Add hasMessage to RecordingLogger

Replace getRecordingLogger implementation with RecordingLogger
Add assertNotLogged test helper
2026-05-10 07:40:28 +00:00 · 2026-02-24 20:45:41 +00:00 · 2026-02-24 20:40:41 +00:00 · 2026-02-24 20:36:24 +00:00
152 changed files with 9524 additions and 15010 deletions
@@ -18,9 +18,6 @@ on:
      - synchronize
      - reopened
      - ready_for_review
-  merge_group:
-    types:
-      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -52,7 +49,8 @@ defaults:
    shell: bash
 concurrency:
  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: all-platform-bundle-${{github.ref}}-${{inputs.go-version}}-${{inputs.dotnet-version}}
+  group:
+    all-platform-bundle-${{github.ref}}-${{inputs.go-version}}-${{inputs.dotnet-version}}
 jobs:
  all-platform-bundle:
    strategy:
@@ -94,7 +92,7 @@ jobs:
      - id: init
        uses: ./../action/init
        with:
-          # Swift is not supported on Ubuntu so we manually exclude it from the list here
+      # Swift is not supported on Ubuntu so we manually exclude it from the list here
          languages: cpp,csharp,go,java,javascript,python,ruby
          tools: ${{ steps.prepare-test.outputs.tools-url }}
      - name: Build code
@@ -18,9 +18,6 @@ on:
      - synchronize
      - reopened
      - ready_for_review
-  merge_group:
-    types:
-      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -87,16 +84,16 @@ jobs:
          tools: ${{ steps.prepare-test.outputs.tools-url }}
      - uses: ./../action/analyze
        with:
-          output: '${{ runner.temp }}/results'
+          output: ${{ runner.temp }}/results
          upload-database: false
-          post-processed-sarif-path: '${{ runner.temp }}/post-processed'
+          post-processed-sarif-path: ${{ runner.temp }}/post-processed

      - name: Upload SARIF files
        uses: actions/upload-artifact@v6
        with:
          name: |
            analysis-kinds-${{ matrix.os }}-${{ matrix.version }}-${{ matrix.analysis-kinds }}
-          path: '${{ runner.temp }}/results/*.sarif'
+          path: ${{ runner.temp }}/results/*.sarif
          retention-days: 7

      - name: Upload post-processed SARIF
@@ -104,7 +101,7 @@ jobs:
        with:
          name: |
            post-processed-${{ matrix.os }}-${{ matrix.version }}-${{ matrix.analysis-kinds }}
-          path: '${{ runner.temp }}/post-processed'
+          path: ${{ runner.temp }}/post-processed
          retention-days: 7
          if-no-files-found: error

@@ -112,7 +109,7 @@ jobs:
        if: contains(matrix.analysis-kinds, 'code-scanning')
        uses: actions/github-script@v8
        env:
-          SARIF_PATH: '${{ runner.temp }}/results/javascript.sarif'
+          SARIF_PATH: ${{ runner.temp }}/results/javascript.sarif
          EXPECT_PRESENT: 'false'
        with:
          script: ${{ env.CHECK_SCRIPT }}
@@ -120,7 +117,7 @@ jobs:
        if: contains(matrix.analysis-kinds, 'code-quality')
        uses: actions/github-script@v8
        env:
-          SARIF_PATH: '${{ runner.temp }}/results/javascript.quality.sarif'
+          SARIF_PATH: ${{ runner.temp }}/results/javascript.quality.sarif
          EXPECT_PRESENT: 'true'
        with:
          script: ${{ env.CHECK_SCRIPT }}
@@ -18,9 +18,6 @@ on:
      - synchronize
      - reopened
      - ready_for_review
-  merge_group:
-    types:
-      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -62,7 +59,8 @@ defaults:
    shell: bash
 concurrency:
  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: analyze-ref-input-${{github.ref}}-${{inputs.go-version}}-${{inputs.python-version}}-${{inputs.dotnet-version}}
+  group:
+    analyze-ref-input-${{github.ref}}-${{inputs.go-version}}-${{inputs.python-version}}-${{inputs.dotnet-version}}
 jobs:
  analyze-ref-input:
    strategy:
@@ -106,12 +104,13 @@ jobs:
        with:
          tools: ${{ steps.prepare-test.outputs.tools-url }}
          languages: cpp,csharp,java,javascript,python
-          config-file: ${{ github.repository }}/tests/multi-language-repo/.github/codeql/custom-queries.yml@${{ github.sha }}
+          config-file: ${{ github.repository }}/tests/multi-language-repo/.github/codeql/custom-queries.yml@${{
+            github.sha }}
      - name: Build code
        run: ./build.sh
      - uses: ./../action/analyze
        with:
-          ref: 'refs/heads/main'
-          sha: '5e235361806c361d4d3f8859e3c897658025a9a2'
+          ref: refs/heads/main
+          sha: 5e235361806c361d4d3f8859e3c897658025a9a2
    env:
      CODEQL_ACTION_TEST_MODE: true
@@ -18,9 +18,6 @@ on:
      - synchronize
      - reopened
      - ready_for_review
-  merge_group:
-    types:
-      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -82,7 +79,7 @@ jobs:
          tools: ${{ steps.prepare-test.outputs.tools-url }}
      - uses: ./../action/autobuild
        env:
-          # Explicitly disable the CLR tracer.
+      # Explicitly disable the CLR tracer.
          COR_ENABLE_PROFILING: ''
          COR_PROFILER: ''
          COR_PROFILER_PATH_64: ''
@@ -18,9 +18,6 @@ on:
      - synchronize
      - reopened
      - ready_for_review
-  merge_group:
-    types:
-      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -42,7 +39,8 @@ defaults:
    shell: bash
 concurrency:
  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: autobuild-direct-tracing-with-working-dir-${{github.ref}}-${{inputs.java-version}}
+  group:
+    autobuild-direct-tracing-with-working-dir-${{github.ref}}-${{inputs.java-version}}
 jobs:
  autobuild-direct-tracing-with-working-dir:
    strategy:
@@ -18,9 +18,6 @@ on:
      - synchronize
      - reopened
      - ready_for_review
-  merge_group:
-    types:
-      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -18,9 +18,6 @@ on:
      - synchronize
      - reopened
      - ready_for_review
-  merge_group:
-    types:
-      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -97,7 +94,7 @@ jobs:
        id: init
        with:
          build-mode: autobuild
-          db-location: '${{ runner.temp }}/customDbLocation'
+          db-location: ${{ runner.temp }}/customDbLocation
          languages: java
          tools: ${{ steps.prepare-test.outputs.tools-url }}

@@ -18,9 +18,6 @@ on:
      - synchronize
      - reopened
      - ready_for_review
-  merge_group:
-    types:
-      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -52,7 +49,8 @@ defaults:
    shell: bash
 concurrency:
  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: build-mode-manual-${{github.ref}}-${{inputs.go-version}}-${{inputs.dotnet-version}}
+  group:
+    build-mode-manual-${{github.ref}}-${{inputs.go-version}}-${{inputs.dotnet-version}}
 jobs:
  build-mode-manual:
    strategy:
@@ -91,7 +89,7 @@ jobs:
        id: init
        with:
          build-mode: manual
-          db-location: '${{ runner.temp }}/customDbLocation'
+          db-location: ${{ runner.temp }}/customDbLocation
          languages: java
          tools: ${{ steps.prepare-test.outputs.tools-url }}

@@ -18,9 +18,6 @@ on:
      - synchronize
      - reopened
      - ready_for_review
-  merge_group:
-    types:
-      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -64,7 +61,7 @@ jobs:
        id: init
        with:
          build-mode: none
-          db-location: '${{ runner.temp }}/customDbLocation'
+          db-location: ${{ runner.temp }}/customDbLocation
          languages: java
          tools: ${{ steps.prepare-test.outputs.tools-url }}

@@ -77,7 +74,7 @@ jobs:
            exit 1
          fi

-      # The latest nightly supports omitting the autobuild Action when the build mode is specified.
+  # The latest nightly supports omitting the autobuild Action when the build mode is specified.
      - uses: ./../action/autobuild
        if: matrix.version != 'nightly-latest'

@@ -18,9 +18,6 @@ on:
      - synchronize
      - reopened
      - ready_for_review
-  merge_group:
-    types:
-      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -68,7 +65,7 @@ jobs:
        id: init
        with:
          build-mode: none
-          db-location: '${{ runner.temp }}/customDbLocation'
+          db-location: ${{ runner.temp }}/customDbLocation
          languages: java
          tools: ${{ steps.prepare-test.outputs.tools-url }}

@@ -18,9 +18,6 @@ on:
      - synchronize
      - reopened
      - ready_for_review
-  merge_group:
-    types:
-      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -66,7 +63,7 @@ jobs:
          tools: ${{ steps.prepare-test.outputs.tools-url }}
          languages: javascript
      - name: Fail if the CodeQL version is not a nightly
-        if: ${{ !contains(steps.init.outputs.codeql-version, '+') }}
+        if: "!contains(steps.init.outputs.codeql-version, '+')"
        run: exit 1
    env:
      CODEQL_ACTION_TEST_MODE: true
@@ -18,9 +18,6 @@ on:
      - synchronize
      - reopened
      - ready_for_review
-  merge_group:
-    types:
-      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -18,9 +18,6 @@ on:
      - synchronize
      - reopened
      - ready_for_review
-  merge_group:
-    types:
-      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -18,9 +18,6 @@ on:
      - synchronize
      - reopened
      - ready_for_review
-  merge_group:
-    types:
-      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -18,9 +18,6 @@ on:
      - synchronize
      - reopened
      - ready_for_review
-  merge_group:
-    types:
-      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -67,7 +64,7 @@ jobs:
        id: init
        with:
          build-mode: none
-          db-location: '${{ runner.temp }}/customDbLocation'
+          db-location: ${{ runner.temp }}/customDbLocation
          languages: javascript
          tools: ${{ steps.prepare-test.outputs.tools-url }}

@@ -18,9 +18,6 @@ on:
      - synchronize
      - reopened
      - ready_for_review
-  merge_group:
-    types:
-      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -67,18 +64,18 @@ jobs:
          tools: ${{ steps.prepare-test.outputs.tools-url }}
      - uses: ./../action/analyze
        with:
-          output: '${{ runner.temp }}/results'
+          output: ${{ runner.temp }}/results
          upload-database: false
      - name: Upload SARIF
        uses: actions/upload-artifact@v6
        with:
          name: config-export-${{ matrix.os }}-${{ matrix.version }}.sarif.json
-          path: '${{ runner.temp }}/results/javascript.sarif'
+          path: ${{ runner.temp }}/results/javascript.sarif
          retention-days: 7
      - name: Check config properties appear in SARIF
        uses: actions/github-script@v8
        env:
-          SARIF_PATH: '${{ runner.temp }}/results/javascript.sarif'
+          SARIF_PATH: ${{ runner.temp }}/results/javascript.sarif
        with:
          script: |
            const fs = require('fs');
@@ -18,9 +18,6 @@ on:
      - synchronize
      - reopened
      - ready_for_review
-  merge_group:
-    types:
-      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -18,9 +18,6 @@ on:
      - synchronize
      - reopened
      - ready_for_review
-  merge_group:
-    types:
-      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -18,9 +18,6 @@ on:
      - synchronize
      - reopened
      - ready_for_review
-  merge_group:
-    types:
-      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -18,9 +18,6 @@ on:
      - synchronize
      - reopened
      - ready_for_review
-  merge_group:
-    types:
-      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -18,9 +18,6 @@ on:
      - synchronize
      - reopened
      - ready_for_review
-  merge_group:
-    types:
-      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -78,18 +75,18 @@ jobs:
            --ready-for-status-page
      - uses: ./../action/analyze
        with:
-          output: '${{ runner.temp }}/results'
+          output: ${{ runner.temp }}/results
          upload-database: false
      - name: Upload SARIF
        uses: actions/upload-artifact@v6
        with:
          name: diagnostics-export-${{ matrix.os }}-${{ matrix.version }}.sarif.json
-          path: '${{ runner.temp }}/results/javascript.sarif'
+          path: ${{ runner.temp }}/results/javascript.sarif
          retention-days: 7
      - name: Check diagnostics appear in SARIF
        uses: actions/github-script@v8
        env:
-          SARIF_PATH: '${{ runner.temp }}/results/javascript.sarif'
+          SARIF_PATH: ${{ runner.temp }}/results/javascript.sarif
        with:
          script: |
            const fs = require('fs');
@@ -18,9 +18,6 @@ on:
      - synchronize
      - reopened
      - ready_for_review
-  merge_group:
-    types:
-      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -52,7 +49,8 @@ defaults:
    shell: bash
 concurrency:
  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: export-file-baseline-information-${{github.ref}}-${{inputs.go-version}}-${{inputs.dotnet-version}}
+  group:
+    export-file-baseline-information-${{github.ref}}-${{inputs.go-version}}-${{inputs.dotnet-version}}
 jobs:
  export-file-baseline-information:
    strategy:
@@ -100,12 +98,12 @@ jobs:
        run: ./build.sh
      - uses: ./../action/analyze
        with:
-          output: '${{ runner.temp }}/results'
+          output: ${{ runner.temp }}/results
      - name: Upload SARIF
        uses: actions/upload-artifact@v6
        with:
          name: with-baseline-information-${{ matrix.os }}-${{ matrix.version }}.sarif.json
-          path: '${{ runner.temp }}/results/javascript.sarif'
+          path: ${{ runner.temp }}/results/javascript.sarif
          retention-days: 7
      - name: Check results
        run: |
@@ -18,9 +18,6 @@ on:
      - synchronize
      - reopened
      - ready_for_review
-  merge_group:
-    types:
-      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -18,9 +18,6 @@ on:
      - synchronize
      - reopened
      - ready_for_review
-  merge_group:
-    types:
-      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -18,9 +18,6 @@ on:
      - synchronize
      - reopened
      - ready_for_review
-  merge_group:
-    types:
-      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -52,7 +49,8 @@ defaults:
    shell: bash
 concurrency:
  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: go-custom-queries-${{github.ref}}-${{inputs.go-version}}-${{inputs.dotnet-version}}
+  group:
+    go-custom-queries-${{github.ref}}-${{inputs.go-version}}-${{inputs.dotnet-version}}
 jobs:
  go-custom-queries:
    strategy:
@@ -18,9 +18,6 @@ on:
      - synchronize
      - reopened
      - ready_for_review
-  merge_group:
-    types:
-      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -77,7 +74,7 @@ jobs:
        with:
          languages: go
          tools: ${{ steps.prepare-test.outputs.tools-url }}
-      # Deliberately change Go after the `init` step
+  # Deliberately change Go after the `init` step
      - uses: actions/setup-go@v6
        with:
          go-version: '1.20'
@@ -85,12 +82,12 @@ jobs:
        run: go build main.go
      - uses: ./../action/analyze
        with:
-          output: '${{ runner.temp }}/results'
+          output: ${{ runner.temp }}/results
          upload-database: false
      - name: Check diagnostic appears in SARIF
        uses: actions/github-script@v8
        env:
-          SARIF_PATH: '${{ runner.temp }}/results/go.sarif'
+          SARIF_PATH: ${{ runner.temp }}/results/go.sarif
        with:
          script: |
            const fs = require('fs');
@@ -18,9 +18,6 @@ on:
      - synchronize
      - reopened
      - ready_for_review
-  merge_group:
-    types:
-      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -42,7 +39,8 @@ defaults:
    shell: bash
 concurrency:
  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: go-indirect-tracing-workaround-no-file-program-${{github.ref}}-${{inputs.go-version}}
+  group:
+    go-indirect-tracing-workaround-no-file-program-${{github.ref}}-${{inputs.go-version}}
 jobs:
  go-indirect-tracing-workaround-no-file-program:
    strategy:
@@ -86,12 +84,12 @@ jobs:
        run: go build main.go
      - uses: ./../action/analyze
        with:
-          output: '${{ runner.temp }}/results'
+          output: ${{ runner.temp }}/results
          upload-database: false
      - name: Check diagnostic appears in SARIF
        uses: actions/github-script@v8
        env:
-          SARIF_PATH: '${{ runner.temp }}/results/go.sarif'
+          SARIF_PATH: ${{ runner.temp }}/results/go.sarif
        with:
          script: |
            const fs = require('fs');
@@ -18,9 +18,6 @@ on:
      - synchronize
      - reopened
      - ready_for_review
-  merge_group:
-    types:
-      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -18,9 +18,6 @@ on:
      - synchronize
      - reopened
      - ready_for_review
-  merge_group:
-    types:
-      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -18,9 +18,6 @@ on:
      - synchronize
      - reopened
      - ready_for_review
-  merge_group:
-    types:
-      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -18,9 +18,6 @@ on:
      - synchronize
      - reopened
      - ready_for_review
-  merge_group:
-    types:
-      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -18,9 +18,6 @@ on:
      - synchronize
      - reopened
      - ready_for_review
-  merge_group:
-    types:
-      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -50,6 +47,7 @@ jobs:
    permissions:
      contents: read
      packages: read
+
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
@@ -65,7 +63,7 @@ jobs:
      - name: Init with registries
        uses: ./../action/init
        with:
-          db-location: '${{ runner.temp }}/customDbLocation'
+          db-location: ${{ runner.temp }}/customDbLocation
          tools: ${{ steps.prepare-test.outputs.tools-url }}
          config-file: ./.github/codeql/codeql-config-registries.yml
          languages: javascript
@@ -18,9 +18,6 @@ on:
      - synchronize
      - reopened
      - ready_for_review
-  merge_group:
-    types:
-      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -18,9 +18,6 @@ on:
      - synchronize
      - reopened
      - ready_for_review
-  merge_group:
-    types:
-      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -65,12 +62,12 @@ jobs:
          tools: ${{ steps.prepare-test.outputs.tools-url }}
      - uses: ./../action/analyze
        with:
-          output: '${{ runner.temp }}/results'
+          output: ${{ runner.temp }}/results
      - name: Upload SARIF
        uses: actions/upload-artifact@v6
        with:
          name: ${{ matrix.os }}-${{ matrix.version }}.sarif.json
-          path: '${{ runner.temp }}/results/javascript.sarif'
+          path: ${{ runner.temp }}/results/javascript.sarif
          retention-days: 7
      - name: Check results
        run: |
@@ -18,9 +18,6 @@ on:
      - synchronize
      - reopened
      - ready_for_review
-  merge_group:
-    types:
-      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -63,7 +60,7 @@ jobs:
          languages: C#,java-kotlin,swift,typescript
          tools: ${{ steps.prepare-test.outputs.tools-url }}

