Default to StartProxyRemoveUnusedRegistries behaviour

Merge pull request #3894 from github/henrymercer/require-codeql-2.19.4
Bump minimum CodeQL CLI version to 2.19.4
2026-06-02 11:55:22 +00:00 · 2026-05-18 16:17:15 +01:00 · 2026-05-18 14:55:40 +00:00 · 2026-05-18 14:27:03 +01:00 · 2026-05-15 18:13:43 +01:00 · 2026-05-15 14:58:30 +00:00
101 changed files with 256201 additions and 1158 deletions
@@ -16,12 +16,23 @@ No user facing changes.
 """

 # NB: This exact commit message is used to find commits for reverting during backports.
-# Changing it requires a transition period where both old and new versions are supported.
+# Changing it requires a transition period where both old and new versions are supported.
 BACKPORT_COMMIT_MESSAGE = 'Update version and changelog for v'

 # Name of the remote
 ORIGIN = 'origin'

+# Environment variables to check for a GitHub API token.
+TOKEN_ENVIRONMENT_VARIABLES = ('GH_TOKEN', 'GITHUB_TOKEN')
+
+# Gets a GitHub API token from one of the supported environment variables.
+def get_github_token():
+  for variable_name in TOKEN_ENVIRONMENT_VARIABLES:
+    token = os.environ.get(variable_name, '').strip()
+    if token:
+      return token
+  raise Exception('Missing GitHub token. Set GITHUB_TOKEN or GH_TOKEN.')
+
 # Runs git with the given args and returns the stdout.
 # Raises an error if git does not exit successfully (unless passed
 # allow_non_zero_exit_code=True).
@@ -270,12 +281,6 @@ def update_changelog(version):
 def main():
  parser = argparse.ArgumentParser('update-release-branch.py')

-  parser.add_argument(
-    '--github-token',
-    type=str,
-    required=True,
-    help='GitHub token, typically from GitHub Actions.'
-  )
  parser.add_argument(
    '--repository-nwo',
    type=str,
@@ -313,7 +318,7 @@ def main():
  target_branch = args.target_branch
  is_primary_release = args.is_primary_release

-  repo = Github(args.github_token).get_repo(args.repository_nwo)
+  repo = Github(get_github_token()).get_repo(args.repository_nwo)

  # the target branch will be of the form releases/vN, where N is the major version number
  target_branch_major_version = target_branch.strip('releases/v')
@@ -49,10 +49,6 @@ jobs:
      fail-fast: false
      matrix:
        include:
-          - os: ubuntu-latest
-            version: stable-v2.17.6
-          - os: ubuntu-latest
-            version: stable-v2.18.4
          - os: ubuntu-latest
            version: stable-v2.19.4
          - os: ubuntu-latest
@@ -61,6 +57,10 @@ jobs:
            version: stable-v2.21.4
          - os: ubuntu-latest
            version: stable-v2.22.4
+          - os: ubuntu-latest
+            version: stable-v2.23.9
+          - os: ubuntu-latest
+            version: stable-v2.24.3
          - os: ubuntu-latest
            version: default
          - os: ubuntu-latest
@@ -49,10 +49,6 @@ jobs:
      fail-fast: false
      matrix:
        include:
-          - os: ubuntu-latest
-            version: stable-v2.17.6
-          - os: ubuntu-latest
-            version: stable-v2.18.4
          - os: ubuntu-latest
            version: stable-v2.19.4
          - os: ubuntu-latest
@@ -61,6 +57,10 @@ jobs:
            version: stable-v2.21.4
          - os: ubuntu-latest
            version: stable-v2.22.4
+          - os: ubuntu-latest
+            version: stable-v2.23.9
+          - os: ubuntu-latest
+            version: stable-v2.24.3
          - os: ubuntu-latest
            version: default
          - os: ubuntu-latest
@@ -49,10 +49,6 @@ jobs:
      fail-fast: false
      matrix:
        include:
-          - os: ubuntu-latest
-            version: stable-v2.17.6
-          - os: ubuntu-latest
-            version: stable-v2.18.4
          - os: ubuntu-latest
            version: stable-v2.19.4
          - os: ubuntu-latest
@@ -61,6 +57,10 @@ jobs:
            version: stable-v2.21.4
          - os: ubuntu-latest
            version: stable-v2.22.4
+          - os: ubuntu-latest
+            version: stable-v2.23.9
+          - os: ubuntu-latest
+            version: stable-v2.24.3
          - os: ubuntu-latest
            version: default
          - os: ubuntu-latest
@@ -59,41 +59,41 @@ jobs:
      fail-fast: false
      matrix:
        include:
-          - os: ubuntu-latest
-            version: stable-v2.17.6
-          - os: macos-latest
-            version: stable-v2.17.6
-          - os: ubuntu-latest
-            version: stable-v2.18.4
-          - os: macos-latest
-            version: stable-v2.18.4
          - os: ubuntu-latest
            version: stable-v2.19.4
-          - os: macos-latest
+          - os: macos-latest-xlarge
            version: stable-v2.19.4
          - os: ubuntu-latest
            version: stable-v2.20.7
-          - os: macos-latest
+          - os: macos-latest-xlarge
            version: stable-v2.20.7
          - os: ubuntu-latest
            version: stable-v2.21.4
-          - os: macos-latest
+          - os: macos-latest-xlarge
            version: stable-v2.21.4
          - os: ubuntu-latest
            version: stable-v2.22.4
-          - os: macos-latest
+          - os: macos-latest-xlarge
            version: stable-v2.22.4
+          - os: ubuntu-latest
+            version: stable-v2.23.9
+          - os: macos-latest-xlarge
+            version: stable-v2.23.9
+          - os: ubuntu-latest
+            version: stable-v2.24.3
+          - os: macos-latest-xlarge
+            version: stable-v2.24.3
          - os: ubuntu-latest
            version: default
-          - os: macos-latest
+          - os: macos-latest-xlarge
            version: default
          - os: ubuntu-latest
            version: linked
-          - os: macos-latest
+          - os: macos-latest-xlarge
            version: linked
          - os: ubuntu-latest
            version: nightly-latest
-          - os: macos-latest
+          - os: macos-latest-xlarge
            version: nightly-latest
    name: Multi-language repository
    if: github.triggering_actor != 'dependabot[bot]'
@@ -40,7 +40,7 @@ jobs:
      matrix:
        include:
          - os: ubuntu-latest
-            version: stable-v2.19.3
+            version: stable-v2.19.4
          - os: ubuntu-latest
            version: stable-v2.22.1
          - os: ubuntu-latest
@@ -39,7 +39,7 @@ jobs:
      fail-fast: false
      matrix:
        include:
-          - os: macos-latest
+          - os: macos-latest-xlarge
            version: nightly-latest
    name: Swift analysis using autobuild
    if: github.triggering_actor != 'dependabot[bot]'
@@ -77,7 +77,7 @@ jobs:
    strategy:
      fail-fast: false
      matrix:
-        os: [ubuntu-22.04,ubuntu-24.04,windows-2022,windows-2025,macos-14,macos-15]
+        os: [ubuntu-22.04,ubuntu-24.04,windows-2022,windows-2025,macos-14-xlarge,macos-15-xlarge]
        tools: ${{ fromJson(needs.check-codeql-versions.outputs.versions) }}
    runs-on: ${{ matrix.os }}

@@ -6,13 +6,6 @@ env:
  # Diff informed queries add an additional query filter which is not yet
  # taken into account by these tests.
  CODEQL_ACTION_DIFF_INFORMED_QUERIES: false
-  # Specify overlay enablement manually to ensure stability around the exclude-from-incremental
-  # query filter. Here we only enable for the default code scanning suite.
-  CODEQL_ACTION_OVERLAY_ANALYSIS: true
-  CODEQL_ACTION_OVERLAY_ANALYSIS_JAVASCRIPT: false
-  CODEQL_ACTION_OVERLAY_ANALYSIS_CODE_SCANNING_JAVASCRIPT: true
-  CODEQL_ACTION_OVERLAY_ANALYSIS_STATUS_CHECK: false
-  CODEQL_ACTION_OVERLAY_ANALYSIS_SKIP_RESOURCE_CHECKS: true

 on:
  push:
@@ -79,33 +72,13 @@ jobs:
      with:
        version: ${{ matrix.version }}

-    # On PRs, overlay analysis may change the config that is passed to the CLI.
-    # Therefore, we have two variants of the following test, one for PRs and one for other events.
-    - name: Empty file (non-PR)
-      if: github.event_name != 'pull_request'
+    - name: Empty file
      uses: ./../action/.github/actions/check-codescanning-config
      with:
        expected-config-file-contents: "{}"
        languages: javascript
        tools: ${{ steps.prepare-test.outputs.tools-url }}

-    - name: Empty file (PR)
-      if: github.event_name == 'pull_request'
-      uses: ./../action/.github/actions/check-codescanning-config
-      with:
-        expected-config-file-contents: |
-          {
-            "query-filters": [
-              {
-                "exclude": {
-                  "tags": "exclude-from-incremental"
-                }
-              }
-            ]
-          }
-        languages: javascript
-        tools: ${{ steps.prepare-test.outputs.tools-url }}
-
    - name: Packs from input
      if: success() || failure()
      uses: ./../action/.github/actions/check-codescanning-config
@@ -64,11 +64,12 @@ jobs:

    - name: Update current release branch
      if: github.event_name == 'workflow_dispatch'
+      env:
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      run: |
        echo SOURCE_BRANCH=${REF_NAME}
        echo TARGET_BRANCH=releases/${MAJOR_VERSION}
        python .github/update-release-branch.py \
-          --github-token ${{ secrets.GITHUB_TOKEN }} \
          --repository-nwo ${{ github.repository }} \
          --source-branch '${{ env.REF_NAME }}' \
          --target-branch 'releases/${{ env.MAJOR_VERSION }}' \
@@ -107,11 +108,12 @@ jobs:
    - uses: ./.github/actions/release-initialise

    - name: Update older release branch
+      env:
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      run: |
        echo SOURCE_BRANCH=${SOURCE_BRANCH}
        echo TARGET_BRANCH=${TARGET_BRANCH}
        python .github/update-release-branch.py \
-          --github-token ${{ secrets.GITHUB_TOKEN }} \
          --repository-nwo ${{ github.repository }} \
          --source-branch ${SOURCE_BRANCH} \
          --target-branch ${TARGET_BRANCH} \
@@ -4,6 +4,13 @@ See the [releases page](https://github.com/github/codeql-action/releases) for th

 ## [UNRELEASED]

+- _Breaking change_: Bump the minimum required CodeQL bundle version to 2.19.4. [#3894](https://github.com/github/codeql-action/pull/3894)
+- Add support for SHA-256 Git object IDs. [#3893](https://github.com/github/codeql-action/pull/3893)
+
+## 4.35.5 - 15 May 2026
+
+- We have improved how the JavaScript bundles for the CodeQL Action are generated to avoid duplication across bundles and reduce the size of the repository by around 70%. This should have no effect on the runtime behaviour of the CodeQL Action. [#3899](https://github.com/github/codeql-action/pull/3899)
+- For performance and accuracy reasons, [improved incremental analysis](https://github.com/github/roadmap/issues/1158) will now only be enabled on a pull request when diff-informed analysis is also enabled for that run. If diff-informed analysis is unavailable (for example, because the PR diff ranges could not be computed), the action will fall back to a full analysis. [#3791](https://github.com/github/codeql-action/pull/3791)
 - If multiple inputs are provided for the GitHub-internal `analysis-kinds` input, only `code-scanning` will be enabled. The `analysis-kinds` input is experimental, for GitHub-internal use only, and may change without notice at any time. [#3892](https://github.com/github/codeql-action/pull/3892)
 - Added an experimental change which, when running a Code Scanning analysis for a PR with [improved incremental analysis](https://github.com/github/roadmap/issues/1158) enabled, prefers CodeQL CLI versions that have a cached overlay-base database for the configured languages. This speeds up analysis for a repository when there is not yet a cached overlay-base database for the latest CLI version. We expect to roll this change out to everyone in May. [#3880](https://github.com/github/codeql-action/pull/3880)

@@ -71,7 +71,7 @@ Once the mergeback and backport pull request have been merged, the release is co

 Since the `codeql-action` runs most of its testing through individual Actions workflows, there are over two hundred required jobs that need to pass in order for a PR to turn green. It would be too tedious to maintain that list manually. You can regenerate the set of required checks automatically by running the [sync-checks.ts](pr-checks/sync-checks.ts) script:

- At a minimum, you must provide an argument for the `--token` input. For example, `--token "$(gh auth token)"` to use the same token that `gh` uses. If no token is provided or the token has insufficient permissions, the script will fail.
+- At a minimum, you must provide a token with permissions to update branch protection rules. For example, `gh auth token | pr-checks/sync-checks.ts --token-stdin` uses the same token that `gh` uses. You can also set the `GH_TOKEN` or `GITHUB_TOKEN` environment variable. If no token is provided or the token has insufficient permissions, the script will fail.
 - By default, the script performs a dry run and outputs information about the changes it would make to the branch protection rules. To actually apply the changes, specify the `--apply` flag.
 - If you run the script without any other arguments, it will retrieve the set of workflows that ran for the latest commit on `main`.
 - You can specify a different git ref with the `--ref` input. You will likely want to use this if you have a PR that removes or adds PR checks. For example, `--ref "some/branch/name"` to use the HEAD of the `some/branch/name` branch.
@@ -78,8 +78,6 @@ We typically release new minor versions of the CodeQL Action and Bundle when a n
 | `v3.28.21` | `2.21.3` | Enterprise Server 3.18 | |
 | `v3.28.12` | `2.20.7` | Enterprise Server 3.17 | |
 | `v3.28.6` | `2.20.3` | Enterprise Server 3.16 | |
-| `v3.28.6` | `2.20.3` | Enterprise Server 3.15 | |
-| `v3.28.6` | `2.20.3` | Enterprise Server 3.14 | |

 See the full list of GHES release and deprecation dates at [GitHub Enterprise Server releases](https://docs.github.com/en/enterprise-server/admin/all-releases#releases-of-github-enterprise-server).

@@ -95,5 +95,5 @@ outputs:
    description: The ID of the uploaded SARIF file.
 runs:
  using: node24
-  main: "../lib/analyze-action.js"
-  post: "../lib/analyze-action-post.js"
+  main: "../lib/analyze-entry.js"
+  post: "../lib/analyze-post-entry.js"
@@ -16,4 +16,4 @@ inputs:
    required: false
 runs:
  using: node24
-  main: '../lib/autobuild-action.js'
+  main: '../lib/autobuild-entry.js'
@@ -1,5 +1,5 @@
-import { copyFile, rm, writeFile } from "node:fs/promises";
-import { dirname, join } from "node:path";
+import { copyFile, readFile, rm, writeFile } from "node:fs/promises";
+import { basename, dirname, join } from "node:path";
 import { fileURLToPath } from "node:url";

 import * as esbuild from "esbuild";
@@ -47,27 +47,6 @@ const copyDefaultsPlugin = {
  },
 };

-/**
- * Mark `lib/` as an ESM scope by writing `lib/package.json` with
- * `{ "type": "module" }`. This lets the bundles use the regular `.js`
- * extension while still being loaded as ESM by Node, without affecting
- * the rest of the repo (the root package.json stays CJS so the tsc
- * output in `build/` and any other consumers are unchanged).
- *
- * @type {esbuild.Plugin}
- */
-const writeLibPackageJsonPlugin = {
-  name: "write-lib-package-json",
-  setup(build) {
-    build.onEnd(async () => {
-      await writeFile(
-        join(OUT_DIR, "package.json"),
-        JSON.stringify({ type: "module" }) + "\n",
-      );
-    });
-  },
-};
-
 /**
 * Log when the build ends.
 *
@@ -83,45 +62,123 @@ const onEndPlugin = {
  },
 };

-// Banner injected into every emitted ESM file so that bundled CommonJS
-// dependencies which call `require(...)` at runtime (e.g. parts of the
-// Azure SDK + undici stack pulled in transitively by `@actions/cache` and
-// `@actions/artifact`), or read `__filename` / `__dirname`, keep working.
-const esmCompatBanner = [
-  `import { createRequire as __codeqlCreateRequire } from "module";`,
-  `import { fileURLToPath as __codeqlFileURLToPath } from "url";`,
-  `import { dirname as __codeqlDirname } from "path";`,
-  `var require = __codeqlCreateRequire(import.meta.url);`,
-  `var __filename = __codeqlFileURLToPath(import.meta.url);`,
-  `var __dirname = __codeqlDirname(__filename);`,
-].join("");
+/** The name of the virtual `entry-points` module. */
+const SHARED_ENTRYPOINT = "entry-points";
+
+/**
+ * This plugin finds all source files that contain Action entry points.
+ * It then generates the virtual `entry-points` module which imports all identified files,
+ * and re-exports their `runWrapper` functions with suitable aliases.
+ * A tiny stub file is emitted for each Action entrypoint. Each stub imports the shared bundle
+ * and calls the respective entry point.
+ *
+ * @type {esbuild.Plugin}
+ */
+const entryPointsPlugin = {
+  name: "entry-points",
+  setup(build) {
+    const namespace = "actions";
+    const actions = [];
+
+    const toPascal = (s) =>
+      s.replace(/(^|-)([a-z0-9])/gi, (_, __, c) => c.toUpperCase());
+
+    // Find the source files containing Action entry points.
+    build.onStart(() => {
+      const actionFiles = globSync("src/*-action{,-post}.ts");
+      for (const actionFile of actionFiles) {
+        const match = basename(actionFile).match(/(.*)-action(-post)?/);
+
+        if (match.length < 2) {
+          throw new Error(`'${actionFile}' didn't match expected pattern.`);
+        }
+
+        const actionName = match[1];
+        const isPost = match[2] !== undefined;
+
+        actions.push({
+          path: actionFile,
+          name: actionName,
+          isPost,
+          pascalCaseName: `${toPascal(actionName)}${isPost ? "Post" : ""}Action`,
+        });
+      }
+    });
+
+    // Resolve the virtual `entry-points` file and set the corresponding namespace.
+    // Ideally, we'd `RegExp.escape` the entrypoint here, but that API isn't supported in Node 20.
+    // Since we're dealing with a hardcoded string, this isn't too much of a problem.
+    build.onResolve({ filter: new RegExp(`^${SHARED_ENTRYPOINT}$`) }, () => {
+      return { path: SHARED_ENTRYPOINT, namespace };
+    });
+
+    // Generate the virtual `entry-points` file based on the Actions we discovered.
+    // Restrict using the namespace. The path filter does not need to discriminate any further.
+    build.onLoad({ filter: /.*/, namespace }, async () => {
+      const wrapperTemplatePath = "entry-wrapper.js.tpl";
+      const wrapperTemplate = await readFile(
+        join(SRC_DIR, wrapperTemplatePath),
+        "utf-8",
+      );
+
+      const actionsSorted = actions.sort((a, b) =>
+        a.name.localeCompare(b.name),
+      );
+      const imports = actionsSorted
+        .map(
+          (action) =>
+            `import * as ${action.pascalCaseName} from "./src/${basename(action.path)}";`,
+        )
+        .join("\n");
+      const wrappers = actionsSorted
+        .map((action) =>
+          wrapperTemplate.replaceAll("__ACTION__", action.pascalCaseName),
+        )
+        .join("\n\n");
+
+      return {
+        contents: `"use strict";\n${imports}\n\n${wrappers}\n`,
+        resolveDir: ".",
+        loader: "ts",
+      };
+    });
+
+    // Emit entry point stubs for each Action using the entry template.
+    build.onEnd(async (result) => {
+      // Read the entry point template.
+      const templatePath = "action-entry.js.tpl";
+      const template = await readFile(join(SRC_DIR, templatePath), "utf-8");
+
+      const makeHeader = (sourceFile) =>
+        `// Automatically generated from '${templatePath}' for 'src/${basename(sourceFile)}'.\n\n`;
+
+      // Write entry point stubs for each Action.
+      for (const action of actions) {
+        await writeFile(
+          join(
+            OUT_DIR,
+            `${action.name}${action.isPost ? "-post" : ""}-entry.js`,
+          ),
+          makeHeader(action.path) +
+            template.replaceAll("__ACTION__", action.pascalCaseName),
+        );
+      }
+    });
+  },
+};

