Adjust retry configuration and add comment

Configure the API client to retry more often when in test mode
Merge pull request #3133 from github/dependabot/npm_and_yarn/npm-4684794bae
2026-05-09 23:30:28 +00:00 · 2025-09-23 12:59:21 +01:00 · 2025-09-23 10:18:39 +01:00 · 2025-09-23 09:34:15 +01:00 · 2025-09-22 17:08:30 +00:00 · 2025-09-22 17:07:06 +00:00
158 changed files with 5564 additions and 2798 deletions
@@ -2,7 +2,7 @@ name: "Prepare test"
 description: Performs some preparation to run tests
 inputs:
  version:
-    description: "The version of the CodeQL CLI to use. Can be 'linked', 'default', 'nightly-latest', 'nightly-YYYYMMDD', or 'stable-vX.Y.Z"
+    description: "The version of the CodeQL CLI to use. Can be 'linked', 'default', 'nightly', 'nightly-latest', 'nightly-YYYYMMDD', or 'stable-vX.Y.Z"
    required: true
  use-all-platform-bundle:
    description: "If true, we output a tools URL with codeql-bundle.tar.gz file rather than platform-specific URL"
@@ -35,7 +35,10 @@ runs:
      run: |
        set -e # Fail this Action if `gh release list` fails.

-        if [[ "$VERSION" == "linked" ]]; then
+        if [[ "$VERSION" == "nightly" || "$VERSION" == "nightly-latest" ]]; then
+          echo "tools-url=nightly" >> "$GITHUB_OUTPUT"
+          exit 0
+        elif [[ "$VERSION" == "linked" ]]; then
          echo "tools-url=linked" >> "$GITHUB_OUTPUT"
          exit 0
        elif [[ "$VERSION" == "default" ]]; then
@@ -43,29 +46,20 @@ runs:
          exit 0
        fi

-        if [[ "$VERSION" == "nightly-latest" && "$RUNNER_OS" != "Windows" ]]; then
-          extension="tar.zst"
-        else
-          extension="tar.gz"
-        fi
-
        if [[ "$USE_ALL_PLATFORM_BUNDLE" == "true" ]]; then
-          artifact_name="codeql-bundle.$extension"
+          artifact_name="codeql-bundle.tar.gz"
        elif [[ "$RUNNER_OS" == "Linux" ]]; then
-          artifact_name="codeql-bundle-linux64.$extension"
+          artifact_name="codeql-bundle-linux64.tar.gz"
        elif [[ "$RUNNER_OS" == "macOS" ]]; then
-          artifact_name="codeql-bundle-osx64.$extension"
+          artifact_name="codeql-bundle-osx64.tar.gz"
        elif [[ "$RUNNER_OS" == "Windows" ]]; then
-          artifact_name="codeql-bundle-win64.$extension"
+          artifact_name="codeql-bundle-win64.tar.gz"
        else
          echo "::error::Unrecognized OS $RUNNER_OS"
          exit 1
        fi

-        if [[ "$VERSION" == "nightly-latest" ]]; then
-          tag=`gh release list --repo dsp-testing/codeql-cli-nightlies -L 1 | cut -f 3`
-          echo "tools-url=https://github.com/dsp-testing/codeql-cli-nightlies/releases/download/$tag/$artifact_name" >> $GITHUB_OUTPUT
-        elif [[ "$VERSION" == *"nightly"* ]]; then
+        if [[ "$VERSION" == *"nightly"* ]]; then
          version=`echo "$VERSION" | sed -e 's/^.*\-//'`
          echo "tools-url=https://github.com/dsp-testing/codeql-cli-nightlies/releases/download/codeql-bundle-$version/$artifact_name" >> $GITHUB_OUTPUT
        elif [[ "$VERSION" == *"stable"* ]]; then
@@ -1,4 +0,0 @@
-# Configuration for the CodeQL Actions Queries
-name: "CodeQL Actions Queries config"
-queries:
-  - uses: security-and-quality
@@ -7,9 +7,9 @@ queries:
  # we include both even though one is a superset of the
  # other, because we're testing the parsing logic and
  # that the suites exist in the codeql bundle.
+  - uses: security-and-quality
  - uses: security-experimental
  - uses: security-extended
-  - uses: security-and-quality
 paths-ignore:
-  - tests
  - lib
+  - tests
@@ -34,6 +34,12 @@ on:
        description: The version of Go to install
        required: false
        default: '>=1.21.0'
+defaults:
+  run:
+    shell: bash
+concurrency:
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
  all-platform-bundle:
    strategy:
@@ -70,7 +76,6 @@ jobs:
          languages: cpp,csharp,go,java,javascript,python,ruby
          tools: ${{ steps.prepare-test.outputs.tools-url }}
      - name: Build code
-        shell: bash
        run: ./build.sh
      - uses: ./../action/analyze
    env:
@@ -34,6 +34,12 @@ on:
        description: The version of Go to install
        required: false
        default: '>=1.21.0'
+defaults:
+  run:
+    shell: bash
+concurrency:
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
  analyze-ref-input:
    strategy:
@@ -74,7 +80,6 @@ jobs:
          config-file: ${{ github.repository }}/tests/multi-language-repo/.github/codeql/custom-queries.yml@${{
            github.sha }}
      - name: Build code
-        shell: bash
        run: ./build.sh
      - uses: ./../action/analyze
        with:
@@ -24,6 +24,12 @@ on:
    inputs: {}
  workflow_call:
    inputs: {}
+defaults:
+  run:
+    shell: bash
+concurrency:
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
  autobuild-action:
    strategy:
@@ -67,7 +73,6 @@ jobs:
          CORECLR_PROFILER_PATH_64: ''
      - uses: ./../action/analyze
      - name: Check database
-        shell: bash
        run: |
          cd "$RUNNER_TEMP/codeql_databases"
          if [[ ! -d csharp ]]; then
@@ -34,6 +34,12 @@ on:
        description: The version of Java to install
        required: false
        default: '17'
+defaults:
+  run:
+    shell: bash
+concurrency:
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
  autobuild-direct-tracing-with-working-dir:
    strategy:
@@ -70,7 +76,6 @@ jobs:
          java-version: ${{ inputs.java-version || '17' }}
          distribution: temurin
      - name: Test setup
-        shell: bash
        run: |
          # Make sure that Gradle build succeeds in autobuild-dir ...
          cp -a ../action/tests/java-repo autobuild-dir
@@ -82,7 +87,6 @@ jobs:
          languages: java
          tools: ${{ steps.prepare-test.outputs.tools-url }}
      - name: Check that indirect tracing is disabled
-        shell: bash
        run: |
          if [[ ! -z "${CODEQL_RUNNER}" ]]; then
            echo "Expected indirect tracing to be disabled, but the" \
@@ -34,6 +34,12 @@ on:
        description: The version of Java to install
        required: false
        default: '17'
+defaults:
+  run:
+    shell: bash
+concurrency:
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
  autobuild-direct-tracing:
    strategy:
@@ -70,7 +76,6 @@ jobs:
          java-version: ${{ inputs.java-version || '17' }}
          distribution: temurin
      - name: Set up Java test repo configuration
-        shell: bash
        run: |
          mv * .github ../action/tests/multi-language-repo/
          mv ../action/tests/multi-language-repo/.github/workflows .github
@@ -85,7 +90,6 @@ jobs:
          tools: ${{ steps.prepare-test.outputs.tools-url }}

      - name: Check that indirect tracing is disabled
-        shell: bash
        run: |
          if [[ ! -z "${CODEQL_RUNNER}" ]]; then
            echo "Expected indirect tracing to be disabled, but the" \
@@ -24,6 +24,12 @@ on:
    inputs: {}
  workflow_call:
    inputs: {}
+defaults:
+  run:
+    shell: bash
+concurrency:
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
  build-mode-autobuild:
    strategy:
@@ -34,6 +34,12 @@ on:
        description: The version of Go to install
        required: false
        default: '>=1.21.0'
+defaults:
+  run:
+    shell: bash
+concurrency:
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
  build-mode-manual:
    strategy:
@@ -81,7 +87,6 @@ jobs:
          fi

      - name: Build code
-        shell: bash
        run: ./build.sh

      - uses: ./../action/analyze
@@ -24,6 +24,12 @@ on:
    inputs: {}
  workflow_call:
    inputs: {}
+defaults:
+  run:
+    shell: bash
+concurrency:
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
  build-mode-none:
    strategy:
@@ -24,6 +24,12 @@ on:
    inputs: {}
  workflow_call:
    inputs: {}
+defaults:
+  run:
+    shell: bash
+concurrency:
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
  build-mode-rollback:
    strategy:
@@ -24,6 +24,12 @@ on:
    inputs: {}
  workflow_call:
    inputs: {}
+defaults:
+  run:
+    shell: bash
+concurrency:
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
  bundle-toolcache:
    strategy:
@@ -24,6 +24,12 @@ on:
    inputs: {}
  workflow_call:
    inputs: {}
+defaults:
+  run:
+    shell: bash
+concurrency:
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
  bundle-zstd:
    strategy:
@@ -24,6 +24,12 @@ on:
    inputs: {}
  workflow_call:
    inputs: {}
+defaults:
+  run:
+    shell: bash
+concurrency:
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
  cleanup-db-cluster-dir:
    strategy:
@@ -24,6 +24,12 @@ on:
    inputs: {}
  workflow_call:
    inputs: {}
+defaults:
+  run:
+    shell: bash
+concurrency:
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
  config-export:
    strategy:
@@ -24,6 +24,12 @@ on:
    inputs: {}
  workflow_call:
    inputs: {}
+defaults:
+  run:
+    shell: bash
+concurrency:
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
  config-input:
    strategy:
@@ -24,6 +24,12 @@ on:
    inputs: {}
  workflow_call:
    inputs: {}
+defaults:
+  run:
+    shell: bash
+concurrency:
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
  cpp-deptrace-disabled:
    strategy:
@@ -53,7 +59,6 @@ jobs:
          use-all-platform-bundle: 'false'
          setup-kotlin: 'true'
      - name: Test setup
-        shell: bash
        run: |
          cp -a ../action/tests/cpp-autobuild autobuild-dir
      - uses: ./../action/init
@@ -65,8 +70,7 @@ jobs:
          working-directory: autobuild-dir
        env:
          CODEQL_EXTRACTOR_CPP_AUTOINSTALL_DEPENDENCIES: false
-      - shell: bash
-        run: |
+      - run: |
          if ls /usr/bin/errno; then
            echo "C/C++ autobuild installed errno, but it should not have since auto-install dependencies is disabled."
            exit 1
@@ -24,6 +24,12 @@ on:
    inputs: {}
  workflow_call:
    inputs: {}
+defaults:
+  run:
+    shell: bash
+concurrency:
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
  cpp-deptrace-enabled-on-macos:
    strategy:
@@ -51,7 +57,6 @@ jobs:
          use-all-platform-bundle: 'false'
          setup-kotlin: 'true'
      - name: Test setup
-        shell: bash
        run: |
          cp -a ../action/tests/cpp-autobuild autobuild-dir
      - uses: ./../action/init
@@ -63,8 +68,7 @@ jobs:
          working-directory: autobuild-dir
        env:
          CODEQL_EXTRACTOR_CPP_AUTOINSTALL_DEPENDENCIES: true
-      - shell: bash
-        run: |
+      - run: |
          if ! ls /usr/bin/errno; then
            echo "As expected, CODEQL_EXTRACTOR_CPP_AUTOINSTALL_DEPENDENCIES is a no-op on macOS"
          else
@@ -24,6 +24,12 @@ on:
    inputs: {}
  workflow_call:
    inputs: {}
+defaults:
+  run:
+    shell: bash
+concurrency:
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
  cpp-deptrace-enabled:
    strategy:
@@ -53,7 +59,6 @@ jobs:
          use-all-platform-bundle: 'false'
          setup-kotlin: 'true'
      - name: Test setup
-        shell: bash
        run: |
          cp -a ../action/tests/cpp-autobuild autobuild-dir
      - uses: ./../action/init
@@ -65,8 +70,7 @@ jobs:
          working-directory: autobuild-dir
        env:
          CODEQL_EXTRACTOR_CPP_AUTOINSTALL_DEPENDENCIES: true
-      - shell: bash
-        run: |
+      - run: |
          if ! ls /usr/bin/errno; then
            echo "Did not autoinstall errno"
            exit 1
@@ -24,6 +24,12 @@ on:
    inputs: {}
  workflow_call:
    inputs: {}
+defaults:
+  run:
+    shell: bash
+concurrency:
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
  diagnostics-export:
    strategy:
@@ -64,7 +70,6 @@ jobs:
          languages: javascript
          tools: ${{ steps.prepare-test.outputs.tools-url }}
      - name: Add test diagnostics
-        shell: bash
        env:
          CODEQL_PATH: ${{ steps.init.outputs.codeql-path }}
        run: |
@@ -34,6 +34,12 @@ on:
        description: The version of Go to install
        required: false
        default: '>=1.21.0'
+defaults:
+  run:
+    shell: bash
+concurrency:
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
  export-file-baseline-information:
    strategy:
@@ -73,7 +79,6 @@ jobs:
          languages: javascript
          tools: ${{ steps.prepare-test.outputs.tools-url }}
      - name: Build code
-        shell: bash
        run: ./build.sh
      - uses: ./../action/analyze
        with:
@@ -85,7 +90,6 @@ jobs:
          path: ${{ runner.temp }}/results/javascript.sarif
          retention-days: 7
      - name: Check results
-        shell: bash
        run: |
          cd "$RUNNER_TEMP/results"
          expected_baseline_languages="c csharp go java kotlin javascript python ruby"
@@ -24,6 +24,12 @@ on:
    inputs: {}
  workflow_call:
    inputs: {}
+defaults:
+  run:
+    shell: bash
+concurrency:
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
  extractor-ram-threads:
    strategy:
@@ -54,7 +60,6 @@ jobs:
          ram: 230
          threads: 1
      - name: Assert Results
-        shell: bash
        run: |
          if [ "${CODEQL_RAM}" != "230" ]; then
            echo "CODEQL_RAM is '${CODEQL_RAM}' instead of 230"
@@ -34,6 +34,12 @@ on:
        description: The version of Go to install
        required: false
        default: '>=1.21.0'
+defaults:
+  run:
+    shell: bash
+concurrency:
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
  go-custom-queries:
    strategy:
@@ -71,7 +77,6 @@ jobs:
          config-file: ./.github/codeql/custom-queries.yml
          tools: ${{ steps.prepare-test.outputs.tools-url }}
      - name: Build code
-        shell: bash
        run: ./build.sh
      - uses: ./../action/analyze
    env:
@@ -34,6 +34,12 @@ on:
        description: The version of Go to install
        required: false
        default: '>=1.21.0'
+defaults:
+  run:
+    shell: bash
+concurrency:
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
  go-indirect-tracing-workaround-diagnostic:
    strategy:
@@ -72,7 +78,6 @@ jobs:
        with:
          go-version: '1.20'
      - name: Build code
-        shell: bash
        run: go build main.go
      - uses: ./../action/analyze
        with:
@@ -34,6 +34,12 @@ on:
        description: The version of Go to install
        required: false
        default: '>=1.21.0'
+defaults:
+  run:
+    shell: bash
+concurrency:
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
  go-indirect-tracing-workaround-no-file-program:
    strategy:
@@ -73,7 +79,6 @@ jobs:
          languages: go
          tools: ${{ steps.prepare-test.outputs.tools-url }}
      - name: Build code
-        shell: bash
        run: go build main.go
      - uses: ./../action/analyze
        with:
@@ -34,6 +34,12 @@ on:
        description: The version of Go to install
        required: false
        default: '>=1.21.0'
+defaults:
+  run:
+    shell: bash
+concurrency:
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
  go-indirect-tracing-workaround:
    strategy:
@@ -68,11 +74,9 @@ jobs:
          languages: go
          tools: ${{ steps.prepare-test.outputs.tools-url }}
      - name: Build code
-        shell: bash
        run: go build main.go
      - uses: ./../action/analyze
-      - shell: bash
-        run: |
+      - run: |
          if [[ -z "${CODEQL_ACTION_GO_BINARY}" ]]; then
            echo "Expected the workaround for indirect tracing of static binaries to trigger, but the" \
              "CODEQL_ACTION_GO_BINARY environment variable is not set."
@@ -34,6 +34,12 @@ on:
        description: The version of Go to install
        required: false
        default: '>=1.21.0'
+defaults:
+  run:
+    shell: bash
+concurrency:
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
  go-tracing-autobuilder:
    strategy:
@@ -60,6 +66,10 @@ jobs:
            version: stable-v2.21.4
          - os: macos-latest
            version: stable-v2.21.4
+          - os: ubuntu-latest
+            version: stable-v2.22.4
+          - os: macos-latest
+            version: stable-v2.22.4
          - os: ubuntu-latest
            version: default
          - os: macos-latest
@@ -99,8 +109,7 @@ jobs:
          tools: ${{ steps.prepare-test.outputs.tools-url }}
      - uses: ./../action/autobuild
      - uses: ./../action/analyze
-      - shell: bash
-        run: |
+      - run: |
          if [[ "${CODEQL_ACTION_DID_AUTOBUILD_GOLANG}" != true ]]; then
            echo "Expected the Go autobuilder to be run, but the" \
              "CODEQL_ACTION_DID_AUTOBUILD_GOLANG environment variable was not true."
@@ -34,6 +34,12 @@ on:
        description: The version of Go to install
        required: false
        default: '>=1.21.0'
+defaults:
+  run:
+    shell: bash
+concurrency:
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
  go-tracing-custom-build-steps:
    strategy:
@@ -60,6 +66,10 @@ jobs:
            version: stable-v2.21.4
          - os: macos-latest
            version: stable-v2.21.4
+          - os: ubuntu-latest
+            version: stable-v2.22.4
+          - os: macos-latest
+            version: stable-v2.22.4
          - os: ubuntu-latest
            version: default
          - os: macos-latest
@@ -98,11 +108,9 @@ jobs:
          languages: go
          tools: ${{ steps.prepare-test.outputs.tools-url }}
      - name: Build code
-        shell: bash
        run: go build main.go
      - uses: ./../action/analyze
-      - shell: bash
-        run: |
+      - run: |
          # Once we start running Bash 4.2 in all environments, we can replace the
          # `! -z` flag with the more elegant `-v` which confirms that the variable
          # is actually unset and not potentially set to a blank value.
@@ -34,6 +34,12 @@ on:
        description: The version of Go to install
        required: false
        default: '>=1.21.0'
+defaults:
+  run:
+    shell: bash
+concurrency:
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
  go-tracing-legacy-workflow:
    strategy:
@@ -60,6 +66,10 @@ jobs:
            version: stable-v2.21.4
          - os: macos-latest
            version: stable-v2.21.4
+          - os: ubuntu-latest
+            version: stable-v2.22.4
+          - os: macos-latest
+            version: stable-v2.22.4
          - os: ubuntu-latest
            version: default
          - os: macos-latest
@@ -98,8 +108,7 @@ jobs:
          languages: go
          tools: ${{ steps.prepare-test.outputs.tools-url }}
      - uses: ./../action/analyze
-      - shell: bash
-        run: |
+      - run: |
          cd "$RUNNER_TEMP/codeql_databases"
          if [[ ! -d go ]]; then
            echo "Did not find a Go database"
@@ -24,6 +24,12 @@ on:
    inputs: {}
  workflow_call:
    inputs: {}
+defaults:
+  run:
+    shell: bash
+concurrency:
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
  init-with-registries:
    strategy:
@@ -78,7 +84,6 @@ jobs:
              token: "${{ secrets.GITHUB_TOKEN }}"

      - name: Verify packages installed
-        shell: bash
        run: |
          PRIVATE_PACK="$HOME/.codeql/packages/codeql-testing/private-pack"
          CODEQL_PACK1="$HOME/.codeql/packages/codeql-testing/codeql-pack1"
@@ -100,7 +105,6 @@ jobs:
          fi

      - name: Verify qlconfig.yml file was created
-        shell: bash
        run: |
          QLCONFIG_PATH=$RUNNER_TEMP/qlconfig.yml
          echo "Expected qlconfig.yml file to be created at $QLCONFIG_PATH"
@@ -115,7 +119,6 @@ jobs:
      - name: Verify contents of qlconfig.yml
    # yq is not available on windows
        if: runner.os != 'Windows'
-        shell: bash
        run: |
          QLCONFIG_PATH=$RUNNER_TEMP/qlconfig.yml
          cat $QLCONFIG_PATH | yq -e '.registries[] | select(.url == "https://ghcr.io/v2/") | select(.packages == "*/*")'
@@ -24,6 +24,12 @@ on:
    inputs: {}
  workflow_call:
    inputs: {}
+defaults:
+  run:
+    shell: bash
+concurrency:
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
  javascript-source-root:
    strategy:
@@ -53,7 +59,6 @@ jobs:
          use-all-platform-bundle: 'false'
          setup-kotlin: 'true'
      - name: Move codeql-action
-        shell: bash
        run: |
          mkdir ../new-source-root
          mv * ../new-source-root
@@ -66,7 +71,6 @@ jobs:
        with:
          skip-queries: true
      - name: Assert database exists
-        shell: bash
        run: |
          cd "$RUNNER_TEMP/codeql_databases"
          if [[ ! -d javascript ]]; then
@@ -24,6 +24,12 @@ on:
    inputs: {}
  workflow_call:
    inputs: {}
+defaults:
+  run:
+    shell: bash
+concurrency:
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
  job-run-uuid-sarif:
    strategy:
@@ -63,7 +69,6 @@ jobs:
          path: ${{ runner.temp }}/results/javascript.sarif
          retention-days: 7
      - name: Check results
-        shell: bash
        run: |
          cd "$RUNNER_TEMP/results"
          actual=$(jq -r '.runs[0].properties.jobRunUuid' javascript.sarif)
@@ -24,6 +24,12 @@ on:
    inputs: {}
  workflow_call:
    inputs: {}
+defaults:
+  run:
+    shell: bash
+concurrency:
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
  language-aliases:
    strategy:
@@ -34,6 +34,12 @@ on:
        description: The version of Go to install
        required: false
        default: '>=1.21.0'
+defaults:
+  run:
+    shell: bash
+concurrency:
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
  multi-language-autodetect:
    strategy:
@@ -60,6 +66,10 @@ jobs:
            version: stable-v2.21.4
          - os: ubuntu-latest
            version: stable-v2.21.4
+          - os: macos-latest
+            version: stable-v2.22.4
+          - os: ubuntu-latest
+            version: stable-v2.22.4
          - os: macos-latest
            version: default
          - os: ubuntu-latest
@@ -94,7 +104,6 @@ jobs:
          go-version: ${{ inputs.go-version || '>=1.21.0' }}
          cache: false
      - name: Use Xcode 16
-        shell: bash
        if: runner.os == 'macOS' && matrix.version != 'nightly-latest'
        run: sudo xcode-select -s "/Applications/Xcode_16.app"

@@ -107,7 +116,6 @@ jobs:
          tools: ${{ steps.prepare-test.outputs.tools-url }}

      - name: Build code
-        shell: bash
        run: ./build.sh

      - uses: ./../action/analyze
@@ -116,7 +124,6 @@ jobs:
          upload-database: false

      - name: Check language autodetect for all languages excluding Swift
-        shell: bash
        run: |
          CPP_DB=${{ fromJson(steps.analysis.outputs.db-locations).cpp }}
          if [[ ! -d $CPP_DB ]] || [[ ! $CPP_DB == ${{ runner.temp }}/customDbLocation/* ]]; then
@@ -156,7 +163,6 @@ jobs:

      - name: Check language autodetect for Swift on macOS
        if: runner.os == 'macOS'
-        shell: bash
        run: |
          SWIFT_DB=${{ fromJson(steps.analysis.outputs.db-locations).swift }}
          if [[ ! -d $SWIFT_DB ]] || [[ ! $SWIFT_DB == ${{ runner.temp }}/customDbLocation/* ]]; then
@@ -24,6 +24,12 @@ on:
    inputs: {}
  workflow_call:
    inputs: {}
+defaults:
+  run:
+    shell: bash
+concurrency:
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
  overlay-init-fallback:
    strategy:
@@ -61,7 +67,6 @@ jobs:
        with:
          upload-database: false
      - name: Check database
-        shell: bash
        run: |
          cd "$RUNNER_TEMP/codeql_databases/actions"
          if ! grep -q 'overlayBaseDatabase: false' codeql-database.yml ; then
@@ -34,6 +34,12 @@ on:
        description: The version of Go to install
        required: false
        default: '>=1.21.0'
+defaults:
+  run:
+    shell: bash
+concurrency:
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
  packaging-codescanning-config-inputs-js:
    strategy:
@@ -93,7 +99,6 @@ jobs:
          languages: javascript
          tools: ${{ steps.prepare-test.outputs.tools-url }}
      - name: Build code
-        shell: bash
        run: ./build.sh
      - uses: ./../action/analyze
        with:
@@ -109,7 +114,6 @@ jobs:
          queries-not-run: foo,bar

      - name: Assert Results
-        shell: bash
        run: |
          cd "$RUNNER_TEMP/results"
          # We should have 4 hits from these rules
@@ -34,6 +34,12 @@ on:
        description: The version of Go to install
        required: false
        default: '>=1.21.0'
+defaults:
+  run:
+    shell: bash
+concurrency:
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
  packaging-config-inputs-js:
    strategy:
@@ -93,7 +99,6 @@ jobs:
          languages: javascript
          tools: ${{ steps.prepare-test.outputs.tools-url }}
      - name: Build code
-        shell: bash
        run: ./build.sh
      - uses: ./../action/analyze
        with:
@@ -109,7 +114,6 @@ jobs:
          queries-not-run: foo,bar

      - name: Assert Results
-        shell: bash
        run: |
          cd "$RUNNER_TEMP/results"
          # We should have 4 hits from these rules
@@ -34,6 +34,12 @@ on:
        description: The version of Go to install
        required: false
        default: '>=1.21.0'
+defaults:
+  run:
+    shell: bash
+concurrency:
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
  packaging-config-js:
    strategy:
@@ -92,7 +98,6 @@ jobs:
          languages: javascript
          tools: ${{ steps.prepare-test.outputs.tools-url }}
      - name: Build code
-        shell: bash
        run: ./build.sh
      - uses: ./../action/analyze
        with:
@@ -108,7 +113,6 @@ jobs:
          queries-not-run: foo,bar

      - name: Assert Results
-        shell: bash
        run: |
          cd "$RUNNER_TEMP/results"
          # We should have 4 hits from these rules
@@ -34,6 +34,12 @@ on:
        description: The version of Go to install
        required: false
        default: '>=1.21.0'
+defaults:
+  run:
+    shell: bash
+concurrency:
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
  packaging-inputs-js:
    strategy:
@@ -93,7 +99,6 @@ jobs:
          packs: codeql-testing/codeql-pack1@1.0.0, codeql-testing/codeql-pack2, codeql-testing/codeql-pack3:other-query.ql
          tools: ${{ steps.prepare-test.outputs.tools-url }}
      - name: Build code
-        shell: bash
        run: ./build.sh
      - uses: ./../action/analyze
        with:
@@ -108,7 +113,6 @@ jobs:
          queries-not-run: foo,bar

