Feature flag: enable cpp overlay flag override in config-cli workflow

Merge pull request #3584 from github/idrissrio/cpp/overlay
Feature flag: C/C++ overlay
2026-05-04 04:40:09 +00:00 · 2026-03-19 17:01:40 +01:00 · 2026-03-19 15:26:48 +00:00 · 2026-03-19 15:42:47 +01:00 · 2026-03-19 14:14:03 +00:00 · 2026-03-19 14:58:16 +01:00
146 changed files with 20418 additions and 15714 deletions
@@ -92,7 +92,7 @@ jobs:
          post-processed-sarif-path: '${{ runner.temp }}/post-processed'

      - name: Upload SARIF files
-        uses: actions/upload-artifact@v6
+        uses: actions/upload-artifact@v7
        with:
          name: |
            analysis-kinds-${{ matrix.os }}-${{ matrix.version }}-${{ matrix.analysis-kinds }}
@@ -100,7 +100,7 @@ jobs:
          retention-days: 7

      - name: Upload post-processed SARIF
-        uses: actions/upload-artifact@v6
+        uses: actions/upload-artifact@v7
        with:
          name: |
            post-processed-${{ matrix.os }}-${{ matrix.version }}-${{ matrix.analysis-kinds }}
@@ -35,11 +35,6 @@ on:
        description: The version of Go to install
        required: false
        default: '>=1.21.0'
-      python-version:
-        type: string
-        description: The version of Python to install
-        required: false
-        default: '3.13'
  workflow_call:
    inputs:
      dotnet-version:
@@ -52,17 +47,12 @@ on:
        description: The version of Go to install
        required: false
        default: '>=1.21.0'
-      python-version:
-        type: string
-        description: The version of Python to install
-        required: false
-        default: '3.13'
 defaults:
  run:
    shell: bash
 concurrency:
  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: analyze-ref-input-${{github.ref}}-${{inputs.dotnet-version}}-${{inputs.go-version}}-${{inputs.python-version}}
+  group: analyze-ref-input-${{github.ref}}-${{inputs.dotnet-version}}-${{inputs.go-version}}
 jobs:
  analyze-ref-input:
    strategy:
@@ -90,11 +80,6 @@ jobs:
        with:
          go-version: ${{ inputs.go-version || '>=1.21.0' }}
          cache: false
-      - name: Install Python
-        if: matrix.version != 'nightly-latest' || !matrix.version
-        uses: actions/setup-python@v6
-        with:
-          python-version: ${{ inputs.python-version || '3.13' }}
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -39,10 +39,10 @@ jobs:
      fail-fast: false
      matrix:
        include:
-          - os: macos-latest
-            version: linked
          - os: ubuntu-latest
            version: linked
+          - os: macos-latest
+            version: linked
          - os: windows-latest
            version: linked
    name: 'Bundle: Caching checks'
@@ -39,10 +39,10 @@ jobs:
      fail-fast: false
      matrix:
        include:
-          - os: macos-latest
-            version: linked
          - os: ubuntu-latest
            version: linked
+          - os: macos-latest
+            version: linked
          - os: windows-latest
            version: linked
    name: 'Bundle: Zstandard checks'
@@ -82,7 +82,7 @@ jobs:
          output: ${{ runner.temp }}/results
          upload-database: false
      - name: Upload SARIF
-        uses: actions/upload-artifact@v6
+        uses: actions/upload-artifact@v7
        with:
          name: ${{ matrix.os }}-zstd-bundle.sarif
          path: ${{ runner.temp }}/results/javascript.sarif
@@ -70,7 +70,7 @@ jobs:
          output: '${{ runner.temp }}/results'
          upload-database: false
      - name: Upload SARIF
-        uses: actions/upload-artifact@v6
+        uses: actions/upload-artifact@v7
        with:
          name: config-export-${{ matrix.os }}-${{ matrix.version }}.sarif.json
          path: '${{ runner.temp }}/results/javascript.sarif'
@@ -81,7 +81,7 @@ jobs:
          output: '${{ runner.temp }}/results'
          upload-database: false
      - name: Upload SARIF
-        uses: actions/upload-artifact@v6
+        uses: actions/upload-artifact@v7
        with:
          name: diagnostics-export-${{ matrix.os }}-${{ matrix.version }}.sarif.json
          path: '${{ runner.temp }}/results/javascript.sarif'
@@ -102,7 +102,7 @@ jobs:
        with:
          output: '${{ runner.temp }}/results'
      - name: Upload SARIF
-        uses: actions/upload-artifact@v6
+        uses: actions/upload-artifact@v7
        with:
          name: with-baseline-information-${{ matrix.os }}-${{ matrix.version }}.sarif.json
          path: '${{ runner.temp }}/results/javascript.sarif'
@@ -51,32 +51,18 @@ jobs:
        include:
          - os: ubuntu-latest
            version: stable-v2.17.6
-          - os: macos-latest
-            version: stable-v2.17.6
          - os: ubuntu-latest
            version: stable-v2.18.4
-          - os: macos-latest
-            version: stable-v2.18.4
          - os: ubuntu-latest
            version: stable-v2.19.4
-          - os: macos-latest
-            version: stable-v2.19.4
          - os: ubuntu-latest
            version: stable-v2.20.7
-          - os: macos-latest
-            version: stable-v2.20.7
          - os: ubuntu-latest
            version: stable-v2.21.4
-          - os: macos-latest
-            version: stable-v2.21.4
          - os: ubuntu-latest
            version: stable-v2.22.4
-          - os: macos-latest
-            version: stable-v2.22.4
          - os: ubuntu-latest
            version: default
-          - os: macos-latest
-            version: default
          - os: ubuntu-latest
            version: linked
          - os: macos-latest
@@ -51,32 +51,18 @@ jobs:
        include:
          - os: ubuntu-latest
            version: stable-v2.17.6
-          - os: macos-latest
-            version: stable-v2.17.6
          - os: ubuntu-latest
            version: stable-v2.18.4
-          - os: macos-latest
-            version: stable-v2.18.4
          - os: ubuntu-latest
            version: stable-v2.19.4
-          - os: macos-latest
-            version: stable-v2.19.4
          - os: ubuntu-latest
            version: stable-v2.20.7
-          - os: macos-latest
-            version: stable-v2.20.7
          - os: ubuntu-latest
            version: stable-v2.21.4
-          - os: macos-latest
-            version: stable-v2.21.4
          - os: ubuntu-latest
            version: stable-v2.22.4
-          - os: macos-latest
-            version: stable-v2.22.4
          - os: ubuntu-latest
            version: default
-          - os: macos-latest
-            version: default
          - os: ubuntu-latest
            version: linked
          - os: macos-latest
@@ -51,32 +51,18 @@ jobs:
        include:
          - os: ubuntu-latest
            version: stable-v2.17.6
-          - os: macos-latest
-            version: stable-v2.17.6
          - os: ubuntu-latest
            version: stable-v2.18.4
-          - os: macos-latest
-            version: stable-v2.18.4
          - os: ubuntu-latest
            version: stable-v2.19.4
-          - os: macos-latest
-            version: stable-v2.19.4
          - os: ubuntu-latest
            version: stable-v2.20.7
-          - os: macos-latest
-            version: stable-v2.20.7
          - os: ubuntu-latest
            version: stable-v2.21.4
-          - os: macos-latest