 const context = await esbuild.context({
  // Include upload-lib.ts as an entry point for use in testing environments.
-  entryPoints: globSync([
-    `${SRC_DIR}/*-action.ts`,
-    `${SRC_DIR}/*-action-post.ts`,
-    "src/upload-lib.ts",
-  ]),
+  entryPoints: [
+    { in: SHARED_ENTRYPOINT, out: SHARED_ENTRYPOINT },
+    join(SRC_DIR, "upload-lib.ts"),
+  ],
  bundle: true,
-  // Use ESM with code splitting so shared modules (Azure storage, undici,
-  // octokit, ...) live in shared chunk files instead of being duplicated
-  // into every entry bundle. Node treats these `.js` files as ESM because
-  // `writeLibPackageJsonPlugin` writes `lib/package.json` with
-  // `"type": "module"`.
-  format: "esm",
-  splitting: true,
-  minify: true,
-  chunkNames: "chunks/chunk-[hash]",
-  banner: { js: esmCompatBanner },
+  format: "cjs",
  outdir: OUT_DIR,
  platform: "node",
-  plugins: [
-    cleanPlugin,
-    copyDefaultsPlugin,
-    writeLibPackageJsonPlugin,
-    onEndPlugin,
-  ],
+  external: ["./entry-points"],
+  plugins: [cleanPlugin, copyDefaultsPlugin, entryPointsPlugin, onEndPlugin],
  target: ["node20"],
  define: {
    __CODEQL_ACTION_VERSION__: JSON.stringify(pkg.version),
@@ -171,5 +171,5 @@ outputs:
    description: The version of the CodeQL binary used for analysis
 runs:
  using: node24
-  main: '../lib/init-action.js'
-  post: '../lib/init-action-post.js'
+  main: '../lib/init-entry.js'
+  post: '../lib/init-post-entry.js'
@@ -1,2 +0,0 @@
-import { createRequire as __codeqlCreateRequire } from "module";import { fileURLToPath as __codeqlFileURLToPath } from "url";import { dirname as __codeqlDirname } from "path";var require = __codeqlCreateRequire(import.meta.url);var __filename = __codeqlFileURLToPath(import.meta.url);var __dirname = __codeqlDirname(__filename);
-import{b as y}from"./chunks/chunk-WKICWMYU.js";import"./chunks/chunk-5ZRYQL45.js";import"./chunks/chunk-U2JW7LOC.js";import"./chunks/chunk-GX7WDUZJ.js";import{a as d,b as g}from"./chunks/chunk-HIJVM6IW.js";import{h as f}from"./chunks/chunk-LYJYPMC2.js";import{J as n,La as a,Ta as c,c as b,cc as p,fa as t,k as A,ta as s,zb as m}from"./chunks/chunk-V6LGBXSF.js";var u=b(A());import*as o from"fs";async function C(){try{a();let e=m(),l=await c();if(n(l,e),process.env.CODEQL_ACTION_INIT_HAS_RUN==="true"){let r=await p(s(),e);if(r!==void 0){let v=await(await f(r.codeQLCmd)).getVersion();await y(e,r.gitHubVersion.type,v.version)}}let D=[d(),g()];for(let r of D)if(o.existsSync(r))try{o.rmSync(r,{recursive:!0})}catch(i){e.info(`Failed to remove temporary dependencies directory: ${t(i)}`)}}catch(e){u.setFailed(`analyze post-action step failed: ${t(e)}`)}}C();
@@ -0,0 +1,6 @@
+// Automatically generated from 'action-entry.js.tpl' for 'src/analyze-action.ts'.
+
+"use strict";
+
+const import_entry_points = require("./entry-points");
+void (0, import_entry_points.runAnalyzeAction)();
@@ -0,0 +1,6 @@
+// Automatically generated from 'action-entry.js.tpl' for 'src/analyze-action-post.ts'.
+
+"use strict";
+
+const import_entry_points = require("./entry-points");
+void (0, import_entry_points.runAnalyzePostAction)();
@@ -1,2 +0,0 @@
-import { createRequire as __codeqlCreateRequire } from "module";import { fileURLToPath as __codeqlFileURLToPath } from "url";import { dirname as __codeqlDirname } from "path";var require = __codeqlCreateRequire(import.meta.url);var __filename = __codeqlFileURLToPath(import.meta.url);var __dirname = __codeqlDirname(__filename);
-import{a as B,c as U}from"./chunks/chunk-U2JW7LOC.js";import{c as V,e as f,f as p,h as _}from"./chunks/chunk-B34OPX2S.js";import{e as D,h as k}from"./chunks/chunk-LYJYPMC2.js";import{J as w,L as b,O as C,Ta as S,c as H,cc as E,ea as h,fa as y,ga as d,ha as L,k as I,sa as A,ta as R,ua as g,zb as l}from"./chunks/chunk-V6LGBXSF.js";var s=H(I());async function F(o,t,e,c,r,i){b(g());let a=V(i,r),n=await f("autobuild",a,e,o,await d(t),t,i?.message,i?.stack);if(n!==void 0){let u={...n,autobuild_languages:c.join(","),autobuild_failure:r};await p(u)}}async function T(o){let t=l(),e,c,r;try{let i=await f("autobuild","starting",o,e,await d(t),t);i!==void 0&&await p(i);let a=await S();if(w(a,t),L(g(),a),e=await E(R(),t),e===void 0)throw new C("Config file could not be found at expected location. Has the 'init' action been called?");let n=await k(e.codeQLCmd);if(r=await B(n,e,t),r!==void 0){let u=A("working-directory");u&&(t.info(`Changing autobuilder working directory to ${u}`),process.chdir(u));for(let m of r)c=m,await U(e,m,t)}await D(n,e,t)}catch(i){let a=h(i);s.setFailed(`We were unable to automatically build your code. Please replace the call to the autobuild action with your custom build steps. ${a.message}`),await F(e,t,o,r??[],c,a);return}s.exportVariable("CODEQL_ACTION_AUTOBUILD_DID_COMPLETE_SUCCESSFULLY","true"),await F(e,t,o,r??[])}async function v(){let o=new Date,t=l();try{await T(o)}catch(e){s.setFailed(`autobuild action failed. ${y(e)}`),await _("autobuild",o,e,t)}}v();
@@ -0,0 +1,6 @@
+// Automatically generated from 'action-entry.js.tpl' for 'src/autobuild-action.ts'.
+
+"use strict";
+
+const import_entry_points = require("./entry-points");
+void (0, import_entry_points.runAutobuildAction)();
@@ -1,10 +0,0 @@
-import { createRequire as __codeqlCreateRequire } from "module";import { fileURLToPath as __codeqlFileURLToPath } from "url";import { dirname as __codeqlDirname } from "path";var require = __codeqlCreateRequire(import.meta.url);var __filename = __codeqlFileURLToPath(import.meta.url);var __dirname = __codeqlDirname(__filename);
-import{g as E}from"./chunk-LYJYPMC2.js";import{$b as v,Bb as L,Da as w,Fa as d,H as g,Ma as C,O as m,c as p,ec as P,fa as c,h as A,i as F,k as V,m as $,n as h,sa as b}from"./chunk-V6LGBXSF.js";var R=p(V()),k=p(F()),S=p($()),O=p(A());import*as n from"fs";import*as l from"path";async function ne(e,o,t,r,i,a,u,s,f){f.startGroup("Setup CodeQL tools");let{codeql:y,toolsDownloadStatusReport:D,toolsSource:I,toolsVersion:_,zstdAvailability:T}=await E(e,o,t,r,i,a,u,s,f,!0);return await y.printVersion(),f.endGroup(),{codeql:y,toolsDownloadStatusReport:D,toolsSource:I,toolsVersion:_,zstdAvailability:T}}async function ie(e,o){return await L("Load language configuration",async()=>await v(e,o))}async function ae(e,o,t,r,i,a,u){n.mkdirSync(t.dbLocation,{recursive:!0}),await P(e,async()=>await o.databaseInitCluster(t,r,i,a,u))}async function se(e,o,t){let r=(await e.getVersion()).overlayVersion;if(r===void 0)return t.warning("The CodeQL CLI does not support overlay analysis."),!1;for(let i of o.languages){let a=g(o,i);if((await e.resolveQueriesStartingPacks([a])).some(s=>!Q(s,r,t)))return!1}return!0}function Q(e,o,t){try{let r=l.join(e,"qlpack.yml");if(n.existsSync(r)||(r=l.join(e,"codeql-pack.yml")),!h(n.readFileSync(r,"utf8")).buildMetadata)return!0;let a=l.join(e,".packinfo");if(!n.existsSync(a))return t.warning(`The query pack at ${e} does not have a .packinfo file, so it cannot support overlay analysis. Recompiling the query pack with the latest CodeQL CLI should solve this problem.`),!1;let s=JSON.parse(n.readFileSync(a,"utf8")).overlayVersion;if(typeof s!="number")return t.warning(`The .packinfo file for the query pack at ${e} does not have the overlayVersion field, which indicates that the pack is not compatible with overlay analysis.`),!1;if(s!==o)return t.warning(`The query pack at ${e} was compiled with overlay version ${s}, but the CodeQL CLI supports overlay version ${o}. The query pack needs to be recompiled to support overlay analysis.`),!1}catch(r){return t.warning(`Error while checking pack at ${e} for overlay compatibility: ${c(r)}`),!1}return!0}async function le(e,o){if(e.includes("python")&&process.platform==="win32"&&!(await o.getVersion()).features?.supportsPython312){let t=l.resolve(__dirname,"../python-setup","check_python12.ps1");await new k.ToolRunner(await O.which("powershell",!0),[t]).exec()}}function ue(e,o,t={},r=n.rmSync){if(n.existsSync(e.dbLocation)&&(n.statSync(e.dbLocation).isFile()||n.readdirSync(e.dbLocation).length>0)){t.disableExistingDirectoryWarning||o.warning(`The database cluster directory ${e.dbLocation} must be empty. Attempting to clean it up.`);try{r(e.dbLocation,{force:!0,maxRetries:3,recursive:!0}),o.info(`Cleaned up database cluster directory ${e.dbLocation}.`)}catch(i){let a=`The CodeQL Action requires an empty database cluster directory. ${b("db-location")?`This is currently configured to be ${e.dbLocation}. `:`By default, this is located at ${e.dbLocation}. You can customize it using the 'db-location' input to the init Action. `}An attempt was made to clean up the directory, but this failed.`;throw w()?new m(`${a} This can happen if another process is using the directory or the directory is owned by a different user. Please clean up the directory manually and rerun the job. Details: ${c(i)}`):new Error(`${a} This shouldn't typically happen on hosted runners. If you are using an advanced setup, please check your workflow, otherwise we recommend rerunning the job. Details: ${c(i)}`)}}}async function pe(e,o,t,r){return e?{enabled:!0,enabledByRepositoryProperty:!1,showDeprecationWarning:!1}:C()?(process.env.CODEQL_ACTION_FILE_COVERAGE_ON_PRS||"").toLocaleLowerCase()==="true"?{enabled:!0,enabledByRepositoryProperty:!1,showDeprecationWarning:!1}:r["github-codeql-file-coverage-on-prs"]===!0?{enabled:!0,enabledByRepositoryProperty:!0,showDeprecationWarning:!1}:await t.getValue("skip_file_coverage_on_prs",o)?{enabled:!1,enabledByRepositoryProperty:!1,showDeprecationWarning:!1}:{enabled:!0,enabledByRepositoryProperty:!1,showDeprecationWarning:!0}:{enabled:!0,enabledByRepositoryProperty:!1,showDeprecationWarning:!1}}function ce(e){if(process.env.CODEQL_ACTION_DID_LOG_FILE_COVERAGE_ON_PRS_DEPRECATION)return;let o=S.context.payload.repository?.owner.type,t="Starting April 2026, the CodeQL Action will skip computing file coverage information on pull requests to improve analysis performance. File coverage information will still be computed on non-PR analyses.",r="set the `CODEQL_ACTION_FILE_COVERAGE_ON_PRS` environment variable to `true`.",i='create a custom repository property with the name `github-codeql-file-coverage-on-prs` and the type "True/false", then set this property to `true` in the repository\'s settings.';o==="Organization"?d()?t+=`
-
-To opt out of this change, ${i}`:t+=`
-
-To opt out of this change, ${r} Alternatively, ${i}`:d()?t+=`
-
-To opt out of this change, switch to an advanced setup workflow and ${r}`:t+=`
-
-To opt out of this change, ${r}`,e.warning(t),R.exportVariable("CODEQL_ACTION_DID_LOG_FILE_COVERAGE_ON_PRS_DEPRECATION","true")}export{ne as a,ie as b,ae as c,se as d,le as e,ue as f,pe as g,ce as h};
@@ -1,2 +0,0 @@
-import { createRequire as __codeqlCreateRequire } from "module";import { fileURLToPath as __codeqlFileURLToPath } from "url";import { dirname as __codeqlDirname } from "path";var require = __codeqlCreateRequire(import.meta.url);var __filename = __codeqlFileURLToPath(import.meta.url);var __dirname = __codeqlDirname(__filename);
-import{g as n,k as p,l as d,n as f}from"./chunk-XFYKKQKY.js";import{oa as l,rb as e}from"./chunk-V6LGBXSF.js";async function w(s,u,m,i,c,y,P){let b=await n(s,c),o={};for(let[t,g]of l(b)){let a=e(t),r=await p(s,u,i,g,y,a);await d(s,P,a,r),m==="always"&&(o[t]=await f(s,i,a,r))}return o}export{w as a};
@@ -1,21 +0,0 @@
-import { createRequire as __codeqlCreateRequire } from "module";import { fileURLToPath as __codeqlFileURLToPath } from "url";import { dirname as __codeqlDirname } from "path";var require = __codeqlCreateRequire(import.meta.url);var __filename = __codeqlFileURLToPath(import.meta.url);var __dirname = __codeqlDirname(__filename);
-import{b as Y}from"./chunk-U2JW7LOC.js";import{a as j,b as H}from"./chunk-HIJVM6IW.js";import{e as z}from"./chunk-LYJYPMC2.js";import{Bb as k,Db as U,Eb as q,G as b,H as Q,Lb as B,c as te,ea as A,fa as N,h as ne,hc as v,jc as G,n as x,nb as R,o as O,pb as F,ra as $,ta as M}from"./chunk-V6LGBXSF.js";var K=te(ne());import*as c from"fs";import*as p from"path";import{performance as D}from"perf_hooks";var T=class extends Error{constructor(t,a,r){super(a);this.queriesStatusReport=t;this.message=a;this.error=r;this.name="CodeQLAnalysisError"}queriesStatusReport;message;error};async function ae(n){let e=process.env.CODEQL_PYTHON;e===void 0||e.length===0||n.warning(`The CODEQL_PYTHON environment variable is no longer supported. Please remove it from your workflow. This environment variable was originally used to specify a Python executable that included the dependencies of your Python code, however Python analysis no longer uses these dependencies.
-If you used CODEQL_PYTHON to force the version of Python to analyze as, please use CODEQL_EXTRACTOR_PYTHON_ANALYSIS_VERSION instead, such as 'CODEQL_EXTRACTOR_PYTHON_ANALYSIS_VERSION=2.7' or 'CODEQL_EXTRACTOR_PYTHON_ANALYSIS_VERSION=3.11'.`)}async function re(n,e,t,a){for(let r of t.languages){if(X(t,r,a)){a.debug(`Database for ${r} has already been finalized, skipping extraction.`);continue}await ie(n,t,r)&&(a.startGroup(`Extracting ${r}`),r==="python"&&await ae(a),t.buildMode?(r==="cpp"&&t.buildMode==="autobuild"&&await Y(n,a),r==="java"&&t.buildMode==="none"&&(process.env.CODEQL_EXTRACTOR_JAVA_OPTION_BUILDLESS_DEPENDENCY_DIR=j()),r==="csharp"&&t.buildMode==="none"&&await e.getValue("csharp_cache_bmn")&&(process.env.CODEQL_EXTRACTOR_CSHARP_OPTION_BUILDLESS_DEPENDENCY_DIR=H()),await n.extractUsingBuildMode(t,r)):await n.extractScannedLanguage(t,r),a.endGroup())}}async function ie(n,e,t){return e.buildMode==="none"||e.buildMode==="autobuild"&&process.env.CODEQL_ACTION_AUTOBUILD_DID_COMPLETE_SUCCESSFULLY!=="true"||!e.buildMode&&await n.isScannedLanguage(t)}function X(n,e,t){let a=b(n,e);try{return!("inProgress"in x(c.readFileSync(p.resolve(a,"codeql-database.yml"),"utf8")))}catch{return t.warning(`Could not check whether database for ${e} was finalized. Assuming it is not.`),!1}}async function se(n,e,t,a,r,o){let i=D.now();await re(n,e,t,o);let d=D.now()-i,_=D.now();for(let m of t.languages)X(t,m,o)?o.info(`There is already a finalized database for ${m} at the location where the CodeQL Action places databases, so we did not create one.`):(o.startGroup(`Finalizing ${m}`),await n.finalizeDatabase(b(t,m),a,r,t.debugMode),o.endGroup());let l=D.now()-_;return{scanned_language_extraction_duration_ms:Math.round(d),trap_import_duration_ms:Math.round(l)}}async function Me(n){return await k("Generating diff range extension pack",async()=>{let e=B(n);if(e===void 0){n.info("No precomputed diff ranges found; skipping diff-informed analysis stage.");return}let t=$("checkout_path"),a=ue(n,e,t);return n.info(`Successfully created diff range extension pack at ${a}.`),a})}function oe(n,e){let t=`
-extensions:
-  - addsTo:
-      pack: codeql/util
-      extensible: restrictAlertsTo
-      checkPresence: false
-    data:
-`,a=n.map(r=>{let o=p.join(e,r.path).replaceAll(p.sep,"/");return`      - [${O(o,{forceQuotes:!0}).trim()}, ${r.startLine}, ${r.endLine}]
-`}).join("");return a||(a=`      - ["", 0, 0]
-`),t+a}function ue(n,e,t){e.length===0&&(e=[{path:"",startLine:0,endLine:0}]);let a=p.join(M(),"pr-diff-range");c.mkdirSync(a,{recursive:!0}),c.writeFileSync(p.join(a,"qlpack.yml"),`
-name: codeql-action/pr-diff-range
-version: 0.0.0
-library: true
-extensionTargets:
-  codeql/util: '*'
-dataExtensions:
-  - pr-diff-range.yml
-`);let r=oe(e,t),o=p.join(a,"pr-diff-range.yml");return c.writeFileSync(o,r),n.debug(`Wrote pr-diff-range extension pack to ${o}:
-${r}`),a}var le=new Set(["security-experimental","security-extended","security-and-quality","code-quality","code-scanning"]);function V(n,e){return le.has(e)?`${n}-${e}.qls`:e}function de(n,e){return`${e}${n.sarifExtension}`}async function Fe(n,e,t,a,r,o,i,d,_){let l={},m=[e,t],L=[];i.overlayDatabaseMode!=="overlay-base"&&m.push("--expect-discarded-cache"),l.analysis_is_diff_informed=a!==void 0,a&&(m.push(`--additional-packs=${a}`),m.push("--extension-packs=codeql-action/pr-diff-range"),L.push("diff-informed")),l.analysis_is_overlay=i.overlayDatabaseMode==="overlay",l.analysis_builds_overlay_base_database=i.overlayDatabaseMode==="overlay-base",i.overlayDatabaseMode==="overlay"&&L.push("overlay");let J=L.length>0?`--sarif-run-property=incrementalMode=${L.join(",")}`:void 0,W=G(i);for(let s of i.languages)try{let u=[];if(i.analysisKinds.length>1&&(u.push(Q(i,s)),v(i)))for(let C of R)u.push(V(s,C));d.startGroup(`Running queries for ${s}`);let y=new Date().getTime(),h=b(i,s);await o.databaseRunQueries(h,m,u),d.debug(`Finished running queries for ${s}.`),l[`analyze_builtin_queries_${s}_duration_ms`]=new Date().getTime()-y;let g=new Date,{summary:f,sarifFile:I}=await S(W,s,void 0,i.debugMode),w;i.analysisKinds.length>1&&v(i)&&(w=(await S(F,s,R.map(E=>V(s,E)),i.debugMode)).summary);let P=new Date;if(l[`interpret_results_${s}_duration_ms`]=P.getTime()-g.getTime(),d.endGroup(),f.trim()&&d.info(f),w?.trim()&&d.info(w),i.enableFileCoverageInformation||d.info("To speed up pull request analysis, file coverage information is only enabled when analyzing the default branch and protected branches."),await _.getValue("qa_telemetry_enabled")){let C=ee(I),E={event:"codeql database interpret-results",started_at:g.toISOString(),completed_at:P.toISOString(),exit_status:"success",language:s,properties:{alertCounts:C}};l.event_reports===void 0&&(l.event_reports=[]),l.event_reports.push(E)}}catch(u){throw l.analyze_failure_language=s,new T(l,`Error running analysis for ${s}: ${N(u)}`,A(u))}return l;async function S(s,u,y,h){d.info(`Interpreting ${s.name} results for ${u}`);let g=s.fixCategory(d,r),f=p.join(n,de(s,u));return{summary:await Z(u,y,f,h,g),sarifFile:f}}async function Z(s,u,y,h,g){let f=b(i,s);return await o.databaseInterpretResults(f,u,y,t,h?"-vv":"-v",J,g,i,_)}function ee(s){let u=JSON.parse(c.readFileSync(s,"utf8")),y={};for(let h of u.runs)if(h.results)for(let g of h.results){let f=g.rule?.id||g.ruleId;f&&(y[f]=(y[f]||0)+1)}return y}}async function ke(n,e,t,a,r,o,i){try{await c.promises.rm(e,{force:!0,recursive:!0})}catch(_){if(_?.code!=="ENOENT")throw _}await c.promises.mkdir(e,{recursive:!0});let d=await se(r,n,o,t,a,i);return process.env.CODEQL_ACTION_AUTOBUILD_DID_COMPLETE_SUCCESSFULLY!=="true"&&await z(r,o,i),d}async function Ue(n,e){let t=process.env.CODEQL_ACTION_GO_BINARY;if(process.env.CODEQL_ACTION_DID_AUTOBUILD_GOLANG!=="true"&&t!==void 0){let a=await K.which("go",!0);t!==a&&(e.warning(`Expected \`which go\` to return ${t}, but got ${a}: please ensure that the correct version of Go is installed before the \`codeql-action/init\` Action is used.`),q(n,"go",U("go/workflow/go-installed-after-codeql-init","Go was installed after the `codeql-action/init` Action was run",{markdownMessage:"To avoid interfering with the CodeQL analysis, perform all installation steps before calling the `github/codeql-action/init` Action.",visibility:{statusPage:!0,telemetry:!0,cliSummaryTable:!0},severity:"warning"})))}}export{T as a,X as b,Me as c,Fe as d,ke as e,Ue as f};
@@ -1,2 +0,0 @@
-import { createRequire as __codeqlCreateRequire } from "module";import { fileURLToPath as __codeqlFileURLToPath } from "url";import { dirname as __codeqlDirname } from "path";var require = __codeqlCreateRequire(import.meta.url);var __filename = __codeqlFileURLToPath(import.meta.url);var __dirname = __codeqlDirname(__filename);
-import{c as F,fa as m,j as k}from"./chunk-V6LGBXSF.js";var l=F(k());import*as d from"fs";import*as h from"os";import*as f from"path";var S={type:"Personal Access Token (Classic)",pattern:/\bghp_[a-zA-Z0-9]{36}\b/g},z={type:"Personal Access Token (Fine-grained)",pattern:/\bgithub_pat_[a-zA-Z0-9_]+\b/g},b=[S,z,{type:"OAuth Access Token",pattern:/\bgho_[a-zA-Z0-9]{36}\b/g},{type:"User-to-Server Token",pattern:/\bghu_[a-zA-Z0-9]{36}\b/g},{type:"Server-to-Server Token",pattern:/\bghs_[a-zA-Z0-9]{36}\b/g},{type:"Refresh Token",pattern:/\bghr_[a-zA-Z0-9]{36}\b/g},{type:"App Installation Access Token",pattern:/\bghs_[a-zA-Z0-9]{255}\b/g}];function R(e,a=b){for(let{type:t,pattern:s}of a)if(e.match(s))return t}function x(e,a,t){let s=[];try{let i=d.readFileSync(e,"utf8");for(let{type:u,pattern:r}of b){let o=i.match(r);if(o){for(let c=0;c<o.length;c++)s.push({tokenType:u,filePath:a});t.debug(`Found ${o.length} ${u}(s) in ${a}`)}}return s}catch(i){return t.debug(`Could not scan file ${e} for tokens: ${m(i)}`),[]}}async function $(e,a,t,s,i=0){if(i>10)throw new Error(`Maximum archive extraction depth (10) reached for ${e}`);if(process.platform==="win32")throw new Error("Scanning archives is not supported on Windows.");let r={scannedFiles:0,findings:[]};try{let o=d.mkdtempSync(f.join(t,`extract-${i}-`)),c=f.basename(e).toLowerCase();if(c.endsWith(".tar.gz")||c.endsWith(".tgz"))s.debug(`Extracting tar.gz file: ${e}`),await l.exec("tar",["-xzf",e,"-C",o],{silent:!0});else if(c.endsWith(".tar.zst"))s.debug(`Extracting tar.zst file: ${e}`),await l.exec("tar",["--zstd","-xf",e,"-C",o],{silent:!0});else if(c.endsWith(".zst")){s.debug(`Extracting zst file: ${e}`);let p=f.join(o,f.basename(e,".zst"));await l.exec("zstd",["-d",e,"-o",p],{silent:!0})}else if(c.endsWith(".gz")){s.debug(`Extracting gz file: ${e}`);let p=f.join(o,f.basename(e,".gz"));await l.exec("gunzip",["-c",e],{outStream:d.createWriteStream(p),silent:!0})}else c.endsWith(".zip")&&(s.debug(`Extracting zip file: ${e}`),await l.exec("unzip",["-q","-o",e,"-d",o],{silent:!0}));let n=await T(o,a,s,i+1);r.scannedFiles+=n.scannedFiles,r.findings.push(...n.findings),d.rmSync(o,{recursive:!0,force:!0})}catch(o){s.debug(`Could not extract or scan archive file ${e}: ${m(o)}`)}return r}async function A(e,a,t,s,i=0){let u={scannedFiles:1,findings:[]},r=f.basename(e).toLowerCase();if(r.endsWith(".zip")||r.endsWith(".tar.gz")||r.endsWith(".tgz")||r.endsWith(".tar.zst")||r.endsWith(".zst")||r.endsWith(".gz")){let n=await $(e,a,t,s,i);u.scannedFiles+=n.scannedFiles,u.findings.push(...n.findings)}let c=x(e,a,s);return u.findings.push(...c),u}async function T(e,a,t,s=0){let i={scannedFiles:0,findings:[]},u=d.readdirSync(e,{withFileTypes:!0});for(let r of u){let o=f.join(e,r.name),c=f.join(a,r.name);if(r.isDirectory()){let n=await T(o,c,t,s);i.scannedFiles+=n.scannedFiles,i.findings.push(...n.findings)}else if(r.isFile()){let n=await A(o,c,f.dirname(o),t,s);i.scannedFiles+=n.scannedFiles,i.findings.push(...n.findings)}}return i}async function _(e,a){a.info("Starting best-effort check for potential GitHub tokens in debug artifacts (for testing purposes only)...");let t={scannedFiles:0,findings:[]},s=d.mkdtempSync(f.join(h.tmpdir(),"artifact-scan-"));try{for(let n of e){let p=d.statSync(n),y=f.basename(n);if(p.isDirectory()){let g=await T(n,y,a);t.scannedFiles+=g.scannedFiles,t.findings.push(...g.findings)}else if(p.isFile()){let g=await A(n,y,s,a);t.scannedFiles+=g.scannedFiles,t.findings.push(...g.findings)}}let i=new Map,u=new Set;for(let n of t.findings)i.set(n.tokenType,(i.get(n.tokenType)||0)+1),u.add(n.filePath);let r=Array.from(i.entries()).map(([n,p])=>`${p} ${n}${p>1?"s":""}`).join(", "),o=`scanned ${t.scannedFiles} files, found ${t.findings.length} potential token(s) in ${u.size} file(s)`,c=r?`${o} (${r})`:o;if(a.info(`Artifact check complete: ${c}`),t.findings.length>0){let n=Array.from(u).join(", ");throw new Error(`Found ${t.findings.length} potential GitHub token(s) (${r}) in debug artifacts at: ${n}. This is a best-effort check for testing purposes only.`)}}finally{try{d.rmSync(s,{recursive:!0,force:!0})}catch(i){a.debug(`Could not clean up temporary scan directory: ${m(i)}`)}}}export{S as a,z as b,R as c,_ as d};
@@ -1,4 +0,0 @@
-import { createRequire as __codeqlCreateRequire } from "module";import { fileURLToPath as __codeqlFileURLToPath } from "url";import { dirname as __codeqlDirname } from "path";var require = __codeqlCreateRequire(import.meta.url);var __filename = __codeqlFileURLToPath(import.meta.url);var __dirname = __codeqlDirname(__filename);
-import{M as w,Pb as F,Vb as H,Ya as E,c as D,fa as b,ta as C,tb as k,wb as _}from"./chunk-V6LGBXSF.js";var h=D(H()),l=D(F());import*as f from"os";import{join as d}from"path";var x="codeql-dependencies",v=1;function Q(){return d(C(),"codeql_java","repository")}async function K(){return[d(f.homedir(),".m2","repository"),d(f.homedir(),".gradle","caches"),Q()]}function U(){return d(C(),"codeql_csharp","repository")}async function A(e,n){let r=[d(f.homedir(),".nuget","packages")];return await n.getValue("csharp_cache_bmn",e)&&r.push(U()),r}async function z(e){if((await(await I(e)).glob()).length!==0)return e}var T=["**/packages.lock.json","**/paket.lock"],j=["**/*.csproj","**/packages.config","**/nuget.config"];async function M(e,n){let r=await m.makePatternCheck(T);if(r!==void 0)return r;if(await n.getValue("csharp_new_cache_key",e))return m.makePatternCheck(j)}var R={java:{getDependencyPaths:K,getHashPatterns:async()=>m.makePatternCheck(["**/pom.xml","**/*.gradle*","**/gradle-wrapper.properties","buildSrc/**/Versions.kt","buildSrc/**/Dependencies.kt","gradle/*.versions.toml","**/versions.properties"])},csharp:{getDependencyPaths:A,getHashPatterns:M},go:{getDependencyPaths:async()=>[d(f.homedir(),"go","pkg","mod")],getHashPatterns:async()=>m.makePatternCheck(["**/go.sum"])}};async function I(e){return l.create(e.join(`
