Specify Accept header for toolcache.downloadTool

Merge pull request #3115 from github/dependabot/npm_and_yarn/npm-75b7851ed5
Bump uuid from 12.0.0 to 13.0.0 in the npm group
2026-05-09 15:20:28 +00:00 · 2025-09-17 18:36:30 +01:00 · 2025-09-15 18:38:40 +01:00 · 2025-09-15 17:18:08 +00:00 · 2025-09-15 17:16:56 +00:00 · 2025-09-15 16:57:27 +01:00
140 changed files with 2856 additions and 961 deletions
@@ -1,4 +0,0 @@
-# Configuration for the CodeQL Actions Queries
-name: "CodeQL Actions Queries config"
-queries:
-  - uses: security-and-quality
@@ -7,9 +7,9 @@ queries:
  # we include both even though one is a superset of the
  # other, because we're testing the parsing logic and
  # that the suites exist in the codeql bundle.
+  - uses: security-and-quality
  - uses: security-experimental
  - uses: security-extended
-  - uses: security-and-quality
 paths-ignore:
-  - tests
  - lib
+  - tests
@@ -34,6 +34,9 @@ on:
        description: The version of Go to install
        required: false
        default: '>=1.21.0'
+defaults:
+  run:
+    shell: bash
 jobs:
  all-platform-bundle:
    strategy:
@@ -70,7 +73,6 @@ jobs:
          languages: cpp,csharp,go,java,javascript,python,ruby
          tools: ${{ steps.prepare-test.outputs.tools-url }}
      - name: Build code
-        shell: bash
        run: ./build.sh
      - uses: ./../action/analyze
    env:
@@ -34,6 +34,9 @@ on:
        description: The version of Go to install
        required: false
        default: '>=1.21.0'
+defaults:
+  run:
+    shell: bash
 jobs:
  analyze-ref-input:
    strategy:
@@ -74,7 +77,6 @@ jobs:
          config-file: ${{ github.repository }}/tests/multi-language-repo/.github/codeql/custom-queries.yml@${{
            github.sha }}
      - name: Build code
-        shell: bash
        run: ./build.sh
      - uses: ./../action/analyze
        with:
@@ -24,6 +24,9 @@ on:
    inputs: {}
  workflow_call:
    inputs: {}
+defaults:
+  run:
+    shell: bash
 jobs:
  autobuild-action:
    strategy:
@@ -67,7 +70,6 @@ jobs:
          CORECLR_PROFILER_PATH_64: ''
      - uses: ./../action/analyze
      - name: Check database
-        shell: bash
        run: |
          cd "$RUNNER_TEMP/codeql_databases"
          if [[ ! -d csharp ]]; then
@@ -34,6 +34,9 @@ on:
        description: The version of Java to install
        required: false
        default: '17'
+defaults:
+  run:
+    shell: bash
 jobs:
  autobuild-direct-tracing-with-working-dir:
    strategy:
@@ -70,7 +73,6 @@ jobs:
          java-version: ${{ inputs.java-version || '17' }}
          distribution: temurin
      - name: Test setup
-        shell: bash
        run: |
          # Make sure that Gradle build succeeds in autobuild-dir ...
          cp -a ../action/tests/java-repo autobuild-dir
@@ -82,7 +84,6 @@ jobs:
          languages: java
          tools: ${{ steps.prepare-test.outputs.tools-url }}
      - name: Check that indirect tracing is disabled
-        shell: bash
        run: |
          if [[ ! -z "${CODEQL_RUNNER}" ]]; then
            echo "Expected indirect tracing to be disabled, but the" \
@@ -34,6 +34,9 @@ on:
        description: The version of Java to install
        required: false
        default: '17'
+defaults:
+  run:
+    shell: bash
 jobs:
  autobuild-direct-tracing:
    strategy:
@@ -70,7 +73,6 @@ jobs:
          java-version: ${{ inputs.java-version || '17' }}
          distribution: temurin
      - name: Set up Java test repo configuration
-        shell: bash
        run: |
          mv * .github ../action/tests/multi-language-repo/
          mv ../action/tests/multi-language-repo/.github/workflows .github
@@ -85,7 +87,6 @@ jobs:
          tools: ${{ steps.prepare-test.outputs.tools-url }}

      - name: Check that indirect tracing is disabled
-        shell: bash
        run: |
          if [[ ! -z "${CODEQL_RUNNER}" ]]; then
            echo "Expected indirect tracing to be disabled, but the" \
@@ -24,6 +24,9 @@ on:
    inputs: {}
  workflow_call:
    inputs: {}
+defaults:
+  run:
+    shell: bash
 jobs:
  build-mode-autobuild:
    strategy:
@@ -34,6 +34,9 @@ on:
        description: The version of Go to install
        required: false
        default: '>=1.21.0'
+defaults:
+  run:
+    shell: bash
 jobs:
  build-mode-manual:
    strategy:
@@ -81,7 +84,6 @@ jobs:
          fi

      - name: Build code
-        shell: bash
        run: ./build.sh

      - uses: ./../action/analyze
@@ -24,6 +24,9 @@ on:
    inputs: {}
  workflow_call:
    inputs: {}
+defaults:
+  run:
+    shell: bash
 jobs:
  build-mode-none:
    strategy:
@@ -24,6 +24,9 @@ on:
    inputs: {}
  workflow_call:
    inputs: {}
+defaults:
+  run:
+    shell: bash
 jobs:
  build-mode-rollback:
    strategy:
@@ -24,6 +24,9 @@ on:
    inputs: {}
  workflow_call:
    inputs: {}
+defaults:
+  run:
+    shell: bash
 jobs:
  bundle-toolcache:
    strategy:
@@ -24,6 +24,9 @@ on:
    inputs: {}
  workflow_call:
    inputs: {}
+defaults:
+  run:
+    shell: bash
 jobs:
  bundle-zstd:
    strategy:
@@ -24,6 +24,9 @@ on:
    inputs: {}
  workflow_call:
    inputs: {}
+defaults:
+  run:
+    shell: bash
 jobs:
  cleanup-db-cluster-dir:
    strategy:
@@ -24,6 +24,9 @@ on:
    inputs: {}
  workflow_call:
    inputs: {}
+defaults:
+  run:
+    shell: bash
 jobs:
  config-export:
    strategy:
@@ -24,6 +24,9 @@ on:
    inputs: {}
  workflow_call:
    inputs: {}
+defaults:
+  run:
+    shell: bash
 jobs:
  config-input:
    strategy:
@@ -24,6 +24,9 @@ on:
    inputs: {}
  workflow_call:
    inputs: {}
+defaults:
+  run:
+    shell: bash
 jobs:
  cpp-deptrace-disabled:
    strategy:
@@ -53,7 +56,6 @@ jobs:
          use-all-platform-bundle: 'false'
          setup-kotlin: 'true'
      - name: Test setup
-        shell: bash
        run: |
          cp -a ../action/tests/cpp-autobuild autobuild-dir
      - uses: ./../action/init
@@ -65,8 +67,7 @@ jobs:
          working-directory: autobuild-dir
        env:
          CODEQL_EXTRACTOR_CPP_AUTOINSTALL_DEPENDENCIES: false
-      - shell: bash
-        run: |
+      - run: |
          if ls /usr/bin/errno; then
            echo "C/C++ autobuild installed errno, but it should not have since auto-install dependencies is disabled."
            exit 1
@@ -24,6 +24,9 @@ on:
    inputs: {}
  workflow_call:
    inputs: {}
+defaults:
+  run:
+    shell: bash
 jobs:
  cpp-deptrace-enabled-on-macos:
    strategy:
@@ -51,7 +54,6 @@ jobs:
          use-all-platform-bundle: 'false'
          setup-kotlin: 'true'
      - name: Test setup
-        shell: bash
        run: |
          cp -a ../action/tests/cpp-autobuild autobuild-dir
      - uses: ./../action/init
@@ -63,8 +65,7 @@ jobs:
          working-directory: autobuild-dir
        env:
          CODEQL_EXTRACTOR_CPP_AUTOINSTALL_DEPENDENCIES: true
-      - shell: bash
-        run: |
+      - run: |
          if ! ls /usr/bin/errno; then
            echo "As expected, CODEQL_EXTRACTOR_CPP_AUTOINSTALL_DEPENDENCIES is a no-op on macOS"
          else
@@ -24,6 +24,9 @@ on:
    inputs: {}
  workflow_call:
    inputs: {}
+defaults:
+  run:
+    shell: bash
 jobs:
  cpp-deptrace-enabled:
    strategy:
@@ -53,7 +56,6 @@ jobs:
          use-all-platform-bundle: 'false'
          setup-kotlin: 'true'
      - name: Test setup
-        shell: bash
        run: |
          cp -a ../action/tests/cpp-autobuild autobuild-dir
      - uses: ./../action/init
@@ -65,8 +67,7 @@ jobs:
          working-directory: autobuild-dir
        env:
          CODEQL_EXTRACTOR_CPP_AUTOINSTALL_DEPENDENCIES: true
-      - shell: bash
-        run: |
+      - run: |
          if ! ls /usr/bin/errno; then
            echo "Did not autoinstall errno"
            exit 1
@@ -24,6 +24,9 @@ on:
    inputs: {}
  workflow_call:
    inputs: {}
+defaults:
+  run:
+    shell: bash
 jobs:
  diagnostics-export:
    strategy:
@@ -64,7 +67,6 @@ jobs:
          languages: javascript
          tools: ${{ steps.prepare-test.outputs.tools-url }}
      - name: Add test diagnostics
-        shell: bash
        env:
          CODEQL_PATH: ${{ steps.init.outputs.codeql-path }}
        run: |
@@ -34,6 +34,9 @@ on:
        description: The version of Go to install
        required: false
        default: '>=1.21.0'
+defaults:
+  run:
+    shell: bash
 jobs:
  export-file-baseline-information:
    strategy:
@@ -73,7 +76,6 @@ jobs:
          languages: javascript
          tools: ${{ steps.prepare-test.outputs.tools-url }}
      - name: Build code
-        shell: bash
        run: ./build.sh
      - uses: ./../action/analyze
        with:
@@ -85,7 +87,6 @@ jobs:
          path: ${{ runner.temp }}/results/javascript.sarif
          retention-days: 7
      - name: Check results
-        shell: bash
        run: |
          cd "$RUNNER_TEMP/results"
          expected_baseline_languages="c csharp go java kotlin javascript python ruby"
@@ -24,6 +24,9 @@ on:
    inputs: {}
  workflow_call:
    inputs: {}
+defaults:
+  run:
+    shell: bash
 jobs:
  extractor-ram-threads:
    strategy:
@@ -54,7 +57,6 @@ jobs:
          ram: 230
          threads: 1
      - name: Assert Results
-        shell: bash
        run: |
          if [ "${CODEQL_RAM}" != "230" ]; then
            echo "CODEQL_RAM is '${CODEQL_RAM}' instead of 230"
@@ -34,6 +34,9 @@ on:
        description: The version of Go to install
        required: false
        default: '>=1.21.0'
+defaults:
+  run:
+    shell: bash
 jobs:
  go-custom-queries:
    strategy:
@@ -71,7 +74,6 @@ jobs:
          config-file: ./.github/codeql/custom-queries.yml
          tools: ${{ steps.prepare-test.outputs.tools-url }}
      - name: Build code
-        shell: bash
        run: ./build.sh
      - uses: ./../action/analyze
    env:
@@ -34,6 +34,9 @@ on:
        description: The version of Go to install
        required: false
        default: '>=1.21.0'
+defaults:
+  run:
+    shell: bash
 jobs:
  go-indirect-tracing-workaround-diagnostic:
    strategy:
@@ -72,7 +75,6 @@ jobs:
        with:
          go-version: '1.20'
      - name: Build code
-        shell: bash
        run: go build main.go
      - uses: ./../action/analyze
        with:
@@ -34,6 +34,9 @@ on:
        description: The version of Go to install
        required: false
        default: '>=1.21.0'
+defaults:
+  run:
+    shell: bash
 jobs:
  go-indirect-tracing-workaround-no-file-program:
    strategy:
@@ -73,7 +76,6 @@ jobs:
          languages: go
          tools: ${{ steps.prepare-test.outputs.tools-url }}
      - name: Build code
-        shell: bash
        run: go build main.go
      - uses: ./../action/analyze
        with:
@@ -34,6 +34,9 @@ on:
        description: The version of Go to install
        required: false
        default: '>=1.21.0'
+defaults:
+  run:
+    shell: bash
 jobs:
  go-indirect-tracing-workaround:
    strategy:
@@ -68,11 +71,9 @@ jobs:
          languages: go
          tools: ${{ steps.prepare-test.outputs.tools-url }}
      - name: Build code
-        shell: bash
        run: go build main.go
      - uses: ./../action/analyze
-      - shell: bash
-        run: |
+      - run: |
          if [[ -z "${CODEQL_ACTION_GO_BINARY}" ]]; then
            echo "Expected the workaround for indirect tracing of static binaries to trigger, but the" \
              "CODEQL_ACTION_GO_BINARY environment variable is not set."
@@ -34,6 +34,9 @@ on:
        description: The version of Go to install
        required: false
        default: '>=1.21.0'
+defaults:
+  run:
+    shell: bash
 jobs:
  go-tracing-autobuilder:
    strategy:
@@ -60,6 +63,10 @@ jobs:
            version: stable-v2.21.4
          - os: macos-latest
            version: stable-v2.21.4
+          - os: ubuntu-latest
+            version: stable-v2.22.4
+          - os: macos-latest
+            version: stable-v2.22.4
          - os: ubuntu-latest
            version: default
          - os: macos-latest
@@ -99,8 +106,7 @@ jobs:
          tools: ${{ steps.prepare-test.outputs.tools-url }}
      - uses: ./../action/autobuild
      - uses: ./../action/analyze
-      - shell: bash
-        run: |
+      - run: |
          if [[ "${CODEQL_ACTION_DID_AUTOBUILD_GOLANG}" != true ]]; then
            echo "Expected the Go autobuilder to be run, but the" \
              "CODEQL_ACTION_DID_AUTOBUILD_GOLANG environment variable was not true."
@@ -34,6 +34,9 @@ on:
        description: The version of Go to install
        required: false
        default: '>=1.21.0'
+defaults:
+  run:
+    shell: bash
 jobs:
  go-tracing-custom-build-steps:
    strategy:
@@ -60,6 +63,10 @@ jobs:
            version: stable-v2.21.4
          - os: macos-latest
            version: stable-v2.21.4
+          - os: ubuntu-latest
+            version: stable-v2.22.4
+          - os: macos-latest
+            version: stable-v2.22.4
          - os: ubuntu-latest
            version: default
          - os: macos-latest
@@ -98,11 +105,9 @@ jobs:
          languages: go
          tools: ${{ steps.prepare-test.outputs.tools-url }}
      - name: Build code
-        shell: bash
        run: go build main.go
      - uses: ./../action/analyze
-      - shell: bash
-        run: |
+      - run: |
          # Once we start running Bash 4.2 in all environments, we can replace the
          # `! -z` flag with the more elegant `-v` which confirms that the variable
          # is actually unset and not potentially set to a blank value.
@@ -34,6 +34,9 @@ on:
        description: The version of Go to install
        required: false
        default: '>=1.21.0'
+defaults:
+  run:
+    shell: bash
 jobs:
  go-tracing-legacy-workflow:
    strategy:
@@ -60,6 +63,10 @@ jobs:
            version: stable-v2.21.4
          - os: macos-latest
            version: stable-v2.21.4
+          - os: ubuntu-latest
+            version: stable-v2.22.4
+          - os: macos-latest
+            version: stable-v2.22.4
          - os: ubuntu-latest
            version: default
          - os: macos-latest
@@ -98,8 +105,7 @@ jobs:
          languages: go
          tools: ${{ steps.prepare-test.outputs.tools-url }}
      - uses: ./../action/analyze
-      - shell: bash
-        run: |
+      - run: |
          cd "$RUNNER_TEMP/codeql_databases"
          if [[ ! -d go ]]; then
            echo "Did not find a Go database"
@@ -24,6 +24,9 @@ on:
    inputs: {}
  workflow_call:
    inputs: {}
+defaults:
+  run:
+    shell: bash
 jobs:
  init-with-registries:
    strategy:
@@ -78,7 +81,6 @@ jobs:
              token: "${{ secrets.GITHUB_TOKEN }}"

