Update changelog for v4.36.2

Merge pull request #3948 from github/update-bundle/codeql-bundle-v2.25.6
Update default bundle to 2.25.6
2026-06-04 12:54:26 +00:00 · 2026-06-04 11:17:27 +00:00 · 2026-06-04 10:56:27 +00:00 · 2026-06-04 10:43:06 +00:00 · 2026-06-04 10:42:59 +00:00 · 2026-06-04 10:38:05 +00:00
121 changed files with 2112 additions and 95162 deletions
@@ -41,7 +41,38 @@ runs:
        git add .
        git commit -m "Update changelog and version after ${VERSION}"

-        git push origin "${NEW_BRANCH}"
+    # Update the build artifacts with the new version number
+    - name: Rebuild the Action
+      shell: bash
+      run: |
+        set -exu
+        npm ci
+        npm run build
+
+    - name: Check for rebuild changes
+      id: rebuild_changes
+      shell: bash
+      run: |
+        set -exu
+        git add --all
+        if git diff --cached --quiet; then
+          echo "has_changes=false" >> "${GITHUB_OUTPUT}"
+        else
+          echo "has_changes=true" >> "${GITHUB_OUTPUT}"
+        fi
+
+    - name: Commit rebuild
+      if: steps.rebuild_changes.outputs.has_changes == 'true'
+      shell: bash
+      run: |
+        set -exu
+        git commit -m "Rebuild"
+
+    - name: Push mergeback branch
+      shell: bash
+      env:
+        NEW_BRANCH: "${{ inputs.branch }}"
+      run: git push origin "${NEW_BRANCH}"

    - name: Create PR
      shell: bash
@@ -60,8 +91,6 @@ runs:

          Please do the following:

-          - [ ] Remove and re-add the "Rebuild" label to the PR to trigger just this workflow.
-          - [ ] Wait for the "Rebuild" workflow to push a commit updating the distribution files.
          - [ ] Mark the PR as ready for review to trigger the full set of PR checks.
          - [ ] Approve and merge the PR. When merging the PR, make sure "Create a merge commit" is
                selected rather than "Squash and merge" or "Rebase and merge".
@@ -74,7 +103,6 @@ runs:
          --head "${NEW_BRANCH}" \
          --base "${BASE_BRANCH}" \
          --title "${pr_title}" \
-          --label "Rebuild" \
          --body "${pr_body}" \
          --assignee "${GITHUB_ACTOR}" \
          --draft
@@ -16,13 +16,13 @@ runs:
      shell: bash

    - name: Set up Node
-      uses: actions/setup-node@v6
+      uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
      with:
-        node-version: 20
+        node-version: 24
        cache: 'npm'

    - name: Set up Python
-      uses: actions/setup-python@v6
+      uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
      with:
        python-version: '3.12'

@@ -19,6 +19,10 @@ No user facing changes.
 # Changing it requires a transition period where both old and new versions are supported.
 BACKPORT_COMMIT_MESSAGE = 'Update version and changelog for v'

+# Commit message used for rebuild commits, both those produced by this script and those produced
+# by the `Rebuild Action` workflow (`.github/workflows/rebuild.yml`).
+REBUILD_COMMIT_MESSAGE = 'Rebuild'
+
 # Name of the remote
 ORIGIN = 'origin'

@@ -43,6 +47,28 @@ def run_git(*args, allow_non_zero_exit_code=False):
    raise Exception(f'Call to {" ".join(cmd)} exited with code {p.returncode} stderr: {p.stderr.decode("ascii")}.')
  return p.stdout.decode('ascii')

+# Runs the given command, streaming output to the console.
+# Raises an error if the command does not exit successfully.
+def run_command(*args):
+  cmd = list(args)
+  print(f'Running `{" ".join(cmd)}`.')
+  subprocess.run(cmd, check=True)
+
+# Rebuilds the action and commits any changes.
+def rebuild_action():
+  # For backports, the only source-level change vs the source branch is the new version number,
+  # so we just need to refresh the version embedded in `lib/`.
+  run_command('npm', 'ci')
+  run_command('npm', 'run', 'build')
+
+  run_git('add', '--all')
+  # `git diff --cached --quiet` exits 0 if there are no staged changes, 1 if there are.
+  if subprocess.run(['git', 'diff', '--cached', '--quiet']).returncode == 0:
+    print('Rebuild produced no changes; skipping Rebuild commit.')
+  else:
+    run_git('commit', '-m', REBUILD_COMMIT_MESSAGE)
+    print('Created Rebuild commit.')
+
 # Returns true if the given branch exists on the origin remote
 def branch_exists_on_remote(branch_name):
  return run_git('ls-remote', '--heads', ORIGIN, branch_name).strip() != ''
@@ -98,9 +124,11 @@ def open_pr(
  body.append('Please do the following:')
  if len(conflicted_files) > 0:
    body.append(' - [ ] Ensure `package.json` file contains the correct version.')
-    body.append(' - [ ] Add commits to this branch to resolve the merge conflicts ' +
+    body.append(' - [ ] Add a commit to this branch to resolve the merge conflicts ' +
      'in the following files:')
-    body.extend([f'    - [ ] `{file}`' for file in conflicted_files])
+    body.extend([f'    - `{file}`' for file in conflicted_files])
+    body.append(' - [ ] Rebuild the Action locally (`npm run build`) and push any changes to the ' +
+      f'built output in `lib` as a separate commit named exactly `{REBUILD_COMMIT_MESSAGE}`.')
    body.append(' - [ ] Ensure another maintainer has reviewed the additional commits you added to this ' +
      'branch to resolve the merge conflicts.')
  body.append(' - [ ] Ensure the CHANGELOG displays the correct version and date.')
@@ -108,10 +136,6 @@ def open_pr(
  body.append(f' - [ ] Check that there are not any unexpected commits being merged into the `{target_branch}` branch.')
  body.append(' - [ ] Ensure the docs team is aware of any documentation changes that need to be released.')

-  if not is_primary_release:
-    body.append(' - [ ] Remove and re-add the "Rebuild" label to the PR to trigger just this workflow.')
-    body.append(' - [ ] Wait for the "Rebuild" workflow to push a commit updating the distribution files.')
-
  body.append(' - [ ] Mark the PR as ready for review to trigger the full set of PR checks.')
  body.append(' - [ ] Approve and merge this PR. Make sure `Create a merge commit` is selected rather than `Squash and merge` or `Rebase and merge`.')

@@ -120,13 +144,11 @@ def open_pr(
    body.append(' - [ ] Merge all backport PRs to older release branches, that will automatically be created once this PR is merged.')

  title = f'Merge {source_branch} into {target_branch}'
-  labels = ['Rebuild'] if not is_primary_release else []

  # Create the pull request
  # PR checks won't be triggered on PRs created by Actions. Therefore mark the PR as draft so that
  # a maintainer can take the PR out of draft, thereby triggering the PR checks.
  pr = repo.create_pull(title=title, body='\n'.join(body), head=new_branch_name, base=target_branch, draft=True)
-  pr.add_to_labels(*labels)
  print(f'Created PR #{str(pr.number)}')

  # Assign the conductor
@@ -385,8 +407,9 @@ def main():
      # releases.
      run_git('revert', vOlder_update_commits[0], '--no-edit')

-      # Also revert the "Rebuild" commit created by Actions.
-      rebuild_commit = run_git('log', '--grep', '^Rebuild$', '--format=%H').split()[0]
+      # Also revert the "Rebuild" commit, whether created by this script or by the
+      # `Rebuild Action` workflow.
+      rebuild_commit = run_git('log', '--grep', f'^{REBUILD_COMMIT_MESSAGE}$', '--format=%H').split()[0]
      print(f'  Reverting {rebuild_commit}')
      run_git('revert', rebuild_commit, '--no-edit')

@@ -401,9 +424,10 @@ def main():
      run_git('add', '.')
      run_git('commit', '--no-edit')

-    # Migrate the package version number from a vLatest version number to a vOlder version number
+    # Migrate the package version number from a vLatest version number to a vOlder version number.
+    # `package-lock.json` is updated as part of the subsequent rebuild step (see `rebuild_action`).
    print(f'Setting version number to {version} in package.json')
-    replace_version_package_json(get_current_version(), version) # We rely on the `Rebuild` workflow to update package-lock.json
+    replace_version_package_json(get_current_version(), version)
    run_git('add', 'package.json')

    # Migrate the changelog notes from vLatest version numbers to vOlder version numbers
@@ -426,6 +450,13 @@ def main():
    run_git('add', 'CHANGELOG.md')
    run_git('commit', '-m', f'Update changelog for v{version}')

+  if not is_primary_release:
+    if len(conflicted_files) == 0:
+      print('Rebuilding the Action.')
+      rebuild_action()
+    else:
+      print(f'Skipping automatic rebuild because the merge produced conflicts in {conflicted_files}.')
+
  run_git('push', ORIGIN, new_branch_name)

  # Open a PR to update the branch
@@ -74,13 +74,13 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
      - name: Install .NET
-        uses: actions/setup-dotnet@v5
+        uses: actions/setup-dotnet@9a946fdbd5fb07b82b2f5a4466058b876ab72bb2 # v5.3.0
        with:
          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - name: Install Go
-        uses: actions/setup-go@v6
+        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
        with:
          go-version: ${{ inputs.go-version || '>=1.21.0' }}
          cache: false
@@ -72,7 +72,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -92,7 +92,7 @@ jobs:
          post-processed-sarif-path: '${{ runner.temp }}/post-processed'

      - name: Upload SARIF files
-        uses: actions/upload-artifact@v7
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
        with:
          name: |
            analysis-kinds-${{ matrix.os }}-${{ matrix.version }}-${{ matrix.analysis-kinds }}
@@ -100,7 +100,7 @@ jobs:
          retention-days: 7

      - name: Upload post-processed SARIF
-        uses: actions/upload-artifact@v7
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
        with:
          name: |
            post-processed-${{ matrix.os }}-${{ matrix.version }}-${{ matrix.analysis-kinds }}
@@ -110,7 +110,7 @@ jobs:

      - name: Check quality query does not appear in security SARIF
        if: contains(matrix.analysis-kinds, 'code-scanning')
-        uses: actions/github-script@v8
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
        env:
          SARIF_PATH: '${{ runner.temp }}/results/javascript.sarif'
          EXPECT_PRESENT: 'false'
@@ -118,7 +118,7 @@ jobs:
          script: ${{ env.CHECK_SCRIPT }}
      - name: Check quality query appears in quality SARIF
        if: contains(matrix.analysis-kinds, 'code-quality')
-        uses: actions/github-script@v8
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
        env:
          SARIF_PATH: '${{ runner.temp }}/results/javascript.quality.sarif'
          EXPECT_PRESENT: 'true'
@@ -70,13 +70,13 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
      - name: Install .NET
-        uses: actions/setup-dotnet@v5
+        uses: actions/setup-dotnet@9a946fdbd5fb07b82b2f5a4466058b876ab72bb2 # v5.3.0
        with:
          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - name: Install Go
-        uses: actions/setup-go@v6
+        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
        with:
          go-version: ${{ inputs.go-version || '>=1.21.0' }}
          cache: false
@@ -64,9 +64,9 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
      - name: Install .NET
-        uses: actions/setup-dotnet@v5
+        uses: actions/setup-dotnet@9a946fdbd5fb07b82b2f5a4466058b876ab72bb2 # v5.3.0
        with:
          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - name: Prepare test
@@ -66,9 +66,9 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
      - name: Install Java
-        uses: actions/setup-java@v5
+        uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0
        with:
          java-version: ${{ inputs.java-version || '17' }}
          distribution: temurin
@@ -50,7 +50,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -66,9 +66,9 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
      - name: Install Java
-        uses: actions/setup-java@v5
+        uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0
        with:
          java-version: ${{ inputs.java-version || '17' }}
          distribution: temurin
@@ -70,13 +70,13 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
      - name: Install .NET
-        uses: actions/setup-dotnet@v5
+        uses: actions/setup-dotnet@9a946fdbd5fb07b82b2f5a4466058b876ab72bb2 # v5.3.0
        with:
          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - name: Install Go
-        uses: actions/setup-go@v6
+        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
        with:
          go-version: ${{ inputs.go-version || '>=1.21.0' }}
          cache: false
@@ -52,7 +52,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -50,7 +50,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -50,7 +50,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -50,7 +50,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -62,7 +62,7 @@ jobs:
        run: npm install @actions/tool-cache@3
      - name: Check toolcache contains CodeQL
        continue-on-error: true
-        uses: actions/github-script@v8
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
        with:
          script: |
            const toolcache = require('@actions/tool-cache');
@@ -75,7 +75,7 @@ jobs:
        with:
          tools: ${{ steps.prepare-test.outputs.tools-url }}
      - name: Check CodeQL is installed within the toolcache
-        uses: actions/github-script@v8
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
        with:
          script: |
            const toolcache = require('@actions/tool-cache');
@@ -54,7 +54,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -63,7 +63,7 @@ jobs:
          use-all-platform-bundle: 'false'
          setup-kotlin: 'true'
      - name: Remove CodeQL from toolcache
-        uses: actions/github-script@v8
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
        with:
          script: |
            const fs = require('fs');
@@ -73,7 +73,7 @@ jobs:
      - name: Install @actions/tool-cache
        run: npm install @actions/tool-cache@3
      - name: Check toolcache does not contain CodeQL
-        uses: actions/github-script@v8
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
        with:
          script: |
            const toolcache = require('@actions/tool-cache');
@@ -92,7 +92,7 @@ jobs:
          output: ${{ runner.temp }}/results
          upload-database: false
      - name: Check CodeQL is installed within the toolcache
-        uses: actions/github-script@v8
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
        with:
          script: |
            const toolcache = require('@actions/tool-cache');
@@ -54,7 +54,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -63,7 +63,7 @@ jobs:
          use-all-platform-bundle: 'false'
          setup-kotlin: 'true'
      - name: Remove CodeQL from toolcache
-        uses: actions/github-script@v8
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
        with:
          script: |
            const fs = require('fs');
@@ -82,13 +82,13 @@ jobs:
          output: ${{ runner.temp }}/results
          upload-database: false
      - name: Upload SARIF
-        uses: actions/upload-artifact@v7
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
        with:
          name: ${{ matrix.os }}-zstd-bundle.sarif
          path: ${{ runner.temp }}/results/javascript.sarif
          retention-days: 7
      - name: Check diagnostic with expected tools URL appears in SARIF
-        uses: actions/github-script@v8
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
        env:
          SARIF_PATH: ${{ runner.temp }}/results/javascript.sarif
        with:
@@ -50,7 +50,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -52,7 +52,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -70,13 +70,13 @@ jobs:
          output: '${{ runner.temp }}/results'
          upload-database: false
      - name: Upload SARIF
-        uses: actions/upload-artifact@v7
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
        with:
          name: config-export-${{ matrix.os }}-${{ matrix.version }}.sarif.json
          path: '${{ runner.temp }}/results/javascript.sarif'
          retention-days: 7
      - name: Check config properties appear in SARIF
-        uses: actions/github-script@v8
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
        env:
          SARIF_PATH: '${{ runner.temp }}/results/javascript.sarif'
        with:
@@ -50,9 +50,9 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
      - name: Install Node.js
-        uses: actions/setup-node@v6
+        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
        with:
          node-version: 20.x
          cache: npm
@@ -54,7 +54,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -52,7 +52,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -54,7 +54,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -52,7 +52,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -81,13 +81,13 @@ jobs:
          output: '${{ runner.temp }}/results'
          upload-database: false
      - name: Upload SARIF
-        uses: actions/upload-artifact@v7
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
        with:
          name: diagnostics-export-${{ matrix.os }}-${{ matrix.version }}.sarif.json
          path: '${{ runner.temp }}/results/javascript.sarif'
          retention-days: 7
      - name: Check diagnostics appear in SARIF
-        uses: actions/github-script@v8
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
        env:
          SARIF_PATH: '${{ runner.temp }}/results/javascript.sarif'
        with:
@@ -74,13 +74,13 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
      - name: Install .NET
-        uses: actions/setup-dotnet@v5
+        uses: actions/setup-dotnet@9a946fdbd5fb07b82b2f5a4466058b876ab72bb2 # v5.3.0
        with:
          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - name: Install Go
-        uses: actions/setup-go@v6
+        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
        with:
          go-version: ${{ inputs.go-version || '>=1.21.0' }}
          cache: false
@@ -102,7 +102,7 @@ jobs:
        with:
          output: '${{ runner.temp }}/results'
      - name: Upload SARIF
-        uses: actions/upload-artifact@v7
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
        with:
          name: with-baseline-information-${{ matrix.os }}-${{ matrix.version }}.sarif.json
          path: '${{ runner.temp }}/results/javascript.sarif'
@@ -50,7 +50,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -52,7 +52,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -72,13 +72,13 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
      - name: Install .NET
-        uses: actions/setup-dotnet@v5
+        uses: actions/setup-dotnet@9a946fdbd5fb07b82b2f5a4466058b876ab72bb2 # v5.3.0
        with:
          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - name: Install Go
-        uses: actions/setup-go@v6
+        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
        with:
          go-version: ${{ inputs.go-version || '>=1.21.0' }}
          cache: false
@@ -60,9 +60,9 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
      - name: Install Go
-        uses: actions/setup-go@v6
+        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
        with:
          go-version: ${{ inputs.go-version || '>=1.21.0' }}
          cache: false
@@ -78,7 +78,7 @@ jobs:
          languages: go
          tools: ${{ steps.prepare-test.outputs.tools-url }}
      # Deliberately change Go after the `init` step
-      - uses: actions/setup-go@v6
+      - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
        with:
          go-version: '1.20'
      - name: Build code
@@ -88,7 +88,7 @@ jobs:
          output: '${{ runner.temp }}/results'
          upload-database: false
      - name: Check diagnostic appears in SARIF
-        uses: actions/github-script@v8
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
        env:
          SARIF_PATH: '${{ runner.temp }}/results/go.sarif'
        with:
@@ -60,9 +60,9 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
      - name: Install Go
-        uses: actions/setup-go@v6
+        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
        with:
          go-version: ${{ inputs.go-version || '>=1.21.0' }}
          cache: false
@@ -89,7 +89,7 @@ jobs:
          output: '${{ runner.temp }}/results'
          upload-database: false
      - name: Check diagnostic appears in SARIF
-        uses: actions/github-script@v8
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
        env:
          SARIF_PATH: '${{ runner.temp }}/results/go.sarif'
        with:
@@ -60,9 +60,9 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
      - name: Install Go
-        uses: actions/setup-go@v6
+        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
        with:
          go-version: ${{ inputs.go-version || '>=1.21.0' }}
          cache: false
@@ -80,9 +80,9 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
      - name: Install Go
-        uses: actions/setup-go@v6
+        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
        with:
          go-version: ${{ inputs.go-version || '>=1.21.0' }}
          cache: false
@@ -80,9 +80,9 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
      - name: Install Go
-        uses: actions/setup-go@v6
+        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
        with:
          go-version: ${{ inputs.go-version || '>=1.21.0' }}
          cache: false
@@ -80,9 +80,9 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
      - name: Install Go
-        uses: actions/setup-go@v6
+        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
        with:
          go-version: ${{ inputs.go-version || '>=1.21.0' }}
          cache: false
@@ -54,7 +54,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -54,7 +54,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -50,7 +50,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -67,7 +67,7 @@ jobs:
        with:
          output: '${{ runner.temp }}/results'
      - name: Upload SARIF
-        uses: actions/upload-artifact@v7
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
        with:
          name: ${{ matrix.os }}-${{ matrix.version }}.sarif.json
          path: '${{ runner.temp }}/results/javascript.sarif'
@@ -50,7 +50,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -70,13 +70,13 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
      - name: Install .NET
-        uses: actions/setup-dotnet@v5
+        uses: actions/setup-dotnet@9a946fdbd5fb07b82b2f5a4466058b876ab72bb2 # v5.3.0
        with:
          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - name: Install Go
-        uses: actions/setup-go@v6
+        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
        with:
          go-version: ${{ inputs.go-version || '>=1.21.0' }}
          cache: false
@@ -104,13 +104,13 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
      - name: Install .NET
-        uses: actions/setup-dotnet@v5
+        uses: actions/setup-dotnet@9a946fdbd5fb07b82b2f5a4466058b876ab72bb2 # v5.3.0
        with:
          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - name: Install Go
-        uses: actions/setup-go@v6
+        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
        with:
          go-version: ${{ inputs.go-version || '>=1.21.0' }}
          cache: false
@@ -125,7 +125,7 @@ jobs:
        # We need Python 3.13 for older CLI versions because they are not compatible with Python 3.14 or newer.
        # See https://github.com/github/codeql-action/pull/3212
        if: matrix.version != 'nightly-latest' && matrix.version != 'linked'
-        uses: actions/setup-python@v6
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
        with:
          python-version: '3.13'

@@ -52,7 +52,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -74,18 +74,18 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
      - name: Install .NET
-        uses: actions/setup-dotnet@v5
+        uses: actions/setup-dotnet@9a946fdbd5fb07b82b2f5a4466058b876ab72bb2 # v5.3.0
        with:
          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - name: Install Go
-        uses: actions/setup-go@v6
+        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
        with:
          go-version: ${{ inputs.go-version || '>=1.21.0' }}
          cache: false
      - name: Install Node.js
-        uses: actions/setup-node@v6
+        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
        with:
          node-version: 20.x
          cache: npm
@@ -74,18 +74,18 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
      - name: Install .NET
-        uses: actions/setup-dotnet@v5
+        uses: actions/setup-dotnet@9a946fdbd5fb07b82b2f5a4466058b876ab72bb2 # v5.3.0
        with:
          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - name: Install Go
-        uses: actions/setup-go@v6
+        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
        with:
          go-version: ${{ inputs.go-version || '>=1.21.0' }}
          cache: false
      - name: Install Node.js
-        uses: actions/setup-node@v6
+        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
        with:
          node-version: 20.x
          cache: npm
@@ -74,18 +74,18 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
      - name: Install .NET
-        uses: actions/setup-dotnet@v5
+        uses: actions/setup-dotnet@9a946fdbd5fb07b82b2f5a4466058b876ab72bb2 # v5.3.0
        with:
          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - name: Install Go
-        uses: actions/setup-go@v6
+        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
        with:
          go-version: ${{ inputs.go-version || '>=1.21.0' }}
          cache: false
      - name: Install Node.js
-        uses: actions/setup-node@v6
+        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
        with:
          node-version: 20.x
          cache: npm
@@ -74,18 +74,18 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
      - name: Install .NET
-        uses: actions/setup-dotnet@v5
+        uses: actions/setup-dotnet@9a946fdbd5fb07b82b2f5a4466058b876ab72bb2 # v5.3.0
        with:
          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - name: Install Go
-        uses: actions/setup-go@v6
+        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
        with:
          go-version: ${{ inputs.go-version || '>=1.21.0' }}
          cache: false
      - name: Install Node.js
-        uses: actions/setup-node@v6
+        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
        with:
          node-version: 20.x
          cache: npm
@@ -72,13 +72,13 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
      - name: Install .NET
-        uses: actions/setup-dotnet@v5
+        uses: actions/setup-dotnet@9a946fdbd5fb07b82b2f5a4466058b876ab72bb2 # v5.3.0
        with:
          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - name: Install Go
-        uses: actions/setup-go@v6
+        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
        with:
          go-version: ${{ inputs.go-version || '>=1.21.0' }}
          cache: false
@@ -54,7 +54,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -50,7 +50,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -59,7 +59,7 @@ jobs:
          use-all-platform-bundle: 'false'
          setup-kotlin: 'true'
      - name: Set up Ruby
-        uses: ruby/setup-ruby@c4e5b1316158f92e3d49443a9d58b31d25ac0f8f # v1.306.0
+        uses: ruby/setup-ruby@afeafc3d1ab54a631816aba4c914a0081c12ff2f # v1.310.0
        with:
          ruby-version: 2.6
      - name: Install Code Scanning integration
@@ -60,7 +60,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -58,7 +58,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -80,13 +80,13 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
      - name: Install .NET
-        uses: actions/setup-dotnet@v5
+        uses: actions/setup-dotnet@9a946fdbd5fb07b82b2f5a4466058b876ab72bb2 # v5.3.0
        with:
          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - name: Install Go
-        uses: actions/setup-go@v6
+        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
        with:
          go-version: ${{ inputs.go-version || '>=1.21.0' }}
          cache: false
@@ -54,7 +54,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -54,7 +54,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -62,7 +62,7 @@ jobs:
          version: ${{ matrix.version }}
          use-all-platform-bundle: 'false'
          setup-kotlin: 'true'
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
      - uses: ./init
        with:
          languages: javascript
@@ -50,7 +50,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -74,13 +74,13 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
      - name: Install .NET
-        uses: actions/setup-dotnet@v5
+        uses: actions/setup-dotnet@9a946fdbd5fb07b82b2f5a4466058b876ab72bb2 # v5.3.0
        with:
          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - name: Install Go
-        uses: actions/setup-go@v6
+        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
        with:
          go-version: ${{ inputs.go-version || '>=1.21.0' }}
          cache: false
@@ -72,13 +72,13 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
      - name: Install .NET
-        uses: actions/setup-dotnet@v5
+        uses: actions/setup-dotnet@9a946fdbd5fb07b82b2f5a4466058b876ab72bb2 # v5.3.0
        with:
          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - name: Install Go
-        uses: actions/setup-go@v6
+        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
        with:
          go-version: ${{ inputs.go-version || '>=1.21.0' }}
          cache: false
@@ -70,13 +70,13 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
      - name: Install .NET
-        uses: actions/setup-dotnet@v5
+        uses: actions/setup-dotnet@9a946fdbd5fb07b82b2f5a4466058b876ab72bb2 # v5.3.0
        with:
          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - name: Install Go
-        uses: actions/setup-go@v6
+        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
        with:
          go-version: ${{ inputs.go-version || '>=1.21.0' }}
          cache: false
@@ -77,13 +77,13 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
      - name: Install .NET
-        uses: actions/setup-dotnet@v5
+        uses: actions/setup-dotnet@9a946fdbd5fb07b82b2f5a4466058b876ab72bb2 # v5.3.0
        with:
          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - name: Install Go
-        uses: actions/setup-go@v6
+        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
        with:
          go-version: ${{ inputs.go-version || '>=1.21.0' }}
          cache: false
@@ -71,13 +71,13 @@ jobs:
    steps:
      # This ensures we don't accidentally use the original checkout for any part of the test.
      - name: Check out repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
      - name: Install .NET
-        uses: actions/setup-dotnet@v5
+        uses: actions/setup-dotnet@9a946fdbd5fb07b82b2f5a4466058b876ab72bb2 # v5.3.0
        with:
          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - name: Install Go
-        uses: actions/setup-go@v6
+        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
        with:
          go-version: ${{ inputs.go-version || '>=1.21.0' }}
          cache: false
@@ -96,7 +96,7 @@ jobs:
          rm -rf ./* .github .git
      # Check out the actions repo again, but at a different location.
      # choose an arbitrary SHA so that we can later test that the commit_oid is not from main
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
        with:
          ref: 474bbf07f9247ffe1856c6a0f94aeeb10e7afee6
          path: x/y/z/some-path
@@ -9,6 +9,10 @@ on:
    # by other workflows.
    types: [opened, synchronize, reopened, ready_for_review]