      - name: Assert Results
-        shell: bash
        run: |
          cd "$RUNNER_TEMP/results"
          # We should have 4 hits from these rules
@@ -24,6 +24,12 @@ on:
    inputs: {}
  workflow_call:
    inputs: {}
+defaults:
+  run:
+    shell: bash
+concurrency:
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
  quality-queries:
    strategy:
@@ -34,6 +34,12 @@ on:
        description: The version of Go to install
        required: false
        default: '>=1.21.0'
+defaults:
+  run:
+    shell: bash
+concurrency:
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
  remote-config:
    strategy:
@@ -72,7 +78,6 @@ jobs:
          config-file: ${{ github.repository }}/tests/multi-language-repo/.github/codeql/custom-queries.yml@${{
            github.sha }}
      - name: Build code
-        shell: bash
        run: ./build.sh
      - uses: ./../action/analyze
    env:
@@ -24,6 +24,12 @@ on:
    inputs: {}
  workflow_call:
    inputs: {}
+defaults:
+  run:
+    shell: bash
+concurrency:
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
  resolve-environment-action:
    strategy:
@@ -24,6 +24,12 @@ on:
    inputs: {}
  workflow_call:
    inputs: {}
+defaults:
+  run:
+    shell: bash
+concurrency:
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
  rubocop-multi-language:
    strategy:
@@ -53,13 +59,10 @@ jobs:
        with:
          ruby-version: 2.6
      - name: Install Code Scanning integration
-        shell: bash
        run: bundle add code-scanning-rubocop --version 0.3.0 --skip-install
      - name: Install dependencies
-        shell: bash
        run: bundle install
      - name: RuboCop run
-        shell: bash
        run: |
          bash -c "
            bundle exec rubocop --require code_scanning --format CodeScanning::SarifFormatter -o rubocop.sarif
@@ -24,6 +24,12 @@ on:
    inputs: {}
  workflow_call:
    inputs: {}
+defaults:
+  run:
+    shell: bash
+concurrency:
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
  ruby:
    strategy:
@@ -67,7 +73,6 @@ jobs:
        with:
          upload-database: false
      - name: Check database
-        shell: bash
        run: |
          RUBY_DB="${{ fromJson(steps.analysis.outputs.db-locations).ruby }}"
          if [[ ! -d "$RUBY_DB" ]]; then
@@ -24,6 +24,12 @@ on:
    inputs: {}
  workflow_call:
    inputs: {}
+defaults:
+  run:
+    shell: bash
+concurrency:
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
  rust:
    strategy:
@@ -65,7 +71,6 @@ jobs:
        with:
          upload-database: false
      - name: Check database
-        shell: bash
        run: |
          RUST_DB="${{ fromJson(steps.analysis.outputs.db-locations).rust }}"
          if [[ ! -d "$RUST_DB" ]]; then
@@ -34,6 +34,12 @@ on:
        description: The version of Go to install
        required: false
        default: '>=1.21.0'
+defaults:
+  run:
+    shell: bash
+concurrency:
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
  split-workflow:
    strategy:
@@ -80,7 +86,6 @@ jobs:
          languages: javascript
          tools: ${{ steps.prepare-test.outputs.tools-url }}
      - name: Build code
-        shell: bash
        run: ./build.sh
      - uses: ./../action/analyze
        with:
@@ -89,7 +94,6 @@ jobs:
          upload-database: false

      - name: Assert No Results
-        shell: bash
        run: |
          if [ "$(ls -A $RUNNER_TEMP/results)" ]; then
            echo "Expected results directory to be empty after skipping query execution!"
@@ -100,7 +104,6 @@ jobs:
          output: ${{ runner.temp }}/results
          upload-database: false
      - name: Assert Results
-        shell: bash
        run: |
          cd "$RUNNER_TEMP/results"
          # We should have 4 hits from these rules
@@ -24,6 +24,12 @@ on:
    inputs: {}
  workflow_call:
    inputs: {}
+defaults:
+  run:
+    shell: bash
+concurrency:
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
  start-proxy:
    strategy:
@@ -24,6 +24,12 @@ on:
    inputs: {}
  workflow_call:
    inputs: {}
+defaults:
+  run:
+    shell: bash
+concurrency:
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
  submit-sarif-failure:
    strategy:
@@ -24,6 +24,12 @@ on:
    inputs: {}
  workflow_call:
    inputs: {}
+defaults:
+  run:
+    shell: bash
+concurrency:
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
  swift-autobuild:
    strategy:
@@ -55,7 +61,6 @@ jobs:
          build-mode: autobuild
          tools: ${{ steps.prepare-test.outputs.tools-url }}
      - name: Check working directory
-        shell: bash
        run: pwd
      - uses: ./../action/autobuild
        timeout-minutes: 30
@@ -64,7 +69,6 @@ jobs:
        with:
          upload-database: false
      - name: Check database
-        shell: bash
        run: |
          SWIFT_DB="${{ fromJson(steps.analysis.outputs.db-locations).swift }}"
          if [[ ! -d "$SWIFT_DB" ]]; then
@@ -34,6 +34,12 @@ on:
        description: The version of Go to install
        required: false
        default: '>=1.21.0'
+defaults:
+  run:
+    shell: bash
+concurrency:
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
  swift-custom-build:
    strategy:
@@ -68,7 +74,6 @@ jobs:
          go-version: ${{ inputs.go-version || '>=1.21.0' }}
          cache: false
      - name: Use Xcode 16
-        shell: bash
        if: runner.os == 'macOS' && matrix.version != 'nightly-latest'
        run: sudo xcode-select -s "/Applications/Xcode_16.app"
      - uses: ./../action/init
@@ -77,17 +82,14 @@ jobs:
          languages: swift
          tools: ${{ steps.prepare-test.outputs.tools-url }}
      - name: Check working directory
-        shell: bash
        run: pwd
      - name: Build code
-        shell: bash
        run: ./build.sh
      - uses: ./../action/analyze
        id: analysis
        with:
          upload-database: false
      - name: Check database
-        shell: bash
        run: |
          SWIFT_DB="${{ fromJson(steps.analysis.outputs.db-locations).swift }}"
          if [[ ! -d "$SWIFT_DB" ]]; then
@@ -24,6 +24,12 @@ on:
    inputs: {}
  workflow_call:
    inputs: {}
+defaults:
+  run:
+    shell: bash
+concurrency:
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
  test-autobuild-working-dir:
    strategy:
@@ -49,7 +55,6 @@ jobs:
          use-all-platform-bundle: 'false'
          setup-kotlin: 'true'
      - name: Test setup
-        shell: bash
        run: |
          # Make sure that Gradle build succeeds in autobuild-dir ...
          cp -a ../action/tests/java-repo autobuild-dir
@@ -64,7 +69,6 @@ jobs:
          working-directory: autobuild-dir
      - uses: ./../action/analyze
      - name: Check database
-        shell: bash
        run: |
          cd "$RUNNER_TEMP/codeql_databases"
          if [[ ! -d java ]]; then
@@ -34,6 +34,12 @@ on:
        description: The version of Go to install
        required: false
        default: '>=1.21.0'
+defaults:
+  run:
+    shell: bash
+concurrency:
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
  test-local-codeql:
    strategy:
@@ -41,7 +47,7 @@ jobs:
      matrix:
        include:
          - os: ubuntu-latest
-            version: nightly-latest
+            version: linked
    name: Local CodeQL bundle
    permissions:
      contents: read
@@ -63,12 +69,9 @@ jobs:
        with:
          go-version: ${{ inputs.go-version || '>=1.21.0' }}
          cache: false
-      - name: Fetch a CodeQL bundle
-        shell: bash
-        env:
-          CODEQL_URL: ${{ steps.prepare-test.outputs.tools-url }}
+      - name: Fetch latest CodeQL bundle
        run: |
-          wget "$CODEQL_URL"
+          wget https://github.com/github/codeql-action/releases/latest/download/codeql-bundle-linux64.tar.zst
      - id: init
        uses: ./../action/init
        with:
@@ -76,7 +79,6 @@ jobs:
          languages: cpp,csharp,go,java,javascript,python,ruby
          tools: ./codeql-bundle-linux64.tar.zst
      - name: Build code
-        shell: bash
        run: ./build.sh
      - uses: ./../action/analyze
    env:
@@ -24,6 +24,12 @@ on:
    inputs: {}
  workflow_call:
    inputs: {}
+defaults:
+  run:
+    shell: bash
+concurrency:
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
  test-proxy:
    strategy:
@@ -34,6 +34,12 @@ on:
        description: The version of Go to install
        required: false
        default: '>=1.21.0'
+defaults:
+  run:
+    shell: bash
+concurrency:
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
  unset-environment:
    strategy:
@@ -73,14 +79,12 @@ jobs:
          languages: cpp,csharp,go,java,javascript,python,ruby
          tools: ${{ steps.prepare-test.outputs.tools-url }}
      - name: Build code
-        shell: bash
        run: env -i PATH="$PATH" HOME="$HOME" ./build.sh
      - uses: ./../action/analyze
        id: analysis
        with:
          upload-database: false
-      - shell: bash
-        run: |
+      - run: |
          CPP_DB="${{ fromJson(steps.analysis.outputs.db-locations).cpp }}"
          if [[ ! -d "$CPP_DB" ]] || [[ ! "$CPP_DB" == "${RUNNER_TEMP}/customDbLocation/cpp" ]]; then
            echo "::error::Did not create a database for CPP, or created it in the wrong location." \
@@ -34,6 +34,12 @@ on:
        description: The version of Go to install
        required: false
        default: '>=1.21.0'
+defaults:
+  run:
+    shell: bash
+concurrency:
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
  upload-quality-sarif:
    strategy:
@@ -70,12 +76,9 @@ jobs:
      - uses: ./../action/init
        with:
          tools: ${{ steps.prepare-test.outputs.tools-url }}
-          languages: cpp,csharp,java,javascript,python
-          config-file: ${{ github.repository }}/tests/multi-language-repo/.github/codeql/custom-queries.yml@${{
-            github.sha }}
-          analysis-kinds: code-scanning,code-quality
+          languages: csharp,java,javascript,python
+          analysis-kinds: code-quality
      - name: Build code
-        shell: bash
        run: ./build.sh
  # Generate some SARIF we can upload with the upload-sarif step
      - uses: ./../action/analyze
@@ -84,8 +87,12 @@ jobs:
          sha: 5e235361806c361d4d3f8859e3c897658025a9a2
          upload: never
      - uses: ./../action/upload-sarif
+        id: upload-sarif
        with:
          ref: refs/heads/main
          sha: 5e235361806c361d4d3f8859e3c897658025a9a2
+      - name: Check output from `upload-sarif` step
+        if: fromJSON(steps.upload-sarif.outputs.sarif-ids)[0].analysis != 'code-quality'
+        run: exit 1
    env:
      CODEQL_ACTION_TEST_MODE: true
@@ -34,6 +34,12 @@ on:
        description: The version of Go to install
        required: false
        default: '>=1.21.0'
+defaults:
+  run:
+    shell: bash
+concurrency:
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
  upload-ref-sha-input:
    strategy:
@@ -74,7 +80,6 @@ jobs:
          config-file: ${{ github.repository }}/tests/multi-language-repo/.github/codeql/custom-queries.yml@${{
            github.sha }}
      - name: Build code
-        shell: bash
        run: ./build.sh
  # Generate some SARIF we can upload with the upload-sarif step
      - uses: ./../action/analyze
@@ -34,6 +34,12 @@ on:
        description: The version of Go to install
        required: false
        default: '>=1.21.0'
+defaults:
+  run:
+    shell: bash
+concurrency:
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
  with-checkout-path:
    strategy:
@@ -68,7 +74,6 @@ jobs:
          go-version: ${{ inputs.go-version || '>=1.21.0' }}
          cache: false
      - name: Delete original checkout
-        shell: bash
        run: |
          # delete the original checkout so we don't accidentally use it.
          # Actions does not support deleting the current working directory, so we
@@ -89,7 +94,6 @@ jobs:
          source-root: x/y/z/some-path/tests/multi-language-repo

      - name: Build code
-        shell: bash
        working-directory: x/y/z/some-path/tests/multi-language-repo
        run: |
          ./build.sh
@@ -101,7 +105,6 @@ jobs:
          sha: 474bbf07f9247ffe1856c6a0f94aeeb10e7afee6

      - name: Verify SARIF after upload
-        shell: bash
        run: |
          EXPECTED_COMMIT_OID="474bbf07f9247ffe1856c6a0f94aeeb10e7afee6"
          EXPECTED_REF="v1.1.0"
@@ -9,6 +9,10 @@ on:
    # by other workflows.
    types: [opened, synchronize, reopened, ready_for_review]

+defaults:
+  run:
+    shell: bash
+
 jobs:
  check-expected-release-files:
    runs-on: ubuntu-latest
@@ -13,6 +13,10 @@ on:
    - cron: '30 1 * * 0'
  workflow_dispatch:

+defaults:
+  run:
+    shell: bash
+
 env:
  CODEQL_ACTION_TESTING_ENVIRONMENT: codeql-action-pr-checks

@@ -91,22 +95,29 @@ jobs:
      id: init
      with:
        languages: javascript
-        config-file: ./.github/codeql/codeql-config.yml
+        config-file: ./.github/codeql/codeql-config-javascript.yml
        tools: ${{ matrix.tools }}
    # confirm steps.init.outputs.codeql-path points to the codeql binary
    - name: Print CodeQL Version
-      run: ${{steps.init.outputs.codeql-path}} version --format=json
+      run: >
+        "$CODEQL" version --format=json
+      env:
+        CODEQL: ${{steps.init.outputs.codeql-path}}
    - name: Perform CodeQL Analysis
      uses: ./analyze
      with:
        category: "/language:javascript"
+        upload: ${{ (matrix.os == 'ubuntu-24.04' && !matrix.tools && 'always') || 'never' }}

-
-  analyze-actions:
+  analyze-other:
    runs-on: ubuntu-latest

    strategy:
      fail-fast: false
+      matrix:
+        include:
+          - language: actions
+          - language: python

    permissions:
      contents: read
@@ -118,9 +129,15 @@ jobs:
    - name: Initialize CodeQL
      uses: ./init
      with:
-        languages: actions
-        config-file: ./.github/codeql/codeql-actions-config.yml
+        languages: ${{ matrix.language }}
+        build-mode: none
+        config: >
+          paths-ignore:
+            - lib
+            - tests
+          queries:
+            - uses: security-and-quality
    - name: Perform CodeQL Analysis
      uses: ./analyze
      with:
-        category: "/language:actions"
+        category: "/language:${{ matrix.language }}"
@@ -22,6 +22,10 @@ on:
    - cron: '0 5 * * *'
  workflow_dispatch: {}

+defaults:
+  run:
+    shell: bash
+
 jobs:
  code-scanning-config-tests:
    continue-on-error: true
@@ -17,6 +17,11 @@ on:
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch: {}
+
+defaults:
+  run:
+    shell: bash
+
 jobs:
  upload-artifacts:
    strategy:
@@ -55,7 +60,6 @@ jobs:
          debug-artifact-name: my-debug-artifacts
          debug-database-name: my-db
      - name: Build code
-        shell: bash
        run: ./build.sh
      - uses: ./../action/analyze
        id: analysis
@@ -75,7 +79,6 @@ jobs:
      - name: Download all artifacts
        uses: actions/download-artifact@v5
      - name: Check expected artifacts exist
-        shell: bash
        run: |
          LANGUAGES="cpp csharp go java javascript python"
          for version in $VERSIONS; do
@@ -16,6 +16,11 @@ on:
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch: {}
+
+defaults:
+  run:
+    shell: bash
+
 jobs:
  upload-artifacts:
    strategy:
@@ -54,7 +59,6 @@ jobs:
          # We manually exclude Swift from the languages list here, as it is not supported on Ubuntu
          languages: cpp,csharp,go,java,javascript,python,ruby
      - name: Build code
-        shell: bash
        run: ./build.sh
      - uses: ./../action/analyze
        id: analysis
@@ -69,7 +73,6 @@ jobs:
      - name: Download all artifacts
        uses: actions/download-artifact@v5
      - name: Check expected artifacts exist
-        shell: bash
        run: |
          VERSIONS="stable-v2.20.3 default linked nightly-latest"
          LANGUAGES="cpp csharp go java javascript python"
@@ -18,6 +18,10 @@ on:
    branches:
      - releases/v*

+defaults:
+  run:
+    shell: bash
+
 jobs:
  merge-back:
    runs-on: ubuntu-latest
@@ -8,6 +8,10 @@ on:
    types: [opened, synchronize, reopened, ready_for_review]
  workflow_dispatch:

+defaults:
+  run:
+    shell: bash
+
 jobs:
  unit-tests:
    name: Unit Tests
@@ -22,6 +26,10 @@ jobs:
    timeout-minutes: 45

    steps:
+      - name: Prepare git (Windows)
+        if: runner.os == 'Windows'
+        run: git config --global core.autocrlf false
+
      - uses: actions/checkout@v5
      
      - name: Set up Node.js
@@ -22,6 +22,10 @@ on:
    paths:
      - .github/workflows/prepare-release.yml

+defaults:
+  run:
+    shell: bash
+
 jobs:
  prepare:
    name: "Prepare release"
@@ -4,6 +4,10 @@ on:
  release:
    types: [published]

+defaults:
+  run:
+    shell: bash
+
 jobs:
  publish:
    runs-on: ubuntu-latest
@@ -12,6 +12,10 @@ on:
    - cron: '0 0 * * 1'
  workflow_dispatch:

+defaults:
+  run:
+    shell: bash
+
 jobs:
  test-setup-python-scripts:
    env:
@@ -15,6 +15,10 @@ on:
    - cron: '0 5 * * *'
  workflow_dispatch: {}

+defaults:
+  run:
+    shell: bash
+
 jobs:
  query-filters:
    name: Query Filters Tests
@@ -5,6 +5,10 @@ on:
    types: [labeled]
  workflow_dispatch:

+defaults:
+  run:
+    shell: bash
+
 jobs:
  rebuild:
    name: Rebuild Action
@@ -14,6 +14,10 @@ on:
      - .github/workflows/rollback-release.yml
      - .github/actions/prepare-mergeback-branch/**

+defaults:
+  run:
+    shell: bash
+
 jobs:
  prepare:
    name: "Prepare release"
@@ -53,7 +57,6 @@ jobs:

      - name: Create tag for testing
        if: github.event_name != 'workflow_dispatch'
-        shell: bash
        run: git tag v0.0.0

      # We start by preparing the mergeback branch, mainly so that we have the updated changelog
@@ -96,7 +99,6 @@ jobs:
          echo "::endgroup::"

      - name: Create tags
-        shell: bash
        env:
          # We usually expect to checkout `inputs.rollback-tag` (required for `workflow_dispatch`),
          # but use `v0.0.0` for testing.
@@ -111,7 +113,6 @@ jobs:
      - name: Push tags
        # skip when testing
        if: github.event_name == 'workflow_dispatch'
-        shell: bash
        env:
          RELEASE_TAG: ${{ needs.prepare.outputs.version }}
          MAJOR_VERSION_TAG: ${{ needs.prepare.outputs.major_version }}
@@ -160,7 +161,6 @@ jobs:
          echo "Created draft rollback release at $RELEASE_URL" >> $GITHUB_STEP_SUMMARY

      - name: Update changelog
-        shell: bash
        env:
          NEW_CHANGELOG: "${{ runner.temp }}/new_changelog.md"
          NEW_BRANCH: "${{ steps.mergeback-branch.outputs.new-branch }}"
@@ -1,6 +1,8 @@
 #!/usr/bin/env bash
 # Update the required checks based on the current branch.

+set -euo pipefail
+
 SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )"
 REPO_DIR="$(dirname "$SCRIPT_DIR")"
 GRANDPARENT_DIR="$(dirname "$REPO_DIR")"
@@ -31,6 +33,12 @@ CHECKS="$(gh api repos/github/codeql-action/commits/"${GITHUB_SHA}"/check-runs -

 echo "$CHECKS" | jq

+# Fail if there are no checks
+if [ -z "$CHECKS" ] || [ "$(echo "$CHECKS" | jq '. | length')" -eq 0 ]; then
+  echo "No checks found for $GITHUB_SHA"
+  exit 1
+fi
+
 echo "{\"contexts\": ${CHECKS}}" > checks.json

 echo "Updating main"
@@ -16,6 +16,9 @@ on:
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch: {}
+defaults:
+  run:
+    shell: bash
 jobs:
  test-codeql-bundle-all:
    strategy:
@@ -46,7 +49,6 @@ jobs:
        languages: cpp,csharp,go,java,javascript,python,ruby 
        tools: ${{ steps.prepare-test.outputs.tools-url }}
    - name: Build code
-      shell: bash
      run: ./build.sh
    - uses: ./../action/analyze
    env:
@@ -13,6 +13,10 @@ on:
    # to filter pre-release attribute.
    types: [published]

+defaults:
+  run:
+    shell: bash
+
 jobs:
  update-bundle:
    if: github.event.release.prerelease && startsWith(github.event.release.tag_name, 'codeql-bundle-')
@@ -7,6 +7,10 @@ on:
        type: string
        required: true

+defaults:
+  run:
+    shell: bash
+
 jobs:
  update:
    name: Update code and create PR
@@ -20,7 +24,6 @@ jobs:
    steps:
      - name: Check release tag format
        id: checks
-        shell: bash
        run: |
          if ! [[ $RELEASE_TAG =~ ^codeql-bundle-v[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
            echo "Invalid release tag: expected a CodeQL bundle tag in the 'codeql-bundle-vM.N.P' format."
@@ -30,7 +33,6 @@ jobs:
          echo "target_branch=dependency-proxy/$RELEASE_TAG" >> $GITHUB_OUTPUT

      - name: Check that the release exists
-        shell: bash
        env:
          GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
        run: |
@@ -46,20 +48,17 @@ jobs:
          ref: main

      - name: Update git config
-        shell: bash
        run: |
          git config --global user.email "41898282+github-actions[bot]@users.noreply.github.com"
          git config --global user.name "github-actions[bot]"

      - name: Update release tag and version
-        shell: bash
        run: |
          NOW=$(date +"%Y%m%d%H%M%S") # only used to make sure we don't fetch stale binaries from the toolcache
          sed -i "s|https://github.com/github/codeql-action/releases/download/codeql-bundle-v[0-9.]\+/|https://github.com/github/codeql-action/releases/download/$RELEASE_TAG/|g" ./src/start-proxy-action.ts
          sed -i "s/\"v2.0.[0-9]\+\"/\"v2.0.$NOW\"/g" ./src/start-proxy-action.ts

      - name: Compile TypeScript and commit changes
-        shell: bash
        env:
          TARGET_BRANCH: ${{ steps.checks.outputs.target_branch }}
        run: |
@@ -72,7 +71,6 @@ jobs:
          git commit -m "Update release used by \`start-proxy\` action"

      - name: Push changes and open PR
-        shell: bash
        env:
          GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
          TARGET_BRANCH: ${{ steps.checks.outputs.target_branch }}
@@ -11,6 +11,10 @@ on:
    branches:
      - releases/*

+defaults:
+  run:
+    shell: bash
+
 jobs:

  prepare:
@@ -5,6 +5,8 @@ See the [releases page](https://github.com/github/codeql-action/releases) for th
 ## [UNRELEASED]

 - We have improved the CodeQL Action's ability to validate that the workflow it is used in does not use different versions of the CodeQL Action for different workflow steps. Mixing different versions of the CodeQL Action in the same workflow is unsupported and can lead to unpredictable results. A warning will now be emitted from the `codeql-action/init` step if different versions of the CodeQL Action are detected in the workflow file. Additionally, an error will now be thrown by the other CodeQL Action steps if they load a configuration file that was generated by a different version of the `codeql-action/init` step. [#3099](https://github.com/github/codeql-action/pull/3099) and [#3100](https://github.com/github/codeql-action/pull/3100)
+- We added support for reducing the size of dependency caches for Java analyses, which will reduce cache usage and speed up workflows. This will be enabled automatically at a later time. [#3107](https://github.com/github/codeql-action/pull/3107)
+- You can now run the latest CodeQL nightly bundle by passing `tools: nightly` to the `init` action. In general, the nightly bundle is unstable and we only recommend running it when directed by GitHub staff. [#3130](https://github.com/github/codeql-action/pull/3130)

 ## 3.30.3 - 10 Sep 2025

@@ -58,7 +58,7 @@ inputs:
    # If changing this, make sure to update workflow.ts accordingly.
    default: ${{ github.workspace }}
  ref:
-    description: "The ref where results will be uploaded. If not provided, the Action will use the GITHUB_REF environment variable. If provided, the sha input must be provided as well. This input is ignored for pull requests from forks."
+    description: "The ref where results will be uploaded. If not provided, the Action will use the GITHUB_REF environment variable. If provided, the sha input must be provided as well. This input is ignored for pull requests from forks. Expected format: refs/heads/<branch name>, refs/tags/<tag>, refs/pull/<number>/merge, or refs/pull/<number>/head."
    required: false
  sha:
    description: "The sha of the HEAD of the ref where results will be uploaded. If not provided, the Action will use the GITHUB_SHA environment variable. If provided, the ref input must be provided as well. This input is ignored for pull requests from forks."
@@ -12,6 +12,9 @@ inputs:
      - The URL of a CodeQL Bundle tarball GitHub release asset, or
      - A special value `linked` which uses the version of the CodeQL tools
        that the Action has been bundled with.
+      - A special value `nightly` which uses the latest nightly version of the
+        CodeQL tools. Note that this is unstable and not recommended for
+        production use.

