Merge branch 'main' into redsun82/dump-sarif

Setting it will cause the SARIF files that would be uploaded to be
dumped to the specified directory as `upload.sarif` or
`upload.quality.sarif`. Crucially, this happens even if uploads are
disabled, which is useful for testing.

.github/codeql/codeql-actions-config.yml

@@ -0,0 +1,4 @@
+# Configuration for the CodeQL Actions Queries
+name: "CodeQL Actions Queries config"
+queries:
+  - uses: security-and-quality

.github/codeql/codeql-config.yml

@@ -7,9 +7,9 @@ queries:
   # we include both even though one is a superset of the
   # other, because we're testing the parsing logic and
   # that the suites exist in the codeql bundle.
-  - uses: security-and-quality
   - uses: security-experimental
   - uses: security-extended
+  - uses: security-and-quality
 paths-ignore:
-  - lib
   - tests
+  - lib

.github/workflows/__all-platform-bundle.yml

@@ -34,9 +34,6 @@ on:
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
-defaults:
-  run:
-    shell: bash
 jobs:
   all-platform-bundle:
     strategy:
@@ -73,6 +70,7 @@ jobs:
           languages: cpp,csharp,go,java,javascript,python,ruby
           tools: ${{ steps.prepare-test.outputs.tools-url }}
       - name: Build code
+        shell: bash
         run: ./build.sh
       - uses: ./../action/analyze
     env:

.github/workflows/__analyze-ref-input.yml

@@ -34,9 +34,6 @@ on:
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
-defaults:
-  run:
-    shell: bash
 jobs:
   analyze-ref-input:
     strategy:
@@ -77,6 +74,7 @@ jobs:
           config-file: ${{ github.repository }}/tests/multi-language-repo/.github/codeql/custom-queries.yml@${{
             github.sha }}
       - name: Build code
+        shell: bash
         run: ./build.sh
       - uses: ./../action/analyze
         with:

.github/workflows/__autobuild-action.yml

@@ -24,9 +24,6 @@ on:
     inputs: {}
   workflow_call:
     inputs: {}
-defaults:
-  run:
-    shell: bash
 jobs:
   autobuild-action:
     strategy:
@@ -70,6 +67,7 @@ jobs:
           CORECLR_PROFILER_PATH_64: ''
       - uses: ./../action/analyze
       - name: Check database
+        shell: bash
         run: |
           cd "$RUNNER_TEMP/codeql_databases"
           if [[ ! -d csharp ]]; then

.github/workflows/__autobuild-direct-tracing-with-working-dir.yml

@@ -34,9 +34,6 @@ on:
         description: The version of Java to install
         required: false
         default: '17'
-defaults:
-  run:
-    shell: bash
 jobs:
   autobuild-direct-tracing-with-working-dir:
     strategy:
@@ -73,6 +70,7 @@ jobs:
           java-version: ${{ inputs.java-version || '17' }}
           distribution: temurin
       - name: Test setup
+        shell: bash
         run: |
           # Make sure that Gradle build succeeds in autobuild-dir ...
           cp -a ../action/tests/java-repo autobuild-dir
@@ -84,6 +82,7 @@ jobs:
           languages: java
           tools: ${{ steps.prepare-test.outputs.tools-url }}
       - name: Check that indirect tracing is disabled
+        shell: bash
         run: |
           if [[ ! -z "${CODEQL_RUNNER}" ]]; then
             echo "Expected indirect tracing to be disabled, but the" \

.github/workflows/__autobuild-direct-tracing.yml

@@ -34,9 +34,6 @@ on:
         description: The version of Java to install
         required: false
         default: '17'
-defaults:
-  run:
-    shell: bash
 jobs:
   autobuild-direct-tracing:
     strategy:
@@ -73,6 +70,7 @@ jobs:
           java-version: ${{ inputs.java-version || '17' }}
           distribution: temurin
       - name: Set up Java test repo configuration
+        shell: bash
         run: |
           mv * .github ../action/tests/multi-language-repo/
           mv ../action/tests/multi-language-repo/.github/workflows .github
@@ -87,6 +85,7 @@ jobs:
           tools: ${{ steps.prepare-test.outputs.tools-url }}
 
       - name: Check that indirect tracing is disabled
+        shell: bash
         run: |
           if [[ ! -z "${CODEQL_RUNNER}" ]]; then
             echo "Expected indirect tracing to be disabled, but the" \

.github/workflows/__build-mode-autobuild.yml

@@ -24,9 +24,6 @@ on:
     inputs: {}
   workflow_call:
     inputs: {}
-defaults:
-  run:
-    shell: bash
 jobs:
   build-mode-autobuild:
     strategy:

.github/workflows/__build-mode-manual.yml

@@ -34,9 +34,6 @@ on:
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
-defaults:
-  run:
-    shell: bash
 jobs:
   build-mode-manual:
     strategy:
@@ -84,6 +81,7 @@ jobs:
           fi
 
       - name: Build code
+        shell: bash
         run: ./build.sh
 
       - uses: ./../action/analyze

.github/workflows/__build-mode-none.yml

@@ -24,9 +24,6 @@ on:
     inputs: {}
   workflow_call:
     inputs: {}
-defaults:
-  run:
-    shell: bash
 jobs:
   build-mode-none:
     strategy:

.github/workflows/__build-mode-rollback.yml

@@ -24,9 +24,6 @@ on:
     inputs: {}
   workflow_call:
     inputs: {}
-defaults:
-  run:
-    shell: bash
 jobs:
   build-mode-rollback:
     strategy:

.github/workflows/__bundle-toolcache.yml

@@ -24,9 +24,6 @@ on:
     inputs: {}
   workflow_call:
     inputs: {}
-defaults:
-  run:
-    shell: bash
 jobs:
   bundle-toolcache:
     strategy:

.github/workflows/__bundle-zstd.yml

@@ -24,9 +24,6 @@ on:
     inputs: {}
   workflow_call:
     inputs: {}
-defaults:
-  run:
-    shell: bash
 jobs:
   bundle-zstd:
     strategy:

.github/workflows/__cleanup-db-cluster-dir.yml

@@ -24,9 +24,6 @@ on:
     inputs: {}
   workflow_call:
     inputs: {}
-defaults:
-  run:
-    shell: bash
 jobs:
   cleanup-db-cluster-dir:
     strategy:

.github/workflows/__config-export.yml

@@ -24,9 +24,6 @@ on:
     inputs: {}
   workflow_call:
     inputs: {}
-defaults:
-  run:
-    shell: bash
 jobs:
   config-export:
     strategy:

.github/workflows/__config-input.yml

@@ -24,9 +24,6 @@ on:
     inputs: {}
   workflow_call:
     inputs: {}
-defaults:
-  run:
-    shell: bash
 jobs:
   config-input:
     strategy:

.github/workflows/__cpp-deptrace-disabled.yml

@@ -24,9 +24,6 @@ on:
     inputs: {}
   workflow_call:
     inputs: {}
-defaults:
-  run:
-    shell: bash
 jobs:
   cpp-deptrace-disabled:
     strategy:
@@ -56,6 +53,7 @@ jobs:
           use-all-platform-bundle: 'false'
           setup-kotlin: 'true'
       - name: Test setup
+        shell: bash
         run: |
           cp -a ../action/tests/cpp-autobuild autobuild-dir
       - uses: ./../action/init
@@ -67,7 +65,8 @@ jobs:
           working-directory: autobuild-dir
         env:
           CODEQL_EXTRACTOR_CPP_AUTOINSTALL_DEPENDENCIES: false
-      - run: |
+      - shell: bash
+        run: |
           if ls /usr/bin/errno; then
             echo "C/C++ autobuild installed errno, but it should not have since auto-install dependencies is disabled."
             exit 1

.github/workflows/__cpp-deptrace-enabled-on-macos.yml

@@ -24,9 +24,6 @@ on:
     inputs: {}
   workflow_call:
     inputs: {}
-defaults:
-  run:
-    shell: bash
 jobs:
   cpp-deptrace-enabled-on-macos:
     strategy:
@@ -54,6 +51,7 @@ jobs:
           use-all-platform-bundle: 'false'
           setup-kotlin: 'true'
       - name: Test setup
+        shell: bash
         run: |
           cp -a ../action/tests/cpp-autobuild autobuild-dir
       - uses: ./../action/init
@@ -65,7 +63,8 @@ jobs:
           working-directory: autobuild-dir
         env:
           CODEQL_EXTRACTOR_CPP_AUTOINSTALL_DEPENDENCIES: true
-      - run: |
+      - shell: bash
+        run: |
           if ! ls /usr/bin/errno; then
             echo "As expected, CODEQL_EXTRACTOR_CPP_AUTOINSTALL_DEPENDENCIES is a no-op on macOS"
           else

.github/workflows/__cpp-deptrace-enabled.yml

@@ -24,9 +24,6 @@ on:
     inputs: {}
   workflow_call:
     inputs: {}
-defaults:
-  run:
-    shell: bash
 jobs:
   cpp-deptrace-enabled:
     strategy:
@@ -56,6 +53,7 @@ jobs:
           use-all-platform-bundle: 'false'
           setup-kotlin: 'true'
       - name: Test setup
+        shell: bash
         run: |
           cp -a ../action/tests/cpp-autobuild autobuild-dir
       - uses: ./../action/init
@@ -67,7 +65,8 @@ jobs:
           working-directory: autobuild-dir
         env:
           CODEQL_EXTRACTOR_CPP_AUTOINSTALL_DEPENDENCIES: true
-      - run: |
+      - shell: bash
+        run: |
           if ! ls /usr/bin/errno; then
             echo "Did not autoinstall errno"
             exit 1

.github/workflows/__diagnostics-export.yml

@@ -24,9 +24,6 @@ on:
     inputs: {}
   workflow_call:
     inputs: {}
-defaults:
-  run:
-    shell: bash
 jobs:
   diagnostics-export:
     strategy:
@@ -67,6 +64,7 @@ jobs:
           languages: javascript
           tools: ${{ steps.prepare-test.outputs.tools-url }}
       - name: Add test diagnostics
+        shell: bash
         env:
           CODEQL_PATH: ${{ steps.init.outputs.codeql-path }}
         run: |

.github/workflows/__export-file-baseline-information.yml

@@ -34,9 +34,6 @@ on:
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
-defaults:
-  run:
-    shell: bash
 jobs:
   export-file-baseline-information:
     strategy:
@@ -76,6 +73,7 @@ jobs:
           languages: javascript
           tools: ${{ steps.prepare-test.outputs.tools-url }}
       - name: Build code
+        shell: bash
         run: ./build.sh
       - uses: ./../action/analyze
         with:
@@ -87,6 +85,7 @@ jobs:
           path: ${{ runner.temp }}/results/javascript.sarif
           retention-days: 7
       - name: Check results
+        shell: bash
         run: |
           cd "$RUNNER_TEMP/results"
           expected_baseline_languages="c csharp go java kotlin javascript python ruby"

.github/workflows/__extractor-ram-threads.yml

@@ -24,9 +24,6 @@ on:
     inputs: {}
   workflow_call:
     inputs: {}
-defaults:
-  run:
-    shell: bash
 jobs:
   extractor-ram-threads:
     strategy:
@@ -57,6 +54,7 @@ jobs:
           ram: 230
           threads: 1
       - name: Assert Results
+        shell: bash
         run: |
           if [ "${CODEQL_RAM}" != "230" ]; then
             echo "CODEQL_RAM is '${CODEQL_RAM}' instead of 230"

.github/workflows/__go-custom-queries.yml

@@ -34,9 +34,6 @@ on:
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
-defaults:
-  run:
-    shell: bash
 jobs:
   go-custom-queries:
     strategy:
@@ -74,6 +71,7 @@ jobs:
           config-file: ./.github/codeql/custom-queries.yml
           tools: ${{ steps.prepare-test.outputs.tools-url }}
       - name: Build code
+        shell: bash
         run: ./build.sh
       - uses: ./../action/analyze
     env:

.github/workflows/__go-indirect-tracing-workaround-diagnostic.yml

@@ -34,9 +34,6 @@ on:
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
-defaults:
-  run:
-    shell: bash
 jobs:
   go-indirect-tracing-workaround-diagnostic:
     strategy:
@@ -75,6 +72,7 @@ jobs:
         with:
           go-version: '1.20'
       - name: Build code
+        shell: bash
         run: go build main.go
       - uses: ./../action/analyze
         with:

.github/workflows/__go-indirect-tracing-workaround-no-file-program.yml

@@ -34,9 +34,6 @@ on:
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
-defaults:
-  run:
-    shell: bash
 jobs:
   go-indirect-tracing-workaround-no-file-program:
     strategy:
@@ -76,6 +73,7 @@ jobs:
           languages: go
           tools: ${{ steps.prepare-test.outputs.tools-url }}
       - name: Build code
+        shell: bash
         run: go build main.go
       - uses: ./../action/analyze
         with:

.github/workflows/__go-indirect-tracing-workaround.yml

@@ -34,9 +34,6 @@ on:
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
-defaults:
-  run:
-    shell: bash
 jobs:
   go-indirect-tracing-workaround:
     strategy:
@@ -71,9 +68,11 @@ jobs:
           languages: go
           tools: ${{ steps.prepare-test.outputs.tools-url }}
       - name: Build code
+        shell: bash
         run: go build main.go
       - uses: ./../action/analyze
-      - run: |
+      - shell: bash
+        run: |
           if [[ -z "${CODEQL_ACTION_GO_BINARY}" ]]; then
             echo "Expected the workaround for indirect tracing of static binaries to trigger, but the" \
               "CODEQL_ACTION_GO_BINARY environment variable is not set."

.github/workflows/__go-tracing-autobuilder.yml

@@ -34,9 +34,6 @@ on:
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
-defaults:
-  run:
-    shell: bash
 jobs:
   go-tracing-autobuilder:
     strategy:
@@ -63,10 +60,6 @@ jobs:
             version: stable-v2.21.4
           - os: macos-latest
             version: stable-v2.21.4
-          - os: ubuntu-latest
-            version: stable-v2.22.4
-          - os: macos-latest
-            version: stable-v2.22.4
           - os: ubuntu-latest
             version: default
           - os: macos-latest
@@ -106,7 +99,8 @@ jobs:
           tools: ${{ steps.prepare-test.outputs.tools-url }}
       - uses: ./../action/autobuild
       - uses: ./../action/analyze
-      - run: |
+      - shell: bash
+        run: |
           if [[ "${CODEQL_ACTION_DID_AUTOBUILD_GOLANG}" != true ]]; then
             echo "Expected the Go autobuilder to be run, but the" \
               "CODEQL_ACTION_DID_AUTOBUILD_GOLANG environment variable was not true."

.github/workflows/__go-tracing-custom-build-steps.yml

@@ -34,9 +34,6 @@ on:
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
-defaults:
-  run:
-    shell: bash
 jobs:
   go-tracing-custom-build-steps:
     strategy:
@@ -63,10 +60,6 @@ jobs:
             version: stable-v2.21.4
           - os: macos-latest
             version: stable-v2.21.4
-          - os: ubuntu-latest
-            version: stable-v2.22.4
-          - os: macos-latest
-            version: stable-v2.22.4
           - os: ubuntu-latest
             version: default
           - os: macos-latest
@@ -105,9 +98,11 @@ jobs:
           languages: go
           tools: ${{ steps.prepare-test.outputs.tools-url }}
       - name: Build code
+        shell: bash
         run: go build main.go
       - uses: ./../action/analyze
-      - run: |
+      - shell: bash
+        run: |
           # Once we start running Bash 4.2 in all environments, we can replace the
           # `! -z` flag with the more elegant `-v` which confirms that the variable
           # is actually unset and not potentially set to a blank value.

