Merge pull request #3373 from github/backport-v3.31.9-5d4e8d1ac

Merge releases/v4 into releases/v3

.github/actions/changed-files/action.yml

@@ -1,53 +0,0 @@
-name: Get changed files
-description: Outputs a stringified JSON array of changed files for a PR
-inputs:
-  github-token:
-    description: GitHub token
-    required: true
-  pattern:
-    description: "The glob pattern to use to check for changed files"
-    required: true
-    default: "${{ github.workspace }}/**/*"
-  exclude:
-    description: "A stringified JSON array of files to exclude"
-    required: false
-    default: "[]"
-outputs:
-  files:
-    description: Stringified JSON array of changed file paths
-    value: ${{ steps.changed-files.outputs.files }}
-runs:
-  using: "composite"
-  steps:
-    - name: Get changed files
-      id: changed-files
-      uses: actions/github-script@v7
-      env:
-        PATTERN: ${{ inputs.pattern }}
-        EXCLUDE: ${{ inputs.exclude }}
-      with:
-        github-token: ${{ inputs.github-token }}
-        script: |
-          const exclude = JSON.parse(process.env['EXCLUDE']);
-          const path = require('path');
-          const pr = context.payload.pull_request;
-          if (!pr) {
-            core.setOutput('files', JSON.stringify([]));
-            return;
-          }
-          const files = await github.paginate(
-            github.rest.pulls.listFiles,
-            {
-              owner: context.repo.owner,
-              repo: context.repo.repo,
-              pull_number: pr.number,
-              per_page: 100
-            }
-          );
-          const results = files
-            .filter(f => path.matchesGlob(
-              f.filename, process.env['PATTERN']
-            ) && !exclude.includes(f.filename))
-            .map(f => f.filename);
-          console.debug(results);
-          core.setOutput('files', JSON.stringify(results));

.github/actions/check-sarif/action.yml

@@ -16,5 +16,5 @@ inputs:
       Comma separated list of query ids that should NOT be included in this SARIF file.
 
 runs:
-  using: node24
+  using: node20
   main: index.js

.github/actions/verify-debug-artifact-scan-completed/action.yml

@@ -1,6 +0,0 @@
-name: Verify that the best-effort debug artifact scan completed
-description: Verifies that the best-effort debug artifact scan completed successfully during tests
-runs:
-  using: node24
-  main: index.js
-  post: post.js

.github/actions/verify-debug-artifact-scan-completed/index.js

@@ -1,2 +0,0 @@
-// The main step is a no-op, since we can only verify artifact scan completion in the post step.
-console.log("Will verify artifact scan completion in the post step.");

.github/actions/verify-debug-artifact-scan-completed/post.js

@@ -1,11 +0,0 @@
-// Post step - runs after the workflow completes, when artifact scan has finished
-const process = require("process");
-
-const scanFinished = process.env.CODEQL_ACTION_ARTIFACT_SCAN_FINISHED;
-
-if (scanFinished !== "true") {
-  console.error("Error: Best-effort artifact scan did not complete. Expected CODEQL_ACTION_ARTIFACT_SCAN_FINISHED=true");
-  process.exit(1);
-}
-
-console.log("✓ Best-effort artifact scan completed successfully");

.github/dependabot.yml

@@ -4,15 +4,14 @@ updates:
     directory: "/"
     schedule:
       interval: weekly
-    cooldown:
-      default-days: 7
-      exclude:
-        - "@actions/*"
     labels:
       - Rebuild
     # Ignore incompatible dependency updates
     ignore:
-      # This is broken due to the way configuration files have changed.
+      # There is a type incompatibility issue between v0.0.9 and our other dependencies.
+      - dependency-name: "@octokit/plugin-retry"
+        versions: ["~6.0.0"]
+      # This is broken due to the way configuration files have changed. 
       # This might be fixed when we move to eslint v9.
       - dependency-name: "eslint-plugin-import"
         versions: [">=2.30.0"]
@@ -29,10 +28,6 @@ updates:
       - "/.github/actions"
     schedule:
       interval: weekly
-    cooldown:
-      default-days: 7
-      exclude:
-        - "actions/*"
     labels:
       - Rebuild
     groups:

.github/pull_request_template.md

@@ -23,13 +23,13 @@ For internal use only. Please select the risk level of this change:
 Workflow types:
 
 - **Advanced setup** - Impacts users who have custom CodeQL workflows.
-- **Managed** - Impacts users with `dynamic` workflows (Default Setup, Code Quality, ...).
+- **Managed** - Impacts users with `dynamic` workflows (Default Setup, CCR, ...).
 
 Products:
 
 - **Code Scanning** - The changes impact analyses when `analysis-kinds: code-scanning`.
 - **Code Quality** - The changes impact analyses when `analysis-kinds: code-quality`.
-- **Other first-party** - The changes impact other first-party analyses.
+- **CCR** - The changes impact analyses for Copilot Code Reviews.
 - **Third-party analyses** - The changes affect the `upload-sarif` action.
 
 Environments:
@@ -54,7 +54,6 @@ Environments:
 
 - **Feature flags** - All new or changed code paths can be fully disabled with corresponding feature flags.
 - **Rollback** - Change can only be disabled by rolling back the release or releasing a new version with a fix.
-- **Development/testing only** - This change cannot cause any failures in production.
 - **Other** - Please provide details.
 
 #### How will you know if something goes wrong after this change is released?

.github/update-release-branch.py

@@ -71,9 +71,8 @@ def open_pr(
     body.append('')
     body.append('Contains the following pull requests:')
     for pr in pull_requests:
-      # Use PR author if they are GitHub staff, otherwise use the merger
-      display_user = get_pr_author_if_staff(pr) or get_merger_of_pr(repo, pr)
-      body.append(f'- #{pr.number} (@{display_user})')
+      merger = get_merger_of_pr(repo, pr)
+      body.append(f'- #{pr.number} (@{merger})')
 
   # List all commits not part of a PR
   if len(commits_without_pull_requests) > 0:
@@ -169,14 +168,6 @@ def get_pr_for_commit(commit):
 def get_merger_of_pr(repo, pr):
   return repo.get_commit(pr.merge_commit_sha).author.login
 
-# Get the PR author if they are GitHub staff, otherwise None.
-def get_pr_author_if_staff(pr):
-  if pr.user is None:
-    return None
-  if getattr(pr.user, 'site_admin', False):
-    return pr.user.login
-  return None
-
 def get_current_version():
   with open('package.json', 'r') as f:
     return json.load(f)['version']
@@ -190,9 +181,9 @@ def replace_version_package_json(prev_version, new_version):
       print(line.replace(prev_version, new_version), end='')
     else:
       prev_line_is_codeql = False
-      print(line, end='')
+      print(line, end='') 
     if '\"name\": \"codeql\",' in line:
-        prev_line_is_codeql = True
+        prev_line_is_codeql = True 
 
 def get_today_string():
   today = datetime.datetime.today()

.github/workflows/__all-platform-bundle.yml

@@ -18,68 +18,39 @@ on:
       - synchronize
       - reopened
       - ready_for_review
-  merge_group:
-    types:
-      - checks_requested
   schedule:
     - cron: '0 5 * * *'
   workflow_dispatch:
     inputs:
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
       go-version:
         type: string
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
+      dotnet-version:
+        type: string
+        description: The version of .NET to install
+        required: false
+        default: 9.x
   workflow_call:
     inputs:
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
       go-version:
         type: string
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
+      dotnet-version:
+        type: string
+        description: The version of .NET to install
+        required: false
+        default: 9.x
 defaults:
   run:
     shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: all-platform-bundle-${{github.ref}}-${{inputs.dotnet-version}}-${{inputs.go-version}}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
-  should-run-all-platform-bundle:
-    name: Decide whether to run this check
-    timeout-minutes: 10
-    runs-on: ubuntu-slim
-    if: github.triggering_actor != 'dependabot[bot]'
-    outputs:
-      run-check: ${{ steps.changed-files-check.outputs.run-check || steps.event-type-check.outputs.run-check }}
-    steps:
-      - name: Run check if this is not a PR
-        id: event-type-check
-        if: github.event_name != 'pull_request'
-        run: echo "run-check=true" >> "$GITHUB_OUTPUT"
-      - name: Check out repository
-        if: github.event_name == 'pull_request'
-        uses: actions/checkout@v6
-      - name: Determine changed files
-        id: changed-files
-        if: github.event_name == 'pull_request'
-        uses: ./.github/actions/changed-files
-        with:
-          github-token: ${{ secrets.GITHUB_TOKEN }}
-          exclude: '["README.md"]'
-      - name: Run check because of changed files
-        id: changed-files-check
-        if: github.event_name != 'pull_request' && steps.changed-files.outputs.files != '[]'
-        run: echo "run-check=true" >> "$GITHUB_OUTPUT"
   all-platform-bundle:
     strategy:
       fail-fast: false
@@ -92,9 +63,7 @@ jobs:
           - os: windows-latest
             version: nightly-latest
     name: All-platform bundle
-    needs:
-      - should-run-all-platform-bundle
-    if: needs.should-run-all-platform-bundle.outputs.run-check == 'true'
+    if: github.triggering_actor != 'dependabot[bot]'
     permissions:
       contents: read
       security-events: read
@@ -103,15 +72,6 @@ jobs:
     steps:
       - name: Check out repository
         uses: actions/checkout@v6
-      - name: Install .NET
-        uses: actions/setup-dotnet@v5
-        with:
-          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
-      - name: Install Go
-        uses: actions/setup-go@v6
-        with:
-          go-version: ${{ inputs.go-version || '>=1.21.0' }}
-          cache: false
       - name: Prepare test
         id: prepare-test
         uses: ./.github/actions/prepare-test
@@ -119,10 +79,19 @@ jobs:
           version: ${{ matrix.version }}
           use-all-platform-bundle: 'true'
           setup-kotlin: 'true'
+      - name: Install Go
+        uses: actions/setup-go@v6
+        with:
+          go-version: ${{ inputs.go-version || '>=1.21.0' }}
+          cache: false
+      - name: Install .NET
+        uses: actions/setup-dotnet@v5
+        with:
+          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
       - id: init
         uses: ./../action/init
         with:
-          # Swift is not supported on Ubuntu so we manually exclude it from the list here
+      # Swift is not supported on Ubuntu so we manually exclude it from the list here
           languages: cpp,csharp,go,java,javascript,python,ruby
           tools: ${{ steps.prepare-test.outputs.tools-url }}
       - name: Build code
@@ -130,23 +99,3 @@ jobs:
       - uses: ./../action/analyze
     env:
       CODEQL_ACTION_TEST_MODE: true
-  skip-all-platform-bundle:
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - os: ubuntu-latest
-            version: nightly-latest
-          - os: macos-latest
-            version: nightly-latest
-          - os: windows-latest
-            version: nightly-latest
-    name: All-platform bundle
-    needs:
-      - should-run-all-platform-bundle
-    if: needs.should-run-all-platform-bundle.outputs.run-check != 'true'
-    timeout-minutes: 5
-    runs-on: ubuntu-slim
-    steps:
-      - name: Success
-        run: exit 0

.github/workflows/__analyze-ref-input.yml

@@ -18,18 +18,10 @@ on:
       - synchronize
       - reopened
       - ready_for_review
-  merge_group:
-    types:
-      - checks_requested
   schedule:
     - cron: '0 5 * * *'
   workflow_dispatch:
     inputs:
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
       go-version:
         type: string
         description: The version of Go to install
@@ -40,13 +32,13 @@ on:
         description: The version of Python to install
         required: false
         default: '3.13'
+      dotnet-version:
+        type: string
+        description: The version of .NET to install
+        required: false
+        default: 9.x
   workflow_call:
     inputs:
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
       go-version:
         type: string
         description: The version of Go to install
@@ -57,39 +49,18 @@ on:
         description: The version of Python to install
         required: false
         default: '3.13'
+      dotnet-version:
+        type: string
+        description: The version of .NET to install
+        required: false
+        default: 9.x
 defaults:
   run:
     shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: analyze-ref-input-${{github.ref}}-${{inputs.dotnet-version}}-${{inputs.go-version}}-${{inputs.python-version}}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
-  should-run-analyze-ref-input:
-    name: Decide whether to run this check
-    timeout-minutes: 10
-    runs-on: ubuntu-slim
-    if: github.triggering_actor != 'dependabot[bot]'
-    outputs:
-      run-check: ${{ steps.changed-files-check.outputs.run-check || steps.event-type-check.outputs.run-check }}
-    steps:
-      - name: Run check if this is not a PR
-        id: event-type-check
-        if: github.event_name != 'pull_request'
-        run: echo "run-check=true" >> "$GITHUB_OUTPUT"
-      - name: Check out repository
-        if: github.event_name == 'pull_request'
-        uses: actions/checkout@v6
-      - name: Determine changed files
-        id: changed-files
-        if: github.event_name == 'pull_request'
-        uses: ./.github/actions/changed-files
-        with:
-          github-token: ${{ secrets.GITHUB_TOKEN }}
-          exclude: '["README.md"]'
-      - name: Run check because of changed files
-        id: changed-files-check
-        if: github.event_name != 'pull_request' && steps.changed-files.outputs.files != '[]'
-        run: echo "run-check=true" >> "$GITHUB_OUTPUT"
   analyze-ref-input:
     strategy:
       fail-fast: false
@@ -98,9 +69,7 @@ jobs:
           - os: ubuntu-latest
             version: default
     name: "Analyze: 'ref' and 'sha' from inputs"
-    needs:
-      - should-run-analyze-ref-input
-    if: needs.should-run-analyze-ref-input.outputs.run-check == 'true'
+    if: github.triggering_actor != 'dependabot[bot]'
     permissions:
       contents: read
       security-events: read
@@ -109,20 +78,6 @@ jobs:
     steps:
       - name: Check out repository
         uses: actions/checkout@v6
-      - name: Install .NET
-        uses: actions/setup-dotnet@v5
-        with:
-          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
-      - name: Install Go
-        uses: actions/setup-go@v6
-        with:
-          go-version: ${{ inputs.go-version || '>=1.21.0' }}
-          cache: false
-      - name: Install Python
-        if: matrix.version != 'nightly-latest' || !matrix.version
-        uses: actions/setup-python@v6
-        with:
-          python-version: ${{ inputs.python-version || '3.13' }}
       - name: Prepare test
         id: prepare-test
         uses: ./.github/actions/prepare-test
@@ -130,32 +85,31 @@ jobs:
           version: ${{ matrix.version }}
           use-all-platform-bundle: 'false'
           setup-kotlin: 'true'
+      - name: Install Go
+        uses: actions/setup-go@v6
+        with:
+          go-version: ${{ inputs.go-version || '>=1.21.0' }}
+          cache: false
+      - name: Install Python
+        if: matrix.version != 'nightly-latest'
+        uses: actions/setup-python@v6
+        with:
+          python-version: ${{ inputs.python-version || '3.13' }}
+      - name: Install .NET
+        uses: actions/setup-dotnet@v5
+        with:
+          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
       - uses: ./../action/init
         with:
           tools: ${{ steps.prepare-test.outputs.tools-url }}
           languages: cpp,csharp,java,javascript,python
-          config-file: ${{ github.repository }}/tests/multi-language-repo/.github/codeql/custom-queries.yml@${{ github.sha }}
+          config-file: ${{ github.repository }}/tests/multi-language-repo/.github/codeql/custom-queries.yml@${{
+            github.sha }}
       - name: Build code
         run: ./build.sh
       - uses: ./../action/analyze
         with:
-          ref: 'refs/heads/main'
-          sha: '5e235361806c361d4d3f8859e3c897658025a9a2'
+          ref: refs/heads/main
+          sha: 5e235361806c361d4d3f8859e3c897658025a9a2
     env:
       CODEQL_ACTION_TEST_MODE: true
-  skip-analyze-ref-input:
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - os: ubuntu-latest
-            version: default
-    name: "Analyze: 'ref' and 'sha' from inputs"
-    needs:
-      - should-run-analyze-ref-input
-    if: needs.should-run-analyze-ref-input.outputs.run-check != 'true'
-    timeout-minutes: 5
-    runs-on: ubuntu-slim
-    steps:
-      - name: Success
-        run: exit 0

.github/workflows/__autobuild-action.yml

@@ -18,9 +18,6 @@ on:
       - synchronize
       - reopened
       - ready_for_review
-  merge_group:
-    types:
-      - checks_requested
   schedule:
     - cron: '0 5 * * *'
   workflow_dispatch:
@@ -41,35 +38,9 @@ defaults:
   run:
     shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: autobuild-action-${{github.ref}}-${{inputs.dotnet-version}}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
-  should-run-autobuild-action:
-    name: Decide whether to run this check
-    timeout-minutes: 10
-    runs-on: ubuntu-slim
-    if: github.triggering_actor != 'dependabot[bot]'
-    outputs:
-      run-check: ${{ steps.changed-files-check.outputs.run-check || steps.event-type-check.outputs.run-check }}
-    steps:
-      - name: Run check if this is not a PR
-        id: event-type-check
-        if: github.event_name != 'pull_request'
-        run: echo "run-check=true" >> "$GITHUB_OUTPUT"
-      - name: Check out repository
-        if: github.event_name == 'pull_request'
-        uses: actions/checkout@v6
-      - name: Determine changed files
-        id: changed-files
-        if: github.event_name == 'pull_request'
-        uses: ./.github/actions/changed-files
-        with:
-          github-token: ${{ secrets.GITHUB_TOKEN }}
-          exclude: '["README.md"]'
-      - name: Run check because of changed files
-        id: changed-files-check
-        if: github.event_name != 'pull_request' && steps.changed-files.outputs.files != '[]'
-        run: echo "run-check=true" >> "$GITHUB_OUTPUT"
   autobuild-action:
     strategy:
       fail-fast: false
@@ -82,9 +53,7 @@ jobs:
           - os: windows-latest
             version: linked
     name: autobuild-action
-    needs:
-      - should-run-autobuild-action
-    if: needs.should-run-autobuild-action.outputs.run-check == 'true'
+    if: github.triggering_actor != 'dependabot[bot]'
     permissions:
       contents: read
       security-events: read
@@ -93,10 +62,6 @@ jobs:
     steps:
       - name: Check out repository
         uses: actions/checkout@v6
-      - name: Install .NET
-        uses: actions/setup-dotnet@v5
-        with:
-          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
       - name: Prepare test
         id: prepare-test
         uses: ./.github/actions/prepare-test
@@ -104,13 +69,17 @@ jobs:
           version: ${{ matrix.version }}
           use-all-platform-bundle: 'false'
           setup-kotlin: 'true'
+      - name: Install .NET
+        uses: actions/setup-dotnet@v5
+        with:
+          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
       - uses: ./../action/init
         with:
           languages: csharp
           tools: ${{ steps.prepare-test.outputs.tools-url }}
       - uses: ./../action/autobuild
         env:
-          # Explicitly disable the CLR tracer.
+      # Explicitly disable the CLR tracer.
           COR_ENABLE_PROFILING: ''
           COR_PROFILER: ''
           COR_PROFILER_PATH_64: ''
@@ -127,23 +96,3 @@ jobs:
           fi
     env:
       CODEQL_ACTION_TEST_MODE: true
-  skip-autobuild-action:
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - os: ubuntu-latest
-            version: linked
-          - os: macos-latest
-            version: linked
-          - os: windows-latest
-            version: linked
-    name: autobuild-action
-    needs:
-      - should-run-autobuild-action
-    if: needs.should-run-autobuild-action.outputs.run-check != 'true'
-    timeout-minutes: 5
-    runs-on: ubuntu-slim
-    steps:
-      - name: Success
-        run: exit 0

.github/workflows/__autobuild-direct-tracing-with-working-dir.yml

@@ -18,9 +18,6 @@ on:
       - synchronize
       - reopened
       - ready_for_review
-  merge_group:
-    types:
-      - checks_requested
   schedule:
     - cron: '0 5 * * *'
   workflow_dispatch:
@@ -41,35 +38,9 @@ defaults:
   run:
     shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: autobuild-direct-tracing-with-working-dir-${{github.ref}}-${{inputs.java-version}}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
-  should-run-autobuild-direct-tracing-with-working-dir:
-    name: Decide whether to run this check
-    timeout-minutes: 10
-    runs-on: ubuntu-slim
-    if: github.triggering_actor != 'dependabot[bot]'
-    outputs:
-      run-check: ${{ steps.changed-files-check.outputs.run-check || steps.event-type-check.outputs.run-check }}
-    steps:
-      - name: Run check if this is not a PR
-        id: event-type-check
-        if: github.event_name != 'pull_request'
-        run: echo "run-check=true" >> "$GITHUB_OUTPUT"
-      - name: Check out repository
-        if: github.event_name == 'pull_request'
-        uses: actions/checkout@v6
-      - name: Determine changed files
-        id: changed-files
-        if: github.event_name == 'pull_request'
-        uses: ./.github/actions/changed-files
-        with:
-          github-token: ${{ secrets.GITHUB_TOKEN }}
-          exclude: '["README.md"]'
-      - name: Run check because of changed files
-        id: changed-files-check
-        if: github.event_name != 'pull_request' && steps.changed-files.outputs.files != '[]'
-        run: echo "run-check=true" >> "$GITHUB_OUTPUT"
   autobuild-direct-tracing-with-working-dir:
     strategy:
       fail-fast: false
@@ -84,9 +55,7 @@ jobs:
           - os: windows-latest
             version: nightly-latest
     name: Autobuild direct tracing (custom working directory)
-    needs:
-      - should-run-autobuild-direct-tracing-with-working-dir
-    if: needs.should-run-autobuild-direct-tracing-with-working-dir.outputs.run-check == 'true'
+    if: github.triggering_actor != 'dependabot[bot]'
     permissions:
       contents: read
       security-events: read
@@ -95,11 +64,6 @@ jobs:
     steps:
       - name: Check out repository
         uses: actions/checkout@v6
-      - name: Install Java
-        uses: actions/setup-java@v5
-        with:
-          java-version: ${{ inputs.java-version || '17' }}
-          distribution: temurin
       - name: Prepare test
         id: prepare-test
         uses: ./.github/actions/prepare-test
@@ -107,6 +71,11 @@ jobs:
           version: ${{ matrix.version }}
           use-all-platform-bundle: 'false'
           setup-kotlin: 'true'
+      - name: Install Java
+        uses: actions/setup-java@v5
+        with:
+          java-version: ${{ inputs.java-version || '17' }}
+          distribution: temurin
       - name: Test setup
         run: |
           # Make sure that Gradle build succeeds in autobuild-dir ...
@@ -132,25 +101,3 @@ jobs:
     env:
       CODEQL_ACTION_AUTOBUILD_BUILD_MODE_DIRECT_TRACING: true
       CODEQL_ACTION_TEST_MODE: true
-  skip-autobuild-direct-tracing-with-working-dir:
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - os: ubuntu-latest
-            version: linked
-          - os: windows-latest
-            version: linked
-          - os: ubuntu-latest
-            version: nightly-latest
-          - os: windows-latest
-            version: nightly-latest
-    name: Autobuild direct tracing (custom working directory)
-    needs:
-      - should-run-autobuild-direct-tracing-with-working-dir
-    if: needs.should-run-autobuild-direct-tracing-with-working-dir.outputs.run-check != 'true'
-    timeout-minutes: 5
-    runs-on: ubuntu-slim
-    steps:
-      - name: Success
-        run: exit 0

.github/workflows/__autobuild-working-dir.yml

@@ -18,9 +18,6 @@ on:
       - synchronize
       - reopened
       - ready_for_review
-  merge_group:
-    types:
-      - checks_requested
   schedule:
     - cron: '0 5 * * *'
   workflow_dispatch:
@@ -31,35 +28,9 @@ defaults:
   run:
     shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: autobuild-working-dir-${{github.ref}}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
-  should-run-autobuild-working-dir:
-    name: Decide whether to run this check
-    timeout-minutes: 10
-    runs-on: ubuntu-slim
-    if: github.triggering_actor != 'dependabot[bot]'
-    outputs:
-      run-check: ${{ steps.changed-files-check.outputs.run-check || steps.event-type-check.outputs.run-check }}
-    steps:
-      - name: Run check if this is not a PR
-        id: event-type-check
-        if: github.event_name != 'pull_request'
-        run: echo "run-check=true" >> "$GITHUB_OUTPUT"
-      - name: Check out repository
-        if: github.event_name == 'pull_request'
-        uses: actions/checkout@v6
-      - name: Determine changed files
-        id: changed-files
-        if: github.event_name == 'pull_request'
-        uses: ./.github/actions/changed-files
-        with:
-          github-token: ${{ secrets.GITHUB_TOKEN }}
-          exclude: '["README.md"]'
-      - name: Run check because of changed files
-        id: changed-files-check
-        if: github.event_name != 'pull_request' && steps.changed-files.outputs.files != '[]'
-        run: echo "run-check=true" >> "$GITHUB_OUTPUT"
   autobuild-working-dir:
     strategy:
       fail-fast: false
@@ -68,9 +39,7 @@ jobs:
           - os: ubuntu-latest
             version: linked
     name: Autobuild working directory
-    needs:
-      - should-run-autobuild-working-dir
-    if: needs.should-run-autobuild-working-dir.outputs.run-check == 'true'
+    if: github.triggering_actor != 'dependabot[bot]'
     permissions:
       contents: read
       security-events: read
@@ -109,19 +78,3 @@ jobs:
           fi
     env:
       CODEQL_ACTION_TEST_MODE: true
-  skip-autobuild-working-dir:
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - os: ubuntu-latest
-            version: linked
-    name: Autobuild working directory
-    needs:
-      - should-run-autobuild-working-dir
-    if: needs.should-run-autobuild-working-dir.outputs.run-check != 'true'
-    timeout-minutes: 5
-    runs-on: ubuntu-slim
-    steps:
-      - name: Success
-        run: exit 0

.github/workflows/__build-mode-autobuild.yml

@@ -18,9 +18,6 @@ on:
       - synchronize
       - reopened
       - ready_for_review
-  merge_group:
-    types:
-      - checks_requested
   schedule:
     - cron: '0 5 * * *'
   workflow_dispatch:
@@ -41,35 +38,9 @@ defaults:
   run:
     shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: build-mode-autobuild-${{github.ref}}-${{inputs.java-version}}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
-  should-run-build-mode-autobuild:
-    name: Decide whether to run this check
-    timeout-minutes: 10
-    runs-on: ubuntu-slim
-    if: github.triggering_actor != 'dependabot[bot]'
-    outputs:
-      run-check: ${{ steps.changed-files-check.outputs.run-check || steps.event-type-check.outputs.run-check }}
-    steps:
-      - name: Run check if this is not a PR
-        id: event-type-check
-        if: github.event_name != 'pull_request'
-        run: echo "run-check=true" >> "$GITHUB_OUTPUT"
-      - name: Check out repository
-        if: github.event_name == 'pull_request'
-        uses: actions/checkout@v6
-      - name: Determine changed files
-        id: changed-files
-        if: github.event_name == 'pull_request'
-        uses: ./.github/actions/changed-files
-        with:
-          github-token: ${{ secrets.GITHUB_TOKEN }}
-          exclude: '["README.md"]'
-      - name: Run check because of changed files
-        id: changed-files-check
-        if: github.event_name != 'pull_request' && steps.changed-files.outputs.files != '[]'
-        run: echo "run-check=true" >> "$GITHUB_OUTPUT"
   build-mode-autobuild:
     strategy:
       fail-fast: false
@@ -84,9 +55,7 @@ jobs:
           - os: windows-latest
             version: nightly-latest
     name: Build mode autobuild
-    needs:
-      - should-run-build-mode-autobuild
-    if: needs.should-run-build-mode-autobuild.outputs.run-check == 'true'
+    if: github.triggering_actor != 'dependabot[bot]'
     permissions:
       contents: read
       security-events: read
@@ -95,19 +64,6 @@ jobs:
     steps:
       - name: Check out repository
         uses: actions/checkout@v6
-      - name: Install Java
-        uses: actions/setup-java@v5
-        with:
-          java-version: ${{ inputs.java-version || '17' }}
-          distribution: temurin
-      - name: Install yq
-        if: runner.os == 'Windows'
-        env:
-          YQ_PATH: ${{ runner.temp }}/yq
-          YQ_VERSION: v4.50.1
-        run: |-
-          gh release download --repo mikefarah/yq --pattern "yq_windows_amd64.exe" "$YQ_VERSION" -O "$YQ_PATH/yq.exe"
-          echo "$YQ_PATH" >> "$GITHUB_PATH"
       - name: Prepare test
         id: prepare-test
         uses: ./.github/actions/prepare-test
@@ -115,6 +71,11 @@ jobs:
           version: ${{ matrix.version }}
           use-all-platform-bundle: 'false'
           setup-kotlin: 'true'
+      - name: Install Java
+        uses: actions/setup-java@v5
+        with:
+          java-version: ${{ inputs.java-version || '17' }}
+          distribution: temurin
       - name: Set up Java test repo configuration
         run: |
           mv * .github ../action/tests/multi-language-repo/
@@ -125,10 +86,15 @@ jobs:
         id: init
         with:
           build-mode: autobuild
-          db-location: '${{ runner.temp }}/customDbLocation'
+          db-location: ${{ runner.temp }}/customDbLocation
           languages: java
           tools: ${{ steps.prepare-test.outputs.tools-url }}
 
+      - name: Install yq
+        if: runner.os == 'Windows'
+        run: |
+          choco install yq -y
+
       - name: Validate database build mode
         run: |
           metadata_path="$RUNNER_TEMP/customDbLocation/java/codeql-database.yml"
@@ -149,25 +115,3 @@ jobs:
       - uses: ./../action/analyze
     env:
       CODEQL_ACTION_TEST_MODE: true
-  skip-build-mode-autobuild:
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - os: ubuntu-latest
-            version: linked
-          - os: windows-latest
-            version: linked
-          - os: ubuntu-latest
-            version: nightly-latest
-          - os: windows-latest
-            version: nightly-latest
-    name: Build mode autobuild
-    needs:
-      - should-run-build-mode-autobuild
-    if: needs.should-run-build-mode-autobuild.outputs.run-check != 'true'
-    timeout-minutes: 5
-    runs-on: ubuntu-slim
-    steps:
-      - name: Success
-        run: exit 0

.github/workflows/__build-mode-manual.yml

@@ -18,68 +18,39 @@ on:
       - synchronize
       - reopened
       - ready_for_review
-  merge_group:
-    types:
-      - checks_requested
   schedule:
     - cron: '0 5 * * *'
   workflow_dispatch:
     inputs:
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
       go-version:
         type: string
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
+      dotnet-version:
+        type: string
+        description: The version of .NET to install
+        required: false
+        default: 9.x
   workflow_call:
     inputs:
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
       go-version:
         type: string
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
+      dotnet-version:
+        type: string
+        description: The version of .NET to install
+        required: false
+        default: 9.x
 defaults:
   run:
     shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: build-mode-manual-${{github.ref}}-${{inputs.dotnet-version}}-${{inputs.go-version}}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
-  should-run-build-mode-manual:
-    name: Decide whether to run this check
-    timeout-minutes: 10
-    runs-on: ubuntu-slim
-    if: github.triggering_actor != 'dependabot[bot]'
-    outputs:
-      run-check: ${{ steps.changed-files-check.outputs.run-check || steps.event-type-check.outputs.run-check }}
-    steps:
-      - name: Run check if this is not a PR
-        id: event-type-check
-        if: github.event_name != 'pull_request'
-        run: echo "run-check=true" >> "$GITHUB_OUTPUT"
-      - name: Check out repository
-        if: github.event_name == 'pull_request'
-        uses: actions/checkout@v6
-      - name: Determine changed files
-        id: changed-files
-        if: github.event_name == 'pull_request'
-        uses: ./.github/actions/changed-files
-        with:
-          github-token: ${{ secrets.GITHUB_TOKEN }}
-          exclude: '["README.md"]'
-      - name: Run check because of changed files
-        id: changed-files-check
-        if: github.event_name != 'pull_request' && steps.changed-files.outputs.files != '[]'
-        run: echo "run-check=true" >> "$GITHUB_OUTPUT"
   build-mode-manual:
     strategy:
       fail-fast: false
@@ -88,9 +59,7 @@ jobs:
           - os: ubuntu-latest
             version: nightly-latest
     name: Build mode manual
-    needs:
-      - should-run-build-mode-manual
-    if: needs.should-run-build-mode-manual.outputs.run-check == 'true'
+    if: github.triggering_actor != 'dependabot[bot]'
     permissions:
       contents: read
       security-events: read
@@ -99,15 +68,6 @@ jobs:
     steps:
       - name: Check out repository
         uses: actions/checkout@v6
-      - name: Install .NET
-        uses: actions/setup-dotnet@v5
-        with:
-          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
-      - name: Install Go
-        uses: actions/setup-go@v6
-        with:
-          go-version: ${{ inputs.go-version || '>=1.21.0' }}
-          cache: false
       - name: Prepare test
         id: prepare-test
         uses: ./.github/actions/prepare-test
@@ -115,11 +75,20 @@ jobs:
           version: ${{ matrix.version }}
           use-all-platform-bundle: 'false'
           setup-kotlin: 'true'
+      - name: Install Go
+        uses: actions/setup-go@v6
+        with:
+          go-version: ${{ inputs.go-version || '>=1.21.0' }}
+          cache: false
+      - name: Install .NET
+        uses: actions/setup-dotnet@v5
+        with:
+          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
       - uses: ./../action/init
         id: init
         with:
           build-mode: manual
-          db-location: '${{ runner.temp }}/customDbLocation'
+          db-location: ${{ runner.temp }}/customDbLocation
           languages: java
           tools: ${{ steps.prepare-test.outputs.tools-url }}
 
