Merge branch 'main' into redsun82/dump-sarif

Prepare for merge from main
Do not prettify dumped SARIF file
2026-05-09 15:20:28 +00:00 · 2025-09-12 12:32:52 +02:00 · 2025-09-12 12:28:03 +02:00 · 2025-09-09 17:05:44 +02:00 · 2025-09-09 15:17:17 +02:00
149 changed files with 1647 additions and 3608 deletions
@@ -0,0 +1,4 @@
+# Configuration for the CodeQL Actions Queries
+name: "CodeQL Actions Queries config"
+queries:
+  - uses: security-and-quality
@@ -7,9 +7,9 @@ queries:
  # we include both even though one is a superset of the
  # other, because we're testing the parsing logic and
  # that the suites exist in the codeql bundle.
-  - uses: security-and-quality
  - uses: security-experimental
  - uses: security-extended
+  - uses: security-and-quality
 paths-ignore:
-  - lib
  - tests
+  - lib
@@ -8,6 +8,16 @@ env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  GO111MODULE: auto
 on:
+  push:
+    branches:
+      - main
+      - releases/v*
+  pull_request:
+    types:
+      - opened
+      - synchronize
+      - reopened
+      - ready_for_review
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -24,9 +34,6 @@ on:
        description: The version of Go to install
        required: false
        default: '>=1.21.0'
-defaults:
-  run:
-    shell: bash
 jobs:
  all-platform-bundle:
    strategy:
@@ -63,6 +70,7 @@ jobs:
          languages: cpp,csharp,go,java,javascript,python,ruby
          tools: ${{ steps.prepare-test.outputs.tools-url }}
      - name: Build code
+        shell: bash
        run: ./build.sh
      - uses: ./../action/analyze
    env:
@@ -1,449 +0,0 @@
-# Warning: This file is generated automatically, and should not be modified.
-# Instead, please modify the template in the pr-checks directory and run:
-#     pr-checks/sync.sh
-# to regenerate this file.
-
-name: Manual Check - all
-env:
-  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-  GO111MODULE: auto
-on:
-  push:
-    paths:
-      - .github/workflows/__all.yml
-  workflow_dispatch:
-    inputs:
-      go-version:
-        type: string
-        description: The version of Go to install
-        required: false
-        default: '>=1.21.0'
-      java-version:
-        type: string
-        description: The version of Java to install
-        required: false
-        default: '17'
-  workflow_call:
-    inputs:
-      go-version:
-        type: string
-        description: The version of Go to install
-        required: false
-        default: '>=1.21.0'
-      java-version:
-        type: string
-        description: The version of Java to install
-        required: false
-        default: '17'
-jobs:
-  all-platform-bundle:
-    name: All-platform bundle
-    permissions:
-      contents: read
-      security-events: read
-    uses: ./.github/workflows/__all-platform-bundle.yml
-    with:
-      go-version: ${{ inputs.go-version }}
-  analyze-ref-input:
-    name: "Analyze: 'ref' and 'sha' from inputs"
-    permissions:
-      contents: read
-      security-events: read
-    uses: ./.github/workflows/__analyze-ref-input.yml
-    with:
-      go-version: ${{ inputs.go-version }}
-  autobuild-action:
-    name: autobuild-action
-    permissions:
-      contents: read
-      security-events: read
-    uses: ./.github/workflows/__autobuild-action.yml
-    with: {}
-  autobuild-direct-tracing-with-working-dir:
-    name: Autobuild direct tracing (custom working directory)
-    permissions:
-      contents: read
-      security-events: read
-    uses: ./.github/workflows/__autobuild-direct-tracing-with-working-dir.yml
-    with:
-      java-version: ${{ inputs.java-version }}
-  autobuild-direct-tracing:
-    name: Autobuild direct tracing
-    permissions:
-      contents: read
-      security-events: read
-    uses: ./.github/workflows/__autobuild-direct-tracing.yml
-    with:
-      java-version: ${{ inputs.java-version }}
-  build-mode-autobuild:
-    name: Build mode autobuild
-    permissions:
-      contents: read
-      security-events: read
-    uses: ./.github/workflows/__build-mode-autobuild.yml
-    with: {}
-  build-mode-manual:
-    name: Build mode manual
-    permissions:
-      contents: read
-      security-events: read
-    uses: ./.github/workflows/__build-mode-manual.yml
-    with:
-      go-version: ${{ inputs.go-version }}
-  build-mode-none:
-    name: Build mode none
-    permissions:
-      contents: read
-      security-events: read
-    uses: ./.github/workflows/__build-mode-none.yml
-    with: {}
-  build-mode-rollback:
-    name: Build mode rollback
-    permissions:
-      contents: read
-      security-events: read
-    uses: ./.github/workflows/__build-mode-rollback.yml
-    with: {}
-  bundle-toolcache:
-    name: 'Bundle: Caching checks'
-    permissions:
-      contents: read
-      security-events: read
-    uses: ./.github/workflows/__bundle-toolcache.yml
-    with: {}
-  bundle-zstd:
-    name: 'Bundle: Zstandard checks'
-    permissions:
-      contents: read
-      security-events: read
-    uses: ./.github/workflows/__bundle-zstd.yml
-    with: {}
-  cleanup-db-cluster-dir:
-    name: Clean up database cluster directory
-    permissions:
-      contents: read
-      security-events: read
-    uses: ./.github/workflows/__cleanup-db-cluster-dir.yml
-    with: {}
-  config-export:
-    name: Config export
-    permissions:
-      contents: read
-      security-events: read
-    uses: ./.github/workflows/__config-export.yml
-    with: {}
-  config-input:
-    name: Config input
-    permissions:
-      contents: read
-      security-events: read
-    uses: ./.github/workflows/__config-input.yml
-    with: {}
-  cpp-deptrace-disabled:
-    name: 'C/C++: disabling autoinstalling dependencies (Linux)'
-    permissions:
-      contents: read
-      security-events: read
-    uses: ./.github/workflows/__cpp-deptrace-disabled.yml
-    with: {}
-  cpp-deptrace-enabled-on-macos:
-    name: 'C/C++: autoinstalling dependencies is skipped (macOS)'
-    permissions:
-      contents: read
-      security-events: read
-    uses: ./.github/workflows/__cpp-deptrace-enabled-on-macos.yml
-    with: {}
-  cpp-deptrace-enabled:
-    name: 'C/C++: autoinstalling dependencies (Linux)'
-    permissions:
-      contents: read
-      security-events: read
-    uses: ./.github/workflows/__cpp-deptrace-enabled.yml
-    with: {}
-  diagnostics-export:
-    name: Diagnostic export
-    permissions:
-      contents: read
-      security-events: read
-    uses: ./.github/workflows/__diagnostics-export.yml
-    with: {}
-  export-file-baseline-information:
-    name: Export file baseline information
-    permissions:
-      contents: read
-      security-events: read
-    uses: ./.github/workflows/__export-file-baseline-information.yml
-    with:
-      go-version: ${{ inputs.go-version }}
-  extractor-ram-threads:
-    name: Extractor ram and threads options test
-    permissions:
-      contents: read
-      security-events: read
-    uses: ./.github/workflows/__extractor-ram-threads.yml
-    with: {}
-  go-custom-queries:
-    name: 'Go: Custom queries'
-    permissions:
-      contents: read
-      security-events: read
-    uses: ./.github/workflows/__go-custom-queries.yml
-    with:
-      go-version: ${{ inputs.go-version }}
-  go-indirect-tracing-workaround-diagnostic:
-    name: 'Go: diagnostic when Go is changed after init step'
-    permissions:
-      contents: read
-      security-events: read
-    uses: ./.github/workflows/__go-indirect-tracing-workaround-diagnostic.yml
-    with:
-      go-version: ${{ inputs.go-version }}
-  go-indirect-tracing-workaround-no-file-program:
-    name: 'Go: diagnostic when `file` is not installed'
-    permissions:
-      contents: read
-      security-events: read
-    uses: ./.github/workflows/__go-indirect-tracing-workaround-no-file-program.yml
-    with:
-      go-version: ${{ inputs.go-version }}
-  go-indirect-tracing-workaround:
-    name: 'Go: workaround for indirect tracing'
-    permissions:
-      contents: read
-      security-events: read
-    uses: ./.github/workflows/__go-indirect-tracing-workaround.yml
-    with:
-      go-version: ${{ inputs.go-version }}
-  go-tracing-autobuilder:
-    name: 'Go: tracing with autobuilder step'
-    permissions:
-      contents: read
-      security-events: read
-    uses: ./.github/workflows/__go-tracing-autobuilder.yml
-    with:
-      go-version: ${{ inputs.go-version }}
-  go-tracing-custom-build-steps:
-    name: 'Go: tracing with custom build steps'
-    permissions:
-      contents: read
-      security-events: read
-    uses: ./.github/workflows/__go-tracing-custom-build-steps.yml
-    with:
-      go-version: ${{ inputs.go-version }}
-  go-tracing-legacy-workflow:
-    name: 'Go: tracing with legacy workflow'
-    permissions:
-      contents: read
-      security-events: read
-    uses: ./.github/workflows/__go-tracing-legacy-workflow.yml
-    with:
-      go-version: ${{ inputs.go-version }}
-  init-with-registries:
-    name: 'Packaging: Download using registries'
-    permissions:
-      contents: read
-      security-events: read
-    uses: ./.github/workflows/__init-with-registries.yml
-    with: {}
-  javascript-source-root:
-    name: Custom source root
-    permissions:
-      contents: read
-      security-events: read
-    uses: ./.github/workflows/__javascript-source-root.yml
-    with: {}
-  job-run-uuid-sarif:
-    name: Job run UUID added to SARIF
-    permissions:
-      contents: read
-      security-events: read
-    uses: ./.github/workflows/__job-run-uuid-sarif.yml
-    with: {}
-  language-aliases:
-    name: Language aliases
-    permissions:
-      contents: read
-      security-events: read
-    uses: ./.github/workflows/__language-aliases.yml
-    with: {}
-  multi-language-autodetect:
-    name: Multi-language repository
-    permissions:
-      contents: read
-      security-events: read
-    uses: ./.github/workflows/__multi-language-autodetect.yml
-    with:
-      go-version: ${{ inputs.go-version }}
-  overlay-init-fallback:
-    name: Overlay database init fallback
-    permissions:
-      contents: read
-      security-events: read
-    uses: ./.github/workflows/__overlay-init-fallback.yml
-    with: {}
-  packaging-codescanning-config-inputs-js:
-    name: 'Packaging: Config and input passed to the CLI'
-    permissions:
-      contents: read
-      security-events: read
-    uses: ./.github/workflows/__packaging-codescanning-config-inputs-js.yml
-    with:
-      go-version: ${{ inputs.go-version }}
-  packaging-config-inputs-js:
-    name: 'Packaging: Config and input'
-    permissions:
-      contents: read
-      security-events: read
-    uses: ./.github/workflows/__packaging-config-inputs-js.yml
-    with:
-      go-version: ${{ inputs.go-version }}
-  packaging-config-js:
-    name: 'Packaging: Config file'
-    permissions:
-      contents: read
-      security-events: read
-    uses: ./.github/workflows/__packaging-config-js.yml
-    with:
-      go-version: ${{ inputs.go-version }}
-  packaging-inputs-js:
-    name: 'Packaging: Action input'
-    permissions:
-      contents: read
-      security-events: read
-    uses: ./.github/workflows/__packaging-inputs-js.yml
-    with:
-      go-version: ${{ inputs.go-version }}
-  quality-queries:
-    name: Quality queries input
-    permissions:
-      contents: read
-      security-events: read
-    uses: ./.github/workflows/__quality-queries.yml
-    with: {}
-  remote-config:
-    name: Remote config file
-    permissions:
-      contents: read
-      security-events: read
-    uses: ./.github/workflows/__remote-config.yml
-    with:
-      go-version: ${{ inputs.go-version }}
-  resolve-environment-action:
-    name: Resolve environment
-    permissions:
-      contents: read
-      security-events: read
-    uses: ./.github/workflows/__resolve-environment-action.yml
-    with: {}
-  rubocop-multi-language:
-    name: RuboCop multi-language
-    permissions:
-      contents: read
-      security-events: read
-    uses: ./.github/workflows/__rubocop-multi-language.yml
-    with: {}
-  ruby:
-    name: Ruby analysis
-    permissions:
-      contents: read
-      security-events: read
-    uses: ./.github/workflows/__ruby.yml
-    with: {}
-  rust:
-    name: Rust analysis
-    permissions:
-      contents: read
-      security-events: read
-    uses: ./.github/workflows/__rust.yml
-    with: {}
-  split-workflow:
-    name: Split workflow
-    permissions:
-      contents: read
-      security-events: read
-    uses: ./.github/workflows/__split-workflow.yml
-    with:
-      go-version: ${{ inputs.go-version }}
-  start-proxy:
-    name: Start proxy
-    permissions:
-      contents: read
-      security-events: read
-    uses: ./.github/workflows/__start-proxy.yml
-    with: {}
-  submit-sarif-failure:
-    name: Submit SARIF after failure
-    permissions:
-      contents: read
-      security-events: read
-    uses: ./.github/workflows/__submit-sarif-failure.yml
-    with: {}
-  swift-autobuild:
-    name: Swift analysis using autobuild
-    permissions:
-      contents: read
-      security-events: read
-    uses: ./.github/workflows/__swift-autobuild.yml
-    with: {}
-  swift-custom-build:
-    name: Swift analysis using a custom build command
-    permissions:
-      contents: read
-      security-events: read
-    uses: ./.github/workflows/__swift-custom-build.yml
-    with:
-      go-version: ${{ inputs.go-version }}
-  test-autobuild-working-dir:
-    name: Autobuild working directory
-    permissions:
-      contents: read
-      security-events: read
-    uses: ./.github/workflows/__test-autobuild-working-dir.yml
-    with: {}
-  test-local-codeql:
-    name: Local CodeQL bundle
-    permissions:
-      contents: read
-      security-events: read
-    uses: ./.github/workflows/__test-local-codeql.yml
-    with:
-      go-version: ${{ inputs.go-version }}
-  test-proxy:
-    name: Proxy test
-    permissions:
-      contents: read
-      security-events: read
-    uses: ./.github/workflows/__test-proxy.yml
-    with: {}
-  unset-environment:
-    name: Test unsetting environment variables
-    permissions:
-      contents: read
-      security-events: read
-    uses: ./.github/workflows/__unset-environment.yml
-    with:
-      go-version: ${{ inputs.go-version }}
-  upload-quality-sarif:
-    name: 'Upload-sarif: code quality endpoint'
-    permissions:
-      contents: read
-      security-events: read
-    uses: ./.github/workflows/__upload-quality-sarif.yml
-    with:
-      go-version: ${{ inputs.go-version }}
-  upload-ref-sha-input:
-    name: "Upload-sarif: 'ref' and 'sha' from inputs"
-    permissions:
-      contents: read
-      security-events: read
-    uses: ./.github/workflows/__upload-ref-sha-input.yml
-    with:
-      go-version: ${{ inputs.go-version }}
-  with-checkout-path:
-    name: Use a custom `checkout_path`
-    permissions:
-      contents: read
-      security-events: read
-    uses: ./.github/workflows/__with-checkout-path.yml
-    with:
-      go-version: ${{ inputs.go-version }}
@@ -8,6 +8,16 @@ env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  GO111MODULE: auto
 on:
+  push:
+    branches:
+      - main
+      - releases/v*
+  pull_request:
+    types:
+      - opened
+      - synchronize
+      - reopened
+      - ready_for_review
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -24,9 +34,6 @@ on:
        description: The version of Go to install
        required: false
        default: '>=1.21.0'
-defaults:
-  run:
-    shell: bash
 jobs:
  analyze-ref-input:
    strategy:
@@ -67,6 +74,7 @@ jobs:
          config-file: ${{ github.repository }}/tests/multi-language-repo/.github/codeql/custom-queries.yml@${{
            github.sha }}
      - name: Build code
+        shell: bash
        run: ./build.sh
      - uses: ./../action/analyze
        with:
@@ -8,15 +8,22 @@ env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  GO111MODULE: auto
 on:
+  push:
+    branches:
+      - main
+      - releases/v*
+  pull_request:
+    types:
+      - opened
+      - synchronize
+      - reopened
+      - ready_for_review
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
    inputs: {}
  workflow_call:
    inputs: {}
-defaults:
-  run:
-    shell: bash
 jobs:
  autobuild-action:
    strategy:
@@ -60,6 +67,7 @@ jobs:
          CORECLR_PROFILER_PATH_64: ''
      - uses: ./../action/analyze
      - name: Check database
+        shell: bash
        run: |
          cd "$RUNNER_TEMP/codeql_databases"
          if [[ ! -d csharp ]]; then
@@ -8,6 +8,16 @@ env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  GO111MODULE: auto
 on:
+  push:
+    branches:
+      - main
+      - releases/v*
+  pull_request:
+    types:
+      - opened
+      - synchronize
+      - reopened
+      - ready_for_review
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -24,9 +34,6 @@ on:
        description: The version of Java to install
        required: false
        default: '17'
-defaults:
-  run:
-    shell: bash
 jobs:
  autobuild-direct-tracing-with-working-dir:
    strategy:
@@ -63,6 +70,7 @@ jobs:
          java-version: ${{ inputs.java-version || '17' }}
          distribution: temurin
      - name: Test setup
+        shell: bash
        run: |
          # Make sure that Gradle build succeeds in autobuild-dir ...
          cp -a ../action/tests/java-repo autobuild-dir
@@ -74,6 +82,7 @@ jobs:
          languages: java
          tools: ${{ steps.prepare-test.outputs.tools-url }}
      - name: Check that indirect tracing is disabled
+        shell: bash
        run: |
          if [[ ! -z "${CODEQL_RUNNER}" ]]; then
            echo "Expected indirect tracing to be disabled, but the" \
@@ -8,6 +8,16 @@ env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  GO111MODULE: auto
 on:
+  push:
+    branches:
+      - main
+      - releases/v*
+  pull_request:
+    types:
+      - opened
+      - synchronize
+      - reopened
+      - ready_for_review
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -24,9 +34,6 @@ on:
        description: The version of Java to install
        required: false
        default: '17'
-defaults:
-  run:
-    shell: bash
 jobs:
  autobuild-direct-tracing:
    strategy:
@@ -63,6 +70,7 @@ jobs:
          java-version: ${{ inputs.java-version || '17' }}
          distribution: temurin
      - name: Set up Java test repo configuration
+        shell: bash
        run: |
          mv * .github ../action/tests/multi-language-repo/
          mv ../action/tests/multi-language-repo/.github/workflows .github
@@ -77,6 +85,7 @@ jobs:
          tools: ${{ steps.prepare-test.outputs.tools-url }}

      - name: Check that indirect tracing is disabled
+        shell: bash
        run: |
          if [[ ! -z "${CODEQL_RUNNER}" ]]; then
            echo "Expected indirect tracing to be disabled, but the" \
@@ -8,15 +8,22 @@ env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  GO111MODULE: auto
 on:
+  push:
+    branches:
+      - main
+      - releases/v*
+  pull_request:
+    types:
+      - opened
+      - synchronize
+      - reopened
+      - ready_for_review
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
    inputs: {}
  workflow_call:
    inputs: {}
-defaults:
-  run:
-    shell: bash
 jobs:
  build-mode-autobuild:
    strategy:
@@ -8,6 +8,16 @@ env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  GO111MODULE: auto
 on:
+  push:
+    branches:
+      - main
+      - releases/v*
+  pull_request:
+    types:
+      - opened
+      - synchronize
+      - reopened
+      - ready_for_review
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -24,9 +34,6 @@ on:
        description: The version of Go to install
        required: false
        default: '>=1.21.0'
-defaults:
-  run:
-    shell: bash
 jobs:
  build-mode-manual:
    strategy:
@@ -74,6 +81,7 @@ jobs:
          fi

