Merge pull request #3921 from github/dependabot/npm_and_yarn/npm-minor-28e225f5ad

Bump the npm-minor group across 1 directory with 6 updates

.github/actions/prepare-mergeback-branch/action.yml

@@ -41,7 +41,38 @@ runs:
         git add .
         git commit -m "Update changelog and version after ${VERSION}"
 
-        git push origin "${NEW_BRANCH}"
+    # Update the build artifacts with the new version number
+    - name: Rebuild the Action
+      shell: bash
+      run: |
+        set -exu
+        npm ci
+        npm run build
+
+    - name: Check for rebuild changes
+      id: rebuild_changes
+      shell: bash
+      run: |
+        set -exu
+        git add --all
+        if git diff --cached --quiet; then
+          echo "has_changes=false" >> "${GITHUB_OUTPUT}"
+        else
+          echo "has_changes=true" >> "${GITHUB_OUTPUT}"
+        fi
+
+    - name: Commit rebuild
+      if: steps.rebuild_changes.outputs.has_changes == 'true'
+      shell: bash
+      run: |
+        set -exu
+        git commit -m "Rebuild"
+
+    - name: Push mergeback branch
+      shell: bash
+      env:
+        NEW_BRANCH: "${{ inputs.branch }}"
+      run: git push origin "${NEW_BRANCH}"
 
     - name: Create PR
       shell: bash
@@ -60,8 +91,6 @@ runs:
 
           Please do the following:
 
-          - [ ] Remove and re-add the "Rebuild" label to the PR to trigger just this workflow.
-          - [ ] Wait for the "Rebuild" workflow to push a commit updating the distribution files.
           - [ ] Mark the PR as ready for review to trigger the full set of PR checks.
           - [ ] Approve and merge the PR. When merging the PR, make sure "Create a merge commit" is
                 selected rather than "Squash and merge" or "Rebase and merge".
@@ -74,7 +103,6 @@ runs:
           --head "${NEW_BRANCH}" \
           --base "${BASE_BRANCH}" \
           --title "${pr_title}" \
-          --label "Rebuild" \
           --body "${pr_body}" \
           --assignee "${GITHUB_ACTOR}" \
           --draft

.github/actions/release-initialise/action.yml

@@ -18,7 +18,7 @@ runs:
     - name: Set up Node
       uses: actions/setup-node@v6
       with:
-        node-version: 20
+        node-version: 24
         cache: 'npm'
 
     - name: Set up Python

.github/update-release-branch.py

@@ -19,6 +19,10 @@ No user facing changes.
 # Changing it requires a transition period where both old and new versions are supported.
 BACKPORT_COMMIT_MESSAGE = 'Update version and changelog for v'
 
+# Commit message used for rebuild commits, both those produced by this script and those produced
+# by the `Rebuild Action` workflow (`.github/workflows/rebuild.yml`).
+REBUILD_COMMIT_MESSAGE = 'Rebuild'
+
 # Name of the remote
 ORIGIN = 'origin'
 
@@ -43,6 +47,28 @@ def run_git(*args, allow_non_zero_exit_code=False):
     raise Exception(f'Call to {" ".join(cmd)} exited with code {p.returncode} stderr: {p.stderr.decode("ascii")}.')
   return p.stdout.decode('ascii')
 
+# Runs the given command, streaming output to the console.
+# Raises an error if the command does not exit successfully.
+def run_command(*args):
+  cmd = list(args)
+  print(f'Running `{" ".join(cmd)}`.')
+  subprocess.run(cmd, check=True)
+
+# Rebuilds the action and commits any changes.
+def rebuild_action():
+  # For backports, the only source-level change vs the source branch is the new version number,
+  # so we just need to refresh the version embedded in `lib/`.
+  run_command('npm', 'ci')
+  run_command('npm', 'run', 'build')
+
+  run_git('add', '--all')
+  # `git diff --cached --quiet` exits 0 if there are no staged changes, 1 if there are.
+  if subprocess.run(['git', 'diff', '--cached', '--quiet']).returncode == 0:
+    print('Rebuild produced no changes; skipping Rebuild commit.')
+  else:
+    run_git('commit', '-m', REBUILD_COMMIT_MESSAGE)
+    print('Created Rebuild commit.')
+
 # Returns true if the given branch exists on the origin remote
 def branch_exists_on_remote(branch_name):
   return run_git('ls-remote', '--heads', ORIGIN, branch_name).strip() != ''
@@ -98,9 +124,11 @@ def open_pr(
   body.append('Please do the following:')
   if len(conflicted_files) > 0:
     body.append(' - [ ] Ensure `package.json` file contains the correct version.')
-    body.append(' - [ ] Add commits to this branch to resolve the merge conflicts ' +
+    body.append(' - [ ] Add a commit to this branch to resolve the merge conflicts ' +
       'in the following files:')
-    body.extend([f'    - [ ] `{file}`' for file in conflicted_files])
+    body.extend([f'    - `{file}`' for file in conflicted_files])
+    body.append(' - [ ] Rebuild the Action locally (`npm run build`) and push any changes to the ' +
+      f'built output in `lib` as a separate commit named exactly `{REBUILD_COMMIT_MESSAGE}`.')
     body.append(' - [ ] Ensure another maintainer has reviewed the additional commits you added to this ' +
       'branch to resolve the merge conflicts.')
   body.append(' - [ ] Ensure the CHANGELOG displays the correct version and date.')
@@ -108,10 +136,6 @@ def open_pr(
   body.append(f' - [ ] Check that there are not any unexpected commits being merged into the `{target_branch}` branch.')
   body.append(' - [ ] Ensure the docs team is aware of any documentation changes that need to be released.')
 
-  if not is_primary_release:
-    body.append(' - [ ] Remove and re-add the "Rebuild" label to the PR to trigger just this workflow.')
-    body.append(' - [ ] Wait for the "Rebuild" workflow to push a commit updating the distribution files.')
-
   body.append(' - [ ] Mark the PR as ready for review to trigger the full set of PR checks.')
   body.append(' - [ ] Approve and merge this PR. Make sure `Create a merge commit` is selected rather than `Squash and merge` or `Rebase and merge`.')
 
@@ -120,13 +144,11 @@ def open_pr(
     body.append(' - [ ] Merge all backport PRs to older release branches, that will automatically be created once this PR is merged.')
 
   title = f'Merge {source_branch} into {target_branch}'
-  labels = ['Rebuild'] if not is_primary_release else []
 
   # Create the pull request
   # PR checks won't be triggered on PRs created by Actions. Therefore mark the PR as draft so that
   # a maintainer can take the PR out of draft, thereby triggering the PR checks.
   pr = repo.create_pull(title=title, body='\n'.join(body), head=new_branch_name, base=target_branch, draft=True)
-  pr.add_to_labels(*labels)
   print(f'Created PR #{str(pr.number)}')
 
   # Assign the conductor
@@ -385,8 +407,9 @@ def main():
       # releases.
       run_git('revert', vOlder_update_commits[0], '--no-edit')
 
-      # Also revert the "Rebuild" commit created by Actions.
-      rebuild_commit = run_git('log', '--grep', '^Rebuild$', '--format=%H').split()[0]
+      # Also revert the "Rebuild" commit, whether created by this script or by the
+      # `Rebuild Action` workflow.
+      rebuild_commit = run_git('log', '--grep', f'^{REBUILD_COMMIT_MESSAGE}$', '--format=%H').split()[0]
       print(f'  Reverting {rebuild_commit}')
       run_git('revert', rebuild_commit, '--no-edit')
 
@@ -401,9 +424,10 @@ def main():
       run_git('add', '.')
       run_git('commit', '--no-edit')
 
-    # Migrate the package version number from a vLatest version number to a vOlder version number
+    # Migrate the package version number from a vLatest version number to a vOlder version number.
+    # `package-lock.json` is updated as part of the subsequent rebuild step (see `rebuild_action`).
     print(f'Setting version number to {version} in package.json')
-    replace_version_package_json(get_current_version(), version) # We rely on the `Rebuild` workflow to update package-lock.json
+    replace_version_package_json(get_current_version(), version)
     run_git('add', 'package.json')
 
     # Migrate the changelog notes from vLatest version numbers to vOlder version numbers
@@ -426,6 +450,13 @@ def main():
     run_git('add', 'CHANGELOG.md')
     run_git('commit', '-m', f'Update changelog for v{version}')
 
