Tests: Update Go to 1.25

Merge pull request #3023 from github/redsun82/rust-test
Improve Rust analysis PR check
2026-05-09 07:10:22 +00:00 · 2025-08-13 10:12:25 +02:00 · 2025-08-12 11:02:27 +01:00 · 2025-08-12 10:30:05 +01:00 · 2025-08-12 02:07:02 +00:00 · 2025-08-12 02:06:25 +00:00
660 changed files with 56063 additions and 74640 deletions
@@ -1,5 +1,14 @@
+
+
+### Risk assessment
+
+For internal use only. Please select the risk level of this change:
+
+- **Low risk:** Changes are fully under feature flags, or have been fully tested and validated in pre-production environments and are highly observable, or are documentation or test only.
+- **High risk:** Changes are not fully under feature flags, have limited visibility and/or cannot be tested outside of production.
+
 ### Merge / deployment checklist

- [ ] Confirm this change is backwards compatible with existing workflows.
- [ ] Confirm the [readme](https://github.com/github/codeql-action/blob/main/README.md) has been updated if necessary.
- [ ] Confirm the [changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) has been updated if necessary.
+- Confirm this change is backwards compatible with existing workflows.
+- Consider adding a [changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) entry for this change.
+- Confirm the [readme](https://github.com/github/codeql-action/blob/main/README.md) and docs have been updated if necessary.
@@ -1,6 +1,6 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
+#     pr-checks/sync.sh
 # to regenerate this file.

 name: PR Check - All-platform bundle
@@ -48,7 +48,7 @@ jobs:
      - name: Install Go
        uses: actions/setup-go@v5
        with:
-          go-version: '>=1.21.0'
+          go-version: 1.25.0
          cache: false
      - id: init
        uses: ./../action/init
@@ -1,6 +1,6 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
+#     pr-checks/sync.sh
 # to regenerate this file.

 name: "PR Check - Analyze: 'ref' and 'sha' from inputs"
@@ -52,7 +52,7 @@ jobs:
      - name: Install Go
        uses: actions/setup-go@v5
        with:
-          go-version: '>=1.21.0'
+          go-version: 1.25.0
          cache: false
      - uses: ./../action/init
        with:
@@ -1,6 +1,6 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
+#     pr-checks/sync.sh
 # to regenerate this file.

 name: PR Check - autobuild-action
@@ -1,6 +1,6 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
+#     pr-checks/sync.sh
 # to regenerate this file.

 name: PR Check - Autobuild direct tracing (custom working directory)
@@ -1,6 +1,6 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
+#     pr-checks/sync.sh
 # to regenerate this file.

 name: PR Check - Autobuild direct tracing
@@ -1,6 +1,6 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
+#     pr-checks/sync.sh
 # to regenerate this file.

 name: PR Check - Build mode autobuild
@@ -1,6 +1,6 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
+#     pr-checks/sync.sh
 # to regenerate this file.

 name: PR Check - Build mode manual
@@ -48,7 +48,7 @@ jobs:
      - name: Install Go
        uses: actions/setup-go@v5
        with:
-          go-version: '>=1.21.0'
+          go-version: 1.25.0
          cache: false
      - uses: ./../action/init
        id: init
@@ -1,6 +1,6 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
+#     pr-checks/sync.sh
 # to regenerate this file.

 name: PR Check - Build mode none
@@ -1,6 +1,6 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
+#     pr-checks/sync.sh
 # to regenerate this file.

 name: PR Check - Build mode rollback
@@ -1,9 +1,9 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
+#     pr-checks/sync.sh
 # to regenerate this file.

-name: PR Check - Extract directly to toolcache
+name: 'PR Check - Bundle: Caching checks'
 env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  GO111MODULE: auto
@@ -22,7 +22,7 @@ on:
    - cron: '0 5 * * *'
  workflow_dispatch: {}
 jobs:
-  extract-direct-to-toolcache:
+  bundle-toolcache:
    strategy:
      fail-fast: false
      matrix:
@@ -33,7 +33,7 @@ jobs:
            version: linked
          - os: windows-latest
            version: linked
-    name: Extract directly to toolcache
+    name: 'Bundle: Caching checks'
    permissions:
      contents: read
      security-events: read
@@ -92,5 +92,4 @@ jobs:
              throw new Error('Multiple CodeQL versions found in toolcache');
            }
    env:
-      CODEQL_ACTION_EXTRACT_TOOLCACHE: true
      CODEQL_ACTION_TEST_MODE: true
@@ -1,9 +1,9 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
+#     pr-checks/sync.sh
 # to regenerate this file.

-name: PR Check - Zstandard bundle
+name: 'PR Check - Bundle: Zstandard checks'
 env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  GO111MODULE: auto
@@ -22,7 +22,7 @@ on:
    - cron: '0 5 * * *'
  workflow_dispatch: {}
 jobs:
-  zstd-bundle:
+  bundle-zstd:
    strategy:
      fail-fast: false
      matrix:
@@ -33,7 +33,7 @@ jobs:
            version: linked
          - os: windows-latest
            version: linked
-    name: Zstandard bundle
+    name: 'Bundle: Zstandard checks'
    permissions:
      contents: read
      security-events: read
@@ -109,5 +109,4 @@ jobs:
              );
            }
    env:
-      CODEQL_ACTION_ZSTD_BUNDLE: true
      CODEQL_ACTION_TEST_MODE: true
@@ -1,6 +1,6 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
+#     pr-checks/sync.sh
 # to regenerate this file.

 name: PR Check - Clean up database cluster directory
@@ -1,6 +1,6 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
+#     pr-checks/sync.sh
 # to regenerate this file.

 name: PR Check - Config export
@@ -1,6 +1,6 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
+#     pr-checks/sync.sh
 # to regenerate this file.

 name: PR Check - Config input
@@ -1,6 +1,6 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
+#     pr-checks/sync.sh
 # to regenerate this file.

 name: 'PR Check - C/C++: disabling autoinstalling dependencies (Linux)'
@@ -1,6 +1,6 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
+#     pr-checks/sync.sh
 # to regenerate this file.

 name: 'PR Check - C/C++: autoinstalling dependencies is skipped (macOS)'
@@ -1,6 +1,6 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
+#     pr-checks/sync.sh
 # to regenerate this file.

 name: 'PR Check - C/C++: autoinstalling dependencies (Linux)'
@@ -1,6 +1,6 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
+#     pr-checks/sync.sh
 # to regenerate this file.

 name: PR Check - Diagnostic export
@@ -1,6 +1,6 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
+#     pr-checks/sync.sh
 # to regenerate this file.

 name: PR Check - Export file baseline information
@@ -52,7 +52,7 @@ jobs:
      - name: Install Go
        uses: actions/setup-go@v5
        with:
-          go-version: '>=1.21.0'
+          go-version: 1.25.0
          cache: false
      - uses: ./../action/init
        id: init
@@ -1,6 +1,6 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
+#     pr-checks/sync.sh
 # to regenerate this file.

 name: PR Check - Extractor ram and threads options test
@@ -1,6 +1,6 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
+#     pr-checks/sync.sh
 # to regenerate this file.

 name: 'PR Check - Go: Custom queries'
@@ -50,7 +50,7 @@ jobs:
      - name: Install Go
        uses: actions/setup-go@v5
        with:
-          go-version: '>=1.21.0'
+          go-version: 1.25.0
          cache: false
      - uses: ./../action/init
        with:
@@ -1,6 +1,6 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
+#     pr-checks/sync.sh
 # to regenerate this file.

 name: 'PR Check - Go: diagnostic when Go is changed after init step'
@@ -48,7 +48,7 @@ jobs:
      - name: Install Go
        uses: actions/setup-go@v5
        with:
-          go-version: '>=1.21.0'
+          go-version: 1.25.0
          cache: false
      - uses: ./../action/init
        with:
@@ -1,6 +1,6 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
+#     pr-checks/sync.sh
 # to regenerate this file.

 name: 'PR Check - Go: diagnostic when `file` is not installed'
@@ -48,7 +48,7 @@ jobs:
      - name: Install Go
        uses: actions/setup-go@v5
        with:
-          go-version: '>=1.21.0'
+          go-version: 1.25.0
          cache: false
      - name: Remove `file` program
        run: |
@@ -1,6 +1,6 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
+#     pr-checks/sync.sh
 # to regenerate this file.

 name: 'PR Check - Go: workaround for indirect tracing'
@@ -48,7 +48,7 @@ jobs:
      - name: Install Go
        uses: actions/setup-go@v5
        with:
-          go-version: '>=1.21.0'
+          go-version: 1.25.0
          cache: false
      - uses: ./../action/init
        with:
@@ -1,6 +1,6 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
+#     pr-checks/sync.sh
 # to regenerate this file.

 name: 'PR Check - Go: tracing with autobuilder step'
@@ -27,10 +27,6 @@ jobs:
      fail-fast: false
      matrix:
        include:
-          - os: ubuntu-latest
-            version: stable-v2.16.6
-          - os: macos-latest
-            version: stable-v2.16.6
          - os: ubuntu-latest
            version: stable-v2.17.6
          - os: macos-latest
@@ -47,6 +43,10 @@ jobs:
            version: stable-v2.20.7
          - os: macos-latest
            version: stable-v2.20.7
+          - os: ubuntu-latest
+            version: stable-v2.21.4
+          - os: macos-latest
+            version: stable-v2.21.4
          - os: ubuntu-latest
            version: default
          - os: macos-latest
@@ -78,7 +78,7 @@ jobs:
      - name: Install Go
        uses: actions/setup-go@v5
        with:
-          go-version: '>=1.21.0'
+          go-version: 1.25.0
          cache: false
      - uses: ./../action/init
        with:
@@ -1,6 +1,6 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
+#     pr-checks/sync.sh
 # to regenerate this file.

 name: 'PR Check - Go: tracing with custom build steps'
@@ -27,10 +27,6 @@ jobs:
      fail-fast: false
      matrix:
        include:
-          - os: ubuntu-latest
-            version: stable-v2.16.6
-          - os: macos-latest
-            version: stable-v2.16.6
          - os: ubuntu-latest
            version: stable-v2.17.6
          - os: macos-latest
@@ -47,6 +43,10 @@ jobs:
            version: stable-v2.20.7
          - os: macos-latest
            version: stable-v2.20.7
+          - os: ubuntu-latest
+            version: stable-v2.21.4
+          - os: macos-latest
+            version: stable-v2.21.4
          - os: ubuntu-latest
            version: default
          - os: macos-latest
@@ -78,7 +78,7 @@ jobs:
      - name: Install Go
        uses: actions/setup-go@v5
        with:
-          go-version: '>=1.21.0'
+          go-version: 1.25.0
          cache: false
      - uses: ./../action/init
        with:
@@ -1,6 +1,6 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
+#     pr-checks/sync.sh
 # to regenerate this file.

 name: 'PR Check - Go: tracing with legacy workflow'
@@ -27,10 +27,6 @@ jobs:
      fail-fast: false
      matrix:
        include:
-          - os: ubuntu-latest
-            version: stable-v2.16.6
-          - os: macos-latest
-            version: stable-v2.16.6
          - os: ubuntu-latest
            version: stable-v2.17.6
          - os: macos-latest
@@ -47,6 +43,10 @@ jobs:
            version: stable-v2.20.7
          - os: macos-latest
            version: stable-v2.20.7
+          - os: ubuntu-latest
+            version: stable-v2.21.4
+          - os: macos-latest
+            version: stable-v2.21.4
          - os: ubuntu-latest
            version: default
          - os: macos-latest
@@ -78,7 +78,7 @@ jobs:
      - name: Install Go
        uses: actions/setup-go@v5
        with:
-          go-version: '>=1.21.0'
+          go-version: 1.25.0
          cache: false
      - uses: ./../action/init
        with:
@@ -1,6 +1,6 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
+#     pr-checks/sync.sh
 # to regenerate this file.

 name: 'PR Check - Packaging: Download using registries'
@@ -1,6 +1,6 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
+#     pr-checks/sync.sh
 # to regenerate this file.

 name: PR Check - Custom source root
@@ -1,6 +1,6 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
+#     pr-checks/sync.sh
 # to regenerate this file.

 name: PR Check - Job run UUID added to SARIF
@@ -1,6 +1,6 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
+#     pr-checks/sync.sh
 # to regenerate this file.

 name: PR Check - Language aliases
@@ -1,6 +1,6 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
+#     pr-checks/sync.sh
 # to regenerate this file.

 name: PR Check - Multi-language repository
@@ -27,10 +27,6 @@ jobs:
      fail-fast: false
      matrix:
        include:
-          - os: macos-latest
-            version: stable-v2.16.6
-          - os: ubuntu-latest
-            version: stable-v2.16.6
          - os: macos-latest
            version: stable-v2.17.6
          - os: ubuntu-latest
@@ -47,6 +43,10 @@ jobs:
            version: stable-v2.20.7
          - os: ubuntu-latest
            version: stable-v2.20.7
+          - os: macos-latest
+            version: stable-v2.21.4
+          - os: ubuntu-latest
+            version: stable-v2.21.4
          - os: macos-latest
            version: default
          - os: ubuntu-latest
@@ -78,7 +78,7 @@ jobs:
      - name: Install Go
        uses: actions/setup-go@v5
        with:
-          go-version: '>=1.21.0'
+          go-version: 1.25.0
          cache: false
      - uses: ./../action/init
        id: init
@@ -0,0 +1,69 @@
+# Warning: This file is generated automatically, and should not be modified.
+# Instead, please modify the template in the pr-checks directory and run:
+#     pr-checks/sync.sh
+# to regenerate this file.
+
+name: PR Check - Overlay database init fallback
+env:
+  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+  GO111MODULE: auto
+on:
+  push:
+    branches:
+      - main
+      - releases/v*
+  pull_request:
+    types:
+      - opened
+      - synchronize
+      - reopened
+      - ready_for_review
+  schedule:
+    - cron: '0 5 * * *'
+  workflow_dispatch: {}
+jobs:
+  overlay-init-fallback:
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - os: ubuntu-latest
+            version: linked
+          - os: ubuntu-latest
+            version: nightly-latest
+    name: Overlay database init fallback
+    permissions:
+      contents: read
+      security-events: read
+    timeout-minutes: 45
+    runs-on: ${{ matrix.os }}
+    steps:
+      - name: Check out repository
+        uses: actions/checkout@v4
+      - name: Prepare test
+        id: prepare-test
+        uses: ./.github/actions/prepare-test
+        with:
+          version: ${{ matrix.version }}
+          use-all-platform-bundle: 'false'
+          setup-kotlin: 'true'
+      - uses: ./../action/init
+        with:
+          languages: actions # Any language without overlay support will do
+          tools: ${{ steps.prepare-test.outputs.tools-url }}
+        env:
+          CODEQL_OVERLAY_DATABASE_MODE: overlay-base
+      - uses: ./../action/analyze
+        id: analysis
+        with:
+          upload-database: false
+      - name: Check database
+        shell: bash
+        run: |
+          cd "$RUNNER_TEMP/codeql_databases/actions"
+          if ! grep -q 'overlayBaseDatabase: false' codeql-database.yml ; then
+            echo "This test needs to be updated to use a non-overlay language."
+            exit 1
+          fi
+    env:
+      CODEQL_ACTION_TEST_MODE: true
@@ -1,6 +1,6 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
+#     pr-checks/sync.sh
 # to regenerate this file.

 name: 'PR Check - Packaging: Config and input passed to the CLI'
@@ -64,7 +64,7 @@ jobs:
      - name: Install Go
        uses: actions/setup-go@v5
        with:
-          go-version: '>=1.21.0'
+          go-version: 1.25.0
          cache: false
      - uses: ./../action/init
        with:
@@ -1,6 +1,6 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
+#     pr-checks/sync.sh
 # to regenerate this file.

 name: 'PR Check - Packaging: Config and input'
@@ -64,7 +64,7 @@ jobs:
      - name: Install Go
        uses: actions/setup-go@v5
        with:
-          go-version: '>=1.21.0'
+          go-version: 1.25.0
          cache: false
      - uses: ./../action/init
        with:
@@ -1,6 +1,6 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
+#     pr-checks/sync.sh
 # to regenerate this file.

 name: 'PR Check - Packaging: Config file'
@@ -64,7 +64,7 @@ jobs:
      - name: Install Go
        uses: actions/setup-go@v5
        with:
-          go-version: '>=1.21.0'
+          go-version: 1.25.0
          cache: false
      - uses: ./../action/init
        with:
@@ -1,6 +1,6 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
+#     pr-checks/sync.sh
 # to regenerate this file.

 name: 'PR Check - Packaging: Action input'
@@ -64,7 +64,7 @@ jobs:
      - name: Install Go
        uses: actions/setup-go@v5
        with:
-          go-version: '>=1.21.0'
+          go-version: 1.25.0
          cache: false
      - uses: ./../action/init
        with:
@@ -1,6 +1,6 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
+#     pr-checks/sync.sh
 # to regenerate this file.

 name: PR Check - Quality queries input
@@ -1,6 +1,6 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
+#     pr-checks/sync.sh
 # to regenerate this file.

 name: PR Check - Remote config file
@@ -50,7 +50,7 @@ jobs:
      - name: Install Go
        uses: actions/setup-go@v5
        with:
-          go-version: '>=1.21.0'
+          go-version: 1.25.0
          cache: false
      - uses: ./../action/init
        with:
@@ -1,6 +1,6 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
+#     pr-checks/sync.sh
 # to regenerate this file.

 name: PR Check - Resolve environment
@@ -1,6 +1,6 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
+#     pr-checks/sync.sh
 # to regenerate this file.

 name: PR Check - RuboCop multi-language
@@ -46,7 +46,7 @@ jobs:
          use-all-platform-bundle: 'false'
          setup-kotlin: 'true'
      - name: Set up Ruby
-        uses: ruby/setup-ruby@a4effe49ee8ee5b8b5091268c473a4628afb5651 # v1.245.0
+        uses: ruby/setup-ruby@2a7b30092b0caf9c046252510f9273b4875f3db9 # v1.254.0
        with:
          ruby-version: 2.6
      - name: Install Code Scanning integration
@@ -1,6 +1,6 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
+#     pr-checks/sync.sh
 # to regenerate this file.

 name: PR Check - Ruby analysis
@@ -1,6 +1,6 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
+#     pr-checks/sync.sh
 # to regenerate this file.

 name: PR Check - Rust analysis
@@ -27,6 +27,10 @@ jobs:
      fail-fast: false
      matrix:
        include:
+          - os: ubuntu-latest
+            version: stable-v2.19.3
+          - os: ubuntu-latest
+            version: stable-v2.22.1
          - os: ubuntu-latest
            version: linked
          - os: ubuntu-latest
@@ -53,8 +57,6 @@ jobs:
        with:
          languages: rust
          tools: ${{ steps.prepare-test.outputs.tools-url }}
-        env:
-          CODEQL_ACTION_RUST_ANALYSIS: true
      - uses: ./../action/analyze
        id: analysis
        with:
@@ -1,6 +1,6 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
+#     pr-checks/sync.sh
 # to regenerate this file.

 name: PR Check - Split workflow
@@ -58,7 +58,7 @@ jobs:
      - name: Install Go
        uses: actions/setup-go@v5
        with:
-          go-version: '>=1.21.0'
+          go-version: 1.25.0
          cache: false
      - uses: ./../action/init
        with:
@@ -1,6 +1,6 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
+#     pr-checks/sync.sh
 # to regenerate this file.

 name: PR Check - Start proxy
@@ -1,6 +1,6 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
+#     pr-checks/sync.sh
 # to regenerate this file.

 name: PR Check - Submit SARIF after failure
@@ -1,6 +1,6 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
+#     pr-checks/sync.sh
 # to regenerate this file.

 name: PR Check - Swift analysis using autobuild
@@ -1,6 +1,6 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
+#     pr-checks/sync.sh
 # to regenerate this file.

 name: PR Check - Swift analysis using a custom build command
@@ -52,7 +52,7 @@ jobs:
      - name: Install Go
        uses: actions/setup-go@v5
        with:
-          go-version: '>=1.21.0'
+          go-version: 1.25.0
          cache: false
      - uses: ./../action/init
        id: init
@@ -1,6 +1,6 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
+#     pr-checks/sync.sh
 # to regenerate this file.

 name: PR Check - Autobuild working directory
@@ -1,6 +1,6 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
+#     pr-checks/sync.sh
 # to regenerate this file.

 name: PR Check - Local CodeQL bundle
@@ -48,7 +48,7 @@ jobs:
      - name: Install Go
        uses: actions/setup-go@v5
        with:
-          go-version: '>=1.21.0'
+          go-version: 1.25.0
          cache: false
      - name: Fetch a CodeQL bundle
        shell: bash
@@ -1,6 +1,6 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
+#     pr-checks/sync.sh
 # to regenerate this file.

 name: PR Check - Proxy test
@@ -1,6 +1,6 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
+#     pr-checks/sync.sh
 # to regenerate this file.

 name: PR Check - Test unsetting environment variables
@@ -50,7 +50,7 @@ jobs:
      - name: Install Go
        uses: actions/setup-go@v5
        with:
-          go-version: '>=1.21.0'
+          go-version: 1.25.0
          cache: false
      - uses: ./../action/init
        id: init
@@ -1,6 +1,6 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
+#     pr-checks/sync.sh
 # to regenerate this file.

 name: 'PR Check - Upload-sarif: code quality endpoint'
@@ -52,7 +52,7 @@ jobs:
      - name: Install Go
        uses: actions/setup-go@v5
        with:
-          go-version: '>=1.21.0'
+          go-version: 1.25.0
          cache: false
      - uses: ./../action/init
        with:
@@ -1,6 +1,6 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
+#     pr-checks/sync.sh
 # to regenerate this file.

 name: "PR Check - Upload-sarif: 'ref' and 'sha' from inputs"
@@ -52,7 +52,7 @@ jobs:
      - name: Install Go
        uses: actions/setup-go@v5
        with:
-          go-version: '>=1.21.0'
+          go-version: 1.25.0
          cache: false
      - uses: ./../action/init
        with:
@@ -1,6 +1,6 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
+#     pr-checks/sync.sh
 # to regenerate this file.

 name: PR Check - Use a custom `checkout_path`
@@ -52,7 +52,7 @@ jobs:
      - name: Install Go
        uses: actions/setup-go@v5
        with:
-          go-version: '>=1.21.0'
+          go-version: 1.25.0
          cache: false
      - name: Delete original checkout
        shell: bash
@@ -1,110 +0,0 @@
-# Warning: This file is generated automatically, and should not be modified.
-# Instead, please modify the template in the pr-checks directory and run:
-#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
-# to regenerate this file.
-
-name: PR Check - Zstandard bundle (streaming)
-env:
-  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-  GO111MODULE: auto
-on:
-  push:
-    branches:
-      - main
-      - releases/v*
-  pull_request:
-    types:
-      - opened
-      - synchronize
-      - reopened
-      - ready_for_review
-  schedule:
-    - cron: '0 5 * * *'
-  workflow_dispatch: {}
-jobs:
-  zstd-bundle-streaming:
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - os: macos-latest
-            version: linked
-          - os: ubuntu-latest
-            version: linked
-    name: Zstandard bundle (streaming)
-    permissions:
-      contents: read
-      security-events: read
-    timeout-minutes: 45
-    runs-on: ${{ matrix.os }}
-    steps:
-      - name: Check out repository
-        uses: actions/checkout@v4
-      - name: Prepare test
-        id: prepare-test
-        uses: ./.github/actions/prepare-test
-        with:
-          version: ${{ matrix.version }}
-          use-all-platform-bundle: 'false'
-          setup-kotlin: 'true'
-      - name: Remove CodeQL from toolcache
-        uses: actions/github-script@v7
-        with:
-          script: |
-            const fs = require('fs');
-            const path = require('path');
-            const codeqlPath = path.join(process.env['RUNNER_TOOL_CACHE'], 'CodeQL');
-            if (codeqlPath !== undefined) {
-              fs.rmdirSync(codeqlPath, { recursive: true });
-            }
-      - id: init
-        uses: ./../action/init
-        with:
-          languages: javascript
-          tools: ${{ steps.prepare-test.outputs.tools-url }}
-      - uses: ./../action/analyze
-        with:
-          output: ${{ runner.temp }}/results
-          upload-database: false
-      - name: Upload SARIF
-        uses: actions/upload-artifact@v4
-        with:
-          name: ${{ matrix.os }}-zstd-bundle.sarif
-          path: ${{ runner.temp }}/results/javascript.sarif
-          retention-days: 7
-      - name: Check diagnostic with expected tools URL appears in SARIF
-        uses: actions/github-script@v7
-        env:
-          SARIF_PATH: ${{ runner.temp }}/results/javascript.sarif
-        with:
-          script: |
-            const fs = require('fs');
-
-            const sarif = JSON.parse(fs.readFileSync(process.env['SARIF_PATH'], 'utf8'));
-            const run = sarif.runs[0];
-
-            const toolExecutionNotifications = run.invocations[0].toolExecutionNotifications;
-            const downloadTelemetryNotifications = toolExecutionNotifications.filter(n =>
-              n.descriptor.id === 'codeql-action/bundle-download-telemetry'
-            );
-            if (downloadTelemetryNotifications.length !== 1) {
-              core.setFailed(
-                'Expected exactly one reporting descriptor in the ' +
-                  `'runs[].invocations[].toolExecutionNotifications[]' SARIF property, but found ` +
-                  `${downloadTelemetryNotifications.length}. All notification reporting descriptors: ` +
-                  `${JSON.stringify(toolExecutionNotifications)}.`
-              );
-            }
-
-            const toolsUrl = downloadTelemetryNotifications[0].properties.attributes.toolsUrl;
-            console.log(`Found tools URL: ${toolsUrl}`);
-
-            if (!toolsUrl.endsWith('.tar.zst')) {
-              core.setFailed(
-                `Expected the tools URL to be a .tar.zst file, but found ${toolsUrl}.`
-              );
-            }
-    env:
-      CODEQL_ACTION_ZSTD_BUNDLE: true
-      CODEQL_ACTION_ZSTD_BUNDLE_STREAMING_EXTRACTION: true
-      CODEQL_ACTION_TEST_MODE: true
@@ -67,12 +67,6 @@ jobs:
        with:
          python-version: 3.11

-      - name: Install dependencies
-        run: |
-          python -m pip install --upgrade pip
-          # When updating this, update the autogenerated code header in `sync.py` too.
-          pip install ruamel.yaml==0.17.31
-
      # Ensure the generated PR check workflows are up to date.
      - name: Verify PR checks up to date
        run: .github/workflows/script/verify-pr-checks.sh
@@ -9,7 +9,7 @@ jobs:
  rebuild:
    name: Rebuild Action
    runs-on: ubuntu-latest
-    if: github.event.label.name == 'Rebuild'
+    if: github.event.label.name == 'Rebuild' || github.event_name == 'workflow_dispatch'

    permissions:
      contents: write # needed to push rebuilt commit
@@ -18,9 +18,11 @@ jobs:
      - name: Checkout
        uses: actions/checkout@v4
        with:
-          ref: ${{ github.event.pull_request.head.ref }}
+          fetch-depth: 0
+          ref: ${{ github.event.pull_request.head.ref || github.event.ref }}

      - name: Remove label
+        if: github.event_name == 'pull_request'
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          PR_NUMBER: ${{ github.event.pull_request.number }}
@@ -28,21 +30,35 @@ jobs:
          gh pr edit --repo github/codeql-action "$PR_NUMBER" \
            --remove-label "Rebuild"

+      - name: Configure git
+        run: |
+          git config --global user.email "41898282+github-actions[bot]@users.noreply.github.com"
+          git config --global user.name "github-actions[bot]"
+
      - name: Merge in changes from base branch
+        id: merge
        env:
-          BASE_BRANCH: ${{ github.event.pull_request.base.ref }}
+          BASE_BRANCH: ${{ github.event.pull_request.base.ref || 'main' }}
        run: |
          git fetch origin "$BASE_BRANCH"

          # Allow merge conflicts in `lib`, since rebuilding should resolve them.
-          git merge "origin/$BASE_BRANCH" || echo "Merge conflicts detected"
+          git merge "origin/$BASE_BRANCH" || echo "Merge conflicts detected, continuing."
+          MERGE_RESULT=$?

-          # Check for merge conflicts outside of `lib`. Disable git diff's trailing whitespace check
-          # since `node_modules/@types/semver/README.md` fails it.
-          if git -c core.whitespace=-trailing-space diff --check | grep --invert-match '^lib/'; then
-            echo "Merge conflicts detected outside of lib/ directory. Please resolve them manually."
-            git -c core.whitespace=-trailing-space diff --check | grep --invert-match '^lib/' || true
-            exit 1
+          if [ "$MERGE_RESULT" -ne 0 ]; then
+            echo "merge-in-progress=true" >> $GITHUB_OUTPUT
+
+            # Check for merge conflicts outside of `lib`. Disable git diff's trailing whitespace check
+            # since `node_modules/@types/semver/README.md` fails it.
+            if git -c core.whitespace=-trailing-space diff --check | grep --invert-match '^lib/'; then
+              echo "Merge conflicts were detected outside of the lib directory. Please resolve them manually."
+              git -c core.whitespace=-trailing-space diff --check | grep --invert-match '^lib/' || true
+              exit 1
+            fi
+
+            echo "No merge conflicts found outside the lib directory. We should be able to resolve all of" \
+              "these by rebuilding the Action."
          fi

      - name: Compile TypeScript
@@ -63,20 +79,49 @@ jobs:
          pip install ruamel.yaml==0.17.31
          python3 sync.py

-      - name: Check for changes and push
+      - name: "Merge in progress: Finish merge and push"
+        if: steps.merge.outputs.merge-in-progress == 'true'
+        run: |
+          echo "Finishing merge and pushing changes."
+          git add --all
+          git commit --no-edit
+          git push
+
+      - name: "No merge in progress: Check for changes and push"
+        if: steps.merge.outputs.merge-in-progress != 'true'
+        id: push
+        run: |
+          if [ ! -z "$(git status --porcelain)" ]; then
+            echo "Changes detected, committing and pushing."
+            git add --all
+            # If the merge originally had conflicts, finish the merge.
+            # Otherwise, just commit the changes.
+            if git rev-parse --verify MERGE_HEAD >/dev/null 2>&1; then
+              echo "In progress merge detected, finishing it up."
+              git merge --continue
+            else
+              echo "No in-progress merge detected, committing changes."
+              git commit -m "Rebuild"
+            fi
+            echo "Pushing changes"
+            git push
+            echo "changes=true" >> $GITHUB_OUTPUT
+          else
+            echo "No changes detected, nothing to commit."
+          fi
+
+      - name: Notify about rebuild
+        if: >-
+          github.event_name == 'pull_request' &&
+            (
+              steps.merge.outputs.merge-in-progress == 'true' ||
+              steps.push.outputs.changes == 'true'
+            )
        env:
-          BRANCH: ${{ github.event.pull_request.head.ref }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          PR_NUMBER: ${{ github.event.pull_request.number }}
        run: |
-          if [ ! -z "$(git status --porcelain)" ]; then
-            git config --global user.email "41898282+github-actions[bot]@users.noreply.github.com"
-            git config --global user.name "github-actions[bot]"
-            git add --all
-            git commit -m "Rebuild"
-            git push origin "HEAD:$BRANCH"
-            echo "Pushed a commit to rebuild the Action." \
-              "Please mark the PR as ready for review to trigger PR checks." |
-              gh pr comment --body-file - --repo github/codeql-action "$PR_NUMBER"
-            gh pr ready --undo --repo github/codeql-action "$PR_NUMBER"
-          fi
+          echo "Pushed a commit to rebuild the Action." \
+            "Please mark the PR as ready for review to trigger PR checks." |
+            gh pr comment --body-file - --repo github/codeql-action "$PR_NUMBER"
+          gh pr ready --undo --repo github/codeql-action "$PR_NUMBER"
@@ -12,7 +12,7 @@ fi
 rm -rf .github/workflows/__*

 # Generate the PR checks
-cd pr-checks && python3 sync.py
+pr-checks/sync.sh

 # Check that repo is still clean
 if [ ! -z "$(git status --porcelain)" ]; then
@@ -6,6 +6,31 @@ See the [releases page](https://github.com/github/codeql-action/releases) for th

 No user facing changes.

