Merge pull request #3765 from github/backport-v3.34.1-386975555

Merge releases/v4 into releases/v3

.github/actions/check-sarif/action.yml

@@ -16,5 +16,5 @@ inputs:
       Comma separated list of query ids that should NOT be included in this SARIF file.
 
 runs:
-  using: node24
+  using: node20
   main: index.js

.github/actions/release-branches/action.yml

@@ -22,8 +22,7 @@ runs:
         MAJOR_VERSION: ${{ inputs.major_version }}
         LATEST_TAG: ${{ inputs.latest_tag }}
       run: |
-        npm ci
-        npx tsx ./pr-checks/release-branches.ts \
+        python ${{ github.action_path }}/release-branches.py \
             --major-version "$MAJOR_VERSION" \
             --latest-tag "$LATEST_TAG"
       shell: bash

.github/actions/release-branches/release-branches.py

@@ -0,0 +1,55 @@
+import argparse
+import json
+import os
+import configparser
+
+# Name of the remote
+ORIGIN = 'origin'
+
+script_dir = os.path.dirname(os.path.realpath(__file__))
+grandparent_dir = os.path.dirname(os.path.dirname(script_dir))
+
+config = configparser.ConfigParser()
+with open(os.path.join(grandparent_dir, 'releases.ini')) as stream:
+    config.read_string('[default]\n' + stream.read())
+
+OLDEST_SUPPORTED_MAJOR_VERSION = int(config['default']['OLDEST_SUPPORTED_MAJOR_VERSION'])
+
+def main():
+
+  parser = argparse.ArgumentParser()
+  parser.add_argument("--major-version", required=True, type=str, help="The major version of the release")
+  parser.add_argument("--latest-tag", required=True, type=str, help="The most recent tag published to the repository")
+  args = parser.parse_args()
+
+  major_version = args.major_version
+  latest_tag = args.latest_tag
+
+  print("major_version: " + major_version)
+  print("latest_tag: " + latest_tag)
+
+  # If this is a primary release, we backport to all supported branches,
+  # so we check whether the major_version taken from the package.json
+  # is greater than or equal to the latest tag pulled from the repo.
+  # For example...
+  #     'v1' >= 'v2' is False # we're operating from an older release branch and should not backport
+  #     'v2' >= 'v2' is True  # the normal case where we're updating the current version
+  #     'v3' >= 'v2' is True  # in this case we are making the first release of a new major version
+  consider_backports = ( major_version >= latest_tag.split(".")[0] )
+
+  with open(os.environ["GITHUB_OUTPUT"], "a") as f:
+
+    f.write(f"backport_source_branch=releases/{major_version}\n")
+
+    backport_target_branches = []
+
+    if consider_backports:
+      for i in range(int(major_version.strip("v"))-1, 0, -1):
+        branch_name = f"releases/v{i}"
+        if i >= OLDEST_SUPPORTED_MAJOR_VERSION:
+          backport_target_branches.append(branch_name)
+
+    f.write("backport_target_branches="+json.dumps(backport_target_branches)+"\n")
+
+if __name__ == "__main__":
+  main()

.github/actions/release-initialise/action.yml

@@ -15,12 +15,6 @@ runs:
       run: echo "$GITHUB_CONTEXT"
       shell: bash
 
-    - name: Set up Node
-      uses: actions/setup-node@v6
-      with:
-        node-version: 20
-        cache: 'npm'
-
     - name: Set up Python
       uses: actions/setup-python@v6
       with:

.github/actions/verify-debug-artifact-scan-completed/action.yml

@@ -1,6 +1,6 @@
 name: Verify that the best-effort debug artifact scan completed
 description: Verifies that the best-effort debug artifact scan completed successfully during tests
 runs:
-  using: node24
+  using: node20
   main: index.js
   post: post.js

.github/releases.ini

@@ -0,0 +1 @@
+OLDEST_SUPPORTED_MAJOR_VERSION=3

.github/workflows/__rubocop-multi-language.yml

@@ -59,7 +59,7 @@ jobs:
           use-all-platform-bundle: 'false'
           setup-kotlin: 'true'
       - name: Set up Ruby
-        uses: ruby/setup-ruby@319994f95fa847cf3fb3cd3dbe89f6dcde9f178f # v1.295.0
+        uses: ruby/setup-ruby@09a7688d3b55cf0e976497ff046b70949eeaccfd # v1.288.0
         with:
           ruby-version: 2.6
       - name: Install Code Scanning integration

.github/workflows/post-release-mergeback.yml

@@ -24,7 +24,7 @@ defaults:
 
 jobs:
   merge-back:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-slim
     environment: Automation
     if: github.repository == 'github/codeql-action'
     env:

.github/workflows/pr-checks.yml

@@ -54,11 +54,7 @@ jobs:
 
       - name: Run unit tests
         if: always()
-        run: npm run test-coverage
-
-      - name: Check code coverage
-        if: always()
-        run: npm run coverage
+        run: npm test
 
       - name: Lint
         if: always() && matrix.os != 'windows-latest'

.github/workflows/prepare-release.yml

@@ -29,7 +29,7 @@ defaults:
 jobs:
   prepare:
     name: "Prepare release"
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-slim
     if: github.repository == 'github/codeql-action'
 
     permissions:

.github/workflows/script/update-required-checks.sh

@@ -0,0 +1,64 @@
+#!/usr/bin/env bash
+# Update the required checks based on the current branch.
+
+set -euo pipefail
+
+SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )"
+REPO_DIR="$(dirname "$SCRIPT_DIR")"
+GRANDPARENT_DIR="$(dirname "$REPO_DIR")"
+source "$GRANDPARENT_DIR/releases.ini"
+
+if ! gh auth status 2>/dev/null; then
+  gh auth status
+  echo "Failed: Not authorized. This script requires admin access to github/codeql-action through the gh CLI."
+  exit 1
+fi
+
+if [ "$#" -eq 1 ]; then
+  # If we were passed an argument, use that as the SHA
+  GITHUB_SHA="$1"
+elif [ "$#" -gt 1 ]; then
+  echo "Usage: $0 [SHA]"
+  echo "Update the required checks based on the SHA, or main."
+  exit 1
+elif [ -z "$GITHUB_SHA" ]; then
+  # If we don't have a SHA, use main
+  GITHUB_SHA="$(git rev-parse main)"
+fi
+
+echo "Getting checks for $GITHUB_SHA"
+
+# Ignore any checks with "https://", CodeQL, LGTM, Update, and ESLint checks.
+CHECKS="$(gh api repos/github/codeql-action/commits/"${GITHUB_SHA}"/check-runs --paginate | jq --slurp --compact-output --raw-output '[.[].check_runs.[] | select(.conclusion != "skipped") | .name | select(contains("https://") or . == "CodeQL" or . == "Dependabot" or . == "check-expected-release-files" or contains("Update") or contains("ESLint") or contains("update") or contains("test-setup-python-scripts") or . == "Agent" or . == "Cleanup artifacts" or . == "Prepare" or . == "Upload results" or . == "Label PR with size" | not)] | unique | sort')"
+
+echo "$CHECKS" | jq
+
+# Fail if there are no checks
+if [ -z "$CHECKS" ] || [ "$(echo "$CHECKS" | jq '. | length')" -eq 0 ]; then
+  echo "No checks found for $GITHUB_SHA"
+  exit 1
+fi
+
+echo "{\"contexts\": ${CHECKS}}" > checks.json
+
+echo "Updating main"
+gh api --silent -X "PATCH" "repos/github/codeql-action/branches/main/protection/required_status_checks" --input checks.json
+
+# list all branchs on origin remote matching releases/v*
+BRANCHES="$(git ls-remote --heads origin 'releases/v*' | sed 's?.*refs/heads/??' | sort -V)"
+
+for BRANCH in $BRANCHES; do
+
+  # strip exact 'releases/v' prefix from $BRANCH using count of characters
+  VERSION="${BRANCH:10}"
+
+  if [ "$VERSION" -lt "$OLDEST_SUPPORTED_MAJOR_VERSION" ]; then
+    echo "Skipping $BRANCH"
+    continue
+  fi
+
+  echo "Updating $BRANCH"
+  gh api --silent -X "PATCH" "repos/github/codeql-action/branches/$BRANCH/protection/required_status_checks" --input checks.json
+done
+
+rm checks.json

.github/workflows/update-bundle.yml

@@ -20,7 +20,7 @@ defaults:
 jobs:
   update-bundle:
     if: github.event.release.prerelease && startsWith(github.event.release.tag_name, 'codeql-bundle-')
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-slim
     permissions:
       contents: write # needed to push commits
       pull-requests: write # needed to create pull requests

.github/workflows/update-release-branch.yml

@@ -26,7 +26,7 @@ jobs:
 
   update:
     timeout-minutes: 45
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-slim
     if: github.event_name == 'workflow_dispatch'
     needs: [prepare]
     env:
@@ -77,7 +77,7 @@ jobs:
 
   backport:
     timeout-minutes: 45
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-slim
     environment: Automation
     needs: [prepare]
     if: ${{ (github.event_name == 'push') && needs.prepare.outputs.backport_target_branches != '[]' }}

.gitignore

@@ -2,8 +2,6 @@
 node_modules/
 # Build output for tests
 build/
-# Code coverage information
-coverage/
 # Java build files
 .gradle/
 *.class

.vscode/tests.code-snippets

@@ -1,30 +0,0 @@
-{
-  // Place your codeql-action workspace snippets here. Each snippet is defined under a snippet name and has a scope, prefix, body and
-  // description. Add comma separated ids of the languages where the snippet is applicable in the scope field. If scope
-  // is left empty or omitted, the snippet gets applied to all languages. The prefix is what is
-  // used to trigger the snippet and the body will be expanded and inserted. Possible variables are:
-  // $1, $2 for tab stops, $0 for the final cursor position, and ${1:label}, ${2:another} for placeholders.
-  // Placeholders with the same ids are connected.
-  // Example:
-  // "Print to console": {
-  // 	"scope": "javascript,typescript",
-  // 	"prefix": "log",
-  // 	"body": [
-  // 		"console.log('$1');",
-  // 		"$2"
-  // 	],
-  // 	"description": "Log output to console"
-  // }
-  "Test Macro": {
-    "scope": "javascript, typescript",
-    "prefix": "testMacro",
-    "body": [
-      "const ${1:nameMacro} = test.macro({",
-      "  exec: async (t: ExecutionContext<unknown>) => {},",
-      "",
-      "  title: (providedTitle = \"\") => `${2:common title} - \\${providedTitle}`,",
-      "});",
-    ],
-    "description": "An Ava test macro",
-  },
-}

CHANGELOG.md

@@ -2,33 +2,19 @@
 
 See the [releases page](https://github.com/github/codeql-action/releases) for the relevant changes to the CodeQL CLI and language packs.
 
-## [UNRELEASED]
-
-No user facing changes.
-
-## 4.35.1 - 27 Mar 2026
-
-- Fix incorrect minimum required Git version for [improved incremental analysis](https://github.com/github/roadmap/issues/1158): it should have been 2.36.0, not 2.11.0. [#3781](https://github.com/github/codeql-action/pull/3781)
-
-## 4.35.0 - 27 Mar 2026
-
-- Reduced the minimum Git version required for [improved incremental analysis](https://github.com/github/roadmap/issues/1158) from 2.38.0 to 2.11.0. [#3767](https://github.com/github/codeql-action/pull/3767)
-- Update default CodeQL bundle version to [2.25.1](https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.25.1). [#3773](https://github.com/github/codeql-action/pull/3773)
-
-## 4.34.1 - 20 Mar 2026
+## 3.34.1 - 20 Mar 2026
 
 - Downgrade default CodeQL bundle version to [2.24.3](https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.24.3) due to issues with a small percentage of Actions and JavaScript analyses. [#3762](https://github.com/github/codeql-action/pull/3762)
 
-## 4.34.0 - 20 Mar 2026
+## 3.34.0 - 20 Mar 2026
 
 - Added an experimental change which disables TRAP caching when [improved incremental analysis](https://github.com/github/roadmap/issues/1158) is enabled, since improved incremental analysis supersedes TRAP caching. This will improve performance and reduce Actions cache usage. We expect to roll this change out to everyone in March. [#3569](https://github.com/github/codeql-action/pull/3569)
 - We are rolling out improved incremental analysis to C/C++ analyses that use build mode `none`. We expect this rollout to be complete by the end of April 2026. [#3584](https://github.com/github/codeql-action/pull/3584)
 - Update default CodeQL bundle version to [2.25.0](https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.25.0). [#3585](https://github.com/github/codeql-action/pull/3585)
 
-## 4.33.0 - 16 Mar 2026
+## 3.33.0 - 16 Mar 2026
 
 - Upcoming change: Starting April 2026, the CodeQL Action will skip collecting file coverage information on pull requests to improve analysis performance. File coverage information will still be computed on non-PR analyses. Pull request analyses will log a warning about this upcoming change. [#3562](https://github.com/github/codeql-action/pull/3562)
-
   To opt out of this change:
   - **Repositories owned by an organization:** Create a custom repository property with the name `github-codeql-file-coverage-on-prs` and the type "True/false", then set this property to `true` in the repository's settings. For more information, see [Managing custom properties for repositories in your organization](https://docs.github.com/en/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization). Alternatively, if you are using an advanced setup workflow, you can set the `CODEQL_ACTION_FILE_COVERAGE_ON_PRS` environment variable to `true` in your workflow.
   - **User-owned repositories using default setup:** Switch to an advanced setup workflow and set the `CODEQL_ACTION_FILE_COVERAGE_ON_PRS` environment variable to `true` in your workflow.
@@ -39,11 +25,11 @@ No user facing changes.
 - Fixed the retry mechanism for database uploads. Previously this would fail with the error "Response body object should not be disturbed or locked". [#3564](https://github.com/github/codeql-action/pull/3564)
 - A warning is now emitted if the CodeQL Action detects a repository property whose name suggests that it relates to the CodeQL Action, but which is not one of the properties recognised by the current version of the CodeQL Action. [#3570](https://github.com/github/codeql-action/pull/3570)
 
-## 4.32.6 - 05 Mar 2026
+## 3.32.6 - 05 Mar 2026
 
 - Update default CodeQL bundle version to [2.24.3](https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.24.3). [#3548](https://github.com/github/codeql-action/pull/3548)
 
-## 4.32.5 - 02 Mar 2026
+## 3.32.5 - 02 Mar 2026
 
 - Repositories owned by an organization can now set up the `github-codeql-disable-overlay` custom repository property to disable [improved incremental analysis for CodeQL](https://github.com/github/roadmap/issues/1158). First, create a custom repository property with the name `github-codeql-disable-overlay` and the type "True/false" in the organization's settings. Then in the repository's settings, set this property to `true` to disable improved incremental analysis. For more information, see [Managing custom properties for repositories in your organization](https://docs.github.com/en/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization). This feature is not yet available on GitHub Enterprise Server. [#3507](https://github.com/github/codeql-action/pull/3507)
 - Added an experimental change so that when [improved incremental analysis](https://github.com/github/roadmap/issues/1158) fails on a runner — potentially due to insufficient disk space — the failure is recorded in the Actions cache so that subsequent runs will automatically skip improved incremental analysis until something changes (e.g. a larger runner is provisioned or a new CodeQL version is released). We expect to roll this change out to everyone in March. [#3487](https://github.com/github/codeql-action/pull/3487)
@@ -53,7 +39,7 @@ No user facing changes.
 - Added an experimental change which allows the `start-proxy` action to resolve the CodeQL CLI version from feature flags instead of using the linked CLI bundle version. We expect to roll this change out to everyone in March. [#3512](https://github.com/github/codeql-action/pull/3512)
 - The previously experimental changes from versions 4.32.3, 4.32.4, 3.32.3 and 3.32.4 are now enabled by default. [#3503](https://github.com/github/codeql-action/pull/3503), [#3504](https://github.com/github/codeql-action/pull/3504)
 
-## 4.32.4 - 20 Feb 2026
+## 3.32.4 - 20 Feb 2026
 
 - Update default CodeQL bundle version to [2.24.2](https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.24.2). [#3493](https://github.com/github/codeql-action/pull/3493)
 - Added an experimental change which improves how certificates are generated for the authentication proxy that is used by the CodeQL Action in Default Setup when [private package registries are configured](https://docs.github.com/en/code-security/how-tos/secure-at-scale/configure-organization-security/manage-usage-and-access/giving-org-access-private-registries). This is expected to generate more widely compatible certificates and should have no impact on analyses which are working correctly already. We expect to roll this change out to everyone in February. [#3473](https://github.com/github/codeql-action/pull/3473)
@@ -61,88 +47,88 @@ No user facing changes.
 - Added a setting which allows the CodeQL Action to enable network debugging for Java programs. This will help GitHub staff support customers with troubleshooting issues in GitHub-managed CodeQL workflows, such as Default Setup. This setting can only be enabled by GitHub staff. [#3485](https://github.com/github/codeql-action/pull/3485)
 - Added a setting which enables GitHub-managed workflows, such as Default Setup, to use a [nightly CodeQL CLI release](https://github.com/dsp-testing/codeql-cli-nightlies) instead of the latest, stable release that is used by default. This will help GitHub staff support customers whose analyses for a given repository or organization require early access to a change in an upcoming CodeQL CLI release. This setting can only be enabled by GitHub staff. [#3484](https://github.com/github/codeql-action/pull/3484)
 
-## 4.32.3 - 13 Feb 2026
+## 3.32.3 - 13 Feb 2026
 
 - Added experimental support for testing connections to [private package registries](https://docs.github.com/en/code-security/how-tos/secure-at-scale/configure-organization-security/manage-usage-and-access/giving-org-access-private-registries). This feature is not currently enabled for any analysis. In the future, it may be enabled by default for Default Setup. [#3466](https://github.com/github/codeql-action/pull/3466)
 
-## 4.32.2 - 05 Feb 2026
+## 3.32.2 - 05 Feb 2026
 
 - Update default CodeQL bundle version to [2.24.1](https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.24.1). [#3460](https://github.com/github/codeql-action/pull/3460)
 
-## 4.32.1 - 02 Feb 2026
+## 3.32.1 - 02 Feb 2026
 
 - A warning is now shown in Default Setup workflow logs if a [private package registry is configured](https://docs.github.com/en/code-security/how-tos/secure-at-scale/configure-organization-security/manage-usage-and-access/giving-org-access-private-registries) using a GitHub Personal Access Token (PAT), but no username is configured. [#3422](https://github.com/github/codeql-action/pull/3422)
 - Fixed a bug which caused the CodeQL Action to fail when repository properties cannot successfully be retrieved. [#3421](https://github.com/github/codeql-action/pull/3421)
 
-## 4.32.0 - 26 Jan 2026
+## 3.32.0 - 26 Jan 2026
 
 - Update default CodeQL bundle version to [2.24.0](https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.24.0). [#3425](https://github.com/github/codeql-action/pull/3425)
 
-## 4.31.11 - 23 Jan 2026
+## 3.31.11 - 23 Jan 2026
 
 - When running a Default Setup workflow with [Actions debugging enabled](https://docs.github.com/en/actions/how-tos/monitor-workflows/enable-debug-logging), the CodeQL Action will now use more unique names when uploading logs from the Dependabot authentication proxy as workflow artifacts. This ensures that the artifact names do not clash between multiple jobs in a build matrix. [#3409](https://github.com/github/codeql-action/pull/3409)
 - Improved error handling throughout the CodeQL Action. [#3415](https://github.com/github/codeql-action/pull/3415)
 - Added experimental support for automatically excluding [generated files](https://docs.github.com/en/repositories/working-with-files/managing-files/customizing-how-changed-files-appear-on-github) from the analysis. This feature is not currently enabled for any analysis. In the future, it may be enabled by default for some GitHub-managed analyses. [#3318](https://github.com/github/codeql-action/pull/3318)
 - The changelog extracts that are included with releases of the CodeQL Action are now shorter to avoid duplicated information from appearing in Dependabot PRs. [#3403](https://github.com/github/codeql-action/pull/3403)
 
-## 4.31.10 - 12 Jan 2026
+## 3.31.10 - 12 Jan 2026
 
 - Update default CodeQL bundle version to 2.23.9. [#3393](https://github.com/github/codeql-action/pull/3393)
 
-## 4.31.9 - 16 Dec 2025
+## 3.31.9 - 16 Dec 2025
 
 No user facing changes.
 
-## 4.31.8 - 11 Dec 2025
+## 3.31.8 - 11 Dec 2025
 
 - Update default CodeQL bundle version to 2.23.8. [#3354](https://github.com/github/codeql-action/pull/3354)
 
-## 4.31.7 - 05 Dec 2025
+## 3.31.7 - 05 Dec 2025
 
 - Update default CodeQL bundle version to 2.23.7. [#3343](https://github.com/github/codeql-action/pull/3343)
 
-## 4.31.6 - 01 Dec 2025
+## 3.31.6 - 01 Dec 2025
 
 No user facing changes.
 
-## 4.31.5 - 24 Nov 2025
+## 3.31.5 - 24 Nov 2025
 
 - Update default CodeQL bundle version to 2.23.6. [#3321](https://github.com/github/codeql-action/pull/3321)
 
-## 4.31.4 - 18 Nov 2025
+## 3.31.4 - 18 Nov 2025
 
 No user facing changes.
 
-## 4.31.3 - 13 Nov 2025
+## 3.31.3 - 13 Nov 2025
 
 - CodeQL Action v3 will be deprecated in December 2026.  The Action now logs a warning for customers who are running v3 but could be running v4. For more information, see [Upcoming deprecation of CodeQL Action v3](https://github.blog/changelog/2025-10-28-upcoming-deprecation-of-codeql-action-v3/).
 - Update default CodeQL bundle version to 2.23.5. [#3288](https://github.com/github/codeql-action/pull/3288)
 
-## 4.31.2 - 30 Oct 2025
+## 3.31.2 - 30 Oct 2025
 
 No user facing changes.
 
-## 4.31.1 - 30 Oct 2025
+## 3.31.1 - 30 Oct 2025
 
 - The `add-snippets` input has been removed from the `analyze` action. This input has been deprecated since CodeQL Action 3.26.4 in August 2024 when this removal was announced.
 
-## 4.31.0 - 24 Oct 2025
+## 3.31.0 - 24 Oct 2025
 
 - Bump minimum CodeQL bundle version to 2.17.6. [#3223](https://github.com/github/codeql-action/pull/3223)
 - When SARIF files are uploaded by the `analyze` or `upload-sarif` actions, the CodeQL Action automatically performs post-processing steps to prepare the data for the upload. Previously, these post-processing steps were only performed before an upload took place. We are now changing this so that the post-processing steps will always be performed, even when the SARIF files are not uploaded. This does not change anything for the `upload-sarif` action. For `analyze`, this may affect Advanced Setup for CodeQL users who specify a value other than `always` for the `upload` input. [#3222](https://github.com/github/codeql-action/pull/3222)
 
-## 4.30.9 - 17 Oct 2025
+## 3.30.9 - 17 Oct 2025
 
 - Update default CodeQL bundle version to 2.23.3. [#3205](https://github.com/github/codeql-action/pull/3205)
 - Experimental: A new `setup-codeql` action has been added which is similar to `init`, except it only installs the CodeQL CLI and does not initialize a database. Do not use this in production as it is part of an internal experiment and subject to change at any time. [#3204](https://github.com/github/codeql-action/pull/3204)
 
-## 4.30.8 - 10 Oct 2025
+## 3.30.8 - 10 Oct 2025
 
 No user facing changes.
 
-## 4.30.7 - 06 Oct 2025
+## 3.30.7 - 06 Oct 2025
 
-- [v4+ only] The CodeQL Action now runs on Node.js v24. [#3169](https://github.com/github/codeql-action/pull/3169)
+No user facing changes.
 
 ## 3.30.6 - 02 Oct 2025
 
@@ -378,17 +364,13 @@ No user facing changes.
 ## 3.26.12 - 07 Oct 2024
 
 - _Upcoming breaking change_: Add a deprecation warning for customers using CodeQL version 2.14.5 and earlier. These versions of CodeQL were discontinued on 24 September 2024 alongside GitHub Enterprise Server 3.10, and will be unsupported by CodeQL Action versions 3.27.0 and later and versions 2.27.0 and later. [#2520](https://github.com/github/codeql-action/pull/2520)
-
   - If you are using one of these versions, please update to CodeQL CLI version 2.14.6 or later. For instance, if you have specified a custom version of the CLI using the 'tools' input to the 'init' Action, you can remove this input to use the default version.
-
   - Alternatively, if you want to continue using a version of the CodeQL CLI between 2.13.5 and 2.14.5, you can replace `github/codeql-action/*@v3` by `github/codeql-action/*@v3.26.11` and `github/codeql-action/*@v2` by `github/codeql-action/*@v2.26.11` in your code scanning workflow to ensure you continue using this version of the CodeQL Action.
 
 ## 3.26.11 - 03 Oct 2024
 
 - _Upcoming breaking change_: Add support for using `actions/download-artifact@v4` to programmatically consume CodeQL Action debug artifacts.
-
   Starting November 30, 2024, GitHub.com customers will [no longer be able to use `actions/download-artifact@v3`](https://github.blog/changelog/2024-04-16-deprecation-notice-v3-of-the-artifact-actions/). Therefore, to avoid breakage, customers who programmatically download the CodeQL Action debug artifacts should set the `CODEQL_ACTION_ARTIFACT_V4_UPGRADE` environment variable to `true` and bump `actions/download-artifact@v3` to `actions/download-artifact@v4` in their workflows. The CodeQL Action will enable this behavior by default in early November and workflows that have not yet bumped `actions/download-artifact@v3` to `actions/download-artifact@v4` will begin failing then.
-
   This change is currently unavailable for GitHub Enterprise Server customers, as `actions/upload-artifact@v4` and `actions/download-artifact@v4` are not yet compatible with GHES.
 - Update default CodeQL bundle version to 2.19.1. [#2519](https://github.com/github/codeql-action/pull/2519)
 
@@ -511,12 +493,9 @@ No user facing changes.
 ## 3.25.0 - 15 Apr 2024
 
 - The deprecated feature for extracting dependencies for a Python analysis has been removed. [#2224](https://github.com/github/codeql-action/pull/2224)
-
   As a result, the following inputs and environment variables are now ignored:
-
   - The `setup-python-dependencies` input to the `init` Action
   - The `CODEQL_ACTION_DISABLE_PYTHON_DEPENDENCY_INSTALLATION` environment variable
-
   We recommend removing any references to these from your workflows. For more information, see the release notes for CodeQL Action v3.23.0 and v2.23.0.
 - Automatically overwrite an existing database if found on the filesystem. [#2229](https://github.com/github/codeql-action/pull/2229)
 - Bump the minimum CodeQL bundle version to 2.12.6. [#2232](https://github.com/github/codeql-action/pull/2232)

CONTRIBUTING.md

@@ -69,14 +69,12 @@ Once the mergeback and backport pull request have been merged, the release is co
 
 ## Keeping the PR checks up to date (admin access required)
 
-Since the `codeql-action` runs most of its testing through individual Actions workflows, there are over two hundred required jobs that need to pass in order for a PR to turn green. It would be too tedious to maintain that list manually. You can regenerate the set of required checks automatically by running the [sync-checks.ts](pr-checks/sync-checks.ts) script:
+Since the `codeql-action` runs most of its testing through individual Actions workflows, there are over two hundred required jobs that need to pass in order for a PR to turn green. It would be too tedious to maintain that list manually. You can regenerate the set of required checks automatically by running the [update-required-checks.sh](.github/workflows/script/update-required-checks.sh) script:
 
-- At a minimum, you must provide an argument for the `--token` input. For example, `--token "$(gh auth token)"` to use the same token that `gh` uses. If no token is provided or the token has insufficient permissions, the script will fail.
-- By default, the script performs a dry run and outputs information about the changes it would make to the branch protection rules. To actually apply the changes, specify the `--apply` flag.
-- If you run the script without any other arguments, it will retrieve the set of workflows that ran for the latest commit on `main`.
-- You can specify a different git ref with the `--ref` input. You will likely want to use this if you have a PR that removes or adds PR checks. For example, `--ref "some/branch/name"` to use the HEAD of the `some/branch/name` branch.
+- If you run the script without an argument, it will retrieve the set of workflows that ran for the latest commit on `main`. Make sure that your local `main` branch is up to date before running the script.
+- You can specify a commit SHA as argument to retrieve the set of workflows for that commit instead. You will likely want to use this if you have a PR that removes or adds PR checks.
 
-After running, go to the [branch protection rules settings page](https://github.com/github/codeql-action/settings/branches) and validate that the rules for `main`, `v4`, and any other currently supported major versions have been updated.
+After running, go to the [branch protection rules settings page](https://github.com/github/codeql-action/settings/branches) and validate that the rules for `main`, `v3`, and any other currently supported major versions have been updated.
 
 Note that any updates to checks on `main` need to be backported to all currently supported major version branches, in order to maintain the same set of names for required checks.
 