      - name: Verify packages installed
-        shell: bash
        run: |
          PRIVATE_PACK="$HOME/.codeql/packages/codeql-testing/private-pack"
          CODEQL_PACK1="$HOME/.codeql/packages/codeql-testing/codeql-pack1"
@@ -100,7 +102,6 @@ jobs:
          fi

      - name: Verify qlconfig.yml file was created
-        shell: bash
        run: |
          QLCONFIG_PATH=$RUNNER_TEMP/qlconfig.yml
          echo "Expected qlconfig.yml file to be created at $QLCONFIG_PATH"
@@ -115,7 +116,6 @@ jobs:
      - name: Verify contents of qlconfig.yml
    # yq is not available on windows
        if: runner.os != 'Windows'
-        shell: bash
        run: |
          QLCONFIG_PATH=$RUNNER_TEMP/qlconfig.yml
          cat $QLCONFIG_PATH | yq -e '.registries[] | select(.url == "https://ghcr.io/v2/") | select(.packages == "*/*")'
@@ -24,6 +24,9 @@ on:
    inputs: {}
  workflow_call:
    inputs: {}
+defaults:
+  run:
+    shell: bash
 jobs:
  javascript-source-root:
    strategy:
@@ -53,7 +56,6 @@ jobs:
          use-all-platform-bundle: 'false'
          setup-kotlin: 'true'
      - name: Move codeql-action
-        shell: bash
        run: |
          mkdir ../new-source-root
          mv * ../new-source-root
@@ -66,7 +68,6 @@ jobs:
        with:
          skip-queries: true
      - name: Assert database exists
-        shell: bash
        run: |
          cd "$RUNNER_TEMP/codeql_databases"
          if [[ ! -d javascript ]]; then
@@ -24,6 +24,9 @@ on:
    inputs: {}
  workflow_call:
    inputs: {}
+defaults:
+  run:
+    shell: bash
 jobs:
  job-run-uuid-sarif:
    strategy:
@@ -63,7 +66,6 @@ jobs:
          path: ${{ runner.temp }}/results/javascript.sarif
          retention-days: 7
      - name: Check results
-        shell: bash
        run: |
          cd "$RUNNER_TEMP/results"
          actual=$(jq -r '.runs[0].properties.jobRunUuid' javascript.sarif)
@@ -24,6 +24,9 @@ on:
    inputs: {}
  workflow_call:
    inputs: {}
+defaults:
+  run:
+    shell: bash
 jobs:
  language-aliases:
    strategy:
@@ -34,6 +34,9 @@ on:
        description: The version of Go to install
        required: false
        default: '>=1.21.0'
+defaults:
+  run:
+    shell: bash
 jobs:
  multi-language-autodetect:
    strategy:
@@ -60,6 +63,10 @@ jobs:
            version: stable-v2.21.4
          - os: ubuntu-latest
            version: stable-v2.21.4
+          - os: macos-latest
+            version: stable-v2.22.4
+          - os: ubuntu-latest
+            version: stable-v2.22.4
          - os: macos-latest
            version: default
          - os: ubuntu-latest
@@ -94,7 +101,6 @@ jobs:
          go-version: ${{ inputs.go-version || '>=1.21.0' }}
          cache: false
      - name: Use Xcode 16
-        shell: bash
        if: runner.os == 'macOS' && matrix.version != 'nightly-latest'
        run: sudo xcode-select -s "/Applications/Xcode_16.app"

@@ -107,7 +113,6 @@ jobs:
          tools: ${{ steps.prepare-test.outputs.tools-url }}

      - name: Build code
-        shell: bash
        run: ./build.sh

      - uses: ./../action/analyze
@@ -116,7 +121,6 @@ jobs:
          upload-database: false

      - name: Check language autodetect for all languages excluding Swift
-        shell: bash
        run: |
          CPP_DB=${{ fromJson(steps.analysis.outputs.db-locations).cpp }}
          if [[ ! -d $CPP_DB ]] || [[ ! $CPP_DB == ${{ runner.temp }}/customDbLocation/* ]]; then
@@ -156,7 +160,6 @@ jobs:

      - name: Check language autodetect for Swift on macOS
        if: runner.os == 'macOS'
-        shell: bash
        run: |
          SWIFT_DB=${{ fromJson(steps.analysis.outputs.db-locations).swift }}
          if [[ ! -d $SWIFT_DB ]] || [[ ! $SWIFT_DB == ${{ runner.temp }}/customDbLocation/* ]]; then
@@ -24,6 +24,9 @@ on:
    inputs: {}
  workflow_call:
    inputs: {}
+defaults:
+  run:
+    shell: bash
 jobs:
  overlay-init-fallback:
    strategy:
@@ -61,7 +64,6 @@ jobs:
        with:
          upload-database: false
      - name: Check database
-        shell: bash
        run: |
          cd "$RUNNER_TEMP/codeql_databases/actions"
          if ! grep -q 'overlayBaseDatabase: false' codeql-database.yml ; then
@@ -34,6 +34,9 @@ on:
        description: The version of Go to install
        required: false
        default: '>=1.21.0'
+defaults:
+  run:
+    shell: bash
 jobs:
  packaging-codescanning-config-inputs-js:
    strategy:
@@ -93,7 +96,6 @@ jobs:
          languages: javascript
          tools: ${{ steps.prepare-test.outputs.tools-url }}
      - name: Build code
-        shell: bash
        run: ./build.sh
      - uses: ./../action/analyze
        with:
@@ -109,7 +111,6 @@ jobs:
          queries-not-run: foo,bar

      - name: Assert Results
-        shell: bash
        run: |
          cd "$RUNNER_TEMP/results"
          # We should have 4 hits from these rules
@@ -34,6 +34,9 @@ on:
        description: The version of Go to install
        required: false
        default: '>=1.21.0'
+defaults:
+  run:
+    shell: bash
 jobs:
  packaging-config-inputs-js:
    strategy:
@@ -93,7 +96,6 @@ jobs:
          languages: javascript
          tools: ${{ steps.prepare-test.outputs.tools-url }}
      - name: Build code
-        shell: bash
        run: ./build.sh
      - uses: ./../action/analyze
        with:
@@ -109,7 +111,6 @@ jobs:
          queries-not-run: foo,bar

      - name: Assert Results
-        shell: bash
        run: |
          cd "$RUNNER_TEMP/results"
          # We should have 4 hits from these rules
@@ -34,6 +34,9 @@ on:
        description: The version of Go to install
        required: false
        default: '>=1.21.0'
+defaults:
+  run:
+    shell: bash
 jobs:
  packaging-config-js:
    strategy:
@@ -92,7 +95,6 @@ jobs:
          languages: javascript
          tools: ${{ steps.prepare-test.outputs.tools-url }}
      - name: Build code
-        shell: bash
        run: ./build.sh
      - uses: ./../action/analyze
        with:
@@ -108,7 +110,6 @@ jobs:
          queries-not-run: foo,bar

      - name: Assert Results
-        shell: bash
        run: |
          cd "$RUNNER_TEMP/results"
          # We should have 4 hits from these rules
@@ -34,6 +34,9 @@ on:
        description: The version of Go to install
        required: false
        default: '>=1.21.0'
+defaults:
+  run:
+    shell: bash
 jobs:
  packaging-inputs-js:
    strategy:
@@ -93,7 +96,6 @@ jobs:
          packs: codeql-testing/codeql-pack1@1.0.0, codeql-testing/codeql-pack2, codeql-testing/codeql-pack3:other-query.ql
          tools: ${{ steps.prepare-test.outputs.tools-url }}
      - name: Build code
-        shell: bash
        run: ./build.sh
      - uses: ./../action/analyze
        with:
@@ -108,7 +110,6 @@ jobs:
          queries-not-run: foo,bar

      - name: Assert Results
-        shell: bash
        run: |
          cd "$RUNNER_TEMP/results"
          # We should have 4 hits from these rules
@@ -24,6 +24,9 @@ on:
    inputs: {}
  workflow_call:
    inputs: {}
+defaults:
+  run:
+    shell: bash
 jobs:
  quality-queries:
    strategy:
@@ -34,6 +34,9 @@ on:
        description: The version of Go to install
        required: false
        default: '>=1.21.0'
+defaults:
+  run:
+    shell: bash
 jobs:
  remote-config:
    strategy:
@@ -72,7 +75,6 @@ jobs:
          config-file: ${{ github.repository }}/tests/multi-language-repo/.github/codeql/custom-queries.yml@${{
            github.sha }}
      - name: Build code
-        shell: bash
        run: ./build.sh
      - uses: ./../action/analyze
    env:
@@ -24,6 +24,9 @@ on:
    inputs: {}
  workflow_call:
    inputs: {}
+defaults:
+  run:
+    shell: bash
 jobs:
  resolve-environment-action:
    strategy:
@@ -24,6 +24,9 @@ on:
    inputs: {}
  workflow_call:
    inputs: {}
+defaults:
+  run:
+    shell: bash
 jobs:
  rubocop-multi-language:
    strategy:
@@ -53,13 +56,10 @@ jobs:
        with:
          ruby-version: 2.6
      - name: Install Code Scanning integration
-        shell: bash
        run: bundle add code-scanning-rubocop --version 0.3.0 --skip-install
      - name: Install dependencies
-        shell: bash
        run: bundle install
      - name: RuboCop run
-        shell: bash
        run: |
          bash -c "
            bundle exec rubocop --require code_scanning --format CodeScanning::SarifFormatter -o rubocop.sarif
@@ -24,6 +24,9 @@ on:
    inputs: {}
  workflow_call:
    inputs: {}
+defaults:
+  run:
+    shell: bash
 jobs:
  ruby:
    strategy:
@@ -67,7 +70,6 @@ jobs:
        with:
          upload-database: false
      - name: Check database
-        shell: bash
        run: |
          RUBY_DB="${{ fromJson(steps.analysis.outputs.db-locations).ruby }}"
          if [[ ! -d "$RUBY_DB" ]]; then
@@ -24,6 +24,9 @@ on:
    inputs: {}
  workflow_call:
    inputs: {}
+defaults:
+  run:
+    shell: bash
 jobs:
  rust:
    strategy:
@@ -65,7 +68,6 @@ jobs:
        with:
          upload-database: false
      - name: Check database
-        shell: bash
        run: |
          RUST_DB="${{ fromJson(steps.analysis.outputs.db-locations).rust }}"
          if [[ ! -d "$RUST_DB" ]]; then
@@ -34,6 +34,9 @@ on:
        description: The version of Go to install
        required: false
        default: '>=1.21.0'
+defaults:
+  run:
+    shell: bash
 jobs:
  split-workflow:
    strategy:
@@ -80,7 +83,6 @@ jobs:
          languages: javascript
          tools: ${{ steps.prepare-test.outputs.tools-url }}
      - name: Build code
-        shell: bash
        run: ./build.sh
      - uses: ./../action/analyze
        with:
@@ -89,7 +91,6 @@ jobs:
          upload-database: false

      - name: Assert No Results
-        shell: bash
        run: |
          if [ "$(ls -A $RUNNER_TEMP/results)" ]; then
            echo "Expected results directory to be empty after skipping query execution!"
@@ -100,7 +101,6 @@ jobs:
          output: ${{ runner.temp }}/results
          upload-database: false
      - name: Assert Results
-        shell: bash
        run: |
          cd "$RUNNER_TEMP/results"
          # We should have 4 hits from these rules
@@ -24,6 +24,9 @@ on:
    inputs: {}
  workflow_call:
    inputs: {}
+defaults:
+  run:
+    shell: bash
 jobs:
  start-proxy:
    strategy:
@@ -24,6 +24,9 @@ on:
    inputs: {}
  workflow_call:
    inputs: {}
+defaults:
+  run:
+    shell: bash
 jobs:
  submit-sarif-failure:
    strategy:
@@ -24,6 +24,9 @@ on:
    inputs: {}
  workflow_call:
    inputs: {}
+defaults:
+  run:
+    shell: bash
 jobs:
  swift-autobuild:
    strategy:
@@ -55,7 +58,6 @@ jobs:
          build-mode: autobuild
          tools: ${{ steps.prepare-test.outputs.tools-url }}
      - name: Check working directory
-        shell: bash
        run: pwd
      - uses: ./../action/autobuild
        timeout-minutes: 30
@@ -64,7 +66,6 @@ jobs:
        with:
          upload-database: false
      - name: Check database
-        shell: bash
        run: |
          SWIFT_DB="${{ fromJson(steps.analysis.outputs.db-locations).swift }}"
          if [[ ! -d "$SWIFT_DB" ]]; then
@@ -34,6 +34,9 @@ on:
        description: The version of Go to install
        required: false
        default: '>=1.21.0'
+defaults:
+  run:
+    shell: bash
 jobs:
  swift-custom-build:
    strategy:
@@ -68,7 +71,6 @@ jobs:
          go-version: ${{ inputs.go-version || '>=1.21.0' }}
          cache: false
      - name: Use Xcode 16
-        shell: bash
        if: runner.os == 'macOS' && matrix.version != 'nightly-latest'
        run: sudo xcode-select -s "/Applications/Xcode_16.app"
      - uses: ./../action/init
@@ -77,17 +79,14 @@ jobs:
          languages: swift
          tools: ${{ steps.prepare-test.outputs.tools-url }}
      - name: Check working directory
-        shell: bash
        run: pwd
      - name: Build code
-        shell: bash
        run: ./build.sh
      - uses: ./../action/analyze
        id: analysis
        with:
          upload-database: false
      - name: Check database
-        shell: bash
        run: |
          SWIFT_DB="${{ fromJson(steps.analysis.outputs.db-locations).swift }}"
          if [[ ! -d "$SWIFT_DB" ]]; then
@@ -24,6 +24,9 @@ on:
    inputs: {}
  workflow_call:
    inputs: {}
+defaults:
+  run:
+    shell: bash
 jobs:
  test-autobuild-working-dir:
    strategy:
@@ -49,7 +52,6 @@ jobs:
          use-all-platform-bundle: 'false'
          setup-kotlin: 'true'
      - name: Test setup
-        shell: bash
        run: |
          # Make sure that Gradle build succeeds in autobuild-dir ...
          cp -a ../action/tests/java-repo autobuild-dir
@@ -64,7 +66,6 @@ jobs:
          working-directory: autobuild-dir
      - uses: ./../action/analyze
      - name: Check database
-        shell: bash
        run: |
          cd "$RUNNER_TEMP/codeql_databases"
          if [[ ! -d java ]]; then
@@ -34,6 +34,9 @@ on:
        description: The version of Go to install
        required: false
        default: '>=1.21.0'
+defaults:
+  run:
+    shell: bash
 jobs:
  test-local-codeql:
    strategy:
@@ -64,7 +67,6 @@ jobs:
          go-version: ${{ inputs.go-version || '>=1.21.0' }}
          cache: false
      - name: Fetch a CodeQL bundle
-        shell: bash
        env:
          CODEQL_URL: ${{ steps.prepare-test.outputs.tools-url }}
        run: |
@@ -76,7 +78,6 @@ jobs:
          languages: cpp,csharp,go,java,javascript,python,ruby
          tools: ./codeql-bundle-linux64.tar.zst
      - name: Build code
-        shell: bash
        run: ./build.sh
      - uses: ./../action/analyze
    env:
@@ -24,6 +24,9 @@ on:
    inputs: {}
  workflow_call:
    inputs: {}
+defaults:
+  run:
+    shell: bash
 jobs:
  test-proxy:
    strategy:
@@ -34,6 +34,9 @@ on:
        description: The version of Go to install
        required: false
        default: '>=1.21.0'
+defaults:
+  run:
+    shell: bash
 jobs:
  unset-environment:
    strategy:
@@ -73,14 +76,12 @@ jobs:
          languages: cpp,csharp,go,java,javascript,python,ruby
          tools: ${{ steps.prepare-test.outputs.tools-url }}
      - name: Build code
-        shell: bash
        run: env -i PATH="$PATH" HOME="$HOME" ./build.sh
      - uses: ./../action/analyze
        id: analysis
        with:
          upload-database: false
-      - shell: bash
-        run: |
+      - run: |
          CPP_DB="${{ fromJson(steps.analysis.outputs.db-locations).cpp }}"
          if [[ ! -d "$CPP_DB" ]] || [[ ! "$CPP_DB" == "${RUNNER_TEMP}/customDbLocation/cpp" ]]; then
            echo "::error::Did not create a database for CPP, or created it in the wrong location." \
@@ -34,6 +34,9 @@ on:
        description: The version of Go to install
        required: false
        default: '>=1.21.0'
+defaults:
+  run:
+    shell: bash
 jobs:
  upload-quality-sarif:
    strategy:
@@ -75,7 +78,6 @@ jobs:
            github.sha }}
          analysis-kinds: code-scanning,code-quality
      - name: Build code
-        shell: bash
        run: ./build.sh
  # Generate some SARIF we can upload with the upload-sarif step
      - uses: ./../action/analyze
@@ -34,6 +34,9 @@ on:
        description: The version of Go to install
        required: false
        default: '>=1.21.0'
+defaults:
+  run:
+    shell: bash
 jobs:
  upload-ref-sha-input:
    strategy:
@@ -74,7 +77,6 @@ jobs:
          config-file: ${{ github.repository }}/tests/multi-language-repo/.github/codeql/custom-queries.yml@${{
            github.sha }}
      - name: Build code
-        shell: bash
        run: ./build.sh
  # Generate some SARIF we can upload with the upload-sarif step
      - uses: ./../action/analyze
@@ -34,6 +34,9 @@ on:
        description: The version of Go to install
        required: false
        default: '>=1.21.0'
+defaults:
+  run:
+    shell: bash
 jobs:
  with-checkout-path:
    strategy:
@@ -68,7 +71,6 @@ jobs:
          go-version: ${{ inputs.go-version || '>=1.21.0' }}
          cache: false
      - name: Delete original checkout
-        shell: bash
        run: |
          # delete the original checkout so we don't accidentally use it.
          # Actions does not support deleting the current working directory, so we
@@ -89,7 +91,6 @@ jobs:
          source-root: x/y/z/some-path/tests/multi-language-repo