+## 3.29.8 - 08 Aug 2025
+
+- Fix an issue where the Action would autodetect unsupported languages such as HTML. [#3015](https://github.com/github/codeql-action/pull/3015)
+
+## 3.29.7 - 07 Aug 2025
+
+This release rolls back 3.29.6 to address issues with language autodetection. It is identical to 3.29.5.
+
+## 3.29.6 - 07 Aug 2025
+
+- The `cleanup-level` input to the `analyze` Action is now deprecated. The CodeQL Action has written a limited amount of intermediate results to the database since version 2.2.5, and now automatically manages cleanup. [#2999](https://github.com/github/codeql-action/pull/2999)
+- Update default CodeQL bundle version to 2.22.3. [#3000](https://github.com/github/codeql-action/pull/3000)
+
+## 3.29.5 - 29 Jul 2025
+
+- Update default CodeQL bundle version to 2.22.2. [#2986](https://github.com/github/codeql-action/pull/2986)
+
+## 3.29.4 - 23 Jul 2025
+
+No user facing changes.
+
+## 3.29.3 - 21 Jul 2025
+
+No user facing changes.
+
 ## 3.29.2 - 30 Jun 2025

 - Experimental: When the `quality-queries` input for the `init` action is provided with an argument, separate `.quality.sarif` files are produced and uploaded for each language with the results of the specified queries. Do not use this in production as it is part of an internal experiment and subject to change at any time. [#2935](https://github.com/github/codeql-action/pull/2935)
@@ -20,6 +45,14 @@ No user facing changes.
 - Update default CodeQL bundle version to 2.22.0. [#2925](https://github.com/github/codeql-action/pull/2925)
 - Bump minimum CodeQL bundle version to 2.16.6. [#2912](https://github.com/github/codeql-action/pull/2912)

+## 3.28.21 - 28 July 2025
+
+No user facing changes.
+
+## 3.28.20 - 21 July 2025
+
+- Remove support for combining SARIF files from a single upload for GHES 3.18, see [the changelog post](https://github.blog/changelog/2024-05-06-code-scanning-will-stop-combining-runs-from-a-single-upload/). [#2959](https://github.com/github/codeql-action/pull/2959)
+
 ## 3.28.19 - 03 Jun 2025

 - The CodeQL Action no longer includes its own copy of the extractor for the `actions` language, which is currently in public preview.
@@ -70,11 +70,11 @@ We typically release new minor versions of the CodeQL Action and Bundle when a n

 | Minimum CodeQL Action | Minimum CodeQL Bundle Version | GitHub Environment | Notes |
 |-----------------------|-------------------------------|--------------------|-------|
+| `v3.28.21`  | `2.21.3` | Enterprise Server 3.18 | |
 | `v3.28.12`  | `2.20.7` | Enterprise Server 3.17 | |
 | `v3.28.6`  | `2.20.3` | Enterprise Server 3.16 | |
 | `v3.28.6`  | `2.20.3` | Enterprise Server 3.15 | |
 | `v3.28.6` | `2.20.3` | Enterprise Server 3.14 | |
-| `v3.28.6` | `2.20.3` | Enterprise Server 3.13 | |

 See the full list of GHES release and deprecation dates at [GitHub Enterprise Server releases](https://docs.github.com/en/enterprise-server/admin/all-releases#releases-of-github-enterprise-server).