@@ -124,7 +122,7 @@ To deprecate an older version of the Action:
    - Implement an Actions warning for customers using the deprecated version.
 1. Wait for the deprecation period to pass.
 1. Upgrade the Actions warning for customers using the deprecated version to a non-fatal error, and mention that this version of the Action is no longer supported.
-1. Make a PR to bump the `OLDEST_SUPPORTED_MAJOR_VERSION` in [config.ts](pr-checks/config.ts).  Once this PR is merged, the release process will no longer backport changes to the deprecated release version.
+1. Make a PR to bump the `OLDEST_SUPPORTED_MAJOR_VERSION` in [releases.ini](.github/releases.ini).  Once this PR is merged, the release process will no longer backport changes to the deprecated release version.
 
 ## Resources
 

analyze/action.yml

@@ -94,6 +94,6 @@ outputs:
   sarif-id:
     description: The ID of the uploaded SARIF file.
 runs:
-  using: node24
+  using: node20
   main: "../lib/analyze-action.js"
   post: "../lib/analyze-action-post.js"

autobuild/action.yml

@@ -15,5 +15,5 @@ inputs:
       $GITHUB_WORKSPACE as its working directory.
     required: false
 runs:
-  using: node24
+  using: node20
   main: '../lib/autobuild-action.js'

eslint.config.mjs

@@ -7,11 +7,7 @@ import noAsyncForeach from "eslint-plugin-no-async-foreach";
 import jsdoc from "eslint-plugin-jsdoc";
 import tseslint from "typescript-eslint";
 import globals from "globals";
-import path from "path";
-import { fileURLToPath } from "url";
 
-const __filename = fileURLToPath(import.meta.url);
-const __dirname = path.dirname(__filename);
 const githubFlatConfigs = github.getFlatConfigs();
 
 export default [
@@ -47,7 +43,7 @@ export default [
     plugins: {
       "import-x": importX,
       "no-async-foreach": fixupPluginRules(noAsyncForeach),
-      jsdoc: jsdoc,
+      "jsdoc": jsdoc,
     },
 
     languageOptions: {
@@ -71,13 +67,7 @@ export default [
 
         typescript: {},
       },
-      "import/ignore": [
-        "sinon",
-        "uuid",
-        "@octokit/plugin-retry",
-        "del",
-        "get-folder-size",
-      ],
+      "import/ignore": ["sinon", "uuid", "@octokit/plugin-retry", "del", "get-folder-size"],
       "import-x/resolver-next": [
         createTypeScriptImportResolver(),
         createNodeResolver({
@@ -153,7 +143,7 @@ export default [
           // We don't currently require full JSDoc coverage, so this rule
           // should not error on missing @param annotations.
           disableMissingParamChecks: true,
-        },
+        }
       ],
     },
   },
@@ -172,9 +162,9 @@ export default [
       "@typescript-eslint/no-unused-vars": [
         "error",
         {
-          args: "all",
-          argsIgnorePattern: "^_",
-        },
+          "args": "all",
+          "argsIgnorePattern": "^_",
+        }
       ],
       "func-style": "off",
     },
@@ -193,11 +183,6 @@ export default [
       // The scripts in `pr-checks` are expected to output to the console.
       "no-console": "off",
 
-      "import/no-extraneous-dependencies": [
-        "error",
-        { packageDir: [__dirname, path.resolve(__dirname, "pr-checks")] },
-      ],
-
       "@typescript-eslint/no-floating-promises": [
         "error",
         {

init/action.yml

@@ -170,6 +170,6 @@ outputs:
   codeql-version:
     description: The version of the CodeQL binary used for analysis
 runs:
-  using: node24
+  using: node20
   main: '../lib/init-action.js'
   post: '../lib/init-action-post.js'

lib/defaults.json

@@ -1,6 +1,6 @@
 {
-  "bundleVersion": "codeql-bundle-v2.25.1",
-  "cliVersion": "2.25.1",
-  "priorBundleVersion": "codeql-bundle-v2.24.3",
-  "priorCliVersion": "2.24.3"
+  "bundleVersion": "codeql-bundle-v2.24.3",
+  "cliVersion": "2.24.3",
+  "priorBundleVersion": "codeql-bundle-v2.24.2",
+  "priorCliVersion": "2.24.2"
 }

lib/setup-codeql-action.js

@@ -41057,18 +41057,18 @@ var init_dist_src2 = __esm({
   }
 });
 
-// node_modules/@octokit/plugin-rest-endpoint-methods/dist-src/version.js
+// node_modules/@actions/github/node_modules/@octokit/plugin-rest-endpoint-methods/dist-src/version.js
 var VERSION5;
 var init_version2 = __esm({
-  "node_modules/@octokit/plugin-rest-endpoint-methods/dist-src/version.js"() {
+  "node_modules/@actions/github/node_modules/@octokit/plugin-rest-endpoint-methods/dist-src/version.js"() {
     VERSION5 = "17.0.0";
   }
 });
 
-// node_modules/@octokit/plugin-rest-endpoint-methods/dist-src/generated/endpoints.js
+// node_modules/@actions/github/node_modules/@octokit/plugin-rest-endpoint-methods/dist-src/generated/endpoints.js
 var Endpoints, endpoints_default;
 var init_endpoints = __esm({
-  "node_modules/@octokit/plugin-rest-endpoint-methods/dist-src/generated/endpoints.js"() {
+  "node_modules/@actions/github/node_modules/@octokit/plugin-rest-endpoint-methods/dist-src/generated/endpoints.js"() {
     Endpoints = {
       actions: {
         addCustomLabelsToSelfHostedRunnerForOrg: [
@@ -43362,7 +43362,7 @@ var init_endpoints = __esm({
   }
 });
 
-// node_modules/@octokit/plugin-rest-endpoint-methods/dist-src/endpoints-to-methods.js
+// node_modules/@actions/github/node_modules/@octokit/plugin-rest-endpoint-methods/dist-src/endpoints-to-methods.js
 function endpointsToMethods(octokit) {
   const newMethods = {};
   for (const scope of endpointMethodsMap.keys()) {
@@ -43413,7 +43413,7 @@ function decorate(octokit, scope, methodName, defaults, decorations) {
 }
 var endpointMethodsMap, handler;
 var init_endpoints_to_methods = __esm({
-  "node_modules/@octokit/plugin-rest-endpoint-methods/dist-src/endpoints-to-methods.js"() {
+  "node_modules/@actions/github/node_modules/@octokit/plugin-rest-endpoint-methods/dist-src/endpoints-to-methods.js"() {
     init_endpoints();
     endpointMethodsMap = /* @__PURE__ */ new Map();
     for (const [scope, endpoints] of Object.entries(endpoints_default)) {
@@ -43491,7 +43491,7 @@ var init_endpoints_to_methods = __esm({
   }
 });
 
-// node_modules/@octokit/plugin-rest-endpoint-methods/dist-src/index.js
+// node_modules/@actions/github/node_modules/@octokit/plugin-rest-endpoint-methods/dist-src/index.js
 var dist_src_exports2 = {};
 __export(dist_src_exports2, {
   legacyRestEndpointMethods: () => legacyRestEndpointMethods,
@@ -43511,7 +43511,7 @@ function legacyRestEndpointMethods(octokit) {
   };
 }
 var init_dist_src3 = __esm({
-  "node_modules/@octokit/plugin-rest-endpoint-methods/dist-src/index.js"() {
+  "node_modules/@actions/github/node_modules/@octokit/plugin-rest-endpoint-methods/dist-src/index.js"() {
     init_version2();
     init_endpoints_to_methods();
     restEndpointMethods.VERSION = VERSION5;
@@ -43519,7 +43519,7 @@ var init_dist_src3 = __esm({
   }
 });
 
-// node_modules/@octokit/plugin-paginate-rest/dist-bundle/index.js
+// node_modules/@actions/github/node_modules/@octokit/plugin-paginate-rest/dist-bundle/index.js
 var dist_bundle_exports = {};
 __export(dist_bundle_exports, {
   composePaginateRest: () => composePaginateRest,
@@ -43645,7 +43645,7 @@ function paginateRest(octokit) {
 }
 var VERSION6, composePaginateRest, paginatingEndpoints;
 var init_dist_bundle5 = __esm({
-  "node_modules/@octokit/plugin-paginate-rest/dist-bundle/index.js"() {
+  "node_modules/@actions/github/node_modules/@octokit/plugin-paginate-rest/dist-bundle/index.js"() {
     VERSION6 = "0.0.0-development";
     composePaginateRest = Object.assign(paginate, {
       iterator
@@ -47805,7 +47805,7 @@ var require_brace_expansion = __commonJS({
         var x = numeric(n[0]);
         var y = numeric(n[1]);
         var width = Math.max(n[0].length, n[1].length);
-        var incr = n.length == 3 ? Math.max(Math.abs(numeric(n[2])), 1) : 1;
+        var incr = n.length == 3 ? Math.abs(numeric(n[2])) : 1;
         var test = lte;
         var reverse = y < x;
         if (reverse) {
@@ -60732,7 +60732,7 @@ var require_fxp = __commonJS({
         if (a.some((t3) => i2 === t3.toLowerCase())) throw new Error(`[SECURITY] Invalid ${e2}: "${t2}" is a reserved JavaScript keyword that could cause prototype pollution`);
       }
       function A(t2) {
-        return "boolean" == typeof t2 ? { enabled: t2, maxEntitySize: 1e4, maxExpansionDepth: 10, maxTotalExpansions: 1e3, maxExpandedLength: 1e5, maxEntityCount: 100, allowedTags: null, tagFilter: null } : "object" == typeof t2 && null !== t2 ? { enabled: false !== t2.enabled, maxEntitySize: Math.max(1, t2.maxEntitySize ?? 1e4), maxExpansionDepth: Math.max(1, t2.maxExpansionDepth ?? 10), maxTotalExpansions: Math.max(1, t2.maxTotalExpansions ?? 1e3), maxExpandedLength: Math.max(1, t2.maxExpandedLength ?? 1e5), maxEntityCount: Math.max(1, t2.maxEntityCount ?? 100), allowedTags: t2.allowedTags ?? null, tagFilter: t2.tagFilter ?? null } : A(true);
+        return "boolean" == typeof t2 ? { enabled: t2, maxEntitySize: 1e4, maxExpansionDepth: 10, maxTotalExpansions: 1e3, maxExpandedLength: 1e5, maxEntityCount: 100, allowedTags: null, tagFilter: null } : "object" == typeof t2 && null !== t2 ? { enabled: false !== t2.enabled, maxEntitySize: t2.maxEntitySize ?? 1e4, maxExpansionDepth: t2.maxExpansionDepth ?? 10, maxTotalExpansions: t2.maxTotalExpansions ?? 1e3, maxExpandedLength: t2.maxExpandedLength ?? 1e5, maxEntityCount: t2.maxEntityCount ?? 100, allowedTags: t2.allowedTags ?? null, tagFilter: t2.tagFilter ?? null } : A(true);
       }
       const C = function(t2) {
         const e2 = Object.assign({}, P, t2), i2 = [{ value: e2.attributeNamePrefix, name: "attributeNamePrefix" }, { value: e2.attributesGroupName, name: "attributesGroupName" }, { value: e2.textNodeName, name: "textNodeName" }, { value: e2.cdataPropName, name: "cdataPropName" }, { value: e2.commentPropName, name: "commentPropName" }];
@@ -60773,7 +60773,7 @@ var require_fxp = __commonJS({
               if (r2 && _(t2, "!ENTITY", e2)) {
                 let s3, r3;
                 if (e2 += 7, [s3, r3, e2] = this.readEntityExp(t2, e2 + 1, this.suppressValidationErr), -1 === r3.indexOf("&")) {
-                  if (false !== this.options.enabled && null != this.options.maxEntityCount && n2 >= this.options.maxEntityCount) throw new Error(`Entity count (${n2 + 1}) exceeds maximum allowed (${this.options.maxEntityCount})`);
+                  if (false !== this.options.enabled && this.options.maxEntityCount && n2 >= this.options.maxEntityCount) throw new Error(`Entity count (${n2 + 1}) exceeds maximum allowed (${this.options.maxEntityCount})`);
                   const t3 = s3.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
                   i2[s3] = { regx: RegExp(`&${t3};`, "g"), val: r3 }, n2++;
                 }
@@ -60797,86 +60797,82 @@ var require_fxp = __commonJS({
           return { entities: i2, i: e2 };
         }
         readEntityExp(t2, e2) {
-          const i2 = e2 = j(t2, e2);
-          for (; e2 < t2.length && !/\s/.test(t2[e2]) && '"' !== t2[e2] && "'" !== t2[e2]; ) e2++;
-          let n2 = t2.substring(i2, e2);
-          if (D(n2), e2 = j(t2, e2), !this.suppressValidationErr) {
+          e2 = j(t2, e2);
+          let i2 = "";
+          for (; e2 < t2.length && !/\s/.test(t2[e2]) && '"' !== t2[e2] && "'" !== t2[e2]; ) i2 += t2[e2], e2++;
+          if (D(i2), e2 = j(t2, e2), !this.suppressValidationErr) {
             if ("SYSTEM" === t2.substring(e2, e2 + 6).toUpperCase()) throw new Error("External entities are not supported");
             if ("%" === t2[e2]) throw new Error("Parameter entities are not supported");
           }
-          let s2 = "";
-          if ([e2, s2] = this.readIdentifierVal(t2, e2, "entity"), false !== this.options.enabled && null != this.options.maxEntitySize && s2.length > this.options.maxEntitySize) throw new Error(`Entity "${n2}" size (${s2.length}) exceeds maximum allowed size (${this.options.maxEntitySize})`);
-          return [n2, s2, --e2];
+          let n2 = "";
+          if ([e2, n2] = this.readIdentifierVal(t2, e2, "entity"), false !== this.options.enabled && this.options.maxEntitySize && n2.length > this.options.maxEntitySize) throw new Error(`Entity "${i2}" size (${n2.length}) exceeds maximum allowed size (${this.options.maxEntitySize})`);
+          return [i2, n2, --e2];
         }
         readNotationExp(t2, e2) {
-          const i2 = e2 = j(t2, e2);
-          for (; e2 < t2.length && !/\s/.test(t2[e2]); ) e2++;
-          let n2 = t2.substring(i2, e2);
-          !this.suppressValidationErr && D(n2), e2 = j(t2, e2);
-          const s2 = t2.substring(e2, e2 + 6).toUpperCase();
-          if (!this.suppressValidationErr && "SYSTEM" !== s2 && "PUBLIC" !== s2) throw new Error(`Expected SYSTEM or PUBLIC, found "${s2}"`);
-          e2 += s2.length, e2 = j(t2, e2);
-          let r2 = null, o2 = null;
-          if ("PUBLIC" === s2) [e2, r2] = this.readIdentifierVal(t2, e2, "publicIdentifier"), '"' !== t2[e2 = j(t2, e2)] && "'" !== t2[e2] || ([e2, o2] = this.readIdentifierVal(t2, e2, "systemIdentifier"));
-          else if ("SYSTEM" === s2 && ([e2, o2] = this.readIdentifierVal(t2, e2, "systemIdentifier"), !this.suppressValidationErr && !o2)) throw new Error("Missing mandatory system identifier for SYSTEM notation");
-          return { notationName: n2, publicIdentifier: r2, systemIdentifier: o2, index: --e2 };
+          e2 = j(t2, e2);
+          let i2 = "";
+          for (; e2 < t2.length && !/\s/.test(t2[e2]); ) i2 += t2[e2], e2++;
+          !this.suppressValidationErr && D(i2), e2 = j(t2, e2);
+          const n2 = t2.substring(e2, e2 + 6).toUpperCase();
+          if (!this.suppressValidationErr && "SYSTEM" !== n2 && "PUBLIC" !== n2) throw new Error(`Expected SYSTEM or PUBLIC, found "${n2}"`);
+          e2 += n2.length, e2 = j(t2, e2);
+          let s2 = null, r2 = null;
+          if ("PUBLIC" === n2) [e2, s2] = this.readIdentifierVal(t2, e2, "publicIdentifier"), '"' !== t2[e2 = j(t2, e2)] && "'" !== t2[e2] || ([e2, r2] = this.readIdentifierVal(t2, e2, "systemIdentifier"));
+          else if ("SYSTEM" === n2 && ([e2, r2] = this.readIdentifierVal(t2, e2, "systemIdentifier"), !this.suppressValidationErr && !r2)) throw new Error("Missing mandatory system identifier for SYSTEM notation");
+          return { notationName: i2, publicIdentifier: s2, systemIdentifier: r2, index: --e2 };
         }
         readIdentifierVal(t2, e2, i2) {
           let n2 = "";
           const s2 = t2[e2];
           if ('"' !== s2 && "'" !== s2) throw new Error(`Expected quoted string, found "${s2}"`);
-          const r2 = ++e2;
-          for (; e2 < t2.length && t2[e2] !== s2; ) e2++;
-          if (n2 = t2.substring(r2, e2), t2[e2] !== s2) throw new Error(`Unterminated ${i2} value`);
+          for (e2++; e2 < t2.length && t2[e2] !== s2; ) n2 += t2[e2], e2++;
+          if (t2[e2] !== s2) throw new Error(`Unterminated ${i2} value`);
           return [++e2, n2];
         }
         readElementExp(t2, e2) {
-          const i2 = e2 = j(t2, e2);
-          for (; e2 < t2.length && !/\s/.test(t2[e2]); ) e2++;
-          let n2 = t2.substring(i2, e2);
-          if (!this.suppressValidationErr && !r(n2)) throw new Error(`Invalid element name: "${n2}"`);
-          let s2 = "";
+          e2 = j(t2, e2);
+          let i2 = "";
+          for (; e2 < t2.length && !/\s/.test(t2[e2]); ) i2 += t2[e2], e2++;
+          if (!this.suppressValidationErr && !r(i2)) throw new Error(`Invalid element name: "${i2}"`);
+          let n2 = "";
           if ("E" === t2[e2 = j(t2, e2)] && _(t2, "MPTY", e2)) e2 += 4;
           else if ("A" === t2[e2] && _(t2, "NY", e2)) e2 += 2;
           else if ("(" === t2[e2]) {
-            const i3 = ++e2;
-            for (; e2 < t2.length && ")" !== t2[e2]; ) e2++;
-            if (s2 = t2.substring(i3, e2), ")" !== t2[e2]) throw new Error("Unterminated content model");
+            for (e2++; e2 < t2.length && ")" !== t2[e2]; ) n2 += t2[e2], e2++;
+            if (")" !== t2[e2]) throw new Error("Unterminated content model");
           } else if (!this.suppressValidationErr) throw new Error(`Invalid Element Expression, found "${t2[e2]}"`);
-          return { elementName: n2, contentModel: s2.trim(), index: e2 };
+          return { elementName: i2, contentModel: n2.trim(), index: e2 };
         }
         readAttlistExp(t2, e2) {
-          let i2 = e2 = j(t2, e2);
-          for (; e2 < t2.length && !/\s/.test(t2[e2]); ) e2++;
-          let n2 = t2.substring(i2, e2);
-          for (D(n2), i2 = e2 = j(t2, e2); e2 < t2.length && !/\s/.test(t2[e2]); ) e2++;
-          let s2 = t2.substring(i2, e2);
-          if (!D(s2)) throw new Error(`Invalid attribute name: "${s2}"`);
           e2 = j(t2, e2);
-          let r2 = "";
+          let i2 = "";
+          for (; e2 < t2.length && !/\s/.test(t2[e2]); ) i2 += t2[e2], e2++;
+          D(i2), e2 = j(t2, e2);
+          let n2 = "";
+          for (; e2 < t2.length && !/\s/.test(t2[e2]); ) n2 += t2[e2], e2++;
+          if (!D(n2)) throw new Error(`Invalid attribute name: "${n2}"`);
+          e2 = j(t2, e2);
+          let s2 = "";
           if ("NOTATION" === t2.substring(e2, e2 + 8).toUpperCase()) {
-            if (r2 = "NOTATION", "(" !== t2[e2 = j(t2, e2 += 8)]) throw new Error(`Expected '(', found "${t2[e2]}"`);
+            if (s2 = "NOTATION", "(" !== t2[e2 = j(t2, e2 += 8)]) throw new Error(`Expected '(', found "${t2[e2]}"`);
             e2++;
             let i3 = [];
             for (; e2 < t2.length && ")" !== t2[e2]; ) {
-              const n3 = e2;
-              for (; e2 < t2.length && "|" !== t2[e2] && ")" !== t2[e2]; ) e2++;
-              let s3 = t2.substring(n3, e2);
-              if (s3 = s3.trim(), !D(s3)) throw new Error(`Invalid notation name: "${s3}"`);
-              i3.push(s3), "|" === t2[e2] && (e2++, e2 = j(t2, e2));
+              let n3 = "";
+              for (; e2 < t2.length && "|" !== t2[e2] && ")" !== t2[e2]; ) n3 += t2[e2], e2++;
+              if (n3 = n3.trim(), !D(n3)) throw new Error(`Invalid notation name: "${n3}"`);
+              i3.push(n3), "|" === t2[e2] && (e2++, e2 = j(t2, e2));
             }
             if (")" !== t2[e2]) throw new Error("Unterminated list of notations");
-            e2++, r2 += " (" + i3.join("|") + ")";
+            e2++, s2 += " (" + i3.join("|") + ")";
           } else {
-            const i3 = e2;
-            for (; e2 < t2.length && !/\s/.test(t2[e2]); ) e2++;
-            r2 += t2.substring(i3, e2);
-            const n3 = ["CDATA", "ID", "IDREF", "IDREFS", "ENTITY", "ENTITIES", "NMTOKEN", "NMTOKENS"];
-            if (!this.suppressValidationErr && !n3.includes(r2.toUpperCase())) throw new Error(`Invalid attribute type: "${r2}"`);
+            for (; e2 < t2.length && !/\s/.test(t2[e2]); ) s2 += t2[e2], e2++;
+            const i3 = ["CDATA", "ID", "IDREF", "IDREFS", "ENTITY", "ENTITIES", "NMTOKEN", "NMTOKENS"];
+            if (!this.suppressValidationErr && !i3.includes(s2.toUpperCase())) throw new Error(`Invalid attribute type: "${s2}"`);
           }
           e2 = j(t2, e2);
-          let o2 = "";
-          return "#REQUIRED" === t2.substring(e2, e2 + 8).toUpperCase() ? (o2 = "#REQUIRED", e2 += 8) : "#IMPLIED" === t2.substring(e2, e2 + 7).toUpperCase() ? (o2 = "#IMPLIED", e2 += 7) : [e2, o2] = this.readIdentifierVal(t2, e2, "ATTLIST"), { elementName: n2, attributeName: s2, attributeType: r2, defaultValue: o2, index: e2 };
+          let r2 = "";
+          return "#REQUIRED" === t2.substring(e2, e2 + 8).toUpperCase() ? (r2 = "#REQUIRED", e2 += 8) : "#IMPLIED" === t2.substring(e2, e2 + 7).toUpperCase() ? (r2 = "#IMPLIED", e2 += 7) : [e2, r2] = this.readIdentifierVal(t2, e2, "ATTLIST"), { elementName: i2, attributeName: n2, attributeType: s2, defaultValue: r2, index: e2 };
         }
       }
       const j = (t2, e2) => {
@@ -60891,9 +60887,9 @@ var require_fxp = __commonJS({
         if (r(t2)) return t2;
         throw new Error(`Invalid entity name ${t2}`);
       }
-      const V = /^[-+]?0x[a-fA-F0-9]+$/, k = /^([\-\+])?(0*)([0-9]*(\.[0-9]*)?)$/, M = { hex: true, leadingZeros: true, decimalPoint: ".", eNotation: true, infinity: "original" };
-      const F = /^([-+])?(0*)(\d*(\.\d*)?[eE][-\+]?\d+)$/;
-      class L {
+      const V = /^[-+]?0x[a-fA-F0-9]+$/, k = /^([\-\+])?(0*)([0-9]*(\.[0-9]*)?)$/, F = { hex: true, leadingZeros: true, decimalPoint: ".", eNotation: true };
+      const L = /^([-+])?(0*)(\d*(\.\d*)?[eE][-\+]?\d+)$/;
+      class M {
         constructor(t2 = {}) {
           this.separator = t2.separator || ".", this.path = [], this.siblingStacks = [];
         }
@@ -61100,7 +61096,7 @@ var require_fxp = __commonJS({
               if ("string" == typeof i2 && t3 === i2) return true;
               if (i2 instanceof RegExp && i2.test(t3)) return true;
             }
-          } : () => false, this.entityExpansionCount = 0, this.currentExpandedLength = 0, this.matcher = new L(), this.isCurrentNodeStopNode = false, this.options.stopNodes && this.options.stopNodes.length > 0) {
+          } : () => false, this.entityExpansionCount = 0, this.currentExpandedLength = 0, this.matcher = new M(), this.isCurrentNodeStopNode = false, this.options.stopNodes && this.options.stopNodes.length > 0) {
             this.stopNodeExpressions = [];
             for (let t3 = 0; t3 < this.options.stopNodes.length; t3++) {
               const e3 = this.options.stopNodes[t3];
@@ -61211,7 +61207,7 @@ var require_fxp = __commonJS({
           let o2 = s3.tagName;
           const a2 = s3.rawTagName;
           let h2 = s3.tagExp, l2 = s3.attrExpPresent, p2 = s3.closeIndex;
-          if ({ tagName: o2, tagExp: h2 } = rt(this.options.transformTagName, o2, h2, this.options), this.options.strictReservedNames && (o2 === this.options.commentPropName || o2 === this.options.cdataPropName || o2 === this.options.textNodeName || o2 === this.options.attributesGroupName)) throw new Error(`Invalid tag name: ${o2}`);
+          if ({ tagName: o2, tagExp: h2 } = rt(this.options.transformTagName, o2, h2, this.options), this.options.strictReservedNames && (o2 === this.options.commentPropName || o2 === this.options.cdataPropName)) throw new Error(`Invalid tag name: ${o2}`);
           i2 && n2 && "!xml" !== i2.tagname && (n2 = this.saveTextToParentTag(n2, i2, this.matcher, false));
           const u2 = i2;
           u2 && -1 !== this.options.unpairedTags.indexOf(u2.tagname) && (i2 = this.tagsNodeStack.pop(), this.matcher.pop());
@@ -61349,7 +61345,7 @@ var require_fxp = __commonJS({
         if (e2 && "string" == typeof t2) {
           const e3 = t2.trim();
           return "true" === e3 || "false" !== e3 && (function(t3, e4 = {}) {
-            if (e4 = Object.assign({}, M, e4), !t3 || "string" != typeof t3) return t3;
+            if (e4 = Object.assign({}, F, e4), !t3 || "string" != typeof t3) return t3;
             let i3 = t3.trim();
             if (void 0 !== e4.skipLike && e4.skipLike.test(i3)) return t3;
             if ("0" === t3) return 0;
@@ -61359,50 +61355,35 @@ var require_fxp = __commonJS({
               if (window && window.parseInt) return window.parseInt(t4, 16);
               throw new Error("parseInt, Number.parseInt, window.parseInt are not supported");
             })(i3);
-            if (isFinite(i3)) {
-              if (i3.includes("e") || i3.includes("E")) return (function(t4, e5, i4) {
-                if (!i4.eNotation) return t4;
-                const n3 = e5.match(F);
-                if (n3) {
-                  let s2 = n3[1] || "";
-                  const r2 = -1 === n3[3].indexOf("e") ? "E" : "e", o2 = n3[2], a2 = s2 ? t4[o2.length + 1] === r2 : t4[o2.length] === r2;
-                  return o2.length > 1 && a2 ? t4 : (1 !== o2.length || !n3[3].startsWith(`.${r2}`) && n3[3][0] !== r2) && o2.length > 0 ? i4.leadingZeros && !a2 ? (e5 = (n3[1] || "") + n3[3], Number(e5)) : t4 : Number(e5);
-                }
-                return t4;
-              })(t3, i3, e4);
-              {
-                const s2 = k.exec(i3);
-                if (s2) {
-                  const r2 = s2[1] || "", o2 = s2[2];
-                  let a2 = (n2 = s2[3]) && -1 !== n2.indexOf(".") ? ("." === (n2 = n2.replace(/0+$/, "")) ? n2 = "0" : "." === n2[0] ? n2 = "0" + n2 : "." === n2[n2.length - 1] && (n2 = n2.substring(0, n2.length - 1)), n2) : n2;
-                  const h2 = r2 ? "." === t3[o2.length + 1] : "." === t3[o2.length];
-                  if (!e4.leadingZeros && (o2.length > 1 || 1 === o2.length && !h2)) return t3;
-                  {
-                    const n3 = Number(i3), s3 = String(n3);
-                    if (0 === n3) return n3;
-                    if (-1 !== s3.search(/[eE]/)) return e4.eNotation ? n3 : t3;
-                    if (-1 !== i3.indexOf(".")) return "0" === s3 || s3 === a2 || s3 === `${r2}${a2}` ? n3 : t3;
-                    let h3 = o2 ? a2 : i3;
-                    return o2 ? h3 === s3 || r2 + h3 === s3 ? n3 : t3 : h3 === s3 || h3 === r2 + s3 ? n3 : t3;
-                  }
-                }
-                return t3;
+            if (i3.includes("e") || i3.includes("E")) return (function(t4, e5, i4) {
+              if (!i4.eNotation) return t4;
+              const n3 = e5.match(L);
+              if (n3) {
+                let s2 = n3[1] || "";
+                const r2 = -1 === n3[3].indexOf("e") ? "E" : "e", o2 = n3[2], a2 = s2 ? t4[o2.length + 1] === r2 : t4[o2.length] === r2;
+                return o2.length > 1 && a2 ? t4 : 1 !== o2.length || !n3[3].startsWith(`.${r2}`) && n3[3][0] !== r2 ? i4.leadingZeros && !a2 ? (e5 = (n3[1] || "") + n3[3], Number(e5)) : t4 : Number(e5);
               }
+              return t4;
+            })(t3, i3, e4);
+            {
+              const s2 = k.exec(i3);
+              if (s2) {
+                const r2 = s2[1] || "", o2 = s2[2];
+                let a2 = (n2 = s2[3]) && -1 !== n2.indexOf(".") ? ("." === (n2 = n2.replace(/0+$/, "")) ? n2 = "0" : "." === n2[0] ? n2 = "0" + n2 : "." === n2[n2.length - 1] && (n2 = n2.substring(0, n2.length - 1)), n2) : n2;
+                const h2 = r2 ? "." === t3[o2.length + 1] : "." === t3[o2.length];
+                if (!e4.leadingZeros && (o2.length > 1 || 1 === o2.length && !h2)) return t3;
+                {
+                  const n3 = Number(i3), s3 = String(n3);
+                  if (0 === n3) return n3;
+                  if (-1 !== s3.search(/[eE]/)) return e4.eNotation ? n3 : t3;
+                  if (-1 !== i3.indexOf(".")) return "0" === s3 || s3 === a2 || s3 === `${r2}${a2}` ? n3 : t3;
+                  let h3 = o2 ? a2 : i3;
+                  return o2 ? h3 === s3 || r2 + h3 === s3 ? n3 : t3 : h3 === s3 || h3 === r2 + s3 ? n3 : t3;
+                }
+              }
+              return t3;
             }
             var n2;
-            return (function(t4, e5, i4) {
-              const n3 = e5 === 1 / 0;
-              switch (i4.infinity.toLowerCase()) {
-                case "null":
-                  return null;
-                case "infinity":
-                  return e5;
-                case "string":
-                  return n3 ? "Infinity" : "-Infinity";
-                default:
-                  return t4;
-              }
-            })(t3, Number(i3), e4);
           })(t2, i2);
         }
         return void 0 !== t2 ? t2 : "";
@@ -61514,7 +61495,7 @@ var require_fxp = __commonJS({
           const i3 = e2.stopNodes[t3];
           "string" == typeof i3 ? n2.push(new G(i3)) : i3 instanceof G && n2.push(i3);
         }
-        return mt(t2, e2, i2, new L(), n2);
+        return mt(t2, e2, i2, new M(), n2);
       }
       function mt(t2, e2, i2, n2, s2) {
         let r2 = "", o2 = false;
@@ -61662,7 +61643,7 @@ var require_fxp = __commonJS({
         if (this.options.preserveOrder) return gt(t2, this.options);
         {
           Array.isArray(t2) && this.options.arrayNodeName && this.options.arrayNodeName.length > 1 && (t2 = { [this.options.arrayNodeName]: t2 });
-          const e2 = new L();
+          const e2 = new M();
           return this.j2x(t2, 0, e2).val;
         }
       }, Pt.prototype.j2x = function(t2, e2, i2) {
@@ -100540,8 +100521,8 @@ var require_follow_redirects = __commonJS({
       }
       return parsed;
     }
-    function resolveUrl(relative3, base) {
-      return useNativeURL ? new URL2(relative3, base) : parseUrl2(url.resolve(base, relative3));
+    function resolveUrl(relative2, base) {
+      return useNativeURL ? new URL2(relative2, base) : parseUrl2(url.resolve(base, relative2));
     }
     function validateUrl(input) {
       if (/^\[/.test(input.hostname) && !/^\[[:0-9a-f]+\]$/i.test(input.hostname)) {
@@ -103624,12 +103605,8 @@ function getTemporaryDirectory() {
   const value = process.env["CODEQL_ACTION_TEMP"];
   return value !== void 0 && value !== "" ? value : getRequiredEnvParam("RUNNER_TEMP");
 }
-var PR_DIFF_RANGE_JSON_FILENAME = "pr-diff-range.json";
-function getDiffRangesJsonFilePath() {
-  return path2.join(getTemporaryDirectory(), PR_DIFF_RANGE_JSON_FILENAME);
-}
 function getActionVersion() {
-  return "4.35.2";
+  return "3.34.1";
 }
 function getWorkflowEventName() {
   return getRequiredEnvParam("GITHUB_EVENT_NAME");
@@ -103984,8 +103961,8 @@ var path4 = __toESM(require("path"));
 var semver4 = __toESM(require_semver2());
 