      - name: Build code
-        shell: bash
        working-directory: x/y/z/some-path/tests/multi-language-repo
        run: |
          ./build.sh
@@ -101,7 +102,6 @@ jobs:
          sha: 474bbf07f9247ffe1856c6a0f94aeeb10e7afee6

      - name: Verify SARIF after upload
-        shell: bash
        run: |
          EXPECTED_COMMIT_OID="474bbf07f9247ffe1856c6a0f94aeeb10e7afee6"
          EXPECTED_REF="v1.1.0"
@@ -9,6 +9,10 @@ on:
    # by other workflows.
    types: [opened, synchronize, reopened, ready_for_review]

+defaults:
+  run:
+    shell: bash
+
 jobs:
  check-expected-release-files:
    runs-on: ubuntu-latest
@@ -13,6 +13,10 @@ on:
    - cron: '30 1 * * 0'
  workflow_dispatch:

+defaults:
+  run:
+    shell: bash
+
 env:
  CODEQL_ACTION_TESTING_ENVIRONMENT: codeql-action-pr-checks

@@ -91,22 +95,29 @@ jobs:
      id: init
      with:
        languages: javascript
-        config-file: ./.github/codeql/codeql-config.yml
+        config-file: ./.github/codeql/codeql-config-javascript.yml
        tools: ${{ matrix.tools }}
    # confirm steps.init.outputs.codeql-path points to the codeql binary
    - name: Print CodeQL Version
-      run: ${{steps.init.outputs.codeql-path}} version --format=json
+      run: >
+        "$CODEQL" version --format=json
+      env:
+        CODEQL: ${{steps.init.outputs.codeql-path}}
    - name: Perform CodeQL Analysis
      uses: ./analyze
      with:
        category: "/language:javascript"
+        upload: ${{ (matrix.os == 'ubuntu-24.04' && !matrix.tools && 'always') || 'never' }}

-
-  analyze-actions:
+  analyze-other:
    runs-on: ubuntu-latest

    strategy:
      fail-fast: false
+      matrix:
+        include:
+          - language: actions
+          - language: python

    permissions:
      contents: read
@@ -118,9 +129,15 @@ jobs:
    - name: Initialize CodeQL
      uses: ./init
      with:
-        languages: actions
-        config-file: ./.github/codeql/codeql-actions-config.yml
+        languages: ${{ matrix.language }}
+        build-mode: none
+        config: >
+          paths-ignore:
+            - lib
+            - tests
+          queries:
+            - uses: security-and-quality
    - name: Perform CodeQL Analysis
      uses: ./analyze
      with:
-        category: "/language:actions"
+        category: "/language:${{ matrix.language }}"
@@ -22,6 +22,10 @@ on:
    - cron: '0 5 * * *'
  workflow_dispatch: {}

+defaults:
+  run:
+    shell: bash
+
 jobs:
  code-scanning-config-tests:
    continue-on-error: true
@@ -17,6 +17,11 @@ on:
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch: {}
+
+defaults:
+  run:
+    shell: bash
+
 jobs:
  upload-artifacts:
    strategy:
@@ -55,7 +60,6 @@ jobs:
          debug-artifact-name: my-debug-artifacts
          debug-database-name: my-db
      - name: Build code
-        shell: bash
        run: ./build.sh
      - uses: ./../action/analyze
        id: analysis
@@ -75,7 +79,6 @@ jobs:
      - name: Download all artifacts
        uses: actions/download-artifact@v5
      - name: Check expected artifacts exist
-        shell: bash
        run: |
          LANGUAGES="cpp csharp go java javascript python"
          for version in $VERSIONS; do
@@ -16,6 +16,11 @@ on:
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch: {}
+
+defaults:
+  run:
+    shell: bash
+
 jobs:
  upload-artifacts:
    strategy:
@@ -54,7 +59,6 @@ jobs:
          # We manually exclude Swift from the languages list here, as it is not supported on Ubuntu
          languages: cpp,csharp,go,java,javascript,python,ruby
      - name: Build code
-        shell: bash
        run: ./build.sh
      - uses: ./../action/analyze
        id: analysis
@@ -69,7 +73,6 @@ jobs:
      - name: Download all artifacts
        uses: actions/download-artifact@v5
      - name: Check expected artifacts exist
-        shell: bash
        run: |
          VERSIONS="stable-v2.20.3 default linked nightly-latest"
          LANGUAGES="cpp csharp go java javascript python"
@@ -18,6 +18,10 @@ on:
    branches:
      - releases/v*

+defaults:
+  run:
+    shell: bash
+
 jobs:
  merge-back:
    runs-on: ubuntu-latest
@@ -8,6 +8,10 @@ on:
    types: [opened, synchronize, reopened, ready_for_review]
  workflow_dispatch:

+defaults:
+  run:
+    shell: bash
+
 jobs:
  unit-tests:
    name: Unit Tests
@@ -22,6 +26,10 @@ jobs:
    timeout-minutes: 45

    steps:
+      - name: Prepare git (Windows)
+        if: runner.os == 'Windows'
+        run: git config --global core.autocrlf false
+
      - uses: actions/checkout@v5
      
      - name: Set up Node.js
@@ -22,6 +22,10 @@ on:
    paths:
      - .github/workflows/prepare-release.yml

+defaults:
+  run:
+    shell: bash
+
 jobs:
  prepare:
    name: "Prepare release"
@@ -4,6 +4,10 @@ on:
  release:
    types: [published]

+defaults:
+  run:
+    shell: bash
+
 jobs:
  publish:
    runs-on: ubuntu-latest
@@ -12,6 +12,10 @@ on:
    - cron: '0 0 * * 1'
  workflow_dispatch:

+defaults:
+  run:
+    shell: bash
+
 jobs:
  test-setup-python-scripts:
    env:
@@ -15,6 +15,10 @@ on:
    - cron: '0 5 * * *'
  workflow_dispatch: {}

+defaults:
+  run:
+    shell: bash
+
 jobs:
  query-filters:
    name: Query Filters Tests
@@ -5,6 +5,10 @@ on:
    types: [labeled]
  workflow_dispatch:

+defaults:
+  run:
+    shell: bash
+
 jobs:
  rebuild:
    name: Rebuild Action
@@ -14,6 +14,10 @@ on:
      - .github/workflows/rollback-release.yml
      - .github/actions/prepare-mergeback-branch/**

+defaults:
+  run:
+    shell: bash
+
 jobs:
  prepare:
    name: "Prepare release"
@@ -53,7 +57,6 @@ jobs:

      - name: Create tag for testing
        if: github.event_name != 'workflow_dispatch'
-        shell: bash
        run: git tag v0.0.0

      # We start by preparing the mergeback branch, mainly so that we have the updated changelog
@@ -96,7 +99,6 @@ jobs:
          echo "::endgroup::"

      - name: Create tags
-        shell: bash
        env:
          # We usually expect to checkout `inputs.rollback-tag` (required for `workflow_dispatch`),
          # but use `v0.0.0` for testing.
@@ -111,7 +113,6 @@ jobs:
      - name: Push tags
        # skip when testing
        if: github.event_name == 'workflow_dispatch'
-        shell: bash
        env:
          RELEASE_TAG: ${{ needs.prepare.outputs.version }}
          MAJOR_VERSION_TAG: ${{ needs.prepare.outputs.major_version }}
@@ -160,7 +161,6 @@ jobs:
          echo "Created draft rollback release at $RELEASE_URL" >> $GITHUB_STEP_SUMMARY

      - name: Update changelog
-        shell: bash
        env:
          NEW_CHANGELOG: "${{ runner.temp }}/new_changelog.md"
          NEW_BRANCH: "${{ steps.mergeback-branch.outputs.new-branch }}"
@@ -16,6 +16,9 @@ on:
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch: {}
+defaults:
+  run:
+    shell: bash
 jobs:
  test-codeql-bundle-all:
    strategy:
@@ -46,7 +49,6 @@ jobs:
        languages: cpp,csharp,go,java,javascript,python,ruby 
        tools: ${{ steps.prepare-test.outputs.tools-url }}
    - name: Build code
-      shell: bash
      run: ./build.sh
    - uses: ./../action/analyze
    env:
@@ -13,6 +13,10 @@ on:
    # to filter pre-release attribute.
    types: [published]

+defaults:
+  run:
+    shell: bash
+
 jobs:
  update-bundle:
    if: github.event.release.prerelease && startsWith(github.event.release.tag_name, 'codeql-bundle-')
@@ -7,6 +7,10 @@ on:
        type: string
        required: true

+defaults:
+  run:
+    shell: bash
+
 jobs:
  update:
    name: Update code and create PR
@@ -20,7 +24,6 @@ jobs:
    steps:
      - name: Check release tag format
        id: checks
-        shell: bash
        run: |
          if ! [[ $RELEASE_TAG =~ ^codeql-bundle-v[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
            echo "Invalid release tag: expected a CodeQL bundle tag in the 'codeql-bundle-vM.N.P' format."
@@ -30,7 +33,6 @@ jobs:
          echo "target_branch=dependency-proxy/$RELEASE_TAG" >> $GITHUB_OUTPUT

      - name: Check that the release exists
-        shell: bash
        env:
          GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
        run: |
@@ -46,20 +48,17 @@ jobs:
          ref: main

      - name: Update git config
-        shell: bash
        run: |
          git config --global user.email "41898282+github-actions[bot]@users.noreply.github.com"
          git config --global user.name "github-actions[bot]"

      - name: Update release tag and version
-        shell: bash
        run: |
          NOW=$(date +"%Y%m%d%H%M%S") # only used to make sure we don't fetch stale binaries from the toolcache
          sed -i "s|https://github.com/github/codeql-action/releases/download/codeql-bundle-v[0-9.]\+/|https://github.com/github/codeql-action/releases/download/$RELEASE_TAG/|g" ./src/start-proxy-action.ts
          sed -i "s/\"v2.0.[0-9]\+\"/\"v2.0.$NOW\"/g" ./src/start-proxy-action.ts

      - name: Compile TypeScript and commit changes
-        shell: bash
        env:
          TARGET_BRANCH: ${{ steps.checks.outputs.target_branch }}
        run: |
@@ -72,7 +71,6 @@ jobs:
          git commit -m "Update release used by \`start-proxy\` action"

      - name: Push changes and open PR
-        shell: bash
        env:
          GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
          TARGET_BRANCH: ${{ steps.checks.outputs.target_branch }}
@@ -11,6 +11,10 @@ on:
    branches:
      - releases/*

+defaults:
+  run:
+    shell: bash
+
 jobs:

  prepare:
@@ -5,6 +5,7 @@ See the [releases page](https://github.com/github/codeql-action/releases) for th
 ## [UNRELEASED]

 - We have improved the CodeQL Action's ability to validate that the workflow it is used in does not use different versions of the CodeQL Action for different workflow steps. Mixing different versions of the CodeQL Action in the same workflow is unsupported and can lead to unpredictable results. A warning will now be emitted from the `codeql-action/init` step if different versions of the CodeQL Action are detected in the workflow file. Additionally, an error will now be thrown by the other CodeQL Action steps if they load a configuration file that was generated by a different version of the `codeql-action/init` step. [#3099](https://github.com/github/codeql-action/pull/3099) and [#3100](https://github.com/github/codeql-action/pull/3100)
+- We added support for reducing the size of dependency caches for Java analyses, which will reduce cache usage and speed up workflows. This will be enabled automatically at a later time. [#3107](https://github.com/github/codeql-action/pull/3107)

 ## 3.30.3 - 10 Sep 2025

@@ -26486,7 +26486,7 @@ var require_package = __commonJS({
        "node-forge": "^1.3.1",
        octokit: "^5.0.3",
        semver: "^7.7.2",
-        uuid: "^12.0.0"
+        uuid: "^13.0.0"
      },
      devDependencies: {
        "@ava/typescript": "6.0.0",
@@ -26536,7 +26536,8 @@ var require_package = __commonJS({
        },
        "eslint-plugin-jsx-a11y": {
          semver: ">=6.3.1"
-        }
+        },
+        "brace-expansion@2.0.1": "2.0.2"
      }
    };
  }
@@ -77685,7 +77686,7 @@ var require_brace_expansion2 = __commonJS({
        var isSequence = isNumericSequence || isAlphaSequence;
        var isOptions = m.body.indexOf(",") >= 0;
        if (!isSequence && !isOptions) {
-          if (m.post.match(/,.*\}/)) {
+          if (m.post.match(/,(?!,).*\}/)) {
            str2 = m.pre + "{" + m.body + escClose + m.post;
            return expand(str2);
          }
@@ -117918,6 +117919,11 @@ var featureConfig = {
    envVar: "CODEQL_ACTION_QA_TELEMETRY",
    legacyApi: true,
    minimumVersion: void 0
+  },
+  ["java_minimize_dependency_jars" /* JavaMinimizeDependencyJars */]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_JAVA_MINIMIZE_DEPENDENCY_JARS",
+    minimumVersion: "2.23.0"
  }
 };