+concurrency:
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group: ${{ github.workflow }}-${{ github.ref }}
+
 defaults:
  run:
    shell: bash
@@ -22,7 +26,7 @@ jobs:

    steps:
      - name: Checkout CodeQL Action
-        uses: actions/checkout@v6
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
      - name: Check Expected Release Files
        run: |
          bundle_version="$(cat "./src/defaults.json" | jq -r ".bundleVersion")"
@@ -35,7 +35,7 @@ jobs:
      security-events: read

    steps:
-    - uses: actions/checkout@v6
+    - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
    - name: Set up default CodeQL bundle
      id: setup-default
      uses: ./setup-codeql
@@ -87,7 +87,7 @@ jobs:

    steps:
    - name: Checkout
-      uses: actions/checkout@v6
+      uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
    - name: Initialize CodeQL
      uses: ./init
      id: init
@@ -124,7 +124,7 @@ jobs:

    steps:
    - name: Checkout
-      uses: actions/checkout@v6
+      uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
    - name: Initialize CodeQL
      uses: ./init
      with:
@@ -24,6 +24,10 @@ on:
    - cron: '0 5 * * *'
  workflow_dispatch:

+concurrency:
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group: ${{ github.workflow }}-${{ github.ref }}
+
 defaults:
  run:
    shell: bash
@@ -55,10 +59,10 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
    - name: Check out repository
-      uses: actions/checkout@v6
+      uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3

    - name: Set up Node.js
-      uses: actions/setup-node@v6
+      uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
      with:
        node-version: 24
        cache: 'npm'
@@ -20,6 +20,10 @@ on:
    - cron: '0 5 * * *'
  workflow_dispatch:

+concurrency:
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group: ${{ github.workflow }}-${{ github.ref }}
+
 defaults:
  run:
    shell: bash
@@ -49,17 +53,17 @@ jobs:
      - name: Dump GitHub event
        run: cat "${GITHUB_EVENT_PATH}"
      - name: Check out repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
        with:
          version: ${{ matrix.version }}
-      - uses: actions/setup-go@v6
+      - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
        with:
          go-version: ^1.13.1
      - name: Install .NET
-        uses: actions/setup-dotnet@v5
+        uses: actions/setup-dotnet@9a946fdbd5fb07b82b2f5a4466058b876ab72bb2 # v5.3.0
        with:
          dotnet-version: '9.x'
      - name: Assert best-effort artifact scan completed
@@ -90,7 +94,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Download all artifacts
-        uses: actions/download-artifact@v8
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
      - name: Check expected artifacts exist
        run: |
          LANGUAGES="cpp csharp go java javascript python"
@@ -19,6 +19,10 @@ on:
    - cron: '0 5 * * *'
  workflow_dispatch:

+concurrency:
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group: ${{ github.workflow }}-${{ github.ref }}
+
 defaults:
  run:
    shell: bash
@@ -45,17 +49,17 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Check out repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
        with:
          version: ${{ matrix.version }}
-      - uses: actions/setup-go@v6
+      - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
        with:
          go-version: ^1.13.1
      - name: Install .NET
-        uses: actions/setup-dotnet@v5
+        uses: actions/setup-dotnet@9a946fdbd5fb07b82b2f5a4466058b876ab72bb2 # v5.3.0
        with:
          dotnet-version: '9.x'
      - name: Assert best-effort artifact scan completed
@@ -83,7 +87,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Download all artifacts
-        uses: actions/download-artifact@v8
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
      - name: Check expected artifacts exist
        run: |
          VERSIONS="stable-v2.20.3 default linked nightly-latest"
@@ -44,11 +44,14 @@ jobs:
          GITHUB_CONTEXT: '${{ toJson(github) }}'
        run: echo "${GITHUB_CONTEXT}"

-      - uses: actions/checkout@v6
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
        with:
          fetch-depth: 0  # ensure we have all tags and can push commits
-      - uses: actions/setup-node@v6
-      - uses: actions/setup-python@v6
+      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
+        with:
+          node-version: 24
+          cache: 'npm'
+      - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
        with:
          python-version: '3.12'

@@ -131,7 +134,7 @@ jobs:
          echo "::endgroup::"

      - name: Generate token
-        uses: actions/create-github-app-token@v3.2.0
+        uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
        id: app-token
        with:
          app-id: ${{ vars.AUTOMATION_APP_ID }}
@@ -10,6 +10,10 @@ on:
    types: [checks_requested]
  workflow_dispatch:

+concurrency:
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group: ${{ github.workflow }}-${{ github.ref }}
+
 defaults:
  run:
    shell: bash
@@ -29,15 +33,19 @@ jobs:
    runs-on: ${{ matrix.os }}
    timeout-minutes: 45

+    concurrency:
+      cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+      group: pr-checks-unit-tests-${{ github.ref }}-${{ github.event_name }}-${{ matrix.os }}-node${{ matrix['node-version'] }}
+
    steps:
      - name: Prepare git (Windows)
        if: runner.os == 'Windows'
        run: git config --global core.autocrlf false

-      - uses: actions/checkout@v6
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3

      - name: Set up Node.js
-        uses: actions/setup-node@v6
+        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
        with:
          node-version: ${{ matrix.node-version }}
          cache: 'npm'
@@ -67,60 +75,47 @@ jobs:
          sarif_file: eslint.sarif
          category: eslint

-  # Verifying the PR checks are up-to-date requires Node 24. The PR checks are not dependent
-  # on the main codebase and therefore do not need to be run as part of the same matrix that
-  # we use for the `unit-tests` job.
-  verify-pr-checks:
-    name: Verify PR checks
+  # These checks do not need to be run as part of the same matrix that we use for the `unit-tests`
+  # job.
+  other-checks:
+    name: Other checks
    if: github.triggering_actor != 'dependabot[bot]'
    permissions:
      contents: read
-    runs-on: ubuntu-slim
+    runs-on: ubuntu-latest
    timeout-minutes: 10

-    steps:
-      - name: Prepare git (Windows)
-        if: runner.os == 'Windows'
-        run: git config --global core.autocrlf false
+    concurrency:
+      cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+      group: pr-checks-pr-checks-${{ github.ref }}-${{ github.event_name }}

+    steps:
      - name: Checkout repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3

      - name: Set up Node.js
-        uses: actions/setup-node@v6
+        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
        with:
          node-version: 24
          cache: 'npm'

      - name: Install dependencies
+        id: install-deps
        run: npm ci

      - name: Verify PR checks up to date
-        if: always()
+        if: ${{ !cancelled() && steps.install-deps.outcome == 'success' }}
        run: .github/workflows/script/verify-pr-checks.sh

      - name: Run pr-checks tests
-        if: always()
+        if: ${{ !cancelled() && steps.install-deps.outcome == 'success' }}
        working-directory: pr-checks
        run: npx tsx --test

-  check-node-version:
-    if: github.triggering_actor != 'dependabot[bot]'
-    name: Check Action Node versions
-    runs-on: ubuntu-latest
-    timeout-minutes: 45
-    env:
-      BASE_REF: ${{ github.base_ref }}
-
-    permissions:
-      contents: read
-
-    steps:
-      - uses: actions/checkout@v6
-      - id: head-version
-        name: Verify all Actions use the same Node version
+      - name: Verify all Actions use the same Node version
+        id: head-version
        run: |
-          NODE_VERSION=$(find . -name "action.yml" -exec yq -e '.runs.using' {} \; | grep node | sort | uniq)
+          NODE_VERSION=$(find . -path "*/node_modules" -prune -o -name "action.yml" -exec yq -o=json '.runs.using' {} \; | jq -rs '[.[] | select(. != null and startswith("node"))] | unique | .[]')
          echo "NODE_VERSION: ${NODE_VERSION}"
          if [[ $(echo "$NODE_VERSION" | wc -l) -gt 1 ]]; then
            echo "::error::More than one node version used in 'action.yml' files."
@@ -128,22 +123,111 @@ jobs:
          fi
          echo "node_version=${NODE_VERSION}" >> $GITHUB_OUTPUT

-      - id: checkout-base
-        name: 'Backport: Check out base ref'
-        if: ${{ startsWith(github.head_ref, 'backport-') }}
-        uses: actions/checkout@v6
+      - name: Fetch base commit
+        id: fetch-base
+        # Forks and Dependabot PRs don't have permission to write comments, so skip the repo size
+        # check in those cases.
+        if: >-
+          github.event_name == 'pull_request' &&
+          github.event.pull_request.head.repo.full_name == github.repository &&
+          github.event.pull_request.user.login != 'dependabot[bot]'
+        env:
+          BASE_SHA: ${{ github.event.pull_request.base.sha }}
+          HEAD_SHA: ${{ github.event.pull_request.head.sha }}
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          # Compare against the merge base so the size delta reflects only the commits actually
+          # added by this PR, ignoring any changes that have landed on the base branch since the
+          # PR branched off.
+          merge_base=$(gh api "repos/$GITHUB_REPOSITORY/compare/$BASE_SHA...$HEAD_SHA" --jq '.merge_base_commit.sha')
+          echo "merge_base=$merge_base" >> "$GITHUB_OUTPUT"
+          git fetch --no-tags --depth=1 origin "$merge_base" "$HEAD_SHA"
+
+      - name: Check repo size
+        if: steps.fetch-base.outcome == 'success'
+        working-directory: pr-checks
+        env:
+          BASE_REF: ${{ github.event.pull_request.base.ref }}
+          BASE_SHA: ${{ steps.fetch-base.outputs.merge_base }}
+          HEAD_SHA: ${{ github.event.pull_request.head.sha }}
+          RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
+        run: npx tsx check-repo-size.ts --output-dir "$RUNNER_TEMP/repo-size"
+
+      - name: Upload repo size comment
+        if: steps.fetch-base.outcome == 'success'
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
        with:
-          ref: ${{ env.BASE_REF }}
+          name: repo-size-comment
+          path: ${{ runner.temp }}/repo-size/
+          if-no-files-found: error
+
+      - name: 'Backport: Check out base ref'
+        id: checkout-base
+        if: ${{ startsWith(github.head_ref, 'backport-') }}
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        with:
+          ref: ${{ github.base_ref }}