-`))}async function S(e,n,r,t,a,o){let s=await t.getHashPatterns(e,n);return s===void 0&&o.info(`Skipping ${a} of dependency cache for ${r} as we cannot calculate a hash for the cache key.`),s}async function oe(e,n,r,t){let a=[],o=[];for(let s of r){let p=R[s];if(p===void 0){t.info(`Skipping download of dependency cache for ${s} as we have no caching configuration for it.`);continue}let c=await S(e,n,s,p,"download",t);if(c===void 0){a.push({language:s,hit_kind:"no-hash"});continue}let u=await L(e,n,s,c),i=[await $(e,n,s)];t.info(`Downloading cache for ${s} with key ${u} and restore keys ${i.join(", ")}`);let y=performance.now(),g=await h.restoreCache(await p.getDependencyPaths(e,n),u,i),N=Math.round(performance.now()-y);if(g!==void 0){t.info(`Cache hit on key ${g} for ${s}.`);let P="partial";g===u&&(P="exact"),a.push({language:s,hit_kind:P,download_duration_ms:N}),o.push(g)}else a.push({language:s,hit_kind:"miss"}),t.info(`No suitable cache found for ${s}.`)}return{statusReport:a,restoredKeys:o}}async function re(e,n,r,t){let a=[];for(let o of r.languages){let s=R[o];if(s===void 0){t.info(`Skipping upload of dependency cache for ${o} as we have no caching configuration for it.`);continue}let p=await S(e,n,o,s,"upload",t);if(p===void 0){a.push({language:o,result:"no-hash"});continue}let c=await L(e,n,o,p);if(r.dependencyCachingRestoredKeys.includes(c)){a.push({language:o,result:"duplicate"});continue}let u=await k(await s.getDependencyPaths(e,n),t,!0);if(u===0){a.push({language:o,result:"empty"}),t.info(`Skipping upload of dependency cache for ${o} since it is empty.`);continue}t.info(`Uploading cache of size ${u} for ${o} with key ${c}...`);try{let i=performance.now();await h.saveCache(await s.getDependencyPaths(e,n),c);let y=Math.round(performance.now()-i);a.push({language:o,result:"stored",upload_size_bytes:Math.round(u),upload_duration_ms:y})}catch(i){if(i instanceof h.ReserveCacheError)t.info(`Not uploading cache for ${o}, because ${c} is already in use.`),t.debug(i.message),a.push({language:o,result:"duplicate"});else throw i}}return a}async function L(e,n,r,t){let a=await l.hashFiles(t.join(`
-`));return`${await $(e,n,r)}${a}`}async function V(e,n,r){let t=[],a=async o=>{await n.getValue(o,e)&&t.push(o)};return r==="csharp"&&(await a("csharp_new_cache_key"),await a("csharp_cache_bmn")),t.length>0?`${_(t)}-`:""}async function $(e,n,r){let t=w("RUNNER_OS"),a=process.env.CODEQL_ACTION_DEPENDENCY_CACHE_PREFIX,o=x;a!==void 0&&a.length>0&&(o=`${o}-${a}`);let s=await V(e,n,r);return`${o}-${s}${v}-${t}-${r}-`}async function se(e){try{let n=await E(x),r=n.reduce((t,a)=>t+(a.size_in_bytes??0),0);return{count:n.length,size_bytes:r}}catch(n){e.warning(`Unable to retrieve information about dependency cache usage: ${b(n)}`)}}var m={makePatternCheck:z};export{Q as a,U as b,oe as c,re as d,se as e};
@@ -1,2 +0,0 @@
-import { createRequire as __codeqlCreateRequire } from "module";import { fileURLToPath as __codeqlFileURLToPath } from "url";import { dirname as __codeqlDirname } from "path";var require = __codeqlCreateRequire(import.meta.url);var __filename = __codeqlFileURLToPath(import.meta.url);var __dirname = __codeqlDirname(__filename);
-import{Ea as C,M as w,Ua as $,X as W,Z as E,c as P,k as L,n as d}from"./chunk-V6LGBXSF.js";var u=P(L());import*as c from"fs";import*as x from"path";import O from"zlib";function T(e){return Object.entries(e).reduce((r,[t,o])=>(r[t]={message:o,code:t},r),{})}var h=T({MissingPushHook:"Please specify an on.push hook to analyze and see code scanning alerts from the default branch on the Security tab.",CheckoutWrongHead:"git checkout HEAD^2 is no longer necessary. Please remove this step as Code Scanning recommends analyzing the merge commit for best results.",InconsistentActionVersion:"Not all workflow steps that use `github/codeql-action` actions use the same version. Please ensure that all such steps use the same version to avoid compatibility issues."});async function j(e,r){let t=await r.betterResolveLanguages();if(!t.aliases)return;let o=t.aliases,n={};for(let s of e){let a=o[s]||s;n[a]||(n[a]=[]),n[a].push(s)}return n}async function S(e,r){let t=[],o=process.env.GITHUB_JOB;if(o){let i=e?.jobs?.[o];if(i?.strategy?.matrix?.language){let f=i.strategy.matrix.language;if(Array.isArray(f)){let y=await j(f,r);if(y!==void 0)for(let[v,b]of Object.entries(y))b.length>1&&t.push({message:`CodeQL language '${v}' is referenced by more than one entry in the 'language' matrix parameter for job '${o}'. This may result in duplicate alerts. Please edit the 'language' matrix parameter to keep only one of the following: ${b.map(A=>`'${A}'`).join(", ")}.`,code:"DuplicateLanguageInMatrix"})}}let g=i?.steps;if(Array.isArray(g)){for(let f of g)if(f?.run==="git checkout HEAD^2"){t.push(h.CheckoutWrongHead);break}}}let n=[];for(let i of Object.values(e?.jobs||{}))if(Array.isArray(i.steps)){for(let g of i.steps)if(g.uses?.startsWith("github/codeql-action/")){let f=g.uses.split("@");f.length>=2&&n.push(f[f.length-1])}}n.length>0&&!n.every(i=>i===n[0])&&t.push(h.InconsistentActionVersion);let s=p("push",e),a=p("pull_request",e),l=p("workflow_call",e);return a&&!s&&!l&&t.push(h.MissingPushHook),t}function p(e,r){return r.on?typeof r.on=="string"?r.on===e:Array.isArray(r.on)?r.on.includes(e):Object.prototype.hasOwnProperty.call(r.on,e):!1}async function I(e,r){let t;try{t=await q(r)}catch(n){return`error: getWorkflow() failed: ${String(n)}`}let o;try{o=await S(t,e)}catch(n){return`error: getWorkflowErrors() failed: ${String(n)}`}if(o.length>0){let n;try{n=_(o)}catch(s){return`error: formatWorkflowErrors() failed: ${String(s)}`}u.warning(n)}return R(o)}function _(e){let r=e.length===1?"issue was":"issues were",t=e.map(o=>o.message).join(" ");return`${e.length} ${r} detected with this workflow: ${t}`}function R(e){if(e.length!==0)return e.map(r=>r.code).join(",")}async function q(e){let r=process.env.CODE_SCANNING_WORKFLOW_FILE;if(r)return e.debug("Using the workflow specified by the CODE_SCANNING_WORKFLOW_FILE environment variable."),d(O.gunzipSync(Buffer.from(r,"base64")).toString());let t=await D(e);return d(c.readFileSync(t,"utf-8"))}async function D(e){let r=await $(),t=x.join(w("GITHUB_WORKSPACE"),r);if(c.existsSync(t))return e.debug(`Derived the following absolute path for the currently executing workflow: ${t}.`),t;throw new Error(`Expected to find a code scanning workflow file at ${t}, but no such file existed. This can happen if the currently running workflow checks out a branch that doesn't contain the corresponding workflow file.`)}function H(e,r){if(e.uses)throw new Error(`Could not get steps calling ${r} since the job calls a reusable workflow.`);let t=e.steps;if(!Array.isArray(t))throw new Error(`Could not get steps calling ${r} since job.steps was not an array.`);return t.filter(o=>o.uses?.includes(r))}function k(e,r,t,o,n){let s=`Could not get ${o} input to ${t} since`;if(!e.jobs)throw new Error(`${s} the workflow has no jobs.`);if(!e.jobs[r])throw new Error(`${s} the workflow has no job named ${r}.`);let a=H(e.jobs[r],t);if(a.length===0)throw new Error(`${s} the ${r} job does not call ${t}.`);if(a.length>1)throw new Error(`${s} the ${r} job calls ${t} multiple times.`);let l=a[0].with?.[o]?.toString();if(l!==void 0&&n!==void 0){l=l.replace(/\${{\s+/,"${{").replace(/\s+}}/,"}}");for(let[i,g]of Object.entries(n))l=l.replace(`\${{matrix.${i}}}`,g)}if(l?.includes("${{"))throw new Error(`Could not get ${o} input to ${t} since it contained an unrecognized dynamic value.`);return l}function m(){return W()||E()==="codeql-action-pr-checks"?"./analyze":"github/codeql-action/analyze"}function M(e,r,t){return k(e,r,m(),"category",t)}function V(e,r,t){return k(e,r,m(),"upload",t)}function X(e,r,t){return k(e,r,m(),"checkout_path",t)||w("GITHUB_WORKSPACE")}async function Y(e,r){if(!C()&&process.env.CODEQL_ACTION_SKIP_WORKFLOW_VALIDATION!=="true"){u.startGroup("Validating workflow");let t=await z.validateWorkflow(r,e);t===void 0?e.info("Detected no issues with the code scanning workflow."):e.debug(`Unable to validate code scanning workflow: ${t}`),u.endGroup()}}var z={validateWorkflow:I};export{q as a,M as b,V as c,X as d,Y as e};
@@ -1,2 +0,0 @@
-import { createRequire as __codeqlCreateRequire } from "module";import { fileURLToPath as __codeqlFileURLToPath } from "url";import { dirname as __codeqlDirname } from "path";var require = __codeqlCreateRequire(import.meta.url);var __filename = __codeqlFileURLToPath(import.meta.url);var __dirname = __codeqlDirname(__filename);
-import{h as b}from"./chunk-LYJYPMC2.js";import{Oa as f,Ta as m,c as g,k as L,kb as p,la as s,lb as c,ta as l,va as d}from"./chunk-V6LGBXSF.js";var r=g(L());async function B(i,e,o){if(e.buildMode==="none"||e.buildMode==="manual"){o.info(`Using build mode "${e.buildMode}", nothing to autobuild. See https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages#codeql-build-modes for more information.`);return}let t=await s(e.languages,async u=>await i.isTracedLanguage(u));if(t.length===0){o.info("None of the languages in this project require extra build steps");return}let n=t.filter(u=>u!=="go"),a=[];return n[0]!==void 0&&a.push(n[0]),t.length!==n.length&&a.push("go"),o.debug(`Will autobuild ${a.join(" and ")}.`),n.length>1&&o.warning(`We will only automatically build ${a.join(" and ")} code. If you wish to scan ${n.slice(1).join(" and ")}, you must replace the autobuild step of your workflow with custom build steps. See https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages#about-specifying-build-steps-manually for more information.`),a}async function w(i,e){let o=p.cpp_dependency_installation_enabled.envVar,t="C++ automatic installation of dependencies",n=await m(),a=f();await c(n,a,l(),e).getValue("cpp_dependency_installation_enabled",i)?process.env.RUNNER_ENVIRONMENT==="self-hosted"&&process.env[o]!=="true"?(e.info(`Disabling ${t} as we are on a self-hosted runner.${d()!=="dynamic"?` To override this, set the ${o} environment variable to 'true' in your workflow. See https://docs.github.com/en/actions/learn-github-actions/variables#defining-environment-variables-for-a-single-workflow for more information.`:""}`),r.exportVariable(o,"false")):(e.info(`Enabling ${t}. This can be disabled by setting the ${o} environment variable to 'false'. See https://docs.github.com/en/actions/learn-github-actions/variables#defining-environment-variables-for-a-single-workflow for more information.`),r.exportVariable(o,"true")):(e.info(`Disabling ${t}.`),r.exportVariable(o,"false"))}async function Q(i,e,o){o.startGroup(`Attempting to automatically build ${e} code`);let t=await b(i.codeQLCmd);e==="cpp"&&await w(t,o),i.buildMode?await t.extractUsingBuildMode(i,e):await t.runAutobuild(i,e),e==="go"&&r.exportVariable("CODEQL_ACTION_DID_AUTOBUILD_GOLANG","true"),o.endGroup()}export{B as a,w as b,Q as c};
@@ -0,0 +1,6 @@
+// Automatically generated from 'action-entry.js.tpl' for 'src/init-action.ts'.
+
+"use strict";
+
+const import_entry_points = require("./entry-points");
+void (0, import_entry_points.runInitAction)();
@@ -0,0 +1,6 @@
+// Automatically generated from 'action-entry.js.tpl' for 'src/init-action-post.ts'.
+
+"use strict";
+
+const import_entry_points = require("./entry-points");
+void (0, import_entry_points.runInitPostAction)();
@@ -1 +0,0 @@
-{"type":"module"}
@@ -1,2 +0,0 @@
-import { createRequire as __codeqlCreateRequire } from "module";import { fileURLToPath as __codeqlFileURLToPath } from "url";import { dirname as __codeqlDirname } from "path";var require = __codeqlCreateRequire(import.meta.url);var __filename = __codeqlFileURLToPath(import.meta.url);var __dirname = __codeqlDirname(__filename);
-import{c as A,e as u,f as d,h as V}from"./chunks/chunk-B34OPX2S.js";import{a as C,h as B}from"./chunks/chunk-LYJYPMC2.js";import{J as l,O as f,Ta as h,c as N,ca as g,cc as k,ea as p,fa as v,ga as c,ha as w,k as O,ra as E,sa as R,ta as y,ua as b,zb as m}from"./chunks/chunk-V6LGBXSF.js";var i=N(O());async function $(n,e,t,a){e.startGroup(`Attempting to resolve build environment for ${a}`);let r=await B(n);t!==void 0&&e.info(`Using ${t} as the working directory.`);let o=await r.resolveBuildEnvironment(t,a);return e.endGroup(),o}var F="environment";async function T(n){let e=m(),t;try{let r=await u("resolve-environment","starting",n,t,await c(e),e);r!==void 0&&await d(r);let o=await h();if(l(o,e),w(b(),o),t=await k(y(),e),t===void 0)throw new f("Config file could not be found at expected location. Has the 'init' action been called?");let s=R("working-directory"),L=await $(t.codeQLCmd,e,s,E("language"));i.setOutput(F,L)}catch(r){let o=p(r);if(o instanceof C)i.setOutput(F,{}),e.warning(`Failed to resolve a build environment suitable for automatically building your code. ${o.message}`);else{i.setFailed(`Failed to resolve a build environment suitable for automatically building your code. ${o.message}`);let s=await u("resolve-environment",A(o),n,t,await c(e),e,o.message,o.stack);s!==void 0&&await d(s)}return}let a=await u("resolve-environment","success",n,t,await c(e),e);a!==void 0&&await d(a)}async function U(){let n=new Date,e=m();try{await T(n)}catch(t){i.setFailed(`resolve-environment action failed: ${v(t)}`),await V("resolve-environment",n,t,e)}await g()}U();
@@ -0,0 +1,6 @@
+// Automatically generated from 'action-entry.js.tpl' for 'src/resolve-environment-action.ts'.
+
+"use strict";
+
+const import_entry_points = require("./entry-points");
+void (0, import_entry_points.runResolveEnvironmentAction)();
@@ -1,2 +0,0 @@
-import { createRequire as __codeqlCreateRequire } from "module";import { fileURLToPath as __codeqlFileURLToPath } from "url";import { dirname as __codeqlDirname } from "path";var require = __codeqlCreateRequire(import.meta.url);var __filename = __codeqlFileURLToPath(import.meta.url);var __dirname = __codeqlDirname(__filename);
-import{a as P}from"./chunks/chunk-2R674E4A.js";import{c as H,e as g,f as m,h as O}from"./chunks/chunk-B34OPX2S.js";import{b as N}from"./chunks/chunk-LYJYPMC2.js";import{J as T,L as C,M as R,O as E,Oa as b,Ta as Q,_b as B,c as G,ca as I,ea as v,fa as h,ga as f,ha as k,k as K,lb as F,mb as q,ra as A,sa as d,ta as S,ua as _,zb as D}from"./chunks/chunk-V6LGBXSF.js";var r=G(K());async function M(n,o,e,l,c,u,a){let s=await g("setup-codeql",H(a),n,void 0,await f(u),u,a?.message,a?.stack);if(s===void 0)return;let t={...s,tools_input:d("tools")||"",tools_resolved_version:c,tools_source:l||"UNKNOWN",workflow_languages:""},i={};o?.downloadDurationMs!==void 0&&(i.tools_download_duration_ms=o.downloadDurationMs),e!==void 0&&(i.tools_feature_flags_valid=e),await m({...t,...i})}async function J(n){let o=D(),e,l,c,u,a;try{C(_());let s={auth:A("token"),externalRepoAuth:d("external-repository-token"),url:R("GITHUB_SERVER_URL"),apiURL:R("GITHUB_API_URL")},t=await Q();T(t,o),k(_(),t);let i=b(),w=F(t,i,S(),o),L=N();o.info(`Job run UUID is ${L}.`),r.exportVariable("JOB_RUN_UUID",L);let U=await g("setup-codeql","starting",n,void 0,await f(o),o);U!==void 0&&await m(U);let V=await w.getEnabledDefaultCliVersions(t.type);c=V.toolsFeatureFlagsValid;let x=B(d("languages")),y=await q(o,w),p=await P(d("tools"),s,S(),t.type,V,x,y.length===1&&y[0]==="code-scanning",w,o);e=p.codeql,l=p.toolsDownloadStatusReport,a=p.toolsVersion,u=p.toolsSource,r.setOutput("codeql-path",e.getPath()),r.setOutput("codeql-version",(await e.getVersion()).version),r.exportVariable("CODEQL_ACTION_SETUP_CODEQL_HAS_RUN","true")}catch(s){let t=v(s);r.setFailed(t.message);let i=await g("setup-codeql",t instanceof E?"user-error":"failure",n,void 0,await f(o),o,t.message,t.stack);i!==void 0&&await m(i);return}await M(n,l,c,u,a,o)}async function $(){let n=new Date,o=D();try{await J(n)}catch(e){r.setFailed(`setup-codeql action failed: ${h(e)}`),await O("setup-codeql",n,e,o)}await I()}$();
@@ -0,0 +1,6 @@
+// Automatically generated from 'action-entry.js.tpl' for 'src/setup-codeql-action.ts'.
+
+"use strict";
+
+const import_entry_points = require("./entry-points");
+void (0, import_entry_points.runSetupCodeqlAction)();
@@ -1,2 +0,0 @@
-import { createRequire as __codeqlCreateRequire } from "module";import { fileURLToPath as __codeqlFileURLToPath } from "url";import { dirname as __codeqlDirname } from "path";var require = __codeqlCreateRequire(import.meta.url);var __filename = __codeqlFileURLToPath(import.meta.url);var __dirname = __codeqlDirname(__filename);
-import{e as l}from"./chunks/chunk-WKICWMYU.js";import"./chunks/chunk-5ZRYQL45.js";import"./chunks/chunk-U2JW7LOC.js";import"./chunks/chunk-GX7WDUZJ.js";import"./chunks/chunk-HIJVM6IW.js";import"./chunks/chunk-LYJYPMC2.js";import{J as a,La as g,Ta as c,c as m,cc as f,fa as s,k as d,ta as r,zb as p}from"./chunks/chunk-V6LGBXSF.js";var o=m(d());async function y(){let t=p();try{g();let i=o.getState("proxy-process-pid");i&&process.kill(Number(i));let e=await f(r(),t);if(e?.debugMode||o.isDebug()){let u=o.getState("proxy-log-file");if(t.info("Debug mode is on. Uploading proxy log as Actions debugging artifact..."),e?.gitHubVersion.type===void 0){t.warning("Did not upload debug artifacts because cannot determine the GitHub variant running.");return}let n=await c();a(n,t),await l(t,[u],r(),"proxy-log-file",n.type)}}catch(i){t.warning(`start-proxy post-action step failed: ${s(i)}`)}}y();
@@ -0,0 +1,6 @@
+// Automatically generated from 'action-entry.js.tpl' for 'src/start-proxy-action.ts'.
+
+"use strict";
+
+const import_entry_points = require("./entry-points");
+void (0, import_entry_points.runStartProxyAction)();
@@ -0,0 +1,6 @@
+// Automatically generated from 'action-entry.js.tpl' for 'src/start-proxy-action-post.ts'.
+
+"use strict";
+
+const import_entry_points = require("./entry-points");
+void (0, import_entry_points.runStartProxyPostAction)();
@@ -1,2 +0,0 @@
-import { createRequire as __codeqlCreateRequire } from "module";import { fileURLToPath as __codeqlFileURLToPath } from "url";import { dirname as __codeqlDirname } from "path";var require = __codeqlCreateRequire(import.meta.url);var __filename = __codeqlFileURLToPath(import.meta.url);var __dirname = __codeqlDirname(__filename);
-import{b as u}from"./chunks/chunk-WKICWMYU.js";import"./chunks/chunk-5ZRYQL45.js";import"./chunks/chunk-U2JW7LOC.js";import"./chunks/chunk-GX7WDUZJ.js";import"./chunks/chunk-HIJVM6IW.js";import"./chunks/chunk-LYJYPMC2.js";import{Ab as c,J as e,La as a,Ta as n,c as f,fa as o,k as p,zb as s}from"./chunks/chunk-V6LGBXSF.js";var r=f(p());async function d(){try{a();let t=s(),i=await n();if(e(i,t),process.env.CODEQL_ACTION_INIT_HAS_RUN!=="true"){if(i.type===void 0){r.warning("Did not upload debug artifacts because cannot determine the GitHub variant running.");return}await c("Uploading combined SARIF debug artifact",()=>u(t,i.type,void 0))}}catch(t){r.setFailed(`upload-sarif post-action step failed: ${o(t)}`)}}d();
@@ -1,2 +0,0 @@
-import { createRequire as __codeqlCreateRequire } from "module";import { fileURLToPath as __codeqlFileURLToPath } from "url";import { dirname as __codeqlDirname } from "path";var require = __codeqlCreateRequire(import.meta.url);var __filename = __codeqlFileURLToPath(import.meta.url);var __dirname = __codeqlDirname(__filename);
-import{a as O}from"./chunks/chunk-3ABJF3VX.js";import{a as B,o as F}from"./chunks/chunk-XFYKKQKY.js";import"./chunks/chunk-2R674E4A.js";import{a as _,c as v,e as u,f as d,h as N}from"./chunks/chunk-B34OPX2S.js";import"./chunks/chunk-LYJYPMC2.js";import{Ka as k,L as R,O as l,Oa as m,Ta as D,Y as y,c as V,ea as U,fa as h,ga as c,ha as b,k as L,lb as E,ra as p,sa as I,ta as A,ua as g,zb as S}from"./chunks/chunk-V6LGBXSF.js";var i=V(L());async function C(e,t,a){let o=await u("upload-sarif","success",e,void 0,await c(a),a);if(o!==void 0){let r={...o,...t};await d(r)}}async function H(e){let t=S();try{R(g());let a=await D();b(g(),a),k();let o=m(),r=E(a,o,A(),t),s=await u("upload-sarif","starting",e,void 0,await c(t),t);s!==void 0&&await d(s);let w=p("sarif_file"),P=p("checkout_path"),q=I("category"),f=await O(t,r,"always",P,w,q);if(Object.keys(f).length===0)throw new l(`No SARIF files found to upload in "${w}".`);let n=f["code-scanning"];n!==void 0&&i.setOutput("sarif-id",n.sarifID),i.setOutput("sarif-ids",JSON.stringify(f)),y()?i.debug("SARIF upload disabled by an environment variable. Waiting for processing is disabled."):p("wait-for-processing")==="true"&&n!==void 0&&await F(m(),n.sarifID,t),await C(e,n?.statusReport||{},t)}catch(a){let o=_("upload-sarif")&&a instanceof B?new l(a.message):U(a),r=o.message;i.setFailed(r);let s=await u("upload-sarif",v(o),e,void 0,await c(t),t,r,o.stack);s!==void 0&&await d(s);return}}async function T(){let e=new Date,t=S();try{await H(e)}catch(a){i.setFailed(`codeql/upload-sarif action failed: ${h(a)}`),await N("upload-sarif",e,a,t)}}T();
@@ -0,0 +1,6 @@
+// Automatically generated from 'action-entry.js.tpl' for 'src/upload-sarif-action.ts'.
+
+"use strict";
+
+const import_entry_points = require("./entry-points");
+void (0, import_entry_points.runUploadSarifAction)();
@@ -0,0 +1,6 @@
+// Automatically generated from 'action-entry.js.tpl' for 'src/upload-sarif-action-post.ts'.
+
+"use strict";
+
+const import_entry_points = require("./entry-points");
+void (0, import_entry_points.runUploadSarifPostAction)();
@@ -1,12 +1,12 @@
 {
  "name": "codeql",
-  "version": "4.35.5",
+  "version": "4.36.0",
  "lockfileVersion": 3,
  "requires": true,
  "packages": {
    "": {
      "name": "codeql",
-      "version": "4.35.5",
+      "version": "4.36.0",
      "license": "MIT",
      "workspaces": [
        "pr-checks"
@@ -59,7 +59,7 @@
        "glob": "^11.1.0",
        "globals": "^17.6.0",
        "nock": "^14.0.12",
-        "sinon": "^21.1.2",
+        "sinon": "^22.0.0",
        "typescript": "^6.0.3",
        "typescript-eslint": "^8.59.2"
      }
@@ -2379,9 +2379,9 @@
      }
    },
    "node_modules/@sinonjs/fake-timers": {
-      "version": "15.3.2",
-      "resolved": "https://registry.npmjs.org/@sinonjs/fake-timers/-/fake-timers-15.3.2.tgz",
-      "integrity": "sha512-mrn35Jl2pCpns+mE3HaZa1yPN5EYCRgiMI+135COjr2hr8Cls9DXqIZ57vZe2cz7y2XVSq92tcs6kGQcT1J8Rw==",
+      "version": "15.4.0",
+      "resolved": "https://registry.npmjs.org/@sinonjs/fake-timers/-/fake-timers-15.4.0.tgz",
+      "integrity": "sha512-DsG+8/LscQIQg68J6Ef3dv10u6nVyetYn923s3/sus5eaGfTo1of5WMZSLf0UJc9KDuKPilPH0UDJCjvNbDNCA==",
      "dev": true,
      "license": "BSD-3-Clause",
      "dependencies": {
@@ -4458,9 +4458,9 @@
      }
    },
    "node_modules/diff": {
-      "version": "8.0.4",
-      "resolved": "https://registry.npmjs.org/diff/-/diff-8.0.4.tgz",
-      "integrity": "sha512-DPi0FmjiSU5EvQV0++GFDOJ9ASQUVFh5kD+OzOnYdi7n3Wpm9hWWGfB/O2blfHcMVTL5WkQXSnRiK9makhrcnw==",
+      "version": "9.0.0",
+      "resolved": "https://registry.npmjs.org/diff/-/diff-9.0.0.tgz",
+      "integrity": "sha512-svtcdpS8CgJyqAjEQIXdb3OjhFVVYjzGAPO8WGCmRbrml64SPw/jJD4GoE98aR7r25A0XcgrK3F02yw9R/vhQw==",
      "dev": true,
      "license": "BSD-3-Clause",
      "engines": {
@@ -8511,16 +8511,16 @@
      }
    },
    "node_modules/sinon": {
-      "version": "21.1.2",
-      "resolved": "https://registry.npmjs.org/sinon/-/sinon-21.1.2.tgz",
-      "integrity": "sha512-FS6mN+/bx7e2ajpXkEmOcWB6xBzWiuNoAQT18/+a20SS4U7FSYl8Ms7N6VTUxN/1JAjkx7aXp+THMC8xdpp0gA==",
+      "version": "22.0.0",
+      "resolved": "https://registry.npmjs.org/sinon/-/sinon-22.0.0.tgz",
+      "integrity": "sha512-sq/6DpdXOrLyfbKlXLg/Usc7xu8YXPeLkOFZRvA3bNUSA2lhbrZ06yuXbH1fkzBPCbz9O10+7hznzUsjaYNm0Q==",
      "dev": true,
      "license": "BSD-3-Clause",
      "dependencies": {
        "@sinonjs/commons": "^3.0.1",
-        "@sinonjs/fake-timers": "^15.3.2",
+        "@sinonjs/fake-timers": "^15.4.0",
        "@sinonjs/samsam": "^10.0.2",
-        "diff": "^8.0.4"
+        "diff": "^9.0.0"
      },
      "funding": {
        "type": "opencollective",
@@ -1,6 +1,6 @@
 {
  "name": "codeql",
-  "version": "4.35.5",
+  "version": "4.36.0",
  "private": true,
  "description": "CodeQL action",
  "scripts": {
@@ -12,7 +12,8 @@
    "ava": "npm run transpile && ava --verbose",
    "test": "npm run ava -- src/",
    "test-debug": "npm run test -- --timeout=20m",
-    "transpile": "tsc --build --verbose tsconfig.json"
+    "transpile": "tsc --build --verbose tsconfig.json",
+    "update-pr-checks": "./pr-checks/sync.sh"
  },
  "license": "MIT",
  "workspaces": [
@@ -66,7 +67,7 @@
    "glob": "^11.1.0",
    "globals": "^17.6.0",
    "nock": "^14.0.12",
-    "sinon": "^21.1.2",
+    "sinon": "^22.0.0",
    "typescript": "^6.0.3",
    "typescript-eslint": "^8.59.2"
  },
@@ -2,7 +2,8 @@ name: "Multi-language repository"
 description: "An end-to-end integration test of a multi-language repository using automatic language detection"
 operatingSystems:
  - ubuntu
-  - macos
+  - os: macos
+    runner-image: macos-latest-xlarge
 env:
  CODEQL_ACTION_RESOLVE_SUPPORTED_LANGUAGES_USING_CLI: true
 installGo: true
@@ -2,7 +2,7 @@ name: "Rust analysis"
 description: "Tests creation of a Rust database"
 versions:
  # experimental rust support introduced, requires action to set `CODEQL_ENABLE_EXPERIMENTAL_FEATURES`
-  - stable-v2.19.3
+  - stable-v2.19.4
  # first public preview version
  - stable-v2.22.1
  - linked
@@ -3,7 +3,8 @@ description: "Tests creation of a Swift database using autobuild"
 versions:
  - nightly-latest
 operatingSystems:
-  - macos
+  - os: macos
+    runner-image: macos-latest-xlarge
 steps:
  - uses: ./../action/init
    id: init
@@ -7,7 +7,13 @@ Tests for the sync-checks.ts script
 import * as assert from "node:assert/strict";
 import { describe, it } from "node:test";