@@ -138,19 +107,3 @@ jobs:
       - uses: ./../action/analyze
     env:
       CODEQL_ACTION_TEST_MODE: true
-  skip-build-mode-manual:
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - os: ubuntu-latest
-            version: nightly-latest
-    name: Build mode manual
-    needs:
-      - should-run-build-mode-manual
-    if: needs.should-run-build-mode-manual.outputs.run-check != 'true'
-    timeout-minutes: 5
-    runs-on: ubuntu-slim
-    steps:
-      - name: Success
-        run: exit 0

.github/workflows/__build-mode-none.yml

@@ -18,9 +18,6 @@ on:
       - synchronize
       - reopened
       - ready_for_review
-  merge_group:
-    types:
-      - checks_requested
   schedule:
     - cron: '0 5 * * *'
   workflow_dispatch:
@@ -31,35 +28,9 @@ defaults:
   run:
     shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: build-mode-none-${{github.ref}}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
-  should-run-build-mode-none:
-    name: Decide whether to run this check
-    timeout-minutes: 10
-    runs-on: ubuntu-slim
-    if: github.triggering_actor != 'dependabot[bot]'
-    outputs:
-      run-check: ${{ steps.changed-files-check.outputs.run-check || steps.event-type-check.outputs.run-check }}
-    steps:
-      - name: Run check if this is not a PR
-        id: event-type-check
-        if: github.event_name != 'pull_request'
-        run: echo "run-check=true" >> "$GITHUB_OUTPUT"
-      - name: Check out repository
-        if: github.event_name == 'pull_request'
-        uses: actions/checkout@v6
-      - name: Determine changed files
-        id: changed-files
-        if: github.event_name == 'pull_request'
-        uses: ./.github/actions/changed-files
-        with:
-          github-token: ${{ secrets.GITHUB_TOKEN }}
-          exclude: '["README.md"]'
-      - name: Run check because of changed files
-        id: changed-files-check
-        if: github.event_name != 'pull_request' && steps.changed-files.outputs.files != '[]'
-        run: echo "run-check=true" >> "$GITHUB_OUTPUT"
   build-mode-none:
     strategy:
       fail-fast: false
@@ -70,9 +41,7 @@ jobs:
           - os: ubuntu-latest
             version: nightly-latest
     name: Build mode none
-    needs:
-      - should-run-build-mode-none
-    if: needs.should-run-build-mode-none.outputs.run-check == 'true'
+    if: github.triggering_actor != 'dependabot[bot]'
     permissions:
       contents: read
       security-events: read
@@ -92,7 +61,7 @@ jobs:
         id: init
         with:
           build-mode: none
-          db-location: '${{ runner.temp }}/customDbLocation'
+          db-location: ${{ runner.temp }}/customDbLocation
           languages: java
           tools: ${{ steps.prepare-test.outputs.tools-url }}
 
@@ -105,28 +74,10 @@ jobs:
             exit 1
           fi
 
-      # The latest nightly supports omitting the autobuild Action when the build mode is specified.
+  # The latest nightly supports omitting the autobuild Action when the build mode is specified.
       - uses: ./../action/autobuild
         if: matrix.version != 'nightly-latest'
 
       - uses: ./../action/analyze
     env:
       CODEQL_ACTION_TEST_MODE: true
-  skip-build-mode-none:
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - os: ubuntu-latest
-            version: linked
-          - os: ubuntu-latest
-            version: nightly-latest
-    name: Build mode none
-    needs:
-      - should-run-build-mode-none
-    if: needs.should-run-build-mode-none.outputs.run-check != 'true'
-    timeout-minutes: 5
-    runs-on: ubuntu-slim
-    steps:
-      - name: Success
-        run: exit 0

.github/workflows/__build-mode-rollback.yml

@@ -18,9 +18,6 @@ on:
       - synchronize
       - reopened
       - ready_for_review
-  merge_group:
-    types:
-      - checks_requested
   schedule:
     - cron: '0 5 * * *'
   workflow_dispatch:
@@ -31,35 +28,9 @@ defaults:
   run:
     shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: build-mode-rollback-${{github.ref}}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
-  should-run-build-mode-rollback:
-    name: Decide whether to run this check
-    timeout-minutes: 10
-    runs-on: ubuntu-slim
-    if: github.triggering_actor != 'dependabot[bot]'
-    outputs:
-      run-check: ${{ steps.changed-files-check.outputs.run-check || steps.event-type-check.outputs.run-check }}
-    steps:
-      - name: Run check if this is not a PR
-        id: event-type-check
-        if: github.event_name != 'pull_request'
-        run: echo "run-check=true" >> "$GITHUB_OUTPUT"
-      - name: Check out repository
-        if: github.event_name == 'pull_request'
-        uses: actions/checkout@v6
-      - name: Determine changed files
-        id: changed-files
-        if: github.event_name == 'pull_request'
-        uses: ./.github/actions/changed-files
-        with:
-          github-token: ${{ secrets.GITHUB_TOKEN }}
-          exclude: '["README.md"]'
-      - name: Run check because of changed files
-        id: changed-files-check
-        if: github.event_name != 'pull_request' && steps.changed-files.outputs.files != '[]'
-        run: echo "run-check=true" >> "$GITHUB_OUTPUT"
   build-mode-rollback:
     strategy:
       fail-fast: false
@@ -68,9 +39,7 @@ jobs:
           - os: ubuntu-latest
             version: nightly-latest
     name: Build mode rollback
-    needs:
-      - should-run-build-mode-rollback
-    if: needs.should-run-build-mode-rollback.outputs.run-check == 'true'
+    if: github.triggering_actor != 'dependabot[bot]'
     permissions:
       contents: read
       security-events: read
@@ -96,7 +65,7 @@ jobs:
         id: init
         with:
           build-mode: none
-          db-location: '${{ runner.temp }}/customDbLocation'
+          db-location: ${{ runner.temp }}/customDbLocation
           languages: java
           tools: ${{ steps.prepare-test.outputs.tools-url }}
 
@@ -113,19 +82,3 @@ jobs:
     env:
       CODEQL_ACTION_DISABLE_JAVA_BUILDLESS: true
       CODEQL_ACTION_TEST_MODE: true
-  skip-build-mode-rollback:
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - os: ubuntu-latest
-            version: nightly-latest
-    name: Build mode rollback
-    needs:
-      - should-run-build-mode-rollback
-    if: needs.should-run-build-mode-rollback.outputs.run-check != 'true'
-    timeout-minutes: 5
-    runs-on: ubuntu-slim
-    steps:
-      - name: Success
-        run: exit 0

.github/workflows/__bundle-from-nightly.yml

@@ -1,116 +0,0 @@
-# Warning: This file is generated automatically, and should not be modified.
-# Instead, please modify the template in the pr-checks directory and run:
-#     pr-checks/sync.sh
-# to regenerate this file.
-
-name: 'PR Check - Bundle: From nightly'
-env:
-  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-  GO111MODULE: auto
-on:
-  push:
-    branches:
-      - main
-      - releases/v*
-  pull_request:
-    types:
-      - opened
-      - synchronize
-      - reopened
-      - ready_for_review
-  merge_group:
-    types:
-      - checks_requested
-  schedule:
-    - cron: '0 5 * * *'
-  workflow_dispatch:
-    inputs: {}
-  workflow_call:
-    inputs: {}
-defaults:
-  run:
-    shell: bash
-concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: bundle-from-nightly-${{github.ref}}
-jobs:
-  should-run-bundle-from-nightly:
-    name: Decide whether to run this check
-    timeout-minutes: 10
-    runs-on: ubuntu-slim
-    if: github.triggering_actor != 'dependabot[bot]'
-    outputs:
-      run-check: ${{ steps.changed-files-check.outputs.run-check || steps.event-type-check.outputs.run-check }}
-    steps:
-      - name: Run check if this is not a PR
-        id: event-type-check
-        if: github.event_name != 'pull_request'
-        run: echo "run-check=true" >> "$GITHUB_OUTPUT"
-      - name: Check out repository
-        if: github.event_name == 'pull_request'
-        uses: actions/checkout@v6
-      - name: Determine changed files
-        id: changed-files
-        if: github.event_name == 'pull_request'
-        uses: ./.github/actions/changed-files
-        with:
-          github-token: ${{ secrets.GITHUB_TOKEN }}
-          exclude: '["README.md"]'
-      - name: Run check because of changed files
-        id: changed-files-check
-        if: github.event_name != 'pull_request' && steps.changed-files.outputs.files != '[]'
-        run: echo "run-check=true" >> "$GITHUB_OUTPUT"
-  bundle-from-nightly:
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - os: ubuntu-latest
-            version: linked
-    name: 'Bundle: From nightly'
-    needs:
-      - should-run-bundle-from-nightly
-    if: needs.should-run-bundle-from-nightly.outputs.run-check == 'true'
-    permissions:
-      contents: read
-      security-events: read
-    timeout-minutes: 45
-    runs-on: ${{ matrix.os }}
-    steps:
-      - name: Check out repository
-        uses: actions/checkout@v6
-      - name: Prepare test
-        id: prepare-test
-        uses: ./.github/actions/prepare-test
-        with:
-          version: ${{ matrix.version }}
-          use-all-platform-bundle: 'false'
-          setup-kotlin: 'true'
-      - id: init
-        uses: ./../action/init
-        env:
-          CODEQL_ACTION_FORCE_NIGHTLY: true
-        with:
-          tools: ${{ steps.prepare-test.outputs.tools-url }}
-          languages: javascript
-      - name: Fail if the CodeQL version is not a nightly
-        if: ${{ !contains(steps.init.outputs.codeql-version, '+') }}
-        run: exit 1
-    env:
-      CODEQL_ACTION_TEST_MODE: true
-  skip-bundle-from-nightly:
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - os: ubuntu-latest
-            version: linked
-    name: 'Bundle: From nightly'
-    needs:
-      - should-run-bundle-from-nightly
-    if: needs.should-run-bundle-from-nightly.outputs.run-check != 'true'
-    timeout-minutes: 5
-    runs-on: ubuntu-slim
-    steps:
-      - name: Success
-        run: exit 0

.github/workflows/__bundle-from-toolcache.yml

@@ -18,9 +18,6 @@ on:
       - synchronize
       - reopened
       - ready_for_review
-  merge_group:
-    types:
-      - checks_requested
   schedule:
     - cron: '0 5 * * *'
   workflow_dispatch:
@@ -31,35 +28,9 @@ defaults:
   run:
     shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: bundle-from-toolcache-${{github.ref}}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
-  should-run-bundle-from-toolcache:
-    name: Decide whether to run this check
-    timeout-minutes: 10
-    runs-on: ubuntu-slim
-    if: github.triggering_actor != 'dependabot[bot]'
-    outputs:
-      run-check: ${{ steps.changed-files-check.outputs.run-check || steps.event-type-check.outputs.run-check }}
-    steps:
-      - name: Run check if this is not a PR
-        id: event-type-check
-        if: github.event_name != 'pull_request'
-        run: echo "run-check=true" >> "$GITHUB_OUTPUT"
-      - name: Check out repository
-        if: github.event_name == 'pull_request'
-        uses: actions/checkout@v6
-      - name: Determine changed files
-        id: changed-files
-        if: github.event_name == 'pull_request'
-        uses: ./.github/actions/changed-files
-        with:
-          github-token: ${{ secrets.GITHUB_TOKEN }}
-          exclude: '["README.md"]'
-      - name: Run check because of changed files
-        id: changed-files-check
-        if: github.event_name != 'pull_request' && steps.changed-files.outputs.files != '[]'
-        run: echo "run-check=true" >> "$GITHUB_OUTPUT"
   bundle-from-toolcache:
     strategy:
       fail-fast: false
@@ -68,9 +39,7 @@ jobs:
           - os: ubuntu-latest
             version: toolcache
     name: 'Bundle: From toolcache'
-    needs:
-      - should-run-bundle-from-toolcache
-    if: needs.should-run-bundle-from-toolcache.outputs.run-check == 'true'
+    if: github.triggering_actor != 'dependabot[bot]'
     permissions:
       contents: read
       security-events: read
@@ -87,7 +56,7 @@ jobs:
           use-all-platform-bundle: 'false'
           setup-kotlin: 'true'
       - name: Install @actions/tool-cache
-        run: npm install @actions/tool-cache@3
+        run: npm install @actions/tool-cache
       - name: Check toolcache contains CodeQL
         continue-on-error: true
         uses: actions/github-script@v8
@@ -114,19 +83,3 @@ jobs:
             }
     env:
       CODEQL_ACTION_TEST_MODE: true
-  skip-bundle-from-toolcache:
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - os: ubuntu-latest
-            version: toolcache
-    name: 'Bundle: From toolcache'
-    needs:
-      - should-run-bundle-from-toolcache
-    if: needs.should-run-bundle-from-toolcache.outputs.run-check != 'true'
-    timeout-minutes: 5
-    runs-on: ubuntu-slim
-    steps:
-      - name: Success
-        run: exit 0

.github/workflows/__bundle-toolcache.yml

@@ -18,9 +18,6 @@ on:
       - synchronize
       - reopened
       - ready_for_review
-  merge_group:
-    types:
-      - checks_requested
   schedule:
     - cron: '0 5 * * *'
   workflow_dispatch:
@@ -31,35 +28,9 @@ defaults:
   run:
     shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: bundle-toolcache-${{github.ref}}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
-  should-run-bundle-toolcache:
-    name: Decide whether to run this check
-    timeout-minutes: 10
-    runs-on: ubuntu-slim
-    if: github.triggering_actor != 'dependabot[bot]'
-    outputs:
-      run-check: ${{ steps.changed-files-check.outputs.run-check || steps.event-type-check.outputs.run-check }}
-    steps:
-      - name: Run check if this is not a PR
-        id: event-type-check
-        if: github.event_name != 'pull_request'
-        run: echo "run-check=true" >> "$GITHUB_OUTPUT"
-      - name: Check out repository
-        if: github.event_name == 'pull_request'
-        uses: actions/checkout@v6
-      - name: Determine changed files
-        id: changed-files
-        if: github.event_name == 'pull_request'
-        uses: ./.github/actions/changed-files
-        with:
-          github-token: ${{ secrets.GITHUB_TOKEN }}
-          exclude: '["README.md"]'
-      - name: Run check because of changed files
-        id: changed-files-check
-        if: github.event_name != 'pull_request' && steps.changed-files.outputs.files != '[]'
-        run: echo "run-check=true" >> "$GITHUB_OUTPUT"
   bundle-toolcache:
     strategy:
       fail-fast: false
@@ -72,9 +43,7 @@ jobs:
           - os: windows-latest
             version: linked
     name: 'Bundle: Caching checks'
-    needs:
-      - should-run-bundle-toolcache
-    if: needs.should-run-bundle-toolcache.outputs.run-check == 'true'
+    if: github.triggering_actor != 'dependabot[bot]'
     permissions:
       contents: read
       security-events: read
@@ -99,7 +68,7 @@ jobs:
             const codeqlPath = path.join(process.env['RUNNER_TOOL_CACHE'], 'CodeQL');
             fs.rmdirSync(codeqlPath, { recursive: true });
       - name: Install @actions/tool-cache
-        run: npm install @actions/tool-cache@3
+        run: npm install @actions/tool-cache
       - name: Check toolcache does not contain CodeQL
         uses: actions/github-script@v8
         with:
@@ -134,23 +103,3 @@ jobs:
             }
     env:
       CODEQL_ACTION_TEST_MODE: true
-  skip-bundle-toolcache:
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - os: macos-latest
-            version: linked
-          - os: ubuntu-latest
-            version: linked
-          - os: windows-latest
-            version: linked
-    name: 'Bundle: Caching checks'
-    needs:
-      - should-run-bundle-toolcache
-    if: needs.should-run-bundle-toolcache.outputs.run-check != 'true'
-    timeout-minutes: 5
-    runs-on: ubuntu-slim
-    steps:
-      - name: Success
-        run: exit 0

.github/workflows/__bundle-zstd.yml

@@ -18,9 +18,6 @@ on:
       - synchronize
       - reopened
       - ready_for_review
-  merge_group:
-    types:
-      - checks_requested
   schedule:
     - cron: '0 5 * * *'
   workflow_dispatch:
@@ -31,35 +28,9 @@ defaults:
   run:
     shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: bundle-zstd-${{github.ref}}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
-  should-run-bundle-zstd:
-    name: Decide whether to run this check
-    timeout-minutes: 10
-    runs-on: ubuntu-slim
-    if: github.triggering_actor != 'dependabot[bot]'
-    outputs:
-      run-check: ${{ steps.changed-files-check.outputs.run-check || steps.event-type-check.outputs.run-check }}
-    steps:
-      - name: Run check if this is not a PR
-        id: event-type-check
-        if: github.event_name != 'pull_request'
-        run: echo "run-check=true" >> "$GITHUB_OUTPUT"
-      - name: Check out repository
-        if: github.event_name == 'pull_request'
-        uses: actions/checkout@v6
-      - name: Determine changed files
-        id: changed-files
-        if: github.event_name == 'pull_request'
-        uses: ./.github/actions/changed-files
-        with:
-          github-token: ${{ secrets.GITHUB_TOKEN }}
-          exclude: '["README.md"]'
-      - name: Run check because of changed files
-        id: changed-files-check
-        if: github.event_name != 'pull_request' && steps.changed-files.outputs.files != '[]'
-        run: echo "run-check=true" >> "$GITHUB_OUTPUT"
   bundle-zstd:
     strategy:
       fail-fast: false
@@ -72,9 +43,7 @@ jobs:
           - os: windows-latest
             version: linked
     name: 'Bundle: Zstandard checks'
-    needs:
-      - should-run-bundle-zstd
-    if: needs.should-run-bundle-zstd.outputs.run-check == 'true'
+    if: github.triggering_actor != 'dependabot[bot]'
     permissions:
       contents: read
       security-events: read
@@ -151,23 +120,3 @@ jobs:
             }
     env:
       CODEQL_ACTION_TEST_MODE: true
-  skip-bundle-zstd:
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - os: macos-latest
-            version: linked
-          - os: ubuntu-latest
-            version: linked
-          - os: windows-latest
-            version: linked
-    name: 'Bundle: Zstandard checks'
-    needs:
-      - should-run-bundle-zstd
-    if: needs.should-run-bundle-zstd.outputs.run-check != 'true'
-    timeout-minutes: 5
-    runs-on: ubuntu-slim
-    steps:
-      - name: Success
-        run: exit 0

.github/workflows/__cleanup-db-cluster-dir.yml

@@ -18,9 +18,6 @@ on:
       - synchronize
       - reopened
       - ready_for_review
-  merge_group:
-    types:
-      - checks_requested
   schedule:
     - cron: '0 5 * * *'
   workflow_dispatch:
@@ -31,35 +28,9 @@ defaults:
   run:
     shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: cleanup-db-cluster-dir-${{github.ref}}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
-  should-run-cleanup-db-cluster-dir:
-    name: Decide whether to run this check
-    timeout-minutes: 10
-    runs-on: ubuntu-slim
-    if: github.triggering_actor != 'dependabot[bot]'
-    outputs:
-      run-check: ${{ steps.changed-files-check.outputs.run-check || steps.event-type-check.outputs.run-check }}
-    steps:
-      - name: Run check if this is not a PR
-        id: event-type-check
-        if: github.event_name != 'pull_request'
-        run: echo "run-check=true" >> "$GITHUB_OUTPUT"
-      - name: Check out repository
-        if: github.event_name == 'pull_request'
-        uses: actions/checkout@v6
-      - name: Determine changed files
-        id: changed-files
-        if: github.event_name == 'pull_request'
-        uses: ./.github/actions/changed-files
-        with:
-          github-token: ${{ secrets.GITHUB_TOKEN }}
-          exclude: '["README.md"]'
-      - name: Run check because of changed files
-        id: changed-files-check
-        if: github.event_name != 'pull_request' && steps.changed-files.outputs.files != '[]'
-        run: echo "run-check=true" >> "$GITHUB_OUTPUT"
   cleanup-db-cluster-dir:
     strategy:
       fail-fast: false
@@ -68,9 +39,7 @@ jobs:
           - os: ubuntu-latest
             version: linked
     name: Clean up database cluster directory
-    needs:
-      - should-run-cleanup-db-cluster-dir
-    if: needs.should-run-cleanup-db-cluster-dir.outputs.run-check == 'true'
+    if: github.triggering_actor != 'dependabot[bot]'
     permissions:
       contents: read
       security-events: read
@@ -95,7 +64,7 @@ jobs:
         id: init
         with:
           build-mode: none
-          db-location: '${{ runner.temp }}/customDbLocation'
+          db-location: ${{ runner.temp }}/customDbLocation
           languages: javascript
           tools: ${{ steps.prepare-test.outputs.tools-url }}
 
@@ -108,19 +77,3 @@ jobs:
           echo "File was cleaned up"
     env:
       CODEQL_ACTION_TEST_MODE: true
-  skip-cleanup-db-cluster-dir:
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - os: ubuntu-latest
-            version: linked
-    name: Clean up database cluster directory
-    needs:
-      - should-run-cleanup-db-cluster-dir
-    if: needs.should-run-cleanup-db-cluster-dir.outputs.run-check != 'true'
-    timeout-minutes: 5
-    runs-on: ubuntu-slim
-    steps:
-      - name: Success
-        run: exit 0

.github/workflows/__config-export.yml

@@ -18,9 +18,6 @@ on:
       - synchronize
       - reopened
       - ready_for_review
-  merge_group:
-    types:
-      - checks_requested
   schedule:
     - cron: '0 5 * * *'
   workflow_dispatch:
@@ -31,35 +28,9 @@ defaults:
   run:
     shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: config-export-${{github.ref}}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
-  should-run-config-export:
-    name: Decide whether to run this check
-    timeout-minutes: 10
-    runs-on: ubuntu-slim
-    if: github.triggering_actor != 'dependabot[bot]'
-    outputs:
-      run-check: ${{ steps.changed-files-check.outputs.run-check || steps.event-type-check.outputs.run-check }}
-    steps:
-      - name: Run check if this is not a PR
-        id: event-type-check
-        if: github.event_name != 'pull_request'
-        run: echo "run-check=true" >> "$GITHUB_OUTPUT"
-      - name: Check out repository
-        if: github.event_name == 'pull_request'
-        uses: actions/checkout@v6
-      - name: Determine changed files
-        id: changed-files
-        if: github.event_name == 'pull_request'
-        uses: ./.github/actions/changed-files
-        with:
-          github-token: ${{ secrets.GITHUB_TOKEN }}
-          exclude: '["README.md"]'
-      - name: Run check because of changed files
-        id: changed-files-check
-        if: github.event_name != 'pull_request' && steps.changed-files.outputs.files != '[]'
-        run: echo "run-check=true" >> "$GITHUB_OUTPUT"
   config-export:
     strategy:
       fail-fast: false
@@ -70,9 +41,7 @@ jobs:
           - os: ubuntu-latest
             version: nightly-latest
     name: Config export
-    needs:
-      - should-run-config-export
-    if: needs.should-run-config-export.outputs.run-check == 'true'
+    if: github.triggering_actor != 'dependabot[bot]'
     permissions:
       contents: read
       security-events: read
@@ -95,18 +64,18 @@ jobs:
           tools: ${{ steps.prepare-test.outputs.tools-url }}
       - uses: ./../action/analyze
         with:
-          output: '${{ runner.temp }}/results'
+          output: ${{ runner.temp }}/results
           upload-database: false
       - name: Upload SARIF
         uses: actions/upload-artifact@v6
         with:
           name: config-export-${{ matrix.os }}-${{ matrix.version }}.sarif.json
-          path: '${{ runner.temp }}/results/javascript.sarif'
+          path: ${{ runner.temp }}/results/javascript.sarif
           retention-days: 7
       - name: Check config properties appear in SARIF
         uses: actions/github-script@v8
         env:
-          SARIF_PATH: '${{ runner.temp }}/results/javascript.sarif'
+          SARIF_PATH: ${{ runner.temp }}/results/javascript.sarif
         with:
           script: |
             const fs = require('fs');
@@ -131,21 +100,3 @@ jobs:
             core.info('Finished config export tests.');
     env:
       CODEQL_ACTION_TEST_MODE: true
-  skip-config-export:
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - os: ubuntu-latest
-            version: linked
-          - os: ubuntu-latest
-            version: nightly-latest
-    name: Config export
-    needs:
-      - should-run-config-export
-    if: needs.should-run-config-export.outputs.run-check != 'true'
-    timeout-minutes: 5
-    runs-on: ubuntu-slim
-    steps:
-      - name: Success
-        run: exit 0

.github/workflows/__config-input.yml

@@ -18,9 +18,6 @@ on:
       - synchronize
       - reopened
       - ready_for_review
-  merge_group:
-    types:
-      - checks_requested
   schedule:
     - cron: '0 5 * * *'
   workflow_dispatch:
@@ -31,35 +28,9 @@ defaults:
   run:
     shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: config-input-${{github.ref}}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
-  should-run-config-input:
-    name: Decide whether to run this check
-    timeout-minutes: 10
-    runs-on: ubuntu-slim
-    if: github.triggering_actor != 'dependabot[bot]'
-    outputs:
-      run-check: ${{ steps.changed-files-check.outputs.run-check || steps.event-type-check.outputs.run-check }}
-    steps:
-      - name: Run check if this is not a PR
-        id: event-type-check
-        if: github.event_name != 'pull_request'
-        run: echo "run-check=true" >> "$GITHUB_OUTPUT"
-      - name: Check out repository
-        if: github.event_name == 'pull_request'
-        uses: actions/checkout@v6
-      - name: Determine changed files
-        id: changed-files
-        if: github.event_name == 'pull_request'
-        uses: ./.github/actions/changed-files
-        with:
-          github-token: ${{ secrets.GITHUB_TOKEN }}
-          exclude: '["README.md"]'
-      - name: Run check because of changed files
-        id: changed-files-check
-        if: github.event_name != 'pull_request' && steps.changed-files.outputs.files != '[]'
-        run: echo "run-check=true" >> "$GITHUB_OUTPUT"
   config-input:
     strategy:
       fail-fast: false
@@ -68,9 +39,7 @@ jobs:
           - os: ubuntu-latest
             version: linked
     name: Config input
-    needs:
-      - should-run-config-input
-    if: needs.should-run-config-input.outputs.run-check == 'true'
+    if: github.triggering_actor != 'dependabot[bot]'
     permissions:
       contents: read
       security-events: read
@@ -123,19 +92,3 @@ jobs:
           queries-not-run: javascript/codeql-action/default-setup-context-properties
     env:
       CODEQL_ACTION_TEST_MODE: true
-  skip-config-input:
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - os: ubuntu-latest
-            version: linked
-    name: Config input
-    needs:
-      - should-run-config-input
-    if: needs.should-run-config-input.outputs.run-check != 'true'
-    timeout-minutes: 5
-    runs-on: ubuntu-slim
-    steps:
-      - name: Success
-        run: exit 0

.github/workflows/__cpp-deptrace-disabled.yml

@@ -18,9 +18,6 @@ on:
       - synchronize
       - reopened
       - ready_for_review
-  merge_group:
-    types:
-      - checks_requested
   schedule:
     - cron: '0 5 * * *'
   workflow_dispatch:
@@ -31,35 +28,9 @@ defaults:
   run:
     shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: cpp-deptrace-disabled-${{github.ref}}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
-  should-run-cpp-deptrace-disabled:
-    name: Decide whether to run this check
-    timeout-minutes: 10
-    runs-on: ubuntu-slim
-    if: github.triggering_actor != 'dependabot[bot]'
-    outputs:
-      run-check: ${{ steps.changed-files-check.outputs.run-check || steps.event-type-check.outputs.run-check }}
-    steps:
-      - name: Run check if this is not a PR
-        id: event-type-check
-        if: github.event_name != 'pull_request'
-        run: echo "run-check=true" >> "$GITHUB_OUTPUT"
-      - name: Check out repository
-        if: github.event_name == 'pull_request'
-        uses: actions/checkout@v6
-      - name: Determine changed files
-        id: changed-files
-        if: github.event_name == 'pull_request'
-        uses: ./.github/actions/changed-files
-        with:
-          github-token: ${{ secrets.GITHUB_TOKEN }}
-          exclude: '["README.md"]'
-      - name: Run check because of changed files
-        id: changed-files-check
-        if: github.event_name != 'pull_request' && steps.changed-files.outputs.files != '[]'
-        run: echo "run-check=true" >> "$GITHUB_OUTPUT"
   cpp-deptrace-disabled:
     strategy:
       fail-fast: false
@@ -72,9 +43,7 @@ jobs:
           - os: ubuntu-latest
             version: nightly-latest
     name: 'C/C++: disabling autoinstalling dependencies (Linux)'
-    needs:
-      - should-run-cpp-deptrace-disabled
-    if: needs.should-run-cpp-deptrace-disabled.outputs.run-check == 'true'
+    if: github.triggering_actor != 'dependabot[bot]'
     permissions:
       contents: read
       security-events: read
@@ -110,23 +79,3 @@ jobs:
     env:
       DOTNET_GENERATE_ASPNET_CERTIFICATE: 'false'
       CODEQL_ACTION_TEST_MODE: true
-  skip-cpp-deptrace-disabled:
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - os: ubuntu-latest
-            version: linked
-          - os: ubuntu-latest
-            version: default
-          - os: ubuntu-latest
-            version: nightly-latest
-    name: 'C/C++: disabling autoinstalling dependencies (Linux)'
-    needs:
-      - should-run-cpp-deptrace-disabled
-    if: needs.should-run-cpp-deptrace-disabled.outputs.run-check != 'true'
-    timeout-minutes: 5
-    runs-on: ubuntu-slim
-    steps:
-      - name: Success
-        run: exit 0

.github/workflows/__cpp-deptrace-enabled-on-macos.yml

@@ -18,9 +18,6 @@ on:
       - synchronize
       - reopened
       - ready_for_review
-  merge_group:
-    types:
-      - checks_requested
   schedule:
     - cron: '0 5 * * *'
   workflow_dispatch:
@@ -31,35 +28,9 @@ defaults:
   run:
     shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: cpp-deptrace-enabled-on-macos-${{github.ref}}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
-  should-run-cpp-deptrace-enabled-on-macos:
-    name: Decide whether to run this check
-    timeout-minutes: 10
-    runs-on: ubuntu-slim
-    if: github.triggering_actor != 'dependabot[bot]'
-    outputs:
-      run-check: ${{ steps.changed-files-check.outputs.run-check || steps.event-type-check.outputs.run-check }}
-    steps:
-      - name: Run check if this is not a PR
-        id: event-type-check
-        if: github.event_name != 'pull_request'
-        run: echo "run-check=true" >> "$GITHUB_OUTPUT"
-      - name: Check out repository
-        if: github.event_name == 'pull_request'
-        uses: actions/checkout@v6
-      - name: Determine changed files
-        id: changed-files
-        if: github.event_name == 'pull_request'
-        uses: ./.github/actions/changed-files
-        with:
-          github-token: ${{ secrets.GITHUB_TOKEN }}
-          exclude: '["README.md"]'
-      - name: Run check because of changed files
-        id: changed-files-check
-        if: github.event_name != 'pull_request' && steps.changed-files.outputs.files != '[]'
-        run: echo "run-check=true" >> "$GITHUB_OUTPUT"
   cpp-deptrace-enabled-on-macos:
     strategy:
       fail-fast: false
@@ -70,9 +41,7 @@ jobs:
           - os: macos-latest
             version: nightly-latest
     name: 'C/C++: autoinstalling dependencies is skipped (macOS)'
-    needs:
-      - should-run-cpp-deptrace-enabled-on-macos
-    if: needs.should-run-cpp-deptrace-enabled-on-macos.outputs.run-check == 'true'
+    if: github.triggering_actor != 'dependabot[bot]'
     permissions:
       contents: read
       security-events: read
@@ -110,21 +79,3 @@ jobs:
     env:
       DOTNET_GENERATE_ASPNET_CERTIFICATE: 'false'
       CODEQL_ACTION_TEST_MODE: true
-  skip-cpp-deptrace-enabled-on-macos:
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - os: macos-latest
-            version: linked
-          - os: macos-latest
-            version: nightly-latest
-    name: 'C/C++: autoinstalling dependencies is skipped (macOS)'
-    needs:
-      - should-run-cpp-deptrace-enabled-on-macos
-    if: needs.should-run-cpp-deptrace-enabled-on-macos.outputs.run-check != 'true'
-    timeout-minutes: 5
-    runs-on: ubuntu-slim
-    steps:
-      - name: Success
-        run: exit 0