-      - name: 'Check languages'
+      - name: Check languages
        run: |
          expected_languages="csharp,java,swift,javascript"
          actual_languages=$(jq -r '.languages | join(",")' "$RUNNER_TEMP"/config)
@@ -18,9 +18,6 @@ on:
      - synchronize
      - reopened
      - ready_for_review
-  merge_group:
-    types:
-      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -62,7 +59,8 @@ defaults:
    shell: bash
 concurrency:
  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: local-bundle-${{github.ref}}-${{inputs.go-version}}-${{inputs.python-version}}-${{inputs.dotnet-version}}
+  group:
+    local-bundle-${{github.ref}}-${{inputs.go-version}}-${{inputs.python-version}}-${{inputs.dotnet-version}}
 jobs:
  local-bundle:
    strategy:
@@ -108,7 +106,7 @@ jobs:
      - id: init
        uses: ./../action/init
        with:
-          # Swift is not supported on Ubuntu so we manually exclude it from the list here
+      # Swift is not supported on Ubuntu so we manually exclude it from the list here
          languages: cpp,csharp,go,java,javascript,python,ruby
          tools: ./codeql-bundle-linux64.tar.zst
      - name: Build code
@@ -18,9 +18,6 @@ on:
      - synchronize
      - reopened
      - ready_for_review
-  merge_group:
-    types:
-      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -62,7 +59,8 @@ defaults:
    shell: bash
 concurrency:
  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: multi-language-autodetect-${{github.ref}}-${{inputs.go-version}}-${{inputs.python-version}}-${{inputs.dotnet-version}}
+  group:
+    multi-language-autodetect-${{github.ref}}-${{inputs.go-version}}-${{inputs.python-version}}-${{inputs.dotnet-version}}
 jobs:
  multi-language-autodetect:
    strategy:
@@ -143,8 +141,9 @@ jobs:
      - uses: ./../action/init
        id: init
        with:
-          db-location: '${{ runner.temp }}/customDbLocation'
-          languages: ${{ runner.os == 'Linux' && 'cpp,csharp,go,java,javascript,python,ruby' || '' }}
+          db-location: ${{ runner.temp }}/customDbLocation
+          languages: ${{ runner.os == 'Linux' && 'cpp,csharp,go,java,javascript,python,ruby'
+            || '' }}
          tools: ${{ steps.prepare-test.outputs.tools-url }}

      - name: Build code
@@ -18,9 +18,6 @@ on:
      - synchronize
      - reopened
      - ready_for_review
-  merge_group:
-    types:
-      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -18,9 +18,6 @@ on:
      - synchronize
      - reopened
      - ready_for_review
-  merge_group:
-    types:
-      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -62,7 +59,8 @@ defaults:
    shell: bash
 concurrency:
  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: packaging-codescanning-config-inputs-js-${{github.ref}}-${{inputs.go-version}}-${{inputs.python-version}}-${{inputs.dotnet-version}}
+  group:
+    packaging-codescanning-config-inputs-js-${{github.ref}}-${{inputs.go-version}}-${{inputs.python-version}}-${{inputs.dotnet-version}}
 jobs:
  packaging-codescanning-config-inputs-js:
    strategy:
@@ -115,7 +113,7 @@ jobs:
          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - uses: ./../action/init
        with:
-          config-file: '.github/codeql/codeql-config-packaging3.yml'
+          config-file: .github/codeql/codeql-config-packaging3.yml
          packs: +codeql-testing/codeql-pack1@1.0.0
          languages: javascript
          tools: ${{ steps.prepare-test.outputs.tools-url }}
@@ -123,14 +121,15 @@ jobs:
        run: ./build.sh
      - uses: ./../action/analyze
        with:
-          output: '${{ runner.temp }}/results'
+          output: ${{ runner.temp }}/results
          upload-database: false

      - name: Check results
        uses: ./../action/.github/actions/check-sarif
        with:
          sarif-file: ${{ runner.temp }}/results/javascript.sarif
-          queries-run: javascript/example/empty-or-one-block,javascript/example/empty-or-one-block,javascript/example/other-query-block,javascript/example/two-block
+          queries-run:
+            javascript/example/empty-or-one-block,javascript/example/empty-or-one-block,javascript/example/other-query-block,javascript/example/two-block
          queries-not-run: foo,bar

      - name: Assert Results
@@ -18,9 +18,6 @@ on:
      - synchronize
      - reopened
      - ready_for_review
-  merge_group:
-    types:
-      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -52,7 +49,8 @@ defaults:
    shell: bash
 concurrency:
  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: packaging-config-inputs-js-${{github.ref}}-${{inputs.go-version}}-${{inputs.dotnet-version}}
+  group:
+    packaging-config-inputs-js-${{github.ref}}-${{inputs.go-version}}-${{inputs.dotnet-version}}
 jobs:
  packaging-config-inputs-js:
    strategy:
@@ -100,7 +98,7 @@ jobs:
          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - uses: ./../action/init
        with:
-          config-file: '.github/codeql/codeql-config-packaging3.yml'
+          config-file: .github/codeql/codeql-config-packaging3.yml
          packs: +codeql-testing/codeql-pack1@1.0.0
          languages: javascript
          tools: ${{ steps.prepare-test.outputs.tools-url }}
@@ -108,14 +106,15 @@ jobs:
        run: ./build.sh
      - uses: ./../action/analyze
        with:
-          output: '${{ runner.temp }}/results'
+          output: ${{ runner.temp }}/results
          upload-database: false

      - name: Check results
        uses: ./../action/.github/actions/check-sarif
        with:
          sarif-file: ${{ runner.temp }}/results/javascript.sarif
-          queries-run: javascript/example/empty-or-one-block,javascript/example/empty-or-one-block,javascript/example/other-query-block,javascript/example/two-block
+          queries-run:
+            javascript/example/empty-or-one-block,javascript/example/empty-or-one-block,javascript/example/other-query-block,javascript/example/two-block
          queries-not-run: foo,bar

      - name: Assert Results
@@ -18,9 +18,6 @@ on:
      - synchronize
      - reopened
      - ready_for_review
-  merge_group:
-    types:
-      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -52,7 +49,8 @@ defaults:
    shell: bash
 concurrency:
  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: packaging-config-js-${{github.ref}}-${{inputs.go-version}}-${{inputs.dotnet-version}}
+  group:
+    packaging-config-js-${{github.ref}}-${{inputs.go-version}}-${{inputs.dotnet-version}}
 jobs:
  packaging-config-js:
    strategy:
@@ -100,21 +98,22 @@ jobs:
          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - uses: ./../action/init
        with:
-          config-file: '.github/codeql/codeql-config-packaging.yml'
+          config-file: .github/codeql/codeql-config-packaging.yml
          languages: javascript
          tools: ${{ steps.prepare-test.outputs.tools-url }}
      - name: Build code
        run: ./build.sh
      - uses: ./../action/analyze
        with:
-          output: '${{ runner.temp }}/results'
+          output: ${{ runner.temp }}/results
          upload-database: false

      - name: Check results
        uses: ./../action/.github/actions/check-sarif
        with:
          sarif-file: ${{ runner.temp }}/results/javascript.sarif
-          queries-run: javascript/example/empty-or-one-block,javascript/example/empty-or-one-block,javascript/example/other-query-block,javascript/example/two-block
+          queries-run:
+            javascript/example/empty-or-one-block,javascript/example/empty-or-one-block,javascript/example/other-query-block,javascript/example/two-block
          queries-not-run: foo,bar

      - name: Assert Results
@@ -18,9 +18,6 @@ on:
      - synchronize
      - reopened
      - ready_for_review
-  merge_group:
-    types:
-      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -52,7 +49,8 @@ defaults:
    shell: bash
 concurrency:
  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: packaging-inputs-js-${{github.ref}}-${{inputs.go-version}}-${{inputs.dotnet-version}}
+  group:
+    packaging-inputs-js-${{github.ref}}-${{inputs.go-version}}-${{inputs.dotnet-version}}
 jobs:
  packaging-inputs-js:
    strategy:
@@ -100,7 +98,7 @@ jobs:
          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - uses: ./../action/init
        with:
-          config-file: '.github/codeql/codeql-config-packaging2.yml'
+          config-file: .github/codeql/codeql-config-packaging2.yml
          languages: javascript
          packs: codeql-testing/codeql-pack1@1.0.0, codeql-testing/codeql-pack2, codeql-testing/codeql-pack3:other-query.ql
          tools: ${{ steps.prepare-test.outputs.tools-url }}
@@ -108,13 +106,14 @@ jobs:
        run: ./build.sh
      - uses: ./../action/analyze
        with:
-          output: '${{ runner.temp }}/results'
+          output: ${{ runner.temp }}/results

      - name: Check results
        uses: ./../action/.github/actions/check-sarif
        with:
          sarif-file: ${{ runner.temp }}/results/javascript.sarif
-          queries-run: javascript/example/empty-or-one-block,javascript/example/empty-or-one-block,javascript/example/other-query-block,javascript/example/two-block
+          queries-run:
+            javascript/example/empty-or-one-block,javascript/example/empty-or-one-block,javascript/example/other-query-block,javascript/example/two-block
          queries-not-run: foo,bar

      - name: Assert Results
@@ -18,9 +18,6 @@ on:
      - synchronize
      - reopened
      - ready_for_review
-  merge_group:
-    types:
-      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -62,7 +59,8 @@ defaults:
    shell: bash
 concurrency:
  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: remote-config-${{github.ref}}-${{inputs.go-version}}-${{inputs.python-version}}-${{inputs.dotnet-version}}
+  group:
+    remote-config-${{github.ref}}-${{inputs.go-version}}-${{inputs.python-version}}-${{inputs.dotnet-version}}
 jobs:
  remote-config:
    strategy:
@@ -108,7 +106,8 @@ jobs:
        with:
          tools: ${{ steps.prepare-test.outputs.tools-url }}
          languages: cpp,csharp,java,javascript,python
-          config-file: ${{ github.repository }}/tests/multi-language-repo/.github/codeql/custom-queries.yml@${{ github.sha }}
+          config-file: ${{ github.repository }}/tests/multi-language-repo/.github/codeql/custom-queries.yml@${{
+            github.sha }}
      - name: Build code
        run: ./build.sh
      - uses: ./../action/analyze
@@ -18,9 +18,6 @@ on:
      - synchronize
      - reopened
      - ready_for_review
-  merge_group:
-    types:
-      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -84,7 +81,8 @@ jobs:
          language: javascript-typescript

      - name: Fail if JavaScript/TypeScript configuration present
-        if: fromJSON(steps.resolve-environment-js.outputs.environment).configuration.javascript
+        if:
+          fromJSON(steps.resolve-environment-js.outputs.environment).configuration.javascript
        run: exit 1
    env:
      CODEQL_ACTION_TEST_MODE: true
@@ -18,9 +18,6 @@ on:
      - synchronize
      - reopened
      - ready_for_review
-  merge_group:
-    types:
-      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -18,9 +18,6 @@ on:
      - synchronize
      - reopened
      - ready_for_review
-  merge_group:
-    types:
-      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -18,9 +18,6 @@ on:
      - synchronize
      - reopened
      - ready_for_review
-  merge_group:
-    types:
-      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -18,9 +18,6 @@ on:
      - synchronize
      - reopened
      - ready_for_review
-  merge_group:
-    types:
-      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -99,7 +96,7 @@ jobs:
          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - uses: ./../action/init
        with:
-          config-file: '.github/codeql/codeql-config-packaging3.yml'
+          config-file: .github/codeql/codeql-config-packaging3.yml
          packs: +codeql-testing/codeql-pack1@1.0.0
          languages: javascript
          tools: ${{ steps.prepare-test.outputs.tools-url }}
@@ -108,7 +105,7 @@ jobs:
      - uses: ./../action/analyze
        with:
          skip-queries: true
-          output: '${{ runner.temp }}/results'
+          output: ${{ runner.temp }}/results
          upload-database: false

      - name: Assert No Results
@@ -119,7 +116,7 @@ jobs:
          fi
      - uses: ./../action/analyze
        with:
-          output: '${{ runner.temp }}/results'
+          output: ${{ runner.temp }}/results
          upload-database: false
      - name: Assert Results
        run: |
@@ -18,9 +18,6 @@ on:
      - synchronize
      - reopened
      - ready_for_review
-  merge_group:
-    types:
-      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -71,7 +68,8 @@ jobs:
        id: proxy
        uses: ./../action/start-proxy
        with:
-          registry_secrets: '[{ "type": "nuget_feed", "url": "https://api.nuget.org/v3/index.json" }]'
+          registry_secrets: '[{ "type": "nuget_feed", "url": "https://api.nuget.org/v3/index.json"
+            }]'

      - name: Print proxy outputs
        run: |
@@ -80,7 +78,8 @@ jobs:
          echo "${{ steps.proxy.outputs.proxy_urls }}"

      - name: Fail if proxy outputs are not set
-        if: (!steps.proxy.outputs.proxy_host) || (!steps.proxy.outputs.proxy_port) || (!steps.proxy.outputs.proxy_ca_certificate) || (!steps.proxy.outputs.proxy_urls)
+        if: (!steps.proxy.outputs.proxy_host) || (!steps.proxy.outputs.proxy_port)
+          || (!steps.proxy.outputs.proxy_ca_certificate) || (!steps.proxy.outputs.proxy_urls)
        run: exit 1
    env:
      CODEQL_ACTION_TEST_MODE: true
@@ -18,9 +18,6 @@ on:
      - synchronize
      - reopened
      - ready_for_review
-  merge_group:
-    types:
-      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -49,7 +46,8 @@ jobs:
    if: github.triggering_actor != 'dependabot[bot]'
    permissions:
      contents: read
-      security-events: write
+      security-events: write # needed to upload the SARIF file
+
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
@@ -68,20 +66,26 @@ jobs:
          languages: javascript
          tools: ${{ steps.prepare-test.outputs.tools-url }}
      - name: Fail
-        # We want this job to pass if the Action correctly uploads the SARIF file for
-        # the failed run.
-        # Setting this step to continue on error means that it is marked as completing
-        # successfully, so will not fail the job.
+    # We want this job to pass if the Action correctly uploads the SARIF file for
+    # the failed run.
+    # Setting this step to continue on error means that it is marked as completing
+    # successfully, so will not fail the job.
        continue-on-error: true
        run: exit 1
      - uses: ./analyze
-        # In a real workflow, this step wouldn't run. Since we used `continue-on-error`
-        # above, we manually disable it with an `if` condition.
+    # In a real workflow, this step wouldn't run. Since we used `continue-on-error`
+    # above, we manually disable it with an `if` condition.
        if: false
        with:
-          category: '/test-codeql-version:${{ matrix.version }}'
+          category: /test-codeql-version:${{ matrix.version }}
    env:
+  # Internal-only environment variable used to indicate that the post-init Action
+  # should expect to upload a SARIF file for the failed run.
      CODEQL_ACTION_EXPECT_UPLOAD_FAILED_SARIF: true
+  # Make sure the uploading SARIF files feature is enabled.
      CODEQL_ACTION_UPLOAD_FAILED_SARIF: true
+  # Upload the failed SARIF file as an integration test of the API endpoint.
      CODEQL_ACTION_TEST_MODE: false
+  # Mark telemetry for this workflow so it can be treated separately.
      CODEQL_ACTION_TESTING_ENVIRONMENT: codeql-action-pr-checks
+
@@ -18,9 +18,6 @@ on:
      - synchronize
      - reopened
      - ready_for_review
-  merge_group:
-    types:
-      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -18,9 +18,6 @@ on:
      - synchronize
      - reopened
      - ready_for_review
-  merge_group:
-    types:
-      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -52,7 +49,8 @@ defaults:
    shell: bash
 concurrency:
  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: swift-custom-build-${{github.ref}}-${{inputs.go-version}}-${{inputs.dotnet-version}}
+  group:
+    swift-custom-build-${{github.ref}}-${{inputs.go-version}}-${{inputs.dotnet-version}}
 jobs:
  swift-custom-build:
    strategy:
@@ -18,9 +18,6 @@ on:
      - synchronize
      - reopened
      - ready_for_review
-  merge_group:
-    types:
-      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -62,7 +59,8 @@ defaults:
    shell: bash
 concurrency:
  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: unset-environment-${{github.ref}}-${{inputs.go-version}}-${{inputs.python-version}}-${{inputs.dotnet-version}}
+  group:
+    unset-environment-${{github.ref}}-${{inputs.go-version}}-${{inputs.python-version}}-${{inputs.dotnet-version}}
 jobs:
  unset-environment:
    strategy:
@@ -108,7 +106,7 @@ jobs:
        id: init
        with:
          db-location: ${{ runner.temp }}/customDbLocation
-          # Swift is not supported on Ubuntu so we manually exclude it from the list here
+      # Swift is not supported on Ubuntu so we manually exclude it from the list here
          languages: cpp,csharp,go,java,javascript,python,ruby
          tools: ${{ steps.prepare-test.outputs.tools-url }}
      - name: Build code
@@ -18,9 +18,6 @@ on:
      - synchronize
      - reopened
      - ready_for_review
-  merge_group:
-    types:
-      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -62,7 +59,8 @@ defaults:
    shell: bash
 concurrency:
  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: upload-ref-sha-input-${{github.ref}}-${{inputs.go-version}}-${{inputs.python-version}}-${{inputs.dotnet-version}}
+  group:
+    upload-ref-sha-input-${{github.ref}}-${{inputs.go-version}}-${{inputs.python-version}}-${{inputs.dotnet-version}}
 jobs:
  upload-ref-sha-input:
    strategy:
@@ -106,18 +104,19 @@ jobs:
        with:
          tools: ${{ steps.prepare-test.outputs.tools-url }}
          languages: cpp,csharp,java,javascript,python
-          config-file: ${{ github.repository }}/tests/multi-language-repo/.github/codeql/custom-queries.yml@${{ github.sha }}
+          config-file: ${{ github.repository }}/tests/multi-language-repo/.github/codeql/custom-queries.yml@${{
+            github.sha }}
      - name: Build code
        run: ./build.sh
-      # Generate some SARIF we can upload with the upload-sarif step
+  # Generate some SARIF we can upload with the upload-sarif step
      - uses: ./../action/analyze
        with:
-          ref: 'refs/heads/main'
-          sha: '5e235361806c361d4d3f8859e3c897658025a9a2'
+          ref: refs/heads/main
+          sha: 5e235361806c361d4d3f8859e3c897658025a9a2
          upload: never
      - uses: ./../action/upload-sarif
        with:
-          ref: 'refs/heads/main'
-          sha: '5e235361806c361d4d3f8859e3c897658025a9a2'
+          ref: refs/heads/main
+          sha: 5e235361806c361d4d3f8859e3c897658025a9a2
    env:
      CODEQL_ACTION_TEST_MODE: true
@@ -18,9 +18,6 @@ on:
      - synchronize
      - reopened
      - ready_for_review
-  merge_group:
-    types:
-      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -62,7 +59,8 @@ defaults:
    shell: bash
 concurrency:
  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: upload-sarif-${{github.ref}}-${{inputs.go-version}}-${{inputs.python-version}}-${{inputs.dotnet-version}}
+  group:
+    upload-sarif-${{github.ref}}-${{inputs.go-version}}-${{inputs.python-version}}-${{inputs.dotnet-version}}
 jobs:
  upload-sarif:
    strategy:
@@ -116,11 +114,11 @@ jobs:
          analysis-kinds: ${{ matrix.analysis-kinds }}
      - name: Build code
        run: ./build.sh
-      # Generate some SARIF we can upload with the upload-sarif step
+  # Generate some SARIF we can upload with the upload-sarif step
      - uses: ./../action/analyze
        with:
-          ref: 'refs/heads/main'
-          sha: '5e235361806c361d4d3f8859e3c897658025a9a2'
+          ref: refs/heads/main
+          sha: 5e235361806c361d4d3f8859e3c897658025a9a2
          upload: never
          output: ${{ runner.temp }}/results