@@ -19,9 +19,10 @@ inputs:
    # If changing this, make sure to update workflow.ts accordingly.
    default: "always"
  cleanup-level:
-    description: "Level of cleanup to perform on CodeQL databases at the end of the analyze step. This should either be 'none' to skip cleanup, or be a valid argument for the --cache-cleanup flag of the CodeQL CLI command 'codeql database cleanup' as documented at https://codeql.github.com/docs/codeql-cli/manual/database-cleanup"
+    description: >-
+      DEPRECATED. This option is ignored since, for performance reasons, the CodeQL Action automatically
+      manages cleanup of intermediate results.
    required: false
-    default: "brutal"
  ram:
    description: >-
      The amount of memory in MB that can be used by CodeQL for database finalization and query execution.
@@ -138,6 +138,7 @@ export default [
    rules: {
      "@typescript-eslint/no-explicit-any": "off",
      "@typescript-eslint/no-unsafe-assignment": "off",
+      "@typescript-eslint/no-unsafe-enum-comparison": "off",
      "@typescript-eslint/no-unsafe-member-access": "off",
      "@typescript-eslint/no-var-requires": "off",
      "@typescript-eslint/prefer-regexp-exec": "off",
@@ -51,6 +51,7 @@ exports.ensureEndsInPeriod = ensureEndsInPeriod;
 exports.runTool = runTool;
 exports.getPullRequestBranches = getPullRequestBranches;
 exports.isAnalyzingPullRequest = isAnalyzingPullRequest;
+exports.fixCodeQualityCategory = fixCodeQualityCategory;
 const fs = __importStar(require("fs"));
 const path = __importStar(require("path"));
 const core = __importStar(require("@actions/core"));
@@ -264,7 +265,7 @@ function prettyPrintInvocation(cmd, args) {
 * An error from a tool invocation, with associated exit code, stderr, etc.
 */
 class CommandInvocationError extends Error {
-    constructor(cmd, args, exitCode, stderr, stdout) {
+    constructor(cmd, args, exitCode, stderr, stdout = "") {
        const prettyCommand = prettyPrintInvocation(cmd, args);
        const lastLine = ensureEndsInPeriod(stderr.trim().split("\n").pop()?.trim() || "n/a");
        super(`Failed to run "${prettyCommand}". ` +
@@ -392,4 +393,38 @@ function getPullRequestBranches() {
 function isAnalyzingPullRequest() {
    return getPullRequestBranches() !== undefined;
 }
+/**
+ * A workaround for code quality to map category names from old default setup workflows
+ * to ones that the code quality service expects.
+ */
+const qualityCategoryMapping = {
+    "c#": "csharp",
+    cpp: "c-cpp",
+    c: "c-cpp",
+    "c++": "c-cpp",
+    java: "java-kotlin",
+    javascript: "javascript-typescript",
+    typescript: "javascript-typescript",
+    kotlin: "java-kotlin",
+};
+/** Adjusts the category string for a Code Quality SARIF file if an "old"
+ * category identifier is used by Default Setup.
+ */
+function fixCodeQualityCategory(logger, category) {
+    // The `category` should always be set by Default Setup. We perform this check
+    // to avoid potential issues if Code Quality supports Advanced Setup in the future
+    // and before this workaround is removed.
+    if (category !== undefined &&
+        isDefaultSetup() &&
+        category.startsWith("/language:")) {
+        const language = category.substring("/language:".length);
+        const mappedLanguage = qualityCategoryMapping[language];
+        if (mappedLanguage) {
+            const newCategory = `/language:${mappedLanguage}`;
+            logger.info(`Adjusted category for Code Quality from '${category}' to '${newCategory}'.`);
+            return newCategory;
+        }
+    }
+    return category;
+}
 //# sourceMappingURL=actions-util.js.map
@@ -41,6 +41,7 @@ const ava_1 = __importDefault(require("ava"));
 const actions_util_1 = require("./actions-util");
 const api_client_1 = require("./api-client");
 const environment_1 = require("./environment");
+const logging_1 = require("./logging");
 const testing_utils_1 = require("./testing-utils");
 const util_1 = require("./util");
 (0, testing_utils_1.setupTests)(ava_1.default);
@@ -165,4 +166,27 @@ function withMockedEnv(envVars, testFn) {
    (0, util_1.initializeEnvironment)("1.2.3");
    t.deepEqual(process.env[environment_1.EnvVar.VERSION], "1.2.3");
 });
+(0, ava_1.default)("fixCodeQualityCategory", (t) => {
+    withMockedEnv({
+        GITHUB_EVENT_NAME: "dynamic",
+    }, () => {
+        const logger = (0, logging_1.getRunnerLogger)(true);
+        // Categories that should get adjusted.
+        t.is((0, actions_util_1.fixCodeQualityCategory)(logger, "/language:c#"), "/language:csharp");
+        t.is((0, actions_util_1.fixCodeQualityCategory)(logger, "/language:cpp"), "/language:c-cpp");
+        t.is((0, actions_util_1.fixCodeQualityCategory)(logger, "/language:c"), "/language:c-cpp");
+        t.is((0, actions_util_1.fixCodeQualityCategory)(logger, "/language:java"), "/language:java-kotlin");
+        t.is((0, actions_util_1.fixCodeQualityCategory)(logger, "/language:javascript"), "/language:javascript-typescript");
+        t.is((0, actions_util_1.fixCodeQualityCategory)(logger, "/language:typescript"), "/language:javascript-typescript");
+        t.is((0, actions_util_1.fixCodeQualityCategory)(logger, "/language:kotlin"), "/language:java-kotlin");
+        // Categories that should not get adjusted.
+        t.is((0, actions_util_1.fixCodeQualityCategory)(logger, "/language:csharp"), "/language:csharp");
+        t.is((0, actions_util_1.fixCodeQualityCategory)(logger, "/language:go"), "/language:go");
+        t.is((0, actions_util_1.fixCodeQualityCategory)(logger, "/language:actions"), "/language:actions");
+        // Other cases.
+        t.is((0, actions_util_1.fixCodeQualityCategory)(logger, undefined), undefined);
+        t.is((0, actions_util_1.fixCodeQualityCategory)(logger, "random string"), "random string");
+        t.is((0, actions_util_1.fixCodeQualityCategory)(logger, "kotlin"), "kotlin");
+    });
+});
 //# sourceMappingURL=actions-util.test.js.map
@@ -78,7 +78,6 @@ const util = __importStar(require("./util"));
        requiredInputStub.withArgs("upload-database").returns("false");
        requiredInputStub.withArgs("output").returns("out");
        const optionalInputStub = sinon.stub(actionsUtil, "getOptionalInput");
-        optionalInputStub.withArgs("cleanup-level").returns("none");
        optionalInputStub.withArgs("expect-error").returns("false");
        sinon.stub(api, "getGitHubVersion").resolves(gitHubVersion);
        (0, testing_utils_1.setupActionsVars)(tmpDir, tmpDir);
@@ -97,8 +96,10 @@ const util = __importStar(require("./util"));
        // runFinalize and runQueries are correctly captured by spies, we explicitly
        // wait for the action promise to complete before starting verification.
        await analyzeAction.runPromise;
+        t.assert(runFinalizeStub.calledOnce);
        t.deepEqual(runFinalizeStub.firstCall.args[1], "--threads=-1");
        t.deepEqual(runFinalizeStub.firstCall.args[2], "--ram=4992");
+        t.assert(runQueriesStub.calledOnce);
        t.deepEqual(runQueriesStub.firstCall.args[3], "--threads=-1");
        t.deepEqual(runQueriesStub.firstCall.args[1], "--ram=4992");
    });
@@ -1 +1 @@
-{"version":3,"file":"analyze-action-env.test.js","sourceRoot":"","sources":["../src/analyze-action-env.test.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA,8CAAuB;AACvB,6CAA+B;AAE/B,4DAA8C;AAC9C,mDAAqC;AACrC,kDAAoC;AACpC,4DAA8C;AAC9C,sDAAwC;AACxC,8DAAgD;AAChD,mDAIyB;AACzB,6CAA+B;AAE/B,IAAA,0BAAU,EAAC,aAAI,CAAC,CAAC;AAEjB,4EAA4E;AAC5E,4EAA4E;AAC5E,+EAA+E;AAC/E,+EAA+E;AAC/E,gFAAgF;AAChF,iCAAiC;AAEjC,IAAA,aAAI,EAAC,8DAA8D,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;IAC/E,MAAM,IAAI,CAAC,UAAU,CAAC,KAAK,EAAE,MAAM,EAAE,EAAE;QACrC,OAAO,CAAC,GAAG,CAAC,mBAAmB,CAAC,GAAG,IAAI,CAAC,iBAAiB,CAAC;QAC1D,OAAO,CAAC,GAAG,CAAC,mBAAmB,CAAC,GAAG,sCAAsC,CAAC;QAC1E,OAAO,CAAC,GAAG,CAAC,gBAAgB,CAAC,GAAG,wBAAwB,CAAC;QACzD,KAAK;aACF,IAAI,CAAC,YAAY,EAAE,wBAAwB,CAAC;aAC5C,QAAQ,CAAC,EAAmC,CAAC,CAAC;QACjD,KAAK,CAAC,IAAI,CAAC,YAAY,EAAE,kBAAkB,CAAC,CAAC,QAAQ,EAAE,CAAC;QACxD,KAAK,CAAC,IAAI,CAAC,QAAQ,EAAE,0BAA0B,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;QAEhE,MAAM,aAAa,GAAuB;YACxC,IAAI,EAAE,IAAI,CAAC,aAAa,CAAC,MAAM;SAChC,CAAC;QACF,KAAK,CAAC,IAAI,CAAC,WAAW,EAAE,WAAW,CAAC,CAAC,QAAQ,CAAC;YAC5C,aAAa;YACb,sBAAsB,EAAE,EAAE;YAC1B,SAAS,EAAE,EAAE;YACb,KAAK,EAAE,EAAE;YACT,UAAU,EAAE,EAAE;SACkB,CAAC,CAAC;QACpC,MAAM,iBAAiB,GAAG,KAAK,CAAC,IAAI,CAAC,WAAW,EAAE,kBAAkB,CAAC,CAAC;QACtE,iBAAiB,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,OAAO,CAAC,YAAY,CAAC,CAAC;QAC1D,iBAAiB,CAAC,QAAQ,CAAC,iBAAiB,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC;QAC/D,iBAAiB,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC;QACpD,MAAM,iBAAiB,GAAG,KAAK,CAAC,IAAI,CAAC,WAAW,EAAE,kBAAkB,CAAC,CAAC;QACtE,iBAAiB,CAAC,QAAQ,CAAC,eAAe,CAAC,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;QAC5D,iBAAiB,CAAC,QAAQ,CAAC,cAAc,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC;QAC5D,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,kBAAkB,CAAC,CAAC,QAAQ,CAAC,aAAa,CAAC,CAAC;QAC5D,IAAA,gCAAgB,EAAC,MAAM,EAAE,MAAM,CAAC,CAAC;QACjC,IAAA,0CAA0B,EAAC,GAAG,EAAE,EAAE,CAAC,CAAC;QAEpC,uEAAuE;QACvE,0EAA0E;QAC1E,iBAAiB;QACjB,OAAO,CAAC,GAAG,CAAC,gBAAgB,CAAC,GAAG,IAAI,CAAC;QACrC,OAAO,CAAC,GAAG,CAAC,YAAY,CAAC,GAAG,MAAM,CAAC;QAEnC,MAAM,eAAe,GAAG,KAAK,CAAC,IAAI,CAAC,OAAO,EAAE,aAAa,CAAC,CAAC;QAC3D,MAAM,cAAc,GAAG,KAAK,CAAC,IAAI,CAAC,OAAO,EAAE,YAAY,CAAC,CAAC;QACzD,iEAAiE;QACjE,MAAM,aAAa,GAAG,OAAO,CAAC,kBAAkB,CAAC,CAAC;QAElD,uEAAuE;QACvE,oEAAoE;QACpE,4EAA4E;QAC5E,wEAAwE;QACxE,MAAM,aAAa,CAAC,UAAU,CAAC;QAE/B,CAAC,CAAC,SAAS,CAAC,eAAe,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,cAAc,CAAC,CAAC;QAC/D,CAAC,CAAC,SAAS,CAAC,eAAe,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,YAAY,CAAC,CAAC;QAC7D,CAAC,CAAC,SAAS,CAAC,cAAc,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,cAAc,CAAC,CAAC;QAC9D,CAAC,CAAC,SAAS,CAAC,cAAc,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,YAAY,CAAC,CAAC;IAC9D,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}
+{"version":3,"file":"analyze-action-env.test.js","sourceRoot":"","sources":["../src/analyze-action-env.test.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA,8CAAuB;AACvB,6CAA+B;AAE/B,4DAA8C;AAC9C,mDAAqC;AACrC,kDAAoC;AACpC,4DAA8C;AAC9C,sDAAwC;AACxC,8DAAgD;AAChD,mDAIyB;AACzB,6CAA+B;AAE/B,IAAA,0BAAU,EAAC,aAAI,CAAC,CAAC;AAEjB,4EAA4E;AAC5E,4EAA4E;AAC5E,+EAA+E;AAC/E,+EAA+E;AAC/E,gFAAgF;AAChF,iCAAiC;AAEjC,IAAA,aAAI,EAAC,8DAA8D,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;IAC/E,MAAM,IAAI,CAAC,UAAU,CAAC,KAAK,EAAE,MAAM,EAAE,EAAE;QACrC,OAAO,CAAC,GAAG,CAAC,mBAAmB,CAAC,GAAG,IAAI,CAAC,iBAAiB,CAAC;QAC1D,OAAO,CAAC,GAAG,CAAC,mBAAmB,CAAC,GAAG,sCAAsC,CAAC;QAC1E,OAAO,CAAC,GAAG,CAAC,gBAAgB,CAAC,GAAG,wBAAwB,CAAC;QACzD,KAAK;aACF,IAAI,CAAC,YAAY,EAAE,wBAAwB,CAAC;aAC5C,QAAQ,CAAC,EAAmC,CAAC,CAAC;QACjD,KAAK,CAAC,IAAI,CAAC,YAAY,EAAE,kBAAkB,CAAC,CAAC,QAAQ,EAAE,CAAC;QACxD,KAAK,CAAC,IAAI,CAAC,QAAQ,EAAE,0BAA0B,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;QAEhE,MAAM,aAAa,GAAuB;YACxC,IAAI,EAAE,IAAI,CAAC,aAAa,CAAC,MAAM;SAChC,CAAC;QACF,KAAK,CAAC,IAAI,CAAC,WAAW,EAAE,WAAW,CAAC,CAAC,QAAQ,CAAC;YAC5C,aAAa;YACb,sBAAsB,EAAE,EAAE;YAC1B,SAAS,EAAE,EAAE;YACb,KAAK,EAAE,EAAE;YACT,UAAU,EAAE,EAAE;SACkB,CAAC,CAAC;QACpC,MAAM,iBAAiB,GAAG,KAAK,CAAC,IAAI,CAAC,WAAW,EAAE,kBAAkB,CAAC,CAAC;QACtE,iBAAiB,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,OAAO,CAAC,YAAY,CAAC,CAAC;QAC1D,iBAAiB,CAAC,QAAQ,CAAC,iBAAiB,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC;QAC/D,iBAAiB,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC;QACpD,MAAM,iBAAiB,GAAG,KAAK,CAAC,IAAI,CAAC,WAAW,EAAE,kBAAkB,CAAC,CAAC;QACtE,iBAAiB,CAAC,QAAQ,CAAC,cAAc,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC;QAC5D,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,kBAAkB,CAAC,CAAC,QAAQ,CAAC,aAAa,CAAC,CAAC;QAC5D,IAAA,gCAAgB,EAAC,MAAM,EAAE,MAAM,CAAC,CAAC;QACjC,IAAA,0CAA0B,EAAC,GAAG,EAAE,EAAE,CAAC,CAAC;QAEpC,uEAAuE;QACvE,0EAA0E;QAC1E,iBAAiB;QACjB,OAAO,CAAC,GAAG,CAAC,gBAAgB,CAAC,GAAG,IAAI,CAAC;QACrC,OAAO,CAAC,GAAG,CAAC,YAAY,CAAC,GAAG,MAAM,CAAC;QAEnC,MAAM,eAAe,GAAG,KAAK,CAAC,IAAI,CAAC,OAAO,EAAE,aAAa,CAAC,CAAC;QAC3D,MAAM,cAAc,GAAG,KAAK,CAAC,IAAI,CAAC,OAAO,EAAE,YAAY,CAAC,CAAC;QACzD,iEAAiE;QACjE,MAAM,aAAa,GAAG,OAAO,CAAC,kBAAkB,CAAC,CAAC;QAElD,uEAAuE;QACvE,oEAAoE;QACpE,4EAA4E;QAC5E,wEAAwE;QACxE,MAAM,aAAa,CAAC,UAAU,CAAC;QAE/B,CAAC,CAAC,MAAM,CAAC,eAAe,CAAC,UAAU,CAAC,CAAC;QACrC,CAAC,CAAC,SAAS,CAAC,eAAe,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,cAAc,CAAC,CAAC;QAC/D,CAAC,CAAC,SAAS,CAAC,eAAe,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,YAAY,CAAC,CAAC;QAC7D,CAAC,CAAC,MAAM,CAAC,cAAc,CAAC,UAAU,CAAC,CAAC;QACpC,CAAC,CAAC,SAAS,CAAC,cAAc,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,cAAc,CAAC,CAAC;QAC9D,CAAC,CAAC,SAAS,CAAC,cAAc,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,YAAY,CAAC,CAAC;IAC9D,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}
@@ -77,7 +77,6 @@ const util = __importStar(require("./util"));
        requiredInputStub.withArgs("upload-database").returns("false");
        requiredInputStub.withArgs("output").returns("out");
        const optionalInputStub = sinon.stub(actionsUtil, "getOptionalInput");
-        optionalInputStub.withArgs("cleanup-level").returns("none");
        optionalInputStub.withArgs("expect-error").returns("false");
        sinon.stub(api, "getGitHubVersion").resolves(gitHubVersion);
        sinon.stub(gitUtils, "isAnalyzingDefaultBranch").resolves(true);
@@ -97,8 +96,10 @@ const util = __importStar(require("./util"));
        // runFinalize and runQueries are correctly captured by spies, we explicitly
        // wait for the action promise to complete before starting verification.
        await analyzeAction.runPromise;
+        t.assert(runFinalizeStub.calledOnce);
        t.deepEqual(runFinalizeStub.firstCall.args[1], "--threads=-1");
        t.deepEqual(runFinalizeStub.firstCall.args[2], "--ram=3012");
+        t.assert(runQueriesStub.calledOnce);
        t.deepEqual(runQueriesStub.firstCall.args[3], "--threads=-1");
        t.deepEqual(runQueriesStub.firstCall.args[1], "--ram=3012");
    });
@@ -1 +1 @@
-{"version":3,"file":"analyze-action-input.test.js","sourceRoot":"","sources":["../src/analyze-action-input.test.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA,8CAAuB;AACvB,6CAA+B;AAE/B,4DAA8C;AAC9C,mDAAqC;AACrC,kDAAoC;AACpC,4DAA8C;AAC9C,sDAAwC;AACxC,8DAAgD;AAChD,mDAIyB;AACzB,6CAA+B;AAE/B,IAAA,0BAAU,EAAC,aAAI,CAAC,CAAC;AAEjB,4EAA4E;AAC5E,4EAA4E;AAC5E,+EAA+E;AAC/E,+EAA+E;AAC/E,gFAAgF;AAChF,iCAAiC;AAEjC,IAAA,aAAI,EAAC,sDAAsD,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;IACvE,MAAM,IAAI,CAAC,UAAU,CAAC,KAAK,EAAE,MAAM,EAAE,EAAE;QACrC,OAAO,CAAC,GAAG,CAAC,mBAAmB,CAAC,GAAG,IAAI,CAAC,iBAAiB,CAAC;QAC1D,OAAO,CAAC,GAAG,CAAC,mBAAmB,CAAC,GAAG,sCAAsC,CAAC;QAC1E,OAAO,CAAC,GAAG,CAAC,gBAAgB,CAAC,GAAG,wBAAwB,CAAC;QACzD,KAAK;aACF,IAAI,CAAC,YAAY,EAAE,wBAAwB,CAAC;aAC5C,QAAQ,CAAC,EAAmC,CAAC,CAAC;QACjD,KAAK,CAAC,IAAI,CAAC,YAAY,EAAE,kBAAkB,CAAC,CAAC,QAAQ,EAAE,CAAC;QACxD,MAAM,aAAa,GAAuB;YACxC,IAAI,EAAE,IAAI,CAAC,aAAa,CAAC,MAAM;SAChC,CAAC;QACF,KAAK,CAAC,IAAI,CAAC,WAAW,EAAE,WAAW,CAAC,CAAC,QAAQ,CAAC;YAC5C,aAAa;YACb,sBAAsB,EAAE,EAAE;YAC1B,SAAS,EAAE,EAAE;YACb,KAAK,EAAE,EAAE;YACT,UAAU,EAAE,EAAE;SACkB,CAAC,CAAC;QACpC,MAAM,iBAAiB,GAAG,KAAK,CAAC,IAAI,CAAC,WAAW,EAAE,kBAAkB,CAAC,CAAC;QACtE,iBAAiB,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,OAAO,CAAC,YAAY,CAAC,CAAC;QAC1D,iBAAiB,CAAC,QAAQ,CAAC,iBAAiB,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC;QAC/D,iBAAiB,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC;QACpD,MAAM,iBAAiB,GAAG,KAAK,CAAC,IAAI,CAAC,WAAW,EAAE,kBAAkB,CAAC,CAAC;QACtE,iBAAiB,CAAC,QAAQ,CAAC,eAAe,CAAC,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;QAC5D,iBAAiB,CAAC,QAAQ,CAAC,cAAc,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC;QAC5D,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,kBAAkB,CAAC,CAAC,QAAQ,CAAC,aAAa,CAAC,CAAC;QAC5D,KAAK,CAAC,IAAI,CAAC,QAAQ,EAAE,0BAA0B,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;QAChE,IAAA,gCAAgB,EAAC,MAAM,EAAE,MAAM,CAAC,CAAC;QACjC,IAAA,0CAA0B,EAAC,GAAG,EAAE,EAAE,CAAC,CAAC;QAEpC,OAAO,CAAC,GAAG,CAAC,gBAAgB,CAAC,GAAG,GAAG,CAAC;QACpC,OAAO,CAAC,GAAG,CAAC,YAAY,CAAC,GAAG,MAAM,CAAC;QAEnC,4DAA4D;QAC5D,iBAAiB,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;QACpD,iBAAiB,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;QAElD,MAAM,eAAe,GAAG,KAAK,CAAC,IAAI,CAAC,OAAO,EAAE,aAAa,CAAC,CAAC;QAC3D,MAAM,cAAc,GAAG,KAAK,CAAC,IAAI,CAAC,OAAO,EAAE,YAAY,CAAC,CAAC;QACzD,iEAAiE;QACjE,MAAM,aAAa,GAAG,OAAO,CAAC,kBAAkB,CAAC,CAAC;QAElD,uEAAuE;QACvE,oEAAoE;QACpE,4EAA4E;QAC5E,wEAAwE;QACxE,MAAM,aAAa,CAAC,UAAU,CAAC;QAE/B,CAAC,CAAC,SAAS,CAAC,eAAe,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,cAAc,CAAC,CAAC;QAC/D,CAAC,CAAC,SAAS,CAAC,eAAe,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,YAAY,CAAC,CAAC;QAC7D,CAAC,CAAC,SAAS,CAAC,cAAc,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,cAAc,CAAC,CAAC;QAC9D,CAAC,CAAC,SAAS,CAAC,cAAc,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,YAAY,CAAC,CAAC;IAC9D,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}
+{"version":3,"file":"analyze-action-input.test.js","sourceRoot":"","sources":["../src/analyze-action-input.test.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA,8CAAuB;AACvB,6CAA+B;AAE/B,4DAA8C;AAC9C,mDAAqC;AACrC,kDAAoC;AACpC,4DAA8C;AAC9C,sDAAwC;AACxC,8DAAgD;AAChD,mDAIyB;AACzB,6CAA+B;AAE/B,IAAA,0BAAU,EAAC,aAAI,CAAC,CAAC;AAEjB,4EAA4E;AAC5E,4EAA4E;AAC5E,+EAA+E;AAC/E,+EAA+E;AAC/E,gFAAgF;AAChF,iCAAiC;AAEjC,IAAA,aAAI,EAAC,sDAAsD,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;IACvE,MAAM,IAAI,CAAC,UAAU,CAAC,KAAK,EAAE,MAAM,EAAE,EAAE;QACrC,OAAO,CAAC,GAAG,CAAC,mBAAmB,CAAC,GAAG,IAAI,CAAC,iBAAiB,CAAC;QAC1D,OAAO,CAAC,GAAG,CAAC,mBAAmB,CAAC,GAAG,sCAAsC,CAAC;QAC1E,OAAO,CAAC,GAAG,CAAC,gBAAgB,CAAC,GAAG,wBAAwB,CAAC;QACzD,KAAK;aACF,IAAI,CAAC,YAAY,EAAE,wBAAwB,CAAC;aAC5C,QAAQ,CAAC,EAAmC,CAAC,CAAC;QACjD,KAAK,CAAC,IAAI,CAAC,YAAY,EAAE,kBAAkB,CAAC,CAAC,QAAQ,EAAE,CAAC;QACxD,MAAM,aAAa,GAAuB;YACxC,IAAI,EAAE,IAAI,CAAC,aAAa,CAAC,MAAM;SAChC,CAAC;QACF,KAAK,CAAC,IAAI,CAAC,WAAW,EAAE,WAAW,CAAC,CAAC,QAAQ,CAAC;YAC5C,aAAa;YACb,sBAAsB,EAAE,EAAE;YAC1B,SAAS,EAAE,EAAE;YACb,KAAK,EAAE,EAAE;YACT,UAAU,EAAE,EAAE;SACkB,CAAC,CAAC;QACpC,MAAM,iBAAiB,GAAG,KAAK,CAAC,IAAI,CAAC,WAAW,EAAE,kBAAkB,CAAC,CAAC;QACtE,iBAAiB,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,OAAO,CAAC,YAAY,CAAC,CAAC;QAC1D,iBAAiB,CAAC,QAAQ,CAAC,iBAAiB,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC;QAC/D,iBAAiB,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC;QACpD,MAAM,iBAAiB,GAAG,KAAK,CAAC,IAAI,CAAC,WAAW,EAAE,kBAAkB,CAAC,CAAC;QACtE,iBAAiB,CAAC,QAAQ,CAAC,cAAc,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC;QAC5D,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,kBAAkB,CAAC,CAAC,QAAQ,CAAC,aAAa,CAAC,CAAC;QAC5D,KAAK,CAAC,IAAI,CAAC,QAAQ,EAAE,0BAA0B,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;QAChE,IAAA,gCAAgB,EAAC,MAAM,EAAE,MAAM,CAAC,CAAC;QACjC,IAAA,0CAA0B,EAAC,GAAG,EAAE,EAAE,CAAC,CAAC;QAEpC,OAAO,CAAC,GAAG,CAAC,gBAAgB,CAAC,GAAG,GAAG,CAAC;QACpC,OAAO,CAAC,GAAG,CAAC,YAAY,CAAC,GAAG,MAAM,CAAC;QAEnC,4DAA4D;QAC5D,iBAAiB,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;QACpD,iBAAiB,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;QAElD,MAAM,eAAe,GAAG,KAAK,CAAC,IAAI,CAAC,OAAO,EAAE,aAAa,CAAC,CAAC;QAC3D,MAAM,cAAc,GAAG,KAAK,CAAC,IAAI,CAAC,OAAO,EAAE,YAAY,CAAC,CAAC;QACzD,iEAAiE;QACjE,MAAM,aAAa,GAAG,OAAO,CAAC,kBAAkB,CAAC,CAAC;QAElD,uEAAuE;QACvE,oEAAoE;QACpE,4EAA4E;QAC5E,wEAAwE;QACxE,MAAM,aAAa,CAAC,UAAU,CAAC;QAE/B,CAAC,CAAC,MAAM,CAAC,eAAe,CAAC,UAAU,CAAC,CAAC;QACrC,CAAC,CAAC,SAAS,CAAC,eAAe,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,cAAc,CAAC,CAAC;QAC/D,CAAC,CAAC,SAAS,CAAC,eAAe,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,YAAY,CAAC,CAAC;QAC7D,CAAC,CAAC,MAAM,CAAC,cAAc,CAAC,UAAU,CAAC,CAAC;QACpC,CAAC,CAAC,SAAS,CAAC,cAAc,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,cAAc,CAAC,CAAC;QAC9D,CAAC,CAAC,SAAS,CAAC,cAAc,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,YAAY,CAAC,CAAC;IAC9D,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}
@@ -95,8 +95,8 @@ function hasBadExpectErrorInput() {
 * indicating whether Go extraction has extracted at least one file.
 */
 function doesGoExtractionOutputExist(config) {
-    const golangDbDirectory = util.getCodeQLDatabasePath(config, languages_1.Language.go);
-    const trapDirectory = path_1.default.join(golangDbDirectory, "trap", languages_1.Language.go);
+    const golangDbDirectory = util.getCodeQLDatabasePath(config, languages_1.KnownLanguage.go);
+    const trapDirectory = path_1.default.join(golangDbDirectory, "trap", languages_1.KnownLanguage.go);
    return (fs.existsSync(trapDirectory) &&
        fs
            .readdirSync(trapDirectory)
@@ -123,7 +123,7 @@ function doesGoExtractionOutputExist(config) {
 * whether any extraction output already exists for Go.
 */
 async function runAutobuildIfLegacyGoWorkflow(config, logger) {
-    if (!config.languages.includes(languages_1.Language.go)) {
+    if (!config.languages.includes(languages_1.KnownLanguage.go)) {
        return;
    }
    if (config.buildMode) {
@@ -134,7 +134,7 @@ async function runAutobuildIfLegacyGoWorkflow(config, logger) {
        logger.debug("Won't run Go autobuild since it has already been run.");
        return;
    }
-    if ((0, analyze_1.dbIsFinalized)(config, languages_1.Language.go, logger)) {
+    if ((0, analyze_1.dbIsFinalized)(config, languages_1.KnownLanguage.go, logger)) {
        logger.debug("Won't run Go autobuild since there is already a finalized database for Go.");
        return;
    }
@@ -149,7 +149,7 @@ async function runAutobuildIfLegacyGoWorkflow(config, logger) {
        return;
    }
    logger.debug("Running Go autobuild because extraction output (TRAP files) for Go code has not been found.");
-    await (0, autobuild_1.runAutobuild)(config, languages_1.Language.go, logger);
+    await (0, autobuild_1.runAutobuild)(config, languages_1.KnownLanguage.go, logger);
 }
 async function run() {
    const startedAt = new Date();
@@ -161,14 +161,6 @@ async function run() {
    let dbCreationTimings = undefined;
    let didUploadTrapCaches = false;
    util.initializeEnvironment(actionsUtil.getActionVersion());
-    // Unset the CODEQL_PROXY_* environment variables, as they are not needed
-    // and can cause issues with the CodeQL CLI
-    // Check for CODEQL_PROXY_HOST: and if it is empty but set, unset it
-    if (process.env.CODEQL_PROXY_HOST === "") {
-        delete process.env.CODEQL_PROXY_HOST;
-        delete process.env.CODEQL_PROXY_PORT;
-        delete process.env.CODEQL_PROXY_CA_CERTIFICATE;
-    }
    // Make inputs accessible in the `post` step, details at
    // https://github.com/github/codeql-action/issues/2553
    actionsUtil.persistInputs();
@@ -186,6 +178,18 @@ async function run() {
        if (hasBadExpectErrorInput()) {
            throw new util.ConfigurationError("`expect-error` input parameter is for internal use only. It should only be set by codeql-action or a fork.");
        }
+        // Unset the CODEQL_PROXY_* environment variables when using older CodeQL
+        // CLIs, as they are not needed and can cause issues.
+        if (process.env.CODEQL_PROXY_HOST === "" &&
+            !(await util.codeQlVersionAtLeast(codeql, "2.20.7"))) {
+            delete process.env.CODEQL_PROXY_HOST;
+            delete process.env.CODEQL_PROXY_PORT;
+            delete process.env.CODEQL_PROXY_CA_CERTIFICATE;
+        }
+        if (actionsUtil.getOptionalInput("cleanup-level") !== "") {
+            logger.info("The 'cleanup-level' input is ignored since the CodeQL Action now automatically " +
+                "manages database cleanup. This input can safely be removed from your workflow.");
+        }
        const apiDetails = (0, api_client_1.getApiDetails)();
        const outputDir = actionsUtil.getRequiredInput("output");
        core.exportVariable(environment_1.EnvVar.SARIF_RESULTS_OUTPUT_DIR, outputDir);
@@ -202,19 +206,8 @@ async function run() {
        await (0, analyze_1.warnIfGoInstalledAfterInit)(config, logger);
        await runAutobuildIfLegacyGoWorkflow(config, logger);
        dbCreationTimings = await (0, analyze_1.runFinalize)(outputDir, threads, memory, codeql, config, logger);
-        // An overlay-base database should always use the 'overlay' cleanup level
-        // to preserve the cached intermediate results.
-        //
-        // Note that we may be overriding the 'cleanup-level' input parameter.
-        const cleanupLevel = config.augmentationProperties.overlayDatabaseMode ===
-            overlay_database_utils_1.OverlayDatabaseMode.OverlayBase
-            ? "overlay"
-            : actionsUtil.getOptionalInput("cleanup-level") || "brutal";
        if (actionsUtil.getRequiredInput("skip-queries") !== "true") {
-            runStats = await (0, analyze_1.runQueries)(outputDir, memory, util.getAddSnippetsFlag(actionsUtil.getRequiredInput("add-snippets")), threads, cleanupLevel, diffRangePackDir, actionsUtil.getOptionalInput("category"), config, logger, features);
-        }
-        if (cleanupLevel !== "none") {
-            await (0, analyze_1.runCleanup)(config, cleanupLevel, logger);
+            runStats = await (0, analyze_1.runQueries)(outputDir, memory, util.getAddSnippetsFlag(actionsUtil.getRequiredInput("add-snippets")), threads, diffRangePackDir, actionsUtil.getOptionalInput("category"), codeql, config, logger, features);
        }
        const dbLocations = {};
        for (const language of config.languages) {
@@ -227,17 +220,19 @@ async function run() {
            uploadResult = await uploadLib.uploadFiles(outputDir, actionsUtil.getRequiredInput("checkout_path"), actionsUtil.getOptionalInput("category"), features, logger, uploadLib.CodeScanningTarget);
            core.setOutput("sarif-id", uploadResult.sarifID);
            if (config.augmentationProperties.qualityQueriesInput !== undefined) {
-                const qualityUploadResult = await uploadLib.uploadFiles(outputDir, actionsUtil.getRequiredInput("checkout_path"), actionsUtil.getOptionalInput("category"), features, logger, uploadLib.CodeQualityTarget);
+                const qualityUploadResult = await uploadLib.uploadFiles(outputDir, actionsUtil.getRequiredInput("checkout_path"), actionsUtil.fixCodeQualityCategory(logger, actionsUtil.getOptionalInput("category")), features, logger, uploadLib.CodeQualityTarget);
                core.setOutput("quality-sarif-id", qualityUploadResult.sarifID);
            }
        }
        else {
            logger.info("Not uploading results");
        }
-        // Possibly upload the database bundles for remote queries
-        await (0, database_upload_1.uploadDatabases)(repositoryNwo, config, apiDetails, logger);
-        // Possibly upload the overlay-base database to actions cache
+        // Possibly upload the overlay-base database to actions cache.
+        // If databases are to be uploaded, they will first be cleaned up at the overlay level.
        await (0, overlay_database_utils_1.uploadOverlayBaseDatabaseToCache)(codeql, config, logger);
+        // Possibly upload the database bundles for remote queries.
+        // If databases are to be uploaded, they will first be cleaned up at the clear level.
+        await (0, database_upload_1.uploadDatabases)(repositoryNwo, codeql, config, apiDetails, logger);
        // Possibly upload the TRAP caches for later re-use
        const trapCacheUploadStartTime = perf_hooks_1.performance.now();
        didUploadTrapCaches = await (0, trap_caching_1.uploadTrapCaches)(codeql, config, logger);
@@ -44,7 +44,6 @@ exports.resolveQuerySuiteAlias = resolveQuerySuiteAlias;
 exports.runQueries = runQueries;
 exports.runFinalize = runFinalize;
 exports.warnIfGoInstalledAfterInit = warnIfGoInstalledAfterInit;
-exports.runCleanup = runCleanup;
 const fs = __importStar(require("fs"));
 const path = __importStar(require("path"));
 const perf_hooks_1 = require("perf_hooks");
@@ -54,7 +53,6 @@ const yaml = __importStar(require("js-yaml"));
 const actions_util_1 = require("./actions-util");
 const api_client_1 = require("./api-client");
 const autobuild_1 = require("./autobuild");
-const codeql_1 = require("./codeql");
 const dependency_caching_1 = require("./dependency-caching");
 const diagnostics_1 = require("./diagnostics");
 const diff_informed_analysis_utils_1 = require("./diff-informed-analysis-utils");
@@ -93,13 +91,13 @@ async function runExtraction(codeql, config, logger) {
            logger.debug(`Database for ${language} has already been finalized, skipping extraction.`);
            continue;
        }
-        if (shouldExtractLanguage(config, language)) {
+        if (await shouldExtractLanguage(codeql, config, language)) {
            logger.startGroup(`Extracting ${language}`);
-            if (language === languages_1.Language.python) {
+            if (language === languages_1.KnownLanguage.python) {
                await setupPythonExtractor(logger);
            }
            if (config.buildMode) {
-                if (language === languages_1.Language.cpp &&
+                if (language === languages_1.KnownLanguage.cpp &&
                    config.buildMode === util_1.BuildMode.Autobuild) {
                    await (0, autobuild_1.setupCppAutobuild)(codeql, logger);
                }
@@ -107,7 +105,8 @@ async function runExtraction(codeql, config, logger) {
                // database scratch directory by default. For dependency caching purposes, we want
                // a stable path that caches can be restored into and that we can cache at the
                // end of the workflow (i.e. that does not get removed when the scratch directory is).
-                if (language === languages_1.Language.java && config.buildMode === util_1.BuildMode.None) {
+                if (language === languages_1.KnownLanguage.java &&
+                    config.buildMode === util_1.BuildMode.None) {
                    process.env["CODEQL_EXTRACTOR_JAVA_OPTION_BUILDLESS_DEPENDENCY_DIR"] =
                        (0, dependency_caching_1.getJavaTempDependencyDir)();
                }
@@ -120,11 +119,11 @@ async function runExtraction(codeql, config, logger) {
        }
    }
 }
-function shouldExtractLanguage(config, language) {
+async function shouldExtractLanguage(codeql, config, language) {
    return (config.buildMode === util_1.BuildMode.None ||
        (config.buildMode === util_1.BuildMode.Autobuild &&
            process.env[environment_1.EnvVar.AUTOBUILD_DID_COMPLETE_SUCCESSFULLY] !== "true") ||
-        (!config.buildMode && (0, languages_1.isScannedLanguage)(language)));
+        (!config.buildMode && (await codeql.isScannedLanguage(language))));
 }
 function dbIsFinalized(config, language, logger) {
    const dbPath = util.getCodeQLDatabasePath(config, language);
@@ -410,11 +409,13 @@ function resolveQuerySuiteAlias(language, maybeSuite) {
    return maybeSuite;
 }
 // Runs queries and creates sarif files in the given folder
-async function runQueries(sarifFolder, memoryFlag, addSnippetsFlag, threadsFlag, cleanupLevel, diffRangePackDir, automationDetailsId, config, logger, features) {