+  if not is_primary_release:
+    if len(conflicted_files) == 0:
+      print('Rebuilding the Action.')
+      rebuild_action()
+    else:
+      print(f'Skipping automatic rebuild because the merge produced conflicts in {conflicted_files}.')
+
   run_git('push', ORIGIN, new_branch_name)
 
   # Open a PR to update the branch

.github/workflows/check-expected-release-files.yml

@@ -9,6 +9,10 @@ on:
     # by other workflows.
     types: [opened, synchronize, reopened, ready_for_review]
 
+concurrency:
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group: ${{ github.workflow }}-${{ github.ref }}
+
 defaults:
   run:
     shell: bash

.github/workflows/codescanning-config-cli.yml

@@ -24,6 +24,10 @@ on:
     - cron: '0 5 * * *'
   workflow_dispatch:
 
+concurrency:
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group: ${{ github.workflow }}-${{ github.ref }}
+
 defaults:
   run:
     shell: bash

.github/workflows/debug-artifacts-failure-safe.yml

@@ -20,6 +20,10 @@ on:
     - cron: '0 5 * * *'
   workflow_dispatch:
 
+concurrency:
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group: ${{ github.workflow }}-${{ github.ref }}
+
 defaults:
   run:
     shell: bash

.github/workflows/debug-artifacts-safe.yml

@@ -19,6 +19,10 @@ on:
     - cron: '0 5 * * *'
   workflow_dispatch:
 
+concurrency:
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group: ${{ github.workflow }}-${{ github.ref }}
+
 defaults:
   run:
     shell: bash

.github/workflows/post-release-mergeback.yml

@@ -48,6 +48,9 @@ jobs:
         with:
           fetch-depth: 0  # ensure we have all tags and can push commits
       - uses: actions/setup-node@v6
+        with:
+          node-version: 24
+          cache: 'npm'
       - uses: actions/setup-python@v6
         with:
           python-version: '3.12'

.github/workflows/pr-checks.yml

@@ -10,6 +10,10 @@ on:
     types: [checks_requested]
   workflow_dispatch:
 
+concurrency:
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group: ${{ github.workflow }}-${{ github.ref }}
+
 defaults:
   run:
     shell: bash
@@ -29,6 +33,10 @@ jobs:
     runs-on: ${{ matrix.os }}
     timeout-minutes: 45
 
+    concurrency:
+      cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+      group: pr-checks-unit-tests-${{ github.ref }}-${{ github.event_name }}-${{ matrix.os }}-node${{ matrix['node-version'] }}
+
     steps:
       - name: Prepare git (Windows)
         if: runner.os == 'Windows'
@@ -67,22 +75,21 @@ jobs:
           sarif_file: eslint.sarif
           category: eslint
 
-  # Verifying the PR checks are up-to-date requires Node 24. The PR checks are not dependent
-  # on the main codebase and therefore do not need to be run as part of the same matrix that
-  # we use for the `unit-tests` job.
-  verify-pr-checks:
-    name: Verify PR checks
+  # These checks do not need to be run as part of the same matrix that we use for the `unit-tests`
+  # job.
+  other-checks:
+    name: Other checks
     if: github.triggering_actor != 'dependabot[bot]'
     permissions:
       contents: read
-    runs-on: ubuntu-slim
+    runs-on: ubuntu-latest
     timeout-minutes: 10
 
-    steps:
-      - name: Prepare git (Windows)
-        if: runner.os == 'Windows'
-        run: git config --global core.autocrlf false
+    concurrency:
+      cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+      group: pr-checks-pr-checks-${{ github.ref }}-${{ github.event_name }}
 
+    steps:
       - name: Checkout repository
         uses: actions/checkout@v6
 
@@ -93,34 +100,22 @@ jobs:
           cache: 'npm'
 
       - name: Install dependencies
+        id: install-deps
         run: npm ci
 
       - name: Verify PR checks up to date
-        if: always()
+        if: ${{ !cancelled() && steps.install-deps.outcome == 'success' }}
         run: .github/workflows/script/verify-pr-checks.sh
 
       - name: Run pr-checks tests
-        if: always()
+        if: ${{ !cancelled() && steps.install-deps.outcome == 'success' }}
         working-directory: pr-checks
         run: npx tsx --test
 
-  check-node-version:
-    if: github.triggering_actor != 'dependabot[bot]'
-    name: Check Action Node versions
-    runs-on: ubuntu-latest
-    timeout-minutes: 45
-    env:
-      BASE_REF: ${{ github.base_ref }}
-
-    permissions:
-      contents: read
-
-    steps:
-      - uses: actions/checkout@v6
-      - id: head-version
-        name: Verify all Actions use the same Node version
+      - name: Verify all Actions use the same Node version
+        id: head-version
         run: |
-          NODE_VERSION=$(find . -name "action.yml" -exec yq -e '.runs.using' {} \; | grep node | sort | uniq)
+          NODE_VERSION=$(find . -path "*/node_modules" -prune -o -name "action.yml" -exec yq -o=json '.runs.using' {} \; | jq -rs '[.[] | select(. != null and startswith("node"))] | unique | .[]')
           echo "NODE_VERSION: ${NODE_VERSION}"
           if [[ $(echo "$NODE_VERSION" | wc -l) -gt 1 ]]; then
             echo "::error::More than one node version used in 'action.yml' files."
@@ -128,22 +123,111 @@ jobs:
           fi
           echo "node_version=${NODE_VERSION}" >> $GITHUB_OUTPUT
 
-      - id: checkout-base
-        name: 'Backport: Check out base ref'
+      - name: Fetch base commit
+        id: fetch-base
+        # Forks and Dependabot PRs don't have permission to write comments, so skip the repo size
+        # check in those cases.
+        if: >-
+          github.event_name == 'pull_request' &&
+          github.event.pull_request.head.repo.full_name == github.repository &&
+          github.event.pull_request.user.login != 'dependabot[bot]'
+        env:
+          BASE_SHA: ${{ github.event.pull_request.base.sha }}
+          HEAD_SHA: ${{ github.event.pull_request.head.sha }}
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          # Compare against the merge base so the size delta reflects only the commits actually
+          # added by this PR, ignoring any changes that have landed on the base branch since the
+          # PR branched off.
+          merge_base=$(gh api "repos/$GITHUB_REPOSITORY/compare/$BASE_SHA...$HEAD_SHA" --jq '.merge_base_commit.sha')
+          echo "merge_base=$merge_base" >> "$GITHUB_OUTPUT"
+          git fetch --no-tags --depth=1 origin "$merge_base" "$HEAD_SHA"
+
+      - name: Check repo size
+        if: steps.fetch-base.outcome == 'success'
+        working-directory: pr-checks
+        env:
+          BASE_REF: ${{ github.event.pull_request.base.ref }}
+          BASE_SHA: ${{ steps.fetch-base.outputs.merge_base }}
+          HEAD_SHA: ${{ github.event.pull_request.head.sha }}
+          RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
+        run: npx tsx check-repo-size.ts --output-dir "$RUNNER_TEMP/repo-size"
+
+      - name: Upload repo size comment
+        if: steps.fetch-base.outcome == 'success'
+        uses: actions/upload-artifact@v7
+        with:
+          name: repo-size-comment
+          path: ${{ runner.temp }}/repo-size/
+          if-no-files-found: error
+
+      - name: 'Backport: Check out base ref'
+        id: checkout-base
         if: ${{ startsWith(github.head_ref, 'backport-') }}
         uses: actions/checkout@v6
         with:
-          ref: ${{ env.BASE_REF }}
+          ref: ${{ github.base_ref }}
 
