Add PR check for CSRA artifact upload

Merge pull request #3566 from github/dependabot/npm_and_yarn/npm-minor-aebc49e072
Bump the npm-minor group with 2 updates
2026-05-09 07:10:22 +00:00 · 2026-03-12 12:24:25 +00:00 · 2026-03-11 20:49:27 +00:00 · 2026-03-11 20:47:14 +00:00 · 2026-03-11 19:51:54 +00:00 · 2026-03-11 19:51:53 +00:00
136 changed files with 6510 additions and 5722 deletions
@@ -25,34 +25,34 @@ on:
    - cron: '0 5 * * *'
  workflow_dispatch:
    inputs:
-      go-version:
-        type: string
-        description: The version of Go to install
-        required: false
-        default: '>=1.21.0'
      dotnet-version:
        type: string
        description: The version of .NET to install
        required: false
        default: 9.x
+      go-version:
+        type: string
+        description: The version of Go to install
+        required: false
+        default: '>=1.21.0'
  workflow_call:
    inputs:
-      go-version:
-        type: string
-        description: The version of Go to install
-        required: false
-        default: '>=1.21.0'
      dotnet-version:
        type: string
        description: The version of .NET to install
        required: false
        default: 9.x
+      go-version:
+        type: string
+        description: The version of Go to install
+        required: false
+        default: '>=1.21.0'
 defaults:
  run:
    shell: bash
 concurrency:
  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: all-platform-bundle-${{github.ref}}-${{inputs.go-version}}-${{inputs.dotnet-version}}
+  group: all-platform-bundle-${{github.ref}}-${{inputs.dotnet-version}}-${{inputs.go-version}}
 jobs:
  all-platform-bundle:
    strategy:
@@ -75,6 +75,15 @@ jobs:
    steps:
      - name: Check out repository
        uses: actions/checkout@v6
+      - name: Install .NET
+        uses: actions/setup-dotnet@v5
+        with:
+          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
+      - name: Install Go
+        uses: actions/setup-go@v6
+        with:
+          go-version: ${{ inputs.go-version || '>=1.21.0' }}
+          cache: false
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -82,15 +91,6 @@ jobs:
          version: ${{ matrix.version }}
          use-all-platform-bundle: 'true'
          setup-kotlin: 'true'
-      - name: Install Go
-        uses: actions/setup-go@v6
-        with:
-          go-version: ${{ inputs.go-version || '>=1.21.0' }}
-          cache: false
-      - name: Install .NET
-        uses: actions/setup-dotnet@v5
-        with:
-          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - id: init
        uses: ./../action/init
        with:
@@ -92,7 +92,7 @@ jobs:
          post-processed-sarif-path: '${{ runner.temp }}/post-processed'

      - name: Upload SARIF files
-        uses: actions/upload-artifact@v6
+        uses: actions/upload-artifact@v7
        with:
          name: |
            analysis-kinds-${{ matrix.os }}-${{ matrix.version }}-${{ matrix.analysis-kinds }}
@@ -100,7 +100,7 @@ jobs:
          retention-days: 7