@@ -32335,7 +32335,7 @@ var require_package = __commonJS({
        "node-forge": "^1.3.1",
        octokit: "^5.0.3",
        semver: "^7.7.2",
-        uuid: "^12.0.0"
+        uuid: "^13.0.0"
      },
      devDependencies: {
        "@ava/typescript": "6.0.0",
@@ -32385,7 +32385,8 @@ var require_package = __commonJS({
        },
        "eslint-plugin-jsx-a11y": {
          semver: ">=6.3.1"
-        }
+        },
+        "brace-expansion@2.0.1": "2.0.2"
      }
    };
  }
@@ -91152,6 +91153,11 @@ var featureConfig = {
    envVar: "CODEQL_ACTION_QA_TELEMETRY",
    legacyApi: true,
    minimumVersion: void 0
+  },
+  ["java_minimize_dependency_jars" /* JavaMinimizeDependencyJars */]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_JAVA_MINIMIZE_DEPENDENCY_JARS",
+    minimumVersion: "2.23.0"
  }
 };
 var FEATURE_FLAGS_FILE_NAME = "cached-feature-flags.json";
@@ -91677,7 +91683,7 @@ var toolcache3 = __toESM(require_tool_cache());
 var import_fast_deep_equal = __toESM(require_fast_deep_equal());
 var semver7 = __toESM(require_semver2());

-// node_modules/uuid/dist/stringify.js
+// node_modules/uuid/dist-node/stringify.js
 var byteToHex = [];
 for (let i = 0; i < 256; ++i) {
  byteToHex.push((i + 256).toString(16).slice(1));
@@ -91686,7 +91692,7 @@ function unsafeStringify(arr, offset = 0) {
  return (byteToHex[arr[offset + 0]] + byteToHex[arr[offset + 1]] + byteToHex[arr[offset + 2]] + byteToHex[arr[offset + 3]] + "-" + byteToHex[arr[offset + 4]] + byteToHex[arr[offset + 5]] + "-" + byteToHex[arr[offset + 6]] + byteToHex[arr[offset + 7]] + "-" + byteToHex[arr[offset + 8]] + byteToHex[arr[offset + 9]] + "-" + byteToHex[arr[offset + 10]] + byteToHex[arr[offset + 11]] + byteToHex[arr[offset + 12]] + byteToHex[arr[offset + 13]] + byteToHex[arr[offset + 14]] + byteToHex[arr[offset + 15]]).toLowerCase();
 }

-// node_modules/uuid/dist/rng.js
+// node_modules/uuid/dist-node/rng.js
 var import_node_crypto = require("node:crypto");
 var rnds8Pool = new Uint8Array(256);
 var poolPtr = rnds8Pool.length;
@@ -91698,11 +91704,11 @@ function rng() {
  return rnds8Pool.slice(poolPtr, poolPtr += 16);
 }

-// node_modules/uuid/dist/native.js
+// node_modules/uuid/dist-node/native.js
 var import_node_crypto2 = require("node:crypto");
 var native_default = { randomUUID: import_node_crypto2.randomUUID };

-// node_modules/uuid/dist/v4.js
+// node_modules/uuid/dist-node/v4.js
 function _v4(options, buf, offset) {
  options = options || {};
  const rnds = options.random ?? options.rng?.() ?? rng();
@@ -93241,7 +93247,7 @@ function getDefaultCacheConfig() {
 async function makeGlobber(patterns) {
  return glob.create(patterns.join("\n"));
 }
-async function uploadDependencyCaches(config, logger) {
+async function uploadDependencyCaches(config, logger, minimizeJavaJars) {
  for (const language of config.languages) {
    const cacheConfig = getDefaultCacheConfig()[language];
    if (cacheConfig === void 0) {
@@ -93264,7 +93270,7 @@ async function uploadDependencyCaches(config, logger) {
      );
      continue;
    }
-    const key = await cacheKey2(language, cacheConfig);
+    const key = await cacheKey2(language, cacheConfig, minimizeJavaJars);
    logger.info(
      `Uploading cache of size ${size} for ${language} with key ${key}...`
    );
@@ -93282,17 +93288,20 @@ async function uploadDependencyCaches(config, logger) {
    }
  }
 }
-async function cacheKey2(language, cacheConfig) {
+async function cacheKey2(language, cacheConfig, minimizeJavaJars = false) {
  const hash2 = await glob.hashFiles(cacheConfig.hash.join("\n"));
-  return `${await cachePrefix2(language)}${hash2}`;
+  return `${await cachePrefix2(language, minimizeJavaJars)}${hash2}`;
 }
-async function cachePrefix2(language) {
+async function cachePrefix2(language, minimizeJavaJars) {
  const runnerOs = getRequiredEnvParam("RUNNER_OS");
  const customPrefix = process.env["CODEQL_ACTION_DEPENDENCY_CACHE_PREFIX" /* DEPENDENCY_CACHING_PREFIX */];
  let prefix = CODEQL_DEPENDENCY_CACHE_PREFIX;
  if (customPrefix !== void 0 && customPrefix.length > 0) {
    prefix = `${prefix}-${customPrefix}`;
  }
+  if (language === "java" /* java */ && minimizeJavaJars) {
+    prefix = `minify-${prefix}`;
+  }
  return `${prefix}-${CODEQL_DEPENDENCY_CACHE_VERSION}-${runnerOs}-${language}-`;
 }

@@ -95581,113 +95590,98 @@ function buildPayload(commitOid, ref, analysisKey, analysisName, zippedSarif, wo
  }
  return payloadObj;
 }
-async function maybeUploadFiles(inputSarifPath, checkoutPath, category, features, logger, uploadTarget, uploadKind) {
+async function uploadFiles(inputSarifPath, checkoutPath, category, features, logger, uploadTarget) {
  const sarifPaths = getSarifFilePaths(
    inputSarifPath,
    uploadTarget.sarifPredicate
  );
-  return maybeUploadSpecifiedFiles(
+  return uploadSpecifiedFiles(
    sarifPaths,
    checkoutPath,
    category,
    features,
    logger,
-    uploadTarget,
-    uploadKind
+    uploadTarget
  );
 }
-async function maybeUploadSpecifiedFiles(sarifPaths, checkoutPath, category, features, logger, uploadTarget, uploadKind) {
+async function uploadSpecifiedFiles(sarifPaths, checkoutPath, category, features, logger, uploadTarget) {
+  logger.startGroup(`Uploading ${uploadTarget.name} results`);
+  logger.info(`Processing sarif files: ${JSON.stringify(sarifPaths)}`);
+  const gitHubVersion = await getGitHubVersion();
+  let sarif;
+  if (sarifPaths.length > 1) {
+    for (const sarifPath of sarifPaths) {
+      const parsedSarif = readSarifFile(sarifPath);
+      validateSarifFileSchema(parsedSarif, sarifPath, logger);
+    }
+    sarif = await combineSarifFilesUsingCLI(
+      sarifPaths,
+      gitHubVersion,
+      features,
+      logger
+    );
+  } else {
+    const sarifPath = sarifPaths[0];
+    sarif = readSarifFile(sarifPath);
+    validateSarifFileSchema(sarif, sarifPath, logger);
+    await throwIfCombineSarifFilesDisabled([sarif], gitHubVersion);
+  }
+  sarif = filterAlertsByDiffRange(logger, sarif);
+  sarif = await addFingerprints(sarif, checkoutPath, logger);
+  const analysisKey = await getAnalysisKey();
+  const environment = getRequiredInput("matrix");
+  sarif = populateRunAutomationDetails(
+    sarif,
+    category,
+    analysisKey,
+    environment
+  );
+  const toolNames = getToolNames(sarif);
+  logger.debug(`Validating that each SARIF run has a unique category`);
+  validateUniqueCategory(sarif, uploadTarget.sentinelPrefix);
+  logger.debug(`Serializing SARIF for upload`);
+  const sarifPayload = JSON.stringify(sarif);
  const dumpDir = process.env["CODEQL_ACTION_SARIF_DUMP_DIR" /* SARIF_DUMP_DIR */];
-  const upload = uploadKind === "always";
-  if (!upload && !dumpDir) {
-    logger.info(`Skipping upload of ${uploadTarget.name} results`);
-    return void 0;
-  }
-  logger.startGroup(`Processing ${uploadTarget.name} results`);
-  try {
-    logger.info(`Processing sarif files: ${JSON.stringify(sarifPaths)}`);
-    const gitHubVersion = await getGitHubVersion();
-    let sarif;
-    if (sarifPaths.length > 1) {
-      for (const sarifPath of sarifPaths) {
-        const parsedSarif = readSarifFile(sarifPath);
-        validateSarifFileSchema(parsedSarif, sarifPath, logger);
-      }
-      sarif = await combineSarifFilesUsingCLI(
-        sarifPaths,
-        gitHubVersion,
-        features,
-        logger
-      );
-    } else {
-      const sarifPath = sarifPaths[0];
-      sarif = readSarifFile(sarifPath);
-      validateSarifFileSchema(sarif, sarifPath, logger);
-      await throwIfCombineSarifFilesDisabled([sarif], gitHubVersion);
-    }
-    sarif = filterAlertsByDiffRange(logger, sarif);
-    sarif = await addFingerprints(sarif, checkoutPath, logger);
-    const analysisKey = await getAnalysisKey();
-    const environment = getRequiredInput("matrix");
-    sarif = populateRunAutomationDetails(
-      sarif,
-      category,
-      analysisKey,
-      environment
-    );
-    const toolNames = getToolNames(sarif);
-    logger.debug(`Validating that each SARIF run has a unique category`);
-    validateUniqueCategory(sarif, uploadTarget.sentinelPrefix);
-    logger.debug(`Serializing SARIF for upload`);
-    const sarifPayload = JSON.stringify(sarif);
-    if (dumpDir) {
-      dumpSarifFile(sarifPayload, dumpDir, logger, uploadTarget);
-    }
-    if (!upload) {
-      logger.info(
-        `Skipping upload of ${uploadTarget.name} results because upload kind is "${uploadKind}"`
-      );
-      return void 0;
-    }
-    logger.debug(`Compressing serialized SARIF`);
-    const zippedSarif = import_zlib.default.gzipSync(sarifPayload).toString("base64");
-    const checkoutURI = url.pathToFileURL(checkoutPath).href;
-    const payload = buildPayload(
-      await getCommitOid(checkoutPath),
-      await getRef(),
-      analysisKey,
-      getRequiredEnvParam("GITHUB_WORKFLOW"),
-      zippedSarif,
-      getWorkflowRunID(),
-      getWorkflowRunAttempt(),
-      checkoutURI,
-      environment,
-      toolNames,
-      await determineBaseBranchHeadCommitOid()
-    );
-    const rawUploadSizeBytes = sarifPayload.length;
-    logger.debug(`Raw upload size: ${rawUploadSizeBytes} bytes`);
-    const zippedUploadSizeBytes = zippedSarif.length;
-    logger.debug(`Base64 zipped upload size: ${zippedUploadSizeBytes} bytes`);
-    const numResultInSarif = countResultsInSarif(sarifPayload);
-    logger.debug(`Number of results in upload: ${numResultInSarif}`);
-    const sarifID = await uploadPayload(
-      payload,
-      getRepositoryNwo(),
-      logger,
-      uploadTarget.target
-    );
-    return {
-      statusReport: {
-        raw_upload_size_bytes: rawUploadSizeBytes,
-        zipped_upload_size_bytes: zippedUploadSizeBytes,
-        num_results_in_sarif: numResultInSarif
-      },
-      sarifID
-    };
-  } finally {
-    logger.endGroup();
+  if (dumpDir) {
+    dumpSarifFile(sarifPayload, dumpDir, logger, uploadTarget);
  }
+  logger.debug(`Compressing serialized SARIF`);
+  const zippedSarif = import_zlib.default.gzipSync(sarifPayload).toString("base64");
+  const checkoutURI = url.pathToFileURL(checkoutPath).href;
+  const payload = buildPayload(
+    await getCommitOid(checkoutPath),
+    await getRef(),
+    analysisKey,
+    getRequiredEnvParam("GITHUB_WORKFLOW"),
+    zippedSarif,
+    getWorkflowRunID(),
+    getWorkflowRunAttempt(),
+    checkoutURI,
+    environment,
+    toolNames,
+    await determineBaseBranchHeadCommitOid()
+  );
+  const rawUploadSizeBytes = sarifPayload.length;
+  logger.debug(`Raw upload size: ${rawUploadSizeBytes} bytes`);
+  const zippedUploadSizeBytes = zippedSarif.length;
+  logger.debug(`Base64 zipped upload size: ${zippedUploadSizeBytes} bytes`);
+  const numResultInSarif = countResultsInSarif(sarifPayload);
+  logger.debug(`Number of results in upload: ${numResultInSarif}`);
+  const sarifID = await uploadPayload(
+    payload,
+    getRepositoryNwo(),
+    logger,
+    uploadTarget.target
+  );
+  logger.endGroup();
+  return {
+    statusReport: {
+      raw_upload_size_bytes: rawUploadSizeBytes,
+      zipped_upload_size_bytes: zippedUploadSizeBytes,
+      num_results_in_sarif: numResultInSarif
+    },
+    sarifID
+  };
 }
 function dumpSarifFile(sarifPayload, outputDir, logger, uploadTarget) {
  if (!fs18.existsSync(outputDir)) {
@@ -96048,26 +96042,21 @@ async function run() {
    }
    core14.setOutput("db-locations", dbLocations);
    core14.setOutput("sarif-output", import_path4.default.resolve(outputDir));
-    const uploadInput = getUploadValue(
-      getOptionalInput("upload")
-    );
-    if (runStats) {
+    const uploadInput = getOptionalInput("upload");
+    if (runStats && getUploadValue(uploadInput) === "always") {
      if (isCodeScanningEnabled(config)) {
-        uploadResult = await maybeUploadFiles(
+        uploadResult = await uploadFiles(
          outputDir,
          getRequiredInput("checkout_path"),
          getOptionalInput("category"),
          features,
          logger,
-          CodeScanning,
-          uploadInput
+          CodeScanning
        );
-        if (uploadResult) {
-          core14.setOutput("sarif-id", uploadResult.sarifID);
-        }
+        core14.setOutput("sarif-id", uploadResult.sarifID);
      }
      if (isCodeQualityEnabled(config)) {
-        const qualityUploadResult = await maybeUploadFiles(
+        const qualityUploadResult = await uploadFiles(
          outputDir,
          getRequiredInput("checkout_path"),
          fixCodeQualityCategory(
@@ -96076,15 +96065,12 @@ async function run() {
          ),
          features,
          logger,
-          CodeQuality,
-          uploadInput
+          CodeQuality
        );
-        if (qualityUploadResult) {
-          core14.setOutput("quality-sarif-id", qualityUploadResult.sarifID);
-        }
+        core14.setOutput("quality-sarif-id", qualityUploadResult.sarifID);
      }
    } else {
-      logger.info("No query status report, skipping upload");
+      logger.info("Not uploading results");
    }
    await uploadOverlayBaseDatabaseToCache(codeql, config, logger);
    await uploadDatabases(repositoryNwo, codeql, config, apiDetails, logger);
@@ -96097,7 +96083,11 @@ async function run() {
      logger
    );
    if (shouldStoreCache(config.dependencyCachingEnabled)) {
-      await uploadDependencyCaches(config, logger);
+      const minimizeJavaJars = await features.getValue(
+        "java_minimize_dependency_jars" /* JavaMinimizeDependencyJars */,
+        codeql
+      );
+      await uploadDependencyCaches(config, logger, minimizeJavaJars);
    }
    if (isInTestMode()) {
      logger.debug("In test mode. Waiting for processing is disabled.");
@@ -26486,7 +26486,7 @@ var require_package = __commonJS({
        "node-forge": "^1.3.1",
        octokit: "^5.0.3",
        semver: "^7.7.2",
-        uuid: "^12.0.0"
+        uuid: "^13.0.0"
      },
      devDependencies: {
        "@ava/typescript": "6.0.0",
@@ -26536,7 +26536,8 @@ var require_package = __commonJS({
        },
        "eslint-plugin-jsx-a11y": {
          semver: ">=6.3.1"
-        }
+        },
+        "brace-expansion@2.0.1": "2.0.2"
      }
    };
  }
@@ -78656,6 +78657,11 @@ var featureConfig = {
    envVar: "CODEQL_ACTION_QA_TELEMETRY",
    legacyApi: true,
    minimumVersion: void 0
+  },
+  ["java_minimize_dependency_jars" /* JavaMinimizeDependencyJars */]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_JAVA_MINIMIZE_DEPENDENCY_JARS",
+    minimumVersion: "2.23.0"
  }
 };
 var FEATURE_FLAGS_FILE_NAME = "cached-feature-flags.json";
@@ -32335,7 +32335,7 @@ var require_package = __commonJS({
        "node-forge": "^1.3.1",
        octokit: "^5.0.3",
        semver: "^7.7.2",
-        uuid: "^12.0.0"
+        uuid: "^13.0.0"
      },
      devDependencies: {
        "@ava/typescript": "6.0.0",
@@ -32385,7 +32385,8 @@ var require_package = __commonJS({
        },
        "eslint-plugin-jsx-a11y": {
          semver: ">=6.3.1"
-        }
+        },
+        "brace-expansion@2.0.1": "2.0.2"
      }
    };
  }
@@ -83534,7 +83535,7 @@ var require_brace_expansion2 = __commonJS({
        var isSequence = isNumericSequence || isAlphaSequence;
        var isOptions = m.body.indexOf(",") >= 0;
        if (!isSequence && !isOptions) {
-          if (m.post.match(/,.*\}/)) {
+          if (m.post.match(/,(?!,).*\}/)) {
            str2 = m.pre + "{" + m.body + escClose + m.post;
            return expand(str2);
          }
@@ -129251,6 +129252,11 @@ var featureConfig = {
    envVar: "CODEQL_ACTION_QA_TELEMETRY",
    legacyApi: true,
    minimumVersion: void 0
+  },
+  ["java_minimize_dependency_jars" /* JavaMinimizeDependencyJars */]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_JAVA_MINIMIZE_DEPENDENCY_JARS",
+    minimumVersion: "2.23.0"
  }
 };
 var FEATURE_FLAGS_FILE_NAME = "cached-feature-flags.json";
@@ -129620,7 +129626,7 @@ var toolcache3 = __toESM(require_tool_cache());
 var import_fast_deep_equal = __toESM(require_fast_deep_equal());
 var semver7 = __toESM(require_semver2());

