Add a debug log for the feature flag API response

Differentiate setupCodeql.setupCodeQL from codeql.setupCodeQL
Add test for using default version with no requested URL on Dotcom
2026-05-09 23:30:28 +00:00 · 2023-01-11 19:10:22 +00:00 · 2023-01-11 19:06:50 +00:00 · 2023-01-11 19:06:50 +00:00 · 2023-01-11 19:06:50 +00:00 · 2023-01-11 19:06:50 +00:00
255 changed files with 7493 additions and 17772 deletions
@@ -1,5 +1,4 @@
 **/webpack.config.js
 lib/**
-runner/dist/**
 src/testdata/**
 tests/**
@@ -42,6 +42,8 @@ runs:
        packs: ${{ inputs.packs }}
        tools: ${{ inputs.tools }}
        db-location: ${{ runner.temp }}/codescanning-config-cli-test
+      env:
+        CODEQL_ACTION_TEST_MODE: 'true'

    - name: Install dependencies
      shell: bash
@@ -1,20 +1,17 @@
 version: 2
 updates:
-  - package-ecosystem: "npm"
+  - package-ecosystem: npm
    directory: "/"
    schedule:
-      interval: "weekly"
-      day: "thursday" # Gives us a working day to merge this before our typical release
+      interval: weekly
    labels:
-      - "Update dependencies"
+      - Update dependencies
    ignore:
      - dependency-name: "*"
-        update-types: ["version-update:semver-minor", "version-update:semver-patch"]
-  - package-ecosystem: "npm"
-    directory: "/runner"
+        update-types:
+          - version-update:semver-minor
+          - version-update:semver-patch
+  - package-ecosystem: github-actions
+    directory: "/"
    schedule:
-      interval: "weekly"
-      day: "thursday" # Gives us a working day to merge this before our typical release
-    ignore:
-      - dependency-name: "*"
-        update-types: ["version-update:semver-minor", "version-update:semver-patch"]
+      interval: weekly
@@ -35,14 +35,14 @@ runs:
        tools: ${{ inputs.tools }}
        db-location: ${{ runner.temp }}/query-filter-test
      env:
-        TEST_MODE: "true"
+        CODEQL_ACTION_TEST_MODE: "true"
    - uses: ./../action/analyze
      with:
        output: ${{ runner.temp }}/results
        upload-database: false
        upload: false
      env:
-        TEST_MODE: "true"
+        CODEQL_ACTION_TEST_MODE: "true"
    - name: Check SARIF
      uses: ./../action/.github/check-sarif
      with:
@@ -0,0 +1,32 @@
+name: "Set up Swift"
+description: Performs necessary steps to set up appropriate Swift version.
+inputs:
+  codeql-path:
+    required: true
+runs:
+  using: "composite"
+  steps:
+    - name: Get Swift version
+      id: get_swift_version
+      # We don't support Swift on Windows or prior versions of CLI.
+      if: "(runner.os != 'Windows') && (matrix.version == 'cached' || matrix.version == 'latest' || matrix.version == 'nightly-latest')"
+      shell: bash
+      env: 
+        CODEQL_PATH: ${{inputs.codeql-path}}
+      run: |
+        if [ $RUNNER_OS = "macOS" ]; then
+          PLATFORM="osx64"
+        else # We do not run this step on Windows.
+          PLATFORM="linux64"
+        fi 
+        SWIFT_EXTRACTOR_DIR="$("$CODEQL_PATH" resolve languages --format json | jq -r '.swift[0]')"
+        VERSION="$("$SWIFT_EXTRACTOR_DIR/tools/$PLATFORM/extractor" --version | awk '/version/ { print $3 }')"
+        # Specify 5.7.0, otherwise setup Action will default to latest minor version. 
+        if [ $VERSION = "5.7" ]; then
+          VERSION="5.7.0"
+        fi
+        echo "version=$VERSION" | tee -a $GITHUB_OUTPUT
+    - uses: swift-actions/setup-swift@194625b58a582570f61cc707c3b558086c26b723
+      if: "(runner.os != 'Windows') && (matrix.version == 'cached' || matrix.version == 'latest' || matrix.version == 'nightly-latest')"
+      with:
+        swift-version: "${{steps.get_swift_version.outputs.version}}"
@@ -5,7 +5,7 @@ import json
 import os
 import subprocess

-EMPTY_CHANGELOG = """# CodeQL Action and CodeQL Runner Changelog
+EMPTY_CHANGELOG = """# CodeQL Action Changelog

 ## [UNRELEASED]

@@ -7,6 +7,7 @@ name: "PR Check - Analyze: 'ref' and 'sha' from inputs"
 env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  GO111MODULE: auto
+  CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true'
 on:
  push:
    branches:
@@ -72,14 +73,17 @@ jobs:
      uses: ./.github/prepare-test
      with:
        version: ${{ matrix.version }}
+    - name: Set up Go
+      if: matrix.os == 'ubuntu-20.04' || matrix.os == 'windows-2019'
+      uses: actions/setup-go@v3
+      with:
+        go-version: ^1.13.1
    - uses: ./../action/init
      with:
        tools: ${{ steps.prepare-test.outputs.tools-url }}
        languages: cpp,csharp,java,javascript,python
        config-file: ${{ github.repository }}/tests/multi-language-repo/.github/codeql/custom-queries.yml@${{
          github.sha }}
-      env:
-        TEST_MODE: true
    - name: Build code
      shell: bash
      run: ./build.sh
@@ -87,7 +91,5 @@ jobs:
      with:
        ref: refs/heads/main
        sha: 5e235361806c361d4d3f8859e3c897658025a9a2
-      env:
-        TEST_MODE: true
    env:
-      INTERNAL_CODEQL_ACTION_DEBUG_LOC: true
+      CODEQL_ACTION_TEST_MODE: true
@@ -7,6 +7,7 @@ name: PR Check - autobuild-action
 env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  GO111MODULE: auto
+  CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true'
 on:
  push:
    branches:
@@ -46,8 +47,6 @@ jobs:
      with:
        languages: csharp
        tools: ${{ steps.prepare-test.outputs.tools-url }}
-      env:
-        TEST_MODE: true
    - uses: ./../action/autobuild
      env:
      # Explicitly disable the CLR tracer.
@@ -58,8 +57,6 @@ jobs:
        CORECLR_PROFILER: ''
        CORECLR_PROFILER_PATH_64: ''
    - uses: ./../action/analyze
-      env:
-        TEST_MODE: true
    - name: Check database
      shell: bash
      run: |
@@ -69,4 +66,4 @@ jobs:
          exit 1
        fi
    env:
-      INTERNAL_CODEQL_ACTION_DEBUG_LOC: true
+      CODEQL_ACTION_TEST_MODE: true
@@ -7,6 +7,7 @@ name: PR Check - Export file baseline information
 env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  GO111MODULE: auto
+  CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true'
 on:
  push:
    branches:
@@ -43,12 +44,15 @@ jobs:
      with:
        version: ${{ matrix.version }}
    - uses: ./../action/init
+      id: init
      with:
        languages: javascript
        tools: ${{ steps.prepare-test.outputs.tools-url }}
      env:
        CODEQL_FILE_BASELINE_INFORMATION: true
-        TEST_MODE: true
+    - uses: ./../action/.github/setup-swift
+      with:
+        codeql-path: ${{steps.init.outputs.codeql-path}}
    - name: Build code
      shell: bash
      run: ./build.sh
@@ -57,7 +61,6 @@ jobs:
        output: ${{ runner.temp }}/results
      env:
        CODEQL_FILE_BASELINE_INFORMATION: true
-        TEST_MODE: true
    - name: Upload SARIF
      uses: actions/upload-artifact@v3
      with:
@@ -68,7 +71,7 @@ jobs:
      shell: bash
      run: |
        cd "$RUNNER_TEMP/results"
-        expected_baseline_languages="cpp csharp go java js py ruby"
+        expected_baseline_languages="cpp cs go java js py rb swift"

        for lang in ${expected_baseline_languages}; do
          rule_name="${lang}/baseline/expected-extracted-files"
@@ -82,4 +85,5 @@ jobs:
          fi
        done
    env:
-      INTERNAL_CODEQL_ACTION_DEBUG_LOC: true
+      CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT: true # Remove when Swift is GA.
+      CODEQL_ACTION_TEST_MODE: true
@@ -7,6 +7,7 @@ name: PR Check - Extractor ram and threads options test
 env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  GO111MODULE: auto
+  CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true'
 on:
  push:
    branches:
@@ -43,8 +44,6 @@ jobs:
        languages: java
        ram: 230
        threads: 1
-      env:
-        TEST_MODE: true
    - name: Assert Results
      shell: bash
      run: |
@@ -65,4 +64,4 @@ jobs:
          exit 1
        fi
    env:
-      INTERNAL_CODEQL_ACTION_DEBUG_LOC: true
+      CODEQL_ACTION_TEST_MODE: true
@@ -7,6 +7,7 @@ name: 'PR Check - Go: Custom queries'
 env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  GO111MODULE: auto
+  CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true'
 on:
  push:
    branches:
@@ -72,7 +73,9 @@ jobs:
      uses: ./.github/prepare-test
      with:
        version: ${{ matrix.version }}
-    - uses: actions/setup-go@v3
+    - name: Set up Go
+      if: matrix.os == 'ubuntu-20.04' || matrix.os == 'windows-2019'
+      uses: actions/setup-go@v3
      with:
        go-version: ^1.13.1
    - uses: ./../action/init
@@ -80,14 +83,10 @@ jobs:
        languages: go
        config-file: ./.github/codeql/custom-queries.yml
        tools: ${{ steps.prepare-test.outputs.tools-url }}
-      env:
-        TEST_MODE: true
    - name: Build code
      shell: bash
      run: ./build.sh
    - uses: ./../action/analyze
-      env:
-        TEST_MODE: true
    env:
      DOTNET_GENERATE_ASPNET_CERTIFICATE: 'false'
-      INTERNAL_CODEQL_ACTION_DEBUG_LOC: true
+      CODEQL_ACTION_TEST_MODE: true
@@ -7,6 +7,7 @@ name: 'PR Check - Go: tracing with autobuilder step'
 env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  GO111MODULE: auto
+  CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true'
 on:
  push:
    branches:
@@ -60,19 +61,17 @@ jobs:
      uses: ./.github/prepare-test
      with:
        version: ${{ matrix.version }}
-    - uses: actions/setup-go@v3
+    - name: Set up Go
+      if: matrix.os == 'ubuntu-20.04' || matrix.os == 'windows-2019'
+      uses: actions/setup-go@v3
      with:
        go-version: ^1.13.1
    - uses: ./../action/init
      with:
        languages: go
        tools: ${{ steps.prepare-test.outputs.tools-url }}
-      env:
-        TEST_MODE: true
    - uses: ./../action/autobuild
    - uses: ./../action/analyze
-      env:
-        TEST_MODE: true
    - shell: bash
      run: |
        if [[ "${CODEQL_ACTION_DID_AUTOBUILD_GOLANG}" != true ]]; then
@@ -87,4 +86,4 @@ jobs:
        fi
    env:
      DOTNET_GENERATE_ASPNET_CERTIFICATE: 'false'
-      INTERNAL_CODEQL_ACTION_DEBUG_LOC: true
+      CODEQL_ACTION_TEST_MODE: true
@@ -7,6 +7,7 @@ name: 'PR Check - Go: tracing with custom build steps'
 env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  GO111MODULE: auto
+  CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true'
 on:
  push:
    branches:
@@ -60,21 +61,19 @@ jobs:
      uses: ./.github/prepare-test
      with:
        version: ${{ matrix.version }}
-    - uses: actions/setup-go@v3
+    - name: Set up Go
+      if: matrix.os == 'ubuntu-20.04' || matrix.os == 'windows-2019'
+      uses: actions/setup-go@v3
      with:
        go-version: ^1.13.1
    - uses: ./../action/init
      with:
        languages: go
        tools: ${{ steps.prepare-test.outputs.tools-url }}
-      env:
-        TEST_MODE: true
    - name: Build code
      shell: bash
      run: go build main.go
    - uses: ./../action/analyze
-      env:
-        TEST_MODE: true
    - shell: bash
      run: |
        # Once we start running Bash 4.2 in all environments, we can replace the
@@ -91,4 +90,4 @@ jobs:
          exit 1
        fi
    env:
-      INTERNAL_CODEQL_ACTION_DEBUG_LOC: true
+      CODEQL_ACTION_TEST_MODE: true
@@ -7,6 +7,7 @@ name: 'PR Check - Go: tracing with legacy workflow'
 env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  GO111MODULE: auto
+  CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true'
 on:
  push:
    branches:
@@ -60,18 +61,16 @@ jobs:
      uses: ./.github/prepare-test
      with:
        version: ${{ matrix.version }}
-    - uses: actions/setup-go@v3
+    - name: Set up Go
+      if: matrix.os == 'ubuntu-20.04' || matrix.os == 'windows-2019'
+      uses: actions/setup-go@v3
      with:
        go-version: ^1.13.1
    - uses: ./../action/init
      with:
        languages: go
        tools: ${{ steps.prepare-test.outputs.tools-url }}
-      env:
-        TEST_MODE: true
    - uses: ./../action/analyze
-      env:
-        TEST_MODE: true
    - shell: bash
      run: |
        cd "$RUNNER_TEMP/codeql_databases"
@@ -81,4 +80,4 @@ jobs:
        fi
    env:
      DOTNET_GENERATE_ASPNET_CERTIFICATE: 'false'
-      INTERNAL_CODEQL_ACTION_DEBUG_LOC: true
+      CODEQL_ACTION_TEST_MODE: true
@@ -7,6 +7,7 @@ name: 'PR Check - Packaging: Download using registries'
 env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  GO111MODULE: auto
+  CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true'
 on:
  push:
    branches:
@@ -54,8 +55,6 @@ jobs:
            packages: "*/*"
            token: "${{ secrets.GITHUB_TOKEN }}"

-      env:
-        TEST_MODE: true
    - name: Verify packages installed
      shell: bash
      run: |
@@ -78,4 +77,4 @@ jobs:
            exit 1
        fi
    env:
-      INTERNAL_CODEQL_ACTION_DEBUG_LOC: true
+      CODEQL_ACTION_TEST_MODE: true
@@ -7,6 +7,7 @@ name: PR Check - Custom source root
 env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  GO111MODULE: auto
+  CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true'
 on:
  push:
    branches:
@@ -52,8 +53,6 @@ jobs:
        languages: javascript
        source-root: ../new-source-root
        tools: ${{ steps.prepare-test.outputs.tools-url }}
-      env:
-        TEST_MODE: true
    - uses: ./../action/analyze
      with:
        skip-queries: true
@@ -67,4 +66,4 @@ jobs:
          exit 1
        fi
    env:
-      INTERNAL_CODEQL_ACTION_DEBUG_LOC: true
+      CODEQL_ACTION_TEST_MODE: true
@@ -7,6 +7,7 @@ name: PR Check - ML-powered queries
 env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  GO111MODULE: auto
+  CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true'
 on:
  push:
    branches:
@@ -60,21 +61,22 @@ jobs:
      uses: ./.github/prepare-test
      with:
        version: ${{ matrix.version }}
+    - name: Set up Go
+      if: matrix.os == 'ubuntu-20.04' || matrix.os == 'windows-2019'
+      uses: actions/setup-go@v3
+      with:
+        go-version: ^1.13.1
    - uses: ./../action/init
      with:
        languages: javascript
        queries: security-extended
        source-root: ./../action/tests/ml-powered-queries-repo
        tools: ${{ steps.prepare-test.outputs.tools-url }}
-      env:
-        TEST_MODE: true

    - uses: ./../action/analyze
      with:
        output: ${{ runner.temp }}/results
        upload-database: false
-      env:
-        TEST_MODE: true

    - name: Upload SARIF
      uses: actions/upload-artifact@v3
@@ -86,8 +88,7 @@ jobs:
    - name: Check sarif
      uses: ./../action/.github/check-sarif
    # Running on Windows requires CodeQL CLI 2.9.0+.
-      if: "!(matrix.version == 'stable-20220120' && (matrix.os == 'windows-latest'\
-        \ || matrix.os == 'windows-2019'))"
+      if: "!(matrix.version == 'stable-20220120' && runner.os == 'Windows')"
      with:
        sarif-file: ${{ runner.temp }}/results/javascript.sarif
        queries-run: js/ml-powered/nosql-injection,js/ml-powered/path-injection,js/ml-powered/sql-injection,js/ml-powered/xss
@@ -97,7 +98,7 @@ jobs:
      env:
      # Running on Windows requires CodeQL CLI 2.9.0+.
        SHOULD_RUN_ML_POWERED_QUERIES: ${{ !(matrix.version == 'stable-20220120' &&
-          (matrix.os == 'windows-latest' || matrix.os == 'windows-2019')) }}
+          runner.os == 'Windows') }}
      shell: bash
      run: |
        echo "Expecting ML-powered queries to be run: ${SHOULD_RUN_ML_POWERED_QUERIES}"
@@ -132,4 +133,4 @@ jobs:
          exit 1
        fi
    env:
-      INTERNAL_CODEQL_ACTION_DEBUG_LOC: true
+      CODEQL_ACTION_TEST_MODE: true
@@ -7,6 +7,7 @@ name: PR Check - Multi-language repository
 env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  GO111MODULE: auto
+  CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true'
 on:
  push:
    branches:
@@ -60,20 +61,30 @@ jobs:
      uses: ./.github/prepare-test
      with:
        version: ${{ matrix.version }}
+    - name: Set up Go
+      if: matrix.os == 'ubuntu-20.04' || matrix.os == 'windows-2019'
+      uses: actions/setup-go@v3
+      with:
+        go-version: ^1.13.1
    - uses: ./../action/init
+      id: init
      with:
        db-location: ${{ runner.temp }}/customDbLocation
        tools: ${{ steps.prepare-test.outputs.tools-url }}
-      env:
-        TEST_MODE: true
+
+    - uses: ./../action/.github/setup-swift
+      with:
+        codeql-path: ${{steps.init.outputs.codeql-path}}
+
    - name: Build code
      shell: bash
      run: ./build.sh
+
    - uses: ./../action/analyze
      id: analysis
-      env:
-        TEST_MODE: true
-    - shell: bash
+
+    - name: Check language autodetect for all languages excluding Ruby, Swift
+      shell: bash
      run: |
        CPP_DB=${{ fromJson(steps.analysis.outputs.db-locations).cpp }}
        if [[ ! -d $CPP_DB ]] || [[ ! $CPP_DB == ${{ runner.temp }}/customDbLocation/* ]]; then
@@ -105,5 +116,28 @@ jobs:
          echo "Did not create a database for Python, or created it in the wrong location."
          exit 1
        fi
+
+    - name: Check language autodetect for Ruby
+      if: (matrix.version == 'cached' || matrix.version == 'latest' || matrix.version
+        == 'nightly-latest')
+      shell: bash
+      run: |
+        RUBY_DB=${{ fromJson(steps.analysis.outputs.db-locations).ruby }}
+        if [[ ! -d $RUBY_DB ]] || [[ ! $RUBY_DB == ${{ runner.temp }}/customDbLocation/* ]]; then
+          echo "Did not create a database for Ruby, or created it in the wrong location."
+          exit 1
+        fi
+
+    - name: Check language autodetect for Swift
+      if: (matrix.version == 'cached' || matrix.version == 'latest' || matrix.version
+        == 'nightly-latest')
+      shell: bash
+      run: |
+        SWIFT_DB=${{ fromJson(steps.analysis.outputs.db-locations).swift }}
+        if [[ ! -d $SWIFT_DB ]] || [[ ! $SWIFT_DB == ${{ runner.temp }}/customDbLocation/* ]]; then
+          echo "Did not create a database for Swift, or created it in the wrong location."
+          exit 1
+        fi
    env:
-      INTERNAL_CODEQL_ACTION_DEBUG_LOC: true
+      CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT: 'true' # Remove when Swift is GA.
+      CODEQL_ACTION_TEST_MODE: true
@@ -7,6 +7,7 @@ name: 'PR Check - Packaging: Config and input passed to the CLI'
 env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  GO111MODULE: auto
+  CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true'
 on:
  push:
    branches:
@@ -60,16 +61,12 @@ jobs:
        packs: +dsp-testing/codeql-pack1@1.0.0
        languages: javascript
        tools: ${{ steps.prepare-test.outputs.tools-url }}
-      env:
-        TEST_MODE: true
    - name: Build code
      shell: bash
      run: ./build.sh
    - uses: ./../action/analyze
      with:
        output: ${{ runner.temp }}/results
-      env:
-        TEST_MODE: true

    - name: Check results
      uses: ./../action/.github/check-sarif
@@ -95,4 +92,4 @@ jobs:
    env:
      CODEQL_PASS_CONFIG_TO_CLI: true

-      INTERNAL_CODEQL_ACTION_DEBUG_LOC: true
+      CODEQL_ACTION_TEST_MODE: true
@@ -7,6 +7,7 @@ name: 'PR Check - Packaging: Config and input'
 env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  GO111MODULE: auto
+  CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true'
 on:
  push:
    branches:
@@ -60,16 +61,12 @@ jobs:
        packs: +dsp-testing/codeql-pack1@1.0.0
        languages: javascript
        tools: ${{ steps.prepare-test.outputs.tools-url }}
-      env:
-        TEST_MODE: true
    - name: Build code
      shell: bash
      run: ./build.sh
    - uses: ./../action/analyze
      with:
        output: ${{ runner.temp }}/results
-      env:
-        TEST_MODE: true

    - name: Check results
      uses: ./../action/.github/check-sarif
@@ -93,4 +90,4 @@ jobs:
          exit 1
        fi
    env:
-      INTERNAL_CODEQL_ACTION_DEBUG_LOC: true
+      CODEQL_ACTION_TEST_MODE: true
@@ -7,6 +7,7 @@ name: 'PR Check - Packaging: Config file'
 env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  GO111MODULE: auto
+  CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true'
 on:
  push:
    branches:
@@ -59,16 +60,12 @@ jobs:
        config-file: .github/codeql/codeql-config-packaging.yml
        languages: javascript
        tools: ${{ steps.prepare-test.outputs.tools-url }}
-      env:
-        TEST_MODE: true
    - name: Build code
      shell: bash
      run: ./build.sh
    - uses: ./../action/analyze
      with:
        output: ${{ runner.temp }}/results
-      env:
-        TEST_MODE: true

    - name: Check results
      uses: ./../action/.github/check-sarif
@@ -92,4 +89,4 @@ jobs:
          exit 1
        fi
    env:
-      INTERNAL_CODEQL_ACTION_DEBUG_LOC: true
+      CODEQL_ACTION_TEST_MODE: true
@@ -7,6 +7,7 @@ name: 'PR Check - Packaging: Action input'
 env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  GO111MODULE: auto
+  CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true'
 on:
  push:
    branches:
@@ -60,16 +61,12 @@ jobs:
        languages: javascript
        packs: dsp-testing/codeql-pack1@1.0.0, dsp-testing/codeql-pack2, dsp-testing/codeql-pack3:other-query.ql
        tools: ${{ steps.prepare-test.outputs.tools-url }}
-      env:
-        TEST_MODE: true
    - name: Build code
      shell: bash
      run: ./build.sh
    - uses: ./../action/analyze
      with:
        output: ${{ runner.temp }}/results
-      env:
-        TEST_MODE: true

    - name: Check results
      uses: ./../action/.github/check-sarif
@@ -93,4 +90,4 @@ jobs:
          exit 1
        fi
    env:
-      INTERNAL_CODEQL_ACTION_DEBUG_LOC: true
+      CODEQL_ACTION_TEST_MODE: true
@@ -7,6 +7,7 @@ name: PR Check - Remote config file
 env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  GO111MODULE: auto
+  CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true'
 on:
  push:
    branches:
@@ -72,19 +73,20 @@ jobs:
      uses: ./.github/prepare-test
      with:
        version: ${{ matrix.version }}
+    - name: Set up Go
+      if: matrix.os == 'ubuntu-20.04' || matrix.os == 'windows-2019'
+      uses: actions/setup-go@v3
+      with:
+        go-version: ^1.13.1
    - uses: ./../action/init
      with:
        tools: ${{ steps.prepare-test.outputs.tools-url }}
        languages: cpp,csharp,java,javascript,python
        config-file: ${{ github.repository }}/tests/multi-language-repo/.github/codeql/custom-queries.yml@${{
          github.sha }}
-      env:
-        TEST_MODE: true
    - name: Build code
      shell: bash
      run: ./build.sh
    - uses: ./../action/analyze
-      env:
-        TEST_MODE: true
    env:
-      INTERNAL_CODEQL_ACTION_DEBUG_LOC: true
+      CODEQL_ACTION_TEST_MODE: true
@@ -7,6 +7,7 @@ name: PR Check - RuboCop multi-language
 env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  GO111MODULE: auto
+  CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true'
 on:
  push:
    branches:
@@ -58,7 +59,5 @@ jobs:
    - uses: ./../action/upload-sarif
      with:
        sarif_file: rubocop.sarif
-      env:
-        TEST_MODE: true
    env:
-      INTERNAL_CODEQL_ACTION_DEBUG_LOC: true
+      CODEQL_ACTION_TEST_MODE: true
@@ -1,70 +0,0 @@
-# Warning: This file is generated automatically, and should not be modified.
-# Instead, please modify the template in the pr-checks directory and run:
-#     pip install ruamel.yaml && python3 sync.py
-# to regenerate this file.
-
-name: PR Check - Ruby analysis using autodetect
-env:
-  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-  GO111MODULE: auto
-on:
-  push:
-    branches:
-    - main
-    - releases/v1
-    - releases/v2
-  pull_request:
-    types:
-    - opened
-    - synchronize
-    - reopened
-    - ready_for_review
-  workflow_dispatch: {}
-jobs:
-  ruby-autodetect:
-    strategy:
-      matrix:
-        include:
-        - os: ubuntu-latest
-          version: latest
-        - os: macos-latest
-          version: latest
-        - os: ubuntu-latest
-          version: cached
-        - os: macos-latest
-          version: cached
-        - os: ubuntu-latest
-          version: nightly-latest
-        - os: macos-latest
-          version: nightly-latest
-    name: Ruby analysis using autodetect
-    timeout-minutes: 45
-    runs-on: ${{ matrix.os }}
-    steps:
-    - name: Check out repository
-      uses: actions/checkout@v3
-    - name: Prepare test
-      id: prepare-test
-      uses: ./.github/prepare-test
-      with:
-        version: ${{ matrix.version }}
-    - uses: ./../action/init
-      with:
-        tools: ${{ steps.prepare-test.outputs.tools-url }}
-      env:
-        TEST_MODE: true
-    - uses: ./../action/analyze
-      id: analysis
-      env:
-        TEST_MODE: true
-    - name: Check database
-      shell: bash
-      run: |
-        RUBY_DB="${{ fromJson(steps.analysis.outputs.db-locations).ruby }}"
-        if [[ ! -d "$RUBY_DB" ]]; then
-          echo "Did not create a database for Ruby."
-          exit 1
-        fi
-    env:
-      CODEQL_ENABLE_EXPERIMENTAL_FEATURES: 'true'
-      INTERNAL_CODEQL_ACTION_DEBUG_LOC: true
@@ -7,6 +7,7 @@ name: PR Check - Ruby analysis
 env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  GO111MODULE: auto
+  CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true'
 on:
  push:
    branches:
@@ -52,12 +53,8 @@ jobs:
      with:
        languages: ruby
        tools: ${{ steps.prepare-test.outputs.tools-url }}
-      env:
-        TEST_MODE: true
    - uses: ./../action/analyze
      id: analysis
-      env:
-        TEST_MODE: true
    - name: Check database
      shell: bash
      run: |
@@ -67,5 +64,4 @@ jobs:
          exit 1
        fi
    env:
-      CODEQL_ENABLE_EXPERIMENTAL_FEATURES: 'true'
-      INTERNAL_CODEQL_ACTION_DEBUG_LOC: true
+      CODEQL_ACTION_TEST_MODE: true
@@ -7,6 +7,7 @@ name: PR Check - Split workflow
 env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  GO111MODULE: auto
+  CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true'
 on:
  push:
    branches:
@@ -54,8 +55,6 @@ jobs:
        packs: +dsp-testing/codeql-pack1@1.0.0
        languages: javascript
        tools: ${{ steps.prepare-test.outputs.tools-url }}
-      env:
-        TEST_MODE: true
    - name: Build code
      shell: bash
      run: ./build.sh
@@ -63,8 +62,6 @@ jobs:
      with:
        skip-queries: true
        output: ${{ runner.temp }}/results
-      env:
-        TEST_MODE: true

    - name: Assert No Results
      shell: bash
@@ -77,8 +74,6 @@ jobs:
      with:
        output: ${{ runner.temp }}/results
        upload-database: false
-      env:
-        TEST_MODE: true
    - name: Assert Results
      shell: bash
      run: |
@@ -94,4 +89,4 @@ jobs:
          exit 1
        fi
    env:
-      INTERNAL_CODEQL_ACTION_DEBUG_LOC: true
+      CODEQL_ACTION_TEST_MODE: true
@@ -0,0 +1,73 @@
+# Warning: This file is generated automatically, and should not be modified.
+# Instead, please modify the template in the pr-checks directory and run:
+#     pip install ruamel.yaml && python3 sync.py
+# to regenerate this file.
+
+name: PR Check - Submit SARIF after failure
+env:
+  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+  GO111MODULE: auto
+  CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true'
+on:
+  push:
+    branches:
+    - main
+    - releases/v1
+    - releases/v2
+  pull_request:
+    types:
+    - opened
+    - synchronize
+    - reopened
+    - ready_for_review
+  workflow_dispatch: {}
+jobs:
+  submit-sarif-failure:
+    strategy:
+      matrix:
+        include:
+        - os: ubuntu-latest
+          version: latest
+        - os: ubuntu-latest
+          version: cached
+        - os: ubuntu-latest
+          version: nightly-latest
+    name: Submit SARIF after failure
+    timeout-minutes: 45
+    runs-on: ${{ matrix.os }}
+    steps:
+    - name: Check out repository
+      uses: actions/checkout@v3
+    - name: Prepare test
+      id: prepare-test
+      uses: ./.github/prepare-test
+      with:
+        version: ${{ matrix.version }}
+    - uses: actions/checkout@v3
+    - uses: ./init
+      with:
+        languages: javascript
+    - name: Fail
+    # We want this job to pass if the Action correctly uploads the SARIF file for
+    # the failed run.
+    # Setting this step to continue on error means that it is marked as completing
+    # successfully, so will not fail the job.
+      continue-on-error: true
+      run: exit 1
+    - uses: ./analyze
+    # In a real workflow, this step wouldn't run. Since we used `continue-on-error`
+    # above, we manually disable it with an `if` condition.
+      if: false
+      with:
+        category: /test-codeql-version:${{ matrix.version }}
+    env:
+  # Internal-only environment variable used to indicate that the post-init Action
+  # should expect to upload a SARIF file for the failed run.
+      CODEQL_ACTION_EXPECT_UPLOAD_FAILED_SARIF: true
+  # Make sure the uploading SARIF files feature is enabled.
+      CODEQL_ACTION_UPLOAD_FAILED_SARIF: true
+  # Upload the failed SARIF file as an integration test of the API endpoint.
+      CODEQL_ACTION_TEST_MODE: false
+  # Mark telemetry for this workflow so it can be treated separately.
+      CODEQL_ACTION_TESTING_ENVIRONMENT: codeql-action-pr-checks
+
@@ -7,6 +7,7 @@ name: PR Check - Swift analysis using autobuild
 env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  GO111MODULE: auto
+  CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true'
 on:
  push:
    branches:
@@ -43,16 +44,19 @@ jobs:
      with:
        version: ${{ matrix.version }}
    - uses: ./../action/init
+      id: init
      with:
        languages: swift
        tools: ${{ steps.prepare-test.outputs.tools-url }}
-      env:
-        TEST_MODE: true
+    - uses: ./../action/.github/setup-swift
+      with:
+        codeql-path: ${{steps.init.outputs.codeql-path}}
+    - name: Check working directory
+      shell: bash
+      run: pwd
    - uses: ./../action/autobuild
    - uses: ./../action/analyze
      id: analysis
-      env:
-        TEST_MODE: true
    - name: Check database
      shell: bash
      run: |
@@ -62,5 +66,5 @@ jobs:
          exit 1
        fi
    env:
-      CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT: 'true'
-      INTERNAL_CODEQL_ACTION_DEBUG_LOC: true
+      CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT: 'true' # Remove when Swift is GA.
+      CODEQL_ACTION_TEST_MODE: true
@@ -7,6 +7,7 @@ name: PR Check - Swift analysis using a custom build command
 env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  GO111MODULE: auto
+  CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true'
 on:
  push:
    branches:
@@ -49,18 +50,21 @@ jobs:
      with:
        version: ${{ matrix.version }}
    - uses: ./../action/init
+      id: init
      with:
        languages: swift
        tools: ${{ steps.prepare-test.outputs.tools-url }}
-      env:
-        TEST_MODE: true
+    - uses: ./../action/.github/setup-swift
+      with:
+        codeql-path: ${{steps.init.outputs.codeql-path}}
+    - name: Check working directory
+      shell: bash
+      run: pwd
    - name: Build code
      shell: bash
      run: ./build.sh
    - uses: ./../action/analyze
      id: analysis
-      env:
-        TEST_MODE: true
    - name: Check database
      shell: bash
      run: |
@@ -70,6 +74,6 @@ jobs:
          exit 1
        fi
    env:
-      CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT: 'true'
+      CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT: 'true' # Remove when Swift is GA.
      DOTNET_GENERATE_ASPNET_CERTIFICATE: 'false'
-      INTERNAL_CODEQL_ACTION_DEBUG_LOC: true
+      CODEQL_ACTION_TEST_MODE: true
@@ -7,6 +7,7 @@ name: PR Check - Autobuild working directory
 env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  GO111MODULE: auto
+  CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true'
 on:
  push:
    branches:
@@ -49,14 +50,10 @@ jobs:
      with:
        languages: java
        tools: ${{ steps.prepare-test.outputs.tools-url }}
-      env:
-        TEST_MODE: true
    - uses: ./../action/autobuild
      with:
        working-directory: autobuild-dir
    - uses: ./../action/analyze
-      env:
-        TEST_MODE: true
    - name: Check database
      shell: bash
      run: |
@@ -66,4 +63,4 @@ jobs:
          exit 1
        fi
    env:
-      INTERNAL_CODEQL_ACTION_DEBUG_LOC: true
+      CODEQL_ACTION_TEST_MODE: true
@@ -7,6 +7,7 @@ name: PR Check - Local CodeQL bundle
 env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  GO111MODULE: auto
+  CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true'
 on:
  push:
    branches:
@@ -47,13 +48,9 @@ jobs:
    - uses: ./../action/init
      with:
        tools: ./codeql-bundle.tar.gz
-      env:
-        TEST_MODE: true
    - name: Build code
      shell: bash
      run: ./build.sh
    - uses: ./../action/analyze
-      env:
-        TEST_MODE: true
    env:
-      INTERNAL_CODEQL_ACTION_DEBUG_LOC: true
+      CODEQL_ACTION_TEST_MODE: true
@@ -7,6 +7,7 @@ name: PR Check - Proxy test
 env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  GO111MODULE: auto
+  CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true'
 on:
  push:
    branches:
@@ -42,14 +43,10 @@ jobs:
      with:
        languages: javascript
        tools: ${{ steps.prepare-test.outputs.tools-url }}
-      env:
-        TEST_MODE: true
    - uses: ./../action/analyze
-      env:
-        TEST_MODE: true
    env:
      https_proxy: http://squid-proxy:3128
-      INTERNAL_CODEQL_ACTION_DEBUG_LOC: true
+      CODEQL_ACTION_TEST_MODE: true
    container:
      image: ubuntu:22.04
      options: --dns 127.0.0.1
@@ -7,6 +7,7 @@ name: PR Check - Test unsetting environment variables
 env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  GO111MODULE: auto
+  CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true'
 on:
  push:
    branches:
@@ -48,19 +49,23 @@ jobs:
      uses: ./.github/prepare-test
      with:
        version: ${{ matrix.version }}
+    - name: Set up Go
+      if: matrix.os == 'ubuntu-20.04' || matrix.os == 'windows-2019'
+      uses: actions/setup-go@v3
+      with:
+        go-version: ^1.13.1
    - uses: ./../action/init
      with:
        db-location: ${{ runner.temp }}/customDbLocation
        tools: ${{ steps.prepare-test.outputs.tools-url }}
-      env:
-        TEST_MODE: true
    - name: Build code
      shell: bash
-      run: env -i PATH="$PATH" HOME="$HOME" ./build.sh
+    # Disable Kotlin analysis while it's incompatible with Kotlin 1.8, until we find a
+    # workaround for our PR checks.
+      run: env -i CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN=true PATH="$PATH" HOME="$HOME"
+        ./build.sh
    - uses: ./../action/analyze
      id: analysis
-      env:
-        TEST_MODE: true
    - shell: bash
      run: |
        CPP_DB="${{ fromJson(steps.analysis.outputs.db-locations).cpp }}"
@@ -100,4 +105,4 @@ jobs:
          exit 1
        fi
    env:
-      INTERNAL_CODEQL_ACTION_DEBUG_LOC: true
+      CODEQL_ACTION_TEST_MODE: true
@@ -7,6 +7,7 @@ name: "PR Check - Upload-sarif: 'ref' and 'sha' from inputs"
 env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  GO111MODULE: auto
+  CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true'
 on:
  push:
    branches:
@@ -72,14 +73,17 @@ jobs:
      uses: ./.github/prepare-test
      with:
        version: ${{ matrix.version }}
+    - name: Set up Go
+      if: matrix.os == 'ubuntu-20.04' || matrix.os == 'windows-2019'
+      uses: actions/setup-go@v3
+      with:
+        go-version: ^1.13.1
    - uses: ./../action/init
      with:
        tools: ${{ steps.prepare-test.outputs.tools-url }}
        languages: cpp,csharp,java,javascript,python
        config-file: ${{ github.repository }}/tests/multi-language-repo/.github/codeql/custom-queries.yml@${{
          github.sha }}
-      env:
-        TEST_MODE: true
    - name: Build code
      shell: bash
      run: ./build.sh
@@ -88,13 +92,9 @@ jobs:
        ref: refs/heads/main
        sha: 5e235361806c361d4d3f8859e3c897658025a9a2
        upload: false
-      env:
-        TEST_MODE: true
    - uses: ./../action/upload-sarif
      with:
        ref: refs/heads/main
        sha: 5e235361806c361d4d3f8859e3c897658025a9a2
-      env:
-        TEST_MODE: true
    env:
-      INTERNAL_CODEQL_ACTION_DEBUG_LOC: true
+      CODEQL_ACTION_TEST_MODE: true
@@ -7,6 +7,7 @@ name: PR Check - Use a custom `checkout_path`
 env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  GO111MODULE: auto
+  CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true'
 on:
  push:
    branches:
@@ -72,6 +73,11 @@ jobs:
      uses: ./.github/prepare-test
      with:
        version: ${{ matrix.version }}
+    - name: Set up Go
+      if: matrix.os == 'ubuntu-20.04' || matrix.os == 'windows-2019'
+      uses: actions/setup-go@v3
+      with:
+        go-version: ^1.13.1
    - uses: actions/checkout@v3
      with:
        ref: 474bbf07f9247ffe1856c6a0f94aeeb10e7afee6
@@ -83,8 +89,6 @@ jobs:
        languages: csharp,javascript
        source-path: x/y/z/some-path/tests/multi-language-repo
        debug: true
-      env:
-        TEST_MODE: true
    - name: Build code (non-windows)
      shell: bash
      if: ${{ runner.os != 'Windows' }}
@@ -101,16 +105,12 @@ jobs:
        ref: v1.1.0
        sha: 474bbf07f9247ffe1856c6a0f94aeeb10e7afee6
        upload: false
-      env:
-        TEST_MODE: true