      - name: Build code
+        shell: bash
        run: ./build.sh

      - uses: ./../action/analyze
@@ -8,15 +8,22 @@ env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  GO111MODULE: auto
 on:
+  push:
+    branches:
+      - main
+      - releases/v*
+  pull_request:
+    types:
+      - opened
+      - synchronize
+      - reopened
+      - ready_for_review
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
    inputs: {}
  workflow_call:
    inputs: {}
-defaults:
-  run:
-    shell: bash
 jobs:
  build-mode-none:
    strategy:
@@ -8,15 +8,22 @@ env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  GO111MODULE: auto
 on:
+  push:
+    branches:
+      - main
+      - releases/v*
+  pull_request:
+    types:
+      - opened
+      - synchronize
+      - reopened
+      - ready_for_review
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
    inputs: {}
  workflow_call:
    inputs: {}
-defaults:
-  run:
-    shell: bash
 jobs:
  build-mode-rollback:
    strategy:
@@ -8,15 +8,22 @@ env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  GO111MODULE: auto
 on:
+  push:
+    branches:
+      - main
+      - releases/v*
+  pull_request:
+    types:
+      - opened
+      - synchronize
+      - reopened
+      - ready_for_review
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
    inputs: {}
  workflow_call:
    inputs: {}
-defaults:
-  run:
-    shell: bash
 jobs:
  bundle-toolcache:
    strategy:
@@ -8,15 +8,22 @@ env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  GO111MODULE: auto
 on:
+  push:
+    branches:
+      - main
+      - releases/v*
+  pull_request:
+    types:
+      - opened
+      - synchronize
+      - reopened
+      - ready_for_review
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
    inputs: {}
  workflow_call:
    inputs: {}
-defaults:
-  run:
-    shell: bash
 jobs:
  bundle-zstd:
    strategy:
@@ -8,15 +8,22 @@ env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  GO111MODULE: auto
 on:
+  push:
+    branches:
+      - main
+      - releases/v*
+  pull_request:
+    types:
+      - opened
+      - synchronize
+      - reopened
+      - ready_for_review
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
    inputs: {}
  workflow_call:
    inputs: {}
-defaults:
-  run:
-    shell: bash
 jobs:
  cleanup-db-cluster-dir:
    strategy:
@@ -8,15 +8,22 @@ env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  GO111MODULE: auto
 on:
+  push:
+    branches:
+      - main
+      - releases/v*
+  pull_request:
+    types:
+      - opened
+      - synchronize
+      - reopened
+      - ready_for_review
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
    inputs: {}
  workflow_call:
    inputs: {}
-defaults:
-  run:
-    shell: bash
 jobs:
  config-export:
    strategy:
@@ -8,15 +8,22 @@ env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  GO111MODULE: auto
 on:
+  push:
+    branches:
+      - main
+      - releases/v*
+  pull_request:
+    types:
+      - opened
+      - synchronize
+      - reopened
+      - ready_for_review
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
    inputs: {}
  workflow_call:
    inputs: {}
-defaults:
-  run:
-    shell: bash
 jobs:
  config-input:
    strategy:
@@ -8,15 +8,22 @@ env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  GO111MODULE: auto
 on:
+  push:
+    branches:
+      - main
+      - releases/v*
+  pull_request:
+    types:
+      - opened
+      - synchronize
+      - reopened
+      - ready_for_review
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
    inputs: {}
  workflow_call:
    inputs: {}
-defaults:
-  run:
-    shell: bash
 jobs:
  cpp-deptrace-disabled:
    strategy:
@@ -46,6 +53,7 @@ jobs:
          use-all-platform-bundle: 'false'
          setup-kotlin: 'true'
      - name: Test setup
+        shell: bash
        run: |
          cp -a ../action/tests/cpp-autobuild autobuild-dir
      - uses: ./../action/init
@@ -57,7 +65,8 @@ jobs:
          working-directory: autobuild-dir
        env:
          CODEQL_EXTRACTOR_CPP_AUTOINSTALL_DEPENDENCIES: false
-      - run: |
+      - shell: bash
+        run: |
          if ls /usr/bin/errno; then
            echo "C/C++ autobuild installed errno, but it should not have since auto-install dependencies is disabled."
            exit 1
@@ -8,15 +8,22 @@ env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  GO111MODULE: auto
 on:
+  push:
+    branches:
+      - main
+      - releases/v*
+  pull_request:
+    types:
+      - opened
+      - synchronize
+      - reopened
+      - ready_for_review
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
    inputs: {}
  workflow_call:
    inputs: {}
-defaults:
-  run:
-    shell: bash
 jobs:
  cpp-deptrace-enabled-on-macos:
    strategy:
@@ -44,6 +51,7 @@ jobs:
          use-all-platform-bundle: 'false'
          setup-kotlin: 'true'
      - name: Test setup
+        shell: bash
        run: |
          cp -a ../action/tests/cpp-autobuild autobuild-dir
      - uses: ./../action/init
@@ -55,7 +63,8 @@ jobs:
          working-directory: autobuild-dir
        env:
          CODEQL_EXTRACTOR_CPP_AUTOINSTALL_DEPENDENCIES: true
-      - run: |
+      - shell: bash
+        run: |
          if ! ls /usr/bin/errno; then
            echo "As expected, CODEQL_EXTRACTOR_CPP_AUTOINSTALL_DEPENDENCIES is a no-op on macOS"
          else
@@ -8,15 +8,22 @@ env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  GO111MODULE: auto
 on:
+  push:
+    branches:
+      - main
+      - releases/v*
+  pull_request:
+    types:
+      - opened
+      - synchronize
+      - reopened
+      - ready_for_review
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
    inputs: {}
  workflow_call:
    inputs: {}
-defaults:
-  run:
-    shell: bash
 jobs:
  cpp-deptrace-enabled:
    strategy:
@@ -46,6 +53,7 @@ jobs:
          use-all-platform-bundle: 'false'
          setup-kotlin: 'true'
      - name: Test setup
+        shell: bash
        run: |
          cp -a ../action/tests/cpp-autobuild autobuild-dir
      - uses: ./../action/init
@@ -57,7 +65,8 @@ jobs:
          working-directory: autobuild-dir
        env:
          CODEQL_EXTRACTOR_CPP_AUTOINSTALL_DEPENDENCIES: true
-      - run: |
+      - shell: bash
+        run: |
          if ! ls /usr/bin/errno; then
            echo "Did not autoinstall errno"
            exit 1
@@ -8,15 +8,22 @@ env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  GO111MODULE: auto
 on:
+  push:
+    branches:
+      - main
+      - releases/v*
+  pull_request:
+    types:
+      - opened
+      - synchronize
+      - reopened
+      - ready_for_review
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
    inputs: {}
  workflow_call:
    inputs: {}
-defaults:
-  run:
-    shell: bash
 jobs:
  diagnostics-export:
    strategy:
@@ -57,6 +64,7 @@ jobs:
          languages: javascript
          tools: ${{ steps.prepare-test.outputs.tools-url }}
      - name: Add test diagnostics
+        shell: bash
        env:
          CODEQL_PATH: ${{ steps.init.outputs.codeql-path }}
        run: |
@@ -8,6 +8,16 @@ env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  GO111MODULE: auto
 on:
+  push:
+    branches:
+      - main
+      - releases/v*
+  pull_request:
+    types:
+      - opened
+      - synchronize
+      - reopened
+      - ready_for_review
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -24,9 +34,6 @@ on:
        description: The version of Go to install
        required: false
        default: '>=1.21.0'
-defaults:
-  run:
-    shell: bash
 jobs:
  export-file-baseline-information:
    strategy:
@@ -66,6 +73,7 @@ jobs:
          languages: javascript
          tools: ${{ steps.prepare-test.outputs.tools-url }}
      - name: Build code
+        shell: bash
        run: ./build.sh
      - uses: ./../action/analyze
        with:
@@ -77,6 +85,7 @@ jobs:
          path: ${{ runner.temp }}/results/javascript.sarif
          retention-days: 7
      - name: Check results
+        shell: bash
        run: |
          cd "$RUNNER_TEMP/results"
          expected_baseline_languages="c csharp go java kotlin javascript python ruby"
@@ -8,15 +8,22 @@ env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  GO111MODULE: auto
 on:
+  push:
+    branches:
+      - main
+      - releases/v*
+  pull_request:
+    types:
+      - opened
+      - synchronize
+      - reopened
+      - ready_for_review
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
    inputs: {}
  workflow_call:
    inputs: {}
-defaults:
-  run:
-    shell: bash
 jobs:
  extractor-ram-threads:
    strategy:
@@ -47,6 +54,7 @@ jobs:
          ram: 230
          threads: 1
      - name: Assert Results
+        shell: bash
        run: |
          if [ "${CODEQL_RAM}" != "230" ]; then
            echo "CODEQL_RAM is '${CODEQL_RAM}' instead of 230"
@@ -8,6 +8,16 @@ env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  GO111MODULE: auto
 on:
+  push:
+    branches:
+      - main
+      - releases/v*
+  pull_request:
+    types:
+      - opened
+      - synchronize
+      - reopened
+      - ready_for_review
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -24,9 +34,6 @@ on:
        description: The version of Go to install
        required: false
        default: '>=1.21.0'
-defaults:
-  run:
-    shell: bash
 jobs:
  go-custom-queries:
    strategy:
@@ -64,6 +71,7 @@ jobs:
          config-file: ./.github/codeql/custom-queries.yml
          tools: ${{ steps.prepare-test.outputs.tools-url }}
      - name: Build code
+        shell: bash
        run: ./build.sh
      - uses: ./../action/analyze
    env:
@@ -8,6 +8,16 @@ env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  GO111MODULE: auto
 on:
+  push:
+    branches:
+      - main
+      - releases/v*
+  pull_request:
+    types:
+      - opened
+      - synchronize
+      - reopened
+      - ready_for_review
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -24,9 +34,6 @@ on:
        description: The version of Go to install
        required: false
        default: '>=1.21.0'
-defaults:
-  run:
-    shell: bash
 jobs:
  go-indirect-tracing-workaround-diagnostic:
    strategy:
@@ -65,6 +72,7 @@ jobs:
        with:
          go-version: '1.20'
      - name: Build code
+        shell: bash
        run: go build main.go
      - uses: ./../action/analyze
        with:
@@ -8,6 +8,16 @@ env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  GO111MODULE: auto
 on:
+  push:
+    branches:
+      - main
+      - releases/v*
+  pull_request:
+    types:
+      - opened
+      - synchronize
+      - reopened
+      - ready_for_review
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -24,9 +34,6 @@ on:
        description: The version of Go to install
        required: false
        default: '>=1.21.0'
-defaults:
-  run:
-    shell: bash
 jobs:
  go-indirect-tracing-workaround-no-file-program:
    strategy:
@@ -66,6 +73,7 @@ jobs:
          languages: go
          tools: ${{ steps.prepare-test.outputs.tools-url }}
      - name: Build code
+        shell: bash
        run: go build main.go
      - uses: ./../action/analyze
        with:
@@ -8,6 +8,16 @@ env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  GO111MODULE: auto
 on:
+  push:
+    branches:
+      - main
+      - releases/v*
+  pull_request:
+    types:
+      - opened
+      - synchronize
+      - reopened
+      - ready_for_review
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -24,9 +34,6 @@ on:
        description: The version of Go to install
        required: false
        default: '>=1.21.0'
-defaults:
-  run:
-    shell: bash
 jobs:
  go-indirect-tracing-workaround:
    strategy:
@@ -61,9 +68,11 @@ jobs:
          languages: go
          tools: ${{ steps.prepare-test.outputs.tools-url }}
      - name: Build code
+        shell: bash
        run: go build main.go
      - uses: ./../action/analyze
-      - run: |
+      - shell: bash
+        run: |
          if [[ -z "${CODEQL_ACTION_GO_BINARY}" ]]; then
            echo "Expected the workaround for indirect tracing of static binaries to trigger, but the" \
              "CODEQL_ACTION_GO_BINARY environment variable is not set."
@@ -8,6 +8,16 @@ env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  GO111MODULE: auto
 on:
+  push:
+    branches:
+      - main
+      - releases/v*
+  pull_request:
+    types:
+      - opened
+      - synchronize
+      - reopened
+      - ready_for_review
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -24,9 +34,6 @@ on:
        description: The version of Go to install
        required: false
        default: '>=1.21.0'
-defaults:
-  run:
-    shell: bash
 jobs:
  go-tracing-autobuilder:
    strategy:
@@ -53,10 +60,6 @@ jobs:
            version: stable-v2.21.4
          - os: macos-latest
            version: stable-v2.21.4
-          - os: ubuntu-latest
-            version: stable-v2.22.4
-          - os: macos-latest
-            version: stable-v2.22.4
          - os: ubuntu-latest
            version: default
          - os: macos-latest
@@ -96,7 +99,8 @@ jobs:
          tools: ${{ steps.prepare-test.outputs.tools-url }}
      - uses: ./../action/autobuild
      - uses: ./../action/analyze
-      - run: |
+      - shell: bash
+        run: |
          if [[ "${CODEQL_ACTION_DID_AUTOBUILD_GOLANG}" != true ]]; then
            echo "Expected the Go autobuilder to be run, but the" \
              "CODEQL_ACTION_DID_AUTOBUILD_GOLANG environment variable was not true."
@@ -8,6 +8,16 @@ env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  GO111MODULE: auto
 on:
+  push:
+    branches:
+      - main
+      - releases/v*
+  pull_request:
+    types:
+      - opened
+      - synchronize
+      - reopened
+      - ready_for_review
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -24,9 +34,6 @@ on:
        description: The version of Go to install
        required: false
        default: '>=1.21.0'
-defaults:
-  run:
-    shell: bash
 jobs:
  go-tracing-custom-build-steps:
    strategy:
@@ -53,10 +60,6 @@ jobs:
            version: stable-v2.21.4
          - os: macos-latest
            version: stable-v2.21.4
-          - os: ubuntu-latest
-            version: stable-v2.22.4
-          - os: macos-latest
-            version: stable-v2.22.4
          - os: ubuntu-latest
            version: default
          - os: macos-latest
@@ -95,9 +98,11 @@ jobs:
          languages: go
          tools: ${{ steps.prepare-test.outputs.tools-url }}
      - name: Build code
+        shell: bash
        run: go build main.go
      - uses: ./../action/analyze
-      - run: |
+      - shell: bash
+        run: |
          # Once we start running Bash 4.2 in all environments, we can replace the
          # `! -z` flag with the more elegant `-v` which confirms that the variable
          # is actually unset and not potentially set to a blank value.
@@ -8,6 +8,16 @@ env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  GO111MODULE: auto
 on:
+  push:
+    branches:
+      - main
+      - releases/v*
+  pull_request:
+    types:
+      - opened
+      - synchronize
+      - reopened
+      - ready_for_review
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -24,9 +34,6 @@ on:
        description: The version of Go to install
        required: false
        default: '>=1.21.0'
-defaults:
-  run:
-    shell: bash
 jobs:
  go-tracing-legacy-workflow:
    strategy:
@@ -53,10 +60,6 @@ jobs:
            version: stable-v2.21.4
          - os: macos-latest
            version: stable-v2.21.4
-          - os: ubuntu-latest
-            version: stable-v2.22.4
-          - os: macos-latest
-            version: stable-v2.22.4
          - os: ubuntu-latest
            version: default
          - os: macos-latest
@@ -95,7 +98,8 @@ jobs:
          languages: go
          tools: ${{ steps.prepare-test.outputs.tools-url }}
      - uses: ./../action/analyze
-      - run: |
+      - shell: bash
+        run: |
          cd "$RUNNER_TEMP/codeql_databases"
          if [[ ! -d go ]]; then
            echo "Did not find a Go database"
@@ -18,13 +18,6 @@ on:
        description: The version of Go to install
        required: false
        default: '>=1.21.0'
-  workflow_call:
-    inputs:
-      go-version:
-        type: string
-        description: The version of Go to install
-        required: false
-        default: '>=1.21.0'
 jobs:
  go-custom-queries:
    name: 'Go: Custom queries'
@@ -8,15 +8,22 @@ env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  GO111MODULE: auto
 on:
+  push:
+    branches:
+      - main
+      - releases/v*
+  pull_request:
+    types:
+      - opened
+      - synchronize
+      - reopened
+      - ready_for_review
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
    inputs: {}
  workflow_call:
    inputs: {}
-defaults:
-  run:
-    shell: bash
 jobs:
  init-with-registries:
    strategy:
@@ -71,6 +78,7 @@ jobs:
              token: "${{ secrets.GITHUB_TOKEN }}"

      - name: Verify packages installed
+        shell: bash
        run: |
          PRIVATE_PACK="$HOME/.codeql/packages/codeql-testing/private-pack"
          CODEQL_PACK1="$HOME/.codeql/packages/codeql-testing/codeql-pack1"
@@ -92,6 +100,7 @@ jobs:
          fi

      - name: Verify qlconfig.yml file was created
+        shell: bash
        run: |
          QLCONFIG_PATH=$RUNNER_TEMP/qlconfig.yml
          echo "Expected qlconfig.yml file to be created at $QLCONFIG_PATH"
@@ -106,6 +115,7 @@ jobs:
      - name: Verify contents of qlconfig.yml
    # yq is not available on windows
        if: runner.os != 'Windows'
+        shell: bash
        run: |
          QLCONFIG_PATH=$RUNNER_TEMP/qlconfig.yml
          cat $QLCONFIG_PATH | yq -e '.registries[] | select(.url == "https://ghcr.io/v2/") | select(.packages == "*/*")'
@@ -8,15 +8,22 @@ env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  GO111MODULE: auto
 on:
+  push:
+    branches:
+      - main
+      - releases/v*
+  pull_request:
+    types:
+      - opened
+      - synchronize
+      - reopened
+      - ready_for_review
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
    inputs: {}
  workflow_call:
    inputs: {}
-defaults:
-  run:
-    shell: bash
 jobs:
  javascript-source-root:
    strategy:
@@ -46,6 +53,7 @@ jobs:
          use-all-platform-bundle: 'false'
          setup-kotlin: 'true'
      - name: Move codeql-action
+        shell: bash
        run: |
          mkdir ../new-source-root
          mv * ../new-source-root
@@ -58,6 +66,7 @@ jobs:
        with:
          skip-queries: true
      - name: Assert database exists
+        shell: bash
        run: |
          cd "$RUNNER_TEMP/codeql_databases"
          if [[ ! -d javascript ]]; then
@@ -8,15 +8,22 @@ env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  GO111MODULE: auto
 on:
+  push:
+    branches:
+      - main
+      - releases/v*
+  pull_request:
+    types:
+      - opened
+      - synchronize
+      - reopened
+      - ready_for_review
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
    inputs: {}
  workflow_call:
    inputs: {}
-defaults:
-  run:
-    shell: bash
 jobs:
  job-run-uuid-sarif:
    strategy:
@@ -56,6 +63,7 @@ jobs:
          path: ${{ runner.temp }}/results/javascript.sarif
          retention-days: 7
      - name: Check results
+        shell: bash
        run: |
          cd "$RUNNER_TEMP/results"
          actual=$(jq -r '.runs[0].properties.jobRunUuid' javascript.sarif)
@@ -8,15 +8,22 @@ env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  GO111MODULE: auto
 on:
+  push:
+    branches:
+      - main
+      - releases/v*
+  pull_request:
+    types:
+      - opened
+      - synchronize
+      - reopened
+      - ready_for_review
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
    inputs: {}
  workflow_call:
    inputs: {}
-defaults:
-  run:
-    shell: bash
 jobs:
  language-aliases:
    strategy:
@@ -8,6 +8,16 @@ env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  GO111MODULE: auto
 on:
+  push:
+    branches:
+      - main
+      - releases/v*
+  pull_request:
+    types:
+      - opened
+      - synchronize
+      - reopened
+      - ready_for_review
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -24,9 +34,6 @@ on:
        description: The version of Go to install
        required: false
        default: '>=1.21.0'
-defaults:
-  run:
-    shell: bash
 jobs:
  multi-language-autodetect:
    strategy:
@@ -53,10 +60,6 @@ jobs:
            version: stable-v2.21.4
          - os: ubuntu-latest
            version: stable-v2.21.4
-          - os: macos-latest
-            version: stable-v2.22.4
-          - os: ubuntu-latest
-            version: stable-v2.22.4
          - os: macos-latest
            version: default
          - os: ubuntu-latest
@@ -91,6 +94,7 @@ jobs:
          go-version: ${{ inputs.go-version || '>=1.21.0' }}
          cache: false
      - name: Use Xcode 16
+        shell: bash
        if: runner.os == 'macOS' && matrix.version != 'nightly-latest'
        run: sudo xcode-select -s "/Applications/Xcode_16.app"