      If not specified, the Action will check in several places until it finds
      the CodeQL tools.
@@ -26447,7 +26447,7 @@ var require_package = __commonJS({
        lint: "eslint --report-unused-disable-directives --max-warnings=0 .",
        "lint-ci": "SARIF_ESLINT_IGNORE_SUPPRESSED=true eslint --report-unused-disable-directives --max-warnings=0 . --format @microsoft/eslint-formatter-sarif --output-file=eslint.sarif",
        "lint-fix": "eslint --report-unused-disable-directives --max-warnings=0 . --fix",
-        test: "npm run transpile && ava src/**.test.ts --serial --verbose",
+        test: "npm run transpile && ava src/ --serial --verbose",
        "test-debug": "npm run test -- --timeout=20m",
        transpile: "tsc --build --verbose"
      },
@@ -26486,15 +26486,15 @@ var require_package = __commonJS({
        "node-forge": "^1.3.1",
        octokit: "^5.0.3",
        semver: "^7.7.2",
-        uuid: "^12.0.0"
+        uuid: "^13.0.0"
      },
      devDependencies: {
        "@ava/typescript": "6.0.0",
        "@eslint/compat": "^1.3.2",
        "@eslint/eslintrc": "^3.3.1",
-        "@eslint/js": "^9.35.0",
+        "@eslint/js": "^9.36.0",
        "@microsoft/eslint-formatter-sarif": "^3.1.0",
-        "@octokit/types": "^14.1.0",
+        "@octokit/types": "^15.0.0",
        "@types/archiver": "^6.0.3",
        "@types/console-log-level": "^1.4.5",
        "@types/follow-redirects": "^1.14.4",
@@ -26503,10 +26503,10 @@ var require_package = __commonJS({
        "@types/node-forge": "^1.3.14",
        "@types/semver": "^7.7.1",
        "@types/sinon": "^17.0.4",
-        "@typescript-eslint/eslint-plugin": "^8.43.0",
+        "@typescript-eslint/eslint-plugin": "^8.44.0",
        "@typescript-eslint/parser": "^8.41.0",
        ava: "^6.4.1",
-        esbuild: "^0.25.9",
+        esbuild: "^0.25.10",
        eslint: "^8.57.1",
        "eslint-import-resolver-typescript": "^3.8.7",
        "eslint-plugin-filenames": "^1.3.2",
@@ -26536,7 +26536,8 @@ var require_package = __commonJS({
        },
        "eslint-plugin-jsx-a11y": {
          semver: ">=6.3.1"
-        }
+        },
+        "brace-expansion@2.0.1": "2.0.2"
      }
    };
  }
@@ -77685,7 +77686,7 @@ var require_brace_expansion2 = __commonJS({
        var isSequence = isNumericSequence || isAlphaSequence;
        var isOptions = m.body.indexOf(",") >= 0;
        if (!isSequence && !isOptions) {
-          if (m.post.match(/,.*\}/)) {
+          if (m.post.match(/,(?!,).*\}/)) {
            str2 = m.pre + "{" + m.body + escClose + m.post;
            return expand(str2);
          }
@@ -94795,7 +94796,7 @@ var require_commonjs16 = __commonJS({
    var TYPEMASK = 1023;
    var entToType = (s) => s.isFile() ? IFREG : s.isDirectory() ? IFDIR : s.isSymbolicLink() ? IFLNK : s.isCharacterDevice() ? IFCHR : s.isBlockDevice() ? IFBLK : s.isSocket() ? IFSOCK : s.isFIFO() ? IFIFO : UNKNOWN;
    var normalizeCache = /* @__PURE__ */ new Map();
-    var normalize3 = (s) => {
+    var normalize2 = (s) => {
      const c = normalizeCache.get(s);
      if (c)
        return c;
@@ -94808,7 +94809,7 @@ var require_commonjs16 = __commonJS({
      const c = normalizeNocaseCache.get(s);
      if (c)
        return c;
-      const n = normalize3(s.toLowerCase());
+      const n = normalize2(s.toLowerCase());
      normalizeNocaseCache.set(s, n);
      return n;
    };
@@ -94977,7 +94978,7 @@ var require_commonjs16 = __commonJS({
       */
      constructor(name, type2 = UNKNOWN, root, roots, nocase, children, opts) {
        this.name = name;
-        this.#matchName = nocase ? normalizeNocase(name) : normalize3(name);
+        this.#matchName = nocase ? normalizeNocase(name) : normalize2(name);
        this.#type = type2 & TYPEMASK;
        this.nocase = nocase;
        this.roots = roots;
@@ -95070,7 +95071,7 @@ var require_commonjs16 = __commonJS({
          return this.parent || this;
        }
        const children = this.children();
-        const name = this.nocase ? normalizeNocase(pathPart) : normalize3(pathPart);
+        const name = this.nocase ? normalizeNocase(pathPart) : normalize2(pathPart);
        for (const p of children) {
          if (p.#matchName === name) {
            return p;
@@ -95315,7 +95316,7 @@ var require_commonjs16 = __commonJS({
       * directly.
       */
      isNamed(n) {
-        return !this.nocase ? this.#matchName === normalize3(n) : this.#matchName === normalizeNocase(n);
+        return !this.nocase ? this.#matchName === normalize2(n) : this.#matchName === normalizeNocase(n);
      }
      /**
       * Return the Path object corresponding to the target of a symbolic link.
@@ -95454,7 +95455,7 @@ var require_commonjs16 = __commonJS({
      #readdirMaybePromoteChild(e, c) {
        for (let p = c.provisional; p < c.length; p++) {
          const pchild = c[p];
-          const name = this.nocase ? normalizeNocase(e.name) : normalize3(e.name);
+          const name = this.nocase ? normalizeNocase(e.name) : normalize2(e.name);
          if (name !== pchild.#matchName) {
            continue;
          }
@@ -103285,7 +103286,7 @@ var require_tr46 = __commonJS({
      TRANSITIONAL: 0,
      NONTRANSITIONAL: 1
    };
-    function normalize3(str2) {
+    function normalize2(str2) {
      return str2.split("\0").map(function(s) {
        return s.normalize("NFC");
      }).join("\0");
@@ -103365,7 +103366,7 @@ var require_tr46 = __commonJS({
        processing_option = PROCESSING_OPTIONS.NONTRANSITIONAL;
      }
      var error2 = false;
-      if (normalize3(label) !== label || label[3] === "-" && label[4] === "-" || label[0] === "-" || label[label.length - 1] === "-" || label.indexOf(".") !== -1 || label.search(combiningMarksRegex) === 0) {
+      if (normalize2(label) !== label || label[3] === "-" && label[4] === "-" || label[0] === "-" || label[label.length - 1] === "-" || label.indexOf(".") !== -1 || label.search(combiningMarksRegex) === 0) {
        error2 = true;
      }
      var len = countSymbols(label);
@@ -103383,7 +103384,7 @@ var require_tr46 = __commonJS({
    }
    function processing(domain_name, useSTD3, processing_option) {
      var result = mapChars(domain_name, useSTD3, processing_option);
-      result.string = normalize3(result.string);
+      result.string = normalize2(result.string);
      var labels = result.string.split(".");
      for (var i = 0; i < labels.length; ++i) {
        try {
@@ -117075,6 +117076,9 @@ function getCachedCodeQlVersion() {
 async function codeQlVersionAtLeast(codeql, requiredVersion) {
  return semver.gte((await codeql.getVersion()).version, requiredVersion);
 }
+function isInTestMode() {
+  return process.env["CODEQL_ACTION_TEST_MODE" /* TEST_MODE */] === "true";
+}
 function wrapError(error2) {
  return error2 instanceof Error ? error2 : new Error(String(error2));
 }
@@ -117194,6 +117198,9 @@ var githubUtils = __toESM(require_utils4());
 var retry = __toESM(require_dist_node15());
 var import_console_log_level = __toESM(require_console_log_level());
 var GITHUB_ENTERPRISE_VERSION_HEADER = "x-github-enterprise-version";
+function getRetryConfig() {
+  return isInTestMode() ? { retries: 10, retryAfterBaseValue: 1e4 } : { retries: 3, retryAfterBaseValue: 1e3 };
+}
 function createApiClientWithDetails(apiDetails, { allowExternal = false } = {}) {
  const auth = allowExternal && apiDetails.externalRepoAuth || apiDetails.auth;
  const retryingOctokit = githubUtils.GitHub.plugin(retry.retry);
@@ -117201,7 +117208,8 @@ function createApiClientWithDetails(apiDetails, { allowExternal = false } = {})
    githubUtils.getOctokitOptions(auth, {
      baseUrl: apiDetails.apiURL,
      userAgent: `CodeQL-Action/${getActionVersion()}`,
-      log: (0, import_console_log_level.default)({ level: "debug" })
+      log: (0, import_console_log_level.default)({ level: "debug" }),
+      retry: getRetryConfig()
    })
  );
 }
@@ -117486,7 +117494,6 @@ function wrapCliConfigurationError(cliError) {
 // src/config-utils.ts
 var fs3 = __toESM(require("fs"));
 var path3 = __toESM(require("path"));
-var semver4 = __toESM(require_semver2());

 // src/analyses.ts
 var AnalysisKind = /* @__PURE__ */ ((AnalysisKind2) => {
@@ -117499,8 +117506,17 @@ var supportedAnalysisKinds = new Set(Object.values(AnalysisKind));
 // src/caching-utils.ts
 var core6 = __toESM(require_core());

+// src/config/db-config.ts
+var semver2 = __toESM(require_semver2());
+var PACK_IDENTIFIER_PATTERN = (function() {
+  const alphaNumeric = "[a-z0-9]";
+  const alphaNumericDash = "[a-z0-9-]";
+  const component = `${alphaNumeric}(${alphaNumericDash}*${alphaNumeric})?`;
+  return new RegExp(`^${component}/${component}$`);
+})();
+
 // src/feature-flags.ts
-var semver3 = __toESM(require_semver2());
+var semver4 = __toESM(require_semver2());

 // src/overlay-database-utils.ts
 var fs2 = __toESM(require("fs"));
@@ -117746,13 +117762,13 @@ function computeChangedFiles(baseFileOids, overlayFileOids) {
 }

 // src/tools-features.ts
-var semver2 = __toESM(require_semver2());
+var semver3 = __toESM(require_semver2());
 function isSupportedToolsFeature(versionInfo, feature) {
  return !!versionInfo.features && versionInfo.features[feature];
 }
 var SafeArtifactUploadVersion = "2.20.3";
 function isSafeArtifactUpload(codeQlVersion) {
-  return !codeQlVersion ? true : semver2.gte(codeQlVersion, SafeArtifactUploadVersion);
+  return !codeQlVersion ? true : semver3.gte(codeQlVersion, SafeArtifactUploadVersion);
 }

 // src/feature-flags.ts
@@ -117918,6 +117934,11 @@ var featureConfig = {
    envVar: "CODEQL_ACTION_QA_TELEMETRY",
    legacyApi: true,
    minimumVersion: void 0
+  },
+  ["java_minimize_dependency_jars" /* JavaMinimizeDependencyJars */]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_JAVA_MINIMIZE_DEPENDENCY_JARS",
+    minimumVersion: "2.23.0"
  }
 };

@@ -117949,12 +117970,6 @@ var OVERLAY_ANALYSIS_CODE_SCANNING_FEATURES = {
  rust: "overlay_analysis_code_scanning_rust" /* OverlayAnalysisCodeScanningRust */,
  swift: "overlay_analysis_code_scanning_swift" /* OverlayAnalysisCodeScanningSwift */
 };
-var PACK_IDENTIFIER_PATTERN = (function() {
-  const alphaNumeric = "[a-z0-9]";
-  const alphaNumericDash = "[a-z0-9-]";
-  const component = `${alphaNumeric}(${alphaNumericDash}*${alphaNumeric})?`;
-  return new RegExp(`^${component}/${component}$`);
-})();
 function getPathToParsedConfigFile(tempDir) {
  return path3.join(tempDir, "config");
 }
@@ -27722,7 +27722,7 @@ var require_pattern = __commonJS({
      const absolute = [];
      const relative2 = [];
      for (const pattern of patterns) {
-        if (isAbsolute3(pattern)) {
+        if (isAbsolute2(pattern)) {
          absolute.push(pattern);
        } else {
          relative2.push(pattern);
@@ -27731,10 +27731,10 @@ var require_pattern = __commonJS({
      return [absolute, relative2];
    }
    exports2.partitionAbsoluteAndRelative = partitionAbsoluteAndRelative;
-    function isAbsolute3(pattern) {
+    function isAbsolute2(pattern) {
      return path20.isAbsolute(pattern);
    }
-    exports2.isAbsolute = isAbsolute3;
+    exports2.isAbsolute = isAbsolute2;
  }
 });

@@ -32296,7 +32296,7 @@ var require_package = __commonJS({
        lint: "eslint --report-unused-disable-directives --max-warnings=0 .",
        "lint-ci": "SARIF_ESLINT_IGNORE_SUPPRESSED=true eslint --report-unused-disable-directives --max-warnings=0 . --format @microsoft/eslint-formatter-sarif --output-file=eslint.sarif",
        "lint-fix": "eslint --report-unused-disable-directives --max-warnings=0 . --fix",
-        test: "npm run transpile && ava src/**.test.ts --serial --verbose",
+        test: "npm run transpile && ava src/ --serial --verbose",
        "test-debug": "npm run test -- --timeout=20m",
        transpile: "tsc --build --verbose"
      },
@@ -32335,15 +32335,15 @@ var require_package = __commonJS({
        "node-forge": "^1.3.1",
        octokit: "^5.0.3",
        semver: "^7.7.2",
-        uuid: "^12.0.0"
+        uuid: "^13.0.0"
      },
      devDependencies: {
        "@ava/typescript": "6.0.0",
        "@eslint/compat": "^1.3.2",
        "@eslint/eslintrc": "^3.3.1",
-        "@eslint/js": "^9.35.0",
+        "@eslint/js": "^9.36.0",
        "@microsoft/eslint-formatter-sarif": "^3.1.0",
-        "@octokit/types": "^14.1.0",
+        "@octokit/types": "^15.0.0",
        "@types/archiver": "^6.0.3",
        "@types/console-log-level": "^1.4.5",
        "@types/follow-redirects": "^1.14.4",
@@ -32352,10 +32352,10 @@ var require_package = __commonJS({
        "@types/node-forge": "^1.3.14",
        "@types/semver": "^7.7.1",
        "@types/sinon": "^17.0.4",
-        "@typescript-eslint/eslint-plugin": "^8.43.0",
+        "@typescript-eslint/eslint-plugin": "^8.44.0",
        "@typescript-eslint/parser": "^8.41.0",
        ava: "^6.4.1",
-        esbuild: "^0.25.9",
+        esbuild: "^0.25.10",
        eslint: "^8.57.1",
        "eslint-import-resolver-typescript": "^3.8.7",
        "eslint-plugin-filenames": "^1.3.2",
@@ -32385,7 +32385,8 @@ var require_package = __commonJS({
        },
        "eslint-plugin-jsx-a11y": {
          semver: ">=6.3.1"
-        }
+        },
+        "brace-expansion@2.0.1": "2.0.2"
      }
    };
  }
@@ -89753,7 +89754,7 @@ async function tryGetFolderBytes(cacheDir, logger, quiet = false) {
  }
 }
 var hadTimeout = false;
-async function withTimeout(timeoutMs, promise, onTimeout) {
+async function waitForResultWithTimeLimit(timeoutMs, promise, onTimeout) {
  let finished2 = false;
  const mainTask = async () => {
    const result = await promise;
@@ -90176,6 +90177,9 @@ function parseRepositoryNwo(input) {

 // src/api-client.ts
 var GITHUB_ENTERPRISE_VERSION_HEADER = "x-github-enterprise-version";
+function getRetryConfig() {
+  return isInTestMode() ? { retries: 10, retryAfterBaseValue: 1e4 } : { retries: 3, retryAfterBaseValue: 1e3 };
+}
 function createApiClientWithDetails(apiDetails, { allowExternal = false } = {}) {
  const auth = allowExternal && apiDetails.externalRepoAuth || apiDetails.auth;
  const retryingOctokit = githubUtils.GitHub.plugin(retry.retry);
@@ -90183,7 +90187,8 @@ function createApiClientWithDetails(apiDetails, { allowExternal = false } = {})
    githubUtils.getOctokitOptions(auth, {
      baseUrl: apiDetails.apiURL,
      userAgent: `CodeQL-Action/${getActionVersion()}`,
-      log: (0, import_console_log_level.default)({ level: "debug" })
+      log: (0, import_console_log_level.default)({ level: "debug" }),
+      retry: getRetryConfig()
    })
  );
 }
@@ -90554,7 +90559,6 @@ function wrapCliConfigurationError(cliError) {
 // src/config-utils.ts
 var fs9 = __toESM(require("fs"));
 var path10 = __toESM(require("path"));
-var semver4 = __toESM(require_semver2());

 // src/caching-utils.ts
 var core6 = __toESM(require_core());
@@ -90568,6 +90572,15 @@ function shouldStoreCache(kind) {
  return kind === "full" /* Full */ || kind === "store" /* Store */;
 }

+// src/config/db-config.ts
+var semver2 = __toESM(require_semver2());
+var PACK_IDENTIFIER_PATTERN = (function() {
+  const alphaNumeric = "[a-z0-9]";
+  const alphaNumericDash = "[a-z0-9-]";
+  const component = `${alphaNumeric}(${alphaNumericDash}*${alphaNumeric})?`;
+  return new RegExp(`^${component}/${component}$`);
+})();
+
 // src/diff-informed-analysis-utils.ts
 var fs8 = __toESM(require("fs"));
 var path9 = __toESM(require("path"));
@@ -90575,7 +90588,7 @@ var path9 = __toESM(require("path"));
 // src/feature-flags.ts
 var fs7 = __toESM(require("fs"));
 var path8 = __toESM(require("path"));
-var semver3 = __toESM(require_semver2());
+var semver4 = __toESM(require_semver2());

 // src/defaults.json
 var bundleVersion = "codeql-bundle-v2.23.0";
@@ -90871,7 +90884,7 @@ function computeChangedFiles(baseFileOids, overlayFileOids) {
 }
 var CACHE_VERSION = 1;
 var CACHE_PREFIX = "codeql-overlay-base-database";
-var MAX_CACHE_OPERATION_MS = 12e4;
+var MAX_CACHE_OPERATION_MS = 6e5;
 function checkOverlayBaseDatabase(config, logger, warningPrefix) {
  const baseDatabaseOidsFilePath = getBaseDatabaseOidsFilePath(config);
  if (!fs6.existsSync(baseDatabaseOidsFilePath)) {
@@ -90939,7 +90952,7 @@ async function uploadOverlayBaseDatabaseToCache(codeql, config, logger) {
    `Uploading overlay-base database to Actions cache with key ${cacheSaveKey}`
  );
  try {
-    const cacheId = await withTimeout(
+    const cacheId = await waitForResultWithTimeLimit(
      MAX_CACHE_OPERATION_MS,
      actionsCache.saveCache([dbLocation], cacheSaveKey),
      () => {
@@ -90981,7 +90994,7 @@ function createCacheKeyHash(components) {
 }

 // src/tools-features.ts
-var semver2 = __toESM(require_semver2());
+var semver3 = __toESM(require_semver2());
 function isSupportedToolsFeature(versionInfo, feature) {
  return !!versionInfo.features && versionInfo.features[feature];
 }
@@ -91152,6 +91165,11 @@ var featureConfig = {
    envVar: "CODEQL_ACTION_QA_TELEMETRY",
    legacyApi: true,
    minimumVersion: void 0
+  },
+  ["java_minimize_dependency_jars" /* JavaMinimizeDependencyJars */]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_JAVA_MINIMIZE_DEPENDENCY_JARS",
+    minimumVersion: "2.23.0"
  }
 };
 var FEATURE_FLAGS_FILE_NAME = "cached-feature-flags.json";
@@ -91260,7 +91278,7 @@ var GitHubFeatureFlags = class {
      DEFAULT_VERSION_FEATURE_FLAG_PREFIX.length,
      f.length - DEFAULT_VERSION_FEATURE_FLAG_SUFFIX.length
    ).replace(/_/g, ".");
-    if (!semver3.valid(version)) {
+    if (!semver4.valid(version)) {
      this.logger.warning(
        `Ignoring feature flag ${f} as it does not specify a valid CodeQL version.`
      );
@@ -91492,7 +91510,7 @@ async function uploadTrapCaches(codeql, config, logger) {
      process.env.GITHUB_SHA || "unknown"
    );
    logger.info(`Uploading TRAP cache to Actions cache with key ${key}`);
-    await withTimeout(
+    await waitForResultWithTimeLimit(
      MAX_CACHE_OPERATION_MS2,
      actionsCache2.saveCache([cacheDir], key),
      () => {
@@ -91609,12 +91627,6 @@ var OVERLAY_ANALYSIS_CODE_SCANNING_FEATURES = {
  rust: "overlay_analysis_code_scanning_rust" /* OverlayAnalysisCodeScanningRust */,
  swift: "overlay_analysis_code_scanning_swift" /* OverlayAnalysisCodeScanningSwift */
 };
-var PACK_IDENTIFIER_PATTERN = (function() {
-  const alphaNumeric = "[a-z0-9]";
-  const alphaNumericDash = "[a-z0-9-]";
-  const component = `${alphaNumeric}(${alphaNumericDash}*${alphaNumeric})?`;
-  return new RegExp(`^${component}/${component}$`);
-})();
 function getPathToParsedConfigFile(tempDir) {
  return path10.join(tempDir, "config");
 }
@@ -91677,7 +91689,7 @@ var toolcache3 = __toESM(require_tool_cache());
 var import_fast_deep_equal = __toESM(require_fast_deep_equal());
 var semver7 = __toESM(require_semver2());

-// node_modules/uuid/dist/stringify.js
+// node_modules/uuid/dist-node/stringify.js
 var byteToHex = [];
 for (let i = 0; i < 256; ++i) {
  byteToHex.push((i + 256).toString(16).slice(1));
@@ -91686,7 +91698,7 @@ function unsafeStringify(arr, offset = 0) {
  return (byteToHex[arr[offset + 0]] + byteToHex[arr[offset + 1]] + byteToHex[arr[offset + 2]] + byteToHex[arr[offset + 3]] + "-" + byteToHex[arr[offset + 4]] + byteToHex[arr[offset + 5]] + "-" + byteToHex[arr[offset + 6]] + byteToHex[arr[offset + 7]] + "-" + byteToHex[arr[offset + 8]] + byteToHex[arr[offset + 9]] + "-" + byteToHex[arr[offset + 10]] + byteToHex[arr[offset + 11]] + byteToHex[arr[offset + 12]] + byteToHex[arr[offset + 13]] + byteToHex[arr[offset + 14]] + byteToHex[arr[offset + 15]]).toLowerCase();
 }

-// node_modules/uuid/dist/rng.js
+// node_modules/uuid/dist-node/rng.js
 var import_node_crypto = require("node:crypto");
 var rnds8Pool = new Uint8Array(256);
 var poolPtr = rnds8Pool.length;
@@ -91698,11 +91710,11 @@ function rng() {
  return rnds8Pool.slice(poolPtr, poolPtr += 16);
 }

-// node_modules/uuid/dist/native.js
+// node_modules/uuid/dist-node/native.js
 var import_node_crypto2 = require("node:crypto");
 var native_default = { randomUUID: import_node_crypto2.randomUUID };

-// node_modules/uuid/dist/v4.js
+// node_modules/uuid/dist-node/v4.js
 function _v4(options, buf, offset) {
  options = options || {};
  const rnds = options.random ?? options.rng?.() ?? rng();
@@ -92045,7 +92057,10 @@ function sanitizeUrlForStatusReport(url2) {

 // src/setup-codeql.ts
 var CODEQL_DEFAULT_ACTION_REPOSITORY = "github/codeql-action";
+var CODEQL_NIGHTLIES_REPOSITORY_OWNER = "dsp-testing";
+var CODEQL_NIGHTLIES_REPOSITORY_NAME = "codeql-cli-nightlies";
 var CODEQL_BUNDLE_VERSION_ALIAS = ["linked", "latest"];
+var CODEQL_NIGHTLY_TOOLS_INPUTS = ["nightly", "nightly-latest"];
 function getCodeQLBundleExtension(compressionMethod) {
  switch (compressionMethod) {
    case "gzip":
@@ -92188,7 +92203,7 @@ async function findOverridingToolsInCache(humanReadableVersion, logger) {
  return void 0;
 }
 async function getCodeQLSource(toolsInput, defaultCliVersion, apiDetails, variant, tarSupportsZstd, logger) {
-  if (toolsInput && !CODEQL_BUNDLE_VERSION_ALIAS.includes(toolsInput) && !toolsInput.startsWith("http")) {
+  if (toolsInput && !isReservedToolsValue(toolsInput) && !toolsInput.startsWith("http")) {
    logger.info(`Using CodeQL CLI from local path ${toolsInput}`);
    const compressionMethod2 = inferCompressionMethod(toolsInput);
    if (compressionMethod2 === void 0) {
@@ -92217,6 +92232,12 @@ async function getCodeQLSource(toolsInput, defaultCliVersion, apiDetails, varian
  let cliVersion2;
  let tagName;
  let url2;
+  if (toolsInput !== void 0 && CODEQL_NIGHTLY_TOOLS_INPUTS.includes(toolsInput)) {
+    logger.info(
+      `Using the latest CodeQL CLI nightly, as requested by 'tools: ${toolsInput}'.`
+    );
+    toolsInput = await getNightlyToolsUrl(logger);
+  }
  if (forceShippedTools) {
    cliVersion2 = cliVersion;
    tagName = bundleVersion;
@@ -92500,6 +92521,34 @@ async function useZstdBundle(cliVersion2, tarSupportsZstd) {
 function getTempExtractionDir(tempDir) {
  return path12.join(tempDir, v4_default());
 }
+async function getNightlyToolsUrl(logger) {
+  const zstdAvailability = await isZstdAvailable(logger);
+  const compressionMethod = await useZstdBundle(
+    CODEQL_VERSION_ZSTD_BUNDLE,
+    zstdAvailability.available
+  ) ? "zstd" : "gzip";
+  try {
+    const release3 = await getApiClient().rest.repos.listReleases({
+      owner: CODEQL_NIGHTLIES_REPOSITORY_OWNER,
+      repo: CODEQL_NIGHTLIES_REPOSITORY_NAME,
+      per_page: 1,
+      page: 1,
+      prerelease: true
+    });
+    const latestRelease = release3.data[0];
+    if (!latestRelease) {
+      throw new Error("Could not find the latest nightly release.");
+    }
+    return `https://github.com/${CODEQL_NIGHTLIES_REPOSITORY_OWNER}/${CODEQL_NIGHTLIES_REPOSITORY_NAME}/releases/download/${latestRelease.tag_name}/${getCodeQLBundleName(compressionMethod)}`;
+  } catch (e) {
+    throw new Error(
+      `Failed to retrieve the latest nightly release: ${wrapError(e)}`
+    );
+  }
+}
+function isReservedToolsValue(tools) {
+  return CODEQL_BUNDLE_VERSION_ALIAS.includes(tools) || CODEQL_NIGHTLY_TOOLS_INPUTS.includes(tools);
+}

 // src/tracer-config.ts
 var fs13 = __toESM(require("fs"));
@@ -93241,7 +93290,7 @@ function getDefaultCacheConfig() {
 async function makeGlobber(patterns) {
  return glob.create(patterns.join("\n"));
 }
-async function uploadDependencyCaches(config, logger) {
+async function uploadDependencyCaches(config, logger, minimizeJavaJars) {
  for (const language of config.languages) {
    const cacheConfig = getDefaultCacheConfig()[language];
    if (cacheConfig === void 0) {
@@ -93264,7 +93313,7 @@ async function uploadDependencyCaches(config, logger) {
      );
      continue;
    }
-    const key = await cacheKey2(language, cacheConfig);
+    const key = await cacheKey2(language, cacheConfig, minimizeJavaJars);
    logger.info(
      `Uploading cache of size ${size} for ${language} with key ${key}...`
    );
@@ -93282,17 +93331,20 @@ async function uploadDependencyCaches(config, logger) {
    }
  }
 }
-async function cacheKey2(language, cacheConfig) {
+async function cacheKey2(language, cacheConfig, minimizeJavaJars = false) {
  const hash2 = await glob.hashFiles(cacheConfig.hash.join("\n"));
-  return `${await cachePrefix2(language)}${hash2}`;
+  return `${await cachePrefix2(language, minimizeJavaJars)}${hash2}`;
 }
-async function cachePrefix2(language) {
+async function cachePrefix2(language, minimizeJavaJars) {
  const runnerOs = getRequiredEnvParam("RUNNER_OS");
  const customPrefix = process.env["CODEQL_ACTION_DEPENDENCY_CACHE_PREFIX" /* DEPENDENCY_CACHING_PREFIX */];
  let prefix = CODEQL_DEPENDENCY_CACHE_PREFIX;
  if (customPrefix !== void 0 && customPrefix.length > 0) {
    prefix = `${prefix}-${customPrefix}`;
  }
+  if (language === "java" /* java */ && minimizeJavaJars) {
+    prefix = `minify-${prefix}`;
+  }
  return `${prefix}-${CODEQL_DEPENDENCY_CACHE_VERSION}-${runnerOs}-${language}-`;
 }