.github/workflows/__cpp-deptrace-enabled.yml

@@ -18,9 +18,6 @@ on:
       - synchronize
       - reopened
       - ready_for_review
-  merge_group:
-    types:
-      - checks_requested
   schedule:
     - cron: '0 5 * * *'
   workflow_dispatch:
@@ -31,35 +28,9 @@ defaults:
   run:
     shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: cpp-deptrace-enabled-${{github.ref}}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
-  should-run-cpp-deptrace-enabled:
-    name: Decide whether to run this check
-    timeout-minutes: 10
-    runs-on: ubuntu-slim
-    if: github.triggering_actor != 'dependabot[bot]'
-    outputs:
-      run-check: ${{ steps.changed-files-check.outputs.run-check || steps.event-type-check.outputs.run-check }}
-    steps:
-      - name: Run check if this is not a PR
-        id: event-type-check
-        if: github.event_name != 'pull_request'
-        run: echo "run-check=true" >> "$GITHUB_OUTPUT"
-      - name: Check out repository
-        if: github.event_name == 'pull_request'
-        uses: actions/checkout@v6
-      - name: Determine changed files
-        id: changed-files
-        if: github.event_name == 'pull_request'
-        uses: ./.github/actions/changed-files
-        with:
-          github-token: ${{ secrets.GITHUB_TOKEN }}
-          exclude: '["README.md"]'
-      - name: Run check because of changed files
-        id: changed-files-check
-        if: github.event_name != 'pull_request' && steps.changed-files.outputs.files != '[]'
-        run: echo "run-check=true" >> "$GITHUB_OUTPUT"
   cpp-deptrace-enabled:
     strategy:
       fail-fast: false
@@ -72,9 +43,7 @@ jobs:
           - os: ubuntu-latest
             version: nightly-latest
     name: 'C/C++: autoinstalling dependencies (Linux)'
-    needs:
-      - should-run-cpp-deptrace-enabled
-    if: needs.should-run-cpp-deptrace-enabled.outputs.run-check == 'true'
+    if: github.triggering_actor != 'dependabot[bot]'
     permissions:
       contents: read
       security-events: read
@@ -110,23 +79,3 @@ jobs:
     env:
       DOTNET_GENERATE_ASPNET_CERTIFICATE: 'false'
       CODEQL_ACTION_TEST_MODE: true
-  skip-cpp-deptrace-enabled:
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - os: ubuntu-latest
-            version: linked
-          - os: ubuntu-latest
-            version: default
-          - os: ubuntu-latest
-            version: nightly-latest
-    name: 'C/C++: autoinstalling dependencies (Linux)'
-    needs:
-      - should-run-cpp-deptrace-enabled
-    if: needs.should-run-cpp-deptrace-enabled.outputs.run-check != 'true'
-    timeout-minutes: 5
-    runs-on: ubuntu-slim
-    steps:
-      - name: Success
-        run: exit 0

.github/workflows/__diagnostics-export.yml

@@ -18,9 +18,6 @@ on:
       - synchronize
       - reopened
       - ready_for_review
-  merge_group:
-    types:
-      - checks_requested
   schedule:
     - cron: '0 5 * * *'
   workflow_dispatch:
@@ -31,35 +28,9 @@ defaults:
   run:
     shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: diagnostics-export-${{github.ref}}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
-  should-run-diagnostics-export:
-    name: Decide whether to run this check
-    timeout-minutes: 10
-    runs-on: ubuntu-slim
-    if: github.triggering_actor != 'dependabot[bot]'
-    outputs:
-      run-check: ${{ steps.changed-files-check.outputs.run-check || steps.event-type-check.outputs.run-check }}
-    steps:
-      - name: Run check if this is not a PR
-        id: event-type-check
-        if: github.event_name != 'pull_request'
-        run: echo "run-check=true" >> "$GITHUB_OUTPUT"
-      - name: Check out repository
-        if: github.event_name == 'pull_request'
-        uses: actions/checkout@v6
-      - name: Determine changed files
-        id: changed-files
-        if: github.event_name == 'pull_request'
-        uses: ./.github/actions/changed-files
-        with:
-          github-token: ${{ secrets.GITHUB_TOKEN }}
-          exclude: '["README.md"]'
-      - name: Run check because of changed files
-        id: changed-files-check
-        if: github.event_name != 'pull_request' && steps.changed-files.outputs.files != '[]'
-        run: echo "run-check=true" >> "$GITHUB_OUTPUT"
   diagnostics-export:
     strategy:
       fail-fast: false
@@ -70,9 +41,7 @@ jobs:
           - os: ubuntu-latest
             version: nightly-latest
     name: Diagnostic export
-    needs:
-      - should-run-diagnostics-export
-    if: needs.should-run-diagnostics-export.outputs.run-check == 'true'
+    if: github.triggering_actor != 'dependabot[bot]'
     permissions:
       contents: read
       security-events: read
@@ -106,18 +75,18 @@ jobs:
             --ready-for-status-page
       - uses: ./../action/analyze
         with:
-          output: '${{ runner.temp }}/results'
+          output: ${{ runner.temp }}/results
           upload-database: false
       - name: Upload SARIF
         uses: actions/upload-artifact@v6
         with:
           name: diagnostics-export-${{ matrix.os }}-${{ matrix.version }}.sarif.json
-          path: '${{ runner.temp }}/results/javascript.sarif'
+          path: ${{ runner.temp }}/results/javascript.sarif
           retention-days: 7
       - name: Check diagnostics appear in SARIF
         uses: actions/github-script@v8
         env:
-          SARIF_PATH: '${{ runner.temp }}/results/javascript.sarif'
+          SARIF_PATH: ${{ runner.temp }}/results/javascript.sarif
         with:
           script: |
             const fs = require('fs');
@@ -167,21 +136,3 @@ jobs:
     env:
       CODEQL_ACTION_EXPORT_DIAGNOSTICS: true
       CODEQL_ACTION_TEST_MODE: true
-  skip-diagnostics-export:
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - os: ubuntu-latest
-            version: linked
-          - os: ubuntu-latest
-            version: nightly-latest
-    name: Diagnostic export
-    needs:
-      - should-run-diagnostics-export
-    if: needs.should-run-diagnostics-export.outputs.run-check != 'true'
-    timeout-minutes: 5
-    runs-on: ubuntu-slim
-    steps:
-      - name: Success
-        run: exit 0

.github/workflows/__export-file-baseline-information.yml

@@ -18,68 +18,39 @@ on:
       - synchronize
       - reopened
       - ready_for_review
-  merge_group:
-    types:
-      - checks_requested
   schedule:
     - cron: '0 5 * * *'
   workflow_dispatch:
     inputs:
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
       go-version:
         type: string
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
+      dotnet-version:
+        type: string
+        description: The version of .NET to install
+        required: false
+        default: 9.x
   workflow_call:
     inputs:
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
       go-version:
         type: string
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
+      dotnet-version:
+        type: string
+        description: The version of .NET to install
+        required: false
+        default: 9.x
 defaults:
   run:
     shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: export-file-baseline-information-${{github.ref}}-${{inputs.dotnet-version}}-${{inputs.go-version}}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
-  should-run-export-file-baseline-information:
-    name: Decide whether to run this check
-    timeout-minutes: 10
-    runs-on: ubuntu-slim
-    if: github.triggering_actor != 'dependabot[bot]'
-    outputs:
-      run-check: ${{ steps.changed-files-check.outputs.run-check || steps.event-type-check.outputs.run-check }}
-    steps:
-      - name: Run check if this is not a PR
-        id: event-type-check
-        if: github.event_name != 'pull_request'
-        run: echo "run-check=true" >> "$GITHUB_OUTPUT"
-      - name: Check out repository
-        if: github.event_name == 'pull_request'
-        uses: actions/checkout@v6
-      - name: Determine changed files
-        id: changed-files
-        if: github.event_name == 'pull_request'
-        uses: ./.github/actions/changed-files
-        with:
-          github-token: ${{ secrets.GITHUB_TOKEN }}
-          exclude: '["README.md"]'
-      - name: Run check because of changed files
-        id: changed-files-check
-        if: github.event_name != 'pull_request' && steps.changed-files.outputs.files != '[]'
-        run: echo "run-check=true" >> "$GITHUB_OUTPUT"
   export-file-baseline-information:
     strategy:
       fail-fast: false
@@ -92,9 +63,7 @@ jobs:
           - os: windows-latest
             version: nightly-latest
     name: Export file baseline information
-    needs:
-      - should-run-export-file-baseline-information
-    if: needs.should-run-export-file-baseline-information.outputs.run-check == 'true'
+    if: github.triggering_actor != 'dependabot[bot]'
     permissions:
       contents: read
       security-events: read
@@ -103,15 +72,6 @@ jobs:
     steps:
       - name: Check out repository
         uses: actions/checkout@v6
-      - name: Install .NET
-        uses: actions/setup-dotnet@v5
-        with:
-          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
-      - name: Install Go
-        uses: actions/setup-go@v6
-        with:
-          go-version: ${{ inputs.go-version || '>=1.21.0' }}
-          cache: false
       - name: Prepare test
         id: prepare-test
         uses: ./.github/actions/prepare-test
@@ -119,6 +79,15 @@ jobs:
           version: ${{ matrix.version }}
           use-all-platform-bundle: 'false'
           setup-kotlin: 'true'
+      - name: Install Go
+        uses: actions/setup-go@v6
+        with:
+          go-version: ${{ inputs.go-version || '>=1.21.0' }}
+          cache: false
+      - name: Install .NET
+        uses: actions/setup-dotnet@v5
+        with:
+          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
       - uses: ./../action/init
         id: init
         with:
@@ -128,12 +97,12 @@ jobs:
         run: ./build.sh
       - uses: ./../action/analyze
         with:
-          output: '${{ runner.temp }}/results'
+          output: ${{ runner.temp }}/results
       - name: Upload SARIF
         uses: actions/upload-artifact@v6
         with:
           name: with-baseline-information-${{ matrix.os }}-${{ matrix.version }}.sarif.json
-          path: '${{ runner.temp }}/results/javascript.sarif'
+          path: ${{ runner.temp }}/results/javascript.sarif
           retention-days: 7
       - name: Check results
         run: |
@@ -155,26 +124,5 @@ jobs:
             fi
           done
     env:
-      CODEQL_ACTION_SKIP_FILE_COVERAGE_ON_PRS: false
       CODEQL_ACTION_SUBLANGUAGE_FILE_COVERAGE: true
       CODEQL_ACTION_TEST_MODE: true
-  skip-export-file-baseline-information:
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - os: ubuntu-latest
-            version: nightly-latest
-          - os: macos-latest
-            version: nightly-latest
-          - os: windows-latest
-            version: nightly-latest
-    name: Export file baseline information
-    needs:
-      - should-run-export-file-baseline-information
-    if: needs.should-run-export-file-baseline-information.outputs.run-check != 'true'
-    timeout-minutes: 5
-    runs-on: ubuntu-slim
-    steps:
-      - name: Success
-        run: exit 0

.github/workflows/__extractor-ram-threads.yml

@@ -18,9 +18,6 @@ on:
       - synchronize
       - reopened
       - ready_for_review
-  merge_group:
-    types:
-      - checks_requested
   schedule:
     - cron: '0 5 * * *'
   workflow_dispatch:
@@ -31,35 +28,9 @@ defaults:
   run:
     shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: extractor-ram-threads-${{github.ref}}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
-  should-run-extractor-ram-threads:
-    name: Decide whether to run this check
-    timeout-minutes: 10
-    runs-on: ubuntu-slim
-    if: github.triggering_actor != 'dependabot[bot]'
-    outputs:
-      run-check: ${{ steps.changed-files-check.outputs.run-check || steps.event-type-check.outputs.run-check }}
-    steps:
-      - name: Run check if this is not a PR
-        id: event-type-check
-        if: github.event_name != 'pull_request'
-        run: echo "run-check=true" >> "$GITHUB_OUTPUT"
-      - name: Check out repository
-        if: github.event_name == 'pull_request'
-        uses: actions/checkout@v6
-      - name: Determine changed files
-        id: changed-files
-        if: github.event_name == 'pull_request'
-        uses: ./.github/actions/changed-files
-        with:
-          github-token: ${{ secrets.GITHUB_TOKEN }}
-          exclude: '["README.md"]'
-      - name: Run check because of changed files
-        id: changed-files-check
-        if: github.event_name != 'pull_request' && steps.changed-files.outputs.files != '[]'
-        run: echo "run-check=true" >> "$GITHUB_OUTPUT"
   extractor-ram-threads:
     strategy:
       fail-fast: false
@@ -68,9 +39,7 @@ jobs:
           - os: ubuntu-latest
             version: linked
     name: Extractor ram and threads options test
-    needs:
-      - should-run-extractor-ram-threads
-    if: needs.should-run-extractor-ram-threads.outputs.run-check == 'true'
+    if: github.triggering_actor != 'dependabot[bot]'
     permissions:
       contents: read
       security-events: read
@@ -111,19 +80,3 @@ jobs:
           fi
     env:
       CODEQL_ACTION_TEST_MODE: true
-  skip-extractor-ram-threads:
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - os: ubuntu-latest
-            version: linked
-    name: Extractor ram and threads options test
-    needs:
-      - should-run-extractor-ram-threads
-    if: needs.should-run-extractor-ram-threads.outputs.run-check != 'true'
-    timeout-minutes: 5
-    runs-on: ubuntu-slim
-    steps:
-      - name: Success
-        run: exit 0

.github/workflows/__global-proxy.yml

@@ -18,9 +18,6 @@ on:
       - synchronize
       - reopened
       - ready_for_review
-  merge_group:
-    types:
-      - checks_requested
   schedule:
     - cron: '0 5 * * *'
   workflow_dispatch:
@@ -31,35 +28,9 @@ defaults:
   run:
     shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: global-proxy-${{github.ref}}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
-  should-run-global-proxy:
-    name: Decide whether to run this check
-    timeout-minutes: 10
-    runs-on: ubuntu-slim
-    if: github.triggering_actor != 'dependabot[bot]'
-    outputs:
-      run-check: ${{ steps.changed-files-check.outputs.run-check || steps.event-type-check.outputs.run-check }}
-    steps:
-      - name: Run check if this is not a PR
-        id: event-type-check
-        if: github.event_name != 'pull_request'
-        run: echo "run-check=true" >> "$GITHUB_OUTPUT"
-      - name: Check out repository
-        if: github.event_name == 'pull_request'
-        uses: actions/checkout@v6
-      - name: Determine changed files
-        id: changed-files
-        if: github.event_name == 'pull_request'
-        uses: ./.github/actions/changed-files
-        with:
-          github-token: ${{ secrets.GITHUB_TOKEN }}
-          exclude: '["README.md"]'
-      - name: Run check because of changed files
-        id: changed-files-check
-        if: github.event_name != 'pull_request' && steps.changed-files.outputs.files != '[]'
-        run: echo "run-check=true" >> "$GITHUB_OUTPUT"
   global-proxy:
     strategy:
       fail-fast: false
@@ -70,15 +41,25 @@ jobs:
           - os: ubuntu-latest
             version: nightly-latest
     name: Proxy test
-    needs:
-      - should-run-global-proxy
-    if: needs.should-run-global-proxy.outputs.run-check == 'true'
+    if: github.triggering_actor != 'dependabot[bot]'
     permissions:
       contents: read
       security-events: read
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:
+  # These steps are required to initialise the `gh` cli in a container that doesn't
+  # come pre-installed with it. The reason for that is that this is later
+  # needed by the `prepare-test` workflow to find the latest release of CodeQL.
+      - name: Set up GitHub CLI
+        run: |
+          apt update
+          apt install -y curl libreadline8 gnupg2 software-properties-common zstd
+          curl -fsSL https://cli.github.com/packages/githubcli-archive-keyring.gpg | dd of=/usr/share/keyrings/githubcli-archive-keyring.gpg
+          apt-key add /usr/share/keyrings/githubcli-archive-keyring.gpg
+          apt-add-repository https://cli.github.com/packages
+          apt install -y gh
+        env: {}
       - name: Check out repository
         uses: actions/checkout@v6
       - name: Prepare test
@@ -95,7 +76,6 @@ jobs:
       - uses: ./../action/analyze
     env:
       https_proxy: http://squid-proxy:3128
-      CODEQL_ACTION_TOLERATE_MISSING_GIT_VERSION: true
       CODEQL_ACTION_TEST_MODE: true
     container:
       image: ubuntu:22.04
@@ -104,21 +84,3 @@ jobs:
         image: ubuntu/squid:latest
         ports:
           - 3128:3128
-  skip-global-proxy:
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - os: ubuntu-latest
-            version: linked
-          - os: ubuntu-latest
-            version: nightly-latest
-    name: Proxy test
-    needs:
-      - should-run-global-proxy
-    if: needs.should-run-global-proxy.outputs.run-check != 'true'
-    timeout-minutes: 5
-    runs-on: ubuntu-slim
-    steps:
-      - name: Success
-        run: exit 0

.github/workflows/__go-custom-queries.yml

@@ -18,68 +18,39 @@ on:
       - synchronize
       - reopened
       - ready_for_review
-  merge_group:
-    types:
-      - checks_requested
   schedule:
     - cron: '0 5 * * *'
   workflow_dispatch:
     inputs:
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
       go-version:
         type: string
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
+      dotnet-version:
+        type: string
+        description: The version of .NET to install
+        required: false
+        default: 9.x
   workflow_call:
     inputs:
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
       go-version:
         type: string
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
+      dotnet-version:
+        type: string
+        description: The version of .NET to install
+        required: false
+        default: 9.x
 defaults:
   run:
     shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: go-custom-queries-${{github.ref}}-${{inputs.dotnet-version}}-${{inputs.go-version}}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
-  should-run-go-custom-queries:
-    name: Decide whether to run this check
-    timeout-minutes: 10
-    runs-on: ubuntu-slim
-    if: github.triggering_actor != 'dependabot[bot]'
-    outputs:
-      run-check: ${{ steps.changed-files-check.outputs.run-check || steps.event-type-check.outputs.run-check }}
-    steps:
-      - name: Run check if this is not a PR
-        id: event-type-check
-        if: github.event_name != 'pull_request'
-        run: echo "run-check=true" >> "$GITHUB_OUTPUT"
-      - name: Check out repository
-        if: github.event_name == 'pull_request'
-        uses: actions/checkout@v6
-      - name: Determine changed files
-        id: changed-files
-        if: github.event_name == 'pull_request'
-        uses: ./.github/actions/changed-files
-        with:
-          github-token: ${{ secrets.GITHUB_TOKEN }}
-          exclude: '["README.md"]'
-      - name: Run check because of changed files
-        id: changed-files-check
-        if: github.event_name != 'pull_request' && steps.changed-files.outputs.files != '[]'
-        run: echo "run-check=true" >> "$GITHUB_OUTPUT"
   go-custom-queries:
     strategy:
       fail-fast: false
@@ -90,9 +61,7 @@ jobs:
           - os: ubuntu-latest
             version: nightly-latest
     name: 'Go: Custom queries'
-    needs:
-      - should-run-go-custom-queries
-    if: needs.should-run-go-custom-queries.outputs.run-check == 'true'
+    if: github.triggering_actor != 'dependabot[bot]'
     permissions:
       contents: read
       security-events: read
@@ -101,15 +70,6 @@ jobs:
     steps:
       - name: Check out repository
         uses: actions/checkout@v6
-      - name: Install .NET
-        uses: actions/setup-dotnet@v5
-        with:
-          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
-      - name: Install Go
-        uses: actions/setup-go@v6
-        with:
-          go-version: ${{ inputs.go-version || '>=1.21.0' }}
-          cache: false
       - name: Prepare test
         id: prepare-test
         uses: ./.github/actions/prepare-test
@@ -117,6 +77,15 @@ jobs:
           version: ${{ matrix.version }}
           use-all-platform-bundle: 'false'
           setup-kotlin: 'true'
+      - name: Install Go
+        uses: actions/setup-go@v6
+        with:
+          go-version: ${{ inputs.go-version || '>=1.21.0' }}
+          cache: false
+      - name: Install .NET
+        uses: actions/setup-dotnet@v5
+        with:
+          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
       - uses: ./../action/init
         with:
           languages: go
@@ -128,21 +97,3 @@ jobs:
     env:
       DOTNET_GENERATE_ASPNET_CERTIFICATE: 'false'
       CODEQL_ACTION_TEST_MODE: true
-  skip-go-custom-queries:
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - os: ubuntu-latest
-            version: linked
-          - os: ubuntu-latest
-            version: nightly-latest
-    name: 'Go: Custom queries'
-    needs:
-      - should-run-go-custom-queries
-    if: needs.should-run-go-custom-queries.outputs.run-check != 'true'
-    timeout-minutes: 5
-    runs-on: ubuntu-slim
-    steps:
-      - name: Success
-        run: exit 0

.github/workflows/__go-indirect-tracing-workaround-diagnostic.yml

@@ -18,9 +18,6 @@ on:
       - synchronize
       - reopened
       - ready_for_review
-  merge_group:
-    types:
-      - checks_requested
   schedule:
     - cron: '0 5 * * *'
   workflow_dispatch:
@@ -41,35 +38,9 @@ defaults:
   run:
     shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: go-indirect-tracing-workaround-diagnostic-${{github.ref}}-${{inputs.go-version}}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
-  should-run-go-indirect-tracing-workaround-diagnostic:
-    name: Decide whether to run this check
-    timeout-minutes: 10
-    runs-on: ubuntu-slim
-    if: github.triggering_actor != 'dependabot[bot]'
-    outputs:
-      run-check: ${{ steps.changed-files-check.outputs.run-check || steps.event-type-check.outputs.run-check }}
-    steps:
-      - name: Run check if this is not a PR
-        id: event-type-check
-        if: github.event_name != 'pull_request'
-        run: echo "run-check=true" >> "$GITHUB_OUTPUT"
-      - name: Check out repository
-        if: github.event_name == 'pull_request'
-        uses: actions/checkout@v6
-      - name: Determine changed files
-        id: changed-files
-        if: github.event_name == 'pull_request'
-        uses: ./.github/actions/changed-files
-        with:
-          github-token: ${{ secrets.GITHUB_TOKEN }}
-          exclude: '["README.md"]'
-      - name: Run check because of changed files
-        id: changed-files-check
-        if: github.event_name != 'pull_request' && steps.changed-files.outputs.files != '[]'
-        run: echo "run-check=true" >> "$GITHUB_OUTPUT"
   go-indirect-tracing-workaround-diagnostic:
     strategy:
       fail-fast: false
@@ -78,9 +49,7 @@ jobs:
           - os: ubuntu-latest
             version: default
     name: 'Go: diagnostic when Go is changed after init step'
-    needs:
-      - should-run-go-indirect-tracing-workaround-diagnostic
-    if: needs.should-run-go-indirect-tracing-workaround-diagnostic.outputs.run-check == 'true'
+    if: github.triggering_actor != 'dependabot[bot]'
     permissions:
       contents: read
       security-events: read
@@ -89,11 +58,6 @@ jobs:
     steps:
       - name: Check out repository
         uses: actions/checkout@v6
-      - name: Install Go
-        uses: actions/setup-go@v6
-        with:
-          go-version: ${{ inputs.go-version || '>=1.21.0' }}
-          cache: false
       - name: Prepare test
         id: prepare-test
         uses: ./.github/actions/prepare-test
@@ -101,11 +65,16 @@ jobs:
           version: ${{ matrix.version }}
           use-all-platform-bundle: 'false'
           setup-kotlin: 'true'
+      - name: Install Go
+        uses: actions/setup-go@v6
+        with:
+          go-version: ${{ inputs.go-version || '>=1.21.0' }}
+          cache: false
       - uses: ./../action/init
         with:
           languages: go
           tools: ${{ steps.prepare-test.outputs.tools-url }}
-      # Deliberately change Go after the `init` step
+  # Deliberately change Go after the `init` step
       - uses: actions/setup-go@v6
         with:
           go-version: '1.20'
@@ -113,12 +82,12 @@ jobs:
         run: go build main.go
       - uses: ./../action/analyze
         with:
-          output: '${{ runner.temp }}/results'
+          output: ${{ runner.temp }}/results
           upload-database: false
       - name: Check diagnostic appears in SARIF
         uses: actions/github-script@v8
         env:
-          SARIF_PATH: '${{ runner.temp }}/results/go.sarif'
+          SARIF_PATH: ${{ runner.temp }}/results/go.sarif
         with:
           script: |
             const fs = require('fs');
@@ -140,19 +109,3 @@ jobs:
             }
     env:
       CODEQL_ACTION_TEST_MODE: true
-  skip-go-indirect-tracing-workaround-diagnostic:
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - os: ubuntu-latest
-            version: default
-    name: 'Go: diagnostic when Go is changed after init step'
-    needs:
-      - should-run-go-indirect-tracing-workaround-diagnostic
-    if: needs.should-run-go-indirect-tracing-workaround-diagnostic.outputs.run-check != 'true'
-    timeout-minutes: 5
-    runs-on: ubuntu-slim
-    steps:
-      - name: Success
-        run: exit 0

.github/workflows/__go-indirect-tracing-workaround-no-file-program.yml

@@ -18,9 +18,6 @@ on:
       - synchronize
       - reopened
       - ready_for_review
-  merge_group:
-    types:
-      - checks_requested
   schedule:
     - cron: '0 5 * * *'
   workflow_dispatch:
@@ -41,35 +38,9 @@ defaults:
   run:
     shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: go-indirect-tracing-workaround-no-file-program-${{github.ref}}-${{inputs.go-version}}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
-  should-run-go-indirect-tracing-workaround-no-file-program:
-    name: Decide whether to run this check
-    timeout-minutes: 10
-    runs-on: ubuntu-slim
-    if: github.triggering_actor != 'dependabot[bot]'
-    outputs:
-      run-check: ${{ steps.changed-files-check.outputs.run-check || steps.event-type-check.outputs.run-check }}
-    steps:
-      - name: Run check if this is not a PR
-        id: event-type-check
-        if: github.event_name != 'pull_request'
-        run: echo "run-check=true" >> "$GITHUB_OUTPUT"
-      - name: Check out repository
-        if: github.event_name == 'pull_request'
-        uses: actions/checkout@v6
-      - name: Determine changed files
-        id: changed-files
-        if: github.event_name == 'pull_request'
-        uses: ./.github/actions/changed-files
-        with:
-          github-token: ${{ secrets.GITHUB_TOKEN }}
-          exclude: '["README.md"]'
-      - name: Run check because of changed files
-        id: changed-files-check
-        if: github.event_name != 'pull_request' && steps.changed-files.outputs.files != '[]'
-        run: echo "run-check=true" >> "$GITHUB_OUTPUT"
   go-indirect-tracing-workaround-no-file-program:
     strategy:
       fail-fast: false
@@ -78,9 +49,7 @@ jobs:
           - os: ubuntu-latest
             version: default
     name: 'Go: diagnostic when `file` is not installed'
-    needs:
-      - should-run-go-indirect-tracing-workaround-no-file-program
-    if: needs.should-run-go-indirect-tracing-workaround-no-file-program.outputs.run-check == 'true'
+    if: github.triggering_actor != 'dependabot[bot]'
     permissions:
       contents: read
       security-events: read
@@ -89,11 +58,6 @@ jobs:
     steps:
       - name: Check out repository
         uses: actions/checkout@v6
-      - name: Install Go
-        uses: actions/setup-go@v6
-        with:
-          go-version: ${{ inputs.go-version || '>=1.21.0' }}
-          cache: false
       - name: Prepare test
         id: prepare-test
         uses: ./.github/actions/prepare-test
@@ -101,6 +65,11 @@ jobs:
           version: ${{ matrix.version }}
           use-all-platform-bundle: 'false'
           setup-kotlin: 'true'
+      - name: Install Go
+        uses: actions/setup-go@v6
+        with:
+          go-version: ${{ inputs.go-version || '>=1.21.0' }}
+          cache: false
       - name: Remove `file` program
         run: |
           echo $(which file)
@@ -114,12 +83,12 @@ jobs:
         run: go build main.go
       - uses: ./../action/analyze
         with:
-          output: '${{ runner.temp }}/results'
+          output: ${{ runner.temp }}/results
           upload-database: false
       - name: Check diagnostic appears in SARIF
         uses: actions/github-script@v8
         env:
-          SARIF_PATH: '${{ runner.temp }}/results/go.sarif'
+          SARIF_PATH: ${{ runner.temp }}/results/go.sarif
         with:
           script: |
             const fs = require('fs');
@@ -141,19 +110,3 @@ jobs:
             }
     env:
       CODEQL_ACTION_TEST_MODE: true
-  skip-go-indirect-tracing-workaround-no-file-program:
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - os: ubuntu-latest
-            version: default
-    name: 'Go: diagnostic when `file` is not installed'
-    needs:
-      - should-run-go-indirect-tracing-workaround-no-file-program
-    if: needs.should-run-go-indirect-tracing-workaround-no-file-program.outputs.run-check != 'true'
-    timeout-minutes: 5
-    runs-on: ubuntu-slim
-    steps:
-      - name: Success
-        run: exit 0

.github/workflows/__go-indirect-tracing-workaround.yml

@@ -18,9 +18,6 @@ on:
       - synchronize
       - reopened
       - ready_for_review
-  merge_group:
-    types:
-      - checks_requested
   schedule:
     - cron: '0 5 * * *'
   workflow_dispatch:
@@ -41,35 +38,9 @@ defaults:
   run:
     shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: go-indirect-tracing-workaround-${{github.ref}}-${{inputs.go-version}}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
-  should-run-go-indirect-tracing-workaround:
-    name: Decide whether to run this check
-    timeout-minutes: 10
-    runs-on: ubuntu-slim
-    if: github.triggering_actor != 'dependabot[bot]'
-    outputs:
-      run-check: ${{ steps.changed-files-check.outputs.run-check || steps.event-type-check.outputs.run-check }}
-    steps:
-      - name: Run check if this is not a PR
-        id: event-type-check
-        if: github.event_name != 'pull_request'
-        run: echo "run-check=true" >> "$GITHUB_OUTPUT"
-      - name: Check out repository
-        if: github.event_name == 'pull_request'
-        uses: actions/checkout@v6
-      - name: Determine changed files
-        id: changed-files
-        if: github.event_name == 'pull_request'
-        uses: ./.github/actions/changed-files
-        with:
-          github-token: ${{ secrets.GITHUB_TOKEN }}
-          exclude: '["README.md"]'
-      - name: Run check because of changed files
-        id: changed-files-check
-        if: github.event_name != 'pull_request' && steps.changed-files.outputs.files != '[]'
-        run: echo "run-check=true" >> "$GITHUB_OUTPUT"
   go-indirect-tracing-workaround:
     strategy:
       fail-fast: false
@@ -78,9 +49,7 @@ jobs:
           - os: ubuntu-latest
             version: default
     name: 'Go: workaround for indirect tracing'
-    needs:
-      - should-run-go-indirect-tracing-workaround
-    if: needs.should-run-go-indirect-tracing-workaround.outputs.run-check == 'true'
+    if: github.triggering_actor != 'dependabot[bot]'
     permissions:
       contents: read
       security-events: read
@@ -89,11 +58,6 @@ jobs:
     steps:
       - name: Check out repository
         uses: actions/checkout@v6
-      - name: Install Go
-        uses: actions/setup-go@v6
-        with:
-          go-version: ${{ inputs.go-version || '>=1.21.0' }}
-          cache: false
       - name: Prepare test
         id: prepare-test
         uses: ./.github/actions/prepare-test
@@ -101,6 +65,11 @@ jobs:
           version: ${{ matrix.version }}
           use-all-platform-bundle: 'false'
           setup-kotlin: 'true'
+      - name: Install Go
+        uses: actions/setup-go@v6
+        with:
+          go-version: ${{ inputs.go-version || '>=1.21.0' }}
+          cache: false
       - uses: ./../action/init
         with:
           languages: go
@@ -135,19 +104,3 @@ jobs:
           fi
     env:
       CODEQL_ACTION_TEST_MODE: true
-  skip-go-indirect-tracing-workaround:
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - os: ubuntu-latest
-            version: default
-    name: 'Go: workaround for indirect tracing'
-    needs:
-      - should-run-go-indirect-tracing-workaround
-    if: needs.should-run-go-indirect-tracing-workaround.outputs.run-check != 'true'
-    timeout-minutes: 5
-    runs-on: ubuntu-slim
-    steps:
-      - name: Success
-        run: exit 0