    - uses: ./../action/upload-sarif
      with:
        ref: v1.1.0
        sha: 474bbf07f9247ffe1856c6a0f94aeeb10e7afee6
        checkout_path: x/y/z/some-path/tests/multi-language-repo
-      env:
-        TEST_MODE: true

    - name: Verify SARIF after upload
      shell: bash
@@ -141,4 +141,4 @@ jobs:
          exit 1
        fi
    env:
-      INTERNAL_CODEQL_ACTION_DEBUG_LOC: true
+      CODEQL_ACTION_TEST_MODE: true
@@ -8,6 +8,12 @@ on:
    # Run checks on reopened draft PRs to support triggering PR checks on draft PRs that were opened
    # by other workflows.
    types: [opened, synchronize, reopened, ready_for_review]
+  schedule:
+    # Weekly on Sunday.
+    - cron: '30 1 * * 0'
+
+env:
+  CODEQL_ACTION_TESTING_ENVIRONMENT: codeql-action-pr-checks

 jobs:
  # Identify the CodeQL tool versions to use in the analysis job.
@@ -51,7 +57,7 @@ jobs:
        # be the same as `tools: null`. This allows us to make the job for each of the bundles a
        # required status check.
        #
-        # If we're running on push, then we can skip running with `tools: latest` when it would be
+        # If we're running on push or schedule, then we can skip running with `tools: latest` when it would be
        # the same as running with `tools: null`.
        if [[ "$GITHUB_EVENT_NAME" != "pull_request" && "$CODEQL_VERSION_DEFAULT" == "$CODEQL_VERSION_LATEST" ]]; then
          VERSIONS_JSON='[null]'
@@ -75,8 +81,10 @@ jobs:
      security-events: write

    steps:
-    - uses: actions/checkout@v3
-    - uses: ./init
+    - name: Checkout
+      uses: actions/checkout@v3
+    - name: Initialize CodeQL
+      uses: ./init
      id: init
      with:
        languages: javascript
@@ -85,4 +93,5 @@ jobs:
    # confirm steps.init.outputs.codeql-path points to the codeql binary
    - name: Print CodeQL Version
      run: ${{steps.init.outputs.codeql-path}} version --format=json
-    - uses: ./analyze
+    - name: Perform CodeQL Analysis
+      uses: ./analyze
@@ -2,6 +2,9 @@
 # when the analyze step fails.
 name: PR Check - Debug artifacts after failure
 env:
+  # Disable Kotlin analysis while it's incompatible with Kotlin 1.8, until we find a
+  # workaround for our PR checks.
+  CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: true
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 on:
  push:
@@ -23,6 +26,8 @@ jobs:
        os: [ubuntu-latest, macos-latest]
    name: Upload debug artifacts after failure in analyze
    continue-on-error: true
+    env:
+      CODEQL_ACTION_TEST_MODE: true
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
@@ -44,8 +49,6 @@ jobs:
          debug: true
          debug-artifact-name: my-debug-artifacts
          debug-database-name: my-db
-        env:
-          TEST_MODE: true
      - name: Build code
        shell: bash
        run: ./build.sh
@@ -54,8 +57,6 @@ jobs:
        with:
          expect-error: true
          ram: 1
-        env:
-          TEST_MODE: true
  download-and-check-artifacts:
    name: Download and check debug artifacts after failure in analyze
    needs: upload-artifacts
@@ -91,4 +92,3 @@ jobs:
          done
        env:
          GO111MODULE: auto
-          INTERNAL_CODEQL_ACTION_DEBUG_LOC: true
@@ -1,6 +1,9 @@
 # Checks logs, SARIF, and database bundle debug artifacts exist.
 name: PR Check - Debug artifact upload
 env:
+  # Disable Kotlin analysis while it's incompatible with Kotlin 1.8, until we find a
+  # workaround for our PR checks.
+  CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: true
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 on:
  push:
@@ -45,6 +48,8 @@ jobs:
        - os: macos-latest
          version: nightly-latest
    name: Upload debug artifacts
+    env:
+      CODEQL_ACTION_TEST_MODE: true
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
@@ -64,15 +69,11 @@ jobs:
          debug: true
          debug-artifact-name: my-debug-artifacts
          debug-database-name: my-db
-        env:
-          TEST_MODE: true
      - name: Build code
        shell: bash
        run: ./build.sh
      - uses: ./../action/analyze
        id: analysis  
-        env:
-          TEST_MODE: true
  download-and-check-artifacts:
    name: Download and check debug artifacts
    needs: upload-artifacts
@@ -117,4 +118,3 @@ jobs:
          done
        env:
          GO111MODULE: auto
-          INTERNAL_CODEQL_ACTION_DEBUG_LOC: true
@@ -17,6 +17,8 @@ on:
 jobs:
  expected-queries:
    name: Expected Queries Tests
+    env:
+      CODEQL_ACTION_TEST_MODE: true
    timeout-minutes: 45
    runs-on: ubuntu-latest
    steps:
@@ -31,15 +33,11 @@ jobs:
      with:
        languages: javascript
        tools: ${{ steps.prepare-test.outputs.tools-url }}
-      env:
-        TEST_MODE: true
    - uses: ./../action/analyze
      with:
        output: ${{ runner.temp }}/results
        upload-database: false
        upload: false
-      env:
-        TEST_MODE: true

    - name: Check Sarif
      uses: ./../action/.github/check-sarif
@@ -88,7 +88,7 @@ jobs:
          fi

      - name: Set up Python
-        uses: actions/setup-python@v3
+        uses: actions/setup-python@v4
        with:
          python-version: 3.8

@@ -28,17 +28,7 @@ jobs:
        matrix:
          os: [ubuntu-20.04, ubuntu-22.04, macos-latest]
          python_deps_type: [pipenv, poetry, requirements, setup_py]
-          python_version: [2, 3]
-          exclude:
-            # Python2 and poetry are not supported. See https://github.com/actions/setup-python/issues/374
-            - python_version: 2
-              python_deps_type: poetry
-            # Python2 and pipenv are not supported since pipenv v2021.11.5
-            - python_version: 2
-              python_deps_type: pipenv
-            # Python2 is not available on ubuntu-22.04 by default -- see https://github.com/github/codeql-action/pull/1257
-            - python_version: 2
-              os: ubuntu-22.04
+          python_version: [3]


    env:
@@ -138,16 +128,10 @@ jobs:
        fail-fast: false
        matrix:
          python_deps_type: [pipenv, poetry, requirements, setup_py]
-          python_version: [2, 3]
-          exclude:
-            # Python2 and poetry are not supported. See https://github.com/actions/setup-python/issues/374
-            - python_version: 2
-              python_deps_type: poetry
-            # Python2 and pipenv are not supported since pipenv v2021.11.5
-            - python_version: 2
-              python_deps_type: pipenv
+          python_version: [3]

    env:
+      CODEQL_ACTION_TEST_MODE: true
      PYTHON_DEPS_TYPE: ${{ matrix.python_deps_type }}
      PYTHON_VERSION: ${{ matrix.python_version }}

@@ -155,7 +139,7 @@ jobs:
    # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
    - uses: actions/checkout@v3

-    - uses: actions/setup-python@v3
+    - uses: actions/setup-python@v4
      with:
        python-version: ${{ matrix.python_version }}

@@ -165,8 +149,6 @@ jobs:
        tools: latest
        languages: python
        setup-python-dependencies: false
-      env:
-        TEST_MODE: true

    - name: Test Auto Package Installation
      run: |
@@ -1,412 +0,0 @@
-name: CodeQL Runner Checks
-
-on:
-  push:
-    branches: [main, releases/v1, releases/v2]
-  pull_request:
-    # Run checks on reopened draft PRs to support triggering PR checks on draft PRs that were opened
-    # by other workflows.
-    types: [opened, synchronize, reopened, ready_for_review]
-  workflow_dispatch:
-
-jobs:
-  runner-analyze-javascript-ubuntu:
-    name: Runner ubuntu JS analyze
-
-    timeout-minutes: 45
-    runs-on: ubuntu-latest
-
-    steps:
-      - uses: actions/checkout@v3
-
-      - name: Build runner
-        run: |
-          cd runner
-          npm install
-          npm run build-runner
-
-      - name: Run init
-        run: |
-          # Pass --config-file here, but not for other jobs in this workflow.
-          # This means we're testing the config file parsing in the runner
-          # but not slowing down all jobs unnecessarily as it doesn't add much
-          # testing the parsing on different operating systems and languages.
-          runner/dist/codeql-runner-linux init --repository $GITHUB_REPOSITORY --languages javascript --config-file ./.github/codeql/codeql-config.yml --github-url $GITHUB_SERVER_URL --github-auth ${{ github.token }}
-        env:
-          TEST_MODE: true
-
-      - name: Run analyze
-        run: |
-          runner/dist/codeql-runner-linux analyze --repository $GITHUB_REPOSITORY --commit $GITHUB_SHA --ref $GITHUB_REF --github-url $GITHUB_SERVER_URL --github-auth ${{ github.token }}
-        env:
-          TEST_MODE: true
-
-  runner-analyze-javascript-windows:
-    name: Runner windows JS analyze
-    timeout-minutes: 45
-    runs-on: windows-latest
-
-    steps:
-      - uses: actions/checkout@v3
-
-      - name: Build runner
-        run: |
-          cd runner
-          npm install
-          npm run build-runner
-
-      - name: Run init
-        run: |
-          runner/dist/codeql-runner-win.exe init --repository $Env:GITHUB_REPOSITORY --languages javascript --github-url $Env:GITHUB_SERVER_URL --github-auth ${{ github.token }}
-        env:
-          TEST_MODE: true
-
-      - name: Run analyze
-        run: |
-          runner/dist/codeql-runner-win.exe analyze --repository $Env:GITHUB_REPOSITORY --commit $Env:GITHUB_SHA --ref $Env:GITHUB_REF --github-url $Env:GITHUB_SERVER_URL --github-auth ${{ github.token }}
-        env:
-          TEST_MODE: true
-
-  runner-analyze-javascript-macos:
-    name: Runner macos JS analyze
-    timeout-minutes: 45
-    runs-on: macos-latest
-
-    steps:
-      - uses: actions/checkout@v3
-
-      - name: Build runner
-        run: |
-          cd runner
-          npm install
-          npm run build-runner
-
-      - name: Run init
-        run: |
-          runner/dist/codeql-runner-macos init --repository $GITHUB_REPOSITORY --languages javascript --config-file ./.github/codeql/codeql-config.yml --github-url $GITHUB_SERVER_URL --github-auth ${{ github.token }}
-        env:
-          TEST_MODE: true
-
-      - name: Run analyze
-        run: |
-          runner/dist/codeql-runner-macos analyze --repository $GITHUB_REPOSITORY --commit $GITHUB_SHA --ref $GITHUB_REF --github-url $GITHUB_SERVER_URL --github-auth ${{ github.token }}
-        env:
-          TEST_MODE: true
-
-  runner-analyze-csharp-ubuntu:
-    name: Runner ubuntu C# analyze
-    timeout-minutes: 45
-    runs-on: ubuntu-latest
-
-    steps:
-      - uses: actions/checkout@v3
-
-      - name: Move codeql-action
-        shell: bash
-        run: |
-          mkdir ../action
-          mv * .github ../action/
-          mv ../action/tests/multi-language-repo/{*,.github} .
-          mv ../action/.github/workflows .github
-
-      - name: Build runner
-        run: |
-          cd ../action/runner
-          npm install
-          npm run build-runner
-
-      - name: Run init
-        run: |
-          ../action/runner/dist/codeql-runner-linux init --repository $GITHUB_REPOSITORY --languages csharp --github-url $GITHUB_SERVER_URL --github-auth ${{ github.token }}
-        env:
-          TEST_MODE: true
-
-      - name: Build code
-        run: |
-          . ./codeql-runner/codeql-env.sh
-          $CODEQL_RUNNER dotnet build /p:UseSharedCompilation=false
-
-      - name: Run analyze
-        run: |
-          ../action/runner/dist/codeql-runner-linux analyze --repository $GITHUB_REPOSITORY --commit $GITHUB_SHA --ref $GITHUB_REF --github-url $GITHUB_SERVER_URL --github-auth ${{ github.token }}
-        env:
-          TEST_MODE: true
-
-  runner-analyze-csharp-windows:
-    name: Runner windows C# analyze
-
-    # Build tracing currently does not support Windows 2022, so use `windows-2019` instead of
-    # `windows-latest`.
-    timeout-minutes: 45
-    runs-on: windows-2019
-
-    steps:
-      - uses: actions/checkout@v3
-
-      - name: Move codeql-action
-        shell: bash
-        run: |
-          mkdir ../action
-          mv * .github ../action/
-          mv ../action/tests/multi-language-repo/{*,.github} .
-          mv ../action/.github/workflows .github
-
-      - name: Build runner
-        run: |
-          cd ../action/runner
-          npm install
-          npm run build-runner
-
-      - name: Run init
-        run: |
-          ../action/runner/dist/codeql-runner-win.exe init --repository $Env:GITHUB_REPOSITORY --languages csharp --github-url $Env:GITHUB_SERVER_URL --github-auth ${{ github.token }}
-        env:
-          TEST_MODE: true
-
-      - name: Build code
-        shell: powershell
-        run: |
-          cat ./codeql-runner/codeql-env.sh | Invoke-Expression
-          & $Env:CODEQL_RUNNER dotnet build /p:UseSharedCompilation=false
-
-      - name: Upload tracer logs
-        uses: actions/upload-artifact@v3
-        with:
-          name: tracer-logs
-          path: ./codeql-runner/compound-build-tracer.log
-
-      - name: Run analyze
-        run: |
-          ../action/runner/dist/codeql-runner-win.exe analyze --repository $Env:GITHUB_REPOSITORY --commit $Env:GITHUB_SHA --ref $Env:GITHUB_REF --github-url $Env:GITHUB_SERVER_URL --github-auth ${{ github.token }}
-        env:
-          TEST_MODE: true
-
-  runner-analyze-csharp-macos:
-    name: Runner macos C# analyze
-    timeout-minutes: 45
-
-    runs-on: macos-latest
-
-    steps:
-      - uses: actions/checkout@v3
-
-      - name: Move codeql-action
-        shell: bash
-        run: |
-          mkdir ../action
-          mv * .github ../action/
-          mv ../action/tests/multi-language-repo/{*,.github} .
-          mv ../action/.github/workflows .github
-
-      - name: Build runner
-        run: |
-          cd ../action/runner
-          npm install
-          npm run build-runner
-
-      - name: Run init
-        run: |
-          ../action/runner/dist/codeql-runner-macos init --repository $GITHUB_REPOSITORY --languages csharp --github-url $GITHUB_SERVER_URL --github-auth ${{ github.token }}
-        env:
-          TEST_MODE: true
-
-      - name: Build code
-        shell: bash
-        run: |
-          . ./codeql-runner/codeql-env.sh
-          $CODEQL_RUNNER dotnet build /p:UseSharedCompilation=false
-
-      - name: Run analyze
-        run: |
-          ../action/runner/dist/codeql-runner-macos analyze --repository $GITHUB_REPOSITORY --commit $GITHUB_SHA --ref $GITHUB_REF --github-url $GITHUB_SERVER_URL --github-auth ${{ github.token }}
-        env:
-          TEST_MODE: true
-
-  runner-analyze-csharp-autobuild-ubuntu:
-    name: Runner ubuntu autobuild C# analyze
-    timeout-minutes: 45
-
-    runs-on: ubuntu-latest
-
-    steps:
-      - uses: actions/checkout@v3
-
-      - name: Move codeql-action
-        shell: bash
-        run: |
-          mkdir ../action
-          mv * .github ../action/
-          mv ../action/tests/multi-language-repo/{*,.github} .
-          mv ../action/.github/workflows .github
-
-      - name: Build runner
-        run: |
-          cd ../action/runner
-          npm install
-          npm run build-runner
-
-      - name: Run init
-        run: |
-          ../action/runner/dist/codeql-runner-linux init --repository $GITHUB_REPOSITORY --languages csharp --github-url $GITHUB_SERVER_URL --github-auth ${{ github.token }}
-        env:
-          TEST_MODE: true
-
-      - name: Build code
-        run: |
-          ../action/runner/dist/codeql-runner-linux autobuild
-
-      - name: Run analyze
-        run: |
-          ../action/runner/dist/codeql-runner-linux analyze --repository $GITHUB_REPOSITORY --commit $GITHUB_SHA --ref $GITHUB_REF --github-url $GITHUB_SERVER_URL --github-auth ${{ github.token }}
-        env:
-          TEST_MODE: true
-
-  runner-analyze-csharp-autobuild-windows:
-    timeout-minutes: 45
-    name: Runner windows autobuild C# analyze
-
-    # Build tracing currently does not support Windows 2022, so use `windows-2019` instead of
-    # `windows-latest`.
-    runs-on: windows-2019
-
-    steps:
-      - uses: actions/checkout@v3
-
-      - name: Move codeql-action
-        shell: bash
-        run: |
-          mkdir ../action
-          mv * .github ../action/
-          mv ../action/tests/multi-language-repo/{*,.github} .
-          mv ../action/.github/workflows .github
-
-      - name: Build runner
-        run: |
-          cd ../action/runner
-          npm install
-          npm run build-runner
-
-      - name: Run init
-        run: |
-          ../action/runner/dist/codeql-runner-win.exe init --repository $Env:GITHUB_REPOSITORY --languages csharp --github-url $Env:GITHUB_SERVER_URL --github-auth ${{ github.token }}
-        env:
-          TEST_MODE: true
-
-      - name: Build code
-        shell: powershell
-        run: |
-          ../action/runner/dist/codeql-runner-win.exe autobuild
-
-      - name: Run analyze
-        run: |
-          ../action/runner/dist/codeql-runner-win.exe analyze --repository $Env:GITHUB_REPOSITORY --commit $Env:GITHUB_SHA --ref $Env:GITHUB_REF --github-url $Env:GITHUB_SERVER_URL --github-auth ${{ github.token }}
-        env:
-          TEST_MODE: true
-
-  runner-analyze-csharp-autobuild-macos:
-    name: Runner macos autobuild C# analyze
-
-    runs-on: macos-latest
-    timeout-minutes: 45
-
-    steps:
-      - uses: actions/checkout@v3
-
-      - name: Move codeql-action
-        shell: bash
-        run: |
-          mkdir ../action
-          mv * .github ../action/
-          mv ../action/tests/multi-language-repo/{*,.github} .
-          mv ../action/.github/workflows .github
-
-      - name: Build runner
-        run: |
-          cd ../action/runner
-          npm install
-          npm run build-runner
-
-      - name: Run init
-        run: |
-          ../action/runner/dist/codeql-runner-macos init --repository $GITHUB_REPOSITORY --languages csharp --github-url $GITHUB_SERVER_URL --github-auth ${{ github.token }}
-        env:
-          TEST_MODE: true
-
-      - name: Build code
-        shell: bash
-        run: |
-          . codeql-runner/codeql-env.sh
-          CODEQL_RUNNER="$(cat codeql-runner/codeql-env.json | jq -r '.CODEQL_RUNNER')"
-          echo "$CODEQL_RUNNER"
-          $CODEQL_RUNNER ../action/runner/dist/codeql-runner-macos autobuild
-
-      - name: Run analyze
-        run: |
-          ../action/runner/dist/codeql-runner-macos analyze --repository $GITHUB_REPOSITORY --commit $GITHUB_SHA --ref $GITHUB_REF --github-url $GITHUB_SERVER_URL --github-auth ${{ github.token }}
-        env:
-          TEST_MODE: true
-
-  runner-upload-sarif:
-    name: Runner upload sarif
-
-    runs-on: ubuntu-latest
-    timeout-minutes: 45
-
-    if: ${{ github.event_name != 'pull_request' || github.event.pull_request.base.repo.id == github.event.pull_request.head.repo.id }}
-
-    steps:
-      - uses: actions/checkout@v3
-
-      - name: Build runner
-        run: |
-          cd runner
-          npm install
-          npm run build-runner
-
-      - name: Upload with runner
-        run: |
-          # Deliberately don't use TEST_MODE here. This is specifically testing
-          # the compatibility with the API.
-          runner/dist/codeql-runner-linux upload --sarif-file src/testdata/empty-sarif.sarif --repository $GITHUB_REPOSITORY --commit $GITHUB_SHA --ref $GITHUB_REF --github-url $GITHUB_SERVER_URL --github-auth ${{ github.token }}
-
-  runner-extractor-ram-threads-options:
-    name: Runner ubuntu extractor RAM and threads options
-
-    runs-on: ubuntu-latest
-    timeout-minutes: 45
-
-    steps:
-      - uses: actions/checkout@v3
-
-      - name: Build runner
-        run: |
-          cd runner
-          npm install
-          npm run build-runner
-
-      - name: Run init
-        run: |
-          runner/dist/codeql-runner-linux init --ram=230 --threads=1 --repository $GITHUB_REPOSITORY --languages java --github-url $GITHUB_SERVER_URL --github-auth ${{ github.token }}
-        env:
-          TEST_MODE: true
-
-      - name: Assert Results
-        shell: bash
-        run: |
-          . ./codeql-runner/codeql-env.sh
-          if [ "${CODEQL_RAM}" != "230" ]; then
-            echo "CODEQL_RAM is '${CODEQL_RAM}' instead of 230"
-            exit 1
-          fi
-          if [ "${CODEQL_EXTRACTOR_JAVA_RAM}" != "230" ]; then
-            echo "CODEQL_EXTRACTOR_JAVA_RAM is '${CODEQL_EXTRACTOR_JAVA_RAM}' instead of 230"
-            exit 1
-          fi
-          if [ "${CODEQL_THREADS}" != "1" ]; then
-            echo "CODEQL_THREADS is '${CODEQL_THREADS}' instead of 1"
-            exit 1
-          fi
-          if [ "${CODEQL_EXTRACTOR_JAVA_THREADS}" != "1" ]; then
-            echo "CODEQL_EXTRACTOR_JAVA_THREADS is '${CODEQL_EXTRACTOR_JAVA_THREADS}' instead of 1"
-            exit 1
-          fi
@@ -10,7 +10,7 @@ fi

 if [ "$#" -eq 1 ]; then
  # If we were passed an argument, use that as the SHA
-  GITHUB_SHA="$0"
+  GITHUB_SHA="$1"
 elif [ "$#" -gt 1 ]; then
  echo "Usage: $0 [SHA]"
  echo "Update the required checks based on the SHA, or main."
@@ -23,7 +23,7 @@ fi
 echo "Getting checks for $GITHUB_SHA"

 # Ignore any checks with "https://", CodeQL, LGTM, and Update checks.
-CHECKS="$(gh api repos/github/codeql-action/commits/"${GITHUB_SHA}"/check-runs --paginate | jq --slurp --compact-output --raw-output '[.[].check_runs | .[].name | select(contains("https://") or . == "CodeQL" or . == "LGTM.com" or contains("Update") or contains("update") or contains("test-setup-python-scripts") | not)] | unique | sort')"
+CHECKS="$(gh api repos/github/codeql-action/commits/"${GITHUB_SHA}"/check-runs --paginate | jq --slurp --compact-output --raw-output '[.[].check_runs | .[].name | select(contains("https://") or . == "CodeQL" or . == "LGTM.com" or . == "check-expected-release-files" or contains("Update") or contains("update") or contains("test-setup-python-scripts") | not)] | unique | sort')"

 echo "$CHECKS" | jq

@@ -29,7 +29,7 @@ jobs:
        fetch-depth: 0

    - name: Set up Python
-      uses: actions/setup-python@v3
+      uses: actions/setup-python@v4
      with:
        python-version: 3.8

@@ -13,7 +13,7 @@ jobs:

    steps:
      - name: Setup Python
-        uses: actions/setup-python@v3
+        uses: actions/setup-python@v4
        with:
          python-version: "3.7"
      - name: Checkout CodeQL Action
@@ -35,7 +35,7 @@ jobs:
        env:
          ENTERPRISE_RELEASES_PATH: ${{ github.workspace }}/enterprise-releases/
      - name: Commit Changes
-        uses: peter-evans/create-pull-request@c7f493a8000b8aeb17a1332e326ba76b57cb83eb # v3.4.1
+        uses: peter-evans/create-pull-request@2b011faafdcbc9ceb11414d64d0573f37c774b04 # v4.2.3
        with:
          commit-message: Update supported GitHub Enterprise Server versions.
          title: Update supported GitHub Enterprise Server versions.
@@ -1,4 +1,2 @@
-/runner/dist/
-/runner/node_modules/
 # Ignore for example failing-tests.json from AVA
 node_modules/.cache
@@ -0,0 +1 @@
+lockfile-version=3
@@ -2,13 +2,36 @@

 ## [UNRELEASED]

+- Update default CodeQL bundle version to 2.12.0. [#1466](https://github.com/github/codeql-action/pull/1466)
+
+## 2.1.37 - 14 Dec 2022
+
+- Update default CodeQL bundle version to 2.11.6. [#1433](https://github.com/github/codeql-action/pull/1433)
+
+## 2.1.36 - 08 Dec 2022
+
+- Update default CodeQL bundle version to 2.11.5. [#1412](https://github.com/github/codeql-action/pull/1412)
+- Add a step that tries to upload a SARIF file for the workflow run when that workflow run fails. This will help better surface failed code scanning workflow runs. [#1393](https://github.com/github/codeql-action/pull/1393)
+- Python automatic dependency installation will no longer consider dependecy code installed in venv as user-written, for projects using Poetry that specify `virtualenvs.in-project = true` in their `poetry.toml`. [#1419](https://github.com/github/codeql-action/pull/1419).
+
+## 2.1.35 - 01 Dec 2022
+
+No user facing changes.
+
+## 2.1.34 - 25 Nov 2022
+
+- Update default CodeQL bundle version to 2.11.4. [#1391](https://github.com/github/codeql-action/pull/1391)
+- Fixed a bug where some the `init` action and the `analyze` action would have different sets of experimental feature flags enabled. [#1384](https://github.com/github/codeql-action/pull/1384)
+
+## 2.1.33 - 16 Nov 2022
+
 - Go is now analyzed in the same way as other compiled languages such as C/C++, C#, and Java. This completes the rollout of the feature described in [CodeQL Action version 2.1.27](#2127---06-oct-2022). [#1322](https://github.com/github/codeql-action/pull/1322)
+- Bump the minimum CodeQL bundle version to 2.6.3. [#1358](https://github.com/github/codeql-action/pull/1358)

 ## 2.1.32 - 14 Nov 2022

 - Update default CodeQL bundle version to 2.11.3. [#1348](https://github.com/github/codeql-action/pull/1348)
 - Update the ML-powered additional query pack for JavaScript to version 0.4.0. [#1351](https://github.com/github/codeql-action/pull/1351)
- Bump the minimum CodeQL bundle version to 2.6.3. [#1358](https://github.com/github/codeql-action/pull/1358)

 ## 2.1.31 - 04 Nov 2022

@@ -38,10 +38,6 @@ To see the effect of your changes and to test them, push your changes in a branc

 As well as the unit tests (see _Common tasks_ above), there are integration tests, defined in `.github/workflows/integration-testing.yml`.  These are run by a CI check.  Depending on the change you’re making, you may want to add a test to this file or extend an existing one.

-### Building the CodeQL runner
-
-Navigate to the `runner` directory and run `npm install` to install dependencies needed only for compiling the CodeQL runner. Run `npm run build-runner` to output files to the `runner/dist` directory.
-
 ## Submitting a pull request

 1. [Fork][fork] and clone the repository
@@ -59,7 +59,7 @@ jobs:
        uses: github/codeql-action/init@v2
        # Override language selection by uncommenting this and choosing your languages
        # with:
-        #   languages: go, javascript, csharp, python, cpp, java
+        #   languages: go, javascript, csharp, python, cpp, java, ruby