@@ -95581,113 +95633,98 @@ function buildPayload(commitOid, ref, analysisKey, analysisName, zippedSarif, wo
  }
  return payloadObj;
 }
-async function maybeUploadFiles(inputSarifPath, checkoutPath, category, features, logger, uploadTarget, uploadKind) {
+async function uploadFiles(inputSarifPath, checkoutPath, category, features, logger, uploadTarget) {
  const sarifPaths = getSarifFilePaths(
    inputSarifPath,
    uploadTarget.sarifPredicate
  );
-  return maybeUploadSpecifiedFiles(
+  return uploadSpecifiedFiles(
    sarifPaths,
    checkoutPath,
    category,
    features,
    logger,
-    uploadTarget,
-    uploadKind
+    uploadTarget
  );
 }
-async function maybeUploadSpecifiedFiles(sarifPaths, checkoutPath, category, features, logger, uploadTarget, uploadKind) {
+async function uploadSpecifiedFiles(sarifPaths, checkoutPath, category, features, logger, uploadTarget) {
+  logger.startGroup(`Uploading ${uploadTarget.name} results`);
+  logger.info(`Processing sarif files: ${JSON.stringify(sarifPaths)}`);
+  const gitHubVersion = await getGitHubVersion();
+  let sarif;
+  if (sarifPaths.length > 1) {
+    for (const sarifPath of sarifPaths) {
+      const parsedSarif = readSarifFile(sarifPath);
+      validateSarifFileSchema(parsedSarif, sarifPath, logger);
+    }
+    sarif = await combineSarifFilesUsingCLI(
+      sarifPaths,
+      gitHubVersion,
+      features,
+      logger
+    );
+  } else {
+    const sarifPath = sarifPaths[0];
+    sarif = readSarifFile(sarifPath);
+    validateSarifFileSchema(sarif, sarifPath, logger);
+    await throwIfCombineSarifFilesDisabled([sarif], gitHubVersion);
+  }
+  sarif = filterAlertsByDiffRange(logger, sarif);
+  sarif = await addFingerprints(sarif, checkoutPath, logger);
+  const analysisKey = await getAnalysisKey();
+  const environment = getRequiredInput("matrix");
+  sarif = populateRunAutomationDetails(
+    sarif,
+    category,
+    analysisKey,
+    environment
+  );
+  const toolNames = getToolNames(sarif);
+  logger.debug(`Validating that each SARIF run has a unique category`);
+  validateUniqueCategory(sarif, uploadTarget.sentinelPrefix);
+  logger.debug(`Serializing SARIF for upload`);
+  const sarifPayload = JSON.stringify(sarif);
  const dumpDir = process.env["CODEQL_ACTION_SARIF_DUMP_DIR" /* SARIF_DUMP_DIR */];
-  const upload = uploadKind === "always";
-  if (!upload && !dumpDir) {
-    logger.info(`Skipping upload of ${uploadTarget.name} results`);
-    return void 0;
-  }
-  logger.startGroup(`Processing ${uploadTarget.name} results`);
-  try {
-    logger.info(`Processing sarif files: ${JSON.stringify(sarifPaths)}`);
-    const gitHubVersion = await getGitHubVersion();
-    let sarif;
-    if (sarifPaths.length > 1) {
-      for (const sarifPath of sarifPaths) {
-        const parsedSarif = readSarifFile(sarifPath);
-        validateSarifFileSchema(parsedSarif, sarifPath, logger);
-      }
-      sarif = await combineSarifFilesUsingCLI(
-        sarifPaths,
-        gitHubVersion,
-        features,
-        logger
-      );
-    } else {
-      const sarifPath = sarifPaths[0];
-      sarif = readSarifFile(sarifPath);
-      validateSarifFileSchema(sarif, sarifPath, logger);
-      await throwIfCombineSarifFilesDisabled([sarif], gitHubVersion);
-    }
-    sarif = filterAlertsByDiffRange(logger, sarif);
-    sarif = await addFingerprints(sarif, checkoutPath, logger);
-    const analysisKey = await getAnalysisKey();
-    const environment = getRequiredInput("matrix");
-    sarif = populateRunAutomationDetails(
-      sarif,
-      category,
-      analysisKey,
-      environment
-    );
-    const toolNames = getToolNames(sarif);
-    logger.debug(`Validating that each SARIF run has a unique category`);
-    validateUniqueCategory(sarif, uploadTarget.sentinelPrefix);
-    logger.debug(`Serializing SARIF for upload`);
-    const sarifPayload = JSON.stringify(sarif);
-    if (dumpDir) {
-      dumpSarifFile(sarifPayload, dumpDir, logger, uploadTarget);
-    }
-    if (!upload) {
-      logger.info(
-        `Skipping upload of ${uploadTarget.name} results because upload kind is "${uploadKind}"`
-      );
-      return void 0;
-    }
-    logger.debug(`Compressing serialized SARIF`);
-    const zippedSarif = import_zlib.default.gzipSync(sarifPayload).toString("base64");
-    const checkoutURI = url.pathToFileURL(checkoutPath).href;
-    const payload = buildPayload(
-      await getCommitOid(checkoutPath),
-      await getRef(),
-      analysisKey,
-      getRequiredEnvParam("GITHUB_WORKFLOW"),
-      zippedSarif,
-      getWorkflowRunID(),
-      getWorkflowRunAttempt(),
-      checkoutURI,
-      environment,
-      toolNames,
-      await determineBaseBranchHeadCommitOid()
-    );
-    const rawUploadSizeBytes = sarifPayload.length;
-    logger.debug(`Raw upload size: ${rawUploadSizeBytes} bytes`);
-    const zippedUploadSizeBytes = zippedSarif.length;
-    logger.debug(`Base64 zipped upload size: ${zippedUploadSizeBytes} bytes`);
-    const numResultInSarif = countResultsInSarif(sarifPayload);
-    logger.debug(`Number of results in upload: ${numResultInSarif}`);
-    const sarifID = await uploadPayload(
-      payload,
-      getRepositoryNwo(),
-      logger,
-      uploadTarget.target
-    );
-    return {
-      statusReport: {
-        raw_upload_size_bytes: rawUploadSizeBytes,
-        zipped_upload_size_bytes: zippedUploadSizeBytes,
-        num_results_in_sarif: numResultInSarif
-      },
-      sarifID
-    };
-  } finally {
-    logger.endGroup();
+  if (dumpDir) {
+    dumpSarifFile(sarifPayload, dumpDir, logger, uploadTarget);
  }
+  logger.debug(`Compressing serialized SARIF`);
+  const zippedSarif = import_zlib.default.gzipSync(sarifPayload).toString("base64");
+  const checkoutURI = url.pathToFileURL(checkoutPath).href;
+  const payload = buildPayload(
+    await getCommitOid(checkoutPath),
+    await getRef(),
+    analysisKey,
+    getRequiredEnvParam("GITHUB_WORKFLOW"),
+    zippedSarif,
+    getWorkflowRunID(),
+    getWorkflowRunAttempt(),
+    checkoutURI,
+    environment,
+    toolNames,
+    await determineBaseBranchHeadCommitOid()
+  );
+  const rawUploadSizeBytes = sarifPayload.length;
+  logger.debug(`Raw upload size: ${rawUploadSizeBytes} bytes`);
+  const zippedUploadSizeBytes = zippedSarif.length;
+  logger.debug(`Base64 zipped upload size: ${zippedUploadSizeBytes} bytes`);
+  const numResultInSarif = countResultsInSarif(sarifPayload);
+  logger.debug(`Number of results in upload: ${numResultInSarif}`);
+  const sarifID = await uploadPayload(
+    payload,
+    getRepositoryNwo(),
+    logger,
+    uploadTarget.target
+  );
+  logger.endGroup();
+  return {
+    statusReport: {
+      raw_upload_size_bytes: rawUploadSizeBytes,
+      zipped_upload_size_bytes: zippedUploadSizeBytes,
+      num_results_in_sarif: numResultInSarif
+    },
+    sarifID
+  };
 }
 function dumpSarifFile(sarifPayload, outputDir, logger, uploadTarget) {
  if (!fs18.existsSync(outputDir)) {
@@ -96048,26 +96085,21 @@ async function run() {
    }
    core14.setOutput("db-locations", dbLocations);
    core14.setOutput("sarif-output", import_path4.default.resolve(outputDir));
-    const uploadInput = getUploadValue(
-      getOptionalInput("upload")
-    );
-    if (runStats) {
+    const uploadInput = getOptionalInput("upload");
+    if (runStats && getUploadValue(uploadInput) === "always") {
      if (isCodeScanningEnabled(config)) {
-        uploadResult = await maybeUploadFiles(
+        uploadResult = await uploadFiles(
          outputDir,
          getRequiredInput("checkout_path"),
          getOptionalInput("category"),
          features,
          logger,
-          CodeScanning,
-          uploadInput
+          CodeScanning
        );
-        if (uploadResult) {
-          core14.setOutput("sarif-id", uploadResult.sarifID);
-        }
+        core14.setOutput("sarif-id", uploadResult.sarifID);
      }
      if (isCodeQualityEnabled(config)) {
-        const qualityUploadResult = await maybeUploadFiles(
+        const qualityUploadResult = await uploadFiles(
          outputDir,
          getRequiredInput("checkout_path"),
          fixCodeQualityCategory(
@@ -96076,15 +96108,12 @@ async function run() {
          ),
          features,
          logger,
-          CodeQuality,
-          uploadInput
+          CodeQuality
        );
-        if (qualityUploadResult) {
-          core14.setOutput("quality-sarif-id", qualityUploadResult.sarifID);
-        }
+        core14.setOutput("quality-sarif-id", qualityUploadResult.sarifID);
      }
    } else {
-      logger.info("No query status report, skipping upload");
+      logger.info("Not uploading results");
    }
    await uploadOverlayBaseDatabaseToCache(codeql, config, logger);
    await uploadDatabases(repositoryNwo, codeql, config, apiDetails, logger);
@@ -96097,7 +96126,11 @@ async function run() {
      logger
    );
    if (shouldStoreCache(config.dependencyCachingEnabled)) {
-      await uploadDependencyCaches(config, logger);
+      const minimizeJavaJars = await features.getValue(
+        "java_minimize_dependency_jars" /* JavaMinimizeDependencyJars */,
+        codeql
+      );
+      await uploadDependencyCaches(config, logger, minimizeJavaJars);
    }
    if (isInTestMode()) {
      logger.debug("In test mode. Waiting for processing is disabled.");
@@ -26447,7 +26447,7 @@ var require_package = __commonJS({
        lint: "eslint --report-unused-disable-directives --max-warnings=0 .",
        "lint-ci": "SARIF_ESLINT_IGNORE_SUPPRESSED=true eslint --report-unused-disable-directives --max-warnings=0 . --format @microsoft/eslint-formatter-sarif --output-file=eslint.sarif",
        "lint-fix": "eslint --report-unused-disable-directives --max-warnings=0 . --fix",
-        test: "npm run transpile && ava src/**.test.ts --serial --verbose",
+        test: "npm run transpile && ava src/ --serial --verbose",
        "test-debug": "npm run test -- --timeout=20m",
        transpile: "tsc --build --verbose"
      },
@@ -26486,15 +26486,15 @@ var require_package = __commonJS({
        "node-forge": "^1.3.1",
        octokit: "^5.0.3",
        semver: "^7.7.2",
-        uuid: "^12.0.0"
+        uuid: "^13.0.0"
      },
      devDependencies: {
        "@ava/typescript": "6.0.0",
        "@eslint/compat": "^1.3.2",
        "@eslint/eslintrc": "^3.3.1",
-        "@eslint/js": "^9.35.0",
+        "@eslint/js": "^9.36.0",
        "@microsoft/eslint-formatter-sarif": "^3.1.0",
-        "@octokit/types": "^14.1.0",
+        "@octokit/types": "^15.0.0",
        "@types/archiver": "^6.0.3",
        "@types/console-log-level": "^1.4.5",
        "@types/follow-redirects": "^1.14.4",
@@ -26503,10 +26503,10 @@ var require_package = __commonJS({
        "@types/node-forge": "^1.3.14",
        "@types/semver": "^7.7.1",
        "@types/sinon": "^17.0.4",
-        "@typescript-eslint/eslint-plugin": "^8.43.0",
+        "@typescript-eslint/eslint-plugin": "^8.44.0",
        "@typescript-eslint/parser": "^8.41.0",
        ava: "^6.4.1",
-        esbuild: "^0.25.9",
+        esbuild: "^0.25.10",
        eslint: "^8.57.1",
        "eslint-import-resolver-typescript": "^3.8.7",
        "eslint-plugin-filenames": "^1.3.2",
@@ -26536,7 +26536,8 @@ var require_package = __commonJS({
        },
        "eslint-plugin-jsx-a11y": {
          semver: ">=6.3.1"
-        }
+        },
+        "brace-expansion@2.0.1": "2.0.2"
      }
    };
  }
@@ -77901,6 +77902,9 @@ function parseRepositoryNwo(input) {

 // src/api-client.ts
 var GITHUB_ENTERPRISE_VERSION_HEADER = "x-github-enterprise-version";
+function getRetryConfig() {
+  return isInTestMode() ? { retries: 10, retryAfterBaseValue: 1e4 } : { retries: 3, retryAfterBaseValue: 1e3 };
+}
 function createApiClientWithDetails(apiDetails, { allowExternal = false } = {}) {
  const auth = allowExternal && apiDetails.externalRepoAuth || apiDetails.auth;
  const retryingOctokit = githubUtils.GitHub.plugin(retry.retry);
@@ -77908,7 +77912,8 @@ function createApiClientWithDetails(apiDetails, { allowExternal = false } = {})
    githubUtils.getOctokitOptions(auth, {
      baseUrl: apiDetails.apiURL,
      userAgent: `CodeQL-Action/${getActionVersion()}`,
-      log: (0, import_console_log_level.default)({ level: "debug" })
+      log: (0, import_console_log_level.default)({ level: "debug" }),
+      retry: getRetryConfig()
    })
  );
 }
@@ -78228,7 +78233,6 @@ function wrapCliConfigurationError(cliError) {
 // src/config-utils.ts
 var fs4 = __toESM(require("fs"));
 var path4 = __toESM(require("path"));
-var semver4 = __toESM(require_semver2());

 // src/analyses.ts
 var AnalysisKind = /* @__PURE__ */ ((AnalysisKind2) => {
@@ -78241,10 +78245,19 @@ var supportedAnalysisKinds = new Set(Object.values(AnalysisKind));
 // src/caching-utils.ts
 var core6 = __toESM(require_core());

+// src/config/db-config.ts
+var semver2 = __toESM(require_semver2());
+var PACK_IDENTIFIER_PATTERN = (function() {
+  const alphaNumeric = "[a-z0-9]";
+  const alphaNumericDash = "[a-z0-9-]";
+  const component = `${alphaNumeric}(${alphaNumericDash}*${alphaNumeric})?`;
+  return new RegExp(`^${component}/${component}$`);
+})();
+
 // src/feature-flags.ts
 var fs3 = __toESM(require("fs"));
 var path3 = __toESM(require("path"));
-var semver3 = __toESM(require_semver2());
+var semver4 = __toESM(require_semver2());

 // src/defaults.json
 var bundleVersion = "codeql-bundle-v2.23.0";
@@ -78486,7 +78499,7 @@ function computeChangedFiles(baseFileOids, overlayFileOids) {
 }

 // src/tools-features.ts
-var semver2 = __toESM(require_semver2());
+var semver3 = __toESM(require_semver2());
 function isSupportedToolsFeature(versionInfo, feature) {
  return !!versionInfo.features && versionInfo.features[feature];
 }
@@ -78656,6 +78669,11 @@ var featureConfig = {
    envVar: "CODEQL_ACTION_QA_TELEMETRY",
    legacyApi: true,
    minimumVersion: void 0
+  },
+  ["java_minimize_dependency_jars" /* JavaMinimizeDependencyJars */]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_JAVA_MINIMIZE_DEPENDENCY_JARS",
+    minimumVersion: "2.23.0"
  }
 };
 var FEATURE_FLAGS_FILE_NAME = "cached-feature-flags.json";
@@ -78764,7 +78782,7 @@ var GitHubFeatureFlags = class {
      DEFAULT_VERSION_FEATURE_FLAG_PREFIX.length,
      f.length - DEFAULT_VERSION_FEATURE_FLAG_SUFFIX.length
    ).replace(/_/g, ".");
-    if (!semver3.valid(version)) {
+    if (!semver4.valid(version)) {
      this.logger.warning(
        `Ignoring feature flag ${f} as it does not specify a valid CodeQL version.`
      );
@@ -78951,12 +78969,6 @@ var OVERLAY_ANALYSIS_CODE_SCANNING_FEATURES = {
  rust: "overlay_analysis_code_scanning_rust" /* OverlayAnalysisCodeScanningRust */,
  swift: "overlay_analysis_code_scanning_swift" /* OverlayAnalysisCodeScanningSwift */
 };
-var PACK_IDENTIFIER_PATTERN = (function() {
-  const alphaNumeric = "[a-z0-9]";
-  const alphaNumericDash = "[a-z0-9-]";
-  const component = `${alphaNumeric}(${alphaNumericDash}*${alphaNumeric})?`;
-  return new RegExp(`^${component}/${component}$`);
-})();
 function getPathToParsedConfigFile(tempDir) {
  return path4.join(tempDir, "config");
 }
@@ -27722,7 +27722,7 @@ var require_pattern = __commonJS({
      const absolute = [];
      const relative2 = [];
      for (const pattern of patterns) {
-        if (isAbsolute3(pattern)) {
+        if (isAbsolute2(pattern)) {
          absolute.push(pattern);
        } else {
          relative2.push(pattern);
@@ -27731,10 +27731,10 @@ var require_pattern = __commonJS({
      return [absolute, relative2];
    }
    exports2.partitionAbsoluteAndRelative = partitionAbsoluteAndRelative;
-    function isAbsolute3(pattern) {
+    function isAbsolute2(pattern) {
      return path19.isAbsolute(pattern);
    }
-    exports2.isAbsolute = isAbsolute3;
+    exports2.isAbsolute = isAbsolute2;
  }
 });

@@ -32296,7 +32296,7 @@ var require_package = __commonJS({
        lint: "eslint --report-unused-disable-directives --max-warnings=0 .",
        "lint-ci": "SARIF_ESLINT_IGNORE_SUPPRESSED=true eslint --report-unused-disable-directives --max-warnings=0 . --format @microsoft/eslint-formatter-sarif --output-file=eslint.sarif",
        "lint-fix": "eslint --report-unused-disable-directives --max-warnings=0 . --fix",
-        test: "npm run transpile && ava src/**.test.ts --serial --verbose",
+        test: "npm run transpile && ava src/ --serial --verbose",
        "test-debug": "npm run test -- --timeout=20m",
        transpile: "tsc --build --verbose"
      },
@@ -32335,15 +32335,15 @@ var require_package = __commonJS({
        "node-forge": "^1.3.1",
        octokit: "^5.0.3",
        semver: "^7.7.2",
-        uuid: "^12.0.0"
+        uuid: "^13.0.0"
      },
      devDependencies: {
        "@ava/typescript": "6.0.0",
        "@eslint/compat": "^1.3.2",
        "@eslint/eslintrc": "^3.3.1",
-        "@eslint/js": "^9.35.0",
+        "@eslint/js": "^9.36.0",
        "@microsoft/eslint-formatter-sarif": "^3.1.0",
-        "@octokit/types": "^14.1.0",
+        "@octokit/types": "^15.0.0",
        "@types/archiver": "^6.0.3",
        "@types/console-log-level": "^1.4.5",
        "@types/follow-redirects": "^1.14.4",
@@ -32352,10 +32352,10 @@ var require_package = __commonJS({
        "@types/node-forge": "^1.3.14",
        "@types/semver": "^7.7.1",
        "@types/sinon": "^17.0.4",
-        "@typescript-eslint/eslint-plugin": "^8.43.0",
+        "@typescript-eslint/eslint-plugin": "^8.44.0",
        "@typescript-eslint/parser": "^8.41.0",
        ava: "^6.4.1",
-        esbuild: "^0.25.9",
+        esbuild: "^0.25.10",
        eslint: "^8.57.1",
        "eslint-import-resolver-typescript": "^3.8.7",
        "eslint-plugin-filenames": "^1.3.2",
@@ -32385,7 +32385,8 @@ var require_package = __commonJS({
        },
        "eslint-plugin-jsx-a11y": {
          semver: ">=6.3.1"
-        }
+        },
+        "brace-expansion@2.0.1": "2.0.2"
      }
    };
  }
@@ -83534,7 +83535,7 @@ var require_brace_expansion2 = __commonJS({
        var isSequence = isNumericSequence || isAlphaSequence;
        var isOptions = m.body.indexOf(",") >= 0;
        if (!isSequence && !isOptions) {
-          if (m.post.match(/,.*\}/)) {
+          if (m.post.match(/,(?!,).*\}/)) {
            str2 = m.pre + "{" + m.body + escClose + m.post;
            return expand(str2);
          }
@@ -100644,7 +100645,7 @@ var require_commonjs16 = __commonJS({
    var TYPEMASK = 1023;
    var entToType = (s) => s.isFile() ? IFREG : s.isDirectory() ? IFDIR : s.isSymbolicLink() ? IFLNK : s.isCharacterDevice() ? IFCHR : s.isBlockDevice() ? IFBLK : s.isSocket() ? IFSOCK : s.isFIFO() ? IFIFO : UNKNOWN;
    var normalizeCache = /* @__PURE__ */ new Map();
-    var normalize4 = (s) => {
+    var normalize3 = (s) => {
      const c = normalizeCache.get(s);
      if (c)
        return c;
@@ -100657,7 +100658,7 @@ var require_commonjs16 = __commonJS({
      const c = normalizeNocaseCache.get(s);
      if (c)
        return c;
-      const n = normalize4(s.toLowerCase());
+      const n = normalize3(s.toLowerCase());
      normalizeNocaseCache.set(s, n);
      return n;
    };
@@ -100826,7 +100827,7 @@ var require_commonjs16 = __commonJS({
       */
      constructor(name, type2 = UNKNOWN, root, roots, nocase, children, opts) {
        this.name = name;
-        this.#matchName = nocase ? normalizeNocase(name) : normalize4(name);
+        this.#matchName = nocase ? normalizeNocase(name) : normalize3(name);
        this.#type = type2 & TYPEMASK;
        this.nocase = nocase;
        this.roots = roots;
@@ -100919,7 +100920,7 @@ var require_commonjs16 = __commonJS({
          return this.parent || this;
        }
        const children = this.children();
-        const name = this.nocase ? normalizeNocase(pathPart) : normalize4(pathPart);
+        const name = this.nocase ? normalizeNocase(pathPart) : normalize3(pathPart);
        for (const p of children) {
          if (p.#matchName === name) {
            return p;
@@ -101164,7 +101165,7 @@ var require_commonjs16 = __commonJS({
       * directly.
       */
      isNamed(n) {
-        return !this.nocase ? this.#matchName === normalize4(n) : this.#matchName === normalizeNocase(n);
+        return !this.nocase ? this.#matchName === normalize3(n) : this.#matchName === normalizeNocase(n);
      }
      /**
       * Return the Path object corresponding to the target of a symbolic link.
@@ -101303,7 +101304,7 @@ var require_commonjs16 = __commonJS({
      #readdirMaybePromoteChild(e, c) {
        for (let p = c.provisional; p < c.length; p++) {
          const pchild = c[p];
-          const name = this.nocase ? normalizeNocase(e.name) : normalize4(e.name);
+          const name = this.nocase ? normalizeNocase(e.name) : normalize3(e.name);
          if (name !== pchild.#matchName) {
            continue;
          }
@@ -109134,7 +109135,7 @@ var require_tr46 = __commonJS({
      TRANSITIONAL: 0,
      NONTRANSITIONAL: 1
    };
-    function normalize4(str2) {
+    function normalize3(str2) {
      return str2.split("\0").map(function(s) {
        return s.normalize("NFC");
      }).join("\0");
@@ -109214,7 +109215,7 @@ var require_tr46 = __commonJS({
        processing_option = PROCESSING_OPTIONS.NONTRANSITIONAL;
      }
      var error2 = false;
-      if (normalize4(label) !== label || label[3] === "-" && label[4] === "-" || label[0] === "-" || label[label.length - 1] === "-" || label.indexOf(".") !== -1 || label.search(combiningMarksRegex) === 0) {
+      if (normalize3(label) !== label || label[3] === "-" && label[4] === "-" || label[0] === "-" || label[label.length - 1] === "-" || label.indexOf(".") !== -1 || label.search(combiningMarksRegex) === 0) {
        error2 = true;
      }
      var len = countSymbols(label);
@@ -109232,7 +109233,7 @@ var require_tr46 = __commonJS({
    }
    function processing(domain_name, useSTD3, processing_option) {
      var result = mapChars(domain_name, useSTD3, processing_option);
-      result.string = normalize4(result.string);
+      result.string = normalize3(result.string);
      var labels = result.string.split(".");
      for (var i = 0; i < labels.length; ++i) {
        try {
@@ -128395,6 +128396,9 @@ function parseRepositoryNwo(input) {

 // src/api-client.ts
 var GITHUB_ENTERPRISE_VERSION_HEADER = "x-github-enterprise-version";
+function getRetryConfig() {
+  return isInTestMode() ? { retries: 10, retryAfterBaseValue: 1e4 } : { retries: 3, retryAfterBaseValue: 1e3 };
+}
 function createApiClientWithDetails(apiDetails, { allowExternal = false } = {}) {
  const auth = allowExternal && apiDetails.externalRepoAuth || apiDetails.auth;
  const retryingOctokit = githubUtils.GitHub.plugin(retry.retry);
@@ -128402,7 +128406,8 @@ function createApiClientWithDetails(apiDetails, { allowExternal = false } = {})
    githubUtils.getOctokitOptions(auth, {
      baseUrl: apiDetails.apiURL,
      userAgent: `CodeQL-Action/${getActionVersion()}`,
-      log: (0, import_console_log_level.default)({ level: "debug" })
+      log: (0, import_console_log_level.default)({ level: "debug" }),
+      retry: getRetryConfig()
    })
  );
 }
@@ -128745,7 +128750,6 @@ function wrapCliConfigurationError(cliError) {
 // src/config-utils.ts
 var fs9 = __toESM(require("fs"));
 var path10 = __toESM(require("path"));
-var semver4 = __toESM(require_semver2());

 // src/analyses.ts
 var AnalysisKind = /* @__PURE__ */ ((AnalysisKind2) => {
@@ -128774,6 +128778,15 @@ var CodeQuality = {
 // src/caching-utils.ts
 var core6 = __toESM(require_core());

+// src/config/db-config.ts
+var semver2 = __toESM(require_semver2());
+var PACK_IDENTIFIER_PATTERN = (function() {
+  const alphaNumeric = "[a-z0-9]";
+  const alphaNumericDash = "[a-z0-9-]";
+  const component = `${alphaNumeric}(${alphaNumericDash}*${alphaNumeric})?`;
+  return new RegExp(`^${component}/${component}$`);
+})();
+
 // src/diff-informed-analysis-utils.ts
 var fs8 = __toESM(require("fs"));
 var path9 = __toESM(require("path"));
@@ -128781,7 +128794,7 @@ var path9 = __toESM(require("path"));
 // src/feature-flags.ts
 var fs7 = __toESM(require("fs"));
 var path8 = __toESM(require("path"));
-var semver3 = __toESM(require_semver2());
+var semver4 = __toESM(require_semver2());

 // src/defaults.json
 var bundleVersion = "codeql-bundle-v2.23.0";
@@ -129076,13 +129089,13 @@ function computeChangedFiles(baseFileOids, overlayFileOids) {
 }

