Dependabot: Group major updates

Make it easier to process `@actions/*` Node version updates for instance.
2026-05-12 08:40:13 +00:00 · 2025-12-16 13:45:05 +00:00
131 changed files with 499471 additions and 555723 deletions
@@ -1,6 +0,0 @@
-name: Verify that the best-effort debug artifact scan completed
-description: Verifies that the best-effort debug artifact scan completed successfully during tests
-runs:
-  using: node24
-  main: index.js
-  post: post.js
@@ -1,2 +0,0 @@
-// The main step is a no-op, since we can only verify artifact scan completion in the post step.
-console.log("Will verify artifact scan completion in the post step.");
@@ -1,11 +0,0 @@
-// Post step - runs after the workflow completes, when artifact scan has finished
-const process = require("process");
-
-const scanFinished = process.env.CODEQL_ACTION_ARTIFACT_SCAN_FINISHED;
-
-if (scanFinished !== "true") {
-  console.error("Error: Best-effort artifact scan did not complete. Expected CODEQL_ACTION_ARTIFACT_SCAN_FINISHED=true");
-  process.exit(1);
-}
-
-console.log("✓ Best-effort artifact scan completed successfully");
@@ -8,11 +8,19 @@ updates:
      - Rebuild
    # Ignore incompatible dependency updates
    ignore:
-      # This is broken due to the way configuration files have changed.
+      # There is a type incompatibility issue between v0.0.9 and our other dependencies.
+      - dependency-name: "@octokit/plugin-retry"
+        versions: ["~6.0.0"]
+      # This is broken due to the way configuration files have changed. 
      # This might be fixed when we move to eslint v9.
      - dependency-name: "eslint-plugin-import"
        versions: [">=2.30.0"]
    groups:
+      npm-major:
+        patterns:
+          - "*"
+        update-types:
+          - "major"
      npm-minor:
        patterns:
          - "*"
@@ -28,6 +36,11 @@ updates:
    labels:
      - Rebuild
    groups:
+      actions-major:
+        patterns:
+          - "*"
+        update-types:
+          - "major"
      actions-minor:
        patterns:
          - "*"
@@ -48,9 +48,8 @@ defaults:
  run:
    shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group:
-    all-platform-bundle-${{github.ref}}-${{inputs.go-version}}-${{inputs.dotnet-version}}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
  all-platform-bundle:
    strategy:
@@ -58,9 +58,8 @@ defaults:
  run:
    shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group:
-    analyze-ref-input-${{github.ref}}-${{inputs.go-version}}-${{inputs.python-version}}-${{inputs.dotnet-version}}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
  analyze-ref-input:
    strategy:
@@ -38,8 +38,8 @@ defaults:
  run:
    shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: autobuild-action-${{github.ref}}-${{inputs.dotnet-version}}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
  autobuild-action:
    strategy:
@@ -38,9 +38,8 @@ defaults:
  run:
    shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group:
-    autobuild-direct-tracing-with-working-dir-${{github.ref}}-${{inputs.java-version}}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
  autobuild-direct-tracing-with-working-dir:
    strategy:
@@ -28,8 +28,8 @@ defaults:
  run:
    shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: autobuild-working-dir-${{github.ref}}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
  autobuild-working-dir:
    strategy:
@@ -38,8 +38,8 @@ defaults:
  run:
    shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: build-mode-autobuild-${{github.ref}}-${{inputs.java-version}}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
  build-mode-autobuild:
    strategy:
@@ -76,14 +76,6 @@ jobs:
        with:
          java-version: ${{ inputs.java-version || '17' }}
          distribution: temurin
-      - name: Install yq
-        if: runner.os == 'Windows'
-        env:
-          YQ_PATH: ${{ runner.temp }}/yq
-          YQ_VERSION: v4.50.1
-        run: |-
-          gh release download --repo mikefarah/yq --pattern "yq_windows_amd64.exe" "$YQ_VERSION" -O "$YQ_PATH/yq.exe"
-          echo "$YQ_PATH" >> "$GITHUB_PATH"
      - name: Set up Java test repo configuration
        run: |
          mv * .github ../action/tests/multi-language-repo/
@@ -98,6 +90,11 @@ jobs:
          languages: java
          tools: ${{ steps.prepare-test.outputs.tools-url }}