+async function runQueries(sarifFolder, memoryFlag, addSnippetsFlag, threadsFlag, diffRangePackDir, automationDetailsId, codeql, config, logger, features) {
    const statusReport = {};
    const queryFlags = [memoryFlag, threadsFlag];
    const incrementalMode = [];
-    if (cleanupLevel !== "overlay") {
+    // Preserve cached intermediate results for overlay-base databases.
+    if (config.augmentationProperties.overlayDatabaseMode !==
+        overlay_database_utils_1.OverlayDatabaseMode.OverlayBase) {
        queryFlags.push("--expect-discarded-cache");
    }
    statusReport.analysis_is_diff_informed = diffRangePackDir !== undefined;
@@ -423,6 +424,12 @@ async function runQueries(sarifFolder, memoryFlag, addSnippetsFlag, threadsFlag,
        queryFlags.push("--extension-packs=codeql-action/pr-diff-range");
        incrementalMode.push("diff-informed");
    }
+    statusReport.analysis_is_overlay =
+        config.augmentationProperties.overlayDatabaseMode ===
+            overlay_database_utils_1.OverlayDatabaseMode.Overlay;
+    statusReport.analysis_builds_overlay_base_database =
+        config.augmentationProperties.overlayDatabaseMode ===
+            overlay_database_utils_1.OverlayDatabaseMode.OverlayBase;
    if (config.augmentationProperties.overlayDatabaseMode ===
        overlay_database_utils_1.OverlayDatabaseMode.Overlay) {
        incrementalMode.push("overlay");
@@ -430,13 +437,12 @@ async function runQueries(sarifFolder, memoryFlag, addSnippetsFlag, threadsFlag,
    const sarifRunPropertyFlag = incrementalMode.length > 0
        ? `--sarif-run-property=incrementalMode=${incrementalMode.join(",")}`
        : undefined;
-    const codeql = await (0, codeql_1.getCodeQL)(config.codeQLCmd);
    for (const language of config.languages) {
        try {
            const sarifFile = path.join(sarifFolder, `${language}.sarif`);
            const queries = [];
            if (config.augmentationProperties.qualityQueriesInput !== undefined) {
-                queries.push(path.join(util.getCodeQLDatabasePath(config, language), "temp", "config-queries.qls"));
+                queries.push(util.getGeneratedSuitePath(config, language));
                for (const qualityQuery of config.augmentationProperties
                    .qualityQueriesInput) {
                    queries.push(resolveQuerySuiteAlias(language, qualityQuery.uses));
@@ -457,19 +463,22 @@ async function runQueries(sarifFolder, memoryFlag, addSnippetsFlag, threadsFlag,
                new Date().getTime() - startTimeRunQueries;
            logger.startGroup(`Interpreting results for ${language}`);
            const startTimeInterpretResults = new Date();
-            const analysisSummary = await runInterpretResults(language, undefined, sarifFile, config.debugMode);
+            const analysisSummary = await runInterpretResults(language, undefined, sarifFile, config.debugMode, automationDetailsId);
+            let qualityAnalysisSummary;
            if (config.augmentationProperties.qualityQueriesInput !== undefined) {
                logger.info(`Interpreting quality results for ${language}`);
+                const qualityCategory = (0, actions_util_1.fixCodeQualityCategory)(logger, automationDetailsId);
                const qualitySarifFile = path.join(sarifFolder, `${language}.quality.sarif`);
-                const qualityAnalysisSummary = await runInterpretResults(language, config.augmentationProperties.qualityQueriesInput.map((i) => resolveQuerySuiteAlias(language, i.uses)), qualitySarifFile, config.debugMode);
-                // TODO: move
-                logger.info(qualityAnalysisSummary);
+                qualityAnalysisSummary = await runInterpretResults(language, config.augmentationProperties.qualityQueriesInput.map((i) => resolveQuerySuiteAlias(language, i.uses)), qualitySarifFile, config.debugMode, qualityCategory);
            }
            const endTimeInterpretResults = new Date();
            statusReport[`interpret_results_${language}_duration_ms`] =
                endTimeInterpretResults.getTime() - startTimeInterpretResults.getTime();
            logger.endGroup();
            logger.info(analysisSummary);
+            if (qualityAnalysisSummary) {
+                logger.info(qualityAnalysisSummary);
+            }
            if (await features.getValue(feature_flags_1.Feature.QaTelemetryEnabled)) {
                const perQueryAlertCounts = getPerQueryAlertCounts(sarifFile);
                const perQueryAlertCountEventReport = {
@@ -494,9 +503,9 @@ async function runQueries(sarifFolder, memoryFlag, addSnippetsFlag, threadsFlag,
        }
    }
    return statusReport;
-    async function runInterpretResults(language, queries, sarifFile, enableDebugLogging) {
+    async function runInterpretResults(language, queries, sarifFile, enableDebugLogging, category) {
        const databasePath = util.getCodeQLDatabasePath(config, language);
-        return await codeql.databaseInterpretResults(databasePath, queries, sarifFile, addSnippetsFlag, threadsFlag, enableDebugLogging ? "-vv" : "-v", sarifRunPropertyFlag, automationDetailsId, config, features);
+        return await codeql.databaseInterpretResults(databasePath, queries, sarifFile, addSnippetsFlag, threadsFlag, enableDebugLogging ? "-vv" : "-v", sarifRunPropertyFlag, category, config, features);
    }
    /** Get an object with all queries and their counts parsed from a SARIF file path. */
    function getPerQueryAlertCounts(sarifPath) {
@@ -548,7 +557,7 @@ async function warnIfGoInstalledAfterInit(config, logger) {
        const goBinaryPath = await io.which("go", true);
        if (goInitPath !== goBinaryPath) {
            logger.warning(`Expected \`which go\` to return ${goInitPath}, but got ${goBinaryPath}: please ensure that the correct version of Go is installed before the \`codeql-action/init\` Action is used.`);
-            (0, diagnostics_1.addDiagnostic)(config, languages_1.Language.go, (0, diagnostics_1.makeDiagnostic)("go/workflow/go-installed-after-codeql-init", "Go was installed after the `codeql-action/init` Action was run", {
+            (0, diagnostics_1.addDiagnostic)(config, languages_1.KnownLanguage.go, (0, diagnostics_1.makeDiagnostic)("go/workflow/go-installed-after-codeql-init", "Go was installed after the `codeql-action/init` Action was run", {
                markdownMessage: "To avoid interfering with the CodeQL analysis, perform all installation steps before calling the `github/codeql-action/init` Action.",
                visibility: {
                    statusPage: true,
@@ -560,15 +569,6 @@ async function warnIfGoInstalledAfterInit(config, logger) {
        }
    }
 }
-async function runCleanup(config, cleanupLevel, logger) {
-    logger.startGroup("Cleaning up databases");
-    for (const language of config.languages) {
-        const codeql = await (0, codeql_1.getCodeQL)(config.codeQLCmd);
-        const databasePath = util.getCodeQLDatabasePath(config, language);
-        await codeql.databaseCleanup(databasePath, cleanupLevel);
-    }
-    logger.endGroup();
-}
 exports.exportedForTesting = {
    getDiffRanges,
 };
@@ -63,10 +63,9 @@ const util = __importStar(require("./util"));
        const addSnippetsFlag = "";
        const threadsFlag = "";
        sinon.stub(uploadLib, "validateSarifFileSchema");
-        for (const language of Object.values(languages_1.Language)) {
-            (0, codeql_1.setCodeQL)({
+        for (const language of Object.values(languages_1.KnownLanguage)) {
+            const codeql = (0, codeql_1.createStubCodeQL)({
                databaseRunQueries: async () => { },
-                packDownload: async () => ({ packs: [] }),
                databaseInterpretResults: async (_db, _queriesRun, sarifFile) => {
                    fs.writeFileSync(sarifFile, JSON.stringify({
                        runs: [
@@ -114,9 +113,11 @@ const util = __importStar(require("./util"));
            fs.mkdirSync(util.getCodeQLDatabasePath(config, language), {
                recursive: true,
            });
-            const statusReport = await (0, analyze_1.runQueries)(tmpDir, memoryFlag, addSnippetsFlag, threadsFlag, "brutal", undefined, undefined, config, (0, logging_1.getRunnerLogger)(true), (0, testing_utils_1.createFeatures)([feature_flags_1.Feature.QaTelemetryEnabled]));
+            const statusReport = await (0, analyze_1.runQueries)(tmpDir, memoryFlag, addSnippetsFlag, threadsFlag, undefined, undefined, codeql, config, (0, logging_1.getRunnerLogger)(true), (0, testing_utils_1.createFeatures)([feature_flags_1.Feature.QaTelemetryEnabled]));
            t.deepEqual(Object.keys(statusReport).sort(), [
+                "analysis_builds_overlay_base_database",
                "analysis_is_diff_informed",
+                "analysis_is_overlay",
                `analyze_builtin_queries_${language}_duration_ms`,
                "event_reports",
                `interpret_results_${language}_duration_ms`,
@@ -316,14 +317,14 @@ function runGetDiffRanges(changes, patch) {
 (0, ava_1.default)("resolveQuerySuiteAlias", (t) => {
    // default query suite names should resolve to something language-specific ending in `.qls`.
    for (const suite of analyze_1.defaultSuites) {
-        const resolved = (0, analyze_1.resolveQuerySuiteAlias)(languages_1.Language.go, suite);
+        const resolved = (0, analyze_1.resolveQuerySuiteAlias)(languages_1.KnownLanguage.go, suite);
        t.assert(resolved.endsWith(".qls"), "Resolved default suite doesn't end in .qls");
-        t.assert(resolved.indexOf(languages_1.Language.go) >= 0, "Resolved default suite doesn't contain language name");
+        t.assert(resolved.indexOf(languages_1.KnownLanguage.go) >= 0, "Resolved default suite doesn't contain language name");
    }
    // other inputs should be returned unchanged
    const names = ["foo", "bar", "codeql/go-queries@1.0"];
    for (const name of names) {
-        t.deepEqual((0, analyze_1.resolveQuerySuiteAlias)(languages_1.Language.go, name), name);
+        t.deepEqual((0, analyze_1.resolveQuerySuiteAlias)(languages_1.KnownLanguage.go, name), name);
    }
 });
 //# sourceMappingURL=analyze.test.js.map
@@ -1 +1 @@
-{ "maximumVersion": "3.18", "minimumVersion": "3.13" }
+{ "maximumVersion": "3.18", "minimumVersion": "3.14" }
@@ -46,7 +46,7 @@ const feature_flags_1 = require("./feature-flags");
 const languages_1 = require("./languages");
 const repository_1 = require("./repository");
 const util_1 = require("./util");
-async function determineAutobuildLanguages(_codeql, config, logger) {
+async function determineAutobuildLanguages(codeql, config, logger) {
    if (config.buildMode === util_1.BuildMode.None ||
        config.buildMode === util_1.BuildMode.Manual) {
        logger.info(`Using build mode "${config.buildMode}", nothing to autobuild. ` +
@@ -57,8 +57,8 @@ async function determineAutobuildLanguages(_codeql, config, logger) {
    // We want pick the dominant language in the repo from the ones we're able to build
    // The languages are sorted in order specified by user or by lines of code if we got
    // them from the GitHub API, so try to build the first language on the list.
-    const autobuildLanguages = config.languages.filter((l) => (0, languages_1.isTracedLanguage)(l));
-    if (!autobuildLanguages) {
+    const autobuildLanguages = await (0, util_1.asyncFilter)(config.languages, async (language) => await codeql.isTracedLanguage(language));
+    if (autobuildLanguages.length === 0) {
        logger.info("None of the languages in this project require extra build steps");
        return undefined;
    }
@@ -89,7 +89,7 @@ async function determineAutobuildLanguages(_codeql, config, logger) {
     * This special case behavior should be removed as part of the next major
     * version of the CodeQL Action.
     */
-    const autobuildLanguagesWithoutGo = autobuildLanguages.filter((l) => l !== languages_1.Language.go);
+    const autobuildLanguagesWithoutGo = autobuildLanguages.filter((l) => l !== languages_1.KnownLanguage.go);
    const languages = [];
    // First run the autobuilder for the first non-Go traced language, if one
    // exists.
@@ -99,7 +99,7 @@ async function determineAutobuildLanguages(_codeql, config, logger) {
    // If Go is requested, run the Go autobuilder last to ensure it doesn't
    // interfere with the other autobuilder.
    if (autobuildLanguages.length !== autobuildLanguagesWithoutGo.length) {
-        languages.push(languages_1.Language.go);
+        languages.push(languages_1.KnownLanguage.go);
    }
    logger.debug(`Will autobuild ${languages.join(" and ")}.`);
    // In general the autobuilders for other traced languages may conflict with
@@ -145,7 +145,7 @@ async function setupCppAutobuild(codeql, logger) {
 async function runAutobuild(config, language, logger) {
    logger.startGroup(`Attempting to automatically build ${language} code`);
    const codeQL = await (0, codeql_1.getCodeQL)(config.codeQLCmd);
-    if (language === languages_1.Language.cpp) {
+    if (language === languages_1.KnownLanguage.cpp) {
        await setupCppAutobuild(codeQL, logger);
    }
    if (config.buildMode) {
@@ -154,7 +154,7 @@ async function runAutobuild(config, language, logger) {
    else {
        await codeQL.runAutobuild(config, language);
    }
-    if (language === languages_1.Language.go) {
+    if (language === languages_1.KnownLanguage.go) {
        core.exportVariable(environment_1.EnvVar.DID_AUTOBUILD_GOLANG, "true");
    }
    logger.endGroup();
@@ -1 +1 @@
-{"version":3,"file":"autobuild.js","sourceRoot":"","sources":["../src/autobuild.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAcA,kEAiGC;AAED,8CAmCC;AAED,oCAmBC;AAzKD,oDAAsC;AAEtC,iDAA6E;AAC7E,6CAAgD;AAChD,qCAA6C;AAE7C,uCAAmC;AACnC,+CAAuC;AACvC,mDAAmE;AACnE,2CAAyD;AAEzD,6CAAgD;AAChD,iCAAmC;AAE5B,KAAK,UAAU,2BAA2B,CAC/C,OAAe,EACf,MAA0B,EAC1B,MAAc;IAEd,IACE,MAAM,CAAC,SAAS,KAAK,gBAAS,CAAC,IAAI;QACnC,MAAM,CAAC,SAAS,KAAK,gBAAS,CAAC,MAAM,EACrC,CAAC;QACD,MAAM,CAAC,IAAI,CACT,qBAAqB,MAAM,CAAC,SAAS,2BAA2B;YAC9D,OAAO,gBAAM,CAAC,kBAAkB,wBAAwB,CAC3D,CAAC;QACF,OAAO,SAAS,CAAC;IACnB,CAAC;IAED,0CAA0C;IAC1C,mFAAmF;IACnF,oFAAoF;IACpF,4EAA4E;IAC5E,MAAM,kBAAkB,GAAG,MAAM,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CACvD,IAAA,4BAAgB,EAAC,CAAC,CAAC,CACpB,CAAC;IAEF,IAAI,CAAC,kBAAkB,EAAE,CAAC;QACxB,MAAM,CAAC,IAAI,CACT,iEAAiE,CAClE,CAAC;QACF,OAAO,SAAS,CAAC;IACnB,CAAC;IAED;;;;;;;;;;;;;;;;;;;;;;;;;;OA0BG;IACH,MAAM,2BAA2B,GAAG,kBAAkB,CAAC,MAAM,CAC3D,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,KAAK,oBAAQ,CAAC,EAAE,CACzB,CAAC;IAEF,MAAM,SAAS,GAAe,EAAE,CAAC;IACjC,yEAAyE;IACzE,UAAU;IACV,IAAI,2BAA2B,CAAC,CAAC,CAAC,KAAK,SAAS,EAAE,CAAC;QACjD,SAAS,CAAC,IAAI,CAAC,2BAA2B,CAAC,CAAC,CAAC,CAAC,CAAC;IACjD,CAAC;IACD,uEAAuE;IACvE,wCAAwC;IACxC,IAAI,kBAAkB,CAAC,MAAM,KAAK,2BAA2B,CAAC,MAAM,EAAE,CAAC;QACrE,SAAS,CAAC,IAAI,CAAC,oBAAQ,CAAC,EAAE,CAAC,CAAC;IAC9B,CAAC;IAED,MAAM,CAAC,KAAK,CAAC,kBAAkB,SAAS,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;IAE3D,2EAA2E;IAC3E,4EAA4E;IAC5E,2CAA2C;IAC3C,uEAAuE;IACvE,2EAA2E;IAC3E,uEAAuE;IACvE,yCAAyC;IACzC,IAAI,2BAA2B,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC3C,MAAM,CAAC,OAAO,CACZ,oCAAoC,SAAS,CAAC,IAAI,CAChD,OAAO,CACR,8BAA8B,2BAA2B;aACvD,KAAK,CAAC,CAAC,CAAC;aACR,IAAI,CACH,OAAO,CACR,kFAAkF;YACnF,OAAO,gBAAM,CAAC,4BAA4B,wBAAwB,CACrE,CAAC;IACJ,CAAC;IAED,OAAO,SAAS,CAAC;AACnB,CAAC;AAEM,KAAK,UAAU,iBAAiB,CAAC,MAAc,EAAE,MAAc;IACpE,MAAM,MAAM,GAAG,6BAAa,CAAC,uBAAO,CAAC,yBAAyB,CAAC,CAAC,MAAM,CAAC;IACvE,MAAM,WAAW,GAAG,4CAA4C,CAAC;IACjE,MAAM,aAAa,GAAG,MAAM,IAAA,6BAAgB,GAAE,CAAC;IAC/C,MAAM,aAAa,GAAG,IAAA,6BAAgB,GAAE,CAAC;IACzC,MAAM,QAAQ,GAAG,IAAI,wBAAQ,CAC3B,aAAa,EACb,aAAa,EACb,IAAA,oCAAqB,GAAE,EACvB,MAAM,CACP,CAAC;IACF,IAAI,MAAM,QAAQ,CAAC,QAAQ,CAAC,uBAAO,CAAC,yBAAyB,EAAE,MAAM,CAAC,EAAE,CAAC;QACvE,yEAAyE;QACzE,IACE,OAAO,CAAC,GAAG,CAAC,oBAAoB,CAAC,KAAK,aAAa;YACnD,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,KAAK,MAAM,EAC9B,CAAC;YACD,MAAM,CAAC,IAAI,CACT,aAAa,WAAW,sCACtB,IAAA,mCAAoB,GAAE,KAAK,SAAS;gBAClC,CAAC,CAAC,8BAA8B,MAAM,yDAAyD,gBAAM,CAAC,oBAAoB,wBAAwB;gBAClJ,CAAC,CAAC,EACN,EAAE,CACH,CAAC;YACF,IAAI,CAAC,cAAc,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;QACvC,CAAC;aAAM,CAAC;YACN,MAAM,CAAC,IAAI,CACT,YAAY,WAAW,yCAAyC,MAAM,yCAAyC,gBAAM,CAAC,oBAAoB,wBAAwB,CACnK,CAAC;YACF,IAAI,CAAC,cAAc,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;QACtC,CAAC;IACH,CAAC;SAAM,CAAC;QACN,MAAM,CAAC,IAAI,CAAC,aAAa,WAAW,GAAG,CAAC,CAAC;QACzC,IAAI,CAAC,cAAc,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IACvC,CAAC;AACH,CAAC;AAEM,KAAK,UAAU,YAAY,CAChC,MAA0B,EAC1B,QAAkB,EAClB,MAAc;IAEd,MAAM,CAAC,UAAU,CAAC,qCAAqC,QAAQ,OAAO,CAAC,CAAC;IACxE,MAAM,MAAM,GAAG,MAAM,IAAA,kBAAS,EAAC,MAAM,CAAC,SAAS,CAAC,CAAC;IACjD,IAAI,QAAQ,KAAK,oBAAQ,CAAC,GAAG,EAAE,CAAC;QAC9B,MAAM,iBAAiB,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAC1C,CAAC;IACD,IAAI,MAAM,CAAC,SAAS,EAAE,CAAC;QACrB,MAAM,MAAM,CAAC,qBAAqB,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC;IACvD,CAAC;SAAM,CAAC;QACN,MAAM,MAAM,CAAC,YAAY,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC;IAC9C,CAAC;IACD,IAAI,QAAQ,KAAK,oBAAQ,CAAC,EAAE,EAAE,CAAC;QAC7B,IAAI,CAAC,cAAc,CAAC,oBAAM,CAAC,oBAAoB,EAAE,MAAM,CAAC,CAAC;IAC3D,CAAC;IACD,MAAM,CAAC,QAAQ,EAAE,CAAC;AACpB,CAAC"}
+{"version":3,"file":"autobuild.js","sourceRoot":"","sources":["../src/autobuild.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAcA,kEAkGC;AAED,8CAmCC;AAED,oCAmBC;AA1KD,oDAAsC;AAEtC,iDAA6E;AAC7E,6CAAgD;AAChD,qCAA6C;AAE7C,uCAAmC;AACnC,+CAAuC;AACvC,mDAAmE;AACnE,2CAAsD;AAEtD,6CAAgD;AAChD,iCAAgD;AAEzC,KAAK,UAAU,2BAA2B,CAC/C,MAAc,EACd,MAA0B,EAC1B,MAAc;IAEd,IACE,MAAM,CAAC,SAAS,KAAK,gBAAS,CAAC,IAAI;QACnC,MAAM,CAAC,SAAS,KAAK,gBAAS,CAAC,MAAM,EACrC,CAAC;QACD,MAAM,CAAC,IAAI,CACT,qBAAqB,MAAM,CAAC,SAAS,2BAA2B;YAC9D,OAAO,gBAAM,CAAC,kBAAkB,wBAAwB,CAC3D,CAAC;QACF,OAAO,SAAS,CAAC;IACnB,CAAC;IAED,0CAA0C;IAC1C,mFAAmF;IACnF,oFAAoF;IACpF,4EAA4E;IAC5E,MAAM,kBAAkB,GAAG,MAAM,IAAA,kBAAW,EAC1C,MAAM,CAAC,SAAS,EAChB,KAAK,EAAE,QAAQ,EAAE,EAAE,CAAC,MAAM,MAAM,CAAC,gBAAgB,CAAC,QAAQ,CAAC,CAC5D,CAAC;IAEF,IAAI,kBAAkB,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACpC,MAAM,CAAC,IAAI,CACT,iEAAiE,CAClE,CAAC;QACF,OAAO,SAAS,CAAC;IACnB,CAAC;IAED;;;;;;;;;;;;;;;;;;;;;;;;;;OA0BG;IACH,MAAM,2BAA2B,GAAG,kBAAkB,CAAC,MAAM,CAC3D,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,KAAK,yBAAa,CAAC,EAAE,CAC9B,CAAC;IAEF,MAAM,SAAS,GAAe,EAAE,CAAC;IACjC,yEAAyE;IACzE,UAAU;IACV,IAAI,2BAA2B,CAAC,CAAC,CAAC,KAAK,SAAS,EAAE,CAAC;QACjD,SAAS,CAAC,IAAI,CAAC,2BAA2B,CAAC,CAAC,CAAC,CAAC,CAAC;IACjD,CAAC;IACD,uEAAuE;IACvE,wCAAwC;IACxC,IAAI,kBAAkB,CAAC,MAAM,KAAK,2BAA2B,CAAC,MAAM,EAAE,CAAC;QACrE,SAAS,CAAC,IAAI,CAAC,yBAAa,CAAC,EAAE,CAAC,CAAC;IACnC,CAAC;IAED,MAAM,CAAC,KAAK,CAAC,kBAAkB,SAAS,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;IAE3D,2EAA2E;IAC3E,4EAA4E;IAC5E,2CAA2C;IAC3C,uEAAuE;IACvE,2EAA2E;IAC3E,uEAAuE;IACvE,yCAAyC;IACzC,IAAI,2BAA2B,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC3C,MAAM,CAAC,OAAO,CACZ,oCAAoC,SAAS,CAAC,IAAI,CAChD,OAAO,CACR,8BAA8B,2BAA2B;aACvD,KAAK,CAAC,CAAC,CAAC;aACR,IAAI,CACH,OAAO,CACR,kFAAkF;YACnF,OAAO,gBAAM,CAAC,4BAA4B,wBAAwB,CACrE,CAAC;IACJ,CAAC;IAED,OAAO,SAAS,CAAC;AACnB,CAAC;AAEM,KAAK,UAAU,iBAAiB,CAAC,MAAc,EAAE,MAAc;IACpE,MAAM,MAAM,GAAG,6BAAa,CAAC,uBAAO,CAAC,yBAAyB,CAAC,CAAC,MAAM,CAAC;IACvE,MAAM,WAAW,GAAG,4CAA4C,CAAC;IACjE,MAAM,aAAa,GAAG,MAAM,IAAA,6BAAgB,GAAE,CAAC;IAC/C,MAAM,aAAa,GAAG,IAAA,6BAAgB,GAAE,CAAC;IACzC,MAAM,QAAQ,GAAG,IAAI,wBAAQ,CAC3B,aAAa,EACb,aAAa,EACb,IAAA,oCAAqB,GAAE,EACvB,MAAM,CACP,CAAC;IACF,IAAI,MAAM,QAAQ,CAAC,QAAQ,CAAC,uBAAO,CAAC,yBAAyB,EAAE,MAAM,CAAC,EAAE,CAAC;QACvE,yEAAyE;QACzE,IACE,OAAO,CAAC,GAAG,CAAC,oBAAoB,CAAC,KAAK,aAAa;YACnD,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,KAAK,MAAM,EAC9B,CAAC;YACD,MAAM,CAAC,IAAI,CACT,aAAa,WAAW,sCACtB,IAAA,mCAAoB,GAAE,KAAK,SAAS;gBAClC,CAAC,CAAC,8BAA8B,MAAM,yDAAyD,gBAAM,CAAC,oBAAoB,wBAAwB;gBAClJ,CAAC,CAAC,EACN,EAAE,CACH,CAAC;YACF,IAAI,CAAC,cAAc,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;QACvC,CAAC;aAAM,CAAC;YACN,MAAM,CAAC,IAAI,CACT,YAAY,WAAW,yCAAyC,MAAM,yCAAyC,gBAAM,CAAC,oBAAoB,wBAAwB,CACnK,CAAC;YACF,IAAI,CAAC,cAAc,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;QACtC,CAAC;IACH,CAAC;SAAM,CAAC;QACN,MAAM,CAAC,IAAI,CAAC,aAAa,WAAW,GAAG,CAAC,CAAC;QACzC,IAAI,CAAC,cAAc,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IACvC,CAAC;AACH,CAAC;AAEM,KAAK,UAAU,YAAY,CAChC,MAA0B,EAC1B,QAAkB,EAClB,MAAc;IAEd,MAAM,CAAC,UAAU,CAAC,qCAAqC,QAAQ,OAAO,CAAC,CAAC;IACxE,MAAM,MAAM,GAAG,MAAM,IAAA,kBAAS,EAAC,MAAM,CAAC,SAAS,CAAC,CAAC;IACjD,IAAI,QAAQ,KAAK,yBAAa,CAAC,GAAG,EAAE,CAAC;QACnC,MAAM,iBAAiB,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAC1C,CAAC;IACD,IAAI,MAAM,CAAC,SAAS,EAAE,CAAC;QACrB,MAAM,MAAM,CAAC,qBAAqB,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC;IACvD,CAAC;SAAM,CAAC;QACN,MAAM,MAAM,CAAC,YAAY,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC;IAC9C,CAAC;IACD,IAAI,QAAQ,KAAK,yBAAa,CAAC,EAAE,EAAE,CAAC;QAClC,IAAI,CAAC,cAAc,CAAC,oBAAM,CAAC,oBAAoB,EAAE,MAAM,CAAC,CAAC;IAC3D,CAAC;IACD,MAAM,CAAC,QAAQ,EAAE,CAAC;AACpB,CAAC"}
@@ -1,11 +1,16 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.cliErrorsConfig = exports.CliConfigErrorCategory = exports.CliError = void 0;
-exports.getCliConfigCategoryIfExists = getCliConfigCategoryIfExists;
 exports.wrapCliConfigurationError = wrapCliConfigurationError;
 const actions_util_1 = require("./actions-util");
 const doc_url_1 = require("./doc-url");
 const util_1 = require("./util");
+const SUPPORTED_PLATFORMS = [
+    ["linux", "x64"],
+    ["win32", "x64"],
+    ["darwin", "x64"],
+    ["darwin", "arm64"],
+];
 /**
 * An error from a CodeQL CLI invocation, with associated exit code, stderr, etc.
 */
@@ -124,6 +129,7 @@ var CliConfigErrorCategory;
    CliConfigErrorCategory["NoSourceCodeSeen"] = "NoSourceCodeSeen";
    CliConfigErrorCategory["NoSupportedBuildCommandSucceeded"] = "NoSupportedBuildCommandSucceeded";
    CliConfigErrorCategory["NoSupportedBuildSystemDetected"] = "NoSupportedBuildSystemDetected";
+    CliConfigErrorCategory["NotFoundInRegistry"] = "NotFoundInRegistry";
    CliConfigErrorCategory["OutOfMemoryOrDisk"] = "OutOfMemoryOrDisk";
    CliConfigErrorCategory["PackCannotBeFound"] = "PackCannotBeFound";
    CliConfigErrorCategory["PackMissingAuth"] = "PackMissingAuth";
@@ -150,7 +156,7 @@ exports.cliErrorsConfig = {
    },
    [CliConfigErrorCategory.GradleBuildFailed]: {
        cliErrorMessageCandidates: [
-            new RegExp("[autobuild] FAILURE: Build failed with an exception."),
+            new RegExp("\\[autobuild\\] FAILURE: Build failed with an exception."),
        ],
    },
    // Version of CodeQL CLI is incompatible with this version of the CodeQL Action
@@ -243,6 +249,11 @@ exports.cliErrorsConfig = {
            new RegExp("does not support the .* build mode. Please try using one of the following build modes instead"),
        ],
    },
+    [CliConfigErrorCategory.NotFoundInRegistry]: {
+        cliErrorMessageCandidates: [
+            new RegExp("'.*' not found in the registry '.*'"),
+        ],
+    },
 };
 /**
 * Check if the given CLI error or exit code, if applicable, apply to any known
@@ -266,11 +277,29 @@ function getCliConfigCategoryIfExists(cliError) {
    return undefined;
 }
 /**
- * Changes an error received from the CLI to a ConfigurationError with optionally an extra
- * error message appended, if it exists in a known set of configuration errors. Otherwise,
+ * Check if we are running on an unsupported platform/architecture combination.
+ */
+function isUnsupportedPlatform() {
+    return !SUPPORTED_PLATFORMS.some(([platform, arch]) => platform === process.platform && arch === process.arch);
+}
+/**
+ * Transform a CLI error into a ConfigurationError for an unsupported platform.
+ */
+function getUnsupportedPlatformError(cliError) {
+    return new util_1.ConfigurationError("The CodeQL CLI does not support the platform/architecture combination of " +
+        `${process.platform}/${process.arch} ` +
+        `(see ${doc_url_1.DocUrl.SYSTEM_REQUIREMENTS}). ` +
+        `The underlying error was: ${cliError.message}`);
+}
+/**
+ * Changes an error received from the CLI to a ConfigurationError with the message
+ * optionally being transformed, if it is a known configuration error. Otherwise,
 * simply returns the original error.
 */
 function wrapCliConfigurationError(cliError) {
+    if (isUnsupportedPlatform()) {
+        return getUnsupportedPlatformError(cliError);
+    }
    const cliConfigErrorCategory = getCliConfigCategoryIfExists(cliError);
    if (cliConfigErrorCategory === undefined) {
        return cliError;
@@ -0,0 +1,220 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+const ava_1 = __importDefault(require("ava"));
+const sinon = __importStar(require("sinon"));
+const actions_util_1 = require("./actions-util");
+const cli_errors_1 = require("./cli-errors");
+const testing_utils_1 = require("./testing-utils");
+const util_1 = require("./util");
+(0, testing_utils_1.setupTests)(ava_1.default);
+(0, ava_1.default)("CliError constructor with fatal errors", (t) => {
+    const commandError = new actions_util_1.CommandInvocationError("codeql", ["database", "finalize"], 32, "Running TRAP import for CodeQL database...\nA fatal error occurred: Evaluator heap must be at least 384.00 MiB\nA fatal error occurred: Dataset import failed with code 2");
+    const cliError = new cli_errors_1.CliError(commandError);
+    t.is(cliError.exitCode, 32);
+    t.is(cliError.stderr, "Running TRAP import for CodeQL database...\nA fatal error occurred: Evaluator heap must be at least 384.00 MiB\nA fatal error occurred: Dataset import failed with code 2");
+    t.true(cliError.message.includes("A fatal error occurred: Dataset import failed with code 2."));
+    t.true(cliError.message.includes("Context: A fatal error occurred: Evaluator heap must be at least 384.00 MiB."));
+});
+(0, ava_1.default)("CliError constructor with single fatal error", (t) => {
+    const commandError = new actions_util_1.CommandInvocationError("codeql", ["database", "create"], 1, "A fatal error occurred: Out of memory");
+    const cliError = new cli_errors_1.CliError(commandError);
+    t.is(cliError.exitCode, 1);
+    t.true(cliError.message.includes("A fatal error occurred: Out of memory"));
+    t.false(cliError.message.includes("Context:"));
+});
+(0, ava_1.default)("CliError constructor with autobuild errors", (t) => {
+    const commandError = new actions_util_1.CommandInvocationError("codeql", ["database", "create"], 1, "[autobuild] [ERROR] Build failed\n[autobuild] [ERROR] Compilation error");
+    const cliError = new cli_errors_1.CliError(commandError);
+    t.is(cliError.exitCode, 1);
+    t.true(cliError.message.includes("We were unable to automatically build your code"));
+    t.true(cliError.message.includes("Build failed\nCompilation error"));
+});
+(0, ava_1.default)("CliError constructor with truncated autobuild errors", (t) => {
+    const stderr = Array.from({ length: 12 }, (_, i) => `[autobuild] [ERROR] Error ${i + 1}`).join("\n");
+    const commandError = new actions_util_1.CommandInvocationError("codeql", ["database", "create"], 1, stderr);
+    const cliError = new cli_errors_1.CliError(commandError);
+    t.true(cliError.message.includes("(truncated)"));
+    // Should only include first 10 errors plus truncation message
+    const errorLines = cliError.message
+        .split("Encountered the following error: ")[1]
+        .split("\n");
+    t.is(errorLines.length, 11); // 10 errors + "(truncated)"
+});
+(0, ava_1.default)("CliError constructor with generic error", (t) => {
+    const commandError = new actions_util_1.CommandInvocationError("codeql", ["version"], 1, "Some generic error message\nLast line of error");
+    const cliError = new cli_errors_1.CliError(commandError);
+    t.is(cliError.exitCode, 1);
+    t.true(cliError.message.includes('Encountered a fatal error while running "codeql version"'));
+    t.true(cliError.message.includes("Exit code was 1 and last log line was: Last line of error."));
+});
+(0, ava_1.default)("CliError constructor with empty stderr", (t) => {
+    const commandError = new actions_util_1.CommandInvocationError("codeql", ["version"], 1, "");
+    const cliError = new cli_errors_1.CliError(commandError);
+    t.true(cliError.message.includes("last log line was: n/a"));
+});
+for (const [platform, arch] of [
+    ["weird_plat", "x64"],
+    ["linux", "arm64"],
+    ["win32", "arm64"],
+]) {
+    (0, ava_1.default)(`wrapCliConfigurationError - ${platform}/${arch} unsupported`, (t) => {
+        sinon.stub(process, "platform").value(platform);
+        sinon.stub(process, "arch").value(arch);
+        const commandError = new actions_util_1.CommandInvocationError("codeql", ["version"], 1, "Some error");
+        const cliError = new cli_errors_1.CliError(commandError);
+        const wrappedError = (0, cli_errors_1.wrapCliConfigurationError)(cliError);
+        t.true(wrappedError instanceof util_1.ConfigurationError);
+        t.true(wrappedError.message.includes("CodeQL CLI does not support the platform/architecture combination"));
+        t.true(wrappedError.message.includes(`${platform}/${arch}`));
+    });
+}
+(0, ava_1.default)("wrapCliConfigurationError - supported platform", (t) => {
+    const commandError = new actions_util_1.CommandInvocationError("codeql", ["version"], 1, "Some error");
+    const cliError = new cli_errors_1.CliError(commandError);
+    const wrappedError = (0, cli_errors_1.wrapCliConfigurationError)(cliError);
+    // Should return the original error since platform is supported
+    t.is(wrappedError, cliError);
+});
+(0, ava_1.default)("wrapCliConfigurationError - autobuild error", (t) => {
+    const commandError = new actions_util_1.CommandInvocationError("codeql", ["database", "create"], 1, "We were unable to automatically build your code");
+    const cliError = new cli_errors_1.CliError(commandError);
+    const wrappedError = (0, cli_errors_1.wrapCliConfigurationError)(cliError);
+    t.true(wrappedError instanceof util_1.ConfigurationError);
+    t.true(wrappedError.message.includes("We were unable to automatically build your code"));
+});
+(0, ava_1.default)("wrapCliConfigurationError - init called twice", (t) => {
+    const commandError = new actions_util_1.CommandInvocationError("codeql", ["database", "create"], 1, "Refusing to create databases /some/path but could not process any of it");
+    const cliError = new cli_errors_1.CliError(commandError);
+    const wrappedError = (0, cli_errors_1.wrapCliConfigurationError)(cliError);
+    t.true(wrappedError instanceof util_1.ConfigurationError);
+    t.true(wrappedError.message.includes('Is the "init" action called twice in the same job?'));
+});
+(0, ava_1.default)("wrapCliConfigurationError - no source code seen by exit code", (t) => {
+    const commandError = new actions_util_1.CommandInvocationError("codeql", ["database", "finalize"], 32, "Some other error message");
+    const cliError = new cli_errors_1.CliError(commandError);
+    const wrappedError = (0, cli_errors_1.wrapCliConfigurationError)(cliError);
+    t.true(wrappedError instanceof util_1.ConfigurationError);
+});