      - name: 'Backport: Verify Node versions unchanged'
        if: steps.checkout-base.outcome == 'success'
        env:
          HEAD_VERSION: ${{ steps.head-version.outputs.node_version }}
        run: |
-          BASE_VERSION=$(find . -name "action.yml" -exec yq -e '.runs.using' {} \; | grep node | sort | uniq)
+          BASE_VERSION=$(find . -path "*/node_modules" -prune -o -name "action.yml" -exec yq -o=json '.runs.using' {} \; | jq -rs '[.[] | select(. != null and startswith("node"))] | unique | .[]')
          echo "HEAD_VERSION: ${HEAD_VERSION}"
          echo "BASE_VERSION: ${BASE_VERSION}"
          if [[ "$BASE_VERSION" != "$HEAD_VERSION" ]]; then
            echo "::error::Cannot change the Node version of an Action in a backport PR."
            exit 1
          fi
+
+  post-repo-size-comment:
+    name: Post repo size comment
+    needs: other-checks
+    # Keep write permissions isolated from the job that checks out and tests PR code. This job only
+    # posts the candidate comment body produced by the read-only `pr-checks` job.
+    if: >-
+      github.event_name == 'pull_request' &&
+      github.event.pull_request.head.repo.full_name == github.repository &&
+      github.event.pull_request.user.login != 'dependabot[bot]' &&
+      needs.other-checks.result == 'success'
+    permissions:
+      contents: read
+      pull-requests: write
+    runs-on: ubuntu-slim
+    timeout-minutes: 10
+
+    concurrency:
+      cancel-in-progress: true
+      group: check-repo-size-${{ github.event.pull_request.number }}
+
+    steps:
+      - name: Download repo size comment
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
+        with:
+          name: repo-size-comment
+          path: repo-size-comment
+
+      - name: Post repo size comment
+        env:
+          COMMENT_MARKER: "<!-- repo-size-diff-bot -->"
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          PR_NUMBER: ${{ github.event.pull_request.number }}
+        run: |
+          significant=$(jq -r '.significant' repo-size-comment/metadata.json)
+          comment_id=$(
+            gh api "repos/$GITHUB_REPOSITORY/issues/$PR_NUMBER/comments" \
+              --paginate \
+              --jq ".[] | select(.body | contains(\"$COMMENT_MARKER\")) | .id" \
+              | head -n 1
+          )
+
+          if [[ -n "$comment_id" ]]; then
+            echo "Updating existing comment $comment_id."
+            gh api --method PATCH "repos/$GITHUB_REPOSITORY/issues/comments/$comment_id" --field body=@repo-size-comment/body.md
+          elif [[ "$significant" == "true" ]]; then
+            echo "Creating new repo size comment."
+            gh api --method POST "repos/$GITHUB_REPOSITORY/issues/$PR_NUMBER/comments" --field body=@repo-size-comment/body.md
+          else
+            echo "Skipping repo size comment because the delta is below the threshold and no sticky comment exists."
+          fi
@@ -44,7 +44,7 @@ jobs:

    steps:
      - name: Checkout repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
        with:
          fetch-depth: 0 # Need full history for calculation of diffs

@@ -20,8 +20,8 @@ jobs:

    steps:
      - name: Checkout repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3

      - name: Publish immutable release
        id: publish
-        uses: actions/publish-immutable-action@v0.0.4
+        uses: actions/publish-immutable-action@4bc8754ffc40f27910afb20287dbbbb675a4e978 # v0.0.4
@@ -14,6 +14,10 @@ on:
    - cron: '0 0 * * 1'
  workflow_dispatch:

+concurrency:
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group: ${{ github.workflow }}-${{ github.ref }}
+
 defaults:
  run:
    shell: bash
@@ -31,11 +35,11 @@ jobs:
    runs-on: windows-latest

    steps:
-    - uses: actions/setup-python@v6
+    - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
      with:
        python-version: 3.12

-    - uses: actions/checkout@v6
+    - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3

    - name: Prepare test
      uses: ./.github/actions/prepare-test
@@ -17,6 +17,10 @@ on:
    - cron: '0 5 * * *'
  workflow_dispatch:

+concurrency:
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group: ${{ github.workflow }}-${{ github.ref }}
+
 defaults:
  run:
    shell: bash
@@ -31,10 +35,10 @@ jobs:
      contents: read # This permission is needed to allow the GitHub Actions workflow to read the contents of the repository.
    steps:
    - name: Check out repository
-      uses: actions/checkout@v6
+      uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3

    - name: Install Node.js
-      uses: actions/setup-node@v6
+      uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
      with:
        node-version: 24
        cache: npm
@@ -24,13 +24,13 @@ jobs:
      pull-requests: write # needed to comment on the PR
    steps:
      - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
        with:
          fetch-depth: 0
          ref: ${{ env.HEAD_REF }}

      - name: Set up Node.js
-        uses: actions/setup-node@v6
+        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
        with:
          node-version: 24
          cache: 'npm'
@@ -52,7 +52,7 @@ jobs:

    steps:
      - name: Checkout repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
        with:
          fetch-depth: 0 # Need full history for calculation of diffs

@@ -136,7 +136,7 @@ jobs:

      - name: Generate token
        if: github.event_name == 'workflow_dispatch'
-        uses: actions/create-github-app-token@v3.2.0
+        uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
        id: app-token
        with:
          app-id: ${{ vars.AUTOMATION_APP_ID }}
@@ -18,6 +18,11 @@ on:
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
+
+concurrency:
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group: ${{ github.workflow }}-${{ github.ref }}
+
 defaults:
  run:
    shell: bash
@@ -38,7 +43,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
    - name: Check out repository
-      uses: actions/checkout@v6
+      uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
    - name: Prepare test
      id: prepare-test
      uses: ./.github/actions/prepare-test
@@ -46,7 +51,7 @@ jobs:
        version: ${{ matrix.version }}
        use-all-platform-bundle: true
    - name: Install .NET
-      uses: actions/setup-dotnet@v5
+      uses: actions/setup-dotnet@9a946fdbd5fb07b82b2f5a4466058b876ab72bb2 # v5.3.0
      with:
        dotnet-version: '9.x'
    - id: init
@@ -33,7 +33,7 @@ jobs:
          GITHUB_CONTEXT: '${{ toJson(github) }}'
        run: echo "$GITHUB_CONTEXT"

-      - uses: actions/checkout@v6
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3

      - name: Update git config
        run: |
@@ -41,12 +41,12 @@ jobs:
          git config --global user.name "github-actions[bot]"

      - name: Set up Python
-        uses: actions/setup-python@v6
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
        with:
          python-version: '3.12'

      - name: Set up Node.js
-        uses: actions/setup-node@v6
+        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
        with:
          node-version: 24
          cache: 'npm'
@@ -38,7 +38,7 @@ jobs:
      contents: write # needed to push commits
      pull-requests: write # needed to create pull request
    steps:
-    - uses: actions/checkout@v6
+    - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
      with:
        fetch-depth: 0  # Need full history for calculation of diffs
    - uses: ./.github/actions/release-initialise
@@ -94,14 +94,14 @@ jobs:
      pull-requests: write # needed to create pull request
    steps:
    - name: Generate token
-      uses: actions/create-github-app-token@v3.2.0
+      uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
      id: app-token
      with:
        app-id: ${{ vars.AUTOMATION_APP_ID }}
        private-key: ${{ secrets.AUTOMATION_PRIVATE_KEY }}

    - name: Checkout
-      uses: actions/checkout@v6
+      uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
      with:
        fetch-depth: 0  # Need full history for calculation of diffs
        token: ${{ steps.app-token.outputs.token }}
@@ -23,13 +23,13 @@ jobs:

    steps:
      - name: Setup Python
-        uses: actions/setup-python@v6
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
        with:
          python-version: "3.13"
      - name: Checkout CodeQL Action
-        uses: actions/checkout@v6
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
      - name: Checkout Enterprise Releases
-        uses: actions/checkout@v6
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
        with:
          repository: github/enterprise-releases
          token: ${{ secrets.ENTERPRISE_RELEASE_TOKEN }}
@@ -2,10 +2,19 @@

 See the [releases page](https://github.com/github/codeql-action/releases) for the relevant changes to the CodeQL CLI and language packs.

-## [UNRELEASED]
+## 4.36.2 - 04 Jun 2026
+
+- Update default CodeQL bundle version to [2.25.6](https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.25.6). [#3948](https://github.com/github/codeql-action/pull/3948)
+
+## 4.36.1 - 02 Jun 2026
+
+No user facing changes.
+
+## 4.36.0 - 22 May 2026

 - _Breaking change_: Bump the minimum required CodeQL bundle version to 2.19.4. [#3894](https://github.com/github/codeql-action/pull/3894)
 - Add support for SHA-256 Git object IDs. [#3893](https://github.com/github/codeql-action/pull/3893)
+- Update default CodeQL bundle version to [2.25.5](https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.25.5). [#3926](https://github.com/github/codeql-action/pull/3926)

 ## 4.35.5 - 15 May 2026

@@ -65,12 +65,22 @@ const onEndPlugin = {
 /** The name of the virtual `entry-points` module. */
 const SHARED_ENTRYPOINT = "entry-points";

+/** The property name under which `upload-lib`'s namespace is exposed in `entry-points`. */
+const UPLOAD_LIB_EXPORT = "uploadLib";
+
+/** The relative source path of the `upload-lib` module that we re-export from `entry-points`. */
+const UPLOAD_LIB_SRC = "./src/upload-lib";
+
 /**
- * This plugin finds all source files that contain Action entry points.
- * It then generates the virtual `entry-points` module which imports all identified files,
- * and re-exports their `runWrapper` functions with suitable aliases.
- * A tiny stub file is emitted for each Action entrypoint. Each stub imports the shared bundle
- * and calls the respective entry point.
+ * This plugin finds all source files that contain Action entry points. It then generates the
+ * virtual `entry-points` module which imports all identified files, and re-exports their
+ * `runWrapper` functions with suitable aliases.
+ *
+ * The virtual module additionally re-exports `upload-lib` under the `uploadLib` namespace so that
+ * external consumers can access it via the small `lib/upload-lib.js` stub emitted below.
+ * 
+ * A tiny stub file is emitted for each Action entrypoint, and one for `upload-lib`. Each stub
+ * imports the shared bundle and calls/re-exports from the respective entry point.
 *
 * @type {esbuild.Plugin}
 */
@@ -136,22 +146,29 @@ const entryPointsPlugin = {
        )
        .join("\n\n");

+      // Also re-export the `upload-lib` namespace so that external consumers can reach it
+      // via the `lib/upload-lib.js` stub without us having to bundle a second copy.
+      const uploadLibReExport = `export * as ${UPLOAD_LIB_EXPORT} from "${UPLOAD_LIB_SRC}";`;
+
      return {
-        contents: `"use strict";\n${imports}\n\n${wrappers}\n`,
+        contents: `"use strict";\n${imports}\n\n${uploadLibReExport}\n\n${wrappers}\n`,
        resolveDir: ".",
        loader: "ts",
      };
    });

    // Emit entry point stubs for each Action using the entry template.
-    build.onEnd(async (result) => {
-      // Read the entry point template.
-      const templatePath = "action-entry.js.tpl";
-      const template = await readFile(join(SRC_DIR, templatePath), "utf-8");
-
-      const makeHeader = (sourceFile) =>
+    build.onEnd(async () => {
+      const makeHeader = (templatePath, sourceFile) =>
        `// Automatically generated from '${templatePath}' for 'src/${basename(sourceFile)}'.\n\n`;