-            version: stable-v2.21.4
          - os: ubuntu-latest
            version: stable-v2.22.4
-          - os: macos-latest
-            version: stable-v2.22.4
          - os: ubuntu-latest
            version: default
-          - os: macos-latest
-            version: default
          - os: ubuntu-latest
            version: linked
          - os: macos-latest
@@ -67,7 +67,7 @@ jobs:
        with:
          output: '${{ runner.temp }}/results'
      - name: Upload SARIF
-        uses: actions/upload-artifact@v6
+        uses: actions/upload-artifact@v7
        with:
          name: ${{ matrix.os }}-${{ matrix.version }}.sarif.json
          path: '${{ runner.temp }}/results/javascript.sarif'
@@ -35,11 +35,6 @@ on:
        description: The version of Go to install
        required: false
        default: '>=1.21.0'
-      python-version:
-        type: string
-        description: The version of Python to install
-        required: false
-        default: '3.13'
  workflow_call:
    inputs:
      dotnet-version:
@@ -52,17 +47,12 @@ on:
        description: The version of Go to install
        required: false
        default: '>=1.21.0'
-      python-version:
-        type: string
-        description: The version of Python to install
-        required: false
-        default: '3.13'
 defaults:
  run:
    shell: bash
 concurrency:
  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: local-bundle-${{github.ref}}-${{inputs.dotnet-version}}-${{inputs.go-version}}-${{inputs.python-version}}
+  group: local-bundle-${{github.ref}}-${{inputs.dotnet-version}}-${{inputs.go-version}}
 jobs:
  local-bundle:
    strategy:
@@ -90,11 +80,6 @@ jobs:
        with:
          go-version: ${{ inputs.go-version || '>=1.21.0' }}
          cache: false
-      - name: Install Python
-        if: matrix.version != 'nightly-latest' || !matrix.version
-        uses: actions/setup-python@v6
-        with:
-          python-version: ${{ inputs.python-version || '3.13' }}
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -35,11 +35,6 @@ on:
        description: The version of Go to install
        required: false
        default: '>=1.21.0'
-      python-version:
-        type: string
-        description: The version of Python to install
-        required: false
-        default: '3.13'
  workflow_call:
    inputs:
      dotnet-version:
@@ -52,58 +47,53 @@ on:
        description: The version of Go to install
        required: false
        default: '>=1.21.0'
-      python-version:
-        type: string
-        description: The version of Python to install
-        required: false
-        default: '3.13'
 defaults:
  run:
    shell: bash
 concurrency:
  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: multi-language-autodetect-${{github.ref}}-${{inputs.dotnet-version}}-${{inputs.go-version}}-${{inputs.python-version}}
+  group: multi-language-autodetect-${{github.ref}}-${{inputs.dotnet-version}}-${{inputs.go-version}}
 jobs:
  multi-language-autodetect:
    strategy:
      fail-fast: false
      matrix:
        include:
-          - os: macos-latest
-            version: stable-v2.17.6
          - os: ubuntu-latest
            version: stable-v2.17.6
          - os: macos-latest
-            version: stable-v2.18.4
+            version: stable-v2.17.6
          - os: ubuntu-latest
            version: stable-v2.18.4
          - os: macos-latest
-            version: stable-v2.19.4
+            version: stable-v2.18.4
          - os: ubuntu-latest
            version: stable-v2.19.4
          - os: macos-latest
-            version: stable-v2.20.7
+            version: stable-v2.19.4
          - os: ubuntu-latest
            version: stable-v2.20.7
          - os: macos-latest
-            version: stable-v2.21.4
+            version: stable-v2.20.7
          - os: ubuntu-latest
            version: stable-v2.21.4
          - os: macos-latest
-            version: stable-v2.22.4
+            version: stable-v2.21.4
          - os: ubuntu-latest
            version: stable-v2.22.4
          - os: macos-latest
-            version: default
+            version: stable-v2.22.4
          - os: ubuntu-latest
            version: default
          - os: macos-latest
-            version: linked
+            version: default
          - os: ubuntu-latest
            version: linked
          - os: macos-latest
+            version: linked
+          - os: ubuntu-latest
            version: nightly-latest
-          - os: ubuntu-latest
+          - os: macos-latest
            version: nightly-latest
    name: Multi-language repository
    if: github.triggering_actor != 'dependabot[bot]'
@@ -124,11 +114,6 @@ jobs:
        with:
          go-version: ${{ inputs.go-version || '>=1.21.0' }}
          cache: false
-      - name: Install Python
-        if: matrix.version != 'nightly-latest' || !matrix.version
-        uses: actions/setup-python@v6
-        with:
-          python-version: ${{ inputs.python-version || '3.13' }}
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -136,6 +121,14 @@ jobs:
          version: ${{ matrix.version }}
          use-all-platform-bundle: 'false'
          setup-kotlin: 'true'
+      - name: Install Python 3.13 for older CLI versions
+        # We need Python 3.13 for older CLI versions because they are not compatible with Python 3.14 or newer.
+        # See https://github.com/github/codeql-action/pull/3212
+        if: matrix.version != 'nightly-latest' && matrix.version != 'linked'
+        uses: actions/setup-python@v6
+        with:
+          python-version: '3.13'
+
      - name: Use Xcode 16
        if: runner.os == 'macOS' && matrix.version != 'nightly-latest'
        run: sudo xcode-select -s "/Applications/Xcode_16.app"
@@ -35,11 +35,6 @@ on:
        description: The version of Go to install
        required: false
        default: '>=1.21.0'
-      python-version:
-        type: string
-        description: The version of Python to install
-        required: false
-        default: '3.13'
  workflow_call:
    inputs:
      dotnet-version:
@@ -52,17 +47,12 @@ on:
        description: The version of Go to install
        required: false
        default: '>=1.21.0'
-      python-version:
-        type: string
-        description: The version of Python to install
-        required: false
-        default: '3.13'
 defaults:
  run:
    shell: bash
 concurrency:
  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: packaging-codescanning-config-inputs-js-${{github.ref}}-${{inputs.dotnet-version}}-${{inputs.go-version}}-${{inputs.python-version}}
+  group: packaging-codescanning-config-inputs-js-${{github.ref}}-${{inputs.dotnet-version}}-${{inputs.go-version}}
 jobs:
  packaging-codescanning-config-inputs-js:
    strategy:
@@ -101,11 +91,6 @@ jobs:
          cache: npm
      - name: Install dependencies
        run: npm ci
-      - name: Install Python
-        if: matrix.version != 'nightly-latest' || !matrix.version
-        uses: actions/setup-python@v6
-        with:
-          python-version: ${{ inputs.python-version || '3.13' }}
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -35,11 +35,6 @@ on:
        description: The version of Go to install
        required: false
        default: '>=1.21.0'
