Add changelog note

Remove restriction to github org
Allow explicit disablement too
2026-05-11 00:00:30 +00:00 · 2026-03-02 20:12:34 +01:00 · 2026-03-02 20:04:08 +01:00 · 2026-03-02 19:58:27 +01:00 · 2026-03-02 19:55:35 +01:00 · 2026-03-02 19:48:19 +01:00
205 changed files with 21431 additions and 27557 deletions
@@ -25,34 +25,35 @@ on:
    - cron: '0 5 * * *'
  workflow_dispatch:
    inputs:
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
      go-version:
        type: string
        description: The version of Go to install
        required: false
        default: '>=1.21.0'
+      dotnet-version:
+        type: string
+        description: The version of .NET to install
+        required: false
+        default: 9.x
  workflow_call:
    inputs:
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
      go-version:
        type: string
        description: The version of Go to install
        required: false
        default: '>=1.21.0'
+      dotnet-version:
+        type: string
+        description: The version of .NET to install
+        required: false
+        default: 9.x
 defaults:
  run:
    shell: bash
 concurrency:
  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: all-platform-bundle-${{github.ref}}-${{inputs.dotnet-version}}-${{inputs.go-version}}
+  group:
+    all-platform-bundle-${{github.ref}}-${{inputs.go-version}}-${{inputs.dotnet-version}}
 jobs:
  all-platform-bundle:
    strategy:
@@ -75,15 +76,6 @@ jobs:
    steps:
      - name: Check out repository
        uses: actions/checkout@v6
-      - name: Install .NET
-        uses: actions/setup-dotnet@v5
-        with:
-          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
-      - name: Install Go
-        uses: actions/setup-go@v6
-        with:
-          go-version: ${{ inputs.go-version || '>=1.21.0' }}
-          cache: false
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -91,10 +83,19 @@ jobs:
          version: ${{ matrix.version }}
          use-all-platform-bundle: 'true'
          setup-kotlin: 'true'
+      - name: Install Go
+        uses: actions/setup-go@v6
+        with:
+          go-version: ${{ inputs.go-version || '>=1.21.0' }}
+          cache: false
+      - name: Install .NET
+        uses: actions/setup-dotnet@v5
+        with:
+          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - id: init
        uses: ./../action/init
        with:
-          # Swift is not supported on Ubuntu so we manually exclude it from the list here
+      # Swift is not supported on Ubuntu so we manually exclude it from the list here
          languages: cpp,csharp,go,java,javascript,python,ruby
          tools: ${{ steps.prepare-test.outputs.tools-url }}
      - name: Build code
@@ -87,24 +87,24 @@ jobs:
          tools: ${{ steps.prepare-test.outputs.tools-url }}
      - uses: ./../action/analyze
        with:
-          output: '${{ runner.temp }}/results'
+          output: ${{ runner.temp }}/results
          upload-database: false
-          post-processed-sarif-path: '${{ runner.temp }}/post-processed'
+          post-processed-sarif-path: ${{ runner.temp }}/post-processed

      - name: Upload SARIF files
-        uses: actions/upload-artifact@v7
+        uses: actions/upload-artifact@v6
        with:
          name: |
            analysis-kinds-${{ matrix.os }}-${{ matrix.version }}-${{ matrix.analysis-kinds }}
-          path: '${{ runner.temp }}/results/*.sarif'
+          path: ${{ runner.temp }}/results/*.sarif
          retention-days: 7

      - name: Upload post-processed SARIF
-        uses: actions/upload-artifact@v7
+        uses: actions/upload-artifact@v6
        with:
          name: |
            post-processed-${{ matrix.os }}-${{ matrix.version }}-${{ matrix.analysis-kinds }}
-          path: '${{ runner.temp }}/post-processed'
+          path: ${{ runner.temp }}/post-processed
          retention-days: 7
          if-no-files-found: error

@@ -112,7 +112,7 @@ jobs:
        if: contains(matrix.analysis-kinds, 'code-scanning')
        uses: actions/github-script@v8
        env:
-          SARIF_PATH: '${{ runner.temp }}/results/javascript.sarif'
+          SARIF_PATH: ${{ runner.temp }}/results/javascript.sarif
          EXPECT_PRESENT: 'false'
        with:
          script: ${{ env.CHECK_SCRIPT }}
@@ -120,7 +120,7 @@ jobs:
        if: contains(matrix.analysis-kinds, 'code-quality')
        uses: actions/github-script@v8
        env:
-          SARIF_PATH: '${{ runner.temp }}/results/javascript.quality.sarif'
+          SARIF_PATH: ${{ runner.temp }}/results/javascript.quality.sarif
          EXPECT_PRESENT: 'true'
        with:
          script: ${{ env.CHECK_SCRIPT }}
@@ -25,34 +25,45 @@ on:
    - cron: '0 5 * * *'
  workflow_dispatch:
    inputs:
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
      go-version:
        type: string
        description: The version of Go to install
        required: false
        default: '>=1.21.0'
+      python-version:
+        type: string
+        description: The version of Python to install
+        required: false
+        default: '3.13'
+      dotnet-version:
+        type: string
+        description: The version of .NET to install
+        required: false
+        default: 9.x
  workflow_call:
    inputs:
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
      go-version:
        type: string
        description: The version of Go to install
        required: false
        default: '>=1.21.0'
+      python-version:
+        type: string
+        description: The version of Python to install
+        required: false
+        default: '3.13'
+      dotnet-version:
+        type: string
+        description: The version of .NET to install
+        required: false
+        default: 9.x
 defaults:
  run:
    shell: bash
 concurrency:
  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: analyze-ref-input-${{github.ref}}-${{inputs.dotnet-version}}-${{inputs.go-version}}
+  group:
+    analyze-ref-input-${{github.ref}}-${{inputs.go-version}}-${{inputs.python-version}}-${{inputs.dotnet-version}}
 jobs:
  analyze-ref-input:
    strategy:
@@ -71,15 +82,6 @@ jobs:
    steps:
      - name: Check out repository
        uses: actions/checkout@v6
-      - name: Install .NET
-        uses: actions/setup-dotnet@v5
-        with:
-          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
-      - name: Install Go
-        uses: actions/setup-go@v6
-        with:
-          go-version: ${{ inputs.go-version || '>=1.21.0' }}
-          cache: false
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -87,16 +89,31 @@ jobs:
          version: ${{ matrix.version }}
          use-all-platform-bundle: 'false'
          setup-kotlin: 'true'
+      - name: Install Go
+        uses: actions/setup-go@v6
+        with:
+          go-version: ${{ inputs.go-version || '>=1.21.0' }}
+          cache: false
+      - name: Install Python
+        if: matrix.version != 'nightly-latest'
+        uses: actions/setup-python@v6
+        with:
+          python-version: ${{ inputs.python-version || '3.13' }}
+      - name: Install .NET
+        uses: actions/setup-dotnet@v5
+        with:
+          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - uses: ./../action/init
        with:
          tools: ${{ steps.prepare-test.outputs.tools-url }}
          languages: cpp,csharp,java,javascript,python
-          config-file: ${{ github.repository }}/tests/multi-language-repo/.github/codeql/custom-queries.yml@${{ github.sha }}
+          config-file: ${{ github.repository }}/tests/multi-language-repo/.github/codeql/custom-queries.yml@${{
+            github.sha }}
      - name: Build code
        run: ./build.sh
      - uses: ./../action/analyze
        with:
-          ref: 'refs/heads/main'
-          sha: '5e235361806c361d4d3f8859e3c897658025a9a2'
+          ref: refs/heads/main
+          sha: 5e235361806c361d4d3f8859e3c897658025a9a2
    env:
      CODEQL_ACTION_TEST_MODE: true
@@ -65,10 +65,6 @@ jobs:
    steps:
      - name: Check out repository
        uses: actions/checkout@v6
-      - name: Install .NET
-        uses: actions/setup-dotnet@v5
-        with:
-          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -76,13 +72,17 @@ jobs:
          version: ${{ matrix.version }}
          use-all-platform-bundle: 'false'
          setup-kotlin: 'true'
+      - name: Install .NET
+        uses: actions/setup-dotnet@v5
+        with:
+          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - uses: ./../action/init
        with:
          languages: csharp
          tools: ${{ steps.prepare-test.outputs.tools-url }}
      - uses: ./../action/autobuild
        env:
-          # Explicitly disable the CLR tracer.
+      # Explicitly disable the CLR tracer.
          COR_ENABLE_PROFILING: ''
          COR_PROFILER: ''
          COR_PROFILER_PATH_64: ''
@@ -42,7 +42,8 @@ defaults:
    shell: bash
 concurrency:
  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: autobuild-direct-tracing-with-working-dir-${{github.ref}}-${{inputs.java-version}}
+  group:
+    autobuild-direct-tracing-with-working-dir-${{github.ref}}-${{inputs.java-version}}
 jobs:
  autobuild-direct-tracing-with-working-dir:
    strategy:
@@ -67,11 +68,6 @@ jobs:
    steps:
      - name: Check out repository
        uses: actions/checkout@v6
-      - name: Install Java
-        uses: actions/setup-java@v5
-        with:
-          java-version: ${{ inputs.java-version || '17' }}
-          distribution: temurin
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -79,6 +75,11 @@ jobs:
          version: ${{ matrix.version }}
          use-all-platform-bundle: 'false'
          setup-kotlin: 'true'
+      - name: Install Java
+        uses: actions/setup-java@v5
+        with:
+          java-version: ${{ inputs.java-version || '17' }}
+          distribution: temurin
      - name: Test setup
        run: |
          # Make sure that Gradle build succeeds in autobuild-dir ...
@@ -67,6 +67,13 @@ jobs:
    steps:
      - name: Check out repository
        uses: actions/checkout@v6
+      - name: Prepare test
+        id: prepare-test
+        uses: ./.github/actions/prepare-test
+        with:
+          version: ${{ matrix.version }}
+          use-all-platform-bundle: 'false'
+          setup-kotlin: 'true'
      - name: Install Java
        uses: actions/setup-java@v5
        with:
@@ -80,13 +87,6 @@ jobs:
        run: |-
          gh release download --repo mikefarah/yq --pattern "yq_windows_amd64.exe" "$YQ_VERSION" -O "$YQ_PATH/yq.exe"
          echo "$YQ_PATH" >> "$GITHUB_PATH"
-      - name: Prepare test
-        id: prepare-test
-        uses: ./.github/actions/prepare-test
-        with:
-          version: ${{ matrix.version }}
-          use-all-platform-bundle: 'false'
-          setup-kotlin: 'true'
      - name: Set up Java test repo configuration
        run: |
          mv * .github ../action/tests/multi-language-repo/
@@ -97,7 +97,7 @@ jobs:
        id: init
        with:
          build-mode: autobuild
-          db-location: '${{ runner.temp }}/customDbLocation'
+          db-location: ${{ runner.temp }}/customDbLocation
          languages: java
          tools: ${{ steps.prepare-test.outputs.tools-url }}

@@ -25,34 +25,35 @@ on:
    - cron: '0 5 * * *'
  workflow_dispatch:
    inputs:
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
      go-version:
        type: string
        description: The version of Go to install
        required: false
        default: '>=1.21.0'
+      dotnet-version:
+        type: string
+        description: The version of .NET to install
+        required: false
+        default: 9.x
  workflow_call:
    inputs:
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
      go-version:
        type: string
        description: The version of Go to install
        required: false
        default: '>=1.21.0'
+      dotnet-version:
+        type: string
+        description: The version of .NET to install
+        required: false
+        default: 9.x
 defaults:
  run:
    shell: bash
 concurrency:
  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: build-mode-manual-${{github.ref}}-${{inputs.dotnet-version}}-${{inputs.go-version}}
+  group:
+    build-mode-manual-${{github.ref}}-${{inputs.go-version}}-${{inputs.dotnet-version}}
 jobs:
  build-mode-manual:
    strategy:
@@ -71,15 +72,6 @@ jobs:
    steps:
      - name: Check out repository
        uses: actions/checkout@v6
-      - name: Install .NET
-        uses: actions/setup-dotnet@v5
-        with:
-          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
-      - name: Install Go
-        uses: actions/setup-go@v6
-        with:
-          go-version: ${{ inputs.go-version || '>=1.21.0' }}
-          cache: false
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -87,11 +79,20 @@ jobs:
          version: ${{ matrix.version }}
          use-all-platform-bundle: 'false'
          setup-kotlin: 'true'
+      - name: Install Go
+        uses: actions/setup-go@v6
+        with:
+          go-version: ${{ inputs.go-version || '>=1.21.0' }}
+          cache: false
+      - name: Install .NET
+        uses: actions/setup-dotnet@v5
+        with:
+          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - uses: ./../action/init
        id: init
        with:
          build-mode: manual
-          db-location: '${{ runner.temp }}/customDbLocation'
+          db-location: ${{ runner.temp }}/customDbLocation
          languages: java
          tools: ${{ steps.prepare-test.outputs.tools-url }}

@@ -64,7 +64,7 @@ jobs:
        id: init
        with:
          build-mode: none
-          db-location: '${{ runner.temp }}/customDbLocation'
+          db-location: ${{ runner.temp }}/customDbLocation
          languages: java
          tools: ${{ steps.prepare-test.outputs.tools-url }}

@@ -77,7 +77,7 @@ jobs:
            exit 1
          fi

-      # The latest nightly supports omitting the autobuild Action when the build mode is specified.
+  # The latest nightly supports omitting the autobuild Action when the build mode is specified.
      - uses: ./../action/autobuild
        if: matrix.version != 'nightly-latest'

@@ -68,7 +68,7 @@ jobs:
        id: init
        with:
          build-mode: none
-          db-location: '${{ runner.temp }}/customDbLocation'
+          db-location: ${{ runner.temp }}/customDbLocation
          languages: java
          tools: ${{ steps.prepare-test.outputs.tools-url }}