@@ -103,6 +107,7 @@ jobs:
          tools: ${{ steps.prepare-test.outputs.tools-url }}

      - name: Build code
+        shell: bash
        run: ./build.sh

      - uses: ./../action/analyze
@@ -111,6 +116,7 @@ jobs:
          upload-database: false

      - name: Check language autodetect for all languages excluding Swift
+        shell: bash
        run: |
          CPP_DB=${{ fromJson(steps.analysis.outputs.db-locations).cpp }}
          if [[ ! -d $CPP_DB ]] || [[ ! $CPP_DB == ${{ runner.temp }}/customDbLocation/* ]]; then
@@ -150,6 +156,7 @@ jobs:

      - name: Check language autodetect for Swift on macOS
        if: runner.os == 'macOS'
+        shell: bash
        run: |
          SWIFT_DB=${{ fromJson(steps.analysis.outputs.db-locations).swift }}
          if [[ ! -d $SWIFT_DB ]] || [[ ! $SWIFT_DB == ${{ runner.temp }}/customDbLocation/* ]]; then
@@ -8,15 +8,22 @@ env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  GO111MODULE: auto
 on:
+  push:
+    branches:
+      - main
+      - releases/v*
+  pull_request:
+    types:
+      - opened
+      - synchronize
+      - reopened
+      - ready_for_review
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
    inputs: {}
  workflow_call:
    inputs: {}
-defaults:
-  run:
-    shell: bash
 jobs:
  overlay-init-fallback:
    strategy:
@@ -54,6 +61,7 @@ jobs:
        with:
          upload-database: false
      - name: Check database
+        shell: bash
        run: |
          cd "$RUNNER_TEMP/codeql_databases/actions"
          if ! grep -q 'overlayBaseDatabase: false' codeql-database.yml ; then
@@ -8,6 +8,16 @@ env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  GO111MODULE: auto
 on:
+  push:
+    branches:
+      - main
+      - releases/v*
+  pull_request:
+    types:
+      - opened
+      - synchronize
+      - reopened
+      - ready_for_review
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -24,9 +34,6 @@ on:
        description: The version of Go to install
        required: false
        default: '>=1.21.0'
-defaults:
-  run:
-    shell: bash
 jobs:
  packaging-codescanning-config-inputs-js:
    strategy:
@@ -86,6 +93,7 @@ jobs:
          languages: javascript
          tools: ${{ steps.prepare-test.outputs.tools-url }}
      - name: Build code
+        shell: bash
        run: ./build.sh
      - uses: ./../action/analyze
        with:
@@ -101,6 +109,7 @@ jobs:
          queries-not-run: foo,bar

      - name: Assert Results
+        shell: bash
        run: |
          cd "$RUNNER_TEMP/results"
          # We should have 4 hits from these rules
@@ -8,6 +8,16 @@ env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  GO111MODULE: auto
 on:
+  push:
+    branches:
+      - main
+      - releases/v*
+  pull_request:
+    types:
+      - opened
+      - synchronize
+      - reopened
+      - ready_for_review
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -24,9 +34,6 @@ on:
        description: The version of Go to install
        required: false
        default: '>=1.21.0'
-defaults:
-  run:
-    shell: bash
 jobs:
  packaging-config-inputs-js:
    strategy:
@@ -86,6 +93,7 @@ jobs:
          languages: javascript
          tools: ${{ steps.prepare-test.outputs.tools-url }}
      - name: Build code
+        shell: bash
        run: ./build.sh
      - uses: ./../action/analyze
        with:
@@ -101,6 +109,7 @@ jobs:
          queries-not-run: foo,bar

      - name: Assert Results
+        shell: bash
        run: |
          cd "$RUNNER_TEMP/results"
          # We should have 4 hits from these rules
@@ -8,6 +8,16 @@ env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  GO111MODULE: auto
 on:
+  push:
+    branches:
+      - main
+      - releases/v*
+  pull_request:
+    types:
+      - opened
+      - synchronize
+      - reopened
+      - ready_for_review
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -24,9 +34,6 @@ on:
        description: The version of Go to install
        required: false
        default: '>=1.21.0'
-defaults:
-  run:
-    shell: bash
 jobs:
  packaging-config-js:
    strategy:
@@ -85,6 +92,7 @@ jobs:
          languages: javascript
          tools: ${{ steps.prepare-test.outputs.tools-url }}
      - name: Build code
+        shell: bash
        run: ./build.sh
      - uses: ./../action/analyze
        with:
@@ -100,6 +108,7 @@ jobs:
          queries-not-run: foo,bar

      - name: Assert Results
+        shell: bash
        run: |
          cd "$RUNNER_TEMP/results"
          # We should have 4 hits from these rules
@@ -8,6 +8,16 @@ env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  GO111MODULE: auto
 on:
+  push:
+    branches:
+      - main
+      - releases/v*
+  pull_request:
+    types:
+      - opened
+      - synchronize
+      - reopened
+      - ready_for_review
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -24,9 +34,6 @@ on:
        description: The version of Go to install
        required: false
        default: '>=1.21.0'
-defaults:
-  run:
-    shell: bash
 jobs:
  packaging-inputs-js:
    strategy:
@@ -86,6 +93,7 @@ jobs:
          packs: codeql-testing/codeql-pack1@1.0.0, codeql-testing/codeql-pack2, codeql-testing/codeql-pack3:other-query.ql
          tools: ${{ steps.prepare-test.outputs.tools-url }}
      - name: Build code
+        shell: bash
        run: ./build.sh
      - uses: ./../action/analyze
        with:
@@ -100,6 +108,7 @@ jobs:
          queries-not-run: foo,bar

      - name: Assert Results
+        shell: bash
        run: |
          cd "$RUNNER_TEMP/results"
          # We should have 4 hits from these rules
@@ -8,15 +8,22 @@ env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  GO111MODULE: auto
 on:
+  push:
+    branches:
+      - main
+      - releases/v*
+  pull_request:
+    types:
+      - opened
+      - synchronize
+      - reopened
+      - ready_for_review
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
    inputs: {}
  workflow_call:
    inputs: {}
-defaults:
-  run:
-    shell: bash
 jobs:
  quality-queries:
    strategy:
@@ -8,6 +8,16 @@ env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  GO111MODULE: auto
 on:
+  push:
+    branches:
+      - main
+      - releases/v*
+  pull_request:
+    types:
+      - opened
+      - synchronize
+      - reopened
+      - ready_for_review
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -24,9 +34,6 @@ on:
        description: The version of Go to install
        required: false
        default: '>=1.21.0'
-defaults:
-  run:
-    shell: bash
 jobs:
  remote-config:
    strategy:
@@ -65,6 +72,7 @@ jobs:
          config-file: ${{ github.repository }}/tests/multi-language-repo/.github/codeql/custom-queries.yml@${{
            github.sha }}
      - name: Build code
+        shell: bash
        run: ./build.sh
      - uses: ./../action/analyze
    env:
@@ -8,15 +8,22 @@ env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  GO111MODULE: auto
 on:
+  push:
+    branches:
+      - main
+      - releases/v*
+  pull_request:
+    types:
+      - opened
+      - synchronize
+      - reopened
+      - ready_for_review
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
    inputs: {}
  workflow_call:
    inputs: {}
-defaults:
-  run:
-    shell: bash
 jobs:
  resolve-environment-action:
    strategy:
@@ -8,15 +8,22 @@ env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  GO111MODULE: auto
 on:
+  push:
+    branches:
+      - main
+      - releases/v*
+  pull_request:
+    types:
+      - opened
+      - synchronize
+      - reopened
+      - ready_for_review
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
    inputs: {}
  workflow_call:
    inputs: {}
-defaults:
-  run:
-    shell: bash
 jobs:
  rubocop-multi-language:
    strategy:
@@ -46,10 +53,13 @@ jobs:
        with:
          ruby-version: 2.6
      - name: Install Code Scanning integration
+        shell: bash
        run: bundle add code-scanning-rubocop --version 0.3.0 --skip-install
      - name: Install dependencies
+        shell: bash
        run: bundle install
      - name: RuboCop run
+        shell: bash
        run: |
          bash -c "
            bundle exec rubocop --require code_scanning --format CodeScanning::SarifFormatter -o rubocop.sarif
@@ -8,15 +8,22 @@ env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  GO111MODULE: auto
 on:
+  push:
+    branches:
+      - main
+      - releases/v*
+  pull_request:
+    types:
+      - opened
+      - synchronize
+      - reopened
+      - ready_for_review
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
    inputs: {}
  workflow_call:
    inputs: {}
-defaults:
-  run:
-    shell: bash
 jobs:
  ruby:
    strategy:
@@ -60,6 +67,7 @@ jobs:
        with:
          upload-database: false
      - name: Check database
+        shell: bash
        run: |
          RUBY_DB="${{ fromJson(steps.analysis.outputs.db-locations).ruby }}"
          if [[ ! -d "$RUBY_DB" ]]; then
@@ -8,15 +8,22 @@ env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  GO111MODULE: auto
 on:
+  push:
+    branches:
+      - main
+      - releases/v*
+  pull_request:
+    types:
+      - opened
+      - synchronize
+      - reopened
+      - ready_for_review
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
    inputs: {}
  workflow_call:
    inputs: {}
-defaults:
-  run:
-    shell: bash
 jobs:
  rust:
    strategy:
@@ -58,6 +65,7 @@ jobs:
        with:
          upload-database: false
      - name: Check database
+        shell: bash
        run: |
          RUST_DB="${{ fromJson(steps.analysis.outputs.db-locations).rust }}"
          if [[ ! -d "$RUST_DB" ]]; then
@@ -8,6 +8,16 @@ env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  GO111MODULE: auto
 on:
+  push:
+    branches:
+      - main
+      - releases/v*
+  pull_request:
+    types:
+      - opened
+      - synchronize
+      - reopened
+      - ready_for_review
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -24,9 +34,6 @@ on:
        description: The version of Go to install
        required: false
        default: '>=1.21.0'
-defaults:
-  run:
-    shell: bash
 jobs:
  split-workflow:
    strategy:
@@ -73,6 +80,7 @@ jobs:
          languages: javascript
          tools: ${{ steps.prepare-test.outputs.tools-url }}
      - name: Build code
+        shell: bash
        run: ./build.sh
      - uses: ./../action/analyze
        with:
@@ -81,6 +89,7 @@ jobs:
          upload-database: false

      - name: Assert No Results
+        shell: bash
        run: |
          if [ "$(ls -A $RUNNER_TEMP/results)" ]; then
            echo "Expected results directory to be empty after skipping query execution!"
@@ -91,6 +100,7 @@ jobs:
          output: ${{ runner.temp }}/results
          upload-database: false
      - name: Assert Results
+        shell: bash
        run: |
          cd "$RUNNER_TEMP/results"
          # We should have 4 hits from these rules
@@ -8,15 +8,22 @@ env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  GO111MODULE: auto
 on:
+  push:
+    branches:
+      - main
+      - releases/v*
+  pull_request:
+    types:
+      - opened
+      - synchronize
+      - reopened
+      - ready_for_review
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
    inputs: {}
  workflow_call:
    inputs: {}
-defaults:
-  run:
-    shell: bash
 jobs:
  start-proxy:
    strategy:
@@ -8,15 +8,22 @@ env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  GO111MODULE: auto
 on:
+  push:
+    branches:
+      - main
+      - releases/v*
+  pull_request:
+    types:
+      - opened
+      - synchronize
+      - reopened
+      - ready_for_review
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
    inputs: {}
  workflow_call:
    inputs: {}
-defaults:
-  run:
-    shell: bash
 jobs:
  submit-sarif-failure:
    strategy:
@@ -8,15 +8,22 @@ env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  GO111MODULE: auto
 on:
+  push:
+    branches:
+      - main
+      - releases/v*
+  pull_request:
+    types:
+      - opened
+      - synchronize
+      - reopened
+      - ready_for_review
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
    inputs: {}
  workflow_call:
    inputs: {}
-defaults:
-  run:
-    shell: bash
 jobs:
  swift-autobuild:
    strategy:
@@ -48,6 +55,7 @@ jobs:
          build-mode: autobuild
          tools: ${{ steps.prepare-test.outputs.tools-url }}
      - name: Check working directory
+        shell: bash
        run: pwd
      - uses: ./../action/autobuild
        timeout-minutes: 30
@@ -56,6 +64,7 @@ jobs:
        with:
          upload-database: false
      - name: Check database
+        shell: bash
        run: |
          SWIFT_DB="${{ fromJson(steps.analysis.outputs.db-locations).swift }}"
          if [[ ! -d "$SWIFT_DB" ]]; then
@@ -8,6 +8,16 @@ env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  GO111MODULE: auto
 on:
+  push:
+    branches:
+      - main
+      - releases/v*
+  pull_request:
+    types:
+      - opened
+      - synchronize
+      - reopened
+      - ready_for_review
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -24,9 +34,6 @@ on:
        description: The version of Go to install
        required: false
        default: '>=1.21.0'
-defaults:
-  run:
-    shell: bash
 jobs:
  swift-custom-build:
    strategy:
@@ -61,6 +68,7 @@ jobs:
          go-version: ${{ inputs.go-version || '>=1.21.0' }}
          cache: false
      - name: Use Xcode 16
+        shell: bash
        if: runner.os == 'macOS' && matrix.version != 'nightly-latest'
        run: sudo xcode-select -s "/Applications/Xcode_16.app"
      - uses: ./../action/init
@@ -69,14 +77,17 @@ jobs:
          languages: swift
          tools: ${{ steps.prepare-test.outputs.tools-url }}
      - name: Check working directory
+        shell: bash
        run: pwd
      - name: Build code
+        shell: bash
        run: ./build.sh
      - uses: ./../action/analyze
        id: analysis
        with:
          upload-database: false
      - name: Check database
+        shell: bash
        run: |
          SWIFT_DB="${{ fromJson(steps.analysis.outputs.db-locations).swift }}"
          if [[ ! -d "$SWIFT_DB" ]]; then
@@ -8,15 +8,22 @@ env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  GO111MODULE: auto
 on:
+  push:
+    branches:
+      - main
+      - releases/v*
+  pull_request:
+    types:
+      - opened
+      - synchronize
+      - reopened
+      - ready_for_review
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
    inputs: {}
  workflow_call:
    inputs: {}
-defaults:
-  run:
-    shell: bash
 jobs:
  test-autobuild-working-dir:
    strategy:
@@ -42,6 +49,7 @@ jobs:
          use-all-platform-bundle: 'false'
          setup-kotlin: 'true'
      - name: Test setup
+        shell: bash
        run: |
          # Make sure that Gradle build succeeds in autobuild-dir ...
          cp -a ../action/tests/java-repo autobuild-dir
@@ -56,6 +64,7 @@ jobs:
          working-directory: autobuild-dir
      - uses: ./../action/analyze
      - name: Check database
+        shell: bash
        run: |
          cd "$RUNNER_TEMP/codeql_databases"
          if [[ ! -d java ]]; then
@@ -8,6 +8,16 @@ env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  GO111MODULE: auto
 on:
+  push:
+    branches:
+      - main
+      - releases/v*
+  pull_request:
+    types:
+      - opened
+      - synchronize
+      - reopened
+      - ready_for_review
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -24,9 +34,6 @@ on:
        description: The version of Go to install
        required: false
        default: '>=1.21.0'
-defaults:
-  run:
-    shell: bash
 jobs:
  test-local-codeql:
    strategy:
@@ -57,6 +64,7 @@ jobs:
          go-version: ${{ inputs.go-version || '>=1.21.0' }}
          cache: false
      - name: Fetch a CodeQL bundle
+        shell: bash
        env:
          CODEQL_URL: ${{ steps.prepare-test.outputs.tools-url }}
        run: |
@@ -68,6 +76,7 @@ jobs:
          languages: cpp,csharp,go,java,javascript,python,ruby
          tools: ./codeql-bundle-linux64.tar.zst
      - name: Build code
+        shell: bash
        run: ./build.sh
      - uses: ./../action/analyze
    env:
@@ -8,15 +8,22 @@ env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  GO111MODULE: auto
 on:
+  push:
+    branches:
+      - main
+      - releases/v*
+  pull_request:
+    types:
+      - opened
+      - synchronize
+      - reopened
+      - ready_for_review
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
    inputs: {}
  workflow_call:
    inputs: {}
-defaults:
-  run:
-    shell: bash
 jobs:
  test-proxy:
    strategy:
@@ -8,6 +8,16 @@ env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  GO111MODULE: auto
 on:
+  push:
+    branches:
+      - main
+      - releases/v*
+  pull_request:
+    types:
+      - opened
+      - synchronize
+      - reopened
+      - ready_for_review
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -24,9 +34,6 @@ on:
        description: The version of Go to install
        required: false
        default: '>=1.21.0'
-defaults:
-  run:
-    shell: bash
 jobs:
  unset-environment:
    strategy:
@@ -66,12 +73,14 @@ jobs:
          languages: cpp,csharp,go,java,javascript,python,ruby
          tools: ${{ steps.prepare-test.outputs.tools-url }}
      - name: Build code
+        shell: bash
        run: env -i PATH="$PATH" HOME="$HOME" ./build.sh
      - uses: ./../action/analyze
        id: analysis
        with:
          upload-database: false
-      - run: |
+      - shell: bash
+        run: |
          CPP_DB="${{ fromJson(steps.analysis.outputs.db-locations).cpp }}"
          if [[ ! -d "$CPP_DB" ]] || [[ ! "$CPP_DB" == "${RUNNER_TEMP}/customDbLocation/cpp" ]]; then
            echo "::error::Did not create a database for CPP, or created it in the wrong location." \
@@ -8,6 +8,16 @@ env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  GO111MODULE: auto
 on:
+  push:
+    branches:
+      - main
+      - releases/v*
+  pull_request:
+    types:
+      - opened
+      - synchronize
+      - reopened
+      - ready_for_review
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -24,9 +34,6 @@ on:
        description: The version of Go to install
        required: false
        default: '>=1.21.0'
-defaults:
-  run:
-    shell: bash
 jobs:
  upload-quality-sarif:
    strategy:
@@ -63,9 +70,12 @@ jobs:
      - uses: ./../action/init
        with:
          tools: ${{ steps.prepare-test.outputs.tools-url }}
-          languages: csharp,java,javascript,python
-          analysis-kinds: code-quality
+          languages: cpp,csharp,java,javascript,python
+          config-file: ${{ github.repository }}/tests/multi-language-repo/.github/codeql/custom-queries.yml@${{
+            github.sha }}
+          analysis-kinds: code-scanning,code-quality
      - name: Build code
+        shell: bash
        run: ./build.sh
  # Generate some SARIF we can upload with the upload-sarif step
      - uses: ./../action/analyze
@@ -74,12 +84,8 @@ jobs:
          sha: 5e235361806c361d4d3f8859e3c897658025a9a2
          upload: never
      - uses: ./../action/upload-sarif
-        id: upload-sarif
        with:
          ref: refs/heads/main
          sha: 5e235361806c361d4d3f8859e3c897658025a9a2
-      - name: Check output from `upload-sarif` step
-        if: fromJSON(steps.upload-sarif.outputs.sarif-ids)[0].analysis != 'code-quality'
-        run: exit 1
    env:
      CODEQL_ACTION_TEST_MODE: true
@@ -8,6 +8,16 @@ env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  GO111MODULE: auto
 on:
+  push:
+    branches:
+      - main
+      - releases/v*
+  pull_request:
+    types:
+      - opened
+      - synchronize
+      - reopened
+      - ready_for_review
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -24,9 +34,6 @@ on:
        description: The version of Go to install
        required: false
        default: '>=1.21.0'
-defaults:
-  run:
-    shell: bash
 jobs:
  upload-ref-sha-input:
    strategy:
@@ -67,6 +74,7 @@ jobs:
          config-file: ${{ github.repository }}/tests/multi-language-repo/.github/codeql/custom-queries.yml@${{
            github.sha }}
      - name: Build code
+        shell: bash
        run: ./build.sh
  # Generate some SARIF we can upload with the upload-sarif step
      - uses: ./../action/analyze
@@ -8,6 +8,16 @@ env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  GO111MODULE: auto
 on:
+  push:
+    branches:
+      - main
+      - releases/v*
+  pull_request:
+    types:
+      - opened
+      - synchronize
+      - reopened
+      - ready_for_review
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -24,9 +34,6 @@ on:
        description: The version of Go to install
        required: false
        default: '>=1.21.0'
-defaults:
-  run:
-    shell: bash
 jobs:
  with-checkout-path:
    strategy:
@@ -61,6 +68,7 @@ jobs:
          go-version: ${{ inputs.go-version || '>=1.21.0' }}
          cache: false
      - name: Delete original checkout
+        shell: bash
        run: |
          # delete the original checkout so we don't accidentally use it.
          # Actions does not support deleting the current working directory, so we
@@ -81,6 +89,7 @@ jobs:
          source-root: x/y/z/some-path/tests/multi-language-repo

