Generate UserConfig from schema ... ish

Add command for turning JSON schemas into TypeScript typings
2026-05-10 15:50:28 +00:00 · 2025-10-17 16:19:12 +01:00 · 2025-10-17 16:12:28 +01:00
66 changed files with 2979 additions and 3379 deletions
@@ -1,55 +0,0 @@
-labeling:
-  applyCategoryLabels: true
-  categoryLabelPrefix: "size/"
-
-commenting:
-  addCommentWhenScoreThresholdHasBeenExceeded: false
-
-sizeup:
-  categories:
-    - name: extra small
-      lte: 25
-      label:
-        name: XS
-        description: Should be very easy to review
-        color: 3cbf00
-    - name: small
-      lte: 100
-      label:
-        name: S
-        description: Should be easy to review
-        color: 5d9801
-    - name: medium
-      lte: 250
-      label:
-        name: M
-        description: Should be of average difficulty to review
-        color: 7f7203
-    - name: large
-      lte: 500
-      label:
-        name: L
-        description: May be hard to review
-        color: a14c05
-    - name: extra large
-      lte: 1000
-      label:
-        name: XL
-        description: May be very hard to review
-        color: c32607
-    - name: extra extra large
-      label:
-        name: XXL
-        description: May be extremely hard to review
-        color: e50009
-  ignoredFilePatterns:
-    - ".github/workflows/__*"
-    - "lib/**/*"
-    - "package-lock.json"
-  testFilePatterns:
-    - "**/*.test.ts"
-  scoring:
-    # This formula and the aliases below it are written in prefix notation.
-    # For an explanation of how this works, please see:
-    # https://github.com/lerebear/sizeup-core/blob/main/README.md#prefix-notation
-    formula: "- - + additions deletions comments whitespace"
@@ -49,7 +49,7 @@ jobs:
      - name: Check out repository
        uses: actions/checkout@v5
      - name: Install Node.js
-        uses: actions/setup-node@v6
+        uses: actions/setup-node@v5
        with:
          node-version: 20.x
          cache: npm
@@ -73,7 +73,7 @@ jobs:
      - name: Check out repository
        uses: actions/checkout@v5
      - name: Install Node.js
-        uses: actions/setup-node@v6
+        uses: actions/setup-node@v5
        with:
          node-version: 20.x
          cache: npm
@@ -63,7 +63,7 @@ jobs:
      - name: Check out repository
        uses: actions/checkout@v5
      - name: Install Node.js
-        uses: actions/setup-node@v6
+        uses: actions/setup-node@v5
        with:
          node-version: 20.x
          cache: npm
@@ -63,7 +63,7 @@ jobs:
      - name: Check out repository
        uses: actions/checkout@v5
      - name: Install Node.js
-        uses: actions/setup-node@v6
+        uses: actions/setup-node@v5
        with:
          node-version: 20.x
          cache: npm
@@ -63,7 +63,7 @@ jobs:
      - name: Check out repository
        uses: actions/checkout@v5
      - name: Install Node.js
-        uses: actions/setup-node@v6
+        uses: actions/setup-node@v5
        with:
          node-version: 20.x
          cache: npm
@@ -80,7 +80,6 @@ jobs:
        with:
          output: ${{ runner.temp }}/results
          upload-database: false
-          post-processed-sarif-path: ${{ runner.temp }}/post-processed
      - name: Upload security SARIF
        if: contains(matrix.analysis-kinds, 'code-scanning')
        uses: actions/upload-artifact@v4
@@ -97,14 +96,6 @@ jobs:
            quality-queries-${{ matrix.os }}-${{ matrix.version }}-${{ matrix.analysis-kinds }}.quality.sarif.json
          path: ${{ runner.temp }}/results/javascript.quality.sarif
          retention-days: 7
-      - name: Upload post-processed SARIF
-        uses: actions/upload-artifact@v4
-        with:
-          name: |
-            post-processed-${{ matrix.os }}-${{ matrix.version }}-${{ matrix.analysis-kinds }}.sarif.json
-          path: ${{ runner.temp }}/post-processed
-          retention-days: 7
-          if-no-files-found: error
      - name: Check quality query does not appear in security SARIF
        if: contains(matrix.analysis-kinds, 'code-scanning')
        uses: actions/github-script@v8
@@ -56,7 +56,7 @@ jobs:
      uses: actions/checkout@v5

    - name: Set up Node.js
-      uses: actions/setup-node@v6
+      uses: actions/setup-node@v5
      with:
        node-version: 24
        cache: 'npm'
@@ -1,26 +0,0 @@
-name: Label PR with size
-
-on:
-  pull_request:
-    types:
-      - opened
-      - synchronize
-      - reopened
-      - edited
-      - ready_for_review
-
-permissions:
-  contents: read
-  pull-requests: write
-
-jobs:
-  sizeup:
-    name: Label PR with size
-    runs-on: ubuntu-latest
-
-    steps:
-      - name: Run sizeup
-        uses: lerebear/sizeup-action@b7beb3dd273e36039e16e48e7bc690c189e61951 # 0.8.12
-        with:
-          token: "${{ secrets.GITHUB_TOKEN }}"
-          configuration-file-path: ".github/sizeup.yml"
@@ -47,7 +47,7 @@ jobs:
      - uses: actions/checkout@v5
        with:
          fetch-depth: 0  # ensure we have all tags and can push commits
-      - uses: actions/setup-node@v6
+      - uses: actions/setup-node@v5

      - name: Update git config
        run: |
@@ -35,7 +35,7 @@ jobs:
      - uses: actions/checkout@v5

      - name: Set up Node.js
-        uses: actions/setup-node@v6
+        uses: actions/setup-node@v5
        with:
          node-version: ${{ matrix.node-version }}
          cache: 'npm'
@@ -32,7 +32,7 @@ jobs:
      uses: actions/checkout@v5

    - name: Install Node.js
-      uses: actions/setup-node@v6
+      uses: actions/setup-node@v5
      with:
        node-version: 24
        cache: npm
@@ -41,7 +41,7 @@ jobs:
          git config --global user.name "github-actions[bot]"

      - name: Set up Node.js
-        uses: actions/setup-node@v6
+        uses: actions/setup-node@v5
        with:
          node-version: 24
          cache: 'npm'
@@ -4,15 +4,6 @@ See the [releases page](https://github.com/github/codeql-action/releases) for th

 ## [UNRELEASED]

-No user facing changes.
-
-## 4.31.0 - 24 Oct 2025
-
- Bump minimum CodeQL bundle version to 2.17.6. [#3223](https://github.com/github/codeql-action/pull/3223)
- When SARIF files are uploaded by the `analyze` or `upload-sarif` actions, the CodeQL Action automatically performs post-processing steps to prepare the data for the upload. Previously, these post-processing steps were only performed before an upload took place. We are now changing this so that the post-processing steps will always be performed, even when the SARIF files are not uploaded. This does not change anything for the `upload-sarif` action. For `analyze`, this may affect Advanced Setup for CodeQL users who specify a value other than `always` for the `upload` input. [#3222](https://github.com/github/codeql-action/pull/3222)
-
-## 4.30.9 - 17 Oct 2025
-
 - Update default CodeQL bundle version to 2.23.3. [#3205](https://github.com/github/codeql-action/pull/3205)
 - Experimental: A new `setup-codeql` action has been added which is similar to `init`, except it only installs the CodeQL CLI and does not initialize a database. Do not use this in production as it is part of an internal experiment and subject to change at any time. [#3204](https://github.com/github/codeql-action/pull/3204)

@@ -6,7 +6,7 @@ inputs:
    description: The name of the check run to add text to.
    required: false
  output:
-    description: The path of the directory in which to save the SARIF results from the CodeQL CLI.
+    description: The path of the directory in which to save the SARIF results
    required: false
    default: "../results"
  upload:
@@ -70,12 +70,6 @@ inputs:
    description: Whether to upload the resulting CodeQL database
    required: false
    default: "true"
-  post-processed-sarif-path:
-    description: >-
-      Before uploading the SARIF files produced by the CodeQL CLI, the CodeQL Action may perform some post-processing
-      on them. Ordinarily, these post-processed SARIF files are not saved to disk. However, if a path is provided as an
-      argument for this input, they are written to the specified directory.
-    required: false
  wait-for-processing:
    description: If true, the Action will wait for the uploaded SARIF to be processed before completing.
    required: true
@@ -131,7 +131,6 @@ export default [
      "no-sequences": "error",
      "no-shadow": "off",
      "@typescript-eslint/no-shadow": "error",
-      "@typescript-eslint/prefer-optional-chain": "error",
      "one-var": ["error", "never"],
    },
  },
@@ -0,0 +1,29 @@
+import fs from "node:fs";
+import path from "node:path";
+import { fileURLToPath } from "node:url";
+
+import { globSync } from "glob";
+import { compileFromFile } from 'json-schema-to-typescript';
+
+const __filename = fileURLToPath(import.meta.url);
+const __dirname = path.dirname(__filename);
+
+const SRC_DIR = path.join(__dirname, "schemas");
+const OUT_DIR = path.join(__dirname, "src");
+
+async function generateTypings() {
+  const schemas = globSync(`${SRC_DIR}/*.json`);
+  for (const schema of schemas) {
+    const outPath = path.join(
+      OUT_DIR,
+      `${path.basename(schema, ".json")}.d.ts`,
+    );
+    const ts = await compileFromFile(schema, {
+      bannerComment:
+        "/* This file was automatically generated by `npm run generate:schemas`. Do not edit by hand. */",
+    });
+    fs.writeFileSync(outPath, ts, "utf-8");
+  }
+}
+
+await generateTypings();
@@ -26460,7 +26460,7 @@ var require_package = __commonJS({
  "package.json"(exports2, module2) {
    module2.exports = {
      name: "codeql",
-      version: "4.31.1",
+      version: "4.30.9",
      private: true,
      description: "CodeQL action",
      scripts: {
@@ -26472,7 +26472,8 @@ var require_package = __commonJS({
        ava: "npm run transpile && ava --serial --verbose",
        test: "npm run ava -- src/",
        "test-debug": "npm run test -- --timeout=20m",
-        transpile: "tsc --build --verbose"
+        transpile: "npm run generate:schemas && tsc --build --verbose",
+        "generate:schemas": "node json-schemas.mjs"
      },
      ava: {
        typescript: {
@@ -26508,7 +26509,7 @@ var require_package = __commonJS({
        jsonschema: "1.4.1",
        long: "^5.3.2",
        "node-forge": "^1.3.1",
-        octokit: "^5.0.4",
+        octokit: "^5.0.3",
        semver: "^7.7.3",
        uuid: "^13.0.0"
      },
@@ -26516,7 +26517,7 @@ var require_package = __commonJS({
        "@ava/typescript": "6.0.0",
        "@eslint/compat": "^1.4.0",
        "@eslint/eslintrc": "^3.3.1",
-        "@eslint/js": "^9.38.0",
+        "@eslint/js": "^9.37.0",
        "@microsoft/eslint-formatter-sarif": "^3.1.0",
        "@octokit/types": "^15.0.0",
        "@types/archiver": "^6.0.3",
@@ -26527,10 +26528,10 @@ var require_package = __commonJS({
        "@types/node-forge": "^1.3.14",
        "@types/semver": "^7.7.1",
        "@types/sinon": "^17.0.4",
-        "@typescript-eslint/eslint-plugin": "^8.46.1",
+        "@typescript-eslint/eslint-plugin": "^8.46.0",
        "@typescript-eslint/parser": "^8.41.0",
        ava: "^6.4.1",
-        esbuild: "^0.25.11",
+        esbuild: "^0.25.10",
        eslint: "^8.57.1",
        "eslint-import-resolver-typescript": "^3.8.7",
        "eslint-plugin-filenames": "^1.3.2",
@@ -26538,6 +26539,7 @@ var require_package = __commonJS({
        "eslint-plugin-import": "2.29.1",
        "eslint-plugin-no-async-foreach": "^0.1.1",
        glob: "^11.0.3",
+        "json-schema-to-typescript": "^15.0.4",
        nock: "^14.0.10",
        sinon: "^21.0.0",
        typescript: "^5.9.3"
@@ -119058,7 +119060,7 @@ function withGroup(groupName, f) {

 // src/overlay-database-utils.ts
 var CODEQL_OVERLAY_MINIMUM_VERSION = "2.22.4";
-var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB = 7500;
+var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB = 15e3;
 var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_BYTES = OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB * 1e6;
 async function writeBaseDatabaseOidsFile(config, sourceRoot) {
  const gitFileOids = await getFileOidsUnderPath(sourceRoot);
@@ -119134,11 +119136,6 @@ var featureConfig = {
    envVar: "CODEQL_ACTION_ALLOW_TOOLCACHE_INPUT",
    minimumVersion: void 0
  },
-  ["analyze_use_new_upload" /* AnalyzeUseNewUpload */]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_ANALYZE_USE_NEW_UPLOAD",
-    minimumVersion: void 0
-  },
  ["cleanup_trap_caches" /* CleanupTrapCaches */]: {
    defaultValue: false,
    envVar: "CODEQL_ACTION_CLEANUP_TRAP_CACHES",
@@ -119421,7 +119418,7 @@ async function shouldEnableIndirectTracing(codeql, config) {

 // src/codeql.ts
 var cachedCodeQL = void 0;
-var CODEQL_MINIMUM_VERSION = "2.17.6";
+var CODEQL_MINIMUM_VERSION = "2.16.6";
 var CODEQL_NEXT_MINIMUM_VERSION = "2.17.6";
 var GHES_VERSION_MOST_RECENTLY_DEPRECATED = "3.13";
 var GHES_MOST_RECENT_DEPRECATION_DATE = "2025-06-19";
@@ -119708,6 +119705,12 @@ ${output}`
      } else {
        codeqlArgs.push("--no-sarif-include-diagnostics");
      }
+      if (!isSupportedToolsFeature(
+        await this.getVersion(),
+        "analysisSummaryV2Default" /* AnalysisSummaryV2IsDefault */
+      )) {
+        codeqlArgs.push("--new-analysis-summary");
+      }
      codeqlArgs.push(databasePath);
      if (querySuitePaths) {
        codeqlArgs.push(...querySuitePaths);
@@ -26460,7 +26460,7 @@ var require_package = __commonJS({
  "package.json"(exports2, module2) {
    module2.exports = {
      name: "codeql",
-      version: "4.31.1",
+      version: "4.30.9",
      private: true,
      description: "CodeQL action",
      scripts: {
@@ -26472,7 +26472,8 @@ var require_package = __commonJS({
        ava: "npm run transpile && ava --serial --verbose",
        test: "npm run ava -- src/",
        "test-debug": "npm run test -- --timeout=20m",
-        transpile: "tsc --build --verbose"
+        transpile: "npm run generate:schemas && tsc --build --verbose",
+        "generate:schemas": "node json-schemas.mjs"
      },
      ava: {
        typescript: {
@@ -26508,7 +26509,7 @@ var require_package = __commonJS({
        jsonschema: "1.4.1",
        long: "^5.3.2",
        "node-forge": "^1.3.1",
-        octokit: "^5.0.4",
+        octokit: "^5.0.3",
        semver: "^7.7.3",
        uuid: "^13.0.0"
      },
@@ -26516,7 +26517,7 @@ var require_package = __commonJS({
        "@ava/typescript": "6.0.0",
        "@eslint/compat": "^1.4.0",
        "@eslint/eslintrc": "^3.3.1",
-        "@eslint/js": "^9.38.0",
+        "@eslint/js": "^9.37.0",
        "@microsoft/eslint-formatter-sarif": "^3.1.0",
        "@octokit/types": "^15.0.0",
        "@types/archiver": "^6.0.3",
@@ -26527,10 +26528,10 @@ var require_package = __commonJS({
        "@types/node-forge": "^1.3.14",
        "@types/semver": "^7.7.1",
        "@types/sinon": "^17.0.4",
-        "@typescript-eslint/eslint-plugin": "^8.46.1",
+        "@typescript-eslint/eslint-plugin": "^8.46.0",
        "@typescript-eslint/parser": "^8.41.0",
        ava: "^6.4.1",
-        esbuild: "^0.25.11",
+        esbuild: "^0.25.10",
        eslint: "^8.57.1",
        "eslint-import-resolver-typescript": "^3.8.7",
        "eslint-plugin-filenames": "^1.3.2",
@@ -26538,6 +26539,7 @@ var require_package = __commonJS({
        "eslint-plugin-import": "2.29.1",
        "eslint-plugin-no-async-foreach": "^0.1.1",
        glob: "^11.0.3",
+        "json-schema-to-typescript": "^15.0.4",
        nock: "^14.0.10",
        sinon: "^21.0.0",
        typescript: "^5.9.3"
@@ -75072,14 +75074,14 @@ var require_tool_cache = __commonJS({
    var assert_1 = require("assert");
    var exec_1 = require_exec();
    var retry_helper_1 = require_retry_helper();
-    var HTTPError2 = class extends Error {
+    var HTTPError = class extends Error {
      constructor(httpStatusCode) {
        super(`Unexpected HTTP response: ${httpStatusCode}`);
        this.httpStatusCode = httpStatusCode;
        Object.setPrototypeOf(this, new.target.prototype);
      }
    };
-    exports2.HTTPError = HTTPError2;
+    exports2.HTTPError = HTTPError;
    var IS_WINDOWS = process.platform === "win32";
    var IS_MAC = process.platform === "darwin";
    var userAgent = "actions/tool-cache";
@@ -75096,7 +75098,7 @@ var require_tool_cache = __commonJS({
        return yield retryHelper.execute(() => __awaiter4(this, void 0, void 0, function* () {
          return yield downloadToolAttempt(url, dest || "", auth, headers);
        }), (err) => {
-          if (err instanceof HTTPError2 && err.httpStatusCode) {
+          if (err instanceof HTTPError && err.httpStatusCode) {
            if (err.httpStatusCode < 500 && err.httpStatusCode !== 408 && err.httpStatusCode !== 429) {
              return false;
            }
@@ -75123,7 +75125,7 @@ var require_tool_cache = __commonJS({
        }
        const response = yield http.get(url, headers);
        if (response.message.statusCode !== 200) {
-          const err = new HTTPError2(response.message.statusCode);
+          const err = new HTTPError(response.message.statusCode);
          core14.debug(`Failed to download from "${url}". Code(${response.message.statusCode}) Message(${response.message.statusMessage})`);
          throw err;
        }
@@ -78985,28 +78987,13 @@ function getRequiredEnvParam(paramName) {
  }
  return value;
 }
-var HTTPError = class extends Error {
-  constructor(message, status) {
-    super(message);
-    this.status = status;
-  }
-};
 var ConfigurationError = class extends Error {
  constructor(message) {
    super(message);
  }
 };
-function asHTTPError(arg) {
-  if (typeof arg !== "object" || arg === null || typeof arg.message !== "string") {
-    return void 0;
-  }
-  if (Number.isInteger(arg.status)) {
-    return new HTTPError(arg.message, arg.status);
-  }
-  if (Number.isInteger(arg.httpStatusCode)) {
-    return new HTTPError(arg.message, arg.httpStatusCode);
-  }
-  return void 0;
+function isHTTPError(arg) {
+  return arg?.status !== void 0 && Number.isInteger(arg.status);
 }
 var cachedCodeQlVersion = void 0;
 function cacheCodeQlVersion(version) {
@@ -79813,7 +79800,7 @@ function getActionsLogger() {

 // src/overlay-database-utils.ts
 var CODEQL_OVERLAY_MINIMUM_VERSION = "2.22.4";
-var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB = 7500;
+var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB = 15e3;
 var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_BYTES = OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB * 1e6;
 async function writeBaseDatabaseOidsFile(config, sourceRoot) {
  const gitFileOids = await getFileOidsUnderPath(sourceRoot);
@@ -79887,11 +79874,6 @@ var featureConfig = {
    envVar: "CODEQL_ACTION_ALLOW_TOOLCACHE_INPUT",
    minimumVersion: void 0
  },
-  ["analyze_use_new_upload" /* AnalyzeUseNewUpload */]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_ANALYZE_USE_NEW_UPLOAD",
-    minimumVersion: void 0
-  },
  ["cleanup_trap_caches" /* CleanupTrapCaches */]: {
    defaultValue: false,
    envVar: "CODEQL_ACTION_CLEANUP_TRAP_CACHES",
@@ -80310,7 +80292,7 @@ var GitHubFeatureFlags = class {
        remoteFlags = { ...remoteFlags, ...chunkFlags };
      }
      this.logger.debug(
-        "Loaded the following default values for the feature flags from the CodeQL Action API:"
+        "Loaded the following default values for the feature flags from the Code Scanning API:"
      );
      for (const [feature, value] of Object.entries(remoteFlags).sort(
        ([nameA], [nameB]) => nameA.localeCompare(nameB)
@@ -80320,10 +80302,9 @@ var GitHubFeatureFlags = class {
      this.hasAccessedRemoteFeatureFlags = true;
      return remoteFlags;
    } catch (e) {
-      const httpError = asHTTPError(e);
-      if (httpError?.status === 403) {
+      if (isHTTPError(e) && e.status === 403) {
        this.logger.warning(
-          `This run of the CodeQL Action does not have permission to access the CodeQL Action API endpoints. As a result, it will not be opted into any experimental features. This could be because the Action is running on a pull request from a fork. If not, please ensure the workflow has at least the 'security-events: read' permission. Details: ${httpError.message}`
+          `This run of the CodeQL Action does not have permission to access Code Scanning API endpoints. As a result, it will not be opted into any experimental features. This could be because the Action is running on a pull request from a fork. If not, please ensure the Action has the 'security-events: write' permission. Details: ${e.message}`
        );
        this.hasAccessedRemoteFeatureFlags = false;
        return {};
@@ -80472,7 +80453,7 @@ async function endTracingForCluster(codeql, config, logger) {

 // src/codeql.ts
 var cachedCodeQL = void 0;
-var CODEQL_MINIMUM_VERSION = "2.17.6";
+var CODEQL_MINIMUM_VERSION = "2.16.6";
 var CODEQL_NEXT_MINIMUM_VERSION = "2.17.6";
 var GHES_VERSION_MOST_RECENTLY_DEPRECATED = "3.13";
 var GHES_MOST_RECENT_DEPRECATION_DATE = "2025-06-19";
@@ -80759,6 +80740,12 @@ ${output}`
      } else {
        codeqlArgs.push("--no-sarif-include-diagnostics");
      }
+      if (!isSupportedToolsFeature(
+        await this.getVersion(),
+        "analysisSummaryV2Default" /* AnalysisSummaryV2IsDefault */
+      )) {
+        codeqlArgs.push("--new-analysis-summary");
+      }
      codeqlArgs.push(databasePath);
      if (querySuitePaths) {
        codeqlArgs.push(...querySuitePaths);
@@ -81227,8 +81214,8 @@ async function createStatusReportBase(actionName, status, actionStartedAt, confi
    return void 0;
  }
 }
-var OUT_OF_DATE_MSG = "CodeQL Action is out-of-date. Please upgrade to the latest version of `codeql-action`.";
-var INCOMPATIBLE_MSG = "CodeQL Action version is incompatible with the API endpoint. Please update to a compatible version of `codeql-action`.";
+var OUT_OF_DATE_MSG = "CodeQL Action is out-of-date. Please upgrade to the latest version of codeql-action.";
+var INCOMPATIBLE_MSG = "CodeQL Action version is incompatible with the code scanning endpoint. Please update to a compatible version of codeql-action.";
 async function sendStatusReport(statusReport) {
  setJobStatusIfUnsuccessful(statusReport.status);
  const statusReportJSON = JSON.stringify(statusReport);
@@ -81249,22 +81236,19 @@ async function sendStatusReport(statusReport) {
      }
    );
  } catch (e) {
-    const httpError = asHTTPError(e);
-    if (httpError !== void 0) {
-      switch (httpError.status) {
+    if (isHTTPError(e)) {
+      switch (e.status) {
        case 403:
          if (getWorkflowEventName() === "push" && process.env["GITHUB_ACTOR"] === "dependabot[bot]") {
            core12.warning(
-              `Workflows triggered by Dependabot on the "push" event run with read-only access. Uploading CodeQL results requires write access. To use CodeQL with Dependabot, please ensure you are using the "pull_request" event for this workflow and avoid triggering on the "push" event for Dependabot branches. See ${"https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning#scanning-on-push" /* SCANNING_ON_PUSH */} for more information on how to configure these events.`
+              `Workflows triggered by Dependabot on the "push" event run with read-only access. Uploading Code Scanning results requires write access. To use Code Scanning with Dependabot, please ensure you are using the "pull_request" event for this workflow and avoid triggering on the "push" event for Dependabot branches. See ${"https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning#scanning-on-push" /* SCANNING_ON_PUSH */} for more information on how to configure these events.`
            );
          } else {
-            core12.warning(
-              `This run of the CodeQL Action does not have permission to access the CodeQL Action API endpoints. This could be because the Action is running on a pull request from a fork. If not, please ensure the workflow has at least the 'security-events: read' permission. Details: ${httpError.message}`
-            );
+            core12.warning(e.message);
          }
          return;
        case 404:
-          core12.warning(httpError.message);
+          core12.warning(e.message);
          return;
        case 422:
          if (getRequiredEnvParam("GITHUB_SERVER_URL") !== GITHUB_DOTCOM_URL) {
@@ -81276,7 +81260,7 @@ async function sendStatusReport(statusReport) {
      }
    }
    core12.warning(
-      `An unexpected error occurred when sending a status report: ${getErrorMessage(
+      `An unexpected error occurred when sending code scanning status report: ${getErrorMessage(
        e
      )}`
    );
@@ -20602,14 +20602,14 @@ var require_dist_node4 = __commonJS({
    var __toCommonJS2 = (mod) => __copyProps2(__defProp2({}, "__esModule", { value: true }), mod);
    var dist_src_exports = {};
    __export2(dist_src_exports, {
-      RequestError: () => RequestError
+      RequestError: () => RequestError2
    });
    module2.exports = __toCommonJS2(dist_src_exports);
    var import_deprecation = require_dist_node3();
    var import_once = __toESM2(require_once());
    var logOnceCode = (0, import_once.default)((deprecation) => console.warn(deprecation));
    var logOnceHeaders = (0, import_once.default)((deprecation) => console.warn(deprecation));
-    var RequestError = class extends Error {
+    var RequestError2 = class extends Error {
      constructor(message, statusCode, options) {
        super(message);
        if (Error.captureStackTrace) {
@@ -20701,7 +20701,7 @@ var require_dist_node5 = __commonJS({
      const Ctor = Object.prototype.hasOwnProperty.call(proto, "constructor") && proto.constructor;
      return typeof Ctor === "function" && Ctor instanceof Ctor && Function.prototype.call(Ctor) === Function.prototype.call(value);
    }
-    var import_request_error = require_dist_node4();
+    var import_request_error2 = require_dist_node4();
    function getBufferResponse(response) {
      return response.arrayBuffer();
    }
@@ -20753,7 +20753,7 @@ var require_dist_node5 = __commonJS({
          if (status < 400) {
            return;
          }
-          throw new import_request_error.RequestError(response.statusText, status, {
+          throw new import_request_error2.RequestError(response.statusText, status, {
            response: {
              url: url2,
              status,
@@ -20764,7 +20764,7 @@ var require_dist_node5 = __commonJS({
          });
        }
        if (status === 304) {
-          throw new import_request_error.RequestError("Not modified", status, {
+          throw new import_request_error2.RequestError("Not modified", status, {
            response: {
              url: url2,
              status,
@@ -20776,7 +20776,7 @@ var require_dist_node5 = __commonJS({
        }
        if (status >= 400) {
          const data = await getResponseData(response);
-          const error2 = new import_request_error.RequestError(toErrorMessage(data), status, {
+          const error2 = new import_request_error2.RequestError(toErrorMessage(data), status, {
            response: {
              url: url2,
              status,
@@ -20796,7 +20796,7 @@ var require_dist_node5 = __commonJS({
          data
        };
      }).catch((error2) => {
-        if (error2 instanceof import_request_error.RequestError)
+        if (error2 instanceof import_request_error2.RequestError)
          throw error2;
        else if (error2.name === "AbortError")
          throw error2;
@@ -20808,7 +20808,7 @@ var require_dist_node5 = __commonJS({
            message = error2.cause;
          }
        }
-        throw new import_request_error.RequestError(message, 500, {
+        throw new import_request_error2.RequestError(message, 500, {
          request: requestOptions
        });
      });
@@ -21250,14 +21250,14 @@ var require_dist_node7 = __commonJS({
    var __toCommonJS2 = (mod) => __copyProps2(__defProp2({}, "__esModule", { value: true }), mod);
    var dist_src_exports = {};
    __export2(dist_src_exports, {
-      RequestError: () => RequestError
+      RequestError: () => RequestError2
    });
    module2.exports = __toCommonJS2(dist_src_exports);
    var import_deprecation = require_dist_node3();
    var import_once = __toESM2(require_once());
    var logOnceCode = (0, import_once.default)((deprecation) => console.warn(deprecation));
    var logOnceHeaders = (0, import_once.default)((deprecation) => console.warn(deprecation));
-    var RequestError = class extends Error {
+    var RequestError2 = class extends Error {
      constructor(message, statusCode, options) {
        super(message);
        if (Error.captureStackTrace) {
@@ -21349,7 +21349,7 @@ var require_dist_node8 = __commonJS({
      const Ctor = Object.prototype.hasOwnProperty.call(proto, "constructor") && proto.constructor;
      return typeof Ctor === "function" && Ctor instanceof Ctor && Function.prototype.call(Ctor) === Function.prototype.call(value);
    }
-    var import_request_error = require_dist_node7();
+    var import_request_error2 = require_dist_node7();
    function getBufferResponse(response) {
      return response.arrayBuffer();
    }
@@ -21401,7 +21401,7 @@ var require_dist_node8 = __commonJS({
          if (status < 400) {
            return;
          }
-          throw new import_request_error.RequestError(response.statusText, status, {
+          throw new import_request_error2.RequestError(response.statusText, status, {
            response: {
              url: url2,
              status,
@@ -21412,7 +21412,7 @@ var require_dist_node8 = __commonJS({
          });
        }
        if (status === 304) {
-          throw new import_request_error.RequestError("Not modified", status, {
+          throw new import_request_error2.RequestError("Not modified", status, {
            response: {
              url: url2,
              status,
@@ -21424,7 +21424,7 @@ var require_dist_node8 = __commonJS({
        }
        if (status >= 400) {
          const data = await getResponseData(response);
-          const error2 = new import_request_error.RequestError(toErrorMessage(data), status, {
+          const error2 = new import_request_error2.RequestError(toErrorMessage(data), status, {
            response: {
              url: url2,
              status,
@@ -21444,7 +21444,7 @@ var require_dist_node8 = __commonJS({
          data
        };
      }).catch((error2) => {
-        if (error2 instanceof import_request_error.RequestError)
+        if (error2 instanceof import_request_error2.RequestError)
          throw error2;
        else if (error2.name === "AbortError")
          throw error2;
@@ -21456,7 +21456,7 @@ var require_dist_node8 = __commonJS({
            message = error2.cause;
          }
        }
-        throw new import_request_error.RequestError(message, 500, {
+        throw new import_request_error2.RequestError(message, 500, {
          request: requestOptions
        });
      });
@@ -32309,7 +32309,7 @@ var require_package = __commonJS({
  "package.json"(exports2, module2) {
    module2.exports = {
      name: "codeql",
-      version: "4.31.1",
+      version: "4.30.9",
      private: true,
      description: "CodeQL action",
      scripts: {
@@ -32321,7 +32321,8 @@ var require_package = __commonJS({
        ava: "npm run transpile && ava --serial --verbose",
        test: "npm run ava -- src/",
        "test-debug": "npm run test -- --timeout=20m",
-        transpile: "tsc --build --verbose"
+        transpile: "npm run generate:schemas && tsc --build --verbose",
+        "generate:schemas": "node json-schemas.mjs"
      },
      ava: {
        typescript: {
@@ -32357,7 +32358,7 @@ var require_package = __commonJS({
        jsonschema: "1.4.1",
        long: "^5.3.2",
        "node-forge": "^1.3.1",
-        octokit: "^5.0.4",
+        octokit: "^5.0.3",
        semver: "^7.7.3",
        uuid: "^13.0.0"
      },
@@ -32365,7 +32366,7 @@ var require_package = __commonJS({
        "@ava/typescript": "6.0.0",
        "@eslint/compat": "^1.4.0",
        "@eslint/eslintrc": "^3.3.1",
-        "@eslint/js": "^9.38.0",
+        "@eslint/js": "^9.37.0",
        "@microsoft/eslint-formatter-sarif": "^3.1.0",
        "@octokit/types": "^15.0.0",
        "@types/archiver": "^6.0.3",
@@ -32376,10 +32377,10 @@ var require_package = __commonJS({
        "@types/node-forge": "^1.3.14",
        "@types/semver": "^7.7.1",
        "@types/sinon": "^17.0.4",
-        "@typescript-eslint/eslint-plugin": "^8.46.1",
+        "@typescript-eslint/eslint-plugin": "^8.46.0",
        "@typescript-eslint/parser": "^8.41.0",
        ava: "^6.4.1",
-        esbuild: "^0.25.11",
+        esbuild: "^0.25.10",
        eslint: "^8.57.1",
        "eslint-import-resolver-typescript": "^3.8.7",
        "eslint-plugin-filenames": "^1.3.2",
@@ -32387,6 +32388,7 @@ var require_package = __commonJS({
        "eslint-plugin-import": "2.29.1",
        "eslint-plugin-no-async-foreach": "^0.1.1",
        glob: "^11.0.3",
+        "json-schema-to-typescript": "^15.0.4",
        nock: "^14.0.10",
        sinon: "^21.0.0",
        typescript: "^5.9.3"
@@ -33768,14 +33770,14 @@ var require_dist_node14 = __commonJS({
    var __toCommonJS2 = (mod) => __copyProps2(__defProp2({}, "__esModule", { value: true }), mod);
    var dist_src_exports = {};
    __export2(dist_src_exports, {
-      RequestError: () => RequestError
+      RequestError: () => RequestError2
    });
    module2.exports = __toCommonJS2(dist_src_exports);
    var import_deprecation = require_dist_node3();
    var import_once = __toESM2(require_once());
    var logOnceCode = (0, import_once.default)((deprecation) => console.warn(deprecation));
    var logOnceHeaders = (0, import_once.default)((deprecation) => console.warn(deprecation));
-    var RequestError = class extends Error {
+    var RequestError2 = class extends Error {
      constructor(message, statusCode, options) {
        super(message);
        if (Error.captureStackTrace) {
@@ -33877,7 +33879,7 @@ var require_dist_node15 = __commonJS({
      throw error2;
    }
    var import_light = __toESM2(require_light());
-    var import_request_error = require_dist_node14();
+    var import_request_error2 = require_dist_node14();
    async function wrapRequest(state, octokit, request, options) {
      const limiter = new import_light.default();
      limiter.on("failed", function(error2, info5) {
@@ -33898,7 +33900,7 @@ var require_dist_node15 = __commonJS({
      if (response.data && response.data.errors && response.data.errors.length > 0 && /Something went wrong while executing your query/.test(
        response.data.errors[0].message
      )) {
-        const error2 = new import_request_error.RequestError(response.data.errors[0].message, 500, {
+        const error2 = new import_request_error2.RequestError(response.data.errors[0].message, 500, {
          request: options,
          response
        });
@@ -80921,14 +80923,14 @@ var require_tool_cache = __commonJS({
    var assert_1 = require("assert");
    var exec_1 = require_exec();
    var retry_helper_1 = require_retry_helper();
-    var HTTPError2 = class extends Error {
+    var HTTPError = class extends Error {
      constructor(httpStatusCode) {
        super(`Unexpected HTTP response: ${httpStatusCode}`);
        this.httpStatusCode = httpStatusCode;
        Object.setPrototypeOf(this, new.target.prototype);
      }
    };
-    exports2.HTTPError = HTTPError2;
+    exports2.HTTPError = HTTPError;
    var IS_WINDOWS = process.platform === "win32";
    var IS_MAC = process.platform === "darwin";
    var userAgent = "actions/tool-cache";
@@ -80945,7 +80947,7 @@ var require_tool_cache = __commonJS({
        return yield retryHelper.execute(() => __awaiter4(this, void 0, void 0, function* () {
          return yield downloadToolAttempt(url2, dest || "", auth, headers);
        }), (err) => {
-          if (err instanceof HTTPError2 && err.httpStatusCode) {
+          if (err instanceof HTTPError && err.httpStatusCode) {
            if (err.httpStatusCode < 500 && err.httpStatusCode !== 408 && err.httpStatusCode !== 429) {
              return false;
            }
@@ -80972,7 +80974,7 @@ var require_tool_cache = __commonJS({
        }
        const response = yield http.get(url2, headers);
        if (response.message.statusCode !== 200) {
-          const err = new HTTPError2(response.message.statusCode);
+          const err = new HTTPError(response.message.statusCode);
          core18.debug(`Failed to download from "${url2}". Code(${response.message.statusCode}) Message(${response.message.statusMessage})`);
          throw err;
        }
@@ -91192,8 +91194,8 @@ var require_primordials = __commonJS({
      ArrayPrototypeIndexOf(self2, el) {
        return self2.indexOf(el);
      },
-      ArrayPrototypeJoin(self2, sep4) {
-        return self2.join(sep4);
+      ArrayPrototypeJoin(self2, sep5) {
+        return self2.join(sep5);
      },
      ArrayPrototypeMap(self2, fn) {
        return self2.map(fn);
@@ -103080,7 +103082,7 @@ var require_commonjs16 = __commonJS({
       *
       * @internal
       */
-      constructor(cwd = process.cwd(), pathImpl, sep4, { nocase, childrenCacheSize = 16 * 1024, fs: fs20 = defaultFS } = {}) {
+      constructor(cwd = process.cwd(), pathImpl, sep5, { nocase, childrenCacheSize = 16 * 1024, fs: fs20 = defaultFS } = {}) {
        this.#fs = fsFromOption(fs20);
        if (cwd instanceof URL || cwd.startsWith("file://")) {
          cwd = (0, node_url_1.fileURLToPath)(cwd);
@@ -103091,7 +103093,7 @@ var require_commonjs16 = __commonJS({
        this.#resolveCache = new ResolveCache();
        this.#resolvePosixCache = new ResolveCache();
        this.#children = new ChildrenCache(childrenCacheSize);
-        const split = cwdPath.substring(this.rootPath.length).split(sep4);
+        const split = cwdPath.substring(this.rootPath.length).split(sep5);
        if (split.length === 1 && !split[0]) {
          split.pop();
        }
@@ -113264,7 +113266,7 @@ var require_dist_node17 = __commonJS({
    var once2 = _interopDefault(require_once());
    var logOnceCode = once2((deprecation2) => console.warn(deprecation2));
    var logOnceHeaders = once2((deprecation2) => console.warn(deprecation2));
-    var RequestError = class extends Error {
+    var RequestError2 = class extends Error {
      constructor(message, statusCode, options) {
        super(message);
        if (Error.captureStackTrace) {
@@ -113302,7 +113304,7 @@ var require_dist_node17 = __commonJS({
        });
      }
    };
-    exports2.RequestError = RequestError;
+    exports2.RequestError = RequestError2;
  }
 });