.github/workflows/__go-tracing-autobuilder.yml

@@ -18,9 +18,6 @@ on:
       - synchronize
       - reopened
       - ready_for_review
-  merge_group:
-    types:
-      - checks_requested
   schedule:
     - cron: '0 5 * * *'
   workflow_dispatch:
@@ -41,35 +38,9 @@ defaults:
   run:
     shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: go-tracing-autobuilder-${{github.ref}}-${{inputs.go-version}}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
-  should-run-go-tracing-autobuilder:
-    name: Decide whether to run this check
-    timeout-minutes: 10
-    runs-on: ubuntu-slim
-    if: github.triggering_actor != 'dependabot[bot]'
-    outputs:
-      run-check: ${{ steps.changed-files-check.outputs.run-check || steps.event-type-check.outputs.run-check }}
-    steps:
-      - name: Run check if this is not a PR
-        id: event-type-check
-        if: github.event_name != 'pull_request'
-        run: echo "run-check=true" >> "$GITHUB_OUTPUT"
-      - name: Check out repository
-        if: github.event_name == 'pull_request'
-        uses: actions/checkout@v6
-      - name: Determine changed files
-        id: changed-files
-        if: github.event_name == 'pull_request'
-        uses: ./.github/actions/changed-files
-        with:
-          github-token: ${{ secrets.GITHUB_TOKEN }}
-          exclude: '["README.md"]'
-      - name: Run check because of changed files
-        id: changed-files-check
-        if: github.event_name != 'pull_request' && steps.changed-files.outputs.files != '[]'
-        run: echo "run-check=true" >> "$GITHUB_OUTPUT"
   go-tracing-autobuilder:
     strategy:
       fail-fast: false
@@ -112,9 +83,7 @@ jobs:
           - os: macos-latest
             version: nightly-latest
     name: 'Go: tracing with autobuilder step'
-    needs:
-      - should-run-go-tracing-autobuilder
-    if: needs.should-run-go-tracing-autobuilder.outputs.run-check == 'true'
+    if: github.triggering_actor != 'dependabot[bot]'
     permissions:
       contents: read
       security-events: read
@@ -123,11 +92,6 @@ jobs:
     steps:
       - name: Check out repository
         uses: actions/checkout@v6
-      - name: Install Go
-        uses: actions/setup-go@v6
-        with:
-          go-version: ${{ inputs.go-version || '>=1.21.0' }}
-          cache: false
       - name: Prepare test
         id: prepare-test
         uses: ./.github/actions/prepare-test
@@ -135,6 +99,11 @@ jobs:
           version: ${{ matrix.version }}
           use-all-platform-bundle: 'false'
           setup-kotlin: 'true'
+      - name: Install Go
+        uses: actions/setup-go@v6
+        with:
+          go-version: ${{ inputs.go-version || '>=1.21.0' }}
+          cache: false
       - uses: ./../action/init
         with:
           languages: go
@@ -155,53 +124,3 @@ jobs:
     env:
       DOTNET_GENERATE_ASPNET_CERTIFICATE: 'false'
       CODEQL_ACTION_TEST_MODE: true
-  skip-go-tracing-autobuilder:
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - os: ubuntu-latest
-            version: stable-v2.17.6
-          - os: macos-latest
-            version: stable-v2.17.6
-          - os: ubuntu-latest
-            version: stable-v2.18.4
-          - os: macos-latest
-            version: stable-v2.18.4
-          - os: ubuntu-latest
-            version: stable-v2.19.4
-          - os: macos-latest
-            version: stable-v2.19.4
-          - os: ubuntu-latest
-            version: stable-v2.20.7
-          - os: macos-latest
-            version: stable-v2.20.7
-          - os: ubuntu-latest
-            version: stable-v2.21.4
-          - os: macos-latest
-            version: stable-v2.21.4
-          - os: ubuntu-latest
-            version: stable-v2.22.4
-          - os: macos-latest
-            version: stable-v2.22.4
-          - os: ubuntu-latest
-            version: default
-          - os: macos-latest
-            version: default
-          - os: ubuntu-latest
-            version: linked
-          - os: macos-latest
-            version: linked
-          - os: ubuntu-latest
-            version: nightly-latest
-          - os: macos-latest
-            version: nightly-latest
-    name: 'Go: tracing with autobuilder step'
-    needs:
-      - should-run-go-tracing-autobuilder
-    if: needs.should-run-go-tracing-autobuilder.outputs.run-check != 'true'
-    timeout-minutes: 5
-    runs-on: ubuntu-slim
-    steps:
-      - name: Success
-        run: exit 0

.github/workflows/__go-tracing-custom-build-steps.yml

@@ -18,9 +18,6 @@ on:
       - synchronize
       - reopened
       - ready_for_review
-  merge_group:
-    types:
-      - checks_requested
   schedule:
     - cron: '0 5 * * *'
   workflow_dispatch:
@@ -41,35 +38,9 @@ defaults:
   run:
     shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: go-tracing-custom-build-steps-${{github.ref}}-${{inputs.go-version}}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
-  should-run-go-tracing-custom-build-steps:
-    name: Decide whether to run this check
-    timeout-minutes: 10
-    runs-on: ubuntu-slim
-    if: github.triggering_actor != 'dependabot[bot]'
-    outputs:
-      run-check: ${{ steps.changed-files-check.outputs.run-check || steps.event-type-check.outputs.run-check }}
-    steps:
-      - name: Run check if this is not a PR
-        id: event-type-check
-        if: github.event_name != 'pull_request'
-        run: echo "run-check=true" >> "$GITHUB_OUTPUT"
-      - name: Check out repository
-        if: github.event_name == 'pull_request'
-        uses: actions/checkout@v6
-      - name: Determine changed files
-        id: changed-files
-        if: github.event_name == 'pull_request'
-        uses: ./.github/actions/changed-files
-        with:
-          github-token: ${{ secrets.GITHUB_TOKEN }}
-          exclude: '["README.md"]'
-      - name: Run check because of changed files
-        id: changed-files-check
-        if: github.event_name != 'pull_request' && steps.changed-files.outputs.files != '[]'
-        run: echo "run-check=true" >> "$GITHUB_OUTPUT"
   go-tracing-custom-build-steps:
     strategy:
       fail-fast: false
@@ -112,9 +83,7 @@ jobs:
           - os: macos-latest
             version: nightly-latest
     name: 'Go: tracing with custom build steps'
-    needs:
-      - should-run-go-tracing-custom-build-steps
-    if: needs.should-run-go-tracing-custom-build-steps.outputs.run-check == 'true'
+    if: github.triggering_actor != 'dependabot[bot]'
     permissions:
       contents: read
       security-events: read
@@ -123,11 +92,6 @@ jobs:
     steps:
       - name: Check out repository
         uses: actions/checkout@v6
-      - name: Install Go
-        uses: actions/setup-go@v6
-        with:
-          go-version: ${{ inputs.go-version || '>=1.21.0' }}
-          cache: false
       - name: Prepare test
         id: prepare-test
         uses: ./.github/actions/prepare-test
@@ -135,6 +99,11 @@ jobs:
           version: ${{ matrix.version }}
           use-all-platform-bundle: 'false'
           setup-kotlin: 'true'
+      - name: Install Go
+        uses: actions/setup-go@v6
+        with:
+          go-version: ${{ inputs.go-version || '>=1.21.0' }}
+          cache: false
       - uses: ./../action/init
         with:
           languages: go
@@ -158,53 +127,3 @@ jobs:
           fi
     env:
       CODEQL_ACTION_TEST_MODE: true
-  skip-go-tracing-custom-build-steps:
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - os: ubuntu-latest
-            version: stable-v2.17.6
-          - os: macos-latest
-            version: stable-v2.17.6
-          - os: ubuntu-latest
-            version: stable-v2.18.4
-          - os: macos-latest
-            version: stable-v2.18.4
-          - os: ubuntu-latest
-            version: stable-v2.19.4
-          - os: macos-latest
-            version: stable-v2.19.4
-          - os: ubuntu-latest
-            version: stable-v2.20.7
-          - os: macos-latest
-            version: stable-v2.20.7
-          - os: ubuntu-latest
-            version: stable-v2.21.4
-          - os: macos-latest
-            version: stable-v2.21.4
-          - os: ubuntu-latest
-            version: stable-v2.22.4
-          - os: macos-latest
-            version: stable-v2.22.4
-          - os: ubuntu-latest
-            version: default
-          - os: macos-latest
-            version: default
-          - os: ubuntu-latest
-            version: linked
-          - os: macos-latest
-            version: linked
-          - os: ubuntu-latest
-            version: nightly-latest
-          - os: macos-latest
-            version: nightly-latest
-    name: 'Go: tracing with custom build steps'
-    needs:
-      - should-run-go-tracing-custom-build-steps
-    if: needs.should-run-go-tracing-custom-build-steps.outputs.run-check != 'true'
-    timeout-minutes: 5
-    runs-on: ubuntu-slim
-    steps:
-      - name: Success
-        run: exit 0

.github/workflows/__go-tracing-legacy-workflow.yml

@@ -18,9 +18,6 @@ on:
       - synchronize
       - reopened
       - ready_for_review
-  merge_group:
-    types:
-      - checks_requested
   schedule:
     - cron: '0 5 * * *'
   workflow_dispatch:
@@ -41,35 +38,9 @@ defaults:
   run:
     shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: go-tracing-legacy-workflow-${{github.ref}}-${{inputs.go-version}}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
-  should-run-go-tracing-legacy-workflow:
-    name: Decide whether to run this check
-    timeout-minutes: 10
-    runs-on: ubuntu-slim
-    if: github.triggering_actor != 'dependabot[bot]'
-    outputs:
-      run-check: ${{ steps.changed-files-check.outputs.run-check || steps.event-type-check.outputs.run-check }}
-    steps:
-      - name: Run check if this is not a PR
-        id: event-type-check
-        if: github.event_name != 'pull_request'
-        run: echo "run-check=true" >> "$GITHUB_OUTPUT"
-      - name: Check out repository
-        if: github.event_name == 'pull_request'
-        uses: actions/checkout@v6
-      - name: Determine changed files
-        id: changed-files
-        if: github.event_name == 'pull_request'
-        uses: ./.github/actions/changed-files
-        with:
-          github-token: ${{ secrets.GITHUB_TOKEN }}
-          exclude: '["README.md"]'
-      - name: Run check because of changed files
-        id: changed-files-check
-        if: github.event_name != 'pull_request' && steps.changed-files.outputs.files != '[]'
-        run: echo "run-check=true" >> "$GITHUB_OUTPUT"
   go-tracing-legacy-workflow:
     strategy:
       fail-fast: false
@@ -112,9 +83,7 @@ jobs:
           - os: macos-latest
             version: nightly-latest
     name: 'Go: tracing with legacy workflow'
-    needs:
-      - should-run-go-tracing-legacy-workflow
-    if: needs.should-run-go-tracing-legacy-workflow.outputs.run-check == 'true'
+    if: github.triggering_actor != 'dependabot[bot]'
     permissions:
       contents: read
       security-events: read
@@ -123,11 +92,6 @@ jobs:
     steps:
       - name: Check out repository
         uses: actions/checkout@v6
-      - name: Install Go
-        uses: actions/setup-go@v6
-        with:
-          go-version: ${{ inputs.go-version || '>=1.21.0' }}
-          cache: false
       - name: Prepare test
         id: prepare-test
         uses: ./.github/actions/prepare-test
@@ -135,6 +99,11 @@ jobs:
           version: ${{ matrix.version }}
           use-all-platform-bundle: 'false'
           setup-kotlin: 'true'
+      - name: Install Go
+        uses: actions/setup-go@v6
+        with:
+          go-version: ${{ inputs.go-version || '>=1.21.0' }}
+          cache: false
       - uses: ./../action/init
         with:
           languages: go
@@ -149,53 +118,3 @@ jobs:
     env:
       DOTNET_GENERATE_ASPNET_CERTIFICATE: 'false'
       CODEQL_ACTION_TEST_MODE: true
-  skip-go-tracing-legacy-workflow:
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - os: ubuntu-latest
-            version: stable-v2.17.6
-          - os: macos-latest
-            version: stable-v2.17.6
-          - os: ubuntu-latest
-            version: stable-v2.18.4
-          - os: macos-latest
-            version: stable-v2.18.4
-          - os: ubuntu-latest
-            version: stable-v2.19.4
-          - os: macos-latest
-            version: stable-v2.19.4
-          - os: ubuntu-latest
-            version: stable-v2.20.7
-          - os: macos-latest
-            version: stable-v2.20.7
-          - os: ubuntu-latest
-            version: stable-v2.21.4
-          - os: macos-latest
-            version: stable-v2.21.4
-          - os: ubuntu-latest
-            version: stable-v2.22.4
-          - os: macos-latest
-            version: stable-v2.22.4
-          - os: ubuntu-latest
-            version: default
-          - os: macos-latest
-            version: default
-          - os: ubuntu-latest
-            version: linked
-          - os: macos-latest
-            version: linked
-          - os: ubuntu-latest
-            version: nightly-latest
-          - os: macos-latest
-            version: nightly-latest
-    name: 'Go: tracing with legacy workflow'
-    needs:
-      - should-run-go-tracing-legacy-workflow
-    if: needs.should-run-go-tracing-legacy-workflow.outputs.run-check != 'true'
-    timeout-minutes: 5
-    runs-on: ubuntu-slim
-    steps:
-      - name: Success
-        run: exit 0

.github/workflows/__go.yml

@@ -10,16 +10,16 @@ env:
 on:
   workflow_dispatch:
     inputs:
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
       go-version:
         type: string
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
+      dotnet-version:
+        type: string
+        description: The version of .NET to install
+        required: false
+        default: 9.x
 jobs:
   go-custom-queries:
     name: 'Go: Custom queries'
@@ -28,8 +28,8 @@ jobs:
       security-events: read
     uses: ./.github/workflows/__go-custom-queries.yml
     with:
-      dotnet-version: ${{ inputs.dotnet-version }}
       go-version: ${{ inputs.go-version }}
+      dotnet-version: ${{ inputs.dotnet-version }}
   go-indirect-tracing-workaround-diagnostic:
     name: 'Go: diagnostic when Go is changed after init step'
     permissions:

.github/workflows/__init-with-registries.yml

@@ -18,9 +18,6 @@ on:
       - synchronize
       - reopened
       - ready_for_review
-  merge_group:
-    types:
-      - checks_requested
   schedule:
     - cron: '0 5 * * *'
   workflow_dispatch:
@@ -31,35 +28,9 @@ defaults:
   run:
     shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: init-with-registries-${{github.ref}}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
-  should-run-init-with-registries:
-    name: Decide whether to run this check
-    timeout-minutes: 10
-    runs-on: ubuntu-slim
-    if: github.triggering_actor != 'dependabot[bot]'
-    outputs:
-      run-check: ${{ steps.changed-files-check.outputs.run-check || steps.event-type-check.outputs.run-check }}
-    steps:
-      - name: Run check if this is not a PR
-        id: event-type-check
-        if: github.event_name != 'pull_request'
-        run: echo "run-check=true" >> "$GITHUB_OUTPUT"
-      - name: Check out repository
-        if: github.event_name == 'pull_request'
-        uses: actions/checkout@v6
-      - name: Determine changed files
-        id: changed-files
-        if: github.event_name == 'pull_request'
-        uses: ./.github/actions/changed-files
-        with:
-          github-token: ${{ secrets.GITHUB_TOKEN }}
-          exclude: '["README.md"]'
-      - name: Run check because of changed files
-        id: changed-files-check
-        if: github.event_name != 'pull_request' && steps.changed-files.outputs.files != '[]'
-        run: echo "run-check=true" >> "$GITHUB_OUTPUT"
   init-with-registries:
     strategy:
       fail-fast: false
@@ -72,12 +43,11 @@ jobs:
           - os: ubuntu-latest
             version: nightly-latest
     name: 'Packaging: Download using registries'
-    needs:
-      - should-run-init-with-registries
-    if: needs.should-run-init-with-registries.outputs.run-check == 'true'
+    if: github.triggering_actor != 'dependabot[bot]'
     permissions:
       contents: read
       packages: read
+
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:
@@ -93,7 +63,7 @@ jobs:
       - name: Init with registries
         uses: ./../action/init
         with:
-          db-location: '${{ runner.temp }}/customDbLocation'
+          db-location: ${{ runner.temp }}/customDbLocation
           tools: ${{ steps.prepare-test.outputs.tools-url }}
           config-file: ./.github/codeql/codeql-config-registries.yml
           languages: javascript
@@ -150,23 +120,3 @@ jobs:
           fi
     env:
       CODEQL_ACTION_TEST_MODE: true
-  skip-init-with-registries:
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - os: ubuntu-latest
-            version: default
-          - os: ubuntu-latest
-            version: linked
-          - os: ubuntu-latest
-            version: nightly-latest
-    name: 'Packaging: Download using registries'
-    needs:
-      - should-run-init-with-registries
-    if: needs.should-run-init-with-registries.outputs.run-check != 'true'
-    timeout-minutes: 5
-    runs-on: ubuntu-slim
-    steps:
-      - name: Success
-        run: exit 0

.github/workflows/__javascript-source-root.yml

@@ -18,9 +18,6 @@ on:
       - synchronize
       - reopened
       - ready_for_review
-  merge_group:
-    types:
-      - checks_requested
   schedule:
     - cron: '0 5 * * *'
   workflow_dispatch:
@@ -31,35 +28,9 @@ defaults:
   run:
     shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: javascript-source-root-${{github.ref}}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
-  should-run-javascript-source-root:
-    name: Decide whether to run this check
-    timeout-minutes: 10
-    runs-on: ubuntu-slim
-    if: github.triggering_actor != 'dependabot[bot]'
-    outputs:
-      run-check: ${{ steps.changed-files-check.outputs.run-check || steps.event-type-check.outputs.run-check }}
-    steps:
-      - name: Run check if this is not a PR
-        id: event-type-check
-        if: github.event_name != 'pull_request'
-        run: echo "run-check=true" >> "$GITHUB_OUTPUT"
-      - name: Check out repository
-        if: github.event_name == 'pull_request'
-        uses: actions/checkout@v6
-      - name: Determine changed files
-        id: changed-files
-        if: github.event_name == 'pull_request'
-        uses: ./.github/actions/changed-files
-        with:
-          github-token: ${{ secrets.GITHUB_TOKEN }}
-          exclude: '["README.md"]'
-      - name: Run check because of changed files
-        id: changed-files-check
-        if: github.event_name != 'pull_request' && steps.changed-files.outputs.files != '[]'
-        run: echo "run-check=true" >> "$GITHUB_OUTPUT"
   javascript-source-root:
     strategy:
       fail-fast: false
@@ -72,9 +43,7 @@ jobs:
           - os: ubuntu-latest
             version: nightly-latest
     name: Custom source root
-    needs:
-      - should-run-javascript-source-root
-    if: needs.should-run-javascript-source-root.outputs.run-check == 'true'
+    if: github.triggering_actor != 'dependabot[bot]'
     permissions:
       contents: read
       security-events: read
@@ -111,23 +80,3 @@ jobs:
           fi
     env:
       CODEQL_ACTION_TEST_MODE: true
-  skip-javascript-source-root:
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - os: ubuntu-latest
-            version: linked
-          - os: ubuntu-latest
-            version: default
-          - os: ubuntu-latest
-            version: nightly-latest
-    name: Custom source root
-    needs:
-      - should-run-javascript-source-root
-    if: needs.should-run-javascript-source-root.outputs.run-check != 'true'
-    timeout-minutes: 5
-    runs-on: ubuntu-slim
-    steps:
-      - name: Success
-        run: exit 0

.github/workflows/__job-run-uuid-sarif.yml

@@ -18,9 +18,6 @@ on:
       - synchronize
       - reopened
       - ready_for_review
-  merge_group:
-    types:
-      - checks_requested
   schedule:
     - cron: '0 5 * * *'
   workflow_dispatch:
@@ -31,35 +28,9 @@ defaults:
   run:
     shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: job-run-uuid-sarif-${{github.ref}}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
-  should-run-job-run-uuid-sarif:
-    name: Decide whether to run this check
-    timeout-minutes: 10
-    runs-on: ubuntu-slim
-    if: github.triggering_actor != 'dependabot[bot]'
-    outputs:
-      run-check: ${{ steps.changed-files-check.outputs.run-check || steps.event-type-check.outputs.run-check }}
-    steps:
-      - name: Run check if this is not a PR
-        id: event-type-check
-        if: github.event_name != 'pull_request'
-        run: echo "run-check=true" >> "$GITHUB_OUTPUT"
-      - name: Check out repository
-        if: github.event_name == 'pull_request'
-        uses: actions/checkout@v6
-      - name: Determine changed files
-        id: changed-files
-        if: github.event_name == 'pull_request'
-        uses: ./.github/actions/changed-files
-        with:
-          github-token: ${{ secrets.GITHUB_TOKEN }}
-          exclude: '["README.md"]'
-      - name: Run check because of changed files
-        id: changed-files-check
-        if: github.event_name != 'pull_request' && steps.changed-files.outputs.files != '[]'
-        run: echo "run-check=true" >> "$GITHUB_OUTPUT"
   job-run-uuid-sarif:
     strategy:
       fail-fast: false
@@ -68,9 +39,7 @@ jobs:
           - os: ubuntu-latest
             version: nightly-latest
     name: Job run UUID added to SARIF
-    needs:
-      - should-run-job-run-uuid-sarif
-    if: needs.should-run-job-run-uuid-sarif.outputs.run-check == 'true'
+    if: github.triggering_actor != 'dependabot[bot]'
     permissions:
       contents: read
       security-events: read
@@ -93,12 +62,12 @@ jobs:
           tools: ${{ steps.prepare-test.outputs.tools-url }}
       - uses: ./../action/analyze
         with:
-          output: '${{ runner.temp }}/results'
+          output: ${{ runner.temp }}/results
       - name: Upload SARIF
         uses: actions/upload-artifact@v6
         with:
           name: ${{ matrix.os }}-${{ matrix.version }}.sarif.json
-          path: '${{ runner.temp }}/results/javascript.sarif'
+          path: ${{ runner.temp }}/results/javascript.sarif
           retention-days: 7
       - name: Check results
         run: |
@@ -112,19 +81,3 @@ jobs:
           fi
     env:
       CODEQL_ACTION_TEST_MODE: true
-  skip-job-run-uuid-sarif:
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - os: ubuntu-latest
-            version: nightly-latest
-    name: Job run UUID added to SARIF
-    needs:
-      - should-run-job-run-uuid-sarif
-    if: needs.should-run-job-run-uuid-sarif.outputs.run-check != 'true'
-    timeout-minutes: 5
-    runs-on: ubuntu-slim
-    steps:
-      - name: Success
-        run: exit 0

.github/workflows/__language-aliases.yml

@@ -18,9 +18,6 @@ on:
       - synchronize
       - reopened
       - ready_for_review
-  merge_group:
-    types:
-      - checks_requested
   schedule:
     - cron: '0 5 * * *'
   workflow_dispatch:
@@ -31,35 +28,9 @@ defaults:
   run:
     shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: language-aliases-${{github.ref}}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
-  should-run-language-aliases:
-    name: Decide whether to run this check
-    timeout-minutes: 10
-    runs-on: ubuntu-slim
-    if: github.triggering_actor != 'dependabot[bot]'
-    outputs:
-      run-check: ${{ steps.changed-files-check.outputs.run-check || steps.event-type-check.outputs.run-check }}
-    steps:
-      - name: Run check if this is not a PR
-        id: event-type-check
-        if: github.event_name != 'pull_request'
-        run: echo "run-check=true" >> "$GITHUB_OUTPUT"
-      - name: Check out repository
-        if: github.event_name == 'pull_request'
-        uses: actions/checkout@v6
-      - name: Determine changed files
-        id: changed-files
-        if: github.event_name == 'pull_request'
-        uses: ./.github/actions/changed-files
-        with:
-          github-token: ${{ secrets.GITHUB_TOKEN }}
-          exclude: '["README.md"]'
-      - name: Run check because of changed files
-        id: changed-files-check
-        if: github.event_name != 'pull_request' && steps.changed-files.outputs.files != '[]'
-        run: echo "run-check=true" >> "$GITHUB_OUTPUT"
   language-aliases:
     strategy:
       fail-fast: false
@@ -68,9 +39,7 @@ jobs:
           - os: ubuntu-latest
             version: linked
     name: Language aliases
-    needs:
-      - should-run-language-aliases
-    if: needs.should-run-language-aliases.outputs.run-check == 'true'
+    if: github.triggering_actor != 'dependabot[bot]'
     permissions:
       contents: read
       security-events: read
@@ -91,7 +60,7 @@ jobs:
           languages: C#,java-kotlin,swift,typescript
           tools: ${{ steps.prepare-test.outputs.tools-url }}
 
-      - name: 'Check languages'
+      - name: Check languages
         run: |
           expected_languages="csharp,java,swift,javascript"
           actual_languages=$(jq -r '.languages | join(",")' "$RUNNER_TEMP"/config)
@@ -103,19 +72,3 @@ jobs:
           fi
     env:
       CODEQL_ACTION_TEST_MODE: true
-  skip-language-aliases:
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - os: ubuntu-latest
-            version: linked
-    name: Language aliases
-    needs:
-      - should-run-language-aliases
-    if: needs.should-run-language-aliases.outputs.run-check != 'true'
-    timeout-minutes: 5
-    runs-on: ubuntu-slim
-    steps:
-      - name: Success
-        run: exit 0

.github/workflows/__local-bundle.yml

@@ -18,18 +18,10 @@ on:
       - synchronize
       - reopened
       - ready_for_review
-  merge_group:
-    types:
-      - checks_requested
   schedule:
     - cron: '0 5 * * *'
   workflow_dispatch:
     inputs:
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
       go-version:
         type: string
         description: The version of Go to install
@@ -40,13 +32,13 @@ on:
         description: The version of Python to install
         required: false
         default: '3.13'
+      dotnet-version:
+        type: string
+        description: The version of .NET to install
+        required: false
+        default: 9.x
   workflow_call:
     inputs:
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
       go-version:
         type: string
         description: The version of Go to install
@@ -57,39 +49,18 @@ on:
         description: The version of Python to install
         required: false
         default: '3.13'
+      dotnet-version:
+        type: string
+        description: The version of .NET to install
+        required: false
+        default: 9.x
 defaults:
   run:
     shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: local-bundle-${{github.ref}}-${{inputs.dotnet-version}}-${{inputs.go-version}}-${{inputs.python-version}}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
-  should-run-local-bundle:
-    name: Decide whether to run this check
-    timeout-minutes: 10
-    runs-on: ubuntu-slim
-    if: github.triggering_actor != 'dependabot[bot]'
-    outputs:
-      run-check: ${{ steps.changed-files-check.outputs.run-check || steps.event-type-check.outputs.run-check }}
-    steps:
-      - name: Run check if this is not a PR
-        id: event-type-check
-        if: github.event_name != 'pull_request'
-        run: echo "run-check=true" >> "$GITHUB_OUTPUT"
-      - name: Check out repository
-        if: github.event_name == 'pull_request'
-        uses: actions/checkout@v6
-      - name: Determine changed files
-        id: changed-files
-        if: github.event_name == 'pull_request'
-        uses: ./.github/actions/changed-files
-        with:
-          github-token: ${{ secrets.GITHUB_TOKEN }}
-          exclude: '["README.md"]'
-      - name: Run check because of changed files
-        id: changed-files-check
-        if: github.event_name != 'pull_request' && steps.changed-files.outputs.files != '[]'
-        run: echo "run-check=true" >> "$GITHUB_OUTPUT"
   local-bundle:
     strategy:
       fail-fast: false
@@ -98,9 +69,7 @@ jobs:
           - os: ubuntu-latest
             version: linked
     name: Local CodeQL bundle
-    needs:
-      - should-run-local-bundle
-    if: needs.should-run-local-bundle.outputs.run-check == 'true'
+    if: github.triggering_actor != 'dependabot[bot]'
     permissions:
       contents: read
       security-events: read
@@ -109,20 +78,6 @@ jobs:
     steps:
       - name: Check out repository
         uses: actions/checkout@v6
-      - name: Install .NET
-        uses: actions/setup-dotnet@v5
-        with:
-          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
-      - name: Install Go
-        uses: actions/setup-go@v6
-        with:
-          go-version: ${{ inputs.go-version || '>=1.21.0' }}
-          cache: false
-      - name: Install Python
-        if: matrix.version != 'nightly-latest' || !matrix.version
-        uses: actions/setup-python@v6
-        with:
-          python-version: ${{ inputs.python-version || '3.13' }}
       - name: Prepare test
         id: prepare-test
         uses: ./.github/actions/prepare-test
@@ -130,13 +85,27 @@ jobs:
           version: ${{ matrix.version }}
           use-all-platform-bundle: 'false'
           setup-kotlin: 'true'
+      - name: Install Go
+        uses: actions/setup-go@v6
+        with:
+          go-version: ${{ inputs.go-version || '>=1.21.0' }}
+          cache: false
+      - name: Install Python
+        if: matrix.version != 'nightly-latest'
+        uses: actions/setup-python@v6
+        with:
+          python-version: ${{ inputs.python-version || '3.13' }}
+      - name: Install .NET
+        uses: actions/setup-dotnet@v5
+        with:
+          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
       - name: Fetch latest CodeQL bundle
         run: |
           wget https://github.com/github/codeql-action/releases/latest/download/codeql-bundle-linux64.tar.zst
       - id: init
         uses: ./../action/init
         with:
-          # Swift is not supported on Ubuntu so we manually exclude it from the list here
+      # Swift is not supported on Ubuntu so we manually exclude it from the list here
           languages: cpp,csharp,go,java,javascript,python,ruby
           tools: ./codeql-bundle-linux64.tar.zst
       - name: Build code
@@ -144,19 +113,3 @@ jobs:
       - uses: ./../action/analyze
     env:
       CODEQL_ACTION_TEST_MODE: true
-  skip-local-bundle:
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - os: ubuntu-latest
-            version: linked
-    name: Local CodeQL bundle
-    needs:
-      - should-run-local-bundle
-    if: needs.should-run-local-bundle.outputs.run-check != 'true'
-    timeout-minutes: 5
-    runs-on: ubuntu-slim
-    steps:
-      - name: Success
-        run: exit 0

.github/workflows/__multi-language-autodetect.yml

@@ -18,18 +18,10 @@ on:
       - synchronize
       - reopened
       - ready_for_review
-  merge_group:
-    types:
-      - checks_requested
   schedule:
     - cron: '0 5 * * *'
   workflow_dispatch:
     inputs:
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
       go-version:
         type: string
         description: The version of Go to install
@@ -40,13 +32,13 @@ on:
         description: The version of Python to install
         required: false
         default: '3.13'
+      dotnet-version:
+        type: string
+        description: The version of .NET to install
+        required: false
+        default: 9.x
   workflow_call:
     inputs:
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
       go-version:
         type: string
         description: The version of Go to install
@@ -57,39 +49,18 @@ on:
         description: The version of Python to install
         required: false
         default: '3.13'
+      dotnet-version:
+        type: string
+        description: The version of .NET to install
+        required: false
+        default: 9.x
 defaults:
   run:
     shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: multi-language-autodetect-${{github.ref}}-${{inputs.dotnet-version}}-${{inputs.go-version}}-${{inputs.python-version}}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
-  should-run-multi-language-autodetect:
-    name: Decide whether to run this check
-    timeout-minutes: 10
-    runs-on: ubuntu-slim
-    if: github.triggering_actor != 'dependabot[bot]'
-    outputs:
-      run-check: ${{ steps.changed-files-check.outputs.run-check || steps.event-type-check.outputs.run-check }}
-    steps:
-      - name: Run check if this is not a PR
-        id: event-type-check
-        if: github.event_name != 'pull_request'
-        run: echo "run-check=true" >> "$GITHUB_OUTPUT"
-      - name: Check out repository
-        if: github.event_name == 'pull_request'
-        uses: actions/checkout@v6
-      - name: Determine changed files
-        id: changed-files
-        if: github.event_name == 'pull_request'
-        uses: ./.github/actions/changed-files
-        with:
-          github-token: ${{ secrets.GITHUB_TOKEN }}
-          exclude: '["README.md"]'
-      - name: Run check because of changed files
-        id: changed-files-check
-        if: github.event_name != 'pull_request' && steps.changed-files.outputs.files != '[]'
-        run: echo "run-check=true" >> "$GITHUB_OUTPUT"
   multi-language-autodetect:
     strategy:
       fail-fast: false
@@ -132,9 +103,7 @@ jobs:
           - os: ubuntu-latest
             version: nightly-latest
     name: Multi-language repository
-    needs:
-      - should-run-multi-language-autodetect
-    if: needs.should-run-multi-language-autodetect.outputs.run-check == 'true'
+    if: github.triggering_actor != 'dependabot[bot]'
     permissions:
       contents: read
       security-events: read
@@ -143,20 +112,6 @@ jobs:
     steps:
       - name: Check out repository
         uses: actions/checkout@v6
-      - name: Install .NET
-        uses: actions/setup-dotnet@v5
-        with:
-          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
-      - name: Install Go
-        uses: actions/setup-go@v6
-        with:
-          go-version: ${{ inputs.go-version || '>=1.21.0' }}
-          cache: false
-      - name: Install Python
-        if: matrix.version != 'nightly-latest' || !matrix.version
-        uses: actions/setup-python@v6
-        with:
-          python-version: ${{ inputs.python-version || '3.13' }}
       - name: Prepare test
         id: prepare-test
         uses: ./.github/actions/prepare-test
@@ -164,6 +119,20 @@ jobs:
           version: ${{ matrix.version }}
           use-all-platform-bundle: 'false'
           setup-kotlin: 'true'
+      - name: Install Go
+        uses: actions/setup-go@v6
+        with:
+          go-version: ${{ inputs.go-version || '>=1.21.0' }}
+          cache: false
+      - name: Install Python
+        if: matrix.version != 'nightly-latest'
+        uses: actions/setup-python@v6
+        with:
+          python-version: ${{ inputs.python-version || '3.13' }}
+      - name: Install .NET
+        uses: actions/setup-dotnet@v5
+        with:
+          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
       - name: Use Xcode 16
         if: runner.os == 'macOS' && matrix.version != 'nightly-latest'
         run: sudo xcode-select -s "/Applications/Xcode_16.app"
@@ -171,8 +140,9 @@ jobs:
       - uses: ./../action/init
         id: init
         with:
-          db-location: '${{ runner.temp }}/customDbLocation'
-          languages: ${{ runner.os == 'Linux' && 'cpp,csharp,go,java,javascript,python,ruby' || '' }}
+          db-location: ${{ runner.temp }}/customDbLocation
+          languages: ${{ runner.os == 'Linux' && 'cpp,csharp,go,java,javascript,python,ruby'
+            || '' }}
           tools: ${{ steps.prepare-test.outputs.tools-url }}
 
       - name: Build code
@@ -232,53 +202,3 @@ jobs:
     env:
       CODEQL_ACTION_RESOLVE_SUPPORTED_LANGUAGES_USING_CLI: true
       CODEQL_ACTION_TEST_MODE: true
-  skip-multi-language-autodetect:
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - os: macos-latest
-            version: stable-v2.17.6
-          - os: ubuntu-latest
-            version: stable-v2.17.6
-          - os: macos-latest
-            version: stable-v2.18.4
-          - os: ubuntu-latest
-            version: stable-v2.18.4
-          - os: macos-latest
-            version: stable-v2.19.4
-          - os: ubuntu-latest
-            version: stable-v2.19.4
-          - os: macos-latest
-            version: stable-v2.20.7
-          - os: ubuntu-latest
-            version: stable-v2.20.7
-          - os: macos-latest
-            version: stable-v2.21.4
-          - os: ubuntu-latest
-            version: stable-v2.21.4
-          - os: macos-latest
-            version: stable-v2.22.4
-          - os: ubuntu-latest
-            version: stable-v2.22.4
-          - os: macos-latest
-            version: default
-          - os: ubuntu-latest
-            version: default
-          - os: macos-latest
-            version: linked
-          - os: ubuntu-latest
-            version: linked
-          - os: macos-latest
-            version: nightly-latest
-          - os: ubuntu-latest
-            version: nightly-latest
-    name: Multi-language repository
-    needs:
-      - should-run-multi-language-autodetect
-    if: needs.should-run-multi-language-autodetect.outputs.run-check != 'true'
-    timeout-minutes: 5
-    runs-on: ubuntu-slim
-    steps:
-      - name: Success
-        run: exit 0

