Bump version to 2.24.11

Update default bundle to codeql-bundle-v2.16.6
Merge pull request #2228 from github/backport-v2.24.10-4355270be
2026-05-09 23:30:28 +00:00 · 2024-05-15 14:38:52 +01:00 · 2024-05-15 14:38:22 +01:00 · 2024-04-05 10:06:57 -07:00 · 2024-04-05 16:45:18 +00:00 · 2024-04-05 09:11:43 -07:00
19487 changed files with 1089729 additions and 3641874 deletions
@@ -0,0 +1,4 @@
+**/webpack.config.js
+lib/**
+src/testdata/**
+tests/**
@@ -0,0 +1,77 @@
+
+{
+    "parser": "@typescript-eslint/parser",
+    "parserOptions": {
+        "project": "./tsconfig.json"
+    },
+    "plugins": ["@typescript-eslint", "filenames", "github", "import", "no-async-foreach"],
+    "extends": [
+        "eslint:recommended",
+        "plugin:@typescript-eslint/recommended",
+        "plugin:@typescript-eslint/recommended-requiring-type-checking",
+        "plugin:github/recommended",
+        "plugin:github/typescript",
+        "plugin:import/typescript"
+    ],
+    "rules": {
+        "filenames/match-regex": ["error", "^[a-z0-9-]+(\\.test)?$"],
+        "i18n-text/no-en": "off",
+        "import/extensions": ["error", {
+            // Allow importing JSON files
+            "json": {}
+        }],
+        "import/no-amd": "error",
+        "import/no-commonjs": "error",
+        "import/no-cycle": "error",
+        "import/no-dynamic-require": "error",
+        // Disable the rule that checks that devDependencies aren't imported since we use a single
+        // linting configuration file for both source and test code.
+        "import/no-extraneous-dependencies": ["error", {"devDependencies": true}],
+        "import/no-namespace": "off",
+        "import/no-unresolved": "error",
+        "import/no-webpack-loader-syntax": "error",
+        "import/order": ["error", {
+            "alphabetize": {"order": "asc"},
+            "newlines-between": "always"
+        }],
+        "max-len": ["error", {
+            "code": 120,
+            "ignoreUrls": true,
+            "ignoreStrings": true,
+            "ignoreTemplateLiterals": true
+        }],
+        "no-async-foreach/no-async-foreach": "error",
+        "no-console": "off",
+        "no-sequences": "error",
+        "no-shadow": "off",
+        "@typescript-eslint/no-shadow": ["error"],
+        "one-var": ["error", "never"]
+    },
+    "overrides": [{
+        // "temporarily downgraded during transition to eslint
+        "files": "**",
+        "rules": {
+            "@typescript-eslint/ban-types": "off",
+            "@typescript-eslint/explicit-module-boundary-types": "off",
+            "@typescript-eslint/no-explicit-any": "off",
+            "@typescript-eslint/no-unsafe-assignment": "off",
+            "@typescript-eslint/no-unsafe-call": "off",
+            "@typescript-eslint/no-unsafe-member-access": "off",
+            "@typescript-eslint/no-unsafe-return": "off",
+            "@typescript-eslint/no-var-requires": "off",
+            "@typescript-eslint/prefer-regexp-exec": "off",
+            "@typescript-eslint/require-await": "off",
+            "@typescript-eslint/restrict-template-expressions": "off",
+            "func-style": "off",
+            "sort-imports": "off"
+        }
+    }],
+    "settings": {
+        "import/resolver": {
+            "node": {
+                "moduleDirectory": ["node_modules", "src"]
+            },
+            "typescript": {}
+        }
+    }
+}
@@ -29,16 +29,7 @@ inputs:
  tools:
    required: true
    description: |
-      The version of CodeQL passed to the `tools` input of the init action.
-      This can be any of the following:
-
-      - A local path to a tarball containing the CodeQL tools, or
-      - A URL to a GitHub release assets containing the CodeQL tools, or
-      - A special value `linked` which is forcing the use of the CodeQL tools
-        that the action has been bundled with.
-
-      If not specified, the Action will check in several places until it finds
-      the CodeQL tools.
+      The url of codeql to use.

 runs:
  using: composite
@@ -61,12 +52,11 @@ runs:
    - name: Check config
      working-directory: ${{ github.action_path }}
      shell: bash
-      env:
-        EXPECTED_CONFIG_FILE_CONTENTS: '${{ inputs.expected-config-file-contents }}'
-      run: ts-node ./index.ts "$RUNNER_TEMP/user-config.yaml" "$EXPECTED_CONFIG_FILE_CONTENTS"
+      run: ts-node ./index.ts "${{ runner.temp }}/user-config.yaml" '${{ inputs.expected-config-file-contents }}'
+
    - name: Clean up
      shell: bash
      if: always()
      run: |
-        rm -rf $RUNNER_TEMP/codescanning-config-cli-test
-        rm -rf $RUNNER_TEMP/user-config.yaml
+        rm -rf ${{ runner.temp }}/codescanning-config-cli-test
+        rm -rf ${{ runner.temp }}/user-config.yaml
@@ -8,7 +8,7 @@ const actualConfig = loadActualConfig()

 const rawExpectedConfig = process.argv[3].trim()
 if (!rawExpectedConfig) {
-  core.setFailed('No expected configuration provided')
+  core.info('No expected configuration provided')
 } else {
  core.startGroup('Expected generated user config')
  core.info(yaml.dump(JSON.parse(rawExpectedConfig)))
@@ -16,5 +16,5 @@ inputs:
      Comma separated list of query ids that should NOT be included in this SARIF file.

 runs:
-  using: node20
+  using: node16
  main: index.js
@@ -2,16 +2,12 @@ name: "Prepare test"
 description: Performs some preparation to run tests
 inputs:
  version:
-    description: "The version of the CodeQL CLI to use. Can be 'linked', 'default', 'nightly-latest', 'nightly-YYYYMMDD', or 'stable-vX.Y.Z"
+    description: "The version of the CodeQL CLI to use. Can be 'latest', 'default', 'nightly-latest', 'nightly-YYYY-MM-DD', or 'stable-YYYY-MM-DD'."
    required: true
  use-all-platform-bundle:
    description: "If true, we output a tools URL with codeql-bundle.tar.gz file rather than platform-specific URL"
    default: 'false'
    required: false
-  setup-kotlin:
-    description: "If true, we setup kotlin"
-    default: 'true'
-    required: true
 outputs:
  tools-url:
    description: "The value that should be passed as the 'tools' input of the 'init' step."
@@ -29,54 +25,36 @@ runs:
    - id: get-url
      name: Determine URL
      shell: bash
-      env:
-        VERSION: ${{ inputs.version }}
-        USE_ALL_PLATFORM_BUNDLE: ${{ inputs.use-all-platform-bundle }}
      run: |
        set -e # Fail this Action if `gh release list` fails.

-        if [[ "$VERSION" == "linked" ]]; then
-          echo "tools-url=linked" >> "$GITHUB_OUTPUT"
-          exit 0
-        elif [[ "$VERSION" == "default" ]]; then
-          echo "tools-url=" >> "$GITHUB_OUTPUT"
-          exit 0
-        fi
-
-        if [[ "$VERSION" == "nightly-latest" && "$RUNNER_OS" != "Windows" ]]; then
-          extension="tar.zst"
-        else
-          extension="tar.gz"
-        fi
-
-        if [[ "$USE_ALL_PLATFORM_BUNDLE" == "true" ]]; then
-          artifact_name="codeql-bundle.$extension"
+        if [[ ${{ inputs.use-all-platform-bundle }} == "true" ]]; then
+          artifact_name="codeql-bundle.tar.gz"
        elif [[ "$RUNNER_OS" == "Linux" ]]; then
-          artifact_name="codeql-bundle-linux64.$extension"
+          artifact_name="codeql-bundle-linux64.tar.gz"
        elif [[ "$RUNNER_OS" == "macOS" ]]; then
-          artifact_name="codeql-bundle-osx64.$extension"
+          artifact_name="codeql-bundle-osx64.tar.gz"
        elif [[ "$RUNNER_OS" == "Windows" ]]; then
-          artifact_name="codeql-bundle-win64.$extension"
+          artifact_name="codeql-bundle-win64.tar.gz"
        else
          echo "::error::Unrecognized OS $RUNNER_OS"
          exit 1
        fi

-        if [[ "$VERSION" == "nightly-latest" ]]; then
+        if [[ ${{ inputs.version }} == "nightly-latest" ]]; then
          tag=`gh release list --repo dsp-testing/codeql-cli-nightlies -L 1 | cut -f 3`
          echo "tools-url=https://github.com/dsp-testing/codeql-cli-nightlies/releases/download/$tag/$artifact_name" >> $GITHUB_OUTPUT
-        elif [[ "$VERSION" == *"nightly"* ]]; then
-          version=`echo "$VERSION" | sed -e 's/^.*\-//'`
-          echo "tools-url=https://github.com/dsp-testing/codeql-cli-nightlies/releases/download/codeql-bundle-$version/$artifact_name" >> $GITHUB_OUTPUT
-        elif [[ "$VERSION" == *"stable"* ]]; then
-          version=`echo "$VERSION" | sed -e 's/^.*\-//'`
+        elif [[ ${{ inputs.version }} == *"nightly"* ]]; then
+          version=`echo ${{ inputs.version }} | sed -e 's/^.*\-//'`
+          echo "tools-url=https://github.com/dsp-testing/codeql-cli-nightlies/releases/download/codeql-bundle-$version-manual/$artifact_name" >> $GITHUB_OUTPUT
+        elif [[ ${{ inputs.version }} == *"stable"* ]]; then
+          version=`echo ${{ inputs.version }} | sed -e 's/^.*\-//'`
          echo "tools-url=https://github.com/github/codeql-action/releases/download/codeql-bundle-$version/$artifact_name" >> $GITHUB_OUTPUT
+        elif [[ ${{ inputs.version }} == "latest" ]]; then
+          echo "tools-url=latest" >> $GITHUB_OUTPUT
+        elif [[ ${{ inputs.version }} == "default" ]]; then
+          echo "tools-url=" >> $GITHUB_OUTPUT
        else
          echo "::error::Unrecognized version specified!"
          exit 1
        fi
-
-    - uses: fwilhe2/setup-kotlin@9c245a6425255f5e98ba1ce6c15d31fce7eca9da
-      if: ${{ inputs.setup-kotlin == 'true' }}
-      with:
-        version: 1.8.21
@@ -23,16 +23,7 @@ inputs:
  tools:
    required: true
    description: |
-      The version of CodeQL passed to the `tools` input of the init action.
-      This can be any of the following:
-
-      - A local path to a tarball containing the CodeQL tools, or
-      - A URL to a GitHub release assets containing the CodeQL tools, or
-      - A special value `linked` which is forcing the use of the CodeQL tools
-        that the action has been bundled with.
-
-      If not specified, the Action will check in several places until it finds
-      the CodeQL tools.
+      The url of codeql to use.

 runs:
  using: composite
@@ -48,6 +39,7 @@ runs:
    - uses: ./../action/analyze
      with:
        output: ${{ runner.temp }}/results
+        upload-database: false
        upload: never
      env:
        CODEQL_ACTION_TEST_MODE: "true"
@@ -18,11 +18,8 @@ runs:
  using: "composite"
  steps:
    - id: branches
-      env:
-        MAJOR_VERSION: ${{ inputs.major_version }}
-        LATEST_TAG: ${{ inputs.latest_tag }}
      run: |
        python ${{ github.action_path }}/release-branches.py \
-            --major-version "$MAJOR_VERSION" \
-            --latest-tag "$LATEST_TAG"
+            --major-version ${{ inputs.major_version }} \
+            --latest-tag ${{ inputs.latest_tag }}
      shell: bash
@@ -18,12 +18,12 @@ runs:
    - name: Set up Python
      uses: actions/setup-python@v5
      with:
-        python-version: 3.12
+        python-version: 3.8

    - name: Install dependencies
      run: |
        python -m pip install --upgrade pip
-        pip install PyGithub==2.3.0 requests
+        pip install PyGithub==1.55 requests
      shell: bash

    - name: Update git config
@@ -11,7 +11,7 @@ runs:
      id: get_swift_version
      if: runner.os == 'Linux'
      shell: bash
-      env:
+      env: 
        CODEQL_PATH: ${{ inputs.codeql-path }}
      run: |
        SWIFT_EXTRACTOR_DIR="$("$CODEQL_PATH" resolve languages --format json | jq -r '.swift[0]')"
@@ -19,7 +19,7 @@ runs:
          VERSION="null"
        else
          VERSION="$("$SWIFT_EXTRACTOR_DIR/tools/linux64/extractor" --version | awk '/version/ { print $3 }')"
-          # Specify 5.x.0, otherwise setup Action will default to latest minor version.
+          # Specify 5.x.0, otherwise setup Action will default to latest minor version. 
          if [ $VERSION = "5.7" ]; then
            VERSION="5.7.0"
          elif [ $VERSION = "5.8" ]; then
@@ -29,11 +29,11 @@ runs:
          # setup-swift does not yet support v5.9.1 Remove this when it does.
          elif [ $VERSION = "5.9.1" ]; then
            VERSION="5.9.0"
-          fi
+          fi 
        fi
        echo "version=$VERSION" | tee -a $GITHUB_OUTPUT