+      - name: Install yq
+        if: runner.os == 'Windows'
+        run: |
+          choco install yq -y
+
      - name: Validate database build mode
        run: |
          metadata_path="$RUNNER_TEMP/customDbLocation/java/codeql-database.yml"
@@ -48,9 +48,8 @@ defaults:
  run:
    shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group:
-    build-mode-manual-${{github.ref}}-${{inputs.go-version}}-${{inputs.dotnet-version}}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
  build-mode-manual:
    strategy:
@@ -28,8 +28,8 @@ defaults:
  run:
    shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: build-mode-none-${{github.ref}}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
  build-mode-none:
    strategy:
@@ -28,8 +28,8 @@ defaults:
  run:
    shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: build-mode-rollback-${{github.ref}}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
  build-mode-rollback:
    strategy:
@@ -28,8 +28,8 @@ defaults:
  run:
    shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: bundle-from-toolcache-${{github.ref}}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
  bundle-from-toolcache:
    strategy:
@@ -28,8 +28,8 @@ defaults:
  run:
    shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: bundle-toolcache-${{github.ref}}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
  bundle-toolcache:
    strategy:
@@ -28,8 +28,8 @@ defaults:
  run:
    shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: bundle-zstd-${{github.ref}}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
  bundle-zstd:
    strategy:
@@ -1,87 +0,0 @@
-# Warning: This file is generated automatically, and should not be modified.
-# Instead, please modify the template in the pr-checks directory and run:
-#     pr-checks/sync.sh
-# to regenerate this file.
-
-name: PR Check - CCR
-env:
-  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-  GO111MODULE: auto
-on:
-  push:
-    branches:
-      - main
-      - releases/v*
-  pull_request:
-    types:
-      - opened
-      - synchronize
-      - reopened
-      - ready_for_review
-  schedule:
-    - cron: '0 5 * * *'
-  workflow_dispatch:
-    inputs: {}
-  workflow_call:
-    inputs: {}
-defaults:
-  run:
-    shell: bash
-concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: ccr-${{github.ref}}
-jobs:
-  ccr:
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - os: ubuntu-latest
-            version: stable-v2.17.6
-          - os: ubuntu-latest
-            version: stable-v2.18.4
-          - os: ubuntu-latest
-            version: stable-v2.19.4
-          - os: ubuntu-latest
-            version: stable-v2.20.7
-          - os: ubuntu-latest
-            version: stable-v2.21.4
-          - os: ubuntu-latest
-            version: stable-v2.22.4
-          - os: ubuntu-latest
-            version: default
-          - os: ubuntu-latest
-            version: linked
-          - os: ubuntu-latest
-            version: nightly-latest
-    name: CCR
-    if: github.triggering_actor != 'dependabot[bot]'
-    permissions:
-      contents: read
-      security-events: read
-    timeout-minutes: 45
-    runs-on: ${{ matrix.os }}
-    steps:
-      - name: Check out repository
-        uses: actions/checkout@v6
-      - name: Prepare test
-        id: prepare-test
-        uses: ./.github/actions/prepare-test
-        with:
-          version: ${{ matrix.version }}
-          use-all-platform-bundle: 'false'
-          setup-kotlin: 'true'
-      - uses: ./../action/init
-        id: init
-        with:
-          languages: javascript
-          tools: ${{ steps.prepare-test.outputs.tools-url }}
-
-      - uses: ./../action/analyze
-        id: analysis
-        with:
-          upload-database: false
-
-    env:
-      CODEQL_ACTION_ANALYSIS_KEY: dynamic/copilot-pull-request-reviewer/codeql-action-test
-      CODEQL_ACTION_TEST_MODE: true
@@ -28,8 +28,8 @@ defaults:
  run:
    shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: cleanup-db-cluster-dir-${{github.ref}}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
  cleanup-db-cluster-dir:
    strategy:
@@ -28,8 +28,8 @@ defaults:
  run:
    shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: config-export-${{github.ref}}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
  config-export:
    strategy:
@@ -28,8 +28,8 @@ defaults:
  run:
    shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: config-input-${{github.ref}}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
  config-input:
    strategy:
@@ -28,8 +28,8 @@ defaults:
  run:
    shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: cpp-deptrace-disabled-${{github.ref}}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
  cpp-deptrace-disabled:
    strategy:
@@ -28,8 +28,8 @@ defaults:
  run:
    shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: cpp-deptrace-enabled-on-macos-${{github.ref}}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
  cpp-deptrace-enabled-on-macos:
    strategy:
@@ -28,8 +28,8 @@ defaults:
  run:
    shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: cpp-deptrace-enabled-${{github.ref}}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
  cpp-deptrace-enabled:
    strategy:
@@ -28,8 +28,8 @@ defaults:
  run:
    shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: diagnostics-export-${{github.ref}}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
  diagnostics-export:
    strategy:
@@ -48,9 +48,8 @@ defaults:
  run:
    shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group:
-    export-file-baseline-information-${{github.ref}}-${{inputs.go-version}}-${{inputs.dotnet-version}}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
  export-file-baseline-information:
    strategy:
@@ -28,8 +28,8 @@ defaults:
  run:
    shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: extractor-ram-threads-${{github.ref}}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
  extractor-ram-threads:
    strategy:
@@ -28,8 +28,8 @@ defaults:
  run:
    shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: global-proxy-${{github.ref}}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
  global-proxy:
    strategy:
@@ -76,7 +76,6 @@ jobs:
      - uses: ./../action/analyze
    env:
      https_proxy: http://squid-proxy:3128
-      CODEQL_ACTION_TOLERATE_MISSING_GIT_VERSION: true
      CODEQL_ACTION_TEST_MODE: true
    container:
      image: ubuntu:22.04
@@ -48,9 +48,8 @@ defaults:
  run:
    shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group:
-    go-custom-queries-${{github.ref}}-${{inputs.go-version}}-${{inputs.dotnet-version}}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
  go-custom-queries:
    strategy:
@@ -38,8 +38,8 @@ defaults:
  run:
    shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: go-indirect-tracing-workaround-diagnostic-${{github.ref}}-${{inputs.go-version}}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
  go-indirect-tracing-workaround-diagnostic:
    strategy:
@@ -38,9 +38,8 @@ defaults:
  run:
    shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group:
-    go-indirect-tracing-workaround-no-file-program-${{github.ref}}-${{inputs.go-version}}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
  go-indirect-tracing-workaround-no-file-program:
    strategy:
@@ -38,8 +38,8 @@ defaults:
  run:
    shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: go-indirect-tracing-workaround-${{github.ref}}-${{inputs.go-version}}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
  go-indirect-tracing-workaround:
    strategy:
@@ -38,8 +38,8 @@ defaults:
  run:
    shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: go-tracing-autobuilder-${{github.ref}}-${{inputs.go-version}}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
  go-tracing-autobuilder:
    strategy:
@@ -38,8 +38,8 @@ defaults:
  run:
    shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: go-tracing-custom-build-steps-${{github.ref}}-${{inputs.go-version}}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
  go-tracing-custom-build-steps:
    strategy:
@@ -38,8 +38,8 @@ defaults:
  run:
    shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: go-tracing-legacy-workflow-${{github.ref}}-${{inputs.go-version}}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
  go-tracing-legacy-workflow:
    strategy:
@@ -28,8 +28,8 @@ defaults:
  run:
    shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: init-with-registries-${{github.ref}}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
  init-with-registries:
    strategy:
@@ -28,8 +28,8 @@ defaults:
  run:
    shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: javascript-source-root-${{github.ref}}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
  javascript-source-root:
    strategy:
@@ -28,8 +28,8 @@ defaults:
  run:
    shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: job-run-uuid-sarif-${{github.ref}}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
  job-run-uuid-sarif:
    strategy:
@@ -28,8 +28,8 @@ defaults:
  run:
    shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: language-aliases-${{github.ref}}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
  language-aliases:
    strategy:
@@ -58,9 +58,8 @@ defaults:
  run:
    shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group:
-    local-bundle-${{github.ref}}-${{inputs.go-version}}-${{inputs.python-version}}-${{inputs.dotnet-version}}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
  local-bundle:
    strategy:
@@ -58,9 +58,8 @@ defaults:
  run:
    shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group:
-    multi-language-autodetect-${{github.ref}}-${{inputs.go-version}}-${{inputs.python-version}}-${{inputs.dotnet-version}}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
  multi-language-autodetect:
    strategy:
@@ -28,8 +28,8 @@ defaults:
  run:
    shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: overlay-init-fallback-${{github.ref}}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
  overlay-init-fallback:
    strategy:
@@ -58,9 +58,8 @@ defaults:
  run:
    shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group:
-    packaging-codescanning-config-inputs-js-${{github.ref}}-${{inputs.go-version}}-${{inputs.python-version}}-${{inputs.dotnet-version}}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
  packaging-codescanning-config-inputs-js:
    strategy:
@@ -48,9 +48,8 @@ defaults:
  run:
    shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group:
-    packaging-config-inputs-js-${{github.ref}}-${{inputs.go-version}}-${{inputs.dotnet-version}}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
  packaging-config-inputs-js:
    strategy:
@@ -48,9 +48,8 @@ defaults:
  run:
    shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group:
-    packaging-config-js-${{github.ref}}-${{inputs.go-version}}-${{inputs.dotnet-version}}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
  packaging-config-js:
    strategy:
@@ -48,9 +48,8 @@ defaults:
  run:
    shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group:
-    packaging-inputs-js-${{github.ref}}-${{inputs.go-version}}-${{inputs.dotnet-version}}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
  packaging-inputs-js:
    strategy:
@@ -28,8 +28,8 @@ defaults:
  run:
    shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: quality-queries-${{github.ref}}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
  quality-queries:
    strategy:
@@ -58,9 +58,8 @@ defaults:
  run:
    shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group:
-    remote-config-${{github.ref}}-${{inputs.go-version}}-${{inputs.python-version}}-${{inputs.dotnet-version}}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
  remote-config:
    strategy:
@@ -28,8 +28,8 @@ defaults:
  run:
    shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: resolve-environment-action-${{github.ref}}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
  resolve-environment-action:
    strategy:
@@ -28,8 +28,8 @@ defaults:
  run:
    shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: rubocop-multi-language-${{github.ref}}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
  rubocop-multi-language:
    strategy:
@@ -56,7 +56,7 @@ jobs:
          use-all-platform-bundle: 'false'
          setup-kotlin: 'true'
      - name: Set up Ruby
-        uses: ruby/setup-ruby@90be1154f987f4dc0fe0dd0feedac9e473aa4ba8 # v1.286.0
+        uses: ruby/setup-ruby@ac793fdd38cc468a4dd57246fa9d0e868aba9085 # v1.270.0
        with:
          ruby-version: 2.6
      - name: Install Code Scanning integration
@@ -28,8 +28,8 @@ defaults:
  run:
    shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: ruby-${{github.ref}}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
  ruby:
    strategy:
@@ -28,8 +28,8 @@ defaults:
  run:
    shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: rust-${{github.ref}}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
  rust:
    strategy:
@@ -48,8 +48,8 @@ defaults:
  run:
    shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: split-workflow-${{github.ref}}-${{inputs.go-version}}-${{inputs.dotnet-version}}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
  split-workflow:
    strategy:
@@ -28,8 +28,8 @@ defaults:
  run:
    shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: start-proxy-${{github.ref}}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
  start-proxy:
    strategy:
@@ -28,8 +28,8 @@ defaults:
  run:
    shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: submit-sarif-failure-${{github.ref}}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
  submit-sarif-failure:
    strategy:
@@ -28,8 +28,8 @@ defaults:
  run:
    shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: swift-autobuild-${{github.ref}}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
  swift-autobuild:
    strategy:
@@ -48,9 +48,8 @@ defaults:
  run:
    shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group:
-    swift-custom-build-${{github.ref}}-${{inputs.go-version}}-${{inputs.dotnet-version}}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
  swift-custom-build:
    strategy:
@@ -58,9 +58,8 @@ defaults:
  run:
    shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group:
-    unset-environment-${{github.ref}}-${{inputs.go-version}}-${{inputs.python-version}}-${{inputs.dotnet-version}}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
  unset-environment:
    strategy:
@@ -58,9 +58,8 @@ defaults:
  run:
    shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group:
-    upload-ref-sha-input-${{github.ref}}-${{inputs.go-version}}-${{inputs.python-version}}-${{inputs.dotnet-version}}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
  upload-ref-sha-input:
    strategy:
@@ -58,9 +58,8 @@ defaults:
  run:
    shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group:
-    upload-sarif-${{github.ref}}-${{inputs.go-version}}-${{inputs.python-version}}-${{inputs.dotnet-version}}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
  upload-sarif:
    strategy:
@@ -58,9 +58,8 @@ defaults:
  run:
    shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group:
-    with-checkout-path-${{github.ref}}-${{inputs.go-version}}-${{inputs.python-version}}-${{inputs.dotnet-version}}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
  with-checkout-path:
    strategy:
@@ -6,11 +6,6 @@ env:
  # Diff informed queries add an additional query filter which is not yet
  # taken into account by these tests.
  CODEQL_ACTION_DIFF_INFORMED_QUERIES: false
-  # Specify overlay enablement manually to ensure stability around the exclude-from-incremental
-  # query filter. Here we only enable for the default code scanning suite.
-  CODEQL_ACTION_OVERLAY_ANALYSIS: true
-  CODEQL_ACTION_OVERLAY_ANALYSIS_JAVASCRIPT: false
-  CODEQL_ACTION_OVERLAY_ANALYSIS_CODE_SCANNING_JAVASCRIPT: true

 on:
  push:
@@ -58,8 +58,6 @@ jobs:
        uses: actions/setup-dotnet@v5
        with:
          dotnet-version: '9.x'
-      - name: Assert best-effort artifact scan completed
-        uses: ./../action/.github/actions/verify-debug-artifact-scan-completed
      - uses: ./../action/init
        with:
          tools: ${{ steps.prepare-test.outputs.tools-url }}
@@ -54,8 +54,6 @@ jobs:
        uses: actions/setup-dotnet@v5
        with:
          dotnet-version: '9.x'
-      - name: Assert best-effort artifact scan completed
-        uses: ./../action/.github/actions/verify-debug-artifact-scan-completed
      - uses: ./../action/init
        id: init
        with:
@@ -123,13 +123,24 @@ jobs:
      - name: Prepare partial Changelog
        env:
          PARTIAL_CHANGELOG: "${{ runner.temp }}/partial_changelog.md"
+          VERSION: "${{ steps.getVersion.outputs.version }}"
        run: |
-          python .github/workflows/script/prepare_changelog.py CHANGELOG.md > $PARTIAL_CHANGELOG
+          python .github/workflows/script/prepare_changelog.py CHANGELOG.md "$VERSION" > $PARTIAL_CHANGELOG

          echo "::group::Partial CHANGELOG"
          cat $PARTIAL_CHANGELOG
          echo "::endgroup::"

