Document regular expressions

Merge pull request #3529 from github/mbg/ts/sync-back
Convert `sync_back.py` to TypeScript
2026-05-09 15:20:28 +00:00 · 2026-03-05 16:51:15 +00:00 · 2026-03-05 12:36:22 +00:00 · 2026-03-04 16:07:10 +00:00 · 2026-03-04 15:12:33 +01:00 · 2026-03-04 13:27:40 +00:00
152 changed files with 14968 additions and 9465 deletions
@@ -18,6 +18,9 @@ on:
      - synchronize
      - reopened
      - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -49,8 +52,7 @@ defaults:
    shell: bash
 concurrency:
  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group:
-    all-platform-bundle-${{github.ref}}-${{inputs.go-version}}-${{inputs.dotnet-version}}
+  group: all-platform-bundle-${{github.ref}}-${{inputs.go-version}}-${{inputs.dotnet-version}}
 jobs:
  all-platform-bundle:
    strategy:
@@ -92,7 +94,7 @@ jobs:
      - id: init
        uses: ./../action/init
        with:
-      # Swift is not supported on Ubuntu so we manually exclude it from the list here
+          # Swift is not supported on Ubuntu so we manually exclude it from the list here
          languages: cpp,csharp,go,java,javascript,python,ruby
          tools: ${{ steps.prepare-test.outputs.tools-url }}
      - name: Build code
@@ -18,6 +18,9 @@ on:
      - synchronize
      - reopened
      - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -84,16 +87,16 @@ jobs:
          tools: ${{ steps.prepare-test.outputs.tools-url }}
      - uses: ./../action/analyze
        with:
-          output: ${{ runner.temp }}/results
+          output: '${{ runner.temp }}/results'
          upload-database: false
-          post-processed-sarif-path: ${{ runner.temp }}/post-processed
+          post-processed-sarif-path: '${{ runner.temp }}/post-processed'

      - name: Upload SARIF files
        uses: actions/upload-artifact@v6
        with:
          name: |
            analysis-kinds-${{ matrix.os }}-${{ matrix.version }}-${{ matrix.analysis-kinds }}
-          path: ${{ runner.temp }}/results/*.sarif
+          path: '${{ runner.temp }}/results/*.sarif'
          retention-days: 7

      - name: Upload post-processed SARIF
@@ -101,7 +104,7 @@ jobs:
        with:
          name: |
            post-processed-${{ matrix.os }}-${{ matrix.version }}-${{ matrix.analysis-kinds }}
-          path: ${{ runner.temp }}/post-processed
+          path: '${{ runner.temp }}/post-processed'
          retention-days: 7
          if-no-files-found: error

@@ -109,7 +112,7 @@ jobs:
        if: contains(matrix.analysis-kinds, 'code-scanning')
        uses: actions/github-script@v8
        env:
-          SARIF_PATH: ${{ runner.temp }}/results/javascript.sarif
+          SARIF_PATH: '${{ runner.temp }}/results/javascript.sarif'
          EXPECT_PRESENT: 'false'
        with:
          script: ${{ env.CHECK_SCRIPT }}
@@ -117,7 +120,7 @@ jobs:
        if: contains(matrix.analysis-kinds, 'code-quality')
        uses: actions/github-script@v8
        env:
-          SARIF_PATH: ${{ runner.temp }}/results/javascript.quality.sarif
+          SARIF_PATH: '${{ runner.temp }}/results/javascript.quality.sarif'
          EXPECT_PRESENT: 'true'
        with:
          script: ${{ env.CHECK_SCRIPT }}
@@ -18,6 +18,9 @@ on:
      - synchronize
      - reopened
      - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -59,8 +62,7 @@ defaults:
    shell: bash
 concurrency:
  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group:
-    analyze-ref-input-${{github.ref}}-${{inputs.go-version}}-${{inputs.python-version}}-${{inputs.dotnet-version}}
+  group: analyze-ref-input-${{github.ref}}-${{inputs.go-version}}-${{inputs.python-version}}-${{inputs.dotnet-version}}
 jobs:
  analyze-ref-input:
    strategy:
@@ -104,13 +106,12 @@ jobs:
        with:
          tools: ${{ steps.prepare-test.outputs.tools-url }}
          languages: cpp,csharp,java,javascript,python
-          config-file: ${{ github.repository }}/tests/multi-language-repo/.github/codeql/custom-queries.yml@${{
-            github.sha }}
+          config-file: ${{ github.repository }}/tests/multi-language-repo/.github/codeql/custom-queries.yml@${{ github.sha }}
      - name: Build code
        run: ./build.sh
      - uses: ./../action/analyze
        with:
-          ref: refs/heads/main
-          sha: 5e235361806c361d4d3f8859e3c897658025a9a2
+          ref: 'refs/heads/main'
+          sha: '5e235361806c361d4d3f8859e3c897658025a9a2'
    env:
      CODEQL_ACTION_TEST_MODE: true
@@ -18,6 +18,9 @@ on:
      - synchronize
      - reopened
      - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -79,7 +82,7 @@ jobs:
          tools: ${{ steps.prepare-test.outputs.tools-url }}
      - uses: ./../action/autobuild
        env:
-      # Explicitly disable the CLR tracer.
+          # Explicitly disable the CLR tracer.
          COR_ENABLE_PROFILING: ''
          COR_PROFILER: ''
          COR_PROFILER_PATH_64: ''
@@ -18,6 +18,9 @@ on:
      - synchronize
      - reopened
      - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -39,8 +42,7 @@ defaults:
    shell: bash
 concurrency:
  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group:
-    autobuild-direct-tracing-with-working-dir-${{github.ref}}-${{inputs.java-version}}
+  group: autobuild-direct-tracing-with-working-dir-${{github.ref}}-${{inputs.java-version}}
 jobs:
  autobuild-direct-tracing-with-working-dir:
    strategy:
@@ -18,6 +18,9 @@ on:
      - synchronize
      - reopened
      - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -18,6 +18,9 @@ on:
      - synchronize
      - reopened
      - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -94,7 +97,7 @@ jobs:
        id: init
        with:
          build-mode: autobuild
-          db-location: ${{ runner.temp }}/customDbLocation
+          db-location: '${{ runner.temp }}/customDbLocation'
          languages: java
          tools: ${{ steps.prepare-test.outputs.tools-url }}

@@ -18,6 +18,9 @@ on:
      - synchronize
      - reopened
      - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -49,8 +52,7 @@ defaults:
    shell: bash
 concurrency:
  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group:
-    build-mode-manual-${{github.ref}}-${{inputs.go-version}}-${{inputs.dotnet-version}}
+  group: build-mode-manual-${{github.ref}}-${{inputs.go-version}}-${{inputs.dotnet-version}}
 jobs:
  build-mode-manual:
    strategy:
@@ -89,7 +91,7 @@ jobs:
        id: init
        with:
          build-mode: manual
-          db-location: ${{ runner.temp }}/customDbLocation
+          db-location: '${{ runner.temp }}/customDbLocation'
          languages: java
          tools: ${{ steps.prepare-test.outputs.tools-url }}

@@ -18,6 +18,9 @@ on:
      - synchronize
      - reopened
      - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -61,7 +64,7 @@ jobs:
        id: init
        with:
          build-mode: none
-          db-location: ${{ runner.temp }}/customDbLocation
+          db-location: '${{ runner.temp }}/customDbLocation'
          languages: java
          tools: ${{ steps.prepare-test.outputs.tools-url }}

@@ -74,7 +77,7 @@ jobs:
            exit 1
          fi

-  # The latest nightly supports omitting the autobuild Action when the build mode is specified.
+      # The latest nightly supports omitting the autobuild Action when the build mode is specified.
      - uses: ./../action/autobuild
        if: matrix.version != 'nightly-latest'

@@ -18,6 +18,9 @@ on:
      - synchronize
      - reopened
      - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -65,7 +68,7 @@ jobs:
        id: init
        with:
          build-mode: none
-          db-location: ${{ runner.temp }}/customDbLocation
+          db-location: '${{ runner.temp }}/customDbLocation'
          languages: java
          tools: ${{ steps.prepare-test.outputs.tools-url }}

@@ -18,6 +18,9 @@ on:
      - synchronize
      - reopened
      - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -63,7 +66,7 @@ jobs:
          tools: ${{ steps.prepare-test.outputs.tools-url }}
          languages: javascript
      - name: Fail if the CodeQL version is not a nightly
-        if: "!contains(steps.init.outputs.codeql-version, '+')"
+        if: ${{ !contains(steps.init.outputs.codeql-version, '+') }}
        run: exit 1
    env:
      CODEQL_ACTION_TEST_MODE: true
@@ -18,6 +18,9 @@ on:
      - synchronize
      - reopened
      - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -18,6 +18,9 @@ on:
      - synchronize
      - reopened
      - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -18,6 +18,9 @@ on:
      - synchronize
      - reopened
      - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -18,6 +18,9 @@ on:
      - synchronize
      - reopened
      - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -64,7 +67,7 @@ jobs:
        id: init
        with:
          build-mode: none
-          db-location: ${{ runner.temp }}/customDbLocation
+          db-location: '${{ runner.temp }}/customDbLocation'
          languages: javascript
          tools: ${{ steps.prepare-test.outputs.tools-url }}

@@ -18,6 +18,9 @@ on:
      - synchronize
      - reopened
      - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -64,18 +67,18 @@ jobs:
          tools: ${{ steps.prepare-test.outputs.tools-url }}
      - uses: ./../action/analyze
        with:
-          output: ${{ runner.temp }}/results
+          output: '${{ runner.temp }}/results'
          upload-database: false
      - name: Upload SARIF
        uses: actions/upload-artifact@v6
        with:
          name: config-export-${{ matrix.os }}-${{ matrix.version }}.sarif.json
-          path: ${{ runner.temp }}/results/javascript.sarif
+          path: '${{ runner.temp }}/results/javascript.sarif'
          retention-days: 7
      - name: Check config properties appear in SARIF
        uses: actions/github-script@v8
        env:
-          SARIF_PATH: ${{ runner.temp }}/results/javascript.sarif
+          SARIF_PATH: '${{ runner.temp }}/results/javascript.sarif'
        with:
          script: |
            const fs = require('fs');
@@ -18,6 +18,9 @@ on:
      - synchronize
      - reopened
      - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -18,6 +18,9 @@ on:
      - synchronize
      - reopened
      - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -18,6 +18,9 @@ on:
      - synchronize
      - reopened
      - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -18,6 +18,9 @@ on:
      - synchronize
      - reopened
      - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -18,6 +18,9 @@ on:
      - synchronize
      - reopened
      - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -75,18 +78,18 @@ jobs:
            --ready-for-status-page
      - uses: ./../action/analyze
        with:
-          output: ${{ runner.temp }}/results
+          output: '${{ runner.temp }}/results'
          upload-database: false
      - name: Upload SARIF
        uses: actions/upload-artifact@v6
        with:
          name: diagnostics-export-${{ matrix.os }}-${{ matrix.version }}.sarif.json
-          path: ${{ runner.temp }}/results/javascript.sarif
+          path: '${{ runner.temp }}/results/javascript.sarif'
          retention-days: 7
      - name: Check diagnostics appear in SARIF
        uses: actions/github-script@v8
        env:
-          SARIF_PATH: ${{ runner.temp }}/results/javascript.sarif
+          SARIF_PATH: '${{ runner.temp }}/results/javascript.sarif'
        with:
          script: |
            const fs = require('fs');
@@ -18,6 +18,9 @@ on:
      - synchronize
      - reopened
      - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -49,8 +52,7 @@ defaults:
    shell: bash
 concurrency:
  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group:
-    export-file-baseline-information-${{github.ref}}-${{inputs.go-version}}-${{inputs.dotnet-version}}
+  group: export-file-baseline-information-${{github.ref}}-${{inputs.go-version}}-${{inputs.dotnet-version}}
 jobs:
  export-file-baseline-information:
    strategy:
@@ -98,12 +100,12 @@ jobs:
        run: ./build.sh
      - uses: ./../action/analyze
        with:
-          output: ${{ runner.temp }}/results
+          output: '${{ runner.temp }}/results'
      - name: Upload SARIF
        uses: actions/upload-artifact@v6
        with:
          name: with-baseline-information-${{ matrix.os }}-${{ matrix.version }}.sarif.json
-          path: ${{ runner.temp }}/results/javascript.sarif
+          path: '${{ runner.temp }}/results/javascript.sarif'
          retention-days: 7
      - name: Check results
        run: |
@@ -18,6 +18,9 @@ on:
      - synchronize
      - reopened
      - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -18,6 +18,9 @@ on:
      - synchronize
      - reopened
      - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -18,6 +18,9 @@ on:
      - synchronize
      - reopened
      - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -49,8 +52,7 @@ defaults:
    shell: bash
 concurrency:
  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group:
-    go-custom-queries-${{github.ref}}-${{inputs.go-version}}-${{inputs.dotnet-version}}
+  group: go-custom-queries-${{github.ref}}-${{inputs.go-version}}-${{inputs.dotnet-version}}
 jobs:
  go-custom-queries:
    strategy:
@@ -18,6 +18,9 @@ on:
      - synchronize
      - reopened
      - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -74,7 +77,7 @@ jobs:
        with:
          languages: go
          tools: ${{ steps.prepare-test.outputs.tools-url }}
-  # Deliberately change Go after the `init` step
+      # Deliberately change Go after the `init` step
      - uses: actions/setup-go@v6
        with:
          go-version: '1.20'
@@ -82,12 +85,12 @@ jobs:
        run: go build main.go
      - uses: ./../action/analyze
        with:
-          output: ${{ runner.temp }}/results
+          output: '${{ runner.temp }}/results'
          upload-database: false
      - name: Check diagnostic appears in SARIF
        uses: actions/github-script@v8
        env:
-          SARIF_PATH: ${{ runner.temp }}/results/go.sarif
+          SARIF_PATH: '${{ runner.temp }}/results/go.sarif'
        with:
          script: |
            const fs = require('fs');
@@ -18,6 +18,9 @@ on:
      - synchronize
      - reopened
      - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -39,8 +42,7 @@ defaults:
    shell: bash
 concurrency:
  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group:
-    go-indirect-tracing-workaround-no-file-program-${{github.ref}}-${{inputs.go-version}}
+  group: go-indirect-tracing-workaround-no-file-program-${{github.ref}}-${{inputs.go-version}}
 jobs:
  go-indirect-tracing-workaround-no-file-program:
    strategy:
@@ -84,12 +86,12 @@ jobs:
        run: go build main.go
      - uses: ./../action/analyze
        with:
-          output: ${{ runner.temp }}/results
+          output: '${{ runner.temp }}/results'
          upload-database: false
      - name: Check diagnostic appears in SARIF
        uses: actions/github-script@v8
        env:
-          SARIF_PATH: ${{ runner.temp }}/results/go.sarif
+          SARIF_PATH: '${{ runner.temp }}/results/go.sarif'
        with:
          script: |
            const fs = require('fs');
@@ -18,6 +18,9 @@ on:
      - synchronize
      - reopened
      - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -18,6 +18,9 @@ on:
      - synchronize
      - reopened
      - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -18,6 +18,9 @@ on:
      - synchronize
      - reopened
      - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -18,6 +18,9 @@ on:
      - synchronize
      - reopened
      - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -18,6 +18,9 @@ on:
      - synchronize
      - reopened
      - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -47,7 +50,6 @@ jobs:
    permissions:
      contents: read
      packages: read
-
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
@@ -63,7 +65,7 @@ jobs:
      - name: Init with registries
        uses: ./../action/init
        with:
-          db-location: ${{ runner.temp }}/customDbLocation
+          db-location: '${{ runner.temp }}/customDbLocation'
          tools: ${{ steps.prepare-test.outputs.tools-url }}
          config-file: ./.github/codeql/codeql-config-registries.yml
          languages: javascript
@@ -18,6 +18,9 @@ on:
      - synchronize
      - reopened
      - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -18,6 +18,9 @@ on:
      - synchronize
      - reopened
      - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -62,12 +65,12 @@ jobs:
          tools: ${{ steps.prepare-test.outputs.tools-url }}
      - uses: ./../action/analyze
        with:
-          output: ${{ runner.temp }}/results
+          output: '${{ runner.temp }}/results'
      - name: Upload SARIF
        uses: actions/upload-artifact@v6
        with:
          name: ${{ matrix.os }}-${{ matrix.version }}.sarif.json
-          path: ${{ runner.temp }}/results/javascript.sarif
+          path: '${{ runner.temp }}/results/javascript.sarif'
          retention-days: 7
      - name: Check results
        run: |
@@ -18,6 +18,9 @@ on:
      - synchronize
      - reopened
      - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -60,7 +63,7 @@ jobs:
          languages: C#,java-kotlin,swift,typescript
          tools: ${{ steps.prepare-test.outputs.tools-url }}

-      - name: Check languages
+      - name: 'Check languages'
        run: |
          expected_languages="csharp,java,swift,javascript"
          actual_languages=$(jq -r '.languages | join(",")' "$RUNNER_TEMP"/config)
@@ -18,6 +18,9 @@ on:
      - synchronize
      - reopened
      - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -59,8 +62,7 @@ defaults:
    shell: bash
 concurrency:
  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group:
-    local-bundle-${{github.ref}}-${{inputs.go-version}}-${{inputs.python-version}}-${{inputs.dotnet-version}}
+  group: local-bundle-${{github.ref}}-${{inputs.go-version}}-${{inputs.python-version}}-${{inputs.dotnet-version}}
 jobs:
  local-bundle:
    strategy:
@@ -106,7 +108,7 @@ jobs:
      - id: init
        uses: ./../action/init
        with:
-      # Swift is not supported on Ubuntu so we manually exclude it from the list here
+          # Swift is not supported on Ubuntu so we manually exclude it from the list here
          languages: cpp,csharp,go,java,javascript,python,ruby
          tools: ./codeql-bundle-linux64.tar.zst
      - name: Build code
@@ -18,6 +18,9 @@ on:
      - synchronize
      - reopened
      - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -59,8 +62,7 @@ defaults:
    shell: bash
 concurrency:
  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group:
-    multi-language-autodetect-${{github.ref}}-${{inputs.go-version}}-${{inputs.python-version}}-${{inputs.dotnet-version}}
+  group: multi-language-autodetect-${{github.ref}}-${{inputs.go-version}}-${{inputs.python-version}}-${{inputs.dotnet-version}}
 jobs:
  multi-language-autodetect:
    strategy:
@@ -141,9 +143,8 @@ jobs:
      - uses: ./../action/init
        id: init
        with:
-          db-location: ${{ runner.temp }}/customDbLocation
-          languages: ${{ runner.os == 'Linux' && 'cpp,csharp,go,java,javascript,python,ruby'
-            || '' }}
+          db-location: '${{ runner.temp }}/customDbLocation'
+          languages: ${{ runner.os == 'Linux' && 'cpp,csharp,go,java,javascript,python,ruby' || '' }}
          tools: ${{ steps.prepare-test.outputs.tools-url }}

      - name: Build code
@@ -18,6 +18,9 @@ on:
      - synchronize
      - reopened
      - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -18,6 +18,9 @@ on:
      - synchronize
      - reopened
      - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -59,8 +62,7 @@ defaults:
    shell: bash
 concurrency:
  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group:
-    packaging-codescanning-config-inputs-js-${{github.ref}}-${{inputs.go-version}}-${{inputs.python-version}}-${{inputs.dotnet-version}}
+  group: packaging-codescanning-config-inputs-js-${{github.ref}}-${{inputs.go-version}}-${{inputs.python-version}}-${{inputs.dotnet-version}}
 jobs:
  packaging-codescanning-config-inputs-js:
    strategy:
@@ -113,7 +115,7 @@ jobs:
          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - uses: ./../action/init
        with:
-          config-file: .github/codeql/codeql-config-packaging3.yml
+          config-file: '.github/codeql/codeql-config-packaging3.yml'
          packs: +codeql-testing/codeql-pack1@1.0.0
          languages: javascript
          tools: ${{ steps.prepare-test.outputs.tools-url }}
@@ -121,15 +123,14 @@ jobs:
        run: ./build.sh
      - uses: ./../action/analyze
        with:
-          output: ${{ runner.temp }}/results
+          output: '${{ runner.temp }}/results'
          upload-database: false

      - name: Check results
        uses: ./../action/.github/actions/check-sarif
        with:
          sarif-file: ${{ runner.temp }}/results/javascript.sarif
-          queries-run:
-            javascript/example/empty-or-one-block,javascript/example/empty-or-one-block,javascript/example/other-query-block,javascript/example/two-block
+          queries-run: javascript/example/empty-or-one-block,javascript/example/empty-or-one-block,javascript/example/other-query-block,javascript/example/two-block
          queries-not-run: foo,bar

      - name: Assert Results
@@ -18,6 +18,9 @@ on:
      - synchronize
      - reopened
      - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -49,8 +52,7 @@ defaults:
    shell: bash
 concurrency:
  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group:
-    packaging-config-inputs-js-${{github.ref}}-${{inputs.go-version}}-${{inputs.dotnet-version}}
+  group: packaging-config-inputs-js-${{github.ref}}-${{inputs.go-version}}-${{inputs.dotnet-version}}
 jobs:
  packaging-config-inputs-js:
    strategy:
@@ -98,7 +100,7 @@ jobs:
          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - uses: ./../action/init
        with:
-          config-file: .github/codeql/codeql-config-packaging3.yml
+          config-file: '.github/codeql/codeql-config-packaging3.yml'
          packs: +codeql-testing/codeql-pack1@1.0.0
          languages: javascript
          tools: ${{ steps.prepare-test.outputs.tools-url }}
@@ -106,15 +108,14 @@ jobs:
        run: ./build.sh
      - uses: ./../action/analyze
        with:
-          output: ${{ runner.temp }}/results
+          output: '${{ runner.temp }}/results'
          upload-database: false