+(0, ava_1.default)("wrapCliConfigurationError - no source code seen by message", (t) => {
+    const commandError = new actions_util_1.CommandInvocationError("codeql", ["database", "finalize"], 1, "CodeQL detected code written in JavaScript but could not process any of it");
+    const cliError = new cli_errors_1.CliError(commandError);
+    const wrappedError = (0, cli_errors_1.wrapCliConfigurationError)(cliError);
+    t.true(wrappedError instanceof util_1.ConfigurationError);
+});
+(0, ava_1.default)("wrapCliConfigurationError - out of memory error with additional message", (t) => {
+    const commandError = new actions_util_1.CommandInvocationError("codeql", ["database", "analyze"], 1, "CodeQL is out of memory.");
+    const cliError = new cli_errors_1.CliError(commandError);
+    const wrappedError = (0, cli_errors_1.wrapCliConfigurationError)(cliError);
+    t.true(wrappedError instanceof util_1.ConfigurationError);
+    t.true(wrappedError.message.includes("For more information, see https://gh.io/troubleshooting-code-scanning/out-of-disk-or-memory"));
+});
+(0, ava_1.default)("wrapCliConfigurationError - gradle build failed", (t) => {
+    const commandError = new actions_util_1.CommandInvocationError("codeql", ["database", "create"], 1, "[autobuild] FAILURE: Build failed with an exception.");
+    const cliError = new cli_errors_1.CliError(commandError);
+    const wrappedError = (0, cli_errors_1.wrapCliConfigurationError)(cliError);
+    t.true(wrappedError instanceof util_1.ConfigurationError);
+});
+(0, ava_1.default)("wrapCliConfigurationError - maven build failed", (t) => {
+    const commandError = new actions_util_1.CommandInvocationError("codeql", ["database", "create"], 1, "[autobuild] [ERROR] Failed to execute goal");
+    const cliError = new cli_errors_1.CliError(commandError);
+    const wrappedError = (0, cli_errors_1.wrapCliConfigurationError)(cliError);
+    t.true(wrappedError instanceof util_1.ConfigurationError);
+});
+(0, ava_1.default)("wrapCliConfigurationError - swift build failed", (t) => {
+    const commandError = new actions_util_1.CommandInvocationError("codeql", ["database", "create"], 1, "[autobuilder/build] [build-command-failed] `autobuild` failed to run the build command");
+    const cliError = new cli_errors_1.CliError(commandError);
+    const wrappedError = (0, cli_errors_1.wrapCliConfigurationError)(cliError);
+    t.true(wrappedError instanceof util_1.ConfigurationError);
+});
+(0, ava_1.default)("wrapCliConfigurationError - pack cannot be found", (t) => {
+    const commandError = new actions_util_1.CommandInvocationError("codeql", ["pack", "install"], 1, "Query pack my-pack cannot be found. Check the spelling of the pack.");
+    const cliError = new cli_errors_1.CliError(commandError);
+    const wrappedError = (0, cli_errors_1.wrapCliConfigurationError)(cliError);
+    t.true(wrappedError instanceof util_1.ConfigurationError);
+});
+(0, ava_1.default)("wrapCliConfigurationError - pack missing auth", (t) => {
+    const commandError = new actions_util_1.CommandInvocationError("codeql", ["pack", "download"], 1, "GitHub Container registry returned 403 Forbidden");
+    const cliError = new cli_errors_1.CliError(commandError);
+    const wrappedError = (0, cli_errors_1.wrapCliConfigurationError)(cliError);
+    t.true(wrappedError instanceof util_1.ConfigurationError);
+});
+(0, ava_1.default)("wrapCliConfigurationError - invalid config file", (t) => {
+    const commandError = new actions_util_1.CommandInvocationError("codeql", ["database", "create"], 1, "Config file .codeql/config.yml is not valid");
+    const cliError = new cli_errors_1.CliError(commandError);
+    const wrappedError = (0, cli_errors_1.wrapCliConfigurationError)(cliError);
+    t.true(wrappedError instanceof util_1.ConfigurationError);
+});
+(0, ava_1.default)("wrapCliConfigurationError - incompatible CLI version", (t) => {
+    const commandError = new actions_util_1.CommandInvocationError("codeql", ["version"], 1, "is not compatible with this CodeQL CLI");
+    const cliError = new cli_errors_1.CliError(commandError);
+    const wrappedError = (0, cli_errors_1.wrapCliConfigurationError)(cliError);
+    t.true(wrappedError instanceof util_1.ConfigurationError);
+});
+(0, ava_1.default)("wrapCliConfigurationError - unknown error remains unchanged", (t) => {
+    const commandError = new actions_util_1.CommandInvocationError("codeql", ["version"], 1, "Some unknown error that doesn't match any patterns");
+    const cliError = new cli_errors_1.CliError(commandError);
+    const wrappedError = (0, cli_errors_1.wrapCliConfigurationError)(cliError);
+    // Should return the original CliError since it doesn't match any known patterns
+    t.is(wrappedError, cliError);
+    t.true(wrappedError instanceof cli_errors_1.CliError);
+    t.false(wrappedError instanceof util_1.ConfigurationError);
+});
+// Test all error categories to ensure they're properly configured
+(0, ava_1.default)("all CLI config error categories have valid configurations", (t) => {
+    const allCategories = Object.values(cli_errors_1.CliConfigErrorCategory);
+    for (const category of allCategories) {
+        // Each category should be a string
+        t.is(typeof category, "string");
+        // Create a test error that matches this category
+        let testError;
+        switch (category) {
+            case cli_errors_1.CliConfigErrorCategory.NoSourceCodeSeen:
+                // This category matches by exit code
+                testError = new cli_errors_1.CliError(new actions_util_1.CommandInvocationError("codeql", [], 32, "some error"));
+                break;
+            default:
+                // For other categories, we'll test with a generic message that should not match
+                testError = new cli_errors_1.CliError(new actions_util_1.CommandInvocationError("codeql", [], 1, "generic error"));
+                break;
+        }
+        // The test should not throw an error when processing
+        t.notThrows(() => (0, cli_errors_1.wrapCliConfigurationError)(testError));
+    }
+});
+//# sourceMappingURL=cli-errors.test.js.map
@@ -36,7 +36,7 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.setupCodeQL = setupCodeQL;
 exports.getCodeQL = getCodeQL;
 exports.setCodeQL = setCodeQL;
-exports.getCachedCodeQL = getCachedCodeQL;
+exports.createStubCodeQL = createStubCodeQL;
 exports.getCodeQLForTesting = getCodeQLForTesting;
 exports.getCodeQLForCmd = getCodeQLForCmd;
 exports.getExtraOptions = getExtraOptions;
@@ -50,6 +50,7 @@ const toolrunner = __importStar(require("@actions/exec/lib/toolrunner"));
 const yaml = __importStar(require("js-yaml"));
 const actions_util_1 = require("./actions-util");
 const cli_errors_1 = require("./cli-errors");
+const config_utils_1 = require("./config-utils");
 const doc_url_1 = require("./doc-url");
 const environment_1 = require("./environment");
 const feature_flags_1 = require("./feature-flags");
@@ -62,7 +63,6 @@ const util = __importStar(require("./util"));
 const util_1 = require("./util");
 /**
 * Stores the CodeQL object, and is populated by `setupCodeQL` or `getCodeQL`.
- * Can be overridden in tests using `setCodeQL`.
 */
 let cachedCodeQL = undefined;
 /**
@@ -77,15 +77,15 @@ const CODEQL_MINIMUM_VERSION = "2.16.6";
 /**
 * This version will shortly become the oldest version of CodeQL that the Action will run with.
 */
-const CODEQL_NEXT_MINIMUM_VERSION = "2.16.6";
+const CODEQL_NEXT_MINIMUM_VERSION = "2.17.6";
 /**
 * This is the version of GHES that was most recently deprecated.
 */
-const GHES_VERSION_MOST_RECENTLY_DEPRECATED = "3.12";
+const GHES_VERSION_MOST_RECENTLY_DEPRECATED = "3.13";
 /**
 * This is the deprecation date for the version of GHES that was most recently deprecated.
 */
-const GHES_MOST_RECENT_DEPRECATION_DATE = "2025-04-03";
+const GHES_MOST_RECENT_DEPRECATION_DATE = "2025-06-19";
 /** The CLI verbosity level to use for extraction in debug mode. */
 const EXTRACTION_DEBUG_MODE_VERBOSITY = "progress++";
 /*
@@ -112,9 +112,9 @@ const CODEQL_VERSION_CACHE_CLEANUP = "2.17.1";
 *        version requirement. Must be set to true outside tests.
 * @returns a { CodeQL, toolsVersion } object.
 */
-async function setupCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliVersion, logger, features, checkVersion) {
+async function setupCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliVersion, logger, checkVersion) {
    try {
-        const { codeqlFolder, toolsDownloadStatusReport, toolsSource, toolsVersion, zstdAvailability, } = await setupCodeql.setupCodeQLBundle(toolsInput, apiDetails, tempDir, variant, features, defaultCliVersion, logger);
+        const { codeqlFolder, toolsDownloadStatusReport, toolsSource, toolsVersion, zstdAvailability, } = await setupCodeql.setupCodeQLBundle(toolsInput, apiDetails, tempDir, variant, defaultCliVersion, logger);
        logger.debug(`Bundle download status report: ${JSON.stringify(toolsDownloadStatusReport)}`);
        let codeqlCmd = path.join(codeqlFolder, "codeql", "codeql");
        if (process.platform === "win32") {
@@ -149,6 +149,16 @@ async function getCodeQL(cmd) {
    }
    return cachedCodeQL;
 }
+/**
+ * Overrides the CodeQL object. Only for use in tests that cannot override
+ * CodeQL via dependency injection.
+ *
+ * Accepts a partial object. Any undefined methods will be implemented
+ * to immediately throw an exception indicating which method is missing.
+ */
+function setCodeQL(codeql) {
+    cachedCodeQL = createStubCodeQL(codeql);
+}
 function resolveFunction(partialCodeql, methodName, defaultImplementation) {
    if (typeof partialCodeql[methodName] !== "function") {
        if (defaultImplementation !== undefined) {
@@ -162,13 +172,13 @@ function resolveFunction(partialCodeql, methodName, defaultImplementation) {
    return partialCodeql[methodName];
 }
 /**
- * Set the functionality for CodeQL methods. Only for use in tests.
+ * Creates a stub CodeQL object. Only for use in tests.
 *
- * Accepts a partial object and any undefined methods will be implemented
+ * Accepts a partial object. Any undefined methods will be implemented
 * to immediately throw an exception indicating which method is missing.
 */
-function setCodeQL(partialCodeql) {
-    cachedCodeQL = {
+function createStubCodeQL(partialCodeql) {
+    return {
        getPath: resolveFunction(partialCodeql, "getPath", () => "/tmp/dummy-path"),
        getVersion: resolveFunction(partialCodeql, "getVersion", async () => ({
            version: "1.0.0",
@@ -176,6 +186,8 @@ function setCodeQL(partialCodeql) {
        printVersion: resolveFunction(partialCodeql, "printVersion"),
        supportsFeature: resolveFunction(partialCodeql, "supportsFeature", async (feature) => !!partialCodeql.getVersion &&
            (0, tools_features_1.isSupportedToolsFeature)(await partialCodeql.getVersion(), feature)),
+        isTracedLanguage: resolveFunction(partialCodeql, "isTracedLanguage"),
+        isScannedLanguage: resolveFunction(partialCodeql, "isScannedLanguage"),
        databaseInitCluster: resolveFunction(partialCodeql, "databaseInitCluster"),
        runAutobuild: resolveFunction(partialCodeql, "runAutobuild"),
        extractScannedLanguage: resolveFunction(partialCodeql, "extractScannedLanguage"),
@@ -183,10 +195,8 @@ function setCodeQL(partialCodeql) {
        finalizeDatabase: resolveFunction(partialCodeql, "finalizeDatabase"),
        resolveLanguages: resolveFunction(partialCodeql, "resolveLanguages"),
        betterResolveLanguages: resolveFunction(partialCodeql, "betterResolveLanguages", async () => ({ aliases: {}, extractors: {} })),
-        resolveQueries: resolveFunction(partialCodeql, "resolveQueries"),
        resolveBuildEnvironment: resolveFunction(partialCodeql, "resolveBuildEnvironment"),
-        packDownload: resolveFunction(partialCodeql, "packDownload"),
-        databaseCleanup: resolveFunction(partialCodeql, "databaseCleanup"),
+        databaseCleanupCluster: resolveFunction(partialCodeql, "databaseCleanupCluster"),
        databaseBundle: resolveFunction(partialCodeql, "databaseBundle"),
        databaseRunQueries: resolveFunction(partialCodeql, "databaseRunQueries"),
        databaseInterpretResults: resolveFunction(partialCodeql, "databaseInterpretResults"),
@@ -194,22 +204,9 @@ function setCodeQL(partialCodeql) {
        databaseExportDiagnostics: resolveFunction(partialCodeql, "databaseExportDiagnostics"),
        diagnosticsExport: resolveFunction(partialCodeql, "diagnosticsExport"),
        resolveExtractor: resolveFunction(partialCodeql, "resolveExtractor"),
+        resolveQueriesStartingPacks: resolveFunction(partialCodeql, "resolveQueriesStartingPacks"),
        mergeResults: resolveFunction(partialCodeql, "mergeResults"),
    };
-    return cachedCodeQL;
-}
-/**
- * Get the cached CodeQL object. Should only be used from tests.
- *
- * TODO: Work out a good way for tests to get this from the test context
- * instead of having to have this method.
- */
-function getCachedCodeQL() {
-    if (cachedCodeQL === undefined) {
-        // Should never happen as setCodeQL is called by testing-utils.setupTests
-        throw new Error("cachedCodeQL undefined");
-    }
-    return cachedCodeQL;
 }
 /**
 * Get a real, newly created CodeQL instance for testing. The instance refers to
@@ -254,6 +251,14 @@ async function getCodeQLForCmd(cmd, checkVersion) {
        async supportsFeature(feature) {
            return (0, tools_features_1.isSupportedToolsFeature)(await this.getVersion(), feature);
        },
+        async isTracedLanguage(language) {
+            const extractorPath = await this.resolveExtractor(language);
+            const tracingConfigPath = path.join(extractorPath, "tools", "tracing-config.lua");
+            return fs.existsSync(tracingConfigPath);
+        },
+        async isScannedLanguage(language) {
+            return !(await this.isTracedLanguage(language));
+        },
        async databaseInitCluster(config, sourceRoot, processName, qlconfigFile, logger) {
            const extraArgs = config.languages.map((language) => `--language=${language}`);
            if (await (0, tracer_config_1.shouldEnableIndirectTracing)(codeql, config)) {
@@ -261,7 +266,7 @@ async function getCodeQLForCmd(cmd, checkVersion) {
                extraArgs.push(...(await getTrapCachingExtractorConfigArgs(config)));
                extraArgs.push(`--trace-process-name=${processName}`);
            }
-            const codeScanningConfigFile = await generateCodeScanningConfig(config, logger);
+            const codeScanningConfigFile = await writeCodeScanningConfigFile(config, logger);
            const externalRepositoryToken = (0, actions_util_1.getOptionalInput)("external-repository-token");
            extraArgs.push(`--codescanning-config=${codeScanningConfigFile}`);
            if (externalRepositoryToken) {
@@ -413,25 +418,6 @@ async function getCodeQLForCmd(cmd, checkVersion) {
                throw new Error(`Unexpected output from codeql resolve languages with --format=betterjson: ${e}`);
            }
        },
-        async resolveQueries(queries, extraSearchPath) {
-            const codeqlArgs = [
-                "resolve",
-                "queries",
-                ...queries,
-                "--format=bylanguage",
-                ...getExtraOptionsFromEnv(["resolve", "queries"]),
-            ];
-            if (extraSearchPath !== undefined) {
-                codeqlArgs.push("--additional-packs", extraSearchPath);
-            }
-            const output = await runCli(cmd, codeqlArgs);
-            try {
-                return JSON.parse(output);
-            }
-            catch (e) {
-                throw new Error(`Unexpected output from codeql resolve queries: ${e}`);
-            }
-        },
        async resolveBuildEnvironment(workingDir, language) {
            const codeqlArgs = [
                "resolve",
@@ -521,62 +507,21 @@ async function getCodeQLForCmd(cmd, checkVersion) {
            ];
            return await runCli(cmd, codeqlArgs);
        },
-        /**
-         * Download specified packs into the package cache. If the specified
-         * package and version already exists (e.g., from a previous analysis run),
-         * then it is not downloaded again (unless the extra option `--force` is
-         * specified).
-         *
-         * If no version is specified, then the latest version is
-         * downloaded. The check to determine what the latest version is is done
-         * each time this package is requested.
-         *
-         * Optionally, a `qlconfigFile` is included. If used, then this file
-         * is used to determine which registry each pack is downloaded from.
-         */
-        async packDownload(packs, qlconfigFile) {
-            const qlconfigArg = qlconfigFile
-                ? [`--qlconfig-file=${qlconfigFile}`]
-                : [];
-            const codeqlArgs = [
-                "pack",
-                "download",
-                ...qlconfigArg,
-                "--format=json",
-                "--resolve-query-specs",
-                ...getExtraOptionsFromEnv(["pack", "download"]),
-                ...packs,
-            ];
-            const output = await runCli(cmd, codeqlArgs);
-            try {
-                const parsedOutput = JSON.parse(output);
-                if (Array.isArray(parsedOutput.packs) &&
-                    // TODO PackDownloadOutput will not include the version if it is not specified
-                    // in the input. The version is always the latest version available.
-                    // It should be added to the output, but this requires a CLI change
-                    parsedOutput.packs.every((p) => p.name /* && p.version */)) {
-                    return parsedOutput;
-                }
-                else {
-                    throw new Error("Unexpected output from pack download");
-                }
-            }
-            catch (e) {
-                throw new Error(`Attempted to download specified packs but got an error:\n${output}\n${e}`);
-            }
-        },
-        async databaseCleanup(databasePath, cleanupLevel) {
+        async databaseCleanupCluster(config, cleanupLevel) {
            const cacheCleanupFlag = (await util.codeQlVersionAtLeast(this, CODEQL_VERSION_CACHE_CLEANUP))
                ? "--cache-cleanup"
                : "--mode";
-            const codeqlArgs = [
-                "database",
-                "cleanup",
-                databasePath,
-                `${cacheCleanupFlag}=${cleanupLevel}`,
-                ...getExtraOptionsFromEnv(["database", "cleanup"]),
-            ];
-            await runCli(cmd, codeqlArgs);
+            for (const language of config.languages) {
+                const databasePath = util.getCodeQLDatabasePath(config, language);
+                const codeqlArgs = [
+                    "database",
+                    "cleanup",
+                    databasePath,
+                    `${cacheCleanupFlag}=${cleanupLevel}`,
+                    ...getExtraOptionsFromEnv(["database", "cleanup"]),
+                ];
+                await runCli(cmd, codeqlArgs);
+            }
        },
        async databaseBundle(databasePath, outputFilePath, databaseName) {
            const args = [
@@ -644,6 +589,22 @@ async function getCodeQLForCmd(cmd, checkVersion) {
            }).exec();
            return JSON.parse(extractorPath);
        },
+        async resolveQueriesStartingPacks(queries) {
+            const codeqlArgs = [
+                "resolve",
+                "queries",
+                "--format=startingpacks",
+                ...getExtraOptionsFromEnv(["resolve", "queries"]),
+                ...queries,
+            ];
+            const output = await runCli(cmd, codeqlArgs, { noStreamStdout: true });
+            try {
+                return JSON.parse(output);
+            }
+            catch (e) {
+                throw new Error(`Unexpected output from codeql resolve queries --format=startingpacks: ${e}`);
+            }
+        },
        async mergeResults(sarifFiles, outputFile, { mergeRunsFromEqualCategory = false, }) {
            const args = [
                "github",
@@ -756,57 +717,9 @@ async function runCli(cmd, args = [], opts = {}) {
 * @param config The configuration to use.
 * @returns the path to the generated user configuration file.
 */
-async function generateCodeScanningConfig(config, logger) {
+async function writeCodeScanningConfigFile(config, logger) {
    const codeScanningConfigFile = getGeneratedCodeScanningConfigPath(config);
-    // make a copy so we can modify it
-    const augmentedConfig = (0, util_1.cloneObject)(config.originalUserInput);
-    // Inject the queries from the input
-    if (config.augmentationProperties.queriesInput) {
-        if (config.augmentationProperties.queriesInputCombines) {
-            augmentedConfig.queries = (augmentedConfig.queries || []).concat(config.augmentationProperties.queriesInput);
-        }
-        else {
-            augmentedConfig.queries = config.augmentationProperties.queriesInput;
-        }
-    }
-    if (augmentedConfig.queries?.length === 0) {
-        delete augmentedConfig.queries;
-    }
-    // Inject the packs from the input
-    if (config.augmentationProperties.packsInput) {
-        if (config.augmentationProperties.packsInputCombines) {
-            // At this point, we already know that this is a single-language analysis
-            if (Array.isArray(augmentedConfig.packs)) {
-                augmentedConfig.packs = (augmentedConfig.packs || []).concat(config.augmentationProperties.packsInput);
-            }
-            else if (!augmentedConfig.packs) {
-                augmentedConfig.packs = config.augmentationProperties.packsInput;
-            }
-            else {
-                // At this point, we know there is only one language.
-                // If there were more than one language, an error would already have been thrown.
-                const language = Object.keys(augmentedConfig.packs)[0];
-                augmentedConfig.packs[language] = augmentedConfig.packs[language].concat(config.augmentationProperties.packsInput);
-            }
-        }
-        else {
-            augmentedConfig.packs = config.augmentationProperties.packsInput;
-        }
-    }
-    if (Array.isArray(augmentedConfig.packs) && !augmentedConfig.packs.length) {
-        delete augmentedConfig.packs;
-    }
-    augmentedConfig["query-filters"] = [
-        // Ordering matters. If the first filter is an inclusion, it implicitly
-        // excludes all queries that are not included. If it is an exclusion,
-        // it implicitly includes all queries that are not excluded. So user
-        // filters (if any) should always be first to preserve intent.
-        ...(augmentedConfig["query-filters"] || []),
-        ...(config.augmentationProperties.extraQueryExclusions || []),
-    ];
-    if (augmentedConfig["query-filters"]?.length === 0) {
-        delete augmentedConfig["query-filters"];
-    }
+    const augmentedConfig = (0, config_utils_1.generateCodeScanningConfig)(config.originalUserInput, config.augmentationProperties);
    logger.info(`Writing augmented user configuration file to ${codeScanningConfigFile}`);
    logger.startGroup("Augmented user configuration file contents");
    logger.info(yaml.dump(augmentedConfig));
@@ -61,18 +61,17 @@ const util = __importStar(require("./util"));
 const util_1 = require("./util");
 (0, testing_utils_1.setupTests)(ava_1.default);
 let stubConfig;
-const NO_FEATURES = (0, testing_utils_1.createFeatures)([]);
 ava_1.default.beforeEach(() => {
    (0, util_1.initializeEnvironment)("1.2.3");
    stubConfig = (0, testing_utils_1.createTestConfig)({
-        languages: [languages_1.Language.cpp],
+        languages: [languages_1.KnownLanguage.cpp],
    });
 });
 async function installIntoToolcache({ apiDetails = testing_utils_1.SAMPLE_DOTCOM_API_DETAILS, cliVersion, isPinned, tagName, tmpDir, }) {
    const url = (0, testing_utils_1.mockBundleDownloadApi)({ apiDetails, isPinned, tagName });
    await codeql.setupCodeQL(cliVersion !== undefined ? undefined : url, apiDetails, tmpDir, util.GitHubVariant.GHES, cliVersion !== undefined
        ? { cliVersion, tagName }
-        : testing_utils_1.SAMPLE_DEFAULT_CLI_VERSION, (0, logging_1.getRunnerLogger)(true), NO_FEATURES, false);
+        : testing_utils_1.SAMPLE_DEFAULT_CLI_VERSION, (0, logging_1.getRunnerLogger)(true), false);
 }
 function mockReleaseApi({ apiDetails = testing_utils_1.SAMPLE_DOTCOM_API_DETAILS, assetNames, tagName, }) {
    return (0, nock_1.default)(apiDetails.apiURL)
@@ -96,6 +95,15 @@ function mockApiDetails(apiDetails) {
    process.env["GITHUB_SERVER_URL"] = apiDetails.url;
    process.env["GITHUB_API_URL"] = apiDetails.apiURL || "";
 }
+async function stubCodeql() {
+    const codeqlObject = await codeql.getCodeQLForTesting();
+    sinon.stub(codeqlObject, "getVersion").resolves((0, testing_utils_1.makeVersionInfo)("2.17.6"));
+    sinon
+        .stub(codeqlObject, "isTracedLanguage")
+        .withArgs(languages_1.KnownLanguage.cpp)
+        .resolves(true);
+    return codeqlObject;
+}
 (0, ava_1.default)("downloads and caches explicitly requested bundles that aren't in the toolcache", async (t) => {
    await util.withTmpDir(async (tmpDir) => {
        (0, testing_utils_1.setupActionsVars)(tmpDir, tmpDir);
@@ -106,7 +114,7 @@ function mockApiDetails(apiDetails) {
                tagName: `codeql-bundle-${version}`,
                isPinned: false,
            });
-            const result = await codeql.setupCodeQL(url, testing_utils_1.SAMPLE_DOTCOM_API_DETAILS, tmpDir, util.GitHubVariant.DOTCOM, testing_utils_1.SAMPLE_DEFAULT_CLI_VERSION, (0, logging_1.getRunnerLogger)(true), NO_FEATURES, false);
+            const result = await codeql.setupCodeQL(url, testing_utils_1.SAMPLE_DOTCOM_API_DETAILS, tmpDir, util.GitHubVariant.DOTCOM, testing_utils_1.SAMPLE_DEFAULT_CLI_VERSION, (0, logging_1.getRunnerLogger)(true), false);
            t.assert(toolcache.find("CodeQL", `0.0.0-${version}`));
            t.is(result.toolsVersion, `0.0.0-${version}`);
            t.is(result.toolsSource, setup_codeql_1.ToolsSource.Download);
@@ -121,7 +129,7 @@ function mockApiDetails(apiDetails) {
            tagName: `codeql-bundle-v2.15.0`,
            isPinned: false,
        });
-        const result = await codeql.setupCodeQL(url, testing_utils_1.SAMPLE_DOTCOM_API_DETAILS, tmpDir, util.GitHubVariant.DOTCOM, testing_utils_1.SAMPLE_DEFAULT_CLI_VERSION, (0, logging_1.getRunnerLogger)(true), NO_FEATURES, false);
+        const result = await codeql.setupCodeQL(url, testing_utils_1.SAMPLE_DOTCOM_API_DETAILS, tmpDir, util.GitHubVariant.DOTCOM, testing_utils_1.SAMPLE_DEFAULT_CLI_VERSION, (0, logging_1.getRunnerLogger)(true), false);
        t.is(toolcache.findAllVersions("CodeQL").length, 1);
        t.assert(toolcache.find("CodeQL", `2.15.0`));
        t.is(result.toolsVersion, `2.15.0`);
@@ -142,7 +150,7 @@ function mockApiDetails(apiDetails) {
        const url = (0, testing_utils_1.mockBundleDownloadApi)({
            tagName: "codeql-bundle-20200610",
        });
-        const result = await codeql.setupCodeQL(url, testing_utils_1.SAMPLE_DOTCOM_API_DETAILS, tmpDir, util.GitHubVariant.DOTCOM, testing_utils_1.SAMPLE_DEFAULT_CLI_VERSION, (0, logging_1.getRunnerLogger)(true), NO_FEATURES, false);
+        const result = await codeql.setupCodeQL(url, testing_utils_1.SAMPLE_DOTCOM_API_DETAILS, tmpDir, util.GitHubVariant.DOTCOM, testing_utils_1.SAMPLE_DEFAULT_CLI_VERSION, (0, logging_1.getRunnerLogger)(true), false);
        t.assert(toolcache.find("CodeQL", "0.0.0-20200610"));
        t.deepEqual(result.toolsVersion, "0.0.0-20200610");
        t.is(result.toolsSource, setup_codeql_1.ToolsSource.Download);
@@ -170,7 +178,7 @@ for (const { tagName, expectedToolcacheVersion, } of EXPLICITLY_REQUESTED_BUNDLE
            const url = (0, testing_utils_1.mockBundleDownloadApi)({
                tagName,
            });
-            const result = await codeql.setupCodeQL(url, testing_utils_1.SAMPLE_DOTCOM_API_DETAILS, tmpDir, util.GitHubVariant.DOTCOM, testing_utils_1.SAMPLE_DEFAULT_CLI_VERSION, (0, logging_1.getRunnerLogger)(true), NO_FEATURES, false);
+            const result = await codeql.setupCodeQL(url, testing_utils_1.SAMPLE_DOTCOM_API_DETAILS, tmpDir, util.GitHubVariant.DOTCOM, testing_utils_1.SAMPLE_DEFAULT_CLI_VERSION, (0, logging_1.getRunnerLogger)(true), false);
            t.assert(toolcache.find("CodeQL", expectedToolcacheVersion));
            t.deepEqual(result.toolsVersion, expectedToolcacheVersion);
            t.is(result.toolsSource, setup_codeql_1.ToolsSource.Download);
@@ -193,7 +201,7 @@ for (const toolcacheVersion of [
                .withArgs("CodeQL", toolcacheVersion)
                .returns("path/to/cached/codeql");
            sinon.stub(toolcache, "findAllVersions").returns([toolcacheVersion]);
-            const result = await codeql.setupCodeQL(undefined, testing_utils_1.SAMPLE_DOTCOM_API_DETAILS, tmpDir, util.GitHubVariant.DOTCOM, testing_utils_1.SAMPLE_DEFAULT_CLI_VERSION, (0, logging_1.getRunnerLogger)(true), NO_FEATURES, false);
+            const result = await codeql.setupCodeQL(undefined, testing_utils_1.SAMPLE_DOTCOM_API_DETAILS, tmpDir, util.GitHubVariant.DOTCOM, testing_utils_1.SAMPLE_DEFAULT_CLI_VERSION, (0, logging_1.getRunnerLogger)(true), false);
            t.is(result.toolsVersion, testing_utils_1.SAMPLE_DEFAULT_CLI_VERSION.cliVersion);
            t.is(result.toolsSource, setup_codeql_1.ToolsSource.Toolcache);
            t.is(result.toolsDownloadStatusReport?.combinedDurationMs, undefined);
@@ -213,7 +221,7 @@ for (const toolcacheVersion of [
        const result = await codeql.setupCodeQL(undefined, testing_utils_1.SAMPLE_DOTCOM_API_DETAILS, tmpDir, util.GitHubVariant.GHES, {
            cliVersion: defaults.cliVersion,
            tagName: defaults.bundleVersion,
-        }, (0, logging_1.getRunnerLogger)(true), NO_FEATURES, false);
+        }, (0, logging_1.getRunnerLogger)(true), false);
        t.deepEqual(result.toolsVersion, "0.0.0-20200601");
        t.is(result.toolsSource, setup_codeql_1.ToolsSource.Toolcache);
        t.is(result.toolsDownloadStatusReport?.combinedDurationMs, undefined);
@@ -237,7 +245,7 @@ for (const toolcacheVersion of [
        const result = await codeql.setupCodeQL(undefined, testing_utils_1.SAMPLE_DOTCOM_API_DETAILS, tmpDir, util.GitHubVariant.GHES, {
            cliVersion: defaults.cliVersion,
            tagName: defaults.bundleVersion,
-        }, (0, logging_1.getRunnerLogger)(true), NO_FEATURES, false);
+        }, (0, logging_1.getRunnerLogger)(true), false);
        t.deepEqual(result.toolsVersion, defaults.cliVersion);
        t.is(result.toolsSource, setup_codeql_1.ToolsSource.Download);
        if (result.toolsDownloadStatusReport) {
@@ -258,7 +266,7 @@ for (const toolcacheVersion of [
        (0, testing_utils_1.mockBundleDownloadApi)({