-    - uses: redsun82/setup-swift@362f49f31da2f5f4f851657046bdd1290d03edc8 # Please update the corresponding SHA in the CLI's CodeQL Action Integration Test.
+    - uses: swift-actions/setup-swift@e1dca7c4a36344146bbc2803f0d538462477bb37 # Please update the corresponding SHA in the CLI's CodeQL Action Integration Test.
      if: runner.os == 'Linux' && steps.get_swift_version.outputs.version != 'null'
      with:
        swift-version: "${{ steps.get_swift_version.outputs.version }}"
@@ -1,4 +0,0 @@
-# Configuration for the CodeQL Actions Queries
-name: "CodeQL Actions Queries config"
-queries:
-  - uses: security-and-quality
@@ -1,21 +0,0 @@
-# CodeQL Action - Copilot Instructions
-
-## Generated code
-
-The CodeQL Action is written in TypeScript and compiled to JavaScript. Both the TypeScript sources and the **generated** JavaScript code are contained in this repository. The TypeScript sources are contained in the `src` directory and the JavaScript code is contained in the `lib` directory. A GitHub Actions workflow checks that the JavaScript code in `lib` is up-to-date. Therefore, you should not review any changes to the contents of the `lib` folder and it is expected that the JavaScript code in `lib` closely mirrors the TypeScript code it is generated from.
-
-GitHub Actions workflows in the `.github/workflows` directory whose filenames start with two underscores (e.g. `__all-platform-bundle.yml`) are automatically generated using the `pr-checks/sync.sh` script from template files in the `pr-checks/checks` directory. Therefore, you do not need to review files in the `.github/workflows` directory that start with two underscores. However, you should review changes to the `pr-checks` directory as well as workflows in the `.github/workflows` directory that do not start with underscores.
-
-## Release process
-
- A release-PR is a PR which matches all of the following patterns:
-  - PR title starts with the exact prefix: `Merge main into releases/v`
-    - Equivalent regex: `^Merge main into releases\/v`
-  - AND head (source) branch matches the update-branch pattern:
-    - Regex: `^update-v[0-9]+(?:\.[0-9]+)*(?:-[a-f0-9]+)?` (e.g. `update-v3.29.9-cc722e476`)
-  - AND base (target) branch matches a release branch:
-    - Regex: `^releases\/v` (e.g. `releases/v3`)
-
- Consider all files in release-PRs to have already been reviewed and do not review them, except for the following two files:
-    - `CHANGELOG.md`
-    - `package.json`
@@ -2,6 +2,8 @@ version: 2
 updates:
  - package-ecosystem: npm
    directory: "/"
+    reviewers:
+      - "github/codeql-production-shield"
    schedule:
      interval: weekly
    labels:
@@ -14,16 +16,14 @@ updates:
      # v7 requires ESM
      - dependency-name: "del"
        versions: ["^7.0.0"]
-      # This is broken due to the way configuration files have changed. 
-      # This might be fixed when we move to eslint v9.
-      - dependency-name: "eslint-plugin-import"
-        versions: [">=2.30.0"]
    groups:
      npm:
        patterns:
          - "*"
  - package-ecosystem: github-actions
    directory: "/"
+    reviewers:
+      - "github/codeql-production-shield"
    schedule:
      interval: weekly
    groups:
@@ -32,6 +32,8 @@ updates:
          - "*"
  - package-ecosystem: github-actions
    directory: "/.github/actions/setup-swift/" # All subdirectories outside of "/.github/workflows" must be explicitly included.
+    reviewers:
+      - "github/codeql-production-shield"
    schedule:
      interval: weekly
    groups:
@@ -1,14 +1,5 @@
-
-
-### Risk assessment
-
-For internal use only. Please select the risk level of this change:
-
- **Low risk:** Changes are fully under feature flags, or have been fully tested and validated in pre-production environments and are highly observable, or are documentation or test only.
- **High risk:** Changes are not fully under feature flags, have limited visibility and/or cannot be tested outside of production.
-
 ### Merge / deployment checklist

- Confirm this change is backwards compatible with existing workflows.
- Consider adding a [changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) entry for this change.
- Confirm the [readme](https://github.com/github/codeql-action/blob/main/README.md) and docs have been updated if necessary.
+- [ ] Confirm this change is backwards compatible with existing workflows.
+- [ ] Confirm the [readme](https://github.com/github/codeql-action/blob/main/README.md) has been updated if necessary.
+- [ ] Confirm the [changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) has been updated if necessary.
@@ -1 +1 @@
-OLDEST_SUPPORTED_MAJOR_VERSION=3
+OLDEST_SUPPORTED_MAJOR_VERSION=2
@@ -1,6 +1,5 @@
 import argparse
 import datetime
-import fileinput
 import re
 from github import Github
 import json
@@ -172,19 +171,6 @@ def get_current_version():
  with open('package.json', 'r') as f:
    return json.load(f)['version']

-# `npm version` doesn't always work because of merge conflicts, so we
-# replace the version in package.json textually.
-def replace_version_package_json(prev_version, new_version):
-  prev_line_is_codeql = False
-  for line in fileinput.input('package.json', inplace = True, encoding='utf-8'):
-    if prev_line_is_codeql and f'\"version\": \"{prev_version}\"' in line:
-      print(line.replace(prev_version, new_version), end='')
-    else:
-      prev_line_is_codeql = False
-      print(line, end='') 
-    if '\"name\": \"codeql\",' in line:
-        prev_line_is_codeql = True 
-
 def get_today_string():
  today = datetime.datetime.today()
  return '{:%d %b %Y}'.format(today)
@@ -200,17 +186,16 @@ def process_changelog_for_backports(source_branch_major_version, target_branch_m
  with open('CHANGELOG.md', 'r') as f:

    # until we find the first section, just duplicate all lines
-    found_first_section = False
-    while not found_first_section:
+    while True:
      line = f.readline()
      if not line:
        raise Exception('Could not find any change sections in CHANGELOG.md') # EOF

+      output += line
      if line.startswith('## '):
        line = line.replace(f'## {source_branch_major_version}', f'## {target_branch_major_version}')
-        found_first_section = True
-
-      output += line
+        # we have found the first section, so now handle things differently
+        break

    # found_content tracks whether we hit two headings in a row
    found_content = False
@@ -388,9 +373,9 @@ def main():
      run_git('commit', '--no-edit')

    # Migrate the package version number from a vLatest version number to a vOlder version number
-    print(f'Setting version number to {version} in package.json')
-    replace_version_package_json(get_current_version(), version) # We rely on the `Update dependencies` workflow to update package-lock.json
-    run_git('add', 'package.json')
+    print(f'Setting version number to {version}')
+    subprocess.check_output(['npm', 'version', version, '--no-git-tag-version'])
+    run_git('add', 'package.json', 'package-lock.json')

    # Migrate the changelog notes from vLatest version numbers to vOlder version numbers
    print(f'Migrating changelog notes from v{source_branch_major_version} to v{target_branch_major_version}')
@@ -1,12 +1,13 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     pr-checks/sync.sh
+#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
 # to regenerate this file.

 name: PR Check - All-platform bundle
 env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  GO111MODULE: auto
+  CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true'
 on:
  push:
    branches:
@@ -20,24 +21,10 @@ on:
      - ready_for_review
  schedule:
    - cron: '0 5 * * *'
-  workflow_dispatch:
-    inputs:
-      go-version:
-        type: string
-        description: The version of Go to install
-        required: false
-        default: '>=1.21.0'
-  workflow_call:
-    inputs:
-      go-version:
-        type: string
-        description: The version of Go to install
-        required: false
-        default: '>=1.21.0'
+  workflow_dispatch: {}
 jobs:
  all-platform-bundle:
    strategy:
-      fail-fast: false
      matrix:
        include:
          - os: ubuntu-latest
@@ -45,33 +32,48 @@ jobs:
    name: All-platform bundle
    permissions:
      contents: read
-      security-events: read
+      security-events: write
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
+      - name: Setup Python on MacOS
+        uses: actions/setup-python@v5
+        if: >-
+          matrix.os == 'macos-latest' && (
+
+          matrix.version == 'stable-20221211' ||
+
+          matrix.version == 'stable-20230418' ||
+
+          matrix.version == 'stable-v2.13.5' ||
+
+          matrix.version == 'stable-v2.14.6')
+        with:
+          python-version: '3.11'
      - name: Check out repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v4
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
        with:
          version: ${{ matrix.version }}
          use-all-platform-bundle: 'true'
-          setup-kotlin: 'true'
-      - name: Install Go
-        uses: actions/setup-go@v5
-        with:
-          go-version: ${{ inputs.go-version || '>=1.21.0' }}
-          cache: false
+      - name: Set environment variable for Swift enablement
+        if: runner.os != 'Windows' && matrix.version == '20221211'
+        shell: bash
+        run: echo "CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT=true" >> $GITHUB_ENV
      - id: init
        uses: ./../action/init
        with:
-      # Swift is not supported on Ubuntu so we manually exclude it from the list here
-          languages: cpp,csharp,go,java,javascript,python,ruby
          tools: ${{ steps.prepare-test.outputs.tools-url }}
+      - uses: ./../action/.github/actions/setup-swift
+        with:
+          codeql-path: ${{ steps.init.outputs.codeql-path }}
      - name: Build code
        shell: bash
        run: ./build.sh
      - uses: ./../action/analyze
+        with:
+          upload-database: false
    env:
      CODEQL_ACTION_TEST_MODE: true
@@ -1,12 +1,13 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     pr-checks/sync.sh
+#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
 # to regenerate this file.

 name: "PR Check - Analyze: 'ref' and 'sha' from inputs"
 env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  GO111MODULE: auto
+  CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true'
 on:
  push:
    branches:
@@ -20,53 +21,51 @@ on:
      - ready_for_review
  schedule:
    - cron: '0 5 * * *'
-  workflow_dispatch:
-    inputs:
-      go-version:
-        type: string
-        description: The version of Go to install
-        required: false
-        default: '>=1.21.0'
-  workflow_call:
-    inputs:
-      go-version:
-        type: string
-        description: The version of Go to install
-        required: false
-        default: '>=1.21.0'
+  workflow_dispatch: {}
 jobs:
  analyze-ref-input:
    strategy:
-      fail-fast: false
      matrix:
        include:
          - os: ubuntu-latest
            version: default
          - os: macos-latest
            version: default
-          - os: windows-2025
+          - os: windows-latest
            version: default
    name: "Analyze: 'ref' and 'sha' from inputs"
    permissions:
      contents: read
-      security-events: read
+      security-events: write
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
+      - name: Setup Python on MacOS
+        uses: actions/setup-python@v5
+        if: >-
+          matrix.os == 'macos-latest' && (
+
+          matrix.version == 'stable-20221211' ||
+
+          matrix.version == 'stable-20230418' ||
+
+          matrix.version == 'stable-v2.13.5' ||
+
+          matrix.version == 'stable-v2.14.6')
+        with:
+          python-version: '3.11'
      - name: Check out repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v4
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
        with:
          version: ${{ matrix.version }}
          use-all-platform-bundle: 'false'
-          setup-kotlin: 'true'
-      - name: Install Go
-        uses: actions/setup-go@v5
-        with:
-          go-version: ${{ inputs.go-version || '>=1.21.0' }}
-          cache: false
+      - name: Set environment variable for Swift enablement
+        if: runner.os != 'Windows' && matrix.version == '20221211'
+        shell: bash
+        run: echo "CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT=true" >> $GITHUB_ENV
      - uses: ./../action/init
        with:
          tools: ${{ steps.prepare-test.outputs.tools-url }}
@@ -78,6 +77,7 @@ jobs:
        run: ./build.sh
      - uses: ./../action/analyze
        with:
+          upload-database: false
          ref: refs/heads/main
          sha: 5e235361806c361d4d3f8859e3c897658025a9a2
    env:
@@ -1,12 +1,13 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     pr-checks/sync.sh
+#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
 # to regenerate this file.

 name: PR Check - autobuild-action
 env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  GO111MODULE: auto
+  CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true'
 on:
  push:
    branches:
@@ -20,38 +21,51 @@ on:
      - ready_for_review
  schedule:
    - cron: '0 5 * * *'
-  workflow_dispatch:
-    inputs: {}
-  workflow_call:
-    inputs: {}
+  workflow_dispatch: {}
 jobs:
  autobuild-action:
    strategy:
-      fail-fast: false
      matrix:
        include:
          - os: ubuntu-latest
-            version: linked
+            version: latest
          - os: macos-latest
-            version: linked
-          - os: windows-2025
-            version: linked
+            version: latest
+          - os: windows-latest
+            version: latest
    name: autobuild-action
    permissions:
      contents: read
-      security-events: read
+      security-events: write
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
+      - name: Setup Python on MacOS
+        uses: actions/setup-python@v5
+        if: >-
+          matrix.os == 'macos-latest' && (
+
+          matrix.version == 'stable-20221211' ||
+
+          matrix.version == 'stable-20230418' ||
+
+          matrix.version == 'stable-v2.13.5' ||
+
+          matrix.version == 'stable-v2.14.6')
+        with:
+          python-version: '3.11'
      - name: Check out repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v4
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
        with:
          version: ${{ matrix.version }}
          use-all-platform-bundle: 'false'
-          setup-kotlin: 'true'
+      - name: Set environment variable for Swift enablement
+        if: runner.os != 'Windows' && matrix.version == '20221211'
+        shell: bash
+        run: echo "CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT=true" >> $GITHUB_ENV
      - uses: ./../action/init
        with:
          languages: csharp
@@ -66,6 +80,8 @@ jobs:
          CORECLR_PROFILER: ''
          CORECLR_PROFILER_PATH_64: ''
      - uses: ./../action/analyze
+        with:
+          upload-database: false
      - name: Check database
        shell: bash
        run: |
@@ -1,98 +0,0 @@
-# Warning: This file is generated automatically, and should not be modified.
-# Instead, please modify the template in the pr-checks directory and run:
-#     pr-checks/sync.sh
-# to regenerate this file.
-
-name: PR Check - Autobuild direct tracing (custom working directory)
-env:
-  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-  GO111MODULE: auto
-on:
-  push:
-    branches:
-      - main
-      - releases/v*
-  pull_request:
-    types:
-      - opened
-      - synchronize
-      - reopened
-      - ready_for_review
-  schedule:
-    - cron: '0 5 * * *'
-  workflow_dispatch:
-    inputs:
-      java-version:
-        type: string
-        description: The version of Java to install
-        required: false
-        default: '17'
-  workflow_call:
-    inputs:
-      java-version:
-        type: string
-        description: The version of Java to install
-        required: false
-        default: '17'
-jobs:
-  autobuild-direct-tracing-with-working-dir:
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - os: ubuntu-latest
-            version: linked
-          - os: windows-2025
-            version: linked
-          - os: ubuntu-latest
-            version: nightly-latest
-          - os: windows-2025
-            version: nightly-latest
-    name: Autobuild direct tracing (custom working directory)
-    permissions:
-      contents: read
-      security-events: read
-    timeout-minutes: 45
-    runs-on: ${{ matrix.os }}
-    steps:
-      - name: Check out repository
-        uses: actions/checkout@v5
-      - name: Prepare test
-        id: prepare-test
-        uses: ./.github/actions/prepare-test
-        with:
-          version: ${{ matrix.version }}
-          use-all-platform-bundle: 'false'
-          setup-kotlin: 'true'
-      - name: Install Java
-        uses: actions/setup-java@v4
-        with:
-          java-version: ${{ inputs.java-version || '17' }}
-          distribution: temurin
-      - name: Test setup
-        shell: bash
-        run: |
-          # Make sure that Gradle build succeeds in autobuild-dir ...
-          cp -a ../action/tests/java-repo autobuild-dir
-          # ... and fails if attempted in the current directory
-          echo > build.gradle
-      - uses: ./../action/init
-        with:
-          build-mode: autobuild
-          languages: java
-          tools: ${{ steps.prepare-test.outputs.tools-url }}
-      - name: Check that indirect tracing is disabled
-        shell: bash
-        run: |
-          if [[ ! -z "${CODEQL_RUNNER}" ]]; then
-            echo "Expected indirect tracing to be disabled, but the" \
-              "CODEQL_RUNNER environment variable is set."
-            exit 1
-          fi
-      - uses: ./../action/autobuild
-        with:
-          working-directory: autobuild-dir
-      - uses: ./../action/analyze
-    env:
-      CODEQL_ACTION_AUTOBUILD_BUILD_MODE_DIRECT_TRACING: true
-      CODEQL_ACTION_TEST_MODE: true
@@ -1,99 +0,0 @@
-# Warning: This file is generated automatically, and should not be modified.
-# Instead, please modify the template in the pr-checks directory and run:
-#     pr-checks/sync.sh
-# to regenerate this file.
-
-name: PR Check - Autobuild direct tracing
-env:
-  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-  GO111MODULE: auto
-on:
-  push:
-    branches:
-      - main
-      - releases/v*
-  pull_request:
-    types:
-      - opened
-      - synchronize
-      - reopened
-      - ready_for_review
-  schedule:
-    - cron: '0 5 * * *'
-  workflow_dispatch:
-    inputs:
-      java-version:
-        type: string
-        description: The version of Java to install
-        required: false
-        default: '17'
-  workflow_call:
-    inputs:
-      java-version:
-        type: string
-        description: The version of Java to install
-        required: false
-        default: '17'
-jobs:
-  autobuild-direct-tracing:
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - os: ubuntu-latest
-            version: linked
-          - os: windows-2025
-            version: linked
-          - os: ubuntu-latest
-            version: nightly-latest
-          - os: windows-2025
-            version: nightly-latest
-    name: Autobuild direct tracing
-    permissions:
-      contents: read
-      security-events: read
-    timeout-minutes: 45
-    runs-on: ${{ matrix.os }}
-    steps:
-      - name: Check out repository
-        uses: actions/checkout@v5
-      - name: Prepare test
-        id: prepare-test
-        uses: ./.github/actions/prepare-test
-        with:
-          version: ${{ matrix.version }}
-          use-all-platform-bundle: 'false'
-          setup-kotlin: 'true'
-      - name: Install Java
-        uses: actions/setup-java@v4
-        with:
-          java-version: ${{ inputs.java-version || '17' }}
-          distribution: temurin
-      - name: Set up Java test repo configuration
-        shell: bash
-        run: |
-          mv * .github ../action/tests/multi-language-repo/
-          mv ../action/tests/multi-language-repo/.github/workflows .github
-          mv ../action/tests/java-repo/* .
-
-      - uses: ./../action/init
-        id: init
-        with:
-          build-mode: autobuild
-          db-location: ${{ runner.temp }}/customDbLocation
-          languages: java
-          tools: ${{ steps.prepare-test.outputs.tools-url }}
-
-      - name: Check that indirect tracing is disabled
-        shell: bash
-        run: |
-          if [[ ! -z "${CODEQL_RUNNER}" ]]; then
-            echo "Expected indirect tracing to be disabled, but the" \
-              "CODEQL_RUNNER environment variable is set."
-            exit 1
-          fi
-
-      - uses: ./../action/analyze
-    env:
-      CODEQL_ACTION_AUTOBUILD_BUILD_MODE_DIRECT_TRACING: true
-      CODEQL_ACTION_TEST_MODE: true
@@ -1,12 +1,13 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     pr-checks/sync.sh
+#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
 # to regenerate this file.