 // src/tools-features.ts
-var semver2 = __toESM(require_semver2());
+var semver3 = __toESM(require_semver2());
 function isSupportedToolsFeature(versionInfo, feature) {
  return !!versionInfo.features && versionInfo.features[feature];
 }
 var SafeArtifactUploadVersion = "2.20.3";
 function isSafeArtifactUpload(codeQlVersion) {
-  return !codeQlVersion ? true : semver2.gte(codeQlVersion, SafeArtifactUploadVersion);
+  return !codeQlVersion ? true : semver3.gte(codeQlVersion, SafeArtifactUploadVersion);
 }

 // src/feature-flags.ts
@@ -129251,6 +129264,11 @@ var featureConfig = {
    envVar: "CODEQL_ACTION_QA_TELEMETRY",
    legacyApi: true,
    minimumVersion: void 0
+  },
+  ["java_minimize_dependency_jars" /* JavaMinimizeDependencyJars */]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_JAVA_MINIMIZE_DEPENDENCY_JARS",
+    minimumVersion: "2.23.0"
  }
 };
 var FEATURE_FLAGS_FILE_NAME = "cached-feature-flags.json";
@@ -129359,7 +129377,7 @@ var GitHubFeatureFlags = class {
      DEFAULT_VERSION_FEATURE_FLAG_PREFIX.length,
      f.length - DEFAULT_VERSION_FEATURE_FLAG_SUFFIX.length
    ).replace(/_/g, ".");
-    if (!semver3.valid(version)) {
+    if (!semver4.valid(version)) {
      this.logger.warning(
        `Ignoring feature flag ${f} as it does not specify a valid CodeQL version.`
      );
@@ -129564,12 +129582,6 @@ var OVERLAY_ANALYSIS_CODE_SCANNING_FEATURES = {
  rust: "overlay_analysis_code_scanning_rust" /* OverlayAnalysisCodeScanningRust */,
  swift: "overlay_analysis_code_scanning_swift" /* OverlayAnalysisCodeScanningSwift */
 };
-var PACK_IDENTIFIER_PATTERN = (function() {
-  const alphaNumeric = "[a-z0-9]";
-  const alphaNumericDash = "[a-z0-9-]";
-  const component = `${alphaNumeric}(${alphaNumericDash}*${alphaNumeric})?`;
-  return new RegExp(`^${component}/${component}$`);
-})();
 function getPathToParsedConfigFile(tempDir) {
  return path10.join(tempDir, "config");
 }
@@ -129620,7 +129632,7 @@ var toolcache3 = __toESM(require_tool_cache());
 var import_fast_deep_equal = __toESM(require_fast_deep_equal());
 var semver7 = __toESM(require_semver2());

-// node_modules/uuid/dist/stringify.js
+// node_modules/uuid/dist-node/stringify.js
 var byteToHex = [];
 for (let i = 0; i < 256; ++i) {
  byteToHex.push((i + 256).toString(16).slice(1));
@@ -129629,7 +129641,7 @@ function unsafeStringify(arr, offset = 0) {
  return (byteToHex[arr[offset + 0]] + byteToHex[arr[offset + 1]] + byteToHex[arr[offset + 2]] + byteToHex[arr[offset + 3]] + "-" + byteToHex[arr[offset + 4]] + byteToHex[arr[offset + 5]] + "-" + byteToHex[arr[offset + 6]] + byteToHex[arr[offset + 7]] + "-" + byteToHex[arr[offset + 8]] + byteToHex[arr[offset + 9]] + "-" + byteToHex[arr[offset + 10]] + byteToHex[arr[offset + 11]] + byteToHex[arr[offset + 12]] + byteToHex[arr[offset + 13]] + byteToHex[arr[offset + 14]] + byteToHex[arr[offset + 15]]).toLowerCase();
 }

-// node_modules/uuid/dist/rng.js
+// node_modules/uuid/dist-node/rng.js
 var import_node_crypto = require("node:crypto");
 var rnds8Pool = new Uint8Array(256);
 var poolPtr = rnds8Pool.length;
@@ -129641,11 +129653,11 @@ function rng() {
  return rnds8Pool.slice(poolPtr, poolPtr += 16);
 }

-// node_modules/uuid/dist/native.js
+// node_modules/uuid/dist-node/native.js
 var import_node_crypto2 = require("node:crypto");
 var native_default = { randomUUID: import_node_crypto2.randomUUID };

-// node_modules/uuid/dist/v4.js
+// node_modules/uuid/dist-node/v4.js
 function _v4(options, buf, offset) {
  options = options || {};
  const rnds = options.random ?? options.rng?.() ?? rng();
@@ -129988,7 +130000,10 @@ function sanitizeUrlForStatusReport(url2) {

 // src/setup-codeql.ts
 var CODEQL_DEFAULT_ACTION_REPOSITORY = "github/codeql-action";
+var CODEQL_NIGHTLIES_REPOSITORY_OWNER = "dsp-testing";
+var CODEQL_NIGHTLIES_REPOSITORY_NAME = "codeql-cli-nightlies";
 var CODEQL_BUNDLE_VERSION_ALIAS = ["linked", "latest"];
+var CODEQL_NIGHTLY_TOOLS_INPUTS = ["nightly", "nightly-latest"];
 function getCodeQLBundleExtension(compressionMethod) {
  switch (compressionMethod) {
    case "gzip":
@@ -130131,7 +130146,7 @@ async function findOverridingToolsInCache(humanReadableVersion, logger) {
  return void 0;
 }
 async function getCodeQLSource(toolsInput, defaultCliVersion, apiDetails, variant, tarSupportsZstd, logger) {
-  if (toolsInput && !CODEQL_BUNDLE_VERSION_ALIAS.includes(toolsInput) && !toolsInput.startsWith("http")) {
+  if (toolsInput && !isReservedToolsValue(toolsInput) && !toolsInput.startsWith("http")) {
    logger.info(`Using CodeQL CLI from local path ${toolsInput}`);
    const compressionMethod2 = inferCompressionMethod(toolsInput);
    if (compressionMethod2 === void 0) {
@@ -130160,6 +130175,12 @@ async function getCodeQLSource(toolsInput, defaultCliVersion, apiDetails, varian
  let cliVersion2;
  let tagName;
  let url2;
+  if (toolsInput !== void 0 && CODEQL_NIGHTLY_TOOLS_INPUTS.includes(toolsInput)) {
+    logger.info(
+      `Using the latest CodeQL CLI nightly, as requested by 'tools: ${toolsInput}'.`
+    );
+    toolsInput = await getNightlyToolsUrl(logger);
+  }
  if (forceShippedTools) {
    cliVersion2 = cliVersion;
    tagName = bundleVersion;
@@ -130443,6 +130464,34 @@ async function useZstdBundle(cliVersion2, tarSupportsZstd) {
 function getTempExtractionDir(tempDir) {
  return path12.join(tempDir, v4_default());
 }
+async function getNightlyToolsUrl(logger) {
+  const zstdAvailability = await isZstdAvailable(logger);
+  const compressionMethod = await useZstdBundle(
+    CODEQL_VERSION_ZSTD_BUNDLE,
+    zstdAvailability.available
+  ) ? "zstd" : "gzip";
+  try {
+    const release3 = await getApiClient().rest.repos.listReleases({
+      owner: CODEQL_NIGHTLIES_REPOSITORY_OWNER,
+      repo: CODEQL_NIGHTLIES_REPOSITORY_NAME,
+      per_page: 1,
+      page: 1,
+      prerelease: true
+    });
+    const latestRelease = release3.data[0];
+    if (!latestRelease) {
+      throw new Error("Could not find the latest nightly release.");
+    }
+    return `https://github.com/${CODEQL_NIGHTLIES_REPOSITORY_OWNER}/${CODEQL_NIGHTLIES_REPOSITORY_NAME}/releases/download/${latestRelease.tag_name}/${getCodeQLBundleName(compressionMethod)}`;
+  } catch (e) {
+    throw new Error(
+      `Failed to retrieve the latest nightly release: ${wrapError(e)}`
+    );
+  }
+}
+function isReservedToolsValue(tools) {
+  return CODEQL_BUNDLE_VERSION_ALIAS.includes(tools) || CODEQL_NIGHTLY_TOOLS_INPUTS.includes(tools);
+}

 // src/tracer-config.ts
 async function shouldEnableIndirectTracing(codeql, config) {
@@ -133019,123 +133068,97 @@ function buildPayload(commitOid, ref, analysisKey, analysisName, zippedSarif, wo
  return payloadObj;
 }
 async function uploadFiles(inputSarifPath, checkoutPath, category, features, logger, uploadTarget) {
-  return maybeUploadFiles(
-    inputSarifPath,
-    checkoutPath,
-    category,
-    features,
-    logger,
-    uploadTarget,
-    "always"
-  );
-}
-async function maybeUploadFiles(inputSarifPath, checkoutPath, category, features, logger, uploadTarget, uploadKind) {
  const sarifPaths = getSarifFilePaths(
    inputSarifPath,
    uploadTarget.sarifPredicate
  );
-  return maybeUploadSpecifiedFiles(
+  return uploadSpecifiedFiles(
    sarifPaths,
    checkoutPath,
    category,
    features,
    logger,
-    uploadTarget,
-    uploadKind
+    uploadTarget
  );
 }
-async function maybeUploadSpecifiedFiles(sarifPaths, checkoutPath, category, features, logger, uploadTarget, uploadKind) {
+async function uploadSpecifiedFiles(sarifPaths, checkoutPath, category, features, logger, uploadTarget) {
+  logger.startGroup(`Uploading ${uploadTarget.name} results`);
+  logger.info(`Processing sarif files: ${JSON.stringify(sarifPaths)}`);
+  const gitHubVersion = await getGitHubVersion();
+  let sarif;
+  if (sarifPaths.length > 1) {
+    for (const sarifPath of sarifPaths) {
+      const parsedSarif = readSarifFile(sarifPath);
+      validateSarifFileSchema(parsedSarif, sarifPath, logger);
+    }
+    sarif = await combineSarifFilesUsingCLI(
+      sarifPaths,
+      gitHubVersion,
+      features,
+      logger
+    );
+  } else {
+    const sarifPath = sarifPaths[0];
+    sarif = readSarifFile(sarifPath);
+    validateSarifFileSchema(sarif, sarifPath, logger);
+    await throwIfCombineSarifFilesDisabled([sarif], gitHubVersion);
+  }
+  sarif = filterAlertsByDiffRange(logger, sarif);
+  sarif = await addFingerprints(sarif, checkoutPath, logger);
+  const analysisKey = await getAnalysisKey();
+  const environment = getRequiredInput("matrix");
+  sarif = populateRunAutomationDetails(
+    sarif,
+    category,
+    analysisKey,
+    environment
+  );
+  const toolNames = getToolNames(sarif);
+  logger.debug(`Validating that each SARIF run has a unique category`);
+  validateUniqueCategory(sarif, uploadTarget.sentinelPrefix);
+  logger.debug(`Serializing SARIF for upload`);
+  const sarifPayload = JSON.stringify(sarif);
  const dumpDir = process.env["CODEQL_ACTION_SARIF_DUMP_DIR" /* SARIF_DUMP_DIR */];
-  const upload = uploadKind === "always";
-  if (!upload && !dumpDir) {
-    logger.info(`Skipping upload of ${uploadTarget.name} results`);
-    return void 0;
-  }
-  logger.startGroup(`Processing ${uploadTarget.name} results`);
-  try {
-    logger.info(`Processing sarif files: ${JSON.stringify(sarifPaths)}`);
-    const gitHubVersion = await getGitHubVersion();
-    let sarif;
-    if (sarifPaths.length > 1) {
-      for (const sarifPath of sarifPaths) {
-        const parsedSarif = readSarifFile(sarifPath);
-        validateSarifFileSchema(parsedSarif, sarifPath, logger);
-      }
-      sarif = await combineSarifFilesUsingCLI(
-        sarifPaths,
-        gitHubVersion,
-        features,
-        logger
-      );
-    } else {
-      const sarifPath = sarifPaths[0];
-      sarif = readSarifFile(sarifPath);
-      validateSarifFileSchema(sarif, sarifPath, logger);
-      await throwIfCombineSarifFilesDisabled([sarif], gitHubVersion);
-    }
-    sarif = filterAlertsByDiffRange(logger, sarif);
-    sarif = await addFingerprints(sarif, checkoutPath, logger);
-    const analysisKey = await getAnalysisKey();
-    const environment = getRequiredInput("matrix");
-    sarif = populateRunAutomationDetails(
-      sarif,
-      category,
-      analysisKey,
-      environment
-    );
-    const toolNames = getToolNames(sarif);
-    logger.debug(`Validating that each SARIF run has a unique category`);
-    validateUniqueCategory(sarif, uploadTarget.sentinelPrefix);
-    logger.debug(`Serializing SARIF for upload`);
-    const sarifPayload = JSON.stringify(sarif);
-    if (dumpDir) {
-      dumpSarifFile(sarifPayload, dumpDir, logger, uploadTarget);
-    }
-    if (!upload) {
-      logger.info(
-        `Skipping upload of ${uploadTarget.name} results because upload kind is "${uploadKind}"`
-      );
-      return void 0;
-    }
-    logger.debug(`Compressing serialized SARIF`);
-    const zippedSarif = import_zlib.default.gzipSync(sarifPayload).toString("base64");
-    const checkoutURI = url.pathToFileURL(checkoutPath).href;
-    const payload = buildPayload(
-      await getCommitOid(checkoutPath),
-      await getRef(),
-      analysisKey,
-      getRequiredEnvParam("GITHUB_WORKFLOW"),
-      zippedSarif,
-      getWorkflowRunID(),
-      getWorkflowRunAttempt(),
-      checkoutURI,
-      environment,
-      toolNames,
-      await determineBaseBranchHeadCommitOid()
-    );
-    const rawUploadSizeBytes = sarifPayload.length;
-    logger.debug(`Raw upload size: ${rawUploadSizeBytes} bytes`);
-    const zippedUploadSizeBytes = zippedSarif.length;
-    logger.debug(`Base64 zipped upload size: ${zippedUploadSizeBytes} bytes`);
-    const numResultInSarif = countResultsInSarif(sarifPayload);
-    logger.debug(`Number of results in upload: ${numResultInSarif}`);
-    const sarifID = await uploadPayload(
-      payload,
-      getRepositoryNwo(),
-      logger,
-      uploadTarget.target
-    );
-    return {
-      statusReport: {
-        raw_upload_size_bytes: rawUploadSizeBytes,
-        zipped_upload_size_bytes: zippedUploadSizeBytes,
-        num_results_in_sarif: numResultInSarif
-      },
-      sarifID
-    };
-  } finally {
-    logger.endGroup();
+  if (dumpDir) {
+    dumpSarifFile(sarifPayload, dumpDir, logger, uploadTarget);
  }
+  logger.debug(`Compressing serialized SARIF`);
+  const zippedSarif = import_zlib.default.gzipSync(sarifPayload).toString("base64");
+  const checkoutURI = url.pathToFileURL(checkoutPath).href;
+  const payload = buildPayload(
+    await getCommitOid(checkoutPath),
+    await getRef(),
+    analysisKey,
+    getRequiredEnvParam("GITHUB_WORKFLOW"),
+    zippedSarif,
+    getWorkflowRunID(),
+    getWorkflowRunAttempt(),
+    checkoutURI,
+    environment,
+    toolNames,
+    await determineBaseBranchHeadCommitOid()
+  );
+  const rawUploadSizeBytes = sarifPayload.length;
+  logger.debug(`Raw upload size: ${rawUploadSizeBytes} bytes`);
+  const zippedUploadSizeBytes = zippedSarif.length;
+  logger.debug(`Base64 zipped upload size: ${zippedUploadSizeBytes} bytes`);
+  const numResultInSarif = countResultsInSarif(sarifPayload);
+  logger.debug(`Number of results in upload: ${numResultInSarif}`);
+  const sarifID = await uploadPayload(
+    payload,
+    getRepositoryNwo(),
+    logger,
+    uploadTarget.target
+  );
+  logger.endGroup();
+  return {
+    statusReport: {
+      raw_upload_size_bytes: rawUploadSizeBytes,
+      zipped_upload_size_bytes: zippedUploadSizeBytes,
+      num_results_in_sarif: numResultInSarif
+    },
+    sarifID
+  };
 }
 function dumpSarifFile(sarifPayload, outputDir, logger, uploadTarget) {
  if (!fs17.existsSync(outputDir)) {
@@ -26447,7 +26447,7 @@ var require_package = __commonJS({
        lint: "eslint --report-unused-disable-directives --max-warnings=0 .",
        "lint-ci": "SARIF_ESLINT_IGNORE_SUPPRESSED=true eslint --report-unused-disable-directives --max-warnings=0 . --format @microsoft/eslint-formatter-sarif --output-file=eslint.sarif",
        "lint-fix": "eslint --report-unused-disable-directives --max-warnings=0 . --fix",
-        test: "npm run transpile && ava src/**.test.ts --serial --verbose",
+        test: "npm run transpile && ava src/ --serial --verbose",
        "test-debug": "npm run test -- --timeout=20m",
        transpile: "tsc --build --verbose"
      },
@@ -26486,15 +26486,15 @@ var require_package = __commonJS({
        "node-forge": "^1.3.1",
        octokit: "^5.0.3",
        semver: "^7.7.2",
-        uuid: "^12.0.0"
+        uuid: "^13.0.0"
      },
      devDependencies: {
        "@ava/typescript": "6.0.0",
        "@eslint/compat": "^1.3.2",
        "@eslint/eslintrc": "^3.3.1",
-        "@eslint/js": "^9.35.0",
+        "@eslint/js": "^9.36.0",
        "@microsoft/eslint-formatter-sarif": "^3.1.0",
-        "@octokit/types": "^14.1.0",
+        "@octokit/types": "^15.0.0",
        "@types/archiver": "^6.0.3",
        "@types/console-log-level": "^1.4.5",
        "@types/follow-redirects": "^1.14.4",
@@ -26503,10 +26503,10 @@ var require_package = __commonJS({
        "@types/node-forge": "^1.3.14",
        "@types/semver": "^7.7.1",
        "@types/sinon": "^17.0.4",
-        "@typescript-eslint/eslint-plugin": "^8.43.0",
+        "@typescript-eslint/eslint-plugin": "^8.44.0",
        "@typescript-eslint/parser": "^8.41.0",
        ava: "^6.4.1",
-        esbuild: "^0.25.9",
+        esbuild: "^0.25.10",
        eslint: "^8.57.1",
        "eslint-import-resolver-typescript": "^3.8.7",
        "eslint-plugin-filenames": "^1.3.2",
@@ -26536,7 +26536,8 @@ var require_package = __commonJS({
        },
        "eslint-plugin-jsx-a11y": {
          semver: ">=6.3.1"
-        }
+        },
+        "brace-expansion@2.0.1": "2.0.2"
      }
    };
  }
@@ -77909,6 +77910,9 @@ function parseRepositoryNwo(input) {

 // src/api-client.ts
 var GITHUB_ENTERPRISE_VERSION_HEADER = "x-github-enterprise-version";
+function getRetryConfig() {
+  return isInTestMode() ? { retries: 10, retryAfterBaseValue: 1e4 } : { retries: 3, retryAfterBaseValue: 1e3 };
+}
 function createApiClientWithDetails(apiDetails, { allowExternal = false } = {}) {
  const auth = allowExternal && apiDetails.externalRepoAuth || apiDetails.auth;
  const retryingOctokit = githubUtils.GitHub.plugin(retry.retry);
@@ -77916,7 +77920,8 @@ function createApiClientWithDetails(apiDetails, { allowExternal = false } = {})
    githubUtils.getOctokitOptions(auth, {
      baseUrl: apiDetails.apiURL,
      userAgent: `CodeQL-Action/${getActionVersion()}`,
-      log: (0, import_console_log_level.default)({ level: "debug" })
+      log: (0, import_console_log_level.default)({ level: "debug" }),
+      retry: getRetryConfig()
    })
  );
 }
@@ -78227,7 +78232,6 @@ function wrapCliConfigurationError(cliError) {
 // src/config-utils.ts
 var fs3 = __toESM(require("fs"));
 var path3 = __toESM(require("path"));
-var semver4 = __toESM(require_semver2());

 // src/analyses.ts
 var AnalysisKind = /* @__PURE__ */ ((AnalysisKind2) => {
@@ -78240,8 +78244,17 @@ var supportedAnalysisKinds = new Set(Object.values(AnalysisKind));
 // src/caching-utils.ts
 var core6 = __toESM(require_core());

+// src/config/db-config.ts
+var semver2 = __toESM(require_semver2());
+var PACK_IDENTIFIER_PATTERN = (function() {
+  const alphaNumeric = "[a-z0-9]";
+  const alphaNumericDash = "[a-z0-9-]";
+  const component = `${alphaNumeric}(${alphaNumericDash}*${alphaNumeric})?`;
+  return new RegExp(`^${component}/${component}$`);
+})();
+
 // src/feature-flags.ts
-var semver3 = __toESM(require_semver2());
+var semver4 = __toESM(require_semver2());

 // src/overlay-database-utils.ts
 var fs2 = __toESM(require("fs"));
@@ -78479,7 +78492,7 @@ function computeChangedFiles(baseFileOids, overlayFileOids) {
 }

 // src/tools-features.ts
-var semver2 = __toESM(require_semver2());
+var semver3 = __toESM(require_semver2());
 function isSupportedToolsFeature(versionInfo, feature) {
  return !!versionInfo.features && versionInfo.features[feature];
 }
@@ -78647,6 +78660,11 @@ var featureConfig = {
    envVar: "CODEQL_ACTION_QA_TELEMETRY",
    legacyApi: true,
    minimumVersion: void 0
+  },
+  ["java_minimize_dependency_jars" /* JavaMinimizeDependencyJars */]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_JAVA_MINIMIZE_DEPENDENCY_JARS",
+    minimumVersion: "2.23.0"
  }
 };

@@ -78678,12 +78696,6 @@ var OVERLAY_ANALYSIS_CODE_SCANNING_FEATURES = {
  rust: "overlay_analysis_code_scanning_rust" /* OverlayAnalysisCodeScanningRust */,
  swift: "overlay_analysis_code_scanning_swift" /* OverlayAnalysisCodeScanningSwift */
 };
-var PACK_IDENTIFIER_PATTERN = (function() {
-  const alphaNumeric = "[a-z0-9]";
-  const alphaNumericDash = "[a-z0-9-]";
-  const component = `${alphaNumeric}(${alphaNumericDash}*${alphaNumeric})?`;
-  return new RegExp(`^${component}/${component}$`);
-})();
 function getPathToParsedConfigFile(tempDir) {
  return path3.join(tempDir, "config");
 }
@@ -26447,7 +26447,7 @@ var require_package = __commonJS({
        lint: "eslint --report-unused-disable-directives --max-warnings=0 .",
        "lint-ci": "SARIF_ESLINT_IGNORE_SUPPRESSED=true eslint --report-unused-disable-directives --max-warnings=0 . --format @microsoft/eslint-formatter-sarif --output-file=eslint.sarif",
        "lint-fix": "eslint --report-unused-disable-directives --max-warnings=0 . --fix",
-        test: "npm run transpile && ava src/**.test.ts --serial --verbose",
+        test: "npm run transpile && ava src/ --serial --verbose",
        "test-debug": "npm run test -- --timeout=20m",
        transpile: "tsc --build --verbose"
      },
@@ -26486,15 +26486,15 @@ var require_package = __commonJS({
        "node-forge": "^1.3.1",
        octokit: "^5.0.3",
        semver: "^7.7.2",
-        uuid: "^12.0.0"
+        uuid: "^13.0.0"
      },
      devDependencies: {
        "@ava/typescript": "6.0.0",
        "@eslint/compat": "^1.3.2",
        "@eslint/eslintrc": "^3.3.1",
-        "@eslint/js": "^9.35.0",
+        "@eslint/js": "^9.36.0",
        "@microsoft/eslint-formatter-sarif": "^3.1.0",
-        "@octokit/types": "^14.1.0",
+        "@octokit/types": "^15.0.0",
        "@types/archiver": "^6.0.3",
        "@types/console-log-level": "^1.4.5",
        "@types/follow-redirects": "^1.14.4",
@@ -26503,10 +26503,10 @@ var require_package = __commonJS({
        "@types/node-forge": "^1.3.14",
        "@types/semver": "^7.7.1",
        "@types/sinon": "^17.0.4",
-        "@typescript-eslint/eslint-plugin": "^8.43.0",
+        "@typescript-eslint/eslint-plugin": "^8.44.0",
        "@typescript-eslint/parser": "^8.41.0",
        ava: "^6.4.1",
-        esbuild: "^0.25.9",
+        esbuild: "^0.25.10",
        eslint: "^8.57.1",
        "eslint-import-resolver-typescript": "^3.8.7",
        "eslint-plugin-filenames": "^1.3.2",
@@ -26536,7 +26536,8 @@ var require_package = __commonJS({
        },
        "eslint-plugin-jsx-a11y": {
          semver: ">=6.3.1"
-        }
+        },
+        "brace-expansion@2.0.1": "2.0.2"
      }
    };
  }
@@ -76345,7 +76346,7 @@ var require_brace_expansion2 = __commonJS({
        var isSequence = isNumericSequence || isAlphaSequence;
        var isOptions = m.body.indexOf(",") >= 0;
        if (!isSequence && !isOptions) {
-          if (m.post.match(/,.*\}/)) {
+          if (m.post.match(/,(?!,).*\}/)) {
            str2 = m.pre + "{" + m.body + escClose + m.post;
            return expand(str2);
          }
@@ -93455,7 +93456,7 @@ var require_commonjs16 = __commonJS({
    var TYPEMASK = 1023;
    var entToType = (s) => s.isFile() ? IFREG : s.isDirectory() ? IFDIR : s.isSymbolicLink() ? IFLNK : s.isCharacterDevice() ? IFCHR : s.isBlockDevice() ? IFBLK : s.isSocket() ? IFSOCK : s.isFIFO() ? IFIFO : UNKNOWN;
    var normalizeCache = /* @__PURE__ */ new Map();
-    var normalize2 = (s) => {
+    var normalize = (s) => {
      const c = normalizeCache.get(s);
      if (c)
        return c;
@@ -93468,7 +93469,7 @@ var require_commonjs16 = __commonJS({
      const c = normalizeNocaseCache.get(s);
      if (c)
        return c;
-      const n = normalize2(s.toLowerCase());
+      const n = normalize(s.toLowerCase());
      normalizeNocaseCache.set(s, n);
      return n;
    };
@@ -93637,7 +93638,7 @@ var require_commonjs16 = __commonJS({
       */
      constructor(name, type2 = UNKNOWN, root, roots, nocase, children, opts) {
        this.name = name;
-        this.#matchName = nocase ? normalizeNocase(name) : normalize2(name);
+        this.#matchName = nocase ? normalizeNocase(name) : normalize(name);
        this.#type = type2 & TYPEMASK;
        this.nocase = nocase;
        this.roots = roots;
@@ -93730,7 +93731,7 @@ var require_commonjs16 = __commonJS({
          return this.parent || this;
        }
        const children = this.children();
-        const name = this.nocase ? normalizeNocase(pathPart) : normalize2(pathPart);
+        const name = this.nocase ? normalizeNocase(pathPart) : normalize(pathPart);
        for (const p of children) {
          if (p.#matchName === name) {
            return p;
@@ -93975,7 +93976,7 @@ var require_commonjs16 = __commonJS({
       * directly.
       */
      isNamed(n) {
-        return !this.nocase ? this.#matchName === normalize2(n) : this.#matchName === normalizeNocase(n);
+        return !this.nocase ? this.#matchName === normalize(n) : this.#matchName === normalizeNocase(n);
      }
      /**
       * Return the Path object corresponding to the target of a symbolic link.
@@ -94114,7 +94115,7 @@ var require_commonjs16 = __commonJS({
      #readdirMaybePromoteChild(e, c) {
        for (let p = c.provisional; p < c.length; p++) {
          const pchild = c[p];
-          const name = this.nocase ? normalizeNocase(e.name) : normalize2(e.name);
+          const name = this.nocase ? normalizeNocase(e.name) : normalize(e.name);
          if (name !== pchild.#matchName) {
            continue;
          }
@@ -101945,7 +101946,7 @@ var require_tr46 = __commonJS({
      TRANSITIONAL: 0,
      NONTRANSITIONAL: 1
    };
-    function normalize2(str2) {
+    function normalize(str2) {
      return str2.split("\0").map(function(s) {
        return s.normalize("NFC");
      }).join("\0");
@@ -102025,7 +102026,7 @@ var require_tr46 = __commonJS({
        processing_option = PROCESSING_OPTIONS.NONTRANSITIONAL;
      }
      var error2 = false;
-      if (normalize2(label) !== label || label[3] === "-" && label[4] === "-" || label[0] === "-" || label[label.length - 1] === "-" || label.indexOf(".") !== -1 || label.search(combiningMarksRegex) === 0) {
+      if (normalize(label) !== label || label[3] === "-" && label[4] === "-" || label[0] === "-" || label[label.length - 1] === "-" || label.indexOf(".") !== -1 || label.search(combiningMarksRegex) === 0) {
        error2 = true;
      }
      var len = countSymbols(label);
@@ -102043,7 +102044,7 @@ var require_tr46 = __commonJS({
    }
    function processing(domain_name, useSTD3, processing_option) {
      var result = mapChars(domain_name, useSTD3, processing_option);
-      result.string = normalize2(result.string);
+      result.string = normalize(result.string);
      var labels = result.string.split(".");
      for (var i = 0; i < labels.length; ++i) {
        try {
@@ -117041,6 +117042,9 @@ var ConfigurationError = class extends Error {
    super(message);
  }
 };
+function isInTestMode() {
+  return process.env["CODEQL_ACTION_TEST_MODE" /* TEST_MODE */] === "true";
+}
 function getErrorMessage(error2) {
  return error2 instanceof Error ? error2.message : String(error2);
 }
@@ -117077,6 +117081,9 @@ var githubUtils = __toESM(require_utils4());
 var retry = __toESM(require_dist_node15());
 var import_console_log_level = __toESM(require_console_log_level());
 var GITHUB_ENTERPRISE_VERSION_HEADER = "x-github-enterprise-version";
+function getRetryConfig() {
+  return isInTestMode() ? { retries: 10, retryAfterBaseValue: 1e4 } : { retries: 3, retryAfterBaseValue: 1e3 };
+}
 function createApiClientWithDetails(apiDetails, { allowExternal = false } = {}) {
  const auth = allowExternal && apiDetails.externalRepoAuth || apiDetails.auth;
  const retryingOctokit = githubUtils.GitHub.plugin(retry.retry);
@@ -117084,7 +117091,8 @@ function createApiClientWithDetails(apiDetails, { allowExternal = false } = {})
    githubUtils.getOctokitOptions(auth, {
      baseUrl: apiDetails.apiURL,
      userAgent: `CodeQL-Action/${getActionVersion()}`,
-      log: (0, import_console_log_level.default)({ level: "debug" })
+      log: (0, import_console_log_level.default)({ level: "debug" }),
+      retry: getRetryConfig()
    })
  );
 }
@@ -117126,7 +117134,6 @@ async function getGitHubVersion() {
 // src/config-utils.ts
 var fs = __toESM(require("fs"));
 var path = __toESM(require("path"));
-var semver4 = __toESM(require_semver2());