      - name: Upload post-processed SARIF
-        uses: actions/upload-artifact@v6
+        uses: actions/upload-artifact@v7
        with:
          name: |
            post-processed-${{ matrix.os }}-${{ matrix.version }}-${{ matrix.analysis-kinds }}
@@ -25,44 +25,34 @@ on:
    - cron: '0 5 * * *'
  workflow_dispatch:
    inputs:
-      go-version:
-        type: string
-        description: The version of Go to install
-        required: false
-        default: '>=1.21.0'
-      python-version:
-        type: string
-        description: The version of Python to install
-        required: false
-        default: '3.13'
      dotnet-version:
        type: string
        description: The version of .NET to install
        required: false
        default: 9.x
+      go-version:
+        type: string
+        description: The version of Go to install
+        required: false
+        default: '>=1.21.0'
  workflow_call:
    inputs:
-      go-version:
-        type: string
-        description: The version of Go to install
-        required: false
-        default: '>=1.21.0'
-      python-version:
-        type: string
-        description: The version of Python to install
-        required: false
-        default: '3.13'
      dotnet-version:
        type: string
        description: The version of .NET to install
        required: false
        default: 9.x
+      go-version:
+        type: string
+        description: The version of Go to install
+        required: false
+        default: '>=1.21.0'
 defaults:
  run:
    shell: bash
 concurrency:
  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: analyze-ref-input-${{github.ref}}-${{inputs.go-version}}-${{inputs.python-version}}-${{inputs.dotnet-version}}
+  group: analyze-ref-input-${{github.ref}}-${{inputs.dotnet-version}}-${{inputs.go-version}}
 jobs:
  analyze-ref-input:
    strategy:
@@ -81,6 +71,15 @@ jobs:
    steps:
      - name: Check out repository
        uses: actions/checkout@v6
+      - name: Install .NET
+        uses: actions/setup-dotnet@v5
+        with:
+          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
+      - name: Install Go
+        uses: actions/setup-go@v6
+        with:
+          go-version: ${{ inputs.go-version || '>=1.21.0' }}
+          cache: false
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -88,20 +87,6 @@ jobs:
          version: ${{ matrix.version }}
          use-all-platform-bundle: 'false'
          setup-kotlin: 'true'
-      - name: Install Go
-        uses: actions/setup-go@v6
-        with:
-          go-version: ${{ inputs.go-version || '>=1.21.0' }}
-          cache: false
-      - name: Install Python
-        if: matrix.version != 'nightly-latest'
-        uses: actions/setup-python@v6
-        with:
-          python-version: ${{ inputs.python-version || '3.13' }}
-      - name: Install .NET
-        uses: actions/setup-dotnet@v5
-        with:
-          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - uses: ./../action/init
        with:
          tools: ${{ steps.prepare-test.outputs.tools-url }}
@@ -65,6 +65,10 @@ jobs:
    steps:
      - name: Check out repository
        uses: actions/checkout@v6
+      - name: Install .NET
+        uses: actions/setup-dotnet@v5
+        with:
+          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -72,10 +76,6 @@ jobs:
          version: ${{ matrix.version }}
          use-all-platform-bundle: 'false'
          setup-kotlin: 'true'
-      - name: Install .NET
-        uses: actions/setup-dotnet@v5
-        with:
-          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - uses: ./../action/init
        with:
          languages: csharp
@@ -67,6 +67,11 @@ jobs:
    steps:
      - name: Check out repository
        uses: actions/checkout@v6
+      - name: Install Java
+        uses: actions/setup-java@v5
+        with:
+          java-version: ${{ inputs.java-version || '17' }}
+          distribution: temurin
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -74,11 +79,6 @@ jobs:
          version: ${{ matrix.version }}
          use-all-platform-bundle: 'false'
          setup-kotlin: 'true'
-      - name: Install Java
-        uses: actions/setup-java@v5
-        with:
-          java-version: ${{ inputs.java-version || '17' }}
-          distribution: temurin
      - name: Test setup
        run: |
          # Make sure that Gradle build succeeds in autobuild-dir ...
@@ -67,13 +67,6 @@ jobs:
    steps:
      - name: Check out repository
        uses: actions/checkout@v6
-      - name: Prepare test
-        id: prepare-test
-        uses: ./.github/actions/prepare-test
-        with:
-          version: ${{ matrix.version }}
-          use-all-platform-bundle: 'false'
-          setup-kotlin: 'true'
      - name: Install Java
        uses: actions/setup-java@v5
        with:
@@ -87,6 +80,13 @@ jobs:
        run: |-
          gh release download --repo mikefarah/yq --pattern "yq_windows_amd64.exe" "$YQ_VERSION" -O "$YQ_PATH/yq.exe"
          echo "$YQ_PATH" >> "$GITHUB_PATH"
+      - name: Prepare test
+        id: prepare-test
+        uses: ./.github/actions/prepare-test
+        with:
+          version: ${{ matrix.version }}
+          use-all-platform-bundle: 'false'
+          setup-kotlin: 'true'
      - name: Set up Java test repo configuration
        run: |
          mv * .github ../action/tests/multi-language-repo/
@@ -25,34 +25,34 @@ on:
    - cron: '0 5 * * *'
  workflow_dispatch:
    inputs:
-      go-version:
-        type: string
-        description: The version of Go to install
-        required: false
-        default: '>=1.21.0'
      dotnet-version:
        type: string
        description: The version of .NET to install
        required: false
        default: 9.x
+      go-version:
+        type: string
+        description: The version of Go to install
+        required: false
+        default: '>=1.21.0'
  workflow_call:
    inputs:
-      go-version:
-        type: string
-        description: The version of Go to install
-        required: false
-        default: '>=1.21.0'
      dotnet-version:
        type: string
        description: The version of .NET to install
        required: false
        default: 9.x
+      go-version:
+        type: string
+        description: The version of Go to install
+        required: false
+        default: '>=1.21.0'
 defaults:
  run:
    shell: bash
 concurrency:
  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: build-mode-manual-${{github.ref}}-${{inputs.go-version}}-${{inputs.dotnet-version}}
+  group: build-mode-manual-${{github.ref}}-${{inputs.dotnet-version}}-${{inputs.go-version}}
 jobs:
  build-mode-manual:
    strategy:
@@ -71,6 +71,15 @@ jobs:
    steps:
      - name: Check out repository
        uses: actions/checkout@v6
+      - name: Install .NET
+        uses: actions/setup-dotnet@v5
+        with:
+          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
+      - name: Install Go
+        uses: actions/setup-go@v6
+        with:
+          go-version: ${{ inputs.go-version || '>=1.21.0' }}
+          cache: false
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -78,15 +87,6 @@ jobs:
          version: ${{ matrix.version }}
          use-all-platform-bundle: 'false'
          setup-kotlin: 'true'
-      - name: Install Go
-        uses: actions/setup-go@v6
-        with:
-          go-version: ${{ inputs.go-version || '>=1.21.0' }}
-          cache: false
-      - name: Install .NET
-        uses: actions/setup-dotnet@v5
-        with:
-          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - uses: ./../action/init
        id: init
        with:
@@ -39,10 +39,10 @@ jobs:
      fail-fast: false
      matrix:
        include:
-          - os: macos-latest
-            version: linked
          - os: ubuntu-latest
            version: linked
+          - os: macos-latest
+            version: linked
          - os: windows-latest
            version: linked
    name: 'Bundle: Caching checks'
@@ -39,10 +39,10 @@ jobs:
      fail-fast: false
      matrix:
        include:
-          - os: macos-latest
-            version: linked
          - os: ubuntu-latest
            version: linked
+          - os: macos-latest
+            version: linked
          - os: windows-latest
            version: linked
    name: 'Bundle: Zstandard checks'
@@ -82,7 +82,7 @@ jobs:
          output: ${{ runner.temp }}/results
          upload-database: false
      - name: Upload SARIF
-        uses: actions/upload-artifact@v6
+        uses: actions/upload-artifact@v7
        with:
          name: ${{ matrix.os }}-zstd-bundle.sarif
          path: ${{ runner.temp }}/results/javascript.sarif
@@ -70,7 +70,7 @@ jobs:
          output: '${{ runner.temp }}/results'
          upload-database: false
      - name: Upload SARIF
-        uses: actions/upload-artifact@v6
+        uses: actions/upload-artifact@v7
        with:
          name: config-export-${{ matrix.os }}-${{ matrix.version }}.sarif.json
          path: '${{ runner.temp }}/results/javascript.sarif'
@@ -81,7 +81,7 @@ jobs:
          output: '${{ runner.temp }}/results'
          upload-database: false
      - name: Upload SARIF
-        uses: actions/upload-artifact@v6
+        uses: actions/upload-artifact@v7
        with:
          name: diagnostics-export-${{ matrix.os }}-${{ matrix.version }}.sarif.json
          path: '${{ runner.temp }}/results/javascript.sarif'
@@ -25,34 +25,34 @@ on:
    - cron: '0 5 * * *'
  workflow_dispatch:
    inputs:
-      go-version:
-        type: string
-        description: The version of Go to install
-        required: false
-        default: '>=1.21.0'
      dotnet-version:
        type: string
        description: The version of .NET to install
        required: false
        default: 9.x
+      go-version:
+        type: string
+        description: The version of Go to install
+        required: false
+        default: '>=1.21.0'
  workflow_call:
    inputs:
-      go-version:
-        type: string
-        description: The version of Go to install
-        required: false
-        default: '>=1.21.0'
      dotnet-version:
        type: string
        description: The version of .NET to install
        required: false
        default: 9.x
+      go-version:
+        type: string
+        description: The version of Go to install
+        required: false
+        default: '>=1.21.0'
 defaults:
  run:
    shell: bash
 concurrency:
  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: export-file-baseline-information-${{github.ref}}-${{inputs.go-version}}-${{inputs.dotnet-version}}
+  group: export-file-baseline-information-${{github.ref}}-${{inputs.dotnet-version}}-${{inputs.go-version}}
 jobs:
  export-file-baseline-information:
    strategy:
@@ -75,6 +75,15 @@ jobs:
    steps:
      - name: Check out repository
        uses: actions/checkout@v6
+      - name: Install .NET
+        uses: actions/setup-dotnet@v5
+        with:
+          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
+      - name: Install Go
+        uses: actions/setup-go@v6
+        with:
+          go-version: ${{ inputs.go-version || '>=1.21.0' }}
+          cache: false
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -82,15 +91,6 @@ jobs:
          version: ${{ matrix.version }}
          use-all-platform-bundle: 'false'
          setup-kotlin: 'true'
-      - name: Install Go
-        uses: actions/setup-go@v6
-        with:
-          go-version: ${{ inputs.go-version || '>=1.21.0' }}
-          cache: false
-      - name: Install .NET
-        uses: actions/setup-dotnet@v5
-        with:
-          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - uses: ./../action/init
        id: init
        with:
@@ -102,7 +102,7 @@ jobs:
        with:
          output: '${{ runner.temp }}/results'
      - name: Upload SARIF
-        uses: actions/upload-artifact@v6
+        uses: actions/upload-artifact@v7
        with:
          name: with-baseline-information-${{ matrix.os }}-${{ matrix.version }}.sarif.json
          path: '${{ runner.temp }}/results/javascript.sarif'
@@ -25,34 +25,34 @@ on:
    - cron: '0 5 * * *'
  workflow_dispatch:
    inputs:
-      go-version:
-        type: string
-        description: The version of Go to install
-        required: false
-        default: '>=1.21.0'
      dotnet-version:
        type: string
        description: The version of .NET to install
        required: false
        default: 9.x
+      go-version:
+        type: string
+        description: The version of Go to install
+        required: false
+        default: '>=1.21.0'
  workflow_call:
    inputs:
-      go-version:
-        type: string
-        description: The version of Go to install
-        required: false
-        default: '>=1.21.0'
      dotnet-version:
        type: string
        description: The version of .NET to install
        required: false
        default: 9.x
+      go-version:
+        type: string
+        description: The version of Go to install
+        required: false
+        default: '>=1.21.0'
 defaults:
  run:
    shell: bash
 concurrency:
  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: go-custom-queries-${{github.ref}}-${{inputs.go-version}}-${{inputs.dotnet-version}}
+  group: go-custom-queries-${{github.ref}}-${{inputs.dotnet-version}}-${{inputs.go-version}}
 jobs:
  go-custom-queries:
    strategy:
@@ -73,6 +73,15 @@ jobs:
    steps:
      - name: Check out repository
        uses: actions/checkout@v6
+      - name: Install .NET
+        uses: actions/setup-dotnet@v5
+        with:
+          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
+      - name: Install Go
+        uses: actions/setup-go@v6
+        with:
+          go-version: ${{ inputs.go-version || '>=1.21.0' }}
+          cache: false
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -80,15 +89,6 @@ jobs:
          version: ${{ matrix.version }}
          use-all-platform-bundle: 'false'
          setup-kotlin: 'true'
-      - name: Install Go
-        uses: actions/setup-go@v6
-        with:
-          go-version: ${{ inputs.go-version || '>=1.21.0' }}
-          cache: false
-      - name: Install .NET
-        uses: actions/setup-dotnet@v5
-        with:
-          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - uses: ./../action/init
        with:
          languages: go
@@ -61,6 +61,11 @@ jobs:
    steps:
      - name: Check out repository
        uses: actions/checkout@v6
+      - name: Install Go
+        uses: actions/setup-go@v6
+        with:
+          go-version: ${{ inputs.go-version || '>=1.21.0' }}
+          cache: false
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -68,11 +73,6 @@ jobs:
          version: ${{ matrix.version }}
          use-all-platform-bundle: 'false'
          setup-kotlin: 'true'
-      - name: Install Go
-        uses: actions/setup-go@v6
-        with:
-          go-version: ${{ inputs.go-version || '>=1.21.0' }}
-          cache: false
      - uses: ./../action/init
        with:
          languages: go
@@ -61,6 +61,11 @@ jobs:
    steps:
      - name: Check out repository
        uses: actions/checkout@v6
+      - name: Install Go
+        uses: actions/setup-go@v6
+        with:
+          go-version: ${{ inputs.go-version || '>=1.21.0' }}
+          cache: false
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -68,11 +73,6 @@ jobs:
          version: ${{ matrix.version }}
          use-all-platform-bundle: 'false'
          setup-kotlin: 'true'
-      - name: Install Go
-        uses: actions/setup-go@v6
-        with:
-          go-version: ${{ inputs.go-version || '>=1.21.0' }}
-          cache: false
      - name: Remove `file` program
        run: |
          echo $(which file)
@@ -61,6 +61,11 @@ jobs:
    steps:
      - name: Check out repository
        uses: actions/checkout@v6
+      - name: Install Go
+        uses: actions/setup-go@v6
+        with:
+          go-version: ${{ inputs.go-version || '>=1.21.0' }}
+          cache: false
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -68,11 +73,6 @@ jobs:
          version: ${{ matrix.version }}
          use-all-platform-bundle: 'false'
          setup-kotlin: 'true'
-      - name: Install Go
-        uses: actions/setup-go@v6
-        with:
-          go-version: ${{ inputs.go-version || '>=1.21.0' }}
-          cache: false
      - uses: ./../action/init
        with:
          languages: go
@@ -51,32 +51,18 @@ jobs:
        include:
          - os: ubuntu-latest
            version: stable-v2.17.6
-          - os: macos-latest
-            version: stable-v2.17.6
          - os: ubuntu-latest
            version: stable-v2.18.4
-          - os: macos-latest
-            version: stable-v2.18.4
          - os: ubuntu-latest
            version: stable-v2.19.4
-          - os: macos-latest
-            version: stable-v2.19.4
          - os: ubuntu-latest
            version: stable-v2.20.7
-          - os: macos-latest
-            version: stable-v2.20.7
          - os: ubuntu-latest
            version: stable-v2.21.4
-          - os: macos-latest
-            version: stable-v2.21.4
          - os: ubuntu-latest
            version: stable-v2.22.4
-          - os: macos-latest
-            version: stable-v2.22.4
          - os: ubuntu-latest
            version: default
-          - os: macos-latest
-            version: default
          - os: ubuntu-latest
            version: linked
          - os: macos-latest
@@ -95,6 +81,11 @@ jobs:
    steps:
      - name: Check out repository
        uses: actions/checkout@v6
+      - name: Install Go
+        uses: actions/setup-go@v6
+        with:
+          go-version: ${{ inputs.go-version || '>=1.21.0' }}
+          cache: false
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -102,11 +93,6 @@ jobs:
          version: ${{ matrix.version }}
          use-all-platform-bundle: 'false'
          setup-kotlin: 'true'
-      - name: Install Go
-        uses: actions/setup-go@v6
-        with:
-          go-version: ${{ inputs.go-version || '>=1.21.0' }}
-          cache: false
      - uses: ./../action/init
        with:
          languages: go
@@ -51,32 +51,18 @@ jobs:
        include:
          - os: ubuntu-latest
            version: stable-v2.17.6
-          - os: macos-latest
-            version: stable-v2.17.6
          - os: ubuntu-latest
            version: stable-v2.18.4
-          - os: macos-latest
-            version: stable-v2.18.4
          - os: ubuntu-latest
            version: stable-v2.19.4
-          - os: macos-latest
-            version: stable-v2.19.4
          - os: ubuntu-latest
            version: stable-v2.20.7
-          - os: macos-latest
-            version: stable-v2.20.7
          - os: ubuntu-latest
            version: stable-v2.21.4
-          - os: macos-latest
-            version: stable-v2.21.4
          - os: ubuntu-latest
            version: stable-v2.22.4
-          - os: macos-latest
-            version: stable-v2.22.4
          - os: ubuntu-latest
            version: default
-          - os: macos-latest
-            version: default
          - os: ubuntu-latest
            version: linked
          - os: macos-latest
@@ -95,6 +81,11 @@ jobs:
    steps:
      - name: Check out repository
        uses: actions/checkout@v6
+      - name: Install Go
+        uses: actions/setup-go@v6
+        with:
+          go-version: ${{ inputs.go-version || '>=1.21.0' }}
+          cache: false
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -102,11 +93,6 @@ jobs:
          version: ${{ matrix.version }}
          use-all-platform-bundle: 'false'
          setup-kotlin: 'true'
-      - name: Install Go
-        uses: actions/setup-go@v6
-        with:
-          go-version: ${{ inputs.go-version || '>=1.21.0' }}
-          cache: false
      - uses: ./../action/init
        with:
          languages: go
@@ -51,32 +51,18 @@ jobs:
        include:
          - os: ubuntu-latest
            version: stable-v2.17.6
-          - os: macos-latest
-            version: stable-v2.17.6
          - os: ubuntu-latest
            version: stable-v2.18.4
-          - os: macos-latest
-            version: stable-v2.18.4
          - os: ubuntu-latest
            version: stable-v2.19.4
-          - os: macos-latest
-            version: stable-v2.19.4
          - os: ubuntu-latest
            version: stable-v2.20.7
-          - os: macos-latest
-            version: stable-v2.20.7
          - os: ubuntu-latest
            version: stable-v2.21.4
-          - os: macos-latest
-            version: stable-v2.21.4
          - os: ubuntu-latest
            version: stable-v2.22.4
-          - os: macos-latest
-            version: stable-v2.22.4
          - os: ubuntu-latest
            version: default
-          - os: macos-latest
-            version: default
          - os: ubuntu-latest
            version: linked
          - os: macos-latest
@@ -95,6 +81,11 @@ jobs:
    steps:
      - name: Check out repository
        uses: actions/checkout@v6
+      - name: Install Go
+        uses: actions/setup-go@v6
+        with:
+          go-version: ${{ inputs.go-version || '>=1.21.0' }}
+          cache: false
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -102,11 +93,6 @@ jobs:
          version: ${{ matrix.version }}
          use-all-platform-bundle: 'false'
          setup-kotlin: 'true'
-      - name: Install Go
-        uses: actions/setup-go@v6
-        with:
-          go-version: ${{ inputs.go-version || '>=1.21.0' }}
-          cache: false
      - uses: ./../action/init
        with:
          languages: go
@@ -10,16 +10,16 @@ env:
 on:
  workflow_dispatch:
    inputs:
-      go-version:
-        type: string
-        description: The version of Go to install
-        required: false
-        default: '>=1.21.0'
      dotnet-version:
        type: string
        description: The version of .NET to install
        required: false
        default: 9.x
+      go-version:
+        type: string
+        description: The version of Go to install
+        required: false
+        default: '>=1.21.0'
 jobs:
  go-custom-queries:
    name: 'Go: Custom queries'
@@ -28,8 +28,8 @@ jobs:
      security-events: read
    uses: ./.github/workflows/__go-custom-queries.yml
    with:
-      go-version: ${{ inputs.go-version }}
      dotnet-version: ${{ inputs.dotnet-version }}
+      go-version: ${{ inputs.go-version }}
  go-indirect-tracing-workaround-diagnostic:
    name: 'Go: diagnostic when Go is changed after init step'
    permissions:
@@ -67,7 +67,7 @@ jobs:
        with:
          output: '${{ runner.temp }}/results'
      - name: Upload SARIF
-        uses: actions/upload-artifact@v6
+        uses: actions/upload-artifact@v7
        with:
          name: ${{ matrix.os }}-${{ matrix.version }}.sarif.json
          path: '${{ runner.temp }}/results/javascript.sarif'
@@ -25,44 +25,34 @@ on:
    - cron: '0 5 * * *'
  workflow_dispatch:
    inputs:
-      go-version:
-        type: string
-        description: The version of Go to install
-        required: false
-        default: '>=1.21.0'
-      python-version:
-        type: string
-        description: The version of Python to install
-        required: false
-        default: '3.13'
      dotnet-version:
        type: string
        description: The version of .NET to install
        required: false
        default: 9.x
+      go-version:
+        type: string
+        description: The version of Go to install
+        required: false
+        default: '>=1.21.0'
  workflow_call:
    inputs:
-      go-version:
-        type: string
-        description: The version of Go to install
-        required: false
-        default: '>=1.21.0'
-      python-version:
-        type: string
-        description: The version of Python to install
-        required: false
-        default: '3.13'
      dotnet-version:
        type: string
        description: The version of .NET to install
        required: false
        default: 9.x
+      go-version:
+        type: string
+        description: The version of Go to install
+        required: false
+        default: '>=1.21.0'
 defaults:
  run:
    shell: bash
 concurrency:
  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: local-bundle-${{github.ref}}-${{inputs.go-version}}-${{inputs.python-version}}-${{inputs.dotnet-version}}
+  group: local-bundle-${{github.ref}}-${{inputs.dotnet-version}}-${{inputs.go-version}}
 jobs:
  local-bundle:
    strategy:
@@ -81,6 +71,15 @@ jobs:
    steps:
      - name: Check out repository
        uses: actions/checkout@v6
+      - name: Install .NET
+        uses: actions/setup-dotnet@v5
+        with:
+          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
+      - name: Install Go
+        uses: actions/setup-go@v6
+        with:
+          go-version: ${{ inputs.go-version || '>=1.21.0' }}
+          cache: false
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -88,20 +87,6 @@ jobs:
          version: ${{ matrix.version }}
          use-all-platform-bundle: 'false'
          setup-kotlin: 'true'
-      - name: Install Go
-        uses: actions/setup-go@v6
-        with:
-          go-version: ${{ inputs.go-version || '>=1.21.0' }}
-          cache: false
-      - name: Install Python
-        if: matrix.version != 'nightly-latest'
-        uses: actions/setup-python@v6
-        with:
-          python-version: ${{ inputs.python-version || '3.13' }}
-      - name: Install .NET
-        uses: actions/setup-dotnet@v5
-        with:
-          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - name: Fetch latest CodeQL bundle
        run: |
          wget https://github.com/github/codeql-action/releases/latest/download/codeql-bundle-linux64.tar.zst
@@ -25,85 +25,75 @@ on:
    - cron: '0 5 * * *'
  workflow_dispatch:
    inputs:
-      go-version:
-        type: string
-        description: The version of Go to install
-        required: false
-        default: '>=1.21.0'
-      python-version:
-        type: string
-        description: The version of Python to install
-        required: false
-        default: '3.13'
      dotnet-version:
        type: string
        description: The version of .NET to install
        required: false
        default: 9.x
+      go-version:
+        type: string
+        description: The version of Go to install
+        required: false
+        default: '>=1.21.0'
  workflow_call:
    inputs:
-      go-version:
-        type: string
-        description: The version of Go to install
-        required: false
-        default: '>=1.21.0'
-      python-version:
-        type: string
-        description: The version of Python to install
-        required: false
-        default: '3.13'
      dotnet-version:
        type: string
        description: The version of .NET to install
        required: false
        default: 9.x
+      go-version:
+        type: string
+        description: The version of Go to install
+        required: false
+        default: '>=1.21.0'
 defaults:
  run:
    shell: bash
 concurrency:
  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: multi-language-autodetect-${{github.ref}}-${{inputs.go-version}}-${{inputs.python-version}}-${{inputs.dotnet-version}}
+  group: multi-language-autodetect-${{github.ref}}-${{inputs.dotnet-version}}-${{inputs.go-version}}
 jobs:
  multi-language-autodetect:
    strategy:
      fail-fast: false
      matrix:
        include:
-          - os: macos-latest
-            version: stable-v2.17.6
          - os: ubuntu-latest
            version: stable-v2.17.6
          - os: macos-latest
-            version: stable-v2.18.4
+            version: stable-v2.17.6
          - os: ubuntu-latest
            version: stable-v2.18.4
          - os: macos-latest
-            version: stable-v2.19.4
+            version: stable-v2.18.4
          - os: ubuntu-latest
            version: stable-v2.19.4
          - os: macos-latest
-            version: stable-v2.20.7
+            version: stable-v2.19.4
          - os: ubuntu-latest
            version: stable-v2.20.7
          - os: macos-latest
-            version: stable-v2.21.4
+            version: stable-v2.20.7
          - os: ubuntu-latest
            version: stable-v2.21.4
          - os: macos-latest
-            version: stable-v2.22.4
+            version: stable-v2.21.4
          - os: ubuntu-latest
            version: stable-v2.22.4
          - os: macos-latest
-            version: default
+            version: stable-v2.22.4
          - os: ubuntu-latest
            version: default
          - os: macos-latest
-            version: linked
+            version: default
          - os: ubuntu-latest
            version: linked
          - os: macos-latest
+            version: linked
+          - os: ubuntu-latest
            version: nightly-latest
-          - os: ubuntu-latest
+          - os: macos-latest
            version: nightly-latest
    name: Multi-language repository
    if: github.triggering_actor != 'dependabot[bot]'
@@ -115,6 +105,15 @@ jobs:
    steps:
      - name: Check out repository
        uses: actions/checkout@v6
+      - name: Install .NET
+        uses: actions/setup-dotnet@v5
+        with:
+          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
+      - name: Install Go
+        uses: actions/setup-go@v6
+        with:
+          go-version: ${{ inputs.go-version || '>=1.21.0' }}
+          cache: false
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -122,20 +121,14 @@ jobs:
          version: ${{ matrix.version }}
          use-all-platform-bundle: 'false'
          setup-kotlin: 'true'
-      - name: Install Go
-        uses: actions/setup-go@v6
-        with:
-          go-version: ${{ inputs.go-version || '>=1.21.0' }}
-          cache: false
-      - name: Install Python
-        if: matrix.version != 'nightly-latest'
+      - name: Install Python 3.13 for older CLI versions
+        # We need Python 3.13 for older CLI versions because they are not compatible with Python 3.14 or newer.
+        # See https://github.com/github/codeql-action/pull/3212
+        if: matrix.version != 'nightly-latest' && matrix.version != 'linked'
        uses: actions/setup-python@v6
        with:
-          python-version: ${{ inputs.python-version || '3.13' }}
-      - name: Install .NET
-        uses: actions/setup-dotnet@v5
-        with:
-          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
+          python-version: '3.13'
+
      - name: Use Xcode 16
        if: runner.os == 'macOS' && matrix.version != 'nightly-latest'
        run: sudo xcode-select -s "/Applications/Xcode_16.app"
@@ -25,44 +25,34 @@ on:
    - cron: '0 5 * * *'
  workflow_dispatch:
    inputs:
-      go-version:
-        type: string
-        description: The version of Go to install
-        required: false
-        default: '>=1.21.0'
-      python-version:
-        type: string
-        description: The version of Python to install
-        required: false
-        default: '3.13'
      dotnet-version:
        type: string
        description: The version of .NET to install
        required: false
        default: 9.x
+      go-version:
+        type: string
+        description: The version of Go to install
+        required: false
+        default: '>=1.21.0'
  workflow_call:
    inputs:
-      go-version:
-        type: string
-        description: The version of Go to install
-        required: false
-        default: '>=1.21.0'
-      python-version:
-        type: string
-        description: The version of Python to install
-        required: false
-        default: '3.13'
      dotnet-version:
        type: string
        description: The version of .NET to install
        required: false
        default: 9.x
+      go-version:
+        type: string
+        description: The version of Go to install
+        required: false
+        default: '>=1.21.0'
 defaults:
  run:
    shell: bash
 concurrency:
  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: packaging-codescanning-config-inputs-js-${{github.ref}}-${{inputs.go-version}}-${{inputs.python-version}}-${{inputs.dotnet-version}}
+  group: packaging-codescanning-config-inputs-js-${{github.ref}}-${{inputs.dotnet-version}}-${{inputs.go-version}}
 jobs:
  packaging-codescanning-config-inputs-js:
    strategy:
@@ -85,6 +75,15 @@ jobs:
    steps:
      - name: Check out repository
        uses: actions/checkout@v6
+      - name: Install .NET
+        uses: actions/setup-dotnet@v5
+        with:
+          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
+      - name: Install Go
+        uses: actions/setup-go@v6
+        with:
+          go-version: ${{ inputs.go-version || '>=1.21.0' }}
+          cache: false
      - name: Install Node.js
        uses: actions/setup-node@v6
        with:
@@ -99,20 +98,6 @@ jobs:
          version: ${{ matrix.version }}
          use-all-platform-bundle: 'false'
          setup-kotlin: 'true'
-      - name: Install Go
-        uses: actions/setup-go@v6
-        with:
-          go-version: ${{ inputs.go-version || '>=1.21.0' }}
-          cache: false
-      - name: Install Python
-        if: matrix.version != 'nightly-latest'
-        uses: actions/setup-python@v6
-        with:
-          python-version: ${{ inputs.python-version || '3.13' }}
-      - name: Install .NET
-        uses: actions/setup-dotnet@v5
-        with:
-          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - uses: ./../action/init
        with:
          config-file: '.github/codeql/codeql-config-packaging3.yml'
@@ -25,34 +25,34 @@ on:
    - cron: '0 5 * * *'
  workflow_dispatch:
    inputs:
-      go-version:
-        type: string
-        description: The version of Go to install
-        required: false
-        default: '>=1.21.0'
      dotnet-version:
        type: string
        description: The version of .NET to install
        required: false
        default: 9.x
+      go-version:
+        type: string
+        description: The version of Go to install
+        required: false
+        default: '>=1.21.0'
  workflow_call:
    inputs:
-      go-version:
-        type: string
-        description: The version of Go to install
-        required: false
-        default: '>=1.21.0'
      dotnet-version:
        type: string
        description: The version of .NET to install
        required: false
        default: 9.x
+      go-version:
+        type: string
+        description: The version of Go to install
+        required: false
+        default: '>=1.21.0'
 defaults:
  run:
    shell: bash
 concurrency:
  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: packaging-config-inputs-js-${{github.ref}}-${{inputs.go-version}}-${{inputs.dotnet-version}}
+  group: packaging-config-inputs-js-${{github.ref}}-${{inputs.dotnet-version}}-${{inputs.go-version}}
 jobs:
  packaging-config-inputs-js:
    strategy:
@@ -75,6 +75,15 @@ jobs:
    steps:
      - name: Check out repository
        uses: actions/checkout@v6
+      - name: Install .NET
+        uses: actions/setup-dotnet@v5
+        with:
+          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
+      - name: Install Go
+        uses: actions/setup-go@v6
+        with:
+          go-version: ${{ inputs.go-version || '>=1.21.0' }}
+          cache: false
      - name: Install Node.js
        uses: actions/setup-node@v6
        with:
@@ -89,15 +98,6 @@ jobs:
          version: ${{ matrix.version }}
          use-all-platform-bundle: 'false'
          setup-kotlin: 'true'
-      - name: Install Go
-        uses: actions/setup-go@v6
-        with:
-          go-version: ${{ inputs.go-version || '>=1.21.0' }}
-          cache: false
-      - name: Install .NET
-        uses: actions/setup-dotnet@v5
-        with:
-          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - uses: ./../action/init
        with:
          config-file: '.github/codeql/codeql-config-packaging3.yml'
@@ -25,34 +25,34 @@ on:
    - cron: '0 5 * * *'
  workflow_dispatch:
    inputs:
-      go-version:
-        type: string
-        description: The version of Go to install
-        required: false
-        default: '>=1.21.0'
      dotnet-version:
        type: string
        description: The version of .NET to install
        required: false
        default: 9.x
+      go-version:
+        type: string
+        description: The version of Go to install
+        required: false
+        default: '>=1.21.0'
  workflow_call:
    inputs:
-      go-version:
-        type: string
-        description: The version of Go to install
-        required: false
-        default: '>=1.21.0'
      dotnet-version:
        type: string
        description: The version of .NET to install
        required: false
        default: 9.x
+      go-version:
+        type: string
+        description: The version of Go to install
+        required: false
+        default: '>=1.21.0'
 defaults:
  run:
    shell: bash
 concurrency:
  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: packaging-config-js-${{github.ref}}-${{inputs.go-version}}-${{inputs.dotnet-version}}
+  group: packaging-config-js-${{github.ref}}-${{inputs.dotnet-version}}-${{inputs.go-version}}
 jobs:
  packaging-config-js:
    strategy:
@@ -75,6 +75,15 @@ jobs:
    steps:
      - name: Check out repository
        uses: actions/checkout@v6
+      - name: Install .NET
+        uses: actions/setup-dotnet@v5
+        with:
+          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
+      - name: Install Go
+        uses: actions/setup-go@v6
+        with:
+          go-version: ${{ inputs.go-version || '>=1.21.0' }}
+          cache: false
      - name: Install Node.js
        uses: actions/setup-node@v6
        with:
@@ -89,15 +98,6 @@ jobs:
          version: ${{ matrix.version }}
          use-all-platform-bundle: 'false'
          setup-kotlin: 'true'
-      - name: Install Go
-        uses: actions/setup-go@v6
-        with:
-          go-version: ${{ inputs.go-version || '>=1.21.0' }}
-          cache: false
-      - name: Install .NET
-        uses: actions/setup-dotnet@v5
-        with:
-          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - uses: ./../action/init
        with:
          config-file: '.github/codeql/codeql-config-packaging.yml'
@@ -25,34 +25,34 @@ on:
    - cron: '0 5 * * *'
  workflow_dispatch:
    inputs:
-      go-version:
-        type: string
-        description: The version of Go to install
-        required: false
-        default: '>=1.21.0'
      dotnet-version:
        type: string
        description: The version of .NET to install
        required: false
        default: 9.x
+      go-version:
+        type: string
+        description: The version of Go to install
+        required: false
+        default: '>=1.21.0'
  workflow_call:
    inputs:
-      go-version:
-        type: string
-        description: The version of Go to install
-        required: false
-        default: '>=1.21.0'
      dotnet-version:
        type: string
        description: The version of .NET to install
        required: false
        default: 9.x
+      go-version:
+        type: string
+        description: The version of Go to install
+        required: false
+        default: '>=1.21.0'
 defaults:
  run:
    shell: bash
 concurrency:
  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: packaging-inputs-js-${{github.ref}}-${{inputs.go-version}}-${{inputs.dotnet-version}}
+  group: packaging-inputs-js-${{github.ref}}-${{inputs.dotnet-version}}-${{inputs.go-version}}
 jobs:
  packaging-inputs-js:
    strategy:
@@ -75,6 +75,15 @@ jobs:
    steps:
      - name: Check out repository
        uses: actions/checkout@v6
+      - name: Install .NET
+        uses: actions/setup-dotnet@v5
+        with:
+          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
+      - name: Install Go
+        uses: actions/setup-go@v6
+        with:
+          go-version: ${{ inputs.go-version || '>=1.21.0' }}
+          cache: false
      - name: Install Node.js
        uses: actions/setup-node@v6
        with:
@@ -89,15 +98,6 @@ jobs:
          version: ${{ matrix.version }}
          use-all-platform-bundle: 'false'
          setup-kotlin: 'true'
-      - name: Install Go
-        uses: actions/setup-go@v6
-        with:
-          go-version: ${{ inputs.go-version || '>=1.21.0' }}
-          cache: false
-      - name: Install .NET
-        uses: actions/setup-dotnet@v5
-        with:
-          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - uses: ./../action/init
        with:
          config-file: '.github/codeql/codeql-config-packaging2.yml'
@@ -25,44 +25,34 @@ on:
    - cron: '0 5 * * *'
  workflow_dispatch:
    inputs:
-      go-version:
-        type: string
-        description: The version of Go to install
-        required: false
-        default: '>=1.21.0'
-      python-version:
-        type: string
-        description: The version of Python to install
-        required: false
-        default: '3.13'
      dotnet-version:
        type: string
        description: The version of .NET to install
        required: false
        default: 9.x
+      go-version:
+        type: string
+        description: The version of Go to install
+        required: false
+        default: '>=1.21.0'
  workflow_call:
    inputs:
-      go-version:
-        type: string
-        description: The version of Go to install
-        required: false
-        default: '>=1.21.0'
-      python-version:
-        type: string
-        description: The version of Python to install
-        required: false
-        default: '3.13'
      dotnet-version:
        type: string
        description: The version of .NET to install
        required: false
        default: 9.x
+      go-version:
+        type: string
+        description: The version of Go to install
+        required: false
+        default: '>=1.21.0'
 defaults:
  run:
    shell: bash
 concurrency:
  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: remote-config-${{github.ref}}-${{inputs.go-version}}-${{inputs.python-version}}-${{inputs.dotnet-version}}
+  group: remote-config-${{github.ref}}-${{inputs.dotnet-version}}-${{inputs.go-version}}
 jobs:
  remote-config:
    strategy:
@@ -83,6 +73,15 @@ jobs:
    steps:
      - name: Check out repository
        uses: actions/checkout@v6
+      - name: Install .NET
+        uses: actions/setup-dotnet@v5
+        with:
+          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
+      - name: Install Go
+        uses: actions/setup-go@v6
+        with:
+          go-version: ${{ inputs.go-version || '>=1.21.0' }}
+          cache: false
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -90,20 +89,6 @@ jobs:
          version: ${{ matrix.version }}
          use-all-platform-bundle: 'false'
          setup-kotlin: 'true'
-      - name: Install Go
-        uses: actions/setup-go@v6
-        with:
-          go-version: ${{ inputs.go-version || '>=1.21.0' }}
-          cache: false
-      - name: Install Python
-        if: matrix.version != 'nightly-latest'
-        uses: actions/setup-python@v6
-        with:
-          python-version: ${{ inputs.python-version || '3.13' }}
-      - name: Install .NET
-        uses: actions/setup-dotnet@v5
-        with:
-          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - uses: ./../action/init
        with:
          tools: ${{ steps.prepare-test.outputs.tools-url }}
@@ -39,10 +39,10 @@ jobs:
      fail-fast: false
      matrix:
        include:
-          - os: ubuntu-latest
-            version: default
          - os: ubuntu-latest
            version: linked
+          - os: ubuntu-latest
+            version: default
          - os: ubuntu-latest
            version: nightly-latest
    name: Resolve environment
@@ -0,0 +1,94 @@
+# Warning: This file is generated automatically, and should not be modified.
+# Instead, please modify the template in the pr-checks directory and run:
+#     pr-checks/sync.sh
+# to regenerate this file.
+
+name: PR Check - Risk Assessment analysis failure uploads SARIF artifact
+env:
+  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+  GO111MODULE: auto
+on:
+  push:
+    branches:
+      - main
+      - releases/v*
+  pull_request:
+    types:
+      - opened
+      - synchronize
+      - reopened
+      - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
+  schedule:
+    - cron: '0 5 * * *'
+  workflow_dispatch:
+    inputs: {}
+  workflow_call:
+    inputs: {}
+defaults:
+  run:
+    shell: bash
+concurrency:
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group: risk-assessment-failure-${{github.ref}}
+jobs:
+  risk-assessment-failure:
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - os: ubuntu-latest
+            version: default
+    name: Risk Assessment analysis failure uploads SARIF artifact
+    if: github.triggering_actor != 'dependabot[bot]'
+    permissions:
+      contents: read
+      security-events: write
+    timeout-minutes: 45
+    runs-on: ${{ matrix.os }}
+    steps:
+      - name: Check out repository
+        uses: actions/checkout@v6
+      - name: Prepare test
+        id: prepare-test
+        uses: ./.github/actions/prepare-test
+        with:
+          version: ${{ matrix.version }}
+          use-all-platform-bundle: 'false'
+          setup-kotlin: 'true'
+      - name: Initialise CodeQL
+        uses: ./../action/init
+        id: init
+        with:
+          tools: ${{ steps.prepare-test.outputs.tools-url }}
+          languages: javascript
+          analysis-kinds: risk-assessment
+
+      - name: Fail
+        run: exit 1
+    env:
+      CODEQL_ACTION_TEST_MODE: true
+  artifact-present:
+    name: Check artifact
+    if: github.triggering_actor != 'dependabot[bot]'
+    needs:
+      - risk-assessment-failure
+    permissions:
+      contents: read
+      security-events: read
+    timeout-minutes: 5
+    runs-on: ubuntu-slim
+    steps:
+      - name: Download artifact
+        uses: actions/download-artifact@v7
+        with:
+          pattern: sarif-artifact-*
+          path: ${{ runner.temp }}/results
+          merge-multiple: true
+      - name: List contents
+        run: |
+          ls -lr
+    env:
+      CODEQL_ACTION_TEST_MODE: true
@@ -25,34 +25,34 @@ on:
    - cron: '0 5 * * *'
  workflow_dispatch:
    inputs:
-      go-version:
-        type: string
-        description: The version of Go to install
-        required: false
-        default: '>=1.21.0'
      dotnet-version:
        type: string
        description: The version of .NET to install
        required: false
        default: 9.x
+      go-version:
+        type: string
+        description: The version of Go to install
+        required: false
+        default: '>=1.21.0'
  workflow_call:
    inputs:
-      go-version:
-        type: string
-        description: The version of Go to install
-        required: false
-        default: '>=1.21.0'
      dotnet-version:
        type: string
        description: The version of .NET to install
        required: false
        default: 9.x
+      go-version:
+        type: string
+        description: The version of Go to install
+        required: false
+        default: '>=1.21.0'
 defaults:
  run:
    shell: bash
 concurrency:
  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: split-workflow-${{github.ref}}-${{inputs.go-version}}-${{inputs.dotnet-version}}
+  group: split-workflow-${{github.ref}}-${{inputs.dotnet-version}}-${{inputs.go-version}}
 jobs:
  split-workflow:
    strategy:
@@ -81,6 +81,15 @@ jobs:
    steps:
      - name: Check out repository
        uses: actions/checkout@v6
+      - name: Install .NET
+        uses: actions/setup-dotnet@v5
+        with:
+          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
+      - name: Install Go
+        uses: actions/setup-go@v6
+        with:
+          go-version: ${{ inputs.go-version || '>=1.21.0' }}
+          cache: false
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -88,15 +97,6 @@ jobs:
          version: ${{ matrix.version }}
          use-all-platform-bundle: 'false'
          setup-kotlin: 'true'
-      - name: Install Go
-        uses: actions/setup-go@v6
-        with:
-          go-version: ${{ inputs.go-version || '>=1.21.0' }}
-          cache: false
-      - name: Install .NET
-        uses: actions/setup-dotnet@v5
-        with:
-          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - uses: ./../action/init
        with:
          config-file: '.github/codeql/codeql-config-packaging3.yml'
@@ -25,34 +25,34 @@ on:
    - cron: '0 5 * * *'
  workflow_dispatch:
    inputs:
-      go-version:
-        type: string
-        description: The version of Go to install
-        required: false
-        default: '>=1.21.0'
      dotnet-version:
        type: string
        description: The version of .NET to install
        required: false
        default: 9.x
+      go-version:
+        type: string
+        description: The version of Go to install
+        required: false
+        default: '>=1.21.0'
  workflow_call:
    inputs:
-      go-version:
-        type: string
-        description: The version of Go to install
-        required: false
-        default: '>=1.21.0'
      dotnet-version:
        type: string
        description: The version of .NET to install
        required: false
        default: 9.x
+      go-version:
+        type: string
+        description: The version of Go to install
+        required: false
+        default: '>=1.21.0'
 defaults:
  run:
    shell: bash
 concurrency:
  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: swift-custom-build-${{github.ref}}-${{inputs.go-version}}-${{inputs.dotnet-version}}
+  group: swift-custom-build-${{github.ref}}-${{inputs.dotnet-version}}-${{inputs.go-version}}
 jobs:
  swift-custom-build:
    strategy:
@@ -75,6 +75,15 @@ jobs:
    steps:
      - name: Check out repository
        uses: actions/checkout@v6
+      - name: Install .NET
+        uses: actions/setup-dotnet@v5
+        with:
+          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
+      - name: Install Go
+        uses: actions/setup-go@v6
+        with:
+          go-version: ${{ inputs.go-version || '>=1.21.0' }}
+          cache: false
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -82,15 +91,6 @@ jobs:
          version: ${{ matrix.version }}
          use-all-platform-bundle: 'false'
          setup-kotlin: 'true'
-      - name: Install Go
-        uses: actions/setup-go@v6
-        with:
-          go-version: ${{ inputs.go-version || '>=1.21.0' }}
-          cache: false
-      - name: Install .NET
-        uses: actions/setup-dotnet@v5
-        with:
-          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - name: Use Xcode 16
        if: runner.os == 'macOS' && matrix.version != 'nightly-latest'
        run: sudo xcode-select -s "/Applications/Xcode_16.app"
@@ -25,44 +25,34 @@ on:
    - cron: '0 5 * * *'
  workflow_dispatch:
    inputs:
-      go-version:
-        type: string
-        description: The version of Go to install
-        required: false
-        default: '>=1.21.0'
-      python-version:
-        type: string
-        description: The version of Python to install
-        required: false
-        default: '3.13'
      dotnet-version:
        type: string
        description: The version of .NET to install
        required: false
        default: 9.x
+      go-version:
+        type: string
+        description: The version of Go to install
+        required: false
+        default: '>=1.21.0'
  workflow_call:
    inputs:
-      go-version:
-        type: string
-        description: The version of Go to install
-        required: false
-        default: '>=1.21.0'
-      python-version:
-        type: string
-        description: The version of Python to install
-        required: false
-        default: '3.13'
      dotnet-version:
        type: string
        description: The version of .NET to install
        required: false
        default: 9.x
+      go-version:
+        type: string
+        description: The version of Go to install
+        required: false
+        default: '>=1.21.0'
 defaults:
  run:
    shell: bash
 concurrency:
  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: unset-environment-${{github.ref}}-${{inputs.go-version}}-${{inputs.python-version}}-${{inputs.dotnet-version}}
+  group: unset-environment-${{github.ref}}-${{inputs.dotnet-version}}-${{inputs.go-version}}
 jobs:
  unset-environment:
    strategy:
@@ -83,6 +73,15 @@ jobs:
    steps:
      - name: Check out repository
        uses: actions/checkout@v6
+      - name: Install .NET
+        uses: actions/setup-dotnet@v5
+        with:
+          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
+      - name: Install Go
+        uses: actions/setup-go@v6
+        with:
+          go-version: ${{ inputs.go-version || '>=1.21.0' }}
+          cache: false
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -90,20 +89,6 @@ jobs:
          version: ${{ matrix.version }}
          use-all-platform-bundle: 'false'
          setup-kotlin: 'true'
-      - name: Install Go
-        uses: actions/setup-go@v6
-        with:
-          go-version: ${{ inputs.go-version || '>=1.21.0' }}
-          cache: false
-      - name: Install Python
-        if: matrix.version != 'nightly-latest'
-        uses: actions/setup-python@v6
-        with:
-          python-version: ${{ inputs.python-version || '3.13' }}
-      - name: Install .NET
-        uses: actions/setup-dotnet@v5
-        with:
-          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - uses: ./../action/init
        id: init
        with:
@@ -25,44 +25,34 @@ on:
    - cron: '0 5 * * *'
  workflow_dispatch:
    inputs:
-      go-version:
-        type: string
-        description: The version of Go to install
-        required: false
-        default: '>=1.21.0'
-      python-version:
-        type: string
-        description: The version of Python to install
-        required: false
-        default: '3.13'
      dotnet-version:
        type: string
        description: The version of .NET to install
        required: false
        default: 9.x
+      go-version:
+        type: string
+        description: The version of Go to install
+        required: false
+        default: '>=1.21.0'
  workflow_call:
    inputs:
-      go-version:
-        type: string
-        description: The version of Go to install
-        required: false
-        default: '>=1.21.0'
-      python-version:
-        type: string
-        description: The version of Python to install
-        required: false
-        default: '3.13'
      dotnet-version:
        type: string
        description: The version of .NET to install
        required: false
        default: 9.x
+      go-version:
+        type: string
+        description: The version of Go to install
+        required: false
+        default: '>=1.21.0'
 defaults:
  run:
    shell: bash
 concurrency:
  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: upload-ref-sha-input-${{github.ref}}-${{inputs.go-version}}-${{inputs.python-version}}-${{inputs.dotnet-version}}
+  group: upload-ref-sha-input-${{github.ref}}-${{inputs.dotnet-version}}-${{inputs.go-version}}
 jobs:
  upload-ref-sha-input:
    strategy:
@@ -81,6 +71,15 @@ jobs:
    steps:
      - name: Check out repository
        uses: actions/checkout@v6
+      - name: Install .NET
+        uses: actions/setup-dotnet@v5
+        with:
+          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
+      - name: Install Go
+        uses: actions/setup-go@v6
+        with:
+          go-version: ${{ inputs.go-version || '>=1.21.0' }}
+          cache: false
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -88,20 +87,6 @@ jobs:
          version: ${{ matrix.version }}
          use-all-platform-bundle: 'false'
          setup-kotlin: 'true'
-      - name: Install Go
-        uses: actions/setup-go@v6
-        with:
-          go-version: ${{ inputs.go-version || '>=1.21.0' }}
-          cache: false
-      - name: Install Python
-        if: matrix.version != 'nightly-latest'
-        uses: actions/setup-python@v6
-        with:
-          python-version: ${{ inputs.python-version || '3.13' }}
-      - name: Install .NET
-        uses: actions/setup-dotnet@v5
-        with:
-          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - uses: ./../action/init
        with:
          tools: ${{ steps.prepare-test.outputs.tools-url }}
@@ -25,44 +25,34 @@ on:
    - cron: '0 5 * * *'
  workflow_dispatch:
    inputs:
-      go-version:
-        type: string
-        description: The version of Go to install
-        required: false
-        default: '>=1.21.0'
-      python-version:
-        type: string
-        description: The version of Python to install
-        required: false
-        default: '3.13'
      dotnet-version:
        type: string
        description: The version of .NET to install
        required: false
        default: 9.x
+      go-version:
+        type: string
+        description: The version of Go to install
+        required: false
+        default: '>=1.21.0'
  workflow_call:
    inputs:
-      go-version:
-        type: string
-        description: The version of Go to install
-        required: false
-        default: '>=1.21.0'
-      python-version:
-        type: string
-        description: The version of Python to install
-        required: false
-        default: '3.13'
      dotnet-version:
        type: string
        description: The version of .NET to install
        required: false
        default: 9.x
+      go-version:
+        type: string
+        description: The version of Go to install
+        required: false
+        default: '>=1.21.0'
 defaults:
  run:
    shell: bash
 concurrency:
  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: upload-sarif-${{github.ref}}-${{inputs.go-version}}-${{inputs.python-version}}-${{inputs.dotnet-version}}
+  group: upload-sarif-${{github.ref}}-${{inputs.dotnet-version}}-${{inputs.go-version}}
 jobs:
  upload-sarif:
    strategy:
@@ -88,6 +78,15 @@ jobs:
    steps:
      - name: Check out repository
        uses: actions/checkout@v6
+      - name: Install .NET
+        uses: actions/setup-dotnet@v5
+        with:
+          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
+      - name: Install Go
+        uses: actions/setup-go@v6
+        with:
+          go-version: ${{ inputs.go-version || '>=1.21.0' }}
+          cache: false
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -95,20 +94,6 @@ jobs:
          version: ${{ matrix.version }}
          use-all-platform-bundle: 'false'
          setup-kotlin: 'true'
-      - name: Install Go
-        uses: actions/setup-go@v6
-        with:
-          go-version: ${{ inputs.go-version || '>=1.21.0' }}
-          cache: false
-      - name: Install Python
-        if: matrix.version != 'nightly-latest'
-        uses: actions/setup-python@v6
-        with:
-          python-version: ${{ inputs.python-version || '3.13' }}
-      - name: Install .NET
-        uses: actions/setup-dotnet@v5
-        with:
-          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - uses: ./../action/init
        with:
          tools: ${{ steps.prepare-test.outputs.tools-url }}
@@ -25,44 +25,34 @@ on:
    - cron: '0 5 * * *'
  workflow_dispatch:
    inputs:
-      go-version:
-        type: string
-        description: The version of Go to install
-        required: false
-        default: '>=1.21.0'
-      python-version:
-        type: string
-        description: The version of Python to install
-        required: false
-        default: '3.13'
      dotnet-version:
        type: string
        description: The version of .NET to install
        required: false
        default: 9.x
+      go-version:
+        type: string
+        description: The version of Go to install
+        required: false
+        default: '>=1.21.0'
  workflow_call:
    inputs:
-      go-version:
-        type: string
-        description: The version of Go to install
-        required: false
-        default: '>=1.21.0'
-      python-version:
-        type: string
-        description: The version of Python to install
-        required: false
-        default: '3.13'
      dotnet-version:
        type: string
        description: The version of .NET to install
        required: false
        default: 9.x
+      go-version:
+        type: string
+        description: The version of Go to install
+        required: false
+        default: '>=1.21.0'
 defaults:
  run:
    shell: bash
 concurrency:
  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: with-checkout-path-${{github.ref}}-${{inputs.go-version}}-${{inputs.python-version}}-${{inputs.dotnet-version}}
+  group: with-checkout-path-${{github.ref}}-${{inputs.dotnet-version}}-${{inputs.go-version}}
 jobs:
  with-checkout-path:
    strategy:
@@ -82,6 +72,15 @@ jobs:
      # This ensures we don't accidentally use the original checkout for any part of the test.
      - name: Check out repository
        uses: actions/checkout@v6
+      - name: Install .NET
+        uses: actions/setup-dotnet@v5
+        with:
+          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
+      - name: Install Go
+        uses: actions/setup-go@v6
+        with:
+          go-version: ${{ inputs.go-version || '>=1.21.0' }}
+          cache: false
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -89,20 +88,6 @@ jobs:
          version: ${{ matrix.version }}
          use-all-platform-bundle: 'false'
          setup-kotlin: 'true'
-      - name: Install Go
-        uses: actions/setup-go@v6
-        with:
-          go-version: ${{ inputs.go-version || '>=1.21.0' }}
-          cache: false
-      - name: Install Python
-        if: matrix.version != 'nightly-latest'
-        uses: actions/setup-python@v6
-        with:
-          python-version: ${{ inputs.python-version || '3.13' }}
-      - name: Install .NET
-        uses: actions/setup-dotnet@v5
-        with:
-          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - name: Delete original checkout
        run: |
          # delete the original checkout so we don't accidentally use it.
@@ -89,7 +89,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Download all artifacts
-        uses: actions/download-artifact@v7
+        uses: actions/download-artifact@v8
      - name: Check expected artifacts exist
        run: |
          LANGUAGES="cpp csharp go java javascript python"
@@ -83,7 +83,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Download all artifacts
-        uses: actions/download-artifact@v7
+        uses: actions/download-artifact@v8
      - name: Check expected artifacts exist
        run: |
          VERSIONS="stable-v2.20.3 default linked nightly-latest"
@@ -52,19 +52,10 @@ jobs:
      - name: Verify compiled JS up to date
        run: .github/workflows/script/check-js.sh