@@ -66,7 +66,7 @@ jobs:
          tools: ${{ steps.prepare-test.outputs.tools-url }}
          languages: javascript
      - name: Fail if the CodeQL version is not a nightly
-        if: ${{ !contains(steps.init.outputs.codeql-version, '+') }}
+        if: "!contains(steps.init.outputs.codeql-version, '+')"
        run: exit 1
    env:
      CODEQL_ACTION_TEST_MODE: true
@@ -39,10 +39,10 @@ jobs:
      fail-fast: false
      matrix:
        include:
-          - os: ubuntu-latest
-            version: linked
          - os: macos-latest
            version: linked
+          - os: ubuntu-latest
+            version: linked
          - os: windows-latest
            version: linked
    name: 'Bundle: Caching checks'
@@ -39,10 +39,10 @@ jobs:
      fail-fast: false
      matrix:
        include:
-          - os: ubuntu-latest
-            version: linked
          - os: macos-latest
            version: linked
+          - os: ubuntu-latest
+            version: linked
          - os: windows-latest
            version: linked
    name: 'Bundle: Zstandard checks'
@@ -82,7 +82,7 @@ jobs:
          output: ${{ runner.temp }}/results
          upload-database: false
      - name: Upload SARIF
-        uses: actions/upload-artifact@v7
+        uses: actions/upload-artifact@v6
        with:
          name: ${{ matrix.os }}-zstd-bundle.sarif
          path: ${{ runner.temp }}/results/javascript.sarif
@@ -67,7 +67,7 @@ jobs:
        id: init
        with:
          build-mode: none
-          db-location: '${{ runner.temp }}/customDbLocation'
+          db-location: ${{ runner.temp }}/customDbLocation
          languages: javascript
          tools: ${{ steps.prepare-test.outputs.tools-url }}

@@ -67,18 +67,18 @@ jobs:
          tools: ${{ steps.prepare-test.outputs.tools-url }}
      - uses: ./../action/analyze
        with:
-          output: '${{ runner.temp }}/results'
+          output: ${{ runner.temp }}/results
          upload-database: false
      - name: Upload SARIF
-        uses: actions/upload-artifact@v7
+        uses: actions/upload-artifact@v6
        with:
          name: config-export-${{ matrix.os }}-${{ matrix.version }}.sarif.json
-          path: '${{ runner.temp }}/results/javascript.sarif'
+          path: ${{ runner.temp }}/results/javascript.sarif
          retention-days: 7
      - name: Check config properties appear in SARIF
        uses: actions/github-script@v8
        env:
-          SARIF_PATH: '${{ runner.temp }}/results/javascript.sarif'
+          SARIF_PATH: ${{ runner.temp }}/results/javascript.sarif
        with:
          script: |
            const fs = require('fs');
@@ -78,18 +78,18 @@ jobs:
            --ready-for-status-page
      - uses: ./../action/analyze
        with:
-          output: '${{ runner.temp }}/results'
+          output: ${{ runner.temp }}/results
          upload-database: false
      - name: Upload SARIF
-        uses: actions/upload-artifact@v7
+        uses: actions/upload-artifact@v6
        with:
          name: diagnostics-export-${{ matrix.os }}-${{ matrix.version }}.sarif.json
-          path: '${{ runner.temp }}/results/javascript.sarif'
+          path: ${{ runner.temp }}/results/javascript.sarif
          retention-days: 7
      - name: Check diagnostics appear in SARIF
        uses: actions/github-script@v8
        env:
-          SARIF_PATH: '${{ runner.temp }}/results/javascript.sarif'
+          SARIF_PATH: ${{ runner.temp }}/results/javascript.sarif
        with:
          script: |
            const fs = require('fs');
@@ -25,34 +25,35 @@ on:
    - cron: '0 5 * * *'
  workflow_dispatch:
    inputs:
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
      go-version:
        type: string
        description: The version of Go to install
        required: false
        default: '>=1.21.0'
+      dotnet-version:
+        type: string
+        description: The version of .NET to install
+        required: false
+        default: 9.x
  workflow_call:
    inputs:
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
      go-version:
        type: string
        description: The version of Go to install
        required: false
        default: '>=1.21.0'
+      dotnet-version:
+        type: string
+        description: The version of .NET to install
+        required: false
+        default: 9.x
 defaults:
  run:
    shell: bash
 concurrency:
  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: export-file-baseline-information-${{github.ref}}-${{inputs.dotnet-version}}-${{inputs.go-version}}
+  group:
+    export-file-baseline-information-${{github.ref}}-${{inputs.go-version}}-${{inputs.dotnet-version}}
 jobs:
  export-file-baseline-information:
    strategy:
@@ -75,15 +76,6 @@ jobs:
    steps:
      - name: Check out repository
        uses: actions/checkout@v6
-      - name: Install .NET
-        uses: actions/setup-dotnet@v5
-        with:
-          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
-      - name: Install Go
-        uses: actions/setup-go@v6
-        with:
-          go-version: ${{ inputs.go-version || '>=1.21.0' }}
-          cache: false
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -91,6 +83,15 @@ jobs:
          version: ${{ matrix.version }}
          use-all-platform-bundle: 'false'
          setup-kotlin: 'true'
+      - name: Install Go
+        uses: actions/setup-go@v6
+        with:
+          go-version: ${{ inputs.go-version || '>=1.21.0' }}
+          cache: false
+      - name: Install .NET
+        uses: actions/setup-dotnet@v5
+        with:
+          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - uses: ./../action/init
        id: init
        with:
@@ -100,12 +101,12 @@ jobs:
        run: ./build.sh
      - uses: ./../action/analyze
        with:
-          output: '${{ runner.temp }}/results'
+          output: ${{ runner.temp }}/results
      - name: Upload SARIF
-        uses: actions/upload-artifact@v7
+        uses: actions/upload-artifact@v6
        with:
          name: with-baseline-information-${{ matrix.os }}-${{ matrix.version }}.sarif.json
-          path: '${{ runner.temp }}/results/javascript.sarif'
+          path: ${{ runner.temp }}/results/javascript.sarif
          retention-days: 7
      - name: Check results
        run: |
@@ -25,34 +25,35 @@ on:
    - cron: '0 5 * * *'
  workflow_dispatch:
    inputs:
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
      go-version:
        type: string
        description: The version of Go to install
        required: false
        default: '>=1.21.0'
+      dotnet-version:
+        type: string
+        description: The version of .NET to install
+        required: false
+        default: 9.x
  workflow_call:
    inputs:
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
      go-version:
        type: string
        description: The version of Go to install
        required: false
        default: '>=1.21.0'
+      dotnet-version:
+        type: string
+        description: The version of .NET to install
+        required: false
+        default: 9.x
 defaults:
  run:
    shell: bash
 concurrency:
  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: go-custom-queries-${{github.ref}}-${{inputs.dotnet-version}}-${{inputs.go-version}}
+  group:
+    go-custom-queries-${{github.ref}}-${{inputs.go-version}}-${{inputs.dotnet-version}}
 jobs:
  go-custom-queries:
    strategy:
@@ -73,15 +74,6 @@ jobs:
    steps:
      - name: Check out repository
        uses: actions/checkout@v6
-      - name: Install .NET
-        uses: actions/setup-dotnet@v5
-        with:
-          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
-      - name: Install Go
-        uses: actions/setup-go@v6
-        with:
-          go-version: ${{ inputs.go-version || '>=1.21.0' }}
-          cache: false
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -89,6 +81,15 @@ jobs:
          version: ${{ matrix.version }}
          use-all-platform-bundle: 'false'
          setup-kotlin: 'true'
+      - name: Install Go
+        uses: actions/setup-go@v6
+        with:
+          go-version: ${{ inputs.go-version || '>=1.21.0' }}
+          cache: false
+      - name: Install .NET
+        uses: actions/setup-dotnet@v5
+        with:
+          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - uses: ./../action/init
        with:
          languages: go
@@ -61,11 +61,6 @@ jobs:
    steps:
      - name: Check out repository
        uses: actions/checkout@v6
-      - name: Install Go
-        uses: actions/setup-go@v6
-        with:
-          go-version: ${{ inputs.go-version || '>=1.21.0' }}
-          cache: false
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -73,11 +68,16 @@ jobs:
          version: ${{ matrix.version }}
          use-all-platform-bundle: 'false'
          setup-kotlin: 'true'
+      - name: Install Go
+        uses: actions/setup-go@v6
+        with:
+          go-version: ${{ inputs.go-version || '>=1.21.0' }}
+          cache: false
      - uses: ./../action/init
        with:
          languages: go
          tools: ${{ steps.prepare-test.outputs.tools-url }}
-      # Deliberately change Go after the `init` step
+  # Deliberately change Go after the `init` step
      - uses: actions/setup-go@v6
        with:
          go-version: '1.20'
@@ -85,12 +85,12 @@ jobs:
        run: go build main.go
      - uses: ./../action/analyze
        with:
-          output: '${{ runner.temp }}/results'
+          output: ${{ runner.temp }}/results
          upload-database: false
      - name: Check diagnostic appears in SARIF
        uses: actions/github-script@v8
        env:
-          SARIF_PATH: '${{ runner.temp }}/results/go.sarif'
+          SARIF_PATH: ${{ runner.temp }}/results/go.sarif
        with:
          script: |
            const fs = require('fs');
@@ -42,7 +42,8 @@ defaults:
    shell: bash
 concurrency:
  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: go-indirect-tracing-workaround-no-file-program-${{github.ref}}-${{inputs.go-version}}
+  group:
+    go-indirect-tracing-workaround-no-file-program-${{github.ref}}-${{inputs.go-version}}
 jobs:
  go-indirect-tracing-workaround-no-file-program:
    strategy:
@@ -61,11 +62,6 @@ jobs:
    steps:
      - name: Check out repository
        uses: actions/checkout@v6
-      - name: Install Go
-        uses: actions/setup-go@v6
-        with:
-          go-version: ${{ inputs.go-version || '>=1.21.0' }}
-          cache: false
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -73,6 +69,11 @@ jobs:
          version: ${{ matrix.version }}
          use-all-platform-bundle: 'false'
          setup-kotlin: 'true'
+      - name: Install Go
+        uses: actions/setup-go@v6
+        with:
+          go-version: ${{ inputs.go-version || '>=1.21.0' }}
+          cache: false
      - name: Remove `file` program
        run: |
          echo $(which file)
@@ -86,12 +87,12 @@ jobs:
        run: go build main.go
      - uses: ./../action/analyze
        with:
-          output: '${{ runner.temp }}/results'
+          output: ${{ runner.temp }}/results
          upload-database: false
      - name: Check diagnostic appears in SARIF
        uses: actions/github-script@v8
        env:
-          SARIF_PATH: '${{ runner.temp }}/results/go.sarif'
+          SARIF_PATH: ${{ runner.temp }}/results/go.sarif
        with:
          script: |
            const fs = require('fs');
@@ -61,11 +61,6 @@ jobs:
    steps:
      - name: Check out repository
        uses: actions/checkout@v6
-      - name: Install Go
-        uses: actions/setup-go@v6
-        with:
-          go-version: ${{ inputs.go-version || '>=1.21.0' }}
-          cache: false
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -73,6 +68,11 @@ jobs:
          version: ${{ matrix.version }}
          use-all-platform-bundle: 'false'
          setup-kotlin: 'true'
+      - name: Install Go
+        uses: actions/setup-go@v6
+        with:
+          go-version: ${{ inputs.go-version || '>=1.21.0' }}
+          cache: false
      - uses: ./../action/init
        with:
          languages: go
@@ -51,18 +51,32 @@ jobs:
        include:
          - os: ubuntu-latest
            version: stable-v2.17.6
+          - os: macos-latest
+            version: stable-v2.17.6
          - os: ubuntu-latest
            version: stable-v2.18.4
+          - os: macos-latest
+            version: stable-v2.18.4
          - os: ubuntu-latest
            version: stable-v2.19.4
+          - os: macos-latest
+            version: stable-v2.19.4
          - os: ubuntu-latest
            version: stable-v2.20.7
+          - os: macos-latest
+            version: stable-v2.20.7
          - os: ubuntu-latest
            version: stable-v2.21.4
+          - os: macos-latest
+            version: stable-v2.21.4
          - os: ubuntu-latest
            version: stable-v2.22.4
+          - os: macos-latest
+            version: stable-v2.22.4
          - os: ubuntu-latest
            version: default
+          - os: macos-latest
+            version: default
          - os: ubuntu-latest
            version: linked
          - os: macos-latest
@@ -81,11 +95,6 @@ jobs:
    steps:
      - name: Check out repository
        uses: actions/checkout@v6
-      - name: Install Go
-        uses: actions/setup-go@v6
-        with:
-          go-version: ${{ inputs.go-version || '>=1.21.0' }}
-          cache: false
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -93,6 +102,11 @@ jobs:
          version: ${{ matrix.version }}
          use-all-platform-bundle: 'false'
          setup-kotlin: 'true'
+      - name: Install Go
+        uses: actions/setup-go@v6
+        with:
+          go-version: ${{ inputs.go-version || '>=1.21.0' }}
+          cache: false
      - uses: ./../action/init
        with:
          languages: go
@@ -51,18 +51,32 @@ jobs:
        include:
          - os: ubuntu-latest
            version: stable-v2.17.6
+          - os: macos-latest
+            version: stable-v2.17.6
          - os: ubuntu-latest
            version: stable-v2.18.4
+          - os: macos-latest
+            version: stable-v2.18.4
          - os: ubuntu-latest
            version: stable-v2.19.4
+          - os: macos-latest
+            version: stable-v2.19.4
          - os: ubuntu-latest
            version: stable-v2.20.7
+          - os: macos-latest
+            version: stable-v2.20.7
          - os: ubuntu-latest
            version: stable-v2.21.4
+          - os: macos-latest
+            version: stable-v2.21.4
          - os: ubuntu-latest
            version: stable-v2.22.4
+          - os: macos-latest
+            version: stable-v2.22.4
          - os: ubuntu-latest
            version: default
+          - os: macos-latest
+            version: default
          - os: ubuntu-latest
            version: linked
          - os: macos-latest
@@ -81,11 +95,6 @@ jobs:
    steps:
      - name: Check out repository
        uses: actions/checkout@v6
-      - name: Install Go
-        uses: actions/setup-go@v6
-        with:
-          go-version: ${{ inputs.go-version || '>=1.21.0' }}
-          cache: false
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -93,6 +102,11 @@ jobs:
          version: ${{ matrix.version }}
          use-all-platform-bundle: 'false'
          setup-kotlin: 'true'
+      - name: Install Go
+        uses: actions/setup-go@v6
+        with:
+          go-version: ${{ inputs.go-version || '>=1.21.0' }}
+          cache: false
      - uses: ./../action/init
        with:
          languages: go
@@ -51,18 +51,32 @@ jobs:
        include:
          - os: ubuntu-latest
            version: stable-v2.17.6
+          - os: macos-latest
+            version: stable-v2.17.6
          - os: ubuntu-latest
            version: stable-v2.18.4
+          - os: macos-latest
+            version: stable-v2.18.4
          - os: ubuntu-latest
            version: stable-v2.19.4
+          - os: macos-latest
+            version: stable-v2.19.4
          - os: ubuntu-latest
            version: stable-v2.20.7
+          - os: macos-latest
+            version: stable-v2.20.7
          - os: ubuntu-latest
            version: stable-v2.21.4
+          - os: macos-latest
+            version: stable-v2.21.4
          - os: ubuntu-latest
            version: stable-v2.22.4
+          - os: macos-latest
+            version: stable-v2.22.4
          - os: ubuntu-latest
            version: default
+          - os: macos-latest
+            version: default
          - os: ubuntu-latest
            version: linked
          - os: macos-latest
@@ -81,11 +95,6 @@ jobs:
    steps:
      - name: Check out repository
        uses: actions/checkout@v6
-      - name: Install Go
-        uses: actions/setup-go@v6
-        with:
-          go-version: ${{ inputs.go-version || '>=1.21.0' }}
-          cache: false
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -93,6 +102,11 @@ jobs:
          version: ${{ matrix.version }}
          use-all-platform-bundle: 'false'
          setup-kotlin: 'true'
+      - name: Install Go
+        uses: actions/setup-go@v6
+        with:
+          go-version: ${{ inputs.go-version || '>=1.21.0' }}
+          cache: false
      - uses: ./../action/init
        with:
          languages: go
@@ -10,16 +10,16 @@ env:
 on:
  workflow_dispatch:
    inputs:
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
      go-version:
        type: string
        description: The version of Go to install
        required: false
        default: '>=1.21.0'
+      dotnet-version:
+        type: string
+        description: The version of .NET to install
+        required: false
+        default: 9.x
 jobs:
  go-custom-queries:
    name: 'Go: Custom queries'
@@ -28,8 +28,8 @@ jobs:
      security-events: read
    uses: ./.github/workflows/__go-custom-queries.yml
    with:
-      dotnet-version: ${{ inputs.dotnet-version }}
      go-version: ${{ inputs.go-version }}
+      dotnet-version: ${{ inputs.dotnet-version }}
  go-indirect-tracing-workaround-diagnostic:
    name: 'Go: diagnostic when Go is changed after init step'
    permissions:
@@ -50,6 +50,7 @@ jobs:
    permissions:
      contents: read
      packages: read
+
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
@@ -65,7 +66,7 @@ jobs:
      - name: Init with registries
        uses: ./../action/init
        with:
-          db-location: '${{ runner.temp }}/customDbLocation'
+          db-location: ${{ runner.temp }}/customDbLocation
          tools: ${{ steps.prepare-test.outputs.tools-url }}
          config-file: ./.github/codeql/codeql-config-registries.yml
          languages: javascript
@@ -65,12 +65,12 @@ jobs:
          tools: ${{ steps.prepare-test.outputs.tools-url }}
      - uses: ./../action/analyze
        with:
-          output: '${{ runner.temp }}/results'
+          output: ${{ runner.temp }}/results
      - name: Upload SARIF
-        uses: actions/upload-artifact@v7
+        uses: actions/upload-artifact@v6
        with:
          name: ${{ matrix.os }}-${{ matrix.version }}.sarif.json
-          path: '${{ runner.temp }}/results/javascript.sarif'
+          path: ${{ runner.temp }}/results/javascript.sarif
          retention-days: 7
      - name: Check results
        run: |
@@ -63,7 +63,7 @@ jobs:
          languages: C#,java-kotlin,swift,typescript
          tools: ${{ steps.prepare-test.outputs.tools-url }}