.github/workflows/__go-tracing-legacy-workflow.yml

@@ -34,9 +34,6 @@ on:
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
-defaults:
-  run:
-    shell: bash
 jobs:
   go-tracing-legacy-workflow:
     strategy:
@@ -63,10 +60,6 @@ jobs:
             version: stable-v2.21.4
           - os: macos-latest
             version: stable-v2.21.4
-          - os: ubuntu-latest
-            version: stable-v2.22.4
-          - os: macos-latest
-            version: stable-v2.22.4
           - os: ubuntu-latest
             version: default
           - os: macos-latest
@@ -105,7 +98,8 @@ jobs:
           languages: go
           tools: ${{ steps.prepare-test.outputs.tools-url }}
       - uses: ./../action/analyze
-      - run: |
+      - shell: bash
+        run: |
           cd "$RUNNER_TEMP/codeql_databases"
           if [[ ! -d go ]]; then
             echo "Did not find a Go database"

.github/workflows/__init-with-registries.yml

@@ -24,9 +24,6 @@ on:
     inputs: {}
   workflow_call:
     inputs: {}
-defaults:
-  run:
-    shell: bash
 jobs:
   init-with-registries:
     strategy:
@@ -81,6 +78,7 @@ jobs:
               token: "${{ secrets.GITHUB_TOKEN }}"
 
       - name: Verify packages installed
+        shell: bash
         run: |
           PRIVATE_PACK="$HOME/.codeql/packages/codeql-testing/private-pack"
           CODEQL_PACK1="$HOME/.codeql/packages/codeql-testing/codeql-pack1"
@@ -102,6 +100,7 @@ jobs:
           fi
 
       - name: Verify qlconfig.yml file was created
+        shell: bash
         run: |
           QLCONFIG_PATH=$RUNNER_TEMP/qlconfig.yml
           echo "Expected qlconfig.yml file to be created at $QLCONFIG_PATH"
@@ -116,6 +115,7 @@ jobs:
       - name: Verify contents of qlconfig.yml
     # yq is not available on windows
         if: runner.os != 'Windows'
+        shell: bash
         run: |
           QLCONFIG_PATH=$RUNNER_TEMP/qlconfig.yml
           cat $QLCONFIG_PATH | yq -e '.registries[] | select(.url == "https://ghcr.io/v2/") | select(.packages == "*/*")'

.github/workflows/__javascript-source-root.yml

@@ -24,9 +24,6 @@ on:
     inputs: {}
   workflow_call:
     inputs: {}
-defaults:
-  run:
-    shell: bash
 jobs:
   javascript-source-root:
     strategy:
@@ -56,6 +53,7 @@ jobs:
           use-all-platform-bundle: 'false'
           setup-kotlin: 'true'
       - name: Move codeql-action
+        shell: bash
         run: |
           mkdir ../new-source-root
           mv * ../new-source-root
@@ -68,6 +66,7 @@ jobs:
         with:
           skip-queries: true
       - name: Assert database exists
+        shell: bash
         run: |
           cd "$RUNNER_TEMP/codeql_databases"
           if [[ ! -d javascript ]]; then

.github/workflows/__job-run-uuid-sarif.yml

@@ -24,9 +24,6 @@ on:
     inputs: {}
   workflow_call:
     inputs: {}
-defaults:
-  run:
-    shell: bash
 jobs:
   job-run-uuid-sarif:
     strategy:
@@ -66,6 +63,7 @@ jobs:
           path: ${{ runner.temp }}/results/javascript.sarif
           retention-days: 7
       - name: Check results
+        shell: bash
         run: |
           cd "$RUNNER_TEMP/results"
           actual=$(jq -r '.runs[0].properties.jobRunUuid' javascript.sarif)

.github/workflows/__language-aliases.yml

@@ -24,9 +24,6 @@ on:
     inputs: {}
   workflow_call:
     inputs: {}
-defaults:
-  run:
-    shell: bash
 jobs:
   language-aliases:
     strategy:

.github/workflows/__multi-language-autodetect.yml

@@ -34,9 +34,6 @@ on:
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
-defaults:
-  run:
-    shell: bash
 jobs:
   multi-language-autodetect:
     strategy:
@@ -63,10 +60,6 @@ jobs:
             version: stable-v2.21.4
           - os: ubuntu-latest
             version: stable-v2.21.4
-          - os: macos-latest
-            version: stable-v2.22.4
-          - os: ubuntu-latest
-            version: stable-v2.22.4
           - os: macos-latest
             version: default
           - os: ubuntu-latest
@@ -101,6 +94,7 @@ jobs:
           go-version: ${{ inputs.go-version || '>=1.21.0' }}
           cache: false
       - name: Use Xcode 16
+        shell: bash
         if: runner.os == 'macOS' && matrix.version != 'nightly-latest'
         run: sudo xcode-select -s "/Applications/Xcode_16.app"
 
@@ -113,6 +107,7 @@ jobs:
           tools: ${{ steps.prepare-test.outputs.tools-url }}
 
       - name: Build code
+        shell: bash
         run: ./build.sh
 
       - uses: ./../action/analyze
@@ -121,6 +116,7 @@ jobs:
           upload-database: false
 
       - name: Check language autodetect for all languages excluding Swift
+        shell: bash
         run: |
           CPP_DB=${{ fromJson(steps.analysis.outputs.db-locations).cpp }}
           if [[ ! -d $CPP_DB ]] || [[ ! $CPP_DB == ${{ runner.temp }}/customDbLocation/* ]]; then
@@ -160,6 +156,7 @@ jobs:
 
       - name: Check language autodetect for Swift on macOS
         if: runner.os == 'macOS'
+        shell: bash
         run: |
           SWIFT_DB=${{ fromJson(steps.analysis.outputs.db-locations).swift }}
           if [[ ! -d $SWIFT_DB ]] || [[ ! $SWIFT_DB == ${{ runner.temp }}/customDbLocation/* ]]; then

.github/workflows/__overlay-init-fallback.yml

@@ -24,9 +24,6 @@ on:
     inputs: {}
   workflow_call:
     inputs: {}
-defaults:
-  run:
-    shell: bash
 jobs:
   overlay-init-fallback:
     strategy:
@@ -64,6 +61,7 @@ jobs:
         with:
           upload-database: false
       - name: Check database
+        shell: bash
         run: |
           cd "$RUNNER_TEMP/codeql_databases/actions"
           if ! grep -q 'overlayBaseDatabase: false' codeql-database.yml ; then

.github/workflows/__packaging-codescanning-config-inputs-js.yml

@@ -34,9 +34,6 @@ on:
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
-defaults:
-  run:
-    shell: bash
 jobs:
   packaging-codescanning-config-inputs-js:
     strategy:
@@ -96,6 +93,7 @@ jobs:
           languages: javascript
           tools: ${{ steps.prepare-test.outputs.tools-url }}
       - name: Build code
+        shell: bash
         run: ./build.sh
       - uses: ./../action/analyze
         with:
@@ -111,6 +109,7 @@ jobs:
           queries-not-run: foo,bar
 
       - name: Assert Results
+        shell: bash
         run: |
           cd "$RUNNER_TEMP/results"
           # We should have 4 hits from these rules

.github/workflows/__packaging-config-inputs-js.yml

@@ -34,9 +34,6 @@ on:
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
-defaults:
-  run:
-    shell: bash
 jobs:
   packaging-config-inputs-js:
     strategy:
@@ -96,6 +93,7 @@ jobs:
           languages: javascript
           tools: ${{ steps.prepare-test.outputs.tools-url }}
       - name: Build code
+        shell: bash
         run: ./build.sh
       - uses: ./../action/analyze
         with:
@@ -111,6 +109,7 @@ jobs:
           queries-not-run: foo,bar
 
       - name: Assert Results
+        shell: bash
         run: |
           cd "$RUNNER_TEMP/results"
           # We should have 4 hits from these rules

.github/workflows/__packaging-config-js.yml

@@ -34,9 +34,6 @@ on:
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
-defaults:
-  run:
-    shell: bash
 jobs:
   packaging-config-js:
     strategy:
@@ -95,6 +92,7 @@ jobs:
           languages: javascript
           tools: ${{ steps.prepare-test.outputs.tools-url }}
       - name: Build code
+        shell: bash
         run: ./build.sh
       - uses: ./../action/analyze
         with:
@@ -110,6 +108,7 @@ jobs:
           queries-not-run: foo,bar
 
       - name: Assert Results
+        shell: bash
         run: |
           cd "$RUNNER_TEMP/results"
           # We should have 4 hits from these rules

.github/workflows/__packaging-inputs-js.yml

@@ -34,9 +34,6 @@ on:
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
-defaults:
-  run:
-    shell: bash
 jobs:
   packaging-inputs-js:
     strategy:
@@ -96,6 +93,7 @@ jobs:
           packs: codeql-testing/codeql-pack1@1.0.0, codeql-testing/codeql-pack2, codeql-testing/codeql-pack3:other-query.ql
           tools: ${{ steps.prepare-test.outputs.tools-url }}
       - name: Build code
+        shell: bash
         run: ./build.sh
       - uses: ./../action/analyze
         with:
@@ -110,6 +108,7 @@ jobs:
           queries-not-run: foo,bar
 
       - name: Assert Results
+        shell: bash
         run: |
           cd "$RUNNER_TEMP/results"
           # We should have 4 hits from these rules

.github/workflows/__quality-queries.yml

@@ -24,9 +24,6 @@ on:
     inputs: {}
   workflow_call:
     inputs: {}
-defaults:
-  run:
-    shell: bash
 jobs:
   quality-queries:
     strategy:

.github/workflows/__remote-config.yml

@@ -34,9 +34,6 @@ on:
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
-defaults:
-  run:
-    shell: bash
 jobs:
   remote-config:
     strategy:
@@ -75,6 +72,7 @@ jobs:
           config-file: ${{ github.repository }}/tests/multi-language-repo/.github/codeql/custom-queries.yml@${{
             github.sha }}
       - name: Build code
+        shell: bash
         run: ./build.sh
       - uses: ./../action/analyze
     env:

.github/workflows/__resolve-environment-action.yml

@@ -24,9 +24,6 @@ on:
     inputs: {}
   workflow_call:
     inputs: {}
-defaults:
-  run:
-    shell: bash
 jobs:
   resolve-environment-action:
     strategy:

.github/workflows/__rubocop-multi-language.yml

@@ -24,9 +24,6 @@ on:
     inputs: {}
   workflow_call:
     inputs: {}
-defaults:
-  run:
-    shell: bash
 jobs:
   rubocop-multi-language:
     strategy:
@@ -56,10 +53,13 @@ jobs:
         with:
           ruby-version: 2.6
       - name: Install Code Scanning integration
+        shell: bash
         run: bundle add code-scanning-rubocop --version 0.3.0 --skip-install
       - name: Install dependencies
+        shell: bash
         run: bundle install
       - name: RuboCop run
+        shell: bash
         run: |
           bash -c "
             bundle exec rubocop --require code_scanning --format CodeScanning::SarifFormatter -o rubocop.sarif

.github/workflows/__ruby.yml

@@ -24,9 +24,6 @@ on:
     inputs: {}
   workflow_call:
     inputs: {}
-defaults:
-  run:
-    shell: bash
 jobs:
   ruby:
     strategy:
@@ -70,6 +67,7 @@ jobs:
         with:
           upload-database: false
       - name: Check database
+        shell: bash
         run: |
           RUBY_DB="${{ fromJson(steps.analysis.outputs.db-locations).ruby }}"
           if [[ ! -d "$RUBY_DB" ]]; then

.github/workflows/__rust.yml

@@ -24,9 +24,6 @@ on:
     inputs: {}
   workflow_call:
     inputs: {}
-defaults:
-  run:
-    shell: bash
 jobs:
   rust:
     strategy:
@@ -68,6 +65,7 @@ jobs:
         with:
           upload-database: false
       - name: Check database
+        shell: bash
         run: |
           RUST_DB="${{ fromJson(steps.analysis.outputs.db-locations).rust }}"
           if [[ ! -d "$RUST_DB" ]]; then

.github/workflows/__split-workflow.yml

@@ -34,9 +34,6 @@ on:
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
-defaults:
-  run:
-    shell: bash
 jobs:
   split-workflow:
     strategy:
@@ -83,6 +80,7 @@ jobs:
           languages: javascript
           tools: ${{ steps.prepare-test.outputs.tools-url }}
       - name: Build code
+        shell: bash
         run: ./build.sh
       - uses: ./../action/analyze
         with:
@@ -91,6 +89,7 @@ jobs:
           upload-database: false
 
       - name: Assert No Results
+        shell: bash
         run: |
           if [ "$(ls -A $RUNNER_TEMP/results)" ]; then
             echo "Expected results directory to be empty after skipping query execution!"
@@ -101,6 +100,7 @@ jobs:
           output: ${{ runner.temp }}/results
           upload-database: false
       - name: Assert Results
+        shell: bash
         run: |
           cd "$RUNNER_TEMP/results"
           # We should have 4 hits from these rules

.github/workflows/__start-proxy.yml

@@ -24,9 +24,6 @@ on:
     inputs: {}
   workflow_call:
     inputs: {}
-defaults:
-  run:
-    shell: bash
 jobs:
   start-proxy:
     strategy:

.github/workflows/__submit-sarif-failure.yml

@@ -24,9 +24,6 @@ on:
     inputs: {}
   workflow_call:
     inputs: {}
-defaults:
-  run:
-    shell: bash
 jobs:
   submit-sarif-failure:
     strategy:

.github/workflows/__swift-autobuild.yml

@@ -24,9 +24,6 @@ on:
     inputs: {}
   workflow_call:
     inputs: {}
-defaults:
-  run:
-    shell: bash
 jobs:
   swift-autobuild:
     strategy:
@@ -58,6 +55,7 @@ jobs:
           build-mode: autobuild
           tools: ${{ steps.prepare-test.outputs.tools-url }}
       - name: Check working directory
+        shell: bash
         run: pwd
       - uses: ./../action/autobuild
         timeout-minutes: 30
@@ -66,6 +64,7 @@ jobs:
         with:
           upload-database: false
       - name: Check database
+        shell: bash
         run: |
           SWIFT_DB="${{ fromJson(steps.analysis.outputs.db-locations).swift }}"
           if [[ ! -d "$SWIFT_DB" ]]; then

.github/workflows/__swift-custom-build.yml

@@ -34,9 +34,6 @@ on:
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
-defaults:
-  run:
-    shell: bash
 jobs:
   swift-custom-build:
     strategy:
@@ -71,6 +68,7 @@ jobs:
           go-version: ${{ inputs.go-version || '>=1.21.0' }}
           cache: false
       - name: Use Xcode 16
+        shell: bash
         if: runner.os == 'macOS' && matrix.version != 'nightly-latest'
         run: sudo xcode-select -s "/Applications/Xcode_16.app"
       - uses: ./../action/init
@@ -79,14 +77,17 @@ jobs:
           languages: swift
           tools: ${{ steps.prepare-test.outputs.tools-url }}
       - name: Check working directory
+        shell: bash
         run: pwd
       - name: Build code
+        shell: bash
         run: ./build.sh
       - uses: ./../action/analyze
         id: analysis
         with:
           upload-database: false
       - name: Check database
+        shell: bash
         run: |
           SWIFT_DB="${{ fromJson(steps.analysis.outputs.db-locations).swift }}"
           if [[ ! -d "$SWIFT_DB" ]]; then