      - name: Check results
        uses: ./../action/.github/actions/check-sarif
        with:
          sarif-file: ${{ runner.temp }}/results/javascript.sarif
-          queries-run:
-            javascript/example/empty-or-one-block,javascript/example/empty-or-one-block,javascript/example/other-query-block,javascript/example/two-block
+          queries-run: javascript/example/empty-or-one-block,javascript/example/empty-or-one-block,javascript/example/other-query-block,javascript/example/two-block
          queries-not-run: foo,bar

      - name: Assert Results
@@ -18,6 +18,9 @@ on:
      - synchronize
      - reopened
      - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -49,8 +52,7 @@ defaults:
    shell: bash
 concurrency:
  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group:
-    packaging-config-js-${{github.ref}}-${{inputs.go-version}}-${{inputs.dotnet-version}}
+  group: packaging-config-js-${{github.ref}}-${{inputs.go-version}}-${{inputs.dotnet-version}}
 jobs:
  packaging-config-js:
    strategy:
@@ -98,22 +100,21 @@ jobs:
          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - uses: ./../action/init
        with:
-          config-file: .github/codeql/codeql-config-packaging.yml
+          config-file: '.github/codeql/codeql-config-packaging.yml'
          languages: javascript
          tools: ${{ steps.prepare-test.outputs.tools-url }}
      - name: Build code
        run: ./build.sh
      - uses: ./../action/analyze
        with:
-          output: ${{ runner.temp }}/results
+          output: '${{ runner.temp }}/results'
          upload-database: false

      - name: Check results
        uses: ./../action/.github/actions/check-sarif
        with:
          sarif-file: ${{ runner.temp }}/results/javascript.sarif
-          queries-run:
-            javascript/example/empty-or-one-block,javascript/example/empty-or-one-block,javascript/example/other-query-block,javascript/example/two-block
+          queries-run: javascript/example/empty-or-one-block,javascript/example/empty-or-one-block,javascript/example/other-query-block,javascript/example/two-block
          queries-not-run: foo,bar

      - name: Assert Results
@@ -18,6 +18,9 @@ on:
      - synchronize
      - reopened
      - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -49,8 +52,7 @@ defaults:
    shell: bash
 concurrency:
  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group:
-    packaging-inputs-js-${{github.ref}}-${{inputs.go-version}}-${{inputs.dotnet-version}}
+  group: packaging-inputs-js-${{github.ref}}-${{inputs.go-version}}-${{inputs.dotnet-version}}
 jobs:
  packaging-inputs-js:
    strategy:
@@ -98,7 +100,7 @@ jobs:
          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - uses: ./../action/init
        with:
-          config-file: .github/codeql/codeql-config-packaging2.yml
+          config-file: '.github/codeql/codeql-config-packaging2.yml'
          languages: javascript
          packs: codeql-testing/codeql-pack1@1.0.0, codeql-testing/codeql-pack2, codeql-testing/codeql-pack3:other-query.ql
          tools: ${{ steps.prepare-test.outputs.tools-url }}
@@ -106,14 +108,13 @@ jobs:
        run: ./build.sh
      - uses: ./../action/analyze
        with:
-          output: ${{ runner.temp }}/results
+          output: '${{ runner.temp }}/results'

      - name: Check results
        uses: ./../action/.github/actions/check-sarif
        with:
          sarif-file: ${{ runner.temp }}/results/javascript.sarif
-          queries-run:
-            javascript/example/empty-or-one-block,javascript/example/empty-or-one-block,javascript/example/other-query-block,javascript/example/two-block
+          queries-run: javascript/example/empty-or-one-block,javascript/example/empty-or-one-block,javascript/example/other-query-block,javascript/example/two-block
          queries-not-run: foo,bar

      - name: Assert Results
@@ -18,6 +18,9 @@ on:
      - synchronize
      - reopened
      - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -59,8 +62,7 @@ defaults:
    shell: bash
 concurrency:
  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group:
-    remote-config-${{github.ref}}-${{inputs.go-version}}-${{inputs.python-version}}-${{inputs.dotnet-version}}
+  group: remote-config-${{github.ref}}-${{inputs.go-version}}-${{inputs.python-version}}-${{inputs.dotnet-version}}
 jobs:
  remote-config:
    strategy:
@@ -106,8 +108,7 @@ jobs:
        with:
          tools: ${{ steps.prepare-test.outputs.tools-url }}
          languages: cpp,csharp,java,javascript,python
-          config-file: ${{ github.repository }}/tests/multi-language-repo/.github/codeql/custom-queries.yml@${{
-            github.sha }}
+          config-file: ${{ github.repository }}/tests/multi-language-repo/.github/codeql/custom-queries.yml@${{ github.sha }}
      - name: Build code
        run: ./build.sh
      - uses: ./../action/analyze
@@ -18,6 +18,9 @@ on:
      - synchronize
      - reopened
      - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -81,8 +84,7 @@ jobs:
          language: javascript-typescript

      - name: Fail if JavaScript/TypeScript configuration present
-        if:
-          fromJSON(steps.resolve-environment-js.outputs.environment).configuration.javascript
+        if: fromJSON(steps.resolve-environment-js.outputs.environment).configuration.javascript
        run: exit 1
    env:
      CODEQL_ACTION_TEST_MODE: true
@@ -18,6 +18,9 @@ on:
      - synchronize
      - reopened
      - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -18,6 +18,9 @@ on:
      - synchronize
      - reopened
      - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -18,6 +18,9 @@ on:
      - synchronize
      - reopened
      - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -18,6 +18,9 @@ on:
      - synchronize
      - reopened
      - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -96,7 +99,7 @@ jobs:
          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - uses: ./../action/init
        with:
-          config-file: .github/codeql/codeql-config-packaging3.yml
+          config-file: '.github/codeql/codeql-config-packaging3.yml'
          packs: +codeql-testing/codeql-pack1@1.0.0
          languages: javascript
          tools: ${{ steps.prepare-test.outputs.tools-url }}
@@ -105,7 +108,7 @@ jobs:
      - uses: ./../action/analyze
        with:
          skip-queries: true
-          output: ${{ runner.temp }}/results
+          output: '${{ runner.temp }}/results'
          upload-database: false

      - name: Assert No Results
@@ -116,7 +119,7 @@ jobs:
          fi
      - uses: ./../action/analyze
        with:
-          output: ${{ runner.temp }}/results
+          output: '${{ runner.temp }}/results'
          upload-database: false
      - name: Assert Results
        run: |
@@ -18,6 +18,9 @@ on:
      - synchronize
      - reopened
      - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -68,8 +71,7 @@ jobs:
        id: proxy
        uses: ./../action/start-proxy
        with:
-          registry_secrets: '[{ "type": "nuget_feed", "url": "https://api.nuget.org/v3/index.json"
-            }]'
+          registry_secrets: '[{ "type": "nuget_feed", "url": "https://api.nuget.org/v3/index.json" }]'

      - name: Print proxy outputs
        run: |
@@ -78,8 +80,7 @@ jobs:
          echo "${{ steps.proxy.outputs.proxy_urls }}"

      - name: Fail if proxy outputs are not set
-        if: (!steps.proxy.outputs.proxy_host) || (!steps.proxy.outputs.proxy_port)
-          || (!steps.proxy.outputs.proxy_ca_certificate) || (!steps.proxy.outputs.proxy_urls)
+        if: (!steps.proxy.outputs.proxy_host) || (!steps.proxy.outputs.proxy_port) || (!steps.proxy.outputs.proxy_ca_certificate) || (!steps.proxy.outputs.proxy_urls)
        run: exit 1
    env:
      CODEQL_ACTION_TEST_MODE: true
@@ -18,6 +18,9 @@ on:
      - synchronize
      - reopened
      - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -46,8 +49,7 @@ jobs:
    if: github.triggering_actor != 'dependabot[bot]'
    permissions:
      contents: read
-      security-events: write # needed to upload the SARIF file
-
+      security-events: write
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
@@ -66,26 +68,20 @@ jobs:
          languages: javascript
          tools: ${{ steps.prepare-test.outputs.tools-url }}
      - name: Fail
-    # We want this job to pass if the Action correctly uploads the SARIF file for
-    # the failed run.
-    # Setting this step to continue on error means that it is marked as completing
-    # successfully, so will not fail the job.
+        # We want this job to pass if the Action correctly uploads the SARIF file for
+        # the failed run.
+        # Setting this step to continue on error means that it is marked as completing
+        # successfully, so will not fail the job.
        continue-on-error: true
        run: exit 1
      - uses: ./analyze
-    # In a real workflow, this step wouldn't run. Since we used `continue-on-error`
-    # above, we manually disable it with an `if` condition.
+        # In a real workflow, this step wouldn't run. Since we used `continue-on-error`
+        # above, we manually disable it with an `if` condition.
        if: false
        with:
-          category: /test-codeql-version:${{ matrix.version }}
+          category: '/test-codeql-version:${{ matrix.version }}'
    env:
-  # Internal-only environment variable used to indicate that the post-init Action
-  # should expect to upload a SARIF file for the failed run.
      CODEQL_ACTION_EXPECT_UPLOAD_FAILED_SARIF: true
-  # Make sure the uploading SARIF files feature is enabled.
      CODEQL_ACTION_UPLOAD_FAILED_SARIF: true
-  # Upload the failed SARIF file as an integration test of the API endpoint.
      CODEQL_ACTION_TEST_MODE: false
-  # Mark telemetry for this workflow so it can be treated separately.
      CODEQL_ACTION_TESTING_ENVIRONMENT: codeql-action-pr-checks
-
@@ -18,6 +18,9 @@ on:
      - synchronize
      - reopened
      - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -18,6 +18,9 @@ on:
      - synchronize
      - reopened
      - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -49,8 +52,7 @@ defaults:
    shell: bash
 concurrency:
  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group:
-    swift-custom-build-${{github.ref}}-${{inputs.go-version}}-${{inputs.dotnet-version}}
+  group: swift-custom-build-${{github.ref}}-${{inputs.go-version}}-${{inputs.dotnet-version}}
 jobs:
  swift-custom-build:
    strategy:
@@ -18,6 +18,9 @@ on:
      - synchronize
      - reopened
      - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -59,8 +62,7 @@ defaults:
    shell: bash
 concurrency:
  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group:
-    unset-environment-${{github.ref}}-${{inputs.go-version}}-${{inputs.python-version}}-${{inputs.dotnet-version}}
+  group: unset-environment-${{github.ref}}-${{inputs.go-version}}-${{inputs.python-version}}-${{inputs.dotnet-version}}
 jobs:
  unset-environment:
    strategy:
@@ -106,7 +108,7 @@ jobs:
        id: init
        with:
          db-location: ${{ runner.temp }}/customDbLocation
-      # Swift is not supported on Ubuntu so we manually exclude it from the list here
+          # Swift is not supported on Ubuntu so we manually exclude it from the list here
          languages: cpp,csharp,go,java,javascript,python,ruby
          tools: ${{ steps.prepare-test.outputs.tools-url }}
      - name: Build code
@@ -18,6 +18,9 @@ on:
      - synchronize
      - reopened
      - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -59,8 +62,7 @@ defaults:
    shell: bash
 concurrency:
  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group:
-    upload-ref-sha-input-${{github.ref}}-${{inputs.go-version}}-${{inputs.python-version}}-${{inputs.dotnet-version}}
+  group: upload-ref-sha-input-${{github.ref}}-${{inputs.go-version}}-${{inputs.python-version}}-${{inputs.dotnet-version}}
 jobs:
  upload-ref-sha-input:
    strategy:
@@ -104,19 +106,18 @@ jobs:
        with:
          tools: ${{ steps.prepare-test.outputs.tools-url }}
          languages: cpp,csharp,java,javascript,python
-          config-file: ${{ github.repository }}/tests/multi-language-repo/.github/codeql/custom-queries.yml@${{
-            github.sha }}
+          config-file: ${{ github.repository }}/tests/multi-language-repo/.github/codeql/custom-queries.yml@${{ github.sha }}
      - name: Build code
        run: ./build.sh
-  # Generate some SARIF we can upload with the upload-sarif step
+      # Generate some SARIF we can upload with the upload-sarif step
      - uses: ./../action/analyze
        with:
-          ref: refs/heads/main
-          sha: 5e235361806c361d4d3f8859e3c897658025a9a2
+          ref: 'refs/heads/main'
+          sha: '5e235361806c361d4d3f8859e3c897658025a9a2'
          upload: never
      - uses: ./../action/upload-sarif
        with:
-          ref: refs/heads/main
-          sha: 5e235361806c361d4d3f8859e3c897658025a9a2
+          ref: 'refs/heads/main'
+          sha: '5e235361806c361d4d3f8859e3c897658025a9a2'
    env:
      CODEQL_ACTION_TEST_MODE: true
@@ -18,6 +18,9 @@ on:
      - synchronize
      - reopened
      - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -59,8 +62,7 @@ defaults:
    shell: bash
 concurrency:
  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group:
-    upload-sarif-${{github.ref}}-${{inputs.go-version}}-${{inputs.python-version}}-${{inputs.dotnet-version}}
+  group: upload-sarif-${{github.ref}}-${{inputs.go-version}}-${{inputs.python-version}}-${{inputs.dotnet-version}}
 jobs:
  upload-sarif:
    strategy:
@@ -114,11 +116,11 @@ jobs:
          analysis-kinds: ${{ matrix.analysis-kinds }}
      - name: Build code
        run: ./build.sh
-  # Generate some SARIF we can upload with the upload-sarif step
+      # Generate some SARIF we can upload with the upload-sarif step
      - uses: ./../action/analyze
        with:
-          ref: refs/heads/main
-          sha: 5e235361806c361d4d3f8859e3c897658025a9a2
+          ref: 'refs/heads/main'
+          sha: '5e235361806c361d4d3f8859e3c897658025a9a2'
          upload: never
          output: ${{ runner.temp }}/results

@@ -127,15 +129,15 @@ jobs:
        uses: ./../action/upload-sarif
        id: upload-sarif
        with:
-          ref: refs/heads/main
-          sha: 5e235361806c361d4d3f8859e3c897658025a9a2
+          ref: 'refs/heads/main'
+          sha: '5e235361806c361d4d3f8859e3c897658025a9a2'
          sarif_file: ${{ runner.temp }}/results
          category: |
            ${{ github.workflow }}:upload-sarif/analysis-kinds:${{ matrix.analysis-kinds }}/os:${{ matrix.os }}/version:${{ matrix.version }}/test:all-files/
-      - name: Fail for missing output from `upload-sarif` step for `code-scanning`
+      - name: 'Fail for missing output from `upload-sarif` step for `code-scanning`'
        if: contains(matrix.analysis-kinds, 'code-scanning') && !(fromJSON(steps.upload-sarif.outputs.sarif-ids).code-scanning)
        run: exit 1
-      - name: Fail for missing output from `upload-sarif` step for `code-quality`
+      - name: 'Fail for missing output from `upload-sarif` step for `code-quality`'
        if: contains(matrix.analysis-kinds, 'code-quality') && !(fromJSON(steps.upload-sarif.outputs.sarif-ids).code-quality)
        run: exit 1

@@ -144,28 +146,26 @@ jobs:
        id: upload-single-sarif-code-scanning
        if: contains(matrix.analysis-kinds, 'code-scanning')
        with:
-          ref: refs/heads/main
-          sha: 5e235361806c361d4d3f8859e3c897658025a9a2
+          ref: 'refs/heads/main'
+          sha: '5e235361806c361d4d3f8859e3c897658025a9a2'
          sarif_file: ${{ runner.temp }}/results/javascript.sarif
          category: |
            ${{ github.workflow }}:upload-sarif/analysis-kinds:${{ matrix.analysis-kinds }}/os:${{ matrix.os }}/version:${{ matrix.version }}/test:single-code-scanning/
-      - name: Fail for missing output from `upload-single-sarif-code-scanning` step
-        if: contains(matrix.analysis-kinds, 'code-scanning') &&
-          !(fromJSON(steps.upload-single-sarif-code-scanning.outputs.sarif-ids).code-scanning)
+      - name: 'Fail for missing output from `upload-single-sarif-code-scanning` step'
+        if: contains(matrix.analysis-kinds, 'code-scanning') && !(fromJSON(steps.upload-single-sarif-code-scanning.outputs.sarif-ids).code-scanning)
        run: exit 1
      - name: Upload single SARIF file for Code Quality
        uses: ./../action/upload-sarif
        id: upload-single-sarif-code-quality
        if: contains(matrix.analysis-kinds, 'code-quality')
        with:
-          ref: refs/heads/main
-          sha: 5e235361806c361d4d3f8859e3c897658025a9a2
+          ref: 'refs/heads/main'
+          sha: '5e235361806c361d4d3f8859e3c897658025a9a2'
          sarif_file: ${{ runner.temp }}/results/javascript.quality.sarif
          category: |
            ${{ github.workflow }}:upload-sarif/analysis-kinds:${{ matrix.analysis-kinds }}/os:${{ matrix.os }}/version:${{ matrix.version }}/test:single-code-quality/
-      - name: Fail for missing output from `upload-single-sarif-code-quality` step
-        if: contains(matrix.analysis-kinds, 'code-quality') &&
-          !(fromJSON(steps.upload-single-sarif-code-quality.outputs.sarif-ids).code-quality)
+      - name: 'Fail for missing output from `upload-single-sarif-code-quality` step'
+        if: contains(matrix.analysis-kinds, 'code-quality') && !(fromJSON(steps.upload-single-sarif-code-quality.outputs.sarif-ids).code-quality)
        run: exit 1

      - name: Change SARIF file extension
@@ -176,12 +176,12 @@ jobs:
        id: upload-single-non-sarif
        if: contains(matrix.analysis-kinds, 'code-scanning')
        with:
-          ref: refs/heads/main
-          sha: 5e235361806c361d4d3f8859e3c897658025a9a2
+          ref: 'refs/heads/main'
+          sha: '5e235361806c361d4d3f8859e3c897658025a9a2'
          sarif_file: ${{ runner.temp }}/results/javascript.sarif.json
          category: |
            ${{ github.workflow }}:upload-sarif/analysis-kinds:${{ matrix.analysis-kinds }}/os:${{ matrix.os }}/version:${{ matrix.version }}/test:non-sarif/
-      - name: Fail for missing output from `upload-single-non-sarif` step
+      - name: 'Fail for missing output from `upload-single-non-sarif` step'
        if: contains(matrix.analysis-kinds, 'code-scanning') && !(fromJSON(steps.upload-single-non-sarif.outputs.sarif-ids).code-scanning)
        run: exit 1
    env:
@@ -18,6 +18,9 @@ on:
      - synchronize
      - reopened
      - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -59,8 +62,7 @@ defaults:
    shell: bash
 concurrency:
  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group:
-    with-checkout-path-${{github.ref}}-${{inputs.go-version}}-${{inputs.python-version}}-${{inputs.dotnet-version}}
+  group: with-checkout-path-${{github.ref}}-${{inputs.go-version}}-${{inputs.python-version}}-${{inputs.dotnet-version}}
 jobs:
  with-checkout-path:
    strategy:
@@ -77,6 +79,7 @@ jobs:
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
+      # This ensures we don't accidentally use the original checkout for any part of the test.
      - name: Check out repository
        uses: actions/checkout@v6
      - name: Prepare test
@@ -106,8 +109,8 @@ jobs:
          # Actions does not support deleting the current working directory, so we
          # delete the contents of the directory instead.
          rm -rf ./* .github .git
-  # Check out the actions repo again, but at a different location.
-  # choose an arbitrary SHA so that we can later test that the commit_oid is not from main
+      # Check out the actions repo again, but at a different location.
+      # choose an arbitrary SHA so that we can later test that the commit_oid is not from main
      - uses: actions/checkout@v6
        with:
          ref: 474bbf07f9247ffe1856c6a0f94aeeb10e7afee6
@@ -116,7 +119,7 @@ jobs:
      - uses: ./../action/init
        with:
          tools: ${{ steps.prepare-test.outputs.tools-url }}
-      # it's enough to test one compiled language and one interpreted language
+          # it's enough to test one compiled language and one interpreted language
          languages: csharp,javascript
          source-root: x/y/z/some-path/tests/multi-language-repo

@@ -7,6 +7,8 @@ on:
    # Run checks on reopened draft PRs to support triggering PR checks on draft PRs that were opened
    # by other workflows.
    types: [opened, synchronize, reopened, ready_for_review]
+  merge_group:
+    types: [checks_requested]
  schedule:
    # Weekly on Sunday.
    - cron: '30 1 * * 0'
@@ -29,34 +31,29 @@ jobs:

    permissions:
      contents: read
+      # We currently need `security-events: read` to access feature flags.
+      security-events: read

    steps:
    - uses: actions/checkout@v6
-    - name: Init with default CodeQL bundle from the VM image
-      id: init-default
-      uses: ./init
-      with:
-        languages: javascript
-    - name: Remove empty database
-      # allows us to run init a second time
-      run: |
-        rm -rf "$RUNNER_TEMP/codeql_databases"
-    - name: Init with latest CodeQL bundle
-      id: init-latest
-      uses: ./init
+    - name: Set up default CodeQL bundle
+      id: setup-default
+      uses: ./setup-codeql
+    - name: Set up linked CodeQL bundle
+      id: setup-linked
+      uses: ./setup-codeql
      with:
        tools: linked
-        languages: javascript
-    - name: Compare default and latest CodeQL bundle versions
+    - name: Compare default and linked CodeQL bundle versions
      id: compare
      env:
-        CODEQL_DEFAULT: ${{ steps.init-default.outputs.codeql-path }}
-        CODEQL_LATEST: ${{ steps.init-latest.outputs.codeql-path }}
+        CODEQL_DEFAULT: ${{ steps.setup-default.outputs.codeql-path }}
+        CODEQL_LINKED: ${{ steps.setup-linked.outputs.codeql-path }}
      run: |
        CODEQL_VERSION_DEFAULT="$("$CODEQL_DEFAULT" version --format terse)"
-        CODEQL_VERSION_LATEST="$("$CODEQL_LATEST" version --format terse)"
+        CODEQL_VERSION_LINKED="$("$CODEQL_LINKED" version --format terse)"
        echo "Default CodeQL bundle version is $CODEQL_VERSION_DEFAULT"
-        echo "Latest CodeQL bundle version is $CODEQL_VERSION_LATEST"
+        echo "Linked CodeQL bundle version is $CODEQL_VERSION_LINKED"