-      - name: Verify PR checks up to date
-        if: always()
-        run: .github/workflows/script/verify-pr-checks.sh
-
      - name: Run unit tests
        if: always()
        run: npm test

-      - name: Run pr-checks tests
-        if: always()
-        working-directory: pr-checks
-        run: npm ci && npx tsx --test
-
      - name: Lint
        if: always() && matrix.os != 'windows-latest'
        run: npm run lint-ci
@@ -76,6 +67,40 @@ jobs:
          sarif_file: eslint.sarif
          category: eslint

+  # Verifying the PR checks are up-to-date requires Node 24. The PR checks are not dependent
+  # on the main codebase and therefore do not need to be run as part of the same matrix that
+  # we use for the `unit-tests` job.
+  verify-pr-checks:
+    name: Verify PR checks
+    if: github.triggering_actor != 'dependabot[bot]'
+    permissions:
+      contents: read
+    runs-on: ubuntu-slim
+    timeout-minutes: 10
+
+    steps:
+      - name: Prepare git (Windows)
+        if: runner.os == 'Windows'
+        run: git config --global core.autocrlf false
+
+      - name: Checkout repository
+        uses: actions/checkout@v6
+
+      - name: Set up Node.js
+        uses: actions/setup-node@v6
+        with:
+          node-version: 24
+          cache: 'npm'
+
+      - name: Verify PR checks up to date
+        if: always()
+        run: .github/workflows/script/verify-pr-checks.sh
+
+      - name: Run pr-checks tests
+        if: always()
+        working-directory: pr-checks
+        run: npm ci && npx tsx --test
+
  check-node-version:
    if: github.triggering_actor != 'dependabot[bot]'
    name: Check Action Node versions
@@ -29,6 +29,15 @@ jobs:
          fetch-depth: 0
          ref: ${{ env.HEAD_REF }}

+      - name: Set up Node.js
+        uses: actions/setup-node@v6
+        with:
+          node-version: 24
+          cache: 'npm'
+          cache-dependency-path: |
+            package-lock.json
+            pr-checks/package-lock.json
+
      - name: Remove label
        if: github.event_name == 'pull_request'
        env:
@@ -49,9 +58,18 @@ jobs:
          git fetch origin "$BASE_BRANCH"

          # Allow merge conflicts in `lib`, since rebuilding should resolve them.
-          git merge "origin/$BASE_BRANCH" || echo "Merge conflicts detected, continuing."
+          git merge "origin/$BASE_BRANCH"
          MERGE_RESULT=$?

+          if [ "$MERGE_RESULT" -eq 0 ]; then
+            echo "Merge succeeded cleanly."
+          elif [ "$MERGE_RESULT" -eq 1 ]; then
+            echo "Merge conflicts detected (exit code $MERGE_RESULT), continuing."
+          else
+            echo "git merge failed with unexpected exit code $MERGE_RESULT."
+            exit 1
+          fi
+
          if [ "$MERGE_RESULT" -ne 0 ]; then
            echo "merge-in-progress=true" >> $GITHUB_OUTPUT

@@ -104,7 +122,7 @@ jobs:
            # Otherwise, just commit the changes.
            if git rev-parse --verify MERGE_HEAD >/dev/null 2>&1; then
              echo "In progress merge detected, finishing it up."
-              git merge --continue --no-edit
+              git commit --no-edit
            else
              echo "No in-progress merge detected, committing changes."
              git commit -m "Rebuild"
@@ -4,7 +4,19 @@ See the [releases page](https://github.com/github/codeql-action/releases) for th

 ## [UNRELEASED]

-No user facing changes.
+- Upcoming change: Starting April 2026, the CodeQL Action will skip collecting file coverage information on pull requests to improve analysis performance. File coverage information will still be computed on non-PR analyses. Pull request analyses will log a warning about this upcoming change. [#3562](https://github.com/github/codeql-action/pull/3562)
+
+  To opt out of this change:
+  - **Repositories owned by an organization:** Create a custom repository property with the name `github-codeql-file-coverage-on-prs` and the type "True/false", then set this property to `true` in the repository's settings. For more information, see [Managing custom properties for repositories in your organization](https://docs.github.com/en/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization). Alternatively, if you are using an advanced setup workflow, you can set the `CODEQL_ACTION_FILE_COVERAGE_ON_PRS` environment variable to `true` in your workflow.
+  - **User-owned repositories using default setup:** Switch to an advanced setup workflow and set the `CODEQL_ACTION_FILE_COVERAGE_ON_PRS` environment variable to `true` in your workflow.
+  - **User-owned repositories using advanced setup:** Set the `CODEQL_ACTION_FILE_COVERAGE_ON_PRS` environment variable to `true` in your workflow.
+- Fixed [a bug](https://github.com/github/codeql-action/issues/3555) which caused the CodeQL Action to fail loading repository properties if a "Multi select" repository property was configured for the repository. [#3557](https://github.com/github/codeql-action/pull/3557)
+- The CodeQL Action now loads [custom repository properties](https://docs.github.com/en/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization) on GitHub Enterprise Server, enabling the customization of features such as `github-codeql-disable-overlay` that was previously only available on GitHub.com. [#3559](https://github.com/github/codeql-action/pull/3559)
+- Fixed the retry mechanism for database uploads. Previously this would fail with the error "Response body object should not be disturbed or locked". [#3564](https://github.com/github/codeql-action/pull/3564)
+
+## 4.32.6 - 05 Mar 2026
+
+- Update default CodeQL bundle version to [2.24.3](https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.24.3). [#3548](https://github.com/github/codeql-action/pull/3548)

 ## 4.32.5 - 02 Mar 2026

@@ -161,6 +161,7 @@ export default [
      "@typescript-eslint/no-unused-vars": [
        "error",
        {
+          "args": "all",
          "argsIgnorePattern": "^_",
        }
      ],
@@ -45986,7 +45986,7 @@ var require_package = __commonJS({
  "package.json"(exports2, module2) {
    module2.exports = {
      name: "codeql",
-      version: "4.32.6",
+      version: "4.32.7",
      private: true,
      description: "CodeQL action",
      scripts: {
@@ -46047,20 +46047,20 @@ var require_package = __commonJS({
        "@types/sarif": "^2.1.7",
        "@types/semver": "^7.7.1",
        "@types/sinon": "^21.0.0",
-        ava: "^6.4.1",
+        ava: "^7.0.0",
        esbuild: "^0.27.3",
        eslint: "^9.39.2",
        "eslint-import-resolver-typescript": "^3.8.7",
        "eslint-plugin-github": "^6.0.0",
        "eslint-plugin-import-x": "^4.16.1",
-        "eslint-plugin-jsdoc": "^62.6.0",
+        "eslint-plugin-jsdoc": "^62.7.1",
        "eslint-plugin-no-async-foreach": "^0.1.1",
        glob: "^11.1.0",
-        globals: "^17.3.0",
+        globals: "^17.4.0",
        nock: "^14.0.11",
-        sinon: "^21.0.1",
+        sinon: "^21.0.2",
        typescript: "^5.9.3",
-        "typescript-eslint": "^8.56.0"
+        "typescript-eslint": "^8.56.1"
      },
      overrides: {
        "@actions/tool-cache": {
@@ -161404,6 +161404,7 @@ retry.VERSION = VERSION7;

 // src/api-client.ts
 var GITHUB_ENTERPRISE_VERSION_HEADER = "x-github-enterprise-version";
+var DO_NOT_RETRY_STATUSES = [400, 410, 422, 451];
 function createApiClientWithDetails(apiDetails, { allowExternal = false } = {}) {
  const auth2 = allowExternal && apiDetails.externalRepoAuth || apiDetails.auth;
  const retryingOctokit = githubUtils.GitHub.plugin(retry);
@@ -161418,10 +161419,7 @@ function createApiClientWithDetails(apiDetails, { allowExternal = false } = {})
        error: core5.error
      },
      retry: {
-        // The default is 400, 401, 403, 404, 410, 422, and 451. We have observed transient errors
-        // with authentication, so we remove 401, 403, and 404 from the default list to ensure that
-        // these errors are retried.
-        doNotRetry: [400, 410, 422, 451]
+        doNotRetry: DO_NOT_RETRY_STATUSES
      }
    })
  );
@@ -161733,6 +161731,7 @@ var semver2 = __toESM(require_semver2());
 var RepositoryPropertyName = /* @__PURE__ */ ((RepositoryPropertyName2) => {
  RepositoryPropertyName2["DISABLE_OVERLAY"] = "github-codeql-disable-overlay";
  RepositoryPropertyName2["EXTRA_QUERIES"] = "github-codeql-extra-queries";
+  RepositoryPropertyName2["FILE_COVERAGE_ON_PRS"] = "github-codeql-file-coverage-on-prs";
  return RepositoryPropertyName2;
 })(RepositoryPropertyName || {});
 var KNOWN_REPOSITORY_PROPERTY_NAMES = new Set(
@@ -161944,6 +161943,12 @@ async function isAnalyzingDefaultBranch() {