.github/workflows/__overlay-init-fallback.yml

@@ -18,9 +18,6 @@ on:
       - synchronize
       - reopened
       - ready_for_review
-  merge_group:
-    types:
-      - checks_requested
   schedule:
     - cron: '0 5 * * *'
   workflow_dispatch:
@@ -31,35 +28,9 @@ defaults:
   run:
     shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: overlay-init-fallback-${{github.ref}}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
-  should-run-overlay-init-fallback:
-    name: Decide whether to run this check
-    timeout-minutes: 10
-    runs-on: ubuntu-slim
-    if: github.triggering_actor != 'dependabot[bot]'
-    outputs:
-      run-check: ${{ steps.changed-files-check.outputs.run-check || steps.event-type-check.outputs.run-check }}
-    steps:
-      - name: Run check if this is not a PR
-        id: event-type-check
-        if: github.event_name != 'pull_request'
-        run: echo "run-check=true" >> "$GITHUB_OUTPUT"
-      - name: Check out repository
-        if: github.event_name == 'pull_request'
-        uses: actions/checkout@v6
-      - name: Determine changed files
-        id: changed-files
-        if: github.event_name == 'pull_request'
-        uses: ./.github/actions/changed-files
-        with:
-          github-token: ${{ secrets.GITHUB_TOKEN }}
-          exclude: '["README.md"]'
-      - name: Run check because of changed files
-        id: changed-files-check
-        if: github.event_name != 'pull_request' && steps.changed-files.outputs.files != '[]'
-        run: echo "run-check=true" >> "$GITHUB_OUTPUT"
   overlay-init-fallback:
     strategy:
       fail-fast: false
@@ -70,9 +41,7 @@ jobs:
           - os: ubuntu-latest
             version: nightly-latest
     name: Overlay database init fallback
-    needs:
-      - should-run-overlay-init-fallback
-    if: needs.should-run-overlay-init-fallback.outputs.run-check == 'true'
+    if: github.triggering_actor != 'dependabot[bot]'
     permissions:
       contents: read
       security-events: read
@@ -107,21 +76,3 @@ jobs:
           fi
     env:
       CODEQL_ACTION_TEST_MODE: true
-  skip-overlay-init-fallback:
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - os: ubuntu-latest
-            version: linked
-          - os: ubuntu-latest
-            version: nightly-latest
-    name: Overlay database init fallback
-    needs:
-      - should-run-overlay-init-fallback
-    if: needs.should-run-overlay-init-fallback.outputs.run-check != 'true'
-    timeout-minutes: 5
-    runs-on: ubuntu-slim
-    steps:
-      - name: Success
-        run: exit 0

.github/workflows/__packaging-codescanning-config-inputs-js.yml

@@ -18,18 +18,10 @@ on:
       - synchronize
       - reopened
       - ready_for_review
-  merge_group:
-    types:
-      - checks_requested
   schedule:
     - cron: '0 5 * * *'
   workflow_dispatch:
     inputs:
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
       go-version:
         type: string
         description: The version of Go to install
@@ -40,13 +32,13 @@ on:
         description: The version of Python to install
         required: false
         default: '3.13'
+      dotnet-version:
+        type: string
+        description: The version of .NET to install
+        required: false
+        default: 9.x
   workflow_call:
     inputs:
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
       go-version:
         type: string
         description: The version of Go to install
@@ -57,39 +49,18 @@ on:
         description: The version of Python to install
         required: false
         default: '3.13'
+      dotnet-version:
+        type: string
+        description: The version of .NET to install
+        required: false
+        default: 9.x
 defaults:
   run:
     shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: packaging-codescanning-config-inputs-js-${{github.ref}}-${{inputs.dotnet-version}}-${{inputs.go-version}}-${{inputs.python-version}}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
-  should-run-packaging-codescanning-config-inputs-js:
-    name: Decide whether to run this check
-    timeout-minutes: 10
-    runs-on: ubuntu-slim
-    if: github.triggering_actor != 'dependabot[bot]'
-    outputs:
-      run-check: ${{ steps.changed-files-check.outputs.run-check || steps.event-type-check.outputs.run-check }}
-    steps:
-      - name: Run check if this is not a PR
-        id: event-type-check
-        if: github.event_name != 'pull_request'
-        run: echo "run-check=true" >> "$GITHUB_OUTPUT"
-      - name: Check out repository
-        if: github.event_name == 'pull_request'
-        uses: actions/checkout@v6
-      - name: Determine changed files
-        id: changed-files
-        if: github.event_name == 'pull_request'
-        uses: ./.github/actions/changed-files
-        with:
-          github-token: ${{ secrets.GITHUB_TOKEN }}
-          exclude: '["README.md"]'
-      - name: Run check because of changed files
-        id: changed-files-check
-        if: github.event_name != 'pull_request' && steps.changed-files.outputs.files != '[]'
-        run: echo "run-check=true" >> "$GITHUB_OUTPUT"
   packaging-codescanning-config-inputs-js:
     strategy:
       fail-fast: false
@@ -102,9 +73,7 @@ jobs:
           - os: ubuntu-latest
             version: nightly-latest
     name: 'Packaging: Config and input passed to the CLI'
-    needs:
-      - should-run-packaging-codescanning-config-inputs-js
-    if: needs.should-run-packaging-codescanning-config-inputs-js.outputs.run-check == 'true'
+    if: github.triggering_actor != 'dependabot[bot]'
     permissions:
       contents: read
       security-events: read
@@ -113,15 +82,6 @@ jobs:
     steps:
       - name: Check out repository
         uses: actions/checkout@v6
-      - name: Install .NET
-        uses: actions/setup-dotnet@v5
-        with:
-          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
-      - name: Install Go
-        uses: actions/setup-go@v6
-        with:
-          go-version: ${{ inputs.go-version || '>=1.21.0' }}
-          cache: false
       - name: Install Node.js
         uses: actions/setup-node@v6
         with:
@@ -129,11 +89,6 @@ jobs:
           cache: npm
       - name: Install dependencies
         run: npm ci
-      - name: Install Python
-        if: matrix.version != 'nightly-latest' || !matrix.version
-        uses: actions/setup-python@v6
-        with:
-          python-version: ${{ inputs.python-version || '3.13' }}
       - name: Prepare test
         id: prepare-test
         uses: ./.github/actions/prepare-test
@@ -141,9 +96,23 @@ jobs:
           version: ${{ matrix.version }}
           use-all-platform-bundle: 'false'
           setup-kotlin: 'true'
+      - name: Install Go
+        uses: actions/setup-go@v6
+        with:
+          go-version: ${{ inputs.go-version || '>=1.21.0' }}
+          cache: false
+      - name: Install Python
+        if: matrix.version != 'nightly-latest'
+        uses: actions/setup-python@v6
+        with:
+          python-version: ${{ inputs.python-version || '3.13' }}
+      - name: Install .NET
+        uses: actions/setup-dotnet@v5
+        with:
+          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
       - uses: ./../action/init
         with:
-          config-file: '.github/codeql/codeql-config-packaging3.yml'
+          config-file: .github/codeql/codeql-config-packaging3.yml
           packs: +codeql-testing/codeql-pack1@1.0.0
           languages: javascript
           tools: ${{ steps.prepare-test.outputs.tools-url }}
@@ -151,14 +120,15 @@ jobs:
         run: ./build.sh
       - uses: ./../action/analyze
         with:
-          output: '${{ runner.temp }}/results'
+          output: ${{ runner.temp }}/results
           upload-database: false
 
       - name: Check results
         uses: ./../action/.github/actions/check-sarif
         with:
           sarif-file: ${{ runner.temp }}/results/javascript.sarif
-          queries-run: javascript/example/empty-or-one-block,javascript/example/empty-or-one-block,javascript/example/other-query-block,javascript/example/two-block
+          queries-run:
+            javascript/example/empty-or-one-block,javascript/example/empty-or-one-block,javascript/example/other-query-block,javascript/example/two-block
           queries-not-run: foo,bar
 
       - name: Assert Results
@@ -176,23 +146,3 @@ jobs:
           fi
     env:
       CODEQL_ACTION_TEST_MODE: true
-  skip-packaging-codescanning-config-inputs-js:
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - os: ubuntu-latest
-            version: linked
-          - os: ubuntu-latest
-            version: default
-          - os: ubuntu-latest
-            version: nightly-latest
-    name: 'Packaging: Config and input passed to the CLI'
-    needs:
-      - should-run-packaging-codescanning-config-inputs-js
-    if: needs.should-run-packaging-codescanning-config-inputs-js.outputs.run-check != 'true'
-    timeout-minutes: 5
-    runs-on: ubuntu-slim
-    steps:
-      - name: Success
-        run: exit 0

.github/workflows/__packaging-config-inputs-js.yml

@@ -18,68 +18,39 @@ on:
       - synchronize
       - reopened
       - ready_for_review
-  merge_group:
-    types:
-      - checks_requested
   schedule:
     - cron: '0 5 * * *'
   workflow_dispatch:
     inputs:
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
       go-version:
         type: string
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
+      dotnet-version:
+        type: string
+        description: The version of .NET to install
+        required: false
+        default: 9.x
   workflow_call:
     inputs:
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
       go-version:
         type: string
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
+      dotnet-version:
+        type: string
+        description: The version of .NET to install
+        required: false
+        default: 9.x
 defaults:
   run:
     shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: packaging-config-inputs-js-${{github.ref}}-${{inputs.dotnet-version}}-${{inputs.go-version}}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
-  should-run-packaging-config-inputs-js:
-    name: Decide whether to run this check
-    timeout-minutes: 10
-    runs-on: ubuntu-slim
-    if: github.triggering_actor != 'dependabot[bot]'
-    outputs:
-      run-check: ${{ steps.changed-files-check.outputs.run-check || steps.event-type-check.outputs.run-check }}
-    steps:
-      - name: Run check if this is not a PR
-        id: event-type-check
-        if: github.event_name != 'pull_request'
-        run: echo "run-check=true" >> "$GITHUB_OUTPUT"
-      - name: Check out repository
-        if: github.event_name == 'pull_request'
-        uses: actions/checkout@v6
-      - name: Determine changed files
-        id: changed-files
-        if: github.event_name == 'pull_request'
-        uses: ./.github/actions/changed-files
-        with:
-          github-token: ${{ secrets.GITHUB_TOKEN }}
-          exclude: '["README.md"]'
-      - name: Run check because of changed files
-        id: changed-files-check
-        if: github.event_name != 'pull_request' && steps.changed-files.outputs.files != '[]'
-        run: echo "run-check=true" >> "$GITHUB_OUTPUT"
   packaging-config-inputs-js:
     strategy:
       fail-fast: false
@@ -92,9 +63,7 @@ jobs:
           - os: ubuntu-latest
             version: nightly-latest
     name: 'Packaging: Config and input'
-    needs:
-      - should-run-packaging-config-inputs-js
-    if: needs.should-run-packaging-config-inputs-js.outputs.run-check == 'true'
+    if: github.triggering_actor != 'dependabot[bot]'
     permissions:
       contents: read
       security-events: read
@@ -103,15 +72,6 @@ jobs:
     steps:
       - name: Check out repository
         uses: actions/checkout@v6
-      - name: Install .NET
-        uses: actions/setup-dotnet@v5
-        with:
-          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
-      - name: Install Go
-        uses: actions/setup-go@v6
-        with:
-          go-version: ${{ inputs.go-version || '>=1.21.0' }}
-          cache: false
       - name: Install Node.js
         uses: actions/setup-node@v6
         with:
@@ -126,9 +86,18 @@ jobs:
           version: ${{ matrix.version }}
           use-all-platform-bundle: 'false'
           setup-kotlin: 'true'
+      - name: Install Go
+        uses: actions/setup-go@v6
+        with:
+          go-version: ${{ inputs.go-version || '>=1.21.0' }}
+          cache: false
+      - name: Install .NET
+        uses: actions/setup-dotnet@v5
+        with:
+          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
       - uses: ./../action/init
         with:
-          config-file: '.github/codeql/codeql-config-packaging3.yml'
+          config-file: .github/codeql/codeql-config-packaging3.yml
           packs: +codeql-testing/codeql-pack1@1.0.0
           languages: javascript
           tools: ${{ steps.prepare-test.outputs.tools-url }}
@@ -136,14 +105,15 @@ jobs:
         run: ./build.sh
       - uses: ./../action/analyze
         with:
-          output: '${{ runner.temp }}/results'
+          output: ${{ runner.temp }}/results
           upload-database: false
 
       - name: Check results
         uses: ./../action/.github/actions/check-sarif
         with:
           sarif-file: ${{ runner.temp }}/results/javascript.sarif
-          queries-run: javascript/example/empty-or-one-block,javascript/example/empty-or-one-block,javascript/example/other-query-block,javascript/example/two-block
+          queries-run:
+            javascript/example/empty-or-one-block,javascript/example/empty-or-one-block,javascript/example/other-query-block,javascript/example/two-block
           queries-not-run: foo,bar
 
       - name: Assert Results
@@ -161,23 +131,3 @@ jobs:
           fi
     env:
       CODEQL_ACTION_TEST_MODE: true
-  skip-packaging-config-inputs-js:
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - os: ubuntu-latest
-            version: linked
-          - os: ubuntu-latest
-            version: default
-          - os: ubuntu-latest
-            version: nightly-latest
-    name: 'Packaging: Config and input'
-    needs:
-      - should-run-packaging-config-inputs-js
-    if: needs.should-run-packaging-config-inputs-js.outputs.run-check != 'true'
-    timeout-minutes: 5
-    runs-on: ubuntu-slim
-    steps:
-      - name: Success
-        run: exit 0

.github/workflows/__packaging-config-js.yml

@@ -18,68 +18,39 @@ on:
       - synchronize
       - reopened
       - ready_for_review
-  merge_group:
-    types:
-      - checks_requested
   schedule:
     - cron: '0 5 * * *'
   workflow_dispatch:
     inputs:
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
       go-version:
         type: string
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
+      dotnet-version:
+        type: string
+        description: The version of .NET to install
+        required: false
+        default: 9.x
   workflow_call:
     inputs:
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
       go-version:
         type: string
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
+      dotnet-version:
+        type: string
+        description: The version of .NET to install
+        required: false
+        default: 9.x
 defaults:
   run:
     shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: packaging-config-js-${{github.ref}}-${{inputs.dotnet-version}}-${{inputs.go-version}}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
-  should-run-packaging-config-js:
-    name: Decide whether to run this check
-    timeout-minutes: 10
-    runs-on: ubuntu-slim
-    if: github.triggering_actor != 'dependabot[bot]'
-    outputs:
-      run-check: ${{ steps.changed-files-check.outputs.run-check || steps.event-type-check.outputs.run-check }}
-    steps:
-      - name: Run check if this is not a PR
-        id: event-type-check
-        if: github.event_name != 'pull_request'
-        run: echo "run-check=true" >> "$GITHUB_OUTPUT"
-      - name: Check out repository
-        if: github.event_name == 'pull_request'
-        uses: actions/checkout@v6
-      - name: Determine changed files
-        id: changed-files
-        if: github.event_name == 'pull_request'
-        uses: ./.github/actions/changed-files
-        with:
-          github-token: ${{ secrets.GITHUB_TOKEN }}
-          exclude: '["README.md"]'
-      - name: Run check because of changed files
-        id: changed-files-check
-        if: github.event_name != 'pull_request' && steps.changed-files.outputs.files != '[]'
-        run: echo "run-check=true" >> "$GITHUB_OUTPUT"
   packaging-config-js:
     strategy:
       fail-fast: false
@@ -92,9 +63,7 @@ jobs:
           - os: ubuntu-latest
             version: nightly-latest
     name: 'Packaging: Config file'
-    needs:
-      - should-run-packaging-config-js
-    if: needs.should-run-packaging-config-js.outputs.run-check == 'true'
+    if: github.triggering_actor != 'dependabot[bot]'
     permissions:
       contents: read
       security-events: read
@@ -103,15 +72,6 @@ jobs:
     steps:
       - name: Check out repository
         uses: actions/checkout@v6
-      - name: Install .NET
-        uses: actions/setup-dotnet@v5
-        with:
-          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
-      - name: Install Go
-        uses: actions/setup-go@v6
-        with:
-          go-version: ${{ inputs.go-version || '>=1.21.0' }}
-          cache: false
       - name: Install Node.js
         uses: actions/setup-node@v6
         with:
@@ -126,23 +86,33 @@ jobs:
           version: ${{ matrix.version }}
           use-all-platform-bundle: 'false'
           setup-kotlin: 'true'
+      - name: Install Go
+        uses: actions/setup-go@v6
+        with:
+          go-version: ${{ inputs.go-version || '>=1.21.0' }}
+          cache: false
+      - name: Install .NET
+        uses: actions/setup-dotnet@v5
+        with:
+          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
       - uses: ./../action/init
         with:
-          config-file: '.github/codeql/codeql-config-packaging.yml'
+          config-file: .github/codeql/codeql-config-packaging.yml
           languages: javascript
           tools: ${{ steps.prepare-test.outputs.tools-url }}
       - name: Build code
         run: ./build.sh
       - uses: ./../action/analyze
         with:
-          output: '${{ runner.temp }}/results'
+          output: ${{ runner.temp }}/results
           upload-database: false
 
       - name: Check results
         uses: ./../action/.github/actions/check-sarif
         with:
           sarif-file: ${{ runner.temp }}/results/javascript.sarif
-          queries-run: javascript/example/empty-or-one-block,javascript/example/empty-or-one-block,javascript/example/other-query-block,javascript/example/two-block
+          queries-run:
+            javascript/example/empty-or-one-block,javascript/example/empty-or-one-block,javascript/example/other-query-block,javascript/example/two-block
           queries-not-run: foo,bar
 
       - name: Assert Results
@@ -160,23 +130,3 @@ jobs:
           fi
     env:
       CODEQL_ACTION_TEST_MODE: true
-  skip-packaging-config-js:
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - os: ubuntu-latest
-            version: linked
-          - os: ubuntu-latest
-            version: default
-          - os: ubuntu-latest
-            version: nightly-latest
-    name: 'Packaging: Config file'
-    needs:
-      - should-run-packaging-config-js
-    if: needs.should-run-packaging-config-js.outputs.run-check != 'true'
-    timeout-minutes: 5
-    runs-on: ubuntu-slim
-    steps:
-      - name: Success
-        run: exit 0

.github/workflows/__packaging-inputs-js.yml

@@ -18,68 +18,39 @@ on:
       - synchronize
       - reopened
       - ready_for_review
-  merge_group:
-    types:
-      - checks_requested
   schedule:
     - cron: '0 5 * * *'
   workflow_dispatch:
     inputs:
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
       go-version:
         type: string
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
+      dotnet-version:
+        type: string
+        description: The version of .NET to install
+        required: false
+        default: 9.x
   workflow_call:
     inputs:
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
       go-version:
         type: string
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
+      dotnet-version:
+        type: string
+        description: The version of .NET to install
+        required: false
+        default: 9.x
 defaults:
   run:
     shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: packaging-inputs-js-${{github.ref}}-${{inputs.dotnet-version}}-${{inputs.go-version}}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
-  should-run-packaging-inputs-js:
-    name: Decide whether to run this check
-    timeout-minutes: 10
-    runs-on: ubuntu-slim
-    if: github.triggering_actor != 'dependabot[bot]'
-    outputs:
-      run-check: ${{ steps.changed-files-check.outputs.run-check || steps.event-type-check.outputs.run-check }}
-    steps:
-      - name: Run check if this is not a PR
-        id: event-type-check
-        if: github.event_name != 'pull_request'
-        run: echo "run-check=true" >> "$GITHUB_OUTPUT"
-      - name: Check out repository
-        if: github.event_name == 'pull_request'
-        uses: actions/checkout@v6
-      - name: Determine changed files
-        id: changed-files
-        if: github.event_name == 'pull_request'
-        uses: ./.github/actions/changed-files
-        with:
-          github-token: ${{ secrets.GITHUB_TOKEN }}
-          exclude: '["README.md"]'
-      - name: Run check because of changed files
-        id: changed-files-check
-        if: github.event_name != 'pull_request' && steps.changed-files.outputs.files != '[]'
-        run: echo "run-check=true" >> "$GITHUB_OUTPUT"
   packaging-inputs-js:
     strategy:
       fail-fast: false
@@ -92,9 +63,7 @@ jobs:
           - os: ubuntu-latest
             version: nightly-latest
     name: 'Packaging: Action input'
-    needs:
-      - should-run-packaging-inputs-js
-    if: needs.should-run-packaging-inputs-js.outputs.run-check == 'true'
+    if: github.triggering_actor != 'dependabot[bot]'
     permissions:
       contents: read
       security-events: read
@@ -103,15 +72,6 @@ jobs:
     steps:
       - name: Check out repository
         uses: actions/checkout@v6
-      - name: Install .NET
-        uses: actions/setup-dotnet@v5
-        with:
-          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
-      - name: Install Go
-        uses: actions/setup-go@v6
-        with:
-          go-version: ${{ inputs.go-version || '>=1.21.0' }}
-          cache: false
       - name: Install Node.js
         uses: actions/setup-node@v6
         with:
@@ -126,9 +86,18 @@ jobs:
           version: ${{ matrix.version }}
           use-all-platform-bundle: 'false'
           setup-kotlin: 'true'
+      - name: Install Go
+        uses: actions/setup-go@v6
+        with:
+          go-version: ${{ inputs.go-version || '>=1.21.0' }}
+          cache: false
+      - name: Install .NET
+        uses: actions/setup-dotnet@v5
+        with:
+          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
       - uses: ./../action/init
         with:
-          config-file: '.github/codeql/codeql-config-packaging2.yml'
+          config-file: .github/codeql/codeql-config-packaging2.yml
           languages: javascript
           packs: codeql-testing/codeql-pack1@1.0.0, codeql-testing/codeql-pack2, codeql-testing/codeql-pack3:other-query.ql
           tools: ${{ steps.prepare-test.outputs.tools-url }}
@@ -136,13 +105,14 @@ jobs:
         run: ./build.sh
       - uses: ./../action/analyze
         with:
-          output: '${{ runner.temp }}/results'
+          output: ${{ runner.temp }}/results
 
       - name: Check results
         uses: ./../action/.github/actions/check-sarif
         with:
           sarif-file: ${{ runner.temp }}/results/javascript.sarif
-          queries-run: javascript/example/empty-or-one-block,javascript/example/empty-or-one-block,javascript/example/other-query-block,javascript/example/two-block
+          queries-run:
+            javascript/example/empty-or-one-block,javascript/example/empty-or-one-block,javascript/example/other-query-block,javascript/example/two-block
           queries-not-run: foo,bar
 
       - name: Assert Results
@@ -160,23 +130,3 @@ jobs:
           fi
     env:
       CODEQL_ACTION_TEST_MODE: true
-  skip-packaging-inputs-js:
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - os: ubuntu-latest
-            version: linked
-          - os: ubuntu-latest
-            version: default
-          - os: ubuntu-latest
-            version: nightly-latest
-    name: 'Packaging: Action input'
-    needs:
-      - should-run-packaging-inputs-js
-    if: needs.should-run-packaging-inputs-js.outputs.run-check != 'true'
-    timeout-minutes: 5
-    runs-on: ubuntu-slim
-    steps:
-      - name: Success
-        run: exit 0

.github/workflows/__quality-queries.yml

@@ -3,7 +3,7 @@
 #     pr-checks/sync.sh
 # to regenerate this file.
 
-name: PR Check - Analysis kinds
+name: PR Check - Quality queries input
 env:
   GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
   GO111MODULE: auto
@@ -18,9 +18,6 @@ on:
       - synchronize
       - reopened
       - ready_for_review
-  merge_group:
-    types:
-      - checks_requested
   schedule:
     - cron: '0 5 * * *'
   workflow_dispatch:
@@ -31,36 +28,10 @@ defaults:
   run:
     shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: analysis-kinds-${{github.ref}}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
-  should-run-analysis-kinds:
-    name: Decide whether to run this check
-    timeout-minutes: 10
-    runs-on: ubuntu-slim
-    if: github.triggering_actor != 'dependabot[bot]'
-    outputs:
-      run-check: ${{ steps.changed-files-check.outputs.run-check || steps.event-type-check.outputs.run-check }}
-    steps:
-      - name: Run check if this is not a PR
-        id: event-type-check
-        if: github.event_name != 'pull_request'
-        run: echo "run-check=true" >> "$GITHUB_OUTPUT"
-      - name: Check out repository
-        if: github.event_name == 'pull_request'
-        uses: actions/checkout@v6
-      - name: Determine changed files
-        id: changed-files
-        if: github.event_name == 'pull_request'
-        uses: ./.github/actions/changed-files
-        with:
-          github-token: ${{ secrets.GITHUB_TOKEN }}
-          exclude: '["README.md"]'
-      - name: Run check because of changed files
-        id: changed-files-check
-        if: github.event_name != 'pull_request' && steps.changed-files.outputs.files != '[]'
-        run: echo "run-check=true" >> "$GITHUB_OUTPUT"
-  analysis-kinds:
+  quality-queries:
     strategy:
       fail-fast: false
       matrix:
@@ -74,9 +45,6 @@ jobs:
           - os: ubuntu-latest
             version: linked
             analysis-kinds: code-scanning,code-quality
-          - os: ubuntu-latest
-            version: linked
-            analysis-kinds: risk-assessment
           - os: ubuntu-latest
             version: nightly-latest
             analysis-kinds: code-scanning
@@ -86,13 +54,8 @@ jobs:
           - os: ubuntu-latest
             version: nightly-latest
             analysis-kinds: code-scanning,code-quality
-          - os: ubuntu-latest
-            version: nightly-latest
-            analysis-kinds: risk-assessment
-    name: Analysis kinds
-    needs:
-      - should-run-analysis-kinds
-    if: needs.should-run-analysis-kinds.outputs.run-check == 'true'
+    name: Quality queries input
+    if: github.triggering_actor != 'dependabot[bot]'
     permissions:
       contents: read
       security-events: read
@@ -115,32 +78,38 @@ jobs:
           tools: ${{ steps.prepare-test.outputs.tools-url }}
       - uses: ./../action/analyze
         with:
-          output: '${{ runner.temp }}/results'
+          output: ${{ runner.temp }}/results
           upload-database: false
-          post-processed-sarif-path: '${{ runner.temp }}/post-processed'
-
-      - name: Upload SARIF files
+          post-processed-sarif-path: ${{ runner.temp }}/post-processed
+      - name: Upload security SARIF
+        if: contains(matrix.analysis-kinds, 'code-scanning')
         uses: actions/upload-artifact@v6
         with:
           name: |
-            analysis-kinds-${{ matrix.os }}-${{ matrix.version }}-${{ matrix.analysis-kinds }}
-          path: '${{ runner.temp }}/results/*.sarif'
+            quality-queries-${{ matrix.os }}-${{ matrix.version }}-${{ matrix.analysis-kinds }}.sarif.json
+          path: ${{ runner.temp }}/results/javascript.sarif
+          retention-days: 7
+      - name: Upload quality SARIF
+        if: contains(matrix.analysis-kinds, 'code-quality')
+        uses: actions/upload-artifact@v6
+        with:
+          name: |
+            quality-queries-${{ matrix.os }}-${{ matrix.version }}-${{ matrix.analysis-kinds }}.quality.sarif.json
+          path: ${{ runner.temp }}/results/javascript.quality.sarif
           retention-days: 7
-
       - name: Upload post-processed SARIF
         uses: actions/upload-artifact@v6
         with:
           name: |
-            post-processed-${{ matrix.os }}-${{ matrix.version }}-${{ matrix.analysis-kinds }}
-          path: '${{ runner.temp }}/post-processed'
+            post-processed-${{ matrix.os }}-${{ matrix.version }}-${{ matrix.analysis-kinds }}.sarif.json
+          path: ${{ runner.temp }}/post-processed
           retention-days: 7
           if-no-files-found: error
-
       - name: Check quality query does not appear in security SARIF
         if: contains(matrix.analysis-kinds, 'code-scanning')
         uses: actions/github-script@v8
         env:
-          SARIF_PATH: '${{ runner.temp }}/results/javascript.sarif'
+          SARIF_PATH: ${{ runner.temp }}/results/javascript.sarif
           EXPECT_PRESENT: 'false'
         with:
           script: ${{ env.CHECK_SCRIPT }}
@@ -148,12 +117,11 @@ jobs:
         if: contains(matrix.analysis-kinds, 'code-quality')
         uses: actions/github-script@v8
         env:
-          SARIF_PATH: '${{ runner.temp }}/results/javascript.quality.sarif'
+          SARIF_PATH: ${{ runner.temp }}/results/javascript.quality.sarif
           EXPECT_PRESENT: 'true'
         with:
           script: ${{ env.CHECK_SCRIPT }}
     env:
-      CODEQL_ACTION_RISK_ASSESSMENT_ID: 1
       CHECK_SCRIPT: |
         const fs = require('fs');
 
@@ -178,41 +146,3 @@ jobs:
           core.setFailed(`${ found ? "Found" : "Didn't find" } rule ${targetId}`);
         }
       CODEQL_ACTION_TEST_MODE: true
-  skip-analysis-kinds:
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - os: ubuntu-latest
-            version: linked
-            analysis-kinds: code-scanning
-          - os: ubuntu-latest
-            version: linked
-            analysis-kinds: code-quality
-          - os: ubuntu-latest
-            version: linked
-            analysis-kinds: code-scanning,code-quality
-          - os: ubuntu-latest
-            version: linked
-            analysis-kinds: risk-assessment
-          - os: ubuntu-latest
-            version: nightly-latest
-            analysis-kinds: code-scanning
-          - os: ubuntu-latest
-            version: nightly-latest
-            analysis-kinds: code-quality
-          - os: ubuntu-latest
-            version: nightly-latest
-            analysis-kinds: code-scanning,code-quality
-          - os: ubuntu-latest
-            version: nightly-latest
-            analysis-kinds: risk-assessment
-    name: Analysis kinds
-    needs:
-      - should-run-analysis-kinds
-    if: needs.should-run-analysis-kinds.outputs.run-check != 'true'
-    timeout-minutes: 5
-    runs-on: ubuntu-slim
-    steps:
-      - name: Success
-        run: exit 0

.github/workflows/__remote-config.yml

@@ -18,18 +18,10 @@ on:
       - synchronize
       - reopened
       - ready_for_review
-  merge_group:
-    types:
-      - checks_requested
   schedule:
     - cron: '0 5 * * *'
   workflow_dispatch:
     inputs:
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
       go-version:
         type: string
         description: The version of Go to install
@@ -40,13 +32,13 @@ on:
         description: The version of Python to install
         required: false
         default: '3.13'
+      dotnet-version:
+        type: string
+        description: The version of .NET to install
+        required: false
+        default: 9.x
   workflow_call:
     inputs:
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
       go-version:
         type: string
         description: The version of Go to install
@@ -57,39 +49,18 @@ on:
         description: The version of Python to install
         required: false
         default: '3.13'
+      dotnet-version:
+        type: string
+        description: The version of .NET to install
+        required: false
+        default: 9.x
 defaults:
   run:
     shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: remote-config-${{github.ref}}-${{inputs.dotnet-version}}-${{inputs.go-version}}-${{inputs.python-version}}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
-  should-run-remote-config:
-    name: Decide whether to run this check
-    timeout-minutes: 10
-    runs-on: ubuntu-slim
-    if: github.triggering_actor != 'dependabot[bot]'
-    outputs:
-      run-check: ${{ steps.changed-files-check.outputs.run-check || steps.event-type-check.outputs.run-check }}
-    steps:
-      - name: Run check if this is not a PR
-        id: event-type-check
-        if: github.event_name != 'pull_request'
-        run: echo "run-check=true" >> "$GITHUB_OUTPUT"
-      - name: Check out repository
-        if: github.event_name == 'pull_request'
-        uses: actions/checkout@v6
-      - name: Determine changed files
-        id: changed-files
-        if: github.event_name == 'pull_request'
-        uses: ./.github/actions/changed-files
-        with:
-          github-token: ${{ secrets.GITHUB_TOKEN }}
-          exclude: '["README.md"]'
-      - name: Run check because of changed files
-        id: changed-files-check
-        if: github.event_name != 'pull_request' && steps.changed-files.outputs.files != '[]'
-        run: echo "run-check=true" >> "$GITHUB_OUTPUT"
   remote-config:
     strategy:
       fail-fast: false
@@ -100,9 +71,7 @@ jobs:
           - os: ubuntu-latest
             version: nightly-latest
     name: Remote config file
-    needs:
-      - should-run-remote-config
-    if: needs.should-run-remote-config.outputs.run-check == 'true'
+    if: github.triggering_actor != 'dependabot[bot]'
     permissions:
       contents: read
       security-events: read
@@ -111,20 +80,6 @@ jobs:
     steps:
       - name: Check out repository
         uses: actions/checkout@v6
-      - name: Install .NET
-        uses: actions/setup-dotnet@v5
-        with:
-          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
-      - name: Install Go
-        uses: actions/setup-go@v6
-        with:
-          go-version: ${{ inputs.go-version || '>=1.21.0' }}
-          cache: false
-      - name: Install Python
-        if: matrix.version != 'nightly-latest' || !matrix.version
-        uses: actions/setup-python@v6
-        with:
-          python-version: ${{ inputs.python-version || '3.13' }}
       - name: Prepare test
         id: prepare-test
         uses: ./.github/actions/prepare-test
@@ -132,31 +87,28 @@ jobs:
           version: ${{ matrix.version }}
           use-all-platform-bundle: 'false'
           setup-kotlin: 'true'
+      - name: Install Go
+        uses: actions/setup-go@v6
+        with:
+          go-version: ${{ inputs.go-version || '>=1.21.0' }}
+          cache: false
+      - name: Install Python
+        if: matrix.version != 'nightly-latest'
+        uses: actions/setup-python@v6
+        with:
+          python-version: ${{ inputs.python-version || '3.13' }}
+      - name: Install .NET
+        uses: actions/setup-dotnet@v5
+        with:
+          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
       - uses: ./../action/init
         with:
           tools: ${{ steps.prepare-test.outputs.tools-url }}
           languages: cpp,csharp,java,javascript,python
-          config-file: ${{ github.repository }}/tests/multi-language-repo/.github/codeql/custom-queries.yml@${{ github.sha }}
+          config-file: ${{ github.repository }}/tests/multi-language-repo/.github/codeql/custom-queries.yml@${{
+            github.sha }}
       - name: Build code
         run: ./build.sh
       - uses: ./../action/analyze
     env:
       CODEQL_ACTION_TEST_MODE: true
-  skip-remote-config:
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - os: ubuntu-latest
-            version: linked
-          - os: ubuntu-latest
-            version: nightly-latest
-    name: Remote config file
-    needs:
-      - should-run-remote-config
-    if: needs.should-run-remote-config.outputs.run-check != 'true'
-    timeout-minutes: 5
-    runs-on: ubuntu-slim
-    steps:
-      - name: Success
-        run: exit 0