-      - name: 'Check languages'
+      - name: Check languages
        run: |
          expected_languages="csharp,java,swift,javascript"
          actual_languages=$(jq -r '.languages | join(",")' "$RUNNER_TEMP"/config)
@@ -25,34 +25,45 @@ on:
    - cron: '0 5 * * *'
  workflow_dispatch:
    inputs:
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
      go-version:
        type: string
        description: The version of Go to install
        required: false
        default: '>=1.21.0'
+      python-version:
+        type: string
+        description: The version of Python to install
+        required: false
+        default: '3.13'
+      dotnet-version:
+        type: string
+        description: The version of .NET to install
+        required: false
+        default: 9.x
  workflow_call:
    inputs:
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
      go-version:
        type: string
        description: The version of Go to install
        required: false
        default: '>=1.21.0'
+      python-version:
+        type: string
+        description: The version of Python to install
+        required: false
+        default: '3.13'
+      dotnet-version:
+        type: string
+        description: The version of .NET to install
+        required: false
+        default: 9.x
 defaults:
  run:
    shell: bash
 concurrency:
  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: local-bundle-${{github.ref}}-${{inputs.dotnet-version}}-${{inputs.go-version}}
+  group:
+    local-bundle-${{github.ref}}-${{inputs.go-version}}-${{inputs.python-version}}-${{inputs.dotnet-version}}
 jobs:
  local-bundle:
    strategy:
@@ -71,15 +82,6 @@ jobs:
    steps:
      - name: Check out repository
        uses: actions/checkout@v6
-      - name: Install .NET
-        uses: actions/setup-dotnet@v5
-        with:
-          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
-      - name: Install Go
-        uses: actions/setup-go@v6
-        with:
-          go-version: ${{ inputs.go-version || '>=1.21.0' }}
-          cache: false
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -87,13 +89,27 @@ jobs:
          version: ${{ matrix.version }}
          use-all-platform-bundle: 'false'
          setup-kotlin: 'true'
+      - name: Install Go
+        uses: actions/setup-go@v6
+        with:
+          go-version: ${{ inputs.go-version || '>=1.21.0' }}
+          cache: false
+      - name: Install Python
+        if: matrix.version != 'nightly-latest'
+        uses: actions/setup-python@v6
+        with:
+          python-version: ${{ inputs.python-version || '3.13' }}
+      - name: Install .NET
+        uses: actions/setup-dotnet@v5
+        with:
+          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - name: Fetch latest CodeQL bundle
        run: |
          wget https://github.com/github/codeql-action/releases/latest/download/codeql-bundle-linux64.tar.zst
      - id: init
        uses: ./../action/init
        with:
-          # Swift is not supported on Ubuntu so we manually exclude it from the list here
+      # Swift is not supported on Ubuntu so we manually exclude it from the list here
          languages: cpp,csharp,go,java,javascript,python,ruby
          tools: ./codeql-bundle-linux64.tar.zst
      - name: Build code
@@ -25,75 +25,86 @@ on:
    - cron: '0 5 * * *'
  workflow_dispatch:
    inputs:
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
      go-version:
        type: string
        description: The version of Go to install
        required: false
        default: '>=1.21.0'
+      python-version:
+        type: string
+        description: The version of Python to install
+        required: false
+        default: '3.13'
+      dotnet-version:
+        type: string
+        description: The version of .NET to install
+        required: false
+        default: 9.x
  workflow_call:
    inputs:
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
      go-version:
        type: string
        description: The version of Go to install
        required: false
        default: '>=1.21.0'
+      python-version:
+        type: string
+        description: The version of Python to install
+        required: false
+        default: '3.13'
+      dotnet-version:
+        type: string
+        description: The version of .NET to install
+        required: false
+        default: 9.x
 defaults:
  run:
    shell: bash
 concurrency:
  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: multi-language-autodetect-${{github.ref}}-${{inputs.dotnet-version}}-${{inputs.go-version}}
+  group:
+    multi-language-autodetect-${{github.ref}}-${{inputs.go-version}}-${{inputs.python-version}}-${{inputs.dotnet-version}}
 jobs:
  multi-language-autodetect:
    strategy:
      fail-fast: false
      matrix:
        include:
-          - os: ubuntu-latest
-            version: stable-v2.17.6
          - os: macos-latest
            version: stable-v2.17.6
          - os: ubuntu-latest
-            version: stable-v2.18.4
+            version: stable-v2.17.6
          - os: macos-latest
            version: stable-v2.18.4
          - os: ubuntu-latest
-            version: stable-v2.19.4
+            version: stable-v2.18.4
          - os: macos-latest
            version: stable-v2.19.4
          - os: ubuntu-latest
-            version: stable-v2.20.7
+            version: stable-v2.19.4
          - os: macos-latest
            version: stable-v2.20.7
          - os: ubuntu-latest
-            version: stable-v2.21.4
+            version: stable-v2.20.7
          - os: macos-latest
            version: stable-v2.21.4
          - os: ubuntu-latest
-            version: stable-v2.22.4
+            version: stable-v2.21.4
          - os: macos-latest
            version: stable-v2.22.4
          - os: ubuntu-latest
-            version: default
+            version: stable-v2.22.4
          - os: macos-latest
            version: default
          - os: ubuntu-latest
-            version: linked
+            version: default
          - os: macos-latest
            version: linked
          - os: ubuntu-latest
+            version: linked
+          - os: macos-latest
            version: nightly-latest
-          - os: macos-latest
+          - os: ubuntu-latest
            version: nightly-latest
    name: Multi-language repository
    if: github.triggering_actor != 'dependabot[bot]'
@@ -105,15 +116,6 @@ jobs:
    steps:
      - name: Check out repository
        uses: actions/checkout@v6
-      - name: Install .NET
-        uses: actions/setup-dotnet@v5
-        with:
-          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
-      - name: Install Go
-        uses: actions/setup-go@v6
-        with:
-          go-version: ${{ inputs.go-version || '>=1.21.0' }}
-          cache: false
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -121,14 +123,20 @@ jobs:
          version: ${{ matrix.version }}
          use-all-platform-bundle: 'false'
          setup-kotlin: 'true'
-      - name: Install Python 3.13 for older CLI versions
-        # We need Python 3.13 for older CLI versions because they are not compatible with Python 3.14 or newer.
-        # See https://github.com/github/codeql-action/pull/3212
-        if: matrix.version != 'nightly-latest' && matrix.version != 'linked'
+      - name: Install Go
+        uses: actions/setup-go@v6
+        with:
+          go-version: ${{ inputs.go-version || '>=1.21.0' }}
+          cache: false
+      - name: Install Python
+        if: matrix.version != 'nightly-latest'
        uses: actions/setup-python@v6
        with:
-          python-version: '3.13'
-
+          python-version: ${{ inputs.python-version || '3.13' }}
+      - name: Install .NET
+        uses: actions/setup-dotnet@v5
+        with:
+          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - name: Use Xcode 16
        if: runner.os == 'macOS' && matrix.version != 'nightly-latest'
        run: sudo xcode-select -s "/Applications/Xcode_16.app"
@@ -136,8 +144,9 @@ jobs:
      - uses: ./../action/init
        id: init
        with:
-          db-location: '${{ runner.temp }}/customDbLocation'
-          languages: ${{ runner.os == 'Linux' && 'cpp,csharp,go,java,javascript,python,ruby' || '' }}
+          db-location: ${{ runner.temp }}/customDbLocation
+          languages: ${{ runner.os == 'Linux' && 'cpp,csharp,go,java,javascript,python,ruby'
+            || '' }}
          tools: ${{ steps.prepare-test.outputs.tools-url }}