      # Autobuild attempts to build any compiled languages (C/C++, C#, Go, or Java).
      # If this step fails, then you should remove it and run the build manually (see below).
@@ -12,6 +12,7 @@ inputs:
  upload:
    description: Upload the SARIF file to Code Scanning
    required: false
+    # If changing this, make sure to update workflow.ts accordingly.
    default: "true"
  cleanup-level:
    description: "Level of cleanup to perform on CodeQL databases at the end of the analyze step. This should either be 'none' to skip cleanup, or be a valid argument for the --mode flag of the CodeQL CLI command 'codeql database cleanup' as documented at https://codeql.github.com/docs/codeql-cli/manual/database-cleanup"
@@ -44,6 +45,7 @@ inputs:
  checkout_path:
    description: "The path at which the analyzed repository was checked out. Used to relativize any absolute paths in the uploaded SARIF file."
    required: false
+    # If changing this, make sure to update workflow.ts accordingly.
    default: ${{ github.workspace }}
  ref:
    description: "The ref where results will be uploaded. If not provided, the Action will use the GITHUB_REF environment variable. If provided, the sha input must be provided as well. This input is not available in pull requests from forks."
@@ -19,29 +19,24 @@ var __importStar = (this && this.__importStar) || function (mod) {
    return result;
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.printDebugLogs = exports.isAnalyzingDefaultBranch = exports.getRelativeScriptPath = exports.isRunningLocalAction = exports.workflowEventName = exports.sendStatusReport = exports.createStatusReportBase = exports.getActionsStatus = exports.getRef = exports.computeAutomationID = exports.getAutomationID = exports.getAnalysisKey = exports.getWorkflowRunID = exports.getWorkflow = exports.formatWorkflowCause = exports.formatWorkflowErrors = exports.validateWorkflow = exports.getWorkflowErrors = exports.WorkflowErrors = exports.patternIsSuperset = exports.determineMergeBaseCommitOid = exports.getCommitOid = exports.getTemporaryDirectory = exports.getOptionalInput = exports.getRequiredInput = void 0;
+exports.printDebugLogs = exports.isAnalyzingDefaultBranch = exports.getRelativeScriptPath = exports.isRunningLocalAction = exports.workflowEventName = exports.sendStatusReport = exports.createStatusReportBase = exports.getActionsStatus = exports.getRef = exports.computeAutomationID = exports.getAutomationID = exports.getAnalysisKey = exports.determineMergeBaseCommitOid = exports.getCommitOid = exports.getTemporaryDirectory = exports.getOptionalInput = exports.getRequiredInput = void 0;
 const fs = __importStar(require("fs"));
 const os = __importStar(require("os"));
 const path = __importStar(require("path"));
 const core = __importStar(require("@actions/core"));
 const toolrunner = __importStar(require("@actions/exec/lib/toolrunner"));
 const safeWhich = __importStar(require("@chrisgavin/safe-which"));
-const yaml = __importStar(require("js-yaml"));
 const api = __importStar(require("./api-client"));
 const sharedEnv = __importStar(require("./shared-environment"));
 const util_1 = require("./util");
+const workflow_1 = require("./workflow");
 // eslint-disable-next-line import/no-commonjs
 const pkg = require("../package.json");
-/**
- * The utils in this module are meant to be run inside of the action only.
- * Code paths from the runner should not enter this module.
- */
 /**
 * Wrapper around core.getInput for inputs that always have a value.
 * Also see getOptionalInput.
 *
- * This allows us to get stronger type checking of required/optional inputs
- * and make behaviour more consistent between actions and the runner.
+ * This allows us to get stronger type checking of required/optional inputs.
 */
 function getRequiredInput(name) {
    return core.getInput(name, { required: true });
@@ -51,8 +46,7 @@ exports.getRequiredInput = getRequiredInput;
 * Wrapper around core.getInput that converts empty inputs to undefined.
 * Also see getRequiredInput.
 *
- * This allows us to get stronger type checking of required/optional inputs
- * and make behaviour more consistent between actions and the runner.
+ * This allows us to get stronger type checking of required/optional inputs.
 */
 const getOptionalInput = function (name) {
    const value = core.getInput(name);
@@ -151,225 +145,6 @@ const determineMergeBaseCommitOid = async function () {
    }
 };
 exports.determineMergeBaseCommitOid = determineMergeBaseCommitOid;
-function isObject(o) {
-    return o !== null && typeof o === "object";
-}
-const GLOB_PATTERN = new RegExp("(\\*\\*?)");
-function escapeRegExp(string) {
-    return string.replace(/[.*+?^${}()|[\]\\]/g, "\\$&"); // $& means the whole matched string
-}
-function patternToRegExp(value) {
-    return new RegExp(`^${value
-        .toString()
-        .split(GLOB_PATTERN)
-        .reduce(function (arr, cur) {
-        if (cur === "**") {
-            arr.push(".*?");
-        }
-        else if (cur === "*") {
-            arr.push("[^/]*?");
-        }
-        else if (cur) {
-            arr.push(escapeRegExp(cur));
-        }
-        return arr;
-    }, [])
-        .join("")}$`);
-}
-// this function should return true if patternA is a superset of patternB
-// e.g: * is a superset of main-* but main-* is not a superset of *.
-function patternIsSuperset(patternA, patternB) {
-    return patternToRegExp(patternA).test(patternB);
-}
-exports.patternIsSuperset = patternIsSuperset;
-function branchesToArray(branches) {
-    if (typeof branches === "string") {
-        return [branches];
-    }
-    if (Array.isArray(branches)) {
-        if (branches.length === 0) {
-            return "**";
-        }
-        return branches;
-    }
-    return "**";
-}
-function toCodedErrors(errors) {
-    return Object.entries(errors).reduce((acc, [key, value]) => {
-        acc[key] = { message: value, code: key };
-        return acc;
-    }, {});
-}
-// code to send back via status report
-// message to add as a warning annotation to the run
-exports.WorkflowErrors = toCodedErrors({
-    MismatchedBranches: `Please make sure that every branch in on.pull_request is also in on.push so that Code Scanning can compare pull requests against the state of the base branch.`,
-    MissingPushHook: `Please specify an on.push hook so that Code Scanning can compare pull requests against the state of the base branch.`,
-    PathsSpecified: `Using on.push.paths can prevent Code Scanning annotating new alerts in your pull requests.`,
-    PathsIgnoreSpecified: `Using on.push.paths-ignore can prevent Code Scanning annotating new alerts in your pull requests.`,
-    CheckoutWrongHead: `git checkout HEAD^2 is no longer necessary. Please remove this step as Code Scanning recommends analyzing the merge commit for best results.`,
-});
-function getWorkflowErrors(doc) {
-    var _a, _b, _c, _d, _e;
-    const errors = [];
-    const jobName = process.env.GITHUB_JOB;
-    if (jobName) {
-        const job = (_a = doc === null || doc === void 0 ? void 0 : doc.jobs) === null || _a === void 0 ? void 0 : _a[jobName];
-        const steps = job === null || job === void 0 ? void 0 : job.steps;
-        if (Array.isArray(steps)) {
-            for (const step of steps) {
-                // this was advice that we used to give in the README
-                // we actually want to run the analysis on the merge commit
-                // to produce results that are more inline with expectations
-                // (i.e: this is what will happen if you merge this PR)
-                // and avoid some race conditions
-                if ((step === null || step === void 0 ? void 0 : step.run) === "git checkout HEAD^2") {
-                    errors.push(exports.WorkflowErrors.CheckoutWrongHead);
-                    break;
-                }
-            }
-        }
-    }
-    let missingPush = false;
-    if (doc.on === undefined) {
-        // this is not a valid config
-    }
-    else if (typeof doc.on === "string") {
-        if (doc.on === "pull_request") {
-            missingPush = true;
-        }
-    }
-    else if (Array.isArray(doc.on)) {
-        const hasPush = doc.on.includes("push");
-        const hasPullRequest = doc.on.includes("pull_request");
-        if (hasPullRequest && !hasPush) {
-            missingPush = true;
-        }
-    }
-    else if (isObject(doc.on)) {
-        const hasPush = Object.prototype.hasOwnProperty.call(doc.on, "push");
-        const hasPullRequest = Object.prototype.hasOwnProperty.call(doc.on, "pull_request");
-        if (!hasPush && hasPullRequest) {
-            missingPush = true;
-        }
-        if (hasPush && hasPullRequest) {
-            const paths = (_b = doc.on.push) === null || _b === void 0 ? void 0 : _b.paths;
-            // if you specify paths or paths-ignore you can end up with commits that have no baseline
-            // if they didn't change any files
-            // currently we cannot go back through the history and find the most recent baseline
-            if (Array.isArray(paths) && paths.length > 0) {
-                errors.push(exports.WorkflowErrors.PathsSpecified);
-            }
-            const pathsIgnore = (_c = doc.on.push) === null || _c === void 0 ? void 0 : _c["paths-ignore"];
-            if (Array.isArray(pathsIgnore) && pathsIgnore.length > 0) {
-                errors.push(exports.WorkflowErrors.PathsIgnoreSpecified);
-            }
-        }
-        // if doc.on.pull_request is null that means 'all branches'
-        // if doc.on.pull_request is undefined that means 'off'
-        // we only want to check for mismatched branches if pull_request is on.
-        if (doc.on.pull_request !== undefined) {
-            const push = branchesToArray((_d = doc.on.push) === null || _d === void 0 ? void 0 : _d.branches);
-            if (push !== "**") {
-                const pull_request = branchesToArray((_e = doc.on.pull_request) === null || _e === void 0 ? void 0 : _e.branches);
-                if (pull_request !== "**") {
-                    const difference = pull_request.filter((value) => !push.some((o) => patternIsSuperset(o, value)));
-                    if (difference.length > 0) {
-                        // there are branches in pull_request that may not have a baseline
-                        // because we are not building them on push
-                        errors.push(exports.WorkflowErrors.MismatchedBranches);
-                    }
-                }
-                else if (push.length > 0) {
-                    // push is set up to run on a subset of branches
-                    // and you could open a PR against a branch with no baseline
-                    errors.push(exports.WorkflowErrors.MismatchedBranches);
-                }
-            }
-        }
-    }
-    if (missingPush) {
-        errors.push(exports.WorkflowErrors.MissingPushHook);
-    }
-    return errors;
-}
-exports.getWorkflowErrors = getWorkflowErrors;
-async function validateWorkflow() {
-    let workflow;
-    try {
-        workflow = await getWorkflow();
-    }
-    catch (e) {
-        return `error: getWorkflow() failed: ${String(e)}`;
-    }
-    let workflowErrors;
-    try {
-        workflowErrors = getWorkflowErrors(workflow);
-    }
-    catch (e) {
-        return `error: getWorkflowErrors() failed: ${String(e)}`;
-    }
-    if (workflowErrors.length > 0) {
-        let message;
-        try {
-            message = formatWorkflowErrors(workflowErrors);
-        }
-        catch (e) {
-            return `error: formatWorkflowErrors() failed: ${String(e)}`;
-        }
-        core.warning(message);
-    }
-    return formatWorkflowCause(workflowErrors);
-}
-exports.validateWorkflow = validateWorkflow;
-function formatWorkflowErrors(errors) {
-    const issuesWere = errors.length === 1 ? "issue was" : "issues were";
-    const errorsList = errors.map((e) => e.message).join(" ");
-    return `${errors.length} ${issuesWere} detected with this workflow: ${errorsList}`;
-}
-exports.formatWorkflowErrors = formatWorkflowErrors;
-function formatWorkflowCause(errors) {
-    if (errors.length === 0) {
-        return undefined;
-    }
-    return errors.map((e) => e.code).join(",");
-}
-exports.formatWorkflowCause = formatWorkflowCause;
-async function getWorkflow() {
-    const relativePath = await getWorkflowPath();
-    const absolutePath = path.join((0, util_1.getRequiredEnvParam)("GITHUB_WORKSPACE"), relativePath);
-    return yaml.load(fs.readFileSync(absolutePath, "utf-8"));
-}
-exports.getWorkflow = getWorkflow;
-/**
- * Get the path of the currently executing workflow.
- */
-async function getWorkflowPath() {
-    const repo_nwo = (0, util_1.getRequiredEnvParam)("GITHUB_REPOSITORY").split("/");
-    const owner = repo_nwo[0];
-    const repo = repo_nwo[1];
-    const run_id = Number((0, util_1.getRequiredEnvParam)("GITHUB_RUN_ID"));
-    const apiClient = api.getActionsApiClient();
-    const runsResponse = await apiClient.request("GET /repos/:owner/:repo/actions/runs/:run_id?exclude_pull_requests=true", {
-        owner,
-        repo,
-        run_id,
-    });
-    const workflowUrl = runsResponse.data.workflow_url;
-    const workflowResponse = await apiClient.request(`GET ${workflowUrl}`);
-    return workflowResponse.data.path;
-}
-/**
- * Get the workflow run ID.
- */
-function getWorkflowRunID() {
-    const workflowRunID = parseInt((0, util_1.getRequiredEnvParam)("GITHUB_RUN_ID"), 10);
-    if (Number.isNaN(workflowRunID)) {
-        throw new Error("GITHUB_RUN_ID must define a non NaN workflow run ID");
-    }
-    return workflowRunID;
-}
-exports.getWorkflowRunID = getWorkflowRunID;
 /**
 * Get the analysis key parameter for the current job.
 *
@@ -383,7 +158,7 @@ async function getAnalysisKey() {
    if (analysisKey !== undefined) {
        return analysisKey;
    }
-    const workflowPath = await getWorkflowPath();
+    const workflowPath = await (0, workflow_1.getWorkflowPath)();
    const jobName = (0, util_1.getRequiredEnvParam)("GITHUB_JOB");
    analysisKey = `${workflowPath}:${jobName}`;
    core.exportVariable(analysisKeyEnvVar, analysisKey);
@@ -398,10 +173,10 @@ async function getAutomationID() {
 exports.getAutomationID = getAutomationID;
 function computeAutomationID(analysis_key, environment) {
    let automationID = `${analysis_key}/`;
-    // the id has to be deterministic so we sort the fields
-    if (environment !== undefined && environment !== "null") {
-        const environmentObject = JSON.parse(environment);
-        for (const entry of Object.entries(environmentObject).sort()) {
+    const matrix = (0, util_1.parseMatrixInput)(environment);
+    if (matrix !== undefined) {
+        // the id has to be deterministic so we sort the fields
+        for (const entry of Object.entries(matrix).sort()) {
            if (typeof entry[1] === "string") {
                automationID += `${entry[0]}:${entry[1]}/`;
            }
@@ -432,7 +207,7 @@ async function getRef() {
    if ((hasRefInput || hasShaInput) && !(hasRefInput && hasShaInput)) {
        throw new Error("Both 'ref' and 'sha' are required if one of them is provided.");
    }
-    const ref = refInput || (0, util_1.getRequiredEnvParam)("GITHUB_REF");
+    const ref = refInput || getRefFromEnv();
    const sha = shaInput || (0, util_1.getRequiredEnvParam)("GITHUB_SHA");
    // If the ref is a user-provided input, we have to skip logic
    // and assume that it is really where they want to upload the results.
@@ -465,6 +240,26 @@ async function getRef() {
    }
 }
 exports.getRef = getRef;
+function getRefFromEnv() {
+    // To workaround a limitation of Actions dynamic workflows not setting
+    // the GITHUB_REF in some cases, we accept also the ref within the
+    // CODE_SCANNING_REF variable. When possible, however, we prefer to use
+    // the GITHUB_REF as that is a protected variable and cannot be overwritten.
+    let refEnv;
+    try {
+        refEnv = (0, util_1.getRequiredEnvParam)("GITHUB_REF");
+    }
+    catch (e) {
+        // If the GITHUB_REF is not set, we try to rescue by getting the
+        // CODE_SCANNING_REF.
+        const maybeRef = process.env["CODE_SCANNING_REF"];
+        if (maybeRef === undefined || maybeRef.length === 0) {
+            throw e;
+        }
+        refEnv = maybeRef;
+    }
+    return refEnv;
+}
 function getActionsStatus(error, otherFailureCause) {
    if (error || otherFailureCause) {
        return error instanceof util_1.UserError ? "user-error" : "failure";
@@ -579,7 +374,7 @@ async function sendStatusReport(statusReport) {
    }
    const nwo = (0, util_1.getRequiredEnvParam)("GITHUB_REPOSITORY");
    const [owner, repo] = nwo.split("/");
-    const client = api.getActionsApiClient();
+    const client = api.getApiClient();
    try {
        await client.request("PUT /repos/:owner/:repo/code-scanning/analysis/status", {
            owner,
@@ -25,14 +25,10 @@ Object.defineProperty(exports, "__esModule", { value: true });
 const fs = __importStar(require("fs"));
 const path = __importStar(require("path"));
 const ava_1 = __importDefault(require("ava"));
-const yaml = __importStar(require("js-yaml"));
 const sinon = __importStar(require("sinon"));
 const actionsutil = __importStar(require("./actions-util"));
 const testing_utils_1 = require("./testing-utils");
 const util_1 = require("./util");
-function errorCodes(actual, expected) {
-    return [actual.map(({ code }) => code), expected.map(({ code }) => code)];
-}
 (0, testing_utils_1.setupTests)(ava_1.default);
 (0, ava_1.default)("getRef() throws on the empty string", async (t) => {
    process.env["GITHUB_REF"] = "";
@@ -98,6 +94,30 @@ function errorCodes(actual, expected) {
        getAdditionalInputStub.restore();
    });
 });
+(0, ava_1.default)("getRef() returns CODE_SCANNING_REF as a fallback for GITHUB_REF", async (t) => {
+    await (0, util_1.withTmpDir)(async (tmpDir) => {
+        (0, testing_utils_1.setupActionsVars)(tmpDir, tmpDir);
+        const expectedRef = "refs/pull/1/HEAD";
+        const currentSha = "a".repeat(40);
+        process.env["CODE_SCANNING_REF"] = expectedRef;
+        process.env["GITHUB_REF"] = "";
+        process.env["GITHUB_SHA"] = currentSha;
+        const actualRef = await actionsutil.getRef();
+        t.deepEqual(actualRef, expectedRef);
+    });
+});
+(0, ava_1.default)("getRef() returns GITHUB_REF over CODE_SCANNING_REF if both are provided", async (t) => {
+    await (0, util_1.withTmpDir)(async (tmpDir) => {
+        (0, testing_utils_1.setupActionsVars)(tmpDir, tmpDir);
+        const expectedRef = "refs/pull/1/merge";
+        const currentSha = "a".repeat(40);
+        process.env["CODE_SCANNING_REF"] = "refs/pull/1/HEAD";
+        process.env["GITHUB_REF"] = expectedRef;
+        process.env["GITHUB_SHA"] = currentSha;
+        const actualRef = await actionsutil.getRef();
+        t.deepEqual(actualRef, expectedRef);
+    });
+});
 (0, ava_1.default)("getRef() throws an error if only `ref` is provided as an input", async (t) => {
    await (0, util_1.withTmpDir)(async (tmpDir) => {
        (0, testing_utils_1.setupActionsVars)(tmpDir, tmpDir);
@@ -143,340 +163,9 @@ function errorCodes(actual, expected) {
    actualAutomationID = actionsutil.computeAutomationID(".github/workflows/codeql-analysis.yml:analyze", undefined);
    t.deepEqual(actualAutomationID, ".github/workflows/codeql-analysis.yml:analyze/");
 });
-(0, ava_1.default)("getWorkflowErrors() when on is empty", (t) => {
-    const errors = actionsutil.getWorkflowErrors({ on: {} });
-    t.deepEqual(...errorCodes(errors, []));
-});
-(0, ava_1.default)("getWorkflowErrors() when on.push is an array missing pull_request", (t) => {
-    const errors = actionsutil.getWorkflowErrors({ on: ["push"] });
-    t.deepEqual(...errorCodes(errors, []));
-});
-(0, ava_1.default)("getWorkflowErrors() when on.push is an array missing push", (t) => {
-    const errors = actionsutil.getWorkflowErrors({ on: ["pull_request"] });
-    t.deepEqual(...errorCodes(errors, [actionsutil.WorkflowErrors.MissingPushHook]));
-});
-(0, ava_1.default)("getWorkflowErrors() when on.push is valid", (t) => {
-    const errors = actionsutil.getWorkflowErrors({
-        on: ["push", "pull_request"],
-    });
-    t.deepEqual(...errorCodes(errors, []));
-});
-(0, ava_1.default)("getWorkflowErrors() when on.push is a valid superset", (t) => {
-    const errors = actionsutil.getWorkflowErrors({
-        on: ["push", "pull_request", "schedule"],
-    });
-    t.deepEqual(...errorCodes(errors, []));
-});
-(0, ava_1.default)("getWorkflowErrors() when on.push should not have a path", (t) => {
-    const errors = actionsutil.getWorkflowErrors({
-        on: {
-            push: { branches: ["main"], paths: ["test/*"] },
-            pull_request: { branches: ["main"] },
-        },
-    });
-    t.deepEqual(...errorCodes(errors, [actionsutil.WorkflowErrors.PathsSpecified]));
-});
-(0, ava_1.default)("getWorkflowErrors() when on.push is a correct object", (t) => {
-    const errors = actionsutil.getWorkflowErrors({
-        on: { push: { branches: ["main"] }, pull_request: { branches: ["main"] } },
-    });
-    t.deepEqual(...errorCodes(errors, []));
-});
-(0, ava_1.default)("getWorkflowErrors() when on.pull_requests is a string", (t) => {
-    const errors = actionsutil.getWorkflowErrors({
-        on: { push: { branches: ["main"] }, pull_request: { branches: "*" } },
-    });
-    t.deepEqual(...errorCodes(errors, [actionsutil.WorkflowErrors.MismatchedBranches]));
-});
-(0, ava_1.default)("getWorkflowErrors() when on.pull_requests is a string and correct", (t) => {
-    const errors = actionsutil.getWorkflowErrors({
-        on: { push: { branches: "*" }, pull_request: { branches: "*" } },
-    });
-    t.deepEqual(...errorCodes(errors, []));
-});
-(0, ava_1.default)("getWorkflowErrors() when on.push is correct with empty objects", (t) => {
-    const errors = actionsutil.getWorkflowErrors(yaml.load(`
-on:
-  push:
-  pull_request:
-`));
-    t.deepEqual(...errorCodes(errors, []));
-});
-(0, ava_1.default)("getWorkflowErrors() when on.push is mismatched", (t) => {
-    const errors = actionsutil.getWorkflowErrors({
-        on: {
-            push: { branches: ["main"] },
-            pull_request: { branches: ["feature"] },
-        },
-    });
-    t.deepEqual(...errorCodes(errors, [actionsutil.WorkflowErrors.MismatchedBranches]));
-});
-(0, ava_1.default)("getWorkflowErrors() when on.push is not mismatched", (t) => {
-    const errors = actionsutil.getWorkflowErrors({
-        on: {
-            push: { branches: ["main", "feature"] },
-            pull_request: { branches: ["main"] },
-        },
-    });
-    t.deepEqual(...errorCodes(errors, []));
-});
-(0, ava_1.default)("getWorkflowErrors() when on.push is mismatched for pull_request", (t) => {
-    const errors = actionsutil.getWorkflowErrors({
-        on: {
-            push: { branches: ["main"] },
-            pull_request: { branches: ["main", "feature"] },
-        },
-    });
-    t.deepEqual(...errorCodes(errors, [actionsutil.WorkflowErrors.MismatchedBranches]));
-});
-(0, ava_1.default)("getWorkflowErrors() for a range of malformed workflows", (t) => {
-    t.deepEqual(...errorCodes(actionsutil.getWorkflowErrors({
-        on: {
-            push: 1,
-            pull_request: 1,
-        },
-    }), []));
-    t.deepEqual(...errorCodes(actionsutil.getWorkflowErrors({
-        on: 1,
-    }), []));
-    t.deepEqual(...errorCodes(actionsutil.getWorkflowErrors({
-        on: 1,
-        jobs: 1,
-    }), []));
-    t.deepEqual(...errorCodes(actionsutil.getWorkflowErrors({
-        on: 1,
-        jobs: [1],
-    }), []));
-    t.deepEqual(...errorCodes(actionsutil.getWorkflowErrors({
-        on: 1,
-        jobs: { 1: 1 },
-    }), []));
-    t.deepEqual(...errorCodes(actionsutil.getWorkflowErrors({
-        on: 1,
-        jobs: { test: 1 },
-    }), []));
-    t.deepEqual(...errorCodes(actionsutil.getWorkflowErrors({
-        on: 1,
-        jobs: { test: [1] },
-    }), []));
-    t.deepEqual(...errorCodes(actionsutil.getWorkflowErrors({
-        on: 1,
-        jobs: { test: { steps: 1 } },
-    }), []));
-    t.deepEqual(...errorCodes(actionsutil.getWorkflowErrors({
-        on: 1,
-        jobs: { test: { steps: [{ notrun: "git checkout HEAD^2" }] } },
-    }), []));
-    t.deepEqual(...errorCodes(actionsutil.getWorkflowErrors({
-        on: 1,
-        jobs: { test: [undefined] },
-    }), []));
-    t.deepEqual(...errorCodes(actionsutil.getWorkflowErrors(1), []));
-    t.deepEqual(...errorCodes(actionsutil.getWorkflowErrors({
-        on: {
-            push: {
-                branches: 1,
-            },
-            pull_request: {
-                branches: 1,
-            },
-        },
-    }), []));
-});
-(0, ava_1.default)("getWorkflowErrors() when on.pull_request for every branch but push specifies branches", (t) => {
-    const errors = actionsutil.getWorkflowErrors(yaml.load(`
-name: "CodeQL"
-on:
-  push:
-    branches: ["main"]
-  pull_request:
-`));
-    t.deepEqual(...errorCodes(errors, [actionsutil.WorkflowErrors.MismatchedBranches]));
-});
-(0, ava_1.default)("getWorkflowErrors() when on.pull_request for wildcard branches", (t) => {
-    const errors = actionsutil.getWorkflowErrors({
-        on: {
-            push: { branches: ["feature/*"] },
-            pull_request: { branches: "feature/moose" },
-        },
-    });
-    t.deepEqual(...errorCodes(errors, []));
-});
-(0, ava_1.default)("getWorkflowErrors() when on.pull_request for mismatched wildcard branches", (t) => {
-    const errors = actionsutil.getWorkflowErrors({
-        on: {
-            push: { branches: ["feature/moose"] },
-            pull_request: { branches: "feature/*" },
-        },
-    });
-    t.deepEqual(...errorCodes(errors, [actionsutil.WorkflowErrors.MismatchedBranches]));
-});
-(0, ava_1.default)("getWorkflowErrors() when HEAD^2 is checked out", (t) => {
-    process.env.GITHUB_JOB = "test";
-    const errors = actionsutil.getWorkflowErrors({
-        on: ["push", "pull_request"],
-        jobs: { test: { steps: [{ run: "git checkout HEAD^2" }] } },
-    });
-    t.deepEqual(...errorCodes(errors, [actionsutil.WorkflowErrors.CheckoutWrongHead]));
-});
-(0, ava_1.default)("formatWorkflowErrors() when there is one error", (t) => {
-    const message = actionsutil.formatWorkflowErrors([
-        actionsutil.WorkflowErrors.CheckoutWrongHead,
-    ]);
-    t.true(message.startsWith("1 issue was detected with this workflow:"));
-});
-(0, ava_1.default)("formatWorkflowErrors() when there are multiple errors", (t) => {
-    const message = actionsutil.formatWorkflowErrors([
-        actionsutil.WorkflowErrors.CheckoutWrongHead,
-        actionsutil.WorkflowErrors.PathsSpecified,
-    ]);
-    t.true(message.startsWith("2 issues were detected with this workflow:"));
-});
-(0, ava_1.default)("formatWorkflowCause() with no errors", (t) => {
-    const message = actionsutil.formatWorkflowCause([]);
-    t.deepEqual(message, undefined);
-});
-(0, ava_1.default)("formatWorkflowCause()", (t) => {
-    const message = actionsutil.formatWorkflowCause([
-        actionsutil.WorkflowErrors.CheckoutWrongHead,
-        actionsutil.WorkflowErrors.PathsSpecified,
-    ]);
-    t.deepEqual(message, "CheckoutWrongHead,PathsSpecified");
-    t.deepEqual(actionsutil.formatWorkflowCause([]), undefined);
-});
-(0, ava_1.default)("patternIsSuperset()", (t) => {
-    t.false(actionsutil.patternIsSuperset("main-*", "main"));
-    t.true(actionsutil.patternIsSuperset("*", "*"));
-    t.true(actionsutil.patternIsSuperset("*", "main-*"));
-    t.false(actionsutil.patternIsSuperset("main-*", "*"));
-    t.false(actionsutil.patternIsSuperset("main-*", "main"));
-    t.true(actionsutil.patternIsSuperset("main", "main"));
-    t.false(actionsutil.patternIsSuperset("*", "feature/*"));
-    t.true(actionsutil.patternIsSuperset("**", "feature/*"));
-    t.false(actionsutil.patternIsSuperset("feature-*", "**"));
-    t.false(actionsutil.patternIsSuperset("a/**/c", "a/**/d"));
-    t.false(actionsutil.patternIsSuperset("a/**/c", "a/**"));
-    t.true(actionsutil.patternIsSuperset("a/**", "a/**/c"));
-    t.true(actionsutil.patternIsSuperset("a/**/c", "a/main-**/c"));
-    t.false(actionsutil.patternIsSuperset("a/**/b/**/c", "a/**/d/**/c"));
-    t.true(actionsutil.patternIsSuperset("a/**/b/**/c", "a/**/b/c/**/c"));
-    t.true(actionsutil.patternIsSuperset("a/**/b/**/c", "a/**/b/d/**/c"));
-    t.false(actionsutil.patternIsSuperset("a/**/c/d/**/c", "a/**/b/**/c"));
-    t.false(actionsutil.patternIsSuperset("a/main-**/c", "a/**/c"));
-    t.true(actionsutil.patternIsSuperset("/robin/*/release/*", "/robin/moose/release/goose"));
-    t.false(actionsutil.patternIsSuperset("/robin/moose/release/goose", "/robin/*/release/*"));
-});
-(0, ava_1.default)("getWorkflowErrors() when branches contain dots", (t) => {
-    const errors = actionsutil.getWorkflowErrors(yaml.load(`
-  on:
-    push:
-      branches: [4.1, master]
-    pull_request:
-      # The branches below must be a subset of the branches above
-      branches: [4.1, master]
-`));
-    t.deepEqual(...errorCodes(errors, []));
-});
-(0, ava_1.default)("getWorkflowErrors() when on.push has a trailing comma", (t) => {
-    const errors = actionsutil.getWorkflowErrors(yaml.load(`
-name: "CodeQL"
-on:
-  push:
-    branches: [master, ]
-  pull_request:
-    # The branches below must be a subset of the branches above
-    branches: [master]
-`));
-    t.deepEqual(...errorCodes(errors, []));
-});
-(0, ava_1.default)("getWorkflowErrors() should only report the current job's CheckoutWrongHead", (t) => {
-    process.env.GITHUB_JOB = "test";
-    const errors = actionsutil.getWorkflowErrors(yaml.load(`
-name: "CodeQL"
-on:
-  push:
-    branches: [master]
-  pull_request:
-    # The branches below must be a subset of the branches above
-    branches: [master]
-jobs:
-  test:
-    steps:
-      - run: "git checkout HEAD^2"
-
-  test2:
-    steps:
-      - run: "git checkout HEAD^2"
-
-  test3:
-    steps: []
-`));
-    t.deepEqual(...errorCodes(errors, [actionsutil.WorkflowErrors.CheckoutWrongHead]));
-});
-(0, ava_1.default)("getWorkflowErrors() should not report a different job's CheckoutWrongHead", (t) => {
-    process.env.GITHUB_JOB = "test3";
-    const errors = actionsutil.getWorkflowErrors(yaml.load(`
-name: "CodeQL"
-on:
-  push:
-    branches: [master]
-  pull_request:
-    # The branches below must be a subset of the branches above
-    branches: [master]
-jobs:
-  test:
-    steps:
-      - run: "git checkout HEAD^2"
-
-  test2:
-    steps:
-      - run: "git checkout HEAD^2"
-
-  test3:
-    steps: []
-`));
-    t.deepEqual(...errorCodes(errors, []));
-});
-(0, ava_1.default)("getWorkflowErrors() when on is missing", (t) => {
-    const errors = actionsutil.getWorkflowErrors(yaml.load(`
-name: "CodeQL"
-`));
-    t.deepEqual(...errorCodes(errors, []));
-});
-(0, ava_1.default)("getWorkflowErrors() with a different on setup", (t) => {
-    t.deepEqual(...errorCodes(actionsutil.getWorkflowErrors(yaml.load(`
-name: "CodeQL"
-on: "workflow_dispatch"
-`)), []));
-    t.deepEqual(...errorCodes(actionsutil.getWorkflowErrors(yaml.load(`
-name: "CodeQL"
-on: [workflow_dispatch]
-`)), []));
-    t.deepEqual(...errorCodes(actionsutil.getWorkflowErrors(yaml.load(`
-name: "CodeQL"
-on:
-  workflow_dispatch: {}
-`)), []));
-});
-(0, ava_1.default)("getWorkflowErrors() should not report an error if PRs are totally unconfigured", (t) => {
-    t.deepEqual(...errorCodes(actionsutil.getWorkflowErrors(yaml.load(`
-name: "CodeQL"
-on:
-  push:
-    branches: [master]
-`)), []));
-    t.deepEqual(...errorCodes(actionsutil.getWorkflowErrors(yaml.load(`
-name: "CodeQL"
-on: ["push"]
-`)), []));
-});
 (0, ava_1.default)("initializeEnvironment", (t) => {
-    (0, util_1.initializeEnvironment)(util_1.Mode.actions, "1.2.3");
-    t.deepEqual((0, util_1.getMode)(), util_1.Mode.actions);
+    (0, util_1.initializeEnvironment)("1.2.3");
    t.deepEqual(process.env.CODEQL_ACTION_VERSION, "1.2.3");
-    (0, util_1.initializeEnvironment)(util_1.Mode.runner, "4.5.6");
-    t.deepEqual((0, util_1.getMode)(), util_1.Mode.runner);
-    t.deepEqual(process.env.CODEQL_ACTION_VERSION, "4.5.6");
 });
 (0, ava_1.default)("isAnalyzingDefaultBranch()", async (t) => {
    await (0, util_1.withTmpDir)(async (tmpDir) => {
@@ -45,6 +45,7 @@ const util = __importStar(require("./util"));
            .stub(actionsUtil, "createStatusReportBase")
            .resolves({});
        sinon.stub(actionsUtil, "sendStatusReport").resolves(true);
+        sinon.stub(actionsUtil, "isAnalyzingDefaultBranch").resolves(true);
        const gitHubVersion = {
            type: util.GitHubVariant.DOTCOM,
        };
@@ -1 +1 @@
-{"version":3,"file":"analyze-action-env.test.js","sourceRoot":"","sources":["../src/analyze-action-env.test.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;AAAA,8CAAuB;AACvB,6CAA+B;AAE/B,4DAA8C;AAC9C,mDAAqC;AACrC,4DAA8C;AAC9C,mDAIyB;AACzB,6CAA+B;AAE/B,IAAA,0BAAU,EAAC,aAAI,CAAC,CAAC;AAEjB,4EAA4E;AAC5E,4EAA4E;AAC5E,+EAA+E;AAC/E,+EAA+E;AAC/E,gFAAgF;AAChF,iCAAiC;AAEjC,IAAA,aAAI,EAAC,8DAA8D,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;IAC/E,MAAM,IAAI,CAAC,UAAU,CAAC,KAAK,EAAE,MAAM,EAAE,EAAE;QACrC,OAAO,CAAC,GAAG,CAAC,mBAAmB,CAAC,GAAG,IAAI,CAAC,iBAAiB,CAAC;QAC1D,OAAO,CAAC,GAAG,CAAC,mBAAmB,CAAC,GAAG,sCAAsC,CAAC;QAC1E,OAAO,CAAC,GAAG,CAAC,gBAAgB,CAAC,GAAG,wBAAwB,CAAC;QACzD,KAAK;aACF,IAAI,CAAC,WAAW,EAAE,wBAAwB,CAAC;aAC3C,QAAQ,CAAC,EAAkC,CAAC,CAAC;QAChD,KAAK,CAAC,IAAI,CAAC,WAAW,EAAE,kBAAkB,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;QAC3D,MAAM,aAAa,GAAuB;YACxC,IAAI,EAAE,IAAI,CAAC,aAAa,CAAC,MAAM;SAChC,CAAC;QACF,KAAK,CAAC,IAAI,CAAC,WAAW,EAAE,WAAW,CAAC,CAAC,QAAQ,CAAC;YAC5C,aAAa;YACb,SAAS,EAAE,EAAE;YACb,KAAK,EAAE,EAAE;YACT,UAAU,EAAE,EAAE;SACkB,CAAC,CAAC;QACpC,MAAM,iBAAiB,GAAG,KAAK,CAAC,IAAI,CAAC,WAAW,EAAE,kBAAkB,CAAC,CAAC;QACtE,iBAAiB,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,OAAO,CAAC,YAAY,CAAC,CAAC;QAC1D,iBAAiB,CAAC,QAAQ,CAAC,iBAAiB,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC;QAC/D,MAAM,iBAAiB,GAAG,KAAK,CAAC,IAAI,CAAC,WAAW,EAAE,kBAAkB,CAAC,CAAC;QACtE,iBAAiB,CAAC,QAAQ,CAAC,eAAe,CAAC,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;QAC5D,iBAAiB,CAAC,QAAQ,CAAC,cAAc,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC;QAC5D,KAAK,CAAC,IAAI,CAAC,IAAI,EAAE,kBAAkB,CAAC,CAAC,QAAQ,CAAC,aAAa,CAAC,CAAC;QAC7D,IAAA,gCAAgB,EAAC,MAAM,EAAE,MAAM,CAAC,CAAC;QACjC,IAAA,0CAA0B,EAAC,GAAG,EAAE,EAAE,CAAC,CAAC;QAEpC,uEAAuE;QACvE,0EAA0E;QAC1E,iBAAiB;QACjB,OAAO,CAAC,GAAG,CAAC,gBAAgB,CAAC,GAAG,IAAI,CAAC;QACrC,OAAO,CAAC,GAAG,CAAC,YAAY,CAAC,GAAG,MAAM,CAAC;QAEnC,MAAM,eAAe,GAAG,KAAK,CAAC,IAAI,CAAC,OAAO,EAAE,aAAa,CAAC,CAAC;QAC3D,MAAM,cAAc,GAAG,KAAK,CAAC,IAAI,CAAC,OAAO,EAAE,YAAY,CAAC,CAAC;QACzD,MAAM,aAAa,GAAG,OAAO,CAAC,kBAAkB,CAAC,CAAC;QAElD,uEAAuE;QACvE,oEAAoE;QACpE,4EAA4E;QAC5E,wEAAwE;QACxE,MAAM,aAAa,CAAC,UAAU,CAAC;QAE/B,CAAC,CAAC,SAAS,CAAC,eAAe,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,cAAc,CAAC,CAAC;QAC/D,CAAC,CAAC,SAAS,CAAC,eAAe,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,YAAY,CAAC,CAAC;QAC7D,CAAC,CAAC,SAAS,CAAC,cAAc,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,cAAc,CAAC,CAAC;QAC9D,CAAC,CAAC,SAAS,CAAC,cAAc,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,YAAY,CAAC,CAAC;IAC9D,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}