       - name: 'Backport: Verify Node versions unchanged'
         if: steps.checkout-base.outcome == 'success'
         env:
           HEAD_VERSION: ${{ steps.head-version.outputs.node_version }}
         run: |
-          BASE_VERSION=$(find . -name "action.yml" -exec yq -e '.runs.using' {} \; | grep node | sort | uniq)
+          BASE_VERSION=$(find . -path "*/node_modules" -prune -o -name "action.yml" -exec yq -o=json '.runs.using' {} \; | jq -rs '[.[] | select(. != null and startswith("node"))] | unique | .[]')
           echo "HEAD_VERSION: ${HEAD_VERSION}"
           echo "BASE_VERSION: ${BASE_VERSION}"
           if [[ "$BASE_VERSION" != "$HEAD_VERSION" ]]; then
             echo "::error::Cannot change the Node version of an Action in a backport PR."
             exit 1
           fi
+
+  post-repo-size-comment:
+    name: Post repo size comment
+    needs: other-checks
+    # Keep write permissions isolated from the job that checks out and tests PR code. This job only
+    # posts the candidate comment body produced by the read-only `pr-checks` job.
+    if: >-
+      github.event_name == 'pull_request' &&
+      github.event.pull_request.head.repo.full_name == github.repository &&
+      github.event.pull_request.user.login != 'dependabot[bot]' &&
+      needs.other-checks.result == 'success'
+    permissions:
+      contents: read
+      pull-requests: write
+    runs-on: ubuntu-slim
+    timeout-minutes: 10
+
+    concurrency:
+      cancel-in-progress: true
+      group: check-repo-size-${{ github.event.pull_request.number }}
+
+    steps:
+      - name: Download repo size comment
+        uses: actions/download-artifact@v8
+        with:
+          name: repo-size-comment
+          path: repo-size-comment
+
+      - name: Post repo size comment
+        env:
+          COMMENT_MARKER: "<!-- repo-size-diff-bot -->"
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          PR_NUMBER: ${{ github.event.pull_request.number }}
+        run: |
+          significant=$(jq -r '.significant' repo-size-comment/metadata.json)
+          comment_id=$(
+            gh api "repos/$GITHUB_REPOSITORY/issues/$PR_NUMBER/comments" \
+              --paginate \
+              --jq ".[] | select(.body | contains(\"$COMMENT_MARKER\")) | .id" \
+              | head -n 1
+          )
+
+          if [[ -n "$comment_id" ]]; then
+            echo "Updating existing comment $comment_id."
+            gh api --method PATCH "repos/$GITHUB_REPOSITORY/issues/comments/$comment_id" --field body=@repo-size-comment/body.md
+          elif [[ "$significant" == "true" ]]; then
+            echo "Creating new repo size comment."
+            gh api --method POST "repos/$GITHUB_REPOSITORY/issues/$PR_NUMBER/comments" --field body=@repo-size-comment/body.md
+          else
+            echo "Skipping repo size comment because the delta is below the threshold and no sticky comment exists."
+          fi

.github/workflows/python312-windows.yml

@@ -14,6 +14,10 @@ on:
     - cron: '0 0 * * 1'
   workflow_dispatch:
 
+concurrency:
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group: ${{ github.workflow }}-${{ github.ref }}
+
 defaults:
   run:
     shell: bash

.github/workflows/query-filters.yml

@@ -17,6 +17,10 @@ on:
     - cron: '0 5 * * *'
   workflow_dispatch:
 
+concurrency:
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group: ${{ github.workflow }}-${{ github.ref }}
+
 defaults:
   run:
     shell: bash

.github/workflows/test-codeql-bundle-all.yml

@@ -18,6 +18,11 @@ on:
   schedule:
     - cron: '0 5 * * *'
   workflow_dispatch:
+
+concurrency:
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group: ${{ github.workflow }}-${{ github.ref }}
+
 defaults:
   run:
     shell: bash

CHANGELOG.md

@@ -4,8 +4,13 @@ See the [releases page](https://github.com/github/codeql-action/releases) for th
 
 ## [UNRELEASED]
 
+No user facing changes.
+
+## 4.36.0 - 22 May 2026
+
 - _Breaking change_: Bump the minimum required CodeQL bundle version to 2.19.4. [#3894](https://github.com/github/codeql-action/pull/3894)
 - Add support for SHA-256 Git object IDs. [#3893](https://github.com/github/codeql-action/pull/3893)
+- Update default CodeQL bundle version to [2.25.5](https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.25.5). [#3926](https://github.com/github/codeql-action/pull/3926)
 
 ## 4.35.5 - 15 May 2026
 

build.mjs

@@ -65,12 +65,22 @@ const onEndPlugin = {
 /** The name of the virtual `entry-points` module. */
 const SHARED_ENTRYPOINT = "entry-points";
 
+/** The property name under which `upload-lib`'s namespace is exposed in `entry-points`. */
+const UPLOAD_LIB_EXPORT = "uploadLib";
+
+/** The relative source path of the `upload-lib` module that we re-export from `entry-points`. */
+const UPLOAD_LIB_SRC = "./src/upload-lib";
+
 /**
- * This plugin finds all source files that contain Action entry points.
- * It then generates the virtual `entry-points` module which imports all identified files,
- * and re-exports their `runWrapper` functions with suitable aliases.
- * A tiny stub file is emitted for each Action entrypoint. Each stub imports the shared bundle
- * and calls the respective entry point.
+ * This plugin finds all source files that contain Action entry points. It then generates the
+ * virtual `entry-points` module which imports all identified files, and re-exports their
+ * `runWrapper` functions with suitable aliases.
+ *
+ * The virtual module additionally re-exports `upload-lib` under the `uploadLib` namespace so that
+ * external consumers can access it via the small `lib/upload-lib.js` stub emitted below.
+ * 
+ * A tiny stub file is emitted for each Action entrypoint, and one for `upload-lib`. Each stub
+ * imports the shared bundle and calls/re-exports from the respective entry point.
  *
  * @type {esbuild.Plugin}
  */
@@ -136,22 +146,29 @@ const entryPointsPlugin = {
         )
         .join("\n\n");
 
+      // Also re-export the `upload-lib` namespace so that external consumers can reach it
+      // via the `lib/upload-lib.js` stub without us having to bundle a second copy.
+      const uploadLibReExport = `export * as ${UPLOAD_LIB_EXPORT} from "${UPLOAD_LIB_SRC}";`;
+
       return {
-        contents: `"use strict";\n${imports}\n\n${wrappers}\n`,
+        contents: `"use strict";\n${imports}\n\n${uploadLibReExport}\n\n${wrappers}\n`,
         resolveDir: ".",
         loader: "ts",
       };
     });
 
     // Emit entry point stubs for each Action using the entry template.
-    build.onEnd(async (result) => {
-      // Read the entry point template.
-      const templatePath = "action-entry.js.tpl";
-      const template = await readFile(join(SRC_DIR, templatePath), "utf-8");
-
-      const makeHeader = (sourceFile) =>
+    build.onEnd(async () => {
+      const makeHeader = (templatePath, sourceFile) =>
         `// Automatically generated from '${templatePath}' for 'src/${basename(sourceFile)}'.\n\n`;
 
+      // Read the entry point template.
+      const actionTemplatePath = "action-entry.js.tpl";
+      const actionTemplate = await readFile(
+        join(SRC_DIR, actionTemplatePath),
+        "utf-8",
+      );
+
       // Write entry point stubs for each Action.
       for (const action of actions) {
         await writeFile(
@@ -159,20 +176,33 @@ const entryPointsPlugin = {
             OUT_DIR,
             `${action.name}${action.isPost ? "-post" : ""}-entry.js`,
           ),
-          makeHeader(action.path) +
-            template.replaceAll("__ACTION__", action.pascalCaseName),
+          makeHeader(actionTemplatePath, action.path) +
+            actionTemplate.replaceAll("__ACTION__", action.pascalCaseName),
         );
       }
+
+      // Write a small stub for `upload-lib` that re-exports it from the shared bundle.
+      // External callers (e.g. internal testing environments) `require("./lib/upload-lib")`
+      // and expect the same shape as before, so we expose the namespace as `module.exports`.
+      const uploadLibStubTemplatePath = "upload-lib-stub.js.tpl";
+      const uploadLibStubTemplate = await readFile(
+        join(SRC_DIR, uploadLibStubTemplatePath),
+        "utf-8",
+      );
+      await writeFile(
+        join(OUT_DIR, "upload-lib.js"),
+        makeHeader(uploadLibStubTemplatePath, `${UPLOAD_LIB_SRC}.ts`) +
+          uploadLibStubTemplate.replaceAll(
+            "__UPLOAD_LIB_EXPORT__",
+            UPLOAD_LIB_EXPORT,
+          ),
+      );
     });
   },
 };
 
 const context = await esbuild.context({
-  // Include upload-lib.ts as an entry point for use in testing environments.
-  entryPoints: [
-    { in: SHARED_ENTRYPOINT, out: SHARED_ENTRYPOINT },
-    join(SRC_DIR, "upload-lib.ts"),
-  ],
+  entryPoints: [{ in: SHARED_ENTRYPOINT, out: SHARED_ENTRYPOINT }],
   bundle: true,
   format: "cjs",
   outdir: OUT_DIR,

lib/defaults.json

@@ -1,6 +1,6 @@
 {
-  "bundleVersion": "codeql-bundle-v2.25.4",
-  "cliVersion": "2.25.4",
-  "priorBundleVersion": "codeql-bundle-v2.25.3",
-  "priorCliVersion": "2.25.3"
+  "bundleVersion": "codeql-bundle-v2.25.5",
+  "cliVersion": "2.25.5",
+  "priorBundleVersion": "codeql-bundle-v2.25.4",
+  "priorCliVersion": "2.25.4"
 }

lib/entry-points.js

@@ -26704,6 +26704,47 @@ var require_coerce = __commonJS({
   }
 });
 