 // src/defaults.json
-var bundleVersion = "codeql-bundle-v2.25.1";
-var cliVersion = "2.25.1";
+var bundleVersion = "codeql-bundle-v2.24.3";
+var cliVersion = "2.24.3";
 
 // src/overlay/index.ts
 var fs3 = __toESM(require("fs"));
@@ -104073,26 +104050,14 @@ var decodeGitFilePath = function(filePath) {
   }
   return filePath;
 };
-var getGitRoot = async function(sourceRoot) {
-  try {
-    const stdout = await runGitCommand(
-      sourceRoot,
-      ["rev-parse", "--show-toplevel"],
-      `Cannot find Git repository root from the source root ${sourceRoot}.`
-    );
-    return stdout.trim();
-  } catch {
-    return void 0;
-  }
-};
 var getFileOidsUnderPath = async function(basePath) {
   const stdout = await runGitCommand(
     basePath,
-    ["ls-files", "--recurse-submodules", "--stage"],
+    ["ls-files", "--recurse-submodules", "--format=%(objectname)_%(path)"],
     "Cannot list Git OIDs of tracked files."
   );
   const fileOidMap = {};
-  const regex = /^[0-9]+ ([0-9a-f]{40}) [0-9]+\t(.+)$/;
+  const regex = /^([0-9a-f]{40})_(.+)$/;
   for (const line of stdout.split("\n")) {
     if (line) {
       const match = line.match(regex);
@@ -104232,12 +104197,10 @@ async function readBaseDatabaseOidsFile(config, logger) {
 async function writeOverlayChangesFile(config, sourceRoot, logger) {
   const baseFileOids = await readBaseDatabaseOidsFile(config, logger);
   const overlayFileOids = await getFileOidsUnderPath(sourceRoot);
-  const oidChangedFiles = computeChangedFiles(baseFileOids, overlayFileOids);
+  const changedFiles = computeChangedFiles(baseFileOids, overlayFileOids);
   logger.info(
-    `Found ${oidChangedFiles.length} changed file(s) under ${sourceRoot} from OID comparison.`
+    `Found ${changedFiles.length} changed file(s) under ${sourceRoot}.`
   );
-  const diffRangeFiles = await getDiffRangeFilePaths(sourceRoot, logger);
-  const changedFiles = [.../* @__PURE__ */ new Set([...oidChangedFiles, ...diffRangeFiles])];
   const changedFilesJson = JSON.stringify({ changes: changedFiles });
   const overlayChangesFile = path3.join(
     getTemporaryDirectory(),
@@ -104263,52 +104226,6 @@ function computeChangedFiles(baseFileOids, overlayFileOids) {
   }
   return changes;
 }
-async function getDiffRangeFilePaths(sourceRoot, logger) {
-  const jsonFilePath = getDiffRangesJsonFilePath();
-  if (!fs3.existsSync(jsonFilePath)) {
-    logger.debug(
-      `No diff ranges JSON file found at ${jsonFilePath}; skipping.`
-    );
-    return [];
-  }
-  let contents;
-  try {
-    contents = await fs3.promises.readFile(jsonFilePath, "utf8");
-  } catch (e) {
-    logger.warning(
-      `Failed to read diff ranges JSON file at ${jsonFilePath}: ${e}`
-    );
-    return [];
-  }
-  let diffRanges;
-  try {
-    diffRanges = JSON.parse(contents);
-  } catch (e) {
-    logger.warning(
-      `Failed to parse diff ranges JSON file at ${jsonFilePath}: ${e}`
-    );
-    return [];
-  }
-  logger.debug(
-    `Read ${diffRanges.length} diff range(s) from ${jsonFilePath} for overlay changes.`
-  );
-  const repoRoot = await getGitRoot(sourceRoot);
-  if (repoRoot === void 0) {
-    if (getOptionalInput("source-root")) {
-      throw new Error(
-        "Cannot determine git root to convert diff range paths relative to source-root. Failing to avoid omitting files from the analysis."
-      );
-    }
-    logger.warning(
-      "Cannot determine git root; returning diff range paths as-is."
-    );
-    return [...new Set(diffRanges.map((r) => r.path))];
-  }
-  const relativePaths = diffRanges.map(
-    (r) => path3.relative(sourceRoot, path3.join(repoRoot, r.path)).replaceAll(path3.sep, "/")
-  ).filter((rel) => !rel.startsWith(".."));
-  return [...new Set(relativePaths)];
-}
 
 // src/tools-features.ts
 var semver3 = __toESM(require_semver2());

lib/start-proxy-action-post.js

@@ -41057,18 +41057,18 @@ var init_dist_src2 = __esm({
   }
 });
 
-// node_modules/@octokit/plugin-rest-endpoint-methods/dist-src/version.js
+// node_modules/@actions/github/node_modules/@octokit/plugin-rest-endpoint-methods/dist-src/version.js
 var VERSION5;
 var init_version2 = __esm({
-  "node_modules/@octokit/plugin-rest-endpoint-methods/dist-src/version.js"() {
+  "node_modules/@actions/github/node_modules/@octokit/plugin-rest-endpoint-methods/dist-src/version.js"() {
     VERSION5 = "17.0.0";
   }
 });
 
-// node_modules/@octokit/plugin-rest-endpoint-methods/dist-src/generated/endpoints.js
+// node_modules/@actions/github/node_modules/@octokit/plugin-rest-endpoint-methods/dist-src/generated/endpoints.js
 var Endpoints, endpoints_default;
 var init_endpoints = __esm({
-  "node_modules/@octokit/plugin-rest-endpoint-methods/dist-src/generated/endpoints.js"() {
+  "node_modules/@actions/github/node_modules/@octokit/plugin-rest-endpoint-methods/dist-src/generated/endpoints.js"() {
     Endpoints = {
       actions: {
         addCustomLabelsToSelfHostedRunnerForOrg: [
@@ -43362,7 +43362,7 @@ var init_endpoints = __esm({
   }
 });
 
-// node_modules/@octokit/plugin-rest-endpoint-methods/dist-src/endpoints-to-methods.js
+// node_modules/@actions/github/node_modules/@octokit/plugin-rest-endpoint-methods/dist-src/endpoints-to-methods.js
 function endpointsToMethods(octokit) {
   const newMethods = {};
   for (const scope of endpointMethodsMap.keys()) {
@@ -43413,7 +43413,7 @@ function decorate(octokit, scope, methodName, defaults, decorations) {
 }
 var endpointMethodsMap, handler;
 var init_endpoints_to_methods = __esm({
-  "node_modules/@octokit/plugin-rest-endpoint-methods/dist-src/endpoints-to-methods.js"() {
+  "node_modules/@actions/github/node_modules/@octokit/plugin-rest-endpoint-methods/dist-src/endpoints-to-methods.js"() {
     init_endpoints();
     endpointMethodsMap = /* @__PURE__ */ new Map();
     for (const [scope, endpoints] of Object.entries(endpoints_default)) {
@@ -43491,7 +43491,7 @@ var init_endpoints_to_methods = __esm({
   }
 });
 
-// node_modules/@octokit/plugin-rest-endpoint-methods/dist-src/index.js
+// node_modules/@actions/github/node_modules/@octokit/plugin-rest-endpoint-methods/dist-src/index.js
 var dist_src_exports2 = {};
 __export(dist_src_exports2, {
   legacyRestEndpointMethods: () => legacyRestEndpointMethods,
@@ -43511,7 +43511,7 @@ function legacyRestEndpointMethods(octokit) {
   };
 }
 var init_dist_src3 = __esm({
-  "node_modules/@octokit/plugin-rest-endpoint-methods/dist-src/index.js"() {
+  "node_modules/@actions/github/node_modules/@octokit/plugin-rest-endpoint-methods/dist-src/index.js"() {
     init_version2();
     init_endpoints_to_methods();
     restEndpointMethods.VERSION = VERSION5;
@@ -43519,7 +43519,7 @@ var init_dist_src3 = __esm({
   }
 });
 
-// node_modules/@octokit/plugin-paginate-rest/dist-bundle/index.js
+// node_modules/@actions/github/node_modules/@octokit/plugin-paginate-rest/dist-bundle/index.js
 var dist_bundle_exports = {};
 __export(dist_bundle_exports, {
   composePaginateRest: () => composePaginateRest,
@@ -43645,7 +43645,7 @@ function paginateRest(octokit) {
 }
 var VERSION6, composePaginateRest, paginatingEndpoints;
 var init_dist_bundle5 = __esm({
-  "node_modules/@octokit/plugin-paginate-rest/dist-bundle/index.js"() {
+  "node_modules/@actions/github/node_modules/@octokit/plugin-paginate-rest/dist-bundle/index.js"() {
     VERSION6 = "0.0.0-development";
     composePaginateRest = Object.assign(paginate, {
       iterator
@@ -49102,7 +49102,7 @@ var require_brace_expansion = __commonJS({
         var x = numeric(n[0]);
         var y = numeric(n[1]);
         var width = Math.max(n[0].length, n[1].length);
-        var incr = n.length == 3 ? Math.max(Math.abs(numeric(n[2])), 1) : 1;
+        var incr = n.length == 3 ? Math.abs(numeric(n[2])) : 1;
         var test = lte;
         var reverse = y < x;
         if (reverse) {
@@ -62029,7 +62029,7 @@ var require_fxp = __commonJS({
         if (a.some((t3) => i2 === t3.toLowerCase())) throw new Error(`[SECURITY] Invalid ${e2}: "${t2}" is a reserved JavaScript keyword that could cause prototype pollution`);
       }
       function A(t2) {
-        return "boolean" == typeof t2 ? { enabled: t2, maxEntitySize: 1e4, maxExpansionDepth: 10, maxTotalExpansions: 1e3, maxExpandedLength: 1e5, maxEntityCount: 100, allowedTags: null, tagFilter: null } : "object" == typeof t2 && null !== t2 ? { enabled: false !== t2.enabled, maxEntitySize: Math.max(1, t2.maxEntitySize ?? 1e4), maxExpansionDepth: Math.max(1, t2.maxExpansionDepth ?? 10), maxTotalExpansions: Math.max(1, t2.maxTotalExpansions ?? 1e3), maxExpandedLength: Math.max(1, t2.maxExpandedLength ?? 1e5), maxEntityCount: Math.max(1, t2.maxEntityCount ?? 100), allowedTags: t2.allowedTags ?? null, tagFilter: t2.tagFilter ?? null } : A(true);
+        return "boolean" == typeof t2 ? { enabled: t2, maxEntitySize: 1e4, maxExpansionDepth: 10, maxTotalExpansions: 1e3, maxExpandedLength: 1e5, maxEntityCount: 100, allowedTags: null, tagFilter: null } : "object" == typeof t2 && null !== t2 ? { enabled: false !== t2.enabled, maxEntitySize: t2.maxEntitySize ?? 1e4, maxExpansionDepth: t2.maxExpansionDepth ?? 10, maxTotalExpansions: t2.maxTotalExpansions ?? 1e3, maxExpandedLength: t2.maxExpandedLength ?? 1e5, maxEntityCount: t2.maxEntityCount ?? 100, allowedTags: t2.allowedTags ?? null, tagFilter: t2.tagFilter ?? null } : A(true);
       }
       const C = function(t2) {
         const e2 = Object.assign({}, P, t2), i2 = [{ value: e2.attributeNamePrefix, name: "attributeNamePrefix" }, { value: e2.attributesGroupName, name: "attributesGroupName" }, { value: e2.textNodeName, name: "textNodeName" }, { value: e2.cdataPropName, name: "cdataPropName" }, { value: e2.commentPropName, name: "commentPropName" }];
@@ -62070,7 +62070,7 @@ var require_fxp = __commonJS({
               if (r2 && _2(t2, "!ENTITY", e2)) {
                 let s3, r3;
                 if (e2 += 7, [s3, r3, e2] = this.readEntityExp(t2, e2 + 1, this.suppressValidationErr), -1 === r3.indexOf("&")) {
-                  if (false !== this.options.enabled && null != this.options.maxEntityCount && n2 >= this.options.maxEntityCount) throw new Error(`Entity count (${n2 + 1}) exceeds maximum allowed (${this.options.maxEntityCount})`);
+                  if (false !== this.options.enabled && this.options.maxEntityCount && n2 >= this.options.maxEntityCount) throw new Error(`Entity count (${n2 + 1}) exceeds maximum allowed (${this.options.maxEntityCount})`);
                   const t3 = s3.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
                   i2[s3] = { regx: RegExp(`&${t3};`, "g"), val: r3 }, n2++;
                 }
@@ -62094,86 +62094,82 @@ var require_fxp = __commonJS({
           return { entities: i2, i: e2 };
         }
         readEntityExp(t2, e2) {
-          const i2 = e2 = j(t2, e2);
-          for (; e2 < t2.length && !/\s/.test(t2[e2]) && '"' !== t2[e2] && "'" !== t2[e2]; ) e2++;
-          let n2 = t2.substring(i2, e2);
-          if (D(n2), e2 = j(t2, e2), !this.suppressValidationErr) {
+          e2 = j(t2, e2);
+          let i2 = "";
+          for (; e2 < t2.length && !/\s/.test(t2[e2]) && '"' !== t2[e2] && "'" !== t2[e2]; ) i2 += t2[e2], e2++;
+          if (D(i2), e2 = j(t2, e2), !this.suppressValidationErr) {
             if ("SYSTEM" === t2.substring(e2, e2 + 6).toUpperCase()) throw new Error("External entities are not supported");
             if ("%" === t2[e2]) throw new Error("Parameter entities are not supported");
           }
-          let s2 = "";
-          if ([e2, s2] = this.readIdentifierVal(t2, e2, "entity"), false !== this.options.enabled && null != this.options.maxEntitySize && s2.length > this.options.maxEntitySize) throw new Error(`Entity "${n2}" size (${s2.length}) exceeds maximum allowed size (${this.options.maxEntitySize})`);
-          return [n2, s2, --e2];
+          let n2 = "";
+          if ([e2, n2] = this.readIdentifierVal(t2, e2, "entity"), false !== this.options.enabled && this.options.maxEntitySize && n2.length > this.options.maxEntitySize) throw new Error(`Entity "${i2}" size (${n2.length}) exceeds maximum allowed size (${this.options.maxEntitySize})`);
+          return [i2, n2, --e2];
         }
         readNotationExp(t2, e2) {
-          const i2 = e2 = j(t2, e2);
-          for (; e2 < t2.length && !/\s/.test(t2[e2]); ) e2++;
-          let n2 = t2.substring(i2, e2);
-          !this.suppressValidationErr && D(n2), e2 = j(t2, e2);
-          const s2 = t2.substring(e2, e2 + 6).toUpperCase();
-          if (!this.suppressValidationErr && "SYSTEM" !== s2 && "PUBLIC" !== s2) throw new Error(`Expected SYSTEM or PUBLIC, found "${s2}"`);
-          e2 += s2.length, e2 = j(t2, e2);
-          let r2 = null, o2 = null;
-          if ("PUBLIC" === s2) [e2, r2] = this.readIdentifierVal(t2, e2, "publicIdentifier"), '"' !== t2[e2 = j(t2, e2)] && "'" !== t2[e2] || ([e2, o2] = this.readIdentifierVal(t2, e2, "systemIdentifier"));
-          else if ("SYSTEM" === s2 && ([e2, o2] = this.readIdentifierVal(t2, e2, "systemIdentifier"), !this.suppressValidationErr && !o2)) throw new Error("Missing mandatory system identifier for SYSTEM notation");
-          return { notationName: n2, publicIdentifier: r2, systemIdentifier: o2, index: --e2 };
+          e2 = j(t2, e2);
+          let i2 = "";
+          for (; e2 < t2.length && !/\s/.test(t2[e2]); ) i2 += t2[e2], e2++;
+          !this.suppressValidationErr && D(i2), e2 = j(t2, e2);
+          const n2 = t2.substring(e2, e2 + 6).toUpperCase();
+          if (!this.suppressValidationErr && "SYSTEM" !== n2 && "PUBLIC" !== n2) throw new Error(`Expected SYSTEM or PUBLIC, found "${n2}"`);
+          e2 += n2.length, e2 = j(t2, e2);
+          let s2 = null, r2 = null;
+          if ("PUBLIC" === n2) [e2, s2] = this.readIdentifierVal(t2, e2, "publicIdentifier"), '"' !== t2[e2 = j(t2, e2)] && "'" !== t2[e2] || ([e2, r2] = this.readIdentifierVal(t2, e2, "systemIdentifier"));
+          else if ("SYSTEM" === n2 && ([e2, r2] = this.readIdentifierVal(t2, e2, "systemIdentifier"), !this.suppressValidationErr && !r2)) throw new Error("Missing mandatory system identifier for SYSTEM notation");
+          return { notationName: i2, publicIdentifier: s2, systemIdentifier: r2, index: --e2 };
         }
         readIdentifierVal(t2, e2, i2) {
           let n2 = "";
           const s2 = t2[e2];
           if ('"' !== s2 && "'" !== s2) throw new Error(`Expected quoted string, found "${s2}"`);
-          const r2 = ++e2;
-          for (; e2 < t2.length && t2[e2] !== s2; ) e2++;
-          if (n2 = t2.substring(r2, e2), t2[e2] !== s2) throw new Error(`Unterminated ${i2} value`);
+          for (e2++; e2 < t2.length && t2[e2] !== s2; ) n2 += t2[e2], e2++;
+          if (t2[e2] !== s2) throw new Error(`Unterminated ${i2} value`);
           return [++e2, n2];
         }
         readElementExp(t2, e2) {
-          const i2 = e2 = j(t2, e2);
-          for (; e2 < t2.length && !/\s/.test(t2[e2]); ) e2++;
-          let n2 = t2.substring(i2, e2);
-          if (!this.suppressValidationErr && !r(n2)) throw new Error(`Invalid element name: "${n2}"`);
-          let s2 = "";
+          e2 = j(t2, e2);
+          let i2 = "";
+          for (; e2 < t2.length && !/\s/.test(t2[e2]); ) i2 += t2[e2], e2++;
+          if (!this.suppressValidationErr && !r(i2)) throw new Error(`Invalid element name: "${i2}"`);
+          let n2 = "";
           if ("E" === t2[e2 = j(t2, e2)] && _2(t2, "MPTY", e2)) e2 += 4;
           else if ("A" === t2[e2] && _2(t2, "NY", e2)) e2 += 2;
           else if ("(" === t2[e2]) {
-            const i3 = ++e2;
-            for (; e2 < t2.length && ")" !== t2[e2]; ) e2++;
-            if (s2 = t2.substring(i3, e2), ")" !== t2[e2]) throw new Error("Unterminated content model");
+            for (e2++; e2 < t2.length && ")" !== t2[e2]; ) n2 += t2[e2], e2++;
+            if (")" !== t2[e2]) throw new Error("Unterminated content model");
           } else if (!this.suppressValidationErr) throw new Error(`Invalid Element Expression, found "${t2[e2]}"`);
-          return { elementName: n2, contentModel: s2.trim(), index: e2 };
+          return { elementName: i2, contentModel: n2.trim(), index: e2 };
         }
         readAttlistExp(t2, e2) {
-          let i2 = e2 = j(t2, e2);
-          for (; e2 < t2.length && !/\s/.test(t2[e2]); ) e2++;
-          let n2 = t2.substring(i2, e2);
-          for (D(n2), i2 = e2 = j(t2, e2); e2 < t2.length && !/\s/.test(t2[e2]); ) e2++;
-          let s2 = t2.substring(i2, e2);
-          if (!D(s2)) throw new Error(`Invalid attribute name: "${s2}"`);
           e2 = j(t2, e2);
-          let r2 = "";
+          let i2 = "";
+          for (; e2 < t2.length && !/\s/.test(t2[e2]); ) i2 += t2[e2], e2++;
+          D(i2), e2 = j(t2, e2);
+          let n2 = "";
+          for (; e2 < t2.length && !/\s/.test(t2[e2]); ) n2 += t2[e2], e2++;
+          if (!D(n2)) throw new Error(`Invalid attribute name: "${n2}"`);
+          e2 = j(t2, e2);
+          let s2 = "";
           if ("NOTATION" === t2.substring(e2, e2 + 8).toUpperCase()) {
-            if (r2 = "NOTATION", "(" !== t2[e2 = j(t2, e2 += 8)]) throw new Error(`Expected '(', found "${t2[e2]}"`);
+            if (s2 = "NOTATION", "(" !== t2[e2 = j(t2, e2 += 8)]) throw new Error(`Expected '(', found "${t2[e2]}"`);
             e2++;
             let i3 = [];
             for (; e2 < t2.length && ")" !== t2[e2]; ) {
-              const n3 = e2;
-              for (; e2 < t2.length && "|" !== t2[e2] && ")" !== t2[e2]; ) e2++;
-              let s3 = t2.substring(n3, e2);
-              if (s3 = s3.trim(), !D(s3)) throw new Error(`Invalid notation name: "${s3}"`);
-              i3.push(s3), "|" === t2[e2] && (e2++, e2 = j(t2, e2));
+              let n3 = "";
+              for (; e2 < t2.length && "|" !== t2[e2] && ")" !== t2[e2]; ) n3 += t2[e2], e2++;
+              if (n3 = n3.trim(), !D(n3)) throw new Error(`Invalid notation name: "${n3}"`);
+              i3.push(n3), "|" === t2[e2] && (e2++, e2 = j(t2, e2));
             }
             if (")" !== t2[e2]) throw new Error("Unterminated list of notations");
-            e2++, r2 += " (" + i3.join("|") + ")";
+            e2++, s2 += " (" + i3.join("|") + ")";
           } else {
-            const i3 = e2;
-            for (; e2 < t2.length && !/\s/.test(t2[e2]); ) e2++;
-            r2 += t2.substring(i3, e2);
-            const n3 = ["CDATA", "ID", "IDREF", "IDREFS", "ENTITY", "ENTITIES", "NMTOKEN", "NMTOKENS"];
-            if (!this.suppressValidationErr && !n3.includes(r2.toUpperCase())) throw new Error(`Invalid attribute type: "${r2}"`);
+            for (; e2 < t2.length && !/\s/.test(t2[e2]); ) s2 += t2[e2], e2++;
+            const i3 = ["CDATA", "ID", "IDREF", "IDREFS", "ENTITY", "ENTITIES", "NMTOKEN", "NMTOKENS"];
+            if (!this.suppressValidationErr && !i3.includes(s2.toUpperCase())) throw new Error(`Invalid attribute type: "${s2}"`);
           }
           e2 = j(t2, e2);
-          let o2 = "";
-          return "#REQUIRED" === t2.substring(e2, e2 + 8).toUpperCase() ? (o2 = "#REQUIRED", e2 += 8) : "#IMPLIED" === t2.substring(e2, e2 + 7).toUpperCase() ? (o2 = "#IMPLIED", e2 += 7) : [e2, o2] = this.readIdentifierVal(t2, e2, "ATTLIST"), { elementName: n2, attributeName: s2, attributeType: r2, defaultValue: o2, index: e2 };
+          let r2 = "";
+          return "#REQUIRED" === t2.substring(e2, e2 + 8).toUpperCase() ? (r2 = "#REQUIRED", e2 += 8) : "#IMPLIED" === t2.substring(e2, e2 + 7).toUpperCase() ? (r2 = "#IMPLIED", e2 += 7) : [e2, r2] = this.readIdentifierVal(t2, e2, "ATTLIST"), { elementName: i2, attributeName: n2, attributeType: s2, defaultValue: r2, index: e2 };
         }
       }
       const j = (t2, e2) => {
@@ -62188,9 +62184,9 @@ var require_fxp = __commonJS({
         if (r(t2)) return t2;
         throw new Error(`Invalid entity name ${t2}`);
       }
-      const V = /^[-+]?0x[a-fA-F0-9]+$/, k = /^([\-\+])?(0*)([0-9]*(\.[0-9]*)?)$/, M = { hex: true, leadingZeros: true, decimalPoint: ".", eNotation: true, infinity: "original" };
-      const F = /^([-+])?(0*)(\d*(\.\d*)?[eE][-\+]?\d+)$/;
-      class L {
+      const V = /^[-+]?0x[a-fA-F0-9]+$/, k = /^([\-\+])?(0*)([0-9]*(\.[0-9]*)?)$/, F = { hex: true, leadingZeros: true, decimalPoint: ".", eNotation: true };
+      const L = /^([-+])?(0*)(\d*(\.\d*)?[eE][-\+]?\d+)$/;
+      class M {
         constructor(t2 = {}) {
           this.separator = t2.separator || ".", this.path = [], this.siblingStacks = [];
         }
@@ -62397,7 +62393,7 @@ var require_fxp = __commonJS({
               if ("string" == typeof i2 && t3 === i2) return true;
               if (i2 instanceof RegExp && i2.test(t3)) return true;
             }
-          } : () => false, this.entityExpansionCount = 0, this.currentExpandedLength = 0, this.matcher = new L(), this.isCurrentNodeStopNode = false, this.options.stopNodes && this.options.stopNodes.length > 0) {
+          } : () => false, this.entityExpansionCount = 0, this.currentExpandedLength = 0, this.matcher = new M(), this.isCurrentNodeStopNode = false, this.options.stopNodes && this.options.stopNodes.length > 0) {
             this.stopNodeExpressions = [];
             for (let t3 = 0; t3 < this.options.stopNodes.length; t3++) {
               const e3 = this.options.stopNodes[t3];
@@ -62508,7 +62504,7 @@ var require_fxp = __commonJS({
           let o2 = s3.tagName;
           const a2 = s3.rawTagName;
           let h2 = s3.tagExp, l2 = s3.attrExpPresent, p2 = s3.closeIndex;
-          if ({ tagName: o2, tagExp: h2 } = rt(this.options.transformTagName, o2, h2, this.options), this.options.strictReservedNames && (o2 === this.options.commentPropName || o2 === this.options.cdataPropName || o2 === this.options.textNodeName || o2 === this.options.attributesGroupName)) throw new Error(`Invalid tag name: ${o2}`);
+          if ({ tagName: o2, tagExp: h2 } = rt(this.options.transformTagName, o2, h2, this.options), this.options.strictReservedNames && (o2 === this.options.commentPropName || o2 === this.options.cdataPropName)) throw new Error(`Invalid tag name: ${o2}`);
           i2 && n2 && "!xml" !== i2.tagname && (n2 = this.saveTextToParentTag(n2, i2, this.matcher, false));
           const u2 = i2;
           u2 && -1 !== this.options.unpairedTags.indexOf(u2.tagname) && (i2 = this.tagsNodeStack.pop(), this.matcher.pop());
@@ -62646,7 +62642,7 @@ var require_fxp = __commonJS({
         if (e2 && "string" == typeof t2) {
           const e3 = t2.trim();
           return "true" === e3 || "false" !== e3 && (function(t3, e4 = {}) {
-            if (e4 = Object.assign({}, M, e4), !t3 || "string" != typeof t3) return t3;
+            if (e4 = Object.assign({}, F, e4), !t3 || "string" != typeof t3) return t3;
             let i3 = t3.trim();
             if (void 0 !== e4.skipLike && e4.skipLike.test(i3)) return t3;
             if ("0" === t3) return 0;
@@ -62656,50 +62652,35 @@ var require_fxp = __commonJS({
               if (window && window.parseInt) return window.parseInt(t4, 16);
               throw new Error("parseInt, Number.parseInt, window.parseInt are not supported");
             })(i3);
-            if (isFinite(i3)) {
-              if (i3.includes("e") || i3.includes("E")) return (function(t4, e5, i4) {
-                if (!i4.eNotation) return t4;
-                const n3 = e5.match(F);
-                if (n3) {
-                  let s2 = n3[1] || "";
-                  const r2 = -1 === n3[3].indexOf("e") ? "E" : "e", o2 = n3[2], a2 = s2 ? t4[o2.length + 1] === r2 : t4[o2.length] === r2;
-                  return o2.length > 1 && a2 ? t4 : (1 !== o2.length || !n3[3].startsWith(`.${r2}`) && n3[3][0] !== r2) && o2.length > 0 ? i4.leadingZeros && !a2 ? (e5 = (n3[1] || "") + n3[3], Number(e5)) : t4 : Number(e5);
-                }
-                return t4;
-              })(t3, i3, e4);
-              {
-                const s2 = k.exec(i3);
-                if (s2) {
-                  const r2 = s2[1] || "", o2 = s2[2];
-                  let a2 = (n2 = s2[3]) && -1 !== n2.indexOf(".") ? ("." === (n2 = n2.replace(/0+$/, "")) ? n2 = "0" : "." === n2[0] ? n2 = "0" + n2 : "." === n2[n2.length - 1] && (n2 = n2.substring(0, n2.length - 1)), n2) : n2;
-                  const h2 = r2 ? "." === t3[o2.length + 1] : "." === t3[o2.length];
-                  if (!e4.leadingZeros && (o2.length > 1 || 1 === o2.length && !h2)) return t3;
-                  {
-                    const n3 = Number(i3), s3 = String(n3);
-                    if (0 === n3) return n3;
-                    if (-1 !== s3.search(/[eE]/)) return e4.eNotation ? n3 : t3;
-                    if (-1 !== i3.indexOf(".")) return "0" === s3 || s3 === a2 || s3 === `${r2}${a2}` ? n3 : t3;
-                    let h3 = o2 ? a2 : i3;
-                    return o2 ? h3 === s3 || r2 + h3 === s3 ? n3 : t3 : h3 === s3 || h3 === r2 + s3 ? n3 : t3;
-                  }
-                }
-                return t3;
+            if (i3.includes("e") || i3.includes("E")) return (function(t4, e5, i4) {
+              if (!i4.eNotation) return t4;
+              const n3 = e5.match(L);
+              if (n3) {
+                let s2 = n3[1] || "";
+                const r2 = -1 === n3[3].indexOf("e") ? "E" : "e", o2 = n3[2], a2 = s2 ? t4[o2.length + 1] === r2 : t4[o2.length] === r2;
+                return o2.length > 1 && a2 ? t4 : 1 !== o2.length || !n3[3].startsWith(`.${r2}`) && n3[3][0] !== r2 ? i4.leadingZeros && !a2 ? (e5 = (n3[1] || "") + n3[3], Number(e5)) : t4 : Number(e5);
               }
+              return t4;
+            })(t3, i3, e4);
+            {
+              const s2 = k.exec(i3);
+              if (s2) {
+                const r2 = s2[1] || "", o2 = s2[2];
+                let a2 = (n2 = s2[3]) && -1 !== n2.indexOf(".") ? ("." === (n2 = n2.replace(/0+$/, "")) ? n2 = "0" : "." === n2[0] ? n2 = "0" + n2 : "." === n2[n2.length - 1] && (n2 = n2.substring(0, n2.length - 1)), n2) : n2;
+                const h2 = r2 ? "." === t3[o2.length + 1] : "." === t3[o2.length];
+                if (!e4.leadingZeros && (o2.length > 1 || 1 === o2.length && !h2)) return t3;
+                {
+                  const n3 = Number(i3), s3 = String(n3);
+                  if (0 === n3) return n3;
+                  if (-1 !== s3.search(/[eE]/)) return e4.eNotation ? n3 : t3;
+                  if (-1 !== i3.indexOf(".")) return "0" === s3 || s3 === a2 || s3 === `${r2}${a2}` ? n3 : t3;
+                  let h3 = o2 ? a2 : i3;
+                  return o2 ? h3 === s3 || r2 + h3 === s3 ? n3 : t3 : h3 === s3 || h3 === r2 + s3 ? n3 : t3;
+                }
+              }
+              return t3;
             }
             var n2;
-            return (function(t4, e5, i4) {
-              const n3 = e5 === 1 / 0;
-              switch (i4.infinity.toLowerCase()) {
-                case "null":
-                  return null;
-                case "infinity":
-                  return e5;
-                case "string":
-                  return n3 ? "Infinity" : "-Infinity";
-                default:
-                  return t4;
-              }
-            })(t3, Number(i3), e4);
           })(t2, i2);
         }
         return void 0 !== t2 ? t2 : "";
@@ -62811,7 +62792,7 @@ var require_fxp = __commonJS({
           const i3 = e2.stopNodes[t3];
           "string" == typeof i3 ? n2.push(new G(i3)) : i3 instanceof G && n2.push(i3);
         }
-        return mt(t2, e2, i2, new L(), n2);
+        return mt(t2, e2, i2, new M(), n2);
       }
       function mt(t2, e2, i2, n2, s2) {
         let r2 = "", o2 = false;
@@ -62959,7 +62940,7 @@ var require_fxp = __commonJS({
         if (this.options.preserveOrder) return gt(t2, this.options);
         {
           Array.isArray(t2) && this.options.arrayNodeName && this.options.arrayNodeName.length > 1 && (t2 = { [this.options.arrayNodeName]: t2 });
-          const e2 = new L();
+          const e2 = new M();
           return this.j2x(t2, 0, e2).val;
         }
       }, Pt.prototype.j2x = function(t2, e2, i2) {
@@ -115635,7 +115616,7 @@ var require_commonjs19 = __commonJS({
     var openPattern = /\\{/g;
     var closePattern = /\\}/g;
     var commaPattern = /\\,/g;
-    var periodPattern = /\\\./g;
+    var periodPattern = /\\./g;
     exports2.EXPANSION_MAX = 1e5;
     function numeric(str2) {
       return !isNaN(str2) ? parseInt(str2, 10) : str2.charCodeAt(0);
@@ -115730,7 +115711,7 @@ var require_commonjs19 = __commonJS({
           const x = numeric(n[0]);
           const y = numeric(n[1]);
           const width = Math.max(n[0].length, n[1].length);
-          let incr = n.length === 3 && n[2] !== void 0 ? Math.max(Math.abs(numeric(n[2])), 1) : 1;
+          let incr = n.length === 3 && n[2] !== void 0 ? Math.abs(numeric(n[2])) : 1;
           let test = lte;
           const reverse = y < x;
           if (reverse) {
@@ -161498,7 +161479,7 @@ function getTemporaryDirectory() {
   return value !== void 0 && value !== "" ? value : getRequiredEnvParam("RUNNER_TEMP");
 }
 function getActionVersion() {
-  return "4.35.2";
+  return "3.34.1";
 }
 var persistedInputsKey = "persisted_inputs";
 var restoreInputs = function() {