+{"version":3,"file":"analyze-action-env.test.js","sourceRoot":"","sources":["../src/analyze-action-env.test.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;AAAA,8CAAuB;AACvB,6CAA+B;AAE/B,4DAA8C;AAC9C,mDAAqC;AACrC,4DAA8C;AAC9C,mDAIyB;AACzB,6CAA+B;AAE/B,IAAA,0BAAU,EAAC,aAAI,CAAC,CAAC;AAEjB,4EAA4E;AAC5E,4EAA4E;AAC5E,+EAA+E;AAC/E,+EAA+E;AAC/E,gFAAgF;AAChF,iCAAiC;AAEjC,IAAA,aAAI,EAAC,8DAA8D,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;IAC/E,MAAM,IAAI,CAAC,UAAU,CAAC,KAAK,EAAE,MAAM,EAAE,EAAE;QACrC,OAAO,CAAC,GAAG,CAAC,mBAAmB,CAAC,GAAG,IAAI,CAAC,iBAAiB,CAAC;QAC1D,OAAO,CAAC,GAAG,CAAC,mBAAmB,CAAC,GAAG,sCAAsC,CAAC;QAC1E,OAAO,CAAC,GAAG,CAAC,gBAAgB,CAAC,GAAG,wBAAwB,CAAC;QACzD,KAAK;aACF,IAAI,CAAC,WAAW,EAAE,wBAAwB,CAAC;aAC3C,QAAQ,CAAC,EAAkC,CAAC,CAAC;QAChD,KAAK,CAAC,IAAI,CAAC,WAAW,EAAE,kBAAkB,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;QAC3D,KAAK,CAAC,IAAI,CAAC,WAAW,EAAE,0BAA0B,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;QAEnE,MAAM,aAAa,GAAuB;YACxC,IAAI,EAAE,IAAI,CAAC,aAAa,CAAC,MAAM;SAChC,CAAC;QACF,KAAK,CAAC,IAAI,CAAC,WAAW,EAAE,WAAW,CAAC,CAAC,QAAQ,CAAC;YAC5C,aAAa;YACb,SAAS,EAAE,EAAE;YACb,KAAK,EAAE,EAAE;YACT,UAAU,EAAE,EAAE;SACkB,CAAC,CAAC;QACpC,MAAM,iBAAiB,GAAG,KAAK,CAAC,IAAI,CAAC,WAAW,EAAE,kBAAkB,CAAC,CAAC;QACtE,iBAAiB,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,OAAO,CAAC,YAAY,CAAC,CAAC;QAC1D,iBAAiB,CAAC,QAAQ,CAAC,iBAAiB,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC;QAC/D,MAAM,iBAAiB,GAAG,KAAK,CAAC,IAAI,CAAC,WAAW,EAAE,kBAAkB,CAAC,CAAC;QACtE,iBAAiB,CAAC,QAAQ,CAAC,eAAe,CAAC,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;QAC5D,iBAAiB,CAAC,QAAQ,CAAC,cAAc,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC;QAC5D,KAAK,CAAC,IAAI,CAAC,IAAI,EAAE,kBAAkB,CAAC,CAAC,QAAQ,CAAC,aAAa,CAAC,CAAC;QAC7D,IAAA,gCAAgB,EAAC,MAAM,EAAE,MAAM,CAAC,CAAC;QACjC,IAAA,0CAA0B,EAAC,GAAG,EAAE,EAAE,CAAC,CAAC;QAEpC,uEAAuE;QACvE,0EAA0E;QAC1E,iBAAiB;QACjB,OAAO,CAAC,GAAG,CAAC,gBAAgB,CAAC,GAAG,IAAI,CAAC;QACrC,OAAO,CAAC,GAAG,CAAC,YAAY,CAAC,GAAG,MAAM,CAAC;QAEnC,MAAM,eAAe,GAAG,KAAK,CAAC,IAAI,CAAC,OAAO,EAAE,aAAa,CAAC,CAAC;QAC3D,MAAM,cAAc,GAAG,KAAK,CAAC,IAAI,CAAC,OAAO,EAAE,YAAY,CAAC,CAAC;QACzD,MAAM,aAAa,GAAG,OAAO,CAAC,kBAAkB,CAAC,CAAC;QAElD,uEAAuE;QACvE,oEAAoE;QACpE,4EAA4E;QAC5E,wEAAwE;QACxE,MAAM,aAAa,CAAC,UAAU,CAAC;QAE/B,CAAC,CAAC,SAAS,CAAC,eAAe,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,cAAc,CAAC,CAAC;QAC/D,CAAC,CAAC,SAAS,CAAC,eAAe,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,YAAY,CAAC,CAAC;QAC7D,CAAC,CAAC,SAAS,CAAC,cAAc,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,cAAc,CAAC,CAAC;QAC9D,CAAC,CAAC,SAAS,CAAC,cAAc,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,YAAY,CAAC,CAAC;IAC9D,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}
@@ -61,6 +61,7 @@ const util = __importStar(require("./util"));
        optionalInputStub.withArgs("cleanup-level").returns("none");
        optionalInputStub.withArgs("expect-error").returns("false");
        sinon.stub(util, "getGitHubVersion").resolves(gitHubVersion);
+        sinon.stub(actionsUtil, "isAnalyzingDefaultBranch").resolves(true);
        (0, testing_utils_1.setupActionsVars)(tmpDir, tmpDir);
        (0, testing_utils_1.mockFeatureFlagApiEndpoint)(200, {});
        process.env["CODEQL_THREADS"] = "1";
@@ -1 +1 @@
-{"version":3,"file":"analyze-action-input.test.js","sourceRoot":"","sources":["../src/analyze-action-input.test.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;AAAA,8CAAuB;AACvB,6CAA+B;AAE/B,4DAA8C;AAC9C,mDAAqC;AACrC,4DAA8C;AAC9C,mDAIyB;AACzB,6CAA+B;AAE/B,IAAA,0BAAU,EAAC,aAAI,CAAC,CAAC;AAEjB,4EAA4E;AAC5E,4EAA4E;AAC5E,+EAA+E;AAC/E,+EAA+E;AAC/E,gFAAgF;AAChF,iCAAiC;AAEjC,IAAA,aAAI,EAAC,sDAAsD,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;IACvE,MAAM,IAAI,CAAC,UAAU,CAAC,KAAK,EAAE,MAAM,EAAE,EAAE;QACrC,OAAO,CAAC,GAAG,CAAC,mBAAmB,CAAC,GAAG,IAAI,CAAC,iBAAiB,CAAC;QAC1D,OAAO,CAAC,GAAG,CAAC,mBAAmB,CAAC,GAAG,sCAAsC,CAAC;QAC1E,OAAO,CAAC,GAAG,CAAC,gBAAgB,CAAC,GAAG,wBAAwB,CAAC;QACzD,KAAK;aACF,IAAI,CAAC,WAAW,EAAE,wBAAwB,CAAC;aAC3C,QAAQ,CAAC,EAAkC,CAAC,CAAC;QAChD,KAAK,CAAC,IAAI,CAAC,WAAW,EAAE,kBAAkB,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;QAC3D,MAAM,aAAa,GAAuB;YACxC,IAAI,EAAE,IAAI,CAAC,aAAa,CAAC,MAAM;SAChC,CAAC;QACF,KAAK,CAAC,IAAI,CAAC,WAAW,EAAE,WAAW,CAAC,CAAC,QAAQ,CAAC;YAC5C,aAAa;YACb,SAAS,EAAE,EAAE;YACb,KAAK,EAAE,EAAE;YACT,UAAU,EAAE,EAAE;SACkB,CAAC,CAAC;QACpC,MAAM,iBAAiB,GAAG,KAAK,CAAC,IAAI,CAAC,WAAW,EAAE,kBAAkB,CAAC,CAAC;QACtE,iBAAiB,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,OAAO,CAAC,YAAY,CAAC,CAAC;QAC1D,iBAAiB,CAAC,QAAQ,CAAC,iBAAiB,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC;QAC/D,MAAM,iBAAiB,GAAG,KAAK,CAAC,IAAI,CAAC,WAAW,EAAE,kBAAkB,CAAC,CAAC;QACtE,iBAAiB,CAAC,QAAQ,CAAC,eAAe,CAAC,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;QAC5D,iBAAiB,CAAC,QAAQ,CAAC,cAAc,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC;QAC5D,KAAK,CAAC,IAAI,CAAC,IAAI,EAAE,kBAAkB,CAAC,CAAC,QAAQ,CAAC,aAAa,CAAC,CAAC;QAC7D,IAAA,gCAAgB,EAAC,MAAM,EAAE,MAAM,CAAC,CAAC;QACjC,IAAA,0CAA0B,EAAC,GAAG,EAAE,EAAE,CAAC,CAAC;QAEpC,OAAO,CAAC,GAAG,CAAC,gBAAgB,CAAC,GAAG,GAAG,CAAC;QACpC,OAAO,CAAC,GAAG,CAAC,YAAY,CAAC,GAAG,MAAM,CAAC;QAEnC,4DAA4D;QAC5D,iBAAiB,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;QACpD,iBAAiB,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;QAElD,MAAM,eAAe,GAAG,KAAK,CAAC,IAAI,CAAC,OAAO,EAAE,aAAa,CAAC,CAAC;QAC3D,MAAM,cAAc,GAAG,KAAK,CAAC,IAAI,CAAC,OAAO,EAAE,YAAY,CAAC,CAAC;QACzD,MAAM,aAAa,GAAG,OAAO,CAAC,kBAAkB,CAAC,CAAC;QAElD,uEAAuE;QACvE,oEAAoE;QACpE,4EAA4E;QAC5E,wEAAwE;QACxE,MAAM,aAAa,CAAC,UAAU,CAAC;QAE/B,CAAC,CAAC,SAAS,CAAC,eAAe,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,cAAc,CAAC,CAAC;QAC/D,CAAC,CAAC,SAAS,CAAC,eAAe,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,YAAY,CAAC,CAAC;QAC7D,CAAC,CAAC,SAAS,CAAC,cAAc,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,cAAc,CAAC,CAAC;QAC9D,CAAC,CAAC,SAAS,CAAC,cAAc,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,YAAY,CAAC,CAAC;IAC9D,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}
+{"version":3,"file":"analyze-action-input.test.js","sourceRoot":"","sources":["../src/analyze-action-input.test.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;AAAA,8CAAuB;AACvB,6CAA+B;AAE/B,4DAA8C;AAC9C,mDAAqC;AACrC,4DAA8C;AAC9C,mDAIyB;AACzB,6CAA+B;AAE/B,IAAA,0BAAU,EAAC,aAAI,CAAC,CAAC;AAEjB,4EAA4E;AAC5E,4EAA4E;AAC5E,+EAA+E;AAC/E,+EAA+E;AAC/E,gFAAgF;AAChF,iCAAiC;AAEjC,IAAA,aAAI,EAAC,sDAAsD,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;IACvE,MAAM,IAAI,CAAC,UAAU,CAAC,KAAK,EAAE,MAAM,EAAE,EAAE;QACrC,OAAO,CAAC,GAAG,CAAC,mBAAmB,CAAC,GAAG,IAAI,CAAC,iBAAiB,CAAC;QAC1D,OAAO,CAAC,GAAG,CAAC,mBAAmB,CAAC,GAAG,sCAAsC,CAAC;QAC1E,OAAO,CAAC,GAAG,CAAC,gBAAgB,CAAC,GAAG,wBAAwB,CAAC;QACzD,KAAK;aACF,IAAI,CAAC,WAAW,EAAE,wBAAwB,CAAC;aAC3C,QAAQ,CAAC,EAAkC,CAAC,CAAC;QAChD,KAAK,CAAC,IAAI,CAAC,WAAW,EAAE,kBAAkB,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;QAC3D,MAAM,aAAa,GAAuB;YACxC,IAAI,EAAE,IAAI,CAAC,aAAa,CAAC,MAAM;SAChC,CAAC;QACF,KAAK,CAAC,IAAI,CAAC,WAAW,EAAE,WAAW,CAAC,CAAC,QAAQ,CAAC;YAC5C,aAAa;YACb,SAAS,EAAE,EAAE;YACb,KAAK,EAAE,EAAE;YACT,UAAU,EAAE,EAAE;SACkB,CAAC,CAAC;QACpC,MAAM,iBAAiB,GAAG,KAAK,CAAC,IAAI,CAAC,WAAW,EAAE,kBAAkB,CAAC,CAAC;QACtE,iBAAiB,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,OAAO,CAAC,YAAY,CAAC,CAAC;QAC1D,iBAAiB,CAAC,QAAQ,CAAC,iBAAiB,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC;QAC/D,MAAM,iBAAiB,GAAG,KAAK,CAAC,IAAI,CAAC,WAAW,EAAE,kBAAkB,CAAC,CAAC;QACtE,iBAAiB,CAAC,QAAQ,CAAC,eAAe,CAAC,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;QAC5D,iBAAiB,CAAC,QAAQ,CAAC,cAAc,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC;QAC5D,KAAK,CAAC,IAAI,CAAC,IAAI,EAAE,kBAAkB,CAAC,CAAC,QAAQ,CAAC,aAAa,CAAC,CAAC;QAC7D,KAAK,CAAC,IAAI,CAAC,WAAW,EAAE,0BAA0B,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;QACnE,IAAA,gCAAgB,EAAC,MAAM,EAAE,MAAM,CAAC,CAAC;QACjC,IAAA,0CAA0B,EAAC,GAAG,EAAE,EAAE,CAAC,CAAC;QAEpC,OAAO,CAAC,GAAG,CAAC,gBAAgB,CAAC,GAAG,GAAG,CAAC;QACpC,OAAO,CAAC,GAAG,CAAC,YAAY,CAAC,GAAG,MAAM,CAAC;QAEnC,4DAA4D;QAC5D,iBAAiB,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;QACpD,iBAAiB,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;QAElD,MAAM,eAAe,GAAG,KAAK,CAAC,IAAI,CAAC,OAAO,EAAE,aAAa,CAAC,CAAC;QAC3D,MAAM,cAAc,GAAG,KAAK,CAAC,IAAI,CAAC,OAAO,EAAE,YAAY,CAAC,CAAC;QACzD,MAAM,aAAa,GAAG,OAAO,CAAC,kBAAkB,CAAC,CAAC;QAElD,uEAAuE;QACvE,oEAAoE;QACpE,4EAA4E;QAC5E,wEAAwE;QACxE,MAAM,aAAa,CAAC,UAAU,CAAC;QAE/B,CAAC,CAAC,SAAS,CAAC,eAAe,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,cAAc,CAAC,CAAC;QAC/D,CAAC,CAAC,SAAS,CAAC,eAAe,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,YAAY,CAAC,CAAC;QAC7D,CAAC,CAAC,SAAS,CAAC,cAAc,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,cAAc,CAAC,CAAC;QAC9D,CAAC,CAAC,SAAS,CAAC,cAAc,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,YAAY,CAAC,CAAC;IAC9D,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}
@@ -39,6 +39,7 @@ const feature_flags_1 = require("./feature-flags");
 const languages_1 = require("./languages");
 const logging_1 = require("./logging");
 const repository_1 = require("./repository");
+const shared_environment_1 = require("./shared-environment");
 const trap_caching_1 = require("./trap-caching");
 const upload_lib = __importStar(require("./upload-lib"));
 const util = __importStar(require("./util"));
@@ -103,6 +104,8 @@ function doesGoExtractionOutputExist(config) {
 * - We detect whether an autobuild step is present by checking the
 * `util.DID_AUTOBUILD_GO_ENV_VAR_NAME` environment variable, which is set
 * when the autobuilder is invoked.
+ * - We detect whether the Go database has already been finalized in case it
+ * has been manually set in a prior Action step.
 * - We approximate whether manual build steps are present by looking at
 * whether any extraction output already exists for Go.
 */
@@ -114,6 +117,10 @@ async function runAutobuildIfLegacyGoWorkflow(config, logger) {
        logger.debug("Won't run Go autobuild since it has already been run.");
        return;
    }
+    if ((0, analyze_1.dbIsFinalized)(config, languages_1.Language.go, logger)) {
+        logger.debug("Won't run Go autobuild since there is already a finalized database for Go.");
+        return;
+    }
    // This captures whether a user has added manual build steps for Go
    if (doesGoExtractionOutputExist(config)) {
        logger.debug("Won't run Go autobuild since at least one file of Go code has already been extracted.");
@@ -134,7 +141,7 @@ async function run() {
    let trapCacheUploadTime = undefined;
    let dbCreationTimings = undefined;
    let didUploadTrapCaches = false;
-    util.initializeEnvironment(util.Mode.actions, pkg.version);
+    util.initializeEnvironment(pkg.version);
    await util.checkActionVersion(pkg.version);
    const logger = (0, logging_1.getActionsLogger)();
    try {
@@ -148,14 +155,14 @@ async function run() {
        if (hasBadExpectErrorInput()) {
            throw new Error("`expect-error` input parameter is for internal use only. It should only be set by codeql-action or a fork.");
        }
-        await util.enrichEnvironment(util.Mode.actions, await (0, codeql_1.getCodeQL)(config.codeQLCmd));
+        await util.enrichEnvironment(await (0, codeql_1.getCodeQL)(config.codeQLCmd));
        const apiDetails = (0, api_client_1.getApiDetails)();
        const outputDir = actionsUtil.getRequiredInput("output");
        const threads = util.getThreadsFlag(actionsUtil.getOptionalInput("threads") || process.env["CODEQL_THREADS"], logger);
        const memory = util.getMemoryFlag(actionsUtil.getOptionalInput("ram") || process.env["CODEQL_RAM"]);
        const repositoryNwo = (0, repository_1.parseRepositoryNwo)(util.getRequiredEnvParam("GITHUB_REPOSITORY"));
-        const gitHubVersion = await (0, api_client_1.getGitHubVersionActionsOnly)();
-        const features = new feature_flags_1.Features(gitHubVersion, apiDetails, repositoryNwo, logger);
+        const gitHubVersion = await (0, api_client_1.getGitHubVersion)();
+        const features = new feature_flags_1.Features(gitHubVersion, repositoryNwo, actionsUtil.getTemporaryDirectory(), logger);
        await runAutobuildIfLegacyGoWorkflow(config, logger);
        dbCreationTimings = await (0, analyze_1.runFinalize)(outputDir, threads, memory, config, logger);
        if (actionsUtil.getRequiredInput("skip-queries") !== "true") {
@@ -170,7 +177,7 @@ async function run() {
        }
        core.setOutput("db-locations", dbLocations);
        if (runStats && actionsUtil.getRequiredInput("upload") === "true") {
-            uploadResult = await upload_lib.uploadFromActions(outputDir, config.gitHubVersion, apiDetails, logger);
+            uploadResult = await upload_lib.uploadFromActions(outputDir, actionsUtil.getRequiredInput("checkout_path"), actionsUtil.getOptionalInput("category"), logger);
            core.setOutput("sarif-id", uploadResult.sarifID);
        }
        else {
@@ -189,12 +196,13 @@ async function run() {
        }
        else if (uploadResult !== undefined &&
            actionsUtil.getRequiredInput("wait-for-processing") === "true") {
-            await upload_lib.waitForProcessing((0, repository_1.parseRepositoryNwo)(util.getRequiredEnvParam("GITHUB_REPOSITORY")), uploadResult.sarifID, apiDetails, (0, logging_1.getActionsLogger)());
+            await upload_lib.waitForProcessing((0, repository_1.parseRepositoryNwo)(util.getRequiredEnvParam("GITHUB_REPOSITORY")), uploadResult.sarifID, (0, logging_1.getActionsLogger)());
        }
        // If we did not throw an error yet here, but we expect one, throw it.
        if (actionsUtil.getOptionalInput("expect-error") === "true") {
            core.setFailed(`expect-error input was set to true but no error was thrown.`);
        }
+        core.exportVariable(shared_environment_1.CODEQL_ACTION_ANALYZE_DID_COMPLETE_SUCCESSFULLY, "true");
    }
    catch (origError) {
        const error = origError instanceof Error ? origError : new Error(String(origError));
@@ -202,7 +210,6 @@ async function run() {
            hasBadExpectErrorInput()) {
            core.setFailed(error.message);
        }
-        console.log(error);
        if (error instanceof analyze_1.CodeQLAnalysisError) {
            const stats = { ...error.queriesStatusReport };
            await sendStatusReport(startedAt, config, stats, error, trapCacheUploadTime, dbCreationTimings, didUploadTrapCaches, logger);
@@ -232,7 +239,6 @@ async function runWrapper() {
    }
    catch (error) {
        core.setFailed(`analyze action failed: ${error}`);
-        console.log(error);
    }
    await (0, util_1.checkForTimeout)();
 }
@@ -159,6 +159,7 @@ async function runQueries(sarifFolder, memoryFlag, addSnippetsFlag, threadsFlag,
                logger.info(analysisSummary);
            }
            else {
+                // config was generated by the action, so must be interpreted by the action.
                logger.startGroup(`Running queries for ${language}`);
                const querySuitePaths = [];
                if (queries["builtin"].length > 0) {
@@ -207,7 +208,7 @@ async function runQueries(sarifFolder, memoryFlag, addSnippetsFlag, threadsFlag,
    return statusReport;
    async function runInterpretResults(language, queries, sarifFile, enableDebugLogging) {
        const databasePath = util.getCodeQLDatabasePath(config, language);
-        return await codeql.databaseInterpretResults(databasePath, queries, sarifFile, addSnippetsFlag, threadsFlag, enableDebugLogging ? "-vv" : "-v", automationDetailsId, featureEnablement);
+        return await codeql.databaseInterpretResults(databasePath, queries, sarifFile, addSnippetsFlag, threadsFlag, enableDebugLogging ? "-vv" : "-v", automationDetailsId);
    }
    async function runPrintLinesOfCode(language) {
        const databasePath = util.getCodeQLDatabasePath(config, language);
@@ -22,8 +22,7 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
    return (mod && mod.__esModule) ? mod : { "default": mod };
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.getGitHubVersionActionsOnly = exports.getActionsApiClient = exports.getApiDetails = exports.getApiClient = exports.DisallowedAPIVersionReason = void 0;
-const path = __importStar(require("path"));
+exports.getGitHubVersion = exports.getApiClientWithExternalAuth = exports.getApiClient = exports.getApiDetails = exports.DisallowedAPIVersionReason = void 0;
 const githubUtils = __importStar(require("@actions/github/lib/utils"));
 const retry = __importStar(require("@octokit/plugin-retry"));
 const console_log_level_1 = __importDefault(require("console-log-level"));
@@ -37,28 +36,14 @@ var DisallowedAPIVersionReason;
    DisallowedAPIVersionReason[DisallowedAPIVersionReason["ACTION_TOO_OLD"] = 0] = "ACTION_TOO_OLD";
    DisallowedAPIVersionReason[DisallowedAPIVersionReason["ACTION_TOO_NEW"] = 1] = "ACTION_TOO_NEW";
 })(DisallowedAPIVersionReason = exports.DisallowedAPIVersionReason || (exports.DisallowedAPIVersionReason = {}));
-const getApiClient = function (apiDetails, { allowExternal = false } = {}) {
+function createApiClientWithDetails(apiDetails, { allowExternal = false } = {}) {
    const auth = (allowExternal && apiDetails.externalRepoAuth) || apiDetails.auth;
    const retryingOctokit = githubUtils.GitHub.plugin(retry.retry);
-    const apiURL = apiDetails.apiURL || deriveApiUrl(apiDetails.url);
    return new retryingOctokit(githubUtils.getOctokitOptions(auth, {
-        baseUrl: apiURL,
-        userAgent: `CodeQL-${(0, util_1.getMode)()}/${pkg.version}`,
+        baseUrl: apiDetails.apiURL,
+        userAgent: `CodeQL-Action/${pkg.version}`,
        log: (0, console_log_level_1.default)({ level: "debug" }),
    }));
-};
-exports.getApiClient = getApiClient;
-// Once the runner is deleted, this can also be removed since the GitHub API URL is always available in an environment variable on Actions.
-function deriveApiUrl(githubUrl) {
-    const url = new URL(githubUrl);
-    // If we detect this is trying to connect to github.com
-    // then return with a fixed canonical URL.
-    if (url.hostname === "github.com" || url.hostname === "api.github.com") {
-        return "https://api.github.com";
-    }
-    // Add the /api/v3 API prefix
-    url.pathname = path.join(url.pathname, "api", "v3");
-    return url.toString();
 }
 function getApiDetails() {
    return {
@@ -68,30 +53,27 @@ function getApiDetails() {
    };
 }
 exports.getApiDetails = getApiDetails;
-// Temporary function to aid in the transition to running on and off of github actions.
-// Once all code has been converted this function should be removed or made canonical
-// and called only from the action entrypoints.
-function getActionsApiClient() {
-    return (0, exports.getApiClient)(getApiDetails());
+function getApiClient() {
+    return createApiClientWithDetails(getApiDetails());
 }
-exports.getActionsApiClient = getActionsApiClient;
+exports.getApiClient = getApiClient;
+function getApiClientWithExternalAuth(apiDetails) {
+    return createApiClientWithDetails(apiDetails, { allowExternal: true });
+}
+exports.getApiClientWithExternalAuth = getApiClientWithExternalAuth;
 let cachedGitHubVersion = undefined;
 /**
 * Report the GitHub server version. This is a wrapper around
 * util.getGitHubVersion() that automatically supplies GitHub API details using
- * GitHub Action inputs. If you need to get the GitHub server version from the
- * Runner, please call util.getGitHubVersion() instead.
+ * GitHub Action inputs.
 *
 * @returns GitHub version
 */
-async function getGitHubVersionActionsOnly() {
-    if (!util.isActions()) {
-        throw new Error("getGitHubVersionActionsOnly() works only in an action");
-    }
+async function getGitHubVersion() {
    if (cachedGitHubVersion === undefined) {
        cachedGitHubVersion = await util.getGitHubVersion(getApiDetails());
    }
    return cachedGitHubVersion;
 }
-exports.getGitHubVersionActionsOnly = getGitHubVersionActionsOnly;
+exports.getGitHubVersion = getGitHubVersion;
 //# sourceMappingURL=api-client.js.map
@@ -1 +1 @@
-{"version":3,"file":"api-client.js","sourceRoot":"","sources":["../src/api-client.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;AAAA,2CAA6B;AAE7B,uEAAyD;AACzD,6DAA+C;AAC/C,0EAAgD;AAEhD,iDAAkD;AAClD,6CAA+B;AAC/B,iCAAqE;AAErE,8CAA8C;AAC9C,MAAM,GAAG,GAAG,OAAO,CAAC,iBAAiB,CAAC,CAAC;AAEvC,IAAY,0BAGX;AAHD,WAAY,0BAA0B;IACpC,+FAAc,CAAA;IACd,+FAAc,CAAA;AAChB,CAAC,EAHW,0BAA0B,GAA1B,kCAA0B,KAA1B,kCAA0B,QAGrC;AAiBM,MAAM,YAAY,GAAG,UAC1B,UAAoC,EACpC,EAAE,aAAa,GAAG,KAAK,EAAE,GAAG,EAAE;IAE9B,MAAM,IAAI,GACR,CAAC,aAAa,IAAI,UAAU,CAAC,gBAAgB,CAAC,IAAI,UAAU,CAAC,IAAI,CAAC;IACpE,MAAM,eAAe,GAAG,WAAW,CAAC,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;IAC/D,MAAM,MAAM,GAAG,UAAU,CAAC,MAAM,IAAI,YAAY,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC;IACjE,OAAO,IAAI,eAAe,CACxB,WAAW,CAAC,iBAAiB,CAAC,IAAI,EAAE;QAClC,OAAO,EAAE,MAAM;QACf,SAAS,EAAE,UAAU,IAAA,cAAO,GAAE,IAAI,GAAG,CAAC,OAAO,EAAE;QAC/C,GAAG,EAAE,IAAA,2BAAe,EAAC,EAAE,KAAK,EAAE,OAAO,EAAE,CAAC;KACzC,CAAC,CACH,CAAC;AACJ,CAAC,CAAC;AAfW,QAAA,YAAY,gBAevB;AAEF,2IAA2I;AAC3I,SAAS,YAAY,CAAC,SAAiB;IACrC,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,SAAS,CAAC,CAAC;IAE/B,uDAAuD;IACvD,0CAA0C;IAC1C,IAAI,GAAG,CAAC,QAAQ,KAAK,YAAY,IAAI,GAAG,CAAC,QAAQ,KAAK,gBAAgB,EAAE;QACtE,OAAO,wBAAwB,CAAC;KACjC;IAED,6BAA6B;IAC7B,GAAG,CAAC,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,QAAQ,EAAE,KAAK,EAAE,IAAI,CAAC,CAAC;IACpD,OAAO,GAAG,CAAC,QAAQ,EAAE,CAAC;AACxB,CAAC;AAED,SAAgB,aAAa;IAC3B,OAAO;QACL,IAAI,EAAE,IAAA,+BAAgB,EAAC,OAAO,CAAC;QAC/B,GAAG,EAAE,IAAA,0BAAmB,EAAC,mBAAmB,CAAC;QAC7C,MAAM,EAAE,IAAA,0BAAmB,EAAC,gBAAgB,CAAC;KAC9C,CAAC;AACJ,CAAC;AAND,sCAMC;AAED,uFAAuF;AACvF,qFAAqF;AACrF,+CAA+C;AAC/C,SAAgB,mBAAmB;IACjC,OAAO,IAAA,oBAAY,EAAC,aAAa,EAAE,CAAC,CAAC;AACvC,CAAC;AAFD,kDAEC;AAED,IAAI,mBAAmB,GAA8B,SAAS,CAAC;AAE/D;;;;;;;GAOG;AACI,KAAK,UAAU,2BAA2B;IAC/C,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,EAAE;QACrB,MAAM,IAAI,KAAK,CAAC,uDAAuD,CAAC,CAAC;KAC1E;IACD,IAAI,mBAAmB,KAAK,SAAS,EAAE;QACrC,mBAAmB,GAAG,MAAM,IAAI,CAAC,gBAAgB,CAAC,aAAa,EAAE,CAAC,CAAC;KACpE;IACD,OAAO,mBAAmB,CAAC;AAC7B,CAAC;AARD,kEAQC"}
+{"version":3,"file":"api-client.js","sourceRoot":"","sources":["../src/api-client.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;AAAA,uEAAyD;AACzD,6DAA+C;AAC/C,0EAAgD;AAEhD,iDAAkD;AAClD,6CAA+B;AAC/B,iCAA4D;AAE5D,8CAA8C;AAC9C,MAAM,GAAG,GAAG,OAAO,CAAC,iBAAiB,CAAC,CAAC;AAEvC,IAAY,0BAGX;AAHD,WAAY,0BAA0B;IACpC,+FAAc,CAAA;IACd,+FAAc,CAAA;AAChB,CAAC,EAHW,0BAA0B,GAA1B,kCAA0B,KAA1B,kCAA0B,QAGrC;AAiBD,SAAS,0BAA0B,CACjC,UAAoC,EACpC,EAAE,aAAa,GAAG,KAAK,EAAE,GAAG,EAAE;IAE9B,MAAM,IAAI,GACR,CAAC,aAAa,IAAI,UAAU,CAAC,gBAAgB,CAAC,IAAI,UAAU,CAAC,IAAI,CAAC;IACpE,MAAM,eAAe,GAAG,WAAW,CAAC,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;IAC/D,OAAO,IAAI,eAAe,CACxB,WAAW,CAAC,iBAAiB,CAAC,IAAI,EAAE;QAClC,OAAO,EAAE,UAAU,CAAC,MAAM;QAC1B,SAAS,EAAE,iBAAiB,GAAG,CAAC,OAAO,EAAE;QACzC,GAAG,EAAE,IAAA,2BAAe,EAAC,EAAE,KAAK,EAAE,OAAO,EAAE,CAAC;KACzC,CAAC,CACH,CAAC;AACJ,CAAC;AAED,SAAgB,aAAa;IAC3B,OAAO;QACL,IAAI,EAAE,IAAA,+BAAgB,EAAC,OAAO,CAAC;QAC/B,GAAG,EAAE,IAAA,0BAAmB,EAAC,mBAAmB,CAAC;QAC7C,MAAM,EAAE,IAAA,0BAAmB,EAAC,gBAAgB,CAAC;KAC9C,CAAC;AACJ,CAAC;AAND,sCAMC;AAED,SAAgB,YAAY;IAC1B,OAAO,0BAA0B,CAAC,aAAa,EAAE,CAAC,CAAC;AACrD,CAAC;AAFD,oCAEC;AAED,SAAgB,4BAA4B,CAC1C,UAAoC;IAEpC,OAAO,0BAA0B,CAAC,UAAU,EAAE,EAAE,aAAa,EAAE,IAAI,EAAE,CAAC,CAAC;AACzE,CAAC;AAJD,oEAIC;AAED,IAAI,mBAAmB,GAA8B,SAAS,CAAC;AAE/D;;;;;;GAMG;AACI,KAAK,UAAU,gBAAgB;IACpC,IAAI,mBAAmB,KAAK,SAAS,EAAE;QACrC,mBAAmB,GAAG,MAAM,IAAI,CAAC,gBAAgB,CAAC,aAAa,EAAE,CAAC,CAAC;KACpE;IACD,OAAO,mBAAmB,CAAC;AAC7B,CAAC;AALD,4CAKC"}
@@ -25,9 +25,10 @@ Object.defineProperty(exports, "__esModule", { value: true });
 const githubUtils = __importStar(require("@actions/github/lib/utils"));
 const ava_1 = __importDefault(require("ava"));
 const sinon = __importStar(require("sinon"));
+const actionsUtil = __importStar(require("./actions-util"));
 const api_client_1 = require("./api-client");
 const testing_utils_1 = require("./testing-utils");
-const util_1 = require("./util");
+const util = __importStar(require("./util"));
 // eslint-disable-next-line import/no-commonjs
 const pkg = require("../package.json");
 (0, testing_utils_1.setupTests)(ava_1.default);
@@ -37,66 +38,23 @@ ava_1.default.beforeEach(() => {
    pluginStub = sinon.stub(githubUtils.GitHub, "plugin");
    githubStub = sinon.stub();
    pluginStub.returns(githubStub);
-    (0, util_1.initializeEnvironment)(util_1.Mode.actions, pkg.version);
+    util.initializeEnvironment(pkg.version);
 });
-(0, ava_1.default)("Get the client API", async (t) => {
-    doTest(t, {
-        auth: "xyz",
-        externalRepoAuth: "abc",
-        url: "http://hucairz",
-    }, undefined, {
-        auth: "token xyz",
-        baseUrl: "http://hucairz/api/v3",
-        userAgent: `CodeQL-Action/${pkg.version}`,
-    });
-});
-(0, ava_1.default)("Get the client API external", async (t) => {
-    doTest(t, {
-        auth: "xyz",
-        externalRepoAuth: "abc",
-        url: "http://hucairz",
-    }, { allowExternal: true }, {
-        auth: "token abc",
-        baseUrl: "http://hucairz/api/v3",
-        userAgent: `CodeQL-Action/${pkg.version}`,
-    });
-});
-(0, ava_1.default)("Get the client API external not present", async (t) => {
-    doTest(t, {
-        auth: "xyz",
-        url: "http://hucairz",
-    }, { allowExternal: true }, {
-        auth: "token xyz",
-        baseUrl: "http://hucairz/api/v3",
-        userAgent: `CodeQL-Action/${pkg.version}`,
-    });
-});
-(0, ava_1.default)("Get the client API with github url", async (t) => {
-    doTest(t, {
-        auth: "xyz",
-        url: "https://github.com/some/invalid/url",
-    }, undefined, {
-        auth: "token xyz",
-        baseUrl: "https://api.github.com",
-        userAgent: `CodeQL-Action/${pkg.version}`,
-    });
-});
-(0, ava_1.default)("Get the API with an API URL directly", async (t) => {
-    doTest(t, {
-        auth: "xyz",
-        url: "http://github.localhost",
-        apiURL: "http://api.github.localhost",
-    }, undefined, {
+(0, ava_1.default)("getApiClient", async (t) => {
+    sinon.stub(actionsUtil, "getRequiredInput").withArgs("token").returns("xyz");
+    const requiredEnvParamStub = sinon.stub(util, "getRequiredEnvParam");
+    requiredEnvParamStub
+        .withArgs("GITHUB_SERVER_URL")
+        .returns("http://github.localhost");
+    requiredEnvParamStub
+        .withArgs("GITHUB_API_URL")
+        .returns("http://api.github.localhost");
+    (0, api_client_1.getApiClient)();
+    t.assert(githubStub.calledOnceWithExactly({
        auth: "token xyz",
        baseUrl: "http://api.github.localhost",
+        log: sinon.match.any,
        userAgent: `CodeQL-Action/${pkg.version}`,
-    });
+    }));
 });
-function doTest(t, clientArgs, clientOptions, expected) {
-    (0, api_client_1.getApiClient)(clientArgs, clientOptions);
-    const firstCallArgs = githubStub.args[0];
-    // log is a function, so we don't need to test for equality of it
-    delete firstCallArgs[0].log;
-    t.deepEqual(firstCallArgs, [expected]);
-}
 //# sourceMappingURL=api-client.test.js.map
@@ -1 +1 @@
-{"version":3,"file":"api-client.test.js","sourceRoot":"","sources":["../src/api-client.test.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;AAAA,uEAAyD;AACzD,8CAA6C;AAC7C,6CAA+B;AAE/B,6CAA4C;AAC5C,mDAA6C;AAC7C,iCAAqD;AAErD,8CAA8C;AAC9C,MAAM,GAAG,GAAG,OAAO,CAAC,iBAAiB,CAAC,CAAC;AAEvC,IAAA,0BAAU,EAAC,aAAI,CAAC,CAAC;AAEjB,IAAI,UAA2B,CAAC;AAChC,IAAI,UAA2B,CAAC;AAEhC,aAAI,CAAC,UAAU,CAAC,GAAG,EAAE;IACnB,UAAU,GAAG,KAAK,CAAC,IAAI,CAAC,WAAW,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC;IACtD,UAAU,GAAG,KAAK,CAAC,IAAI,EAAE,CAAC;IAC1B,UAAU,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC;IAC/B,IAAA,4BAAqB,EAAC,WAAI,CAAC,OAAO,EAAE,GAAG,CAAC,OAAO,CAAC,CAAC;AACnD,CAAC,CAAC,CAAC;AAEH,IAAA,aAAI,EAAC,oBAAoB,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;IACrC,MAAM,CACJ,CAAC,EACD;QACE,IAAI,EAAE,KAAK;QACX,gBAAgB,EAAE,KAAK;QACvB,GAAG,EAAE,gBAAgB;KACtB,EACD,SAAS,EACT;QACE,IAAI,EAAE,WAAW;QACjB,OAAO,EAAE,uBAAuB;QAChC,SAAS,EAAE,iBAAiB,GAAG,CAAC,OAAO,EAAE;KAC1C,CACF,CAAC;AACJ,CAAC,CAAC,CAAC;AAEH,IAAA,aAAI,EAAC,6BAA6B,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;IAC9C,MAAM,CACJ,CAAC,EACD;QACE,IAAI,EAAE,KAAK;QACX,gBAAgB,EAAE,KAAK;QACvB,GAAG,EAAE,gBAAgB;KACtB,EACD,EAAE,aAAa,EAAE,IAAI,EAAE,EACvB;QACE,IAAI,EAAE,WAAW;QACjB,OAAO,EAAE,uBAAuB;QAChC,SAAS,EAAE,iBAAiB,GAAG,CAAC,OAAO,EAAE;KAC1C,CACF,CAAC;AACJ,CAAC,CAAC,CAAC;AAEH,IAAA,aAAI,EAAC,yCAAyC,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;IAC1D,MAAM,CACJ,CAAC,EACD;QACE,IAAI,EAAE,KAAK;QACX,GAAG,EAAE,gBAAgB;KACtB,EACD,EAAE,aAAa,EAAE,IAAI,EAAE,EACvB;QACE,IAAI,EAAE,WAAW;QACjB,OAAO,EAAE,uBAAuB;QAChC,SAAS,EAAE,iBAAiB,GAAG,CAAC,OAAO,EAAE;KAC1C,CACF,CAAC;AACJ,CAAC,CAAC,CAAC;AAEH,IAAA,aAAI,EAAC,oCAAoC,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;IACrD,MAAM,CACJ,CAAC,EACD;QACE,IAAI,EAAE,KAAK;QACX,GAAG,EAAE,qCAAqC;KAC3C,EACD,SAAS,EACT;QACE,IAAI,EAAE,WAAW;QACjB,OAAO,EAAE,wBAAwB;QACjC,SAAS,EAAE,iBAAiB,GAAG,CAAC,OAAO,EAAE;KAC1C,CACF,CAAC;AACJ,CAAC,CAAC,CAAC;AAEH,IAAA,aAAI,EAAC,sCAAsC,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;IACvD,MAAM,CACJ,CAAC,EACD;QACE,IAAI,EAAE,KAAK;QACX,GAAG,EAAE,yBAAyB;QAC9B,MAAM,EAAE,6BAA6B;KACtC,EACD,SAAS,EACT;QACE,IAAI,EAAE,WAAW;QACjB,OAAO,EAAE,6BAA6B;QACtC,SAAS,EAAE,iBAAiB,GAAG,CAAC,OAAO,EAAE;KAC1C,CACF,CAAC;AACJ,CAAC,CAAC,CAAC;AAEH,SAAS,MAAM,CACb,CAA4B,EAC5B,UAAe,EACf,aAAkB,EAClB,QAAa;IAEb,IAAA,yBAAY,EAAC,UAAU,EAAE,aAAa,CAAC,CAAC;IAExC,MAAM,aAAa,GAAG,UAAU,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IACzC,iEAAiE;IACjE,OAAO,aAAa,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC;IAC5B,CAAC,CAAC,SAAS,CAAC,aAAa,EAAE,CAAC,QAAQ,CAAC,CAAC,CAAC;AACzC,CAAC"}
+{"version":3,"file":"api-client.test.js","sourceRoot":"","sources":["../src/api-client.test.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;AAAA,uEAAyD;AACzD,8CAAuB;AACvB,6CAA+B;AAE/B,4DAA8C;AAC9C,6CAA4C;AAC5C,mDAA6C;AAC7C,6CAA+B;AAE/B,8CAA8C;AAC9C,MAAM,GAAG,GAAG,OAAO,CAAC,iBAAiB,CAAC,CAAC;AAEvC,IAAA,0BAAU,EAAC,aAAI,CAAC,CAAC;AAEjB,IAAI,UAA2B,CAAC;AAChC,IAAI,UAA2B,CAAC;AAEhC,aAAI,CAAC,UAAU,CAAC,GAAG,EAAE;IACnB,UAAU,GAAG,KAAK,CAAC,IAAI,CAAC,WAAW,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC;IACtD,UAAU,GAAG,KAAK,CAAC,IAAI,EAAE,CAAC;IAC1B,UAAU,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC;IAC/B,IAAI,CAAC,qBAAqB,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;AAC1C,CAAC,CAAC,CAAC;AAEH,IAAA,aAAI,EAAC,cAAc,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;IAC/B,KAAK,CAAC,IAAI,CAAC,WAAW,EAAE,kBAAkB,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC;IAC7E,MAAM,oBAAoB,GAAG,KAAK,CAAC,IAAI,CAAC,IAAI,EAAE,qBAAqB,CAAC,CAAC;IACrE,oBAAoB;SACjB,QAAQ,CAAC,mBAAmB,CAAC;SAC7B,OAAO,CAAC,yBAAyB,CAAC,CAAC;IACtC,oBAAoB;SACjB,QAAQ,CAAC,gBAAgB,CAAC;SAC1B,OAAO,CAAC,6BAA6B,CAAC,CAAC;IAE1C,IAAA,yBAAY,GAAE,CAAC;IAEf,CAAC,CAAC,MAAM,CACN,UAAU,CAAC,qBAAqB,CAAC;QAC/B,IAAI,EAAE,WAAW;QACjB,OAAO,EAAE,6BAA6B;QACtC,GAAG,EAAE,KAAK,CAAC,KAAK,CAAC,GAAG;QACpB,SAAS,EAAE,iBAAiB,GAAG,CAAC,OAAO,EAAE;KAC1C,CAAC,CACH,CAAC;AACJ,CAAC,CAAC,CAAC"}
@@ -1 +1 @@
-{ "maximumVersion": "3.7", "minimumVersion": "3.3" }
+{ "maximumVersion": "3.8", "minimumVersion": "3.3" }
@@ -30,7 +30,7 @@ const util_1 = require("./util");
 // eslint-disable-next-line import/no-commonjs
 const pkg = require("../package.json");
 async function sendCompletedStatusReport(startedAt, allLanguages, failingLanguage, cause) {
-    (0, util_1.initializeEnvironment)(util_1.Mode.actions, pkg.version);
+    (0, util_1.initializeEnvironment)(pkg.version);
    const status = (0, actions_util_1.getActionsStatus)(cause, failingLanguage);
    const statusReportBase = await (0, actions_util_1.createStatusReportBase)("autobuild", status, startedAt, cause === null || cause === void 0 ? void 0 : cause.message, cause === null || cause === void 0 ? void 0 : cause.stack);
    const statusReport = {
@@ -50,8 +50,8 @@ async function run() {
        if (!(await (0, actions_util_1.sendStatusReport)(await (0, actions_util_1.createStatusReportBase)("autobuild", "starting", startedAt)))) {
            return;
        }
-        const gitHubVersion = await (0, api_client_1.getGitHubVersionActionsOnly)();
-        (0, util_1.checkGitHubVersionInRange)(gitHubVersion, logger, util_1.Mode.actions);
+        const gitHubVersion = await (0, api_client_1.getGitHubVersion)();
+        (0, util_1.checkGitHubVersionInRange)(gitHubVersion, logger);
        const config = await configUtils.getConfig((0, actions_util_1.getTemporaryDirectory)(), logger);
        if (config === undefined) {
            throw new Error("Config file could not be found at expected location. Has the 'init' action been called?");
@@ -1 +1 @@
-{"version":3,"file":"autobuild-action.js","sourceRoot":"","sources":["../src/autobuild-action.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;AAAA,oDAAsC;AAEtC,iDAOwB;AACxB,6CAA2D;AAC3D,2CAAwE;AACxE,4DAA8C;AAC9C,2CAAuC;AACvC,uCAA6C;AAC7C,iCAMgB;AAEhB,8CAA8C;AAC9C,MAAM,GAAG,GAAG,OAAO,CAAC,iBAAiB,CAAC,CAAC;AASvC,KAAK,UAAU,yBAAyB,CACtC,SAAe,EACf,YAAsB,EACtB,eAAwB,EACxB,KAAa;IAEb,IAAA,4BAAqB,EAAC,WAAI,CAAC,OAAO,EAAE,GAAG,CAAC,OAAO,CAAC,CAAC;IAEjD,MAAM,MAAM,GAAG,IAAA,+BAAgB,EAAC,KAAK,EAAE,eAAe,CAAC,CAAC;IACxD,MAAM,gBAAgB,GAAG,MAAM,IAAA,qCAAsB,EACnD,WAAW,EACX,MAAM,EACN,SAAS,EACT,KAAK,aAAL,KAAK,uBAAL,KAAK,CAAE,OAAO,EACd,KAAK,aAAL,KAAK,uBAAL,KAAK,CAAE,KAAK,CACb,CAAC;IACF,MAAM,YAAY,GAA0B;QAC1C,GAAG,gBAAgB;QACnB,mBAAmB,EAAE,YAAY,CAAC,IAAI,CAAC,GAAG,CAAC;QAC3C,iBAAiB,EAAE,eAAe;KACnC,CAAC;IACF,MAAM,IAAA,+BAAgB,EAAC,YAAY,CAAC,CAAC;AACvC,CAAC;AAED,KAAK,UAAU,GAAG;IAChB,MAAM,SAAS,GAAG,IAAI,IAAI,EAAE,CAAC;IAC7B,MAAM,MAAM,GAAG,IAAA,0BAAgB,GAAE,CAAC;IAClC,MAAM,IAAA,yBAAkB,EAAC,GAAG,CAAC,OAAO,CAAC,CAAC;IACtC,IAAI,eAAe,GAAyB,SAAS,CAAC;IACtD,IAAI,SAAS,GAA2B,SAAS,CAAC;IAClD,IAAI;QACF,IACE,CAAC,CAAC,MAAM,IAAA,+BAAgB,EACtB,MAAM,IAAA,qCAAsB,EAAC,WAAW,EAAE,UAAU,EAAE,SAAS,CAAC,CACjE,CAAC,EACF;YACA,OAAO;SACR;QAED,MAAM,aAAa,GAAG,MAAM,IAAA,wCAA2B,GAAE,CAAC;QAC1D,IAAA,gCAAyB,EAAC,aAAa,EAAE,MAAM,EAAE,WAAI,CAAC,OAAO,CAAC,CAAC;QAE/D,MAAM,MAAM,GAAG,MAAM,WAAW,CAAC,SAAS,CAAC,IAAA,oCAAqB,GAAE,EAAE,MAAM,CAAC,CAAC;QAC5E,IAAI,MAAM,KAAK,SAAS,EAAE;YACxB,MAAM,IAAI,KAAK,CACb,yFAAyF,CAC1F,CAAC;SACH;QAED,SAAS,GAAG,MAAM,IAAA,uCAA2B,EAAC,MAAM,EAAE,MAAM,CAAC,CAAC;QAC9D,IAAI,SAAS,KAAK,SAAS,EAAE;YAC3B,MAAM,gBAAgB,GAAG,IAAA,+BAAgB,EAAC,mBAAmB,CAAC,CAAC;YAC/D,IAAI,gBAAgB,EAAE;gBACpB,MAAM,CAAC,IAAI,CACT,6CAA6C,gBAAgB,EAAE,CAChE,CAAC;gBACF,OAAO,CAAC,KAAK,CAAC,gBAAgB,CAAC,CAAC;aACjC;YACD,KAAK,MAAM,QAAQ,IAAI,SAAS,EAAE;gBAChC,eAAe,GAAG,QAAQ,CAAC;gBAC3B,MAAM,IAAA,wBAAY,EAAC,QAAQ,EAAE,MAAM,EAAE,MAAM,CAAC,CAAC;gBAC7C,IAAI,QAAQ,KAAK,oBAAQ,CAAC,EAAE,EAAE;oBAC5B,IAAI,CAAC,cAAc,CAAC,oCAA6B,EAAE,MAAM,CAAC,CAAC;iBAC5D;aACF;SACF;KACF;IAAC,OAAO,KAAK,EAAE;QACd,IAAI,CAAC,SAAS,CACZ,mIACE,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CACvD,EAAE,CACH,CAAC;QACF,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;QACnB,MAAM,yBAAyB,CAC7B,SAAS,EACT,SAAS,aAAT,SAAS,cAAT,SAAS,GAAI,EAAE,EACf,eAAe,EACf,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,KAAK,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAC1D,CAAC;QACF,OAAO;KACR;IAED,MAAM,yBAAyB,CAAC,SAAS,EAAE,SAAS,aAAT,SAAS,cAAT,SAAS,GAAI,EAAE,CAAC,CAAC;AAC9D,CAAC;AAED,KAAK,UAAU,UAAU;IACvB,IAAI;QACF,MAAM,GAAG,EAAE,CAAC;KACb;IAAC,OAAO,KAAK,EAAE;QACd,IAAI,CAAC,SAAS,CAAC,4BAA4B,KAAK,EAAE,CAAC,CAAC;QACpD,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;KACpB;AACH,CAAC;AAED,KAAK,UAAU,EAAE,CAAC"}