-      python-version:
-        type: string
-        description: The version of Python to install
-        required: false
-        default: '3.13'
  workflow_call:
    inputs:
      dotnet-version:
@@ -52,17 +47,12 @@ on:
        description: The version of Go to install
        required: false
        default: '>=1.21.0'
-      python-version:
-        type: string
-        description: The version of Python to install
-        required: false
-        default: '3.13'
 defaults:
  run:
    shell: bash
 concurrency:
  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: remote-config-${{github.ref}}-${{inputs.dotnet-version}}-${{inputs.go-version}}-${{inputs.python-version}}
+  group: remote-config-${{github.ref}}-${{inputs.dotnet-version}}-${{inputs.go-version}}
 jobs:
  remote-config:
    strategy:
@@ -92,11 +82,6 @@ jobs:
        with:
          go-version: ${{ inputs.go-version || '>=1.21.0' }}
          cache: false
-      - name: Install Python
-        if: matrix.version != 'nightly-latest' || !matrix.version
-        uses: actions/setup-python@v6
-        with:
-          python-version: ${{ inputs.python-version || '3.13' }}
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -39,10 +39,10 @@ jobs:
      fail-fast: false
      matrix:
        include:
-          - os: ubuntu-latest
-            version: default
          - os: ubuntu-latest
            version: linked
+          - os: ubuntu-latest
+            version: default
          - os: ubuntu-latest
            version: nightly-latest
    name: Resolve environment
@@ -35,11 +35,6 @@ on:
        description: The version of Go to install
        required: false
        default: '>=1.21.0'
-      python-version:
-        type: string
-        description: The version of Python to install
-        required: false
-        default: '3.13'
  workflow_call:
    inputs:
      dotnet-version:
@@ -52,17 +47,12 @@ on:
        description: The version of Go to install
        required: false
        default: '>=1.21.0'
-      python-version:
-        type: string
-        description: The version of Python to install
-        required: false
-        default: '3.13'
 defaults:
  run:
    shell: bash
 concurrency:
  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: unset-environment-${{github.ref}}-${{inputs.dotnet-version}}-${{inputs.go-version}}-${{inputs.python-version}}
+  group: unset-environment-${{github.ref}}-${{inputs.dotnet-version}}-${{inputs.go-version}}
 jobs:
  unset-environment:
    strategy:
@@ -92,11 +82,6 @@ jobs:
        with:
          go-version: ${{ inputs.go-version || '>=1.21.0' }}
          cache: false
-      - name: Install Python
-        if: matrix.version != 'nightly-latest' || !matrix.version
-        uses: actions/setup-python@v6
-        with:
-          python-version: ${{ inputs.python-version || '3.13' }}
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -35,11 +35,6 @@ on:
        description: The version of Go to install
        required: false
        default: '>=1.21.0'
-      python-version:
-        type: string
-        description: The version of Python to install
-        required: false
-        default: '3.13'
  workflow_call:
    inputs:
      dotnet-version:
@@ -52,17 +47,12 @@ on:
        description: The version of Go to install
        required: false
        default: '>=1.21.0'
-      python-version:
-        type: string
-        description: The version of Python to install
-        required: false
-        default: '3.13'
 defaults:
  run:
    shell: bash
 concurrency:
  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: upload-ref-sha-input-${{github.ref}}-${{inputs.dotnet-version}}-${{inputs.go-version}}-${{inputs.python-version}}
+  group: upload-ref-sha-input-${{github.ref}}-${{inputs.dotnet-version}}-${{inputs.go-version}}
 jobs:
  upload-ref-sha-input:
    strategy:
@@ -90,11 +80,6 @@ jobs:
        with:
          go-version: ${{ inputs.go-version || '>=1.21.0' }}
          cache: false
-      - name: Install Python
-        if: matrix.version != 'nightly-latest' || !matrix.version
-        uses: actions/setup-python@v6
-        with:
-          python-version: ${{ inputs.python-version || '3.13' }}
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -35,11 +35,6 @@ on:
        description: The version of Go to install
        required: false
        default: '>=1.21.0'
-      python-version:
-        type: string
-        description: The version of Python to install
-        required: false
-        default: '3.13'
  workflow_call:
    inputs:
      dotnet-version:
@@ -52,17 +47,12 @@ on:
        description: The version of Go to install
        required: false
        default: '>=1.21.0'
-      python-version:
-        type: string
-        description: The version of Python to install
-        required: false
-        default: '3.13'
 defaults:
  run:
    shell: bash
 concurrency:
  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: upload-sarif-${{github.ref}}-${{inputs.dotnet-version}}-${{inputs.go-version}}-${{inputs.python-version}}
+  group: upload-sarif-${{github.ref}}-${{inputs.dotnet-version}}-${{inputs.go-version}}
 jobs:
  upload-sarif:
    strategy:
@@ -97,11 +87,6 @@ jobs:
        with:
          go-version: ${{ inputs.go-version || '>=1.21.0' }}
          cache: false
-      - name: Install Python
-        if: matrix.version != 'nightly-latest' || !matrix.version
-        uses: actions/setup-python@v6
-        with:
-          python-version: ${{ inputs.python-version || '3.13' }}
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -35,11 +35,6 @@ on:
        description: The version of Go to install
        required: false
        default: '>=1.21.0'
-      python-version:
-        type: string
-        description: The version of Python to install
-        required: false
-        default: '3.13'
  workflow_call:
    inputs:
      dotnet-version:
@@ -52,17 +47,12 @@ on:
        description: The version of Go to install
        required: false
        default: '>=1.21.0'
-      python-version:
-        type: string
-        description: The version of Python to install
-        required: false
-        default: '3.13'
 defaults:
  run:
    shell: bash
 concurrency:
  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: with-checkout-path-${{github.ref}}-${{inputs.dotnet-version}}-${{inputs.go-version}}-${{inputs.python-version}}
+  group: with-checkout-path-${{github.ref}}-${{inputs.dotnet-version}}-${{inputs.go-version}}
 jobs:
  with-checkout-path:
    strategy:
@@ -91,11 +81,6 @@ jobs:
        with:
          go-version: ${{ inputs.go-version || '>=1.21.0' }}
          cache: false
-      - name: Install Python
-        if: matrix.version != 'nightly-latest' || !matrix.version
-        uses: actions/setup-python@v6
-        with:
-          python-version: ${{ inputs.python-version || '3.13' }}
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -11,6 +11,7 @@ env:
  CODEQL_ACTION_OVERLAY_ANALYSIS: true
  CODEQL_ACTION_OVERLAY_ANALYSIS_JAVASCRIPT: false
  CODEQL_ACTION_OVERLAY_ANALYSIS_CODE_SCANNING_JAVASCRIPT: true
+  CODEQL_ACTION_OVERLAY_ANALYSIS_CODE_SCANNING_CPP: true
  CODEQL_ACTION_OVERLAY_ANALYSIS_STATUS_CHECK: false
  CODEQL_ACTION_OVERLAY_ANALYSIS_SKIP_RESOURCE_CHECKS: true