@@ -128050,28 +128052,13 @@ function getRequiredEnvParam(paramName) {
  }
  return value;
 }
-var HTTPError = class extends Error {
-  constructor(message, status) {
-    super(message);
-    this.status = status;
-  }
-};
 var ConfigurationError = class extends Error {
  constructor(message) {
    super(message);
  }
 };
-function asHTTPError(arg) {
-  if (typeof arg !== "object" || arg === null || typeof arg.message !== "string") {
-    return void 0;
-  }
-  if (Number.isInteger(arg.status)) {
-    return new HTTPError(arg.message, arg.status);
-  }
-  if (Number.isInteger(arg.httpStatusCode)) {
-    return new HTTPError(arg.message, arg.httpStatusCode);
-  }
-  return void 0;
+function isHTTPError(arg) {
+  return arg?.status !== void 0 && Number.isInteger(arg.status);
 }
 var cachedCodeQlVersion = void 0;
 function cacheCodeQlVersion(version) {
@@ -128618,24 +128605,14 @@ async function listActionsCaches(key, ref) {
  );
 }
 function wrapApiConfigurationError(e) {
-  const httpError = asHTTPError(e);
-  if (httpError !== void 0) {
-    if ([
-      /API rate limit exceeded/,
-      /commit not found/,
-      /Resource not accessible by integration/,
-      /ref .* not found in this repository/
-    ].some((pattern) => pattern.test(httpError.message))) {
-      return new ConfigurationError(httpError.message);
-    }
-    if (httpError.message.includes("Bad credentials") || httpError.message.includes("Not Found")) {
+  if (isHTTPError(e)) {
+    if (e.message.includes("API rate limit exceeded for installation") || e.message.includes("commit not found") || e.message.includes("Resource not accessible by integration") || /ref .* not found in this repository/.test(e.message)) {
+      return new ConfigurationError(e.message);
+    } else if (e.message.includes("Bad credentials") || e.message.includes("Not Found")) {
      return new ConfigurationError(
        "Please check that your token is valid and has the required permissions: contents: read, security-events: write"
      );
    }
-    if (httpError.status === 429) {
-      return new ConfigurationError("API rate limit exceeded");
-    }
  }
  return e;
 }
@@ -128649,6 +128626,45 @@ var path13 = __toESM(require("path"));
 var core10 = __toESM(require_core());
 var toolrunner3 = __toESM(require_toolrunner());

+// node_modules/@octokit/request-error/dist-src/index.js
+var RequestError = class extends Error {
+  name;
+  /**
+   * http status code
+   */
+  status;
+  /**
+   * Request options that lead to the error.
+   */
+  request;
+  /**
+   * Response object if a response was received
+   */
+  response;
+  constructor(message, statusCode, options) {
+    super(message);
+    this.name = "HttpError";
+    this.status = Number.parseInt(statusCode);
+    if (Number.isNaN(this.status)) {
+      this.status = 0;
+    }
+    if ("response" in options) {
+      this.response = options.response;
+    }
+    const requestCopy = Object.assign({}, options.request);
+    if (options.request.headers.authorization) {
+      requestCopy.headers = Object.assign({}, options.request.headers, {
+        authorization: options.request.headers.authorization.replace(
+          /(?<! ) .*$/,
+          " [REDACTED]"
+        )
+      });
+    }
+    requestCopy.url = requestCopy.url.replace(/\bclient_secret=\w+/g, "client_secret=[REDACTED]").replace(/\baccess_token=\w+/g, "access_token=[REDACTED]");
+    this.request = requestCopy;
+  }
+};
+
 // src/cli-errors.ts
 var SUPPORTED_PLATFORMS = [
  ["linux", "x64"],
@@ -129171,7 +129187,7 @@ function formatDuration(durationMs) {

 // src/overlay-database-utils.ts
 var CODEQL_OVERLAY_MINIMUM_VERSION = "2.22.4";
-var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB = 7500;
+var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB = 15e3;
 var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_BYTES = OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB * 1e6;
 async function writeBaseDatabaseOidsFile(config, sourceRoot) {
  const gitFileOids = await getFileOidsUnderPath(sourceRoot);
@@ -129250,11 +129266,6 @@ var featureConfig = {
    envVar: "CODEQL_ACTION_ALLOW_TOOLCACHE_INPUT",
    minimumVersion: void 0
  },
-  ["analyze_use_new_upload" /* AnalyzeUseNewUpload */]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_ANALYZE_USE_NEW_UPLOAD",
-    minimumVersion: void 0
-  },
  ["cleanup_trap_caches" /* CleanupTrapCaches */]: {
    defaultValue: false,
    envVar: "CODEQL_ACTION_CLEANUP_TRAP_CACHES",
@@ -129673,7 +129684,7 @@ var GitHubFeatureFlags = class {
        remoteFlags = { ...remoteFlags, ...chunkFlags };
      }
      this.logger.debug(
-        "Loaded the following default values for the feature flags from the CodeQL Action API:"
+        "Loaded the following default values for the feature flags from the Code Scanning API:"
      );
      for (const [feature, value] of Object.entries(remoteFlags).sort(
        ([nameA], [nameB]) => nameA.localeCompare(nameB)
@@ -129683,10 +129694,9 @@ var GitHubFeatureFlags = class {
      this.hasAccessedRemoteFeatureFlags = true;
      return remoteFlags;
    } catch (e) {
-      const httpError = asHTTPError(e);
-      if (httpError?.status === 403) {
+      if (isHTTPError(e) && e.status === 403) {
        this.logger.warning(
-          `This run of the CodeQL Action does not have permission to access the CodeQL Action API endpoints. As a result, it will not be opted into any experimental features. This could be because the Action is running on a pull request from a fork. If not, please ensure the workflow has at least the 'security-events: read' permission. Details: ${httpError.message}`
+          `This run of the CodeQL Action does not have permission to access Code Scanning API endpoints. As a result, it will not be opted into any experimental features. This could be because the Action is running on a pull request from a fork. If not, please ensure the Action has the 'security-events: write' permission. Details: ${e.message}`
        );
        this.hasAccessedRemoteFeatureFlags = false;
        return {};
@@ -129877,13 +129887,13 @@ async function getTarVersion() {
  }
  if (stdout.includes("GNU tar")) {
    const match = stdout.match(/tar \(GNU tar\) ([0-9.]+)/);
-    if (!match?.[1]) {
+    if (!match || !match[1]) {
      throw new Error("Failed to parse output of tar --version.");
    }
    return { type: "gnu", version: match[1] };
  } else if (stdout.includes("bsdtar")) {
    const match = stdout.match(/bsdtar ([0-9.]+)/);
-    if (!match?.[1]) {
+    if (!match || !match[1]) {
      throw new Error("Failed to parse output of tar --version.");
    }
    return { type: "bsd", version: match[1] };
@@ -130263,7 +130273,7 @@ function tryGetTagNameFromUrl(url2, logger) {
    return void 0;
  }
  const match = matches[matches.length - 1];
-  if (match?.length !== 2) {
+  if (match === null || match.length !== 2) {
    logger.debug(
      `Could not determine tag name for URL ${url2}. Matched ${JSON.stringify(
        match
@@ -130723,7 +130733,7 @@ async function shouldEnableIndirectTracing(codeql, config) {

 // src/codeql.ts
 var cachedCodeQL = void 0;
-var CODEQL_MINIMUM_VERSION = "2.17.6";
+var CODEQL_MINIMUM_VERSION = "2.16.6";
 var CODEQL_NEXT_MINIMUM_VERSION = "2.17.6";
 var GHES_VERSION_MOST_RECENTLY_DEPRECATED = "3.13";
 var GHES_MOST_RECENT_DEPRECATION_DATE = "2025-06-19";
@@ -130767,9 +130777,9 @@ async function setupCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliV
      toolsVersion,
      zstdAvailability
    };
-  } catch (rawError) {
-    const e = wrapApiConfigurationError(rawError);
-    const ErrorClass = e instanceof ConfigurationError || e instanceof Error && e.message.includes("ENOSPC") ? ConfigurationError : Error;
+  } catch (e) {
+    const ErrorClass = e instanceof ConfigurationError || e instanceof Error && e.message.includes("ENOSPC") || // out of disk space
+    e instanceof RequestError && e.status === 429 ? ConfigurationError : Error;
    throw new ErrorClass(
      `Unable to download and extract CodeQL CLI: ${getErrorMessage(e)}${e instanceof Error && e.stack ? `

@@ -131058,6 +131068,12 @@ ${output}`
      } else {
        codeqlArgs.push("--no-sarif-include-diagnostics");
      }
+      if (!isSupportedToolsFeature(
+        await this.getVersion(),
+        "analysisSummaryV2Default" /* AnalysisSummaryV2IsDefault */
+      )) {
+        codeqlArgs.push("--new-analysis-summary");
+      }
      codeqlArgs.push(databasePath);
      if (querySuitePaths) {
        codeqlArgs.push(...querySuitePaths);
@@ -131730,8 +131746,8 @@ async function createStatusReportBase(actionName, status, actionStartedAt, confi
    return void 0;
  }
 }
-var OUT_OF_DATE_MSG = "CodeQL Action is out-of-date. Please upgrade to the latest version of `codeql-action`.";
-var INCOMPATIBLE_MSG = "CodeQL Action version is incompatible with the API endpoint. Please update to a compatible version of `codeql-action`.";
+var OUT_OF_DATE_MSG = "CodeQL Action is out-of-date. Please upgrade to the latest version of codeql-action.";
+var INCOMPATIBLE_MSG = "CodeQL Action version is incompatible with the code scanning endpoint. Please update to a compatible version of codeql-action.";
 async function sendStatusReport(statusReport) {
  setJobStatusIfUnsuccessful(statusReport.status);
  const statusReportJSON = JSON.stringify(statusReport);
@@ -131752,22 +131768,19 @@ async function sendStatusReport(statusReport) {
      }
    );
  } catch (e) {
-    const httpError = asHTTPError(e);
-    if (httpError !== void 0) {
-      switch (httpError.status) {
+    if (isHTTPError(e)) {
+      switch (e.status) {
        case 403:
          if (getWorkflowEventName() === "push" && process.env["GITHUB_ACTOR"] === "dependabot[bot]") {
            core13.warning(
-              `Workflows triggered by Dependabot on the "push" event run with read-only access. Uploading CodeQL results requires write access. To use CodeQL with Dependabot, please ensure you are using the "pull_request" event for this workflow and avoid triggering on the "push" event for Dependabot branches. See ${"https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning#scanning-on-push" /* SCANNING_ON_PUSH */} for more information on how to configure these events.`
+              `Workflows triggered by Dependabot on the "push" event run with read-only access. Uploading Code Scanning results requires write access. To use Code Scanning with Dependabot, please ensure you are using the "pull_request" event for this workflow and avoid triggering on the "push" event for Dependabot branches. See ${"https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning#scanning-on-push" /* SCANNING_ON_PUSH */} for more information on how to configure these events.`
            );
          } else {
-            core13.warning(
-              `This run of the CodeQL Action does not have permission to access the CodeQL Action API endpoints. This could be because the Action is running on a pull request from a fork. If not, please ensure the workflow has at least the 'security-events: read' permission. Details: ${httpError.message}`
-            );
+            core13.warning(e.message);
          }
          return;
        case 404:
-          core13.warning(httpError.message);
+          core13.warning(e.message);
          return;
        case 422:
          if (getRequiredEnvParam("GITHUB_SERVER_URL") !== GITHUB_DOTCOM_URL) {
@@ -131779,7 +131792,7 @@ async function sendStatusReport(statusReport) {
      }
    }
    core13.warning(
-      `An unexpected error occurred when sending a status report: ${getErrorMessage(
+      `An unexpected error occurred when sending code scanning status report: ${getErrorMessage(
        e
      )}`
    );
@@ -133085,6 +133098,24 @@ async function combineSarifFilesUsingCLI(sarifFiles, gitHubVersion, features, lo
    );
    codeQL = initCodeQLResult.codeql;
  }
+  if (!await codeQL.supportsFeature(
+    "sarifMergeRunsFromEqualCategory" /* SarifMergeRunsFromEqualCategory */
+  )) {
+    await throwIfCombineSarifFilesDisabled(sarifObjects, gitHubVersion);
+    logger.warning(
+      "The CodeQL CLI does not support merging SARIF files. Merging files in the action."
+    );
+    if (await shouldShowCombineSarifFilesDeprecationWarning(
+      sarifObjects,
+      gitHubVersion
+    )) {
+      logger.warning(
+        `Uploading multiple CodeQL runs with the same category is deprecated ${deprecationWarningMessage} for CodeQL CLI 2.16.6 and earlier. Please update your CodeQL CLI version or update your workflow to set a distinct category for each CodeQL run. ${deprecationMoreInformationMessage}`
+      );
+      core14.exportVariable("CODEQL_MERGE_SARIF_DEPRECATION_WARNING", "true");
+    }
+    return combineSarifFiles(sarifFiles, logger);
+  }
  const baseTempDir = path17.resolve(tempDir, "combined-sarif");
  fs17.mkdirSync(baseTempDir, { recursive: true });
  const outputDirectory = fs17.mkdtempSync(path17.resolve(baseTempDir, "output-"));
@@ -133143,17 +133174,16 @@ async function uploadPayload(payload, repositoryNwo, logger, analysis) {
    logger.info("Successfully uploaded results");
    return response.data.id;
  } catch (e) {
-    const httpError = asHTTPError(e);
-    if (httpError !== void 0) {
-      switch (httpError.status) {
+    if (isHTTPError(e)) {
+      switch (e.status) {
        case 403:
-          core14.warning(httpError.message || GENERIC_403_MSG);
+          core14.warning(e.message || GENERIC_403_MSG);
          break;
        case 404:
-          core14.warning(httpError.message || GENERIC_404_MSG);
+          core14.warning(e.message || GENERIC_404_MSG);
          break;
        default:
-          core14.warning(httpError.message);
+          core14.warning(e.message);
          break;
      }
    }
@@ -133287,11 +133317,26 @@ function buildPayload(commitOid, ref, analysisKey, analysisName, zippedSarif, wo
  }
  return payloadObj;
 }
-async function postProcessSarifFiles(logger, features, checkoutPath, sarifPaths, category, analysis) {
-  logger.info(`Post-processing sarif files: ${JSON.stringify(sarifPaths)}`);
+async function uploadFiles(inputSarifPath, checkoutPath, category, features, logger, uploadTarget) {
+  const sarifPaths = getSarifFilePaths(
+    inputSarifPath,
+    uploadTarget.sarifPredicate
+  );
+  return uploadSpecifiedFiles(
+    sarifPaths,
+    checkoutPath,
+    category,
+    features,
+    logger,
+    uploadTarget
+  );
+}
+async function uploadSpecifiedFiles(sarifPaths, checkoutPath, category, features, logger, uploadTarget) {
+  logger.startGroup(`Uploading ${uploadTarget.name} results`);
+  logger.info(`Processing sarif files: ${JSON.stringify(sarifPaths)}`);
  const gitHubVersion = await getGitHubVersion();
  let sarif;
-  category = analysis.fixCategory(logger, category);
+  category = uploadTarget.fixCategory(logger, category);
  if (sarifPaths.length > 1) {
    for (const sarifPath of sarifPaths) {
      const parsedSarif = readSarifFile(sarifPath);
@@ -133319,59 +133364,28 @@ async function postProcessSarifFiles(logger, features, checkoutPath, sarifPaths,
    analysisKey,
    environment
  );
-  return { sarif, analysisKey, environment };
-}
-async function uploadFiles(inputSarifPath, checkoutPath, category, features, logger, uploadTarget) {
-  const sarifPaths = getSarifFilePaths(
-    inputSarifPath,
-    uploadTarget.sarifPredicate
-  );
-  return uploadSpecifiedFiles(
-    sarifPaths,
-    checkoutPath,
-    category,
-    features,
-    logger,
-    uploadTarget
-  );
-}
-async function uploadSpecifiedFiles(sarifPaths, checkoutPath, category, features, logger, uploadTarget) {
-  const processingResults = await postProcessSarifFiles(
-    logger,
-    features,
-    checkoutPath,
-    sarifPaths,
-    category,
-    uploadTarget
-  );
-  return uploadPostProcessedFiles(
-    logger,
-    checkoutPath,
-    uploadTarget,
-    processingResults
-  );
-}
-async function uploadPostProcessedFiles(logger, checkoutPath, uploadTarget, postProcessingResults) {
-  logger.startGroup(`Uploading ${uploadTarget.name} results`);
-  const sarif = postProcessingResults.sarif;
  const toolNames = getToolNames(sarif);
  logger.debug(`Validating that each SARIF run has a unique category`);
  validateUniqueCategory(sarif, uploadTarget.sentinelPrefix);
  logger.debug(`Serializing SARIF for upload`);
  const sarifPayload = JSON.stringify(sarif);
+  const dumpDir = process.env["CODEQL_ACTION_SARIF_DUMP_DIR" /* SARIF_DUMP_DIR */];
+  if (dumpDir) {
+    dumpSarifFile(sarifPayload, dumpDir, logger, uploadTarget);
+  }
  logger.debug(`Compressing serialized SARIF`);
  const zippedSarif = import_zlib.default.gzipSync(sarifPayload).toString("base64");
  const checkoutURI = url.pathToFileURL(checkoutPath).href;
  const payload = buildPayload(
    await getCommitOid(checkoutPath),
    await getRef(),
-    postProcessingResults.analysisKey,
+    analysisKey,
    getRequiredEnvParam("GITHUB_WORKFLOW"),
    zippedSarif,
    getWorkflowRunID(),
    getWorkflowRunAttempt(),
    checkoutURI,
-    postProcessingResults.environment,
+    environment,
    toolNames,
    await determineBaseBranchHeadCommitOid()
  );
@@ -133397,6 +133411,21 @@ async function uploadPostProcessedFiles(logger, checkoutPath, uploadTarget, post
    sarifID
  };
 }
+function dumpSarifFile(sarifPayload, outputDir, logger, uploadTarget) {
+  if (!fs17.existsSync(outputDir)) {
+    fs17.mkdirSync(outputDir, { recursive: true });
+  } else if (!fs17.lstatSync(outputDir).isDirectory()) {
+    throw new ConfigurationError(
+      `The path specified by the ${"CODEQL_ACTION_SARIF_DUMP_DIR" /* SARIF_DUMP_DIR */} environment variable exists and is not a directory: ${outputDir}`
+    );
+  }
+  const outputFile = path17.resolve(
+    outputDir,
+    `upload${uploadTarget.sarifExtension}`
+  );
+  logger.info(`Dumping processed SARIF file to ${outputFile}`);
+  fs17.writeFileSync(outputFile, sarifPayload);
+}
 var STATUS_CHECK_FREQUENCY_MILLISECONDS = 5 * 1e3;
 var STATUS_CHECK_TIMEOUT_MILLISECONDS = 2 * 60 * 1e3;
 async function waitForProcessing(repositoryNwo, sarifID, logger, options = {
@@ -133524,9 +133553,9 @@ function filterAlertsByDiffRange(logger, sarif) {
  if (!diffRanges?.length) {
    return sarif;
  }
+  const checkoutPath = getRequiredInput("checkout_path");
  for (const run2 of sarif.runs) {
    if (run2.results) {
-      const preAlertCount = run2.results.length;
      run2.results = run2.results.filter((result) => {
        const locations = [
          ...(result.locations || []).map((loc) => loc.physicalLocation),
@@ -133538,13 +133567,12 @@ function filterAlertsByDiffRange(logger, sarif) {
          if (!locationUri || locationStartLine === void 0) {
            return false;
          }
+          const locationPath = path17.join(checkoutPath, locationUri).replaceAll(path17.sep, "/");
          return diffRanges.some(
-            (range) => range.path === locationUri && (range.startLine <= locationStartLine && range.endLine >= locationStartLine || range.startLine === 0 && range.endLine === 0)
+            (range) => range.path === locationPath && (range.startLine <= locationStartLine && range.endLine >= locationStartLine || range.startLine === 0 && range.endLine === 0)
          );
        });
      });
-      const postAlertCount = run2.results.length;
-      logger.info(`Filtered ${preAlertCount - postAlertCount} alerts based on diff range.`);
    }
  }
  return sarif;
@@ -133640,7 +133668,7 @@ function getInputOrThrow(workflow, jobName, actionName, inputName, matrixVars) {
      input = input.replace(`\${{matrix.${key}}}`, value);
    }
  }
-  if (input?.includes("${{")) {
+  if (input !== void 0 && input.includes("${{")) {
    throw new Error(
      `Could not get ${inputName} input to ${actionName} since it contained an unrecognized dynamic value.`
    );
@@ -26460,7 +26460,7 @@ var require_package = __commonJS({
  "package.json"(exports2, module2) {
    module2.exports = {
      name: "codeql",
-      version: "4.31.1",
+      version: "4.30.9",
      private: true,
      description: "CodeQL action",
      scripts: {
@@ -26472,7 +26472,8 @@ var require_package = __commonJS({
        ava: "npm run transpile && ava --serial --verbose",
        test: "npm run ava -- src/",
        "test-debug": "npm run test -- --timeout=20m",
-        transpile: "tsc --build --verbose"
+        transpile: "npm run generate:schemas && tsc --build --verbose",
+        "generate:schemas": "node json-schemas.mjs"
      },
      ava: {
        typescript: {
@@ -26508,7 +26509,7 @@ var require_package = __commonJS({
        jsonschema: "1.4.1",
        long: "^5.3.2",
        "node-forge": "^1.3.1",
-        octokit: "^5.0.4",
+        octokit: "^5.0.3",
        semver: "^7.7.3",
        uuid: "^13.0.0"
      },
@@ -26516,7 +26517,7 @@ var require_package = __commonJS({
        "@ava/typescript": "6.0.0",
        "@eslint/compat": "^1.4.0",
        "@eslint/eslintrc": "^3.3.1",
-        "@eslint/js": "^9.38.0",
+        "@eslint/js": "^9.37.0",
        "@microsoft/eslint-formatter-sarif": "^3.1.0",
        "@octokit/types": "^15.0.0",
        "@types/archiver": "^6.0.3",
@@ -26527,10 +26528,10 @@ var require_package = __commonJS({
        "@types/node-forge": "^1.3.14",
        "@types/semver": "^7.7.1",
        "@types/sinon": "^17.0.4",
-        "@typescript-eslint/eslint-plugin": "^8.46.1",
+        "@typescript-eslint/eslint-plugin": "^8.46.0",
        "@typescript-eslint/parser": "^8.41.0",
        ava: "^6.4.1",
-        esbuild: "^0.25.11",
+        esbuild: "^0.25.10",
        eslint: "^8.57.1",
        "eslint-import-resolver-typescript": "^3.8.7",
        "eslint-plugin-filenames": "^1.3.2",
@@ -26538,6 +26539,7 @@ var require_package = __commonJS({
        "eslint-plugin-import": "2.29.1",
        "eslint-plugin-no-async-foreach": "^0.1.1",
        glob: "^11.0.3",
+        "json-schema-to-typescript": "^15.0.4",
        nock: "^14.0.10",
        sinon: "^21.0.0",
        typescript: "^5.9.3"
@@ -75072,14 +75074,14 @@ var require_tool_cache = __commonJS({
    var assert_1 = require("assert");
    var exec_1 = require_exec();
    var retry_helper_1 = require_retry_helper();
-    var HTTPError2 = class extends Error {
+    var HTTPError = class extends Error {
      constructor(httpStatusCode) {
        super(`Unexpected HTTP response: ${httpStatusCode}`);
        this.httpStatusCode = httpStatusCode;
        Object.setPrototypeOf(this, new.target.prototype);
      }
    };
-    exports2.HTTPError = HTTPError2;
+    exports2.HTTPError = HTTPError;
    var IS_WINDOWS = process.platform === "win32";
    var IS_MAC = process.platform === "darwin";
    var userAgent = "actions/tool-cache";
@@ -75096,7 +75098,7 @@ var require_tool_cache = __commonJS({
        return yield retryHelper.execute(() => __awaiter4(this, void 0, void 0, function* () {
          return yield downloadToolAttempt(url, dest || "", auth, headers);
        }), (err) => {
-          if (err instanceof HTTPError2 && err.httpStatusCode) {
+          if (err instanceof HTTPError && err.httpStatusCode) {
            if (err.httpStatusCode < 500 && err.httpStatusCode !== 408 && err.httpStatusCode !== 429) {
              return false;
            }
@@ -75123,7 +75125,7 @@ var require_tool_cache = __commonJS({
        }
        const response = yield http.get(url, headers);
        if (response.message.statusCode !== 200) {
-          const err = new HTTPError2(response.message.statusCode);
+          const err = new HTTPError(response.message.statusCode);
          core13.debug(`Failed to download from "${url}". Code(${response.message.statusCode}) Message(${response.message.statusMessage})`);
          throw err;
        }
@@ -78978,28 +78980,13 @@ function getRequiredEnvParam(paramName) {
  }
  return value;
 }
-var HTTPError = class extends Error {
-  constructor(message, status) {
-    super(message);
-    this.status = status;
-  }
-};
 var ConfigurationError = class extends Error {
  constructor(message) {
    super(message);
  }
 };
-function asHTTPError(arg) {
-  if (typeof arg !== "object" || arg === null || typeof arg.message !== "string") {
-    return void 0;
-  }
-  if (Number.isInteger(arg.status)) {
-    return new HTTPError(arg.message, arg.status);
-  }
-  if (Number.isInteger(arg.httpStatusCode)) {
-    return new HTTPError(arg.message, arg.httpStatusCode);
-  }
-  return void 0;
+function isHTTPError(arg) {
+  return arg?.status !== void 0 && Number.isInteger(arg.status);
 }
 var cachedCodeQlVersion = void 0;
 function cacheCodeQlVersion(version) {
@@ -79806,7 +79793,7 @@ function getActionsLogger() {

 // src/overlay-database-utils.ts
 var CODEQL_OVERLAY_MINIMUM_VERSION = "2.22.4";
-var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB = 7500;
+var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB = 15e3;
 var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_BYTES = OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB * 1e6;
 async function writeBaseDatabaseOidsFile(config, sourceRoot) {
  const gitFileOids = await getFileOidsUnderPath(sourceRoot);
@@ -79878,11 +79865,6 @@ var featureConfig = {
    envVar: "CODEQL_ACTION_ALLOW_TOOLCACHE_INPUT",
    minimumVersion: void 0
  },
-  ["analyze_use_new_upload" /* AnalyzeUseNewUpload */]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_ANALYZE_USE_NEW_UPLOAD",
-    minimumVersion: void 0
-  },
  ["cleanup_trap_caches" /* CleanupTrapCaches */]: {
    defaultValue: false,
    envVar: "CODEQL_ACTION_CLEANUP_TRAP_CACHES",
@@ -80171,7 +80153,7 @@ async function shouldEnableIndirectTracing(codeql, config) {