-import { CheckInfo, Exclusions, Options, removeExcluded } from "./sync-checks";
+import {
+  CheckInfo,
+  Exclusions,
+  Options,
+  removeExcluded,
+  resolveToken,
+} from "./sync-checks";

 const defaultOptions: Options = {
  apply: false,
@@ -58,3 +64,46 @@ describe("removeExcluded", async () => {
    assert.deepEqual(retained, expectedExactMatches);
  });
 });
+
+describe("resolveToken", async () => {
+  await it("reads the token from standard input", async () => {
+    const token = await resolveToken(
+      { tokenStdin: true },
+      { env: {}, readStdin: async () => " stdin-token\n" },
+    );
+    assert.equal(token, "stdin-token");
+  });
+
+  await it("reads the token from the GH_TOKEN environment variable", async () => {
+    const token = await resolveToken(
+      {},
+      { env: { GH_TOKEN: "env-token" }, readStdin: async () => "" },
+    );
+    assert.equal(token, "env-token");
+  });
+
+  await it("reads the token from the GITHUB_TOKEN environment variable", async () => {
+    const token = await resolveToken(
+      {},
+      { env: { GITHUB_TOKEN: "env-token" }, readStdin: async () => "" },
+    );
+    assert.equal(token, "env-token");
+  });
+
+  await it("rejects an empty standard input token", async () => {
+    await assert.rejects(
+      resolveToken(
+        { tokenStdin: true },
+        { env: {}, readStdin: async () => "\n" },
+      ),
+      /No token received on standard input/,
+    );
+  });
+
+  await it("rejects missing token sources", async () => {
+    await assert.rejects(
+      resolveToken({}, { env: {}, readStdin: async () => "" }),
+      /Missing authentication token/,
+    );
+  });
+});
@@ -15,8 +15,8 @@ import {

 /** Represents the command-line options. */
 export interface Options {
-  /** The token to use to authenticate to the GitHub API. */
-  token?: string;
+  /** Whether to read the GitHub API token from standard input. */
+  tokenStdin?: boolean;
  /** The git ref to use the checks for. */
  ref?: string;
  /** Whether to actually apply the changes or not. */
@@ -31,6 +31,65 @@ const codeqlActionRepo = {
  repo: "codeql-action",
 };

+/** Environment variables to check for a GitHub API token. */
+const TOKEN_ENVIRONMENT_VARIABLES = ["GH_TOKEN", "GITHUB_TOKEN"];
+
+/** Represents the sources from which we can retrieve the GitHub API token. */
+interface TokenSource {
+  /** Environment variables to inspect. */
+  env: NodeJS.ProcessEnv;
+  /** Reads a token from standard input. */
+  readStdin: () => Promise<string>;
+}
+
+/** Reads the GitHub API token from standard input. */
+async function readTokenFromStdin(): Promise<string> {
+  let token = "";
+  process.stdin.setEncoding("utf8");
+  for await (const chunk of process.stdin) {
+    token += chunk;
+  }
+  return token.trim();
+}
+
+/** Gets a GitHub API token from one of the supported environment variables. */
+function getTokenFromEnvironment(env: NodeJS.ProcessEnv): string | undefined {
+  for (const variableName of TOKEN_ENVIRONMENT_VARIABLES) {
+    const token = env[variableName]?.trim();
+    if (token) {
+      return token;
+    }
+  }
+  return undefined;
+}
+
+/** Gets the token to use to authenticate to the GitHub API. */
+export async function resolveToken(
+  options: Pick<Options, "tokenStdin">,
+  tokenSource: TokenSource = {
+    env: process.env,
+    readStdin: readTokenFromStdin,
+  },
+): Promise<string> {
+  if (options.tokenStdin) {
+    const token = (await tokenSource.readStdin()).trim();
+    if (token.length === 0) {
+      throw new Error("No token received on standard input.");
+    }
+    return token;
+  }
+
+  const environmentToken = getTokenFromEnvironment(tokenSource.env);
+  if (environmentToken !== undefined) {
+    return environmentToken;
+  }
+
+  throw new Error(
+    "Missing authentication token. Set GH_TOKEN/GITHUB_TOKEN or pipe a token " +
+      "to --token-stdin.",
+  );
+}
+
 /** Represents a configuration of which checks should not be set up as required checks. */
 export interface Exclusions {
  /** A list of strings that, if contained in a check name, are excluded. */
@@ -205,9 +264,10 @@ async function updateBranch(
 async function main(): Promise<void> {
  const { values: options } = parseArgs({
    options: {
-      // The token to use to authenticate to the API.
-      token: {
-        type: "string",
+      // Read the token to use to authenticate to the API from standard input.
+      "token-stdin": {
+        type: "boolean",
+        default: false,
      },
      // The git ref for which to retrieve the check runs.
      ref: {
@@ -228,16 +288,16 @@ async function main(): Promise<void> {
    strict: true,
  });