.github/workflows/__resolve-environment-action.yml

@@ -18,9 +18,6 @@ on:
       - synchronize
       - reopened
       - ready_for_review
-  merge_group:
-    types:
-      - checks_requested
   schedule:
     - cron: '0 5 * * *'
   workflow_dispatch:
@@ -31,35 +28,9 @@ defaults:
   run:
     shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: resolve-environment-action-${{github.ref}}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
-  should-run-resolve-environment-action:
-    name: Decide whether to run this check
-    timeout-minutes: 10
-    runs-on: ubuntu-slim
-    if: github.triggering_actor != 'dependabot[bot]'
-    outputs:
-      run-check: ${{ steps.changed-files-check.outputs.run-check || steps.event-type-check.outputs.run-check }}
-    steps:
-      - name: Run check if this is not a PR
-        id: event-type-check
-        if: github.event_name != 'pull_request'
-        run: echo "run-check=true" >> "$GITHUB_OUTPUT"
-      - name: Check out repository
-        if: github.event_name == 'pull_request'
-        uses: actions/checkout@v6
-      - name: Determine changed files
-        id: changed-files
-        if: github.event_name == 'pull_request'
-        uses: ./.github/actions/changed-files
-        with:
-          github-token: ${{ secrets.GITHUB_TOKEN }}
-          exclude: '["README.md"]'
-      - name: Run check because of changed files
-        id: changed-files-check
-        if: github.event_name != 'pull_request' && steps.changed-files.outputs.files != '[]'
-        run: echo "run-check=true" >> "$GITHUB_OUTPUT"
   resolve-environment-action:
     strategy:
       fail-fast: false
@@ -72,9 +43,7 @@ jobs:
           - os: ubuntu-latest
             version: nightly-latest
     name: Resolve environment
-    needs:
-      - should-run-resolve-environment-action
-    if: needs.should-run-resolve-environment-action.outputs.run-check == 'true'
+    if: github.triggering_actor != 'dependabot[bot]'
     permissions:
       contents: read
       security-events: read
@@ -112,27 +81,8 @@ jobs:
           language: javascript-typescript
 
       - name: Fail if JavaScript/TypeScript configuration present
-        if: fromJSON(steps.resolve-environment-js.outputs.environment).configuration.javascript
+        if:
+          fromJSON(steps.resolve-environment-js.outputs.environment).configuration.javascript
         run: exit 1
     env:
       CODEQL_ACTION_TEST_MODE: true
-  skip-resolve-environment-action:
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - os: ubuntu-latest
-            version: default
-          - os: ubuntu-latest
-            version: linked
-          - os: ubuntu-latest
-            version: nightly-latest
-    name: Resolve environment
-    needs:
-      - should-run-resolve-environment-action
-    if: needs.should-run-resolve-environment-action.outputs.run-check != 'true'
-    timeout-minutes: 5
-    runs-on: ubuntu-slim
-    steps:
-      - name: Success
-        run: exit 0

.github/workflows/__rubocop-multi-language.yml

@@ -18,9 +18,6 @@ on:
       - synchronize
       - reopened
       - ready_for_review
-  merge_group:
-    types:
-      - checks_requested
   schedule:
     - cron: '0 5 * * *'
   workflow_dispatch:
@@ -31,35 +28,9 @@ defaults:
   run:
     shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: rubocop-multi-language-${{github.ref}}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
-  should-run-rubocop-multi-language:
-    name: Decide whether to run this check
-    timeout-minutes: 10
-    runs-on: ubuntu-slim
-    if: github.triggering_actor != 'dependabot[bot]'
-    outputs:
-      run-check: ${{ steps.changed-files-check.outputs.run-check || steps.event-type-check.outputs.run-check }}
-    steps:
-      - name: Run check if this is not a PR
-        id: event-type-check
-        if: github.event_name != 'pull_request'
-        run: echo "run-check=true" >> "$GITHUB_OUTPUT"
-      - name: Check out repository
-        if: github.event_name == 'pull_request'
-        uses: actions/checkout@v6
-      - name: Determine changed files
-        id: changed-files
-        if: github.event_name == 'pull_request'
-        uses: ./.github/actions/changed-files
-        with:
-          github-token: ${{ secrets.GITHUB_TOKEN }}
-          exclude: '["README.md"]'
-      - name: Run check because of changed files
-        id: changed-files-check
-        if: github.event_name != 'pull_request' && steps.changed-files.outputs.files != '[]'
-        run: echo "run-check=true" >> "$GITHUB_OUTPUT"
   rubocop-multi-language:
     strategy:
       fail-fast: false
@@ -68,9 +39,7 @@ jobs:
           - os: ubuntu-latest
             version: default
     name: RuboCop multi-language
-    needs:
-      - should-run-rubocop-multi-language
-    if: needs.should-run-rubocop-multi-language.outputs.run-check == 'true'
+    if: github.triggering_actor != 'dependabot[bot]'
     permissions:
       contents: read
       security-events: read
@@ -87,7 +56,7 @@ jobs:
           use-all-platform-bundle: 'false'
           setup-kotlin: 'true'
       - name: Set up Ruby
-        uses: ruby/setup-ruby@09a7688d3b55cf0e976497ff046b70949eeaccfd # v1.288.0
+        uses: ruby/setup-ruby@ac793fdd38cc468a4dd57246fa9d0e868aba9085 # v1.270.0
         with:
           ruby-version: 2.6
       - name: Install Code Scanning integration
@@ -105,19 +74,3 @@ jobs:
           sarif_file: rubocop.sarif
     env:
       CODEQL_ACTION_TEST_MODE: true
-  skip-rubocop-multi-language:
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - os: ubuntu-latest
-            version: default
-    name: RuboCop multi-language
-    needs:
-      - should-run-rubocop-multi-language
-    if: needs.should-run-rubocop-multi-language.outputs.run-check != 'true'
-    timeout-minutes: 5
-    runs-on: ubuntu-slim
-    steps:
-      - name: Success
-        run: exit 0

.github/workflows/__ruby.yml

@@ -18,9 +18,6 @@ on:
       - synchronize
       - reopened
       - ready_for_review
-  merge_group:
-    types:
-      - checks_requested
   schedule:
     - cron: '0 5 * * *'
   workflow_dispatch:
@@ -31,35 +28,9 @@ defaults:
   run:
     shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: ruby-${{github.ref}}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
-  should-run-ruby:
-    name: Decide whether to run this check
-    timeout-minutes: 10
-    runs-on: ubuntu-slim
-    if: github.triggering_actor != 'dependabot[bot]'
-    outputs:
-      run-check: ${{ steps.changed-files-check.outputs.run-check || steps.event-type-check.outputs.run-check }}
-    steps:
-      - name: Run check if this is not a PR
-        id: event-type-check
-        if: github.event_name != 'pull_request'
-        run: echo "run-check=true" >> "$GITHUB_OUTPUT"
-      - name: Check out repository
-        if: github.event_name == 'pull_request'
-        uses: actions/checkout@v6
-      - name: Determine changed files
-        id: changed-files
-        if: github.event_name == 'pull_request'
-        uses: ./.github/actions/changed-files
-        with:
-          github-token: ${{ secrets.GITHUB_TOKEN }}
-          exclude: '["README.md"]'
-      - name: Run check because of changed files
-        id: changed-files-check
-        if: github.event_name != 'pull_request' && steps.changed-files.outputs.files != '[]'
-        run: echo "run-check=true" >> "$GITHUB_OUTPUT"
   ruby:
     strategy:
       fail-fast: false
@@ -78,9 +49,7 @@ jobs:
           - os: macos-latest
             version: nightly-latest
     name: Ruby analysis
-    needs:
-      - should-run-ruby
-    if: needs.should-run-ruby.outputs.run-check == 'true'
+    if: github.triggering_actor != 'dependabot[bot]'
     permissions:
       contents: read
       security-events: read
@@ -113,29 +82,3 @@ jobs:
           fi
     env:
       CODEQL_ACTION_TEST_MODE: true
-  skip-ruby:
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - os: ubuntu-latest
-            version: linked
-          - os: macos-latest
-            version: linked
-          - os: ubuntu-latest
-            version: default
-          - os: macos-latest
-            version: default
-          - os: ubuntu-latest
-            version: nightly-latest
-          - os: macos-latest
-            version: nightly-latest
-    name: Ruby analysis
-    needs:
-      - should-run-ruby
-    if: needs.should-run-ruby.outputs.run-check != 'true'
-    timeout-minutes: 5
-    runs-on: ubuntu-slim
-    steps:
-      - name: Success
-        run: exit 0

.github/workflows/__rust.yml

@@ -18,9 +18,6 @@ on:
       - synchronize
       - reopened
       - ready_for_review
-  merge_group:
-    types:
-      - checks_requested
   schedule:
     - cron: '0 5 * * *'
   workflow_dispatch:
@@ -31,35 +28,9 @@ defaults:
   run:
     shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: rust-${{github.ref}}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
-  should-run-rust:
-    name: Decide whether to run this check
-    timeout-minutes: 10
-    runs-on: ubuntu-slim
-    if: github.triggering_actor != 'dependabot[bot]'
-    outputs:
-      run-check: ${{ steps.changed-files-check.outputs.run-check || steps.event-type-check.outputs.run-check }}
-    steps:
-      - name: Run check if this is not a PR
-        id: event-type-check
-        if: github.event_name != 'pull_request'
-        run: echo "run-check=true" >> "$GITHUB_OUTPUT"
-      - name: Check out repository
-        if: github.event_name == 'pull_request'
-        uses: actions/checkout@v6
-      - name: Determine changed files
-        id: changed-files
-        if: github.event_name == 'pull_request'
-        uses: ./.github/actions/changed-files
-        with:
-          github-token: ${{ secrets.GITHUB_TOKEN }}
-          exclude: '["README.md"]'
-      - name: Run check because of changed files
-        id: changed-files-check
-        if: github.event_name != 'pull_request' && steps.changed-files.outputs.files != '[]'
-        run: echo "run-check=true" >> "$GITHUB_OUTPUT"
   rust:
     strategy:
       fail-fast: false
@@ -76,9 +47,7 @@ jobs:
           - os: ubuntu-latest
             version: nightly-latest
     name: Rust analysis
-    needs:
-      - should-run-rust
-    if: needs.should-run-rust.outputs.run-check == 'true'
+    if: github.triggering_actor != 'dependabot[bot]'
     permissions:
       contents: read
       security-events: read
@@ -111,27 +80,3 @@ jobs:
           fi
     env:
       CODEQL_ACTION_TEST_MODE: true
-  skip-rust:
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - os: ubuntu-latest
-            version: stable-v2.19.3
-          - os: ubuntu-latest
-            version: stable-v2.22.1
-          - os: ubuntu-latest
-            version: linked
-          - os: ubuntu-latest
-            version: default
-          - os: ubuntu-latest
-            version: nightly-latest
-    name: Rust analysis
-    needs:
-      - should-run-rust
-    if: needs.should-run-rust.outputs.run-check != 'true'
-    timeout-minutes: 5
-    runs-on: ubuntu-slim
-    steps:
-      - name: Success
-        run: exit 0

.github/workflows/__split-workflow.yml

@@ -18,68 +18,39 @@ on:
       - synchronize
       - reopened
       - ready_for_review
-  merge_group:
-    types:
-      - checks_requested
   schedule:
     - cron: '0 5 * * *'
   workflow_dispatch:
     inputs:
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
       go-version:
         type: string
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
+      dotnet-version:
+        type: string
+        description: The version of .NET to install
+        required: false
+        default: 9.x
   workflow_call:
     inputs:
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
       go-version:
         type: string
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
+      dotnet-version:
+        type: string
+        description: The version of .NET to install
+        required: false
+        default: 9.x
 defaults:
   run:
     shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: split-workflow-${{github.ref}}-${{inputs.dotnet-version}}-${{inputs.go-version}}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
-  should-run-split-workflow:
-    name: Decide whether to run this check
-    timeout-minutes: 10
-    runs-on: ubuntu-slim
-    if: github.triggering_actor != 'dependabot[bot]'
-    outputs:
-      run-check: ${{ steps.changed-files-check.outputs.run-check || steps.event-type-check.outputs.run-check }}
-    steps:
-      - name: Run check if this is not a PR
-        id: event-type-check
-        if: github.event_name != 'pull_request'
-        run: echo "run-check=true" >> "$GITHUB_OUTPUT"
-      - name: Check out repository
-        if: github.event_name == 'pull_request'
-        uses: actions/checkout@v6
-      - name: Determine changed files
-        id: changed-files
-        if: github.event_name == 'pull_request'
-        uses: ./.github/actions/changed-files
-        with:
-          github-token: ${{ secrets.GITHUB_TOKEN }}
-          exclude: '["README.md"]'
-      - name: Run check because of changed files
-        id: changed-files-check
-        if: github.event_name != 'pull_request' && steps.changed-files.outputs.files != '[]'
-        run: echo "run-check=true" >> "$GITHUB_OUTPUT"
   split-workflow:
     strategy:
       fail-fast: false
@@ -98,9 +69,7 @@ jobs:
           - os: macos-latest
             version: nightly-latest
     name: Split workflow
-    needs:
-      - should-run-split-workflow
-    if: needs.should-run-split-workflow.outputs.run-check == 'true'
+    if: github.triggering_actor != 'dependabot[bot]'
     permissions:
       contents: read
       security-events: read
@@ -109,15 +78,6 @@ jobs:
     steps:
       - name: Check out repository
         uses: actions/checkout@v6
-      - name: Install .NET
-        uses: actions/setup-dotnet@v5
-        with:
-          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
-      - name: Install Go
-        uses: actions/setup-go@v6
-        with:
-          go-version: ${{ inputs.go-version || '>=1.21.0' }}
-          cache: false
       - name: Prepare test
         id: prepare-test
         uses: ./.github/actions/prepare-test
@@ -125,9 +85,18 @@ jobs:
           version: ${{ matrix.version }}
           use-all-platform-bundle: 'false'
           setup-kotlin: 'true'
+      - name: Install Go
+        uses: actions/setup-go@v6
+        with:
+          go-version: ${{ inputs.go-version || '>=1.21.0' }}
+          cache: false
+      - name: Install .NET
+        uses: actions/setup-dotnet@v5
+        with:
+          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
       - uses: ./../action/init
         with:
-          config-file: '.github/codeql/codeql-config-packaging3.yml'
+          config-file: .github/codeql/codeql-config-packaging3.yml
           packs: +codeql-testing/codeql-pack1@1.0.0
           languages: javascript
           tools: ${{ steps.prepare-test.outputs.tools-url }}
@@ -136,7 +105,7 @@ jobs:
       - uses: ./../action/analyze
         with:
           skip-queries: true
-          output: '${{ runner.temp }}/results'
+          output: ${{ runner.temp }}/results
           upload-database: false
 
       - name: Assert No Results
@@ -147,7 +116,7 @@ jobs:
           fi
       - uses: ./../action/analyze
         with:
-          output: '${{ runner.temp }}/results'
+          output: ${{ runner.temp }}/results
           upload-database: false
       - name: Assert Results
         run: |
@@ -164,29 +133,3 @@ jobs:
           fi
     env:
       CODEQL_ACTION_TEST_MODE: true
-  skip-split-workflow:
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - os: ubuntu-latest
-            version: linked
-          - os: macos-latest
-            version: linked
-          - os: ubuntu-latest
-            version: default
-          - os: macos-latest
-            version: default
-          - os: ubuntu-latest
-            version: nightly-latest
-          - os: macos-latest
-            version: nightly-latest
-    name: Split workflow
-    needs:
-      - should-run-split-workflow
-    if: needs.should-run-split-workflow.outputs.run-check != 'true'
-    timeout-minutes: 5
-    runs-on: ubuntu-slim
-    steps:
-      - name: Success
-        run: exit 0

.github/workflows/__start-proxy.yml

@@ -18,9 +18,6 @@ on:
       - synchronize
       - reopened
       - ready_for_review
-  merge_group:
-    types:
-      - checks_requested
   schedule:
     - cron: '0 5 * * *'
   workflow_dispatch:
@@ -31,35 +28,9 @@ defaults:
   run:
     shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: start-proxy-${{github.ref}}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
-  should-run-start-proxy:
-    name: Decide whether to run this check
-    timeout-minutes: 10
-    runs-on: ubuntu-slim
-    if: github.triggering_actor != 'dependabot[bot]'
-    outputs:
-      run-check: ${{ steps.changed-files-check.outputs.run-check || steps.event-type-check.outputs.run-check }}
-    steps:
-      - name: Run check if this is not a PR
-        id: event-type-check
-        if: github.event_name != 'pull_request'
-        run: echo "run-check=true" >> "$GITHUB_OUTPUT"
-      - name: Check out repository
-        if: github.event_name == 'pull_request'
-        uses: actions/checkout@v6
-      - name: Determine changed files
-        id: changed-files
-        if: github.event_name == 'pull_request'
-        uses: ./.github/actions/changed-files
-        with:
-          github-token: ${{ secrets.GITHUB_TOKEN }}
-          exclude: '["README.md"]'
-      - name: Run check because of changed files
-        id: changed-files-check
-        if: github.event_name != 'pull_request' && steps.changed-files.outputs.files != '[]'
-        run: echo "run-check=true" >> "$GITHUB_OUTPUT"
   start-proxy:
     strategy:
       fail-fast: false
@@ -72,9 +43,7 @@ jobs:
           - os: windows-latest
             version: linked
     name: Start proxy
-    needs:
-      - should-run-start-proxy
-    if: needs.should-run-start-proxy.outputs.run-check == 'true'
+    if: github.triggering_actor != 'dependabot[bot]'
     permissions:
       contents: read
       security-events: read
@@ -99,7 +68,8 @@ jobs:
         id: proxy
         uses: ./../action/start-proxy
         with:
-          registry_secrets: '[{ "type": "nuget_feed", "url": "https://api.nuget.org/v3/index.json" }]'
+          registry_secrets: '[{ "type": "nuget_feed", "url": "https://api.nuget.org/v3/index.json"
+            }]'
 
       - name: Print proxy outputs
         run: |
@@ -108,27 +78,8 @@ jobs:
           echo "${{ steps.proxy.outputs.proxy_urls }}"
 
       - name: Fail if proxy outputs are not set
-        if: (!steps.proxy.outputs.proxy_host) || (!steps.proxy.outputs.proxy_port) || (!steps.proxy.outputs.proxy_ca_certificate) || (!steps.proxy.outputs.proxy_urls)
+        if: (!steps.proxy.outputs.proxy_host) || (!steps.proxy.outputs.proxy_port)
+          || (!steps.proxy.outputs.proxy_ca_certificate) || (!steps.proxy.outputs.proxy_urls)
         run: exit 1
     env:
       CODEQL_ACTION_TEST_MODE: true
-  skip-start-proxy:
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - os: ubuntu-latest
-            version: linked
-          - os: macos-latest
-            version: linked
-          - os: windows-latest
-            version: linked
-    name: Start proxy
-    needs:
-      - should-run-start-proxy
-    if: needs.should-run-start-proxy.outputs.run-check != 'true'
-    timeout-minutes: 5
-    runs-on: ubuntu-slim
-    steps:
-      - name: Success
-        run: exit 0

.github/workflows/__submit-sarif-failure.yml

@@ -18,9 +18,6 @@ on:
       - synchronize
       - reopened
       - ready_for_review
-  merge_group:
-    types:
-      - checks_requested
   schedule:
     - cron: '0 5 * * *'
   workflow_dispatch:
@@ -31,35 +28,9 @@ defaults:
   run:
     shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: submit-sarif-failure-${{github.ref}}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
-  should-run-submit-sarif-failure:
-    name: Decide whether to run this check
-    timeout-minutes: 10
-    runs-on: ubuntu-slim
-    if: github.triggering_actor != 'dependabot[bot]'
-    outputs:
-      run-check: ${{ steps.changed-files-check.outputs.run-check || steps.event-type-check.outputs.run-check }}
-    steps:
-      - name: Run check if this is not a PR
-        id: event-type-check
-        if: github.event_name != 'pull_request'
-        run: echo "run-check=true" >> "$GITHUB_OUTPUT"
-      - name: Check out repository
-        if: github.event_name == 'pull_request'
-        uses: actions/checkout@v6
-      - name: Determine changed files
-        id: changed-files
-        if: github.event_name == 'pull_request'
-        uses: ./.github/actions/changed-files
-        with:
-          github-token: ${{ secrets.GITHUB_TOKEN }}
-          exclude: '["README.md"]'
-      - name: Run check because of changed files
-        id: changed-files-check
-        if: github.event_name != 'pull_request' && steps.changed-files.outputs.files != '[]'
-        run: echo "run-check=true" >> "$GITHUB_OUTPUT"
   submit-sarif-failure:
     strategy:
       fail-fast: false
@@ -72,12 +43,11 @@ jobs:
           - os: ubuntu-latest
             version: nightly-latest
     name: Submit SARIF after failure
-    needs:
-      - should-run-submit-sarif-failure
-    if: needs.should-run-submit-sarif-failure.outputs.run-check == 'true'
+    if: github.triggering_actor != 'dependabot[bot]'
     permissions:
       contents: read
-      security-events: write
+      security-events: write # needed to upload the SARIF file
+
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:
@@ -96,40 +66,26 @@ jobs:
           languages: javascript
           tools: ${{ steps.prepare-test.outputs.tools-url }}
       - name: Fail
-        # We want this job to pass if the Action correctly uploads the SARIF file for
-        # the failed run.
-        # Setting this step to continue on error means that it is marked as completing
-        # successfully, so will not fail the job.
+    # We want this job to pass if the Action correctly uploads the SARIF file for
+    # the failed run.
+    # Setting this step to continue on error means that it is marked as completing
+    # successfully, so will not fail the job.
         continue-on-error: true
         run: exit 1
       - uses: ./analyze
-        # In a real workflow, this step wouldn't run. Since we used `continue-on-error`
-        # above, we manually disable it with an `if` condition.
+    # In a real workflow, this step wouldn't run. Since we used `continue-on-error`
+    # above, we manually disable it with an `if` condition.
         if: false
         with:
-          category: '/test-codeql-version:${{ matrix.version }}'
+          category: /test-codeql-version:${{ matrix.version }}
     env:
+  # Internal-only environment variable used to indicate that the post-init Action
+  # should expect to upload a SARIF file for the failed run.
       CODEQL_ACTION_EXPECT_UPLOAD_FAILED_SARIF: true
+  # Make sure the uploading SARIF files feature is enabled.
       CODEQL_ACTION_UPLOAD_FAILED_SARIF: true
+  # Upload the failed SARIF file as an integration test of the API endpoint.
       CODEQL_ACTION_TEST_MODE: false
+  # Mark telemetry for this workflow so it can be treated separately.
       CODEQL_ACTION_TESTING_ENVIRONMENT: codeql-action-pr-checks
-  skip-submit-sarif-failure:
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - os: ubuntu-latest
-            version: linked
-          - os: ubuntu-latest
-            version: default
-          - os: ubuntu-latest
-            version: nightly-latest
-    name: Submit SARIF after failure
-    needs:
-      - should-run-submit-sarif-failure
-    if: needs.should-run-submit-sarif-failure.outputs.run-check != 'true'
-    timeout-minutes: 5
-    runs-on: ubuntu-slim
-    steps:
-      - name: Success
-        run: exit 0
+

.github/workflows/__swift-autobuild.yml

@@ -18,9 +18,6 @@ on:
       - synchronize
       - reopened
       - ready_for_review
-  merge_group:
-    types:
-      - checks_requested
   schedule:
     - cron: '0 5 * * *'
   workflow_dispatch:
@@ -31,35 +28,9 @@ defaults:
   run:
     shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: swift-autobuild-${{github.ref}}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
-  should-run-swift-autobuild:
-    name: Decide whether to run this check
-    timeout-minutes: 10
-    runs-on: ubuntu-slim
-    if: github.triggering_actor != 'dependabot[bot]'
-    outputs:
-      run-check: ${{ steps.changed-files-check.outputs.run-check || steps.event-type-check.outputs.run-check }}
-    steps:
-      - name: Run check if this is not a PR
-        id: event-type-check
-        if: github.event_name != 'pull_request'
-        run: echo "run-check=true" >> "$GITHUB_OUTPUT"
-      - name: Check out repository
-        if: github.event_name == 'pull_request'
-        uses: actions/checkout@v6
-      - name: Determine changed files
-        id: changed-files
-        if: github.event_name == 'pull_request'
-        uses: ./.github/actions/changed-files
-        with:
-          github-token: ${{ secrets.GITHUB_TOKEN }}
-          exclude: '["README.md"]'
-      - name: Run check because of changed files
-        id: changed-files-check
-        if: github.event_name != 'pull_request' && steps.changed-files.outputs.files != '[]'
-        run: echo "run-check=true" >> "$GITHUB_OUTPUT"
   swift-autobuild:
     strategy:
       fail-fast: false
@@ -68,9 +39,7 @@ jobs:
           - os: macos-latest
             version: nightly-latest
     name: Swift analysis using autobuild
-    needs:
-      - should-run-swift-autobuild
-    if: needs.should-run-swift-autobuild.outputs.run-check == 'true'
+    if: github.triggering_actor != 'dependabot[bot]'
     permissions:
       contents: read
       security-events: read
@@ -109,19 +78,3 @@ jobs:
           fi
     env:
       CODEQL_ACTION_TEST_MODE: true
-  skip-swift-autobuild:
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - os: macos-latest
-            version: nightly-latest
-    name: Swift analysis using autobuild
-    needs:
-      - should-run-swift-autobuild
-    if: needs.should-run-swift-autobuild.outputs.run-check != 'true'
-    timeout-minutes: 5
-    runs-on: ubuntu-slim
-    steps:
-      - name: Success
-        run: exit 0

.github/workflows/__swift-custom-build.yml

@@ -18,68 +18,39 @@ on:
       - synchronize
       - reopened
       - ready_for_review
-  merge_group:
-    types:
-      - checks_requested
   schedule:
     - cron: '0 5 * * *'
   workflow_dispatch:
     inputs:
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
       go-version:
         type: string
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
+      dotnet-version:
+        type: string
+        description: The version of .NET to install
+        required: false
+        default: 9.x
   workflow_call:
     inputs:
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
       go-version:
         type: string
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
+      dotnet-version:
+        type: string
+        description: The version of .NET to install
+        required: false
+        default: 9.x
 defaults:
   run:
     shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: swift-custom-build-${{github.ref}}-${{inputs.dotnet-version}}-${{inputs.go-version}}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
-  should-run-swift-custom-build:
-    name: Decide whether to run this check
-    timeout-minutes: 10
-    runs-on: ubuntu-slim
-    if: github.triggering_actor != 'dependabot[bot]'
-    outputs:
-      run-check: ${{ steps.changed-files-check.outputs.run-check || steps.event-type-check.outputs.run-check }}
-    steps:
-      - name: Run check if this is not a PR
-        id: event-type-check
-        if: github.event_name != 'pull_request'
-        run: echo "run-check=true" >> "$GITHUB_OUTPUT"
-      - name: Check out repository
-        if: github.event_name == 'pull_request'
-        uses: actions/checkout@v6
-      - name: Determine changed files
-        id: changed-files
-        if: github.event_name == 'pull_request'
-        uses: ./.github/actions/changed-files
-        with:
-          github-token: ${{ secrets.GITHUB_TOKEN }}
-          exclude: '["README.md"]'
-      - name: Run check because of changed files
-        id: changed-files-check
-        if: github.event_name != 'pull_request' && steps.changed-files.outputs.files != '[]'
-        run: echo "run-check=true" >> "$GITHUB_OUTPUT"
   swift-custom-build:
     strategy:
       fail-fast: false
@@ -92,9 +63,7 @@ jobs:
           - os: macos-latest
             version: nightly-latest
     name: Swift analysis using a custom build command
-    needs:
-      - should-run-swift-custom-build
-    if: needs.should-run-swift-custom-build.outputs.run-check == 'true'
+    if: github.triggering_actor != 'dependabot[bot]'
     permissions:
       contents: read
       security-events: read
@@ -103,15 +72,6 @@ jobs:
     steps:
       - name: Check out repository
         uses: actions/checkout@v6
-      - name: Install .NET
-        uses: actions/setup-dotnet@v5
-        with:
-          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
-      - name: Install Go
-        uses: actions/setup-go@v6
-        with:
-          go-version: ${{ inputs.go-version || '>=1.21.0' }}
-          cache: false
       - name: Prepare test
         id: prepare-test
         uses: ./.github/actions/prepare-test
@@ -119,6 +79,15 @@ jobs:
           version: ${{ matrix.version }}
           use-all-platform-bundle: 'false'
           setup-kotlin: 'true'
+      - name: Install Go
+        uses: actions/setup-go@v6
+        with:
+          go-version: ${{ inputs.go-version || '>=1.21.0' }}
+          cache: false
+      - name: Install .NET
+        uses: actions/setup-dotnet@v5
+        with:
+          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
       - name: Use Xcode 16
         if: runner.os == 'macOS' && matrix.version != 'nightly-latest'
         run: sudo xcode-select -s "/Applications/Xcode_16.app"
@@ -145,23 +114,3 @@ jobs:
     env:
       DOTNET_GENERATE_ASPNET_CERTIFICATE: 'false'
       CODEQL_ACTION_TEST_MODE: true
-  skip-swift-custom-build:
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - os: macos-latest
-            version: linked
-          - os: macos-latest
-            version: default
-          - os: macos-latest
-            version: nightly-latest
-    name: Swift analysis using a custom build command
-    needs:
-      - should-run-swift-custom-build
-    if: needs.should-run-swift-custom-build.outputs.run-check != 'true'
-    timeout-minutes: 5
-    runs-on: ubuntu-slim
-    steps:
-      - name: Success
-        run: exit 0

