32950,8 @@ var require_semver3 = __commonJS({
       var versionB = new SemVer(b, loose);
       return versionA.compare(versionB) || versionA.compareBuild(versionB);
     }
-    exports2.rcompare = rcompare3;
-    function rcompare3(a, b, loose) {
+    exports2.rcompare = rcompare;
+    function rcompare(a, b, loose) {
       return compare2(b, a, loose);
     }
     exports2.sort = sort;
@@ -33779,7 +33779,7 @@ var require_cacheUtils = __commonJS({
     var crypto2 = __importStar2(require("crypto"));
     var fs3 = __importStar2(require("fs"));
     var path4 = __importStar2(require("path"));
-    var semver10 = __importStar2(require_semver3());
+    var semver9 = __importStar2(require_semver3());
     var util = __importStar2(require("util"));
     var constants_1 = require_constants7();
     var versionSalt = "1.0";
@@ -33872,7 +33872,7 @@ var require_cacheUtils = __commonJS({
     function getCompressionMethod() {
       return __awaiter2(this, void 0, void 0, function* () {
         const versionOutput = yield getVersion("zstd", ["--quiet"]);
-        const version = semver10.clean(versionOutput);
+        const version = semver9.clean(versionOutput);
         core15.debug(`zstd version: ${version}`);
         if (versionOutput === "") {
           return constants_1.CompressionMethod.Gzip;
@@ -75278,7 +75278,7 @@ var require_cacheHttpClient = __commonJS({
     exports2.getCacheEntry = getCacheEntry;
     exports2.downloadCache = downloadCache;
     exports2.reserveCache = reserveCache;
-    exports2.saveCache = saveCache5;
+    exports2.saveCache = saveCache4;
     var core15 = __importStar2(require_core());
     var http_client_1 = require_lib();
     var auth_1 = require_auth();
@@ -75455,7 +75455,7 @@ Other caches with similar key:`);
         }));
       });
     }
-    function saveCache5(cacheId, archivePath, signedUploadURL, options) {
+    function saveCache4(cacheId, archivePath, signedUploadURL, options) {
       return __awaiter2(this, void 0, void 0, function* () {
         const uploadOptions = (0, options_1.getUploadOptions)(options);
         if (uploadOptions.useAzureSdk) {
@@ -80955,8 +80955,8 @@ var require_cache4 = __commonJS({
     Object.defineProperty(exports2, "__esModule", { value: true });
     exports2.FinalizeCacheError = exports2.ReserveCacheError = exports2.ValidationError = void 0;
     exports2.isFeatureAvailable = isFeatureAvailable;
-    exports2.restoreCache = restoreCache5;
-    exports2.saveCache = saveCache5;
+    exports2.restoreCache = restoreCache4;
+    exports2.saveCache = saveCache4;
     var core15 = __importStar2(require_core());
     var path4 = __importStar2(require("path"));
     var utils = __importStar2(require_cacheUtils());
@@ -81013,7 +81013,7 @@ var require_cache4 = __commonJS({
           return !!process.env["ACTIONS_CACHE_URL"];
       }
     }
-    function restoreCache5(paths_1, primaryKey_1, restoreKeys_1, options_1) {
+    function restoreCache4(paths_1, primaryKey_1, restoreKeys_1, options_1) {
       return __awaiter2(this, arguments, void 0, function* (paths, primaryKey, restoreKeys, options, enableCrossOsArchive = false) {
         const cacheServiceVersion = (0, config_1.getCacheServiceVersion)();
         core15.debug(`Cache service version: ${cacheServiceVersion}`);
@@ -81157,7 +81157,7 @@ var require_cache4 = __commonJS({
         return void 0;
       });
     }
-    function saveCache5(paths_1, key_1, options_1) {
+    function saveCache4(paths_1, key_1, options_1) {
       return __awaiter2(this, arguments, void 0, function* (paths, key, options, enableCrossOsArchive = false) {
         const cacheServiceVersion = (0, config_1.getCacheServiceVersion)();
         core15.debug(`Cache service version: ${cacheServiceVersion}`);
@@ -88437,7 +88437,7 @@ var require_stream_writable = __commonJS({
       pna.nextTick(cb, er);
     }
     function validChunk(stream, state, chunk, cb) {
-      var valid4 = true;
+      var valid3 = true;
       var er = false;
       if (chunk === null) {
         er = new TypeError("May not write null values to stream");
@@ -88447,9 +88447,9 @@ var require_stream_writable = __commonJS({
       if (er) {
         stream.emit("error", er);
         pna.nextTick(cb, er);
-        valid4 = false;
+        valid3 = false;
       }
-      return valid4;
+      return valid3;
     }
     Writable.prototype.write = function(chunk, encoding, cb) {
       var state = this._writableState;
@@ -122745,7 +122745,7 @@ var require_manifest = __commonJS({
     exports2._findMatch = _findMatch;
     exports2._getOsVersion = _getOsVersion;
     exports2._readLinuxVersionFile = _readLinuxVersionFile;
-    var semver10 = __importStar2(require_semver2());
+    var semver9 = __importStar2(require_semver2());
     var core_1 = require_core();
     var os2 = require("os");
     var cp = require("child_process");
@@ -122759,7 +122759,7 @@ var require_manifest = __commonJS({
         for (const candidate of candidates) {
           const version = candidate.version;
           (0, core_1.debug)(`check ${version} satisfies ${versionSpec}`);
-          if (semver10.satisfies(version, versionSpec) && (!stable || candidate.stable === stable)) {
+          if (semver9.satisfies(version, versionSpec) && (!stable || candidate.stable === stable)) {
             file = candidate.files.find((item) => {
               (0, core_1.debug)(`${item.arch}===${archFilter} && ${item.platform}===${platFilter}`);
               let chk = item.arch === archFilter && item.platform === platFilter;
@@ -122768,7 +122768,7 @@ var require_manifest = __commonJS({
                 if (osVersion === item.platform_version) {
                   chk = true;
                 } else {
-                  chk = semver10.satisfies(osVersion, item.platform_version);
+                  chk = semver9.satisfies(osVersion, item.platform_version);
                 }
               }
               return chk;
@@ -123028,7 +123028,7 @@ var require_tool_cache = __commonJS({
     var os2 = __importStar2(require("os"));
     var path4 = __importStar2(require("path"));
     var httpm = __importStar2(require_lib());
-    var semver10 = __importStar2(require_semver2());
+    var semver9 = __importStar2(require_semver2());
     var stream = __importStar2(require("stream"));
     var util = __importStar2(require("util"));
     var assert_1 = require("assert");
@@ -123301,7 +123301,7 @@ var require_tool_cache = __commonJS({
     }
     function cacheDir(sourceDir, tool, version, arch) {
       return __awaiter2(this, void 0, void 0, function* () {
-        version = semver10.clean(version) || version;
+        version = semver9.clean(version) || version;
         arch = arch || os2.arch();
         core15.debug(`Caching tool ${tool} ${version} ${arch}`);
         core15.debug(`source dir: ${sourceDir}`);
@@ -123319,7 +123319,7 @@ var require_tool_cache = __commonJS({
     }
     function cacheFile(sourceFile, targetFile, tool, version, arch) {
       return __awaiter2(this, void 0, void 0, function* () {
-        version = semver10.clean(version) || version;
+        version = semver9.clean(version) || version;
         arch = arch || os2.arch();
         core15.debug(`Caching tool ${tool} ${version} ${arch}`);
         core15.debug(`source file: ${sourceFile}`);
@@ -123349,7 +123349,7 @@ var require_tool_cache = __commonJS({
       }
       let toolPath = "";
       if (versionSpec) {
-        versionSpec = semver10.clean(versionSpec) || "";
+        versionSpec = semver9.clean(versionSpec) || "";
         const cachePath = path4.join(_getCacheDirectory(), toolName, versionSpec, arch);
         core15.debug(`checking cache: ${cachePath}`);
         if (fs3.existsSync(cachePath) && fs3.existsSync(`${cachePath}.complete`)) {
@@ -123429,7 +123429,7 @@ var require_tool_cache = __commonJS({
     }
     function _createToolPath(tool, version, arch) {
       return __awaiter2(this, void 0, void 0, function* () {
-        const folderPath = path4.join(_getCacheDirectory(), tool, semver10.clean(version) || version, arch || "");
+        const folderPath = path4.join(_getCacheDirectory(), tool, semver9.clean(version) || version, arch || "");
         core15.debug(`destination ${folderPath}`);
         const markerPath = `${folderPath}.complete`;
         yield io6.rmRF(folderPath);
@@ -123439,30 +123439,30 @@ var require_tool_cache = __commonJS({
       });
     }
     function _completeToolPath(tool, version, arch) {
-      const folderPath = path4.join(_getCacheDirectory(), tool, semver10.clean(version) || version, arch || "");
+      const folderPath = path4.join(_getCacheDirectory(), tool, semver9.clean(version) || version, arch || "");
       const markerPath = `${folderPath}.complete`;
       fs3.writeFileSync(markerPath, "");
       core15.debug("finished caching tool");
     }
     function isExplicitVersion(versionSpec) {
-      const c = semver10.clean(versionSpec) || "";
+      const c = semver9.clean(versionSpec) || "";
       core15.debug(`isExplicit: ${c}`);
-      const valid4 = semver10.valid(c) != null;
-      core15.debug(`explicit? ${valid4}`);
-      return valid4;
+      const valid3 = semver9.valid(c) != null;
+      core15.debug(`explicit? ${valid3}`);
+      return valid3;
     }
     function evaluateVersions(versions, versionSpec) {
       let version = "";
       core15.debug(`evaluating ${versions.length} versions`);
       versions = versions.sort((a, b) => {
-        if (semver10.gt(a, b)) {
+        if (semver9.gt(a, b)) {
           return 1;
         }
         return -1;
       });
       for (let i = versions.length - 1; i >= 0; i--) {
         const potential = versions[i];
-        const satisfied = semver10.satisfies(potential, versionSpec);
+        const satisfied = semver9.satisfies(potential, versionSpec);
         if (satisfied) {
           version = potential;
           break;
@@ -126824,7 +126824,7 @@ function getTemporaryDirectory() {
   return value !== void 0 && value !== "" ? value : getRequiredEnvParam("RUNNER_TEMP");
 }
 function getActionVersion() {
-  return "4.35.5";
+  return "4.35.4";
 }
 var persistedInputsKey = "persisted_inputs";
 var restoreInputs = function() {
@@ -127203,16 +127203,6 @@ var featureConfig = {
     envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_DISABLE_TRAP_CACHING",
     minimumVersion: void 0
   },
-  ["overlay_analysis_match_codeql_version" /* OverlayAnalysisMatchCodeqlVersion */]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_MATCH_CODEQL_VERSION",
-    minimumVersion: void 0
-  },
-  ["overlay_analysis_match_codeql_version_dry_run" /* OverlayAnalysisMatchCodeqlVersionDryRun */]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_MATCH_CODEQL_VERSION_DRY_RUN",
-    minimumVersion: void 0
-  },
   ["overlay_analysis_resource_checks_v2" /* OverlayAnalysisResourceChecksV2 */]: {
     defaultValue: false,
     envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_RESOURCE_CHECKS_V2",
@@ -127515,30 +127505,24 @@ var cliErrorsConfig = {
 // src/setup-codeql.ts
 var toolcache3 = __toESM(require_tool_cache());
 var import_fast_deep_equal = __toESM(require_fast_deep_equal());
-var semver9 = __toESM(require_semver2());
-
-// src/overlay/caching.ts
-var actionsCache3 = __toESM(require_cache4());
-var semver6 = __toESM(require_semver2());
-var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB = 7500;
-var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_BYTES = OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB * 1e6;
+var semver8 = __toESM(require_semver2());
 
 // src/tar.ts
 var import_toolrunner = __toESM(require_toolrunner());
 var io4 = __toESM(require_io());
 var toolcache = __toESM(require_tool_cache());
-var semver7 = __toESM(require_semver2());
+var semver6 = __toESM(require_semver2());
 
 // src/tools-download.ts
 var core10 = __toESM(require_core());
 var import_http_client = __toESM(require_lib());
 var toolcache2 = __toESM(require_tool_cache());
 var import_follow_redirects = __toESM(require_follow_redirects());
-var semver8 = __toESM(require_semver2());
+var semver7 = __toESM(require_semver2());
 var STREAMING_HIGH_WATERMARK_BYTES = 4 * 1024 * 1024;
 
 // src/dependency-caching.ts
-var actionsCache4 = __toESM(require_cache4());
+var actionsCache3 = __toESM(require_cache4());
 var glob = __toESM(require_glob());
 
 // src/artifact-scanner.ts
@@ -127606,9 +127590,6 @@ async function scanArchiveFile(archivePath, relativeArchivePath, extractDir, log
       `Maximum archive extraction depth (${MAX_DEPTH}) reached for ${archivePath}`
     );
   }
-  if (process.platform === "win32") {
-    throw new Error("Scanning archives is not supported on Windows.");
-  }
   const result = {
     scannedFiles: 0,
     findings: []

lib/start-proxy-action.js

@@ -26499,8 +26499,8 @@ var require_rcompare = __commonJS({
   "node_modules/semver/functions/rcompare.js"(exports2, module2) {
     "use strict";
     var compare = require_compare();
-    var rcompare2 = (a, b, loose) => compare(b, a, loose);
-    module2.exports = rcompare2;
+    var rcompare = (a, b, loose) => compare(b, a, loose);
+    module2.exports = rcompare;
   }
 });
 
@@ -27725,7 +27725,7 @@ var require_semver2 = __commonJS({
     var patch = require_patch();
     var prerelease = require_prerelease();
     var compare = require_compare();
-    var rcompare2 = require_rcompare();
+    var rcompare = require_rcompare();
     var compareLoose = require_compare_loose();
     var compareBuild = require_compare_build();
     var sort = require_sort();
@@ -27763,7 +27763,7 @@ var require_semver2 = __commonJS({
       patch,
       prerelease,
       compare,
-      rcompare: rcompare2,
+      rcompare,
       compareLoose,
       compareBuild,
       sort,
@@ -33772,8 +33772,8 @@ var require_semver3 = __commonJS({
       var versionB = new SemVer(b, loose);
       return versionA.compare(versionB) || versionA.compareBuild(versionB);
     }
-    exports2.rcompare = rcompare2;
-    function rcompare2(a, b, loose) {
+    exports2.rcompare = rcompare;
+    function rcompare(a, b, loose) {
       return compare(b, a, loose);
     }
     exports2.sort = sort;
@@ -102813,7 +102813,7 @@ function getTemporaryDirectory() {
   return value !== void 0 && value !== "" ? value : getRequiredEnvParam("RUNNER_TEMP");
 }
 function getActionVersion() {
-  return "4.35.5";
+  return "4.35.4";
 }
 function getWorkflowEventName() {
   return getRequiredEnvParam("GITHUB_EVENT_NAME");
@@ -103064,8 +103064,8 @@ var path = __toESM(require("path"));
 var semver4 = __toESM(require_semver2());
 
 // src/defaults.json
-var bundleVersion = "codeql-bundle-v2.25.4";
-var cliVersion = "2.25.4";
+var bundleVersion = "codeql-bundle-v2.25.3";
+var cliVersion = "2.25.3";
 
 // src/git-utils.ts
 var core6 = __toESM(require_core());
@@ -103177,10 +103177,6 @@ var semver3 = __toESM(require_semver2());
 // src/feature-flags.ts
 var DEFAULT_VERSION_FEATURE_FLAG_PREFIX = "default_codeql_version_";
 var DEFAULT_VERSION_FEATURE_FLAG_SUFFIX = "_enabled";
-var LINKED_CODEQL_VERSION = {
-  cliVersion,
-  tagName: bundleVersion
-};
 var featureConfig = {
   ["allow_toolcache_input" /* AllowToolcacheInput */]: {
     defaultValue: false,
@@ -103335,16 +103331,6 @@ var featureConfig = {
     envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_DISABLE_TRAP_CACHING",
     minimumVersion: void 0
   },
-  ["overlay_analysis_match_codeql_version" /* OverlayAnalysisMatchCodeqlVersion */]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_MATCH_CODEQL_VERSION",
-    minimumVersion: void 0
-  },
-  ["overlay_analysis_match_codeql_version_dry_run" /* OverlayAnalysisMatchCodeqlVersionDryRun */]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_MATCH_CODEQL_VERSION_DRY_RUN",
-    minimumVersion: void 0
-  },
   ["overlay_analysis_resource_checks_v2" /* OverlayAnalysisResourceChecksV2 */]: {
     defaultValue: false,
     envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_RESOURCE_CHECKS_V2",
@@ -103405,9 +103391,10 @@ var OfflineFeatures = class {
     this.logger = logger;
   }
   logger;
-  async getEnabledDefaultCliVersions(_variant) {
+  async getDefaultCliVersion(_variant) {
     return {
-      enabledVersions: [LINKED_CODEQL_VERSION]
+      cliVersion,
+      tagName: bundleVersion
     };
   }
   /**
@@ -103512,11 +103499,11 @@ var Features = class extends OfflineFeatures {
       logger
     );
   }
-  async getEnabledDefaultCliVersions(variant) {
+  async getDefaultCliVersion(variant) {
     if (supportsFeatureFlags(variant)) {
-      return await this.gitHubFeatureFlags.getEnabledDefaultCliVersionsFromFlags();
+      return await this.gitHubFeatureFlags.getDefaultCliVersionFromFlags();
     }
-    return super.getEnabledDefaultCliVersions(variant);
+    return super.getDefaultCliVersion(variant);
   }
   /**
    *
@@ -103575,36 +103562,34 @@ var GitHubFeatureFlags = class {
     }
     return version;
   }
-  /**
-   * Returns CLI versions enabled by `default_codeql_version_*_enabled` feature
-   * flags, sorted from highest to lowest. Falls back to the version pinned in
-   * `defaults.json` if no such flags are enabled.
-   */
-  async getEnabledDefaultCliVersionsFromFlags() {
+  async getDefaultCliVersionFromFlags() {
     const response = await this.getAllFeatures();
-    const sortedCliVersions = Object.entries(response).map(
+    const enabledFeatureFlagCliVersions = Object.entries(response).map(
       ([f, isEnabled]) => isEnabled ? this.getCliVersionFromFeatureFlag(f) : void 0
-    ).filter((f) => f !== void 0).sort(semver4.rcompare);
-    if (sortedCliVersions.length === 0) {
+    ).filter((f) => f !== void 0);
+    if (enabledFeatureFlagCliVersions.length === 0) {
       this.logger.warning(
         `Feature flags do not specify a default CLI version. Falling back to the CLI version shipped with the Action. This is ${cliVersion}.`
       );
       const result = {
-        enabledVersions: [LINKED_CODEQL_VERSION]
+        cliVersion,
+        tagName: bundleVersion
       };
       if (this.hasAccessedRemoteFeatureFlags) {
         result.toolsFeatureFlagsValid = false;
       }
       return result;
     }
+    const maxCliVersion = enabledFeatureFlagCliVersions.reduce(
+      (maxVersion, currentVersion) => currentVersion > maxVersion ? currentVersion : maxVersion,
+      enabledFeatureFlagCliVersions[0]
+    );
     this.logger.debug(
-      `Derived default CLI version of ${sortedCliVersions[0]} from feature flags.`
+      `Derived default CLI version of ${maxCliVersion} from feature flags.`
     );
     return {
-      enabledVersions: sortedCliVersions.map((cliVersion2) => ({
-        cliVersion: cliVersion2,
-        tagName: `codeql-bundle-v${cliVersion2}`
-      })),
+      cliVersion: maxCliVersion,
+      tagName: `codeql-bundle-v${maxCliVersion}`,
       toolsFeatureFlagsValid: true
     };
   }
@@ -104484,7 +104469,7 @@ async function getReleaseByVersion(version) {
 }
 async function getCliVersionFromFeatures(features) {
   const gitHubVersion = await getGitHubVersion();
-  return await features.getEnabledDefaultCliVersions(gitHubVersion.type);
+  return await features.getDefaultCliVersion(gitHubVersion.type);
 }
 async function getDownloadUrl(logger, features) {
   const proxyPackage = getProxyPackage();
@@ -104492,7 +104477,7 @@ async function getDownloadUrl(logger, features) {
     const useFeaturesToDetermineCLI = await features.getValue(
       "start_proxy_use_features_release" /* StartProxyUseFeaturesRelease */
     );
-    const versionInfo = useFeaturesToDetermineCLI ? (await getCliVersionFromFeatures(features)).enabledVersions[0] : {
+    const versionInfo = useFeaturesToDetermineCLI ? await getCliVersionFromFeatures(features) : {
       cliVersion,
       tagName: bundleVersion
     };

lib/upload-lib.js

@@ -203,7 +203,7 @@ var require_file_command = __commonJS({
     Object.defineProperty(exports2, "__esModule", { value: true });
     exports2.issueFileCommand = issueFileCommand;
     exports2.prepareKeyValueMessage = prepareKeyValueMessage;
-    var crypto3 = __importStar2(require("crypto"));
+    var crypto2 = __importStar2(require("crypto"));
     var fs14 = __importStar2(require("fs"));
     var os2 = __importStar2(require("os"));
     var utils_1 = require_utils();
@@ -220,7 +220,7 @@ var require_file_command = __commonJS({
       });
     }
     function prepareKeyValueMessage(key, value) {
-      const delimiter = `ghadelimiter_${crypto3.randomUUID()}`;
+      const delimiter = `ghadelimiter_${crypto2.randomUUID()}`;
       const convertedValue = (0, utils_1.toCommandValue)(value);
       if (key.includes(delimiter)) {
         throw new Error(`Unexpected input: name should not contain the delimiter "${delimiter}"`);
@@ -4287,11 +4287,11 @@ var require_util2 = __commonJS({
     var { isUint8Array } = require("node:util/types");
     var { webidl } = require_webidl();
     var supportedHashes = [];
-    var crypto3;
+    var crypto2;
     try {
-      crypto3 = require("node:crypto");
+      crypto2 = require("node:crypto");
       const possibleRelevantHashes = ["sha256", "sha384", "sha512"];
-      supportedHashes = crypto3.getHashes().filter((hash2) => possibleRelevantHashes.includes(hash2));
+      supportedHashes = crypto2.getHashes().filter((hash2) => possibleRelevantHashes.includes(hash2));
     } catch {
     }
     function responseURL(response) {
@@ -4564,7 +4564,7 @@ var require_util2 = __commonJS({
       }
     }
     function bytesMatch(bytes, metadataList) {
-      if (crypto3 === void 0) {
+      if (crypto2 === void 0) {
         return true;
       }
       const parsedMetadata = parseMetadata(metadataList);
@@ -4579,7 +4579,7 @@ var require_util2 = __commonJS({
       for (const item of metadata) {
         const algorithm = item.algo;
         const expectedValue = item.hash;
-        let actualValue = crypto3.createHash(algorithm).update(bytes).digest("base64");
+        let actualValue = crypto2.createHash(algorithm).update(bytes).digest("base64");
         if (actualValue[actualValue.length - 1] === "=") {
           if (actualValue[actualValue.length - 2] === "=") {
             actualValue = actualValue.slice(0, -2);
@@ -5643,8 +5643,8 @@ var require_body = __commonJS({
     var { multipartFormDataParser } = require_formdata_parser();
     var random;
     try {
-      const crypto3 = require("node:crypto");
-      random = (max) => crypto3.randomInt(0, max);
+      const crypto2 = require("node:crypto");
+      random = (max) => crypto2.randomInt(0, max);
     } catch {
       random = (max) => Math.floor(Math.random(max));
     }
@@ -17052,13 +17052,13 @@ var require_frame = __commonJS({
     "use strict";
     var { maxUnsigned16Bit } = require_constants5();
     var BUFFER_SIZE = 16386;
-    var crypto3;
+    var crypto2;
     var buffer = null;
     var bufIdx = BUFFER_SIZE;
     try {
-      crypto3 = require("node:crypto");
+      crypto2 = require("node:crypto");
     } catch {
-      crypto3 = {
+      crypto2 = {
         // not full compatibility, but minimum.
         randomFillSync: function randomFillSync(buffer2, _offset, _size) {
           for (let i = 0; i < buffer2.length; ++i) {
@@ -17071,7 +17071,7 @@ var require_frame = __commonJS({
     function generateMask() {
       if (bufIdx === BUFFER_SIZE) {
         bufIdx = 0;
-        crypto3.randomFillSync(buffer ??= Buffer.allocUnsafe(BUFFER_SIZE), 0, BUFFER_SIZE);
+        crypto2.randomFillSync(buffer ??= Buffer.allocUnsafe(BUFFER_SIZE), 0, BUFFER_SIZE);
       }
       return [buffer[bufIdx++], buffer[bufIdx++], buffer[bufIdx++], buffer[bufIdx++]];
     }
@@ -17143,9 +17143,9 @@ var require_connection = __commonJS({
     var { Headers, getHeadersList } = require_headers();
     var { getDecodeSplit } = require_util2();
     var { WebsocketFrameSend } = require_frame();
-    var crypto3;
+    var crypto2;
     try {
-      crypto3 = require("node:crypto");
+      crypto2 = require("node:crypto");
     } catch {
     }
     function establishWebSocketConnection(url2, protocols, client, ws, onEstablish, options) {
@@ -17165,7 +17165,7 @@ var require_connection = __commonJS({
         const headersList = getHeadersList(new Headers(options.headers));
         request2.headersList = headersList;
       }
-      const keyValue = crypto3.randomBytes(16).toString("base64");
+      const keyValue = crypto2.randomBytes(16).toString("base64");
       request2.headersList.append("sec-websocket-key", keyValue);
       request2.headersList.append("sec-websocket-version", "13");
       for (const protocol of protocols) {
@@ -17195,7 +17195,7 @@ var require_connection = __commonJS({
             return;
           }
           const secWSAccept = response.headersList.get("Sec-WebSocket-Accept");
-          const digest = crypto3.createHash("sha1").update(keyValue + uid).digest("base64");
+          const digest = crypto2.createHash("sha1").update(keyValue + uid).digest("base64");
           if (secWSAccept !== digest) {
             failWebsocketConnection(ws, "Incorrect hash received in Sec-WebSocket-Accept header.");
             return;
@@ -21993,16 +21993,16 @@ var require_attribute = __commonJS({
       var result = new ValidatorResult(instance, schema2, options, ctx);
       var self2 = this;
       schema2.allOf.forEach(function(v, i) {
-        var valid4 = self2.validateSchema(instance, v, options, ctx);
-        if (!valid4.valid) {
+        var valid3 = self2.validateSchema(instance, v, options, ctx);
+        if (!valid3.valid) {
           var id = v.$id || v.id;
           var msg = id || v.title && JSON.stringify(v.title) || v["$ref"] && "<" + v["$ref"] + ">" || "[subschema " + i + "]";
           result.addError({
             name: "allOf",
-            argument: { id: msg, length: valid4.errors.length, valid: valid4 },
-            message: "does not match allOf schema " + msg + " with " + valid4.errors.length + " error[s]:"
+            argument: { id: msg, length: valid3.errors.length, valid: valid3 },
+            message: "does not match allOf schema " + msg + " with " + valid3.errors.length + " error[s]:"
           });
-          result.importErrors(valid4);
+          result.importErrors(valid3);
         }
       });
       return result;
@@ -22291,8 +22291,8 @@ var require_attribute = __commonJS({
       if (typeof schema2.exclusiveMinimum === "boolean") return;
       if (!this.types.number(instance)) return;
       var result = new ValidatorResult(instance, schema2, options, ctx);
-      var valid4 = instance > schema2.exclusiveMinimum;
-      if (!valid4) {
+      var valid3 = instance > schema2.exclusiveMinimum;
+      if (!valid3) {
         result.addError({
           name: "exclusiveMinimum",
           argument: schema2.exclusiveMinimum,
@@ -22305,8 +22305,8 @@ var require_attribute = __commonJS({
       if (typeof schema2.exclusiveMaximum === "boolean") return;
       if (!this.types.number(instance)) return;
       var result = new ValidatorResult(instance, schema2, options, ctx);
-      var valid4 = instance < schema2.exclusiveMaximum;
-      if (!valid4) {
+      var valid3 = instance < schema2.exclusiveMaximum;
+      if (!valid3) {
         result.addError({
           name: "exclusiveMaximum",
           argument: schema2.exclusiveMaximum,
@@ -27657,11 +27657,11 @@ var require_valid = __commonJS({
   "node_modules/semver/functions/valid.js"(exports2, module2) {
     "use strict";
     var parse2 = require_parse2();
-    var valid4 = (version, options) => {
+    var valid3 = (version, options) => {
       const v = parse2(version, options);
       return v ? v.version : null;
     };
-    module2.exports = valid4;
+    module2.exports = valid3;
   }
 });
 
@@ -27804,8 +27804,8 @@ var require_rcompare = __commonJS({
   "node_modules/semver/functions/rcompare.js"(exports2, module2) {
     "use strict";
     var compare3 = require_compare();
-    var rcompare3 = (a, b, loose) => compare3(b, a, loose);
-    module2.exports = rcompare3;
+    var rcompare = (a, b, loose) => compare3(b, a, loose);
+    module2.exports = rcompare;
   }
 });
 