-  if (options.token === undefined) {
-    throw new Error("Missing --token");
-  }
+  const token = await resolveToken({
+    tokenStdin: options["token-stdin"],
+  });

  console.info(
    `Oldest supported major version is: ${OLDEST_SUPPORTED_MAJOR_VERSION}`,
  );

  // Initialise the API client.
-  const client = getApiClient(options.token);
+  const client = getApiClient(token);

  // Find the check runs for the specified `ref` that we will later set as the required checks
  // for the main and release branches.
@@ -28,6 +28,24 @@ interface WorkflowInput {
 /** A partial mapping from known input names to input definitions. */
 type WorkflowInputs = Partial<Record<KnownInputName, WorkflowInput>>;

+/** An operating system identifier. */
+type OperatingSystemIdentifier = "ubuntu" | "macos" | "windows";
+
+/**
+ * Represents an operating system matrix entry for a generated PR check workflow.
+ *
+ * Either a string containing the OS identifier or an object containing the OS identifier and an
+ * optional runner image label.
+ */
+type OperatingSystem =
+  | OperatingSystemIdentifier
+  | {
+      /** OS identifier. */
+      os: OperatingSystemIdentifier;
+      /** Optional runner image label. */
+      "runner-image"?: string;
+    };
+
 /**
 * Represents PR check specifications.
 */
@@ -36,8 +54,8 @@ interface Specification extends JobSpecification {
  inputs?: Record<string, WorkflowInput>;
  /** CodeQL bundle versions to test against. Defaults to `DEFAULT_TEST_VERSIONS`. */
  versions?: string[];
-  /** Operating system prefixes used to select runner images (e.g. `["ubuntu", "macos"]`). */
-  operatingSystems?: string[];
+  /** Operating system prefixes, either as strings or with explicit runner image labels. */
+  operatingSystems?: OperatingSystem[];
  /** Per-OS version overrides. If specified for an OS, only those versions are tested on that OS. */
  osCodeQlVersions?: Record<string, string[]>;
  /** Whether to use the all-platform CodeQL bundle. */
@@ -97,10 +115,6 @@ type LanguageSetups = Partial<Record<BuiltInLanguage, LanguageSetup>>;
 // The default set of CodeQL Bundle versions to use for the PR checks.
 const defaultTestVersions = [
  // The oldest supported CodeQL version. If bumping, update `CODEQL_MINIMUM_VERSION` in `codeql.ts`
-  "stable-v2.17.6",
-  // The last CodeQL release in the 2.18 series.
-  "stable-v2.18.4",
-  // The last CodeQL release in the 2.19 series.
  "stable-v2.19.4",
  // The last CodeQL release in the 2.20 series.
  "stable-v2.20.7",
@@ -108,6 +122,10 @@ const defaultTestVersions = [
  "stable-v2.21.4",
  // The last CodeQL release in the 2.22 series.
  "stable-v2.22.4",
+  // The last CodeQL release in the 2.23 series.
+  "stable-v2.23.9",
+  // The last CodeQL release in the 2.24 series.
+  "stable-v2.24.3",
  // The default version of CodeQL for Dotcom, as determined by feature flags.
  "default",
  // The version of CodeQL shipped with the Action in `defaults.json`. During the release process
@@ -311,10 +329,19 @@ function generateJobMatrix(
      );
    }

-    const runnerImages = ["ubuntu-latest", "macos-latest", "windows-latest"];
+    const defaultRunnerImages = [
+      "ubuntu-latest",
+      "macos-latest",
+      "windows-latest",
+    ];
    const operatingSystems = checkSpecification.operatingSystems ?? ["ubuntu"];

-    for (const operatingSystem of operatingSystems) {
+    for (const operatingSystemConfig of operatingSystems) {
+      const operatingSystem =
+        typeof operatingSystemConfig === "string"
+          ? operatingSystemConfig
+          : operatingSystemConfig.os;
+
      // If osCodeQlVersions is set for this OS, only include the specified CodeQL versions.
      const allowedVersions =
        checkSpecification.osCodeQlVersions?.[operatingSystem];
@@ -322,9 +349,13 @@ function generateJobMatrix(
        continue;
      }

-      const runnerImagesForOs = runnerImages.filter((image) =>
-        image.startsWith(operatingSystem),
-      );
+      const runnerImagesForOs =
+        typeof operatingSystemConfig === "string" ||
+        operatingSystemConfig["runner-image"] === undefined
+          ? defaultRunnerImages.filter((image) =>
+              image.startsWith(operatingSystem),
+            )
+          : [operatingSystemConfig["runner-image"]];

      for (const runnerImage of runnerImagesForOs) {
        matrix.push({
@@ -22,4 +22,4 @@ outputs:
    description: The inferred build environment configuration.
 runs:
  using: node24
-  main: '../lib/resolve-environment-action.js'
+  main: '../lib/resolve-environment-entry.js'
@@ -55,4 +55,4 @@ outputs:
    description: The version of the CodeQL binary that was installed.
 runs:
  using: node24
-  main: '../lib/setup-codeql-action.js'
+  main: '../lib/setup-codeql-entry.js'
@@ -0,0 +1,4 @@
+"use strict";
+
+const import_entry_points = require("./entry-points");
+void (0, import_entry_points.run__ACTION__)();
@@ -1,90 +0,0 @@
-import test from "ava";
-import * as sinon from "sinon";
-
-import * as actionsUtil from "./actions-util";
-import * as analyze from "./analyze";
-import * as api from "./api-client";
-import * as configUtils from "./config-utils";
-import * as gitUtils from "./git-utils";
-import * as statusReport from "./status-report";
-import {
-  setupTests,
-  setupActionsVars,
-  mockFeatureFlagApiEndpoint,
-} from "./testing-utils";
-import * as util from "./util";
-
-setupTests(test);
-
-// This test needs to be in its own file so that ava would run it in its own
-// nodejs process. The code being tested is in analyze-action.ts, which runs
-// immediately on load. So the file needs to be loaded during part of the test,
-// and that can happen only once per nodejs process. If multiple such tests are
-// in the same test file, ava would run them in the same nodejs process, and all
-// but the first test would fail.
-
-test("analyze action with RAM & threads from environment variables", async (t) => {
-  // This test frequently times out on Windows with the default timeout, so we bump
-  // it a bit to 20s.
-  t.timeout(1000 * 20);
-  await util.withTmpDir(async (tmpDir) => {
-    setupActionsVars(tmpDir, tmpDir);
-    sinon
-      .stub(statusReport, "createStatusReportBase")
-      .resolves({} as statusReport.StatusReportBase);
-    sinon.stub(statusReport, "sendStatusReport").resolves();
-    sinon.stub(gitUtils, "isAnalyzingDefaultBranch").resolves(true);
-
-    const gitHubVersion: util.GitHubVersion = {
-      type: util.GitHubVariant.DOTCOM,
-    };
-    sinon.stub(configUtils, "getConfig").resolves({
-      gitHubVersion,
-      augmentationProperties: {},
-      languages: [],
-      packs: [],
-      trapCaches: {},
-    } as unknown as configUtils.Config);
-    const requiredInputStub = sinon.stub(actionsUtil, "getRequiredInput");
-    requiredInputStub.withArgs("token").returns("fake-token");
-    requiredInputStub.withArgs("upload-database").returns("false");
-    requiredInputStub.withArgs("output").returns("out");
-    const optionalInputStub = sinon.stub(actionsUtil, "getOptionalInput");
-    optionalInputStub.withArgs("expect-error").returns("false");
-    sinon.stub(api, "getGitHubVersion").resolves(gitHubVersion);
-    mockFeatureFlagApiEndpoint(200, {});
-
-    // When there are no action inputs for RAM and threads, the action uses
-    // environment variables (passed down from the init action) to set RAM and
-    // threads usage.
-    process.env["CODEQL_THREADS"] = "-1";
-    process.env["CODEQL_RAM"] = "4992";
-
-    const runFinalizeStub = sinon.stub(analyze, "runFinalize");
-    const runQueriesStub = sinon.stub(analyze, "runQueries");
-    // eslint-disable-next-line @typescript-eslint/no-require-imports
-    const analyzeAction = require("./analyze-action");
-
-    // When analyze-action.ts loads, it runs an async function from the top
-    // level but does not wait for it to finish. To ensure that calls to
-    // runFinalize and runQueries are correctly captured by spies, we explicitly
-    // wait for the action promise to complete before starting verification.
-    await analyzeAction.runPromise;
-
-    t.assert(
-      runFinalizeStub.calledOnceWith(
-        sinon.match.any,
-        sinon.match.any,
-        "--threads=-1",
-        "--ram=4992",
-      ),
-    );
-    t.assert(
-      runQueriesStub.calledOnceWith(
-        sinon.match.any,
-        "--ram=4992",
-        "--threads=-1",
-      ),
-    );
-  });
-});
@@ -1,88 +0,0 @@
-import test from "ava";
-import * as sinon from "sinon";
-
-import * as actionsUtil from "./actions-util";
-import * as analyze from "./analyze";
-import * as api from "./api-client";
-import * as configUtils from "./config-utils";
-import * as gitUtils from "./git-utils";
-import * as statusReport from "./status-report";
-import {
-  setupTests,
-  setupActionsVars,
-  mockFeatureFlagApiEndpoint,
-} from "./testing-utils";
-import * as util from "./util";
-
-setupTests(test);
-
-// This test needs to be in its own file so that ava would run it in its own
-// nodejs process. The code being tested is in analyze-action.ts, which runs
-// immediately on load. So the file needs to be loaded during part of the test,
-// and that can happen only once per nodejs process. If multiple such tests are
-// in the same test file, ava would run them in the same nodejs process, and all
-// but the first test would fail.
-
-test("analyze action with RAM & threads from action inputs", async (t) => {
-  t.timeout(1000 * 20);
-  await util.withTmpDir(async (tmpDir) => {
-    setupActionsVars(tmpDir, tmpDir);
-    sinon
-      .stub(statusReport, "createStatusReportBase")
-      .resolves({} as statusReport.StatusReportBase);
-    sinon.stub(statusReport, "sendStatusReport").resolves();
-    const gitHubVersion: util.GitHubVersion = {
-      type: util.GitHubVariant.DOTCOM,
-    };
-    sinon.stub(configUtils, "getConfig").resolves({
-      gitHubVersion,
-      augmentationProperties: {},
-      languages: [],
-      packs: [],
-      trapCaches: {},
-    } as unknown as configUtils.Config);
-    const requiredInputStub = sinon.stub(actionsUtil, "getRequiredInput");
-    requiredInputStub.withArgs("token").returns("fake-token");
-    requiredInputStub.withArgs("upload-database").returns("false");
-    requiredInputStub.withArgs("output").returns("out");
-    const optionalInputStub = sinon.stub(actionsUtil, "getOptionalInput");
-    optionalInputStub.withArgs("expect-error").returns("false");
-    sinon.stub(api, "getGitHubVersion").resolves(gitHubVersion);
-    sinon.stub(gitUtils, "isAnalyzingDefaultBranch").resolves(true);
-    mockFeatureFlagApiEndpoint(200, {});
-
-    process.env["CODEQL_THREADS"] = "1";
-    process.env["CODEQL_RAM"] = "4992";
-
-    // Action inputs have precedence over environment variables.
-    optionalInputStub.withArgs("threads").returns("-1");
-    optionalInputStub.withArgs("ram").returns("3012");
-
-    const runFinalizeStub = sinon.stub(analyze, "runFinalize");
-    const runQueriesStub = sinon.stub(analyze, "runQueries");
-    // eslint-disable-next-line @typescript-eslint/no-require-imports
-    const analyzeAction = require("./analyze-action");
-
-    // When analyze-action.ts loads, it runs an async function from the top
-    // level but does not wait for it to finish. To ensure that calls to
-    // runFinalize and runQueries are correctly captured by spies, we explicitly
-    // wait for the action promise to complete before starting verification.
-    await analyzeAction.runPromise;
-
-    t.assert(
-      runFinalizeStub.calledOnceWith(
-        sinon.match.any,
-        sinon.match.any,
-        "--threads=-1",
-        "--ram=3012",
-      ),
-    );
-    t.assert(
-      runQueriesStub.calledOnceWith(
-        sinon.match.any,
-        "--ram=3012",
-        "--threads=-1",
-      ),
-    );
-  });
-});
@@ -20,7 +20,7 @@ import { EnvVar } from "./environment";
 import { getActionsLogger } from "./logging";
 import { checkGitHubVersionInRange, getErrorMessage } from "./util";

-async function runWrapper() {
+export async function runWrapper() {
  // To capture errors appropriately, keep as much code within the try-catch as
  // possible, and only use safe functions outside.

@@ -72,5 +72,3 @@ async function runWrapper() {
    );
  }
 }
-
-void runWrapper();
@@ -0,0 +1,142 @@
+import test from "ava";
+import * as sinon from "sinon";
+
+import * as actionsUtil from "./actions-util";
+import * as analyze from "./analyze";
+import { runWrapper } from "./analyze-action";
+import * as api from "./api-client";
+import * as configUtils from "./config-utils";
+import * as gitUtils from "./git-utils";
+import * as statusReport from "./status-report";
+import {
+  setupTests,
+  setupActionsVars,
+  mockFeatureFlagApiEndpoint,
+} from "./testing-utils";
+import * as util from "./util";
+
+setupTests(test);
+
+test.serial(
+  "analyze action with RAM & threads from environment variables",
+  async (t) => {
+    // This test frequently times out on Windows with the default timeout, so we bump
+    // it a bit to 20s.
+    t.timeout(1000 * 20);
+    await util.withTmpDir(async (tmpDir) => {
+      setupActionsVars(tmpDir, tmpDir);
+      sinon
+        .stub(statusReport, "createStatusReportBase")
+        .resolves({} as statusReport.StatusReportBase);
+      sinon.stub(statusReport, "sendStatusReport").resolves();
+      sinon.stub(gitUtils, "isAnalyzingDefaultBranch").resolves(true);
+
+      const gitHubVersion: util.GitHubVersion = {
+        type: util.GitHubVariant.DOTCOM,
+      };
+      sinon.stub(configUtils, "getConfig").resolves({
+        gitHubVersion,
+        augmentationProperties: {},
+        languages: [],
+        packs: [],
+        trapCaches: {},
+      } as unknown as configUtils.Config);
+      const requiredInputStub = sinon.stub(actionsUtil, "getRequiredInput");
+      requiredInputStub.withArgs("token").returns("fake-token");
+      requiredInputStub.withArgs("upload-database").returns("false");
+      requiredInputStub.withArgs("output").returns("out");
+      const optionalInputStub = sinon.stub(actionsUtil, "getOptionalInput");
+      optionalInputStub.withArgs("expect-error").returns("false");
+      sinon.stub(api, "getGitHubVersion").resolves(gitHubVersion);
+      mockFeatureFlagApiEndpoint(200, {});
+
+      // When there are no action inputs for RAM and threads, the action uses
+      // environment variables (passed down from the init action) to set RAM and
+      // threads usage.
+      process.env["CODEQL_THREADS"] = "-1";
+      process.env["CODEQL_RAM"] = "4992";
+
+      const runFinalizeStub = sinon.stub(analyze, "runFinalize");
+      const runQueriesStub = sinon.stub(analyze, "runQueries");
+
+      await runWrapper();
+
+      t.assert(
+        runFinalizeStub.calledOnceWith(
+          sinon.match.any,
+          sinon.match.any,
+          "--threads=-1",
+          "--ram=4992",
+        ),
+      );
+      t.assert(
+        runQueriesStub.calledOnceWith(
+          sinon.match.any,
+          "--ram=4992",
+          "--threads=-1",
+        ),
+      );
+    });
+  },
+);
+
+test.serial(
+  "analyze action with RAM & threads from action inputs",
+  async (t) => {
+    t.timeout(1000 * 20);
+    await util.withTmpDir(async (tmpDir) => {
+      setupActionsVars(tmpDir, tmpDir);
+      sinon
+        .stub(statusReport, "createStatusReportBase")
+        .resolves({} as statusReport.StatusReportBase);
+      sinon.stub(statusReport, "sendStatusReport").resolves();
+      const gitHubVersion: util.GitHubVersion = {
+        type: util.GitHubVariant.DOTCOM,
+      };
+      sinon.stub(configUtils, "getConfig").resolves({
+        gitHubVersion,
+        augmentationProperties: {},
+        languages: [],
+        packs: [],
+        trapCaches: {},
+      } as unknown as configUtils.Config);
+      const requiredInputStub = sinon.stub(actionsUtil, "getRequiredInput");
+      requiredInputStub.withArgs("token").returns("fake-token");
+      requiredInputStub.withArgs("upload-database").returns("false");
+      requiredInputStub.withArgs("output").returns("out");
+      const optionalInputStub = sinon.stub(actionsUtil, "getOptionalInput");
+      optionalInputStub.withArgs("expect-error").returns("false");
+      sinon.stub(api, "getGitHubVersion").resolves(gitHubVersion);
+      sinon.stub(gitUtils, "isAnalyzingDefaultBranch").resolves(true);
+      mockFeatureFlagApiEndpoint(200, {});
+
+      process.env["CODEQL_THREADS"] = "1";
+      process.env["CODEQL_RAM"] = "4992";
+
+      // Action inputs have precedence over environment variables.
+      optionalInputStub.withArgs("threads").returns("-1");
+      optionalInputStub.withArgs("ram").returns("3012");
+
+      const runFinalizeStub = sinon.stub(analyze, "runFinalize");
+      const runQueriesStub = sinon.stub(analyze, "runQueries");
+
+      await runWrapper();
+
+      t.assert(
+        runFinalizeStub.calledOnceWith(
+          sinon.match.any,
+          sinon.match.any,
+          "--threads=-1",
+          "--ram=3012",
+        ),
+      );
+      t.assert(
+        runQueriesStub.calledOnceWith(
+          sinon.match.any,
+          "--ram=3012",
+          "--threads=-1",
+        ),
+      );
+    });
+  },
+);
@@ -523,14 +523,11 @@ async function run(startedAt: Date) {
  }
 }

-// Module-level startedAt so it can be accessed by runWrapper for error reporting
-const startedAt = new Date();
-export const runPromise = run(startedAt);
-
-async function runWrapper() {
+export async function runWrapper() {
+  const startedAt = new Date();
  const logger = getActionsLogger();
  try {
-    await runPromise;
+    await run(startedAt);
  } catch (error) {
    core.setFailed(`analyze action failed: ${util.getErrorMessage(error)}`);
    await sendUnhandledErrorStatusReport(
@@ -542,5 +539,3 @@ async function runWrapper() {
  }
  await util.checkForTimeout();
 }
-
-void runWrapper();
@@ -141,14 +141,9 @@ test("scanArtifactsForTokens handles files without tokens", async (t) => {
  }
 });

-// This test is slow (extracts and scans a zip artifact), so by default we only run it in CI. Set
-// RUN_SLOW_TESTS=1 to run it locally.
-if (
-  os.platform() !== "win32" &&
-  (process.env.CI === "true" || process.env.RUN_SLOW_TESTS === "1")
-) {
+// `scanArchiveFile` does not support Windows, so we skip this test there.
+if (os.platform() !== "win32") {
  test("scanArtifactsForTokens finds token in debug artifacts", async (t) => {
-    t.timeout(15000); // 15 seconds
    const messages: LoggedMessage[] = [];
    const logger = getRecordingLogger(messages, { logToConsole: false });
    // The zip here is a regression test based on
@@ -142,7 +142,7 @@ async function run(startedAt: Date) {
  await sendCompletedStatusReport(config, logger, startedAt, languages ?? []);
 }