-// node_modules/uuid/dist/stringify.js
+// node_modules/uuid/dist-node/stringify.js
 var byteToHex = [];
 for (let i = 0; i < 256; ++i) {
  byteToHex.push((i + 256).toString(16).slice(1));
@@ -129629,7 +129635,7 @@ function unsafeStringify(arr, offset = 0) {
  return (byteToHex[arr[offset + 0]] + byteToHex[arr[offset + 1]] + byteToHex[arr[offset + 2]] + byteToHex[arr[offset + 3]] + "-" + byteToHex[arr[offset + 4]] + byteToHex[arr[offset + 5]] + "-" + byteToHex[arr[offset + 6]] + byteToHex[arr[offset + 7]] + "-" + byteToHex[arr[offset + 8]] + byteToHex[arr[offset + 9]] + "-" + byteToHex[arr[offset + 10]] + byteToHex[arr[offset + 11]] + byteToHex[arr[offset + 12]] + byteToHex[arr[offset + 13]] + byteToHex[arr[offset + 14]] + byteToHex[arr[offset + 15]]).toLowerCase();
 }

-// node_modules/uuid/dist/rng.js
+// node_modules/uuid/dist-node/rng.js
 var import_node_crypto = require("node:crypto");
 var rnds8Pool = new Uint8Array(256);
 var poolPtr = rnds8Pool.length;
@@ -129641,11 +129647,11 @@ function rng() {
  return rnds8Pool.slice(poolPtr, poolPtr += 16);
 }

-// node_modules/uuid/dist/native.js
+// node_modules/uuid/dist-node/native.js
 var import_node_crypto2 = require("node:crypto");
 var native_default = { randomUUID: import_node_crypto2.randomUUID };

-// node_modules/uuid/dist/v4.js
+// node_modules/uuid/dist-node/v4.js
 function _v4(options, buf, offset) {
  options = options || {};
  const rnds = options.random ?? options.rng?.() ?? rng();
@@ -133019,123 +133025,97 @@ function buildPayload(commitOid, ref, analysisKey, analysisName, zippedSarif, wo
  return payloadObj;
 }
 async function uploadFiles(inputSarifPath, checkoutPath, category, features, logger, uploadTarget) {
-  return maybeUploadFiles(
-    inputSarifPath,
-    checkoutPath,
-    category,
-    features,
-    logger,
-    uploadTarget,
-    "always"
-  );
-}
-async function maybeUploadFiles(inputSarifPath, checkoutPath, category, features, logger, uploadTarget, uploadKind) {
  const sarifPaths = getSarifFilePaths(
    inputSarifPath,
    uploadTarget.sarifPredicate
  );
-  return maybeUploadSpecifiedFiles(
+  return uploadSpecifiedFiles(
    sarifPaths,
    checkoutPath,
    category,
    features,
    logger,
-    uploadTarget,
-    uploadKind
+    uploadTarget
  );
 }
-async function maybeUploadSpecifiedFiles(sarifPaths, checkoutPath, category, features, logger, uploadTarget, uploadKind) {
+async function uploadSpecifiedFiles(sarifPaths, checkoutPath, category, features, logger, uploadTarget) {
+  logger.startGroup(`Uploading ${uploadTarget.name} results`);
+  logger.info(`Processing sarif files: ${JSON.stringify(sarifPaths)}`);
+  const gitHubVersion = await getGitHubVersion();
+  let sarif;
+  if (sarifPaths.length > 1) {
+    for (const sarifPath of sarifPaths) {
+      const parsedSarif = readSarifFile(sarifPath);
+      validateSarifFileSchema(parsedSarif, sarifPath, logger);
+    }
+    sarif = await combineSarifFilesUsingCLI(
+      sarifPaths,
+      gitHubVersion,
+      features,
+      logger
+    );
+  } else {
+    const sarifPath = sarifPaths[0];
+    sarif = readSarifFile(sarifPath);
+    validateSarifFileSchema(sarif, sarifPath, logger);
+    await throwIfCombineSarifFilesDisabled([sarif], gitHubVersion);
+  }
+  sarif = filterAlertsByDiffRange(logger, sarif);
+  sarif = await addFingerprints(sarif, checkoutPath, logger);
+  const analysisKey = await getAnalysisKey();
+  const environment = getRequiredInput("matrix");
+  sarif = populateRunAutomationDetails(
+    sarif,
+    category,
+    analysisKey,
+    environment
+  );
+  const toolNames = getToolNames(sarif);
+  logger.debug(`Validating that each SARIF run has a unique category`);
+  validateUniqueCategory(sarif, uploadTarget.sentinelPrefix);
+  logger.debug(`Serializing SARIF for upload`);
+  const sarifPayload = JSON.stringify(sarif);
  const dumpDir = process.env["CODEQL_ACTION_SARIF_DUMP_DIR" /* SARIF_DUMP_DIR */];
-  const upload = uploadKind === "always";
-  if (!upload && !dumpDir) {
-    logger.info(`Skipping upload of ${uploadTarget.name} results`);
-    return void 0;
-  }
-  logger.startGroup(`Processing ${uploadTarget.name} results`);
-  try {
-    logger.info(`Processing sarif files: ${JSON.stringify(sarifPaths)}`);
-    const gitHubVersion = await getGitHubVersion();
-    let sarif;
-    if (sarifPaths.length > 1) {
-      for (const sarifPath of sarifPaths) {
-        const parsedSarif = readSarifFile(sarifPath);
-        validateSarifFileSchema(parsedSarif, sarifPath, logger);
-      }
-      sarif = await combineSarifFilesUsingCLI(
-        sarifPaths,
-        gitHubVersion,
-        features,
-        logger
-      );
-    } else {
-      const sarifPath = sarifPaths[0];
-      sarif = readSarifFile(sarifPath);
-      validateSarifFileSchema(sarif, sarifPath, logger);
-      await throwIfCombineSarifFilesDisabled([sarif], gitHubVersion);
-    }
-    sarif = filterAlertsByDiffRange(logger, sarif);
-    sarif = await addFingerprints(sarif, checkoutPath, logger);
-    const analysisKey = await getAnalysisKey();
-    const environment = getRequiredInput("matrix");
-    sarif = populateRunAutomationDetails(
-      sarif,
-      category,
-      analysisKey,
-      environment
-    );
-    const toolNames = getToolNames(sarif);
-    logger.debug(`Validating that each SARIF run has a unique category`);
-    validateUniqueCategory(sarif, uploadTarget.sentinelPrefix);
-    logger.debug(`Serializing SARIF for upload`);
-    const sarifPayload = JSON.stringify(sarif);
-    if (dumpDir) {
-      dumpSarifFile(sarifPayload, dumpDir, logger, uploadTarget);
-    }
-    if (!upload) {
-      logger.info(
-        `Skipping upload of ${uploadTarget.name} results because upload kind is "${uploadKind}"`
-      );
-      return void 0;
-    }
-    logger.debug(`Compressing serialized SARIF`);
-    const zippedSarif = import_zlib.default.gzipSync(sarifPayload).toString("base64");
-    const checkoutURI = url.pathToFileURL(checkoutPath).href;
-    const payload = buildPayload(
-      await getCommitOid(checkoutPath),
-      await getRef(),
-      analysisKey,
-      getRequiredEnvParam("GITHUB_WORKFLOW"),
-      zippedSarif,
-      getWorkflowRunID(),
-      getWorkflowRunAttempt(),
-      checkoutURI,
-      environment,
-      toolNames,
-      await determineBaseBranchHeadCommitOid()
-    );
-    const rawUploadSizeBytes = sarifPayload.length;
-    logger.debug(`Raw upload size: ${rawUploadSizeBytes} bytes`);
-    const zippedUploadSizeBytes = zippedSarif.length;
-    logger.debug(`Base64 zipped upload size: ${zippedUploadSizeBytes} bytes`);
-    const numResultInSarif = countResultsInSarif(sarifPayload);
-    logger.debug(`Number of results in upload: ${numResultInSarif}`);
-    const sarifID = await uploadPayload(
-      payload,
-      getRepositoryNwo(),
-      logger,
-      uploadTarget.target
-    );
-    return {
-      statusReport: {
-        raw_upload_size_bytes: rawUploadSizeBytes,
-        zipped_upload_size_bytes: zippedUploadSizeBytes,
-        num_results_in_sarif: numResultInSarif
-      },
-      sarifID
-    };
-  } finally {
-    logger.endGroup();
+  if (dumpDir) {
+    dumpSarifFile(sarifPayload, dumpDir, logger, uploadTarget);
  }
+  logger.debug(`Compressing serialized SARIF`);
+  const zippedSarif = import_zlib.default.gzipSync(sarifPayload).toString("base64");
+  const checkoutURI = url.pathToFileURL(checkoutPath).href;
+  const payload = buildPayload(
+    await getCommitOid(checkoutPath),
+    await getRef(),
+    analysisKey,
+    getRequiredEnvParam("GITHUB_WORKFLOW"),
+    zippedSarif,
+    getWorkflowRunID(),
+    getWorkflowRunAttempt(),
+    checkoutURI,
+    environment,
+    toolNames,
+    await determineBaseBranchHeadCommitOid()
+  );
+  const rawUploadSizeBytes = sarifPayload.length;
+  logger.debug(`Raw upload size: ${rawUploadSizeBytes} bytes`);
+  const zippedUploadSizeBytes = zippedSarif.length;
+  logger.debug(`Base64 zipped upload size: ${zippedUploadSizeBytes} bytes`);
+  const numResultInSarif = countResultsInSarif(sarifPayload);
+  logger.debug(`Number of results in upload: ${numResultInSarif}`);
+  const sarifID = await uploadPayload(
+    payload,
+    getRepositoryNwo(),
+    logger,
+    uploadTarget.target
+  );
+  logger.endGroup();
+  return {
+    statusReport: {
+      raw_upload_size_bytes: rawUploadSizeBytes,
+      zipped_upload_size_bytes: zippedUploadSizeBytes,
+      num_results_in_sarif: numResultInSarif
+    },
+    sarifID
+  };
 }
 function dumpSarifFile(sarifPayload, outputDir, logger, uploadTarget) {
  if (!fs17.existsSync(outputDir)) {
@@ -32335,7 +32335,7 @@ var require_package = __commonJS({
        "node-forge": "^1.3.1",
        octokit: "^5.0.3",
        semver: "^7.7.2",
-        uuid: "^12.0.0"
+        uuid: "^13.0.0"
      },
      devDependencies: {
        "@ava/typescript": "6.0.0",
@@ -32385,7 +32385,8 @@ var require_package = __commonJS({
        },
        "eslint-plugin-jsx-a11y": {
          semver: ">=6.3.1"
-        }
+        },
+        "brace-expansion@2.0.1": "2.0.2"
      }
    };
  }
@@ -81686,7 +81687,7 @@ var core13 = __toESM(require_core());
 var io6 = __toESM(require_io());
 var semver8 = __toESM(require_semver2());

-// node_modules/uuid/dist/stringify.js
+// node_modules/uuid/dist-node/stringify.js
 var byteToHex = [];
 for (let i = 0; i < 256; ++i) {
  byteToHex.push((i + 256).toString(16).slice(1));
@@ -81695,7 +81696,7 @@ function unsafeStringify(arr, offset = 0) {
  return (byteToHex[arr[offset + 0]] + byteToHex[arr[offset + 1]] + byteToHex[arr[offset + 2]] + byteToHex[arr[offset + 3]] + "-" + byteToHex[arr[offset + 4]] + byteToHex[arr[offset + 5]] + "-" + byteToHex[arr[offset + 6]] + byteToHex[arr[offset + 7]] + "-" + byteToHex[arr[offset + 8]] + byteToHex[arr[offset + 9]] + "-" + byteToHex[arr[offset + 10]] + byteToHex[arr[offset + 11]] + byteToHex[arr[offset + 12]] + byteToHex[arr[offset + 13]] + byteToHex[arr[offset + 14]] + byteToHex[arr[offset + 15]]).toLowerCase();
 }

-// node_modules/uuid/dist/rng.js
+// node_modules/uuid/dist-node/rng.js
 var import_node_crypto = require("node:crypto");
 var rnds8Pool = new Uint8Array(256);
 var poolPtr = rnds8Pool.length;
@@ -81707,11 +81708,11 @@ function rng() {
  return rnds8Pool.slice(poolPtr, poolPtr += 16);
 }

-// node_modules/uuid/dist/native.js
+// node_modules/uuid/dist-node/native.js
 var import_node_crypto2 = require("node:crypto");
 var native_default = { randomUUID: import_node_crypto2.randomUUID };