      - name: Build code
@@ -25,34 +25,45 @@ on:
    - cron: '0 5 * * *'
  workflow_dispatch:
    inputs:
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
      go-version:
        type: string
        description: The version of Go to install
        required: false
        default: '>=1.21.0'
+      python-version:
+        type: string
+        description: The version of Python to install
+        required: false
+        default: '3.13'
+      dotnet-version:
+        type: string
+        description: The version of .NET to install
+        required: false
+        default: 9.x
  workflow_call:
    inputs:
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
      go-version:
        type: string
        description: The version of Go to install
        required: false
        default: '>=1.21.0'
+      python-version:
+        type: string
+        description: The version of Python to install
+        required: false
+        default: '3.13'
+      dotnet-version:
+        type: string
+        description: The version of .NET to install
+        required: false
+        default: 9.x
 defaults:
  run:
    shell: bash
 concurrency:
  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: packaging-codescanning-config-inputs-js-${{github.ref}}-${{inputs.dotnet-version}}-${{inputs.go-version}}
+  group:
+    packaging-codescanning-config-inputs-js-${{github.ref}}-${{inputs.go-version}}-${{inputs.python-version}}-${{inputs.dotnet-version}}
 jobs:
  packaging-codescanning-config-inputs-js:
    strategy:
@@ -75,15 +86,6 @@ jobs:
    steps:
      - name: Check out repository
        uses: actions/checkout@v6
-      - name: Install .NET
-        uses: actions/setup-dotnet@v5
-        with:
-          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
-      - name: Install Go
-        uses: actions/setup-go@v6
-        with:
-          go-version: ${{ inputs.go-version || '>=1.21.0' }}
-          cache: false
      - name: Install Node.js
        uses: actions/setup-node@v6
        with:
@@ -98,9 +100,23 @@ jobs:
          version: ${{ matrix.version }}
          use-all-platform-bundle: 'false'
          setup-kotlin: 'true'
+      - name: Install Go
+        uses: actions/setup-go@v6
+        with:
+          go-version: ${{ inputs.go-version || '>=1.21.0' }}
+          cache: false
+      - name: Install Python
+        if: matrix.version != 'nightly-latest'
+        uses: actions/setup-python@v6
+        with:
+          python-version: ${{ inputs.python-version || '3.13' }}
+      - name: Install .NET
+        uses: actions/setup-dotnet@v5
+        with:
+          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - uses: ./../action/init
        with:
-          config-file: '.github/codeql/codeql-config-packaging3.yml'
+          config-file: .github/codeql/codeql-config-packaging3.yml
          packs: +codeql-testing/codeql-pack1@1.0.0
          languages: javascript
          tools: ${{ steps.prepare-test.outputs.tools-url }}
@@ -108,14 +124,15 @@ jobs:
        run: ./build.sh
      - uses: ./../action/analyze
        with:
-          output: '${{ runner.temp }}/results'
+          output: ${{ runner.temp }}/results
          upload-database: false

      - name: Check results
        uses: ./../action/.github/actions/check-sarif
        with:
          sarif-file: ${{ runner.temp }}/results/javascript.sarif
-          queries-run: javascript/example/empty-or-one-block,javascript/example/empty-or-one-block,javascript/example/other-query-block,javascript/example/two-block
+          queries-run:
+            javascript/example/empty-or-one-block,javascript/example/empty-or-one-block,javascript/example/other-query-block,javascript/example/two-block
          queries-not-run: foo,bar

      - name: Assert Results
@@ -25,34 +25,35 @@ on:
    - cron: '0 5 * * *'
  workflow_dispatch:
    inputs:
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
      go-version:
        type: string
        description: The version of Go to install
        required: false
        default: '>=1.21.0'
+      dotnet-version:
+        type: string
+        description: The version of .NET to install
+        required: false
+        default: 9.x
  workflow_call:
    inputs:
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
      go-version:
        type: string
        description: The version of Go to install
        required: false
        default: '>=1.21.0'
+      dotnet-version:
+        type: string
+        description: The version of .NET to install
+        required: false
+        default: 9.x
 defaults:
  run:
    shell: bash
 concurrency:
  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: packaging-config-inputs-js-${{github.ref}}-${{inputs.dotnet-version}}-${{inputs.go-version}}
+  group:
+    packaging-config-inputs-js-${{github.ref}}-${{inputs.go-version}}-${{inputs.dotnet-version}}
 jobs:
  packaging-config-inputs-js:
    strategy:
@@ -75,15 +76,6 @@ jobs:
    steps:
      - name: Check out repository
        uses: actions/checkout@v6
-      - name: Install .NET
-        uses: actions/setup-dotnet@v5
-        with:
-          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
-      - name: Install Go
-        uses: actions/setup-go@v6
-        with:
-          go-version: ${{ inputs.go-version || '>=1.21.0' }}
-          cache: false
      - name: Install Node.js
        uses: actions/setup-node@v6
        with:
@@ -98,9 +90,18 @@ jobs:
          version: ${{ matrix.version }}
          use-all-platform-bundle: 'false'
          setup-kotlin: 'true'
+      - name: Install Go
+        uses: actions/setup-go@v6
+        with:
+          go-version: ${{ inputs.go-version || '>=1.21.0' }}
+          cache: false
+      - name: Install .NET
+        uses: actions/setup-dotnet@v5
+        with:
+          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - uses: ./../action/init
        with:
-          config-file: '.github/codeql/codeql-config-packaging3.yml'
+          config-file: .github/codeql/codeql-config-packaging3.yml
          packs: +codeql-testing/codeql-pack1@1.0.0
          languages: javascript
          tools: ${{ steps.prepare-test.outputs.tools-url }}
@@ -108,14 +109,15 @@ jobs:
        run: ./build.sh
      - uses: ./../action/analyze
        with:
-          output: '${{ runner.temp }}/results'
+          output: ${{ runner.temp }}/results
          upload-database: false

      - name: Check results
        uses: ./../action/.github/actions/check-sarif
        with:
          sarif-file: ${{ runner.temp }}/results/javascript.sarif
-          queries-run: javascript/example/empty-or-one-block,javascript/example/empty-or-one-block,javascript/example/other-query-block,javascript/example/two-block
+          queries-run:
+            javascript/example/empty-or-one-block,javascript/example/empty-or-one-block,javascript/example/other-query-block,javascript/example/two-block
          queries-not-run: foo,bar

      - name: Assert Results
@@ -25,34 +25,35 @@ on:
    - cron: '0 5 * * *'
  workflow_dispatch:
    inputs:
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
      go-version:
        type: string
        description: The version of Go to install
        required: false
        default: '>=1.21.0'
+      dotnet-version:
+        type: string
+        description: The version of .NET to install
+        required: false
+        default: 9.x
  workflow_call:
    inputs:
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
      go-version:
        type: string
        description: The version of Go to install
        required: false
        default: '>=1.21.0'
+      dotnet-version:
+        type: string
+        description: The version of .NET to install
+        required: false
+        default: 9.x
 defaults:
  run:
    shell: bash
 concurrency:
  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: packaging-config-js-${{github.ref}}-${{inputs.dotnet-version}}-${{inputs.go-version}}
+  group:
+    packaging-config-js-${{github.ref}}-${{inputs.go-version}}-${{inputs.dotnet-version}}
 jobs:
  packaging-config-js:
    strategy:
@@ -75,15 +76,6 @@ jobs:
    steps:
      - name: Check out repository
        uses: actions/checkout@v6
-      - name: Install .NET
-        uses: actions/setup-dotnet@v5
-        with:
-          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
-      - name: Install Go
-        uses: actions/setup-go@v6
-        with:
-          go-version: ${{ inputs.go-version || '>=1.21.0' }}
-          cache: false
      - name: Install Node.js
        uses: actions/setup-node@v6
        with:
@@ -98,23 +90,33 @@ jobs:
          version: ${{ matrix.version }}
          use-all-platform-bundle: 'false'
          setup-kotlin: 'true'
+      - name: Install Go
+        uses: actions/setup-go@v6
+        with:
+          go-version: ${{ inputs.go-version || '>=1.21.0' }}
+          cache: false
+      - name: Install .NET
+        uses: actions/setup-dotnet@v5
+        with:
+          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - uses: ./../action/init
        with:
-          config-file: '.github/codeql/codeql-config-packaging.yml'
+          config-file: .github/codeql/codeql-config-packaging.yml
          languages: javascript
          tools: ${{ steps.prepare-test.outputs.tools-url }}
      - name: Build code
        run: ./build.sh
      - uses: ./../action/analyze
        with:
-          output: '${{ runner.temp }}/results'
+          output: ${{ runner.temp }}/results
          upload-database: false

      - name: Check results
        uses: ./../action/.github/actions/check-sarif
        with:
          sarif-file: ${{ runner.temp }}/results/javascript.sarif
-          queries-run: javascript/example/empty-or-one-block,javascript/example/empty-or-one-block,javascript/example/other-query-block,javascript/example/two-block
+          queries-run:
+            javascript/example/empty-or-one-block,javascript/example/empty-or-one-block,javascript/example/other-query-block,javascript/example/two-block
          queries-not-run: foo,bar

      - name: Assert Results
@@ -25,34 +25,35 @@ on:
    - cron: '0 5 * * *'
  workflow_dispatch:
    inputs:
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
      go-version:
        type: string
        description: The version of Go to install
        required: false
        default: '>=1.21.0'
+      dotnet-version:
+        type: string
+        description: The version of .NET to install
+        required: false
+        default: 9.x
  workflow_call:
    inputs:
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
      go-version:
        type: string
        description: The version of Go to install
        required: false
        default: '>=1.21.0'
+      dotnet-version:
+        type: string
+        description: The version of .NET to install
+        required: false
+        default: 9.x
 defaults:
  run:
    shell: bash
 concurrency:
  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: packaging-inputs-js-${{github.ref}}-${{inputs.dotnet-version}}-${{inputs.go-version}}
+  group:
+    packaging-inputs-js-${{github.ref}}-${{inputs.go-version}}-${{inputs.dotnet-version}}
 jobs:
  packaging-inputs-js:
    strategy:
@@ -75,15 +76,6 @@ jobs:
    steps:
      - name: Check out repository
        uses: actions/checkout@v6
-      - name: Install .NET
-        uses: actions/setup-dotnet@v5
-        with:
-          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
-      - name: Install Go
-        uses: actions/setup-go@v6
-        with:
-          go-version: ${{ inputs.go-version || '>=1.21.0' }}
-          cache: false
      - name: Install Node.js
        uses: actions/setup-node@v6
        with:
@@ -98,9 +90,18 @@ jobs:
          version: ${{ matrix.version }}
          use-all-platform-bundle: 'false'
          setup-kotlin: 'true'
+      - name: Install Go
+        uses: actions/setup-go@v6
+        with:
+          go-version: ${{ inputs.go-version || '>=1.21.0' }}
+          cache: false
+      - name: Install .NET
+        uses: actions/setup-dotnet@v5
+        with:
+          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - uses: ./../action/init
        with:
-          config-file: '.github/codeql/codeql-config-packaging2.yml'
+          config-file: .github/codeql/codeql-config-packaging2.yml
          languages: javascript
          packs: codeql-testing/codeql-pack1@1.0.0, codeql-testing/codeql-pack2, codeql-testing/codeql-pack3:other-query.ql
          tools: ${{ steps.prepare-test.outputs.tools-url }}
@@ -108,13 +109,14 @@ jobs:
        run: ./build.sh
      - uses: ./../action/analyze
        with:
-          output: '${{ runner.temp }}/results'
+          output: ${{ runner.temp }}/results

      - name: Check results
        uses: ./../action/.github/actions/check-sarif
        with:
          sarif-file: ${{ runner.temp }}/results/javascript.sarif
-          queries-run: javascript/example/empty-or-one-block,javascript/example/empty-or-one-block,javascript/example/other-query-block,javascript/example/two-block
+          queries-run:
+            javascript/example/empty-or-one-block,javascript/example/empty-or-one-block,javascript/example/other-query-block,javascript/example/two-block
          queries-not-run: foo,bar

      - name: Assert Results
@@ -25,34 +25,45 @@ on:
    - cron: '0 5 * * *'
  workflow_dispatch:
    inputs:
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
      go-version:
        type: string
        description: The version of Go to install
        required: false
        default: '>=1.21.0'
+      python-version:
+        type: string
+        description: The version of Python to install
+        required: false
+        default: '3.13'
+      dotnet-version:
+        type: string
+        description: The version of .NET to install
+        required: false
+        default: 9.x
  workflow_call:
    inputs:
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
      go-version:
        type: string
        description: The version of Go to install
        required: false
        default: '>=1.21.0'
+      python-version:
+        type: string
+        description: The version of Python to install
+        required: false
+        default: '3.13'
+      dotnet-version:
+        type: string
+        description: The version of .NET to install
+        required: false
+        default: 9.x
 defaults:
  run:
    shell: bash
 concurrency:
  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: remote-config-${{github.ref}}-${{inputs.dotnet-version}}-${{inputs.go-version}}
+  group:
+    remote-config-${{github.ref}}-${{inputs.go-version}}-${{inputs.python-version}}-${{inputs.dotnet-version}}
 jobs:
  remote-config:
    strategy:
@@ -73,15 +84,6 @@ jobs:
    steps:
      - name: Check out repository
        uses: actions/checkout@v6
-      - name: Install .NET
-        uses: actions/setup-dotnet@v5
-        with:
-          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
-      - name: Install Go
-        uses: actions/setup-go@v6
-        with:
-          go-version: ${{ inputs.go-version || '>=1.21.0' }}
-          cache: false
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -89,11 +91,26 @@ jobs:
          version: ${{ matrix.version }}
          use-all-platform-bundle: 'false'
          setup-kotlin: 'true'
+      - name: Install Go
+        uses: actions/setup-go@v6
+        with:
+          go-version: ${{ inputs.go-version || '>=1.21.0' }}
+          cache: false
+      - name: Install Python
+        if: matrix.version != 'nightly-latest'
+        uses: actions/setup-python@v6
+        with:
+          python-version: ${{ inputs.python-version || '3.13' }}
+      - name: Install .NET
+        uses: actions/setup-dotnet@v5
+        with:
+          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - uses: ./../action/init
        with:
          tools: ${{ steps.prepare-test.outputs.tools-url }}
          languages: cpp,csharp,java,javascript,python
-          config-file: ${{ github.repository }}/tests/multi-language-repo/.github/codeql/custom-queries.yml@${{ github.sha }}
+          config-file: ${{ github.repository }}/tests/multi-language-repo/.github/codeql/custom-queries.yml@${{
+            github.sha }}
      - name: Build code
        run: ./build.sh
      - uses: ./../action/analyze
@@ -39,10 +39,10 @@ jobs:
      fail-fast: false
      matrix:
        include:
-          - os: ubuntu-latest
-            version: linked
          - os: ubuntu-latest
            version: default
+          - os: ubuntu-latest
+            version: linked
          - os: ubuntu-latest
            version: nightly-latest
    name: Resolve environment
@@ -84,7 +84,8 @@ jobs:
          language: javascript-typescript