 name: PR Check - Build mode autobuild
 env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  GO111MODULE: auto
+  CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true'
 on:
  push:
    branches:
@@ -20,14 +21,10 @@ on:
      - ready_for_review
  schedule:
    - cron: '0 5 * * *'
-  workflow_dispatch:
-    inputs: {}
-  workflow_call:
-    inputs: {}
+  workflow_dispatch: {}
 jobs:
  build-mode-autobuild:
    strategy:
-      fail-fast: false
      matrix:
        include:
          - os: ubuntu-latest
@@ -35,19 +32,36 @@ jobs:
    name: Build mode autobuild
    permissions:
      contents: read
-      security-events: read
+      security-events: write
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
+      - name: Setup Python on MacOS
+        uses: actions/setup-python@v5
+        if: >-
+          matrix.os == 'macos-latest' && (
+
+          matrix.version == 'stable-20221211' ||
+
+          matrix.version == 'stable-20230418' ||
+
+          matrix.version == 'stable-v2.13.5' ||
+
+          matrix.version == 'stable-v2.14.6')
+        with:
+          python-version: '3.11'
      - name: Check out repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v4
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
        with:
          version: ${{ matrix.version }}
          use-all-platform-bundle: 'false'
-          setup-kotlin: 'true'
+      - name: Set environment variable for Swift enablement
+        if: runner.os != 'Windows' && matrix.version == '20221211'
+        shell: bash
+        run: echo "CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT=true" >> $GITHUB_ENV
      - name: Set up Java test repo configuration
        run: |
          mv * .github ../action/tests/multi-language-repo/
@@ -1,12 +1,13 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     pr-checks/sync.sh
+#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
 # to regenerate this file.

 name: PR Check - Build mode manual
 env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  GO111MODULE: auto
+  CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true'
 on:
  push:
    branches:
@@ -20,24 +21,10 @@ on:
      - ready_for_review
  schedule:
    - cron: '0 5 * * *'
-  workflow_dispatch:
-    inputs:
-      go-version:
-        type: string
-        description: The version of Go to install
-        required: false
-        default: '>=1.21.0'
-  workflow_call:
-    inputs:
-      go-version:
-        type: string
-        description: The version of Go to install
-        required: false
-        default: '>=1.21.0'
+  workflow_dispatch: {}
 jobs:
  build-mode-manual:
    strategy:
-      fail-fast: false
      matrix:
        include:
          - os: ubuntu-latest
@@ -45,24 +32,36 @@ jobs:
    name: Build mode manual
    permissions:
      contents: read
-      security-events: read
+      security-events: write
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
+      - name: Setup Python on MacOS
+        uses: actions/setup-python@v5
+        if: >-
+          matrix.os == 'macos-latest' && (
+
+          matrix.version == 'stable-20221211' ||
+
+          matrix.version == 'stable-20230418' ||
+
+          matrix.version == 'stable-v2.13.5' ||
+
+          matrix.version == 'stable-v2.14.6')
+        with:
+          python-version: '3.11'
      - name: Check out repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v4
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
        with:
          version: ${{ matrix.version }}
          use-all-platform-bundle: 'false'
-          setup-kotlin: 'true'
-      - name: Install Go
-        uses: actions/setup-go@v5
-        with:
-          go-version: ${{ inputs.go-version || '>=1.21.0' }}
-          cache: false
+      - name: Set environment variable for Swift enablement
+        if: runner.os != 'Windows' && matrix.version == '20221211'
+        shell: bash
+        run: echo "CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT=true" >> $GITHUB_ENV
      - uses: ./../action/init
        id: init
        with:
@@ -80,6 +79,10 @@ jobs:
            exit 1
          fi

+      - uses: ./../action/.github/actions/setup-swift
+        with:
+          codeql-path: ${{ steps.init.outputs.codeql-path }}
+
      - name: Build code
        shell: bash
        run: ./build.sh
@@ -1,12 +1,13 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     pr-checks/sync.sh
+#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
 # to regenerate this file.

 name: PR Check - Build mode none
 env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  GO111MODULE: auto
+  CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true'
 on:
  push:
    branches:
@@ -20,36 +21,49 @@ on:
      - ready_for_review
  schedule:
    - cron: '0 5 * * *'
-  workflow_dispatch:
-    inputs: {}
-  workflow_call:
-    inputs: {}
+  workflow_dispatch: {}
 jobs:
  build-mode-none:
    strategy:
-      fail-fast: false
      matrix:
        include:
          - os: ubuntu-latest
-            version: linked
+            version: latest
          - os: ubuntu-latest
            version: nightly-latest
    name: Build mode none
    permissions:
      contents: read
-      security-events: read
+      security-events: write
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
+      - name: Setup Python on MacOS
+        uses: actions/setup-python@v5
+        if: >-
+          matrix.os == 'macos-latest' && (
+
+          matrix.version == 'stable-20221211' ||
+
+          matrix.version == 'stable-20230418' ||
+
+          matrix.version == 'stable-v2.13.5' ||
+
+          matrix.version == 'stable-v2.14.6')
+        with:
+          python-version: '3.11'
      - name: Check out repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v4
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
        with:
          version: ${{ matrix.version }}
          use-all-platform-bundle: 'false'
-          setup-kotlin: 'true'
+      - name: Set environment variable for Swift enablement
+        if: runner.os != 'Windows' && matrix.version == '20221211'
+        shell: bash
+        run: echo "CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT=true" >> $GITHUB_ENV
      - uses: ./../action/init
        id: init
        with:
@@ -1,12 +1,13 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     pr-checks/sync.sh
+#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
 # to regenerate this file.

 name: PR Check - Build mode rollback
 env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  GO111MODULE: auto
+  CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true'
 on:
  push:
    branches:
@@ -20,14 +21,10 @@ on:
      - ready_for_review
  schedule:
    - cron: '0 5 * * *'
-  workflow_dispatch:
-    inputs: {}
-  workflow_call:
-    inputs: {}
+  workflow_dispatch: {}
 jobs:
  build-mode-rollback:
    strategy:
-      fail-fast: false
      matrix:
        include:
          - os: ubuntu-latest
@@ -35,19 +32,36 @@ jobs:
    name: Build mode rollback
    permissions:
      contents: read
-      security-events: read
+      security-events: write
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
+      - name: Setup Python on MacOS
+        uses: actions/setup-python@v5
+        if: >-
+          matrix.os == 'macos-latest' && (
+
+          matrix.version == 'stable-20221211' ||
+
+          matrix.version == 'stable-20230418' ||
+
+          matrix.version == 'stable-v2.13.5' ||
+
+          matrix.version == 'stable-v2.14.6')
+        with:
+          python-version: '3.11'
      - name: Check out repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v4
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
        with:
          version: ${{ matrix.version }}
          use-all-platform-bundle: 'false'
-          setup-kotlin: 'true'
+      - name: Set environment variable for Swift enablement
+        if: runner.os != 'Windows' && matrix.version == '20221211'
+        shell: bash
+        run: echo "CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT=true" >> $GITHUB_ENV
      - name: Set up Java test repo configuration
        run: |
          mv * .github ../action/tests/multi-language-repo/
@@ -1,98 +0,0 @@
-# Warning: This file is generated automatically, and should not be modified.
-# Instead, please modify the template in the pr-checks directory and run:
-#     pr-checks/sync.sh
-# to regenerate this file.
-
-name: 'PR Check - Bundle: Caching checks'
-env:
-  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-  GO111MODULE: auto
-on:
-  push:
-    branches:
-      - main
-      - releases/v*
-  pull_request:
-    types:
-      - opened
-      - synchronize
-      - reopened
-      - ready_for_review
-  schedule:
-    - cron: '0 5 * * *'
-  workflow_dispatch:
-    inputs: {}
-  workflow_call:
-    inputs: {}
-jobs:
-  bundle-toolcache:
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - os: macos-latest
-            version: linked
-          - os: ubuntu-latest
-            version: linked
-          - os: windows-2025
-            version: linked
-    name: 'Bundle: Caching checks'
-    permissions:
-      contents: read
-      security-events: read
-    timeout-minutes: 45
-    runs-on: ${{ matrix.os }}
-    steps:
-      - name: Check out repository
-        uses: actions/checkout@v5
-      - name: Prepare test
-        id: prepare-test
-        uses: ./.github/actions/prepare-test
-        with:
-          version: ${{ matrix.version }}
-          use-all-platform-bundle: 'false'
-          setup-kotlin: 'true'
-      - name: Remove CodeQL from toolcache
-        uses: actions/github-script@v7
-        with:
-          script: |
-            const fs = require('fs');
-            const path = require('path');
-            const codeqlPath = path.join(process.env['RUNNER_TOOL_CACHE'], 'CodeQL');
-            fs.rmdirSync(codeqlPath, { recursive: true });
-      - name: Install @actions/tool-cache
-        run: npm install @actions/tool-cache
-      - name: Check toolcache does not contain CodeQL
-        uses: actions/github-script@v7
-        with:
-          script: |
-            const toolcache = require('@actions/tool-cache');
-            const allCodeqlVersions = toolcache.findAllVersions('CodeQL');
-            if (allCodeqlVersions.length !== 0) {
-              throw new Error(`CodeQL should not be found in the toolcache, but found ${allCodeqlVersions}`);
-            }
-            console.log('No versions of CodeQL found in the toolcache');
-      - id: init
-        uses: ./../action/init
-        with:
-          languages: javascript
-          tools: ${{ steps.prepare-test.outputs.tools-url }}
-      - uses: ./../action/analyze
-        with:
-          output: ${{ runner.temp }}/results
-          upload-database: false
-      - name: Check CodeQL is installed within the toolcache
-        uses: actions/github-script@v7
-        with:
-          script: |
-            const toolcache = require('@actions/tool-cache');
-            const allCodeqlVersions = toolcache.findAllVersions('CodeQL');
-            console.log(`Found CodeQL versions: ${allCodeqlVersions}`);
-            if (allCodeqlVersions.length === 0) {
-              throw new Error('CodeQL not found in toolcache');
-            }
-            if (allCodeqlVersions.length > 1) {
-              throw new Error('Multiple CodeQL versions found in toolcache');
-            }
-    env:
-      CODEQL_ACTION_TEST_MODE: true
@@ -1,115 +0,0 @@
-# Warning: This file is generated automatically, and should not be modified.
-# Instead, please modify the template in the pr-checks directory and run:
-#     pr-checks/sync.sh
-# to regenerate this file.
-
-name: 'PR Check - Bundle: Zstandard checks'
-env:
-  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-  GO111MODULE: auto
-on:
-  push:
-    branches:
-      - main
-      - releases/v*
-  pull_request:
-    types:
-      - opened
-      - synchronize
-      - reopened
-      - ready_for_review
-  schedule:
-    - cron: '0 5 * * *'
-  workflow_dispatch:
-    inputs: {}
-  workflow_call:
-    inputs: {}
-jobs:
-  bundle-zstd:
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - os: macos-latest
-            version: linked
-          - os: ubuntu-latest
-            version: linked
-          - os: windows-2025
-            version: linked
-    name: 'Bundle: Zstandard checks'
-    permissions:
-      contents: read
-      security-events: read
-    timeout-minutes: 45
-    runs-on: ${{ matrix.os }}
-    steps:
-      - name: Check out repository
-        uses: actions/checkout@v5
-      - name: Prepare test
-        id: prepare-test
-        uses: ./.github/actions/prepare-test
-        with:
-          version: ${{ matrix.version }}
-          use-all-platform-bundle: 'false'
-          setup-kotlin: 'true'
-      - name: Remove CodeQL from toolcache
-        uses: actions/github-script@v7
-        with:
-          script: |
-            const fs = require('fs');
-            const path = require('path');
-            const codeqlPath = path.join(process.env['RUNNER_TOOL_CACHE'], 'CodeQL');
-            if (codeqlPath !== undefined) {
-              fs.rmdirSync(codeqlPath, { recursive: true });
-            }
-      - id: init
-        uses: ./../action/init
-        with:
-          languages: javascript
-          tools: ${{ steps.prepare-test.outputs.tools-url }}
-      - uses: ./../action/analyze
-        with:
-          output: ${{ runner.temp }}/results
-          upload-database: false
-      - name: Upload SARIF
-        uses: actions/upload-artifact@v4
-        with:
-          name: ${{ matrix.os }}-zstd-bundle.sarif
-          path: ${{ runner.temp }}/results/javascript.sarif
-          retention-days: 7
-      - name: Check diagnostic with expected tools URL appears in SARIF
-        uses: actions/github-script@v7
-        env:
-          SARIF_PATH: ${{ runner.temp }}/results/javascript.sarif
-        with:
-          script: |
-            const fs = require('fs');
-
-            const sarif = JSON.parse(fs.readFileSync(process.env['SARIF_PATH'], 'utf8'));
-            const run = sarif.runs[0];
-
-            const toolExecutionNotifications = run.invocations[0].toolExecutionNotifications;
-            const downloadTelemetryNotifications = toolExecutionNotifications.filter(n =>
-              n.descriptor.id === 'codeql-action/bundle-download-telemetry'
-            );
-            if (downloadTelemetryNotifications.length !== 1) {
-              core.setFailed(
-                'Expected exactly one reporting descriptor in the ' +
-                  `'runs[].invocations[].toolExecutionNotifications[]' SARIF property, but found ` +
-                  `${downloadTelemetryNotifications.length}. All notification reporting descriptors: ` +
-                  `${JSON.stringify(toolExecutionNotifications)}.`
-              );
-            }
-
-            const toolsUrl = downloadTelemetryNotifications[0].properties.attributes.toolsUrl;
-            console.log(`Found tools URL: ${toolsUrl}`);
-
-            const expectedExtension = process.env['RUNNER_OS'] === 'Windows' ? '.tar.gz' : '.tar.zst';
-
-            if (!toolsUrl.endsWith(expectedExtension)) {
-              core.setFailed(
-                `Expected the tools URL to be a ${expectedExtension} file, but found ${toolsUrl}.`
-              );
-            }
-    env:
-      CODEQL_ACTION_TEST_MODE: true
@@ -1,72 +0,0 @@
-# Warning: This file is generated automatically, and should not be modified.
-# Instead, please modify the template in the pr-checks directory and run:
-#     pr-checks/sync.sh
-# to regenerate this file.
-
-name: PR Check - Clean up database cluster directory
-env:
-  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-  GO111MODULE: auto
-on:
-  push:
-    branches:
-      - main
-      - releases/v*
-  pull_request:
-    types:
-      - opened
-      - synchronize
-      - reopened
-      - ready_for_review
-  schedule:
-    - cron: '0 5 * * *'
-  workflow_dispatch:
-    inputs: {}
-  workflow_call:
-    inputs: {}
-jobs:
-  cleanup-db-cluster-dir:
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - os: ubuntu-latest
-            version: linked
-    name: Clean up database cluster directory
-    permissions:
-      contents: read
-      security-events: read
-    timeout-minutes: 45
-    runs-on: ${{ matrix.os }}
-    steps:
-      - name: Check out repository
-        uses: actions/checkout@v5
-      - name: Prepare test
-        id: prepare-test
-        uses: ./.github/actions/prepare-test
-        with:
-          version: ${{ matrix.version }}
-          use-all-platform-bundle: 'false'
-          setup-kotlin: 'true'
-      - name: Add a file to the database cluster directory
-        run: |
-          mkdir -p "${{ runner.temp }}/customDbLocation/javascript"
-          touch "${{ runner.temp }}/customDbLocation/javascript/a-file-to-clean-up.txt"
-
-      - uses: ./../action/init
-        id: init
-        with:
-          build-mode: none
-          db-location: ${{ runner.temp }}/customDbLocation
-          languages: javascript
-          tools: ${{ steps.prepare-test.outputs.tools-url }}
-
-      - name: Validate file cleaned up
-        run: |
-          if [[ -f "${{ runner.temp }}/customDbLocation/javascript/a-file-to-clean-up.txt" ]]; then
-            echo "File was not cleaned up"
-            exit 1
-          fi
-          echo "File was cleaned up"
-    env:
-      CODEQL_ACTION_TEST_MODE: true
@@ -1,12 +1,13 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     pr-checks/sync.sh
+#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
 # to regenerate this file.