@@ -129,15 +127,15 @@ jobs:
        uses: ./../action/upload-sarif
        id: upload-sarif
        with:
-          ref: 'refs/heads/main'
-          sha: '5e235361806c361d4d3f8859e3c897658025a9a2'
+          ref: refs/heads/main
+          sha: 5e235361806c361d4d3f8859e3c897658025a9a2
          sarif_file: ${{ runner.temp }}/results
          category: |
            ${{ github.workflow }}:upload-sarif/analysis-kinds:${{ matrix.analysis-kinds }}/os:${{ matrix.os }}/version:${{ matrix.version }}/test:all-files/
-      - name: 'Fail for missing output from `upload-sarif` step for `code-scanning`'
+      - name: Fail for missing output from `upload-sarif` step for `code-scanning`
        if: contains(matrix.analysis-kinds, 'code-scanning') && !(fromJSON(steps.upload-sarif.outputs.sarif-ids).code-scanning)
        run: exit 1
-      - name: 'Fail for missing output from `upload-sarif` step for `code-quality`'
+      - name: Fail for missing output from `upload-sarif` step for `code-quality`
        if: contains(matrix.analysis-kinds, 'code-quality') && !(fromJSON(steps.upload-sarif.outputs.sarif-ids).code-quality)
        run: exit 1

@@ -146,26 +144,28 @@ jobs:
        id: upload-single-sarif-code-scanning
        if: contains(matrix.analysis-kinds, 'code-scanning')
        with:
-          ref: 'refs/heads/main'
-          sha: '5e235361806c361d4d3f8859e3c897658025a9a2'
+          ref: refs/heads/main
+          sha: 5e235361806c361d4d3f8859e3c897658025a9a2
          sarif_file: ${{ runner.temp }}/results/javascript.sarif
          category: |
            ${{ github.workflow }}:upload-sarif/analysis-kinds:${{ matrix.analysis-kinds }}/os:${{ matrix.os }}/version:${{ matrix.version }}/test:single-code-scanning/
-      - name: 'Fail for missing output from `upload-single-sarif-code-scanning` step'
-        if: contains(matrix.analysis-kinds, 'code-scanning') && !(fromJSON(steps.upload-single-sarif-code-scanning.outputs.sarif-ids).code-scanning)
+      - name: Fail for missing output from `upload-single-sarif-code-scanning` step
+        if: contains(matrix.analysis-kinds, 'code-scanning') &&
+          !(fromJSON(steps.upload-single-sarif-code-scanning.outputs.sarif-ids).code-scanning)
        run: exit 1
      - name: Upload single SARIF file for Code Quality
        uses: ./../action/upload-sarif
        id: upload-single-sarif-code-quality
        if: contains(matrix.analysis-kinds, 'code-quality')
        with:
-          ref: 'refs/heads/main'
-          sha: '5e235361806c361d4d3f8859e3c897658025a9a2'
+          ref: refs/heads/main
+          sha: 5e235361806c361d4d3f8859e3c897658025a9a2
          sarif_file: ${{ runner.temp }}/results/javascript.quality.sarif
          category: |
            ${{ github.workflow }}:upload-sarif/analysis-kinds:${{ matrix.analysis-kinds }}/os:${{ matrix.os }}/version:${{ matrix.version }}/test:single-code-quality/
-      - name: 'Fail for missing output from `upload-single-sarif-code-quality` step'
-        if: contains(matrix.analysis-kinds, 'code-quality') && !(fromJSON(steps.upload-single-sarif-code-quality.outputs.sarif-ids).code-quality)
+      - name: Fail for missing output from `upload-single-sarif-code-quality` step
+        if: contains(matrix.analysis-kinds, 'code-quality') &&
+          !(fromJSON(steps.upload-single-sarif-code-quality.outputs.sarif-ids).code-quality)
        run: exit 1

      - name: Change SARIF file extension
@@ -176,12 +176,12 @@ jobs:
        id: upload-single-non-sarif
        if: contains(matrix.analysis-kinds, 'code-scanning')
        with:
-          ref: 'refs/heads/main'
-          sha: '5e235361806c361d4d3f8859e3c897658025a9a2'
+          ref: refs/heads/main
+          sha: 5e235361806c361d4d3f8859e3c897658025a9a2
          sarif_file: ${{ runner.temp }}/results/javascript.sarif.json
          category: |
            ${{ github.workflow }}:upload-sarif/analysis-kinds:${{ matrix.analysis-kinds }}/os:${{ matrix.os }}/version:${{ matrix.version }}/test:non-sarif/
-      - name: 'Fail for missing output from `upload-single-non-sarif` step'
+      - name: Fail for missing output from `upload-single-non-sarif` step
        if: contains(matrix.analysis-kinds, 'code-scanning') && !(fromJSON(steps.upload-single-non-sarif.outputs.sarif-ids).code-scanning)
        run: exit 1
    env:
@@ -18,9 +18,6 @@ on:
      - synchronize
      - reopened
      - ready_for_review
-  merge_group:
-    types:
-      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -62,7 +59,8 @@ defaults:
    shell: bash
 concurrency:
  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: with-checkout-path-${{github.ref}}-${{inputs.go-version}}-${{inputs.python-version}}-${{inputs.dotnet-version}}
+  group:
+    with-checkout-path-${{github.ref}}-${{inputs.go-version}}-${{inputs.python-version}}-${{inputs.dotnet-version}}
 jobs:
  with-checkout-path:
    strategy:
@@ -79,7 +77,6 @@ jobs:
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
-      # This ensures we don't accidentally use the original checkout for any part of the test.
      - name: Check out repository
        uses: actions/checkout@v6
      - name: Prepare test
@@ -109,8 +106,8 @@ jobs:
          # Actions does not support deleting the current working directory, so we
          # delete the contents of the directory instead.
          rm -rf ./* .github .git
-      # Check out the actions repo again, but at a different location.
-      # choose an arbitrary SHA so that we can later test that the commit_oid is not from main
+  # Check out the actions repo again, but at a different location.
+  # choose an arbitrary SHA so that we can later test that the commit_oid is not from main
      - uses: actions/checkout@v6
        with:
          ref: 474bbf07f9247ffe1856c6a0f94aeeb10e7afee6
@@ -119,7 +116,7 @@ jobs:
      - uses: ./../action/init
        with:
          tools: ${{ steps.prepare-test.outputs.tools-url }}
-          # it's enough to test one compiled language and one interpreted language
+      # it's enough to test one compiled language and one interpreted language
          languages: csharp,javascript
          source-root: x/y/z/some-path/tests/multi-language-repo

@@ -7,8 +7,6 @@ on:
    # Run checks on reopened draft PRs to support triggering PR checks on draft PRs that were opened
    # by other workflows.
    types: [opened, synchronize, reopened, ready_for_review]
-  merge_group:
-    types: [checks_requested]
  schedule:
    # Weekly on Sunday.
    - cron: '30 1 * * 0'
@@ -31,29 +29,34 @@ jobs:

    permissions:
      contents: read
-      # We currently need `security-events: read` to access feature flags.
-      security-events: read

    steps:
    - uses: actions/checkout@v6
-    - name: Set up default CodeQL bundle
-      id: setup-default
-      uses: ./setup-codeql
-    - name: Set up linked CodeQL bundle
-      id: setup-linked
-      uses: ./setup-codeql
+    - name: Init with default CodeQL bundle from the VM image
+      id: init-default
+      uses: ./init
+      with:
+        languages: javascript
+    - name: Remove empty database
+      # allows us to run init a second time
+      run: |
+        rm -rf "$RUNNER_TEMP/codeql_databases"
+    - name: Init with latest CodeQL bundle
+      id: init-latest
+      uses: ./init
      with:
        tools: linked
-    - name: Compare default and linked CodeQL bundle versions
+        languages: javascript
+    - name: Compare default and latest CodeQL bundle versions
      id: compare
      env:
-        CODEQL_DEFAULT: ${{ steps.setup-default.outputs.codeql-path }}
-        CODEQL_LINKED: ${{ steps.setup-linked.outputs.codeql-path }}
+        CODEQL_DEFAULT: ${{ steps.init-default.outputs.codeql-path }}
+        CODEQL_LATEST: ${{ steps.init-latest.outputs.codeql-path }}
      run: |
        CODEQL_VERSION_DEFAULT="$("$CODEQL_DEFAULT" version --format terse)"
-        CODEQL_VERSION_LINKED="$("$CODEQL_LINKED" version --format terse)"
+        CODEQL_VERSION_LATEST="$("$CODEQL_LATEST" version --format terse)"
        echo "Default CodeQL bundle version is $CODEQL_VERSION_DEFAULT"
-        echo "Linked CodeQL bundle version is $CODEQL_VERSION_LINKED"
+        echo "Latest CodeQL bundle version is $CODEQL_VERSION_LATEST"

        # If we're running on a pull request, run with both bundles, even if `tools: linked` would
        # be the same as `tools: null`. This allows us to make the job for each of the bundles a
@@ -61,7 +64,7 @@ jobs:
        #
        # If we're running on push or schedule, then we can skip running with `tools: linked` when it would be
        # the same as running with `tools: null`.
-        if [[ "$GITHUB_EVENT_NAME" != "pull_request" && "$GITHUB_EVENT_NAME" != "merge_group" && "$CODEQL_VERSION_DEFAULT" == "$CODEQL_VERSION_LINKED" ]]; then
+        if [[ "$GITHUB_EVENT_NAME" != "pull_request" && "$CODEQL_VERSION_DEFAULT" == "$CODEQL_VERSION_LATEST" ]]; then
          VERSIONS_JSON='[null]'
        else
          VERSIONS_JSON='[null, "linked"]'
@@ -105,7 +108,7 @@ jobs:
      uses: ./analyze
      with:
        category: "/language:javascript"
-        upload: ${{ (matrix.os == 'ubuntu-24.04' && !matrix.tools && github.event_name != 'merge_group' && 'always' ) || 'never' }}
+        upload: ${{ (matrix.os == 'ubuntu-24.04' && !matrix.tools && 'always') || 'never' }}

  analyze-other:
    if: github.triggering_actor != 'dependabot[bot]'
@@ -140,4 +143,3 @@ jobs:
      uses: ./analyze
      with:
        category: "/language:${{ matrix.language }}"
-        upload: ${{ (github.event_name != 'merge_group' && 'always') || 'never' }}
@@ -11,8 +11,6 @@ env:
  CODEQL_ACTION_OVERLAY_ANALYSIS: true
  CODEQL_ACTION_OVERLAY_ANALYSIS_JAVASCRIPT: false
  CODEQL_ACTION_OVERLAY_ANALYSIS_CODE_SCANNING_JAVASCRIPT: true
-  CODEQL_ACTION_OVERLAY_ANALYSIS_STATUS_CHECK: false
-  CODEQL_ACTION_OVERLAY_ANALYSIS_SKIP_RESOURCE_CHECKS: true

 on:
  push:
@@ -25,11 +23,9 @@ on:
    - synchronize
    - reopened
    - ready_for_review
-  merge_group:
-    types: [checks_requested]
  schedule:
    - cron: '0 5 * * *'
-  workflow_dispatch:
+  workflow_dispatch: {}

 defaults:
  run:
@@ -14,11 +14,9 @@ on:
    - synchronize
    - reopened
    - ready_for_review
-  merge_group:
-    types: [checks_requested]
  schedule:
    - cron: '0 5 * * *'
-  workflow_dispatch:
+  workflow_dispatch: {}

 defaults:
  run:
@@ -41,8 +39,6 @@ jobs:
      CODEQL_ACTION_TEST_MODE: true
    permissions:
      contents: read
-      # We currently need `security-events: read` to access feature flags.
-      security-events: read
    timeout-minutes: 45
    runs-on: ubuntu-latest
    steps:
@@ -13,11 +13,9 @@ on:
    - synchronize
    - reopened
    - ready_for_review
-  merge_group:
-    types: [checks_requested]
  schedule:
    - cron: '0 5 * * *'
-  workflow_dispatch:
+  workflow_dispatch: {}

 defaults:
  run:
@@ -40,8 +38,6 @@ jobs:
    timeout-minutes: 45
    permissions:
      contents: read
-      # We currently need `security-events: read` to access feature flags.
-      security-events: read
    runs-on: ubuntu-latest
    steps:
      - name: Check out repository
@@ -6,8 +6,6 @@ on:
    # Run checks on reopened draft PRs to support triggering PR checks on draft PRs that were opened
    # by other workflows.
    types: [opened, synchronize, reopened, ready_for_review]
-  merge_group:
-    types: [checks_requested]
  workflow_dispatch:

 defaults:
@@ -42,6 +40,11 @@ jobs:
          node-version: ${{ matrix.node-version }}
          cache: 'npm'

+      - name: Set up Python
+        uses: actions/setup-python@v6
+        with:
+          python-version: 3.11
+
      - name: Install dependencies
        run: |
          # Use the system Bash shell to ensure we can run commands like `npm ci`
@@ -63,7 +66,7 @@ jobs:
      - name: Run pr-checks tests
        if: always()
        working-directory: pr-checks
-        run: npm ci && npx tsx --test
+        run: python -m unittest discover

      - name: Lint
        if: always() && matrix.os != 'windows-latest'
@@ -77,7 +80,7 @@ jobs:
          category: eslint

  check-node-version:
-    if: github.triggering_actor != 'dependabot[bot]'
+    if: github.event.pull_request && github.triggering_actor != 'dependabot[bot]'
    name: Check Action Node versions
    runs-on: ubuntu-latest
    timeout-minutes: 45
@@ -7,8 +7,6 @@ on:
    # Run checks on reopened draft PRs to support triggering PR checks on draft PRs that were opened
    # by other workflows.
    types: [opened, synchronize, reopened, ready_for_review]
-  merge_group:
-    types: [checks_requested]
  schedule:
    # Weekly on Monday.
    - cron: '0 0 * * 1'
@@ -26,8 +24,6 @@ jobs:
    timeout-minutes: 45
    permissions:
      contents: read
-      # We currently need `security-events: read` to access feature flags.
-      security-events: read
    runs-on: windows-latest

    steps:
@@ -11,11 +11,9 @@ on:
    - synchronize
    - reopened
    - ready_for_review
-  merge_group:
-    types: [checks_requested]
  schedule:
    - cron: '0 5 * * *'
-  workflow_dispatch:
+  workflow_dispatch: {}

 defaults:
  run:
@@ -73,17 +73,24 @@ jobs:
          npm run lint -- --fix
          npm run build

+      - name: Set up Python
+        uses: actions/setup-python@v6
+        with:
+          python-version: 3.11
+
      - name: Sync back version updates to generated workflows
        # Only sync back versions on Dependabot update PRs
        if: startsWith(env.HEAD_REF, 'dependabot/')
        working-directory: pr-checks
        run: |
-          npm ci
-          npx tsx sync_back.ts --verbose
+          python3 sync_back.py -v

      - name: Generate workflows
        working-directory: pr-checks
-        run: ./sync.sh
+        run: |
+          python -m pip install --upgrade pip
+          pip install ruamel.yaml==0.17.31
+          python3 sync.py

      - name: "Merge in progress: Finish merge and push"
        if: steps.merge.outputs.merge-in-progress == 'true'
@@ -29,7 +29,7 @@ fi
 echo "Getting checks for $GITHUB_SHA"

 # Ignore any checks with "https://", CodeQL, LGTM, Update, and ESLint checks.
-CHECKS="$(gh api repos/github/codeql-action/commits/"${GITHUB_SHA}"/check-runs --paginate | jq --slurp --compact-output --raw-output '[.[].check_runs.[] | select(.conclusion != "skipped") | .name | select(contains("https://") or . == "CodeQL" or . == "Dependabot" or . == "check-expected-release-files" or contains("Update") or contains("ESLint") or contains("update") or contains("test-setup-python-scripts") or . == "Agent" or . == "Cleanup artifacts" or . == "Prepare" or . == "Upload results" or . == "Label PR with size" | not)] | unique | sort')"
+CHECKS="$(gh api repos/github/codeql-action/commits/"${GITHUB_SHA}"/check-runs --paginate | jq --slurp --compact-output --raw-output '[.[].check_runs.[] | select(.conclusion != "skipped") | .name | select(contains("https://") or . == "CodeQL" or . == "Dependabot" or . == "check-expected-release-files" or contains("Update") or contains("ESLint") or contains("update") or contains("test-setup-python-scripts") or . == "Agent" or . == "Cleanup artifacts" or . == "Prepare" or . == "Upload results" | not)] | unique | sort')"

 echo "$CHECKS" | jq

@@ -19,7 +19,7 @@ if [ ! -z "$(git status --porcelain)" ]; then
    # If we get a fail here then the PR needs attention
    git diff
    git status
-    >&2 echo "Failed: PR checks are not up to date. Run 'cd pr-checks && ./sync.sh' to update"
+    >&2 echo "Failed: PR checks are not up to date. Run 'cd pr-checks && python3 sync.py' to update"

    echo "### Generated workflows diff" >> $GITHUB_STEP_SUMMARY
    echo "" >> $GITHUB_STEP_SUMMARY
@@ -13,11 +13,9 @@ on:
    - synchronize
    - reopened
    - ready_for_review
-  merge_group:
-    types: [checks_requested]
  schedule:
    - cron: '0 5 * * *'
-  workflow_dispatch:
+  workflow_dispatch: {}
 defaults:
  run:
    shell: bash
@@ -6,16 +6,6 @@ See the [releases page](https://github.com/github/codeql-action/releases) for th

 No user facing changes.