 // src/analyses.ts
 var AnalysisKind = /* @__PURE__ */ ((AnalysisKind2) => {
@@ -117139,8 +117146,17 @@ var supportedAnalysisKinds = new Set(Object.values(AnalysisKind));
 // src/caching-utils.ts
 var core6 = __toESM(require_core());

+// src/config/db-config.ts
+var semver2 = __toESM(require_semver2());
+var PACK_IDENTIFIER_PATTERN = (function() {
+  const alphaNumeric = "[a-z0-9]";
+  const alphaNumericDash = "[a-z0-9-]";
+  const component = `${alphaNumeric}(${alphaNumericDash}*${alphaNumeric})?`;
+  return new RegExp(`^${component}/${component}$`);
+})();
+
 // src/feature-flags.ts
-var semver3 = __toESM(require_semver2());
+var semver4 = __toESM(require_semver2());

 // src/overlay-database-utils.ts
 var actionsCache = __toESM(require_cache3());
@@ -117162,7 +117178,7 @@ var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB = 15e3;
 var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_BYTES = OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB * 1e6;

 // src/tools-features.ts
-var semver2 = __toESM(require_semver2());
+var semver3 = __toESM(require_semver2());

 // src/feature-flags.ts
 var featureConfig = {
@@ -117327,6 +117343,11 @@ var featureConfig = {
    envVar: "CODEQL_ACTION_QA_TELEMETRY",
    legacyApi: true,
    minimumVersion: void 0
+  },
+  ["java_minimize_dependency_jars" /* JavaMinimizeDependencyJars */]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_JAVA_MINIMIZE_DEPENDENCY_JARS",
+    minimumVersion: "2.23.0"
  }
 };

@@ -117358,12 +117379,6 @@ var OVERLAY_ANALYSIS_CODE_SCANNING_FEATURES = {
  rust: "overlay_analysis_code_scanning_rust" /* OverlayAnalysisCodeScanningRust */,
  swift: "overlay_analysis_code_scanning_swift" /* OverlayAnalysisCodeScanningSwift */
 };
-var PACK_IDENTIFIER_PATTERN = (function() {
-  const alphaNumeric = "[a-z0-9]";
-  const alphaNumericDash = "[a-z0-9-]";
-  const component = `${alphaNumeric}(${alphaNumericDash}*${alphaNumeric})?`;
-  return new RegExp(`^${component}/${component}$`);
-})();
 function getPathToParsedConfigFile(tempDir) {
  return path.join(tempDir, "config");
 }
@@ -29019,7 +29019,7 @@ var require_pattern = __commonJS({
      const absolute = [];
      const relative2 = [];
      for (const pattern of patterns) {
-        if (isAbsolute3(pattern)) {
+        if (isAbsolute2(pattern)) {
          absolute.push(pattern);
        } else {
          relative2.push(pattern);
@@ -29028,10 +29028,10 @@ var require_pattern = __commonJS({
      return [absolute, relative2];
    }
    exports2.partitionAbsoluteAndRelative = partitionAbsoluteAndRelative;
-    function isAbsolute3(pattern) {
+    function isAbsolute2(pattern) {
      return path15.isAbsolute(pattern);
    }
-    exports2.isAbsolute = isAbsolute3;
+    exports2.isAbsolute = isAbsolute2;
  }
 });

@@ -33593,7 +33593,7 @@ var require_package = __commonJS({
        lint: "eslint --report-unused-disable-directives --max-warnings=0 .",
        "lint-ci": "SARIF_ESLINT_IGNORE_SUPPRESSED=true eslint --report-unused-disable-directives --max-warnings=0 . --format @microsoft/eslint-formatter-sarif --output-file=eslint.sarif",
        "lint-fix": "eslint --report-unused-disable-directives --max-warnings=0 . --fix",
-        test: "npm run transpile && ava src/**.test.ts --serial --verbose",
+        test: "npm run transpile && ava src/ --serial --verbose",
        "test-debug": "npm run test -- --timeout=20m",
        transpile: "tsc --build --verbose"
      },
@@ -33632,15 +33632,15 @@ var require_package = __commonJS({
        "node-forge": "^1.3.1",
        octokit: "^5.0.3",
        semver: "^7.7.2",
-        uuid: "^12.0.0"
+        uuid: "^13.0.0"
      },
      devDependencies: {
        "@ava/typescript": "6.0.0",
        "@eslint/compat": "^1.3.2",
        "@eslint/eslintrc": "^3.3.1",
-        "@eslint/js": "^9.35.0",
+        "@eslint/js": "^9.36.0",
        "@microsoft/eslint-formatter-sarif": "^3.1.0",
-        "@octokit/types": "^14.1.0",
+        "@octokit/types": "^15.0.0",
        "@types/archiver": "^6.0.3",
        "@types/console-log-level": "^1.4.5",
        "@types/follow-redirects": "^1.14.4",
@@ -33649,10 +33649,10 @@ var require_package = __commonJS({
        "@types/node-forge": "^1.3.14",
        "@types/semver": "^7.7.1",
        "@types/sinon": "^17.0.4",
-        "@typescript-eslint/eslint-plugin": "^8.43.0",
+        "@typescript-eslint/eslint-plugin": "^8.44.0",
        "@typescript-eslint/parser": "^8.41.0",
        ava: "^6.4.1",
-        esbuild: "^0.25.9",
+        esbuild: "^0.25.10",
        eslint: "^8.57.1",
        "eslint-import-resolver-typescript": "^3.8.7",
        "eslint-plugin-filenames": "^1.3.2",
@@ -33682,7 +33682,8 @@ var require_package = __commonJS({
        },
        "eslint-plugin-jsx-a11y": {
          semver: ">=6.3.1"
-        }
+        },
+        "brace-expansion@2.0.1": "2.0.2"
      }
    };
  }
@@ -84782,7 +84783,6 @@ __export(upload_lib_exports, {
  buildPayload: () => buildPayload,
  findSarifFilesInDir: () => findSarifFilesInDir,
  getSarifFilePaths: () => getSarifFilePaths,
-  maybeUploadFiles: () => maybeUploadFiles,
  populateRunAutomationDetails: () => populateRunAutomationDetails,
  readSarifFile: () => readSarifFile,
  shouldConsiderConfigurationError: () => shouldConsiderConfigurationError,
@@ -88523,6 +88523,9 @@ function parseRepositoryNwo(input) {

 // src/api-client.ts
 var GITHUB_ENTERPRISE_VERSION_HEADER = "x-github-enterprise-version";
+function getRetryConfig() {
+  return isInTestMode() ? { retries: 10, retryAfterBaseValue: 1e4 } : { retries: 3, retryAfterBaseValue: 1e3 };
+}
 function createApiClientWithDetails(apiDetails, { allowExternal = false } = {}) {
  const auth = allowExternal && apiDetails.externalRepoAuth || apiDetails.auth;
  const retryingOctokit = githubUtils.GitHub.plugin(retry.retry);
@@ -88530,7 +88533,8 @@ function createApiClientWithDetails(apiDetails, { allowExternal = false } = {})
    githubUtils.getOctokitOptions(auth, {
      baseUrl: apiDetails.apiURL,
      userAgent: `CodeQL-Action/${getActionVersion()}`,
-      log: (0, import_console_log_level.default)({ level: "debug" })
+      log: (0, import_console_log_level.default)({ level: "debug" }),
+      retry: getRetryConfig()
    })
  );
 }
@@ -88873,7 +88877,6 @@ function wrapCliConfigurationError(cliError) {
 // src/config-utils.ts
 var fs7 = __toESM(require("fs"));
 var path9 = __toESM(require("path"));
-var semver4 = __toESM(require_semver2());

 // src/analyses.ts
 var AnalysisKind = /* @__PURE__ */ ((AnalysisKind2) => {
@@ -88886,12 +88889,21 @@ var supportedAnalysisKinds = new Set(Object.values(AnalysisKind));
 // src/caching-utils.ts
 var core6 = __toESM(require_core());

+// src/config/db-config.ts
+var semver2 = __toESM(require_semver2());
+var PACK_IDENTIFIER_PATTERN = (function() {
+  const alphaNumeric = "[a-z0-9]";
+  const alphaNumericDash = "[a-z0-9-]";
+  const component = `${alphaNumeric}(${alphaNumericDash}*${alphaNumeric})?`;
+  return new RegExp(`^${component}/${component}$`);
+})();
+
 // src/diff-informed-analysis-utils.ts
 var fs6 = __toESM(require("fs"));
 var path8 = __toESM(require("path"));

 // src/feature-flags.ts
-var semver3 = __toESM(require_semver2());
+var semver4 = __toESM(require_semver2());

 // src/defaults.json
 var bundleVersion = "codeql-bundle-v2.23.0";
@@ -89175,7 +89187,7 @@ function computeChangedFiles(baseFileOids, overlayFileOids) {
 }

 // src/tools-features.ts
-var semver2 = __toESM(require_semver2());
+var semver3 = __toESM(require_semver2());
 function isSupportedToolsFeature(versionInfo, feature) {
  return !!versionInfo.features && versionInfo.features[feature];
 }
@@ -89344,6 +89356,11 @@ var featureConfig = {
    envVar: "CODEQL_ACTION_QA_TELEMETRY",
    legacyApi: true,
    minimumVersion: void 0
+  },
+  ["java_minimize_dependency_jars" /* JavaMinimizeDependencyJars */]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_JAVA_MINIMIZE_DEPENDENCY_JARS",
+    minimumVersion: "2.23.0"
  }
 };

@@ -89393,12 +89410,6 @@ var OVERLAY_ANALYSIS_CODE_SCANNING_FEATURES = {
  rust: "overlay_analysis_code_scanning_rust" /* OverlayAnalysisCodeScanningRust */,
  swift: "overlay_analysis_code_scanning_swift" /* OverlayAnalysisCodeScanningSwift */
 };
-var PACK_IDENTIFIER_PATTERN = (function() {
-  const alphaNumeric = "[a-z0-9]";
-  const alphaNumericDash = "[a-z0-9-]";
-  const component = `${alphaNumeric}(${alphaNumericDash}*${alphaNumeric})?`;
-  return new RegExp(`^${component}/${component}$`);
-})();
 function getPathToParsedConfigFile(tempDir) {
  return path9.join(tempDir, "config");
 }
@@ -89449,7 +89460,7 @@ var toolcache3 = __toESM(require_tool_cache());
 var import_fast_deep_equal = __toESM(require_fast_deep_equal());
 var semver7 = __toESM(require_semver2());

-// node_modules/uuid/dist/stringify.js
+// node_modules/uuid/dist-node/stringify.js
 var byteToHex = [];
 for (let i = 0; i < 256; ++i) {
  byteToHex.push((i + 256).toString(16).slice(1));
@@ -89458,7 +89469,7 @@ function unsafeStringify(arr, offset = 0) {
  return (byteToHex[arr[offset + 0]] + byteToHex[arr[offset + 1]] + byteToHex[arr[offset + 2]] + byteToHex[arr[offset + 3]] + "-" + byteToHex[arr[offset + 4]] + byteToHex[arr[offset + 5]] + "-" + byteToHex[arr[offset + 6]] + byteToHex[arr[offset + 7]] + "-" + byteToHex[arr[offset + 8]] + byteToHex[arr[offset + 9]] + "-" + byteToHex[arr[offset + 10]] + byteToHex[arr[offset + 11]] + byteToHex[arr[offset + 12]] + byteToHex[arr[offset + 13]] + byteToHex[arr[offset + 14]] + byteToHex[arr[offset + 15]]).toLowerCase();
 }

-// node_modules/uuid/dist/rng.js
+// node_modules/uuid/dist-node/rng.js
 var import_node_crypto = require("node:crypto");
 var rnds8Pool = new Uint8Array(256);
 var poolPtr = rnds8Pool.length;
@@ -89470,11 +89481,11 @@ function rng() {
  return rnds8Pool.slice(poolPtr, poolPtr += 16);
 }

-// node_modules/uuid/dist/native.js
+// node_modules/uuid/dist-node/native.js
 var import_node_crypto2 = require("node:crypto");
 var native_default = { randomUUID: import_node_crypto2.randomUUID };

-// node_modules/uuid/dist/v4.js
+// node_modules/uuid/dist-node/v4.js
 function _v4(options, buf, offset) {
  options = options || {};
  const rnds = options.random ?? options.rng?.() ?? rng();
@@ -89817,7 +89828,10 @@ function sanitizeUrlForStatusReport(url2) {

 // src/setup-codeql.ts
 var CODEQL_DEFAULT_ACTION_REPOSITORY = "github/codeql-action";
+var CODEQL_NIGHTLIES_REPOSITORY_OWNER = "dsp-testing";
+var CODEQL_NIGHTLIES_REPOSITORY_NAME = "codeql-cli-nightlies";
 var CODEQL_BUNDLE_VERSION_ALIAS = ["linked", "latest"];
+var CODEQL_NIGHTLY_TOOLS_INPUTS = ["nightly", "nightly-latest"];
 function getCodeQLBundleExtension(compressionMethod) {
  switch (compressionMethod) {
    case "gzip":
@@ -89960,7 +89974,7 @@ async function findOverridingToolsInCache(humanReadableVersion, logger) {
  return void 0;
 }
 async function getCodeQLSource(toolsInput, defaultCliVersion, apiDetails, variant, tarSupportsZstd, logger) {
-  if (toolsInput && !CODEQL_BUNDLE_VERSION_ALIAS.includes(toolsInput) && !toolsInput.startsWith("http")) {
+  if (toolsInput && !isReservedToolsValue(toolsInput) && !toolsInput.startsWith("http")) {
    logger.info(`Using CodeQL CLI from local path ${toolsInput}`);
    const compressionMethod2 = inferCompressionMethod(toolsInput);
    if (compressionMethod2 === void 0) {
@@ -89989,6 +90003,12 @@ async function getCodeQLSource(toolsInput, defaultCliVersion, apiDetails, varian
  let cliVersion2;
  let tagName;
  let url2;
+  if (toolsInput !== void 0 && CODEQL_NIGHTLY_TOOLS_INPUTS.includes(toolsInput)) {
+    logger.info(
+      `Using the latest CodeQL CLI nightly, as requested by 'tools: ${toolsInput}'.`
+    );
+    toolsInput = await getNightlyToolsUrl(logger);
+  }
  if (forceShippedTools) {
    cliVersion2 = cliVersion;
    tagName = bundleVersion;
@@ -90272,6 +90292,34 @@ async function useZstdBundle(cliVersion2, tarSupportsZstd) {
 function getTempExtractionDir(tempDir) {
  return path11.join(tempDir, v4_default());
 }
+async function getNightlyToolsUrl(logger) {
+  const zstdAvailability = await isZstdAvailable(logger);
+  const compressionMethod = await useZstdBundle(
+    CODEQL_VERSION_ZSTD_BUNDLE,
+    zstdAvailability.available
+  ) ? "zstd" : "gzip";
+  try {
+    const release = await getApiClient().rest.repos.listReleases({
+      owner: CODEQL_NIGHTLIES_REPOSITORY_OWNER,
+      repo: CODEQL_NIGHTLIES_REPOSITORY_NAME,
+      per_page: 1,
+      page: 1,
+      prerelease: true
+    });
+    const latestRelease = release.data[0];
+    if (!latestRelease) {
+      throw new Error("Could not find the latest nightly release.");
+    }
+    return `https://github.com/${CODEQL_NIGHTLIES_REPOSITORY_OWNER}/${CODEQL_NIGHTLIES_REPOSITORY_NAME}/releases/download/${latestRelease.tag_name}/${getCodeQLBundleName(compressionMethod)}`;
+  } catch (e) {
+    throw new Error(
+      `Failed to retrieve the latest nightly release: ${wrapError(e)}`
+    );
+  }
+}
+function isReservedToolsValue(tools) {
+  return CODEQL_BUNDLE_VERSION_ALIAS.includes(tools) || CODEQL_NIGHTLY_TOOLS_INPUTS.includes(tools);
+}

 // src/tracer-config.ts
 async function shouldEnableIndirectTracing(codeql, config) {
@@ -92392,134 +92440,97 @@ function buildPayload(commitOid, ref, analysisKey, analysisName, zippedSarif, wo
  return payloadObj;
 }
 async function uploadFiles(inputSarifPath, checkoutPath, category, features, logger, uploadTarget) {
-  return maybeUploadFiles(
-    inputSarifPath,
-    checkoutPath,
-    category,
-    features,
-    logger,
-    uploadTarget,
-    "always"
-  );
-}
-async function maybeUploadFiles(inputSarifPath, checkoutPath, category, features, logger, uploadTarget, uploadKind) {
  const sarifPaths = getSarifFilePaths(
    inputSarifPath,
    uploadTarget.sarifPredicate
  );
-  return maybeUploadSpecifiedFiles(
+  return uploadSpecifiedFiles(
    sarifPaths,
    checkoutPath,
    category,
    features,
    logger,
-    uploadTarget,
-    uploadKind
+    uploadTarget
  );
 }
 async function uploadSpecifiedFiles(sarifPaths, checkoutPath, category, features, logger, uploadTarget) {
-  return maybeUploadSpecifiedFiles(
-    sarifPaths,
-    checkoutPath,
+  logger.startGroup(`Uploading ${uploadTarget.name} results`);
+  logger.info(`Processing sarif files: ${JSON.stringify(sarifPaths)}`);
+  const gitHubVersion = await getGitHubVersion();
+  let sarif;
+  if (sarifPaths.length > 1) {
+    for (const sarifPath of sarifPaths) {
+      const parsedSarif = readSarifFile(sarifPath);
+      validateSarifFileSchema(parsedSarif, sarifPath, logger);
+    }
+    sarif = await combineSarifFilesUsingCLI(
+      sarifPaths,
+      gitHubVersion,
+      features,
+      logger
+    );
+  } else {
+    const sarifPath = sarifPaths[0];
+    sarif = readSarifFile(sarifPath);
+    validateSarifFileSchema(sarif, sarifPath, logger);
+    await throwIfCombineSarifFilesDisabled([sarif], gitHubVersion);
+  }
+  sarif = filterAlertsByDiffRange(logger, sarif);
+  sarif = await addFingerprints(sarif, checkoutPath, logger);
+  const analysisKey = await getAnalysisKey();
+  const environment = getRequiredInput("matrix");
+  sarif = populateRunAutomationDetails(
+    sarif,
    category,
-    features,
-    logger,
-    uploadTarget,
-    "always"
+    analysisKey,
+    environment
  );
-}
-async function maybeUploadSpecifiedFiles(sarifPaths, checkoutPath, category, features, logger, uploadTarget, uploadKind) {
+  const toolNames = getToolNames(sarif);
+  logger.debug(`Validating that each SARIF run has a unique category`);
+  validateUniqueCategory(sarif, uploadTarget.sentinelPrefix);
+  logger.debug(`Serializing SARIF for upload`);
+  const sarifPayload = JSON.stringify(sarif);
  const dumpDir = process.env["CODEQL_ACTION_SARIF_DUMP_DIR" /* SARIF_DUMP_DIR */];
-  const upload = uploadKind === "always";
-  if (!upload && !dumpDir) {
-    logger.info(`Skipping upload of ${uploadTarget.name} results`);
-    return void 0;
-  }
-  logger.startGroup(`Processing ${uploadTarget.name} results`);
-  try {
-    logger.info(`Processing sarif files: ${JSON.stringify(sarifPaths)}`);
-    const gitHubVersion = await getGitHubVersion();
-    let sarif;
-    if (sarifPaths.length > 1) {
-      for (const sarifPath of sarifPaths) {
-        const parsedSarif = readSarifFile(sarifPath);
-        validateSarifFileSchema(parsedSarif, sarifPath, logger);
-      }
-      sarif = await combineSarifFilesUsingCLI(
-        sarifPaths,
-        gitHubVersion,
-        features,
-        logger
-      );
-    } else {
-      const sarifPath = sarifPaths[0];
-      sarif = readSarifFile(sarifPath);
-      validateSarifFileSchema(sarif, sarifPath, logger);
-      await throwIfCombineSarifFilesDisabled([sarif], gitHubVersion);
-    }
-    sarif = filterAlertsByDiffRange(logger, sarif);
-    sarif = await addFingerprints(sarif, checkoutPath, logger);
-    const analysisKey = await getAnalysisKey();
-    const environment = getRequiredInput("matrix");
-    sarif = populateRunAutomationDetails(
-      sarif,
-      category,
-      analysisKey,
-      environment
-    );
-    const toolNames = getToolNames(sarif);
-    logger.debug(`Validating that each SARIF run has a unique category`);
-    validateUniqueCategory(sarif, uploadTarget.sentinelPrefix);
-    logger.debug(`Serializing SARIF for upload`);
-    const sarifPayload = JSON.stringify(sarif);
-    if (dumpDir) {
-      dumpSarifFile(sarifPayload, dumpDir, logger, uploadTarget);
-    }
-    if (!upload) {
-      logger.info(
-        `Skipping upload of ${uploadTarget.name} results because upload kind is "${uploadKind}"`
-      );
-      return void 0;
-    }
-    logger.debug(`Compressing serialized SARIF`);
-    const zippedSarif = import_zlib.default.gzipSync(sarifPayload).toString("base64");
-    const checkoutURI = url.pathToFileURL(checkoutPath).href;
-    const payload = buildPayload(
-      await getCommitOid(checkoutPath),
-      await getRef(),
-      analysisKey,
-      getRequiredEnvParam("GITHUB_WORKFLOW"),
-      zippedSarif,
-      getWorkflowRunID(),
-      getWorkflowRunAttempt(),
-      checkoutURI,
-      environment,
-      toolNames,
-      await determineBaseBranchHeadCommitOid()
-    );
-    const rawUploadSizeBytes = sarifPayload.length;
-    logger.debug(`Raw upload size: ${rawUploadSizeBytes} bytes`);
-    const zippedUploadSizeBytes = zippedSarif.length;
-    logger.debug(`Base64 zipped upload size: ${zippedUploadSizeBytes} bytes`);
-    const numResultInSarif = countResultsInSarif(sarifPayload);
-    logger.debug(`Number of results in upload: ${numResultInSarif}`);
-    const sarifID = await uploadPayload(
-      payload,
-      getRepositoryNwo(),
-      logger,
-      uploadTarget.target
-    );
-    return {
-      statusReport: {
-        raw_upload_size_bytes: rawUploadSizeBytes,
-        zipped_upload_size_bytes: zippedUploadSizeBytes,
-        num_results_in_sarif: numResultInSarif
-      },
-      sarifID
-    };
-  } finally {
-    logger.endGroup();
+  if (dumpDir) {
+    dumpSarifFile(sarifPayload, dumpDir, logger, uploadTarget);
  }
+  logger.debug(`Compressing serialized SARIF`);
+  const zippedSarif = import_zlib.default.gzipSync(sarifPayload).toString("base64");
+  const checkoutURI = url.pathToFileURL(checkoutPath).href;
+  const payload = buildPayload(
+    await getCommitOid(checkoutPath),
+    await getRef(),
+    analysisKey,
+    getRequiredEnvParam("GITHUB_WORKFLOW"),
+    zippedSarif,
+    getWorkflowRunID(),
+    getWorkflowRunAttempt(),
+    checkoutURI,
+    environment,
+    toolNames,
+    await determineBaseBranchHeadCommitOid()
+  );
+  const rawUploadSizeBytes = sarifPayload.length;
+  logger.debug(`Raw upload size: ${rawUploadSizeBytes} bytes`);
+  const zippedUploadSizeBytes = zippedSarif.length;
+  logger.debug(`Base64 zipped upload size: ${zippedUploadSizeBytes} bytes`);
+  const numResultInSarif = countResultsInSarif(sarifPayload);
+  logger.debug(`Number of results in upload: ${numResultInSarif}`);
+  const sarifID = await uploadPayload(
+    payload,
+    getRepositoryNwo(),
+    logger,
+    uploadTarget.target
+  );
+  logger.endGroup();
+  return {
+    statusReport: {
+      raw_upload_size_bytes: rawUploadSizeBytes,
+      zipped_upload_size_bytes: zippedUploadSizeBytes,
+      num_results_in_sarif: numResultInSarif
+    },
+    sarifID
+  };
 }
 function dumpSarifFile(sarifPayload, outputDir, logger, uploadTarget) {
  if (!fs13.existsSync(outputDir)) {
@@ -92693,7 +92704,6 @@ function filterAlertsByDiffRange(logger, sarif) {
  buildPayload,
  findSarifFilesInDir,
  getSarifFilePaths,
-  maybeUploadFiles,
  populateRunAutomationDetails,
  readSarifFile,
  shouldConsiderConfigurationError,
@@ -26447,7 +26447,7 @@ var require_package = __commonJS({
        lint: "eslint --report-unused-disable-directives --max-warnings=0 .",
        "lint-ci": "SARIF_ESLINT_IGNORE_SUPPRESSED=true eslint --report-unused-disable-directives --max-warnings=0 . --format @microsoft/eslint-formatter-sarif --output-file=eslint.sarif",
        "lint-fix": "eslint --report-unused-disable-directives --max-warnings=0 . --fix",
-        test: "npm run transpile && ava src/**.test.ts --serial --verbose",
+        test: "npm run transpile && ava src/ --serial --verbose",
        "test-debug": "npm run test -- --timeout=20m",
        transpile: "tsc --build --verbose"
      },
@@ -26486,15 +26486,15 @@ var require_package = __commonJS({
        "node-forge": "^1.3.1",
        octokit: "^5.0.3",
        semver: "^7.7.2",
-        uuid: "^12.0.0"
+        uuid: "^13.0.0"
      },
      devDependencies: {
        "@ava/typescript": "6.0.0",
        "@eslint/compat": "^1.3.2",
        "@eslint/eslintrc": "^3.3.1",
-        "@eslint/js": "^9.35.0",
+        "@eslint/js": "^9.36.0",
        "@microsoft/eslint-formatter-sarif": "^3.1.0",
-        "@octokit/types": "^14.1.0",
+        "@octokit/types": "^15.0.0",
        "@types/archiver": "^6.0.3",
        "@types/console-log-level": "^1.4.5",
        "@types/follow-redirects": "^1.14.4",
@@ -26503,10 +26503,10 @@ var require_package = __commonJS({
        "@types/node-forge": "^1.3.14",
        "@types/semver": "^7.7.1",
        "@types/sinon": "^17.0.4",
-        "@typescript-eslint/eslint-plugin": "^8.43.0",
+        "@typescript-eslint/eslint-plugin": "^8.44.0",
        "@typescript-eslint/parser": "^8.41.0",
        ava: "^6.4.1",
-        esbuild: "^0.25.9",
+        esbuild: "^0.25.10",
        eslint: "^8.57.1",
        "eslint-import-resolver-typescript": "^3.8.7",
        "eslint-plugin-filenames": "^1.3.2",
@@ -26536,7 +26536,8 @@ var require_package = __commonJS({
        },
        "eslint-plugin-jsx-a11y": {
          semver: ">=6.3.1"
-        }
+        },
+        "brace-expansion@2.0.1": "2.0.2"
      }
    };
  }
@@ -70467,7 +70468,7 @@ var require_brace_expansion = __commonJS({
        var isSequence = isNumericSequence || isAlphaSequence;
        var isOptions = m.body.indexOf(",") >= 0;
        if (!isSequence && !isOptions) {
-          if (m.post.match(/,.*\}/)) {
+          if (m.post.match(/,(?!,).*\}/)) {
            str2 = m.pre + "{" + m.body + escClose + m.post;
            return expand(str2);
          }
@@ -117041,6 +117042,9 @@ var ConfigurationError = class extends Error {
    super(message);
  }
 };
+function isInTestMode() {
+  return process.env["CODEQL_ACTION_TEST_MODE" /* TEST_MODE */] === "true";
+}
 function getErrorMessage(error2) {
  return error2 instanceof Error ? error2.message : String(error2);
 }
@@ -117081,6 +117085,9 @@ var githubUtils = __toESM(require_utils4());
 var retry = __toESM(require_dist_node15());
 var import_console_log_level = __toESM(require_console_log_level());
 var GITHUB_ENTERPRISE_VERSION_HEADER = "x-github-enterprise-version";
+function getRetryConfig() {
+  return isInTestMode() ? { retries: 10, retryAfterBaseValue: 1e4 } : { retries: 3, retryAfterBaseValue: 1e3 };
+}
 function createApiClientWithDetails(apiDetails, { allowExternal = false } = {}) {
  const auth = allowExternal && apiDetails.externalRepoAuth || apiDetails.auth;
  const retryingOctokit = githubUtils.GitHub.plugin(retry.retry);
@@ -117088,7 +117095,8 @@ function createApiClientWithDetails(apiDetails, { allowExternal = false } = {})
    githubUtils.getOctokitOptions(auth, {
      baseUrl: apiDetails.apiURL,
      userAgent: `CodeQL-Action/${getActionVersion()}`,
-      log: (0, import_console_log_level.default)({ level: "debug" })
+      log: (0, import_console_log_level.default)({ level: "debug" }),
+      retry: getRetryConfig()
    })
  );
 }
@@ -117286,14 +117294,20 @@ var cliErrorsConfig = {
  }
 };