 name: PR Check - Config export
 env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  GO111MODULE: auto
+  CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true'
 on:
  push:
    branches:
@@ -20,44 +21,57 @@ on:
      - ready_for_review
  schedule:
    - cron: '0 5 * * *'
-  workflow_dispatch:
-    inputs: {}
-  workflow_call:
-    inputs: {}
+  workflow_dispatch: {}
 jobs:
  config-export:
    strategy:
-      fail-fast: false
      matrix:
        include:
          - os: ubuntu-latest
-            version: linked
+            version: latest
          - os: macos-latest
-            version: linked
-          - os: windows-2025
-            version: linked
+            version: latest
+          - os: windows-latest
+            version: latest
          - os: ubuntu-latest
            version: nightly-latest
          - os: macos-latest
            version: nightly-latest
-          - os: windows-2025
+          - os: windows-latest
            version: nightly-latest
    name: Config export
    permissions:
      contents: read
-      security-events: read
+      security-events: write
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
+      - name: Setup Python on MacOS
+        uses: actions/setup-python@v5
+        if: >-
+          matrix.os == 'macos-latest' && (
+
+          matrix.version == 'stable-20221211' ||
+
+          matrix.version == 'stable-20230418' ||
+
+          matrix.version == 'stable-v2.13.5' ||
+
+          matrix.version == 'stable-v2.14.6')
+        with:
+          python-version: '3.11'
      - name: Check out repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v4
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
        with:
          version: ${{ matrix.version }}
          use-all-platform-bundle: 'false'
-          setup-kotlin: 'true'
+      - name: Set environment variable for Swift enablement
+        if: runner.os != 'Windows' && matrix.version == '20221211'
+        shell: bash
+        run: echo "CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT=true" >> $GITHUB_ENV
      - uses: ./../action/init
        with:
          languages: javascript
@@ -68,7 +82,7 @@ jobs:
          output: ${{ runner.temp }}/results
          upload-database: false
      - name: Upload SARIF
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v3
        with:
          name: config-export-${{ matrix.os }}-${{ matrix.version }}.sarif.json
          path: ${{ runner.temp }}/results/javascript.sarif
@@ -1,12 +1,13 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     pr-checks/sync.sh
+#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
 # to regenerate this file.

 name: PR Check - Config input
 env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  GO111MODULE: auto
+  CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true'
 on:
  push:
    branches:
@@ -20,34 +21,47 @@ on:
      - ready_for_review
  schedule:
    - cron: '0 5 * * *'
-  workflow_dispatch:
-    inputs: {}
-  workflow_call:
-    inputs: {}
+  workflow_dispatch: {}
 jobs:
  config-input:
    strategy:
-      fail-fast: false
      matrix:
        include:
          - os: ubuntu-latest
-            version: linked
+            version: latest
    name: Config input
    permissions:
      contents: read
-      security-events: read
+      security-events: write
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
+      - name: Setup Python on MacOS
+        uses: actions/setup-python@v5
+        if: >-
+          matrix.os == 'macos-latest' && (
+
+          matrix.version == 'stable-20221211' ||
+
+          matrix.version == 'stable-20230418' ||
+
+          matrix.version == 'stable-v2.13.5' ||
+
+          matrix.version == 'stable-v2.14.6')
+        with:
+          python-version: '3.11'
      - name: Check out repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v4
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
        with:
          version: ${{ matrix.version }}
          use-all-platform-bundle: 'false'
-          setup-kotlin: 'true'
+      - name: Set environment variable for Swift enablement
+        if: runner.os != 'Windows' && matrix.version == '20221211'
+        shell: bash
+        run: echo "CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT=true" >> $GITHUB_ENV
      - name: Copy queries into workspace
        run: |
          cp -a ../action/queries .
@@ -1,12 +1,13 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     pr-checks/sync.sh
+#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
 # to regenerate this file.

 name: 'PR Check - C/C++: disabling autoinstalling dependencies (Linux)'
 env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  GO111MODULE: auto
+  CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true'
 on:
  push:
    branches:
@@ -20,18 +21,14 @@ on:
      - ready_for_review
  schedule:
    - cron: '0 5 * * *'
-  workflow_dispatch:
-    inputs: {}
-  workflow_call:
-    inputs: {}
+  workflow_dispatch: {}
 jobs:
  cpp-deptrace-disabled:
    strategy:
-      fail-fast: false
      matrix:
        include:
          - os: ubuntu-latest
-            version: linked
+            version: latest
          - os: ubuntu-latest
            version: default
          - os: ubuntu-latest
@@ -39,19 +36,36 @@ jobs:
    name: 'C/C++: disabling autoinstalling dependencies (Linux)'
    permissions:
      contents: read
-      security-events: read
+      security-events: write
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
+      - name: Setup Python on MacOS
+        uses: actions/setup-python@v5
+        if: >-
+          matrix.os == 'macos-latest' && (
+
+          matrix.version == 'stable-20221211' ||
+
+          matrix.version == 'stable-20230418' ||
+
+          matrix.version == 'stable-v2.13.5' ||
+
+          matrix.version == 'stable-v2.14.6')
+        with:
+          python-version: '3.11'
      - name: Check out repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v4
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
        with:
          version: ${{ matrix.version }}
          use-all-platform-bundle: 'false'
-          setup-kotlin: 'true'
+      - name: Set environment variable for Swift enablement
+        if: runner.os != 'Windows' && matrix.version == '20221211'
+        shell: bash
+        run: echo "CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT=true" >> $GITHUB_ENV
      - name: Test setup
        shell: bash
        run: |
@@ -1,12 +1,13 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     pr-checks/sync.sh
+#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
 # to regenerate this file.

 name: 'PR Check - C/C++: autoinstalling dependencies is skipped (macOS)'
 env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  GO111MODULE: auto
+  CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true'
 on:
  push:
    branches:
@@ -20,36 +21,47 @@ on:
      - ready_for_review
  schedule:
    - cron: '0 5 * * *'
-  workflow_dispatch:
-    inputs: {}
-  workflow_call:
-    inputs: {}
+  workflow_dispatch: {}
 jobs:
  cpp-deptrace-enabled-on-macos:
    strategy:
-      fail-fast: false
      matrix:
        include:
-          - os: macos-latest
-            version: linked
          - os: macos-latest
            version: nightly-latest
    name: 'C/C++: autoinstalling dependencies is skipped (macOS)'
    permissions:
      contents: read
-      security-events: read
+      security-events: write
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
+      - name: Setup Python on MacOS
+        uses: actions/setup-python@v5
+        if: >-
+          matrix.os == 'macos-latest' && (
+
+          matrix.version == 'stable-20221211' ||
+
+          matrix.version == 'stable-20230418' ||
+
+          matrix.version == 'stable-v2.13.5' ||
+
+          matrix.version == 'stable-v2.14.6')
+        with:
+          python-version: '3.11'
      - name: Check out repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v4
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
        with:
          version: ${{ matrix.version }}
          use-all-platform-bundle: 'false'
-          setup-kotlin: 'true'
+      - name: Set environment variable for Swift enablement
+        if: runner.os != 'Windows' && matrix.version == '20221211'
+        shell: bash
+        run: echo "CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT=true" >> $GITHUB_ENV
      - name: Test setup
        shell: bash
        run: |
@@ -1,12 +1,13 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     pr-checks/sync.sh
+#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
 # to regenerate this file.

 name: 'PR Check - C/C++: autoinstalling dependencies (Linux)'
 env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  GO111MODULE: auto
+  CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true'
 on:
  push:
    branches:
@@ -20,18 +21,14 @@ on:
      - ready_for_review
  schedule:
    - cron: '0 5 * * *'
-  workflow_dispatch:
-    inputs: {}
-  workflow_call:
-    inputs: {}
+  workflow_dispatch: {}
 jobs:
  cpp-deptrace-enabled:
    strategy:
-      fail-fast: false
      matrix:
        include:
          - os: ubuntu-latest
-            version: linked
+            version: latest
          - os: ubuntu-latest
            version: default
          - os: ubuntu-latest
@@ -39,19 +36,36 @@ jobs:
    name: 'C/C++: autoinstalling dependencies (Linux)'
    permissions:
      contents: read
-      security-events: read
+      security-events: write
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
+      - name: Setup Python on MacOS
+        uses: actions/setup-python@v5
+        if: >-
+          matrix.os == 'macos-latest' && (
+
+          matrix.version == 'stable-20221211' ||
+
+          matrix.version == 'stable-20230418' ||
+
+          matrix.version == 'stable-v2.13.5' ||
+
+          matrix.version == 'stable-v2.14.6')
+        with:
+          python-version: '3.11'
      - name: Check out repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v4
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
        with:
          version: ${{ matrix.version }}
          use-all-platform-bundle: 'false'
-          setup-kotlin: 'true'
+      - name: Set environment variable for Swift enablement
+        if: runner.os != 'Windows' && matrix.version == '20221211'
+        shell: bash
+        run: echo "CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT=true" >> $GITHUB_ENV
      - name: Test setup
        shell: bash
        run: |
@@ -1,12 +1,13 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     pr-checks/sync.sh
+#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
 # to regenerate this file.

 name: PR Check - Diagnostic export
 env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  GO111MODULE: auto
+  CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true'
 on:
  push:
    branches:
@@ -20,44 +21,63 @@ on:
      - ready_for_review
  schedule:
    - cron: '0 5 * * *'
-  workflow_dispatch:
-    inputs: {}
-  workflow_call:
-    inputs: {}
+  workflow_dispatch: {}
 jobs:
  diagnostics-export:
    strategy:
-      fail-fast: false
      matrix:
        include:
          - os: ubuntu-latest
-            version: linked
+            version: stable-20230317
          - os: macos-latest
-            version: linked
-          - os: windows-2025
-            version: linked
+            version: stable-20230317
+          - os: windows-latest
+            version: stable-20230317
+          - os: ubuntu-latest
+            version: latest
+          - os: macos-latest
+            version: latest
+          - os: windows-latest
+            version: latest
          - os: ubuntu-latest
            version: nightly-latest
          - os: macos-latest
            version: nightly-latest
-          - os: windows-2025
+          - os: windows-latest
            version: nightly-latest
    name: Diagnostic export
    permissions:
      contents: read
-      security-events: read
+      security-events: write
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
+      - name: Setup Python on MacOS
+        uses: actions/setup-python@v5
+        if: >-
+          matrix.os == 'macos-latest' && (
+
+          matrix.version == 'stable-20221211' ||
+
+          matrix.version == 'stable-20230418' ||
+
+          matrix.version == 'stable-v2.13.5' ||
+
+          matrix.version == 'stable-v2.14.6')
+        with:
+          python-version: '3.11'
      - name: Check out repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v4
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
        with:
          version: ${{ matrix.version }}
          use-all-platform-bundle: 'false'
-          setup-kotlin: 'true'
+      - name: Set environment variable for Swift enablement
+        if: runner.os != 'Windows' && matrix.version == '20221211'
+        shell: bash
+        run: echo "CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT=true" >> $GITHUB_ENV
      - uses: ./../action/init
        id: init
        with:
@@ -68,19 +88,23 @@ jobs:
        env:
          CODEQL_PATH: ${{ steps.init.outputs.codeql-path }}
        run: |
-          "$CODEQL_PATH" database add-diagnostic \
-            "$RUNNER_TEMP/codeql_databases/javascript" \
-            --file-path /path/to/file \
-            --plaintext-message "Plaintext message" \
-            --source-id "lang/diagnostics/example" \
-            --source-name "Diagnostic name" \
-            --ready-for-status-page
+          for i in {1..2}; do
+            # Use the same location twice to test the workaround for the bug in CodeQL CLI 2.12.5 that
+            # produces an invalid diagnostic with multiple identical location objects.
+            "$CODEQL_PATH" database add-diagnostic \
+              "$RUNNER_TEMP/codeql_databases/javascript" \
+              --file-path /path/to/file \
+              --plaintext-message "Plaintext message $i" \
+              --source-id "lang/diagnostics/example" \
+              --source-name "Diagnostic name" \
+              --ready-for-status-page
+          done
      - uses: ./../action/analyze
        with:
          output: ${{ runner.temp }}/results
          upload-database: false
      - name: Upload SARIF
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v3
        with:
          name: diagnostics-export-${{ matrix.os }}-${{ matrix.version }}.sarif.json
          path: ${{ runner.temp }}/results/javascript.sarif
@@ -94,7 +118,7 @@ jobs:
            const fs = require('fs');

            function checkStatusPageNotification(n) {
-              const expectedMessage = 'Plaintext message';
+              const expectedMessage = 'Plaintext message 1\n\nCodeQL also found 1 other diagnostic like this. See the workflow log for details.';
              if (n.message.text !== expectedMessage) {
                core.setFailed(`Expected the status page diagnostic to have the message '${expectedMessage}', but found '${n.message.text}'.`);
              }
@@ -1,12 +1,13 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     pr-checks/sync.sh
+#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
 # to regenerate this file.