+// node_modules/semver/functions/truncate.js
+var require_truncate = __commonJS({
+  "node_modules/semver/functions/truncate.js"(exports2, module2) {
+    "use strict";
+    var parse2 = require_parse2();
+    var constants = require_constants6();
+    var SemVer = require_semver();
+    var truncate = (version, truncation, options) => {
+      if (!constants.RELEASE_TYPES.includes(truncation)) {
+        return null;
+      }
+      const clonedVersion = cloneInputVersion(version, options);
+      return clonedVersion && doTruncation(clonedVersion, truncation);
+    };
+    var cloneInputVersion = (version, options) => {
+      const versionStringToParse = version instanceof SemVer ? version.version : version;
+      return parse2(versionStringToParse, options);
+    };
+    var doTruncation = (version, truncation) => {
+      if (isPrerelease(truncation)) {
+        return version.version;
+      }
+      version.prerelease = [];
+      switch (truncation) {
+        case "major":
+          version.minor = 0;
+          version.patch = 0;
+          break;
+        case "minor":
+          version.patch = 0;
+          break;
+      }
+      return version.format();
+    };
+    var isPrerelease = (type2) => {
+      return type2.startsWith("pre");
+    };
+    module2.exports = truncate;
+  }
+});
+
 // node_modules/semver/internal/lrucache.js
 var require_lrucache = __commonJS({
   "node_modules/semver/internal/lrucache.js"(exports2, module2) {
@@ -27738,6 +27779,7 @@ var require_semver2 = __commonJS({
     var lte = require_lte();
     var cmp = require_cmp();
     var coerce3 = require_coerce();
+    var truncate = require_truncate();
     var Comparator = require_comparator();
     var Range2 = require_range();
     var satisfies2 = require_satisfies();
@@ -27776,6 +27818,7 @@ var require_semver2 = __commonJS({
       lte,
       cmp,
       coerce: coerce3,
+      truncate,
       Comparator,
       Range: Range2,
       satisfies: satisfies2,
@@ -31025,13 +31068,15 @@ var require_brace_expansion = __commonJS({
       parts.push.apply(parts, p);
       return parts;
     }
-    function expandTop(str2) {
+    function expandTop(str2, options) {
       if (!str2)
         return [];
+      options = options || {};
+      var max = options.max == null ? Infinity : options.max;
       if (str2.substr(0, 2) === "{}") {
         str2 = "\\{\\}" + str2.substr(2);
       }
-      return expand2(escapeBraces(str2), true).map(unescapeBraces);
+      return expand2(escapeBraces(str2), max, true).map(unescapeBraces);
     }
     function embrace(str2) {
       return "{" + str2 + "}";
@@ -31045,7 +31090,7 @@ var require_brace_expansion = __commonJS({
     function gte6(i, y) {
       return i >= y;
     }
-    function expand2(str2, isTop) {
+    function expand2(str2, max, isTop) {
       var expansions = [];
       var m = balanced("{", "}", str2);
       if (!m || /\$$/.test(m.pre)) return [str2];
@@ -31056,7 +31101,7 @@ var require_brace_expansion = __commonJS({
       if (!isSequence && !isOptions) {
         if (m.post.match(/,(?!,).*\}/)) {
           str2 = m.pre + "{" + m.body + escClose + m.post;
-          return expand2(str2);
+          return expand2(str2, max, true);
         }
         return [str2];
       }
@@ -31066,9 +31111,9 @@ var require_brace_expansion = __commonJS({
       } else {
         n = parseCommaParts(m.body);
         if (n.length === 1) {
-          n = expand2(n[0], false).map(embrace);
+          n = expand2(n[0], max, false).map(embrace);
           if (n.length === 1) {
-            var post = m.post.length ? expand2(m.post, false) : [""];
+            var post = m.post.length ? expand2(m.post, max, false) : [""];
             return post.map(function(p) {
               return m.pre + n[0] + p;
             });
@@ -31076,7 +31121,7 @@ var require_brace_expansion = __commonJS({
         }
       }
       var pre = m.pre;
-      var post = m.post.length ? expand2(m.post, false) : [""];
+      var post = m.post.length ? expand2(m.post, max, false) : [""];
       var N;
       if (isSequence) {
         var x = numeric(n[0]);
@@ -31114,11 +31159,11 @@ var require_brace_expansion = __commonJS({
         }
       } else {
         N = concatMap(n, function(el) {
-          return expand2(el, false);
+          return expand2(el, max, false);
         });
       }
       for (var j = 0; j < N.length; j++) {
-        for (var k = 0; k < post.length; k++) {
+        for (var k = 0; k < post.length && expansions.length < max; k++) {
           var expansion = pre + N[j] + post[k];
           if (!isTop || isSequence || expansion)
             expansions.push(expansion);
@@ -102244,7 +102289,7 @@ var require_commonjs19 = __commonJS({
           }
           const pad = n.some(isPadded);
           N = [];
-          for (let i = x; test(i, y); i += incr) {
+          for (let i = x; test(i, y) && N.length < max; i += incr) {
             let c;
             if (isAlphaSequence) {
               c = String.fromCharCode(i);
@@ -144948,7 +144993,8 @@ __export(entry_points_exports, {
   runStartProxyAction: () => runStartProxyAction,
   runStartProxyPostAction: () => runStartProxyPostAction,
   runUploadSarifAction: () => runUploadSarifAction,
-  runUploadSarifPostAction: () => runUploadSarifPostAction
+  runUploadSarifPostAction: () => runUploadSarifPostAction,
+  uploadLib: () => upload_lib_exports
 });
 module.exports = __toCommonJS(entry_points_exports);
 
@@ -148304,7 +148350,7 @@ function getDiffRangesJsonFilePath() {
   return path2.join(getTemporaryDirectory(), PR_DIFF_RANGE_JSON_FILENAME);
 }
 function getActionVersion() {
-  return "4.36.0";
+  return "4.36.1";
 }
 function getWorkflowEventName() {
   return getRequiredEnvParam("GITHUB_EVENT_NAME");
@@ -148868,8 +148914,8 @@ function wrapApiConfigurationError(e) {
 }
 
 // src/defaults.json
-var bundleVersion = "codeql-bundle-v2.25.4";
-var cliVersion = "2.25.4";
+var bundleVersion = "codeql-bundle-v2.25.5";
+var cliVersion = "2.25.5";
 
 // src/overlay/index.ts
 var fs4 = __toESM(require("fs"));
@@ -149856,6 +149902,12 @@ async function parseAnalysisKinds(input) {
   );
 }
 var cachedAnalysisKinds;
+function isOnlyCodeScanningEnabled(analysisKinds) {
+  return analysisKinds.length === 1 && analysisKinds[0] === "code-scanning" /* CodeScanning */;
+}
+function makeAnalysisKindUsageError(message) {
+  return `The \`analysis-kinds\` input is experimental and for GitHub-internal use only. Its behaviour may change at any time or be removed entirely. ${message}`;
+}
 async function getAnalysisKinds(logger, features, skipCache = false) {
   if (!skipCache && cachedAnalysisKinds !== void 0) {
     return cachedAnalysisKinds;
@@ -149863,6 +149915,14 @@ async function getAnalysisKinds(logger, features, skipCache = false) {
   const analysisKinds = await parseAnalysisKinds(
     getRequiredInput("analysis-kinds")
   );
+  if (!isInTestMode() && !isDynamicWorkflow() && !isOnlyCodeScanningEnabled(analysisKinds)) {
+    const codeQualityHint = analysisKinds.includes("code-quality" /* CodeQuality */) ? " If your intention is to use quality queries outside of Code Quality, use the `queries` input with `code-quality` instead." : "";
+    logger.error(
+      makeAnalysisKindUsageError(
+        `An analysis kind other than \`code-scanning\` was specified in a custom workflow. This is not supported and will become a fatal error in a future version of the CodeQL Action.${codeQualityHint}`
+      )
+    );
+  }
   const qualityQueriesInput = getOptionalInput("quality-queries");
   if (qualityQueriesInput !== void 0) {
     logger.warning(
@@ -149884,7 +149944,9 @@ async function getAnalysisKinds(logger, features, skipCache = false) {
   }
   if (!isInTestMode() && analysisKinds.length > 1 && !await features.getValue("allow_multiple_analysis_kinds" /* AllowMultipleAnalysisKinds */)) {
     logger.error(
-      "The `analysis-kinds` input is experimental and for GitHub-internal use only. Its behaviour may change at any time or be removed entirely. Specifying multiple values as input is no longer supported. Continuing with only `analysis-kinds: code-scanning`."
+      makeAnalysisKindUsageError(
+        "Specifying multiple values as input is no longer supported. Continuing with only `analysis-kinds: code-scanning`."
+      )
     );
     cachedAnalysisKinds = ["code-scanning" /* CodeScanning */];
     return cachedAnalysisKinds;
@@ -155484,6 +155546,27 @@ async function sendUnhandledErrorStatusReport(actionName, actionStartedAt, error
 }
 