@@ -89,7 +89,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Download all artifacts
-        uses: actions/download-artifact@v7
+        uses: actions/download-artifact@v8
      - name: Check expected artifacts exist
        run: |
          LANGUAGES="cpp csharp go java javascript python"
@@ -83,7 +83,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Download all artifacts
-        uses: actions/download-artifact@v7
+        uses: actions/download-artifact@v8
      - name: Check expected artifacts exist
        run: |
          VERSIONS="stable-v2.20.3 default linked nightly-latest"
@@ -131,7 +131,7 @@ jobs:
          echo "::endgroup::"

      - name: Generate token
-        uses: actions/create-github-app-token@v2.2.1
+        uses: actions/create-github-app-token@v3.0.0
        id: app-token
        with:
          app-id: ${{ vars.AUTOMATION_APP_ID }}
@@ -52,19 +52,10 @@ jobs:
      - name: Verify compiled JS up to date
        run: .github/workflows/script/check-js.sh

-      - name: Verify PR checks up to date
-        if: always()
-        run: .github/workflows/script/verify-pr-checks.sh
-
      - name: Run unit tests
        if: always()
        run: npm test

-      - name: Run pr-checks tests
-        if: always()
-        working-directory: pr-checks
-        run: npm ci && npx tsx --test
-
      - name: Lint
        if: always() && matrix.os != 'windows-latest'
        run: npm run lint-ci
@@ -76,6 +67,43 @@ jobs:
          sarif_file: eslint.sarif
          category: eslint

+  # Verifying the PR checks are up-to-date requires Node 24. The PR checks are not dependent
+  # on the main codebase and therefore do not need to be run as part of the same matrix that
+  # we use for the `unit-tests` job.
+  verify-pr-checks:
+    name: Verify PR checks
+    if: github.triggering_actor != 'dependabot[bot]'
+    permissions:
+      contents: read
+    runs-on: ubuntu-slim
+    timeout-minutes: 10
+
+    steps:
+      - name: Prepare git (Windows)
+        if: runner.os == 'Windows'
+        run: git config --global core.autocrlf false
+
+      - name: Checkout repository
+        uses: actions/checkout@v6
+
+      - name: Set up Node.js
+        uses: actions/setup-node@v6
+        with:
+          node-version: 24
+          cache: 'npm'
+
+      - name: Install dependencies
+        run: npm ci
+
+      - name: Verify PR checks up to date
+        if: always()
+        run: .github/workflows/script/verify-pr-checks.sh
+
+      - name: Run pr-checks tests
+        if: always()
+        working-directory: pr-checks
+        run: npx tsx --test
+
  check-node-version:
    if: github.triggering_actor != 'dependabot[bot]'
    name: Check Action Node versions
@@ -29,6 +29,12 @@ jobs:
          fetch-depth: 0
          ref: ${{ env.HEAD_REF }}

+      - name: Set up Node.js
+        uses: actions/setup-node@v6
+        with:
+          node-version: 24
+          cache: 'npm'
+
      - name: Remove label
        if: github.event_name == 'pull_request'
        env:
@@ -49,9 +55,18 @@ jobs:
          git fetch origin "$BASE_BRANCH"

          # Allow merge conflicts in `lib`, since rebuilding should resolve them.
-          git merge "origin/$BASE_BRANCH" || echo "Merge conflicts detected, continuing."
+          git merge "origin/$BASE_BRANCH"
          MERGE_RESULT=$?

+          if [ "$MERGE_RESULT" -eq 0 ]; then
+            echo "Merge succeeded cleanly."
+          elif [ "$MERGE_RESULT" -eq 1 ]; then
+            echo "Merge conflicts detected (exit code $MERGE_RESULT), continuing."
+          else
+            echo "git merge failed with unexpected exit code $MERGE_RESULT."
+            exit 1
+          fi
+
          if [ "$MERGE_RESULT" -ne 0 ]; then
            echo "merge-in-progress=true" >> $GITHUB_OUTPUT

@@ -79,7 +94,7 @@ jobs:
        working-directory: pr-checks
        run: |
          npm ci
-          npx tsx sync_back.ts --verbose
+          npx tsx sync-back.ts --verbose

      - name: Generate workflows
        working-directory: pr-checks
@@ -104,7 +119,7 @@ jobs:
            # Otherwise, just commit the changes.
            if git rev-parse --verify MERGE_HEAD >/dev/null 2>&1; then
              echo "In progress merge detected, finishing it up."
-              git merge --continue --no-edit
+              git commit --no-edit
            else
              echo "No in-progress merge detected, committing changes."
              git commit -m "Rebuild"
@@ -136,7 +136,7 @@ jobs:

      - name: Generate token
        if: github.event_name == 'workflow_dispatch'
-        uses: actions/create-github-app-token@v2.2.1
+        uses: actions/create-github-app-token@v3.0.0
        id: app-token
        with:
          app-id: ${{ vars.AUTOMATION_APP_ID }}
@@ -93,7 +93,7 @@ jobs:
      pull-requests: write # needed to create pull request
    steps:
    - name: Generate token
-      uses: actions/create-github-app-token@v2.2.1
+      uses: actions/create-github-app-token@v3.0.0
      id: app-token
      with:
        app-id: ${{ vars.AUTOMATION_APP_ID }}
@@ -4,7 +4,27 @@ See the [releases page](https://github.com/github/codeql-action/releases) for th

 ## [UNRELEASED]

-No user facing changes.
+- Added an experimental change which disables TRAP caching when [improved incremental analysis](https://github.com/github/roadmap/issues/1158) is enabled, since improved incremental analysis supersedes TRAP caching. This will improve performance and reduce Actions cache usage. We expect to roll this change out to everyone in March. [#3569](https://github.com/github/codeql-action/pull/3569)
+- We are rolling out improved incremental analysis to C/C++ analyses that use build mode `none`. We expect this rollout to be complete by the end of April 2026. [#3584](https://github.com/github/codeql-action/pull/3584)
+- Update default CodeQL bundle version to [2.25.0](https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.25.0). [#3585](https://github.com/github/codeql-action/pull/3585)
+
+## 4.33.0 - 16 Mar 2026
+
+- Upcoming change: Starting April 2026, the CodeQL Action will skip collecting file coverage information on pull requests to improve analysis performance. File coverage information will still be computed on non-PR analyses. Pull request analyses will log a warning about this upcoming change. [#3562](https://github.com/github/codeql-action/pull/3562)
+
+  To opt out of this change:
+  - **Repositories owned by an organization:** Create a custom repository property with the name `github-codeql-file-coverage-on-prs` and the type "True/false", then set this property to `true` in the repository's settings. For more information, see [Managing custom properties for repositories in your organization](https://docs.github.com/en/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization). Alternatively, if you are using an advanced setup workflow, you can set the `CODEQL_ACTION_FILE_COVERAGE_ON_PRS` environment variable to `true` in your workflow.
+  - **User-owned repositories using default setup:** Switch to an advanced setup workflow and set the `CODEQL_ACTION_FILE_COVERAGE_ON_PRS` environment variable to `true` in your workflow.
+  - **User-owned repositories using advanced setup:** Set the `CODEQL_ACTION_FILE_COVERAGE_ON_PRS` environment variable to `true` in your workflow.
+- Fixed [a bug](https://github.com/github/codeql-action/issues/3555) which caused the CodeQL Action to fail loading repository properties if a "Multi select" repository property was configured for the repository. [#3557](https://github.com/github/codeql-action/pull/3557)
+- The CodeQL Action now loads [custom repository properties](https://docs.github.com/en/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization) on GitHub Enterprise Server, enabling the customization of features such as `github-codeql-disable-overlay` that was previously only available on GitHub.com. [#3559](https://github.com/github/codeql-action/pull/3559)
+- Once [private package registries](https://docs.github.com/en/code-security/how-tos/secure-at-scale/configure-organization-security/manage-usage-and-access/giving-org-access-private-registries) can be configured with OIDC-based authentication for organizations, the CodeQL Action will now be able to accept such configurations. [#3563](https://github.com/github/codeql-action/pull/3563)
+- Fixed the retry mechanism for database uploads. Previously this would fail with the error "Response body object should not be disturbed or locked". [#3564](https://github.com/github/codeql-action/pull/3564)
+- A warning is now emitted if the CodeQL Action detects a repository property whose name suggests that it relates to the CodeQL Action, but which is not one of the properties recognised by the current version of the CodeQL Action. [#3570](https://github.com/github/codeql-action/pull/3570)
+
+## 4.32.6 - 05 Mar 2026
+
+- Update default CodeQL bundle version to [2.24.3](https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.24.3). [#3548](https://github.com/github/codeql-action/pull/3548)