        # If we're running on a pull request, run with both bundles, even if `tools: linked` would
        # be the same as `tools: null`. This allows us to make the job for each of the bundles a
@@ -64,7 +61,7 @@ jobs:
        #
        # If we're running on push or schedule, then we can skip running with `tools: linked` when it would be
        # the same as running with `tools: null`.
-        if [[ "$GITHUB_EVENT_NAME" != "pull_request" && "$CODEQL_VERSION_DEFAULT" == "$CODEQL_VERSION_LATEST" ]]; then
+        if [[ "$GITHUB_EVENT_NAME" != "pull_request" && "$GITHUB_EVENT_NAME" != "merge_group" && "$CODEQL_VERSION_DEFAULT" == "$CODEQL_VERSION_LINKED" ]]; then
          VERSIONS_JSON='[null]'
        else
          VERSIONS_JSON='[null, "linked"]'
@@ -108,7 +105,7 @@ jobs:
      uses: ./analyze
      with:
        category: "/language:javascript"
-        upload: ${{ (matrix.os == 'ubuntu-24.04' && !matrix.tools && 'always') || 'never' }}
+        upload: ${{ (matrix.os == 'ubuntu-24.04' && !matrix.tools && github.event_name != 'merge_group' && 'always' ) || 'never' }}

  analyze-other:
    if: github.triggering_actor != 'dependabot[bot]'
@@ -143,3 +140,4 @@ jobs:
      uses: ./analyze
      with:
        category: "/language:${{ matrix.language }}"
+        upload: ${{ (github.event_name != 'merge_group' && 'always') || 'never' }}
@@ -11,6 +11,8 @@ env:
  CODEQL_ACTION_OVERLAY_ANALYSIS: true
  CODEQL_ACTION_OVERLAY_ANALYSIS_JAVASCRIPT: false
  CODEQL_ACTION_OVERLAY_ANALYSIS_CODE_SCANNING_JAVASCRIPT: true
+  CODEQL_ACTION_OVERLAY_ANALYSIS_STATUS_CHECK: false
+  CODEQL_ACTION_OVERLAY_ANALYSIS_SKIP_RESOURCE_CHECKS: true

 on:
  push:
@@ -23,9 +25,11 @@ on:
    - synchronize
    - reopened
    - ready_for_review
+  merge_group:
+    types: [checks_requested]
  schedule:
    - cron: '0 5 * * *'
-  workflow_dispatch: {}
+  workflow_dispatch:

 defaults:
  run:
@@ -14,9 +14,11 @@ on:
    - synchronize
    - reopened
    - ready_for_review
+  merge_group:
+    types: [checks_requested]
  schedule:
    - cron: '0 5 * * *'
-  workflow_dispatch: {}
+  workflow_dispatch:

 defaults:
  run:
@@ -39,6 +41,8 @@ jobs:
      CODEQL_ACTION_TEST_MODE: true
    permissions:
      contents: read
+      # We currently need `security-events: read` to access feature flags.
+      security-events: read
    timeout-minutes: 45
    runs-on: ubuntu-latest
    steps:
@@ -13,9 +13,11 @@ on:
    - synchronize
    - reopened
    - ready_for_review
+  merge_group:
+    types: [checks_requested]
  schedule:
    - cron: '0 5 * * *'
-  workflow_dispatch: {}
+  workflow_dispatch:

 defaults:
  run:
@@ -38,6 +40,8 @@ jobs:
    timeout-minutes: 45
    permissions:
      contents: read
+      # We currently need `security-events: read` to access feature flags.
+      security-events: read
    runs-on: ubuntu-latest
    steps:
      - name: Check out repository
@@ -6,6 +6,8 @@ on:
    # Run checks on reopened draft PRs to support triggering PR checks on draft PRs that were opened
    # by other workflows.
    types: [opened, synchronize, reopened, ready_for_review]
+  merge_group:
+    types: [checks_requested]
  workflow_dispatch:

 defaults:
@@ -40,11 +42,6 @@ jobs:
          node-version: ${{ matrix.node-version }}
          cache: 'npm'

-      - name: Set up Python
-        uses: actions/setup-python@v6
-        with:
-          python-version: 3.11
-
      - name: Install dependencies
        run: |
          # Use the system Bash shell to ensure we can run commands like `npm ci`
@@ -66,7 +63,7 @@ jobs:
      - name: Run pr-checks tests
        if: always()
        working-directory: pr-checks
-        run: python -m unittest discover
+        run: npm ci && npx tsx --test

      - name: Lint
        if: always() && matrix.os != 'windows-latest'
@@ -80,7 +77,7 @@ jobs:
          category: eslint

  check-node-version:
-    if: github.event.pull_request && github.triggering_actor != 'dependabot[bot]'
+    if: github.triggering_actor != 'dependabot[bot]'
    name: Check Action Node versions
    runs-on: ubuntu-latest
    timeout-minutes: 45
@@ -7,6 +7,8 @@ on:
    # Run checks on reopened draft PRs to support triggering PR checks on draft PRs that were opened
    # by other workflows.
    types: [opened, synchronize, reopened, ready_for_review]
+  merge_group:
+    types: [checks_requested]
  schedule:
    # Weekly on Monday.
    - cron: '0 0 * * 1'
@@ -24,6 +26,8 @@ jobs:
    timeout-minutes: 45
    permissions:
      contents: read
+      # We currently need `security-events: read` to access feature flags.
+      security-events: read
    runs-on: windows-latest

    steps:
@@ -11,9 +11,11 @@ on:
    - synchronize
    - reopened
    - ready_for_review
+  merge_group:
+    types: [checks_requested]
  schedule:
    - cron: '0 5 * * *'
-  workflow_dispatch: {}
+  workflow_dispatch:

 defaults:
  run:
@@ -73,24 +73,17 @@ jobs:
          npm run lint -- --fix
          npm run build

-      - name: Set up Python
-        uses: actions/setup-python@v6
-        with:
-          python-version: 3.11
-
      - name: Sync back version updates to generated workflows
        # Only sync back versions on Dependabot update PRs
        if: startsWith(env.HEAD_REF, 'dependabot/')
        working-directory: pr-checks
        run: |
-          python3 sync_back.py -v
+          npm ci
+          npx tsx sync_back.ts --verbose

      - name: Generate workflows
        working-directory: pr-checks
-        run: |
-          python -m pip install --upgrade pip
-          pip install ruamel.yaml==0.17.31
-          python3 sync.py
+        run: ./sync.sh

      - name: "Merge in progress: Finish merge and push"
        if: steps.merge.outputs.merge-in-progress == 'true'
@@ -29,7 +29,7 @@ fi
 echo "Getting checks for $GITHUB_SHA"

 # Ignore any checks with "https://", CodeQL, LGTM, Update, and ESLint checks.
-CHECKS="$(gh api repos/github/codeql-action/commits/"${GITHUB_SHA}"/check-runs --paginate | jq --slurp --compact-output --raw-output '[.[].check_runs.[] | select(.conclusion != "skipped") | .name | select(contains("https://") or . == "CodeQL" or . == "Dependabot" or . == "check-expected-release-files" or contains("Update") or contains("ESLint") or contains("update") or contains("test-setup-python-scripts") or . == "Agent" or . == "Cleanup artifacts" or . == "Prepare" or . == "Upload results" | not)] | unique | sort')"
+CHECKS="$(gh api repos/github/codeql-action/commits/"${GITHUB_SHA}"/check-runs --paginate | jq --slurp --compact-output --raw-output '[.[].check_runs.[] | select(.conclusion != "skipped") | .name | select(contains("https://") or . == "CodeQL" or . == "Dependabot" or . == "check-expected-release-files" or contains("Update") or contains("ESLint") or contains("update") or contains("test-setup-python-scripts") or . == "Agent" or . == "Cleanup artifacts" or . == "Prepare" or . == "Upload results" or . == "Label PR with size" | not)] | unique | sort')"

 echo "$CHECKS" | jq

@@ -19,7 +19,7 @@ if [ ! -z "$(git status --porcelain)" ]; then
    # If we get a fail here then the PR needs attention
    git diff
    git status
-    >&2 echo "Failed: PR checks are not up to date. Run 'cd pr-checks && python3 sync.py' to update"
+    >&2 echo "Failed: PR checks are not up to date. Run 'cd pr-checks && ./sync.sh' to update"

    echo "### Generated workflows diff" >> $GITHUB_STEP_SUMMARY
    echo "" >> $GITHUB_STEP_SUMMARY
@@ -13,9 +13,11 @@ on:
    - synchronize
    - reopened
    - ready_for_review
+  merge_group:
+    types: [checks_requested]
  schedule:
    - cron: '0 5 * * *'
-  workflow_dispatch: {}
+  workflow_dispatch:
 defaults:
  run:
    shell: bash
@@ -6,6 +6,16 @@ See the [releases page](https://github.com/github/codeql-action/releases) for th

 No user facing changes.

+## 4.32.5 - 02 Mar 2026
+
+- Repositories owned by an organization can now set up the `github-codeql-disable-overlay` custom repository property to disable [improved incremental analysis for CodeQL](https://github.com/github/roadmap/issues/1158). First, create a custom repository property with the name `github-codeql-disable-overlay` and the type "True/false" in the organization's settings. Then in the repository's settings, set this property to `true` to disable improved incremental analysis. For more information, see [Managing custom properties for repositories in your organization](https://docs.github.com/en/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization). This feature is not yet available on GitHub Enterprise Server. [#3507](https://github.com/github/codeql-action/pull/3507)
+- Added an experimental change so that when [improved incremental analysis](https://github.com/github/roadmap/issues/1158) fails on a runner — potentially due to insufficient disk space — the failure is recorded in the Actions cache so that subsequent runs will automatically skip improved incremental analysis until something changes (e.g. a larger runner is provisioned or a new CodeQL version is released). We expect to roll this change out to everyone in March. [#3487](https://github.com/github/codeql-action/pull/3487)
+- The minimum memory check for improved incremental analysis is now skipped for CodeQL 2.24.3 and later, which has reduced peak RAM usage. [#3515](https://github.com/github/codeql-action/pull/3515)
+- Reduced log levels for best-effort private package registry connection check failures to reduce noise from workflow annotations. [#3516](https://github.com/github/codeql-action/pull/3516)
+- Added an experimental change which lowers the minimum disk space requirement for [improved incremental analysis](https://github.com/github/roadmap/issues/1158), enabling it to run on standard GitHub Actions runners. We expect to roll this change out to everyone in March. [#3498](https://github.com/github/codeql-action/pull/3498)
+- Added an experimental change which allows the `start-proxy` action to resolve the CodeQL CLI version from feature flags instead of using the linked CLI bundle version. We expect to roll this change out to everyone in March. [#3512](https://github.com/github/codeql-action/pull/3512)
+- The previously experimental changes from versions 4.32.3, 4.32.4, 3.32.3 and 3.32.4 are now enabled by default. [#3503](https://github.com/github/codeql-action/pull/3503), [#3504](https://github.com/github/codeql-action/pull/3504)
+
 ## 4.32.4 - 20 Feb 2026

 - Update default CodeQL bundle version to [2.24.2](https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.24.2). [#3493](https://github.com/github/codeql-action/pull/3493)
@@ -92,7 +92,7 @@ We typically deprecate a version of CodeQL when the GitHub Enterprise Server (GH
 1. Remove support for the old version of CodeQL.
    - Bump `CODEQL_MINIMUM_VERSION` in `src/codeql.ts` to the new minimum version of CodeQL.
    - Remove any code that is only needed to support the old version of CodeQL. This is often behind a version guard, so look for instances of version numbers between the old minimum version and the new minimum version in the codebase. A good place to start is the list of version numbers in `src/codeql.ts`.
-    - Update the default set of CodeQL test versions in `pr-checks/sync.py`.
+    - Update the default set of CodeQL test versions in `pr-checks/sync.ts`.
        - Remove the old minimum version of CodeQL.
        - Add the latest patch release for any new CodeQL minor version series that have shipped in GHES.
        - Run the script to update the generated PR checks.
@@ -72,10 +72,12 @@ We typically release new minor versions of the CodeQL Action and Bundle when a n

 | Minimum CodeQL Action | Minimum CodeQL Bundle Version | GitHub Environment | Notes |
 |-----------------------|-------------------------------|--------------------|-------|
-| `v3.28.21`  | `2.21.3` | Enterprise Server 3.18 | |
-| `v3.28.12`  | `2.20.7` | Enterprise Server 3.17 | |
-| `v3.28.6`  | `2.20.3` | Enterprise Server 3.16 | |
-| `v3.28.6`  | `2.20.3` | Enterprise Server 3.15 | |
+| `v4.31.10` | `2.23.9` | Enterprise Server 3.20 | |
+| `v3.29.11` | `2.22.4` | Enterprise Server 3.19 | |
+| `v3.28.21` | `2.21.3` | Enterprise Server 3.18 | |
+| `v3.28.12` | `2.20.7` | Enterprise Server 3.17 | |
+| `v3.28.6` | `2.20.3` | Enterprise Server 3.16 | |
+| `v3.28.6` | `2.20.3` | Enterprise Server 3.15 | |
 | `v3.28.6` | `2.20.3` | Enterprise Server 3.14 | |