 // src/codeql.ts
 var cachedCodeQL = void 0;
-var CODEQL_MINIMUM_VERSION = "2.17.6";
+var CODEQL_MINIMUM_VERSION = "2.16.6";
 var CODEQL_NEXT_MINIMUM_VERSION = "2.17.6";
 var GHES_VERSION_MOST_RECENTLY_DEPRECATED = "3.13";
 var GHES_MOST_RECENT_DEPRECATION_DATE = "2025-06-19";
@@ -80458,6 +80440,12 @@ ${output}`
      } else {
        codeqlArgs.push("--no-sarif-include-diagnostics");
      }
+      if (!isSupportedToolsFeature(
+        await this.getVersion(),
+        "analysisSummaryV2Default" /* AnalysisSummaryV2IsDefault */
+      )) {
+        codeqlArgs.push("--new-analysis-summary");
+      }
      codeqlArgs.push(databasePath);
      if (querySuitePaths) {
        codeqlArgs.push(...querySuitePaths);
@@ -80853,8 +80841,8 @@ async function createStatusReportBase(actionName, status, actionStartedAt, confi
    return void 0;
  }
 }
-var OUT_OF_DATE_MSG = "CodeQL Action is out-of-date. Please upgrade to the latest version of `codeql-action`.";
-var INCOMPATIBLE_MSG = "CodeQL Action version is incompatible with the API endpoint. Please update to a compatible version of `codeql-action`.";
+var OUT_OF_DATE_MSG = "CodeQL Action is out-of-date. Please upgrade to the latest version of codeql-action.";
+var INCOMPATIBLE_MSG = "CodeQL Action version is incompatible with the code scanning endpoint. Please update to a compatible version of codeql-action.";
 async function sendStatusReport(statusReport) {
  setJobStatusIfUnsuccessful(statusReport.status);
  const statusReportJSON = JSON.stringify(statusReport);
@@ -80875,22 +80863,19 @@ async function sendStatusReport(statusReport) {
      }
    );
  } catch (e) {
-    const httpError = asHTTPError(e);
-    if (httpError !== void 0) {
-      switch (httpError.status) {
+    if (isHTTPError(e)) {
+      switch (e.status) {
        case 403:
          if (getWorkflowEventName() === "push" && process.env["GITHUB_ACTOR"] === "dependabot[bot]") {
            core11.warning(
-              `Workflows triggered by Dependabot on the "push" event run with read-only access. Uploading CodeQL results requires write access. To use CodeQL with Dependabot, please ensure you are using the "pull_request" event for this workflow and avoid triggering on the "push" event for Dependabot branches. See ${"https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning#scanning-on-push" /* SCANNING_ON_PUSH */} for more information on how to configure these events.`
+              `Workflows triggered by Dependabot on the "push" event run with read-only access. Uploading Code Scanning results requires write access. To use Code Scanning with Dependabot, please ensure you are using the "pull_request" event for this workflow and avoid triggering on the "push" event for Dependabot branches. See ${"https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning#scanning-on-push" /* SCANNING_ON_PUSH */} for more information on how to configure these events.`
            );
          } else {
-            core11.warning(
-              `This run of the CodeQL Action does not have permission to access the CodeQL Action API endpoints. This could be because the Action is running on a pull request from a fork. If not, please ensure the workflow has at least the 'security-events: read' permission. Details: ${httpError.message}`
-            );
+            core11.warning(e.message);
          }
          return;
        case 404:
-          core11.warning(httpError.message);
+          core11.warning(e.message);
          return;
        case 422:
          if (getRequiredEnvParam("GITHUB_SERVER_URL") !== GITHUB_DOTCOM_URL) {
@@ -80902,7 +80887,7 @@ async function sendStatusReport(statusReport) {
      }
    }
    core11.warning(
-      `An unexpected error occurred when sending a status report: ${getErrorMessage(
+      `An unexpected error occurred when sending code scanning status report: ${getErrorMessage(
        e
      )}`
    );
@@ -20602,14 +20602,14 @@ var require_dist_node4 = __commonJS({
    var __toCommonJS2 = (mod) => __copyProps2(__defProp2({}, "__esModule", { value: true }), mod);
    var dist_src_exports = {};
    __export2(dist_src_exports, {
-      RequestError: () => RequestError
+      RequestError: () => RequestError2
    });
    module2.exports = __toCommonJS2(dist_src_exports);
    var import_deprecation = require_dist_node3();
    var import_once = __toESM2(require_once());
    var logOnceCode = (0, import_once.default)((deprecation) => console.warn(deprecation));
    var logOnceHeaders = (0, import_once.default)((deprecation) => console.warn(deprecation));
-    var RequestError = class extends Error {
+    var RequestError2 = class extends Error {
      constructor(message, statusCode, options) {
        super(message);
        if (Error.captureStackTrace) {
@@ -20701,7 +20701,7 @@ var require_dist_node5 = __commonJS({
      const Ctor = Object.prototype.hasOwnProperty.call(proto, "constructor") && proto.constructor;
      return typeof Ctor === "function" && Ctor instanceof Ctor && Function.prototype.call(Ctor) === Function.prototype.call(value);
    }
-    var import_request_error = require_dist_node4();
+    var import_request_error2 = require_dist_node4();
    function getBufferResponse(response) {
      return response.arrayBuffer();
    }
@@ -20753,7 +20753,7 @@ var require_dist_node5 = __commonJS({
          if (status < 400) {
            return;
          }
-          throw new import_request_error.RequestError(response.statusText, status, {
+          throw new import_request_error2.RequestError(response.statusText, status, {
            response: {
              url,
              status,
@@ -20764,7 +20764,7 @@ var require_dist_node5 = __commonJS({
          });
        }
        if (status === 304) {
-          throw new import_request_error.RequestError("Not modified", status, {
+          throw new import_request_error2.RequestError("Not modified", status, {
            response: {
              url,
              status,
@@ -20776,7 +20776,7 @@ var require_dist_node5 = __commonJS({
        }
        if (status >= 400) {
          const data = await getResponseData(response);
-          const error2 = new import_request_error.RequestError(toErrorMessage(data), status, {
+          const error2 = new import_request_error2.RequestError(toErrorMessage(data), status, {
            response: {
              url,
              status,
@@ -20796,7 +20796,7 @@ var require_dist_node5 = __commonJS({
          data
        };
      }).catch((error2) => {
-        if (error2 instanceof import_request_error.RequestError)
+        if (error2 instanceof import_request_error2.RequestError)
          throw error2;
        else if (error2.name === "AbortError")
          throw error2;
@@ -20808,7 +20808,7 @@ var require_dist_node5 = __commonJS({
            message = error2.cause;
          }
        }
-        throw new import_request_error.RequestError(message, 500, {
+        throw new import_request_error2.RequestError(message, 500, {
          request: requestOptions
        });
      });
@@ -21250,14 +21250,14 @@ var require_dist_node7 = __commonJS({
    var __toCommonJS2 = (mod) => __copyProps2(__defProp2({}, "__esModule", { value: true }), mod);
    var dist_src_exports = {};
    __export2(dist_src_exports, {
-      RequestError: () => RequestError
+      RequestError: () => RequestError2
    });
    module2.exports = __toCommonJS2(dist_src_exports);
    var import_deprecation = require_dist_node3();
    var import_once = __toESM2(require_once());
    var logOnceCode = (0, import_once.default)((deprecation) => console.warn(deprecation));
    var logOnceHeaders = (0, import_once.default)((deprecation) => console.warn(deprecation));
-    var RequestError = class extends Error {
+    var RequestError2 = class extends Error {
      constructor(message, statusCode, options) {
        super(message);
        if (Error.captureStackTrace) {
@@ -21349,7 +21349,7 @@ var require_dist_node8 = __commonJS({
      const Ctor = Object.prototype.hasOwnProperty.call(proto, "constructor") && proto.constructor;
      return typeof Ctor === "function" && Ctor instanceof Ctor && Function.prototype.call(Ctor) === Function.prototype.call(value);
    }
-    var import_request_error = require_dist_node7();
+    var import_request_error2 = require_dist_node7();
    function getBufferResponse(response) {
      return response.arrayBuffer();
    }
@@ -21401,7 +21401,7 @@ var require_dist_node8 = __commonJS({
          if (status < 400) {
            return;
          }
-          throw new import_request_error.RequestError(response.statusText, status, {
+          throw new import_request_error2.RequestError(response.statusText, status, {
            response: {
              url,
              status,
@@ -21412,7 +21412,7 @@ var require_dist_node8 = __commonJS({
          });
        }
        if (status === 304) {
-          throw new import_request_error.RequestError("Not modified", status, {
+          throw new import_request_error2.RequestError("Not modified", status, {
            response: {
              url,
              status,
@@ -21424,7 +21424,7 @@ var require_dist_node8 = __commonJS({
        }
        if (status >= 400) {
          const data = await getResponseData(response);
-          const error2 = new import_request_error.RequestError(toErrorMessage(data), status, {
+          const error2 = new import_request_error2.RequestError(toErrorMessage(data), status, {
            response: {
              url,
              status,
@@ -21444,7 +21444,7 @@ var require_dist_node8 = __commonJS({
          data
        };
      }).catch((error2) => {
-        if (error2 instanceof import_request_error.RequestError)
+        if (error2 instanceof import_request_error2.RequestError)
          throw error2;
        else if (error2.name === "AbortError")
          throw error2;
@@ -21456,7 +21456,7 @@ var require_dist_node8 = __commonJS({
            message = error2.cause;
          }
        }
-        throw new import_request_error.RequestError(message, 500, {
+        throw new import_request_error2.RequestError(message, 500, {
          request: requestOptions
        });
      });
@@ -32309,7 +32309,7 @@ var require_package = __commonJS({
  "package.json"(exports2, module2) {
    module2.exports = {
      name: "codeql",
-      version: "4.31.1",
+      version: "4.30.9",
      private: true,
      description: "CodeQL action",
      scripts: {
@@ -32321,7 +32321,8 @@ var require_package = __commonJS({
        ava: "npm run transpile && ava --serial --verbose",
        test: "npm run ava -- src/",
        "test-debug": "npm run test -- --timeout=20m",
-        transpile: "tsc --build --verbose"
+        transpile: "npm run generate:schemas && tsc --build --verbose",
+        "generate:schemas": "node json-schemas.mjs"
      },
      ava: {
        typescript: {
@@ -32357,7 +32358,7 @@ var require_package = __commonJS({
        jsonschema: "1.4.1",
        long: "^5.3.2",
        "node-forge": "^1.3.1",
-        octokit: "^5.0.4",
+        octokit: "^5.0.3",
        semver: "^7.7.3",
        uuid: "^13.0.0"
      },
@@ -32365,7 +32366,7 @@ var require_package = __commonJS({
        "@ava/typescript": "6.0.0",
        "@eslint/compat": "^1.4.0",
        "@eslint/eslintrc": "^3.3.1",
-        "@eslint/js": "^9.38.0",
+        "@eslint/js": "^9.37.0",
        "@microsoft/eslint-formatter-sarif": "^3.1.0",
        "@octokit/types": "^15.0.0",
        "@types/archiver": "^6.0.3",
@@ -32376,10 +32377,10 @@ var require_package = __commonJS({
        "@types/node-forge": "^1.3.14",
        "@types/semver": "^7.7.1",
        "@types/sinon": "^17.0.4",
-        "@typescript-eslint/eslint-plugin": "^8.46.1",
+        "@typescript-eslint/eslint-plugin": "^8.46.0",
        "@typescript-eslint/parser": "^8.41.0",
        ava: "^6.4.1",
-        esbuild: "^0.25.11",
+        esbuild: "^0.25.10",
        eslint: "^8.57.1",
        "eslint-import-resolver-typescript": "^3.8.7",
        "eslint-plugin-filenames": "^1.3.2",
@@ -32387,6 +32388,7 @@ var require_package = __commonJS({
        "eslint-plugin-import": "2.29.1",
        "eslint-plugin-no-async-foreach": "^0.1.1",
        glob: "^11.0.3",
+        "json-schema-to-typescript": "^15.0.4",
        nock: "^14.0.10",
        sinon: "^21.0.0",
        typescript: "^5.9.3"
@@ -33768,14 +33770,14 @@ var require_dist_node14 = __commonJS({
    var __toCommonJS2 = (mod) => __copyProps2(__defProp2({}, "__esModule", { value: true }), mod);
    var dist_src_exports = {};
    __export2(dist_src_exports, {
-      RequestError: () => RequestError
+      RequestError: () => RequestError2
    });
    module2.exports = __toCommonJS2(dist_src_exports);
    var import_deprecation = require_dist_node3();
    var import_once = __toESM2(require_once());
    var logOnceCode = (0, import_once.default)((deprecation) => console.warn(deprecation));
    var logOnceHeaders = (0, import_once.default)((deprecation) => console.warn(deprecation));
-    var RequestError = class extends Error {
+    var RequestError2 = class extends Error {
      constructor(message, statusCode, options) {
        super(message);
        if (Error.captureStackTrace) {
@@ -33877,7 +33879,7 @@ var require_dist_node15 = __commonJS({
      throw error2;
    }
    var import_light = __toESM2(require_light());
-    var import_request_error = require_dist_node14();
+    var import_request_error2 = require_dist_node14();
    async function wrapRequest(state, octokit, request, options) {
      const limiter = new import_light.default();
      limiter.on("failed", function(error2, info4) {
@@ -33898,7 +33900,7 @@ var require_dist_node15 = __commonJS({
      if (response.data && response.data.errors && response.data.errors.length > 0 && /Something went wrong while executing your query/.test(
        response.data.errors[0].message
      )) {
-        const error2 = new import_request_error.RequestError(response.data.errors[0].message, 500, {
+        const error2 = new import_request_error2.RequestError(response.data.errors[0].message, 500, {
          request: options,
          response
        });
@@ -80921,14 +80923,14 @@ var require_tool_cache = __commonJS({
    var assert_1 = require("assert");
    var exec_1 = require_exec();
    var retry_helper_1 = require_retry_helper();
-    var HTTPError2 = class extends Error {
+    var HTTPError = class extends Error {
      constructor(httpStatusCode) {
        super(`Unexpected HTTP response: ${httpStatusCode}`);
        this.httpStatusCode = httpStatusCode;
        Object.setPrototypeOf(this, new.target.prototype);
      }
    };
-    exports2.HTTPError = HTTPError2;
+    exports2.HTTPError = HTTPError;
    var IS_WINDOWS = process.platform === "win32";
    var IS_MAC = process.platform === "darwin";
    var userAgent = "actions/tool-cache";
@@ -80945,7 +80947,7 @@ var require_tool_cache = __commonJS({
        return yield retryHelper.execute(() => __awaiter4(this, void 0, void 0, function* () {
          return yield downloadToolAttempt(url, dest || "", auth, headers);
        }), (err) => {
-          if (err instanceof HTTPError2 && err.httpStatusCode) {
+          if (err instanceof HTTPError && err.httpStatusCode) {
            if (err.httpStatusCode < 500 && err.httpStatusCode !== 408 && err.httpStatusCode !== 429) {
              return false;
            }
@@ -80972,7 +80974,7 @@ var require_tool_cache = __commonJS({
        }
        const response = yield http.get(url, headers);
        if (response.message.statusCode !== 200) {
-          const err = new HTTPError2(response.message.statusCode);
+          const err = new HTTPError(response.message.statusCode);
          core13.debug(`Failed to download from "${url}". Code(${response.message.statusCode}) Message(${response.message.statusMessage})`);
          throw err;
        }
@@ -85630,28 +85632,13 @@ function getRequiredEnvParam(paramName) {
  }
  return value;
 }
-var HTTPError = class extends Error {
-  constructor(message, status) {
-    super(message);
-    this.status = status;
-  }
-};
 var ConfigurationError = class extends Error {
  constructor(message) {
    super(message);
  }
 };
-function asHTTPError(arg) {
-  if (typeof arg !== "object" || arg === null || typeof arg.message !== "string") {
-    return void 0;
-  }
-  if (Number.isInteger(arg.status)) {
-    return new HTTPError(arg.message, arg.status);
-  }
-  if (Number.isInteger(arg.httpStatusCode)) {
-    return new HTTPError(arg.message, arg.httpStatusCode);
-  }
-  return void 0;
+function isHTTPError(arg) {
+  return arg?.status !== void 0 && Number.isInteger(arg.status);
 }
 var cachedCodeQlVersion = void 0;
 function cacheCodeQlVersion(version) {
@@ -86063,28 +86050,6 @@ async function getAnalysisKey() {
  core5.exportVariable(analysisKeyEnvVar, analysisKey);
  return analysisKey;
 }
-function wrapApiConfigurationError(e) {
-  const httpError = asHTTPError(e);
-  if (httpError !== void 0) {
-    if ([
-      /API rate limit exceeded/,
-      /commit not found/,
-      /Resource not accessible by integration/,
-      /ref .* not found in this repository/
-    ].some((pattern) => pattern.test(httpError.message))) {
-      return new ConfigurationError(httpError.message);
-    }
-    if (httpError.message.includes("Bad credentials") || httpError.message.includes("Not Found")) {
-      return new ConfigurationError(
-        "Please check that your token is valid and has the required permissions: contents: read, security-events: write"
-      );
-    }
-    if (httpError.status === 429) {
-      return new ConfigurationError("API rate limit exceeded");
-    }
-  }
-  return e;
-}

 // src/feature-flags.ts
 var fs6 = __toESM(require("fs"));
@@ -86282,7 +86247,7 @@ function formatDuration(durationMs) {

 // src/overlay-database-utils.ts
 var CODEQL_OVERLAY_MINIMUM_VERSION = "2.22.4";
-var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB = 7500;
+var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB = 15e3;
 var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_BYTES = OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB * 1e6;
 async function writeBaseDatabaseOidsFile(config, sourceRoot) {
  const gitFileOids = await getFileOidsUnderPath(sourceRoot);
@@ -86357,11 +86322,6 @@ var featureConfig = {
    envVar: "CODEQL_ACTION_ALLOW_TOOLCACHE_INPUT",
    minimumVersion: void 0
  },
-  ["analyze_use_new_upload" /* AnalyzeUseNewUpload */]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_ANALYZE_USE_NEW_UPLOAD",
-    minimumVersion: void 0
-  },
  ["cleanup_trap_caches" /* CleanupTrapCaches */]: {
    defaultValue: false,
    envVar: "CODEQL_ACTION_CLEANUP_TRAP_CACHES",
@@ -86780,7 +86740,7 @@ var GitHubFeatureFlags = class {
        remoteFlags = { ...remoteFlags, ...chunkFlags };
      }
      this.logger.debug(
-        "Loaded the following default values for the feature flags from the CodeQL Action API:"
+        "Loaded the following default values for the feature flags from the Code Scanning API:"
      );
      for (const [feature, value] of Object.entries(remoteFlags).sort(
        ([nameA], [nameB]) => nameA.localeCompare(nameB)
@@ -86790,10 +86750,9 @@ var GitHubFeatureFlags = class {
      this.hasAccessedRemoteFeatureFlags = true;
      return remoteFlags;
    } catch (e) {
-      const httpError = asHTTPError(e);
-      if (httpError?.status === 403) {
+      if (isHTTPError(e) && e.status === 403) {
        this.logger.warning(
-          `This run of the CodeQL Action does not have permission to access the CodeQL Action API endpoints. As a result, it will not be opted into any experimental features. This could be because the Action is running on a pull request from a fork. If not, please ensure the workflow has at least the 'security-events: read' permission. Details: ${httpError.message}`
+          `This run of the CodeQL Action does not have permission to access Code Scanning API endpoints. As a result, it will not be opted into any experimental features. This could be because the Action is running on a pull request from a fork. If not, please ensure the Action has the 'security-events: write' permission. Details: ${e.message}`
        );
        this.hasAccessedRemoteFeatureFlags = false;
        return {};
@@ -86816,6 +86775,45 @@ var path11 = __toESM(require("path"));
 var core10 = __toESM(require_core());
 var toolrunner3 = __toESM(require_toolrunner());

+// node_modules/@octokit/request-error/dist-src/index.js
+var RequestError = class extends Error {
+  name;
+  /**
+   * http status code
+   */
+  status;
+  /**
+   * Request options that lead to the error.
+   */
+  request;
+  /**
+   * Response object if a response was received
+   */
+  response;
+  constructor(message, statusCode, options) {
+    super(message);
+    this.name = "HttpError";
+    this.status = Number.parseInt(statusCode);
+    if (Number.isNaN(this.status)) {
+      this.status = 0;
+    }
+    if ("response" in options) {
+      this.response = options.response;
+    }
+    const requestCopy = Object.assign({}, options.request);
+    if (options.request.headers.authorization) {
+      requestCopy.headers = Object.assign({}, options.request.headers, {
+        authorization: options.request.headers.authorization.replace(
+          /(?<! ) .*$/,
+          " [REDACTED]"
+        )
+      });
+    }
+    requestCopy.url = requestCopy.url.replace(/\bclient_secret=\w+/g, "client_secret=[REDACTED]").replace(/\baccess_token=\w+/g, "access_token=[REDACTED]");
+    this.request = requestCopy;
+  }
+};
+
 // src/cli-errors.ts
 var SUPPORTED_PLATFORMS = [
  ["linux", "x64"],
@@ -87156,13 +87154,13 @@ async function getTarVersion() {
  }
  if (stdout.includes("GNU tar")) {
    const match = stdout.match(/tar \(GNU tar\) ([0-9.]+)/);
-    if (!match?.[1]) {
+    if (!match || !match[1]) {
      throw new Error("Failed to parse output of tar --version.");
    }
    return { type: "gnu", version: match[1] };
  } else if (stdout.includes("bsdtar")) {
    const match = stdout.match(/bsdtar ([0-9.]+)/);
-    if (!match?.[1]) {
+    if (!match || !match[1]) {
      throw new Error("Failed to parse output of tar --version.");
    }
    return { type: "bsd", version: match[1] };
@@ -87542,7 +87540,7 @@ function tryGetTagNameFromUrl(url, logger) {
    return void 0;
  }
  const match = matches[matches.length - 1];
-  if (match?.length !== 2) {
+  if (match === null || match.length !== 2) {
    logger.debug(
      `Could not determine tag name for URL ${url}. Matched ${JSON.stringify(
        match
@@ -88002,7 +88000,7 @@ async function shouldEnableIndirectTracing(codeql, config) {

 // src/codeql.ts
 var cachedCodeQL = void 0;
-var CODEQL_MINIMUM_VERSION = "2.17.6";
+var CODEQL_MINIMUM_VERSION = "2.16.6";
 var CODEQL_NEXT_MINIMUM_VERSION = "2.17.6";
 var GHES_VERSION_MOST_RECENTLY_DEPRECATED = "3.13";
 var GHES_MOST_RECENT_DEPRECATION_DATE = "2025-06-19";
@@ -88046,9 +88044,9 @@ async function setupCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliV
      toolsVersion,
      zstdAvailability
    };
-  } catch (rawError) {
-    const e = wrapApiConfigurationError(rawError);
-    const ErrorClass = e instanceof ConfigurationError || e instanceof Error && e.message.includes("ENOSPC") ? ConfigurationError : Error;
+  } catch (e) {
+    const ErrorClass = e instanceof ConfigurationError || e instanceof Error && e.message.includes("ENOSPC") || // out of disk space
+    e instanceof RequestError && e.status === 429 ? ConfigurationError : Error;
    throw new ErrorClass(
      `Unable to download and extract CodeQL CLI: ${getErrorMessage(e)}${e instanceof Error && e.stack ? `

@@ -88331,6 +88329,12 @@ ${output}`
      } else {
        codeqlArgs.push("--no-sarif-include-diagnostics");
      }
+      if (!isSupportedToolsFeature(
+        await this.getVersion(),
+        "analysisSummaryV2Default" /* AnalysisSummaryV2IsDefault */
+      )) {
+        codeqlArgs.push("--new-analysis-summary");
+      }
      codeqlArgs.push(databasePath);
      if (querySuitePaths) {
        codeqlArgs.push(...querySuitePaths);
@@ -88744,8 +88748,8 @@ async function createStatusReportBase(actionName, status, actionStartedAt, confi
    return void 0;
  }
 }
-var OUT_OF_DATE_MSG = "CodeQL Action is out-of-date. Please upgrade to the latest version of `codeql-action`.";
-var INCOMPATIBLE_MSG = "CodeQL Action version is incompatible with the API endpoint. Please update to a compatible version of `codeql-action`.";
+var OUT_OF_DATE_MSG = "CodeQL Action is out-of-date. Please upgrade to the latest version of codeql-action.";
+var INCOMPATIBLE_MSG = "CodeQL Action version is incompatible with the code scanning endpoint. Please update to a compatible version of codeql-action.";
 async function sendStatusReport(statusReport) {
  setJobStatusIfUnsuccessful(statusReport.status);
  const statusReportJSON = JSON.stringify(statusReport);
@@ -88766,22 +88770,19 @@ async function sendStatusReport(statusReport) {
      }
    );
  } catch (e) {
-    const httpError = asHTTPError(e);
-    if (httpError !== void 0) {
-      switch (httpError.status) {
+    if (isHTTPError(e)) {
+      switch (e.status) {
        case 403:
          if (getWorkflowEventName() === "push" && process.env["GITHUB_ACTOR"] === "dependabot[bot]") {
            core11.warning(
-              `Workflows triggered by Dependabot on the "push" event run with read-only access. Uploading CodeQL results requires write access. To use CodeQL with Dependabot, please ensure you are using the "pull_request" event for this workflow and avoid triggering on the "push" event for Dependabot branches. See ${"https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning#scanning-on-push" /* SCANNING_ON_PUSH */} for more information on how to configure these events.`
+              `Workflows triggered by Dependabot on the "push" event run with read-only access. Uploading Code Scanning results requires write access. To use Code Scanning with Dependabot, please ensure you are using the "pull_request" event for this workflow and avoid triggering on the "push" event for Dependabot branches. See ${"https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning#scanning-on-push" /* SCANNING_ON_PUSH */} for more information on how to configure these events.`
            );
          } else {
-            core11.warning(
-              `This run of the CodeQL Action does not have permission to access the CodeQL Action API endpoints. This could be because the Action is running on a pull request from a fork. If not, please ensure the workflow has at least the 'security-events: read' permission. Details: ${httpError.message}`
-            );
+            core11.warning(e.message);
          }
          return;
        case 404:
-          core11.warning(httpError.message);
+          core11.warning(e.message);
          return;
        case 422:
          if (getRequiredEnvParam("GITHUB_SERVER_URL") !== GITHUB_DOTCOM_URL) {
@@ -88793,7 +88794,7 @@ async function sendStatusReport(statusReport) {
      }
    }
    core11.warning(
-      `An unexpected error occurred when sending a status report: ${getErrorMessage(
+      `An unexpected error occurred when sending code scanning status report: ${getErrorMessage(
        e
      )}`
    );
@@ -26460,7 +26460,7 @@ var require_package = __commonJS({
  "package.json"(exports2, module2) {
    module2.exports = {
      name: "codeql",
-      version: "4.31.1",
+      version: "4.30.9",
      private: true,
      description: "CodeQL action",
      scripts: {
@@ -26472,7 +26472,8 @@ var require_package = __commonJS({
        ava: "npm run transpile && ava --serial --verbose",
        test: "npm run ava -- src/",
        "test-debug": "npm run test -- --timeout=20m",
-        transpile: "tsc --build --verbose"
+        transpile: "npm run generate:schemas && tsc --build --verbose",
+        "generate:schemas": "node json-schemas.mjs"
      },
      ava: {
        typescript: {
@@ -26508,7 +26509,7 @@ var require_package = __commonJS({
        jsonschema: "1.4.1",
        long: "^5.3.2",
        "node-forge": "^1.3.1",
-        octokit: "^5.0.4",
+        octokit: "^5.0.3",
        semver: "^7.7.3",
        uuid: "^13.0.0"
      },
@@ -26516,7 +26517,7 @@ var require_package = __commonJS({
        "@ava/typescript": "6.0.0",
        "@eslint/compat": "^1.4.0",
        "@eslint/eslintrc": "^3.3.1",
-        "@eslint/js": "^9.38.0",
+        "@eslint/js": "^9.37.0",
        "@microsoft/eslint-formatter-sarif": "^3.1.0",
        "@octokit/types": "^15.0.0",
        "@types/archiver": "^6.0.3",
@@ -26527,10 +26528,10 @@ var require_package = __commonJS({
        "@types/node-forge": "^1.3.14",
        "@types/semver": "^7.7.1",
        "@types/sinon": "^17.0.4",
-        "@typescript-eslint/eslint-plugin": "^8.46.1",
+        "@typescript-eslint/eslint-plugin": "^8.46.0",
        "@typescript-eslint/parser": "^8.41.0",
        ava: "^6.4.1",
-        esbuild: "^0.25.11",
+        esbuild: "^0.25.10",
        eslint: "^8.57.1",
        "eslint-import-resolver-typescript": "^3.8.7",
        "eslint-plugin-filenames": "^1.3.2",
@@ -26538,6 +26539,7 @@ var require_package = __commonJS({
        "eslint-plugin-import": "2.29.1",
        "eslint-plugin-no-async-foreach": "^0.1.1",
        glob: "^11.0.3",
+        "json-schema-to-typescript": "^15.0.4",
        nock: "^14.0.10",
        sinon: "^21.0.0",
        typescript: "^5.9.3"
@@ -118527,7 +118529,7 @@ function getActionsLogger() {

 // src/overlay-database-utils.ts
 var CODEQL_OVERLAY_MINIMUM_VERSION = "2.22.4";
-var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB = 7500;
+var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB = 15e3;
 var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_BYTES = OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB * 1e6;

 // src/tools-features.ts
@@ -118540,11 +118542,6 @@ var featureConfig = {
    envVar: "CODEQL_ACTION_ALLOW_TOOLCACHE_INPUT",
    minimumVersion: void 0
  },
-  ["analyze_use_new_upload" /* AnalyzeUseNewUpload */]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_ANALYZE_USE_NEW_UPLOAD",
-    minimumVersion: void 0
-  },
  ["cleanup_trap_caches" /* CleanupTrapCaches */]: {
    defaultValue: false,
    envVar: "CODEQL_ACTION_CLEANUP_TRAP_CACHES",
@@ -118980,7 +118977,7 @@ async function runWrapper() {
      getTemporaryDirectory(),
      logger
    );
-    if (config?.debugMode || core13.isDebug()) {
+    if (config && config.debugMode || core13.isDebug()) {
      const logFilePath = core13.getState("proxy-log-file");
      logger.info(
        "Debug mode is on. Uploading proxy log as Actions debugging artifact..."
@@ -22065,14 +22065,14 @@ var require_tool_cache = __commonJS({
    var assert_1 = require("assert");
    var exec_1 = require_exec();
    var retry_helper_1 = require_retry_helper();
-    var HTTPError2 = class extends Error {
+    var HTTPError = class extends Error {
      constructor(httpStatusCode) {
        super(`Unexpected HTTP response: ${httpStatusCode}`);
        this.httpStatusCode = httpStatusCode;
        Object.setPrototypeOf(this, new.target.prototype);
      }
    };
-    exports2.HTTPError = HTTPError2;
+    exports2.HTTPError = HTTPError;
    var IS_WINDOWS = process.platform === "win32";
    var IS_MAC = process.platform === "darwin";
    var userAgent = "actions/tool-cache";
@@ -22089,7 +22089,7 @@ var require_tool_cache = __commonJS({
        return yield retryHelper.execute(() => __awaiter4(this, void 0, void 0, function* () {
          return yield downloadToolAttempt(url, dest || "", auth, headers);
        }), (err) => {
-          if (err instanceof HTTPError2 && err.httpStatusCode) {
+          if (err instanceof HTTPError && err.httpStatusCode) {
            if (err.httpStatusCode < 500 && err.httpStatusCode !== 408 && err.httpStatusCode !== 429) {
              return false;
            }
@@ -22116,7 +22116,7 @@ var require_tool_cache = __commonJS({
        }
        const response = yield http.get(url, headers);
        if (response.message.statusCode !== 200) {
-          const err = new HTTPError2(response.message.statusCode);
+          const err = new HTTPError(response.message.statusCode);
          core12.debug(`Failed to download from "${url}". Code(${response.message.statusCode}) Message(${response.message.statusMessage})`);
          throw err;
        }
@@ -44996,7 +44996,7 @@ var require_package = __commonJS({
  "package.json"(exports2, module2) {
    module2.exports = {
      name: "codeql",
-      version: "4.31.1",
+      version: "4.30.9",
      private: true,
      description: "CodeQL action",
      scripts: {
@@ -45008,7 +45008,8 @@ var require_package = __commonJS({
        ava: "npm run transpile && ava --serial --verbose",
        test: "npm run ava -- src/",
        "test-debug": "npm run test -- --timeout=20m",
-        transpile: "tsc --build --verbose"
+        transpile: "npm run generate:schemas && tsc --build --verbose",
+        "generate:schemas": "node json-schemas.mjs"
      },
      ava: {
        typescript: {
@@ -45044,7 +45045,7 @@ var require_package = __commonJS({
        jsonschema: "1.4.1",
        long: "^5.3.2",
        "node-forge": "^1.3.1",
-        octokit: "^5.0.4",
+        octokit: "^5.0.3",
        semver: "^7.7.3",
        uuid: "^13.0.0"
      },
@@ -45052,7 +45053,7 @@ var require_package = __commonJS({
        "@ava/typescript": "6.0.0",
        "@eslint/compat": "^1.4.0",
        "@eslint/eslintrc": "^3.3.1",
-        "@eslint/js": "^9.38.0",
+        "@eslint/js": "^9.37.0",
        "@microsoft/eslint-formatter-sarif": "^3.1.0",
        "@octokit/types": "^15.0.0",
        "@types/archiver": "^6.0.3",
@@ -45063,10 +45064,10 @@ var require_package = __commonJS({
        "@types/node-forge": "^1.3.14",
        "@types/semver": "^7.7.1",
        "@types/sinon": "^17.0.4",
-        "@typescript-eslint/eslint-plugin": "^8.46.1",
+        "@typescript-eslint/eslint-plugin": "^8.46.0",
        "@typescript-eslint/parser": "^8.41.0",
        ava: "^6.4.1",
-        esbuild: "^0.25.11",
+        esbuild: "^0.25.10",
        eslint: "^8.57.1",
        "eslint-import-resolver-typescript": "^3.8.7",
        "eslint-plugin-filenames": "^1.3.2",
@@ -45074,6 +45075,7 @@ var require_package = __commonJS({
        "eslint-plugin-import": "2.29.1",
        "eslint-plugin-no-async-foreach": "^0.1.1",
        glob: "^11.0.3",
+        "json-schema-to-typescript": "^15.0.4",
        nock: "^14.0.10",
        sinon: "^21.0.0",
        typescript: "^5.9.3"
@@ -96091,28 +96093,13 @@ function getRequiredEnvParam(paramName) {
  }
  return value;
 }
-var HTTPError = class extends Error {
-  constructor(message, status) {
-    super(message);
-    this.status = status;
-  }
-};
 var ConfigurationError = class extends Error {
  constructor(message) {
    super(message);
  }
 };
-function asHTTPError(arg) {
-  if (typeof arg !== "object" || arg === null || typeof arg.message !== "string") {
-    return void 0;
-  }
-  if (Number.isInteger(arg.status)) {
-    return new HTTPError(arg.message, arg.status);
-  }
-  if (Number.isInteger(arg.httpStatusCode)) {
-    return new HTTPError(arg.message, arg.httpStatusCode);
-  }
-  return void 0;
+function isHTTPError(arg) {
+  return arg?.status !== void 0 && Number.isInteger(arg.status);
 }
 var cachedCodeQlVersion = void 0;
 function getCachedCodeQlVersion() {
@@ -96656,7 +96643,7 @@ async function getRef() {