+      // Read the entry point template.
+      const actionTemplatePath = "action-entry.js.tpl";
+      const actionTemplate = await readFile(
+        join(SRC_DIR, actionTemplatePath),
+        "utf-8",
+      );
+
      // Write entry point stubs for each Action.
      for (const action of actions) {
        await writeFile(
@@ -159,20 +176,33 @@ const entryPointsPlugin = {
            OUT_DIR,
            `${action.name}${action.isPost ? "-post" : ""}-entry.js`,
          ),
-          makeHeader(action.path) +
-            template.replaceAll("__ACTION__", action.pascalCaseName),
+          makeHeader(actionTemplatePath, action.path) +
+            actionTemplate.replaceAll("__ACTION__", action.pascalCaseName),
        );
      }
+
+      // Write a small stub for `upload-lib` that re-exports it from the shared bundle.
+      // External callers (e.g. internal testing environments) `require("./lib/upload-lib")`
+      // and expect the same shape as before, so we expose the namespace as `module.exports`.
+      const uploadLibStubTemplatePath = "upload-lib-stub.js.tpl";
+      const uploadLibStubTemplate = await readFile(
+        join(SRC_DIR, uploadLibStubTemplatePath),
+        "utf-8",
+      );
+      await writeFile(
+        join(OUT_DIR, "upload-lib.js"),
+        makeHeader(uploadLibStubTemplatePath, `${UPLOAD_LIB_SRC}.ts`) +
+          uploadLibStubTemplate.replaceAll(
+            "__UPLOAD_LIB_EXPORT__",
+            UPLOAD_LIB_EXPORT,
+          ),
+      );
    });
  },
 };

 const context = await esbuild.context({
-  // Include upload-lib.ts as an entry point for use in testing environments.
-  entryPoints: [
-    { in: SHARED_ENTRYPOINT, out: SHARED_ENTRYPOINT },
-    join(SRC_DIR, "upload-lib.ts"),
-  ],
+  entryPoints: [{ in: SHARED_ENTRYPOINT, out: SHARED_ENTRYPOINT }],
  bundle: true,
  format: "cjs",
  outdir: OUT_DIR,
@@ -1,6 +1,6 @@
 {
-  "bundleVersion": "codeql-bundle-v2.25.4",
-  "cliVersion": "2.25.4",
-  "priorBundleVersion": "codeql-bundle-v2.25.3",
-  "priorCliVersion": "2.25.3"
+  "bundleVersion": "codeql-bundle-v2.25.6",
+  "cliVersion": "2.25.6",
+  "priorBundleVersion": "codeql-bundle-v2.25.5",
+  "priorCliVersion": "2.25.5"
 }
@@ -1,6 +1,6 @@
 {
  "name": "codeql",
-  "version": "4.36.0",
+  "version": "4.36.2",
  "private": true,
  "description": "CodeQL action",
  "scripts": {
@@ -40,23 +40,23 @@
    "jsonschema": "1.5.0",
    "long": "^5.3.2",
    "node-forge": "^1.4.0",
-    "semver": "^7.7.4",
+    "semver": "^7.8.1",
    "uuid": "^14.0.0"
  },
  "devDependencies": {
-    "@ava/typescript": "7.0.0",
-    "@eslint/compat": "^2.0.5",
+    "@ava/typescript": "6.0.0",
+    "@eslint/compat": "^2.1.0",
    "@microsoft/eslint-formatter-sarif": "^3.1.0",
    "@octokit/types": "^16.0.0",
    "@types/archiver": "^7.0.0",
    "@types/follow-redirects": "^1.14.4",
    "@types/js-yaml": "^4.0.9",
-    "@types/node": "^20.19.39",
+    "@types/node": "^20.19.41",
    "@types/node-forge": "^1.3.14",
    "@types/sarif": "^2.1.7",
    "@types/semver": "^7.7.1",
    "@types/sinon": "^21.0.1",
-    "ava": "^7.0.0",
+    "ava": "^6.4.1",
    "esbuild": "^0.28.0",
    "eslint": "^9.39.4",
    "eslint-import-resolver-typescript": "^4.4.4",
@@ -66,10 +66,10 @@
    "eslint-plugin-no-async-foreach": "^0.1.1",
    "glob": "^11.1.0",
    "globals": "^17.6.0",
-    "nock": "^14.0.12",
+    "nock": "^14.0.15",
    "sinon": "^22.0.0",
    "typescript": "^6.0.3",
-    "typescript-eslint": "^8.59.2"
+    "typescript-eslint": "^8.60.0"
  },
  "overrides": {
    "@actions/tool-cache": {
@@ -0,0 +1,259 @@
+#!/usr/bin/env npx tsx
+
+/*
+Tests for check-repo-size.ts.
+*/
+
+import * as assert from "node:assert/strict";
+import { execFileSync } from "node:child_process";
+import { randomBytes } from "node:crypto";
+import * as fs from "node:fs";
+import * as os from "node:os";
+import * as path from "node:path";
+import { afterEach, beforeEach, describe, it } from "node:test";
+
+import {
+  COMMENT_MARKER,
+  DEFAULT_BASE_REF,
+  buildCommentBody,
+  formatBytes,
+  formatPercent,
+  isDeltaSignificant,
+  measureArchiveSize,
+  readArgs,
+} from "./check-repo-size";
+
+describe("formatBytes", async () => {
+  const cases: Array<[number, boolean, string]> = [
+    // Unsigned values, including sub-KiB amounts which round to 0.00.
+    [0, false, "0.00 KiB"],
+    [512, false, "0.50 KiB"],
+    [1024, false, "1.00 KiB"],
+    [1024 * 1024, false, "1024.00 KiB"],
+    [2 * 1024 * 1024, false, "2048.00 KiB"],
+    // Negative values always use a leading minus.
+    [-2 * 1024 * 1024, false, "-2048.00 KiB"],
+    // signed=true prepends a + to non-negative values.
+    [0, true, "+0.00 KiB"],
+    [2 * 1024 * 1024, true, "+2048.00 KiB"],
+    [-2 * 1024 * 1024, true, "-2048.00 KiB"],
+  ];
+  for (const [bytes, signed, expected] of cases) {
+    await it(`formats ${bytes} (signed=${signed}) as ${expected}`, () => {
+      assert.equal(formatBytes(bytes, signed), expected);
+    });
+  }
+});
+
+describe("formatPercent", async () => {
+  await it("formats positive fractions with a leading +", () => {
+    assert.equal(formatPercent(0.1), "+10.00%");
+    assert.equal(formatPercent(0.0123), "+1.23%");
+  });
+
+  await it("formats negative fractions with a leading -", () => {
+    assert.equal(formatPercent(-0.1), "-10.00%");
+  });
+
+  await it("formats zero without a sign", () => {
+    assert.equal(formatPercent(0), "0.00%");
+  });
+});
+
+describe("isDeltaSignificant", async () => {
+  const cases: Array<[number, number, number, boolean]> = [
+    // At and above threshold (both signs).
+    [100, 1000, 0.1, true],
+    [101, 1000, 0.1, true],
+    [-100, 1000, 0.1, true],
+    // Below threshold (both signs, plus exact zero).
+    [99, 1000, 0.1, false],
+    [-99, 1000, 0.1, false],
+    [0, 1000, 0.1, false],
+  ];
+  for (const [delta, base, fraction, expected] of cases) {
+    await it(`returns ${expected} for delta=${delta}, base=${base}, fraction=${fraction}`, () => {
+      assert.equal(isDeltaSignificant(delta, base, fraction), expected);
+    });
+  }
+});
+
+describe("buildCommentBody", async () => {
+  await it("includes the marker, the base/PR/delta rows, and the run URL", () => {
+    const body = buildCommentBody({
+      baseRef: "main",
+      baseSize: 2_000_000,
+      prSize: 2_300_000,
+      runUrl: "https://example.test/run",
+    });
+
+    assert.match(body, new RegExp(`^${escapeRegExp(COMMENT_MARKER)}`));
+    assert.match(body, /Base \(`main`\) \| 1953\.13 KiB \(2000000 bytes\)/);
+    assert.match(body, /This PR \| 2246\.09 KiB \(2300000 bytes\)/);
+    assert.match(
+      body,
+      /\*\*Delta\*\* \| \*\*\+292\.97 KiB \(\+300000 bytes, \+15\.00%\)\*\*/,
+    );
+    assert.match(body, /\[workflow run\]\(https:\/\/example\.test\/run\)/);
+  });
+
+  await it("formats negative deltas with a leading minus and omits the run URL when missing", () => {
+    const body = buildCommentBody({
+      baseRef: "main",
+      baseSize: 2_000_000,
+      prSize: 1_800_000,
+    });
+    assert.match(
+      body,
+      /\*\*Delta\*\* \| \*\*-195\.31 KiB \(-200000 bytes, -10\.00%\)\*\*/,
+    );
+    assert.doesNotMatch(body, /workflow run/);
+  });
+});
+
+describe("readArgs", async () => {
+  await it("defaults the base ref and head commit for local runs", () => {
+    const originalEnv = process.env;
+    const originalArgv = process.argv;
+
+    try {
+      process.env = {};
+      process.argv = ["node", "check-repo-size.ts", "--output-dir", "/tmp/out"];
+
+      const args = readArgs();
+
+      assert.equal(args.baseRef, DEFAULT_BASE_REF);
+      assert.equal(args.baseCommitish, `origin/${DEFAULT_BASE_REF}`);
+      assert.equal(args.headCommitish, "HEAD");
+      assert.equal(args.outputDir, "/tmp/out");
+      assert.equal(args.runUrl, undefined);
+    } finally {
+      process.env = originalEnv;
+      process.argv = originalArgv;
+    }
+  });
+
+  await it("uses the base and head SHAs when provided by the workflow", () => {
+    const originalEnv = process.env;
+    const originalArgv = process.argv;
+
+    try {
+      process.env = {
+        BASE_REF: "main",
+        BASE_SHA: "abc123",
+        HEAD_SHA: "def456",
+        RUN_URL: "https://example.test/run",
+      };
+      process.argv = ["node", "check-repo-size.ts", "--output-dir", "/tmp/out"];
+
+      const args = readArgs();
+
+      assert.equal(args.baseRef, "main");
+      assert.equal(args.baseCommitish, "abc123");
+      assert.equal(args.headCommitish, "def456");
+      assert.equal(args.outputDir, "/tmp/out");
+      assert.equal(args.runUrl, "https://example.test/run");
+    } finally {
+      process.env = originalEnv;
+      process.argv = originalArgv;
+    }
+  });
+
+  await it("throws when --output-dir is missing", () => {
+    const originalEnv = process.env;
+    const originalArgv = process.argv;
+
+    try {
+      process.env = {};
+      process.argv = ["node", "check-repo-size.ts"];
+      assert.throws(() => readArgs(), /--output-dir is required/);
+    } finally {
+      process.env = originalEnv;
+      process.argv = originalArgv;
+    }
+  });
+});
+
+let repoDir: string;
+
+beforeEach(() => {
+  repoDir = fs.mkdtempSync(path.join(os.tmpdir(), "check-repo-size-test-"));
+  execFileSync("git", ["init", "--initial-branch=main", "-q"], {
+    cwd: repoDir,
+  });
+  execFileSync("git", ["config", "user.email", "test@example.test"], {
+    cwd: repoDir,
+  });
+  execFileSync("git", ["config", "user.name", "Test"], { cwd: repoDir });
+  execFileSync("git", ["config", "commit.gpgsign", "false"], { cwd: repoDir });
+});
+
+afterEach(() => {