      - name: Fail if JavaScript/TypeScript configuration present
-        if: fromJSON(steps.resolve-environment-js.outputs.environment).configuration.javascript
+        if:
+          fromJSON(steps.resolve-environment-js.outputs.environment).configuration.javascript
        run: exit 1
    env:
      CODEQL_ACTION_TEST_MODE: true
@@ -25,34 +25,34 @@ on:
    - cron: '0 5 * * *'
  workflow_dispatch:
    inputs:
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
      go-version:
        type: string
        description: The version of Go to install
        required: false
        default: '>=1.21.0'
+      dotnet-version:
+        type: string
+        description: The version of .NET to install
+        required: false
+        default: 9.x
  workflow_call:
    inputs:
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
      go-version:
        type: string
        description: The version of Go to install
        required: false
        default: '>=1.21.0'
+      dotnet-version:
+        type: string
+        description: The version of .NET to install
+        required: false
+        default: 9.x
 defaults:
  run:
    shell: bash
 concurrency:
  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: split-workflow-${{github.ref}}-${{inputs.dotnet-version}}-${{inputs.go-version}}
+  group: split-workflow-${{github.ref}}-${{inputs.go-version}}-${{inputs.dotnet-version}}
 jobs:
  split-workflow:
    strategy:
@@ -81,15 +81,6 @@ jobs:
    steps:
      - name: Check out repository
        uses: actions/checkout@v6
-      - name: Install .NET
-        uses: actions/setup-dotnet@v5
-        with:
-          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
-      - name: Install Go
-        uses: actions/setup-go@v6
-        with:
-          go-version: ${{ inputs.go-version || '>=1.21.0' }}
-          cache: false
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -97,9 +88,18 @@ jobs:
          version: ${{ matrix.version }}
          use-all-platform-bundle: 'false'
          setup-kotlin: 'true'
+      - name: Install Go
+        uses: actions/setup-go@v6
+        with:
+          go-version: ${{ inputs.go-version || '>=1.21.0' }}
+          cache: false
+      - name: Install .NET
+        uses: actions/setup-dotnet@v5
+        with:
+          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - uses: ./../action/init
        with:
-          config-file: '.github/codeql/codeql-config-packaging3.yml'
+          config-file: .github/codeql/codeql-config-packaging3.yml
          packs: +codeql-testing/codeql-pack1@1.0.0
          languages: javascript
          tools: ${{ steps.prepare-test.outputs.tools-url }}
@@ -108,7 +108,7 @@ jobs:
      - uses: ./../action/analyze
        with:
          skip-queries: true
-          output: '${{ runner.temp }}/results'
+          output: ${{ runner.temp }}/results
          upload-database: false

      - name: Assert No Results
@@ -119,7 +119,7 @@ jobs:
          fi
      - uses: ./../action/analyze
        with:
-          output: '${{ runner.temp }}/results'
+          output: ${{ runner.temp }}/results
          upload-database: false
      - name: Assert Results
        run: |
@@ -71,7 +71,8 @@ jobs:
        id: proxy
        uses: ./../action/start-proxy
        with:
-          registry_secrets: '[{ "type": "nuget_feed", "url": "https://api.nuget.org/v3/index.json" }]'
+          registry_secrets: '[{ "type": "nuget_feed", "url": "https://api.nuget.org/v3/index.json"
+            }]'

      - name: Print proxy outputs
        run: |
@@ -80,7 +81,8 @@ jobs:
          echo "${{ steps.proxy.outputs.proxy_urls }}"

      - name: Fail if proxy outputs are not set
-        if: (!steps.proxy.outputs.proxy_host) || (!steps.proxy.outputs.proxy_port) || (!steps.proxy.outputs.proxy_ca_certificate) || (!steps.proxy.outputs.proxy_urls)
+        if: (!steps.proxy.outputs.proxy_host) || (!steps.proxy.outputs.proxy_port)
+          || (!steps.proxy.outputs.proxy_ca_certificate) || (!steps.proxy.outputs.proxy_urls)
        run: exit 1
    env:
      CODEQL_ACTION_TEST_MODE: true
@@ -49,7 +49,8 @@ jobs:
    if: github.triggering_actor != 'dependabot[bot]'
    permissions:
      contents: read
-      security-events: write
+      security-events: write # needed to upload the SARIF file
+
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
@@ -68,20 +69,26 @@ jobs:
          languages: javascript
          tools: ${{ steps.prepare-test.outputs.tools-url }}
      - name: Fail
-        # We want this job to pass if the Action correctly uploads the SARIF file for
-        # the failed run.
-        # Setting this step to continue on error means that it is marked as completing
-        # successfully, so will not fail the job.
+    # We want this job to pass if the Action correctly uploads the SARIF file for
+    # the failed run.
+    # Setting this step to continue on error means that it is marked as completing
+    # successfully, so will not fail the job.
        continue-on-error: true
        run: exit 1
      - uses: ./analyze
-        # In a real workflow, this step wouldn't run. Since we used `continue-on-error`
-        # above, we manually disable it with an `if` condition.
+    # In a real workflow, this step wouldn't run. Since we used `continue-on-error`
+    # above, we manually disable it with an `if` condition.
        if: false
        with:
-          category: '/test-codeql-version:${{ matrix.version }}'
+          category: /test-codeql-version:${{ matrix.version }}
    env:
+  # Internal-only environment variable used to indicate that the post-init Action
+  # should expect to upload a SARIF file for the failed run.
      CODEQL_ACTION_EXPECT_UPLOAD_FAILED_SARIF: true
+  # Make sure the uploading SARIF files feature is enabled.
      CODEQL_ACTION_UPLOAD_FAILED_SARIF: true
+  # Upload the failed SARIF file as an integration test of the API endpoint.
      CODEQL_ACTION_TEST_MODE: false
+  # Mark telemetry for this workflow so it can be treated separately.
      CODEQL_ACTION_TESTING_ENVIRONMENT: codeql-action-pr-checks
+
@@ -25,34 +25,35 @@ on:
    - cron: '0 5 * * *'
  workflow_dispatch:
    inputs:
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
      go-version:
        type: string
        description: The version of Go to install
        required: false
        default: '>=1.21.0'
+      dotnet-version:
+        type: string
+        description: The version of .NET to install
+        required: false
+        default: 9.x
  workflow_call:
    inputs:
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
      go-version:
        type: string
        description: The version of Go to install
        required: false
        default: '>=1.21.0'
+      dotnet-version:
+        type: string
+        description: The version of .NET to install
+        required: false
+        default: 9.x
 defaults:
  run:
    shell: bash
 concurrency:
  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: swift-custom-build-${{github.ref}}-${{inputs.dotnet-version}}-${{inputs.go-version}}
+  group:
+    swift-custom-build-${{github.ref}}-${{inputs.go-version}}-${{inputs.dotnet-version}}
 jobs:
  swift-custom-build:
    strategy:
@@ -75,15 +76,6 @@ jobs:
    steps:
      - name: Check out repository
        uses: actions/checkout@v6
-      - name: Install .NET
-        uses: actions/setup-dotnet@v5
-        with:
-          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
-      - name: Install Go
-        uses: actions/setup-go@v6
-        with:
-          go-version: ${{ inputs.go-version || '>=1.21.0' }}
-          cache: false
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -91,6 +83,15 @@ jobs:
          version: ${{ matrix.version }}
          use-all-platform-bundle: 'false'
          setup-kotlin: 'true'
+      - name: Install Go
+        uses: actions/setup-go@v6
+        with:
+          go-version: ${{ inputs.go-version || '>=1.21.0' }}
+          cache: false
+      - name: Install .NET
+        uses: actions/setup-dotnet@v5
+        with:
+          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - name: Use Xcode 16
        if: runner.os == 'macOS' && matrix.version != 'nightly-latest'
        run: sudo xcode-select -s "/Applications/Xcode_16.app"
@@ -25,34 +25,45 @@ on:
    - cron: '0 5 * * *'
  workflow_dispatch:
    inputs:
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
      go-version:
        type: string
        description: The version of Go to install
        required: false
        default: '>=1.21.0'
+      python-version:
+        type: string
+        description: The version of Python to install
+        required: false
+        default: '3.13'
+      dotnet-version:
+        type: string
+        description: The version of .NET to install
+        required: false
+        default: 9.x
  workflow_call:
    inputs:
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
      go-version:
        type: string
        description: The version of Go to install
        required: false
        default: '>=1.21.0'
+      python-version:
+        type: string
+        description: The version of Python to install
+        required: false
+        default: '3.13'
+      dotnet-version:
+        type: string
+        description: The version of .NET to install
+        required: false
+        default: 9.x
 defaults:
  run:
    shell: bash
 concurrency:
  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: unset-environment-${{github.ref}}-${{inputs.dotnet-version}}-${{inputs.go-version}}
+  group:
+    unset-environment-${{github.ref}}-${{inputs.go-version}}-${{inputs.python-version}}-${{inputs.dotnet-version}}
 jobs:
  unset-environment:
    strategy:
@@ -73,15 +84,6 @@ jobs:
    steps:
      - name: Check out repository
        uses: actions/checkout@v6
-      - name: Install .NET
-        uses: actions/setup-dotnet@v5
-        with:
-          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
-      - name: Install Go
-        uses: actions/setup-go@v6
-        with:
-          go-version: ${{ inputs.go-version || '>=1.21.0' }}
-          cache: false
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -89,11 +91,25 @@ jobs:
          version: ${{ matrix.version }}
          use-all-platform-bundle: 'false'
          setup-kotlin: 'true'
+      - name: Install Go
+        uses: actions/setup-go@v6
+        with:
+          go-version: ${{ inputs.go-version || '>=1.21.0' }}
+          cache: false
+      - name: Install Python
+        if: matrix.version != 'nightly-latest'
+        uses: actions/setup-python@v6
+        with:
+          python-version: ${{ inputs.python-version || '3.13' }}
+      - name: Install .NET
+        uses: actions/setup-dotnet@v5
+        with:
+          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - uses: ./../action/init
        id: init
        with:
          db-location: ${{ runner.temp }}/customDbLocation
-          # Swift is not supported on Ubuntu so we manually exclude it from the list here
+      # Swift is not supported on Ubuntu so we manually exclude it from the list here
          languages: cpp,csharp,go,java,javascript,python,ruby
          tools: ${{ steps.prepare-test.outputs.tools-url }}
      - name: Build code
@@ -25,34 +25,45 @@ on:
    - cron: '0 5 * * *'
  workflow_dispatch:
    inputs:
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
      go-version:
        type: string
        description: The version of Go to install
        required: false
        default: '>=1.21.0'
+      python-version:
+        type: string
+        description: The version of Python to install
+        required: false
+        default: '3.13'
+      dotnet-version:
+        type: string
+        description: The version of .NET to install
+        required: false
+        default: 9.x
  workflow_call:
    inputs:
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
      go-version:
        type: string
        description: The version of Go to install
        required: false
        default: '>=1.21.0'
+      python-version:
+        type: string
+        description: The version of Python to install
+        required: false
+        default: '3.13'
+      dotnet-version:
+        type: string
+        description: The version of .NET to install
+        required: false
+        default: 9.x
 defaults:
  run:
    shell: bash
 concurrency:
  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: upload-ref-sha-input-${{github.ref}}-${{inputs.dotnet-version}}-${{inputs.go-version}}
+  group:
+    upload-ref-sha-input-${{github.ref}}-${{inputs.go-version}}-${{inputs.python-version}}-${{inputs.dotnet-version}}
 jobs:
  upload-ref-sha-input:
    strategy:
@@ -71,15 +82,6 @@ jobs:
    steps:
      - name: Check out repository
        uses: actions/checkout@v6
-      - name: Install .NET
-        uses: actions/setup-dotnet@v5
-        with:
-          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
-      - name: Install Go
-        uses: actions/setup-go@v6
-        with:
-          go-version: ${{ inputs.go-version || '>=1.21.0' }}
-          cache: false
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -87,22 +89,37 @@ jobs:
          version: ${{ matrix.version }}
          use-all-platform-bundle: 'false'
          setup-kotlin: 'true'
+      - name: Install Go
+        uses: actions/setup-go@v6
+        with:
+          go-version: ${{ inputs.go-version || '>=1.21.0' }}
+          cache: false
+      - name: Install Python
+        if: matrix.version != 'nightly-latest'
+        uses: actions/setup-python@v6
+        with:
+          python-version: ${{ inputs.python-version || '3.13' }}
+      - name: Install .NET
+        uses: actions/setup-dotnet@v5
+        with:
+          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - uses: ./../action/init
        with:
          tools: ${{ steps.prepare-test.outputs.tools-url }}
          languages: cpp,csharp,java,javascript,python
-          config-file: ${{ github.repository }}/tests/multi-language-repo/.github/codeql/custom-queries.yml@${{ github.sha }}
+          config-file: ${{ github.repository }}/tests/multi-language-repo/.github/codeql/custom-queries.yml@${{
+            github.sha }}
      - name: Build code
        run: ./build.sh
-      # Generate some SARIF we can upload with the upload-sarif step
+  # Generate some SARIF we can upload with the upload-sarif step
      - uses: ./../action/analyze
        with:
-          ref: 'refs/heads/main'
-          sha: '5e235361806c361d4d3f8859e3c897658025a9a2'
+          ref: refs/heads/main
+          sha: 5e235361806c361d4d3f8859e3c897658025a9a2
          upload: never
      - uses: ./../action/upload-sarif
        with:
-          ref: 'refs/heads/main'
-          sha: '5e235361806c361d4d3f8859e3c897658025a9a2'
+          ref: refs/heads/main
+          sha: 5e235361806c361d4d3f8859e3c897658025a9a2
    env:
      CODEQL_ACTION_TEST_MODE: true
@@ -25,34 +25,45 @@ on:
    - cron: '0 5 * * *'
  workflow_dispatch:
    inputs:
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
      go-version:
        type: string
        description: The version of Go to install
        required: false
        default: '>=1.21.0'
+      python-version:
+        type: string
+        description: The version of Python to install
+        required: false
+        default: '3.13'
+      dotnet-version:
+        type: string
+        description: The version of .NET to install
+        required: false
+        default: 9.x
  workflow_call:
    inputs:
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
      go-version:
        type: string
        description: The version of Go to install
        required: false
        default: '>=1.21.0'
+      python-version:
+        type: string
+        description: The version of Python to install
+        required: false
+        default: '3.13'
+      dotnet-version:
+        type: string
+        description: The version of .NET to install
+        required: false
+        default: 9.x
 defaults:
  run:
    shell: bash
 concurrency:
  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: upload-sarif-${{github.ref}}-${{inputs.dotnet-version}}-${{inputs.go-version}}
+  group:
+    upload-sarif-${{github.ref}}-${{inputs.go-version}}-${{inputs.python-version}}-${{inputs.dotnet-version}}
 jobs:
  upload-sarif:
    strategy:
@@ -78,15 +89,6 @@ jobs:
    steps:
      - name: Check out repository
        uses: actions/checkout@v6
-      - name: Install .NET
-        uses: actions/setup-dotnet@v5
-        with:
-          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
-      - name: Install Go
-        uses: actions/setup-go@v6
-        with:
-          go-version: ${{ inputs.go-version || '>=1.21.0' }}
-          cache: false
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -94,6 +96,20 @@ jobs:
          version: ${{ matrix.version }}
          use-all-platform-bundle: 'false'
          setup-kotlin: 'true'
+      - name: Install Go
+        uses: actions/setup-go@v6
+        with:
+          go-version: ${{ inputs.go-version || '>=1.21.0' }}
+          cache: false
+      - name: Install Python
+        if: matrix.version != 'nightly-latest'
+        uses: actions/setup-python@v6
+        with:
+          python-version: ${{ inputs.python-version || '3.13' }}
+      - name: Install .NET
+        uses: actions/setup-dotnet@v5
+        with:
+          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - uses: ./../action/init
        with:
          tools: ${{ steps.prepare-test.outputs.tools-url }}
@@ -101,11 +117,11 @@ jobs:
          analysis-kinds: ${{ matrix.analysis-kinds }}
      - name: Build code
        run: ./build.sh
-      # Generate some SARIF we can upload with the upload-sarif step
+  # Generate some SARIF we can upload with the upload-sarif step
      - uses: ./../action/analyze
        with:
-          ref: 'refs/heads/main'
-          sha: '5e235361806c361d4d3f8859e3c897658025a9a2'
+          ref: refs/heads/main
+          sha: 5e235361806c361d4d3f8859e3c897658025a9a2
          upload: never
          output: ${{ runner.temp }}/results