.github/workflows/__unset-environment.yml

@@ -18,18 +18,10 @@ on:
       - synchronize
       - reopened
       - ready_for_review
-  merge_group:
-    types:
-      - checks_requested
   schedule:
     - cron: '0 5 * * *'
   workflow_dispatch:
     inputs:
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
       go-version:
         type: string
         description: The version of Go to install
@@ -40,13 +32,13 @@ on:
         description: The version of Python to install
         required: false
         default: '3.13'
+      dotnet-version:
+        type: string
+        description: The version of .NET to install
+        required: false
+        default: 9.x
   workflow_call:
     inputs:
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
       go-version:
         type: string
         description: The version of Go to install
@@ -57,39 +49,18 @@ on:
         description: The version of Python to install
         required: false
         default: '3.13'
+      dotnet-version:
+        type: string
+        description: The version of .NET to install
+        required: false
+        default: 9.x
 defaults:
   run:
     shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: unset-environment-${{github.ref}}-${{inputs.dotnet-version}}-${{inputs.go-version}}-${{inputs.python-version}}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
-  should-run-unset-environment:
-    name: Decide whether to run this check
-    timeout-minutes: 10
-    runs-on: ubuntu-slim
-    if: github.triggering_actor != 'dependabot[bot]'
-    outputs:
-      run-check: ${{ steps.changed-files-check.outputs.run-check || steps.event-type-check.outputs.run-check }}
-    steps:
-      - name: Run check if this is not a PR
-        id: event-type-check
-        if: github.event_name != 'pull_request'
-        run: echo "run-check=true" >> "$GITHUB_OUTPUT"
-      - name: Check out repository
-        if: github.event_name == 'pull_request'
-        uses: actions/checkout@v6
-      - name: Determine changed files
-        id: changed-files
-        if: github.event_name == 'pull_request'
-        uses: ./.github/actions/changed-files
-        with:
-          github-token: ${{ secrets.GITHUB_TOKEN }}
-          exclude: '["README.md"]'
-      - name: Run check because of changed files
-        id: changed-files-check
-        if: github.event_name != 'pull_request' && steps.changed-files.outputs.files != '[]'
-        run: echo "run-check=true" >> "$GITHUB_OUTPUT"
   unset-environment:
     strategy:
       fail-fast: false
@@ -100,9 +71,7 @@ jobs:
           - os: ubuntu-latest
             version: nightly-latest
     name: Test unsetting environment variables
-    needs:
-      - should-run-unset-environment
-    if: needs.should-run-unset-environment.outputs.run-check == 'true'
+    if: github.triggering_actor != 'dependabot[bot]'
     permissions:
       contents: read
       security-events: read
@@ -111,20 +80,6 @@ jobs:
     steps:
       - name: Check out repository
         uses: actions/checkout@v6
-      - name: Install .NET
-        uses: actions/setup-dotnet@v5
-        with:
-          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
-      - name: Install Go
-        uses: actions/setup-go@v6
-        with:
-          go-version: ${{ inputs.go-version || '>=1.21.0' }}
-          cache: false
-      - name: Install Python
-        if: matrix.version != 'nightly-latest' || !matrix.version
-        uses: actions/setup-python@v6
-        with:
-          python-version: ${{ inputs.python-version || '3.13' }}
       - name: Prepare test
         id: prepare-test
         uses: ./.github/actions/prepare-test
@@ -132,11 +87,25 @@ jobs:
           version: ${{ matrix.version }}
           use-all-platform-bundle: 'false'
           setup-kotlin: 'true'
+      - name: Install Go
+        uses: actions/setup-go@v6
+        with:
+          go-version: ${{ inputs.go-version || '>=1.21.0' }}
+          cache: false
+      - name: Install Python
+        if: matrix.version != 'nightly-latest'
+        uses: actions/setup-python@v6
+        with:
+          python-version: ${{ inputs.python-version || '3.13' }}
+      - name: Install .NET
+        uses: actions/setup-dotnet@v5
+        with:
+          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
       - uses: ./../action/init
         id: init
         with:
           db-location: ${{ runner.temp }}/customDbLocation
-          # Swift is not supported on Ubuntu so we manually exclude it from the list here
+      # Swift is not supported on Ubuntu so we manually exclude it from the list here
           languages: cpp,csharp,go,java,javascript,python,ruby
           tools: ${{ steps.prepare-test.outputs.tools-url }}
       - name: Build code
@@ -184,21 +153,3 @@ jobs:
           fi
     env:
       CODEQL_ACTION_TEST_MODE: true
-  skip-unset-environment:
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - os: ubuntu-latest
-            version: linked
-          - os: ubuntu-latest
-            version: nightly-latest
-    name: Test unsetting environment variables
-    needs:
-      - should-run-unset-environment
-    if: needs.should-run-unset-environment.outputs.run-check != 'true'
-    timeout-minutes: 5
-    runs-on: ubuntu-slim
-    steps:
-      - name: Success
-        run: exit 0

.github/workflows/__upload-ref-sha-input.yml

@@ -18,18 +18,10 @@ on:
       - synchronize
       - reopened
       - ready_for_review
-  merge_group:
-    types:
-      - checks_requested
   schedule:
     - cron: '0 5 * * *'
   workflow_dispatch:
     inputs:
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
       go-version:
         type: string
         description: The version of Go to install
@@ -40,13 +32,13 @@ on:
         description: The version of Python to install
         required: false
         default: '3.13'
+      dotnet-version:
+        type: string
+        description: The version of .NET to install
+        required: false
+        default: 9.x
   workflow_call:
     inputs:
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
       go-version:
         type: string
         description: The version of Go to install
@@ -57,39 +49,18 @@ on:
         description: The version of Python to install
         required: false
         default: '3.13'
+      dotnet-version:
+        type: string
+        description: The version of .NET to install
+        required: false
+        default: 9.x
 defaults:
   run:
     shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: upload-ref-sha-input-${{github.ref}}-${{inputs.dotnet-version}}-${{inputs.go-version}}-${{inputs.python-version}}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
-  should-run-upload-ref-sha-input:
-    name: Decide whether to run this check
-    timeout-minutes: 10
-    runs-on: ubuntu-slim
-    if: github.triggering_actor != 'dependabot[bot]'
-    outputs:
-      run-check: ${{ steps.changed-files-check.outputs.run-check || steps.event-type-check.outputs.run-check }}
-    steps:
-      - name: Run check if this is not a PR
-        id: event-type-check
-        if: github.event_name != 'pull_request'
-        run: echo "run-check=true" >> "$GITHUB_OUTPUT"
-      - name: Check out repository
-        if: github.event_name == 'pull_request'
-        uses: actions/checkout@v6
-      - name: Determine changed files
-        id: changed-files
-        if: github.event_name == 'pull_request'
-        uses: ./.github/actions/changed-files
-        with:
-          github-token: ${{ secrets.GITHUB_TOKEN }}
-          exclude: '["README.md"]'
-      - name: Run check because of changed files
-        id: changed-files-check
-        if: github.event_name != 'pull_request' && steps.changed-files.outputs.files != '[]'
-        run: echo "run-check=true" >> "$GITHUB_OUTPUT"
   upload-ref-sha-input:
     strategy:
       fail-fast: false
@@ -98,9 +69,7 @@ jobs:
           - os: ubuntu-latest
             version: default
     name: "Upload-sarif: 'ref' and 'sha' from inputs"
-    needs:
-      - should-run-upload-ref-sha-input
-    if: needs.should-run-upload-ref-sha-input.outputs.run-check == 'true'
+    if: github.triggering_actor != 'dependabot[bot]'
     permissions:
       contents: read
       security-events: read
@@ -109,20 +78,6 @@ jobs:
     steps:
       - name: Check out repository
         uses: actions/checkout@v6
-      - name: Install .NET
-        uses: actions/setup-dotnet@v5
-        with:
-          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
-      - name: Install Go
-        uses: actions/setup-go@v6
-        with:
-          go-version: ${{ inputs.go-version || '>=1.21.0' }}
-          cache: false
-      - name: Install Python
-        if: matrix.version != 'nightly-latest' || !matrix.version
-        uses: actions/setup-python@v6
-        with:
-          python-version: ${{ inputs.python-version || '3.13' }}
       - name: Prepare test
         id: prepare-test
         uses: ./.github/actions/prepare-test
@@ -130,38 +85,37 @@ jobs:
           version: ${{ matrix.version }}
           use-all-platform-bundle: 'false'
           setup-kotlin: 'true'
+      - name: Install Go
+        uses: actions/setup-go@v6
+        with:
+          go-version: ${{ inputs.go-version || '>=1.21.0' }}
+          cache: false
+      - name: Install Python
+        if: matrix.version != 'nightly-latest'
+        uses: actions/setup-python@v6
+        with:
+          python-version: ${{ inputs.python-version || '3.13' }}
+      - name: Install .NET
+        uses: actions/setup-dotnet@v5
+        with:
+          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
       - uses: ./../action/init
         with:
           tools: ${{ steps.prepare-test.outputs.tools-url }}
           languages: cpp,csharp,java,javascript,python
-          config-file: ${{ github.repository }}/tests/multi-language-repo/.github/codeql/custom-queries.yml@${{ github.sha }}
+          config-file: ${{ github.repository }}/tests/multi-language-repo/.github/codeql/custom-queries.yml@${{
+            github.sha }}
       - name: Build code
         run: ./build.sh
-      # Generate some SARIF we can upload with the upload-sarif step
+  # Generate some SARIF we can upload with the upload-sarif step
       - uses: ./../action/analyze
         with:
-          ref: 'refs/heads/main'
-          sha: '5e235361806c361d4d3f8859e3c897658025a9a2'
+          ref: refs/heads/main
+          sha: 5e235361806c361d4d3f8859e3c897658025a9a2
           upload: never
       - uses: ./../action/upload-sarif
         with:
-          ref: 'refs/heads/main'
-          sha: '5e235361806c361d4d3f8859e3c897658025a9a2'
+          ref: refs/heads/main
+          sha: 5e235361806c361d4d3f8859e3c897658025a9a2
     env:
       CODEQL_ACTION_TEST_MODE: true
-  skip-upload-ref-sha-input:
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - os: ubuntu-latest
-            version: default
-    name: "Upload-sarif: 'ref' and 'sha' from inputs"
-    needs:
-      - should-run-upload-ref-sha-input
-    if: needs.should-run-upload-ref-sha-input.outputs.run-check != 'true'
-    timeout-minutes: 5
-    runs-on: ubuntu-slim
-    steps:
-      - name: Success
-        run: exit 0

.github/workflows/__upload-sarif.yml

@@ -18,18 +18,10 @@ on:
       - synchronize
       - reopened
       - ready_for_review
-  merge_group:
-    types:
-      - checks_requested
   schedule:
     - cron: '0 5 * * *'
   workflow_dispatch:
     inputs:
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
       go-version:
         type: string
         description: The version of Go to install
@@ -40,13 +32,13 @@ on:
         description: The version of Python to install
         required: false
         default: '3.13'
+      dotnet-version:
+        type: string
+        description: The version of .NET to install
+        required: false
+        default: 9.x
   workflow_call:
     inputs:
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
       go-version:
         type: string
         description: The version of Go to install
@@ -57,39 +49,18 @@ on:
         description: The version of Python to install
         required: false
         default: '3.13'
+      dotnet-version:
+        type: string
+        description: The version of .NET to install
+        required: false
+        default: 9.x
 defaults:
   run:
     shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: upload-sarif-${{github.ref}}-${{inputs.dotnet-version}}-${{inputs.go-version}}-${{inputs.python-version}}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
-  should-run-upload-sarif:
-    name: Decide whether to run this check
-    timeout-minutes: 10
-    runs-on: ubuntu-slim
-    if: github.triggering_actor != 'dependabot[bot]'
-    outputs:
-      run-check: ${{ steps.changed-files-check.outputs.run-check || steps.event-type-check.outputs.run-check }}
-    steps:
-      - name: Run check if this is not a PR
-        id: event-type-check
-        if: github.event_name != 'pull_request'
-        run: echo "run-check=true" >> "$GITHUB_OUTPUT"
-      - name: Check out repository
-        if: github.event_name == 'pull_request'
-        uses: actions/checkout@v6
-      - name: Determine changed files
-        id: changed-files
-        if: github.event_name == 'pull_request'
-        uses: ./.github/actions/changed-files
-        with:
-          github-token: ${{ secrets.GITHUB_TOKEN }}
-          exclude: '["README.md"]'
-      - name: Run check because of changed files
-        id: changed-files-check
-        if: github.event_name != 'pull_request' && steps.changed-files.outputs.files != '[]'
-        run: echo "run-check=true" >> "$GITHUB_OUTPUT"
   upload-sarif:
     strategy:
       fail-fast: false
@@ -105,9 +76,7 @@ jobs:
             version: default
             analysis-kinds: code-scanning,code-quality
     name: Test different uses of `upload-sarif`
-    needs:
-      - should-run-upload-sarif
-    if: needs.should-run-upload-sarif.outputs.run-check == 'true'
+    if: github.triggering_actor != 'dependabot[bot]'
     permissions:
       contents: read
       security-events: read
@@ -116,20 +85,6 @@ jobs:
     steps:
       - name: Check out repository
         uses: actions/checkout@v6
-      - name: Install .NET
-        uses: actions/setup-dotnet@v5
-        with:
-          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
-      - name: Install Go
-        uses: actions/setup-go@v6
-        with:
-          go-version: ${{ inputs.go-version || '>=1.21.0' }}
-          cache: false
-      - name: Install Python
-        if: matrix.version != 'nightly-latest' || !matrix.version
-        uses: actions/setup-python@v6
-        with:
-          python-version: ${{ inputs.python-version || '3.13' }}
       - name: Prepare test
         id: prepare-test
         uses: ./.github/actions/prepare-test
@@ -137,6 +92,20 @@ jobs:
           version: ${{ matrix.version }}
           use-all-platform-bundle: 'false'
           setup-kotlin: 'true'
+      - name: Install Go
+        uses: actions/setup-go@v6
+        with:
+          go-version: ${{ inputs.go-version || '>=1.21.0' }}
+          cache: false
+      - name: Install Python
+        if: matrix.version != 'nightly-latest'
+        uses: actions/setup-python@v6
+        with:
+          python-version: ${{ inputs.python-version || '3.13' }}
+      - name: Install .NET
+        uses: actions/setup-dotnet@v5
+        with:
+          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
       - uses: ./../action/init
         with:
           tools: ${{ steps.prepare-test.outputs.tools-url }}
@@ -144,11 +113,11 @@ jobs:
           analysis-kinds: ${{ matrix.analysis-kinds }}
       - name: Build code
         run: ./build.sh
-      # Generate some SARIF we can upload with the upload-sarif step
+  # Generate some SARIF we can upload with the upload-sarif step
       - uses: ./../action/analyze
         with:
-          ref: 'refs/heads/main'
-          sha: '5e235361806c361d4d3f8859e3c897658025a9a2'
+          ref: refs/heads/main
+          sha: 5e235361806c361d4d3f8859e3c897658025a9a2
           upload: never
           output: ${{ runner.temp }}/results
 
@@ -157,15 +126,15 @@ jobs:
         uses: ./../action/upload-sarif
         id: upload-sarif
         with:
-          ref: 'refs/heads/main'
-          sha: '5e235361806c361d4d3f8859e3c897658025a9a2'
+          ref: refs/heads/main
+          sha: 5e235361806c361d4d3f8859e3c897658025a9a2
           sarif_file: ${{ runner.temp }}/results
           category: |
             ${{ github.workflow }}:upload-sarif/analysis-kinds:${{ matrix.analysis-kinds }}/os:${{ matrix.os }}/version:${{ matrix.version }}/test:all-files/
-      - name: 'Fail for missing output from `upload-sarif` step for `code-scanning`'
+      - name: Fail for missing output from `upload-sarif` step for `code-scanning`
         if: contains(matrix.analysis-kinds, 'code-scanning') && !(fromJSON(steps.upload-sarif.outputs.sarif-ids).code-scanning)
         run: exit 1
-      - name: 'Fail for missing output from `upload-sarif` step for `code-quality`'
+      - name: Fail for missing output from `upload-sarif` step for `code-quality`
         if: contains(matrix.analysis-kinds, 'code-quality') && !(fromJSON(steps.upload-sarif.outputs.sarif-ids).code-quality)
         run: exit 1
 
@@ -174,26 +143,28 @@ jobs:
         id: upload-single-sarif-code-scanning
         if: contains(matrix.analysis-kinds, 'code-scanning')
         with:
-          ref: 'refs/heads/main'
-          sha: '5e235361806c361d4d3f8859e3c897658025a9a2'
+          ref: refs/heads/main
+          sha: 5e235361806c361d4d3f8859e3c897658025a9a2
           sarif_file: ${{ runner.temp }}/results/javascript.sarif
           category: |
             ${{ github.workflow }}:upload-sarif/analysis-kinds:${{ matrix.analysis-kinds }}/os:${{ matrix.os }}/version:${{ matrix.version }}/test:single-code-scanning/
-      - name: 'Fail for missing output from `upload-single-sarif-code-scanning` step'
-        if: contains(matrix.analysis-kinds, 'code-scanning') && !(fromJSON(steps.upload-single-sarif-code-scanning.outputs.sarif-ids).code-scanning)
+      - name: Fail for missing output from `upload-single-sarif-code-scanning` step
+        if: contains(matrix.analysis-kinds, 'code-scanning') &&
+          !(fromJSON(steps.upload-single-sarif-code-scanning.outputs.sarif-ids).code-scanning)
         run: exit 1
       - name: Upload single SARIF file for Code Quality
         uses: ./../action/upload-sarif
         id: upload-single-sarif-code-quality
         if: contains(matrix.analysis-kinds, 'code-quality')
         with:
-          ref: 'refs/heads/main'
-          sha: '5e235361806c361d4d3f8859e3c897658025a9a2'
+          ref: refs/heads/main
+          sha: 5e235361806c361d4d3f8859e3c897658025a9a2
           sarif_file: ${{ runner.temp }}/results/javascript.quality.sarif
           category: |
             ${{ github.workflow }}:upload-sarif/analysis-kinds:${{ matrix.analysis-kinds }}/os:${{ matrix.os }}/version:${{ matrix.version }}/test:single-code-quality/
-      - name: 'Fail for missing output from `upload-single-sarif-code-quality` step'
-        if: contains(matrix.analysis-kinds, 'code-quality') && !(fromJSON(steps.upload-single-sarif-code-quality.outputs.sarif-ids).code-quality)
+      - name: Fail for missing output from `upload-single-sarif-code-quality` step
+        if: contains(matrix.analysis-kinds, 'code-quality') &&
+          !(fromJSON(steps.upload-single-sarif-code-quality.outputs.sarif-ids).code-quality)
         run: exit 1
 
       - name: Change SARIF file extension
@@ -204,36 +175,13 @@ jobs:
         id: upload-single-non-sarif
         if: contains(matrix.analysis-kinds, 'code-scanning')
         with:
-          ref: 'refs/heads/main'
-          sha: '5e235361806c361d4d3f8859e3c897658025a9a2'
+          ref: refs/heads/main
+          sha: 5e235361806c361d4d3f8859e3c897658025a9a2
           sarif_file: ${{ runner.temp }}/results/javascript.sarif.json
           category: |
             ${{ github.workflow }}:upload-sarif/analysis-kinds:${{ matrix.analysis-kinds }}/os:${{ matrix.os }}/version:${{ matrix.version }}/test:non-sarif/
-      - name: 'Fail for missing output from `upload-single-non-sarif` step'
+      - name: Fail for missing output from `upload-single-non-sarif` step
         if: contains(matrix.analysis-kinds, 'code-scanning') && !(fromJSON(steps.upload-single-non-sarif.outputs.sarif-ids).code-scanning)
         run: exit 1
     env:
       CODEQL_ACTION_TEST_MODE: true
-  skip-upload-sarif:
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - os: ubuntu-latest
-            version: default
-            analysis-kinds: code-scanning
-          - os: ubuntu-latest
-            version: default
-            analysis-kinds: code-quality
-          - os: ubuntu-latest
-            version: default
-            analysis-kinds: code-scanning,code-quality
-    name: Test different uses of `upload-sarif`
-    needs:
-      - should-run-upload-sarif
-    if: needs.should-run-upload-sarif.outputs.run-check != 'true'
-    timeout-minutes: 5
-    runs-on: ubuntu-slim
-    steps:
-      - name: Success
-        run: exit 0

.github/workflows/__with-checkout-path.yml

@@ -18,18 +18,10 @@ on:
       - synchronize
       - reopened
       - ready_for_review
-  merge_group:
-    types:
-      - checks_requested
   schedule:
     - cron: '0 5 * * *'
   workflow_dispatch:
     inputs:
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
       go-version:
         type: string
         description: The version of Go to install
@@ -40,13 +32,13 @@ on:
         description: The version of Python to install
         required: false
         default: '3.13'
+      dotnet-version:
+        type: string
+        description: The version of .NET to install
+        required: false
+        default: 9.x
   workflow_call:
     inputs:
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
       go-version:
         type: string
         description: The version of Go to install
@@ -57,39 +49,18 @@ on:
         description: The version of Python to install
         required: false
         default: '3.13'
+      dotnet-version:
+        type: string
+        description: The version of .NET to install
+        required: false
+        default: 9.x
 defaults:
   run:
     shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: with-checkout-path-${{github.ref}}-${{inputs.dotnet-version}}-${{inputs.go-version}}-${{inputs.python-version}}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
-  should-run-with-checkout-path:
-    name: Decide whether to run this check
-    timeout-minutes: 10
-    runs-on: ubuntu-slim
-    if: github.triggering_actor != 'dependabot[bot]'
-    outputs:
-      run-check: ${{ steps.changed-files-check.outputs.run-check || steps.event-type-check.outputs.run-check }}
-    steps:
-      - name: Run check if this is not a PR
-        id: event-type-check
-        if: github.event_name != 'pull_request'
-        run: echo "run-check=true" >> "$GITHUB_OUTPUT"
-      - name: Check out repository
-        if: github.event_name == 'pull_request'
-        uses: actions/checkout@v6
-      - name: Determine changed files
-        id: changed-files
-        if: github.event_name == 'pull_request'
-        uses: ./.github/actions/changed-files
-        with:
-          github-token: ${{ secrets.GITHUB_TOKEN }}
-          exclude: '["README.md"]'
-      - name: Run check because of changed files
-        id: changed-files-check
-        if: github.event_name != 'pull_request' && steps.changed-files.outputs.files != '[]'
-        run: echo "run-check=true" >> "$GITHUB_OUTPUT"
   with-checkout-path:
     strategy:
       fail-fast: false
@@ -98,32 +69,15 @@ jobs:
           - os: ubuntu-latest
             version: linked
     name: Use a custom `checkout_path`
-    needs:
-      - should-run-with-checkout-path
-    if: needs.should-run-with-checkout-path.outputs.run-check == 'true'
+    if: github.triggering_actor != 'dependabot[bot]'
     permissions:
       contents: read
       security-events: read
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:
-      # This ensures we don't accidentally use the original checkout for any part of the test.
       - name: Check out repository
         uses: actions/checkout@v6
-      - name: Install .NET
-        uses: actions/setup-dotnet@v5
-        with:
-          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
-      - name: Install Go
-        uses: actions/setup-go@v6
-        with:
-          go-version: ${{ inputs.go-version || '>=1.21.0' }}
-          cache: false
-      - name: Install Python
-        if: matrix.version != 'nightly-latest' || !matrix.version
-        uses: actions/setup-python@v6
-        with:
-          python-version: ${{ inputs.python-version || '3.13' }}
       - name: Prepare test
         id: prepare-test
         uses: ./.github/actions/prepare-test
@@ -131,14 +85,28 @@ jobs:
           version: ${{ matrix.version }}
           use-all-platform-bundle: 'false'
           setup-kotlin: 'true'
+      - name: Install Go
+        uses: actions/setup-go@v6
+        with:
+          go-version: ${{ inputs.go-version || '>=1.21.0' }}
+          cache: false
+      - name: Install Python
+        if: matrix.version != 'nightly-latest'
+        uses: actions/setup-python@v6
+        with:
+          python-version: ${{ inputs.python-version || '3.13' }}
+      - name: Install .NET
+        uses: actions/setup-dotnet@v5
+        with:
+          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
       - name: Delete original checkout
         run: |
           # delete the original checkout so we don't accidentally use it.
           # Actions does not support deleting the current working directory, so we
           # delete the contents of the directory instead.
           rm -rf ./* .github .git
-      # Check out the actions repo again, but at a different location.
-      # choose an arbitrary SHA so that we can later test that the commit_oid is not from main
+  # Check out the actions repo again, but at a different location.
+  # choose an arbitrary SHA so that we can later test that the commit_oid is not from main
       - uses: actions/checkout@v6
         with:
           ref: 474bbf07f9247ffe1856c6a0f94aeeb10e7afee6
@@ -147,7 +115,7 @@ jobs:
       - uses: ./../action/init
         with:
           tools: ${{ steps.prepare-test.outputs.tools-url }}
-          # it's enough to test one compiled language and one interpreted language
+      # it's enough to test one compiled language and one interpreted language
           languages: csharp,javascript
           source-root: x/y/z/some-path/tests/multi-language-repo
 
@@ -192,19 +160,3 @@ jobs:
           fi
     env:
       CODEQL_ACTION_TEST_MODE: true
-  skip-with-checkout-path:
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - os: ubuntu-latest
-            version: linked
-    name: Use a custom `checkout_path`
-    needs:
-      - should-run-with-checkout-path
-    if: needs.should-run-with-checkout-path.outputs.run-check != 'true'
-    timeout-minutes: 5
-    runs-on: ubuntu-slim
-    steps:
-      - name: Success
-        run: exit 0

.github/workflows/codeql.yml

@@ -7,8 +7,6 @@ on:
     # Run checks on reopened draft PRs to support triggering PR checks on draft PRs that were opened
     # by other workflows.
     types: [opened, synchronize, reopened, ready_for_review]
-  merge_group:
-    types: [checks_requested]
   schedule:
     # Weekly on Sunday.
     - cron: '30 1 * * 0'
@@ -31,29 +29,34 @@ jobs:
 
     permissions:
       contents: read
-      # We currently need `security-events: read` to access feature flags.
-      security-events: read
 
     steps:
     - uses: actions/checkout@v6
-    - name: Set up default CodeQL bundle
-      id: setup-default
-      uses: ./setup-codeql
-    - name: Set up linked CodeQL bundle
-      id: setup-linked
-      uses: ./setup-codeql
+    - name: Init with default CodeQL bundle from the VM image
+      id: init-default
+      uses: ./init
+      with:
+        languages: javascript
+    - name: Remove empty database
+      # allows us to run init a second time
+      run: |
+        rm -rf "$RUNNER_TEMP/codeql_databases"
+    - name: Init with latest CodeQL bundle
+      id: init-latest
+      uses: ./init
       with:
         tools: linked
-    - name: Compare default and linked CodeQL bundle versions
+        languages: javascript
+    - name: Compare default and latest CodeQL bundle versions
       id: compare
       env:
-        CODEQL_DEFAULT: ${{ steps.setup-default.outputs.codeql-path }}
-        CODEQL_LINKED: ${{ steps.setup-linked.outputs.codeql-path }}
+        CODEQL_DEFAULT: ${{ steps.init-default.outputs.codeql-path }}
+        CODEQL_LATEST: ${{ steps.init-latest.outputs.codeql-path }}
       run: |
         CODEQL_VERSION_DEFAULT="$("$CODEQL_DEFAULT" version --format terse)"
-        CODEQL_VERSION_LINKED="$("$CODEQL_LINKED" version --format terse)"
+        CODEQL_VERSION_LATEST="$("$CODEQL_LATEST" version --format terse)"
         echo "Default CodeQL bundle version is $CODEQL_VERSION_DEFAULT"
-        echo "Linked CodeQL bundle version is $CODEQL_VERSION_LINKED"
+        echo "Latest CodeQL bundle version is $CODEQL_VERSION_LATEST"
 
         # If we're running on a pull request, run with both bundles, even if `tools: linked` would
         # be the same as `tools: null`. This allows us to make the job for each of the bundles a
@@ -61,7 +64,7 @@ jobs:
         #
         # If we're running on push or schedule, then we can skip running with `tools: linked` when it would be
         # the same as running with `tools: null`.
-        if [[ "$GITHUB_EVENT_NAME" != "pull_request" && "$GITHUB_EVENT_NAME" != "merge_group" && "$CODEQL_VERSION_DEFAULT" == "$CODEQL_VERSION_LINKED" ]]; then
+        if [[ "$GITHUB_EVENT_NAME" != "pull_request" && "$CODEQL_VERSION_DEFAULT" == "$CODEQL_VERSION_LATEST" ]]; then
           VERSIONS_JSON='[null]'
         else
           VERSIONS_JSON='[null, "linked"]'
@@ -105,7 +108,7 @@ jobs:
       uses: ./analyze
       with:
         category: "/language:javascript"
-        upload: ${{ (matrix.os == 'ubuntu-24.04' && !matrix.tools && github.event_name != 'merge_group' && 'always' ) || 'never' }}
+        upload: ${{ (matrix.os == 'ubuntu-24.04' && !matrix.tools && 'always') || 'never' }}
 
   analyze-other:
     if: github.triggering_actor != 'dependabot[bot]'
@@ -140,4 +143,3 @@ jobs:
       uses: ./analyze
       with:
         category: "/language:${{ matrix.language }}"
-        upload: ${{ (github.event_name != 'merge_group' && 'always') || 'never' }}

.github/workflows/codescanning-config-cli.yml

@@ -6,13 +6,6 @@ env:
   # Diff informed queries add an additional query filter which is not yet
   # taken into account by these tests.
   CODEQL_ACTION_DIFF_INFORMED_QUERIES: false
-  # Specify overlay enablement manually to ensure stability around the exclude-from-incremental
-  # query filter. Here we only enable for the default code scanning suite.
-  CODEQL_ACTION_OVERLAY_ANALYSIS: true
-  CODEQL_ACTION_OVERLAY_ANALYSIS_JAVASCRIPT: false
-  CODEQL_ACTION_OVERLAY_ANALYSIS_CODE_SCANNING_JAVASCRIPT: true
-  CODEQL_ACTION_OVERLAY_ANALYSIS_STATUS_CHECK: false
-  CODEQL_ACTION_OVERLAY_ANALYSIS_SKIP_RESOURCE_CHECKS: true
 
 on:
   push:
@@ -25,11 +18,9 @@ on:
     - synchronize
     - reopened
     - ready_for_review
-  merge_group:
-    types: [checks_requested]
   schedule:
     - cron: '0 5 * * *'
-  workflow_dispatch:
+  workflow_dispatch: {}
 
 defaults:
   run:

.github/workflows/debug-artifacts-failure-safe.yml

@@ -14,11 +14,9 @@ on:
     - synchronize
     - reopened
     - ready_for_review
-  merge_group:
-    types: [checks_requested]
   schedule:
     - cron: '0 5 * * *'
-  workflow_dispatch:
+  workflow_dispatch: {}
 
 defaults:
   run:
@@ -41,8 +39,6 @@ jobs:
       CODEQL_ACTION_TEST_MODE: true
     permissions:
       contents: read
-      # We currently need `security-events: read` to access feature flags.
-      security-events: read
     timeout-minutes: 45
     runs-on: ubuntu-latest
     steps:
@@ -62,8 +58,6 @@ jobs:
         uses: actions/setup-dotnet@v5
         with:
           dotnet-version: '9.x'
-      - name: Assert best-effort artifact scan completed
-        uses: ./../action/.github/actions/verify-debug-artifact-scan-completed
       - uses: ./../action/init
         with:
           tools: ${{ steps.prepare-test.outputs.tools-url }}

.github/workflows/debug-artifacts-safe.yml

@@ -13,11 +13,9 @@ on:
     - synchronize
     - reopened
     - ready_for_review
-  merge_group:
-    types: [checks_requested]
   schedule:
     - cron: '0 5 * * *'
-  workflow_dispatch:
+  workflow_dispatch: {}
 
 defaults:
   run:
@@ -40,8 +38,6 @@ jobs:
     timeout-minutes: 45
     permissions:
       contents: read
-      # We currently need `security-events: read` to access feature flags.
-      security-events: read
     runs-on: ubuntu-latest
     steps:
       - name: Check out repository
@@ -58,8 +54,6 @@ jobs:
         uses: actions/setup-dotnet@v5
         with:
           dotnet-version: '9.x'
-      - name: Assert best-effort artifact scan completed
-        uses: ./../action/.github/actions/verify-debug-artifact-scan-completed
       - uses: ./../action/init
         id: init
         with:

.github/workflows/label-pr-size.yml

@@ -17,7 +17,6 @@ jobs:
   sizeup:
     name: Label PR with size
     runs-on: ubuntu-slim
-    if: github.event.pull_request.merged != true
 
     steps:
       - name: Run sizeup

.github/workflows/post-release-mergeback.yml

@@ -123,13 +123,24 @@ jobs:
       - name: Prepare partial Changelog
         env:
           PARTIAL_CHANGELOG: "${{ runner.temp }}/partial_changelog.md"
+          VERSION: "${{ steps.getVersion.outputs.version }}"
         run: |
-          python .github/workflows/script/prepare_changelog.py CHANGELOG.md > $PARTIAL_CHANGELOG
+          python .github/workflows/script/prepare_changelog.py CHANGELOG.md "$VERSION" > $PARTIAL_CHANGELOG
 
           echo "::group::Partial CHANGELOG"
           cat $PARTIAL_CHANGELOG
           echo "::endgroup::"
 
+      - name: Create mergeback branch and PR
+        if: ${{ steps.check.outputs.exists != 'true' && endsWith(github.ref_name, steps.getVersion.outputs.latest_release_branch) }}
+        uses: ./.github/actions/prepare-mergeback-branch
+        with:
+          base: "${{ env.BASE_BRANCH }}"
+          head: "${{ env.HEAD_BRANCH }}"
+          branch: "${{ steps.getVersion.outputs.newBranch }}"
+          version: "${{ steps.getVersion.outputs.version }}"
+          token: "${{ secrets.GITHUB_TOKEN }}"
+
       - name: Generate token
         uses: actions/create-github-app-token@v2.2.1
         id: app-token
@@ -150,13 +161,3 @@ jobs:
             --latest=false \
             --title "$VERSION" \
             --notes-file "$PARTIAL_CHANGELOG"
-
-      - name: Create mergeback branch and PR
-        if: ${{ endsWith(github.ref_name, steps.getVersion.outputs.latest_release_branch) }}
-        uses: ./.github/actions/prepare-mergeback-branch
-        with:
-          base: "${{ env.BASE_BRANCH }}"
-          head: "${{ env.HEAD_BRANCH }}"
-          branch: "${{ steps.getVersion.outputs.newBranch }}"
-          version: "${{ steps.getVersion.outputs.version }}"
-          token: "${{ secrets.GITHUB_TOKEN }}"

.github/workflows/pr-checks.yml

@@ -6,8 +6,6 @@ on:
     # Run checks on reopened draft PRs to support triggering PR checks on draft PRs that were opened
     # by other workflows.
     types: [opened, synchronize, reopened, ready_for_review]
-  merge_group:
-    types: [checks_requested]
   workflow_dispatch:
 
 defaults:
@@ -42,6 +40,11 @@ jobs:
           node-version: ${{ matrix.node-version }}
           cache: 'npm'
 