            tagName: defaults.bundleVersion,
        });
-        const result = await codeql.setupCodeQL("latest", testing_utils_1.SAMPLE_DOTCOM_API_DETAILS, tmpDir, util.GitHubVariant.DOTCOM, testing_utils_1.SAMPLE_DEFAULT_CLI_VERSION, (0, logging_1.getRunnerLogger)(true), NO_FEATURES, false);
+        const result = await codeql.setupCodeQL("latest", testing_utils_1.SAMPLE_DOTCOM_API_DETAILS, tmpDir, util.GitHubVariant.DOTCOM, testing_utils_1.SAMPLE_DEFAULT_CLI_VERSION, (0, logging_1.getRunnerLogger)(true), false);
        t.deepEqual(result.toolsVersion, defaults.cliVersion);
        t.is(result.toolsSource, setup_codeql_1.ToolsSource.Download);
        if (result.toolsDownloadStatusReport) {
@@ -282,7 +290,7 @@ for (const toolcacheVersion of [
            platformSpecific: false,
            tagName: "codeql-bundle-20230203",
        });
-        const result = await codeql.setupCodeQL("https://github.com/codeql-testing/codeql-cli-nightlies/releases/download/codeql-bundle-20230203/codeql-bundle.tar.gz", testing_utils_1.SAMPLE_DOTCOM_API_DETAILS, tmpDir, util.GitHubVariant.DOTCOM, testing_utils_1.SAMPLE_DEFAULT_CLI_VERSION, (0, logging_1.getRunnerLogger)(true), NO_FEATURES, false);
+        const result = await codeql.setupCodeQL("https://github.com/codeql-testing/codeql-cli-nightlies/releases/download/codeql-bundle-20230203/codeql-bundle.tar.gz", testing_utils_1.SAMPLE_DOTCOM_API_DETAILS, tmpDir, util.GitHubVariant.DOTCOM, testing_utils_1.SAMPLE_DEFAULT_CLI_VERSION, (0, logging_1.getRunnerLogger)(true), false);
        t.is(result.toolsVersion, "0.0.0-20230203");
        t.is(result.toolsSource, setup_codeql_1.ToolsSource.Download);
        if (result.toolsDownloadStatusReport) {
@@ -328,8 +336,7 @@ const injectedConfigMacro = ava_1.default.macro({
    exec: async (t, augmentationProperties, configOverride, expectedConfig) => {
        await util.withTmpDir(async (tempDir) => {
            const runnerConstructorStub = stubToolRunnerConstructor();
-            const codeqlObject = await codeql.getCodeQLForTesting();
-            sinon.stub(codeqlObject, "getVersion").resolves((0, testing_utils_1.makeVersionInfo)("1.0.0"));
+            const codeqlObject = await stubCodeql();
            const thisStubConfig = {
                ...stubConfig,
                ...configOverride,
@@ -467,8 +474,7 @@ const injectedConfigMacro = ava_1.default.macro({
 (0, ava_1.default)("passes a code scanning config AND qlconfig to the CLI", async (t) => {
    await util.withTmpDir(async (tempDir) => {
        const runnerConstructorStub = stubToolRunnerConstructor();
-        const codeqlObject = await codeql.getCodeQLForTesting();
-        sinon.stub(codeqlObject, "getVersion").resolves((0, testing_utils_1.makeVersionInfo)("2.17.6"));
+        const codeqlObject = await stubCodeql();
        await codeqlObject.databaseInitCluster({ ...stubConfig, tempDir }, "", undefined, "/path/to/qlconfig.yml", (0, logging_1.getRunnerLogger)(true));
        const args = runnerConstructorStub.firstCall.args[1];
        // should have used a config file
@@ -482,8 +488,7 @@ const injectedConfigMacro = ava_1.default.macro({
 (0, ava_1.default)("does not pass a qlconfig to the CLI when it is undefined", async (t) => {
    await util.withTmpDir(async (tempDir) => {
        const runnerConstructorStub = stubToolRunnerConstructor();
-        const codeqlObject = await codeql.getCodeQLForTesting();
-        sinon.stub(codeqlObject, "getVersion").resolves((0, testing_utils_1.makeVersionInfo)("2.17.6"));
+        const codeqlObject = await stubCodeql();
        await codeqlObject.databaseInitCluster({ ...stubConfig, tempDir }, "", undefined, undefined, // undefined qlconfigFile
        (0, logging_1.getRunnerLogger)(true));
        const args = runnerConstructorStub.firstCall.args[1];
@@ -543,8 +548,7 @@ for (const { codeqlVersion, flagPassed, githubVersion, negativeFlagPassed, } of
    const cliStderr = `Running TRAP import for CodeQL database at /home/runner/work/_temp/codeql_databases/javascript...\n` +
        `${heapError}\n${datasetImportError}.`;
    stubToolRunnerConstructor(32, cliStderr);
-    const codeqlObject = await codeql.getCodeQLForTesting();
-    sinon.stub(codeqlObject, "getVersion").resolves((0, testing_utils_1.makeVersionInfo)("2.17.6"));
+    const codeqlObject = await stubCodeql();
    // io throws because of the test CodeQL object.
    sinon.stub(io, "which").resolves("");
    await t.throwsAsync(async () => await codeqlObject.finalizeDatabase("db", "--threads=2", "--ram=2048", false), {
@@ -570,7 +574,7 @@ for (const { codeqlVersion, flagPassed, githubVersion, negativeFlagPassed, } of
    sinon.stub(codeqlObject, "resolveExtractor").resolves("/path/to/extractor");
    // io throws because of the test CodeQL object.
    sinon.stub(io, "which").resolves("");
-    await t.throwsAsync(async () => await codeqlObject.runAutobuild(stubConfig, languages_1.Language.java), {
+    await t.throwsAsync(async () => await codeqlObject.runAutobuild(stubConfig, languages_1.KnownLanguage.java), {
        instanceOf: util.ConfigurationError,
        message: "We were unable to automatically build your code. Please provide manual build steps. " +
            `See ${doc_url_1.DocUrl.AUTOMATIC_BUILD_FAILED} for more information. ` +
@@ -583,12 +587,11 @@ for (const { codeqlVersion, flagPassed, githubVersion, negativeFlagPassed, } of
 (0, ava_1.default)("runTool truncates long autobuilder errors", async (t) => {
    const stderr = Array.from({ length: 20 }, (_, i) => `[2019-09-18 12:00:00] [autobuild] [ERROR] line${i + 1}`).join("\n");
    stubToolRunnerConstructor(1, stderr);
-    const codeqlObject = await codeql.getCodeQLForTesting();
-    sinon.stub(codeqlObject, "getVersion").resolves((0, testing_utils_1.makeVersionInfo)("2.17.6"));
+    const codeqlObject = await stubCodeql();
    sinon.stub(codeqlObject, "resolveExtractor").resolves("/path/to/extractor");
    // io throws because of the test CodeQL object.
    sinon.stub(io, "which").resolves("");
-    await t.throwsAsync(async () => await codeqlObject.runAutobuild(stubConfig, languages_1.Language.java), {
+    await t.throwsAsync(async () => await codeqlObject.runAutobuild(stubConfig, languages_1.KnownLanguage.java), {
        instanceOf: util.ConfigurationError,
        message: "We were unable to automatically build your code. Please provide manual build steps. " +
            `See ${doc_url_1.DocUrl.AUTOMATIC_BUILD_FAILED} for more information. ` +
@@ -618,8 +621,7 @@ for (const { codeqlVersion, flagPassed, githubVersion, negativeFlagPassed, } of
 (0, ava_1.default)("runTool outputs last line of stderr if fatal error could not be found", async (t) => {
    const cliStderr = "line1\nline2\nline3\nline4\nline5";
    stubToolRunnerConstructor(32, cliStderr);
-    const codeqlObject = await codeql.getCodeQLForTesting();
-    sinon.stub(codeqlObject, "getVersion").resolves((0, testing_utils_1.makeVersionInfo)("2.17.6"));
+    const codeqlObject = await stubCodeql();
    // io throws because of the test CodeQL object.
    sinon.stub(io, "which").resolves("");
    await t.throwsAsync(async () => await codeqlObject.finalizeDatabase("db", "--threads=2", "--ram=2048", false), {
@@ -630,8 +632,7 @@ for (const { codeqlVersion, flagPassed, githubVersion, negativeFlagPassed, } of
 });
 (0, ava_1.default)("Avoids duplicating --overwrite flag if specified in CODEQL_ACTION_EXTRA_OPTIONS", async (t) => {
    const runnerConstructorStub = stubToolRunnerConstructor();
-    const codeqlObject = await codeql.getCodeQLForTesting();
-    sinon.stub(codeqlObject, "getVersion").resolves((0, testing_utils_1.makeVersionInfo)("2.17.6"));
+    const codeqlObject = await stubCodeql();
    // io throws because of the test CodeQL object.
    sinon.stub(io, "which").resolves("");
    process.env["CODEQL_ACTION_EXTRA_OPTIONS"] =
@@ -42,8 +42,11 @@ exports.getConfigFileFormatInvalidMessage = getConfigFileFormatInvalidMessage;
 exports.getConfigFileDirectoryGivenMessage = getConfigFileDirectoryGivenMessage;
 exports.getNoLanguagesError = getNoLanguagesError;
 exports.getUnknownLanguagesError = getUnknownLanguagesError;
-exports.getLanguagesInRepo = getLanguagesInRepo;
+exports.getSupportedLanguageMap = getSupportedLanguageMap;
+exports.hasActionsWorkflows = hasActionsWorkflows;
+exports.getRawLanguagesInRepo = getRawLanguagesInRepo;
 exports.getLanguages = getLanguages;
+exports.getRawLanguagesNoAutodetect = getRawLanguagesNoAutodetect;
 exports.getRawLanguages = getRawLanguages;
 exports.getDefaultConfig = getDefaultConfig;
 exports.calculateAugmentation = calculateAugmentation;
@@ -58,6 +61,7 @@ exports.getConfig = getConfig;
 exports.generateRegistries = generateRegistries;
 exports.wrapEnvironment = wrapEnvironment;
 exports.parseBuildModeInput = parseBuildModeInput;
+exports.generateCodeScanningConfig = generateCodeScanningConfig;
 const fs = __importStar(require("fs"));
 const path = __importStar(require("path"));
 const perf_hooks_1 = require("perf_hooks");
@@ -126,29 +130,63 @@ function getNoLanguagesError() {
 function getUnknownLanguagesError(languages) {
    return `Did not recognize the following languages: ${languages.join(", ")}`;
 }
+async function getSupportedLanguageMap(codeql) {
+    const resolveResult = await codeql.betterResolveLanguages();
+    const supportedLanguages = {};
+    // Populate canonical language names
+    for (const extractor of Object.keys(resolveResult.extractors)) {
+        // Require the language to be a known language.
+        // This is a temporary workaround since we have extractors that are not
+        // supported languages, such as `csv`, `html`, `properties`, `xml`, and
+        // `yaml`. We should replace this with a more robust solution in the future.
+        if (languages_1.KnownLanguage[extractor] !== undefined) {
+            supportedLanguages[extractor] = extractor;
+        }
+    }
+    // Populate language aliases
+    if (resolveResult.aliases) {
+        for (const [alias, extractor] of Object.entries(resolveResult.aliases)) {
+            supportedLanguages[alias] = extractor;
+        }
+    }
+    return supportedLanguages;
+}
+const baseWorkflowsPath = ".github/workflows";
 /**
- * Gets the set of languages in the current repository that are
- * scannable by CodeQL.
+ * Determines if there exists a `.github/workflows` directory with at least
+ * one file in it, which we use as an indicator that there are Actions
+ * workflows in the workspace. This doesn't perfectly detect whether there
+ * are actually workflows, but should be a good approximation.
+ *
+ * Alternatively, we could check specifically for yaml files, or call the
+ * API to check if it knows about workflows.
+ *
+ * @returns True if the non-empty directory exists, false if not.
 */
-async function getLanguagesInRepo(repository, logger) {
-    logger.debug(`GitHub repo ${repository.owner} ${repository.repo}`);
+function hasActionsWorkflows(sourceRoot) {
+    const workflowsPath = path.resolve(sourceRoot, baseWorkflowsPath);
+    const stats = fs.lstatSync(workflowsPath);
+    return (stats !== undefined &&
+        stats.isDirectory() &&
+        fs.readdirSync(workflowsPath).length > 0);
+}
+/**
+ * Gets the set of languages in the current repository.
+ */
+async function getRawLanguagesInRepo(repository, sourceRoot, logger) {
+    logger.debug(`Automatically detecting languages (${repository.owner}/${repository.repo})`);
    const response = await api.getApiClient().rest.repos.listLanguages({
        owner: repository.owner,
        repo: repository.repo,
    });
    logger.debug(`Languages API response: ${JSON.stringify(response)}`);
-    // The GitHub API is going to return languages in order of popularity,
-    // When we pick a language to autobuild we want to pick the most popular traced language
-    // Since sets in javascript maintain insertion order, using a set here and then splatting it
-    // into an array gives us an array of languages ordered by popularity
-    const languages = new Set();
-    for (const lang of Object.keys(response.data)) {
-        const parsedLang = (0, languages_1.parseLanguage)(lang);
-        if (parsedLang !== undefined) {
-            languages.add(parsedLang);
-        }
+    const result = Object.keys(response.data).map((language) => language.trim().toLowerCase());
+    if (hasActionsWorkflows(sourceRoot)) {
+        logger.debug(`Found a .github/workflows directory`);
+        result.push("actions");
    }
-    return [...languages];
+    logger.debug(`Raw languages in repository: ${result.join(", ")}`);
+    return result;
 }
 /**
 * Get the languages to analyse.
@@ -160,48 +198,44 @@ async function getLanguagesInRepo(repository, logger) {
 * If no languages could be detected from either the workflow or the repository
 * then throw an error.
 */
-async function getLanguages(codeQL, languagesInput, repository, logger) {
+async function getLanguages(codeql, languagesInput, repository, sourceRoot, logger) {
    // Obtain languages without filtering them.
-    const { rawLanguages, autodetected } = await getRawLanguages(languagesInput, repository, logger);
-    let languages = rawLanguages;
-    if (autodetected) {
-        const supportedLanguages = Object.keys(await codeQL.resolveLanguages());
-        languages = languages
-            .map(languages_1.parseLanguage)
-            .filter((value) => value && supportedLanguages.includes(value))
-            .map((value) => value);
-        logger.info(`Automatically detected languages: ${languages.join(", ")}`);
-    }
-    else {
-        const aliases = (await codeQL.betterResolveLanguages()).aliases;
-        if (aliases) {
-            languages = languages.map((lang) => aliases[lang] || lang);
+    const { rawLanguages, autodetected } = await getRawLanguages(languagesInput, repository, sourceRoot, logger);
+    const languageMap = await getSupportedLanguageMap(codeql);
+    const languagesSet = new Set();
+    const unknownLanguages = [];
+    // Make sure they are supported
+    for (const language of rawLanguages) {
+        const extractorName = languageMap[language];
+        if (extractorName === undefined) {
+            unknownLanguages.push(language);
        }
-        logger.info(`Languages from configuration: ${languages.join(", ")}`);
+        else {
+            languagesSet.add(extractorName);
+        }
+    }
+    const languages = Array.from(languagesSet);
+    if (!autodetected && unknownLanguages.length > 0) {
+        throw new util_1.ConfigurationError(getUnknownLanguagesError(unknownLanguages));
    }
    // If the languages parameter was not given and no languages were
    // detected then fail here as this is a workflow configuration error.
    if (languages.length === 0) {
        throw new util_1.ConfigurationError(getNoLanguagesError());
    }
-    // Make sure they are supported
-    const parsedLanguages = [];
-    const unknownLanguages = [];
-    for (const language of languages) {
-        const parsedLanguage = (0, languages_1.parseLanguage)(language);
-        if (parsedLanguage === undefined) {
-            unknownLanguages.push(language);
-        }
-        else if (!parsedLanguages.includes(parsedLanguage)) {
-            parsedLanguages.push(parsedLanguage);
-        }
+    if (autodetected) {
+        logger.info(`Autodetected languages: ${languages.join(", ")}`);
    }
-    // Any unknown languages here would have come directly from the input
-    // since we filter unknown languages coming from the GitHub API.
-    if (unknownLanguages.length > 0) {
-        throw new util_1.ConfigurationError(getUnknownLanguagesError(unknownLanguages));
+    else {
+        logger.info(`Languages from configuration: ${languages.join(", ")}`);
    }
-    return parsedLanguages;
+    return languages;
+}
+function getRawLanguagesNoAutodetect(languagesInput) {
+    return (languagesInput || "")
+        .split(",")
+        .map((x) => x.trim().toLowerCase())
+        .filter((x) => x.length > 0);
 }
 /**
 * Gets the set of languages in the current repository without checking to
@@ -213,30 +247,25 @@ async function getLanguages(codeQL, languagesInput, repository, logger) {
 * @returns A tuple containing a list of languages in this repository that might be
 * analyzable and whether or not this list was determined automatically.
 */
-async function getRawLanguages(languagesInput, repository, logger) {
-    // Obtain from action input 'languages' if set
-    let rawLanguages = (languagesInput || "")
-        .split(",")
-        .map((x) => x.trim().toLowerCase())
-        .filter((x) => x.length > 0);
-    let autodetected;
-    if (rawLanguages.length) {
-        autodetected = false;
+async function getRawLanguages(languagesInput, repository, sourceRoot, logger) {
+    // If the user has specified languages, use those.
+    const languagesFromInput = getRawLanguagesNoAutodetect(languagesInput);
+    if (languagesFromInput.length > 0) {
+        return { rawLanguages: languagesFromInput, autodetected: false };
    }
-    else {
-        autodetected = true;
-        // Obtain all languages in the repo that can be analysed
-        rawLanguages = (await getLanguagesInRepo(repository, logger));
-    }
-    return { rawLanguages, autodetected };
+    // Otherwise, autodetect languages in the repository.
+    return {
+        rawLanguages: await getRawLanguagesInRepo(repository, sourceRoot, logger),
+        autodetected: true,
+    };
 }
 /**
- * Get the default config for when the user has not supplied one.
+ * Get the default config, populated without user configuration file.
 */
 async function getDefaultConfig({ languagesInput, queriesInput, qualityQueriesInput, packsInput, buildModeInput, dbLocation, trapCachingEnabled, dependencyCachingEnabled, debugMode, debugArtifactName, debugDatabaseName, repository, tempDir, codeql, sourceRoot, githubVersion, features, logger, }) {
-    const languages = await getLanguages(codeql, languagesInput, repository, logger);
+    const languages = await getLanguages(codeql, languagesInput, repository, sourceRoot, logger);
    const buildMode = await parseBuildModeInput(buildModeInput, languages, features, logger);
-    const augmentationProperties = await calculateAugmentation(codeql, repository, features, packsInput, queriesInput, qualityQueriesInput, languages, sourceRoot, buildMode, logger);
+    const augmentationProperties = await calculateAugmentation(packsInput, queriesInput, qualityQueriesInput, languages);
    const { trapCaches, trapCacheDownloadTime } = await downloadCacheWithTime(trapCachingEnabled, codeql, languages, logger);
    return {
        languages,
@@ -265,11 +294,7 @@ async function downloadCacheWithTime(trapCachingEnabled, codeQL, languages, logg
    }
    return { trapCaches, trapCacheDownloadTime };
 }
-/**
- * Load the config from the given file.
- */
-async function loadConfig({ languagesInput, queriesInput, qualityQueriesInput, packsInput, buildModeInput, configFile, dbLocation, trapCachingEnabled, dependencyCachingEnabled, debugMode, debugArtifactName, debugDatabaseName, repository, tempDir, codeql, workspacePath, sourceRoot, githubVersion, apiDetails, features, logger, }) {
-    let parsedYAML;
+async function loadUserConfig(configFile, workspacePath, apiDetails, tempDir) {
    if (isLocal(configFile)) {
        if (configFile !== userConfigFromActionPath(tempDir)) {
            // If the config file is not generated by the Action, it should be relative to the workspace.
@@ -279,31 +304,11 @@ async function loadConfig({ languagesInput, queriesInput, qualityQueriesInput, p
                throw new util_1.ConfigurationError(getConfigFileOutsideWorkspaceErrorMessage(configFile));
            }
        }
-        parsedYAML = getLocalConfig(configFile);
+        return getLocalConfig(configFile);
    }
    else {
-        parsedYAML = await getRemoteConfig(configFile, apiDetails);
+        return await getRemoteConfig(configFile, apiDetails);
    }
-    const languages = await getLanguages(codeql, languagesInput, repository, logger);
-    const buildMode = await parseBuildModeInput(buildModeInput, languages, features, logger);
-    const augmentationProperties = await calculateAugmentation(codeql, repository, features, packsInput, queriesInput, qualityQueriesInput, languages, sourceRoot, buildMode, logger);
-    const { trapCaches, trapCacheDownloadTime } = await downloadCacheWithTime(trapCachingEnabled, codeql, languages, logger);
-    return {
-        languages,
-        buildMode,
-        originalUserInput: parsedYAML,
-        tempDir,
-        codeQLCmd: codeql.getPath(),
-        gitHubVersion: githubVersion,
-        dbLocation: dbLocationOrDefault(dbLocation, tempDir),
-        debugMode,
-        debugArtifactName,
-        debugDatabaseName,
-        augmentationProperties,
-        trapCaches,
-        trapCacheDownloadTime,
-        dependencyCachingEnabled: (0, caching_utils_1.getCachingKind)(dependencyCachingEnabled),
-    };
 }
 /**
 * Calculates how the codeql config file needs to be augmented before passing
@@ -312,17 +317,11 @@ async function loadConfig({ languagesInput, queriesInput, qualityQueriesInput, p
 * and the CLI does not know about these inputs so we need to inject them into
 * the config file sent to the CLI.
 *
- * @param codeql The CodeQL object.
- * @param repository The repository to analyze.
- * @param features The feature enablement object.
 * @param rawPacksInput The packs input from the action configuration.
 * @param rawQueriesInput The queries input from the action configuration.
 * @param languages The languages that the config file is for. If the packs input
 *    is non-empty, then there must be exactly one language. Otherwise, an
 *    error is thrown.
- * @param sourceRoot The source root of the repository.
- * @param buildMode The build mode to use.
- * @param logger The logger to use for logging.
 *
 * @returns The properties that need to be augmented in the config file.
 *
@@ -330,30 +329,21 @@ async function loadConfig({ languagesInput, queriesInput, qualityQueriesInput, p
 *     not have exactly one language.
 */
 // exported for testing.
-async function calculateAugmentation(codeql, repository, features, rawPacksInput, rawQueriesInput, rawQualityQueriesInput, languages, sourceRoot, buildMode, logger) {
+async function calculateAugmentation(rawPacksInput, rawQueriesInput, rawQualityQueriesInput, languages) {
    const packsInputCombines = shouldCombine(rawPacksInput);
    const packsInput = parsePacksFromInput(rawPacksInput, languages, packsInputCombines);
    const queriesInputCombines = shouldCombine(rawQueriesInput);
    const queriesInput = parseQueriesFromInput(rawQueriesInput, queriesInputCombines);
-    const { overlayDatabaseMode, useOverlayDatabaseCaching } = await getOverlayDatabaseMode(codeql, repository, features, languages, sourceRoot, buildMode, logger);
-    logger.info(`Using overlay database mode: ${overlayDatabaseMode} ` +
-        `${useOverlayDatabaseCaching ? "with" : "without"} caching.`);
    const qualityQueriesInput = parseQueriesFromInput(rawQualityQueriesInput, false);
-    const extraQueryExclusions = [];
-    if (await (0, diff_informed_analysis_utils_1.shouldPerformDiffInformedAnalysis)(codeql, features, logger)) {
-        extraQueryExclusions.push({
-            exclude: { tags: "exclude-from-incremental" },
-        });
-    }
    return {
        packsInputCombines,
        packsInput: packsInput?.[languages[0]],
        queriesInput,
        queriesInputCombines,
        qualityQueriesInput,
-        extraQueryExclusions,
-        overlayDatabaseMode,
-        useOverlayDatabaseCaching,
+        extraQueryExclusions: [],
+        overlayDatabaseMode: overlay_database_utils_1.OverlayDatabaseMode.None,
+        useOverlayDatabaseCaching: false,
    };
 }
 function parseQueriesFromInput(rawQueriesInput, queriesInputCombines) {
@@ -368,6 +358,64 @@ function parseQueriesFromInput(rawQueriesInput, queriesInputCombines) {
    }
    return trimmedInput.split(",").map((query) => ({ uses: query.trim() }));
 }
+const OVERLAY_ANALYSIS_FEATURES = {
+    actions: feature_flags_1.Feature.OverlayAnalysisActions,
+    cpp: feature_flags_1.Feature.OverlayAnalysisCpp,
+    csharp: feature_flags_1.Feature.OverlayAnalysisCsharp,
+    go: feature_flags_1.Feature.OverlayAnalysisGo,
+    java: feature_flags_1.Feature.OverlayAnalysisJava,
+    javascript: feature_flags_1.Feature.OverlayAnalysisJavascript,
+    python: feature_flags_1.Feature.OverlayAnalysisPython,
+    ruby: feature_flags_1.Feature.OverlayAnalysisRuby,
+    rust: feature_flags_1.Feature.OverlayAnalysisRust,
+    swift: feature_flags_1.Feature.OverlayAnalysisSwift,
+};
+const OVERLAY_ANALYSIS_CODE_SCANNING_FEATURES = {
+    actions: feature_flags_1.Feature.OverlayAnalysisCodeScanningActions,
+    cpp: feature_flags_1.Feature.OverlayAnalysisCodeScanningCpp,
+    csharp: feature_flags_1.Feature.OverlayAnalysisCodeScanningCsharp,
+    go: feature_flags_1.Feature.OverlayAnalysisCodeScanningGo,
+    java: feature_flags_1.Feature.OverlayAnalysisCodeScanningJava,
+    javascript: feature_flags_1.Feature.OverlayAnalysisCodeScanningJavascript,
+    python: feature_flags_1.Feature.OverlayAnalysisCodeScanningPython,
+    ruby: feature_flags_1.Feature.OverlayAnalysisCodeScanningRuby,
+    rust: feature_flags_1.Feature.OverlayAnalysisCodeScanningRust,
+    swift: feature_flags_1.Feature.OverlayAnalysisCodeScanningSwift,
+};
+async function isOverlayAnalysisFeatureEnabled(repository, features, codeql, languages, codeScanningConfig) {
+    // TODO: Remove the repository owner check once support for overlay analysis
+    // stabilizes, and no more backward-incompatible changes are expected.
+    if (!["github", "dsp-testing"].includes(repository.owner)) {
+        return false;
+    }
+    if (!(await features.getValue(feature_flags_1.Feature.OverlayAnalysis, codeql))) {
+        return false;
+    }
+    let enableForCodeScanningOnly = false;
+    for (const language of languages) {
+        const feature = OVERLAY_ANALYSIS_FEATURES[language];
+        if (feature && (await features.getValue(feature, codeql))) {
+            continue;
+        }
+        const codeScanningFeature = OVERLAY_ANALYSIS_CODE_SCANNING_FEATURES[language];
+        if (codeScanningFeature &&
+            (await features.getValue(codeScanningFeature, codeql))) {
+            enableForCodeScanningOnly = true;
+            continue;
+        }
+        return false;
+    }
+    if (enableForCodeScanningOnly) {
+        // A code-scanning configuration runs only the (default) code-scanning suite
+        // if the default queries are not disabled, and no packs, queries, or
+        // query-filters are specified.
+        return (codeScanningConfig["disable-default-queries"] !== true &&
+            codeScanningConfig.packs === undefined &&
+            codeScanningConfig.queries === undefined &&
+            codeScanningConfig["query-filters"] === undefined);
+    }
+    return true;
+}
 /**
 * Calculate and validate the overlay database mode and caching to use.
 *
@@ -389,7 +437,7 @@ function parseQueriesFromInput(rawQueriesInput, queriesInputCombines) {
 * @returns An object containing the overlay database mode and whether the
 * action should perform overlay-base database caching.
 */
-async function getOverlayDatabaseMode(codeql, repository, features, languages, sourceRoot, buildMode, logger) {
+async function getOverlayDatabaseMode(codeql, repository, features, languages, sourceRoot, buildMode, codeScanningConfig, logger) {
    let overlayDatabaseMode = overlay_database_utils_1.OverlayDatabaseMode.None;
    let useOverlayDatabaseCaching = false;
    const modeEnv = process.env.CODEQL_OVERLAY_DATABASE_MODE;
@@ -402,11 +450,7 @@ async function getOverlayDatabaseMode(codeql, repository, features, languages, s
        logger.info(`Setting overlay database mode to ${overlayDatabaseMode} ` +
            "from the CODEQL_OVERLAY_DATABASE_MODE environment variable.");
    }
-    else if (
-    // TODO: Remove the repository owner check once support for overlay analysis
-    // stabilizes, and no more backward-incompatible changes are expected.
-    ["github", "dsp-testing"].includes(repository.owner) &&
-        (await features.getValue(feature_flags_1.Feature.OverlayAnalysis, codeql))) {
+    else if (await isOverlayAnalysisFeatureEnabled(repository, features, codeql, languages, codeScanningConfig)) {
        if ((0, actions_util_1.isAnalyzingPullRequest)()) {
            overlayDatabaseMode = overlay_database_utils_1.OverlayDatabaseMode.Overlay;
            useOverlayDatabaseCaching = true;
@@ -427,7 +471,8 @@ async function getOverlayDatabaseMode(codeql, repository, features, languages, s
    if (overlayDatabaseMode === overlay_database_utils_1.OverlayDatabaseMode.None) {
        return nonOverlayAnalysis;
    }
-    if (buildMode !== util_1.BuildMode.None && languages.some(languages_1.isTracedLanguage)) {
+    if (buildMode !== util_1.BuildMode.None &&
+        (await Promise.all(languages.map(async (l) => await codeql.isTracedLanguage(l)))).some(Boolean)) {
        logger.warning(`Cannot build an ${overlayDatabaseMode} database because ` +
            `build-mode is set to "${buildMode}" instead of "none". ` +
            "Falling back to creating a normal full database instead.");
@@ -586,7 +631,6 @@ function userConfigFromActionPath(tempDir) {
 * a default config. The parsed config is then stored to a known location.
 */
 async function initConfig(inputs) {
-    let config;
    const { logger, tempDir } = inputs;
    // if configInput is set, it takes precedence over configFile
    if (inputs.configInput) {
@@ -597,14 +641,31 @@ async function initConfig(inputs) {
        fs.writeFileSync(inputs.configFile, inputs.configInput);
        logger.debug(`Using config from action input: ${inputs.configFile}`);
    }
-    // If no config file was provided create an empty one
+    let userConfig = {};
    if (!inputs.configFile) {
        logger.debug("No configuration file was provided");
-        config = await getDefaultConfig(inputs);
    }
    else {
-        // Convince the type checker that inputs.configFile is defined.
-        config = await loadConfig({ ...inputs, configFile: inputs.configFile });
+        logger.debug(`Using configuration file: ${inputs.configFile}`);
+        userConfig = await loadUserConfig(inputs.configFile, inputs.workspacePath, inputs.apiDetails, tempDir);
+    }
+    const config = await getDefaultConfig(inputs);
+    const augmentationProperties = config.augmentationProperties;
+    config.originalUserInput = userConfig;
+    // The choice of overlay database mode depends on the selection of languages
+    // and queries, which in turn depends on the user config and the augmentation
+    // properties. So we need to calculate the overlay database mode after the
+    // rest of the config has been populated.
+    const { overlayDatabaseMode, useOverlayDatabaseCaching } = await getOverlayDatabaseMode(inputs.codeql, inputs.repository, inputs.features, config.languages, inputs.sourceRoot, config.buildMode, generateCodeScanningConfig(userConfig, augmentationProperties), logger);