@@ -29021,7 +29021,7 @@ var require_semver2 = __commonJS({
     var SemVer = require_semver();
     var identifiers = require_identifiers();
     var parse2 = require_parse2();
-    var valid4 = require_valid();
+    var valid3 = require_valid();
     var clean3 = require_clean();
     var inc = require_inc();
     var diff = require_diff();
@@ -29030,7 +29030,7 @@ var require_semver2 = __commonJS({
     var patch = require_patch();
     var prerelease = require_prerelease();
     var compare3 = require_compare();
-    var rcompare3 = require_rcompare();
+    var rcompare = require_rcompare();
     var compareLoose = require_compare_loose();
     var compareBuild = require_compare_build();
     var sort = require_sort();
@@ -29059,7 +29059,7 @@ var require_semver2 = __commonJS({
     var subset = require_subset();
     module2.exports = {
       parse: parse2,
-      valid: valid4,
+      valid: valid3,
       clean: clean3,
       inc,
       diff,
@@ -29068,7 +29068,7 @@ var require_semver2 = __commonJS({
       patch,
       prerelease,
       compare: compare3,
-      rcompare: rcompare3,
+      rcompare,
       compareLoose,
       compareBuild,
       sort,
@@ -32371,7 +32371,7 @@ var require_internal_hash_files = __commonJS({
     };
     Object.defineProperty(exports2, "__esModule", { value: true });
     exports2.hashFiles = hashFiles;
-    var crypto3 = __importStar2(require("crypto"));
+    var crypto2 = __importStar2(require("crypto"));
     var core14 = __importStar2(require_core());
     var fs14 = __importStar2(require("fs"));
     var stream2 = __importStar2(require("stream"));
@@ -32384,7 +32384,7 @@ var require_internal_hash_files = __commonJS({
         const writeDelegate = verbose ? core14.info : core14.debug;
         let hasMatch = false;
         const githubWorkspace = currentWorkspace ? currentWorkspace : (_d = process.env["GITHUB_WORKSPACE"]) !== null && _d !== void 0 ? _d : process.cwd();
-        const result = crypto3.createHash("sha256");
+        const result = crypto2.createHash("sha256");
         let count = 0;
         try {
           for (var _e = true, _f = __asyncValues2(globber.globGenerator()), _g; _g = yield _f.next(), _a = _g.done, !_a; _e = true) {
@@ -32400,7 +32400,7 @@ var require_internal_hash_files = __commonJS({
               writeDelegate(`Skip directory '${file}'.`);
               continue;
             }
-            const hash2 = crypto3.createHash("sha256");
+            const hash2 = crypto2.createHash("sha256");
             const pipeline = util.promisify(stream2.pipeline);
             yield pipeline(fs14.createReadStream(file), hash2);
             result.write(hash2.digest());
@@ -32649,8 +32649,8 @@ var require_semver3 = __commonJS({
         return null;
       }
     }
-    exports2.valid = valid4;
-    function valid4(version, options) {
+    exports2.valid = valid3;
+    function valid3(version, options) {
       var v = parse2(version, options);
       return v ? v.version : null;
     }
@@ -32950,8 +32950,8 @@ var require_semver3 = __commonJS({
       var versionB = new SemVer(b, loose);
       return versionA.compare(versionB) || versionA.compareBuild(versionB);
     }
-    exports2.rcompare = rcompare3;
-    function rcompare3(a, b, loose) {
+    exports2.rcompare = rcompare;
+    function rcompare(a, b, loose) {
       return compare3(b, a, loose);
     }
     exports2.sort = sort;
@@ -33776,10 +33776,10 @@ var require_cacheUtils = __commonJS({
     var exec = __importStar2(require_exec());
     var glob = __importStar2(require_glob());
     var io6 = __importStar2(require_io());
-    var crypto3 = __importStar2(require("crypto"));
+    var crypto2 = __importStar2(require("crypto"));
     var fs14 = __importStar2(require("fs"));
     var path12 = __importStar2(require("path"));
-    var semver10 = __importStar2(require_semver3());
+    var semver9 = __importStar2(require_semver3());
     var util = __importStar2(require("util"));
     var constants_1 = require_constants7();
     var versionSalt = "1.0";
@@ -33800,7 +33800,7 @@ var require_cacheUtils = __commonJS({
           }
           tempDirectory = path12.join(baseLocation, "actions", "temp");
         }
-        const dest = path12.join(tempDirectory, crypto3.randomUUID());
+        const dest = path12.join(tempDirectory, crypto2.randomUUID());
         yield io6.mkdirP(dest);
         return dest;
       });
@@ -33872,7 +33872,7 @@ var require_cacheUtils = __commonJS({
     function getCompressionMethod() {
       return __awaiter2(this, void 0, void 0, function* () {
         const versionOutput = yield getVersion("zstd", ["--quiet"]);
-        const version = semver10.clean(versionOutput);
+        const version = semver9.clean(versionOutput);
         core14.debug(`zstd version: ${version}`);
         if (versionOutput === "") {
           return constants_1.CompressionMethod.Gzip;
@@ -33908,7 +33908,7 @@ var require_cacheUtils = __commonJS({
         components.push("windows-only");
       }
       components.push(versionSalt);
-      return crypto3.createHash("sha256").update(components.join("|")).digest("hex");
+      return crypto2.createHash("sha256").update(components.join("|")).digest("hex");
     }
     function getRuntimeToken() {
       const token = process.env["ACTIONS_RUNTIME_TOKEN"];
@@ -75278,7 +75278,7 @@ var require_cacheHttpClient = __commonJS({
     exports2.getCacheEntry = getCacheEntry;
     exports2.downloadCache = downloadCache;
     exports2.reserveCache = reserveCache;
-    exports2.saveCache = saveCache4;
+    exports2.saveCache = saveCache3;
     var core14 = __importStar2(require_core());
     var http_client_1 = require_lib();
     var auth_1 = require_auth();
@@ -75455,7 +75455,7 @@ Other caches with similar key:`);
         }));
       });
     }
-    function saveCache4(cacheId, archivePath, signedUploadURL, options) {
+    function saveCache3(cacheId, archivePath, signedUploadURL, options) {
       return __awaiter2(this, void 0, void 0, function* () {
         const uploadOptions = (0, options_1.getUploadOptions)(options);
         if (uploadOptions.useAzureSdk) {
@@ -80955,8 +80955,8 @@ var require_cache4 = __commonJS({
     Object.defineProperty(exports2, "__esModule", { value: true });
     exports2.FinalizeCacheError = exports2.ReserveCacheError = exports2.ValidationError = void 0;
     exports2.isFeatureAvailable = isFeatureAvailable;
-    exports2.restoreCache = restoreCache4;
-    exports2.saveCache = saveCache4;
+    exports2.restoreCache = restoreCache3;
+    exports2.saveCache = saveCache3;
     var core14 = __importStar2(require_core());
     var path12 = __importStar2(require("path"));
     var utils = __importStar2(require_cacheUtils());
@@ -81013,7 +81013,7 @@ var require_cache4 = __commonJS({
           return !!process.env["ACTIONS_CACHE_URL"];
       }
     }
-    function restoreCache4(paths_1, primaryKey_1, restoreKeys_1, options_1) {
+    function restoreCache3(paths_1, primaryKey_1, restoreKeys_1, options_1) {
       return __awaiter2(this, arguments, void 0, function* (paths, primaryKey, restoreKeys, options, enableCrossOsArchive = false) {
         const cacheServiceVersion = (0, config_1.getCacheServiceVersion)();
         core14.debug(`Cache service version: ${cacheServiceVersion}`);
@@ -81157,7 +81157,7 @@ var require_cache4 = __commonJS({
         return void 0;
       });
     }
-    function saveCache4(paths_1, key_1, options_1) {
+    function saveCache3(paths_1, key_1, options_1) {
       return __awaiter2(this, arguments, void 0, function* (paths, key, options, enableCrossOsArchive = false) {
         const cacheServiceVersion = (0, config_1.getCacheServiceVersion)();
         core14.debug(`Cache service version: ${cacheServiceVersion}`);
@@ -81394,7 +81394,7 @@ var require_manifest = __commonJS({
     exports2._findMatch = _findMatch;
     exports2._getOsVersion = _getOsVersion;
     exports2._readLinuxVersionFile = _readLinuxVersionFile;
-    var semver10 = __importStar2(require_semver2());
+    var semver9 = __importStar2(require_semver2());
     var core_1 = require_core();
     var os2 = require("os");
     var cp = require("child_process");
@@ -81408,7 +81408,7 @@ var require_manifest = __commonJS({
         for (const candidate of candidates) {
           const version = candidate.version;
           (0, core_1.debug)(`check ${version} satisfies ${versionSpec}`);
-          if (semver10.satisfies(version, versionSpec) && (!stable || candidate.stable === stable)) {
+          if (semver9.satisfies(version, versionSpec) && (!stable || candidate.stable === stable)) {
             file = candidate.files.find((item) => {
               (0, core_1.debug)(`${item.arch}===${archFilter} && ${item.platform}===${platFilter}`);
               let chk = item.arch === archFilter && item.platform === platFilter;
@@ -81417,7 +81417,7 @@ var require_manifest = __commonJS({
                 if (osVersion === item.platform_version) {
                   chk = true;
                 } else {
-                  chk = semver10.satisfies(osVersion, item.platform_version);
+                  chk = semver9.satisfies(osVersion, item.platform_version);
                 }
               }
               return chk;
@@ -81671,13 +81671,13 @@ var require_tool_cache = __commonJS({
     exports2.evaluateVersions = evaluateVersions;
     var core14 = __importStar2(require_core());
     var io6 = __importStar2(require_io());
-    var crypto3 = __importStar2(require("crypto"));
+    var crypto2 = __importStar2(require("crypto"));
     var fs14 = __importStar2(require("fs"));
     var mm = __importStar2(require_manifest());
     var os2 = __importStar2(require("os"));
     var path12 = __importStar2(require("path"));
     var httpm = __importStar2(require_lib());
-    var semver10 = __importStar2(require_semver2());
+    var semver9 = __importStar2(require_semver2());
     var stream2 = __importStar2(require("stream"));
     var util = __importStar2(require("util"));
     var assert_1 = require("assert");
@@ -81696,7 +81696,7 @@ var require_tool_cache = __commonJS({
     var userAgent2 = "actions/tool-cache";
     function downloadTool2(url2, dest, auth2, headers) {
       return __awaiter2(this, void 0, void 0, function* () {
-        dest = dest || path12.join(_getTempDirectory(), crypto3.randomUUID());
+        dest = dest || path12.join(_getTempDirectory(), crypto2.randomUUID());
         yield io6.mkdirP(path12.dirname(dest));
         core14.debug(`Downloading ${url2}`);
         core14.debug(`Destination ${dest}`);
@@ -81950,7 +81950,7 @@ var require_tool_cache = __commonJS({
     }
     function cacheDir(sourceDir, tool, version, arch2) {
       return __awaiter2(this, void 0, void 0, function* () {
-        version = semver10.clean(version) || version;
+        version = semver9.clean(version) || version;
         arch2 = arch2 || os2.arch();
         core14.debug(`Caching tool ${tool} ${version} ${arch2}`);
         core14.debug(`source dir: ${sourceDir}`);
@@ -81968,7 +81968,7 @@ var require_tool_cache = __commonJS({
     }
     function cacheFile(sourceFile, targetFile, tool, version, arch2) {
       return __awaiter2(this, void 0, void 0, function* () {
-        version = semver10.clean(version) || version;
+        version = semver9.clean(version) || version;
         arch2 = arch2 || os2.arch();
         core14.debug(`Caching tool ${tool} ${version} ${arch2}`);
         core14.debug(`source file: ${sourceFile}`);
@@ -81998,7 +81998,7 @@ var require_tool_cache = __commonJS({
       }
       let toolPath = "";
       if (versionSpec) {
-        versionSpec = semver10.clean(versionSpec) || "";
+        versionSpec = semver9.clean(versionSpec) || "";
         const cachePath = path12.join(_getCacheDirectory(), toolName, versionSpec, arch2);
         core14.debug(`checking cache: ${cachePath}`);
         if (fs14.existsSync(cachePath) && fs14.existsSync(`${cachePath}.complete`)) {
@@ -82070,7 +82070,7 @@ var require_tool_cache = __commonJS({
     function _createExtractFolder(dest) {
       return __awaiter2(this, void 0, void 0, function* () {
         if (!dest) {
-          dest = path12.join(_getTempDirectory(), crypto3.randomUUID());
+          dest = path12.join(_getTempDirectory(), crypto2.randomUUID());
         }
         yield io6.mkdirP(dest);
         return dest;
@@ -82078,7 +82078,7 @@ var require_tool_cache = __commonJS({
     }
     function _createToolPath(tool, version, arch2) {
       return __awaiter2(this, void 0, void 0, function* () {
-        const folderPath = path12.join(_getCacheDirectory(), tool, semver10.clean(version) || version, arch2 || "");
+        const folderPath = path12.join(_getCacheDirectory(), tool, semver9.clean(version) || version, arch2 || "");
         core14.debug(`destination ${folderPath}`);
         const markerPath = `${folderPath}.complete`;
         yield io6.rmRF(folderPath);
@@ -82088,30 +82088,30 @@ var require_tool_cache = __commonJS({
       });
     }
     function _completeToolPath(tool, version, arch2) {
-      const folderPath = path12.join(_getCacheDirectory(), tool, semver10.clean(version) || version, arch2 || "");
+      const folderPath = path12.join(_getCacheDirectory(), tool, semver9.clean(version) || version, arch2 || "");
       const markerPath = `${folderPath}.complete`;
       fs14.writeFileSync(markerPath, "");
       core14.debug("finished caching tool");
     }
     function isExplicitVersion(versionSpec) {
-      const c = semver10.clean(versionSpec) || "";
+      const c = semver9.clean(versionSpec) || "";
       core14.debug(`isExplicit: ${c}`);
-      const valid4 = semver10.valid(c) != null;
-      core14.debug(`explicit? ${valid4}`);
-      return valid4;
+      const valid3 = semver9.valid(c) != null;
+      core14.debug(`explicit? ${valid3}`);
+      return valid3;
     }
     function evaluateVersions(versions, versionSpec) {
       let version = "";
       core14.debug(`evaluating ${versions.length} versions`);
       versions = versions.sort((a, b) => {
-        if (semver10.gt(a, b)) {
+        if (semver9.gt(a, b)) {
           return 1;
         }
         return -1;
       });
       for (let i = versions.length - 1; i >= 0; i--) {
         const potential = versions[i];
-        const satisfied = semver10.satisfies(potential, versionSpec);
+        const satisfied = semver9.satisfies(potential, versionSpec);
         if (satisfied) {
           version = potential;
           break;
@@ -88509,7 +88509,7 @@ function getDiffRangesJsonFilePath() {
   return path2.join(getTemporaryDirectory(), PR_DIFF_RANGE_JSON_FILENAME);
 }
 function getActionVersion() {
-  return "4.35.5";
+  return "4.35.4";
 }
 function getWorkflowEventName() {
   return getRequiredEnvParam("GITHUB_EVENT_NAME");
@@ -88630,32 +88630,6 @@ async function runTool(cmd, args = [], opts = {}) {
   }
   return stdout;
 }
-function getPullRequestBranches() {
-  const pullRequest = github.context.payload.pull_request;
-  if (pullRequest) {
-    return {
-      base: pullRequest.base.ref,
-      // We use the head label instead of the head ref here, because the head
-      // ref lacks owner information and by itself does not uniquely identify
-      // the head branch (which may be in a forked repository).
-      head: pullRequest.head.label
-    };
-  }
-  const codeScanningRef = process.env.CODE_SCANNING_REF;
-  const codeScanningBaseBranch = process.env.CODE_SCANNING_BASE_BRANCH;
-  if (codeScanningRef && codeScanningBaseBranch) {
-    return {
-      base: codeScanningBaseBranch,
-      // PR analysis under Default Setup analyzes the PR head commit instead of
-      // the merge commit, so we can use the provided ref directly.
-      head: codeScanningRef
-    };
-  }
-  return void 0;
-}
-function isAnalyzingPullRequest() {
-  return getPullRequestBranches() !== void 0;
-}
 var qualityCategoryMapping = {
   "c#": "csharp",
   cpp: "c-cpp",
@@ -88938,11 +88912,6 @@ async function getAnalysisKey() {
   core5.exportVariable("CODEQL_ACTION_ANALYSIS_KEY" /* ANALYSIS_KEY */, analysisKey);
   return analysisKey;
 }
-async function getAutomationID() {
-  const analysis_key = await getAnalysisKey();
-  const environment = getRequiredInput("matrix");
-  return computeAutomationID(analysis_key, environment);
-}
 function computeAutomationID(analysis_key, environment) {
   let automationID = `${analysis_key}/`;
   const matrix = parseMatrixInput(environment);
@@ -88957,18 +88926,6 @@ function computeAutomationID(analysis_key, environment) {
   }
   return automationID;
 }
-async function listActionsCaches(keyPrefix, ref) {
-  const repositoryNwo = getRepositoryNwo();
-  return await getApiClient().paginate(
-    "GET /repos/{owner}/{repo}/actions/caches",
-    {
-      owner: repositoryNwo.owner,
-      repo: repositoryNwo.repo,
-      key: keyPrefix,
-      ref
-    }
-  );
-}
 function isEnablementError(msg) {
   return [
     /Code Security must be enabled/i,
@@ -89267,13 +89224,7 @@ var path6 = __toESM(require("path"));
 var core9 = __toESM(require_core());
 
 // src/caching-utils.ts
-var crypto2 = __toESM(require("crypto"));
 var core6 = __toESM(require_core());
-var cacheKeyHashLength = 16;
-function createCacheKeyHash(components) {
-  const componentsJson = JSON.stringify(components);
-  return crypto2.createHash("sha256").update(componentsJson).digest("hex").substring(0, cacheKeyHashLength);
-}
 
 // src/config/db-config.ts
 var jsonschema = __toESM(require_lib2());
@@ -89388,16 +89339,6 @@ function writeDiagnostic(config, language, diagnostic) {
     logger.debug(JSON.stringify(diagnostic));
   }
 }
-function makeTelemetryDiagnostic(id, name, attributes) {
-  return makeDiagnostic(id, name, {
-    attributes,
-    visibility: {
-      cliSummaryTable: false,
-      statusPage: false,
-      telemetry: true
-    }
-  });
-}
 
 // src/diff-informed-analysis-utils.ts
 var fs5 = __toESM(require("fs"));
@@ -89406,8 +89347,8 @@ var fs5 = __toESM(require("fs"));
 var semver5 = __toESM(require_semver2());
 
 // src/defaults.json
-var bundleVersion = "codeql-bundle-v2.25.4";
-var cliVersion = "2.25.4";
+var bundleVersion = "codeql-bundle-v2.25.3";
+var cliVersion = "2.25.3";
 
 // src/overlay/index.ts
 var fs4 = __toESM(require("fs"));
@@ -89905,16 +89846,6 @@ var featureConfig = {
     envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_DISABLE_TRAP_CACHING",
     minimumVersion: void 0
   },
-  ["overlay_analysis_match_codeql_version" /* OverlayAnalysisMatchCodeqlVersion */]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_MATCH_CODEQL_VERSION",
-    minimumVersion: void 0
-  },
-  ["overlay_analysis_match_codeql_version_dry_run" /* OverlayAnalysisMatchCodeqlVersionDryRun */]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_MATCH_CODEQL_VERSION_DRY_RUN",
-    minimumVersion: void 0
-  },
   ["overlay_analysis_resource_checks_v2" /* OverlayAnalysisResourceChecksV2 */]: {
     defaultValue: false,
     envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_RESOURCE_CHECKS_V2",
@@ -90021,17 +89952,6 @@ var builtin_default = {
 
 // src/languages/index.ts
 var builtInLanguageSet = new Set(builtin_default.languages);
-function isBuiltInLanguage(language) {
-  return builtInLanguageSet.has(language);
-}
-function parseBuiltInLanguage(language) {
-  language = language.trim().toLowerCase();
-  language = builtin_default.aliases[language] ?? language;
-  if (isBuiltInLanguage(language)) {
-    return language;
-  }
-  return void 0;
-}
 
 // src/overlay/status.ts
 var actionsCache = __toESM(require_cache4());
@@ -90111,7 +90031,7 @@ var fs9 = __toESM(require("fs"));
 var path8 = __toESM(require("path"));
 var toolcache3 = __toESM(require_tool_cache());
 var import_fast_deep_equal = __toESM(require_fast_deep_equal());
-var semver9 = __toESM(require_semver2());
+var semver8 = __toESM(require_semver2());
 
 // node_modules/uuid/dist-node/stringify.js
 var byteToHex = [];
@@ -90157,68 +90077,6 @@ function _v4(options, buf, offset) {
 }
 var v4_default = v4;
 
-// src/overlay/caching.ts
-var actionsCache3 = __toESM(require_cache4());
-var semver6 = __toESM(require_semver2());
-var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB = 7500;
-var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_BYTES = OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB * 1e6;
-var CACHE_VERSION = 1;
-var CACHE_PREFIX = "codeql-overlay-base-database";
-async function getCacheKeyPrefixBase(parsedLanguages) {
-  const languagesComponent = [...parsedLanguages].sort().join("_");
-  const cacheKeyComponents = {
-    automationID: await getAutomationID()
-    // Add more components here as needed in the future
-  };
-  const componentsHash = createCacheKeyHash(cacheKeyComponents);
-  return `${CACHE_PREFIX}-${CACHE_VERSION}-${componentsHash}-${languagesComponent}-`;
-}
-async function getCodeQlVersionsForOverlayBaseDatabases(rawLanguages, logger) {
-  const languages = rawLanguages.map(parseBuiltInLanguage);
-  if (languages.includes(void 0)) {
-    logger.warning(
-      "One or more provided languages are not recognized as built-in languages. Skipping searching for overlay-base databases in cache."
-    );
-    return void 0;
-  }
-  const dedupedLanguages = [
-    ...new Set(languages.filter((l) => l !== void 0))
-  ];
-  const cacheKeyPrefix = await getCacheKeyPrefixBase(dedupedLanguages);
-  logger.debug(
-    `Searching for overlay-base databases in Actions cache with prefix ${cacheKeyPrefix}`
-  );
-  const caches = await listActionsCaches(cacheKeyPrefix);
-  if (caches.length === 0) {
-    logger.info("No overlay-base databases found in Actions cache.");
-    return [];
-  }
-  logger.info(
-    `Found ${caches.length} overlay-base ${caches.length === 1 ? "database" : "databases"} in the Actions cache.`
-  );
-  const versionRegex = /^([\d.]+)-/;
-  const versionSet = /* @__PURE__ */ new Set();
-  for (const cache of caches) {
-    if (!cache.key) continue;
-    const suffix = cache.key.substring(cacheKeyPrefix.length);
-    const match = suffix.match(versionRegex);
-    if (match && semver6.valid(match[1])) {
-      versionSet.add(match[1]);
-    }
-  }
-  if (versionSet.size === 0) {
-    logger.info(
-      "Could not parse any CodeQL versions from overlay-base database cache keys."
-    );
-    return [];
-  }
-  const versions = [...versionSet].sort(semver6.rcompare);
-  logger.info(
-    `Found overlay databases for the following CodeQL versions in the Actions cache: ${versions.join(", ")}`
-  );
-  return versions;
-}
-
 // src/tar.ts
 var import_child_process = require("child_process");
 var fs7 = __toESM(require("fs"));
@@ -90226,7 +90084,7 @@ var stream = __toESM(require("stream"));
 var import_toolrunner = __toESM(require_toolrunner());
 var io4 = __toESM(require_io());
 var toolcache = __toESM(require_tool_cache());
-var semver7 = __toESM(require_semver2());
+var semver6 = __toESM(require_semver2());
 var MIN_REQUIRED_BSD_TAR_VERSION = "3.4.3";
 var MIN_REQUIRED_GNU_TAR_VERSION = "1.31";
 async function getTarVersion() {
@@ -90268,9 +90126,9 @@ async function isZstdAvailable(logger) {
       case "gnu":
         return {
           available: foundZstdBinary && // GNU tar only uses major and minor version numbers
-          semver7.gte(
-            semver7.coerce(version),
-            semver7.coerce(MIN_REQUIRED_GNU_TAR_VERSION)
+          semver6.gte(
+            semver6.coerce(version),
+            semver6.coerce(MIN_REQUIRED_GNU_TAR_VERSION)
           ),
           foundZstdBinary,
           version: tarVersion
@@ -90279,7 +90137,7 @@ async function isZstdAvailable(logger) {
         return {
           available: foundZstdBinary && // Do a loose comparison since these version numbers don't contain
           // a patch version number.
-          semver7.gte(version, MIN_REQUIRED_BSD_TAR_VERSION),
+          semver6.gte(version, MIN_REQUIRED_BSD_TAR_VERSION),
           foundZstdBinary,
           version: tarVersion
         };
@@ -90386,7 +90244,7 @@ var core10 = __toESM(require_core());
 var import_http_client = __toESM(require_lib());
 var toolcache2 = __toESM(require_tool_cache());
 var import_follow_redirects = __toESM(require_follow_redirects());
-var semver8 = __toESM(require_semver2());
+var semver7 = __toESM(require_semver2());
 var STREAMING_HIGH_WATERMARK_BYTES = 4 * 1024 * 1024;
 var TOOLCACHE_TOOL_NAME = "CodeQL";
 function makeDownloadFirstToolsDownloadDurations(downloadDurationMs, extractionDurationMs) {
@@ -90516,7 +90374,7 @@ function getToolcacheDirectory(version) {
   return path7.join(
     getRequiredEnvParam("RUNNER_TOOL_CACHE"),
     TOOLCACHE_TOOL_NAME,
-    semver8.clean(version) || version,
+    semver7.clean(version) || version,
     os.arch() || ""
   );
 }
@@ -90641,13 +90499,13 @@ function tryGetTagNameFromUrl(url2, logger) {
   return match[1];
 }
 function convertToSemVer(version, logger) {
-  if (!semver9.valid(version)) {
+  if (!semver8.valid(version)) {
     logger.debug(
       `Bundle version ${version} is not in SemVer format. Will treat it as pre-release 0.0.0-${version}.`
     );
     version = `0.0.0-${version}`;
   }
-  const s = semver9.clean(version);
+  const s = semver8.clean(version);
   if (!s) {
     throw new Error(`Bundle version ${version} is not in SemVer format.`);
   }
@@ -90679,84 +90537,7 @@ async function findOverridingToolsInCache(humanReadableVersion, logger) {
   }
   return void 0;
 }
-async function getEnabledVersionsWithOverlayBaseDatabases(defaultCliVersion, rawLanguages, features, logger) {
-  if (rawLanguages === void 0 || rawLanguages.length === 0) {
-    return [];
-  }
-  const isEnabled = await features.getValue(
-    "overlay_analysis_match_codeql_version" /* OverlayAnalysisMatchCodeqlVersion */
-  );
-  const isDryRun = !isEnabled && await features.getValue("overlay_analysis_match_codeql_version_dry_run" /* OverlayAnalysisMatchCodeqlVersionDryRun */);
-  if (!isEnabled && !isDryRun) {
-    return [];
-  }
-  let cachedVersions;
-  try {
-    cachedVersions = await getCodeQlVersionsForOverlayBaseDatabases(
-      rawLanguages,
-      logger
-    );
-  } catch (e) {
-    logger.warning(
-      `Could not list overlay-base databases in the Actions cache while choosing a default CodeQL CLI version, falling back to the highest enabled version. Details: ${getErrorMessage(e)}`
-    );
-    return [];
-  }
-  if (cachedVersions === void 0 || cachedVersions.length === 0) {
-    return [];
-  }
-  const cachedVersionsSet = new Set(cachedVersions);
-  const overlayVersions = defaultCliVersion.enabledVersions.filter(
-    (v) => cachedVersionsSet.has(v.cliVersion)
-  );
-  if (overlayVersions.length === 0) {
-    return [];
-  }
-  const isCachedVersionDifferent = overlayVersions[0].cliVersion !== defaultCliVersion.enabledVersions[0].cliVersion;
-  if (isCachedVersionDifferent) {
-    addNoLanguageDiagnostic(
-      void 0,
-      makeTelemetryDiagnostic(
-        "codeql-action/overlay-aware-default-codeql-version",
-        "Overlay-aware default CodeQL version selection",
-        {
-          cachedVersions,
-          enabledVersions: defaultCliVersion.enabledVersions.map(
-            (v) => v.cliVersion
-          ),
-          isDryRun,
-          overlayAwareVersion: overlayVersions[0].cliVersion
-        }
-      )
-    );
-  }
-  if (isDryRun) {
-    logger.debug(
-      `Overlay-aware default CodeQL version selection is running in dry-run mode. Would have used version ${overlayVersions[0].cliVersion}.`
-    );
-    return [];
-  }
-  return overlayVersions;
-}
-async function resolveDefaultCliVersion(defaultCliVersion, rawLanguages, useOverlayAwareDefaultCliVersion, features, logger) {
-  if (!useOverlayAwareDefaultCliVersion || !isAnalyzingPullRequest()) {
-    return defaultCliVersion.enabledVersions[0];
-  }
-  const overlayVersions = await getEnabledVersionsWithOverlayBaseDatabases(
-    defaultCliVersion,
-    rawLanguages,
-    features,
-    logger
-  );
-  if (overlayVersions.length > 0) {
-    logger.info(
-      `Using CodeQL version ${overlayVersions[0].cliVersion} since this is the highest enabled version that has a cached overlay-base database.`
-    );
-    return overlayVersions[0];
-  }
-  return defaultCliVersion.enabledVersions[0];
-}
-async function getCodeQLSource(toolsInput, defaultCliVersion, rawLanguages, useOverlayAwareDefaultCliVersion, apiDetails, variant, tarSupportsZstd, features, logger) {
+async function getCodeQLSource(toolsInput, defaultCliVersion, apiDetails, variant, tarSupportsZstd, features, logger) {
   if (toolsInput && !isReservedToolsValue(toolsInput) && !toolsInput.startsWith("http")) {
     logger.info(`Using CodeQL CLI from local path ${toolsInput}`);
     const compressionMethod2 = inferCompressionMethod(toolsInput);
@@ -90850,35 +90631,21 @@ async function getCodeQLSource(toolsInput, defaultCliVersion, rawLanguages, useO
           );
         }
       }
-      const version = await resolveDefaultCliVersion(
-        defaultCliVersion,
-        rawLanguages,
-        useOverlayAwareDefaultCliVersion,
-        features,
-        logger
-      );
-      cliVersion2 = version.cliVersion;
-      tagName = version.tagName;
+      cliVersion2 = defaultCliVersion.cliVersion;
+      tagName = defaultCliVersion.tagName;
     }
   } else if (toolsInput !== void 0) {
     tagName = tryGetTagNameFromUrl(toolsInput, logger);
     url2 = toolsInput;
     if (tagName) {
       const bundleVersion3 = tryGetBundleVersionFromTagName(tagName, logger);
-      if (bundleVersion3 && semver9.valid(bundleVersion3)) {
+      if (bundleVersion3 && semver8.valid(bundleVersion3)) {
         cliVersion2 = convertToSemVer(bundleVersion3, logger);
       }
     }
   } else {
-    const version = await resolveDefaultCliVersion(
-      defaultCliVersion,
-      rawLanguages,
-      useOverlayAwareDefaultCliVersion,
-      features,
-      logger
-    );
-    cliVersion2 = version.cliVersion;
-    tagName = version.tagName;
+    cliVersion2 = defaultCliVersion.cliVersion;
+    tagName = defaultCliVersion.tagName;
   }
   const bundleVersion2 = tagName && tryGetBundleVersionFromTagName(tagName, logger);
   const humanReadableVersion = cliVersion2 ?? (bundleVersion2 && convertToSemVer(bundleVersion2, logger)) ?? tagName ?? url2 ?? "unknown";
@@ -91075,7 +90842,7 @@ function getCanonicalToolcacheVersion(cliVersion2, bundleVersion2, logger) {
   }
   return cliVersion2;
 }
-async function setupCodeQLBundle(toolsInput, apiDetails, tempDir, variant, defaultCliVersion, rawLanguages, useOverlayAwareDefaultCliVersion, features, logger) {
+async function setupCodeQLBundle(toolsInput, apiDetails, tempDir, variant, defaultCliVersion, features, logger) {
   if (!await isBinaryAccessible("tar", logger)) {
     throw new ConfigurationError(
       "Could not find tar in PATH, so unable to extract CodeQL bundle."
@@ -91085,8 +90852,6 @@ async function setupCodeQLBundle(toolsInput, apiDetails, tempDir, variant, defau
   const source = await getCodeQLSource(
     toolsInput,
     defaultCliVersion,
-    rawLanguages,
-    useOverlayAwareDefaultCliVersion,
     apiDetails,
     variant,
     zstdAvailability.available,
@@ -91145,7 +90910,7 @@ async function setupCodeQLBundle(toolsInput, apiDetails, tempDir, variant, defau
 async function useZstdBundle(cliVersion2, tarSupportsZstd) {
   return (
     // In testing, gzip performs better than zstd on Windows.
-    process.platform !== "win32" && tarSupportsZstd && semver9.gte(cliVersion2, CODEQL_VERSION_ZSTD_BUNDLE)
+    process.platform !== "win32" && tarSupportsZstd && semver8.gte(cliVersion2, CODEQL_VERSION_ZSTD_BUNDLE)
   );
 }
 function getTempExtractionDir(tempDir) {
@@ -91177,7 +90942,7 @@ async function getNightlyToolsUrl(logger) {
   }
 }
 function getLatestToolcacheVersion(logger) {
-  const allVersions = toolcache3.findAllVersions("CodeQL").sort((a, b) => semver9.compare(b, a));
+  const allVersions = toolcache3.findAllVersions("CodeQL").sort((a, b) => semver8.compare(b, a));
   logger.debug(
     `Found the following versions of the CodeQL tools in the toolcache: ${JSON.stringify(
       allVersions
@@ -91214,7 +90979,7 @@ var CODEQL_NEXT_MINIMUM_VERSION = "2.19.4";
 var GHES_VERSION_MOST_RECENTLY_DEPRECATED = "3.15";
 var GHES_MOST_RECENT_DEPRECATION_DATE = "2026-04-09";
 var EXTRACTION_DEBUG_MODE_VERBOSITY = "progress++";
-async function setupCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliVersion, rawLanguages, useOverlayAwareDefaultCliVersion, features, logger, checkVersion) {
+async function setupCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliVersion, features, logger, checkVersion) {
   try {
     const {
       codeqlFolder,
@@ -91228,8 +90993,6 @@ async function setupCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliV
       tempDir,
       variant,
       defaultCliVersion,
-      rawLanguages,
-      useOverlayAwareDefaultCliVersion,
       features,
       logger
     );
@@ -92951,7 +92714,7 @@ var core12 = __toESM(require_core());
 var toolrunner4 = __toESM(require_toolrunner());
 var github2 = __toESM(require_github());
 var io5 = __toESM(require_io());
-async function initCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliVersion, rawLanguages, useOverlayAwareDefaultCliVersion, features, logger) {
+async function initCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliVersion, features, logger) {
   logger.startGroup("Setup CodeQL tools");
   const {
     codeql,
@@ -92965,8 +92728,6 @@ async function initCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliVe
     tempDir,
     variant,
     defaultCliVersion,
-    rawLanguages,
-    useOverlayAwareDefaultCliVersion,
     features,
     logger,
     true
@@ -93115,7 +92876,9 @@ async function combineSarifFilesUsingCLI(sarifFiles, gitHubVersion, features, lo
       url: getRequiredEnvParam("GITHUB_SERVER_URL"),
       apiURL: getRequiredEnvParam("GITHUB_API_URL")
     };
-    const codeQLDefaultVersionInfo = await features.getEnabledDefaultCliVersions(gitHubVersion.type);
+    const codeQLDefaultVersionInfo = await features.getDefaultCliVersion(
+      gitHubVersion.type
+    );
     const initCodeQLResult = await initCodeQL(
       void 0,
       // There is no tools input on the upload action
@@ -93123,10 +92886,6 @@ async function combineSarifFilesUsingCLI(sarifFiles, gitHubVersion, features, lo
       tempDir,
       gitHubVersion.type,
       codeQLDefaultVersionInfo,
-      void 0,
-      // rawLanguages: upload-lib does not run analysis
-      false,
-      // useOverlayAwareDefaultCliVersion: upload-lib does not run analysis
       features,
       logger
     );
@@ -93142,7 +92901,7 @@ async function combineSarifFilesUsingCLI(sarifFiles, gitHubVersion, features, lo
   return readSarifFile(outputFile);
 }
 function populateRunAutomationDetails(sarifFile, category, analysis_key, environment) {
-  const automationID = getAutomationID2(category, analysis_key, environment);
+  const automationID = getAutomationID(category, analysis_key, environment);
   if (automationID !== void 0) {
     for (const run of sarifFile.runs || []) {
       if (run.automationDetails === void 0) {
@@ -93155,7 +92914,7 @@ function populateRunAutomationDetails(sarifFile, category, analysis_key, environ
   }
   return sarifFile;
 }
-function getAutomationID2(category, analysis_key, environment) {
+function getAutomationID(category, analysis_key, environment) {
   if (category !== void 0) {
     let automationID = category;
     if (!automationID.endsWith("/")) {