+      - name: Create mergeback branch and PR
+        if: ${{ steps.check.outputs.exists != 'true' && endsWith(github.ref_name, steps.getVersion.outputs.latest_release_branch) }}
+        uses: ./.github/actions/prepare-mergeback-branch
+        with:
+          base: "${{ env.BASE_BRANCH }}"
+          head: "${{ env.HEAD_BRANCH }}"
+          branch: "${{ steps.getVersion.outputs.newBranch }}"
+          version: "${{ steps.getVersion.outputs.version }}"
+          token: "${{ secrets.GITHUB_TOKEN }}"
+
      - name: Generate token
        uses: actions/create-github-app-token@v2.2.1
        id: app-token
@@ -150,13 +161,3 @@ jobs:
            --latest=false \
            --title "$VERSION" \
            --notes-file "$PARTIAL_CHANGELOG"
-
-      - name: Create mergeback branch and PR
-        if: ${{ endsWith(github.ref_name, steps.getVersion.outputs.latest_release_branch) }}
-        uses: ./.github/actions/prepare-mergeback-branch
-        with:
-          base: "${{ env.BASE_BRANCH }}"
-          head: "${{ env.HEAD_BRANCH }}"
-          branch: "${{ steps.getVersion.outputs.newBranch }}"
-          version: "${{ steps.getVersion.outputs.version }}"
-          token: "${{ secrets.GITHUB_TOKEN }}"
@@ -127,8 +127,9 @@ jobs:
        env:
          NEW_CHANGELOG: "${{ runner.temp }}/new_changelog.md"
          PARTIAL_CHANGELOG: "${{ runner.temp }}/partial_changelog.md"
+          VERSION: "${{ needs.prepare.outputs.version }}"
        run: |
-          python .github/workflows/script/prepare_changelog.py $NEW_CHANGELOG > $PARTIAL_CHANGELOG
+          python .github/workflows/script/prepare_changelog.py $NEW_CHANGELOG "$VERSION" > $PARTIAL_CHANGELOG

          echo "::group::Partial CHANGELOG"
          cat $PARTIAL_CHANGELOG
@@ -1,14 +1,9 @@
-#!/usr/bin/env python3
 import os
 import re

-cli_version = os.environ['CLI_VERSION']
-
-# The GitHub Release for the new bundle version.
-bundle_release_url = f"https://github.com/github/codeql-action/releases/tag/codeql-bundle-v{cli_version}"
 # Get the PR number from the PR URL.
 pr_number = os.environ['PR_URL'].split('/')[-1]
-changelog_note = f"- Update default CodeQL bundle version to [{cli_version}]({bundle_release_url}). [#{pr_number}]({os.environ['PR_URL']})"
+changelog_note = f"- Update default CodeQL bundle version to {os.environ['CLI_VERSION']}. [#{pr_number}]({os.environ['PR_URL']})"

 # If the "[UNRELEASED]" section starts with "no user facing changes", remove that line.
 with open('CHANGELOG.md', 'r') as f:
@@ -1,4 +1,3 @@
-#!/usr/bin/env python3
 import os
 import sys

@@ -7,7 +6,7 @@ EMPTY_CHANGELOG = 'No changes.\n\n'
 # Prepare the changelog for the new release
 # This function will extract the part of the changelog that
 # we want to include in the new release.
-def extract_changelog_snippet(changelog_file):
+def extract_changelog_snippet(changelog_file, version_tag):
  output = ''
  if (not os.path.exists(changelog_file)):
    output = EMPTY_CHANGELOG
@@ -16,20 +15,23 @@ def extract_changelog_snippet(changelog_file):
    with open(changelog_file, 'r') as f:
      lines = f.readlines()

-      # Include only the contents of the first section
+      # Include everything up to, but excluding the second heading
      found_first_section = False
-      for line in lines:
+      for i, line in enumerate(lines):
        if line.startswith('## '):
          if found_first_section:
            break
          found_first_section = True
-        elif found_first_section:
-          output += line
+        output += line

-  return output.strip()
+  output += f"See the full [CHANGELOG.md](https://github.com/github/codeql-action/blob/{version_tag}/CHANGELOG.md) for more information."
+
+  return output


-if len(sys.argv) < 2:
-  raise Exception('Expecting argument: changelog_file')
+if len(sys.argv) < 3:
+  raise Exception('Expecting argument: changelog_file version_tag')
 changelog_file = sys.argv[1]
-print(extract_changelog_snippet(changelog_file))
+version_tag = sys.argv[2]
+
+print(extract_changelog_snippet(changelog_file, version_tag))
@@ -57,24 +57,6 @@ jobs:
      - name: Update bundle
        uses: ./.github/actions/update-bundle

-      - name: Bump Action minor version if new CodeQL minor version series
-        id: bump-action-version
-        run: |
-          prior_cli_version=$(jq -r '.priorCliVersion' src/defaults.json)
-          cli_version=$(jq -r '.cliVersion' src/defaults.json)
-
-          prior_minor=$(echo "$prior_cli_version" | cut -d. -f2)
-          current_minor=$(echo "$cli_version" | cut -d. -f2)
-
-          if [[ "$current_minor" != "$prior_minor" ]]; then
-            echo "New CodeQL minor version series ($prior_cli_version -> $cli_version), bumping Action minor version"
-            npm version minor --no-git-tag-version
-            echo "bumped=true" >> "$GITHUB_OUTPUT"
-          else
-            echo "Same minor version series ($prior_cli_version -> $cli_version), skipping Action version bump"
-            echo "bumped=false" >> "$GITHUB_OUTPUT"
-          fi
-
      - name: Rebuild Action
        run: npm run build

@@ -89,19 +71,11 @@ jobs:
      - name: Open pull request
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          ACTION_VERSION_BUMPED: ${{ steps.bump-action-version.outputs.bumped }}
        run: |
          cli_version=$(jq -r '.cliVersion' src/defaults.json)
-          action_version=$(jq -r '.version' package.json)
-
-          pr_body="This pull request updates the default CodeQL bundle, as used with \`tools: linked\` and on GHES, to $cli_version."
-          if [[ "$ACTION_VERSION_BUMPED" == "true" ]]; then
-            pr_body+=$'\n\n'"Since this is a new CodeQL minor version series, this PR also bumps the Action version to $action_version."
-          fi
-
          pr_url=$(gh pr create \
            --title "Update default bundle to $cli_version" \
-            --body "$pr_body" \
+            --body "This pull request updates the default CodeQL bundle, as used with \`tools: linked\` and on GHES, to $cli_version." \
            --assignee "$GITHUB_ACTOR" \
            --draft \
          )
@@ -6,25 +6,6 @@ See the [releases page](https://github.com/github/codeql-action/releases) for th

 No user facing changes.

-## 4.32.0 - 26 Jan 2026
-
- Update default CodeQL bundle version to [2.24.0](https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.24.0). [#3425](https://github.com/github/codeql-action/pull/3425)
-
-## 4.31.11 - 23 Jan 2026
-
- When running a Default Setup workflow with [Actions debugging enabled](https://docs.github.com/en/actions/how-tos/monitor-workflows/enable-debug-logging), the CodeQL Action will now use more unique names when uploading logs from the Dependabot authentication proxy as workflow artifacts. This ensures that the artifact names do not clash between multiple jobs in a build matrix. [#3409](https://github.com/github/codeql-action/pull/3409)
- Improved error handling throughout the CodeQL Action. [#3415](https://github.com/github/codeql-action/pull/3415)
- Added experimental support for automatically excluding [generated files](https://docs.github.com/en/repositories/working-with-files/managing-files/customizing-how-changed-files-appear-on-github) from the analysis. This feature is not currently enabled for any analysis. In the future, it may be enabled by default for some GitHub-managed analyses. [#3318](https://github.com/github/codeql-action/pull/3318)
- The changelog extracts that are included with releases of the CodeQL Action are now shorter to avoid duplicated information from appearing in Dependabot PRs. [#3403](https://github.com/github/codeql-action/pull/3403)
-
-## 4.31.10 - 12 Jan 2026
-
- Update default CodeQL bundle version to 2.23.9. [#3393](https://github.com/github/codeql-action/pull/3393)
-
-## 4.31.9 - 16 Dec 2025
-
-No user facing changes.
-
 ## 4.31.8 - 11 Dec 2025