 See the full list of GHES release and deprecation dates at [GitHub Enterprise Server releases](https://docs.github.com/en/enterprise-server/admin/all-releases#releases-of-github-enterprise-server).
@@ -21,6 +21,7 @@ export default [
      "build.mjs",
      "eslint.config.mjs",
      ".github/**/*",
+      "pr-checks/**/*",
    ],
  },
  // eslint recommended config
@@ -159,6 +159,11 @@ inputs:
    description: >-
      Explicitly enable or disable caching of project build dependencies.
    required: false
+  check-run-id:
+    description: >-
+      [Internal] The ID of the check run, as provided by the Actions runtime environment. Do not set this value manually.
+    default: ${{ job.check_run_id }}
+    required: false
 outputs:
  codeql-path:
    description: The path of the CodeQL binary used for analysis
@@ -1,12 +1,12 @@
 {
  "name": "codeql",
-  "version": "4.32.5",
+  "version": "4.32.6",
  "lockfileVersion": 3,
  "requires": true,
  "packages": {
    "": {
      "name": "codeql",
-      "version": "4.32.5",
+      "version": "4.32.6",
      "license": "MIT",
      "dependencies": {
        "@actions/artifact": "^5.0.3",
@@ -43,6 +43,7 @@
        "@types/js-yaml": "^4.0.9",
        "@types/node": "^20.19.9",
        "@types/node-forge": "^1.3.14",
+        "@types/sarif": "^2.1.7",
        "@types/semver": "^7.7.1",
        "@types/sinon": "^21.0.0",
        "ava": "^6.4.1",
@@ -51,10 +52,10 @@
        "eslint-import-resolver-typescript": "^3.8.7",
        "eslint-plugin-github": "^6.0.0",
        "eslint-plugin-import-x": "^4.16.1",
-        "eslint-plugin-jsdoc": "^62.5.0",
+        "eslint-plugin-jsdoc": "^62.6.0",
        "eslint-plugin-no-async-foreach": "^0.1.1",
        "glob": "^11.1.0",
-        "globals": "^16.5.0",
+        "globals": "^17.3.0",
        "nock": "^14.0.11",
        "sinon": "^21.0.1",
        "typescript": "^5.9.3",
@@ -849,17 +850,17 @@
      }
    },
    "node_modules/@es-joy/jsdoccomment": {
-      "version": "0.83.0",
-      "resolved": "https://registry.npmjs.org/@es-joy/jsdoccomment/-/jsdoccomment-0.83.0.tgz",
-      "integrity": "sha512-e1MHSEPJ4m35zkBvNT6kcdeH1SvMaJDsPC3Xhfseg3hvF50FUE3f46Yn36jgbrPYYXezlWUQnevv23c+lx2MCA==",
+      "version": "0.84.0",
+      "resolved": "https://registry.npmjs.org/@es-joy/jsdoccomment/-/jsdoccomment-0.84.0.tgz",
+      "integrity": "sha512-0xew1CxOam0gV5OMjh2KjFQZsKL2bByX1+q4j3E73MpYIdyUxcZb/xQct9ccUb+ve5KGUYbCUxyPnYB7RbuP+w==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
        "@types/estree": "^1.0.8",
-        "@typescript-eslint/types": "^8.53.1",
+        "@typescript-eslint/types": "^8.54.0",
        "comment-parser": "1.4.5",
        "esquery": "^1.7.0",
-        "jsdoc-type-pratt-parser": "~7.1.0"
+        "jsdoc-type-pratt-parser": "~7.1.1"
      },
      "engines": {
        "node": "^20.19.0 || ^22.13.0 || >=24"
@@ -1607,27 +1608,6 @@
        "url": "https://github.com/sponsors/nzakas"
      }
    },
-    "node_modules/@isaacs/balanced-match": {
-      "version": "4.0.1",
-      "resolved": "https://registry.npmjs.org/@isaacs/balanced-match/-/balanced-match-4.0.1.tgz",
-      "integrity": "sha512-yzMTt9lEb8Gv7zRioUilSglI0c0smZ9k5D65677DLWLtWJaXIS3CqcGyUFByYKlnUj6TkjLVs54fBl6+TiGQDQ==",
-      "license": "MIT",
-      "engines": {
-        "node": "20 || >=22"
-      }
-    },
-    "node_modules/@isaacs/brace-expansion": {
-      "version": "5.0.1",
-      "resolved": "https://registry.npmjs.org/@isaacs/brace-expansion/-/brace-expansion-5.0.1.tgz",
-      "integrity": "sha512-WMz71T1JS624nWj2n2fnYAuPovhv7EUhk69R6i9dsVyzxt5eM3bjwvgk9L+APE1TRscGysAVMANkB0jh0LQZrQ==",
-      "license": "MIT",
-      "dependencies": {
-        "@isaacs/balanced-match": "^4.0.1"
-      },
-      "engines": {
-        "node": "20 || >=22"
-      }
-    },
    "node_modules/@isaacs/cliui": {
      "version": "8.0.2",
      "resolved": "https://registry.npmjs.org/@isaacs/cliui/-/cliui-8.0.2.tgz",
@@ -2543,6 +2523,13 @@
        "@types/node": "*"
      }
    },
+    "node_modules/@types/sarif": {
+      "version": "2.1.7",
+      "resolved": "https://registry.npmjs.org/@types/sarif/-/sarif-2.1.7.tgz",
+      "integrity": "sha512-kRz0VEkJqWLf1LLVN4pT1cg1Z9wAuvI6L97V3m2f5B76Tg8d413ddvLBPTEHAZJlnn4XSvu0FkZtViCQGVyrXQ==",
+      "dev": true,
+      "license": "MIT"
+    },
    "node_modules/@types/semver": {
      "version": "7.7.1",
      "resolved": "https://registry.npmjs.org/@types/semver/-/semver-7.7.1.tgz",
@@ -2836,13 +2823,13 @@
      }
    },
    "node_modules/@typescript-eslint/typescript-estree/node_modules/minimatch": {
-      "version": "9.0.5",
-      "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-9.0.5.tgz",
-      "integrity": "sha512-G6T0ZX48xgozx7587koeX9Ys2NYy6Gmv//P89sEte9V9whIapMNF4idKxnW2QtCcLiTWlb/wfCabAtAFWhhBow==",
+      "version": "9.0.9",
+      "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-9.0.9.tgz",
+      "integrity": "sha512-OBwBN9AL4dqmETlpS2zasx+vTeWclWzkblfZk7KTA5j3jeOONz/tRCnZomUyvNg83wL5Zv9Ss6HMJXAgL8R2Yg==",
      "dev": true,
      "license": "ISC",
      "dependencies": {
-        "brace-expansion": "^2.0.1"
+        "brace-expansion": "^2.0.2"
      },
      "engines": {
        "node": ">=16 || 14 >=14.17"
@@ -5019,6 +5006,19 @@
        "node": "^18.18.0 || ^20.9.0 || >=21.1.0"
      }
    },
+    "node_modules/eslint-plugin-github/node_modules/globals": {
+      "version": "16.5.0",
+      "resolved": "https://registry.npmjs.org/globals/-/globals-16.5.0.tgz",
+      "integrity": "sha512-c/c15i26VrJ4IRt5Z89DnIzCGDn9EcebibhAOjw5ibqEHsE1wLUgkPn9RDmNcUKyU87GeaL633nyJ+pplFR2ZQ==",
+      "dev": true,
+      "license": "MIT",
+      "engines": {
+        "node": ">=18"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/sindresorhus"
+      }
+    },
    "node_modules/eslint-plugin-i18n-text": {
      "version": "1.0.1",
      "dev": true,
@@ -5122,9 +5122,9 @@
      }
    },
    "node_modules/eslint-plugin-import-x/node_modules/minimatch": {
-      "version": "10.2.2",
-      "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-10.2.2.tgz",
-      "integrity": "sha512-+G4CpNBxa5MprY+04MbgOw1v7So6n5JY166pFi9KfYwT78fxScCeSNQSNzp6dpPSW2rONOps6Ocam1wFhCgoVw==",
+      "version": "10.2.4",
+      "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-10.2.4.tgz",
+      "integrity": "sha512-oRjTw/97aTBN0RHbYCdtF1MQfvusSIBQM0IZEgzl6426+8jSC0nF1a/GmnVLpfB9yyr6g6FTqWqiZVbxrtaCIg==",
      "dev": true,
      "license": "BlueOak-1.0.0",
      "dependencies": {
@@ -5146,13 +5146,13 @@
      }
    },
    "node_modules/eslint-plugin-jsdoc": {
-      "version": "62.5.0",
-      "resolved": "https://registry.npmjs.org/eslint-plugin-jsdoc/-/eslint-plugin-jsdoc-62.5.0.tgz",
-      "integrity": "sha512-D+1haMVDzW/ZMoPwOnsbXCK07rJtsq98Z1v+ApvDKxSzYTTcPgmFc/nyUDCGmxm2cP7g7hszyjYHO7Zodl/43w==",
+      "version": "62.6.0",
+      "resolved": "https://registry.npmjs.org/eslint-plugin-jsdoc/-/eslint-plugin-jsdoc-62.6.0.tgz",
+      "integrity": "sha512-Z18zZD1Q2m9usqFbAzb30z+lF8bzE4WiUy+dfOXljJlZ1Jm5uhkuAWfGV97FYyh+WlKfrvpDYs+s1z45eZWMfA==",
      "dev": true,
      "license": "BSD-3-Clause",
      "dependencies": {
-        "@es-joy/jsdoccomment": "~0.83.0",
+        "@es-joy/jsdoccomment": "~0.84.0",
        "@es-joy/resolve.exports": "1.2.0",
        "are-docs-informative": "^0.0.2",
        "comment-parser": "1.4.5",
@@ -5637,10 +5637,22 @@
      "dev": true,
      "license": "MIT"
    },
+    "node_modules/fast-xml-builder": {
+      "version": "1.0.0",
+      "resolved": "https://registry.npmjs.org/fast-xml-builder/-/fast-xml-builder-1.0.0.tgz",
+      "integrity": "sha512-fpZuDogrAgnyt9oDDz+5DBz0zgPdPZz6D4IR7iESxRXElrlGTRkHJ9eEt+SACRJwT0FNFrt71DFQIUFBJfX/uQ==",
+      "funding": [
+        {
+          "type": "github",
+          "url": "https://github.com/sponsors/NaturalIntelligence"
+        }
+      ],
+      "license": "MIT"
+    },
    "node_modules/fast-xml-parser": {
-      "version": "5.3.6",
-      "resolved": "https://registry.npmjs.org/fast-xml-parser/-/fast-xml-parser-5.3.6.tgz",
-      "integrity": "sha512-QNI3sAvSvaOiaMl8FYU4trnEzCwiRr8XMWgAHzlrWpTSj+QaCSvOf1h82OEP1s4hiAXhnbXSyFWCf4ldZzZRVA==",
+      "version": "5.4.1",
+      "resolved": "https://registry.npmjs.org/fast-xml-parser/-/fast-xml-parser-5.4.1.tgz",
+      "integrity": "sha512-BQ30U1mKkvXQXXkAGcuyUA/GA26oEB7NzOtsxCDtyu62sjGw5QraKFhx2Em3WQNjPw9PG6MQ9yuIIgkSDfGu5A==",
      "funding": [
        {
          "type": "github",
@@ -5649,6 +5661,7 @@
      ],
      "license": "MIT",
      "dependencies": {
+        "fast-xml-builder": "^1.0.0",
        "strnum": "^2.1.2"
      },
      "bin": {
@@ -6010,25 +6023,46 @@
        "node": ">= 6"
      }
    },
-    "node_modules/glob/node_modules/minimatch": {
-      "version": "10.1.1",
-      "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-10.1.1.tgz",
-      "integrity": "sha512-enIvLvRAFZYXJzkCYG5RKmPfrFArdLv+R+lbQ53BmIMLIry74bjKzX6iHAm8WYamJkhSSEabrWN5D97XnKObjQ==",
-      "license": "BlueOak-1.0.0",
+    "node_modules/glob/node_modules/balanced-match": {
+      "version": "4.0.4",
+      "resolved": "https://registry.npmjs.org/balanced-match/-/balanced-match-4.0.4.tgz",
+      "integrity": "sha512-BLrgEcRTwX2o6gGxGOCNyMvGSp35YofuYzw9h1IMTRmKqttAZZVU67bdb9Pr2vUHA8+j3i2tJfjO6C6+4myGTA==",
+      "license": "MIT",
+      "engines": {
+        "node": "18 || 20 || >=22"
+      }
+    },
+    "node_modules/glob/node_modules/brace-expansion": {
+      "version": "5.0.3",
+      "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-5.0.3.tgz",
+      "integrity": "sha512-fy6KJm2RawA5RcHkLa1z/ScpBeA762UF9KmZQxwIbDtRJrgLzM10depAiEQ+CXYcoiqW1/m96OAAoke2nE9EeA==",
+      "license": "MIT",
      "dependencies": {
-        "@isaacs/brace-expansion": "^5.0.0"
+        "balanced-match": "^4.0.2"
      },
      "engines": {
-        "node": "20 || >=22"
+        "node": "18 || 20 || >=22"
+      }
+    },
+    "node_modules/glob/node_modules/minimatch": {
+      "version": "10.2.4",
+      "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-10.2.4.tgz",
+      "integrity": "sha512-oRjTw/97aTBN0RHbYCdtF1MQfvusSIBQM0IZEgzl6426+8jSC0nF1a/GmnVLpfB9yyr6g6FTqWqiZVbxrtaCIg==",
+      "license": "BlueOak-1.0.0",
+      "dependencies": {
+        "brace-expansion": "^5.0.2"
+      },
+      "engines": {
+        "node": "18 || 20 || >=22"
      },
      "funding": {
        "url": "https://github.com/sponsors/isaacs"
      }
    },
    "node_modules/globals": {
-      "version": "16.5.0",
-      "resolved": "https://registry.npmjs.org/globals/-/globals-16.5.0.tgz",
-      "integrity": "sha512-c/c15i26VrJ4IRt5Z89DnIzCGDn9EcebibhAOjw5ibqEHsE1wLUgkPn9RDmNcUKyU87GeaL633nyJ+pplFR2ZQ==",
+      "version": "17.3.0",
+      "resolved": "https://registry.npmjs.org/globals/-/globals-17.3.0.tgz",
+      "integrity": "sha512-yMqGUQVVCkD4tqjOJf3TnrvaaHDMYp4VlUSObbkIiuCPe/ofdMBFIAcBbCSRFWOnos6qRiTVStDwqPLUclaxIw==",
      "dev": true,
      "license": "MIT",
      "engines": {
@@ -6896,9 +6930,9 @@
      }
    },
    "node_modules/jsdoc-type-pratt-parser": {
-      "version": "7.1.0",
-      "resolved": "https://registry.npmjs.org/jsdoc-type-pratt-parser/-/jsdoc-type-pratt-parser-7.1.0.tgz",
-      "integrity": "sha512-SX7q7XyCwzM/MEDCYz0l8GgGbJAACGFII9+WfNYr5SLEKukHWRy2Jk3iWRe7P+lpYJNs7oQ+OSei4JtKGUjd7A==",
+      "version": "7.1.1",
+      "resolved": "https://registry.npmjs.org/jsdoc-type-pratt-parser/-/jsdoc-type-pratt-parser-7.1.1.tgz",
+      "integrity": "sha512-/2uqY7x6bsrpi3i9LVU6J89352C0rpMk0as8trXxCtvd4kPk1ke/Eyif6wqfSLvoNJqcDG9Vk4UsXgygzCt2xA==",
      "dev": true,
      "license": "MIT",
      "engines": {
@@ -7227,7 +7261,9 @@
      }
    },
    "node_modules/minimatch": {
-      "version": "3.1.2",
+      "version": "3.1.5",
+      "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-3.1.5.tgz",
+      "integrity": "sha512-VgjWUsnnT6n+NUk6eZq77zeFdpW2LWDzP6zFGrCbHXiYNul5Dzqk2HHQ5uFH2DNW5Xbp8+jVzaeNt94ssEEl4w==",
      "license": "ISC",
      "dependencies": {
        "brace-expansion": "^1.1.7"
@@ -7913,9 +7949,9 @@
      }
    },
    "node_modules/readdir-glob/node_modules/minimatch": {
-      "version": "5.1.6",
-      "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-5.1.6.tgz",
-      "integrity": "sha512-lKwV/1brpG6mBUFHtb7NUmtABCb2WZZmm2wNiOA5hAb8VdCS4B3dtMWyvcoViccwAW/COERjXLt0zP1zXUN26g==",
+      "version": "5.1.9",
+      "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-5.1.9.tgz",
+      "integrity": "sha512-7o1wEA2RyMP7Iu7GNba9vc0RWWGACJOCZBJX2GJWip0ikV+wcOsgVuY9uE8CPiyQhkGFSlhuSkZPavN7u1c2Fw==",
      "license": "ISC",
      "dependencies": {
        "brace-expansion": "^2.0.1"
@@ -1,6 +1,6 @@
 {
  "name": "codeql",
-  "version": "4.32.5",
+  "version": "4.32.6",
  "private": true,
  "description": "CodeQL action",
  "scripts": {
@@ -9,7 +9,7 @@
    "lint": "eslint --report-unused-disable-directives --max-warnings=0 .",
    "lint-ci": "SARIF_ESLINT_IGNORE_SUPPRESSED=true eslint --report-unused-disable-directives --max-warnings=0 . --format @microsoft/eslint-formatter-sarif --output-file=eslint.sarif",
    "lint-fix": "eslint --report-unused-disable-directives --max-warnings=0 . --fix",
-    "ava": "npm run transpile && ava --serial --verbose",
+    "ava": "npm run transpile && ava --verbose",
    "test": "npm run ava -- src/",
    "test-debug": "npm run test -- --timeout=20m",
    "transpile": "tsc --build --verbose"
@@ -58,6 +58,7 @@
    "@types/js-yaml": "^4.0.9",
    "@types/node": "^20.19.9",
    "@types/node-forge": "^1.3.14",
+    "@types/sarif": "^2.1.7",
    "@types/semver": "^7.7.1",
    "@types/sinon": "^21.0.0",
    "ava": "^6.4.1",
@@ -66,10 +67,10 @@
    "eslint-import-resolver-typescript": "^3.8.7",
    "eslint-plugin-github": "^6.0.0",
    "eslint-plugin-import-x": "^4.16.1",
-    "eslint-plugin-jsdoc": "^62.5.0",
+    "eslint-plugin-jsdoc": "^62.6.0",
    "eslint-plugin-no-async-foreach": "^0.1.1",
    "glob": "^11.1.0",
-    "globals": "^16.5.0",
+    "globals": "^17.3.0",
    "nock": "^14.0.11",
    "sinon": "^21.0.1",
    "typescript": "^5.9.3",
@@ -1,3 +1 @@
-env
-__pycache__/
-*.pyc
+node_modules/
@@ -5,7 +5,7 @@ description: >
  autobuild Action.
 operatingSystems: ["ubuntu", "windows"]
 versions: ["linked", "nightly-latest"]
-installJava: "true"
+installJava: true
 env:
  CODEQL_ACTION_AUTOBUILD_BUILD_MODE_DIRECT_TRACING: true
 steps:
@@ -2,8 +2,8 @@ name: "Build mode autobuild"
 description: "An end-to-end integration test of a Java repository built using 'build-mode: autobuild'"
 operatingSystems: ["ubuntu", "windows"]
 versions: ["linked", "nightly-latest"]
-installJava: "true"
-installYq: "true"
+installJava: true
+installYq: true
 steps:
  - name: Set up Java test repo configuration
    run: |
@@ -11,5 +11,5 @@ steps:
      tools: ${{ steps.prepare-test.outputs.tools-url }}
      languages: javascript
  - name: Fail if the CodeQL version is not a nightly
-    if: "!contains(steps.init.outputs.codeql-version, '+')"
+    if: ${{ !contains(steps.init.outputs.codeql-version, '+') }}
    run: exit 1
@@ -32,16 +32,16 @@ steps:
      category: |
        ${{ github.workflow }}:upload-sarif/analysis-kinds:${{ matrix.analysis-kinds }}/os:${{ matrix.os }}/version:${{ matrix.version }}/test:all-files/
  - name: "Fail for missing output from `upload-sarif` step for `code-scanning`"
-    if: "contains(matrix.analysis-kinds, 'code-scanning') && !(fromJSON(steps.upload-sarif.outputs.sarif-ids).code-scanning)"
+    if: contains(matrix.analysis-kinds, 'code-scanning') && !(fromJSON(steps.upload-sarif.outputs.sarif-ids).code-scanning)
    run: exit 1
  - name: "Fail for missing output from `upload-sarif` step for `code-quality`"
-    if: "contains(matrix.analysis-kinds, 'code-quality') && !(fromJSON(steps.upload-sarif.outputs.sarif-ids).code-quality)"
+    if: contains(matrix.analysis-kinds, 'code-quality') && !(fromJSON(steps.upload-sarif.outputs.sarif-ids).code-quality)
    run: exit 1

  - name: Upload single SARIF file for Code Scanning
    uses: ./../action/upload-sarif
    id: upload-single-sarif-code-scanning
-    if: "contains(matrix.analysis-kinds, 'code-scanning')"
+    if: contains(matrix.analysis-kinds, 'code-scanning')
    with:
      ref: 'refs/heads/main'
      sha: '5e235361806c361d4d3f8859e3c897658025a9a2'
@@ -49,12 +49,12 @@ steps:
      category: |
        ${{ github.workflow }}:upload-sarif/analysis-kinds:${{ matrix.analysis-kinds }}/os:${{ matrix.os }}/version:${{ matrix.version }}/test:single-code-scanning/
  - name: "Fail for missing output from `upload-single-sarif-code-scanning` step"
-    if: "contains(matrix.analysis-kinds, 'code-scanning') && !(fromJSON(steps.upload-single-sarif-code-scanning.outputs.sarif-ids).code-scanning)"
+    if: contains(matrix.analysis-kinds, 'code-scanning') && !(fromJSON(steps.upload-single-sarif-code-scanning.outputs.sarif-ids).code-scanning)
    run: exit 1
  - name: Upload single SARIF file for Code Quality
    uses: ./../action/upload-sarif
    id: upload-single-sarif-code-quality
-    if: "contains(matrix.analysis-kinds, 'code-quality')"
+    if: contains(matrix.analysis-kinds, 'code-quality')
    with:
      ref: 'refs/heads/main'
      sha: '5e235361806c361d4d3f8859e3c897658025a9a2'
@@ -62,16 +62,16 @@ steps:
      category: |
        ${{ github.workflow }}:upload-sarif/analysis-kinds:${{ matrix.analysis-kinds }}/os:${{ matrix.os }}/version:${{ matrix.version }}/test:single-code-quality/
  - name: "Fail for missing output from `upload-single-sarif-code-quality` step"
-    if: "contains(matrix.analysis-kinds, 'code-quality') && !(fromJSON(steps.upload-single-sarif-code-quality.outputs.sarif-ids).code-quality)"
+    if: contains(matrix.analysis-kinds, 'code-quality') && !(fromJSON(steps.upload-single-sarif-code-quality.outputs.sarif-ids).code-quality)
    run: exit 1