lib/upload-sarif-action-post.js

@@ -26352,11 +26352,11 @@ var require_valid = __commonJS({
   "node_modules/semver/functions/valid.js"(exports2, module2) {
     "use strict";
     var parse2 = require_parse2();
-    var valid4 = (version, options) => {
+    var valid3 = (version, options) => {
       const v = parse2(version, options);
       return v ? v.version : null;
     };
-    module2.exports = valid4;
+    module2.exports = valid3;
   }
 });
 
@@ -26499,8 +26499,8 @@ var require_rcompare = __commonJS({
   "node_modules/semver/functions/rcompare.js"(exports2, module2) {
     "use strict";
     var compare2 = require_compare();
-    var rcompare3 = (a, b, loose) => compare2(b, a, loose);
-    module2.exports = rcompare3;
+    var rcompare = (a, b, loose) => compare2(b, a, loose);
+    module2.exports = rcompare;
   }
 });
 
@@ -27716,7 +27716,7 @@ var require_semver2 = __commonJS({
     var SemVer = require_semver();
     var identifiers = require_identifiers();
     var parse2 = require_parse2();
-    var valid4 = require_valid();
+    var valid3 = require_valid();
     var clean3 = require_clean();
     var inc = require_inc();
     var diff = require_diff();
@@ -27725,7 +27725,7 @@ var require_semver2 = __commonJS({
     var patch = require_patch();
     var prerelease = require_prerelease();
     var compare2 = require_compare();
-    var rcompare3 = require_rcompare();
+    var rcompare = require_rcompare();
     var compareLoose = require_compare_loose();
     var compareBuild = require_compare_build();
     var sort = require_sort();
@@ -27754,7 +27754,7 @@ var require_semver2 = __commonJS({
     var subset = require_subset();
     module2.exports = {
       parse: parse2,
-      valid: valid4,
+      valid: valid3,
       clean: clean3,
       inc,
       diff,
@@ -27763,7 +27763,7 @@ var require_semver2 = __commonJS({
       patch,
       prerelease,
       compare: compare2,
-      rcompare: rcompare3,
+      rcompare,
       compareLoose,
       compareBuild,
       sort,
@@ -80613,7 +80613,7 @@ var require_stream_writable = __commonJS({
       pna.nextTick(cb, er);
     }
     function validChunk(stream, state, chunk, cb) {
-      var valid4 = true;
+      var valid3 = true;
       var er = false;
       if (chunk === null) {
         er = new TypeError("May not write null values to stream");
@@ -80623,9 +80623,9 @@ var require_stream_writable = __commonJS({
       if (er) {
         stream.emit("error", er);
         pna.nextTick(cb, er);
-        valid4 = false;
+        valid3 = false;
       }
-      return valid4;
+      return valid3;
     }
     Writable.prototype.write = function(chunk, encoding, cb) {
       var state = this._writableState;
@@ -115281,16 +115281,16 @@ var require_attribute = __commonJS({
       var result = new ValidatorResult(instance, schema2, options, ctx);
       var self2 = this;
       schema2.allOf.forEach(function(v, i) {
-        var valid4 = self2.validateSchema(instance, v, options, ctx);
-        if (!valid4.valid) {
+        var valid3 = self2.validateSchema(instance, v, options, ctx);
+        if (!valid3.valid) {
           var id = v.$id || v.id;
           var msg = id || v.title && JSON.stringify(v.title) || v["$ref"] && "<" + v["$ref"] + ">" || "[subschema " + i + "]";
           result.addError({
             name: "allOf",
-            argument: { id: msg, length: valid4.errors.length, valid: valid4 },
-            message: "does not match allOf schema " + msg + " with " + valid4.errors.length + " error[s]:"
+            argument: { id: msg, length: valid3.errors.length, valid: valid3 },
+            message: "does not match allOf schema " + msg + " with " + valid3.errors.length + " error[s]:"
           });
-          result.importErrors(valid4);
+          result.importErrors(valid3);
         }
       });
       return result;
@@ -115579,8 +115579,8 @@ var require_attribute = __commonJS({
       if (typeof schema2.exclusiveMinimum === "boolean") return;
       if (!this.types.number(instance)) return;
       var result = new ValidatorResult(instance, schema2, options, ctx);
-      var valid4 = instance > schema2.exclusiveMinimum;
-      if (!valid4) {
+      var valid3 = instance > schema2.exclusiveMinimum;
+      if (!valid3) {
         result.addError({
           name: "exclusiveMinimum",
           argument: schema2.exclusiveMinimum,
@@ -115593,8 +115593,8 @@ var require_attribute = __commonJS({
       if (typeof schema2.exclusiveMaximum === "boolean") return;
       if (!this.types.number(instance)) return;
       var result = new ValidatorResult(instance, schema2, options, ctx);
-      var valid4 = instance < schema2.exclusiveMaximum;
-      if (!valid4) {
+      var valid3 = instance < schema2.exclusiveMaximum;
+      if (!valid3) {
         result.addError({
           name: "exclusiveMaximum",
           argument: schema2.exclusiveMaximum,
@@ -118322,8 +118322,8 @@ var require_semver3 = __commonJS({
         return null;
       }
     }
-    exports2.valid = valid4;
-    function valid4(version, options) {
+    exports2.valid = valid3;
+    function valid3(version, options) {
       var v = parse2(version, options);
       return v ? v.version : null;
     }
@@ -118623,8 +118623,8 @@ var require_semver3 = __commonJS({
       var versionB = new SemVer(b, loose);
       return versionA.compare(versionB) || versionA.compareBuild(versionB);
     }
-    exports2.rcompare = rcompare3;
-    function rcompare3(a, b, loose) {
+    exports2.rcompare = rcompare;
+    function rcompare(a, b, loose) {
       return compare2(b, a, loose);
     }
     exports2.sort = sort;
@@ -119452,7 +119452,7 @@ var require_cacheUtils = __commonJS({
     var crypto2 = __importStar2(require("crypto"));
     var fs3 = __importStar2(require("fs"));
     var path3 = __importStar2(require("path"));
-    var semver10 = __importStar2(require_semver3());
+    var semver9 = __importStar2(require_semver3());
     var util = __importStar2(require("util"));
     var constants_1 = require_constants14();
     var versionSalt = "1.0";
@@ -119545,7 +119545,7 @@ var require_cacheUtils = __commonJS({
     function getCompressionMethod() {
       return __awaiter2(this, void 0, void 0, function* () {
         const versionOutput = yield getVersion("zstd", ["--quiet"]);
-        const version = semver10.clean(versionOutput);
+        const version = semver9.clean(versionOutput);
         core15.debug(`zstd version: ${version}`);
         if (versionOutput === "") {
           return constants_1.CompressionMethod.Gzip;
@@ -120855,7 +120855,7 @@ var require_cacheHttpClient = __commonJS({
     exports2.getCacheEntry = getCacheEntry;
     exports2.downloadCache = downloadCache;
     exports2.reserveCache = reserveCache;
-    exports2.saveCache = saveCache5;
+    exports2.saveCache = saveCache4;
     var core15 = __importStar2(require_core());
     var http_client_1 = require_lib();
     var auth_1 = require_auth();
@@ -121032,7 +121032,7 @@ Other caches with similar key:`);
         }));
       });
     }
-    function saveCache5(cacheId, archivePath, signedUploadURL, options) {
+    function saveCache4(cacheId, archivePath, signedUploadURL, options) {
       return __awaiter2(this, void 0, void 0, function* () {
         const uploadOptions = (0, options_1.getUploadOptions)(options);
         if (uploadOptions.useAzureSdk) {
@@ -122306,8 +122306,8 @@ var require_cache4 = __commonJS({
     Object.defineProperty(exports2, "__esModule", { value: true });
     exports2.FinalizeCacheError = exports2.ReserveCacheError = exports2.ValidationError = void 0;
     exports2.isFeatureAvailable = isFeatureAvailable;
-    exports2.restoreCache = restoreCache5;
-    exports2.saveCache = saveCache5;
+    exports2.restoreCache = restoreCache4;
+    exports2.saveCache = saveCache4;
     var core15 = __importStar2(require_core());
     var path3 = __importStar2(require("path"));
     var utils = __importStar2(require_cacheUtils());
@@ -122364,7 +122364,7 @@ var require_cache4 = __commonJS({
           return !!process.env["ACTIONS_CACHE_URL"];
       }
     }
-    function restoreCache5(paths_1, primaryKey_1, restoreKeys_1, options_1) {
+    function restoreCache4(paths_1, primaryKey_1, restoreKeys_1, options_1) {
       return __awaiter2(this, arguments, void 0, function* (paths, primaryKey, restoreKeys, options, enableCrossOsArchive = false) {
         const cacheServiceVersion = (0, config_1.getCacheServiceVersion)();
         core15.debug(`Cache service version: ${cacheServiceVersion}`);
@@ -122508,7 +122508,7 @@ var require_cache4 = __commonJS({
         return void 0;
       });
     }
-    function saveCache5(paths_1, key_1, options_1) {
+    function saveCache4(paths_1, key_1, options_1) {
       return __awaiter2(this, arguments, void 0, function* (paths, key, options, enableCrossOsArchive = false) {
         const cacheServiceVersion = (0, config_1.getCacheServiceVersion)();
         core15.debug(`Cache service version: ${cacheServiceVersion}`);
@@ -122745,7 +122745,7 @@ var require_manifest = __commonJS({
     exports2._findMatch = _findMatch;
     exports2._getOsVersion = _getOsVersion;
     exports2._readLinuxVersionFile = _readLinuxVersionFile;
-    var semver10 = __importStar2(require_semver2());
+    var semver9 = __importStar2(require_semver2());
     var core_1 = require_core();
     var os2 = require("os");
     var cp = require("child_process");
@@ -122759,7 +122759,7 @@ var require_manifest = __commonJS({
         for (const candidate of candidates) {
           const version = candidate.version;
           (0, core_1.debug)(`check ${version} satisfies ${versionSpec}`);
-          if (semver10.satisfies(version, versionSpec) && (!stable || candidate.stable === stable)) {
+          if (semver9.satisfies(version, versionSpec) && (!stable || candidate.stable === stable)) {
             file = candidate.files.find((item) => {
               (0, core_1.debug)(`${item.arch}===${archFilter} && ${item.platform}===${platFilter}`);
               let chk = item.arch === archFilter && item.platform === platFilter;
@@ -122768,7 +122768,7 @@ var require_manifest = __commonJS({
                 if (osVersion === item.platform_version) {
                   chk = true;
                 } else {
-                  chk = semver10.satisfies(osVersion, item.platform_version);
+                  chk = semver9.satisfies(osVersion, item.platform_version);
                 }
               }
               return chk;
@@ -123028,7 +123028,7 @@ var require_tool_cache = __commonJS({
     var os2 = __importStar2(require("os"));
     var path3 = __importStar2(require("path"));
     var httpm = __importStar2(require_lib());
-    var semver10 = __importStar2(require_semver2());
+    var semver9 = __importStar2(require_semver2());
     var stream = __importStar2(require("stream"));
     var util = __importStar2(require("util"));
     var assert_1 = require("assert");
@@ -123301,7 +123301,7 @@ var require_tool_cache = __commonJS({
     }
     function cacheDir(sourceDir, tool, version, arch) {
       return __awaiter2(this, void 0, void 0, function* () {
-        version = semver10.clean(version) || version;
+        version = semver9.clean(version) || version;
         arch = arch || os2.arch();
         core15.debug(`Caching tool ${tool} ${version} ${arch}`);
         core15.debug(`source dir: ${sourceDir}`);
@@ -123319,7 +123319,7 @@ var require_tool_cache = __commonJS({
     }
     function cacheFile(sourceFile, targetFile, tool, version, arch) {
       return __awaiter2(this, void 0, void 0, function* () {
-        version = semver10.clean(version) || version;
+        version = semver9.clean(version) || version;
         arch = arch || os2.arch();
         core15.debug(`Caching tool ${tool} ${version} ${arch}`);
         core15.debug(`source file: ${sourceFile}`);
@@ -123349,7 +123349,7 @@ var require_tool_cache = __commonJS({
       }
       let toolPath = "";
       if (versionSpec) {
-        versionSpec = semver10.clean(versionSpec) || "";
+        versionSpec = semver9.clean(versionSpec) || "";
         const cachePath = path3.join(_getCacheDirectory(), toolName, versionSpec, arch);
         core15.debug(`checking cache: ${cachePath}`);
         if (fs3.existsSync(cachePath) && fs3.existsSync(`${cachePath}.complete`)) {
@@ -123429,7 +123429,7 @@ var require_tool_cache = __commonJS({
     }
     function _createToolPath(tool, version, arch) {
       return __awaiter2(this, void 0, void 0, function* () {
-        const folderPath = path3.join(_getCacheDirectory(), tool, semver10.clean(version) || version, arch || "");
+        const folderPath = path3.join(_getCacheDirectory(), tool, semver9.clean(version) || version, arch || "");
         core15.debug(`destination ${folderPath}`);
         const markerPath = `${folderPath}.complete`;
         yield io6.rmRF(folderPath);
@@ -123439,30 +123439,30 @@ var require_tool_cache = __commonJS({
       });
     }
     function _completeToolPath(tool, version, arch) {
-      const folderPath = path3.join(_getCacheDirectory(), tool, semver10.clean(version) || version, arch || "");
+      const folderPath = path3.join(_getCacheDirectory(), tool, semver9.clean(version) || version, arch || "");
       const markerPath = `${folderPath}.complete`;
       fs3.writeFileSync(markerPath, "");
       core15.debug("finished caching tool");
     }
     function isExplicitVersion(versionSpec) {
-      const c = semver10.clean(versionSpec) || "";
+      const c = semver9.clean(versionSpec) || "";
       core15.debug(`isExplicit: ${c}`);
-      const valid4 = semver10.valid(c) != null;
-      core15.debug(`explicit? ${valid4}`);
-      return valid4;
+      const valid3 = semver9.valid(c) != null;
+      core15.debug(`explicit? ${valid3}`);
+      return valid3;
     }
     function evaluateVersions(versions, versionSpec) {
       let version = "";
       core15.debug(`evaluating ${versions.length} versions`);
       versions = versions.sort((a, b) => {
-        if (semver10.gt(a, b)) {
+        if (semver9.gt(a, b)) {
           return 1;
         }
         return -1;
       });
       for (let i = versions.length - 1; i >= 0; i--) {
         const potential = versions[i];
-        const satisfied = semver10.satisfies(potential, versionSpec);
+        const satisfied = semver9.satisfies(potential, versionSpec);
         if (satisfied) {
           version = potential;
           break;
@@ -126824,7 +126824,7 @@ function getTemporaryDirectory() {
   return value !== void 0 && value !== "" ? value : getRequiredEnvParam("RUNNER_TEMP");
 }
 function getActionVersion() {
-  return "4.35.5";
+  return "4.35.4";
 }
 var persistedInputsKey = "persisted_inputs";
 var restoreInputs = function() {
@@ -127373,16 +127373,6 @@ var featureConfig = {
     envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_DISABLE_TRAP_CACHING",
     minimumVersion: void 0
   },
-  ["overlay_analysis_match_codeql_version" /* OverlayAnalysisMatchCodeqlVersion */]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_MATCH_CODEQL_VERSION",
-    minimumVersion: void 0
-  },
-  ["overlay_analysis_match_codeql_version_dry_run" /* OverlayAnalysisMatchCodeqlVersionDryRun */]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_MATCH_CODEQL_VERSION_DRY_RUN",
-    minimumVersion: void 0
-  },
   ["overlay_analysis_resource_checks_v2" /* OverlayAnalysisResourceChecksV2 */]: {
     defaultValue: false,
     envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_RESOURCE_CHECKS_V2",
@@ -127502,30 +127492,24 @@ var OVERLAY_ANALYSIS_CODE_SCANNING_FEATURES = {
 // src/setup-codeql.ts
 var toolcache3 = __toESM(require_tool_cache());
 var import_fast_deep_equal = __toESM(require_fast_deep_equal());
-var semver9 = __toESM(require_semver2());
-
-// src/overlay/caching.ts
-var actionsCache3 = __toESM(require_cache4());
-var semver6 = __toESM(require_semver2());
-var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB = 7500;
-var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_BYTES = OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB * 1e6;
+var semver8 = __toESM(require_semver2());
 
 // src/tar.ts
 var import_toolrunner = __toESM(require_toolrunner());
 var io4 = __toESM(require_io());
 var toolcache = __toESM(require_tool_cache());
-var semver7 = __toESM(require_semver2());
+var semver6 = __toESM(require_semver2());
 
 // src/tools-download.ts
 var core10 = __toESM(require_core());
 var import_http_client = __toESM(require_lib());
 var toolcache2 = __toESM(require_tool_cache());
 var import_follow_redirects = __toESM(require_follow_redirects());
-var semver8 = __toESM(require_semver2());
+var semver7 = __toESM(require_semver2());
 var STREAMING_HIGH_WATERMARK_BYTES = 4 * 1024 * 1024;
 
 // src/dependency-caching.ts
-var actionsCache4 = __toESM(require_cache4());
+var actionsCache3 = __toESM(require_cache4());
 var glob = __toESM(require_glob2());
 
 // src/artifact-scanner.ts
@@ -127593,9 +127577,6 @@ async function scanArchiveFile(archivePath, relativeArchivePath, extractDir, log
       `Maximum archive extraction depth (${MAX_DEPTH}) reached for ${archivePath}`
     );
   }
-  if (process.platform === "win32") {
-    throw new Error("Scanning archives is not supported on Windows.");
-  }
   const result = {
     scannedFiles: 0,
     findings: []