 - Update default CodeQL bundle version to 2.23.8. [#3354](https://github.com/github/codeql-action/pull/3354)
@@ -1,6 +1,6 @@
 {
-  "bundleVersion": "codeql-bundle-v2.24.0",
-  "cliVersion": "2.24.0",
-  "priorBundleVersion": "codeql-bundle-v2.23.9",
-  "priorCliVersion": "2.23.9"
+  "bundleVersion": "codeql-bundle-v2.23.8",
+  "cliVersion": "2.23.8",
+  "priorBundleVersion": "codeql-bundle-v2.23.7",
+  "priorCliVersion": "2.23.7"
 }
@@ -1,6 +1,6 @@
 {
  "name": "codeql",
-  "version": "4.32.1",
+  "version": "4.31.9",
  "private": true,
  "description": "CodeQL action",
  "scripts": {
@@ -24,17 +24,17 @@
  },
  "license": "MIT",
  "dependencies": {
-    "@actions/artifact": "^5.0.2",
+    "@actions/artifact": "^4.0.0",
    "@actions/artifact-legacy": "npm:@actions/artifact@^1.1.2",
-    "@actions/cache": "^5.0.3",
-    "@actions/core": "^2.0.2",
-    "@actions/exec": "^2.0.0",
-    "@actions/github": "^8.0.0",
+    "@actions/cache": "^4.1.0",
+    "@actions/core": "^1.11.1",
+    "@actions/exec": "^1.1.1",
+    "@actions/github": "^6.0.0",
    "@actions/glob": "^0.5.0",
    "@actions/http-client": "^3.0.0",
    "@actions/io": "^2.0.0",
-    "@actions/tool-cache": "^3.0.0",
-    "@octokit/plugin-retry": "^8.0.0",
+    "@actions/tool-cache": "^2.0.2",
+    "@octokit/plugin-retry": "^6.0.0",
    "@schemastore/package": "0.0.10",
    "archiver": "^7.0.1",
    "fast-deep-equal": "^3.1.3",
@@ -49,9 +49,9 @@
  },
  "devDependencies": {
    "@ava/typescript": "6.0.0",
-    "@eslint/compat": "^2.0.1",
+    "@eslint/compat": "^2.0.0",
    "@eslint/eslintrc": "^3.3.3",
-    "@eslint/js": "^9.39.2",
+    "@eslint/js": "^9.39.1",
    "@microsoft/eslint-formatter-sarif": "^3.1.0",
    "@octokit/types": "^16.0.0",
    "@types/archiver": "^7.0.0",
@@ -61,20 +61,20 @@
    "@types/node-forge": "^1.3.14",
    "@types/semver": "^7.7.1",
    "@types/sinon": "^21.0.0",
-    "@typescript-eslint/eslint-plugin": "^8.53.1",
+    "@typescript-eslint/eslint-plugin": "^8.48.1",
    "@typescript-eslint/parser": "^8.48.0",
    "ava": "^6.4.1",
-    "esbuild": "^0.27.2",
+    "esbuild": "^0.27.1",
    "eslint": "^8.57.1",
    "eslint-import-resolver-typescript": "^3.8.7",
    "eslint-plugin-filenames": "^1.3.2",
    "eslint-plugin-github": "^5.1.8",
    "eslint-plugin-import": "2.29.1",
-    "eslint-plugin-jsdoc": "^62.2.0",
+    "eslint-plugin-jsdoc": "^61.5.0",
    "eslint-plugin-no-async-foreach": "^0.1.1",
    "glob": "^11.1.0",
    "nock": "^14.0.10",
-    "sinon": "^21.0.1",
+    "sinon": "^21.0.0",
    "typescript": "^5.9.3"
  },
  "overrides": {
@@ -3,7 +3,6 @@ description: "An end-to-end integration test of a Java repository built using 'b
 operatingSystems: ["ubuntu", "windows"]
 versions: ["linked", "nightly-latest"]
 installJava: "true"
-installYq: "true"
 steps:
  - name: Set up Java test repo configuration
    run: |
@@ -19,6 +18,11 @@ steps:
      languages: java
      tools: ${{ steps.prepare-test.outputs.tools-url }}

+  - name: Install yq
+    if: runner.os == 'Windows'
+    run: |
+      choco install yq -y
+
  - name: Validate database build mode
    run: |
      metadata_path="$RUNNER_TEMP/customDbLocation/java/codeql-database.yml"
@@ -1,16 +0,0 @@
-name: "CCR"
-description: "A standard analysis in CCR mode"
-env:
-  CODEQL_ACTION_ANALYSIS_KEY: "dynamic/copilot-pull-request-reviewer/codeql-action-test"
-steps:
-  - uses: ./../action/init
-    id: init
-    with:
-      languages: javascript
-      tools: ${{ steps.prepare-test.outputs.tools-url }}
-
-  - uses: ./../action/analyze
-    id: analysis
-    with:
-      upload-database: false
-
@@ -23,7 +23,6 @@ services:
      - 3128:3128
 env:
  https_proxy: http://squid-proxy:3128
-  CODEQL_ACTION_TOLERATE_MISSING_GIT_VERSION: true
 steps:
  - uses: ./../action/init
    with:
@@ -4,7 +4,7 @@ description: "Tests using RuboCop to analyze a multi-language repository and the
 versions: ["default"]
 steps:
  - name: Set up Ruby
-    uses: ruby/setup-ruby@90be1154f987f4dc0fe0dd0feedac9e473aa4ba8 # v1.286.0
+    uses: ruby/setup-ruby@ac793fdd38cc468a4dd57246fa9d0e868aba9085 # v1.270.0
    with:
      ruby-version: 2.6
  - name: Install Code Scanning integration
@@ -1,7 +1,7 @@
 #!/usr/bin/env python

 import ruamel.yaml
-from ruamel.yaml.scalarstring import SingleQuotedScalarString, LiteralScalarString
+from ruamel.yaml.scalarstring import SingleQuotedScalarString
 import pathlib
 import os

@@ -223,25 +223,6 @@ for file in sorted((this_dir / 'checks').glob('*.yml')):
            }
        })

-    installYq = is_truthy(checkSpecification.get('installYq', ''))
-
-    if installYq:
-        steps.append({
-            'name': 'Install yq',
-            'if': "runner.os == 'Windows'",
-            'env': {
-                'YQ_PATH': '${{ runner.temp }}/yq',
-                # This is essentially an arbitrary version of `yq`, which happened to be the one that
-                # `choco` fetched when we moved away from using that here.
-                # See https://github.com/github/codeql-action/pull/3423
-                'YQ_VERSION': 'v4.50.1'
-            },
-            'run': LiteralScalarString(
-                'gh release download --repo mikefarah/yq --pattern "yq_windows_amd64.exe" "$YQ_VERSION" -O "$YQ_PATH/yq.exe"\n'
-                'echo "$YQ_PATH" >> "$GITHUB_PATH"'
-            ),
-        })
-
    # If container initialisation steps are present in the check specification,
    # make sure to execute them first.
    if 'container' in checkSpecification and 'container-init-steps' in checkSpecification:
@@ -290,10 +271,6 @@ for file in sorted((this_dir / 'checks').glob('*.yml')):

    raw_file = this_dir.parent / ".github" / "workflows" / f"__{checkName}.yml.raw"
    with open(raw_file, 'w', newline='\n') as output_stream:
-        extraGroupName = ""
-        for inputName in workflowInputs.keys():
-            extraGroupName += "-${{inputs." + inputName + "}}"
-
        writeHeader(output_stream)
        yaml.dump({
            'name': f"PR Check - {checkSpecification['name']}",
@@ -328,15 +305,9 @@ for file in sorted((this_dir / 'checks').glob('*.yml')):
                # For other events, the new workflows should wait until earlier ones have finished.
                # This should help reduce the number of concurrent workflows on the repo, and
                # consequently the number of concurrent API requests.
-                # Note, the `|| false` is intentional to rule out that this somehow ends up being
-                # `true` since we observed workflows for non-`pull_request` events getting cancelled.
-                'cancel-in-progress': "${{ github.event_name == 'pull_request' || false }}",
-                # The group is determined by the workflow name, the ref, and the input values.
-                # The base name is hard-coded to avoid issues when the workflow is triggered by
-                # a `workflow_call` event (where `github.workflow` would be the name of the caller).
-                # The input values are added, since they may result in different behaviour for a
-                # given workflow on the same ref.
-                'group': checkName + "-${{github.ref}}" + extraGroupName
+                'cancel-in-progress': "${{ github.event_name == 'pull_request' }}",
+                # The group is determined by the workflow name + the ref
+                'group': "${{ github.workflow }}-${{ github.ref }}"
            },
            'jobs': {
                checkName: checkJob
@@ -5,9 +5,6 @@ import {
  fixCodeQualityCategory,
  getPullRequestBranches,
  isAnalyzingPullRequest,
-  isCCR,
-  isDefaultSetup,
-  isDynamicWorkflow,
 } from "./actions-util";
 import { computeAutomationID } from "./api-client";
 import { EnvVar } from "./environment";
@@ -249,24 +246,3 @@ test("fixCodeQualityCategory", (t) => {
    },
  );
 });
-
-test("isDynamicWorkflow() returns true if event name is `dynamic`", (t) => {
-  process.env.GITHUB_EVENT_NAME = "dynamic";
-  t.assert(isDynamicWorkflow());
-  process.env.GITHUB_EVENT_NAME = "push";
-  t.false(isDynamicWorkflow());
-});
-
-test("isCCR() returns true when expected", (t) => {
-  process.env.GITHUB_EVENT_NAME = "dynamic";
-  process.env[EnvVar.ANALYSIS_KEY] = "dynamic/copilot-pull-request-reviewer";
-  t.assert(isCCR());
-  t.false(isDefaultSetup());
-});
-
-test("isDefaultSetup() returns true when expected", (t) => {
-  process.env.GITHUB_EVENT_NAME = "dynamic";
-  process.env[EnvVar.ANALYSIS_KEY] = "dynamic/github-code-scanning";
-  t.assert(isDefaultSetup());
-  t.false(isCCR());
-});
@@ -8,7 +8,6 @@ import * as io from "@actions/io";
 import { JSONSchemaForNPMPackageJsonFiles } from "@schemastore/package";

 import type { Config } from "./config-utils";
-import { EnvVar } from "./environment";
 import { Logger } from "./logging";
 import {
  doesDirectoryExist,
@@ -255,15 +254,7 @@ export function isDynamicWorkflow(): boolean {