-// node_modules/uuid/dist/v4.js
+// node_modules/uuid/dist-node/v4.js
 function _v4(options, buf, offset) {
  options = options || {};
  const rnds = options.random ?? options.rng?.() ?? rng();
@@ -86751,6 +86752,11 @@ var featureConfig = {
    envVar: "CODEQL_ACTION_QA_TELEMETRY",
    legacyApi: true,
    minimumVersion: void 0
+  },
+  ["java_minimize_dependency_jars" /* JavaMinimizeDependencyJars */]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_JAVA_MINIMIZE_DEPENDENCY_JARS",
+    minimumVersion: "2.23.0"
  }
 };
 var FEATURE_FLAGS_FILE_NAME = "cached-feature-flags.json";
@@ -87968,7 +87974,7 @@ function getDefaultCacheConfig() {
 async function makeGlobber(patterns) {
  return glob.create(patterns.join("\n"));
 }
-async function downloadDependencyCaches(languages, logger) {
+async function downloadDependencyCaches(languages, logger, minimizeJavaJars) {
  const restoredCaches = [];
  for (const language of languages) {
    const cacheConfig = getDefaultCacheConfig()[language];
@@ -87985,8 +87991,10 @@ async function downloadDependencyCaches(languages, logger) {
      );
      continue;
    }
-    const primaryKey = await cacheKey2(language, cacheConfig);
-    const restoreKeys = [await cachePrefix2(language)];
+    const primaryKey = await cacheKey2(language, cacheConfig, minimizeJavaJars);
+    const restoreKeys = [
+      await cachePrefix2(language, minimizeJavaJars)
+    ];
    logger.info(
      `Downloading cache for ${language} with key ${primaryKey} and restore keys ${restoreKeys.join(
        ", "
@@ -88006,17 +88014,20 @@ async function downloadDependencyCaches(languages, logger) {
  }
  return restoredCaches;
 }
-async function cacheKey2(language, cacheConfig) {
+async function cacheKey2(language, cacheConfig, minimizeJavaJars = false) {
  const hash = await glob.hashFiles(cacheConfig.hash.join("\n"));
-  return `${await cachePrefix2(language)}${hash}`;
+  return `${await cachePrefix2(language, minimizeJavaJars)}${hash}`;
 }
-async function cachePrefix2(language) {
+async function cachePrefix2(language, minimizeJavaJars) {
  const runnerOs = getRequiredEnvParam("RUNNER_OS");
  const customPrefix = process.env["CODEQL_ACTION_DEPENDENCY_CACHE_PREFIX" /* DEPENDENCY_CACHING_PREFIX */];
  let prefix = CODEQL_DEPENDENCY_CACHE_PREFIX;
  if (customPrefix !== void 0 && customPrefix.length > 0) {
    prefix = `${prefix}-${customPrefix}`;
  }
+  if (language === "java" /* java */ && minimizeJavaJars) {
+    prefix = `minify-${prefix}`;
+  }
  return `${prefix}-${CODEQL_DEPENDENCY_CACHE_VERSION}-${runnerOs}-${language}-`;
 }

@@ -90622,8 +90633,16 @@ exec ${goBinaryPath} "$@"`
        core13.exportVariable(envVar, "false");
      }
    }
+    const minimizeJavaJars = await features.getValue(
+      "java_minimize_dependency_jars" /* JavaMinimizeDependencyJars */,
+      codeql
+    );
    if (shouldRestoreCache(config.dependencyCachingEnabled)) {
-      await downloadDependencyCaches(config.languages, logger);
+      await downloadDependencyCaches(
+        config.languages,
+        logger,
+        minimizeJavaJars
+      );
    }
    if (await codeQlVersionAtLeast(codeql, "2.17.1")) {
    } else {
@@ -90656,6 +90675,16 @@ exec ${goBinaryPath} "$@"`
        core13.exportVariable("CODEQL_EXTRACTOR_PYTHON_EXTRACT_STDLIB", "true");
      }
    }
+    if (process.env["CODEQL_EXTRACTOR_JAVA_OPTION_MINIMIZE_DEPENDENCY_JARS" /* JAVA_EXTRACTOR_MINIMIZE_DEPENDENCY_JARS */]) {
+      logger.debug(
+        `${"CODEQL_EXTRACTOR_JAVA_OPTION_MINIMIZE_DEPENDENCY_JARS" /* JAVA_EXTRACTOR_MINIMIZE_DEPENDENCY_JARS */} is already set to '${process.env["CODEQL_EXTRACTOR_JAVA_OPTION_MINIMIZE_DEPENDENCY_JARS" /* JAVA_EXTRACTOR_MINIMIZE_DEPENDENCY_JARS */]}', so the Action will not override it.`
+      );
+    } else if (minimizeJavaJars && config.dependencyCachingEnabled && config.buildMode === "none" /* None */ && config.languages.includes("java" /* java */)) {
+      core13.exportVariable(
+        "CODEQL_EXTRACTOR_JAVA_OPTION_MINIMIZE_DEPENDENCY_JARS" /* JAVA_EXTRACTOR_MINIMIZE_DEPENDENCY_JARS */,
+        "true"
+      );
+    }
    const { registriesAuthTokens, qlconfigFile } = await generateRegistries(
      getOptionalInput("registries"),
      config.tempDir,
@@ -26486,7 +26486,7 @@ var require_package = __commonJS({
        "node-forge": "^1.3.1",
        octokit: "^5.0.3",
        semver: "^7.7.2",
-        uuid: "^12.0.0"
+        uuid: "^13.0.0"
      },
      devDependencies: {
        "@ava/typescript": "6.0.0",
@@ -26536,7 +26536,8 @@ var require_package = __commonJS({
        },
        "eslint-plugin-jsx-a11y": {
          semver: ">=6.3.1"
-        }
+        },
+        "brace-expansion@2.0.1": "2.0.2"
      }
    };
  }
@@ -78647,6 +78648,11 @@ var featureConfig = {
    envVar: "CODEQL_ACTION_QA_TELEMETRY",
    legacyApi: true,
    minimumVersion: void 0
+  },
+  ["java_minimize_dependency_jars" /* JavaMinimizeDependencyJars */]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_JAVA_MINIMIZE_DEPENDENCY_JARS",
+    minimumVersion: "2.23.0"
  }
 };

@@ -26486,7 +26486,7 @@ var require_package = __commonJS({
        "node-forge": "^1.3.1",
        octokit: "^5.0.3",
        semver: "^7.7.2",
-        uuid: "^12.0.0"
+        uuid: "^13.0.0"
      },
      devDependencies: {
        "@ava/typescript": "6.0.0",
@@ -26536,7 +26536,8 @@ var require_package = __commonJS({
        },
        "eslint-plugin-jsx-a11y": {
          semver: ">=6.3.1"
-        }
+        },
+        "brace-expansion@2.0.1": "2.0.2"
      }
    };
  }
@@ -76345,7 +76346,7 @@ var require_brace_expansion2 = __commonJS({
        var isSequence = isNumericSequence || isAlphaSequence;
        var isOptions = m.body.indexOf(",") >= 0;
        if (!isSequence && !isOptions) {
-          if (m.post.match(/,.*\}/)) {
+          if (m.post.match(/,(?!,).*\}/)) {
            str2 = m.pre + "{" + m.body + escClose + m.post;
            return expand(str2);
          }
@@ -117327,6 +117328,11 @@ var featureConfig = {
    envVar: "CODEQL_ACTION_QA_TELEMETRY",
    legacyApi: true,
    minimumVersion: void 0
+  },
+  ["java_minimize_dependency_jars" /* JavaMinimizeDependencyJars */]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_JAVA_MINIMIZE_DEPENDENCY_JARS",
+    minimumVersion: "2.23.0"
  }
 };

@@ -33632,7 +33632,7 @@ var require_package = __commonJS({
        "node-forge": "^1.3.1",
        octokit: "^5.0.3",
        semver: "^7.7.2",
-        uuid: "^12.0.0"
+        uuid: "^13.0.0"
      },
      devDependencies: {
        "@ava/typescript": "6.0.0",
@@ -33682,7 +33682,8 @@ var require_package = __commonJS({
        },
        "eslint-plugin-jsx-a11y": {
          semver: ">=6.3.1"
-        }
+        },
+        "brace-expansion@2.0.1": "2.0.2"
      }
    };
  }
@@ -84782,7 +84783,6 @@ __export(upload_lib_exports, {
  buildPayload: () => buildPayload,
  findSarifFilesInDir: () => findSarifFilesInDir,
  getSarifFilePaths: () => getSarifFilePaths,
-  maybeUploadFiles: () => maybeUploadFiles,
  populateRunAutomationDetails: () => populateRunAutomationDetails,
  readSarifFile: () => readSarifFile,
  shouldConsiderConfigurationError: () => shouldConsiderConfigurationError,
@@ -89344,6 +89344,11 @@ var featureConfig = {
    envVar: "CODEQL_ACTION_QA_TELEMETRY",
    legacyApi: true,
    minimumVersion: void 0
+  },
+  ["java_minimize_dependency_jars" /* JavaMinimizeDependencyJars */]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_JAVA_MINIMIZE_DEPENDENCY_JARS",
+    minimumVersion: "2.23.0"
  }
 };

@@ -89449,7 +89454,7 @@ var toolcache3 = __toESM(require_tool_cache());
 var import_fast_deep_equal = __toESM(require_fast_deep_equal());
 var semver7 = __toESM(require_semver2());

-// node_modules/uuid/dist/stringify.js
+// node_modules/uuid/dist-node/stringify.js
 var byteToHex = [];
 for (let i = 0; i < 256; ++i) {
  byteToHex.push((i + 256).toString(16).slice(1));
@@ -89458,7 +89463,7 @@ function unsafeStringify(arr, offset = 0) {
  return (byteToHex[arr[offset + 0]] + byteToHex[arr[offset + 1]] + byteToHex[arr[offset + 2]] + byteToHex[arr[offset + 3]] + "-" + byteToHex[arr[offset + 4]] + byteToHex[arr[offset + 5]] + "-" + byteToHex[arr[offset + 6]] + byteToHex[arr[offset + 7]] + "-" + byteToHex[arr[offset + 8]] + byteToHex[arr[offset + 9]] + "-" + byteToHex[arr[offset + 10]] + byteToHex[arr[offset + 11]] + byteToHex[arr[offset + 12]] + byteToHex[arr[offset + 13]] + byteToHex[arr[offset + 14]] + byteToHex[arr[offset + 15]]).toLowerCase();
 }

-// node_modules/uuid/dist/rng.js
+// node_modules/uuid/dist-node/rng.js
 var import_node_crypto = require("node:crypto");
 var rnds8Pool = new Uint8Array(256);
 var poolPtr = rnds8Pool.length;
@@ -89470,11 +89475,11 @@ function rng() {
  return rnds8Pool.slice(poolPtr, poolPtr += 16);
 }

-// node_modules/uuid/dist/native.js
+// node_modules/uuid/dist-node/native.js
 var import_node_crypto2 = require("node:crypto");
 var native_default = { randomUUID: import_node_crypto2.randomUUID };

-// node_modules/uuid/dist/v4.js
+// node_modules/uuid/dist-node/v4.js
 function _v4(options, buf, offset) {
  options = options || {};
  const rnds = options.random ?? options.rng?.() ?? rng();
@@ -92392,134 +92397,97 @@ function buildPayload(commitOid, ref, analysisKey, analysisName, zippedSarif, wo
  return payloadObj;
 }
 async function uploadFiles(inputSarifPath, checkoutPath, category, features, logger, uploadTarget) {
-  return maybeUploadFiles(
-    inputSarifPath,
-    checkoutPath,
-    category,
-    features,
-    logger,
-    uploadTarget,
-    "always"
-  );
-}
-async function maybeUploadFiles(inputSarifPath, checkoutPath, category, features, logger, uploadTarget, uploadKind) {
  const sarifPaths = getSarifFilePaths(
    inputSarifPath,
    uploadTarget.sarifPredicate
  );
-  return maybeUploadSpecifiedFiles(
+  return uploadSpecifiedFiles(
    sarifPaths,
    checkoutPath,
    category,
    features,
    logger,
-    uploadTarget,
-    uploadKind
+    uploadTarget
  );
 }
 async function uploadSpecifiedFiles(sarifPaths, checkoutPath, category, features, logger, uploadTarget) {
-  return maybeUploadSpecifiedFiles(
-    sarifPaths,
-    checkoutPath,
+  logger.startGroup(`Uploading ${uploadTarget.name} results`);
+  logger.info(`Processing sarif files: ${JSON.stringify(sarifPaths)}`);
+  const gitHubVersion = await getGitHubVersion();
+  let sarif;
+  if (sarifPaths.length > 1) {
+    for (const sarifPath of sarifPaths) {
+      const parsedSarif = readSarifFile(sarifPath);
+      validateSarifFileSchema(parsedSarif, sarifPath, logger);
+    }
+    sarif = await combineSarifFilesUsingCLI(
+      sarifPaths,
+      gitHubVersion,
+      features,
+      logger
+    );
+  } else {
+    const sarifPath = sarifPaths[0];
+    sarif = readSarifFile(sarifPath);
+    validateSarifFileSchema(sarif, sarifPath, logger);
+    await throwIfCombineSarifFilesDisabled([sarif], gitHubVersion);
+  }
+  sarif = filterAlertsByDiffRange(logger, sarif);
+  sarif = await addFingerprints(sarif, checkoutPath, logger);
+  const analysisKey = await getAnalysisKey();
+  const environment = getRequiredInput("matrix");
+  sarif = populateRunAutomationDetails(
+    sarif,
    category,
-    features,
-    logger,
-    uploadTarget,
-    "always"
+    analysisKey,
+    environment
  );
-}
-async function maybeUploadSpecifiedFiles(sarifPaths, checkoutPath, category, features, logger, uploadTarget, uploadKind) {
+  const toolNames = getToolNames(sarif);
+  logger.debug(`Validating that each SARIF run has a unique category`);
+  validateUniqueCategory(sarif, uploadTarget.sentinelPrefix);
+  logger.debug(`Serializing SARIF for upload`);
+  const sarifPayload = JSON.stringify(sarif);
  const dumpDir = process.env["CODEQL_ACTION_SARIF_DUMP_DIR" /* SARIF_DUMP_DIR */];
-  const upload = uploadKind === "always";
-  if (!upload && !dumpDir) {
-    logger.info(`Skipping upload of ${uploadTarget.name} results`);
-    return void 0;
-  }
-  logger.startGroup(`Processing ${uploadTarget.name} results`);
-  try {
-    logger.info(`Processing sarif files: ${JSON.stringify(sarifPaths)}`);
-    const gitHubVersion = await getGitHubVersion();
-    let sarif;
-    if (sarifPaths.length > 1) {
-      for (const sarifPath of sarifPaths) {
-        const parsedSarif = readSarifFile(sarifPath);
-        validateSarifFileSchema(parsedSarif, sarifPath, logger);
-      }
-      sarif = await combineSarifFilesUsingCLI(
-        sarifPaths,
-        gitHubVersion,
-        features,
-        logger
-      );
-    } else {
-      const sarifPath = sarifPaths[0];
-      sarif = readSarifFile(sarifPath);
-      validateSarifFileSchema(sarif, sarifPath, logger);
-      await throwIfCombineSarifFilesDisabled([sarif], gitHubVersion);
-    }
-    sarif = filterAlertsByDiffRange(logger, sarif);
-    sarif = await addFingerprints(sarif, checkoutPath, logger);
-    const analysisKey = await getAnalysisKey();
-    const environment = getRequiredInput("matrix");
-    sarif = populateRunAutomationDetails(
-      sarif,
-      category,
-      analysisKey,
-      environment
-    );
-    const toolNames = getToolNames(sarif);
-    logger.debug(`Validating that each SARIF run has a unique category`);
-    validateUniqueCategory(sarif, uploadTarget.sentinelPrefix);
-    logger.debug(`Serializing SARIF for upload`);
-    const sarifPayload = JSON.stringify(sarif);
-    if (dumpDir) {
-      dumpSarifFile(sarifPayload, dumpDir, logger, uploadTarget);
-    }
-    if (!upload) {
-      logger.info(
-        `Skipping upload of ${uploadTarget.name} results because upload kind is "${uploadKind}"`
-      );
-      return void 0;
-    }
-    logger.debug(`Compressing serialized SARIF`);
-    const zippedSarif = import_zlib.default.gzipSync(sarifPayload).toString("base64");
-    const checkoutURI = url.pathToFileURL(checkoutPath).href;
-    const payload = buildPayload(
-      await getCommitOid(checkoutPath),
-      await getRef(),
-      analysisKey,
-      getRequiredEnvParam("GITHUB_WORKFLOW"),
-      zippedSarif,
-      getWorkflowRunID(),
-      getWorkflowRunAttempt(),
-      checkoutURI,
-      environment,
-      toolNames,
-      await determineBaseBranchHeadCommitOid()
-    );
-    const rawUploadSizeBytes = sarifPayload.length;
-    logger.debug(`Raw upload size: ${rawUploadSizeBytes} bytes`);
-    const zippedUploadSizeBytes = zippedSarif.length;
-    logger.debug(`Base64 zipped upload size: ${zippedUploadSizeBytes} bytes`);
-    const numResultInSarif = countResultsInSarif(sarifPayload);
-    logger.debug(`Number of results in upload: ${numResultInSarif}`);
-    const sarifID = await uploadPayload(
-      payload,
-      getRepositoryNwo(),
-      logger,
-      uploadTarget.target
-    );
-    return {
-      statusReport: {
-        raw_upload_size_bytes: rawUploadSizeBytes,
-        zipped_upload_size_bytes: zippedUploadSizeBytes,
-        num_results_in_sarif: numResultInSarif
-      },
-      sarifID
-    };
-  } finally {
-    logger.endGroup();
+  if (dumpDir) {
+    dumpSarifFile(sarifPayload, dumpDir, logger, uploadTarget);
  }
+  logger.debug(`Compressing serialized SARIF`);
+  const zippedSarif = import_zlib.default.gzipSync(sarifPayload).toString("base64");
+  const checkoutURI = url.pathToFileURL(checkoutPath).href;
+  const payload = buildPayload(
+    await getCommitOid(checkoutPath),
+    await getRef(),
+    analysisKey,
+    getRequiredEnvParam("GITHUB_WORKFLOW"),
+    zippedSarif,
+    getWorkflowRunID(),
+    getWorkflowRunAttempt(),
+    checkoutURI,
+    environment,
+    toolNames,
+    await determineBaseBranchHeadCommitOid()
+  );
+  const rawUploadSizeBytes = sarifPayload.length;
+  logger.debug(`Raw upload size: ${rawUploadSizeBytes} bytes`);
+  const zippedUploadSizeBytes = zippedSarif.length;
+  logger.debug(`Base64 zipped upload size: ${zippedUploadSizeBytes} bytes`);
+  const numResultInSarif = countResultsInSarif(sarifPayload);
+  logger.debug(`Number of results in upload: ${numResultInSarif}`);
+  const sarifID = await uploadPayload(
+    payload,
+    getRepositoryNwo(),
+    logger,
+    uploadTarget.target
+  );
+  logger.endGroup();
+  return {
+    statusReport: {
+      raw_upload_size_bytes: rawUploadSizeBytes,
+      zipped_upload_size_bytes: zippedUploadSizeBytes,
+      num_results_in_sarif: numResultInSarif
+    },
+    sarifID
+  };
 }
 function dumpSarifFile(sarifPayload, outputDir, logger, uploadTarget) {
  if (!fs13.existsSync(outputDir)) {
@@ -92693,7 +92661,6 @@ function filterAlertsByDiffRange(logger, sarif) {
  buildPayload,
  findSarifFilesInDir,
  getSarifFilePaths,
-  maybeUploadFiles,
  populateRunAutomationDetails,
  readSarifFile,
  shouldConsiderConfigurationError,
@@ -26486,7 +26486,7 @@ var require_package = __commonJS({
        "node-forge": "^1.3.1",
        octokit: "^5.0.3",
        semver: "^7.7.2",
-        uuid: "^12.0.0"
+        uuid: "^13.0.0"
      },
      devDependencies: {
        "@ava/typescript": "6.0.0",
@@ -26536,7 +26536,8 @@ var require_package = __commonJS({
        },
        "eslint-plugin-jsx-a11y": {
          semver: ">=6.3.1"
-        }
+        },
+        "brace-expansion@2.0.1": "2.0.2"
      }
    };
  }
@@ -70467,7 +70468,7 @@ var require_brace_expansion = __commonJS({
        var isSequence = isNumericSequence || isAlphaSequence;
        var isOptions = m.body.indexOf(",") >= 0;
        if (!isSequence && !isOptions) {
-          if (m.post.match(/,.*\}/)) {
+          if (m.post.match(/,(?!,).*\}/)) {
            str2 = m.pre + "{" + m.body + escClose + m.post;
            return expand(str2);
          }
@@ -117492,6 +117493,11 @@ var featureConfig = {
    envVar: "CODEQL_ACTION_QA_TELEMETRY",
    legacyApi: true,
    minimumVersion: void 0
+  },
+  ["java_minimize_dependency_jars" /* JavaMinimizeDependencyJars */]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_JAVA_MINIMIZE_DEPENDENCY_JARS",
+    minimumVersion: "2.23.0"
  }
 };