+  fs.rmSync(repoDir, { recursive: true, force: true });
+});
+
+function commit(name: string, content: string, message: string) {
+  fs.writeFileSync(path.join(repoDir, name), content);
+  execFileSync("git", ["add", name], { cwd: repoDir });
+  execFileSync("git", ["commit", "-q", "-m", message], { cwd: repoDir });
+}
+
+describe("measureArchiveSize", async () => {
+  await it("returns a positive byte count for a non-empty repo", async () => {
+    commit("a.txt", "hello world\n", "first");
+    const size = await measureArchiveSize("HEAD", repoDir);
+    assert.ok(size > 0, `expected size > 0, got ${size}`);
+  });
+
+  await it("returns the same size on repeated runs (deterministic)", async () => {
+    commit("a.txt", "hello world\n", "first");
+    const a = await measureArchiveSize("HEAD", repoDir);
+    const b = await measureArchiveSize("HEAD", repoDir);
+    assert.equal(a, b);
+  });
+
+  await it("returns a larger size when more content is added", async () => {
+    commit("a.txt", "hello world\n", "first");
+    const small = await measureArchiveSize("HEAD", repoDir);
+
+    // Use random bytes so the new content is incompressible and the archive
+    // is guaranteed to grow even after gzip.
+    commit("b.bin", randomBytes(8192).toString("base64"), "second");
+    const big = await measureArchiveSize("HEAD", repoDir);
+    assert.ok(
+      big > small,
+      `expected ${big} > ${small} after adding more content`,
+    );
+  });
+
+  await it("ignores untracked files (e.g. node_modules)", async () => {
+    commit("a.txt", "hello\n", "first");
+    commit(".gitignore", "node_modules/\n", "ignore node_modules");
+    const sizeBefore = await measureArchiveSize("HEAD", repoDir);
+
+    fs.mkdirSync(path.join(repoDir, "node_modules"));
+    fs.writeFileSync(
+      path.join(repoDir, "node_modules", "huge.bin"),
+      "x".repeat(1_000_000),
+    );
+
+    const sizeAfter = await measureArchiveSize("HEAD", repoDir);
+    assert.equal(
+      sizeAfter,
+      sizeBefore,
+      "untracked node_modules should not affect the archive size",
+    );
+  });
+
+  await it("rejects when the ref does not exist", async () => {
+    commit("a.txt", "hello\n", "first");
+    await assert.rejects(
+      () => measureArchiveSize("does-not-exist", repoDir),
+      /git archive does-not-exist exited with code/,
+    );
+  });
+});
+
+function escapeRegExp(s: string): string {
+  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+}
@@ -0,0 +1,223 @@
+#!/usr/bin/env npx tsx
+
+/*
+Measures the difference in the `.tar.gz`'d checkout size of the repo between the PR head and the PR
+base. This size is relevant because it corresponds to the duration of the "Download action
+repository" step that happens at the start of every job that uses this Action.
+
+Writes the candidate sticky-comment body and a small metadata file to `--output-dir`. A separate
+workflow job consumes those artifacts and decides whether to create or update a PR comment.
+*/
+
+import { spawn } from "node:child_process";
+import * as fs from "node:fs";
+import * as path from "node:path";
+import { parseArgs } from "node:util";
+
+import { REPO_ROOT } from "./config";
+
+/** Hidden marker used to find the existing sticky comment on a PR. */
+export const COMMENT_MARKER = "<!-- repo-size-diff-bot -->";
+
+export const DEFAULT_BASE_REF = "main";
+
+/**
+ * Fraction of the base archive size at which a delta is considered significant enough to warrant
+ * a new sticky comment. We always update an existing comment regardless, so the comment stays in
+ * sync as the diff evolves.
+ */
+export const SIGNIFICANT_DELTA_FRACTION = 0.1;
+
+/**
+ * Stream `git archive --format=tar.gz <ref>` and count the compressed bytes.
+ *
+ * `git archive` only includes tracked files, so untracked directories like `node_modules` and
+ * `build` aren't counted in the size downloaded when starting up a CodeQL job.
+ */
+export async function measureArchiveSize(
+  ref: string,
+  cwd: string,
+): Promise<number> {
+  const git = spawn("git", ["archive", "--format=tar.gz", ref], { cwd });
+
+  let stderr = "";
+  git.stderr.on("data", (chunk: Buffer) => {
+    stderr += chunk.toString();
+  });
+
+  let size = 0;
+  git.stdout.on("data", (chunk: Buffer) => {
+    size += chunk.length;
+  });
+
+  const exitCode = await new Promise<number>((resolve, reject) => {
+    git.on("error", reject);
+    git.on("close", resolve);
+  });
+
+  if (exitCode !== 0) {
+    throw new Error(
+      `git archive ${ref} exited with code ${exitCode}: ${stderr.trim()}`,
+    );
+  }
+  return size;
+}
+
+/**
+ * Format a byte count as KiB. If `signed` is true, a leading `+` is prepended for non-negative
+ * values so gains and losses are visually distinct.
+ */
+export function formatBytes(bytes: number, signed = false): string {
+  const sign = bytes < 0 ? "-" : signed ? "+" : "";
+  const kib = Math.abs(bytes) / 1024;
+  return `${sign}${kib.toFixed(2)} KiB`;
+}
+
+/** Format a fraction as a signed percentage with 2 decimal places. */
+export function formatPercent(fraction: number): string {
+  const pct = fraction * 100;
+  const sign = pct > 0 ? "+" : "";
+  return `${sign}${pct.toFixed(2)}%`;
+}
+
+export interface CommentBodyOptions {
+  baseRef: string;
+  baseSize: number;
+  prSize: number;
+  /** Optional URL of the workflow run, included in the comment footer. */
+  runUrl?: string;
+}
+
+export function buildCommentBody(opts: CommentBodyOptions): string {
+  const { baseRef, baseSize, prSize, runUrl } = opts;
+  const delta = prSize - baseSize;
+  const signedDelta = delta >= 0 ? `+${delta}` : `${delta}`;
+  const runUrlLine = runUrl
+    ? ` See the [workflow run](${runUrl}) for details.`
+    : "";
+
+  return [
+    COMMENT_MARKER,
+    "### Repository checkout size",
+    "",
+    "| | Compressed archive size |",
+    "|---|---|",
+    `| Base (\`${baseRef}\`) | ${formatBytes(baseSize)} (${baseSize} bytes) |`,
+    `| This PR | ${formatBytes(prSize)} (${prSize} bytes) |`,
+    `| **Delta** | **${formatBytes(delta, true)} (${signedDelta} bytes, ${formatPercent(delta / baseSize)})** |`,
+    "",
+    "Sizes are measured by streaming `git archive --format=tar.gz <ref>`, " +
+      "which includes tracked files and excludes untracked files such as " +
+      "`node_modules`. The compressed checkout is " +
+      "downloaded by every consumer of this Action, so changes here directly " +
+      `affect Action download time.${runUrlLine}`,
+  ].join("\n");
+}
+
+/**
+ * Returns true when the absolute delta is at least `fraction` of the base size. Both increases and
+ * decreases are considered significant, so we report wins as well as losses.
+ */
+export function isDeltaSignificant(
+  delta: number,
+  baseSize: number,
+  fraction: number,
+): boolean {
+  return Math.abs(delta) >= baseSize * fraction;
+}
+
+interface MainArgs {
+  /** Base ref of the PR. Defaults to `main`. Used as the label in the PR comment. */
+  baseRef: string;
+  /** Base commit-ish to archive. Defaults to `origin/<baseRef>` for local runs. */
+  baseCommitish: string;
+  /** Head commit-ish to archive. Defaults to `HEAD` for local runs. */
+  headCommitish: string;
+  /** Optional URL of the workflow run, surfaced in the comment footer. */
+  runUrl?: string;
+  /** Directory where `body.md` and `metadata.json` are written. */
+  outputDir: string;
+}
+
+export function readArgs(): MainArgs {
+  const { values } = parseArgs({
+    options: {
+      "output-dir": { type: "string" },
+    },
+    strict: true,
+  });
+
+  const outputDir = values["output-dir"];
+  if (!outputDir) {
+    throw new Error("--output-dir is required");
+  }
+
+  const baseRef = process.env.BASE_REF ?? DEFAULT_BASE_REF;
+  const baseCommitish = process.env.BASE_SHA ?? `origin/${baseRef}`;
+  const headCommitish = process.env.HEAD_SHA ?? "HEAD";
+
+  return {
+    baseRef,
+    baseCommitish,
+    headCommitish,
+    runUrl: process.env.RUN_URL,
+    outputDir,
+  };
+}
+
+async function main(): Promise<number> {
+  const args = readArgs();
+
+  console.log(`Measuring base archive size for ${args.baseCommitish}...`);
+  const baseSize = await measureArchiveSize(args.baseCommitish, REPO_ROOT);
+  console.log(`  ${baseSize} bytes`);
+
+  console.log(`Measuring PR archive size for ${args.headCommitish}...`);
+  const prSize = await measureArchiveSize(args.headCommitish, REPO_ROOT);
+  console.log(`  ${prSize} bytes`);
+
+  const delta = prSize - baseSize;
+  const significant = isDeltaSignificant(
+    delta,
+    baseSize,
+    SIGNIFICANT_DELTA_FRACTION,
+  );
+  console.log(
+    `Delta: ${delta} bytes (significant=${significant}, threshold=${(
+      SIGNIFICANT_DELTA_FRACTION * 100
+    ).toFixed(2)}%)`,
+  );
+
+  const body = buildCommentBody({
+    baseRef: args.baseRef,
+    baseSize,
+    prSize,
+    runUrl: args.runUrl,
+  });
+
+  fs.mkdirSync(args.outputDir, { recursive: true });
+  fs.writeFileSync(path.join(args.outputDir, "body.md"), body);
+  fs.writeFileSync(
+    path.join(args.outputDir, "metadata.json"),
+    `${JSON.stringify(
+      { significant, baseRef: args.baseRef, baseSize, prSize, delta },
+      null,
+      2,
+    )}\n`,
+  );
+  console.log(`Wrote body.md and metadata.json to ${args.outputDir}.`);
+  return 0;
+}
+
+async function run(): Promise<void> {
+  try {
+    process.exit(await main());
+  } catch (err) {
+    console.error(err instanceof Error ? err.message : String(err));
+    process.exit(1);
+  }
+}
+
+if (require.main === module) {
+  void run();
+}
@@ -46,7 +46,7 @@ steps:
      post-processed-sarif-path: "${{ runner.temp }}/post-processed"