-## 4.32.5 - 02 Mar 2026
-
- Repositories owned by an organization can now set up the `github-codeql-disable-overlay` custom repository property to disable [improved incremental analysis for CodeQL](https://github.com/github/roadmap/issues/1158). First, create a custom repository property with the name `github-codeql-disable-overlay` and the type "True/false" in the organization's settings. Then in the repository's settings, set this property to `true` to disable improved incremental analysis. For more information, see [Managing custom properties for repositories in your organization](https://docs.github.com/en/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization). This feature is not yet available on GitHub Enterprise Server. [#3507](https://github.com/github/codeql-action/pull/3507)
- Added an experimental change so that when [improved incremental analysis](https://github.com/github/roadmap/issues/1158) fails on a runner — potentially due to insufficient disk space — the failure is recorded in the Actions cache so that subsequent runs will automatically skip improved incremental analysis until something changes (e.g. a larger runner is provisioned or a new CodeQL version is released). We expect to roll this change out to everyone in March. [#3487](https://github.com/github/codeql-action/pull/3487)
- The minimum memory check for improved incremental analysis is now skipped for CodeQL 2.24.3 and later, which has reduced peak RAM usage. [#3515](https://github.com/github/codeql-action/pull/3515)
- Reduced log levels for best-effort private package registry connection check failures to reduce noise from workflow annotations. [#3516](https://github.com/github/codeql-action/pull/3516)
- Added an experimental change which lowers the minimum disk space requirement for [improved incremental analysis](https://github.com/github/roadmap/issues/1158), enabling it to run on standard GitHub Actions runners. We expect to roll this change out to everyone in March. [#3498](https://github.com/github/codeql-action/pull/3498)
- Added an experimental change which allows the `start-proxy` action to resolve the CodeQL CLI version from feature flags instead of using the linked CLI bundle version. We expect to roll this change out to everyone in March. [#3512](https://github.com/github/codeql-action/pull/3512)
- The previously experimental changes from versions 4.32.3, 4.32.4, 3.32.3 and 3.32.4 are now enabled by default. [#3503](https://github.com/github/codeql-action/pull/3503), [#3504](https://github.com/github/codeql-action/pull/3504)
-
 ## 4.32.4 - 20 Feb 2026

 - Update default CodeQL bundle version to [2.24.2](https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.24.2). [#3493](https://github.com/github/codeql-action/pull/3493)
@@ -92,7 +92,7 @@ We typically deprecate a version of CodeQL when the GitHub Enterprise Server (GH
 1. Remove support for the old version of CodeQL.
    - Bump `CODEQL_MINIMUM_VERSION` in `src/codeql.ts` to the new minimum version of CodeQL.
    - Remove any code that is only needed to support the old version of CodeQL. This is often behind a version guard, so look for instances of version numbers between the old minimum version and the new minimum version in the codebase. A good place to start is the list of version numbers in `src/codeql.ts`.
-    - Update the default set of CodeQL test versions in `pr-checks/sync.ts`.
+    - Update the default set of CodeQL test versions in `pr-checks/sync.py`.
        - Remove the old minimum version of CodeQL.
        - Add the latest patch release for any new CodeQL minor version series that have shipped in GHES.
        - Run the script to update the generated PR checks.
@@ -72,12 +72,10 @@ We typically release new minor versions of the CodeQL Action and Bundle when a n

 | Minimum CodeQL Action | Minimum CodeQL Bundle Version | GitHub Environment | Notes |
 |-----------------------|-------------------------------|--------------------|-------|
-| `v4.31.10` | `2.23.9` | Enterprise Server 3.20 | |
-| `v3.29.11` | `2.22.4` | Enterprise Server 3.19 | |
-| `v3.28.21` | `2.21.3` | Enterprise Server 3.18 | |
-| `v3.28.12` | `2.20.7` | Enterprise Server 3.17 | |
-| `v3.28.6` | `2.20.3` | Enterprise Server 3.16 | |
-| `v3.28.6` | `2.20.3` | Enterprise Server 3.15 | |
+| `v3.28.21`  | `2.21.3` | Enterprise Server 3.18 | |
+| `v3.28.12`  | `2.20.7` | Enterprise Server 3.17 | |
+| `v3.28.6`  | `2.20.3` | Enterprise Server 3.16 | |
+| `v3.28.6`  | `2.20.3` | Enterprise Server 3.15 | |
 | `v3.28.6` | `2.20.3` | Enterprise Server 3.14 | |

 See the full list of GHES release and deprecation dates at [GitHub Enterprise Server releases](https://docs.github.com/en/enterprise-server/admin/all-releases#releases-of-github-enterprise-server).
@@ -21,7 +21,6 @@ export default [
      "build.mjs",
      "eslint.config.mjs",
      ".github/**/*",
-      "pr-checks/**/*",
    ],
  },
  // eslint recommended config
@@ -159,11 +159,6 @@ inputs:
    description: >-
      Explicitly enable or disable caching of project build dependencies.
    required: false
-  check-run-id:
-    description: >-
-      [Internal] The ID of the check run, as provided by the Actions runtime environment. Do not set this value manually.
-    default: ${{ job.check_run_id }}
-    required: false
 outputs:
  codeql-path:
    description: The path of the CodeQL binary used for analysis
@@ -1,12 +1,12 @@
 {
  "name": "codeql",
-  "version": "4.32.6",
+  "version": "4.32.5",
  "lockfileVersion": 3,
  "requires": true,
  "packages": {
    "": {
      "name": "codeql",
-      "version": "4.32.6",
+      "version": "4.32.5",
      "license": "MIT",
      "dependencies": {
        "@actions/artifact": "^5.0.3",
@@ -43,7 +43,6 @@
        "@types/js-yaml": "^4.0.9",
        "@types/node": "^20.19.9",
        "@types/node-forge": "^1.3.14",
-        "@types/sarif": "^2.1.7",
        "@types/semver": "^7.7.1",
        "@types/sinon": "^21.0.0",
        "ava": "^6.4.1",
@@ -52,10 +51,10 @@
        "eslint-import-resolver-typescript": "^3.8.7",
        "eslint-plugin-github": "^6.0.0",
        "eslint-plugin-import-x": "^4.16.1",
-        "eslint-plugin-jsdoc": "^62.6.0",
+        "eslint-plugin-jsdoc": "^62.5.0",
        "eslint-plugin-no-async-foreach": "^0.1.1",
        "glob": "^11.1.0",
-        "globals": "^17.3.0",
+        "globals": "^16.5.0",
        "nock": "^14.0.11",
        "sinon": "^21.0.1",
        "typescript": "^5.9.3",
@@ -850,17 +849,17 @@
      }
    },
    "node_modules/@es-joy/jsdoccomment": {
-      "version": "0.84.0",
-      "resolved": "https://registry.npmjs.org/@es-joy/jsdoccomment/-/jsdoccomment-0.84.0.tgz",
-      "integrity": "sha512-0xew1CxOam0gV5OMjh2KjFQZsKL2bByX1+q4j3E73MpYIdyUxcZb/xQct9ccUb+ve5KGUYbCUxyPnYB7RbuP+w==",
+      "version": "0.83.0",
+      "resolved": "https://registry.npmjs.org/@es-joy/jsdoccomment/-/jsdoccomment-0.83.0.tgz",
+      "integrity": "sha512-e1MHSEPJ4m35zkBvNT6kcdeH1SvMaJDsPC3Xhfseg3hvF50FUE3f46Yn36jgbrPYYXezlWUQnevv23c+lx2MCA==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
        "@types/estree": "^1.0.8",
-        "@typescript-eslint/types": "^8.54.0",
+        "@typescript-eslint/types": "^8.53.1",
        "comment-parser": "1.4.5",
        "esquery": "^1.7.0",
-        "jsdoc-type-pratt-parser": "~7.1.1"
+        "jsdoc-type-pratt-parser": "~7.1.0"
      },
      "engines": {
        "node": "^20.19.0 || ^22.13.0 || >=24"
@@ -1608,6 +1607,27 @@
        "url": "https://github.com/sponsors/nzakas"
      }
    },
+    "node_modules/@isaacs/balanced-match": {
+      "version": "4.0.1",
+      "resolved": "https://registry.npmjs.org/@isaacs/balanced-match/-/balanced-match-4.0.1.tgz",
+      "integrity": "sha512-yzMTt9lEb8Gv7zRioUilSglI0c0smZ9k5D65677DLWLtWJaXIS3CqcGyUFByYKlnUj6TkjLVs54fBl6+TiGQDQ==",
+      "license": "MIT",
+      "engines": {
+        "node": "20 || >=22"
+      }
+    },
+    "node_modules/@isaacs/brace-expansion": {
+      "version": "5.0.1",
+      "resolved": "https://registry.npmjs.org/@isaacs/brace-expansion/-/brace-expansion-5.0.1.tgz",
+      "integrity": "sha512-WMz71T1JS624nWj2n2fnYAuPovhv7EUhk69R6i9dsVyzxt5eM3bjwvgk9L+APE1TRscGysAVMANkB0jh0LQZrQ==",
+      "license": "MIT",
+      "dependencies": {
+        "@isaacs/balanced-match": "^4.0.1"
+      },
+      "engines": {
+        "node": "20 || >=22"
+      }
+    },
    "node_modules/@isaacs/cliui": {
      "version": "8.0.2",
      "resolved": "https://registry.npmjs.org/@isaacs/cliui/-/cliui-8.0.2.tgz",
@@ -2523,13 +2543,6 @@
        "@types/node": "*"
      }
    },
-    "node_modules/@types/sarif": {
-      "version": "2.1.7",
-      "resolved": "https://registry.npmjs.org/@types/sarif/-/sarif-2.1.7.tgz",
-      "integrity": "sha512-kRz0VEkJqWLf1LLVN4pT1cg1Z9wAuvI6L97V3m2f5B76Tg8d413ddvLBPTEHAZJlnn4XSvu0FkZtViCQGVyrXQ==",
-      "dev": true,
-      "license": "MIT"
-    },
    "node_modules/@types/semver": {
      "version": "7.7.1",
      "resolved": "https://registry.npmjs.org/@types/semver/-/semver-7.7.1.tgz",
@@ -2823,13 +2836,13 @@
      }
    },
    "node_modules/@typescript-eslint/typescript-estree/node_modules/minimatch": {
-      "version": "9.0.9",
-      "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-9.0.9.tgz",
-      "integrity": "sha512-OBwBN9AL4dqmETlpS2zasx+vTeWclWzkblfZk7KTA5j3jeOONz/tRCnZomUyvNg83wL5Zv9Ss6HMJXAgL8R2Yg==",
+      "version": "9.0.5",
+      "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-9.0.5.tgz",
+      "integrity": "sha512-G6T0ZX48xgozx7587koeX9Ys2NYy6Gmv//P89sEte9V9whIapMNF4idKxnW2QtCcLiTWlb/wfCabAtAFWhhBow==",
      "dev": true,
      "license": "ISC",
      "dependencies": {
-        "brace-expansion": "^2.0.2"
+        "brace-expansion": "^2.0.1"
      },
      "engines": {
        "node": ">=16 || 14 >=14.17"
@@ -5006,19 +5019,6 @@
        "node": "^18.18.0 || ^20.9.0 || >=21.1.0"
      }
    },
-    "node_modules/eslint-plugin-github/node_modules/globals": {
-      "version": "16.5.0",
-      "resolved": "https://registry.npmjs.org/globals/-/globals-16.5.0.tgz",
-      "integrity": "sha512-c/c15i26VrJ4IRt5Z89DnIzCGDn9EcebibhAOjw5ibqEHsE1wLUgkPn9RDmNcUKyU87GeaL633nyJ+pplFR2ZQ==",
-      "dev": true,
-      "license": "MIT",
-      "engines": {
-        "node": ">=18"
-      },
-      "funding": {
-        "url": "https://github.com/sponsors/sindresorhus"
-      }
-    },
    "node_modules/eslint-plugin-i18n-text": {
      "version": "1.0.1",
      "dev": true,
@@ -5122,9 +5122,9 @@
      }
    },
    "node_modules/eslint-plugin-import-x/node_modules/minimatch": {
-      "version": "10.2.4",
-      "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-10.2.4.tgz",
-      "integrity": "sha512-oRjTw/97aTBN0RHbYCdtF1MQfvusSIBQM0IZEgzl6426+8jSC0nF1a/GmnVLpfB9yyr6g6FTqWqiZVbxrtaCIg==",
+      "version": "10.2.2",
+      "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-10.2.2.tgz",
+      "integrity": "sha512-+G4CpNBxa5MprY+04MbgOw1v7So6n5JY166pFi9KfYwT78fxScCeSNQSNzp6dpPSW2rONOps6Ocam1wFhCgoVw==",
      "dev": true,
      "license": "BlueOak-1.0.0",
      "dependencies": {
@@ -5146,13 +5146,13 @@
      }
    },
    "node_modules/eslint-plugin-jsdoc": {
-      "version": "62.6.0",
-      "resolved": "https://registry.npmjs.org/eslint-plugin-jsdoc/-/eslint-plugin-jsdoc-62.6.0.tgz",
-      "integrity": "sha512-Z18zZD1Q2m9usqFbAzb30z+lF8bzE4WiUy+dfOXljJlZ1Jm5uhkuAWfGV97FYyh+WlKfrvpDYs+s1z45eZWMfA==",
+      "version": "62.5.0",
+      "resolved": "https://registry.npmjs.org/eslint-plugin-jsdoc/-/eslint-plugin-jsdoc-62.5.0.tgz",
+      "integrity": "sha512-D+1haMVDzW/ZMoPwOnsbXCK07rJtsq98Z1v+ApvDKxSzYTTcPgmFc/nyUDCGmxm2cP7g7hszyjYHO7Zodl/43w==",
      "dev": true,
      "license": "BSD-3-Clause",
      "dependencies": {
-        "@es-joy/jsdoccomment": "~0.84.0",
+        "@es-joy/jsdoccomment": "~0.83.0",
        "@es-joy/resolve.exports": "1.2.0",
        "are-docs-informative": "^0.0.2",
        "comment-parser": "1.4.5",
@@ -5637,22 +5637,10 @@
      "dev": true,
      "license": "MIT"
    },
-    "node_modules/fast-xml-builder": {
-      "version": "1.0.0",
-      "resolved": "https://registry.npmjs.org/fast-xml-builder/-/fast-xml-builder-1.0.0.tgz",
-      "integrity": "sha512-fpZuDogrAgnyt9oDDz+5DBz0zgPdPZz6D4IR7iESxRXElrlGTRkHJ9eEt+SACRJwT0FNFrt71DFQIUFBJfX/uQ==",
-      "funding": [
-        {
-          "type": "github",
-          "url": "https://github.com/sponsors/NaturalIntelligence"
-        }
-      ],
-      "license": "MIT"
-    },
    "node_modules/fast-xml-parser": {
-      "version": "5.4.1",
-      "resolved": "https://registry.npmjs.org/fast-xml-parser/-/fast-xml-parser-5.4.1.tgz",
-      "integrity": "sha512-BQ30U1mKkvXQXXkAGcuyUA/GA26oEB7NzOtsxCDtyu62sjGw5QraKFhx2Em3WQNjPw9PG6MQ9yuIIgkSDfGu5A==",
+      "version": "5.3.6",
+      "resolved": "https://registry.npmjs.org/fast-xml-parser/-/fast-xml-parser-5.3.6.tgz",
+      "integrity": "sha512-QNI3sAvSvaOiaMl8FYU4trnEzCwiRr8XMWgAHzlrWpTSj+QaCSvOf1h82OEP1s4hiAXhnbXSyFWCf4ldZzZRVA==",
      "funding": [
        {
          "type": "github",
@@ -5661,7 +5649,6 @@
      ],
      "license": "MIT",
      "dependencies": {
-        "fast-xml-builder": "^1.0.0",
        "strnum": "^2.1.2"
      },
      "bin": {
@@ -6023,46 +6010,25 @@
        "node": ">= 6"
      }
    },
-    "node_modules/glob/node_modules/balanced-match": {
-      "version": "4.0.4",
-      "resolved": "https://registry.npmjs.org/balanced-match/-/balanced-match-4.0.4.tgz",
-      "integrity": "sha512-BLrgEcRTwX2o6gGxGOCNyMvGSp35YofuYzw9h1IMTRmKqttAZZVU67bdb9Pr2vUHA8+j3i2tJfjO6C6+4myGTA==",
-      "license": "MIT",
-      "engines": {
-        "node": "18 || 20 || >=22"
-      }
-    },
-    "node_modules/glob/node_modules/brace-expansion": {
-      "version": "5.0.3",
-      "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-5.0.3.tgz",
-      "integrity": "sha512-fy6KJm2RawA5RcHkLa1z/ScpBeA762UF9KmZQxwIbDtRJrgLzM10depAiEQ+CXYcoiqW1/m96OAAoke2nE9EeA==",
-      "license": "MIT",
-      "dependencies": {
-        "balanced-match": "^4.0.2"
-      },
-      "engines": {
-        "node": "18 || 20 || >=22"
-      }
-    },
    "node_modules/glob/node_modules/minimatch": {
-      "version": "10.2.4",
-      "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-10.2.4.tgz",
-      "integrity": "sha512-oRjTw/97aTBN0RHbYCdtF1MQfvusSIBQM0IZEgzl6426+8jSC0nF1a/GmnVLpfB9yyr6g6FTqWqiZVbxrtaCIg==",
+      "version": "10.1.1",
+      "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-10.1.1.tgz",
+      "integrity": "sha512-enIvLvRAFZYXJzkCYG5RKmPfrFArdLv+R+lbQ53BmIMLIry74bjKzX6iHAm8WYamJkhSSEabrWN5D97XnKObjQ==",
      "license": "BlueOak-1.0.0",
      "dependencies": {
-        "brace-expansion": "^5.0.2"
+        "@isaacs/brace-expansion": "^5.0.0"
      },
      "engines": {
-        "node": "18 || 20 || >=22"
+        "node": "20 || >=22"
      },
      "funding": {
        "url": "https://github.com/sponsors/isaacs"
      }
    },
    "node_modules/globals": {
-      "version": "17.3.0",
-      "resolved": "https://registry.npmjs.org/globals/-/globals-17.3.0.tgz",
-      "integrity": "sha512-yMqGUQVVCkD4tqjOJf3TnrvaaHDMYp4VlUSObbkIiuCPe/ofdMBFIAcBbCSRFWOnos6qRiTVStDwqPLUclaxIw==",
+      "version": "16.5.0",
+      "resolved": "https://registry.npmjs.org/globals/-/globals-16.5.0.tgz",
+      "integrity": "sha512-c/c15i26VrJ4IRt5Z89DnIzCGDn9EcebibhAOjw5ibqEHsE1wLUgkPn9RDmNcUKyU87GeaL633nyJ+pplFR2ZQ==",
      "dev": true,
      "license": "MIT",
      "engines": {
@@ -6930,9 +6896,9 @@
      }
    },
    "node_modules/jsdoc-type-pratt-parser": {
-      "version": "7.1.1",
-      "resolved": "https://registry.npmjs.org/jsdoc-type-pratt-parser/-/jsdoc-type-pratt-parser-7.1.1.tgz",
-      "integrity": "sha512-/2uqY7x6bsrpi3i9LVU6J89352C0rpMk0as8trXxCtvd4kPk1ke/Eyif6wqfSLvoNJqcDG9Vk4UsXgygzCt2xA==",
+      "version": "7.1.0",
+      "resolved": "https://registry.npmjs.org/jsdoc-type-pratt-parser/-/jsdoc-type-pratt-parser-7.1.0.tgz",
+      "integrity": "sha512-SX7q7XyCwzM/MEDCYz0l8GgGbJAACGFII9+WfNYr5SLEKukHWRy2Jk3iWRe7P+lpYJNs7oQ+OSei4JtKGUjd7A==",
      "dev": true,
      "license": "MIT",
      "engines": {
@@ -7261,9 +7227,7 @@
      }
    },
    "node_modules/minimatch": {
-      "version": "3.1.5",
-      "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-3.1.5.tgz",
-      "integrity": "sha512-VgjWUsnnT6n+NUk6eZq77zeFdpW2LWDzP6zFGrCbHXiYNul5Dzqk2HHQ5uFH2DNW5Xbp8+jVzaeNt94ssEEl4w==",
+      "version": "3.1.2",
      "license": "ISC",
      "dependencies": {
        "brace-expansion": "^1.1.7"
@@ -7949,9 +7913,9 @@
      }
    },
    "node_modules/readdir-glob/node_modules/minimatch": {
-      "version": "5.1.9",
-      "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-5.1.9.tgz",
-      "integrity": "sha512-7o1wEA2RyMP7Iu7GNba9vc0RWWGACJOCZBJX2GJWip0ikV+wcOsgVuY9uE8CPiyQhkGFSlhuSkZPavN7u1c2Fw==",
+      "version": "5.1.6",
+      "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-5.1.6.tgz",
+      "integrity": "sha512-lKwV/1brpG6mBUFHtb7NUmtABCb2WZZmm2wNiOA5hAb8VdCS4B3dtMWyvcoViccwAW/COERjXLt0zP1zXUN26g==",
      "license": "ISC",
      "dependencies": {
        "brace-expansion": "^2.0.1"
@@ -1,6 +1,6 @@
 {
  "name": "codeql",
-  "version": "4.32.6",
+  "version": "4.32.5",
  "private": true,
  "description": "CodeQL action",
  "scripts": {
@@ -9,7 +9,7 @@
    "lint": "eslint --report-unused-disable-directives --max-warnings=0 .",
    "lint-ci": "SARIF_ESLINT_IGNORE_SUPPRESSED=true eslint --report-unused-disable-directives --max-warnings=0 . --format @microsoft/eslint-formatter-sarif --output-file=eslint.sarif",
    "lint-fix": "eslint --report-unused-disable-directives --max-warnings=0 . --fix",
-    "ava": "npm run transpile && ava --verbose",
+    "ava": "npm run transpile && ava --serial --verbose",
    "test": "npm run ava -- src/",
    "test-debug": "npm run test -- --timeout=20m",
    "transpile": "tsc --build --verbose"
@@ -58,7 +58,6 @@
    "@types/js-yaml": "^4.0.9",
    "@types/node": "^20.19.9",
    "@types/node-forge": "^1.3.14",
-    "@types/sarif": "^2.1.7",
    "@types/semver": "^7.7.1",
    "@types/sinon": "^21.0.0",
    "ava": "^6.4.1",
@@ -67,10 +66,10 @@
    "eslint-import-resolver-typescript": "^3.8.7",
    "eslint-plugin-github": "^6.0.0",
    "eslint-plugin-import-x": "^4.16.1",
-    "eslint-plugin-jsdoc": "^62.6.0",
+    "eslint-plugin-jsdoc": "^62.5.0",
    "eslint-plugin-no-async-foreach": "^0.1.1",
    "glob": "^11.1.0",
-    "globals": "^17.3.0",
+    "globals": "^16.5.0",
    "nock": "^14.0.11",
    "sinon": "^21.0.1",
    "typescript": "^5.9.3",
@@ -1 +1,3 @@
-node_modules/
+env
+__pycache__/
+*.pyc
@@ -5,7 +5,7 @@ description: >
  autobuild Action.
 operatingSystems: ["ubuntu", "windows"]
 versions: ["linked", "nightly-latest"]
-installJava: true
+installJava: "true"
 env:
  CODEQL_ACTION_AUTOBUILD_BUILD_MODE_DIRECT_TRACING: true
 steps:
@@ -2,8 +2,8 @@ name: "Build mode autobuild"
 description: "An end-to-end integration test of a Java repository built using 'build-mode: autobuild'"
 operatingSystems: ["ubuntu", "windows"]
 versions: ["linked", "nightly-latest"]
-installJava: true
-installYq: true
+installJava: "true"
+installYq: "true"
 steps:
  - name: Set up Java test repo configuration
    run: |
@@ -11,5 +11,5 @@ steps:
      tools: ${{ steps.prepare-test.outputs.tools-url }}
      languages: javascript
  - name: Fail if the CodeQL version is not a nightly
-    if: ${{ !contains(steps.init.outputs.codeql-version, '+') }}
+    if: "!contains(steps.init.outputs.codeql-version, '+')"
    run: exit 1
@@ -32,16 +32,16 @@ steps:
      category: |
        ${{ github.workflow }}:upload-sarif/analysis-kinds:${{ matrix.analysis-kinds }}/os:${{ matrix.os }}/version:${{ matrix.version }}/test:all-files/
  - name: "Fail for missing output from `upload-sarif` step for `code-scanning`"
-    if: contains(matrix.analysis-kinds, 'code-scanning') && !(fromJSON(steps.upload-sarif.outputs.sarif-ids).code-scanning)
+    if: "contains(matrix.analysis-kinds, 'code-scanning') && !(fromJSON(steps.upload-sarif.outputs.sarif-ids).code-scanning)"
    run: exit 1
  - name: "Fail for missing output from `upload-sarif` step for `code-quality`"
-    if: contains(matrix.analysis-kinds, 'code-quality') && !(fromJSON(steps.upload-sarif.outputs.sarif-ids).code-quality)
+    if: "contains(matrix.analysis-kinds, 'code-quality') && !(fromJSON(steps.upload-sarif.outputs.sarif-ids).code-quality)"
    run: exit 1