.github/workflows/__test-autobuild-working-dir.yml

@@ -24,9 +24,6 @@ on:
     inputs: {}
   workflow_call:
     inputs: {}
-defaults:
-  run:
-    shell: bash
 jobs:
   test-autobuild-working-dir:
     strategy:
@@ -52,6 +49,7 @@ jobs:
           use-all-platform-bundle: 'false'
           setup-kotlin: 'true'
       - name: Test setup
+        shell: bash
         run: |
           # Make sure that Gradle build succeeds in autobuild-dir ...
           cp -a ../action/tests/java-repo autobuild-dir
@@ -66,6 +64,7 @@ jobs:
           working-directory: autobuild-dir
       - uses: ./../action/analyze
       - name: Check database
+        shell: bash
         run: |
           cd "$RUNNER_TEMP/codeql_databases"
           if [[ ! -d java ]]; then

.github/workflows/__test-local-codeql.yml

@@ -34,9 +34,6 @@ on:
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
-defaults:
-  run:
-    shell: bash
 jobs:
   test-local-codeql:
     strategy:
@@ -67,6 +64,7 @@ jobs:
           go-version: ${{ inputs.go-version || '>=1.21.0' }}
           cache: false
       - name: Fetch a CodeQL bundle
+        shell: bash
         env:
           CODEQL_URL: ${{ steps.prepare-test.outputs.tools-url }}
         run: |
@@ -78,6 +76,7 @@ jobs:
           languages: cpp,csharp,go,java,javascript,python,ruby
           tools: ./codeql-bundle-linux64.tar.zst
       - name: Build code
+        shell: bash
         run: ./build.sh
       - uses: ./../action/analyze
     env:

.github/workflows/__test-proxy.yml

@@ -24,9 +24,6 @@ on:
     inputs: {}
   workflow_call:
     inputs: {}
-defaults:
-  run:
-    shell: bash
 jobs:
   test-proxy:
     strategy:

.github/workflows/__unset-environment.yml

@@ -34,9 +34,6 @@ on:
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
-defaults:
-  run:
-    shell: bash
 jobs:
   unset-environment:
     strategy:
@@ -76,12 +73,14 @@ jobs:
           languages: cpp,csharp,go,java,javascript,python,ruby
           tools: ${{ steps.prepare-test.outputs.tools-url }}
       - name: Build code
+        shell: bash
         run: env -i PATH="$PATH" HOME="$HOME" ./build.sh
       - uses: ./../action/analyze
         id: analysis
         with:
           upload-database: false
-      - run: |
+      - shell: bash
+        run: |
           CPP_DB="${{ fromJson(steps.analysis.outputs.db-locations).cpp }}"
           if [[ ! -d "$CPP_DB" ]] || [[ ! "$CPP_DB" == "${RUNNER_TEMP}/customDbLocation/cpp" ]]; then
             echo "::error::Did not create a database for CPP, or created it in the wrong location." \

.github/workflows/__upload-quality-sarif.yml

@@ -34,9 +34,6 @@ on:
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
-defaults:
-  run:
-    shell: bash
 jobs:
   upload-quality-sarif:
     strategy:
@@ -78,6 +75,7 @@ jobs:
             github.sha }}
           analysis-kinds: code-scanning,code-quality
       - name: Build code
+        shell: bash
         run: ./build.sh
   # Generate some SARIF we can upload with the upload-sarif step
       - uses: ./../action/analyze

.github/workflows/__upload-ref-sha-input.yml

@@ -34,9 +34,6 @@ on:
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
-defaults:
-  run:
-    shell: bash
 jobs:
   upload-ref-sha-input:
     strategy:
@@ -77,6 +74,7 @@ jobs:
           config-file: ${{ github.repository }}/tests/multi-language-repo/.github/codeql/custom-queries.yml@${{
             github.sha }}
       - name: Build code
+        shell: bash
         run: ./build.sh
   # Generate some SARIF we can upload with the upload-sarif step
       - uses: ./../action/analyze

.github/workflows/__with-checkout-path.yml

@@ -34,9 +34,6 @@ on:
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
-defaults:
-  run:
-    shell: bash
 jobs:
   with-checkout-path:
     strategy:
@@ -71,6 +68,7 @@ jobs:
           go-version: ${{ inputs.go-version || '>=1.21.0' }}
           cache: false
       - name: Delete original checkout
+        shell: bash
         run: |
           # delete the original checkout so we don't accidentally use it.
           # Actions does not support deleting the current working directory, so we
@@ -91,6 +89,7 @@ jobs:
           source-root: x/y/z/some-path/tests/multi-language-repo
 
       - name: Build code
+        shell: bash
         working-directory: x/y/z/some-path/tests/multi-language-repo
         run: |
           ./build.sh
@@ -102,6 +101,7 @@ jobs:
           sha: 474bbf07f9247ffe1856c6a0f94aeeb10e7afee6
 
       - name: Verify SARIF after upload
+        shell: bash
         run: |
           EXPECTED_COMMIT_OID="474bbf07f9247ffe1856c6a0f94aeeb10e7afee6"
           EXPECTED_REF="v1.1.0"

.github/workflows/check-expected-release-files.yml

@@ -9,10 +9,6 @@ on:
     # by other workflows.
     types: [opened, synchronize, reopened, ready_for_review]
 
-defaults:
-  run:
-    shell: bash
-
 jobs:
   check-expected-release-files:
     runs-on: ubuntu-latest

.github/workflows/codeql.yml

@@ -13,10 +13,6 @@ on:
     - cron: '30 1 * * 0'
   workflow_dispatch:
 
-defaults:
-  run:
-    shell: bash
-
 env:
   CODEQL_ACTION_TESTING_ENVIRONMENT: codeql-action-pr-checks
 
@@ -95,29 +91,22 @@ jobs:
       id: init
       with:
         languages: javascript
-        config-file: ./.github/codeql/codeql-config-javascript.yml
+        config-file: ./.github/codeql/codeql-config.yml
         tools: ${{ matrix.tools }}
     # confirm steps.init.outputs.codeql-path points to the codeql binary
     - name: Print CodeQL Version
-      run: >
-        "$CODEQL" version --format=json
-      env:
-        CODEQL: ${{steps.init.outputs.codeql-path}}
+      run: ${{steps.init.outputs.codeql-path}} version --format=json
     - name: Perform CodeQL Analysis
       uses: ./analyze
       with:
         category: "/language:javascript"
-        upload: ${{ (matrix.os == 'ubuntu-24.04' && !matrix.tools && 'always') || 'never' }}
 
-  analyze-other:
+
+  analyze-actions:
     runs-on: ubuntu-latest
 
     strategy:
       fail-fast: false
-      matrix:
-        include:
-          - language: actions
-          - language: python
 
     permissions:
       contents: read
@@ -129,15 +118,9 @@ jobs:
     - name: Initialize CodeQL
       uses: ./init
       with:
-        languages: ${{ matrix.language }}
-        build-mode: none
-        config: >
-          paths-ignore:
-            - lib
-            - tests
-          queries:
-            - uses: security-and-quality
+        languages: actions
+        config-file: ./.github/codeql/codeql-actions-config.yml
     - name: Perform CodeQL Analysis
       uses: ./analyze
       with:
-        category: "/language:${{ matrix.language }}"
+        category: "/language:actions"

.github/workflows/codescanning-config-cli.yml

@@ -22,10 +22,6 @@ on:
     - cron: '0 5 * * *'
   workflow_dispatch: {}
 
-defaults:
-  run:
-    shell: bash
-
 jobs:
   code-scanning-config-tests:
     continue-on-error: true

.github/workflows/debug-artifacts-failure-safe.yml

@@ -17,11 +17,6 @@ on:
   schedule:
     - cron: '0 5 * * *'
   workflow_dispatch: {}
-
-defaults:
-  run:
-    shell: bash
-
 jobs:
   upload-artifacts:
     strategy:
@@ -60,6 +55,7 @@ jobs:
           debug-artifact-name: my-debug-artifacts
           debug-database-name: my-db
       - name: Build code
+        shell: bash
         run: ./build.sh
       - uses: ./../action/analyze
         id: analysis
@@ -79,6 +75,7 @@ jobs:
       - name: Download all artifacts
         uses: actions/download-artifact@v5
       - name: Check expected artifacts exist
+        shell: bash
         run: |
           LANGUAGES="cpp csharp go java javascript python"
           for version in $VERSIONS; do

.github/workflows/debug-artifacts-safe.yml

@@ -16,11 +16,6 @@ on:
   schedule:
     - cron: '0 5 * * *'
   workflow_dispatch: {}
-
-defaults:
-  run:
-    shell: bash
-
 jobs:
   upload-artifacts:
     strategy:
@@ -59,6 +54,7 @@ jobs:
           # We manually exclude Swift from the languages list here, as it is not supported on Ubuntu
           languages: cpp,csharp,go,java,javascript,python,ruby
       - name: Build code
+        shell: bash
         run: ./build.sh
       - uses: ./../action/analyze
         id: analysis
@@ -73,6 +69,7 @@ jobs:
       - name: Download all artifacts
         uses: actions/download-artifact@v5
       - name: Check expected artifacts exist
+        shell: bash
         run: |
           VERSIONS="stable-v2.20.3 default linked nightly-latest"
           LANGUAGES="cpp csharp go java javascript python"

.github/workflows/post-release-mergeback.yml

@@ -18,10 +18,6 @@ on:
     branches:
       - releases/v*
 
-defaults:
-  run:
-    shell: bash
-
 jobs:
   merge-back:
     runs-on: ubuntu-latest

.github/workflows/pr-checks.yml

@@ -8,10 +8,6 @@ on:
     types: [opened, synchronize, reopened, ready_for_review]
   workflow_dispatch:
 
-defaults:
-  run:
-    shell: bash
-
 jobs:
   unit-tests:
     name: Unit Tests
@@ -26,10 +22,6 @@ jobs:
     timeout-minutes: 45
 
     steps:
-      - name: Prepare git (Windows)
-        if: runner.os == 'Windows'
-        run: git config --global core.autocrlf false
-
       - uses: actions/checkout@v5
       
       - name: Set up Node.js

.github/workflows/prepare-release.yml

@@ -22,10 +22,6 @@ on:
     paths:
       - .github/workflows/prepare-release.yml
 
-defaults:
-  run:
-    shell: bash
-
 jobs:
   prepare:
     name: "Prepare release"

.github/workflows/publish-immutable-action.yml

@@ -4,10 +4,6 @@ on:
   release:
     types: [published]
 
-defaults:
-  run:
-    shell: bash
-
 jobs:
   publish:
     runs-on: ubuntu-latest

.github/workflows/python312-windows.yml

@@ -12,10 +12,6 @@ on:
     - cron: '0 0 * * 1'
   workflow_dispatch:
 
-defaults:
-  run:
-    shell: bash
-
 jobs:
   test-setup-python-scripts:
     env:

.github/workflows/query-filters.yml

@@ -15,10 +15,6 @@ on:
     - cron: '0 5 * * *'
   workflow_dispatch: {}
 
-defaults:
-  run:
-    shell: bash
-
 jobs:
   query-filters:
     name: Query Filters Tests

.github/workflows/rebuild.yml

@@ -5,10 +5,6 @@ on:
     types: [labeled]
   workflow_dispatch:
 
-defaults:
-  run:
-    shell: bash
-
 jobs:
   rebuild:
     name: Rebuild Action

.github/workflows/rollback-release.yml

@@ -14,10 +14,6 @@ on:
       - .github/workflows/rollback-release.yml
       - .github/actions/prepare-mergeback-branch/**
 
-defaults:
-  run:
-    shell: bash
-
 jobs:
   prepare:
     name: "Prepare release"
@@ -57,6 +53,7 @@ jobs:
 
       - name: Create tag for testing
         if: github.event_name != 'workflow_dispatch'
+        shell: bash
         run: git tag v0.0.0
 
       # We start by preparing the mergeback branch, mainly so that we have the updated changelog
@@ -99,6 +96,7 @@ jobs:
           echo "::endgroup::"
 
       - name: Create tags
+        shell: bash
         env:
           # We usually expect to checkout `inputs.rollback-tag` (required for `workflow_dispatch`),
           # but use `v0.0.0` for testing.
@@ -113,6 +111,7 @@ jobs:
       - name: Push tags
         # skip when testing
         if: github.event_name == 'workflow_dispatch'
+        shell: bash
         env:
           RELEASE_TAG: ${{ needs.prepare.outputs.version }}
           MAJOR_VERSION_TAG: ${{ needs.prepare.outputs.major_version }}
@@ -161,6 +160,7 @@ jobs:
           echo "Created draft rollback release at $RELEASE_URL" >> $GITHUB_STEP_SUMMARY
 
       - name: Update changelog
+        shell: bash
         env:
           NEW_CHANGELOG: "${{ runner.temp }}/new_changelog.md"
           NEW_BRANCH: "${{ steps.mergeback-branch.outputs.new-branch }}"

.github/workflows/test-codeql-bundle-all.yml

@@ -16,9 +16,6 @@ on:
   schedule:
     - cron: '0 5 * * *'
   workflow_dispatch: {}
-defaults:
-  run:
-    shell: bash
 jobs:
   test-codeql-bundle-all:
     strategy:
@@ -49,6 +46,7 @@ jobs:
         languages: cpp,csharp,go,java,javascript,python,ruby 
         tools: ${{ steps.prepare-test.outputs.tools-url }}
     - name: Build code
+      shell: bash
       run: ./build.sh
     - uses: ./../action/analyze
     env:

.github/workflows/update-bundle.yml

@@ -13,10 +13,6 @@ on:
     # to filter pre-release attribute.
     types: [published]
 
-defaults:
-  run:
-    shell: bash
-
 jobs:
   update-bundle:
     if: github.event.release.prerelease && startsWith(github.event.release.tag_name, 'codeql-bundle-')

.github/workflows/update-proxy-release.yml

@@ -7,10 +7,6 @@ on:
         type: string
         required: true
 
-defaults:
-  run:
-    shell: bash
-
 jobs:
   update:
     name: Update code and create PR
@@ -24,6 +20,7 @@ jobs:
     steps:
       - name: Check release tag format
         id: checks
+        shell: bash
         run: |
           if ! [[ $RELEASE_TAG =~ ^codeql-bundle-v[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
             echo "Invalid release tag: expected a CodeQL bundle tag in the 'codeql-bundle-vM.N.P' format."
@@ -33,6 +30,7 @@ jobs:
           echo "target_branch=dependency-proxy/$RELEASE_TAG" >> $GITHUB_OUTPUT
 
       - name: Check that the release exists
+        shell: bash
         env:
           GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
         run: |
@@ -48,17 +46,20 @@ jobs:
           ref: main
 
       - name: Update git config
+        shell: bash
         run: |
           git config --global user.email "41898282+github-actions[bot]@users.noreply.github.com"
           git config --global user.name "github-actions[bot]"
 
       - name: Update release tag and version
+        shell: bash
         run: |
           NOW=$(date +"%Y%m%d%H%M%S") # only used to make sure we don't fetch stale binaries from the toolcache
           sed -i "s|https://github.com/github/codeql-action/releases/download/codeql-bundle-v[0-9.]\+/|https://github.com/github/codeql-action/releases/download/$RELEASE_TAG/|g" ./src/start-proxy-action.ts
           sed -i "s/\"v2.0.[0-9]\+\"/\"v2.0.$NOW\"/g" ./src/start-proxy-action.ts
 