+    logger.info(`Using overlay database mode: ${overlayDatabaseMode} ` +
+        `${useOverlayDatabaseCaching ? "with" : "without"} caching.`);
+    augmentationProperties.overlayDatabaseMode = overlayDatabaseMode;
+    augmentationProperties.useOverlayDatabaseCaching = useOverlayDatabaseCaching;
+    if (overlayDatabaseMode === overlay_database_utils_1.OverlayDatabaseMode.Overlay ||
+        (await (0, diff_informed_analysis_utils_1.shouldPerformDiffInformedAnalysis)(inputs.codeql, inputs.features, logger))) {
+        augmentationProperties.extraQueryExclusions.push({
+            exclude: { tags: "exclude-from-incremental" },
+        });
    }
    // Save the config so we can easily access it again in the future
    await saveConfig(config, logger);
@@ -795,16 +856,68 @@ async function parseBuildModeInput(input, languages, features, logger) {
    if (!Object.values(util_1.BuildMode).includes(input)) {
        throw new util_1.ConfigurationError(`Invalid build mode: '${input}'. Supported build modes are: ${Object.values(util_1.BuildMode).join(", ")}.`);
    }
-    if (languages.includes(languages_1.Language.csharp) &&
+    if (languages.includes(languages_1.KnownLanguage.csharp) &&
        (await features.getValue(feature_flags_1.Feature.DisableCsharpBuildless))) {
        logger.warning("Scanning C# code without a build is temporarily unavailable. Falling back to 'autobuild' build mode.");
        return util_1.BuildMode.Autobuild;
    }
-    if (languages.includes(languages_1.Language.java) &&
+    if (languages.includes(languages_1.KnownLanguage.java) &&
        (await features.getValue(feature_flags_1.Feature.DisableJavaBuildlessEnabled))) {
        logger.warning("Scanning Java code without a build is temporarily unavailable. Falling back to 'autobuild' build mode.");
        return util_1.BuildMode.Autobuild;
    }
    return input;
 }
+function generateCodeScanningConfig(originalUserInput, augmentationProperties) {
+    // make a copy so we can modify it
+    const augmentedConfig = (0, util_1.cloneObject)(originalUserInput);
+    // Inject the queries from the input
+    if (augmentationProperties.queriesInput) {
+        if (augmentationProperties.queriesInputCombines) {
+            augmentedConfig.queries = (augmentedConfig.queries || []).concat(augmentationProperties.queriesInput);
+        }
+        else {
+            augmentedConfig.queries = augmentationProperties.queriesInput;
+        }
+    }
+    if (augmentedConfig.queries?.length === 0) {
+        delete augmentedConfig.queries;
+    }
+    // Inject the packs from the input
+    if (augmentationProperties.packsInput) {
+        if (augmentationProperties.packsInputCombines) {
+            // At this point, we already know that this is a single-language analysis
+            if (Array.isArray(augmentedConfig.packs)) {
+                augmentedConfig.packs = (augmentedConfig.packs || []).concat(augmentationProperties.packsInput);
+            }
+            else if (!augmentedConfig.packs) {
+                augmentedConfig.packs = augmentationProperties.packsInput;
+            }
+            else {
+                // At this point, we know there is only one language.
+                // If there were more than one language, an error would already have been thrown.
+                const language = Object.keys(augmentedConfig.packs)[0];
+                augmentedConfig.packs[language] = augmentedConfig.packs[language].concat(augmentationProperties.packsInput);
+            }
+        }
+        else {
+            augmentedConfig.packs = augmentationProperties.packsInput;
+        }
+    }
+    if (Array.isArray(augmentedConfig.packs) && !augmentedConfig.packs.length) {
+        delete augmentedConfig.packs;
+    }
+    augmentedConfig["query-filters"] = [
+        // Ordering matters. If the first filter is an inclusion, it implicitly
+        // excludes all queries that are not included. If it is an exclusion,
+        // it implicitly includes all queries that are not excluded. So user
+        // filters (if any) should always be first to preserve intent.
+        ...(augmentedConfig["query-filters"] || []),
+        ...augmentationProperties.extraQueryExclusions,
+    ];
+    if (augmentedConfig["query-filters"]?.length === 0) {
+        delete augmentedConfig["query-filters"];
+    }
+    return augmentedConfig;
+}
 //# sourceMappingURL=config-utils.js.map
@@ -74,7 +74,16 @@ function createTestInitConfigInputs(overrides) {
        debugDatabaseName: "",
        repository: { owner: "github", repo: "example" },
        tempDir: "",
-        codeql: {},
+        codeql: (0, codeql_1.createStubCodeQL)({
+            async betterResolveLanguages() {
+                return {
+                    extractors: {
+                        html: [{ extractor_root: "" }],
+                        javascript: [{ extractor_root: "" }],
+                    },
+                };
+            },
+        }),
        workspacePath: "",
        sourceRoot: "",
        githubVersion,
@@ -126,20 +135,15 @@ function mockListLanguages(languages) {
    return await (0, util_1.withTmpDir)(async (tempDir) => {
        const logger = (0, logging_1.getRunnerLogger)(true);
        const languages = "javascript,python";
-        const codeql = (0, codeql_1.setCodeQL)({
-            async resolveQueries() {
+        const codeql = (0, codeql_1.createStubCodeQL)({
+            async betterResolveLanguages() {
                return {
-                    byLanguage: {
-                        javascript: { queries: ["query1.ql"] },
-                        python: { queries: ["query2.ql"] },
+                    extractors: {
+                        javascript: [{ extractor_root: "" }],
+                        python: [{ extractor_root: "" }],
                    },
-                    noDeclaredLanguage: {},
-                    multipleDeclaredLanguages: {},
                };
            },
-            async packDownload() {
-                return { packs: [] };
-            },
        });
        const config = await configUtils.initConfig(createTestInitConfigInputs({
            languagesInput: languages,
@@ -159,20 +163,15 @@ function mockListLanguages(languages) {
 (0, ava_1.default)("loading config saves config", async (t) => {
    return await (0, util_1.withTmpDir)(async (tempDir) => {
        const logger = (0, logging_1.getRunnerLogger)(true);
-        const codeql = (0, codeql_1.setCodeQL)({
-            async resolveQueries() {
+        const codeql = (0, codeql_1.createStubCodeQL)({
+            async betterResolveLanguages() {
                return {
-                    byLanguage: {
-                        javascript: { queries: ["query1.ql"] },
-                        python: { queries: ["query2.ql"] },
+                    extractors: {
+                        javascript: [{ extractor_root: "" }],
+                        python: [{ extractor_root: "" }],
                    },
-                    noDeclaredLanguage: {},
-                    multipleDeclaredLanguages: {},
                };
            },
-            async packDownload() {
-                return { packs: [] };
-            },
        });
        // Sanity check the saved config file does not already exist
        t.false(fs.existsSync(configUtils.getPathToParsedConfigFile(tempDir)));
@@ -203,7 +202,6 @@ function mockListLanguages(languages) {
            await configUtils.initConfig(createTestInitConfigInputs({
                configFile: "../input",
                tempDir,
-                codeql: (0, codeql_1.getCachedCodeQL)(),
                workspacePath: tempDir,
            }));
            throw new Error("initConfig did not throw error");
@@ -221,7 +219,6 @@ function mockListLanguages(languages) {
            await configUtils.initConfig(createTestInitConfigInputs({
                configFile,
                tempDir,
-                codeql: (0, codeql_1.getCachedCodeQL)(),
                workspacePath: tempDir,
            }));
            throw new Error("initConfig did not throw error");
@@ -241,7 +238,6 @@ function mockListLanguages(languages) {
                languagesInput,
                configFile,
                tempDir,
-                codeql: (0, codeql_1.getCachedCodeQL)(),
                workspacePath: tempDir,
            }));
            throw new Error("initConfig did not throw error");
@@ -253,22 +249,14 @@ function mockListLanguages(languages) {
 });
 (0, ava_1.default)("load non-empty input", async (t) => {
    return await (0, util_1.withTmpDir)(async (tempDir) => {
-        const codeql = (0, codeql_1.setCodeQL)({
-            async resolveQueries() {
+        const codeql = (0, codeql_1.createStubCodeQL)({
+            async betterResolveLanguages() {
                return {
-                    byLanguage: {
-                        javascript: {
-                            "/foo/a.ql": {},
-                            "/bar/b.ql": {},
-                        },
+                    extractors: {
+                        javascript: [{ extractor_root: "" }],
                    },
-                    noDeclaredLanguage: {},
-                    multipleDeclaredLanguages: {},
                };
            },
-            async packDownload() {
-                return { packs: [] };
-            },
        });
        // Just create a generic config object with non-default values for all fields
        const inputFileContents = `
@@ -284,7 +272,7 @@ function mockListLanguages(languages) {
        fs.mkdirSync(path.join(tempDir, "foo"));
        // And the config we expect it to parse to
        const expectedConfig = {
-            languages: [languages_1.Language.javascript],
+            languages: [languages_1.KnownLanguage.javascript],
            buildMode: util_1.BuildMode.None,
            originalUserInput: {
                name: "my config",
@@ -321,24 +309,6 @@ function mockListLanguages(languages) {
        t.deepEqual(actualConfig, expectedConfig);
    });
 });
-/**
- * Returns the provided queries, just in the right format for a resolved query
- * This way we can test by seeing which returned items are in the final
- * configuration.
- */
-function queriesToResolvedQueryForm(queries) {
-    const dummyResolvedQueries = {};
-    for (const q of queries) {
-        dummyResolvedQueries[q] = {};
-    }
-    return {
-        byLanguage: {
-            javascript: dummyResolvedQueries,
-        },
-        noDeclaredLanguage: {},
-        multipleDeclaredLanguages: {},
-    };
-}
 (0, ava_1.default)("Using config input and file together, config input should be used.", async (t) => {
    return await (0, util_1.withTmpDir)(async (tempDir) => {
        process.env["RUNNER_TEMP"] = tempDir;
@@ -359,14 +329,14 @@ function queriesToResolvedQueryForm(queries) {
          - c/d@1.2.3
    `;
        fs.mkdirSync(path.join(tempDir, "foo"));
-        const resolveQueriesArgs = [];
-        const codeql = (0, codeql_1.setCodeQL)({
-            async resolveQueries(queries, extraSearchPath) {
-                resolveQueriesArgs.push({ queries, extraSearchPath });
-                return queriesToResolvedQueryForm(queries);
-            },
-            async packDownload() {
-                return { packs: [] };
+        const codeql = (0, codeql_1.createStubCodeQL)({
+            async betterResolveLanguages() {
+                return {
+                    extractors: {
+                        javascript: [{ extractor_root: "" }],
+                        python: [{ extractor_root: "" }],
+                    },
+                };
            },
        });
        // Only JS, python packs will be ignored
@@ -384,21 +354,14 @@ function queriesToResolvedQueryForm(queries) {
 });
 (0, ava_1.default)("API client used when reading remote config", async (t) => {
    return await (0, util_1.withTmpDir)(async (tempDir) => {
-        const codeql = (0, codeql_1.setCodeQL)({
-            async resolveQueries() {
+        const codeql = (0, codeql_1.createStubCodeQL)({
+            async betterResolveLanguages() {
                return {
-                    byLanguage: {
-                        javascript: {
-                            "foo.ql": {},
-                        },
+                    extractors: {
+                        javascript: [{ extractor_root: "" }],
                    },
-                    noDeclaredLanguage: {},
-                    multipleDeclaredLanguages: {},
                };
            },
-            async packDownload() {
-                return { packs: [] };
-            },
        });
        const inputFileContents = `
      name: my config
@@ -439,7 +402,6 @@ function queriesToResolvedQueryForm(queries) {
            await configUtils.initConfig(createTestInitConfigInputs({
                configFile: repoReference,
                tempDir,
-                codeql: (0, codeql_1.getCachedCodeQL)(),
                workspacePath: tempDir,
            }));
            throw new Error("initConfig did not throw error");
@@ -460,7 +422,6 @@ function queriesToResolvedQueryForm(queries) {
            await configUtils.initConfig(createTestInitConfigInputs({
                configFile: repoReference,
                tempDir,
-                codeql: (0, codeql_1.getCachedCodeQL)(),
                workspacePath: tempDir,
            }));
            throw new Error("initConfig did not throw error");
@@ -473,13 +434,10 @@ function queriesToResolvedQueryForm(queries) {
 (0, ava_1.default)("No detected languages", async (t) => {
    return await (0, util_1.withTmpDir)(async (tempDir) => {
        mockListLanguages([]);
-        const codeql = (0, codeql_1.setCodeQL)({
+        const codeql = (0, codeql_1.createStubCodeQL)({
            async resolveLanguages() {
                return {};
            },
-            async packDownload() {
-                return { packs: [] };
-            },
        });
        try {
            await configUtils.initConfig(createTestInitConfigInputs({
@@ -501,7 +459,6 @@ function queriesToResolvedQueryForm(queries) {
            await configUtils.initConfig(createTestInitConfigInputs({
                languagesInput,
                tempDir,
-                codeql: (0, codeql_1.getCachedCodeQL)(),
                workspacePath: tempDir,
            }));
            throw new Error("initConfig did not throw error");
@@ -531,17 +488,17 @@ const parsePacksErrorMacro = ava_1.default.macro({
 * Test macro for testing when the packs block is invalid
 */
 const invalidPackNameMacro = ava_1.default.macro({
-    exec: (t, name) => parsePacksErrorMacro.exec(t, name, [languages_1.Language.cpp], new RegExp(`^"${name}" is not a valid pack$`)),
+    exec: (t, name) => parsePacksErrorMacro.exec(t, name, [languages_1.KnownLanguage.cpp], new RegExp(`^"${name}" is not a valid pack$`)),
    title: (_providedTitle, arg) => `Invalid pack string: ${arg}`,
 });
 (0, ava_1.default)("no packs", parsePacksMacro, "", [], undefined);
-(0, ava_1.default)("two packs", parsePacksMacro, "a/b,c/d@1.2.3", [languages_1.Language.cpp], {
-    [languages_1.Language.cpp]: ["a/b", "c/d@1.2.3"],
+(0, ava_1.default)("two packs", parsePacksMacro, "a/b,c/d@1.2.3", [languages_1.KnownLanguage.cpp], {
+    [languages_1.KnownLanguage.cpp]: ["a/b", "c/d@1.2.3"],
 });
-(0, ava_1.default)("two packs with spaces", parsePacksMacro, " a/b , c/d@1.2.3 ", [languages_1.Language.cpp], {
-    [languages_1.Language.cpp]: ["a/b", "c/d@1.2.3"],
+(0, ava_1.default)("two packs with spaces", parsePacksMacro, " a/b , c/d@1.2.3 ", [languages_1.KnownLanguage.cpp], {
+    [languages_1.KnownLanguage.cpp]: ["a/b", "c/d@1.2.3"],
 });
-(0, ava_1.default)("two packs with language", parsePacksErrorMacro, "a/b,c/d@1.2.3", [languages_1.Language.cpp, languages_1.Language.java], new RegExp("Cannot specify a 'packs' input in a multi-language analysis. " +
+(0, ava_1.default)("two packs with language", parsePacksErrorMacro, "a/b,c/d@1.2.3", [languages_1.KnownLanguage.cpp, languages_1.KnownLanguage.java], new RegExp("Cannot specify a 'packs' input in a multi-language analysis. " +
    "Use a codeql-config.yml file instead and specify packs by language."));
 (0, ava_1.default)("packs with other valid names", parsePacksMacro, [
    // ranges are ok
@@ -560,8 +517,8 @@ const invalidPackNameMacro = ava_1.default.macro({
    // this is valid, too. It will fail if it doesn't match a path
    // (globbing is not done)
    "c/d@1.2.3:+*)_(",
-].join(","), [languages_1.Language.cpp], {
-    [languages_1.Language.cpp]: [
+].join(","), [languages_1.KnownLanguage.cpp], {
+    [languages_1.KnownLanguage.cpp]: [
        "c/d@1.0",
        "c/d@~1.0.0",
        "c/d@~1.0.0:a/b",
@@ -629,26 +586,24 @@ const packSpecPrettyPrintingMacro = ava_1.default.macro({
 const mockLogger = (0, logging_1.getRunnerLogger)(true);
 const calculateAugmentationMacro = ava_1.default.macro({
    exec: async (t, _title, rawPacksInput, rawQueriesInput, rawQualityQueriesInput, languages, expectedAugmentationProperties) => {
-        const actualAugmentationProperties = await configUtils.calculateAugmentation((0, codeql_1.getCachedCodeQL)(), { owner: "github", repo: "repo" }, (0, testing_utils_1.createFeatures)([]), rawPacksInput, rawQueriesInput, rawQualityQueriesInput, languages, "", // sourceRoot
-        undefined, // buildMode
-        mockLogger);
+        const actualAugmentationProperties = await configUtils.calculateAugmentation(rawPacksInput, rawQueriesInput, rawQualityQueriesInput, languages);
        t.deepEqual(actualAugmentationProperties, expectedAugmentationProperties);
    },
    title: (_, title) => `Calculate Augmentation: ${title}`,
 });
-(0, ava_1.default)(calculateAugmentationMacro, "All empty", undefined, undefined, undefined, [languages_1.Language.javascript], {
+(0, ava_1.default)(calculateAugmentationMacro, "All empty", undefined, undefined, undefined, [languages_1.KnownLanguage.javascript], {
    ...configUtils.defaultAugmentationProperties,
 });
-(0, ava_1.default)(calculateAugmentationMacro, "With queries", undefined, " a, b , c, d", undefined, [languages_1.Language.javascript], {
+(0, ava_1.default)(calculateAugmentationMacro, "With queries", undefined, " a, b , c, d", undefined, [languages_1.KnownLanguage.javascript], {
    ...configUtils.defaultAugmentationProperties,
    queriesInput: [{ uses: "a" }, { uses: "b" }, { uses: "c" }, { uses: "d" }],
 });
-(0, ava_1.default)(calculateAugmentationMacro, "With queries combining", undefined, "   +   a, b , c, d ", undefined, [languages_1.Language.javascript], {
+(0, ava_1.default)(calculateAugmentationMacro, "With queries combining", undefined, "   +   a, b , c, d ", undefined, [languages_1.KnownLanguage.javascript], {
    ...configUtils.defaultAugmentationProperties,
    queriesInputCombines: true,
    queriesInput: [{ uses: "a" }, { uses: "b" }, { uses: "c" }, { uses: "d" }],
 });
-(0, ava_1.default)(calculateAugmentationMacro, "With quality queries", undefined, undefined, " a, b , c, d", [languages_1.Language.javascript], {
+(0, ava_1.default)(calculateAugmentationMacro, "With quality queries", undefined, undefined, " a, b , c, d", [languages_1.KnownLanguage.javascript], {
    ...configUtils.defaultAugmentationProperties,
    qualityQueriesInput: [
        { uses: "a" },
@@ -657,7 +612,7 @@ const calculateAugmentationMacro = ava_1.default.macro({
        { uses: "d" },
    ],
 });
-(0, ava_1.default)(calculateAugmentationMacro, "With security and quality queries", undefined, " a, b , c, d", "e, f , g,h", [languages_1.Language.javascript], {
+(0, ava_1.default)(calculateAugmentationMacro, "With security and quality queries", undefined, " a, b , c, d", "e, f , g,h", [languages_1.KnownLanguage.javascript], {
    ...configUtils.defaultAugmentationProperties,
    queriesInput: [{ uses: "a" }, { uses: "b" }, { uses: "c" }, { uses: "d" }],
    qualityQueriesInput: [
@@ -667,28 +622,26 @@ const calculateAugmentationMacro = ava_1.default.macro({
        { uses: "h" },
    ],
 });
-(0, ava_1.default)(calculateAugmentationMacro, "With packs", "   codeql/a , codeql/b   , codeql/c  , codeql/d  ", undefined, undefined, [languages_1.Language.javascript], {
+(0, ava_1.default)(calculateAugmentationMacro, "With packs", "   codeql/a , codeql/b   , codeql/c  , codeql/d  ", undefined, undefined, [languages_1.KnownLanguage.javascript], {
    ...configUtils.defaultAugmentationProperties,
    packsInput: ["codeql/a", "codeql/b", "codeql/c", "codeql/d"],
 });
-(0, ava_1.default)(calculateAugmentationMacro, "With packs combining", "   +   codeql/a, codeql/b, codeql/c, codeql/d", undefined, undefined, [languages_1.Language.javascript], {
+(0, ava_1.default)(calculateAugmentationMacro, "With packs combining", "   +   codeql/a, codeql/b, codeql/c, codeql/d", undefined, undefined, [languages_1.KnownLanguage.javascript], {
    ...configUtils.defaultAugmentationProperties,
    packsInputCombines: true,
    packsInput: ["codeql/a", "codeql/b", "codeql/c", "codeql/d"],
 });
 const calculateAugmentationErrorMacro = ava_1.default.macro({
    exec: async (t, _title, rawPacksInput, rawQueriesInput, rawQualityQueriesInput, languages, expectedError) => {
-        await t.throwsAsync(() => configUtils.calculateAugmentation((0, codeql_1.getCachedCodeQL)(), { owner: "github", repo: "repo" }, (0, testing_utils_1.createFeatures)([]), rawPacksInput, rawQueriesInput, rawQualityQueriesInput, languages, "", // sourceRoot
-        undefined, // buildMode
-        mockLogger), { message: expectedError });
+        await t.throwsAsync(() => configUtils.calculateAugmentation(rawPacksInput, rawQueriesInput, rawQualityQueriesInput, languages), { message: expectedError });
    },
    title: (_, title) => `Calculate Augmentation Error: ${title}`,
 });
-(0, ava_1.default)(calculateAugmentationErrorMacro, "Plus (+) with nothing else (queries)", undefined, "   +   ", undefined, [languages_1.Language.javascript], /The workflow property "queries" is invalid/);
-(0, ava_1.default)(calculateAugmentationErrorMacro, "Plus (+) with nothing else (packs)", "   +   ", undefined, undefined, [languages_1.Language.javascript], /The workflow property "packs" is invalid/);
-(0, ava_1.default)(calculateAugmentationErrorMacro, "Packs input with multiple languages", "   +  a/b, c/d ", undefined, undefined, [languages_1.Language.javascript, languages_1.Language.java], /Cannot specify a 'packs' input in a multi-language analysis/);
+(0, ava_1.default)(calculateAugmentationErrorMacro, "Plus (+) with nothing else (queries)", undefined, "   +   ", undefined, [languages_1.KnownLanguage.javascript], /The workflow property "queries" is invalid/);
+(0, ava_1.default)(calculateAugmentationErrorMacro, "Plus (+) with nothing else (packs)", "   +   ", undefined, undefined, [languages_1.KnownLanguage.javascript], /The workflow property "packs" is invalid/);
+(0, ava_1.default)(calculateAugmentationErrorMacro, "Packs input with multiple languages", "   +  a/b, c/d ", undefined, undefined, [languages_1.KnownLanguage.javascript, languages_1.KnownLanguage.java], /Cannot specify a 'packs' input in a multi-language analysis/);
 (0, ava_1.default)(calculateAugmentationErrorMacro, "Packs input with no languages", "   +  a/b, c/d ", undefined, undefined, [], /No languages specified/);
-(0, ava_1.default)(calculateAugmentationErrorMacro, "Invalid packs", " a-pack-without-a-scope ", undefined, undefined, [languages_1.Language.javascript], /"a-pack-without-a-scope" is not a valid pack/);
+(0, ava_1.default)(calculateAugmentationErrorMacro, "Invalid packs", " a-pack-without-a-scope ", undefined, undefined, [languages_1.KnownLanguage.javascript], /"a-pack-without-a-scope" is not a valid pack/);
 (0, ava_1.default)("no generateRegistries when registries is undefined", async (t) => {
    return await (0, util_1.withTmpDir)(async (tmpDir) => {
        const registriesInput = undefined;
@@ -720,7 +673,6 @@ const mockRepositoryNwo = (0, repository_1.parseRepositoryNwo)("owner/repo");
 [
    {
        name: "languages from input",
-        codeqlResolvedLanguages: ["javascript", "java", "python"],
        languagesInput: "jAvAscript, \n jaVa",
        languagesInRepository: ["SwiFt", "other"],
        expectedLanguages: ["javascript", "java"],
@@ -728,7 +680,6 @@ const mockRepositoryNwo = (0, repository_1.parseRepositoryNwo)("owner/repo");
    },
    {
        name: "languages from github api",
-        codeqlResolvedLanguages: ["javascript", "java", "python"],
        languagesInput: "",
        languagesInRepository: ["  jAvAscript\n \t", " jaVa", "SwiFt", "other"],
        expectedLanguages: ["javascript", "java"],
@@ -736,7 +687,6 @@ const mockRepositoryNwo = (0, repository_1.parseRepositoryNwo)("owner/repo");
    },
    {
        name: "aliases from input",
-        codeqlResolvedLanguages: ["javascript", "csharp", "cpp", "java", "python"],
        languagesInput: "  typEscript\n \t, C#, c , KoTlin",
        languagesInRepository: ["SwiFt", "other"],
        expectedLanguages: ["javascript", "csharp", "cpp", "java"],
@@ -744,7 +694,6 @@ const mockRepositoryNwo = (0, repository_1.parseRepositoryNwo)("owner/repo");
    },
    {
        name: "duplicate languages from input",
-        codeqlResolvedLanguages: ["javascript", "java", "python"],
        languagesInput: "jAvAscript, \n jaVa, kotlin, typescript",
        languagesInRepository: ["SwiFt", "other"],
        expectedLanguages: ["javascript", "java"],
@@ -752,7 +701,6 @@ const mockRepositoryNwo = (0, repository_1.parseRepositoryNwo)("owner/repo");
    },
    {
        name: "aliases from github api",
-        codeqlResolvedLanguages: ["javascript", "csharp", "cpp", "java", "python"],
        languagesInput: "",
        languagesInRepository: ["  typEscript\n \t", " C#", "c", "other"],
        expectedLanguages: ["javascript", "csharp", "cpp"],
@@ -760,7 +708,6 @@ const mockRepositoryNwo = (0, repository_1.parseRepositoryNwo)("owner/repo");
    },
    {
        name: "no languages",
-        codeqlResolvedLanguages: ["javascript", "java", "python"],
        languagesInput: "",
        languagesInRepository: [],
        expectedApiCall: true,
@@ -768,30 +715,56 @@ const mockRepositoryNwo = (0, repository_1.parseRepositoryNwo)("owner/repo");
    },
    {
        name: "unrecognized languages from input",
-        codeqlResolvedLanguages: ["javascript", "java", "python"],
        languagesInput: "a, b, c, javascript",
        languagesInRepository: [],
        expectedApiCall: false,
        expectedError: configUtils.getUnknownLanguagesError(["a", "b"]),
    },
+    {
+        name: "extractors that aren't languages aren't included (specified)",
+        languagesInput: "html",
+        languagesInRepository: [],
+        expectedApiCall: false,
+        expectedError: configUtils.getUnknownLanguagesError(["html"]),
+    },
+    {
+        name: "extractors that aren't languages aren't included (autodetected)",
+        languagesInput: "",
+        languagesInRepository: ["html", "javascript"],
+        expectedApiCall: true,
+        expectedLanguages: ["javascript"],
+    },
 ].forEach((args) => {
    (0, ava_1.default)(`getLanguages: ${args.name}`, async (t) => {
        const mockRequest = (0, testing_utils_1.mockLanguagesInRepo)(args.languagesInRepository);
-        const languages = args.codeqlResolvedLanguages.reduce((acc, lang) => ({
-            ...acc,
-            [lang]: true,
-        }), {});
-        const codeQL = (0, codeql_1.setCodeQL)({
-            resolveLanguages: () => Promise.resolve(languages),
+        const stubExtractorEntry = {
+            extractor_root: "",
+        };
+        const codeQL = (0, codeql_1.createStubCodeQL)({
+            betterResolveLanguages: () => Promise.resolve({
+                aliases: {
+                    "c#": languages_1.KnownLanguage.csharp,
+                    c: languages_1.KnownLanguage.cpp,
+                    kotlin: languages_1.KnownLanguage.java,
+                    typescript: languages_1.KnownLanguage.javascript,
+                },
+                extractors: {
+                    cpp: [stubExtractorEntry],
+                    csharp: [stubExtractorEntry],
+                    java: [stubExtractorEntry],
+                    javascript: [stubExtractorEntry],
+                    python: [stubExtractorEntry],
+                },
+            }),
        });
        if (args.expectedLanguages) {
            // happy path
-            const actualLanguages = await configUtils.getLanguages(codeQL, args.languagesInput, mockRepositoryNwo, mockLogger);
+            const actualLanguages = await configUtils.getLanguages(codeQL, args.languagesInput, mockRepositoryNwo, ".", mockLogger);
            t.deepEqual(actualLanguages.sort(), args.expectedLanguages.sort());
        }
        else {
            // there is an error
-            await t.throwsAsync(async () => await configUtils.getLanguages(codeQL, args.languagesInput, mockRepositoryNwo, mockLogger), { message: args.expectedError });
+            await t.throwsAsync(async () => await configUtils.getLanguages(codeQL, args.languagesInput, mockRepositoryNwo, ".", mockLogger), { message: args.expectedError });
        }
        t.deepEqual(mockRequest.called, args.expectedApiCall);
    });
@@ -799,12 +772,12 @@ const mockRepositoryNwo = (0, repository_1.parseRepositoryNwo)("owner/repo");
 for (const { displayName, language, feature } of [
    {
        displayName: "Java",
-        language: languages_1.Language.java,
+        language: languages_1.KnownLanguage.java,
        feature: feature_flags_1.Feature.DisableJavaBuildlessEnabled,
    },
    {
        displayName: "C#",
-        language: languages_1.Language.csharp,
+        language: languages_1.KnownLanguage.csharp,
        feature: feature_flags_1.Feature.DisableCsharpBuildless,
    },
 ]) {
@@ -816,7 +789,7 @@ for (const { displayName, language, feature } of [
    });
    (0, ava_1.default)(`Build mode not overridden for other languages when disable ${displayName} buildless feature flag enabled`, async (t) => {
        const messages = [];
-        const buildMode = await configUtils.parseBuildModeInput("none", [languages_1.Language.python], (0, testing_utils_1.createFeatures)([feature]), (0, testing_utils_1.getRecordingLogger)(messages));
+        const buildMode = await configUtils.parseBuildModeInput("none", [languages_1.KnownLanguage.python], (0, testing_utils_1.createFeatures)([feature]), (0, testing_utils_1.getRecordingLogger)(messages));
        t.is(buildMode, util_1.BuildMode.None);
        t.deepEqual(messages, []);
    });
@@ -834,14 +807,15 @@ for (const { displayName, language, feature } of [
 }
 const defaultOverlayDatabaseModeTestSetup = {
    overlayDatabaseEnvVar: undefined,
-    isFeatureEnabled: false,
+    features: [],
    isPullRequest: false,
    isDefaultBranch: false,
    repositoryOwner: "github",
    buildMode: util_1.BuildMode.None,
-    languages: [languages_1.Language.javascript],