package-lock.json

@@ -1,12 +1,12 @@
 {
   "name": "codeql",
-  "version": "4.35.5",
+  "version": "4.35.4",
   "lockfileVersion": 3,
   "requires": true,
   "packages": {
     "": {
       "name": "codeql",
-      "version": "4.35.5",
+      "version": "4.35.4",
       "license": "MIT",
       "workspaces": [
         "pr-checks"
@@ -43,14 +43,14 @@
         "@types/archiver": "^7.0.0",
         "@types/follow-redirects": "^1.14.4",
         "@types/js-yaml": "^4.0.9",
-        "@types/node": "^20.19.39",
+        "@types/node": "^20.19.9",
         "@types/node-forge": "^1.3.14",
         "@types/sarif": "^2.1.7",
         "@types/semver": "^7.7.1",
         "@types/sinon": "^21.0.1",
         "ava": "^7.0.0",
         "esbuild": "^0.28.0",
-        "eslint": "^9.39.4",
+        "eslint": "^9.39.2",
         "eslint-import-resolver-typescript": "^4.4.4",
         "eslint-plugin-github": "^6.0.0",
         "eslint-plugin-import-x": "^4.16.2",
@@ -60,8 +60,8 @@
         "globals": "^17.5.0",
         "nock": "^14.0.12",
         "sinon": "^21.1.2",
-        "typescript": "^6.0.3",
-        "typescript-eslint": "^8.59.1"
+        "typescript": "^6.0.2",
+        "typescript-eslint": "^8.58.2"
       }
     },
     "node_modules/@aashutoshrathi/word-wrap": {
@@ -1337,15 +1337,15 @@
       }
     },
     "node_modules/@eslint/config-array": {
-      "version": "0.21.2",
-      "resolved": "https://registry.npmjs.org/@eslint/config-array/-/config-array-0.21.2.tgz",
-      "integrity": "sha512-nJl2KGTlrf9GjLimgIru+V/mzgSK0ABCDQRvxw5BjURL7WfH5uoWmizbH7QB6MmnMBd8cIC9uceWnezL1VZWWw==",
+      "version": "0.21.1",
+      "resolved": "https://registry.npmjs.org/@eslint/config-array/-/config-array-0.21.1.tgz",
+      "integrity": "sha512-aw1gNayWpdI/jSYVgzN5pL0cfzU02GT3NBpeT/DXbx1/1x7ZKxFPd9bwrzygx/qiwIQiJ1sw/zD8qY/kRvlGHA==",
       "dev": true,
       "license": "Apache-2.0",
       "dependencies": {
         "@eslint/object-schema": "^2.1.7",
         "debug": "^4.3.1",
-        "minimatch": "^3.1.5"
+        "minimatch": "^3.1.2"
       },
       "engines": {
         "node": "^18.18.0 || ^20.9.0 || >=21.1.0"
@@ -1391,20 +1391,20 @@
       }
     },
     "node_modules/@eslint/eslintrc": {
-      "version": "3.3.5",
-      "resolved": "https://registry.npmjs.org/@eslint/eslintrc/-/eslintrc-3.3.5.tgz",
-      "integrity": "sha512-4IlJx0X0qftVsN5E+/vGujTRIFtwuLbNsVUe7TO6zYPDR1O6nFwvwhIKEKSrl6dZchmYBITazxKoUYOjdtjlRg==",
+      "version": "3.3.3",
+      "resolved": "https://registry.npmjs.org/@eslint/eslintrc/-/eslintrc-3.3.3.tgz",
+      "integrity": "sha512-Kr+LPIUVKz2qkx1HAMH8q1q6azbqBAsXJUxBl/ODDuVPX45Z9DfwB8tPjTi6nNZ8BuM3nbJxC5zCAg5elnBUTQ==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
-        "ajv": "^6.14.0",
+        "ajv": "^6.12.4",
         "debug": "^4.3.2",
         "espree": "^10.0.1",
         "globals": "^14.0.0",
         "ignore": "^5.2.0",
         "import-fresh": "^3.2.1",
         "js-yaml": "^4.1.1",
-        "minimatch": "^3.1.5",
+        "minimatch": "^3.1.2",
         "strip-json-comments": "^3.1.1"
       },
       "engines": {
@@ -1427,9 +1427,9 @@
       }
     },
     "node_modules/@eslint/js": {
-      "version": "9.39.4",
-      "resolved": "https://registry.npmjs.org/@eslint/js/-/js-9.39.4.tgz",
-      "integrity": "sha512-nE7DEIchvtiFTwBw4Lfbu59PG+kCofhjsKaCWzxTpt4lfRjRMqG6uMBzKXuEcyXhOHoUp9riAm7/aWYGhXZ9cw==",
+      "version": "9.39.2",
+      "resolved": "https://registry.npmjs.org/@eslint/js/-/js-9.39.2.tgz",
+      "integrity": "sha512-q1mjIoW1VX4IvSocvM/vbTiveKC4k9eLrajNEuSsmjymSDEbpGddtpfOoN7YGAqBK3NG+uqo8ia4PDTt8buCYA==",
       "dev": true,
       "license": "MIT",
       "engines": {
@@ -2469,9 +2469,9 @@
       "license": "MIT"
     },
     "node_modules/@types/node": {
-      "version": "20.19.39",
-      "resolved": "https://registry.npmjs.org/@types/node/-/node-20.19.39.tgz",
-      "integrity": "sha512-orrrD74MBUyK8jOAD/r0+lfa1I2MO6I+vAkmAWzMYbCcgrN4lCrmK52gRFQq/JRxfYPfonkr4b0jcY7Olqdqbw==",
+      "version": "20.19.9",
+      "resolved": "https://registry.npmjs.org/@types/node/-/node-20.19.9.tgz",
+      "integrity": "sha512-cuVNgarYWZqxRJDQHEB58GEONhOK79QVR/qYx4S7kcUObQvUwvFnYxJuuHUKm2aieN9X3yZB4LZsuYNU1Qphsw==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
@@ -2528,17 +2528,17 @@
       "license": "MIT"
     },
     "node_modules/@typescript-eslint/eslint-plugin": {
-      "version": "8.59.1",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/eslint-plugin/-/eslint-plugin-8.59.1.tgz",
-      "integrity": "sha512-BOziFIfE+6osHO9FoJG4zjoHUcvI7fTNBSpdAwrNH0/TLvzjsk2oo8XSSOT2HhqUyhZPfHv4UOffoJ9oEEQ7Ag==",
+      "version": "8.58.2",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/eslint-plugin/-/eslint-plugin-8.58.2.tgz",
+      "integrity": "sha512-aC2qc5thQahutKjP+cl8cgN9DWe3ZUqVko30CMSZHnFEHyhOYoZSzkGtAI2mcwZ38xeImDucI4dnqsHiOYuuCw==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
         "@eslint-community/regexpp": "^4.12.2",
-        "@typescript-eslint/scope-manager": "8.59.1",
-        "@typescript-eslint/type-utils": "8.59.1",
-        "@typescript-eslint/utils": "8.59.1",
-        "@typescript-eslint/visitor-keys": "8.59.1",
+        "@typescript-eslint/scope-manager": "8.58.2",
+        "@typescript-eslint/type-utils": "8.58.2",
+        "@typescript-eslint/utils": "8.58.2",
+        "@typescript-eslint/visitor-keys": "8.58.2",
         "ignore": "^7.0.5",
         "natural-compare": "^1.4.0",
         "ts-api-utils": "^2.5.0"
@@ -2551,7 +2551,7 @@
         "url": "https://opencollective.com/typescript-eslint"
       },
       "peerDependencies": {
-        "@typescript-eslint/parser": "^8.59.1",
+        "@typescript-eslint/parser": "^8.58.2",
         "eslint": "^8.57.0 || ^9.0.0 || ^10.0.0",
         "typescript": ">=4.8.4 <6.1.0"
       }
@@ -2567,16 +2567,16 @@
       }
     },
     "node_modules/@typescript-eslint/parser": {
-      "version": "8.59.1",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/parser/-/parser-8.59.1.tgz",
-      "integrity": "sha512-HDQH9O/47Dxi1ceDhBXdaldtf/WV9yRYMjbjCuNk3qnaTD564qwv61Y7+gTxwxRKzSrgO5uhtw584igXVuuZkA==",
+      "version": "8.58.2",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/parser/-/parser-8.58.2.tgz",
+      "integrity": "sha512-/Zb/xaIDfxeJnvishjGdcR4jmr7S+bda8PKNhRGdljDM+elXhlvN0FyPSsMnLmJUrVG9aPO6dof80wjMawsASg==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
-        "@typescript-eslint/scope-manager": "8.59.1",
-        "@typescript-eslint/types": "8.59.1",
-        "@typescript-eslint/typescript-estree": "8.59.1",
-        "@typescript-eslint/visitor-keys": "8.59.1",
+        "@typescript-eslint/scope-manager": "8.58.2",
+        "@typescript-eslint/types": "8.58.2",
+        "@typescript-eslint/typescript-estree": "8.58.2",
+        "@typescript-eslint/visitor-keys": "8.58.2",
         "debug": "^4.4.3"
       },
       "engines": {
@@ -2610,14 +2610,14 @@
       }
     },
     "node_modules/@typescript-eslint/project-service": {
-      "version": "8.59.1",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/project-service/-/project-service-8.59.1.tgz",
-      "integrity": "sha512-+MuHQlHiEr00Of/IQbE/MmEoi44znZHbR/Pz7Opq4HryUOlRi+/44dro9Ycy8Fyo+/024IWtw8m4JUMCGTYxDg==",
+      "version": "8.58.2",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/project-service/-/project-service-8.58.2.tgz",
+      "integrity": "sha512-Cq6UfpZZk15+r87BkIh5rDpi38W4b+Sjnb8wQCPPDDweS/LRCFjCyViEbzHk5Ck3f2QDfgmlxqSa7S7clDtlfg==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
-        "@typescript-eslint/tsconfig-utils": "^8.59.1",
-        "@typescript-eslint/types": "^8.59.1",
+        "@typescript-eslint/tsconfig-utils": "^8.58.2",
+        "@typescript-eslint/types": "^8.58.2",
         "debug": "^4.4.3"
       },
       "engines": {
@@ -2650,14 +2650,14 @@
       }
     },
     "node_modules/@typescript-eslint/scope-manager": {
-      "version": "8.59.1",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/scope-manager/-/scope-manager-8.59.1.tgz",
-      "integrity": "sha512-LwuHQI4pDOYVKvmH2dkaJo6YZCSgouVgnS/z7yBPKBMvgtBvyLqiLy9Z6b7+m/TRcX1NFYUqZetI5Y+aT4GEfg==",
+      "version": "8.58.2",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/scope-manager/-/scope-manager-8.58.2.tgz",
+      "integrity": "sha512-SgmyvDPexWETQek+qzZnrG6844IaO02UVyOLhI4wpo82dpZJY9+6YZCKAMFzXb7qhx37mFK1QcPQ18tud+vo6Q==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
-        "@typescript-eslint/types": "8.59.1",
-        "@typescript-eslint/visitor-keys": "8.59.1"
+        "@typescript-eslint/types": "8.58.2",
+        "@typescript-eslint/visitor-keys": "8.58.2"
       },
       "engines": {
         "node": "^18.18.0 || ^20.9.0 || >=21.1.0"
@@ -2668,9 +2668,9 @@
       }
     },
     "node_modules/@typescript-eslint/tsconfig-utils": {
-      "version": "8.59.1",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/tsconfig-utils/-/tsconfig-utils-8.59.1.tgz",
-      "integrity": "sha512-/0nEyPbX7gRsk0Uwfe4ALwwgxuA66d/l2mhRDNlAvaj4U3juhUtJNq0DsY8M2AYwwb9rEq2hrC3IcIcEt++iJA==",
+      "version": "8.58.2",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/tsconfig-utils/-/tsconfig-utils-8.58.2.tgz",
+      "integrity": "sha512-3SR+RukipDvkkKp/d0jP0dyzuls3DbGmwDpVEc5wqk5f38KFThakqAAO0XMirWAE+kT00oTauTbzMFGPoAzB0A==",
       "dev": true,
       "license": "MIT",
       "engines": {
@@ -2685,15 +2685,15 @@
       }
     },
     "node_modules/@typescript-eslint/type-utils": {
-      "version": "8.59.1",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/type-utils/-/type-utils-8.59.1.tgz",
-      "integrity": "sha512-klWPBR2ciQHS3f++ug/mVnWKPjBUo7icEL3FAO1lhAR1Z1i5NQYZ1EannMSRYcq5qCv5wNALlXr6fksRHyYl7w==",
+      "version": "8.58.2",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/type-utils/-/type-utils-8.58.2.tgz",
+      "integrity": "sha512-Z7EloNR/B389FvabdGeTo2XMs4W9TjtPiO9DAsmT0yom0bwlPyRjkJ1uCdW1DvrrrYP50AJZ9Xc3sByZA9+dcg==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
-        "@typescript-eslint/types": "8.59.1",
-        "@typescript-eslint/typescript-estree": "8.59.1",
-        "@typescript-eslint/utils": "8.59.1",
+        "@typescript-eslint/types": "8.58.2",
+        "@typescript-eslint/typescript-estree": "8.58.2",
+        "@typescript-eslint/utils": "8.58.2",
         "debug": "^4.4.3",
         "ts-api-utils": "^2.5.0"
       },
@@ -2728,9 +2728,9 @@
       }
     },
     "node_modules/@typescript-eslint/types": {
-      "version": "8.59.1",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/types/-/types-8.59.1.tgz",
-      "integrity": "sha512-ZDCjgccSdYPw5Bxh+my4Z0lJU96ZDN7jbBzvmEn0FZx3RtU1C7VWl6NbDx94bwY3V5YsgwRzJPOgeY2Q/nLG8A==",
+      "version": "8.58.2",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/types/-/types-8.58.2.tgz",
+      "integrity": "sha512-9TukXyATBQf/Jq9AMQXfvurk+G5R2MwfqQGDR2GzGz28HvY/lXNKGhkY+6IOubwcquikWk5cjlgPvD2uAA7htQ==",
       "dev": true,
       "license": "MIT",
       "engines": {
@@ -2742,16 +2742,16 @@
       }
     },
     "node_modules/@typescript-eslint/typescript-estree": {
-      "version": "8.59.1",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/typescript-estree/-/typescript-estree-8.59.1.tgz",
-      "integrity": "sha512-OUd+vJS05sSkOip+BkZ/2NS8RMxrAAJemsC6vU3kmfLyeaJT0TftHkV9mcx2107MmsBVXXexhVu4F0TZXyMl4g==",
+      "version": "8.58.2",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/typescript-estree/-/typescript-estree-8.58.2.tgz",
+      "integrity": "sha512-ELGuoofuhhoCvNbQjFFiobFcGgcDCEm0ThWdmO4Z0UzLqPXS3KFvnEZ+SHewwOYHjM09tkzOWXNTv9u6Gqtyuw==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
-        "@typescript-eslint/project-service": "8.59.1",
-        "@typescript-eslint/tsconfig-utils": "8.59.1",
-        "@typescript-eslint/types": "8.59.1",
-        "@typescript-eslint/visitor-keys": "8.59.1",
+        "@typescript-eslint/project-service": "8.58.2",
+        "@typescript-eslint/tsconfig-utils": "8.58.2",
+        "@typescript-eslint/types": "8.58.2",
+        "@typescript-eslint/visitor-keys": "8.58.2",
         "debug": "^4.4.3",
         "minimatch": "^10.2.2",
         "semver": "^7.7.3",
@@ -2827,16 +2827,16 @@
       }
     },
     "node_modules/@typescript-eslint/utils": {
-      "version": "8.59.1",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/utils/-/utils-8.59.1.tgz",
-      "integrity": "sha512-3pIeoXhCeYH9FSCBI8P3iNwJlGuzPlYKkTlen2O9T1DSeeg8UG8jstq6BLk+Mda0qup7mgk4z4XL4OzRaxZ8LA==",
+      "version": "8.58.2",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/utils/-/utils-8.58.2.tgz",
+      "integrity": "sha512-QZfjHNEzPY8+l0+fIXMvuQ2sJlplB4zgDZvA+NmvZsZv3EQwOcc1DuIU1VJUTWZ/RKouBMhDyNaBMx4sWvrzRA==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
         "@eslint-community/eslint-utils": "^4.9.1",
-        "@typescript-eslint/scope-manager": "8.59.1",
-        "@typescript-eslint/types": "8.59.1",
-        "@typescript-eslint/typescript-estree": "8.59.1"
+        "@typescript-eslint/scope-manager": "8.58.2",
+        "@typescript-eslint/types": "8.58.2",
+        "@typescript-eslint/typescript-estree": "8.58.2"
       },
       "engines": {
         "node": "^18.18.0 || ^20.9.0 || >=21.1.0"
@@ -2851,13 +2851,13 @@
       }
     },
     "node_modules/@typescript-eslint/visitor-keys": {
-      "version": "8.59.1",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/visitor-keys/-/visitor-keys-8.59.1.tgz",
-      "integrity": "sha512-LdDNl6C5iJExcM0Yh0PwAIBb9PrSiCsWamF/JyEZawm3kFDnRoaq3LGE4bpyRao/fWeGKKyw7icx0YxrLFC5Cg==",
+      "version": "8.58.2",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/visitor-keys/-/visitor-keys-8.58.2.tgz",
+      "integrity": "sha512-f1WO2Lx8a9t8DARmcWAUPJbu0G20bJlj8L4z72K00TMeJAoyLr/tHhI/pzYBLrR4dXWkcxO1cWYZEOX8DKHTqA==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
-        "@typescript-eslint/types": "8.59.1",
+        "@typescript-eslint/types": "8.58.2",
         "eslint-visitor-keys": "^5.0.0"
       },
       "engines": {
@@ -3271,9 +3271,7 @@
       }
     },
     "node_modules/ajv": {
-      "version": "6.15.0",
-      "resolved": "https://registry.npmjs.org/ajv/-/ajv-6.15.0.tgz",
-      "integrity": "sha512-fgFx7Hfoq60ytK2c7DhnF8jIvzYgOMxfugjLOSMHjLIPgenqa7S7oaagATUq99mV6IYvN2tRmC0wnTYX6iPbMw==",
+      "version": "6.12.6",
       "dev": true,
       "license": "MIT",
       "dependencies": {
@@ -4727,25 +4725,25 @@
       }
     },
     "node_modules/eslint": {
-      "version": "9.39.4",
-      "resolved": "https://registry.npmjs.org/eslint/-/eslint-9.39.4.tgz",
-      "integrity": "sha512-XoMjdBOwe/esVgEvLmNsD3IRHkm7fbKIUGvrleloJXUZgDHig2IPWNniv+GwjyJXzuNqVjlr5+4yVUZjycJwfQ==",
+      "version": "9.39.2",
+      "resolved": "https://registry.npmjs.org/eslint/-/eslint-9.39.2.tgz",
+      "integrity": "sha512-LEyamqS7W5HB3ujJyvi0HQK/dtVINZvd5mAAp9eT5S/ujByGjiZLCzPcHVzuXbpJDJF/cxwHlfceVUDZ2lnSTw==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
         "@eslint-community/eslint-utils": "^4.8.0",
         "@eslint-community/regexpp": "^4.12.1",
-        "@eslint/config-array": "^0.21.2",
+        "@eslint/config-array": "^0.21.1",
         "@eslint/config-helpers": "^0.4.2",
         "@eslint/core": "^0.17.0",
-        "@eslint/eslintrc": "^3.3.5",
-        "@eslint/js": "9.39.4",
+        "@eslint/eslintrc": "^3.3.1",
+        "@eslint/js": "9.39.2",
         "@eslint/plugin-kit": "^0.4.1",
         "@humanfs/node": "^0.16.6",
         "@humanwhocodes/module-importer": "^1.0.1",
         "@humanwhocodes/retry": "^0.4.2",
         "@types/estree": "^1.0.6",
-        "ajv": "^6.14.0",
+        "ajv": "^6.12.4",
         "chalk": "^4.0.0",
         "cross-spawn": "^7.0.6",
         "debug": "^4.3.2",
@@ -4764,7 +4762,7 @@
         "is-glob": "^4.0.0",
         "json-stable-stringify-without-jsonify": "^1.0.1",
         "lodash.merge": "^4.6.2",
-        "minimatch": "^3.1.5",
+        "minimatch": "^3.1.2",
         "natural-compare": "^1.4.0",
         "optionator": "^0.9.3"
       },
@@ -9773,9 +9771,9 @@
       }
     },
     "node_modules/typescript": {
-      "version": "6.0.3",
-      "resolved": "https://registry.npmjs.org/typescript/-/typescript-6.0.3.tgz",
-      "integrity": "sha512-y2TvuxSZPDyQakkFRPZHKFm+KKVqIisdg9/CZwm9ftvKXLP8NRWj38/ODjNbr43SsoXqNuAisEf1GdCxqWcdBw==",
+      "version": "6.0.2",
+      "resolved": "https://registry.npmjs.org/typescript/-/typescript-6.0.2.tgz",
+      "integrity": "sha512-bGdAIrZ0wiGDo5l8c++HWtbaNCWTS4UTv7RaTH/ThVIgjkveJt83m74bBHMJkuCbslY8ixgLBVZJIOiQlQTjfQ==",
       "dev": true,
       "license": "Apache-2.0",
       "bin": {
@@ -9787,16 +9785,16 @@
       }
     },
     "node_modules/typescript-eslint": {
-      "version": "8.59.1",
-      "resolved": "https://registry.npmjs.org/typescript-eslint/-/typescript-eslint-8.59.1.tgz",
-      "integrity": "sha512-xqDcFVBmlrltH64lklOVp1wYxgJr6LVdg3NamBgH2OOQDLFdTKfIZXF5PfghrnXQKXZGTQs8tr1vL7fJvq8CTQ==",
+      "version": "8.58.2",
+      "resolved": "https://registry.npmjs.org/typescript-eslint/-/typescript-eslint-8.58.2.tgz",
+      "integrity": "sha512-V8iSng9mRbdZjl54VJ9NKr6ZB+dW0J3TzRXRGcSbLIej9jV86ZRtlYeTKDR/QLxXykocJ5icNzbsl2+5TzIvcQ==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
-        "@typescript-eslint/eslint-plugin": "8.59.1",
-        "@typescript-eslint/parser": "8.59.1",
-        "@typescript-eslint/typescript-estree": "8.59.1",
-        "@typescript-eslint/utils": "8.59.1"
+        "@typescript-eslint/eslint-plugin": "8.58.2",
+        "@typescript-eslint/parser": "8.58.2",
+        "@typescript-eslint/typescript-estree": "8.58.2",
+        "@typescript-eslint/utils": "8.58.2"
       },
       "engines": {
         "node": "^18.18.0 || ^20.9.0 || >=21.1.0"
@@ -10390,7 +10388,7 @@
         "yaml": "^2.8.3"
       },
       "devDependencies": {
-        "@types/node": "^20.19.39",
+        "@types/node": "^20.19.9",
         "tsx": "^4.21.0"
       }
     }

package.json

@@ -1,11 +1,11 @@
 {
   "name": "codeql",
-  "version": "4.35.5",
+  "version": "4.35.4",
   "private": true,
   "description": "CodeQL action",
   "scripts": {
     "_build_comment": "echo 'Run the full build so we typecheck the project and can reuse the transpiled files in npm test'",
-    "build": "./scripts/check-node-modules.sh && npm run transpile && node build.mjs",
+    "build": "./scripts/check-node-modules.sh && npm run transpile && node build.mjs && npx tsx ./pr-checks/bundle-metadata.ts",
     "lint": "eslint --report-unused-disable-directives --max-warnings=0 .",
     "lint-ci": "SARIF_ESLINT_IGNORE_SUPPRESSED=true eslint --report-unused-disable-directives --max-warnings=0 . --format @microsoft/eslint-formatter-sarif --output-file=eslint.sarif",
     "lint-fix": "eslint --report-unused-disable-directives --max-warnings=0 . --fix",
@@ -50,14 +50,14 @@
     "@types/archiver": "^7.0.0",
     "@types/follow-redirects": "^1.14.4",
     "@types/js-yaml": "^4.0.9",
-    "@types/node": "^20.19.39",
+    "@types/node": "^20.19.9",
     "@types/node-forge": "^1.3.14",
     "@types/sarif": "^2.1.7",
     "@types/semver": "^7.7.1",
     "@types/sinon": "^21.0.1",
     "ava": "^7.0.0",
     "esbuild": "^0.28.0",
-    "eslint": "^9.39.4",
+    "eslint": "^9.39.2",
     "eslint-import-resolver-typescript": "^4.4.4",
     "eslint-plugin-github": "^6.0.0",
     "eslint-plugin-import-x": "^4.16.2",
@@ -67,8 +67,8 @@
     "globals": "^17.5.0",
     "nock": "^14.0.12",
     "sinon": "^21.1.2",
-    "typescript": "^6.0.3",
-    "typescript-eslint": "^8.59.1"
+    "typescript": "^6.0.2",
+    "typescript-eslint": "^8.58.2"
   },
   "overrides": {
     "@actions/tool-cache": {

pr-checks/checks/rubocop-multi-language.yml

@@ -5,7 +5,7 @@ versions:
   - default
 steps:
   - name: Set up Ruby
-    uses: ruby/setup-ruby@c4e5b1316158f92e3d49443a9d58b31d25ac0f8f # v1.306.0
+    uses: ruby/setup-ruby@0cb964fd540e0a24c900370abf38a33466142735 # v1.305.0
     with:
       ruby-version: 2.6
   - name: Install Code Scanning integration

pr-checks/package.json

@@ -10,7 +10,7 @@
     "yaml": "^2.8.3"
   },
   "devDependencies": {
-    "@types/node": "^20.19.39",
+    "@types/node": "^20.19.9",
     "tsx": "^4.21.0"
   }
 }

setup-codeql/action.yml

@@ -19,25 +19,6 @@ inputs:
       If not specified, the Action will check in several places until it finds
       the CodeQL tools.
     required: false
-  languages:
-    description: >-
-      A comma-separated list of CodeQL languages that will be analyzed in subsequent
-      `github/codeql-action/init` and `github/codeql-action/analyze` invocations. If specified, the
-      Action may use this list to select a CodeQL CLI version that is best suited to analyzing those
-      languages, for example by preferring a version that has a cached overlay-base database for the
-      specified languages. This input is not remembered and must also be passed to
-      `github/codeql-action/init`.
-    required: false
-  analysis-kinds:
-    description: >-
-      [Internal] A comma-separated list of analysis kinds that subsequent
-      `github/codeql-action/init` invocations will enable. If specified, the Action may use this
-      list to select a CodeQL CLI version that is best suited to those analysis kinds. This input is
-      not remembered and must also be passed to `github/codeql-action/init`.
-
-      Available options are the same as for the `analysis-kinds` input on the `init` Action.
-    default: 'code-scanning'
-    required: true
   token:
     description: GitHub token to use for authenticating with this instance of GitHub.
     default: ${{ github.token }}

src/artifact-scanner.test.ts

@@ -141,12 +141,7 @@ test("scanArtifactsForTokens handles files without tokens", async (t) => {
   }
 });
 
-// This test is slow (extracts and scans a zip artifact), so by default we only run it in CI. Set
-// RUN_SLOW_TESTS=1 to run it locally.
-if (
-  os.platform() !== "win32" &&
-  (process.env.CI === "true" || process.env.RUN_SLOW_TESTS === "1")
-) {
+if (os.platform() !== "win32") {
   test("scanArtifactsForTokens finds token in debug artifacts", async (t) => {
     t.timeout(15000); // 15 seconds
     const messages: LoggedMessage[] = [];

src/artifact-scanner.ts

@@ -156,10 +156,6 @@ async function scanArchiveFile(
     );
   }
 
-  if (process.platform === "win32") {
-    throw new Error("Scanning archives is not supported on Windows.");
-  }
-
   const result: ScanResult = {
     scannedFiles: 0,
     findings: [],

src/codeql.test.ts

@@ -33,7 +33,6 @@ import {
   mockBundleDownloadApi,
   makeVersionInfo,
   createTestConfig,
-  makeMacro,
 } from "./testing-utils";
 import { ToolsDownloadStatusReport } from "./tools-download";
 import * as util from "./util";
@@ -71,10 +70,8 @@ async function installIntoToolcache({
     tmpDir,
     util.GitHubVariant.GHES,
     cliVersion !== undefined
-      ? { enabledVersions: [{ cliVersion, tagName }] }
+      ? { cliVersion, tagName }
       : SAMPLE_DEFAULT_CLI_VERSION,
-    undefined, // rawLanguages
-    false, // useOverlayAwareDefaultCliVersion
     createFeatures([]),
     getRunnerLogger(true),
     false,
@@ -146,8 +143,6 @@ test.serial(
           tmpDir,
           util.GitHubVariant.DOTCOM,
           SAMPLE_DEFAULT_CLI_VERSION,
-          undefined, // rawLanguages
-          false, // useOverlayAwareDefaultCliVersion
           features,
           getRunnerLogger(true),
           false,
@@ -180,8 +175,6 @@ test.serial(
         tmpDir,
         util.GitHubVariant.DOTCOM,
         SAMPLE_DEFAULT_CLI_VERSION,
-        undefined, // rawLanguages
-        false, // useOverlayAwareDefaultCliVersion
         features,
         getRunnerLogger(true),
         false,
@@ -221,8 +214,6 @@ test.serial(
         tmpDir,
         util.GitHubVariant.DOTCOM,
         SAMPLE_DEFAULT_CLI_VERSION,
-        undefined, // rawLanguages
-        false, // useOverlayAwareDefaultCliVersion
         features,
         getRunnerLogger(true),
         false,
@@ -273,8 +264,6 @@ for (const {
           tmpDir,
           util.GitHubVariant.DOTCOM,
           SAMPLE_DEFAULT_CLI_VERSION,
-          undefined, // rawLanguages
-          false, // useOverlayAwareDefaultCliVersion
           features,
           getRunnerLogger(true),
           false,
@@ -295,11 +284,11 @@ for (const {
 for (const toolcacheVersion of [
   // Test that we use the tools from the toolcache when `SAMPLE_DEFAULT_CLI_VERSION` is requested
   // and `SAMPLE_DEFAULT_CLI_VERSION-` is in the toolcache.
-  SAMPLE_DEFAULT_CLI_VERSION.enabledVersions[0].cliVersion,
-  `${SAMPLE_DEFAULT_CLI_VERSION.enabledVersions[0].cliVersion}-20230101`,
+  SAMPLE_DEFAULT_CLI_VERSION.cliVersion,
+  `${SAMPLE_DEFAULT_CLI_VERSION.cliVersion}-20230101`,
 ]) {
   test.serial(
-    `uses tools from toolcache when ${SAMPLE_DEFAULT_CLI_VERSION.enabledVersions[0].cliVersion} is requested and ` +
+    `uses tools from toolcache when ${SAMPLE_DEFAULT_CLI_VERSION.cliVersion} is requested and ` +
       `${toolcacheVersion} is installed`,
     async (t) => {
       const features = createFeatures([]);
@@ -319,16 +308,11 @@ for (const toolcacheVersion of [
           tmpDir,
           util.GitHubVariant.DOTCOM,
           SAMPLE_DEFAULT_CLI_VERSION,
-          undefined, // rawLanguages
-          false, // useOverlayAwareDefaultCliVersion
           features,
           getRunnerLogger(true),
           false,
         );
-        t.is(
-          result.toolsVersion,
-          SAMPLE_DEFAULT_CLI_VERSION.enabledVersions[0].cliVersion,
-        );
+        t.is(result.toolsVersion, SAMPLE_DEFAULT_CLI_VERSION.cliVersion);
         t.is(result.toolsSource, ToolsSource.Toolcache);
         t.is(result.toolsDownloadStatusReport?.combinedDurationMs, undefined);
         t.is(result.toolsDownloadStatusReport?.downloadDurationMs, undefined);
@@ -358,15 +342,9 @@ test.serial(
         tmpDir,
         util.GitHubVariant.GHES,
         {
-          enabledVersions: [
-            {
-              cliVersion: defaults.cliVersion,
-              tagName: defaults.bundleVersion,
-            },
-          ],
+          cliVersion: defaults.cliVersion,
+          tagName: defaults.bundleVersion,
         },
-        undefined, // rawLanguages
-        false, // useOverlayAwareDefaultCliVersion
         features,
         getRunnerLogger(true),
         false,
@@ -406,15 +384,9 @@ test.serial(
         tmpDir,
         util.GitHubVariant.GHES,
         {
-          enabledVersions: [
-            {
-              cliVersion: defaults.cliVersion,
-              tagName: defaults.bundleVersion,
-            },
-          ],
+          cliVersion: defaults.cliVersion,
+          tagName: defaults.bundleVersion,
         },
-        undefined, // rawLanguages
-        false, // useOverlayAwareDefaultCliVersion
         features,
         getRunnerLogger(true),
         false,
@@ -454,8 +426,6 @@ test.serial(
         tmpDir,
         util.GitHubVariant.DOTCOM,
         SAMPLE_DEFAULT_CLI_VERSION,
-        undefined, // rawLanguages
-        false, // useOverlayAwareDefaultCliVersion
         features,
         getRunnerLogger(true),
         false,
@@ -497,8 +467,6 @@ test.serial(
         tmpDir,
         util.GitHubVariant.DOTCOM,
         SAMPLE_DEFAULT_CLI_VERSION,
-        undefined, // rawLanguages
-        false, // useOverlayAwareDefaultCliVersion
         features,
         getRunnerLogger(true),
         false,
@@ -572,7 +540,7 @@ test.serial("getExtraOptions throws for bad content", (t) => {
 });
 
 // Test macro for ensuring different variants of injected augmented configurations
-const injectedConfigMacro = makeMacro({
+const injectedConfigMacro = test.macro({
   exec: async (
     t: ExecutionContext<unknown>,
     augmentationProperties: AugmentationProperties,
@@ -622,8 +590,9 @@ const injectedConfigMacro = makeMacro({
     `databaseInitCluster() injected config: ${providedTitle}`,
 });
 
-injectedConfigMacro.serial(
+test.serial(
   "basic",
+  injectedConfigMacro,
   {
     ...defaultAugmentationProperties,
   },
@@ -631,8 +600,9 @@ injectedConfigMacro.serial(
   {},
 );
 
-injectedConfigMacro.serial(
+test.serial(
   "injected packs from input",
+  injectedConfigMacro,
   {
     ...defaultAugmentationProperties,
     packsInput: ["xxx", "yyy"],
@@ -643,8 +613,9 @@ injectedConfigMacro.serial(
   },
 );
 
-injectedConfigMacro.serial(
+test.serial(
   "injected packs from input with existing packs combines",
+  injectedConfigMacro,
   {
     ...defaultAugmentationProperties,
     packsInputCombines: true,
@@ -664,8 +635,9 @@ injectedConfigMacro.serial(
   },
 );
 
-injectedConfigMacro.serial(
+test.serial(
   "injected packs from input with existing packs overrides",
+  injectedConfigMacro,
   {
     ...defaultAugmentationProperties,
     packsInput: ["xxx", "yyy"],
@@ -683,8 +655,9 @@ injectedConfigMacro.serial(
 );
 
 // similar, but with queries
-injectedConfigMacro.serial(
+test.serial(
   "injected queries from input",
+  injectedConfigMacro,
   {
     ...defaultAugmentationProperties,
     queriesInput: [{ uses: "xxx" }, { uses: "yyy" }],
@@ -702,8 +675,9 @@ injectedConfigMacro.serial(
   },
 );
 
-injectedConfigMacro.serial(
+test.serial(
   "injected queries from input overrides",
+  injectedConfigMacro,
   {
     ...defaultAugmentationProperties,
     queriesInput: [{ uses: "xxx" }, { uses: "yyy" }],
@@ -725,8 +699,9 @@ injectedConfigMacro.serial(
   },
 );
 
-injectedConfigMacro.serial(
+test.serial(
   "injected queries from input combines",
+  injectedConfigMacro,
   {
     ...defaultAugmentationProperties,
     queriesInputCombines: true,
@@ -752,8 +727,9 @@ injectedConfigMacro.serial(
   },
 );
 
-injectedConfigMacro.serial(
+test.serial(
   "injected queries from input combines 2",
+  injectedConfigMacro,
   {
     ...defaultAugmentationProperties,
     queriesInputCombines: true,
@@ -773,8 +749,9 @@ injectedConfigMacro.serial(
   },
 );
 
-injectedConfigMacro.serial(
+test.serial(
   "injected queries and packs, but empty",
+  injectedConfigMacro,
   {
     ...defaultAugmentationProperties,
     queriesInputCombines: true,
@@ -791,8 +768,9 @@ injectedConfigMacro.serial(
   {},
 );
 
-injectedConfigMacro.serial(
+test.serial(
   "repo property queries have the highest precedence",
+  injectedConfigMacro,
   {
     ...defaultAugmentationProperties,
     queriesInputCombines: true,
@@ -812,8 +790,9 @@ injectedConfigMacro.serial(
   },
 );
 
-injectedConfigMacro.serial(
+test.serial(
   "repo property queries combines with queries input",
+  injectedConfigMacro,
   {
     ...defaultAugmentationProperties,
     queriesInputCombines: false,
@@ -838,8 +817,9 @@ injectedConfigMacro.serial(
   },
 );
 
-injectedConfigMacro.serial(
+test.serial(
   "repo property queries combines everything else",
+  injectedConfigMacro,
   {
     ...defaultAugmentationProperties,
     queriesInputCombines: true,

src/codeql.ts

@@ -305,8 +305,6 @@ const EXTRACTION_DEBUG_MODE_VERBOSITY = "progress++";
  * @param tempDir
  * @param variant
  * @param defaultCliVersion
- * @param rawLanguages Raw set of languages.
- * @param useOverlayAwareDefaultCliVersion Whether to select an overlay-aware default CLI version.
  * @param features Information about the features that are enabled.
  * @param logger
  * @param checkVersion Whether to check that CodeQL CLI meets the minimum
@@ -319,8 +317,6 @@ export async function setupCodeQL(
   tempDir: string,
   variant: util.GitHubVariant,
   defaultCliVersion: CodeQLDefaultVersionInfo,
-  rawLanguages: string[] | undefined,
-  useOverlayAwareDefaultCliVersion: boolean,
   features: FeatureEnablement,
   logger: Logger,
   checkVersion: boolean,
@@ -344,8 +340,6 @@ export async function setupCodeQL(
       tempDir,
       variant,
       defaultCliVersion,
-      rawLanguages,
-      useOverlayAwareDefaultCliVersion,
       features,
       logger,
     );

src/config-utils.test.ts

@@ -21,6 +21,7 @@ import { GitVersionInfo } from "./git-utils";
 import { BuiltInLanguage, Language } from "./languages";
 import { getRunnerLogger } from "./logging";
 import { CODEQL_OVERLAY_MINIMUM_VERSION } from "./overlay";
+import * as overlayDiagnostics from "./overlay/diagnostics";
 import { OverlayDisabledReason } from "./overlay/diagnostics";
 import { OverlayDatabaseMode } from "./overlay/overlay-database-mode";
 import * as overlayStatus from "./overlay/status";
@@ -34,7 +35,6 @@ import {
   LoggedMessage,
   mockCodeQLVersion,
   createTestConfig,
-  makeMacro,
 } from "./testing-utils";
 import {
   GitHubVariant,
@@ -1035,9 +1035,10 @@ const defaultOverlayDatabaseModeTestSetup: OverlayDatabaseModeTestSetup = {
   repositoryProperties: {},
 };
 
-const checkOverlayEnablementMacro = makeMacro({
+const checkOverlayEnablementMacro = test.macro({
   exec: async (
     t: ExecutionContext,
+    _title: string,
     setupOverrides: Partial<OverlayDatabaseModeTestSetup>,
     expected:
       | {
@@ -1131,10 +1132,11 @@ const checkOverlayEnablementMacro = makeMacro({
       }
     });
   },
-  title: (title) => `checkOverlayEnablement: ${title}`,
+  title: (_, title) => `checkOverlayEnablement: ${title}`,
 });
 