lib/start-proxy-action.js

@@ -41057,18 +41057,18 @@ var init_dist_src2 = __esm({
   }
 });
 
-// node_modules/@octokit/plugin-rest-endpoint-methods/dist-src/version.js
+// node_modules/@actions/github/node_modules/@octokit/plugin-rest-endpoint-methods/dist-src/version.js
 var VERSION5;
 var init_version2 = __esm({
-  "node_modules/@octokit/plugin-rest-endpoint-methods/dist-src/version.js"() {
+  "node_modules/@actions/github/node_modules/@octokit/plugin-rest-endpoint-methods/dist-src/version.js"() {
     VERSION5 = "17.0.0";
   }
 });
 
-// node_modules/@octokit/plugin-rest-endpoint-methods/dist-src/generated/endpoints.js
+// node_modules/@actions/github/node_modules/@octokit/plugin-rest-endpoint-methods/dist-src/generated/endpoints.js
 var Endpoints, endpoints_default;
 var init_endpoints = __esm({
-  "node_modules/@octokit/plugin-rest-endpoint-methods/dist-src/generated/endpoints.js"() {
+  "node_modules/@actions/github/node_modules/@octokit/plugin-rest-endpoint-methods/dist-src/generated/endpoints.js"() {
     Endpoints = {
       actions: {
         addCustomLabelsToSelfHostedRunnerForOrg: [
@@ -43362,7 +43362,7 @@ var init_endpoints = __esm({
   }
 });
 
-// node_modules/@octokit/plugin-rest-endpoint-methods/dist-src/endpoints-to-methods.js
+// node_modules/@actions/github/node_modules/@octokit/plugin-rest-endpoint-methods/dist-src/endpoints-to-methods.js
 function endpointsToMethods(octokit) {
   const newMethods = {};
   for (const scope of endpointMethodsMap.keys()) {
@@ -43413,7 +43413,7 @@ function decorate(octokit, scope, methodName, defaults, decorations) {
 }
 var endpointMethodsMap, handler;
 var init_endpoints_to_methods = __esm({
-  "node_modules/@octokit/plugin-rest-endpoint-methods/dist-src/endpoints-to-methods.js"() {
+  "node_modules/@actions/github/node_modules/@octokit/plugin-rest-endpoint-methods/dist-src/endpoints-to-methods.js"() {
     init_endpoints();
     endpointMethodsMap = /* @__PURE__ */ new Map();
     for (const [scope, endpoints] of Object.entries(endpoints_default)) {
@@ -43491,7 +43491,7 @@ var init_endpoints_to_methods = __esm({
   }
 });
 
-// node_modules/@octokit/plugin-rest-endpoint-methods/dist-src/index.js
+// node_modules/@actions/github/node_modules/@octokit/plugin-rest-endpoint-methods/dist-src/index.js
 var dist_src_exports2 = {};
 __export(dist_src_exports2, {
   legacyRestEndpointMethods: () => legacyRestEndpointMethods,
@@ -43511,7 +43511,7 @@ function legacyRestEndpointMethods(octokit) {
   };
 }
 var init_dist_src3 = __esm({
-  "node_modules/@octokit/plugin-rest-endpoint-methods/dist-src/index.js"() {
+  "node_modules/@actions/github/node_modules/@octokit/plugin-rest-endpoint-methods/dist-src/index.js"() {
     init_version2();
     init_endpoints_to_methods();
     restEndpointMethods.VERSION = VERSION5;
@@ -43519,7 +43519,7 @@ var init_dist_src3 = __esm({
   }
 });
 
-// node_modules/@octokit/plugin-paginate-rest/dist-bundle/index.js
+// node_modules/@actions/github/node_modules/@octokit/plugin-paginate-rest/dist-bundle/index.js
 var dist_bundle_exports = {};
 __export(dist_bundle_exports, {
   composePaginateRest: () => composePaginateRest,
@@ -43645,7 +43645,7 @@ function paginateRest(octokit) {
 }
 var VERSION6, composePaginateRest, paginatingEndpoints;
 var init_dist_bundle5 = __esm({
-  "node_modules/@octokit/plugin-paginate-rest/dist-bundle/index.js"() {
+  "node_modules/@actions/github/node_modules/@octokit/plugin-paginate-rest/dist-bundle/index.js"() {
     VERSION6 = "0.0.0-development";
     composePaginateRest = Object.assign(paginate, {
       iterator
@@ -47805,7 +47805,7 @@ var require_brace_expansion = __commonJS({
         var x = numeric(n[0]);
         var y = numeric(n[1]);
         var width = Math.max(n[0].length, n[1].length);
-        var incr = n.length == 3 ? Math.max(Math.abs(numeric(n[2])), 1) : 1;
+        var incr = n.length == 3 ? Math.abs(numeric(n[2])) : 1;
         var test = lte;
         var reverse = y < x;
         if (reverse) {
@@ -60732,7 +60732,7 @@ var require_fxp = __commonJS({
         if (a.some((t3) => i2 === t3.toLowerCase())) throw new Error(`[SECURITY] Invalid ${e2}: "${t2}" is a reserved JavaScript keyword that could cause prototype pollution`);
       }
       function A(t2) {
-        return "boolean" == typeof t2 ? { enabled: t2, maxEntitySize: 1e4, maxExpansionDepth: 10, maxTotalExpansions: 1e3, maxExpandedLength: 1e5, maxEntityCount: 100, allowedTags: null, tagFilter: null } : "object" == typeof t2 && null !== t2 ? { enabled: false !== t2.enabled, maxEntitySize: Math.max(1, t2.maxEntitySize ?? 1e4), maxExpansionDepth: Math.max(1, t2.maxExpansionDepth ?? 10), maxTotalExpansions: Math.max(1, t2.maxTotalExpansions ?? 1e3), maxExpandedLength: Math.max(1, t2.maxExpandedLength ?? 1e5), maxEntityCount: Math.max(1, t2.maxEntityCount ?? 100), allowedTags: t2.allowedTags ?? null, tagFilter: t2.tagFilter ?? null } : A(true);
+        return "boolean" == typeof t2 ? { enabled: t2, maxEntitySize: 1e4, maxExpansionDepth: 10, maxTotalExpansions: 1e3, maxExpandedLength: 1e5, maxEntityCount: 100, allowedTags: null, tagFilter: null } : "object" == typeof t2 && null !== t2 ? { enabled: false !== t2.enabled, maxEntitySize: t2.maxEntitySize ?? 1e4, maxExpansionDepth: t2.maxExpansionDepth ?? 10, maxTotalExpansions: t2.maxTotalExpansions ?? 1e3, maxExpandedLength: t2.maxExpandedLength ?? 1e5, maxEntityCount: t2.maxEntityCount ?? 100, allowedTags: t2.allowedTags ?? null, tagFilter: t2.tagFilter ?? null } : A(true);
       }
       const C = function(t2) {
         const e2 = Object.assign({}, P, t2), i2 = [{ value: e2.attributeNamePrefix, name: "attributeNamePrefix" }, { value: e2.attributesGroupName, name: "attributesGroupName" }, { value: e2.textNodeName, name: "textNodeName" }, { value: e2.cdataPropName, name: "cdataPropName" }, { value: e2.commentPropName, name: "commentPropName" }];
@@ -60773,7 +60773,7 @@ var require_fxp = __commonJS({
               if (r2 && _(t2, "!ENTITY", e2)) {
                 let s3, r3;
                 if (e2 += 7, [s3, r3, e2] = this.readEntityExp(t2, e2 + 1, this.suppressValidationErr), -1 === r3.indexOf("&")) {
-                  if (false !== this.options.enabled && null != this.options.maxEntityCount && n2 >= this.options.maxEntityCount) throw new Error(`Entity count (${n2 + 1}) exceeds maximum allowed (${this.options.maxEntityCount})`);
+                  if (false !== this.options.enabled && this.options.maxEntityCount && n2 >= this.options.maxEntityCount) throw new Error(`Entity count (${n2 + 1}) exceeds maximum allowed (${this.options.maxEntityCount})`);
                   const t3 = s3.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
                   i2[s3] = { regx: RegExp(`&${t3};`, "g"), val: r3 }, n2++;
                 }
@@ -60797,86 +60797,82 @@ var require_fxp = __commonJS({
           return { entities: i2, i: e2 };
         }
         readEntityExp(t2, e2) {
-          const i2 = e2 = j(t2, e2);
-          for (; e2 < t2.length && !/\s/.test(t2[e2]) && '"' !== t2[e2] && "'" !== t2[e2]; ) e2++;
-          let n2 = t2.substring(i2, e2);
-          if (D(n2), e2 = j(t2, e2), !this.suppressValidationErr) {
+          e2 = j(t2, e2);
+          let i2 = "";
+          for (; e2 < t2.length && !/\s/.test(t2[e2]) && '"' !== t2[e2] && "'" !== t2[e2]; ) i2 += t2[e2], e2++;
+          if (D(i2), e2 = j(t2, e2), !this.suppressValidationErr) {
             if ("SYSTEM" === t2.substring(e2, e2 + 6).toUpperCase()) throw new Error("External entities are not supported");
             if ("%" === t2[e2]) throw new Error("Parameter entities are not supported");
           }
-          let s2 = "";
-          if ([e2, s2] = this.readIdentifierVal(t2, e2, "entity"), false !== this.options.enabled && null != this.options.maxEntitySize && s2.length > this.options.maxEntitySize) throw new Error(`Entity "${n2}" size (${s2.length}) exceeds maximum allowed size (${this.options.maxEntitySize})`);
-          return [n2, s2, --e2];
+          let n2 = "";
+          if ([e2, n2] = this.readIdentifierVal(t2, e2, "entity"), false !== this.options.enabled && this.options.maxEntitySize && n2.length > this.options.maxEntitySize) throw new Error(`Entity "${i2}" size (${n2.length}) exceeds maximum allowed size (${this.options.maxEntitySize})`);
+          return [i2, n2, --e2];
         }
         readNotationExp(t2, e2) {
-          const i2 = e2 = j(t2, e2);
-          for (; e2 < t2.length && !/\s/.test(t2[e2]); ) e2++;
-          let n2 = t2.substring(i2, e2);
-          !this.suppressValidationErr && D(n2), e2 = j(t2, e2);
-          const s2 = t2.substring(e2, e2 + 6).toUpperCase();
-          if (!this.suppressValidationErr && "SYSTEM" !== s2 && "PUBLIC" !== s2) throw new Error(`Expected SYSTEM or PUBLIC, found "${s2}"`);
-          e2 += s2.length, e2 = j(t2, e2);
-          let r2 = null, o2 = null;
-          if ("PUBLIC" === s2) [e2, r2] = this.readIdentifierVal(t2, e2, "publicIdentifier"), '"' !== t2[e2 = j(t2, e2)] && "'" !== t2[e2] || ([e2, o2] = this.readIdentifierVal(t2, e2, "systemIdentifier"));
-          else if ("SYSTEM" === s2 && ([e2, o2] = this.readIdentifierVal(t2, e2, "systemIdentifier"), !this.suppressValidationErr && !o2)) throw new Error("Missing mandatory system identifier for SYSTEM notation");
-          return { notationName: n2, publicIdentifier: r2, systemIdentifier: o2, index: --e2 };
+          e2 = j(t2, e2);
+          let i2 = "";
+          for (; e2 < t2.length && !/\s/.test(t2[e2]); ) i2 += t2[e2], e2++;
+          !this.suppressValidationErr && D(i2), e2 = j(t2, e2);
+          const n2 = t2.substring(e2, e2 + 6).toUpperCase();
+          if (!this.suppressValidationErr && "SYSTEM" !== n2 && "PUBLIC" !== n2) throw new Error(`Expected SYSTEM or PUBLIC, found "${n2}"`);
+          e2 += n2.length, e2 = j(t2, e2);
+          let s2 = null, r2 = null;
+          if ("PUBLIC" === n2) [e2, s2] = this.readIdentifierVal(t2, e2, "publicIdentifier"), '"' !== t2[e2 = j(t2, e2)] && "'" !== t2[e2] || ([e2, r2] = this.readIdentifierVal(t2, e2, "systemIdentifier"));
+          else if ("SYSTEM" === n2 && ([e2, r2] = this.readIdentifierVal(t2, e2, "systemIdentifier"), !this.suppressValidationErr && !r2)) throw new Error("Missing mandatory system identifier for SYSTEM notation");
+          return { notationName: i2, publicIdentifier: s2, systemIdentifier: r2, index: --e2 };
         }
         readIdentifierVal(t2, e2, i2) {
           let n2 = "";
           const s2 = t2[e2];
           if ('"' !== s2 && "'" !== s2) throw new Error(`Expected quoted string, found "${s2}"`);
-          const r2 = ++e2;
-          for (; e2 < t2.length && t2[e2] !== s2; ) e2++;
-          if (n2 = t2.substring(r2, e2), t2[e2] !== s2) throw new Error(`Unterminated ${i2} value`);
+          for (e2++; e2 < t2.length && t2[e2] !== s2; ) n2 += t2[e2], e2++;
+          if (t2[e2] !== s2) throw new Error(`Unterminated ${i2} value`);
           return [++e2, n2];
         }
         readElementExp(t2, e2) {
-          const i2 = e2 = j(t2, e2);
-          for (; e2 < t2.length && !/\s/.test(t2[e2]); ) e2++;
-          let n2 = t2.substring(i2, e2);
-          if (!this.suppressValidationErr && !r(n2)) throw new Error(`Invalid element name: "${n2}"`);
-          let s2 = "";
+          e2 = j(t2, e2);
+          let i2 = "";
+          for (; e2 < t2.length && !/\s/.test(t2[e2]); ) i2 += t2[e2], e2++;
+          if (!this.suppressValidationErr && !r(i2)) throw new Error(`Invalid element name: "${i2}"`);
+          let n2 = "";
           if ("E" === t2[e2 = j(t2, e2)] && _(t2, "MPTY", e2)) e2 += 4;
           else if ("A" === t2[e2] && _(t2, "NY", e2)) e2 += 2;
           else if ("(" === t2[e2]) {
-            const i3 = ++e2;
-            for (; e2 < t2.length && ")" !== t2[e2]; ) e2++;
-            if (s2 = t2.substring(i3, e2), ")" !== t2[e2]) throw new Error("Unterminated content model");
+            for (e2++; e2 < t2.length && ")" !== t2[e2]; ) n2 += t2[e2], e2++;
+            if (")" !== t2[e2]) throw new Error("Unterminated content model");
           } else if (!this.suppressValidationErr) throw new Error(`Invalid Element Expression, found "${t2[e2]}"`);
-          return { elementName: n2, contentModel: s2.trim(), index: e2 };
+          return { elementName: i2, contentModel: n2.trim(), index: e2 };
         }
         readAttlistExp(t2, e2) {
-          let i2 = e2 = j(t2, e2);
-          for (; e2 < t2.length && !/\s/.test(t2[e2]); ) e2++;
-          let n2 = t2.substring(i2, e2);
-          for (D(n2), i2 = e2 = j(t2, e2); e2 < t2.length && !/\s/.test(t2[e2]); ) e2++;
-          let s2 = t2.substring(i2, e2);
-          if (!D(s2)) throw new Error(`Invalid attribute name: "${s2}"`);
           e2 = j(t2, e2);
-          let r2 = "";
+          let i2 = "";
+          for (; e2 < t2.length && !/\s/.test(t2[e2]); ) i2 += t2[e2], e2++;
+          D(i2), e2 = j(t2, e2);
+          let n2 = "";
+          for (; e2 < t2.length && !/\s/.test(t2[e2]); ) n2 += t2[e2], e2++;
+          if (!D(n2)) throw new Error(`Invalid attribute name: "${n2}"`);
+          e2 = j(t2, e2);
+          let s2 = "";
           if ("NOTATION" === t2.substring(e2, e2 + 8).toUpperCase()) {
-            if (r2 = "NOTATION", "(" !== t2[e2 = j(t2, e2 += 8)]) throw new Error(`Expected '(', found "${t2[e2]}"`);
+            if (s2 = "NOTATION", "(" !== t2[e2 = j(t2, e2 += 8)]) throw new Error(`Expected '(', found "${t2[e2]}"`);
             e2++;
             let i3 = [];
             for (; e2 < t2.length && ")" !== t2[e2]; ) {
-              const n3 = e2;
-              for (; e2 < t2.length && "|" !== t2[e2] && ")" !== t2[e2]; ) e2++;
-              let s3 = t2.substring(n3, e2);
-              if (s3 = s3.trim(), !D(s3)) throw new Error(`Invalid notation name: "${s3}"`);
-              i3.push(s3), "|" === t2[e2] && (e2++, e2 = j(t2, e2));
+              let n3 = "";
+              for (; e2 < t2.length && "|" !== t2[e2] && ")" !== t2[e2]; ) n3 += t2[e2], e2++;
+              if (n3 = n3.trim(), !D(n3)) throw new Error(`Invalid notation name: "${n3}"`);
+              i3.push(n3), "|" === t2[e2] && (e2++, e2 = j(t2, e2));
             }
             if (")" !== t2[e2]) throw new Error("Unterminated list of notations");
-            e2++, r2 += " (" + i3.join("|") + ")";
+            e2++, s2 += " (" + i3.join("|") + ")";
           } else {
-            const i3 = e2;
-            for (; e2 < t2.length && !/\s/.test(t2[e2]); ) e2++;
-            r2 += t2.substring(i3, e2);
-            const n3 = ["CDATA", "ID", "IDREF", "IDREFS", "ENTITY", "ENTITIES", "NMTOKEN", "NMTOKENS"];
-            if (!this.suppressValidationErr && !n3.includes(r2.toUpperCase())) throw new Error(`Invalid attribute type: "${r2}"`);
+            for (; e2 < t2.length && !/\s/.test(t2[e2]); ) s2 += t2[e2], e2++;
+            const i3 = ["CDATA", "ID", "IDREF", "IDREFS", "ENTITY", "ENTITIES", "NMTOKEN", "NMTOKENS"];
+            if (!this.suppressValidationErr && !i3.includes(s2.toUpperCase())) throw new Error(`Invalid attribute type: "${s2}"`);
           }
           e2 = j(t2, e2);
-          let o2 = "";
-          return "#REQUIRED" === t2.substring(e2, e2 + 8).toUpperCase() ? (o2 = "#REQUIRED", e2 += 8) : "#IMPLIED" === t2.substring(e2, e2 + 7).toUpperCase() ? (o2 = "#IMPLIED", e2 += 7) : [e2, o2] = this.readIdentifierVal(t2, e2, "ATTLIST"), { elementName: n2, attributeName: s2, attributeType: r2, defaultValue: o2, index: e2 };
+          let r2 = "";
+          return "#REQUIRED" === t2.substring(e2, e2 + 8).toUpperCase() ? (r2 = "#REQUIRED", e2 += 8) : "#IMPLIED" === t2.substring(e2, e2 + 7).toUpperCase() ? (r2 = "#IMPLIED", e2 += 7) : [e2, r2] = this.readIdentifierVal(t2, e2, "ATTLIST"), { elementName: i2, attributeName: n2, attributeType: s2, defaultValue: r2, index: e2 };
         }
       }
       const j = (t2, e2) => {
@@ -60891,9 +60887,9 @@ var require_fxp = __commonJS({
         if (r(t2)) return t2;
         throw new Error(`Invalid entity name ${t2}`);
       }
-      const V = /^[-+]?0x[a-fA-F0-9]+$/, k = /^([\-\+])?(0*)([0-9]*(\.[0-9]*)?)$/, M = { hex: true, leadingZeros: true, decimalPoint: ".", eNotation: true, infinity: "original" };
-      const F = /^([-+])?(0*)(\d*(\.\d*)?[eE][-\+]?\d+)$/;
-      class L {
+      const V = /^[-+]?0x[a-fA-F0-9]+$/, k = /^([\-\+])?(0*)([0-9]*(\.[0-9]*)?)$/, F = { hex: true, leadingZeros: true, decimalPoint: ".", eNotation: true };
+      const L = /^([-+])?(0*)(\d*(\.\d*)?[eE][-\+]?\d+)$/;
+      class M {
         constructor(t2 = {}) {
           this.separator = t2.separator || ".", this.path = [], this.siblingStacks = [];
         }
@@ -61100,7 +61096,7 @@ var require_fxp = __commonJS({
               if ("string" == typeof i2 && t3 === i2) return true;
               if (i2 instanceof RegExp && i2.test(t3)) return true;
             }
-          } : () => false, this.entityExpansionCount = 0, this.currentExpandedLength = 0, this.matcher = new L(), this.isCurrentNodeStopNode = false, this.options.stopNodes && this.options.stopNodes.length > 0) {
+          } : () => false, this.entityExpansionCount = 0, this.currentExpandedLength = 0, this.matcher = new M(), this.isCurrentNodeStopNode = false, this.options.stopNodes && this.options.stopNodes.length > 0) {
             this.stopNodeExpressions = [];
             for (let t3 = 0; t3 < this.options.stopNodes.length; t3++) {
               const e3 = this.options.stopNodes[t3];
@@ -61211,7 +61207,7 @@ var require_fxp = __commonJS({
           let o2 = s3.tagName;
           const a2 = s3.rawTagName;
           let h2 = s3.tagExp, l2 = s3.attrExpPresent, p2 = s3.closeIndex;
-          if ({ tagName: o2, tagExp: h2 } = rt(this.options.transformTagName, o2, h2, this.options), this.options.strictReservedNames && (o2 === this.options.commentPropName || o2 === this.options.cdataPropName || o2 === this.options.textNodeName || o2 === this.options.attributesGroupName)) throw new Error(`Invalid tag name: ${o2}`);
+          if ({ tagName: o2, tagExp: h2 } = rt(this.options.transformTagName, o2, h2, this.options), this.options.strictReservedNames && (o2 === this.options.commentPropName || o2 === this.options.cdataPropName)) throw new Error(`Invalid tag name: ${o2}`);
           i2 && n2 && "!xml" !== i2.tagname && (n2 = this.saveTextToParentTag(n2, i2, this.matcher, false));
           const u2 = i2;
           u2 && -1 !== this.options.unpairedTags.indexOf(u2.tagname) && (i2 = this.tagsNodeStack.pop(), this.matcher.pop());
@@ -61349,7 +61345,7 @@ var require_fxp = __commonJS({
         if (e2 && "string" == typeof t2) {
           const e3 = t2.trim();
           return "true" === e3 || "false" !== e3 && (function(t3, e4 = {}) {
-            if (e4 = Object.assign({}, M, e4), !t3 || "string" != typeof t3) return t3;
+            if (e4 = Object.assign({}, F, e4), !t3 || "string" != typeof t3) return t3;
             let i3 = t3.trim();
             if (void 0 !== e4.skipLike && e4.skipLike.test(i3)) return t3;
             if ("0" === t3) return 0;
@@ -61359,50 +61355,35 @@ var require_fxp = __commonJS({
               if (window && window.parseInt) return window.parseInt(t4, 16);
               throw new Error("parseInt, Number.parseInt, window.parseInt are not supported");
             })(i3);
-            if (isFinite(i3)) {
-              if (i3.includes("e") || i3.includes("E")) return (function(t4, e5, i4) {
-                if (!i4.eNotation) return t4;
-                const n3 = e5.match(F);
-                if (n3) {
-                  let s2 = n3[1] || "";
-                  const r2 = -1 === n3[3].indexOf("e") ? "E" : "e", o2 = n3[2], a2 = s2 ? t4[o2.length + 1] === r2 : t4[o2.length] === r2;
-                  return o2.length > 1 && a2 ? t4 : (1 !== o2.length || !n3[3].startsWith(`.${r2}`) && n3[3][0] !== r2) && o2.length > 0 ? i4.leadingZeros && !a2 ? (e5 = (n3[1] || "") + n3[3], Number(e5)) : t4 : Number(e5);
-                }
-                return t4;
-              })(t3, i3, e4);
-              {
-                const s2 = k.exec(i3);
-                if (s2) {
-                  const r2 = s2[1] || "", o2 = s2[2];
-                  let a2 = (n2 = s2[3]) && -1 !== n2.indexOf(".") ? ("." === (n2 = n2.replace(/0+$/, "")) ? n2 = "0" : "." === n2[0] ? n2 = "0" + n2 : "." === n2[n2.length - 1] && (n2 = n2.substring(0, n2.length - 1)), n2) : n2;
-                  const h2 = r2 ? "." === t3[o2.length + 1] : "." === t3[o2.length];
-                  if (!e4.leadingZeros && (o2.length > 1 || 1 === o2.length && !h2)) return t3;
-                  {
-                    const n3 = Number(i3), s3 = String(n3);
-                    if (0 === n3) return n3;
-                    if (-1 !== s3.search(/[eE]/)) return e4.eNotation ? n3 : t3;
-                    if (-1 !== i3.indexOf(".")) return "0" === s3 || s3 === a2 || s3 === `${r2}${a2}` ? n3 : t3;
-                    let h3 = o2 ? a2 : i3;
-                    return o2 ? h3 === s3 || r2 + h3 === s3 ? n3 : t3 : h3 === s3 || h3 === r2 + s3 ? n3 : t3;
-                  }
-                }
-                return t3;
+            if (i3.includes("e") || i3.includes("E")) return (function(t4, e5, i4) {
+              if (!i4.eNotation) return t4;
+              const n3 = e5.match(L);
+              if (n3) {
+                let s2 = n3[1] || "";
+                const r2 = -1 === n3[3].indexOf("e") ? "E" : "e", o2 = n3[2], a2 = s2 ? t4[o2.length + 1] === r2 : t4[o2.length] === r2;
+                return o2.length > 1 && a2 ? t4 : 1 !== o2.length || !n3[3].startsWith(`.${r2}`) && n3[3][0] !== r2 ? i4.leadingZeros && !a2 ? (e5 = (n3[1] || "") + n3[3], Number(e5)) : t4 : Number(e5);
               }
+              return t4;
+            })(t3, i3, e4);
+            {
+              const s2 = k.exec(i3);
+              if (s2) {
+                const r2 = s2[1] || "", o2 = s2[2];
+                let a2 = (n2 = s2[3]) && -1 !== n2.indexOf(".") ? ("." === (n2 = n2.replace(/0+$/, "")) ? n2 = "0" : "." === n2[0] ? n2 = "0" + n2 : "." === n2[n2.length - 1] && (n2 = n2.substring(0, n2.length - 1)), n2) : n2;
+                const h2 = r2 ? "." === t3[o2.length + 1] : "." === t3[o2.length];
+                if (!e4.leadingZeros && (o2.length > 1 || 1 === o2.length && !h2)) return t3;
+                {
+                  const n3 = Number(i3), s3 = String(n3);
+                  if (0 === n3) return n3;
+                  if (-1 !== s3.search(/[eE]/)) return e4.eNotation ? n3 : t3;
+                  if (-1 !== i3.indexOf(".")) return "0" === s3 || s3 === a2 || s3 === `${r2}${a2}` ? n3 : t3;
+                  let h3 = o2 ? a2 : i3;
+                  return o2 ? h3 === s3 || r2 + h3 === s3 ? n3 : t3 : h3 === s3 || h3 === r2 + s3 ? n3 : t3;
+                }
+              }
+              return t3;
             }
             var n2;
-            return (function(t4, e5, i4) {
-              const n3 = e5 === 1 / 0;
-              switch (i4.infinity.toLowerCase()) {
-                case "null":
-                  return null;
-                case "infinity":
-                  return e5;
-                case "string":
-                  return n3 ? "Infinity" : "-Infinity";
-                default:
-                  return t4;
-              }
-            })(t3, Number(i3), e4);
           })(t2, i2);
         }
         return void 0 !== t2 ? t2 : "";
@@ -61514,7 +61495,7 @@ var require_fxp = __commonJS({
           const i3 = e2.stopNodes[t3];
           "string" == typeof i3 ? n2.push(new G(i3)) : i3 instanceof G && n2.push(i3);
         }
-        return mt(t2, e2, i2, new L(), n2);
+        return mt(t2, e2, i2, new M(), n2);
       }
       function mt(t2, e2, i2, n2, s2) {
         let r2 = "", o2 = false;
@@ -61662,7 +61643,7 @@ var require_fxp = __commonJS({
         if (this.options.preserveOrder) return gt(t2, this.options);
         {
           Array.isArray(t2) && this.options.arrayNodeName && this.options.arrayNodeName.length > 1 && (t2 = { [this.options.arrayNodeName]: t2 });
-          const e2 = new L();
+          const e2 = new M();
           return this.j2x(t2, 0, e2).val;
         }
       }, Pt.prototype.j2x = function(t2, e2, i2) {
@@ -102716,7 +102697,6 @@ var require_oids = __commonJS({
     _IN("2.5.4.15", "businessCategory");
     _IN("2.5.4.17", "postalCode");
     _IN("2.5.4.42", "givenName");
-    _IN("2.5.4.65", "pseudonym");
     _IN("1.3.6.1.4.1.311.60.2.1.2", "jurisdictionOfIncorporationStateOrProvinceName");
     _IN("1.3.6.1.4.1.311.60.2.1.3", "jurisdictionOfIncorporationCountryName");
     _IN("2.16.840.1.113730.1.1", "nsCertType");
@@ -106329,11 +106309,6 @@ var require_jsbn = __commonJS({
       this.multiplyTo(a, r);
       return r;
     }
-    function bnSquare() {
-      var r = nbi();
-      this.squareTo(r);
-      return r;
-    }
     function bnDivide(a) {
       var r = nbi();
       this.divRemTo(a, r, null);
@@ -106557,9 +106532,6 @@ var require_jsbn = __commonJS({
       return r;
     }
     function bnModInverse(m) {
-      if (this.signum() == 0) {
-        return BigInteger.ZERO;
-      }
       var ac = m.isEven();
       if (this.isEven() && ac || m.signum() == 0) return BigInteger.ZERO;
       var u = m.clone(), v = this.clone();
@@ -106604,7 +106576,7 @@ var require_jsbn = __commonJS({
       if (d.signum() < 0) return d.add(m);
       else return d;
     }
-    var lowprimes = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59, 61, 67, 71, 73, 79, 83, 89, 97, 101, 103, 107, 109, 113, 127, 131, 137, 139, 149, 151, 157, 163, 167, 173, 179, 181, 191, 193, 197, 199, 211, 223, 227, 229, 233, 239, 241, 251, 257, 263, 269, 271, 277, 281, 283, 293, 307, 311, 313, 317, 331, 337, 347, 349, 353, 359, 367, 373, 379, 383, 389, 397, 401, 409, 419, 421, 431, 433, 439, 443, 449, 457, 461, 463, 467, 479, 487, 491, 499, 503, 509, 521, 523, 541, 547, 557, 563, 569, 571, 577, 587, 593, 599, 601, 607, 613, 617, 619, 631, 641, 643, 647, 653, 659, 661, 673, 677, 683, 691, 701, 709, 719, 727, 733, 739, 743, 751, 757, 761, 769, 773, 787, 797, 809, 811, 821, 823, 827, 829, 839, 853, 857, 859, 863, 877, 881, 883, 887, 907, 911, 919, 929, 937, 941, 947, 953, 967, 971, 977, 983, 991, 997];
+    var lowprimes = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59, 61, 67, 71, 73, 79, 83, 89, 97, 101, 103, 107, 109, 113, 127, 131, 137, 139, 149, 151, 157, 163, 167, 173, 179, 181, 191, 193, 197, 199, 211, 223, 227, 229, 233, 239, 241, 251, 257, 263, 269, 271, 277, 281, 283, 293, 307, 311, 313, 317, 331, 337, 347, 349, 353, 359, 367, 373, 379, 383, 389, 397, 401, 409, 419, 421, 431, 433, 439, 443, 449, 457, 461, 463, 467, 479, 487, 491, 499, 503, 509];
     var lplim = (1 << 26) / lowprimes[lowprimes.length - 1];
     function bnIsProbablePrime(t) {
       var i, x = this.abs();
@@ -106702,7 +106674,6 @@ var require_jsbn = __commonJS({
     BigInteger.prototype.pow = bnPow;
     BigInteger.prototype.gcd = bnGCD;
     BigInteger.prototype.isProbablePrime = bnIsProbablePrime;
-    BigInteger.prototype.square = bnSquare;
   }
 });
 