@@ -32335,7 +32335,7 @@ var require_package = __commonJS({
        "node-forge": "^1.3.1",
        octokit: "^5.0.3",
        semver: "^7.7.2",
-        uuid: "^12.0.0"
+        uuid: "^13.0.0"
      },
      devDependencies: {
        "@ava/typescript": "6.0.0",
@@ -32385,7 +32385,8 @@ var require_package = __commonJS({
        },
        "eslint-plugin-jsx-a11y": {
          semver: ">=6.3.1"
-        }
+        },
+        "brace-expansion@2.0.1": "2.0.2"
      }
    };
  }
@@ -89339,6 +89340,11 @@ var featureConfig = {
    envVar: "CODEQL_ACTION_QA_TELEMETRY",
    legacyApi: true,
    minimumVersion: void 0
+  },
+  ["java_minimize_dependency_jars" /* JavaMinimizeDependencyJars */]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_JAVA_MINIMIZE_DEPENDENCY_JARS",
+    minimumVersion: "2.23.0"
  }
 };
 var FEATURE_FLAGS_FILE_NAME = "cached-feature-flags.json";
@@ -90149,7 +90155,7 @@ var toolcache3 = __toESM(require_tool_cache());
 var import_fast_deep_equal = __toESM(require_fast_deep_equal());
 var semver7 = __toESM(require_semver2());

-// node_modules/uuid/dist/stringify.js
+// node_modules/uuid/dist-node/stringify.js
 var byteToHex = [];
 for (let i = 0; i < 256; ++i) {
  byteToHex.push((i + 256).toString(16).slice(1));
@@ -90158,7 +90164,7 @@ function unsafeStringify(arr, offset = 0) {
  return (byteToHex[arr[offset + 0]] + byteToHex[arr[offset + 1]] + byteToHex[arr[offset + 2]] + byteToHex[arr[offset + 3]] + "-" + byteToHex[arr[offset + 4]] + byteToHex[arr[offset + 5]] + "-" + byteToHex[arr[offset + 6]] + byteToHex[arr[offset + 7]] + "-" + byteToHex[arr[offset + 8]] + byteToHex[arr[offset + 9]] + "-" + byteToHex[arr[offset + 10]] + byteToHex[arr[offset + 11]] + byteToHex[arr[offset + 12]] + byteToHex[arr[offset + 13]] + byteToHex[arr[offset + 14]] + byteToHex[arr[offset + 15]]).toLowerCase();
 }

-// node_modules/uuid/dist/rng.js
+// node_modules/uuid/dist-node/rng.js
 var import_node_crypto = require("node:crypto");
 var rnds8Pool = new Uint8Array(256);
 var poolPtr = rnds8Pool.length;
@@ -90170,11 +90176,11 @@ function rng() {
  return rnds8Pool.slice(poolPtr, poolPtr += 16);
 }

-// node_modules/uuid/dist/native.js
+// node_modules/uuid/dist-node/native.js
 var import_node_crypto2 = require("node:crypto");
 var native_default = { randomUUID: import_node_crypto2.randomUUID };

-// node_modules/uuid/dist/v4.js
+// node_modules/uuid/dist-node/v4.js
 function _v4(options, buf, offset) {
  options = options || {};
  const rnds = options.random ?? options.rng?.() ?? rng();
@@ -93092,134 +93098,97 @@ function buildPayload(commitOid, ref, analysisKey, analysisName, zippedSarif, wo
  return payloadObj;
 }
 async function uploadFiles(inputSarifPath, checkoutPath, category, features, logger, uploadTarget) {
-  return maybeUploadFiles(
-    inputSarifPath,
-    checkoutPath,
-    category,
-    features,
-    logger,
-    uploadTarget,
-    "always"
-  );
-}
-async function maybeUploadFiles(inputSarifPath, checkoutPath, category, features, logger, uploadTarget, uploadKind) {
  const sarifPaths = getSarifFilePaths(
    inputSarifPath,
    uploadTarget.sarifPredicate
  );
-  return maybeUploadSpecifiedFiles(
+  return uploadSpecifiedFiles(
    sarifPaths,
    checkoutPath,
    category,
    features,
    logger,
-    uploadTarget,
-    uploadKind
+    uploadTarget
  );
 }
 async function uploadSpecifiedFiles(sarifPaths, checkoutPath, category, features, logger, uploadTarget) {
-  return maybeUploadSpecifiedFiles(
-    sarifPaths,
-    checkoutPath,
+  logger.startGroup(`Uploading ${uploadTarget.name} results`);
+  logger.info(`Processing sarif files: ${JSON.stringify(sarifPaths)}`);
+  const gitHubVersion = await getGitHubVersion();
+  let sarif;
+  if (sarifPaths.length > 1) {
+    for (const sarifPath of sarifPaths) {
+      const parsedSarif = readSarifFile(sarifPath);
+      validateSarifFileSchema(parsedSarif, sarifPath, logger);
+    }
+    sarif = await combineSarifFilesUsingCLI(
+      sarifPaths,
+      gitHubVersion,
+      features,
+      logger
+    );
+  } else {
+    const sarifPath = sarifPaths[0];
+    sarif = readSarifFile(sarifPath);
+    validateSarifFileSchema(sarif, sarifPath, logger);
+    await throwIfCombineSarifFilesDisabled([sarif], gitHubVersion);
+  }
+  sarif = filterAlertsByDiffRange(logger, sarif);
+  sarif = await addFingerprints(sarif, checkoutPath, logger);
+  const analysisKey = await getAnalysisKey();
+  const environment = getRequiredInput("matrix");
+  sarif = populateRunAutomationDetails(
+    sarif,
    category,
-    features,
-    logger,
-    uploadTarget,
-    "always"
+    analysisKey,
+    environment
  );
-}
-async function maybeUploadSpecifiedFiles(sarifPaths, checkoutPath, category, features, logger, uploadTarget, uploadKind) {
+  const toolNames = getToolNames(sarif);
+  logger.debug(`Validating that each SARIF run has a unique category`);
+  validateUniqueCategory(sarif, uploadTarget.sentinelPrefix);
+  logger.debug(`Serializing SARIF for upload`);
+  const sarifPayload = JSON.stringify(sarif);
  const dumpDir = process.env["CODEQL_ACTION_SARIF_DUMP_DIR" /* SARIF_DUMP_DIR */];
-  const upload = uploadKind === "always";
-  if (!upload && !dumpDir) {
-    logger.info(`Skipping upload of ${uploadTarget.name} results`);
-    return void 0;
-  }
-  logger.startGroup(`Processing ${uploadTarget.name} results`);
-  try {
-    logger.info(`Processing sarif files: ${JSON.stringify(sarifPaths)}`);
-    const gitHubVersion = await getGitHubVersion();
-    let sarif;
-    if (sarifPaths.length > 1) {
-      for (const sarifPath of sarifPaths) {
-        const parsedSarif = readSarifFile(sarifPath);
-        validateSarifFileSchema(parsedSarif, sarifPath, logger);
-      }
-      sarif = await combineSarifFilesUsingCLI(
-        sarifPaths,
-        gitHubVersion,
-        features,
-        logger
-      );
-    } else {
-      const sarifPath = sarifPaths[0];
-      sarif = readSarifFile(sarifPath);
-      validateSarifFileSchema(sarif, sarifPath, logger);
-      await throwIfCombineSarifFilesDisabled([sarif], gitHubVersion);
-    }
-    sarif = filterAlertsByDiffRange(logger, sarif);
-    sarif = await addFingerprints(sarif, checkoutPath, logger);
-    const analysisKey = await getAnalysisKey();
-    const environment = getRequiredInput("matrix");
-    sarif = populateRunAutomationDetails(
-      sarif,
-      category,
-      analysisKey,
-      environment
-    );
-    const toolNames = getToolNames(sarif);
-    logger.debug(`Validating that each SARIF run has a unique category`);
-    validateUniqueCategory(sarif, uploadTarget.sentinelPrefix);
-    logger.debug(`Serializing SARIF for upload`);
-    const sarifPayload = JSON.stringify(sarif);
-    if (dumpDir) {
-      dumpSarifFile(sarifPayload, dumpDir, logger, uploadTarget);
-    }
-    if (!upload) {
-      logger.info(
-        `Skipping upload of ${uploadTarget.name} results because upload kind is "${uploadKind}"`
-      );
-      return void 0;
-    }
-    logger.debug(`Compressing serialized SARIF`);
-    const zippedSarif = import_zlib.default.gzipSync(sarifPayload).toString("base64");
-    const checkoutURI = url.pathToFileURL(checkoutPath).href;
-    const payload = buildPayload(
-      await getCommitOid(checkoutPath),
-      await getRef(),
-      analysisKey,
-      getRequiredEnvParam("GITHUB_WORKFLOW"),
-      zippedSarif,
-      getWorkflowRunID(),
-      getWorkflowRunAttempt(),
-      checkoutURI,
-      environment,
-      toolNames,
-      await determineBaseBranchHeadCommitOid()
-    );
-    const rawUploadSizeBytes = sarifPayload.length;
-    logger.debug(`Raw upload size: ${rawUploadSizeBytes} bytes`);
-    const zippedUploadSizeBytes = zippedSarif.length;
-    logger.debug(`Base64 zipped upload size: ${zippedUploadSizeBytes} bytes`);
-    const numResultInSarif = countResultsInSarif(sarifPayload);
-    logger.debug(`Number of results in upload: ${numResultInSarif}`);
-    const sarifID = await uploadPayload(
-      payload,
-      getRepositoryNwo(),
-      logger,
-      uploadTarget.target
-    );
-    return {
-      statusReport: {
-        raw_upload_size_bytes: rawUploadSizeBytes,
-        zipped_upload_size_bytes: zippedUploadSizeBytes,
-        num_results_in_sarif: numResultInSarif
-      },
-      sarifID
-    };
-  } finally {
-    logger.endGroup();
+  if (dumpDir) {
+    dumpSarifFile(sarifPayload, dumpDir, logger, uploadTarget);
  }
+  logger.debug(`Compressing serialized SARIF`);
+  const zippedSarif = import_zlib.default.gzipSync(sarifPayload).toString("base64");
+  const checkoutURI = url.pathToFileURL(checkoutPath).href;
+  const payload = buildPayload(
+    await getCommitOid(checkoutPath),
+    await getRef(),
+    analysisKey,
+    getRequiredEnvParam("GITHUB_WORKFLOW"),
+    zippedSarif,
+    getWorkflowRunID(),
+    getWorkflowRunAttempt(),
+    checkoutURI,
+    environment,
+    toolNames,
+    await determineBaseBranchHeadCommitOid()
+  );
+  const rawUploadSizeBytes = sarifPayload.length;
+  logger.debug(`Raw upload size: ${rawUploadSizeBytes} bytes`);
+  const zippedUploadSizeBytes = zippedSarif.length;
+  logger.debug(`Base64 zipped upload size: ${zippedUploadSizeBytes} bytes`);
+  const numResultInSarif = countResultsInSarif(sarifPayload);
+  logger.debug(`Number of results in upload: ${numResultInSarif}`);
+  const sarifID = await uploadPayload(
+    payload,
+    getRepositoryNwo(),
+    logger,
+    uploadTarget.target
+  );
+  logger.endGroup();
+  return {
+    statusReport: {
+      raw_upload_size_bytes: rawUploadSizeBytes,
+      zipped_upload_size_bytes: zippedUploadSizeBytes,
+      num_results_in_sarif: numResultInSarif
+    },
+    sarifID
+  };
 }
 function dumpSarifFile(sarifPayload, outputDir, logger, uploadTarget) {
  if (!fs14.existsSync(outputDir)) {
@@ -34,7 +34,7 @@
        "node-forge": "^1.3.1",
        "octokit": "^5.0.3",
        "semver": "^7.7.2",
-        "uuid": "^12.0.0"
+        "uuid": "^13.0.0"
      },
      "devDependencies": {
        "@ava/typescript": "6.0.0",
@@ -3164,9 +3164,9 @@
      }
    },
    "node_modules/@typescript-eslint/typescript-estree/node_modules/brace-expansion": {
-      "version": "2.0.1",
-      "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-2.0.1.tgz",
-      "integrity": "sha512-XnAIvQ8eM+kC6aULx6wuQiwVsnzsi9d3WxzV3FpWTGA19F621kwdbsAcFKXgKUHZWsy+mY6iL1sHTxWEFCytDA==",
+      "version": "2.0.2",
+      "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-2.0.2.tgz",
+      "integrity": "sha512-Jt0vHyM+jmUBqojB7E1NIYadt0vI0Qxjxd2TErW94wDz+E2LAm5vKMXXwg6ZZBTHPuUlDgQHKXvjGBdfcF1ZDQ==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
@@ -7792,9 +7792,9 @@
      }
    },
    "node_modules/readdir-glob/node_modules/brace-expansion": {
-      "version": "2.0.1",
-      "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-2.0.1.tgz",
-      "integrity": "sha512-XnAIvQ8eM+kC6aULx6wuQiwVsnzsi9d3WxzV3FpWTGA19F621kwdbsAcFKXgKUHZWsy+mY6iL1sHTxWEFCytDA==",
+      "version": "2.0.2",
+      "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-2.0.2.tgz",
+      "integrity": "sha512-Jt0vHyM+jmUBqojB7E1NIYadt0vI0Qxjxd2TErW94wDz+E2LAm5vKMXXwg6ZZBTHPuUlDgQHKXvjGBdfcF1ZDQ==",
      "license": "MIT",
      "dependencies": {
        "balanced-match": "^1.0.0"
@@ -9076,16 +9076,16 @@
      "license": "MIT"
    },
    "node_modules/uuid": {
-      "version": "12.0.0",
-      "resolved": "https://registry.npmjs.org/uuid/-/uuid-12.0.0.tgz",
-      "integrity": "sha512-USe1zesMYh4fjCA8ZH5+X5WIVD0J4V1Jksm1bFTVBX2F/cwSXt0RO5w/3UXbdLKmZX65MiWV+hwhSS8p6oBTGA==",
+      "version": "13.0.0",
+      "resolved": "https://registry.npmjs.org/uuid/-/uuid-13.0.0.tgz",
+      "integrity": "sha512-XQegIaBTVUjSHliKqcnFqYypAd4S+WCYt5NIeRs6w/UAry7z8Y9j5ZwRRL4kzq9U3sD6v+85er9FvkEaBpji2w==",
      "funding": [
        "https://github.com/sponsors/broofa",
        "https://github.com/sponsors/ctavan"
      ],
      "license": "MIT",
      "bin": {
-        "uuid": "dist/bin/uuid"
+        "uuid": "dist-node/bin/uuid"
      }
    },
    "node_modules/webidl-conversions": {
@@ -48,7 +48,7 @@
    "node-forge": "^1.3.1",
    "octokit": "^5.0.3",
    "semver": "^7.7.2",
-    "uuid": "^12.0.0"
+    "uuid": "^13.0.0"
  },
  "devDependencies": {
    "@ava/typescript": "6.0.0",
@@ -98,6 +98,7 @@
    },
    "eslint-plugin-jsx-a11y": {
      "semver": ">=6.3.1"
-    }
+    },
+    "brace-expansion@2.0.1": "2.0.2"
  }
 }
@@ -12,6 +12,5 @@ steps:
      languages: cpp,csharp,go,java,javascript,python,ruby
      tools: ${{ steps.prepare-test.outputs.tools-url }}
  - name: Build code
-    shell: bash
    run: ./build.sh
  - uses: ./../action/analyze
@@ -9,7 +9,6 @@ steps:
      languages: cpp,csharp,java,javascript,python
      config-file: ${{ github.repository }}/tests/multi-language-repo/.github/codeql/custom-queries.yml@${{ github.sha }}
  - name: Build code
-    shell: bash
    run: ./build.sh
  - uses: ./../action/analyze
    with:
@@ -17,7 +17,6 @@ steps:
      CORECLR_PROFILER_PATH_64: ""
  - uses: ./../action/analyze
  - name: Check database
-    shell: bash
    run: |
      cd "$RUNNER_TEMP/codeql_databases"
      if [[ ! -d csharp ]]; then
@@ -10,7 +10,6 @@ env:
  CODEQL_ACTION_AUTOBUILD_BUILD_MODE_DIRECT_TRACING: true
 steps:
  - name: Test setup
-    shell: bash
    run: |
      # Make sure that Gradle build succeeds in autobuild-dir ...
      cp -a ../action/tests/java-repo autobuild-dir
@@ -22,7 +21,6 @@ steps:
      languages: java
      tools: ${{ steps.prepare-test.outputs.tools-url }}
  - name: Check that indirect tracing is disabled
-    shell: bash
    run: |
      if [[ ! -z "${CODEQL_RUNNER}" ]]; then
        echo "Expected indirect tracing to be disabled, but the" \
@@ -7,7 +7,6 @@ env:
  CODEQL_ACTION_AUTOBUILD_BUILD_MODE_DIRECT_TRACING: true
 steps:
  - name: Set up Java test repo configuration
-    shell: bash
    run: |
      mv * .github ../action/tests/multi-language-repo/
      mv ../action/tests/multi-language-repo/.github/workflows .github
@@ -22,7 +21,6 @@ steps:
      tools: ${{ steps.prepare-test.outputs.tools-url }}