  - name: Upload single SARIF file for Code Scanning
    uses: ./../action/upload-sarif
    id: upload-single-sarif-code-scanning
-    if: contains(matrix.analysis-kinds, 'code-scanning')
+    if: "contains(matrix.analysis-kinds, 'code-scanning')"
    with:
      ref: 'refs/heads/main'
      sha: '5e235361806c361d4d3f8859e3c897658025a9a2'
@@ -49,12 +49,12 @@ steps:
      category: |
        ${{ github.workflow }}:upload-sarif/analysis-kinds:${{ matrix.analysis-kinds }}/os:${{ matrix.os }}/version:${{ matrix.version }}/test:single-code-scanning/
  - name: "Fail for missing output from `upload-single-sarif-code-scanning` step"
-    if: contains(matrix.analysis-kinds, 'code-scanning') && !(fromJSON(steps.upload-single-sarif-code-scanning.outputs.sarif-ids).code-scanning)
+    if: "contains(matrix.analysis-kinds, 'code-scanning') && !(fromJSON(steps.upload-single-sarif-code-scanning.outputs.sarif-ids).code-scanning)"
    run: exit 1
  - name: Upload single SARIF file for Code Quality
    uses: ./../action/upload-sarif
    id: upload-single-sarif-code-quality
-    if: contains(matrix.analysis-kinds, 'code-quality')
+    if: "contains(matrix.analysis-kinds, 'code-quality')"
    with:
      ref: 'refs/heads/main'
      sha: '5e235361806c361d4d3f8859e3c897658025a9a2'
@@ -62,16 +62,16 @@ steps:
      category: |
        ${{ github.workflow }}:upload-sarif/analysis-kinds:${{ matrix.analysis-kinds }}/os:${{ matrix.os }}/version:${{ matrix.version }}/test:single-code-quality/
  - name: "Fail for missing output from `upload-single-sarif-code-quality` step"
-    if: contains(matrix.analysis-kinds, 'code-quality') && !(fromJSON(steps.upload-single-sarif-code-quality.outputs.sarif-ids).code-quality)
+    if: "contains(matrix.analysis-kinds, 'code-quality') && !(fromJSON(steps.upload-single-sarif-code-quality.outputs.sarif-ids).code-quality)"
    run: exit 1

  - name: Change SARIF file extension
-    if: contains(matrix.analysis-kinds, 'code-scanning')
+    if: "contains(matrix.analysis-kinds, 'code-scanning')"
    run: mv ${{ runner.temp }}/results/javascript.sarif ${{ runner.temp }}/results/javascript.sarif.json
  - name: Upload single non-`.sarif` file
    uses: ./../action/upload-sarif
    id: upload-single-non-sarif
-    if: contains(matrix.analysis-kinds, 'code-scanning')
+    if: "contains(matrix.analysis-kinds, 'code-scanning')"
    with:
      ref: 'refs/heads/main'
      sha: '5e235361806c361d4d3f8859e3c897658025a9a2'
@@ -79,5 +79,5 @@ steps:
      category: |
        ${{ github.workflow }}:upload-sarif/analysis-kinds:${{ matrix.analysis-kinds }}/os:${{ matrix.os }}/version:${{ matrix.version }}/test:non-sarif/
  - name: "Fail for missing output from `upload-single-non-sarif` step"
-    if: contains(matrix.analysis-kinds, 'code-scanning') && !(fromJSON(steps.upload-single-non-sarif.outputs.sarif-ids).code-scanning)
+    if: "contains(matrix.analysis-kinds, 'code-scanning') && !(fromJSON(steps.upload-single-non-sarif.outputs.sarif-ids).code-scanning)"
    run: exit 1
@@ -1,605 +0,0 @@
-{
-  "name": "pr-checks",
-  "lockfileVersion": 3,
-  "requires": true,
-  "packages": {
-    "": {
-      "dependencies": {
-        "yaml": "^2.8.2"
-      },
-      "devDependencies": {
-        "@types/node": "^20.19.9",
-        "tsx": "^4.21.0",
-        "typescript": "^5.9.3"
-      }
-    },
-    "node_modules/@esbuild/aix-ppc64": {
-      "version": "0.27.3",
-      "resolved": "https://registry.npmjs.org/@esbuild/aix-ppc64/-/aix-ppc64-0.27.3.tgz",
-      "integrity": "sha512-9fJMTNFTWZMh5qwrBItuziu834eOCUcEqymSH7pY+zoMVEZg3gcPuBNxH1EvfVYe9h0x/Ptw8KBzv7qxb7l8dg==",
-      "cpu": [
-        "ppc64"
-      ],
-      "dev": true,
-      "license": "MIT",
-      "optional": true,
-      "os": [
-        "aix"
-      ],
-      "engines": {
-        "node": ">=18"
-      }
-    },
-    "node_modules/@esbuild/android-arm": {
-      "version": "0.27.3",
-      "resolved": "https://registry.npmjs.org/@esbuild/android-arm/-/android-arm-0.27.3.tgz",
-      "integrity": "sha512-i5D1hPY7GIQmXlXhs2w8AWHhenb00+GxjxRncS2ZM7YNVGNfaMxgzSGuO8o8SJzRc/oZwU2bcScvVERk03QhzA==",
-      "cpu": [
-        "arm"
-      ],
-      "dev": true,
-      "license": "MIT",
-      "optional": true,
-      "os": [
-        "android"
-      ],
-      "engines": {
-        "node": ">=18"
-      }
-    },
-    "node_modules/@esbuild/android-arm64": {
-      "version": "0.27.3",
-      "resolved": "https://registry.npmjs.org/@esbuild/android-arm64/-/android-arm64-0.27.3.tgz",
-      "integrity": "sha512-YdghPYUmj/FX2SYKJ0OZxf+iaKgMsKHVPF1MAq/P8WirnSpCStzKJFjOjzsW0QQ7oIAiccHdcqjbHmJxRb/dmg==",
-      "cpu": [
-        "arm64"
-      ],
-      "dev": true,
-      "license": "MIT",
-      "optional": true,
-      "os": [
-        "android"
-      ],
-      "engines": {
-        "node": ">=18"
-      }
-    },
-    "node_modules/@esbuild/android-x64": {
-      "version": "0.27.3",
-      "resolved": "https://registry.npmjs.org/@esbuild/android-x64/-/android-x64-0.27.3.tgz",
-      "integrity": "sha512-IN/0BNTkHtk8lkOM8JWAYFg4ORxBkZQf9zXiEOfERX/CzxW3Vg1ewAhU7QSWQpVIzTW+b8Xy+lGzdYXV6UZObQ==",
-      "cpu": [
-        "x64"
-      ],
-      "dev": true,
-      "license": "MIT",
-      "optional": true,
-      "os": [
-        "android"
-      ],
-      "engines": {
-        "node": ">=18"
-      }
-    },
-    "node_modules/@esbuild/darwin-arm64": {
-      "version": "0.27.3",
-      "resolved": "https://registry.npmjs.org/@esbuild/darwin-arm64/-/darwin-arm64-0.27.3.tgz",
-      "integrity": "sha512-Re491k7ByTVRy0t3EKWajdLIr0gz2kKKfzafkth4Q8A5n1xTHrkqZgLLjFEHVD+AXdUGgQMq+Godfq45mGpCKg==",
-      "cpu": [
-        "arm64"
-      ],
-      "dev": true,
-      "license": "MIT",
-      "optional": true,
-      "os": [
-        "darwin"
-      ],
-      "engines": {
-        "node": ">=18"
-      }
-    },
-    "node_modules/@esbuild/darwin-x64": {
-      "version": "0.27.3",
-      "resolved": "https://registry.npmjs.org/@esbuild/darwin-x64/-/darwin-x64-0.27.3.tgz",
-      "integrity": "sha512-vHk/hA7/1AckjGzRqi6wbo+jaShzRowYip6rt6q7VYEDX4LEy1pZfDpdxCBnGtl+A5zq8iXDcyuxwtv3hNtHFg==",
-      "cpu": [
-        "x64"
-      ],
-      "dev": true,
-      "license": "MIT",
-      "optional": true,
-      "os": [
-        "darwin"
-      ],
-      "engines": {
-        "node": ">=18"
-      }
-    },
-    "node_modules/@esbuild/freebsd-arm64": {
-      "version": "0.27.3",
-      "resolved": "https://registry.npmjs.org/@esbuild/freebsd-arm64/-/freebsd-arm64-0.27.3.tgz",
-      "integrity": "sha512-ipTYM2fjt3kQAYOvo6vcxJx3nBYAzPjgTCk7QEgZG8AUO3ydUhvelmhrbOheMnGOlaSFUoHXB6un+A7q4ygY9w==",
-      "cpu": [
-        "arm64"
-      ],
-      "dev": true,
-      "license": "MIT",
-      "optional": true,
-      "os": [
-        "freebsd"
-      ],
-      "engines": {
-        "node": ">=18"
-      }
-    },
-    "node_modules/@esbuild/freebsd-x64": {
-      "version": "0.27.3",
-      "resolved": "https://registry.npmjs.org/@esbuild/freebsd-x64/-/freebsd-x64-0.27.3.tgz",
-      "integrity": "sha512-dDk0X87T7mI6U3K9VjWtHOXqwAMJBNN2r7bejDsc+j03SEjtD9HrOl8gVFByeM0aJksoUuUVU9TBaZa2rgj0oA==",
-      "cpu": [
-        "x64"
-      ],
-      "dev": true,
-      "license": "MIT",
-      "optional": true,
-      "os": [
-        "freebsd"
-      ],
-      "engines": {
-        "node": ">=18"
-      }
-    },
-    "node_modules/@esbuild/linux-arm": {
-      "version": "0.27.3",
-      "resolved": "https://registry.npmjs.org/@esbuild/linux-arm/-/linux-arm-0.27.3.tgz",
-      "integrity": "sha512-s6nPv2QkSupJwLYyfS+gwdirm0ukyTFNl3KTgZEAiJDd+iHZcbTPPcWCcRYH+WlNbwChgH2QkE9NSlNrMT8Gfw==",
-      "cpu": [
-        "arm"
-      ],
-      "dev": true,
-      "license": "MIT",
-      "optional": true,
-      "os": [
-        "linux"
-      ],
-      "engines": {
-        "node": ">=18"
-      }
-    },
-    "node_modules/@esbuild/linux-arm64": {
-      "version": "0.27.3",
-      "resolved": "https://registry.npmjs.org/@esbuild/linux-arm64/-/linux-arm64-0.27.3.tgz",
-      "integrity": "sha512-sZOuFz/xWnZ4KH3YfFrKCf1WyPZHakVzTiqji3WDc0BCl2kBwiJLCXpzLzUBLgmp4veFZdvN5ChW4Eq/8Fc2Fg==",
-      "cpu": [
-        "arm64"
-      ],
-      "dev": true,
-      "license": "MIT",
-      "optional": true,
-      "os": [
-        "linux"
-      ],
-      "engines": {
-        "node": ">=18"
-      }
-    },
-    "node_modules/@esbuild/linux-ia32": {
-      "version": "0.27.3",
-      "resolved": "https://registry.npmjs.org/@esbuild/linux-ia32/-/linux-ia32-0.27.3.tgz",
-      "integrity": "sha512-yGlQYjdxtLdh0a3jHjuwOrxQjOZYD/C9PfdbgJJF3TIZWnm/tMd/RcNiLngiu4iwcBAOezdnSLAwQDPqTmtTYg==",
-      "cpu": [
-        "ia32"
-      ],
-      "dev": true,
-      "license": "MIT",
-      "optional": true,
-      "os": [
-        "linux"
-      ],
-      "engines": {
-        "node": ">=18"
-      }
-    },
-    "node_modules/@esbuild/linux-loong64": {
-      "version": "0.27.3",
-      "resolved": "https://registry.npmjs.org/@esbuild/linux-loong64/-/linux-loong64-0.27.3.tgz",
-      "integrity": "sha512-WO60Sn8ly3gtzhyjATDgieJNet/KqsDlX5nRC5Y3oTFcS1l0KWba+SEa9Ja1GfDqSF1z6hif/SkpQJbL63cgOA==",
-      "cpu": [
-        "loong64"
-      ],
-      "dev": true,
-      "license": "MIT",
-      "optional": true,
-      "os": [
-        "linux"
-      ],
-      "engines": {
-        "node": ">=18"
-      }
-    },
-    "node_modules/@esbuild/linux-mips64el": {
-      "version": "0.27.3",
-      "resolved": "https://registry.npmjs.org/@esbuild/linux-mips64el/-/linux-mips64el-0.27.3.tgz",
-      "integrity": "sha512-APsymYA6sGcZ4pD6k+UxbDjOFSvPWyZhjaiPyl/f79xKxwTnrn5QUnXR5prvetuaSMsb4jgeHewIDCIWljrSxw==",
-      "cpu": [
-        "mips64el"
-      ],
-      "dev": true,
-      "license": "MIT",
-      "optional": true,
-      "os": [
-        "linux"
-      ],
-      "engines": {
-        "node": ">=18"
-      }
-    },
-    "node_modules/@esbuild/linux-ppc64": {
-      "version": "0.27.3",
-      "resolved": "https://registry.npmjs.org/@esbuild/linux-ppc64/-/linux-ppc64-0.27.3.tgz",
-      "integrity": "sha512-eizBnTeBefojtDb9nSh4vvVQ3V9Qf9Df01PfawPcRzJH4gFSgrObw+LveUyDoKU3kxi5+9RJTCWlj4FjYXVPEA==",
-      "cpu": [
-        "ppc64"
-      ],
-      "dev": true,
-      "license": "MIT",
-      "optional": true,
-      "os": [
-        "linux"
-      ],
-      "engines": {
-        "node": ">=18"
-      }
-    },
-    "node_modules/@esbuild/linux-riscv64": {
-      "version": "0.27.3",
-      "resolved": "https://registry.npmjs.org/@esbuild/linux-riscv64/-/linux-riscv64-0.27.3.tgz",
-      "integrity": "sha512-3Emwh0r5wmfm3ssTWRQSyVhbOHvqegUDRd0WhmXKX2mkHJe1SFCMJhagUleMq+Uci34wLSipf8Lagt4LlpRFWQ==",
-      "cpu": [
-        "riscv64"
-      ],
-      "dev": true,
-      "license": "MIT",
-      "optional": true,
-      "os": [
-        "linux"
-      ],
-      "engines": {
-        "node": ">=18"
-      }
-    },
-    "node_modules/@esbuild/linux-s390x": {
-      "version": "0.27.3",
-      "resolved": "https://registry.npmjs.org/@esbuild/linux-s390x/-/linux-s390x-0.27.3.tgz",
-      "integrity": "sha512-pBHUx9LzXWBc7MFIEEL0yD/ZVtNgLytvx60gES28GcWMqil8ElCYR4kvbV2BDqsHOvVDRrOxGySBM9Fcv744hw==",
-      "cpu": [
-        "s390x"
-      ],
-      "dev": true,
-      "license": "MIT",
-      "optional": true,
-      "os": [
-        "linux"
-      ],
-      "engines": {
-        "node": ">=18"
-      }
-    },
-    "node_modules/@esbuild/linux-x64": {
-      "version": "0.27.3",
-      "resolved": "https://registry.npmjs.org/@esbuild/linux-x64/-/linux-x64-0.27.3.tgz",
-      "integrity": "sha512-Czi8yzXUWIQYAtL/2y6vogER8pvcsOsk5cpwL4Gk5nJqH5UZiVByIY8Eorm5R13gq+DQKYg0+JyQoytLQas4dA==",
-      "cpu": [
-        "x64"
-      ],
-      "dev": true,
-      "license": "MIT",
-      "optional": true,
-      "os": [
-        "linux"
-      ],
-      "engines": {
-        "node": ">=18"
-      }
-    },
-    "node_modules/@esbuild/netbsd-arm64": {
-      "version": "0.27.3",
-      "resolved": "https://registry.npmjs.org/@esbuild/netbsd-arm64/-/netbsd-arm64-0.27.3.tgz",
-      "integrity": "sha512-sDpk0RgmTCR/5HguIZa9n9u+HVKf40fbEUt+iTzSnCaGvY9kFP0YKBWZtJaraonFnqef5SlJ8/TiPAxzyS+UoA==",
-      "cpu": [
-        "arm64"
-      ],
-      "dev": true,
-      "license": "MIT",
-      "optional": true,
-      "os": [
-        "netbsd"
-      ],
-      "engines": {
-        "node": ">=18"
-      }
-    },
-    "node_modules/@esbuild/netbsd-x64": {
-      "version": "0.27.3",
-      "resolved": "https://registry.npmjs.org/@esbuild/netbsd-x64/-/netbsd-x64-0.27.3.tgz",
-      "integrity": "sha512-P14lFKJl/DdaE00LItAukUdZO5iqNH7+PjoBm+fLQjtxfcfFE20Xf5CrLsmZdq5LFFZzb5JMZ9grUwvtVYzjiA==",
-      "cpu": [
-        "x64"
-      ],
-      "dev": true,
-      "license": "MIT",
-      "optional": true,
-      "os": [
-        "netbsd"
-      ],
-      "engines": {
-        "node": ">=18"
-      }
-    },
-    "node_modules/@esbuild/openbsd-arm64": {
-      "version": "0.27.3",
-      "resolved": "https://registry.npmjs.org/@esbuild/openbsd-arm64/-/openbsd-arm64-0.27.3.tgz",
-      "integrity": "sha512-AIcMP77AvirGbRl/UZFTq5hjXK+2wC7qFRGoHSDrZ5v5b8DK/GYpXW3CPRL53NkvDqb9D+alBiC/dV0Fb7eJcw==",
-      "cpu": [
-        "arm64"
-      ],
-      "dev": true,
-      "license": "MIT",
-      "optional": true,
-      "os": [
-        "openbsd"
-      ],
-      "engines": {
-        "node": ">=18"
-      }
-    },
-    "node_modules/@esbuild/openbsd-x64": {
-      "version": "0.27.3",
-      "resolved": "https://registry.npmjs.org/@esbuild/openbsd-x64/-/openbsd-x64-0.27.3.tgz",
-      "integrity": "sha512-DnW2sRrBzA+YnE70LKqnM3P+z8vehfJWHXECbwBmH/CU51z6FiqTQTHFenPlHmo3a8UgpLyH3PT+87OViOh1AQ==",
-      "cpu": [
-        "x64"
-      ],
-      "dev": true,
-      "license": "MIT",
-      "optional": true,
-      "os": [
-        "openbsd"
-      ],
-      "engines": {
-        "node": ">=18"
-      }
-    },
-    "node_modules/@esbuild/openharmony-arm64": {
-      "version": "0.27.3",
-      "resolved": "https://registry.npmjs.org/@esbuild/openharmony-arm64/-/openharmony-arm64-0.27.3.tgz",
-      "integrity": "sha512-NinAEgr/etERPTsZJ7aEZQvvg/A6IsZG/LgZy+81wON2huV7SrK3e63dU0XhyZP4RKGyTm7aOgmQk0bGp0fy2g==",
-      "cpu": [
-        "arm64"
-      ],
-      "dev": true,
-      "license": "MIT",
-      "optional": true,
-      "os": [
-        "openharmony"
-      ],
-      "engines": {
-        "node": ">=18"
-      }
-    },
-    "node_modules/@esbuild/sunos-x64": {
-      "version": "0.27.3",
-      "resolved": "https://registry.npmjs.org/@esbuild/sunos-x64/-/sunos-x64-0.27.3.tgz",
-      "integrity": "sha512-PanZ+nEz+eWoBJ8/f8HKxTTD172SKwdXebZ0ndd953gt1HRBbhMsaNqjTyYLGLPdoWHy4zLU7bDVJztF5f3BHA==",
-      "cpu": [
-        "x64"
-      ],
-      "dev": true,
-      "license": "MIT",
-      "optional": true,
-      "os": [
-        "sunos"
-      ],
-      "engines": {
-        "node": ">=18"
-      }
-    },
-    "node_modules/@esbuild/win32-arm64": {
-      "version": "0.27.3",
-      "resolved": "https://registry.npmjs.org/@esbuild/win32-arm64/-/win32-arm64-0.27.3.tgz",
-      "integrity": "sha512-B2t59lWWYrbRDw/tjiWOuzSsFh1Y/E95ofKz7rIVYSQkUYBjfSgf6oeYPNWHToFRr2zx52JKApIcAS/D5TUBnA==",
-      "cpu": [
-        "arm64"
-      ],
-      "dev": true,
-      "license": "MIT",
-      "optional": true,
-      "os": [
-        "win32"
-      ],
-      "engines": {
-        "node": ">=18"
-      }
-    },
-    "node_modules/@esbuild/win32-ia32": {
-      "version": "0.27.3",
-      "resolved": "https://registry.npmjs.org/@esbuild/win32-ia32/-/win32-ia32-0.27.3.tgz",
-      "integrity": "sha512-QLKSFeXNS8+tHW7tZpMtjlNb7HKau0QDpwm49u0vUp9y1WOF+PEzkU84y9GqYaAVW8aH8f3GcBck26jh54cX4Q==",
-      "cpu": [
-        "ia32"
-      ],
-      "dev": true,
-      "license": "MIT",
-      "optional": true,
-      "os": [
-        "win32"
-      ],
-      "engines": {
-        "node": ">=18"
-      }
-    },
-    "node_modules/@esbuild/win32-x64": {
-      "version": "0.27.3",
-      "resolved": "https://registry.npmjs.org/@esbuild/win32-x64/-/win32-x64-0.27.3.tgz",
-      "integrity": "sha512-4uJGhsxuptu3OcpVAzli+/gWusVGwZZHTlS63hh++ehExkVT8SgiEf7/uC/PclrPPkLhZqGgCTjd0VWLo6xMqA==",
-      "cpu": [
-        "x64"
-      ],
-      "dev": true,
-      "license": "MIT",
-      "optional": true,
-      "os": [
-        "win32"
-      ],
-      "engines": {
-        "node": ">=18"
-      }
-    },
-    "node_modules/@types/node": {
-      "version": "20.19.35",
-      "resolved": "https://registry.npmjs.org/@types/node/-/node-20.19.35.tgz",
-      "integrity": "sha512-Uarfe6J91b9HAUXxjvSOdiO2UPOKLm07Q1oh0JHxoZ1y8HoqxDAu3gVrsrOHeiio0kSsoVBt4wFrKOm0dKxVPQ==",
-      "dev": true,
-      "license": "MIT",
-      "dependencies": {
-        "undici-types": "~6.21.0"
-      }
-    },
-    "node_modules/esbuild": {
-      "version": "0.27.3",
-      "resolved": "https://registry.npmjs.org/esbuild/-/esbuild-0.27.3.tgz",
-      "integrity": "sha512-8VwMnyGCONIs6cWue2IdpHxHnAjzxnw2Zr7MkVxB2vjmQ2ivqGFb4LEG3SMnv0Gb2F/G/2yA8zUaiL1gywDCCg==",
-      "dev": true,
-      "hasInstallScript": true,
-      "license": "MIT",
-      "bin": {
-        "esbuild": "bin/esbuild"
-      },
-      "engines": {
-        "node": ">=18"
-      },
-      "optionalDependencies": {
-        "@esbuild/aix-ppc64": "0.27.3",
-        "@esbuild/android-arm": "0.27.3",
-        "@esbuild/android-arm64": "0.27.3",
-        "@esbuild/android-x64": "0.27.3",
-        "@esbuild/darwin-arm64": "0.27.3",
-        "@esbuild/darwin-x64": "0.27.3",
-        "@esbuild/freebsd-arm64": "0.27.3",
-        "@esbuild/freebsd-x64": "0.27.3",
-        "@esbuild/linux-arm": "0.27.3",
-        "@esbuild/linux-arm64": "0.27.3",
-        "@esbuild/linux-ia32": "0.27.3",
-        "@esbuild/linux-loong64": "0.27.3",
-        "@esbuild/linux-mips64el": "0.27.3",
-        "@esbuild/linux-ppc64": "0.27.3",
-        "@esbuild/linux-riscv64": "0.27.3",
-        "@esbuild/linux-s390x": "0.27.3",
-        "@esbuild/linux-x64": "0.27.3",
-        "@esbuild/netbsd-arm64": "0.27.3",
-        "@esbuild/netbsd-x64": "0.27.3",
-        "@esbuild/openbsd-arm64": "0.27.3",
-        "@esbuild/openbsd-x64": "0.27.3",
-        "@esbuild/openharmony-arm64": "0.27.3",
-        "@esbuild/sunos-x64": "0.27.3",
-        "@esbuild/win32-arm64": "0.27.3",
-        "@esbuild/win32-ia32": "0.27.3",
-        "@esbuild/win32-x64": "0.27.3"
-      }
-    },
-    "node_modules/fsevents": {
-      "version": "2.3.3",
-      "resolved": "https://registry.npmjs.org/fsevents/-/fsevents-2.3.3.tgz",
-      "integrity": "sha512-5xoDfX+fL7faATnagmWPpbFtwh/R77WmMMqqHGS65C3vvB0YHrgF+B1YmZ3441tMj5n63k0212XNoJwzlhffQw==",
-      "dev": true,
-      "hasInstallScript": true,
-      "license": "MIT",
-      "optional": true,
-      "os": [
-        "darwin"
-      ],
-      "engines": {
-        "node": "^8.16.0 || ^10.6.0 || >=11.0.0"
-      }
-    },
-    "node_modules/get-tsconfig": {
-      "version": "4.13.6",
-      "resolved": "https://registry.npmjs.org/get-tsconfig/-/get-tsconfig-4.13.6.tgz",
-      "integrity": "sha512-shZT/QMiSHc/YBLxxOkMtgSid5HFoauqCE3/exfsEcwg1WkeqjG+V40yBbBrsD+jW2HDXcs28xOfcbm2jI8Ddw==",
-      "dev": true,
-      "license": "MIT",
-      "dependencies": {
-        "resolve-pkg-maps": "^1.0.0"
-      },
-      "funding": {
-        "url": "https://github.com/privatenumber/get-tsconfig?sponsor=1"
-      }
-    },
-    "node_modules/resolve-pkg-maps": {
-      "version": "1.0.0",
-      "resolved": "https://registry.npmjs.org/resolve-pkg-maps/-/resolve-pkg-maps-1.0.0.tgz",
-      "integrity": "sha512-seS2Tj26TBVOC2NIc2rOe2y2ZO7efxITtLZcGSOnHHNOQ7CkiUBfw0Iw2ck6xkIhPwLhKNLS8BO+hEpngQlqzw==",
-      "dev": true,
-      "license": "MIT",
-      "funding": {
-        "url": "https://github.com/privatenumber/resolve-pkg-maps?sponsor=1"
-      }
-    },
-    "node_modules/tsx": {
-      "version": "4.21.0",
-      "resolved": "https://registry.npmjs.org/tsx/-/tsx-4.21.0.tgz",
-      "integrity": "sha512-5C1sg4USs1lfG0GFb2RLXsdpXqBSEhAaA/0kPL01wxzpMqLILNxIxIOKiILz+cdg/pLnOUxFYOR5yhHU666wbw==",
-      "dev": true,
-      "license": "MIT",
-      "dependencies": {
-        "esbuild": "~0.27.0",
-        "get-tsconfig": "^4.7.5"
-      },
-      "bin": {
-        "tsx": "dist/cli.mjs"
-      },
-      "engines": {
-        "node": ">=18.0.0"
-      },
-      "optionalDependencies": {
-        "fsevents": "~2.3.3"
-      }
-    },
-    "node_modules/typescript": {
-      "version": "5.9.3",
-      "resolved": "https://registry.npmjs.org/typescript/-/typescript-5.9.3.tgz",
-      "integrity": "sha512-jl1vZzPDinLr9eUt3J/t7V6FgNEw9QjvBPdysz9KfQDD41fQrC2Y4vKQdiaUpFT4bXlb1RHhLpp8wtm6M5TgSw==",
-      "dev": true,
-      "license": "Apache-2.0",
-      "bin": {
-        "tsc": "bin/tsc",
-        "tsserver": "bin/tsserver"
-      },
-      "engines": {
-        "node": ">=14.17"
-      }
-    },
-    "node_modules/undici-types": {
-      "version": "6.21.0",
-      "resolved": "https://registry.npmjs.org/undici-types/-/undici-types-6.21.0.tgz",
-      "integrity": "sha512-iwDZqg0QAGrg9Rav5H4n0M64c3mkR59cJ6wQp+7C4nI0gsmExaedaYLNO44eT4AtBBwjbTiGPMlt2Md0T9H9JQ==",
-      "dev": true,
-      "license": "MIT"
-    },
-    "node_modules/yaml": {
-      "version": "2.8.2",
-      "resolved": "https://registry.npmjs.org/yaml/-/yaml-2.8.2.tgz",
-      "integrity": "sha512-mplynKqc1C2hTVYxd0PU2xQAc22TI1vShAYGksCCfxbn/dFwnHTNi1bvYsBTkhdUNtGIf5xNOg938rrSSYvS9A==",
-      "license": "ISC",
-      "bin": {
-        "yaml": "bin.mjs"
-      },
-      "engines": {
-        "node": ">= 14.6"
-      },
-      "funding": {
-        "url": "https://github.com/sponsors/eemeli"
-      }
-    }
-  }
-}
@@ -1,12 +0,0 @@
-{
-  "private": true,
-  "description": "Dependencies for the sync.ts",
-  "dependencies": {
-    "yaml": "^2.8.2"
-  },
-  "devDependencies": {
-    "@types/node": "^20.19.9",
-    "tsx": "^4.21.0",
-    "typescript": "^5.9.3"
-  }
-}
@@ -6,9 +6,9 @@ to one of the files in this directory.