 // src/overlay/index.ts
 var CODEQL_OVERLAY_MINIMUM_VERSION = "2.23.8";
+var CODEQL_OVERLAY_MINIMUM_VERSION_CSHARP = "2.24.1";
+var CODEQL_OVERLAY_MINIMUM_VERSION_GO = "2.24.2";
+var CODEQL_OVERLAY_MINIMUM_VERSION_JAVA = "2.23.8";
+var CODEQL_OVERLAY_MINIMUM_VERSION_JAVASCRIPT = "2.23.9";
+var CODEQL_OVERLAY_MINIMUM_VERSION_PYTHON = "2.23.9";
+var CODEQL_OVERLAY_MINIMUM_VERSION_RUBY = "2.23.9";
 var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB = 7500;
 var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_BYTES = OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB * 1e6;
 async function writeBaseDatabaseOidsFile(config, sourceRoot) {
@@ -162086,70 +162091,48 @@ var featureConfig = {
    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS",
    minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION
  },
-  ["overlay_analysis_actions" /* OverlayAnalysisActions */]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_ACTIONS",
-    minimumVersion: void 0
-  },
-  ["overlay_analysis_code_scanning_actions" /* OverlayAnalysisCodeScanningActions */]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_CODE_SCANNING_ACTIONS",
-    minimumVersion: void 0
-  },
-  ["overlay_analysis_code_scanning_cpp" /* OverlayAnalysisCodeScanningCpp */]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_CODE_SCANNING_CPP",
-    minimumVersion: void 0
-  },
+  // Per-language overlay feature flags. Each has minimumVersion set to the
+  // minimum CLI version that supports overlay analysis for that language.
+  // Only languages that are GA or in staff-ship should have feature flags here.
  ["overlay_analysis_code_scanning_csharp" /* OverlayAnalysisCodeScanningCsharp */]: {
    defaultValue: false,
    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_CODE_SCANNING_CSHARP",
-    minimumVersion: void 0
+    minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_CSHARP
  },
  ["overlay_analysis_code_scanning_go" /* OverlayAnalysisCodeScanningGo */]: {
    defaultValue: false,
    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_CODE_SCANNING_GO",
-    minimumVersion: void 0
+    minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_GO
  },
  ["overlay_analysis_code_scanning_java" /* OverlayAnalysisCodeScanningJava */]: {
    defaultValue: false,
    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_CODE_SCANNING_JAVA",
-    minimumVersion: void 0
+    minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_JAVA
  },
  ["overlay_analysis_code_scanning_javascript" /* OverlayAnalysisCodeScanningJavascript */]: {
    defaultValue: false,
    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_CODE_SCANNING_JAVASCRIPT",
-    minimumVersion: void 0
+    minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_JAVASCRIPT
  },
  ["overlay_analysis_code_scanning_python" /* OverlayAnalysisCodeScanningPython */]: {
    defaultValue: false,
    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_CODE_SCANNING_PYTHON",
-    minimumVersion: void 0
+    minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_PYTHON
  },
  ["overlay_analysis_code_scanning_ruby" /* OverlayAnalysisCodeScanningRuby */]: {
    defaultValue: false,
    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_CODE_SCANNING_RUBY",
-    minimumVersion: void 0
-  },
-  ["overlay_analysis_code_scanning_rust" /* OverlayAnalysisCodeScanningRust */]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_CODE_SCANNING_RUST",
-    minimumVersion: void 0
-  },
-  ["overlay_analysis_code_scanning_swift" /* OverlayAnalysisCodeScanningSwift */]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_CODE_SCANNING_SWIFT",
-    minimumVersion: void 0
-  },
-  ["overlay_analysis_cpp" /* OverlayAnalysisCpp */]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_CPP",
-    minimumVersion: void 0
+    minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_RUBY
  },
  ["overlay_analysis_csharp" /* OverlayAnalysisCsharp */]: {
    defaultValue: false,
    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_CSHARP",
-    minimumVersion: void 0
+    minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_CSHARP
+  },
+  ["overlay_analysis_go" /* OverlayAnalysisGo */]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_GO",
+    minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_GO
  },
  ["overlay_analysis_status_check" /* OverlayAnalysisStatusCheck */]: {
    defaultValue: false,
@@ -162161,25 +162144,20 @@ var featureConfig = {
    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_STATUS_SAVE",
    minimumVersion: void 0
  },
-  ["overlay_analysis_go" /* OverlayAnalysisGo */]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_GO",
-    minimumVersion: void 0
-  },
  ["overlay_analysis_java" /* OverlayAnalysisJava */]: {
    defaultValue: false,
    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_JAVA",
-    minimumVersion: void 0
+    minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_JAVA
  },
  ["overlay_analysis_javascript" /* OverlayAnalysisJavascript */]: {
    defaultValue: false,
    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_JAVASCRIPT",
-    minimumVersion: void 0
+    minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_JAVASCRIPT
  },
  ["overlay_analysis_python" /* OverlayAnalysisPython */]: {
    defaultValue: false,
    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_PYTHON",
-    minimumVersion: void 0
+    minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_PYTHON
  },
  ["overlay_analysis_resource_checks_v2" /* OverlayAnalysisResourceChecksV2 */]: {
    defaultValue: false,
@@ -162189,23 +162167,13 @@ var featureConfig = {
  ["overlay_analysis_ruby" /* OverlayAnalysisRuby */]: {
    defaultValue: false,
    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_RUBY",
-    minimumVersion: void 0
-  },
-  ["overlay_analysis_rust" /* OverlayAnalysisRust */]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_RUST",
-    minimumVersion: void 0
+    minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_RUBY
  },
  ["overlay_analysis_skip_resource_checks" /* OverlayAnalysisSkipResourceChecks */]: {
    defaultValue: false,
    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_SKIP_RESOURCE_CHECKS",
    minimumVersion: void 0
  },
-  ["overlay_analysis_swift" /* OverlayAnalysisSwift */]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_SWIFT",
-    minimumVersion: void 0
-  },
  ["python_default_is_to_not_extract_stdlib" /* PythonDefaultIsToNotExtractStdlib */]: {
    defaultValue: false,
    envVar: "CODEQL_ACTION_DISABLE_PYTHON_STANDARD_LIBRARY_EXTRACTION",
@@ -162221,11 +162189,8 @@ var featureConfig = {
  ["skip_file_coverage_on_prs" /* SkipFileCoverageOnPrs */]: {
    defaultValue: false,
    envVar: "CODEQL_ACTION_SKIP_FILE_COVERAGE_ON_PRS",
-    // For testing, this is not behind a CLI version check yet. However
-    // before rolling this out externally, we should set a minimum version here
-    // since current versions of the CodeQL CLI will log if baseline information
-    // cannot be found when interpreting results.
-    minimumVersion: void 0
+    minimumVersion: void 0,
+    toolsFeature: "suppressesMissingFileBaselineWarning" /* SuppressesMissingFileBaselineWarning */
  },
  ["start_proxy_remove_unused_registries" /* StartProxyRemoveUnusedRegistries */]: {
    defaultValue: false,
@@ -162243,11 +162208,6 @@ var featureConfig = {
    minimumVersion: void 0,
    toolsFeature: "bundleSupportsOverlay" /* BundleSupportsOverlay */
  },
-  ["use_repository_properties_v2" /* UseRepositoryProperties */]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_USE_REPOSITORY_PROPERTIES",
-    minimumVersion: void 0
-  },
  ["validate_db_config" /* ValidateDbConfig */]: {
    defaultValue: false,
    envVar: "CODEQL_ACTION_VALIDATE_DB_CONFIG",
@@ -162268,28 +162228,20 @@ var OVERLAY_MINIMUM_AVAILABLE_DISK_SPACE_V2_MB = 14e3;
 var OVERLAY_MINIMUM_AVAILABLE_DISK_SPACE_V2_BYTES = OVERLAY_MINIMUM_AVAILABLE_DISK_SPACE_V2_MB * 1e6;
 var OVERLAY_MINIMUM_MEMORY_MB = 5 * 1024;
 var OVERLAY_ANALYSIS_FEATURES = {
-  actions: "overlay_analysis_actions" /* OverlayAnalysisActions */,
-  cpp: "overlay_analysis_cpp" /* OverlayAnalysisCpp */,
  csharp: "overlay_analysis_csharp" /* OverlayAnalysisCsharp */,
  go: "overlay_analysis_go" /* OverlayAnalysisGo */,
  java: "overlay_analysis_java" /* OverlayAnalysisJava */,
  javascript: "overlay_analysis_javascript" /* OverlayAnalysisJavascript */,
  python: "overlay_analysis_python" /* OverlayAnalysisPython */,
-  ruby: "overlay_analysis_ruby" /* OverlayAnalysisRuby */,
-  rust: "overlay_analysis_rust" /* OverlayAnalysisRust */,
-  swift: "overlay_analysis_swift" /* OverlayAnalysisSwift */
+  ruby: "overlay_analysis_ruby" /* OverlayAnalysisRuby */
 };
 var OVERLAY_ANALYSIS_CODE_SCANNING_FEATURES = {
-  actions: "overlay_analysis_code_scanning_actions" /* OverlayAnalysisCodeScanningActions */,
-  cpp: "overlay_analysis_code_scanning_cpp" /* OverlayAnalysisCodeScanningCpp */,
  csharp: "overlay_analysis_code_scanning_csharp" /* OverlayAnalysisCodeScanningCsharp */,
  go: "overlay_analysis_code_scanning_go" /* OverlayAnalysisCodeScanningGo */,
  java: "overlay_analysis_code_scanning_java" /* OverlayAnalysisCodeScanningJava */,
  javascript: "overlay_analysis_code_scanning_javascript" /* OverlayAnalysisCodeScanningJavascript */,
  python: "overlay_analysis_code_scanning_python" /* OverlayAnalysisCodeScanningPython */,
-  ruby: "overlay_analysis_code_scanning_ruby" /* OverlayAnalysisCodeScanningRuby */,
-  rust: "overlay_analysis_code_scanning_rust" /* OverlayAnalysisCodeScanningRust */,
-  swift: "overlay_analysis_code_scanning_swift" /* OverlayAnalysisCodeScanningSwift */
+  ruby: "overlay_analysis_code_scanning_ruby" /* OverlayAnalysisCodeScanningRuby */
 };
 function getPathToParsedConfigFile(tempDir) {
  return path3.join(tempDir, "config");
@@ -45986,7 +45986,7 @@ var require_package = __commonJS({
  "package.json"(exports2, module2) {
    module2.exports = {
      name: "codeql",
-      version: "4.32.6",
+      version: "4.32.7",
      private: true,
      description: "CodeQL action",
      scripts: {
@@ -46047,20 +46047,20 @@ var require_package = __commonJS({
        "@types/sarif": "^2.1.7",
        "@types/semver": "^7.7.1",
        "@types/sinon": "^21.0.0",
-        ava: "^6.4.1",
+        ava: "^7.0.0",
        esbuild: "^0.27.3",
        eslint: "^9.39.2",
        "eslint-import-resolver-typescript": "^3.8.7",
        "eslint-plugin-github": "^6.0.0",
        "eslint-plugin-import-x": "^4.16.1",
-        "eslint-plugin-jsdoc": "^62.6.0",
+        "eslint-plugin-jsdoc": "^62.7.1",
        "eslint-plugin-no-async-foreach": "^0.1.1",
        glob: "^11.1.0",
-        globals: "^17.3.0",
+        globals: "^17.4.0",
        nock: "^14.0.11",
-        sinon: "^21.0.1",
+        sinon: "^21.0.2",
        typescript: "^5.9.3",
-        "typescript-eslint": "^8.56.0"
+        "typescript-eslint": "^8.56.1"
      },
      overrides: {
        "@actions/tool-cache": {
@@ -103423,6 +103423,7 @@ function parseRepositoryNwo(input) {

 // src/api-client.ts
 var GITHUB_ENTERPRISE_VERSION_HEADER = "x-github-enterprise-version";
+var DO_NOT_RETRY_STATUSES = [400, 410, 422, 451];
 function createApiClientWithDetails(apiDetails, { allowExternal = false } = {}) {
  const auth2 = allowExternal && apiDetails.externalRepoAuth || apiDetails.auth;
  const retryingOctokit = githubUtils.GitHub.plugin(retry);
@@ -103437,10 +103438,7 @@ function createApiClientWithDetails(apiDetails, { allowExternal = false } = {})
        error: core5.error
      },
      retry: {
-        // The default is 400, 401, 403, 404, 410, 422, and 451. We have observed transient errors
-        // with authentication, so we remove 401, 403, and 404 from the default list to ensure that
-        // these errors are retried.
-        doNotRetry: [400, 410, 422, 451]
+        doNotRetry: DO_NOT_RETRY_STATUSES
      }
    })
  );
@@ -103786,6 +103784,7 @@ var semver2 = __toESM(require_semver2());
 var RepositoryPropertyName = /* @__PURE__ */ ((RepositoryPropertyName2) => {
  RepositoryPropertyName2["DISABLE_OVERLAY"] = "github-codeql-disable-overlay";
  RepositoryPropertyName2["EXTRA_QUERIES"] = "github-codeql-extra-queries";
+  RepositoryPropertyName2["FILE_COVERAGE_ON_PRS"] = "github-codeql-file-coverage-on-prs";
  return RepositoryPropertyName2;
 })(RepositoryPropertyName || {});
 var KNOWN_REPOSITORY_PROPERTY_NAMES = new Set(
@@ -103820,8 +103819,8 @@ var path3 = __toESM(require("path"));
 var semver5 = __toESM(require_semver2());

 // src/defaults.json
-var bundleVersion = "codeql-bundle-v2.24.2";
-var cliVersion = "2.24.2";
+var bundleVersion = "codeql-bundle-v2.24.3";
+var cliVersion = "2.24.3";

 // src/overlay/index.ts
 var fs2 = __toESM(require("fs"));
@@ -103995,6 +103994,12 @@ async function isAnalyzingDefaultBranch() {

 // src/overlay/index.ts
 var CODEQL_OVERLAY_MINIMUM_VERSION = "2.23.8";
+var CODEQL_OVERLAY_MINIMUM_VERSION_CSHARP = "2.24.1";
+var CODEQL_OVERLAY_MINIMUM_VERSION_GO = "2.24.2";
+var CODEQL_OVERLAY_MINIMUM_VERSION_JAVA = "2.23.8";
+var CODEQL_OVERLAY_MINIMUM_VERSION_JAVASCRIPT = "2.23.9";
+var CODEQL_OVERLAY_MINIMUM_VERSION_PYTHON = "2.23.9";
+var CODEQL_OVERLAY_MINIMUM_VERSION_RUBY = "2.23.9";
 var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB = 7500;
 var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_BYTES = OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB * 1e6;
 async function writeBaseDatabaseOidsFile(config, sourceRoot) {
@@ -104135,70 +104140,48 @@ var featureConfig = {
    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS",
    minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION
  },
-  ["overlay_analysis_actions" /* OverlayAnalysisActions */]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_ACTIONS",
-    minimumVersion: void 0
-  },
-  ["overlay_analysis_code_scanning_actions" /* OverlayAnalysisCodeScanningActions */]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_CODE_SCANNING_ACTIONS",
-    minimumVersion: void 0
-  },
-  ["overlay_analysis_code_scanning_cpp" /* OverlayAnalysisCodeScanningCpp */]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_CODE_SCANNING_CPP",
-    minimumVersion: void 0
-  },
+  // Per-language overlay feature flags. Each has minimumVersion set to the
+  // minimum CLI version that supports overlay analysis for that language.
+  // Only languages that are GA or in staff-ship should have feature flags here.
  ["overlay_analysis_code_scanning_csharp" /* OverlayAnalysisCodeScanningCsharp */]: {
    defaultValue: false,
    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_CODE_SCANNING_CSHARP",
-    minimumVersion: void 0
+    minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_CSHARP
  },
  ["overlay_analysis_code_scanning_go" /* OverlayAnalysisCodeScanningGo */]: {
    defaultValue: false,
    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_CODE_SCANNING_GO",
-    minimumVersion: void 0
+    minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_GO
  },
  ["overlay_analysis_code_scanning_java" /* OverlayAnalysisCodeScanningJava */]: {
    defaultValue: false,
    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_CODE_SCANNING_JAVA",
-    minimumVersion: void 0
+    minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_JAVA
  },
  ["overlay_analysis_code_scanning_javascript" /* OverlayAnalysisCodeScanningJavascript */]: {
    defaultValue: false,
    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_CODE_SCANNING_JAVASCRIPT",
-    minimumVersion: void 0
+    minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_JAVASCRIPT
  },
  ["overlay_analysis_code_scanning_python" /* OverlayAnalysisCodeScanningPython */]: {
    defaultValue: false,
    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_CODE_SCANNING_PYTHON",
-    minimumVersion: void 0
+    minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_PYTHON
  },
  ["overlay_analysis_code_scanning_ruby" /* OverlayAnalysisCodeScanningRuby */]: {
    defaultValue: false,
    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_CODE_SCANNING_RUBY",
-    minimumVersion: void 0
-  },
-  ["overlay_analysis_code_scanning_rust" /* OverlayAnalysisCodeScanningRust */]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_CODE_SCANNING_RUST",
-    minimumVersion: void 0
-  },
-  ["overlay_analysis_code_scanning_swift" /* OverlayAnalysisCodeScanningSwift */]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_CODE_SCANNING_SWIFT",
-    minimumVersion: void 0
-  },
-  ["overlay_analysis_cpp" /* OverlayAnalysisCpp */]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_CPP",
-    minimumVersion: void 0
+    minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_RUBY
  },
  ["overlay_analysis_csharp" /* OverlayAnalysisCsharp */]: {
    defaultValue: false,
    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_CSHARP",
-    minimumVersion: void 0
+    minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_CSHARP
+  },
+  ["overlay_analysis_go" /* OverlayAnalysisGo */]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_GO",
+    minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_GO
  },
  ["overlay_analysis_status_check" /* OverlayAnalysisStatusCheck */]: {
    defaultValue: false,
@@ -104210,25 +104193,20 @@ var featureConfig = {
    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_STATUS_SAVE",
    minimumVersion: void 0
  },
-  ["overlay_analysis_go" /* OverlayAnalysisGo */]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_GO",
-    minimumVersion: void 0
-  },
  ["overlay_analysis_java" /* OverlayAnalysisJava */]: {
    defaultValue: false,
    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_JAVA",
-    minimumVersion: void 0
+    minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_JAVA
  },
  ["overlay_analysis_javascript" /* OverlayAnalysisJavascript */]: {
    defaultValue: false,
    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_JAVASCRIPT",
-    minimumVersion: void 0
+    minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_JAVASCRIPT
  },
  ["overlay_analysis_python" /* OverlayAnalysisPython */]: {
    defaultValue: false,
    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_PYTHON",
-    minimumVersion: void 0
+    minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_PYTHON
  },
  ["overlay_analysis_resource_checks_v2" /* OverlayAnalysisResourceChecksV2 */]: {
    defaultValue: false,
@@ -104238,23 +104216,13 @@ var featureConfig = {
  ["overlay_analysis_ruby" /* OverlayAnalysisRuby */]: {
    defaultValue: false,
    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_RUBY",
-    minimumVersion: void 0
-  },
-  ["overlay_analysis_rust" /* OverlayAnalysisRust */]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_RUST",
-    minimumVersion: void 0
+    minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_RUBY
  },
  ["overlay_analysis_skip_resource_checks" /* OverlayAnalysisSkipResourceChecks */]: {
    defaultValue: false,
    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_SKIP_RESOURCE_CHECKS",
    minimumVersion: void 0
  },
-  ["overlay_analysis_swift" /* OverlayAnalysisSwift */]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_SWIFT",
-    minimumVersion: void 0
-  },
  ["python_default_is_to_not_extract_stdlib" /* PythonDefaultIsToNotExtractStdlib */]: {
    defaultValue: false,
    envVar: "CODEQL_ACTION_DISABLE_PYTHON_STANDARD_LIBRARY_EXTRACTION",
@@ -104270,11 +104238,8 @@ var featureConfig = {
  ["skip_file_coverage_on_prs" /* SkipFileCoverageOnPrs */]: {
    defaultValue: false,
    envVar: "CODEQL_ACTION_SKIP_FILE_COVERAGE_ON_PRS",
-    // For testing, this is not behind a CLI version check yet. However
-    // before rolling this out externally, we should set a minimum version here
-    // since current versions of the CodeQL CLI will log if baseline information
-    // cannot be found when interpreting results.
-    minimumVersion: void 0
+    minimumVersion: void 0,
+    toolsFeature: "suppressesMissingFileBaselineWarning" /* SuppressesMissingFileBaselineWarning */
  },
  ["start_proxy_remove_unused_registries" /* StartProxyRemoveUnusedRegistries */]: {
    defaultValue: false,
@@ -104292,11 +104257,6 @@ var featureConfig = {
    minimumVersion: void 0,
    toolsFeature: "bundleSupportsOverlay" /* BundleSupportsOverlay */
  },
-  ["use_repository_properties_v2" /* UseRepositoryProperties */]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_USE_REPOSITORY_PROPERTIES",
-    minimumVersion: void 0
-  },
  ["validate_db_config" /* ValidateDbConfig */]: {
    defaultValue: false,
    envVar: "CODEQL_ACTION_VALIDATE_DB_CONFIG",
@@ -104640,28 +104600,20 @@ var OVERLAY_MINIMUM_AVAILABLE_DISK_SPACE_V2_MB = 14e3;
 var OVERLAY_MINIMUM_AVAILABLE_DISK_SPACE_V2_BYTES = OVERLAY_MINIMUM_AVAILABLE_DISK_SPACE_V2_MB * 1e6;
 var OVERLAY_MINIMUM_MEMORY_MB = 5 * 1024;
 var OVERLAY_ANALYSIS_FEATURES = {
-  actions: "overlay_analysis_actions" /* OverlayAnalysisActions */,
-  cpp: "overlay_analysis_cpp" /* OverlayAnalysisCpp */,
  csharp: "overlay_analysis_csharp" /* OverlayAnalysisCsharp */,
  go: "overlay_analysis_go" /* OverlayAnalysisGo */,
  java: "overlay_analysis_java" /* OverlayAnalysisJava */,
  javascript: "overlay_analysis_javascript" /* OverlayAnalysisJavascript */,
  python: "overlay_analysis_python" /* OverlayAnalysisPython */,
-  ruby: "overlay_analysis_ruby" /* OverlayAnalysisRuby */,
-  rust: "overlay_analysis_rust" /* OverlayAnalysisRust */,
-  swift: "overlay_analysis_swift" /* OverlayAnalysisSwift */
+  ruby: "overlay_analysis_ruby" /* OverlayAnalysisRuby */
 };
 var OVERLAY_ANALYSIS_CODE_SCANNING_FEATURES = {
-  actions: "overlay_analysis_code_scanning_actions" /* OverlayAnalysisCodeScanningActions */,
-  cpp: "overlay_analysis_code_scanning_cpp" /* OverlayAnalysisCodeScanningCpp */,
  csharp: "overlay_analysis_code_scanning_csharp" /* OverlayAnalysisCodeScanningCsharp */,
  go: "overlay_analysis_code_scanning_go" /* OverlayAnalysisCodeScanningGo */,
  java: "overlay_analysis_code_scanning_java" /* OverlayAnalysisCodeScanningJava */,
  javascript: "overlay_analysis_code_scanning_javascript" /* OverlayAnalysisCodeScanningJavascript */,
  python: "overlay_analysis_code_scanning_python" /* OverlayAnalysisCodeScanningPython */,
-  ruby: "overlay_analysis_code_scanning_ruby" /* OverlayAnalysisCodeScanningRuby */,
-  rust: "overlay_analysis_code_scanning_rust" /* OverlayAnalysisCodeScanningRust */,
-  swift: "overlay_analysis_code_scanning_swift" /* OverlayAnalysisCodeScanningSwift */
+  ruby: "overlay_analysis_code_scanning_ruby" /* OverlayAnalysisCodeScanningRuby */
 };
 function getPathToParsedConfigFile(tempDir) {
  return path4.join(tempDir, "config");
@@ -1,6 +1,6 @@
 {
-  "bundleVersion": "codeql-bundle-v2.24.2",
-  "cliVersion": "2.24.2",
-  "priorBundleVersion": "codeql-bundle-v2.24.1",
-  "priorCliVersion": "2.24.1"
+  "bundleVersion": "codeql-bundle-v2.24.3",
+  "cliVersion": "2.24.3",
+  "priorBundleVersion": "codeql-bundle-v2.24.2",
+  "priorCliVersion": "2.24.2"
 }
@@ -45986,7 +45986,7 @@ var require_package = __commonJS({
  "package.json"(exports2, module2) {
    module2.exports = {
      name: "codeql",
-      version: "4.32.6",
+      version: "4.32.7",
      private: true,
      description: "CodeQL action",
      scripts: {
@@ -46047,20 +46047,20 @@ var require_package = __commonJS({
        "@types/sarif": "^2.1.7",
        "@types/semver": "^7.7.1",
        "@types/sinon": "^21.0.0",
-        ava: "^6.4.1",
+        ava: "^7.0.0",
        esbuild: "^0.27.3",
        eslint: "^9.39.2",
        "eslint-import-resolver-typescript": "^3.8.7",
        "eslint-plugin-github": "^6.0.0",
        "eslint-plugin-import-x": "^4.16.1",
-        "eslint-plugin-jsdoc": "^62.6.0",
+        "eslint-plugin-jsdoc": "^62.7.1",
        "eslint-plugin-no-async-foreach": "^0.1.1",
        glob: "^11.1.0",
-        globals: "^17.3.0",
+        globals: "^17.4.0",
        nock: "^14.0.11",
-        sinon: "^21.0.1",
+        sinon: "^21.0.2",
        typescript: "^5.9.3",
-        "typescript-eslint": "^8.56.0"
+        "typescript-eslint": "^8.56.1"
      },
      overrides: {
        "@actions/tool-cache": {
@@ -103431,6 +103431,7 @@ function parseRepositoryNwo(input) {