 /** Determines whether we are running in default setup. */
 export function isDefaultSetup(): boolean {
-  return isDynamicWorkflow() && !isCCR();
-}
-
-/* The analysis key prefix used for CCR. */
-const CCR_KEY_PREFIX = "dynamic/copilot-pull-request-reviewer";
-
-/** Determines whether we are running in CCR. */
-export function isCCR(): boolean {
-  return process.env[EnvVar.ANALYSIS_KEY]?.startsWith(CCR_KEY_PREFIX) || false;
+  return isDynamicWorkflow();
 }

 export function prettyPrintInvocation(cmd: string, args: string[]): string {
@@ -21,9 +21,6 @@ import { getActionsLogger } from "./logging";
 import { checkGitHubVersionInRange, getErrorMessage } from "./util";

 async function runWrapper() {
-  // To capture errors appropriately, keep as much code within the try-catch as
-  // possible, and only use safe functions outside.
-
  try {
    actionsUtil.restoreInputs();
    const logger = getActionsLogger();
@@ -20,10 +20,7 @@ import { runAutobuild } from "./autobuild";
 import { getTotalCacheSize, shouldStoreCache } from "./caching-utils";
 import { getCodeQL } from "./codeql";
 import { Config, getConfig } from "./config-utils";
-import {
-  cleanupAndUploadDatabases,
-  DatabaseUploadResult,
-} from "./database-upload";
+import { cleanupAndUploadDatabases } from "./database-upload";
 import {
  DependencyCacheUploadStatusReport,
  uploadDependencyCaches,
@@ -41,7 +38,6 @@ import {
  createStatusReportBase,
  DatabaseCreationTimings,
  getActionsStatus,
-  sendUnhandledErrorStatusReport,
  StatusReportBase,
 } from "./status-report";
 import {
@@ -58,13 +54,15 @@ interface AnalysisStatusReport
  extends uploadLib.UploadStatusReport,
    QueriesStatusReport {}

+interface DependencyCachingUploadStatusReport {
+  dependency_caching_upload_results?: DependencyCacheUploadStatusReport;
+}
+
 interface FinishStatusReport
  extends StatusReportBase,
    DatabaseCreationTimings,
-    AnalysisStatusReport {
-  dependency_caching_upload_results?: DependencyCacheUploadStatusReport;
-  database_upload_results: DatabaseUploadResult[];
-}
+    AnalysisStatusReport,
+    DependencyCachingUploadStatusReport {}

 interface FinishWithTrapUploadStatusReport extends FinishStatusReport {
  /** Size of TRAP caches that we uploaded, in bytes. */
@@ -83,7 +81,6 @@ async function sendStatusReport(
  didUploadTrapCaches: boolean,
  trapCacheCleanup: TrapCacheCleanupStatusReport | undefined,
  dependencyCacheResults: DependencyCacheUploadStatusReport | undefined,
-  databaseUploadResults: DatabaseUploadResult[],
  logger: Logger,
 ) {
  const status = getActionsStatus(error, stats?.analyze_failure_language);
@@ -104,7 +101,6 @@ async function sendStatusReport(
      ...(dbCreationTimings || {}),
      ...(trapCacheCleanup || {}),
      dependency_caching_upload_results: dependencyCacheResults,
-      database_upload_results: databaseUploadResults,
    };
    if (config && didUploadTrapCaches) {
      const trapCacheUploadStatusReport: FinishWithTrapUploadStatusReport = {
@@ -209,10 +205,8 @@ async function runAutobuildIfLegacyGoWorkflow(config: Config, logger: Logger) {
  await runAutobuild(config, KnownLanguage.go, logger);
 }

-async function run(startedAt: Date) {
-  // To capture errors appropriately, keep as much code within the try-catch as
-  // possible, and only use safe functions outside.
-
+async function run() {
+  const startedAt = new Date();
  let uploadResults:
    | Partial<Record<analyses.AnalysisKind, UploadResult>>
    | undefined = undefined;
@@ -224,16 +218,14 @@ async function run(startedAt: Date) {
  let dbCreationTimings: DatabaseCreationTimings | undefined = undefined;
  let didUploadTrapCaches = false;
  let dependencyCacheResults: DependencyCacheUploadStatusReport | undefined;
-  let databaseUploadResults: DatabaseUploadResult[] = [];
+  util.initializeEnvironment(actionsUtil.getActionVersion());
+
+  // Make inputs accessible in the `post` step, details at
+  // https://github.com/github/codeql-action/issues/2553
+  actionsUtil.persistInputs();
+
  const logger = getActionsLogger();
-
  try {
-    util.initializeEnvironment(actionsUtil.getActionVersion());
-
-    // Make inputs accessible in the `post` step, details at
-    // https://github.com/github/codeql-action/issues/2553
-    actionsUtil.persistInputs();
-
    const statusReportBase = await createStatusReportBase(
      ActionName.Analyze,
      "starting",
@@ -397,7 +389,7 @@ async function run(startedAt: Date) {
    // Possibly upload the database bundles for remote queries.
    // Note: Take care with the ordering of this call since databases may be cleaned up
    // at the `overlay` or `clear` level.
-    databaseUploadResults = await cleanupAndUploadDatabases(
+    await cleanupAndUploadDatabases(
      repositoryNwo,
      codeql,
      config,
@@ -469,7 +461,6 @@ async function run(startedAt: Date) {
      didUploadTrapCaches,
      trapCacheCleanupTelemetry,
      dependencyCacheResults,
-      databaseUploadResults,
      logger,
    );
    return;
@@ -492,7 +483,6 @@ async function run(startedAt: Date) {
      didUploadTrapCaches,
      trapCacheCleanupTelemetry,
      dependencyCacheResults,
-      databaseUploadResults,
      logger,
    );
  } else if (runStats !== undefined) {
@@ -506,7 +496,6 @@ async function run(startedAt: Date) {
      didUploadTrapCaches,
      trapCacheCleanupTelemetry,
      dependencyCacheResults,
-      databaseUploadResults,
      logger,
    );
  } else {
@@ -520,28 +509,18 @@ async function run(startedAt: Date) {
      didUploadTrapCaches,
      trapCacheCleanupTelemetry,
      dependencyCacheResults,
-      databaseUploadResults,
      logger,
    );
  }
 }

-// Module-level startedAt so it can be accessed by runWrapper for error reporting
-const startedAt = new Date();
-export const runPromise = run(startedAt);
+export const runPromise = run();

 async function runWrapper() {
-  const logger = getActionsLogger();
  try {
    await runPromise;
  } catch (error) {
    core.setFailed(`analyze action failed: ${util.getErrorMessage(error)}`);
-    await sendUnhandledErrorStatusReport(
-      ActionName.Analyze,
-      startedAt,
-      error,
-      logger,
-    );
  }
  await util.checkForTimeout();
 }
@@ -3,7 +3,6 @@ import * as githubUtils from "@actions/github/lib/utils";
 import * as retry from "@octokit/plugin-retry";

 import { getActionVersion, getRequiredInput } from "./actions-util";
-import { EnvVar } from "./environment";
 import { Logger } from "./logging";
 import { getRepositoryNwo, RepositoryNwo } from "./repository";
 import {
@@ -190,7 +189,9 @@ export async function getWorkflowRelativePath(): Promise<string> {
 * the GitHub API, but after that the result will be cached.
 */
 export async function getAnalysisKey(): Promise<string> {
-  let analysisKey = process.env[EnvVar.ANALYSIS_KEY];
+  const analysisKeyEnvVar = "CODEQL_ACTION_ANALYSIS_KEY";
+
+  let analysisKey = process.env[analysisKeyEnvVar];
  if (analysisKey !== undefined) {
    return analysisKey;
  }
@@ -199,7 +200,7 @@ export async function getAnalysisKey(): Promise<string> {
  const jobName = getRequiredEnvParam("GITHUB_JOB");

  analysisKey = `${workflowPath}:${jobName}`;
-  core.exportVariable(EnvVar.ANALYSIS_KEY, analysisKey);
+  core.exportVariable(analysisKeyEnvVar, analysisKey);
  return analysisKey;
 }