       - name: Compile TypeScript and commit changes
+        shell: bash
         env:
           TARGET_BRANCH: ${{ steps.checks.outputs.target_branch }}
         run: |
@@ -71,6 +72,7 @@ jobs:
           git commit -m "Update release used by \`start-proxy\` action"
 
       - name: Push changes and open PR
+        shell: bash
         env:
           GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
           TARGET_BRANCH: ${{ steps.checks.outputs.target_branch }}

.github/workflows/update-release-branch.yml

@@ -11,10 +11,6 @@ on:
     branches:
       - releases/*
 
-defaults:
-  run:
-    shell: bash
-
 jobs:
 
   prepare:

CHANGELOG.md

@@ -5,7 +5,6 @@ See the [releases page](https://github.com/github/codeql-action/releases) for th
 ## [UNRELEASED]
 
 - We have improved the CodeQL Action's ability to validate that the workflow it is used in does not use different versions of the CodeQL Action for different workflow steps. Mixing different versions of the CodeQL Action in the same workflow is unsupported and can lead to unpredictable results. A warning will now be emitted from the `codeql-action/init` step if different versions of the CodeQL Action are detected in the workflow file. Additionally, an error will now be thrown by the other CodeQL Action steps if they load a configuration file that was generated by a different version of the `codeql-action/init` step. [#3099](https://github.com/github/codeql-action/pull/3099) and [#3100](https://github.com/github/codeql-action/pull/3100)
-- We added support for reducing the size of dependency caches for Java analyses, which will reduce cache usage and speed up workflows. This will be enabled automatically at a later time. [#3107](https://github.com/github/codeql-action/pull/3107)
 
 ## 3.30.3 - 10 Sep 2025
 

lib/analyze-action-post.js

@@ -26486,7 +26486,7 @@ var require_package = __commonJS({
         "node-forge": "^1.3.1",
         octokit: "^5.0.3",
         semver: "^7.7.2",
-        uuid: "^13.0.0"
+        uuid: "^12.0.0"
       },
       devDependencies: {
         "@ava/typescript": "6.0.0",
@@ -26536,8 +26536,7 @@ var require_package = __commonJS({
         },
         "eslint-plugin-jsx-a11y": {
           semver: ">=6.3.1"
-        },
-        "brace-expansion@2.0.1": "2.0.2"
+        }
       }
     };
   }
@@ -77686,7 +77685,7 @@ var require_brace_expansion2 = __commonJS({
         var isSequence = isNumericSequence || isAlphaSequence;
         var isOptions = m.body.indexOf(",") >= 0;
         if (!isSequence && !isOptions) {
-          if (m.post.match(/,(?!,).*\}/)) {
+          if (m.post.match(/,.*\}/)) {
             str2 = m.pre + "{" + m.body + escClose + m.post;
             return expand(str2);
           }
@@ -117919,11 +117918,6 @@ var featureConfig = {
     envVar: "CODEQL_ACTION_QA_TELEMETRY",
     legacyApi: true,
     minimumVersion: void 0
-  },
-  ["java_minimize_dependency_jars" /* JavaMinimizeDependencyJars */]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_JAVA_MINIMIZE_DEPENDENCY_JARS",
-    minimumVersion: "2.23.0"
   }
 };
 

lib/analyze-action.js

@@ -32335,7 +32335,7 @@ var require_package = __commonJS({
         "node-forge": "^1.3.1",
         octokit: "^5.0.3",
         semver: "^7.7.2",
-        uuid: "^13.0.0"
+        uuid: "^12.0.0"
       },
       devDependencies: {
         "@ava/typescript": "6.0.0",
@@ -32385,8 +32385,7 @@ var require_package = __commonJS({
         },
         "eslint-plugin-jsx-a11y": {
           semver: ">=6.3.1"
-        },
-        "brace-expansion@2.0.1": "2.0.2"
+        }
       }
     };
   }
@@ -91153,11 +91152,6 @@ var featureConfig = {
     envVar: "CODEQL_ACTION_QA_TELEMETRY",
     legacyApi: true,
     minimumVersion: void 0
-  },
-  ["java_minimize_dependency_jars" /* JavaMinimizeDependencyJars */]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_JAVA_MINIMIZE_DEPENDENCY_JARS",
-    minimumVersion: "2.23.0"
   }
 };
 var FEATURE_FLAGS_FILE_NAME = "cached-feature-flags.json";
@@ -91683,7 +91677,7 @@ var toolcache3 = __toESM(require_tool_cache());
 var import_fast_deep_equal = __toESM(require_fast_deep_equal());
 var semver7 = __toESM(require_semver2());
 
-// node_modules/uuid/dist-node/stringify.js
+// node_modules/uuid/dist/stringify.js
 var byteToHex = [];
 for (let i = 0; i < 256; ++i) {
   byteToHex.push((i + 256).toString(16).slice(1));
@@ -91692,7 +91686,7 @@ function unsafeStringify(arr, offset = 0) {
   return (byteToHex[arr[offset + 0]] + byteToHex[arr[offset + 1]] + byteToHex[arr[offset + 2]] + byteToHex[arr[offset + 3]] + "-" + byteToHex[arr[offset + 4]] + byteToHex[arr[offset + 5]] + "-" + byteToHex[arr[offset + 6]] + byteToHex[arr[offset + 7]] + "-" + byteToHex[arr[offset + 8]] + byteToHex[arr[offset + 9]] + "-" + byteToHex[arr[offset + 10]] + byteToHex[arr[offset + 11]] + byteToHex[arr[offset + 12]] + byteToHex[arr[offset + 13]] + byteToHex[arr[offset + 14]] + byteToHex[arr[offset + 15]]).toLowerCase();
 }
 
-// node_modules/uuid/dist-node/rng.js
+// node_modules/uuid/dist/rng.js
 var import_node_crypto = require("node:crypto");
 var rnds8Pool = new Uint8Array(256);
 var poolPtr = rnds8Pool.length;
@@ -91704,11 +91698,11 @@ function rng() {
   return rnds8Pool.slice(poolPtr, poolPtr += 16);
 }
 
-// node_modules/uuid/dist-node/native.js
+// node_modules/uuid/dist/native.js
 var import_node_crypto2 = require("node:crypto");
 var native_default = { randomUUID: import_node_crypto2.randomUUID };
 
-// node_modules/uuid/dist-node/v4.js
+// node_modules/uuid/dist/v4.js
 function _v4(options, buf, offset) {
   options = options || {};
   const rnds = options.random ?? options.rng?.() ?? rng();
@@ -93247,7 +93241,7 @@ function getDefaultCacheConfig() {
 async function makeGlobber(patterns) {
   return glob.create(patterns.join("\n"));
 }
-async function uploadDependencyCaches(config, logger, minimizeJavaJars) {
+async function uploadDependencyCaches(config, logger) {
   for (const language of config.languages) {
     const cacheConfig = getDefaultCacheConfig()[language];
     if (cacheConfig === void 0) {
@@ -93270,7 +93264,7 @@ async function uploadDependencyCaches(config, logger, minimizeJavaJars) {
       );
       continue;
     }
-    const key = await cacheKey2(language, cacheConfig, minimizeJavaJars);
+    const key = await cacheKey2(language, cacheConfig);
     logger.info(
       `Uploading cache of size ${size} for ${language} with key ${key}...`
     );
@@ -93288,20 +93282,17 @@ async function uploadDependencyCaches(config, logger, minimizeJavaJars) {
     }
   }
 }
-async function cacheKey2(language, cacheConfig, minimizeJavaJars = false) {
+async function cacheKey2(language, cacheConfig) {
   const hash2 = await glob.hashFiles(cacheConfig.hash.join("\n"));
-  return `${await cachePrefix2(language, minimizeJavaJars)}${hash2}`;
+  return `${await cachePrefix2(language)}${hash2}`;
 }
-async function cachePrefix2(language, minimizeJavaJars) {
+async function cachePrefix2(language) {
   const runnerOs = getRequiredEnvParam("RUNNER_OS");
   const customPrefix = process.env["CODEQL_ACTION_DEPENDENCY_CACHE_PREFIX" /* DEPENDENCY_CACHING_PREFIX */];
   let prefix = CODEQL_DEPENDENCY_CACHE_PREFIX;
   if (customPrefix !== void 0 && customPrefix.length > 0) {
     prefix = `${prefix}-${customPrefix}`;
   }
-  if (language === "java" /* java */ && minimizeJavaJars) {
-    prefix = `minify-${prefix}`;
-  }
   return `${prefix}-${CODEQL_DEPENDENCY_CACHE_VERSION}-${runnerOs}-${language}-`;
 }
 
@@ -95590,98 +95581,113 @@ function buildPayload(commitOid, ref, analysisKey, analysisName, zippedSarif, wo
   }
   return payloadObj;
 }
-async function uploadFiles(inputSarifPath, checkoutPath, category, features, logger, uploadTarget) {
+async function maybeUploadFiles(inputSarifPath, checkoutPath, category, features, logger, uploadTarget, uploadKind) {
   const sarifPaths = getSarifFilePaths(
     inputSarifPath,
     uploadTarget.sarifPredicate
   );
-  return uploadSpecifiedFiles(
+  return maybeUploadSpecifiedFiles(
     sarifPaths,
     checkoutPath,
     category,
     features,
     logger,
-    uploadTarget
+    uploadTarget,
+    uploadKind
   );
 }
-async function uploadSpecifiedFiles(sarifPaths, checkoutPath, category, features, logger, uploadTarget) {
-  logger.startGroup(`Uploading ${uploadTarget.name} results`);
-  logger.info(`Processing sarif files: ${JSON.stringify(sarifPaths)}`);
-  const gitHubVersion = await getGitHubVersion();
-  let sarif;
-  if (sarifPaths.length > 1) {
-    for (const sarifPath of sarifPaths) {
-      const parsedSarif = readSarifFile(sarifPath);
-      validateSarifFileSchema(parsedSarif, sarifPath, logger);
-    }
-    sarif = await combineSarifFilesUsingCLI(
-      sarifPaths,
-      gitHubVersion,
-      features,
-      logger
-    );
-  } else {
-    const sarifPath = sarifPaths[0];
-    sarif = readSarifFile(sarifPath);
-    validateSarifFileSchema(sarif, sarifPath, logger);
-    await throwIfCombineSarifFilesDisabled([sarif], gitHubVersion);
-  }
-  sarif = filterAlertsByDiffRange(logger, sarif);
-  sarif = await addFingerprints(sarif, checkoutPath, logger);
-  const analysisKey = await getAnalysisKey();
-  const environment = getRequiredInput("matrix");
-  sarif = populateRunAutomationDetails(
-    sarif,
-    category,
-    analysisKey,
-    environment
-  );
-  const toolNames = getToolNames(sarif);
-  logger.debug(`Validating that each SARIF run has a unique category`);
-  validateUniqueCategory(sarif, uploadTarget.sentinelPrefix);
-  logger.debug(`Serializing SARIF for upload`);
-  const sarifPayload = JSON.stringify(sarif);
+async function maybeUploadSpecifiedFiles(sarifPaths, checkoutPath, category, features, logger, uploadTarget, uploadKind) {
   const dumpDir = process.env["CODEQL_ACTION_SARIF_DUMP_DIR" /* SARIF_DUMP_DIR */];
-  if (dumpDir) {
-    dumpSarifFile(sarifPayload, dumpDir, logger, uploadTarget);
+  const upload = uploadKind === "always";
+  if (!upload && !dumpDir) {
+    logger.info(`Skipping upload of ${uploadTarget.name} results`);
+    return void 0;
+  }
+  logger.startGroup(`Processing ${uploadTarget.name} results`);
+  try {
+    logger.info(`Processing sarif files: ${JSON.stringify(sarifPaths)}`);
+    const gitHubVersion = await getGitHubVersion();
+    let sarif;
+    if (sarifPaths.length > 1) {
+      for (const sarifPath of sarifPaths) {
+        const parsedSarif = readSarifFile(sarifPath);
+        validateSarifFileSchema(parsedSarif, sarifPath, logger);
+      }
+      sarif = await combineSarifFilesUsingCLI(
+        sarifPaths,
+        gitHubVersion,
+        features,
+        logger
+      );
+    } else {
+      const sarifPath = sarifPaths[0];
+      sarif = readSarifFile(sarifPath);
+      validateSarifFileSchema(sarif, sarifPath, logger);
+      await throwIfCombineSarifFilesDisabled([sarif], gitHubVersion);
+    }
+    sarif = filterAlertsByDiffRange(logger, sarif);
+    sarif = await addFingerprints(sarif, checkoutPath, logger);
+    const analysisKey = await getAnalysisKey();
+    const environment = getRequiredInput("matrix");
+    sarif = populateRunAutomationDetails(
+      sarif,
+      category,
+      analysisKey,
+      environment
+    );
+    const toolNames = getToolNames(sarif);
+    logger.debug(`Validating that each SARIF run has a unique category`);
+    validateUniqueCategory(sarif, uploadTarget.sentinelPrefix);
+    logger.debug(`Serializing SARIF for upload`);
+    const sarifPayload = JSON.stringify(sarif);
+    if (dumpDir) {
+      dumpSarifFile(sarifPayload, dumpDir, logger, uploadTarget);
+    }
+    if (!upload) {
+      logger.info(
+        `Skipping upload of ${uploadTarget.name} results because upload kind is "${uploadKind}"`
+      );
+      return void 0;
+    }
+    logger.debug(`Compressing serialized SARIF`);
+    const zippedSarif = import_zlib.default.gzipSync(sarifPayload).toString("base64");
+    const checkoutURI = url.pathToFileURL(checkoutPath).href;
+    const payload = buildPayload(
+      await getCommitOid(checkoutPath),
+      await getRef(),
+      analysisKey,
+      getRequiredEnvParam("GITHUB_WORKFLOW"),
+      zippedSarif,
+      getWorkflowRunID(),
+      getWorkflowRunAttempt(),
+      checkoutURI,
+      environment,
+      toolNames,
+      await determineBaseBranchHeadCommitOid()
+    );
+    const rawUploadSizeBytes = sarifPayload.length;
+    logger.debug(`Raw upload size: ${rawUploadSizeBytes} bytes`);
+    const zippedUploadSizeBytes = zippedSarif.length;
+    logger.debug(`Base64 zipped upload size: ${zippedUploadSizeBytes} bytes`);
+    const numResultInSarif = countResultsInSarif(sarifPayload);
+    logger.debug(`Number of results in upload: ${numResultInSarif}`);
+    const sarifID = await uploadPayload(
+      payload,
+      getRepositoryNwo(),
+      logger,
+      uploadTarget.target
+    );
+    return {
+      statusReport: {
+        raw_upload_size_bytes: rawUploadSizeBytes,
+        zipped_upload_size_bytes: zippedUploadSizeBytes,
+        num_results_in_sarif: numResultInSarif
+      },
+      sarifID
+    };
+  } finally {
+    logger.endGroup();
   }
-  logger.debug(`Compressing serialized SARIF`);
-  const zippedSarif = import_zlib.default.gzipSync(sarifPayload).toString("base64");
-  const checkoutURI = url.pathToFileURL(checkoutPath).href;
-  const payload = buildPayload(
-    await getCommitOid(checkoutPath),
-    await getRef(),
-    analysisKey,
-    getRequiredEnvParam("GITHUB_WORKFLOW"),
-    zippedSarif,
-    getWorkflowRunID(),
-    getWorkflowRunAttempt(),
-    checkoutURI,
-    environment,
-    toolNames,
-    await determineBaseBranchHeadCommitOid()
-  );
-  const rawUploadSizeBytes = sarifPayload.length;
-  logger.debug(`Raw upload size: ${rawUploadSizeBytes} bytes`);
-  const zippedUploadSizeBytes = zippedSarif.length;
-  logger.debug(`Base64 zipped upload size: ${zippedUploadSizeBytes} bytes`);
-  const numResultInSarif = countResultsInSarif(sarifPayload);
-  logger.debug(`Number of results in upload: ${numResultInSarif}`);
-  const sarifID = await uploadPayload(
-    payload,
-    getRepositoryNwo(),
-    logger,
-    uploadTarget.target
-  );
-  logger.endGroup();
-  return {
-    statusReport: {
-      raw_upload_size_bytes: rawUploadSizeBytes,
-      zipped_upload_size_bytes: zippedUploadSizeBytes,
-      num_results_in_sarif: numResultInSarif
-    },
-    sarifID
-  };
 }
 function dumpSarifFile(sarifPayload, outputDir, logger, uploadTarget) {
   if (!fs18.existsSync(outputDir)) {
@@ -96042,21 +96048,26 @@ async function run() {
     }
     core14.setOutput("db-locations", dbLocations);
     core14.setOutput("sarif-output", import_path4.default.resolve(outputDir));
-    const uploadInput = getOptionalInput("upload");
-    if (runStats && getUploadValue(uploadInput) === "always") {
+    const uploadInput = getUploadValue(
+      getOptionalInput("upload")
+    );
+    if (runStats) {
       if (isCodeScanningEnabled(config)) {
-        uploadResult = await uploadFiles(
+        uploadResult = await maybeUploadFiles(
           outputDir,
           getRequiredInput("checkout_path"),
           getOptionalInput("category"),
           features,
           logger,
-          CodeScanning
+          CodeScanning,
+          uploadInput
         );
-        core14.setOutput("sarif-id", uploadResult.sarifID);
+        if (uploadResult) {
+          core14.setOutput("sarif-id", uploadResult.sarifID);
+        }
       }
       if (isCodeQualityEnabled(config)) {
-        const qualityUploadResult = await uploadFiles(
+        const qualityUploadResult = await maybeUploadFiles(
           outputDir,
           getRequiredInput("checkout_path"),
           fixCodeQualityCategory(
@@ -96065,12 +96076,15 @@ async function run() {
           ),
           features,
           logger,
-          CodeQuality
+          CodeQuality,
+          uploadInput
         );
-        core14.setOutput("quality-sarif-id", qualityUploadResult.sarifID);
+        if (qualityUploadResult) {
+          core14.setOutput("quality-sarif-id", qualityUploadResult.sarifID);
+        }
       }
     } else {
-      logger.info("Not uploading results");
+      logger.info("No query status report, skipping upload");
     }
     await uploadOverlayBaseDatabaseToCache(codeql, config, logger);
     await uploadDatabases(repositoryNwo, codeql, config, apiDetails, logger);
@@ -96083,11 +96097,7 @@ async function run() {
       logger
     );
     if (shouldStoreCache(config.dependencyCachingEnabled)) {
-      const minimizeJavaJars = await features.getValue(
-        "java_minimize_dependency_jars" /* JavaMinimizeDependencyJars */,
-        codeql
-      );
-      await uploadDependencyCaches(config, logger, minimizeJavaJars);
+      await uploadDependencyCaches(config, logger);
     }
     if (isInTestMode()) {
       logger.debug("In test mode. Waiting for processing is disabled.");