-// src/config-utils.ts
-var semver4 = __toESM(require_semver2());
-
 // src/caching-utils.ts
 var core6 = __toESM(require_core());

+// src/config/db-config.ts
+var semver2 = __toESM(require_semver2());
+var PACK_IDENTIFIER_PATTERN = (function() {
+  const alphaNumeric = "[a-z0-9]";
+  const alphaNumericDash = "[a-z0-9-]";
+  const component = `${alphaNumeric}(${alphaNumericDash}*${alphaNumeric})?`;
+  return new RegExp(`^${component}/${component}$`);
+})();
+
 // src/feature-flags.ts
-var semver3 = __toESM(require_semver2());
+var semver4 = __toESM(require_semver2());

 // src/overlay-database-utils.ts
 var actionsCache = __toESM(require_cache3());
@@ -117323,10 +117337,10 @@ var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB = 15e3;
 var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_BYTES = OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB * 1e6;

 // src/tools-features.ts
-var semver2 = __toESM(require_semver2());
+var semver3 = __toESM(require_semver2());
 var SafeArtifactUploadVersion = "2.20.3";
 function isSafeArtifactUpload(codeQlVersion) {
-  return !codeQlVersion ? true : semver2.gte(codeQlVersion, SafeArtifactUploadVersion);
+  return !codeQlVersion ? true : semver3.gte(codeQlVersion, SafeArtifactUploadVersion);
 }

 // src/feature-flags.ts
@@ -117492,6 +117506,11 @@ var featureConfig = {
    envVar: "CODEQL_ACTION_QA_TELEMETRY",
    legacyApi: true,
    minimumVersion: void 0
+  },
+  ["java_minimize_dependency_jars" /* JavaMinimizeDependencyJars */]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_JAVA_MINIMIZE_DEPENDENCY_JARS",
+    minimumVersion: "2.23.0"
  }
 };

@@ -117523,12 +117542,6 @@ var OVERLAY_ANALYSIS_CODE_SCANNING_FEATURES = {
  rust: "overlay_analysis_code_scanning_rust" /* OverlayAnalysisCodeScanningRust */,
  swift: "overlay_analysis_code_scanning_swift" /* OverlayAnalysisCodeScanningSwift */
 };
-var PACK_IDENTIFIER_PATTERN = (function() {
-  const alphaNumeric = "[a-z0-9]";
-  const alphaNumericDash = "[a-z0-9-]";
-  const component = `${alphaNumeric}(${alphaNumericDash}*${alphaNumeric})?`;
-  return new RegExp(`^${component}/${component}$`);
-})();

 // src/setup-codeql.ts
 var toolcache3 = __toESM(require_tool_cache());
@@ -27722,7 +27722,7 @@ var require_pattern = __commonJS({
      const absolute = [];
      const relative2 = [];
      for (const pattern of patterns) {
-        if (isAbsolute3(pattern)) {
+        if (isAbsolute2(pattern)) {
          absolute.push(pattern);
        } else {
          relative2.push(pattern);
@@ -27731,10 +27731,10 @@ var require_pattern = __commonJS({
      return [absolute, relative2];
    }
    exports2.partitionAbsoluteAndRelative = partitionAbsoluteAndRelative;
-    function isAbsolute3(pattern) {
+    function isAbsolute2(pattern) {
      return path16.isAbsolute(pattern);
    }
-    exports2.isAbsolute = isAbsolute3;
+    exports2.isAbsolute = isAbsolute2;
  }
 });

@@ -32296,7 +32296,7 @@ var require_package = __commonJS({
        lint: "eslint --report-unused-disable-directives --max-warnings=0 .",
        "lint-ci": "SARIF_ESLINT_IGNORE_SUPPRESSED=true eslint --report-unused-disable-directives --max-warnings=0 . --format @microsoft/eslint-formatter-sarif --output-file=eslint.sarif",
        "lint-fix": "eslint --report-unused-disable-directives --max-warnings=0 . --fix",
-        test: "npm run transpile && ava src/**.test.ts --serial --verbose",
+        test: "npm run transpile && ava src/ --serial --verbose",
        "test-debug": "npm run test -- --timeout=20m",
        transpile: "tsc --build --verbose"
      },
@@ -32335,15 +32335,15 @@ var require_package = __commonJS({
        "node-forge": "^1.3.1",
        octokit: "^5.0.3",
        semver: "^7.7.2",
-        uuid: "^12.0.0"
+        uuid: "^13.0.0"
      },
      devDependencies: {
        "@ava/typescript": "6.0.0",
        "@eslint/compat": "^1.3.2",
        "@eslint/eslintrc": "^3.3.1",
-        "@eslint/js": "^9.35.0",
+        "@eslint/js": "^9.36.0",
        "@microsoft/eslint-formatter-sarif": "^3.1.0",
-        "@octokit/types": "^14.1.0",
+        "@octokit/types": "^15.0.0",
        "@types/archiver": "^6.0.3",
        "@types/console-log-level": "^1.4.5",
        "@types/follow-redirects": "^1.14.4",
@@ -32352,10 +32352,10 @@ var require_package = __commonJS({
        "@types/node-forge": "^1.3.14",
        "@types/semver": "^7.7.1",
        "@types/sinon": "^17.0.4",
-        "@typescript-eslint/eslint-plugin": "^8.43.0",
+        "@typescript-eslint/eslint-plugin": "^8.44.0",
        "@typescript-eslint/parser": "^8.41.0",
        ava: "^6.4.1",
-        esbuild: "^0.25.9",
+        esbuild: "^0.25.10",
        eslint: "^8.57.1",
        "eslint-import-resolver-typescript": "^3.8.7",
        "eslint-plugin-filenames": "^1.3.2",
@@ -32385,7 +32385,8 @@ var require_package = __commonJS({
        },
        "eslint-plugin-jsx-a11y": {
          semver: ">=6.3.1"
-        }
+        },
+        "brace-expansion@2.0.1": "2.0.2"
      }
    };
  }
@@ -88774,6 +88775,9 @@ function parseRepositoryNwo(input) {

 // src/api-client.ts
 var GITHUB_ENTERPRISE_VERSION_HEADER = "x-github-enterprise-version";
+function getRetryConfig() {
+  return isInTestMode() ? { retries: 10, retryAfterBaseValue: 1e4 } : { retries: 3, retryAfterBaseValue: 1e3 };
+}
 function createApiClientWithDetails(apiDetails, { allowExternal = false } = {}) {
  const auth = allowExternal && apiDetails.externalRepoAuth || apiDetails.auth;
  const retryingOctokit = githubUtils.GitHub.plugin(retry.retry);
@@ -88781,7 +88785,8 @@ function createApiClientWithDetails(apiDetails, { allowExternal = false } = {})
    githubUtils.getOctokitOptions(auth, {
      baseUrl: apiDetails.apiURL,
      userAgent: `CodeQL-Action/${getActionVersion()}`,
-      log: (0, import_console_log_level.default)({ level: "debug" })
+      log: (0, import_console_log_level.default)({ level: "debug" }),
+      retry: getRetryConfig()
    })
  );
 }
@@ -89339,6 +89344,11 @@ var featureConfig = {
    envVar: "CODEQL_ACTION_QA_TELEMETRY",
    legacyApi: true,
    minimumVersion: void 0
+  },
+  ["java_minimize_dependency_jars" /* JavaMinimizeDependencyJars */]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_JAVA_MINIMIZE_DEPENDENCY_JARS",
+    minimumVersion: "2.23.0"
  }
 };
 var FEATURE_FLAGS_FILE_NAME = "cached-feature-flags.json";
@@ -89613,11 +89623,19 @@ var core9 = __toESM(require_core());
 // src/config-utils.ts
 var fs8 = __toESM(require("fs"));
 var path10 = __toESM(require("path"));
-var semver4 = __toESM(require_semver2());

 // src/caching-utils.ts
 var core8 = __toESM(require_core());

+// src/config/db-config.ts
+var semver4 = __toESM(require_semver2());
+var PACK_IDENTIFIER_PATTERN = (function() {
+  const alphaNumeric = "[a-z0-9]";
+  const alphaNumericDash = "[a-z0-9-]";
+  const component = `${alphaNumeric}(${alphaNumericDash}*${alphaNumeric})?`;
+  return new RegExp(`^${component}/${component}$`);
+})();
+
 // src/diff-informed-analysis-utils.ts
 var fs7 = __toESM(require("fs"));
 var path9 = __toESM(require("path"));
@@ -89666,12 +89684,6 @@ var OVERLAY_ANALYSIS_CODE_SCANNING_FEATURES = {
  rust: "overlay_analysis_code_scanning_rust" /* OverlayAnalysisCodeScanningRust */,
  swift: "overlay_analysis_code_scanning_swift" /* OverlayAnalysisCodeScanningSwift */
 };
-var PACK_IDENTIFIER_PATTERN = (function() {
-  const alphaNumeric = "[a-z0-9]";
-  const alphaNumericDash = "[a-z0-9-]";
-  const component = `${alphaNumeric}(${alphaNumericDash}*${alphaNumeric})?`;
-  return new RegExp(`^${component}/${component}$`);
-})();
 function getPathToParsedConfigFile(tempDir) {
  return path10.join(tempDir, "config");
 }
@@ -90149,7 +90161,7 @@ var toolcache3 = __toESM(require_tool_cache());
 var import_fast_deep_equal = __toESM(require_fast_deep_equal());
 var semver7 = __toESM(require_semver2());

-// node_modules/uuid/dist/stringify.js
+// node_modules/uuid/dist-node/stringify.js
 var byteToHex = [];
 for (let i = 0; i < 256; ++i) {
  byteToHex.push((i + 256).toString(16).slice(1));
@@ -90158,7 +90170,7 @@ function unsafeStringify(arr, offset = 0) {
  return (byteToHex[arr[offset + 0]] + byteToHex[arr[offset + 1]] + byteToHex[arr[offset + 2]] + byteToHex[arr[offset + 3]] + "-" + byteToHex[arr[offset + 4]] + byteToHex[arr[offset + 5]] + "-" + byteToHex[arr[offset + 6]] + byteToHex[arr[offset + 7]] + "-" + byteToHex[arr[offset + 8]] + byteToHex[arr[offset + 9]] + "-" + byteToHex[arr[offset + 10]] + byteToHex[arr[offset + 11]] + byteToHex[arr[offset + 12]] + byteToHex[arr[offset + 13]] + byteToHex[arr[offset + 14]] + byteToHex[arr[offset + 15]]).toLowerCase();
 }

-// node_modules/uuid/dist/rng.js
+// node_modules/uuid/dist-node/rng.js
 var import_node_crypto = require("node:crypto");
 var rnds8Pool = new Uint8Array(256);
 var poolPtr = rnds8Pool.length;
@@ -90170,11 +90182,11 @@ function rng() {
  return rnds8Pool.slice(poolPtr, poolPtr += 16);
 }

-// node_modules/uuid/dist/native.js
+// node_modules/uuid/dist-node/native.js
 var import_node_crypto2 = require("node:crypto");
 var native_default = { randomUUID: import_node_crypto2.randomUUID };

-// node_modules/uuid/dist/v4.js
+// node_modules/uuid/dist-node/v4.js
 function _v4(options, buf, offset) {
  options = options || {};
  const rnds = options.random ?? options.rng?.() ?? rng();
@@ -90517,7 +90529,10 @@ function sanitizeUrlForStatusReport(url2) {

 // src/setup-codeql.ts
 var CODEQL_DEFAULT_ACTION_REPOSITORY = "github/codeql-action";
+var CODEQL_NIGHTLIES_REPOSITORY_OWNER = "dsp-testing";
+var CODEQL_NIGHTLIES_REPOSITORY_NAME = "codeql-cli-nightlies";
 var CODEQL_BUNDLE_VERSION_ALIAS = ["linked", "latest"];
+var CODEQL_NIGHTLY_TOOLS_INPUTS = ["nightly", "nightly-latest"];
 function getCodeQLBundleExtension(compressionMethod) {
  switch (compressionMethod) {
    case "gzip":
@@ -90660,7 +90675,7 @@ async function findOverridingToolsInCache(humanReadableVersion, logger) {
  return void 0;
 }
 async function getCodeQLSource(toolsInput, defaultCliVersion, apiDetails, variant, tarSupportsZstd, logger) {
-  if (toolsInput && !CODEQL_BUNDLE_VERSION_ALIAS.includes(toolsInput) && !toolsInput.startsWith("http")) {
+  if (toolsInput && !isReservedToolsValue(toolsInput) && !toolsInput.startsWith("http")) {
    logger.info(`Using CodeQL CLI from local path ${toolsInput}`);
    const compressionMethod2 = inferCompressionMethod(toolsInput);
    if (compressionMethod2 === void 0) {
@@ -90689,6 +90704,12 @@ async function getCodeQLSource(toolsInput, defaultCliVersion, apiDetails, varian
  let cliVersion2;
  let tagName;
  let url2;
+  if (toolsInput !== void 0 && CODEQL_NIGHTLY_TOOLS_INPUTS.includes(toolsInput)) {
+    logger.info(
+      `Using the latest CodeQL CLI nightly, as requested by 'tools: ${toolsInput}'.`
+    );
+    toolsInput = await getNightlyToolsUrl(logger);
+  }
  if (forceShippedTools) {
    cliVersion2 = cliVersion;
    tagName = bundleVersion;
@@ -90972,6 +90993,34 @@ async function useZstdBundle(cliVersion2, tarSupportsZstd) {
 function getTempExtractionDir(tempDir) {
  return path12.join(tempDir, v4_default());
 }
+async function getNightlyToolsUrl(logger) {
+  const zstdAvailability = await isZstdAvailable(logger);
+  const compressionMethod = await useZstdBundle(
+    CODEQL_VERSION_ZSTD_BUNDLE,
+    zstdAvailability.available
+  ) ? "zstd" : "gzip";
+  try {
+    const release3 = await getApiClient().rest.repos.listReleases({
+      owner: CODEQL_NIGHTLIES_REPOSITORY_OWNER,
+      repo: CODEQL_NIGHTLIES_REPOSITORY_NAME,
+      per_page: 1,
+      page: 1,
+      prerelease: true
+    });
+    const latestRelease = release3.data[0];
+    if (!latestRelease) {
+      throw new Error("Could not find the latest nightly release.");
+    }
+    return `https://github.com/${CODEQL_NIGHTLIES_REPOSITORY_OWNER}/${CODEQL_NIGHTLIES_REPOSITORY_NAME}/releases/download/${latestRelease.tag_name}/${getCodeQLBundleName(compressionMethod)}`;
+  } catch (e) {
+    throw new Error(
+      `Failed to retrieve the latest nightly release: ${wrapError(e)}`
+    );
+  }
+}
+function isReservedToolsValue(tools) {
+  return CODEQL_BUNDLE_VERSION_ALIAS.includes(tools) || CODEQL_NIGHTLY_TOOLS_INPUTS.includes(tools);
+}

 // src/tracer-config.ts
 async function shouldEnableIndirectTracing(codeql, config) {
@@ -92979,23 +93028,6 @@ function findSarifFilesInDir(sarifPath, isSarif) {
  walkSarifFiles(sarifPath);
  return sarifFiles;
 }
-function getSarifFilePaths(sarifPath, isSarif) {
-  if (!fs14.existsSync(sarifPath)) {
-    throw new ConfigurationError(`Path does not exist: ${sarifPath}`);
-  }
-  let sarifFiles;
-  if (fs14.lstatSync(sarifPath).isDirectory()) {
-    sarifFiles = findSarifFilesInDir(sarifPath, isSarif);
-    if (sarifFiles.length === 0) {
-      throw new ConfigurationError(
-        `No SARIF files found to upload in "${sarifPath}".`
-      );
-    }
-  } else {
-    sarifFiles = [sarifPath];
-  }
-  return sarifFiles;
-}
 function countResultsInSarif(sarif) {
  let numResults = 0;
  const parsedSarif = JSON.parse(sarif);
@@ -93091,135 +93123,84 @@ function buildPayload(commitOid, ref, analysisKey, analysisName, zippedSarif, wo
  }
  return payloadObj;
 }
-async function uploadFiles(inputSarifPath, checkoutPath, category, features, logger, uploadTarget) {
-  return maybeUploadFiles(
-    inputSarifPath,
-    checkoutPath,
-    category,
-    features,
-    logger,
-    uploadTarget,
-    "always"
-  );
-}
-async function maybeUploadFiles(inputSarifPath, checkoutPath, category, features, logger, uploadTarget, uploadKind) {
-  const sarifPaths = getSarifFilePaths(
-    inputSarifPath,
-    uploadTarget.sarifPredicate
-  );
-  return maybeUploadSpecifiedFiles(
-    sarifPaths,
-    checkoutPath,
-    category,
-    features,
-    logger,
-    uploadTarget,
-    uploadKind
-  );
-}
 async function uploadSpecifiedFiles(sarifPaths, checkoutPath, category, features, logger, uploadTarget) {
-  return maybeUploadSpecifiedFiles(
-    sarifPaths,
-    checkoutPath,
+  logger.startGroup(`Uploading ${uploadTarget.name} results`);
+  logger.info(`Processing sarif files: ${JSON.stringify(sarifPaths)}`);
+  const gitHubVersion = await getGitHubVersion();
+  let sarif;
+  if (sarifPaths.length > 1) {
+    for (const sarifPath of sarifPaths) {
+      const parsedSarif = readSarifFile(sarifPath);
+      validateSarifFileSchema(parsedSarif, sarifPath, logger);
+    }
+    sarif = await combineSarifFilesUsingCLI(
+      sarifPaths,
+      gitHubVersion,
+      features,
+      logger
+    );
+  } else {
+    const sarifPath = sarifPaths[0];
+    sarif = readSarifFile(sarifPath);
+    validateSarifFileSchema(sarif, sarifPath, logger);
+    await throwIfCombineSarifFilesDisabled([sarif], gitHubVersion);
+  }
+  sarif = filterAlertsByDiffRange(logger, sarif);
+  sarif = await addFingerprints(sarif, checkoutPath, logger);
+  const analysisKey = await getAnalysisKey();
+  const environment = getRequiredInput("matrix");
+  sarif = populateRunAutomationDetails(
+    sarif,
    category,
-    features,
-    logger,
-    uploadTarget,
-    "always"
+    analysisKey,
+    environment
  );
-}
-async function maybeUploadSpecifiedFiles(sarifPaths, checkoutPath, category, features, logger, uploadTarget, uploadKind) {
+  const toolNames = getToolNames(sarif);
+  logger.debug(`Validating that each SARIF run has a unique category`);
+  validateUniqueCategory(sarif, uploadTarget.sentinelPrefix);
+  logger.debug(`Serializing SARIF for upload`);
+  const sarifPayload = JSON.stringify(sarif);
  const dumpDir = process.env["CODEQL_ACTION_SARIF_DUMP_DIR" /* SARIF_DUMP_DIR */];
-  const upload = uploadKind === "always";
-  if (!upload && !dumpDir) {
-    logger.info(`Skipping upload of ${uploadTarget.name} results`);
-    return void 0;
-  }
-  logger.startGroup(`Processing ${uploadTarget.name} results`);
-  try {
-    logger.info(`Processing sarif files: ${JSON.stringify(sarifPaths)}`);
-    const gitHubVersion = await getGitHubVersion();
-    let sarif;
-    if (sarifPaths.length > 1) {
-      for (const sarifPath of sarifPaths) {
-        const parsedSarif = readSarifFile(sarifPath);
-        validateSarifFileSchema(parsedSarif, sarifPath, logger);
-      }
-      sarif = await combineSarifFilesUsingCLI(
-        sarifPaths,
-        gitHubVersion,
-        features,
-        logger
-      );
-    } else {
-      const sarifPath = sarifPaths[0];
-      sarif = readSarifFile(sarifPath);
-      validateSarifFileSchema(sarif, sarifPath, logger);
-      await throwIfCombineSarifFilesDisabled([sarif], gitHubVersion);
-    }
-    sarif = filterAlertsByDiffRange(logger, sarif);
-    sarif = await addFingerprints(sarif, checkoutPath, logger);
-    const analysisKey = await getAnalysisKey();
-    const environment = getRequiredInput("matrix");
-    sarif = populateRunAutomationDetails(
-      sarif,
-      category,
-      analysisKey,
-      environment
-    );
-    const toolNames = getToolNames(sarif);
-    logger.debug(`Validating that each SARIF run has a unique category`);
-    validateUniqueCategory(sarif, uploadTarget.sentinelPrefix);
-    logger.debug(`Serializing SARIF for upload`);
-    const sarifPayload = JSON.stringify(sarif);
-    if (dumpDir) {
-      dumpSarifFile(sarifPayload, dumpDir, logger, uploadTarget);
-    }
-    if (!upload) {
-      logger.info(
-        `Skipping upload of ${uploadTarget.name} results because upload kind is "${uploadKind}"`
-      );
-      return void 0;
-    }
-    logger.debug(`Compressing serialized SARIF`);
-    const zippedSarif = import_zlib.default.gzipSync(sarifPayload).toString("base64");
-    const checkoutURI = url.pathToFileURL(checkoutPath).href;
-    const payload = buildPayload(
-      await getCommitOid(checkoutPath),
-      await getRef(),
-      analysisKey,
-      getRequiredEnvParam("GITHUB_WORKFLOW"),
-      zippedSarif,
-      getWorkflowRunID(),
-      getWorkflowRunAttempt(),
-      checkoutURI,
-      environment,
-      toolNames,
-      await determineBaseBranchHeadCommitOid()
-    );
-    const rawUploadSizeBytes = sarifPayload.length;
-    logger.debug(`Raw upload size: ${rawUploadSizeBytes} bytes`);
-    const zippedUploadSizeBytes = zippedSarif.length;
-    logger.debug(`Base64 zipped upload size: ${zippedUploadSizeBytes} bytes`);
-    const numResultInSarif = countResultsInSarif(sarifPayload);
-    logger.debug(`Number of results in upload: ${numResultInSarif}`);
-    const sarifID = await uploadPayload(
-      payload,
-      getRepositoryNwo(),
-      logger,
-      uploadTarget.target
-    );
-    return {
-      statusReport: {
-        raw_upload_size_bytes: rawUploadSizeBytes,
-        zipped_upload_size_bytes: zippedUploadSizeBytes,
-        num_results_in_sarif: numResultInSarif
-      },
-      sarifID
-    };
-  } finally {
-    logger.endGroup();
+  if (dumpDir) {
+    dumpSarifFile(sarifPayload, dumpDir, logger, uploadTarget);
  }
+  logger.debug(`Compressing serialized SARIF`);
+  const zippedSarif = import_zlib.default.gzipSync(sarifPayload).toString("base64");
+  const checkoutURI = url.pathToFileURL(checkoutPath).href;
+  const payload = buildPayload(
+    await getCommitOid(checkoutPath),
+    await getRef(),
+    analysisKey,
+    getRequiredEnvParam("GITHUB_WORKFLOW"),
+    zippedSarif,
+    getWorkflowRunID(),
+    getWorkflowRunAttempt(),
+    checkoutURI,
+    environment,
+    toolNames,
+    await determineBaseBranchHeadCommitOid()
+  );
+  const rawUploadSizeBytes = sarifPayload.length;
+  logger.debug(`Raw upload size: ${rawUploadSizeBytes} bytes`);
+  const zippedUploadSizeBytes = zippedSarif.length;
+  logger.debug(`Base64 zipped upload size: ${zippedUploadSizeBytes} bytes`);
+  const numResultInSarif = countResultsInSarif(sarifPayload);
+  logger.debug(`Number of results in upload: ${numResultInSarif}`);
+  const sarifID = await uploadPayload(
+    payload,
+    getRepositoryNwo(),
+    logger,
+    uploadTarget.target
+  );
+  logger.endGroup();
+  return {
+    statusReport: {
+      raw_upload_size_bytes: rawUploadSizeBytes,
+      zipped_upload_size_bytes: zippedUploadSizeBytes,
+      num_results_in_sarif: numResultInSarif
+    },
+    sarifID
+  };
 }
 function dumpSarifFile(sarifPayload, outputDir, logger, uploadTarget) {
  if (!fs14.existsSync(outputDir)) {
@@ -93389,6 +93370,30 @@ function filterAlertsByDiffRange(logger, sarif) {
 }