 // src/upload-lib.ts
+var upload_lib_exports = {};
+__export(upload_lib_exports, {
+  buildPayload: () => buildPayload,
+  filterAlertsByDiffRange: () => filterAlertsByDiffRange,
+  findSarifFilesInDir: () => findSarifFilesInDir,
+  getGroupedSarifFilePaths: () => getGroupedSarifFilePaths,
+  populateRunAutomationDetails: () => populateRunAutomationDetails,
+  postProcessSarifFiles: () => postProcessSarifFiles,
+  readSarifFileOrThrow: () => readSarifFileOrThrow,
+  shouldConsiderConfigurationError: () => shouldConsiderConfigurationError,
+  shouldConsiderInvalidRequest: () => shouldConsiderInvalidRequest,
+  shouldShowCombineSarifFilesDeprecationWarning: () => shouldShowCombineSarifFilesDeprecationWarning,
+  throwIfCombineSarifFilesDisabled: () => throwIfCombineSarifFilesDisabled,
+  uploadFiles: () => uploadFiles,
+  uploadPayload: () => uploadPayload,
+  uploadPostProcessedFiles: () => uploadPostProcessedFiles,
+  validateSarifFileSchema: () => validateSarifFileSchema,
+  validateUniqueCategory: () => validateUniqueCategory,
+  waitForProcessing: () => waitForProcessing,
+  writePostProcessedFiles: () => writePostProcessedFiles
+});
 var fs21 = __toESM(require("fs"));
 var path18 = __toESM(require("path"));
 var url = __toESM(require("url"));
@@ -161271,7 +161354,8 @@ async function runUploadSarifPostAction() {
   runStartProxyAction,
   runStartProxyPostAction,
   runUploadSarifAction,
-  runUploadSarifPostAction
+  runUploadSarifPostAction,
+  uploadLib
 });
 /*! Bundled license information:
 

package.json

@@ -1,6 +1,6 @@
 {
   "name": "codeql",
-  "version": "4.36.0",
+  "version": "4.36.1",
   "private": true,
   "description": "CodeQL action",
   "scripts": {
@@ -40,23 +40,23 @@
     "jsonschema": "1.5.0",
     "long": "^5.3.2",
     "node-forge": "^1.4.0",
-    "semver": "^7.7.4",
+    "semver": "^7.8.0",
     "uuid": "^14.0.0"
   },
   "devDependencies": {
-    "@ava/typescript": "7.0.0",
-    "@eslint/compat": "^2.0.5",
+    "@ava/typescript": "6.0.0",
+    "@eslint/compat": "^2.1.0",
     "@microsoft/eslint-formatter-sarif": "^3.1.0",
     "@octokit/types": "^16.0.0",
     "@types/archiver": "^7.0.0",
     "@types/follow-redirects": "^1.14.4",
     "@types/js-yaml": "^4.0.9",
-    "@types/node": "^20.19.39",
+    "@types/node": "^20.19.41",
     "@types/node-forge": "^1.3.14",
     "@types/sarif": "^2.1.7",
     "@types/semver": "^7.7.1",
     "@types/sinon": "^21.0.1",
-    "ava": "^7.0.0",
+    "ava": "^6.4.1",
     "esbuild": "^0.28.0",
     "eslint": "^9.39.4",
     "eslint-import-resolver-typescript": "^4.4.4",
@@ -66,10 +66,10 @@
     "eslint-plugin-no-async-foreach": "^0.1.1",
     "glob": "^11.1.0",
     "globals": "^17.6.0",
-    "nock": "^14.0.12",
+    "nock": "^14.0.15",
     "sinon": "^22.0.0",
     "typescript": "^6.0.3",
-    "typescript-eslint": "^8.59.2"
+    "typescript-eslint": "^8.59.3"
   },
   "overrides": {
     "@actions/tool-cache": {