 // src/overlay-database-utils.ts
 var CODEQL_OVERLAY_MINIMUM_VERSION = "2.22.4";
-var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB = 7500;
+var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB = 15e3;
 var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_BYTES = OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB * 1e6;

 // src/tools-features.ts
@@ -96669,11 +96656,6 @@ var featureConfig = {
    envVar: "CODEQL_ACTION_ALLOW_TOOLCACHE_INPUT",
    minimumVersion: void 0
  },
-  ["analyze_use_new_upload" /* AnalyzeUseNewUpload */]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_ANALYZE_USE_NEW_UPLOAD",
-    minimumVersion: void 0
-  },
  ["cleanup_trap_caches" /* CleanupTrapCaches */]: {
    defaultValue: false,
    envVar: "CODEQL_ACTION_CLEANUP_TRAP_CACHES",
@@ -97005,8 +96987,8 @@ async function createStatusReportBase(actionName, status, actionStartedAt, confi
    return void 0;
  }
 }
-var OUT_OF_DATE_MSG = "CodeQL Action is out-of-date. Please upgrade to the latest version of `codeql-action`.";
-var INCOMPATIBLE_MSG = "CodeQL Action version is incompatible with the API endpoint. Please update to a compatible version of `codeql-action`.";
+var OUT_OF_DATE_MSG = "CodeQL Action is out-of-date. Please upgrade to the latest version of codeql-action.";
+var INCOMPATIBLE_MSG = "CodeQL Action version is incompatible with the code scanning endpoint. Please update to a compatible version of codeql-action.";
 async function sendStatusReport(statusReport) {
  setJobStatusIfUnsuccessful(statusReport.status);
  const statusReportJSON = JSON.stringify(statusReport);
@@ -97027,22 +97009,19 @@ async function sendStatusReport(statusReport) {
      }
    );
  } catch (e) {
-    const httpError = asHTTPError(e);
-    if (httpError !== void 0) {
-      switch (httpError.status) {
+    if (isHTTPError(e)) {
+      switch (e.status) {
        case 403:
          if (getWorkflowEventName() === "push" && process.env["GITHUB_ACTOR"] === "dependabot[bot]") {
            core10.warning(
-              `Workflows triggered by Dependabot on the "push" event run with read-only access. Uploading CodeQL results requires write access. To use CodeQL with Dependabot, please ensure you are using the "pull_request" event for this workflow and avoid triggering on the "push" event for Dependabot branches. See ${"https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning#scanning-on-push" /* SCANNING_ON_PUSH */} for more information on how to configure these events.`
+              `Workflows triggered by Dependabot on the "push" event run with read-only access. Uploading Code Scanning results requires write access. To use Code Scanning with Dependabot, please ensure you are using the "pull_request" event for this workflow and avoid triggering on the "push" event for Dependabot branches. See ${"https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning#scanning-on-push" /* SCANNING_ON_PUSH */} for more information on how to configure these events.`
            );
          } else {
-            core10.warning(
-              `This run of the CodeQL Action does not have permission to access the CodeQL Action API endpoints. This could be because the Action is running on a pull request from a fork. If not, please ensure the workflow has at least the 'security-events: read' permission. Details: ${httpError.message}`
-            );
+            core10.warning(e.message);
          }
          return;
        case 404:
-          core10.warning(httpError.message);
+          core10.warning(e.message);
          return;
        case 422:
          if (getRequiredEnvParam("GITHUB_SERVER_URL") !== GITHUB_DOTCOM_URL) {
@@ -97054,7 +97033,7 @@ async function sendStatusReport(statusReport) {
      }
    }
    core10.warning(
-      `An unexpected error occurred when sending a status report: ${getErrorMessage(
+      `An unexpected error occurred when sending code scanning status report: ${getErrorMessage(
        e
      )}`
    );
@@ -21899,14 +21899,14 @@ var require_dist_node4 = __commonJS({
    var __toCommonJS2 = (mod) => __copyProps2(__defProp2({}, "__esModule", { value: true }), mod);
    var dist_src_exports = {};
    __export2(dist_src_exports, {
-      RequestError: () => RequestError
+      RequestError: () => RequestError2
    });
    module2.exports = __toCommonJS2(dist_src_exports);
    var import_deprecation = require_dist_node3();
    var import_once = __toESM2(require_once());
    var logOnceCode = (0, import_once.default)((deprecation) => console.warn(deprecation));
    var logOnceHeaders = (0, import_once.default)((deprecation) => console.warn(deprecation));
-    var RequestError = class extends Error {
+    var RequestError2 = class extends Error {
      constructor(message, statusCode, options) {
        super(message);
        if (Error.captureStackTrace) {
@@ -21998,7 +21998,7 @@ var require_dist_node5 = __commonJS({
      const Ctor = Object.prototype.hasOwnProperty.call(proto, "constructor") && proto.constructor;
      return typeof Ctor === "function" && Ctor instanceof Ctor && Function.prototype.call(Ctor) === Function.prototype.call(value);
    }
-    var import_request_error = require_dist_node4();
+    var import_request_error2 = require_dist_node4();
    function getBufferResponse(response) {
      return response.arrayBuffer();
    }
@@ -22050,7 +22050,7 @@ var require_dist_node5 = __commonJS({
          if (status < 400) {
            return;
          }
-          throw new import_request_error.RequestError(response.statusText, status, {
+          throw new import_request_error2.RequestError(response.statusText, status, {
            response: {
              url: url2,
              status,
@@ -22061,7 +22061,7 @@ var require_dist_node5 = __commonJS({
          });
        }
        if (status === 304) {
-          throw new import_request_error.RequestError("Not modified", status, {
+          throw new import_request_error2.RequestError("Not modified", status, {
            response: {
              url: url2,
              status,
@@ -22073,7 +22073,7 @@ var require_dist_node5 = __commonJS({
        }
        if (status >= 400) {
          const data = await getResponseData(response);
-          const error2 = new import_request_error.RequestError(toErrorMessage(data), status, {
+          const error2 = new import_request_error2.RequestError(toErrorMessage(data), status, {
            response: {
              url: url2,
              status,
@@ -22093,7 +22093,7 @@ var require_dist_node5 = __commonJS({
          data
        };
      }).catch((error2) => {
-        if (error2 instanceof import_request_error.RequestError)
+        if (error2 instanceof import_request_error2.RequestError)
          throw error2;
        else if (error2.name === "AbortError")
          throw error2;
@@ -22105,7 +22105,7 @@ var require_dist_node5 = __commonJS({
            message = error2.cause;
          }
        }
-        throw new import_request_error.RequestError(message, 500, {
+        throw new import_request_error2.RequestError(message, 500, {
          request: requestOptions
        });
      });
@@ -22547,14 +22547,14 @@ var require_dist_node7 = __commonJS({
    var __toCommonJS2 = (mod) => __copyProps2(__defProp2({}, "__esModule", { value: true }), mod);
    var dist_src_exports = {};
    __export2(dist_src_exports, {
-      RequestError: () => RequestError
+      RequestError: () => RequestError2
    });
    module2.exports = __toCommonJS2(dist_src_exports);
    var import_deprecation = require_dist_node3();
    var import_once = __toESM2(require_once());
    var logOnceCode = (0, import_once.default)((deprecation) => console.warn(deprecation));
    var logOnceHeaders = (0, import_once.default)((deprecation) => console.warn(deprecation));
-    var RequestError = class extends Error {
+    var RequestError2 = class extends Error {
      constructor(message, statusCode, options) {
        super(message);
        if (Error.captureStackTrace) {
@@ -22646,7 +22646,7 @@ var require_dist_node8 = __commonJS({
      const Ctor = Object.prototype.hasOwnProperty.call(proto, "constructor") && proto.constructor;
      return typeof Ctor === "function" && Ctor instanceof Ctor && Function.prototype.call(Ctor) === Function.prototype.call(value);
    }
-    var import_request_error = require_dist_node7();
+    var import_request_error2 = require_dist_node7();
    function getBufferResponse(response) {
      return response.arrayBuffer();
    }
@@ -22698,7 +22698,7 @@ var require_dist_node8 = __commonJS({
          if (status < 400) {
            return;
          }
-          throw new import_request_error.RequestError(response.statusText, status, {
+          throw new import_request_error2.RequestError(response.statusText, status, {
            response: {
              url: url2,
              status,
@@ -22709,7 +22709,7 @@ var require_dist_node8 = __commonJS({
          });
        }
        if (status === 304) {
-          throw new import_request_error.RequestError("Not modified", status, {
+          throw new import_request_error2.RequestError("Not modified", status, {
            response: {
              url: url2,
              status,
@@ -22721,7 +22721,7 @@ var require_dist_node8 = __commonJS({
        }
        if (status >= 400) {
          const data = await getResponseData(response);
-          const error2 = new import_request_error.RequestError(toErrorMessage(data), status, {
+          const error2 = new import_request_error2.RequestError(toErrorMessage(data), status, {
            response: {
              url: url2,
              status,
@@ -22741,7 +22741,7 @@ var require_dist_node8 = __commonJS({
          data
        };
      }).catch((error2) => {
-        if (error2 instanceof import_request_error.RequestError)
+        if (error2 instanceof import_request_error2.RequestError)
          throw error2;
        else if (error2.name === "AbortError")
          throw error2;
@@ -22753,7 +22753,7 @@ var require_dist_node8 = __commonJS({
            message = error2.cause;
          }
        }
-        throw new import_request_error.RequestError(message, 500, {
+        throw new import_request_error2.RequestError(message, 500, {
          request: requestOptions
        });
      });
@@ -33606,7 +33606,7 @@ var require_package = __commonJS({
  "package.json"(exports2, module2) {
    module2.exports = {
      name: "codeql",
-      version: "4.31.1",
+      version: "4.30.9",
      private: true,
      description: "CodeQL action",
      scripts: {
@@ -33618,7 +33618,8 @@ var require_package = __commonJS({
        ava: "npm run transpile && ava --serial --verbose",
        test: "npm run ava -- src/",
        "test-debug": "npm run test -- --timeout=20m",
-        transpile: "tsc --build --verbose"
+        transpile: "npm run generate:schemas && tsc --build --verbose",
+        "generate:schemas": "node json-schemas.mjs"
      },
      ava: {
        typescript: {
@@ -33654,7 +33655,7 @@ var require_package = __commonJS({
        jsonschema: "1.4.1",
        long: "^5.3.2",
        "node-forge": "^1.3.1",
-        octokit: "^5.0.4",
+        octokit: "^5.0.3",
        semver: "^7.7.3",
        uuid: "^13.0.0"
      },
@@ -33662,7 +33663,7 @@ var require_package = __commonJS({
        "@ava/typescript": "6.0.0",
        "@eslint/compat": "^1.4.0",
        "@eslint/eslintrc": "^3.3.1",
-        "@eslint/js": "^9.38.0",
+        "@eslint/js": "^9.37.0",
        "@microsoft/eslint-formatter-sarif": "^3.1.0",
        "@octokit/types": "^15.0.0",
        "@types/archiver": "^6.0.3",
@@ -33673,10 +33674,10 @@ var require_package = __commonJS({
        "@types/node-forge": "^1.3.14",
        "@types/semver": "^7.7.1",
        "@types/sinon": "^17.0.4",
-        "@typescript-eslint/eslint-plugin": "^8.46.1",
+        "@typescript-eslint/eslint-plugin": "^8.46.0",
        "@typescript-eslint/parser": "^8.41.0",
        ava: "^6.4.1",
-        esbuild: "^0.25.11",
+        esbuild: "^0.25.10",
        eslint: "^8.57.1",
        "eslint-import-resolver-typescript": "^3.8.7",
        "eslint-plugin-filenames": "^1.3.2",
@@ -33684,6 +33685,7 @@ var require_package = __commonJS({
        "eslint-plugin-import": "2.29.1",
        "eslint-plugin-no-async-foreach": "^0.1.1",
        glob: "^11.0.3",
+        "json-schema-to-typescript": "^15.0.4",
        nock: "^14.0.10",
        sinon: "^21.0.0",
        typescript: "^5.9.3"
@@ -35065,14 +35067,14 @@ var require_dist_node14 = __commonJS({
    var __toCommonJS2 = (mod) => __copyProps2(__defProp2({}, "__esModule", { value: true }), mod);
    var dist_src_exports = {};
    __export2(dist_src_exports, {
-      RequestError: () => RequestError
+      RequestError: () => RequestError2
    });
    module2.exports = __toCommonJS2(dist_src_exports);
    var import_deprecation = require_dist_node3();
    var import_once = __toESM2(require_once());
    var logOnceCode = (0, import_once.default)((deprecation) => console.warn(deprecation));
    var logOnceHeaders = (0, import_once.default)((deprecation) => console.warn(deprecation));
-    var RequestError = class extends Error {
+    var RequestError2 = class extends Error {
      constructor(message, statusCode, options) {
        super(message);
        if (Error.captureStackTrace) {
@@ -35174,7 +35176,7 @@ var require_dist_node15 = __commonJS({
      throw error2;
    }
    var import_light = __toESM2(require_light());
-    var import_request_error = require_dist_node14();
+    var import_request_error2 = require_dist_node14();
    async function wrapRequest(state, octokit, request, options) {
      const limiter = new import_light.default();
      limiter.on("failed", function(error2, info4) {
@@ -35195,7 +35197,7 @@ var require_dist_node15 = __commonJS({
      if (response.data && response.data.errors && response.data.errors.length > 0 && /Something went wrong while executing your query/.test(
        response.data.errors[0].message
      )) {
-        const error2 = new import_request_error.RequestError(response.data.errors[0].message, 500, {
+        const error2 = new import_request_error2.RequestError(response.data.errors[0].message, 500, {
          request: options,
          response
        });
@@ -80921,14 +80923,14 @@ var require_tool_cache = __commonJS({
    var assert_1 = require("assert");
    var exec_1 = require_exec();
    var retry_helper_1 = require_retry_helper();
-    var HTTPError2 = class extends Error {
+    var HTTPError = class extends Error {
      constructor(httpStatusCode) {
        super(`Unexpected HTTP response: ${httpStatusCode}`);
        this.httpStatusCode = httpStatusCode;
        Object.setPrototypeOf(this, new.target.prototype);
      }
    };
-    exports2.HTTPError = HTTPError2;
+    exports2.HTTPError = HTTPError;
    var IS_WINDOWS = process.platform === "win32";
    var IS_MAC = process.platform === "darwin";
    var userAgent = "actions/tool-cache";
@@ -80945,7 +80947,7 @@ var require_tool_cache = __commonJS({
        return yield retryHelper.execute(() => __awaiter4(this, void 0, void 0, function* () {
          return yield downloadToolAttempt(url2, dest || "", auth, headers);
        }), (err) => {
-          if (err instanceof HTTPError2 && err.httpStatusCode) {
+          if (err instanceof HTTPError && err.httpStatusCode) {
            if (err.httpStatusCode < 500 && err.httpStatusCode !== 408 && err.httpStatusCode !== 429) {
              return false;
            }
@@ -80972,7 +80974,7 @@ var require_tool_cache = __commonJS({
        }
        const response = yield http.get(url2, headers);
        if (response.message.statusCode !== 200) {
-          const err = new HTTPError2(response.message.statusCode);
+          const err = new HTTPError(response.message.statusCode);
          core12.debug(`Failed to download from "${url2}". Code(${response.message.statusCode}) Message(${response.message.statusMessage})`);
          throw err;
        }
@@ -84847,7 +84849,6 @@ __export(upload_lib_exports, {
  getGroupedSarifFilePaths: () => getGroupedSarifFilePaths,
  getSarifFilePaths: () => getSarifFilePaths,
  populateRunAutomationDetails: () => populateRunAutomationDetails,
-  postProcessSarifFiles: () => postProcessSarifFiles,
  readSarifFile: () => readSarifFile,
  shouldConsiderConfigurationError: () => shouldConsiderConfigurationError,
  shouldConsiderInvalidRequest: () => shouldConsiderInvalidRequest,
@@ -84855,11 +84856,10 @@ __export(upload_lib_exports, {
  throwIfCombineSarifFilesDisabled: () => throwIfCombineSarifFilesDisabled,
  uploadFiles: () => uploadFiles,
  uploadPayload: () => uploadPayload,
-  uploadPostProcessedFiles: () => uploadPostProcessedFiles,
+  uploadSpecifiedFiles: () => uploadSpecifiedFiles,
  validateSarifFileSchema: () => validateSarifFileSchema,
  validateUniqueCategory: () => validateUniqueCategory,
-  waitForProcessing: () => waitForProcessing,
-  writePostProcessedFiles: () => writePostProcessedFiles
+  waitForProcessing: () => waitForProcessing
 });
 module.exports = __toCommonJS(upload_lib_exports);
 var fs13 = __toESM(require("fs"));
@@ -88330,35 +88330,13 @@ function getRequiredEnvParam(paramName) {
  }
  return value;
 }
-function getOptionalEnvVar(paramName) {
-  const value = process.env[paramName];
-  if (value?.trim().length === 0) {
-    return void 0;
-  }
-  return value;
-}
-var HTTPError = class extends Error {
-  constructor(message, status) {
-    super(message);
-    this.status = status;
-  }
-};
 var ConfigurationError = class extends Error {
  constructor(message) {
    super(message);
  }
 };
-function asHTTPError(arg) {
-  if (typeof arg !== "object" || arg === null || typeof arg.message !== "string") {
-    return void 0;
-  }
-  if (Number.isInteger(arg.status)) {
-    return new HTTPError(arg.message, arg.status);
-  }
-  if (Number.isInteger(arg.httpStatusCode)) {
-    return new HTTPError(arg.message, arg.httpStatusCode);
-  }
-  return void 0;
+function isHTTPError(arg) {
+  return arg?.status !== void 0 && Number.isInteger(arg.status);
 }
 var cachedCodeQlVersion = void 0;
 function cacheCodeQlVersion(version) {
@@ -88771,24 +88749,14 @@ function computeAutomationID(analysis_key, environment) {
  return automationID;
 }
 function wrapApiConfigurationError(e) {
-  const httpError = asHTTPError(e);
-  if (httpError !== void 0) {
-    if ([
-      /API rate limit exceeded/,
-      /commit not found/,
-      /Resource not accessible by integration/,
-      /ref .* not found in this repository/
-    ].some((pattern) => pattern.test(httpError.message))) {
-      return new ConfigurationError(httpError.message);
-    }
-    if (httpError.message.includes("Bad credentials") || httpError.message.includes("Not Found")) {
+  if (isHTTPError(e)) {
+    if (e.message.includes("API rate limit exceeded for installation") || e.message.includes("commit not found") || e.message.includes("Resource not accessible by integration") || /ref .* not found in this repository/.test(e.message)) {
+      return new ConfigurationError(e.message);
+    } else if (e.message.includes("Bad credentials") || e.message.includes("Not Found")) {
      return new ConfigurationError(
        "Please check that your token is valid and has the required permissions: contents: read, security-events: write"
      );
    }
-    if (httpError.status === 429) {
-      return new ConfigurationError("API rate limit exceeded");
-    }
  }
  return e;
 }
@@ -88799,6 +88767,45 @@ var path12 = __toESM(require("path"));
 var core10 = __toESM(require_core());
 var toolrunner3 = __toESM(require_toolrunner());

+// node_modules/@octokit/request-error/dist-src/index.js
+var RequestError = class extends Error {
+  name;
+  /**
+   * http status code
+   */
+  status;
+  /**
+   * Request options that lead to the error.
+   */
+  request;
+  /**
+   * Response object if a response was received
+   */
+  response;
+  constructor(message, statusCode, options) {
+    super(message);
+    this.name = "HttpError";
+    this.status = Number.parseInt(statusCode);
+    if (Number.isNaN(this.status)) {
+      this.status = 0;
+    }
+    if ("response" in options) {
+      this.response = options.response;
+    }
+    const requestCopy = Object.assign({}, options.request);
+    if (options.request.headers.authorization) {
+      requestCopy.headers = Object.assign({}, options.request.headers, {
+        authorization: options.request.headers.authorization.replace(
+          /(?<! ) .*$/,
+          " [REDACTED]"
+        )
+      });
+    }
+    requestCopy.url = requestCopy.url.replace(/\bclient_secret=\w+/g, "client_secret=[REDACTED]").replace(/\baccess_token=\w+/g, "access_token=[REDACTED]");
+    this.request = requestCopy;
+  }
+};
+
 // src/cli-errors.ts
 var SUPPORTED_PLATFORMS = [
  ["linux", "x64"],
@@ -89285,7 +89292,7 @@ function formatDuration(durationMs) {

 // src/overlay-database-utils.ts
 var CODEQL_OVERLAY_MINIMUM_VERSION = "2.22.4";
-var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB = 7500;
+var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB = 15e3;
 var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_BYTES = OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB * 1e6;
 async function writeBaseDatabaseOidsFile(config, sourceRoot) {
  const gitFileOids = await getFileOidsUnderPath(sourceRoot);
@@ -89358,11 +89365,6 @@ var featureConfig = {
    envVar: "CODEQL_ACTION_ALLOW_TOOLCACHE_INPUT",
    minimumVersion: void 0
  },
-  ["analyze_use_new_upload" /* AnalyzeUseNewUpload */]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_ANALYZE_USE_NEW_UPLOAD",
-    minimumVersion: void 0
-  },
  ["cleanup_trap_caches" /* CleanupTrapCaches */]: {
    defaultValue: false,
    envVar: "CODEQL_ACTION_CLEANUP_TRAP_CACHES",
@@ -89717,13 +89719,13 @@ async function getTarVersion() {
  }
  if (stdout.includes("GNU tar")) {
    const match = stdout.match(/tar \(GNU tar\) ([0-9.]+)/);
-    if (!match?.[1]) {
+    if (!match || !match[1]) {
      throw new Error("Failed to parse output of tar --version.");
    }
    return { type: "gnu", version: match[1] };
  } else if (stdout.includes("bsdtar")) {
    const match = stdout.match(/bsdtar ([0-9.]+)/);
-    if (!match?.[1]) {
+    if (!match || !match[1]) {
      throw new Error("Failed to parse output of tar --version.");
    }
    return { type: "bsd", version: match[1] };
@@ -90103,7 +90105,7 @@ function tryGetTagNameFromUrl(url2, logger) {
    return void 0;
  }
  const match = matches[matches.length - 1];
-  if (match?.length !== 2) {
+  if (match === null || match.length !== 2) {
    logger.debug(
      `Could not determine tag name for URL ${url2}. Matched ${JSON.stringify(
        match
@@ -90563,7 +90565,7 @@ async function shouldEnableIndirectTracing(codeql, config) {

 // src/codeql.ts
 var cachedCodeQL = void 0;
-var CODEQL_MINIMUM_VERSION = "2.17.6";
+var CODEQL_MINIMUM_VERSION = "2.16.6";
 var CODEQL_NEXT_MINIMUM_VERSION = "2.17.6";
 var GHES_VERSION_MOST_RECENTLY_DEPRECATED = "3.13";
 var GHES_MOST_RECENT_DEPRECATION_DATE = "2025-06-19";
@@ -90607,9 +90609,9 @@ async function setupCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliV
      toolsVersion,
      zstdAvailability
    };
-  } catch (rawError) {
-    const e = wrapApiConfigurationError(rawError);
-    const ErrorClass = e instanceof ConfigurationError || e instanceof Error && e.message.includes("ENOSPC") ? ConfigurationError : Error;
+  } catch (e) {
+    const ErrorClass = e instanceof ConfigurationError || e instanceof Error && e.message.includes("ENOSPC") || // out of disk space
+    e instanceof RequestError && e.status === 429 ? ConfigurationError : Error;
    throw new ErrorClass(
      `Unable to download and extract CodeQL CLI: ${getErrorMessage(e)}${e instanceof Error && e.stack ? `

@@ -90898,6 +90900,12 @@ ${output}`
      } else {
        codeqlArgs.push("--no-sarif-include-diagnostics");
      }
+      if (!isSupportedToolsFeature(
+        await this.getVersion(),
+        "analysisSummaryV2Default" /* AnalysisSummaryV2IsDefault */
+      )) {
+        codeqlArgs.push("--new-analysis-summary");
+      }
      codeqlArgs.push(databasePath);
      if (querySuitePaths) {
        codeqlArgs.push(...querySuitePaths);
@@ -92447,6 +92455,24 @@ async function combineSarifFilesUsingCLI(sarifFiles, gitHubVersion, features, lo
    );
    codeQL = initCodeQLResult.codeql;
  }
+  if (!await codeQL.supportsFeature(
+    "sarifMergeRunsFromEqualCategory" /* SarifMergeRunsFromEqualCategory */
+  )) {
+    await throwIfCombineSarifFilesDisabled(sarifObjects, gitHubVersion);
+    logger.warning(
+      "The CodeQL CLI does not support merging SARIF files. Merging files in the action."
+    );
+    if (await shouldShowCombineSarifFilesDeprecationWarning(
+      sarifObjects,
+      gitHubVersion
+    )) {
+      logger.warning(
+        `Uploading multiple CodeQL runs with the same category is deprecated ${deprecationWarningMessage} for CodeQL CLI 2.16.6 and earlier. Please update your CodeQL CLI version or update your workflow to set a distinct category for each CodeQL run. ${deprecationMoreInformationMessage}`
+      );
+      core11.exportVariable("CODEQL_MERGE_SARIF_DEPRECATION_WARNING", "true");
+    }
+    return combineSarifFiles(sarifFiles, logger);
+  }
  const baseTempDir = path14.resolve(tempDir, "combined-sarif");
  fs13.mkdirSync(baseTempDir, { recursive: true });
  const outputDirectory = fs13.mkdtempSync(path14.resolve(baseTempDir, "output-"));
@@ -92505,17 +92531,16 @@ async function uploadPayload(payload, repositoryNwo, logger, analysis) {
    logger.info("Successfully uploaded results");
    return response.data.id;
  } catch (e) {
-    const httpError = asHTTPError(e);
-    if (httpError !== void 0) {
-      switch (httpError.status) {
+    if (isHTTPError(e)) {
+      switch (e.status) {
        case 403:
-          core11.warning(httpError.message || GENERIC_403_MSG);
+          core11.warning(e.message || GENERIC_403_MSG);
          break;
        case 404:
-          core11.warning(httpError.message || GENERIC_404_MSG);
+          core11.warning(e.message || GENERIC_404_MSG);
          break;
        default:
-          core11.warning(httpError.message);
+          core11.warning(e.message);
          break;
      }
    }
@@ -92697,11 +92722,26 @@ function buildPayload(commitOid, ref, analysisKey, analysisName, zippedSarif, wo
  }
  return payloadObj;
 }
-async function postProcessSarifFiles(logger, features, checkoutPath, sarifPaths, category, analysis) {
-  logger.info(`Post-processing sarif files: ${JSON.stringify(sarifPaths)}`);
+async function uploadFiles(inputSarifPath, checkoutPath, category, features, logger, uploadTarget) {
+  const sarifPaths = getSarifFilePaths(
+    inputSarifPath,
+    uploadTarget.sarifPredicate
+  );
+  return uploadSpecifiedFiles(
+    sarifPaths,
+    checkoutPath,
+    category,
+    features,
+    logger,
+    uploadTarget
+  );
+}
+async function uploadSpecifiedFiles(sarifPaths, checkoutPath, category, features, logger, uploadTarget) {
+  logger.startGroup(`Uploading ${uploadTarget.name} results`);
+  logger.info(`Processing sarif files: ${JSON.stringify(sarifPaths)}`);
  const gitHubVersion = await getGitHubVersion();
  let sarif;
-  category = analysis.fixCategory(logger, category);
+  category = uploadTarget.fixCategory(logger, category);
  if (sarifPaths.length > 1) {
    for (const sarifPath of sarifPaths) {
      const parsedSarif = readSarifFile(sarifPath);
@@ -92729,72 +92769,28 @@ async function postProcessSarifFiles(logger, features, checkoutPath, sarifPaths,
    analysisKey,
    environment
  );
-  return { sarif, analysisKey, environment };
-}
-async function writePostProcessedFiles(logger, pathInput, uploadTarget, postProcessingResults) {
-  const outputPath = pathInput || getOptionalEnvVar("CODEQL_ACTION_SARIF_DUMP_DIR" /* SARIF_DUMP_DIR */);
-  if (outputPath !== void 0) {
-    dumpSarifFile(
-      JSON.stringify(postProcessingResults.sarif),
-      outputPath,
-      logger,
-      uploadTarget
-    );
-  } else {
-    logger.debug(`Not writing post-processed SARIF files.`);
-  }
-}
-async function uploadFiles(inputSarifPath, checkoutPath, category, features, logger, uploadTarget) {
-  const sarifPaths = getSarifFilePaths(
-    inputSarifPath,
-    uploadTarget.sarifPredicate
-  );
-  return uploadSpecifiedFiles(
-    sarifPaths,
-    checkoutPath,
-    category,
-    features,
-    logger,
-    uploadTarget
-  );
-}
-async function uploadSpecifiedFiles(sarifPaths, checkoutPath, category, features, logger, uploadTarget) {
-  const processingResults = await postProcessSarifFiles(
-    logger,
-    features,
-    checkoutPath,
-    sarifPaths,
-    category,
-    uploadTarget
-  );
-  return uploadPostProcessedFiles(
-    logger,
-    checkoutPath,
-    uploadTarget,
-    processingResults
-  );
-}
-async function uploadPostProcessedFiles(logger, checkoutPath, uploadTarget, postProcessingResults) {
-  logger.startGroup(`Uploading ${uploadTarget.name} results`);
-  const sarif = postProcessingResults.sarif;
  const toolNames = getToolNames(sarif);
  logger.debug(`Validating that each SARIF run has a unique category`);
  validateUniqueCategory(sarif, uploadTarget.sentinelPrefix);
  logger.debug(`Serializing SARIF for upload`);
  const sarifPayload = JSON.stringify(sarif);
+  const dumpDir = process.env["CODEQL_ACTION_SARIF_DUMP_DIR" /* SARIF_DUMP_DIR */];
+  if (dumpDir) {
+    dumpSarifFile(sarifPayload, dumpDir, logger, uploadTarget);
+  }
  logger.debug(`Compressing serialized SARIF`);
  const zippedSarif = import_zlib.default.gzipSync(sarifPayload).toString("base64");
  const checkoutURI = url.pathToFileURL(checkoutPath).href;
  const payload = buildPayload(
    await getCommitOid(checkoutPath),
    await getRef(),
-    postProcessingResults.analysisKey,
+    analysisKey,
    getRequiredEnvParam("GITHUB_WORKFLOW"),
    zippedSarif,
    getWorkflowRunID(),
    getWorkflowRunAttempt(),
    checkoutURI,
-    postProcessingResults.environment,
+    environment,
    toolNames,
    await determineBaseBranchHeadCommitOid()
  );
@@ -92825,14 +92821,14 @@ function dumpSarifFile(sarifPayload, outputDir, logger, uploadTarget) {
    fs13.mkdirSync(outputDir, { recursive: true });
  } else if (!fs13.lstatSync(outputDir).isDirectory()) {
    throw new ConfigurationError(
-      `The path that processed SARIF files should be written to exists, but is not a directory: ${outputDir}`
+      `The path specified by the ${"CODEQL_ACTION_SARIF_DUMP_DIR" /* SARIF_DUMP_DIR */} environment variable exists and is not a directory: ${outputDir}`
    );
  }
  const outputFile = path14.resolve(
    outputDir,
    `upload${uploadTarget.sarifExtension}`
  );
-  logger.info(`Writing processed SARIF file to ${outputFile}`);
+  logger.info(`Dumping processed SARIF file to ${outputFile}`);
  fs13.writeFileSync(outputFile, sarifPayload);
 }
 var STATUS_CHECK_FREQUENCY_MILLISECONDS = 5 * 1e3;
@@ -92962,9 +92958,9 @@ function filterAlertsByDiffRange(logger, sarif) {
  if (!diffRanges?.length) {
    return sarif;
  }
+  const checkoutPath = getRequiredInput("checkout_path");
  for (const run of sarif.runs) {
    if (run.results) {
-      const preAlertCount = run.results.length;
      run.results = run.results.filter((result) => {
        const locations = [
          ...(result.locations || []).map((loc) => loc.physicalLocation),
@@ -92976,13 +92972,12 @@ function filterAlertsByDiffRange(logger, sarif) {
          if (!locationUri || locationStartLine === void 0) {
            return false;
          }
+          const locationPath = path14.join(checkoutPath, locationUri).replaceAll(path14.sep, "/");
          return diffRanges.some(
-            (range) => range.path === locationUri && (range.startLine <= locationStartLine && range.endLine >= locationStartLine || range.startLine === 0 && range.endLine === 0)
+            (range) => range.path === locationPath && (range.startLine <= locationStartLine && range.endLine >= locationStartLine || range.startLine === 0 && range.endLine === 0)
          );
        });
      });
-      const postAlertCount = run.results.length;
-      logger.info(`Filtered ${preAlertCount - postAlertCount} alerts based on diff range.`);
    }
  }
  return sarif;
@@ -92995,7 +92990,6 @@ function filterAlertsByDiffRange(logger, sarif) {
  getGroupedSarifFilePaths,
  getSarifFilePaths,
  populateRunAutomationDetails,
-  postProcessSarifFiles,
  readSarifFile,
  shouldConsiderConfigurationError,
  shouldConsiderInvalidRequest,
@@ -93003,11 +92997,10 @@ function filterAlertsByDiffRange(logger, sarif) {
  throwIfCombineSarifFilesDisabled,
  uploadFiles,
  uploadPayload,
-  uploadPostProcessedFiles,
+  uploadSpecifiedFiles,
  validateSarifFileSchema,
  validateUniqueCategory,
-  waitForProcessing,
-  writePostProcessedFiles
+  waitForProcessing
 });
 /*! Bundled license information:

@@ -26460,7 +26460,7 @@ var require_package = __commonJS({
  "package.json"(exports2, module2) {
    module2.exports = {
      name: "codeql",
-      version: "4.31.1",
+      version: "4.30.9",
      private: true,
      description: "CodeQL action",
      scripts: {
@@ -26472,7 +26472,8 @@ var require_package = __commonJS({
        ava: "npm run transpile && ava --serial --verbose",
        test: "npm run ava -- src/",
        "test-debug": "npm run test -- --timeout=20m",
-        transpile: "tsc --build --verbose"
+        transpile: "npm run generate:schemas && tsc --build --verbose",
+        "generate:schemas": "node json-schemas.mjs"
      },
      ava: {
        typescript: {
@@ -26508,7 +26509,7 @@ var require_package = __commonJS({
        jsonschema: "1.4.1",
        long: "^5.3.2",
        "node-forge": "^1.3.1",
-        octokit: "^5.0.4",
+        octokit: "^5.0.3",
        semver: "^7.7.3",
        uuid: "^13.0.0"
      },
@@ -26516,7 +26517,7 @@ var require_package = __commonJS({
        "@ava/typescript": "6.0.0",
        "@eslint/compat": "^1.4.0",
        "@eslint/eslintrc": "^3.3.1",
-        "@eslint/js": "^9.38.0",
+        "@eslint/js": "^9.37.0",
        "@microsoft/eslint-formatter-sarif": "^3.1.0",
        "@octokit/types": "^15.0.0",
        "@types/archiver": "^6.0.3",
@@ -26527,10 +26528,10 @@ var require_package = __commonJS({
        "@types/node-forge": "^1.3.14",
        "@types/semver": "^7.7.1",
        "@types/sinon": "^17.0.4",
-        "@typescript-eslint/eslint-plugin": "^8.46.1",
+        "@typescript-eslint/eslint-plugin": "^8.46.0",
        "@typescript-eslint/parser": "^8.41.0",
        ava: "^6.4.1",
-        esbuild: "^0.25.11",
+        esbuild: "^0.25.10",
        eslint: "^8.57.1",
        "eslint-import-resolver-typescript": "^3.8.7",
        "eslint-plugin-filenames": "^1.3.2",
@@ -26538,6 +26539,7 @@ var require_package = __commonJS({
        "eslint-plugin-import": "2.29.1",
        "eslint-plugin-no-async-foreach": "^0.1.1",
        glob: "^11.0.3",
+        "json-schema-to-typescript": "^15.0.4",
        nock: "^14.0.10",
        sinon: "^21.0.0",
        typescript: "^5.9.3"
@@ -118689,7 +118691,7 @@ function withGroup(groupName, f) {

 // src/overlay-database-utils.ts
 var CODEQL_OVERLAY_MINIMUM_VERSION = "2.22.4";
-var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB = 7500;
+var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB = 15e3;
 var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_BYTES = OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB * 1e6;

 // src/tools-features.ts
@@ -118706,11 +118708,6 @@ var featureConfig = {
    envVar: "CODEQL_ACTION_ALLOW_TOOLCACHE_INPUT",
    minimumVersion: void 0
  },
-  ["analyze_use_new_upload" /* AnalyzeUseNewUpload */]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_ANALYZE_USE_NEW_UPLOAD",
-    minimumVersion: void 0
-  },
  ["cleanup_trap_caches" /* CleanupTrapCaches */]: {
    defaultValue: false,
    envVar: "CODEQL_ACTION_CLEANUP_TRAP_CACHES",
@@ -20602,14 +20602,14 @@ var require_dist_node4 = __commonJS({
    var __toCommonJS2 = (mod) => __copyProps2(__defProp2({}, "__esModule", { value: true }), mod);
    var dist_src_exports = {};
    __export2(dist_src_exports, {
-      RequestError: () => RequestError
+      RequestError: () => RequestError2
    });
    module2.exports = __toCommonJS2(dist_src_exports);
    var import_deprecation = require_dist_node3();
    var import_once = __toESM2(require_once());
    var logOnceCode = (0, import_once.default)((deprecation) => console.warn(deprecation));
    var logOnceHeaders = (0, import_once.default)((deprecation) => console.warn(deprecation));
-    var RequestError = class extends Error {
+    var RequestError2 = class extends Error {
      constructor(message, statusCode, options) {
        super(message);
        if (Error.captureStackTrace) {
@@ -20701,7 +20701,7 @@ var require_dist_node5 = __commonJS({
      const Ctor = Object.prototype.hasOwnProperty.call(proto, "constructor") && proto.constructor;
      return typeof Ctor === "function" && Ctor instanceof Ctor && Function.prototype.call(Ctor) === Function.prototype.call(value);
    }
-    var import_request_error = require_dist_node4();
+    var import_request_error2 = require_dist_node4();
    function getBufferResponse(response) {
      return response.arrayBuffer();
    }
@@ -20753,7 +20753,7 @@ var require_dist_node5 = __commonJS({
          if (status < 400) {
            return;
          }
-          throw new import_request_error.RequestError(response.statusText, status, {
+          throw new import_request_error2.RequestError(response.statusText, status, {
            response: {
              url: url2,
              status,
@@ -20764,7 +20764,7 @@ var require_dist_node5 = __commonJS({
          });
        }
        if (status === 304) {
-          throw new import_request_error.RequestError("Not modified", status, {
+          throw new import_request_error2.RequestError("Not modified", status, {
            response: {
              url: url2,
              status,
@@ -20776,7 +20776,7 @@ var require_dist_node5 = __commonJS({
        }
        if (status >= 400) {
          const data = await getResponseData(response);
-          const error2 = new import_request_error.RequestError(toErrorMessage(data), status, {
+          const error2 = new import_request_error2.RequestError(toErrorMessage(data), status, {
            response: {
              url: url2,
              status,
@@ -20796,7 +20796,7 @@ var require_dist_node5 = __commonJS({
          data
        };
      }).catch((error2) => {
-        if (error2 instanceof import_request_error.RequestError)
+        if (error2 instanceof import_request_error2.RequestError)
          throw error2;
        else if (error2.name === "AbortError")
          throw error2;
@@ -20808,7 +20808,7 @@ var require_dist_node5 = __commonJS({
            message = error2.cause;
          }
        }
-        throw new import_request_error.RequestError(message, 500, {
+        throw new import_request_error2.RequestError(message, 500, {
          request: requestOptions
        });
      });
@@ -21250,14 +21250,14 @@ var require_dist_node7 = __commonJS({
    var __toCommonJS2 = (mod) => __copyProps2(__defProp2({}, "__esModule", { value: true }), mod);
    var dist_src_exports = {};
    __export2(dist_src_exports, {
-      RequestError: () => RequestError
+      RequestError: () => RequestError2
    });
    module2.exports = __toCommonJS2(dist_src_exports);
    var import_deprecation = require_dist_node3();
    var import_once = __toESM2(require_once());
    var logOnceCode = (0, import_once.default)((deprecation) => console.warn(deprecation));
    var logOnceHeaders = (0, import_once.default)((deprecation) => console.warn(deprecation));
-    var RequestError = class extends Error {
+    var RequestError2 = class extends Error {
      constructor(message, statusCode, options) {
        super(message);
        if (Error.captureStackTrace) {
@@ -21349,7 +21349,7 @@ var require_dist_node8 = __commonJS({
      const Ctor = Object.prototype.hasOwnProperty.call(proto, "constructor") && proto.constructor;
      return typeof Ctor === "function" && Ctor instanceof Ctor && Function.prototype.call(Ctor) === Function.prototype.call(value);
    }
-    var import_request_error = require_dist_node7();
+    var import_request_error2 = require_dist_node7();
    function getBufferResponse(response) {
      return response.arrayBuffer();
    }
@@ -21401,7 +21401,7 @@ var require_dist_node8 = __commonJS({
          if (status < 400) {
            return;
          }
-          throw new import_request_error.RequestError(response.statusText, status, {
+          throw new import_request_error2.RequestError(response.statusText, status, {
            response: {
              url: url2,
              status,
@@ -21412,7 +21412,7 @@ var require_dist_node8 = __commonJS({
          });
        }
        if (status === 304) {
-          throw new import_request_error.RequestError("Not modified", status, {
+          throw new import_request_error2.RequestError("Not modified", status, {
            response: {
              url: url2,
              status,
@@ -21424,7 +21424,7 @@ var require_dist_node8 = __commonJS({
        }
        if (status >= 400) {
          const data = await getResponseData(response);
-          const error2 = new import_request_error.RequestError(toErrorMessage(data), status, {
+          const error2 = new import_request_error2.RequestError(toErrorMessage(data), status, {
            response: {
              url: url2,
              status,
@@ -21444,7 +21444,7 @@ var require_dist_node8 = __commonJS({
          data
        };
      }).catch((error2) => {
-        if (error2 instanceof import_request_error.RequestError)
+        if (error2 instanceof import_request_error2.RequestError)
          throw error2;
        else if (error2.name === "AbortError")
          throw error2;
@@ -21456,7 +21456,7 @@ var require_dist_node8 = __commonJS({
            message = error2.cause;
          }
        }
-        throw new import_request_error.RequestError(message, 500, {
+        throw new import_request_error2.RequestError(message, 500, {
          request: requestOptions
        });
      });
@@ -32309,7 +32309,7 @@ var require_package = __commonJS({
  "package.json"(exports2, module2) {
    module2.exports = {
      name: "codeql",
-      version: "4.31.1",
+      version: "4.30.9",
      private: true,
      description: "CodeQL action",
      scripts: {
@@ -32321,7 +32321,8 @@ var require_package = __commonJS({
        ava: "npm run transpile && ava --serial --verbose",
        test: "npm run ava -- src/",
        "test-debug": "npm run test -- --timeout=20m",
-        transpile: "tsc --build --verbose"
+        transpile: "npm run generate:schemas && tsc --build --verbose",
+        "generate:schemas": "node json-schemas.mjs"
      },
      ava: {
        typescript: {
@@ -32357,7 +32358,7 @@ var require_package = __commonJS({
        jsonschema: "1.4.1",
        long: "^5.3.2",
        "node-forge": "^1.3.1",
-        octokit: "^5.0.4",
+        octokit: "^5.0.3",
        semver: "^7.7.3",
        uuid: "^13.0.0"
      },
@@ -32365,7 +32366,7 @@ var require_package = __commonJS({
        "@ava/typescript": "6.0.0",
        "@eslint/compat": "^1.4.0",
        "@eslint/eslintrc": "^3.3.1",
-        "@eslint/js": "^9.38.0",
+        "@eslint/js": "^9.37.0",
        "@microsoft/eslint-formatter-sarif": "^3.1.0",
        "@octokit/types": "^15.0.0",
        "@types/archiver": "^6.0.3",
@@ -32376,10 +32377,10 @@ var require_package = __commonJS({
        "@types/node-forge": "^1.3.14",
        "@types/semver": "^7.7.1",
        "@types/sinon": "^17.0.4",
-        "@typescript-eslint/eslint-plugin": "^8.46.1",
+        "@typescript-eslint/eslint-plugin": "^8.46.0",
        "@typescript-eslint/parser": "^8.41.0",
        ava: "^6.4.1",
-        esbuild: "^0.25.11",
+        esbuild: "^0.25.10",
        eslint: "^8.57.1",
        "eslint-import-resolver-typescript": "^3.8.7",
        "eslint-plugin-filenames": "^1.3.2",
@@ -32387,6 +32388,7 @@ var require_package = __commonJS({
        "eslint-plugin-import": "2.29.1",
        "eslint-plugin-no-async-foreach": "^0.1.1",
        glob: "^11.0.3",
+        "json-schema-to-typescript": "^15.0.4",
        nock: "^14.0.10",
        sinon: "^21.0.0",
        typescript: "^5.9.3"
@@ -33768,14 +33770,14 @@ var require_dist_node14 = __commonJS({
    var __toCommonJS2 = (mod) => __copyProps2(__defProp2({}, "__esModule", { value: true }), mod);
    var dist_src_exports = {};
    __export2(dist_src_exports, {
-      RequestError: () => RequestError
+      RequestError: () => RequestError2
    });
    module2.exports = __toCommonJS2(dist_src_exports);
    var import_deprecation = require_dist_node3();
    var import_once = __toESM2(require_once());
    var logOnceCode = (0, import_once.default)((deprecation) => console.warn(deprecation));
    var logOnceHeaders = (0, import_once.default)((deprecation) => console.warn(deprecation));
-    var RequestError = class extends Error {
+    var RequestError2 = class extends Error {
      constructor(message, statusCode, options) {
        super(message);
        if (Error.captureStackTrace) {
@@ -33877,7 +33879,7 @@ var require_dist_node15 = __commonJS({
      throw error2;
    }
    var import_light = __toESM2(require_light());
-    var import_request_error = require_dist_node14();
+    var import_request_error2 = require_dist_node14();
    async function wrapRequest(state, octokit, request, options) {
      const limiter = new import_light.default();
      limiter.on("failed", function(error2, info4) {
@@ -33898,7 +33900,7 @@ var require_dist_node15 = __commonJS({
      if (response.data && response.data.errors && response.data.errors.length > 0 && /Something went wrong while executing your query/.test(
        response.data.errors[0].message
      )) {
-        const error2 = new import_request_error.RequestError(response.data.errors[0].message, 500, {
+        const error2 = new import_request_error2.RequestError(response.data.errors[0].message, 500, {
          request: options,
          response
        });
@@ -80921,14 +80923,14 @@ var require_tool_cache = __commonJS({
    var assert_1 = require("assert");
    var exec_1 = require_exec();
    var retry_helper_1 = require_retry_helper();
-    var HTTPError2 = class extends Error {
+    var HTTPError = class extends Error {
      constructor(httpStatusCode) {
        super(`Unexpected HTTP response: ${httpStatusCode}`);
        this.httpStatusCode = httpStatusCode;
        Object.setPrototypeOf(this, new.target.prototype);
      }
    };
-    exports2.HTTPError = HTTPError2;
+    exports2.HTTPError = HTTPError;
    var IS_WINDOWS = process.platform === "win32";
    var IS_MAC = process.platform === "darwin";
    var userAgent = "actions/tool-cache";
@@ -80945,7 +80947,7 @@ var require_tool_cache = __commonJS({
        return yield retryHelper.execute(() => __awaiter4(this, void 0, void 0, function* () {
          return yield downloadToolAttempt(url2, dest || "", auth, headers);
        }), (err) => {
-          if (err instanceof HTTPError2 && err.httpStatusCode) {
+          if (err instanceof HTTPError && err.httpStatusCode) {
            if (err.httpStatusCode < 500 && err.httpStatusCode !== 408 && err.httpStatusCode !== 429) {
              return false;
            }
@@ -80972,7 +80974,7 @@ var require_tool_cache = __commonJS({
        }
        const response = yield http.get(url2, headers);
        if (response.message.statusCode !== 200) {
-          const err = new HTTPError2(response.message.statusCode);
+          const err = new HTTPError(response.message.statusCode);
          core14.debug(`Failed to download from "${url2}". Code(${response.message.statusCode}) Message(${response.message.statusMessage})`);
          throw err;
        }
@@ -88444,35 +88446,13 @@ function getRequiredEnvParam(paramName) {
  }
  return value;
 }
-function getOptionalEnvVar(paramName) {
-  const value = process.env[paramName];
-  if (value?.trim().length === 0) {
-    return void 0;
-  }
-  return value;
-}
-var HTTPError = class extends Error {
-  constructor(message, status) {
-    super(message);
-    this.status = status;
-  }
-};
 var ConfigurationError = class extends Error {
  constructor(message) {
    super(message);
  }
 };
-function asHTTPError(arg) {
-  if (typeof arg !== "object" || arg === null || typeof arg.message !== "string") {
-    return void 0;
-  }
-  if (Number.isInteger(arg.status)) {
-    return new HTTPError(arg.message, arg.status);
-  }
-  if (Number.isInteger(arg.httpStatusCode)) {
-    return new HTTPError(arg.message, arg.httpStatusCode);
-  }
-  return void 0;
+function isHTTPError(arg) {
+  return arg?.status !== void 0 && Number.isInteger(arg.status);
 }
 var cachedCodeQlVersion = void 0;
 function cacheCodeQlVersion(version) {
@@ -88980,24 +88960,14 @@ function computeAutomationID(analysis_key, environment) {
  return automationID;
 }
 function wrapApiConfigurationError(e) {
-  const httpError = asHTTPError(e);
-  if (httpError !== void 0) {
-    if ([
-      /API rate limit exceeded/,
-      /commit not found/,
-      /Resource not accessible by integration/,
-      /ref .* not found in this repository/
-    ].some((pattern) => pattern.test(httpError.message))) {
-      return new ConfigurationError(httpError.message);
-    }
-    if (httpError.message.includes("Bad credentials") || httpError.message.includes("Not Found")) {
+  if (isHTTPError(e)) {
+    if (e.message.includes("API rate limit exceeded for installation") || e.message.includes("commit not found") || e.message.includes("Resource not accessible by integration") || /ref .* not found in this repository/.test(e.message)) {
+      return new ConfigurationError(e.message);
+    } else if (e.message.includes("Bad credentials") || e.message.includes("Not Found")) {
      return new ConfigurationError(
        "Please check that your token is valid and has the required permissions: contents: read, security-events: write"
      );
    }
-    if (httpError.status === 429) {
-      return new ConfigurationError("API rate limit exceeded");
-    }
  }
  return e;
 }
@@ -89232,7 +89202,7 @@ function formatDuration(durationMs) {

 // src/overlay-database-utils.ts
 var CODEQL_OVERLAY_MINIMUM_VERSION = "2.22.4";
-var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB = 7500;
+var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB = 15e3;
 var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_BYTES = OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB * 1e6;
 async function writeBaseDatabaseOidsFile(config, sourceRoot) {
  const gitFileOids = await getFileOidsUnderPath(sourceRoot);
@@ -89307,11 +89277,6 @@ var featureConfig = {
    envVar: "CODEQL_ACTION_ALLOW_TOOLCACHE_INPUT",
    minimumVersion: void 0
  },
-  ["analyze_use_new_upload" /* AnalyzeUseNewUpload */]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_ANALYZE_USE_NEW_UPLOAD",
-    minimumVersion: void 0
-  },
  ["cleanup_trap_caches" /* CleanupTrapCaches */]: {
    defaultValue: false,
    envVar: "CODEQL_ACTION_CLEANUP_TRAP_CACHES",
@@ -89730,7 +89695,7 @@ var GitHubFeatureFlags = class {
        remoteFlags = { ...remoteFlags, ...chunkFlags };
      }
      this.logger.debug(
-        "Loaded the following default values for the feature flags from the CodeQL Action API:"
+        "Loaded the following default values for the feature flags from the Code Scanning API:"
      );
      for (const [feature, value] of Object.entries(remoteFlags).sort(
        ([nameA], [nameB]) => nameA.localeCompare(nameB)
@@ -89740,10 +89705,9 @@ var GitHubFeatureFlags = class {
      this.hasAccessedRemoteFeatureFlags = true;
      return remoteFlags;
    } catch (e) {
-      const httpError = asHTTPError(e);
-      if (httpError?.status === 403) {
+      if (isHTTPError(e) && e.status === 403) {
        this.logger.warning(
-          `This run of the CodeQL Action does not have permission to access the CodeQL Action API endpoints. As a result, it will not be opted into any experimental features. This could be because the Action is running on a pull request from a fork. If not, please ensure the workflow has at least the 'security-events: read' permission. Details: ${httpError.message}`
+          `This run of the CodeQL Action does not have permission to access Code Scanning API endpoints. As a result, it will not be opted into any experimental features. This could be because the Action is running on a pull request from a fork. If not, please ensure the Action has the 'security-events: write' permission. Details: ${e.message}`
        );
        this.hasAccessedRemoteFeatureFlags = false;
        return {};
@@ -89994,8 +89958,8 @@ async function createStatusReportBase(actionName, status, actionStartedAt, confi
    return void 0;
  }
 }
-var OUT_OF_DATE_MSG = "CodeQL Action is out-of-date. Please upgrade to the latest version of `codeql-action`.";
-var INCOMPATIBLE_MSG = "CodeQL Action version is incompatible with the API endpoint. Please update to a compatible version of `codeql-action`.";
+var OUT_OF_DATE_MSG = "CodeQL Action is out-of-date. Please upgrade to the latest version of codeql-action.";
+var INCOMPATIBLE_MSG = "CodeQL Action version is incompatible with the code scanning endpoint. Please update to a compatible version of codeql-action.";
 async function sendStatusReport(statusReport) {
  setJobStatusIfUnsuccessful(statusReport.status);
  const statusReportJSON = JSON.stringify(statusReport);
@@ -90016,22 +89980,19 @@ async function sendStatusReport(statusReport) {
      }
    );
  } catch (e) {
-    const httpError = asHTTPError(e);
-    if (httpError !== void 0) {
-      switch (httpError.status) {
+    if (isHTTPError(e)) {
+      switch (e.status) {
        case 403:
          if (getWorkflowEventName() === "push" && process.env["GITHUB_ACTOR"] === "dependabot[bot]") {
            core9.warning(
-              `Workflows triggered by Dependabot on the "push" event run with read-only access. Uploading CodeQL results requires write access. To use CodeQL with Dependabot, please ensure you are using the "pull_request" event for this workflow and avoid triggering on the "push" event for Dependabot branches. See ${"https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning#scanning-on-push" /* SCANNING_ON_PUSH */} for more information on how to configure these events.`
+              `Workflows triggered by Dependabot on the "push" event run with read-only access. Uploading Code Scanning results requires write access. To use Code Scanning with Dependabot, please ensure you are using the "pull_request" event for this workflow and avoid triggering on the "push" event for Dependabot branches. See ${"https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning#scanning-on-push" /* SCANNING_ON_PUSH */} for more information on how to configure these events.`
            );
          } else {
-            core9.warning(
-              `This run of the CodeQL Action does not have permission to access the CodeQL Action API endpoints. This could be because the Action is running on a pull request from a fork. If not, please ensure the workflow has at least the 'security-events: read' permission. Details: ${httpError.message}`
-            );
+            core9.warning(e.message);
          }
          return;
        case 404:
-          core9.warning(httpError.message);
+          core9.warning(e.message);
          return;
        case 422:
          if (getRequiredEnvParam("GITHUB_SERVER_URL") !== GITHUB_DOTCOM_URL) {
@@ -90043,7 +90004,7 @@ async function sendStatusReport(statusReport) {
      }
    }
    core9.warning(
-      `An unexpected error occurred when sending a status report: ${getErrorMessage(
+      `An unexpected error occurred when sending code scanning status report: ${getErrorMessage(
        e
      )}`
    );
@@ -90064,6 +90025,45 @@ var path13 = __toESM(require("path"));
 var core11 = __toESM(require_core());
 var toolrunner3 = __toESM(require_toolrunner());

+// node_modules/@octokit/request-error/dist-src/index.js
+var RequestError = class extends Error {
+  name;
+  /**
+   * http status code
+   */
+  status;
+  /**
+   * Request options that lead to the error.
+   */
+  request;
+  /**
+   * Response object if a response was received
+   */
+  response;
+  constructor(message, statusCode, options) {
+    super(message);
+    this.name = "HttpError";
+    this.status = Number.parseInt(statusCode);
+    if (Number.isNaN(this.status)) {
+      this.status = 0;
+    }
+    if ("response" in options) {
+      this.response = options.response;
+    }
+    const requestCopy = Object.assign({}, options.request);
+    if (options.request.headers.authorization) {
+      requestCopy.headers = Object.assign({}, options.request.headers, {
+        authorization: options.request.headers.authorization.replace(
+          /(?<! ) .*$/,
+          " [REDACTED]"
+        )
+      });
+    }
+    requestCopy.url = requestCopy.url.replace(/\bclient_secret=\w+/g, "client_secret=[REDACTED]").replace(/\baccess_token=\w+/g, "access_token=[REDACTED]");
+    this.request = requestCopy;
+  }
+};
+
 // src/cli-errors.ts
 var SUPPORTED_PLATFORMS = [
  ["linux", "x64"],
@@ -90390,13 +90390,13 @@ async function getTarVersion() {
  }
  if (stdout.includes("GNU tar")) {
    const match = stdout.match(/tar \(GNU tar\) ([0-9.]+)/);
-    if (!match?.[1]) {
+    if (!match || !match[1]) {
      throw new Error("Failed to parse output of tar --version.");
    }
    return { type: "gnu", version: match[1] };
  } else if (stdout.includes("bsdtar")) {
    const match = stdout.match(/bsdtar ([0-9.]+)/);
-    if (!match?.[1]) {
+    if (!match || !match[1]) {
      throw new Error("Failed to parse output of tar --version.");
    }
    return { type: "bsd", version: match[1] };
@@ -90776,7 +90776,7 @@ function tryGetTagNameFromUrl(url2, logger) {
    return void 0;
  }
  const match = matches[matches.length - 1];
-  if (match?.length !== 2) {
+  if (match === null || match.length !== 2) {
    logger.debug(
      `Could not determine tag name for URL ${url2}. Matched ${JSON.stringify(
        match
@@ -91236,7 +91236,7 @@ async function shouldEnableIndirectTracing(codeql, config) {

 // src/codeql.ts
 var cachedCodeQL = void 0;
-var CODEQL_MINIMUM_VERSION = "2.17.6";
+var CODEQL_MINIMUM_VERSION = "2.16.6";
 var CODEQL_NEXT_MINIMUM_VERSION = "2.17.6";
 var GHES_VERSION_MOST_RECENTLY_DEPRECATED = "3.13";
 var GHES_MOST_RECENT_DEPRECATION_DATE = "2025-06-19";
@@ -91280,9 +91280,9 @@ async function setupCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliV
      toolsVersion,
      zstdAvailability
    };
-  } catch (rawError) {
-    const e = wrapApiConfigurationError(rawError);
-    const ErrorClass = e instanceof ConfigurationError || e instanceof Error && e.message.includes("ENOSPC") ? ConfigurationError : Error;
+  } catch (e) {
+    const ErrorClass = e instanceof ConfigurationError || e instanceof Error && e.message.includes("ENOSPC") || // out of disk space
+    e instanceof RequestError && e.status === 429 ? ConfigurationError : Error;
    throw new ErrorClass(
      `Unable to download and extract CodeQL CLI: ${getErrorMessage(e)}${e instanceof Error && e.stack ? `

@@ -91571,6 +91571,12 @@ ${output}`
      } else {
        codeqlArgs.push("--no-sarif-include-diagnostics");
      }
+      if (!isSupportedToolsFeature(
+        await this.getVersion(),
+        "analysisSummaryV2Default" /* AnalysisSummaryV2IsDefault */
+      )) {
+        codeqlArgs.push("--new-analysis-summary");
+      }
      codeqlArgs.push(databasePath);
      if (querySuitePaths) {
        codeqlArgs.push(...querySuitePaths);
@@ -93120,6 +93126,24 @@ async function combineSarifFilesUsingCLI(sarifFiles, gitHubVersion, features, lo
    );
    codeQL = initCodeQLResult.codeql;
  }
+  if (!await codeQL.supportsFeature(
+    "sarifMergeRunsFromEqualCategory" /* SarifMergeRunsFromEqualCategory */
+  )) {
+    await throwIfCombineSarifFilesDisabled(sarifObjects, gitHubVersion);
+    logger.warning(
+      "The CodeQL CLI does not support merging SARIF files. Merging files in the action."
+    );
+    if (await shouldShowCombineSarifFilesDeprecationWarning(
+      sarifObjects,
+      gitHubVersion
+    )) {
+      logger.warning(
+        `Uploading multiple CodeQL runs with the same category is deprecated ${deprecationWarningMessage} for CodeQL CLI 2.16.6 and earlier. Please update your CodeQL CLI version or update your workflow to set a distinct category for each CodeQL run. ${deprecationMoreInformationMessage}`
+      );
+      core12.exportVariable("CODEQL_MERGE_SARIF_DEPRECATION_WARNING", "true");
+    }
+    return combineSarifFiles(sarifFiles, logger);
+  }
  const baseTempDir = path15.resolve(tempDir, "combined-sarif");
  fs14.mkdirSync(baseTempDir, { recursive: true });
  const outputDirectory = fs14.mkdtempSync(path15.resolve(baseTempDir, "output-"));
@@ -93178,17 +93202,16 @@ async function uploadPayload(payload, repositoryNwo, logger, analysis) {
    logger.info("Successfully uploaded results");
    return response.data.id;
  } catch (e) {
-    const httpError = asHTTPError(e);
-    if (httpError !== void 0) {
-      switch (httpError.status) {
+    if (isHTTPError(e)) {
+      switch (e.status) {
        case 403:
-          core12.warning(httpError.message || GENERIC_403_MSG);
+          core12.warning(e.message || GENERIC_403_MSG);
          break;
        case 404:
-          core12.warning(httpError.message || GENERIC_404_MSG);
+          core12.warning(e.message || GENERIC_404_MSG);
          break;
        default:
-          core12.warning(httpError.message);
+          core12.warning(e.message);
          break;
      }
    }
@@ -93353,11 +93376,12 @@ function buildPayload(commitOid, ref, analysisKey, analysisName, zippedSarif, wo
  }
  return payloadObj;
 }
-async function postProcessSarifFiles(logger, features, checkoutPath, sarifPaths, category, analysis) {
-  logger.info(`Post-processing sarif files: ${JSON.stringify(sarifPaths)}`);
+async function uploadSpecifiedFiles(sarifPaths, checkoutPath, category, features, logger, uploadTarget) {
+  logger.startGroup(`Uploading ${uploadTarget.name} results`);
+  logger.info(`Processing sarif files: ${JSON.stringify(sarifPaths)}`);
  const gitHubVersion = await getGitHubVersion();
  let sarif;
-  category = analysis.fixCategory(logger, category);
+  category = uploadTarget.fixCategory(logger, category);
  if (sarifPaths.length > 1) {
    for (const sarifPath of sarifPaths) {
      const parsedSarif = readSarifFile(sarifPath);
@@ -93385,42 +93409,28 @@ async function postProcessSarifFiles(logger, features, checkoutPath, sarifPaths,
    analysisKey,
    environment
  );
-  return { sarif, analysisKey, environment };
-}
-async function writePostProcessedFiles(logger, pathInput, uploadTarget, postProcessingResults) {
-  const outputPath = pathInput || getOptionalEnvVar("CODEQL_ACTION_SARIF_DUMP_DIR" /* SARIF_DUMP_DIR */);
-  if (outputPath !== void 0) {
-    dumpSarifFile(
-      JSON.stringify(postProcessingResults.sarif),
-      outputPath,
-      logger,
-      uploadTarget
-    );
-  } else {
-    logger.debug(`Not writing post-processed SARIF files.`);
-  }
-}
-async function uploadPostProcessedFiles(logger, checkoutPath, uploadTarget, postProcessingResults) {
-  logger.startGroup(`Uploading ${uploadTarget.name} results`);
-  const sarif = postProcessingResults.sarif;
  const toolNames = getToolNames(sarif);
  logger.debug(`Validating that each SARIF run has a unique category`);
  validateUniqueCategory(sarif, uploadTarget.sentinelPrefix);
  logger.debug(`Serializing SARIF for upload`);
  const sarifPayload = JSON.stringify(sarif);
+  const dumpDir = process.env["CODEQL_ACTION_SARIF_DUMP_DIR" /* SARIF_DUMP_DIR */];
+  if (dumpDir) {
+    dumpSarifFile(sarifPayload, dumpDir, logger, uploadTarget);
+  }
  logger.debug(`Compressing serialized SARIF`);
  const zippedSarif = import_zlib.default.gzipSync(sarifPayload).toString("base64");
  const checkoutURI = url.pathToFileURL(checkoutPath).href;
  const payload = buildPayload(
    await getCommitOid(checkoutPath),
    await getRef(),
-    postProcessingResults.analysisKey,
+    analysisKey,
    getRequiredEnvParam("GITHUB_WORKFLOW"),
    zippedSarif,
    getWorkflowRunID(),
    getWorkflowRunAttempt(),
    checkoutURI,
-    postProcessingResults.environment,
+    environment,
    toolNames,
    await determineBaseBranchHeadCommitOid()
  );
@@ -93451,14 +93461,14 @@ function dumpSarifFile(sarifPayload, outputDir, logger, uploadTarget) {
    fs14.mkdirSync(outputDir, { recursive: true });
  } else if (!fs14.lstatSync(outputDir).isDirectory()) {
    throw new ConfigurationError(
-      `The path that processed SARIF files should be written to exists, but is not a directory: ${outputDir}`
+      `The path specified by the ${"CODEQL_ACTION_SARIF_DUMP_DIR" /* SARIF_DUMP_DIR */} environment variable exists and is not a directory: ${outputDir}`
    );
  }
  const outputFile = path15.resolve(
    outputDir,
    `upload${uploadTarget.sarifExtension}`
  );
-  logger.info(`Writing processed SARIF file to ${outputFile}`);
+  logger.info(`Dumping processed SARIF file to ${outputFile}`);
  fs14.writeFileSync(outputFile, sarifPayload);
 }
 var STATUS_CHECK_FREQUENCY_MILLISECONDS = 5 * 1e3;
@@ -93588,9 +93598,9 @@ function filterAlertsByDiffRange(logger, sarif) {
  if (!diffRanges?.length) {
    return sarif;
  }
+  const checkoutPath = getRequiredInput("checkout_path");
  for (const run2 of sarif.runs) {
    if (run2.results) {
-      const preAlertCount = run2.results.length;
      run2.results = run2.results.filter((result) => {
        const locations = [
          ...(result.locations || []).map((loc) => loc.physicalLocation),
@@ -93602,20 +93612,19 @@ function filterAlertsByDiffRange(logger, sarif) {
          if (!locationUri || locationStartLine === void 0) {
            return false;
          }
+          const locationPath = path15.join(checkoutPath, locationUri).replaceAll(path15.sep, "/");
          return diffRanges.some(
-            (range) => range.path === locationUri && (range.startLine <= locationStartLine && range.endLine >= locationStartLine || range.startLine === 0 && range.endLine === 0)
+            (range) => range.path === locationPath && (range.startLine <= locationStartLine && range.endLine >= locationStartLine || range.startLine === 0 && range.endLine === 0)
          );
        });
      });
-      const postAlertCount = run2.results.length;
-      logger.info(`Filtered ${preAlertCount - postAlertCount} alerts based on diff range.`);
    }
  }
  return sarif;
 }