 // src/upload-sarif-action.ts
+async function findAndUpload(logger, features, sarifPath, pathStats, checkoutPath, analysis, category) {
+  let sarifFiles;
+  if (pathStats.isDirectory()) {
+    sarifFiles = findSarifFilesInDir(
+      sarifPath,
+      analysis.sarifPredicate
+    );
+  } else if (pathStats.isFile() && analysis.sarifPredicate(sarifPath)) {
+    sarifFiles = [sarifPath];
+  } else {
+    return void 0;
+  }
+  if (sarifFiles.length !== 0) {
+    return await uploadSpecifiedFiles(
+      sarifFiles,
+      checkoutPath,
+      category,
+      features,
+      logger,
+      analysis
+    );
+  }
+  return void 0;
+}
 async function sendSuccessStatusReport(startedAt, uploadStats, logger) {
  const statusReportBase = await createStatusReportBase(
    "upload-sarif" /* UploadSarif */,
@@ -93435,41 +93440,59 @@ async function run() {
    const sarifPath = getRequiredInput("sarif_file");
    const checkoutPath = getRequiredInput("checkout_path");
    const category = getOptionalInput("category");
-    const uploadResult = await uploadFiles(
-      sarifPath,
-      checkoutPath,
-      category,
-      features,
-      logger,
-      CodeScanning
-    );
-    core13.setOutput("sarif-id", uploadResult.sarifID);
-    if (fs15.lstatSync(sarifPath).isDirectory()) {
-      const qualitySarifFiles = findSarifFilesInDir(
-        sarifPath,
-        CodeQuality.sarifPredicate
-      );
-      if (qualitySarifFiles.length !== 0) {
-        await uploadSpecifiedFiles(
-          qualitySarifFiles,
-          checkoutPath,
-          fixCodeQualityCategory(logger, category),
-          features,
-          logger,
-          CodeQuality
-        );
-      }
+    const pathStats = fs15.lstatSync(sarifPath, { throwIfNoEntry: false });
+    if (pathStats === void 0) {
+      throw new ConfigurationError(`Path does not exist: ${sarifPath}.`);
    }
+    const sarifIds = [];
+    const uploadResult = await findAndUpload(
+      logger,
+      features,
+      sarifPath,
+      pathStats,
+      checkoutPath,
+      CodeScanning,
+      category
+    );
+    if (uploadResult !== void 0) {
+      core13.setOutput("sarif-id", uploadResult.sarifID);
+      sarifIds.push({
+        analysis: "code-scanning" /* CodeScanning */,
+        id: uploadResult.sarifID
+      });
+    }
+    const qualityUploadResult = await findAndUpload(
+      logger,
+      features,
+      sarifPath,
+      pathStats,
+      checkoutPath,
+      CodeQuality,
+      fixCodeQualityCategory(logger, category)
+    );
+    if (qualityUploadResult !== void 0) {
+      sarifIds.push({
+        analysis: "code-quality" /* CodeQuality */,
+        id: qualityUploadResult.sarifID
+      });
+    }
+    core13.setOutput("sarif-ids", JSON.stringify(sarifIds));
    if (isInTestMode()) {
      core13.debug("In test mode. Waiting for processing is disabled.");
    } else if (getRequiredInput("wait-for-processing") === "true") {
-      await waitForProcessing(
-        getRepositoryNwo(),
-        uploadResult.sarifID,
-        logger
-      );
+      if (uploadResult !== void 0) {
+        await waitForProcessing(
+          getRepositoryNwo(),
+          uploadResult.sarifID,
+          logger
+        );
+      }
    }
-    await sendSuccessStatusReport(startedAt, uploadResult.statusReport, logger);
+    await sendSuccessStatusReport(
+      startedAt,
+      uploadResult?.statusReport || {},
+      logger
+    );
  } catch (unwrappedError) {
    const error2 = isThirdPartyAnalysis("upload-sarif" /* UploadSarif */) && unwrappedError instanceof InvalidSarifUploadError ? new ConfigurationError(unwrappedError.message) : wrapError(unwrappedError);
    const message = error2.message;
@@ -9,7 +9,7 @@
    "lint": "eslint --report-unused-disable-directives --max-warnings=0 .",
    "lint-ci": "SARIF_ESLINT_IGNORE_SUPPRESSED=true eslint --report-unused-disable-directives --max-warnings=0 . --format @microsoft/eslint-formatter-sarif --output-file=eslint.sarif",
    "lint-fix": "eslint --report-unused-disable-directives --max-warnings=0 . --fix",
-    "test": "npm run transpile && ava src/**.test.ts --serial --verbose",
+    "test": "npm run transpile && ava src/ --serial --verbose",
    "test-debug": "npm run test -- --timeout=20m",
    "transpile": "tsc --build --verbose"
  },
@@ -48,15 +48,15 @@
    "node-forge": "^1.3.1",
    "octokit": "^5.0.3",
    "semver": "^7.7.2",
-    "uuid": "^12.0.0"
+    "uuid": "^13.0.0"
  },
  "devDependencies": {
    "@ava/typescript": "6.0.0",
    "@eslint/compat": "^1.3.2",
    "@eslint/eslintrc": "^3.3.1",
-    "@eslint/js": "^9.35.0",
+    "@eslint/js": "^9.36.0",
    "@microsoft/eslint-formatter-sarif": "^3.1.0",
-    "@octokit/types": "^14.1.0",
+    "@octokit/types": "^15.0.0",
    "@types/archiver": "^6.0.3",
    "@types/console-log-level": "^1.4.5",
    "@types/follow-redirects": "^1.14.4",
@@ -65,10 +65,10 @@
    "@types/node-forge": "^1.3.14",
    "@types/semver": "^7.7.1",
    "@types/sinon": "^17.0.4",
-    "@typescript-eslint/eslint-plugin": "^8.43.0",
+    "@typescript-eslint/eslint-plugin": "^8.44.0",
    "@typescript-eslint/parser": "^8.41.0",
    "ava": "^6.4.1",
-    "esbuild": "^0.25.9",
+    "esbuild": "^0.25.10",
    "eslint": "^8.57.1",
    "eslint-import-resolver-typescript": "^3.8.7",
    "eslint-plugin-filenames": "^1.3.2",
@@ -98,6 +98,7 @@
    },
    "eslint-plugin-jsx-a11y": {
      "semver": ">=6.3.1"
-    }
+    },
+    "brace-expansion@2.0.1": "2.0.2"
  }
 }
@@ -12,6 +12,5 @@ steps:
      languages: cpp,csharp,go,java,javascript,python,ruby
      tools: ${{ steps.prepare-test.outputs.tools-url }}
  - name: Build code
-    shell: bash
    run: ./build.sh
  - uses: ./../action/analyze
@@ -9,7 +9,6 @@ steps:
      languages: cpp,csharp,java,javascript,python
      config-file: ${{ github.repository }}/tests/multi-language-repo/.github/codeql/custom-queries.yml@${{ github.sha }}
  - name: Build code
-    shell: bash
    run: ./build.sh
  - uses: ./../action/analyze
    with:
@@ -17,7 +17,6 @@ steps:
      CORECLR_PROFILER_PATH_64: ""
  - uses: ./../action/analyze
  - name: Check database
-    shell: bash
    run: |
      cd "$RUNNER_TEMP/codeql_databases"
      if [[ ! -d csharp ]]; then
@@ -10,7 +10,6 @@ env:
  CODEQL_ACTION_AUTOBUILD_BUILD_MODE_DIRECT_TRACING: true
 steps:
  - name: Test setup
-    shell: bash
    run: |
      # Make sure that Gradle build succeeds in autobuild-dir ...
      cp -a ../action/tests/java-repo autobuild-dir
@@ -22,7 +21,6 @@ steps:
      languages: java
      tools: ${{ steps.prepare-test.outputs.tools-url }}
  - name: Check that indirect tracing is disabled
-    shell: bash
    run: |
      if [[ ! -z "${CODEQL_RUNNER}" ]]; then
        echo "Expected indirect tracing to be disabled, but the" \
@@ -7,7 +7,6 @@ env:
  CODEQL_ACTION_AUTOBUILD_BUILD_MODE_DIRECT_TRACING: true
 steps:
  - name: Set up Java test repo configuration
-    shell: bash
    run: |
      mv * .github ../action/tests/multi-language-repo/
      mv ../action/tests/multi-language-repo/.github/workflows .github
@@ -22,7 +21,6 @@ steps:
      tools: ${{ steps.prepare-test.outputs.tools-url }}

  - name: Check that indirect tracing is disabled
-    shell: bash
    run: |
      if [[ ! -z "${CODEQL_RUNNER}" ]]; then
        echo "Expected indirect tracing to be disabled, but the" \
@@ -22,7 +22,6 @@ steps:
      fi

  - name: Build code
-    shell: bash
    run: ./build.sh

  - uses: ./../action/analyze
@@ -6,7 +6,6 @@ env:
  DOTNET_GENERATE_ASPNET_CERTIFICATE: "false"
 steps:
  - name: Test setup
-    shell: bash
    run: |
      cp -a ../action/tests/cpp-autobuild autobuild-dir
  - uses: ./../action/init
@@ -18,8 +17,7 @@ steps:
      working-directory: autobuild-dir
    env:
      CODEQL_EXTRACTOR_CPP_AUTOINSTALL_DEPENDENCIES: false
-  - shell: bash
-    run: |
+  - run: |
      if ls /usr/bin/errno; then
        echo "C/C++ autobuild installed errno, but it should not have since auto-install dependencies is disabled."
        exit 1
@@ -6,7 +6,6 @@ env:
  DOTNET_GENERATE_ASPNET_CERTIFICATE: "false"
 steps:
  - name: Test setup
-    shell: bash
    run: |
      cp -a ../action/tests/cpp-autobuild autobuild-dir
  - uses: ./../action/init
@@ -18,8 +17,7 @@ steps:
      working-directory: autobuild-dir
    env:
      CODEQL_EXTRACTOR_CPP_AUTOINSTALL_DEPENDENCIES: true
-  - shell: bash
-    run: |
+  - run: |
      if ! ls /usr/bin/errno; then
        echo "As expected, CODEQL_EXTRACTOR_CPP_AUTOINSTALL_DEPENDENCIES is a no-op on macOS"
      else
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Michael B. Gale	456086d251	Adjust retry configuration and add comment	2025-09-23 12:59:21 +01:00
Michael B. Gale	d71accc5fa	Configure the API client to retry more often when in test mode	2025-09-23 10:18:39 +01:00
Michael B. Gale	7f44048739	Merge pull request #3133 from github/dependabot/npm_and_yarn/npm-4684794bae Bump the npm group with 5 updates	2025-09-23 09:34:15 +01:00
github-actions[bot]	8a84c17a9d	Rebuild	2025-09-22 17:08:30 +00:00
dependabot[bot]	3837f2e205	Bump the npm group with 5 updates Bumps the npm group with 5 updates: \| Package \| From \| To \| \| --- \| --- \| --- \| \| [@eslint/js](https://github.com/eslint/eslint/tree/HEAD/packages/js) \| `9.35.0` \| `9.36.0` \| \| [@octokit/types](https://github.com/octokit/types.ts) \| `14.1.0` \| `15.0.0` \| \| [@typescript-eslint/eslint-plugin](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/eslint-plugin) \| `8.43.0` \| `8.44.0` \| \| [@typescript-eslint/parser](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/parser) \| `8.43.0` \| `8.44.0` \| \| [esbuild](https://github.com/evanw/esbuild) \| `0.25.9` \| `0.25.10` \| Updates `@eslint/js` from 9.35.0 to 9.36.0 - [Release notes](https://github.com/eslint/eslint/releases) - [Changelog](https://github.com/eslint/eslint/blob/main/CHANGELOG.md) - [Commits](https://github.com/eslint/eslint/commits/v9.36.0/packages/js) Updates `@octokit/types` from 14.1.0 to 15.0.0 - [Release notes](https://github.com/octokit/types.ts/releases) - [Commits](https://github.com/octokit/types.ts/compare/v14.1.0...v15.0.0) Updates `@typescript-eslint/eslint-plugin` from 8.43.0 to 8.44.0 - [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases) - [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/eslint-plugin/CHANGELOG.md) - [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v8.44.0/packages/eslint-plugin) Updates `@typescript-eslint/parser` from 8.43.0 to 8.44.0 - [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases) - [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/parser/CHANGELOG.md) - [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v8.44.0/packages/parser) Updates `esbuild` from 0.25.9 to 0.25.10 - [Release notes](https://github.com/evanw/esbuild/releases) - [Changelog](https://github.com/evanw/esbuild/blob/main/CHANGELOG.md) - [Commits](https://github.com/evanw/esbuild/compare/v0.25.9...v0.25.10) --- updated-dependencies: - dependency-name: "@eslint/js" dependency-version: 9.36.0 dependency-type: direct:development update-type: version-update:semver-minor dependency-group: npm - dependency-name: "@octokit/types" dependency-version: 15.0.0 dependency-type: direct:development update-type: version-update:semver-major dependency-group: npm - dependency-name: "@typescript-eslint/eslint-plugin" dependency-version: 8.44.0 dependency-type: direct:development update-type: version-update:semver-minor dependency-group: npm - dependency-name: "@typescript-eslint/parser" dependency-version: 8.44.0 dependency-type: direct:development update-type: version-update:semver-minor dependency-group: npm - dependency-name: esbuild dependency-version: 0.25.10 dependency-type: direct:development update-type: version-update:semver-patch dependency-group: npm ... Signed-off-by: dependabot[bot] <support@github.com>	2025-09-22 17:07:06 +00:00
Henry Mercer	b8806eca8c	Merge pull request #3131 from github/henrymercer/required-checks-safety CI: Improve safety of update required checks script	2025-09-22 15:37:35 +01:00
Henry Mercer	33da5f0b36	Use jq to check array length Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>	2025-09-22 15:21:20 +01:00
Henry Mercer	8a9ef89a8a	Update required checks: Fail if no check runs found	2025-09-22 16:08:45 +02:00
Henry Mercer	6b6d1ddcf9	Update required checks: Fail on error	2025-09-22 16:08:31 +02:00
Henry Mercer	2b07444ab3	Merge pull request #3130 from github/henrymercer/request-nightly Support requesting latest nightly with `tools: nightly`	2025-09-22 14:59:43 +01:00
Henry Mercer	5ab5aef079	Document `nightly` tools input in `action.yml`	2025-09-22 15:48:23 +02:00
Henry Mercer	4901f549de	Lint	2025-09-22 14:01:09 +02:00
Henry Mercer	e2e36b17af	Add helper function for reserved tools values	2025-09-22 13:59:40 +02:00
Henry Mercer	bd516303e1	Specify bundle URL in local bundle PR check	2025-09-22 13:32:04 +02:00
Michael B. Gale	6117099fe1	Merge pull request #3127 from github/mbg/refactor/db-config-and-errors Refactor database configuration from `config-utils` into its own file	2025-09-22 12:23:54 +01:00
Henry Mercer	79e0afb999	Run local CodeQL check using linked bundle	2025-09-22 13:21:11 +02:00
Henry Mercer	a25c57cebe	Wrap API call to provide better error message	2025-09-22 13:20:16 +02:00
Henry Mercer	48017e960d	Add changelog note	2025-09-22 12:57:53 +02:00
Henry Mercer	39be66afb0	Add log message	2025-09-22 12:54:42 +02:00
Henry Mercer	67427c612a	Update prepare-test docs	2025-09-22 12:49:36 +02:00
Henry Mercer	9e8cbee7cb	Process nightly CI runs using `tools: nightly`	2025-09-22 12:49:36 +02:00
Henry Mercer	0f4529ee05	Enable requesting latest nightly with "tools: nightly"	2025-09-22 12:49:35 +02:00
Michael B. Gale	0c4919df84	Merge pull request #3128 from github/mbg/ci/concurrency	2025-09-22 11:45:22 +01:00
Michael B. Gale	2d8d6395ef	Add missing "not" in comment	2025-09-20 14:23:28 +01:00
Michael B. Gale	6fcf631e73	Add `concurrency` settings to PR checks	2025-09-20 14:19:07 +01:00
Michael B. Gale	a067418f51	Ava: Run all tests in `src/` directory	2025-09-20 14:10:04 +01:00
Michael B. Gale	0337c4c06e	Merge pull request #3123 from github/mbg/fix/upload-sarif-cq-only	2025-09-19 18:48:48 +01:00
Chuan-kai Lin	c22ae04dd3	Merge pull request #3125 from github/cklin/overlay-restore-timeout Overlay: use restoreCache() timeout	2025-09-19 10:25:21 -07:00
Chuan-kai Lin	80273e2bc1	Overlay: use restoreCache() timeout This commit changes overlay-base database download to pass the segmentTimeoutInMs option to restoreCache(), so that restoreCache() itself can properly abort slow downloads. The waitForResultWithTimeLimit() wrapper around restoreCache() remains as a second line of defense, but with a higher 10-minute time limit, to guard against cache restore hangs outside segment downloads.	2025-09-19 09:40:09 -07:00
Michael B. Gale	dc1166cacb	Move tests for functions now in `db-config`	2025-09-19 17:16:41 +01:00
Michael B. Gale	ddc6d540f0	Move `AugmentationProperties` out of `config-utils`	2025-09-19 17:08:17 +01:00
Michael B. Gale	6222edff53	Move error messages from `config-utils` to their own file	2025-09-19 17:08:09 +01:00
Michael B. Gale	3305d21389	Move `UserConfig` to its own file	2025-09-19 17:08:00 +01:00
Michael B. Gale	db37d924ee	Fix condition	2025-09-19 16:17:34 +01:00
Michael B. Gale	6249793233	Disable `cpp` in `upload-quality-sarif` check	2025-09-19 16:17:33 +01:00
Michael B. Gale	e33b0ab3ac	Update `upload-quality-sarif` check to only use `code-quality`	2025-09-19 16:17:33 +01:00
Michael B. Gale	7bea0e2e12	Fix outdated comment	2025-09-19 16:17:33 +01:00
Michael B. Gale	d378195403	Add new `sarif-ids` output to `upload-sarif` action Unlike `sarif-id` which is for the single Code Scanning SARIF id, `sarif-ids` contains stringified JSON object with details of all SARIF ids.	2025-09-19 16:17:31 +01:00
Chuan-kai Lin	12dda79905	Merge pull request #3124 from github/cklin/rename-withtimeout Rename withTimeout() to waitForResultWithTimeLimit()	2025-09-18 13:34:56 -07:00
Michael B. Gale	a2ce099060	Use `findAndUpload` for Code Scanning	2025-09-18 16:29:25 +01:00
Michael B. Gale	696b467654	Handle single file case in `findAndUpload`	2025-09-18 16:29:23 +01:00
Michael B. Gale	c8e017d3e7	Move `isDirectory` check into `findAndUpload`	2025-09-18 16:28:39 +01:00
Chuan-kai Lin	8185897cad	Rename withTimeout() to waitForResultWithTimeLimit() The name withTimeout() gives the impression that it would limit the execution of the promise to the given time bound. But that is not the case: it is only the _waiting_ that is limited, and the promise would keep running beyond the time bound. This commit renames withTimeout() to waitForResultWithTimeLimit() so that developers are more likely to understand the actual behavior of this function.	2025-09-18 08:27:36 -07:00
Michael B. Gale	a6161a8092	Call `lstatSync` on `sarifPath` earlier and check that the path exists then	2025-09-18 14:13:17 +01:00
Michael B. Gale	35454d39b2	Refactor CQ SARIF upload in `upload-sarif` into a function	2025-09-18 14:13:14 +01:00
Henry Mercer	b73659a4ff	Merge pull request #3122 from felickz/main Update ref description in action.ymls to include expected format for uploads	2025-09-18 09:52:36 +01:00
Chad Bentz	2f35a47982	Update upload-sarif/action.yml Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>	2025-09-17 19:07:57 -04:00
Chad Bentz	242ca1c0a1	Update ref description in action.ymls to include expected format for uploads	2025-09-17 19:02:50 -04:00
Henry Mercer	573acd9552	Merge pull request #3115 from github/dependabot/npm_and_yarn/npm-75b7851ed5 Bump uuid from 12.0.0 to 13.0.0 in the npm group	2025-09-15 18:38:40 +01:00
github-actions[bot]	668f0f00da	Rebuild	2025-09-15 17:18:08 +00:00
dependabot[bot]	0b263ec528	Bump uuid from 12.0.0 to 13.0.0 in the npm group Bumps the npm group with 1 update: [uuid](https://github.com/uuidjs/uuid). Updates `uuid` from 12.0.0 to 13.0.0 - [Release notes](https://github.com/uuidjs/uuid/releases) - [Changelog](https://github.com/uuidjs/uuid/blob/main/CHANGELOG.md) - [Commits](https://github.com/uuidjs/uuid/compare/v12.0.0...v13.0.0) --- updated-dependencies: - dependency-name: uuid dependency-version: 13.0.0 dependency-type: direct:production update-type: version-update:semver-major dependency-group: npm ... Signed-off-by: dependabot[bot] <support@github.com>	2025-09-15 17:16:56 +00:00
Michael B. Gale	9e5383b3b1	Merge pull request #3113 from github/nickrolfe/minimize-jars-followup Only enable Java dependency minimisation when caching is enabled	2025-09-15 16:57:27 +01:00
Henry Mercer	8279538f3d	Merge pull request #3114 from github/henrymercer/pr-checks-codeql-2.22 Run PR checks over CodeQL v2.22 release series	2025-09-15 16:52:03 +01:00
Henry Mercer	86f23c3336	Run PR checks over CodeQL v2.22 release series	2025-09-15 16:34:20 +01:00
Henry Mercer	77c3d2533d	Merge pull request #3112 from github/henrymercer/scan-python CI: Configure Python analysis	2025-09-15 16:25:56 +01:00
Henry Mercer	1069ace04e	Update .github/workflows/codeql.yml	2025-09-15 16:09:21 +01:00
Nick Rolfe	4014b75309	Only enable JAVA dependency minimisation when caching is enabled	2025-09-15 15:11:28 +01:00
Henry Mercer	bce0fa7b27	Remove build mode from matrix	2025-09-15 14:45:40 +01:00
Henry Mercer	8105843d42	Specify `paths-ignore` for other languages	2025-09-15 14:20:15 +01:00
Henry Mercer	61b8b636e3	Only upload a single matrix case for JS	2025-09-15 14:15:05 +01:00
Henry Mercer	73ead84d0a	Reorder strategy properties	2025-09-15 14:12:47 +01:00
Henry Mercer	793fe1783c	CI: Configure Python analysis	2025-09-15 14:10:32 +01:00
Paolo Tranquilli	aa90e97ad2	Merge pull request #3091 from github/redsun82/fix-windows-ci Set `shell: bash` by default on all workflows	2025-09-12 18:47:08 +02:00
Paolo Tranquilli	2b7d487cf8	Update .github/workflows/codeql.yml Co-authored-by: Henry Mercer <henrymercer@github.com>	2025-09-12 18:20:44 +02:00
Paolo Tranquilli	f92cc3a0e7	Merge pull request #3065 from github/redsun82/update-brace-expansion Use brace-expansion >2.0.1	2025-09-12 16:06:42 +02:00
Nick Rolfe	185266a022	Merge pull request #3107 from github/nickrolfe/minimize-jars Add feature flag to roll out JAR minimization in the Java extractor	2025-09-12 13:09:42 +01:00
Paolo Tranquilli	a1244387b0	Merge branch 'main' into redsun82/update-brace-expansion	2025-09-12 13:44:46 +02:00
Michael B. Gale	dc9a47dceb	Merge pull request #3110 from github/mbg/proxy/fetch-from-release Fetch proxy binaries from `defaults.json` release	2025-09-12 12:38:15 +01:00
Nick Rolfe	3ca9525ddd	Add changelog entry for Java dependency minimization rollout	2025-09-12 12:10:05 +01:00
Nick Rolfe	0abf548bb3	Add feature flag to roll out JAR minimization in the Java extractor	2025-09-12 12:09:34 +01:00
Michael B. Gale	e2636d2e4f	Change "current release" to "linked release"	2025-09-12 11:15:03 +01:00
Michael B. Gale	9df23425dc	Search release pointed at by `defaults.json` for registry proxy artifact	2025-09-11 18:56:19 +01:00
Paolo Tranquilli	4e1dadc5b3	Fix accidental removal of `- shell: bash` lines	2025-09-11 17:54:28 +02:00
Paolo Tranquilli	856e1e5c78	Address review	2025-09-11 17:54:00 +02:00
Paolo Tranquilli	d797efbb26	Merge branch 'main' into redsun82/fix-windows-ci	2025-09-11 17:41:08 +02:00
Michael B. Gale	ffcbb4c0c1	Move `UPDATEJOB_PROXY` constants to `start-proxy.ts`	2025-09-11 15:34:29 +01:00
Michael B. Gale	3bf58bb047	Merge branch 'main' into redsun82/fix-windows-ci	2025-09-09 19:35:16 +01:00
Paolo Tranquilli	c778749ed4	fix `codeql.yml` codeql invocation on windows	2025-09-09 14:08:29 +02:00
Paolo Tranquilli	0c065fa4cf	Sort out windows CRLF mess	2025-09-09 14:00:28 +02:00
Paolo Tranquilli	1b8f0ffedf	Set `shell: bash` by default on all workflows	2025-09-09 12:19:45 +02:00
Paolo Tranquilli	d42097d387	Build	2025-09-08 14:05:29 +02:00
Paolo Tranquilli	16f15bc9a7	Merge branch 'main' into redsun82/update-brace-expansion	2025-09-08 14:03:32 +02:00
Paolo Tranquilli	f11caf4aad	Override `brace-expansion` from `2.0.1` to `2.0.2`	2025-09-08 10:53:44 +02:00