      - name: Build code
+        shell: bash
        working-directory: x/y/z/some-path/tests/multi-language-repo
        run: |
          ./build.sh
@@ -92,6 +101,7 @@ jobs:
          sha: 474bbf07f9247ffe1856c6a0f94aeeb10e7afee6

      - name: Verify SARIF after upload
+        shell: bash
        run: |
          EXPECTED_COMMIT_OID="474bbf07f9247ffe1856c6a0f94aeeb10e7afee6"
          EXPECTED_REF="v1.1.0"
@@ -9,10 +9,6 @@ on:
    # by other workflows.
    types: [opened, synchronize, reopened, ready_for_review]

-defaults:
-  run:
-    shell: bash
-
 jobs:
  check-expected-release-files:
    runs-on: ubuntu-latest
@@ -13,10 +13,6 @@ on:
    - cron: '30 1 * * 0'
  workflow_dispatch:

-defaults:
-  run:
-    shell: bash
-
 env:
  CODEQL_ACTION_TESTING_ENVIRONMENT: codeql-action-pr-checks

@@ -95,29 +91,22 @@ jobs:
      id: init
      with:
        languages: javascript
-        config-file: ./.github/codeql/codeql-config-javascript.yml
+        config-file: ./.github/codeql/codeql-config.yml
        tools: ${{ matrix.tools }}
    # confirm steps.init.outputs.codeql-path points to the codeql binary
    - name: Print CodeQL Version
-      run: >
-        "$CODEQL" version --format=json
-      env:
-        CODEQL: ${{steps.init.outputs.codeql-path}}
+      run: ${{steps.init.outputs.codeql-path}} version --format=json
    - name: Perform CodeQL Analysis
      uses: ./analyze
      with:
        category: "/language:javascript"
-        upload: ${{ (matrix.os == 'ubuntu-24.04' && !matrix.tools && 'always') || 'never' }}

-  analyze-other:
+
+  analyze-actions:
    runs-on: ubuntu-latest

    strategy:
      fail-fast: false
-      matrix:
-        include:
-          - language: actions
-          - language: python

    permissions:
      contents: read
@@ -129,15 +118,9 @@ jobs:
    - name: Initialize CodeQL
      uses: ./init
      with:
-        languages: ${{ matrix.language }}
-        build-mode: none
-        config: >
-          paths-ignore:
-            - lib
-            - tests
-          queries:
-            - uses: security-and-quality
+        languages: actions
+        config-file: ./.github/codeql/codeql-actions-config.yml
    - name: Perform CodeQL Analysis
      uses: ./analyze
      with:
-        category: "/language:${{ matrix.language }}"
+        category: "/language:actions"
@@ -22,10 +22,6 @@ on:
    - cron: '0 5 * * *'
  workflow_dispatch: {}

-defaults:
-  run:
-    shell: bash
-
 jobs:
  code-scanning-config-tests:
    continue-on-error: true
@@ -17,11 +17,6 @@ on:
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch: {}
-
-defaults:
-  run:
-    shell: bash
-
 jobs:
  upload-artifacts:
    strategy:
@@ -60,6 +55,7 @@ jobs:
          debug-artifact-name: my-debug-artifacts
          debug-database-name: my-db
      - name: Build code
+        shell: bash
        run: ./build.sh
      - uses: ./../action/analyze
        id: analysis
@@ -79,6 +75,7 @@ jobs:
      - name: Download all artifacts
        uses: actions/download-artifact@v5
      - name: Check expected artifacts exist
+        shell: bash
        run: |
          LANGUAGES="cpp csharp go java javascript python"
          for version in $VERSIONS; do
@@ -16,11 +16,6 @@ on:
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch: {}
-
-defaults:
-  run:
-    shell: bash
-
 jobs:
  upload-artifacts:
    strategy:
@@ -59,6 +54,7 @@ jobs:
          # We manually exclude Swift from the languages list here, as it is not supported on Ubuntu
          languages: cpp,csharp,go,java,javascript,python,ruby
      - name: Build code
+        shell: bash
        run: ./build.sh
      - uses: ./../action/analyze
        id: analysis
@@ -73,6 +69,7 @@ jobs:
      - name: Download all artifacts
        uses: actions/download-artifact@v5
      - name: Check expected artifacts exist
+        shell: bash
        run: |
          VERSIONS="stable-v2.20.3 default linked nightly-latest"
          LANGUAGES="cpp csharp go java javascript python"
@@ -18,10 +18,6 @@ on:
    branches:
      - releases/v*

-defaults:
-  run:
-    shell: bash
-
 jobs:
  merge-back:
    runs-on: ubuntu-latest
@@ -8,10 +8,6 @@ on:
    types: [opened, synchronize, reopened, ready_for_review]
  workflow_dispatch:

-defaults:
-  run:
-    shell: bash
-
 jobs:
  unit-tests:
    name: Unit Tests
@@ -26,12 +22,8 @@ jobs:
    timeout-minutes: 45

    steps:
-      - name: Prepare git (Windows)
-        if: runner.os == 'Windows'
-        run: git config --global core.autocrlf false
-
      - uses: actions/checkout@v5
-
+      
      - name: Set up Node.js
        uses: actions/setup-node@v4
        with:
@@ -70,12 +62,6 @@ jobs:
          sarif_file: eslint.sarif
          category: eslint

-  pr-checks:
-    name: "Run all PR checks"
-    needs:
-      - unit-tests
-    uses: ./.github/workflows/__all.yml
-
  check-node-version:
    if: github.event.pull_request
    name: Check Action Node versions
@@ -22,10 +22,6 @@ on:
    paths:
      - .github/workflows/prepare-release.yml

-defaults:
-  run:
-    shell: bash
-
 jobs:
  prepare:
    name: "Prepare release"
@@ -4,10 +4,6 @@ on:
  release:
    types: [published]

-defaults:
-  run:
-    shell: bash
-
 jobs:
  publish:
    runs-on: ubuntu-latest
@@ -12,10 +12,6 @@ on:
    - cron: '0 0 * * 1'
  workflow_dispatch:

-defaults:
-  run:
-    shell: bash
-
 jobs:
  test-setup-python-scripts:
    env:
@@ -15,10 +15,6 @@ on:
    - cron: '0 5 * * *'
  workflow_dispatch: {}

-defaults:
-  run:
-    shell: bash
-
 jobs:
  query-filters:
    name: Query Filters Tests
@@ -5,10 +5,6 @@ on:
    types: [labeled]
  workflow_dispatch:

-defaults:
-  run:
-    shell: bash
-
 jobs:
  rebuild:
    name: Rebuild Action
@@ -14,10 +14,6 @@ on:
      - .github/workflows/rollback-release.yml
      - .github/actions/prepare-mergeback-branch/**

-defaults:
-  run:
-    shell: bash
-
 jobs:
  prepare:
    name: "Prepare release"
@@ -57,6 +53,7 @@ jobs:

      - name: Create tag for testing
        if: github.event_name != 'workflow_dispatch'
+        shell: bash
        run: git tag v0.0.0

      # We start by preparing the mergeback branch, mainly so that we have the updated changelog
@@ -99,6 +96,7 @@ jobs:
          echo "::endgroup::"

      - name: Create tags
+        shell: bash
        env:
          # We usually expect to checkout `inputs.rollback-tag` (required for `workflow_dispatch`),
          # but use `v0.0.0` for testing.
@@ -113,6 +111,7 @@ jobs:
      - name: Push tags
        # skip when testing
        if: github.event_name == 'workflow_dispatch'
+        shell: bash
        env:
          RELEASE_TAG: ${{ needs.prepare.outputs.version }}
          MAJOR_VERSION_TAG: ${{ needs.prepare.outputs.major_version }}
@@ -161,6 +160,7 @@ jobs:
          echo "Created draft rollback release at $RELEASE_URL" >> $GITHUB_STEP_SUMMARY

      - name: Update changelog
+        shell: bash
        env:
          NEW_CHANGELOG: "${{ runner.temp }}/new_changelog.md"
          NEW_BRANCH: "${{ steps.mergeback-branch.outputs.new-branch }}"
@@ -16,9 +16,6 @@ on:
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch: {}
-defaults:
-  run:
-    shell: bash
 jobs:
  test-codeql-bundle-all:
    strategy:
@@ -49,6 +46,7 @@ jobs:
        languages: cpp,csharp,go,java,javascript,python,ruby 
        tools: ${{ steps.prepare-test.outputs.tools-url }}
    - name: Build code
+      shell: bash
      run: ./build.sh
    - uses: ./../action/analyze
    env:
@@ -13,10 +13,6 @@ on:
    # to filter pre-release attribute.
    types: [published]

-defaults:
-  run:
-    shell: bash
-
 jobs:
  update-bundle:
    if: github.event.release.prerelease && startsWith(github.event.release.tag_name, 'codeql-bundle-')
@@ -7,10 +7,6 @@ on:
        type: string
        required: true

-defaults:
-  run:
-    shell: bash
-
 jobs:
  update:
    name: Update code and create PR
@@ -24,6 +20,7 @@ jobs:
    steps:
      - name: Check release tag format
        id: checks
+        shell: bash
        run: |
          if ! [[ $RELEASE_TAG =~ ^codeql-bundle-v[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
            echo "Invalid release tag: expected a CodeQL bundle tag in the 'codeql-bundle-vM.N.P' format."
@@ -33,6 +30,7 @@ jobs:
          echo "target_branch=dependency-proxy/$RELEASE_TAG" >> $GITHUB_OUTPUT

      - name: Check that the release exists
+        shell: bash
        env:
          GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
        run: |
@@ -48,17 +46,20 @@ jobs:
          ref: main

      - name: Update git config
+        shell: bash
        run: |
          git config --global user.email "41898282+github-actions[bot]@users.noreply.github.com"
          git config --global user.name "github-actions[bot]"

      - name: Update release tag and version
+        shell: bash
        run: |
          NOW=$(date +"%Y%m%d%H%M%S") # only used to make sure we don't fetch stale binaries from the toolcache
          sed -i "s|https://github.com/github/codeql-action/releases/download/codeql-bundle-v[0-9.]\+/|https://github.com/github/codeql-action/releases/download/$RELEASE_TAG/|g" ./src/start-proxy-action.ts
          sed -i "s/\"v2.0.[0-9]\+\"/\"v2.0.$NOW\"/g" ./src/start-proxy-action.ts

      - name: Compile TypeScript and commit changes
+        shell: bash
        env:
          TARGET_BRANCH: ${{ steps.checks.outputs.target_branch }}
        run: |
@@ -71,6 +72,7 @@ jobs:
          git commit -m "Update release used by \`start-proxy\` action"

      - name: Push changes and open PR
+        shell: bash
        env:
          GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
          TARGET_BRANCH: ${{ steps.checks.outputs.target_branch }}
@@ -11,10 +11,6 @@ on:
    branches:
      - releases/*

-defaults:
-  run:
-    shell: bash
-
 jobs:

  prepare:
@@ -5,7 +5,6 @@ See the [releases page](https://github.com/github/codeql-action/releases) for th
 ## [UNRELEASED]

 - We have improved the CodeQL Action's ability to validate that the workflow it is used in does not use different versions of the CodeQL Action for different workflow steps. Mixing different versions of the CodeQL Action in the same workflow is unsupported and can lead to unpredictable results. A warning will now be emitted from the `codeql-action/init` step if different versions of the CodeQL Action are detected in the workflow file. Additionally, an error will now be thrown by the other CodeQL Action steps if they load a configuration file that was generated by a different version of the `codeql-action/init` step. [#3099](https://github.com/github/codeql-action/pull/3099) and [#3100](https://github.com/github/codeql-action/pull/3100)
- We added support for reducing the size of dependency caches for Java analyses, which will reduce cache usage and speed up workflows. This will be enabled automatically at a later time. [#3107](https://github.com/github/codeql-action/pull/3107)

 ## 3.30.3 - 10 Sep 2025

@@ -58,7 +58,7 @@ inputs:
    # If changing this, make sure to update workflow.ts accordingly.
    default: ${{ github.workspace }}
  ref:
-    description: "The ref where results will be uploaded. If not provided, the Action will use the GITHUB_REF environment variable. If provided, the sha input must be provided as well. This input is ignored for pull requests from forks. Expected format: refs/heads/<branch name>, refs/tags/<tag>, refs/pull/<number>/merge, or refs/pull/<number>/head."
+    description: "The ref where results will be uploaded. If not provided, the Action will use the GITHUB_REF environment variable. If provided, the sha input must be provided as well. This input is ignored for pull requests from forks."
    required: false
  sha:
    description: "The sha of the HEAD of the ref where results will be uploaded. If not provided, the Action will use the GITHUB_SHA environment variable. If provided, the ref input must be provided as well. This input is ignored for pull requests from forks."
@@ -26486,7 +26486,7 @@ var require_package = __commonJS({
        "node-forge": "^1.3.1",
        octokit: "^5.0.3",
        semver: "^7.7.2",
-        uuid: "^13.0.0"
+        uuid: "^12.0.0"
      },
      devDependencies: {
        "@ava/typescript": "6.0.0",
@@ -26536,8 +26536,7 @@ var require_package = __commonJS({
        },
        "eslint-plugin-jsx-a11y": {
          semver: ">=6.3.1"
-        },
-        "brace-expansion@2.0.1": "2.0.2"
+        }
      }
    };
  }
@@ -77686,7 +77685,7 @@ var require_brace_expansion2 = __commonJS({
        var isSequence = isNumericSequence || isAlphaSequence;
        var isOptions = m.body.indexOf(",") >= 0;
        if (!isSequence && !isOptions) {
-          if (m.post.match(/,(?!,).*\}/)) {
+          if (m.post.match(/,.*\}/)) {
            str2 = m.pre + "{" + m.body + escClose + m.post;
            return expand(str2);
          }
@@ -117919,11 +117918,6 @@ var featureConfig = {
    envVar: "CODEQL_ACTION_QA_TELEMETRY",
    legacyApi: true,
    minimumVersion: void 0
-  },
-  ["java_minimize_dependency_jars" /* JavaMinimizeDependencyJars */]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_JAVA_MINIMIZE_DEPENDENCY_JARS",
-    minimumVersion: "2.23.0"
  }
 };

@@ -32335,7 +32335,7 @@ var require_package = __commonJS({
        "node-forge": "^1.3.1",
        octokit: "^5.0.3",
        semver: "^7.7.2",
-        uuid: "^13.0.0"
+        uuid: "^12.0.0"
      },
      devDependencies: {
        "@ava/typescript": "6.0.0",
@@ -32385,8 +32385,7 @@ var require_package = __commonJS({
        },
        "eslint-plugin-jsx-a11y": {
          semver: ">=6.3.1"
-        },
-        "brace-expansion@2.0.1": "2.0.2"
+        }
      }
    };
  }
@@ -89754,7 +89753,7 @@ async function tryGetFolderBytes(cacheDir, logger, quiet = false) {
  }
 }
 var hadTimeout = false;
-async function waitForResultWithTimeLimit(timeoutMs, promise, onTimeout) {
+async function withTimeout(timeoutMs, promise, onTimeout) {
  let finished2 = false;
  const mainTask = async () => {
    const result = await promise;
@@ -90872,7 +90871,7 @@ function computeChangedFiles(baseFileOids, overlayFileOids) {
 }
 var CACHE_VERSION = 1;
 var CACHE_PREFIX = "codeql-overlay-base-database";
-var MAX_CACHE_OPERATION_MS = 6e5;
+var MAX_CACHE_OPERATION_MS = 12e4;
 function checkOverlayBaseDatabase(config, logger, warningPrefix) {
  const baseDatabaseOidsFilePath = getBaseDatabaseOidsFilePath(config);
  if (!fs6.existsSync(baseDatabaseOidsFilePath)) {
@@ -90940,7 +90939,7 @@ async function uploadOverlayBaseDatabaseToCache(codeql, config, logger) {
    `Uploading overlay-base database to Actions cache with key ${cacheSaveKey}`
  );
  try {
-    const cacheId = await waitForResultWithTimeLimit(
+    const cacheId = await withTimeout(
      MAX_CACHE_OPERATION_MS,
      actionsCache.saveCache([dbLocation], cacheSaveKey),
      () => {
@@ -91153,11 +91152,6 @@ var featureConfig = {
    envVar: "CODEQL_ACTION_QA_TELEMETRY",
    legacyApi: true,
    minimumVersion: void 0
-  },
-  ["java_minimize_dependency_jars" /* JavaMinimizeDependencyJars */]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_JAVA_MINIMIZE_DEPENDENCY_JARS",
-    minimumVersion: "2.23.0"
  }
 };
 var FEATURE_FLAGS_FILE_NAME = "cached-feature-flags.json";
@@ -91498,7 +91492,7 @@ async function uploadTrapCaches(codeql, config, logger) {
      process.env.GITHUB_SHA || "unknown"
    );
    logger.info(`Uploading TRAP cache to Actions cache with key ${key}`);
-    await waitForResultWithTimeLimit(
+    await withTimeout(
      MAX_CACHE_OPERATION_MS2,
      actionsCache2.saveCache([cacheDir], key),
      () => {
@@ -91683,7 +91677,7 @@ var toolcache3 = __toESM(require_tool_cache());
 var import_fast_deep_equal = __toESM(require_fast_deep_equal());
 var semver7 = __toESM(require_semver2());

-// node_modules/uuid/dist-node/stringify.js
+// node_modules/uuid/dist/stringify.js
 var byteToHex = [];
 for (let i = 0; i < 256; ++i) {
  byteToHex.push((i + 256).toString(16).slice(1));
@@ -91692,7 +91686,7 @@ function unsafeStringify(arr, offset = 0) {
  return (byteToHex[arr[offset + 0]] + byteToHex[arr[offset + 1]] + byteToHex[arr[offset + 2]] + byteToHex[arr[offset + 3]] + "-" + byteToHex[arr[offset + 4]] + byteToHex[arr[offset + 5]] + "-" + byteToHex[arr[offset + 6]] + byteToHex[arr[offset + 7]] + "-" + byteToHex[arr[offset + 8]] + byteToHex[arr[offset + 9]] + "-" + byteToHex[arr[offset + 10]] + byteToHex[arr[offset + 11]] + byteToHex[arr[offset + 12]] + byteToHex[arr[offset + 13]] + byteToHex[arr[offset + 14]] + byteToHex[arr[offset + 15]]).toLowerCase();
 }