 name: PR Check - Export file baseline information
 env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  GO111MODULE: auto
+  CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true'
 on:
  push:
    branches:
@@ -20,60 +21,57 @@ on:
      - ready_for_review
  schedule:
    - cron: '0 5 * * *'
-  workflow_dispatch:
-    inputs:
-      go-version:
-        type: string
-        description: The version of Go to install
-        required: false
-        default: '>=1.21.0'
-  workflow_call:
-    inputs:
-      go-version:
-        type: string
-        description: The version of Go to install
-        required: false
-        default: '>=1.21.0'
+  workflow_dispatch: {}
 jobs:
  export-file-baseline-information:
    strategy:
-      fail-fast: false
      matrix:
        include:
          - os: ubuntu-latest
            version: nightly-latest
          - os: macos-latest
            version: nightly-latest
-          - os: windows-2025
+          - os: windows-latest
            version: nightly-latest
    name: Export file baseline information
    permissions:
      contents: read
-      security-events: read
+      security-events: write
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
+      - name: Setup Python on MacOS
+        uses: actions/setup-python@v5
+        if: >-
+          matrix.os == 'macos-latest' && (
+
+          matrix.version == 'stable-20221211' ||
+
+          matrix.version == 'stable-20230418' ||
+
+          matrix.version == 'stable-v2.13.5' ||
+
+          matrix.version == 'stable-v2.14.6')
+        with:
+          python-version: '3.11'
      - name: Check out repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v4
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
        with:
          version: ${{ matrix.version }}
          use-all-platform-bundle: 'false'
-          setup-kotlin: 'true'
-      - name: Install Go
-        uses: actions/setup-go@v5
-        with:
-          go-version: ${{ inputs.go-version || '>=1.21.0' }}
-          cache: false
+      - name: Set environment variable for Swift enablement
+        if: runner.os != 'Windows' && matrix.version == '20221211'
+        shell: bash
+        run: echo "CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT=true" >> $GITHUB_ENV
      - uses: ./../action/init
        id: init
        with:
          languages: javascript
          tools: ${{ steps.prepare-test.outputs.tools-url }}
      - uses: ./../action/.github/actions/setup-swift
-        if: runner.os == 'macOS'
        with:
          codeql-path: ${{ steps.init.outputs.codeql-path }}
      - name: Build code
@@ -83,7 +81,7 @@ jobs:
        with:
          output: ${{ runner.temp }}/results
      - name: Upload SARIF
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v3
        with:
          name: with-baseline-information-${{ matrix.os }}-${{ matrix.version }}.sarif.json
          path: ${{ runner.temp }}/results/javascript.sarif
@@ -93,7 +91,7 @@ jobs:
        run: |
          cd "$RUNNER_TEMP/results"
          expected_baseline_languages="c csharp go java kotlin javascript python ruby"
-          if [[ $RUNNER_OS == "macOS" ]]; then
+          if [[ $RUNNER_OS != "Windows" ]]; then
            expected_baseline_languages+=" swift"
          fi

@@ -1,12 +1,13 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     pr-checks/sync.sh
+#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
 # to regenerate this file.

 name: PR Check - Extractor ram and threads options test
 env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  GO111MODULE: auto
+  CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true'
 on:
  push:
    branches:
@@ -20,34 +21,47 @@ on:
      - ready_for_review
  schedule:
    - cron: '0 5 * * *'
-  workflow_dispatch:
-    inputs: {}
-  workflow_call:
-    inputs: {}
+  workflow_dispatch: {}
 jobs:
  extractor-ram-threads:
    strategy:
-      fail-fast: false
      matrix:
        include:
          - os: ubuntu-latest
-            version: linked
+            version: latest
    name: Extractor ram and threads options test
    permissions:
      contents: read
-      security-events: read
+      security-events: write
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
+      - name: Setup Python on MacOS
+        uses: actions/setup-python@v5
+        if: >-
+          matrix.os == 'macos-latest' && (
+
+          matrix.version == 'stable-20221211' ||
+
+          matrix.version == 'stable-20230418' ||
+
+          matrix.version == 'stable-v2.13.5' ||
+
+          matrix.version == 'stable-v2.14.6')
+        with:
+          python-version: '3.11'
      - name: Check out repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v4
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
        with:
          version: ${{ matrix.version }}
          use-all-platform-bundle: 'false'
-          setup-kotlin: 'true'
+      - name: Set environment variable for Swift enablement
+        if: runner.os != 'Windows' && matrix.version == '20221211'
+        shell: bash
+        run: echo "CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT=true" >> $GITHUB_ENV
      - uses: ./../action/init
        with:
          languages: java
@@ -1,12 +1,13 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     pr-checks/sync.sh
+#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
 # to regenerate this file.

 name: 'PR Check - Go: Custom queries'
 env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  GO111MODULE: auto
+  CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true'
 on:
  push:
    branches:
@@ -20,51 +21,87 @@ on:
      - ready_for_review
  schedule:
    - cron: '0 5 * * *'
-  workflow_dispatch:
-    inputs:
-      go-version:
-        type: string
-        description: The version of Go to install
-        required: false
-        default: '>=1.21.0'
-  workflow_call:
-    inputs:
-      go-version:
-        type: string
-        description: The version of Go to install
-        required: false
-        default: '>=1.21.0'
+  workflow_dispatch: {}
 jobs:
  go-custom-queries:
    strategy:
-      fail-fast: false
      matrix:
        include:
          - os: ubuntu-latest
-            version: linked
+            version: stable-20221211
+          - os: macos-latest
+            version: stable-20221211
+          - os: windows-latest
+            version: stable-20221211
          - os: ubuntu-latest
+            version: stable-20230418
+          - os: macos-latest
+            version: stable-20230418
+          - os: windows-latest
+            version: stable-20230418
+          - os: ubuntu-latest
+            version: stable-v2.13.5
+          - os: macos-latest
+            version: stable-v2.13.5
+          - os: windows-latest
+            version: stable-v2.13.5
+          - os: ubuntu-latest
+            version: stable-v2.14.6
+          - os: macos-latest
+            version: stable-v2.14.6
+          - os: windows-latest
+            version: stable-v2.14.6
+          - os: ubuntu-latest
+            version: default
+          - os: macos-latest
+            version: default
+          - os: windows-latest
+            version: default
+          - os: ubuntu-latest
+            version: latest
+          - os: macos-latest
+            version: latest
+          - os: windows-latest
+            version: latest
+          - os: ubuntu-latest
+            version: nightly-latest
+          - os: macos-latest
+            version: nightly-latest
+          - os: windows-latest
            version: nightly-latest
    name: 'Go: Custom queries'
    permissions:
      contents: read
-      security-events: read
+      security-events: write
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
+      - name: Setup Python on MacOS
+        uses: actions/setup-python@v5
+        if: >-
+          matrix.os == 'macos-latest' && (
+
+          matrix.version == 'stable-20221211' ||
+
+          matrix.version == 'stable-20230418' ||
+
+          matrix.version == 'stable-v2.13.5' ||
+
+          matrix.version == 'stable-v2.14.6')
+        with:
+          python-version: '3.11'
      - name: Check out repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v4
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
        with:
          version: ${{ matrix.version }}
          use-all-platform-bundle: 'false'
-          setup-kotlin: 'true'
-      - name: Install Go
-        uses: actions/setup-go@v5
-        with:
-          go-version: ${{ inputs.go-version || '>=1.21.0' }}
-          cache: false
+      - name: Set environment variable for Swift enablement
+        if: runner.os != 'Windows' && matrix.version == '20221211'
+        shell: bash
+        run: echo "CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT=true" >> $GITHUB_ENV
      - uses: ./../action/init
        with:
          languages: go
@@ -74,6 +111,8 @@ jobs:
        shell: bash
        run: ./build.sh
      - uses: ./../action/analyze
+        with:
+          upload-database: false
    env:
      DOTNET_GENERATE_ASPNET_CERTIFICATE: 'false'
      CODEQL_ACTION_TEST_MODE: true
@@ -1,12 +1,13 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     pr-checks/sync.sh
+#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
 # to regenerate this file.

 name: 'PR Check - Go: diagnostic when Go is changed after init step'
 env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  GO111MODULE: auto
+  CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true'
 on:
  push:
    branches:
@@ -20,49 +21,51 @@ on:
      - ready_for_review
  schedule:
    - cron: '0 5 * * *'
-  workflow_dispatch:
-    inputs:
-      go-version:
-        type: string
-        description: The version of Go to install
-        required: false
-        default: '>=1.21.0'
-  workflow_call:
-    inputs:
-      go-version:
-        type: string
-        description: The version of Go to install
-        required: false
-        default: '>=1.21.0'
+  workflow_dispatch: {}
 jobs:
  go-indirect-tracing-workaround-diagnostic:
    strategy:
-      fail-fast: false
      matrix:
        include:
          - os: ubuntu-latest
-            version: default
+            version: stable-v2.14.6
    name: 'Go: diagnostic when Go is changed after init step'
    permissions:
      contents: read
-      security-events: read
+      security-events: write
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
+      - name: Setup Python on MacOS
+        uses: actions/setup-python@v5
+        if: >-
+          matrix.os == 'macos-latest' && (
+
+          matrix.version == 'stable-20221211' ||
+
+          matrix.version == 'stable-20230418' ||
+
+          matrix.version == 'stable-v2.13.5' ||
+
+          matrix.version == 'stable-v2.14.6')
+        with:
+          python-version: '3.11'
      - name: Check out repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v4
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
        with:
          version: ${{ matrix.version }}
          use-all-platform-bundle: 'false'
-          setup-kotlin: 'true'
-      - name: Install Go
-        uses: actions/setup-go@v5
+      - name: Set environment variable for Swift enablement
+        if: runner.os != 'Windows' && matrix.version == '20221211'
+        shell: bash
+        run: echo "CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT=true" >> $GITHUB_ENV
+      - uses: actions/setup-go@v5
        with:
-          go-version: ${{ inputs.go-version || '>=1.21.0' }}
-          cache: false
+      # We need a Go version that ships with statically linked binaries on Linux
+          go-version: '>=1.21.0'
      - uses: ./../action/init
        with:
          languages: go
@@ -1,106 +0,0 @@
-# Warning: This file is generated automatically, and should not be modified.
-# Instead, please modify the template in the pr-checks directory and run:
-#     pr-checks/sync.sh
-# to regenerate this file.
-
-name: 'PR Check - Go: diagnostic when `file` is not installed'
-env:
-  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-  GO111MODULE: auto
-on:
-  push:
-    branches:
-      - main
-      - releases/v*
-  pull_request:
-    types:
-      - opened
-      - synchronize
-      - reopened
-      - ready_for_review
-  schedule:
-    - cron: '0 5 * * *'
-  workflow_dispatch:
-    inputs:
-      go-version:
-        type: string
-        description: The version of Go to install
-        required: false
-        default: '>=1.21.0'
-  workflow_call:
-    inputs:
-      go-version:
-        type: string
-        description: The version of Go to install
-        required: false
-        default: '>=1.21.0'
-jobs:
-  go-indirect-tracing-workaround-no-file-program:
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - os: ubuntu-latest
-            version: default
-    name: 'Go: diagnostic when `file` is not installed'
-    permissions:
-      contents: read
-      security-events: read
-    timeout-minutes: 45
-    runs-on: ${{ matrix.os }}
-    steps:
-      - name: Check out repository
-        uses: actions/checkout@v5
-      - name: Prepare test
-        id: prepare-test
-        uses: ./.github/actions/prepare-test
-        with:
-          version: ${{ matrix.version }}
-          use-all-platform-bundle: 'false'
-          setup-kotlin: 'true'
-      - name: Install Go
-        uses: actions/setup-go@v5
-        with:
-          go-version: ${{ inputs.go-version || '>=1.21.0' }}
-          cache: false
-      - name: Remove `file` program
-        run: |
-          echo $(which file)
-          sudo rm -rf $(which file)
-          echo $(which file)
-      - uses: ./../action/init
-        with:
-          languages: go
-          tools: ${{ steps.prepare-test.outputs.tools-url }}
-      - name: Build code
-        shell: bash
-        run: go build main.go
-      - uses: ./../action/analyze
-        with:
-          output: ${{ runner.temp }}/results
-          upload-database: false
-      - name: Check diagnostic appears in SARIF
-        uses: actions/github-script@v7
-        env:
-          SARIF_PATH: ${{ runner.temp }}/results/go.sarif
-        with:
-          script: |
-            const fs = require('fs');
-
-            const sarif = JSON.parse(fs.readFileSync(process.env['SARIF_PATH'], 'utf8'));
-            const run = sarif.runs[0];
-
-            const toolExecutionNotifications = run.invocations[0].toolExecutionNotifications;
-            const statusPageNotifications = toolExecutionNotifications.filter(n =>
-              n.descriptor.id === 'go/workflow/file-program-unavailable' && n.properties?.visibility?.statusPage
-            );
-            if (statusPageNotifications.length !== 1) {
-              core.setFailed(
-                'Expected exactly one status page reporting descriptor for this diagnostic in the ' +
-                  `'runs[].invocations[].toolExecutionNotifications[]' SARIF property, but found ` +
-                  `${statusPageNotifications.length}. All notification reporting descriptors: ` +
-                  `${JSON.stringify(toolExecutionNotifications)}.`
-              );
-            }
-    env:
-      CODEQL_ACTION_TEST_MODE: true
@@ -1,12 +1,13 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     pr-checks/sync.sh
+#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
 # to regenerate this file.