 // src/api-client.ts
 var GITHUB_ENTERPRISE_VERSION_HEADER = "x-github-enterprise-version";
+var DO_NOT_RETRY_STATUSES = [400, 410, 422, 451];
 function createApiClientWithDetails(apiDetails, { allowExternal = false } = {}) {
  const auth2 = allowExternal && apiDetails.externalRepoAuth || apiDetails.auth;
  const retryingOctokit = githubUtils.GitHub.plugin(retry);
@@ -103445,10 +103446,7 @@ function createApiClientWithDetails(apiDetails, { allowExternal = false } = {})
        error: core5.error
      },
      retry: {
-        // The default is 400, 401, 403, 404, 410, 422, and 451. We have observed transient errors
-        // with authentication, so we remove 401, 403, and 404 from the default list to ensure that
-        // these errors are retried.
-        doNotRetry: [400, 410, 422, 451]
+        doNotRetry: DO_NOT_RETRY_STATUSES
      }
    })
  );
@@ -103785,6 +103783,7 @@ var semver2 = __toESM(require_semver2());
 var RepositoryPropertyName = /* @__PURE__ */ ((RepositoryPropertyName2) => {
  RepositoryPropertyName2["DISABLE_OVERLAY"] = "github-codeql-disable-overlay";
  RepositoryPropertyName2["EXTRA_QUERIES"] = "github-codeql-extra-queries";
+  RepositoryPropertyName2["FILE_COVERAGE_ON_PRS"] = "github-codeql-file-coverage-on-prs";
  return RepositoryPropertyName2;
 })(RepositoryPropertyName || {});
 var KNOWN_REPOSITORY_PROPERTY_NAMES = new Set(
@@ -103988,6 +103987,12 @@ async function isAnalyzingDefaultBranch() {

 // src/overlay/index.ts
 var CODEQL_OVERLAY_MINIMUM_VERSION = "2.23.8";
+var CODEQL_OVERLAY_MINIMUM_VERSION_CSHARP = "2.24.1";
+var CODEQL_OVERLAY_MINIMUM_VERSION_GO = "2.24.2";
+var CODEQL_OVERLAY_MINIMUM_VERSION_JAVA = "2.23.8";
+var CODEQL_OVERLAY_MINIMUM_VERSION_JAVASCRIPT = "2.23.9";
+var CODEQL_OVERLAY_MINIMUM_VERSION_PYTHON = "2.23.9";
+var CODEQL_OVERLAY_MINIMUM_VERSION_RUBY = "2.23.9";
 var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB = 7500;
 var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_BYTES = OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB * 1e6;
 async function writeBaseDatabaseOidsFile(config, sourceRoot) {
@@ -104126,70 +104131,48 @@ var featureConfig = {
    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS",
    minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION
  },
-  ["overlay_analysis_actions" /* OverlayAnalysisActions */]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_ACTIONS",
-    minimumVersion: void 0
-  },
-  ["overlay_analysis_code_scanning_actions" /* OverlayAnalysisCodeScanningActions */]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_CODE_SCANNING_ACTIONS",
-    minimumVersion: void 0
-  },
-  ["overlay_analysis_code_scanning_cpp" /* OverlayAnalysisCodeScanningCpp */]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_CODE_SCANNING_CPP",
-    minimumVersion: void 0
-  },
+  // Per-language overlay feature flags. Each has minimumVersion set to the
+  // minimum CLI version that supports overlay analysis for that language.
+  // Only languages that are GA or in staff-ship should have feature flags here.
  ["overlay_analysis_code_scanning_csharp" /* OverlayAnalysisCodeScanningCsharp */]: {
    defaultValue: false,
    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_CODE_SCANNING_CSHARP",
-    minimumVersion: void 0
+    minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_CSHARP
  },
  ["overlay_analysis_code_scanning_go" /* OverlayAnalysisCodeScanningGo */]: {
    defaultValue: false,
    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_CODE_SCANNING_GO",
-    minimumVersion: void 0
+    minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_GO
  },
  ["overlay_analysis_code_scanning_java" /* OverlayAnalysisCodeScanningJava */]: {
    defaultValue: false,
    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_CODE_SCANNING_JAVA",
-    minimumVersion: void 0
+    minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_JAVA
  },
  ["overlay_analysis_code_scanning_javascript" /* OverlayAnalysisCodeScanningJavascript */]: {
    defaultValue: false,
    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_CODE_SCANNING_JAVASCRIPT",
-    minimumVersion: void 0
+    minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_JAVASCRIPT
  },
  ["overlay_analysis_code_scanning_python" /* OverlayAnalysisCodeScanningPython */]: {
    defaultValue: false,
    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_CODE_SCANNING_PYTHON",
-    minimumVersion: void 0
+    minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_PYTHON
  },
  ["overlay_analysis_code_scanning_ruby" /* OverlayAnalysisCodeScanningRuby */]: {
    defaultValue: false,
    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_CODE_SCANNING_RUBY",
-    minimumVersion: void 0
-  },
-  ["overlay_analysis_code_scanning_rust" /* OverlayAnalysisCodeScanningRust */]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_CODE_SCANNING_RUST",
-    minimumVersion: void 0
-  },
-  ["overlay_analysis_code_scanning_swift" /* OverlayAnalysisCodeScanningSwift */]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_CODE_SCANNING_SWIFT",
-    minimumVersion: void 0
-  },
-  ["overlay_analysis_cpp" /* OverlayAnalysisCpp */]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_CPP",
-    minimumVersion: void 0
+    minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_RUBY
  },
  ["overlay_analysis_csharp" /* OverlayAnalysisCsharp */]: {
    defaultValue: false,
    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_CSHARP",
-    minimumVersion: void 0
+    minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_CSHARP
+  },
+  ["overlay_analysis_go" /* OverlayAnalysisGo */]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_GO",
+    minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_GO
  },
  ["overlay_analysis_status_check" /* OverlayAnalysisStatusCheck */]: {
    defaultValue: false,
@@ -104201,25 +104184,20 @@ var featureConfig = {
    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_STATUS_SAVE",
    minimumVersion: void 0
  },
-  ["overlay_analysis_go" /* OverlayAnalysisGo */]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_GO",
-    minimumVersion: void 0
-  },
  ["overlay_analysis_java" /* OverlayAnalysisJava */]: {
    defaultValue: false,
    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_JAVA",
-    minimumVersion: void 0
+    minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_JAVA
  },
  ["overlay_analysis_javascript" /* OverlayAnalysisJavascript */]: {
    defaultValue: false,
    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_JAVASCRIPT",
-    minimumVersion: void 0
+    minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_JAVASCRIPT
  },
  ["overlay_analysis_python" /* OverlayAnalysisPython */]: {
    defaultValue: false,
    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_PYTHON",
-    minimumVersion: void 0
+    minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_PYTHON
  },
  ["overlay_analysis_resource_checks_v2" /* OverlayAnalysisResourceChecksV2 */]: {
    defaultValue: false,
@@ -104229,23 +104207,13 @@ var featureConfig = {
  ["overlay_analysis_ruby" /* OverlayAnalysisRuby */]: {
    defaultValue: false,
    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_RUBY",
-    minimumVersion: void 0
-  },
-  ["overlay_analysis_rust" /* OverlayAnalysisRust */]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_RUST",
-    minimumVersion: void 0
+    minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_RUBY
  },
  ["overlay_analysis_skip_resource_checks" /* OverlayAnalysisSkipResourceChecks */]: {
    defaultValue: false,
    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_SKIP_RESOURCE_CHECKS",
    minimumVersion: void 0
  },
-  ["overlay_analysis_swift" /* OverlayAnalysisSwift */]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_SWIFT",
-    minimumVersion: void 0
-  },
  ["python_default_is_to_not_extract_stdlib" /* PythonDefaultIsToNotExtractStdlib */]: {
    defaultValue: false,
    envVar: "CODEQL_ACTION_DISABLE_PYTHON_STANDARD_LIBRARY_EXTRACTION",
@@ -104261,11 +104229,8 @@ var featureConfig = {
  ["skip_file_coverage_on_prs" /* SkipFileCoverageOnPrs */]: {
    defaultValue: false,
    envVar: "CODEQL_ACTION_SKIP_FILE_COVERAGE_ON_PRS",
-    // For testing, this is not behind a CLI version check yet. However
-    // before rolling this out externally, we should set a minimum version here
-    // since current versions of the CodeQL CLI will log if baseline information
-    // cannot be found when interpreting results.
-    minimumVersion: void 0
+    minimumVersion: void 0,
+    toolsFeature: "suppressesMissingFileBaselineWarning" /* SuppressesMissingFileBaselineWarning */
  },
  ["start_proxy_remove_unused_registries" /* StartProxyRemoveUnusedRegistries */]: {
    defaultValue: false,
@@ -104283,11 +104248,6 @@ var featureConfig = {
    minimumVersion: void 0,
    toolsFeature: "bundleSupportsOverlay" /* BundleSupportsOverlay */
  },
-  ["use_repository_properties_v2" /* UseRepositoryProperties */]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_USE_REPOSITORY_PROPERTIES",
-    minimumVersion: void 0
-  },
  ["validate_db_config" /* ValidateDbConfig */]: {
    defaultValue: false,
    envVar: "CODEQL_ACTION_VALIDATE_DB_CONFIG",
@@ -104308,28 +104268,20 @@ var OVERLAY_MINIMUM_AVAILABLE_DISK_SPACE_V2_MB = 14e3;
 var OVERLAY_MINIMUM_AVAILABLE_DISK_SPACE_V2_BYTES = OVERLAY_MINIMUM_AVAILABLE_DISK_SPACE_V2_MB * 1e6;
 var OVERLAY_MINIMUM_MEMORY_MB = 5 * 1024;
 var OVERLAY_ANALYSIS_FEATURES = {
-  actions: "overlay_analysis_actions" /* OverlayAnalysisActions */,
-  cpp: "overlay_analysis_cpp" /* OverlayAnalysisCpp */,
  csharp: "overlay_analysis_csharp" /* OverlayAnalysisCsharp */,
  go: "overlay_analysis_go" /* OverlayAnalysisGo */,
  java: "overlay_analysis_java" /* OverlayAnalysisJava */,
  javascript: "overlay_analysis_javascript" /* OverlayAnalysisJavascript */,
  python: "overlay_analysis_python" /* OverlayAnalysisPython */,
-  ruby: "overlay_analysis_ruby" /* OverlayAnalysisRuby */,
-  rust: "overlay_analysis_rust" /* OverlayAnalysisRust */,
-  swift: "overlay_analysis_swift" /* OverlayAnalysisSwift */
+  ruby: "overlay_analysis_ruby" /* OverlayAnalysisRuby */
 };
 var OVERLAY_ANALYSIS_CODE_SCANNING_FEATURES = {
-  actions: "overlay_analysis_code_scanning_actions" /* OverlayAnalysisCodeScanningActions */,
-  cpp: "overlay_analysis_code_scanning_cpp" /* OverlayAnalysisCodeScanningCpp */,
  csharp: "overlay_analysis_code_scanning_csharp" /* OverlayAnalysisCodeScanningCsharp */,
  go: "overlay_analysis_code_scanning_go" /* OverlayAnalysisCodeScanningGo */,
  java: "overlay_analysis_code_scanning_java" /* OverlayAnalysisCodeScanningJava */,
  javascript: "overlay_analysis_code_scanning_javascript" /* OverlayAnalysisCodeScanningJavascript */,
  python: "overlay_analysis_code_scanning_python" /* OverlayAnalysisCodeScanningPython */,
-  ruby: "overlay_analysis_code_scanning_ruby" /* OverlayAnalysisCodeScanningRuby */,
-  rust: "overlay_analysis_code_scanning_rust" /* OverlayAnalysisCodeScanningRust */,
-  swift: "overlay_analysis_code_scanning_swift" /* OverlayAnalysisCodeScanningSwift */
+  ruby: "overlay_analysis_code_scanning_ruby" /* OverlayAnalysisCodeScanningRuby */
 };
 function getPathToParsedConfigFile(tempDir) {
  return path3.join(tempDir, "config");
@@ -45986,7 +45986,7 @@ var require_package = __commonJS({
  "package.json"(exports2, module2) {
    module2.exports = {
      name: "codeql",
-      version: "4.32.6",
+      version: "4.32.7",
      private: true,
      description: "CodeQL action",
      scripts: {
@@ -46047,20 +46047,20 @@ var require_package = __commonJS({
        "@types/sarif": "^2.1.7",
        "@types/semver": "^7.7.1",
        "@types/sinon": "^21.0.0",
-        ava: "^6.4.1",
+        ava: "^7.0.0",
        esbuild: "^0.27.3",
        eslint: "^9.39.2",
        "eslint-import-resolver-typescript": "^3.8.7",
        "eslint-plugin-github": "^6.0.0",
        "eslint-plugin-import-x": "^4.16.1",
-        "eslint-plugin-jsdoc": "^62.6.0",
+        "eslint-plugin-jsdoc": "^62.7.1",
        "eslint-plugin-no-async-foreach": "^0.1.1",
        glob: "^11.1.0",
-        globals: "^17.3.0",
+        globals: "^17.4.0",
        nock: "^14.0.11",
-        sinon: "^21.0.1",
+        sinon: "^21.0.2",
        typescript: "^5.9.3",
-        "typescript-eslint": "^8.56.0"
+        "typescript-eslint": "^8.56.1"
      },
      overrides: {
        "@actions/tool-cache": {
@@ -161287,6 +161287,7 @@ retry.VERSION = VERSION7;

 // src/api-client.ts
 var GITHUB_ENTERPRISE_VERSION_HEADER = "x-github-enterprise-version";
+var DO_NOT_RETRY_STATUSES = [400, 410, 422, 451];
 function createApiClientWithDetails(apiDetails, { allowExternal = false } = {}) {
  const auth2 = allowExternal && apiDetails.externalRepoAuth || apiDetails.auth;
  const retryingOctokit = githubUtils.GitHub.plugin(retry);
@@ -161301,10 +161302,7 @@ function createApiClientWithDetails(apiDetails, { allowExternal = false } = {})
        error: core5.error
      },
      retry: {
-        // The default is 400, 401, 403, 404, 410, 422, and 451. We have observed transient errors
-        // with authentication, so we remove 401, 403, and 404 from the default list to ensure that
-        // these errors are retried.
-        doNotRetry: [400, 410, 422, 451]
+        doNotRetry: DO_NOT_RETRY_STATUSES
      }
    })
  );
@@ -161368,6 +161366,7 @@ var semver2 = __toESM(require_semver2());
 var RepositoryPropertyName = /* @__PURE__ */ ((RepositoryPropertyName2) => {
  RepositoryPropertyName2["DISABLE_OVERLAY"] = "github-codeql-disable-overlay";
  RepositoryPropertyName2["EXTRA_QUERIES"] = "github-codeql-extra-queries";
+  RepositoryPropertyName2["FILE_COVERAGE_ON_PRS"] = "github-codeql-file-coverage-on-prs";
  return RepositoryPropertyName2;
 })(RepositoryPropertyName || {});
 var KNOWN_REPOSITORY_PROPERTY_NAMES = new Set(
@@ -161410,6 +161409,12 @@ var semver3 = __toESM(require_semver2());

 // src/overlay/index.ts
 var CODEQL_OVERLAY_MINIMUM_VERSION = "2.23.8";
+var CODEQL_OVERLAY_MINIMUM_VERSION_CSHARP = "2.24.1";
+var CODEQL_OVERLAY_MINIMUM_VERSION_GO = "2.24.2";
+var CODEQL_OVERLAY_MINIMUM_VERSION_JAVA = "2.23.8";
+var CODEQL_OVERLAY_MINIMUM_VERSION_JAVASCRIPT = "2.23.9";
+var CODEQL_OVERLAY_MINIMUM_VERSION_PYTHON = "2.23.9";
+var CODEQL_OVERLAY_MINIMUM_VERSION_RUBY = "2.23.9";
 var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB = 7500;
 var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_BYTES = OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB * 1e6;

@@ -161492,70 +161497,48 @@ var featureConfig = {
    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS",
    minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION
  },
-  ["overlay_analysis_actions" /* OverlayAnalysisActions */]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_ACTIONS",
-    minimumVersion: void 0
-  },
-  ["overlay_analysis_code_scanning_actions" /* OverlayAnalysisCodeScanningActions */]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_CODE_SCANNING_ACTIONS",
-    minimumVersion: void 0
-  },
-  ["overlay_analysis_code_scanning_cpp" /* OverlayAnalysisCodeScanningCpp */]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_CODE_SCANNING_CPP",
-    minimumVersion: void 0
-  },
+  // Per-language overlay feature flags. Each has minimumVersion set to the
+  // minimum CLI version that supports overlay analysis for that language.
+  // Only languages that are GA or in staff-ship should have feature flags here.
  ["overlay_analysis_code_scanning_csharp" /* OverlayAnalysisCodeScanningCsharp */]: {
    defaultValue: false,
    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_CODE_SCANNING_CSHARP",
-    minimumVersion: void 0
+    minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_CSHARP
  },
  ["overlay_analysis_code_scanning_go" /* OverlayAnalysisCodeScanningGo */]: {
    defaultValue: false,
    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_CODE_SCANNING_GO",
-    minimumVersion: void 0
+    minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_GO
  },
  ["overlay_analysis_code_scanning_java" /* OverlayAnalysisCodeScanningJava */]: {
    defaultValue: false,
    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_CODE_SCANNING_JAVA",
-    minimumVersion: void 0
+    minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_JAVA
  },
  ["overlay_analysis_code_scanning_javascript" /* OverlayAnalysisCodeScanningJavascript */]: {
    defaultValue: false,
    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_CODE_SCANNING_JAVASCRIPT",
-    minimumVersion: void 0
+    minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_JAVASCRIPT
  },
  ["overlay_analysis_code_scanning_python" /* OverlayAnalysisCodeScanningPython */]: {
    defaultValue: false,
    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_CODE_SCANNING_PYTHON",
-    minimumVersion: void 0
+    minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_PYTHON
  },
  ["overlay_analysis_code_scanning_ruby" /* OverlayAnalysisCodeScanningRuby */]: {
    defaultValue: false,
    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_CODE_SCANNING_RUBY",
-    minimumVersion: void 0
-  },
-  ["overlay_analysis_code_scanning_rust" /* OverlayAnalysisCodeScanningRust */]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_CODE_SCANNING_RUST",
-    minimumVersion: void 0
-  },
-  ["overlay_analysis_code_scanning_swift" /* OverlayAnalysisCodeScanningSwift */]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_CODE_SCANNING_SWIFT",
-    minimumVersion: void 0
-  },
-  ["overlay_analysis_cpp" /* OverlayAnalysisCpp */]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_CPP",
-    minimumVersion: void 0
+    minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_RUBY
  },
  ["overlay_analysis_csharp" /* OverlayAnalysisCsharp */]: {
    defaultValue: false,
    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_CSHARP",
-    minimumVersion: void 0
+    minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_CSHARP
+  },
+  ["overlay_analysis_go" /* OverlayAnalysisGo */]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_GO",
+    minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_GO
  },
  ["overlay_analysis_status_check" /* OverlayAnalysisStatusCheck */]: {
    defaultValue: false,
@@ -161567,25 +161550,20 @@ var featureConfig = {
    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_STATUS_SAVE",
    minimumVersion: void 0
  },
-  ["overlay_analysis_go" /* OverlayAnalysisGo */]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_GO",
-    minimumVersion: void 0
-  },
  ["overlay_analysis_java" /* OverlayAnalysisJava */]: {
    defaultValue: false,
    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_JAVA",
-    minimumVersion: void 0
+    minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_JAVA
  },
  ["overlay_analysis_javascript" /* OverlayAnalysisJavascript */]: {
    defaultValue: false,
    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_JAVASCRIPT",
-    minimumVersion: void 0
+    minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_JAVASCRIPT
  },
  ["overlay_analysis_python" /* OverlayAnalysisPython */]: {
    defaultValue: false,
    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_PYTHON",
-    minimumVersion: void 0
+    minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_PYTHON
  },
  ["overlay_analysis_resource_checks_v2" /* OverlayAnalysisResourceChecksV2 */]: {
    defaultValue: false,
@@ -161595,23 +161573,13 @@ var featureConfig = {
  ["overlay_analysis_ruby" /* OverlayAnalysisRuby */]: {
    defaultValue: false,
    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_RUBY",
-    minimumVersion: void 0
-  },
-  ["overlay_analysis_rust" /* OverlayAnalysisRust */]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_RUST",
-    minimumVersion: void 0
+    minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_RUBY
  },
  ["overlay_analysis_skip_resource_checks" /* OverlayAnalysisSkipResourceChecks */]: {
    defaultValue: false,
    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_SKIP_RESOURCE_CHECKS",
    minimumVersion: void 0
  },
-  ["overlay_analysis_swift" /* OverlayAnalysisSwift */]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_SWIFT",
-    minimumVersion: void 0
-  },
  ["python_default_is_to_not_extract_stdlib" /* PythonDefaultIsToNotExtractStdlib */]: {
    defaultValue: false,
    envVar: "CODEQL_ACTION_DISABLE_PYTHON_STANDARD_LIBRARY_EXTRACTION",
@@ -161627,11 +161595,8 @@ var featureConfig = {
  ["skip_file_coverage_on_prs" /* SkipFileCoverageOnPrs */]: {
    defaultValue: false,
    envVar: "CODEQL_ACTION_SKIP_FILE_COVERAGE_ON_PRS",
-    // For testing, this is not behind a CLI version check yet. However
-    // before rolling this out externally, we should set a minimum version here
-    // since current versions of the CodeQL CLI will log if baseline information
-    // cannot be found when interpreting results.
-    minimumVersion: void 0
+    minimumVersion: void 0,
+    toolsFeature: "suppressesMissingFileBaselineWarning" /* SuppressesMissingFileBaselineWarning */
  },
  ["start_proxy_remove_unused_registries" /* StartProxyRemoveUnusedRegistries */]: {
    defaultValue: false,
@@ -161649,11 +161614,6 @@ var featureConfig = {
    minimumVersion: void 0,
    toolsFeature: "bundleSupportsOverlay" /* BundleSupportsOverlay */
  },
-  ["use_repository_properties_v2" /* UseRepositoryProperties */]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_USE_REPOSITORY_PROPERTIES",
-    minimumVersion: void 0
-  },
  ["validate_db_config" /* ValidateDbConfig */]: {
    defaultValue: false,
    envVar: "CODEQL_ACTION_VALIDATE_DB_CONFIG",
@@ -161674,28 +161634,20 @@ var OVERLAY_MINIMUM_AVAILABLE_DISK_SPACE_V2_MB = 14e3;
 var OVERLAY_MINIMUM_AVAILABLE_DISK_SPACE_V2_BYTES = OVERLAY_MINIMUM_AVAILABLE_DISK_SPACE_V2_MB * 1e6;
 var OVERLAY_MINIMUM_MEMORY_MB = 5 * 1024;
 var OVERLAY_ANALYSIS_FEATURES = {
-  actions: "overlay_analysis_actions" /* OverlayAnalysisActions */,
-  cpp: "overlay_analysis_cpp" /* OverlayAnalysisCpp */,
  csharp: "overlay_analysis_csharp" /* OverlayAnalysisCsharp */,
  go: "overlay_analysis_go" /* OverlayAnalysisGo */,
  java: "overlay_analysis_java" /* OverlayAnalysisJava */,
  javascript: "overlay_analysis_javascript" /* OverlayAnalysisJavascript */,
  python: "overlay_analysis_python" /* OverlayAnalysisPython */,
-  ruby: "overlay_analysis_ruby" /* OverlayAnalysisRuby */,
-  rust: "overlay_analysis_rust" /* OverlayAnalysisRust */,
-  swift: "overlay_analysis_swift" /* OverlayAnalysisSwift */
+  ruby: "overlay_analysis_ruby" /* OverlayAnalysisRuby */
 };
 var OVERLAY_ANALYSIS_CODE_SCANNING_FEATURES = {
-  actions: "overlay_analysis_code_scanning_actions" /* OverlayAnalysisCodeScanningActions */,
-  cpp: "overlay_analysis_code_scanning_cpp" /* OverlayAnalysisCodeScanningCpp */,
  csharp: "overlay_analysis_code_scanning_csharp" /* OverlayAnalysisCodeScanningCsharp */,
  go: "overlay_analysis_code_scanning_go" /* OverlayAnalysisCodeScanningGo */,
  java: "overlay_analysis_code_scanning_java" /* OverlayAnalysisCodeScanningJava */,
  javascript: "overlay_analysis_code_scanning_javascript" /* OverlayAnalysisCodeScanningJavascript */,
  python: "overlay_analysis_code_scanning_python" /* OverlayAnalysisCodeScanningPython */,
-  ruby: "overlay_analysis_code_scanning_ruby" /* OverlayAnalysisCodeScanningRuby */,
-  rust: "overlay_analysis_code_scanning_rust" /* OverlayAnalysisCodeScanningRust */,
-  swift: "overlay_analysis_code_scanning_swift" /* OverlayAnalysisCodeScanningSwift */
+  ruby: "overlay_analysis_code_scanning_ruby" /* OverlayAnalysisCodeScanningRuby */
 };
 function getPathToParsedConfigFile(tempDir) {
  return path.join(tempDir, "config");
@@ -45986,7 +45986,7 @@ var require_package = __commonJS({
  "package.json"(exports2, module2) {
    module2.exports = {
      name: "codeql",
-      version: "4.32.6",
+      version: "4.32.7",
      private: true,
      description: "CodeQL action",
      scripts: {
@@ -46047,20 +46047,20 @@ var require_package = __commonJS({
        "@types/sarif": "^2.1.7",
        "@types/semver": "^7.7.1",
        "@types/sinon": "^21.0.0",
-        ava: "^6.4.1",
+        ava: "^7.0.0",
        esbuild: "^0.27.3",
        eslint: "^9.39.2",
        "eslint-import-resolver-typescript": "^3.8.7",
        "eslint-plugin-github": "^6.0.0",
        "eslint-plugin-import-x": "^4.16.1",
-        "eslint-plugin-jsdoc": "^62.6.0",
+        "eslint-plugin-jsdoc": "^62.7.1",
        "eslint-plugin-no-async-foreach": "^0.1.1",
        glob: "^11.1.0",
-        globals: "^17.3.0",
+        globals: "^17.4.0",
        nock: "^14.0.11",
-        sinon: "^21.0.1",
+        sinon: "^21.0.2",
        typescript: "^5.9.3",
-        "typescript-eslint": "^8.56.0"
+        "typescript-eslint": "^8.56.1"
      },
      overrides: {
        "@actions/tool-cache": {
@@ -120510,6 +120510,7 @@ function parseRepositoryNwo(input) {