@@ -1,98 +0,0 @@
-import * as fs from "fs";
-import * as os from "os";
-import * as path from "path";
-
-import test from "ava";
-
-import { scanArtifactsForTokens } from "./artifact-scanner";
-import { getRunnerLogger } from "./logging";
-import { getRecordingLogger, LoggedMessage } from "./testing-utils";
-
-test("scanArtifactsForTokens detects GitHub tokens in files", async (t) => {
-  const logger = getRunnerLogger(true);
-  const tempDir = fs.mkdtempSync(path.join(os.tmpdir(), "scanner-test-"));
-
-  try {
-    // Create a test file with a fake GitHub token
-    const testFile = path.join(tempDir, "test.txt");
-    fs.writeFileSync(
-      testFile,
-      "This is a test file with token ghp_1234567890123456789012345678901234AB",
-    );
-
-    const error = await t.throwsAsync(
-      async () => await scanArtifactsForTokens([testFile], logger),
-    );
-
-    t.regex(
-      error?.message || "",
-      /Found 1 potential GitHub token.*Personal Access Token/,
-    );
-    t.regex(error?.message || "", /test\.txt/);
-  } finally {
-    // Clean up
-    fs.rmSync(tempDir, { recursive: true, force: true });
-  }
-});
-
-test("scanArtifactsForTokens handles files without tokens", async (t) => {
-  const logger = getRunnerLogger(true);
-  const tempDir = fs.mkdtempSync(path.join(os.tmpdir(), "scanner-test-"));
-
-  try {
-    // Create a test file without tokens
-    const testFile = path.join(tempDir, "test.txt");
-    fs.writeFileSync(
-      testFile,
-      "This is a test file without any sensitive data",
-    );
-
-    await t.notThrowsAsync(
-      async () => await scanArtifactsForTokens([testFile], logger),
-    );
-  } finally {
-    // Clean up
-    fs.rmSync(tempDir, { recursive: true, force: true });
-  }
-});
-
-if (os.platform() !== "win32") {
-  test("scanArtifactsForTokens finds token in debug artifacts", async (t) => {
-    t.timeout(15000); // 15 seconds
-    const messages: LoggedMessage[] = [];
-    const logger = getRecordingLogger(messages, { logToConsole: false });
-    // The zip here is a regression test based on
-    // https://github.com/github/codeql-action/security/advisories/GHSA-vqf5-2xx6-9wfm
-    const testZip = path.join(
-      __dirname,
-      "..",
-      "src",
-      "testdata",
-      "debug-artifacts-with-fake-token.zip",
-    );
-
-    // This zip file contains a nested structure with a fake token in:
-    // my-db-java-partial.zip/trap/java/invocations/kotlin.9017231652989744319.trap
-    const error = await t.throwsAsync(
-      async () => await scanArtifactsForTokens([testZip], logger),
-    );
-
-    t.regex(
-      error?.message || "",
-      /Found.*potential GitHub token/,
-      "Should detect token in nested zip",
-    );
-    t.regex(
-      error?.message || "",
-      /kotlin\.9017231652989744319\.trap/,
-      "Should report the .trap file containing the token",
-    );
-
-    const logOutput = messages.map((msg) => msg.message).join("\n");
-    t.regex(
-      logOutput,
-      /^Extracting gz file: .*\.gz$/m,
-      "Logs should show that .gz files were extracted",
-    );
-  });
-}
@@ -1,379 +0,0 @@
-import * as fs from "fs";
-import * as os from "os";
-import * as path from "path";
-
-import * as exec from "@actions/exec";
-
-import { Logger } from "./logging";
-import { getErrorMessage } from "./util";
-
-/**
- * GitHub token patterns to scan for.
- * These patterns match various GitHub token formats.
- */
-const GITHUB_TOKEN_PATTERNS = [
-  {
-    name: "Personal Access Token",
-    pattern: /\bghp_[a-zA-Z0-9]{36}\b/g,
-  },
-  {
-    name: "OAuth Access Token",
-    pattern: /\bgho_[a-zA-Z0-9]{36}\b/g,
-  },
-  {
-    name: "User-to-Server Token",
-    pattern: /\bghu_[a-zA-Z0-9]{36}\b/g,
-  },
-  {
-    name: "Server-to-Server Token",
-    pattern: /\bghs_[a-zA-Z0-9]{36}\b/g,
-  },
-  {
-    name: "Refresh Token",
-    pattern: /\bghr_[a-zA-Z0-9]{36}\b/g,
-  },
-  {
-    name: "App Installation Access Token",
-    pattern: /\bghs_[a-zA-Z0-9]{255}\b/g,
-  },
-];
-
-interface TokenFinding {
-  tokenType: string;
-  filePath: string;
-}
-
-interface ScanResult {
-  scannedFiles: number;
-  findings: TokenFinding[];
-}
-
-/**
- * Scans a file for GitHub tokens.
- *
- * @param filePath Path to the file to scan
- * @param relativePath Relative path for display purposes
- * @param logger Logger instance
- * @returns Array of token findings in the file
- */
-function scanFileForTokens(
-  filePath: string,
-  relativePath: string,
-  logger: Logger,
-): TokenFinding[] {
-  const findings: TokenFinding[] = [];
-  try {
-    const content = fs.readFileSync(filePath, "utf8");
-
-    for (const { name, pattern } of GITHUB_TOKEN_PATTERNS) {
-      const matches = content.match(pattern);
-      if (matches) {
-        for (let i = 0; i < matches.length; i++) {
-          findings.push({ tokenType: name, filePath: relativePath });
-        }
-        logger.debug(`Found ${matches.length} ${name}(s) in ${relativePath}`);
-      }
-    }
-
-    return findings;
-  } catch (e) {
-    // If we can't read the file as text, it's likely binary or inaccessible
-    logger.debug(
-      `Could not scan file ${filePath} for tokens: ${getErrorMessage(e)}`,
-    );
-    return [];
-  }
-}
-
-/**
- * Recursively extracts and scans archive files (.zip, .gz, .tar.gz).
- *
- * @param archivePath Path to the archive file
- * @param relativeArchivePath Relative path of the archive for display
- * @param extractDir Directory to extract to
- * @param logger Logger instance
- * @param depth Current recursion depth (to prevent infinite loops)
- * @returns Scan results
- */
-async function scanArchiveFile(
-  archivePath: string,
-  relativeArchivePath: string,
-  extractDir: string,
-  logger: Logger,
-  depth: number = 0,
-): Promise<ScanResult> {
-  const MAX_DEPTH = 10; // Prevent infinite recursion
-  if (depth > MAX_DEPTH) {
-    throw new Error(
-      `Maximum archive extraction depth (${MAX_DEPTH}) reached for ${archivePath}`,
-    );
-  }
-
-  const result: ScanResult = {
-    scannedFiles: 0,
-    findings: [],
-  };
-
-  try {
-    const tempExtractDir = fs.mkdtempSync(
-      path.join(extractDir, `extract-${depth}-`),
-    );
-
-    // Determine archive type and extract accordingly
-    const fileName = path.basename(archivePath).toLowerCase();
-    if (fileName.endsWith(".tar.gz") || fileName.endsWith(".tgz")) {
-      // Extract tar.gz files
-      logger.debug(`Extracting tar.gz file: ${archivePath}`);
-      await exec.exec("tar", ["-xzf", archivePath, "-C", tempExtractDir], {
-        silent: true,
-      });
-    } else if (fileName.endsWith(".tar.zst")) {
-      // Extract tar.zst files
-      logger.debug(`Extracting tar.zst file: ${archivePath}`);
-      await exec.exec(
-        "tar",
-        ["--zstd", "-xf", archivePath, "-C", tempExtractDir],
-        {
-          silent: true,
-        },
-      );
-    } else if (fileName.endsWith(".zst")) {
-      // Extract .zst files (single file compression)
-      logger.debug(`Extracting zst file: ${archivePath}`);
-      const outputFile = path.join(
-        tempExtractDir,
-        path.basename(archivePath, ".zst"),
-      );
-      await exec.exec("zstd", ["-d", archivePath, "-o", outputFile], {
-        silent: true,
-      });
-    } else if (fileName.endsWith(".gz")) {
-      // Extract .gz files (single file compression)
-      logger.debug(`Extracting gz file: ${archivePath}`);
-      const outputFile = path.join(
-        tempExtractDir,
-        path.basename(archivePath, ".gz"),
-      );
-      await exec.exec("gunzip", ["-c", archivePath], {
-        outStream: fs.createWriteStream(outputFile),
-        silent: true,
-      });
-    } else if (fileName.endsWith(".zip")) {
-      // Extract zip files
-      logger.debug(`Extracting zip file: ${archivePath}`);
-      await exec.exec(
-        "unzip",
-        ["-q", "-o", archivePath, "-d", tempExtractDir],
-        {
-          silent: true,
-        },
-      );
-    }
-
-    // Scan the extracted contents
-    const scanResult = await scanDirectory(
-      tempExtractDir,
-      relativeArchivePath,
-      logger,
-      depth + 1,
-    );
-    result.scannedFiles += scanResult.scannedFiles;
-    result.findings.push(...scanResult.findings);
-
-    // Clean up extracted files
-    fs.rmSync(tempExtractDir, { recursive: true, force: true });
-  } catch (e) {
-    logger.debug(
-      `Could not extract or scan archive file ${archivePath}: ${getErrorMessage(e)}`,
-    );
-  }
-
-  return result;
-}
-
-/**
- * Scans a single file, including recursive archive extraction if applicable.
- *
- * @param fullPath Full path to the file
- * @param relativePath Relative path for display
- * @param extractDir Directory to use for extraction (for archive files)
- * @param logger Logger instance
- * @param depth Current recursion depth
- * @returns Scan results
- */
-async function scanFile(
-  fullPath: string,
-  relativePath: string,
-  extractDir: string,
-  logger: Logger,
-  depth: number = 0,
-): Promise<ScanResult> {
-  const result: ScanResult = {
-    scannedFiles: 1,
-    findings: [],
-  };
-
-  // Check if it's an archive file and recursively scan it
-  const fileName = path.basename(fullPath).toLowerCase();
-  const isArchive =
-    fileName.endsWith(".zip") ||
-    fileName.endsWith(".tar.gz") ||
-    fileName.endsWith(".tgz") ||
-    fileName.endsWith(".tar.zst") ||
-    fileName.endsWith(".zst") ||
-    fileName.endsWith(".gz");
-
-  if (isArchive) {
-    const archiveResult = await scanArchiveFile(
-      fullPath,
-      relativePath,
-      extractDir,
-      logger,
-      depth,
-    );
-    result.scannedFiles += archiveResult.scannedFiles;
-    result.findings.push(...archiveResult.findings);
-  }
-
-  // Scan the file itself for tokens (unless it's a pure binary archive format)
-  const fileFindings = scanFileForTokens(fullPath, relativePath, logger);
-  result.findings.push(...fileFindings);
-
-  return result;
-}
-
-/**
- * Recursively scans a directory for GitHub tokens.
- *
- * @param dirPath Directory path to scan
- * @param baseRelativePath Base relative path for computing display paths
- * @param logger Logger instance
- * @param depth Current recursion depth
- * @returns Scan results
- */
-async function scanDirectory(
-  dirPath: string,
-  baseRelativePath: string,
-  logger: Logger,
-  depth: number = 0,
-): Promise<ScanResult> {
-  const result: ScanResult = {
-    scannedFiles: 0,
-    findings: [],
-  };
-
-  const entries = fs.readdirSync(dirPath, { withFileTypes: true });
-
-  for (const entry of entries) {
-    const fullPath = path.join(dirPath, entry.name);
-    const relativePath = path.join(baseRelativePath, entry.name);
-
-    if (entry.isDirectory()) {
-      const subResult = await scanDirectory(
-        fullPath,
-        relativePath,
-        logger,
-        depth,
-      );
-      result.scannedFiles += subResult.scannedFiles;
-      result.findings.push(...subResult.findings);
-    } else if (entry.isFile()) {
-      const fileResult = await scanFile(
-        fullPath,
-        relativePath,
-        path.dirname(fullPath),
-        logger,
-        depth,
-      );
-      result.scannedFiles += fileResult.scannedFiles;
-      result.findings.push(...fileResult.findings);
-    }
-  }
-
-  return result;
-}
-
-/**
- * Scans a list of files and directories for GitHub tokens.
- * Recursively extracts and scans archive files (.zip, .gz, .tar.gz).
- *
- * @param filesToScan List of file paths to scan
- * @param logger Logger instance
- * @returns Scan results
- */
-export async function scanArtifactsForTokens(
-  filesToScan: string[],
-  logger: Logger,
-): Promise<void> {
-  logger.info(
-    "Starting best-effort check for potential GitHub tokens in debug artifacts (for testing purposes only)...",
-  );
-
-  const result: ScanResult = {
-    scannedFiles: 0,
-    findings: [],
-  };
-
-  // Create a temporary directory for extraction
-  const tempScanDir = fs.mkdtempSync(path.join(os.tmpdir(), "artifact-scan-"));
-
-  try {
-    for (const filePath of filesToScan) {
-      const stats = fs.statSync(filePath);
-      const fileName = path.basename(filePath);
-
-      if (stats.isDirectory()) {
-        const dirResult = await scanDirectory(filePath, fileName, logger);
-        result.scannedFiles += dirResult.scannedFiles;
-        result.findings.push(...dirResult.findings);
-      } else if (stats.isFile()) {
-        const fileResult = await scanFile(
-          filePath,
-          fileName,
-          tempScanDir,
-          logger,
-        );
-        result.scannedFiles += fileResult.scannedFiles;
-        result.findings.push(...fileResult.findings);
-      }
-    }
-
-    // Compute statistics from findings
-    const tokenTypesCounts = new Map<string, number>();
-    const filesWithTokens = new Set<string>();
-    for (const finding of result.findings) {
-      tokenTypesCounts.set(
-        finding.tokenType,
-        (tokenTypesCounts.get(finding.tokenType) || 0) + 1,
-      );
-      filesWithTokens.add(finding.filePath);
-    }
-
-    const tokenTypesSummary = Array.from(tokenTypesCounts.entries())
-      .map(([type, count]) => `${count} ${type}${count > 1 ? "s" : ""}`)
-      .join(", ");
-
-    const baseSummary = `scanned ${result.scannedFiles} files, found ${result.findings.length} potential token(s) in ${filesWithTokens.size} file(s)`;
-    const summaryWithTypes = tokenTypesSummary
-      ? `${baseSummary} (${tokenTypesSummary})`
-      : baseSummary;
-
-    logger.info(`Artifact check complete: ${summaryWithTypes}`);
-
-    if (result.findings.length > 0) {
-      const fileList = Array.from(filesWithTokens).join(", ");
-      throw new Error(
-        `Found ${result.findings.length} potential GitHub token(s) (${tokenTypesSummary}) in debug artifacts at: ${fileList}. This is a best-effort check for testing purposes only.`,
-      );
-    }
-  } finally {
-    // Clean up temporary directory
-    try {
-      fs.rmSync(tempScanDir, { recursive: true, force: true });
-    } catch (e) {
-      logger.debug(
-        `Could not clean up temporary scan directory: ${getErrorMessage(e)}`,
-      );
-    }
-  }
-}
@@ -17,7 +17,6 @@ import {
  getActionsStatus,
  createStatusReportBase,
  sendStatusReport,
-  sendUnhandledErrorStatusReport,
  ActionName,
 } from "./status-report";
 import { endTracingForCluster } from "./tracer-config";
@@ -69,10 +68,8 @@ async function sendCompletedStatusReport(
  }
 }