@@ -114,15 +130,15 @@ jobs:
        uses: ./../action/upload-sarif
        id: upload-sarif
        with:
-          ref: 'refs/heads/main'
-          sha: '5e235361806c361d4d3f8859e3c897658025a9a2'
+          ref: refs/heads/main
+          sha: 5e235361806c361d4d3f8859e3c897658025a9a2
          sarif_file: ${{ runner.temp }}/results
          category: |
            ${{ github.workflow }}:upload-sarif/analysis-kinds:${{ matrix.analysis-kinds }}/os:${{ matrix.os }}/version:${{ matrix.version }}/test:all-files/
-      - name: 'Fail for missing output from `upload-sarif` step for `code-scanning`'
+      - name: Fail for missing output from `upload-sarif` step for `code-scanning`
        if: contains(matrix.analysis-kinds, 'code-scanning') && !(fromJSON(steps.upload-sarif.outputs.sarif-ids).code-scanning)
        run: exit 1
-      - name: 'Fail for missing output from `upload-sarif` step for `code-quality`'
+      - name: Fail for missing output from `upload-sarif` step for `code-quality`
        if: contains(matrix.analysis-kinds, 'code-quality') && !(fromJSON(steps.upload-sarif.outputs.sarif-ids).code-quality)
        run: exit 1

@@ -131,26 +147,28 @@ jobs:
        id: upload-single-sarif-code-scanning
        if: contains(matrix.analysis-kinds, 'code-scanning')
        with:
-          ref: 'refs/heads/main'
-          sha: '5e235361806c361d4d3f8859e3c897658025a9a2'
+          ref: refs/heads/main
+          sha: 5e235361806c361d4d3f8859e3c897658025a9a2
          sarif_file: ${{ runner.temp }}/results/javascript.sarif
          category: |
            ${{ github.workflow }}:upload-sarif/analysis-kinds:${{ matrix.analysis-kinds }}/os:${{ matrix.os }}/version:${{ matrix.version }}/test:single-code-scanning/
-      - name: 'Fail for missing output from `upload-single-sarif-code-scanning` step'
-        if: contains(matrix.analysis-kinds, 'code-scanning') && !(fromJSON(steps.upload-single-sarif-code-scanning.outputs.sarif-ids).code-scanning)
+      - name: Fail for missing output from `upload-single-sarif-code-scanning` step
+        if: contains(matrix.analysis-kinds, 'code-scanning') &&
+          !(fromJSON(steps.upload-single-sarif-code-scanning.outputs.sarif-ids).code-scanning)
        run: exit 1
      - name: Upload single SARIF file for Code Quality
        uses: ./../action/upload-sarif
        id: upload-single-sarif-code-quality
        if: contains(matrix.analysis-kinds, 'code-quality')
        with:
-          ref: 'refs/heads/main'
-          sha: '5e235361806c361d4d3f8859e3c897658025a9a2'
+          ref: refs/heads/main
+          sha: 5e235361806c361d4d3f8859e3c897658025a9a2
          sarif_file: ${{ runner.temp }}/results/javascript.quality.sarif
          category: |
            ${{ github.workflow }}:upload-sarif/analysis-kinds:${{ matrix.analysis-kinds }}/os:${{ matrix.os }}/version:${{ matrix.version }}/test:single-code-quality/
-      - name: 'Fail for missing output from `upload-single-sarif-code-quality` step'
-        if: contains(matrix.analysis-kinds, 'code-quality') && !(fromJSON(steps.upload-single-sarif-code-quality.outputs.sarif-ids).code-quality)
+      - name: Fail for missing output from `upload-single-sarif-code-quality` step
+        if: contains(matrix.analysis-kinds, 'code-quality') &&
+          !(fromJSON(steps.upload-single-sarif-code-quality.outputs.sarif-ids).code-quality)
        run: exit 1

      - name: Change SARIF file extension
@@ -161,12 +179,12 @@ jobs:
        id: upload-single-non-sarif
        if: contains(matrix.analysis-kinds, 'code-scanning')
        with:
-          ref: 'refs/heads/main'
-          sha: '5e235361806c361d4d3f8859e3c897658025a9a2'
+          ref: refs/heads/main
+          sha: 5e235361806c361d4d3f8859e3c897658025a9a2
          sarif_file: ${{ runner.temp }}/results/javascript.sarif.json
          category: |
            ${{ github.workflow }}:upload-sarif/analysis-kinds:${{ matrix.analysis-kinds }}/os:${{ matrix.os }}/version:${{ matrix.version }}/test:non-sarif/
-      - name: 'Fail for missing output from `upload-single-non-sarif` step'
+      - name: Fail for missing output from `upload-single-non-sarif` step
        if: contains(matrix.analysis-kinds, 'code-scanning') && !(fromJSON(steps.upload-single-non-sarif.outputs.sarif-ids).code-scanning)
        run: exit 1
    env:
@@ -25,34 +25,45 @@ on:
    - cron: '0 5 * * *'
  workflow_dispatch:
    inputs:
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
      go-version:
        type: string
        description: The version of Go to install
        required: false
        default: '>=1.21.0'
+      python-version:
+        type: string
+        description: The version of Python to install
+        required: false
+        default: '3.13'
+      dotnet-version:
+        type: string
+        description: The version of .NET to install
+        required: false
+        default: 9.x
  workflow_call:
    inputs:
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
      go-version:
        type: string
        description: The version of Go to install
        required: false
        default: '>=1.21.0'
+      python-version:
+        type: string
+        description: The version of Python to install
+        required: false
+        default: '3.13'
+      dotnet-version:
+        type: string
+        description: The version of .NET to install
+        required: false
+        default: 9.x
 defaults:
  run:
    shell: bash
 concurrency:
  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: with-checkout-path-${{github.ref}}-${{inputs.dotnet-version}}-${{inputs.go-version}}
+  group:
+    with-checkout-path-${{github.ref}}-${{inputs.go-version}}-${{inputs.python-version}}-${{inputs.dotnet-version}}
 jobs:
  with-checkout-path:
    strategy:
@@ -69,18 +80,8 @@ jobs:
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
-      # This ensures we don't accidentally use the original checkout for any part of the test.
      - name: Check out repository
        uses: actions/checkout@v6
-      - name: Install .NET
-        uses: actions/setup-dotnet@v5
-        with:
-          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
-      - name: Install Go
-        uses: actions/setup-go@v6
-        with:
-          go-version: ${{ inputs.go-version || '>=1.21.0' }}
-          cache: false
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -88,14 +89,28 @@ jobs:
          version: ${{ matrix.version }}
          use-all-platform-bundle: 'false'
          setup-kotlin: 'true'
+      - name: Install Go
+        uses: actions/setup-go@v6
+        with:
+          go-version: ${{ inputs.go-version || '>=1.21.0' }}
+          cache: false
+      - name: Install Python
+        if: matrix.version != 'nightly-latest'
+        uses: actions/setup-python@v6
+        with:
+          python-version: ${{ inputs.python-version || '3.13' }}
+      - name: Install .NET
+        uses: actions/setup-dotnet@v5
+        with:
+          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - name: Delete original checkout
        run: |
          # delete the original checkout so we don't accidentally use it.
          # Actions does not support deleting the current working directory, so we
          # delete the contents of the directory instead.
          rm -rf ./* .github .git
-      # Check out the actions repo again, but at a different location.
-      # choose an arbitrary SHA so that we can later test that the commit_oid is not from main
+  # Check out the actions repo again, but at a different location.
+  # choose an arbitrary SHA so that we can later test that the commit_oid is not from main
      - uses: actions/checkout@v6
        with:
          ref: 474bbf07f9247ffe1856c6a0f94aeeb10e7afee6
@@ -104,7 +119,7 @@ jobs:
      - uses: ./../action/init
        with:
          tools: ${{ steps.prepare-test.outputs.tools-url }}
-          # it's enough to test one compiled language and one interpreted language
+      # it's enough to test one compiled language and one interpreted language
          languages: csharp,javascript
          source-root: x/y/z/some-path/tests/multi-language-repo

@@ -11,9 +11,6 @@ env:
  CODEQL_ACTION_OVERLAY_ANALYSIS: true
  CODEQL_ACTION_OVERLAY_ANALYSIS_JAVASCRIPT: false
  CODEQL_ACTION_OVERLAY_ANALYSIS_CODE_SCANNING_JAVASCRIPT: true
-  CODEQL_ACTION_OVERLAY_ANALYSIS_CODE_SCANNING_CPP: true
-  CODEQL_ACTION_OVERLAY_ANALYSIS_STATUS_CHECK: false
-  CODEQL_ACTION_OVERLAY_ANALYSIS_SKIP_RESOURCE_CHECKS: true

 on:
  push:
@@ -89,7 +89,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Download all artifacts
-        uses: actions/download-artifact@v8
+        uses: actions/download-artifact@v7
      - name: Check expected artifacts exist
        run: |
          LANGUAGES="cpp csharp go java javascript python"
@@ -83,7 +83,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Download all artifacts
-        uses: actions/download-artifact@v8
+        uses: actions/download-artifact@v7
      - name: Check expected artifacts exist
        run: |
          VERSIONS="stable-v2.20.3 default linked nightly-latest"
@@ -131,7 +131,7 @@ jobs:
          echo "::endgroup::"

      - name: Generate token
-        uses: actions/create-github-app-token@v3.0.0
+        uses: actions/create-github-app-token@v2.2.1
        id: app-token
        with:
          app-id: ${{ vars.AUTOMATION_APP_ID }}
@@ -42,6 +42,11 @@ jobs:
          node-version: ${{ matrix.node-version }}
          cache: 'npm'

+      - name: Set up Python
+        uses: actions/setup-python@v6
+        with:
+          python-version: 3.11
+
      - name: Install dependencies
        run: |
          # Use the system Bash shell to ensure we can run commands like `npm ci`
@@ -52,10 +57,19 @@ jobs:
      - name: Verify compiled JS up to date
        run: .github/workflows/script/check-js.sh

+      - name: Verify PR checks up to date
+        if: always()
+        run: .github/workflows/script/verify-pr-checks.sh
+
      - name: Run unit tests
        if: always()
        run: npm test

+      - name: Run pr-checks tests
+        if: always()
+        working-directory: pr-checks
+        run: python -m unittest discover
+
      - name: Lint
        if: always() && matrix.os != 'windows-latest'
        run: npm run lint-ci
@@ -67,43 +81,6 @@ jobs:
          sarif_file: eslint.sarif
          category: eslint

-  # Verifying the PR checks are up-to-date requires Node 24. The PR checks are not dependent
-  # on the main codebase and therefore do not need to be run as part of the same matrix that
-  # we use for the `unit-tests` job.
-  verify-pr-checks:
-    name: Verify PR checks
-    if: github.triggering_actor != 'dependabot[bot]'
-    permissions:
-      contents: read
-    runs-on: ubuntu-slim
-    timeout-minutes: 10
-
-    steps:
-      - name: Prepare git (Windows)
-        if: runner.os == 'Windows'
-        run: git config --global core.autocrlf false
-
-      - name: Checkout repository
-        uses: actions/checkout@v6
-
-      - name: Set up Node.js
-        uses: actions/setup-node@v6
-        with:
-          node-version: 24
-          cache: 'npm'
-
-      - name: Install dependencies
-        run: npm ci
-
-      - name: Verify PR checks up to date
-        if: always()
-        run: .github/workflows/script/verify-pr-checks.sh
-
-      - name: Run pr-checks tests
-        if: always()
-        working-directory: pr-checks
-        run: npx tsx --test
-
  check-node-version:
    if: github.triggering_actor != 'dependabot[bot]'
    name: Check Action Node versions
@@ -29,12 +29,6 @@ jobs:
          fetch-depth: 0
          ref: ${{ env.HEAD_REF }}

-      - name: Set up Node.js
-        uses: actions/setup-node@v6
-        with:
-          node-version: 24
-          cache: 'npm'
-
      - name: Remove label
        if: github.event_name == 'pull_request'
        env:
@@ -55,18 +49,9 @@ jobs:
          git fetch origin "$BASE_BRANCH"

          # Allow merge conflicts in `lib`, since rebuilding should resolve them.
-          git merge "origin/$BASE_BRANCH"
+          git merge "origin/$BASE_BRANCH" || echo "Merge conflicts detected, continuing."
          MERGE_RESULT=$?