  - name: Change SARIF file extension
-    if: "contains(matrix.analysis-kinds, 'code-scanning')"
+    if: contains(matrix.analysis-kinds, 'code-scanning')
    run: mv ${{ runner.temp }}/results/javascript.sarif ${{ runner.temp }}/results/javascript.sarif.json
  - name: Upload single non-`.sarif` file
    uses: ./../action/upload-sarif
    id: upload-single-non-sarif
-    if: "contains(matrix.analysis-kinds, 'code-scanning')"
+    if: contains(matrix.analysis-kinds, 'code-scanning')
    with:
      ref: 'refs/heads/main'
      sha: '5e235361806c361d4d3f8859e3c897658025a9a2'
@@ -79,5 +79,5 @@ steps:
      category: |
        ${{ github.workflow }}:upload-sarif/analysis-kinds:${{ matrix.analysis-kinds }}/os:${{ matrix.os }}/version:${{ matrix.version }}/test:non-sarif/
  - name: "Fail for missing output from `upload-single-non-sarif` step"
-    if: "contains(matrix.analysis-kinds, 'code-scanning') && !(fromJSON(steps.upload-single-non-sarif.outputs.sarif-ids).code-scanning)"
+    if: contains(matrix.analysis-kinds, 'code-scanning') && !(fromJSON(steps.upload-single-non-sarif.outputs.sarif-ids).code-scanning)
    run: exit 1
@@ -0,0 +1,605 @@
+{
+  "name": "pr-checks",
+  "lockfileVersion": 3,
+  "requires": true,
+  "packages": {
+    "": {
+      "dependencies": {
+        "yaml": "^2.8.2"
+      },
+      "devDependencies": {
+        "@types/node": "^20.19.9",
+        "tsx": "^4.21.0",
+        "typescript": "^5.9.3"
+      }
+    },
+    "node_modules/@esbuild/aix-ppc64": {
+      "version": "0.27.3",
+      "resolved": "https://registry.npmjs.org/@esbuild/aix-ppc64/-/aix-ppc64-0.27.3.tgz",
+      "integrity": "sha512-9fJMTNFTWZMh5qwrBItuziu834eOCUcEqymSH7pY+zoMVEZg3gcPuBNxH1EvfVYe9h0x/Ptw8KBzv7qxb7l8dg==",
+      "cpu": [
+        "ppc64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "aix"
+      ],
+      "engines": {
+        "node": ">=18"
+      }
+    },
+    "node_modules/@esbuild/android-arm": {
+      "version": "0.27.3",
+      "resolved": "https://registry.npmjs.org/@esbuild/android-arm/-/android-arm-0.27.3.tgz",
+      "integrity": "sha512-i5D1hPY7GIQmXlXhs2w8AWHhenb00+GxjxRncS2ZM7YNVGNfaMxgzSGuO8o8SJzRc/oZwU2bcScvVERk03QhzA==",
+      "cpu": [
+        "arm"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "android"
+      ],
+      "engines": {
+        "node": ">=18"
+      }
+    },
+    "node_modules/@esbuild/android-arm64": {
+      "version": "0.27.3",
+      "resolved": "https://registry.npmjs.org/@esbuild/android-arm64/-/android-arm64-0.27.3.tgz",
+      "integrity": "sha512-YdghPYUmj/FX2SYKJ0OZxf+iaKgMsKHVPF1MAq/P8WirnSpCStzKJFjOjzsW0QQ7oIAiccHdcqjbHmJxRb/dmg==",
+      "cpu": [
+        "arm64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "android"
+      ],
+      "engines": {
+        "node": ">=18"
+      }
+    },
+    "node_modules/@esbuild/android-x64": {
+      "version": "0.27.3",
+      "resolved": "https://registry.npmjs.org/@esbuild/android-x64/-/android-x64-0.27.3.tgz",
+      "integrity": "sha512-IN/0BNTkHtk8lkOM8JWAYFg4ORxBkZQf9zXiEOfERX/CzxW3Vg1ewAhU7QSWQpVIzTW+b8Xy+lGzdYXV6UZObQ==",
+      "cpu": [
+        "x64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "android"
+      ],
+      "engines": {
+        "node": ">=18"
+      }
+    },
+    "node_modules/@esbuild/darwin-arm64": {
+      "version": "0.27.3",
+      "resolved": "https://registry.npmjs.org/@esbuild/darwin-arm64/-/darwin-arm64-0.27.3.tgz",
+      "integrity": "sha512-Re491k7ByTVRy0t3EKWajdLIr0gz2kKKfzafkth4Q8A5n1xTHrkqZgLLjFEHVD+AXdUGgQMq+Godfq45mGpCKg==",
+      "cpu": [
+        "arm64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "darwin"
+      ],
+      "engines": {
+        "node": ">=18"
+      }
+    },
+    "node_modules/@esbuild/darwin-x64": {
+      "version": "0.27.3",
+      "resolved": "https://registry.npmjs.org/@esbuild/darwin-x64/-/darwin-x64-0.27.3.tgz",
+      "integrity": "sha512-vHk/hA7/1AckjGzRqi6wbo+jaShzRowYip6rt6q7VYEDX4LEy1pZfDpdxCBnGtl+A5zq8iXDcyuxwtv3hNtHFg==",
+      "cpu": [
+        "x64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "darwin"
+      ],
+      "engines": {
+        "node": ">=18"
+      }
+    },
+    "node_modules/@esbuild/freebsd-arm64": {
+      "version": "0.27.3",
+      "resolved": "https://registry.npmjs.org/@esbuild/freebsd-arm64/-/freebsd-arm64-0.27.3.tgz",
+      "integrity": "sha512-ipTYM2fjt3kQAYOvo6vcxJx3nBYAzPjgTCk7QEgZG8AUO3ydUhvelmhrbOheMnGOlaSFUoHXB6un+A7q4ygY9w==",
+      "cpu": [
+        "arm64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "freebsd"
+      ],
+      "engines": {
+        "node": ">=18"
+      }
+    },
+    "node_modules/@esbuild/freebsd-x64": {
+      "version": "0.27.3",
+      "resolved": "https://registry.npmjs.org/@esbuild/freebsd-x64/-/freebsd-x64-0.27.3.tgz",
+      "integrity": "sha512-dDk0X87T7mI6U3K9VjWtHOXqwAMJBNN2r7bejDsc+j03SEjtD9HrOl8gVFByeM0aJksoUuUVU9TBaZa2rgj0oA==",
+      "cpu": [
+        "x64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "freebsd"
+      ],
+      "engines": {
+        "node": ">=18"
+      }
+    },
+    "node_modules/@esbuild/linux-arm": {
+      "version": "0.27.3",
+      "resolved": "https://registry.npmjs.org/@esbuild/linux-arm/-/linux-arm-0.27.3.tgz",
+      "integrity": "sha512-s6nPv2QkSupJwLYyfS+gwdirm0ukyTFNl3KTgZEAiJDd+iHZcbTPPcWCcRYH+WlNbwChgH2QkE9NSlNrMT8Gfw==",
+      "cpu": [
+        "arm"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "linux"
+      ],
+      "engines": {
+        "node": ">=18"
+      }
+    },
+    "node_modules/@esbuild/linux-arm64": {
+      "version": "0.27.3",
+      "resolved": "https://registry.npmjs.org/@esbuild/linux-arm64/-/linux-arm64-0.27.3.tgz",
+      "integrity": "sha512-sZOuFz/xWnZ4KH3YfFrKCf1WyPZHakVzTiqji3WDc0BCl2kBwiJLCXpzLzUBLgmp4veFZdvN5ChW4Eq/8Fc2Fg==",
+      "cpu": [
+        "arm64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "linux"
+      ],
+      "engines": {
+        "node": ">=18"
+      }
+    },
+    "node_modules/@esbuild/linux-ia32": {
+      "version": "0.27.3",
+      "resolved": "https://registry.npmjs.org/@esbuild/linux-ia32/-/linux-ia32-0.27.3.tgz",
+      "integrity": "sha512-yGlQYjdxtLdh0a3jHjuwOrxQjOZYD/C9PfdbgJJF3TIZWnm/tMd/RcNiLngiu4iwcBAOezdnSLAwQDPqTmtTYg==",
+      "cpu": [
+        "ia32"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "linux"
+      ],
+      "engines": {
+        "node": ">=18"
+      }
+    },
+    "node_modules/@esbuild/linux-loong64": {
+      "version": "0.27.3",
+      "resolved": "https://registry.npmjs.org/@esbuild/linux-loong64/-/linux-loong64-0.27.3.tgz",
+      "integrity": "sha512-WO60Sn8ly3gtzhyjATDgieJNet/KqsDlX5nRC5Y3oTFcS1l0KWba+SEa9Ja1GfDqSF1z6hif/SkpQJbL63cgOA==",
+      "cpu": [
+        "loong64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "linux"
+      ],
+      "engines": {
+        "node": ">=18"
+      }
+    },
+    "node_modules/@esbuild/linux-mips64el": {
+      "version": "0.27.3",
+      "resolved": "https://registry.npmjs.org/@esbuild/linux-mips64el/-/linux-mips64el-0.27.3.tgz",
+      "integrity": "sha512-APsymYA6sGcZ4pD6k+UxbDjOFSvPWyZhjaiPyl/f79xKxwTnrn5QUnXR5prvetuaSMsb4jgeHewIDCIWljrSxw==",
+      "cpu": [
+        "mips64el"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "linux"
+      ],
+      "engines": {
+        "node": ">=18"
+      }
+    },
+    "node_modules/@esbuild/linux-ppc64": {
+      "version": "0.27.3",
+      "resolved": "https://registry.npmjs.org/@esbuild/linux-ppc64/-/linux-ppc64-0.27.3.tgz",
+      "integrity": "sha512-eizBnTeBefojtDb9nSh4vvVQ3V9Qf9Df01PfawPcRzJH4gFSgrObw+LveUyDoKU3kxi5+9RJTCWlj4FjYXVPEA==",
+      "cpu": [
+        "ppc64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "linux"
+      ],
+      "engines": {
+        "node": ">=18"
+      }
+    },
+    "node_modules/@esbuild/linux-riscv64": {
+      "version": "0.27.3",
+      "resolved": "https://registry.npmjs.org/@esbuild/linux-riscv64/-/linux-riscv64-0.27.3.tgz",
+      "integrity": "sha512-3Emwh0r5wmfm3ssTWRQSyVhbOHvqegUDRd0WhmXKX2mkHJe1SFCMJhagUleMq+Uci34wLSipf8Lagt4LlpRFWQ==",
+      "cpu": [
+        "riscv64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "linux"
+      ],
+      "engines": {
+        "node": ">=18"
+      }
+    },
+    "node_modules/@esbuild/linux-s390x": {
+      "version": "0.27.3",
+      "resolved": "https://registry.npmjs.org/@esbuild/linux-s390x/-/linux-s390x-0.27.3.tgz",
+      "integrity": "sha512-pBHUx9LzXWBc7MFIEEL0yD/ZVtNgLytvx60gES28GcWMqil8ElCYR4kvbV2BDqsHOvVDRrOxGySBM9Fcv744hw==",
+      "cpu": [
+        "s390x"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "linux"
+      ],
+      "engines": {
+        "node": ">=18"
+      }
+    },
+    "node_modules/@esbuild/linux-x64": {
+      "version": "0.27.3",
+      "resolved": "https://registry.npmjs.org/@esbuild/linux-x64/-/linux-x64-0.27.3.tgz",
+      "integrity": "sha512-Czi8yzXUWIQYAtL/2y6vogER8pvcsOsk5cpwL4Gk5nJqH5UZiVByIY8Eorm5R13gq+DQKYg0+JyQoytLQas4dA==",
+      "cpu": [
+        "x64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "linux"
+      ],
+      "engines": {
+        "node": ">=18"
+      }
+    },
+    "node_modules/@esbuild/netbsd-arm64": {
+      "version": "0.27.3",
+      "resolved": "https://registry.npmjs.org/@esbuild/netbsd-arm64/-/netbsd-arm64-0.27.3.tgz",
+      "integrity": "sha512-sDpk0RgmTCR/5HguIZa9n9u+HVKf40fbEUt+iTzSnCaGvY9kFP0YKBWZtJaraonFnqef5SlJ8/TiPAxzyS+UoA==",
+      "cpu": [
+        "arm64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "netbsd"
+      ],
+      "engines": {
+        "node": ">=18"
+      }
+    },
+    "node_modules/@esbuild/netbsd-x64": {
+      "version": "0.27.3",
+      "resolved": "https://registry.npmjs.org/@esbuild/netbsd-x64/-/netbsd-x64-0.27.3.tgz",
+      "integrity": "sha512-P14lFKJl/DdaE00LItAukUdZO5iqNH7+PjoBm+fLQjtxfcfFE20Xf5CrLsmZdq5LFFZzb5JMZ9grUwvtVYzjiA==",
+      "cpu": [
+        "x64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "netbsd"
+      ],
+      "engines": {
+        "node": ">=18"
+      }
+    },
+    "node_modules/@esbuild/openbsd-arm64": {
+      "version": "0.27.3",
+      "resolved": "https://registry.npmjs.org/@esbuild/openbsd-arm64/-/openbsd-arm64-0.27.3.tgz",
+      "integrity": "sha512-AIcMP77AvirGbRl/UZFTq5hjXK+2wC7qFRGoHSDrZ5v5b8DK/GYpXW3CPRL53NkvDqb9D+alBiC/dV0Fb7eJcw==",
+      "cpu": [
+        "arm64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "openbsd"
+      ],
+      "engines": {
+        "node": ">=18"
+      }
+    },
+    "node_modules/@esbuild/openbsd-x64": {
+      "version": "0.27.3",
+      "resolved": "https://registry.npmjs.org/@esbuild/openbsd-x64/-/openbsd-x64-0.27.3.tgz",
+      "integrity": "sha512-DnW2sRrBzA+YnE70LKqnM3P+z8vehfJWHXECbwBmH/CU51z6FiqTQTHFenPlHmo3a8UgpLyH3PT+87OViOh1AQ==",
+      "cpu": [
+        "x64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "openbsd"
+      ],
+      "engines": {
+        "node": ">=18"
+      }
+    },
+    "node_modules/@esbuild/openharmony-arm64": {
+      "version": "0.27.3",
+      "resolved": "https://registry.npmjs.org/@esbuild/openharmony-arm64/-/openharmony-arm64-0.27.3.tgz",
+      "integrity": "sha512-NinAEgr/etERPTsZJ7aEZQvvg/A6IsZG/LgZy+81wON2huV7SrK3e63dU0XhyZP4RKGyTm7aOgmQk0bGp0fy2g==",
+      "cpu": [
+        "arm64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "openharmony"
+      ],
+      "engines": {
+        "node": ">=18"
+      }
+    },
+    "node_modules/@esbuild/sunos-x64": {
+      "version": "0.27.3",
+      "resolved": "https://registry.npmjs.org/@esbuild/sunos-x64/-/sunos-x64-0.27.3.tgz",
+      "integrity": "sha512-PanZ+nEz+eWoBJ8/f8HKxTTD172SKwdXebZ0ndd953gt1HRBbhMsaNqjTyYLGLPdoWHy4zLU7bDVJztF5f3BHA==",
+      "cpu": [
+        "x64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "sunos"
+      ],
+      "engines": {
+        "node": ">=18"
+      }
+    },
+    "node_modules/@esbuild/win32-arm64": {
+      "version": "0.27.3",
+      "resolved": "https://registry.npmjs.org/@esbuild/win32-arm64/-/win32-arm64-0.27.3.tgz",
+      "integrity": "sha512-B2t59lWWYrbRDw/tjiWOuzSsFh1Y/E95ofKz7rIVYSQkUYBjfSgf6oeYPNWHToFRr2zx52JKApIcAS/D5TUBnA==",
+      "cpu": [
+        "arm64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "win32"
+      ],
+      "engines": {
+        "node": ">=18"
+      }
+    },
+    "node_modules/@esbuild/win32-ia32": {
+      "version": "0.27.3",
+      "resolved": "https://registry.npmjs.org/@esbuild/win32-ia32/-/win32-ia32-0.27.3.tgz",
+      "integrity": "sha512-QLKSFeXNS8+tHW7tZpMtjlNb7HKau0QDpwm49u0vUp9y1WOF+PEzkU84y9GqYaAVW8aH8f3GcBck26jh54cX4Q==",
+      "cpu": [
+        "ia32"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "win32"
+      ],
+      "engines": {
+        "node": ">=18"
+      }
+    },
+    "node_modules/@esbuild/win32-x64": {
+      "version": "0.27.3",
+      "resolved": "https://registry.npmjs.org/@esbuild/win32-x64/-/win32-x64-0.27.3.tgz",
+      "integrity": "sha512-4uJGhsxuptu3OcpVAzli+/gWusVGwZZHTlS63hh++ehExkVT8SgiEf7/uC/PclrPPkLhZqGgCTjd0VWLo6xMqA==",
+      "cpu": [
+        "x64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "win32"
+      ],
+      "engines": {
+        "node": ">=18"
+      }
+    },
+    "node_modules/@types/node": {
+      "version": "20.19.35",
+      "resolved": "https://registry.npmjs.org/@types/node/-/node-20.19.35.tgz",
+      "integrity": "sha512-Uarfe6J91b9HAUXxjvSOdiO2UPOKLm07Q1oh0JHxoZ1y8HoqxDAu3gVrsrOHeiio0kSsoVBt4wFrKOm0dKxVPQ==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "undici-types": "~6.21.0"
+      }
+    },
+    "node_modules/esbuild": {
+      "version": "0.27.3",
+      "resolved": "https://registry.npmjs.org/esbuild/-/esbuild-0.27.3.tgz",
+      "integrity": "sha512-8VwMnyGCONIs6cWue2IdpHxHnAjzxnw2Zr7MkVxB2vjmQ2ivqGFb4LEG3SMnv0Gb2F/G/2yA8zUaiL1gywDCCg==",
+      "dev": true,
+      "hasInstallScript": true,
+      "license": "MIT",
+      "bin": {
+        "esbuild": "bin/esbuild"
+      },
+      "engines": {
+        "node": ">=18"
+      },
+      "optionalDependencies": {
+        "@esbuild/aix-ppc64": "0.27.3",
+        "@esbuild/android-arm": "0.27.3",
+        "@esbuild/android-arm64": "0.27.3",
+        "@esbuild/android-x64": "0.27.3",
+        "@esbuild/darwin-arm64": "0.27.3",
+        "@esbuild/darwin-x64": "0.27.3",
+        "@esbuild/freebsd-arm64": "0.27.3",
+        "@esbuild/freebsd-x64": "0.27.3",
+        "@esbuild/linux-arm": "0.27.3",
+        "@esbuild/linux-arm64": "0.27.3",
+        "@esbuild/linux-ia32": "0.27.3",
+        "@esbuild/linux-loong64": "0.27.3",
+        "@esbuild/linux-mips64el": "0.27.3",
+        "@esbuild/linux-ppc64": "0.27.3",
+        "@esbuild/linux-riscv64": "0.27.3",
+        "@esbuild/linux-s390x": "0.27.3",
+        "@esbuild/linux-x64": "0.27.3",
+        "@esbuild/netbsd-arm64": "0.27.3",
+        "@esbuild/netbsd-x64": "0.27.3",
+        "@esbuild/openbsd-arm64": "0.27.3",
+        "@esbuild/openbsd-x64": "0.27.3",
+        "@esbuild/openharmony-arm64": "0.27.3",
+        "@esbuild/sunos-x64": "0.27.3",
+        "@esbuild/win32-arm64": "0.27.3",
+        "@esbuild/win32-ia32": "0.27.3",
+        "@esbuild/win32-x64": "0.27.3"
+      }
+    },
+    "node_modules/fsevents": {
+      "version": "2.3.3",
+      "resolved": "https://registry.npmjs.org/fsevents/-/fsevents-2.3.3.tgz",
+      "integrity": "sha512-5xoDfX+fL7faATnagmWPpbFtwh/R77WmMMqqHGS65C3vvB0YHrgF+B1YmZ3441tMj5n63k0212XNoJwzlhffQw==",
+      "dev": true,
+      "hasInstallScript": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "darwin"
+      ],
+      "engines": {
+        "node": "^8.16.0 || ^10.6.0 || >=11.0.0"
+      }
+    },
+    "node_modules/get-tsconfig": {
+      "version": "4.13.6",
+      "resolved": "https://registry.npmjs.org/get-tsconfig/-/get-tsconfig-4.13.6.tgz",
+      "integrity": "sha512-shZT/QMiSHc/YBLxxOkMtgSid5HFoauqCE3/exfsEcwg1WkeqjG+V40yBbBrsD+jW2HDXcs28xOfcbm2jI8Ddw==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "resolve-pkg-maps": "^1.0.0"
+      },
+      "funding": {
+        "url": "https://github.com/privatenumber/get-tsconfig?sponsor=1"
+      }
+    },
+    "node_modules/resolve-pkg-maps": {
+      "version": "1.0.0",
+      "resolved": "https://registry.npmjs.org/resolve-pkg-maps/-/resolve-pkg-maps-1.0.0.tgz",
+      "integrity": "sha512-seS2Tj26TBVOC2NIc2rOe2y2ZO7efxITtLZcGSOnHHNOQ7CkiUBfw0Iw2ck6xkIhPwLhKNLS8BO+hEpngQlqzw==",
+      "dev": true,
+      "license": "MIT",
+      "funding": {
+        "url": "https://github.com/privatenumber/resolve-pkg-maps?sponsor=1"
+      }
+    },
+    "node_modules/tsx": {
+      "version": "4.21.0",
+      "resolved": "https://registry.npmjs.org/tsx/-/tsx-4.21.0.tgz",
+      "integrity": "sha512-5C1sg4USs1lfG0GFb2RLXsdpXqBSEhAaA/0kPL01wxzpMqLILNxIxIOKiILz+cdg/pLnOUxFYOR5yhHU666wbw==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "esbuild": "~0.27.0",
+        "get-tsconfig": "^4.7.5"
+      },
+      "bin": {
+        "tsx": "dist/cli.mjs"
+      },
+      "engines": {
+        "node": ">=18.0.0"
+      },
+      "optionalDependencies": {
+        "fsevents": "~2.3.3"
+      }
+    },
+    "node_modules/typescript": {
+      "version": "5.9.3",
+      "resolved": "https://registry.npmjs.org/typescript/-/typescript-5.9.3.tgz",
+      "integrity": "sha512-jl1vZzPDinLr9eUt3J/t7V6FgNEw9QjvBPdysz9KfQDD41fQrC2Y4vKQdiaUpFT4bXlb1RHhLpp8wtm6M5TgSw==",
+      "dev": true,
+      "license": "Apache-2.0",
+      "bin": {
+        "tsc": "bin/tsc",
+        "tsserver": "bin/tsserver"
+      },
+      "engines": {
+        "node": ">=14.17"
+      }
+    },
+    "node_modules/undici-types": {
+      "version": "6.21.0",
+      "resolved": "https://registry.npmjs.org/undici-types/-/undici-types-6.21.0.tgz",
+      "integrity": "sha512-iwDZqg0QAGrg9Rav5H4n0M64c3mkR59cJ6wQp+7C4nI0gsmExaedaYLNO44eT4AtBBwjbTiGPMlt2Md0T9H9JQ==",
+      "dev": true,
+      "license": "MIT"
+    },
+    "node_modules/yaml": {
+      "version": "2.8.2",
+      "resolved": "https://registry.npmjs.org/yaml/-/yaml-2.8.2.tgz",
+      "integrity": "sha512-mplynKqc1C2hTVYxd0PU2xQAc22TI1vShAYGksCCfxbn/dFwnHTNi1bvYsBTkhdUNtGIf5xNOg938rrSSYvS9A==",
+      "license": "ISC",
+      "bin": {
+        "yaml": "bin.mjs"
+      },
+      "engines": {
+        "node": ">= 14.6"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/eemeli"
+      }
+    }
+  }
+}
@@ -0,0 +1,12 @@
+{
+  "private": true,
+  "description": "Dependencies for the sync.ts",
+  "dependencies": {
+    "yaml": "^2.8.2"
+  },
+  "devDependencies": {
+    "@types/node": "^20.19.9",
+    "tsx": "^4.21.0",
+    "typescript": "^5.9.3"
+  }
+}
@@ -6,9 +6,9 @@ to one of the files in this directory.