 ## 4.32.5 - 02 Mar 2026

@@ -0,0 +1,9 @@
+export default {
+  typescript: {
+    rewritePaths: {
+      "src/": "build/",
+    },
+    compile: false,
+  },
+  require: ["./ava.setup.mjs"],
+};
@@ -0,0 +1,3 @@
+import pkg from "./package.json" with { type: "json" };
+
+globalThis.__CODEQL_ACTION_VERSION__ = pkg.version;
@@ -5,6 +5,8 @@ import { fileURLToPath } from "node:url";
 import * as esbuild from "esbuild";
 import { globSync } from "glob";

+import pkg from "./package.json" with { type: "json" };
+
 const __filename = fileURLToPath(import.meta.url);
 const __dirname = dirname(__filename);

@@ -13,7 +15,7 @@ const OUT_DIR = join(__dirname, "lib");

 /**
 * Clean the output directory before building.
- * 
+ *
 * @type {esbuild.Plugin}
 */
 const cleanPlugin = {
@@ -27,7 +29,7 @@ const cleanPlugin = {

 /**
 * Copy defaults.json to the output directory since other projects depend on it.
- * 
+ *
 * @type {esbuild.Plugin}
 */
 const copyDefaultsPlugin = {
@@ -69,6 +71,9 @@ const context = await esbuild.context({
  platform: "node",
  plugins: [cleanPlugin, copyDefaultsPlugin, onEndPlugin],
  target: ["node20"],
+  define: {
+    __CODEQL_ACTION_VERSION__: JSON.stringify(pkg.version),
+  },
 });

 await context.rebuild();
@@ -19,9 +19,10 @@ export default [
      "src/testdata/**/*",
      "tests/**/*",
      "build.mjs",
+      "ava.config.mjs",
+      "ava.setup.mjs",
      "eslint.config.mjs",
      ".github/**/*",
-      "pr-checks/**/*",
    ],
  },
  // eslint recommended config
@@ -161,10 +162,36 @@ export default [
      "@typescript-eslint/no-unused-vars": [
        "error",
        {
+          "args": "all",
          "argsIgnorePattern": "^_",
        }
      ],
      "func-style": "off",
    },
  },
+  {
+    files: ["pr-checks/**/*.ts"],
+
+    languageOptions: {
+      parserOptions: {
+        // Use the correct `tsconfig.json` for `pr-checks`.
+        project: "./pr-checks/tsconfig.json",
+      },
+    },
+
+    rules: {
+      // The scripts in `pr-checks` are expected to output to the console.
+      "no-console": "off",
+
+      "@typescript-eslint/no-floating-promises": [
+        "error",
+        {
+          allowForKnownSafeCalls: [
+            // Avoid needing explicit `void` in front of `describe` calls in test files.
+            { from: "package", name: ["describe"], package: "node:test" },
+          ],
+        },
+      ],
+    },
+  },
 ];
@@ -1,6 +1,6 @@
 {
-  "bundleVersion": "codeql-bundle-v2.24.2",
-  "cliVersion": "2.24.2",
-  "priorBundleVersion": "codeql-bundle-v2.24.1",
-  "priorCliVersion": "2.24.1"
+  "bundleVersion": "codeql-bundle-v2.25.0",
+  "cliVersion": "2.25.0",
+  "priorBundleVersion": "codeql-bundle-v2.24.3",
+  "priorCliVersion": "2.24.3"
 }
@@ -1,6 +1,6 @@
 {
  "name": "codeql",
-  "version": "4.32.6",
+  "version": "4.34.0",
  "private": true,
  "description": "CodeQL action",
  "scripts": {
@@ -14,15 +14,10 @@
    "test-debug": "npm run test -- --timeout=20m",
    "transpile": "tsc --build --verbose"
  },
-  "ava": {
-    "typescript": {
-      "rewritePaths": {
-        "src/": "build/"
-      },
-      "compile": false
-    }
-  },
  "license": "MIT",
+  "workspaces": [
+    "pr-checks"
+  ],
  "dependencies": {
    "@actions/artifact": "^5.0.3",
    "@actions/artifact-legacy": "npm:@actions/artifact@^1.1.2",
@@ -50,7 +45,7 @@
  },
  "devDependencies": {
    "@ava/typescript": "6.0.0",
-    "@eslint/compat": "^2.0.2",
+    "@eslint/compat": "^2.0.3",
    "@microsoft/eslint-formatter-sarif": "^3.1.0",
    "@octokit/types": "^16.0.0",
    "@types/archiver": "^7.0.0",
@@ -61,20 +56,20 @@
    "@types/sarif": "^2.1.7",
    "@types/semver": "^7.7.1",
    "@types/sinon": "^21.0.0",
-    "ava": "^6.4.1",
+    "ava": "^7.0.0",
    "esbuild": "^0.27.3",
    "eslint": "^9.39.2",
    "eslint-import-resolver-typescript": "^3.8.7",
    "eslint-plugin-github": "^6.0.0",
    "eslint-plugin-import-x": "^4.16.1",
-    "eslint-plugin-jsdoc": "^62.6.0",
+    "eslint-plugin-jsdoc": "^62.7.1",
    "eslint-plugin-no-async-foreach": "^0.1.1",
    "glob": "^11.1.0",
-    "globals": "^17.3.0",
+    "globals": "^17.4.0",
    "nock": "^14.0.11",
-    "sinon": "^21.0.1",
+    "sinon": "^21.0.2",
    "typescript": "^5.9.3",
-    "typescript-eslint": "^8.56.0"
+    "typescript-eslint": "^8.57.0"
  },
  "overrides": {
    "@actions/tool-cache": {
@@ -1,7 +1,11 @@
 name: "All-platform bundle"
 description: "Tests using an all-platform CodeQL Bundle"
-operatingSystems: ["ubuntu", "macos", "windows"]
-versions: ["nightly-latest"]
+operatingSystems:
+  - ubuntu
+  - macos
+  - windows
+versions:
+  - nightly-latest
 useAllPlatformBundle: "true"
 installGo: true
 installDotNet: true
@@ -1,7 +1,13 @@
 name: "Analysis kinds"
 description: "Tests basic functionality for different `analysis-kinds` inputs."
-versions: ["linked", "nightly-latest"]
-analysisKinds: ["code-scanning", "code-quality", "code-scanning,code-quality", "risk-assessment"]
+versions:
+  - linked
+  - nightly-latest
+analysisKinds:
+  - code-scanning
+  - code-quality
+  - code-scanning,code-quality
+  - risk-assessment
 env:
  CODEQL_ACTION_RISK_ASSESSMENT_ID: 1
  CHECK_SCRIPT: |
@@ -40,7 +46,7 @@ steps:
      post-processed-sarif-path: "${{ runner.temp }}/post-processed"