-          if [ "$MERGE_RESULT" -eq 0 ]; then
-            echo "Merge succeeded cleanly."
-          elif [ "$MERGE_RESULT" -eq 1 ]; then
-            echo "Merge conflicts detected (exit code $MERGE_RESULT), continuing."
-          else
-            echo "git merge failed with unexpected exit code $MERGE_RESULT."
-            exit 1
-          fi
-
          if [ "$MERGE_RESULT" -ne 0 ]; then
            echo "merge-in-progress=true" >> $GITHUB_OUTPUT

@@ -88,17 +73,24 @@ jobs:
          npm run lint -- --fix
          npm run build

+      - name: Set up Python
+        uses: actions/setup-python@v6
+        with:
+          python-version: 3.11
+
      - name: Sync back version updates to generated workflows
        # Only sync back versions on Dependabot update PRs
        if: startsWith(env.HEAD_REF, 'dependabot/')
        working-directory: pr-checks
        run: |
-          npm ci
-          npx tsx sync-back.ts --verbose
+          python3 sync_back.py -v

      - name: Generate workflows
        working-directory: pr-checks
-        run: ./sync.sh
+        run: |
+          python -m pip install --upgrade pip
+          pip install ruamel.yaml==0.17.31
+          python3 sync.py

      - name: "Merge in progress: Finish merge and push"
        if: steps.merge.outputs.merge-in-progress == 'true'
@@ -119,7 +111,7 @@ jobs:
            # Otherwise, just commit the changes.
            if git rev-parse --verify MERGE_HEAD >/dev/null 2>&1; then
              echo "In progress merge detected, finishing it up."
-              git commit --no-edit
+              git merge --continue --no-edit
            else
              echo "No in-progress merge detected, committing changes."
              git commit -m "Rebuild"
@@ -136,7 +136,7 @@ jobs:

      - name: Generate token
        if: github.event_name == 'workflow_dispatch'
-        uses: actions/create-github-app-token@v3.0.0
+        uses: actions/create-github-app-token@v2.2.1
        id: app-token
        with:
          app-id: ${{ vars.AUTOMATION_APP_ID }}
@@ -19,7 +19,7 @@ if [ ! -z "$(git status --porcelain)" ]; then
    # If we get a fail here then the PR needs attention
    git diff
    git status
-    >&2 echo "Failed: PR checks are not up to date. Run 'cd pr-checks && ./sync.sh' to update"
+    >&2 echo "Failed: PR checks are not up to date. Run 'cd pr-checks && python3 sync.py' to update"

    echo "### Generated workflows diff" >> $GITHUB_STEP_SUMMARY
    echo "" >> $GITHUB_STEP_SUMMARY
@@ -93,7 +93,7 @@ jobs:
      pull-requests: write # needed to create pull request
    steps:
    - name: Generate token
-      uses: actions/create-github-app-token@v3.0.0
+      uses: actions/create-github-app-token@v2.2.1
      id: app-token
      with:
        app-id: ${{ vars.AUTOMATION_APP_ID }}
@@ -4,27 +4,10 @@ See the [releases page](https://github.com/github/codeql-action/releases) for th

 ## [UNRELEASED]

- Added an experimental change which disables TRAP caching when [improved incremental analysis](https://github.com/github/roadmap/issues/1158) is enabled, since improved incremental analysis supersedes TRAP caching. This will improve performance and reduce Actions cache usage. We expect to roll this change out to everyone in March. [#3569](https://github.com/github/codeql-action/pull/3569)
- We are rolling out improved incremental analysis to C/C++ analyses that use build mode `none`. We expect this rollout to be complete by the end of April 2026. [#3584](https://github.com/github/codeql-action/pull/3584)
- Update default CodeQL bundle version to [2.25.0](https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.25.0). [#3585](https://github.com/github/codeql-action/pull/3585)
-
-## 4.33.0 - 16 Mar 2026
-
- Upcoming change: Starting April 2026, the CodeQL Action will skip collecting file coverage information on pull requests to improve analysis performance. File coverage information will still be computed on non-PR analyses. Pull request analyses will log a warning about this upcoming change. [#3562](https://github.com/github/codeql-action/pull/3562)
-
-  To opt out of this change:
-  - **Repositories owned by an organization:** Create a custom repository property with the name `github-codeql-file-coverage-on-prs` and the type "True/false", then set this property to `true` in the repository's settings. For more information, see [Managing custom properties for repositories in your organization](https://docs.github.com/en/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization). Alternatively, if you are using an advanced setup workflow, you can set the `CODEQL_ACTION_FILE_COVERAGE_ON_PRS` environment variable to `true` in your workflow.
-  - **User-owned repositories using default setup:** Switch to an advanced setup workflow and set the `CODEQL_ACTION_FILE_COVERAGE_ON_PRS` environment variable to `true` in your workflow.
-  - **User-owned repositories using advanced setup:** Set the `CODEQL_ACTION_FILE_COVERAGE_ON_PRS` environment variable to `true` in your workflow.
- Fixed [a bug](https://github.com/github/codeql-action/issues/3555) which caused the CodeQL Action to fail loading repository properties if a "Multi select" repository property was configured for the repository. [#3557](https://github.com/github/codeql-action/pull/3557)
- The CodeQL Action now loads [custom repository properties](https://docs.github.com/en/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization) on GitHub Enterprise Server, enabling the customization of features such as `github-codeql-disable-overlay` that was previously only available on GitHub.com. [#3559](https://github.com/github/codeql-action/pull/3559)
- Once [private package registries](https://docs.github.com/en/code-security/how-tos/secure-at-scale/configure-organization-security/manage-usage-and-access/giving-org-access-private-registries) can be configured with OIDC-based authentication for organizations, the CodeQL Action will now be able to accept such configurations. [#3563](https://github.com/github/codeql-action/pull/3563)
- Fixed the retry mechanism for database uploads. Previously this would fail with the error "Response body object should not be disturbed or locked". [#3564](https://github.com/github/codeql-action/pull/3564)
- A warning is now emitted if the CodeQL Action detects a repository property whose name suggests that it relates to the CodeQL Action, but which is not one of the properties recognised by the current version of the CodeQL Action. [#3570](https://github.com/github/codeql-action/pull/3570)
-
-## 4.32.6 - 05 Mar 2026
-
- Update default CodeQL bundle version to [2.24.3](https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.24.3). [#3548](https://github.com/github/codeql-action/pull/3548)
+- Added an experimental change which disables file coverage information on pull requests to speed up analysis.
+  - If your repository is owned by an organization, you can opt out of this change by setting up the `github-codeql-enable-file-coverage-on-prs` custom repository property as follows. First, create a custom repository property with the name `github-codeql-enable-file-coverage-on-prs` and the type "True/false" in the organization's settings. Then in the repository's settings, set this property to `true`. For more information, see [Managing custom properties for repositories in your organization](https://docs.github.com/en/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization).
+  - If you are using Advanced Setup, you can opt out of this change by setting the `CODEQL_ACTION_ENABLE_FILE_COVERAGE_ON_PRS` environment variable to `true` in your workflow.
+  - If you are using Default Setup to analyze a repository owned by a personal account, you will need to switch to Advanced Setup to opt out of this change. For more information, see [Configuring advanced setup for code scanning](https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/configuring-advanced-setup-for-code-scanning).

 ## 4.32.5 - 02 Mar 2026

@@ -92,7 +92,7 @@ We typically deprecate a version of CodeQL when the GitHub Enterprise Server (GH
 1. Remove support for the old version of CodeQL.
    - Bump `CODEQL_MINIMUM_VERSION` in `src/codeql.ts` to the new minimum version of CodeQL.
    - Remove any code that is only needed to support the old version of CodeQL. This is often behind a version guard, so look for instances of version numbers between the old minimum version and the new minimum version in the codebase. A good place to start is the list of version numbers in `src/codeql.ts`.
-    - Update the default set of CodeQL test versions in `pr-checks/sync.ts`.
+    - Update the default set of CodeQL test versions in `pr-checks/sync.py`.
        - Remove the old minimum version of CodeQL.
        - Add the latest patch release for any new CodeQL minor version series that have shipped in GHES.
        - Run the script to update the generated PR checks.
@@ -1,9 +0,0 @@
-export default {
-  typescript: {
-    rewritePaths: {
-      "src/": "build/",
-    },
-    compile: false,
-  },
-  require: ["./ava.setup.mjs"],
-};
@@ -1,3 +0,0 @@
-import pkg from "./package.json" with { type: "json" };
-
-globalThis.__CODEQL_ACTION_VERSION__ = pkg.version;
@@ -5,8 +5,6 @@ import { fileURLToPath } from "node:url";
 import * as esbuild from "esbuild";
 import { globSync } from "glob";

-import pkg from "./package.json" with { type: "json" };
-
 const __filename = fileURLToPath(import.meta.url);
 const __dirname = dirname(__filename);

@@ -15,7 +13,7 @@ const OUT_DIR = join(__dirname, "lib");

 /**
 * Clean the output directory before building.
- *
+ * 
 * @type {esbuild.Plugin}
 */
 const cleanPlugin = {
@@ -29,7 +27,7 @@ const cleanPlugin = {

 /**
 * Copy defaults.json to the output directory since other projects depend on it.
- *
+ * 
 * @type {esbuild.Plugin}
 */
 const copyDefaultsPlugin = {
@@ -71,9 +69,6 @@ const context = await esbuild.context({
  platform: "node",
  plugins: [cleanPlugin, copyDefaultsPlugin, onEndPlugin],
  target: ["node20"],
-  define: {
-    __CODEQL_ACTION_VERSION__: JSON.stringify(pkg.version),
-  },
 });