@@ -107898,26 +107869,22 @@ var require_rsa = __commonJS({
         }
         if (options === void 0) {
           options = {
-            _parseAllDigestBytes: true,
-            _skipPaddingChecks: false
+            _parseAllDigestBytes: true
           };
         }
         if (!("_parseAllDigestBytes" in options)) {
           options._parseAllDigestBytes = true;
         }
-        if (!("_skipPaddingChecks" in options)) {
-          options._skipPaddingChecks = false;
-        }
         if (scheme === "RSASSA-PKCS1-V1_5") {
           scheme = {
             verify: function(digest2, d2) {
-              d2 = _decodePkcs1_v1_5(d2, key, true, void 0, options);
+              d2 = _decodePkcs1_v1_5(d2, key, true);
               var obj = asn1.fromDer(d2, {
                 parseAllBytes: options._parseAllDigestBytes
               });
               var capture = {};
               var errors = [];
-              if (!asn1.validate(obj, digestInfoValidator, capture, errors) || obj.value.length !== 2) {
+              if (!asn1.validate(obj, digestInfoValidator, capture, errors)) {
                 var error3 = new Error(
                   "ASN.1 object does not contain a valid RSASSA-PKCS1-v1_5 DigestInfo value."
                 );
@@ -107945,7 +107912,7 @@ var require_rsa = __commonJS({
         } else if (scheme === "NONE" || scheme === "NULL" || scheme === null) {
           scheme = {
             verify: function(digest2, d2) {
-              d2 = _decodePkcs1_v1_5(d2, key, true, void 0, options);
+              d2 = _decodePkcs1_v1_5(d2, key, true);
               return digest2 === d2;
             }
           };
@@ -108237,12 +108204,12 @@ var require_rsa = __commonJS({
       eb.putBytes(m);
       return eb;
     }
-    function _decodePkcs1_v1_5(em, key, pub, ml, options) {
+    function _decodePkcs1_v1_5(em, key, pub, ml) {
       var k = Math.ceil(key.n.bitLength() / 8);
       var eb = forge.util.createBuffer(em);
       var first = eb.getByte();
       var bt = eb.getByte();
-      if (first !== 0 || pub && bt !== 0 && bt !== 1 || !pub && bt !== 2 || pub && bt === 0 && typeof ml === "undefined") {
+      if (first !== 0 || pub && bt !== 0 && bt !== 1 || !pub && bt != 2 || pub && bt === 0 && typeof ml === "undefined") {
         throw new Error("Encryption block is invalid.");
       }
       var padNum = 0;
@@ -108262,9 +108229,6 @@ var require_rsa = __commonJS({
           }
           ++padNum;
         }
-        if (padNum < 8 && !(options ? options._skipPaddingChecks : false)) {
-          throw new Error("Encryption block is invalid.");
-        }
       } else if (bt === 2) {
         padNum = 0;
         while (eb.length() > 1) {
@@ -108274,9 +108238,6 @@ var require_rsa = __commonJS({
           }
           ++padNum;
         }
-        if (padNum < 8 && !(options ? options._skipPaddingChecks : false)) {
-          throw new Error("Encryption block is invalid.");
-        }
       }
       var zero = eb.getByte();
       if (zero !== 0 || padNum !== k - 3 - eb.length()) {
@@ -111734,12 +111695,6 @@ var require_x509 = __commonJS({
               };
             }
           }
-          if (error3 === null && bcExt === null) {
-            error3 = {
-              message: "Certificate is missing basicConstraints extension and cannot be used as a CA.",
-              error: pki2.certificateError.bad_certificate
-            };
-          }
           if (error3 === null && bcExt !== null && !bcExt.cA) {
             error3 = {
               message: "Certificate basicConstraints indicates the certificate is not a CA.",
@@ -115791,9 +115746,6 @@ var require_ed25519 = __commonJS({
       if (unpackneg(q, pk)) {
         return -1;
       }
-      if (!_isCanonicalSignatureScalar(sm, 32)) {
-        return -1;
-      }
       for (i = 0; i < n; ++i) {
         m[i] = sm[i];
       }
@@ -115819,18 +115771,6 @@ var require_ed25519 = __commonJS({
       mlen = n;
       return mlen;
     }
-    function _isCanonicalSignatureScalar(bytes, offset) {
-      var i;
-      for (i = 31; i >= 0; --i) {
-        if (bytes[offset + i] < L[i]) {
-          return true;
-        }
-        if (bytes[offset + i] > L[i]) {
-          return false;
-        }
-      }
-      return false;
-    }
     function modL(r, x) {
       var carry, i, j, k;
       for (i = 63; i >= 32; --i) {
@@ -120718,7 +120658,7 @@ function getTemporaryDirectory() {
   return value !== void 0 && value !== "" ? value : getRequiredEnvParam("RUNNER_TEMP");
 }
 function getActionVersion() {
-  return "4.35.2";
+  return "3.34.1";
 }
 function getWorkflowEventName() {
   return getRequiredEnvParam("GITHUB_EVENT_NAME");
@@ -120965,8 +120905,8 @@ var path = __toESM(require("path"));
 var semver4 = __toESM(require_semver2());
 
 // src/defaults.json
-var bundleVersion = "codeql-bundle-v2.25.1";
-var cliVersion = "2.25.1";
+var bundleVersion = "codeql-bundle-v2.24.3";
+var cliVersion = "2.24.3";
 
 // src/overlay/index.ts
 var actionsCache = __toESM(require_cache5());
@@ -122283,10 +122223,7 @@ function getCredentials(logger, registrySecrets, registriesCredentials, language
         );
       }
     }
-    const noUsername = !hasUsername(authConfig) || !isDefined2(authConfig.username);
-    const passwordIsPAT = isUsernamePassword(authConfig) && isDefined2(authConfig.password) && isPAT(authConfig.password);
-    const tokenIsPAT = isToken(authConfig) && isDefined2(authConfig.token) && isPAT(authConfig.token);
-    if (noUsername && (passwordIsPAT || tokenIsPAT)) {
+    if ((!hasUsername(authConfig) || !isDefined2(authConfig.username)) && isUsernamePassword(authConfig) && isDefined2(authConfig.password) && isPAT(authConfig.password) || isToken(authConfig) && isDefined2(authConfig.token) && isPAT(authConfig.token)) {
       logger.warning(
         `A ${e.type} private registry is configured for ${e.host || e.url} using a GitHub Personal Access Token (PAT), but no username was provided. This may not work correctly. When configuring a private registry using a PAT, select "Username and password" and enter the username of the user who generated the PAT.`
       );

lib/upload-sarif-action-post.js

@@ -41057,18 +41057,18 @@ var init_dist_src2 = __esm({
   }
 });
 
-// node_modules/@octokit/plugin-rest-endpoint-methods/dist-src/version.js
+// node_modules/@actions/github/node_modules/@octokit/plugin-rest-endpoint-methods/dist-src/version.js
 var VERSION5;
 var init_version2 = __esm({
-  "node_modules/@octokit/plugin-rest-endpoint-methods/dist-src/version.js"() {
+  "node_modules/@actions/github/node_modules/@octokit/plugin-rest-endpoint-methods/dist-src/version.js"() {
     VERSION5 = "17.0.0";
   }
 });
 
-// node_modules/@octokit/plugin-rest-endpoint-methods/dist-src/generated/endpoints.js
+// node_modules/@actions/github/node_modules/@octokit/plugin-rest-endpoint-methods/dist-src/generated/endpoints.js
 var Endpoints, endpoints_default;
 var init_endpoints = __esm({
-  "node_modules/@octokit/plugin-rest-endpoint-methods/dist-src/generated/endpoints.js"() {
+  "node_modules/@actions/github/node_modules/@octokit/plugin-rest-endpoint-methods/dist-src/generated/endpoints.js"() {
     Endpoints = {
       actions: {
         addCustomLabelsToSelfHostedRunnerForOrg: [
@@ -43362,7 +43362,7 @@ var init_endpoints = __esm({
   }
 });
 
-// node_modules/@octokit/plugin-rest-endpoint-methods/dist-src/endpoints-to-methods.js
+// node_modules/@actions/github/node_modules/@octokit/plugin-rest-endpoint-methods/dist-src/endpoints-to-methods.js
 function endpointsToMethods(octokit) {
   const newMethods = {};
   for (const scope of endpointMethodsMap.keys()) {
@@ -43413,7 +43413,7 @@ function decorate(octokit, scope, methodName, defaults, decorations) {
 }
 var endpointMethodsMap, handler;
 var init_endpoints_to_methods = __esm({
-  "node_modules/@octokit/plugin-rest-endpoint-methods/dist-src/endpoints-to-methods.js"() {
+  "node_modules/@actions/github/node_modules/@octokit/plugin-rest-endpoint-methods/dist-src/endpoints-to-methods.js"() {
     init_endpoints();
     endpointMethodsMap = /* @__PURE__ */ new Map();
     for (const [scope, endpoints] of Object.entries(endpoints_default)) {
@@ -43491,7 +43491,7 @@ var init_endpoints_to_methods = __esm({
   }
 });
 
-// node_modules/@octokit/plugin-rest-endpoint-methods/dist-src/index.js
+// node_modules/@actions/github/node_modules/@octokit/plugin-rest-endpoint-methods/dist-src/index.js
 var dist_src_exports2 = {};
 __export(dist_src_exports2, {
   legacyRestEndpointMethods: () => legacyRestEndpointMethods,
@@ -43511,7 +43511,7 @@ function legacyRestEndpointMethods(octokit) {
   };
 }
 var init_dist_src3 = __esm({
-  "node_modules/@octokit/plugin-rest-endpoint-methods/dist-src/index.js"() {
+  "node_modules/@actions/github/node_modules/@octokit/plugin-rest-endpoint-methods/dist-src/index.js"() {
     init_version2();
     init_endpoints_to_methods();
     restEndpointMethods.VERSION = VERSION5;
@@ -43519,7 +43519,7 @@ var init_dist_src3 = __esm({
   }
 });
 