 // src/upload-sarif.ts
-async function postProcessAndUploadSarif(logger, features, uploadKind, checkoutPath, sarifPath, category, postProcessedOutputPath) {
+async function uploadSarif(logger, features, checkoutPath, sarifPath, category) {
  const sarifGroups = await getGroupedSarifFilePaths(
    logger,
    sarifPath
@@ -93625,28 +93634,14 @@ async function postProcessAndUploadSarif(logger, features, uploadKind, checkoutP
    sarifGroups
  )) {
    const analysisConfig = getAnalysisConfig(analysisKind);
-    const postProcessingResults = await postProcessSarifFiles(
-      logger,
-      features,
-      checkoutPath,
+    uploadResults[analysisKind] = await uploadSpecifiedFiles(
      sarifFiles,
+      checkoutPath,
      category,
+      features,
+      logger,
      analysisConfig
    );
-    await writePostProcessedFiles(
-      logger,
-      postProcessedOutputPath,
-      analysisConfig,
-      postProcessingResults
-    );
-    if (uploadKind === "always") {
-      uploadResults[analysisKind] = await uploadPostProcessedFiles(
-        logger,
-        checkoutPath,
-        analysisConfig,
-        postProcessingResults
-      );
-    }
  }
  return uploadResults;
 }
@@ -93698,10 +93693,9 @@ async function run() {
    const sarifPath = getRequiredInput("sarif_file");
    const checkoutPath = getRequiredInput("checkout_path");
    const category = getOptionalInput("category");
-    const uploadResults = await postProcessAndUploadSarif(
+    const uploadResults = await uploadSarif(
      logger,
      features,
-      "always",
      checkoutPath,
      sarifPath,
      category
@@ -1,6 +1,6 @@
 {
  "name": "codeql",
-  "version": "4.31.1",
+  "version": "4.30.9",
  "private": true,
  "description": "CodeQL action",
  "scripts": {
@@ -12,7 +12,8 @@
    "ava": "npm run transpile && ava --serial --verbose",
    "test": "npm run ava -- src/",
    "test-debug": "npm run test -- --timeout=20m",
-    "transpile": "tsc --build --verbose"
+    "transpile": "npm run generate:schemas && tsc --build --verbose",
+    "generate:schemas": "node json-schemas.mjs"
  },
  "ava": {
    "typescript": {
@@ -48,7 +49,7 @@
    "jsonschema": "1.4.1",
    "long": "^5.3.2",
    "node-forge": "^1.3.1",
-    "octokit": "^5.0.4",
+    "octokit": "^5.0.3",
    "semver": "^7.7.3",
    "uuid": "^13.0.0"
  },
@@ -56,7 +57,7 @@
    "@ava/typescript": "6.0.0",
    "@eslint/compat": "^1.4.0",
    "@eslint/eslintrc": "^3.3.1",
-    "@eslint/js": "^9.38.0",
+    "@eslint/js": "^9.37.0",
    "@microsoft/eslint-formatter-sarif": "^3.1.0",
    "@octokit/types": "^15.0.0",
    "@types/archiver": "^6.0.3",
@@ -67,10 +68,10 @@
    "@types/node-forge": "^1.3.14",
    "@types/semver": "^7.7.1",
    "@types/sinon": "^17.0.4",
-    "@typescript-eslint/eslint-plugin": "^8.46.1",
+    "@typescript-eslint/eslint-plugin": "^8.46.0",
    "@typescript-eslint/parser": "^8.41.0",
    "ava": "^6.4.1",
-    "esbuild": "^0.25.11",
+    "esbuild": "^0.25.10",
    "eslint": "^8.57.1",
    "eslint-import-resolver-typescript": "^3.8.7",
    "eslint-plugin-filenames": "^1.3.2",
@@ -78,6 +79,7 @@
    "eslint-plugin-import": "2.29.1",
    "eslint-plugin-no-async-foreach": "^0.1.1",
    "glob": "^11.0.3",
+    "json-schema-to-typescript": "^15.0.4",
    "nock": "^14.0.10",
    "sinon": "^21.0.0",
    "typescript": "^5.9.3"
@@ -36,7 +36,6 @@ steps:
    with:
      output: "${{ runner.temp }}/results"
      upload-database: false
-      post-processed-sarif-path: "${{ runner.temp }}/post-processed"
  - name: Upload security SARIF
    if: contains(matrix.analysis-kinds, 'code-scanning')
    uses: actions/upload-artifact@v4
@@ -53,14 +52,6 @@ steps:
        quality-queries-${{ matrix.os }}-${{ matrix.version }}-${{ matrix.analysis-kinds }}.quality.sarif.json
      path: "${{ runner.temp }}/results/javascript.quality.sarif"
      retention-days: 7
-  - name: Upload post-processed SARIF
-    uses: actions/upload-artifact@v4
-    with:
-      name: |
-        post-processed-${{ matrix.os }}-${{ matrix.version }}-${{ matrix.analysis-kinds }}.sarif.json
-      path: "${{ runner.temp }}/post-processed"
-      retention-days: 7
-      if-no-files-found: error
  - name: Check quality query does not appear in security SARIF
    if: contains(matrix.analysis-kinds, 'code-scanning')
    uses: actions/github-script@v8
@@ -117,7 +117,7 @@ for file in sorted((this_dir / 'checks').glob('*.yml')):
        steps.extend([
            {
                'name': 'Install Node.js',
-                'uses': 'actions/setup-node@v6',
+                'uses': 'actions/setup-node@v5',
                'with': {
                    'node-version': '20.x',
                    'cache': 'npm',
@@ -1,6 +1,6 @@
 {
  "$schema": "https://json-schema.org/draft/2020-12/schema",
-  "title": "CodeQL Database Configuration",
+  "title": "UserConfig",
  "description": "Format of the config file supplied by the user for CodeQL analysis",
  "type": "object",
  "properties": {
@@ -24,9 +24,6 @@ setupTests(test);
 // but the first test would fail.

 test("analyze action with RAM & threads from environment variables", async (t) => {
-  // This test frequently times out on Windows with the default timeout, so we bump
-  // it a bit to 20s.
-  t.timeout(1000 * 20);
  await util.withTmpDir(async (tmpDir) => {
    process.env["GITHUB_SERVER_URL"] = util.GITHUB_DOTCOM_URL;
    process.env["GITHUB_REPOSITORY"] = "github/codeql-action-fake-repository";
@@ -24,7 +24,6 @@ setupTests(test);
 // but the first test would fail.

 test("analyze action with RAM & threads from action inputs", async (t) => {
-  t.timeout(1000 * 20);
  await util.withTmpDir(async (tmpDir) => {
    process.env["GITHUB_SERVER_URL"] = util.GITHUB_DOTCOM_URL;
    process.env["GITHUB_REPOSITORY"] = "github/codeql-action-fake-repository";
@@ -30,6 +30,7 @@ import {
  DependencyCacheUploadStatusReport,
  uploadDependencyCaches,
 } from "./dependency-caching";
+import { getDiffInformedAnalysisBranches } from "./diff-informed-analysis-utils";
 import { EnvVar } from "./environment";
 import { Feature, Features } from "./feature-flags";
 import { KnownLanguage } from "./languages";
@@ -51,7 +52,6 @@ import {
 } from "./trap-caching";
 import * as uploadLib from "./upload-lib";
 import { UploadResult } from "./upload-lib";
-import { postProcessAndUploadSarif } from "./upload-sarif";
 import * as util from "./util";

 interface AnalysisStatusReport
@@ -211,9 +211,7 @@ async function runAutobuildIfLegacyGoWorkflow(config: Config, logger: Logger) {

 async function run() {
  const startedAt = new Date();
-  let uploadResults:
-    | Partial<Record<analyses.AnalysisKind, UploadResult>>
-    | undefined = undefined;
+  let uploadResult: UploadResult | undefined = undefined;
  let runStats: QueriesStatusReport | undefined = undefined;
  let config: Config | undefined = undefined;
  let trapCacheCleanupTelemetry: TrapCacheCleanupStatusReport | undefined =
@@ -301,8 +299,14 @@ async function run() {
      logger,
    );

-    // Setup diff informed analysis if needed (based on whether init created the file)
-    const diffRangePackDir = await setupDiffInformedQueryRun(logger);
+    const branches = await getDiffInformedAnalysisBranches(
+      codeql,
+      features,
+      logger,
+    );
+    const diffRangePackDir = branches
+      ? await setupDiffInformedQueryRun(branches, logger)
+      : undefined;

    await warnIfGoInstalledAfterInit(config, logger);
    await runAutobuildIfLegacyGoWorkflow(config, logger);
@@ -337,67 +341,31 @@ async function run() {
    }
    core.setOutput("db-locations", dbLocations);
    core.setOutput("sarif-output", path.resolve(outputDir));
-    const uploadKind = actionsUtil.getUploadValue(
-      actionsUtil.getOptionalInput("upload"),
-    );
-    if (runStats) {
-      const checkoutPath = actionsUtil.getRequiredInput("checkout_path");
-      const category = actionsUtil.getOptionalInput("category");
-
-      if (await features.getValue(Feature.AnalyzeUseNewUpload)) {
-        uploadResults = await postProcessAndUploadSarif(
-          logger,
-          features,
-          uploadKind,
-          checkoutPath,
+    const uploadInput = actionsUtil.getOptionalInput("upload");
+    if (runStats && actionsUtil.getUploadValue(uploadInput) === "always") {
+      if (isCodeScanningEnabled(config)) {
+        uploadResult = await uploadLib.uploadFiles(
          outputDir,
-          category,
-          actionsUtil.getOptionalInput("post-processed-sarif-path"),
+          actionsUtil.getRequiredInput("checkout_path"),
+          actionsUtil.getOptionalInput("category"),
+          features,
+          logger,
+          analyses.CodeScanning,
        );
-      } else if (uploadKind === "always") {
-        uploadResults = {};
-
-        if (isCodeScanningEnabled(config)) {
-          uploadResults[analyses.AnalysisKind.CodeScanning] =
-            await uploadLib.uploadFiles(
-              outputDir,
-              checkoutPath,
-              category,
-              features,
-              logger,
-              analyses.CodeScanning,
-            );
-        }
-
-        if (isCodeQualityEnabled(config)) {
-          uploadResults[analyses.AnalysisKind.CodeQuality] =
-            await uploadLib.uploadFiles(
-              outputDir,
-              checkoutPath,
-              category,
-              features,
-              logger,
-              analyses.CodeQuality,
-            );
-        }
-      } else {
-        uploadResults = {};
-        logger.info("Not uploading results");
+        core.setOutput("sarif-id", uploadResult.sarifID);
      }

-      // Set the SARIF id outputs only if we have results for them, to avoid
-      // having keys with empty values in the action output.
-      if (uploadResults[analyses.AnalysisKind.CodeScanning] !== undefined) {
-        core.setOutput(
-          "sarif-id",
-          uploadResults[analyses.AnalysisKind.CodeScanning].sarifID,
-        );
-      }
-      if (uploadResults[analyses.AnalysisKind.CodeQuality] !== undefined) {
-        core.setOutput(
-          "quality-sarif-id",
-          uploadResults[analyses.AnalysisKind.CodeQuality].sarifID,
+      if (isCodeQualityEnabled(config)) {
+        const analysis = analyses.CodeQuality;
+        const qualityUploadResult = await uploadLib.uploadFiles(
+          outputDir,
+          actionsUtil.getRequiredInput("checkout_path"),
+          actionsUtil.getOptionalInput("category"),
+          features,
+          logger,
+          analysis,
        );
+        core.setOutput("quality-sarif-id", qualityUploadResult.sarifID);
      }
    } else {
      logger.info("Not uploading results");
@@ -440,12 +408,12 @@ async function run() {
    if (util.isInTestMode()) {
      logger.debug("In test mode. Waiting for processing is disabled.");
    } else if (
-      uploadResults?.[analyses.AnalysisKind.CodeScanning] !== undefined &&
+      uploadResult !== undefined &&
      actionsUtil.getRequiredInput("wait-for-processing") === "true"
    ) {
      await uploadLib.waitForProcessing(
        getRepositoryNwo(),
-        uploadResults[analyses.AnalysisKind.CodeScanning].sarifID,
+        uploadResult.sarifID,
        getActionsLogger(),
      );
    }
@@ -482,16 +450,13 @@ async function run() {
    return;
  }

-  if (
-    runStats !== undefined &&
-    uploadResults?.[analyses.AnalysisKind.CodeScanning] !== undefined
-  ) {
+  if (runStats && uploadResult) {
    await sendStatusReport(
      startedAt,
      config,
      {
        ...runStats,
-        ...uploadResults[analyses.AnalysisKind.CodeScanning].statusReport,
+        ...uploadResult.statusReport,
      },
      undefined,
      trapCacheUploadTime,
@@ -501,7 +466,7 @@ async function run() {
      dependencyCacheResults,
      logger,
    );
-  } else if (runStats !== undefined) {
+  } else if (runStats) {
    await sendStatusReport(
      startedAt,
      config,
@@ -4,8 +4,10 @@ import * as path from "path";
 import test from "ava";
 import * as sinon from "sinon";

+import * as actionsUtil from "./actions-util";
 import { CodeQuality, CodeScanning } from "./analyses";
 import {
+  exportedForTesting,
  runQueries,
  defaultSuites,
  resolveQuerySuiteAlias,
@@ -129,6 +131,204 @@ test("status report fields", async (t) => {
  });
 });

+function runGetDiffRanges(changes: number, patch: string[] | undefined): any {
+  sinon
+    .stub(actionsUtil, "getRequiredInput")
+    .withArgs("checkout_path")
+    .returns("/checkout/path");
+  return exportedForTesting.getDiffRanges(
+    {
+      filename: "test.txt",
+      changes,
+      patch: patch?.join("\n"),
+    },
+    getRunnerLogger(true),
+  );
+}
+
+test("getDiffRanges: file unchanged", async (t) => {
+  const diffRanges = runGetDiffRanges(0, undefined);
+  t.deepEqual(diffRanges, []);
+});
+
+test("getDiffRanges: file diff too large", async (t) => {
+  const diffRanges = runGetDiffRanges(1000000, undefined);
+  t.deepEqual(diffRanges, [
+    {
+      path: "/checkout/path/test.txt",
+      startLine: 0,
+      endLine: 0,
+    },
+  ]);
+});
+
+test("getDiffRanges: diff thunk with single addition range", async (t) => {
+  const diffRanges = runGetDiffRanges(2, [
+    "@@ -30,6 +50,8 @@",
+    " a",
+    " b",
+    " c",
+    "+1",
+    "+2",
+    " d",
+    " e",
+    " f",
+  ]);
+  t.deepEqual(diffRanges, [
+    {
+      path: "/checkout/path/test.txt",
+      startLine: 53,
+      endLine: 54,
+    },
+  ]);
+});
+
+test("getDiffRanges: diff thunk with single deletion range", async (t) => {
+  const diffRanges = runGetDiffRanges(2, [
+    "@@ -30,8 +50,6 @@",
+    " a",
+    " b",
+    " c",
+    "-1",
+    "-2",
+    " d",
+    " e",
+    " f",
+  ]);
+  t.deepEqual(diffRanges, []);
+});
+
+test("getDiffRanges: diff thunk with single update range", async (t) => {
+  const diffRanges = runGetDiffRanges(2, [
+    "@@ -30,7 +50,7 @@",
+    " a",
+    " b",
+    " c",
+    "-1",
+    "+2",
+    " d",
+    " e",
+    " f",
+  ]);
+  t.deepEqual(diffRanges, [
+    {
+      path: "/checkout/path/test.txt",
+      startLine: 53,
+      endLine: 53,
+    },
+  ]);
+});
+
+test("getDiffRanges: diff thunk with addition ranges", async (t) => {
+  const diffRanges = runGetDiffRanges(2, [
+    "@@ -30,7 +50,9 @@",
+    " a",
+    " b",
+    " c",
+    "+1",
+    " c",
+    "+2",
+    " d",
+    " e",
+    " f",
+  ]);
+  t.deepEqual(diffRanges, [
+    {
+      path: "/checkout/path/test.txt",
+      startLine: 53,
+      endLine: 53,
+    },
+    {
+      path: "/checkout/path/test.txt",
+      startLine: 55,
+      endLine: 55,
+    },
+  ]);
+});
+
+test("getDiffRanges: diff thunk with mixed ranges", async (t) => {
+  const diffRanges = runGetDiffRanges(2, [
+    "@@ -30,7 +50,7 @@",
+    " a",
+    " b",
+    " c",
+    "-1",
+    " d",
+    "-2",
+    "+3",
+    " e",
+    " f",
+    "+4",
+    "+5",
+    " g",
+    " h",
+    " i",
+  ]);
+  t.deepEqual(diffRanges, [
+    {
+      path: "/checkout/path/test.txt",
+      startLine: 54,
+      endLine: 54,
+    },
+    {
+      path: "/checkout/path/test.txt",
+      startLine: 57,
+      endLine: 58,
+    },
+  ]);
+});
+
+test("getDiffRanges: multiple diff thunks", async (t) => {
+  const diffRanges = runGetDiffRanges(2, [
+    "@@ -30,6 +50,8 @@",
+    " a",
+    " b",
+    " c",
+    "+1",
+    "+2",
+    " d",
+    " e",
+    " f",
+    "@@ -130,6 +150,8 @@",
+    " a",
+    " b",
+    " c",
+    "+1",
+    "+2",
+    " d",
+    " e",
+    " f",
+  ]);
+  t.deepEqual(diffRanges, [
+    {
+      path: "/checkout/path/test.txt",
+      startLine: 53,
+      endLine: 54,
+    },
+    {
+      path: "/checkout/path/test.txt",
+      startLine: 153,
+      endLine: 154,
+    },
+  ]);
+});
+
+test("getDiffRanges: no diff context lines", async (t) => {
+  const diffRanges = runGetDiffRanges(2, ["@@ -30 +50,2 @@", "+1", "+2"]);
+  t.deepEqual(diffRanges, [
+    {
+      path: "/checkout/path/test.txt",
+      startLine: 50,
+      endLine: 51,
+    },
+  ]);
+});
+
+test("getDiffRanges: malformed thunk header", async (t) => {
+  const diffRanges = runGetDiffRanges(2, ["@@ 30 +50,2 @@", "+1", "+2"]);
+  t.deepEqual(diffRanges, undefined);
+});
+
 test("resolveQuerySuiteAlias", (t) => {
  // default query suite names should resolve to something language-specific ending in `.qls`.
  for (const suite of defaultSuites) {
@@ -6,8 +6,13 @@ import * as io from "@actions/io";
 import * as del from "del";
 import * as yaml from "js-yaml";

-import { getTemporaryDirectory, getRequiredInput } from "./actions-util";
+import {
+  getRequiredInput,
+  getTemporaryDirectory,
+  PullRequestBranches,
+} from "./actions-util";
 import * as analyses from "./analyses";
+import { getApiClient } from "./api-client";
 import { setupCppAutobuild } from "./autobuild";
 import { type CodeQL } from "./codeql";
 import * as configUtils from "./config-utils";
@@ -15,13 +20,14 @@ import { getJavaTempDependencyDir } from "./dependency-caching";
 import { addDiagnostic, makeDiagnostic } from "./diagnostics";
 import {
  DiffThunkRange,
-  readDiffRangesJsonFile,
+  writeDiffRangesJsonFile,
 } from "./diff-informed-analysis-utils";
 import { EnvVar } from "./environment";
 import { FeatureEnablement, Feature } from "./feature-flags";
 import { KnownLanguage, Language } from "./languages";
 import { Logger, withGroupAsync } from "./logging";
 import { OverlayDatabaseMode } from "./overlay-database-utils";
+import { getRepositoryNwoFromEnv } from "./repository";
 import { DatabaseCreationTimings, EventReport } from "./status-report";
 import { endTracingForCluster } from "./tracer-config";
 import * as util from "./util";
@@ -281,36 +287,16 @@ async function finalizeDatabaseCreation(
 * the diff range information, or `undefined` if the feature is disabled.
 */
 export async function setupDiffInformedQueryRun(
+  branches: PullRequestBranches,
  logger: Logger,
 ): Promise<string | undefined> {
  return await withGroupAsync(
    "Generating diff range extension pack",
    async () => {
-      // Only use precomputed diff ranges; never recompute here.
-      let diffRanges: DiffThunkRange[] | undefined;
-      try {
-        diffRanges = readDiffRangesJsonFile(logger);
-      } catch (e) {
-        logger.debug(
-          `Failed to read precomputed diff ranges: ${util.getErrorMessage(e)}`,
-        );
-        diffRanges = undefined;
-      }
-
-      if (diffRanges === undefined) {
-        logger.info(
-          "No precomputed diff ranges found; skipping diff-informed analysis stage.",
-        );
-        return undefined;
-      }
-
-      const fileCount = new Set(
-        diffRanges.filter((r) => r.path).map((r) => r.path),
-      ).size;
      logger.info(
-        `Using precomputed diff ranges (${diffRanges.length} ranges across ${fileCount} files).`,
+        `Calculating diff ranges for ${branches.base}...${branches.head}`,
      );
-
+      const diffRanges = await getPullRequestEditedDiffRanges(branches, logger);
      const packDir = writeDiffRangeDataExtensionPack(logger, diffRanges);
      if (packDir === undefined) {
        logger.warning(
@@ -327,6 +313,185 @@ export async function setupDiffInformedQueryRun(
  );
 }

+/**
+ * Return the file line ranges that were added or modified in the pull request.
+ *
+ * @param branches The base and head branches of the pull request.
+ * @param logger
+ * @returns An array of tuples, where each tuple contains the absolute path of a
+ * file, the start line and the end line (both 1-based and inclusive) of an
+ * added or modified range in that file. Returns `undefined` if the action was
+ * not triggered by a pull request or if there was an error.
+ */
+async function getPullRequestEditedDiffRanges(
+  branches: PullRequestBranches,
+  logger: Logger,
+): Promise<DiffThunkRange[] | undefined> {
+  const fileDiffs = await getFileDiffsWithBasehead(branches, logger);
+  if (fileDiffs === undefined) {
+    return undefined;
+  }
+  if (fileDiffs.length >= 300) {
+    // The "compare two commits" API returns a maximum of 300 changed files. If
+    // we see that many changed files, it is possible that there could be more,
+    // with the rest being truncated. In this case, we should not attempt to
+    // compute the diff ranges, as the result would be incomplete.
+    logger.warning(
+      `Cannot retrieve the full diff because there are too many ` +
+        `(${fileDiffs.length}) changed files in the pull request.`,
+    );
+    return undefined;
+  }
+  const results: DiffThunkRange[] = [];
+  for (const filediff of fileDiffs) {
+    const diffRanges = getDiffRanges(filediff, logger);
+    if (diffRanges === undefined) {
+      return undefined;
+    }
+    results.push(...diffRanges);
+  }
+  return results;
+}
+
+/**
+ * This interface is an abbreviated version of the file diff object returned by
+ * the GitHub API.
+ */
+interface FileDiff {
+  filename: string;
+  changes: number;
+  // A patch may be absent if the file is binary, if the file diff is too large,
+  // or if the file is unchanged.
+  patch?: string | undefined;
+}
+
+async function getFileDiffsWithBasehead(
+  branches: PullRequestBranches,
+  logger: Logger,
+): Promise<FileDiff[] | undefined> {
+  // Check CODE_SCANNING_REPOSITORY first. If it is empty or not set, fall back
+  // to GITHUB_REPOSITORY.
+  const repositoryNwo = getRepositoryNwoFromEnv(
+    "CODE_SCANNING_REPOSITORY",
+    "GITHUB_REPOSITORY",
+  );
+  const basehead = `${branches.base}...${branches.head}`;
+  try {
+    const response = await getApiClient().rest.repos.compareCommitsWithBasehead(
+      {
+        owner: repositoryNwo.owner,
+        repo: repositoryNwo.repo,
+        basehead,
+        per_page: 1,
+      },
+    );
+    logger.debug(
+      `Response from compareCommitsWithBasehead(${basehead}):` +
+        `\n${JSON.stringify(response, null, 2)}`,
+    );
+    return response.data.files;
+  } catch (error: any) {
+    if (error.status) {
+      logger.warning(`Error retrieving diff ${basehead}: ${error.message}`);
+      logger.debug(
+        `Error running compareCommitsWithBasehead(${basehead}):` +
+          `\nRequest: ${JSON.stringify(error.request, null, 2)}` +
+          `\nError Response: ${JSON.stringify(error.response, null, 2)}`,
+      );
+      return undefined;
+    } else {
+      throw error;
+    }
+  }
+}
+
+function getDiffRanges(
+  fileDiff: FileDiff,
+  logger: Logger,
+): DiffThunkRange[] | undefined {
+  // Diff-informed queries expect the file path to be absolute. CodeQL always
+  // uses forward slashes as the path separator, so on Windows we need to
+  // replace any backslashes with forward slashes.
+  const filename = path
+    .join(getRequiredInput("checkout_path"), fileDiff.filename)
+    .replaceAll(path.sep, "/");
+
+  if (fileDiff.patch === undefined) {
+    if (fileDiff.changes === 0) {
+      // There are situations where a changed file legitimately has no diff.
+      // For example, the file may be a binary file, or that the file may have
+      // been renamed with no changes to its contents. In these cases, the
+      // file would be reported as having 0 changes, and we can return an empty
+      // array to indicate no diff range in this file.
+      return [];
+    }
+    // If a file is reported to have nonzero changes but no patch, that may be
+    // due to the file diff being too large. In this case, we should fall back
+    // to a special diff range that covers the entire file.
+    return [
+      {
+        path: filename,
+        startLine: 0,
+        endLine: 0,
+      },
+    ];
+  }
+
+  // The 1-based file line number of the current line
+  let currentLine = 0;
+  // The 1-based file line number that starts the current range of added lines
+  let additionRangeStartLine: number | undefined = undefined;
+  const diffRanges: DiffThunkRange[] = [];
+
+  const diffLines = fileDiff.patch.split("\n");
+  // Adding a fake context line at the end ensures that the following loop will
+  // always terminate the last range of added lines.
+  diffLines.push(" ");
+
+  for (const diffLine of diffLines) {
+    if (diffLine.startsWith("-")) {
+      // Ignore deletions completely -- we do not even want to consider them when
+      // calculating consecutive ranges of added lines.
+      continue;
+    }
+    if (diffLine.startsWith("+")) {
+      if (additionRangeStartLine === undefined) {
+        additionRangeStartLine = currentLine;
+      }
+      currentLine++;
+      continue;
+    }
+    if (additionRangeStartLine !== undefined) {
+      // Any line that does not start with a "+" or "-" terminates the current
+      // range of added lines.
+      diffRanges.push({
+        path: filename,
+        startLine: additionRangeStartLine,
+        endLine: currentLine - 1,
+      });
+      additionRangeStartLine = undefined;
+    }
+    if (diffLine.startsWith("@@ ")) {
+      // A new hunk header line resets the current line number.
+      const match = diffLine.match(/^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@/);
+      if (match === null) {
+        logger.warning(
+          `Cannot parse diff hunk header for ${fileDiff.filename}: ${diffLine}`,
+        );
+        return undefined;
+      }
+      currentLine = parseInt(match[1], 10);
+      continue;
+    }
+    if (diffLine.startsWith(" ")) {
+      // An unchanged context line advances the current line number.
+      currentLine++;
+      continue;
+    }
+  }
+  return diffRanges;
+}
+
 /**
 * Create an extension pack in the temporary directory that contains the file
 * line ranges that were added or modified in the pull request.
@@ -385,22 +550,14 @@ extensions:
 `;

  let data = ranges
-    .map((range) => {
-      // Diff-informed queries expect the file path to be absolute. CodeQL always
-      // uses forward slashes as the path separator, so on Windows we need to
-      // replace any backslashes with forward slashes.
-      const filename = path
-        .join(getRequiredInput("checkout_path"), range.path)
-        .replaceAll(path.sep, "/");
-
-      // Using yaml.dump() with `forceQuotes: true` ensures that all special
-      // characters are escaped, and that the path is always rendered as a
-      // quoted string on a single line.
-      return (
-        `      - [${yaml.dump(filename, { forceQuotes: true }).trim()}, ` +
-        `${range.startLine}, ${range.endLine}]\n`
-      );
-    })
+    .map(
+      (range) =>
+        // Using yaml.dump() with `forceQuotes: true` ensures that all special
+        // characters are escaped, and that the path is always rendered as a
+        // quoted string on a single line.
+        `      - [${yaml.dump(range.path, { forceQuotes: true }).trim()}, ` +
+        `${range.startLine}, ${range.endLine}]\n`,
+    )
    .join("");
  if (!data) {
    // Ensure that the data extension is not empty, so that a pull request with
@@ -415,6 +572,10 @@ extensions:
    `Wrote pr-diff-range extension pack to ${extensionFilePath}:\n${extensionContents}`,
  );

+  // Write the diff ranges to a JSON file, for action-side alert filtering by the
+  // upload-lib module.
+  writeDiffRangesJsonFile(logger, ranges);
+
  return diffRangeDir;
 }

@@ -761,3 +922,7 @@ export async function warnIfGoInstalledAfterInit(
    }
  }
 }
+
+export const exportedForTesting = {
+  getDiffRanges,
+};
@@ -7,12 +7,12 @@ import { getActionVersion, getRequiredInput } from "./actions-util";
 import { Logger } from "./logging";
 import { getRepositoryNwo, RepositoryNwo } from "./repository";
 import {
-  asHTTPError,
  ConfigurationError,
  getRequiredEnvParam,
  GITHUB_DOTCOM_URL,
  GitHubVariant,
  GitHubVersion,
+  isHTTPError,
  parseGitHubUrl,
  parseMatrixInput,
 } from "./util";
@@ -280,29 +280,22 @@ export async function getRepositoryProperties(repositoryNwo: RepositoryNwo) {
 }

 export function wrapApiConfigurationError(e: unknown) {
-  const httpError = asHTTPError(e);
-  if (httpError !== undefined) {
+  if (isHTTPError(e)) {
    if (
-      [
-        /API rate limit exceeded/,
-        /commit not found/,
-        /Resource not accessible by integration/,
-        /ref .* not found in this repository/,
-      ].some((pattern) => pattern.test(httpError.message))
+      e.message.includes("API rate limit exceeded for installation") ||
+      e.message.includes("commit not found") ||
+      e.message.includes("Resource not accessible by integration") ||
+      /ref .* not found in this repository/.test(e.message)
    ) {
-      return new ConfigurationError(httpError.message);
-    }
-    if (
-      httpError.message.includes("Bad credentials") ||
-      httpError.message.includes("Not Found")
+      return new ConfigurationError(e.message);
+    } else if (
+      e.message.includes("Bad credentials") ||
+      e.message.includes("Not Found")
    ) {
      return new ConfigurationError(
        "Please check that your token is valid and has the required permissions: contents: read, security-events: write",
      );
    }
-    if (httpError.status === 429) {
-      return new ConfigurationError("API rate limit exceeded");
-    }
  }
  return e;
 }
@@ -36,6 +36,7 @@ import {
  createTestConfig,
 } from "./testing-utils";
 import { ToolsDownloadStatusReport } from "./tools-download";
+import { ToolsFeature } from "./tools-features";
 import * as util from "./util";
 import { initializeEnvironment } from "./util";