-async function runWrapper() {
+export async function runWrapper() {
  const startedAt = new Date();
  const logger = getActionsLogger();
  try {
@@ -157,5 +157,3 @@ async function runWrapper() {
    );
  }
 }
-
-void runWrapper();
@@ -1072,7 +1072,7 @@ test.serial(
 );

 test.serial(
-  "Avoids duplicating --overwrite flag if specified in CODEQL_ACTION_EXTRA_OPTIONS",
+  "Avoids duplicating --force-overwrite flag if specified in CODEQL_ACTION_EXTRA_OPTIONS",
  async (t) => {
    const runnerConstructorStub = stubToolRunnerConstructor();
    const codeqlObject = await stubCodeql();
@@ -1080,7 +1080,7 @@ test.serial(
    sinon.stub(io, "which").resolves("");

    process.env["CODEQL_ACTION_EXTRA_OPTIONS"] =
-      '{ "database": { "init": ["--overwrite"] } }';
+      '{ "database": { "init": ["--force-overwrite"] } }';

    await codeqlObject.databaseInitCluster(
      stubConfig,
@@ -1093,9 +1093,9 @@ test.serial(
    t.true(runnerConstructorStub.calledOnce);
    const args = runnerConstructorStub.firstCall.args[1] as string[];
    t.is(
-      args.filter((option: string) => option === "--overwrite").length,
+      args.filter((option: string) => option === "--force-overwrite").length,
      1,
-      "--overwrite should only be passed once",
+      "--force-overwrite should only be passed once",
    );

    // Clean up
@@ -277,7 +277,7 @@ let cachedCodeQL: CodeQL | undefined = undefined;
 * The version flags below can be used to conditionally enable certain features
 * on versions newer than this.
 */
-const CODEQL_MINIMUM_VERSION = "2.17.6";
+const CODEQL_MINIMUM_VERSION = "2.19.4";

 /**
 * This version will shortly become the oldest version of CodeQL that the Action will run with.
@@ -592,13 +592,6 @@ async function getCodeQLForCmd(
        extraArgs.push(`--qlconfig-file=${qlconfigFile}`);
      }

-      const overwriteFlag = isSupportedToolsFeature(
-        await this.getVersion(),
-        ToolsFeature.ForceOverwrite,
-      )
-        ? "--force-overwrite"
-        : "--overwrite";
-
      const overlayDatabaseMode = config.overlayDatabaseMode;
      if (overlayDatabaseMode === OverlayDatabaseMode.Overlay) {
        const overlayChangesFile = await writeOverlayChangesFile(
@@ -625,7 +618,7 @@ async function getCodeQLForCmd(
          "init",
          ...(overlayDatabaseMode === OverlayDatabaseMode.Overlay
            ? []
-            : [overwriteFlag]),
+            : ["--force-overwrite"]),
          "--db-cluster",
          config.dbLocation,
          `--source-root=${sourceRoot}`,
@@ -636,7 +629,14 @@ async function getCodeQLForCmd(
            // Some user configs specify `--no-calculate-baseline` as an additional
            // argument to `codeql database init`. Therefore ignore the baseline file
            // options here to avoid specifying the same argument twice and erroring.
-            ignoringOptions: ["--overwrite", ...baselineFilesOptions],
+            //
+            // Ignore `--overwrite` to avoid passing both `--force-overwrite` and `--overwrite` if
+            // the user has configured `--overwrite`.
+            ignoringOptions: [
+              "--force-overwrite",
+              "--overwrite",
+              ...baselineFilesOptions,
+            ],
          }),
        ],
        { stdin: externalRepositoryToken },
@@ -853,7 +853,7 @@ async function getCodeQLForCmd(
        "--sarif-group-rules-by-pack",
        "--sarif-include-query-help=always",
        "--sublanguage-file-coverage",
-        ...(await getJobRunUuidSarifOptions(this)),
+        ...(await getJobRunUuidSarifOptions()),
        ...getExtraOptionsFromEnv(["database", "interpret-results"]),
      ];
      if (sarifRunPropertyFlag !== undefined) {
@@ -1283,13 +1283,8 @@ function applyAutobuildAzurePipelinesTimeoutFix() {
  ].join(" ");
 }

-async function getJobRunUuidSarifOptions(codeql: CodeQL) {
+async function getJobRunUuidSarifOptions() {
  const jobRunUuid = process.env[EnvVar.JOB_RUN_UUID];

-  return jobRunUuid &&
-    (await codeql.supportsFeature(
-      ToolsFeature.DatabaseInterpretResultsSupportsSarifRunProperty,
-    ))
-    ? [`--sarif-run-property=jobRunUuid=${jobRunUuid}`]
-    : [];
+  return jobRunUuid ? [`--sarif-run-property=jobRunUuid=${jobRunUuid}`] : [];
 }
@@ -21,6 +21,7 @@ import { GitVersionInfo } from "./git-utils";
 import { BuiltInLanguage, Language } from "./languages";
 import { getRunnerLogger } from "./logging";
 import { CODEQL_OVERLAY_MINIMUM_VERSION } from "./overlay";
+import * as overlayDiagnostics from "./overlay/diagnostics";
 import { OverlayDisabledReason } from "./overlay/diagnostics";
 import { OverlayDatabaseMode } from "./overlay/overlay-database-mode";
 import * as overlayStatus from "./overlay/status";
@@ -2143,3 +2144,87 @@ test.serial(
    });
  },
 );
+
+test("applyIncrementalAnalysisSettings: no-op when mode is not Overlay and diff ranges are unavailable", async (t) => {
+  const config = createTestConfig({});
+  config.overlayDatabaseMode = OverlayDatabaseMode.None;
+  const codeql = createStubCodeQL({});
+  const logger = getRunnerLogger(true);
+
+  await configUtils.applyIncrementalAnalysisSettings(
+    config,
+    false,
+    codeql,
+    logger,
+  );
+
+  t.is(config.overlayDatabaseMode, OverlayDatabaseMode.None);
+  t.deepEqual(config.extraQueryExclusions, []);
+});
+
+test("applyIncrementalAnalysisSettings: keeps overlay mode and adds exclusions when diff ranges are available", async (t) => {
+  const config = createTestConfig({
+    overlayDatabaseMode: OverlayDatabaseMode.Overlay,
+  });
+  const codeql = createStubCodeQL({});
+  const logger = getRunnerLogger(true);
+
+  await configUtils.applyIncrementalAnalysisSettings(
+    config,
+    true,
+    codeql,
+    logger,
+  );
+
+  t.is(config.overlayDatabaseMode, OverlayDatabaseMode.Overlay);
+  t.deepEqual(config.extraQueryExclusions, [
+    { exclude: { tags: "exclude-from-incremental" } },
+  ]);
+});
+
+test("applyIncrementalAnalysisSettings: disables overlay analysis when diff ranges are unavailable", async (t) => {
+  const config = createTestConfig({
+    overlayDatabaseMode: OverlayDatabaseMode.Overlay,
+  });
+  config.useOverlayDatabaseCaching = true;
+  const codeql = createStubCodeQL({});
+  const logger = getRunnerLogger(true);
+  const addDiagnosticsStub = sinon
+    .stub(overlayDiagnostics, "addOverlayDisablementDiagnostics")
+    .resolves();
+
+  await configUtils.applyIncrementalAnalysisSettings(
+    config,
+    false,
+    codeql,
+    logger,
+  );
+
+  t.is(config.overlayDatabaseMode, OverlayDatabaseMode.None);
+  t.is(config.useOverlayDatabaseCaching, false);
+  t.deepEqual(config.extraQueryExclusions, []);
+  t.true(addDiagnosticsStub.calledOnce);
+  t.is(
+    addDiagnosticsStub.firstCall.args[2],
+    OverlayDisabledReason.DiffInformedAnalysisNotEnabled,
+  );
+});
+
+test("applyIncrementalAnalysisSettings: adds exclusions for diff-informed-only runs", async (t) => {
+  const config = createTestConfig({});
+  config.overlayDatabaseMode = OverlayDatabaseMode.None;
+  const codeql = createStubCodeQL({});
+  const logger = getRunnerLogger(true);
+
+  await configUtils.applyIncrementalAnalysisSettings(
+    config,
+    true,
+    codeql,
+    logger,
+  );
+
+  t.is(config.overlayDatabaseMode, OverlayDatabaseMode.None);
+  t.deepEqual(config.extraQueryExclusions, [
+    { exclude: { tags: "exclude-from-incremental" } },
+  ]);
+});
@@ -31,7 +31,7 @@ import {
  addNoLanguageDiagnostic,
  makeTelemetryDiagnostic,
 } from "./diagnostics";
-import { shouldPerformDiffInformedAnalysis } from "./diff-informed-analysis-utils";
+import { prepareDiffInformedAnalysis } from "./diff-informed-analysis-utils";
 import { EnvVar } from "./environment";
 import * as errorMessages from "./error-messages";
 import { Feature, FeatureEnablement } from "./feature-flags";
@@ -1077,6 +1077,48 @@ function hasQueryCustomisation(userConfig: UserConfig): boolean {
  );
 }

+/**
+ * Finalize the incremental-analysis configuration for this run.
+ *
+ * Overlay analysis has only been validated in combination with diff-informed
+ * analysis, so if `Overlay` mode was selected for a pull request but the diff
+ * ranges could not be computed, fall back to a full non-overlay analysis.
+ *
+ * Query exclusions for incremental-only queries are then applied whenever the
+ * diff ranges are available — which, after the fallback above, is exactly the
+ * set of runs where any kind of incremental analysis (overlay or
+ * diff-informed) is in effect.
+ */
+export async function applyIncrementalAnalysisSettings(
+  config: Config,
+  hasDiffRanges: boolean,
+  codeql: CodeQL,
+  logger: Logger,
+): Promise<void> {
+  if (
+    config.overlayDatabaseMode === OverlayDatabaseMode.Overlay &&
+    !hasDiffRanges
+  ) {
+    logger.info(
+      `Reverting overlay database mode to ${OverlayDatabaseMode.None} ` +
+        "because the PR diff ranges could not be computed.",
+    );
+    config.overlayDatabaseMode = OverlayDatabaseMode.None;
+    config.useOverlayDatabaseCaching = false;
+    await addOverlayDisablementDiagnostics(
+      config,
+      codeql,
+      OverlayDisabledReason.DiffInformedAnalysisNotEnabled,
+    );
+  }
+
+  if (hasDiffRanges) {
+    config.extraQueryExclusions.push({
+      exclude: { tags: "exclude-from-incremental" },
+    });
+  }
+}
+
 /**
 * Load and return the config.
 *
@@ -1231,18 +1273,18 @@ export async function initConfig(
    );
  }

-  if (
-    config.overlayDatabaseMode === OverlayDatabaseMode.Overlay ||
-    (await shouldPerformDiffInformedAnalysis(
-      inputs.codeql,
-      inputs.features,
-      logger,
-    ))
-  ) {
-    config.extraQueryExclusions.push({
-      exclude: { tags: "exclude-from-incremental" },
-    });
-  }
+  const hasDiffRanges = await prepareDiffInformedAnalysis(
+    inputs.codeql,
+    inputs.features,
+    logger,
+  );
+
+  await applyIncrementalAnalysisSettings(
+    config,
+    hasDiffRanges,
+    inputs.codeql,
+    logger,
+  );

  if (await isTrapCachingEnabled(features, config.overlayDatabaseMode)) {
    const { trapCaches, trapCacheDownloadTime } = await downloadCacheWithTime(
@@ -5,14 +5,16 @@ import * as actionsUtil from "./actions-util";
 import type { PullRequestBranches } from "./actions-util";
 import * as apiClient from "./api-client";
 import {
-  shouldPerformDiffInformedAnalysis,
+  getDiffInformedAnalysisBranches,
+  prepareDiffInformedAnalysis,
  exportedForTesting,
 } from "./diff-informed-analysis-utils";
-import { Feature, initFeatures } from "./feature-flags";
+import { Feature, FeatureEnablement, initFeatures } from "./feature-flags";
 import { getRunnerLogger } from "./logging";
 import { parseRepositoryNwo } from "./repository";
 import {
  setupTests,
+  createFeatures,
  mockCodeQLVersion,
  mockFeatureFlagApiEndpoint,
  setupActionsVars,
@@ -73,28 +75,25 @@ const testShouldPerformDiffInformedAnalysis = makeMacro({
        [Feature.DiffInformedQueries]: testCase.featureEnabled,
      });

-      const getGitHubVersionStub = sinon
+      sinon
        .stub(apiClient, "getGitHubVersion")
        .resolves(testCase.gitHubVersion);
-      const getPullRequestBranchesStub = sinon
+      sinon
        .stub(actionsUtil, "getPullRequestBranches")
        .returns(testCase.pullRequestBranches);

-      const result = await shouldPerformDiffInformedAnalysis(
+      const branches = await getDiffInformedAnalysisBranches(
        codeql,
        features,
        logger,
      );

-      t.is(result, expectedResult);
+      t.is(branches !== undefined, expectedResult);

      delete process.env.CODEQL_ACTION_DIFF_INFORMED_QUERIES;
-
-      getGitHubVersionStub.restore();
-      getPullRequestBranchesStub.restore();
    });
  },
-  title: (title) => `shouldPerformDiffInformedAnalysis: ${title}`,
+  title: (title) => `getDiffInformedAnalysisBranches: ${title}`,
 });

 testShouldPerformDiffInformedAnalysis.serial(
@@ -178,6 +177,135 @@ testShouldPerformDiffInformedAnalysis.serial(
  false,
 );

+test.serial(
+  "prepareDiffInformedAnalysis: returns false when not a pull request",
+  async (t) => {
+    await withTmpDir(async (tmpDir) => {
+      setupActionsVars(tmpDir, tmpDir);
+      const logger = getRunnerLogger(true);
+      const codeql = mockCodeQLVersion("2.21.0");
+      const features = createFeatures([Feature.DiffInformedQueries]);
+
+      sinon.stub(actionsUtil, "getPullRequestBranches").returns(undefined);
+      sinon
+        .stub(apiClient, "getGitHubVersion")
+        .resolves({ type: GitHubVariant.DOTCOM });
+
+      const result = await prepareDiffInformedAnalysis(
+        codeql,
+        features,
+        logger,
+      );
+
+      t.false(result);
+    });
+  },
+);
+
+test.serial(
+  "prepareDiffInformedAnalysis: returns false when applicability check throws",
+  async (t) => {
+    await withTmpDir(async (tmpDir) => {
+      setupActionsVars(tmpDir, tmpDir);
+      const logger = getRunnerLogger(true);
+      const codeql = mockCodeQLVersion("2.21.0");
+      // A features implementation whose getValue rejects, simulating an
+      // unexpected failure when determining whether diff-informed analysis
+      // should run.
+      const features: FeatureEnablement = {
+        getEnabledDefaultCliVersions: async () => {
+          throw new Error("not implemented");
+        },
+        getValue: async () => {
+          throw new Error("feature flag lookup failed");
+        },
+      };
+
+      const result = await prepareDiffInformedAnalysis(
+        codeql,
+        features,
+        logger,
+      );
+
+      t.false(result);
+    });
+  },
+);
+
+test.serial(
+  "prepareDiffInformedAnalysis: returns true when the diff is fetched successfully",
+  async (t) => {
+    await withTmpDir(async (tmpDir) => {
+      setupActionsVars(tmpDir, tmpDir);
+      const logger = getRunnerLogger(true);
+      const codeql = mockCodeQLVersion("2.21.0");
+      const features = createFeatures([Feature.DiffInformedQueries]);
+
+      sinon
+        .stub(actionsUtil, "getPullRequestBranches")
+        .returns({ base: "main", head: "feature" });
+      sinon
+        .stub(apiClient, "getGitHubVersion")
+        .resolves({ type: GitHubVariant.DOTCOM });
+      // eslint-disable-next-line @typescript-eslint/no-unsafe-argument
+      sinon.stub(apiClient, "getApiClient").returns({
+        rest: {
+          repos: {
+            compareCommitsWithBasehead: sinon
+              .stub()
+              .resolves({ data: { files: [] } }),
+          },
+        },
+      } as any);
+
+      const result = await prepareDiffInformedAnalysis(
+        codeql,
+        features,
+        logger,
+      );
+
+      t.true(result);
+    });
+  },
+);
+
+test.serial(
+  "prepareDiffInformedAnalysis: returns false when the diff API call fails",
+  async (t) => {
+    await withTmpDir(async (tmpDir) => {
+      setupActionsVars(tmpDir, tmpDir);
+      const logger = getRunnerLogger(true);
+      const codeql = mockCodeQLVersion("2.21.0");
+      const features = createFeatures([Feature.DiffInformedQueries]);
+
+      sinon
+        .stub(actionsUtil, "getPullRequestBranches")
+        .returns({ base: "main", head: "feature" });
+      sinon
+        .stub(apiClient, "getGitHubVersion")
+        .resolves({ type: GitHubVariant.DOTCOM });
+      const notFoundError: any = new Error("Not Found");
+      notFoundError.status = 404;
+      // eslint-disable-next-line @typescript-eslint/no-unsafe-argument
+      sinon.stub(apiClient, "getApiClient").returns({
+        rest: {
+          repos: {
+            compareCommitsWithBasehead: sinon.stub().rejects(notFoundError),
+          },
+        },
+      } as any);
+
+      const result = await prepareDiffInformedAnalysis(
+        codeql,
+        features,
+        logger,
+      );
+
+      t.false(result);
+    });
+  },
+);
+
 function runGetDiffRanges(changes: number, patch: string[] | undefined): any {
  return exportedForTesting.getDiffRanges(
    {
@@ -5,9 +5,9 @@ import type { PullRequestBranches } from "./actions-util";
 import { getApiClient, getGitHubVersion } from "./api-client";
 import type { CodeQL } from "./codeql";
 import { Feature, FeatureEnablement } from "./feature-flags";
-import { Logger } from "./logging";
+import { Logger, withGroupAsync } from "./logging";
 import { getRepositoryNwoFromEnv } from "./repository";
-import { GitHubVariant, satisfiesGHESVersion } from "./util";
+import { getErrorMessage, GitHubVariant, satisfiesGHESVersion } from "./util";

 /**
 * This interface is an abbreviated version of the file diff object returned by
@@ -21,20 +21,6 @@ interface FileDiff {
  patch?: string | undefined;
 }

-/**
- * Check if the action should perform diff-informed analysis.
- */
-export async function shouldPerformDiffInformedAnalysis(
-  codeql: CodeQL,
-  features: FeatureEnablement,
-  logger: Logger,
-): Promise<boolean> {
-  return (
-    (await getDiffInformedAnalysisBranches(codeql, features, logger)) !==
-    undefined
-  );
-}
-
 /**
 * Get the branches to use for diff-informed analysis.
 *
@@ -69,6 +55,46 @@ export async function getDiffInformedAnalysisBranches(
  return branches;
 }

+/**
+ * Prepares the diff ranges needed for diff-informed analysis for the current
+ * run.
+ *
+ * @returns `true` if the diff ranges were successfully computed and persisted
+ *   and are therefore available for use, `false` otherwise.
+ */
+export async function prepareDiffInformedAnalysis(
+  codeql: CodeQL,
+  features: FeatureEnablement,
+  logger: Logger,
+): Promise<boolean> {
+  let branches: PullRequestBranches | undefined;
+  try {
+    branches = await getDiffInformedAnalysisBranches(codeql, features, logger);
+  } catch (e) {
+    // If we cannot determine whether diff-informed analysis applies (for
+    // example, because a feature-flag lookup failed), treat it as not
+    // applicable rather than triggering the overlay fallback.
+    logger.warning(
+      `Failed to determine branch information for diff-informed analysis: ${getErrorMessage(e)}`,
+    );
+    return false;
+  }
+  if (!branches) {
+    return false;
+  }
+
+  return await withGroupAsync("Computing PR diff ranges", async () => {
+    try {
+      return await computeAndPersistDiffRanges(branches, logger);
+    } catch (e) {
+      logger.warning(
+        `Failed to compute diff-informed analysis ranges: ${getErrorMessage(e)}`,
+      );
+      return false;
+    }
+  });
+}
+
 export interface DiffThunkRange {
  /** Relative path from the repository root, using forward slashes as separators. */
  path: string;
@@ -151,6 +177,33 @@ export async function getPullRequestEditedDiffRanges(
  return results;
 }

+/**
+ * Compute and persist the diff ranges for a pull request. This fetches the
+ * diff from the GitHub API and writes it to the diff ranges JSON file so that
+ * CodeQL can use it for diff-informed analysis.
+ *
+ * @param branches The base and head branches of the pull request, as returned
+ *   by `getDiffInformedAnalysisBranches`.
+ * @param logger
+ * @returns `true` if the diff ranges were successfully computed and persisted,
+ *   otherwise `false`.
+ */
+export async function computeAndPersistDiffRanges(
+  branches: PullRequestBranches,
+  logger: Logger,
+): Promise<boolean> {
+  const ranges = await getPullRequestEditedDiffRanges(branches, logger);
+  if (ranges === undefined) {
+    return false;
+  }
+  writeDiffRangesJsonFile(logger, ranges);
+  const distinctFiles = new Set(ranges.map((r) => r.path)).size;
+  logger.info(
+    `Persisted ${ranges.length} diff range(s) across ${distinctFiles} file(s).`,
+  );
+  return true;
+}
+
 async function getFileDiffsWithBasehead(
  branches: PullRequestBranches,
  logger: Logger,
@@ -0,0 +1,3 @@
+export async function run__ACTION__() {
+  return await __ACTION__.runWrapper();
+}
@@ -26,6 +26,9 @@ const DEFAULT_VERSION_FEATURE_FLAG_SUFFIX = "_enabled";

 /**
 * The first version of the CodeQL Bundle that shipped with zstd-compressed bundles.
+ *
+ * This is now below the minimum version of CodeQL, but we keep this around because we currently set
+ * up CodeQL before checking that the version is new enough.
 */
 export const CODEQL_VERSION_ZSTD_BUNDLE = "2.19.0";