-checkOverlayEnablementMacro.serial(
+test.serial(
+  checkOverlayEnablementMacro,
   "Environment variable override - Overlay",
   {
     overlayDatabaseEnvVar: "overlay",
@@ -1145,7 +1147,8 @@ checkOverlayEnablementMacro.serial(
   },
 );
 
-checkOverlayEnablementMacro.serial(
+test.serial(
+  checkOverlayEnablementMacro,
   "Environment variable override - OverlayBase",
   {
     overlayDatabaseEnvVar: "overlay-base",
@@ -1156,7 +1159,8 @@ checkOverlayEnablementMacro.serial(
   },
 );
 
-checkOverlayEnablementMacro.serial(
+test.serial(
+  checkOverlayEnablementMacro,
   "Environment variable override - None",
   {
     overlayDatabaseEnvVar: "none",
@@ -1166,7 +1170,8 @@ checkOverlayEnablementMacro.serial(
   },
 );
 
-checkOverlayEnablementMacro.serial(
+test.serial(
+  checkOverlayEnablementMacro,
   "Ignore invalid environment variable",
   {
     overlayDatabaseEnvVar: "invalid-mode",
@@ -1176,7 +1181,8 @@ checkOverlayEnablementMacro.serial(
   },
 );
 
-checkOverlayEnablementMacro.serial(
+test.serial(
+  checkOverlayEnablementMacro,
   "Ignore feature flag when analyzing non-default branch",
   {
     languages: [BuiltInLanguage.javascript],
@@ -1187,7 +1193,8 @@ checkOverlayEnablementMacro.serial(
   },
 );
 
-checkOverlayEnablementMacro.serial(
+test.serial(
+  checkOverlayEnablementMacro,
   "Overlay-base database on default branch when feature enabled",
   {
     languages: [BuiltInLanguage.javascript],
@@ -1200,14 +1207,15 @@ checkOverlayEnablementMacro.serial(
   },
 );
 
-checkOverlayEnablementMacro.serial(
+test.serial(
+  checkOverlayEnablementMacro,
   "Overlay-base database on default branch when feature enabled with custom analysis",
   {
     languages: [BuiltInLanguage.javascript],
     features: [Feature.OverlayAnalysis, Feature.OverlayAnalysisJavascript],
     codeScanningConfig: {
       packs: ["some-custom-pack@1.0.0"],
-    },
+    } as UserConfig,
     isDefaultBranch: true,
   },
   {
@@ -1216,7 +1224,8 @@ checkOverlayEnablementMacro.serial(
   },
 );
 
-checkOverlayEnablementMacro.serial(
+test.serial(
+  checkOverlayEnablementMacro,
   "Overlay-base database on default branch when code-scanning feature enabled",
   {
     languages: [BuiltInLanguage.javascript],
@@ -1232,7 +1241,8 @@ checkOverlayEnablementMacro.serial(
   },
 );
 
-checkOverlayEnablementMacro.serial(
+test.serial(
+  checkOverlayEnablementMacro,
   "No overlay-base database on default branch if runner disk space is too low",
   {
     languages: [BuiltInLanguage.javascript],
@@ -1251,7 +1261,8 @@ checkOverlayEnablementMacro.serial(
   },
 );
 
-checkOverlayEnablementMacro.serial(
+test.serial(
+  checkOverlayEnablementMacro,
   "No overlay-base database on default branch if we can't determine runner disk space",
   {
     languages: [BuiltInLanguage.javascript],
@@ -1267,7 +1278,8 @@ checkOverlayEnablementMacro.serial(
   },
 );
 
-checkOverlayEnablementMacro.serial(
+test.serial(
+  checkOverlayEnablementMacro,
   "Overlay-base database on default branch if runner disk space is too low and skip resource checks flag is enabled",
   {
     languages: [BuiltInLanguage.javascript],
@@ -1288,7 +1300,8 @@ checkOverlayEnablementMacro.serial(
   },
 );
 
-checkOverlayEnablementMacro.serial(
+test.serial(
+  checkOverlayEnablementMacro,
   "No overlay-base database on default branch if runner disk space is below v2 limit and v2 resource checks enabled",
   {
     languages: [BuiltInLanguage.javascript],
@@ -1308,7 +1321,8 @@ checkOverlayEnablementMacro.serial(
   },
 );
 
-checkOverlayEnablementMacro.serial(
+test.serial(
+  checkOverlayEnablementMacro,
   "Overlay-base database on default branch if runner disk space is between v2 and v1 limits and v2 resource checks enabled",
   {
     languages: [BuiltInLanguage.javascript],
@@ -1329,7 +1343,8 @@ checkOverlayEnablementMacro.serial(
   },
 );
 
-checkOverlayEnablementMacro.serial(
+test.serial(
+  checkOverlayEnablementMacro,
   "No overlay-base database on default branch if runner disk space is between v2 and v1 limits and v2 resource checks not enabled",
   {
     languages: [BuiltInLanguage.javascript],
@@ -1348,7 +1363,8 @@ checkOverlayEnablementMacro.serial(
   },
 );
 
-checkOverlayEnablementMacro.serial(
+test.serial(
+  checkOverlayEnablementMacro,
   "No overlay-base database on default branch if memory flag is too low",
   {
     languages: [BuiltInLanguage.javascript],
@@ -1364,7 +1380,8 @@ checkOverlayEnablementMacro.serial(
   },
 );
 
-checkOverlayEnablementMacro.serial(
+test.serial(
+  checkOverlayEnablementMacro,
   "Overlay-base database on default branch if memory flag is too low but CodeQL >= 2.24.3",
   {
     languages: [BuiltInLanguage.javascript],
@@ -1382,7 +1399,8 @@ checkOverlayEnablementMacro.serial(
   },
 );
 
-checkOverlayEnablementMacro.serial(
+test.serial(
+  checkOverlayEnablementMacro,
   "Overlay-base database on default branch if memory flag is too low and skip resource checks flag is enabled",
   {
     languages: [BuiltInLanguage.javascript],
@@ -1400,7 +1418,8 @@ checkOverlayEnablementMacro.serial(
   },
 );
 
-checkOverlayEnablementMacro.serial(
+test.serial(
+  checkOverlayEnablementMacro,
   "No overlay-base database on default branch when cached status indicates previous failure",
   {
     languages: [BuiltInLanguage.javascript],
@@ -1417,7 +1436,8 @@ checkOverlayEnablementMacro.serial(
   },
 );
 
-checkOverlayEnablementMacro.serial(
+test.serial(
+  checkOverlayEnablementMacro,
   "No overlay analysis on PR when cached status indicates previous failure",
   {
     languages: [BuiltInLanguage.javascript],
@@ -1434,7 +1454,8 @@ checkOverlayEnablementMacro.serial(
   },
 );
 
-checkOverlayEnablementMacro.serial(
+test.serial(
+  checkOverlayEnablementMacro,
   "No overlay-base database on default branch when code-scanning feature enabled with disable-default-queries",
   {
     languages: [BuiltInLanguage.javascript],
@@ -1444,7 +1465,7 @@ checkOverlayEnablementMacro.serial(
     ],
     codeScanningConfig: {
       "disable-default-queries": true,
-    },
+    } as UserConfig,
     isDefaultBranch: true,
   },
   {
@@ -1452,7 +1473,8 @@ checkOverlayEnablementMacro.serial(
   },
 );
 
-checkOverlayEnablementMacro.serial(
+test.serial(
+  checkOverlayEnablementMacro,
   "No overlay-base database on default branch when code-scanning feature enabled with packs",
   {
     languages: [BuiltInLanguage.javascript],
@@ -1462,7 +1484,7 @@ checkOverlayEnablementMacro.serial(
     ],
     codeScanningConfig: {
       packs: ["some-custom-pack@1.0.0"],
-    },
+    } as UserConfig,
     isDefaultBranch: true,
   },
   {
@@ -1470,7 +1492,8 @@ checkOverlayEnablementMacro.serial(
   },
 );
 
-checkOverlayEnablementMacro.serial(
+test.serial(
+  checkOverlayEnablementMacro,
   "No overlay-base database on default branch when code-scanning feature enabled with queries",
   {
     languages: [BuiltInLanguage.javascript],
@@ -1480,7 +1503,7 @@ checkOverlayEnablementMacro.serial(
     ],
     codeScanningConfig: {
       queries: [{ uses: "some-query.ql" }],
-    },
+    } as UserConfig,
     isDefaultBranch: true,
   },
   {
@@ -1488,7 +1511,8 @@ checkOverlayEnablementMacro.serial(
   },
 );
 
-checkOverlayEnablementMacro.serial(
+test.serial(
+  checkOverlayEnablementMacro,
   "No overlay-base database on default branch when code-scanning feature enabled with query-filters",
   {
     languages: [BuiltInLanguage.javascript],
@@ -1498,7 +1522,7 @@ checkOverlayEnablementMacro.serial(
     ],
     codeScanningConfig: {
       "query-filters": [{ include: { "security-severity": "high" } }],
-    },
+    } as UserConfig,
     isDefaultBranch: true,
   },
   {
@@ -1506,7 +1530,8 @@ checkOverlayEnablementMacro.serial(
   },
 );
 
-checkOverlayEnablementMacro.serial(
+test.serial(
+  checkOverlayEnablementMacro,
   "No overlay-base database on default branch when only language-specific feature enabled",
   {
     languages: [BuiltInLanguage.javascript],
@@ -1518,7 +1543,8 @@ checkOverlayEnablementMacro.serial(
   },
 );
 
-checkOverlayEnablementMacro.serial(
+test.serial(
+  checkOverlayEnablementMacro,
   "No overlay-base database on default branch when only code-scanning feature enabled",
   {
     languages: [BuiltInLanguage.javascript],
@@ -1530,7 +1556,8 @@ checkOverlayEnablementMacro.serial(
   },
 );
 
-checkOverlayEnablementMacro.serial(
+test.serial(
+  checkOverlayEnablementMacro,
   "No overlay-base database on default branch when language-specific feature disabled",
   {
     languages: [BuiltInLanguage.javascript],
@@ -1542,7 +1569,8 @@ checkOverlayEnablementMacro.serial(
   },
 );
 
-checkOverlayEnablementMacro.serial(
+test.serial(
+  checkOverlayEnablementMacro,
   "Overlay analysis on PR when feature enabled",
   {
     languages: [BuiltInLanguage.javascript],
@@ -1555,14 +1583,15 @@ checkOverlayEnablementMacro.serial(
   },
 );
 
-checkOverlayEnablementMacro.serial(
+test.serial(
+  checkOverlayEnablementMacro,
   "Overlay analysis on PR when feature enabled with custom analysis",
   {
     languages: [BuiltInLanguage.javascript],
     features: [Feature.OverlayAnalysis, Feature.OverlayAnalysisJavascript],
     codeScanningConfig: {
       packs: ["some-custom-pack@1.0.0"],
-    },
+    } as UserConfig,
     isPullRequest: true,
   },
   {
@@ -1571,7 +1600,8 @@ checkOverlayEnablementMacro.serial(
   },
 );
 
-checkOverlayEnablementMacro.serial(
+test.serial(
+  checkOverlayEnablementMacro,
   "Overlay analysis on PR when code-scanning feature enabled",
   {
     languages: [BuiltInLanguage.javascript],
@@ -1587,7 +1617,8 @@ checkOverlayEnablementMacro.serial(
   },
 );
 
-checkOverlayEnablementMacro.serial(
+test.serial(
+  checkOverlayEnablementMacro,
   "No overlay analysis on PR if runner disk space is too low",
   {
     languages: [BuiltInLanguage.javascript],
@@ -1606,7 +1637,8 @@ checkOverlayEnablementMacro.serial(
   },
 );
 
-checkOverlayEnablementMacro.serial(
+test.serial(
+  checkOverlayEnablementMacro,
   "Overlay analysis on PR if runner disk space is too low and skip resource checks flag is enabled",
   {
     languages: [BuiltInLanguage.javascript],
@@ -1627,7 +1659,8 @@ checkOverlayEnablementMacro.serial(
   },
 );
 
-checkOverlayEnablementMacro.serial(
+test.serial(
+  checkOverlayEnablementMacro,
   "No overlay analysis on PR if we can't determine runner disk space",
   {
     languages: [BuiltInLanguage.javascript],
@@ -1643,7 +1676,8 @@ checkOverlayEnablementMacro.serial(
   },
 );
 
-checkOverlayEnablementMacro.serial(
+test.serial(
+  checkOverlayEnablementMacro,
   "No overlay analysis on PR if memory flag is too low",
   {
     languages: [BuiltInLanguage.javascript],
@@ -1659,7 +1693,8 @@ checkOverlayEnablementMacro.serial(
   },
 );
 
-checkOverlayEnablementMacro.serial(
+test.serial(
+  checkOverlayEnablementMacro,
   "Overlay analysis on PR if memory flag is too low but CodeQL >= 2.24.3",
   {
     languages: [BuiltInLanguage.javascript],
@@ -1677,7 +1712,8 @@ checkOverlayEnablementMacro.serial(
   },
 );
 
-checkOverlayEnablementMacro.serial(
+test.serial(
+  checkOverlayEnablementMacro,
   "Overlay analysis on PR if memory flag is too low and skip resource checks flag is enabled",
   {
     languages: [BuiltInLanguage.javascript],
@@ -1695,7 +1731,8 @@ checkOverlayEnablementMacro.serial(
   },
 );
 
-checkOverlayEnablementMacro.serial(
+test.serial(
+  checkOverlayEnablementMacro,
   "No overlay analysis on PR when code-scanning feature enabled with disable-default-queries",
   {
     languages: [BuiltInLanguage.javascript],
@@ -1705,7 +1742,7 @@ checkOverlayEnablementMacro.serial(
     ],
     codeScanningConfig: {
       "disable-default-queries": true,
-    },
+    } as UserConfig,
     isPullRequest: true,
   },
   {
@@ -1713,7 +1750,8 @@ checkOverlayEnablementMacro.serial(
   },
 );
 
-checkOverlayEnablementMacro.serial(
+test.serial(
+  checkOverlayEnablementMacro,
   "No overlay analysis on PR when code-scanning feature enabled with packs",
   {
     languages: [BuiltInLanguage.javascript],
@@ -1723,7 +1761,7 @@ checkOverlayEnablementMacro.serial(
     ],
     codeScanningConfig: {
       packs: ["some-custom-pack@1.0.0"],
-    },
+    } as UserConfig,
     isPullRequest: true,
   },
   {
@@ -1731,7 +1769,8 @@ checkOverlayEnablementMacro.serial(
   },
 );
 
-checkOverlayEnablementMacro.serial(
+test.serial(
+  checkOverlayEnablementMacro,
   "No overlay analysis on PR when code-scanning feature enabled with queries",
   {
     languages: [BuiltInLanguage.javascript],
@@ -1741,7 +1780,7 @@ checkOverlayEnablementMacro.serial(
     ],
     codeScanningConfig: {
       queries: [{ uses: "some-query.ql" }],
-    },
+    } as UserConfig,
     isPullRequest: true,
   },
   {
@@ -1749,7 +1788,8 @@ checkOverlayEnablementMacro.serial(
   },
 );
 
-checkOverlayEnablementMacro.serial(
+test.serial(
+  checkOverlayEnablementMacro,
   "No overlay analysis on PR when code-scanning feature enabled with query-filters",
   {
     languages: [BuiltInLanguage.javascript],
@@ -1759,7 +1799,7 @@ checkOverlayEnablementMacro.serial(
     ],
     codeScanningConfig: {
       "query-filters": [{ include: { "security-severity": "high" } }],
-    },
+    } as UserConfig,
     isPullRequest: true,
   },
   {
@@ -1767,7 +1807,8 @@ checkOverlayEnablementMacro.serial(
   },
 );
 
-checkOverlayEnablementMacro.serial(
+test.serial(
+  checkOverlayEnablementMacro,
   "No overlay analysis on PR when only language-specific feature enabled",
   {
     languages: [BuiltInLanguage.javascript],
@@ -1779,7 +1820,8 @@ checkOverlayEnablementMacro.serial(
   },
 );
 
-checkOverlayEnablementMacro.serial(
+test.serial(
+  checkOverlayEnablementMacro,
   "No overlay analysis on PR when only code-scanning feature enabled",
   {
     languages: [BuiltInLanguage.javascript],
@@ -1791,7 +1833,8 @@ checkOverlayEnablementMacro.serial(
   },
 );
 
-checkOverlayEnablementMacro.serial(
+test.serial(
+  checkOverlayEnablementMacro,
   "No overlay analysis on PR when language-specific feature disabled",
   {
     languages: [BuiltInLanguage.javascript],
@@ -1803,7 +1846,8 @@ checkOverlayEnablementMacro.serial(
   },
 );
 
-checkOverlayEnablementMacro.serial(
+test.serial(
+  checkOverlayEnablementMacro,
   "Overlay PR analysis by env",
   {
     overlayDatabaseEnvVar: "overlay",
@@ -1814,7 +1858,8 @@ checkOverlayEnablementMacro.serial(
   },
 );
 
-checkOverlayEnablementMacro.serial(
+test.serial(
+  checkOverlayEnablementMacro,
   "Overlay PR analysis by env on a runner with low disk space",
   {
     overlayDatabaseEnvVar: "overlay",
@@ -1826,7 +1871,8 @@ checkOverlayEnablementMacro.serial(
   },
 );
 
-checkOverlayEnablementMacro.serial(
+test.serial(
+  checkOverlayEnablementMacro,
   "Overlay PR analysis by feature flag",
   {
     languages: [BuiltInLanguage.javascript],
@@ -1839,7 +1885,8 @@ checkOverlayEnablementMacro.serial(
   },
 );
 
-checkOverlayEnablementMacro.serial(
+test.serial(
+  checkOverlayEnablementMacro,
   "Fallback due to autobuild with traced language",
   {
     overlayDatabaseEnvVar: "overlay",
@@ -1851,7 +1898,8 @@ checkOverlayEnablementMacro.serial(
   },
 );
 
-checkOverlayEnablementMacro.serial(
+test.serial(
+  checkOverlayEnablementMacro,
   "Fallback due to no build mode with traced language",
   {
     overlayDatabaseEnvVar: "overlay",
@@ -1863,7 +1911,8 @@ checkOverlayEnablementMacro.serial(
   },
 );
 
-checkOverlayEnablementMacro.serial(
+test.serial(
+  checkOverlayEnablementMacro,
   "Fallback due to old CodeQL version",
   {
     overlayDatabaseEnvVar: "overlay",
@@ -1874,7 +1923,8 @@ checkOverlayEnablementMacro.serial(
   },
 );
 
-checkOverlayEnablementMacro.serial(
+test.serial(
+  checkOverlayEnablementMacro,
   "Fallback due to missing git root",
   {
     overlayDatabaseEnvVar: "overlay",
@@ -1885,7 +1935,8 @@ checkOverlayEnablementMacro.serial(
   },
 );
 
-checkOverlayEnablementMacro.serial(
+test.serial(
+  checkOverlayEnablementMacro,
   "Fallback due to old git version with submodules",
   {
     overlayDatabaseEnvVar: "overlay",
@@ -1897,7 +1948,8 @@ checkOverlayEnablementMacro.serial(
   },
 );
 
-checkOverlayEnablementMacro.serial(
+test.serial(
+  checkOverlayEnablementMacro,
   "Fallback when git version cannot be determined and repo has submodules",
   {
     overlayDatabaseEnvVar: "overlay",
@@ -1909,7 +1961,8 @@ checkOverlayEnablementMacro.serial(
   },
 );
 
-checkOverlayEnablementMacro.serial(
+test.serial(
+  checkOverlayEnablementMacro,
   "Overlay enabled when git version cannot be determined and repo has no submodules",
   {
     overlayDatabaseEnvVar: "overlay",
@@ -1922,7 +1975,8 @@ checkOverlayEnablementMacro.serial(
   },
 );
 
-checkOverlayEnablementMacro.serial(
+test.serial(
+  checkOverlayEnablementMacro,
   "No overlay when disabled via repository property",
   {
     languages: [BuiltInLanguage.javascript],
@@ -1937,7 +1991,8 @@ checkOverlayEnablementMacro.serial(
   },
 );
 
-checkOverlayEnablementMacro.serial(
+test.serial(
+  checkOverlayEnablementMacro,
   "Overlay not disabled when repository property is false",
   {
     languages: [BuiltInLanguage.javascript],
@@ -1953,7 +2008,8 @@ checkOverlayEnablementMacro.serial(
   },
 );
 
-checkOverlayEnablementMacro.serial(
+test.serial(
+  checkOverlayEnablementMacro,
   "Environment variable override takes precedence over repository property",
   {
     overlayDatabaseEnvVar: "overlay",
@@ -1969,7 +2025,8 @@ checkOverlayEnablementMacro.serial(
 
 // Exercise language-specific overlay analysis features code paths
 for (const language in BuiltInLanguage) {
-  checkOverlayEnablementMacro.serial(
+  test.serial(
+    checkOverlayEnablementMacro,
     `Check default overlay analysis feature for ${language}`,
     {
       languages: [language],
@@ -1986,7 +2043,8 @@ for (const language in BuiltInLanguage) {
 // overlay analysis enabled, even when the base overlay feature flag is on.
 // Using swift here as it doesn't currently have overlay support — update this if
 // swift gains overlay support.
-checkOverlayEnablementMacro.serial(
+test.serial(
+  checkOverlayEnablementMacro,
   "No overlay analysis for language without per-language overlay feature flag",
   {
     languages: [BuiltInLanguage.swift],
@@ -2143,3 +2201,87 @@ test.serial(
     });
   },
 );
+
+test("applyIncrementalAnalysisSettings: no-op when mode is not Overlay and diff ranges are unavailable", async (t) => {
+  const config = createTestConfig({});
+  config.overlayDatabaseMode = OverlayDatabaseMode.None;
+  const codeql = createStubCodeQL({});
+  const logger = getRunnerLogger(true);
+
+  await configUtils.applyIncrementalAnalysisSettings(
+    config,
+    false,
+    codeql,
+    logger,
+  );
+
+  t.is(config.overlayDatabaseMode, OverlayDatabaseMode.None);
+  t.deepEqual(config.extraQueryExclusions, []);
+});
+
+test("applyIncrementalAnalysisSettings: keeps overlay mode and adds exclusions when diff ranges are available", async (t) => {
+  const config = createTestConfig({
+    overlayDatabaseMode: OverlayDatabaseMode.Overlay,
+  });
+  const codeql = createStubCodeQL({});
+  const logger = getRunnerLogger(true);
+
+  await configUtils.applyIncrementalAnalysisSettings(
+    config,
+    true,
+    codeql,
+    logger,
+  );
+
+  t.is(config.overlayDatabaseMode, OverlayDatabaseMode.Overlay);
+  t.deepEqual(config.extraQueryExclusions, [
+    { exclude: { tags: "exclude-from-incremental" } },
+  ]);
+});
+
+test("applyIncrementalAnalysisSettings: disables overlay analysis when diff ranges are unavailable", async (t) => {
+  const config = createTestConfig({
+    overlayDatabaseMode: OverlayDatabaseMode.Overlay,
+  });
+  config.useOverlayDatabaseCaching = true;
+  const codeql = createStubCodeQL({});
+  const logger = getRunnerLogger(true);
+  const addDiagnosticsStub = sinon
+    .stub(overlayDiagnostics, "addOverlayDisablementDiagnostics")
+    .resolves();
+
+  await configUtils.applyIncrementalAnalysisSettings(
+    config,
+    false,
+    codeql,
+    logger,
+  );
+
+  t.is(config.overlayDatabaseMode, OverlayDatabaseMode.None);
+  t.is(config.useOverlayDatabaseCaching, false);
+  t.deepEqual(config.extraQueryExclusions, []);
+  t.true(addDiagnosticsStub.calledOnce);
+  t.is(
+    addDiagnosticsStub.firstCall.args[2],
+    OverlayDisabledReason.DiffInformedAnalysisNotEnabled,
+  );
+});
+
+test("applyIncrementalAnalysisSettings: adds exclusions for diff-informed-only runs", async (t) => {
+  const config = createTestConfig({});
+  config.overlayDatabaseMode = OverlayDatabaseMode.None;
+  const codeql = createStubCodeQL({});
+  const logger = getRunnerLogger(true);
+
+  await configUtils.applyIncrementalAnalysisSettings(
+    config,
+    true,
+    codeql,
+    logger,
+  );
+
+  t.is(config.overlayDatabaseMode, OverlayDatabaseMode.None);
+  t.deepEqual(config.extraQueryExclusions, [
+    { exclude: { tags: "exclude-from-incremental" } },
+  ]);
+});

src/config-utils.ts

@@ -31,7 +31,7 @@ import {
   addNoLanguageDiagnostic,
   makeTelemetryDiagnostic,
 } from "./diagnostics";
-import { shouldPerformDiffInformedAnalysis } from "./diff-informed-analysis-utils";
+import { prepareDiffInformedAnalysis } from "./diff-informed-analysis-utils";
 import { EnvVar } from "./environment";
 import * as errorMessages from "./error-messages";
 import { Feature, FeatureEnablement } from "./feature-flags";
@@ -407,7 +407,6 @@ export async function getLanguages(
   return languages;
 }
 
-/** Parses the `languages` input into a list of languages without checking if they are supported by CodeQL. */
 export function getRawLanguagesNoAutodetect(
   languagesInput: string | undefined,
 ): string[] {
@@ -1077,6 +1076,48 @@ function hasQueryCustomisation(userConfig: UserConfig): boolean {
   );
 }
 
+/**
+ * Finalize the incremental-analysis configuration for this run.
+ *
+ * Overlay analysis has only been validated in combination with diff-informed
+ * analysis, so if `Overlay` mode was selected for a pull request but the diff
+ * ranges could not be computed, fall back to a full non-overlay analysis.
+ *
+ * Query exclusions for incremental-only queries are then applied whenever the
+ * diff ranges are available — which, after the fallback above, is exactly the
+ * set of runs where any kind of incremental analysis (overlay or
+ * diff-informed) is in effect.
+ */
+export async function applyIncrementalAnalysisSettings(
+  config: Config,
+  hasDiffRanges: boolean,
+  codeql: CodeQL,
+  logger: Logger,
+): Promise<void> {
+  if (
+    config.overlayDatabaseMode === OverlayDatabaseMode.Overlay &&
+    !hasDiffRanges
+  ) {
+    logger.info(
+      `Reverting overlay database mode to ${OverlayDatabaseMode.None} ` +
+        "because the PR diff ranges could not be computed.",
+    );
+    config.overlayDatabaseMode = OverlayDatabaseMode.None;
+    config.useOverlayDatabaseCaching = false;
+    await addOverlayDisablementDiagnostics(
+      config,
+      codeql,
+      OverlayDisabledReason.DiffInformedAnalysisNotEnabled,
+    );
+  }
+
+  if (hasDiffRanges) {
+    config.extraQueryExclusions.push({
+      exclude: { tags: "exclude-from-incremental" },
+    });
+  }
+}
+
 /**
  * Load and return the config.
  *
@@ -1231,18 +1272,18 @@ export async function initConfig(
     );
   }
 
-  if (
-    config.overlayDatabaseMode === OverlayDatabaseMode.Overlay ||
-    (await shouldPerformDiffInformedAnalysis(
-      inputs.codeql,
-      inputs.features,
-      logger,
-    ))
-  ) {
-    config.extraQueryExclusions.push({
-      exclude: { tags: "exclude-from-incremental" },
-    });
-  }
+  const hasDiffRanges = await prepareDiffInformedAnalysis(
+    inputs.codeql,
+    inputs.features,
+    logger,
+  );
+
+  await applyIncrementalAnalysisSettings(
+    config,
+    hasDiffRanges,
+    inputs.codeql,
+    logger,
+  );
 
   if (await isTrapCachingEnabled(features, config.overlayDatabaseMode)) {
     const { trapCaches, trapCacheDownloadTime } = await downloadCacheWithTime(

src/config/db-config.test.ts

@@ -7,7 +7,6 @@ import {
   checkExpectedLogMessages,
   getRecordingLogger,
   LoggedMessage,
-  makeMacro,
 } from "../testing-utils";
 import { ConfigurationError, prettyPrintPack } from "../util";
 
@@ -16,7 +15,7 @@ import * as dbConfig from "./db-config";
 /**
  * Test macro for ensuring the packs block is valid
  */
-const parsePacksMacro = makeMacro({
+const parsePacksMacro = test.macro({
   exec: (
     t: ExecutionContext<unknown>,
     packsInput: string,
@@ -34,7 +33,7 @@ const parsePacksMacro = makeMacro({
 /**
  * Test macro for testing when the packs block is invalid
  */
-const parsePacksErrorMacro = makeMacro({
+const parsePacksErrorMacro = test.macro({
   exec: (
     t: ExecutionContext<unknown>,
     packsInput: string,
@@ -50,32 +49,34 @@ const parsePacksErrorMacro = makeMacro({
 /**
  * Test macro for testing when the packs block is invalid
  */
-const invalidPackNameMacro = makeMacro({
-  exec: (t: ExecutionContext, arg: string) =>
-    parsePacksErrorMacro.fn(
+const invalidPackNameMacro = test.macro({
+  exec: (t: ExecutionContext, name: string) =>
+    parsePacksErrorMacro.exec(
       t,
-      arg,
+      name,
       [BuiltInLanguage.cpp],
-      new RegExp(`^"${arg}" is not a valid pack$`),
+      new RegExp(`^"${name}" is not a valid pack$`),
     ),
   title: (_providedTitle: string | undefined, arg: string | undefined) =>
     `Invalid pack string: ${arg}`,
 });
 
-parsePacksMacro("no packs", "", [], undefined);
-parsePacksMacro("two packs", "a/b,c/d@1.2.3", [BuiltInLanguage.cpp], {
+test("no packs", parsePacksMacro, "", [], undefined);
+test("two packs", parsePacksMacro, "a/b,c/d@1.2.3", [BuiltInLanguage.cpp], {
   [BuiltInLanguage.cpp]: ["a/b", "c/d@1.2.3"],
 });
-parsePacksMacro(
+test(
   "two packs with spaces",
+  parsePacksMacro,
   " a/b , c/d@1.2.3 ",
   [BuiltInLanguage.cpp],
   {
     [BuiltInLanguage.cpp]: ["a/b", "c/d@1.2.3"],
   },
 );
-parsePacksErrorMacro(
+test(
   "two packs with language",
+  parsePacksErrorMacro,
   "a/b,c/d@1.2.3",
   [BuiltInLanguage.cpp, BuiltInLanguage.java],
   new RegExp(
@@ -84,8 +85,9 @@ parsePacksErrorMacro(
   ),
 );
 
-parsePacksMacro(
+test(
   "packs with other valid names",
+  parsePacksMacro,
   [
     // ranges are ok
     "c/d@1.0",
@@ -121,23 +123,23 @@ parsePacksMacro(
   },
 );
 