-// node_modules/uuid/dist-node/rng.js
+// node_modules/uuid/dist/rng.js
 var import_node_crypto = require("node:crypto");
 var rnds8Pool = new Uint8Array(256);
 var poolPtr = rnds8Pool.length;
@@ -91704,11 +91698,11 @@ function rng() {
  return rnds8Pool.slice(poolPtr, poolPtr += 16);
 }

-// node_modules/uuid/dist-node/native.js
+// node_modules/uuid/dist/native.js
 var import_node_crypto2 = require("node:crypto");
 var native_default = { randomUUID: import_node_crypto2.randomUUID };

-// node_modules/uuid/dist-node/v4.js
+// node_modules/uuid/dist/v4.js
 function _v4(options, buf, offset) {
  options = options || {};
  const rnds = options.random ?? options.rng?.() ?? rng();
@@ -93247,7 +93241,7 @@ function getDefaultCacheConfig() {
 async function makeGlobber(patterns) {
  return glob.create(patterns.join("\n"));
 }
-async function uploadDependencyCaches(config, logger, minimizeJavaJars) {
+async function uploadDependencyCaches(config, logger) {
  for (const language of config.languages) {
    const cacheConfig = getDefaultCacheConfig()[language];
    if (cacheConfig === void 0) {
@@ -93270,7 +93264,7 @@ async function uploadDependencyCaches(config, logger, minimizeJavaJars) {
      );
      continue;
    }
-    const key = await cacheKey2(language, cacheConfig, minimizeJavaJars);
+    const key = await cacheKey2(language, cacheConfig);
    logger.info(
      `Uploading cache of size ${size} for ${language} with key ${key}...`
    );
@@ -93288,20 +93282,17 @@ async function uploadDependencyCaches(config, logger, minimizeJavaJars) {
    }
  }
 }
-async function cacheKey2(language, cacheConfig, minimizeJavaJars = false) {
+async function cacheKey2(language, cacheConfig) {
  const hash2 = await glob.hashFiles(cacheConfig.hash.join("\n"));
-  return `${await cachePrefix2(language, minimizeJavaJars)}${hash2}`;
+  return `${await cachePrefix2(language)}${hash2}`;
 }
-async function cachePrefix2(language, minimizeJavaJars) {
+async function cachePrefix2(language) {
  const runnerOs = getRequiredEnvParam("RUNNER_OS");
  const customPrefix = process.env["CODEQL_ACTION_DEPENDENCY_CACHE_PREFIX" /* DEPENDENCY_CACHING_PREFIX */];
  let prefix = CODEQL_DEPENDENCY_CACHE_PREFIX;
  if (customPrefix !== void 0 && customPrefix.length > 0) {
    prefix = `${prefix}-${customPrefix}`;
  }
-  if (language === "java" /* java */ && minimizeJavaJars) {
-    prefix = `minify-${prefix}`;
-  }
  return `${prefix}-${CODEQL_DEPENDENCY_CACHE_VERSION}-${runnerOs}-${language}-`;
 }

@@ -95590,98 +95581,113 @@ function buildPayload(commitOid, ref, analysisKey, analysisName, zippedSarif, wo
  }
  return payloadObj;
 }
-async function uploadFiles(inputSarifPath, checkoutPath, category, features, logger, uploadTarget) {
+async function maybeUploadFiles(inputSarifPath, checkoutPath, category, features, logger, uploadTarget, uploadKind) {
  const sarifPaths = getSarifFilePaths(
    inputSarifPath,
    uploadTarget.sarifPredicate
  );
-  return uploadSpecifiedFiles(
+  return maybeUploadSpecifiedFiles(
    sarifPaths,
    checkoutPath,
    category,
    features,
    logger,
-    uploadTarget
+    uploadTarget,
+    uploadKind
  );
 }
-async function uploadSpecifiedFiles(sarifPaths, checkoutPath, category, features, logger, uploadTarget) {
-  logger.startGroup(`Uploading ${uploadTarget.name} results`);
-  logger.info(`Processing sarif files: ${JSON.stringify(sarifPaths)}`);
-  const gitHubVersion = await getGitHubVersion();
-  let sarif;
-  if (sarifPaths.length > 1) {
-    for (const sarifPath of sarifPaths) {
-      const parsedSarif = readSarifFile(sarifPath);
-      validateSarifFileSchema(parsedSarif, sarifPath, logger);
-    }
-    sarif = await combineSarifFilesUsingCLI(
-      sarifPaths,
-      gitHubVersion,
-      features,
-      logger
-    );
-  } else {
-    const sarifPath = sarifPaths[0];
-    sarif = readSarifFile(sarifPath);
-    validateSarifFileSchema(sarif, sarifPath, logger);
-    await throwIfCombineSarifFilesDisabled([sarif], gitHubVersion);
-  }
-  sarif = filterAlertsByDiffRange(logger, sarif);
-  sarif = await addFingerprints(sarif, checkoutPath, logger);
-  const analysisKey = await getAnalysisKey();
-  const environment = getRequiredInput("matrix");
-  sarif = populateRunAutomationDetails(
-    sarif,
-    category,
-    analysisKey,
-    environment
-  );
-  const toolNames = getToolNames(sarif);
-  logger.debug(`Validating that each SARIF run has a unique category`);
-  validateUniqueCategory(sarif, uploadTarget.sentinelPrefix);
-  logger.debug(`Serializing SARIF for upload`);
-  const sarifPayload = JSON.stringify(sarif);
+async function maybeUploadSpecifiedFiles(sarifPaths, checkoutPath, category, features, logger, uploadTarget, uploadKind) {
  const dumpDir = process.env["CODEQL_ACTION_SARIF_DUMP_DIR" /* SARIF_DUMP_DIR */];
-  if (dumpDir) {
-    dumpSarifFile(sarifPayload, dumpDir, logger, uploadTarget);
+  const upload = uploadKind === "always";
+  if (!upload && !dumpDir) {
+    logger.info(`Skipping upload of ${uploadTarget.name} results`);
+    return void 0;
+  }
+  logger.startGroup(`Processing ${uploadTarget.name} results`);
+  try {
+    logger.info(`Processing sarif files: ${JSON.stringify(sarifPaths)}`);
+    const gitHubVersion = await getGitHubVersion();
+    let sarif;
+    if (sarifPaths.length > 1) {
+      for (const sarifPath of sarifPaths) {
+        const parsedSarif = readSarifFile(sarifPath);
+        validateSarifFileSchema(parsedSarif, sarifPath, logger);
+      }
+      sarif = await combineSarifFilesUsingCLI(
+        sarifPaths,
+        gitHubVersion,
+        features,
+        logger
+      );
+    } else {
+      const sarifPath = sarifPaths[0];
+      sarif = readSarifFile(sarifPath);
+      validateSarifFileSchema(sarif, sarifPath, logger);
+      await throwIfCombineSarifFilesDisabled([sarif], gitHubVersion);
+    }
+    sarif = filterAlertsByDiffRange(logger, sarif);
+    sarif = await addFingerprints(sarif, checkoutPath, logger);
+    const analysisKey = await getAnalysisKey();
+    const environment = getRequiredInput("matrix");
+    sarif = populateRunAutomationDetails(
+      sarif,
+      category,
+      analysisKey,
+      environment
+    );
+    const toolNames = getToolNames(sarif);
+    logger.debug(`Validating that each SARIF run has a unique category`);
+    validateUniqueCategory(sarif, uploadTarget.sentinelPrefix);
+    logger.debug(`Serializing SARIF for upload`);
+    const sarifPayload = JSON.stringify(sarif);
+    if (dumpDir) {
+      dumpSarifFile(sarifPayload, dumpDir, logger, uploadTarget);
+    }
+    if (!upload) {
+      logger.info(
+        `Skipping upload of ${uploadTarget.name} results because upload kind is "${uploadKind}"`
+      );
+      return void 0;
+    }
+    logger.debug(`Compressing serialized SARIF`);
+    const zippedSarif = import_zlib.default.gzipSync(sarifPayload).toString("base64");
+    const checkoutURI = url.pathToFileURL(checkoutPath).href;
+    const payload = buildPayload(
+      await getCommitOid(checkoutPath),
+      await getRef(),
+      analysisKey,
+      getRequiredEnvParam("GITHUB_WORKFLOW"),
+      zippedSarif,
+      getWorkflowRunID(),
+      getWorkflowRunAttempt(),
+      checkoutURI,
+      environment,
+      toolNames,
+      await determineBaseBranchHeadCommitOid()
+    );
+    const rawUploadSizeBytes = sarifPayload.length;
+    logger.debug(`Raw upload size: ${rawUploadSizeBytes} bytes`);
+    const zippedUploadSizeBytes = zippedSarif.length;
+    logger.debug(`Base64 zipped upload size: ${zippedUploadSizeBytes} bytes`);
+    const numResultInSarif = countResultsInSarif(sarifPayload);
+    logger.debug(`Number of results in upload: ${numResultInSarif}`);
+    const sarifID = await uploadPayload(
+      payload,
+      getRepositoryNwo(),
+      logger,
+      uploadTarget.target
+    );
+    return {
+      statusReport: {
+        raw_upload_size_bytes: rawUploadSizeBytes,
+        zipped_upload_size_bytes: zippedUploadSizeBytes,
+        num_results_in_sarif: numResultInSarif
+      },
+      sarifID
+    };
+  } finally {
+    logger.endGroup();
  }
-  logger.debug(`Compressing serialized SARIF`);
-  const zippedSarif = import_zlib.default.gzipSync(sarifPayload).toString("base64");
-  const checkoutURI = url.pathToFileURL(checkoutPath).href;
-  const payload = buildPayload(
-    await getCommitOid(checkoutPath),
-    await getRef(),
-    analysisKey,
-    getRequiredEnvParam("GITHUB_WORKFLOW"),
-    zippedSarif,
-    getWorkflowRunID(),
-    getWorkflowRunAttempt(),
-    checkoutURI,
-    environment,
-    toolNames,
-    await determineBaseBranchHeadCommitOid()
-  );
-  const rawUploadSizeBytes = sarifPayload.length;
-  logger.debug(`Raw upload size: ${rawUploadSizeBytes} bytes`);
-  const zippedUploadSizeBytes = zippedSarif.length;
-  logger.debug(`Base64 zipped upload size: ${zippedUploadSizeBytes} bytes`);
-  const numResultInSarif = countResultsInSarif(sarifPayload);
-  logger.debug(`Number of results in upload: ${numResultInSarif}`);
-  const sarifID = await uploadPayload(
-    payload,
-    getRepositoryNwo(),
-    logger,
-    uploadTarget.target
-  );
-  logger.endGroup();
-  return {
-    statusReport: {
-      raw_upload_size_bytes: rawUploadSizeBytes,
-      zipped_upload_size_bytes: zippedUploadSizeBytes,
-      num_results_in_sarif: numResultInSarif
-    },
-    sarifID
-  };
 }
 function dumpSarifFile(sarifPayload, outputDir, logger, uploadTarget) {
  if (!fs18.existsSync(outputDir)) {
@@ -96042,21 +96048,26 @@ async function run() {
    }
    core14.setOutput("db-locations", dbLocations);
    core14.setOutput("sarif-output", import_path4.default.resolve(outputDir));
-    const uploadInput = getOptionalInput("upload");
-    if (runStats && getUploadValue(uploadInput) === "always") {
+    const uploadInput = getUploadValue(
+      getOptionalInput("upload")
+    );
+    if (runStats) {
      if (isCodeScanningEnabled(config)) {
-        uploadResult = await uploadFiles(
+        uploadResult = await maybeUploadFiles(
          outputDir,
          getRequiredInput("checkout_path"),
          getOptionalInput("category"),
          features,
          logger,
-          CodeScanning
+          CodeScanning,
+          uploadInput
        );
-        core14.setOutput("sarif-id", uploadResult.sarifID);
+        if (uploadResult) {
+          core14.setOutput("sarif-id", uploadResult.sarifID);
+        }
      }
      if (isCodeQualityEnabled(config)) {
-        const qualityUploadResult = await uploadFiles(
+        const qualityUploadResult = await maybeUploadFiles(
          outputDir,
          getRequiredInput("checkout_path"),
          fixCodeQualityCategory(
@@ -96065,12 +96076,15 @@ async function run() {
          ),
          features,
          logger,
-          CodeQuality
+          CodeQuality,
+          uploadInput
        );
-        core14.setOutput("quality-sarif-id", qualityUploadResult.sarifID);
+        if (qualityUploadResult) {
+          core14.setOutput("quality-sarif-id", qualityUploadResult.sarifID);
+        }
      }
    } else {
-      logger.info("Not uploading results");
+      logger.info("No query status report, skipping upload");
    }
    await uploadOverlayBaseDatabaseToCache(codeql, config, logger);
    await uploadDatabases(repositoryNwo, codeql, config, apiDetails, logger);
@@ -96083,11 +96097,7 @@ async function run() {
      logger
    );
    if (shouldStoreCache(config.dependencyCachingEnabled)) {
-      const minimizeJavaJars = await features.getValue(
-        "java_minimize_dependency_jars" /* JavaMinimizeDependencyJars */,
-        codeql
-      );
-      await uploadDependencyCaches(config, logger, minimizeJavaJars);
+      await uploadDependencyCaches(config, logger);
    }
    if (isInTestMode()) {
      logger.debug("In test mode. Waiting for processing is disabled.");
@@ -26486,7 +26486,7 @@ var require_package = __commonJS({
        "node-forge": "^1.3.1",
        octokit: "^5.0.3",
        semver: "^7.7.2",
-        uuid: "^13.0.0"
+        uuid: "^12.0.0"
      },
      devDependencies: {
        "@ava/typescript": "6.0.0",
@@ -26536,8 +26536,7 @@ var require_package = __commonJS({
        },
        "eslint-plugin-jsx-a11y": {
          semver: ">=6.3.1"
-        },
-        "brace-expansion@2.0.1": "2.0.2"
+        }
      }
    };
  }
@@ -78657,11 +78656,6 @@ var featureConfig = {
    envVar: "CODEQL_ACTION_QA_TELEMETRY",
    legacyApi: true,
    minimumVersion: void 0
-  },
-  ["java_minimize_dependency_jars" /* JavaMinimizeDependencyJars */]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_JAVA_MINIMIZE_DEPENDENCY_JARS",
-    minimumVersion: "2.23.0"
  }
 };
 var FEATURE_FLAGS_FILE_NAME = "cached-feature-flags.json";
@@ -32335,7 +32335,7 @@ var require_package = __commonJS({
        "node-forge": "^1.3.1",
        octokit: "^5.0.3",
        semver: "^7.7.2",
-        uuid: "^13.0.0"
+        uuid: "^12.0.0"
      },
      devDependencies: {
        "@ava/typescript": "6.0.0",
@@ -32385,8 +32385,7 @@ var require_package = __commonJS({
        },
        "eslint-plugin-jsx-a11y": {
          semver: ">=6.3.1"
-        },
-        "brace-expansion@2.0.1": "2.0.2"
+        }
      }
    };
  }
@@ -83535,7 +83534,7 @@ var require_brace_expansion2 = __commonJS({
        var isSequence = isNumericSequence || isAlphaSequence;
        var isOptions = m.body.indexOf(",") >= 0;
        if (!isSequence && !isOptions) {
-          if (m.post.match(/,(?!,).*\}/)) {
+          if (m.post.match(/,.*\}/)) {
            str2 = m.pre + "{" + m.body + escClose + m.post;
            return expand(str2);
          }
@@ -129252,11 +129251,6 @@ var featureConfig = {
    envVar: "CODEQL_ACTION_QA_TELEMETRY",
    legacyApi: true,
    minimumVersion: void 0
-  },
-  ["java_minimize_dependency_jars" /* JavaMinimizeDependencyJars */]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_JAVA_MINIMIZE_DEPENDENCY_JARS",
-    minimumVersion: "2.23.0"
  }
 };
 var FEATURE_FLAGS_FILE_NAME = "cached-feature-flags.json";
@@ -129626,7 +129620,7 @@ var toolcache3 = __toESM(require_tool_cache());
 var import_fast_deep_equal = __toESM(require_fast_deep_equal());
 var semver7 = __toESM(require_semver2());

-// node_modules/uuid/dist-node/stringify.js
+// node_modules/uuid/dist/stringify.js
 var byteToHex = [];
 for (let i = 0; i < 256; ++i) {
  byteToHex.push((i + 256).toString(16).slice(1));
@@ -129635,7 +129629,7 @@ function unsafeStringify(arr, offset = 0) {
  return (byteToHex[arr[offset + 0]] + byteToHex[arr[offset + 1]] + byteToHex[arr[offset + 2]] + byteToHex[arr[offset + 3]] + "-" + byteToHex[arr[offset + 4]] + byteToHex[arr[offset + 5]] + "-" + byteToHex[arr[offset + 6]] + byteToHex[arr[offset + 7]] + "-" + byteToHex[arr[offset + 8]] + byteToHex[arr[offset + 9]] + "-" + byteToHex[arr[offset + 10]] + byteToHex[arr[offset + 11]] + byteToHex[arr[offset + 12]] + byteToHex[arr[offset + 13]] + byteToHex[arr[offset + 14]] + byteToHex[arr[offset + 15]]).toLowerCase();
 }

-// node_modules/uuid/dist-node/rng.js
+// node_modules/uuid/dist/rng.js
 var import_node_crypto = require("node:crypto");
 var rnds8Pool = new Uint8Array(256);
 var poolPtr = rnds8Pool.length;
@@ -129647,11 +129641,11 @@ function rng() {
  return rnds8Pool.slice(poolPtr, poolPtr += 16);
 }

-// node_modules/uuid/dist-node/native.js
+// node_modules/uuid/dist/native.js
 var import_node_crypto2 = require("node:crypto");
 var native_default = { randomUUID: import_node_crypto2.randomUUID };