+{"version":3,"file":"autobuild-action.js","sourceRoot":"","sources":["../src/autobuild-action.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;AAAA,oDAAsC;AAEtC,iDAOwB;AACxB,6CAAgD;AAChD,2CAAwE;AACxE,4DAA8C;AAC9C,2CAAuC;AACvC,uCAA6C;AAC7C,iCAKgB;AAEhB,8CAA8C;AAC9C,MAAM,GAAG,GAAG,OAAO,CAAC,iBAAiB,CAAC,CAAC;AASvC,KAAK,UAAU,yBAAyB,CACtC,SAAe,EACf,YAAsB,EACtB,eAAwB,EACxB,KAAa;IAEb,IAAA,4BAAqB,EAAC,GAAG,CAAC,OAAO,CAAC,CAAC;IAEnC,MAAM,MAAM,GAAG,IAAA,+BAAgB,EAAC,KAAK,EAAE,eAAe,CAAC,CAAC;IACxD,MAAM,gBAAgB,GAAG,MAAM,IAAA,qCAAsB,EACnD,WAAW,EACX,MAAM,EACN,SAAS,EACT,KAAK,aAAL,KAAK,uBAAL,KAAK,CAAE,OAAO,EACd,KAAK,aAAL,KAAK,uBAAL,KAAK,CAAE,KAAK,CACb,CAAC;IACF,MAAM,YAAY,GAA0B;QAC1C,GAAG,gBAAgB;QACnB,mBAAmB,EAAE,YAAY,CAAC,IAAI,CAAC,GAAG,CAAC;QAC3C,iBAAiB,EAAE,eAAe;KACnC,CAAC;IACF,MAAM,IAAA,+BAAgB,EAAC,YAAY,CAAC,CAAC;AACvC,CAAC;AAED,KAAK,UAAU,GAAG;IAChB,MAAM,SAAS,GAAG,IAAI,IAAI,EAAE,CAAC;IAC7B,MAAM,MAAM,GAAG,IAAA,0BAAgB,GAAE,CAAC;IAClC,MAAM,IAAA,yBAAkB,EAAC,GAAG,CAAC,OAAO,CAAC,CAAC;IACtC,IAAI,eAAe,GAAyB,SAAS,CAAC;IACtD,IAAI,SAAS,GAA2B,SAAS,CAAC;IAClD,IAAI;QACF,IACE,CAAC,CAAC,MAAM,IAAA,+BAAgB,EACtB,MAAM,IAAA,qCAAsB,EAAC,WAAW,EAAE,UAAU,EAAE,SAAS,CAAC,CACjE,CAAC,EACF;YACA,OAAO;SACR;QAED,MAAM,aAAa,GAAG,MAAM,IAAA,6BAAgB,GAAE,CAAC;QAC/C,IAAA,gCAAyB,EAAC,aAAa,EAAE,MAAM,CAAC,CAAC;QAEjD,MAAM,MAAM,GAAG,MAAM,WAAW,CAAC,SAAS,CAAC,IAAA,oCAAqB,GAAE,EAAE,MAAM,CAAC,CAAC;QAC5E,IAAI,MAAM,KAAK,SAAS,EAAE;YACxB,MAAM,IAAI,KAAK,CACb,yFAAyF,CAC1F,CAAC;SACH;QAED,SAAS,GAAG,MAAM,IAAA,uCAA2B,EAAC,MAAM,EAAE,MAAM,CAAC,CAAC;QAC9D,IAAI,SAAS,KAAK,SAAS,EAAE;YAC3B,MAAM,gBAAgB,GAAG,IAAA,+BAAgB,EAAC,mBAAmB,CAAC,CAAC;YAC/D,IAAI,gBAAgB,EAAE;gBACpB,MAAM,CAAC,IAAI,CACT,6CAA6C,gBAAgB,EAAE,CAChE,CAAC;gBACF,OAAO,CAAC,KAAK,CAAC,gBAAgB,CAAC,CAAC;aACjC;YACD,KAAK,MAAM,QAAQ,IAAI,SAAS,EAAE;gBAChC,eAAe,GAAG,QAAQ,CAAC;gBAC3B,MAAM,IAAA,wBAAY,EAAC,QAAQ,EAAE,MAAM,EAAE,MAAM,CAAC,CAAC;gBAC7C,IAAI,QAAQ,KAAK,oBAAQ,CAAC,EAAE,EAAE;oBAC5B,IAAI,CAAC,cAAc,CAAC,oCAA6B,EAAE,MAAM,CAAC,CAAC;iBAC5D;aACF;SACF;KACF;IAAC,OAAO,KAAK,EAAE;QACd,IAAI,CAAC,SAAS,CACZ,mIACE,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CACvD,EAAE,CACH,CAAC;QACF,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;QACnB,MAAM,yBAAyB,CAC7B,SAAS,EACT,SAAS,aAAT,SAAS,cAAT,SAAS,GAAI,EAAE,EACf,eAAe,EACf,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,KAAK,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAC1D,CAAC;QACF,OAAO;KACR;IAED,MAAM,yBAAyB,CAAC,SAAS,EAAE,SAAS,aAAT,SAAS,cAAT,SAAS,GAAI,EAAE,CAAC,CAAC;AAC9D,CAAC;AAED,KAAK,UAAU,UAAU;IACvB,IAAI;QACF,MAAM,GAAG,EAAE,CAAC;KACb;IAAC,OAAO,KAAK,EAAE;QACd,IAAI,CAAC,SAAS,CAAC,4BAA4B,KAAK,EAAE,CAAC,CAAC;QACpD,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;KACpB;AACH,CAAC;AAED,KAAK,UAAU,EAAE,CAAC"}
@@ -18,30 +18,19 @@ var __importStar = (this && this.__importStar) || function (mod) {
    __setModuleDefault(result, mod);
    return result;
 };
-var __importDefault = (this && this.__importDefault) || function (mod) {
-    return (mod && mod.__esModule) ? mod : { "default": mod };
-};
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.getExtraOptions = exports.getCodeQLForTesting = exports.getCachedCodeQL = exports.setCodeQL = exports.getCodeQL = exports.convertToSemVer = exports.getCodeQLURLVersion = exports.setupCodeQL = exports.getCodeQLActionRepository = exports.CODEQL_VERSION_BETTER_RESOLVE_LANGUAGES = exports.CODEQL_VERSION_ML_POWERED_QUERIES_WINDOWS = exports.CODEQL_VERSION_TRACING_GLIBC_2_34 = exports.CODEQL_VERSION_NEW_TRACING = exports.CODEQL_VERSION_GHES_PACK_DOWNLOAD = exports.CODEQL_VERSION_CONFIG_FILES = exports.CODEQL_DEFAULT_ACTION_REPOSITORY = exports.CommandInvocationError = void 0;
+exports.getExtraOptions = exports.getCodeQLForCmd = exports.getCodeQLForTesting = exports.getCachedCodeQL = exports.setCodeQL = exports.getCodeQL = exports.setupCodeQL = exports.CODEQL_VERSION_BETTER_RESOLVE_LANGUAGES = exports.CODEQL_VERSION_ML_POWERED_QUERIES_WINDOWS = exports.CODEQL_VERSION_TRACING_GLIBC_2_34 = exports.CODEQL_VERSION_NEW_TRACING = exports.CODEQL_VERSION_GHES_PACK_DOWNLOAD = exports.CommandInvocationError = void 0;
 const fs = __importStar(require("fs"));
 const path = __importStar(require("path"));
 const toolrunner = __importStar(require("@actions/exec/lib/toolrunner"));
-const toolcache = __importStar(require("@actions/tool-cache"));
-const fast_deep_equal_1 = __importDefault(require("fast-deep-equal"));
 const yaml = __importStar(require("js-yaml"));
-const query_string_1 = __importDefault(require("query-string"));
-const semver = __importStar(require("semver"));
-const uuid_1 = require("uuid");
 const actions_util_1 = require("./actions-util");
-const api = __importStar(require("./api-client"));
-const defaults = __importStar(require("./defaults.json")); // Referenced from codeql-action-sync-tool!
 const error_matcher_1 = require("./error-matcher");
-const feature_flags_1 = require("./feature-flags");
 const languages_1 = require("./languages");
+const setupCodeql = __importStar(require("./setup-codeql"));
 const toolrunner_error_catcher_1 = require("./toolrunner-error-catcher");
 const trap_caching_1 = require("./trap-caching");
 const util = __importStar(require("./util"));
-const util_1 = require("./util");
 class CommandInvocationError extends Error {
    constructor(cmd, args, exitCode, error, output) {
        super(`Failure invoking ${cmd} with arguments ${args}.\n
@@ -56,8 +45,6 @@ exports.CommandInvocationError = CommandInvocationError;
 * Can be overridden in tests using `setCodeQL`.
 */
 let cachedCodeQL = undefined;
-const CODEQL_BUNDLE_VERSION = defaults.bundleVersion;
-exports.CODEQL_DEFAULT_ACTION_REPOSITORY = "github/codeql-action";
 /**
 * The oldest version of CodeQL that the Action will run with. This should be
 * at least three minor versions behind the current version and must include the
@@ -74,9 +61,9 @@ const CODEQL_MINIMUM_VERSION = "2.6.3";
 */
 const CODEQL_VERSION_CUSTOM_QUERY_HELP = "2.7.1";
 const CODEQL_VERSION_LUA_TRACER_CONFIG = "2.10.0";
-exports.CODEQL_VERSION_CONFIG_FILES = "2.10.1";
 const CODEQL_VERSION_LUA_TRACING_GO_WINDOWS_FIXED = "2.10.4";
 exports.CODEQL_VERSION_GHES_PACK_DOWNLOAD = "2.10.4";
+const CODEQL_VERSION_FILE_BASELINE_INFORMATION = "2.11.3";
 /**
 * This variable controls using the new style of tracing from the CodeQL
 * CLI. In particular, with versions above this we will use both indirect
@@ -103,205 +90,23 @@ exports.CODEQL_VERSION_ML_POWERED_QUERIES_WINDOWS = "2.9.0";
 * --extractor-options-verbosity that we need.
 */
 exports.CODEQL_VERSION_BETTER_RESOLVE_LANGUAGES = "2.10.3";
-function getCodeQLBundleName() {
-    let platform;
-    if (process.platform === "win32") {
-        platform = "win64";
-    }
-    else if (process.platform === "linux") {
-        platform = "linux64";
-    }
-    else if (process.platform === "darwin") {
-        platform = "osx64";
-    }
-    else {
-        return "codeql-bundle.tar.gz";
-    }
-    return `codeql-bundle-${platform}.tar.gz`;
-}
-function getCodeQLActionRepository(logger) {
-    if (!util.isActions()) {
-        return exports.CODEQL_DEFAULT_ACTION_REPOSITORY;
-    }
-    else {
-        return getActionsCodeQLActionRepository(logger);
-    }
-}
-exports.getCodeQLActionRepository = getCodeQLActionRepository;
-function getActionsCodeQLActionRepository(logger) {
-    if (process.env["GITHUB_ACTION_REPOSITORY"] !== undefined) {
-        return process.env["GITHUB_ACTION_REPOSITORY"];
-    }
-    // The Actions Runner used with GitHub Enterprise Server 2.22 did not set the GITHUB_ACTION_REPOSITORY variable.
-    // This fallback logic can be removed after the end-of-support for 2.22 on 2021-09-23.
-    if ((0, actions_util_1.isRunningLocalAction)()) {
-        // This handles the case where the Action does not come from an Action repository,
-        // e.g. our integration tests which use the Action code from the current checkout.
-        logger.info("The CodeQL Action is checked out locally. Using the default CodeQL Action repository.");
-        return exports.CODEQL_DEFAULT_ACTION_REPOSITORY;
-    }
-    logger.info("GITHUB_ACTION_REPOSITORY environment variable was not set. Falling back to legacy method of finding the GitHub Action.");
-    const relativeScriptPathParts = (0, actions_util_1.getRelativeScriptPath)().split(path.sep);
-    return `${relativeScriptPathParts[0]}/${relativeScriptPathParts[1]}`;
-}
-async function getCodeQLBundleDownloadURL(apiDetails, variant, logger) {
-    const codeQLActionRepository = getCodeQLActionRepository(logger);
-    const potentialDownloadSources = [
-        // This GitHub instance, and this Action.
-        [apiDetails.url, codeQLActionRepository],
-        // This GitHub instance, and the canonical Action.
-        [apiDetails.url, exports.CODEQL_DEFAULT_ACTION_REPOSITORY],
-        // GitHub.com, and the canonical Action.
-        [util.GITHUB_DOTCOM_URL, exports.CODEQL_DEFAULT_ACTION_REPOSITORY],
-    ];
-    // We now filter out any duplicates.
-    // Duplicates will happen either because the GitHub instance is GitHub.com, or because the Action is not a fork.
-    const uniqueDownloadSources = potentialDownloadSources.filter((source, index, self) => {
-        return !self.slice(0, index).some((other) => (0, fast_deep_equal_1.default)(source, other));
-    });
-    const codeQLBundleName = getCodeQLBundleName();
-    if (variant === util.GitHubVariant.GHAE) {
-        try {
-            const release = await api
-                .getApiClient(apiDetails)
-                .request("GET /enterprise/code-scanning/codeql-bundle/find/{tag}", {
-                tag: CODEQL_BUNDLE_VERSION,
-            });
-            const assetID = release.data.assets[codeQLBundleName];
-            if (assetID !== undefined) {
-                const download = await api
-                    .getApiClient(apiDetails)
-                    .request("GET /enterprise/code-scanning/codeql-bundle/download/{asset_id}", { asset_id: assetID });
-                const downloadURL = download.data.url;
-                logger.info(`Found CodeQL bundle at GitHub AE endpoint with URL ${downloadURL}.`);
-                return downloadURL;
-            }
-            else {
-                logger.info(`Attempted to fetch bundle from GitHub AE endpoint but the bundle ${codeQLBundleName} was not found in the assets ${JSON.stringify(release.data.assets)}.`);
-            }
-        }
-        catch (e) {
-            logger.info(`Attempted to fetch bundle from GitHub AE endpoint but got error ${e}.`);
-        }
-    }
-    for (const downloadSource of uniqueDownloadSources) {
-        const [apiURL, repository] = downloadSource;
-        // If we've reached the final case, short-circuit the API check since we know the bundle exists and is public.
-        if (apiURL === util.GITHUB_DOTCOM_URL &&
-            repository === exports.CODEQL_DEFAULT_ACTION_REPOSITORY) {
-            break;
-        }
-        const [repositoryOwner, repositoryName] = repository.split("/");
-        try {
-            const release = await api.getApiClient(apiDetails).repos.getReleaseByTag({
-                owner: repositoryOwner,
-                repo: repositoryName,
-                tag: CODEQL_BUNDLE_VERSION,
-            });
-            for (const asset of release.data.assets) {
-                if (asset.name === codeQLBundleName) {
-                    logger.info(`Found CodeQL bundle in ${downloadSource[1]} on ${downloadSource[0]} with URL ${asset.url}.`);
-                    return asset.url;
-                }
-            }
-        }
-        catch (e) {
-            logger.info(`Looked for CodeQL bundle in ${downloadSource[1]} on ${downloadSource[0]} but got error ${e}.`);
-        }
-    }
-    return `https://github.com/${exports.CODEQL_DEFAULT_ACTION_REPOSITORY}/releases/download/${CODEQL_BUNDLE_VERSION}/${codeQLBundleName}`;
-}
 /**
 * Set up CodeQL CLI access.
 *
- * @param codeqlURL
+ * @param toolsInput
 * @param apiDetails
 * @param tempDir
 * @param variant
- * @param features
+ * @param bypassToolcache
+ * @param defaultCliVersion
 * @param logger
 * @param checkVersion Whether to check that CodeQL CLI meets the minimum
 *        version requirement. Must be set to true outside tests.
 * @returns a { CodeQL, toolsVersion } object.
 */
-async function setupCodeQL(codeqlURL, apiDetails, tempDir, variant, features, logger, checkVersion) {
+async function setupCodeQL(toolsInput, apiDetails, tempDir, variant, bypassToolcache, defaultCliVersion, logger, checkVersion) {
    try {
-        const forceLatestReason = 
-        // We use the special value of 'latest' to prioritize the version in the
-        // defaults over any pinned cached version.
-        codeqlURL === "latest"
-            ? '"tools: latest" was requested'
-            : // If the user hasn't requested a particular CodeQL version, then bypass
-                // the toolcache when the appropriate feature is enabled. This
-                // allows us to quickly rollback a broken bundle that has made its way
-                // into the toolcache.
-                codeqlURL === undefined &&
-                    (await features.getValue(feature_flags_1.Feature.BypassToolcacheEnabled))
-                    ? "a specific version of CodeQL was not requested and the bypass toolcache feature is enabled"
-                    : undefined;
-        const forceLatest = forceLatestReason !== undefined;
-        if (forceLatest) {
-            logger.debug(`Forcing the latest version of the CodeQL tools since ${forceLatestReason}.`);
-            codeqlURL = undefined;
-        }
-        let codeqlFolder;
-        let codeqlURLVersion;
-        if (codeqlURL && !codeqlURL.startsWith("http")) {
-            codeqlFolder = await toolcache.extractTar(codeqlURL);
-            codeqlURLVersion = "local";
-        }
-        else {
-            codeqlURLVersion = getCodeQLURLVersion(codeqlURL || `/${CODEQL_BUNDLE_VERSION}/`);
-            const codeqlURLSemVer = convertToSemVer(codeqlURLVersion, logger);
-            // If we find the specified version, we always use that.
-            codeqlFolder = toolcache.find("CodeQL", codeqlURLSemVer);
-            // If we don't find the requested version, in some cases we may allow a
-            // different version to save download time if the version hasn't been
-            // specified explicitly (in which case we always honor it).
-            if (!codeqlFolder && !codeqlURL && !forceLatest) {
-                const codeqlVersions = toolcache.findAllVersions("CodeQL");
-                if (codeqlVersions.length === 1 && (0, util_1.isGoodVersion)(codeqlVersions[0])) {
-                    const tmpCodeqlFolder = toolcache.find("CodeQL", codeqlVersions[0]);
-                    if (fs.existsSync(path.join(tmpCodeqlFolder, "pinned-version"))) {
-                        logger.debug(`CodeQL in cache overriding the default ${CODEQL_BUNDLE_VERSION}`);
-                        codeqlFolder = tmpCodeqlFolder;
-                        codeqlURLVersion = codeqlVersions[0];
-                    }
-                }
-            }
-            if (codeqlFolder) {
-                logger.debug(`CodeQL found in cache ${codeqlFolder}`);
-            }
-            else {
-                if (!codeqlURL) {
-                    codeqlURL = await getCodeQLBundleDownloadURL(apiDetails, variant, logger);
-                }
-                const parsedCodeQLURL = new URL(codeqlURL);
-                const parsedQueryString = query_string_1.default.parse(parsedCodeQLURL.search);
-                const headers = {
-                    accept: "application/octet-stream",
-                };
-                // We only want to provide an authorization header if we are downloading
-                // from the same GitHub instance the Action is running on.
-                // This avoids leaking Enterprise tokens to dotcom.
-                // We also don't want to send an authorization header if there's already a token provided in the URL.
-                if (codeqlURL.startsWith(`${apiDetails.url}/`) &&
-                    parsedQueryString["token"] === undefined) {
-                    logger.debug("Downloading CodeQL bundle with token.");
-                    headers.authorization = `token ${apiDetails.auth}`;
-                }
-                else {
-                    logger.debug("Downloading CodeQL bundle without token.");
-                }
-                logger.info(`Downloading CodeQL tools from ${codeqlURL}. This may take a while.`);
-                const dest = path.join(tempDir, (0, uuid_1.v4)());
-                const finalHeaders = Object.assign({ "User-Agent": "CodeQL Action" }, headers);
-                const codeqlPath = await toolcache.downloadTool(codeqlURL, dest, undefined, finalHeaders);
-                logger.debug(`CodeQL bundle download to ${codeqlPath} complete.`);
-                const codeqlExtracted = await toolcache.extractTar(codeqlPath);
-                codeqlFolder = await toolcache.cacheDir(codeqlExtracted, "CodeQL", codeqlURLSemVer);
-            }
-        }
+        const { codeqlFolder, toolsVersion } = await setupCodeql.setupCodeQLBundle(toolsInput, apiDetails, tempDir, variant, bypassToolcache, defaultCliVersion, logger);
        let codeqlCmd = path.join(codeqlFolder, "codeql", "codeql");
        if (process.platform === "win32") {
            codeqlCmd += ".exe";
@@ -310,7 +115,7 @@ async function setupCodeQL(codeqlURL, apiDetails, tempDir, variant, features, lo
            throw new Error(`Unsupported platform: ${process.platform}`);
        }
        cachedCodeQL = await getCodeQLForCmd(codeqlCmd, checkVersion);
-        return { codeql: cachedCodeQL, toolsVersion: codeqlURLVersion };
+        return { codeql: cachedCodeQL, toolsVersion };
    }
    catch (e) {
        logger.error(e instanceof Error ? e : new Error(String(e)));
@@ -318,26 +123,6 @@ async function setupCodeQL(codeqlURL, apiDetails, tempDir, variant, features, lo
    }
 }
 exports.setupCodeQL = setupCodeQL;
-function getCodeQLURLVersion(url) {
-    const match = url.match(/\/codeql-bundle-(.*)\//);
-    if (match === null || match.length < 2) {
-        throw new Error(`Malformed tools url: ${url}. Version could not be inferred`);
-    }
-    return match[1];
-}
-exports.getCodeQLURLVersion = getCodeQLURLVersion;
-function convertToSemVer(version, logger) {
-    if (!semver.valid(version)) {
-        logger.debug(`Bundle version ${version} is not in SemVer format. Will treat it as pre-release 0.0.0-${version}.`);
-        version = `0.0.0-${version}`;
-    }
-    const s = semver.clean(version);
-    if (!s) {
-        throw new Error(`Bundle version ${version} is not in SemVer format.`);
-    }
-    return s;
-}
-exports.convertToSemVer = convertToSemVer;
 /**
 * Use the CodeQL executable located at the given path.
 */
@@ -386,6 +171,7 @@ function setCodeQL(partialCodeql) {
        databaseRunQueries: resolveFunction(partialCodeql, "databaseRunQueries"),
        databaseInterpretResults: resolveFunction(partialCodeql, "databaseInterpretResults"),
        databasePrintBaseline: resolveFunction(partialCodeql, "databasePrintBaseline"),
+        diagnosticsExport: resolveFunction(partialCodeql, "diagnosticsExport"),
    };
    return cachedCodeQL;
 }
@@ -504,20 +290,12 @@ async function getCodeQLForCmd(cmd, checkVersion) {
                ...getExtraOptionsFromEnv(["database", "init"]),
            ]);
        },
-        async databaseInitCluster(config, sourceRoot, processName, processLevel, featureEnablement) {
+        async databaseInitCluster(config, sourceRoot, processName, featureEnablement) {
            const extraArgs = config.languages.map((language) => `--language=${language}`);
            if (config.languages.filter((l) => (0, languages_1.isTracedLanguage)(l)).length > 0) {
                extraArgs.push("--begin-tracing");
                extraArgs.push(...(await (0, trap_caching_1.getTrapCachingExtractorConfigArgs)(config)));
-                if (processName !== undefined) {
-                    extraArgs.push(`--trace-process-name=${processName}`);
-                }
-                else {
-                    // We default to 3 if no other arguments are provided since this was the default
-                    // behavior of the Runner. Note this path never happens in the CodeQL Action
-                    // because that always passes in a process name.
-                    extraArgs.push(`--trace-process-level=${processLevel || 3}`);
-                }
+                extraArgs.push(`--trace-process-name=${processName}`);
                if (
                // There's a bug in Lua tracing for Go on Windows in versions earlier than
                // `CODEQL_VERSION_LUA_TRACING_GO_WINDOWS_FIXED`, so don't use Lua tracing
@@ -530,9 +308,16 @@ async function getCodeQLForCmd(cmd, checkVersion) {
                    extraArgs.push("--no-internal-use-lua-tracing");
                }
            }
+            // A config file is only generated if the CliConfigFileEnabled feature flag is enabled.
            const configLocation = await generateCodeScanningConfig(codeql, config, featureEnablement);
+            // Only pass external repository token if a config file is going to be parsed by the CLI.
+            let externalRepositoryToken;
            if (configLocation) {
                extraArgs.push(`--codescanning-config=${configLocation}`);
+                externalRepositoryToken = (0, actions_util_1.getOptionalInput)("external-repository-token");
+                if (externalRepositoryToken) {
+                    extraArgs.push("--external-repository-token-stdin");
+                }
            }
            await runTool(cmd, [
                "database",
@@ -542,7 +327,7 @@ async function getCodeQLForCmd(cmd, checkVersion) {
                `--source-root=${sourceRoot}`,
                ...extraArgs,
                ...getExtraOptionsFromEnv(["database", "init"]),
-            ]);
+            ], { stdin: externalRepositoryToken });
        },
        async runAutobuild(language) {
            const cmdName = process.platform === "win32" ? "autobuild.cmd" : "autobuild.sh";
@@ -689,9 +474,9 @@ async function getCodeQLForCmd(cmd, checkVersion) {
            if (querySuitePath) {
                codeqlArgs.push(querySuitePath);
            }
-            await runTool(cmd, codeqlArgs);
+            await (0, toolrunner_error_catcher_1.toolrunnerErrorCatcher)(cmd, codeqlArgs, error_matcher_1.errorMatchers);
        },
-        async databaseInterpretResults(databasePath, querySuitePaths, sarifFile, addSnippetsFlag, threadsFlag, verbosityFlag, automationDetailsId, featureEnablement) {
+        async databaseInterpretResults(databasePath, querySuitePaths, sarifFile, addSnippetsFlag, threadsFlag, verbosityFlag, automationDetailsId) {
            const codeqlArgs = [
                "database",
                "interpret-results",
@@ -710,7 +495,7 @@ async function getCodeQLForCmd(cmd, checkVersion) {
            if (automationDetailsId !== undefined) {
                codeqlArgs.push("--sarif-category", automationDetailsId);
            }
-            if (await featureEnablement.getValue(feature_flags_1.Feature.FileBaselineInformationEnabled, this)) {
+            if (await util.codeQlVersionAbove(this, CODEQL_VERSION_FILE_BASELINE_INFORMATION)) {
                codeqlArgs.push("--sarif-add-baseline-file-info");
            }
            codeqlArgs.push(databasePath);
@@ -718,7 +503,8 @@ async function getCodeQLForCmd(cmd, checkVersion) {
                codeqlArgs.push(...querySuitePaths);
            }
            // capture stdout, which contains analysis summaries
-            return await runTool(cmd, codeqlArgs);
+            const returnState = await (0, toolrunner_error_catcher_1.toolrunnerErrorCatcher)(cmd, codeqlArgs, error_matcher_1.errorMatchers);
+            return returnState.stdout;
        },
        async databasePrintBaseline(databasePath) {
            const codeqlArgs = [
@@ -794,6 +580,19 @@ async function getCodeQLForCmd(cmd, checkVersion) {
            ];
            await new toolrunner.ToolRunner(cmd, args).exec();
        },
+        async diagnosticsExport(sarifFile, automationDetailsId) {
+            const args = [
+                "diagnostics",
+                "export",
+                "--format=sarif-latest",
+                `--output=${sarifFile}`,
+                ...getExtraOptionsFromEnv(["diagnostics", "export"]),
+            ];
+            if (automationDetailsId !== undefined) {
+                args.push("--sarif-category", automationDetailsId);
+            }
+            await new toolrunner.ToolRunner(cmd, args).exec();
+        },
    };
    // To ensure that status reports include the CodeQL CLI version wherever
    // possible, we want to call getVersion(), which populates the version value
@@ -809,6 +608,7 @@ async function getCodeQLForCmd(cmd, checkVersion) {
    }
    return codeql;
 }
+exports.getCodeQLForCmd = getCodeQLForCmd;
 /**
 * Gets the options for `path` of `options` as an array of extra option strings.
 */
@@ -863,20 +663,26 @@ exports.getExtraOptions = getExtraOptions;
 *     status reports on GitHub.com.
 */
 const maxErrorSize = 20000;
-async function runTool(cmd, args = []) {
+async function runTool(cmd, args = [], opts = {}) {
    let output = "";
    let error = "";
    const exitCode = await new toolrunner.ToolRunner(cmd, args, {
        listeners: {
            stdout: (data) => {
-                output += data.toString();
+                output += data.toString("utf8");
            },
            stderr: (data) => {
-                const toRead = Math.min(maxErrorSize - error.length, data.length);
-                error += data.toString("utf8", 0, toRead);
+                let readStartIndex = 0;
+                // If the error is too large, then we only take the last 20,000 characters
+                if (data.length - maxErrorSize > 0) {
+                    // Eg: if we have 20,000 the start index should be 2.
+                    readStartIndex = data.length - maxErrorSize + 1;
+                }
+                error += data.toString("utf8", readStartIndex);
            },
        },
        ignoreReturnCode: true,
+        ...(opts.stdin ? { input: Buffer.from(opts.stdin || "") } : {}),
    }).exec();
    if (exitCode !== 0)
        throw new CommandInvocationError(cmd, args, exitCode, error, output);
@@ -24,16 +24,19 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.stubToolRunnerConstructor = void 0;
 const fs = __importStar(require("fs"));
-const path = __importStar(require("path"));
+const path_1 = __importDefault(require("path"));
 const toolrunner = __importStar(require("@actions/exec/lib/toolrunner"));
 const toolcache = __importStar(require("@actions/tool-cache"));
+const safeWhich = __importStar(require("@chrisgavin/safe-which"));
 const ava_1 = __importDefault(require("ava"));
 const del_1 = __importDefault(require("del"));
 const yaml = __importStar(require("js-yaml"));
 const nock_1 = __importDefault(require("nock"));
 const sinon = __importStar(require("sinon"));
+const actionsUtil = __importStar(require("./actions-util"));
+const api = __importStar(require("./api-client"));
 const codeql = __importStar(require("./codeql"));
-const defaults = __importStar(require("./defaults.json"));
+const defaults = __importStar(require("./defaults.json")); // Referenced from codeql-action-sync-tool!
 const feature_flags_1 = require("./feature-flags");
 const languages_1 = require("./languages");
 const logging_1 = require("./logging");
@@ -44,18 +47,20 @@ const util_1 = require("./util");
 const sampleApiDetails = {
    auth: "token",
    url: "https://github.com",
-    apiURL: undefined,
-    registriesAuthTokens: undefined,
+    apiURL: "https://api.github.com",
 };
 const sampleGHAEApiDetails = {
    auth: "token",
    url: "https://example.githubenterprise.com",
-    apiURL: undefined,
-    registriesAuthTokens: undefined,
+    apiURL: "https://example.githubenterprise.com/api/v3",
+};
+const SAMPLE_DEFAULT_CLI_VERSION = {
+    cliVersion: "2.0.0",
+    variant: util.GitHubVariant.DOTCOM,
 };
 let stubConfig;
 ava_1.default.beforeEach(() => {
-    (0, util_1.initializeEnvironment)(util_1.Mode.actions, "1.2.3");
+    (0, util_1.initializeEnvironment)("1.2.3");
    stubConfig = {
        languages: [languages_1.Language.cpp],
        queries: {},
@@ -81,7 +86,13 @@ ava_1.default.beforeEach(() => {
        trapCacheDownloadTime: 0,
    };
 });
-async function mockApiAndSetupCodeQL({ apiDetails, featureEnablement, isPinned, tmpDir, toolsInput, version, }) {
+/**
+ * Mocks the API for downloading the bundle tagged `tagName`.
+ *
+ * @returns the download URL for the bundle. This can be passed to the tools parameter of
+ * `codeql.setupCodeQL`.
+ */
+async function mockDownloadApi({ apiDetails = sampleApiDetails, isPinned, tagName, }) {
    var _a;
    const platform = process.platform === "win32"
        ? "win64"
@@ -90,133 +101,148 @@ async function mockApiAndSetupCodeQL({ apiDetails, featureEnablement, isPinned,
            : "osx64";
    const baseUrl = (_a = apiDetails === null || apiDetails === void 0 ? void 0 : apiDetails.url) !== null && _a !== void 0 ? _a : "https://example.com";
    const relativeUrl = apiDetails
-        ? `/github/codeql-action/releases/download/${version}/codeql-bundle-${platform}.tar.gz`
-        : `/download/codeql-bundle-${version}/codeql-bundle.tar.gz`;
+        ? `/github/codeql-action/releases/download/${tagName}/codeql-bundle-${platform}.tar.gz`
+        : `/download/${tagName}/codeql-bundle.tar.gz`;
    (0, nock_1.default)(baseUrl)
        .get(relativeUrl)
-        .replyWithFile(200, path.join(__dirname, `/../src/testdata/codeql-bundle${isPinned ? "-pinned" : ""}.tar.gz`));
-    return await codeql.setupCodeQL(toolsInput ? toolsInput.input : `${baseUrl}${relativeUrl}`, apiDetails !== null && apiDetails !== void 0 ? apiDetails : sampleApiDetails, tmpDir, util.GitHubVariant.DOTCOM, featureEnablement !== null && featureEnablement !== void 0 ? featureEnablement : (0, testing_utils_1.createFeatures)([]), (0, logging_1.getRunnerLogger)(true), false);
+        .replyWithFile(200, path_1.default.join(__dirname, `/../src/testdata/codeql-bundle${isPinned ? "-pinned" : ""}.tar.gz`));
+    return `${baseUrl}${relativeUrl}`;
 }
-(0, ava_1.default)("download codeql bundle cache", async (t) => {
+async function installIntoToolcache({ apiDetails = sampleApiDetails, cliVersion, isPinned, tagName, tmpDir, }) {
+    const url = await mockDownloadApi({ apiDetails, isPinned, tagName });
+    await codeql.setupCodeQL(cliVersion !== undefined ? undefined : url, apiDetails, tmpDir, util.GitHubVariant.GHES, false, cliVersion !== undefined
+        ? { cliVersion, tagName, variant: util.GitHubVariant.GHES }
+        : SAMPLE_DEFAULT_CLI_VERSION, (0, logging_1.getRunnerLogger)(true), false);
+}
+(0, ava_1.default)("downloads and caches explicitly requested bundles that aren't in the toolcache", async (t) => {
    await util.withTmpDir(async (tmpDir) => {
        (0, testing_utils_1.setupActionsVars)(tmpDir, tmpDir);
        const versions = ["20200601", "20200610"];
        for (let i = 0; i < versions.length; i++) {
            const version = versions[i];
-            const codeQLConfig = await mockApiAndSetupCodeQL({ version, tmpDir });
+            const url = await mockDownloadApi({
+                tagName: `codeql-bundle-${version}`,
+                isPinned: false,
+            });
+            const result = await codeql.setupCodeQL(url, sampleApiDetails, tmpDir, util.GitHubVariant.DOTCOM, false, SAMPLE_DEFAULT_CLI_VERSION, (0, logging_1.getRunnerLogger)(true), false);
            t.assert(toolcache.find("CodeQL", `0.0.0-${version}`));
-            t.deepEqual(codeQLConfig.toolsVersion, version);
+            t.is(result.toolsVersion, `0.0.0-${version}`);
        }
        t.is(toolcache.findAllVersions("CodeQL").length, 2);
    });
 });
-(0, ava_1.default)("download codeql bundle cache explicitly requested with pinned different version cached", async (t) => {
+(0, ava_1.default)("downloads an explicitly requested bundle even if a different version is cached", async (t) => {
    await util.withTmpDir(async (tmpDir) => {
        (0, testing_utils_1.setupActionsVars)(tmpDir, tmpDir);
-        const pinnedCodeQLConfig = await mockApiAndSetupCodeQL({
-            version: "20200601",
+        await installIntoToolcache({
+            tagName: "codeql-bundle-20200601",
            isPinned: true,
            tmpDir,
        });
-        t.assert(toolcache.find("CodeQL", "0.0.0-20200601"));
-        t.deepEqual(pinnedCodeQLConfig.toolsVersion, "20200601");
-        const unpinnedCodeQLConfig = await mockApiAndSetupCodeQL({
-            version: "20200610",
-            tmpDir,
+        const url = await mockDownloadApi({
+            tagName: "codeql-bundle-20200610",
        });
+        const result = await codeql.setupCodeQL(url, sampleApiDetails, tmpDir, util.GitHubVariant.DOTCOM, false, SAMPLE_DEFAULT_CLI_VERSION, (0, logging_1.getRunnerLogger)(true), false);
        t.assert(toolcache.find("CodeQL", "0.0.0-20200610"));
-        t.deepEqual(unpinnedCodeQLConfig.toolsVersion, "20200610");
+        t.deepEqual(result.toolsVersion, "0.0.0-20200610");
    });
 });
-(0, ava_1.default)("don't download codeql bundle cache with pinned different version cached", async (t) => {
-    await util.withTmpDir(async (tmpDir) => {
-        (0, testing_utils_1.setupActionsVars)(tmpDir, tmpDir);
-        const pinnedCodeQLConfig = await mockApiAndSetupCodeQL({
-            version: "20200601",