pr-checks/check-repo-size.test.ts

@@ -0,0 +1,259 @@
+#!/usr/bin/env npx tsx
+
+/*
+Tests for check-repo-size.ts.
+*/
+
+import * as assert from "node:assert/strict";
+import { execFileSync } from "node:child_process";
+import { randomBytes } from "node:crypto";
+import * as fs from "node:fs";
+import * as os from "node:os";
+import * as path from "node:path";
+import { afterEach, beforeEach, describe, it } from "node:test";
+
+import {
+  COMMENT_MARKER,
+  DEFAULT_BASE_REF,
+  buildCommentBody,
+  formatBytes,
+  formatPercent,
+  isDeltaSignificant,
+  measureArchiveSize,
+  readArgs,
+} from "./check-repo-size";
+
+describe("formatBytes", async () => {
+  const cases: Array<[number, boolean, string]> = [
+    // Unsigned values, including sub-KiB amounts which round to 0.00.
+    [0, false, "0.00 KiB"],
+    [512, false, "0.50 KiB"],
+    [1024, false, "1.00 KiB"],
+    [1024 * 1024, false, "1024.00 KiB"],
+    [2 * 1024 * 1024, false, "2048.00 KiB"],
+    // Negative values always use a leading minus.
+    [-2 * 1024 * 1024, false, "-2048.00 KiB"],
+    // signed=true prepends a + to non-negative values.
+    [0, true, "+0.00 KiB"],
+    [2 * 1024 * 1024, true, "+2048.00 KiB"],
+    [-2 * 1024 * 1024, true, "-2048.00 KiB"],
+  ];
+  for (const [bytes, signed, expected] of cases) {
+    await it(`formats ${bytes} (signed=${signed}) as ${expected}`, () => {
+      assert.equal(formatBytes(bytes, signed), expected);
+    });
+  }
+});
+
+describe("formatPercent", async () => {
+  await it("formats positive fractions with a leading +", () => {
+    assert.equal(formatPercent(0.1), "+10.00%");
+    assert.equal(formatPercent(0.0123), "+1.23%");
+  });
+
+  await it("formats negative fractions with a leading -", () => {
+    assert.equal(formatPercent(-0.1), "-10.00%");
+  });
+
+  await it("formats zero without a sign", () => {
+    assert.equal(formatPercent(0), "0.00%");
+  });
+});
+
+describe("isDeltaSignificant", async () => {
+  const cases: Array<[number, number, number, boolean]> = [
+    // At and above threshold (both signs).
+    [100, 1000, 0.1, true],
+    [101, 1000, 0.1, true],
+    [-100, 1000, 0.1, true],
+    // Below threshold (both signs, plus exact zero).
+    [99, 1000, 0.1, false],
+    [-99, 1000, 0.1, false],
+    [0, 1000, 0.1, false],
+  ];
+  for (const [delta, base, fraction, expected] of cases) {
+    await it(`returns ${expected} for delta=${delta}, base=${base}, fraction=${fraction}`, () => {
+      assert.equal(isDeltaSignificant(delta, base, fraction), expected);
+    });
+  }
+});
+
+describe("buildCommentBody", async () => {
+  await it("includes the marker, the base/PR/delta rows, and the run URL", () => {
+    const body = buildCommentBody({
+      baseRef: "main",
+      baseSize: 2_000_000,
+      prSize: 2_300_000,
+      runUrl: "https://example.test/run",
+    });
+
+    assert.match(body, new RegExp(`^${escapeRegExp(COMMENT_MARKER)}`));
+    assert.match(body, /Base \(`main`\) \| 1953\.13 KiB \(2000000 bytes\)/);
+    assert.match(body, /This PR \| 2246\.09 KiB \(2300000 bytes\)/);
+    assert.match(
+      body,
+      /\*\*Delta\*\* \| \*\*\+292\.97 KiB \(\+300000 bytes, \+15\.00%\)\*\*/,
+    );
+    assert.match(body, /\[workflow run\]\(https:\/\/example\.test\/run\)/);
+  });
+
+  await it("formats negative deltas with a leading minus and omits the run URL when missing", () => {
+    const body = buildCommentBody({
+      baseRef: "main",
+      baseSize: 2_000_000,
+      prSize: 1_800_000,
+    });
+    assert.match(
+      body,
+      /\*\*Delta\*\* \| \*\*-195\.31 KiB \(-200000 bytes, -10\.00%\)\*\*/,
+    );
+    assert.doesNotMatch(body, /workflow run/);
+  });
+});
+
+describe("readArgs", async () => {
+  await it("defaults the base ref and head commit for local runs", () => {
+    const originalEnv = process.env;
+    const originalArgv = process.argv;
+
+    try {
+      process.env = {};
+      process.argv = ["node", "check-repo-size.ts", "--output-dir", "/tmp/out"];
+
+      const args = readArgs();
+
+      assert.equal(args.baseRef, DEFAULT_BASE_REF);
+      assert.equal(args.baseCommitish, `origin/${DEFAULT_BASE_REF}`);
+      assert.equal(args.headCommitish, "HEAD");
+      assert.equal(args.outputDir, "/tmp/out");
+      assert.equal(args.runUrl, undefined);
+    } finally {
+      process.env = originalEnv;
+      process.argv = originalArgv;
+    }
+  });
+
+  await it("uses the base and head SHAs when provided by the workflow", () => {
+    const originalEnv = process.env;
+    const originalArgv = process.argv;
+
+    try {
+      process.env = {
+        BASE_REF: "main",
+        BASE_SHA: "abc123",
+        HEAD_SHA: "def456",
+        RUN_URL: "https://example.test/run",
+      };
+      process.argv = ["node", "check-repo-size.ts", "--output-dir", "/tmp/out"];
+
+      const args = readArgs();
+
+      assert.equal(args.baseRef, "main");
+      assert.equal(args.baseCommitish, "abc123");
+      assert.equal(args.headCommitish, "def456");
+      assert.equal(args.outputDir, "/tmp/out");
+      assert.equal(args.runUrl, "https://example.test/run");
+    } finally {
+      process.env = originalEnv;
+      process.argv = originalArgv;
+    }
+  });
+
+  await it("throws when --output-dir is missing", () => {
+    const originalEnv = process.env;
+    const originalArgv = process.argv;
+
+    try {
+      process.env = {};
+      process.argv = ["node", "check-repo-size.ts"];
+      assert.throws(() => readArgs(), /--output-dir is required/);
+    } finally {
+      process.env = originalEnv;
+      process.argv = originalArgv;
+    }
+  });
+});
+
+let repoDir: string;
+
+beforeEach(() => {
+  repoDir = fs.mkdtempSync(path.join(os.tmpdir(), "check-repo-size-test-"));
+  execFileSync("git", ["init", "--initial-branch=main", "-q"], {
+    cwd: repoDir,
+  });
+  execFileSync("git", ["config", "user.email", "test@example.test"], {
+    cwd: repoDir,
+  });
+  execFileSync("git", ["config", "user.name", "Test"], { cwd: repoDir });
+  execFileSync("git", ["config", "commit.gpgsign", "false"], { cwd: repoDir });
+});
+
+afterEach(() => {
+  fs.rmSync(repoDir, { recursive: true, force: true });
+});
+
+function commit(name: string, content: string, message: string) {
+  fs.writeFileSync(path.join(repoDir, name), content);
+  execFileSync("git", ["add", name], { cwd: repoDir });
+  execFileSync("git", ["commit", "-q", "-m", message], { cwd: repoDir });
+}
+
+describe("measureArchiveSize", async () => {
+  await it("returns a positive byte count for a non-empty repo", async () => {
+    commit("a.txt", "hello world\n", "first");
+    const size = await measureArchiveSize("HEAD", repoDir);
+    assert.ok(size > 0, `expected size > 0, got ${size}`);
+  });
+
+  await it("returns the same size on repeated runs (deterministic)", async () => {
+    commit("a.txt", "hello world\n", "first");
+    const a = await measureArchiveSize("HEAD", repoDir);
+    const b = await measureArchiveSize("HEAD", repoDir);
+    assert.equal(a, b);
+  });
+
+  await it("returns a larger size when more content is added", async () => {
+    commit("a.txt", "hello world\n", "first");
+    const small = await measureArchiveSize("HEAD", repoDir);
+
+    // Use random bytes so the new content is incompressible and the archive
+    // is guaranteed to grow even after gzip.
+    commit("b.bin", randomBytes(8192).toString("base64"), "second");
+    const big = await measureArchiveSize("HEAD", repoDir);
+    assert.ok(
+      big > small,
+      `expected ${big} > ${small} after adding more content`,
+    );
+  });
+
+  await it("ignores untracked files (e.g. node_modules)", async () => {
+    commit("a.txt", "hello\n", "first");
+    commit(".gitignore", "node_modules/\n", "ignore node_modules");
+    const sizeBefore = await measureArchiveSize("HEAD", repoDir);
+
+    fs.mkdirSync(path.join(repoDir, "node_modules"));
+    fs.writeFileSync(
+      path.join(repoDir, "node_modules", "huge.bin"),
+      "x".repeat(1_000_000),
+    );
+
+    const sizeAfter = await measureArchiveSize("HEAD", repoDir);
+    assert.equal(
+      sizeAfter,
+      sizeBefore,
+      "untracked node_modules should not affect the archive size",
+    );
+  });
+
+  await it("rejects when the ref does not exist", async () => {
+    commit("a.txt", "hello\n", "first");
+    await assert.rejects(
+      () => measureArchiveSize("does-not-exist", repoDir),
+      /git archive does-not-exist exited with code/,
+    );
+  });
+});
+
+function escapeRegExp(s: string): string {
+  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+}