 ## Updating workflows

+Run `./sync.sh` to invoke the workflow generator and re-generate the workflow files in `.github/workflows/` based on the templates in `pr-checks/checks/`.
+
+Alternatively, you can use `just`:
+
 1. Install https://github.com/casey/just by whichever way you prefer.
 2. Run `just update-pr-checks` in your terminal.
-
-### If you don't want to install `just`
-
-Manually run each step in the `justfile`.
@@ -1,399 +0,0 @@
-#!/usr/bin/env python
-
-import ruamel.yaml
-from ruamel.yaml.scalarstring import SingleQuotedScalarString, LiteralScalarString
-import pathlib
-import os
-
-# The default set of CodeQL Bundle versions to use for the PR checks.
-defaultTestVersions = [
-    # The oldest supported CodeQL version. If bumping, update `CODEQL_MINIMUM_VERSION` in `codeql.ts`
-    "stable-v2.17.6",
-    # The last CodeQL release in the 2.18 series.
-    "stable-v2.18.4",
-    # The last CodeQL release in the 2.19 series.
-    "stable-v2.19.4",
-    # The last CodeQL release in the 2.20 series.
-    "stable-v2.20.7",
-    # The last CodeQL release in the 2.21 series.
-    "stable-v2.21.4",
-    # The last CodeQL release in the 2.22 series.
-    "stable-v2.22.4",
-    # The default version of CodeQL for Dotcom, as determined by feature flags.
-    "default",
-    # The version of CodeQL shipped with the Action in `defaults.json`. During the release process
-    # for a new CodeQL release, there will be a period of time during which this will be newer than
-    # the default version on Dotcom.
-    "linked",
-    # A nightly build directly from the our private repo, built in the last 24 hours.
-    "nightly-latest"
-]
-
-# When updating the ruamel.yaml version here, update the PR check in
-# `.github/workflows/pr-checks.yml` too.
-header = """# Warning: This file is generated automatically, and should not be modified.
-# Instead, please modify the template in the pr-checks directory and run:
-#     pr-checks/sync.sh
-# to regenerate this file.
-
-"""
-
-
-def is_truthy(value):
-    if isinstance(value, str):
-        return value.lower() == 'true'
-    return bool(value)
-
-
-
-class NonAliasingRTRepresenter(ruamel.yaml.representer.RoundTripRepresenter):
-    def ignore_aliases(self, data):
-        return True
-
-
-def writeHeader(checkStream):
-    checkStream.write(header)
-
-
-yaml = ruamel.yaml.YAML()
-yaml.Representer = NonAliasingRTRepresenter
-yaml.indent(mapping=2, sequence=4, offset=2)
-
-this_dir = pathlib.Path(__file__).resolve().parent
-
-allJobs = {}
-collections = {}
-for file in sorted((this_dir / 'checks').glob('*.yml')):
-    with open(file, 'r') as checkStream:
-        checkSpecification = yaml.load(checkStream)
-    matrix = []
-
-    workflowInputs = {}
-    if 'inputs' in checkSpecification:
-        workflowInputs = checkSpecification['inputs']
-
-    for version in checkSpecification.get('versions', defaultTestVersions):
-        if version == "latest":
-            raise ValueError('Did not recognize "version: latest". Did you mean "version: linked"?')
-
-        runnerImages = ["ubuntu-latest", "macos-latest", "windows-latest"]
-        operatingSystems = checkSpecification.get('operatingSystems', ["ubuntu"])
-
-        for operatingSystem in operatingSystems:
-            runnerImagesForOs = [image for image in runnerImages if image.startswith(operatingSystem)]
-
-            for runnerImage in runnerImagesForOs:
-                matrix.append({
-                    'os': runnerImage,
-                    'version': version
-                })
-
-        useAllPlatformBundle = "false" # Default to false
-        if checkSpecification.get('useAllPlatformBundle'):
-            useAllPlatformBundle = checkSpecification['useAllPlatformBundle']
-
-
-    if 'analysisKinds' in checkSpecification:
-        newMatrix = []
-        for matrixInclude in matrix:
-            for analysisKind in checkSpecification.get('analysisKinds'):
-                newMatrix.append(
-                    matrixInclude |
-                    { 'analysis-kinds': analysisKind }
-                )
-        matrix = newMatrix
-
-    # Construct the workflow steps needed for this check.
-    steps = [
-        {
-            'name': 'Check out repository',
-            'uses': 'actions/checkout@v6'
-        },
-    ]
-
-    installNode = is_truthy(checkSpecification.get('installNode', ''))
-
-    if installNode:
-        steps.extend([
-            {
-                'name': 'Install Node.js',
-                'uses': 'actions/setup-node@v6',
-                'with': {
-                    'node-version': '20.x',
-                    'cache': 'npm',
-                },
-            },
-            {
-                'name': 'Install dependencies',
-                'run': 'npm ci',
-            },
-        ])
-
-    steps.append({
-        'name': 'Prepare test',
-        'id': 'prepare-test',
-        'uses': './.github/actions/prepare-test',
-        'with': {
-            'version': '${{ matrix.version }}',
-            'use-all-platform-bundle': useAllPlatformBundle,
-            # If the action is being run from a container, then do not setup kotlin.
-            # This is because the kotlin binaries cannot be downloaded from the container.
-            'setup-kotlin': str(not 'container' in checkSpecification).lower(),
-        }
-    })
-
-    installGo = is_truthy(checkSpecification.get('installGo', ''))
-
-    if installGo:
-        baseGoVersionExpr = '>=1.21.0'
-        workflowInputs['go-version'] = {
-            'type': 'string',
-            'description': 'The version of Go to install',
-            'required': False,
-            'default': baseGoVersionExpr,
-        }
-
-        steps.append({
-            'name': 'Install Go',
-            'uses': 'actions/setup-go@v6',
-            'with': {
-                'go-version': '${{ inputs.go-version || \'' + baseGoVersionExpr + '\' }}',
-                # to avoid potentially misleading autobuilder results where we expect it to download
-                # dependencies successfully, but they actually come from a warm cache
-                'cache': False
-            }
-        })
-
-    installJava = is_truthy(checkSpecification.get('installJava', ''))
-
-    if installJava:
-        baseJavaVersionExpr = '17'
-        workflowInputs['java-version'] = {
-            'type': 'string',
-            'description': 'The version of Java to install',
-            'required': False,
-            'default': baseJavaVersionExpr,
-        }
-
-        steps.append({
-            'name': 'Install Java',
-            'uses': 'actions/setup-java@v5',
-            'with': {
-                'java-version': '${{ inputs.java-version || \'' + baseJavaVersionExpr + '\' }}',
-                'distribution': 'temurin'
-            }
-        })
-
-    installPython = is_truthy(checkSpecification.get('installPython', ''))
-
-    if installPython:
-        basePythonVersionExpr = '3.13'
-        workflowInputs['python-version'] = {
-            'type': 'string',
-            'description': 'The version of Python to install',
-            'required': False,
-            'default': basePythonVersionExpr,
-        }
-
-        steps.append({
-            'name': 'Install Python',
-            'if': 'matrix.version != \'nightly-latest\'',
-            'uses': 'actions/setup-python@v6',
-            'with': {
-                'python-version': '${{ inputs.python-version || \'' + basePythonVersionExpr + '\' }}'
-            }
-        })
-
-    installDotNet = is_truthy(checkSpecification.get('installDotNet', ''))
-
-    if installDotNet:
-        baseDotNetVersionExpr = '9.x'
-        workflowInputs['dotnet-version'] = {
-            'type': 'string',
-            'description': 'The version of .NET to install',
-            'required': False,
-            'default': baseDotNetVersionExpr,
-        }
-
-        steps.append({
-            'name': 'Install .NET',
-            'uses': 'actions/setup-dotnet@v5',
-            'with': {
-                'dotnet-version': '${{ inputs.dotnet-version || \'' + baseDotNetVersionExpr + '\' }}'
-            }
-        })
-
-    installYq = is_truthy(checkSpecification.get('installYq', ''))
-
-    if installYq:
-        steps.append({
-            'name': 'Install yq',
-            'if': "runner.os == 'Windows'",
-            'env': {
-                'YQ_PATH': '${{ runner.temp }}/yq',
-                # This is essentially an arbitrary version of `yq`, which happened to be the one that
-                # `choco` fetched when we moved away from using that here.
-                # See https://github.com/github/codeql-action/pull/3423
-                'YQ_VERSION': 'v4.50.1'
-            },
-            'run': LiteralScalarString(
-                'gh release download --repo mikefarah/yq --pattern "yq_windows_amd64.exe" "$YQ_VERSION" -O "$YQ_PATH/yq.exe"\n'
-                'echo "$YQ_PATH" >> "$GITHUB_PATH"'
-            ),
-        })
-
-    # If container initialisation steps are present in the check specification,
-    # make sure to execute them first.
-    if 'container' in checkSpecification and 'container-init-steps' in checkSpecification:
-        steps.insert(0, checkSpecification['container-init-steps'])
-
-
-    steps.extend(checkSpecification['steps'])
-
-    checkJob = {
-        'strategy': {
-            'fail-fast': False,
-            'matrix': {
-                'include': matrix
-            }
-        },
-        'name': checkSpecification['name'],
-        'if': 'github.triggering_actor != \'dependabot[bot]\'',
-        'permissions': {
-            'contents': 'read',
-            'security-events': 'read'
-        },
-        'timeout-minutes': 45,
-        'runs-on': '${{ matrix.os }}',
-        'steps': steps,
-    }
-    if 'permissions' in checkSpecification:
-        checkJob['permissions'] = checkSpecification['permissions']
-
-    for key in ["env", "container", "services"]:
-        if key in checkSpecification:
-            checkJob[key] = checkSpecification[key]
-
-    checkJob['env'] = checkJob.get('env', {})
-    if 'CODEQL_ACTION_TEST_MODE' not in checkJob['env']:
-        checkJob['env']['CODEQL_ACTION_TEST_MODE'] = True
-    checkName = file.stem
-
-    # If this check belongs to a named collection, record it.
-    if 'collection' in checkSpecification:
-        collection_name = checkSpecification['collection']
-        collections.setdefault(collection_name, []).append({
-            'specification': checkSpecification,
-            'checkName': checkName,
-            'inputs': workflowInputs
-        })
-
-    raw_file = this_dir.parent / ".github" / "workflows" / f"__{checkName}.yml.raw"
-    with open(raw_file, 'w', newline='\n') as output_stream:
-        extraGroupName = ""
-        for inputName in workflowInputs.keys():
-            extraGroupName += "-${{inputs." + inputName + "}}"
-
-        writeHeader(output_stream)
-        yaml.dump({
-            'name': f"PR Check - {checkSpecification['name']}",
-            'env': {
-                'GITHUB_TOKEN': '${{ secrets.GITHUB_TOKEN }}',
-                'GO111MODULE': 'auto'
-            },
-            'on': {
-                'push': {
-                    'branches': ['main', 'releases/v*']
-                },
-                'pull_request': {
-                    'types': ["opened", "synchronize", "reopened", "ready_for_review"]
-                },
-                'schedule': [{'cron': SingleQuotedScalarString('0 5 * * *')}],
-                'workflow_dispatch': {
-                    'inputs': workflowInputs
-                },
-                'workflow_call': {
-                    'inputs': workflowInputs
-                }
-            },
-            'defaults': {
-                'run': {
-                    'shell': 'bash',
-                },
-            },
-            'concurrency': {
-                # Cancel in-progress workflows in the same 'group' for pull_request events,
-                # but not other event types. This should have the effect that workflows on PRs
-                # get cancelled if there is a newer workflow in the same concurrency group.
-                # For other events, the new workflows should wait until earlier ones have finished.
-                # This should help reduce the number of concurrent workflows on the repo, and
-                # consequently the number of concurrent API requests.
-                # Note, the `|| false` is intentional to rule out that this somehow ends up being
-                # `true` since we observed workflows for non-`pull_request` events getting cancelled.
-                'cancel-in-progress': "${{ github.event_name == 'pull_request' || false }}",
-                # The group is determined by the workflow name, the ref, and the input values.
-                # The base name is hard-coded to avoid issues when the workflow is triggered by
-                # a `workflow_call` event (where `github.workflow` would be the name of the caller).
-                # The input values are added, since they may result in different behaviour for a
-                # given workflow on the same ref.
-                'group': checkName + "-${{github.ref}}" + extraGroupName
-            },
-            'jobs': {
-                checkName: checkJob
-            }
-        }, output_stream)
-
-    with open(raw_file, 'r') as input_stream:
-        with open(this_dir.parent / ".github" / "workflows" / f"__{checkName}.yml", 'w', newline='\n') as output_stream:
-            content = input_stream.read()
-            output_stream.write("\n".join(list(map(lambda x:x.rstrip(), content.splitlines()))+['']))
-    os.remove(raw_file)
-
-# write workflow files for collections
-for collection_name in collections:
-    jobs = {}
-    combinedInputs = {}
-
-    for check in collections[collection_name]:
-        checkName = check['checkName']
-        checkSpecification = check['specification']
-        checkInputs = check['inputs']
-        checkWith = {}
-
-        combinedInputs |= checkInputs
-
-        for inputName in checkInputs.keys():
-            checkWith[inputName] = "${{ inputs." + inputName + " }}"
-
-        jobs[checkName] = {
-            'name': checkSpecification['name'],
-            'permissions': {
-                'contents': 'read',
-                'security-events': 'read'
-            },
-            'uses': "./.github/workflows/" + f"__{checkName}.yml",
-            'with': checkWith
-        }
-
-    raw_file = this_dir.parent / ".github" / "workflows" / f"__{collection_name}.yml.raw"
-    with open(raw_file, 'w') as output_stream:
-        writeHeader(output_stream)
-        yaml.dump({
-            'name': f"Manual Check - {collection_name}",
-            'env': {
-                'GITHUB_TOKEN': '${{ secrets.GITHUB_TOKEN }}',
-                'GO111MODULE': 'auto'
-            },
-            'on': {
-                'workflow_dispatch': {
-                    'inputs': combinedInputs
-                },
-            },
-            'jobs': jobs
-        }, output_stream)
-
-    with open(raw_file, 'r') as input_stream:
-        with open(this_dir.parent / ".github" / "workflows" / f"__{collection_name}.yml", 'w', newline='\n') as output_stream:
-            content = input_stream.read()
-            output_stream.write("\n".join(list(map(lambda x:x.rstrip(), content.splitlines()))+['']))
-    os.remove(raw_file)
@@ -2,8 +2,14 @@
 set -e

 cd "$(dirname "$0")"
-python3 -m venv env
-source env/*/activate
-pip3 install ruamel.yaml==0.17.31
-python3 sync.py