-async function run(startedAt: Date) {
-  // To capture errors appropriately, keep as much code within the try-catch as
-  // possible, and only use safe functions outside.
-
+async function run() {
+  const startedAt = new Date();
  const logger = getActionsLogger();
  let config: Config | undefined;
  let currentLanguage: Language | undefined;
@@ -143,18 +140,10 @@ async function run(startedAt: Date) {
 }

 async function runWrapper() {
-  const startedAt = new Date();
-  const logger = getActionsLogger();
  try {
-    await run(startedAt);
+    await run();
  } catch (error) {
    core.setFailed(`autobuild action failed. ${getErrorMessage(error)}`);
-    await sendUnhandledErrorStatusReport(
-      ActionName.Autobuild,
-      startedAt,
-      error,
-      logger,
-    );
  }
 }

@@ -147,20 +147,11 @@ export interface CodeQL {
  ): Promise<void>;
  /**
   * Run 'codeql database bundle'.
-   *
-   * @param alsoIncludeRelativePaths Additional paths that should be included in the bundle if
-   * supported by the version of the CodeQL CLI.
-   *
-   * These paths are relative to the database root.
-   *
-   * Older versions of the CodeQL CLI do not support including additional paths in the bundle.
-   * In those cases, this parameter will be ignored.
   */
  databaseBundle(
    databasePath: string,
    outputFilePath: string,
    dbName: string,
-    alsoIncludeRelativePaths: string[],
  ): Promise<void>;
  /**
   * Run 'codeql database run-queries'. If no `queries` are specified, then the CLI
@@ -920,7 +911,6 @@ async function getCodeQLForCmd(
      databasePath: string,
      outputFilePath: string,
      databaseName: string,
-      alsoIncludeRelativePaths: string[],
    ): Promise<void> {
      const args = [
        "database",
@@ -930,16 +920,6 @@ async function getCodeQLForCmd(
        `--name=${databaseName}`,
        ...getExtraOptionsFromEnv(["database", "bundle"]),
      ];
-      if (
-        await this.supportsFeature(ToolsFeature.BundleSupportsIncludeOption)
-      ) {
-        args.push(
-          ...alsoIncludeRelativePaths.flatMap((relativePath) => [
-            "--include",
-            relativePath,
-          ]),
-        );
-      }
      await new toolrunner.ToolRunner(cmd, args).exec();
    },
    async databaseExportDiagnostics(
@@ -15,7 +15,6 @@ import * as configUtils from "./config-utils";
 import * as errorMessages from "./error-messages";
 import { Feature } from "./feature-flags";
 import * as gitUtils from "./git-utils";
-import { GitVersionInfo } from "./git-utils";
 import { KnownLanguage, Language } from "./languages";
 import { getRunnerLogger } from "./logging";
 import {
@@ -979,7 +978,6 @@ interface OverlayDatabaseModeTestSetup {
  languages: Language[];
  codeqlVersion: string;
  gitRoot: string | undefined;
-  gitVersion: GitVersionInfo | undefined;
  codeScanningConfig: configUtils.UserConfig;
  diskUsage: DiskUsage | undefined;
  memoryFlagValue: number;
@@ -994,10 +992,6 @@ const defaultOverlayDatabaseModeTestSetup: OverlayDatabaseModeTestSetup = {
  languages: [KnownLanguage.javascript],
  codeqlVersion: CODEQL_OVERLAY_MINIMUM_VERSION,
  gitRoot: "/some/git/root",
-  gitVersion: new GitVersionInfo(
-    gitUtils.GIT_MINIMUM_VERSION_FOR_OVERLAY,
-    gitUtils.GIT_MINIMUM_VERSION_FOR_OVERLAY,
-  ),
  codeScanningConfig: {},
  diskUsage: {
    numAvailableBytes: 50_000_000_000,
@@ -1076,7 +1070,6 @@ const getOverlayDatabaseModeMacro = test.macro({
          setup.buildMode,
          undefined,
          setup.codeScanningConfig,
-          setup.gitVersion,
          logger,
        );