@@ -126,7 +129,6 @@ export enum Feature {
  QaTelemetryEnabled = "qa_telemetry_enabled",
  /** Note that this currently only disables baseline file coverage information. */
  SkipFileCoverageOnPrs = "skip_file_coverage_on_prs",
-  StartProxyRemoveUnusedRegistries = "start_proxy_remove_unused_registries",
  StartProxyUseFeaturesRelease = "start_proxy_use_features_release",
  UploadOverlayDbToApi = "upload_overlay_db_to_api",
  ValidateDbConfig = "validate_db_config",
@@ -362,11 +364,6 @@ export const featureConfig = {
    minimumVersion: undefined,
    toolsFeature: ToolsFeature.SuppressesMissingFileBaselineWarning,
  },
-  [Feature.StartProxyRemoveUnusedRegistries]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_START_PROXY_REMOVE_UNUSED_REGISTRIES",
-    minimumVersion: undefined,
-  },
  [Feature.StartProxyUseFeaturesRelease]: {
    defaultValue: false,
    envVar: "CODEQL_ACTION_START_PROXY_USE_FEATURES_RELEASE",
@@ -33,7 +33,6 @@ test.serial(

      const actualRef = await gitUtils.getRef();
      t.deepEqual(actualRef, expectedRef);
-      callback.restore();
    });
  },
 );
@@ -54,7 +53,6 @@ test.serial(

      const actualRef = await gitUtils.getRef();
      t.deepEqual(actualRef, expectedRef);
-      callback.restore();
    });
  },
 );
@@ -73,7 +71,6 @@ test.serial(

      const actualRef = await gitUtils.getRef();
      t.deepEqual(actualRef, "refs/pull/1/head");
-      callback.restore();
    });
  },
 );
@@ -100,8 +97,6 @@ test.serial(

      const actualRef = await gitUtils.getRef();
      t.deepEqual(actualRef, "refs/pull/2/merge");
-      callback.restore();
-      getAdditionalInputStub.restore();
    });
  },
 );
@@ -161,7 +156,6 @@ test.serial(
            "Both 'ref' and 'sha' are required if one of them is provided.",
        },
      );
-      getAdditionalInputStub.restore();
    });
  },
 );
@@ -188,7 +182,6 @@ test.serial(
            "Both 'ref' and 'sha' are required if one of them is provided.",
        },
      );
-      getAdditionalInputStub.restore();
    });
  },
 );
@@ -242,7 +235,6 @@ test.serial("isAnalyzingDefaultBranch()", async (t) => {
    process.env["GITHUB_EVENT_NAME"] = "schedule";
    process.env["GITHUB_REF"] = "refs/heads/main";
    t.deepEqual(await gitUtils.isAnalyzingDefaultBranch(), false);
-    getAdditionalInputStub.restore();
  });
 });

@@ -254,8 +246,6 @@ test.serial("determineBaseBranchHeadCommitOid non-pullrequest", async (t) => {
  const result = await gitUtils.determineBaseBranchHeadCommitOid(__dirname);
  t.deepEqual(result, undefined);
  t.deepEqual(0, infoStub.callCount);
-
-  infoStub.restore();
 });

 test.serial(
@@ -276,8 +266,6 @@ test.serial(
      "git call failed. Will calculate the base branch SHA on the server. Error: " +
        "The checkout path provided to the action does not appear to be a git repository.",
    );
-
-    infoStub.restore();
  },
 );

@@ -301,10 +289,27 @@ test.serial("determineBaseBranchHeadCommitOid other error", async (t) => {
      "The checkout path provided to the action does not appear to be a git repository.",
    ),
  );
-
-  infoStub.restore();
 });

+test.serial(
+  "determineBaseBranchHeadCommitOid accepts SHA-256 OIDs",
+  async (t) => {
+    const mergeSha = "a".repeat(64);
+    const baseOid = "b".repeat(64);
+    const headOid = "c".repeat(64);
+
+    process.env["GITHUB_EVENT_NAME"] = "pull_request";
+    process.env["GITHUB_SHA"] = mergeSha;
+
+    sinon
+      .stub(gitUtils as any, "runGitCommand")
+      .resolves(`commit ${mergeSha}\nparent ${baseOid}\nparent ${headOid}\n`);
+
+    const result = await gitUtils.determineBaseBranchHeadCommitOid(__dirname);
+    t.deepEqual(result, baseOid);
+  },
+);
+
 test.serial("decodeGitFilePath unquoted strings", async (t) => {
  t.deepEqual(gitUtils.decodeGitFilePath("foo"), "foo");
  t.deepEqual(gitUtils.decodeGitFilePath("foo bar"), "foo bar");
@@ -436,6 +441,64 @@ test.serial("getFileOidsUnderPath handles quoted paths", async (t) => {
  });
 });

+test.serial("getFileOidsUnderPath handles SHA-256 OIDs", async (t) => {
+  await withTmpDir(async (tmpDir) => {
+    const sha256OidA =
+      "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2c0d4b7e8f9a1234567890ab";
+    const sha256OidB =
+      "aabbccddeeff00112233445566778899aabbccddeeff00112233445566778899";
+
+    sinon
+      .stub(gitUtils as any, "runGitCommand")
+      .callsFake(async (_cwd: any, args: any) => {
+        if (args[0] === "rev-parse") {
+          return `${tmpDir}\n`;
+        }
+        return (
+          `100644 ${sha256OidA} 0\tlib/sha256-file-a.js\n` +
+          `100644 ${sha256OidB} 0\tsrc/sha256-file-b.ts`
+        );
+      });
+
+    const result = await gitUtils.getFileOidsUnderPath("/fake/path");
+
+    t.deepEqual(result, {
+      "lib/sha256-file-a.js": sha256OidA,
+      "src/sha256-file-b.ts": sha256OidB,
+    });
+  });
+});
+
+test.serial(
+  "getFileOidsUnderPath rejects OIDs of unsupported length",
+  async (t) => {
+    await withTmpDir(async (tmpDir) => {
+      // 50-char OID: not a valid SHA-1 (40) or SHA-256 (64) length. The regex
+      // must not accept this even though every character is a valid hex digit.
+      const invalidLine =
+        "100644 30d998ded095371488be3a729eb61d86ed721a1830d998ded0 0\tlib/bad.js";
+      sinon
+        .stub(gitUtils as any, "runGitCommand")
+        .callsFake(async (_cwd: any, args: any) => {
+          if (args[0] === "rev-parse") {
+            return `${tmpDir}\n`;
+          }
+          return invalidLine;
+        });
+
+      await t.throwsAsync(
+        async () => {
+          await gitUtils.getFileOidsUnderPath("/fake/path");
+        },
+        {
+          instanceOf: Error,
+          message: `Unexpected "git ls-files" output: ${invalidLine}`,
+        },
+      );
+    });
+  },
+);
+
 test.serial("getFileOidsUnderPath handles empty output", async (t) => {
  await withTmpDir(async (tmpDir) => {
    sinon
@@ -163,11 +163,12 @@ export const determineBaseBranchHeadCommitOid = async function (
      }
    }

-    // Let's confirm our assumptions: We had a merge commit and the parsed parent data looks correct
+    // Let's confirm our assumptions: We had a merge commit and the parsed parent
+    // data looks correct. OIDs are either 40 (SHA-1) or 64 (SHA-256) hex characters.
    if (
      commitOid === mergeSha &&
-      headOid.length === 40 &&
-      baseOid.length === 40
+      (headOid.length === 40 || headOid.length === 64) &&
+      (baseOid.length === 40 || baseOid.length === 64)
    ) {
      return baseOid;
    }
@@ -296,7 +297,8 @@ export const getFileOidsUnderPath = async function (
  // 100644 4c51bc1d9e86cd86e01b0f340cb8ce095c33b283 0\tsrc/git-utils.test.ts
  // 100644 6b792ea543ce75d7a8a03df591e3c85311ecb64f 0\tsrc/git-utils.ts
  // The fields are: <mode> <oid> <stage>\t<path>
-  const regex = /^[0-9]+ ([0-9a-f]{40}) [0-9]+\t(.+)$/;
+  // The OID is either 40 (SHA-1) or 64 (SHA-256) hex characters.
+  const regex = /^[0-9]+ ([0-9a-f]{40}|[0-9a-f]{64}) [0-9]+\t(.+)$/;
  for (const line of stdout.split("\n")) {
    if (line) {
      const match = line.match(regex);
@@ -207,7 +207,7 @@ function getJobStatusFromEnvironment(): JobStatus | undefined {
  return undefined;
 }

-async function runWrapper() {
+export async function runWrapper() {
  const startedAt = new Date();
  const logger = getActionsLogger();
  try {
@@ -222,5 +222,3 @@ async function runWrapper() {
    );
  }
 }
-
-void runWrapper();
@@ -37,11 +37,6 @@ import {
  makeDiagnostic,
  makeTelemetryDiagnostic,
 } from "./diagnostics";
-import {
-  getDiffInformedAnalysisBranches,
-  getPullRequestEditedDiffRanges,
-  writeDiffRangesJsonFile,
-} from "./diff-informed-analysis-utils";
 import { EnvVar } from "./environment";
 import { Feature, FeatureEnablement, initFeatures } from "./feature-flags";
 import {
@@ -434,7 +429,6 @@ async function run(startedAt: Date) {
    }

    await checkInstallPython311(config.languages, codeql);
-    await computeAndPersistDiffRanges(codeql, features, logger);
  } catch (unwrappedError) {
    const error = wrapError(unwrappedError);
    core.setFailed(error.message);
@@ -830,42 +824,6 @@ async function loadRepositoryProperties(
  }
 }

-/**
- * Compute and persist diff ranges when diff-informed analysis is enabled
- * (feature flag + PR context). This writes the standard pr-diff-range.json
- * file for later reuse in the analyze step. Failures are logged but non-fatal.
- */
-async function computeAndPersistDiffRanges(
-  codeql: CodeQL,
-  features: FeatureEnablement,
-  logger: Logger,
-): Promise<void> {
-  await withGroupAsync("Computing PR diff ranges", async () => {
-    try {
-      const branches = await getDiffInformedAnalysisBranches(
-        codeql,
-        features,
-        logger,
-      );
-      if (!branches) {
-        return;
-      }
-      const ranges = await getPullRequestEditedDiffRanges(branches, logger);
-      if (ranges === undefined) {
-        return;
-      }
-      writeDiffRangesJsonFile(logger, ranges);
-      const distinctFiles = new Set(ranges.map((r) => r.path)).size;
-      logger.info(
-        `Persisted ${ranges.length} diff range(s) across ${distinctFiles} file(s).`,
-      );
-    } catch (e) {
-      logger.warning(
-        `Failed to compute and persist PR diff ranges: ${getErrorMessage(e)}`,
-      );
-    }
-  });
-}
 async function recordZstdAvailability(
  config: configUtils.Config,
  zstdAvailability: ZstdAvailability,
@@ -880,7 +838,7 @@ async function recordZstdAvailability(
  );
 }

-async function runWrapper() {
+export async function runWrapper() {
  const startedAt = new Date();
  const logger = getActionsLogger();
  try {
@@ -896,5 +854,3 @@ async function runWrapper() {
  }
  await checkForTimeout();
 }
-
-void runWrapper();
@@ -80,65 +80,46 @@ const testDownloadOverlayBaseDatabaseFromCache = makeMacro({
        await fs.promises.writeFile(baseDatabaseOidsFile, JSON.stringify({}));
      }

-      const stubs: sinon.SinonStub[] = [];
+      sinon.stub(apiClient, "getAutomationID").resolves("test-automation-id/");

-      const getAutomationIDStub = sinon
-        .stub(apiClient, "getAutomationID")
-        .resolves("test-automation-id/");
-      stubs.push(getAutomationIDStub);
-
-      const isInTestModeStub = sinon
-        .stub(utils, "isInTestMode")
-        .returns(testCase.isInTestMode);
-      stubs.push(isInTestModeStub);
+      sinon.stub(utils, "isInTestMode").returns(testCase.isInTestMode);

      if (testCase.restoreCacheResult instanceof Error) {
-        const restoreCacheStub = sinon
+        sinon
          .stub(actionsCache, "restoreCache")
          .rejects(testCase.restoreCacheResult);
-        stubs.push(restoreCacheStub);
      } else {
-        const restoreCacheStub = sinon
+        sinon
          .stub(actionsCache, "restoreCache")
          .resolves(testCase.restoreCacheResult);
-        stubs.push(restoreCacheStub);
      }

-      const tryGetFolderBytesStub = sinon
+      sinon
        .stub(utils, "tryGetFolderBytes")
        .resolves(testCase.tryGetFolderBytesSucceeds ? 1024 * 1024 : undefined);
-      stubs.push(tryGetFolderBytesStub);

      const codeql = mockCodeQLVersion(testCase.codeQLVersion);

      if (testCase.resolveDatabaseOutput instanceof Error) {
-        const resolveDatabaseStub = sinon
+        sinon
          .stub(codeql, "resolveDatabase")
          .rejects(testCase.resolveDatabaseOutput);
-        stubs.push(resolveDatabaseStub);
      } else {
-        const resolveDatabaseStub = sinon
+        sinon
          .stub(codeql, "resolveDatabase")
          .resolves(testCase.resolveDatabaseOutput);
-        stubs.push(resolveDatabaseStub);
      }

-      try {
-        const result = await downloadOverlayBaseDatabaseFromCache(
-          codeql,
-          config,
-          logger,
-        );
+      const result = await downloadOverlayBaseDatabaseFromCache(
+        codeql,
+        config,
+        logger,
+      );

-        if (expectDownloadSuccess) {
-          t.truthy(result);
-        } else {
-          t.is(result, undefined);
-        }
-      } finally {
-        for (const stub of stubs) {
-          stub.restore();
-        }
+      if (expectDownloadSuccess) {
+        t.truthy(result);
+      } else {
+        t.is(result, undefined);
      }
    });
  },
@@ -39,6 +39,15 @@ export enum OverlayDisabledReason {
  NotPullRequestOrDefaultBranch = "not-pull-request-or-default-branch",
  /** The top-level overlay analysis feature flag is not enabled. */
  OverallFeatureNotEnabled = "overall-feature-not-enabled",
+  /**
+   * Overlay analysis was selected for a pull request, but diff-informed
+   * analysis was not enabled for the run (for example, because the
+   * `DiffInformedQueries` feature flag is off, the GHES version is too old,
+   * or the PR diff ranges could not be computed). Overlay analysis has only
+   * been validated in combination with diff-informed analysis, so we fall
+   * back to a non-overlay analysis in this case.
+   */
+  DiffInformedAnalysisNotEnabled = "diff-informed-analysis-not-enabled",
  /** Overlay analysis was skipped because it previously failed with similar hardware resources. */
  SkippedDueToCachedStatus = "skipped-due-to-cached-status",
  /** Disk usage could not be determined during the overlay status check. */
@@ -50,31 +50,21 @@ test.serial(
        "modified.js": "ddd444", // Changed OID
        "added.js": "eee555", // New file
      };
-      const getFileOidsStubForOverlay = sinon
-        .stub(gitUtils, "getFileOidsUnderPath")
-        .resolves(currentOids);
+      sinon.stub(gitUtils, "getFileOidsUnderPath").resolves(currentOids);

      // Write the overlay changes file, which uses the mocked overlay OIDs
      // and the base database OIDs file
      const diffRangeFilePath = path.join(tempDir, "pr-diff-range.json");
-      const getTempDirStub = sinon
-        .stub(actionsUtil, "getTemporaryDirectory")
-        .returns(tempDir);
-      const getDiffRangesStub = sinon
+      sinon.stub(actionsUtil, "getTemporaryDirectory").returns(tempDir);
+      sinon
        .stub(actionsUtil, "getDiffRangesJsonFilePath")
        .returns(diffRangeFilePath);
-      const getGitRootStub = sinon
-        .stub(gitUtils, "getGitRoot")
-        .resolves(sourceRoot);
+      sinon.stub(gitUtils, "getGitRoot").resolves(sourceRoot);
      const changesFilePath = await writeOverlayChangesFile(
        config,
        sourceRoot,
        logger,
      );
-      getFileOidsStubForOverlay.restore();
-      getTempDirStub.restore();
-      getDiffRangesStub.restore();
-      getGitRootStub.restore();

      const fileContent = await fs.promises.readFile(changesFilePath, "utf-8");
      const parsedContent = JSON.parse(fileContent) as { changes: string[] };
@@ -128,20 +118,14 @@ test.serial(
        "modified.js": "ddd444", // Changed OID
        "reverted.js": "eee555", // Same OID as base -- not detected by OID comparison
      };
-      const getFileOidsStubForOverlay = sinon
-        .stub(gitUtils, "getFileOidsUnderPath")
-        .resolves(currentOids);
+      sinon.stub(gitUtils, "getFileOidsUnderPath").resolves(currentOids);

      const diffRangeFilePath = path.join(tempDir, "pr-diff-range.json");
-      const getTempDirStub = sinon
-        .stub(actionsUtil, "getTemporaryDirectory")
-        .returns(tempDir);
-      const getDiffRangesStub = sinon
+      sinon.stub(actionsUtil, "getTemporaryDirectory").returns(tempDir);
+      sinon
        .stub(actionsUtil, "getDiffRangesJsonFilePath")
        .returns(diffRangeFilePath);
-      const getGitRootStub = sinon
-        .stub(gitUtils, "getGitRoot")
-        .resolves(sourceRoot);
+      sinon.stub(gitUtils, "getGitRoot").resolves(sourceRoot);

      // Write a pr-diff-range.json file with diff ranges including
      // "reverted.js" (unchanged OIDs) and "modified.js" (already in OID changes)
@@ -159,10 +143,6 @@ test.serial(
        sourceRoot,
        logger,
      );
-      getFileOidsStubForOverlay.restore();
-      getTempDirStub.restore();
-      getDiffRangesStub.restore();
-      getGitRootStub.restore();

      const fileContent = await fs.promises.readFile(changesFilePath, "utf-8");
      const parsedContent = JSON.parse(fileContent) as { changes: string[] };
@@ -208,20 +188,14 @@ test.serial(
        "unchanged.js": "aaa111",
        "modified.js": "ddd444",
      };
-      const getFileOidsStubForOverlay = sinon
-        .stub(gitUtils, "getFileOidsUnderPath")
-        .resolves(currentOids);
+      sinon.stub(gitUtils, "getFileOidsUnderPath").resolves(currentOids);

      const diffRangeFilePath = path.join(tempDir, "pr-diff-range.json");
-      const getTempDirStub = sinon
-        .stub(actionsUtil, "getTemporaryDirectory")
-        .returns(tempDir);
-      const getDiffRangesStub = sinon
+      sinon.stub(actionsUtil, "getTemporaryDirectory").returns(tempDir);
+      sinon
        .stub(actionsUtil, "getDiffRangesJsonFilePath")
        .returns(diffRangeFilePath);
-      const getGitRootStub = sinon
-        .stub(gitUtils, "getGitRoot")
-        .resolves(sourceRoot);
+      sinon.stub(gitUtils, "getGitRoot").resolves(sourceRoot);

      // No pr-diff-range.json file exists - should work the same as before
      const changesFilePath = await writeOverlayChangesFile(
@@ -229,10 +203,6 @@ test.serial(
        sourceRoot,
        logger,
      );
-      getFileOidsStubForOverlay.restore();
-      getTempDirStub.restore();
-      getDiffRangesStub.restore();
-      getGitRootStub.restore();

      const fileContent = await fs.promises.readFile(changesFilePath, "utf-8");
      const parsedContent = JSON.parse(fileContent) as { changes: string[] };
@@ -281,21 +251,15 @@ test.serial(
        "app.js": "aaa111",
        "lib/util.js": "bbb222",
      };
-      const getFileOidsStubForOverlay = sinon
-        .stub(gitUtils, "getFileOidsUnderPath")
-        .resolves(currentOids);
+      sinon.stub(gitUtils, "getFileOidsUnderPath").resolves(currentOids);

      const diffRangeFilePath = path.join(tempDir, "pr-diff-range.json");
-      const getTempDirStub = sinon
-        .stub(actionsUtil, "getTemporaryDirectory")
-        .returns(tempDir);
-      const getDiffRangesStub = sinon
+      sinon.stub(actionsUtil, "getTemporaryDirectory").returns(tempDir);
+      sinon
        .stub(actionsUtil, "getDiffRangesJsonFilePath")
        .returns(diffRangeFilePath);
      // getGitRoot returns the repo root (parent of sourceRoot)
-      const getGitRootStub = sinon
-        .stub(gitUtils, "getGitRoot")
-        .resolves(repoRoot);
+      sinon.stub(gitUtils, "getGitRoot").resolves(repoRoot);

      // Diff ranges use repo-root-relative paths (as returned by the GitHub compare API)
      await fs.promises.writeFile(
@@ -312,10 +276,6 @@ test.serial(
        sourceRoot,
        logger,
      );
-      getFileOidsStubForOverlay.restore();
-      getTempDirStub.restore();
-      getDiffRangesStub.restore();
-      getGitRootStub.restore();

      const fileContent = await fs.promises.readFile(changesFilePath, "utf-8");
      const parsedContent = JSON.parse(fileContent) as { changes: string[] };
@@ -117,7 +117,7 @@ async function run(startedAt: Date) {
  }
 }

-async function runWrapper() {
+export async function runWrapper() {
  const startedAt = new Date();
  const logger = getActionsLogger();
  try {
@@ -137,5 +137,3 @@ async function runWrapper() {
  }
  await checkForTimeout();
 }
-
-void runWrapper();
@@ -196,7 +196,7 @@ async function run(startedAt: Date): Promise<void> {
 }

 /** Run the action and catch any unhandled errors. */
-async function runWrapper(): Promise<void> {
+export async function runWrapper(): Promise<void> {
  const startedAt = new Date();
  const logger = getActionsLogger();
  try {
@@ -212,5 +212,3 @@ async function runWrapper(): Promise<void> {
  }
  await checkForTimeout();
 }
-
-void runWrapper();
@@ -12,7 +12,7 @@ import { uploadArtifacts } from "./debug-artifacts";
 import { getActionsLogger } from "./logging";
 import { checkGitHubVersionInRange, getErrorMessage } from "./util";

-async function runWrapper() {
+export async function runWrapper() {
  // To capture errors appropriately, keep as much code within the try-catch as
  // possible, and only use safe functions outside.