  - name: Upload SARIF files
-    uses: actions/upload-artifact@v7
+    uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
    with:
      name: |
        analysis-kinds-${{ matrix.os }}-${{ matrix.version }}-${{ matrix.analysis-kinds }}
@@ -54,7 +54,7 @@ steps:
      retention-days: 7

  - name: Upload post-processed SARIF
-    uses: actions/upload-artifact@v7
+    uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
    with:
      name: |
        post-processed-${{ matrix.os }}-${{ matrix.version }}-${{ matrix.analysis-kinds }}
@@ -64,7 +64,7 @@ steps:

  - name: Check quality query does not appear in security SARIF
    if: contains(matrix.analysis-kinds, 'code-scanning')
-    uses: actions/github-script@v8
+    uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
    env:
      SARIF_PATH: "${{ runner.temp }}/results/javascript.sarif"
      EXPECT_PRESENT: "false"
@@ -72,7 +72,7 @@ steps:
      script: ${{ env.CHECK_SCRIPT }}
  - name: Check quality query appears in quality SARIF
    if: contains(matrix.analysis-kinds, 'code-quality')
-    uses: actions/github-script@v8
+    uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
    env:
      SARIF_PATH: "${{ runner.temp }}/results/javascript.quality.sarif"
      EXPECT_PRESENT: "true"
@@ -7,7 +7,7 @@ steps:
    run: npm install @actions/tool-cache@3
  - name: Check toolcache contains CodeQL
    continue-on-error: true
-    uses: actions/github-script@v8
+    uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
    with:
      script: |
        const toolcache = require('@actions/tool-cache');
@@ -20,7 +20,7 @@ steps:
    with:
      tools: ${{ steps.prepare-test.outputs.tools-url }}
  - name: Check CodeQL is installed within the toolcache
-    uses: actions/github-script@v8
+    uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
    with:
      script: |
        const toolcache = require('@actions/tool-cache');
@@ -8,7 +8,7 @@ operatingSystems:
  - windows
 steps:
  - name: Remove CodeQL from toolcache
-    uses: actions/github-script@v8
+    uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
    with:
      script: |
        const fs = require('fs');
@@ -18,7 +18,7 @@ steps:
  - name: Install @actions/tool-cache
    run: npm install @actions/tool-cache@3
  - name: Check toolcache does not contain CodeQL
-    uses: actions/github-script@v8
+    uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
    with:
      script: |
        const toolcache = require('@actions/tool-cache');
@@ -37,7 +37,7 @@ steps:
      output: ${{ runner.temp }}/results
      upload-database: false
  - name: Check CodeQL is installed within the toolcache
-    uses: actions/github-script@v8
+    uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
    with:
      script: |
        const toolcache = require('@actions/tool-cache');
@@ -8,7 +8,7 @@ operatingSystems:
  - windows
 steps:
  - name: Remove CodeQL from toolcache
-    uses: actions/github-script@v8
+    uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
    with:
      script: |
        const fs = require('fs');
@@ -27,13 +27,13 @@ steps:
      output: ${{ runner.temp }}/results
      upload-database: false
  - name: Upload SARIF
-    uses: actions/upload-artifact@v7
+    uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
    with:
      name: ${{ matrix.os }}-zstd-bundle.sarif
      path: ${{ runner.temp }}/results/javascript.sarif
      retention-days: 7
  - name: Check diagnostic with expected tools URL appears in SARIF
-    uses: actions/github-script@v8
+    uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
    env:
      SARIF_PATH: ${{ runner.temp }}/results/javascript.sarif
    with:
@@ -14,13 +14,13 @@ steps:
      output: "${{ runner.temp }}/results"
      upload-database: false
  - name: Upload SARIF
-    uses: actions/upload-artifact@v7
+    uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
    with:
      name: config-export-${{ matrix.os }}-${{ matrix.version }}.sarif.json
      path: "${{ runner.temp }}/results/javascript.sarif"
      retention-days: 7
  - name: Check config properties appear in SARIF
-    uses: actions/github-script@v8
+    uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
    env:
      SARIF_PATH: "${{ runner.temp }}/results/javascript.sarif"
    with:
@@ -27,13 +27,13 @@ steps:
      output: "${{ runner.temp }}/results"
      upload-database: false
  - name: Upload SARIF
-    uses: actions/upload-artifact@v7
+    uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
    with:
      name: diagnostics-export-${{ matrix.os }}-${{ matrix.version }}.sarif.json
      path: "${{ runner.temp }}/results/javascript.sarif"
      retention-days: 7
  - name: Check diagnostics appear in SARIF
-    uses: actions/github-script@v8
+    uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
    env:
      SARIF_PATH: "${{ runner.temp }}/results/javascript.sarif"
    with:
@@ -23,7 +23,7 @@ steps:
    with:
      output: "${{ runner.temp }}/results"
  - name: Upload SARIF
-    uses: actions/upload-artifact@v7
+    uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
    with:
      name: with-baseline-information-${{ matrix.os }}-${{ matrix.version }}.sarif.json
      path: "${{ runner.temp }}/results/javascript.sarif"
@@ -12,7 +12,7 @@ steps:
      languages: go
      tools: ${{ steps.prepare-test.outputs.tools-url }}
  # Deliberately change Go after the `init` step
-  - uses: actions/setup-go@v6
+  - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
    with:
      go-version: "1.20"
  - name: Build code
@@ -22,7 +22,7 @@ steps:
      output: "${{ runner.temp }}/results"
      upload-database: false
  - name: Check diagnostic appears in SARIF
-    uses: actions/github-script@v8
+    uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
    env:
      SARIF_PATH: "${{ runner.temp }}/results/go.sarif"
    with:
@@ -23,7 +23,7 @@ steps:
      output: "${{ runner.temp }}/results"
      upload-database: false
  - name: Check diagnostic appears in SARIF
-    uses: actions/github-script@v8
+    uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
    env:
      SARIF_PATH: "${{ runner.temp }}/results/go.sarif"
    with:
@@ -12,7 +12,7 @@ steps:
    with:
      output: "${{ runner.temp }}/results"
  - name: Upload SARIF
-    uses: actions/upload-artifact@v7
+    uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
    with:
      name: ${{ matrix.os }}-${{ matrix.version }}.sarif.json
      path: "${{ runner.temp }}/results/javascript.sarif"
@@ -13,7 +13,7 @@ steps:
    # We need Python 3.13 for older CLI versions because they are not compatible with Python 3.14 or newer.
    # See https://github.com/github/codeql-action/pull/3212
    if: matrix.version != 'nightly-latest' && matrix.version != 'linked'
-    uses: actions/setup-python@v6
+    uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
    with:
      python-version: "3.13"

@@ -5,7 +5,7 @@ versions:
  - default
 steps:
  - name: Set up Ruby
-    uses: ruby/setup-ruby@c4e5b1316158f92e3d49443a9d58b31d25ac0f8f # v1.306.0
+    uses: ruby/setup-ruby@afeafc3d1ab54a631816aba4c914a0081c12ff2f # v1.310.0
    with:
      ruby-version: 2.6
  - name: Install Code Scanning integration
@@ -21,7 +21,7 @@ permissions:
  security-events: write # needed to upload the SARIF file

 steps:
-  - uses: actions/checkout@v6
+  - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
  - uses: ./init
    with:
      languages: javascript
@@ -14,7 +14,7 @@ steps:
      rm -rf ./* .github .git
  # Check out the actions repo again, but at a different location.
  # choose an arbitrary SHA so that we can later test that the commit_oid is not from main
-  - uses: actions/checkout@v6
+  - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
    with:
      ref: 474bbf07f9247ffe1856c6a0f94aeeb10e7afee6
      path: x/y/z/some-path
@@ -6,14 +6,17 @@ export const OLDEST_SUPPORTED_MAJOR_VERSION = 3;
 /** The `pr-checks` directory. */
 export const PR_CHECKS_DIR = __dirname;

+/** The repository root. */
+export const REPO_ROOT = path.join(PR_CHECKS_DIR, "..");
+
 /** The path of the file configuring which checks shouldn't be required. */
 export const PR_CHECK_EXCLUDED_FILE = path.join(PR_CHECKS_DIR, "excluded.yml");

 /** The path to the esbuild metadata file. */
-export const BUNDLE_METADATA_FILE = path.join(PR_CHECKS_DIR, "..", "meta.json");
+export const BUNDLE_METADATA_FILE = path.join(REPO_ROOT, "meta.json");

 /** The `src` directory. */
-const SOURCE_ROOT = path.join(PR_CHECKS_DIR, "..", "src");
+const SOURCE_ROOT = path.join(REPO_ROOT, "src");