-invalidPackNameMacro.test("c"); // all packs require at least a scope and a name
-invalidPackNameMacro.test("c-/d");
-invalidPackNameMacro.test("-c/d");
-invalidPackNameMacro.test("c/d_d");
-invalidPackNameMacro.test("c/d@@");
-invalidPackNameMacro.test("c/d@1.0.0:");
-invalidPackNameMacro.test("c/d:");
-invalidPackNameMacro.test("c/d:/a");
-invalidPackNameMacro.test("@1.0.0:a");
-invalidPackNameMacro.test("c/d@../a");
-invalidPackNameMacro.test("c/d@b/../a");
-invalidPackNameMacro.test("c/d:z@1");
+test(invalidPackNameMacro, "c"); // all packs require at least a scope and a name
+test(invalidPackNameMacro, "c-/d");
+test(invalidPackNameMacro, "-c/d");
+test(invalidPackNameMacro, "c/d_d");
+test(invalidPackNameMacro, "c/d@@");
+test(invalidPackNameMacro, "c/d@1.0.0:");
+test(invalidPackNameMacro, "c/d:");
+test(invalidPackNameMacro, "c/d:/a");
+test(invalidPackNameMacro, "@1.0.0:a");
+test(invalidPackNameMacro, "c/d@../a");
+test(invalidPackNameMacro, "c/d@b/../a");
+test(invalidPackNameMacro, "c/d:z@1");
 
 /**
  * Test macro for pretty printing pack specs
  */
-const packSpecPrettyPrintingMacro = makeMacro({
+const packSpecPrettyPrintingMacro = test.macro({
   exec: (t: ExecutionContext, packStr: string, packObj: dbConfig.Pack) => {
     const parsed = dbConfig.parsePacksSpecification(packStr);
     t.deepEqual(parsed, packObj, "parsed pack spec is correct");
@@ -161,35 +163,36 @@ const packSpecPrettyPrintingMacro = makeMacro({
   ) => `Prettyprint pack spec: '${packStr}'`,
 });
 
-packSpecPrettyPrintingMacro.test("a/b", {
+test(packSpecPrettyPrintingMacro, "a/b", {
   name: "a/b",
   version: undefined,
   path: undefined,
 });
-packSpecPrettyPrintingMacro.test("a/b@~1.2.3", {
+test(packSpecPrettyPrintingMacro, "a/b@~1.2.3", {
   name: "a/b",
   version: "~1.2.3",
   path: undefined,
 });
-packSpecPrettyPrintingMacro.test("a/b@~1.2.3:abc/def", {
+test(packSpecPrettyPrintingMacro, "a/b@~1.2.3:abc/def", {
   name: "a/b",
   version: "~1.2.3",
   path: "abc/def",
 });
-packSpecPrettyPrintingMacro.test("a/b:abc/def", {
+test(packSpecPrettyPrintingMacro, "a/b:abc/def", {
   name: "a/b",
   version: undefined,
   path: "abc/def",
 });
-packSpecPrettyPrintingMacro.test("    a/b:abc/def    ", {
+test(packSpecPrettyPrintingMacro, "    a/b:abc/def    ", {
   name: "a/b",
   version: undefined,
   path: "abc/def",
 });
 
-const calculateAugmentationMacro = makeMacro({
+const calculateAugmentationMacro = test.macro({
   exec: async (
     t: ExecutionContext,
+    _title: string,
     rawPacksInput: string | undefined,
     rawQueriesInput: string | undefined,
     languages: Language[],
@@ -204,10 +207,11 @@ const calculateAugmentationMacro = makeMacro({
     );
     t.deepEqual(actualAugmentationProperties, expectedAugmentationProperties);
   },
-  title: (title) => `Calculate Augmentation: ${title}`,
+  title: (_, title) => `Calculate Augmentation: ${title}`,
 });
 
-calculateAugmentationMacro(
+test(
+  calculateAugmentationMacro,
   "All empty",
   undefined,
   undefined,
@@ -218,7 +222,8 @@ calculateAugmentationMacro(
   },
 );
 
-calculateAugmentationMacro(
+test(
+  calculateAugmentationMacro,
   "With queries",
   undefined,
   " a, b , c, d",
@@ -230,7 +235,8 @@ calculateAugmentationMacro(
   },
 );
 
-calculateAugmentationMacro(
+test(
+  calculateAugmentationMacro,
   "With queries combining",
   undefined,
   "   +   a, b , c, d ",
@@ -243,7 +249,8 @@ calculateAugmentationMacro(
   },
 );
 
-calculateAugmentationMacro(
+test(
+  calculateAugmentationMacro,
   "With packs",
   "   codeql/a , codeql/b   , codeql/c  , codeql/d  ",
   undefined,
@@ -255,7 +262,8 @@ calculateAugmentationMacro(
   },
 );
 
-calculateAugmentationMacro(
+test(
+  calculateAugmentationMacro,
   "With packs combining",
   "   +   codeql/a, codeql/b, codeql/c, codeql/d",
   undefined,
@@ -268,7 +276,8 @@ calculateAugmentationMacro(
   },
 );
 
-calculateAugmentationMacro(
+test(
+  calculateAugmentationMacro,
   "With repo property queries",
   undefined,
   undefined,
@@ -285,7 +294,8 @@ calculateAugmentationMacro(
   },
 );
 
-calculateAugmentationMacro(
+test(
+  calculateAugmentationMacro,
   "With repo property queries combining",
   undefined,
   undefined,
@@ -302,9 +312,10 @@ calculateAugmentationMacro(
   },
 );
 
-const calculateAugmentationErrorMacro = makeMacro({
+const calculateAugmentationErrorMacro = test.macro({
   exec: async (
     t: ExecutionContext,
+    _title: string,
     rawPacksInput: string | undefined,
     rawQueriesInput: string | undefined,
     languages: Language[],
@@ -322,10 +333,11 @@ const calculateAugmentationErrorMacro = makeMacro({
       { message: expectedError },
     );
   },
-  title: (title) => `Calculate Augmentation Error: ${title}`,
+  title: (_, title) => `Calculate Augmentation Error: ${title}`,
 });
 
-calculateAugmentationErrorMacro(
+test(
+  calculateAugmentationErrorMacro,
   "Plus (+) with nothing else (queries)",
   undefined,
   "   +   ",
@@ -334,7 +346,8 @@ calculateAugmentationErrorMacro(
   /The workflow property "queries" is invalid/,
 );
 
-calculateAugmentationErrorMacro(
+test(
+  calculateAugmentationErrorMacro,
   "Plus (+) with nothing else (packs)",
   "   +   ",
   undefined,
@@ -343,7 +356,8 @@ calculateAugmentationErrorMacro(
   /The workflow property "packs" is invalid/,
 );
 
-calculateAugmentationErrorMacro(
+test(
+  calculateAugmentationErrorMacro,
   "Plus (+) with nothing else (repo property queries)",
   undefined,
   undefined,
@@ -354,7 +368,8 @@ calculateAugmentationErrorMacro(
   /The repository property "github-codeql-extra-queries" is invalid/,
 );
 
-calculateAugmentationErrorMacro(
+test(
+  calculateAugmentationErrorMacro,
   "Packs input with multiple languages",
   "   +  a/b, c/d ",
   undefined,
@@ -363,7 +378,8 @@ calculateAugmentationErrorMacro(
   /Cannot specify a 'packs' input in a multi-language analysis/,
 );
 
-calculateAugmentationErrorMacro(
+test(
+  calculateAugmentationErrorMacro,
   "Packs input with no languages",
   "   +  a/b, c/d ",
   undefined,
@@ -372,7 +388,8 @@ calculateAugmentationErrorMacro(
   /No languages specified/,
 );
 
-calculateAugmentationErrorMacro(
+test(
+  calculateAugmentationErrorMacro,
   "Invalid packs",
   " a-pack-without-a-scope ",
   undefined,

src/debug-artifacts.ts

@@ -263,7 +263,7 @@ export function getArtifactSuffix(matrix: string | undefined): string {
     try {
       const matrixObject = JSON.parse(matrix);
       if (json.isObject(matrixObject)) {
-        for (const matrixKey of Object.keys(matrixObject).sort())
+        for (const matrixKey of Object.keys(matrixObject as object).sort())
           suffix += `-${matrixObject[matrixKey]}`;
       } else {
         core.warning("User-specified `matrix` input is not an object.");

src/defaults.json

@@ -1,6 +1,6 @@
 {
-  "bundleVersion": "codeql-bundle-v2.25.4",
-  "cliVersion": "2.25.4",
-  "priorBundleVersion": "codeql-bundle-v2.25.3",
-  "priorCliVersion": "2.25.3"
+  "bundleVersion": "codeql-bundle-v2.25.3",
+  "cliVersion": "2.25.3",
+  "priorBundleVersion": "codeql-bundle-v2.25.2",
+  "priorCliVersion": "2.25.2"
 }

src/diff-informed-analysis-utils.test.ts

@@ -5,18 +5,19 @@ import * as actionsUtil from "./actions-util";
 import type { PullRequestBranches } from "./actions-util";
 import * as apiClient from "./api-client";
 import {
-  shouldPerformDiffInformedAnalysis,
+  getDiffInformedAnalysisBranches,
+  prepareDiffInformedAnalysis,
   exportedForTesting,
 } from "./diff-informed-analysis-utils";
-import { Feature, initFeatures } from "./feature-flags";
+import { Feature, FeatureEnablement, initFeatures } from "./feature-flags";
 import { getRunnerLogger } from "./logging";
 import { parseRepositoryNwo } from "./repository";
 import {
   setupTests,
+  createFeatures,
   mockCodeQLVersion,
   mockFeatureFlagApiEndpoint,
   setupActionsVars,
-  makeMacro,
 } from "./testing-utils";
 import { GitHubVariant, withTmpDir } from "./util";
 import type { GitHubVersion } from "./util";
@@ -43,9 +44,10 @@ const defaultTestCase: DiffInformedAnalysisTestCase = {
   codeQLVersion: "2.21.0",
 };
 
-const testShouldPerformDiffInformedAnalysis = makeMacro({
+const testShouldPerformDiffInformedAnalysis = test.macro({
   exec: async (
     t: ExecutionContext,
+    _title: string,
     partialTestCase: Partial<DiffInformedAnalysisTestCase>,
     expectedResult: boolean,
   ) => {
@@ -80,13 +82,13 @@ const testShouldPerformDiffInformedAnalysis = makeMacro({
         .stub(actionsUtil, "getPullRequestBranches")
         .returns(testCase.pullRequestBranches);
 
-      const result = await shouldPerformDiffInformedAnalysis(
+      const branches = await getDiffInformedAnalysisBranches(
         codeql,
         features,
         logger,
       );
 
-      t.is(result, expectedResult);
+      t.is(branches !== undefined, expectedResult);
 
       delete process.env.CODEQL_ACTION_DIFF_INFORMED_QUERIES;
 
@@ -94,16 +96,18 @@ const testShouldPerformDiffInformedAnalysis = makeMacro({
       getPullRequestBranchesStub.restore();
     });
   },
-  title: (title) => `shouldPerformDiffInformedAnalysis: ${title}`,
+  title: (_, title) => `getDiffInformedAnalysisBranches: ${title}`,
 });
 
-testShouldPerformDiffInformedAnalysis.serial(
+test.serial(
+  testShouldPerformDiffInformedAnalysis,
   "returns true in the default test case",
   {},
   true,
 );
 
-testShouldPerformDiffInformedAnalysis.serial(
+test.serial(
+  testShouldPerformDiffInformedAnalysis,
   "returns false when feature flag is disabled from the API",
   {
     featureEnabled: false,
@@ -111,7 +115,8 @@ testShouldPerformDiffInformedAnalysis.serial(
   false,
 );
 
-testShouldPerformDiffInformedAnalysis.serial(
+test.serial(
+  testShouldPerformDiffInformedAnalysis,
   "returns false when CODEQL_ACTION_DIFF_INFORMED_QUERIES is set to false",
   {
     featureEnabled: true,
@@ -120,7 +125,8 @@ testShouldPerformDiffInformedAnalysis.serial(
   false,
 );
 
-testShouldPerformDiffInformedAnalysis.serial(
+test.serial(
+  testShouldPerformDiffInformedAnalysis,
   "returns true when CODEQL_ACTION_DIFF_INFORMED_QUERIES is set to true",
   {
     featureEnabled: false,
@@ -129,7 +135,8 @@ testShouldPerformDiffInformedAnalysis.serial(
   true,
 );
 
-testShouldPerformDiffInformedAnalysis.serial(
+test.serial(
+  testShouldPerformDiffInformedAnalysis,
   "returns false for CodeQL version 2.20.0",
   {
     codeQLVersion: "2.20.0",
@@ -137,7 +144,8 @@ testShouldPerformDiffInformedAnalysis.serial(
   false,
 );
 
-testShouldPerformDiffInformedAnalysis.serial(
+test.serial(
+  testShouldPerformDiffInformedAnalysis,
   "returns false for invalid GHES version",
   {
     gitHubVersion: {
@@ -148,7 +156,8 @@ testShouldPerformDiffInformedAnalysis.serial(
   false,
 );
 
-testShouldPerformDiffInformedAnalysis.serial(
+test.serial(
+  testShouldPerformDiffInformedAnalysis,
   "returns false for GHES version 3.18.5",
   {
     gitHubVersion: {
@@ -159,7 +168,8 @@ testShouldPerformDiffInformedAnalysis.serial(
   false,
 );
 
-testShouldPerformDiffInformedAnalysis.serial(
+test.serial(
+  testShouldPerformDiffInformedAnalysis,
   "returns true for GHES version 3.19.0",
   {
     gitHubVersion: {
@@ -170,7 +180,8 @@ testShouldPerformDiffInformedAnalysis.serial(
   true,
 );
 
-testShouldPerformDiffInformedAnalysis.serial(
+test.serial(
+  testShouldPerformDiffInformedAnalysis,
   "returns false when not a pull request",
   {
     pullRequestBranches: undefined,
@@ -178,6 +189,135 @@ testShouldPerformDiffInformedAnalysis.serial(
   false,
 );
 
+test.serial(
+  "prepareDiffInformedAnalysis: returns false when not a pull request",
+  async (t) => {
+    await withTmpDir(async (tmpDir) => {
+      setupActionsVars(tmpDir, tmpDir);
+      const logger = getRunnerLogger(true);
+      const codeql = mockCodeQLVersion("2.21.0");
+      const features = createFeatures([Feature.DiffInformedQueries]);
+
+      sinon.stub(actionsUtil, "getPullRequestBranches").returns(undefined);
+      sinon
+        .stub(apiClient, "getGitHubVersion")
+        .resolves({ type: GitHubVariant.DOTCOM });
+
+      const result = await prepareDiffInformedAnalysis(
+        codeql,
+        features,
+        logger,
+      );
+
+      t.false(result);
+    });
+  },
+);
+
+test.serial(
+  "prepareDiffInformedAnalysis: returns false when applicability check throws",
+  async (t) => {
+    await withTmpDir(async (tmpDir) => {
+      setupActionsVars(tmpDir, tmpDir);
+      const logger = getRunnerLogger(true);
+      const codeql = mockCodeQLVersion("2.21.0");
+      // A features implementation whose getValue rejects, simulating an
+      // unexpected failure when determining whether diff-informed analysis
+      // should run.
+      const features: FeatureEnablement = {
+        getDefaultCliVersion: async () => {
+          throw new Error("not implemented");
+        },
+        getValue: async () => {
+          throw new Error("feature flag lookup failed");
+        },
+      };
+
+      const result = await prepareDiffInformedAnalysis(
+        codeql,
+        features,
+        logger,
+      );
+
+      t.false(result);
+    });
+  },
+);
+
+test.serial(
+  "prepareDiffInformedAnalysis: returns true when the diff is fetched successfully",
+  async (t) => {
+    await withTmpDir(async (tmpDir) => {
+      setupActionsVars(tmpDir, tmpDir);
+      const logger = getRunnerLogger(true);
+      const codeql = mockCodeQLVersion("2.21.0");
+      const features = createFeatures([Feature.DiffInformedQueries]);
+
+      sinon
+        .stub(actionsUtil, "getPullRequestBranches")
+        .returns({ base: "main", head: "feature" });
+      sinon
+        .stub(apiClient, "getGitHubVersion")
+        .resolves({ type: GitHubVariant.DOTCOM });
+      // eslint-disable-next-line @typescript-eslint/no-unsafe-argument
+      sinon.stub(apiClient, "getApiClient").returns({
+        rest: {
+          repos: {
+            compareCommitsWithBasehead: sinon
+              .stub()
+              .resolves({ data: { files: [] } }),
+          },
+        },
+      } as any);
+
+      const result = await prepareDiffInformedAnalysis(
+        codeql,
+        features,
+        logger,
+      );
+
+      t.true(result);
+    });
+  },
+);
+
+test.serial(
+  "prepareDiffInformedAnalysis: returns false when the diff API call fails",
+  async (t) => {
+    await withTmpDir(async (tmpDir) => {
+      setupActionsVars(tmpDir, tmpDir);
+      const logger = getRunnerLogger(true);
+      const codeql = mockCodeQLVersion("2.21.0");
+      const features = createFeatures([Feature.DiffInformedQueries]);
+
+      sinon
+        .stub(actionsUtil, "getPullRequestBranches")
+        .returns({ base: "main", head: "feature" });
+      sinon
+        .stub(apiClient, "getGitHubVersion")
+        .resolves({ type: GitHubVariant.DOTCOM });
+      const notFoundError: any = new Error("Not Found");
+      notFoundError.status = 404;
+      // eslint-disable-next-line @typescript-eslint/no-unsafe-argument
+      sinon.stub(apiClient, "getApiClient").returns({
+        rest: {
+          repos: {
+            compareCommitsWithBasehead: sinon.stub().rejects(notFoundError),
+          },
+        },
+      } as any);
+
+      const result = await prepareDiffInformedAnalysis(
+        codeql,
+        features,
+        logger,
+      );
+
+      t.false(result);
+    });
+  },
+);
+
 function runGetDiffRanges(changes: number, patch: string[] | undefined): any {
   return exportedForTesting.getDiffRanges(
     {

src/diff-informed-analysis-utils.ts

@@ -5,9 +5,9 @@ import type { PullRequestBranches } from "./actions-util";
 import { getApiClient, getGitHubVersion } from "./api-client";
 import type { CodeQL } from "./codeql";
 import { Feature, FeatureEnablement } from "./feature-flags";
-import { Logger } from "./logging";
+import { Logger, withGroupAsync } from "./logging";
 import { getRepositoryNwoFromEnv } from "./repository";
-import { GitHubVariant, satisfiesGHESVersion } from "./util";
+import { getErrorMessage, GitHubVariant, satisfiesGHESVersion } from "./util";
 
 /**
  * This interface is an abbreviated version of the file diff object returned by
@@ -21,20 +21,6 @@ interface FileDiff {
   patch?: string | undefined;
 }
 
-/**
- * Check if the action should perform diff-informed analysis.
- */
-export async function shouldPerformDiffInformedAnalysis(
-  codeql: CodeQL,
-  features: FeatureEnablement,
-  logger: Logger,
-): Promise<boolean> {
-  return (
-    (await getDiffInformedAnalysisBranches(codeql, features, logger)) !==
-    undefined
-  );
-}
-
 /**
  * Get the branches to use for diff-informed analysis.
  *
@@ -69,6 +55,46 @@ export async function getDiffInformedAnalysisBranches(
   return branches;
 }
 
+/**
+ * Prepares the diff ranges needed for diff-informed analysis for the current
+ * run.
+ *
+ * @returns `true` if the diff ranges were successfully computed and persisted
+ *   and are therefore available for use, `false` otherwise.
+ */
+export async function prepareDiffInformedAnalysis(
+  codeql: CodeQL,
+  features: FeatureEnablement,
+  logger: Logger,
+): Promise<boolean> {
+  let branches: PullRequestBranches | undefined;
+  try {
+    branches = await getDiffInformedAnalysisBranches(codeql, features, logger);
+  } catch (e) {
+    // If we cannot determine whether diff-informed analysis applies (for
+    // example, because a feature-flag lookup failed), treat it as not
+    // applicable rather than triggering the overlay fallback.
+    logger.warning(
+      `Failed to determine branch information for diff-informed analysis: ${getErrorMessage(e)}`,
+    );
+    return false;
+  }
+  if (!branches) {
+    return false;
+  }
+
+  return await withGroupAsync("Computing PR diff ranges", async () => {
+    try {
+      return await computeAndPersistDiffRanges(branches, logger);
+    } catch (e) {
+      logger.warning(
+        `Failed to compute diff-informed analysis ranges: ${getErrorMessage(e)}`,
+      );
+      return false;
+    }
+  });
+}
+
 export interface DiffThunkRange {
   /** Relative path from the repository root, using forward slashes as separators. */
   path: string;
@@ -151,6 +177,33 @@ export async function getPullRequestEditedDiffRanges(
   return results;
 }
 
+/**
+ * Compute and persist the diff ranges for a pull request. This fetches the
+ * diff from the GitHub API and writes it to the diff ranges JSON file so that
+ * CodeQL can use it for diff-informed analysis.
+ *
+ * @param branches The base and head branches of the pull request, as returned
+ *   by `getDiffInformedAnalysisBranches`.
+ * @param logger
+ * @returns `true` if the diff ranges were successfully computed and persisted,
+ *   otherwise `false`.
+ */
+export async function computeAndPersistDiffRanges(
+  branches: PullRequestBranches,
+  logger: Logger,
+): Promise<boolean> {
+  const ranges = await getPullRequestEditedDiffRanges(branches, logger);
+  if (ranges === undefined) {
+    return false;
+  }
+  writeDiffRangesJsonFile(logger, ranges);
+  const distinctFiles = new Set(ranges.map((r) => r.path)).size;
+  logger.info(
+    `Persisted ${ranges.length} diff range(s) across ${distinctFiles} file(s).`,
+  );
+  return true;
+}
+
 async function getFileDiffsWithBasehead(
   branches: PullRequestBranches,
   logger: Logger,

src/feature-flags.test.ts

@@ -451,16 +451,12 @@ test.serial(`selects CLI from defaults.json on GHES`, async (t) => {
   await withTmpDir(async (tmpDir) => {
     const features = setUpFeatureFlagTests(tmpDir);
 
-    const defaultCliVersion = await features.getEnabledDefaultCliVersions(
+    const defaultCliVersion = await features.getDefaultCliVersion(
       GitHubVariant.GHES,
     );
     t.deepEqual(defaultCliVersion, {
-      enabledVersions: [
-        {
-          cliVersion: defaults.cliVersion,
-          tagName: defaults.bundleVersion,
-        },
-      ],
+      cliVersion: defaults.cliVersion,
+      tagName: defaults.bundleVersion,
     });
   });
 });
@@ -486,13 +482,10 @@ for (const variant of [GitHubVariant.DOTCOM, GitHubVariant.GHEC_DR]) {
           false;
         mockFeatureFlagApiEndpoint(200, expectedFeatureEnablement);
 
-        const defaultCliVersion =
-          await features.getEnabledDefaultCliVersions(variant);
+        const defaultCliVersion = await features.getDefaultCliVersion(variant);
         t.deepEqual(defaultCliVersion, {
-          enabledVersions: [
-            { cliVersion: "2.20.1", tagName: "codeql-bundle-v2.20.1" },
-            { cliVersion: "2.20.0", tagName: "codeql-bundle-v2.20.0" },
-          ],
+          cliVersion: "2.20.1",
+          tagName: "codeql-bundle-v2.20.1",
           toolsFeatureFlagsValid: true,
         });
       });
@@ -507,15 +500,10 @@ for (const variant of [GitHubVariant.DOTCOM, GitHubVariant.GHEC_DR]) {
         const expectedFeatureEnablement = initializeFeatures(true);
         mockFeatureFlagApiEndpoint(200, expectedFeatureEnablement);
 
-        const defaultCliVersion =
-          await features.getEnabledDefaultCliVersions(variant);
+        const defaultCliVersion = await features.getDefaultCliVersion(variant);
         t.deepEqual(defaultCliVersion, {
-          enabledVersions: [
-            {
-              cliVersion: defaults.cliVersion,
-              tagName: defaults.bundleVersion,
-            },
-          ],
+          cliVersion: defaults.cliVersion,
+          tagName: defaults.bundleVersion,
           toolsFeatureFlagsValid: false,
         });
       });
@@ -541,13 +529,10 @@ for (const variant of [GitHubVariant.DOTCOM, GitHubVariant.GHEC_DR]) {
         ] = true;
         mockFeatureFlagApiEndpoint(200, expectedFeatureEnablement);
 
-        const defaultCliVersion =
-          await features.getEnabledDefaultCliVersions(variant);
+        const defaultCliVersion = await features.getDefaultCliVersion(variant);
         t.deepEqual(defaultCliVersion, {
-          enabledVersions: [
-            { cliVersion: "2.20.1", tagName: "codeql-bundle-v2.20.1" },
-            { cliVersion: "2.20.0", tagName: "codeql-bundle-v2.20.0" },
-          ],
+          cliVersion: "2.20.1",
+          tagName: "codeql-bundle-v2.20.1",
           toolsFeatureFlagsValid: true,
         });
 

src/feature-flags.ts

@@ -29,32 +29,9 @@ const DEFAULT_VERSION_FEATURE_FLAG_SUFFIX = "_enabled";
  */
 export const CODEQL_VERSION_ZSTD_BUNDLE = "2.19.0";
 
-const LINKED_CODEQL_VERSION: CodeQLVersionInfo = {
-  cliVersion: defaults.cliVersion,
-  tagName: defaults.bundleVersion,
-};
-
-export interface CodeQLVersionInfo {
-  /** The version number of the CodeQL CLI, e.g. `2.19.0`. */
-  cliVersion: string;
-  /**
-   * The tag name of the CodeQL Bundle associated with this version, e.g. `codeql-bundle-v2.19.0`.
-   */
-  tagName: string;
-}
-
 export interface CodeQLDefaultVersionInfo {
-  /**
-   * CodeQL CLI versions that are enabled as defaults, sorted from highest to lowest.
-   *
-   * Guaranteed to be non-empty. When feature flags are unavailable, this falls back to a single
-   * entry containing the version pinned in `defaults.json`.
-   */
-  enabledVersions: CodeQLVersionInfo[];
-  /**
-   * If accessed, whether the tools feature flags are valid, i.e. contain at least one enabled
-   * version.
-   */
+  cliVersion: string;
+  tagName: string;
   toolsFeatureFlagsValid?: boolean;
 }
 
@@ -95,19 +72,6 @@ export enum Feature {
   OverlayAnalysisGo = "overlay_analysis_go",
   OverlayAnalysisJava = "overlay_analysis_java",
   OverlayAnalysisJavascript = "overlay_analysis_javascript",
-  /**
-   * When set, chooses the default CodeQL CLI version as the highest version that is both enabled by
-   * feature flags and present as an overlay-base database in the Actions cache for the configured
-   * languages. Falls back to the highest feature flagged version if no intersecting overlay-base
-   * database exists in the cache.
-   */
-  OverlayAnalysisMatchCodeqlVersion = "overlay_analysis_match_codeql_version",
-  /**
-   * Like `OverlayAnalysisMatchCodeqlVersion`, but only logs a diagnostic with the version that
-   * would have been chosen instead of actually changing the default CodeQL CLI version.
-   * `OverlayAnalysisMatchCodeqlVersion` overrides this flag.
-   */
-  OverlayAnalysisMatchCodeqlVersionDryRun = "overlay_analysis_match_codeql_version_dry_run",
   OverlayAnalysisPython = "overlay_analysis_python",
   /**
    * Controls whether lower disk space requirements are used for overlay hardware checks.
@@ -313,16 +277,6 @@ export const featureConfig = {
     envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_DISABLE_TRAP_CACHING",
     minimumVersion: undefined,
   },
-  [Feature.OverlayAnalysisMatchCodeqlVersion]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_MATCH_CODEQL_VERSION",
-    minimumVersion: undefined,
-  },
-  [Feature.OverlayAnalysisMatchCodeqlVersionDryRun]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_MATCH_CODEQL_VERSION_DRY_RUN",
-    minimumVersion: undefined,
-  },
   [Feature.OverlayAnalysisResourceChecksV2]: {
     defaultValue: false,
     envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_RESOURCE_CHECKS_V2",
@@ -392,12 +346,8 @@ export type FeatureWithoutCLI = {
 }[keyof typeof featureConfig];
 
 export interface FeatureEnablement {
-  /**
-   * Returns the set of default CodeQL CLI versions to consider, sorted from
-   * highest to lowest. The first entry is the version that the CodeQL Action
-   * will use by default. The list is always non-empty.
-   */
-  getEnabledDefaultCliVersions(
+  /** Gets the default version of the CodeQL tools. */
+  getDefaultCliVersion(
     variant: util.GitHubVariant,
   ): Promise<CodeQLDefaultVersionInfo>;
   getValue(feature: FeatureWithoutCLI): Promise<boolean>;
@@ -421,11 +371,12 @@ export const FEATURE_FLAGS_FILE_NAME = "cached-feature-flags.json";
 class OfflineFeatures implements FeatureEnablement {
   constructor(protected readonly logger: Logger) {}
 
-  async getEnabledDefaultCliVersions(
+  async getDefaultCliVersion(
     _variant: util.GitHubVariant,
   ): Promise<CodeQLDefaultVersionInfo> {
     return {
-      enabledVersions: [LINKED_CODEQL_VERSION],
+      cliVersion: defaults.cliVersion,
+      tagName: defaults.bundleVersion,
     };
   }
 
@@ -435,7 +386,7 @@ class OfflineFeatures implements FeatureEnablement {
   getFeatureConfig(feature: Feature): FeatureConfig {
     // Narrow the type to FeatureConfig to avoid type errors. To avoid unsafe use of `as`, we
     // check that the required properties exist using `satisfies`.
-    return featureConfig[feature] satisfies FeatureConfig;
+    return featureConfig[feature] satisfies FeatureConfig as FeatureConfig;
   }
 
   /**
@@ -567,13 +518,13 @@ class Features extends OfflineFeatures {
     );
   }
 
-  async getEnabledDefaultCliVersions(
+  async getDefaultCliVersion(
     variant: util.GitHubVariant,
   ): Promise<CodeQLDefaultVersionInfo> {
     if (supportsFeatureFlags(variant)) {
-      return await this.gitHubFeatureFlags.getEnabledDefaultCliVersionsFromFlags();
+      return await this.gitHubFeatureFlags.getDefaultCliVersionFromFlags();
     }
-    return super.getEnabledDefaultCliVersions(variant);
+    return super.getDefaultCliVersion(variant);
   }
 
   /**
@@ -649,22 +600,16 @@ class GitHubFeatureFlags {
     return version;
   }
 
-  /**
-   * Returns CLI versions enabled by `default_codeql_version_*_enabled` feature
-   * flags, sorted from highest to lowest. Falls back to the version pinned in
-   * `defaults.json` if no such flags are enabled.
-   */
-  async getEnabledDefaultCliVersionsFromFlags(): Promise<CodeQLDefaultVersionInfo> {
+  async getDefaultCliVersionFromFlags(): Promise<CodeQLDefaultVersionInfo> {
     const response = await this.getAllFeatures();
 