-    codeqlVersion: "2.21.0",
+    languages: [languages_1.KnownLanguage.javascript],
+    codeqlVersion: overlay_database_utils_1.CODEQL_OVERLAY_MINIMUM_VERSION,
    gitRoot: "/some/git/root",
+    codeScanningConfig: {},
 };
 const getOverlayDatabaseModeMacro = ava_1.default.macro({
    exec: async (t, _title, setupOverrides, expected) => {
@@ -862,7 +836,7 @@ const getOverlayDatabaseModeMacro = ava_1.default.macro({
                        setup.overlayDatabaseEnvVar;
                }
                // Mock feature flags
-                const features = (0, testing_utils_1.createFeatures)(setup.isFeatureEnabled ? [feature_flags_1.Feature.OverlayAnalysis] : []);
+                const features = (0, testing_utils_1.createFeatures)(setup.features);
                // Mock isAnalyzingPullRequest function
                sinon
                    .stub(actionsUtil, "isAnalyzingPullRequest")
@@ -874,6 +848,12 @@ const getOverlayDatabaseModeMacro = ava_1.default.macro({
                };
                // Set up CodeQL mock
                const codeql = (0, testing_utils_1.mockCodeQLVersion)(setup.codeqlVersion);
+                // Mock traced languages
+                sinon
+                    .stub(codeql, "isTracedLanguage")
+                    .callsFake(async (lang) => {
+                    return [languages_1.KnownLanguage.java].includes(lang);
+                });
                // Mock git root detection
                if (setup.gitRoot !== undefined) {
                    sinon.stub(gitUtils, "getGitRoot").resolves(setup.gitRoot);
@@ -883,7 +863,7 @@ const getOverlayDatabaseModeMacro = ava_1.default.macro({
                    .stub(gitUtils, "isAnalyzingDefaultBranch")
                    .resolves(setup.isDefaultBranch);
                const result = await configUtils.getOverlayDatabaseMode(codeql, repository, features, setup.languages, tempDir, // sourceRoot
-                setup.buildMode, logger);
+                setup.buildMode, setup.codeScanningConfig, logger);
                t.deepEqual(result, expected);
            }
            finally {
@@ -919,32 +899,227 @@ const getOverlayDatabaseModeMacro = ava_1.default.macro({
    useOverlayDatabaseCaching: false,
 });
 (0, ava_1.default)(getOverlayDatabaseModeMacro, "Ignore feature flag when analyzing non-default branch", {
-    isFeatureEnabled: true,
+    languages: [languages_1.KnownLanguage.javascript],
+    features: [feature_flags_1.Feature.OverlayAnalysis, feature_flags_1.Feature.OverlayAnalysisJavascript],
 }, {
    overlayDatabaseMode: overlay_database_utils_1.OverlayDatabaseMode.None,
    useOverlayDatabaseCaching: false,
 });
 (0, ava_1.default)(getOverlayDatabaseModeMacro, "Overlay-base database on default branch when feature enabled", {
-    isFeatureEnabled: true,
+    languages: [languages_1.KnownLanguage.javascript],
+    features: [feature_flags_1.Feature.OverlayAnalysis, feature_flags_1.Feature.OverlayAnalysisJavascript],
    isDefaultBranch: true,
 }, {
    overlayDatabaseMode: overlay_database_utils_1.OverlayDatabaseMode.OverlayBase,
    useOverlayDatabaseCaching: true,
 });
-(0, ava_1.default)(getOverlayDatabaseModeMacro, "No overlay-base database on default branch when feature disabled", {
+(0, ava_1.default)(getOverlayDatabaseModeMacro, "Overlay-base database on default branch when feature enabled with custom analysis", {
+    languages: [languages_1.KnownLanguage.javascript],
+    features: [feature_flags_1.Feature.OverlayAnalysis, feature_flags_1.Feature.OverlayAnalysisJavascript],
+    codeScanningConfig: {
+        packs: ["some-custom-pack@1.0.0"],
+    },
+    isDefaultBranch: true,
+}, {
+    overlayDatabaseMode: overlay_database_utils_1.OverlayDatabaseMode.OverlayBase,
+    useOverlayDatabaseCaching: true,
+});
+(0, ava_1.default)(getOverlayDatabaseModeMacro, "Overlay-base database on default branch when code-scanning feature enabled", {
+    languages: [languages_1.KnownLanguage.javascript],
+    features: [
+        feature_flags_1.Feature.OverlayAnalysis,
+        feature_flags_1.Feature.OverlayAnalysisCodeScanningJavascript,
+    ],
+    isDefaultBranch: true,
+}, {
+    overlayDatabaseMode: overlay_database_utils_1.OverlayDatabaseMode.OverlayBase,
+    useOverlayDatabaseCaching: true,
+});
+(0, ava_1.default)(getOverlayDatabaseModeMacro, "No overlay-base database on default branch when code-scanning feature enabled with disable-default-queries", {
+    languages: [languages_1.KnownLanguage.javascript],
+    features: [
+        feature_flags_1.Feature.OverlayAnalysis,
+        feature_flags_1.Feature.OverlayAnalysisCodeScanningJavascript,
+    ],
+    codeScanningConfig: {
+        "disable-default-queries": true,
+    },
+    isDefaultBranch: true,
+}, {
+    overlayDatabaseMode: overlay_database_utils_1.OverlayDatabaseMode.None,
+    useOverlayDatabaseCaching: false,
+});
+(0, ava_1.default)(getOverlayDatabaseModeMacro, "No overlay-base database on default branch when code-scanning feature enabled with packs", {
+    languages: [languages_1.KnownLanguage.javascript],
+    features: [
+        feature_flags_1.Feature.OverlayAnalysis,
+        feature_flags_1.Feature.OverlayAnalysisCodeScanningJavascript,
+    ],
+    codeScanningConfig: {
+        packs: ["some-custom-pack@1.0.0"],
+    },
+    isDefaultBranch: true,
+}, {
+    overlayDatabaseMode: overlay_database_utils_1.OverlayDatabaseMode.None,
+    useOverlayDatabaseCaching: false,
+});
+(0, ava_1.default)(getOverlayDatabaseModeMacro, "No overlay-base database on default branch when code-scanning feature enabled with queries", {
+    languages: [languages_1.KnownLanguage.javascript],
+    features: [
+        feature_flags_1.Feature.OverlayAnalysis,
+        feature_flags_1.Feature.OverlayAnalysisCodeScanningJavascript,
+    ],
+    codeScanningConfig: {
+        queries: [{ uses: "some-query.ql" }],
+    },
+    isDefaultBranch: true,
+}, {
+    overlayDatabaseMode: overlay_database_utils_1.OverlayDatabaseMode.None,
+    useOverlayDatabaseCaching: false,
+});
+(0, ava_1.default)(getOverlayDatabaseModeMacro, "No overlay-base database on default branch when code-scanning feature enabled with query-filters", {
+    languages: [languages_1.KnownLanguage.javascript],
+    features: [
+        feature_flags_1.Feature.OverlayAnalysis,
+        feature_flags_1.Feature.OverlayAnalysisCodeScanningJavascript,
+    ],
+    codeScanningConfig: {
+        "query-filters": [{ include: { "security-severity": "high" } }],
+    },
+    isDefaultBranch: true,
+}, {
+    overlayDatabaseMode: overlay_database_utils_1.OverlayDatabaseMode.None,
+    useOverlayDatabaseCaching: false,
+});
+(0, ava_1.default)(getOverlayDatabaseModeMacro, "No overlay-base database on default branch when only language-specific feature enabled", {
+    languages: [languages_1.KnownLanguage.javascript],
+    features: [feature_flags_1.Feature.OverlayAnalysisJavascript],
+    isDefaultBranch: true,
+}, {
+    overlayDatabaseMode: overlay_database_utils_1.OverlayDatabaseMode.None,
+    useOverlayDatabaseCaching: false,
+});
+(0, ava_1.default)(getOverlayDatabaseModeMacro, "No overlay-base database on default branch when only code-scanning feature enabled", {
+    languages: [languages_1.KnownLanguage.javascript],
+    features: [feature_flags_1.Feature.OverlayAnalysisCodeScanningJavascript],
+    isDefaultBranch: true,
+}, {
+    overlayDatabaseMode: overlay_database_utils_1.OverlayDatabaseMode.None,
+    useOverlayDatabaseCaching: false,
+});
+(0, ava_1.default)(getOverlayDatabaseModeMacro, "No overlay-base database on default branch when language-specific feature disabled", {
+    languages: [languages_1.KnownLanguage.javascript],
+    features: [feature_flags_1.Feature.OverlayAnalysis],
    isDefaultBranch: true,
 }, {
    overlayDatabaseMode: overlay_database_utils_1.OverlayDatabaseMode.None,
    useOverlayDatabaseCaching: false,
 });
 (0, ava_1.default)(getOverlayDatabaseModeMacro, "Overlay analysis on PR when feature enabled", {
-    isFeatureEnabled: true,
+    languages: [languages_1.KnownLanguage.javascript],
+    features: [feature_flags_1.Feature.OverlayAnalysis, feature_flags_1.Feature.OverlayAnalysisJavascript],
    isPullRequest: true,
 }, {
    overlayDatabaseMode: overlay_database_utils_1.OverlayDatabaseMode.Overlay,
    useOverlayDatabaseCaching: true,
 });
-(0, ava_1.default)(getOverlayDatabaseModeMacro, "No overlay analysis on PR when feature disabled", {
+(0, ava_1.default)(getOverlayDatabaseModeMacro, "Overlay analysis on PR when feature enabled with custom analysis", {
+    languages: [languages_1.KnownLanguage.javascript],
+    features: [feature_flags_1.Feature.OverlayAnalysis, feature_flags_1.Feature.OverlayAnalysisJavascript],
+    codeScanningConfig: {
+        packs: ["some-custom-pack@1.0.0"],
+    },
+    isPullRequest: true,
+}, {
+    overlayDatabaseMode: overlay_database_utils_1.OverlayDatabaseMode.Overlay,
+    useOverlayDatabaseCaching: true,
+});
+(0, ava_1.default)(getOverlayDatabaseModeMacro, "Overlay analysis on PR when code-scanning feature enabled", {
+    languages: [languages_1.KnownLanguage.javascript],
+    features: [
+        feature_flags_1.Feature.OverlayAnalysis,
+        feature_flags_1.Feature.OverlayAnalysisCodeScanningJavascript,
+    ],
+    isPullRequest: true,
+}, {
+    overlayDatabaseMode: overlay_database_utils_1.OverlayDatabaseMode.Overlay,
+    useOverlayDatabaseCaching: true,
+});
+(0, ava_1.default)(getOverlayDatabaseModeMacro, "No overlay analysis on PR when code-scanning feature enabled with disable-default-queries", {
+    languages: [languages_1.KnownLanguage.javascript],
+    features: [
+        feature_flags_1.Feature.OverlayAnalysis,
+        feature_flags_1.Feature.OverlayAnalysisCodeScanningJavascript,
+    ],
+    codeScanningConfig: {
+        "disable-default-queries": true,
+    },
+    isPullRequest: true,
+}, {
+    overlayDatabaseMode: overlay_database_utils_1.OverlayDatabaseMode.None,
+    useOverlayDatabaseCaching: false,
+});
+(0, ava_1.default)(getOverlayDatabaseModeMacro, "No overlay analysis on PR when code-scanning feature enabled with packs", {
+    languages: [languages_1.KnownLanguage.javascript],
+    features: [
+        feature_flags_1.Feature.OverlayAnalysis,
+        feature_flags_1.Feature.OverlayAnalysisCodeScanningJavascript,
+    ],
+    codeScanningConfig: {
+        packs: ["some-custom-pack@1.0.0"],
+    },
+    isPullRequest: true,
+}, {
+    overlayDatabaseMode: overlay_database_utils_1.OverlayDatabaseMode.None,
+    useOverlayDatabaseCaching: false,
+});
+(0, ava_1.default)(getOverlayDatabaseModeMacro, "No overlay analysis on PR when code-scanning feature enabled with queries", {
+    languages: [languages_1.KnownLanguage.javascript],
+    features: [
+        feature_flags_1.Feature.OverlayAnalysis,
+        feature_flags_1.Feature.OverlayAnalysisCodeScanningJavascript,
+    ],
+    codeScanningConfig: {
+        queries: [{ uses: "some-query.ql" }],
+    },
+    isPullRequest: true,
+}, {
+    overlayDatabaseMode: overlay_database_utils_1.OverlayDatabaseMode.None,
+    useOverlayDatabaseCaching: false,
+});
+(0, ava_1.default)(getOverlayDatabaseModeMacro, "No overlay analysis on PR when code-scanning feature enabled with query-filters", {
+    languages: [languages_1.KnownLanguage.javascript],
+    features: [
+        feature_flags_1.Feature.OverlayAnalysis,
+        feature_flags_1.Feature.OverlayAnalysisCodeScanningJavascript,
+    ],
+    codeScanningConfig: {
+        "query-filters": [{ include: { "security-severity": "high" } }],
+    },
+    isPullRequest: true,
+}, {
+    overlayDatabaseMode: overlay_database_utils_1.OverlayDatabaseMode.None,
+    useOverlayDatabaseCaching: false,
+});
+(0, ava_1.default)(getOverlayDatabaseModeMacro, "No overlay analysis on PR when only language-specific feature enabled", {
+    languages: [languages_1.KnownLanguage.javascript],
+    features: [feature_flags_1.Feature.OverlayAnalysisJavascript],
+    isPullRequest: true,
+}, {
+    overlayDatabaseMode: overlay_database_utils_1.OverlayDatabaseMode.None,
+    useOverlayDatabaseCaching: false,
+});
+(0, ava_1.default)(getOverlayDatabaseModeMacro, "No overlay analysis on PR when only code-scanning feature enabled", {
+    languages: [languages_1.KnownLanguage.javascript],
+    features: [feature_flags_1.Feature.OverlayAnalysisCodeScanningJavascript],
+    isPullRequest: true,
+}, {
+    overlayDatabaseMode: overlay_database_utils_1.OverlayDatabaseMode.None,
+    useOverlayDatabaseCaching: false,
+});
+(0, ava_1.default)(getOverlayDatabaseModeMacro, "No overlay analysis on PR when language-specific feature disabled", {
+    languages: [languages_1.KnownLanguage.javascript],
+    features: [feature_flags_1.Feature.OverlayAnalysis],
    isPullRequest: true,
 }, {
    overlayDatabaseMode: overlay_database_utils_1.OverlayDatabaseMode.None,
@@ -965,7 +1140,8 @@ const getOverlayDatabaseModeMacro = ava_1.default.macro({
    useOverlayDatabaseCaching: false,
 });
 (0, ava_1.default)(getOverlayDatabaseModeMacro, "Overlay PR analysis by feature flag for dsp-testing", {
-    isFeatureEnabled: true,
+    languages: [languages_1.KnownLanguage.javascript],
+    features: [feature_flags_1.Feature.OverlayAnalysis, feature_flags_1.Feature.OverlayAnalysisJavascript],
    isPullRequest: true,
    repositoryOwner: "dsp-testing",
 }, {
@@ -973,7 +1149,8 @@ const getOverlayDatabaseModeMacro = ava_1.default.macro({
    useOverlayDatabaseCaching: true,
 });
 (0, ava_1.default)(getOverlayDatabaseModeMacro, "No overlay PR analysis by feature flag for other-org", {
-    isFeatureEnabled: true,
+    languages: [languages_1.KnownLanguage.javascript],
+    features: [feature_flags_1.Feature.OverlayAnalysis, feature_flags_1.Feature.OverlayAnalysisJavascript],
    isPullRequest: true,
    repositoryOwner: "other-org",
 }, {
@@ -983,7 +1160,7 @@ const getOverlayDatabaseModeMacro = ava_1.default.macro({
 (0, ava_1.default)(getOverlayDatabaseModeMacro, "Fallback due to autobuild with traced language", {
    overlayDatabaseEnvVar: "overlay",
    buildMode: util_1.BuildMode.Autobuild,
-    languages: [languages_1.Language.java],
+    languages: [languages_1.KnownLanguage.java],
 }, {
    overlayDatabaseMode: overlay_database_utils_1.OverlayDatabaseMode.None,
    useOverlayDatabaseCaching: false,
@@ -991,7 +1168,7 @@ const getOverlayDatabaseModeMacro = ava_1.default.macro({
 (0, ava_1.default)(getOverlayDatabaseModeMacro, "Fallback due to no build mode with traced language", {
    overlayDatabaseEnvVar: "overlay",
    buildMode: undefined,
-    languages: [languages_1.Language.java],
+    languages: [languages_1.KnownLanguage.java],
 }, {
    overlayDatabaseMode: overlay_database_utils_1.OverlayDatabaseMode.None,
    useOverlayDatabaseCaching: false,
@@ -1010,4 +1187,15 @@ const getOverlayDatabaseModeMacro = ava_1.default.macro({
    overlayDatabaseMode: overlay_database_utils_1.OverlayDatabaseMode.None,
    useOverlayDatabaseCaching: false,
 });
+// Exercise language-specific overlay analysis features code paths
+for (const language in languages_1.KnownLanguage) {
+    (0, ava_1.default)(getOverlayDatabaseModeMacro, `Check default overlay analysis feature for ${language}`, {
+        languages: [language],
+        features: [feature_flags_1.Feature.OverlayAnalysis],
+        isPullRequest: true,
+    }, {
+        overlayDatabaseMode: overlay_database_utils_1.OverlayDatabaseMode.None,
+        useOverlayDatabaseCaching: false,
+    });
+}
 //# sourceMappingURL=config-utils.test.js.map
@@ -37,11 +37,11 @@ exports.uploadDatabases = uploadDatabases;
 const fs = __importStar(require("fs"));
 const actionsUtil = __importStar(require("./actions-util"));
 const api_client_1 = require("./api-client");
-const codeql_1 = require("./codeql");
 const gitUtils = __importStar(require("./git-utils"));
+const logging_1 = require("./logging");
 const util = __importStar(require("./util"));
 const util_1 = require("./util");
-async function uploadDatabases(repositoryNwo, config, apiDetails, logger) {
+async function uploadDatabases(repositoryNwo, codeql, config, apiDetails, logger) {
    if (actionsUtil.getRequiredInput("upload-database") !== "true") {
        logger.debug("Database upload disabled in workflow. Skipping upload.");
        return;
@@ -61,8 +61,12 @@ async function uploadDatabases(repositoryNwo, config, apiDetails, logger) {
        logger.debug("Not analyzing default branch. Skipping upload.");
        return;
    }
+    // Clean up the database, since intermediate results may still be written to the
+    // database if there is high RAM pressure.
+    await (0, logging_1.withGroupAsync)("Cleaning up databases", async () => {
+        await codeql.databaseCleanupCluster(config, "clear");
+    });
    const client = (0, api_client_1.getApiClient)();
-    const codeql = await (0, codeql_1.getCodeQL)(config.codeQLCmd);
    const uploadsUrl = new URL((0, util_1.parseGitHubUrl)(apiDetails.url));
    uploadsUrl.hostname = `uploads.${uploadsUrl.hostname}`;
    // Octokit expects the baseUrl to not have a trailing slash,
@@ -1 +1 @@
-{"version":3,"file":"database-upload.js","sourceRoot":"","sources":["../src/database-upload.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAYA,0CAmFC;AA/FD,uCAAyB;AAEzB,4DAA8C;AAC9C,6CAA8D;AAC9D,qCAAqC;AAErC,sDAAwC;AAGxC,6CAA+B;AAC/B,iCAAkD;AAE3C,KAAK,UAAU,eAAe,CACnC,aAA4B,EAC5B,MAAc,EACd,UAA4B,EAC5B,MAAc;IAEd,IAAI,WAAW,CAAC,gBAAgB,CAAC,iBAAiB,CAAC,KAAK,MAAM,EAAE,CAAC;QAC/D,MAAM,CAAC,KAAK,CAAC,wDAAwD,CAAC,CAAC;QACvE,OAAO;IACT,CAAC;IAED,IAAI,IAAI,CAAC,YAAY,EAAE,EAAE,CAAC;QACxB,MAAM,CAAC,KAAK,CAAC,yCAAyC,CAAC,CAAC;QACxD,OAAO;IACT,CAAC;IAED,iDAAiD;IACjD,IACE,MAAM,CAAC,aAAa,CAAC,IAAI,KAAK,IAAI,CAAC,aAAa,CAAC,MAAM;QACvD,MAAM,CAAC,aAAa,CAAC,IAAI,KAAK,IAAI,CAAC,aAAa,CAAC,UAAU,EAC3D,CAAC;QACD,MAAM,CAAC,KAAK,CAAC,6DAA6D,CAAC,CAAC;QAC5E,OAAO;IACT,CAAC;IAED,IAAI,CAAC,CAAC,MAAM,QAAQ,CAAC,wBAAwB,EAAE,CAAC,EAAE,CAAC;QACjD,4EAA4E;QAC5E,MAAM,CAAC,KAAK,CAAC,gDAAgD,CAAC,CAAC;QAC/D,OAAO;IACT,CAAC;IAED,MAAM,MAAM,GAAG,IAAA,yBAAY,GAAE,CAAC;IAC9B,MAAM,MAAM,GAAG,MAAM,IAAA,kBAAS,EAAC,MAAM,CAAC,SAAS,CAAC,CAAC;IAEjD,MAAM,UAAU,GAAG,IAAI,GAAG,CAAC,IAAA,qBAAc,EAAC,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC;IAC3D,UAAU,CAAC,QAAQ,GAAG,WAAW,UAAU,CAAC,QAAQ,EAAE,CAAC;IAEvD,4DAA4D;IAC5D,0CAA0C;IAC1C,IAAI,cAAc,GAAG,UAAU,CAAC,QAAQ,EAAE,CAAC;IAC3C,IAAI,cAAc,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;QACjC,cAAc,GAAG,cAAc,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC;IAC/C,CAAC;IAED,KAAK,MAAM,QAAQ,IAAI,MAAM,CAAC,SAAS,EAAE,CAAC;QACxC,IAAI,CAAC;YACH,8BAA8B;YAC9B,2EAA2E;YAC3E,8EAA8E;YAC9E,wEAAwE;YACxE,MAAM,SAAS,GAAG,MAAM,IAAA,eAAQ,EAAC,MAAM,EAAE,QAAQ,EAAE,MAAM,EAAE,QAAQ,CAAC,CAAC;YACrE,MAAM,aAAa,GAAG,EAAE,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC,IAAI,CAAC;YAClD,MAAM,mBAAmB,GAAG,EAAE,CAAC,gBAAgB,CAAC,SAAS,CAAC,CAAC;YAC3D,MAAM,SAAS,GAAG,MAAM,QAAQ,CAAC,YAAY,CAC3C,WAAW,CAAC,gBAAgB,CAAC,eAAe,CAAC,CAC9C,CAAC;YACF,IAAI,CAAC;gBACH,MAAM,MAAM,CAAC,OAAO,CAClB,qGAAqG,EACrG;oBACE,OAAO,EAAE,cAAc;oBACvB,KAAK,EAAE,aAAa,CAAC,KAAK;oBAC1B,IAAI,EAAE,aAAa,CAAC,IAAI;oBACxB,QAAQ;oBACR,IAAI,EAAE,GAAG,QAAQ,WAAW;oBAC5B,UAAU,EAAE,SAAS;oBACrB,IAAI,EAAE,mBAAmB;oBACzB,OAAO,EAAE;wBACP,aAAa,EAAE,SAAS,UAAU,CAAC,IAAI,EAAE;wBACzC,cAAc,EAAE,iBAAiB;wBACjC,gBAAgB,EAAE,aAAa;qBAChC;iBACF,CACF,CAAC;gBACF,MAAM,CAAC,KAAK,CAAC,sCAAsC,QAAQ,EAAE,CAAC,CAAC;YACjE,CAAC;oBAAS,CAAC;gBACT,mBAAmB,CAAC,KAAK,EAAE,CAAC;YAC9B,CAAC;QACH,CAAC;QAAC,OAAO,CAAC,EAAE,CAAC;YACX,4CAA4C;YAC5C,MAAM,CAAC,OAAO,CAAC,iCAAiC,QAAQ,KAAK,CAAC,EAAE,CAAC,CAAC;QACpE,CAAC;IACH,CAAC;AACH,CAAC"}
+{"version":3,"file":"database-upload.js","sourceRoot":"","sources":["../src/database-upload.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAYA,0CAyFC;AArGD,uCAAyB;AAEzB,4DAA8C;AAC9C,6CAA8D;AAG9D,sDAAwC;AACxC,uCAAmD;AAEnD,6CAA+B;AAC/B,iCAAkD;AAE3C,KAAK,UAAU,eAAe,CACnC,aAA4B,EAC5B,MAAc,EACd,MAAc,EACd,UAA4B,EAC5B,MAAc;IAEd,IAAI,WAAW,CAAC,gBAAgB,CAAC,iBAAiB,CAAC,KAAK,MAAM,EAAE,CAAC;QAC/D,MAAM,CAAC,KAAK,CAAC,wDAAwD,CAAC,CAAC;QACvE,OAAO;IACT,CAAC;IAED,IAAI,IAAI,CAAC,YAAY,EAAE,EAAE,CAAC;QACxB,MAAM,CAAC,KAAK,CAAC,yCAAyC,CAAC,CAAC;QACxD,OAAO;IACT,CAAC;IAED,iDAAiD;IACjD,IACE,MAAM,CAAC,aAAa,CAAC,IAAI,KAAK,IAAI,CAAC,aAAa,CAAC,MAAM;QACvD,MAAM,CAAC,aAAa,CAAC,IAAI,KAAK,IAAI,CAAC,aAAa,CAAC,UAAU,EAC3D,CAAC;QACD,MAAM,CAAC,KAAK,CAAC,6DAA6D,CAAC,CAAC;QAC5E,OAAO;IACT,CAAC;IAED,IAAI,CAAC,CAAC,MAAM,QAAQ,CAAC,wBAAwB,EAAE,CAAC,EAAE,CAAC;QACjD,4EAA4E;QAC5E,MAAM,CAAC,KAAK,CAAC,gDAAgD,CAAC,CAAC;QAC/D,OAAO;IACT,CAAC;IAED,gFAAgF;IAChF,0CAA0C;IAC1C,MAAM,IAAA,wBAAc,EAAC,uBAAuB,EAAE,KAAK,IAAI,EAAE;QACvD,MAAM,MAAM,CAAC,sBAAsB,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IACvD,CAAC,CAAC,CAAC;IAEH,MAAM,MAAM,GAAG,IAAA,yBAAY,GAAE,CAAC;IAE9B,MAAM,UAAU,GAAG,IAAI,GAAG,CAAC,IAAA,qBAAc,EAAC,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC;IAC3D,UAAU,CAAC,QAAQ,GAAG,WAAW,UAAU,CAAC,QAAQ,EAAE,CAAC;IAEvD,4DAA4D;IAC5D,0CAA0C;IAC1C,IAAI,cAAc,GAAG,UAAU,CAAC,QAAQ,EAAE,CAAC;IAC3C,IAAI,cAAc,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;QACjC,cAAc,GAAG,cAAc,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC;IAC/C,CAAC;IAED,KAAK,MAAM,QAAQ,IAAI,MAAM,CAAC,SAAS,EAAE,CAAC;QACxC,IAAI,CAAC;YACH,8BAA8B;YAC9B,2EAA2E;YAC3E,8EAA8E;YAC9E,wEAAwE;YACxE,MAAM,SAAS,GAAG,MAAM,IAAA,eAAQ,EAAC,MAAM,EAAE,QAAQ,EAAE,MAAM,EAAE,QAAQ,CAAC,CAAC;YACrE,MAAM,aAAa,GAAG,EAAE,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC,IAAI,CAAC;YAClD,MAAM,mBAAmB,GAAG,EAAE,CAAC,gBAAgB,CAAC,SAAS,CAAC,CAAC;YAC3D,MAAM,SAAS,GAAG,MAAM,QAAQ,CAAC,YAAY,CAC3C,WAAW,CAAC,gBAAgB,CAAC,eAAe,CAAC,CAC9C,CAAC;YACF,IAAI,CAAC;gBACH,MAAM,MAAM,CAAC,OAAO,CAClB,qGAAqG,EACrG;oBACE,OAAO,EAAE,cAAc;oBACvB,KAAK,EAAE,aAAa,CAAC,KAAK;oBAC1B,IAAI,EAAE,aAAa,CAAC,IAAI;oBACxB,QAAQ;oBACR,IAAI,EAAE,GAAG,QAAQ,WAAW;oBAC5B,UAAU,EAAE,SAAS;oBACrB,IAAI,EAAE,mBAAmB;oBACzB,OAAO,EAAE;wBACP,aAAa,EAAE,SAAS,UAAU,CAAC,IAAI,EAAE;wBACzC,cAAc,EAAE,iBAAiB;wBACjC,gBAAgB,EAAE,aAAa;qBAChC;iBACF,CACF,CAAC;gBACF,MAAM,CAAC,KAAK,CAAC,sCAAsC,QAAQ,EAAE,CAAC,CAAC;YACjE,CAAC;oBAAS,CAAC;gBACT,mBAAmB,CAAC,KAAK,EAAE,CAAC;YAC9B,CAAC;QACH,CAAC;QAAC,OAAO,CAAC,EAAE,CAAC;YACX,4CAA4C;YAC5C,MAAM,CAAC,OAAO,CAAC,iCAAiC,QAAQ,KAAK,CAAC,EAAE,CAAC,CAAC;QACpE,CAAC;IACH,CAAC;AACH,CAAC"}
@@ -60,7 +60,7 @@ const testApiDetails = {
 };
 function getTestConfig(tmpDir) {
    return (0, testing_utils_1.createTestConfig)({
-        languages: [languages_1.Language.javascript],
+        languages: [languages_1.KnownLanguage.javascript],
        dbLocation: tmpDir,
    });
 }
@@ -79,6 +79,16 @@ async function mockHttpRequests(databaseUploadStatusCode) {
    sinon.stub(apiClient, "getApiClient").value(() => client);
    return databaseUploadSpy;
 }
+function getCodeQL() {
+    return (0, codeql_1.createStubCodeQL)({
+        async databaseBundle(_, outputFilePath) {
+            fs.writeFileSync(outputFilePath, "");
+        },
+        async databaseCleanupCluster() {
+            // Do nothing, as we are not testing cleanup here.
+        },
+    });
+}
 (0, ava_1.default)("Abort database upload if 'upload-database' input set to false", async (t) => {
    await (0, util_1.withTmpDir)(async (tmpDir) => {
        (0, testing_utils_1.setupActionsVars)(tmpDir, tmpDir);
@@ -88,7 +98,7 @@ async function mockHttpRequests(databaseUploadStatusCode) {
            .returns("false");
        sinon.stub(gitUtils, "isAnalyzingDefaultBranch").resolves(true);
        const loggedMessages = [];
-        await (0, database_upload_1.uploadDatabases)(testRepoName, getTestConfig(tmpDir), testApiDetails, (0, testing_utils_1.getRecordingLogger)(loggedMessages));
+        await (0, database_upload_1.uploadDatabases)(testRepoName, getCodeQL(), getTestConfig(tmpDir), testApiDetails, (0, testing_utils_1.getRecordingLogger)(loggedMessages));
        t.assert(loggedMessages.find((v) => v.type === "debug" &&
            v.message ===
                "Database upload disabled in workflow. Skipping upload.") !== undefined);
@@ -105,7 +115,7 @@ async function mockHttpRequests(databaseUploadStatusCode) {
        const config = getTestConfig(tmpDir);
        config.gitHubVersion = { type: util_1.GitHubVariant.GHES, version: "3.0" };
        const loggedMessages = [];
-        await (0, database_upload_1.uploadDatabases)(testRepoName, config, testApiDetails, (0, testing_utils_1.getRecordingLogger)(loggedMessages));
+        await (0, database_upload_1.uploadDatabases)(testRepoName, getCodeQL(), config, testApiDetails, (0, testing_utils_1.getRecordingLogger)(loggedMessages));
        t.assert(loggedMessages.find((v) => v.type === "debug" &&
            v.message ===
                "Not running against github.com or GHEC-DR. Skipping upload.") !== undefined);
@@ -120,7 +130,7 @@ async function mockHttpRequests(databaseUploadStatusCode) {
            .returns("true");
        sinon.stub(gitUtils, "isAnalyzingDefaultBranch").resolves(false);
        const loggedMessages = [];
-        await (0, database_upload_1.uploadDatabases)(testRepoName, getTestConfig(tmpDir), testApiDetails, (0, testing_utils_1.getRecordingLogger)(loggedMessages));
+        await (0, database_upload_1.uploadDatabases)(testRepoName, getCodeQL(), getTestConfig(tmpDir), testApiDetails, (0, testing_utils_1.getRecordingLogger)(loggedMessages));
        t.assert(loggedMessages.find((v) => v.type === "debug" &&
            v.message === "Not analyzing default branch. Skipping upload.") !== undefined);
    });
@@ -134,13 +144,8 @@ async function mockHttpRequests(databaseUploadStatusCode) {
            .returns("true");
        sinon.stub(gitUtils, "isAnalyzingDefaultBranch").resolves(true);
        await mockHttpRequests(500);
-        (0, codeql_1.setCodeQL)({
-            async databaseBundle(_, outputFilePath) {
-                fs.writeFileSync(outputFilePath, "");
-            },
-        });
        const loggedMessages = [];
-        await (0, database_upload_1.uploadDatabases)(testRepoName, getTestConfig(tmpDir), testApiDetails, (0, testing_utils_1.getRecordingLogger)(loggedMessages));
+        await (0, database_upload_1.uploadDatabases)(testRepoName, getCodeQL(), getTestConfig(tmpDir), testApiDetails, (0, testing_utils_1.getRecordingLogger)(loggedMessages));
        t.assert(loggedMessages.find((v) => v.type === "warning" &&
            v.message ===
                "Failed to upload database for javascript: Error: some error message") !== undefined);
@@ -155,13 +160,8 @@ async function mockHttpRequests(databaseUploadStatusCode) {
            .returns("true");
        sinon.stub(gitUtils, "isAnalyzingDefaultBranch").resolves(true);
        await mockHttpRequests(201);
-        (0, codeql_1.setCodeQL)({
-            async databaseBundle(_, outputFilePath) {
-                fs.writeFileSync(outputFilePath, "");
-            },
-        });
        const loggedMessages = [];
-        await (0, database_upload_1.uploadDatabases)(testRepoName, getTestConfig(tmpDir), testApiDetails, (0, testing_utils_1.getRecordingLogger)(loggedMessages));
+        await (0, database_upload_1.uploadDatabases)(testRepoName, getCodeQL(), getTestConfig(tmpDir), testApiDetails, (0, testing_utils_1.getRecordingLogger)(loggedMessages));
        t.assert(loggedMessages.find((v) => v.type === "debug" &&
            v.message === "Successfully uploaded database for javascript") !== undefined);
    });
@@ -175,13 +175,8 @@ async function mockHttpRequests(databaseUploadStatusCode) {
            .returns("true");
        sinon.stub(gitUtils, "isAnalyzingDefaultBranch").resolves(true);
        const databaseUploadSpy = await mockHttpRequests(201);
-        (0, codeql_1.setCodeQL)({
-            async databaseBundle(_, outputFilePath) {
-                fs.writeFileSync(outputFilePath, "");
-            },
-        });
        const loggedMessages = [];
-        await (0, database_upload_1.uploadDatabases)(testRepoName, getTestConfig(tmpDir), {
+        await (0, database_upload_1.uploadDatabases)(testRepoName, getCodeQL(), getTestConfig(tmpDir), {
            auth: "1234",
            url: "https://tenant.ghe.com",
            apiURL: undefined,
@@ -50,7 +50,6 @@ const archiver_1 = __importDefault(require("archiver"));
 const del_1 = __importDefault(require("del"));
 const actions_util_1 = require("./actions-util");
 const analyze_1 = require("./analyze");
-const codeql_1 = require("./codeql");
 const environment_1 = require("./environment");
 const logging_1 = require("./logging");
 const tools_features_1 = require("./tools-features");
@@ -120,11 +119,11 @@ function tryPrepareSarifDebugArtifact(config, language, logger) {
 *
 * @return The path to the database bundle, or undefined if an error occurs.
 */
-async function tryBundleDatabase(config, language, logger) {
+async function tryBundleDatabase(codeql, config, language, logger) {
    try {
        if ((0, analyze_1.dbIsFinalized)(config, language, logger)) {
            try {
-                return await createDatabaseBundleCli(config, language);
+                return await createDatabaseBundleCli(codeql, config, language);
            }
            catch (e) {
                logger.warning(`Failed to bundle database for ${language} using the CLI. ` +
@@ -143,7 +142,7 @@ async function tryBundleDatabase(config, language, logger) {
 *
 * Logs and suppresses any errors that occur.
 */
-async function tryUploadAllAvailableDebugArtifacts(config, logger, codeQlVersion) {
+async function tryUploadAllAvailableDebugArtifacts(codeql, config, logger, codeQlVersion) {
    const filesToUpload = [];
    try {
        for (const language of config.languages) {
@@ -170,7 +169,7 @@ async function tryUploadAllAvailableDebugArtifacts(config, logger, codeQlVersion
                }
                // Add database bundle
                logger.info("Preparing database bundle debug artifact...");
-                const databaseBundle = await tryBundleDatabase(config, language, logger);
+                const databaseBundle = await tryBundleDatabase(codeql, config, language, logger);
                if (databaseBundle) {
                    filesToUpload.push(databaseBundle);
                    logger.info("Database bundle debug artifact ready for upload.");
@@ -269,8 +268,8 @@ async function createPartialDatabaseBundle(config, language) {
 /**
 * Runs `codeql database bundle` command and returns the path.
 */
-async function createDatabaseBundleCli(config, language) {
-    const databaseBundlePath = await (0, util_1.bundleDb)(config, language, await (0, codeql_1.getCodeQL)(config.codeQLCmd), `${config.debugDatabaseName}-${language}`);
+async function createDatabaseBundleCli(codeql, config, language) {
+    const databaseBundlePath = await (0, util_1.bundleDb)(config, language, codeql, `${config.debugDatabaseName}-${language}`);
    return databaseBundlePath;
 }
 //# sourceMappingURL=debug-artifacts.js.map
@@ -1,6 +1,6 @@
 {
-    "bundleVersion": "codeql-bundle-v2.22.1",
-    "cliVersion": "2.22.1",
-    "priorBundleVersion": "codeql-bundle-v2.22.0",
-    "priorCliVersion": "2.22.0"
+    "bundleVersion": "codeql-bundle-v2.22.3",
+    "cliVersion": "2.22.3",
+    "priorBundleVersion": "codeql-bundle-v2.22.2",
+    "priorCliVersion": "2.22.2"
 }
--- a/Show More
+++ b/Show More