 name: 'PR Check - Go: workaround for indirect tracing'
 env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  GO111MODULE: auto
+  CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true'
 on:
  push:
    branches:
@@ -20,49 +21,51 @@ on:
      - ready_for_review
  schedule:
    - cron: '0 5 * * *'
-  workflow_dispatch:
-    inputs:
-      go-version:
-        type: string
-        description: The version of Go to install
-        required: false
-        default: '>=1.21.0'
-  workflow_call:
-    inputs:
-      go-version:
-        type: string
-        description: The version of Go to install
-        required: false
-        default: '>=1.21.0'
+  workflow_dispatch: {}
 jobs:
  go-indirect-tracing-workaround:
    strategy:
-      fail-fast: false
      matrix:
        include:
          - os: ubuntu-latest
-            version: default
+            version: stable-v2.14.6
    name: 'Go: workaround for indirect tracing'
    permissions:
      contents: read
-      security-events: read
+      security-events: write
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
+      - name: Setup Python on MacOS
+        uses: actions/setup-python@v5
+        if: >-
+          matrix.os == 'macos-latest' && (
+
+          matrix.version == 'stable-20221211' ||
+
+          matrix.version == 'stable-20230418' ||
+
+          matrix.version == 'stable-v2.13.5' ||
+
+          matrix.version == 'stable-v2.14.6')
+        with:
+          python-version: '3.11'
      - name: Check out repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v4
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
        with:
          version: ${{ matrix.version }}
          use-all-platform-bundle: 'false'
-          setup-kotlin: 'true'
-      - name: Install Go
-        uses: actions/setup-go@v5
+      - name: Set environment variable for Swift enablement
+        if: runner.os != 'Windows' && matrix.version == '20221211'
+        shell: bash
+        run: echo "CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT=true" >> $GITHUB_ENV
+      - uses: actions/setup-go@v5
        with:
-          go-version: ${{ inputs.go-version || '>=1.21.0' }}
-          cache: false
+      # We need a Go version that ships with statically linked binaries on Linux
+          go-version: '>=1.21.0'
      - uses: ./../action/init
        with:
          languages: go
@@ -71,6 +74,8 @@ jobs:
        shell: bash
        run: go build main.go
      - uses: ./../action/analyze
+        with:
+          upload-database: false
      - shell: bash
        run: |
          if [[ -z "${CODEQL_ACTION_GO_BINARY}" ]]; then
@@ -1,12 +1,13 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     pr-checks/sync.sh
+#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
 # to regenerate this file.

 name: 'PR Check - Go: tracing with autobuilder step'
 env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  GO111MODULE: auto
+  CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true'
 on:
  push:
    branches:
@@ -20,54 +21,36 @@ on:
      - ready_for_review
  schedule:
    - cron: '0 5 * * *'
-  workflow_dispatch:
-    inputs:
-      go-version:
-        type: string
-        description: The version of Go to install
-        required: false
-        default: '>=1.21.0'
-  workflow_call:
-    inputs:
-      go-version:
-        type: string
-        description: The version of Go to install
-        required: false
-        default: '>=1.21.0'
+  workflow_dispatch: {}
 jobs:
  go-tracing-autobuilder:
    strategy:
-      fail-fast: false
      matrix:
        include:
          - os: ubuntu-latest
-            version: stable-v2.17.6
+            version: stable-20221211
          - os: macos-latest
-            version: stable-v2.17.6
+            version: stable-20221211
          - os: ubuntu-latest
-            version: stable-v2.18.4
+            version: stable-20230418
          - os: macos-latest
-            version: stable-v2.18.4
+            version: stable-20230418
          - os: ubuntu-latest
-            version: stable-v2.19.4
+            version: stable-v2.13.5
          - os: macos-latest
-            version: stable-v2.19.4
+            version: stable-v2.13.5
          - os: ubuntu-latest
-            version: stable-v2.20.7
+            version: stable-v2.14.6
          - os: macos-latest
-            version: stable-v2.20.7
-          - os: ubuntu-latest
-            version: stable-v2.21.4
-          - os: macos-latest
-            version: stable-v2.21.4
+            version: stable-v2.14.6
          - os: ubuntu-latest
            version: default
          - os: macos-latest
            version: default
          - os: ubuntu-latest
-            version: linked
+            version: latest
          - os: macos-latest
-            version: linked
+            version: latest
          - os: ubuntu-latest
            version: nightly-latest
          - os: macos-latest
@@ -75,23 +58,41 @@ jobs:
    name: 'Go: tracing with autobuilder step'
    permissions:
      contents: read
-      security-events: read
+      security-events: write
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
+      - name: Setup Python on MacOS
+        uses: actions/setup-python@v5
+        if: >-
+          matrix.os == 'macos-latest' && (
+
+          matrix.version == 'stable-20221211' ||
+
+          matrix.version == 'stable-20230418' ||
+
+          matrix.version == 'stable-v2.13.5' ||
+
+          matrix.version == 'stable-v2.14.6')
+        with:
+          python-version: '3.11'
      - name: Check out repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v4
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
        with:
          version: ${{ matrix.version }}
          use-all-platform-bundle: 'false'
-          setup-kotlin: 'true'
-      - name: Install Go
-        uses: actions/setup-go@v5
+      - name: Set environment variable for Swift enablement
+        if: runner.os != 'Windows' && matrix.version == '20221211'
+        shell: bash
+        run: echo "CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT=true" >> $GITHUB_ENV
+      - uses: actions/setup-go@v5
        with:
-          go-version: ${{ inputs.go-version || '>=1.21.0' }}
+          go-version: ~1.22.0
+      # to avoid potentially misleading autobuilder results where we expect it to download
+      # dependencies successfully, but they actually come from a warm cache
          cache: false
      - uses: ./../action/init
        with:
@@ -99,6 +100,8 @@ jobs:
          tools: ${{ steps.prepare-test.outputs.tools-url }}
      - uses: ./../action/autobuild
      - uses: ./../action/analyze
+        with:
+          upload-database: false
      - shell: bash
        run: |
          if [[ "${CODEQL_ACTION_DID_AUTOBUILD_GOLANG}" != true ]]; then
@@ -1,12 +1,13 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     pr-checks/sync.sh
+#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
 # to regenerate this file.

 name: 'PR Check - Go: tracing with custom build steps'
 env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  GO111MODULE: auto
+  CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true'
 on:
  push:
    branches:
@@ -20,54 +21,36 @@ on:
      - ready_for_review
  schedule:
    - cron: '0 5 * * *'
-  workflow_dispatch:
-    inputs:
-      go-version:
-        type: string
-        description: The version of Go to install
-        required: false
-        default: '>=1.21.0'
-  workflow_call:
-    inputs:
-      go-version:
-        type: string
-        description: The version of Go to install
-        required: false
-        default: '>=1.21.0'
+  workflow_dispatch: {}
 jobs:
  go-tracing-custom-build-steps:
    strategy:
-      fail-fast: false
      matrix:
        include:
          - os: ubuntu-latest
-            version: stable-v2.17.6
+            version: stable-20221211
          - os: macos-latest
-            version: stable-v2.17.6
+            version: stable-20221211
          - os: ubuntu-latest
-            version: stable-v2.18.4
+            version: stable-20230418
          - os: macos-latest
-            version: stable-v2.18.4
+            version: stable-20230418
          - os: ubuntu-latest
-            version: stable-v2.19.4
+            version: stable-v2.13.5
          - os: macos-latest
-            version: stable-v2.19.4
+            version: stable-v2.13.5
          - os: ubuntu-latest
-            version: stable-v2.20.7
+            version: stable-v2.14.6
          - os: macos-latest
-            version: stable-v2.20.7
-          - os: ubuntu-latest
-            version: stable-v2.21.4
-          - os: macos-latest
-            version: stable-v2.21.4
+            version: stable-v2.14.6
          - os: ubuntu-latest
            version: default
          - os: macos-latest
            version: default
          - os: ubuntu-latest
-            version: linked
+            version: latest
          - os: macos-latest
-            version: linked
+            version: latest
          - os: ubuntu-latest
            version: nightly-latest
          - os: macos-latest
@@ -75,23 +58,41 @@ jobs:
    name: 'Go: tracing with custom build steps'
    permissions:
      contents: read
-      security-events: read
+      security-events: write
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
+      - name: Setup Python on MacOS
+        uses: actions/setup-python@v5
+        if: >-
+          matrix.os == 'macos-latest' && (
+
+          matrix.version == 'stable-20221211' ||
+
+          matrix.version == 'stable-20230418' ||
+
+          matrix.version == 'stable-v2.13.5' ||
+
+          matrix.version == 'stable-v2.14.6')
+        with:
+          python-version: '3.11'
      - name: Check out repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v4
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
        with:
          version: ${{ matrix.version }}
          use-all-platform-bundle: 'false'
-          setup-kotlin: 'true'
-      - name: Install Go
-        uses: actions/setup-go@v5
+      - name: Set environment variable for Swift enablement
+        if: runner.os != 'Windows' && matrix.version == '20221211'
+        shell: bash
+        run: echo "CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT=true" >> $GITHUB_ENV
+      - uses: actions/setup-go@v5
        with:
-          go-version: ${{ inputs.go-version || '>=1.21.0' }}
+          go-version: ~1.22.0
+      # to avoid potentially misleading autobuilder results where we expect it to download
+      # dependencies successfully, but they actually come from a warm cache
          cache: false
      - uses: ./../action/init
        with:
@@ -101,6 +102,8 @@ jobs:
        shell: bash
        run: go build main.go
      - uses: ./../action/analyze
+        with:
+          upload-database: false
      - shell: bash
        run: |
          # Once we start running Bash 4.2 in all environments, we can replace the
@@ -1,12 +1,13 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     pr-checks/sync.sh
+#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
 # to regenerate this file.

 name: 'PR Check - Go: tracing with legacy workflow'
 env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  GO111MODULE: auto
+  CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true'
 on:
  push:
    branches:
@@ -20,54 +21,36 @@ on:
      - ready_for_review
  schedule:
    - cron: '0 5 * * *'
-  workflow_dispatch:
-    inputs:
-      go-version:
-        type: string
-        description: The version of Go to install
-        required: false
-        default: '>=1.21.0'
-  workflow_call:
-    inputs:
-      go-version:
-        type: string
-        description: The version of Go to install
-        required: false
-        default: '>=1.21.0'
+  workflow_dispatch: {}
 jobs:
  go-tracing-legacy-workflow:
    strategy:
-      fail-fast: false
      matrix:
        include:
          - os: ubuntu-latest
-            version: stable-v2.17.6
+            version: stable-20221211
          - os: macos-latest
-            version: stable-v2.17.6
+            version: stable-20221211
          - os: ubuntu-latest
-            version: stable-v2.18.4
+            version: stable-20230418
          - os: macos-latest
-            version: stable-v2.18.4
+            version: stable-20230418
          - os: ubuntu-latest
-            version: stable-v2.19.4
+            version: stable-v2.13.5
          - os: macos-latest
-            version: stable-v2.19.4
+            version: stable-v2.13.5
          - os: ubuntu-latest
-            version: stable-v2.20.7
+            version: stable-v2.14.6
          - os: macos-latest
-            version: stable-v2.20.7
-          - os: ubuntu-latest
-            version: stable-v2.21.4
-          - os: macos-latest
-            version: stable-v2.21.4
+            version: stable-v2.14.6
          - os: ubuntu-latest
            version: default
          - os: macos-latest
            version: default
          - os: ubuntu-latest
-            version: linked
+            version: latest
          - os: macos-latest
-            version: linked
+            version: latest
          - os: ubuntu-latest
            version: nightly-latest
          - os: macos-latest
@@ -75,29 +58,49 @@ jobs:
    name: 'Go: tracing with legacy workflow'
    permissions:
      contents: read
-      security-events: read
+      security-events: write
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
+      - name: Setup Python on MacOS
+        uses: actions/setup-python@v5
+        if: >-
+          matrix.os == 'macos-latest' && (
+
+          matrix.version == 'stable-20221211' ||
+
+          matrix.version == 'stable-20230418' ||
+
+          matrix.version == 'stable-v2.13.5' ||
+
+          matrix.version == 'stable-v2.14.6')
+        with:
+          python-version: '3.11'
      - name: Check out repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v4
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
        with:
          version: ${{ matrix.version }}
          use-all-platform-bundle: 'false'
-          setup-kotlin: 'true'
-      - name: Install Go
-        uses: actions/setup-go@v5
+      - name: Set environment variable for Swift enablement
+        if: runner.os != 'Windows' && matrix.version == '20221211'
+        shell: bash
+        run: echo "CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT=true" >> $GITHUB_ENV
+      - uses: actions/setup-go@v5
        with:
-          go-version: ${{ inputs.go-version || '>=1.21.0' }}
+          go-version: ~1.22.0
+      # to avoid potentially misleading autobuilder results where we expect it to download
+      # dependencies successfully, but they actually come from a warm cache
          cache: false
      - uses: ./../action/init
        with:
          languages: go
          tools: ${{ steps.prepare-test.outputs.tools-url }}
      - uses: ./../action/analyze
+        with:
+          upload-database: false
      - shell: bash
        run: |
          cd "$RUNNER_TEMP/codeql_databases"
@@ -1,77 +0,0 @@
-# Warning: This file is generated automatically, and should not be modified.
-# Instead, please modify the template in the pr-checks directory and run:
-#     pr-checks/sync.sh
-# to regenerate this file.
-
-name: Manual Check - go
-env:
-  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-  GO111MODULE: auto
-on:
-  push:
-    paths:
-      - .github/workflows/__go.yml
-  workflow_dispatch:
-    inputs:
-      go-version:
-        type: string
-        description: The version of Go to install
-        required: false
-        default: '>=1.21.0'
-jobs:
-  go-custom-queries:
-    name: 'Go: Custom queries'
-    permissions:
-      contents: read
-      security-events: read
-    uses: ./.github/workflows/__go-custom-queries.yml
-    with:
-      go-version: ${{ inputs.go-version }}
-  go-indirect-tracing-workaround-diagnostic:
-    name: 'Go: diagnostic when Go is changed after init step'
-    permissions:
-      contents: read
-      security-events: read
-    uses: ./.github/workflows/__go-indirect-tracing-workaround-diagnostic.yml
-    with:
-      go-version: ${{ inputs.go-version }}
-  go-indirect-tracing-workaround-no-file-program:
-    name: 'Go: diagnostic when `file` is not installed'
-    permissions:
-      contents: read
-      security-events: read
-    uses: ./.github/workflows/__go-indirect-tracing-workaround-no-file-program.yml
-    with:
-      go-version: ${{ inputs.go-version }}
-  go-indirect-tracing-workaround:
-    name: 'Go: workaround for indirect tracing'
-    permissions:
-      contents: read
-      security-events: read
-    uses: ./.github/workflows/__go-indirect-tracing-workaround.yml
-    with:
-      go-version: ${{ inputs.go-version }}
-  go-tracing-autobuilder:
-    name: 'Go: tracing with autobuilder step'
-    permissions:
-      contents: read
-      security-events: read
-    uses: ./.github/workflows/__go-tracing-autobuilder.yml
-    with:
-      go-version: ${{ inputs.go-version }}
-  go-tracing-custom-build-steps:
-    name: 'Go: tracing with custom build steps'
-    permissions:
-      contents: read
-      security-events: read
-    uses: ./.github/workflows/__go-tracing-custom-build-steps.yml
-    with:
-      go-version: ${{ inputs.go-version }}
-  go-tracing-legacy-workflow:
-    name: 'Go: tracing with legacy workflow'
-    permissions:
-      contents: read
-      security-events: read
-    uses: ./.github/workflows/__go-tracing-legacy-workflow.yml
-    with:
-      go-version: ${{ inputs.go-version }}
@@ -1,12 +1,13 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     pr-checks/sync.sh
+#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
 # to regenerate this file.