@@ -1780,32 +1773,6 @@ test(
  },
 );

-test(
-  getOverlayDatabaseModeMacro,
-  "Fallback due to old git version",
-  {
-    overlayDatabaseEnvVar: "overlay",
-    gitVersion: new GitVersionInfo("2.30.0", "2.30.0"), // Version below required 2.38.0
-  },
-  {
-    overlayDatabaseMode: OverlayDatabaseMode.None,
-    useOverlayDatabaseCaching: false,
-  },
-);
-
-test(
-  getOverlayDatabaseModeMacro,
-  "Fallback when git version cannot be determined",
-  {
-    overlayDatabaseEnvVar: "overlay",
-    gitVersion: undefined,
-  },
-  {
-    overlayDatabaseMode: OverlayDatabaseMode.None,
-    useOverlayDatabaseCaching: false,
-  },
-);
-
 // Exercise language-specific overlay analysis features code paths
 for (const language in KnownLanguage) {
  test(
@@ -4,11 +4,7 @@ import { performance } from "perf_hooks";

 import * as yaml from "js-yaml";

-import {
-  getActionVersion,
-  isAnalyzingPullRequest,
-  isCCR,
-} from "./actions-util";
+import { getActionVersion, isAnalyzingPullRequest } from "./actions-util";
 import {
  AnalysisConfig,
  AnalysisKind,
@@ -26,20 +22,11 @@ import {
  parseUserConfig,
  UserConfig,
 } from "./config/db-config";
-import { addDiagnostic, makeTelemetryDiagnostic } from "./diagnostics";
 import { shouldPerformDiffInformedAnalysis } from "./diff-informed-analysis-utils";
-import { EnvVar } from "./environment";
 import * as errorMessages from "./error-messages";
 import { Feature, FeatureEnablement } from "./feature-flags";
 import { RepositoryProperties } from "./feature-flags/properties";
-import {
-  getGeneratedFiles,
-  getGitRoot,
-  getGitVersionOrThrow,
-  GIT_MINIMUM_VERSION_FOR_OVERLAY,
-  GitVersionInfo,
-  isAnalyzingDefaultBranch,
-} from "./git-utils";
+import { getGitRoot, isAnalyzingDefaultBranch } from "./git-utils";
 import { KnownLanguage, Language } from "./languages";
 import { Logger } from "./logging";
 import {
@@ -58,9 +45,6 @@ import {
  isDefined,
  checkDiskUsage,
  getCodeQLMemoryLimit,
-  getErrorMessage,
-  isInTestMode,
-  joinAtMost,
 } from "./util";

 export * from "./config/db-config";
@@ -725,7 +709,6 @@ export async function getOverlayDatabaseMode(
  buildMode: BuildMode | undefined,
  ramInput: string | undefined,
  codeScanningConfig: UserConfig,
-  gitVersion: GitVersionInfo | undefined,
  logger: Logger,
 ): Promise<{
  overlayDatabaseMode: OverlayDatabaseMode;
@@ -828,22 +811,6 @@ export async function getOverlayDatabaseMode(
    );
    return nonOverlayAnalysis;
  }
-  if (gitVersion === undefined) {
-    logger.warning(
-      `Cannot build an ${overlayDatabaseMode} database because ` +
-        "the Git version could not be determined. " +
-        "Falling back to creating a normal full database instead.",
-    );
-    return nonOverlayAnalysis;
-  }
-  if (!gitVersion.isAtLeast(GIT_MINIMUM_VERSION_FOR_OVERLAY)) {
-    logger.warning(
-      `Cannot build an ${overlayDatabaseMode} database because ` +
-        `the installed Git version is older than ${GIT_MINIMUM_VERSION_FOR_OVERLAY}. ` +
-        "Falling back to creating a normal full database instead.",
-    );
-    return nonOverlayAnalysis;
-  }

  return {
    overlayDatabaseMode,
@@ -936,57 +903,6 @@ export async function initConfig(
    config.computedConfig["query-filters"] = [];
  }

-  let gitVersion: GitVersionInfo | undefined = undefined;
-  try {
-    gitVersion = await getGitVersionOrThrow();
-    logger.info(`Using Git version ${gitVersion.fullVersion}`);
-    await logGitVersionTelemetry(config, gitVersion);
-  } catch (e) {
-    logger.warning(`Could not determine Git version: ${getErrorMessage(e)}`);
-    // Throw the error in test mode so it's more visible, unless the environment
-    // variable is set to tolerate this, for example because we're running in a
-    // Docker container where git may not be available.
-    if (
-      isInTestMode() &&
-      process.env[EnvVar.TOLERATE_MISSING_GIT_VERSION] !== "true"
-    ) {
-      throw e;
-    }
-  }
-
-  // If we are in CCR or the corresponding FF is enabled, try to determine
-  // which files in the repository are marked as generated and add them to
-  // the `paths-ignore` configuration.
-  if ((await features.getValue(Feature.IgnoreGeneratedFiles)) && isCCR()) {
-    try {
-      const generatedFilesCheckStartedAt = performance.now();
-      const generatedFiles = await getGeneratedFiles(inputs.sourceRoot);
-      const generatedFilesDuration = Math.round(
-        performance.now() - generatedFilesCheckStartedAt,
-      );
-
-      if (generatedFiles.length > 0) {
-        config.computedConfig["paths-ignore"] ??= [];
-        config.computedConfig["paths-ignore"].push(...generatedFiles);
-        logger.info(
-          `Detected ${generatedFiles.length} generated file(s), which will be excluded from analysis: ${joinAtMost(generatedFiles, ", ", 10)}`,
-        );
-      } else {
-        logger.info(`Found no generated files.`);
-      }
-
-      await logGeneratedFilesTelemetry(
-        config,
-        generatedFilesDuration,
-        generatedFiles.length,
-      );
-    } catch (error) {
-      logger.info(`Cannot ignore generated files: ${getErrorMessage(error)}`);
-    }
-  } else {
-    logger.debug(`Skipping check for generated files.`);
-  }
-
  // The choice of overlay database mode depends on the selection of languages
  // and queries, which in turn depends on the user config and the augmentation
  // properties. So we need to calculate the overlay database mode after the
@@ -1000,7 +916,6 @@ export async function initConfig(
      config.buildMode,
      inputs.ramInput,
      config.computedConfig,
-      gitVersion,
      logger,
    );
  logger.info(
@@ -1401,55 +1316,3 @@ export function getPrimaryAnalysisConfig(config: Config): AnalysisConfig {
    ? CodeScanning
    : CodeQuality;
 }
-
-/** Logs the Git version as a telemetry diagnostic. */
-async function logGitVersionTelemetry(
-  config: Config,
-  gitVersion: GitVersionInfo,
-): Promise<void> {
-  if (config.languages.length > 0) {
-    addDiagnostic(
-      config,
-      // Arbitrarily choose the first language. We could also choose all languages, but that
-      // increases the risk of misinterpreting the data.
-      config.languages[0],
-      makeTelemetryDiagnostic(
-        "codeql-action/git-version-telemetry",
-        "Git version telemetry",
-        {
-          fullVersion: gitVersion.fullVersion,
-          truncatedVersion: gitVersion.truncatedVersion,
-        },
-      ),
-    );
-  }
-}
-
-/**
- * Logs the time it took to identify generated files and how many were discovered as
- * a telemetry diagnostic.
- * */
-async function logGeneratedFilesTelemetry(
-  config: Config,
-  duration: number,
-  generatedFilesCount: number,
-): Promise<void> {
-  if (config.languages.length < 1) {
-    return;
-  }
-
-  addDiagnostic(
-    config,
-    // Arbitrarily choose the first language. We could also choose all languages, but that
-    // increases the risk of misinterpreting the data.
-    config.languages[0],
-    makeTelemetryDiagnostic(
-      "codeql-action/generated-files-telemetry",
-      "Generated files telemetry",
-      {
-        duration,
-        generatedFilesCount,
-      },
-    ),
-  );
-}
--- a/Show More
+++ b/Show More