  - name: Upload SARIF files
-    uses: actions/upload-artifact@v6
+    uses: actions/upload-artifact@v7
    with:
      name: |
        analysis-kinds-${{ matrix.os }}-${{ matrix.version }}-${{ matrix.analysis-kinds }}
@@ -48,7 +54,7 @@ steps:
      retention-days: 7

  - name: Upload post-processed SARIF
-    uses: actions/upload-artifact@v6
+    uses: actions/upload-artifact@v7
    with:
      name: |
        post-processed-${{ matrix.os }}-${{ matrix.version }}-${{ matrix.analysis-kinds }}
@@ -1,8 +1,8 @@
 name: "Analyze: 'ref' and 'sha' from inputs"
 description: "Checks that specifying 'ref' and 'sha' as inputs works"
-versions: ["default"]
+versions:
+  - default
 installGo: true
-installPython: true
 installDotNet: true
 steps:
  - uses: ./../action/init
@@ -1,7 +1,11 @@
 name: "autobuild-action"
 description: "Tests that the C# autobuild action works"
-operatingSystems: ["ubuntu", "macos", "windows"]
-versions: ["linked"]
+operatingSystems:
+  - ubuntu
+  - macos
+  - windows
+versions:
+  - linked
 installDotNet: true
 steps:
  - uses: ./../action/init
@@ -3,8 +3,12 @@ description: >
  An end-to-end integration test of a Java repository built using 'build-mode: autobuild',
  with direct tracing enabled and a custom working directory specified as the input to the
  autobuild Action.
-operatingSystems: ["ubuntu", "windows"]
-versions: ["linked", "nightly-latest"]
+operatingSystems:
+  - ubuntu
+  - windows
+versions:
+  - linked
+  - nightly-latest
 installJava: true
 env:
  CODEQL_ACTION_AUTOBUILD_BUILD_MODE_DIRECT_TRACING: true
@@ -1,6 +1,7 @@
 name: "Autobuild working directory"
 description: "Tests working-directory input of autobuild action"
-versions: ["linked"]
+versions:
+  - linked
 steps:
  - name: Test setup
    run: |
@@ -1,7 +1,11 @@
 name: "Build mode autobuild"
 description: "An end-to-end integration test of a Java repository built using 'build-mode: autobuild'"
-operatingSystems: ["ubuntu", "windows"]
-versions: ["linked", "nightly-latest"]
+operatingSystems:
+  - ubuntu
+  - windows
+versions:
+  - linked
+  - nightly-latest
 installJava: true
 installYq: true
 steps:
@@ -1,6 +1,7 @@
 name: "Build mode manual"
 description: "An end-to-end integration test of a Java repository built using 'build-mode: manual'"
-versions: ["nightly-latest"]
+versions:
+  - nightly-latest
 installGo: true
 installDotNet: true
 steps:
@@ -1,6 +1,8 @@
 name: "Build mode none"
 description: "An end-to-end integration test of a Java repository built using 'build-mode: none'"
-versions: ["linked", "nightly-latest"]
+versions:
+  - linked
+  - nightly-latest
 steps:
  - uses: ./../action/init
    id: init
@@ -1,6 +1,7 @@
 name: "Build mode rollback"
 description: "The build mode is rolled back from none to autobuild when the relevant feature flag is enabled."
-versions: ["nightly-latest"]
+versions:
+  - nightly-latest
 env:
  CODEQL_ACTION_DISABLE_JAVA_BUILDLESS: true
 steps:
@@ -3,8 +3,8 @@ description: "The CodeQL bundle should be cached within the toolcache"
 versions:
  - linked
 operatingSystems:
-  - macos
  - ubuntu
+  - macos
  - windows
 steps:
  - name: Remove CodeQL from toolcache
@@ -3,8 +3,8 @@ description: "A Zstandard CodeQL bundle should be extracted on supported operati
 versions:
  - linked
 operatingSystems:
-  - macos
  - ubuntu
+  - macos
  - windows
 steps:
  - name: Remove CodeQL from toolcache
@@ -27,7 +27,7 @@ steps:
      output: ${{ runner.temp }}/results
      upload-database: false
  - name: Upload SARIF
-    uses: actions/upload-artifact@v6
+    uses: actions/upload-artifact@v7
    with:
      name: ${{ matrix.os }}-zstd-bundle.sarif
      path: ${{ runner.temp }}/results/javascript.sarif
@@ -1,6 +1,7 @@
 name: "Clean up database cluster directory"
 description: "The database cluster directory is cleaned up if it is not empty."
-versions: ["linked"]
+versions:
+  - linked
 steps:
  - name: Add a file to the database cluster directory
    run: |
@@ -1,6 +1,8 @@
 name: "Config export"
 description: "Tests that the code scanning configuration file is exported to SARIF correctly."
-versions: ["linked", "nightly-latest"]
+versions:
+  - linked
+  - nightly-latest
 steps:
  - uses: ./../action/init
    with:
@@ -12,7 +14,7 @@ steps:
      output: "${{ runner.temp }}/results"
      upload-database: false
  - name: Upload SARIF
-    uses: actions/upload-artifact@v6
+    uses: actions/upload-artifact@v7
    with:
      name: config-export-${{ matrix.os }}-${{ matrix.version }}.sarif.json
      path: "${{ runner.temp }}/results/javascript.sarif"
@@ -1,7 +1,8 @@
 name: "Config input"
 description: "Tests specifying configuration using the config input"
 installNode: true
-versions: ["linked"]
+versions:
+  - linked
 steps:
  - name: Copy queries into workspace
    run: |
@@ -1,6 +1,9 @@
 name: "C/C++: disabling autoinstalling dependencies (Linux)"
 description: "Checks that running C/C++ autobuild with autoinstalling dependencies explicitly disabled works"
-versions: ["linked", "default", "nightly-latest"]
+versions:
+  - linked
+  - default
+  - nightly-latest
 env:
  DOTNET_GENERATE_ASPNET_CERTIFICATE: "false"
 steps:
@@ -1,7 +1,10 @@
 name: "C/C++: autoinstalling dependencies is skipped (macOS)"
 description: "Checks that running C/C++ autobuild with autoinstalling dependencies explicitly enabled is a no-op on macOS"
-operatingSystems: ["macos"]
-versions: ["linked", "nightly-latest"]
+operatingSystems:
+  - macos
+versions:
+  - linked
+  - nightly-latest
 env:
  DOTNET_GENERATE_ASPNET_CERTIFICATE: "false"
 steps:
@@ -1,6 +1,9 @@
 name: "C/C++: autoinstalling dependencies (Linux)"
 description: "Checks that running C/C++ autobuild with autoinstalling dependencies works"
-versions: ["linked", "default", "nightly-latest"]
+versions:
+  - linked
+  - default
+  - nightly-latest
 env:
  DOTNET_GENERATE_ASPNET_CERTIFICATE: "false"
 steps:
@@ -1,6 +1,8 @@
 name: "Diagnostic export"
 description: "Tests that manually added diagnostics are correctly exported to SARIF."
-versions: ["linked", "nightly-latest"]
+versions:
+  - linked
+  - nightly-latest
 env:
  CODEQL_ACTION_EXPORT_DIAGNOSTICS: true
 steps:
@@ -25,7 +27,7 @@ steps:
      output: "${{ runner.temp }}/results"
      upload-database: false
  - name: Upload SARIF
-    uses: actions/upload-artifact@v6
+    uses: actions/upload-artifact@v7
    with:
      name: diagnostics-export-${{ matrix.os }}-${{ matrix.version }}.sarif.json
      path: "${{ runner.temp }}/results/javascript.sarif"
@@ -1,7 +1,11 @@
 name: "Export file baseline information"
 description: "Tests that file baseline information is exported when the feature is enabled"
-operatingSystems: ["ubuntu", "macos", "windows"]
-versions: ["nightly-latest"]
+operatingSystems:
+  - ubuntu
+  - macos
+  - windows
+versions:
+  - nightly-latest
 installGo: true
 installDotNet: true
 env:
@@ -19,7 +23,7 @@ steps:
    with:
      output: "${{ runner.temp }}/results"
  - name: Upload SARIF
-    uses: actions/upload-artifact@v6
+    uses: actions/upload-artifact@v7
    with:
      name: with-baseline-information-${{ matrix.os }}-${{ matrix.version }}.sarif.json
      path: "${{ runner.temp }}/results/javascript.sarif"
@@ -1,6 +1,7 @@
 name: "Extractor ram and threads options test"
 description: "Tests passing RAM and threads limits to extractors"
-versions: ["linked"]
+versions:
+  - linked
 steps:
  - uses: ./../action/init
    with:
@@ -1,6 +1,8 @@
 name: "Proxy test"
 description: "Tests using a proxy specified by the https_proxy environment variable"
-versions: ["linked", "nightly-latest"]
+versions:
+  - linked
+  - nightly-latest
 container:
  image: ubuntu:22.04
 services:
@@ -2,7 +2,8 @@ name: "Go: diagnostic when Go is changed after init step"
 description: "Checks that we emit a diagnostic if Go is changed after the init step"
 # only Linux is affected
 # pinned to a version which does not support statically linked binaries for indirect tracing
-versions: ["default"]
+versions:
+  - default
 installGo: true
 collection: go
 steps:
@@ -2,7 +2,8 @@ name: "Go: diagnostic when `file` is not installed"
 description: "Checks that we emit a diagnostic if the `file` program is not installed"
 # only Linux is affected
 # pinned to a version which does not support statically linked binaries for indirect tracing
-versions: ["default"]
+versions:
+  - default
 installGo: true
 collection: go
 steps:
@@ -2,7 +2,8 @@ name: "Go: workaround for indirect tracing"
 description: "Checks that our workaround for indirect tracing for Go 1.21+ on Linux works"
 # only Linux is affected
 # pinned to a version which does not support statically linked binaries for indirect tracing
-versions: ["default"]
+versions:
+  - default
 installGo: true
 collection: go
 steps:
@@ -1,7 +1,13 @@
 name: "Go: tracing with autobuilder step"
 description: "Checks that Go tracing works when using an autobuilder step"
 collection: go
-operatingSystems: ["ubuntu", "macos"]
+operatingSystems:
+  - ubuntu
+  - macos
+osCodeQlVersions:
+  macos:
+    - linked
+    - nightly-latest
 env:
  DOTNET_GENERATE_ASPNET_CERTIFICATE: "false"
 installGo: true
@@ -1,7 +1,13 @@
 name: "Go: tracing with custom build steps"
 description: "Checks that Go tracing traces the build when using custom build steps"
 collection: go
-operatingSystems: ["ubuntu", "macos"]
+operatingSystems:
+  - ubuntu
+  - macos
+osCodeQlVersions:
+  macos:
+    - linked
+    - nightly-latest
 installGo: true
 steps:
  - uses: ./../action/init
@@ -1,7 +1,13 @@
 name: "Go: tracing with legacy workflow"
 description: "Checks that we run the autobuilder in legacy workflows with neither an autobuild step nor manual build steps"
 collection: go
-operatingSystems: ["ubuntu", "macos"]
+operatingSystems:
+  - ubuntu
+  - macos
+osCodeQlVersions:
+  macos:
+    - linked
+    - nightly-latest
 env:
  DOTNET_GENERATE_ASPNET_CERTIFICATE: "false"
 installGo: true
@@ -4,12 +4,11 @@
 # basic mechanics of multi-registry auth is working.
 name: "Packaging: Download using registries"
 description: "Checks that specifying a registries block and associated auth works as expected"
-versions: [
-    # This feature is not compatible with older CLIs
-    "default",
-    "linked",
-    "nightly-latest",
-]
+versions:
+  # This feature is not compatible with older CLIs
+  - default
+  - linked
+  - nightly-latest