-// node_modules/@octokit/plugin-paginate-rest/dist-bundle/index.js
+// node_modules/@actions/github/node_modules/@octokit/plugin-paginate-rest/dist-bundle/index.js
 var dist_bundle_exports = {};
 __export(dist_bundle_exports, {
   composePaginateRest: () => composePaginateRest,
@@ -43645,7 +43645,7 @@ function paginateRest(octokit) {
 }
 var VERSION6, composePaginateRest, paginatingEndpoints;
 var init_dist_bundle5 = __esm({
-  "node_modules/@octokit/plugin-paginate-rest/dist-bundle/index.js"() {
+  "node_modules/@actions/github/node_modules/@octokit/plugin-paginate-rest/dist-bundle/index.js"() {
     VERSION6 = "0.0.0-development";
     composePaginateRest = Object.assign(paginate, {
       iterator
@@ -64242,7 +64242,7 @@ var require_fxp = __commonJS({
         if (a.some((t3) => i2 === t3.toLowerCase())) throw new Error(`[SECURITY] Invalid ${e2}: "${t2}" is a reserved JavaScript keyword that could cause prototype pollution`);
       }
       function A(t2) {
-        return "boolean" == typeof t2 ? { enabled: t2, maxEntitySize: 1e4, maxExpansionDepth: 10, maxTotalExpansions: 1e3, maxExpandedLength: 1e5, maxEntityCount: 100, allowedTags: null, tagFilter: null } : "object" == typeof t2 && null !== t2 ? { enabled: false !== t2.enabled, maxEntitySize: Math.max(1, t2.maxEntitySize ?? 1e4), maxExpansionDepth: Math.max(1, t2.maxExpansionDepth ?? 10), maxTotalExpansions: Math.max(1, t2.maxTotalExpansions ?? 1e3), maxExpandedLength: Math.max(1, t2.maxExpandedLength ?? 1e5), maxEntityCount: Math.max(1, t2.maxEntityCount ?? 100), allowedTags: t2.allowedTags ?? null, tagFilter: t2.tagFilter ?? null } : A(true);
+        return "boolean" == typeof t2 ? { enabled: t2, maxEntitySize: 1e4, maxExpansionDepth: 10, maxTotalExpansions: 1e3, maxExpandedLength: 1e5, maxEntityCount: 100, allowedTags: null, tagFilter: null } : "object" == typeof t2 && null !== t2 ? { enabled: false !== t2.enabled, maxEntitySize: t2.maxEntitySize ?? 1e4, maxExpansionDepth: t2.maxExpansionDepth ?? 10, maxTotalExpansions: t2.maxTotalExpansions ?? 1e3, maxExpandedLength: t2.maxExpandedLength ?? 1e5, maxEntityCount: t2.maxEntityCount ?? 100, allowedTags: t2.allowedTags ?? null, tagFilter: t2.tagFilter ?? null } : A(true);
       }
       const C = function(t2) {
         const e2 = Object.assign({}, P, t2), i2 = [{ value: e2.attributeNamePrefix, name: "attributeNamePrefix" }, { value: e2.attributesGroupName, name: "attributesGroupName" }, { value: e2.textNodeName, name: "textNodeName" }, { value: e2.cdataPropName, name: "cdataPropName" }, { value: e2.commentPropName, name: "commentPropName" }];
@@ -64283,7 +64283,7 @@ var require_fxp = __commonJS({
               if (r2 && _2(t2, "!ENTITY", e2)) {
                 let s3, r3;
                 if (e2 += 7, [s3, r3, e2] = this.readEntityExp(t2, e2 + 1, this.suppressValidationErr), -1 === r3.indexOf("&")) {
-                  if (false !== this.options.enabled && null != this.options.maxEntityCount && n2 >= this.options.maxEntityCount) throw new Error(`Entity count (${n2 + 1}) exceeds maximum allowed (${this.options.maxEntityCount})`);
+                  if (false !== this.options.enabled && this.options.maxEntityCount && n2 >= this.options.maxEntityCount) throw new Error(`Entity count (${n2 + 1}) exceeds maximum allowed (${this.options.maxEntityCount})`);
                   const t3 = s3.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
                   i2[s3] = { regx: RegExp(`&${t3};`, "g"), val: r3 }, n2++;
                 }
@@ -64307,86 +64307,82 @@ var require_fxp = __commonJS({
           return { entities: i2, i: e2 };
         }
         readEntityExp(t2, e2) {
-          const i2 = e2 = j(t2, e2);
-          for (; e2 < t2.length && !/\s/.test(t2[e2]) && '"' !== t2[e2] && "'" !== t2[e2]; ) e2++;
-          let n2 = t2.substring(i2, e2);
-          if (D(n2), e2 = j(t2, e2), !this.suppressValidationErr) {
+          e2 = j(t2, e2);
+          let i2 = "";
+          for (; e2 < t2.length && !/\s/.test(t2[e2]) && '"' !== t2[e2] && "'" !== t2[e2]; ) i2 += t2[e2], e2++;
+          if (D(i2), e2 = j(t2, e2), !this.suppressValidationErr) {
             if ("SYSTEM" === t2.substring(e2, e2 + 6).toUpperCase()) throw new Error("External entities are not supported");
             if ("%" === t2[e2]) throw new Error("Parameter entities are not supported");
           }
-          let s2 = "";
-          if ([e2, s2] = this.readIdentifierVal(t2, e2, "entity"), false !== this.options.enabled && null != this.options.maxEntitySize && s2.length > this.options.maxEntitySize) throw new Error(`Entity "${n2}" size (${s2.length}) exceeds maximum allowed size (${this.options.maxEntitySize})`);
-          return [n2, s2, --e2];
+          let n2 = "";
+          if ([e2, n2] = this.readIdentifierVal(t2, e2, "entity"), false !== this.options.enabled && this.options.maxEntitySize && n2.length > this.options.maxEntitySize) throw new Error(`Entity "${i2}" size (${n2.length}) exceeds maximum allowed size (${this.options.maxEntitySize})`);
+          return [i2, n2, --e2];
         }
         readNotationExp(t2, e2) {
-          const i2 = e2 = j(t2, e2);
-          for (; e2 < t2.length && !/\s/.test(t2[e2]); ) e2++;
-          let n2 = t2.substring(i2, e2);
-          !this.suppressValidationErr && D(n2), e2 = j(t2, e2);
-          const s2 = t2.substring(e2, e2 + 6).toUpperCase();
-          if (!this.suppressValidationErr && "SYSTEM" !== s2 && "PUBLIC" !== s2) throw new Error(`Expected SYSTEM or PUBLIC, found "${s2}"`);
-          e2 += s2.length, e2 = j(t2, e2);
-          let r2 = null, o2 = null;
-          if ("PUBLIC" === s2) [e2, r2] = this.readIdentifierVal(t2, e2, "publicIdentifier"), '"' !== t2[e2 = j(t2, e2)] && "'" !== t2[e2] || ([e2, o2] = this.readIdentifierVal(t2, e2, "systemIdentifier"));
-          else if ("SYSTEM" === s2 && ([e2, o2] = this.readIdentifierVal(t2, e2, "systemIdentifier"), !this.suppressValidationErr && !o2)) throw new Error("Missing mandatory system identifier for SYSTEM notation");
-          return { notationName: n2, publicIdentifier: r2, systemIdentifier: o2, index: --e2 };
+          e2 = j(t2, e2);
+          let i2 = "";
+          for (; e2 < t2.length && !/\s/.test(t2[e2]); ) i2 += t2[e2], e2++;
+          !this.suppressValidationErr && D(i2), e2 = j(t2, e2);
+          const n2 = t2.substring(e2, e2 + 6).toUpperCase();
+          if (!this.suppressValidationErr && "SYSTEM" !== n2 && "PUBLIC" !== n2) throw new Error(`Expected SYSTEM or PUBLIC, found "${n2}"`);
+          e2 += n2.length, e2 = j(t2, e2);
+          let s2 = null, r2 = null;
+          if ("PUBLIC" === n2) [e2, s2] = this.readIdentifierVal(t2, e2, "publicIdentifier"), '"' !== t2[e2 = j(t2, e2)] && "'" !== t2[e2] || ([e2, r2] = this.readIdentifierVal(t2, e2, "systemIdentifier"));
+          else if ("SYSTEM" === n2 && ([e2, r2] = this.readIdentifierVal(t2, e2, "systemIdentifier"), !this.suppressValidationErr && !r2)) throw new Error("Missing mandatory system identifier for SYSTEM notation");
+          return { notationName: i2, publicIdentifier: s2, systemIdentifier: r2, index: --e2 };
         }
         readIdentifierVal(t2, e2, i2) {
           let n2 = "";
           const s2 = t2[e2];
           if ('"' !== s2 && "'" !== s2) throw new Error(`Expected quoted string, found "${s2}"`);
-          const r2 = ++e2;
-          for (; e2 < t2.length && t2[e2] !== s2; ) e2++;
-          if (n2 = t2.substring(r2, e2), t2[e2] !== s2) throw new Error(`Unterminated ${i2} value`);
+          for (e2++; e2 < t2.length && t2[e2] !== s2; ) n2 += t2[e2], e2++;
+          if (t2[e2] !== s2) throw new Error(`Unterminated ${i2} value`);
           return [++e2, n2];
         }
         readElementExp(t2, e2) {
-          const i2 = e2 = j(t2, e2);
-          for (; e2 < t2.length && !/\s/.test(t2[e2]); ) e2++;
-          let n2 = t2.substring(i2, e2);
-          if (!this.suppressValidationErr && !r(n2)) throw new Error(`Invalid element name: "${n2}"`);
-          let s2 = "";
+          e2 = j(t2, e2);
+          let i2 = "";
+          for (; e2 < t2.length && !/\s/.test(t2[e2]); ) i2 += t2[e2], e2++;
+          if (!this.suppressValidationErr && !r(i2)) throw new Error(`Invalid element name: "${i2}"`);
+          let n2 = "";
           if ("E" === t2[e2 = j(t2, e2)] && _2(t2, "MPTY", e2)) e2 += 4;
           else if ("A" === t2[e2] && _2(t2, "NY", e2)) e2 += 2;
           else if ("(" === t2[e2]) {
-            const i3 = ++e2;
-            for (; e2 < t2.length && ")" !== t2[e2]; ) e2++;
-            if (s2 = t2.substring(i3, e2), ")" !== t2[e2]) throw new Error("Unterminated content model");
+            for (e2++; e2 < t2.length && ")" !== t2[e2]; ) n2 += t2[e2], e2++;
+            if (")" !== t2[e2]) throw new Error("Unterminated content model");
           } else if (!this.suppressValidationErr) throw new Error(`Invalid Element Expression, found "${t2[e2]}"`);
-          return { elementName: n2, contentModel: s2.trim(), index: e2 };
+          return { elementName: i2, contentModel: n2.trim(), index: e2 };
         }
         readAttlistExp(t2, e2) {
-          let i2 = e2 = j(t2, e2);
-          for (; e2 < t2.length && !/\s/.test(t2[e2]); ) e2++;
-          let n2 = t2.substring(i2, e2);
-          for (D(n2), i2 = e2 = j(t2, e2); e2 < t2.length && !/\s/.test(t2[e2]); ) e2++;
-          let s2 = t2.substring(i2, e2);
-          if (!D(s2)) throw new Error(`Invalid attribute name: "${s2}"`);
           e2 = j(t2, e2);
-          let r2 = "";
+          let i2 = "";
+          for (; e2 < t2.length && !/\s/.test(t2[e2]); ) i2 += t2[e2], e2++;
+          D(i2), e2 = j(t2, e2);
+          let n2 = "";
+          for (; e2 < t2.length && !/\s/.test(t2[e2]); ) n2 += t2[e2], e2++;
+          if (!D(n2)) throw new Error(`Invalid attribute name: "${n2}"`);
+          e2 = j(t2, e2);
+          let s2 = "";
           if ("NOTATION" === t2.substring(e2, e2 + 8).toUpperCase()) {
-            if (r2 = "NOTATION", "(" !== t2[e2 = j(t2, e2 += 8)]) throw new Error(`Expected '(', found "${t2[e2]}"`);
+            if (s2 = "NOTATION", "(" !== t2[e2 = j(t2, e2 += 8)]) throw new Error(`Expected '(', found "${t2[e2]}"`);
             e2++;
             let i3 = [];
             for (; e2 < t2.length && ")" !== t2[e2]; ) {
-              const n3 = e2;
-              for (; e2 < t2.length && "|" !== t2[e2] && ")" !== t2[e2]; ) e2++;
-              let s3 = t2.substring(n3, e2);
-              if (s3 = s3.trim(), !D(s3)) throw new Error(`Invalid notation name: "${s3}"`);
-              i3.push(s3), "|" === t2[e2] && (e2++, e2 = j(t2, e2));
+              let n3 = "";
+              for (; e2 < t2.length && "|" !== t2[e2] && ")" !== t2[e2]; ) n3 += t2[e2], e2++;
+              if (n3 = n3.trim(), !D(n3)) throw new Error(`Invalid notation name: "${n3}"`);
+              i3.push(n3), "|" === t2[e2] && (e2++, e2 = j(t2, e2));
             }
             if (")" !== t2[e2]) throw new Error("Unterminated list of notations");
-            e2++, r2 += " (" + i3.join("|") + ")";
+            e2++, s2 += " (" + i3.join("|") + ")";
           } else {
-            const i3 = e2;
-            for (; e2 < t2.length && !/\s/.test(t2[e2]); ) e2++;
-            r2 += t2.substring(i3, e2);
-            const n3 = ["CDATA", "ID", "IDREF", "IDREFS", "ENTITY", "ENTITIES", "NMTOKEN", "NMTOKENS"];
-            if (!this.suppressValidationErr && !n3.includes(r2.toUpperCase())) throw new Error(`Invalid attribute type: "${r2}"`);
+            for (; e2 < t2.length && !/\s/.test(t2[e2]); ) s2 += t2[e2], e2++;
+            const i3 = ["CDATA", "ID", "IDREF", "IDREFS", "ENTITY", "ENTITIES", "NMTOKEN", "NMTOKENS"];
+            if (!this.suppressValidationErr && !i3.includes(s2.toUpperCase())) throw new Error(`Invalid attribute type: "${s2}"`);
           }
           e2 = j(t2, e2);
-          let o2 = "";
-          return "#REQUIRED" === t2.substring(e2, e2 + 8).toUpperCase() ? (o2 = "#REQUIRED", e2 += 8) : "#IMPLIED" === t2.substring(e2, e2 + 7).toUpperCase() ? (o2 = "#IMPLIED", e2 += 7) : [e2, o2] = this.readIdentifierVal(t2, e2, "ATTLIST"), { elementName: n2, attributeName: s2, attributeType: r2, defaultValue: o2, index: e2 };
+          let r2 = "";
+          return "#REQUIRED" === t2.substring(e2, e2 + 8).toUpperCase() ? (r2 = "#REQUIRED", e2 += 8) : "#IMPLIED" === t2.substring(e2, e2 + 7).toUpperCase() ? (r2 = "#IMPLIED", e2 += 7) : [e2, r2] = this.readIdentifierVal(t2, e2, "ATTLIST"), { elementName: i2, attributeName: n2, attributeType: s2, defaultValue: r2, index: e2 };
         }
       }
       const j = (t2, e2) => {
@@ -64401,9 +64397,9 @@ var require_fxp = __commonJS({
         if (r(t2)) return t2;
         throw new Error(`Invalid entity name ${t2}`);
       }
-      const V = /^[-+]?0x[a-fA-F0-9]+$/, k = /^([\-\+])?(0*)([0-9]*(\.[0-9]*)?)$/, M = { hex: true, leadingZeros: true, decimalPoint: ".", eNotation: true, infinity: "original" };
-      const F = /^([-+])?(0*)(\d*(\.\d*)?[eE][-\+]?\d+)$/;
-      class L {
+      const V = /^[-+]?0x[a-fA-F0-9]+$/, k = /^([\-\+])?(0*)([0-9]*(\.[0-9]*)?)$/, F = { hex: true, leadingZeros: true, decimalPoint: ".", eNotation: true };
+      const L = /^([-+])?(0*)(\d*(\.\d*)?[eE][-\+]?\d+)$/;
+      class M {
         constructor(t2 = {}) {
           this.separator = t2.separator || ".", this.path = [], this.siblingStacks = [];
         }
@@ -64610,7 +64606,7 @@ var require_fxp = __commonJS({
               if ("string" == typeof i2 && t3 === i2) return true;
               if (i2 instanceof RegExp && i2.test(t3)) return true;
             }
-          } : () => false, this.entityExpansionCount = 0, this.currentExpandedLength = 0, this.matcher = new L(), this.isCurrentNodeStopNode = false, this.options.stopNodes && this.options.stopNodes.length > 0) {
+          } : () => false, this.entityExpansionCount = 0, this.currentExpandedLength = 0, this.matcher = new M(), this.isCurrentNodeStopNode = false, this.options.stopNodes && this.options.stopNodes.length > 0) {
             this.stopNodeExpressions = [];
             for (let t3 = 0; t3 < this.options.stopNodes.length; t3++) {
               const e3 = this.options.stopNodes[t3];
@@ -64721,7 +64717,7 @@ var require_fxp = __commonJS({
           let o2 = s3.tagName;
           const a2 = s3.rawTagName;
           let h2 = s3.tagExp, l2 = s3.attrExpPresent, p2 = s3.closeIndex;
-          if ({ tagName: o2, tagExp: h2 } = rt(this.options.transformTagName, o2, h2, this.options), this.options.strictReservedNames && (o2 === this.options.commentPropName || o2 === this.options.cdataPropName || o2 === this.options.textNodeName || o2 === this.options.attributesGroupName)) throw new Error(`Invalid tag name: ${o2}`);
+          if ({ tagName: o2, tagExp: h2 } = rt(this.options.transformTagName, o2, h2, this.options), this.options.strictReservedNames && (o2 === this.options.commentPropName || o2 === this.options.cdataPropName)) throw new Error(`Invalid tag name: ${o2}`);
           i2 && n2 && "!xml" !== i2.tagname && (n2 = this.saveTextToParentTag(n2, i2, this.matcher, false));
           const u2 = i2;
           u2 && -1 !== this.options.unpairedTags.indexOf(u2.tagname) && (i2 = this.tagsNodeStack.pop(), this.matcher.pop());
@@ -64859,7 +64855,7 @@ var require_fxp = __commonJS({
         if (e2 && "string" == typeof t2) {
           const e3 = t2.trim();
           return "true" === e3 || "false" !== e3 && (function(t3, e4 = {}) {
-            if (e4 = Object.assign({}, M, e4), !t3 || "string" != typeof t3) return t3;
+            if (e4 = Object.assign({}, F, e4), !t3 || "string" != typeof t3) return t3;
             let i3 = t3.trim();
             if (void 0 !== e4.skipLike && e4.skipLike.test(i3)) return t3;
             if ("0" === t3) return 0;
@@ -64869,50 +64865,35 @@ var require_fxp = __commonJS({
               if (window && window.parseInt) return window.parseInt(t4, 16);
               throw new Error("parseInt, Number.parseInt, window.parseInt are not supported");
             })(i3);
-            if (isFinite(i3)) {
-              if (i3.includes("e") || i3.includes("E")) return (function(t4, e5, i4) {
-                if (!i4.eNotation) return t4;
-                const n3 = e5.match(F);
-                if (n3) {
-                  let s2 = n3[1] || "";
-                  const r2 = -1 === n3[3].indexOf("e") ? "E" : "e", o2 = n3[2], a2 = s2 ? t4[o2.length + 1] === r2 : t4[o2.length] === r2;
-                  return o2.length > 1 && a2 ? t4 : (1 !== o2.length || !n3[3].startsWith(`.${r2}`) && n3[3][0] !== r2) && o2.length > 0 ? i4.leadingZeros && !a2 ? (e5 = (n3[1] || "") + n3[3], Number(e5)) : t4 : Number(e5);
-                }
-                return t4;
-              })(t3, i3, e4);
-              {
-                const s2 = k.exec(i3);
-                if (s2) {
-                  const r2 = s2[1] || "", o2 = s2[2];
-                  let a2 = (n2 = s2[3]) && -1 !== n2.indexOf(".") ? ("." === (n2 = n2.replace(/0+$/, "")) ? n2 = "0" : "." === n2[0] ? n2 = "0" + n2 : "." === n2[n2.length - 1] && (n2 = n2.substring(0, n2.length - 1)), n2) : n2;
-                  const h2 = r2 ? "." === t3[o2.length + 1] : "." === t3[o2.length];
-                  if (!e4.leadingZeros && (o2.length > 1 || 1 === o2.length && !h2)) return t3;
-                  {
-                    const n3 = Number(i3), s3 = String(n3);
-                    if (0 === n3) return n3;
-                    if (-1 !== s3.search(/[eE]/)) return e4.eNotation ? n3 : t3;
-                    if (-1 !== i3.indexOf(".")) return "0" === s3 || s3 === a2 || s3 === `${r2}${a2}` ? n3 : t3;
-                    let h3 = o2 ? a2 : i3;
-                    return o2 ? h3 === s3 || r2 + h3 === s3 ? n3 : t3 : h3 === s3 || h3 === r2 + s3 ? n3 : t3;
-                  }
-                }
-                return t3;
+            if (i3.includes("e") || i3.includes("E")) return (function(t4, e5, i4) {
+              if (!i4.eNotation) return t4;
+              const n3 = e5.match(L);
+              if (n3) {
+                let s2 = n3[1] || "";
+                const r2 = -1 === n3[3].indexOf("e") ? "E" : "e", o2 = n3[2], a2 = s2 ? t4[o2.length + 1] === r2 : t4[o2.length] === r2;
+                return o2.length > 1 && a2 ? t4 : 1 !== o2.length || !n3[3].startsWith(`.${r2}`) && n3[3][0] !== r2 ? i4.leadingZeros && !a2 ? (e5 = (n3[1] || "") + n3[3], Number(e5)) : t4 : Number(e5);
               }
+              return t4;
+            })(t3, i3, e4);
+            {
+              const s2 = k.exec(i3);
+              if (s2) {
+                const r2 = s2[1] || "", o2 = s2[2];
+                let a2 = (n2 = s2[3]) && -1 !== n2.indexOf(".") ? ("." === (n2 = n2.replace(/0+$/, "")) ? n2 = "0" : "." === n2[0] ? n2 = "0" + n2 : "." === n2[n2.length - 1] && (n2 = n2.substring(0, n2.length - 1)), n2) : n2;
+                const h2 = r2 ? "." === t3[o2.length + 1] : "." === t3[o2.length];
+                if (!e4.leadingZeros && (o2.length > 1 || 1 === o2.length && !h2)) return t3;
+                {
+                  const n3 = Number(i3), s3 = String(n3);
+                  if (0 === n3) return n3;
+                  if (-1 !== s3.search(/[eE]/)) return e4.eNotation ? n3 : t3;
+                  if (-1 !== i3.indexOf(".")) return "0" === s3 || s3 === a2 || s3 === `${r2}${a2}` ? n3 : t3;
+                  let h3 = o2 ? a2 : i3;
+                  return o2 ? h3 === s3 || r2 + h3 === s3 ? n3 : t3 : h3 === s3 || h3 === r2 + s3 ? n3 : t3;
+                }
+              }
+              return t3;
             }
             var n2;
-            return (function(t4, e5, i4) {
-              const n3 = e5 === 1 / 0;
-              switch (i4.infinity.toLowerCase()) {
-                case "null":
-                  return null;
-                case "infinity":
-                  return e5;
-                case "string":
-                  return n3 ? "Infinity" : "-Infinity";
-                default:
-                  return t4;
-              }
-            })(t3, Number(i3), e4);
           })(t2, i2);
         }
         return void 0 !== t2 ? t2 : "";
@@ -65024,7 +65005,7 @@ var require_fxp = __commonJS({
           const i3 = e2.stopNodes[t3];
           "string" == typeof i3 ? n2.push(new G(i3)) : i3 instanceof G && n2.push(i3);
         }
-        return mt(t2, e2, i2, new L(), n2);
+        return mt(t2, e2, i2, new M(), n2);
       }
       function mt(t2, e2, i2, n2, s2) {
         let r2 = "", o2 = false;
@@ -65172,7 +65153,7 @@ var require_fxp = __commonJS({
         if (this.options.preserveOrder) return gt(t2, this.options);
         {
           Array.isArray(t2) && this.options.arrayNodeName && this.options.arrayNodeName.length > 1 && (t2 = { [this.options.arrayNodeName]: t2 });
-          const e2 = new L();
+          const e2 = new M();
           return this.j2x(t2, 0, e2).val;
         }
       }, Pt.prototype.j2x = function(t2, e2, i2) {
@@ -107819,7 +107800,7 @@ var require_commonjs19 = __commonJS({
     var openPattern = /\\{/g;
     var closePattern = /\\}/g;
     var commaPattern = /\\,/g;
-    var periodPattern = /\\\./g;
+    var periodPattern = /\\./g;
     exports2.EXPANSION_MAX = 1e5;
     function numeric(str2) {
       return !isNaN(str2) ? parseInt(str2, 10) : str2.charCodeAt(0);
@@ -107914,7 +107895,7 @@ var require_commonjs19 = __commonJS({
           const x = numeric(n[0]);
           const y = numeric(n[1]);
           const width = Math.max(n[0].length, n[1].length);
-          let incr = n.length === 3 && n[2] !== void 0 ? Math.max(Math.abs(numeric(n[2])), 1) : 1;
+          let incr = n.length === 3 && n[2] !== void 0 ? Math.abs(numeric(n[2])) : 1;
           let test = lte;
           const reverse = y < x;
           if (reverse) {
@@ -151293,7 +151274,7 @@ var require_brace_expansion2 = __commonJS({
         var x = numeric(n[0]);
         var y = numeric(n[1]);
         var width = Math.max(n[0].length, n[1].length);
-        var incr = n.length == 3 ? Math.max(Math.abs(numeric(n[2])), 1) : 1;
+        var incr = n.length == 3 ? Math.abs(numeric(n[2])) : 1;
         var test = lte;
         var reverse = y < x;
         if (reverse) {
@@ -161498,7 +161479,7 @@ function getTemporaryDirectory() {
   return value !== void 0 && value !== "" ? value : getRequiredEnvParam("RUNNER_TEMP");
 }
 function getActionVersion() {
-  return "4.35.2";
+  return "3.34.1";
 }
 var persistedInputsKey = "persisted_inputs";
 var restoreInputs = function() {

package.json

@@ -1,6 +1,6 @@
 {
   "name": "codeql",
-  "version": "4.35.2",
+  "version": "3.34.1",
   "private": true,
   "description": "CodeQL action",
   "scripts": {
@@ -12,9 +12,7 @@
     "ava": "npm run transpile && ava --verbose",
     "test": "npm run ava -- src/",
     "test-debug": "npm run test -- --timeout=20m",
-    "test-coverage": "c8 npm run test",
-    "transpile": "tsc --build --verbose",
-    "coverage": "c8 report --check-coverage"
+    "transpile": "tsc --build --verbose"
   },
   "license": "MIT",
   "workspaces": [
@@ -32,6 +30,7 @@
     "@actions/io": "^2.0.0",
     "@actions/tool-cache": "^3.0.1",
     "@octokit/plugin-retry": "^8.0.0",
+    "@schemastore/package": "0.0.10",
     "archiver": "^7.0.1",
     "fast-deep-equal": "^3.1.3",
     "follow-redirects": "^1.15.11",
@@ -40,7 +39,7 @@
     "js-yaml": "^4.1.1",
     "jsonschema": "1.4.1",
     "long": "^5.3.2",
-    "node-forge": "^1.4.0",
+    "node-forge": "^1.3.3",
     "semver": "^7.7.4",
     "uuid": "^13.0.0"
   },
@@ -58,20 +57,19 @@
     "@types/semver": "^7.7.1",
     "@types/sinon": "^21.0.0",
     "ava": "^7.0.0",
-    "c8": "^11.0.0",
-    "esbuild": "^0.27.4",
+    "esbuild": "^0.27.3",
     "eslint": "^9.39.2",
     "eslint-import-resolver-typescript": "^3.8.7",
     "eslint-plugin-github": "^6.0.0",
-    "eslint-plugin-import-x": "^4.16.2",
-    "eslint-plugin-jsdoc": "^62.8.0",
+    "eslint-plugin-import-x": "^4.16.1",
+    "eslint-plugin-jsdoc": "^62.7.1",
     "eslint-plugin-no-async-foreach": "^0.1.1",
     "glob": "^11.1.0",
     "globals": "^17.4.0",
     "nock": "^14.0.11",
-    "sinon": "^21.0.3",
+    "sinon": "^21.0.2",
     "typescript": "^5.9.3",
-    "typescript-eslint": "^8.57.1"
+    "typescript-eslint": "^8.57.0"
   },
   "overrides": {
     "@actions/tool-cache": {
@@ -94,10 +92,5 @@
     },
     "brace-expansion@2.0.1": "2.0.2",
     "glob": "^11.1.0"
-  },
-  "c8": {
-    "functions": 80,
-    "lines": 80,
-    "branches": 80
   }
 }

pr-checks/checks/rubocop-multi-language.yml

@@ -5,7 +5,7 @@ versions:
   - default
 steps:
   - name: Set up Ruby
-    uses: ruby/setup-ruby@319994f95fa847cf3fb3cd3dbe89f6dcde9f178f # v1.295.0
+    uses: ruby/setup-ruby@09a7688d3b55cf0e976497ff046b70949eeaccfd # v1.288.0
     with:
       ruby-version: 2.6
   - name: Install Code Scanning integration

pr-checks/config.ts

@@ -1,10 +0,0 @@
-import path from "path";
-
-/** The oldest supported major version of the CodeQL Action. */
-export const OLDEST_SUPPORTED_MAJOR_VERSION = 3;
-
-/** The `pr-checks` directory. */
-export const PR_CHECKS_DIR = __dirname;
-
-/** The path of the file configuring which checks shouldn't be required. */
-export const PR_CHECK_EXCLUDED_FILE = path.join(PR_CHECKS_DIR, "excluded.yml");

pr-checks/excluded.yml

@@ -1,16 +0,0 @@
-# PR checks to exclude from required checks
-contains:
-  - "https://"
-  - "Update"
-  - "ESLint"
-  - "update"
-  - "test-setup-python-scripts"
-is:
-  - "CodeQL"
-  - "Dependabot"
-  - "check-expected-release-files"
-  - "Agent"
-  - "Cleanup artifacts"
-  - "Prepare"
-  - "Upload results"
-  - "Label PR with size"

pr-checks/package.json

@@ -2,15 +2,11 @@
   "private": true,
   "description": "Dependencies for the sync.ts",
   "dependencies": {
-    "@actions/core": "^2.0.3",
-    "@actions/github": "^8.0.1",
-    "@octokit/core": "^7.0.6",
-    "@octokit/plugin-paginate-rest": ">=9.2.2",
-    "@octokit/plugin-rest-endpoint-methods": "^17.0.0",
-    "yaml": "^2.8.3"
+    "yaml": "^2.8.2"
   },
   "devDependencies": {
     "@types/node": "^20.19.9",
-    "tsx": "^4.21.0"
+    "tsx": "^4.21.0",
+    "typescript": "^5.9.3"
   }
 }

pr-checks/release-branches.test.ts

@@ -1,61 +0,0 @@
-#!/usr/bin/env npx tsx
-
-/*
-Tests for the release-branches.ts script
-*/
-
-import * as assert from "node:assert/strict";
-import { describe, it } from "node:test";
-
-import { computeBackportBranches } from "./release-branches";
-
-describe("computeBackportBranches", async () => {
-  await it("rejects invalid major versions", () => {
-    // The majorVersion is expected to be in vN format.
-    assert.throws(() => computeBackportBranches("3", "v4.28.0", 3));
-    assert.throws(() => computeBackportBranches("v3.1", "v4.28.0", 3));
-  });
-
-  await it("rejects invalid latest tags", () => {
-    // The latestTag is expected to be in vN.M.P format.
-    assert.throws(() => computeBackportBranches("v3", "v4", 3));
-    assert.throws(() => computeBackportBranches("v3", "4", 3));
-    assert.throws(() => computeBackportBranches("v3", "v4.28", 3));
-    assert.throws(() => computeBackportBranches("v3", "4.28", 3));
-    assert.throws(() => computeBackportBranches("v3", "4.28.0", 3));
-  });
-
-  await it("sets backport source branch based on major version", () => {
-    // Test that the backport source branch is releases/v{majorVersion}
-    const result = computeBackportBranches("v3", "v4.28.0", 3);
-    assert.equal(result.backportSourceBranch, "releases/v3");
-  });
-
-  await it("no backport targets when major version is the oldest supported", () => {
-    // When majorVersion equals the major version of latestTag and we do not support older major versions,
-    // then there are no older supported branches to backport to.
-    const result = computeBackportBranches("v3", "v3.28.0", 3);
-    assert.deepEqual(result.backportTargetBranches, []);
-  });
-
-  await it("backports to older supported major versions", () => {
-    const result = computeBackportBranches("v4", "v4.1.0", 3);
-    assert.equal(result.backportSourceBranch, "releases/v4");
-    assert.deepEqual(result.backportTargetBranches, ["releases/v3"]);
-  });
-
-  await it("backports to multiple older supported branches", () => {
-    const result = computeBackportBranches("v5", "v5.0.0", 3);
-    assert.equal(result.backportSourceBranch, "releases/v5");
-    assert.deepEqual(result.backportTargetBranches, [
-      "releases/v4",
-      "releases/v3",
-    ]);
-  });
-
-  await it("does not backport when major version is older than latest tag", () => {
-    const result = computeBackportBranches("v2", "v3.28.0", 2);
-    assert.equal(result.backportSourceBranch, "releases/v2");
-    assert.deepEqual(result.backportTargetBranches, []);
-  });
-});