lib/autobuild-action.js

@@ -26486,7 +26486,7 @@ var require_package = __commonJS({
         "node-forge": "^1.3.1",
         octokit: "^5.0.3",
         semver: "^7.7.2",
-        uuid: "^13.0.0"
+        uuid: "^12.0.0"
       },
       devDependencies: {
         "@ava/typescript": "6.0.0",
@@ -26536,8 +26536,7 @@ var require_package = __commonJS({
         },
         "eslint-plugin-jsx-a11y": {
           semver: ">=6.3.1"
-        },
-        "brace-expansion@2.0.1": "2.0.2"
+        }
       }
     };
   }
@@ -78657,11 +78656,6 @@ var featureConfig = {
     envVar: "CODEQL_ACTION_QA_TELEMETRY",
     legacyApi: true,
     minimumVersion: void 0
-  },
-  ["java_minimize_dependency_jars" /* JavaMinimizeDependencyJars */]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_JAVA_MINIMIZE_DEPENDENCY_JARS",
-    minimumVersion: "2.23.0"
   }
 };
 var FEATURE_FLAGS_FILE_NAME = "cached-feature-flags.json";

lib/init-action-post.js

@@ -32335,7 +32335,7 @@ var require_package = __commonJS({
         "node-forge": "^1.3.1",
         octokit: "^5.0.3",
         semver: "^7.7.2",
-        uuid: "^13.0.0"
+        uuid: "^12.0.0"
       },
       devDependencies: {
         "@ava/typescript": "6.0.0",
@@ -32385,8 +32385,7 @@ var require_package = __commonJS({
         },
         "eslint-plugin-jsx-a11y": {
           semver: ">=6.3.1"
-        },
-        "brace-expansion@2.0.1": "2.0.2"
+        }
       }
     };
   }
@@ -83535,7 +83534,7 @@ var require_brace_expansion2 = __commonJS({
         var isSequence = isNumericSequence || isAlphaSequence;
         var isOptions = m.body.indexOf(",") >= 0;
         if (!isSequence && !isOptions) {
-          if (m.post.match(/,(?!,).*\}/)) {
+          if (m.post.match(/,.*\}/)) {
             str2 = m.pre + "{" + m.body + escClose + m.post;
             return expand(str2);
           }
@@ -129252,11 +129251,6 @@ var featureConfig = {
     envVar: "CODEQL_ACTION_QA_TELEMETRY",
     legacyApi: true,
     minimumVersion: void 0
-  },
-  ["java_minimize_dependency_jars" /* JavaMinimizeDependencyJars */]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_JAVA_MINIMIZE_DEPENDENCY_JARS",
-    minimumVersion: "2.23.0"
   }
 };
 var FEATURE_FLAGS_FILE_NAME = "cached-feature-flags.json";
@@ -129626,7 +129620,7 @@ var toolcache3 = __toESM(require_tool_cache());
 var import_fast_deep_equal = __toESM(require_fast_deep_equal());
 var semver7 = __toESM(require_semver2());
 
-// node_modules/uuid/dist-node/stringify.js
+// node_modules/uuid/dist/stringify.js
 var byteToHex = [];
 for (let i = 0; i < 256; ++i) {
   byteToHex.push((i + 256).toString(16).slice(1));
@@ -129635,7 +129629,7 @@ function unsafeStringify(arr, offset = 0) {
   return (byteToHex[arr[offset + 0]] + byteToHex[arr[offset + 1]] + byteToHex[arr[offset + 2]] + byteToHex[arr[offset + 3]] + "-" + byteToHex[arr[offset + 4]] + byteToHex[arr[offset + 5]] + "-" + byteToHex[arr[offset + 6]] + byteToHex[arr[offset + 7]] + "-" + byteToHex[arr[offset + 8]] + byteToHex[arr[offset + 9]] + "-" + byteToHex[arr[offset + 10]] + byteToHex[arr[offset + 11]] + byteToHex[arr[offset + 12]] + byteToHex[arr[offset + 13]] + byteToHex[arr[offset + 14]] + byteToHex[arr[offset + 15]]).toLowerCase();
 }
 
-// node_modules/uuid/dist-node/rng.js
+// node_modules/uuid/dist/rng.js
 var import_node_crypto = require("node:crypto");
 var rnds8Pool = new Uint8Array(256);
 var poolPtr = rnds8Pool.length;
@@ -129647,11 +129641,11 @@ function rng() {
   return rnds8Pool.slice(poolPtr, poolPtr += 16);
 }
 
-// node_modules/uuid/dist-node/native.js
+// node_modules/uuid/dist/native.js
 var import_node_crypto2 = require("node:crypto");
 var native_default = { randomUUID: import_node_crypto2.randomUUID };
 
-// node_modules/uuid/dist-node/v4.js
+// node_modules/uuid/dist/v4.js
 function _v4(options, buf, offset) {
   options = options || {};
   const rnds = options.random ?? options.rng?.() ?? rng();
@@ -133025,97 +133019,123 @@ function buildPayload(commitOid, ref, analysisKey, analysisName, zippedSarif, wo
   return payloadObj;
 }
 async function uploadFiles(inputSarifPath, checkoutPath, category, features, logger, uploadTarget) {
+  return maybeUploadFiles(
+    inputSarifPath,
+    checkoutPath,
+    category,
+    features,
+    logger,
+    uploadTarget,
+    "always"
+  );
+}
+async function maybeUploadFiles(inputSarifPath, checkoutPath, category, features, logger, uploadTarget, uploadKind) {
   const sarifPaths = getSarifFilePaths(
     inputSarifPath,
     uploadTarget.sarifPredicate
   );
-  return uploadSpecifiedFiles(
+  return maybeUploadSpecifiedFiles(
     sarifPaths,
     checkoutPath,
     category,
     features,
     logger,
-    uploadTarget
+    uploadTarget,
+    uploadKind
   );
 }
-async function uploadSpecifiedFiles(sarifPaths, checkoutPath, category, features, logger, uploadTarget) {
-  logger.startGroup(`Uploading ${uploadTarget.name} results`);
-  logger.info(`Processing sarif files: ${JSON.stringify(sarifPaths)}`);
-  const gitHubVersion = await getGitHubVersion();
-  let sarif;
-  if (sarifPaths.length > 1) {
-    for (const sarifPath of sarifPaths) {
-      const parsedSarif = readSarifFile(sarifPath);
-      validateSarifFileSchema(parsedSarif, sarifPath, logger);
-    }
-    sarif = await combineSarifFilesUsingCLI(
-      sarifPaths,
-      gitHubVersion,
-      features,
-      logger
-    );
-  } else {
-    const sarifPath = sarifPaths[0];
-    sarif = readSarifFile(sarifPath);
-    validateSarifFileSchema(sarif, sarifPath, logger);
-    await throwIfCombineSarifFilesDisabled([sarif], gitHubVersion);
-  }
-  sarif = filterAlertsByDiffRange(logger, sarif);
-  sarif = await addFingerprints(sarif, checkoutPath, logger);
-  const analysisKey = await getAnalysisKey();
-  const environment = getRequiredInput("matrix");
-  sarif = populateRunAutomationDetails(
-    sarif,
-    category,
-    analysisKey,
-    environment
-  );
-  const toolNames = getToolNames(sarif);
-  logger.debug(`Validating that each SARIF run has a unique category`);
-  validateUniqueCategory(sarif, uploadTarget.sentinelPrefix);
-  logger.debug(`Serializing SARIF for upload`);
-  const sarifPayload = JSON.stringify(sarif);
+async function maybeUploadSpecifiedFiles(sarifPaths, checkoutPath, category, features, logger, uploadTarget, uploadKind) {
   const dumpDir = process.env["CODEQL_ACTION_SARIF_DUMP_DIR" /* SARIF_DUMP_DIR */];
-  if (dumpDir) {
-    dumpSarifFile(sarifPayload, dumpDir, logger, uploadTarget);
+  const upload = uploadKind === "always";
+  if (!upload && !dumpDir) {
+    logger.info(`Skipping upload of ${uploadTarget.name} results`);
+    return void 0;
+  }
+  logger.startGroup(`Processing ${uploadTarget.name} results`);
+  try {
+    logger.info(`Processing sarif files: ${JSON.stringify(sarifPaths)}`);
+    const gitHubVersion = await getGitHubVersion();
+    let sarif;
+    if (sarifPaths.length > 1) {
+      for (const sarifPath of sarifPaths) {
+        const parsedSarif = readSarifFile(sarifPath);
+        validateSarifFileSchema(parsedSarif, sarifPath, logger);
+      }
+      sarif = await combineSarifFilesUsingCLI(
+        sarifPaths,
+        gitHubVersion,
+        features,
+        logger
+      );
+    } else {
+      const sarifPath = sarifPaths[0];
+      sarif = readSarifFile(sarifPath);
+      validateSarifFileSchema(sarif, sarifPath, logger);
+      await throwIfCombineSarifFilesDisabled([sarif], gitHubVersion);
+    }
+    sarif = filterAlertsByDiffRange(logger, sarif);
+    sarif = await addFingerprints(sarif, checkoutPath, logger);
+    const analysisKey = await getAnalysisKey();
+    const environment = getRequiredInput("matrix");
+    sarif = populateRunAutomationDetails(
+      sarif,
+      category,
+      analysisKey,
+      environment
+    );
+    const toolNames = getToolNames(sarif);
+    logger.debug(`Validating that each SARIF run has a unique category`);
+    validateUniqueCategory(sarif, uploadTarget.sentinelPrefix);
+    logger.debug(`Serializing SARIF for upload`);
+    const sarifPayload = JSON.stringify(sarif);
+    if (dumpDir) {
+      dumpSarifFile(sarifPayload, dumpDir, logger, uploadTarget);
+    }
+    if (!upload) {
+      logger.info(
+        `Skipping upload of ${uploadTarget.name} results because upload kind is "${uploadKind}"`
+      );
+      return void 0;
+    }
+    logger.debug(`Compressing serialized SARIF`);
+    const zippedSarif = import_zlib.default.gzipSync(sarifPayload).toString("base64");
+    const checkoutURI = url.pathToFileURL(checkoutPath).href;
+    const payload = buildPayload(
+      await getCommitOid(checkoutPath),
+      await getRef(),
+      analysisKey,
+      getRequiredEnvParam("GITHUB_WORKFLOW"),
+      zippedSarif,
+      getWorkflowRunID(),
+      getWorkflowRunAttempt(),
+      checkoutURI,
+      environment,
+      toolNames,
+      await determineBaseBranchHeadCommitOid()
+    );
+    const rawUploadSizeBytes = sarifPayload.length;
+    logger.debug(`Raw upload size: ${rawUploadSizeBytes} bytes`);
+    const zippedUploadSizeBytes = zippedSarif.length;
+    logger.debug(`Base64 zipped upload size: ${zippedUploadSizeBytes} bytes`);
+    const numResultInSarif = countResultsInSarif(sarifPayload);
+    logger.debug(`Number of results in upload: ${numResultInSarif}`);
+    const sarifID = await uploadPayload(
+      payload,
+      getRepositoryNwo(),
+      logger,
+      uploadTarget.target
+    );
+    return {
+      statusReport: {
+        raw_upload_size_bytes: rawUploadSizeBytes,
+        zipped_upload_size_bytes: zippedUploadSizeBytes,
+        num_results_in_sarif: numResultInSarif
+      },
+      sarifID
+    };
+  } finally {
+    logger.endGroup();
   }
-  logger.debug(`Compressing serialized SARIF`);
-  const zippedSarif = import_zlib.default.gzipSync(sarifPayload).toString("base64");
-  const checkoutURI = url.pathToFileURL(checkoutPath).href;
-  const payload = buildPayload(
-    await getCommitOid(checkoutPath),
-    await getRef(),
-    analysisKey,
-    getRequiredEnvParam("GITHUB_WORKFLOW"),
-    zippedSarif,
-    getWorkflowRunID(),
-    getWorkflowRunAttempt(),
-    checkoutURI,
-    environment,
-    toolNames,
-    await determineBaseBranchHeadCommitOid()
-  );
-  const rawUploadSizeBytes = sarifPayload.length;
-  logger.debug(`Raw upload size: ${rawUploadSizeBytes} bytes`);
-  const zippedUploadSizeBytes = zippedSarif.length;
-  logger.debug(`Base64 zipped upload size: ${zippedUploadSizeBytes} bytes`);
-  const numResultInSarif = countResultsInSarif(sarifPayload);
-  logger.debug(`Number of results in upload: ${numResultInSarif}`);
-  const sarifID = await uploadPayload(
-    payload,
-    getRepositoryNwo(),
-    logger,
-    uploadTarget.target
-  );
-  logger.endGroup();
-  return {
-    statusReport: {
-      raw_upload_size_bytes: rawUploadSizeBytes,
-      zipped_upload_size_bytes: zippedUploadSizeBytes,
-      num_results_in_sarif: numResultInSarif
-    },
-    sarifID
-  };
 }
 function dumpSarifFile(sarifPayload, outputDir, logger, uploadTarget) {
   if (!fs17.existsSync(outputDir)) {

lib/init-action.js

@@ -32335,7 +32335,7 @@ var require_package = __commonJS({
         "node-forge": "^1.3.1",
         octokit: "^5.0.3",
         semver: "^7.7.2",
-        uuid: "^13.0.0"
+        uuid: "^12.0.0"
       },
       devDependencies: {
         "@ava/typescript": "6.0.0",
@@ -32385,8 +32385,7 @@ var require_package = __commonJS({
         },
         "eslint-plugin-jsx-a11y": {
           semver: ">=6.3.1"
-        },
-        "brace-expansion@2.0.1": "2.0.2"
+        }
       }
     };
   }
@@ -81687,7 +81686,7 @@ var core13 = __toESM(require_core());
 var io6 = __toESM(require_io());
 var semver8 = __toESM(require_semver2());
 