-    const sortedCliVersions = Object.entries(response)
+    const enabledFeatureFlagCliVersions = Object.entries(response)
       .map(([f, isEnabled]) =>
         isEnabled ? this.getCliVersionFromFeatureFlag(f) : undefined,
       )
-      .filter((f): f is string => f !== undefined)
-      .sort(semver.rcompare);
+      .filter((f): f is string => f !== undefined);
 
-    if (sortedCliVersions.length === 0) {
+    if (enabledFeatureFlagCliVersions.length === 0) {
       // We expect at least one default CLI version to be enabled on Dotcom at any time. However if
       // the feature flags are misconfigured, rather than crashing, we fall back to the CLI version
       // shipped with the Action in defaults.json. This has the effect of immediately rolling out
@@ -680,7 +625,8 @@ class GitHubFeatureFlags {
           `shipped with the Action. This is ${defaults.cliVersion}.`,
       );
       const result: CodeQLDefaultVersionInfo = {
-        enabledVersions: [LINKED_CODEQL_VERSION],
+        cliVersion: defaults.cliVersion,
+        tagName: defaults.bundleVersion,
       };
       if (this.hasAccessedRemoteFeatureFlags) {
         result.toolsFeatureFlagsValid = false;
@@ -688,14 +634,17 @@ class GitHubFeatureFlags {
       return result;
     }
 
+    const maxCliVersion = enabledFeatureFlagCliVersions.reduce(
+      (maxVersion, currentVersion) =>
+        currentVersion > maxVersion ? currentVersion : maxVersion,
+      enabledFeatureFlagCliVersions[0],
+    );
     this.logger.debug(
-      `Derived default CLI version of ${sortedCliVersions[0]} from feature flags.`,
+      `Derived default CLI version of ${maxCliVersion} from feature flags.`,
     );
     return {
-      enabledVersions: sortedCliVersions.map((cliVersion) => ({
-        cliVersion,
-        tagName: `codeql-bundle-v${cliVersion}`,
-      })),
+      cliVersion: maxCliVersion,
+      tagName: `codeql-bundle-v${maxCliVersion}`,
       toolsFeatureFlagsValid: true,
     };
   }

src/init-action-post-helper.test.ts

@@ -19,7 +19,6 @@ import {
   createFeatures,
   createTestConfig,
   DEFAULT_ACTIONS_VARS,
-  makeMacro,
   makeVersionInfo,
   RecordingLogger,
   setupActionsVars,
@@ -602,7 +601,7 @@ async function testFailedSarifUpload(
   uploadFiles.resolves({
     sarifID: "42",
     statusReport: { raw_upload_size_bytes: 20, zipped_upload_size_bytes: 10 },
-  });
+  } as uploadLib.UploadResult);
   const waitForProcessing = sinon.stub(uploadLib, "waitForProcessing");
 
   const features = [] as Feature[];
@@ -797,7 +796,7 @@ test.serial(
   },
 );
 
-const skippedUploadTest = makeMacro({
+const skippedUploadTest = test.macro({
   exec: async (
     t: ExecutionContext<unknown>,
     config: Partial<configUtils.Config>,
@@ -824,8 +823,9 @@ const skippedUploadTest = makeMacro({
     `tryUploadSarifIfRunFailed - skips upload ${providedTitle}`,
 });
 
-skippedUploadTest.serial(
+test.serial(
   "without CodeQL command",
+  skippedUploadTest,
   // No codeQLCmd
   {
     analysisKinds: [AnalysisKind.RiskAssessment],
@@ -834,8 +834,9 @@ skippedUploadTest.serial(
   "CodeQL command not found",
 );
 
-skippedUploadTest.serial(
+test.serial(
   "if no language is configured",
+  skippedUploadTest,
   // No explicit language configuration
   {
     analysisKinds: [AnalysisKind.RiskAssessment],
@@ -844,8 +845,9 @@ skippedUploadTest.serial(
   "Unexpectedly, the configuration is not for a single language.",
 );
 
-skippedUploadTest.serial(
+test.serial(
   "if multiple languages is configured",
+  skippedUploadTest,
   // Multiple explicit languages configured
   {
     analysisKinds: [AnalysisKind.RiskAssessment],

src/init-action.ts

@@ -37,11 +37,6 @@ import {
   makeDiagnostic,
   makeTelemetryDiagnostic,
 } from "./diagnostics";
-import {
-  getDiffInformedAnalysisBranches,
-  getPullRequestEditedDiffRanges,
-  writeDiffRangesJsonFile,
-} from "./diff-informed-analysis-utils";
 import { EnvVar } from "./environment";
 import { Feature, FeatureEnablement, initFeatures } from "./feature-flags";
 import {
@@ -298,23 +293,16 @@ async function run(startedAt: Date) {
       );
     }
 
-    const codeQLDefaultVersionInfo =
-      await features.getEnabledDefaultCliVersions(gitHubVersion.type);
+    const codeQLDefaultVersionInfo = await features.getDefaultCliVersion(
+      gitHubVersion.type,
+    );
     toolsFeatureFlagsValid = codeQLDefaultVersionInfo.toolsFeatureFlagsValid;
-    const rawLanguages = configUtils.getRawLanguagesNoAutodetect(
-      getOptionalInput("languages"),
-    );
-    const useOverlayAwareDefaultCliVersion = !!analysisKinds?.includes(
-      AnalysisKind.CodeScanning,
-    );
     const initCodeQLResult = await initCodeQL(
       getOptionalInput("tools"),
       apiDetails,
       getTemporaryDirectory(),
       gitHubVersion.type,
       codeQLDefaultVersionInfo,
-      rawLanguages,
-      useOverlayAwareDefaultCliVersion,
       features,
       logger,
     );
@@ -434,7 +422,6 @@ async function run(startedAt: Date) {
     }
 
     await checkInstallPython311(config.languages, codeql);
-    await computeAndPersistDiffRanges(codeql, features, logger);
   } catch (unwrappedError) {
     const error = wrapError(unwrappedError);
     core.setFailed(error.message);
@@ -830,42 +817,6 @@ async function loadRepositoryProperties(
   }
 }
 
-/**
- * Compute and persist diff ranges when diff-informed analysis is enabled
- * (feature flag + PR context). This writes the standard pr-diff-range.json
- * file for later reuse in the analyze step. Failures are logged but non-fatal.
- */
-async function computeAndPersistDiffRanges(
-  codeql: CodeQL,
-  features: FeatureEnablement,
-  logger: Logger,
-): Promise<void> {
-  await withGroupAsync("Computing PR diff ranges", async () => {
-    try {
-      const branches = await getDiffInformedAnalysisBranches(
-        codeql,
-        features,
-        logger,
-      );
-      if (!branches) {
-        return;
-      }
-      const ranges = await getPullRequestEditedDiffRanges(branches, logger);
-      if (ranges === undefined) {
-        return;
-      }
-      writeDiffRangesJsonFile(logger, ranges);
-      const distinctFiles = new Set(ranges.map((r) => r.path)).size;
-      logger.info(
-        `Persisted ${ranges.length} diff range(s) across ${distinctFiles} file(s).`,
-      );
-    } catch (e) {
-      logger.warning(
-        `Failed to compute and persist PR diff ranges: ${getErrorMessage(e)}`,
-      );
-    }
-  });
-}
 async function recordZstdAvailability(
   config: configUtils.Config,
   zstdAvailability: ZstdAvailability,

src/init.test.ts

@@ -22,7 +22,6 @@ import {
   createTestConfig,
   getRecordingLogger,
   setupTests,
-  makeMacro,
 } from "./testing-utils";
 import { ConfigurationError, withTmpDir } from "./util";
 
@@ -159,9 +158,10 @@ type PackInfo = {
   qlpackFileName?: string;
 };
 
-const testCheckPacksForOverlayCompatibility = makeMacro({
+const testCheckPacksForOverlayCompatibility = test.macro({
   exec: async (
     t: ExecutionContext,
+    _title: string,
     {
       cliOverlayVersion,
       languages,
@@ -234,10 +234,11 @@ const testCheckPacksForOverlayCompatibility = makeMacro({
       );
     });
   },
-  title: (title) => `checkPacksForOverlayCompatibility: ${title}`,
+  title: (_, title) => `checkPacksForOverlayCompatibility: ${title}`,
 });
 
-testCheckPacksForOverlayCompatibility(
+test(
+  testCheckPacksForOverlayCompatibility,
   "returns false when CLI does not support overlay",
   {
     cliOverlayVersion: undefined,
@@ -252,7 +253,8 @@ testCheckPacksForOverlayCompatibility(
   },
 );
 
-testCheckPacksForOverlayCompatibility(
+test(
+  testCheckPacksForOverlayCompatibility,
   "returns true when there are no query packs",
   {
     cliOverlayVersion: 2,
@@ -262,7 +264,8 @@ testCheckPacksForOverlayCompatibility(
   },
 );
 
-testCheckPacksForOverlayCompatibility(
+test(
+  testCheckPacksForOverlayCompatibility,
   "returns true when query pack has not been compiled",
   {
     cliOverlayVersion: 2,
@@ -278,7 +281,8 @@ testCheckPacksForOverlayCompatibility(
   },
 );
 
-testCheckPacksForOverlayCompatibility(
+test(
+  testCheckPacksForOverlayCompatibility,
   "returns true when query pack has expected overlay version",
   {
     cliOverlayVersion: 2,
@@ -293,7 +297,8 @@ testCheckPacksForOverlayCompatibility(
   },
 );
 
-testCheckPacksForOverlayCompatibility(
+test(
+  testCheckPacksForOverlayCompatibility,
   "returns true when query packs for all languages to analyze are compatible",
   {
     cliOverlayVersion: 2,
@@ -312,7 +317,8 @@ testCheckPacksForOverlayCompatibility(
   },
 );
 
-testCheckPacksForOverlayCompatibility(
+test(
+  testCheckPacksForOverlayCompatibility,
   "returns true when query pack for a language not analyzed is incompatible",
   {
     cliOverlayVersion: 2,
@@ -331,7 +337,8 @@ testCheckPacksForOverlayCompatibility(
   },
 );
 
-testCheckPacksForOverlayCompatibility(
+test(
+  testCheckPacksForOverlayCompatibility,
   "returns false when query pack for a language to analyze is incompatible",
   {
     cliOverlayVersion: 2,
@@ -350,7 +357,8 @@ testCheckPacksForOverlayCompatibility(
   },
 );
 
-testCheckPacksForOverlayCompatibility(
+test(
+  testCheckPacksForOverlayCompatibility,
   "returns false when query pack is missing .packinfo",
   {
     cliOverlayVersion: 2,
@@ -369,7 +377,8 @@ testCheckPacksForOverlayCompatibility(
   },
 );
 
-testCheckPacksForOverlayCompatibility(
+test(
+  testCheckPacksForOverlayCompatibility,
   "returns false when query pack has different overlay version",
   {
     cliOverlayVersion: 2,
@@ -388,7 +397,8 @@ testCheckPacksForOverlayCompatibility(
   },
 );
 
-testCheckPacksForOverlayCompatibility(
+test(
+  testCheckPacksForOverlayCompatibility,
   "returns false when query pack is missing overlayVersion in .packinfo",
   {
     cliOverlayVersion: 2,
@@ -407,7 +417,8 @@ testCheckPacksForOverlayCompatibility(
   },
 );
 
-testCheckPacksForOverlayCompatibility(
+test(
+  testCheckPacksForOverlayCompatibility,
   "returns false when .packinfo is not valid JSON",
   {
     cliOverlayVersion: 2,
@@ -426,7 +437,8 @@ testCheckPacksForOverlayCompatibility(
   },
 );
 
-testCheckPacksForOverlayCompatibility(
+test(
+  testCheckPacksForOverlayCompatibility,
   "returns true when query pack uses codeql-pack.yml filename",
   {
     cliOverlayVersion: 2,

src/init.ts

@@ -39,8 +39,6 @@ export async function initCodeQL(
   tempDir: string,
   variant: util.GitHubVariant,
   defaultCliVersion: CodeQLDefaultVersionInfo,
-  rawLanguages: string[] | undefined,
-  useOverlayAwareDefaultCliVersion: boolean,
   features: FeatureEnablement,
   logger: Logger,
 ): Promise<{
@@ -63,8 +61,6 @@ export async function initCodeQL(
     tempDir,
     variant,
     defaultCliVersion,
-    rawLanguages,
-    useOverlayAwareDefaultCliVersion,
     features,
     logger,
     true,

src/overlay/caching.test.ts

@@ -13,7 +13,6 @@ import { BuiltInLanguage } from "../languages";
 import { getRunnerLogger } from "../logging";
 import {
   createTestConfig,
-  makeMacro,
   mockCodeQLVersion,
   setupTests,
 } from "../testing-utils";
@@ -52,9 +51,10 @@ const defaultDownloadTestCase: DownloadOverlayBaseDatabaseTestCase = {
   resolveDatabaseOutput: { overlayBaseSpecifier: "20250626:XXX" },
 };
 
-const testDownloadOverlayBaseDatabaseFromCache = makeMacro({
+const testDownloadOverlayBaseDatabaseFromCache = test.macro({
   exec: async (
     t,
+    _title: string,
     partialTestCase: Partial<DownloadOverlayBaseDatabaseTestCase>,
     expectDownloadSuccess: boolean,
   ) => {
@@ -142,16 +142,18 @@ const testDownloadOverlayBaseDatabaseFromCache = makeMacro({
       }
     });
   },
-  title: (title) => `downloadOverlayBaseDatabaseFromCache: ${title}`,
+  title: (_, title) => `downloadOverlayBaseDatabaseFromCache: ${title}`,
 });
 
-testDownloadOverlayBaseDatabaseFromCache.serial(
+test.serial(
+  testDownloadOverlayBaseDatabaseFromCache,
   "returns stats when successful",
   {},
   true,
 );
 
-testDownloadOverlayBaseDatabaseFromCache.serial(
+test.serial(
+  testDownloadOverlayBaseDatabaseFromCache,
   "returns undefined when mode is OverlayDatabaseMode.OverlayBase",
   {
     overlayDatabaseMode: OverlayDatabaseMode.OverlayBase,
@@ -159,7 +161,8 @@ testDownloadOverlayBaseDatabaseFromCache.serial(
   false,
 );
 
-testDownloadOverlayBaseDatabaseFromCache.serial(
+test.serial(
+  testDownloadOverlayBaseDatabaseFromCache,
   "returns undefined when mode is OverlayDatabaseMode.None",
   {
     overlayDatabaseMode: OverlayDatabaseMode.None,
@@ -167,7 +170,8 @@ testDownloadOverlayBaseDatabaseFromCache.serial(
   false,
 );
 
-testDownloadOverlayBaseDatabaseFromCache.serial(
+test.serial(
+  testDownloadOverlayBaseDatabaseFromCache,
   "returns undefined when caching is disabled",
   {
     useOverlayDatabaseCaching: false,
@@ -175,7 +179,8 @@ testDownloadOverlayBaseDatabaseFromCache.serial(
   false,
 );
 
-testDownloadOverlayBaseDatabaseFromCache.serial(
+test.serial(
+  testDownloadOverlayBaseDatabaseFromCache,
   "returns undefined in test mode",
   {
     isInTestMode: true,
@@ -183,7 +188,8 @@ testDownloadOverlayBaseDatabaseFromCache.serial(
   false,
 );
 
-testDownloadOverlayBaseDatabaseFromCache.serial(
+test.serial(
+  testDownloadOverlayBaseDatabaseFromCache,
   "returns undefined when cache miss",
   {
     restoreCacheResult: undefined,
@@ -191,7 +197,8 @@ testDownloadOverlayBaseDatabaseFromCache.serial(
   false,
 );
 
-testDownloadOverlayBaseDatabaseFromCache.serial(
+test.serial(
+  testDownloadOverlayBaseDatabaseFromCache,
   "returns undefined when download fails",
   {
     restoreCacheResult: new Error("Download failed"),
@@ -199,7 +206,8 @@ testDownloadOverlayBaseDatabaseFromCache.serial(
   false,
 );
 
-testDownloadOverlayBaseDatabaseFromCache.serial(
+test.serial(
+  testDownloadOverlayBaseDatabaseFromCache,
   "returns undefined when downloaded database is invalid",
   {
     hasBaseDatabaseOidsFile: false,
@@ -207,7 +215,8 @@ testDownloadOverlayBaseDatabaseFromCache.serial(
   false,
 );
 
-testDownloadOverlayBaseDatabaseFromCache.serial(
+test.serial(
+  testDownloadOverlayBaseDatabaseFromCache,
   "returns undefined when downloaded database doesn't have an overlayBaseSpecifier",
   {
     resolveDatabaseOutput: {},
@@ -215,7 +224,8 @@ testDownloadOverlayBaseDatabaseFromCache.serial(
   false,
 );
 
-testDownloadOverlayBaseDatabaseFromCache.serial(
+test.serial(
+  testDownloadOverlayBaseDatabaseFromCache,
   "returns undefined when resolving database metadata fails",
   {
     resolveDatabaseOutput: new Error("Failed to resolve database metadata"),
@@ -223,7 +233,8 @@ testDownloadOverlayBaseDatabaseFromCache.serial(
   false,
 );
 
-testDownloadOverlayBaseDatabaseFromCache.serial(
+test.serial(
+  testDownloadOverlayBaseDatabaseFromCache,
   "returns undefined when filesystem error occurs",
   {
     tryGetFolderBytesSucceeds: false,
@@ -380,32 +391,6 @@ test.serial(
   },
 );
 
-test.serial(
-  "getCodeQlVersionsForOverlayBaseDatabases de-duplicates resolved language aliases",
-  async (t) => {
-    const logger = getRunnerLogger(true);
-
-    sinon.stub(apiClient, "getAutomationID").resolves("test-automation-id/");
-    const listActionsCachesStub = sinon
-      .stub(apiClient, "listActionsCaches")
-      .resolves([
-        {
-          key: "codeql-overlay-base-database-1-c5666c509a2d9895-javascript_python-2.25.0-abc123-1-1",
-        },
-      ]);
-
-    const result = await getCodeQlVersionsForOverlayBaseDatabases(
-      ["javascript", "typescript", "Python", "python"],
-      logger,
-    );
-    t.deepEqual(result, ["2.25.0"]);
-    sinon.assert.calledOnceWithExactly(
-      listActionsCachesStub,
-      "codeql-overlay-base-database-1-c5666c509a2d9895-javascript_python-",
-    );
-  },
-);
-
 test.serial(
   "getCodeQlVersionsForOverlayBaseDatabases ignores nightly versions with build metadata",
   async (t) => {

src/overlay/caching.ts

@@ -461,10 +461,9 @@ export async function getCodeQlVersionsForOverlayBaseDatabases(
     );
     return undefined;
   }
-  const dedupedLanguages = [
-    ...new Set(languages.filter((l) => l !== undefined)),
-  ];
-  const cacheKeyPrefix = await getCacheKeyPrefixBase(dedupedLanguages);
+  const cacheKeyPrefix = await getCacheKeyPrefixBase(
+    languages.filter((l) => l !== undefined),
+  );
 
   logger.debug(
     `Searching for overlay-base databases in Actions cache with ` +

src/overlay/diagnostics.ts

@@ -39,6 +39,15 @@ export enum OverlayDisabledReason {
   NotPullRequestOrDefaultBranch = "not-pull-request-or-default-branch",
   /** The top-level overlay analysis feature flag is not enabled. */
   OverallFeatureNotEnabled = "overall-feature-not-enabled",
+  /**
+   * Overlay analysis was selected for a pull request, but diff-informed
+   * analysis was not enabled for the run (for example, because the
+   * `DiffInformedQueries` feature flag is off, the GHES version is too old,
+   * or the PR diff ranges could not be computed). Overlay analysis has only
+   * been validated in combination with diff-informed analysis, so we fall
+   * back to a non-overlay analysis in this case.
+   */
+  DiffInformedAnalysisNotEnabled = "diff-informed-analysis-not-enabled",
   /** Overlay analysis was skipped because it previously failed with similar hardware resources. */
   SkippedDueToCachedStatus = "skipped-due-to-cached-status",
   /** Disk usage could not be determined during the overlay status check. */

src/setup-codeql-action.ts

@@ -7,10 +7,8 @@ import {
   getRequiredInput,
   getTemporaryDirectory,
 } from "./actions-util";
-import { AnalysisKind, getAnalysisKinds } from "./analyses";
 import { getGitHubVersion } from "./api-client";
 import { CodeQL } from "./codeql";
-import { getRawLanguagesNoAutodetect } from "./config-utils";
 import { EnvVar } from "./environment";
 import { initFeatures } from "./feature-flags";
 import { initCodeQL } from "./init";
@@ -138,21 +136,16 @@ async function run(startedAt: Date): Promise<void> {
     if (statusReportBase !== undefined) {
       await sendStatusReport(statusReportBase);
     }
-    const codeQLDefaultVersionInfo =
-      await features.getEnabledDefaultCliVersions(gitHubVersion.type);
-    toolsFeatureFlagsValid = codeQLDefaultVersionInfo.toolsFeatureFlagsValid;
-    const rawLanguages = getRawLanguagesNoAutodetect(
-      getOptionalInput("languages"),
+    const codeQLDefaultVersionInfo = await features.getDefaultCliVersion(
+      gitHubVersion.type,
     );
-    const analysisKinds = await getAnalysisKinds(logger);
+    toolsFeatureFlagsValid = codeQLDefaultVersionInfo.toolsFeatureFlagsValid;
     const initCodeQLResult = await initCodeQL(
       getOptionalInput("tools"),
       apiDetails,
       getTemporaryDirectory(),
       gitHubVersion.type,
       codeQLDefaultVersionInfo,
-      rawLanguages,
-      analysisKinds.includes(AnalysisKind.CodeScanning),
       features,
       logger,
     );

src/setup-codeql.test.ts

@@ -7,9 +7,8 @@ import * as sinon from "sinon";
 
 import * as actionsUtil from "./actions-util";
 import * as api from "./api-client";
-import { Feature } from "./feature-flags";
+import { Feature, FeatureEnablement } from "./feature-flags";
 import { getRunnerLogger } from "./logging";
-import { getCacheRestoreKeyPrefix } from "./overlay/caching";
 import * as setupCodeql from "./setup-codeql";
 import * as tar from "./tar";
 import {
@@ -19,9 +18,8 @@ import {
   SAMPLE_DOTCOM_API_DETAILS,
   checkExpectedLogMessages,
   createFeatures,
-  createTestConfig,
   getRecordingLogger,
-  makeMacro,
+  initializeFeatures,
   mockBundleDownloadApi,
   setupActionsVars,
   setupTests,
@@ -35,6 +33,14 @@ import {
 
 setupTests(test);
 
+// TODO: Remove when when we no longer need to pass in features (https://github.com/github/codeql-action/issues/2600)
+const expectedFeatureEnablement: FeatureEnablement = initializeFeatures(
+  true,
+) as FeatureEnablement;
+expectedFeatureEnablement.getValue = function (feature: Feature) {
+  // eslint-disable-next-line @typescript-eslint/no-unsafe-return
+  return expectedFeatureEnablement[feature];
+};
 test.beforeEach(() => {
   initializeEnvironment("1.2.3");
 });
@@ -101,8 +107,6 @@ test.serial(
       const source = await setupCodeql.getCodeQLSource(
         `https://github.com/github/codeql-action/releases/download/${tagName}/codeql-bundle-linux64.tar.gz`,
         SAMPLE_DEFAULT_CLI_VERSION,
-        undefined, // rawLanguages
-        false, // useOverlayAwareDefaultCliVersion
         SAMPLE_DOTCOM_API_DETAILS,
         GitHubVariant.DOTCOM,
         false,
@@ -126,8 +130,6 @@ test.serial(
       const source = await setupCodeql.getCodeQLSource(
         "linked",
         SAMPLE_DEFAULT_CLI_VERSION,
-        undefined, // rawLanguages
-        false, // useOverlayAwareDefaultCliVersion
         SAMPLE_DOTCOM_API_DETAILS,
         GitHubVariant.DOTCOM,
         false,
@@ -153,8 +155,6 @@ test.serial(
       const source = await setupCodeql.getCodeQLSource(
         "latest",
         SAMPLE_DEFAULT_CLI_VERSION,
-        undefined, // rawLanguages
-        false, // useOverlayAwareDefaultCliVersion
         SAMPLE_DOTCOM_API_DETAILS,
         GitHubVariant.DOTCOM,
         false,
@@ -211,8 +211,6 @@ test.serial(
         "tmp/codeql_action_test/",
         GitHubVariant.DOTCOM,
         SAMPLE_DEFAULT_CLI_VERSION,
-        undefined, // rawLanguages
-        false, // useOverlayAwareDefaultCliVersion
         features,
         logger,
       );
@@ -268,8 +266,6 @@ test.serial(
         "tmp/codeql_action_test/",
         GitHubVariant.DOTCOM,
         SAMPLE_DEFAULT_CLI_VERSION,
-        undefined, // rawLanguages
-        false, // useOverlayAwareDefaultCliVersion
         features,
         logger,
       );
@@ -321,8 +317,6 @@ test.serial(
       const source = await setupCodeql.getCodeQLSource(
         "nightly",
         SAMPLE_DEFAULT_CLI_VERSION,
-        undefined, // rawLanguages
-        false, // useOverlayAwareDefaultCliVersion
         SAMPLE_DOTCOM_API_DETAILS,
         GitHubVariant.DOTCOM,
         false,
@@ -384,8 +378,6 @@ test.serial(
       const source = await setupCodeql.getCodeQLSource(
         undefined,
         SAMPLE_DEFAULT_CLI_VERSION,
-        undefined, // rawLanguages
-        false, // useOverlayAwareDefaultCliVersion
         SAMPLE_DOTCOM_API_DETAILS,
         GitHubVariant.DOTCOM,
         false,
@@ -440,8 +432,6 @@ test.serial(
       const source = await setupCodeql.getCodeQLSource(
         "toolcache",
         SAMPLE_DEFAULT_CLI_VERSION,
-        undefined, // rawLanguages
-        false, // useOverlayAwareDefaultCliVersion
         SAMPLE_DOTCOM_API_DETAILS,
         GitHubVariant.DOTCOM,
         false,
@@ -483,7 +473,7 @@ test.serial(
   },
 );
 
-const toolcacheInputFallbackMacro = makeMacro({
+const toolcacheInputFallbackMacro = test.macro({
   exec: async (
     t: ExecutionContext<unknown>,
     featureList: Feature[],
@@ -509,8 +499,6 @@ const toolcacheInputFallbackMacro = makeMacro({
       const source = await setupCodeql.getCodeQLSource(
         "toolcache",
         SAMPLE_DEFAULT_CLI_VERSION,
-        undefined, // rawLanguages
-        false, // useOverlayAwareDefaultCliVersion
         SAMPLE_DOTCOM_API_DETAILS,
         GitHubVariant.DOTCOM,
         false,
@@ -526,10 +514,7 @@ const toolcacheInputFallbackMacro = makeMacro({
 
       // Check that `sourceType` and `toolsVersion` match expectations.
       t.is(source.sourceType, "download");
-      t.is(
-        source.toolsVersion,
-        SAMPLE_DEFAULT_CLI_VERSION.enabledVersions[0].cliVersion,
-      );
+      t.is(source.toolsVersion, SAMPLE_DEFAULT_CLI_VERSION.cliVersion);
 
       // Check that key messages we would expect to find in the log are present.
       for (const expectedMessage of expectedMessages) {
@@ -548,8 +533,9 @@ const toolcacheInputFallbackMacro = makeMacro({
     `getCodeQLSource falls back to downloading the CLI if ${providedTitle}`,
 });
 
-toolcacheInputFallbackMacro.serial(
+test.serial(
   "the toolcache doesn't have a CodeQL CLI when tools == toolcache",
+  toolcacheInputFallbackMacro,
   [Feature.AllowToolcacheInput],
   { GITHUB_EVENT_NAME: "dynamic" },
   [],
@@ -559,8 +545,9 @@ toolcacheInputFallbackMacro.serial(
   ],
 );
 
-toolcacheInputFallbackMacro.serial(
+test.serial(
   "the workflow trigger is not `dynamic`",
+  toolcacheInputFallbackMacro,
   [Feature.AllowToolcacheInput],
   { GITHUB_EVENT_NAME: "pull_request" },
   [],
@@ -569,8 +556,9 @@ toolcacheInputFallbackMacro.serial(
   ],
 );
 