 ## Updating workflows

-Run `./sync.sh` to invoke the workflow generator and re-generate the workflow files in `.github/workflows/` based on the templates in `pr-checks/checks/`.
-
-Alternatively, you can use `just`:
-
 1. Install https://github.com/casey/just by whichever way you prefer.
 2. Run `just update-pr-checks` in your terminal.
+
+### If you don't want to install `just`
+
+Manually run each step in the `justfile`.
@@ -0,0 +1,399 @@
+#!/usr/bin/env python
+
+import ruamel.yaml
+from ruamel.yaml.scalarstring import SingleQuotedScalarString, LiteralScalarString
+import pathlib
+import os
+
+# The default set of CodeQL Bundle versions to use for the PR checks.
+defaultTestVersions = [
+    # The oldest supported CodeQL version. If bumping, update `CODEQL_MINIMUM_VERSION` in `codeql.ts`
+    "stable-v2.17.6",
+    # The last CodeQL release in the 2.18 series.
+    "stable-v2.18.4",
+    # The last CodeQL release in the 2.19 series.
+    "stable-v2.19.4",
+    # The last CodeQL release in the 2.20 series.
+    "stable-v2.20.7",
+    # The last CodeQL release in the 2.21 series.
+    "stable-v2.21.4",
+    # The last CodeQL release in the 2.22 series.
+    "stable-v2.22.4",
+    # The default version of CodeQL for Dotcom, as determined by feature flags.
+    "default",
+    # The version of CodeQL shipped with the Action in `defaults.json`. During the release process
+    # for a new CodeQL release, there will be a period of time during which this will be newer than
+    # the default version on Dotcom.
+    "linked",
+    # A nightly build directly from the our private repo, built in the last 24 hours.
+    "nightly-latest"
+]
+
+# When updating the ruamel.yaml version here, update the PR check in
+# `.github/workflows/pr-checks.yml` too.
+header = """# Warning: This file is generated automatically, and should not be modified.
+# Instead, please modify the template in the pr-checks directory and run:
+#     pr-checks/sync.sh
+# to regenerate this file.
+
+"""
+
+
+def is_truthy(value):
+    if isinstance(value, str):
+        return value.lower() == 'true'
+    return bool(value)
+
+
+
+class NonAliasingRTRepresenter(ruamel.yaml.representer.RoundTripRepresenter):
+    def ignore_aliases(self, data):
+        return True
+
+
+def writeHeader(checkStream):
+    checkStream.write(header)
+
+
+yaml = ruamel.yaml.YAML()
+yaml.Representer = NonAliasingRTRepresenter
+yaml.indent(mapping=2, sequence=4, offset=2)
+
+this_dir = pathlib.Path(__file__).resolve().parent
+
+allJobs = {}
+collections = {}
+for file in sorted((this_dir / 'checks').glob('*.yml')):
+    with open(file, 'r') as checkStream:
+        checkSpecification = yaml.load(checkStream)
+    matrix = []
+
+    workflowInputs = {}
+    if 'inputs' in checkSpecification:
+        workflowInputs = checkSpecification['inputs']
+
+    for version in checkSpecification.get('versions', defaultTestVersions):
+        if version == "latest":
+            raise ValueError('Did not recognize "version: latest". Did you mean "version: linked"?')
+
+        runnerImages = ["ubuntu-latest", "macos-latest", "windows-latest"]
+        operatingSystems = checkSpecification.get('operatingSystems', ["ubuntu"])
+
+        for operatingSystem in operatingSystems:
+            runnerImagesForOs = [image for image in runnerImages if image.startswith(operatingSystem)]
+
+            for runnerImage in runnerImagesForOs:
+                matrix.append({
+                    'os': runnerImage,
+                    'version': version
+                })
+
+        useAllPlatformBundle = "false" # Default to false
+        if checkSpecification.get('useAllPlatformBundle'):
+            useAllPlatformBundle = checkSpecification['useAllPlatformBundle']
+
+
+    if 'analysisKinds' in checkSpecification:
+        newMatrix = []
+        for matrixInclude in matrix:
+            for analysisKind in checkSpecification.get('analysisKinds'):
+                newMatrix.append(
+                    matrixInclude |
+                    { 'analysis-kinds': analysisKind }
+                )
+        matrix = newMatrix
+
+    # Construct the workflow steps needed for this check.
+    steps = [
+        {
+            'name': 'Check out repository',
+            'uses': 'actions/checkout@v6'
+        },
+    ]
+
+    installNode = is_truthy(checkSpecification.get('installNode', ''))
+
+    if installNode:
+        steps.extend([
+            {
+                'name': 'Install Node.js',
+                'uses': 'actions/setup-node@v6',
+                'with': {
+                    'node-version': '20.x',
+                    'cache': 'npm',
+                },
+            },
+            {
+                'name': 'Install dependencies',
+                'run': 'npm ci',
+            },
+        ])
+
+    steps.append({
+        'name': 'Prepare test',
+        'id': 'prepare-test',
+        'uses': './.github/actions/prepare-test',
+        'with': {
+            'version': '${{ matrix.version }}',
+            'use-all-platform-bundle': useAllPlatformBundle,
+            # If the action is being run from a container, then do not setup kotlin.
+            # This is because the kotlin binaries cannot be downloaded from the container.
+            'setup-kotlin': str(not 'container' in checkSpecification).lower(),
+        }
+    })
+
+    installGo = is_truthy(checkSpecification.get('installGo', ''))
+
+    if installGo:
+        baseGoVersionExpr = '>=1.21.0'
+        workflowInputs['go-version'] = {
+            'type': 'string',
+            'description': 'The version of Go to install',
+            'required': False,
+            'default': baseGoVersionExpr,
+        }
+
+        steps.append({
+            'name': 'Install Go',
+            'uses': 'actions/setup-go@v6',
+            'with': {
+                'go-version': '${{ inputs.go-version || \'' + baseGoVersionExpr + '\' }}',
+                # to avoid potentially misleading autobuilder results where we expect it to download
+                # dependencies successfully, but they actually come from a warm cache
+                'cache': False
+            }
+        })
+
+    installJava = is_truthy(checkSpecification.get('installJava', ''))
+
+    if installJava:
+        baseJavaVersionExpr = '17'
+        workflowInputs['java-version'] = {
+            'type': 'string',
+            'description': 'The version of Java to install',
+            'required': False,
+            'default': baseJavaVersionExpr,
+        }
+
+        steps.append({
+            'name': 'Install Java',
+            'uses': 'actions/setup-java@v5',
+            'with': {
+                'java-version': '${{ inputs.java-version || \'' + baseJavaVersionExpr + '\' }}',
+                'distribution': 'temurin'
+            }
+        })
+
+    installPython = is_truthy(checkSpecification.get('installPython', ''))
+
+    if installPython:
+        basePythonVersionExpr = '3.13'
+        workflowInputs['python-version'] = {
+            'type': 'string',
+            'description': 'The version of Python to install',
+            'required': False,
+            'default': basePythonVersionExpr,
+        }
+
+        steps.append({
+            'name': 'Install Python',
+            'if': 'matrix.version != \'nightly-latest\'',
+            'uses': 'actions/setup-python@v6',
+            'with': {
+                'python-version': '${{ inputs.python-version || \'' + basePythonVersionExpr + '\' }}'
+            }
+        })
+
+    installDotNet = is_truthy(checkSpecification.get('installDotNet', ''))
+
+    if installDotNet:
+        baseDotNetVersionExpr = '9.x'
+        workflowInputs['dotnet-version'] = {
+            'type': 'string',
+            'description': 'The version of .NET to install',
+            'required': False,
+            'default': baseDotNetVersionExpr,
+        }
+
+        steps.append({
+            'name': 'Install .NET',
+            'uses': 'actions/setup-dotnet@v5',
+            'with': {
+                'dotnet-version': '${{ inputs.dotnet-version || \'' + baseDotNetVersionExpr + '\' }}'
+            }
+        })
+
+    installYq = is_truthy(checkSpecification.get('installYq', ''))
+
+    if installYq:
+        steps.append({
+            'name': 'Install yq',
+            'if': "runner.os == 'Windows'",
+            'env': {
+                'YQ_PATH': '${{ runner.temp }}/yq',
+                # This is essentially an arbitrary version of `yq`, which happened to be the one that
+                # `choco` fetched when we moved away from using that here.
+                # See https://github.com/github/codeql-action/pull/3423
+                'YQ_VERSION': 'v4.50.1'
+            },
+            'run': LiteralScalarString(
+                'gh release download --repo mikefarah/yq --pattern "yq_windows_amd64.exe" "$YQ_VERSION" -O "$YQ_PATH/yq.exe"\n'
+                'echo "$YQ_PATH" >> "$GITHUB_PATH"'
+            ),
+        })
+
+    # If container initialisation steps are present in the check specification,
+    # make sure to execute them first.
+    if 'container' in checkSpecification and 'container-init-steps' in checkSpecification:
+        steps.insert(0, checkSpecification['container-init-steps'])
+
+
+    steps.extend(checkSpecification['steps'])
+
+    checkJob = {
+        'strategy': {
+            'fail-fast': False,
+            'matrix': {
+                'include': matrix
+            }
+        },
+        'name': checkSpecification['name'],
+        'if': 'github.triggering_actor != \'dependabot[bot]\'',
+        'permissions': {
+            'contents': 'read',
+            'security-events': 'read'
+        },
+        'timeout-minutes': 45,
+        'runs-on': '${{ matrix.os }}',
+        'steps': steps,
+    }
+    if 'permissions' in checkSpecification:
+        checkJob['permissions'] = checkSpecification['permissions']
+
+    for key in ["env", "container", "services"]:
+        if key in checkSpecification:
+            checkJob[key] = checkSpecification[key]
+
+    checkJob['env'] = checkJob.get('env', {})
+    if 'CODEQL_ACTION_TEST_MODE' not in checkJob['env']:
+        checkJob['env']['CODEQL_ACTION_TEST_MODE'] = True
+    checkName = file.stem
+
+    # If this check belongs to a named collection, record it.
+    if 'collection' in checkSpecification:
+        collection_name = checkSpecification['collection']
+        collections.setdefault(collection_name, []).append({
+            'specification': checkSpecification,
+            'checkName': checkName,
+            'inputs': workflowInputs
+        })
+
+    raw_file = this_dir.parent / ".github" / "workflows" / f"__{checkName}.yml.raw"
+    with open(raw_file, 'w', newline='\n') as output_stream:
+        extraGroupName = ""
+        for inputName in workflowInputs.keys():
+            extraGroupName += "-${{inputs." + inputName + "}}"
+
+        writeHeader(output_stream)
+        yaml.dump({
+            'name': f"PR Check - {checkSpecification['name']}",
+            'env': {
+                'GITHUB_TOKEN': '${{ secrets.GITHUB_TOKEN }}',
+                'GO111MODULE': 'auto'
+            },
+            'on': {
+                'push': {
+                    'branches': ['main', 'releases/v*']
+                },
+                'pull_request': {
+                    'types': ["opened", "synchronize", "reopened", "ready_for_review"]
+                },
+                'schedule': [{'cron': SingleQuotedScalarString('0 5 * * *')}],
+                'workflow_dispatch': {
+                    'inputs': workflowInputs
+                },
+                'workflow_call': {
+                    'inputs': workflowInputs
+                }
+            },
+            'defaults': {
+                'run': {
+                    'shell': 'bash',
+                },
+            },
+            'concurrency': {
+                # Cancel in-progress workflows in the same 'group' for pull_request events,
+                # but not other event types. This should have the effect that workflows on PRs
+                # get cancelled if there is a newer workflow in the same concurrency group.
+                # For other events, the new workflows should wait until earlier ones have finished.
+                # This should help reduce the number of concurrent workflows on the repo, and
+                # consequently the number of concurrent API requests.
+                # Note, the `|| false` is intentional to rule out that this somehow ends up being
+                # `true` since we observed workflows for non-`pull_request` events getting cancelled.
+                'cancel-in-progress': "${{ github.event_name == 'pull_request' || false }}",
+                # The group is determined by the workflow name, the ref, and the input values.
+                # The base name is hard-coded to avoid issues when the workflow is triggered by
+                # a `workflow_call` event (where `github.workflow` would be the name of the caller).
+                # The input values are added, since they may result in different behaviour for a
+                # given workflow on the same ref.
+                'group': checkName + "-${{github.ref}}" + extraGroupName
+            },
+            'jobs': {
+                checkName: checkJob
+            }
+        }, output_stream)
+
+    with open(raw_file, 'r') as input_stream:
+        with open(this_dir.parent / ".github" / "workflows" / f"__{checkName}.yml", 'w', newline='\n') as output_stream:
+            content = input_stream.read()
+            output_stream.write("\n".join(list(map(lambda x:x.rstrip(), content.splitlines()))+['']))
+    os.remove(raw_file)
+
+# write workflow files for collections
+for collection_name in collections:
+    jobs = {}
+    combinedInputs = {}
+
+    for check in collections[collection_name]:
+        checkName = check['checkName']
+        checkSpecification = check['specification']
+        checkInputs = check['inputs']
+        checkWith = {}
+
+        combinedInputs |= checkInputs
+
+        for inputName in checkInputs.keys():
+            checkWith[inputName] = "${{ inputs." + inputName + " }}"
+
+        jobs[checkName] = {
+            'name': checkSpecification['name'],
+            'permissions': {
+                'contents': 'read',
+                'security-events': 'read'
+            },
+            'uses': "./.github/workflows/" + f"__{checkName}.yml",
+            'with': checkWith
+        }
+
+    raw_file = this_dir.parent / ".github" / "workflows" / f"__{collection_name}.yml.raw"
+    with open(raw_file, 'w') as output_stream:
+        writeHeader(output_stream)
+        yaml.dump({
+            'name': f"Manual Check - {collection_name}",
+            'env': {
+                'GITHUB_TOKEN': '${{ secrets.GITHUB_TOKEN }}',
+                'GO111MODULE': 'auto'
+            },
+            'on': {
+                'workflow_dispatch': {
+                    'inputs': combinedInputs
+                },
+            },
+            'jobs': jobs
+        }, output_stream)
+
+    with open(raw_file, 'r') as input_stream:
+        with open(this_dir.parent / ".github" / "workflows" / f"__{collection_name}.yml", 'w', newline='\n') as output_stream:
+            content = input_stream.read()
+            output_stream.write("\n".join(list(map(lambda x:x.rstrip(), content.splitlines()))+['']))
+    os.remove(raw_file)
@@ -2,14 +2,8 @@
 set -e

 cd "$(dirname "$0")"
+python3 -m venv env
+source env/*/activate
+pip3 install ruamel.yaml==0.17.31
+python3 sync.py