-// node_modules/uuid/dist-node/stringify.js
+// node_modules/uuid/dist/stringify.js
 var byteToHex = [];
 for (let i = 0; i < 256; ++i) {
   byteToHex.push((i + 256).toString(16).slice(1));
@@ -81696,7 +81695,7 @@ function unsafeStringify(arr, offset = 0) {
   return (byteToHex[arr[offset + 0]] + byteToHex[arr[offset + 1]] + byteToHex[arr[offset + 2]] + byteToHex[arr[offset + 3]] + "-" + byteToHex[arr[offset + 4]] + byteToHex[arr[offset + 5]] + "-" + byteToHex[arr[offset + 6]] + byteToHex[arr[offset + 7]] + "-" + byteToHex[arr[offset + 8]] + byteToHex[arr[offset + 9]] + "-" + byteToHex[arr[offset + 10]] + byteToHex[arr[offset + 11]] + byteToHex[arr[offset + 12]] + byteToHex[arr[offset + 13]] + byteToHex[arr[offset + 14]] + byteToHex[arr[offset + 15]]).toLowerCase();
 }
 
-// node_modules/uuid/dist-node/rng.js
+// node_modules/uuid/dist/rng.js
 var import_node_crypto = require("node:crypto");
 var rnds8Pool = new Uint8Array(256);
 var poolPtr = rnds8Pool.length;
@@ -81708,11 +81707,11 @@ function rng() {
   return rnds8Pool.slice(poolPtr, poolPtr += 16);
 }
 
-// node_modules/uuid/dist-node/native.js
+// node_modules/uuid/dist/native.js
 var import_node_crypto2 = require("node:crypto");
 var native_default = { randomUUID: import_node_crypto2.randomUUID };
 
-// node_modules/uuid/dist-node/v4.js
+// node_modules/uuid/dist/v4.js
 function _v4(options, buf, offset) {
   options = options || {};
   const rnds = options.random ?? options.rng?.() ?? rng();
@@ -86752,11 +86751,6 @@ var featureConfig = {
     envVar: "CODEQL_ACTION_QA_TELEMETRY",
     legacyApi: true,
     minimumVersion: void 0
-  },
-  ["java_minimize_dependency_jars" /* JavaMinimizeDependencyJars */]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_JAVA_MINIMIZE_DEPENDENCY_JARS",
-    minimumVersion: "2.23.0"
   }
 };
 var FEATURE_FLAGS_FILE_NAME = "cached-feature-flags.json";
@@ -87974,7 +87968,7 @@ function getDefaultCacheConfig() {
 async function makeGlobber(patterns) {
   return glob.create(patterns.join("\n"));
 }
-async function downloadDependencyCaches(languages, logger, minimizeJavaJars) {
+async function downloadDependencyCaches(languages, logger) {
   const restoredCaches = [];
   for (const language of languages) {
     const cacheConfig = getDefaultCacheConfig()[language];
@@ -87991,10 +87985,8 @@ async function downloadDependencyCaches(languages, logger, minimizeJavaJars) {
       );
       continue;
     }
-    const primaryKey = await cacheKey2(language, cacheConfig, minimizeJavaJars);
-    const restoreKeys = [
-      await cachePrefix2(language, minimizeJavaJars)
-    ];
+    const primaryKey = await cacheKey2(language, cacheConfig);
+    const restoreKeys = [await cachePrefix2(language)];
     logger.info(
       `Downloading cache for ${language} with key ${primaryKey} and restore keys ${restoreKeys.join(
         ", "
@@ -88014,20 +88006,17 @@ async function downloadDependencyCaches(languages, logger, minimizeJavaJars) {
   }
   return restoredCaches;
 }
-async function cacheKey2(language, cacheConfig, minimizeJavaJars = false) {
+async function cacheKey2(language, cacheConfig) {
   const hash = await glob.hashFiles(cacheConfig.hash.join("\n"));
-  return `${await cachePrefix2(language, minimizeJavaJars)}${hash}`;
+  return `${await cachePrefix2(language)}${hash}`;
 }
-async function cachePrefix2(language, minimizeJavaJars) {
+async function cachePrefix2(language) {
   const runnerOs = getRequiredEnvParam("RUNNER_OS");
   const customPrefix = process.env["CODEQL_ACTION_DEPENDENCY_CACHE_PREFIX" /* DEPENDENCY_CACHING_PREFIX */];
   let prefix = CODEQL_DEPENDENCY_CACHE_PREFIX;
   if (customPrefix !== void 0 && customPrefix.length > 0) {
     prefix = `${prefix}-${customPrefix}`;
   }
-  if (language === "java" /* java */ && minimizeJavaJars) {
-    prefix = `minify-${prefix}`;
-  }
   return `${prefix}-${CODEQL_DEPENDENCY_CACHE_VERSION}-${runnerOs}-${language}-`;
 }
 
@@ -90633,16 +90622,8 @@ exec ${goBinaryPath} "$@"`
         core13.exportVariable(envVar, "false");
       }
     }
-    const minimizeJavaJars = await features.getValue(
-      "java_minimize_dependency_jars" /* JavaMinimizeDependencyJars */,
-      codeql
-    );
     if (shouldRestoreCache(config.dependencyCachingEnabled)) {
-      await downloadDependencyCaches(
-        config.languages,
-        logger,
-        minimizeJavaJars
-      );
+      await downloadDependencyCaches(config.languages, logger);
     }
     if (await codeQlVersionAtLeast(codeql, "2.17.1")) {
     } else {
@@ -90675,16 +90656,6 @@ exec ${goBinaryPath} "$@"`
         core13.exportVariable("CODEQL_EXTRACTOR_PYTHON_EXTRACT_STDLIB", "true");
       }
     }
-    if (process.env["CODEQL_EXTRACTOR_JAVA_OPTION_MINIMIZE_DEPENDENCY_JARS" /* JAVA_EXTRACTOR_MINIMIZE_DEPENDENCY_JARS */]) {
-      logger.debug(
-        `${"CODEQL_EXTRACTOR_JAVA_OPTION_MINIMIZE_DEPENDENCY_JARS" /* JAVA_EXTRACTOR_MINIMIZE_DEPENDENCY_JARS */} is already set to '${process.env["CODEQL_EXTRACTOR_JAVA_OPTION_MINIMIZE_DEPENDENCY_JARS" /* JAVA_EXTRACTOR_MINIMIZE_DEPENDENCY_JARS */]}', so the Action will not override it.`
-      );
-    } else if (minimizeJavaJars && config.dependencyCachingEnabled && config.buildMode === "none" /* None */ && config.languages.includes("java" /* java */)) {
-      core13.exportVariable(
-        "CODEQL_EXTRACTOR_JAVA_OPTION_MINIMIZE_DEPENDENCY_JARS" /* JAVA_EXTRACTOR_MINIMIZE_DEPENDENCY_JARS */,
-        "true"
-      );
-    }
     const { registriesAuthTokens, qlconfigFile } = await generateRegistries(
       getOptionalInput("registries"),
       config.tempDir,

lib/resolve-environment-action.js

@@ -26486,7 +26486,7 @@ var require_package = __commonJS({
         "node-forge": "^1.3.1",
         octokit: "^5.0.3",
         semver: "^7.7.2",
-        uuid: "^13.0.0"
+        uuid: "^12.0.0"
       },
       devDependencies: {
         "@ava/typescript": "6.0.0",
@@ -26536,8 +26536,7 @@ var require_package = __commonJS({
         },
         "eslint-plugin-jsx-a11y": {
           semver: ">=6.3.1"
-        },
-        "brace-expansion@2.0.1": "2.0.2"
+        }
       }
     };
   }
@@ -78648,11 +78647,6 @@ var featureConfig = {
     envVar: "CODEQL_ACTION_QA_TELEMETRY",
     legacyApi: true,
     minimumVersion: void 0
-  },
-  ["java_minimize_dependency_jars" /* JavaMinimizeDependencyJars */]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_JAVA_MINIMIZE_DEPENDENCY_JARS",
-    minimumVersion: "2.23.0"
   }
 };
 

lib/start-proxy-action-post.js

@@ -26486,7 +26486,7 @@ var require_package = __commonJS({
         "node-forge": "^1.3.1",
         octokit: "^5.0.3",
         semver: "^7.7.2",
-        uuid: "^13.0.0"
+        uuid: "^12.0.0"
       },
       devDependencies: {
         "@ava/typescript": "6.0.0",
@@ -26536,8 +26536,7 @@ var require_package = __commonJS({
         },
         "eslint-plugin-jsx-a11y": {
           semver: ">=6.3.1"
-        },
-        "brace-expansion@2.0.1": "2.0.2"
+        }
       }
     };
   }
@@ -76346,7 +76345,7 @@ var require_brace_expansion2 = __commonJS({
         var isSequence = isNumericSequence || isAlphaSequence;
         var isOptions = m.body.indexOf(",") >= 0;
         if (!isSequence && !isOptions) {
-          if (m.post.match(/,(?!,).*\}/)) {
+          if (m.post.match(/,.*\}/)) {
             str2 = m.pre + "{" + m.body + escClose + m.post;
             return expand(str2);
           }
@@ -117328,11 +117327,6 @@ var featureConfig = {
     envVar: "CODEQL_ACTION_QA_TELEMETRY",
     legacyApi: true,
     minimumVersion: void 0
-  },
-  ["java_minimize_dependency_jars" /* JavaMinimizeDependencyJars */]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_JAVA_MINIMIZE_DEPENDENCY_JARS",
-    minimumVersion: "2.23.0"
   }
 };
 

lib/upload-lib.js

@@ -33632,7 +33632,7 @@ var require_package = __commonJS({
         "node-forge": "^1.3.1",
         octokit: "^5.0.3",
         semver: "^7.7.2",
-        uuid: "^13.0.0"
+        uuid: "^12.0.0"
       },
       devDependencies: {
         "@ava/typescript": "6.0.0",
@@ -33682,8 +33682,7 @@ var require_package = __commonJS({
         },
         "eslint-plugin-jsx-a11y": {
           semver: ">=6.3.1"
-        },
-        "brace-expansion@2.0.1": "2.0.2"
+        }
       }
     };
   }
@@ -84783,6 +84782,7 @@ __export(upload_lib_exports, {
   buildPayload: () => buildPayload,
   findSarifFilesInDir: () => findSarifFilesInDir,
   getSarifFilePaths: () => getSarifFilePaths,
+  maybeUploadFiles: () => maybeUploadFiles,
   populateRunAutomationDetails: () => populateRunAutomationDetails,
   readSarifFile: () => readSarifFile,
   shouldConsiderConfigurationError: () => shouldConsiderConfigurationError,
@@ -89344,11 +89344,6 @@ var featureConfig = {
     envVar: "CODEQL_ACTION_QA_TELEMETRY",
     legacyApi: true,
     minimumVersion: void 0
-  },
-  ["java_minimize_dependency_jars" /* JavaMinimizeDependencyJars */]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_JAVA_MINIMIZE_DEPENDENCY_JARS",
-    minimumVersion: "2.23.0"
   }
 };
 
@@ -89454,7 +89449,7 @@ var toolcache3 = __toESM(require_tool_cache());
 var import_fast_deep_equal = __toESM(require_fast_deep_equal());
 var semver7 = __toESM(require_semver2());
 
-// node_modules/uuid/dist-node/stringify.js
+// node_modules/uuid/dist/stringify.js
 var byteToHex = [];
 for (let i = 0; i < 256; ++i) {
   byteToHex.push((i + 256).toString(16).slice(1));
@@ -89463,7 +89458,7 @@ function unsafeStringify(arr, offset = 0) {
   return (byteToHex[arr[offset + 0]] + byteToHex[arr[offset + 1]] + byteToHex[arr[offset + 2]] + byteToHex[arr[offset + 3]] + "-" + byteToHex[arr[offset + 4]] + byteToHex[arr[offset + 5]] + "-" + byteToHex[arr[offset + 6]] + byteToHex[arr[offset + 7]] + "-" + byteToHex[arr[offset + 8]] + byteToHex[arr[offset + 9]] + "-" + byteToHex[arr[offset + 10]] + byteToHex[arr[offset + 11]] + byteToHex[arr[offset + 12]] + byteToHex[arr[offset + 13]] + byteToHex[arr[offset + 14]] + byteToHex[arr[offset + 15]]).toLowerCase();
 }
 
-// node_modules/uuid/dist-node/rng.js
+// node_modules/uuid/dist/rng.js
 var import_node_crypto = require("node:crypto");
 var rnds8Pool = new Uint8Array(256);
 var poolPtr = rnds8Pool.length;
@@ -89475,11 +89470,11 @@ function rng() {
   return rnds8Pool.slice(poolPtr, poolPtr += 16);
 }
 
-// node_modules/uuid/dist-node/native.js
+// node_modules/uuid/dist/native.js
 var import_node_crypto2 = require("node:crypto");
 var native_default = { randomUUID: import_node_crypto2.randomUUID };
 