 name: 'PR Check - Packaging: Download using registries'
 env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  GO111MODULE: auto
+  CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true'
 on:
  push:
    branches:
@@ -20,33 +21,29 @@ on:
      - ready_for_review
  schedule:
    - cron: '0 5 * * *'
-  workflow_dispatch:
-    inputs: {}
-  workflow_call:
-    inputs: {}
+  workflow_dispatch: {}
 jobs:
  init-with-registries:
    strategy:
-      fail-fast: false
      matrix:
        include:
          - os: ubuntu-latest
            version: default
          - os: macos-latest
            version: default
-          - os: windows-2025
+          - os: windows-latest
            version: default
          - os: ubuntu-latest
-            version: linked
+            version: latest
          - os: macos-latest
-            version: linked
-          - os: windows-2025
-            version: linked
+            version: latest
+          - os: windows-latest
+            version: latest
          - os: ubuntu-latest
            version: nightly-latest
          - os: macos-latest
            version: nightly-latest
-          - os: windows-2025
+          - os: windows-latest
            version: nightly-latest
    name: 'Packaging: Download using registries'
    permissions:
@@ -56,15 +53,32 @@ jobs:
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
+      - name: Setup Python on MacOS
+        uses: actions/setup-python@v5
+        if: >-
+          matrix.os == 'macos-latest' && (
+
+          matrix.version == 'stable-20221211' ||
+
+          matrix.version == 'stable-20230418' ||
+
+          matrix.version == 'stable-v2.13.5' ||
+
+          matrix.version == 'stable-v2.14.6')
+        with:
+          python-version: '3.11'
      - name: Check out repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v4
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
        with:
          version: ${{ matrix.version }}
          use-all-platform-bundle: 'false'
-          setup-kotlin: 'true'
+      - name: Set environment variable for Swift enablement
+        if: runner.os != 'Windows' && matrix.version == '20221211'
+        shell: bash
+        run: echo "CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT=true" >> $GITHUB_ENV
      - name: Init with registries
        uses: ./../action/init
        with:
@@ -1,12 +1,13 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     pr-checks/sync.sh
+#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
 # to regenerate this file.

 name: PR Check - Custom source root
 env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  GO111MODULE: auto
+  CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true'
 on:
  push:
    branches:
@@ -20,18 +21,14 @@ on:
      - ready_for_review
  schedule:
    - cron: '0 5 * * *'
-  workflow_dispatch:
-    inputs: {}
-  workflow_call:
-    inputs: {}
+  workflow_dispatch: {}
 jobs:
  javascript-source-root:
    strategy:
-      fail-fast: false
      matrix:
        include:
          - os: ubuntu-latest
-            version: linked
+            version: latest
          - os: ubuntu-latest
            version: default
          - os: ubuntu-latest
@@ -39,19 +36,36 @@ jobs:
    name: Custom source root
    permissions:
      contents: read
-      security-events: read
+      security-events: write
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
+      - name: Setup Python on MacOS
+        uses: actions/setup-python@v5
+        if: >-
+          matrix.os == 'macos-latest' && (
+
+          matrix.version == 'stable-20221211' ||
+
+          matrix.version == 'stable-20230418' ||
+
+          matrix.version == 'stable-v2.13.5' ||
+
+          matrix.version == 'stable-v2.14.6')
+        with:
+          python-version: '3.11'
      - name: Check out repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v4
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
        with:
          version: ${{ matrix.version }}
          use-all-platform-bundle: 'false'
-          setup-kotlin: 'true'
+      - name: Set environment variable for Swift enablement
+        if: runner.os != 'Windows' && matrix.version == '20221211'
+        shell: bash
+        run: echo "CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT=true" >> $GITHUB_ENV
      - name: Move codeql-action
        shell: bash
        run: |
@@ -64,7 +78,9 @@ jobs:
          tools: ${{ steps.prepare-test.outputs.tools-url }}
      - uses: ./../action/analyze
        with:
+          upload-database: false
          skip-queries: true
+          upload: never
      - name: Assert database exists
        shell: bash
        run: |
@@ -1,77 +0,0 @@
-# Warning: This file is generated automatically, and should not be modified.
-# Instead, please modify the template in the pr-checks directory and run:
-#     pr-checks/sync.sh
-# to regenerate this file.
-
-name: PR Check - Job run UUID added to SARIF
-env:
-  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-  GO111MODULE: auto
-on:
-  push:
-    branches:
-      - main
-      - releases/v*
-  pull_request:
-    types:
-      - opened
-      - synchronize
-      - reopened
-      - ready_for_review
-  schedule:
-    - cron: '0 5 * * *'
-  workflow_dispatch:
-    inputs: {}
-  workflow_call:
-    inputs: {}
-jobs:
-  job-run-uuid-sarif:
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - os: ubuntu-latest
-            version: nightly-latest
-    name: Job run UUID added to SARIF
-    permissions:
-      contents: read
-      security-events: read
-    timeout-minutes: 45
-    runs-on: ${{ matrix.os }}
-    steps:
-      - name: Check out repository
-        uses: actions/checkout@v5
-      - name: Prepare test
-        id: prepare-test
-        uses: ./.github/actions/prepare-test
-        with:
-          version: ${{ matrix.version }}
-          use-all-platform-bundle: 'false'
-          setup-kotlin: 'true'
-      - uses: ./../action/init
-        id: init
-        with:
-          languages: javascript
-          tools: ${{ steps.prepare-test.outputs.tools-url }}
-      - uses: ./../action/analyze
-        with:
-          output: ${{ runner.temp }}/results
-      - name: Upload SARIF
-        uses: actions/upload-artifact@v4
-        with:
-          name: ${{ matrix.os }}-${{ matrix.version }}.sarif.json
-          path: ${{ runner.temp }}/results/javascript.sarif
-          retention-days: 7
-      - name: Check results
-        shell: bash
-        run: |
-          cd "$RUNNER_TEMP/results"
-          actual=$(jq -r '.runs[0].properties.jobRunUuid' javascript.sarif)
-          if [[ "$actual" != "$JOB_RUN_UUID" ]]; then
-            echo "Expected SARIF output to contain job run UUID '$JOB_RUN_UUID', but found '$actual'."
-            exit 1
-          else
-            echo "Found job run UUID '$actual'."
-          fi
-    env:
-      CODEQL_ACTION_TEST_MODE: true
@@ -1,12 +1,13 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     pr-checks/sync.sh
+#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
 # to regenerate this file.

 name: PR Check - Language aliases
 env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  GO111MODULE: auto
+  CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true'
 on:
  push:
    branches:
@@ -20,34 +21,47 @@ on:
      - ready_for_review
  schedule:
    - cron: '0 5 * * *'
-  workflow_dispatch:
-    inputs: {}
-  workflow_call:
-    inputs: {}
+  workflow_dispatch: {}
 jobs:
  language-aliases:
    strategy:
-      fail-fast: false
      matrix:
        include:
          - os: ubuntu-latest
-            version: linked
+            version: latest
    name: Language aliases
    permissions:
      contents: read
-      security-events: read
+      security-events: write
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
+      - name: Setup Python on MacOS
+        uses: actions/setup-python@v5
+        if: >-
+          matrix.os == 'macos-latest' && (
+
+          matrix.version == 'stable-20221211' ||
+
+          matrix.version == 'stable-20230418' ||
+
+          matrix.version == 'stable-v2.13.5' ||
+
+          matrix.version == 'stable-v2.14.6')
+        with:
+          python-version: '3.11'
      - name: Check out repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v4
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
        with:
          version: ${{ matrix.version }}
          use-all-platform-bundle: 'false'
-          setup-kotlin: 'true'
+      - name: Set environment variable for Swift enablement
+        if: runner.os != 'Windows' && matrix.version == '20221211'
+        shell: bash
+        run: echo "CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT=true" >> $GITHUB_ENV
      - uses: ./../action/init
        with:
          languages: C#,java-kotlin,swift,typescript
@@ -1,12 +1,13 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     pr-checks/sync.sh
+#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
 # to regenerate this file.

 name: PR Check - Multi-language repository
 env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  GO111MODULE: auto
+  CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true'
 on:
  push:
    branches:
@@ -20,89 +21,80 @@ on:
      - ready_for_review
  schedule:
    - cron: '0 5 * * *'
-  workflow_dispatch:
-    inputs:
-      go-version:
-        type: string
-        description: The version of Go to install
-        required: false
-        default: '>=1.21.0'
-  workflow_call:
-    inputs:
-      go-version:
-        type: string
-        description: The version of Go to install
-        required: false
-        default: '>=1.21.0'
+  workflow_dispatch: {}
 jobs:
  multi-language-autodetect:
    strategy:
-      fail-fast: false
      matrix:
        include:
-          - os: macos-latest
-            version: stable-v2.17.6
          - os: ubuntu-latest
-            version: stable-v2.17.6
+            version: stable-20221211
          - os: macos-latest
-            version: stable-v2.18.4
+            version: stable-20221211
          - os: ubuntu-latest
-            version: stable-v2.18.4
+            version: stable-20230418
          - os: macos-latest
-            version: stable-v2.19.4
+            version: stable-20230418
          - os: ubuntu-latest
-            version: stable-v2.19.4
+            version: stable-v2.13.5
          - os: macos-latest
-            version: stable-v2.20.7
+            version: stable-v2.13.5
          - os: ubuntu-latest
-            version: stable-v2.20.7
+            version: stable-v2.14.6
          - os: macos-latest
-            version: stable-v2.21.4
-          - os: ubuntu-latest
-            version: stable-v2.21.4
-          - os: macos-latest
-            version: default
+            version: stable-v2.14.6
          - os: ubuntu-latest
            version: default
          - os: macos-latest
-            version: linked
+            version: default
          - os: ubuntu-latest
-            version: linked
+            version: latest
          - os: macos-latest
+            version: latest
+          - os: ubuntu-latest
            version: nightly-latest
-          - os: ubuntu-latest
+          - os: macos-latest
            version: nightly-latest
    name: Multi-language repository
    permissions:
      contents: read
-      security-events: read
+      security-events: write
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
+      - name: Setup Python on MacOS
+        uses: actions/setup-python@v5
+        if: >-
+          matrix.os == 'macos-latest' && (
+
+          matrix.version == 'stable-20221211' ||
+
+          matrix.version == 'stable-20230418' ||
+
+          matrix.version == 'stable-v2.13.5' ||
+
+          matrix.version == 'stable-v2.14.6')
+        with:
+          python-version: '3.11'
      - name: Check out repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v4
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
        with:
          version: ${{ matrix.version }}
          use-all-platform-bundle: 'false'
-          setup-kotlin: 'true'
-      - name: Install Go
-        uses: actions/setup-go@v5
-        with:
-          go-version: ${{ inputs.go-version || '>=1.21.0' }}
-          cache: false
+      - name: Set environment variable for Swift enablement
+        if: runner.os != 'Windows' && matrix.version == '20221211'
+        shell: bash
+        run: echo "CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT=true" >> $GITHUB_ENV
      - uses: ./../action/init
        id: init
        with:
          db-location: ${{ runner.temp }}/customDbLocation
-          languages: ${{ runner.os == 'Linux' && 'cpp,csharp,go,java,javascript,python,ruby'
-            || '' }}
          tools: ${{ steps.prepare-test.outputs.tools-url }}

      - uses: ./../action/.github/actions/setup-swift
-        if: runner.os == 'macOS'
        with:
          codeql-path: ${{ steps.init.outputs.codeql-path }}

@@ -154,8 +146,10 @@ jobs:
            exit 1
          fi

-      - name: Check language autodetect for Swift on macOS
-        if: runner.os == 'macOS'
+      - name: Check language autodetect for Swift
+        if: >-
+          env.CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT == 'true' ||
+              (runner.os != 'Windows' && matrix.version == 'nightly-latest')
        shell: bash
        run: |
          SWIFT_DB=${{ fromJson(steps.analysis.outputs.db-locations).swift }}
@@ -1,72 +0,0 @@
-# Warning: This file is generated automatically, and should not be modified.
-# Instead, please modify the template in the pr-checks directory and run:
-#     pr-checks/sync.sh
-# to regenerate this file.
-
-name: PR Check - Overlay database init fallback
-env:
-  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-  GO111MODULE: auto
-on:
-  push:
-    branches:
-      - main
-      - releases/v*
-  pull_request:
-    types:
-      - opened
-      - synchronize
-      - reopened
-      - ready_for_review
-  schedule:
-    - cron: '0 5 * * *'
-  workflow_dispatch:
-    inputs: {}
-  workflow_call:
-    inputs: {}
-jobs:
-  overlay-init-fallback:
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - os: ubuntu-latest
-            version: linked
-          - os: ubuntu-latest
-            version: nightly-latest
-    name: Overlay database init fallback
-    permissions:
-      contents: read
-      security-events: read
-    timeout-minutes: 45
-    runs-on: ${{ matrix.os }}
-    steps:
-      - name: Check out repository
-        uses: actions/checkout@v5
-      - name: Prepare test
-        id: prepare-test
-        uses: ./.github/actions/prepare-test
-        with:
-          version: ${{ matrix.version }}
-          use-all-platform-bundle: 'false'
-          setup-kotlin: 'true'
-      - uses: ./../action/init
-        with:
-          languages: actions # Any language without overlay support will do
-          tools: ${{ steps.prepare-test.outputs.tools-url }}
-        env:
-          CODEQL_OVERLAY_DATABASE_MODE: overlay-base
-      - uses: ./../action/analyze
-        id: analysis
-        with:
-          upload-database: false
-      - name: Check database
-        shell: bash
-        run: |
-          cd "$RUNNER_TEMP/codeql_databases/actions"
-          if ! grep -q 'overlayBaseDatabase: false' codeql-database.yml ; then
-            echo "This test needs to be updated to use a non-overlay language."
-            exit 1
-          fi
-    env:
-      CODEQL_ACTION_TEST_MODE: true
@@ -1,12 +1,13 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     pr-checks/sync.sh
+#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
 # to regenerate this file.