 // src/api-client.ts
 var GITHUB_ENTERPRISE_VERSION_HEADER = "x-github-enterprise-version";
+var DO_NOT_RETRY_STATUSES = [400, 410, 422, 451];
 function createApiClientWithDetails(apiDetails, { allowExternal = false } = {}) {
  const auth2 = allowExternal && apiDetails.externalRepoAuth || apiDetails.auth;
  const retryingOctokit = githubUtils.GitHub.plugin(retry);
@@ -120524,10 +120525,7 @@ function createApiClientWithDetails(apiDetails, { allowExternal = false } = {})
        error: core5.error
      },
      retry: {
-        // The default is 400, 401, 403, 404, 410, 422, and 451. We have observed transient errors
-        // with authentication, so we remove 401, 403, and 404 from the default list to ensure that
-        // these errors are retried.
-        doNotRetry: [400, 410, 422, 451]
+        doNotRetry: DO_NOT_RETRY_STATUSES
      }
    })
  );
@@ -120612,8 +120610,8 @@ var path = __toESM(require("path"));
 var semver4 = __toESM(require_semver2());

 // src/defaults.json
-var bundleVersion = "codeql-bundle-v2.24.2";
-var cliVersion = "2.24.2";
+var bundleVersion = "codeql-bundle-v2.24.3";
+var cliVersion = "2.24.3";

 // src/overlay/index.ts
 var actionsCache = __toESM(require_cache5());
@@ -120731,6 +120729,12 @@ function getActionsLogger() {

 // src/overlay/index.ts
 var CODEQL_OVERLAY_MINIMUM_VERSION = "2.23.8";
+var CODEQL_OVERLAY_MINIMUM_VERSION_CSHARP = "2.24.1";
+var CODEQL_OVERLAY_MINIMUM_VERSION_GO = "2.24.2";
+var CODEQL_OVERLAY_MINIMUM_VERSION_JAVA = "2.23.8";
+var CODEQL_OVERLAY_MINIMUM_VERSION_JAVASCRIPT = "2.23.9";
+var CODEQL_OVERLAY_MINIMUM_VERSION_PYTHON = "2.23.9";
+var CODEQL_OVERLAY_MINIMUM_VERSION_RUBY = "2.23.9";
 var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB = 7500;
 var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_BYTES = OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB * 1e6;

@@ -120815,70 +120819,48 @@ var featureConfig = {
    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS",
    minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION
  },
-  ["overlay_analysis_actions" /* OverlayAnalysisActions */]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_ACTIONS",
-    minimumVersion: void 0
-  },
-  ["overlay_analysis_code_scanning_actions" /* OverlayAnalysisCodeScanningActions */]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_CODE_SCANNING_ACTIONS",
-    minimumVersion: void 0
-  },
-  ["overlay_analysis_code_scanning_cpp" /* OverlayAnalysisCodeScanningCpp */]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_CODE_SCANNING_CPP",
-    minimumVersion: void 0
-  },
+  // Per-language overlay feature flags. Each has minimumVersion set to the
+  // minimum CLI version that supports overlay analysis for that language.
+  // Only languages that are GA or in staff-ship should have feature flags here.
  ["overlay_analysis_code_scanning_csharp" /* OverlayAnalysisCodeScanningCsharp */]: {
    defaultValue: false,
    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_CODE_SCANNING_CSHARP",
-    minimumVersion: void 0
+    minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_CSHARP
  },
  ["overlay_analysis_code_scanning_go" /* OverlayAnalysisCodeScanningGo */]: {
    defaultValue: false,
    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_CODE_SCANNING_GO",
-    minimumVersion: void 0
+    minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_GO
  },
  ["overlay_analysis_code_scanning_java" /* OverlayAnalysisCodeScanningJava */]: {
    defaultValue: false,
    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_CODE_SCANNING_JAVA",
-    minimumVersion: void 0
+    minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_JAVA
  },
  ["overlay_analysis_code_scanning_javascript" /* OverlayAnalysisCodeScanningJavascript */]: {
    defaultValue: false,
    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_CODE_SCANNING_JAVASCRIPT",
-    minimumVersion: void 0
+    minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_JAVASCRIPT
  },
  ["overlay_analysis_code_scanning_python" /* OverlayAnalysisCodeScanningPython */]: {
    defaultValue: false,
    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_CODE_SCANNING_PYTHON",
-    minimumVersion: void 0
+    minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_PYTHON
  },
  ["overlay_analysis_code_scanning_ruby" /* OverlayAnalysisCodeScanningRuby */]: {
    defaultValue: false,
    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_CODE_SCANNING_RUBY",
-    minimumVersion: void 0
-  },
-  ["overlay_analysis_code_scanning_rust" /* OverlayAnalysisCodeScanningRust */]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_CODE_SCANNING_RUST",
-    minimumVersion: void 0
-  },
-  ["overlay_analysis_code_scanning_swift" /* OverlayAnalysisCodeScanningSwift */]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_CODE_SCANNING_SWIFT",
-    minimumVersion: void 0
-  },
-  ["overlay_analysis_cpp" /* OverlayAnalysisCpp */]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_CPP",
-    minimumVersion: void 0
+    minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_RUBY
  },
  ["overlay_analysis_csharp" /* OverlayAnalysisCsharp */]: {
    defaultValue: false,
    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_CSHARP",
-    minimumVersion: void 0
+    minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_CSHARP
+  },
+  ["overlay_analysis_go" /* OverlayAnalysisGo */]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_GO",
+    minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_GO
  },
  ["overlay_analysis_status_check" /* OverlayAnalysisStatusCheck */]: {
    defaultValue: false,
@@ -120890,25 +120872,20 @@ var featureConfig = {
    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_STATUS_SAVE",
    minimumVersion: void 0
  },
-  ["overlay_analysis_go" /* OverlayAnalysisGo */]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_GO",
-    minimumVersion: void 0
-  },
  ["overlay_analysis_java" /* OverlayAnalysisJava */]: {
    defaultValue: false,
    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_JAVA",
-    minimumVersion: void 0
+    minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_JAVA
  },
  ["overlay_analysis_javascript" /* OverlayAnalysisJavascript */]: {
    defaultValue: false,
    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_JAVASCRIPT",
-    minimumVersion: void 0
+    minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_JAVASCRIPT
  },
  ["overlay_analysis_python" /* OverlayAnalysisPython */]: {
    defaultValue: false,
    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_PYTHON",
-    minimumVersion: void 0
+    minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_PYTHON
  },
  ["overlay_analysis_resource_checks_v2" /* OverlayAnalysisResourceChecksV2 */]: {
    defaultValue: false,
@@ -120918,23 +120895,13 @@ var featureConfig = {
  ["overlay_analysis_ruby" /* OverlayAnalysisRuby */]: {
    defaultValue: false,
    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_RUBY",
-    minimumVersion: void 0
-  },
-  ["overlay_analysis_rust" /* OverlayAnalysisRust */]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_RUST",
-    minimumVersion: void 0
+    minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_RUBY
  },
  ["overlay_analysis_skip_resource_checks" /* OverlayAnalysisSkipResourceChecks */]: {
    defaultValue: false,
    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_SKIP_RESOURCE_CHECKS",
    minimumVersion: void 0
  },
-  ["overlay_analysis_swift" /* OverlayAnalysisSwift */]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_SWIFT",
-    minimumVersion: void 0
-  },
  ["python_default_is_to_not_extract_stdlib" /* PythonDefaultIsToNotExtractStdlib */]: {
    defaultValue: false,
    envVar: "CODEQL_ACTION_DISABLE_PYTHON_STANDARD_LIBRARY_EXTRACTION",
@@ -120950,11 +120917,8 @@ var featureConfig = {
  ["skip_file_coverage_on_prs" /* SkipFileCoverageOnPrs */]: {
    defaultValue: false,
    envVar: "CODEQL_ACTION_SKIP_FILE_COVERAGE_ON_PRS",
-    // For testing, this is not behind a CLI version check yet. However
-    // before rolling this out externally, we should set a minimum version here
-    // since current versions of the CodeQL CLI will log if baseline information
-    // cannot be found when interpreting results.
-    minimumVersion: void 0
+    minimumVersion: void 0,
+    toolsFeature: "suppressesMissingFileBaselineWarning" /* SuppressesMissingFileBaselineWarning */
  },
  ["start_proxy_remove_unused_registries" /* StartProxyRemoveUnusedRegistries */]: {
    defaultValue: false,
@@ -120972,11 +120936,6 @@ var featureConfig = {
    minimumVersion: void 0,
    toolsFeature: "bundleSupportsOverlay" /* BundleSupportsOverlay */
  },
-  ["use_repository_properties_v2" /* UseRepositoryProperties */]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_USE_REPOSITORY_PROPERTIES",
-    minimumVersion: void 0
-  },
  ["validate_db_config" /* ValidateDbConfig */]: {
    defaultValue: false,
    envVar: "CODEQL_ACTION_VALIDATE_DB_CONFIG",
@@ -121391,6 +121350,7 @@ var semver5 = __toESM(require_semver2());
 var RepositoryPropertyName = /* @__PURE__ */ ((RepositoryPropertyName2) => {
  RepositoryPropertyName2["DISABLE_OVERLAY"] = "github-codeql-disable-overlay";
  RepositoryPropertyName2["EXTRA_QUERIES"] = "github-codeql-extra-queries";
+  RepositoryPropertyName2["FILE_COVERAGE_ON_PRS"] = "github-codeql-file-coverage-on-prs";
  return RepositoryPropertyName2;
 })(RepositoryPropertyName || {});
 var KNOWN_REPOSITORY_PROPERTY_NAMES = new Set(
@@ -121418,28 +121378,20 @@ var OVERLAY_MINIMUM_AVAILABLE_DISK_SPACE_V2_MB = 14e3;
 var OVERLAY_MINIMUM_AVAILABLE_DISK_SPACE_V2_BYTES = OVERLAY_MINIMUM_AVAILABLE_DISK_SPACE_V2_MB * 1e6;
 var OVERLAY_MINIMUM_MEMORY_MB = 5 * 1024;
 var OVERLAY_ANALYSIS_FEATURES = {
-  actions: "overlay_analysis_actions" /* OverlayAnalysisActions */,
-  cpp: "overlay_analysis_cpp" /* OverlayAnalysisCpp */,
  csharp: "overlay_analysis_csharp" /* OverlayAnalysisCsharp */,
  go: "overlay_analysis_go" /* OverlayAnalysisGo */,
  java: "overlay_analysis_java" /* OverlayAnalysisJava */,
  javascript: "overlay_analysis_javascript" /* OverlayAnalysisJavascript */,
  python: "overlay_analysis_python" /* OverlayAnalysisPython */,
-  ruby: "overlay_analysis_ruby" /* OverlayAnalysisRuby */,
-  rust: "overlay_analysis_rust" /* OverlayAnalysisRust */,
-  swift: "overlay_analysis_swift" /* OverlayAnalysisSwift */
+  ruby: "overlay_analysis_ruby" /* OverlayAnalysisRuby */
 };
 var OVERLAY_ANALYSIS_CODE_SCANNING_FEATURES = {
-  actions: "overlay_analysis_code_scanning_actions" /* OverlayAnalysisCodeScanningActions */,
-  cpp: "overlay_analysis_code_scanning_cpp" /* OverlayAnalysisCodeScanningCpp */,
  csharp: "overlay_analysis_code_scanning_csharp" /* OverlayAnalysisCodeScanningCsharp */,
  go: "overlay_analysis_code_scanning_go" /* OverlayAnalysisCodeScanningGo */,
  java: "overlay_analysis_code_scanning_java" /* OverlayAnalysisCodeScanningJava */,
  javascript: "overlay_analysis_code_scanning_javascript" /* OverlayAnalysisCodeScanningJavascript */,
  python: "overlay_analysis_code_scanning_python" /* OverlayAnalysisCodeScanningPython */,
-  ruby: "overlay_analysis_code_scanning_ruby" /* OverlayAnalysisCodeScanningRuby */,
-  rust: "overlay_analysis_code_scanning_rust" /* OverlayAnalysisCodeScanningRust */,
-  swift: "overlay_analysis_code_scanning_swift" /* OverlayAnalysisCodeScanningSwift */
+  ruby: "overlay_analysis_code_scanning_ruby" /* OverlayAnalysisCodeScanningRuby */
 };

 // src/status-report.ts
@@ -45986,7 +45986,7 @@ var require_package = __commonJS({
  "package.json"(exports2, module2) {
    module2.exports = {
      name: "codeql",
-      version: "4.32.6",
+      version: "4.32.7",
      private: true,
      description: "CodeQL action",
      scripts: {
@@ -46047,20 +46047,20 @@ var require_package = __commonJS({
        "@types/sarif": "^2.1.7",
        "@types/semver": "^7.7.1",
        "@types/sinon": "^21.0.0",
-        ava: "^6.4.1",
+        ava: "^7.0.0",
        esbuild: "^0.27.3",
        eslint: "^9.39.2",
        "eslint-import-resolver-typescript": "^3.8.7",
        "eslint-plugin-github": "^6.0.0",
        "eslint-plugin-import-x": "^4.16.1",
-        "eslint-plugin-jsdoc": "^62.6.0",
+        "eslint-plugin-jsdoc": "^62.7.1",
        "eslint-plugin-no-async-foreach": "^0.1.1",
        glob: "^11.1.0",
-        globals: "^17.3.0",
+        globals: "^17.4.0",
        nock: "^14.0.11",
-        sinon: "^21.0.1",
+        sinon: "^21.0.2",
        typescript: "^5.9.3",
-        "typescript-eslint": "^8.56.0"
+        "typescript-eslint": "^8.56.1"
      },
      overrides: {
        "@actions/tool-cache": {
@@ -161287,6 +161287,7 @@ retry.VERSION = VERSION7;

 // src/api-client.ts
 var GITHUB_ENTERPRISE_VERSION_HEADER = "x-github-enterprise-version";
+var DO_NOT_RETRY_STATUSES = [400, 410, 422, 451];
 function createApiClientWithDetails(apiDetails, { allowExternal = false } = {}) {
  const auth2 = allowExternal && apiDetails.externalRepoAuth || apiDetails.auth;
  const retryingOctokit = githubUtils.GitHub.plugin(retry);
@@ -161301,10 +161302,7 @@ function createApiClientWithDetails(apiDetails, { allowExternal = false } = {})
        error: core5.error
      },
      retry: {
-        // The default is 400, 401, 403, 404, 410, 422, and 451. We have observed transient errors
-        // with authentication, so we remove 401, 403, and 404 from the default list to ensure that
-        // these errors are retried.
-        doNotRetry: [400, 410, 422, 451]
+        doNotRetry: DO_NOT_RETRY_STATUSES
      }
    })
  );
@@ -161518,6 +161516,7 @@ var semver2 = __toESM(require_semver2());
 var RepositoryPropertyName = /* @__PURE__ */ ((RepositoryPropertyName2) => {
  RepositoryPropertyName2["DISABLE_OVERLAY"] = "github-codeql-disable-overlay";
  RepositoryPropertyName2["EXTRA_QUERIES"] = "github-codeql-extra-queries";
+  RepositoryPropertyName2["FILE_COVERAGE_ON_PRS"] = "github-codeql-file-coverage-on-prs";
  return RepositoryPropertyName2;
 })(RepositoryPropertyName || {});
 var KNOWN_REPOSITORY_PROPERTY_NAMES = new Set(
@@ -161568,6 +161567,12 @@ var semver3 = __toESM(require_semver2());

 // src/overlay/index.ts
 var CODEQL_OVERLAY_MINIMUM_VERSION = "2.23.8";
+var CODEQL_OVERLAY_MINIMUM_VERSION_CSHARP = "2.24.1";
+var CODEQL_OVERLAY_MINIMUM_VERSION_GO = "2.24.2";
+var CODEQL_OVERLAY_MINIMUM_VERSION_JAVA = "2.23.8";
+var CODEQL_OVERLAY_MINIMUM_VERSION_JAVASCRIPT = "2.23.9";
+var CODEQL_OVERLAY_MINIMUM_VERSION_PYTHON = "2.23.9";
+var CODEQL_OVERLAY_MINIMUM_VERSION_RUBY = "2.23.9";
 var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB = 7500;
 var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_BYTES = OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB * 1e6;

@@ -161654,70 +161659,48 @@ var featureConfig = {
    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS",
    minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION
  },
-  ["overlay_analysis_actions" /* OverlayAnalysisActions */]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_ACTIONS",
-    minimumVersion: void 0
-  },
-  ["overlay_analysis_code_scanning_actions" /* OverlayAnalysisCodeScanningActions */]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_CODE_SCANNING_ACTIONS",
-    minimumVersion: void 0
-  },
-  ["overlay_analysis_code_scanning_cpp" /* OverlayAnalysisCodeScanningCpp */]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_CODE_SCANNING_CPP",
-    minimumVersion: void 0
-  },
+  // Per-language overlay feature flags. Each has minimumVersion set to the
+  // minimum CLI version that supports overlay analysis for that language.
+  // Only languages that are GA or in staff-ship should have feature flags here.
  ["overlay_analysis_code_scanning_csharp" /* OverlayAnalysisCodeScanningCsharp */]: {
    defaultValue: false,
    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_CODE_SCANNING_CSHARP",
-    minimumVersion: void 0
+    minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_CSHARP
  },
  ["overlay_analysis_code_scanning_go" /* OverlayAnalysisCodeScanningGo */]: {
    defaultValue: false,
    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_CODE_SCANNING_GO",
-    minimumVersion: void 0
+    minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_GO
  },
  ["overlay_analysis_code_scanning_java" /* OverlayAnalysisCodeScanningJava */]: {
    defaultValue: false,
    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_CODE_SCANNING_JAVA",
-    minimumVersion: void 0
+    minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_JAVA
  },
  ["overlay_analysis_code_scanning_javascript" /* OverlayAnalysisCodeScanningJavascript */]: {
    defaultValue: false,
    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_CODE_SCANNING_JAVASCRIPT",
-    minimumVersion: void 0
+    minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_JAVASCRIPT
  },
  ["overlay_analysis_code_scanning_python" /* OverlayAnalysisCodeScanningPython */]: {
    defaultValue: false,
    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_CODE_SCANNING_PYTHON",
-    minimumVersion: void 0
+    minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_PYTHON
  },
  ["overlay_analysis_code_scanning_ruby" /* OverlayAnalysisCodeScanningRuby */]: {
    defaultValue: false,
    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_CODE_SCANNING_RUBY",
-    minimumVersion: void 0
-  },
-  ["overlay_analysis_code_scanning_rust" /* OverlayAnalysisCodeScanningRust */]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_CODE_SCANNING_RUST",
-    minimumVersion: void 0
-  },
-  ["overlay_analysis_code_scanning_swift" /* OverlayAnalysisCodeScanningSwift */]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_CODE_SCANNING_SWIFT",
-    minimumVersion: void 0
-  },
-  ["overlay_analysis_cpp" /* OverlayAnalysisCpp */]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_CPP",
-    minimumVersion: void 0
+    minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_RUBY
  },
  ["overlay_analysis_csharp" /* OverlayAnalysisCsharp */]: {
    defaultValue: false,
    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_CSHARP",
-    minimumVersion: void 0
+    minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_CSHARP
+  },
+  ["overlay_analysis_go" /* OverlayAnalysisGo */]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_GO",
+    minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_GO
  },
  ["overlay_analysis_status_check" /* OverlayAnalysisStatusCheck */]: {
    defaultValue: false,
@@ -161729,25 +161712,20 @@ var featureConfig = {
    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_STATUS_SAVE",
    minimumVersion: void 0
  },
-  ["overlay_analysis_go" /* OverlayAnalysisGo */]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_GO",
-    minimumVersion: void 0
-  },
  ["overlay_analysis_java" /* OverlayAnalysisJava */]: {
    defaultValue: false,
    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_JAVA",
-    minimumVersion: void 0
+    minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_JAVA
  },
  ["overlay_analysis_javascript" /* OverlayAnalysisJavascript */]: {
    defaultValue: false,
    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_JAVASCRIPT",
-    minimumVersion: void 0
+    minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_JAVASCRIPT
  },
  ["overlay_analysis_python" /* OverlayAnalysisPython */]: {
    defaultValue: false,
    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_PYTHON",
-    minimumVersion: void 0
+    minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_PYTHON
  },
  ["overlay_analysis_resource_checks_v2" /* OverlayAnalysisResourceChecksV2 */]: {
    defaultValue: false,
@@ -161757,23 +161735,13 @@ var featureConfig = {
  ["overlay_analysis_ruby" /* OverlayAnalysisRuby */]: {
    defaultValue: false,
    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_RUBY",
-    minimumVersion: void 0
-  },
-  ["overlay_analysis_rust" /* OverlayAnalysisRust */]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_RUST",
-    minimumVersion: void 0
+    minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_RUBY
  },
  ["overlay_analysis_skip_resource_checks" /* OverlayAnalysisSkipResourceChecks */]: {
    defaultValue: false,
    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_SKIP_RESOURCE_CHECKS",
    minimumVersion: void 0
  },
-  ["overlay_analysis_swift" /* OverlayAnalysisSwift */]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_SWIFT",
-    minimumVersion: void 0
-  },
  ["python_default_is_to_not_extract_stdlib" /* PythonDefaultIsToNotExtractStdlib */]: {
    defaultValue: false,
    envVar: "CODEQL_ACTION_DISABLE_PYTHON_STANDARD_LIBRARY_EXTRACTION",
@@ -161789,11 +161757,8 @@ var featureConfig = {
  ["skip_file_coverage_on_prs" /* SkipFileCoverageOnPrs */]: {
    defaultValue: false,
    envVar: "CODEQL_ACTION_SKIP_FILE_COVERAGE_ON_PRS",
-    // For testing, this is not behind a CLI version check yet. However
-    // before rolling this out externally, we should set a minimum version here
-    // since current versions of the CodeQL CLI will log if baseline information
-    // cannot be found when interpreting results.
-    minimumVersion: void 0
+    minimumVersion: void 0,
+    toolsFeature: "suppressesMissingFileBaselineWarning" /* SuppressesMissingFileBaselineWarning */
  },
  ["start_proxy_remove_unused_registries" /* StartProxyRemoveUnusedRegistries */]: {
    defaultValue: false,
@@ -161811,11 +161776,6 @@ var featureConfig = {
    minimumVersion: void 0,
    toolsFeature: "bundleSupportsOverlay" /* BundleSupportsOverlay */
  },
-  ["use_repository_properties_v2" /* UseRepositoryProperties */]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_USE_REPOSITORY_PROPERTIES",
-    minimumVersion: void 0
-  },
  ["validate_db_config" /* ValidateDbConfig */]: {
    defaultValue: false,
    envVar: "CODEQL_ACTION_VALIDATE_DB_CONFIG",
@@ -161836,28 +161796,20 @@ var OVERLAY_MINIMUM_AVAILABLE_DISK_SPACE_V2_MB = 14e3;
 var OVERLAY_MINIMUM_AVAILABLE_DISK_SPACE_V2_BYTES = OVERLAY_MINIMUM_AVAILABLE_DISK_SPACE_V2_MB * 1e6;
 var OVERLAY_MINIMUM_MEMORY_MB = 5 * 1024;
 var OVERLAY_ANALYSIS_FEATURES = {
-  actions: "overlay_analysis_actions" /* OverlayAnalysisActions */,
-  cpp: "overlay_analysis_cpp" /* OverlayAnalysisCpp */,
  csharp: "overlay_analysis_csharp" /* OverlayAnalysisCsharp */,
  go: "overlay_analysis_go" /* OverlayAnalysisGo */,
  java: "overlay_analysis_java" /* OverlayAnalysisJava */,
  javascript: "overlay_analysis_javascript" /* OverlayAnalysisJavascript */,
  python: "overlay_analysis_python" /* OverlayAnalysisPython */,
-  ruby: "overlay_analysis_ruby" /* OverlayAnalysisRuby */,
-  rust: "overlay_analysis_rust" /* OverlayAnalysisRust */,
-  swift: "overlay_analysis_swift" /* OverlayAnalysisSwift */
+  ruby: "overlay_analysis_ruby" /* OverlayAnalysisRuby */
 };
 var OVERLAY_ANALYSIS_CODE_SCANNING_FEATURES = {
-  actions: "overlay_analysis_code_scanning_actions" /* OverlayAnalysisCodeScanningActions */,
-  cpp: "overlay_analysis_code_scanning_cpp" /* OverlayAnalysisCodeScanningCpp */,
  csharp: "overlay_analysis_code_scanning_csharp" /* OverlayAnalysisCodeScanningCsharp */,
  go: "overlay_analysis_code_scanning_go" /* OverlayAnalysisCodeScanningGo */,
  java: "overlay_analysis_code_scanning_java" /* OverlayAnalysisCodeScanningJava */,
  javascript: "overlay_analysis_code_scanning_javascript" /* OverlayAnalysisCodeScanningJavascript */,
  python: "overlay_analysis_code_scanning_python" /* OverlayAnalysisCodeScanningPython */,
-  ruby: "overlay_analysis_code_scanning_ruby" /* OverlayAnalysisCodeScanningRuby */,
-  rust: "overlay_analysis_code_scanning_rust" /* OverlayAnalysisCodeScanningRust */,
-  swift: "overlay_analysis_code_scanning_swift" /* OverlayAnalysisCodeScanningSwift */
+  ruby: "overlay_analysis_code_scanning_ruby" /* OverlayAnalysisCodeScanningRuby */
 };