-// node_modules/uuid/dist-node/v4.js
+// node_modules/uuid/dist/v4.js
 function _v4(options, buf, offset) {
   options = options || {};
   const rnds = options.random ?? options.rng?.() ?? rng();
@@ -92397,97 +92392,134 @@ function buildPayload(commitOid, ref, analysisKey, analysisName, zippedSarif, wo
   return payloadObj;
 }
 async function uploadFiles(inputSarifPath, checkoutPath, category, features, logger, uploadTarget) {
+  return maybeUploadFiles(
+    inputSarifPath,
+    checkoutPath,
+    category,
+    features,
+    logger,
+    uploadTarget,
+    "always"
+  );
+}
+async function maybeUploadFiles(inputSarifPath, checkoutPath, category, features, logger, uploadTarget, uploadKind) {
   const sarifPaths = getSarifFilePaths(
     inputSarifPath,
     uploadTarget.sarifPredicate
   );
-  return uploadSpecifiedFiles(
+  return maybeUploadSpecifiedFiles(
     sarifPaths,
     checkoutPath,
     category,
     features,
     logger,
-    uploadTarget
+    uploadTarget,
+    uploadKind
   );
 }
 async function uploadSpecifiedFiles(sarifPaths, checkoutPath, category, features, logger, uploadTarget) {
-  logger.startGroup(`Uploading ${uploadTarget.name} results`);
-  logger.info(`Processing sarif files: ${JSON.stringify(sarifPaths)}`);
-  const gitHubVersion = await getGitHubVersion();
-  let sarif;
-  if (sarifPaths.length > 1) {
-    for (const sarifPath of sarifPaths) {
-      const parsedSarif = readSarifFile(sarifPath);
-      validateSarifFileSchema(parsedSarif, sarifPath, logger);
-    }
-    sarif = await combineSarifFilesUsingCLI(
-      sarifPaths,
-      gitHubVersion,
-      features,
-      logger
-    );
-  } else {
-    const sarifPath = sarifPaths[0];
-    sarif = readSarifFile(sarifPath);
-    validateSarifFileSchema(sarif, sarifPath, logger);
-    await throwIfCombineSarifFilesDisabled([sarif], gitHubVersion);
-  }
-  sarif = filterAlertsByDiffRange(logger, sarif);
-  sarif = await addFingerprints(sarif, checkoutPath, logger);
-  const analysisKey = await getAnalysisKey();
-  const environment = getRequiredInput("matrix");
-  sarif = populateRunAutomationDetails(
-    sarif,
+  return maybeUploadSpecifiedFiles(
+    sarifPaths,
+    checkoutPath,
     category,
-    analysisKey,
-    environment
-  );
-  const toolNames = getToolNames(sarif);
-  logger.debug(`Validating that each SARIF run has a unique category`);
-  validateUniqueCategory(sarif, uploadTarget.sentinelPrefix);
-  logger.debug(`Serializing SARIF for upload`);
-  const sarifPayload = JSON.stringify(sarif);
-  const dumpDir = process.env["CODEQL_ACTION_SARIF_DUMP_DIR" /* SARIF_DUMP_DIR */];
-  if (dumpDir) {
-    dumpSarifFile(sarifPayload, dumpDir, logger, uploadTarget);
-  }
-  logger.debug(`Compressing serialized SARIF`);
-  const zippedSarif = import_zlib.default.gzipSync(sarifPayload).toString("base64");
-  const checkoutURI = url.pathToFileURL(checkoutPath).href;
-  const payload = buildPayload(
-    await getCommitOid(checkoutPath),
-    await getRef(),
-    analysisKey,
-    getRequiredEnvParam("GITHUB_WORKFLOW"),
-    zippedSarif,
-    getWorkflowRunID(),
-    getWorkflowRunAttempt(),
-    checkoutURI,
-    environment,
-    toolNames,
-    await determineBaseBranchHeadCommitOid()
-  );
-  const rawUploadSizeBytes = sarifPayload.length;
-  logger.debug(`Raw upload size: ${rawUploadSizeBytes} bytes`);
-  const zippedUploadSizeBytes = zippedSarif.length;
-  logger.debug(`Base64 zipped upload size: ${zippedUploadSizeBytes} bytes`);
-  const numResultInSarif = countResultsInSarif(sarifPayload);
-  logger.debug(`Number of results in upload: ${numResultInSarif}`);
-  const sarifID = await uploadPayload(
-    payload,
-    getRepositoryNwo(),
+    features,
     logger,
-    uploadTarget.target
+    uploadTarget,
+    "always"
   );
-  logger.endGroup();
-  return {
-    statusReport: {
-      raw_upload_size_bytes: rawUploadSizeBytes,
-      zipped_upload_size_bytes: zippedUploadSizeBytes,
-      num_results_in_sarif: numResultInSarif
-    },
-    sarifID
-  };
+}
+async function maybeUploadSpecifiedFiles(sarifPaths, checkoutPath, category, features, logger, uploadTarget, uploadKind) {
+  const dumpDir = process.env["CODEQL_ACTION_SARIF_DUMP_DIR" /* SARIF_DUMP_DIR */];
+  const upload = uploadKind === "always";
+  if (!upload && !dumpDir) {
+    logger.info(`Skipping upload of ${uploadTarget.name} results`);
+    return void 0;
+  }
+  logger.startGroup(`Processing ${uploadTarget.name} results`);
+  try {
+    logger.info(`Processing sarif files: ${JSON.stringify(sarifPaths)}`);
+    const gitHubVersion = await getGitHubVersion();
+    let sarif;
+    if (sarifPaths.length > 1) {
+      for (const sarifPath of sarifPaths) {
+        const parsedSarif = readSarifFile(sarifPath);
+        validateSarifFileSchema(parsedSarif, sarifPath, logger);
+      }
+      sarif = await combineSarifFilesUsingCLI(
+        sarifPaths,
+        gitHubVersion,
+        features,
+        logger
+      );
+    } else {
+      const sarifPath = sarifPaths[0];
+      sarif = readSarifFile(sarifPath);
+      validateSarifFileSchema(sarif, sarifPath, logger);
+      await throwIfCombineSarifFilesDisabled([sarif], gitHubVersion);
+    }
+    sarif = filterAlertsByDiffRange(logger, sarif);
+    sarif = await addFingerprints(sarif, checkoutPath, logger);
+    const analysisKey = await getAnalysisKey();
+    const environment = getRequiredInput("matrix");
+    sarif = populateRunAutomationDetails(
+      sarif,
+      category,
+      analysisKey,
+      environment
+    );
+    const toolNames = getToolNames(sarif);
+    logger.debug(`Validating that each SARIF run has a unique category`);
+    validateUniqueCategory(sarif, uploadTarget.sentinelPrefix);
+    logger.debug(`Serializing SARIF for upload`);
+    const sarifPayload = JSON.stringify(sarif);
+    if (dumpDir) {
+      dumpSarifFile(sarifPayload, dumpDir, logger, uploadTarget);
+    }
+    if (!upload) {
+      logger.info(
+        `Skipping upload of ${uploadTarget.name} results because upload kind is "${uploadKind}"`
+      );
+      return void 0;
+    }
+    logger.debug(`Compressing serialized SARIF`);
+    const zippedSarif = import_zlib.default.gzipSync(sarifPayload).toString("base64");
+    const checkoutURI = url.pathToFileURL(checkoutPath).href;
+    const payload = buildPayload(
+      await getCommitOid(checkoutPath),
+      await getRef(),
+      analysisKey,
+      getRequiredEnvParam("GITHUB_WORKFLOW"),
+      zippedSarif,
+      getWorkflowRunID(),
+      getWorkflowRunAttempt(),
+      checkoutURI,
+      environment,
+      toolNames,
+      await determineBaseBranchHeadCommitOid()
+    );
+    const rawUploadSizeBytes = sarifPayload.length;
+    logger.debug(`Raw upload size: ${rawUploadSizeBytes} bytes`);
+    const zippedUploadSizeBytes = zippedSarif.length;
+    logger.debug(`Base64 zipped upload size: ${zippedUploadSizeBytes} bytes`);
+    const numResultInSarif = countResultsInSarif(sarifPayload);
+    logger.debug(`Number of results in upload: ${numResultInSarif}`);
+    const sarifID = await uploadPayload(
+      payload,
+      getRepositoryNwo(),
+      logger,
+      uploadTarget.target
+    );
+    return {
+      statusReport: {
+        raw_upload_size_bytes: rawUploadSizeBytes,
+        zipped_upload_size_bytes: zippedUploadSizeBytes,
+        num_results_in_sarif: numResultInSarif
+      },
+      sarifID
+    };
+  } finally {
+    logger.endGroup();
+  }
 }
 function dumpSarifFile(sarifPayload, outputDir, logger, uploadTarget) {
   if (!fs13.existsSync(outputDir)) {
@@ -92661,6 +92693,7 @@ function filterAlertsByDiffRange(logger, sarif) {
   buildPayload,
   findSarifFilesInDir,
   getSarifFilePaths,
+  maybeUploadFiles,
   populateRunAutomationDetails,
   readSarifFile,
   shouldConsiderConfigurationError,

lib/upload-sarif-action-post.js

@@ -26486,7 +26486,7 @@ var require_package = __commonJS({
         "node-forge": "^1.3.1",
         octokit: "^5.0.3",
         semver: "^7.7.2",
-        uuid: "^13.0.0"
+        uuid: "^12.0.0"
       },
       devDependencies: {
         "@ava/typescript": "6.0.0",
@@ -26536,8 +26536,7 @@ var require_package = __commonJS({
         },
         "eslint-plugin-jsx-a11y": {
           semver: ">=6.3.1"
-        },
-        "brace-expansion@2.0.1": "2.0.2"
+        }
       }
     };
   }
@@ -70468,7 +70467,7 @@ var require_brace_expansion = __commonJS({
         var isSequence = isNumericSequence || isAlphaSequence;
         var isOptions = m.body.indexOf(",") >= 0;
         if (!isSequence && !isOptions) {
-          if (m.post.match(/,(?!,).*\}/)) {
+          if (m.post.match(/,.*\}/)) {
             str2 = m.pre + "{" + m.body + escClose + m.post;
             return expand(str2);
           }
@@ -117493,11 +117492,6 @@ var featureConfig = {
     envVar: "CODEQL_ACTION_QA_TELEMETRY",
     legacyApi: true,
     minimumVersion: void 0
-  },
-  ["java_minimize_dependency_jars" /* JavaMinimizeDependencyJars */]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_JAVA_MINIMIZE_DEPENDENCY_JARS",
-    minimumVersion: "2.23.0"
   }
 };
 

lib/upload-sarif-action.js

@@ -32335,7 +32335,7 @@ var require_package = __commonJS({
         "node-forge": "^1.3.1",
         octokit: "^5.0.3",
         semver: "^7.7.2",
-        uuid: "^13.0.0"
+        uuid: "^12.0.0"
       },
       devDependencies: {
         "@ava/typescript": "6.0.0",
@@ -32385,8 +32385,7 @@ var require_package = __commonJS({
         },
         "eslint-plugin-jsx-a11y": {
           semver: ">=6.3.1"
-        },
-        "brace-expansion@2.0.1": "2.0.2"
+        }
       }
     };
   }
@@ -89340,11 +89339,6 @@ var featureConfig = {
     envVar: "CODEQL_ACTION_QA_TELEMETRY",
     legacyApi: true,
     minimumVersion: void 0
-  },
-  ["java_minimize_dependency_jars" /* JavaMinimizeDependencyJars */]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_JAVA_MINIMIZE_DEPENDENCY_JARS",
-    minimumVersion: "2.23.0"
   }
 };
 var FEATURE_FLAGS_FILE_NAME = "cached-feature-flags.json";
@@ -90155,7 +90149,7 @@ var toolcache3 = __toESM(require_tool_cache());
 var import_fast_deep_equal = __toESM(require_fast_deep_equal());
 var semver7 = __toESM(require_semver2());
 
-// node_modules/uuid/dist-node/stringify.js
+// node_modules/uuid/dist/stringify.js
 var byteToHex = [];
 for (let i = 0; i < 256; ++i) {
   byteToHex.push((i + 256).toString(16).slice(1));
@@ -90164,7 +90158,7 @@ function unsafeStringify(arr, offset = 0) {
   return (byteToHex[arr[offset + 0]] + byteToHex[arr[offset + 1]] + byteToHex[arr[offset + 2]] + byteToHex[arr[offset + 3]] + "-" + byteToHex[arr[offset + 4]] + byteToHex[arr[offset + 5]] + "-" + byteToHex[arr[offset + 6]] + byteToHex[arr[offset + 7]] + "-" + byteToHex[arr[offset + 8]] + byteToHex[arr[offset + 9]] + "-" + byteToHex[arr[offset + 10]] + byteToHex[arr[offset + 11]] + byteToHex[arr[offset + 12]] + byteToHex[arr[offset + 13]] + byteToHex[arr[offset + 14]] + byteToHex[arr[offset + 15]]).toLowerCase();
 }
 
-// node_modules/uuid/dist-node/rng.js
+// node_modules/uuid/dist/rng.js
 var import_node_crypto = require("node:crypto");
 var rnds8Pool = new Uint8Array(256);
 var poolPtr = rnds8Pool.length;
@@ -90176,11 +90170,11 @@ function rng() {
   return rnds8Pool.slice(poolPtr, poolPtr += 16);
 }
 
-// node_modules/uuid/dist-node/native.js
+// node_modules/uuid/dist/native.js
 var import_node_crypto2 = require("node:crypto");
 var native_default = { randomUUID: import_node_crypto2.randomUUID };
 