pr-checks/release-branches.ts

@@ -1,121 +0,0 @@
-#!/usr/bin/env npx tsx
-
-import { parseArgs } from "node:util";
-
-import * as core from "@actions/core";
-
-import { OLDEST_SUPPORTED_MAJOR_VERSION } from "./config";
-
-/** The results of checking which release branches to backport to.  */
-export interface BackportInfo {
-  /** The source release branch. */
-  backportSourceBranch: string;
-  /**
-   * The computed release branches we should backport to.
-   * Will be empty if there are no branches we need to backport to.
-   */
-  backportTargetBranches: string[];
-}
-
-/**
- * Compute the backport source and target branches for a release.
- *
- * @param majorVersion - The major version string (e.g. "v4").
- * @param latestTag - The most recent tag published to the repository (e.g. "v4.32.6").
- * @param oldestSupportedMajorVersion - The oldest supported major version number.
- * @returns The names of the source branch and target branches.
- */
-export function computeBackportBranches(
-  majorVersion: string,
-  latestTag: string,
-  oldestSupportedMajorVersion: number,
-): BackportInfo {
-  // Perform some sanity checks on the inputs.
-  // For `majorVersion`, we expect exactly `vN` for some `N`.
-  const majorVersionMatch = majorVersion.match(/^v(\d+)$/);
-  if (!majorVersionMatch) {
-    throw new Error("--major-version value must be in `vN` format.");
-  }
-
-  // For latestTag, we expect something starting with `vN.M.P`
-  const latestTagMatch = latestTag.match(/^v(\d+)\.\d+\.\d+/);
-  if (!latestTagMatch) {
-    throw new Error(
-      `--latest-tag value must be in 'vN.M.P' format, but '${latestTag}' is not.`,
-    );
-  }
-
-  const majorVersionNumber = Number.parseInt(majorVersionMatch[1]);
-  const latestTagMajor = Number.parseInt(latestTagMatch[1]);
-
-  // If this is a primary release, we backport to all supported branches,
-  // so we check whether the majorVersion taken from the package.json
-  // is greater than or equal to the latest tag pulled from the repo.
-  // For example...
-  //     'v1' >= 'v2' is False # we're operating from an older release branch and should not backport
-  //     'v2' >= 'v2' is True  # the normal case where we're updating the current version
-  //     'v3' >= 'v2' is True  # in this case we are making the first release of a new major version
-  const considerBackports = majorVersionNumber >= latestTagMajor;
-
-  const backportSourceBranch = `releases/v${majorVersionNumber}`;
-  const backportTargetBranches: string[] = [];
-
-  if (considerBackports) {
-    for (let i = majorVersionNumber - 1; i > 0; i--) {
-      const branchName = `releases/v${i}`;
-      if (i >= oldestSupportedMajorVersion) {
-        backportTargetBranches.push(branchName);
-      }
-    }
-  }
-
-  return { backportSourceBranch, backportTargetBranches };
-}
-
-async function main() {
-  const { values: options } = parseArgs({
-    options: {
-      // The major version of the release in `vN` format (e.g. `v4`).
-      "major-version": {
-        type: "string",
-      },
-      // The most recent tag published to the repository (e.g. `v4.28.0`).
-      "latest-tag": {
-        type: "string",
-      },
-    },
-    strict: true,
-  });
-
-  if (options["major-version"] === undefined) {
-    throw Error("--major-version is required");
-  }
-  if (options["latest-tag"] === undefined) {
-    throw Error("--latest-tag is required");
-  }
-
-  const majorVersion = options["major-version"];
-  const latestTag = options["latest-tag"];
-
-  console.log(`Major version: ${majorVersion}`);
-  console.log(`Latest tag: ${latestTag}`);
-
-  const result = computeBackportBranches(
-    majorVersion,
-    latestTag,
-    OLDEST_SUPPORTED_MAJOR_VERSION,
-  );
-
-  core.setOutput("backport_source_branch", result.backportSourceBranch);
-  core.setOutput(
-    "backport_target_branches",
-    JSON.stringify(result.backportTargetBranches),
-  );
-
-  process.exit(0);
-}
-
-// Only call `main` if this script was run directly.
-if (require.main === module) {
-  void main();
-}

pr-checks/sync-checks.test.ts

@@ -1,60 +0,0 @@
-#!/usr/bin/env npx tsx
-
-/*
-Tests for the sync-checks.ts script
-*/
-
-import * as assert from "node:assert/strict";
-import { describe, it } from "node:test";
-
-import { CheckInfo, Exclusions, Options, removeExcluded } from "./sync-checks";
-
-const defaultOptions: Options = {
-  apply: false,
-  verbose: false,
-};
-
-const toCheckInfo = (name: string) =>
-  ({ context: name, app_id: -1 }) satisfies CheckInfo;
-
-const expectedPartialMatches = ["PR Check - Foo", "https://example.com"].map(
-  toCheckInfo,
-);
-
-const expectedExactMatches = ["CodeQL", "Update"].map(toCheckInfo);
-
-const testChecks = expectedExactMatches.concat(expectedPartialMatches);
-
-const emptyExclusions: Exclusions = {
-  is: [],
-  contains: [],
-};
-
-describe("removeExcluded", async () => {
-  await it("retains all checks if no exclusions are configured", () => {
-    const retained = removeExcluded(
-      defaultOptions,
-      emptyExclusions,
-      testChecks,
-    );
-    assert.deepEqual(retained, testChecks);
-  });
-
-  await it("removes exact matches", () => {
-    const retained = removeExcluded(
-      defaultOptions,
-      { ...emptyExclusions, is: ["CodeQL", "Update"] },
-      testChecks,
-    );
-    assert.deepEqual(retained, expectedPartialMatches);
-  });
-
-  await it("removes partial matches", () => {
-    const retained = removeExcluded(
-      defaultOptions,
-      { ...emptyExclusions, contains: ["https://", "PR Check"] },
-      testChecks,
-    );
-    assert.deepEqual(retained, expectedExactMatches);
-  });
-});

pr-checks/sync-checks.ts

@@ -1,299 +0,0 @@
-#!/usr/bin/env npx tsx
-
-/** Update the required checks based on the current branch. */
-
-import * as fs from "fs";
-import { parseArgs } from "node:util";
-
-import * as githubUtils from "@actions/github/lib/utils";
-import { type Octokit } from "@octokit/core";
-import { type PaginateInterface } from "@octokit/plugin-paginate-rest";
-import { type Api } from "@octokit/plugin-rest-endpoint-methods";
-import * as yaml from "yaml";
-
-import {
-  OLDEST_SUPPORTED_MAJOR_VERSION,
-  PR_CHECK_EXCLUDED_FILE,
-} from "./config";
-
-/** Represents the command-line options. */
-export interface Options {
-  /** The token to use to authenticate to the GitHub API. */
-  token?: string;
-  /** The git ref to use the checks for. */
-  ref?: string;
-  /** Whether to actually apply the changes or not. */
-  apply: boolean;
-  /** Whether to output additional information. */
-  verbose: boolean;
-}
-
-/** Identifies the CodeQL Action repository. */
-const codeqlActionRepo = {
-  owner: "github",
-  repo: "codeql-action",
-};
-
-/** Represents a configuration of which checks should not be set up as required checks. */
-export interface Exclusions {
-  /** A list of strings that, if contained in a check name, are excluded. */
-  contains: string[];
-  /** A list of check names that are excluded if their name is an exact match. */
-  is: string[];
-}
-
-/** Loads the configuration for which checks to exclude. */
-function loadExclusions(): Exclusions {
-  return yaml.parse(
-    fs.readFileSync(PR_CHECK_EXCLUDED_FILE, "utf-8"),
-  ) as Exclusions;
-}
-
-/** The type of the Octokit client. */
-type ApiClient = Octokit & Api & { paginate: PaginateInterface };
-
-/** Constructs an `ApiClient` using `token` for authentication. */
-function getApiClient(token: string): ApiClient {
-  const opts = githubUtils.getOctokitOptions(token);
-  return new githubUtils.GitHub(opts);
-}
-
-/**
- * Represents information about a check run. We track the `app_id` that generated the check,
- * because the API will require it in addition to the name in the future.
- */
-export interface CheckInfo {
-  /** The display name of the check. */
-  context: string;
-  /** The ID of the app that generated the check. */
-  app_id: number;
-}
-
-/** Removes entries from `checkInfos` based on the configuration. */
-export function removeExcluded(
-  options: Options,
-  exclusions: Exclusions,
-  checkInfos: CheckInfo[],
-): CheckInfo[] {
-  if (options.verbose) {
-    console.log(exclusions);
-  }
-
-  return checkInfos.filter((checkInfo) => {
-    if (exclusions.is.includes(checkInfo.context)) {
-      console.info(
-        `Excluding '${checkInfo.context}' because it is an exact exclusion.`,
-      );
-      return false;
-    }
-
-    for (const containsStr of exclusions.contains) {
-      if (checkInfo.context.includes(containsStr)) {
-        console.info(
-          `Excluding '${checkInfo.context}' because it contains '${containsStr}'.`,
-        );
-        return false;
-      }
-    }
-
-    // Keep.
-    return true;
-  });
-}
-
-/** Gets a list of check run names for `ref`. */
-async function getChecksFor(
-  options: Options,
-  client: ApiClient,
-  ref: string,
-): Promise<CheckInfo[]> {
-  console.info(`Getting checks for '${ref}'`);
-
-  const response = await client.paginate(
-    "GET /repos/{owner}/{repo}/commits/{ref}/check-runs",
-    {
-      ...codeqlActionRepo,
-      ref,
-    },
-  );
-
-  if (response.length === 0) {
-    throw new Error(`No checks found for '${ref}'.`);
-  }
-
-  console.info(`Retrieved ${response.length} check runs.`);
-
-  const notSkipped = response.filter(
-    (checkRun) => checkRun.conclusion !== "skipped",
-  );
-  console.info(`Of those: ${notSkipped.length} were not skipped.`);
-
-  // We use the ID of the app that generated the check run when returned by the API,
-  // but default to -1 to tell the API that any check with the given name should be
-  // required.
-  const checkInfos = notSkipped.map((check) => ({
-    context: check.name,
-    app_id: check.app?.id || -1,
-  }));
-
-  // Load the configuration for which checks to exclude and apply it before
-  // returning the checks.
-  const exclusions = loadExclusions();
-  return removeExcluded(options, exclusions, checkInfos);
-}
-
-/** Gets the current list of release branches. */
-async function getReleaseBranches(client: ApiClient): Promise<string[]> {
-  const refs = await client.rest.git.listMatchingRefs({
-    ...codeqlActionRepo,
-    ref: "heads/releases/v",
-  });
-  return refs.data.map((ref) => ref.ref).sort();
-}
-
-/** Updates the required status checks for `branch` to `checks`. */
-async function patchBranchProtectionRule(
-  client: ApiClient,
-  branch: string,
-  checks: Set<string>,
-) {
-  await client.rest.repos.setStatusCheckContexts({
-    ...codeqlActionRepo,
-    branch,
-    contexts: Array.from(checks),
-  });
-}
-
-/** Sets `checkNames` as required checks for `branch`. */
-async function updateBranch(
-  options: Options,
-  client: ApiClient,
-  branch: string,
-  checkNames: Set<string>,
-) {
-  console.info(`Updating '${branch}'...`);
-
-  // Query the current set of required checks for this branch.
-  const currentContexts = await client.rest.repos.getAllStatusCheckContexts({
-    ...codeqlActionRepo,
-    branch,
-  });
-
-  // Identify which required checks we will remove and which ones we will add.
-  const currentCheckNames = new Set(currentContexts.data);
-  let additions = 0;
-  let removals = 0;
-  let unchanged = 0;
-
-  for (const currentCheck of currentCheckNames) {
-    if (!checkNames.has(currentCheck)) {
-      console.info(`- Removing '${currentCheck}' for branch '${branch}'`);
-      removals++;
-    } else {
-      unchanged++;
-    }
-  }
-  for (const newCheck of checkNames) {
-    if (!currentCheckNames.has(newCheck)) {
-      console.info(`+ Adding '${newCheck}' for branch '${branch}'`);
-      additions++;
-    }
-  }
-
-  console.info(
-    `For '${branch}': ${removals} removals; ${additions} additions; ${unchanged} unchanged`,
-  );
-
-  // Perform the update if there are changes and `--apply` was specified.
-  if (unchanged === checkNames.size && removals === 0 && additions === 0) {
-    console.info("Not applying changes because there is nothing to do.");
-  } else if (options.apply) {
-    await patchBranchProtectionRule(client, branch, checkNames);
-  } else {
-    console.info("Not applying changes because `--apply` was not specified.");
-  }
-}
-
-async function main(): Promise<void> {
-  const { values: options } = parseArgs({
-    options: {
-      // The token to use to authenticate to the API.
-      token: {
-        type: "string",
-      },
-      // The git ref for which to retrieve the check runs.
-      ref: {
-        type: "string",
-        default: "main",
-      },
-      // By default, we perform a dry-run. Setting `apply` to `true` actually applies the changes.
-      apply: {
-        type: "boolean",
-        default: false,
-      },
-      // Whether to output additional information.
-      verbose: {
-        type: "boolean",
-        default: false,
-      },
-    },
-    strict: true,
-  });
-
-  if (options.token === undefined) {
-    throw new Error("Missing --token");
-  }
-
-  console.info(
-    `Oldest supported major version is: ${OLDEST_SUPPORTED_MAJOR_VERSION}`,
-  );
-
-  // Initialise the API client.
-  const client = getApiClient(options.token);
-
-  // Find the check runs for the specified `ref` that we will later set as the required checks
-  // for the main and release branches.
-  const checkInfos = await getChecksFor(options, client, options.ref);
-  const checkNames = new Set(checkInfos.map((info) => info.context));
-
-  // Update the main branch.
-  await updateBranch(options, client, "main", checkNames);
-
-  // Retrieve the refs of the release branches.
-  const releaseBranches = await getReleaseBranches(client);
-  console.info(
-    `Found ${releaseBranches.length} release branches: ${releaseBranches.join(", ")}`,
-  );
-
-  for (const releaseBranchRef of releaseBranches) {
-    // Sanity check that the ref name is in the expected format and extract the major version.
-    const releaseBranchMatch = releaseBranchRef.match(
-      /^refs\/heads\/(releases\/v(\d+))/,
-    );
-    if (!releaseBranchMatch) {
-      console.warn(
-        `Branch ref '${releaseBranchRef}' not in the expected format.`,
-      );
-      continue;
-    }
-    const releaseBranch = releaseBranchMatch[1];
-    const releaseBranchMajor = Number.parseInt(releaseBranchMatch[2]);
-
-    // Update the required checks for this major version if it is still supported.
-    if (releaseBranchMajor < OLDEST_SUPPORTED_MAJOR_VERSION) {
-      console.info(
-        `Skipping '${releaseBranch}' since it is older than v${OLDEST_SUPPORTED_MAJOR_VERSION}`,
-      );
-      continue;
-    } else {
-      await updateBranch(options, client, releaseBranch, checkNames);
-    }
-  }
-
-  process.exit(0);
-}
-
-// Only call `main` if this script was run directly.
-if (require.main === module) {
-  void main();
-}

resolve-environment/action.yml

@@ -21,5 +21,5 @@ outputs:
   environment:
     description: The inferred build environment configuration.
 runs:
-  using: node24
+  using: node20
   main: '../lib/resolve-environment-action.js'

setup-codeql/action.yml

@@ -35,5 +35,5 @@ outputs:
   codeql-version:
     description: The version of the CodeQL binary that was installed.
 runs:
-  using: node24
+  using: node20
   main: '../lib/setup-codeql-action.js'

src/actions-util.ts

@@ -53,12 +53,6 @@ export function getTemporaryDirectory(): string {
     : getRequiredEnvParam("RUNNER_TEMP");
 }
 
-const PR_DIFF_RANGE_JSON_FILENAME = "pr-diff-range.json";
-
-export function getDiffRangesJsonFilePath(): string {
-  return path.join(getTemporaryDirectory(), PR_DIFF_RANGE_JSON_FILENAME);
-}
-
 export function getActionVersion(): string {
   return __CODEQL_ACTION_VERSION__;
 }

src/analyze-action.ts

@@ -28,6 +28,7 @@ import {
   DependencyCacheUploadStatusReport,
   uploadDependencyCaches,
 } from "./dependency-caching";
+import { getDiffInformedAnalysisBranches } from "./diff-informed-analysis-utils";
 import { EnvVar } from "./environment";
 import { initFeatures } from "./feature-flags";
 import { KnownLanguage } from "./languages";
@@ -304,8 +305,14 @@ async function run(startedAt: Date) {
       logger,
     );
 
-    // Setup diff informed analysis if needed (based on whether init created the file)
-    const diffRangePackDir = await setupDiffInformedQueryRun(logger);
+    const branches = await getDiffInformedAnalysisBranches(
+      codeql,
+      features,
+      logger,
+    );
+    const diffRangePackDir = branches
+      ? await setupDiffInformedQueryRun(branches, logger)
+      : undefined;
 
     await warnIfGoInstalledAfterInit(config, logger);
     await runAutobuildIfLegacyGoWorkflow(config, logger);

src/analyze.ts

@@ -5,7 +5,11 @@ import { performance } from "perf_hooks";
 import * as io from "@actions/io";
 import * as yaml from "js-yaml";
 
-import { getTemporaryDirectory, getRequiredInput } from "./actions-util";
+import {
+  getTemporaryDirectory,
+  getRequiredInput,
+  PullRequestBranches,
+} from "./actions-util";
 import * as analyses from "./analyses";
 import { setupCppAutobuild } from "./autobuild";
 import { type CodeQL } from "./codeql";
@@ -17,7 +21,8 @@ import {
 import { addDiagnostic, makeDiagnostic } from "./diagnostics";
 import {
   DiffThunkRange,
-  readDiffRangesJsonFile,
+  writeDiffRangesJsonFile,
+  getPullRequestEditedDiffRanges,
 } from "./diff-informed-analysis-utils";
 import { EnvVar } from "./environment";
 import { FeatureEnablement, Feature } from "./feature-flags";
@@ -232,19 +237,16 @@ async function finalizeDatabaseCreation(
  * the diff range information, or `undefined` if the feature is disabled.
  */
 export async function setupDiffInformedQueryRun(
+  branches: PullRequestBranches,
   logger: Logger,
 ): Promise<string | undefined> {
   return await withGroupAsync(
     "Generating diff range extension pack",
     async () => {
-      const diffRanges = readDiffRangesJsonFile(logger);
-      if (diffRanges === undefined) {
-        logger.info(
-          "No precomputed diff ranges found; skipping diff-informed analysis stage.",
-        );
-        return undefined;
-      }
-
+      logger.info(
+        `Calculating diff ranges for ${branches.base}...${branches.head}`,
+      );
+      const diffRanges = await getPullRequestEditedDiffRanges(branches, logger);
       const checkoutPath = getRequiredInput("checkout_path");
       const packDir = writeDiffRangeDataExtensionPack(
         logger,
@@ -366,6 +368,10 @@ dataExtensions:
     `Wrote pr-diff-range extension pack to ${extensionFilePath}:\n${extensionContents}`,
   );
 
+  // Write the diff ranges to a JSON file, for action-side alert filtering by the
+  // upload-lib module.
+  writeDiffRangesJsonFile(logger, ranges);
+
   return diffRangeDir;
 }
 

src/artifact-scanner.test.ts

@@ -143,7 +143,7 @@ test("scanArtifactsForTokens handles files without tokens", async (t) => {
 
 if (os.platform() !== "win32") {
   test("scanArtifactsForTokens finds token in debug artifacts", async (t) => {
-    t.timeout(30 * 1000); // 30 seconds
+    t.timeout(15000); // 15 seconds
     const messages: LoggedMessage[] = [];
     const logger = getRecordingLogger(messages, { logToConsole: false });
     // The zip here is a regression test based on

src/config-utils.test.ts

@@ -1936,7 +1936,7 @@ test.serial(
   "Fallback due to old git version",
   {
     overlayDatabaseEnvVar: "overlay",
-    gitVersion: new GitVersionInfo("2.10.0", "2.10.0"), // Version below required 2.11.0
+    gitVersion: new GitVersionInfo("2.30.0", "2.30.0"), // Version below required 2.38.0
   },
   {
     disabledReason: OverlayDisabledReason.IncompatibleGit,

src/defaults.json

@@ -1,6 +1,6 @@
 {
-  "bundleVersion": "codeql-bundle-v2.25.1",
-  "cliVersion": "2.25.1",
-  "priorBundleVersion": "codeql-bundle-v2.24.3",
-  "priorCliVersion": "2.24.3"
+  "bundleVersion": "codeql-bundle-v2.24.3",
+  "cliVersion": "2.24.3",
+  "priorBundleVersion": "codeql-bundle-v2.24.2",
+  "priorCliVersion": "2.24.2"
 }

src/diff-informed-analysis-utils.ts

@@ -1,4 +1,5 @@
 import * as fs from "fs";
+import * as path from "path";
 
 import * as actionsUtil from "./actions-util";
 import type { PullRequestBranches } from "./actions-util";
@@ -76,12 +77,16 @@ export interface DiffThunkRange {
   endLine: number;
 }
 
+function getDiffRangesJsonFilePath(): string {
+  return path.join(actionsUtil.getTemporaryDirectory(), "pr-diff-range.json");
+}
+
 export function writeDiffRangesJsonFile(
   logger: Logger,
   ranges: DiffThunkRange[],
 ): void {
   const jsonContents = JSON.stringify(ranges, null, 2);
-  const jsonFilePath = actionsUtil.getDiffRangesJsonFilePath();
+  const jsonFilePath = getDiffRangesJsonFilePath();
   fs.writeFileSync(jsonFilePath, jsonContents);
   logger.debug(
     `Wrote pr-diff-range JSON file to ${jsonFilePath}:\n${jsonContents}`,
@@ -91,7 +96,7 @@ export function writeDiffRangesJsonFile(
 export function readDiffRangesJsonFile(
   logger: Logger,
 ): DiffThunkRange[] | undefined {
-  const jsonFilePath = actionsUtil.getDiffRangesJsonFilePath();
+  const jsonFilePath = getDiffRangesJsonFilePath();
   if (!fs.existsSync(jsonFilePath)) {
     logger.debug(`Diff ranges JSON file does not exist at ${jsonFilePath}`);
     return undefined;
@@ -100,14 +105,7 @@ export function readDiffRangesJsonFile(
   logger.debug(
     `Read pr-diff-range JSON file from ${jsonFilePath}:\n${jsonContents}`,
   );
-  try {
-    return JSON.parse(jsonContents) as DiffThunkRange[];
-  } catch (e) {
-    logger.warning(
-      `Failed to parse diff ranges JSON file at ${jsonFilePath}: ${e}`,
-    );
-    return undefined;
-  }
+  return JSON.parse(jsonContents) as DiffThunkRange[];
 }
 
 /**

src/git-utils.test.ts

@@ -347,9 +347,9 @@ test.serial("getFileOidsUnderPath returns correct file mapping", async (t) => {
   const runGitCommandStub = sinon
     .stub(gitUtils as any, "runGitCommand")
     .resolves(
-      "100644 30d998ded095371488be3a729eb61d86ed721a18 0\tlib/git-utils.js\n" +
-        "100644 d89514599a9a99f22b4085766d40af7b99974827 0\tlib/git-utils.js.map\n" +
-        "100644 a47c11f5bfdca7661942d2c8f1b7209fb0dfdf96 0\tsrc/git-utils.ts",
+      "30d998ded095371488be3a729eb61d86ed721a18_lib/git-utils.js\n" +
+        "d89514599a9a99f22b4085766d40af7b99974827_lib/git-utils.js.map\n" +
+        "a47c11f5bfdca7661942d2c8f1b7209fb0dfdf96_src/git-utils.ts",
     );
 
   const result = await gitUtils.getFileOidsUnderPath("/fake/path");
@@ -362,7 +362,7 @@ test.serial("getFileOidsUnderPath returns correct file mapping", async (t) => {
 
   t.deepEqual(runGitCommandStub.firstCall.args, [
     "/fake/path",
-    ["ls-files", "--recurse-submodules", "--stage"],
+    ["ls-files", "--recurse-submodules", "--format=%(objectname)_%(path)"],
     "Cannot list Git OIDs of tracked files.",
   ]);
 });
@@ -371,9 +371,9 @@ test.serial("getFileOidsUnderPath handles quoted paths", async (t) => {
   sinon
     .stub(gitUtils as any, "runGitCommand")
     .resolves(
-      "100644 30d998ded095371488be3a729eb61d86ed721a18 0\tlib/normal-file.js\n" +
-        '100644 d89514599a9a99f22b4085766d40af7b99974827 0\t"lib/file with spaces.js"\n' +
-        '100644 a47c11f5bfdca7661942d2c8f1b7209fb0dfdf96 0\t"lib/file\\twith\\ttabs.js"',
+      "30d998ded095371488be3a729eb61d86ed721a18_lib/normal-file.js\n" +
+        'd89514599a9a99f22b4085766d40af7b99974827_"lib/file with spaces.js"\n' +
+        'a47c11f5bfdca7661942d2c8f1b7209fb0dfdf96_"lib/file\\twith\\ttabs.js"',
     );
 
   const result = await gitUtils.getFileOidsUnderPath("/fake/path");
@@ -398,9 +398,9 @@ test.serial(
     sinon
       .stub(gitUtils as any, "runGitCommand")
       .resolves(
-        "100644 30d998ded095371488be3a729eb61d86ed721a18 0\tlib/git-utils.js\n" +
+        "30d998ded095371488be3a729eb61d86ed721a18_lib/git-utils.js\n" +
           "invalid-line-format\n" +
-          "100644 a47c11f5bfdca7661942d2c8f1b7209fb0dfdf96 0\tsrc/git-utils.ts",
+          "a47c11f5bfdca7661942d2c8f1b7209fb0dfdf96_src/git-utils.ts",
       );
 
     await t.throwsAsync(

src/git-utils.ts

@@ -14,11 +14,10 @@ import {
 import { ConfigurationError, getRequiredEnvParam } from "./util";
 
 /**
- * Minimum Git version required for overlay analysis. Support for using the `git ls-files
- * --recurse-submodules` option with `--stage` was added in Git 2.36.0. For more information, see
- * `getFileOidsUnderPath`.
+ * Minimum Git version required for overlay analysis. The `git ls-files --format`
+ * option, which is used by `getFileOidsUnderPath`, was introduced in Git 2.38.0.
  */
-export const GIT_MINIMUM_VERSION_FOR_OVERLAY = "2.36.0";
+export const GIT_MINIMUM_VERSION_FOR_OVERLAY = "2.38.0";
 
 /**
  * Git version information
@@ -253,28 +252,24 @@ export const getGitRoot = async function (
  *
  * @param basePath A path into the Git repository.
  * @returns a map from file paths (relative to `basePath`) to Git OIDs.
- * @throws {Error} if "git ls-files" produces unexpected output.
+ * @throws {Error} if "git ls-tree" produces unexpected output.
  */
 export const getFileOidsUnderPath = async function (
   basePath: string,
 ): Promise<{ [key: string]: string }> {
   // Without the --full-name flag, the path is relative to the current working
   // directory of the git command, which is basePath.
-  //
-  // We use --stage rather than --format here because --stage has been available since Git 2.36.0,
-  // while --format was only introduced in Git 2.38.0.
   const stdout = await runGitCommand(
     basePath,
-    ["ls-files", "--recurse-submodules", "--stage"],
+    ["ls-files", "--recurse-submodules", "--format=%(objectname)_%(path)"],
     "Cannot list Git OIDs of tracked files.",
   );
 
   const fileOidMap: { [key: string]: string } = {};
-  // With --stage, the output is a list of lines like:
-  // 100644 4c51bc1d9e86cd86e01b0f340cb8ce095c33b283 0\tsrc/git-utils.test.ts
-  // 100644 6b792ea543ce75d7a8a03df591e3c85311ecb64f 0\tsrc/git-utils.ts
-  // The fields are: <mode> <oid> <stage>\t<path>
-  const regex = /^[0-9]+ ([0-9a-f]{40}) [0-9]+\t(.+)$/;
+  // With --format=%(objectname)_%(path), the output is a list of lines like:
+  // 30d998ded095371488be3a729eb61d86ed721a18_lib/git-utils.js
+  // d89514599a9a99f22b4085766d40af7b99974827_lib/git-utils.js.map
+  const regex = /^([0-9a-f]{40})_(.+)$/;
   for (const line of stdout.split("\n")) {
     if (line) {
       const match = line.match(regex);

src/init-action.ts

@@ -37,11 +37,6 @@ import {
   makeDiagnostic,
   makeTelemetryDiagnostic,
 } from "./diagnostics";
-import {
-  getDiffInformedAnalysisBranches,
-  getPullRequestEditedDiffRanges,
-  writeDiffRangesJsonFile,
-} from "./diff-informed-analysis-utils";
 import { EnvVar } from "./environment";
 import { Feature, FeatureEnablement, initFeatures } from "./feature-flags";
 import {
@@ -59,7 +54,7 @@ import {
   runDatabaseInitCluster,
 } from "./init";
 import { JavaEnvVars, KnownLanguage } from "./languages";
-import { getActionsLogger, Logger, withGroupAsync } from "./logging";
+import { getActionsLogger, Logger } from "./logging";
 import {
   downloadOverlayBaseDatabaseFromCache,
   OverlayBaseDatabaseDownloadStats,
@@ -418,7 +413,6 @@ async function run(startedAt: Date) {
     }
 
     await checkInstallPython311(config.languages, codeql);
-    await computeAndPersistDiffRanges(codeql, features, logger);
   } catch (unwrappedError) {
     const error = wrapError(unwrappedError);
     core.setFailed(error.message);
@@ -839,42 +833,6 @@ async function loadRepositoryProperties(
   }
 }
 