 await context.rebuild();
@@ -19,8 +19,6 @@ export default [
      "src/testdata/**/*",
      "tests/**/*",
      "build.mjs",
-      "ava.config.mjs",
-      "ava.setup.mjs",
      "eslint.config.mjs",
      ".github/**/*",
    ],
@@ -162,36 +160,10 @@ export default [
      "@typescript-eslint/no-unused-vars": [
        "error",
        {
-          "args": "all",
          "argsIgnorePattern": "^_",
        }
      ],
      "func-style": "off",
    },
  },
-  {
-    files: ["pr-checks/**/*.ts"],
-
-    languageOptions: {
-      parserOptions: {
-        // Use the correct `tsconfig.json` for `pr-checks`.
-        project: "./pr-checks/tsconfig.json",
-      },
-    },
-
-    rules: {
-      // The scripts in `pr-checks` are expected to output to the console.
-      "no-console": "off",
-
-      "@typescript-eslint/no-floating-promises": [
-        "error",
-        {
-          allowForKnownSafeCalls: [
-            // Avoid needing explicit `void` in front of `describe` calls in test files.
-            { from: "package", name: ["describe"], package: "node:test" },
-          ],
-        },
-      ],
-    },
-  },
 ];
@@ -159,11 +159,6 @@ inputs:
    description: >-
      Explicitly enable or disable caching of project build dependencies.
    required: false
-  check-run-id:
-    description: >-
-      [Internal] The ID of the check run, as provided by the Actions runtime environment. Do not set this value manually.
-    default: ${{ job.check_run_id }}
-    required: false
 outputs:
  codeql-path:
    description: The path of the CodeQL binary used for analysis
@@ -1,6 +1,6 @@
 {
-  "bundleVersion": "codeql-bundle-v2.25.0",
-  "cliVersion": "2.25.0",
-  "priorBundleVersion": "codeql-bundle-v2.24.3",
-  "priorCliVersion": "2.24.3"
+  "bundleVersion": "codeql-bundle-v2.24.2",
+  "cliVersion": "2.24.2",
+  "priorBundleVersion": "codeql-bundle-v2.24.1",
+  "priorCliVersion": "2.24.1"
 }
@@ -1,6 +1,6 @@
 {
  "name": "codeql",
-  "version": "4.34.0",
+  "version": "4.32.6",
  "private": true,
  "description": "CodeQL action",
  "scripts": {
@@ -9,15 +9,20 @@
    "lint": "eslint --report-unused-disable-directives --max-warnings=0 .",
    "lint-ci": "SARIF_ESLINT_IGNORE_SUPPRESSED=true eslint --report-unused-disable-directives --max-warnings=0 . --format @microsoft/eslint-formatter-sarif --output-file=eslint.sarif",
    "lint-fix": "eslint --report-unused-disable-directives --max-warnings=0 . --fix",
-    "ava": "npm run transpile && ava --verbose",
+    "ava": "npm run transpile && ava --serial --verbose",
    "test": "npm run ava -- src/",
    "test-debug": "npm run test -- --timeout=20m",
    "transpile": "tsc --build --verbose"
  },
+  "ava": {
+    "typescript": {
+      "rewritePaths": {
+        "src/": "build/"
+      },
+      "compile": false
+    }
+  },
  "license": "MIT",
-  "workspaces": [
-    "pr-checks"
-  ],
  "dependencies": {
    "@actions/artifact": "^5.0.3",
    "@actions/artifact-legacy": "npm:@actions/artifact@^1.1.2",
@@ -45,7 +50,7 @@
  },
  "devDependencies": {
    "@ava/typescript": "6.0.0",
-    "@eslint/compat": "^2.0.3",
+    "@eslint/compat": "^2.0.2",
    "@microsoft/eslint-formatter-sarif": "^3.1.0",
    "@octokit/types": "^16.0.0",
    "@types/archiver": "^7.0.0",
@@ -53,23 +58,22 @@
    "@types/js-yaml": "^4.0.9",
    "@types/node": "^20.19.9",
    "@types/node-forge": "^1.3.14",
-    "@types/sarif": "^2.1.7",
    "@types/semver": "^7.7.1",
    "@types/sinon": "^21.0.0",
-    "ava": "^7.0.0",
+    "ava": "^6.4.1",
    "esbuild": "^0.27.3",
    "eslint": "^9.39.2",
    "eslint-import-resolver-typescript": "^3.8.7",
    "eslint-plugin-github": "^6.0.0",
    "eslint-plugin-import-x": "^4.16.1",
-    "eslint-plugin-jsdoc": "^62.7.1",
+    "eslint-plugin-jsdoc": "^62.6.0",
    "eslint-plugin-no-async-foreach": "^0.1.1",
    "glob": "^11.1.0",
-    "globals": "^17.4.0",
+    "globals": "^17.3.0",
    "nock": "^14.0.11",
-    "sinon": "^21.0.2",
+    "sinon": "^21.0.1",
    "typescript": "^5.9.3",
-    "typescript-eslint": "^8.57.0"
+    "typescript-eslint": "^8.56.0"
  },
  "overrides": {
    "@actions/tool-cache": {
@@ -1 +1,3 @@
-node_modules/
+env
+__pycache__/
+*.pyc
@@ -1,11 +1,7 @@
 name: "All-platform bundle"
 description: "Tests using an all-platform CodeQL Bundle"
-operatingSystems:
-  - ubuntu
-  - macos
-  - windows
-versions:
-  - nightly-latest
+operatingSystems: ["ubuntu", "macos", "windows"]
+versions: ["nightly-latest"]
 useAllPlatformBundle: "true"
 installGo: true
 installDotNet: true
@@ -1,13 +1,7 @@
 name: "Analysis kinds"
 description: "Tests basic functionality for different `analysis-kinds` inputs."
-versions:
-  - linked
-  - nightly-latest
-analysisKinds:
-  - code-scanning
-  - code-quality
-  - code-scanning,code-quality
-  - risk-assessment
+versions: ["linked", "nightly-latest"]
+analysisKinds: ["code-scanning", "code-quality", "code-scanning,code-quality", "risk-assessment"]
 env:
  CODEQL_ACTION_RISK_ASSESSMENT_ID: 1
  CHECK_SCRIPT: |
@@ -46,7 +40,7 @@ steps:
      post-processed-sarif-path: "${{ runner.temp }}/post-processed"

  - name: Upload SARIF files
-    uses: actions/upload-artifact@v7
+    uses: actions/upload-artifact@v6
    with:
      name: |
        analysis-kinds-${{ matrix.os }}-${{ matrix.version }}-${{ matrix.analysis-kinds }}
@@ -54,7 +48,7 @@ steps:
      retention-days: 7

  - name: Upload post-processed SARIF
-    uses: actions/upload-artifact@v7
+    uses: actions/upload-artifact@v6
    with:
      name: |
        post-processed-${{ matrix.os }}-${{ matrix.version }}-${{ matrix.analysis-kinds }}
@@ -1,8 +1,8 @@
 name: "Analyze: 'ref' and 'sha' from inputs"
 description: "Checks that specifying 'ref' and 'sha' as inputs works"
-versions:
-  - default
+versions: ["default"]
 installGo: true
+installPython: true
 installDotNet: true
 steps:
  - uses: ./../action/init
@@ -1,11 +1,7 @@
 name: "autobuild-action"
 description: "Tests that the C# autobuild action works"
-operatingSystems:
-  - ubuntu
-  - macos
-  - windows
-versions:
-  - linked
+operatingSystems: ["ubuntu", "macos", "windows"]
+versions: ["linked"]
 installDotNet: true
 steps:
  - uses: ./../action/init
@@ -3,13 +3,9 @@ description: >
  An end-to-end integration test of a Java repository built using 'build-mode: autobuild',
  with direct tracing enabled and a custom working directory specified as the input to the
  autobuild Action.
-operatingSystems:
-  - ubuntu
-  - windows
-versions:
-  - linked
-  - nightly-latest
-installJava: true
+operatingSystems: ["ubuntu", "windows"]
+versions: ["linked", "nightly-latest"]
+installJava: "true"
 env:
  CODEQL_ACTION_AUTOBUILD_BUILD_MODE_DIRECT_TRACING: true
 steps:
@@ -1,7 +1,6 @@
 name: "Autobuild working directory"
 description: "Tests working-directory input of autobuild action"
-versions:
-  - linked
+versions: ["linked"]
 steps:
  - name: Test setup
    run: |
@@ -1,13 +1,9 @@
 name: "Build mode autobuild"
 description: "An end-to-end integration test of a Java repository built using 'build-mode: autobuild'"
-operatingSystems:
-  - ubuntu
-  - windows
-versions:
-  - linked
-  - nightly-latest
-installJava: true
-installYq: true
+operatingSystems: ["ubuntu", "windows"]
+versions: ["linked", "nightly-latest"]
+installJava: "true"
+installYq: "true"
 steps:
  - name: Set up Java test repo configuration
    run: |
@@ -1,7 +1,6 @@
 name: "Build mode manual"
 description: "An end-to-end integration test of a Java repository built using 'build-mode: manual'"
-versions:
-  - nightly-latest
+versions: ["nightly-latest"]
 installGo: true
 installDotNet: true
 steps:
@@ -1,8 +1,6 @@
 name: "Build mode none"
 description: "An end-to-end integration test of a Java repository built using 'build-mode: none'"
-versions:
-  - linked
-  - nightly-latest
+versions: ["linked", "nightly-latest"]
 steps:
  - uses: ./../action/init
    id: init
@@ -1,7 +1,6 @@
 name: "Build mode rollback"
 description: "The build mode is rolled back from none to autobuild when the relevant feature flag is enabled."
-versions:
-  - nightly-latest
+versions: ["nightly-latest"]
 env:
  CODEQL_ACTION_DISABLE_JAVA_BUILDLESS: true
 steps:
@@ -11,5 +11,5 @@ steps:
      tools: ${{ steps.prepare-test.outputs.tools-url }}
      languages: javascript
  - name: Fail if the CodeQL version is not a nightly
-    if: ${{ !contains(steps.init.outputs.codeql-version, '+') }}
+    if: "!contains(steps.init.outputs.codeql-version, '+')"
    run: exit 1
@@ -3,8 +3,8 @@ description: "The CodeQL bundle should be cached within the toolcache"
 versions:
  - linked
 operatingSystems:
-  - ubuntu
  - macos
+  - ubuntu
  - windows
 steps:
  - name: Remove CodeQL from toolcache
@@ -3,8 +3,8 @@ description: "A Zstandard CodeQL bundle should be extracted on supported operati
 versions:
  - linked
 operatingSystems:
-  - ubuntu
  - macos
+  - ubuntu
  - windows
 steps:
  - name: Remove CodeQL from toolcache
@@ -27,7 +27,7 @@ steps:
      output: ${{ runner.temp }}/results
      upload-database: false
  - name: Upload SARIF
-    uses: actions/upload-artifact@v7
+    uses: actions/upload-artifact@v6
    with:
      name: ${{ matrix.os }}-zstd-bundle.sarif
      path: ${{ runner.temp }}/results/javascript.sarif
@@ -1,7 +1,6 @@
 name: "Clean up database cluster directory"
 description: "The database cluster directory is cleaned up if it is not empty."
-versions:
-  - linked
+versions: ["linked"]
 steps:
  - name: Add a file to the database cluster directory
    run: |
@@ -1,8 +1,6 @@
 name: "Config export"
 description: "Tests that the code scanning configuration file is exported to SARIF correctly."
-versions:
-  - linked
-  - nightly-latest
+versions: ["linked", "nightly-latest"]
 steps:
  - uses: ./../action/init
    with:
@@ -14,7 +12,7 @@ steps:
      output: "${{ runner.temp }}/results"
      upload-database: false
  - name: Upload SARIF
-    uses: actions/upload-artifact@v7
+    uses: actions/upload-artifact@v6
    with:
      name: config-export-${{ matrix.os }}-${{ matrix.version }}.sarif.json
      path: "${{ runner.temp }}/results/javascript.sarif"
@@ -1,8 +1,7 @@
 name: "Config input"
 description: "Tests specifying configuration using the config input"
 installNode: true
-versions:
-  - linked
+versions: ["linked"]
 steps:
  - name: Copy queries into workspace
    run: |
@@ -1,9 +1,6 @@
 name: "C/C++: disabling autoinstalling dependencies (Linux)"
 description: "Checks that running C/C++ autobuild with autoinstalling dependencies explicitly disabled works"
-versions:
-  - linked
-  - default
-  - nightly-latest
+versions: ["linked", "default", "nightly-latest"]
 env:
  DOTNET_GENERATE_ASPNET_CERTIFICATE: "false"
 steps:
@@ -1,10 +1,7 @@
 name: "C/C++: autoinstalling dependencies is skipped (macOS)"
 description: "Checks that running C/C++ autobuild with autoinstalling dependencies explicitly enabled is a no-op on macOS"
-operatingSystems:
-  - macos
-versions:
-  - linked
-  - nightly-latest
+operatingSystems: ["macos"]
+versions: ["linked", "nightly-latest"]
 env:
  DOTNET_GENERATE_ASPNET_CERTIFICATE: "false"
 steps:
@@ -1,9 +1,6 @@
 name: "C/C++: autoinstalling dependencies (Linux)"
 description: "Checks that running C/C++ autobuild with autoinstalling dependencies works"
-versions:
-  - linked
-  - default
-  - nightly-latest
+versions: ["linked", "default", "nightly-latest"]
 env:
  DOTNET_GENERATE_ASPNET_CERTIFICATE: "false"
 steps:
@@ -1,8 +1,6 @@
 name: "Diagnostic export"
 description: "Tests that manually added diagnostics are correctly exported to SARIF."
-versions:
-  - linked
-  - nightly-latest
+versions: ["linked", "nightly-latest"]
 env:
  CODEQL_ACTION_EXPORT_DIAGNOSTICS: true
 steps:
@@ -27,7 +25,7 @@ steps:
      output: "${{ runner.temp }}/results"
      upload-database: false
  - name: Upload SARIF
-    uses: actions/upload-artifact@v7
+    uses: actions/upload-artifact@v6
    with:
      name: diagnostics-export-${{ matrix.os }}-${{ matrix.version }}.sarif.json
      path: "${{ runner.temp }}/results/javascript.sarif"
@@ -1,11 +1,7 @@
 name: "Export file baseline information"
 description: "Tests that file baseline information is exported when the feature is enabled"
-operatingSystems:
-  - ubuntu
-  - macos
-  - windows
-versions:
-  - nightly-latest
+operatingSystems: ["ubuntu", "macos", "windows"]
+versions: ["nightly-latest"]
 installGo: true
 installDotNet: true
 env:
@@ -23,7 +19,7 @@ steps:
    with:
      output: "${{ runner.temp }}/results"
  - name: Upload SARIF
-    uses: actions/upload-artifact@v7
+    uses: actions/upload-artifact@v6
    with:
      name: with-baseline-information-${{ matrix.os }}-${{ matrix.version }}.sarif.json
      path: "${{ runner.temp }}/results/javascript.sarif"
@@ -1,7 +1,6 @@
 name: "Extractor ram and threads options test"
 description: "Tests passing RAM and threads limits to extractors"
-versions:
-  - linked
+versions: ["linked"]
 steps:
  - uses: ./../action/init
    with:
@@ -1,8 +1,6 @@
 name: "Proxy test"
 description: "Tests using a proxy specified by the https_proxy environment variable"
-versions:
-  - linked
-  - nightly-latest
+versions: ["linked", "nightly-latest"]
 container:
  image: ubuntu:22.04
 services:
@@ -2,8 +2,7 @@ name: "Go: diagnostic when Go is changed after init step"
 description: "Checks that we emit a diagnostic if Go is changed after the init step"
 # only Linux is affected
 # pinned to a version which does not support statically linked binaries for indirect tracing
-versions:
-  - default
+versions: ["default"]
 installGo: true
 collection: go
 steps:
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Henry Mercer	99fa33b653	Add changelog note	2026-03-02 20:12:34 +01:00
Henry Mercer	e0af356cbc	Remove restriction to `github` org	2026-03-02 20:04:08 +01:00
Henry Mercer	9e1b38bcc6	Allow explicit disablement too	2026-03-02 19:58:27 +01:00
Henry Mercer	2a4d1eca6b	Add env var to enable file coverage on PRs	2026-03-02 19:55:35 +01:00
Henry Mercer	003c59c557	Log ability to re-enable via repo property	2026-03-02 19:48:19 +01:00
Henry Mercer	b2fff91823	Add repository property for file coverage on PRs	2026-03-02 19:20:43 +01:00