+# Run `npm ci` in CI or `npm install` otherwise.
+if [ "$GITHUB_ACTIONS" = "true" ]; then
+  echo "In Actions, running 'npm ci' for 'sync.ts'..."
+  npm ci
+else
+  echo "Running 'npm install' for 'sync.ts'..."
+  npm install --no-audit --no-fund
+fi
+
+npx tsx sync.ts
@@ -0,0 +1,525 @@
+#!/usr/bin/env npx tsx
+
+import * as fs from "fs";
+import * as path from "path";
+
+import * as yaml from "yaml";
+
+/** Known workflow input names. */
+enum KnownInputName {
+  GoVersion = "go-version",
+  JavaVersion = "java-version",
+  PythonVersion = "python-version",
+  DotnetVersion = "dotnet-version",
+}
+
+/**
+ * Represents workflow input definitions.
+ */
+interface WorkflowInput {
+  type: string;
+  description: string;
+  required: boolean;
+  default: string;
+}
+
+/** A partial mapping from known input names to input definitions. */
+type WorkflowInputs = Partial<Record<KnownInputName, WorkflowInput>>;
+
+/**
+ * Represents PR check specifications.
+ */
+interface Specification {
+  /** The display name for the check. */
+  name: string;
+  /** The workflow steps specific to this check. */
+  steps: any[];
+  /** Workflow-level input definitions forwarded to `workflow_dispatch`/`workflow_call`. */
+  inputs?: Record<string, WorkflowInput>;
+  /** CodeQL bundle versions to test against. Defaults to `DEFAULT_TEST_VERSIONS`. */
+  versions?: string[];
+  /** Operating system prefixes used to select runner images (e.g. `["ubuntu", "macos"]`). */
+  operatingSystems?: string[];
+  /** Whether to use the all-platform CodeQL bundle. */
+  useAllPlatformBundle?: string;
+  /** Values for the `analysis-kinds` matrix dimension. */
+  analysisKinds?: string[];
+
+  installNode?: boolean;
+  installGo?: boolean;
+  installJava?: boolean;
+  installPython?: boolean;
+  installDotNet?: boolean;
+  installYq?: boolean;
+
+  /** Container image configuration for the job. */
+  container?: any;
+  /** Service containers for the job. */
+  services?: any;
+
+  /** Custom permissions override for the job. */
+  permissions?: Record<string, string>;
+  /** Extra environment variables for the job. */
+  env?: Record<string, any>;
+
+  /** If set, this check is part of a named collection that gets its own caller workflow. */
+  collection?: string;
+}
+
+// The default set of CodeQL Bundle versions to use for the PR checks.
+const defaultTestVersions = [
+  // The oldest supported CodeQL version. If bumping, update `CODEQL_MINIMUM_VERSION` in `codeql.ts`
+  "stable-v2.17.6",
+  // The last CodeQL release in the 2.18 series.
+  "stable-v2.18.4",
+  // The last CodeQL release in the 2.19 series.
+  "stable-v2.19.4",
+  // The last CodeQL release in the 2.20 series.
+  "stable-v2.20.7",
+  // The last CodeQL release in the 2.21 series.
+  "stable-v2.21.4",
+  // The last CodeQL release in the 2.22 series.
+  "stable-v2.22.4",
+  // The default version of CodeQL for Dotcom, as determined by feature flags.
+  "default",
+  // The version of CodeQL shipped with the Action in `defaults.json`. During the release process
+  // for a new CodeQL release, there will be a period of time during which this will be newer than
+  // the default version on Dotcom.
+  "linked",
+  // A nightly build directly from the our private repo, built in the last 24 hours.
+  "nightly-latest",
+];
+
+const THIS_DIR = __dirname;
+const CHECKS_DIR = path.join(THIS_DIR, "checks");
+const OUTPUT_DIR = path.join(THIS_DIR, "..", ".github", "workflows");
+
+/**
+ * Loads and parses a YAML file.
+ */
+function loadYaml(filePath: string): yaml.Document {
+  const content = fs.readFileSync(filePath, "utf8");
+  return yaml.parseDocument(content);
+}
+
+/**
+ * Serialize a value to YAML and write it to a file, prepended with the
+ * standard header comment.
+ */
+function writeYaml(filePath: string, workflow: any): void {
+  const header = `# Warning: This file is generated automatically, and should not be modified.
+# Instead, please modify the template in the pr-checks directory and run:
+#     pr-checks/sync.sh
+# to regenerate this file.
+
+`;
+  const workflowDoc = new yaml.Document(workflow, {
+    aliasDuplicateObjects: false,
+  });
+  const yamlStr = yaml.stringify(workflowDoc, {
+    aliasDuplicateObjects: false,
+    singleQuote: true,
+    lineWidth: 0,
+  });
+  fs.writeFileSync(filePath, stripTrailingWhitespace(header + yamlStr), "utf8");
+}
+
+/**
+ * Strip trailing whitespace from each line.
+ */
+function stripTrailingWhitespace(content: string): string {
+  return content
+    .split("\n")
+    .map((line) => line.trimEnd())
+    .join("\n");
+}
+
+/**
+ * Main entry point for the sync script.
+ */
+function main(): void {
+  // Ensure the output directory exists.
+  fs.mkdirSync(OUTPUT_DIR, { recursive: true });
+
+  // Discover and sort all check specification files.
+  const checkFiles = fs
+    .readdirSync(CHECKS_DIR)
+    .filter((f) => f.endsWith(".yml"))
+    .sort()
+    .map((f) => path.join(CHECKS_DIR, f));
+
+  console.log(`Found ${checkFiles.length} check specification(s).`);
+
+  const collections: Record<
+    string,
+    Array<{
+      specification: Specification;
+      checkName: string;
+      inputs: Record<string, WorkflowInput>;
+    }>
+  > = {};
+
+  for (const file of checkFiles) {
+    const checkName = path.basename(file, ".yml");
+    const specDocument = loadYaml(file);
+    const checkSpecification = specDocument.toJS() as Specification;
+
+    console.log(`Processing: ${checkName} — "${checkSpecification.name}"`);
+
+    const workflowInputs: WorkflowInputs = {};
+    let matrix: Array<Record<string, any>> = [];
+
+    for (const version of checkSpecification.versions ?? defaultTestVersions) {
+      if (version === "latest") {
+        throw new Error(
+          'Did not recognise "version: latest". Did you mean "version: linked"?',
+        );
+      }
+
+      const runnerImages = ["ubuntu-latest", "macos-latest", "windows-latest"];
+      const operatingSystems = checkSpecification.operatingSystems ?? [
+        "ubuntu",
+      ];
+
+      for (const operatingSystem of operatingSystems) {
+        const runnerImagesForOs = runnerImages.filter((image) =>
+          image.startsWith(operatingSystem),
+        );
+
+        for (const runnerImage of runnerImagesForOs) {
+          matrix.push({
+            os: runnerImage,
+            version,
+          });
+        }
+      }
+    }
+
+    const useAllPlatformBundle = checkSpecification.useAllPlatformBundle
+      ? checkSpecification.useAllPlatformBundle
+      : "false";
+
+    if (checkSpecification.analysisKinds) {
+      const newMatrix: Array<Record<string, any>> = [];
+      for (const matrixInclude of matrix) {
+        for (const analysisKind of checkSpecification.analysisKinds) {
+          newMatrix.push({
+            ...matrixInclude,
+            "analysis-kinds": analysisKind,
+          });
+        }
+      }
+      matrix = newMatrix;
+    }
+
+    // Construct the workflow steps needed for this check.
+    const steps: any[] = [
+      {
+        name: "Check out repository",
+        uses: "actions/checkout@v6",
+      },
+    ];
+
+    const installNode = checkSpecification.installNode;
+
+    if (installNode) {
+      steps.push(
+        {
+          name: "Install Node.js",
+          uses: "actions/setup-node@v6",
+          with: {
+            "node-version": "20.x",
+            cache: "npm",
+          },
+        },
+        {
+          name: "Install dependencies",
+          run: "npm ci",
+        },
+      );
+    }
+
+    steps.push({
+      name: "Prepare test",
+      id: "prepare-test",
+      uses: "./.github/actions/prepare-test",
+      with: {
+        version: "${{ matrix.version }}",
+        "use-all-platform-bundle": useAllPlatformBundle,
+        // If the action is being run from a container, then do not setup kotlin.
+        // This is because the kotlin binaries cannot be downloaded from the container.
+        "setup-kotlin": "container" in checkSpecification ? "false" : "true",
+      },
+    });
+
+    const installGo = checkSpecification.installGo;
+
+    if (installGo) {
+      const baseGoVersionExpr = ">=1.21.0";
+      workflowInputs[KnownInputName.GoVersion] = {
+        type: "string",
+        description: "The version of Go to install",
+        required: false,
+        default: baseGoVersionExpr,
+      };
+
+      steps.push({
+        name: "Install Go",
+        uses: "actions/setup-go@v6",
+        with: {
+          "go-version":
+            "${{ inputs.go-version || '" + baseGoVersionExpr + "' }}",
+          // to avoid potentially misleading autobuilder results where we expect it to download
+          // dependencies successfully, but they actually come from a warm cache
+          cache: false,
+        },
+      });
+    }
+
+    const installJava = checkSpecification.installJava;
+
+    if (installJava) {
+      const baseJavaVersionExpr = "17";
+      workflowInputs[KnownInputName.JavaVersion] = {
+        type: "string",
+        description: "The version of Java to install",
+        required: false,
+        default: baseJavaVersionExpr,
+      };
+
+      steps.push({
+        name: "Install Java",
+        uses: "actions/setup-java@v5",
+        with: {
+          "java-version":
+            "${{ inputs.java-version || '" + baseJavaVersionExpr + "' }}",
+          distribution: "temurin",
+        },
+      });
+    }
+
+    const installPython = checkSpecification.installPython;
+
+    if (installPython) {
+      const basePythonVersionExpr = "3.13";
+      workflowInputs[KnownInputName.PythonVersion] = {
+        type: "string",
+        description: "The version of Python to install",
+        required: false,
+        default: basePythonVersionExpr,
+      };
+
+      steps.push({
+        name: "Install Python",
+        if: "matrix.version != 'nightly-latest'",
+        uses: "actions/setup-python@v6",
+        with: {
+          "python-version":
+            "${{ inputs.python-version || '" + basePythonVersionExpr + "' }}",
+        },
+      });
+    }
+
+    const installDotNet = checkSpecification.installDotNet;
+
+    if (installDotNet) {
+      const baseDotNetVersionExpr = "9.x";
+      workflowInputs[KnownInputName.DotnetVersion] = {
+        type: "string",
+        description: "The version of .NET to install",
+        required: false,
+        default: baseDotNetVersionExpr,
+      };
+
+      steps.push({
+        name: "Install .NET",
+        uses: "actions/setup-dotnet@v5",
+        with: {
+          "dotnet-version":
+            "${{ inputs.dotnet-version || '" + baseDotNetVersionExpr + "' }}",
+        },
+      });
+    }
+
+    const installYq = checkSpecification.installYq;
+
+    if (installYq) {
+      steps.push({
+        name: "Install yq",
+        if: "runner.os == 'Windows'",
+        env: {
+          YQ_PATH: "${{ runner.temp }}/yq",
+          // This is essentially an arbitrary version of `yq`, which happened to be the one that
+          // `choco` fetched when we moved away from using that here.
+          // See https://github.com/github/codeql-action/pull/3423
+          YQ_VERSION: "v4.50.1",
+        },
+        run:
+          'gh release download --repo mikefarah/yq --pattern "yq_windows_amd64.exe" "$YQ_VERSION" -O "$YQ_PATH/yq.exe"\n' +
+          'echo "$YQ_PATH" >> "$GITHUB_PATH"',
+      });
+    }
+
+    // Extract the sequence of steps from the YAML document to persist as much formatting as possible.
+    const specSteps = specDocument.get("steps") as yaml.YAMLSeq;
+
+    // A handful of workflow specifications use double quotes for values, while we generally use single quotes.
+    // This replaces double quotes with single quotes for consistency.
+    yaml.visit(specSteps, {
+      Scalar(_key, node) {
+        if (node.type === "QUOTE_DOUBLE") {
+          node.type = "QUOTE_SINGLE";
+        }
+      },
+    });
+
+    // Add the generated steps in front of the ones from the specification.
+    specSteps.items.unshift(...steps);
+
+    const checkJob: Record<string, any> = {
+      strategy: {
+        "fail-fast": false,
+        matrix: {
+          include: matrix,
+        },
+      },
+      name: checkSpecification.name,
+      if: "github.triggering_actor != 'dependabot[bot]'",
+      permissions: {
+        contents: "read",
+        "security-events": "read",
+      },
+      "timeout-minutes": 45,
+      "runs-on": "${{ matrix.os }}",
+      steps: specSteps,
+    };
+
+    if (checkSpecification.permissions) {
+      checkJob.permissions = checkSpecification.permissions;
+    }
+
+    for (const key of ["env", "container", "services"] as const) {
+      if (checkSpecification[key] !== undefined) {
+        checkJob[key] = checkSpecification[key];
+      }
+    }
+
+    checkJob.env = checkJob.env ?? {};
+    if (!("CODEQL_ACTION_TEST_MODE" in checkJob.env)) {
+      checkJob.env.CODEQL_ACTION_TEST_MODE = true;
+    }
+
+    // If this check belongs to a named collection, record it.
+    if (checkSpecification.collection) {
+      const collectionName = checkSpecification.collection;
+      if (!collections[collectionName]) {
+        collections[collectionName] = [];
+      }
+      collections[collectionName].push({
+        specification: checkSpecification,
+        checkName,
+        inputs: workflowInputs,
+      });
+    }
+
+    let extraGroupName = "";
+    for (const inputName of Object.keys(workflowInputs)) {
+      extraGroupName += "-${{inputs." + inputName + "}}";
+    }
+
+    const cron = new yaml.Scalar("0 5 * * *");
+    cron.type = yaml.Scalar.QUOTE_SINGLE;
+
+    const workflow = {
+      name: `PR Check - ${checkSpecification.name}`,
+      env: {
+        GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}",
+        GO111MODULE: "auto",
+      },
+      on: {
+        push: {
+          branches: ["main", "releases/v*"],
+        },
+        pull_request: {
+          types: ["opened", "synchronize", "reopened", "ready_for_review"],
+        },
+        merge_group: {
+          types: ["checks_requested"],
+        },
+        schedule: [{ cron }],
+        workflow_dispatch: {
+          inputs: workflowInputs,
+        },
+        workflow_call: {
+          inputs: workflowInputs,
+        },
+      },
+      defaults: {
+        run: {
+          shell: "bash",
+        },
+      },
+      concurrency: {
+        "cancel-in-progress":
+          "${{ github.event_name == 'pull_request' || false }}",
+        group: checkName + "-${{github.ref}}" + extraGroupName,
+      },
+      jobs: {
+        [checkName]: checkJob,
+      },
+    };
+
+    const outputPath = path.join(OUTPUT_DIR, `__${checkName}.yml`);
+    writeYaml(outputPath, workflow);
+  }
+
+  // Write workflow files for collections.
+  for (const collectionName of Object.keys(collections)) {
+    const jobs: Record<string, any> = {};
+    let combinedInputs: Record<string, WorkflowInput> = {};
+
+    for (const check of collections[collectionName]) {
+      const { checkName, specification, inputs: checkInputs } = check;
+      const checkWith: Record<string, string> = {};
+
+      combinedInputs = { ...combinedInputs, ...checkInputs };
+
+      for (const inputName of Object.keys(checkInputs)) {
+        checkWith[inputName] = "${{ inputs." + inputName + " }}";
+      }
+
+      jobs[checkName] = {
+        name: specification.name,
+        permissions: {
+          contents: "read",
+          "security-events": "read",
+        },
+        uses: `./.github/workflows/__${checkName}.yml`,
+        with: checkWith,
+      };
+    }
+
+    const collectionWorkflow = {
+      name: `Manual Check - ${collectionName}`,
+      env: {
+        GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}",
+        GO111MODULE: "auto",
+      },
+      on: {
+        workflow_dispatch: {
+          inputs: combinedInputs,
+        },
+      },
+      jobs,
+    };
+
+    const outputPath = path.join(OUTPUT_DIR, `__${collectionName}.yml`);
+    writeYaml(outputPath, collectionWorkflow);
+  }
+
+  console.log(
+    `\nDone. Wrote ${checkFiles.length} workflow file(s) to ${OUTPUT_DIR}`,
+  );
+}
+
+main();
@@ -1,185 +0,0 @@
-#!/usr/bin/env python3
-"""
-Sync-back script to automatically update action versions in source templates
-from the generated workflow files after Dependabot updates.
-
-This script scans the generated workflow files (.github/workflows/__*.yml) to find
-all external action versions used, then updates:
-1. Hardcoded action versions in pr-checks/sync.py
-2. Action version references in template files in pr-checks/checks/
-
-The script automatically detects all actions used in generated workflows and
-preserves version comments (e.g., # v1.2.3) when syncing versions.
-
-This ensures that when Dependabot updates action versions in generated workflows,
-those changes are properly synced back to the source templates. Regular workflow
-files are updated directly by Dependabot and don't need sync-back.
-"""
-
-import os
-import re
-import glob
-import argparse
-import sys
-from pathlib import Path
-from typing import Dict, List
-
-
-def scan_generated_workflows(workflow_dir: str) -> Dict[str, str]:
-    """
-    Scan generated workflow files to extract the latest action versions.
-
-    Args:
-        workflow_dir: Path to .github/workflows directory
-
-    Returns:
-        Dictionary mapping action names to their latest versions (including comments)
-    """
-    action_versions = {}
-    generated_files = glob.glob(os.path.join(workflow_dir, "__*.yml"))
-
-    for file_path in generated_files:
-        with open(file_path, 'r') as f:
-            content = f.read()
-
-        # Find all action uses in the file, including potential comments
-        # This pattern captures: action_name@version_with_possible_comment
-        pattern = r'uses:\s+([^/\s]+/[^@\s]+)@([^@\n]+)'
-        matches = re.findall(pattern, content)
-
-        for action_name, version_with_comment in matches:
-            # Only track non-local actions (those with / but not starting with ./)
-            if not action_name.startswith('./'):
-                # Assume that version numbers are consistent (this should be the case on a Dependabot update PR)
-                action_versions[action_name] = version_with_comment.rstrip()
-
-    return action_versions
-
-
-def update_sync_py(sync_py_path: str, action_versions: Dict[str, str]) -> bool:
-    """
-    Update hardcoded action versions in pr-checks/sync.py
-
-    Args:
-        sync_py_path: Path to sync.py file
-        action_versions: Dictionary of action names to versions (may include comments)
-
-    Returns:
-        True if file was modified, False otherwise
-    """
-    if not os.path.exists(sync_py_path):
-        raise FileNotFoundError(f"Could not find {sync_py_path}")
-
-    with open(sync_py_path, 'r') as f:
-        content = f.read()
-
-    original_content = content
-
-    # Update hardcoded action versions
-    for action_name, version_with_comment in action_versions.items():
-        # Extract just the version part (before any comment) for sync.py
-        version = version_with_comment.split('#')[0].strip() if '#' in version_with_comment else version_with_comment.strip()
-
-        # Look for patterns like 'uses': 'actions/setup-node@v4'
-        # Note that this will break if we store an Action uses reference in a
-        # variable - that's a risk we're happy to take since in that case the
-        # PR checks will just fail.
-        pattern = rf"('uses':\s*'){re.escape(action_name)}@(?:[^']+)(')"
-        replacement = rf"\1{action_name}@{version}\2"
-        content = re.sub(pattern, replacement, content)
-
-    if content != original_content:
-        with open(sync_py_path, 'w') as f:
-            f.write(content)
-        print(f"Updated {sync_py_path}")
-        return True
-    else:
-        print(f"No changes needed in {sync_py_path}")
-        return False
-
-
-def update_template_files(checks_dir: str, action_versions: Dict[str, str]) -> List[str]:
-    """
-    Update action versions in template files in pr-checks/checks/
-
-    Args:
-        checks_dir: Path to pr-checks/checks directory
-        action_versions: Dictionary of action names to versions (may include comments)
-
-    Returns:
-        List of files that were modified
-    """
-    modified_files = []
-    template_files = glob.glob(os.path.join(checks_dir, "*.yml"))
-
-    for file_path in template_files:
-        with open(file_path, 'r') as f:
-            content = f.read()
-
-        original_content = content
-
-        # Update action versions
-        for action_name, version_with_comment in action_versions.items():
-            # Look for patterns like 'uses: actions/setup-node@v4' or 'uses: actions/setup-node@sha # comment'
-            pattern = rf"(uses:\s+{re.escape(action_name)})@(?:[^@\n]+)"
-            replacement = rf"\1@{version_with_comment}"
-            content = re.sub(pattern, replacement, content)
-
-        if content != original_content:
-            with open(file_path, 'w') as f:
-                f.write(content)
-            modified_files.append(file_path)
-            print(f"Updated {file_path}")
-
-    return modified_files
-
-
-def main():
-    parser = argparse.ArgumentParser(description="Sync action versions from generated workflows back to templates")
-    parser.add_argument("--verbose", "-v", action="store_true", help="Enable verbose output")
-    args = parser.parse_args()
-
-    # Get the repository root (assuming script is in pr-checks/)
-    script_dir = Path(__file__).parent
-    repo_root = script_dir.parent
-
-    workflow_dir = repo_root / ".github" / "workflows"
-    checks_dir = script_dir / "checks"
-    sync_py_path = script_dir / "sync.py"
-
-    print("Scanning generated workflows for latest action versions...")
-    action_versions = scan_generated_workflows(str(workflow_dir))
-
-    if args.verbose:
-        print("Found action versions:")
-        for action, version in action_versions.items():
-            print(f"  {action}@{version}")
-
-    if not action_versions:
-        print("No action versions found in generated workflows")
-        return 1
-
-    # Update files
-    print("\nUpdating source files...")
-    modified_files = []
-
-    # Update sync.py
-    if update_sync_py(str(sync_py_path), action_versions):
-        modified_files.append(str(sync_py_path))
-
-    # Update template files
-    template_modified = update_template_files(str(checks_dir), action_versions)
-    modified_files.extend(template_modified)
-
-    if modified_files:
-        print(f"\nSync completed. Modified {len(modified_files)} files:")
-        for file_path in modified_files:
-            print(f"  {file_path}")
-    else:
-        print("\nNo files needed updating - all action versions are already in sync")
-
-    return 0
-
-
-if __name__ == "__main__":
-    sys.exit(main())
@@ -0,0 +1,250 @@
+#!/usr/bin/env npx tsx
+
+/*
+Tests for the sync_back.ts script
+*/
+
+import * as assert from "node:assert/strict";
+import * as fs from "node:fs";
+import * as os from "node:os";
+import * as path from "node:path";
+import { afterEach, beforeEach, describe, it } from "node:test";
+
+import {
+  scanGeneratedWorkflows,
+  updateSyncTs,
+  updateTemplateFiles,
+} from "./sync_back";
+
+let testDir: string;
+let workflowDir: string;
+let checksDir: string;
+let syncTsPath: string;
+
+beforeEach(() => {
+  /** Set up temporary directories and files for testing */
+  testDir = fs.mkdtempSync(path.join(os.tmpdir(), "sync-back-test-"));
+  workflowDir = path.join(testDir, ".github", "workflows");
+  checksDir = path.join(testDir, "pr-checks", "checks");
+  fs.mkdirSync(workflowDir, { recursive: true });
+  fs.mkdirSync(checksDir, { recursive: true });
+
+  // Create sync.ts file path
+  syncTsPath = path.join(testDir, "pr-checks", "sync.ts");
+});
+
+afterEach(() => {
+  /** Clean up temporary directories */
+  fs.rmSync(testDir, { recursive: true, force: true });
+});
+
+describe("scanGeneratedWorkflows", () => {
+  it("basic workflow scanning", () => {
+    /** Test basic workflow scanning functionality */