-// node_modules/uuid/dist-node/v4.js
+// node_modules/uuid/dist/v4.js
 function _v4(options, buf, offset) {
  options = options || {};
  const rnds = options.random ?? options.rng?.() ?? rng();
@@ -133025,97 +133019,123 @@ function buildPayload(commitOid, ref, analysisKey, analysisName, zippedSarif, wo
  return payloadObj;
 }
 async function uploadFiles(inputSarifPath, checkoutPath, category, features, logger, uploadTarget) {
+  return maybeUploadFiles(
+    inputSarifPath,
+    checkoutPath,
+    category,
+    features,
+    logger,
+    uploadTarget,
+    "always"
+  );
+}
+async function maybeUploadFiles(inputSarifPath, checkoutPath, category, features, logger, uploadTarget, uploadKind) {
  const sarifPaths = getSarifFilePaths(
    inputSarifPath,
    uploadTarget.sarifPredicate
  );
-  return uploadSpecifiedFiles(
+  return maybeUploadSpecifiedFiles(
    sarifPaths,
    checkoutPath,
    category,
    features,
    logger,
-    uploadTarget
+    uploadTarget,
+    uploadKind
  );
 }
-async function uploadSpecifiedFiles(sarifPaths, checkoutPath, category, features, logger, uploadTarget) {
-  logger.startGroup(`Uploading ${uploadTarget.name} results`);
-  logger.info(`Processing sarif files: ${JSON.stringify(sarifPaths)}`);
-  const gitHubVersion = await getGitHubVersion();
-  let sarif;
-  if (sarifPaths.length > 1) {
-    for (const sarifPath of sarifPaths) {
-      const parsedSarif = readSarifFile(sarifPath);
-      validateSarifFileSchema(parsedSarif, sarifPath, logger);
-    }
-    sarif = await combineSarifFilesUsingCLI(
-      sarifPaths,
-      gitHubVersion,
-      features,
-      logger
-    );
-  } else {
-    const sarifPath = sarifPaths[0];
-    sarif = readSarifFile(sarifPath);
-    validateSarifFileSchema(sarif, sarifPath, logger);
-    await throwIfCombineSarifFilesDisabled([sarif], gitHubVersion);
-  }
-  sarif = filterAlertsByDiffRange(logger, sarif);
-  sarif = await addFingerprints(sarif, checkoutPath, logger);
-  const analysisKey = await getAnalysisKey();
-  const environment = getRequiredInput("matrix");
-  sarif = populateRunAutomationDetails(
-    sarif,
-    category,
-    analysisKey,
-    environment
-  );
-  const toolNames = getToolNames(sarif);
-  logger.debug(`Validating that each SARIF run has a unique category`);
-  validateUniqueCategory(sarif, uploadTarget.sentinelPrefix);
-  logger.debug(`Serializing SARIF for upload`);
-  const sarifPayload = JSON.stringify(sarif);
+async function maybeUploadSpecifiedFiles(sarifPaths, checkoutPath, category, features, logger, uploadTarget, uploadKind) {
  const dumpDir = process.env["CODEQL_ACTION_SARIF_DUMP_DIR" /* SARIF_DUMP_DIR */];
-  if (dumpDir) {
-    dumpSarifFile(sarifPayload, dumpDir, logger, uploadTarget);
+  const upload = uploadKind === "always";
+  if (!upload && !dumpDir) {
+    logger.info(`Skipping upload of ${uploadTarget.name} results`);
+    return void 0;
+  }
+  logger.startGroup(`Processing ${uploadTarget.name} results`);
+  try {
+    logger.info(`Processing sarif files: ${JSON.stringify(sarifPaths)}`);
+    const gitHubVersion = await getGitHubVersion();
+    let sarif;
+    if (sarifPaths.length > 1) {
+      for (const sarifPath of sarifPaths) {
+        const parsedSarif = readSarifFile(sarifPath);
+        validateSarifFileSchema(parsedSarif, sarifPath, logger);
+      }
+      sarif = await combineSarifFilesUsingCLI(
+        sarifPaths,
+        gitHubVersion,
+        features,
+        logger
+      );
+    } else {
+      const sarifPath = sarifPaths[0];
+      sarif = readSarifFile(sarifPath);
+      validateSarifFileSchema(sarif, sarifPath, logger);
+      await throwIfCombineSarifFilesDisabled([sarif], gitHubVersion);
+    }
+    sarif = filterAlertsByDiffRange(logger, sarif);
+    sarif = await addFingerprints(sarif, checkoutPath, logger);
+    const analysisKey = await getAnalysisKey();
+    const environment = getRequiredInput("matrix");
+    sarif = populateRunAutomationDetails(
+      sarif,
+      category,
+      analysisKey,
+      environment
+    );
+    const toolNames = getToolNames(sarif);
+    logger.debug(`Validating that each SARIF run has a unique category`);
+    validateUniqueCategory(sarif, uploadTarget.sentinelPrefix);
+    logger.debug(`Serializing SARIF for upload`);
+    const sarifPayload = JSON.stringify(sarif);
+    if (dumpDir) {
+      dumpSarifFile(sarifPayload, dumpDir, logger, uploadTarget);
+    }
+    if (!upload) {
+      logger.info(
+        `Skipping upload of ${uploadTarget.name} results because upload kind is "${uploadKind}"`
+      );
+      return void 0;
+    }
+    logger.debug(`Compressing serialized SARIF`);
+    const zippedSarif = import_zlib.default.gzipSync(sarifPayload).toString("base64");
+    const checkoutURI = url.pathToFileURL(checkoutPath).href;
+    const payload = buildPayload(
+      await getCommitOid(checkoutPath),
+      await getRef(),
+      analysisKey,
+      getRequiredEnvParam("GITHUB_WORKFLOW"),
+      zippedSarif,
+      getWorkflowRunID(),
+      getWorkflowRunAttempt(),
+      checkoutURI,
+      environment,
+      toolNames,
+      await determineBaseBranchHeadCommitOid()
+    );
+    const rawUploadSizeBytes = sarifPayload.length;
+    logger.debug(`Raw upload size: ${rawUploadSizeBytes} bytes`);
+    const zippedUploadSizeBytes = zippedSarif.length;
+    logger.debug(`Base64 zipped upload size: ${zippedUploadSizeBytes} bytes`);
+    const numResultInSarif = countResultsInSarif(sarifPayload);
+    logger.debug(`Number of results in upload: ${numResultInSarif}`);
+    const sarifID = await uploadPayload(
+      payload,
+      getRepositoryNwo(),
+      logger,
+      uploadTarget.target
+    );
+    return {
+      statusReport: {
+        raw_upload_size_bytes: rawUploadSizeBytes,
+        zipped_upload_size_bytes: zippedUploadSizeBytes,
+        num_results_in_sarif: numResultInSarif
+      },
+      sarifID
+    };
+  } finally {
+    logger.endGroup();
  }
-  logger.debug(`Compressing serialized SARIF`);
-  const zippedSarif = import_zlib.default.gzipSync(sarifPayload).toString("base64");
-  const checkoutURI = url.pathToFileURL(checkoutPath).href;
-  const payload = buildPayload(
-    await getCommitOid(checkoutPath),
-    await getRef(),
-    analysisKey,
-    getRequiredEnvParam("GITHUB_WORKFLOW"),
-    zippedSarif,
-    getWorkflowRunID(),
-    getWorkflowRunAttempt(),
-    checkoutURI,
-    environment,
-    toolNames,
-    await determineBaseBranchHeadCommitOid()
-  );
-  const rawUploadSizeBytes = sarifPayload.length;
-  logger.debug(`Raw upload size: ${rawUploadSizeBytes} bytes`);
-  const zippedUploadSizeBytes = zippedSarif.length;
-  logger.debug(`Base64 zipped upload size: ${zippedUploadSizeBytes} bytes`);
-  const numResultInSarif = countResultsInSarif(sarifPayload);
-  logger.debug(`Number of results in upload: ${numResultInSarif}`);
-  const sarifID = await uploadPayload(
-    payload,
-    getRepositoryNwo(),
-    logger,
-    uploadTarget.target
-  );
-  logger.endGroup();
-  return {
-    statusReport: {
-      raw_upload_size_bytes: rawUploadSizeBytes,
-      zipped_upload_size_bytes: zippedUploadSizeBytes,
-      num_results_in_sarif: numResultInSarif
-    },
-    sarifID
-  };
 }
 function dumpSarifFile(sarifPayload, outputDir, logger, uploadTarget) {
  if (!fs17.existsSync(outputDir)) {
@@ -32335,7 +32335,7 @@ var require_package = __commonJS({
        "node-forge": "^1.3.1",
        octokit: "^5.0.3",
        semver: "^7.7.2",
-        uuid: "^13.0.0"
+        uuid: "^12.0.0"
      },
      devDependencies: {
        "@ava/typescript": "6.0.0",
@@ -32385,8 +32385,7 @@ var require_package = __commonJS({
        },
        "eslint-plugin-jsx-a11y": {
          semver: ">=6.3.1"
-        },
-        "brace-expansion@2.0.1": "2.0.2"
+        }
      }
    };
  }
@@ -81687,7 +81686,7 @@ var core13 = __toESM(require_core());
 var io6 = __toESM(require_io());
 var semver8 = __toESM(require_semver2());

-// node_modules/uuid/dist-node/stringify.js
+// node_modules/uuid/dist/stringify.js
 var byteToHex = [];
 for (let i = 0; i < 256; ++i) {
  byteToHex.push((i + 256).toString(16).slice(1));
@@ -81696,7 +81695,7 @@ function unsafeStringify(arr, offset = 0) {
  return (byteToHex[arr[offset + 0]] + byteToHex[arr[offset + 1]] + byteToHex[arr[offset + 2]] + byteToHex[arr[offset + 3]] + "-" + byteToHex[arr[offset + 4]] + byteToHex[arr[offset + 5]] + "-" + byteToHex[arr[offset + 6]] + byteToHex[arr[offset + 7]] + "-" + byteToHex[arr[offset + 8]] + byteToHex[arr[offset + 9]] + "-" + byteToHex[arr[offset + 10]] + byteToHex[arr[offset + 11]] + byteToHex[arr[offset + 12]] + byteToHex[arr[offset + 13]] + byteToHex[arr[offset + 14]] + byteToHex[arr[offset + 15]]).toLowerCase();
 }

-// node_modules/uuid/dist-node/rng.js
+// node_modules/uuid/dist/rng.js
 var import_node_crypto = require("node:crypto");
 var rnds8Pool = new Uint8Array(256);
 var poolPtr = rnds8Pool.length;
@@ -81708,11 +81707,11 @@ function rng() {
  return rnds8Pool.slice(poolPtr, poolPtr += 16);
 }

-// node_modules/uuid/dist-node/native.js
+// node_modules/uuid/dist/native.js
 var import_node_crypto2 = require("node:crypto");
 var native_default = { randomUUID: import_node_crypto2.randomUUID };

-// node_modules/uuid/dist-node/v4.js
+// node_modules/uuid/dist/v4.js
 function _v4(options, buf, offset) {
  options = options || {};
  const rnds = options.random ?? options.rng?.() ?? rng();
@@ -85619,7 +85618,7 @@ async function tryGetFolderBytes(cacheDir, logger, quiet = false) {
  }
 }
 var hadTimeout = false;
-async function waitForResultWithTimeLimit(timeoutMs, promise, onTimeout) {
+async function withTimeout(timeoutMs, promise, onTimeout) {
  let finished2 = false;
  const mainTask = async () => {
    const result = await promise;
@@ -86478,7 +86477,7 @@ function computeChangedFiles(baseFileOids, overlayFileOids) {
 }
 var CACHE_VERSION = 1;
 var CACHE_PREFIX = "codeql-overlay-base-database";
-var MAX_CACHE_OPERATION_MS = 6e5;
+var MAX_CACHE_OPERATION_MS = 12e4;
 function checkOverlayBaseDatabase(config, logger, warningPrefix) {
  const baseDatabaseOidsFilePath = getBaseDatabaseOidsFilePath(config);
  if (!fs6.existsSync(baseDatabaseOidsFilePath)) {
@@ -86521,39 +86520,9 @@ async function downloadOverlayBaseDatabaseFromCache(codeql, config, logger) {
  let databaseDownloadDurationMs = 0;
  try {
    const databaseDownloadStart = performance.now();
-    const foundKey = await waitForResultWithTimeLimit(
-      // This ten-minute limit for the cache restore operation is mainly to
-      // guard against the possibility that the cache service is unresponsive
-      // and hangs outside the data download.
-      //
-      // Data download (which is normally the most time-consuming part of the
-      // restore operation) should not run long enough to hit this limit. Even
-      // for an extremely large 10GB database, at a download speed of 40MB/s
-      // (see below), the download should complete within five minutes. If we
-      // do hit this limit, there are likely more serious problems other than
-      // mere slow download speed.
-      //
-      // This is important because we don't want any ongoing file operations
-      // on the database directory when we do hit this limit. Hitting this
-      // time limit takes us to a fallback path where we re-initialize the
-      // database from scratch at dbLocation, and having the cache restore
-      // operation continue to write into dbLocation in the background would
-      // really mess things up. We want to hit this limit only in the case
-      // of a hung cache service, not just slow download speed.
+    const foundKey = await withTimeout(
      MAX_CACHE_OPERATION_MS,
-      actionsCache.restoreCache(
-        [dbLocation],
-        cacheRestoreKeyPrefix,
-        void 0,
-        {
-          // Azure SDK download (which is the default) uses 128MB segments; see
-          // https://github.com/actions/toolkit/blob/main/packages/cache/README.md.
-          // Setting segmentTimeoutInMs to 3000 translates to segment download
-          // speed of about 40 MB/s, which should be achievable unless the
-          // download is unreliable (in which case we do want to abort).
-          segmentTimeoutInMs: 3e3
-        }
-      ),
+      actionsCache.restoreCache([dbLocation], cacheRestoreKeyPrefix),
      () => {
        logger.info("Timed out downloading overlay-base database from cache");
      }
@@ -86782,11 +86751,6 @@ var featureConfig = {
    envVar: "CODEQL_ACTION_QA_TELEMETRY",
    legacyApi: true,
    minimumVersion: void 0
-  },
-  ["java_minimize_dependency_jars" /* JavaMinimizeDependencyJars */]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_JAVA_MINIMIZE_DEPENDENCY_JARS",
-    minimumVersion: "2.23.0"
  }
 };
 var FEATURE_FLAGS_FILE_NAME = "cached-feature-flags.json";
@@ -87136,7 +87100,7 @@ async function downloadTrapCaches(codeql, languages, logger) {
    logger.info(
      `Looking in Actions cache for TRAP cache with key ${preferredKey}`
    );
-    const found = await waitForResultWithTimeLimit(
+    const found = await withTimeout(
      MAX_CACHE_OPERATION_MS2,
      actionsCache2.restoreCache([cacheDir], preferredKey, [
        // Fall back to any cache with the right key prefix
@@ -88004,7 +87968,7 @@ function getDefaultCacheConfig() {
 async function makeGlobber(patterns) {
  return glob.create(patterns.join("\n"));
 }
-async function downloadDependencyCaches(languages, logger, minimizeJavaJars) {
+async function downloadDependencyCaches(languages, logger) {
  const restoredCaches = [];
  for (const language of languages) {
    const cacheConfig = getDefaultCacheConfig()[language];
@@ -88021,10 +87985,8 @@ async function downloadDependencyCaches(languages, logger, minimizeJavaJars) {
      );
      continue;
    }
-    const primaryKey = await cacheKey2(language, cacheConfig, minimizeJavaJars);
-    const restoreKeys = [
-      await cachePrefix2(language, minimizeJavaJars)
-    ];
+    const primaryKey = await cacheKey2(language, cacheConfig);
+    const restoreKeys = [await cachePrefix2(language)];
    logger.info(
      `Downloading cache for ${language} with key ${primaryKey} and restore keys ${restoreKeys.join(
        ", "
@@ -88044,20 +88006,17 @@ async function downloadDependencyCaches(languages, logger, minimizeJavaJars) {
  }
  return restoredCaches;
 }
-async function cacheKey2(language, cacheConfig, minimizeJavaJars = false) {
+async function cacheKey2(language, cacheConfig) {
  const hash = await glob.hashFiles(cacheConfig.hash.join("\n"));
-  return `${await cachePrefix2(language, minimizeJavaJars)}${hash}`;
+  return `${await cachePrefix2(language)}${hash}`;
 }
-async function cachePrefix2(language, minimizeJavaJars) {
+async function cachePrefix2(language) {
  const runnerOs = getRequiredEnvParam("RUNNER_OS");
  const customPrefix = process.env["CODEQL_ACTION_DEPENDENCY_CACHE_PREFIX" /* DEPENDENCY_CACHING_PREFIX */];
  let prefix = CODEQL_DEPENDENCY_CACHE_PREFIX;
  if (customPrefix !== void 0 && customPrefix.length > 0) {
    prefix = `${prefix}-${customPrefix}`;
  }
-  if (language === "java" /* java */ && minimizeJavaJars) {
-    prefix = `minify-${prefix}`;
-  }
  return `${prefix}-${CODEQL_DEPENDENCY_CACHE_VERSION}-${runnerOs}-${language}-`;
 }

@@ -90663,16 +90622,8 @@ exec ${goBinaryPath} "$@"`
        core13.exportVariable(envVar, "false");
      }
    }
-    const minimizeJavaJars = await features.getValue(
-      "java_minimize_dependency_jars" /* JavaMinimizeDependencyJars */,
-      codeql
-    );
    if (shouldRestoreCache(config.dependencyCachingEnabled)) {
-      await downloadDependencyCaches(
-        config.languages,
-        logger,
-        minimizeJavaJars
-      );
+      await downloadDependencyCaches(config.languages, logger);
    }
    if (await codeQlVersionAtLeast(codeql, "2.17.1")) {
    } else {
@@ -90705,16 +90656,6 @@ exec ${goBinaryPath} "$@"`
        core13.exportVariable("CODEQL_EXTRACTOR_PYTHON_EXTRACT_STDLIB", "true");
      }
    }
-    if (process.env["CODEQL_EXTRACTOR_JAVA_OPTION_MINIMIZE_DEPENDENCY_JARS" /* JAVA_EXTRACTOR_MINIMIZE_DEPENDENCY_JARS */]) {
-      logger.debug(
-        `${"CODEQL_EXTRACTOR_JAVA_OPTION_MINIMIZE_DEPENDENCY_JARS" /* JAVA_EXTRACTOR_MINIMIZE_DEPENDENCY_JARS */} is already set to '${process.env["CODEQL_EXTRACTOR_JAVA_OPTION_MINIMIZE_DEPENDENCY_JARS" /* JAVA_EXTRACTOR_MINIMIZE_DEPENDENCY_JARS */]}', so the Action will not override it.`
-      );
-    } else if (minimizeJavaJars && config.dependencyCachingEnabled && config.buildMode === "none" /* None */ && config.languages.includes("java" /* java */)) {
-      core13.exportVariable(
-        "CODEQL_EXTRACTOR_JAVA_OPTION_MINIMIZE_DEPENDENCY_JARS" /* JAVA_EXTRACTOR_MINIMIZE_DEPENDENCY_JARS */,
-        "true"
-      );
-    }
    const { registriesAuthTokens, qlconfigFile } = await generateRegistries(
      getOptionalInput("registries"),
      config.tempDir,
@@ -26486,7 +26486,7 @@ var require_package = __commonJS({
        "node-forge": "^1.3.1",
        octokit: "^5.0.3",
        semver: "^7.7.2",
-        uuid: "^13.0.0"
+        uuid: "^12.0.0"
      },
      devDependencies: {
        "@ava/typescript": "6.0.0",
@@ -26536,8 +26536,7 @@ var require_package = __commonJS({
        },
        "eslint-plugin-jsx-a11y": {
          semver: ">=6.3.1"
-        },
-        "brace-expansion@2.0.1": "2.0.2"
+        }
      }
    };
  }
@@ -78648,11 +78647,6 @@ var featureConfig = {
    envVar: "CODEQL_ACTION_QA_TELEMETRY",
    legacyApi: true,
    minimumVersion: void 0
-  },
-  ["java_minimize_dependency_jars" /* JavaMinimizeDependencyJars */]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_JAVA_MINIMIZE_DEPENDENCY_JARS",
-    minimumVersion: "2.23.0"
  }
 };

@@ -26486,7 +26486,7 @@ var require_package = __commonJS({
        "node-forge": "^1.3.1",
        octokit: "^5.0.3",
        semver: "^7.7.2",
-        uuid: "^13.0.0"
+        uuid: "^12.0.0"
      },
      devDependencies: {
        "@ava/typescript": "6.0.0",
@@ -26536,8 +26536,7 @@ var require_package = __commonJS({
        },
        "eslint-plugin-jsx-a11y": {
          semver: ">=6.3.1"
-        },
-        "brace-expansion@2.0.1": "2.0.2"
+        }
      }
    };
  }
@@ -76346,7 +76345,7 @@ var require_brace_expansion2 = __commonJS({
        var isSequence = isNumericSequence || isAlphaSequence;
        var isOptions = m.body.indexOf(",") >= 0;
        if (!isSequence && !isOptions) {
-          if (m.post.match(/,(?!,).*\}/)) {
+          if (m.post.match(/,.*\}/)) {
            str2 = m.pre + "{" + m.body + escClose + m.post;
            return expand(str2);
          }
@@ -117328,11 +117327,6 @@ var featureConfig = {
    envVar: "CODEQL_ACTION_QA_TELEMETRY",
    legacyApi: true,
    minimumVersion: void 0
-  },
-  ["java_minimize_dependency_jars" /* JavaMinimizeDependencyJars */]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_JAVA_MINIMIZE_DEPENDENCY_JARS",
-    minimumVersion: "2.23.0"
  }
 };