@@ -62,5 +62,3 @@ async function runWrapper() {
    );
  }
 }
-
-void runWrapper();
@@ -5,7 +5,7 @@ import * as core from "@actions/core";

 import * as actionsUtil from "./actions-util";
 import { getGitHubVersion } from "./api-client";
-import { Feature, FeatureEnablement, initFeatures } from "./feature-flags";
+import { FeatureEnablement, initFeatures } from "./feature-flags";
 import { BuiltInLanguage, parseBuiltInLanguage } from "./languages";
 import { getActionsLogger, Logger } from "./logging";
 import { getRepositoryNwo } from "./repository";
@@ -57,18 +57,12 @@ async function run(startedAt: Date) {
    const languageInput = actionsUtil.getOptionalInput("language");
    language = languageInput ? parseBuiltInLanguage(languageInput) : undefined;

-    // Query the FF for whether we should use the reduced registry mapping.
-    const skipUnusedRegistries = await features.getValue(
-      Feature.StartProxyRemoveUnusedRegistries,
-    );
-
    // Get the registry configurations from one of the inputs.
    const credentials = getCredentials(
      logger,
      actionsUtil.getOptionalInput("registry_secrets"),
      actionsUtil.getOptionalInput("registries_credentials"),
      language,
-      skipUnusedRegistries,
    );

    if (credentials.length === 0) {
@@ -128,7 +122,7 @@ async function run(startedAt: Date) {
  }
 }

-async function runWrapper() {
+export async function runWrapper() {
  const startedAt = new Date();
  const logger = getActionsLogger();

@@ -204,5 +198,3 @@ async function startProxy(

  return { host, port, cert: config.ca.cert, registries: registry_urls };
 }
-
-void runWrapper();
@@ -585,7 +585,6 @@ test("getCredentials validates 'replaces-base' correctly", async (t) => {
    undefined,
    credentialsInput,
    BuiltInLanguage.java,
-    false,
  );

  t.is(credentials.length, 3);
@@ -604,8 +603,7 @@ test("getCredentials validates 'replaces-base' correctly", async (t) => {
      getRunnerLogger(true),
      undefined,
      toEncodedJSON([{ ...baseInvalid, "replaces-base": null }]),
-      BuiltInLanguage.actions,
-      false,
+      BuiltInLanguage.java,
    ),
  );
  t.throws(() =>
@@ -613,8 +611,7 @@ test("getCredentials validates 'replaces-base' correctly", async (t) => {
      getRunnerLogger(true),
      undefined,
      toEncodedJSON([{ ...baseInvalid, "replaces-base": 123 }]),
-      BuiltInLanguage.actions,
-      false,
+      BuiltInLanguage.java,
    ),
  );
  t.throws(() =>
@@ -622,13 +619,12 @@ test("getCredentials validates 'replaces-base' correctly", async (t) => {
      getRunnerLogger(true),
      undefined,
      toEncodedJSON([{ ...baseInvalid, "replaces-base": "true" }]),
-      BuiltInLanguage.actions,
-      false,
+      BuiltInLanguage.java,
    ),
  );
 });

-test("getCredentials returns all credentials for Actions when using LANGUAGE_TO_REGISTRY_TYPE", async (t) => {
+test("getCredentials returns no credentials for Actions", async (t) => {
  const credentialsInput = toEncodedJSON(mixedCredentials);

  const credentials = startProxyExports.getCredentials(
@@ -636,20 +632,6 @@ test("getCredentials returns all credentials for Actions when using LANGUAGE_TO_
    undefined,
    credentialsInput,
    BuiltInLanguage.actions,
-    false,
-  );
-  t.is(credentials.length, mixedCredentials.length);
-});
-
-test("getCredentials returns no credentials for Actions when using NEW_LANGUAGE_TO_REGISTRY_TYPE", async (t) => {
-  const credentialsInput = toEncodedJSON(mixedCredentials);
-
-  const credentials = startProxyExports.getCredentials(
-    getRunnerLogger(true),
-    undefined,
-    credentialsInput,
-    BuiltInLanguage.actions,
-    true,
  );
  t.deepEqual(credentials, []);
 });
@@ -189,17 +189,7 @@ function isPAT(value: string) {

 type RegistryMapping = Partial<Record<BuiltInLanguage, string[]>>;

-const LANGUAGE_TO_REGISTRY_TYPE: RegistryMapping = {
-  java: ["maven_repository"],
-  csharp: ["nuget_feed"],
-  javascript: ["npm_registry"],
-  python: ["python_index"],
-  ruby: ["rubygems_server"],
-  rust: ["cargo_registry"],
-  go: ["goproxy_server", "git_source"],
-} as const;
-
-const NEW_LANGUAGE_TO_REGISTRY_TYPE: Required<RegistryMapping> = {
+const LANGUAGE_TO_REGISTRY_TYPE: Required<RegistryMapping> = {
  actions: [],
  cpp: [],
  java: ["maven_repository"],
@@ -251,13 +241,9 @@ export function getCredentials(
  registrySecrets: string | undefined,
  registriesCredentials: string | undefined,
  language: BuiltInLanguage | undefined,
-  skipUnusedRegistries: boolean = false,
 ): Credential[] {
-  const registryMapping = skipUnusedRegistries
-    ? NEW_LANGUAGE_TO_REGISTRY_TYPE
-    : LANGUAGE_TO_REGISTRY_TYPE;
  const registryTypeForLanguage = language
-    ? registryMapping[language]
+    ? LANGUAGE_TO_REGISTRY_TYPE[language]
    : undefined;

  let credentialsStr: string;
@@ -6,9 +6,13 @@ import { ToolsFeature, isSupportedToolsFeature } from "./tools-features";
 test("isSupportedToolsFeature", async (t) => {
  const versionInfo = makeVersionInfo("1.0.0");

-  t.false(isSupportedToolsFeature(versionInfo, ToolsFeature.ForceOverwrite));
+  t.false(
+    isSupportedToolsFeature(versionInfo, ToolsFeature.BundleSupportsOverlay),
+  );

-  versionInfo.features = { forceOverwrite: true };
+  versionInfo.features = { bundleSupportsOverlay: true };

-  t.true(isSupportedToolsFeature(versionInfo, ToolsFeature.ForceOverwrite));
+  t.true(
+    isSupportedToolsFeature(versionInfo, ToolsFeature.BundleSupportsOverlay),
+  );
 });
@@ -6,8 +6,6 @@ export enum ToolsFeature {
  BuiltinExtractorsSpecifyDefaultQueries = "builtinExtractorsSpecifyDefaultQueries",
  BundleSupportsIncludeOption = "bundleSupportsIncludeOption",
  BundleSupportsOverlay = "bundleSupportsOverlay",
-  DatabaseInterpretResultsSupportsSarifRunProperty = "databaseInterpretResultsSupportsSarifRunProperty",
-  ForceOverwrite = "forceOverwrite",
  IndirectTracingSupportsStaticBinaries = "indirectTracingSupportsStaticBinaries",
  SuppressesMissingFileBaselineWarning = "suppressesMissingFileBaselineWarning",
 }
@@ -12,7 +12,7 @@ import { EnvVar } from "./environment";
 import { getActionsLogger, withGroup } from "./logging";
 import { checkGitHubVersionInRange, getErrorMessage } from "./util";

-async function runWrapper() {
+export async function runWrapper() {
  // To capture errors appropriately, keep as much code within the try-catch as
  // possible, and only use safe functions outside.

@@ -48,5 +48,3 @@ async function runWrapper() {
    );
  }
 }
-
-void runWrapper();
@@ -165,7 +165,7 @@ async function run(startedAt: Date) {
  }
 }

-async function runWrapper() {
+export async function runWrapper() {
  const startedAt = new Date();
  const logger = getActionsLogger();
  try {
@@ -182,5 +182,3 @@ async function runWrapper() {
    );
  }
 }
-
-void runWrapper();
@@ -418,9 +418,7 @@ for (const [
    `checkActionVersion ${reportErrorDescription} for ${versionsDescription}`,
    async (t) => {
      const warningSpy = sinon.spy(core, "warning");
-      const versionStub = sinon
-        .stub(api, "getGitHubVersion")
-        .resolves(githubVersion);
+      sinon.stub(api, "getGitHubVersion").resolves(githubVersion);

      // call checkActionVersion twice and assert below that warning is reported only once
      util.checkActionVersion(version, await api.getGitHubVersion());
@@ -437,7 +435,6 @@ for (const [
      } else {
        t.false(warningSpy.called);
      }
-      versionStub.restore();
    },
  );
 }
@@ -30,5 +30,5 @@ outputs:
    description: A stringified JSON array of objects containing the types and URLs of the configured registries.
 runs:
  using: node24
-  main: "../lib/start-proxy-action.js"
-  post: "../lib/start-proxy-action-post.js"
+  main: "../lib/start-proxy-entry.js"
+  post: "../lib/start-proxy-post-entry.js"
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Michael B. Gale	3dc99aad86	Default to `StartProxyRemoveUnusedRegistries` behaviour	2026-05-18 16:17:15 +01:00
Henry Mercer	c8a3492b26	Merge pull request #3894 from github/henrymercer/require-codeql-2.19.4 Bump minimum CodeQL CLI version to 2.19.4	2026-05-18 14:55:40 +00:00
Henry Mercer	e94195c896	Move changelog note to right place	2026-05-18 14:27:03 +01:00
Henry Mercer	05e8f288eb	Merge branch 'main' into henrymercer/require-codeql-2.19.4	2026-05-15 18:13:43 +01:00
Michael B. Gale	b71f5aebfc	Merge pull request #3898 from github/dependabot/npm_and_yarn/sinon-22.0.0 Bump sinon from 21.1.2 to 22.0.0	2026-05-15 14:58:30 +00:00
Henry Mercer	2365a46087	Merge pull request #3908 from github/henrymercer/token-stdin Update scripts to read tokens more securely	2026-05-15 14:54:00 +00:00
Henry Mercer	cf51dca1af	Merge pull request #3893 from github/henrymercer/sha256 Add support for SHA-256 Git object IDs	2026-05-15 14:53:55 +00:00
Michael B. Gale	b30a935ea5	Merge branch 'main' into dependabot/npm_and_yarn/sinon-22.0.0	2026-05-15 15:42:13 +01:00
Henry Mercer	5b815f25ca	Merge branch 'main' into henrymercer/sha256	2026-05-15 14:58:14 +01:00
Henry Mercer	93c8a9ed99	Update `update-release-branch.py` to take token from stdin	2026-05-15 14:53:43 +01:00
Henry Mercer	2a02de1a14	Read token from stdin in `sync-checks.ts` Also allow specifying the token using an environment variable.	2026-05-15 14:53:43 +01:00
Henry Mercer	67f403822c	Merge pull request #3903 from github/henrymercer/macos-larger-runners PR checks: Run slowest macOS checks on larger runners	2026-05-15 13:32:01 +00:00
Michael B. Gale	bbef5ff663	Merge pull request #3904 from github/mbg/esbuild/split-follow-up Address review comments for #3899	2026-05-15 12:48:02 +00:00
Michael B. Gale	7187b6ecc7	Merge pull request #3906 from github/mergeback/v4.35.5-to-main-9e0d7b8d Mergeback v4.35.5 refs/heads/releases/v4 into main	2026-05-15 11:50:42 +00:00
github-actions[bot]	f1ce9f4421	Rebuild	2026-05-15 11:30:22 +00:00
github-actions[bot]	06c7e6fdd5	Update changelog and version after v4.35.5	2026-05-15 11:24:05 +00:00
Michael B. Gale	9e0d7b8d25	Merge pull request #3905 from github/update-v4.35.5-d4b485515 Merge main into releases/v4	2026-05-15 12:22:46 +01:00
Michael B. Gale	6d7d59927c	Add changelog entry for #3899	2026-05-15 11:58:39 +01:00
github-actions[bot]	51f7e38c69	Update changelog for v4.35.5	2026-05-15 10:48:24 +00:00
Henry Mercer	b43bb7bd69	Merge branch 'main' into henrymercer/sha256	2026-05-15 11:41:47 +01:00
Michael B. Gale	064674dfa3	Fix typo Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>	2026-05-15 11:35:47 +01:00
Michael B. Gale	ab5047bf8f	Add missing semicolons	2026-05-15 11:27:58 +01:00
Michael B. Gale	2320f9d058	"action" to "Action" in `build.mjs`	2026-05-15 11:26:51 +01:00
Michael B. Gale	46959216a2	Rename `analyze-action-env.test.ts` to `analyze-action.test.ts`	2026-05-15 11:25:12 +01:00
Michael B. Gale	9e1f914560	Merge `analyze-action-input` test into `analyze-action-env` file The tests still can't run in parallel so I had to change `test` to `test.serial`, which caused a bunch of formatting changes.	2026-05-15 11:24:28 +01:00
Michael B. Gale	db84cb5ccb	Remove outdated comments for `analyze-action` tests	2026-05-15 11:22:17 +01:00
Michael B. Gale	d4b485515e	Merge pull request #3899 from github/mbg/esbuild/split Reduce duplication across JS bundles by creating one bundle with smaller entry point wrappers	2026-05-15 10:11:56 +00:00
Henry Mercer	931147e852	Improve OS types and docs	2026-05-15 11:10:02 +01:00
Michael B. Gale	127de8117f	Merge remote-tracking branch 'origin/main' into mbg/esbuild/split	2026-05-14 19:14:01 +01:00
Michael B. Gale	7fde13f26a	Use src + basename in header to avoid issues on Windows	2026-05-14 19:10:19 +01:00
Michael B. Gale	dfa61e7305	Improve pattern matching and error handling	2026-05-14 18:36:41 +01:00
Michael B. Gale	52aafec073	Import and call `runWrapper` normally in `analyze` tests	2026-05-14 18:32:40 +01:00
Michael B. Gale	0d08c01f78	Auto-generate shared bundle	2026-05-14 18:27:46 +01:00
Henry Mercer	1b65777c19	Address review comments	2026-05-14 18:13:20 +01:00
Michael B. Gale	14085a675c	Auto-generate entry points	2026-05-14 18:13:01 +01:00
Henry Mercer	a32db48565	Move checks back to default runners These jobs are not rate-limiting so we don't need to run them on larger runners.	2026-05-14 17:57:11 +01:00
Henry Mercer	aa005faaad	PR checks: Run slowest macOS checks on larger runners	2026-05-14 17:29:44 +01:00
Henry Mercer	fcdf5dd4cf	Add PR checks shortcut to `package.json`	2026-05-14 17:22:02 +01:00
Henry Mercer	e8d3fa290e	Merge branch 'main' into henrymercer/sha256	2026-05-14 17:10:41 +01:00
Sam Robson	eb17ca4f4d	Merge pull request #3791 from github/sam-robson/overlay-fallback Fall back to non-overlay analysis when diff-informed analysis is unavailable	2026-05-14 15:41:25 +00:00
Sam Robson	a41c444cd9	Merge branch 'main' into sam-robson/overlay-fallback	2026-05-14 15:51:24 +01:00
Michael B. Gale	d7e50c23fe	Fix linter errors	2026-05-14 15:24:33 +01:00
Michael B. Gale	bb30f3132d	Avoid top-level promise in `analyze-action`	2026-05-14 15:14:03 +01:00
Henry Mercer	336884853e	Merge pull request #3901 from github/henrymercer/minify-test-debug-artifacts Minify test debug artifacts	2026-05-14 14:09:36 +00:00
Michael B. Gale	2f137c9dc6	Add remaining new entry points	2026-05-14 14:55:33 +01:00
Henry Mercer	4795ef8153	Remove now unnecessary test skipping	2026-05-14 14:47:33 +01:00
Michael B. Gale	f0489abddd	Update action specs for new entry points	2026-05-14 14:47:23 +01:00
Henry Mercer	2e202367c7	Reduce size of test debug artifacts	2026-05-14 14:47:13 +01:00
Sam Robson	9d7243005b	Merge remote-tracking branch 'origin/main' into sam-robson/overlay-fallback * origin/main: (40 commits) Bump the npm-minor group across 1 directory with 3 updates Bump actions/create-github-app-token Nit: Tweak JSDoc for `getRawLanguagesNoAutodetect` Enable only `code-scanning` Use overlay-aware version for code scanning exclusively Add changelog entry Rebuild Bump five transitive dependencies Throw error if multiple analysis kinds are specified Bump fast-xml-builder from 1.1.5 to 1.2.0 Improve tests Improve error message Remove dead code Remove `makeOverlayMatchFeatures` indirection Add JSDoc for `getRawLanguagesNoAutodetect` Enable overlay-aware version selection in `setup-codeql` Minor: Introduce constant to avoid duplication Improve changelog note Rebuild Update changelog and version after v4.35.4 ... # Conflicts: # lib/init-action.js # src/diff-informed-analysis-utils.test.ts	2026-05-14 13:39:44 +01:00
Michael B. Gale	237b03b3c3	WIP: Reduce bundle duplication	2026-05-14 12:47:34 +01:00
dependabot[bot]	d4eab006fa	Bump sinon from 21.1.2 to 22.0.0 Bumps [sinon](https://github.com/sinonjs/sinon) from 21.1.2 to 22.0.0. - [Release notes](https://github.com/sinonjs/sinon/releases) - [Changelog](https://github.com/sinonjs/sinon/blob/main/docs/changelog.md) - [Commits](https://github.com/sinonjs/sinon/compare/v21.1.2...v22.0.0) --- updated-dependencies: - dependency-name: sinon dependency-version: 22.0.0 dependency-type: direct:development update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>	2026-05-14 10:34:00 +00:00
Henry Mercer	3c8c0ae6cb	Remove unnecessary sinon `restore` calls	2026-05-13 18:53:33 +01:00
Henry Mercer	93d215d874	Merge branch 'main' into henrymercer/sha256	2026-05-13 18:44:38 +01:00
Henry Mercer	9c3aedb4cd	Update PR check testing matrix	2026-05-13 14:25:03 +01:00
Henry Mercer	a66f7bbb5a	Merge branch 'main' into henrymercer/sha256	2026-05-13 10:51:44 +01:00
Henry Mercer	b986640672	Add note about `CODEQL_VERSION_ZSTD_BUNDLE`	2026-05-12 19:26:23 +01:00
Henry Mercer	a333d64ec4	Remove `DatabaseInterpretResultsSupportsSarifRunProperty` tools feature This feature has been supported since CodeQL CLI v2.19.0	2026-05-12 19:26:21 +01:00
Henry Mercer	97fb30df6b	Remove `ForceOverwrite` tools feature This feature has been supported since CodeQL CLI v2.18.0, which is below the new minimum version.	2026-05-12 19:26:20 +01:00
Henry Mercer	d122da3c9f	Bump minimum CodeQL CLI version to 2.19.4	2026-05-12 19:26:20 +01:00
Henry Mercer	de3e561d12	Improve regex clarity	2026-05-12 19:06:04 +01:00
Henry Mercer	6a4e35fad9	Add support for SHA-256 Git object IDs	2026-05-12 18:24:21 +01:00
Sam Robson	9d6b456c59	Merge branch 'main' into sam-robson/overlay-fallback	2026-05-06 20:26:20 +01:00
Sam Robson	e259d26055	refactor: rename overlay-disabled reason and add changelog entry	2026-05-06 20:23:20 +01:00
Sam Robson	8ab64a211d	Merge branch 'main' into sam-robson/overlay-fallback	2026-05-01 16:35:49 +01:00
Sam Robson	f8b93c30a6	Merge branch 'main' into sam-robson/overlay-fallback	2026-05-01 11:28:43 +01:00
Sam Robson	80a72986d3	fix: re-import withGroupAsync in init-action.ts after merge	2026-04-30 16:48:45 +01:00
Sam Robson	e9e36aec74	test: drop codescanning-config-cli scenario for overlay without diff-informed	2026-04-30 16:39:05 +01:00
Sam Robson	4ed52dcbfa	Merge branch 'main' into sam-robson/overlay-fallback	2026-04-30 16:24:23 +01:00
Sam Robson	3cc8dd3e59	refactor: report missing PR diff ranges via OverlayDisabledReason and disable overlay	2026-04-30 16:12:30 +01:00
Sam Robson	5ded561dcd	Merge branch 'main' into sam-robson/overlay-fallback	2026-04-24 06:39:07 +01:00
Sam Robson	faca00d3ae	refactor: address review feedback on overlay fallback	2026-04-23 20:38:10 +01:00
Sam Robson	5d1c58464f	refactor: fall back to non-overlay analysis when diff-informed analysis is unavailable	2026-04-23 12:10:22 +01:00