pr-checks/check-repo-size.ts

@@ -0,0 +1,223 @@
+#!/usr/bin/env npx tsx
+
+/*
+Measures the difference in the `.tar.gz`'d checkout size of the repo between the PR head and the PR
+base. This size is relevant because it corresponds to the duration of the "Download action
+repository" step that happens at the start of every job that uses this Action.
+
+Writes the candidate sticky-comment body and a small metadata file to `--output-dir`. A separate
+workflow job consumes those artifacts and decides whether to create or update a PR comment.
+*/
+
+import { spawn } from "node:child_process";
+import * as fs from "node:fs";
+import * as path from "node:path";
+import { parseArgs } from "node:util";
+
+import { REPO_ROOT } from "./config";
+
+/** Hidden marker used to find the existing sticky comment on a PR. */
+export const COMMENT_MARKER = "<!-- repo-size-diff-bot -->";
+
+export const DEFAULT_BASE_REF = "main";
+
+/**
+ * Fraction of the base archive size at which a delta is considered significant enough to warrant
+ * a new sticky comment. We always update an existing comment regardless, so the comment stays in
+ * sync as the diff evolves.
+ */
+export const SIGNIFICANT_DELTA_FRACTION = 0.1;
+
+/**
+ * Stream `git archive --format=tar.gz <ref>` and count the compressed bytes.
+ *
+ * `git archive` only includes tracked files, so untracked directories like `node_modules` and
+ * `build` aren't counted in the size downloaded when starting up a CodeQL job.
+ */
+export async function measureArchiveSize(
+  ref: string,
+  cwd: string,
+): Promise<number> {
+  const git = spawn("git", ["archive", "--format=tar.gz", ref], { cwd });
+
+  let stderr = "";
+  git.stderr.on("data", (chunk: Buffer) => {
+    stderr += chunk.toString();
+  });
+
+  let size = 0;
+  git.stdout.on("data", (chunk: Buffer) => {
+    size += chunk.length;
+  });
+
+  const exitCode = await new Promise<number>((resolve, reject) => {
+    git.on("error", reject);
+    git.on("close", resolve);
+  });
+
+  if (exitCode !== 0) {
+    throw new Error(
+      `git archive ${ref} exited with code ${exitCode}: ${stderr.trim()}`,
+    );
+  }
+  return size;
+}
+
+/**
+ * Format a byte count as KiB. If `signed` is true, a leading `+` is prepended for non-negative
+ * values so gains and losses are visually distinct.
+ */
+export function formatBytes(bytes: number, signed = false): string {
+  const sign = bytes < 0 ? "-" : signed ? "+" : "";
+  const kib = Math.abs(bytes) / 1024;
+  return `${sign}${kib.toFixed(2)} KiB`;
+}
+
+/** Format a fraction as a signed percentage with 2 decimal places. */
+export function formatPercent(fraction: number): string {
+  const pct = fraction * 100;
+  const sign = pct > 0 ? "+" : "";
+  return `${sign}${pct.toFixed(2)}%`;
+}
+
+export interface CommentBodyOptions {
+  baseRef: string;
+  baseSize: number;
+  prSize: number;
+  /** Optional URL of the workflow run, included in the comment footer. */
+  runUrl?: string;
+}
+
+export function buildCommentBody(opts: CommentBodyOptions): string {
+  const { baseRef, baseSize, prSize, runUrl } = opts;
+  const delta = prSize - baseSize;
+  const signedDelta = delta >= 0 ? `+${delta}` : `${delta}`;
+  const runUrlLine = runUrl
+    ? ` See the [workflow run](${runUrl}) for details.`
+    : "";
+
+  return [
+    COMMENT_MARKER,
+    "### Repository checkout size",
+    "",
+    "| | Compressed archive size |",
+    "|---|---|",
+    `| Base (\`${baseRef}\`) | ${formatBytes(baseSize)} (${baseSize} bytes) |`,
+    `| This PR | ${formatBytes(prSize)} (${prSize} bytes) |`,
+    `| **Delta** | **${formatBytes(delta, true)} (${signedDelta} bytes, ${formatPercent(delta / baseSize)})** |`,
+    "",
+    "Sizes are measured by streaming `git archive --format=tar.gz <ref>`, " +
+      "which includes tracked files and excludes untracked files such as " +
+      "`node_modules`. The compressed checkout is " +
+      "downloaded by every consumer of this Action, so changes here directly " +
+      `affect Action download time.${runUrlLine}`,
+  ].join("\n");
+}
+
+/**
+ * Returns true when the absolute delta is at least `fraction` of the base size. Both increases and
+ * decreases are considered significant, so we report wins as well as losses.
+ */
+export function isDeltaSignificant(
+  delta: number,
+  baseSize: number,
+  fraction: number,
+): boolean {
+  return Math.abs(delta) >= baseSize * fraction;
+}
+
+interface MainArgs {
+  /** Base ref of the PR. Defaults to `main`. Used as the label in the PR comment. */
+  baseRef: string;
+  /** Base commit-ish to archive. Defaults to `origin/<baseRef>` for local runs. */
+  baseCommitish: string;
+  /** Head commit-ish to archive. Defaults to `HEAD` for local runs. */
+  headCommitish: string;
+  /** Optional URL of the workflow run, surfaced in the comment footer. */
+  runUrl?: string;
+  /** Directory where `body.md` and `metadata.json` are written. */
+  outputDir: string;
+}
+
+export function readArgs(): MainArgs {
+  const { values } = parseArgs({
+    options: {
+      "output-dir": { type: "string" },
+    },
+    strict: true,
+  });
+
+  const outputDir = values["output-dir"];
+  if (!outputDir) {
+    throw new Error("--output-dir is required");
+  }
+
+  const baseRef = process.env.BASE_REF ?? DEFAULT_BASE_REF;
+  const baseCommitish = process.env.BASE_SHA ?? `origin/${baseRef}`;
+  const headCommitish = process.env.HEAD_SHA ?? "HEAD";
+
+  return {
+    baseRef,
+    baseCommitish,
+    headCommitish,
+    runUrl: process.env.RUN_URL,
+    outputDir,
+  };
+}
+
+async function main(): Promise<number> {
+  const args = readArgs();
+
+  console.log(`Measuring base archive size for ${args.baseCommitish}...`);
+  const baseSize = await measureArchiveSize(args.baseCommitish, REPO_ROOT);
+  console.log(`  ${baseSize} bytes`);
+
+  console.log(`Measuring PR archive size for ${args.headCommitish}...`);
+  const prSize = await measureArchiveSize(args.headCommitish, REPO_ROOT);
+  console.log(`  ${prSize} bytes`);
+
+  const delta = prSize - baseSize;
+  const significant = isDeltaSignificant(
+    delta,
+    baseSize,
+    SIGNIFICANT_DELTA_FRACTION,
+  );
+  console.log(
+    `Delta: ${delta} bytes (significant=${significant}, threshold=${(
+      SIGNIFICANT_DELTA_FRACTION * 100
+    ).toFixed(2)}%)`,
+  );
+
+  const body = buildCommentBody({
+    baseRef: args.baseRef,
+    baseSize,
+    prSize,
+    runUrl: args.runUrl,
+  });
+
+  fs.mkdirSync(args.outputDir, { recursive: true });
+  fs.writeFileSync(path.join(args.outputDir, "body.md"), body);
+  fs.writeFileSync(
+    path.join(args.outputDir, "metadata.json"),
+    `${JSON.stringify(
+      { significant, baseRef: args.baseRef, baseSize, prSize, delta },
+      null,
+      2,
+    )}\n`,
+  );
+  console.log(`Wrote body.md and metadata.json to ${args.outputDir}.`);
+  return 0;
+}
+
+async function run(): Promise<void> {
+  try {
+    process.exit(await main());
+  } catch (err) {
+    console.error(err instanceof Error ? err.message : String(err));
+    process.exit(1);
+  }
+}
+
+if (require.main === module) {
+  void run();
+}

pr-checks/config.ts

@@ -6,14 +6,17 @@ export const OLDEST_SUPPORTED_MAJOR_VERSION = 3;
 /** The `pr-checks` directory. */
 export const PR_CHECKS_DIR = __dirname;
 
+/** The repository root. */
+export const REPO_ROOT = path.join(PR_CHECKS_DIR, "..");
+
 /** The path of the file configuring which checks shouldn't be required. */
 export const PR_CHECK_EXCLUDED_FILE = path.join(PR_CHECKS_DIR, "excluded.yml");
 
 /** The path to the esbuild metadata file. */
-export const BUNDLE_METADATA_FILE = path.join(PR_CHECKS_DIR, "..", "meta.json");
+export const BUNDLE_METADATA_FILE = path.join(REPO_ROOT, "meta.json");
 
 /** The `src` directory. */
-const SOURCE_ROOT = path.join(PR_CHECKS_DIR, "..", "src");
+const SOURCE_ROOT = path.join(REPO_ROOT, "src");
 
 /** The path to the built-in languages file. */
 export const BUILTIN_LANGUAGES_FILE = path.join(

pr-checks/excluded.yml

@@ -1,16 +1,17 @@
 # PR checks to exclude from required checks
 contains:
-  - "https://"
-  - "Update"
   - "ESLint"
-  - "update"
+  - "https://"
   - "test-setup-python-scripts"
+  - "update"
+  - "Update"
 is:
+  - "Agent"
+  - "check-expected-release-files"
+  - "Cleanup artifacts"
   - "CodeQL"
   - "Dependabot"
-  - "check-expected-release-files"
-  - "Agent"
-  - "Cleanup artifacts"
+  - "Label PR with size"
+  - "Post repo size comment"
   - "Prepare"
   - "Upload results"
-  - "Label PR with size"

pr-checks/package.json

@@ -7,10 +7,10 @@
     "@octokit/core": "^7.0.6",
     "@octokit/plugin-paginate-rest": ">=9.2.2",
     "@octokit/plugin-rest-endpoint-methods": "^17.0.0",
-    "yaml": "^2.8.4"
+    "yaml": "^2.9.0"
   },
   "devDependencies": {
-    "@types/node": "^20.19.39",
+    "@types/node": "^20.19.41",
     "tsx": "^4.21.0"
   }
 }

queries/default-setup-environment-variables.ql

@@ -43,6 +43,7 @@ predicate envVarRead(DataFlow::Node node, string envVar) {
 from DataFlow::Node read, string envVar
 where
   envVarRead(read, envVar) and
+  read.getFile().getRelativePath().matches("src/%") and
   not read.getFile().getBaseName().matches("%.test.ts") and
   not isSafeForDefaultSetup(envVar)
 select read,

src/analyses.test.ts

@@ -16,7 +16,12 @@ import {
 } from "./analyses";
 import { EnvVar } from "./environment";
 import { getRunnerLogger } from "./logging";
-import { createFeatures, RecordingLogger, setupTests } from "./testing-utils";
+import {
+  createFeatures,
+  RecordingLogger,
+  setupBaseActionsVars,
+  setupTests,
+} from "./testing-utils";
 import { AssessmentPayload } from "./upload-lib/types";
 import { ConfigurationError } from "./util";
 