-// node_modules/uuid/dist-node/v4.js
+// node_modules/uuid/dist/v4.js
 function _v4(options, buf, offset) {
   options = options || {};
   const rnds = options.random ?? options.rng?.() ?? rng();
@@ -93098,97 +93092,134 @@ function buildPayload(commitOid, ref, analysisKey, analysisName, zippedSarif, wo
   return payloadObj;
 }
 async function uploadFiles(inputSarifPath, checkoutPath, category, features, logger, uploadTarget) {
+  return maybeUploadFiles(
+    inputSarifPath,
+    checkoutPath,
+    category,
+    features,
+    logger,
+    uploadTarget,
+    "always"
+  );
+}
+async function maybeUploadFiles(inputSarifPath, checkoutPath, category, features, logger, uploadTarget, uploadKind) {
   const sarifPaths = getSarifFilePaths(
     inputSarifPath,
     uploadTarget.sarifPredicate
   );
-  return uploadSpecifiedFiles(
+  return maybeUploadSpecifiedFiles(
     sarifPaths,
     checkoutPath,
     category,
     features,
     logger,
-    uploadTarget
+    uploadTarget,
+    uploadKind
   );
 }
 async function uploadSpecifiedFiles(sarifPaths, checkoutPath, category, features, logger, uploadTarget) {
-  logger.startGroup(`Uploading ${uploadTarget.name} results`);
-  logger.info(`Processing sarif files: ${JSON.stringify(sarifPaths)}`);
-  const gitHubVersion = await getGitHubVersion();
-  let sarif;
-  if (sarifPaths.length > 1) {
-    for (const sarifPath of sarifPaths) {
-      const parsedSarif = readSarifFile(sarifPath);
-      validateSarifFileSchema(parsedSarif, sarifPath, logger);
-    }
-    sarif = await combineSarifFilesUsingCLI(
-      sarifPaths,
-      gitHubVersion,
-      features,
-      logger
-    );
-  } else {
-    const sarifPath = sarifPaths[0];
-    sarif = readSarifFile(sarifPath);
-    validateSarifFileSchema(sarif, sarifPath, logger);
-    await throwIfCombineSarifFilesDisabled([sarif], gitHubVersion);
-  }
-  sarif = filterAlertsByDiffRange(logger, sarif);
-  sarif = await addFingerprints(sarif, checkoutPath, logger);
-  const analysisKey = await getAnalysisKey();
-  const environment = getRequiredInput("matrix");
-  sarif = populateRunAutomationDetails(
-    sarif,
+  return maybeUploadSpecifiedFiles(
+    sarifPaths,
+    checkoutPath,
     category,
-    analysisKey,
-    environment
-  );
-  const toolNames = getToolNames(sarif);
-  logger.debug(`Validating that each SARIF run has a unique category`);
-  validateUniqueCategory(sarif, uploadTarget.sentinelPrefix);
-  logger.debug(`Serializing SARIF for upload`);
-  const sarifPayload = JSON.stringify(sarif);
-  const dumpDir = process.env["CODEQL_ACTION_SARIF_DUMP_DIR" /* SARIF_DUMP_DIR */];
-  if (dumpDir) {
-    dumpSarifFile(sarifPayload, dumpDir, logger, uploadTarget);
-  }
-  logger.debug(`Compressing serialized SARIF`);
-  const zippedSarif = import_zlib.default.gzipSync(sarifPayload).toString("base64");
-  const checkoutURI = url.pathToFileURL(checkoutPath).href;
-  const payload = buildPayload(
-    await getCommitOid(checkoutPath),
-    await getRef(),
-    analysisKey,
-    getRequiredEnvParam("GITHUB_WORKFLOW"),
-    zippedSarif,
-    getWorkflowRunID(),
-    getWorkflowRunAttempt(),
-    checkoutURI,
-    environment,
-    toolNames,
-    await determineBaseBranchHeadCommitOid()
-  );
-  const rawUploadSizeBytes = sarifPayload.length;
-  logger.debug(`Raw upload size: ${rawUploadSizeBytes} bytes`);
-  const zippedUploadSizeBytes = zippedSarif.length;
-  logger.debug(`Base64 zipped upload size: ${zippedUploadSizeBytes} bytes`);
-  const numResultInSarif = countResultsInSarif(sarifPayload);
-  logger.debug(`Number of results in upload: ${numResultInSarif}`);
-  const sarifID = await uploadPayload(
-    payload,
-    getRepositoryNwo(),
+    features,
     logger,
-    uploadTarget.target
+    uploadTarget,
+    "always"
   );
-  logger.endGroup();
-  return {
-    statusReport: {
-      raw_upload_size_bytes: rawUploadSizeBytes,
-      zipped_upload_size_bytes: zippedUploadSizeBytes,
-      num_results_in_sarif: numResultInSarif
-    },
-    sarifID
-  };
+}
+async function maybeUploadSpecifiedFiles(sarifPaths, checkoutPath, category, features, logger, uploadTarget, uploadKind) {
+  const dumpDir = process.env["CODEQL_ACTION_SARIF_DUMP_DIR" /* SARIF_DUMP_DIR */];
+  const upload = uploadKind === "always";
+  if (!upload && !dumpDir) {
+    logger.info(`Skipping upload of ${uploadTarget.name} results`);
+    return void 0;
+  }
+  logger.startGroup(`Processing ${uploadTarget.name} results`);
+  try {
+    logger.info(`Processing sarif files: ${JSON.stringify(sarifPaths)}`);
+    const gitHubVersion = await getGitHubVersion();
+    let sarif;
+    if (sarifPaths.length > 1) {
+      for (const sarifPath of sarifPaths) {
+        const parsedSarif = readSarifFile(sarifPath);
+        validateSarifFileSchema(parsedSarif, sarifPath, logger);
+      }
+      sarif = await combineSarifFilesUsingCLI(
+        sarifPaths,
+        gitHubVersion,
+        features,
+        logger
+      );
+    } else {
+      const sarifPath = sarifPaths[0];
+      sarif = readSarifFile(sarifPath);
+      validateSarifFileSchema(sarif, sarifPath, logger);
+      await throwIfCombineSarifFilesDisabled([sarif], gitHubVersion);
+    }
+    sarif = filterAlertsByDiffRange(logger, sarif);
+    sarif = await addFingerprints(sarif, checkoutPath, logger);
+    const analysisKey = await getAnalysisKey();
+    const environment = getRequiredInput("matrix");
+    sarif = populateRunAutomationDetails(
+      sarif,
+      category,
+      analysisKey,
+      environment
+    );
+    const toolNames = getToolNames(sarif);
+    logger.debug(`Validating that each SARIF run has a unique category`);
+    validateUniqueCategory(sarif, uploadTarget.sentinelPrefix);
+    logger.debug(`Serializing SARIF for upload`);
+    const sarifPayload = JSON.stringify(sarif);
+    if (dumpDir) {
+      dumpSarifFile(sarifPayload, dumpDir, logger, uploadTarget);
+    }
+    if (!upload) {
+      logger.info(
+        `Skipping upload of ${uploadTarget.name} results because upload kind is "${uploadKind}"`
+      );
+      return void 0;
+    }
+    logger.debug(`Compressing serialized SARIF`);
+    const zippedSarif = import_zlib.default.gzipSync(sarifPayload).toString("base64");
+    const checkoutURI = url.pathToFileURL(checkoutPath).href;
+    const payload = buildPayload(
+      await getCommitOid(checkoutPath),
+      await getRef(),
+      analysisKey,
+      getRequiredEnvParam("GITHUB_WORKFLOW"),
+      zippedSarif,
+      getWorkflowRunID(),
+      getWorkflowRunAttempt(),
+      checkoutURI,
+      environment,
+      toolNames,
+      await determineBaseBranchHeadCommitOid()
+    );
+    const rawUploadSizeBytes = sarifPayload.length;
+    logger.debug(`Raw upload size: ${rawUploadSizeBytes} bytes`);
+    const zippedUploadSizeBytes = zippedSarif.length;
+    logger.debug(`Base64 zipped upload size: ${zippedUploadSizeBytes} bytes`);
+    const numResultInSarif = countResultsInSarif(sarifPayload);
+    logger.debug(`Number of results in upload: ${numResultInSarif}`);
+    const sarifID = await uploadPayload(
+      payload,
+      getRepositoryNwo(),
+      logger,
+      uploadTarget.target
+    );
+    return {
+      statusReport: {
+        raw_upload_size_bytes: rawUploadSizeBytes,
+        zipped_upload_size_bytes: zippedUploadSizeBytes,
+        num_results_in_sarif: numResultInSarif
+      },
+      sarifID
+    };
+  } finally {
+    logger.endGroup();
+  }
 }
 function dumpSarifFile(sarifPayload, outputDir, logger, uploadTarget) {
   if (!fs14.existsSync(outputDir)) {

package-lock.json

@@ -34,7 +34,7 @@
         "node-forge": "^1.3.1",
         "octokit": "^5.0.3",
         "semver": "^7.7.2",
-        "uuid": "^13.0.0"
+        "uuid": "^12.0.0"
       },
       "devDependencies": {
         "@ava/typescript": "6.0.0",
@@ -3164,9 +3164,9 @@
       }
     },
     "node_modules/@typescript-eslint/typescript-estree/node_modules/brace-expansion": {
-      "version": "2.0.2",
-      "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-2.0.2.tgz",
-      "integrity": "sha512-Jt0vHyM+jmUBqojB7E1NIYadt0vI0Qxjxd2TErW94wDz+E2LAm5vKMXXwg6ZZBTHPuUlDgQHKXvjGBdfcF1ZDQ==",
+      "version": "2.0.1",
+      "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-2.0.1.tgz",
+      "integrity": "sha512-XnAIvQ8eM+kC6aULx6wuQiwVsnzsi9d3WxzV3FpWTGA19F621kwdbsAcFKXgKUHZWsy+mY6iL1sHTxWEFCytDA==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
@@ -7792,9 +7792,9 @@
       }
     },
     "node_modules/readdir-glob/node_modules/brace-expansion": {
-      "version": "2.0.2",
-      "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-2.0.2.tgz",
-      "integrity": "sha512-Jt0vHyM+jmUBqojB7E1NIYadt0vI0Qxjxd2TErW94wDz+E2LAm5vKMXXwg6ZZBTHPuUlDgQHKXvjGBdfcF1ZDQ==",
+      "version": "2.0.1",
+      "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-2.0.1.tgz",
+      "integrity": "sha512-XnAIvQ8eM+kC6aULx6wuQiwVsnzsi9d3WxzV3FpWTGA19F621kwdbsAcFKXgKUHZWsy+mY6iL1sHTxWEFCytDA==",
       "license": "MIT",
       "dependencies": {
         "balanced-match": "^1.0.0"
@@ -9076,16 +9076,16 @@
       "license": "MIT"
     },
     "node_modules/uuid": {
-      "version": "13.0.0",
-      "resolved": "https://registry.npmjs.org/uuid/-/uuid-13.0.0.tgz",
-      "integrity": "sha512-XQegIaBTVUjSHliKqcnFqYypAd4S+WCYt5NIeRs6w/UAry7z8Y9j5ZwRRL4kzq9U3sD6v+85er9FvkEaBpji2w==",
+      "version": "12.0.0",
+      "resolved": "https://registry.npmjs.org/uuid/-/uuid-12.0.0.tgz",
+      "integrity": "sha512-USe1zesMYh4fjCA8ZH5+X5WIVD0J4V1Jksm1bFTVBX2F/cwSXt0RO5w/3UXbdLKmZX65MiWV+hwhSS8p6oBTGA==",
       "funding": [
         "https://github.com/sponsors/broofa",
         "https://github.com/sponsors/ctavan"
       ],
       "license": "MIT",
       "bin": {
-        "uuid": "dist-node/bin/uuid"
+        "uuid": "dist/bin/uuid"
       }
     },
     "node_modules/webidl-conversions": {

package.json

@@ -48,7 +48,7 @@
     "node-forge": "^1.3.1",
     "octokit": "^5.0.3",
     "semver": "^7.7.2",
-    "uuid": "^13.0.0"
+    "uuid": "^12.0.0"
   },
   "devDependencies": {
     "@ava/typescript": "6.0.0",
@@ -98,7 +98,6 @@
     },
     "eslint-plugin-jsx-a11y": {
       "semver": ">=6.3.1"
-    },
-    "brace-expansion@2.0.1": "2.0.2"
+    }
   }
 }

pr-checks/checks/all-platform-bundle.yml

@@ -12,5 +12,6 @@ steps:
       languages: cpp,csharp,go,java,javascript,python,ruby
       tools: ${{ steps.prepare-test.outputs.tools-url }}
   - name: Build code
+    shell: bash
     run: ./build.sh
   - uses: ./../action/analyze

pr-checks/checks/analyze-ref-input.yml

@@ -9,6 +9,7 @@ steps:
       languages: cpp,csharp,java,javascript,python
       config-file: ${{ github.repository }}/tests/multi-language-repo/.github/codeql/custom-queries.yml@${{ github.sha }}
   - name: Build code
+    shell: bash
     run: ./build.sh
   - uses: ./../action/analyze
     with:

pr-checks/checks/autobuild-action.yml

@@ -17,6 +17,7 @@ steps:
       CORECLR_PROFILER_PATH_64: ""
   - uses: ./../action/analyze
   - name: Check database
+    shell: bash
     run: |
       cd "$RUNNER_TEMP/codeql_databases"
       if [[ ! -d csharp ]]; then

pr-checks/checks/autobuild-direct-tracing-with-working-dir.yml

@@ -10,6 +10,7 @@ env:
   CODEQL_ACTION_AUTOBUILD_BUILD_MODE_DIRECT_TRACING: true
 steps:
   - name: Test setup
+    shell: bash
     run: |
       # Make sure that Gradle build succeeds in autobuild-dir ...
       cp -a ../action/tests/java-repo autobuild-dir
@@ -21,6 +22,7 @@ steps:
       languages: java
       tools: ${{ steps.prepare-test.outputs.tools-url }}
   - name: Check that indirect tracing is disabled
+    shell: bash
     run: |
       if [[ ! -z "${CODEQL_RUNNER}" ]]; then
         echo "Expected indirect tracing to be disabled, but the" \

pr-checks/checks/autobuild-direct-tracing.yml

@@ -7,6 +7,7 @@ env:
   CODEQL_ACTION_AUTOBUILD_BUILD_MODE_DIRECT_TRACING: true
 steps:
   - name: Set up Java test repo configuration
+    shell: bash
     run: |
       mv * .github ../action/tests/multi-language-repo/
       mv ../action/tests/multi-language-repo/.github/workflows .github
@@ -21,6 +22,7 @@ steps:
       tools: ${{ steps.prepare-test.outputs.tools-url }}
 
   - name: Check that indirect tracing is disabled
+    shell: bash
     run: |
       if [[ ! -z "${CODEQL_RUNNER}" ]]; then
         echo "Expected indirect tracing to be disabled, but the" \

pr-checks/checks/build-mode-manual.yml

@@ -22,6 +22,7 @@ steps:
       fi
 
   - name: Build code
+    shell: bash
     run: ./build.sh
 
   - uses: ./../action/analyze

pr-checks/checks/cpp-deptrace-disabled.yml

@@ -6,6 +6,7 @@ env:
   DOTNET_GENERATE_ASPNET_CERTIFICATE: "false"
 steps:
   - name: Test setup
+    shell: bash
     run: |
       cp -a ../action/tests/cpp-autobuild autobuild-dir
   - uses: ./../action/init
@@ -17,7 +18,8 @@ steps:
       working-directory: autobuild-dir
     env:
       CODEQL_EXTRACTOR_CPP_AUTOINSTALL_DEPENDENCIES: false
-  - run: |
+  - shell: bash
+    run: |
       if ls /usr/bin/errno; then
         echo "C/C++ autobuild installed errno, but it should not have since auto-install dependencies is disabled."
         exit 1

pr-checks/checks/cpp-deptrace-enabled-on-macos.yml

@@ -6,6 +6,7 @@ env:
   DOTNET_GENERATE_ASPNET_CERTIFICATE: "false"
 steps:
   - name: Test setup
+    shell: bash
     run: |
       cp -a ../action/tests/cpp-autobuild autobuild-dir
   - uses: ./../action/init
@@ -17,7 +18,8 @@ steps:
       working-directory: autobuild-dir
     env:
       CODEQL_EXTRACTOR_CPP_AUTOINSTALL_DEPENDENCIES: true
-  - run: |
+  - shell: bash
+    run: |
       if ! ls /usr/bin/errno; then
         echo "As expected, CODEQL_EXTRACTOR_CPP_AUTOINSTALL_DEPENDENCIES is a no-op on macOS"
       else

pr-checks/checks/cpp-deptrace-enabled.yml

@@ -6,6 +6,7 @@ env:
   DOTNET_GENERATE_ASPNET_CERTIFICATE: "false"
 steps:
   - name: Test setup
+    shell: bash
     run: |
       cp -a ../action/tests/cpp-autobuild autobuild-dir
   - uses: ./../action/init
@@ -17,7 +18,8 @@ steps:
       working-directory: autobuild-dir
     env:
       CODEQL_EXTRACTOR_CPP_AUTOINSTALL_DEPENDENCIES: true
-  - run: |
+  - shell: bash
+    run: |
       if ! ls /usr/bin/errno; then
         echo "Did not autoinstall errno"
         exit 1

pr-checks/checks/diagnostics-export.yml

@@ -10,6 +10,7 @@ steps:
       languages: javascript
       tools: ${{ steps.prepare-test.outputs.tools-url }}
   - name: Add test diagnostics
+    shell: bash
     env:
       CODEQL_PATH: ${{ steps.init.outputs.codeql-path }}
     run: |

pr-checks/checks/export-file-baseline-information.yml

@@ -11,6 +11,7 @@ steps:
       languages: javascript
       tools: ${{ steps.prepare-test.outputs.tools-url }}
   - name: Build code
+    shell: bash
     run: ./build.sh
   - uses: ./../action/analyze
     with:
@@ -22,6 +23,7 @@ steps:
       path: "${{ runner.temp }}/results/javascript.sarif"
       retention-days: 7
   - name: Check results
+    shell: bash
     run: |
       cd "$RUNNER_TEMP/results"
       expected_baseline_languages="c csharp go java kotlin javascript python ruby"

pr-checks/checks/extractor-ram-threads.yml

@@ -9,6 +9,7 @@ steps:
       ram: 230
       threads: 1
   - name: Assert Results
+    shell: bash
     run: |
       if [ "${CODEQL_RAM}" != "230" ]; then
         echo "CODEQL_RAM is '${CODEQL_RAM}' instead of 230"