-# Run `npm ci` in CI or `npm install` otherwise.
-if [ "$GITHUB_ACTIONS" = "true" ]; then
-  echo "In Actions, running 'npm ci' for 'sync.ts'..."
-  npm ci
-else
-  echo "Running 'npm install' for 'sync.ts'..."
-  npm install --no-audit --no-fund
-fi
-
-npx tsx sync.ts
@@ -1,525 +0,0 @@
-#!/usr/bin/env npx tsx
-
-import * as fs from "fs";
-import * as path from "path";
-
-import * as yaml from "yaml";
-
-/** Known workflow input names. */
-enum KnownInputName {
-  GoVersion = "go-version",
-  JavaVersion = "java-version",
-  PythonVersion = "python-version",
-  DotnetVersion = "dotnet-version",
-}
-
-/**
- * Represents workflow input definitions.
- */
-interface WorkflowInput {
-  type: string;
-  description: string;
-  required: boolean;
-  default: string;
-}
-
-/** A partial mapping from known input names to input definitions. */
-type WorkflowInputs = Partial<Record<KnownInputName, WorkflowInput>>;
-
-/**
- * Represents PR check specifications.
- */
-interface Specification {
-  /** The display name for the check. */
-  name: string;
-  /** The workflow steps specific to this check. */
-  steps: any[];
-  /** Workflow-level input definitions forwarded to `workflow_dispatch`/`workflow_call`. */
-  inputs?: Record<string, WorkflowInput>;
-  /** CodeQL bundle versions to test against. Defaults to `DEFAULT_TEST_VERSIONS`. */
-  versions?: string[];
-  /** Operating system prefixes used to select runner images (e.g. `["ubuntu", "macos"]`). */
-  operatingSystems?: string[];
-  /** Whether to use the all-platform CodeQL bundle. */
-  useAllPlatformBundle?: string;
-  /** Values for the `analysis-kinds` matrix dimension. */
-  analysisKinds?: string[];
-
-  installNode?: boolean;
-  installGo?: boolean;
-  installJava?: boolean;
-  installPython?: boolean;
-  installDotNet?: boolean;
-  installYq?: boolean;
-
-  /** Container image configuration for the job. */
-  container?: any;
-  /** Service containers for the job. */
-  services?: any;
-
-  /** Custom permissions override for the job. */
-  permissions?: Record<string, string>;
-  /** Extra environment variables for the job. */
-  env?: Record<string, any>;
-
-  /** If set, this check is part of a named collection that gets its own caller workflow. */
-  collection?: string;
-}
-
-// The default set of CodeQL Bundle versions to use for the PR checks.
-const defaultTestVersions = [
-  // The oldest supported CodeQL version. If bumping, update `CODEQL_MINIMUM_VERSION` in `codeql.ts`
-  "stable-v2.17.6",
-  // The last CodeQL release in the 2.18 series.
-  "stable-v2.18.4",
-  // The last CodeQL release in the 2.19 series.
-  "stable-v2.19.4",
-  // The last CodeQL release in the 2.20 series.
-  "stable-v2.20.7",
-  // The last CodeQL release in the 2.21 series.
-  "stable-v2.21.4",
-  // The last CodeQL release in the 2.22 series.
-  "stable-v2.22.4",
-  // The default version of CodeQL for Dotcom, as determined by feature flags.
-  "default",
-  // The version of CodeQL shipped with the Action in `defaults.json`. During the release process
-  // for a new CodeQL release, there will be a period of time during which this will be newer than
-  // the default version on Dotcom.
-  "linked",
-  // A nightly build directly from the our private repo, built in the last 24 hours.
-  "nightly-latest",
-];
-
-const THIS_DIR = __dirname;
-const CHECKS_DIR = path.join(THIS_DIR, "checks");
-const OUTPUT_DIR = path.join(THIS_DIR, "..", ".github", "workflows");
-
-/**
- * Loads and parses a YAML file.
- */
-function loadYaml(filePath: string): yaml.Document {
-  const content = fs.readFileSync(filePath, "utf8");
-  return yaml.parseDocument(content);
-}
-
-/**
- * Serialize a value to YAML and write it to a file, prepended with the
- * standard header comment.
- */
-function writeYaml(filePath: string, workflow: any): void {
-  const header = `# Warning: This file is generated automatically, and should not be modified.
-# Instead, please modify the template in the pr-checks directory and run:
-#     pr-checks/sync.sh
-# to regenerate this file.
-
-`;
-  const workflowDoc = new yaml.Document(workflow, {
-    aliasDuplicateObjects: false,
-  });
-  const yamlStr = yaml.stringify(workflowDoc, {
-    aliasDuplicateObjects: false,
-    singleQuote: true,
-    lineWidth: 0,
-  });
-  fs.writeFileSync(filePath, stripTrailingWhitespace(header + yamlStr), "utf8");
-}
-
-/**
- * Strip trailing whitespace from each line.
- */
-function stripTrailingWhitespace(content: string): string {
-  return content
-    .split("\n")
-    .map((line) => line.trimEnd())
-    .join("\n");
-}
-
-/**
- * Main entry point for the sync script.
- */
-function main(): void {
-  // Ensure the output directory exists.
-  fs.mkdirSync(OUTPUT_DIR, { recursive: true });
-
-  // Discover and sort all check specification files.
-  const checkFiles = fs
-    .readdirSync(CHECKS_DIR)
-    .filter((f) => f.endsWith(".yml"))
-    .sort()
-    .map((f) => path.join(CHECKS_DIR, f));
-
-  console.log(`Found ${checkFiles.length} check specification(s).`);
-
-  const collections: Record<
-    string,
-    Array<{
-      specification: Specification;
-      checkName: string;
-      inputs: Record<string, WorkflowInput>;
-    }>
-  > = {};
-
-  for (const file of checkFiles) {
-    const checkName = path.basename(file, ".yml");
-    const specDocument = loadYaml(file);
-    const checkSpecification = specDocument.toJS() as Specification;
-
-    console.log(`Processing: ${checkName} — "${checkSpecification.name}"`);
-
-    const workflowInputs: WorkflowInputs = {};
-    let matrix: Array<Record<string, any>> = [];
-
-    for (const version of checkSpecification.versions ?? defaultTestVersions) {
-      if (version === "latest") {
-        throw new Error(
-          'Did not recognise "version: latest". Did you mean "version: linked"?',
-        );
-      }
-
-      const runnerImages = ["ubuntu-latest", "macos-latest", "windows-latest"];
-      const operatingSystems = checkSpecification.operatingSystems ?? [
-        "ubuntu",
-      ];
-
-      for (const operatingSystem of operatingSystems) {
-        const runnerImagesForOs = runnerImages.filter((image) =>
-          image.startsWith(operatingSystem),
-        );
-
-        for (const runnerImage of runnerImagesForOs) {
-          matrix.push({
-            os: runnerImage,
-            version,
-          });
-        }
-      }
-    }
-
-    const useAllPlatformBundle = checkSpecification.useAllPlatformBundle
-      ? checkSpecification.useAllPlatformBundle
-      : "false";
-
-    if (checkSpecification.analysisKinds) {
-      const newMatrix: Array<Record<string, any>> = [];
-      for (const matrixInclude of matrix) {
-        for (const analysisKind of checkSpecification.analysisKinds) {
-          newMatrix.push({
-            ...matrixInclude,
-            "analysis-kinds": analysisKind,
-          });
-        }
-      }
-      matrix = newMatrix;
-    }
-
-    // Construct the workflow steps needed for this check.
-    const steps: any[] = [
-      {
-        name: "Check out repository",
-        uses: "actions/checkout@v6",
-      },
-    ];
-
-    const installNode = checkSpecification.installNode;
-
-    if (installNode) {
-      steps.push(
-        {
-          name: "Install Node.js",
-          uses: "actions/setup-node@v6",
-          with: {
-            "node-version": "20.x",
-            cache: "npm",
-          },
-        },
-        {
-          name: "Install dependencies",
-          run: "npm ci",
-        },
-      );
-    }
-
-    steps.push({
-      name: "Prepare test",
-      id: "prepare-test",
-      uses: "./.github/actions/prepare-test",
-      with: {
-        version: "${{ matrix.version }}",
-        "use-all-platform-bundle": useAllPlatformBundle,
-        // If the action is being run from a container, then do not setup kotlin.
-        // This is because the kotlin binaries cannot be downloaded from the container.
-        "setup-kotlin": "container" in checkSpecification ? "false" : "true",
-      },
-    });
-
-    const installGo = checkSpecification.installGo;
-
-    if (installGo) {
-      const baseGoVersionExpr = ">=1.21.0";
-      workflowInputs[KnownInputName.GoVersion] = {
-        type: "string",
-        description: "The version of Go to install",
-        required: false,
-        default: baseGoVersionExpr,
-      };
-
-      steps.push({
-        name: "Install Go",
-        uses: "actions/setup-go@v6",
-        with: {
-          "go-version":
-            "${{ inputs.go-version || '" + baseGoVersionExpr + "' }}",
-          // to avoid potentially misleading autobuilder results where we expect it to download
-          // dependencies successfully, but they actually come from a warm cache
-          cache: false,
-        },
-      });
-    }
-
-    const installJava = checkSpecification.installJava;
-
-    if (installJava) {
-      const baseJavaVersionExpr = "17";
-      workflowInputs[KnownInputName.JavaVersion] = {
-        type: "string",
-        description: "The version of Java to install",
-        required: false,
-        default: baseJavaVersionExpr,
-      };
-
-      steps.push({
-        name: "Install Java",
-        uses: "actions/setup-java@v5",
-        with: {
-          "java-version":
-            "${{ inputs.java-version || '" + baseJavaVersionExpr + "' }}",
-          distribution: "temurin",
-        },
-      });
-    }
-
-    const installPython = checkSpecification.installPython;
-
-    if (installPython) {
-      const basePythonVersionExpr = "3.13";
-      workflowInputs[KnownInputName.PythonVersion] = {
-        type: "string",
-        description: "The version of Python to install",
-        required: false,
-        default: basePythonVersionExpr,
-      };
-
-      steps.push({
-        name: "Install Python",
-        if: "matrix.version != 'nightly-latest'",
-        uses: "actions/setup-python@v6",
-        with: {
-          "python-version":
-            "${{ inputs.python-version || '" + basePythonVersionExpr + "' }}",
-        },
-      });
-    }
-
-    const installDotNet = checkSpecification.installDotNet;
-
-    if (installDotNet) {
-      const baseDotNetVersionExpr = "9.x";
-      workflowInputs[KnownInputName.DotnetVersion] = {
-        type: "string",
-        description: "The version of .NET to install",
-        required: false,
-        default: baseDotNetVersionExpr,
-      };
-
-      steps.push({
-        name: "Install .NET",
-        uses: "actions/setup-dotnet@v5",
-        with: {
-          "dotnet-version":
-            "${{ inputs.dotnet-version || '" + baseDotNetVersionExpr + "' }}",
-        },
-      });
-    }
-
-    const installYq = checkSpecification.installYq;
-
-    if (installYq) {
-      steps.push({
-        name: "Install yq",
-        if: "runner.os == 'Windows'",
-        env: {
-          YQ_PATH: "${{ runner.temp }}/yq",
-          // This is essentially an arbitrary version of `yq`, which happened to be the one that
-          // `choco` fetched when we moved away from using that here.
-          // See https://github.com/github/codeql-action/pull/3423
-          YQ_VERSION: "v4.50.1",
-        },
-        run:
-          'gh release download --repo mikefarah/yq --pattern "yq_windows_amd64.exe" "$YQ_VERSION" -O "$YQ_PATH/yq.exe"\n' +
-          'echo "$YQ_PATH" >> "$GITHUB_PATH"',
-      });
-    }
-
-    // Extract the sequence of steps from the YAML document to persist as much formatting as possible.
-    const specSteps = specDocument.get("steps") as yaml.YAMLSeq;
-
-    // A handful of workflow specifications use double quotes for values, while we generally use single quotes.
-    // This replaces double quotes with single quotes for consistency.
-    yaml.visit(specSteps, {
-      Scalar(_key, node) {
-        if (node.type === "QUOTE_DOUBLE") {
-          node.type = "QUOTE_SINGLE";
-        }
-      },
-    });
-
-    // Add the generated steps in front of the ones from the specification.
-    specSteps.items.unshift(...steps);
-
-    const checkJob: Record<string, any> = {
-      strategy: {
-        "fail-fast": false,
-        matrix: {
-          include: matrix,
-        },
-      },
-      name: checkSpecification.name,
-      if: "github.triggering_actor != 'dependabot[bot]'",
-      permissions: {
-        contents: "read",
-        "security-events": "read",
-      },
-      "timeout-minutes": 45,
-      "runs-on": "${{ matrix.os }}",
-      steps: specSteps,
-    };
-
-    if (checkSpecification.permissions) {
-      checkJob.permissions = checkSpecification.permissions;
-    }
-
-    for (const key of ["env", "container", "services"] as const) {
-      if (checkSpecification[key] !== undefined) {
-        checkJob[key] = checkSpecification[key];
-      }
-    }
-
-    checkJob.env = checkJob.env ?? {};
-    if (!("CODEQL_ACTION_TEST_MODE" in checkJob.env)) {
-      checkJob.env.CODEQL_ACTION_TEST_MODE = true;
-    }
-
-    // If this check belongs to a named collection, record it.
-    if (checkSpecification.collection) {
-      const collectionName = checkSpecification.collection;
-      if (!collections[collectionName]) {
-        collections[collectionName] = [];
-      }
-      collections[collectionName].push({
-        specification: checkSpecification,
-        checkName,
-        inputs: workflowInputs,
-      });
-    }
-
-    let extraGroupName = "";
-    for (const inputName of Object.keys(workflowInputs)) {
-      extraGroupName += "-${{inputs." + inputName + "}}";
-    }
-
-    const cron = new yaml.Scalar("0 5 * * *");
-    cron.type = yaml.Scalar.QUOTE_SINGLE;
-
-    const workflow = {
-      name: `PR Check - ${checkSpecification.name}`,
-      env: {
-        GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}",
-        GO111MODULE: "auto",
-      },
-      on: {
-        push: {
-          branches: ["main", "releases/v*"],
-        },
-        pull_request: {
-          types: ["opened", "synchronize", "reopened", "ready_for_review"],
-        },
-        merge_group: {
-          types: ["checks_requested"],
-        },
-        schedule: [{ cron }],
-        workflow_dispatch: {
-          inputs: workflowInputs,
-        },
-        workflow_call: {
-          inputs: workflowInputs,
-        },
-      },
-      defaults: {
-        run: {
-          shell: "bash",
-        },
-      },
-      concurrency: {
-        "cancel-in-progress":
-          "${{ github.event_name == 'pull_request' || false }}",
-        group: checkName + "-${{github.ref}}" + extraGroupName,
-      },
-      jobs: {
-        [checkName]: checkJob,
-      },
-    };
-
-    const outputPath = path.join(OUTPUT_DIR, `__${checkName}.yml`);
-    writeYaml(outputPath, workflow);
-  }
-
-  // Write workflow files for collections.
-  for (const collectionName of Object.keys(collections)) {
-    const jobs: Record<string, any> = {};
-    let combinedInputs: Record<string, WorkflowInput> = {};
-
-    for (const check of collections[collectionName]) {
-      const { checkName, specification, inputs: checkInputs } = check;
-      const checkWith: Record<string, string> = {};
-