@@ -33632,7 +33632,7 @@ var require_package = __commonJS({
        "node-forge": "^1.3.1",
        octokit: "^5.0.3",
        semver: "^7.7.2",
-        uuid: "^13.0.0"
+        uuid: "^12.0.0"
      },
      devDependencies: {
        "@ava/typescript": "6.0.0",
@@ -33682,8 +33682,7 @@ var require_package = __commonJS({
        },
        "eslint-plugin-jsx-a11y": {
          semver: ">=6.3.1"
-        },
-        "brace-expansion@2.0.1": "2.0.2"
+        }
      }
    };
  }
@@ -84783,6 +84782,7 @@ __export(upload_lib_exports, {
  buildPayload: () => buildPayload,
  findSarifFilesInDir: () => findSarifFilesInDir,
  getSarifFilePaths: () => getSarifFilePaths,
+  maybeUploadFiles: () => maybeUploadFiles,
  populateRunAutomationDetails: () => populateRunAutomationDetails,
  readSarifFile: () => readSarifFile,
  shouldConsiderConfigurationError: () => shouldConsiderConfigurationError,
@@ -89344,11 +89344,6 @@ var featureConfig = {
    envVar: "CODEQL_ACTION_QA_TELEMETRY",
    legacyApi: true,
    minimumVersion: void 0
-  },
-  ["java_minimize_dependency_jars" /* JavaMinimizeDependencyJars */]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_JAVA_MINIMIZE_DEPENDENCY_JARS",
-    minimumVersion: "2.23.0"
  }
 };

@@ -89454,7 +89449,7 @@ var toolcache3 = __toESM(require_tool_cache());
 var import_fast_deep_equal = __toESM(require_fast_deep_equal());
 var semver7 = __toESM(require_semver2());

-// node_modules/uuid/dist-node/stringify.js
+// node_modules/uuid/dist/stringify.js
 var byteToHex = [];
 for (let i = 0; i < 256; ++i) {
  byteToHex.push((i + 256).toString(16).slice(1));
@@ -89463,7 +89458,7 @@ function unsafeStringify(arr, offset = 0) {
  return (byteToHex[arr[offset + 0]] + byteToHex[arr[offset + 1]] + byteToHex[arr[offset + 2]] + byteToHex[arr[offset + 3]] + "-" + byteToHex[arr[offset + 4]] + byteToHex[arr[offset + 5]] + "-" + byteToHex[arr[offset + 6]] + byteToHex[arr[offset + 7]] + "-" + byteToHex[arr[offset + 8]] + byteToHex[arr[offset + 9]] + "-" + byteToHex[arr[offset + 10]] + byteToHex[arr[offset + 11]] + byteToHex[arr[offset + 12]] + byteToHex[arr[offset + 13]] + byteToHex[arr[offset + 14]] + byteToHex[arr[offset + 15]]).toLowerCase();
 }

-// node_modules/uuid/dist-node/rng.js
+// node_modules/uuid/dist/rng.js
 var import_node_crypto = require("node:crypto");
 var rnds8Pool = new Uint8Array(256);
 var poolPtr = rnds8Pool.length;
@@ -89475,11 +89470,11 @@ function rng() {
  return rnds8Pool.slice(poolPtr, poolPtr += 16);
 }

-// node_modules/uuid/dist-node/native.js
+// node_modules/uuid/dist/native.js
 var import_node_crypto2 = require("node:crypto");
 var native_default = { randomUUID: import_node_crypto2.randomUUID };

-// node_modules/uuid/dist-node/v4.js
+// node_modules/uuid/dist/v4.js
 function _v4(options, buf, offset) {
  options = options || {};
  const rnds = options.random ?? options.rng?.() ?? rng();
@@ -92397,97 +92392,134 @@ function buildPayload(commitOid, ref, analysisKey, analysisName, zippedSarif, wo
  return payloadObj;
 }
 async function uploadFiles(inputSarifPath, checkoutPath, category, features, logger, uploadTarget) {
+  return maybeUploadFiles(
+    inputSarifPath,
+    checkoutPath,
+    category,
+    features,
+    logger,
+    uploadTarget,
+    "always"
+  );
+}
+async function maybeUploadFiles(inputSarifPath, checkoutPath, category, features, logger, uploadTarget, uploadKind) {
  const sarifPaths = getSarifFilePaths(
    inputSarifPath,
    uploadTarget.sarifPredicate
  );
-  return uploadSpecifiedFiles(
+  return maybeUploadSpecifiedFiles(
    sarifPaths,
    checkoutPath,
    category,
    features,
    logger,
-    uploadTarget
+    uploadTarget,
+    uploadKind
  );
 }
 async function uploadSpecifiedFiles(sarifPaths, checkoutPath, category, features, logger, uploadTarget) {
-  logger.startGroup(`Uploading ${uploadTarget.name} results`);
-  logger.info(`Processing sarif files: ${JSON.stringify(sarifPaths)}`);
-  const gitHubVersion = await getGitHubVersion();
-  let sarif;
-  if (sarifPaths.length > 1) {
-    for (const sarifPath of sarifPaths) {
-      const parsedSarif = readSarifFile(sarifPath);
-      validateSarifFileSchema(parsedSarif, sarifPath, logger);
-    }
-    sarif = await combineSarifFilesUsingCLI(
-      sarifPaths,
-      gitHubVersion,
-      features,
-      logger
-    );
-  } else {
-    const sarifPath = sarifPaths[0];
-    sarif = readSarifFile(sarifPath);
-    validateSarifFileSchema(sarif, sarifPath, logger);
-    await throwIfCombineSarifFilesDisabled([sarif], gitHubVersion);
-  }
-  sarif = filterAlertsByDiffRange(logger, sarif);
-  sarif = await addFingerprints(sarif, checkoutPath, logger);
-  const analysisKey = await getAnalysisKey();
-  const environment = getRequiredInput("matrix");
-  sarif = populateRunAutomationDetails(
-    sarif,
+  return maybeUploadSpecifiedFiles(
+    sarifPaths,
+    checkoutPath,
    category,
-    analysisKey,
-    environment
-  );
-  const toolNames = getToolNames(sarif);
-  logger.debug(`Validating that each SARIF run has a unique category`);
-  validateUniqueCategory(sarif, uploadTarget.sentinelPrefix);
-  logger.debug(`Serializing SARIF for upload`);
-  const sarifPayload = JSON.stringify(sarif);
-  const dumpDir = process.env["CODEQL_ACTION_SARIF_DUMP_DIR" /* SARIF_DUMP_DIR */];
-  if (dumpDir) {
-    dumpSarifFile(sarifPayload, dumpDir, logger, uploadTarget);
-  }
-  logger.debug(`Compressing serialized SARIF`);
-  const zippedSarif = import_zlib.default.gzipSync(sarifPayload).toString("base64");
-  const checkoutURI = url.pathToFileURL(checkoutPath).href;
-  const payload = buildPayload(
-    await getCommitOid(checkoutPath),
-    await getRef(),
-    analysisKey,
-    getRequiredEnvParam("GITHUB_WORKFLOW"),
-    zippedSarif,
-    getWorkflowRunID(),
-    getWorkflowRunAttempt(),
-    checkoutURI,
-    environment,
-    toolNames,
-    await determineBaseBranchHeadCommitOid()
-  );
-  const rawUploadSizeBytes = sarifPayload.length;
-  logger.debug(`Raw upload size: ${rawUploadSizeBytes} bytes`);
-  const zippedUploadSizeBytes = zippedSarif.length;
-  logger.debug(`Base64 zipped upload size: ${zippedUploadSizeBytes} bytes`);
-  const numResultInSarif = countResultsInSarif(sarifPayload);
-  logger.debug(`Number of results in upload: ${numResultInSarif}`);
-  const sarifID = await uploadPayload(
-    payload,
-    getRepositoryNwo(),
+    features,
    logger,
-    uploadTarget.target
+    uploadTarget,
+    "always"
  );
-  logger.endGroup();
-  return {
-    statusReport: {
-      raw_upload_size_bytes: rawUploadSizeBytes,
-      zipped_upload_size_bytes: zippedUploadSizeBytes,
-      num_results_in_sarif: numResultInSarif
-    },
-    sarifID
-  };
+}
+async function maybeUploadSpecifiedFiles(sarifPaths, checkoutPath, category, features, logger, uploadTarget, uploadKind) {
+  const dumpDir = process.env["CODEQL_ACTION_SARIF_DUMP_DIR" /* SARIF_DUMP_DIR */];
+  const upload = uploadKind === "always";
+  if (!upload && !dumpDir) {
+    logger.info(`Skipping upload of ${uploadTarget.name} results`);
+    return void 0;
+  }
+  logger.startGroup(`Processing ${uploadTarget.name} results`);
+  try {
+    logger.info(`Processing sarif files: ${JSON.stringify(sarifPaths)}`);
+    const gitHubVersion = await getGitHubVersion();
+    let sarif;
+    if (sarifPaths.length > 1) {
+      for (const sarifPath of sarifPaths) {
+        const parsedSarif = readSarifFile(sarifPath);
+        validateSarifFileSchema(parsedSarif, sarifPath, logger);
+      }
+      sarif = await combineSarifFilesUsingCLI(
+        sarifPaths,
+        gitHubVersion,
+        features,
+        logger
+      );
+    } else {
+      const sarifPath = sarifPaths[0];
+      sarif = readSarifFile(sarifPath);
+      validateSarifFileSchema(sarif, sarifPath, logger);
+      await throwIfCombineSarifFilesDisabled([sarif], gitHubVersion);
+    }
+    sarif = filterAlertsByDiffRange(logger, sarif);
+    sarif = await addFingerprints(sarif, checkoutPath, logger);
+    const analysisKey = await getAnalysisKey();
+    const environment = getRequiredInput("matrix");
+    sarif = populateRunAutomationDetails(
+      sarif,
+      category,
+      analysisKey,
+      environment
+    );
+    const toolNames = getToolNames(sarif);
+    logger.debug(`Validating that each SARIF run has a unique category`);
+    validateUniqueCategory(sarif, uploadTarget.sentinelPrefix);
+    logger.debug(`Serializing SARIF for upload`);
+    const sarifPayload = JSON.stringify(sarif);
+    if (dumpDir) {
+      dumpSarifFile(sarifPayload, dumpDir, logger, uploadTarget);
+    }
+    if (!upload) {
+      logger.info(
+        `Skipping upload of ${uploadTarget.name} results because upload kind is "${uploadKind}"`
+      );
+      return void 0;
+    }
+    logger.debug(`Compressing serialized SARIF`);
+    const zippedSarif = import_zlib.default.gzipSync(sarifPayload).toString("base64");
+    const checkoutURI = url.pathToFileURL(checkoutPath).href;
+    const payload = buildPayload(
+      await getCommitOid(checkoutPath),
+      await getRef(),
+      analysisKey,
+      getRequiredEnvParam("GITHUB_WORKFLOW"),
+      zippedSarif,
+      getWorkflowRunID(),
+      getWorkflowRunAttempt(),
+      checkoutURI,
+      environment,
+      toolNames,
+      await determineBaseBranchHeadCommitOid()
+    );
+    const rawUploadSizeBytes = sarifPayload.length;
+    logger.debug(`Raw upload size: ${rawUploadSizeBytes} bytes`);
+    const zippedUploadSizeBytes = zippedSarif.length;
+    logger.debug(`Base64 zipped upload size: ${zippedUploadSizeBytes} bytes`);
+    const numResultInSarif = countResultsInSarif(sarifPayload);
+    logger.debug(`Number of results in upload: ${numResultInSarif}`);
+    const sarifID = await uploadPayload(
+      payload,
+      getRepositoryNwo(),
+      logger,
+      uploadTarget.target
+    );
+    return {
+      statusReport: {
+        raw_upload_size_bytes: rawUploadSizeBytes,
+        zipped_upload_size_bytes: zippedUploadSizeBytes,
+        num_results_in_sarif: numResultInSarif
+      },
+      sarifID
+    };
+  } finally {
+    logger.endGroup();
+  }
 }
 function dumpSarifFile(sarifPayload, outputDir, logger, uploadTarget) {
  if (!fs13.existsSync(outputDir)) {
@@ -92661,6 +92693,7 @@ function filterAlertsByDiffRange(logger, sarif) {
  buildPayload,
  findSarifFilesInDir,
  getSarifFilePaths,
+  maybeUploadFiles,
  populateRunAutomationDetails,
  readSarifFile,
  shouldConsiderConfigurationError,
@@ -26486,7 +26486,7 @@ var require_package = __commonJS({
        "node-forge": "^1.3.1",
        octokit: "^5.0.3",
        semver: "^7.7.2",
-        uuid: "^13.0.0"
+        uuid: "^12.0.0"
      },
      devDependencies: {
        "@ava/typescript": "6.0.0",
@@ -26536,8 +26536,7 @@ var require_package = __commonJS({
        },
        "eslint-plugin-jsx-a11y": {
          semver: ">=6.3.1"
-        },
-        "brace-expansion@2.0.1": "2.0.2"
+        }
      }
    };
  }
@@ -70468,7 +70467,7 @@ var require_brace_expansion = __commonJS({
        var isSequence = isNumericSequence || isAlphaSequence;
        var isOptions = m.body.indexOf(",") >= 0;
        if (!isSequence && !isOptions) {
-          if (m.post.match(/,(?!,).*\}/)) {
+          if (m.post.match(/,.*\}/)) {
            str2 = m.pre + "{" + m.body + escClose + m.post;
            return expand(str2);
          }
@@ -117493,11 +117492,6 @@ var featureConfig = {
    envVar: "CODEQL_ACTION_QA_TELEMETRY",
    legacyApi: true,
    minimumVersion: void 0
-  },
-  ["java_minimize_dependency_jars" /* JavaMinimizeDependencyJars */]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_JAVA_MINIMIZE_DEPENDENCY_JARS",
-    minimumVersion: "2.23.0"
  }
 };

@@ -32335,7 +32335,7 @@ var require_package = __commonJS({
        "node-forge": "^1.3.1",
        octokit: "^5.0.3",
        semver: "^7.7.2",
-        uuid: "^13.0.0"
+        uuid: "^12.0.0"
      },
      devDependencies: {
        "@ava/typescript": "6.0.0",
@@ -32385,8 +32385,7 @@ var require_package = __commonJS({
        },
        "eslint-plugin-jsx-a11y": {
          semver: ">=6.3.1"
-        },
-        "brace-expansion@2.0.1": "2.0.2"
+        }
      }
    };
  }
@@ -89340,11 +89339,6 @@ var featureConfig = {
    envVar: "CODEQL_ACTION_QA_TELEMETRY",
    legacyApi: true,
    minimumVersion: void 0
-  },
-  ["java_minimize_dependency_jars" /* JavaMinimizeDependencyJars */]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_JAVA_MINIMIZE_DEPENDENCY_JARS",
-    minimumVersion: "2.23.0"
  }
 };
 var FEATURE_FLAGS_FILE_NAME = "cached-feature-flags.json";
@@ -90155,7 +90149,7 @@ var toolcache3 = __toESM(require_tool_cache());
 var import_fast_deep_equal = __toESM(require_fast_deep_equal());
 var semver7 = __toESM(require_semver2());

-// node_modules/uuid/dist-node/stringify.js
+// node_modules/uuid/dist/stringify.js
 var byteToHex = [];
 for (let i = 0; i < 256; ++i) {
  byteToHex.push((i + 256).toString(16).slice(1));
@@ -90164,7 +90158,7 @@ function unsafeStringify(arr, offset = 0) {
  return (byteToHex[arr[offset + 0]] + byteToHex[arr[offset + 1]] + byteToHex[arr[offset + 2]] + byteToHex[arr[offset + 3]] + "-" + byteToHex[arr[offset + 4]] + byteToHex[arr[offset + 5]] + "-" + byteToHex[arr[offset + 6]] + byteToHex[arr[offset + 7]] + "-" + byteToHex[arr[offset + 8]] + byteToHex[arr[offset + 9]] + "-" + byteToHex[arr[offset + 10]] + byteToHex[arr[offset + 11]] + byteToHex[arr[offset + 12]] + byteToHex[arr[offset + 13]] + byteToHex[arr[offset + 14]] + byteToHex[arr[offset + 15]]).toLowerCase();
 }

-// node_modules/uuid/dist-node/rng.js
+// node_modules/uuid/dist/rng.js
 var import_node_crypto = require("node:crypto");
 var rnds8Pool = new Uint8Array(256);
 var poolPtr = rnds8Pool.length;
@@ -90176,11 +90170,11 @@ function rng() {
  return rnds8Pool.slice(poolPtr, poolPtr += 16);
 }

-// node_modules/uuid/dist-node/native.js
+// node_modules/uuid/dist/native.js
 var import_node_crypto2 = require("node:crypto");
 var native_default = { randomUUID: import_node_crypto2.randomUUID };