-            isPinned: true,
-            tmpDir,
-        });
-        t.assert(toolcache.find("CodeQL", "0.0.0-20200601"));
-        t.deepEqual(pinnedCodeQLConfig.toolsVersion, "20200601");
-        const codeQLConfig = await codeql.setupCodeQL(undefined, sampleApiDetails, tmpDir, util.GitHubVariant.DOTCOM, (0, testing_utils_1.createFeatures)([]), (0, logging_1.getRunnerLogger)(true), false);
-        t.deepEqual(codeQLConfig.toolsVersion, "0.0.0-20200601");
-        const cachedVersions = toolcache.findAllVersions("CodeQL");
-        t.is(cachedVersions.length, 1);
-    });
-});
-(0, ava_1.default)("download codeql bundle cache with different version cached (not pinned)", async (t) => {
-    await util.withTmpDir(async (tmpDir) => {
-        (0, testing_utils_1.setupActionsVars)(tmpDir, tmpDir);
-        const cachedCodeQLConfig = await mockApiAndSetupCodeQL({
-            version: "20200601",
-            tmpDir,
-        });
-        t.assert(toolcache.find("CodeQL", "0.0.0-20200601"));
-        t.deepEqual(cachedCodeQLConfig.toolsVersion, "20200601");
-        const codeQLConfig = await mockApiAndSetupCodeQL({
-            version: defaults.bundleVersion,
-            tmpDir,
-            apiDetails: sampleApiDetails,
-            toolsInput: { input: undefined },
-        });
-        t.deepEqual(codeQLConfig.toolsVersion, defaults.bundleVersion.replace("codeql-bundle-", ""));
-        const cachedVersions = toolcache.findAllVersions("CodeQL");
-        t.is(cachedVersions.length, 2);
-    });
-});
-(0, ava_1.default)('download codeql bundle cache with pinned different version cached if "latest" tools specified', async (t) => {
-    await util.withTmpDir(async (tmpDir) => {
-        (0, testing_utils_1.setupActionsVars)(tmpDir, tmpDir);
-        const pinnedCodeQLConfig = await mockApiAndSetupCodeQL({
-            version: "20200601",
-            isPinned: true,
-            tmpDir,
-        });
-        t.assert(toolcache.find("CodeQL", "0.0.0-20200601"));
-        t.deepEqual(pinnedCodeQLConfig.toolsVersion, "20200601");
-        const latestCodeQLConfig = await mockApiAndSetupCodeQL({
-            version: defaults.bundleVersion,
-            apiDetails: sampleApiDetails,
-            toolsInput: { input: "latest" },
-            tmpDir,
-        });
-        t.deepEqual(latestCodeQLConfig.toolsVersion, defaults.bundleVersion.replace("codeql-bundle-", ""));
-        const cachedVersions = toolcache.findAllVersions("CodeQL");
-        t.is(cachedVersions.length, 2);
-    });
-});
-const TOOLCACHE_BYPASS_TEST_CASES = [
-    [true, undefined, true],
-    [false, undefined, false],
-    [
-        true,
-        "https://github.com/github/codeql-action/releases/download/codeql-bundle-20200601/codeql-bundle.tar.gz",
-        false,
-    ],
-];
-for (const [isFeatureEnabled, toolsInput, shouldToolcacheBeBypassed,] of TOOLCACHE_BYPASS_TEST_CASES) {
-    (0, ava_1.default)(`download codeql bundle ${shouldToolcacheBeBypassed ? "bypasses" : "does not bypass"} toolcache when feature ${isFeatureEnabled ? "enabled" : "disabled"} and tools: ${toolsInput} passed`, async (t) => {
+for (const isCached of [true, false]) {
+    (0, ava_1.default)(`uses default version on Dotcom when default version bundle is ${isCached ? "" : "not "}cached`, async (t) => {
        await util.withTmpDir(async (tmpDir) => {
            (0, testing_utils_1.setupActionsVars)(tmpDir, tmpDir);
-            await mockApiAndSetupCodeQL({
-                version: "codeql-bundle-20200601",
-                apiDetails: sampleApiDetails,
-                isPinned: true,
-                tmpDir,
-            });
-            t.assert(toolcache.find("CodeQL", "0.0.0-20200601"));
-            await mockApiAndSetupCodeQL({
-                version: defaults.bundleVersion,
-                apiDetails: sampleApiDetails,
-                featureEnablement: (0, testing_utils_1.createFeatures)(isFeatureEnabled ? [feature_flags_1.Feature.BypassToolcacheEnabled] : []),
-                toolsInput: { input: toolsInput },
-                tmpDir,
-            });
-            const cachedVersions = toolcache.findAllVersions("CodeQL");
-            t.is(cachedVersions.length, shouldToolcacheBeBypassed ? 2 : 1);
+            const tagName = `codeql-bundle-20230101`;
+            if (isCached) {
+                await installIntoToolcache({
+                    cliVersion: SAMPLE_DEFAULT_CLI_VERSION.cliVersion,
+                    tagName,
+                    isPinned: true,
+                    tmpDir,
+                });
+            }
+            else {
+                await mockDownloadApi({
+                    tagName,
+                });
+                sinon.stub(api, "getApiClient").value(() => ({
+                    repos: {
+                        listReleases: sinon.stub().resolves(undefined),
+                    },
+                    paginate: sinon.stub().resolves([
+                        {
+                            assets: [
+                                {
+                                    name: "cli-version-2.0.0.txt",
+                                },
+                            ],
+                            tag_name: tagName,
+                        },
+                    ]),
+                }));
+            }
+            const result = await codeql.setupCodeQL(undefined, sampleApiDetails, tmpDir, util.GitHubVariant.DOTCOM, false, SAMPLE_DEFAULT_CLI_VERSION, (0, logging_1.getRunnerLogger)(true), false);
+            t.is(result.toolsVersion, SAMPLE_DEFAULT_CLI_VERSION.cliVersion);
        });
    });
 }
+for (const variant of [util.GitHubVariant.GHAE, util.GitHubVariant.GHES]) {
+    (0, ava_1.default)(`uses a cached bundle when no tools input is given on ${util.GitHubVariant[variant]}`, async (t) => {
+        await util.withTmpDir(async (tmpDir) => {
+            (0, testing_utils_1.setupActionsVars)(tmpDir, tmpDir);
+            await installIntoToolcache({
+                tagName: "codeql-bundle-20200601",
+                isPinned: true,
+                tmpDir,
+            });
+            const result = await codeql.setupCodeQL(undefined, sampleApiDetails, tmpDir, variant, false, {
+                cliVersion: defaults.cliVersion,
+                tagName: defaults.bundleVersion,
+                variant,
+            }, (0, logging_1.getRunnerLogger)(true), false);
+            t.deepEqual(result.toolsVersion, "0.0.0-20200601");
+            const cachedVersions = toolcache.findAllVersions("CodeQL");
+            t.is(cachedVersions.length, 1);
+        });
+    });
+    (0, ava_1.default)(`downloads bundle if only an unpinned version is cached on ${util.GitHubVariant[variant]}`, async (t) => {
+        await util.withTmpDir(async (tmpDir) => {
+            (0, testing_utils_1.setupActionsVars)(tmpDir, tmpDir);
+            await installIntoToolcache({
+                tagName: "codeql-bundle-20200601",
+                isPinned: false,
+                tmpDir,
+            });
+            await mockDownloadApi({
+                tagName: defaults.bundleVersion,
+            });
+            const result = await codeql.setupCodeQL(undefined, sampleApiDetails, tmpDir, variant, false, {
+                cliVersion: defaults.cliVersion,
+                tagName: defaults.bundleVersion,
+                variant,
+            }, (0, logging_1.getRunnerLogger)(true), false);
+            t.deepEqual(result.toolsVersion, defaults.cliVersion);
+            const cachedVersions = toolcache.findAllVersions("CodeQL");
+            t.is(cachedVersions.length, 2);
+        });
+    });
+}
+(0, ava_1.default)('downloads bundle if "latest" tools specified but not cached', async (t) => {
+    await util.withTmpDir(async (tmpDir) => {
+        (0, testing_utils_1.setupActionsVars)(tmpDir, tmpDir);
+        await installIntoToolcache({
+            tagName: "codeql-bundle-20200601",
+            isPinned: true,
+            tmpDir,
+        });
+        await mockDownloadApi({
+            tagName: defaults.bundleVersion,
+        });
+        const result = await codeql.setupCodeQL("latest", sampleApiDetails, tmpDir, util.GitHubVariant.DOTCOM, false, SAMPLE_DEFAULT_CLI_VERSION, (0, logging_1.getRunnerLogger)(true), false);
+        t.deepEqual(result.toolsVersion, defaults.cliVersion);
+        const cachedVersions = toolcache.findAllVersions("CodeQL");
+        t.is(cachedVersions.length, 2);
+    });
+});
 (0, ava_1.default)("download codeql bundle from github ae endpoint", async (t) => {
    await util.withTmpDir(async (tmpDir) => {
        (0, testing_utils_1.setupActionsVars)(tmpDir, tmpDir);
@@ -239,34 +265,33 @@ for (const [isFeatureEnabled, toolsInput, shouldToolcacheBeBypassed,] of TOOLCAC
        });
        (0, nock_1.default)("https://example.githubenterprise.com")
            .get(`/github/codeql-action/releases/download/${defaults.bundleVersion}/${codeQLBundleName}`)
-            .replyWithFile(200, path.join(__dirname, `/../src/testdata/codeql-bundle-pinned.tar.gz`));
-        await codeql.setupCodeQL(undefined, sampleGHAEApiDetails, tmpDir, util.GitHubVariant.GHAE, (0, testing_utils_1.createFeatures)([]), (0, logging_1.getRunnerLogger)(true), false);
+            .replyWithFile(200, path_1.default.join(__dirname, `/../src/testdata/codeql-bundle-pinned.tar.gz`));
+        // This is a workaround to mock `api.getApiDetails()` since it doesn't seem to be possible to
+        // mock this directly. The difficulty is that `getApiDetails()` is called locally in
+        // `api-client.ts`, but `sinon.stub(api, "getApiDetails")` only affects calls to
+        // `getApiDetails()` via an imported `api` module.
+        sinon
+            .stub(actionsUtil, "getRequiredInput")
+            .withArgs("token")
+            .returns(sampleGHAEApiDetails.auth);
+        const requiredEnvParamStub = sinon.stub(util, "getRequiredEnvParam");
+        requiredEnvParamStub
+            .withArgs("GITHUB_SERVER_URL")
+            .returns(sampleGHAEApiDetails.url);
+        requiredEnvParamStub
+            .withArgs("GITHUB_API_URL")
+            .returns(sampleGHAEApiDetails.apiURL);
+        sinon.stub(actionsUtil, "isRunningLocalAction").returns(false);
+        process.env["GITHUB_ACTION_REPOSITORY"] = "github/codeql-action";
+        await codeql.setupCodeQL(undefined, sampleGHAEApiDetails, tmpDir, util.GitHubVariant.GHAE, false, {
+            cliVersion: defaults.cliVersion,
+            tagName: defaults.bundleVersion,
+            variant: util.GitHubVariant.GHAE,
+        }, (0, logging_1.getRunnerLogger)(true), false);
        const cachedVersions = toolcache.findAllVersions("CodeQL");
        t.is(cachedVersions.length, 1);
    });
 });
-(0, ava_1.default)("parse codeql bundle url version", (t) => {
-    t.deepEqual(codeql.getCodeQLURLVersion("https://github.com/.../codeql-bundle-20200601/..."), "20200601");
-});
-(0, ava_1.default)("convert to semver", (t) => {
-    const tests = {
-        "20200601": "0.0.0-20200601",
-        "20200601.0": "0.0.0-20200601.0",
-        "20200601.0.0": "20200601.0.0",
-        "1.2.3": "1.2.3",
-        "1.2.3-alpha": "1.2.3-alpha",
-        "1.2.3-beta.1": "1.2.3-beta.1",
-    };
-    for (const [version, expectedVersion] of Object.entries(tests)) {
-        try {
-            const parsedVersion = codeql.convertToSemVer(version, (0, logging_1.getRunnerLogger)(true));
-            t.deepEqual(parsedVersion, expectedVersion);
-        }
-        catch (e) {
-            t.fail(e instanceof Error ? e.message : String(e));
-        }
-    }
-});
 (0, ava_1.default)("getExtraOptions works for explicit paths", (t) => {
    t.deepEqual(codeql.getExtraOptions({}, ["foo"], []), []);
    t.deepEqual(codeql.getExtraOptions({ foo: [42] }, ["foo"], []), ["42"]);
@@ -289,33 +314,22 @@ for (const [isFeatureEnabled, toolsInput, shouldToolcacheBeBypassed,] of TOOLCAC
    t.throws(() => codeql.getExtraOptions({ foo: 87 }, ["foo"], []));
    t.throws(() => codeql.getExtraOptions({ "*": [42], foo: { "*": 87, bar: [99] } }, ["foo", "bar"], []));
 });
-(0, ava_1.default)("getCodeQLActionRepository", (t) => {
-    const logger = (0, logging_1.getRunnerLogger)(true);
-    (0, util_1.initializeEnvironment)(util_1.Mode.runner, "1.2.3");
-    const repoActions = codeql.getCodeQLActionRepository(logger);
-    t.deepEqual(repoActions, "github/codeql-action");
-    (0, util_1.initializeEnvironment)(util_1.Mode.actions, "1.2.3");
-    // isRunningLocalAction() === true
-    delete process.env["GITHUB_ACTION_REPOSITORY"];
-    process.env["RUNNER_TEMP"] = path.dirname(__dirname);
-    const repoLocalRunner = codeql.getCodeQLActionRepository(logger);
-    t.deepEqual(repoLocalRunner, "github/codeql-action");
-    process.env["GITHUB_ACTION_REPOSITORY"] = "xxx/yyy";
-    const repoEnv = codeql.getCodeQLActionRepository(logger);
-    t.deepEqual(repoEnv, "xxx/yyy");
-});
 (0, ava_1.default)("databaseInterpretResults() does not set --sarif-add-query-help for 2.7.0", async (t) => {
    const runnerConstructorStub = stubToolRunnerConstructor();
    const codeqlObject = await codeql.getCodeQLForTesting();
    sinon.stub(codeqlObject, "getVersion").resolves("2.7.0");
-    await codeqlObject.databaseInterpretResults("", [], "", "", "", "-v", "", (0, testing_utils_1.createFeatures)([]));
+    // safeWhich throws because of the test CodeQL object.
+    sinon.stub(safeWhich, "safeWhich").resolves("");
+    await codeqlObject.databaseInterpretResults("", [], "", "", "", "-v", "");
    t.false(runnerConstructorStub.firstCall.args[1].includes("--sarif-add-query-help"), "--sarif-add-query-help should be absent, but it is present");
 });
 (0, ava_1.default)("databaseInterpretResults() sets --sarif-add-query-help for 2.7.1", async (t) => {
    const runnerConstructorStub = stubToolRunnerConstructor();
    const codeqlObject = await codeql.getCodeQLForTesting();
    sinon.stub(codeqlObject, "getVersion").resolves("2.7.1");
-    await codeqlObject.databaseInterpretResults("", [], "", "", "", "-v", "", (0, testing_utils_1.createFeatures)([]));
+    // safeWhich throws because of the test CodeQL object.
+    sinon.stub(safeWhich, "safeWhich").resolves("");
+    await codeqlObject.databaseInterpretResults("", [], "", "", "", "-v", "");
    t.true(runnerConstructorStub.firstCall.args[1].includes("--sarif-add-query-help"), "--sarif-add-query-help should be present, but it is absent");
 });
 (0, ava_1.default)("databaseInitCluster() without injected codescanning config", async (t) => {
@@ -323,6 +337,8 @@ for (const [isFeatureEnabled, toolsInput, shouldToolcacheBeBypassed,] of TOOLCAC
        const runnerConstructorStub = stubToolRunnerConstructor();
        const codeqlObject = await codeql.getCodeQLForTesting();
        sinon.stub(codeqlObject, "getVersion").resolves("2.8.1");
+        // safeWhich throws because of the test CodeQL object.
+        sinon.stub(safeWhich, "safeWhich").resolves("");
        const thisStubConfig = {
            ...stubConfig,
            tempDir,
@@ -332,7 +348,7 @@ for (const [isFeatureEnabled, toolsInput, shouldToolcacheBeBypassed,] of TOOLCAC
                packsInputCombines: false,
            },
        };
-        await codeqlObject.databaseInitCluster(thisStubConfig, "", undefined, undefined, (0, testing_utils_1.createFeatures)([]), (0, logging_1.getRunnerLogger)(true));
+        await codeqlObject.databaseInitCluster(thisStubConfig, "", undefined, (0, testing_utils_1.createFeatures)([]), (0, logging_1.getRunnerLogger)(true));
        const args = runnerConstructorStub.firstCall.args[1];
        // should NOT have used an config file
        const configArg = args.find((arg) => arg.startsWith("--codescanning-config="));
@@ -347,14 +363,14 @@ const injectedConfigMacro = ava_1.default.macro({
            const codeqlObject = await codeql.getCodeQLForTesting();
            sinon
                .stub(codeqlObject, "getVersion")
-                .resolves(codeql.CODEQL_VERSION_CONFIG_FILES);
+                .resolves(feature_flags_1.featureConfig[feature_flags_1.Feature.CliConfigFileEnabled].minimumVersion);
            const thisStubConfig = {
                ...stubConfig,
                ...configOverride,
                tempDir,
                augmentationProperties,
            };
-            await codeqlObject.databaseInitCluster(thisStubConfig, "", undefined, undefined, (0, testing_utils_1.createFeatures)([feature_flags_1.Feature.CliConfigFileEnabled]), (0, logging_1.getRunnerLogger)(true));
+            await codeqlObject.databaseInitCluster(thisStubConfig, "", undefined, (0, testing_utils_1.createFeatures)([feature_flags_1.Feature.CliConfigFileEnabled]), (0, logging_1.getRunnerLogger)(true));
            const args = runnerConstructorStub.firstCall.args[1];
            // should have used an config file
            const configArg = args.find((arg) => arg.startsWith("--codescanning-config="));
@@ -377,7 +393,7 @@ const injectedConfigMacro = ava_1.default.macro({
    queriesInputCombines: false,
    packsInputCombines: false,
 }, {}, {
-    packs: ["codeql/javascript-experimental-atm-queries@~0.3.0"],
+    packs: ["codeql/javascript-experimental-atm-queries@~0.4.0"],
 });
 (0, ava_1.default)("injected ML queries with existing packs", injectedConfigMacro, {
    injectedMlQueries: true,
@@ -391,7 +407,7 @@ const injectedConfigMacro = ava_1.default.macro({
    packs: {
        javascript: [
            "codeql/something-else",
-            "codeql/javascript-experimental-atm-queries@~0.3.0",
+            "codeql/javascript-experimental-atm-queries@~0.4.0",
        ],
    },
 });
@@ -406,7 +422,7 @@ const injectedConfigMacro = ava_1.default.macro({
 }, {
    packs: {
        cpp: ["codeql/something-else"],
-        javascript: ["codeql/javascript-experimental-atm-queries@~0.3.0"],
+        javascript: ["codeql/javascript-experimental-atm-queries@~0.4.0"],
    },
 });
 (0, ava_1.default)("injected packs from input", injectedConfigMacro, {
@@ -459,7 +475,7 @@ const injectedConfigMacro = ava_1.default.macro({
        },
    },
 }, {
-    packs: ["xxx", "yyy", "codeql/javascript-experimental-atm-queries@~0.3.0"],
+    packs: ["xxx", "yyy", "codeql/javascript-experimental-atm-queries@~0.4.0"],
 });
 // similar, but with queries
 (0, ava_1.default)("injected queries from input", injectedConfigMacro, {
@@ -553,8 +569,8 @@ const injectedConfigMacro = ava_1.default.macro({
        const codeqlObject = await codeql.getCodeQLForTesting();
        sinon
            .stub(codeqlObject, "getVersion")
-            .resolves(codeql.CODEQL_VERSION_CONFIG_FILES);
-        await codeqlObject.databaseInitCluster(stubConfig, "", undefined, undefined, (0, testing_utils_1.createFeatures)([]), (0, logging_1.getRunnerLogger)(true));
+            .resolves(feature_flags_1.featureConfig[feature_flags_1.Feature.CliConfigFileEnabled].minimumVersion);
+        await codeqlObject.databaseInitCluster(stubConfig, "", undefined, (0, testing_utils_1.createFeatures)([]), (0, logging_1.getRunnerLogger)(true));
        const args = runnerConstructorStub.firstCall.args[1];
        // should have used an config file
        const configArg = args.find((arg) => arg.startsWith("--codescanning-config="));
@@ -564,24 +580,22 @@ const injectedConfigMacro = ava_1.default.macro({
        process.env["CODEQL_PASS_CONFIG_TO_CLI"] = origCODEQL_PASS_CONFIG_TO_CLI;
    }
 });
-(0, ava_1.default)("databaseInterpretResults() sets --sarif-add-baseline-file-info when feature enabled", async (t) => {
+(0, ava_1.default)("databaseInterpretResults() sets --sarif-add-baseline-file-info for 2.11.3", async (t) => {
    const runnerConstructorStub = stubToolRunnerConstructor();
    const codeqlObject = await codeql.getCodeQLForTesting();
-    // We need to set a CodeQL version such that running `databaseInterpretResults` does not crash.
-    // The version of CodeQL is checked separately to determine feature enablement, and does not
-    // otherwise impact this test, so set it to 0.0.0.
-    sinon.stub(codeqlObject, "getVersion").resolves("0.0.0");
-    await codeqlObject.databaseInterpretResults("", [], "", "", "", "-v", "", (0, testing_utils_1.createFeatures)([feature_flags_1.Feature.FileBaselineInformationEnabled]));
+    sinon.stub(codeqlObject, "getVersion").resolves("2.11.3");
+    // safeWhich throws because of the test CodeQL object.
+    sinon.stub(safeWhich, "safeWhich").resolves("");
+    await codeqlObject.databaseInterpretResults("", [], "", "", "", "-v", "");
    t.true(runnerConstructorStub.firstCall.args[1].includes("--sarif-add-baseline-file-info"), "--sarif-add-baseline-file-info should be present, but it is absent");
 });
-(0, ava_1.default)("databaseInterpretResults() does not set --sarif-add-baseline-file-info if feature disabled", async (t) => {
+(0, ava_1.default)("databaseInterpretResults() does not set --sarif-add-baseline-file-info for 2.11.2", async (t) => {
    const runnerConstructorStub = stubToolRunnerConstructor();
    const codeqlObject = await codeql.getCodeQLForTesting();
-    // We need to set a CodeQL version such that running `databaseInterpretResults` does not crash.
-    // The version of CodeQL is checked upstream to determine feature enablement, so it does not
-    // affect this test.
-    sinon.stub(codeqlObject, "getVersion").resolves("0.0.0");
-    await codeqlObject.databaseInterpretResults("", [], "", "", "", "-v", "", (0, testing_utils_1.createFeatures)([]));
+    sinon.stub(codeqlObject, "getVersion").resolves("2.11.2");
+    // safeWhich throws because of the test CodeQL object.
+    sinon.stub(safeWhich, "safeWhich").resolves("");
+    await codeqlObject.databaseInterpretResults("", [], "", "", "", "-v", "");
    t.false(runnerConstructorStub.firstCall.args[1].includes("--sarif-add-baseline-file-info"), "--sarif-add-baseline-file-info must be absent, but it is present");
 });
 function stubToolRunnerConstructor() {
@@ -19,7 +19,7 @@ var __importStar = (this && this.__importStar) || function (mod) {
    return result;
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.downloadPacks = exports.getConfig = exports.getPathToParsedConfigFile = exports.initConfig = exports.parsePacks = exports.validatePackSpecification = exports.prettyPrintPack = exports.parsePacksSpecification = exports.parsePacksFromConfig = exports.calculateAugmentation = exports.getDefaultConfig = exports.getUnknownLanguagesError = exports.getNoLanguagesError = exports.getConfigFileDirectoryGivenMessage = exports.getConfigFileFormatInvalidMessage = exports.getConfigFileRepoFormatInvalidMessage = exports.getConfigFileDoesNotExistErrorMessage = exports.getConfigFileOutsideWorkspaceErrorMessage = exports.getLocalPathDoesNotExist = exports.getLocalPathOutsideOfRepository = exports.getPacksStrInvalid = exports.getPacksInvalid = exports.getPacksInvalidSplit = exports.getPathsInvalid = exports.getPathsIgnoreInvalid = exports.getQueryUsesInvalid = exports.getQueriesMissingUses = exports.getQueriesInvalid = exports.getDisableDefaultQueriesInvalid = exports.getNameInvalid = exports.validateAndSanitisePath = exports.defaultAugmentationProperties = void 0;
+exports.downloadPacks = exports.getConfig = exports.getPathToParsedConfigFile = exports.initConfig = exports.parsePacks = exports.validatePackSpecification = exports.prettyPrintPack = exports.parsePacksSpecification = exports.parsePacksFromConfig = exports.calculateAugmentation = exports.getDefaultConfig = exports.getRawLanguages = exports.getLanguages = exports.getLanguagesInRepo = exports.getUnknownLanguagesError = exports.getNoLanguagesError = exports.getConfigFileDirectoryGivenMessage = exports.getConfigFileFormatInvalidMessage = exports.getConfigFileRepoFormatInvalidMessage = exports.getConfigFileDoesNotExistErrorMessage = exports.getConfigFileOutsideWorkspaceErrorMessage = exports.getLocalPathDoesNotExist = exports.getLocalPathOutsideOfRepository = exports.getPacksStrInvalid = exports.getPacksInvalid = exports.getPacksInvalidSplit = exports.getPathsInvalid = exports.getPathsIgnoreInvalid = exports.getQueryUsesInvalid = exports.getQueriesMissingUses = exports.getQueriesInvalid = exports.getDisableDefaultQueriesInvalid = exports.getNameInvalid = exports.validateAndSanitisePath = exports.defaultAugmentationProperties = void 0;
 const fs = __importStar(require("fs"));
 const path = __importStar(require("path"));
 // We need to import `performance` on Node 12
@@ -240,8 +240,12 @@ async function parseQueryUses(languages, codeQL, resultMap, packs, queryUses, te
    if (queryUses.indexOf("/") === -1 && queryUses.indexOf("@") === -1) {
        return await addBuiltinSuiteQueries(languages, codeQL, resultMap, packs, queryUses, featureEnablement, configFile);
    }
-    // Otherwise, must be a reference to another repo
-    await addRemoteQueries(codeQL, resultMap, queryUses, tempDir, apiDetails, logger, configFile);
+    // Otherwise, must be a reference to another repo.
+    // If config parsing is handled in CLI, then this repo will be downloaded
+    // later by the CLI.
+    if (!(await (0, util_1.useCodeScanningConfigInCli)(codeQL, featureEnablement))) {
+        await addRemoteQueries(codeQL, resultMap, queryUses, tempDir, apiDetails, logger, configFile);
+    }
    return false;
 }
 // Regex validating stars in paths or paths-ignore entries.
@@ -385,11 +389,12 @@ function getUnknownLanguagesError(languages) {
 }
 exports.getUnknownLanguagesError = getUnknownLanguagesError;
 /**
- * Gets the set of languages in the current repository
+ * Gets the set of languages in the current repository that are
+ * scannable by CodeQL.
 */
-async function getLanguagesInRepo(repository, apiDetails, logger) {
+async function getLanguagesInRepo(repository, logger) {
    logger.debug(`GitHub repo ${repository.owner} ${repository.repo}`);
-    const response = await api.getApiClient(apiDetails).repos.listLanguages({
+    const response = await api.getApiClient().repos.listLanguages({
        owner: repository.owner,
        repo: repository.repo,
    });
@@ -407,6 +412,7 @@ async function getLanguagesInRepo(repository, apiDetails, logger) {
    }
    return [...languages];
 }
+exports.getLanguagesInRepo = getLanguagesInRepo;
 /**
 * Get the languages to analyse.
 *
@@ -417,19 +423,17 @@ async function getLanguagesInRepo(repository, apiDetails, logger) {
 * If no languages could be detected from either the workflow or the repository
 * then throw an error.
 */
-async function getLanguages(codeQL, languagesInput, repository, apiDetails, logger) {
-    // Obtain from action input 'languages' if set
-    let languages = (languagesInput || "")
-        .split(",")
-        .map((x) => x.trim())
-        .filter((x) => x.length > 0);
-    logger.info(`Languages from configuration: ${JSON.stringify(languages)}`);
-    if (languages.length === 0) {
-        // Obtain languages as all languages in the repo that can be analysed
-        languages = await getLanguagesInRepo(repository, apiDetails, logger);
+async function getLanguages(codeQL, languagesInput, repository, logger) {
+    // Obtain languages without filtering them.
+    const { rawLanguages, autodetected } = await getRawLanguages(languagesInput, repository, logger);
+    let languages = rawLanguages.map(languages_1.resolveAlias);
+    if (autodetected) {
        const availableLanguages = await codeQL.resolveLanguages();
        languages = languages.filter((value) => value in availableLanguages);
-        logger.info(`Automatically detected languages: ${JSON.stringify(languages)}`);
+        logger.info(`Automatically detected languages: ${languages.join(", ")}`);
+    }
+    else {
+        logger.info(`Languages from configuration: ${languages.join(", ")}`);
    }
    // If the languages parameter was not given and no languages were
    // detected then fail here as this is a workflow configuration error.
@@ -440,19 +444,51 @@ async function getLanguages(codeQL, languagesInput, repository, apiDetails, logg
    const parsedLanguages = [];
    const unknownLanguages = [];
    for (const language of languages) {
+        // We know this is not an alias since we resolved it above.
        const parsedLanguage = (0, languages_1.parseLanguage)(language);
        if (parsedLanguage === undefined) {
            unknownLanguages.push(language);
        }
-        else if (parsedLanguages.indexOf(parsedLanguage) === -1) {
+        else if (!parsedLanguages.includes(parsedLanguage)) {
            parsedLanguages.push(parsedLanguage);
        }
    }
+    // Any unknown languages here would have come directly from the input
+    // since we filter unknown languages coming from the GitHub API.
    if (unknownLanguages.length > 0) {
        throw new Error(getUnknownLanguagesError(unknownLanguages));
    }
    return parsedLanguages;
 }
+exports.getLanguages = getLanguages;
+/**
+ * Gets the set of languages in the current repository without checking to
+ * see if these languages are actually supported by CodeQL.
+ *
+ * @param languagesInput The languages from the workflow input
+ * @param repository the owner/name of the repository
+ * @param logger a logger
+ * @returns A tuple containing a list of languages in this repository that might be
+ * analyzable and whether or not this list was determined automatically.
+ */
+async function getRawLanguages(languagesInput, repository, logger) {
+    // Obtain from action input 'languages' if set
+    let rawLanguages = (languagesInput || "")
+        .split(",")
+        .map((x) => x.trim().toLowerCase())
+        .filter((x) => x.length > 0);
+    let autodetected;
+    if (rawLanguages.length) {
+        autodetected = false;
+    }
+    else {
+        autodetected = true;
+        // Obtain all languages in the repo that can be analysed
+        rawLanguages = (await getLanguagesInRepo(repository, logger));
+    }
+    return { rawLanguages, autodetected };
+}
+exports.getRawLanguages = getRawLanguages;
 async function addQueriesAndPacksFromWorkflow(codeQL, queriesInput, languages, resultMap, packs, tempDir, workspacePath, apiDetails, featureEnablement, logger) {
    let injectedMlQueries = false;
    queriesInput = queriesInput.trim();
@@ -478,7 +514,7 @@ function shouldAddConfigFileQueries(queriesInput) {
 * Get the default config for when the user has not supplied one.
 */
 async function getDefaultConfig(languagesInput, rawQueriesInput, rawPacksInput, dbLocation, trapCachingEnabled, debugMode, debugArtifactName, debugDatabaseName, repository, tempDir, codeQL, workspacePath, gitHubVersion, apiDetails, featureEnablement, logger) {
-    const languages = await getLanguages(codeQL, languagesInput, repository, apiDetails, logger);
+    const languages = await getLanguages(codeQL, languagesInput, repository, logger);
    const queries = {};
    for (const language of languages) {
        queries[language] = {
@@ -552,7 +588,7 @@ async function loadConfig(languagesInput, rawQueriesInput, rawPacksInput, config
            throw new Error(getNameInvalid(configFile));
        }
    }
-    const languages = await getLanguages(codeQL, languagesInput, repository, apiDetails, logger);
+    const languages = await getLanguages(codeQL, languagesInput, repository, logger);
    const queries = {};
    for (const language of languages) {
        queries[language] = {
@@ -893,22 +929,23 @@ async function initConfig(languagesInput, queriesInput, packsInput, registriesIn
    else {
        config = await loadConfig(languagesInput, queriesInput, packsInput, configFile, dbLocation, trapCachingEnabled, debugMode, debugArtifactName, debugDatabaseName, repository, tempDir, codeQL, workspacePath, gitHubVersion, apiDetails, featureEnablement, logger);
    }
-    // The list of queries should not be empty for any language. If it is then
-    // it is a user configuration error.
-    for (const language of config.languages) {
-        const hasBuiltinQueries = ((_a = config.queries[language]) === null || _a === void 0 ? void 0 : _a.builtin.length) > 0;
-        const hasCustomQueries = ((_b = config.queries[language]) === null || _b === void 0 ? void 0 : _b.custom.length) > 0;
-        const hasPacks = (((_c = config.packs[language]) === null || _c === void 0 ? void 0 : _c.length) || 0) > 0;
-        if (!hasPacks && !hasBuiltinQueries && !hasCustomQueries) {
-            throw new Error(`Did not detect any queries to run for ${language}. ` +
-                "Please make sure that the default queries are enabled, or you are specifying queries to run.");
-        }
-    }
    // When using the codescanning config in the CLI, pack downloads
    // happen in the CLI during the `database init` command, so no need
    // to download them here.
    await (0, util_1.logCodeScanningConfigInCli)(codeQL, featureEnablement, logger);
    if (!(await (0, util_1.useCodeScanningConfigInCli)(codeQL, featureEnablement))) {
+        // The list of queries should not be empty for any language. If it is then
+        // it is a user configuration error.
+        // This check occurs in the CLI when it parses the config file.
+        for (const language of config.languages) {
+            const hasBuiltinQueries = ((_a = config.queries[language]) === null || _a === void 0 ? void 0 : _a.builtin.length) > 0;
+            const hasCustomQueries = ((_b = config.queries[language]) === null || _b === void 0 ? void 0 : _b.custom.length) > 0;
+            const hasPacks = (((_c = config.packs[language]) === null || _c === void 0 ? void 0 : _c.length) || 0) > 0;
+            if (!hasPacks && !hasBuiltinQueries && !hasCustomQueries) {
+                throw new Error(`Did not detect any queries to run for ${language}. ` +
+                    "Please make sure that the default queries are enabled, or you are specifying queries to run.");
+            }
+        }
        const registries = parseRegistries(registriesInput);
        await downloadPacks(codeQL, config.languages, config.packs, registries, apiDetails, config.tempDir, logger);
    }
@@ -954,7 +991,7 @@ async function getRemoteConfig(configFile, apiDetails) {
        throw new Error(getConfigFileRepoFormatInvalidMessage(configFile));
    }
    const response = await api
-        .getApiClient(apiDetails, { allowExternal: true })
+        .getApiClientWithExternalAuth(apiDetails)
        .repos.getContent({
        owner: pieces.groups.owner,
        repo: pieces.groups.repo,
@@ -34,6 +34,7 @@ const configUtils = __importStar(require("./config-utils"));
 const feature_flags_1 = require("./feature-flags");
 const languages_1 = require("./languages");
 const logging_1 = require("./logging");
+const repository_1 = require("./repository");
 const testing_utils_1 = require("./testing-utils");
 const util = __importStar(require("./util"));
 (0, testing_utils_1.setupTests)(ava_1.default);
@@ -61,6 +62,7 @@ function mockGetContents(content) {