@@ -869,6 +870,84 @@ test("does not pass a qlconfig to the CLI when it is undefined", async (t: Execu
  });
 });

+const NEW_ANALYSIS_SUMMARY_TEST_CASES = [
+  {
+    codeqlVersion: makeVersionInfo("2.15.0", {
+      [ToolsFeature.AnalysisSummaryV2IsDefault]: true,
+    }),
+    githubVersion: {
+      type: util.GitHubVariant.DOTCOM,
+    },
+    flagPassed: false,
+    negativeFlagPassed: false,
+  },
+  {
+    codeqlVersion: makeVersionInfo("2.15.0"),
+    githubVersion: {
+      type: util.GitHubVariant.DOTCOM,
+    },
+    flagPassed: true,
+    negativeFlagPassed: false,
+  },
+  {
+    codeqlVersion: makeVersionInfo("2.15.0"),
+    githubVersion: {
+      type: util.GitHubVariant.GHES,
+      version: "3.10.0",
+    },
+    flagPassed: true,
+    negativeFlagPassed: false,
+  },
+];
+
+for (const {
+  codeqlVersion,
+  flagPassed,
+  githubVersion,
+  negativeFlagPassed,
+} of NEW_ANALYSIS_SUMMARY_TEST_CASES) {
+  test(`database interpret-results passes ${
+    flagPassed
+      ? "--new-analysis-summary"
+      : negativeFlagPassed
+        ? "--no-new-analysis-summary"
+        : "nothing"
+  } for CodeQL version ${JSON.stringify(codeqlVersion)} and ${
+    util.GitHubVariant[githubVersion.type]
+  } ${githubVersion.version ? ` ${githubVersion.version}` : ""}`, async (t) => {
+    const runnerConstructorStub = stubToolRunnerConstructor();
+    const codeqlObject = await codeql.getCodeQLForTesting();
+    sinon.stub(codeqlObject, "getVersion").resolves(codeqlVersion);
+    // io throws because of the test CodeQL object.
+    sinon.stub(io, "which").resolves("");
+    await codeqlObject.databaseInterpretResults(
+      "",
+      [],
+      "",
+      "",
+      "",
+      "-v",
+      undefined,
+      "",
+      Object.assign({}, stubConfig, { gitHubVersion: githubVersion }),
+      createFeatures([]),
+    );
+    const actualArgs = runnerConstructorStub.firstCall.args[1] as string[];
+    t.is(
+      actualArgs.includes("--new-analysis-summary"),
+      flagPassed,
+      `--new-analysis-summary should${flagPassed ? "" : "n't"} be passed`,
+    );
+    t.is(
+      actualArgs.includes("--no-new-analysis-summary"),
+      negativeFlagPassed,
+      `--no-new-analysis-summary should${
+        negativeFlagPassed ? "" : "n't"
+      } be passed`,
+    );
+  });
+}
+
 test("runTool summarizes several fatal errors", async (t) => {
  const heapError =
    "A fatal error occurred: Evaluator heap must be at least 384.00 MiB";
@@ -3,6 +3,7 @@ import * as path from "path";

 import * as core from "@actions/core";
 import * as toolrunner from "@actions/exec/lib/toolrunner";
+import { RequestError } from "@octokit/request-error";
 import * as yaml from "js-yaml";

 import {
@@ -267,7 +268,7 @@ let cachedCodeQL: CodeQL | undefined = undefined;
 * The version flags below can be used to conditionally enable certain features
 * on versions newer than this.
 */
-const CODEQL_MINIMUM_VERSION = "2.17.6";
+const CODEQL_MINIMUM_VERSION = "2.16.6";

 /**
 * This version will shortly become the oldest version of CodeQL that the Action will run with.
@@ -370,11 +371,11 @@ export async function setupCodeQL(
      toolsVersion,
      zstdAvailability,
    };
-  } catch (rawError) {
-    const e = api.wrapApiConfigurationError(rawError);
+  } catch (e) {
    const ErrorClass =
      e instanceof util.ConfigurationError ||
-      (e instanceof Error && e.message.includes("ENOSPC")) // out of disk space
+      (e instanceof Error && e.message.includes("ENOSPC")) || // out of disk space
+      (e instanceof RequestError && e.status === 429) // rate limited
        ? util.ConfigurationError
        : Error;

@@ -860,6 +861,14 @@ export async function getCodeQLForCmd(
      } else {
        codeqlArgs.push("--no-sarif-include-diagnostics");
      }
+      if (
+        !isSupportedToolsFeature(
+          await this.getVersion(),
+          ToolsFeature.AnalysisSummaryV2IsDefault,
+        )
+      ) {
+        codeqlArgs.push("--new-analysis-summary");
+      }
      codeqlArgs.push(databasePath);
      if (querySuitePaths) {
        codeqlArgs.push(...querySuitePaths);
@@ -943,7 +943,7 @@ async function getRemoteConfig(
  );
  const pieces = format.exec(configFile);
  // 5 = 4 groups + the whole expression
-  if (pieces?.groups === undefined || pieces.length < 5) {
+  if (pieces === null || pieces.groups === undefined || pieces.length < 5) {
    throw new ConfigurationError(
      errorMessages.getConfigFileRepoFormatInvalidMessage(configFile),
    );
@@ -4,6 +4,7 @@ import * as yaml from "js-yaml";
 import * as jsonschema from "jsonschema";
 import * as semver from "semver";

+import type { UserConfig as DbConfig, QuerySpec } from "../db-config-schema";
 import * as errorMessages from "../error-messages";
 import {
  RepositoryProperties,
@@ -13,6 +14,8 @@ import { Language } from "../languages";
 import { Logger } from "../logging";
 import { cloneObject, ConfigurationError, prettyPrintPack } from "../util";

+export type { QuerySpec } from "../db-config-schema";
+
 export interface ExcludeQueryFilter {
  exclude: Record<string, string[] | string>;
 }
@@ -23,30 +26,14 @@ export interface IncludeQueryFilter {

 export type QueryFilter = ExcludeQueryFilter | IncludeQueryFilter;

-export interface QuerySpec {
-  name?: string;
-  uses: string;
-}
-
 /**
 * Format of the config file supplied by the user.
 */
-export interface UserConfig {
-  name?: string;
-  "disable-default-queries"?: boolean;
-  queries?: QuerySpec[];
-  "paths-ignore"?: string[];
-  paths?: string[];
-
-  // If this is a multi-language analysis, then the packages must be split by
-  // language. If this is a single language analysis, then no split by
-  // language is necessary.
-  packs?: Record<string, string[]> | string[];
-
+export type UserConfig = DbConfig & {
  // Set of query filters to include and exclude extra queries based on
  // codeql query suite `include` and `exclude` properties
  "query-filters"?: QueryFilter[];
-}
+};

 /**
 * Represents additional configuration data from a source other than
@@ -380,7 +367,10 @@ function combineQueries(
  const result: QuerySpec[] = [];

  // Query settings obtained from the repository properties have the highest precedence.
-  if (augmentationProperties.repoPropertyQueries?.input) {
+  if (
+    augmentationProperties.repoPropertyQueries &&
+    augmentationProperties.repoPropertyQueries.input
+  ) {
    logger.info(
      `Found query configuration in the repository properties (${RepositoryPropertyName.EXTRA_QUERIES}): ` +
        `${augmentationProperties.repoPropertyQueries.input.map((q) => q.uses).join(", ")}`,
@@ -493,7 +483,7 @@ export function parseUserConfig(
  try {
    const schema =
      // eslint-disable-next-line @typescript-eslint/no-require-imports
-      require("../../src/db-config-schema.json") as jsonschema.Schema;
+      require("../../schemas/db-config-schema.json") as jsonschema.Schema;

    const doc = yaml.load(contents);

@@ -5,7 +5,6 @@ import test from "ava";
 import * as sinon from "sinon";

 import * as actionsUtil from "./actions-util";
-import { AnalysisKind } from "./analyses";
 import { GitHubApiDetails } from "./api-client";
 import * as apiClient from "./api-client";
 import { createStubCodeQL } from "./codeql";
@@ -109,39 +108,6 @@ test("Abort database upload if 'upload-database' input set to false", async (t)
  });
 });

-test("Abort database upload if 'analysis-kinds: code-scanning' is not enabled", async (t) => {
-  await withTmpDir(async (tmpDir) => {
-    setupActionsVars(tmpDir, tmpDir);
-    sinon
-      .stub(actionsUtil, "getRequiredInput")
-      .withArgs("upload-database")
-      .returns("true");
-    sinon.stub(gitUtils, "isAnalyzingDefaultBranch").resolves(true);
-
-    await mockHttpRequests(201);
-
-    const loggedMessages = [];
-    await uploadDatabases(
-      testRepoName,
-      getCodeQL(),
-      {
-        ...getTestConfig(tmpDir),
-        analysisKinds: [AnalysisKind.CodeQuality],
-      },
-      testApiDetails,
-      getRecordingLogger(loggedMessages),
-    );
-    t.assert(
-      loggedMessages.find(
-        (v: LoggedMessage) =>
-          v.type === "debug" &&
-          v.message ===
-            "Not uploading database because 'analysis-kinds: code-scanning' is not enabled.",
-      ) !== undefined,
-    );
-  });
-});
-
 test("Abort database upload if running against GHES", async (t) => {
  await withTmpDir(async (tmpDir) => {
    setupActionsVars(tmpDir, tmpDir);
@@ -1,7 +1,6 @@
 import * as fs from "fs";

 import * as actionsUtil from "./actions-util";
-import { AnalysisKind } from "./analyses";
 import { getApiClient, GitHubApiDetails } from "./api-client";
 import { type CodeQL } from "./codeql";
 import { Config } from "./config-utils";
@@ -23,13 +22,6 @@ export async function uploadDatabases(
    return;
  }

-  if (!config.analysisKinds.includes(AnalysisKind.CodeScanning)) {
-    logger.debug(
-      `Not uploading database because 'analysis-kinds: ${AnalysisKind.CodeScanning}' is not enabled.`,
-    );
-    return;
-  }
-
  if (util.isInTestMode()) {
    logger.debug("In test mode. Skipping database upload.");
    return;
@@ -0,0 +1,53 @@
+/* This file was automatically generated by `npm run generate:schemas`. Do not edit by hand. */
+
+/**
+ * Format of the config file supplied by the user for CodeQL analysis
+ */
+export interface UserConfig {
+  /**
+   * Name of the configuration
+   */
+  name?: string;
+  /**
+   * Whether to disable default queries
+   */
+  "disable-default-queries"?: boolean;
+  /**
+   * List of additional queries to run
+   */
+  queries?: QuerySpec[];
+  /**
+   * Paths to ignore during analysis
+   */
+  "paths-ignore"?: string[];
+  /**
+   * Paths to include in analysis
+   */
+  paths?: string[];
+  /**
+   * Query packs to include. Can be a simple array for single-language analysis or an object with language-specific arrays for multi-language analysis
+   */
+  packs?:
+    | string[]
+    | {
+        [k: string]: string[];
+      };
+  /**
+   * Set of query filters to include and exclude extra queries based on CodeQL query suite include and exclude properties
+   */
+  "query-filters"?: unknown[];
+  [k: string]: unknown;
+}
+/**
+ * Detailed query specification object
+ */
+export interface QuerySpec {
+  /**
+   * Optional name for the query
+   */
+  name?: string;
+  /**
+   * The query or query suite to use
+   */
+  uses: string;
+}
@@ -4,10 +4,7 @@ import * as sinon from "sinon";
 import * as actionsUtil from "./actions-util";
 import type { PullRequestBranches } from "./actions-util";
 import * as apiClient from "./api-client";
-import {
-  shouldPerformDiffInformedAnalysis,
-  exportedForTesting,
-} from "./diff-informed-analysis-utils";
+import { shouldPerformDiffInformedAnalysis } from "./diff-informed-analysis-utils";
 import { Feature, Features } from "./feature-flags";
 import { getRunnerLogger } from "./logging";
 import { parseRepositoryNwo } from "./repository";
@@ -186,197 +183,3 @@ test(
  },
  false,
 );
-
-function runGetDiffRanges(changes: number, patch: string[] | undefined): any {
-  return exportedForTesting.getDiffRanges(
-    {
-      filename: "test.txt",
-      changes,
-      patch: patch?.join("\n"),
-    },
-    getRunnerLogger(true),
-  );
-}
-
-test("getDiffRanges: file unchanged", async (t) => {
-  const diffRanges = runGetDiffRanges(0, undefined);
-  t.deepEqual(diffRanges, []);
-});
-
-test("getDiffRanges: file diff too large", async (t) => {
-  const diffRanges = runGetDiffRanges(1000000, undefined);
-  t.deepEqual(diffRanges, [
-    {
-      path: "test.txt",
-      startLine: 0,
-      endLine: 0,
-    },
-  ]);
-});
-
-test("getDiffRanges: diff thunk with single addition range", async (t) => {
-  const diffRanges = runGetDiffRanges(2, [
-    "@@ -30,6 +50,8 @@",
-    " a",
-    " b",
-    " c",
-    "+1",
-    "+2",
-    " d",
-    " e",
-    " f",
-  ]);
-  t.deepEqual(diffRanges, [
-    {
-      path: "test.txt",
-      startLine: 53,
-      endLine: 54,
-    },
-  ]);
-});
-
-test("getDiffRanges: diff thunk with single deletion range", async (t) => {
-  const diffRanges = runGetDiffRanges(2, [
-    "@@ -30,8 +50,6 @@",
-    " a",
-    " b",
-    " c",
-    "-1",
-    "-2",
-    " d",
-    " e",
-    " f",
-  ]);
-  t.deepEqual(diffRanges, []);
-});
-
-test("getDiffRanges: diff thunk with single update range", async (t) => {
-  const diffRanges = runGetDiffRanges(2, [
-    "@@ -30,7 +50,7 @@",
-    " a",
-    " b",
-    " c",
-    "-1",
-    "+2",
-    " d",
-    " e",
-    " f",
-  ]);
-  t.deepEqual(diffRanges, [
-    {
-      path: "test.txt",
-      startLine: 53,
-      endLine: 53,
-    },
-  ]);
-});
-
-test("getDiffRanges: diff thunk with addition ranges", async (t) => {
-  const diffRanges = runGetDiffRanges(2, [
-    "@@ -30,7 +50,9 @@",
-    " a",
-    " b",
-    " c",
-    "+1",
-    " c",
-    "+2",
-    " d",
-    " e",
-    " f",
-  ]);
-  t.deepEqual(diffRanges, [
-    {
-      path: "test.txt",
-      startLine: 53,
-      endLine: 53,
-    },
-    {
-      path: "test.txt",
-      startLine: 55,
-      endLine: 55,
-    },
-  ]);
-});
-
-test("getDiffRanges: diff thunk with mixed ranges", async (t) => {
-  const diffRanges = runGetDiffRanges(2, [
-    "@@ -30,7 +50,7 @@",
-    " a",
-    " b",
-    " c",
-    "-1",
-    " d",
-    "-2",
-    "+3",
-    " e",
-    " f",
-    "+4",
-    "+5",
-    " g",
-    " h",
-    " i",
-  ]);
-  t.deepEqual(diffRanges, [
-    {
-      path: "test.txt",
-      startLine: 54,
-      endLine: 54,
-    },
-    {
-      path: "test.txt",
-      startLine: 57,
-      endLine: 58,
-    },
-  ]);
-});
-
-test("getDiffRanges: multiple diff thunks", async (t) => {
-  const diffRanges = runGetDiffRanges(2, [
-    "@@ -30,6 +50,8 @@",
-    " a",
-    " b",
-    " c",
-    "+1",
-    "+2",
-    " d",
-    " e",
-    " f",
-    "@@ -130,6 +150,8 @@",
-    " a",
-    " b",
-    " c",
-    "+1",
-    "+2",
-    " d",
-    " e",
-    " f",
-  ]);
-  t.deepEqual(diffRanges, [
-    {
-      path: "test.txt",
-      startLine: 53,
-      endLine: 54,
-    },
-    {
-      path: "test.txt",
-      startLine: 153,
-      endLine: 154,
-    },
-  ]);
-});
-
-test("getDiffRanges: no diff context lines", async (t) => {
-  const diffRanges = runGetDiffRanges(2, ["@@ -30 +50,2 @@", "+1", "+2"]);
-  t.deepEqual(diffRanges, [
-    {
-      path: "test.txt",
-      startLine: 50,
-      endLine: 51,
-    },
-  ]);
-});
-
-test("getDiffRanges: malformed thunk header", async (t) => {
-  const diffRanges = runGetDiffRanges(2, ["@@ 30 +50,2 @@", "+1", "+2"]);
-  t.deepEqual(diffRanges, undefined);
-});
@@ -3,25 +3,12 @@ import * as path from "path";

 import * as actionsUtil from "./actions-util";
 import type { PullRequestBranches } from "./actions-util";
-import { getApiClient, getGitHubVersion } from "./api-client";
+import { getGitHubVersion } from "./api-client";
 import type { CodeQL } from "./codeql";
 import { Feature, FeatureEnablement } from "./feature-flags";
 import { Logger } from "./logging";
-import { getRepositoryNwoFromEnv } from "./repository";
 import { GitHubVariant, satisfiesGHESVersion } from "./util";

-/**
- * This interface is an abbreviated version of the file diff object returned by
- * the GitHub API.
- */
-interface FileDiff {
-  filename: string;
-  changes: number;
-  // A patch may be absent if the file is binary, if the file diff is too large,
-  // or if the file is unchanged.
-  patch?: string | undefined;
-}
-
 /**
 * Check if the action should perform diff-informed analysis.
 */
@@ -106,169 +93,3 @@ export function readDiffRangesJsonFile(
  );
  return JSON.parse(jsonContents) as DiffThunkRange[];
 }
-
-/**
- * Return the file line ranges that were added or modified in the pull request.
- *
- * @param branches The base and head branches of the pull request.
- * @param logger
- * @returns An array of tuples, where each tuple contains the absolute path of a
- * file, the start line and the end line (both 1-based and inclusive) of an
- * added or modified range in that file. Returns `undefined` if the action was
- * not triggered by a pull request or if there was an error.
- */
-export async function getPullRequestEditedDiffRanges(
-  branches: PullRequestBranches,
-  logger: Logger,
-): Promise<DiffThunkRange[] | undefined> {
-  const fileDiffs = await getFileDiffsWithBasehead(branches, logger);
-  if (fileDiffs === undefined) {
-    return undefined;
-  }
-  if (fileDiffs.length >= 300) {
-    // The "compare two commits" API returns a maximum of 300 changed files. If
-    // we see that many changed files, it is possible that there could be more,
-    // with the rest being truncated. In this case, we should not attempt to
-    // compute the diff ranges, as the result would be incomplete.
-    logger.warning(
-      `Cannot retrieve the full diff because there are too many ` +
-        `(${fileDiffs.length}) changed files in the pull request.`,
-    );
-    return undefined;
-  }
-  const results: DiffThunkRange[] = [];
-  for (const filediff of fileDiffs) {
-    const diffRanges = getDiffRanges(filediff, logger);
-    if (diffRanges === undefined) {
-      return undefined;
-    }
-    results.push(...diffRanges);
-  }
-  return results;
-}
-
-async function getFileDiffsWithBasehead(
-  branches: PullRequestBranches,
-  logger: Logger,
-): Promise<FileDiff[] | undefined> {
-  // Check CODE_SCANNING_REPOSITORY first. If it is empty or not set, fall back
-  // to GITHUB_REPOSITORY.
-  const repositoryNwo = getRepositoryNwoFromEnv(
-    "CODE_SCANNING_REPOSITORY",
-    "GITHUB_REPOSITORY",
-  );
-  const basehead = `${branches.base}...${branches.head}`;
-  try {
-    const response = await getApiClient().rest.repos.compareCommitsWithBasehead(
-      {
-        owner: repositoryNwo.owner,
-        repo: repositoryNwo.repo,
-        basehead,
-        per_page: 1,
-      },
-    );
-    logger.debug(
-      `Response from compareCommitsWithBasehead(${basehead}):` +
-        `\n${JSON.stringify(response, null, 2)}`,
-    );
-    return response.data.files;
-  } catch (error: any) {
-    if (error.status) {
-      logger.warning(`Error retrieving diff ${basehead}: ${error.message}`);
-      logger.debug(
-        `Error running compareCommitsWithBasehead(${basehead}):` +
-          `\nRequest: ${JSON.stringify(error.request, null, 2)}` +
-          `\nError Response: ${JSON.stringify(error.response, null, 2)}`,
-      );
-      return undefined;
-    } else {
-      throw error;
-    }
-  }
-}
-
-function getDiffRanges(
-  fileDiff: FileDiff,
-  logger: Logger,
-): DiffThunkRange[] | undefined {
-  const filename = fileDiff.filename;
-
-  if (fileDiff.patch === undefined) {
-    if (fileDiff.changes === 0) {
-      // There are situations where a changed file legitimately has no diff.
-      // For example, the file may be a binary file, or that the file may have
-      // been renamed with no changes to its contents. In these cases, the
-      // file would be reported as having 0 changes, and we can return an empty
-      // array to indicate no diff range in this file.
-      return [];
-    }
-    // If a file is reported to have nonzero changes but no patch, that may be
-    // due to the file diff being too large. In this case, we should fall back
-    // to a special diff range that covers the entire file.
-    return [
-      {
-        path: filename,
-        startLine: 0,
-        endLine: 0,
-      },
-    ];
-  }
-
-  // The 1-based file line number of the current line
-  let currentLine = 0;
-  // The 1-based file line number that starts the current range of added lines
-  let additionRangeStartLine: number | undefined = undefined;
-  const diffRanges: DiffThunkRange[] = [];
-
-  const diffLines = fileDiff.patch.split("\n");
-  // Adding a fake context line at the end ensures that the following loop will
-  // always terminate the last range of added lines.
-  diffLines.push(" ");
-
-  for (const diffLine of diffLines) {
-    if (diffLine.startsWith("-")) {
-      // Ignore deletions completely -- we do not even want to consider them when
-      // calculating consecutive ranges of added lines.
-      continue;
-    }
-    if (diffLine.startsWith("+")) {
-      if (additionRangeStartLine === undefined) {
-        additionRangeStartLine = currentLine;
-      }
-      currentLine++;
-      continue;
-    }
-    if (additionRangeStartLine !== undefined) {
-      // Any line that does not start with a "+" or "-" terminates the current
-      // range of added lines.
-      diffRanges.push({
-        path: filename,
-        startLine: additionRangeStartLine,
-        endLine: currentLine - 1,
-      });
-      additionRangeStartLine = undefined;
-    }
-    if (diffLine.startsWith("@@ ")) {
-      // A new hunk header line resets the current line number.
-      const match = diffLine.match(/^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@/);
-      if (match === null) {
-        logger.warning(
-          `Cannot parse diff hunk header for ${fileDiff.filename}: ${diffLine}`,
-        );
-        return undefined;
-      }
-      currentLine = parseInt(match[1], 10);
-      continue;
-    }
-    if (diffLine.startsWith(" ")) {
-      // An unchanged context line advances the current line number.
-      currentLine++;
-      continue;
-    }
-  }
-  return diffRanges;
-}
-
-export const exportedForTesting = {
-  getDiffRanges,
-};
@@ -44,7 +44,6 @@ export interface FeatureEnablement {
 */
 export enum Feature {
  AllowToolcacheInput = "allow_toolcache_input",
-  AnalyzeUseNewUpload = "analyze_use_new_upload",
  CleanupTrapCaches = "cleanup_trap_caches",
  CppDependencyInstallation = "cpp_dependency_installation_enabled",
  DiffInformedQueries = "diff_informed_queries",
@@ -117,11 +116,6 @@ export const featureConfig: Record<
    envVar: "CODEQL_ACTION_ALLOW_TOOLCACHE_INPUT",
    minimumVersion: undefined,
  },
-  [Feature.AnalyzeUseNewUpload]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_ANALYZE_USE_NEW_UPLOAD",
-    minimumVersion: undefined,
-  },
  [Feature.CleanupTrapCaches]: {
    defaultValue: false,
    envVar: "CODEQL_ACTION_CLEANUP_TRAP_CACHES",
@@ -653,7 +647,7 @@ class GitHubFeatureFlags {
      }

      this.logger.debug(
-        "Loaded the following default values for the feature flags from the CodeQL Action API:",
+        "Loaded the following default values for the feature flags from the Code Scanning API:",
      );
      for (const [feature, value] of Object.entries(remoteFlags).sort(
        ([nameA], [nameB]) => nameA.localeCompare(nameB),
@@ -663,13 +657,12 @@ class GitHubFeatureFlags {
      this.hasAccessedRemoteFeatureFlags = true;
      return remoteFlags;
    } catch (e) {
-      const httpError = util.asHTTPError(e);
-      if (httpError?.status === 403) {
+      if (util.isHTTPError(e) && e.status === 403) {
        this.logger.warning(
-          "This run of the CodeQL Action does not have permission to access the CodeQL Action API endpoints. " +
+          "This run of the CodeQL Action does not have permission to access Code Scanning API endpoints. " +
            "As a result, it will not be opted into any experimental features. " +
            "This could be because the Action is running on a pull request from a fork. If not, " +
-            `please ensure the workflow has at least the 'security-events: read' permission. Details: ${httpError.message}`,
+            `please ensure the Action has the 'security-events: write' permission. Details: ${e.message}`,
        );
        this.hasAccessedRemoteFeatureFlags = false;
        return {};
@@ -34,11 +34,6 @@ import {
  logUnwrittenDiagnostics,
  makeDiagnostic,
 } from "./diagnostics";
-import {
-  getPullRequestEditedDiffRanges,
-  writeDiffRangesJsonFile,
-  getDiffInformedAnalysisBranches,
-} from "./diff-informed-analysis-utils";
 import { EnvVar } from "./environment";
 import { Feature, Features } from "./feature-flags";
 import { loadPropertiesFromApi } from "./feature-flags/properties";
@@ -51,7 +46,7 @@ import {
  runDatabaseInitCluster,
 } from "./init";
 import { KnownLanguage } from "./languages";
-import { getActionsLogger, Logger, withGroupAsync } from "./logging";
+import { getActionsLogger, Logger } from "./logging";
 import {
  downloadOverlayBaseDatabaseFromCache,
  OverlayBaseDatabaseDownloadStats,
@@ -363,7 +358,6 @@ async function run() {
    });

    await checkInstallPython311(config.languages, codeql);
-    await computeAndPersistDiffRanges(codeql, features, logger);
  } catch (unwrappedError) {
    const error = wrapError(unwrappedError);
    core.setFailed(error.message);
@@ -776,43 +770,6 @@ async function run() {
  );
 }

-/**
- * Compute and persist diff ranges when diff-informed analysis
- * is enabled (feature flag + PR context). This writes the standard pr-diff-range.json
- * file for later reuse in the analyze step. Failures are logged but non-fatal.
- */
-async function computeAndPersistDiffRanges(
-  codeql: CodeQL,
-  features: Features,
-  logger: Logger,
-): Promise<void> {
-  try {
-    await withGroupAsync("Compute PR diff ranges", async () => {
-      const branches = await getDiffInformedAnalysisBranches(
-        codeql,
-        features,
-        logger,
-      );
-      if (!branches) {
-        return;
-      }
-      const ranges = await getPullRequestEditedDiffRanges(branches, logger);
-      if (ranges === undefined) {
-        return;
-      }
-      writeDiffRangesJsonFile(logger, ranges);
-      const distinctFiles = new Set(ranges.map((r) => r.path)).size;
-      logger.info(
-        `Persisted ${ranges.length} diff range(s) across ${distinctFiles} file(s).`,
-      );
-    });
-  } catch (e) {
-    logger.warning(
-      `Failed to compute and persist PR diff ranges: ${getErrorMessage(e)}`,
-    );
-  }
-}
-
 function getTrapCachingEnabled(): boolean {
  // If the workflow specified something always respect that
  const trapCaching = getOptionalInput("trap-caching");
@@ -11,8 +11,6 @@ import * as gitUtils from "./git-utils";
 import { getRunnerLogger } from "./logging";
 import {
  downloadOverlayBaseDatabaseFromCache,
-  getCacheRestoreKeyPrefix,
-  getCacheSaveKey,
  OverlayDatabaseMode,
  writeBaseDatabaseOidsFile,
  writeOverlayChangesFile,
@@ -263,48 +261,3 @@ test(
  },
  false,
 );
-
-test("overlay-base database cache keys remain stable", async (t) => {
-  const logger = getRunnerLogger(true);
-  const config = createTestConfig({ languages: ["python", "javascript"] });
-  const codeQlVersion = "2.23.0";
-  const commitOid = "abc123def456";
-
-  sinon.stub(apiClient, "getAutomationID").resolves("test-automation-id/");
-  sinon.stub(gitUtils, "getCommitOid").resolves(commitOid);
-  sinon.stub(actionsUtil, "getWorkflowRunID").returns(12345);
-  sinon.stub(actionsUtil, "getWorkflowRunAttempt").returns(1);
-
-  const saveKey = await getCacheSaveKey(
-    config,
-    codeQlVersion,
-    "checkout-path",
-    logger,
-  );
-  const expectedSaveKey =
-    "codeql-overlay-base-database-1-c5666c509a2d9895-javascript_python-2.23.0-abc123def456-12345-1";
-  t.is(
-    saveKey,
-    expectedSaveKey,
-    "Cache save key changed unexpectedly. " +
-      "This may indicate breaking changes in the cache key generation logic.",
-  );
-
-  const restoreKeyPrefix = await getCacheRestoreKeyPrefix(
-    config,
-    codeQlVersion,
-  );
-  const expectedRestoreKeyPrefix =
-    "codeql-overlay-base-database-1-c5666c509a2d9895-javascript_python-2.23.0-";
-  t.is(
-    restoreKeyPrefix,
-    expectedRestoreKeyPrefix,
-    "Cache restore key prefix changed unexpectedly. " +
-      "This may indicate breaking changes in the cache key generation logic.",
-  );
-
-  t.true(
-    saveKey.startsWith(restoreKeyPrefix),
-    `Expected save key "${saveKey}" to start with restore key prefix "${restoreKeyPrefix}"`,
-  );
-});
@@ -4,19 +4,13 @@ import * as path from "path";

 import * as actionsCache from "@actions/cache";

-import {
-  getRequiredInput,
-  getTemporaryDirectory,
-  getWorkflowRunAttempt,
-  getWorkflowRunID,
-} from "./actions-util";
+import { getRequiredInput, getTemporaryDirectory } from "./actions-util";
 import { getAutomationID } from "./api-client";
 import { type CodeQL } from "./codeql";
 import { type Config } from "./config-utils";
 import { getCommitOid, getFileOidsUnderPath } from "./git-utils";
 import { Logger, withGroupAsync } from "./logging";
 import {
-  getErrorMessage,
  isInTestMode,
  tryGetFolderBytes,
  waitForResultWithTimeLimit,
@@ -40,10 +34,15 @@ export const CODEQL_OVERLAY_MINIMUM_VERSION = "2.22.4";
 * Actions Cache client library. Instead we place a limit on the uncompressed
 * size of the overlay-base database.
 *
- * Assuming 2.5:1 compression ratio, the 7.5 GB limit on uncompressed data would
- * translate to a limit of around 3 GB after compression.
+ * Assuming 2.5:1 compression ratio, the 15 GB limit on uncompressed data would
+ * translate to a limit of around 6 GB after compression. This is a high limit
+ * compared to the default 10GB Actions Cache capacity, but enforcement of Actions
+ * Cache quotas is not immediate.
+ *
+ * TODO: revisit this limit before removing the restriction for overlay analysis
+ * to the `github` and `dsp-testing` orgs.
 */
-const OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB = 7500;
+const OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB = 15000;
 const OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_BYTES =
  OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB * 1_000_000;

@@ -272,7 +271,6 @@ export async function uploadOverlayBaseDatabaseToCache(
    config,
    codeQlVersion,
    checkoutPath,
-    logger,
  );
  logger.info(
    `Uploading overlay-base database to Actions cache with key ${cacheSaveKey}`,
@@ -450,28 +448,17 @@ export async function downloadOverlayBaseDatabaseFromCache(
 * The key consists of the restore key prefix (which does not include the
 * commit SHA) and the commit SHA of the current checkout.
 */
-export async function getCacheSaveKey(
+async function getCacheSaveKey(
  config: Config,
  codeQlVersion: string,
  checkoutPath: string,
-  logger: Logger,
 ): Promise<string> {
-  let runId = 1;
-  let attemptId = 1;
-  try {
-    runId = getWorkflowRunID();
-    attemptId = getWorkflowRunAttempt();
-  } catch (e) {
-    logger.warning(
-      `Failed to get workflow run ID or attempt ID. Reason: ${getErrorMessage(e)}`,
-    );
-  }
  const sha = await getCommitOid(checkoutPath);
  const restoreKeyPrefix = await getCacheRestoreKeyPrefix(
    config,
    codeQlVersion,
  );
-  return `${restoreKeyPrefix}${sha}-${runId}-${attemptId}`;
+  return `${restoreKeyPrefix}${sha}`;
 }