 /** The path to the built-in languages file. */
 export const BUILTIN_LANGUAGES_FILE = path.join(
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
github-actions[bot]	8aeff0ffb7	Update changelog for v4.36.2	2026-06-04 11:17:27 +00:00
Henry Mercer	dcb947ce15	Merge pull request #3948 from github/update-bundle/codeql-bundle-v2.25.6 Update default bundle to 2.25.6	2026-06-04 10:56:27 +00:00
github-actions[bot]	c251bcefa1	Add changelog note	2026-06-04 10:43:06 +00:00
github-actions[bot]	62953c18b3	Update default bundle to codeql-bundle-v2.25.6	2026-06-04 10:42:59 +00:00
Henry Mercer	423b570baf	Merge pull request #3946 from github/dependabot/npm_and_yarn/npm-minor-5d507a028b Bump the npm-minor group across 1 directory with 2 updates	2026-06-04 10:38:05 +00:00
Henry Mercer	c35d1b1644	Merge pull request #3947 from github/dependabot/github_actions/dot-github/workflows/actions-minor-3d0b6ad432 Bump ruby/setup-ruby from 1.307.0 to 1.310.0 in /.github/workflows in the actions-minor group across 1 directory	2026-06-04 10:10:18 +00:00
Robert	cb1a588b02	Merge pull request #3937 from github/robertbrignull/waitForProcessing_backoff Change waitForProcessing to use exponential backoff	2026-06-04 10:06:49 +00:00
Henry Mercer	ba47406412	Merge pull request #3943 from github/henrymercer/cache-cli-version-info Cache CLI version information across Actions steps	2026-06-04 09:58:34 +00:00
Henry Mercer	5be8119767	Merge pull request #3938 from github/henrymercer/git-client-feature-flag Add FF to force JGit-based Git backend	2026-06-04 09:58:15 +00:00
Robert	6047ac775f	Merge branch 'main' into robertbrignull/waitForProcessing_backoff	2026-06-04 10:35:04 +01:00
github-actions[bot]	af7b8f37ea	Rebuild	2026-06-04 02:43:57 +00:00
dependabot[bot]	3569f75599	Bump ruby/setup-ruby Bumps the actions-minor group with 1 update in the /.github/workflows directory: [ruby/setup-ruby](https://github.com/ruby/setup-ruby). Updates `ruby/setup-ruby` from 1.307.0 to 1.310.0 - [Release notes](https://github.com/ruby/setup-ruby/releases) - [Changelog](https://github.com/ruby/setup-ruby/blob/master/release.rb) - [Commits](https://github.com/ruby/setup-ruby/compare/6aaa311d81eba98ae12eaffbcb63296ace0efcde...afeafc3d1ab54a631816aba4c914a0081c12ff2f) --- updated-dependencies: - dependency-name: ruby/setup-ruby dependency-version: 1.310.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: actions-minor ... Signed-off-by: dependabot[bot] <support@github.com>	2026-06-04 02:42:04 +00:00
github-actions[bot]	acb38f7265	Rebuild	2026-06-04 02:40:00 +00:00
dependabot[bot]	dd9e36c0d3	Bump the npm-minor group across 1 directory with 2 updates Bumps the npm-minor group with 2 updates in the / directory: [semver](https://github.com/npm/node-semver) and [typescript-eslint](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/typescript-eslint). Updates `semver` from 7.8.0 to 7.8.1 - [Release notes](https://github.com/npm/node-semver/releases) - [Changelog](https://github.com/npm/node-semver/blob/main/CHANGELOG.md) - [Commits](https://github.com/npm/node-semver/compare/v7.8.0...v7.8.1) Updates `typescript-eslint` from 8.59.4 to 8.60.0 - [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases) - [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/typescript-eslint/CHANGELOG.md) - [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v8.60.0/packages/typescript-eslint) --- updated-dependencies: - dependency-name: semver dependency-version: 7.8.1 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: npm-minor - dependency-name: typescript-eslint dependency-version: 8.60.0 dependency-type: direct:development update-type: version-update:semver-minor dependency-group: npm-minor ... Signed-off-by: dependabot[bot] <support@github.com>	2026-06-04 02:38:09 +00:00
Henry Mercer	5ccef82244	Address review comments	2026-06-03 18:31:11 +01:00
Henry Mercer	2ceebd64c4	Merge pull request #3945 from github/henrymercer/pin-actions-to-shas Pin first-party Actions to SHAs	2026-06-03 17:09:52 +00:00
Henry Mercer	fd3f10809d	Update sync-back script This is intended as a workaround until https://github.com/github/codeql-action/pull/3556 is merged.	2026-06-03 17:21:10 +01:00
Henry Mercer	87f4948cb0	Pin first-party Actions	2026-06-03 17:19:36 +01:00
Henry Mercer	bab673d0e0	Cache CLI version information across Actions steps	2026-06-02 19:27:05 +01:00
Henry Mercer	8ed7f7c384	Merge pull request #3941 from github/mergeback/v4.36.1-to-main-87557b9c Mergeback v4.36.1 refs/heads/releases/v4 into main	2026-06-02 10:35:51 +00:00
github-actions[bot]	0ad7c1f95e	Rebuild	2026-06-02 10:09:37 +00:00
github-actions[bot]	25c25b5e09	Update changelog and version after v4.36.1	2026-06-02 10:09:22 +00:00
Henry Mercer	87557b9c84	Merge pull request #3940 from github/update-v4.36.1-2a1689ed4 Merge main into releases/v4	2026-06-02 11:07:55 +01:00
github-actions[bot]	9431011964	Update changelog for v4.36.1	2026-06-02 09:50:57 +00:00
Henry Mercer	2a1689ed43	Merge pull request #3939 from github/henrymercer/skip-overlay-revert-when-explicit Disable missing diff-ranges fallback when overlay enabled manually	2026-06-01 17:25:10 +00:00
Robert	d40e417f3c	Only do initial wait when not running tests	2026-06-01 16:43:42 +01:00
Henry Mercer	524532393a	Disable missing diff-ranges fallback when overlay enabled manually	2026-06-01 15:34:08 +01:00
Henry Mercer	948a63aed1	Add FF to force JGit-based Git backend	2026-06-01 15:20:13 +01:00
Henry Mercer	d1eb1207b4	Merge pull request #3933 from github/update-supported-enterprise-server-versions Update supported GitHub Enterprise Server versions	2026-05-29 11:10:43 +00:00
Michael B. Gale	115001ba8d	Merge pull request #3934 from github/dependabot/npm_and_yarn/npm-minor-86fb5ccea6 Bump the npm-minor group across 1 directory with 2 updates	2026-05-28 14:53:43 +00:00
Michael B. Gale	cef2e7a910	Merge pull request #3925 from github/dependabot/github_actions/dot-github/workflows/actions-minor-da8be134b1 Bump ruby/setup-ruby from 1.306.0 to 1.307.0 in /.github/workflows in the actions-minor group across 1 directory	2026-05-28 13:59:27 +00:00
Michael B. Gale	5e6adf70ed	Merge pull request #3936 from github/dependabot/npm_and_yarn/tmp-0.2.7 Bump tmp from 0.2.4 to 0.2.7	2026-05-28 13:54:02 +00:00
Michael B. Gale	ad170e6c4e	Merge branch 'main' into dependabot/github_actions/dot-github/workflows/actions-minor-da8be134b1	2026-05-28 14:48:30 +01:00
Robert	dfc14113e3	Change waitForProcessing to use exponential backoff	2026-05-28 11:15:07 +01:00
github-actions[bot]	6a37b3a57a	Rebuild	2026-05-28 02:48:34 +00:00
dependabot[bot]	bef1eb7126	Bump tmp from 0.2.4 to 0.2.7 Bumps [tmp](https://github.com/raszi/node-tmp) from 0.2.4 to 0.2.7. - [Changelog](https://github.com/raszi/node-tmp/blob/master/CHANGELOG.md) - [Commits](https://github.com/raszi/node-tmp/compare/v0.2.4...v0.2.7) --- updated-dependencies: - dependency-name: tmp dependency-version: 0.2.7 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com>	2026-05-28 02:46:38 +00:00
dependabot[bot]	b42b7546a5	Bump the npm-minor group across 1 directory with 2 updates Bumps the npm-minor group with 2 updates in the / directory: [typescript-eslint](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/typescript-eslint) and [tsx](https://github.com/privatenumber/tsx). Updates `typescript-eslint` from 8.59.3 to 8.59.4 - [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases) - [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/typescript-eslint/CHANGELOG.md) - [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v8.59.4/packages/typescript-eslint) Updates `tsx` from 4.21.0 to 4.22.3 - [Release notes](https://github.com/privatenumber/tsx/releases) - [Changelog](https://github.com/privatenumber/tsx/blob/master/release.config.cjs) - [Commits](https://github.com/privatenumber/tsx/compare/v4.21.0...v4.22.3) --- updated-dependencies: - dependency-name: typescript-eslint dependency-version: 8.59.4 dependency-type: direct:development update-type: version-update:semver-patch dependency-group: npm-minor - dependency-name: tsx dependency-version: 4.22.3 dependency-type: direct:development update-type: version-update:semver-minor dependency-group: npm-minor ... Signed-off-by: dependabot[bot] <support@github.com>	2026-05-27 20:06:49 +00:00
github-actions[bot]	8b0c522441	Update supported GitHub Enterprise Server versions	2026-05-27 00:44:49 +00:00
Michael B. Gale	0e150e4076	Merge pull request #3921 from github/dependabot/npm_and_yarn/npm-minor-28e225f5ad Bump the npm-minor group across 1 directory with 6 updates	2026-05-22 14:35:33 +00:00
Michael B. Gale	8a1e375368	Merge branch 'main' into dependabot/npm_and_yarn/npm-minor-28e225f5ad	2026-05-22 15:08:30 +01:00
Óscar San José	0fb8a6672b	Merge pull request #3928 from github/mergeback/v4.36.0-to-main-7211b7c8 Mergeback v4.36.0 refs/heads/releases/v4 into main	2026-05-22 11:28:10 +00:00
github-actions[bot]	80795fb0d4	Rebuild	2026-05-22 11:08:00 +00:00
github-actions[bot]	0cd24d8654	Update changelog and version after v4.36.0	2026-05-22 11:07:48 +00:00
Óscar San José	7211b7c807	Merge pull request #3927 from github/update-v4.36.0-ebc2d9e2b Merge main into releases/v4	2026-05-22 13:06:23 +02:00
github-actions[bot]	7740f2fb21	Update changelog for v4.36.0	2026-05-22 10:49:45 +00:00
Óscar San José	ebc2d9e2bc	Merge pull request #3926 from github/update-bundle/codeql-bundle-v2.25.5 Update default bundle to 2.25.5	2026-05-22 10:32:55 +00:00
github-actions[bot]	d1f74b777c	Add changelog note	2026-05-22 10:18:49 +00:00
github-actions[bot]	2dc40cec39	Update default bundle to codeql-bundle-v2.25.5	2026-05-22 10:18:43 +00:00
Henry Mercer	84498526a0	Merge pull request #3910 from github/henrymercer/repo-size-diff-check Action size: Add a PR check that comments on significant repo size changes	2026-05-21 10:29:33 +00:00
Henry Mercer	72ac23c6d1	Update excluded required check list	2026-05-21 10:16:47 +01:00
github-actions[bot]	14c150999e	Rebuild	2026-05-20 22:08:52 +00:00
github-actions[bot]	89c58e65c1	Rebuild	2026-05-20 22:07:31 +00:00
dependabot[bot]	a0a8d16e7b	Bump ruby/setup-ruby Bumps the actions-minor group with 1 update in the /.github/workflows directory: [ruby/setup-ruby](https://github.com/ruby/setup-ruby). Updates `ruby/setup-ruby` from 1.306.0 to 1.307.0 - [Release notes](https://github.com/ruby/setup-ruby/releases) - [Changelog](https://github.com/ruby/setup-ruby/blob/master/release.rb) - [Commits](https://github.com/ruby/setup-ruby/compare/c4e5b1316158f92e3d49443a9d58b31d25ac0f8f...6aaa311d81eba98ae12eaffbcb63296ace0efcde) --- updated-dependencies: - dependency-name: ruby/setup-ruby dependency-version: 1.307.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: actions-minor ... Signed-off-by: dependabot[bot] <support@github.com>	2026-05-20 22:06:56 +00:00
dependabot[bot]	bd77449ac2	Bump the npm-minor group across 1 directory with 6 updates Bumps the npm-minor group with 6 updates in the / directory: \| Package \| From \| To \| \| --- \| --- \| --- \| \| [semver](https://github.com/npm/node-semver) \| `7.7.4` \| `7.8.0` \| \| [@eslint/compat](https://github.com/eslint/rewrite/tree/HEAD/packages/compat) \| `2.0.5` \| `2.1.0` \| \| [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) \| `20.19.39` \| `20.19.41` \| \| [nock](https://github.com/nock/nock) \| `14.0.12` \| `14.0.15` \| \| [typescript-eslint](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/typescript-eslint) \| `8.59.2` \| `8.59.3` \| \| [yaml](https://github.com/eemeli/yaml) \| `2.8.4` \| `2.9.0` \| Updates `semver` from 7.7.4 to 7.8.0 - [Release notes](https://github.com/npm/node-semver/releases) - [Changelog](https://github.com/npm/node-semver/blob/main/CHANGELOG.md) - [Commits](https://github.com/npm/node-semver/compare/v7.7.4...v7.8.0) Updates `@eslint/compat` from 2.0.5 to 2.1.0 - [Release notes](https://github.com/eslint/rewrite/releases) - [Changelog](https://github.com/eslint/rewrite/blob/main/packages/compat/CHANGELOG.md) - [Commits](https://github.com/eslint/rewrite/commits/compat-v2.1.0/packages/compat) Updates `@types/node` from 20.19.39 to 20.19.41 - [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases) - [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node) Updates `nock` from 14.0.12 to 14.0.15 - [Release notes](https://github.com/nock/nock/releases) - [Changelog](https://github.com/nock/nock/blob/main/CHANGELOG.md) - [Commits](https://github.com/nock/nock/compare/v14.0.12...v14.0.15) Updates `typescript-eslint` from 8.59.2 to 8.59.3 - [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases) - [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/typescript-eslint/CHANGELOG.md) - [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v8.59.3/packages/typescript-eslint) Updates `yaml` from 2.8.4 to 2.9.0 - [Release notes](https://github.com/eemeli/yaml/releases) - [Commits](https://github.com/eemeli/yaml/compare/v2.8.4...v2.9.0) --- updated-dependencies: - dependency-name: semver dependency-version: 7.8.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: npm-minor - dependency-name: "@eslint/compat" dependency-version: 2.1.0 dependency-type: direct:development update-type: version-update:semver-minor dependency-group: npm-minor - dependency-name: "@types/node" dependency-version: 20.19.41 dependency-type: direct:development update-type: version-update:semver-patch dependency-group: npm-minor - dependency-name: nock dependency-version: 14.0.15 dependency-type: direct:development update-type: version-update:semver-patch dependency-group: npm-minor - dependency-name: typescript-eslint dependency-version: 8.59.3 dependency-type: direct:development update-type: version-update:semver-patch dependency-group: npm-minor - dependency-name: yaml dependency-version: 2.9.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: npm-minor ... Signed-off-by: dependabot[bot] <support@github.com>	2026-05-20 22:05:27 +00:00
Henry Mercer	c5297a28a2	Merge pull request #3919 from github/henrymercer/workflow-concurrency CI: Automatically cancel non-generated workflows	2026-05-20 16:26:50 +00:00
Henry Mercer	8ffeae7d05	CI: Automatically cancel non-generated workflows Specify concurrency groups for non-generated workflows so we can cancel in-progress runs when new commits are pushed to a PR.	2026-05-20 16:39:16 +01:00
Henry Mercer	f3f52bf568	Revert `getErrorMessage` import To avoid requiring additional dependencies	2026-05-20 15:55:41 +01:00
Henry Mercer	a14f75e3ac	Address review comments	2026-05-20 15:39:14 +01:00
Henry Mercer	164c32a61e	Merge pull request #3918 from github/henrymercer/upgrade-brace-expansion Bump `brace-expansion`	2026-05-20 14:31:25 +00:00
Henry Mercer	a134948b87	Bump `brace-expansion` Address https://github.com/juliangruber/brace-expansion/security/advisories/GHSA-jxxr-4gwj-5jf2	2026-05-20 15:17:16 +01:00
Henry Mercer	f4d0a7abf7	Merge pull request #3912 from github/henrymercer/smaller-upload-lib Action size: Reduce duplication between `upload-lib` and `entry-points`	2026-05-19 18:55:28 +00:00
Henry Mercer	f62fbc9627	Merge pull request #3895 from github/mbg/analysis-kinds/warn-on-non-cs-advanced-setup Log error for non-default `analysis-kinds` input outside of managed workflows	2026-05-19 18:43:18 +00:00
Henry Mercer	2a7340616e	Address review comments	2026-05-19 19:41:51 +01:00
Henry Mercer	3b0e64cb09	Merge pull request #3914 from github/henrymercer/auto-rebuild-release-prs Release process: Automatically rebuild PRs	2026-05-19 18:00:31 +00:00
Michael B. Gale	0a7280a837	Assert that nothing is logged	2026-05-19 14:22:23 +01:00
Michael B. Gale	b79a976789	Merge remote-tracking branch 'origin/main' into mbg/analysis-kinds/warn-on-non-cs-advanced-setup	2026-05-19 14:18:19 +01:00
Henry Mercer	2c8faa5e9f	Pass comment body file directly	2026-05-18 20:28:53 +01:00
Henry Mercer	15a712bbc2	Address review comments	2026-05-18 20:08:43 +01:00
Henry Mercer	eb9a790d15	Apply suggestion from @henrymercer	2026-05-18 19:39:41 +01:00
Henry Mercer	b8baf41834	Remove comments about npm cache	2026-05-18 19:31:53 +01:00
Henry Mercer	5e9ae56429	Add specific instruction about "Rebuild" commit	2026-05-18 19:28:49 +01:00
Henry Mercer	8442bc0af9	Release process: Automatically rebuild PRs	2026-05-18 19:06:49 +01:00
Henry Mercer	26a1e570a6	Merge pull request #3913 from github/henrymercer/downgrade-ava Downgrade ava to version 6.4.1	2026-05-18 18:00:26 +00:00
Henry Mercer	9b6438e936	Tweak workflow	2026-05-18 18:25:26 +01:00
Henry Mercer	b5b50d62f1	Merge branch 'main' into henrymercer/repo-size-diff-check	2026-05-18 18:20:16 +01:00
Henry Mercer	9665bc2f5a	Downgrade ava to version 6.4.1 Since we run CI on Node 20 as well as Node 24	2026-05-18 18:07:08 +01:00
Henry Mercer	5a80681bb6	Address review comments	2026-05-18 17:53:50 +01:00
Henry Mercer	bcffb2b658	Unify checks into a single job	2026-05-18 17:33:45 +01:00
Henry Mercer	fcc1e3197f	Action size: Reduce duplication between `upload-lib` and `entry-points`	2026-05-18 17:18:03 +01:00
Henry Mercer	6f8805e224	Default setup env vars: Restrict results to `src`	2026-05-18 17:15:30 +01:00
Henry Mercer	4fc0f3e51b	Add a PR check that comments on significant repo size changes	2026-05-18 16:36:58 +01:00
Michael B. Gale	4235601f6f	Log error for non-default `analysis-kinds` input outside of managed workflows	2026-05-13 17:43:16 +01:00