-      combinedInputs = { ...combinedInputs, ...checkInputs };
-
-      for (const inputName of Object.keys(checkInputs)) {
-        checkWith[inputName] = "${{ inputs." + inputName + " }}";
-      }
-
-      jobs[checkName] = {
-        name: specification.name,
-        permissions: {
-          contents: "read",
-          "security-events": "read",
-        },
-        uses: `./.github/workflows/__${checkName}.yml`,
-        with: checkWith,
-      };
-    }
-
-    const collectionWorkflow = {
-      name: `Manual Check - ${collectionName}`,
-      env: {
-        GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}",
-        GO111MODULE: "auto",
-      },
-      on: {
-        workflow_dispatch: {
-          inputs: combinedInputs,
-        },
-      },
-      jobs,
-    };
-
-    const outputPath = path.join(OUTPUT_DIR, `__${collectionName}.yml`);
-    writeYaml(outputPath, collectionWorkflow);
-  }
-
-  console.log(
-    `\nDone. Wrote ${checkFiles.length} workflow file(s) to ${OUTPUT_DIR}`,
-  );
-}
-
-main();
@@ -0,0 +1,185 @@
+#!/usr/bin/env python3
+"""
+Sync-back script to automatically update action versions in source templates
+from the generated workflow files after Dependabot updates.
+
+This script scans the generated workflow files (.github/workflows/__*.yml) to find
+all external action versions used, then updates:
+1. Hardcoded action versions in pr-checks/sync.py
+2. Action version references in template files in pr-checks/checks/
+
+The script automatically detects all actions used in generated workflows and
+preserves version comments (e.g., # v1.2.3) when syncing versions.
+
+This ensures that when Dependabot updates action versions in generated workflows,
+those changes are properly synced back to the source templates. Regular workflow
+files are updated directly by Dependabot and don't need sync-back.
+"""
+
+import os
+import re
+import glob
+import argparse
+import sys
+from pathlib import Path
+from typing import Dict, List
+
+
+def scan_generated_workflows(workflow_dir: str) -> Dict[str, str]:
+    """
+    Scan generated workflow files to extract the latest action versions.
+
+    Args:
+        workflow_dir: Path to .github/workflows directory
+
+    Returns:
+        Dictionary mapping action names to their latest versions (including comments)
+    """
+    action_versions = {}
+    generated_files = glob.glob(os.path.join(workflow_dir, "__*.yml"))
+
+    for file_path in generated_files:
+        with open(file_path, 'r') as f:
+            content = f.read()
+
+        # Find all action uses in the file, including potential comments
+        # This pattern captures: action_name@version_with_possible_comment
+        pattern = r'uses:\s+([^/\s]+/[^@\s]+)@([^@\n]+)'
+        matches = re.findall(pattern, content)
+
+        for action_name, version_with_comment in matches:
+            # Only track non-local actions (those with / but not starting with ./)
+            if not action_name.startswith('./'):
+                # Assume that version numbers are consistent (this should be the case on a Dependabot update PR)
+                action_versions[action_name] = version_with_comment.rstrip()
+
+    return action_versions
+
+
+def update_sync_py(sync_py_path: str, action_versions: Dict[str, str]) -> bool:
+    """
+    Update hardcoded action versions in pr-checks/sync.py
+
+    Args:
+        sync_py_path: Path to sync.py file
+        action_versions: Dictionary of action names to versions (may include comments)
+
+    Returns:
+        True if file was modified, False otherwise
+    """
+    if not os.path.exists(sync_py_path):
+        raise FileNotFoundError(f"Could not find {sync_py_path}")
+
+    with open(sync_py_path, 'r') as f:
+        content = f.read()
+
+    original_content = content
+
+    # Update hardcoded action versions
+    for action_name, version_with_comment in action_versions.items():
+        # Extract just the version part (before any comment) for sync.py
+        version = version_with_comment.split('#')[0].strip() if '#' in version_with_comment else version_with_comment.strip()
+
+        # Look for patterns like 'uses': 'actions/setup-node@v4'
+        # Note that this will break if we store an Action uses reference in a
+        # variable - that's a risk we're happy to take since in that case the
+        # PR checks will just fail.
+        pattern = rf"('uses':\s*'){re.escape(action_name)}@(?:[^']+)(')"
+        replacement = rf"\1{action_name}@{version}\2"
+        content = re.sub(pattern, replacement, content)
+
+    if content != original_content:
+        with open(sync_py_path, 'w') as f:
+            f.write(content)
+        print(f"Updated {sync_py_path}")
+        return True
+    else:
+        print(f"No changes needed in {sync_py_path}")
+        return False
+
+
+def update_template_files(checks_dir: str, action_versions: Dict[str, str]) -> List[str]:
+    """
+    Update action versions in template files in pr-checks/checks/
+
+    Args:
+        checks_dir: Path to pr-checks/checks directory
+        action_versions: Dictionary of action names to versions (may include comments)
+
+    Returns:
+        List of files that were modified
+    """
+    modified_files = []
+    template_files = glob.glob(os.path.join(checks_dir, "*.yml"))
+
+    for file_path in template_files:
+        with open(file_path, 'r') as f:
+            content = f.read()
+
+        original_content = content
+
+        # Update action versions
+        for action_name, version_with_comment in action_versions.items():
+            # Look for patterns like 'uses: actions/setup-node@v4' or 'uses: actions/setup-node@sha # comment'
+            pattern = rf"(uses:\s+{re.escape(action_name)})@(?:[^@\n]+)"
+            replacement = rf"\1@{version_with_comment}"
+            content = re.sub(pattern, replacement, content)
+
+        if content != original_content:
+            with open(file_path, 'w') as f:
+                f.write(content)
+            modified_files.append(file_path)
+            print(f"Updated {file_path}")
+
+    return modified_files
+
+
+def main():
+    parser = argparse.ArgumentParser(description="Sync action versions from generated workflows back to templates")
+    parser.add_argument("--verbose", "-v", action="store_true", help="Enable verbose output")
+    args = parser.parse_args()
+
+    # Get the repository root (assuming script is in pr-checks/)
+    script_dir = Path(__file__).parent
+    repo_root = script_dir.parent
+
+    workflow_dir = repo_root / ".github" / "workflows"
+    checks_dir = script_dir / "checks"
+    sync_py_path = script_dir / "sync.py"
+
+    print("Scanning generated workflows for latest action versions...")
+    action_versions = scan_generated_workflows(str(workflow_dir))
+
+    if args.verbose:
+        print("Found action versions:")
+        for action, version in action_versions.items():
+            print(f"  {action}@{version}")
+
+    if not action_versions:
+        print("No action versions found in generated workflows")
+        return 1
+
+    # Update files
+    print("\nUpdating source files...")
+    modified_files = []
+
+    # Update sync.py
+    if update_sync_py(str(sync_py_path), action_versions):
+        modified_files.append(str(sync_py_path))
+
+    # Update template files
+    template_modified = update_template_files(str(checks_dir), action_versions)
+    modified_files.extend(template_modified)
+
+    if modified_files:
+        print(f"\nSync completed. Modified {len(modified_files)} files:")
+        for file_path in modified_files:
+            print(f"  {file_path}")
+    else:
+        print("\nNo files needed updating - all action versions are already in sync")
+
+    return 0
+
+
+if __name__ == "__main__":
+    sys.exit(main())
@@ -1,250 +0,0 @@
-#!/usr/bin/env npx tsx
-
-/*
-Tests for the sync_back.ts script
-*/
-
-import * as assert from "node:assert/strict";
-import * as fs from "node:fs";
-import * as os from "node:os";
-import * as path from "node:path";
-import { afterEach, beforeEach, describe, it } from "node:test";
-
-import {
-  scanGeneratedWorkflows,
-  updateSyncTs,
-  updateTemplateFiles,
-} from "./sync_back";
-
-let testDir: string;
-let workflowDir: string;
-let checksDir: string;
-let syncTsPath: string;
-
-beforeEach(() => {
-  /** Set up temporary directories and files for testing */
-  testDir = fs.mkdtempSync(path.join(os.tmpdir(), "sync-back-test-"));
-  workflowDir = path.join(testDir, ".github", "workflows");
-  checksDir = path.join(testDir, "pr-checks", "checks");
-  fs.mkdirSync(workflowDir, { recursive: true });
-  fs.mkdirSync(checksDir, { recursive: true });
-
-  // Create sync.ts file path
-  syncTsPath = path.join(testDir, "pr-checks", "sync.ts");
-});
-
-afterEach(() => {
-  /** Clean up temporary directories */
-  fs.rmSync(testDir, { recursive: true, force: true });
-});
-
-describe("scanGeneratedWorkflows", () => {
-  it("basic workflow scanning", () => {
-    /** Test basic workflow scanning functionality */
-    const workflowContent = `
-name: Test Workflow
-jobs:
-  test:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-node@v5
-      - uses: actions/setup-go@v6
-`;
-
-    fs.writeFileSync(path.join(workflowDir, "__test.yml"), workflowContent);
-
-    const result = scanGeneratedWorkflows(workflowDir);
-
-    assert.equal(result["actions/checkout"], "v4");
-    assert.equal(result["actions/setup-node"], "v5");
-    assert.equal(result["actions/setup-go"], "v6");
-  });
-
-  it("scanning workflows with version comments", () => {
-    /** Test scanning workflows with version comments */
-    const workflowContent = `
-name: Test Workflow
-jobs:
-  test:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-      - uses: ruby/setup-ruby@44511735964dcb71245e7e55f72539531f7bc0eb # v1.257.0
-      - uses: actions/setup-python@v6 # Latest Python
-`;
-
-    fs.writeFileSync(path.join(workflowDir, "__test.yml"), workflowContent);
-
-    const result = scanGeneratedWorkflows(workflowDir);
-
-    assert.equal(result["actions/checkout"], "v4");
-    assert.equal(
-      result["ruby/setup-ruby"],
-      "44511735964dcb71245e7e55f72539531f7bc0eb # v1.257.0",
-    );
-    assert.equal(result["actions/setup-python"], "v6 # Latest Python");
-  });
-
-  it("ignores local actions", () => {
-    /** Test that local actions (starting with ./) are ignored */
-    const workflowContent = `
-name: Test Workflow
-jobs:
-  test:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-      - uses: ./.github/actions/local-action
-      - uses: ./another-local-action@v1
-`;
-
-    fs.writeFileSync(path.join(workflowDir, "__test.yml"), workflowContent);
-
-    const result = scanGeneratedWorkflows(workflowDir);
-
-    assert.equal(result["actions/checkout"], "v4");
-    assert.equal("./.github/actions/local-action" in result, false);
-    assert.equal("./another-local-action" in result, false);
-  });
-});
-
-describe("updateSyncTs", () => {
-  it("updates sync.ts file", () => {
-    /** Test updating sync.ts file */
-    const syncTsContent = `
-const steps = [
-  {
-    uses: "actions/setup-node@v4",
-    with: { "node-version": "16" },
-  },
-  {
-    uses: "actions/setup-go@v5",
-    with: { "go-version": "1.19" },
-  },
-];
-`;
-
-    fs.writeFileSync(syncTsPath, syncTsContent);
-
-    const actionVersions = {
-      "actions/setup-node": "v5",
-      "actions/setup-go": "v6",
-    };
-
-    const result = updateSyncTs(syncTsPath, actionVersions);
-    assert.equal(result, true);
-
-    const updatedContent = fs.readFileSync(syncTsPath, "utf8");
-
-    assert.ok(updatedContent.includes('uses: "actions/setup-node@v5"'));
-    assert.ok(updatedContent.includes('uses: "actions/setup-go@v6"'));
-  });
-
-  it("strips comments from versions", () => {
-    /** Test updating sync.ts file when versions have comments */
-    const syncTsContent = `
-const steps = [
-  {
-    uses: "actions/setup-node@v4",
-    with: { "node-version": "16" },
-  },
-];
-`;
-
-    fs.writeFileSync(syncTsPath, syncTsContent);
-
-    const actionVersions = {
-      "actions/setup-node": "v5 # Latest version",
-    };
-
-    const result = updateSyncTs(syncTsPath, actionVersions);
-    assert.equal(result, true);
-
-    const updatedContent = fs.readFileSync(syncTsPath, "utf8");
-
-    // sync.ts should get the version without comment
-    assert.ok(updatedContent.includes('uses: "actions/setup-node@v5"'));
-    assert.ok(!updatedContent.includes("# Latest version"));
-  });
-
-  it("returns false when no changes are needed", () => {
-    /** Test that updateSyncTs returns false when no changes are needed */
-    const syncTsContent = `
-const steps = [
-  {
-    uses: "actions/setup-node@v5",
-    with: { "node-version": "16" },
-  },
-];
-`;
-
-    fs.writeFileSync(syncTsPath, syncTsContent);
-
-    const actionVersions = {
-      "actions/setup-node": "v5",
-    };
-
-    const result = updateSyncTs(syncTsPath, actionVersions);
-    assert.equal(result, false);
-  });
-});
-
-describe("updateTemplateFiles", () => {
-  it("updates template files", () => {
-    /** Test updating template files */
-    const templateContent = `
-name: Test Template
-steps:
-  - uses: actions/checkout@v3
-  - uses: actions/setup-node@v4
-    with:
-      node-version: 16
-`;
-
-    const templatePath = path.join(checksDir, "test.yml");
-    fs.writeFileSync(templatePath, templateContent);
-
-    const actionVersions = {
-      "actions/checkout": "v4",
-      "actions/setup-node": "v5 # Latest",
-    };
-
-    const result = updateTemplateFiles(checksDir, actionVersions);
-    assert.equal(result.length, 1);
-    assert.ok(result.includes(templatePath));
-
-    const updatedContent = fs.readFileSync(templatePath, "utf8");
-
-    assert.ok(updatedContent.includes("uses: actions/checkout@v4"));
-    assert.ok(updatedContent.includes("uses: actions/setup-node@v5 # Latest"));
-  });
-
-  it("preserves version comments", () => {
-    /** Test that updating template files preserves version comments */
-    const templateContent = `
-name: Test Template
-steps:
-  - uses: ruby/setup-ruby@44511735964dcb71245e7e55f72539531f7bc0eb # v1.256.0
-`;
-
-    const templatePath = path.join(checksDir, "test.yml");
-    fs.writeFileSync(templatePath, templateContent);
-
-    const actionVersions = {
-      "ruby/setup-ruby":
-        "55511735964dcb71245e7e55f72539531f7bc0eb # v1.257.0",
-    };
-
-    const result = updateTemplateFiles(checksDir, actionVersions);
-    assert.equal(result.length, 1);
-
-    const updatedContent = fs.readFileSync(templatePath, "utf8");
-
-    assert.ok(
-      updatedContent.includes(
-        "uses: ruby/setup-ruby@55511735964dcb71245e7e55f72539531f7bc0eb # v1.257.0",
-      ),
-    );
-  });
-});
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Michael B. Gale	f56d0ec51b	Add `hasMessage` to `RecordingLogger`	2026-02-24 20:45:41 +00:00
Michael B. Gale	33edb83959	Replace `getRecordingLogger` implementation with `RecordingLogger`	2026-02-24 20:40:41 +00:00
Michael B. Gale	33276bfbdb	Add `assertNotLogged` test helper	2026-02-24 20:36:24 +00:00