 /**
@@ -488,7 +475,7 @@ export async function getCacheSaveKey(
 * not include the commit SHA. This allows us to restore the most recent
 * compatible overlay-base database.
 */
-export async function getCacheRestoreKeyPrefix(
+async function getCacheRestoreKeyPrefix(
  config: Config,
  codeQlVersion: string,
 ): Promise<string> {
@@ -168,7 +168,7 @@ export function tryGetTagNameFromUrl(
  // assumes less about the structure of the URL.
  const match = matches[matches.length - 1];

-  if (match?.length !== 2) {
+  if (match === null || match.length !== 2) {
    logger.debug(
      `Could not determine tag name for URL ${url}. Matched ${JSON.stringify(
        match,
@@ -30,7 +30,7 @@ async function runWrapper() {
      logger,
    );

-    if (config?.debugMode || core.isDebug()) {
+    if ((config && config.debugMode) || core.isDebug()) {
      const logFilePath = core.getState("proxy-log-file");
      logger.info(
        "Debug mode is on. Uploading proxy log as Actions debugging artifact...",
@@ -23,6 +23,7 @@ import { getRepositoryNwo } from "./repository";
 import { ToolsSource } from "./setup-codeql";
 import {
  ConfigurationError,
+  isHTTPError,
  getRequiredEnvParam,
  getCachedCodeQlVersion,
  isInTestMode,
@@ -32,7 +33,6 @@ import {
  BuildMode,
  getErrorMessage,
  getTestingEnvironment,
-  asHTTPError,
 } from "./util";

 export enum ActionName {
@@ -387,9 +387,9 @@ export async function createStatusReportBase(
 }

 const OUT_OF_DATE_MSG =
-  "CodeQL Action is out-of-date. Please upgrade to the latest version of `codeql-action`.";
+  "CodeQL Action is out-of-date. Please upgrade to the latest version of codeql-action.";
 const INCOMPATIBLE_MSG =
-  "CodeQL Action version is incompatible with the API endpoint. Please update to a compatible version of `codeql-action`.";
+  "CodeQL Action version is incompatible with the code scanning endpoint. Please update to a compatible version of codeql-action.";

 /**
 * Send a status report to the code_scanning/analysis/status endpoint.
@@ -429,9 +429,8 @@ export async function sendStatusReport<S extends StatusReportBase>(
      },
    );
  } catch (e) {
-    const httpError = asHTTPError(e);
-    if (httpError !== undefined) {
-      switch (httpError.status) {
+    if (isHTTPError(e)) {
+      switch (e.status) {
        case 403:
          if (
            getWorkflowEventName() === "push" &&
@@ -439,20 +438,16 @@ export async function sendStatusReport<S extends StatusReportBase>(
          ) {
            core.warning(
              'Workflows triggered by Dependabot on the "push" event run with read-only access. ' +
-                "Uploading CodeQL results requires write access. " +
-                'To use CodeQL with Dependabot, please ensure you are using the "pull_request" event for this workflow and avoid triggering on the "push" event for Dependabot branches. ' +
+                "Uploading Code Scanning results requires write access. " +
+                'To use Code Scanning with Dependabot, please ensure you are using the "pull_request" event for this workflow and avoid triggering on the "push" event for Dependabot branches. ' +
                `See ${DocUrl.SCANNING_ON_PUSH} for more information on how to configure these events.`,
            );
          } else {
-            core.warning(
-              "This run of the CodeQL Action does not have permission to access the CodeQL Action API endpoints. " +
-                "This could be because the Action is running on a pull request from a fork. If not, " +
-                `please ensure the workflow has at least the 'security-events: read' permission. Details: ${httpError.message}`,
-            );
+            core.warning(e.message);
          }
          return;
        case 404:
-          core.warning(httpError.message);
+          core.warning(e.message);
          return;
        case 422:
          // schema incompatibility when reporting status
@@ -470,7 +465,7 @@ export async function sendStatusReport<S extends StatusReportBase>(
    // something else has gone wrong and the request/response will be logged by octokit
    // it's possible this is a transient error and we should continue scanning
    core.warning(
-      `An unexpected error occurred when sending a status report: ${getErrorMessage(
+      `An unexpected error occurred when sending code scanning status report: ${getErrorMessage(
        e,
      )}`,
    );
@@ -35,14 +35,14 @@ async function getTarVersion(): Promise<TarVersion> {
  // Return whether this is GNU tar or BSD tar, and the version number
  if (stdout.includes("GNU tar")) {
    const match = stdout.match(/tar \(GNU tar\) ([0-9.]+)/);
-    if (!match?.[1]) {
+    if (!match || !match[1]) {
      throw new Error("Failed to parse output of tar --version.");
    }

    return { type: "gnu", version: match[1] };
  } else if (stdout.includes("bsdtar")) {
    const match = stdout.match(/bsdtar ([0-9.]+)/);
-    if (!match?.[1]) {
+    if (!match || !match[1]) {
      throw new Error("Failed to parse output of tar --version.");
    }

@@ -3,11 +3,13 @@ import * as semver from "semver";
 import type { VersionInfo } from "./codeql";

 export enum ToolsFeature {
+  AnalysisSummaryV2IsDefault = "analysisSummaryV2Default",
  BuiltinExtractorsSpecifyDefaultQueries = "builtinExtractorsSpecifyDefaultQueries",
  DatabaseInterpretResultsSupportsSarifRunProperty = "databaseInterpretResultsSupportsSarifRunProperty",
  ForceOverwrite = "forceOverwrite",
  IndirectTracingSupportsStaticBinaries = "indirectTracingSupportsStaticBinaries",
  PythonDefaultIsToNotExtractStdlib = "pythonDefaultIsToNotExtractStdlib",
+  SarifMergeRunsFromEqualCategory = "sarifMergeRunsFromEqualCategory",
 }

 /**
@@ -13,8 +13,8 @@ import * as gitUtils from "./git-utils";
 import { Language } from "./languages";
 import { Logger } from "./logging";
 import {
-  asHTTPError,
  getErrorMessage,
+  isHTTPError,
  tryGetFolderBytes,
  waitForResultWithTimeLimit,
 } from "./util";
@@ -236,7 +236,7 @@ export async function cleanupTrapCaches(
    }
    return { trap_cache_cleanup_size_bytes: totalBytesCleanedUp };
  } catch (e) {
-    if (asHTTPError(e)?.status === 403) {
+    if (isHTTPError(e) && e.status === 403) {
      logger.warning(
        "Could not cleanup TRAP caches as the token did not have the required permissions. " +
          'To clean up TRAP caches, ensure the token has the "actions:write" permission. ' +
@@ -21,6 +21,7 @@ import * as gitUtils from "./git-utils";
 import { initCodeQL } from "./init";
 import { Logger } from "./logging";
 import { getRepositoryNwo, RepositoryNwo } from "./repository";
+import { ToolsFeature } from "./tools-features";
 import * as util from "./util";
 import {
  ConfigurationError,
@@ -268,6 +269,32 @@ async function combineSarifFilesUsingCLI(
    codeQL = initCodeQLResult.codeql;
  }

+  if (
+    !(await codeQL.supportsFeature(
+      ToolsFeature.SarifMergeRunsFromEqualCategory,
+    ))
+  ) {
+    await throwIfCombineSarifFilesDisabled(sarifObjects, gitHubVersion);
+
+    logger.warning(
+      "The CodeQL CLI does not support merging SARIF files. Merging files in the action.",
+    );
+
+    if (
+      await shouldShowCombineSarifFilesDeprecationWarning(
+        sarifObjects,
+        gitHubVersion,
+      )
+    ) {
+      logger.warning(
+        `Uploading multiple CodeQL runs with the same category is deprecated ${deprecationWarningMessage} for CodeQL CLI 2.16.6 and earlier. Please update your CodeQL CLI version or update your workflow to set a distinct category for each CodeQL run. ${deprecationMoreInformationMessage}`,
+      );
+      core.exportVariable("CODEQL_MERGE_SARIF_DEPRECATION_WARNING", "true");
+    }
+
+    return combineSarifFiles(sarifFiles, logger);
+  }
+
  const baseTempDir = path.resolve(tempDir, "combined-sarif");
  fs.mkdirSync(baseTempDir, { recursive: true });
  const outputDirectory = fs.mkdtempSync(path.resolve(baseTempDir, "output-"));
@@ -359,17 +386,16 @@ export async function uploadPayload(
    logger.info("Successfully uploaded results");
    return response.data.id as string;
  } catch (e) {
-    const httpError = util.asHTTPError(e);
-    if (httpError !== undefined) {
-      switch (httpError.status) {
+    if (util.isHTTPError(e)) {
+      switch (e.status) {
        case 403:
-          core.warning(httpError.message || GENERIC_403_MSG);
+          core.warning(e.message || GENERIC_403_MSG);
          break;
        case 404:
-          core.warning(httpError.message || GENERIC_404_MSG);
+          core.warning(e.message || GENERIC_404_MSG);
          break;
        default:
-          core.warning(httpError.message);
+          core.warning(e.message);
          break;
      }
    }
@@ -661,39 +687,51 @@ export function buildPayload(
  return payloadObj;
 }

-export interface PostProcessingResults {
-  sarif: util.SarifFile;
-  analysisKey: string;
-  environment: string;
+/**
+ * Uploads a single SARIF file or a directory of SARIF files depending on what `inputSarifPath` refers
+ * to.
+ */
+export async function uploadFiles(
+  inputSarifPath: string,
+  checkoutPath: string,
+  category: string | undefined,
+  features: FeatureEnablement,
+  logger: Logger,
+  uploadTarget: analyses.AnalysisConfig,
+): Promise<UploadResult> {
+  const sarifPaths = getSarifFilePaths(
+    inputSarifPath,
+    uploadTarget.sarifPredicate,
+  );
+
+  return uploadSpecifiedFiles(
+    sarifPaths,
+    checkoutPath,
+    category,
+    features,
+    logger,
+    uploadTarget,
+  );
 }

 /**
- * Performs post-processing of the SARIF files given by `sarifPaths`.
- *
- * @param logger The logger to use.
- * @param features Information about enabled features.
- * @param checkoutPath The path where the repo was checked out at.
- * @param sarifPaths The paths of the SARIF files to post-process.
- * @param category The analysis category.
- * @param analysis The analysis configuration.
- *
- * @returns Returns the results of post-processing the SARIF files,
- *          including the resulting SARIF file.
+ * Uploads the given array of SARIF files.
 */
-export async function postProcessSarifFiles(
-  logger: Logger,
-  features: FeatureEnablement,
-  checkoutPath: string,
+export async function uploadSpecifiedFiles(
  sarifPaths: string[],
+  checkoutPath: string,
  category: string | undefined,
-  analysis: analyses.AnalysisConfig,
-): Promise<PostProcessingResults> {
-  logger.info(`Post-processing sarif files: ${JSON.stringify(sarifPaths)}`);
+  features: FeatureEnablement,
+  logger: Logger,
+  uploadTarget: analyses.AnalysisConfig,
+): Promise<UploadResult> {
+  logger.startGroup(`Uploading ${uploadTarget.name} results`);
+  logger.info(`Processing sarif files: ${JSON.stringify(sarifPaths)}`);

  const gitHubVersion = await getGitHubVersion();

  let sarif: SarifFile;
-  category = analysis.fixCategory(logger, category);
+  category = uploadTarget.fixCategory(logger, category);

  if (sarifPaths.length > 1) {
    // Validate that the files we were asked to upload are all valid SARIF files
@@ -729,113 +767,6 @@ export async function postProcessSarifFiles(
    environment,
  );

-  return { sarif, analysisKey, environment };
-}
-
-/**
- * Writes the post-processed SARIF file to disk, if needed based on `pathInput` or the `SARIF_DUMP_DIR`.
- *
- * @param logger The logger to use.
- * @param pathInput The input provided for `post-processed-sarif-path`.
- * @param uploadTarget The upload target.
- * @param processingResults The results of post-processing SARIF files.
- */
-export async function writePostProcessedFiles(
-  logger: Logger,
-  pathInput: string | undefined,
-  uploadTarget: analyses.AnalysisConfig,
-  postProcessingResults: PostProcessingResults,
-) {
-  // If there's an explicit input, use that. Otherwise, use the value from the environment variable.
-  const outputPath = pathInput || util.getOptionalEnvVar(EnvVar.SARIF_DUMP_DIR);
-
-  // If we have a non-empty output path, write the SARIF file to it.
-  if (outputPath !== undefined) {
-    dumpSarifFile(
-      JSON.stringify(postProcessingResults.sarif),
-      outputPath,
-      logger,
-      uploadTarget,
-    );
-  } else {
-    logger.debug(`Not writing post-processed SARIF files.`);
-  }
-}
-
-/**
- * Uploads a single SARIF file or a directory of SARIF files depending on what `inputSarifPath` refers
- * to.
- */
-export async function uploadFiles(
-  inputSarifPath: string,
-  checkoutPath: string,
-  category: string | undefined,
-  features: FeatureEnablement,
-  logger: Logger,
-  uploadTarget: analyses.AnalysisConfig,
-): Promise<UploadResult> {
-  const sarifPaths = getSarifFilePaths(
-    inputSarifPath,
-    uploadTarget.sarifPredicate,
-  );
-
-  return uploadSpecifiedFiles(
-    sarifPaths,
-    checkoutPath,
-    category,
-    features,
-    logger,
-    uploadTarget,
-  );
-}
-
-/**
- * Uploads the given array of SARIF files.
- */
-async function uploadSpecifiedFiles(
-  sarifPaths: string[],
-  checkoutPath: string,
-  category: string | undefined,
-  features: FeatureEnablement,
-  logger: Logger,
-  uploadTarget: analyses.AnalysisConfig,
-): Promise<UploadResult> {
-  const processingResults: PostProcessingResults = await postProcessSarifFiles(
-    logger,
-    features,
-    checkoutPath,
-    sarifPaths,
-    category,
-    uploadTarget,
-  );
-
-  return uploadPostProcessedFiles(
-    logger,
-    checkoutPath,
-    uploadTarget,
-    processingResults,
-  );
-}
-
-/**
- * Uploads the results of post-processing SARIF files to the specified upload target.
- *
- * @param logger The logger to use.
- * @param checkoutPath The path at which the repository was checked out.
- * @param uploadTarget The analysis configuration.
- * @param postProcessingResults The results of post-processing SARIF files.
- *
- * @returns The results of uploading the `postProcessingResults` to `uploadTarget`.
- */
-export async function uploadPostProcessedFiles(
-  logger: Logger,
-  checkoutPath: string,
-  uploadTarget: analyses.AnalysisConfig,
-  postProcessingResults: PostProcessingResults,
-): Promise<UploadResult> {
-  logger.startGroup(`Uploading ${uploadTarget.name} results`);
-
-  const sarif = postProcessingResults.sarif;
  const toolNames = util.getToolNames(sarif);

  logger.debug(`Validating that each SARIF run has a unique category`);
@@ -843,6 +774,11 @@ export async function uploadPostProcessedFiles(
  logger.debug(`Serializing SARIF for upload`);
  const sarifPayload = JSON.stringify(sarif);

+  const dumpDir = process.env[EnvVar.SARIF_DUMP_DIR];
+  if (dumpDir) {
+    dumpSarifFile(sarifPayload, dumpDir, logger, uploadTarget);
+  }
+
  logger.debug(`Compressing serialized SARIF`);
  const zippedSarif = zlib.gzipSync(sarifPayload).toString("base64");
  const checkoutURI = url.pathToFileURL(checkoutPath).href;
@@ -850,13 +786,13 @@ export async function uploadPostProcessedFiles(
  const payload = buildPayload(
    await gitUtils.getCommitOid(checkoutPath),
    await gitUtils.getRef(),
-    postProcessingResults.analysisKey,
+    analysisKey,
    util.getRequiredEnvParam("GITHUB_WORKFLOW"),
    zippedSarif,
    actionsUtil.getWorkflowRunID(),
    actionsUtil.getWorkflowRunAttempt(),
    checkoutURI,
-    postProcessingResults.environment,
+    environment,
    toolNames,
    await gitUtils.determineBaseBranchHeadCommitOid(),
  );
@@ -902,14 +838,14 @@ function dumpSarifFile(
    fs.mkdirSync(outputDir, { recursive: true });
  } else if (!fs.lstatSync(outputDir).isDirectory()) {
    throw new ConfigurationError(
-      `The path that processed SARIF files should be written to exists, but is not a directory: ${outputDir}`,
+      `The path specified by the ${EnvVar.SARIF_DUMP_DIR} environment variable exists and is not a directory: ${outputDir}`,
    );
  }
  const outputFile = path.resolve(
    outputDir,
    `upload${uploadTarget.sarifExtension}`,
  );
-  logger.info(`Writing processed SARIF file to ${outputFile}`);
+  logger.info(`Dumping processed SARIF file to ${outputFile}`);
  fs.writeFileSync(outputFile, sarifPayload);
 }

@@ -1140,9 +1076,10 @@ function filterAlertsByDiffRange(logger: Logger, sarif: SarifFile): SarifFile {
    return sarif;
  }

+  const checkoutPath = actionsUtil.getRequiredInput("checkout_path");
+
  for (const run of sarif.runs) {
    if (run.results) {
-      const preAlertCount = run.results.length;
      run.results = run.results.filter((result) => {
        const locations = [
          ...(result.locations || []).map((loc) => loc.physicalLocation),
@@ -1155,6 +1092,11 @@ function filterAlertsByDiffRange(logger: Logger, sarif: SarifFile): SarifFile {
          if (!locationUri || locationStartLine === undefined) {
            return false;
          }
+          // CodeQL always uses forward slashes as the path separator, so on Windows we
+          // need to replace any backslashes with forward slashes.
+          const locationPath = path
+            .join(checkoutPath, locationUri)
+            .replaceAll(path.sep, "/");
          // Alert filtering here replicates the same behavior as the restrictAlertsTo
          // extensible predicate in CodeQL. See the restrictAlertsTo documentation
          // https://codeql.github.com/codeql-standard-libraries/csharp/codeql/util/AlertFiltering.qll/predicate.AlertFiltering$restrictAlertsTo.3.html
@@ -1162,16 +1104,13 @@ function filterAlertsByDiffRange(logger: Logger, sarif: SarifFile): SarifFile {
          // of an alert location.
          return diffRanges.some(
            (range) =>
-              range.path === locationUri &&
+              range.path === locationPath &&
              ((range.startLine <= locationStartLine &&
                range.endLine >= locationStartLine) ||
                (range.startLine === 0 && range.endLine === 0)),
          );
        });
      });
-
-      const postAlertCount = run.results.length;
-      logger.info(`Filtered ${preAlertCount - postAlertCount} alerts based on diff range.`);
    }
  }

@@ -16,7 +16,7 @@ import {
  isThirdPartyAnalysis,
 } from "./status-report";
 import * as upload_lib from "./upload-lib";
-import { postProcessAndUploadSarif } from "./upload-sarif";
+import { uploadSarif } from "./upload-sarif";
 import {
  ConfigurationError,
  checkActionVersion,
@@ -90,10 +90,9 @@ async function run() {
    const checkoutPath = actionsUtil.getRequiredInput("checkout_path");
    const category = actionsUtil.getOptionalInput("category");

-    const uploadResults = await postProcessAndUploadSarif(
+    const uploadResults = await uploadSarif(
      logger,
      features,
-      "always",
      checkoutPath,
      sarifPath,
      category,
@@ -9,7 +9,7 @@ import { getRunnerLogger } from "./logging";
 import { createFeatures, setupTests } from "./testing-utils";
 import { UploadResult } from "./upload-lib";
 import * as uploadLib from "./upload-lib";
-import { postProcessAndUploadSarif } from "./upload-sarif";
+import { uploadSarif } from "./upload-sarif";
 import * as util from "./util";

 setupTests(test);
@@ -19,27 +19,7 @@ interface UploadSarifExpectedResult {
  expectedFiles?: string[];
 }

-function mockPostProcessSarifFiles() {
-  const postProcessSarifFiles = sinon.stub(uploadLib, "postProcessSarifFiles");
-
-  for (const analysisKind of Object.values(AnalysisKind)) {
-    const analysisConfig = getAnalysisConfig(analysisKind);
-    postProcessSarifFiles
-      .withArgs(
-        sinon.match.any,
-        sinon.match.any,
-        sinon.match.any,
-        sinon.match.any,
-        sinon.match.any,
-        analysisConfig,
-      )
-      .resolves({ sarif: { runs: [] }, analysisKey: "", environment: "" });
-  }
-
-  return postProcessSarifFiles;
-}
-
-const postProcessAndUploadSarifMacro = test.macro({
+const uploadSarifMacro = test.macro({
  exec: async (
    t: ExecutionContext<unknown>,
    sarifFiles: string[],
@@ -53,16 +33,21 @@ const postProcessAndUploadSarifMacro = test.macro({

      const toFullPath = (filename: string) => path.join(tempDir, filename);

-      const postProcessSarifFiles = mockPostProcessSarifFiles();
-      const uploadPostProcessedFiles = sinon.stub(
+      const uploadSpecifiedFiles = sinon.stub(
        uploadLib,
-        "uploadPostProcessedFiles",
+        "uploadSpecifiedFiles",
      );

      for (const analysisKind of Object.values(AnalysisKind)) {
-        const analysisConfig = getAnalysisConfig(analysisKind);
-        uploadPostProcessedFiles
-          .withArgs(logger, sinon.match.any, analysisConfig, sinon.match.any)
+        uploadSpecifiedFiles
+          .withArgs(
+            sinon.match.any,
+            sinon.match.any,
+            sinon.match.any,
+            features,
+            logger,
+            getAnalysisConfig(analysisKind),
+          )
          .resolves(expectedResult[analysisKind as AnalysisKind]?.uploadResult);
      }

@@ -71,57 +56,53 @@ const postProcessAndUploadSarifMacro = test.macro({
        fs.writeFileSync(sarifFile, "");
      }

-      const actual = await postProcessAndUploadSarif(
-        logger,
-        features,
-        "always",
-        "",
-        testPath,
-      );
+      const actual = await uploadSarif(logger, features, "", testPath);

      for (const analysisKind of Object.values(AnalysisKind)) {
        const analysisKindResult = expectedResult[analysisKind];
        if (analysisKindResult) {
          // We are expecting a result for this analysis kind, check that we have it.
          t.deepEqual(actual[analysisKind], analysisKindResult.uploadResult);
-          // Additionally, check that the mocked `postProcessSarifFiles` was called with only the file paths
+          // Additionally, check that the mocked `uploadSpecifiedFiles` was called with only the file paths
          // that we expected it to be called with.
          t.assert(
-            postProcessSarifFiles.calledWith(
-              logger,
-              features,
-              sinon.match.any,
+            uploadSpecifiedFiles.calledWith(
              analysisKindResult.expectedFiles?.map(toFullPath) ??
                fullSarifPaths,
              sinon.match.any,
+              sinon.match.any,
+              features,
+              logger,
              getAnalysisConfig(analysisKind),
            ),
          );
        } else {
          // Otherwise, we are not expecting a result for this analysis kind. However, note that `undefined`
-          // is also returned by our mocked `uploadProcessedFiles` when there is no expected result for this
+          // is also returned by our mocked `uploadSpecifiedFiles` when there is no expected result for this
          // analysis kind.
          t.is(actual[analysisKind], undefined);
-          // Therefore, we also check that the mocked `uploadProcessedFiles` was not called for this analysis kind.
+          // Therefore, we also check that the mocked `uploadSpecifiedFiles` was not called for this analysis kind.
          t.assert(
-            !uploadPostProcessedFiles.calledWith(
+            !uploadSpecifiedFiles.calledWith(
+              sinon.match.any,
+              sinon.match.any,
+              sinon.match.any,
+              features,
              logger,
-              sinon.match.any,
              getAnalysisConfig(analysisKind),
-              sinon.match.any,
            ),
-            `uploadProcessedFiles was called for ${analysisKind}, but should not have been.`,
+            `uploadSpecifiedFiles was called for ${analysisKind}, but should not have been.`,
          );
        }
      }
    });
  },
-  title: (providedTitle = "") => `processAndUploadSarif - ${providedTitle}`,
+  title: (providedTitle = "") => `uploadSarif - ${providedTitle}`,
 });

 test(
  "SARIF file",
-  postProcessAndUploadSarifMacro,
+  uploadSarifMacro,
  ["test.sarif"],
  (tempDir) => path.join(tempDir, "test.sarif"),
  {
@@ -136,7 +117,7 @@ test(

 test(
  "JSON file",
-  postProcessAndUploadSarifMacro,
+  uploadSarifMacro,
  ["test.json"],
  (tempDir) => path.join(tempDir, "test.json"),
  {
@@ -151,7 +132,7 @@ test(

 test(
  "Code Scanning files",
-  postProcessAndUploadSarifMacro,
+  uploadSarifMacro,
  ["test.json", "test.sarif"],
  undefined,
  {
@@ -167,7 +148,7 @@ test(

 test(
  "Code Quality file",
-  postProcessAndUploadSarifMacro,
+  uploadSarifMacro,
  ["test.quality.sarif"],
  (tempDir) => path.join(tempDir, "test.quality.sarif"),
  {
@@ -182,7 +163,7 @@ test(

 test(
  "Mixed files",
-  postProcessAndUploadSarifMacro,
+  uploadSarifMacro,
  ["test.sarif", "test.quality.sarif"],
  undefined,
  {
@@ -202,65 +183,3 @@ test(
    },
  },
 );
-
-test("postProcessAndUploadSarif doesn't upload if upload is disabled", async (t) => {
-  await util.withTmpDir(async (tempDir) => {
-    const logger = getRunnerLogger(true);
-    const features = createFeatures([]);
-
-    const toFullPath = (filename: string) => path.join(tempDir, filename);
-
-    const postProcessSarifFiles = mockPostProcessSarifFiles();
-    const uploadPostProcessedFiles = sinon.stub(
-      uploadLib,
-      "uploadPostProcessedFiles",
-    );
-
-    fs.writeFileSync(toFullPath("test.sarif"), "");
-    fs.writeFileSync(toFullPath("test.quality.sarif"), "");
-
-    const actual = await postProcessAndUploadSarif(
-      logger,
-      features,
-      "never",
-      "",
-      tempDir,
-    );
-
-    t.truthy(actual);
-    t.assert(postProcessSarifFiles.calledTwice);
-    t.assert(uploadPostProcessedFiles.notCalled);
-  });
-});
-
-test("postProcessAndUploadSarif writes post-processed SARIF files if output directory is provided", async (t) => {
-  await util.withTmpDir(async (tempDir) => {
-    const logger = getRunnerLogger(true);
-    const features = createFeatures([]);
-
-    const toFullPath = (filename: string) => path.join(tempDir, filename);
-
-    const postProcessSarifFiles = mockPostProcessSarifFiles();
-
-    fs.writeFileSync(toFullPath("test.sarif"), "");
-    fs.writeFileSync(toFullPath("test.quality.sarif"), "");
-
-    const postProcessedOutPath = path.join(tempDir, "post-processed");
-    const actual = await postProcessAndUploadSarif(
-      logger,
-      features,
-      "never",
-      "",
-      tempDir,
-      "",
-      postProcessedOutPath,
-    );
-
-    t.truthy(actual);
-    t.assert(postProcessSarifFiles.calledTwice);
-    t.assert(fs.existsSync(path.join(postProcessedOutPath, "upload.sarif")));
-    t.assert(
-      fs.existsSync(path.join(postProcessedOutPath, "upload.quality.sarif")),
-    );
-  });
-});
@@ -1,4 +1,3 @@
-import { UploadKind } from "./actions-util";
 import * as analyses from "./analyses";
 import { FeatureEnablement } from "./feature-flags";
 import { Logger } from "./logging";
@@ -11,26 +10,22 @@ export type UploadSarifResults = Partial<
 >;

 /**
- * Finds SARIF files in `sarifPath`, post-processes them, and uploads them to the appropriate services.
+ * Finds SARIF files in `sarifPath` and uploads them to the appropriate services.
 *
 * @param logger The logger to use.
 * @param features Information about enabled features.
- * @param uploadKind The kind of upload that is requested.
 * @param checkoutPath The path where the repository was checked out at.
 * @param sarifPath The path to the file or directory to upload.
 * @param category The analysis category.
- * @param postProcessedOutputPath The path to a directory to which the post-processed SARIF files should be written to.
 *
 * @returns A partial mapping from analysis kinds to the upload results.
 */
-export async function postProcessAndUploadSarif(
+export async function uploadSarif(
  logger: Logger,
  features: FeatureEnablement,
-  uploadKind: UploadKind,
  checkoutPath: string,
  sarifPath: string,
  category?: string,
-  postProcessedOutputPath?: string,
 ): Promise<UploadSarifResults> {
  const sarifGroups = await upload_lib.getGroupedSarifFilePaths(
    logger,
@@ -42,33 +37,14 @@ export async function postProcessAndUploadSarif(
    sarifGroups,
  )) {
    const analysisConfig = analyses.getAnalysisConfig(analysisKind);
-    const postProcessingResults = await upload_lib.postProcessSarifFiles(
-      logger,
-      features,
-      checkoutPath,
+    uploadResults[analysisKind] = await upload_lib.uploadSpecifiedFiles(
      sarifFiles,
+      checkoutPath,
      category,
-      analysisConfig,
-    );
-
-    // Write the post-processed SARIF files to disk. This will only write them if needed based on user inputs
-    // or environment variables.
-    await upload_lib.writePostProcessedFiles(
+      features,
      logger,
-      postProcessedOutputPath,
      analysisConfig,
-      postProcessingResults,
    );
-
-    // Only perform the actual upload of the post-processed files if `uploadKind` is `always`.
-    if (uploadKind === "always") {
-      uploadResults[analysisKind] = await upload_lib.uploadPostProcessedFiles(
-        logger,
-        checkoutPath,
-        analysisConfig,
-        postProcessingResults,
-      );
-    }
  }

  return uploadResults;
@@ -252,35 +252,6 @@ test("allowed API versions", async (t) => {
  );
 });

-test("getRequiredEnvParam - gets environment variables", (t) => {
-  process.env.SOME_UNIT_TEST_VAR = "foo";
-  const result = util.getRequiredEnvParam("SOME_UNIT_TEST_VAR");
-  t.is(result, "foo");
-});
-
-test("getRequiredEnvParam - throws if an environment variable isn't set", (t) => {
-  t.throws(() => util.getRequiredEnvParam("SOME_UNIT_TEST_VAR"));
-});
-
-test("getOptionalEnvVar - gets environment variables", (t) => {
-  process.env.SOME_UNIT_TEST_VAR = "foo";
-  const result = util.getOptionalEnvVar("SOME_UNIT_TEST_VAR");
-  t.is(result, "foo");
-});
-
-test("getOptionalEnvVar - gets undefined for empty environment variables", (t) => {
-  process.env.SOME_UNIT_TEST_VAR = "";
-  const result = util.getOptionalEnvVar("SOME_UNIT_TEST_VAR");
-  t.is(result, undefined);
-});
-
-test("getOptionalEnvVar - doesn't throw for undefined environment variables", (t) => {
-  t.notThrows(() => {
-    const result = util.getOptionalEnvVar("SOME_UNIT_TEST_VAR");
-    t.is(result, undefined);
-  });
-});
-
 test("doesDirectoryExist", async (t) => {
  // Returns false if no file/dir of this name exists
  t.false(util.doesDirectoryExist("non-existent-file.txt"));
@@ -673,17 +673,6 @@ export function getRequiredEnvParam(paramName: string): string {
  return value;
 }

-/**
- * Get an environment variable, but return `undefined` if it is not set or empty.
- */
-export function getOptionalEnvVar(paramName: string): string | undefined {
-  const value = process.env[paramName];
-  if (value?.trim().length === 0) {
-    return undefined;
-  }
-  return value;
-}
-
 export class HTTPError extends Error {
  public status: number;

@@ -703,22 +692,8 @@ export class ConfigurationError extends Error {
  }
 }

-export function asHTTPError(arg: any): HTTPError | undefined {
-  if (
-    typeof arg !== "object" ||
-    arg === null ||
-    typeof arg.message !== "string"
-  ) {
-    return undefined;
-  }
-  if (Number.isInteger(arg.status)) {
-    return new HTTPError(arg.message as string, arg.status as number);
-  }
-  // See https://github.com/actions/toolkit/blob/acb230b99a46ed33a3f04a758cd68b47b9a82908/packages/tool-cache/src/tool-cache.ts#L19
-  if (Number.isInteger(arg.httpStatusCode)) {
-    return new HTTPError(arg.message as string, arg.httpStatusCode as number);
-  }
-  return undefined;
+export function isHTTPError(arg: any): arg is HTTPError {
+  return arg?.status !== undefined && Number.isInteger(arg.status);
 }

 let cachedCodeQlVersion: undefined | VersionInfo = undefined;
@@ -371,7 +371,7 @@ function getInputOrThrow(
      input = input.replace(`\${{matrix.${key}}}`, value);
    }
  }
-  if (input?.includes("${{")) {
+  if (input !== undefined && input.includes("${{")) {
    throw new Error(
      `Could not get ${inputName} input to ${actionName} since it contained an unrecognized dynamic value.`,
    );
Author	SHA1	Message	Date
Michael B. Gale	0cf61911ea	Generate `UserConfig` from schema ... ish	2025-10-17 16:19:12 +01:00
Michael B. Gale	816fc30181	Add command for turning JSON schemas into TypeScript typings	2025-10-17 16:12:28 +01:00