-toolcacheInputFallbackMacro.serial(
+test.serial(
   "the feature flag is not enabled",
+  toolcacheInputFallbackMacro,
   [],
   { GITHUB_EVENT_NAME: "dynamic" },
   [],
@@ -610,288 +598,3 @@ test.serial(
     t.is(setupCodeql.getLatestToolcacheVersion(getRunnerLogger(true)), "3.2.1");
   },
 );
-
-const overlayMatchEnabledVersions = {
-  enabledVersions: [
-    { cliVersion: "2.20.2", tagName: "codeql-bundle-v2.20.2" },
-    { cliVersion: "2.20.1", tagName: "codeql-bundle-v2.20.1" },
-    { cliVersion: "2.20.0", tagName: "codeql-bundle-v2.20.0" },
-  ],
-  toolsFeatureFlagsValid: true,
-};
-
-async function fakeOverlayBaseCacheKey(
-  language: string,
-  cliVersion: string,
-  suffix: string,
-): Promise<string> {
-  const prefix = await getCacheRestoreKeyPrefix(
-    createTestConfig({ languages: [language] }),
-    cliVersion,
-  );
-  return `${prefix}${suffix}`;
-}
-
-test.serial(
-  "getCodeQLSource uses overlay-aware default version when requested for a PR",
-  async (t) => {
-    await withTmpDir(async (tmpDir) => {
-      setupActionsVars(tmpDir, tmpDir);
-      process.env["CODE_SCANNING_REF"] = "refs/heads/feature-branch";
-      process.env["CODE_SCANNING_BASE_BRANCH"] = "main";
-
-      sinon.stub(api, "getAutomationID").resolves("test/");
-      const listStub = sinon.stub(api, "listActionsCaches").resolves([
-        {
-          key: await fakeOverlayBaseCacheKey("javascript", "2.20.1", "abc-1-1"),
-        },
-      ]);
-      sinon
-        .stub(toolcache, "find")
-        .withArgs("CodeQL", "2.20.1")
-        .returns("/path/to/codeql-2.20.1");
-
-      const source = await setupCodeql.getCodeQLSource(
-        undefined,
-        overlayMatchEnabledVersions,
-        ["javascript"],
-        true,
-        SAMPLE_DOTCOM_API_DETAILS,
-        GitHubVariant.DOTCOM,
-        false,
-        createFeatures([Feature.OverlayAnalysisMatchCodeqlVersion]),
-        getRunnerLogger(true),
-      );
-
-      t.assert(listStub.calledOnce);
-      t.is(source.sourceType, "toolcache");
-      t.is(source.toolsVersion, "2.20.1");
-    });
-  },
-);
-
-test.serial(
-  "getCodeQLSource skips overlay-aware default version when not requested",
-  async (t) => {
-    await withTmpDir(async (tmpDir) => {
-      setupActionsVars(tmpDir, tmpDir);
-      process.env["CODE_SCANNING_REF"] = "refs/heads/feature-branch";
-      process.env["CODE_SCANNING_BASE_BRANCH"] = "main";
-
-      sinon.stub(api, "getAutomationID").resolves("test/");
-      const listStub = sinon.stub(api, "listActionsCaches").resolves([
-        {
-          key: await fakeOverlayBaseCacheKey("javascript", "2.20.1", "abc-1-1"),
-        },
-      ]);
-      sinon
-        .stub(toolcache, "find")
-        .withArgs("CodeQL", "2.20.2")
-        .returns("/path/to/codeql-2.20.2");
-
-      const source = await setupCodeql.getCodeQLSource(
-        undefined,
-        overlayMatchEnabledVersions,
-        ["javascript"],
-        false,
-        SAMPLE_DOTCOM_API_DETAILS,
-        GitHubVariant.DOTCOM,
-        false,
-        createFeatures([Feature.OverlayAnalysisMatchCodeqlVersion]),
-        getRunnerLogger(true),
-      );
-
-      t.assert(listStub.notCalled);
-      t.is(source.sourceType, "toolcache");
-      t.is(source.toolsVersion, "2.20.2");
-    });
-  },
-);
-
-test.serial(
-  "getEnabledVersionsWithOverlayBaseDatabases returns flag-enabled versions present in cache, sorted desc",
-  async (t) => {
-    sinon.stub(api, "getAutomationID").resolves("test/");
-    sinon.stub(api, "listActionsCaches").resolves([
-      // Flag-enabled versions present in the cache, listed in non-descending
-      // order so the test exercises the sort.
-      {
-        key: await fakeOverlayBaseCacheKey("javascript", "2.20.0", "ghi-3-1"),
-      },
-      {
-        key: await fakeOverlayBaseCacheKey("javascript", "2.20.1", "def-2-1"),
-      },
-      // Newer than any flag-enabled version: should be filtered out.
-      {
-        key: await fakeOverlayBaseCacheKey("javascript", "2.21.0", "abc-1-1"),
-      },
-    ]);
-
-    const result = await setupCodeql.getEnabledVersionsWithOverlayBaseDatabases(
-      overlayMatchEnabledVersions,
-      ["javascript"],
-      createFeatures([Feature.OverlayAnalysisMatchCodeqlVersion]),
-      getRunnerLogger(true),
-    );
-    t.deepEqual(result, [
-      { cliVersion: "2.20.1", tagName: "codeql-bundle-v2.20.1" },
-      { cliVersion: "2.20.0", tagName: "codeql-bundle-v2.20.0" },
-    ]);
-  },
-);
-
-test.serial(
-  "getEnabledVersionsWithOverlayBaseDatabases returns empty when no cached version is flag-enabled",
-  async (t) => {
-    sinon.stub(api, "getAutomationID").resolves("test/");
-    sinon.stub(api, "listActionsCaches").resolves([
-      {
-        key: await fakeOverlayBaseCacheKey("javascript", "2.19.0", "abc-1-1"),
-      },
-    ]);
-
-    const result = await setupCodeql.getEnabledVersionsWithOverlayBaseDatabases(
-      overlayMatchEnabledVersions,
-      ["javascript"],
-      createFeatures([Feature.OverlayAnalysisMatchCodeqlVersion]),
-      getRunnerLogger(true),
-    );
-    t.deepEqual(result, []);
-  },
-);
-
-const noLanguagesMacro = makeMacro({
-  exec: async (
-    t: ExecutionContext<unknown>,
-    rawLanguages: string[] | undefined,
-  ) => {
-    const listStub = sinon.stub(api, "listActionsCaches").resolves([]);
-
-    const result = await setupCodeql.getEnabledVersionsWithOverlayBaseDatabases(
-      overlayMatchEnabledVersions,
-      rawLanguages,
-      createFeatures([Feature.OverlayAnalysisMatchCodeqlVersion]),
-      getRunnerLogger(true),
-    );
-    t.deepEqual(result, []);
-    t.assert(
-      listStub.notCalled,
-      "Should not list Actions caches without any rawLanguages.",
-    );
-  },
-  title: (providedTitle = "") =>
-    `getEnabledVersionsWithOverlayBaseDatabases does not list caches when rawLanguages is ${providedTitle}`,
-});
-
-noLanguagesMacro.serial("undefined", undefined);
-noLanguagesMacro.serial("an empty array", []);
-
-test.serial(
-  "getEnabledVersionsWithOverlayBaseDatabases returns empty when listing caches throws",
-  async (t) => {
-    sinon.stub(api, "getAutomationID").resolves("test/");
-    sinon.stub(api, "listActionsCaches").rejects(new Error("listing failed"));
-
-    const result = await setupCodeql.getEnabledVersionsWithOverlayBaseDatabases(
-      overlayMatchEnabledVersions,
-      ["javascript"],
-      createFeatures([Feature.OverlayAnalysisMatchCodeqlVersion]),
-      getRunnerLogger(true),
-    );
-    t.deepEqual(result, []);
-  },
-);
-
-test.serial(
-  "getEnabledVersionsWithOverlayBaseDatabases returns versions present in the cache",
-  async (t) => {
-    sinon.stub(api, "getAutomationID").resolves("test/");
-    sinon.stub(api, "listActionsCaches").resolves([
-      {
-        key: await fakeOverlayBaseCacheKey("javascript", "2.20.2", "abc-1-1"),
-      },
-    ]);
-
-    const result = await setupCodeql.getEnabledVersionsWithOverlayBaseDatabases(
-      overlayMatchEnabledVersions,
-      ["javascript"],
-      createFeatures([Feature.OverlayAnalysisMatchCodeqlVersion]),
-      getRunnerLogger(true),
-    );
-    t.deepEqual(result, [
-      { cliVersion: "2.20.2", tagName: "codeql-bundle-v2.20.2" },
-    ]);
-  },
-);
-
-test.serial(
-  "getEnabledVersionsWithOverlayBaseDatabases does not list caches when both gates are off",
-  async (t) => {
-    const listStub = sinon.stub(api, "listActionsCaches").resolves([]);
-
-    const result = await setupCodeql.getEnabledVersionsWithOverlayBaseDatabases(
-      overlayMatchEnabledVersions,
-      ["javascript"],
-      createFeatures([]),
-      getRunnerLogger(true),
-    );
-    t.deepEqual(result, []);
-    t.assert(
-      listStub.notCalled,
-      "Should not list Actions caches when both gating feature flags are off.",
-    );
-  },
-);
-
-test.serial(
-  "getEnabledVersionsWithOverlayBaseDatabases dry-run returns empty but lists caches",
-  async (t) => {
-    sinon.stub(api, "getAutomationID").resolves("test/");
-    const listStub = sinon.stub(api, "listActionsCaches").resolves([
-      {
-        key: await fakeOverlayBaseCacheKey("javascript", "2.20.1", "abc-1-1"),
-      },
-    ]);
-
-    const result = await setupCodeql.getEnabledVersionsWithOverlayBaseDatabases(
-      overlayMatchEnabledVersions,
-      ["javascript"],
-      createFeatures([Feature.OverlayAnalysisMatchCodeqlVersionDryRun]),
-      getRunnerLogger(true),
-    );
-    t.deepEqual(
-      result,
-      [],
-      "Dry-run should return an empty list so the caller falls back.",
-    );
-    t.assert(
-      listStub.calledOnce,
-      "Dry-run should still list Actions caches to populate the diagnostic.",
-    );
-  },
-);
-
-test.serial(
-  "getEnabledVersionsWithOverlayBaseDatabases match flag wins over dry-run",
-  async (t) => {
-    sinon.stub(api, "getAutomationID").resolves("test/");
-    sinon.stub(api, "listActionsCaches").resolves([
-      {
-        key: await fakeOverlayBaseCacheKey("javascript", "2.20.1", "abc-1-1"),
-      },
-    ]);
-
-    const result = await setupCodeql.getEnabledVersionsWithOverlayBaseDatabases(
-      overlayMatchEnabledVersions,
-      ["javascript"],
-      createFeatures([
-        Feature.OverlayAnalysisMatchCodeqlVersion,
-        Feature.OverlayAnalysisMatchCodeqlVersionDryRun,
-      ]),
-      getRunnerLogger(true),
-    );
-    t.deepEqual(result, [
-      { cliVersion: "2.20.1", tagName: "codeql-bundle-v2.20.1" },
-    ]);
-  },
-);

src/setup-codeql.ts

@@ -7,27 +7,17 @@ import { default as deepEqual } from "fast-deep-equal";
 import * as semver from "semver";
 import { v4 as uuidV4 } from "uuid";
 
-import {
-  isAnalyzingPullRequest,
-  isDynamicWorkflow,
-  isRunningLocalAction,
-} from "./actions-util";
+import { isDynamicWorkflow, isRunningLocalAction } from "./actions-util";
 import * as api from "./api-client";
 import * as defaults from "./defaults.json";
-import {
-  addNoLanguageDiagnostic,
-  makeDiagnostic,
-  makeTelemetryDiagnostic,
-} from "./diagnostics";
+import { addNoLanguageDiagnostic, makeDiagnostic } from "./diagnostics";
 import {
   CODEQL_VERSION_ZSTD_BUNDLE,
   CodeQLDefaultVersionInfo,
-  CodeQLVersionInfo,
   Feature,
   FeatureEnablement,
 } from "./feature-flags";
 import { Logger } from "./logging";
-import { getCodeQlVersionsForOverlayBaseDatabases } from "./overlay/caching";
 import * as tar from "./tar";
 import {
   downloadAndExtract,
@@ -274,131 +264,12 @@ async function findOverridingToolsInCache(
   return undefined;
 }
 
-/**
- * Returns the sorted set of enabled versions that have cached overlay-base databases for the
- * given languages, or an empty list if neither the `OverlayAnalysisMatchCodeqlVersion` nor the
- * `OverlayAnalysisMatchCodeqlVersionDryRun` feature flag is enabled. When only the dry-run flag
- * is enabled, this performs the lookup and emits a telemetry diagnostic with the version that
- * would have been chosen, but still returns an empty list so the caller falls back.
- */
-export async function getEnabledVersionsWithOverlayBaseDatabases(
-  defaultCliVersion: CodeQLDefaultVersionInfo,
-  rawLanguages: string[] | undefined,
-  features: FeatureEnablement,
-  logger: Logger,
-): Promise<CodeQLVersionInfo[]> {
-  if (rawLanguages === undefined || rawLanguages.length === 0) {
-    return [];
-  }
-  const isEnabled = await features.getValue(
-    Feature.OverlayAnalysisMatchCodeqlVersion,
-  );
-  const isDryRun =
-    !isEnabled &&
-    (await features.getValue(Feature.OverlayAnalysisMatchCodeqlVersionDryRun));
-  if (!isEnabled && !isDryRun) {
-    return [];
-  }
-
-  let cachedVersions: string[] | undefined;
-  try {
-    cachedVersions = await getCodeQlVersionsForOverlayBaseDatabases(
-      rawLanguages,
-      logger,
-    );
-  } catch (e) {
-    logger.warning(
-      "Could not list overlay-base databases in the Actions cache while choosing a default " +
-        `CodeQL CLI version, falling back to the highest enabled version. Details: ${util.getErrorMessage(e)}`,
-    );
-    return [];
-  }
-
-  if (cachedVersions === undefined || cachedVersions.length === 0) {
-    return [];
-  }
-
-  const cachedVersionsSet = new Set(cachedVersions);
-  const overlayVersions = defaultCliVersion.enabledVersions.filter((v) =>
-    cachedVersionsSet.has(v.cliVersion),
-  );
-
-  if (overlayVersions.length === 0) {
-    return [];
-  }
-
-  const isCachedVersionDifferent =
-    overlayVersions[0].cliVersion !==
-    defaultCliVersion.enabledVersions[0].cliVersion;
-
-  if (isCachedVersionDifferent) {
-    addNoLanguageDiagnostic(
-      undefined,
-      makeTelemetryDiagnostic(
-        "codeql-action/overlay-aware-default-codeql-version",
-        "Overlay-aware default CodeQL version selection",
-        {
-          cachedVersions,
-          enabledVersions: defaultCliVersion.enabledVersions.map(
-            (v) => v.cliVersion,
-          ),
-          isDryRun,
-          overlayAwareVersion: overlayVersions[0].cliVersion,
-        },
-      ),
-    );
-  }
-
-  if (isDryRun) {
-    logger.debug(
-      `Overlay-aware default CodeQL version selection is running in dry-run mode. Would have used version ${overlayVersions[0].cliVersion}.`,
-    );
-    return [];
-  }
-
-  return overlayVersions;
-}
-
-/**
- * Resolves the newest enabled default CLI version that has a cached overlay-base database for the
- * relevant languages, if running a Code Scanning analysis for a pull request and one exists.
- * Otherwise, falls back to the newest enabled default CLI version.
- */
-async function resolveDefaultCliVersion(
-  defaultCliVersion: CodeQLDefaultVersionInfo,
-  rawLanguages: string[] | undefined,
-  useOverlayAwareDefaultCliVersion: boolean,
-  features: FeatureEnablement,
-  logger: Logger,
-): Promise<CodeQLVersionInfo> {
-  if (!useOverlayAwareDefaultCliVersion || !isAnalyzingPullRequest()) {
-    return defaultCliVersion.enabledVersions[0];
-  }
-
-  const overlayVersions = await getEnabledVersionsWithOverlayBaseDatabases(
-    defaultCliVersion,
-    rawLanguages,
-    features,
-    logger,
-  );
-  if (overlayVersions.length > 0) {
-    logger.info(
-      `Using CodeQL version ${overlayVersions[0].cliVersion} since this is the ` +
-        `highest enabled version that has a cached overlay-base database.`,
-    );
-    return overlayVersions[0];
-  }
-  return defaultCliVersion.enabledVersions[0];
-}
-
 /**
  * Determines where the CodeQL CLI we want to use comes from. This can be from a local file,
  * the Actions toolcache, or a download.
  *
  * @param toolsInput The argument provided for the `tools` input, if any.
  * @param defaultCliVersion The default CLI version that's linked to the CodeQL Action.
- * @param rawLanguages Raw set of languages.
- * @param useOverlayAwareDefaultCliVersion Whether to select an overlay-aware default CLI version.
  * @param apiDetails Information about the GitHub API.
  * @param variant The GitHub variant we are running on.
  * @param tarSupportsZstd Whether zstd is supported by `tar`.
@@ -410,8 +281,6 @@ async function resolveDefaultCliVersion(
 export async function getCodeQLSource(
   toolsInput: string | undefined,
   defaultCliVersion: CodeQLDefaultVersionInfo,
-  rawLanguages: string[] | undefined,
-  useOverlayAwareDefaultCliVersion: boolean,
   apiDetails: api.GitHubApiDetails,
   variant: util.GitHubVariant,
   tarSupportsZstd: boolean,
@@ -569,15 +438,8 @@ export async function getCodeQLSource(
         }
       }
 
-      const version = await resolveDefaultCliVersion(
-        defaultCliVersion,
-        rawLanguages,
-        useOverlayAwareDefaultCliVersion,
-        features,
-        logger,
-      );
-      cliVersion = version.cliVersion;
-      tagName = version.tagName;
+      cliVersion = defaultCliVersion.cliVersion;
+      tagName = defaultCliVersion.tagName;
     }
   } else if (toolsInput !== undefined) {
     // If a tools URL was provided, then use that.
@@ -592,15 +454,9 @@ export async function getCodeQLSource(
       }
     }
   } else {
-    const version = await resolveDefaultCliVersion(
-      defaultCliVersion,
-      rawLanguages,
-      useOverlayAwareDefaultCliVersion,
-      features,
-      logger,
-    );
-    cliVersion = version.cliVersion;
-    tagName = version.tagName;
+    // Otherwise, use the default CLI version passed in.
+    cliVersion = defaultCliVersion.cliVersion;
+    tagName = defaultCliVersion.tagName;
   }
 
   const bundleVersion =
@@ -935,8 +791,6 @@ export async function setupCodeQLBundle(
   tempDir: string,
   variant: util.GitHubVariant,
   defaultCliVersion: CodeQLDefaultVersionInfo,
-  rawLanguages: string[] | undefined,
-  useOverlayAwareDefaultCliVersion: boolean,
   features: FeatureEnablement,
   logger: Logger,
 ): Promise<SetupCodeQLResult> {
@@ -950,8 +804,6 @@ export async function setupCodeQLBundle(
   const source = await getCodeQLSource(
     toolsInput,
     defaultCliVersion,
-    rawLanguages,
-    useOverlayAwareDefaultCliVersion,
     apiDetails,
     variant,
     zstdAvailability.available,

src/start-proxy.test.ts

@@ -18,7 +18,6 @@ import {
   assertNotLogged,
   checkExpectedLogMessages,
   createFeatures,
-  makeMacro,
   makeTestToken,
   RecordingLogger,
   setupTests,
@@ -33,7 +32,7 @@ import {
 
 setupTests(test);
 
-const sendFailedStatusReportTest = makeMacro({
+const sendFailedStatusReportTest = test.macro({
   exec: async (
     t: ExecutionContext<unknown>,
     err: Error,
@@ -89,14 +88,16 @@ const sendFailedStatusReportTest = makeMacro({
   title: (providedTitle = "") => `sendFailedStatusReport - ${providedTitle}`,
 });
 
-sendFailedStatusReportTest.serial(
+test.serial(
   "reports generic error message for non-StartProxyError error",
+  sendFailedStatusReportTest,
   new Error("Something went wrong today"),
   "Error from start-proxy Action omitted (Error).",
 );
 
-sendFailedStatusReportTest.serial(
+test.serial(
   "reports generic error message for non-StartProxyError error with safe error message",
+  sendFailedStatusReportTest,
   new Error(
     startProxyExports.getStartProxyErrorMessage(
       startProxyExports.StartProxyErrorType.DownloadFailed,
@@ -105,8 +106,9 @@ sendFailedStatusReportTest.serial(
   "Error from start-proxy Action omitted (Error).",
 );
 
-sendFailedStatusReportTest.serial(
+test.serial(
   "reports generic error message for ConfigurationError error",
+  sendFailedStatusReportTest,
   new ConfigurationError("Something went wrong today"),
   "Error from start-proxy Action omitted (ConfigurationError).",
   "user-error",
@@ -412,7 +414,7 @@ test("getCredentials accepts OIDC configurations", (t) => {
   }
 });
 
-const getCredentialsMacro = makeMacro({
+const getCredentialsMacro = test.macro({
   exec: async (
     t: ExecutionContext<unknown>,
     credentials: startProxyExports.RawCredential[],
@@ -438,8 +440,9 @@ const getCredentialsMacro = makeMacro({
   title: (providedTitle = "") => `getCredentials - ${providedTitle}`,
 });
 
-getCredentialsMacro(
+test(
   "warns for PAT-like password without a username",
+  getCredentialsMacro,
   [
     {
       type: "git_server",
@@ -467,8 +470,9 @@ getCredentialsMacro(
   },
 );
 
-getCredentialsMacro(
+test(
   "no warning for PAT-like password with a username",
+  getCredentialsMacro,
   [
     {
       type: "git_server",
@@ -498,8 +502,9 @@ getCredentialsMacro(
   },
 );
 
-getCredentialsMacro(
+test(
   "warns for PAT-like token without a username",
+  getCredentialsMacro,
   [
     {
       type: "git_server",
@@ -527,8 +532,9 @@ getCredentialsMacro(
   },
 );
 
-getCredentialsMacro(
+test(
   "no warning for PAT-like token with a username",
+  getCredentialsMacro,
   [
     {
       type: "git_server",
@@ -790,7 +796,7 @@ test.serial(
   },
 );
 
-const wrapFailureTest = makeMacro({
+const wrapFailureTest = test.macro({
   exec: async (
     t: ExecutionContext<unknown>,
     setup: () => void,
@@ -821,8 +827,9 @@ test.serial("downloadProxy - returns file path on success", async (t) => {
   });
 });
 
-wrapFailureTest.serial(
+test.serial(
   "downloadProxy",
+  wrapFailureTest,
   () => {
     sinon.stub(toolcache, "downloadTool").throws();
   },
@@ -841,8 +848,9 @@ test.serial("extractProxy - returns file path on success", async (t) => {
   });
 });
 
-wrapFailureTest.serial(
+test.serial(
   "extractProxy",
+  wrapFailureTest,
   () => {
     sinon.stub(toolcache, "extractTar").throws();
   },
@@ -866,8 +874,9 @@ test.serial("cacheProxy - returns file path on success", async (t) => {
   });
 });
 
-wrapFailureTest.serial(
+test.serial(
   "cacheProxy",
+  wrapFailureTest,
   () => {
     sinon.stub(toolcache, "cacheDir").throws();
   },
@@ -1010,10 +1019,8 @@ test.serial(
         return true;
       });
       const getDefaultCliVersion = sinon
-        .stub(features, "getEnabledDefaultCliVersions")
-        .resolves({
-          enabledVersions: [{ cliVersion: "2.20.1", tagName: expectedTag }],
-        });
+        .stub(features, "getDefaultCliVersion")
+        .resolves({ cliVersion: "2.20.1", tagName: expectedTag });
       const path = await startProxyExports.getProxyBinaryPath(logger, features);
 
       t.assert(getDefaultCliVersion.calledOnce);

src/start-proxy.ts

@@ -415,7 +415,7 @@ async function getCliVersionFromFeatures(
   features: FeatureEnablement,
 ): Promise<CodeQLDefaultVersionInfo> {
   const gitHubVersion = await getGitHubVersion();
-  return await features.getEnabledDefaultCliVersions(gitHubVersion.type);
+  return await features.getDefaultCliVersion(gitHubVersion.type);
 }
 
 /**
@@ -440,7 +440,7 @@ export async function getDownloadUrl(
     // Retrieve information about the CLI version we should use. This will be either the linked
     // version, or the one enabled by FFs.
     const versionInfo = useFeaturesToDetermineCLI
-      ? (await getCliVersionFromFeatures(features)).enabledVersions[0]
+      ? await getCliVersionFromFeatures(features)
       : {
           cliVersion: defaults.cliVersion,
           tagName: defaults.bundleVersion,

src/status-report.test.ts

@@ -19,7 +19,6 @@ import {
   setupTests,
   setupActionsVars,
   createTestConfig,
-  makeMacro,
 } from "./testing-utils";
 import { BuildMode, ConfigurationError, withTmpDir, wrapError } from "./util";
 
@@ -292,9 +291,10 @@ test.serial(
   },
 );
 
-const testCreateInitWithConfigStatusReport = makeMacro({
+const testCreateInitWithConfigStatusReport = test.macro({
   exec: async (
     t,
+    _title: string,
     config: Config,
     expectedReportProperties: Partial<InitWithConfigStatusReport>,
   ) => {
@@ -337,10 +337,11 @@ const testCreateInitWithConfigStatusReport = makeMacro({
       }
     });
   },
-  title: (title) => `createInitWithConfigStatusReport: ${title}`,
+  title: (_, title) => `createInitWithConfigStatusReport: ${title}`,
 });
 
-testCreateInitWithConfigStatusReport.serial(
+test.serial(
+  testCreateInitWithConfigStatusReport,
   "returns a value",
   createTestConfig({
     buildMode: BuildMode.None,
@@ -354,7 +355,8 @@ testCreateInitWithConfigStatusReport.serial(
   },
 );
 
-testCreateInitWithConfigStatusReport.serial(
+test.serial(
+  testCreateInitWithConfigStatusReport,
   "includes packs for a single language",
   createTestConfig({
     buildMode: BuildMode.None,
@@ -370,7 +372,8 @@ testCreateInitWithConfigStatusReport.serial(
   },
 );
 
-testCreateInitWithConfigStatusReport.serial(
+test.serial(
+  testCreateInitWithConfigStatusReport,
   "includes packs for multiple languages",
   createTestConfig({
     buildMode: BuildMode.None,

src/testing-utils.ts

@@ -2,11 +2,7 @@ import { TextDecoder } from "node:util";
 import path from "path";
 
 import * as github from "@actions/github";
-import test, {
-  type ExecutionContext,
-  type MacroDeclarationOptions,
-  type TestFn,
-} from "ava";
+import { ExecutionContext, TestFn } from "ava";
 import nock from "nock";
 import * as sinon from "sinon";
 
@@ -40,20 +36,16 @@ export const SAMPLE_DOTCOM_API_DETAILS = {
   apiURL: "https://api.github.com",
 };
 
+export const SAMPLE_DEFAULT_CLI_VERSION: CodeQLDefaultVersionInfo = {
+  cliVersion: "2.20.0",
+  tagName: "codeql-bundle-v2.20.0",
+};
+
 export const LINKED_CLI_VERSION = {
   cliVersion: defaults.cliVersion,
   tagName: defaults.bundleVersion,
 };
 
-export const SAMPLE_DEFAULT_CLI_VERSION: CodeQLDefaultVersionInfo = {
-  enabledVersions: [
-    {
-      cliVersion: "2.20.0",
-      tagName: "codeql-bundle-v2.20.0",
-    },
-  ],
-};
-
 type TestContext = {
   stdoutWrite: any;
   stderrWrite: any;
@@ -93,8 +85,8 @@ function wrapOutput(context: TestContext) {
   };
 }
 
-export function setupTests(testFn: TestFn<any>) {
-  const typedTest = testFn as TestFn<TestContext>;
+export function setupTests(test: TestFn<any>) {
+  const typedTest = test as TestFn<TestContext>;
 
   typedTest.beforeEach((t) => {
     // Set an empty CodeQL object so that all method calls will fail
@@ -147,26 +139,6 @@ export function setupTests(testFn: TestFn<any>) {
   });
 }
 
-/**
- * Declare a reusable test implementation, with better type safety than `test.macro`.
- */
-export function makeMacro<Args extends unknown[]>(
-  decl: MacroDeclarationOptions<Args, unknown>,
-) {
-  const m = test.macro<Args>(decl);
-
-  const wrapper = (name: string, ...args: Args) => test(name, m, ...args);
-  wrapper.test = (...args: Args) => test(m, ...args);
-  wrapper.serial = (name: string, ...args: Args) =>
-    test.serial(name, m, ...args);
-  // Make the implementation available as `fn`. We don't call it `exec` so
-  // that results from this function are not valid arguments to `test`
-  // or `test.serial`.
-  wrapper.fn = decl.exec;
-
-  return wrapper;
-}
-
 /**
  * Default values for environment variables typically set in an Actions
  * environment. Tests can override individual variables by passing them in the
@@ -470,7 +442,7 @@ export function mockCodeQLVersion(
  */
 export function createFeatures(enabledFeatures: Feature[]): FeatureEnablement {
   return {
-    getEnabledDefaultCliVersions: async () => {
+    getDefaultCliVersion: async () => {
       throw new Error("not implemented");
     },
     getValue: async (feature) => {

src/upload-lib.ts

@@ -156,8 +156,9 @@ async function combineSarifFilesUsingCLI(
       apiURL: getRequiredEnvParam("GITHUB_API_URL"),
     };
 
-    const codeQLDefaultVersionInfo =
-      await features.getEnabledDefaultCliVersions(gitHubVersion.type);
+    const codeQLDefaultVersionInfo = await features.getDefaultCliVersion(
+      gitHubVersion.type,
+    );
 
     const initCodeQLResult = await initCodeQL(
       undefined, // There is no tools input on the upload action
@@ -165,8 +166,6 @@ async function combineSarifFilesUsingCLI(
       tempDir,
       gitHubVersion.type,
       codeQLDefaultVersionInfo,
-      undefined, // rawLanguages: upload-lib does not run analysis
-      false, // useOverlayAwareDefaultCliVersion: upload-lib does not run analysis
       features,
       logger,
     );

src/upload-sarif.test.ts

@@ -6,7 +6,7 @@ import * as sinon from "sinon";
 
 import { AnalysisKind, getAnalysisConfig } from "./analyses";
 import { getRunnerLogger } from "./logging";
-import { createFeatures, makeMacro, setupTests } from "./testing-utils";
+import { createFeatures, setupTests } from "./testing-utils";
 import { UploadResult } from "./upload-lib";
 import * as uploadLib from "./upload-lib";
 import { postProcessAndUploadSarif } from "./upload-sarif";
@@ -43,7 +43,7 @@ function mockPostProcessSarifFiles() {
   return postProcessSarifFiles;
 }
 
-const postProcessAndUploadSarifMacro = makeMacro({
+const postProcessAndUploadSarifMacro = test.macro({
   exec: async (
     t: ExecutionContext<unknown>,
     sarifFiles: string[],
@@ -67,7 +67,7 @@ const postProcessAndUploadSarifMacro = makeMacro({
         const analysisConfig = getAnalysisConfig(analysisKind);
         uploadPostProcessedFiles
           .withArgs(logger, sinon.match.any, analysisConfig, sinon.match.any)
-          .resolves(expectedResult[analysisKind]?.uploadResult);
+          .resolves(expectedResult[analysisKind as AnalysisKind]?.uploadResult);
       }
 
       const fullSarifPaths = sarifFiles.map(toFullPath);
@@ -123,8 +123,9 @@ const postProcessAndUploadSarifMacro = makeMacro({
   title: (providedTitle = "") => `processAndUploadSarif - ${providedTitle}`,
 });
 
-postProcessAndUploadSarifMacro.serial(
+test.serial(
   "SARIF file",
+  postProcessAndUploadSarifMacro,
   ["test.sarif"],
   (tempDir) => path.join(tempDir, "test.sarif"),
   {
@@ -137,8 +138,9 @@ postProcessAndUploadSarifMacro.serial(
   },
 );
 
-postProcessAndUploadSarifMacro.serial(
+test.serial(
   "JSON file",
+  postProcessAndUploadSarifMacro,
   ["test.json"],
   (tempDir) => path.join(tempDir, "test.json"),
   {
@@ -151,8 +153,9 @@ postProcessAndUploadSarifMacro.serial(
   },
 );
 
-postProcessAndUploadSarifMacro.serial(
+test.serial(
   "Code Scanning files",
+  postProcessAndUploadSarifMacro,
   ["test.json", "test.sarif"],
   undefined,
   {
@@ -166,8 +169,9 @@ postProcessAndUploadSarifMacro.serial(
   },
 );
 
-postProcessAndUploadSarifMacro.serial(
+test.serial(
   "Code Quality file",
+  postProcessAndUploadSarifMacro,
   ["test.quality.sarif"],
   (tempDir) => path.join(tempDir, "test.quality.sarif"),
   {
@@ -180,8 +184,9 @@ postProcessAndUploadSarifMacro.serial(
   },
 );
 
-postProcessAndUploadSarifMacro.serial(
+test.serial(
   "Mixed files",
+  postProcessAndUploadSarifMacro,
   ["test.sarif", "test.quality.sarif"],
   undefined,
   {

src/workflow.test.ts

@@ -422,7 +422,7 @@ async function testLanguageAliases(
           ],
         },
       },
-    },
+    } as Workflow,
     codeql,
   );