 permissions:
  contents: read
@@ -1,6 +1,10 @@
 name: "Custom source root"
 description: "Checks that the argument specifying a non-default source root works"
-versions: ["linked", "default", "nightly-latest"] # This feature is not compatible with old CLIs
+# This feature is not compatible with old CLIs
+versions:
+  - linked
+  - default
+  - nightly-latest
 steps:
  - name: Move codeql-action
    run: |
@@ -1,6 +1,7 @@
 name: "Job run UUID added to SARIF"
 description: "Tests that the job run UUID is added to the SARIF output"
-versions: ["nightly-latest"]
+versions:
+  - nightly-latest
 steps:
  - uses: ./../action/init
    id: init
@@ -11,7 +12,7 @@ steps:
    with:
      output: "${{ runner.temp }}/results"
  - name: Upload SARIF
-    uses: actions/upload-artifact@v6
+    uses: actions/upload-artifact@v7
    with:
      name: ${{ matrix.os }}-${{ matrix.version }}.sarif.json
      path: "${{ runner.temp }}/results/javascript.sarif"
@@ -1,6 +1,7 @@
 name: "Language aliases"
 description: "Tests that language aliases are resolved correctly"
-versions: ["linked"]
+versions:
+  - linked
 steps:
  - uses: ./../action/init
    with:
@@ -1,8 +1,8 @@
 name: "Local CodeQL bundle"
 description: "Tests using a CodeQL bundle from a local file rather than a URL"
-versions: ["linked"]
+versions:
+  - linked
 installGo: true
-installPython: true
 installDotNet: true
 steps:
  - name: Fetch latest CodeQL bundle
@@ -1,12 +1,21 @@
 name: "Multi-language repository"
-description: "An end-to-end integration test of a multi-language repository using automatic language detection for macOS"
-operatingSystems: ["macos", "ubuntu"]
+description: "An end-to-end integration test of a multi-language repository using automatic language detection"
+operatingSystems:
+  - ubuntu
+  - macos
 env:
  CODEQL_ACTION_RESOLVE_SUPPORTED_LANGUAGES_USING_CLI: true
 installGo: true
-installPython: true
 installDotNet: true
 steps:
+  - name: Install Python 3.13 for older CLI versions
+    # We need Python 3.13 for older CLI versions because they are not compatible with Python 3.14 or newer.
+    # See https://github.com/github/codeql-action/pull/3212
+    if: matrix.version != 'nightly-latest' && matrix.version != 'linked'
+    uses: actions/setup-python@v6
+    with:
+      python-version: "3.13"
+
  - name: Use Xcode 16
    if: runner.os == 'macOS' && matrix.version != 'nightly-latest'
    run: sudo xcode-select -s "/Applications/Xcode_16.app"
@@ -1,6 +1,8 @@
 name: "Overlay database init fallback"
 description: "Tests that overlay init action succeeds with non-overlay packs"
-versions: ["linked", "nightly-latest"]
+versions:
+  - linked
+  - nightly-latest
 steps:
  - uses: ./../action/init
    with:
@@ -1,9 +1,12 @@
 name: "Packaging: Config and input passed to the CLI"
 description: "Checks that specifying packages using a combination of a config file and input to the Action works"
-versions: ["linked", "default", "nightly-latest"] # This feature is not compatible with old CLIs
+# This feature is not compatible with old CLIs
+versions:
+  - linked
+  - default
+  - nightly-latest
 installGo: true
 installNode: true
-installPython: true
 installDotNet: true
 steps:
  - uses: ./../action/init
@@ -1,6 +1,10 @@
 name: "Packaging: Config and input"
 description: "Checks that specifying packages using a combination of a config file and input to the Action works"
-versions: ["linked", "default", "nightly-latest"] # This feature is not compatible with old CLIs
+# This feature is not compatible with old CLIs
+versions:
+  - linked
+  - default
+  - nightly-latest
 installGo: true
 installNode: true
 installDotNet: true
@@ -1,6 +1,10 @@
 name: "Packaging: Config file"
 description: "Checks that specifying packages using only a config file works"
-versions: ["linked", "default", "nightly-latest"] # This feature is not compatible with old CLIs
+# This feature is not compatible with old CLIs
+versions:
+  - linked
+  - default
+  - nightly-latest
 installGo: true
 installNode: true
 installDotNet: true
@@ -1,6 +1,10 @@
 name: "Packaging: Action input"
 description: "Checks that specifying packages using the input to the Action works"
-versions: ["linked", "default", "nightly-latest"] # This feature is not compatible with old CLIs
+# This feature is not compatible with old CLIs
+versions:
+  - linked
+  - default
+  - nightly-latest
 installGo: true
 installNode: true
 installDotNet: true
@@ -6,7 +6,6 @@ versions:
  - linked
  - nightly-latest
 installGo: true
-installPython: true
 installDotNet: true
 steps:
  - uses: ./../action/init
@@ -1,6 +1,9 @@
 name: "Resolve environment"
 description: "Tests that the resolve-environment action works for Go and JavaScript/TypeScript"
-versions: ["default", "linked", "nightly-latest"]
+versions:
+  - linked
+  - default
+  - nightly-latest
 steps:
  - uses: ./../action/init
    with:
@@ -1,7 +1,8 @@
 name: "RuboCop multi-language"
 description: "Tests using RuboCop to analyze a multi-language repository and then using the CodeQL Action to upload the resulting SARIF"
 # This check doesn't use CodeQL, so the `version` matrix variable is unused.
-versions: ["default"]
+versions:
+  - default
 steps:
  - name: Set up Ruby
    uses: ruby/setup-ruby@09a7688d3b55cf0e976497ff046b70949eeaccfd # v1.288.0
@@ -1,7 +1,12 @@
 name: "Ruby analysis"
 description: "Tests creation of a Ruby database"
-versions: ["linked", "default", "nightly-latest"]
-operatingSystems: ["ubuntu", "macos"]
+versions:
+  - linked
+  - default
+  - nightly-latest
+operatingSystems:
+  - ubuntu
+  - macos
 steps:
  - uses: ./../action/init
    with:
@@ -1,7 +1,13 @@
 name: "Split workflow"
 description: "Tests a split-up workflow in which we first build a database and later analyze it"
-operatingSystems: ["ubuntu", "macos"]
-versions: ["linked", "default", "nightly-latest"] # This feature is not compatible with old CLIs
+operatingSystems:
+  - ubuntu
+  - macos
+# This feature is not compatible with old CLIs
+versions:
+  - linked
+  - default
+  - nightly-latest
 installGo: true
 installDotNet: true
 steps:
@@ -1,7 +1,11 @@
 name: "Start proxy"
 description: "Tests that the proxy can be initialised on all platforms"
-operatingSystems: ["ubuntu", "macos", "windows"]
-versions: ["linked"]
+operatingSystems:
+  - ubuntu
+  - macos
+  - windows
+versions:
+  - linked
 steps:
  - uses: ./../action/init
    with:
@@ -1,6 +1,9 @@
 name: Submit SARIF after failure
 description: Check that a SARIF file is submitted for the workflow run if it fails
-versions: ["linked", "default", "nightly-latest"]
+versions:
+  - linked
+  - default
+  - nightly-latest