+      - name: Set up Python
+        uses: actions/setup-python@v6
+        with:
+          python-version: 3.11
+
       - name: Install dependencies
         run: |
           # Use the system Bash shell to ensure we can run commands like `npm ci`
@@ -63,7 +66,7 @@ jobs:
       - name: Run pr-checks tests
         if: always()
         working-directory: pr-checks
-        run: npm ci && npx tsx --test
+        run: python -m unittest discover
 
       - name: Lint
         if: always() && matrix.os != 'windows-latest'
@@ -77,7 +80,7 @@ jobs:
           category: eslint
 
   check-node-version:
-    if: github.triggering_actor != 'dependabot[bot]'
+    if: github.event.pull_request && github.triggering_actor != 'dependabot[bot]'
     name: Check Action Node versions
     runs-on: ubuntu-latest
     timeout-minutes: 45

.github/workflows/python312-windows.yml

@@ -7,8 +7,6 @@ on:
     # Run checks on reopened draft PRs to support triggering PR checks on draft PRs that were opened
     # by other workflows.
     types: [opened, synchronize, reopened, ready_for_review]
-  merge_group:
-    types: [checks_requested]
   schedule:
     # Weekly on Monday.
     - cron: '0 0 * * 1'
@@ -26,8 +24,6 @@ jobs:
     timeout-minutes: 45
     permissions:
       contents: read
-      # We currently need `security-events: read` to access feature flags.
-      security-events: read
     runs-on: windows-latest
 
     steps:

.github/workflows/query-filters.yml

@@ -11,11 +11,9 @@ on:
     - synchronize
     - reopened
     - ready_for_review
-  merge_group:
-    types: [checks_requested]
   schedule:
     - cron: '0 5 * * *'
-  workflow_dispatch:
+  workflow_dispatch: {}
 
 defaults:
   run:

.github/workflows/rebuild.yml

@@ -73,17 +73,24 @@ jobs:
           npm run lint -- --fix
           npm run build
 
+      - name: Set up Python
+        uses: actions/setup-python@v6
+        with:
+          python-version: 3.11
+
       - name: Sync back version updates to generated workflows
         # Only sync back versions on Dependabot update PRs
         if: startsWith(env.HEAD_REF, 'dependabot/')
         working-directory: pr-checks
         run: |
-          npm ci
-          npx tsx sync_back.ts --verbose
+          python3 sync_back.py -v
 
       - name: Generate workflows
         working-directory: pr-checks
-        run: ./sync.sh
+        run: |
+          python -m pip install --upgrade pip
+          pip install ruamel.yaml==0.17.31
+          python3 sync.py
 
       - name: "Merge in progress: Finish merge and push"
         if: steps.merge.outputs.merge-in-progress == 'true'
@@ -104,7 +111,7 @@ jobs:
             # Otherwise, just commit the changes.
             if git rev-parse --verify MERGE_HEAD >/dev/null 2>&1; then
               echo "In progress merge detected, finishing it up."
-              git merge --continue --no-edit
+              git merge --continue
             else
               echo "No in-progress merge detected, committing changes."
               git commit -m "Rebuild"

.github/workflows/rollback-release.yml

@@ -127,8 +127,9 @@ jobs:
         env:
           NEW_CHANGELOG: "${{ runner.temp }}/new_changelog.md"
           PARTIAL_CHANGELOG: "${{ runner.temp }}/partial_changelog.md"
+          VERSION: "${{ needs.prepare.outputs.version }}"
         run: |
-          python .github/workflows/script/prepare_changelog.py $NEW_CHANGELOG > $PARTIAL_CHANGELOG
+          python .github/workflows/script/prepare_changelog.py $NEW_CHANGELOG "$VERSION" > $PARTIAL_CHANGELOG
 
           echo "::group::Partial CHANGELOG"
           cat $PARTIAL_CHANGELOG

.github/workflows/script/bundle_changelog.py

@@ -1,14 +1,9 @@
-#!/usr/bin/env python3
 import os
 import re
 
-cli_version = os.environ['CLI_VERSION']
-
-# The GitHub Release for the new bundle version.
-bundle_release_url = f"https://github.com/github/codeql-action/releases/tag/codeql-bundle-v{cli_version}"
 # Get the PR number from the PR URL.
 pr_number = os.environ['PR_URL'].split('/')[-1]
-changelog_note = f"- Update default CodeQL bundle version to [{cli_version}]({bundle_release_url}). [#{pr_number}]({os.environ['PR_URL']})"
+changelog_note = f"- Update default CodeQL bundle version to {os.environ['CLI_VERSION']}. [#{pr_number}]({os.environ['PR_URL']})"
 
 # If the "[UNRELEASED]" section starts with "no user facing changes", remove that line.
 with open('CHANGELOG.md', 'r') as f:

.github/workflows/script/prepare_changelog.py

@@ -1,4 +1,3 @@
-#!/usr/bin/env python3
 import os
 import sys
 
@@ -7,7 +6,7 @@ EMPTY_CHANGELOG = 'No changes.\n\n'
 # Prepare the changelog for the new release
 # This function will extract the part of the changelog that
 # we want to include in the new release.
-def extract_changelog_snippet(changelog_file):
+def extract_changelog_snippet(changelog_file, version_tag):
   output = ''
   if (not os.path.exists(changelog_file)):
     output = EMPTY_CHANGELOG
@@ -16,20 +15,23 @@ def extract_changelog_snippet(changelog_file):
     with open(changelog_file, 'r') as f:
       lines = f.readlines()
 
-      # Include only the contents of the first section
+      # Include everything up to, but excluding the second heading
       found_first_section = False
-      for line in lines:
+      for i, line in enumerate(lines):
         if line.startswith('## '):
           if found_first_section:
             break
           found_first_section = True
-        elif found_first_section:
-          output += line
+        output += line
 
-  return output.strip()
+  output += f"See the full [CHANGELOG.md](https://github.com/github/codeql-action/blob/{version_tag}/CHANGELOG.md) for more information."
+
+  return output
 
 
-if len(sys.argv) < 2:
-  raise Exception('Expecting argument: changelog_file')
+if len(sys.argv) < 3:
+  raise Exception('Expecting argument: changelog_file version_tag')
 changelog_file = sys.argv[1]
-print(extract_changelog_snippet(changelog_file))
+version_tag = sys.argv[2]
+
+print(extract_changelog_snippet(changelog_file, version_tag))

.github/workflows/script/update-required-checks.sh

@@ -29,7 +29,7 @@ fi
 echo "Getting checks for $GITHUB_SHA"
 
 # Ignore any checks with "https://", CodeQL, LGTM, Update, and ESLint checks.
-CHECKS="$(gh api repos/github/codeql-action/commits/"${GITHUB_SHA}"/check-runs --paginate | jq --slurp --compact-output --raw-output '[.[].check_runs.[] | select(.conclusion != "skipped") | .name | select(contains("https://") or . == "CodeQL" or . == "Dependabot" or . == "check-expected-release-files" or contains("Update") or contains("ESLint") or contains("update") or contains("test-setup-python-scripts") or . == "Agent" or . == "Cleanup artifacts" or . == "Prepare" or . == "Upload results" or . == "Label PR with size" | not)] | unique | sort')"
+CHECKS="$(gh api repos/github/codeql-action/commits/"${GITHUB_SHA}"/check-runs --paginate | jq --slurp --compact-output --raw-output '[.[].check_runs.[] | select(.conclusion != "skipped") | .name | select(contains("https://") or . == "CodeQL" or . == "Dependabot" or . == "check-expected-release-files" or contains("Update") or contains("ESLint") or contains("update") or contains("test-setup-python-scripts") or . == "Agent" or . == "Cleanup artifacts" or . == "Prepare" or . == "Upload results" | not)] | unique | sort')"
 
 echo "$CHECKS" | jq
 

.github/workflows/script/verify-pr-checks.sh

@@ -19,7 +19,7 @@ if [ ! -z "$(git status --porcelain)" ]; then
     # If we get a fail here then the PR needs attention
     git diff
     git status
-    >&2 echo "Failed: PR checks are not up to date. Run 'cd pr-checks && ./sync.sh' to update"
+    >&2 echo "Failed: PR checks are not up to date. Run 'cd pr-checks && python3 sync.py' to update"
 
     echo "### Generated workflows diff" >> $GITHUB_STEP_SUMMARY
     echo "" >> $GITHUB_STEP_SUMMARY

.github/workflows/test-codeql-bundle-all.yml

@@ -13,11 +13,9 @@ on:
     - synchronize
     - reopened
     - ready_for_review
-  merge_group:
-    types: [checks_requested]
   schedule:
     - cron: '0 5 * * *'
-  workflow_dispatch:
+  workflow_dispatch: {}
 defaults:
   run:
     shell: bash

.github/workflows/update-bundle.yml

@@ -57,24 +57,6 @@ jobs:
       - name: Update bundle
         uses: ./.github/actions/update-bundle
 
-      - name: Bump Action minor version if new CodeQL minor version series
-        id: bump-action-version
-        run: |
-          prior_cli_version=$(jq -r '.priorCliVersion' src/defaults.json)
-          cli_version=$(jq -r '.cliVersion' src/defaults.json)
-
-          prior_minor=$(echo "$prior_cli_version" | cut -d. -f2)
-          current_minor=$(echo "$cli_version" | cut -d. -f2)
-
-          if [[ "$current_minor" != "$prior_minor" ]]; then
-            echo "New CodeQL minor version series ($prior_cli_version -> $cli_version), bumping Action minor version"
-            npm version minor --no-git-tag-version
-            echo "bumped=true" >> "$GITHUB_OUTPUT"
-          else
-            echo "Same minor version series ($prior_cli_version -> $cli_version), skipping Action version bump"
-            echo "bumped=false" >> "$GITHUB_OUTPUT"
-          fi
-
       - name: Rebuild Action
         run: npm run build
 
@@ -89,19 +71,11 @@ jobs:
       - name: Open pull request
         env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          ACTION_VERSION_BUMPED: ${{ steps.bump-action-version.outputs.bumped }}
         run: |
           cli_version=$(jq -r '.cliVersion' src/defaults.json)
-          action_version=$(jq -r '.version' package.json)
-
-          pr_body="This pull request updates the default CodeQL bundle, as used with \`tools: linked\` and on GHES, to $cli_version."
-          if [[ "$ACTION_VERSION_BUMPED" == "true" ]]; then
-            pr_body+=$'\n\n'"Since this is a new CodeQL minor version series, this PR also bumps the Action version to $action_version."
-          fi
-
           pr_url=$(gh pr create \
             --title "Update default bundle to $cli_version" \
-            --body "$pr_body" \
+            --body "This pull request updates the default CodeQL bundle, as used with \`tools: linked\` and on GHES, to $cli_version." \
             --assignee "$GITHUB_ACTOR" \
             --draft \
           )

CHANGELOG.md

@@ -2,110 +2,60 @@
 
 See the [releases page](https://github.com/github/codeql-action/releases) for the relevant changes to the CodeQL CLI and language packs.
 
-## [UNRELEASED]
+## 3.31.9 - 16 Dec 2025
 
 No user facing changes.
 
-## 4.32.5 - 02 Mar 2026
-
-- Repositories owned by an organization can now set up the `github-codeql-disable-overlay` custom repository property to disable [improved incremental analysis for CodeQL](https://github.com/github/roadmap/issues/1158). First, create a custom repository property with the name `github-codeql-disable-overlay` and the type "True/false" in the organization's settings. Then in the repository's settings, set this property to `true` to disable improved incremental analysis. For more information, see [Managing custom properties for repositories in your organization](https://docs.github.com/en/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization). This feature is not yet available on GitHub Enterprise Server. [#3507](https://github.com/github/codeql-action/pull/3507)
-- Added an experimental change so that when [improved incremental analysis](https://github.com/github/roadmap/issues/1158) fails on a runner — potentially due to insufficient disk space — the failure is recorded in the Actions cache so that subsequent runs will automatically skip improved incremental analysis until something changes (e.g. a larger runner is provisioned or a new CodeQL version is released). We expect to roll this change out to everyone in March. [#3487](https://github.com/github/codeql-action/pull/3487)
-- The minimum memory check for improved incremental analysis is now skipped for CodeQL 2.24.3 and later, which has reduced peak RAM usage. [#3515](https://github.com/github/codeql-action/pull/3515)
-- Reduced log levels for best-effort private package registry connection check failures to reduce noise from workflow annotations. [#3516](https://github.com/github/codeql-action/pull/3516)
-- Added an experimental change which lowers the minimum disk space requirement for [improved incremental analysis](https://github.com/github/roadmap/issues/1158), enabling it to run on standard GitHub Actions runners. We expect to roll this change out to everyone in March. [#3498](https://github.com/github/codeql-action/pull/3498)
-- Added an experimental change which allows the `start-proxy` action to resolve the CodeQL CLI version from feature flags instead of using the linked CLI bundle version. We expect to roll this change out to everyone in March. [#3512](https://github.com/github/codeql-action/pull/3512)
-- The previously experimental changes from versions 4.32.3, 4.32.4, 3.32.3 and 3.32.4 are now enabled by default. [#3503](https://github.com/github/codeql-action/pull/3503), [#3504](https://github.com/github/codeql-action/pull/3504)
-
-## 4.32.4 - 20 Feb 2026
-
-- Update default CodeQL bundle version to [2.24.2](https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.24.2). [#3493](https://github.com/github/codeql-action/pull/3493)
-- Added an experimental change which improves how certificates are generated for the authentication proxy that is used by the CodeQL Action in Default Setup when [private package registries are configured](https://docs.github.com/en/code-security/how-tos/secure-at-scale/configure-organization-security/manage-usage-and-access/giving-org-access-private-registries). This is expected to generate more widely compatible certificates and should have no impact on analyses which are working correctly already. We expect to roll this change out to everyone in February. [#3473](https://github.com/github/codeql-action/pull/3473)
-- When the CodeQL Action is run [with debugging enabled in Default Setup](https://docs.github.com/en/code-security/how-tos/scan-code-for-vulnerabilities/troubleshooting/troubleshooting-analysis-errors/logs-not-detailed-enough#creating-codeql-debugging-artifacts-for-codeql-default-setup) and [private package registries are configured](https://docs.github.com/en/code-security/how-tos/secure-at-scale/configure-organization-security/manage-usage-and-access/giving-org-access-private-registries), the "Setup proxy for registries" step will output additional diagnostic information that can be used for troubleshooting. [#3486](https://github.com/github/codeql-action/pull/3486)
-- Added a setting which allows the CodeQL Action to enable network debugging for Java programs. This will help GitHub staff support customers with troubleshooting issues in GitHub-managed CodeQL workflows, such as Default Setup. This setting can only be enabled by GitHub staff. [#3485](https://github.com/github/codeql-action/pull/3485)
-- Added a setting which enables GitHub-managed workflows, such as Default Setup, to use a [nightly CodeQL CLI release](https://github.com/dsp-testing/codeql-cli-nightlies) instead of the latest, stable release that is used by default. This will help GitHub staff support customers whose analyses for a given repository or organization require early access to a change in an upcoming CodeQL CLI release. This setting can only be enabled by GitHub staff. [#3484](https://github.com/github/codeql-action/pull/3484)
-
-## 4.32.3 - 13 Feb 2026
-
-- Added experimental support for testing connections to [private package registries](https://docs.github.com/en/code-security/how-tos/secure-at-scale/configure-organization-security/manage-usage-and-access/giving-org-access-private-registries). This feature is not currently enabled for any analysis. In the future, it may be enabled by default for Default Setup. [#3466](https://github.com/github/codeql-action/pull/3466)
-
-## 4.32.2 - 05 Feb 2026
-
-- Update default CodeQL bundle version to [2.24.1](https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.24.1). [#3460](https://github.com/github/codeql-action/pull/3460)
-
-## 4.32.1 - 02 Feb 2026
-
-- A warning is now shown in Default Setup workflow logs if a [private package registry is configured](https://docs.github.com/en/code-security/how-tos/secure-at-scale/configure-organization-security/manage-usage-and-access/giving-org-access-private-registries) using a GitHub Personal Access Token (PAT), but no username is configured. [#3422](https://github.com/github/codeql-action/pull/3422)
-- Fixed a bug which caused the CodeQL Action to fail when repository properties cannot successfully be retrieved. [#3421](https://github.com/github/codeql-action/pull/3421)
-
-## 4.32.0 - 26 Jan 2026
-
-- Update default CodeQL bundle version to [2.24.0](https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.24.0). [#3425](https://github.com/github/codeql-action/pull/3425)
-
-## 4.31.11 - 23 Jan 2026
-
-- When running a Default Setup workflow with [Actions debugging enabled](https://docs.github.com/en/actions/how-tos/monitor-workflows/enable-debug-logging), the CodeQL Action will now use more unique names when uploading logs from the Dependabot authentication proxy as workflow artifacts. This ensures that the artifact names do not clash between multiple jobs in a build matrix. [#3409](https://github.com/github/codeql-action/pull/3409)
-- Improved error handling throughout the CodeQL Action. [#3415](https://github.com/github/codeql-action/pull/3415)
-- Added experimental support for automatically excluding [generated files](https://docs.github.com/en/repositories/working-with-files/managing-files/customizing-how-changed-files-appear-on-github) from the analysis. This feature is not currently enabled for any analysis. In the future, it may be enabled by default for some GitHub-managed analyses. [#3318](https://github.com/github/codeql-action/pull/3318)
-- The changelog extracts that are included with releases of the CodeQL Action are now shorter to avoid duplicated information from appearing in Dependabot PRs. [#3403](https://github.com/github/codeql-action/pull/3403)
-
-## 4.31.10 - 12 Jan 2026
-
-- Update default CodeQL bundle version to 2.23.9. [#3393](https://github.com/github/codeql-action/pull/3393)
-
-## 4.31.9 - 16 Dec 2025
-
-No user facing changes.
-
-## 4.31.8 - 11 Dec 2025
+## 3.31.8 - 11 Dec 2025
 
 - Update default CodeQL bundle version to 2.23.8. [#3354](https://github.com/github/codeql-action/pull/3354)
 
-## 4.31.7 - 05 Dec 2025
+## 3.31.7 - 05 Dec 2025
 
 - Update default CodeQL bundle version to 2.23.7. [#3343](https://github.com/github/codeql-action/pull/3343)
 
-## 4.31.6 - 01 Dec 2025
+## 3.31.6 - 01 Dec 2025
 
 No user facing changes.
 
-## 4.31.5 - 24 Nov 2025
+## 3.31.5 - 24 Nov 2025
 
 - Update default CodeQL bundle version to 2.23.6. [#3321](https://github.com/github/codeql-action/pull/3321)
 
-## 4.31.4 - 18 Nov 2025
+## 3.31.4 - 18 Nov 2025
 
 No user facing changes.
 
-## 4.31.3 - 13 Nov 2025
+## 3.31.3 - 13 Nov 2025
 
 - CodeQL Action v3 will be deprecated in December 2026.  The Action now logs a warning for customers who are running v3 but could be running v4. For more information, see [Upcoming deprecation of CodeQL Action v3](https://github.blog/changelog/2025-10-28-upcoming-deprecation-of-codeql-action-v3/).
 - Update default CodeQL bundle version to 2.23.5. [#3288](https://github.com/github/codeql-action/pull/3288)
 
-## 4.31.2 - 30 Oct 2025
+## 3.31.2 - 30 Oct 2025
 
 No user facing changes.
 
-## 4.31.1 - 30 Oct 2025
+## 3.31.1 - 30 Oct 2025
 
 - The `add-snippets` input has been removed from the `analyze` action. This input has been deprecated since CodeQL Action 3.26.4 in August 2024 when this removal was announced.
 
-## 4.31.0 - 24 Oct 2025
+## 3.31.0 - 24 Oct 2025
 
 - Bump minimum CodeQL bundle version to 2.17.6. [#3223](https://github.com/github/codeql-action/pull/3223)
 - When SARIF files are uploaded by the `analyze` or `upload-sarif` actions, the CodeQL Action automatically performs post-processing steps to prepare the data for the upload. Previously, these post-processing steps were only performed before an upload took place. We are now changing this so that the post-processing steps will always be performed, even when the SARIF files are not uploaded. This does not change anything for the `upload-sarif` action. For `analyze`, this may affect Advanced Setup for CodeQL users who specify a value other than `always` for the `upload` input. [#3222](https://github.com/github/codeql-action/pull/3222)
 
-## 4.30.9 - 17 Oct 2025
+## 3.30.9 - 17 Oct 2025
 
 - Update default CodeQL bundle version to 2.23.3. [#3205](https://github.com/github/codeql-action/pull/3205)
 - Experimental: A new `setup-codeql` action has been added which is similar to `init`, except it only installs the CodeQL CLI and does not initialize a database. Do not use this in production as it is part of an internal experiment and subject to change at any time. [#3204](https://github.com/github/codeql-action/pull/3204)
 
-## 4.30.8 - 10 Oct 2025
+## 3.30.8 - 10 Oct 2025
 
 No user facing changes.
 
-## 4.30.7 - 06 Oct 2025
+## 3.30.7 - 06 Oct 2025
 
-- [v4+ only] The CodeQL Action now runs on Node.js v24. [#3169](https://github.com/github/codeql-action/pull/3169)
+No user facing changes.
 
 ## 3.30.6 - 02 Oct 2025
 
@@ -341,17 +291,13 @@ No user facing changes.
 ## 3.26.12 - 07 Oct 2024
 
 - _Upcoming breaking change_: Add a deprecation warning for customers using CodeQL version 2.14.5 and earlier. These versions of CodeQL were discontinued on 24 September 2024 alongside GitHub Enterprise Server 3.10, and will be unsupported by CodeQL Action versions 3.27.0 and later and versions 2.27.0 and later. [#2520](https://github.com/github/codeql-action/pull/2520)
-
   - If you are using one of these versions, please update to CodeQL CLI version 2.14.6 or later. For instance, if you have specified a custom version of the CLI using the 'tools' input to the 'init' Action, you can remove this input to use the default version.
-
   - Alternatively, if you want to continue using a version of the CodeQL CLI between 2.13.5 and 2.14.5, you can replace `github/codeql-action/*@v3` by `github/codeql-action/*@v3.26.11` and `github/codeql-action/*@v2` by `github/codeql-action/*@v2.26.11` in your code scanning workflow to ensure you continue using this version of the CodeQL Action.
 
 ## 3.26.11 - 03 Oct 2024
 
 - _Upcoming breaking change_: Add support for using `actions/download-artifact@v4` to programmatically consume CodeQL Action debug artifacts.
-
   Starting November 30, 2024, GitHub.com customers will [no longer be able to use `actions/download-artifact@v3`](https://github.blog/changelog/2024-04-16-deprecation-notice-v3-of-the-artifact-actions/). Therefore, to avoid breakage, customers who programmatically download the CodeQL Action debug artifacts should set the `CODEQL_ACTION_ARTIFACT_V4_UPGRADE` environment variable to `true` and bump `actions/download-artifact@v3` to `actions/download-artifact@v4` in their workflows. The CodeQL Action will enable this behavior by default in early November and workflows that have not yet bumped `actions/download-artifact@v3` to `actions/download-artifact@v4` will begin failing then.
-
   This change is currently unavailable for GitHub Enterprise Server customers, as `actions/upload-artifact@v4` and `actions/download-artifact@v4` are not yet compatible with GHES.
 - Update default CodeQL bundle version to 2.19.1. [#2519](https://github.com/github/codeql-action/pull/2519)
 
@@ -474,12 +420,9 @@ No user facing changes.
 ## 3.25.0 - 15 Apr 2024
 
 - The deprecated feature for extracting dependencies for a Python analysis has been removed. [#2224](https://github.com/github/codeql-action/pull/2224)
-
   As a result, the following inputs and environment variables are now ignored:
-
   - The `setup-python-dependencies` input to the `init` Action
   - The `CODEQL_ACTION_DISABLE_PYTHON_DEPENDENCY_INSTALLATION` environment variable
-
   We recommend removing any references to these from your workflows. For more information, see the release notes for CodeQL Action v3.23.0 and v2.23.0.
 - Automatically overwrite an existing database if found on the filesystem. [#2229](https://github.com/github/codeql-action/pull/2229)
 - Bump the minimum CodeQL bundle version to 2.12.6. [#2232](https://github.com/github/codeql-action/pull/2232)

CONTRIBUTING.md

@@ -92,7 +92,7 @@ We typically deprecate a version of CodeQL when the GitHub Enterprise Server (GH
 1. Remove support for the old version of CodeQL.
     - Bump `CODEQL_MINIMUM_VERSION` in `src/codeql.ts` to the new minimum version of CodeQL.
     - Remove any code that is only needed to support the old version of CodeQL. This is often behind a version guard, so look for instances of version numbers between the old minimum version and the new minimum version in the codebase. A good place to start is the list of version numbers in `src/codeql.ts`.
-    - Update the default set of CodeQL test versions in `pr-checks/sync.ts`.
+    - Update the default set of CodeQL test versions in `pr-checks/sync.py`.
         - Remove the old minimum version of CodeQL.
         - Add the latest patch release for any new CodeQL minor version series that have shipped in GHES.
         - Run the script to update the generated PR checks.

README.md

@@ -72,22 +72,14 @@ We typically release new minor versions of the CodeQL Action and Bundle when a n
 
 | Minimum CodeQL Action | Minimum CodeQL Bundle Version | GitHub Environment | Notes |
 |-----------------------|-------------------------------|--------------------|-------|
-| `v4.31.10` | `2.23.9` | Enterprise Server 3.20 | |
-| `v3.29.11` | `2.22.4` | Enterprise Server 3.19 | |
-| `v3.28.21` | `2.21.3` | Enterprise Server 3.18 | |
-| `v3.28.12` | `2.20.7` | Enterprise Server 3.17 | |
-| `v3.28.6` | `2.20.3` | Enterprise Server 3.16 | |
-| `v3.28.6` | `2.20.3` | Enterprise Server 3.15 | |
+| `v3.28.21`  | `2.21.3` | Enterprise Server 3.18 | |
+| `v3.28.12`  | `2.20.7` | Enterprise Server 3.17 | |
+| `v3.28.6`  | `2.20.3` | Enterprise Server 3.16 | |
+| `v3.28.6`  | `2.20.3` | Enterprise Server 3.15 | |
 | `v3.28.6` | `2.20.3` | Enterprise Server 3.14 | |
 
 See the full list of GHES release and deprecation dates at [GitHub Enterprise Server releases](https://docs.github.com/en/enterprise-server/admin/all-releases#releases-of-github-enterprise-server).
 
-## Keeping the CodeQL Action up to date in advanced setups
-
-If you are using an [advanced setup](https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/configuring-advanced-setup-for-code-scanning), we recommend referencing the CodeQL Action using a major version tag (e.g. `v4`) in your workflow file. This ensures your workflow automatically picks up the latest release within that major version, including bug fixes, new features, and updated CodeQL CLI versions.
-
-If you pin to a specific commit SHA or patch version tag, ensure you keep it updated (e.g. via [Dependabot](https://docs.github.com/en/code-security/dependabot/working-with-dependabot/keeping-your-actions-up-to-date-with-dependabot)). Some CodeQL Action features are enabled by server-side flags that may be removed over time, which can cause old versions to lose functionality.
-
 ## Troubleshooting
 
 Read about [troubleshooting code scanning](https://docs.github.com/en/code-security/code-scanning/troubleshooting-code-scanning).

analyze/action.yml

@@ -94,6 +94,6 @@ outputs:
   sarif-id:
     description: The ID of the uploaded SARIF file.
 runs:
-  using: node24
+  using: node20
   main: "../lib/analyze-action.js"
   post: "../lib/analyze-action-post.js"

autobuild/action.yml

@@ -15,5 +15,5 @@ inputs:
       $GITHUB_WORKSPACE as its working directory.
     required: false
 runs:
-  using: node24
+  using: node20
   main: '../lib/autobuild-action.js'

eslint.config.mjs

@@ -1,14 +1,27 @@
-import { fixupPluginRules } from "@eslint/compat";
+// Automatically generated by running npx @eslint/migrate-config .eslintrc.json
+
+import path from "node:path";
+import { fileURLToPath } from "node:url";
+
+import { fixupConfigRules, fixupPluginRules } from "@eslint/compat";
+import { FlatCompat } from "@eslint/eslintrc";
 import js from "@eslint/js";
+import typescriptEslint from "@typescript-eslint/eslint-plugin";
+import tsParser from "@typescript-eslint/parser";
+import filenames from "eslint-plugin-filenames";
 import github from "eslint-plugin-github";
-import { importX, createNodeResolver } from "eslint-plugin-import-x";
-import { createTypeScriptImportResolver } from "eslint-import-resolver-typescript";
+import _import from "eslint-plugin-import";
 import noAsyncForeach from "eslint-plugin-no-async-foreach";
 import jsdoc from "eslint-plugin-jsdoc";
-import tseslint from "typescript-eslint";
 import globals from "globals";
 
-const githubFlatConfigs = github.getFlatConfigs();
+const __filename = fileURLToPath(import.meta.url);
+const __dirname = path.dirname(__filename);
+const compat = new FlatCompat({
+  baseDirectory: __dirname,
+  recommendedConfig: js.configs.recommended,
+  allConfig: js.configs.all,
+});
 
 export default [
   {
@@ -21,32 +34,31 @@ export default [
       "build.mjs",
       "eslint.config.mjs",
       ".github/**/*",
-      "pr-checks/**/*",
     ],
   },
-  // eslint recommended config
-  js.configs.recommended,
-  // Type-checked rules from typescript-eslint
-  ...tseslint.configs.recommendedTypeChecked,
-  ...tseslint.configs.strict,
-  // eslint-plugin-github recommended config
-  githubFlatConfigs.recommended,
-  // eslint-plugin-github typescript config
-  ...githubFlatConfigs.typescript,
-  // import-x TypeScript settings
-  // This is needed for import-x rules to properly parse TypeScript files.
-  {
-    settings: importX.flatConfigs.typescript.settings,
-  },
+  ...fixupConfigRules(
+    compat.extends(
+      "eslint:recommended",
+      "plugin:@typescript-eslint/recommended",
+      "plugin:@typescript-eslint/recommended-requiring-type-checking",
+      "plugin:github/recommended",
+      "plugin:github/typescript",
+      "plugin:import/typescript",
+    ),
+  ),
   {
     plugins: {
-      "import-x": importX,
-      "no-async-foreach": fixupPluginRules(noAsyncForeach),
+      "@typescript-eslint": fixupPluginRules(typescriptEslint),
+      filenames: fixupPluginRules(filenames),
+      github: fixupPluginRules(github),
+      import: fixupPluginRules(_import),
+      "no-async-foreach": noAsyncForeach,
       "jsdoc": jsdoc,
     },
 
     languageOptions: {
-      ecmaVersion: "latest",
+      parser: tsParser,
+      ecmaVersion: 5,
       sourceType: "module",
 
       globals: {
@@ -67,16 +79,10 @@ export default [
         typescript: {},
       },
       "import/ignore": ["sinon", "uuid", "@octokit/plugin-retry", "del", "get-folder-size"],
-      "import-x/resolver-next": [
-        createTypeScriptImportResolver(),
-        createNodeResolver({
-          extensions: [".ts", ".js", ".json"],
-        }),
-      ],
     },
 
     rules: {
-      "github/filenames-match-regex": ["error", "^[a-z0-9-]+(\\.test)?$"],
+      "filenames/match-regex": ["error", "^[a-z0-9-]+(\\.test)?$"],
       "i18n-text/no-en": "off",
 
       "import/extensions": [
@@ -88,10 +94,7 @@ export default [
 
       "import/no-amd": "error",
       "import/no-commonjs": "error",
-      // import/no-cycle does not seem to work with ESLint 9.
-      // Use import-x/no-cycle from eslint-plugin-import-x instead.
-      "import/no-cycle": "off",
-      "import-x/no-cycle": "error",
+      "import/no-cycle": "error",
       "import/no-dynamic-require": "error",
 
       "import/no-extraneous-dependencies": [
@@ -129,8 +132,6 @@ export default [
       "no-async-foreach/no-async-foreach": "error",
       "no-sequences": "error",
       "no-shadow": "off",
-      // This is overly restrictive with unsetting `EnvVar`s
-      "@typescript-eslint/no-dynamic-delete": "off",
       "@typescript-eslint/no-shadow": "error",
       "@typescript-eslint/prefer-optional-chain": "error",
       "one-var": ["error", "never"],

init/action.yml

@@ -159,17 +159,12 @@ inputs:
     description: >-
       Explicitly enable or disable caching of project build dependencies.
     required: false
-  check-run-id:
-    description: >-
-      [Internal] The ID of the check run, as provided by the Actions runtime environment. Do not set this value manually.
-    default: ${{ job.check_run_id }}
-    required: false
 outputs:
   codeql-path:
     description: The path of the CodeQL binary used for analysis
   codeql-version:
     description: The version of the CodeQL binary used for analysis
 runs:
-  using: node24
+  using: node20
   main: '../lib/init-action.js'
   post: '../lib/init-action-post.js'

lib/defaults.json

@@ -1,6 +1,6 @@
 {
-  "bundleVersion": "codeql-bundle-v2.24.2",
-  "cliVersion": "2.24.2",
-  "priorBundleVersion": "codeql-bundle-v2.24.1",
-  "priorCliVersion": "2.24.1"
+  "bundleVersion": "codeql-bundle-v2.23.8",
+  "cliVersion": "2.23.8",
+  "priorBundleVersion": "codeql-bundle-v2.23.7",
+  "priorCliVersion": "2.23.7"
 }