 // src/setup-codeql.ts
@@ -1,6 +1,6 @@
 {
  "name": "codeql",
-  "version": "4.32.6",
+  "version": "4.32.7",
  "private": true,
  "description": "CodeQL action",
  "scripts": {
@@ -61,20 +61,20 @@
    "@types/sarif": "^2.1.7",
    "@types/semver": "^7.7.1",
    "@types/sinon": "^21.0.0",
-    "ava": "^6.4.1",
+    "ava": "^7.0.0",
    "esbuild": "^0.27.3",
    "eslint": "^9.39.2",
    "eslint-import-resolver-typescript": "^3.8.7",
    "eslint-plugin-github": "^6.0.0",
    "eslint-plugin-import-x": "^4.16.1",
-    "eslint-plugin-jsdoc": "^62.6.0",
+    "eslint-plugin-jsdoc": "^62.7.1",
    "eslint-plugin-no-async-foreach": "^0.1.1",
    "glob": "^11.1.0",
-    "globals": "^17.3.0",
+    "globals": "^17.4.0",
    "nock": "^14.0.11",
-    "sinon": "^21.0.1",
+    "sinon": "^21.0.2",
    "typescript": "^5.9.3",
-    "typescript-eslint": "^8.56.0"
+    "typescript-eslint": "^8.56.1"
  },
  "overrides": {
    "@actions/tool-cache": {
@@ -1,7 +1,11 @@
 name: "All-platform bundle"
 description: "Tests using an all-platform CodeQL Bundle"
-operatingSystems: ["ubuntu", "macos", "windows"]
-versions: ["nightly-latest"]
+operatingSystems:
+  - ubuntu
+  - macos
+  - windows
+versions:
+  - nightly-latest
 useAllPlatformBundle: "true"
 installGo: true
 installDotNet: true
@@ -1,7 +1,13 @@
 name: "Analysis kinds"
 description: "Tests basic functionality for different `analysis-kinds` inputs."
-versions: ["linked", "nightly-latest"]
-analysisKinds: ["code-scanning", "code-quality", "code-scanning,code-quality", "risk-assessment"]
+versions:
+  - linked
+  - nightly-latest
+analysisKinds:
+  - code-scanning
+  - code-quality
+  - code-scanning,code-quality
+  - risk-assessment
 env:
  CODEQL_ACTION_RISK_ASSESSMENT_ID: 1
  CHECK_SCRIPT: |
@@ -40,7 +46,7 @@ steps:
      post-processed-sarif-path: "${{ runner.temp }}/post-processed"

  - name: Upload SARIF files
-    uses: actions/upload-artifact@v6
+    uses: actions/upload-artifact@v7
    with:
      name: |
        analysis-kinds-${{ matrix.os }}-${{ matrix.version }}-${{ matrix.analysis-kinds }}
@@ -48,7 +54,7 @@ steps:
      retention-days: 7

  - name: Upload post-processed SARIF
-    uses: actions/upload-artifact@v6
+    uses: actions/upload-artifact@v7
    with:
      name: |
        post-processed-${{ matrix.os }}-${{ matrix.version }}-${{ matrix.analysis-kinds }}
@@ -1,8 +1,8 @@
 name: "Analyze: 'ref' and 'sha' from inputs"
 description: "Checks that specifying 'ref' and 'sha' as inputs works"
-versions: ["default"]
+versions:
+  - default
 installGo: true
-installPython: true
 installDotNet: true
 steps:
  - uses: ./../action/init
@@ -1,7 +1,11 @@
 name: "autobuild-action"
 description: "Tests that the C# autobuild action works"
-operatingSystems: ["ubuntu", "macos", "windows"]
-versions: ["linked"]
+operatingSystems:
+  - ubuntu
+  - macos
+  - windows
+versions:
+  - linked
 installDotNet: true
 steps:
  - uses: ./../action/init
@@ -3,8 +3,12 @@ description: >
  An end-to-end integration test of a Java repository built using 'build-mode: autobuild',
  with direct tracing enabled and a custom working directory specified as the input to the
  autobuild Action.
-operatingSystems: ["ubuntu", "windows"]
-versions: ["linked", "nightly-latest"]
+operatingSystems:
+  - ubuntu
+  - windows
+versions:
+  - linked
+  - nightly-latest
 installJava: true
 env:
  CODEQL_ACTION_AUTOBUILD_BUILD_MODE_DIRECT_TRACING: true
@@ -1,6 +1,7 @@
 name: "Autobuild working directory"
 description: "Tests working-directory input of autobuild action"
-versions: ["linked"]
+versions:
+  - linked
 steps:
  - name: Test setup
    run: |
@@ -1,7 +1,11 @@
 name: "Build mode autobuild"
 description: "An end-to-end integration test of a Java repository built using 'build-mode: autobuild'"
-operatingSystems: ["ubuntu", "windows"]
-versions: ["linked", "nightly-latest"]
+operatingSystems:
+  - ubuntu
+  - windows
+versions:
+  - linked
+  - nightly-latest
 installJava: true
 installYq: true
 steps:
@@ -1,6 +1,7 @@
 name: "Build mode manual"
 description: "An end-to-end integration test of a Java repository built using 'build-mode: manual'"
-versions: ["nightly-latest"]
+versions:
+  - nightly-latest
 installGo: true
 installDotNet: true
 steps:
@@ -1,6 +1,8 @@
 name: "Build mode none"
 description: "An end-to-end integration test of a Java repository built using 'build-mode: none'"
-versions: ["linked", "nightly-latest"]
+versions:
+  - linked
+  - nightly-latest
 steps:
  - uses: ./../action/init
    id: init
@@ -1,6 +1,7 @@
 name: "Build mode rollback"
 description: "The build mode is rolled back from none to autobuild when the relevant feature flag is enabled."
-versions: ["nightly-latest"]
+versions:
+  - nightly-latest
 env:
  CODEQL_ACTION_DISABLE_JAVA_BUILDLESS: true
 steps:
@@ -3,8 +3,8 @@ description: "The CodeQL bundle should be cached within the toolcache"
 versions:
  - linked
 operatingSystems:
-  - macos
  - ubuntu
+  - macos
  - windows
 steps:
  - name: Remove CodeQL from toolcache
@@ -3,8 +3,8 @@ description: "A Zstandard CodeQL bundle should be extracted on supported operati
 versions:
  - linked
 operatingSystems:
-  - macos
  - ubuntu
+  - macos
  - windows
 steps:
  - name: Remove CodeQL from toolcache
@@ -27,7 +27,7 @@ steps:
      output: ${{ runner.temp }}/results
      upload-database: false
  - name: Upload SARIF
-    uses: actions/upload-artifact@v6
+    uses: actions/upload-artifact@v7
    with:
      name: ${{ matrix.os }}-zstd-bundle.sarif
      path: ${{ runner.temp }}/results/javascript.sarif
@@ -1,6 +1,7 @@
 name: "Clean up database cluster directory"
 description: "The database cluster directory is cleaned up if it is not empty."
-versions: ["linked"]
+versions:
+  - linked
 steps:
  - name: Add a file to the database cluster directory
    run: |
@@ -1,6 +1,8 @@
 name: "Config export"
 description: "Tests that the code scanning configuration file is exported to SARIF correctly."
-versions: ["linked", "nightly-latest"]
+versions:
+  - linked
+  - nightly-latest
 steps:
  - uses: ./../action/init
    with:
@@ -12,7 +14,7 @@ steps:
      output: "${{ runner.temp }}/results"
      upload-database: false
  - name: Upload SARIF
-    uses: actions/upload-artifact@v6
+    uses: actions/upload-artifact@v7
    with:
      name: config-export-${{ matrix.os }}-${{ matrix.version }}.sarif.json
      path: "${{ runner.temp }}/results/javascript.sarif"
@@ -1,7 +1,8 @@
 name: "Config input"
 description: "Tests specifying configuration using the config input"
 installNode: true
-versions: ["linked"]
+versions:
+  - linked
 steps:
  - name: Copy queries into workspace
    run: |
@@ -1,6 +1,9 @@
 name: "C/C++: disabling autoinstalling dependencies (Linux)"
 description: "Checks that running C/C++ autobuild with autoinstalling dependencies explicitly disabled works"
-versions: ["linked", "default", "nightly-latest"]
+versions:
+  - linked
+  - default
+  - nightly-latest
 env:
  DOTNET_GENERATE_ASPNET_CERTIFICATE: "false"
 steps:
@@ -1,7 +1,10 @@
 name: "C/C++: autoinstalling dependencies is skipped (macOS)"
 description: "Checks that running C/C++ autobuild with autoinstalling dependencies explicitly enabled is a no-op on macOS"
-operatingSystems: ["macos"]
-versions: ["linked", "nightly-latest"]
+operatingSystems:
+  - macos
+versions:
+  - linked
+  - nightly-latest
 env:
  DOTNET_GENERATE_ASPNET_CERTIFICATE: "false"
 steps:
@@ -1,6 +1,9 @@
 name: "C/C++: autoinstalling dependencies (Linux)"
 description: "Checks that running C/C++ autobuild with autoinstalling dependencies works"
-versions: ["linked", "default", "nightly-latest"]
+versions:
+  - linked
+  - default
+  - nightly-latest
 env:
  DOTNET_GENERATE_ASPNET_CERTIFICATE: "false"
 steps:
@@ -1,6 +1,8 @@
 name: "Diagnostic export"
 description: "Tests that manually added diagnostics are correctly exported to SARIF."
-versions: ["linked", "nightly-latest"]
+versions:
+  - linked
+  - nightly-latest
 env:
  CODEQL_ACTION_EXPORT_DIAGNOSTICS: true
 steps:
@@ -25,7 +27,7 @@ steps:
      output: "${{ runner.temp }}/results"
      upload-database: false
  - name: Upload SARIF
-    uses: actions/upload-artifact@v6
+    uses: actions/upload-artifact@v7
    with:
      name: diagnostics-export-${{ matrix.os }}-${{ matrix.version }}.sarif.json
      path: "${{ runner.temp }}/results/javascript.sarif"
@@ -1,7 +1,11 @@
 name: "Export file baseline information"
 description: "Tests that file baseline information is exported when the feature is enabled"
-operatingSystems: ["ubuntu", "macos", "windows"]
-versions: ["nightly-latest"]
+operatingSystems:
+  - ubuntu
+  - macos
+  - windows
+versions:
+  - nightly-latest
 installGo: true
 installDotNet: true
 env:
@@ -19,7 +23,7 @@ steps:
    with:
      output: "${{ runner.temp }}/results"
  - name: Upload SARIF
-    uses: actions/upload-artifact@v6
+    uses: actions/upload-artifact@v7
    with:
      name: with-baseline-information-${{ matrix.os }}-${{ matrix.version }}.sarif.json
      path: "${{ runner.temp }}/results/javascript.sarif"
@@ -1,6 +1,7 @@
 name: "Extractor ram and threads options test"
 description: "Tests passing RAM and threads limits to extractors"
-versions: ["linked"]
+versions:
+  - linked
 steps:
  - uses: ./../action/init
    with:
@@ -1,6 +1,8 @@
 name: "Proxy test"
 description: "Tests using a proxy specified by the https_proxy environment variable"
-versions: ["linked", "nightly-latest"]
+versions:
+  - linked
+  - nightly-latest
 container:
  image: ubuntu:22.04
 services:
@@ -2,7 +2,8 @@ name: "Go: diagnostic when Go is changed after init step"
 description: "Checks that we emit a diagnostic if Go is changed after the init step"
 # only Linux is affected
 # pinned to a version which does not support statically linked binaries for indirect tracing
-versions: ["default"]
+versions:
+  - default
 installGo: true
 collection: go
 steps:
@@ -2,7 +2,8 @@ name: "Go: diagnostic when `file` is not installed"
 description: "Checks that we emit a diagnostic if the `file` program is not installed"
 # only Linux is affected
 # pinned to a version which does not support statically linked binaries for indirect tracing
-versions: ["default"]
+versions:
+  - default
 installGo: true
 collection: go
 steps:
@@ -2,7 +2,8 @@ name: "Go: workaround for indirect tracing"
 description: "Checks that our workaround for indirect tracing for Go 1.21+ on Linux works"
 # only Linux is affected
 # pinned to a version which does not support statically linked binaries for indirect tracing
-versions: ["default"]
+versions:
+  - default
 installGo: true
 collection: go
 steps:
@@ -1,7 +1,13 @@
 name: "Go: tracing with autobuilder step"
 description: "Checks that Go tracing works when using an autobuilder step"
 collection: go
-operatingSystems: ["ubuntu", "macos"]
+operatingSystems:
+  - ubuntu
+  - macos
+osCodeQlVersions:
+  macos:
+    - linked
+    - nightly-latest
 env:
  DOTNET_GENERATE_ASPNET_CERTIFICATE: "false"
 installGo: true
@@ -1,7 +1,13 @@
 name: "Go: tracing with custom build steps"
 description: "Checks that Go tracing traces the build when using custom build steps"
 collection: go
-operatingSystems: ["ubuntu", "macos"]
+operatingSystems:
+  - ubuntu
+  - macos
+osCodeQlVersions:
+  macos:
+    - linked
+    - nightly-latest
 installGo: true
 steps:
  - uses: ./../action/init
@@ -1,7 +1,13 @@
 name: "Go: tracing with legacy workflow"
 description: "Checks that we run the autobuilder in legacy workflows with neither an autobuild step nor manual build steps"
 collection: go
-operatingSystems: ["ubuntu", "macos"]
+operatingSystems:
+  - ubuntu
+  - macos
+osCodeQlVersions:
+  macos:
+    - linked
+    - nightly-latest
 env:
  DOTNET_GENERATE_ASPNET_CERTIFICATE: "false"
 installGo: true
@@ -4,12 +4,11 @@
 # basic mechanics of multi-registry auth is working.
 name: "Packaging: Download using registries"
 description: "Checks that specifying a registries block and associated auth works as expected"
-versions: [
-    # This feature is not compatible with older CLIs
-    "default",
-    "linked",
-    "nightly-latest",
-]
+versions:
+  # This feature is not compatible with older CLIs
+  - default
+  - linked
+  - nightly-latest