@@ -72,6 +77,7 @@ test.serial(
 test.serial(
   "getAnalysisKinds - only use `code-scanning` for multiple analysis kinds outside of test mode",
   async (t) => {
+    setupBaseActionsVars();
     process.env[EnvVar.TEST_MODE] = "false";
     const features = createFeatures([]);
     const logger = new RecordingLogger();
@@ -89,6 +95,40 @@ test.serial(
   },
 );
 
+test.serial(
+  "getAnalysisKinds - logs error for non-default `analysis-kinds` in custom workflow",
+  async (t) => {
+    setupBaseActionsVars({ GITHUB_EVENT_NAME: "push" });
+    process.env[EnvVar.TEST_MODE] = "false";
+    const features = createFeatures([]);
+    const logger = new RecordingLogger();
+    const requiredInputStub = sinon.stub(actionsUtil, "getRequiredInput");
+    requiredInputStub.withArgs("analysis-kinds").returns("code-quality");
+    const result = await getAnalysisKinds(logger, features, true);
+    t.deepEqual(result, [AnalysisKind.CodeQuality]);
+    t.assert(
+      logger.hasMessage(
+        "An analysis kind other than `code-scanning` was specified in a custom workflow.",
+      ),
+    );
+  },
+);
+
+test.serial(
+  "getAnalysisKinds - no error for non-default `analysis-kinds` in managed workflow",
+  async (t) => {
+    setupBaseActionsVars({ GITHUB_EVENT_NAME: "dynamic" });
+    process.env[EnvVar.TEST_MODE] = "false";
+    const features = createFeatures([]);
+    const logger = new RecordingLogger();
+    const requiredInputStub = sinon.stub(actionsUtil, "getRequiredInput");
+    requiredInputStub.withArgs("analysis-kinds").returns("code-quality");
+    const result = await getAnalysisKinds(logger, features, true);
+    t.deepEqual(result, [AnalysisKind.CodeQuality]);
+    t.deepEqual(logger.messages, []);
+  },
+);
+
 test.serial(
   "getAnalysisKinds - includes `code-quality` when deprecated `quality-queries` input is used",
   async (t) => {
@@ -133,6 +173,7 @@ for (let i = 0; i < analysisKinds.length; i++) {
       test.serial(
         `getAnalysisKinds - allows ${analysisKind} with ${otherAnalysis}`,
         async (t) => {
+          setupBaseActionsVars();
           process.env[EnvVar.TEST_MODE] = "true";
           const features = createFeatures([]);
           const requiredInputStub = sinon.stub(actionsUtil, "getRequiredInput");
@@ -151,6 +192,7 @@ for (let i = 0; i < analysisKinds.length; i++) {
       test.serial(
         `getAnalysisKinds - throws if ${analysisKind} is enabled with ${otherAnalysis}`,
         async (t) => {
+          setupBaseActionsVars();
           const features = createFeatures([]);
           const requiredInputStub = sinon.stub(actionsUtil, "getRequiredInput");
           requiredInputStub

src/analyses.ts

@@ -2,6 +2,7 @@ import {
   fixCodeQualityCategory,
   getOptionalInput,
   getRequiredInput,
+  isDynamicWorkflow,
 } from "./actions-util";
 import { EnvVar } from "./environment";
 import { Feature, FeatureEnablement } from "./feature-flags";
@@ -65,6 +66,21 @@ export async function parseAnalysisKinds(
 // Used to avoid re-parsing the input after we have done it once.
 let cachedAnalysisKinds: AnalysisKind[] | undefined;
 
+/** Determines whether `code-scanning` is the only enabled analysis kind in `analysisKinds`. */
+function isOnlyCodeScanningEnabled(analysisKinds: AnalysisKind[]) {
+  return (
+    analysisKinds.length === 1 && analysisKinds[0] === AnalysisKind.CodeScanning
+  );
+}
+
+/** Prepends a generic message about the intended usage for `analysis-kinds` to `message`. */
+function makeAnalysisKindUsageError(message: string) {
+  return (
+    "The `analysis-kinds` input is experimental and for GitHub-internal use only. " +
+    `Its behaviour may change at any time or be removed entirely. ${message}`
+  );
+}
+
 /**
  * Initialises the analysis kinds for the analysis based on the `analysis-kinds` input.
  * This function will also use the deprecated `quality-queries` input as an indicator to enable `code-quality`.
@@ -89,6 +105,26 @@ export async function getAnalysisKinds(
     getRequiredInput("analysis-kinds"),
   );
 
+  // Log an error if we are outside of a GitHub-managed workflow and an analysis kind
+  // other than `code-scanning` is enabled.
+  if (
+    !isInTestMode() &&
+    !isDynamicWorkflow() &&
+    !isOnlyCodeScanningEnabled(analysisKinds)
+  ) {
+    const codeQualityHint = analysisKinds.includes(AnalysisKind.CodeQuality)
+      ? " If your intention is to use quality queries outside of Code Quality, " +
+        "use the `queries` input with `code-quality` instead."
+      : "";
+
+    logger.error(
+      makeAnalysisKindUsageError(
+        "An analysis kind other than `code-scanning` was specified in a custom workflow. " +
+          `This is not supported and will become a fatal error in a future version of the CodeQL Action.${codeQualityHint}`,
+      ),
+    );
+  }
+
   // Warn that `quality-queries` is deprecated if there is an argument for it.
   const qualityQueriesInput = getOptionalInput("quality-queries");
 
@@ -130,10 +166,10 @@ export async function getAnalysisKinds(
     !(await features.getValue(Feature.AllowMultipleAnalysisKinds))
   ) {
     logger.error(
-      "The `analysis-kinds` input is experimental and for GitHub-internal use only. " +
-        "Its behaviour may change at any time or be removed entirely. " +
+      makeAnalysisKindUsageError(
         "Specifying multiple values as input is no longer supported. " +
-        "Continuing with only `analysis-kinds: code-scanning`.",
+          "Continuing with only `analysis-kinds: code-scanning`.",
+      ),
     );
 
     // Only enable Code Scanning.

src/defaults.json

@@ -1,6 +1,6 @@
 {
-  "bundleVersion": "codeql-bundle-v2.25.4",
-  "cliVersion": "2.25.4",
-  "priorBundleVersion": "codeql-bundle-v2.25.3",
-  "priorCliVersion": "2.25.3"
+  "bundleVersion": "codeql-bundle-v2.25.5",
+  "cliVersion": "2.25.5",
+  "priorBundleVersion": "codeql-bundle-v2.25.4",
+  "priorCliVersion": "2.25.4"
 }

src/testing-utils.ts

@@ -188,17 +188,37 @@ export const DEFAULT_ACTIONS_VARS = {
   RUNNER_OS: "Linux",
 } as const satisfies Record<string, string>;
 
-// Sets environment variables that make using some libraries designed for
-// use only on actions safe to use outside of actions.
-export function setupActionsVars(
-  tempDir: string,
-  toolsDir: string,
-  overrides?: Partial<Record<keyof typeof DEFAULT_ACTIONS_VARS, string>>,
-) {
+/** Partial mappings from GitHub Actions environment variables to values. */
+export type ActionVarOverrides = Partial<
+  Record<keyof typeof DEFAULT_ACTIONS_VARS, string>
+>;
+
+/**
+ * Sets environment variables that are always available on GitHub Actions,
+ * excluding some that are expected to be set to paths. See `setupActionsVars`.
+ *
+ * @param overrides Overrides for the defaults.
+ */
+export function setupBaseActionsVars(overrides?: ActionVarOverrides) {
   const vars = { ...DEFAULT_ACTIONS_VARS, ...overrides };
   for (const [key, value] of Object.entries(vars)) {
     process.env[key] = value;
   }
+}
+
+/**
+ * Sets environment variables that are always available on GitHub Actions.
+ *
+ * @param tempDir A value for `RUNNER_TEMP` and `GITHUB_WORKSPACE`.
+ * @param toolsDir A value for `RUNNER_TOOL_CACHE`.
+ * @param overrides Overrides for the defaults.
+ */
+export function setupActionsVars(
+  tempDir: string,
+  toolsDir: string,
+  overrides?: ActionVarOverrides,
+) {
+  setupBaseActionsVars(overrides);
   process.env["RUNNER_TEMP"] = tempDir;
   process.env["RUNNER_TOOL_CACHE"] = toolsDir;
   process.env["GITHUB_WORKSPACE"] = tempDir;

src/upload-lib-stub.js.tpl

@@ -0,0 +1,3 @@
+"use strict";
+
+module.exports = require("./entry-points").__UPLOAD_LIB_EXPORT__;