-/**
- * Compute and persist diff ranges when diff-informed analysis is enabled
- * (feature flag + PR context). This writes the standard pr-diff-range.json
- * file for later reuse in the analyze step. Failures are logged but non-fatal.
- */
-async function computeAndPersistDiffRanges(
-  codeql: CodeQL,
-  features: FeatureEnablement,
-  logger: Logger,
-): Promise<void> {
-  await withGroupAsync("Computing PR diff ranges", async () => {
-    try {
-      const branches = await getDiffInformedAnalysisBranches(
-        codeql,
-        features,
-        logger,
-      );
-      if (!branches) {
-        return;
-      }
-      const ranges = await getPullRequestEditedDiffRanges(branches, logger);
-      if (ranges === undefined) {
-        return;
-      }
-      writeDiffRangesJsonFile(logger, ranges);
-      const distinctFiles = new Set(ranges.map((r) => r.path)).size;
-      logger.info(
-        `Persisted ${ranges.length} diff range(s) across ${distinctFiles} file(s).`,
-      );
-    } catch (e) {
-      logger.warning(
-        `Failed to compute and persist PR diff ranges: ${getErrorMessage(e)}`,
-      );
-    }
-  });
-}
 async function recordZstdAvailability(
   config: configUtils.Config,
   zstdAvailability: ZstdAvailability,

src/overlay/index.test.ts

@@ -34,14 +34,12 @@ test.serial(
   "writeOverlayChangesFile generates correct changes file",
   async (t) => {
     await withTmpDir(async (tmpDir) => {
-      const [dbLocation, sourceRoot, tempDir] = ["db", "src", "temp"].map((d) =>
-        path.join(tmpDir, d),
-      );
-      await Promise.all(
-        [dbLocation, sourceRoot, tempDir].map((d) =>
-          fs.promises.mkdir(d, { recursive: true }),
-        ),
-      );
+      const dbLocation = path.join(tmpDir, "db");
+      await fs.promises.mkdir(dbLocation, { recursive: true });
+      const sourceRoot = path.join(tmpDir, "src");
+      await fs.promises.mkdir(sourceRoot, { recursive: true });
+      const tempDir = path.join(tmpDir, "temp");
+      await fs.promises.mkdir(tempDir, { recursive: true });
 
       const logger = getRunnerLogger(true);
       const config = createTestConfig({ dbLocation });
@@ -72,16 +70,9 @@ test.serial(
 
       // Write the overlay changes file, which uses the mocked overlay OIDs
       // and the base database OIDs file
-      const diffRangeFilePath = path.join(tempDir, "pr-diff-range.json");
       const getTempDirStub = sinon
         .stub(actionsUtil, "getTemporaryDirectory")
         .returns(tempDir);
-      const getDiffRangesStub = sinon
-        .stub(actionsUtil, "getDiffRangesJsonFilePath")
-        .returns(diffRangeFilePath);
-      const getGitRootStub = sinon
-        .stub(gitUtils, "getGitRoot")
-        .resolves(sourceRoot);
       const changesFilePath = await writeOverlayChangesFile(
         config,
         sourceRoot,
@@ -89,8 +80,6 @@ test.serial(
       );
       getFileOidsStubForOverlay.restore();
       getTempDirStub.restore();
-      getDiffRangesStub.restore();
-      getGitRootStub.restore();
 
       const fileContent = await fs.promises.readFile(changesFilePath, "utf-8");
       const parsedContent = JSON.parse(fileContent) as { changes: string[] };
@@ -104,247 +93,6 @@ test.serial(
   },
 );
 
-test.serial(
-  "writeOverlayChangesFile merges additional diff files into overlay changes",
-  async (t) => {
-    await withTmpDir(async (tmpDir) => {
-      const [dbLocation, sourceRoot, tempDir] = ["db", "src", "temp"].map((d) =>
-        path.join(tmpDir, d),
-      );
-      await Promise.all(
-        [dbLocation, sourceRoot, tempDir].map((d) =>
-          fs.promises.mkdir(d, { recursive: true }),
-        ),
-      );
-
-      const logger = getRunnerLogger(true);
-      const config = createTestConfig({ dbLocation });
-
-      // Mock the getFileOidsUnderPath function to return base OIDs
-      // "reverted.js" has the same OID in both base and current, simulating
-      // a revert PR where the file content matches the overlay-base
-      const baseOids = {
-        "unchanged.js": "aaa111",
-        "modified.js": "bbb222",
-        "reverted.js": "eee555",
-      };
-      const getFileOidsStubForBase = sinon
-        .stub(gitUtils, "getFileOidsUnderPath")
-        .resolves(baseOids);
-
-      // Write the base database OIDs file
-      await writeBaseDatabaseOidsFile(config, sourceRoot);
-      getFileOidsStubForBase.restore();
-
-      // Mock the getFileOidsUnderPath function to return overlay OIDs
-      // "reverted.js" has the same OID as the base -- OID comparison alone
-      // would NOT include it, only additionalChangedFiles causes it to appear
-      const currentOids = {
-        "unchanged.js": "aaa111",
-        "modified.js": "ddd444", // Changed OID
-        "reverted.js": "eee555", // Same OID as base -- not detected by OID comparison
-      };
-      const getFileOidsStubForOverlay = sinon
-        .stub(gitUtils, "getFileOidsUnderPath")
-        .resolves(currentOids);
-
-      const diffRangeFilePath = path.join(tempDir, "pr-diff-range.json");
-      const getTempDirStub = sinon
-        .stub(actionsUtil, "getTemporaryDirectory")
-        .returns(tempDir);
-      const getDiffRangesStub = sinon
-        .stub(actionsUtil, "getDiffRangesJsonFilePath")
-        .returns(diffRangeFilePath);
-      const getGitRootStub = sinon
-        .stub(gitUtils, "getGitRoot")
-        .resolves(sourceRoot);
-
-      // Write a pr-diff-range.json file with diff ranges including
-      // "reverted.js" (unchanged OIDs) and "modified.js" (already in OID changes)
-      await fs.promises.writeFile(
-        diffRangeFilePath,
-        JSON.stringify([
-          { path: "reverted.js", startLine: 1, endLine: 10 },
-          { path: "modified.js", startLine: 1, endLine: 5 },
-          { path: "diff-only.js", startLine: 1, endLine: 3 },
-        ]),
-      );
-
-      const changesFilePath = await writeOverlayChangesFile(
-        config,
-        sourceRoot,
-        logger,
-      );
-      getFileOidsStubForOverlay.restore();
-      getTempDirStub.restore();
-      getDiffRangesStub.restore();
-      getGitRootStub.restore();
-
-      const fileContent = await fs.promises.readFile(changesFilePath, "utf-8");
-      const parsedContent = JSON.parse(fileContent) as { changes: string[] };
-
-      t.deepEqual(
-        parsedContent.changes.sort(),
-        ["diff-only.js", "modified.js", "reverted.js"],
-        "Should include OID-changed files, diff-only files, and deduplicate overlapping files",
-      );
-    });
-  },
-);
-
-test.serial(
-  "writeOverlayChangesFile works without additional diff files",
-  async (t) => {
-    await withTmpDir(async (tmpDir) => {
-      const [dbLocation, sourceRoot, tempDir] = ["db", "src", "temp"].map((d) =>
-        path.join(tmpDir, d),
-      );
-      await Promise.all(
-        [dbLocation, sourceRoot, tempDir].map((d) =>
-          fs.promises.mkdir(d, { recursive: true }),
-        ),
-      );
-
-      const logger = getRunnerLogger(true);
-      const config = createTestConfig({ dbLocation });
-
-      // Mock the getFileOidsUnderPath function to return base OIDs
-      const baseOids = {
-        "unchanged.js": "aaa111",
-        "modified.js": "bbb222",
-      };
-      const getFileOidsStubForBase = sinon
-        .stub(gitUtils, "getFileOidsUnderPath")
-        .resolves(baseOids);
-
-      await writeBaseDatabaseOidsFile(config, sourceRoot);
-      getFileOidsStubForBase.restore();
-
-      const currentOids = {
-        "unchanged.js": "aaa111",
-        "modified.js": "ddd444",
-      };
-      const getFileOidsStubForOverlay = sinon
-        .stub(gitUtils, "getFileOidsUnderPath")
-        .resolves(currentOids);
-
-      const diffRangeFilePath = path.join(tempDir, "pr-diff-range.json");
-      const getTempDirStub = sinon
-        .stub(actionsUtil, "getTemporaryDirectory")
-        .returns(tempDir);
-      const getDiffRangesStub = sinon
-        .stub(actionsUtil, "getDiffRangesJsonFilePath")
-        .returns(diffRangeFilePath);
-      const getGitRootStub = sinon
-        .stub(gitUtils, "getGitRoot")
-        .resolves(sourceRoot);
-
-      // No pr-diff-range.json file exists - should work the same as before
-      const changesFilePath = await writeOverlayChangesFile(
-        config,
-        sourceRoot,
-        logger,
-      );
-      getFileOidsStubForOverlay.restore();
-      getTempDirStub.restore();
-      getDiffRangesStub.restore();
-      getGitRootStub.restore();
-
-      const fileContent = await fs.promises.readFile(changesFilePath, "utf-8");
-      const parsedContent = JSON.parse(fileContent) as { changes: string[] };
-
-      t.deepEqual(
-        parsedContent.changes.sort(),
-        ["modified.js"],
-        "Should only include OID-changed files when no additional files provided",
-      );
-    });
-  },
-);
-
-test.serial(
-  "writeOverlayChangesFile converts diff range paths to sourceRoot-relative when sourceRoot is a subdirectory",
-  async (t) => {
-    await withTmpDir(async (tmpDir) => {
-      // Simulate: repo root = tmpDir, sourceRoot = tmpDir/src
-      const repoRoot = tmpDir;
-      const sourceRoot = path.join(tmpDir, "src");
-      const [dbLocation, tempDir] = ["db", "temp"].map((d) =>
-        path.join(tmpDir, d),
-      );
-      await Promise.all(
-        [dbLocation, sourceRoot, tempDir].map((d) =>
-          fs.promises.mkdir(d, { recursive: true }),
-        ),
-      );
-
-      const logger = getRunnerLogger(true);
-      const config = createTestConfig({ dbLocation });
-
-      // Base OIDs (sourceRoot-relative paths)
-      const baseOids = {
-        "app.js": "aaa111",
-        "lib/util.js": "bbb222",
-      };
-      const getFileOidsStubForBase = sinon
-        .stub(gitUtils, "getFileOidsUnderPath")
-        .resolves(baseOids);
-      await writeBaseDatabaseOidsFile(config, sourceRoot);
-      getFileOidsStubForBase.restore();
-
-      // Current OIDs — same as base (no OID changes)
-      const currentOids = {
-        "app.js": "aaa111",
-        "lib/util.js": "bbb222",
-      };
-      const getFileOidsStubForOverlay = sinon
-        .stub(gitUtils, "getFileOidsUnderPath")
-        .resolves(currentOids);
-
-      const diffRangeFilePath = path.join(tempDir, "pr-diff-range.json");
-      const getTempDirStub = sinon
-        .stub(actionsUtil, "getTemporaryDirectory")
-        .returns(tempDir);
-      const getDiffRangesStub = sinon
-        .stub(actionsUtil, "getDiffRangesJsonFilePath")
-        .returns(diffRangeFilePath);
-      // getGitRoot returns the repo root (parent of sourceRoot)
-      const getGitRootStub = sinon
-        .stub(gitUtils, "getGitRoot")
-        .resolves(repoRoot);
-
-      // Diff ranges use repo-root-relative paths (as returned by the GitHub compare API)
-      await fs.promises.writeFile(
-        diffRangeFilePath,
-        JSON.stringify([
-          { path: "src/app.js", startLine: 1, endLine: 10 },
-          { path: "src/lib/util.js", startLine: 5, endLine: 8 },
-          { path: "other/outside.js", startLine: 1, endLine: 3 }, // not under sourceRoot
-        ]),
-      );
-
-      const changesFilePath = await writeOverlayChangesFile(
-        config,
-        sourceRoot,
-        logger,
-      );
-      getFileOidsStubForOverlay.restore();
-      getTempDirStub.restore();
-      getDiffRangesStub.restore();
-      getGitRootStub.restore();
-
-      const fileContent = await fs.promises.readFile(changesFilePath, "utf-8");
-      const parsedContent = JSON.parse(fileContent) as { changes: string[] };
-
-      t.deepEqual(
-        parsedContent.changes.sort(),
-        ["app.js", "lib/util.js"],
-        "Should convert repo-root-relative paths to sourceRoot-relative and filter out files outside sourceRoot",
-      );
-    });
-  },
-);
-
 interface DownloadOverlayBaseDatabaseTestCase {
   overlayDatabaseMode: OverlayDatabaseMode;
   useOverlayDatabaseCaching: boolean;

src/overlay/index.ts

@@ -3,9 +3,7 @@ import * as path from "path";
 
 import * as actionsCache from "@actions/cache";
 
-import * as actionsUtil from "../actions-util";
 import {
-  getOptionalInput,
   getRequiredInput,
   getTemporaryDirectory,
   getWorkflowRunAttempt,
@@ -15,7 +13,7 @@ import { getAutomationID } from "../api-client";
 import { createCacheKeyHash } from "../caching-utils";
 import { type CodeQL } from "../codeql";
 import { type Config } from "../config-utils";
-import { getCommitOid, getFileOidsUnderPath, getGitRoot } from "../git-utils";
+import { getCommitOid, getFileOidsUnderPath } from "../git-utils";
 import { Logger, withGroupAsync } from "../logging";
 import {
   CleanupLevel,
@@ -132,17 +130,11 @@ export async function writeOverlayChangesFile(
 ): Promise<string> {
   const baseFileOids = await readBaseDatabaseOidsFile(config, logger);
   const overlayFileOids = await getFileOidsUnderPath(sourceRoot);
-  const oidChangedFiles = computeChangedFiles(baseFileOids, overlayFileOids);
+  const changedFiles = computeChangedFiles(baseFileOids, overlayFileOids);
   logger.info(
-    `Found ${oidChangedFiles.length} changed file(s) under ${sourceRoot} from OID comparison.`,
+    `Found ${changedFiles.length} changed file(s) under ${sourceRoot}.`,
   );
 
-  // Merge in any file paths from precomputed PR diff ranges to ensure the
-  // overlay always includes all files from the PR diff, even in edge cases
-  // like revert PRs where OID comparison shows no change.
-  const diffRangeFiles = await getDiffRangeFilePaths(sourceRoot, logger);
-  const changedFiles = [...new Set([...oidChangedFiles, ...diffRangeFiles])];
-
   const changedFilesJson = JSON.stringify({ changes: changedFiles });
   const overlayChangesFile = path.join(
     getTemporaryDirectory(),
@@ -173,69 +165,6 @@ function computeChangedFiles(
   return changes;
 }
 
-async function getDiffRangeFilePaths(
-  sourceRoot: string,
-  logger: Logger,
-): Promise<string[]> {
-  const jsonFilePath = actionsUtil.getDiffRangesJsonFilePath();
-
-  if (!fs.existsSync(jsonFilePath)) {
-    logger.debug(
-      `No diff ranges JSON file found at ${jsonFilePath}; skipping.`,
-    );
-    return [];
-  }
-
-  let contents: string;
-  try {
-    contents = await fs.promises.readFile(jsonFilePath, "utf8");
-  } catch (e) {
-    logger.warning(
-      `Failed to read diff ranges JSON file at ${jsonFilePath}: ${e}`,
-    );
-    return [];
-  }
-
-  let diffRanges: Array<{ path: string }>;
-  try {
-    diffRanges = JSON.parse(contents) as Array<{ path: string }>;
-  } catch (e) {
-    logger.warning(
-      `Failed to parse diff ranges JSON file at ${jsonFilePath}: ${e}`,
-    );
-    return [];
-  }
-  logger.debug(
-    `Read ${diffRanges.length} diff range(s) from ${jsonFilePath} for overlay changes.`,
-  );
-
-  // Diff-range paths are relative to the repo root (from the GitHub compare
-  // API), but overlay changed files must be relative to sourceRoot (to match
-  // getFileOidsUnderPath output). Convert and filter accordingly.
-  const repoRoot = await getGitRoot(sourceRoot);
-  if (repoRoot === undefined) {
-    if (getOptionalInput("source-root")) {
-      throw new Error(
-        "Cannot determine git root to convert diff range paths relative to source-root. " +
-          "Failing to avoid omitting files from the analysis.",
-      );
-    }
-    logger.warning(
-      "Cannot determine git root; returning diff range paths as-is.",
-    );
-    return [...new Set(diffRanges.map((r) => r.path))];
-  }
-
-  const relativePaths = diffRanges
-    .map((r) =>
-      path
-        .relative(sourceRoot, path.join(repoRoot, r.path))
-        .replaceAll(path.sep, "/"),
-    )
-    .filter((rel) => !rel.startsWith(".."));
-  return [...new Set(relativePaths)];
-}
-
 // Constants for database caching
 const CACHE_VERSION = 1;
 const CACHE_PREFIX = "codeql-overlay-base-database";

src/start-proxy.test.ts

@@ -14,9 +14,9 @@ import * as startProxyExports from "./start-proxy";
 import { parseLanguage } from "./start-proxy";
 import * as statusReport from "./status-report";
 import {
-  assertNotLogged,
   checkExpectedLogMessages,
   createFeatures,
+  getRecordingLogger,
   makeTestToken,
   RecordingLogger,
   setupTests,
@@ -439,156 +439,42 @@ test("getCredentials accepts OIDC configurations", (t) => {
   t.assert(credentials.some((c) => startProxyExports.isJFrogConfig(c)));
 });
 
-const getCredentialsMacro = test.macro({
-  exec: async (
-    t: ExecutionContext<unknown>,
-    credentials: startProxyExports.RawCredential[],
-    checkAccepted: (
-      t: ExecutionContext<unknown>,
-      logger: RecordingLogger,
-      results: startProxyExports.Credential[],
-    ) => void,
-  ) => {
-    const logger = new RecordingLogger();
-    const credentialsString = toEncodedJSON(credentials);
+test("getCredentials logs a warning when a PAT is used without a username", async (t) => {
+  const loggedMessages = [];
+  const logger = getRecordingLogger(loggedMessages);
+  const likelyWrongCredentials = toEncodedJSON([
+    {
+      type: "git_server",
+      host: "https://github.com/",
+      password: `ghp_${makeTestToken()}`,
+    },
+  ]);
 
-    const results = startProxyExports.getCredentials(
-      logger,
-      undefined,
-      credentialsString,
-      undefined,
-    );
+  const results = startProxyExports.getCredentials(
+    logger,
+    undefined,
+    likelyWrongCredentials,
+    undefined,
+  );
 
-    checkAccepted(t, logger, results);
-  },
+  // The configuration should be accepted, despite the likely problem.
+  t.assert(results);
+  t.is(results.length, 1);
+  t.is(results[0].type, "git_server");
+  t.is(results[0].host, "https://github.com/");
 
-  title: (providedTitle = "") => `getCredentials - ${providedTitle}`,
+  if (startProxyExports.isUsernamePassword(results[0])) {
+    t.assert(results[0].password?.startsWith("ghp_"));
+  } else {
+    t.fail("Expected a `UsernamePassword`-based credential.");
+  }
+
+  // A warning should have been logged.
+  checkExpectedLogMessages(t, loggedMessages, [
+    "using a GitHub Personal Access Token (PAT), but no username was provided",
+  ]);
 });
 
-test(
-  "warns for PAT-like password without a username",
-  getCredentialsMacro,
-  [
-    {
-      type: "git_server",
-      host: "https://github.com/",
-      password: `ghp_${makeTestToken()}`,
-    },
-  ],
-  (t, logger, results) => {
-    // The configurations should be accepted, despite the likely problem.
-    t.assert(results);
-    t.is(results.length, 1);
-    t.is(results[0].type, "git_server");
-    t.is(results[0].host, "https://github.com/");
-
-    if (startProxyExports.isUsernamePassword(results[0])) {
-      t.assert(results[0].password?.startsWith("ghp_"));
-    } else {
-      t.fail("Expected a `UsernamePassword`-based credential.");
-    }
-
-    // A warning should have been logged.
-    checkExpectedLogMessages(t, logger.messages, [
-      "using a GitHub Personal Access Token (PAT), but no username was provided",
-    ]);
-  },
-);
-
-test(
-  "no warning for PAT-like password with a username",
-  getCredentialsMacro,
-  [
-    {
-      type: "git_server",
-      host: "https://github.com/",
-      username: "someone",
-      password: `ghp_${makeTestToken()}`,
-    },
-  ],
-  (t, logger, results) => {
-    // The configurations should be accepted, despite the likely problem.
-    t.assert(results);
-    t.is(results.length, 1);
-    t.is(results[0].type, "git_server");
-    t.is(results[0].host, "https://github.com/");
-
-    if (startProxyExports.isUsernamePassword(results[0])) {
-      t.assert(results[0].password?.startsWith("ghp_"));
-    } else {
-      t.fail("Expected a `UsernamePassword`-based credential.");
-    }
-
-    assertNotLogged(
-      t,
-      logger,
-      "using a GitHub Personal Access Token (PAT), but no username was provided",
-    );
-  },
-);
-
-test(
-  "warns for PAT-like token without a username",
-  getCredentialsMacro,
-  [
-    {
-      type: "git_server",
-      host: "https://github.com/",
-      token: `ghp_${makeTestToken()}`,
-    },
-  ],
-  (t, logger, results) => {
-    // The configurations should be accepted, despite the likely problem.
-    t.assert(results);
-    t.is(results.length, 1);
-    t.is(results[0].type, "git_server");
-    t.is(results[0].host, "https://github.com/");
-
-    if (startProxyExports.isToken(results[0])) {
-      t.assert(results[0].token?.startsWith("ghp_"));
-    } else {
-      t.fail("Expected a `Token`-based credential.");
-    }
-
-    // A warning should have been logged.
-    checkExpectedLogMessages(t, logger.messages, [
-      "using a GitHub Personal Access Token (PAT), but no username was provided",
-    ]);
-  },
-);
-
-test(
-  "no warning for PAT-like token with a username",
-  getCredentialsMacro,
-  [
-    {
-      type: "git_server",
-      host: "https://github.com/",
-      username: "someone",
-      token: `ghp_${makeTestToken()}`,
-    },
-  ],
-  (t, logger, results) => {
-    // The configurations should be accepted, despite the likely problem.
-    t.assert(results);
-    t.is(results.length, 1);
-    t.is(results[0].type, "git_server");
-    t.is(results[0].host, "https://github.com/");
-
-    if (startProxyExports.isToken(results[0])) {
-      t.assert(results[0].token?.startsWith("ghp_"));
-    } else {
-      t.fail("Expected a `Token`-based credential.");
-    }
-
-    assertNotLogged(
-      t,
-      logger,
-      "using a GitHub Personal Access Token (PAT), but no username was provided",
-    );
-  },
-);
-
 test("getCredentials returns all credentials for Actions when using LANGUAGE_TO_REGISTRY_TYPE", async (t) => {
   const credentialsInput = toEncodedJSON(mixedCredentials);
 

src/start-proxy.ts

@@ -447,18 +447,15 @@ export function getCredentials(
     }
 
     // If the password or token looks like a GitHub PAT, warn if no username is configured.
-    const noUsername =
-      !hasUsername(authConfig) || !isDefined(authConfig.username);
-    const passwordIsPAT =
-      isUsernamePassword(authConfig) &&
-      isDefined(authConfig.password) &&
-      isPAT(authConfig.password);
-    const tokenIsPAT =
-      isToken(authConfig) &&
-      isDefined(authConfig.token) &&
-      isPAT(authConfig.token);
-
-    if (noUsername && (passwordIsPAT || tokenIsPAT)) {
+    if (
+      ((!hasUsername(authConfig) || !isDefined(authConfig.username)) &&
+        isUsernamePassword(authConfig) &&
+        isDefined(authConfig.password) &&
+        isPAT(authConfig.password)) ||
+      (isToken(authConfig) &&
+        isDefined(authConfig.token) &&
+        isPAT(authConfig.token))
+    ) {
       logger.warning(
         `A ${e.type} private registry is configured for ${e.host || e.url} using a GitHub Personal Access Token (PAT), but no username was provided. ` +
           `This may not work correctly. When configuring a private registry using a PAT, select "Username and password" and enter the username of the user ` +

src/testing-utils.ts

@@ -185,8 +185,8 @@ export interface LoggedMessage {
 
 export class RecordingLogger implements Logger {
   messages: LoggedMessage[] = [];
-  readonly groups: string[] = [];
-  readonly unfinishedGroups: Set<string> = new Set();
+  groups: string[] = [];
+  unfinishedGroups: Set<string> = new Set();
   private currentGroup: string | undefined = undefined;
 
   constructor(private readonly logToConsole: boolean = true) {}
@@ -200,19 +200,6 @@ export class RecordingLogger implements Logger {
     }
   }
 
-  /**
-   * Checks whether the logged messages contain `messageOrRegExp`.
-   *
-   * If `messageOrRegExp` is a string, this function returns true as long as
-   * `messageOrRegExp` appears as part of one of the `messages`.
-   *
-   * If `messageOrRegExp` is a regular expression, this function returns true as long as
-   * one of the `messages` matches `messageOrRegExp`.
-   */
-  hasMessage(messageOrRegExp: string | RegExp): boolean {
-    return hasLoggedMessage(this.messages, messageOrRegExp);
-  }
-
   isDebug() {
     return true;
   }
@@ -251,37 +238,41 @@ export function getRecordingLogger(
   messages: LoggedMessage[],
   { logToConsole }: { logToConsole?: boolean } = { logToConsole: true },
 ): Logger {
-  const logger = new RecordingLogger(logToConsole);
-  logger.messages = messages;
-  return logger;
+  return {
+    debug: (message: string) => {
+      messages.push({ type: "debug", message });
+      if (logToConsole) {
+        // eslint-disable-next-line no-console
+        console.debug(message);
+      }
+    },
+    info: (message: string) => {
+      messages.push({ type: "info", message });
+      if (logToConsole) {
+        // eslint-disable-next-line no-console
+        console.info(message);
+      }
+    },
+    warning: (message: string | Error) => {
+      messages.push({ type: "warning", message });
+      if (logToConsole) {
+        // eslint-disable-next-line no-console
+        console.warn(message);
+      }
+    },
+    error: (message: string | Error) => {
+      messages.push({ type: "error", message });
+      if (logToConsole) {
+        // eslint-disable-next-line no-console
+        console.error(message);
+      }
+    },
+    isDebug: () => true,
+    startGroup: () => undefined,
+    endGroup: () => undefined,
+  };
 }
 
-/**
- * Checks whether `messages` contains `messageOrRegExp`.
- *
- * If `messageOrRegExp` is a string, this function returns true as long as
- * `messageOrRegExp` appears as part of one of the `messages`.
- *
- * If `messageOrRegExp` is a regular expression, this function returns true as long as
- * one of the `messages` matches `messageOrRegExp`.
- */
-function hasLoggedMessage(
-  messages: LoggedMessage[],
-  messageOrRegExp: string | RegExp,
-): boolean {
-  const check = (val: string) =>
-    typeof messageOrRegExp === "string"
-      ? val.includes(messageOrRegExp)
-      : messageOrRegExp.test(val);
-
-  return messages.some(
-    (msg) => typeof msg.message === "string" && check(msg.message),
-  );
-}
-
-/**
- * Checks that `messages` contains all of `expectedMessages`.
- */
 export function checkExpectedLogMessages(
   t: ExecutionContext<any>,
   messages: LoggedMessage[],
@@ -290,7 +281,13 @@ export function checkExpectedLogMessages(
   const missingMessages: string[] = [];
 
   for (const expectedMessage of expectedMessages) {
-    if (!hasLoggedMessage(messages, expectedMessage)) {
+    if (
+      !messages.some(
+        (msg) =>
+          typeof msg.message === "string" &&
+          msg.message.includes(expectedMessage),
+      )
+    ) {
       missingMessages.push(expectedMessage);
     }
   }
@@ -307,20 +304,6 @@ export function checkExpectedLogMessages(
   }
 }
 
-/**
- * Asserts that `message` should not have been logged to `logger`.
- */
-export function assertNotLogged(
-  t: ExecutionContext<any>,
-  logger: RecordingLogger,
-  message: string | RegExp,
-) {
-  t.false(
-    logger.hasMessage(message),
-    `'${message}' should not have been logged, but was.`,
-  );
-}
-
 /**
  * Initialises a recording logger and calls `body` with it.
  *

start-proxy/action.yml

@@ -29,6 +29,6 @@ outputs:
   proxy_urls:
     description: A stringified JSON array of objects containing the types and URLs of the configured registries.
 runs:
-  using: node24
+  using: node20
   main: "../lib/start-proxy-action.js"
   post: "../lib/start-proxy-action-post.js"

upload-sarif/action.yml

@@ -41,6 +41,6 @@ outputs:
 
       { "code-scanning": "some-id", "code-quality": "some-other-id" }
 runs:
-  using: node24
+  using: node20
   main: '../lib/upload-sarif-action.js'
   post: '../lib/upload-sarif-action-post.js'