-// node_modules/uuid/dist-node/v4.js
+// node_modules/uuid/dist/v4.js
 function _v4(options, buf, offset) {
  options = options || {};
  const rnds = options.random ?? options.rng?.() ?? rng();
@@ -92985,6 +92979,23 @@ function findSarifFilesInDir(sarifPath, isSarif) {
  walkSarifFiles(sarifPath);
  return sarifFiles;
 }
+function getSarifFilePaths(sarifPath, isSarif) {
+  if (!fs14.existsSync(sarifPath)) {
+    throw new ConfigurationError(`Path does not exist: ${sarifPath}`);
+  }
+  let sarifFiles;
+  if (fs14.lstatSync(sarifPath).isDirectory()) {
+    sarifFiles = findSarifFilesInDir(sarifPath, isSarif);
+    if (sarifFiles.length === 0) {
+      throw new ConfigurationError(
+        `No SARIF files found to upload in "${sarifPath}".`
+      );
+    }
+  } else {
+    sarifFiles = [sarifPath];
+  }
+  return sarifFiles;
+}
 function countResultsInSarif(sarif) {
  let numResults = 0;
  const parsedSarif = JSON.parse(sarif);
@@ -93080,84 +93091,135 @@ function buildPayload(commitOid, ref, analysisKey, analysisName, zippedSarif, wo
  }
  return payloadObj;
 }
-async function uploadSpecifiedFiles(sarifPaths, checkoutPath, category, features, logger, uploadTarget) {
-  logger.startGroup(`Uploading ${uploadTarget.name} results`);
-  logger.info(`Processing sarif files: ${JSON.stringify(sarifPaths)}`);
-  const gitHubVersion = await getGitHubVersion();
-  let sarif;
-  if (sarifPaths.length > 1) {
-    for (const sarifPath of sarifPaths) {
-      const parsedSarif = readSarifFile(sarifPath);
-      validateSarifFileSchema(parsedSarif, sarifPath, logger);
-    }
-    sarif = await combineSarifFilesUsingCLI(
-      sarifPaths,
-      gitHubVersion,
-      features,
-      logger
-    );
-  } else {
-    const sarifPath = sarifPaths[0];
-    sarif = readSarifFile(sarifPath);
-    validateSarifFileSchema(sarif, sarifPath, logger);
-    await throwIfCombineSarifFilesDisabled([sarif], gitHubVersion);
-  }
-  sarif = filterAlertsByDiffRange(logger, sarif);
-  sarif = await addFingerprints(sarif, checkoutPath, logger);
-  const analysisKey = await getAnalysisKey();
-  const environment = getRequiredInput("matrix");
-  sarif = populateRunAutomationDetails(
-    sarif,
+async function uploadFiles(inputSarifPath, checkoutPath, category, features, logger, uploadTarget) {
+  return maybeUploadFiles(
+    inputSarifPath,
+    checkoutPath,
    category,
-    analysisKey,
-    environment
-  );
-  const toolNames = getToolNames(sarif);
-  logger.debug(`Validating that each SARIF run has a unique category`);
-  validateUniqueCategory(sarif, uploadTarget.sentinelPrefix);
-  logger.debug(`Serializing SARIF for upload`);
-  const sarifPayload = JSON.stringify(sarif);
-  const dumpDir = process.env["CODEQL_ACTION_SARIF_DUMP_DIR" /* SARIF_DUMP_DIR */];
-  if (dumpDir) {
-    dumpSarifFile(sarifPayload, dumpDir, logger, uploadTarget);
-  }
-  logger.debug(`Compressing serialized SARIF`);
-  const zippedSarif = import_zlib.default.gzipSync(sarifPayload).toString("base64");
-  const checkoutURI = url.pathToFileURL(checkoutPath).href;
-  const payload = buildPayload(
-    await getCommitOid(checkoutPath),
-    await getRef(),
-    analysisKey,
-    getRequiredEnvParam("GITHUB_WORKFLOW"),
-    zippedSarif,
-    getWorkflowRunID(),
-    getWorkflowRunAttempt(),
-    checkoutURI,
-    environment,
-    toolNames,
-    await determineBaseBranchHeadCommitOid()
-  );
-  const rawUploadSizeBytes = sarifPayload.length;
-  logger.debug(`Raw upload size: ${rawUploadSizeBytes} bytes`);
-  const zippedUploadSizeBytes = zippedSarif.length;
-  logger.debug(`Base64 zipped upload size: ${zippedUploadSizeBytes} bytes`);
-  const numResultInSarif = countResultsInSarif(sarifPayload);
-  logger.debug(`Number of results in upload: ${numResultInSarif}`);
-  const sarifID = await uploadPayload(
-    payload,
-    getRepositoryNwo(),
+    features,
    logger,
-    uploadTarget.target
+    uploadTarget,
+    "always"
  );
-  logger.endGroup();
-  return {
-    statusReport: {
-      raw_upload_size_bytes: rawUploadSizeBytes,
-      zipped_upload_size_bytes: zippedUploadSizeBytes,
-      num_results_in_sarif: numResultInSarif
-    },
-    sarifID
-  };
+}
+async function maybeUploadFiles(inputSarifPath, checkoutPath, category, features, logger, uploadTarget, uploadKind) {
+  const sarifPaths = getSarifFilePaths(
+    inputSarifPath,
+    uploadTarget.sarifPredicate
+  );
+  return maybeUploadSpecifiedFiles(
+    sarifPaths,
+    checkoutPath,
+    category,
+    features,
+    logger,
+    uploadTarget,
+    uploadKind
+  );
+}
+async function uploadSpecifiedFiles(sarifPaths, checkoutPath, category, features, logger, uploadTarget) {
+  return maybeUploadSpecifiedFiles(
+    sarifPaths,
+    checkoutPath,
+    category,
+    features,
+    logger,
+    uploadTarget,
+    "always"
+  );
+}
+async function maybeUploadSpecifiedFiles(sarifPaths, checkoutPath, category, features, logger, uploadTarget, uploadKind) {
+  const dumpDir = process.env["CODEQL_ACTION_SARIF_DUMP_DIR" /* SARIF_DUMP_DIR */];
+  const upload = uploadKind === "always";
+  if (!upload && !dumpDir) {
+    logger.info(`Skipping upload of ${uploadTarget.name} results`);
+    return void 0;
+  }
+  logger.startGroup(`Processing ${uploadTarget.name} results`);
+  try {
+    logger.info(`Processing sarif files: ${JSON.stringify(sarifPaths)}`);
+    const gitHubVersion = await getGitHubVersion();
+    let sarif;
+    if (sarifPaths.length > 1) {
+      for (const sarifPath of sarifPaths) {
+        const parsedSarif = readSarifFile(sarifPath);
+        validateSarifFileSchema(parsedSarif, sarifPath, logger);
+      }
+      sarif = await combineSarifFilesUsingCLI(
+        sarifPaths,
+        gitHubVersion,
+        features,
+        logger
+      );
+    } else {
+      const sarifPath = sarifPaths[0];
+      sarif = readSarifFile(sarifPath);
+      validateSarifFileSchema(sarif, sarifPath, logger);
+      await throwIfCombineSarifFilesDisabled([sarif], gitHubVersion);
+    }
+    sarif = filterAlertsByDiffRange(logger, sarif);
+    sarif = await addFingerprints(sarif, checkoutPath, logger);
+    const analysisKey = await getAnalysisKey();
+    const environment = getRequiredInput("matrix");
+    sarif = populateRunAutomationDetails(
+      sarif,
+      category,
+      analysisKey,
+      environment
+    );
+    const toolNames = getToolNames(sarif);
+    logger.debug(`Validating that each SARIF run has a unique category`);
+    validateUniqueCategory(sarif, uploadTarget.sentinelPrefix);
+    logger.debug(`Serializing SARIF for upload`);
+    const sarifPayload = JSON.stringify(sarif);
+    if (dumpDir) {
+      dumpSarifFile(sarifPayload, dumpDir, logger, uploadTarget);
+    }
+    if (!upload) {
+      logger.info(
+        `Skipping upload of ${uploadTarget.name} results because upload kind is "${uploadKind}"`
+      );
+      return void 0;
+    }
+    logger.debug(`Compressing serialized SARIF`);
+    const zippedSarif = import_zlib.default.gzipSync(sarifPayload).toString("base64");
+    const checkoutURI = url.pathToFileURL(checkoutPath).href;
+    const payload = buildPayload(
+      await getCommitOid(checkoutPath),
+      await getRef(),
+      analysisKey,
+      getRequiredEnvParam("GITHUB_WORKFLOW"),
+      zippedSarif,
+      getWorkflowRunID(),
+      getWorkflowRunAttempt(),
+      checkoutURI,
+      environment,
+      toolNames,
+      await determineBaseBranchHeadCommitOid()
+    );
+    const rawUploadSizeBytes = sarifPayload.length;
+    logger.debug(`Raw upload size: ${rawUploadSizeBytes} bytes`);
+    const zippedUploadSizeBytes = zippedSarif.length;
+    logger.debug(`Base64 zipped upload size: ${zippedUploadSizeBytes} bytes`);
+    const numResultInSarif = countResultsInSarif(sarifPayload);
+    logger.debug(`Number of results in upload: ${numResultInSarif}`);
+    const sarifID = await uploadPayload(
+      payload,
+      getRepositoryNwo(),
+      logger,
+      uploadTarget.target
+    );
+    return {
+      statusReport: {
+        raw_upload_size_bytes: rawUploadSizeBytes,
+        zipped_upload_size_bytes: zippedUploadSizeBytes,
+        num_results_in_sarif: numResultInSarif
+      },
+      sarifID
+    };
+  } finally {
+    logger.endGroup();
+  }
 }
 function dumpSarifFile(sarifPayload, outputDir, logger, uploadTarget) {
  if (!fs14.existsSync(outputDir)) {
@@ -93327,30 +93389,6 @@ function filterAlertsByDiffRange(logger, sarif) {
 }

 // src/upload-sarif-action.ts
-async function findAndUpload(logger, features, sarifPath, pathStats, checkoutPath, analysis, category) {
-  let sarifFiles;
-  if (pathStats.isDirectory()) {
-    sarifFiles = findSarifFilesInDir(
-      sarifPath,
-      analysis.sarifPredicate
-    );
-  } else if (pathStats.isFile() && analysis.sarifPredicate(sarifPath)) {
-    sarifFiles = [sarifPath];
-  } else {
-    return void 0;
-  }
-  if (sarifFiles.length !== 0) {
-    return await uploadSpecifiedFiles(
-      sarifFiles,
-      checkoutPath,
-      category,
-      features,
-      logger,
-      analysis
-    );
-  }
-  return void 0;
-}
 async function sendSuccessStatusReport(startedAt, uploadStats, logger) {
  const statusReportBase = await createStatusReportBase(
    "upload-sarif" /* UploadSarif */,
@@ -93397,59 +93435,41 @@ async function run() {
    const sarifPath = getRequiredInput("sarif_file");
    const checkoutPath = getRequiredInput("checkout_path");
    const category = getOptionalInput("category");
-    const pathStats = fs15.lstatSync(sarifPath, { throwIfNoEntry: false });
-    if (pathStats === void 0) {
-      throw new ConfigurationError(`Path does not exist: ${sarifPath}.`);
-    }
-    const sarifIds = [];
-    const uploadResult = await findAndUpload(
-      logger,
-      features,
+    const uploadResult = await uploadFiles(
      sarifPath,
-      pathStats,
      checkoutPath,
-      CodeScanning,
-      category
-    );
-    if (uploadResult !== void 0) {
-      core13.setOutput("sarif-id", uploadResult.sarifID);
-      sarifIds.push({
-        analysis: "code-scanning" /* CodeScanning */,
-        id: uploadResult.sarifID
-      });
-    }
-    const qualityUploadResult = await findAndUpload(
-      logger,
+      category,
      features,
-      sarifPath,
-      pathStats,
-      checkoutPath,
-      CodeQuality,
-      fixCodeQualityCategory(logger, category)
+      logger,
+      CodeScanning
    );
-    if (qualityUploadResult !== void 0) {
-      sarifIds.push({
-        analysis: "code-quality" /* CodeQuality */,
-        id: qualityUploadResult.sarifID
-      });
-    }
-    core13.setOutput("sarif-ids", JSON.stringify(sarifIds));
-    if (isInTestMode()) {
-      core13.debug("In test mode. Waiting for processing is disabled.");
-    } else if (getRequiredInput("wait-for-processing") === "true") {
-      if (uploadResult !== void 0) {
-        await waitForProcessing(
-          getRepositoryNwo(),
-          uploadResult.sarifID,
-          logger
+    core13.setOutput("sarif-id", uploadResult.sarifID);
+    if (fs15.lstatSync(sarifPath).isDirectory()) {
+      const qualitySarifFiles = findSarifFilesInDir(
+        sarifPath,
+        CodeQuality.sarifPredicate
+      );
+      if (qualitySarifFiles.length !== 0) {
+        await uploadSpecifiedFiles(
+          qualitySarifFiles,
+          checkoutPath,
+          fixCodeQualityCategory(logger, category),
+          features,
+          logger,
+          CodeQuality
        );
      }
    }
-    await sendSuccessStatusReport(
-      startedAt,
-      uploadResult?.statusReport || {},
-      logger
-    );
+    if (isInTestMode()) {
+      core13.debug("In test mode. Waiting for processing is disabled.");
+    } else if (getRequiredInput("wait-for-processing") === "true") {
+      await waitForProcessing(
+        getRepositoryNwo(),
+        uploadResult.sarifID,
+        logger
+      );
+    }
+    await sendSuccessStatusReport(startedAt, uploadResult.statusReport, logger);
  } catch (unwrappedError) {
    const error2 = isThirdPartyAnalysis("upload-sarif" /* UploadSarif */) && unwrappedError instanceof InvalidSarifUploadError ? new ConfigurationError(unwrappedError.message) : wrapError(unwrappedError);
    const message = error2.message;
@@ -34,7 +34,7 @@
        "node-forge": "^1.3.1",
        "octokit": "^5.0.3",
        "semver": "^7.7.2",
-        "uuid": "^13.0.0"
+        "uuid": "^12.0.0"
      },
      "devDependencies": {
        "@ava/typescript": "6.0.0",
@@ -3164,9 +3164,9 @@
      }
    },
    "node_modules/@typescript-eslint/typescript-estree/node_modules/brace-expansion": {
-      "version": "2.0.2",
-      "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-2.0.2.tgz",
-      "integrity": "sha512-Jt0vHyM+jmUBqojB7E1NIYadt0vI0Qxjxd2TErW94wDz+E2LAm5vKMXXwg6ZZBTHPuUlDgQHKXvjGBdfcF1ZDQ==",
+      "version": "2.0.1",
+      "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-2.0.1.tgz",
+      "integrity": "sha512-XnAIvQ8eM+kC6aULx6wuQiwVsnzsi9d3WxzV3FpWTGA19F621kwdbsAcFKXgKUHZWsy+mY6iL1sHTxWEFCytDA==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
@@ -7792,9 +7792,9 @@
      }
    },
    "node_modules/readdir-glob/node_modules/brace-expansion": {
-      "version": "2.0.2",
-      "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-2.0.2.tgz",
-      "integrity": "sha512-Jt0vHyM+jmUBqojB7E1NIYadt0vI0Qxjxd2TErW94wDz+E2LAm5vKMXXwg6ZZBTHPuUlDgQHKXvjGBdfcF1ZDQ==",
+      "version": "2.0.1",
+      "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-2.0.1.tgz",
+      "integrity": "sha512-XnAIvQ8eM+kC6aULx6wuQiwVsnzsi9d3WxzV3FpWTGA19F621kwdbsAcFKXgKUHZWsy+mY6iL1sHTxWEFCytDA==",
      "license": "MIT",
      "dependencies": {
        "balanced-match": "^1.0.0"
@@ -9076,16 +9076,16 @@
      "license": "MIT"
    },
    "node_modules/uuid": {
-      "version": "13.0.0",
-      "resolved": "https://registry.npmjs.org/uuid/-/uuid-13.0.0.tgz",
-      "integrity": "sha512-XQegIaBTVUjSHliKqcnFqYypAd4S+WCYt5NIeRs6w/UAry7z8Y9j5ZwRRL4kzq9U3sD6v+85er9FvkEaBpji2w==",
+      "version": "12.0.0",
+      "resolved": "https://registry.npmjs.org/uuid/-/uuid-12.0.0.tgz",
+      "integrity": "sha512-USe1zesMYh4fjCA8ZH5+X5WIVD0J4V1Jksm1bFTVBX2F/cwSXt0RO5w/3UXbdLKmZX65MiWV+hwhSS8p6oBTGA==",
      "funding": [
        "https://github.com/sponsors/broofa",
        "https://github.com/sponsors/ctavan"
      ],
      "license": "MIT",
      "bin": {
-        "uuid": "dist-node/bin/uuid"
+        "uuid": "dist/bin/uuid"
      }
    },
    "node_modules/webidl-conversions": {
@@ -48,7 +48,7 @@
    "node-forge": "^1.3.1",
    "octokit": "^5.0.3",
    "semver": "^7.7.2",
-    "uuid": "^13.0.0"
+    "uuid": "^12.0.0"
  },
  "devDependencies": {
    "@ava/typescript": "6.0.0",
@@ -98,7 +98,6 @@
    },
    "eslint-plugin-jsx-a11y": {
      "semver": ">=6.3.1"
-    },
-    "brace-expansion@2.0.1": "2.0.2"
+    }
  }
 }
@@ -12,5 +12,6 @@ steps:
      languages: cpp,csharp,go,java,javascript,python,ruby
      tools: ${{ steps.prepare-test.outputs.tools-url }}
  - name: Build code
+    shell: bash
    run: ./build.sh
  - uses: ./../action/analyze
@@ -9,6 +9,7 @@ steps:
      languages: cpp,csharp,java,javascript,python
      config-file: ${{ github.repository }}/tests/multi-language-repo/.github/codeql/custom-queries.yml@${{ github.sha }}
  - name: Build code
+    shell: bash
    run: ./build.sh
  - uses: ./../action/analyze
    with:
@@ -17,6 +17,7 @@ steps:
      CORECLR_PROFILER_PATH_64: ""
  - uses: ./../action/analyze
  - name: Check database
+    shell: bash
    run: |
      cd "$RUNNER_TEMP/codeql_databases"
      if [[ ! -d csharp ]]; then
@@ -10,6 +10,7 @@ env:
  CODEQL_ACTION_AUTOBUILD_BUILD_MODE_DIRECT_TRACING: true
 steps:
  - name: Test setup
+    shell: bash
    run: |
      # Make sure that Gradle build succeeds in autobuild-dir ...
      cp -a ../action/tests/java-repo autobuild-dir
@@ -21,6 +22,7 @@ steps:
      languages: java
      tools: ${{ steps.prepare-test.outputs.tools-url }}
  - name: Check that indirect tracing is disabled
+    shell: bash
    run: |
      if [[ ! -z "${CODEQL_RUNNER}" ]]; then
        echo "Expected indirect tracing to be disabled, but the" \
@@ -7,6 +7,7 @@ env:
  CODEQL_ACTION_AUTOBUILD_BUILD_MODE_DIRECT_TRACING: true
 steps:
  - name: Set up Java test repo configuration
+    shell: bash
    run: |
      mv * .github ../action/tests/multi-language-repo/
      mv ../action/tests/multi-language-repo/.github/workflows .github
@@ -21,6 +22,7 @@ steps:
      tools: ${{ steps.prepare-test.outputs.tools-url }}

  - name: Check that indirect tracing is disabled
+    shell: bash
    run: |
      if [[ ! -z "${CODEQL_RUNNER}" ]]; then
        echo "Expected indirect tracing to be disabled, but the" \
@@ -22,6 +22,7 @@ steps:
      fi

  - name: Build code
+    shell: bash
    run: ./build.sh

  - uses: ./../action/analyze
@@ -6,6 +6,7 @@ env:
  DOTNET_GENERATE_ASPNET_CERTIFICATE: "false"
 steps:
  - name: Test setup
+    shell: bash
    run: |
      cp -a ../action/tests/cpp-autobuild autobuild-dir
  - uses: ./../action/init
@@ -17,7 +18,8 @@ steps:
      working-directory: autobuild-dir
    env:
      CODEQL_EXTRACTOR_CPP_AUTOINSTALL_DEPENDENCIES: false
-  - run: |
+  - shell: bash
+    run: |
      if ls /usr/bin/errno; then
        echo "C/C++ autobuild installed errno, but it should not have since auto-install dependencies is disabled."
        exit 1
@@ -6,6 +6,7 @@ env:
  DOTNET_GENERATE_ASPNET_CERTIFICATE: "false"
 steps:
  - name: Test setup
+    shell: bash
    run: |
      cp -a ../action/tests/cpp-autobuild autobuild-dir
  - uses: ./../action/init
@@ -17,7 +18,8 @@ steps:
      working-directory: autobuild-dir
    env:
      CODEQL_EXTRACTOR_CPP_AUTOINSTALL_DEPENDENCIES: true
-  - run: |
+  - shell: bash
+    run: |
      if ! ls /usr/bin/errno; then
        echo "As expected, CODEQL_EXTRACTOR_CPP_AUTOINSTALL_DEPENDENCIES is a no-op on macOS"
      else
@@ -6,6 +6,7 @@ env:
  DOTNET_GENERATE_ASPNET_CERTIFICATE: "false"
 steps:
  - name: Test setup
+    shell: bash
    run: |
      cp -a ../action/tests/cpp-autobuild autobuild-dir
  - uses: ./../action/init
@@ -17,7 +18,8 @@ steps:
      working-directory: autobuild-dir
    env:
      CODEQL_EXTRACTOR_CPP_AUTOINSTALL_DEPENDENCIES: true
-  - run: |
+  - shell: bash
+    run: |
      if ! ls /usr/bin/errno; then
        echo "Did not autoinstall errno"
        exit 1
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Paolo Tranquilli	9fbfe02d3e	Merge branch 'main' into redsun82/dump-sarif	2025-09-12 12:32:52 +02:00
Paolo Tranquilli	53b268a8f0	Prepare for merge from main	2025-09-12 12:28:03 +02:00
Paolo Tranquilli	33a31c1c92	Do not prettify dumped SARIF file	2025-09-09 17:05:44 +02:00
Paolo Tranquilli	a7fb336064	Introduce `CODEQL_ACTION_SARIF_DUMP_DIR` Setting it will cause the SARIF files that would be uploaded to be dumped to the specified directory as `upload.sarif` or `upload.quality.sarif`. Crucially, this happens even if uploads are disabled, which is useful for testing.	2025-09-09 15:17:17 +02:00