        .stub(client.repos, "getContent")
        .resolves(response);
    sinon.stub(api, "getApiClient").value(() => client);
+    sinon.stub(api, "getApiClientWithExternalAuth").value(() => client);
    return spyGetContents;
 }
 function mockListLanguages(languages) {
@@ -932,11 +934,7 @@ function parseInputAndConfigMacro(t, packsFromConfig, packsFromInput, languages,
    languages, "/a/b", mockLogger), expected);
 }
 parseInputAndConfigMacro.title = (providedTitle) => `Parse Packs input and config: ${providedTitle}`;
-const mockLogger = {
-    info: (message) => {
-        console.log(message);
-    },
-};
+const mockLogger = (0, logging_1.getRunnerLogger)(true);
 function parseInputAndConfigErrorMacro(t, packsFromConfig, packsFromInput, languages, packsFromInputOverride, expected) {
    t.throws(() => {
        configUtils.parsePacks(packsFromConfig, packsFromInput, packsFromInputOverride, languages, "/a/b", mockLogger);
@@ -1236,4 +1234,86 @@ const calculateAugmentationErrorMacro = ava_1.default.macro({
        }, { instanceOf: Error }, "Invalid 'registries' input. Must be an array of objects with 'url' and 'packages' properties.");
    });
 });
+// getLanguages
+const mockRepositoryNwo = (0, repository_1.parseRepositoryNwo)("owner/repo");
+// eslint-disable-next-line github/array-foreach
+[
+    {
+        name: "languages from input",
+        codeqlResolvedLanguages: ["javascript", "java", "python"],
+        languagesInput: "jAvAscript, \n jaVa",
+        languagesInRepository: ["SwiFt", "other"],
+        expectedLanguages: ["javascript", "java"],
+        expectedApiCall: false,
+    },
+    {
+        name: "languages from github api",
+        codeqlResolvedLanguages: ["javascript", "java", "python"],
+        languagesInput: "",
+        languagesInRepository: ["  jAvAscript\n \t", " jaVa", "SwiFt", "other"],
+        expectedLanguages: ["javascript", "java"],
+        expectedApiCall: true,
+    },
+    {
+        name: "aliases from input",
+        codeqlResolvedLanguages: ["javascript", "csharp", "cpp", "java", "python"],
+        languagesInput: "  typEscript\n \t, C#, c , KoTlin",
+        languagesInRepository: ["SwiFt", "other"],
+        expectedLanguages: ["javascript", "csharp", "cpp", "java"],
+        expectedApiCall: false,
+    },
+    {
+        name: "duplicate languages from input",
+        codeqlResolvedLanguages: ["javascript", "java", "python"],
+        languagesInput: "jAvAscript, \n jaVa, kotlin, typescript",
+        languagesInRepository: ["SwiFt", "other"],
+        expectedLanguages: ["javascript", "java"],
+        expectedApiCall: false,
+    },
+    {
+        name: "aliases from github api",
+        codeqlResolvedLanguages: ["javascript", "csharp", "cpp", "java", "python"],
+        languagesInput: "",
+        languagesInRepository: ["  typEscript\n \t", " C#", "c", "other"],
+        expectedLanguages: ["javascript", "csharp", "cpp"],
+        expectedApiCall: true,
+    },
+    {
+        name: "no languages",
+        codeqlResolvedLanguages: ["javascript", "java", "python"],
+        languagesInput: "",
+        languagesInRepository: [],
+        expectedApiCall: true,
+        expectedError: configUtils.getNoLanguagesError(),
+    },
+    {
+        name: "unrecognized languages from input",
+        codeqlResolvedLanguages: ["javascript", "java", "python"],
+        languagesInput: "a, b, c, javascript",
+        languagesInRepository: [],
+        expectedApiCall: false,
+        expectedError: configUtils.getUnknownLanguagesError(["a", "b"]),
+    },
+].forEach((args) => {
+    (0, ava_1.default)(`getLanguages: ${args.name}`, async (t) => {
+        const mockRequest = (0, testing_utils_1.mockLanguagesInRepo)(args.languagesInRepository);
+        const languages = args.codeqlResolvedLanguages.reduce((acc, lang) => ({
+            ...acc,
+            [lang]: true,
+        }), {});
+        const codeQL = (0, codeql_1.setCodeQL)({
+            resolveLanguages: () => Promise.resolve(languages),
+        });
+        if (args.expectedLanguages) {
+            // happy path
+            const actualLanguages = await configUtils.getLanguages(codeQL, args.languagesInput, mockRepositoryNwo, mockLogger);
+            t.deepEqual(actualLanguages.sort(), args.expectedLanguages.sort());
+        }
+        else {
+            // there is an error
+            await t.throwsAsync(async () => await configUtils.getLanguages(codeQL, args.languagesInput, mockRepositoryNwo, mockLogger), { message: args.expectedError });
+        }
+        t.deepEqual(mockRequest.called, args.expectedApiCall);
+    });
+});
 //# sourceMappingURL=config-utils.test.js.map
@@ -41,27 +41,35 @@ async function uploadDatabases(repositoryNwo, config, apiDetails, logger) {
        logger.debug("Not analyzing default branch. Skipping upload.");
        return;
    }
-    const client = (0, api_client_1.getApiClient)(apiDetails);
+    const client = (0, api_client_1.getApiClient)();
    const codeql = await (0, codeql_1.getCodeQL)(config.codeQLCmd);
    for (const language of config.languages) {
-        // Upload the database bundle.
-        // Although we are uploading arbitrary file contents to the API, it's worth
-        // noting that it's the API's job to validate that the contents is acceptable.
-        // This API method is available to anyone with write access to the repo.
-        const payload = fs.readFileSync(await (0, util_1.bundleDb)(config, language, codeql, language));
        try {
-            await client.request(`POST https://uploads.github.com/repos/:owner/:repo/code-scanning/codeql/databases/:language?name=:name`, {
-                owner: repositoryNwo.owner,
-                repo: repositoryNwo.repo,
-                language,
-                name: `${language}-database`,
-                data: payload,
-                headers: {
-                    authorization: `token ${apiDetails.auth}`,
-                    "Content-Type": "application/zip",
-                },
-            });
-            logger.debug(`Successfully uploaded database for ${language}`);
+            // Upload the database bundle.
+            // Although we are uploading arbitrary file contents to the API, it's worth
+            // noting that it's the API's job to validate that the contents is acceptable.
+            // This API method is available to anyone with write access to the repo.
+            const bundledDb = await (0, util_1.bundleDb)(config, language, codeql, language);
+            const bundledDbSize = fs.statSync(bundledDb).size;
+            const bundledDbReadStream = fs.createReadStream(bundledDb);
+            try {
+                await client.request(`POST https://uploads.github.com/repos/:owner/:repo/code-scanning/codeql/databases/:language?name=:name`, {
+                    owner: repositoryNwo.owner,
+                    repo: repositoryNwo.repo,
+                    language,
+                    name: `${language}-database`,
+                    data: bundledDbReadStream,
+                    headers: {
+                        authorization: `token ${apiDetails.auth}`,
+                        "Content-Type": "application/zip",
+                        "Content-Length": bundledDbSize,
+                    },
+                });
+                logger.debug(`Successfully uploaded database for ${language}`);
+            }
+            finally {
+                bundledDbReadStream.close();
+            }
        }
        catch (e) {
            console.log(e);
@@ -1 +1 @@
-{"version":3,"file":"database-upload.js","sourceRoot":"","sources":["../src/database-upload.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;AAAA,uCAAyB;AAEzB,4DAA8C;AAC9C,6CAA8D;AAC9D,qCAAqC;AAIrC,6CAA+B;AAC/B,iCAAkC;AAE3B,KAAK,UAAU,eAAe,CACnC,aAA4B,EAC5B,MAAc,EACd,UAA4B,EAC5B,MAAc;IAEd,IAAI,WAAW,CAAC,gBAAgB,CAAC,iBAAiB,CAAC,KAAK,MAAM,EAAE;QAC9D,MAAM,CAAC,KAAK,CAAC,wDAAwD,CAAC,CAAC;QACvE,OAAO;KACR;IAED,iDAAiD;IACjD,IAAI,MAAM,CAAC,aAAa,CAAC,IAAI,KAAK,IAAI,CAAC,aAAa,CAAC,MAAM,EAAE;QAC3D,MAAM,CAAC,KAAK,CAAC,kDAAkD,CAAC,CAAC;QACjE,OAAO;KACR;IAED,IAAI,CAAC,CAAC,MAAM,WAAW,CAAC,wBAAwB,EAAE,CAAC,EAAE;QACnD,4EAA4E;QAC5E,MAAM,CAAC,KAAK,CAAC,gDAAgD,CAAC,CAAC;QAC/D,OAAO;KACR;IAED,MAAM,MAAM,GAAG,IAAA,yBAAY,EAAC,UAAU,CAAC,CAAC;IACxC,MAAM,MAAM,GAAG,MAAM,IAAA,kBAAS,EAAC,MAAM,CAAC,SAAS,CAAC,CAAC;IAEjD,KAAK,MAAM,QAAQ,IAAI,MAAM,CAAC,SAAS,EAAE;QACvC,8BAA8B;QAC9B,2EAA2E;QAC3E,8EAA8E;QAC9E,wEAAwE;QACxE,MAAM,OAAO,GAAG,EAAE,CAAC,YAAY,CAC7B,MAAM,IAAA,eAAQ,EAAC,MAAM,EAAE,QAAQ,EAAE,MAAM,EAAE,QAAQ,CAAC,CACnD,CAAC;QACF,IAAI;YACF,MAAM,MAAM,CAAC,OAAO,CAClB,wGAAwG,EACxG;gBACE,KAAK,EAAE,aAAa,CAAC,KAAK;gBAC1B,IAAI,EAAE,aAAa,CAAC,IAAI;gBACxB,QAAQ;gBACR,IAAI,EAAE,GAAG,QAAQ,WAAW;gBAC5B,IAAI,EAAE,OAAO;gBACb,OAAO,EAAE;oBACP,aAAa,EAAE,SAAS,UAAU,CAAC,IAAI,EAAE;oBACzC,cAAc,EAAE,iBAAiB;iBAClC;aACF,CACF,CAAC;YACF,MAAM,CAAC,KAAK,CAAC,sCAAsC,QAAQ,EAAE,CAAC,CAAC;SAChE;QAAC,OAAO,CAAC,EAAE;YACV,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;YACf,4CAA4C;YAC5C,MAAM,CAAC,OAAO,CAAC,iCAAiC,QAAQ,KAAK,CAAC,EAAE,CAAC,CAAC;SACnE;KACF;AACH,CAAC;AAxDD,0CAwDC"}
+{"version":3,"file":"database-upload.js","sourceRoot":"","sources":["../src/database-upload.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;AAAA,uCAAyB;AAEzB,4DAA8C;AAC9C,6CAA8D;AAC9D,qCAAqC;AAIrC,6CAA+B;AAC/B,iCAAkC;AAE3B,KAAK,UAAU,eAAe,CACnC,aAA4B,EAC5B,MAAc,EACd,UAA4B,EAC5B,MAAc;IAEd,IAAI,WAAW,CAAC,gBAAgB,CAAC,iBAAiB,CAAC,KAAK,MAAM,EAAE;QAC9D,MAAM,CAAC,KAAK,CAAC,wDAAwD,CAAC,CAAC;QACvE,OAAO;KACR;IAED,iDAAiD;IACjD,IAAI,MAAM,CAAC,aAAa,CAAC,IAAI,KAAK,IAAI,CAAC,aAAa,CAAC,MAAM,EAAE;QAC3D,MAAM,CAAC,KAAK,CAAC,kDAAkD,CAAC,CAAC;QACjE,OAAO;KACR;IAED,IAAI,CAAC,CAAC,MAAM,WAAW,CAAC,wBAAwB,EAAE,CAAC,EAAE;QACnD,4EAA4E;QAC5E,MAAM,CAAC,KAAK,CAAC,gDAAgD,CAAC,CAAC;QAC/D,OAAO;KACR;IAED,MAAM,MAAM,GAAG,IAAA,yBAAY,GAAE,CAAC;IAC9B,MAAM,MAAM,GAAG,MAAM,IAAA,kBAAS,EAAC,MAAM,CAAC,SAAS,CAAC,CAAC;IAEjD,KAAK,MAAM,QAAQ,IAAI,MAAM,CAAC,SAAS,EAAE;QACvC,IAAI;YACF,8BAA8B;YAC9B,2EAA2E;YAC3E,8EAA8E;YAC9E,wEAAwE;YACxE,MAAM,SAAS,GAAG,MAAM,IAAA,eAAQ,EAAC,MAAM,EAAE,QAAQ,EAAE,MAAM,EAAE,QAAQ,CAAC,CAAC;YACrE,MAAM,aAAa,GAAG,EAAE,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC,IAAI,CAAC;YAClD,MAAM,mBAAmB,GAAG,EAAE,CAAC,gBAAgB,CAAC,SAAS,CAAC,CAAC;YAC3D,IAAI;gBACF,MAAM,MAAM,CAAC,OAAO,CAClB,wGAAwG,EACxG;oBACE,KAAK,EAAE,aAAa,CAAC,KAAK;oBAC1B,IAAI,EAAE,aAAa,CAAC,IAAI;oBACxB,QAAQ;oBACR,IAAI,EAAE,GAAG,QAAQ,WAAW;oBAC5B,IAAI,EAAE,mBAAmB;oBACzB,OAAO,EAAE;wBACP,aAAa,EAAE,SAAS,UAAU,CAAC,IAAI,EAAE;wBACzC,cAAc,EAAE,iBAAiB;wBACjC,gBAAgB,EAAE,aAAa;qBAChC;iBACF,CACF,CAAC;gBACF,MAAM,CAAC,KAAK,CAAC,sCAAsC,QAAQ,EAAE,CAAC,CAAC;aAChE;oBAAS;gBACR,mBAAmB,CAAC,KAAK,EAAE,CAAC;aAC7B;SACF;QAAC,OAAO,CAAC,EAAE;YACV,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;YACf,4CAA4C;YAC5C,MAAM,CAAC,OAAO,CAAC,iCAAiC,QAAQ,KAAK,CAAC,EAAE,CAAC,CAAC;SACnE;KACF;AACH,CAAC;AA7DD,0CA6DC"}
@@ -36,7 +36,7 @@ const testing_utils_1 = require("./testing-utils");
 const util_1 = require("./util");
 (0, testing_utils_1.setupTests)(ava_1.default);
 ava_1.default.beforeEach(() => {
-    (0, util_1.initializeEnvironment)(util_1.Mode.actions, "1.2.3");
+    (0, util_1.initializeEnvironment)("1.2.3");
 });
 const testRepoName = { owner: "github", repo: "example" };
 const testApiDetails = {
@@ -1,3 +1,6 @@
 {
-    "bundleVersion": "codeql-bundle-20221105"
+    "bundleVersion": "codeql-bundle-20230105",
+    "cliVersion": "2.12.0",
+    "priorBundleVersion": "codeql-bundle-20221211",
+    "priorCliVersion": "2.11.6"
 }
@@ -12,6 +12,10 @@ exports.namedMatchersForTesting = {
        message: "No code found during the build. Please see:\n" +
            "https://docs.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/troubleshooting-code-scanning#no-code-found-during-the-build",
    },
+    fatalError: {
+        outputRegex: new RegExp("A fatal error occurred"),
+        message: "A fatal error occurred.",
+    },
 };
 // we collapse the matches into an array for use in execErrorCatcher
 exports.errorMatchers = Object.values(exports.namedMatchersForTesting);
@@ -1 +1 @@
-{"version":3,"file":"error-matcher.js","sourceRoot":"","sources":["../src/error-matcher.ts"],"names":[],"mappings":";;;AAQA,qCAAqC;AACxB,QAAA,uBAAuB,GAAoC;IACtE;;MAEE;IACF,iBAAiB,EAAE;QACjB,QAAQ,EAAE,EAAE;QACZ,WAAW,EAAE,IAAI,MAAM,CAAC,2CAA2C,CAAC;QACpE,OAAO,EACL,+CAA+C;YAC/C,yJAAyJ;KAC5J;CACF,CAAC;AAEF,oEAAoE;AACvD,QAAA,aAAa,GAAG,MAAM,CAAC,MAAM,CAAC,+BAAuB,CAAC,CAAC"}
+{"version":3,"file":"error-matcher.js","sourceRoot":"","sources":["../src/error-matcher.ts"],"names":[],"mappings":";;;AAQA,qCAAqC;AACxB,QAAA,uBAAuB,GAAoC;IACtE;;MAEE;IACF,iBAAiB,EAAE;QACjB,QAAQ,EAAE,EAAE;QACZ,WAAW,EAAE,IAAI,MAAM,CAAC,2CAA2C,CAAC;QACpE,OAAO,EACL,+CAA+C;YAC/C,yJAAyJ;KAC5J;IACD,UAAU,EAAE;QACV,WAAW,EAAE,IAAI,MAAM,CAAC,wBAAwB,CAAC;QACjD,OAAO,EAAE,yBAAyB;KACnC;CACF,CAAC;AAEF,oEAAoE;AACvD,QAAA,aAAa,GAAG,MAAM,CAAC,MAAM,CAAC,+BAAuB,CAAC,CAAC"}
@@ -16,6 +16,9 @@ NB We test the regexes for all the matchers against example log output snippets.
  2020-09-07T17:39:53.9251124Z [2020-09-07 17:39:53] [ERROR] Spawned process exited abnormally (code 255; tried to run: [/opt/hostedtoolcache/CodeQL/0.0.0-20200630/x64/codeql/javascript/tools/autobuild.sh])
  `));
 });
+(0, ava_1.default)("fatalError matches against example log output", async (t) => {
+    t.assert(testErrorMatcher("fatalError", "A fatal error occurred: Could not process query metadata for test-query.ql"));
+});
 function testErrorMatcher(matcherName, logSample) {
    if (!(matcherName in error_matcher_1.namedMatchersForTesting)) {
        throw new Error(`Unknown matcher ${matcherName}`);
@@ -1 +1 @@
-{"version":3,"file":"error-matcher.test.js","sourceRoot":"","sources":["../src/error-matcher.test.ts"],"names":[],"mappings":";;;;;AAAA,8CAAuB;AAEvB,mDAA0D;AAE1D;;EAEE;AAEF,IAAA,aAAI,EAAC,6DAA6D,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;IAC9E,CAAC,CAAC,MAAM,CACN,gBAAgB,CACd,mBAAmB,EACnB;;;;;GAKH,CACE,CACF,CAAC;AACJ,CAAC,CAAC,CAAC;AAEH,SAAS,gBAAgB,CAAC,WAAmB,EAAE,SAAiB;IAC9D,IAAI,CAAC,CAAC,WAAW,IAAI,uCAAuB,CAAC,EAAE;QAC7C,MAAM,IAAI,KAAK,CAAC,mBAAmB,WAAW,EAAE,CAAC,CAAC;KACnD;IACD,MAAM,KAAK,GAAG,uCAAuB,CAAC,WAAW,CAAC,CAAC,WAAW,CAAC;IAC/D,IAAI,KAAK,KAAK,SAAS,EAAE;QACvB,MAAM,IAAI,KAAK,CAAC,uBAAuB,WAAW,kBAAkB,CAAC,CAAC;KACvE;IACD,OAAO,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;AAC/B,CAAC"}
+{"version":3,"file":"error-matcher.test.js","sourceRoot":"","sources":["../src/error-matcher.test.ts"],"names":[],"mappings":";;;;;AAAA,8CAAuB;AAEvB,mDAA0D;AAE1D;;EAEE;AAEF,IAAA,aAAI,EAAC,6DAA6D,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;IAC9E,CAAC,CAAC,MAAM,CACN,gBAAgB,CACd,mBAAmB,EACnB;;;;;GAKH,CACE,CACF,CAAC;AACJ,CAAC,CAAC,CAAC;AAEH,IAAA,aAAI,EAAC,+CAA+C,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;IAChE,CAAC,CAAC,MAAM,CACN,gBAAgB,CACd,YAAY,EACZ,4EAA4E,CAC7E,CACF,CAAC;AACJ,CAAC,CAAC,CAAC;AAEH,SAAS,gBAAgB,CAAC,WAAmB,EAAE,SAAiB;IAC9D,IAAI,CAAC,CAAC,WAAW,IAAI,uCAAuB,CAAC,EAAE;QAC7C,MAAM,IAAI,KAAK,CAAC,mBAAmB,WAAW,EAAE,CAAC,CAAC;KACnD;IACD,MAAM,KAAK,GAAG,uCAAuB,CAAC,WAAW,CAAC,CAAC,WAAW,CAAC;IAC/D,IAAI,KAAK,KAAK,SAAS,EAAE;QACvB,MAAM,IAAI,KAAK,CAAC,uBAAuB,WAAW,kBAAkB,CAAC,CAAC;KACvE;IACD,OAAO,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;AAC/B,CAAC"}
@@ -19,34 +19,46 @@ var __importStar = (this && this.__importStar) || function (mod) {
    return result;
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.Features = exports.featureConfig = exports.Feature = void 0;
+exports.Features = exports.FEATURE_FLAGS_FILE_NAME = exports.featureConfig = exports.Feature = void 0;
+const fs = __importStar(require("fs"));
+const path = __importStar(require("path"));
+const semver = __importStar(require("semver"));
 const api_client_1 = require("./api-client");
+const defaults = __importStar(require("./defaults.json")); // Referenced from codeql-action-sync-tool!
 const util = __importStar(require("./util"));
+const DEFAULT_VERSION_FEATURE_FLAG_PREFIX = "default_codeql_version_";
+const DEFAULT_VERSION_FEATURE_FLAG_SUFFIX = "_enabled";
+const MINIMUM_ENABLED_CODEQL_VERSION = "2.11.6";
 var Feature;
 (function (Feature) {
    Feature["BypassToolcacheEnabled"] = "bypass_toolcache_enabled";
+    Feature["BypassToolcacheKotlinSwiftEnabled"] = "bypass_toolcache_kotlin_swift_enabled";
    Feature["CliConfigFileEnabled"] = "cli_config_file_enabled";
-    Feature["FileBaselineInformationEnabled"] = "file_baseline_information_enabled";
-    Feature["GolangExtractionReconciliationEnabled"] = "golang_extraction_reconciliation_enabled";
+    Feature["DisableKotlinAnalysisEnabled"] = "disable_kotlin_analysis_enabled";
    Feature["MlPoweredQueriesEnabled"] = "ml_powered_queries_enabled";
    Feature["TrapCachingEnabled"] = "trap_caching_enabled";
+    Feature["UploadFailedSarifEnabled"] = "upload_failed_sarif_enabled";
 })(Feature = exports.Feature || (exports.Feature = {}));
 exports.featureConfig = {
    [Feature.BypassToolcacheEnabled]: {
        envVar: "CODEQL_BYPASS_TOOLCACHE",
+        // Cannot specify a minimum version because this flag is checked before we have
+        // access to the CodeQL instance.
+        minimumVersion: undefined,
+    },
+    [Feature.BypassToolcacheKotlinSwiftEnabled]: {
+        envVar: "CODEQL_BYPASS_TOOLCACHE_KOTLIN_SWIFT",
+        // Cannot specify a minimum version because this flag is checked before we have
+        // access to the CodeQL instance.
+        minimumVersion: undefined,
+    },
+    [Feature.DisableKotlinAnalysisEnabled]: {
+        envVar: "CODEQL_DISABLE_KOTLIN_ANALYSIS",
        minimumVersion: undefined,
    },
    [Feature.CliConfigFileEnabled]: {
        envVar: "CODEQL_PASS_CONFIG_TO_CLI",
-        minimumVersion: "2.11.1",
-    },
-    [Feature.FileBaselineInformationEnabled]: {
-        envVar: "CODEQL_FILE_BASELINE_INFORMATION",
-        minimumVersion: "2.11.3",
-    },
-    [Feature.GolangExtractionReconciliationEnabled]: {
-        envVar: "CODEQL_GOLANG_EXTRACTION_RECONCILIATION",
-        minimumVersion: undefined,
+        minimumVersion: "2.11.6",
    },
    [Feature.MlPoweredQueriesEnabled]: {
        envVar: "CODEQL_ML_POWERED_QUERIES",
@@ -56,15 +68,23 @@ exports.featureConfig = {
        envVar: "CODEQL_TRAP_CACHING",
        minimumVersion: undefined,
    },
+    [Feature.UploadFailedSarifEnabled]: {
+        envVar: "CODEQL_ACTION_UPLOAD_FAILED_SARIF",
+        minimumVersion: "2.11.3",
+    },
 };
+exports.FEATURE_FLAGS_FILE_NAME = "cached-feature-flags.json";
 /**
 * Determines the enablement status of a number of features.
 * If feature enablement is not able to be determined locally, a request to the
 * GitHub API is made to determine the enablement status.
 */
 class Features {
-    constructor(gitHubVersion, apiDetails, repositoryNwo, logger) {
-        this.gitHubFeatureFlags = new GitHubFeatureFlags(gitHubVersion, apiDetails, repositoryNwo, logger);
+    constructor(gitHubVersion, repositoryNwo, tempDir, logger) {
+        this.gitHubFeatureFlags = new GitHubFeatureFlags(gitHubVersion, repositoryNwo, path.join(tempDir, exports.FEATURE_FLAGS_FILE_NAME), logger);
+    }
+    async getDefaultCliVersion(variant) {
+        return await this.gitHubFeatureFlags.getDefaultCliVersion(variant);
    }
    /**
     *
@@ -108,15 +128,57 @@ class Features {
 }
 exports.Features = Features;
 class GitHubFeatureFlags {
-    constructor(gitHubVersion, apiDetails, repositoryNwo, logger) {
+    constructor(gitHubVersion, repositoryNwo, featureFlagsFile, logger) {
        this.gitHubVersion = gitHubVersion;
-        this.apiDetails = apiDetails;
        this.repositoryNwo = repositoryNwo;
+        this.featureFlagsFile = featureFlagsFile;
        this.logger = logger;
        /**/
    }
+    getCliVersionFromFeatureFlag(f) {
+        if (!f.startsWith(DEFAULT_VERSION_FEATURE_FLAG_PREFIX) ||
+            !f.endsWith(DEFAULT_VERSION_FEATURE_FLAG_SUFFIX)) {
+            return undefined;
+        }
+        const version = f
+            .substring(DEFAULT_VERSION_FEATURE_FLAG_PREFIX.length, f.length - DEFAULT_VERSION_FEATURE_FLAG_SUFFIX.length)
+            .replace(/_/g, ".");
+        if (!semver.valid(version)) {
+            this.logger.warning(`Ignoring feature flag ${f} as it does not specify a valid CodeQL version.`);
+            return undefined;
+        }
+        return version;
+    }
+    async getDefaultCliVersion(variant) {
+        if (variant === util.GitHubVariant.DOTCOM) {
+            return {
+                cliVersion: await this.getDefaultDotcomCliVersion(),
+                variant,
+            };
+        }
+        return {
+            cliVersion: defaults.cliVersion,
+            tagName: defaults.bundleVersion,
+            variant,
+        };
+    }
+    async getDefaultDotcomCliVersion() {
+        const response = await this.getAllFeatures();
+        const enabledFeatureFlagCliVersions = Object.entries(response)
+            .map(([f, isEnabled]) => isEnabled ? this.getCliVersionFromFeatureFlag(f) : undefined)
+            .filter((f) => f !== undefined)
+            .map((f) => f);
+        if (enabledFeatureFlagCliVersions.length === 0) {
+            this.logger.debug("Feature flags do not specify a default CLI version. Falling back to CLI version " +
+                `${MINIMUM_ENABLED_CODEQL_VERSION}.`);
+            return MINIMUM_ENABLED_CODEQL_VERSION;
+        }
+        const maxCliVersion = enabledFeatureFlagCliVersions.reduce((maxVersion, currentVersion) => currentVersion > maxVersion ? currentVersion : maxVersion, enabledFeatureFlagCliVersions[0]);
+        this.logger.debug(`Derived default CLI version of ${maxCliVersion} from feature flags.`);
+        return maxCliVersion;
+    }
    async getValue(feature) {
-        const response = await this.getApiResponse();
+        const response = await this.getAllFeatures();
        if (response === undefined) {
            this.logger.debug(`No feature flags API response for ${feature}, considering it disabled.`);
            return false;
@@ -128,10 +190,48 @@ class GitHubFeatureFlags {
        }
        return !!featureEnablement;
    }
-    async getApiResponse() {
-        const apiResponse = this.cachedApiResponse || (await this.loadApiResponse());
-        this.cachedApiResponse = apiResponse;
-        return apiResponse;
+    async getAllFeatures() {
+        // if we have an in memory cache, use that
+        if (this.cachedApiResponse !== undefined) {
+            return this.cachedApiResponse;
+        }
+        // if a previous step has written a feature flags file to disk, use that
+        const fileFlags = await this.readLocalFlags();
+        if (fileFlags !== undefined) {
+            this.cachedApiResponse = fileFlags;
+            return fileFlags;
+        }
+        // if not, request flags from the server
+        let remoteFlags = await this.loadApiResponse();
+        if (remoteFlags === undefined) {
+            remoteFlags = {};
+        }
+        // cache the response in memory
+        this.cachedApiResponse = remoteFlags;
+        // and cache them to disk so future workflow steps can use them
+        await this.writeLocalFlags(remoteFlags);
+        return remoteFlags;
+    }
+    async readLocalFlags() {
+        try {
+            if (fs.existsSync(this.featureFlagsFile)) {
+                this.logger.debug(`Loading feature flags from ${this.featureFlagsFile}`);
+                return JSON.parse(fs.readFileSync(this.featureFlagsFile, "utf8"));
+            }
+        }
+        catch (e) {
+            this.logger.warning(`Error reading cached feature flags file ${this.featureFlagsFile}: ${e}. Requesting from GitHub instead.`);
+        }
+        return undefined;
+    }
+    async writeLocalFlags(flags) {
+        try {
+            this.logger.debug(`Writing feature flags to ${this.featureFlagsFile}`);
+            fs.writeFileSync(this.featureFlagsFile, JSON.stringify(flags));
+        }
+        catch (e) {
+            this.logger.warning(`Error writing cached feature flags file ${this.featureFlagsFile}: ${e}.`);
+        }
    }
    async loadApiResponse() {
        // Do nothing when not running against github.com
@@ -139,13 +239,15 @@ class GitHubFeatureFlags {
            this.logger.debug("Not running against github.com. Disabling all toggleable features.");
            return {};
        }
-        const client = (0, api_client_1.getApiClient)(this.apiDetails);
        try {
-            const response = await client.request("GET /repos/:owner/:repo/code-scanning/codeql-action/features", {
+            const response = await (0, api_client_1.getApiClient)().request("GET /repos/:owner/:repo/code-scanning/codeql-action/features", {
                owner: this.repositoryNwo.owner,
                repo: this.repositoryNwo.repo,
            });
-            return response.data;
+            const remoteFlags = response.data;
+            this.logger.debug("Loaded the following default values for the feature flags from the Code Scanning API: " +
+                `${JSON.stringify(remoteFlags)}`);
+            return remoteFlags;
        }
        catch (e) {
            if (util.isHTTPError(e) && e.status === 403) {
@@ -153,6 +255,7 @@ class GitHubFeatureFlags {
                    "As a result, it will not be opted into any experimental features. " +
                    "This could be because the Action is running on a pull request from a fork. If not, " +
                    `please ensure the Action has the 'security-events: write' permission. Details: ${e}`);
+                return {};
            }
            else {
                // Some features, such as `ml_powered_queries_enabled` affect the produced alerts.
@@ -1,9 +1,31 @@
 "use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    Object.defineProperty(o, k2, { enumerable: true, get: function() { return m[k]; } });
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || function (mod) {
+    if (mod && mod.__esModule) return mod;
+    var result = {};
+    if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
+    __setModuleDefault(result, mod);
+    return result;
+};
 var __importDefault = (this && this.__importDefault) || function (mod) {
    return (mod && mod.__esModule) ? mod : { "default": mod };
 };
 Object.defineProperty(exports, "__esModule", { value: true });
+const fs = __importStar(require("fs"));
+const path = __importStar(require("path"));
 const ava_1 = __importDefault(require("ava"));
+const defaults = __importStar(require("./defaults.json")); // Referenced from codeql-action-sync-tool!
 const feature_flags_1 = require("./feature-flags");
 const logging_1 = require("./logging");
 const repository_1 = require("./repository");
@@ -11,13 +33,8 @@ const testing_utils_1 = require("./testing-utils");
 const util_1 = require("./util");
 (0, testing_utils_1.setupTests)(ava_1.default);
 ava_1.default.beforeEach(() => {
-    (0, util_1.initializeEnvironment)(util_1.Mode.actions, "1.2.3");
+    (0, util_1.initializeEnvironment)("1.2.3");
 });
-const testApiDetails = {
-    auth: "1234",
-    url: "https://github.com",
-    apiURL: undefined,
-};
 const testRepositoryNwo = (0, repository_1.parseRepositoryNwo)("github/example");
 const ALL_FEATURES_DISABLED_VARIANTS = [
    {
@@ -30,7 +47,7 @@ for (const variant of ALL_FEATURES_DISABLED_VARIANTS) {
    (0, ava_1.default)(`All features are disabled if running against ${variant.description}`, async (t) => {
        await (0, util_1.withTmpDir)(async (tmpDir) => {
            const loggedMessages = [];
-            const featureEnablement = setUpTests(tmpDir, (0, testing_utils_1.getRecordingLogger)(loggedMessages), variant.gitHubVersion);
+            const featureEnablement = setUpFeatureFlagTests(tmpDir, (0, testing_utils_1.getRecordingLogger)(loggedMessages), variant.gitHubVersion);
            for (const feature of Object.values(feature_flags_1.Feature)) {
                t.false(await featureEnablement.getValue(feature, includeCodeQlIfRequired(feature)));
            }
@@ -43,7 +60,7 @@ for (const variant of ALL_FEATURES_DISABLED_VARIANTS) {
 (0, ava_1.default)("API response missing", async (t) => {
    await (0, util_1.withTmpDir)(async (tmpDir) => {
        const loggedMessages = [];
-        const featureEnablement = setUpTests(tmpDir, (0, testing_utils_1.getRecordingLogger)(loggedMessages));
+        const featureEnablement = setUpFeatureFlagTests(tmpDir, (0, testing_utils_1.getRecordingLogger)(loggedMessages));
        (0, testing_utils_1.mockFeatureFlagApiEndpoint)(403, {});
        for (const feature of Object.values(feature_flags_1.Feature)) {
            t.assert((await featureEnablement.getValue(feature, includeCodeQlIfRequired(feature))) === false);
@@ -54,7 +71,7 @@ for (const variant of ALL_FEATURES_DISABLED_VARIANTS) {
 (0, ava_1.default)("Features are disabled if they're not returned in API response", async (t) => {
    await (0, util_1.withTmpDir)(async (tmpDir) => {
        const loggedMessages = [];
-        const featureEnablement = setUpTests(tmpDir, (0, testing_utils_1.getRecordingLogger)(loggedMessages));
+        const featureEnablement = setUpFeatureFlagTests(tmpDir, (0, testing_utils_1.getRecordingLogger)(loggedMessages));
        (0, testing_utils_1.mockFeatureFlagApiEndpoint)(200, {});
        for (const feature of Object.values(feature_flags_1.Feature)) {
            t.assert((await featureEnablement.getValue(feature, includeCodeQlIfRequired(feature))) === false);
@@ -64,7 +81,7 @@ for (const variant of ALL_FEATURES_DISABLED_VARIANTS) {
 });
 (0, ava_1.default)("Feature flags exception is propagated if the API request errors", async (t) => {
    await (0, util_1.withTmpDir)(async (tmpDir) => {
-        const featureEnablement = setUpTests(tmpDir);
+        const featureEnablement = setUpFeatureFlagTests(tmpDir);
        (0, testing_utils_1.mockFeatureFlagApiEndpoint)(500, {});
        await t.throwsAsync(async () => featureEnablement.getValue(feature_flags_1.Feature.MlPoweredQueriesEnabled, includeCodeQlIfRequired(feature_flags_1.Feature.MlPoweredQueriesEnabled)), {
            message: "Encountered an error while trying to determine feature enablement: Error: some error message",
@@ -74,7 +91,7 @@ for (const variant of ALL_FEATURES_DISABLED_VARIANTS) {
 for (const feature of Object.keys(feature_flags_1.featureConfig)) {
    (0, ava_1.default)(`Only feature '${feature}' is enabled if enabled in the API response. Other features disabled`, async (t) => {
        await (0, util_1.withTmpDir)(async (tmpDir) => {
-            const featureEnablement = setUpTests(tmpDir);
+            const featureEnablement = setUpFeatureFlagTests(tmpDir);
            // set all features to false except the one we're testing
            const expectedFeatureEnablement = {};
            for (const f of Object.keys(feature_flags_1.featureConfig)) {
@@ -92,7 +109,7 @@ for (const feature of Object.keys(feature_flags_1.featureConfig)) {
    });
    (0, ava_1.default)(`Only feature '${feature}' is enabled if the associated environment variable is true. Others disabled.`, async (t) => {
        await (0, util_1.withTmpDir)(async (tmpDir) => {
-            const featureEnablement = setUpTests(tmpDir);
+            const featureEnablement = setUpFeatureFlagTests(tmpDir);
            const expectedFeatureEnablement = initializeFeatures(false);
            (0, testing_utils_1.mockFeatureFlagApiEndpoint)(200, expectedFeatureEnablement);
            // feature should be disabled initially
@@ -104,7 +121,7 @@ for (const feature of Object.keys(feature_flags_1.featureConfig)) {
    });
    (0, ava_1.default)(`Feature '${feature}' is disabled if the associated environment variable is false, even if enabled in API`, async (t) => {
        await (0, util_1.withTmpDir)(async (tmpDir) => {
-            const featureEnablement = setUpTests(tmpDir);
+            const featureEnablement = setUpFeatureFlagTests(tmpDir);
            const expectedFeatureEnablement = initializeFeatures(true);
            (0, testing_utils_1.mockFeatureFlagApiEndpoint)(200, expectedFeatureEnablement);
            // feature should be enabled initially
@@ -117,7 +134,7 @@ for (const feature of Object.keys(feature_flags_1.featureConfig)) {
    if (feature_flags_1.featureConfig[feature].minimumVersion !== undefined) {
        (0, ava_1.default)(`Getting feature '${feature} should throw if no codeql is provided`, async (t) => {
            await (0, util_1.withTmpDir)(async (tmpDir) => {
-                const featureEnablement = setUpTests(tmpDir);
+                const featureEnablement = setUpFeatureFlagTests(tmpDir);
                const expectedFeatureEnablement = initializeFeatures(true);
                (0, testing_utils_1.mockFeatureFlagApiEndpoint)(200, expectedFeatureEnablement);
                await t.throwsAsync(async () => featureEnablement.getValue(feature), {
@@ -129,7 +146,7 @@ for (const feature of Object.keys(feature_flags_1.featureConfig)) {
    if (feature_flags_1.featureConfig[feature].minimumVersion !== undefined) {
        (0, ava_1.default)(`Feature '${feature}' is disabled if the minimum CLI version is below ${feature_flags_1.featureConfig[feature].minimumVersion}`, async (t) => {
            await (0, util_1.withTmpDir)(async (tmpDir) => {
-                const featureEnablement = setUpTests(tmpDir);
+                const featureEnablement = setUpFeatureFlagTests(tmpDir);
                const expectedFeatureEnablement = initializeFeatures(true);
                (0, testing_utils_1.mockFeatureFlagApiEndpoint)(200, expectedFeatureEnablement);
                // feature should be disabled when an old CLI version is set
@@ -161,6 +178,96 @@ for (const feature of Object.keys(feature_flags_1.featureConfig)) {
    // An even less likely scenario is that we no longer have any features.
    t.assert(Object.values(feature_flags_1.featureConfig).length > 0, "There should be at least one feature");
 });
+(0, ava_1.default)("Feature flags are saved to disk", async (t) => {
+    await (0, util_1.withTmpDir)(async (tmpDir) => {
+        const featureEnablement = setUpFeatureFlagTests(tmpDir);
+        const expectedFeatureEnablement = initializeFeatures(true);
+        (0, testing_utils_1.mockFeatureFlagApiEndpoint)(200, expectedFeatureEnablement);
+        const cachedFeatureFlags = path.join(tmpDir, feature_flags_1.FEATURE_FLAGS_FILE_NAME);
+        t.false(fs.existsSync(cachedFeatureFlags), "Feature flag cached file should not exist before getting feature flags");
+        t.true(await featureEnablement.getValue(feature_flags_1.Feature.CliConfigFileEnabled, includeCodeQlIfRequired(feature_flags_1.Feature.CliConfigFileEnabled)), "Feature flag should be enabled initially");
+        t.true(fs.existsSync(cachedFeatureFlags), "Feature flag cached file should exist after getting feature flags");
+        const actualFeatureEnablement = JSON.parse(fs.readFileSync(cachedFeatureFlags, "utf8"));