 permissions:
  contents: read
@@ -1,6 +1,10 @@
 name: "Custom source root"
 description: "Checks that the argument specifying a non-default source root works"
-versions: ["linked", "default", "nightly-latest"] # This feature is not compatible with old CLIs
+# This feature is not compatible with old CLIs
+versions:
+  - linked
+  - default
+  - nightly-latest
 steps:
  - name: Move codeql-action
    run: |
@@ -1,6 +1,7 @@
 name: "Job run UUID added to SARIF"
 description: "Tests that the job run UUID is added to the SARIF output"
-versions: ["nightly-latest"]
+versions:
+  - nightly-latest
 steps:
  - uses: ./../action/init
    id: init
@@ -11,7 +12,7 @@ steps:
    with:
      output: "${{ runner.temp }}/results"
  - name: Upload SARIF
-    uses: actions/upload-artifact@v6
+    uses: actions/upload-artifact@v7
    with:
      name: ${{ matrix.os }}-${{ matrix.version }}.sarif.json
      path: "${{ runner.temp }}/results/javascript.sarif"
@@ -1,6 +1,7 @@
 name: "Language aliases"
 description: "Tests that language aliases are resolved correctly"
-versions: ["linked"]
+versions:
+  - linked
 steps:
  - uses: ./../action/init
    with:
@@ -1,8 +1,8 @@
 name: "Local CodeQL bundle"
 description: "Tests using a CodeQL bundle from a local file rather than a URL"
-versions: ["linked"]
+versions:
+  - linked
 installGo: true
-installPython: true
 installDotNet: true
 steps:
  - name: Fetch latest CodeQL bundle
@@ -1,12 +1,21 @@
 name: "Multi-language repository"
-description: "An end-to-end integration test of a multi-language repository using automatic language detection for macOS"
-operatingSystems: ["macos", "ubuntu"]
+description: "An end-to-end integration test of a multi-language repository using automatic language detection"
+operatingSystems:
+  - ubuntu
+  - macos
 env:
  CODEQL_ACTION_RESOLVE_SUPPORTED_LANGUAGES_USING_CLI: true
 installGo: true
-installPython: true
 installDotNet: true
 steps:
+  - name: Install Python 3.13 for older CLI versions
+    # We need Python 3.13 for older CLI versions because they are not compatible with Python 3.14 or newer.
+    # See https://github.com/github/codeql-action/pull/3212
+    if: matrix.version != 'nightly-latest' && matrix.version != 'linked'
+    uses: actions/setup-python@v6
+    with:
+      python-version: "3.13"
+
  - name: Use Xcode 16
    if: runner.os == 'macOS' && matrix.version != 'nightly-latest'
    run: sudo xcode-select -s "/Applications/Xcode_16.app"
@@ -1,6 +1,8 @@
 name: "Overlay database init fallback"
 description: "Tests that overlay init action succeeds with non-overlay packs"
-versions: ["linked", "nightly-latest"]
+versions:
+  - linked
+  - nightly-latest
 steps:
  - uses: ./../action/init
    with:
@@ -1,9 +1,12 @@
 name: "Packaging: Config and input passed to the CLI"
 description: "Checks that specifying packages using a combination of a config file and input to the Action works"
-versions: ["linked", "default", "nightly-latest"] # This feature is not compatible with old CLIs
+# This feature is not compatible with old CLIs
+versions:
+  - linked
+  - default
+  - nightly-latest
 installGo: true
 installNode: true
-installPython: true
 installDotNet: true
 steps:
  - uses: ./../action/init
@@ -1,6 +1,10 @@
 name: "Packaging: Config and input"
 description: "Checks that specifying packages using a combination of a config file and input to the Action works"
-versions: ["linked", "default", "nightly-latest"] # This feature is not compatible with old CLIs
+# This feature is not compatible with old CLIs
+versions:
+  - linked
+  - default
+  - nightly-latest
 installGo: true
 installNode: true
 installDotNet: true
@@ -1,6 +1,10 @@
 name: "Packaging: Config file"
 description: "Checks that specifying packages using only a config file works"
-versions: ["linked", "default", "nightly-latest"] # This feature is not compatible with old CLIs
+# This feature is not compatible with old CLIs
+versions:
+  - linked
+  - default
+  - nightly-latest
 installGo: true
 installNode: true
 installDotNet: true
@@ -1,6 +1,10 @@
 name: "Packaging: Action input"
 description: "Checks that specifying packages using the input to the Action works"
-versions: ["linked", "default", "nightly-latest"] # This feature is not compatible with old CLIs
+# This feature is not compatible with old CLIs
+versions:
+  - linked
+  - default
+  - nightly-latest
 installGo: true
 installNode: true
 installDotNet: true
@@ -6,7 +6,6 @@ versions:
  - linked
  - nightly-latest
 installGo: true
-installPython: true
 installDotNet: true
 steps:
  - uses: ./../action/init
@@ -1,6 +1,9 @@
 name: "Resolve environment"
 description: "Tests that the resolve-environment action works for Go and JavaScript/TypeScript"
-versions: ["default", "linked", "nightly-latest"]
+versions:
+  - linked
+  - default
+  - nightly-latest
 steps:
  - uses: ./../action/init
    with:
@@ -0,0 +1,33 @@
+name: Risk Assessment analysis failure uploads SARIF artifact
+description: Check that a SARIF file is uploaded as artifact if Risk Assessment fails
+versions: ["default"]
+
+permissions:
+  contents: read
+  security-events: write # needed to upload the SARIF file
+
+steps:
+  - name: Initialise CodeQL
+    uses: ./../action/init
+    id: init
+    with:
+      tools: ${{ steps.prepare-test.outputs.tools-url }}
+      languages: javascript
+      analysis-kinds: risk-assessment
+
+  - name: Fail
+    run: exit 1
+
+validationJobs:
+  artifact-present:
+    name: Check artifact
+    steps:
+      - name: Download artifact
+        uses: actions/download-artifact@v7
+        with:
+          pattern: sarif-artifact-*
+          path: ${{ runner.temp }}/results
+          merge-multiple: true
+      - name: List contents
+        run: |
+          ls -lr
@@ -1,7 +1,8 @@
 name: "RuboCop multi-language"
 description: "Tests using RuboCop to analyze a multi-language repository and then using the CodeQL Action to upload the resulting SARIF"
 # This check doesn't use CodeQL, so the `version` matrix variable is unused.
-versions: ["default"]
+versions:
+  - default
 steps:
  - name: Set up Ruby
    uses: ruby/setup-ruby@09a7688d3b55cf0e976497ff046b70949eeaccfd # v1.288.0
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Michael B. Gale	cdc1c97c42	Add PR check for CSRA artifact upload	2026-03-12 12:24:25 +00:00
Henry Mercer	1dbebad653	Merge pull request #3566 from github/dependabot/npm_and_yarn/npm-minor-aebc49e072 Bump the npm-minor group with 2 updates	2026-03-11 20:49:27 +00:00
Henry Mercer	82d7a77abc	Merge pull request #3567 from github/dependabot/npm_and_yarn/ava-7.0.0 Bump ava from 6.4.1 to 7.0.0	2026-03-11 20:47:14 +00:00
github-actions[bot]	0d0df94d93	Rebuild	2026-03-11 19:51:54 +00:00
github-actions[bot]	373dec9f22	Rebuild	2026-03-11 19:51:53 +00:00
Henry Mercer	9771a765ac	Merge branch 'main' into dependabot/npm_and_yarn/npm-minor-aebc49e072	2026-03-11 19:49:56 +00:00
Henry Mercer	363219d88d	Merge branch 'main' into dependabot/npm_and_yarn/ava-7.0.0	2026-03-11 19:49:53 +00:00
Henry Mercer	378e4b367d	Merge pull request #3568 from github/henrymercer/fix-rebuild Fix rebuild Action	2026-03-11 19:18:28 +00:00
Henry Mercer	309fd2aac7	Merge pull request #3565 from github/henrymercer/go-macos-checks PR checks: Only run Go macOS tests on latest CodeQL versions	2026-03-11 19:11:16 +00:00
Henry Mercer	567ca73ff8	Address review comments	2026-03-11 18:40:22 +00:00
Henry Mercer	5f3f250f83	Fix finishing up in progress merge	2026-03-11 18:24:00 +00:00
Henry Mercer	6fb1c2a300	Fix merge in progress detection	2026-03-11 18:23:04 +00:00
Henry Mercer	44720043ea	CI: Set up Node.js 24 in rebuild workflow	2026-03-11 18:18:30 +00:00
dependabot[bot]	f9f5edb76f	Bump ava from 6.4.1 to 7.0.0 Bumps [ava](https://github.com/avajs/ava) from 6.4.1 to 7.0.0. - [Release notes](https://github.com/avajs/ava/releases) - [Commits](https://github.com/avajs/ava/compare/v6.4.1...v7.0.0) --- updated-dependencies: - dependency-name: ava dependency-version: 7.0.0 dependency-type: direct:development update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>	2026-03-11 17:53:48 +00:00
dependabot[bot]	de2997a8c8	Bump the npm-minor group with 2 updates Bumps the npm-minor group with 2 updates: [globals](https://github.com/sindresorhus/globals) and [sinon](https://github.com/sinonjs/sinon). Updates `globals` from 17.3.0 to 17.4.0 - [Release notes](https://github.com/sindresorhus/globals/releases) - [Commits](https://github.com/sindresorhus/globals/compare/v17.3.0...v17.4.0) Updates `sinon` from 21.0.1 to 21.0.2 - [Release notes](https://github.com/sinonjs/sinon/releases) - [Changelog](https://github.com/sinonjs/sinon/blob/main/docs/changelog.md) - [Commits](https://github.com/sinonjs/sinon/compare/v21.0.1...v21.0.2) --- updated-dependencies: - dependency-name: globals dependency-version: 17.4.0 dependency-type: direct:development update-type: version-update:semver-minor dependency-group: npm-minor - dependency-name: sinon dependency-version: 21.0.2 dependency-type: direct:development update-type: version-update:semver-patch dependency-group: npm-minor ... Signed-off-by: dependabot[bot] <support@github.com>	2026-03-11 17:53:18 +00:00
Henry Mercer	117bf916af	Sort OS list and versions consistently	2026-03-11 17:11:07 +00:00
Henry Mercer	30ecc82e64	PR checks: Replace inline arrays Lists are easier to modify	2026-03-11 17:11:07 +00:00
Henry Mercer	4174779474	PR checks: Only run Go macOS tests on latest CodeQL versions	2026-03-11 17:10:56 +00:00
Henry Mercer	2bc06587aa	PR checks: Add support for per-OS CodeQL version	2026-03-11 17:10:45 +00:00
Michael B. Gale	1a97b0f94e	Merge pull request #3541 from github/mbg/pr-checks/validation-jobs Add support for validation jobs to `sync.ts`, and refactor	2026-03-11 14:43:46 +00:00
Michael B. Gale	d1a7580bd3	Verify PR checks in a different job, with newer Node	2026-03-11 12:29:36 +00:00
Michael B. Gale	89f63211ed	Use `version` in error message	2026-03-11 12:18:41 +00:00
Michael B. Gale	6570ad3440	Extend base `tsconfig.json`	2026-03-11 12:16:28 +00:00
Michael B. Gale	be7fe2bca6	Make it more explicit by construction that known inputs always have the same specifications	2026-03-11 12:14:41 +00:00
Michael B. Gale	2e1f08fe70	Remove `installPython` condition in `sync.ts` The behaviour of `installPython` now mirrors other `install*` options	2026-03-11 11:55:59 +00:00
Michael B. Gale	b9b42bed94	Remove last use of `installPython` - Add explicit `setup-python` step with condition to the workflow that was still using it - This allows simplifying the logic in `sync.ts`	2026-03-11 11:55:16 +00:00
Henry Mercer	997acaf7eb	Merge pull request #3562 from github/henrymercer/skip-file-coverage-rollout Prepare for rolling out skipping computing file coverage information on PRs	2026-03-11 11:33:21 +00:00
Henry Mercer	2e7e91fd63	Merge pull request #3550 from github/sam-robson/overlay-per-lang-min-bundle-version feat: add minimumVersion values for language overlay flags	2026-03-11 10:28:14 +00:00
Henry Mercer	5cb13d6ab8	Merge pull request #3564 from github/henrymercer/fix-database-upload-retries Fix retries when uploading databases	2026-03-10 16:56:27 +00:00
Henry Mercer	a63886bff5	Refactor: Extract separate function for `uploadBundledDatabase`	2026-03-10 16:36:02 +00:00
Henry Mercer	a11c6cbbc8	Merge branch 'main' into henrymercer/skip-file-coverage-rollout	2026-03-10 16:25:21 +00:00
Henry Mercer	cf972cde0e	Update database upload tests to use `checkExpectedLogMessages`	2026-03-10 15:52:14 +00:00
Henry Mercer	ee5ede79f7	Address review comments	2026-03-10 15:51:28 +00:00
Henry Mercer	e07c3055d7	Tweak changelog formatting	2026-03-10 15:43:28 +00:00
Henry Mercer	55a0f2b2aa	Add environment variable override	2026-03-10 15:41:40 +00:00
Sam Robson	79ea59d97e	Merge branch 'main' into sam-robson/overlay-per-lang-min-bundle-version	2026-03-10 14:13:22 +00:00
Henry Mercer	bef08edf32	Update to log deprecation warning Move rollout to April	2026-03-10 13:14:00 +00:00
Henry Mercer	edfcb0a509	Update tests	2026-03-10 12:49:58 +00:00
Henry Mercer	ca969a91db	Add changelog note	2026-03-10 12:34:47 +00:00
Henry Mercer	13c548978d	Fix retries when uploading databases	2026-03-10 12:34:18 +00:00
Michael B. Gale	87c3b7b6a1	Merge pull request #3519 from github/mbg/csra/upload-failed-sarif-artifact Upload failed SARIF for risk assessments in `init-post` step	2026-03-10 11:53:12 +00:00
Henry Mercer	ce321daddb	Merge branch 'main' into henrymercer/skip-file-coverage-rollout	2026-03-10 11:46:08 +00:00
Henry Mercer	55ae11793a	Reduce duplication of `getFileCoverageInformationEnabled`	2026-03-10 11:42:53 +00:00
Henry Mercer	3d2bdbbd3b	Simplify default repo properties	2026-03-10 11:33:00 +00:00
Sam Robson	8bddab0644	Merge branch 'main' into sam-robson/overlay-per-lang-min-bundle-version	2026-03-09 20:23:29 +00:00
Michael B. Gale	746f940d10	Merge remote-tracking branch 'origin/main' into mbg/csra/upload-failed-sarif-artifact	2026-03-09 18:32:36 +00:00
Michael B. Gale	babab88e54	Merge pull request #3561 from github/henrymercer/eslint-unused-vars Linting: Require unused function parameters to start with `_`	2026-03-09 18:00:46 +00:00
Michael B. Gale	0ad7d7be2f	Merge pull request #3560 from github/henrymercer/ghes-3.13-cleanup Clean up pre GHES 3.14 code paths	2026-03-09 18:00:31 +00:00
Michael B. Gale	8ba8180559	Merge remote-tracking branch 'origin/main' into mbg/pr-checks/validation-jobs	2026-03-09 17:58:41 +00:00
Henry Mercer	3592fe5d7a	Address review comments	2026-03-09 17:32:57 +00:00
Henry Mercer	3c97288d80	Merge pull request #3559 from github/henrymercer/ghes-repository-properties Load custom repository properties on GHES and remove feature flag	2026-03-09 17:26:59 +00:00
Henry Mercer	6773afd159	Add changelog note	2026-03-09 17:14:12 +00:00
Henry Mercer	a3fdd0e0b5	Add telemetry diagnostic to track whether repo property is used	2026-03-09 17:13:41 +00:00
Henry Mercer	9e8c05933f	Add ability to override via repository property	2026-03-09 17:08:13 +00:00
Henry Mercer	c102a6d8cd	Require tools feature flag And now that we have this, drop the restriction to `github` org.	2026-03-09 17:07:10 +00:00
Sam Robson	867f2b0e0a	test: verify overlay analysis is disabled for languages without per-language feature flags	2026-03-09 16:46:38 +00:00
Sam Robson	e04697664c	feat: add minimumVersion values for existing language-specific overlay feature flags	2026-03-09 16:45:20 +00:00
Henry Mercer	fdecf48e22	Linting: Require unused function parameters to start with `_`	2026-03-09 16:43:17 +00:00
Henry Mercer	ab180c9eeb	Clean up pre GHES 3.14 code paths	2026-03-09 16:35:29 +00:00
Henry Mercer	1b7fa1a121	Drop unused variable	2026-03-09 16:30:34 +00:00
Henry Mercer	b0642f9e86	Remove unused imports	2026-03-09 16:25:20 +00:00
Henry Mercer	a770e76359	Add changelog note	2026-03-09 16:20:52 +00:00
Henry Mercer	8924dfb7d0	Remove GHES feature gate All supported versions of GHES support the repository properties API.	2026-03-09 16:19:32 +00:00
Henry Mercer	b35c0d37b1	Clean up repository properties feature flag	2026-03-09 16:15:04 +00:00
Michael B. Gale	b39251fe78	Merge pull request #3557 from github/mbg/repo-props/multi-select Fix handling of non-`string` values from repository properties API	2026-03-09 14:48:17 +00:00
Michael B. Gale	f054eea342	Merge pull request #3549 from github/mbg/pr-checks/remove-python-setup Remove `installPython` from checks which should no longer need it	2026-03-09 14:48:05 +00:00
Michael B. Gale	6f90eb695f	Add changelog entry	2026-03-09 14:24:29 +00:00
Michael B. Gale	5ddbbbe614	Install python if there is no `matrix.version`	2026-03-09 14:16:23 +00:00
Michael B. Gale	da11f44114	Run `prepare-test` after setup steps	2026-03-09 14:13:22 +00:00
Michael B. Gale	149fd14ac7	Add unknown property with `string[]` value	2026-03-09 13:12:37 +00:00
Michael B. Gale	5311ed41ea	Include type in error message	2026-03-09 13:09:34 +00:00
Michael B. Gale	58314dce95	Export types that weren't already	2026-03-09 13:03:47 +00:00
Michael B. Gale	58991590bd	Validate `value` types returned by API against expectations	2026-03-09 12:46:24 +00:00
Michael B. Gale	9c75a5f60c	Only validate property `value` type if we care about the property	2026-03-09 12:13:48 +00:00
Michael B. Gale	8e70ae21a1	Update `GitHubRepositoryProperty` to match schema	2026-03-09 12:03:34 +00:00
Óscar San José	d1a65275e8	Merge pull request #3552 from github/mergeback/v4.32.6-to-main-0d579ffd Mergeback v4.32.6 refs/heads/releases/v4 into main	2026-03-06 10:03:43 +00:00
github-actions[bot]	0ccdcb8c0a	Rebuild	2026-03-05 19:44:36 +00:00
github-actions[bot]	05a48207b3	Update changelog and version after v4.32.6	2026-03-05 19:33:19 +00:00
Óscar San José	0d579ffd05	Merge pull request #3551 from github/update-v4.32.6-72d2d850d Merge main into releases/v4	2026-03-05 20:29:07 +01:00
github-actions[bot]	d4c6be7cf1	Update changelog for v4.32.6	2026-03-05 18:58:14 +00:00
Michael B. Gale	0da2e79318	Remove `installPython` from checks which should no longer need it	2026-03-05 16:17:19 +00:00
Michael B. Gale	2a0060496c	Fix condition	2026-03-05 16:07:10 +00:00
Michael B. Gale	103db93efa	Make it more explicit that `getSetupSteps` just needs a `JobSpecification`	2026-03-05 16:06:03 +00:00
Óscar San José	72d2d850d1	Merge pull request #3548 from github/update-bundle/codeql-bundle-v2.24.3 Update default bundle to 2.24.3	2026-03-05 16:02:55 +00:00
Michael B. Gale	23f983ce00	Merge pull request #3544 from github/dependabot/github_actions/dot-github/workflows/actions/download-artifact-8 Bump actions/download-artifact from 7 to 8 in /.github/workflows	2026-03-05 15:54:50 +00:00
Michael B. Gale	79fdef791d	Fix `generateValidationJobs` typing	2026-03-05 15:54:33 +00:00
Michael B. Gale	3d478129f2	Add `tsconfig.json` for `pr-checks`	2026-03-05 15:54:17 +00:00
Michael B. Gale	832e97ccad	Merge pull request #3545 from github/dependabot/github_actions/dot-github/workflows/actions/upload-artifact-7 Bump actions/upload-artifact from 6 to 7 in /.github/workflows	2026-03-05 15:52:06 +00:00
Michael B. Gale	5ef38c0b13	Merge pull request #3546 from github/dependabot/npm_and_yarn/tar-7.5.10 Bump tar from 7.5.7 to 7.5.10	2026-03-05 15:48:25 +00:00
Michael B. Gale	56ebdff8ae	Merge branch 'main' into mbg/pr-checks/validation-jobs	2026-03-05 15:39:28 +00:00
github-actions[bot]	80c9cda739	Add changelog note	2026-03-05 15:34:29 +00:00
github-actions[bot]	f2669dd916	Update default bundle to codeql-bundle-v2.24.3	2026-03-05 15:34:19 +00:00
Michael B. Gale	bd03c44cf4	Merge branch 'main' into dependabot/github_actions/dot-github/workflows/actions/download-artifact-8	2026-03-05 15:32:00 +00:00
dependabot[bot]	102d7627b6	Bump tar from 7.5.7 to 7.5.10 Bumps [tar](https://github.com/isaacs/node-tar) from 7.5.7 to 7.5.10. - [Release notes](https://github.com/isaacs/node-tar/releases) - [Changelog](https://github.com/isaacs/node-tar/blob/main/CHANGELOG.md) - [Commits](https://github.com/isaacs/node-tar/compare/v7.5.7...v7.5.10) --- updated-dependencies: - dependency-name: tar dependency-version: 7.5.10 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com>	2026-03-05 14:47:50 +00:00
Henry Mercer	0c0c5dc2f1	Merge pull request #3543 from github/dependabot/npm_and_yarn/npm-minor-af60a9b329 Bump the npm-minor group with 2 updates	2026-03-05 13:40:16 +00:00
github-actions[bot]	e96635d9ff	Rebuild	2026-03-05 13:19:38 +00:00
github-actions[bot]	77f9a86c60	Rebuild	2026-03-05 13:19:28 +00:00
github-actions[bot]	e681b9fb11	Merge remote-tracking branch 'origin/main' into dependabot/github_actions/dot-github/workflows/actions/upload-artifact-7	2026-03-05 13:18:44 +00:00
github-actions[bot]	bc4b00aadc	Merge remote-tracking branch 'origin/main' into dependabot/npm_and_yarn/npm-minor-af60a9b329	2026-03-05 13:18:38 +00:00
Henry Mercer	05b6a6cfaa	Merge pull request #3538 from github/henrymercer/breakdown-overlay-disabled-reason Break down overlay disabled reason	2026-03-05 13:13:13 +00:00
dependabot[bot]	31d26f2397	Bump actions/upload-artifact from 6 to 7 in /.github/workflows Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 6 to 7. - [Release notes](https://github.com/actions/upload-artifact/releases) - [Commits](https://github.com/actions/upload-artifact/compare/v6...v7) --- updated-dependencies: - dependency-name: actions/upload-artifact dependency-version: '7' dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>	2026-03-04 18:01:17 +00:00
dependabot[bot]	4d433615e7	Bump actions/download-artifact from 7 to 8 in /.github/workflows Bumps [actions/download-artifact](https://github.com/actions/download-artifact) from 7 to 8. - [Release notes](https://github.com/actions/download-artifact/releases) - [Commits](https://github.com/actions/download-artifact/compare/v7...v8) --- updated-dependencies: - dependency-name: actions/download-artifact dependency-version: '8' dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>	2026-03-04 18:00:15 +00:00
dependabot[bot]	545356f200	Bump the npm-minor group with 2 updates Bumps the npm-minor group with 2 updates: [eslint-plugin-jsdoc](https://github.com/gajus/eslint-plugin-jsdoc) and [typescript-eslint](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/typescript-eslint). Updates `eslint-plugin-jsdoc` from 62.6.0 to 62.7.1 - [Release notes](https://github.com/gajus/eslint-plugin-jsdoc/releases) - [Commits](https://github.com/gajus/eslint-plugin-jsdoc/compare/v62.6.0...v62.7.1) Updates `typescript-eslint` from 8.56.0 to 8.56.1 - [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases) - [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/typescript-eslint/CHANGELOG.md) - [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v8.56.1/packages/typescript-eslint) --- updated-dependencies: - dependency-name: eslint-plugin-jsdoc dependency-version: 62.7.1 dependency-type: direct:development update-type: version-update:semver-minor dependency-group: npm-minor - dependency-name: typescript-eslint dependency-version: 8.56.1 dependency-type: direct:development update-type: version-update:semver-patch dependency-group: npm-minor ... Signed-off-by: dependabot[bot] <support@github.com>	2026-03-04 17:53:15 +00:00
Henry Mercer	6d1c37ed8f	Fix some tests that should be serial	2026-03-04 18:02:17 +01:00
Henry Mercer	759b5db350	Merge branch 'main' into henrymercer/breakdown-overlay-disabled-reason # Conflicts: # src/config-utils.test.ts	2026-03-04 17:54:35 +01:00
Henry Mercer	60a0e2bf96	Update method naming and JSDoc	2026-03-04 17:50:30 +01:00
Henry Mercer	7449e3294d	Rename to `EnabledOverlayConfig`	2026-03-04 17:38:56 +01:00
Henry Mercer	4cd47adfe1	Address review comments	2026-03-04 17:38:24 +01:00
Henry Mercer	5fa8dad095	Use `Result`s for enablement return types	2026-03-04 17:36:42 +01:00
Henry Mercer	6a77217a46	Add disabled by env var disablement reason	2026-03-04 17:27:44 +01:00
Henry Mercer	be20394012	Rename to `usesDefaultQueriesOnly`	2026-03-04 13:56:56 +01:00
Henry Mercer	d1c255c293	Update `NonDefaultQueries` documentation	2026-03-04 13:55:29 +01:00
Henry Mercer	b371ccd8ea	Refactor `getOverlayDatabaseMode` and add new disablement reason	2026-03-04 13:53:12 +01:00
Michael B. Gale	2b6077152e	Add support for additional, validation jobs	2026-03-04 11:37:17 +00:00
Michael B. Gale	95fc2f11fb	Move `yq` setup code into `getSetupSteps`	2026-03-04 11:37:17 +00:00
Michael B. Gale	92ab799fe0	Refactor job generation into `generateJob`	2026-03-04 11:37:17 +00:00
Michael B. Gale	369d73b98f	Refactor matrix generation into its own function	2026-03-04 11:37:16 +00:00
Michael B. Gale	97a3705788	Organise language-specific setup information	2026-03-04 11:37:16 +00:00
Henry Mercer	776fd85f8c	Address review comments	2026-03-03 18:48:23 +01:00
Henry Mercer	f654d61146	Add JSDoc	2026-03-03 17:24:47 +01:00
Henry Mercer	eddf33655d	Sort `OverlayDisabledReason` enum	2026-03-03 17:22:36 +01:00
Henry Mercer	9f77ff18bb	Make "insufficient resources" reason more specific	2026-03-03 17:21:59 +01:00
Henry Mercer	0158d05946	Make "feature not enabled" reason more specific	2026-03-03 17:17:07 +01:00
Michael B. Gale	5db3a9e947	Extract `JobSpecification` type from `Specification`	2026-03-03 14:15:45 +00:00
Michael B. Gale	f3663cdc32	Fix typos in comments	2026-02-28 15:18:25 +00:00
Michael B. Gale	e995ba3522	Add more tests/assertions	2026-02-27 12:52:54 +00:00
Michael B. Gale	1e7e52a330	Add tests where upload should get skipped	2026-02-27 12:40:04 +00:00
Michael B. Gale	383b86ddcb	Refactor some test setup code into `mockRiskAssessmentEnv`	2026-02-27 12:27:32 +00:00
Michael B. Gale	ca32b84657	Ensure correct failed SARIF file names for CSRA	2026-02-26 19:56:07 +00:00
Michael B. Gale	ce97dfe405	Sanitise artifact name	2026-02-26 19:47:55 +00:00
Michael B. Gale	003044eb84	Add test	2026-02-26 19:18:32 +00:00
Michael B. Gale	5b9d1f4fdf	Simplify `prepareFailedSarif` for risk assessments	2026-02-26 19:18:29 +00:00
Michael B. Gale	f265dd9392	Separate `generateFailedSarif` out of `prepareFailedSarif`	2026-02-26 18:44:50 +00:00
Michael B. Gale	44b66a8064	Upload failed SARIF as artifact for risk assessments	2026-02-26 18:40:00 +00:00
Michael B. Gale	60ca40ecd4	Refactor `prepareFailedSarif` out of `maybeUploadFailedSarif`	2026-02-26 18:07:00 +00:00
Michael B. Gale	56d1ccc87a	Change skipped reason message	2026-02-26 17:51:06 +00:00
Michael B. Gale	e9ce32d807	Change order of checks in `tryUploadSarifIfRunFailed`	2026-02-26 17:51:06 +00:00
Michael B. Gale	0f3e632580	Rename secondary `run` to `uploadFailureInfo`	2026-02-26 17:47:32 +00:00