+    const workflowContent = `
+name: Test Workflow
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v5
+      - uses: actions/setup-go@v6
+`;
+
+    fs.writeFileSync(path.join(workflowDir, "__test.yml"), workflowContent);
+
+    const result = scanGeneratedWorkflows(workflowDir);
+
+    assert.equal(result["actions/checkout"], "v4");
+    assert.equal(result["actions/setup-node"], "v5");
+    assert.equal(result["actions/setup-go"], "v6");
+  });
+
+  it("scanning workflows with version comments", () => {
+    /** Test scanning workflows with version comments */
+    const workflowContent = `
+name: Test Workflow
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: ruby/setup-ruby@44511735964dcb71245e7e55f72539531f7bc0eb # v1.257.0
+      - uses: actions/setup-python@v6 # Latest Python
+`;
+
+    fs.writeFileSync(path.join(workflowDir, "__test.yml"), workflowContent);
+
+    const result = scanGeneratedWorkflows(workflowDir);
+
+    assert.equal(result["actions/checkout"], "v4");
+    assert.equal(
+      result["ruby/setup-ruby"],
+      "44511735964dcb71245e7e55f72539531f7bc0eb # v1.257.0",
+    );
+    assert.equal(result["actions/setup-python"], "v6 # Latest Python");
+  });
+
+  it("ignores local actions", () => {
+    /** Test that local actions (starting with ./) are ignored */
+    const workflowContent = `
+name: Test Workflow
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: ./.github/actions/local-action
+      - uses: ./another-local-action@v1
+`;
+
+    fs.writeFileSync(path.join(workflowDir, "__test.yml"), workflowContent);
+
+    const result = scanGeneratedWorkflows(workflowDir);
+
+    assert.equal(result["actions/checkout"], "v4");
+    assert.equal("./.github/actions/local-action" in result, false);
+    assert.equal("./another-local-action" in result, false);
+  });
+});
+
+describe("updateSyncTs", () => {
+  it("updates sync.ts file", () => {
+    /** Test updating sync.ts file */
+    const syncTsContent = `
+const steps = [
+  {
+    uses: "actions/setup-node@v4",
+    with: { "node-version": "16" },
+  },
+  {
+    uses: "actions/setup-go@v5",
+    with: { "go-version": "1.19" },
+  },
+];
+`;
+
+    fs.writeFileSync(syncTsPath, syncTsContent);
+
+    const actionVersions = {
+      "actions/setup-node": "v5",
+      "actions/setup-go": "v6",
+    };
+
+    const result = updateSyncTs(syncTsPath, actionVersions);
+    assert.equal(result, true);
+
+    const updatedContent = fs.readFileSync(syncTsPath, "utf8");
+
+    assert.ok(updatedContent.includes('uses: "actions/setup-node@v5"'));
+    assert.ok(updatedContent.includes('uses: "actions/setup-go@v6"'));
+  });
+
+  it("strips comments from versions", () => {
+    /** Test updating sync.ts file when versions have comments */
+    const syncTsContent = `
+const steps = [
+  {
+    uses: "actions/setup-node@v4",
+    with: { "node-version": "16" },
+  },
+];
+`;
+
+    fs.writeFileSync(syncTsPath, syncTsContent);
+
+    const actionVersions = {
+      "actions/setup-node": "v5 # Latest version",
+    };
+
+    const result = updateSyncTs(syncTsPath, actionVersions);
+    assert.equal(result, true);
+
+    const updatedContent = fs.readFileSync(syncTsPath, "utf8");
+
+    // sync.ts should get the version without comment
+    assert.ok(updatedContent.includes('uses: "actions/setup-node@v5"'));
+    assert.ok(!updatedContent.includes("# Latest version"));
+  });
+
+  it("returns false when no changes are needed", () => {
+    /** Test that updateSyncTs returns false when no changes are needed */
+    const syncTsContent = `
+const steps = [
+  {
+    uses: "actions/setup-node@v5",
+    with: { "node-version": "16" },
+  },
+];
+`;
+
+    fs.writeFileSync(syncTsPath, syncTsContent);
+
+    const actionVersions = {
+      "actions/setup-node": "v5",
+    };
+
+    const result = updateSyncTs(syncTsPath, actionVersions);
+    assert.equal(result, false);
+  });
+});
+
+describe("updateTemplateFiles", () => {
+  it("updates template files", () => {
+    /** Test updating template files */
+    const templateContent = `
+name: Test Template
+steps:
+  - uses: actions/checkout@v3
+  - uses: actions/setup-node@v4
+    with:
+      node-version: 16
+`;
+
+    const templatePath = path.join(checksDir, "test.yml");
+    fs.writeFileSync(templatePath, templateContent);
+
+    const actionVersions = {
+      "actions/checkout": "v4",
+      "actions/setup-node": "v5 # Latest",
+    };
+
+    const result = updateTemplateFiles(checksDir, actionVersions);
+    assert.equal(result.length, 1);
+    assert.ok(result.includes(templatePath));
+
+    const updatedContent = fs.readFileSync(templatePath, "utf8");
+
+    assert.ok(updatedContent.includes("uses: actions/checkout@v4"));
+    assert.ok(updatedContent.includes("uses: actions/setup-node@v5 # Latest"));
+  });
+
+  it("preserves version comments", () => {
+    /** Test that updating template files preserves version comments */
+    const templateContent = `
+name: Test Template
+steps:
+  - uses: ruby/setup-ruby@44511735964dcb71245e7e55f72539531f7bc0eb # v1.256.0
+`;
+
+    const templatePath = path.join(checksDir, "test.yml");
+    fs.writeFileSync(templatePath, templateContent);
+
+    const actionVersions = {
+      "ruby/setup-ruby":
+        "55511735964dcb71245e7e55f72539531f7bc0eb # v1.257.0",
+    };
+
+    const result = updateTemplateFiles(checksDir, actionVersions);
+    assert.equal(result.length, 1);
+
+    const updatedContent = fs.readFileSync(templatePath, "utf8");
+
+    assert.ok(
+      updatedContent.includes(
+        "uses: ruby/setup-ruby@55511735964dcb71245e7e55f72539531f7bc0eb # v1.257.0",
+      ),
+    );
+  });
+});
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Michael B. Gale	6531f80d49	Document regular expressions	2026-03-05 16:51:15 +00:00
Michael B. Gale	b1b5550715	Merge pull request #3529 from github/mbg/ts/sync-back Convert `sync_back.py` to TypeScript	2026-03-05 12:36:22 +00:00
Henry Mercer	b6dfacb528	Merge pull request #3542 from github/henrymercer/parallel-unit-tests Run some unit tests in parallel	2026-03-04 16:07:10 +00:00
Henry Mercer	6123416ead	Merge remote-tracking branch 'origin/main' into henrymercer/parallel-unit-tests	2026-03-04 15:12:33 +01:00
Henry Mercer	a6594f96a3	Merge pull request #3540 from github/henrymercer/stub-actions-vars Testing: Provide default value for more environment variables in `setupActionsVars`	2026-03-04 13:27:40 +00:00
Henry Mercer	71d7981285	Address review comments	2026-03-04 13:27:59 +01:00
Henry Mercer	e9e9733cb5	Merge branch 'main' into henrymercer/stub-actions-vars	2026-03-04 13:26:43 +01:00
Henry Mercer	8e17ec94b4	Merge branch 'main' into henrymercer/parallel-unit-tests	2026-03-04 13:25:01 +01:00
Henry Mercer	aae94187c1	Fix test name	2026-03-04 13:09:10 +01:00
Henry Mercer	36148cccb9	Run more actions util tests serially	2026-03-04 13:08:37 +01:00
Henry Mercer	a5b959e10d	Merge pull request #3537 from github/henrymercer/overlay-status-record-job Record the job that published an overlay status	2026-03-04 11:49:52 +00:00
Michael B. Gale	d1ac77f26d	Merge pull request #3527 from github/mbg/start-proxy/remove-unused Remove unused registry types from `LANGUAGE_TO_REGISTRY_TYPE`	2026-03-04 11:48:08 +00:00
Henry Mercer	675af55c60	Run some unit tests in parallel	2026-03-04 12:40:22 +01:00
Henry Mercer	281b265245	Address review comments	2026-03-04 12:16:54 +01:00
Henry Mercer	335f08ccc6	Merge pull request #3539 from github/update-supported-enterprise-server-versions Update supported GitHub Enterprise Server versions	2026-03-04 11:01:18 +00:00
github-actions[bot]	4593dc2f8f	Update supported GitHub Enterprise Server versions	2026-03-04 00:23:29 +00:00
Henry Mercer	d4f1b14259	Use new `setupActionsVars` pattern	2026-03-03 19:24:18 +01:00
Henry Mercer	8a884bdb36	Extend `setupActionsVars`	2026-03-03 19:09:57 +01:00
Henry Mercer	129d771399	Add check run ID	2026-03-03 19:04:04 +01:00
Henry Mercer	a05f541a6e	Record the job that published an overlay status This makes it easier to find the job that produced the status.	2026-03-03 16:56:18 +01:00
Michael B. Gale	40f0fa95c4	Merge pull request #3535 from github/mbg/ci/no-skip-overlay Disable overlay status check for CS config test workflow	2026-03-03 12:26:50 +00:00
Michael B. Gale	9bf973324f	Merge pull request #3528 from github/mbg/refactor/sarif Refactor SARIF-related types and functions into a separate module	2026-03-03 12:10:30 +00:00
Michael B. Gale	1175fd9b5d	Add some docs to some newer overlay `Features` To make it easier to see what they do at a glance	2026-03-03 12:06:46 +00:00
Michael B. Gale	1faad73c9a	Disable resource checks as well	2026-03-03 12:06:46 +00:00
Michael B. Gale	6b246e4709	Disable overlay status check for CS config test workflow	2026-03-03 11:53:33 +00:00
Michael B. Gale	0a5b95cdcc	Update `pr-checks` README	2026-03-03 11:45:18 +00:00
Michael B. Gale	77fc89c78d	Remove python files from `pr-checks`	2026-03-03 11:42:49 +00:00
Michael B. Gale	bf9bf1c027	Remove python setup from `rebuild` workflow	2026-03-03 11:41:24 +00:00
Michael B. Gale	24fa947692	Update `pr-checks` to run new tests	2026-03-03 11:40:54 +00:00
Michael B. Gale	aaed7b75f9	Merge remote-tracking branch 'origin/main' into mbg/ts/sync-back	2026-03-03 11:36:59 +00:00
Michael B. Gale	2a2f4c30a1	Add docs for `automationId`	2026-03-03 11:35:43 +00:00
Michael B. Gale	6d060bbaa1	Return `Partial<Log>` from `readSarifFile` Our previous definition had `tools` as a mandatory field, so this also makes some changes to deal with the case where that may be `undefined` by treating it as equivalent to `[]`.	2026-03-03 11:34:01 +00:00
Michael B. Gale	28b449d8c7	Improve version handling in `combineSarifFiles`	2026-03-03 11:18:47 +00:00
Michael B. Gale	1721ce7afd	Address minor review comments	2026-03-03 11:05:37 +00:00
Michael B. Gale	ff2daa0aba	Merge pull request #3526 from github/mbg/pr-checks/ts Convert `sync.py` to TypeScript	2026-03-03 10:49:56 +00:00
Michael B. Gale	b43d146e37	Do not alias types	2026-03-02 20:47:19 +00:00
Michael B. Gale	66e08d2b3f	Make entries in new mapping mandatory	2026-03-02 18:08:53 +00:00
Michael B. Gale	9a31859f78	Use `@types/sarif`	2026-03-02 18:04:11 +00:00
Michael B. Gale	ae9cb02459	Add dependency on `@types/sarif`	2026-03-02 17:41:41 +00:00
Michael B. Gale	c0b22b827b	Replace filename in `CONTRIBUTING.md`	2026-03-02 15:40:32 +00:00
Michael B. Gale	d09af9d5b8	Type workflow input names	2026-03-02 15:39:46 +00:00
Michael B. Gale	e7ec96cee0	Remove `isTruthy`: consistently use booleans in templates	2026-03-02 15:34:11 +00:00
Michael B. Gale	41d5a06bfd	Address basic style comments	2026-03-02 15:32:30 +00:00
Michael B. Gale	4ca06280ba	Merge remote-tracking branch 'origin/main' into mbg/pr-checks/ts	2026-03-02 14:03:56 +00:00
Henry Mercer	b895512248	Merge pull request #3532 from github/mergeback/v4.32.5-to-main-c793b717 Mergeback v4.32.5 refs/heads/releases/v4 into main	2026-03-02 11:59:49 +00:00
github-actions[bot]	6059d3ceb5	Rebuild	2026-03-02 11:35:32 +00:00
github-actions[bot]	bab3951531	Merge remote-tracking branch 'origin/main' into mergeback/v4.32.5-to-main-c793b717	2026-03-02 11:34:42 +00:00
github-actions[bot]	93ec0f487d	Update changelog and version after v4.32.5	2026-03-02 11:13:35 +00:00
Henry Mercer	c793b717bc	Merge pull request #3523 from github/update-v4.32.5-ca42bf226 Merge main into releases/v4	2026-03-02 11:11:20 +00:00
Henry Mercer	06cd615ad8	Soften language re overlay failures	2026-03-02 11:48:45 +01:00
Henry Mercer	f5516c6630	Improve changelog	2026-03-02 11:45:27 +01:00
Henry Mercer	97519e197e	Update release date	2026-03-02 10:03:22 +00:00
Michael B. Gale	a6892dcba5	Use `sync_back.ts` in `rebuild` workflow	2026-03-01 16:04:35 +00:00
Michael B. Gale	8eb0202e9d	Port tests	2026-03-01 16:04:35 +00:00
Michael B. Gale	dd779fa7d3	Add `updateTemplateFiles`	2026-03-01 16:04:35 +00:00
Michael B. Gale	f05cfae018	Add `updateSyncTs`	2026-03-01 16:04:35 +00:00
Michael B. Gale	e1b83ccb74	Add `scanGeneratedWorkflows`	2026-03-01 16:04:35 +00:00
Michael B. Gale	6a6bd778b6	Add initial `sync_back.ts` script	2026-03-01 16:04:35 +00:00
Michael B. Gale	f0f92a1dc8	Remove `sync.py`	2026-03-01 16:03:47 +00:00
Michael B. Gale	e931a2475a	Replace remaining uses of `sync.py`	2026-03-01 16:03:35 +00:00
Michael B. Gale	8bfaf96434	Run `npm ci` in actions	2026-03-01 15:20:30 +00:00
Michael B. Gale	8a1cd7656d	Put change behind a FF	2026-03-01 15:07:47 +00:00
Michael B. Gale	3b16d31abc	Delete unused `fixInvalidNotifications` function	2026-03-01 14:26:41 +00:00
Michael B. Gale	40aec383a1	Move more SARIF helpers to `sarif` module	2026-03-01 14:22:49 +00:00
Michael B. Gale	2fce45b8e6	Add wrapper around `JSON.parse` to `sarif` module	2026-03-01 14:10:25 +00:00
Michael B. Gale	d7cfd19fb8	Move SARIF types out of `util.ts`	2026-03-01 13:42:46 +00:00
Michael B. Gale	68d73442fa	Remove unused registry types from `LANGUAGE_TO_REGISTRY_TYPE`	2026-02-28 23:24:41 +00:00
Michael B. Gale	f91cab1409	Adjust quotes and re-generate workflows	2026-02-28 18:13:05 +00:00
Michael B. Gale	5876a93a5f	Switch `sync.sh` script to only use `sync.ts`	2026-02-28 17:58:00 +00:00
Michael B. Gale	0ea8490473	Switch from `js-yaml` to `yaml` for better output formatting	2026-02-28 17:55:41 +00:00
Michael B. Gale	a85af80f34	Generate and write collections	2026-02-28 16:47:22 +00:00
Michael B. Gale	47671ab7aa	Track collections	2026-02-28 16:46:47 +00:00
Michael B. Gale	96e6b655c1	Add tool-specific setup steps	2026-02-28 16:32:32 +00:00
Michael B. Gale	57c7bc6885	Add `analysisKinds`	2026-02-28 16:32:32 +00:00
Michael B. Gale	d52917b510	Add `useAllPlatformBundle`	2026-02-28 16:32:32 +00:00
Michael B. Gale	b948e562f4	Add basic job steps	2026-02-28 16:32:31 +00:00
Michael B. Gale	c889588a2c	Add `env`, `container`, and `services`	2026-02-28 16:32:31 +00:00
Michael B. Gale	b77ebbe4d8	Add `CODEQL_ACTION_TEST_MODE`	2026-02-28 16:32:31 +00:00
Michael B. Gale	9a0fe9e006	Add permissions	2026-02-28 16:32:31 +00:00
Michael B. Gale	dd78add36d	Add matrix to job	2026-02-28 16:32:31 +00:00
Michael B. Gale	e62a268a73	Add job construction	2026-02-28 16:32:31 +00:00
Michael B. Gale	63b4776d64	Add matrix construction	2026-02-28 16:32:30 +00:00
Michael B. Gale	6932b1cda2	Add `concurrency` settings	2026-02-28 16:32:30 +00:00
Michael B. Gale	40aefb0faf	Add basic workflow construction	2026-02-28 16:32:30 +00:00
Michael B. Gale	efe64e03d9	Add `isTruthy` helper	2026-02-28 16:32:30 +00:00
Michael B. Gale	898d46e783	Strip trailing whitespace in output	2026-02-28 16:32:30 +00:00
Michael B. Gale	04c1e601ab	Add `defaultTestVersions` constant	2026-02-28 16:18:04 +00:00
Michael B. Gale	2f77cd04d4	Add specification types	2026-02-28 16:06:14 +00:00
Michael B. Gale	c7e378f003	Scaffold project for `sync.ts` script	2026-02-28 15:58:47 +00:00
Henry Mercer	0ec47d036c	Merge pull request #3524 from github/henrymercer/checks-use-setup-codeql CI: Update CodeQL Action test to use `setup-codeql`	2026-02-27 17:02:44 +00:00
Henry Mercer	59245fd159	Add missing permissions to access feature flags	2026-02-27 17:39:20 +01:00
Henry Mercer	05259a1d08	Add more changelog notes	2026-02-27 17:24:17 +01:00
Henry Mercer	389c8322d5	CI: Update CodeQL Action test to use `setup-codeql`	2026-02-27 17:06:16 +01:00
Henry Mercer	01ee2f785a	Add changelog notes	2026-02-27 16:09:38 +01:00
github-actions[bot]	c72d9a4933	Update changelog for v4.32.5	2026-02-27 14:37:26 +00:00
Henry Mercer	ca42bf226a	Merge pull request #3522 from github/henrymercer/update-supported-versions-table Update supported Action / Bundle / GHES version table	2026-02-27 13:57:17 +00:00
Henry Mercer	6704d80ac6	Merge pull request #3520 from github/dependabot/npm_and_yarn/fast-xml-parser-5.4.1 Bump fast-xml-parser from 5.3.6 to 5.4.1	2026-02-27 13:57:12 +00:00
Henry Mercer	76348c0f12	Merge pull request #3521 from github/dependabot/npm_and_yarn/minimatch-3.1.5 Bump minimatch from 3.1.3 to 3.1.5	2026-02-27 13:57:06 +00:00
Henry Mercer	3a42a998ef	Update supported Action / Bundle / GHES version table	2026-02-27 13:37:42 +00:00
Henry Mercer	8ab0431fc3	Merge pull request #3514 from github/dependabot/npm_and_yarn/globals-17.3.0 Bump globals from 16.5.0 to 17.3.0	2026-02-27 13:28:04 +00:00
Henry Mercer	2c92579346	Merge pull request #3513 from github/dependabot/npm_and_yarn/npm-minor-e1092f1102 Bump eslint-plugin-jsdoc from 62.5.0 to 62.6.0 in the npm-minor group	2026-02-27 13:27:19 +00:00
github-actions[bot]	2475286230	Rebuild	2026-02-27 13:23:45 +00:00
github-actions[bot]	236fbf7645	Rebuild	2026-02-27 13:23:30 +00:00
dependabot[bot]	29181f28d5	Bump minimatch from 3.1.3 to 3.1.5 Bumps [minimatch](https://github.com/isaacs/minimatch) from 3.1.3 to 3.1.5. - [Changelog](https://github.com/isaacs/minimatch/blob/main/changelog.md) - [Commits](https://github.com/isaacs/minimatch/compare/v3.1.3...v3.1.5) --- updated-dependencies: - dependency-name: minimatch dependency-version: 3.1.5 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com>	2026-02-27 13:21:47 +00:00
dependabot[bot]	a0735d7c2a	Bump fast-xml-parser from 5.3.6 to 5.4.1 Bumps [fast-xml-parser](https://github.com/NaturalIntelligence/fast-xml-parser) from 5.3.6 to 5.4.1. - [Release notes](https://github.com/NaturalIntelligence/fast-xml-parser/releases) - [Changelog](https://github.com/NaturalIntelligence/fast-xml-parser/blob/master/CHANGELOG.md) - [Commits](https://github.com/NaturalIntelligence/fast-xml-parser/compare/v5.3.6...v5.4.1) --- updated-dependencies: - dependency-name: fast-xml-parser dependency-version: 5.4.1 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com>	2026-02-27 13:21:34 +00:00
Henry Mercer	b35e0349aa	Merge pull request #3518 from github/mbg/ci/merge-queue-codeql Disable CodeQL upload for merge queue and exclude PR size workflow from required checks	2026-02-27 12:56:04 +00:00
Michael B. Gale	4406eba03e	Skip uploads in merge queue	2026-02-27 12:14:56 +00:00
Henry Mercer	1b897f3911	Fix conditions in code scanning config checks DIff-informed analysis isn't enabled in the merge queue.	2026-02-27 12:10:38 +00:00
Henry Mercer	adf58cf166	Merge pull request #3515 from github/henrymercer/drop-ram-limit Skip overlay memory check for CodeQL 2.24.3 and later	2026-02-27 11:17:11 +00:00
Michael B. Gale	b7d3fb98df	Exclude "Label PR with size" from required checks	2026-02-26 18:25:26 +00:00
Michael B. Gale	4e8e79431d	Run CodeQL with `linked` tools for merge queue	2026-02-26 18:25:26 +00:00
github-actions[bot]	52c2a032f3	Rebuild	2026-02-26 17:22:24 +00:00
Henry Mercer	ba1288cb3c	Merge branch 'main' into dependabot/npm_and_yarn/globals-17.3.0	2026-02-26 17:20:10 +00:00
Henry Mercer	29765a3c71	Skip overlay memory check for CodeQL 2.24.3 and later	2026-02-26 16:53:26 +00:00
github-actions[bot]	068e80c14c	Rebuild	2026-02-26 16:42:43 +00:00
Michael B. Gale	154969e08b	Merge branch 'main' into dependabot/npm_and_yarn/npm-minor-e1092f1102	2026-02-26 16:40:19 +00:00
Michael B. Gale	b0ed4dedcb	Merge pull request #3511 from github/henrymercer/merge-queue Add `merge_group` trigger to required checks to prepare for merge queue	2026-02-26 16:33:14 +00:00
Michael B. Gale	3c83f578ed	Merge pull request #3516 from github/mbg/start-proxy/reduce-connection-check-severity	2026-02-26 16:32:00 +00:00
Henry Mercer	20f148b36e	Merge pull request #3507 from github/henrymercer/overlay-repo-property Add a repository property for disabling overlay	2026-02-26 16:21:03 +00:00
Henry Mercer	4068616de4	Merge branch 'main' into henrymercer/overlay-repo-property	2026-02-26 15:27:25 +00:00
Michael B. Gale	0d5f70631a	Merge branch 'main' into mbg/start-proxy/reduce-connection-check-severity	2026-02-26 15:16:23 +00:00
Michael B. Gale	ae14a1f513	Merge branch 'main' into henrymercer/merge-queue	2026-02-26 15:11:41 +00:00
Michael B. Gale	a577f702b9	Merge pull request #3512 from github/mbg/start-proxy/use-default-cli Use `getDefaultCliVersion` for `start-proxy`	2026-02-26 15:11:18 +00:00
Michael B. Gale	bce0deb953	Fix log message / returned version	2026-02-26 13:55:47 +00:00
Michael B. Gale	db33d20bf4	Put change behind a FF	2026-02-26 13:10:52 +00:00
Michael B. Gale	3c911485ed	Address Copilot's review comments	2026-02-26 13:07:03 +00:00
Michael B. Gale	1ec5b701fc	Reduce log levels for registry connection checks	2026-02-26 11:53:26 +00:00
dependabot[bot]	9bdf640d99	Bump globals from 16.5.0 to 17.3.0 Bumps [globals](https://github.com/sindresorhus/globals) from 16.5.0 to 17.3.0. - [Release notes](https://github.com/sindresorhus/globals/releases) - [Commits](https://github.com/sindresorhus/globals/compare/v16.5.0...v17.3.0) --- updated-dependencies: - dependency-name: globals dependency-version: 17.3.0 dependency-type: direct:development update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>	2026-02-25 17:53:31 +00:00
dependabot[bot]	b2beb85441	Bump eslint-plugin-jsdoc from 62.5.0 to 62.6.0 in the npm-minor group Bumps the npm-minor group with 1 update: [eslint-plugin-jsdoc](https://github.com/gajus/eslint-plugin-jsdoc). Updates `eslint-plugin-jsdoc` from 62.5.0 to 62.6.0 - [Release notes](https://github.com/gajus/eslint-plugin-jsdoc/releases) - [Commits](https://github.com/gajus/eslint-plugin-jsdoc/compare/v62.5.0...v62.6.0) --- updated-dependencies: - dependency-name: eslint-plugin-jsdoc dependency-version: 62.6.0 dependency-type: direct:development update-type: version-update:semver-minor dependency-group: npm-minor ... Signed-off-by: dependabot[bot] <support@github.com>	2026-02-25 17:53:10 +00:00
Michael B. Gale	f657c4e1eb	Use `getDefaultCliVersion` for `start-proxy`	2026-02-25 17:43:15 +00:00
Henry Mercer	f379c46d49	Address review comments	2026-02-25 15:26:48 +00:00
Henry Mercer	8105503f1a	Add `merge_group` trigger to required checks to prepare for merge queue	2026-02-25 15:12:37 +00:00
Henry Mercer	056b0912cf	Merge branch 'main' into henrymercer/overlay-repo-property	2026-02-25 14:43:34 +00:00
Henry Mercer	445a2a9bb2	Record overlay disablement reason	2026-02-25 14:36:03 +00:00
Henry Mercer	182427800c	Add disabled reason	2026-02-25 14:22:13 +00:00
Henry Mercer	c0fc915677	Merge pull request #3509 from github/dependabot/npm_and_yarn/multi-871638c4a1 Bump minimatch	2026-02-25 13:43:36 +00:00
Michael B. Gale	18898a6dd3	Merge pull request #3504 from github/mbg/ff/remove-ImprovedProxyCertificates Remove FF gate for improved CA generation	2026-02-25 13:25:57 +00:00
Henry Mercer	70db156dcb	Add diagnostic when overlay disabled by repo property	2026-02-25 11:48:10 +00:00
Henry Mercer	9c61a2ddf4	Reorganize properties file	2026-02-25 11:35:34 +00:00
github-actions[bot]	123b3011fa	Rebuild	2026-02-25 00:19:51 +00:00
dependabot[bot]	0aafb58a10	Bump minimatch Bumps and [minimatch](https://github.com/isaacs/minimatch). These dependencies needed to be updated together. Updates `minimatch` from 10.1.1 to 10.2.2 - [Changelog](https://github.com/isaacs/minimatch/blob/main/changelog.md) - [Commits](https://github.com/isaacs/minimatch/compare/v10.1.1...v10.2.2) Updates `minimatch` from 5.1.6 to 5.1.7 - [Changelog](https://github.com/isaacs/minimatch/blob/main/changelog.md) - [Commits](https://github.com/isaacs/minimatch/compare/v10.1.1...v10.2.2) Updates `minimatch` from 3.1.2 to 3.1.3 - [Changelog](https://github.com/isaacs/minimatch/blob/main/changelog.md) - [Commits](https://github.com/isaacs/minimatch/compare/v10.1.1...v10.2.2) Updates `minimatch` from 9.0.5 to 9.0.6 - [Changelog](https://github.com/isaacs/minimatch/blob/main/changelog.md) - [Commits](https://github.com/isaacs/minimatch/compare/v10.1.1...v10.2.2) --- updated-dependencies: - dependency-name: minimatch dependency-version: 10.2.2 dependency-type: indirect - dependency-name: minimatch dependency-version: 5.1.7 dependency-type: indirect - dependency-name: minimatch dependency-version: 3.1.3 dependency-type: indirect - dependency-name: minimatch dependency-version: 9.0.6 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com>	2026-02-25 00:17:44 +00:00
Henry Mercer	2808ca726e	Improve validation and address review comments	2026-02-24 19:56:43 +00:00
Henry Mercer	ed39a1ea5c	Add repository property for disabling overlay	2026-02-24 18:58:08 +00:00
Henry Mercer	7ea93ee2e1	Add support for boolean repository properties	2026-02-24 18:48:32 +00:00
Michael B. Gale	83c236af2b	Remove FF gate for improved CA generation	2026-02-24 11:25:57 +00:00