+        t.deepEqual(actualFeatureEnablement, expectedFeatureEnablement);
+        // now test that we actually use the feature flag cache instead of the server
+        actualFeatureEnablement[feature_flags_1.Feature.CliConfigFileEnabled] = false;
+        fs.writeFileSync(cachedFeatureFlags, JSON.stringify(actualFeatureEnablement));
+        // delete the in memory cache so that we are forced to use the cached file
+        featureEnablement.gitHubFeatureFlags.cachedApiResponse = undefined;
+        t.false(await featureEnablement.getValue(feature_flags_1.Feature.CliConfigFileEnabled, includeCodeQlIfRequired(feature_flags_1.Feature.CliConfigFileEnabled)), "Feature flag should be enabled after reading from cached file");
+    });
+});
+(0, ava_1.default)("Environment variable can override feature flag cache", async (t) => {
+    await (0, util_1.withTmpDir)(async (tmpDir) => {
+        const featureEnablement = setUpFeatureFlagTests(tmpDir);
+        const expectedFeatureEnablement = initializeFeatures(true);
+        (0, testing_utils_1.mockFeatureFlagApiEndpoint)(200, expectedFeatureEnablement);
+        const cachedFeatureFlags = path.join(tmpDir, feature_flags_1.FEATURE_FLAGS_FILE_NAME);
+        t.true(await featureEnablement.getValue(feature_flags_1.Feature.CliConfigFileEnabled, includeCodeQlIfRequired(feature_flags_1.Feature.CliConfigFileEnabled)), "Feature flag should be enabled initially");
+        t.true(fs.existsSync(cachedFeatureFlags), "Feature flag cached file should exist after getting feature flags");
+        process.env.CODEQL_PASS_CONFIG_TO_CLI = "false";
+        t.false(await featureEnablement.getValue(feature_flags_1.Feature.CliConfigFileEnabled, includeCodeQlIfRequired(feature_flags_1.Feature.CliConfigFileEnabled)), "Feature flag should be disabled after setting env var");
+    });
+});
+for (const variant of [util_1.GitHubVariant.GHAE, util_1.GitHubVariant.GHES]) {
+    (0, ava_1.default)(`selects CLI from defaults.json on ${util_1.GitHubVariant[variant]}`, async (t) => {
+        await (0, util_1.withTmpDir)(async (tmpDir) => {
+            const features = setUpFeatureFlagTests(tmpDir);
+            t.deepEqual(await features.getDefaultCliVersion(variant), {
+                cliVersion: defaults.cliVersion,
+                tagName: defaults.bundleVersion,
+                variant,
+            });
+        });
+    });
+}
+(0, ava_1.default)("selects CLI v2.12.1 on Dotcom when feature flags enable v2.12.0 and v2.12.1", async (t) => {
+    await (0, util_1.withTmpDir)(async (tmpDir) => {
+        const featureEnablement = setUpFeatureFlagTests(tmpDir);
+        const expectedFeatureEnablement = initializeFeatures(true);
+        expectedFeatureEnablement["default_codeql_version_2_12_0_enabled"] = true;
+        expectedFeatureEnablement["default_codeql_version_2_12_1_enabled"] = true;
+        expectedFeatureEnablement["default_codeql_version_2_12_2_enabled"] = false;
+        expectedFeatureEnablement["default_codeql_version_2_12_3_enabled"] = false;
+        expectedFeatureEnablement["default_codeql_version_2_12_4_enabled"] = false;
+        expectedFeatureEnablement["default_codeql_version_2_12_5_enabled"] = false;
+        (0, testing_utils_1.mockFeatureFlagApiEndpoint)(200, expectedFeatureEnablement);
+        t.deepEqual(await featureEnablement.getDefaultCliVersion(util_1.GitHubVariant.DOTCOM), {
+            cliVersion: "2.12.1",
+            variant: util_1.GitHubVariant.DOTCOM,
+        });
+    });
+});
+(0, ava_1.default)(`selects CLI v2.11.6 on Dotcom when no default version feature flags are enabled`, async (t) => {
+    await (0, util_1.withTmpDir)(async (tmpDir) => {
+        const featureEnablement = setUpFeatureFlagTests(tmpDir);
+        const expectedFeatureEnablement = initializeFeatures(true);
+        (0, testing_utils_1.mockFeatureFlagApiEndpoint)(200, expectedFeatureEnablement);
+        t.deepEqual(await featureEnablement.getDefaultCliVersion(util_1.GitHubVariant.DOTCOM), {
+            cliVersion: "2.11.6",
+            variant: util_1.GitHubVariant.DOTCOM,
+        });
+    });
+});
+(0, ava_1.default)("ignores invalid version numbers in default version feature flags", async (t) => {
+    await (0, util_1.withTmpDir)(async (tmpDir) => {
+        const loggedMessages = [];
+        const featureEnablement = setUpFeatureFlagTests(tmpDir, (0, testing_utils_1.getRecordingLogger)(loggedMessages));
+        const expectedFeatureEnablement = initializeFeatures(true);
+        expectedFeatureEnablement["default_codeql_version_2_12_0_enabled"] = true;
+        expectedFeatureEnablement["default_codeql_version_2_12_1_enabled"] = true;
+        expectedFeatureEnablement["default_codeql_version_2_12_invalid_enabled"] =
+            true;
+        (0, testing_utils_1.mockFeatureFlagApiEndpoint)(200, expectedFeatureEnablement);
+        t.deepEqual(await featureEnablement.getDefaultCliVersion(util_1.GitHubVariant.DOTCOM), {
+            cliVersion: "2.12.1",
+            variant: util_1.GitHubVariant.DOTCOM,
+        });
+        t.assert(loggedMessages.find((v) => v.type === "warning" &&
+            v.message ===
+                "Ignoring feature flag default_codeql_version_2_12_invalid_enabled as it does not specify a valid CodeQL version.") !== undefined);
+    });
+});
 function assertAllFeaturesUndefinedInApi(t, loggedMessages) {
    for (const feature of Object.keys(feature_flags_1.featureConfig)) {
        t.assert(loggedMessages.find((v) => v.type === "debug" &&
@@ -174,9 +281,9 @@ function initializeFeatures(initialValue) {
        return features;
    }, {});
 }
-function setUpTests(tmpDir, logger = (0, logging_1.getRunnerLogger)(true), gitHubVersion = { type: util_1.GitHubVariant.DOTCOM }) {
+function setUpFeatureFlagTests(tmpDir, logger = (0, logging_1.getRunnerLogger)(true), gitHubVersion = { type: util_1.GitHubVariant.DOTCOM }) {
    (0, testing_utils_1.setupActionsVars)(tmpDir, tmpDir);
-    return new feature_flags_1.Features(gitHubVersion, testApiDetails, testRepositoryNwo, logger);
+    return new feature_flags_1.Features(gitHubVersion, testRepositoryNwo, tmpDir, logger);
 }
 function includeCodeQlIfRequired(feature) {
    return feature_flags_1.featureConfig[feature].minimumVersion !== undefined
@@ -19,24 +19,94 @@ var __importStar = (this && this.__importStar) || function (mod) {
    return result;
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.run = void 0;
+exports.run = exports.tryUploadSarifIfRunFailed = void 0;
 const core = __importStar(require("@actions/core"));
 const actionsUtil = __importStar(require("./actions-util"));
+const codeql_1 = require("./codeql");
 const config_utils_1 = require("./config-utils");
-const logging_1 = require("./logging");
-async function run(uploadDatabaseBundleDebugArtifact, uploadLogsDebugArtifact, printDebugLogs) {
-    const logger = (0, logging_1.getActionsLogger)();
+const feature_flags_1 = require("./feature-flags");
+const shared_environment_1 = require("./shared-environment");
+const uploadLib = __importStar(require("./upload-lib"));
+const util_1 = require("./util");
+const workflow_1 = require("./workflow");
+function createFailedUploadFailedSarifResult(error) {
+    return {
+        upload_failed_run_error: error instanceof Error ? error.message : String(error),
+        upload_failed_run_stack_trace: error instanceof Error ? error.stack : undefined,
+    };
+}
+/**
+ * Upload a failed SARIF file if we can verify that SARIF upload is enabled and determine the SARIF
+ * category for the workflow.
+ */
+async function maybeUploadFailedSarif(config, repositoryNwo, featureEnablement, logger) {
+    var _a;
+    if (!config.codeQLCmd) {
+        return { upload_failed_run_skipped_because: "CodeQL command not found" };
+    }
+    const codeql = await (0, codeql_1.getCodeQL)(config.codeQLCmd);
+    if (!(await featureEnablement.getValue(feature_flags_1.Feature.UploadFailedSarifEnabled, codeql))) {
+        return { upload_failed_run_skipped_because: "Feature disabled" };
+    }
+    const workflow = await (0, workflow_1.getWorkflow)();
+    const jobName = (0, util_1.getRequiredEnvParam)("GITHUB_JOB");
+    const matrix = (0, util_1.parseMatrixInput)(actionsUtil.getRequiredInput("matrix"));
+    if ((0, workflow_1.getUploadInputOrThrow)(workflow, jobName, matrix) !== "true" ||
+        (0, util_1.isInTestMode)()) {
+        return { upload_failed_run_skipped_because: "SARIF upload is disabled" };
+    }
+    const category = (0, workflow_1.getCategoryInputOrThrow)(workflow, jobName, matrix);
+    const checkoutPath = (0, workflow_1.getCheckoutPathInputOrThrow)(workflow, jobName, matrix);
+    const sarifFile = "../codeql-failed-run.sarif";
+    await codeql.diagnosticsExport(sarifFile, category);
+    core.info(`Uploading failed SARIF file ${sarifFile}`);
+    const uploadResult = await uploadLib.uploadFromActions(sarifFile, checkoutPath, category, logger);
+    await uploadLib.waitForProcessing(repositoryNwo, uploadResult.sarifID, logger, { isUnsuccessfulExecution: true });
+    return (_a = uploadResult === null || uploadResult === void 0 ? void 0 : uploadResult.statusReport) !== null && _a !== void 0 ? _a : {};
+}
+async function tryUploadSarifIfRunFailed(config, repositoryNwo, featureEnablement, logger) {
+    if (process.env[shared_environment_1.CODEQL_ACTION_ANALYZE_DID_COMPLETE_SUCCESSFULLY] !== "true") {
+        try {
+            return await maybeUploadFailedSarif(config, repositoryNwo, featureEnablement, logger);
+        }
+        catch (e) {
+            logger.debug(`Failed to upload a SARIF file for this failed CodeQL code scanning run. ${e}`);
+            return createFailedUploadFailedSarifResult(e);
+        }
+    }
+    else {
+        return {
+            upload_failed_run_skipped_because: "Analyze Action completed successfully",
+        };
+    }
+}
+exports.tryUploadSarifIfRunFailed = tryUploadSarifIfRunFailed;
+async function run(uploadDatabaseBundleDebugArtifact, uploadLogsDebugArtifact, printDebugLogs, repositoryNwo, featureEnablement, logger) {
    const config = await (0, config_utils_1.getConfig)(actionsUtil.getTemporaryDirectory(), logger);
    if (config === undefined) {
        logger.warning("Debugging artifacts are unavailable since the 'init' Action failed before it could produce any.");
+        return;
+    }
+    const uploadFailedSarifResult = await tryUploadSarifIfRunFailed(config, repositoryNwo, featureEnablement, logger);
+    if (uploadFailedSarifResult.upload_failed_run_skipped_because) {
+        logger.debug("Won't upload a failed SARIF file for this CodeQL code scanning run because: " +
+            `${uploadFailedSarifResult.upload_failed_run_skipped_because}.`);
+    }
+    // Throw an error if in integration tests, we expected to upload a SARIF file for a failed run
+    // but we didn't upload anything.
+    if (process.env["CODEQL_ACTION_EXPECT_UPLOAD_FAILED_SARIF"] === "true" &&
+        !uploadFailedSarifResult.raw_upload_size_bytes) {
+        throw new Error("Expected to upload a failed SARIF file for this CodeQL code scanning run, " +
+            `but the result was instead ${uploadFailedSarifResult}.`);
    }
    // Upload appropriate Actions artifacts for debugging
-    if (config === null || config === void 0 ? void 0 : config.debugMode) {
+    if (config.debugMode) {
        core.info("Debug mode is on. Uploading available database bundles and logs as Actions debugging artifacts...");
        await uploadDatabaseBundleDebugArtifact(config, logger);
        await uploadLogsDebugArtifact(config);
        await printDebugLogs(config);
    }
+    return uploadFailedSarifResult;
 }
 exports.run = run;
 //# sourceMappingURL=init-action-post-helper.js.map
@@ -1 +1 @@
-{"version":3,"file":"init-action-post-helper.js","sourceRoot":"","sources":["../src/init-action-post-helper.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;AAAA,oDAAsC;AAEtC,4DAA8C;AAC9C,iDAA2C;AAC3C,uCAA6C;AAEtC,KAAK,UAAU,GAAG,CACvB,iCAA2C,EAC3C,uBAAiC,EACjC,cAAwB;IAExB,MAAM,MAAM,GAAG,IAAA,0BAAgB,GAAE,CAAC;IAElC,MAAM,MAAM,GAAG,MAAM,IAAA,wBAAS,EAAC,WAAW,CAAC,qBAAqB,EAAE,EAAE,MAAM,CAAC,CAAC;IAC5E,IAAI,MAAM,KAAK,SAAS,EAAE;QACxB,MAAM,CAAC,OAAO,CACZ,iGAAiG,CAClG,CAAC;KACH;IAED,qDAAqD;IACrD,IAAI,MAAM,aAAN,MAAM,uBAAN,MAAM,CAAE,SAAS,EAAE;QACrB,IAAI,CAAC,IAAI,CACP,mGAAmG,CACpG,CAAC;QACF,MAAM,iCAAiC,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;QACxD,MAAM,uBAAuB,CAAC,MAAM,CAAC,CAAC;QAEtC,MAAM,cAAc,CAAC,MAAM,CAAC,CAAC;KAC9B;AACH,CAAC;AAxBD,kBAwBC"}
+{"version":3,"file":"init-action-post-helper.js","sourceRoot":"","sources":["../src/init-action-post-helper.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;AAAA,oDAAsC;AAEtC,4DAA8C;AAC9C,qCAAqC;AACrC,iDAAmD;AACnD,mDAA6D;AAG7D,6DAAuF;AACvF,wDAA0C;AAC1C,iCAA6E;AAC7E,yCAKoB;AAWpB,SAAS,mCAAmC,CAC1C,KAAc;IAEd,OAAO;QACL,uBAAuB,EACrB,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC;QACxD,6BAA6B,EAC3B,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC,SAAS;KACnD,CAAC;AACJ,CAAC;AAED;;;GAGG;AACH,KAAK,UAAU,sBAAsB,CACnC,MAAc,EACd,aAA4B,EAC5B,iBAAoC,EACpC,MAAc;;IAEd,IAAI,CAAC,MAAM,CAAC,SAAS,EAAE;QACrB,OAAO,EAAE,iCAAiC,EAAE,0BAA0B,EAAE,CAAC;KAC1E;IACD,MAAM,MAAM,GAAG,MAAM,IAAA,kBAAS,EAAC,MAAM,CAAC,SAAS,CAAC,CAAC;IACjD,IACE,CAAC,CAAC,MAAM,iBAAiB,CAAC,QAAQ,CAChC,uBAAO,CAAC,wBAAwB,EAChC,MAAM,CACP,CAAC,EACF;QACA,OAAO,EAAE,iCAAiC,EAAE,kBAAkB,EAAE,CAAC;KAClE;IACD,MAAM,QAAQ,GAAG,MAAM,IAAA,sBAAW,GAAE,CAAC;IACrC,MAAM,OAAO,GAAG,IAAA,0BAAmB,EAAC,YAAY,CAAC,CAAC;IAClD,MAAM,MAAM,GAAG,IAAA,uBAAgB,EAAC,WAAW,CAAC,gBAAgB,CAAC,QAAQ,CAAC,CAAC,CAAC;IACxE,IACE,IAAA,gCAAqB,EAAC,QAAQ,EAAE,OAAO,EAAE,MAAM,CAAC,KAAK,MAAM;QAC3D,IAAA,mBAAY,GAAE,EACd;QACA,OAAO,EAAE,iCAAiC,EAAE,0BAA0B,EAAE,CAAC;KAC1E;IACD,MAAM,QAAQ,GAAG,IAAA,kCAAuB,EAAC,QAAQ,EAAE,OAAO,EAAE,MAAM,CAAC,CAAC;IACpE,MAAM,YAAY,GAAG,IAAA,sCAA2B,EAAC,QAAQ,EAAE,OAAO,EAAE,MAAM,CAAC,CAAC;IAE5E,MAAM,SAAS,GAAG,4BAA4B,CAAC;IAC/C,MAAM,MAAM,CAAC,iBAAiB,CAAC,SAAS,EAAE,QAAQ,CAAC,CAAC;IAEpD,IAAI,CAAC,IAAI,CAAC,+BAA+B,SAAS,EAAE,CAAC,CAAC;IACtD,MAAM,YAAY,GAAG,MAAM,SAAS,CAAC,iBAAiB,CACpD,SAAS,EACT,YAAY,EACZ,QAAQ,EACR,MAAM,CACP,CAAC;IACF,MAAM,SAAS,CAAC,iBAAiB,CAC/B,aAAa,EACb,YAAY,CAAC,OAAO,EACpB,MAAM,EACN,EAAE,uBAAuB,EAAE,IAAI,EAAE,CAClC,CAAC;IACF,OAAO,MAAA,YAAY,aAAZ,YAAY,uBAAZ,YAAY,CAAE,YAAY,mCAAI,EAAE,CAAC;AAC1C,CAAC;AAEM,KAAK,UAAU,yBAAyB,CAC7C,MAAc,EACd,aAA4B,EAC5B,iBAAoC,EACpC,MAAc;IAEd,IAAI,OAAO,CAAC,GAAG,CAAC,oEAA+C,CAAC,KAAK,MAAM,EAAE;QAC3E,IAAI;YACF,OAAO,MAAM,sBAAsB,CACjC,MAAM,EACN,aAAa,EACb,iBAAiB,EACjB,MAAM,CACP,CAAC;SACH;QAAC,OAAO,CAAC,EAAE;YACV,MAAM,CAAC,KAAK,CACV,2EAA2E,CAAC,EAAE,CAC/E,CAAC;YACF,OAAO,mCAAmC,CAAC,CAAC,CAAC,CAAC;SAC/C;KACF;SAAM;QACL,OAAO;YACL,iCAAiC,EAC/B,uCAAuC;SAC1C,CAAC;KACH;AACH,CAAC;AA1BD,8DA0BC;AAEM,KAAK,UAAU,GAAG,CACvB,iCAA2C,EAC3C,uBAAiC,EACjC,cAAwB,EACxB,aAA4B,EAC5B,iBAAoC,EACpC,MAAc;IAEd,MAAM,MAAM,GAAG,MAAM,IAAA,wBAAS,EAAC,WAAW,CAAC,qBAAqB,EAAE,EAAE,MAAM,CAAC,CAAC;IAC5E,IAAI,MAAM,KAAK,SAAS,EAAE;QACxB,MAAM,CAAC,OAAO,CACZ,iGAAiG,CAClG,CAAC;QACF,OAAO;KACR;IAED,MAAM,uBAAuB,GAAG,MAAM,yBAAyB,CAC7D,MAAM,EACN,aAAa,EACb,iBAAiB,EACjB,MAAM,CACP,CAAC;IACF,IAAI,uBAAuB,CAAC,iCAAiC,EAAE;QAC7D,MAAM,CAAC,KAAK,CACV,8EAA8E;YAC5E,GAAG,uBAAuB,CAAC,iCAAiC,GAAG,CAClE,CAAC;KACH;IACD,8FAA8F;IAC9F,iCAAiC;IACjC,IACE,OAAO,CAAC,GAAG,CAAC,0CAA0C,CAAC,KAAK,MAAM;QAClE,CAAC,uBAAuB,CAAC,qBAAqB,EAC9C;QACA,MAAM,IAAI,KAAK,CACb,4EAA4E;YAC1E,8BAA8B,uBAAuB,GAAG,CAC3D,CAAC;KACH;IAED,qDAAqD;IACrD,IAAI,MAAM,CAAC,SAAS,EAAE;QACpB,IAAI,CAAC,IAAI,CACP,mGAAmG,CACpG,CAAC;QACF,MAAM,iCAAiC,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;QACxD,MAAM,uBAAuB,CAAC,MAAM,CAAC,CAAC;QAEtC,MAAM,cAAc,CAAC,MAAM,CAAC,CAAC;KAC9B;IAED,OAAO,uBAAuB,CAAC;AACjC,CAAC;AApDD,kBAoDC"}
@@ -24,13 +24,21 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
 Object.defineProperty(exports, "__esModule", { value: true });
 const ava_1 = __importDefault(require("ava"));
 const sinon = __importStar(require("sinon"));
+const actionsUtil = __importStar(require("./actions-util"));
+const codeql = __importStar(require("./codeql"));
 const configUtils = __importStar(require("./config-utils"));
+const feature_flags_1 = require("./feature-flags");
 const initActionPostHelper = __importStar(require("./init-action-post-helper"));
+const logging_1 = require("./logging");
+const repository_1 = require("./repository");
 const testing_utils_1 = require("./testing-utils");
+const uploadLib = __importStar(require("./upload-lib"));
 const util = __importStar(require("./util"));
+const workflow = __importStar(require("./workflow"));
 (0, testing_utils_1.setupTests)(ava_1.default);
 (0, ava_1.default)("post: init action with debug mode off", async (t) => {
    return await util.withTmpDir(async (tmpDir) => {
+        process.env["GITHUB_REPOSITORY"] = "github/codeql-action-fake-repository";
        process.env["RUNNER_TEMP"] = tmpDir;
        const gitHubVersion = {
            type: util.GitHubVariant.DOTCOM,
@@ -44,7 +52,7 @@ const util = __importStar(require("./util"));
        const uploadDatabaseBundleSpy = sinon.spy();
        const uploadLogsSpy = sinon.spy();
        const printDebugLogsSpy = sinon.spy();
-        await initActionPostHelper.run(uploadDatabaseBundleSpy, uploadLogsSpy, printDebugLogsSpy);
+        await initActionPostHelper.run(uploadDatabaseBundleSpy, uploadLogsSpy, printDebugLogsSpy, (0, repository_1.parseRepositoryNwo)("github/codeql-action"), (0, testing_utils_1.createFeatures)([]), (0, logging_1.getRunnerLogger)(true));
        t.assert(uploadDatabaseBundleSpy.notCalled);
        t.assert(uploadLogsSpy.notCalled);
        t.assert(printDebugLogsSpy.notCalled);
@@ -52,6 +60,7 @@ const util = __importStar(require("./util"));
 });
 (0, ava_1.default)("post: init action with debug mode on", async (t) => {
    return await util.withTmpDir(async (tmpDir) => {
+        process.env["GITHUB_REPOSITORY"] = "github/codeql-action-fake-repository";
        process.env["RUNNER_TEMP"] = tmpDir;
        const gitHubVersion = {
            type: util.GitHubVariant.DOTCOM,
@@ -65,10 +74,193 @@ const util = __importStar(require("./util"));
        const uploadDatabaseBundleSpy = sinon.spy();
        const uploadLogsSpy = sinon.spy();
        const printDebugLogsSpy = sinon.spy();
-        await initActionPostHelper.run(uploadDatabaseBundleSpy, uploadLogsSpy, printDebugLogsSpy);
+        await initActionPostHelper.run(uploadDatabaseBundleSpy, uploadLogsSpy, printDebugLogsSpy, (0, repository_1.parseRepositoryNwo)("github/codeql-action"), (0, testing_utils_1.createFeatures)([]), (0, logging_1.getRunnerLogger)(true));
        t.assert(uploadDatabaseBundleSpy.called);
        t.assert(uploadLogsSpy.called);
        t.assert(printDebugLogsSpy.called);
    });
 });
+(0, ava_1.default)("uploads failed SARIF run for typical workflow", async (t) => {
+    const actionsWorkflow = createTestWorkflow([
+        {
+            name: "Checkout repository",
+            uses: "actions/checkout@v3",
+        },
+        {
+            name: "Initialize CodeQL",
+            uses: "github/codeql-action/init@v2",
+            with: {
+                languages: "javascript",
+            },
+        },
+        {
+            name: "Perform CodeQL Analysis",
+            uses: "github/codeql-action/analyze@v2",
+            with: {
+                category: "my-category",
+            },
+        },
+    ]);
+    await testFailedSarifUpload(t, actionsWorkflow, { category: "my-category" });
+});
+(0, ava_1.default)("doesn't upload failed SARIF for workflow with upload: false", async (t) => {
+    const actionsWorkflow = createTestWorkflow([
+        {
+            name: "Checkout repository",
+            uses: "actions/checkout@v3",
+        },
+        {
+            name: "Initialize CodeQL",
+            uses: "github/codeql-action/init@v2",
+            with: {
+                languages: "javascript",
+            },
+        },
+        {
+            name: "Perform CodeQL Analysis",
+            uses: "github/codeql-action/analyze@v2",
+            with: {
+                category: "my-category",
+                upload: false,
+            },
+        },
+    ]);
+    const result = await testFailedSarifUpload(t, actionsWorkflow, {
+        expectUpload: false,
+    });
+    t.is(result.upload_failed_run_skipped_because, "SARIF upload is disabled");
+});
+(0, ava_1.default)("uploading failed SARIF run succeeds when workflow uses an input with a matrix var", async (t) => {
+    const actionsWorkflow = createTestWorkflow([
+        {
+            name: "Checkout repository",
+            uses: "actions/checkout@v3",
+        },
+        {
+            name: "Initialize CodeQL",
+            uses: "github/codeql-action/init@v2",
+            with: {
+                languages: "javascript",
+            },
+        },
+        {
+            name: "Perform CodeQL Analysis",
+            uses: "github/codeql-action/analyze@v2",
+            with: {
+                category: "/language:${{ matrix.language }}",
+            },
+        },
+    ]);
+    await testFailedSarifUpload(t, actionsWorkflow, {
+        category: "/language:csharp",
+        matrix: { language: "csharp" },
+    });
+});
+(0, ava_1.default)("uploading failed SARIF run fails when workflow uses a complex upload input", async (t) => {
+    const actionsWorkflow = createTestWorkflow([
+        {
+            name: "Checkout repository",
+            uses: "actions/checkout@v3",
+        },
+        {
+            name: "Initialize CodeQL",
+            uses: "github/codeql-action/init@v2",
+            with: {
+                languages: "javascript",
+            },
+        },
+        {
+            name: "Perform CodeQL Analysis",
+            uses: "github/codeql-action/analyze@v2",
+            with: {
+                upload: "${{ matrix.language != 'csharp' }}",
+            },
+        },
+    ]);
+    const result = await testFailedSarifUpload(t, actionsWorkflow, {
+        expectUpload: false,
+    });
+    t.is(result.upload_failed_run_error, "Could not get upload input to github/codeql-action/analyze since it contained an " +
+        "unrecognized dynamic value.");
+});
+(0, ava_1.default)("uploading failed SARIF run fails when workflow does not reference github/codeql-action", async (t) => {
+    const actionsWorkflow = createTestWorkflow([
+        {
+            name: "Checkout repository",
+            uses: "actions/checkout@v3",
+        },
+    ]);
+    const result = await testFailedSarifUpload(t, actionsWorkflow, {
+        expectUpload: false,
+    });
+    t.is(result.upload_failed_run_error, "Could not get upload input to github/codeql-action/analyze since the analyze job does not " +
+        "call github/codeql-action/analyze.");
+    t.truthy(result.upload_failed_run_stack_trace);
+});
+function createTestWorkflow(steps) {
+    return {
+        name: "CodeQL",
+        on: {
+            push: {
+                branches: ["main"],
+            },
+            pull_request: {
+                branches: ["main"],
+            },
+        },
+        jobs: {
+            analyze: {
+                name: "CodeQL Analysis",
+                "runs-on": "ubuntu-latest",
+                steps,
+            },
+        },
+    };
+}
+async function testFailedSarifUpload(t, actionsWorkflow, { category, expectUpload = true, matrix = {}, } = {}) {
+    const config = {
+        codeQLCmd: "codeql",
+        debugMode: true,
+        languages: [],
+        packs: [],
+    };
+    process.env["GITHUB_JOB"] = "analyze";
+    process.env["GITHUB_REPOSITORY"] = "github/codeql-action-fake-repository";
+    process.env["GITHUB_WORKSPACE"] =
+        "/home/runner/work/codeql-action/codeql-action";
+    sinon
+        .stub(actionsUtil, "getRequiredInput")
+        .withArgs("matrix")
+        .returns(JSON.stringify(matrix));
+    const codeqlObject = await codeql.getCodeQLForTesting();
+    sinon.stub(codeql, "getCodeQL").resolves(codeqlObject);
+    const diagnosticsExportStub = sinon.stub(codeqlObject, "diagnosticsExport");
+    sinon.stub(workflow, "getWorkflow").resolves(actionsWorkflow);
+    const uploadFromActions = sinon.stub(uploadLib, "uploadFromActions");
+    uploadFromActions.resolves({
+        sarifID: "42",
+        statusReport: { raw_upload_size_bytes: 20, zipped_upload_size_bytes: 10 },
+    });
+    const waitForProcessing = sinon.stub(uploadLib, "waitForProcessing");
+    const result = await initActionPostHelper.tryUploadSarifIfRunFailed(config, (0, repository_1.parseRepositoryNwo)("github/codeql-action"), (0, testing_utils_1.createFeatures)([feature_flags_1.Feature.UploadFailedSarifEnabled]), (0, logging_1.getRunnerLogger)(true));
+    if (expectUpload) {
+        t.deepEqual(result, {
+            raw_upload_size_bytes: 20,
+            zipped_upload_size_bytes: 10,
+        });
+    }
+    if (expectUpload) {
+        t.true(diagnosticsExportStub.calledOnceWith(sinon.match.string, category), `Actual args were: ${diagnosticsExportStub.args}`);
+        t.true(uploadFromActions.calledOnceWith(sinon.match.string, sinon.match.string, category, sinon.match.any), `Actual args were: ${uploadFromActions.args}`);
+        t.true(waitForProcessing.calledOnceWith(sinon.match.any, "42", sinon.match.any, {
+            isUnsuccessfulExecution: true,
+        }));
+    }
+    else {
+        t.true(diagnosticsExportStub.notCalled);
+        t.true(uploadFromActions.notCalled);
+        t.true(waitForProcessing.notCalled);
+    }
+    return result;
+}
 //# sourceMappingURL=init-action-post-helper.test.js.map
@@ -25,17 +25,37 @@ var __importStar = (this && this.__importStar) || function (mod) {
 };
 Object.defineProperty(exports, "__esModule", { value: true });
 const core = __importStar(require("@actions/core"));
-const actionsUtil = __importStar(require("./actions-util"));
+const actions_util_1 = require("./actions-util");
+const api_client_1 = require("./api-client");
 const debugArtifacts = __importStar(require("./debug-artifacts"));
+const feature_flags_1 = require("./feature-flags");
 const initActionPostHelper = __importStar(require("./init-action-post-helper"));
+const logging_1 = require("./logging");
+const repository_1 = require("./repository");
+const util_1 = require("./util");
 async function runWrapper() {
+    const startedAt = new Date();
+    let uploadFailedSarifResult;
    try {
-        await initActionPostHelper.run(debugArtifacts.uploadDatabaseBundleDebugArtifact, debugArtifacts.uploadLogsDebugArtifact, actionsUtil.printDebugLogs);
+        const logger = (0, logging_1.getActionsLogger)();
+        const gitHubVersion = await (0, api_client_1.getGitHubVersion)();
+        (0, util_1.checkGitHubVersionInRange)(gitHubVersion, logger);
+        const repositoryNwo = (0, repository_1.parseRepositoryNwo)((0, util_1.getRequiredEnvParam)("GITHUB_REPOSITORY"));
+        const features = new feature_flags_1.Features(gitHubVersion, repositoryNwo, (0, actions_util_1.getTemporaryDirectory)(), logger);
+        uploadFailedSarifResult = await initActionPostHelper.run(debugArtifacts.uploadDatabaseBundleDebugArtifact, debugArtifacts.uploadLogsDebugArtifact, actions_util_1.printDebugLogs, repositoryNwo, features, logger);
    }
-    catch (error) {
-        core.setFailed(`init post-action step failed: ${error}`);
-        console.log(error);
+    catch (e) {
+        core.setFailed(e instanceof Error ? e.message : String(e));
+        console.log(e);
+        await (0, actions_util_1.sendStatusReport)(await (0, actions_util_1.createStatusReportBase)("init-post", (0, actions_util_1.getActionsStatus)(e), startedAt, String(e), e instanceof Error ? e.stack : undefined));
+        return;
    }
+    const statusReportBase = await (0, actions_util_1.createStatusReportBase)("init-post", "success", startedAt);
+    const statusReport = {
+        ...statusReportBase,
+        ...uploadFailedSarifResult,
+    };
+    await (0, actions_util_1.sendStatusReport)(statusReport);
 }
 void runWrapper();
 //# sourceMappingURL=init-action-post.js.map
@@ -1 +1 @@
-{"version":3,"file":"init-action-post.js","sourceRoot":"","sources":["../src/init-action-post.ts"],"names":[],"mappings":";AAAA;;;;GAIG;;;;;;;;;;;;;;;;;;;;;AAEH,oDAAsC;AAEtC,4DAA8C;AAC9C,kEAAoD;AACpD,gFAAkE;AAElE,KAAK,UAAU,UAAU;IACvB,IAAI;QACF,MAAM,oBAAoB,CAAC,GAAG,CAC5B,cAAc,CAAC,iCAAiC,EAChD,cAAc,CAAC,uBAAuB,EACtC,WAAW,CAAC,cAAc,CAC3B,CAAC;KACH;IAAC,OAAO,KAAK,EAAE;QACd,IAAI,CAAC,SAAS,CAAC,iCAAiC,KAAK,EAAE,CAAC,CAAC;QACzD,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;KACpB;AACH,CAAC;AAED,KAAK,UAAU,EAAE,CAAC"}
+{"version":3,"file":"init-action-post.js","sourceRoot":"","sources":["../src/init-action-post.ts"],"names":[],"mappings":";AAAA;;;;GAIG;;;;;;;;;;;;;;;;;;;;;AAEH,oDAAsC;AAEtC,iDAOwB;AACxB,6CAAgD;AAChD,kEAAoD;AACpD,mDAA2C;AAC3C,gFAAkE;AAClE,uCAA6C;AAC7C,6CAAkD;AAClD,iCAAwE;AAMxE,KAAK,UAAU,UAAU;IACvB,MAAM,SAAS,GAAG,IAAI,IAAI,EAAE,CAAC;IAC7B,IAAI,uBAES,CAAC;IACd,IAAI;QACF,MAAM,MAAM,GAAG,IAAA,0BAAgB,GAAE,CAAC;QAClC,MAAM,aAAa,GAAG,MAAM,IAAA,6BAAgB,GAAE,CAAC;QAC/C,IAAA,gCAAyB,EAAC,aAAa,EAAE,MAAM,CAAC,CAAC;QAEjD,MAAM,aAAa,GAAG,IAAA,+BAAkB,EACtC,IAAA,0BAAmB,EAAC,mBAAmB,CAAC,CACzC,CAAC;QACF,MAAM,QAAQ,GAAG,IAAI,wBAAQ,CAC3B,aAAa,EACb,aAAa,EACb,IAAA,oCAAqB,GAAE,EACvB,MAAM,CACP,CAAC;QAEF,uBAAuB,GAAG,MAAM,oBAAoB,CAAC,GAAG,CACtD,cAAc,CAAC,iCAAiC,EAChD,cAAc,CAAC,uBAAuB,EACtC,6BAAc,EACd,aAAa,EACb,QAAQ,EACR,MAAM,CACP,CAAC;KACH;IAAC,OAAO,CAAC,EAAE;QACV,IAAI,CAAC,SAAS,CAAC,CAAC,YAAY,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC;QAE3D,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;QACf,MAAM,IAAA,+BAAgB,EACpB,MAAM,IAAA,qCAAsB,EAC1B,WAAW,EACX,IAAA,+BAAgB,EAAC,CAAC,CAAC,EACnB,SAAS,EACT,MAAM,CAAC,CAAC,CAAC,EACT,CAAC,YAAY,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,SAAS,CACzC,CACF,CAAC;QACF,OAAO;KACR;IACD,MAAM,gBAAgB,GAAG,MAAM,IAAA,qCAAsB,EACnD,WAAW,EACX,SAAS,EACT,SAAS,CACV,CAAC;IACF,MAAM,YAAY,GAAyB;QACzC,GAAG,gBAAgB;QACnB,GAAG,uBAAuB;KAC3B,CAAC;IACF,MAAM,IAAA,+BAAgB,EAAC,YAAY,CAAC,CAAC;AACvC,CAAC;AAED,KAAK,UAAU,EAAE,CAAC"}
@@ -31,6 +31,7 @@ const logging_1 = require("./logging");
 const repository_1 = require("./repository");
 const trap_caching_1 = require("./trap-caching");
 const util_1 = require("./util");
+const workflow_1 = require("./workflow");
 // eslint-disable-next-line import/no-commonjs
 const pkg = require("../package.json");
 async function sendSuccessStatusReport(startedAt, config, toolsVersion, logger) {
@@ -74,7 +75,7 @@ async function sendSuccessStatusReport(startedAt, config, toolsVersion, logger)
 async function run() {
    const startedAt = new Date();
    const logger = (0, logging_1.getActionsLogger)();
-    (0, util_1.initializeEnvironment)(util_1.Mode.actions, pkg.version);
+    (0, util_1.initializeEnvironment)(pkg.version);
    await (0, util_1.checkActionVersion)(pkg.version);
    let config;
    let codeql;
@@ -85,19 +86,20 @@ async function run() {
        url: (0, util_1.getRequiredEnvParam)("GITHUB_SERVER_URL"),
        apiURL: (0, util_1.getRequiredEnvParam)("GITHUB_API_URL"),
    };
-    const gitHubVersion = await (0, api_client_1.getGitHubVersionActionsOnly)();
-    (0, util_1.checkGitHubVersionInRange)(gitHubVersion, logger, util_1.Mode.actions);
+    const gitHubVersion = await (0, api_client_1.getGitHubVersion)();
+    (0, util_1.checkGitHubVersionInRange)(gitHubVersion, logger);
    const repositoryNwo = (0, repository_1.parseRepositoryNwo)((0, util_1.getRequiredEnvParam)("GITHUB_REPOSITORY"));
-    const features = new feature_flags_1.Features(gitHubVersion, apiDetails, repositoryNwo, logger);
+    const features = new feature_flags_1.Features(gitHubVersion, repositoryNwo, (0, actions_util_1.getTemporaryDirectory)(), logger);
    try {
-        const workflowErrors = await (0, actions_util_1.validateWorkflow)();
+        const workflowErrors = await (0, workflow_1.validateWorkflow)();
        if (!(await (0, actions_util_1.sendStatusReport)(await (0, actions_util_1.createStatusReportBase)("init", "starting", startedAt, workflowErrors)))) {
            return;
        }
-        const initCodeQLResult = await (0, init_1.initCodeQL)((0, actions_util_1.getOptionalInput)("tools"), apiDetails, (0, actions_util_1.getTemporaryDirectory)(), gitHubVersion.type, features, logger);
+        const defaultCliVersion = await features.getDefaultCliVersion(gitHubVersion.type);
+        const initCodeQLResult = await (0, init_1.initCodeQL)((0, actions_util_1.getOptionalInput)("tools"), apiDetails, (0, actions_util_1.getTemporaryDirectory)(), gitHubVersion.type, await (0, util_1.shouldBypassToolcache)(features, (0, actions_util_1.getOptionalInput)("tools"), (0, actions_util_1.getOptionalInput)("languages"), repositoryNwo, logger), defaultCliVersion, logger);
        codeql = initCodeQLResult.codeql;
        toolsVersion = initCodeQLResult.toolsVersion;
-        await (0, util_1.enrichEnvironment)(util_1.Mode.actions, codeql);
+        await (0, util_1.enrichEnvironment)(codeql);
        config = await (0, init_1.initConfig)((0, actions_util_1.getOptionalInput)("languages"), (0, actions_util_1.getOptionalInput)("queries"), (0, actions_util_1.getOptionalInput)("packs"), (0, actions_util_1.getOptionalInput)("registries"), (0, actions_util_1.getOptionalInput)("config-file"), (0, actions_util_1.getOptionalInput)("db-location"), await getTrapCachingEnabled(features), 
        // Debug mode is enabled if:
        // - The `init` Action is passed `debug: true`.
@@ -137,8 +139,12 @@ async function run() {
        core.exportVariable("CODEQL_RAM", process.env["CODEQL_RAM"] ||
            (0, util_1.getMemoryFlagValue)((0, actions_util_1.getOptionalInput)("ram")).toString());
        core.exportVariable("CODEQL_THREADS", (0, util_1.getThreadsFlagValue)((0, actions_util_1.getOptionalInput)("threads"), logger).toString());
+        // Disable Kotlin extractor if feature flag set
+        if (await features.getValue(feature_flags_1.Feature.DisableKotlinAnalysisEnabled)) {
+            core.exportVariable("CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN", "true");
+        }
        const sourceRoot = path.resolve((0, util_1.getRequiredEnvParam)("GITHUB_WORKSPACE"), (0, actions_util_1.getOptionalInput)("source-root") || "");
-        const tracerConfig = await (0, init_1.runInit)(codeql, config, sourceRoot, "Runner.Worker.exe", undefined, features, logger);
+        const tracerConfig = await (0, init_1.runInit)(codeql, config, sourceRoot, "Runner.Worker.exe", features, logger);
        if (tracerConfig !== undefined) {
            for (const [key, value] of Object.entries(tracerConfig.env)) {
                core.exportVariable(key, value);
@@ -177,6 +183,7 @@ async function runWrapper() {
        core.setFailed(`init action failed: ${error}`);
        console.log(error);
    }
+    await (0, util_1.checkForTimeout)();
 }
 void runWrapper();
 //# sourceMappingURL=init-action.js.map
--- a/Show More
+++ b/Show More