 env:
  # Internal-only environment variable used to indicate that the post-init Action
@@ -1,7 +1,9 @@
 name: "Swift analysis using autobuild"
 description: "Tests creation of a Swift database using autobuild"
-versions: ["nightly-latest"]
-operatingSystems: ["macos"]
+versions:
+  - nightly-latest
+operatingSystems:
+  - macos
 steps:
  - uses: ./../action/init
    id: init
@@ -1,7 +1,11 @@
 name: "Swift analysis using a custom build command"
 description: "Tests creation of a Swift database using custom build"
-versions: ["linked", "default", "nightly-latest"]
-operatingSystems: ["macos"]
+versions:
+  - linked
+  - default
+  - nightly-latest
+operatingSystems:
+  - macos
 installGo: true
 installDotNet: true
 env:
@@ -6,7 +6,6 @@ versions:
  - linked
  - nightly-latest
 installGo: true
-installPython: true
 installDotNet: true
 steps:
  - uses: ./../action/init
@@ -1,8 +1,8 @@
 name: "Upload-sarif: 'ref' and 'sha' from inputs"
 description: "Checks that specifying 'ref' and 'sha' as inputs works"
-versions: ["default"]
+versions:
+  - default
 installGo: true
-installPython: true
 installDotNet: true
 steps:
  - uses: ./../action/init
@@ -1,9 +1,12 @@
 name: "Test different uses of `upload-sarif`"
 description: "Checks that uploading SARIFs to the code quality endpoint works"
-versions: ["default"]
-analysisKinds: ["code-scanning", "code-quality", "code-scanning,code-quality"]
+versions:
+  - default
+analysisKinds:
+  - code-scanning
+  - code-quality
+  - code-scanning,code-quality
 installGo: true
-installPython: true
 installDotNet: true
 steps:
  - uses: ./../action/init
@@ -1,8 +1,8 @@
 name: "Use a custom `checkout_path`"
 description: "Checks that a custom `checkout_path` will find the proper commit_oid"
-versions: ["linked"]
+versions:
+  - linked
 installGo: true
-installPython: true
 installDotNet: true
 steps:
  # This ensures we don't accidentally use the original checkout for any part of the test.
--- a/Show More
+++ b/Show More