  - name: Check that indirect tracing is disabled
-    shell: bash
    run: |
      if [[ ! -z "${CODEQL_RUNNER}" ]]; then
        echo "Expected indirect tracing to be disabled, but the" \
@@ -22,7 +22,6 @@ steps:
      fi

  - name: Build code
-    shell: bash
    run: ./build.sh

  - uses: ./../action/analyze
@@ -6,7 +6,6 @@ env:
  DOTNET_GENERATE_ASPNET_CERTIFICATE: "false"
 steps:
  - name: Test setup
-    shell: bash
    run: |
      cp -a ../action/tests/cpp-autobuild autobuild-dir
  - uses: ./../action/init
@@ -18,8 +17,7 @@ steps:
      working-directory: autobuild-dir
    env:
      CODEQL_EXTRACTOR_CPP_AUTOINSTALL_DEPENDENCIES: false
-  - shell: bash
-    run: |
+  - run: |
      if ls /usr/bin/errno; then
        echo "C/C++ autobuild installed errno, but it should not have since auto-install dependencies is disabled."
        exit 1
@@ -6,7 +6,6 @@ env:
  DOTNET_GENERATE_ASPNET_CERTIFICATE: "false"
 steps:
  - name: Test setup
-    shell: bash
    run: |
      cp -a ../action/tests/cpp-autobuild autobuild-dir
  - uses: ./../action/init
@@ -18,8 +17,7 @@ steps:
      working-directory: autobuild-dir
    env:
      CODEQL_EXTRACTOR_CPP_AUTOINSTALL_DEPENDENCIES: true
-  - shell: bash
-    run: |
+  - run: |
      if ! ls /usr/bin/errno; then
        echo "As expected, CODEQL_EXTRACTOR_CPP_AUTOINSTALL_DEPENDENCIES is a no-op on macOS"
      else
@@ -6,7 +6,6 @@ env:
  DOTNET_GENERATE_ASPNET_CERTIFICATE: "false"
 steps:
  - name: Test setup
-    shell: bash
    run: |
      cp -a ../action/tests/cpp-autobuild autobuild-dir
  - uses: ./../action/init
@@ -18,8 +17,7 @@ steps:
      working-directory: autobuild-dir
    env:
      CODEQL_EXTRACTOR_CPP_AUTOINSTALL_DEPENDENCIES: true
-  - shell: bash
-    run: |
+  - run: |
      if ! ls /usr/bin/errno; then
        echo "Did not autoinstall errno"
        exit 1
@@ -10,7 +10,6 @@ steps:
      languages: javascript
      tools: ${{ steps.prepare-test.outputs.tools-url }}
  - name: Add test diagnostics
-    shell: bash
    env:
      CODEQL_PATH: ${{ steps.init.outputs.codeql-path }}
    run: |
@@ -11,7 +11,6 @@ steps:
      languages: javascript
      tools: ${{ steps.prepare-test.outputs.tools-url }}
  - name: Build code
-    shell: bash
    run: ./build.sh
  - uses: ./../action/analyze
    with:
@@ -23,7 +22,6 @@ steps:
      path: "${{ runner.temp }}/results/javascript.sarif"
      retention-days: 7
  - name: Check results
-    shell: bash
    run: |
      cd "$RUNNER_TEMP/results"
      expected_baseline_languages="c csharp go java kotlin javascript python ruby"
@@ -9,7 +9,6 @@ steps:
      ram: 230
      threads: 1
  - name: Assert Results
-    shell: bash
    run: |
      if [ "${CODEQL_RAM}" != "230" ]; then
        echo "CODEQL_RAM is '${CODEQL_RAM}' instead of 230"
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Michael B. Gale	3b026814fb	Specify `Accept` header for `toolcache.downloadTool`	2025-09-17 18:36:30 +01:00
Henry Mercer	573acd9552	Merge pull request #3115 from github/dependabot/npm_and_yarn/npm-75b7851ed5 Bump uuid from 12.0.0 to 13.0.0 in the npm group	2025-09-15 18:38:40 +01:00
github-actions[bot]	668f0f00da	Rebuild	2025-09-15 17:18:08 +00:00
dependabot[bot]	0b263ec528	Bump uuid from 12.0.0 to 13.0.0 in the npm group Bumps the npm group with 1 update: [uuid](https://github.com/uuidjs/uuid). Updates `uuid` from 12.0.0 to 13.0.0 - [Release notes](https://github.com/uuidjs/uuid/releases) - [Changelog](https://github.com/uuidjs/uuid/blob/main/CHANGELOG.md) - [Commits](https://github.com/uuidjs/uuid/compare/v12.0.0...v13.0.0) --- updated-dependencies: - dependency-name: uuid dependency-version: 13.0.0 dependency-type: direct:production update-type: version-update:semver-major dependency-group: npm ... Signed-off-by: dependabot[bot] <support@github.com>	2025-09-15 17:16:56 +00:00
Michael B. Gale	9e5383b3b1	Merge pull request #3113 from github/nickrolfe/minimize-jars-followup Only enable Java dependency minimisation when caching is enabled	2025-09-15 16:57:27 +01:00
Henry Mercer	8279538f3d	Merge pull request #3114 from github/henrymercer/pr-checks-codeql-2.22 Run PR checks over CodeQL v2.22 release series	2025-09-15 16:52:03 +01:00
Henry Mercer	86f23c3336	Run PR checks over CodeQL v2.22 release series	2025-09-15 16:34:20 +01:00
Henry Mercer	77c3d2533d	Merge pull request #3112 from github/henrymercer/scan-python CI: Configure Python analysis	2025-09-15 16:25:56 +01:00
Henry Mercer	1069ace04e	Update .github/workflows/codeql.yml	2025-09-15 16:09:21 +01:00
Nick Rolfe	4014b75309	Only enable JAVA dependency minimisation when caching is enabled	2025-09-15 15:11:28 +01:00
Henry Mercer	bce0fa7b27	Remove build mode from matrix	2025-09-15 14:45:40 +01:00
Henry Mercer	8105843d42	Specify `paths-ignore` for other languages	2025-09-15 14:20:15 +01:00
Henry Mercer	61b8b636e3	Only upload a single matrix case for JS	2025-09-15 14:15:05 +01:00
Henry Mercer	73ead84d0a	Reorder strategy properties	2025-09-15 14:12:47 +01:00
Henry Mercer	793fe1783c	CI: Configure Python analysis	2025-09-15 14:10:32 +01:00
Paolo Tranquilli	aa90e97ad2	Merge pull request #3091 from github/redsun82/fix-windows-ci Set `shell: bash` by default on all workflows	2025-09-12 18:47:08 +02:00
Paolo Tranquilli	2b7d487cf8	Update .github/workflows/codeql.yml Co-authored-by: Henry Mercer <henrymercer@github.com>	2025-09-12 18:20:44 +02:00
Paolo Tranquilli	f92cc3a0e7	Merge pull request #3065 from github/redsun82/update-brace-expansion Use brace-expansion >2.0.1	2025-09-12 16:06:42 +02:00
Nick Rolfe	185266a022	Merge pull request #3107 from github/nickrolfe/minimize-jars Add feature flag to roll out JAR minimization in the Java extractor	2025-09-12 13:09:42 +01:00
Paolo Tranquilli	a1244387b0	Merge branch 'main' into redsun82/update-brace-expansion	2025-09-12 13:44:46 +02:00
Michael B. Gale	dc9a47dceb	Merge pull request #3110 from github/mbg/proxy/fetch-from-release Fetch proxy binaries from `defaults.json` release	2025-09-12 12:38:15 +01:00
Nick Rolfe	3ca9525ddd	Add changelog entry for Java dependency minimization rollout	2025-09-12 12:10:05 +01:00
Nick Rolfe	0abf548bb3	Add feature flag to roll out JAR minimization in the Java extractor	2025-09-12 12:09:34 +01:00
Michael B. Gale	e2636d2e4f	Change "current release" to "linked release"	2025-09-12 11:15:03 +01:00
Michael B. Gale	9df23425dc	Search release pointed at by `defaults.json` for registry proxy artifact	2025-09-11 18:56:19 +01:00
Paolo Tranquilli	4e1dadc5b3	Fix accidental removal of `- shell: bash` lines	2025-09-11 17:54:28 +02:00
Paolo Tranquilli	856e1e5c78	Address review	2025-09-11 17:54:00 +02:00
Paolo Tranquilli	d797efbb26	Merge branch 'main' into redsun82/fix-windows-ci	2025-09-11 17:41:08 +02:00
Michael B. Gale	ffcbb4c0c1	Move `UPDATEJOB_PROXY` constants to `start-proxy.ts`	2025-09-11 15:34:29 +01:00
Michael B. Gale	3bf58bb047	Merge branch 'main' into redsun82/fix-windows-ci	2025-09-09 19:35:16 +01:00
Paolo Tranquilli	c778749ed4	fix `codeql.yml` codeql invocation on windows	2025-09-09 14:08:29 +02:00
Paolo Tranquilli	0c065fa4cf	Sort out windows CRLF mess	2025-09-09 14:00:28 +02:00
Paolo Tranquilli	1b8f0ffedf	Set `shell: bash` by default on all workflows	2025-09-09 12:19:45 +02:00
Paolo Tranquilli	d42097d387	Build	2025-09-08 14:05:29 +02:00
Paolo Tranquilli	16f15bc9a7	Merge branch 'main' into redsun82/update-brace-expansion	2025-09-08 14:03:32 +02:00
Paolo Tranquilli	f11caf4aad	Override `brace-expansion` from `2.0.1` to `2.0.2`	2025-09-08 10:53:44 +02:00