 name: 'PR Check - Packaging: Config and input passed to the CLI'
 env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  GO111MODULE: auto
+  CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true'
 on:
  push:
    branches:
@@ -20,65 +21,63 @@ on:
      - ready_for_review
  schedule:
    - cron: '0 5 * * *'
-  workflow_dispatch:
-    inputs:
-      go-version:
-        type: string
-        description: The version of Go to install
-        required: false
-        default: '>=1.21.0'
-  workflow_call:
-    inputs:
-      go-version:
-        type: string
-        description: The version of Go to install
-        required: false
-        default: '>=1.21.0'
+  workflow_dispatch: {}
 jobs:
  packaging-codescanning-config-inputs-js:
    strategy:
-      fail-fast: false
      matrix:
        include:
          - os: ubuntu-latest
-            version: linked
+            version: latest
          - os: macos-latest
-            version: linked
-          - os: windows-2025
-            version: linked
+            version: latest
+          - os: windows-latest
+            version: latest
          - os: ubuntu-latest
            version: default
          - os: macos-latest
            version: default
-          - os: windows-2025
+          - os: windows-latest
            version: default
          - os: ubuntu-latest
            version: nightly-latest
          - os: macos-latest
            version: nightly-latest
-          - os: windows-2025
+          - os: windows-latest
            version: nightly-latest
    name: 'Packaging: Config and input passed to the CLI'
    permissions:
      contents: read
-      security-events: read
+      security-events: write
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
+      - name: Setup Python on MacOS
+        uses: actions/setup-python@v5
+        if: >-
+          matrix.os == 'macos-latest' && (
+
+          matrix.version == 'stable-20221211' ||
+
+          matrix.version == 'stable-20230418' ||
+
+          matrix.version == 'stable-v2.13.5' ||
+
+          matrix.version == 'stable-v2.14.6')
+        with:
+          python-version: '3.11'
      - name: Check out repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v4
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
        with:
          version: ${{ matrix.version }}
          use-all-platform-bundle: 'false'
-          setup-kotlin: 'true'
-      - name: Install Go
-        uses: actions/setup-go@v5
-        with:
-          go-version: ${{ inputs.go-version || '>=1.21.0' }}
-          cache: false
+      - name: Set environment variable for Swift enablement
+        if: runner.os != 'Windows' && matrix.version == '20221211'
+        shell: bash
+        run: echo "CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT=true" >> $GITHUB_ENV
      - uses: ./../action/init
        with:
          config-file: .github/codeql/codeql-config-packaging3.yml
@@ -97,7 +96,7 @@ jobs:
        uses: ./../action/.github/actions/check-sarif
        with:
          sarif-file: ${{ runner.temp }}/results/javascript.sarif
-          queries-run:
+          queries-run: 
            javascript/example/empty-or-one-block,javascript/example/empty-or-one-block,javascript/example/other-query-block,javascript/example/two-block
          queries-not-run: foo,bar

@@ -1,12 +1,13 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     pr-checks/sync.sh
+#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
 # to regenerate this file.

 name: 'PR Check - Packaging: Config and input'
 env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  GO111MODULE: auto
+  CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true'
 on:
  push:
    branches:
@@ -20,65 +21,63 @@ on:
      - ready_for_review
  schedule:
    - cron: '0 5 * * *'
-  workflow_dispatch:
-    inputs:
-      go-version:
-        type: string
-        description: The version of Go to install
-        required: false
-        default: '>=1.21.0'
-  workflow_call:
-    inputs:
-      go-version:
-        type: string
-        description: The version of Go to install
-        required: false
-        default: '>=1.21.0'
+  workflow_dispatch: {}
 jobs:
  packaging-config-inputs-js:
    strategy:
-      fail-fast: false
      matrix:
        include:
          - os: ubuntu-latest
-            version: linked
+            version: latest
          - os: macos-latest
-            version: linked
-          - os: windows-2025
-            version: linked
+            version: latest
+          - os: windows-latest
+            version: latest
          - os: ubuntu-latest
            version: default
          - os: macos-latest
            version: default
-          - os: windows-2025
+          - os: windows-latest
            version: default
          - os: ubuntu-latest
            version: nightly-latest
          - os: macos-latest
            version: nightly-latest
-          - os: windows-2025
+          - os: windows-latest
            version: nightly-latest
    name: 'Packaging: Config and input'
    permissions:
      contents: read
-      security-events: read
+      security-events: write
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
+      - name: Setup Python on MacOS
+        uses: actions/setup-python@v5
+        if: >-
+          matrix.os == 'macos-latest' && (
+
+          matrix.version == 'stable-20221211' ||
+
+          matrix.version == 'stable-20230418' ||
+
+          matrix.version == 'stable-v2.13.5' ||
+
+          matrix.version == 'stable-v2.14.6')
+        with:
+          python-version: '3.11'
      - name: Check out repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v4
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
        with:
          version: ${{ matrix.version }}
          use-all-platform-bundle: 'false'
-          setup-kotlin: 'true'
-      - name: Install Go
-        uses: actions/setup-go@v5
-        with:
-          go-version: ${{ inputs.go-version || '>=1.21.0' }}
-          cache: false
+      - name: Set environment variable for Swift enablement
+        if: runner.os != 'Windows' && matrix.version == '20221211'
+        shell: bash
+        run: echo "CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT=true" >> $GITHUB_ENV
      - uses: ./../action/init
        with:
          config-file: .github/codeql/codeql-config-packaging3.yml
@@ -97,7 +96,7 @@ jobs:
        uses: ./../action/.github/actions/check-sarif
        with:
          sarif-file: ${{ runner.temp }}/results/javascript.sarif
-          queries-run:
+          queries-run: 
            javascript/example/empty-or-one-block,javascript/example/empty-or-one-block,javascript/example/other-query-block,javascript/example/two-block
          queries-not-run: foo,bar

@@ -1,12 +1,13 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     pr-checks/sync.sh
+#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
 # to regenerate this file.

 name: 'PR Check - Packaging: Config file'
 env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  GO111MODULE: auto
+  CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true'
 on:
  push:
    branches:
@@ -20,65 +21,63 @@ on:
      - ready_for_review
  schedule:
    - cron: '0 5 * * *'
-  workflow_dispatch:
-    inputs:
-      go-version:
-        type: string
-        description: The version of Go to install
-        required: false
-        default: '>=1.21.0'
-  workflow_call:
-    inputs:
-      go-version:
-        type: string
-        description: The version of Go to install
-        required: false
-        default: '>=1.21.0'
+  workflow_dispatch: {}
 jobs:
  packaging-config-js:
    strategy:
-      fail-fast: false
      matrix:
        include:
          - os: ubuntu-latest
-            version: linked
+            version: latest
          - os: macos-latest
-            version: linked
-          - os: windows-2025
-            version: linked
+            version: latest
+          - os: windows-latest
+            version: latest
          - os: ubuntu-latest
            version: default
          - os: macos-latest
            version: default
-          - os: windows-2025
+          - os: windows-latest
            version: default
          - os: ubuntu-latest
            version: nightly-latest
          - os: macos-latest
            version: nightly-latest
-          - os: windows-2025
+          - os: windows-latest
            version: nightly-latest
    name: 'Packaging: Config file'
    permissions:
      contents: read
-      security-events: read
+      security-events: write
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
+      - name: Setup Python on MacOS
+        uses: actions/setup-python@v5
+        if: >-
+          matrix.os == 'macos-latest' && (
+
+          matrix.version == 'stable-20221211' ||
+
+          matrix.version == 'stable-20230418' ||
+
+          matrix.version == 'stable-v2.13.5' ||
+
+          matrix.version == 'stable-v2.14.6')
+        with:
+          python-version: '3.11'
      - name: Check out repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v4
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
        with:
          version: ${{ matrix.version }}
          use-all-platform-bundle: 'false'
-          setup-kotlin: 'true'
-      - name: Install Go
-        uses: actions/setup-go@v5
-        with:
-          go-version: ${{ inputs.go-version || '>=1.21.0' }}
-          cache: false
+      - name: Set environment variable for Swift enablement
+        if: runner.os != 'Windows' && matrix.version == '20221211'
+        shell: bash
+        run: echo "CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT=true" >> $GITHUB_ENV
      - uses: ./../action/init
        with:
          config-file: .github/codeql/codeql-config-packaging.yml
@@ -96,7 +95,7 @@ jobs:
        uses: ./../action/.github/actions/check-sarif
        with:
          sarif-file: ${{ runner.temp }}/results/javascript.sarif
-          queries-run:
+          queries-run: 
            javascript/example/empty-or-one-block,javascript/example/empty-or-one-block,javascript/example/other-query-block,javascript/example/two-block
          queries-not-run: foo,bar

@@ -1,12 +1,13 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     pr-checks/sync.sh
+#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
 # to regenerate this file.

 name: 'PR Check - Packaging: Action input'
 env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  GO111MODULE: auto
+  CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true'
 on:
  push:
    branches:
@@ -20,65 +21,63 @@ on:
      - ready_for_review
  schedule:
    - cron: '0 5 * * *'
-  workflow_dispatch:
-    inputs:
-      go-version:
-        type: string
-        description: The version of Go to install
-        required: false
-        default: '>=1.21.0'
-  workflow_call:
-    inputs:
-      go-version:
-        type: string
-        description: The version of Go to install
-        required: false
-        default: '>=1.21.0'
+  workflow_dispatch: {}
 jobs:
  packaging-inputs-js:
    strategy:
-      fail-fast: false
      matrix:
        include:
          - os: ubuntu-latest
-            version: linked
+            version: latest
          - os: macos-latest
-            version: linked
-          - os: windows-2025
-            version: linked
+            version: latest
+          - os: windows-latest
+            version: latest
          - os: ubuntu-latest
            version: default
          - os: macos-latest
            version: default
-          - os: windows-2025
+          - os: windows-latest
            version: default
          - os: ubuntu-latest
            version: nightly-latest
          - os: macos-latest
            version: nightly-latest
-          - os: windows-2025
+          - os: windows-latest
            version: nightly-latest
    name: 'Packaging: Action input'
    permissions:
      contents: read
-      security-events: read
+      security-events: write
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
+      - name: Setup Python on MacOS
+        uses: actions/setup-python@v5
+        if: >-
+          matrix.os == 'macos-latest' && (
+
+          matrix.version == 'stable-20221211' ||
+
+          matrix.version == 'stable-20230418' ||
+
+          matrix.version == 'stable-v2.13.5' ||
+
+          matrix.version == 'stable-v2.14.6')
+        with:
+          python-version: '3.11'
      - name: Check out repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v4
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
        with:
          version: ${{ matrix.version }}
          use-all-platform-bundle: 'false'
-          setup-kotlin: 'true'
-      - name: Install Go
-        uses: actions/setup-go@v5
-        with:
-          go-version: ${{ inputs.go-version || '>=1.21.0' }}
-          cache: false
+      - name: Set environment variable for Swift enablement
+        if: runner.os != 'Windows' && matrix.version == '20221211'
+        shell: bash
+        run: echo "CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT=true" >> $GITHUB_ENV
      - uses: ./../action/init
        with:
          config-file: .github/codeql/codeql-config-packaging2.yml
@@ -96,7 +95,7 @@ jobs:
        uses: ./../action/.github/actions/check-sarif
        with:
          sarif-file: ${{ runner.temp }}/results/javascript.sarif
-          queries-run:
+          queries-run: 
            javascript/example/empty-or-one-block,javascript/example/empty-or-one-block,javascript/example/other-query-block,javascript/example/two-block
          queries-not-run: foo,bar

@@ -1,120 +0,0 @@
-# Warning: This file is generated automatically, and should not be modified.
-# Instead, please modify the template in the pr-checks directory and run:
-#     pr-checks/sync.sh
-# to regenerate this file.
-
-name: PR Check - Quality queries input
-env:
-  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-  GO111MODULE: auto
-on:
-  push:
-    branches:
-      - main
-      - releases/v*
-  pull_request:
-    types:
-      - opened
-      - synchronize
-      - reopened
-      - ready_for_review
-  schedule:
-    - cron: '0 5 * * *'
-  workflow_dispatch:
-    inputs: {}
-  workflow_call:
-    inputs: {}
-jobs:
-  quality-queries:
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - os: ubuntu-latest
-            version: linked
-          - os: macos-latest
-            version: linked
-          - os: windows-2025
-            version: linked
-          - os: ubuntu-latest
-            version: nightly-latest
-          - os: macos-latest
-            version: nightly-latest
-          - os: windows-2025
-            version: nightly-latest
-    name: Quality queries input
-    permissions:
-      contents: read
-      security-events: read
-    timeout-minutes: 45
-    runs-on: ${{ matrix.os }}
-    steps:
-      - name: Check out repository
-        uses: actions/checkout@v5
-      - name: Prepare test
-        id: prepare-test
-        uses: ./.github/actions/prepare-test
-        with:
-          version: ${{ matrix.version }}
-          use-all-platform-bundle: 'false'
-          setup-kotlin: 'true'
-      - uses: ./../action/init
-        with:
-          languages: javascript
-          quality-queries: code-quality
-          tools: ${{ steps.prepare-test.outputs.tools-url }}
-      - uses: ./../action/analyze
-        with:
-          output: ${{ runner.temp }}/results
-          upload-database: false
-      - name: Upload security SARIF
-        uses: actions/upload-artifact@v4
-        with:
-          name: quality-queries-${{ matrix.os }}-${{ matrix.version }}.sarif.json
-          path: ${{ runner.temp }}/results/javascript.sarif
-          retention-days: 7
-      - name: Upload quality SARIF
-        uses: actions/upload-artifact@v4
-        with:
-          name: quality-queries-${{ matrix.os }}-${{ matrix.version }}.quality.sarif.json
-          path: ${{ runner.temp }}/results/javascript.quality.sarif
-          retention-days: 7
-      - name: Check quality query does not appear in security SARIF
-        uses: actions/github-script@v7
-        env:
-          SARIF_PATH: ${{ runner.temp }}/results/javascript.sarif
-          EXPECT_PRESENT: 'false'
-        with:
-          script: ${{ env.CHECK_SCRIPT }}
-      - name: Check quality query appears in quality SARIF
-        uses: actions/github-script@v7
-        env:
-          SARIF_PATH: ${{ runner.temp }}/results/javascript.quality.sarif
-          EXPECT_PRESENT: 'true'
-        with:
-          script: ${{ env.CHECK_SCRIPT }}
-    env:
-      CHECK_SCRIPT: |
-        const fs = require('fs');
-
-        const sarif = JSON.parse(fs.readFileSync(process.env['SARIF_PATH'], 'utf8'));
-        const expectPresent = JSON.parse(process.env['EXPECT_PRESENT']);
-        const run = sarif.runs[0];
-        const extensions = run.tool.extensions;
-
-        if (extensions === undefined) {
-          core.setFailed('`extensions` property not found in the SARIF run property bag.');
-        }
-
-        // ID of a query we want to check the presence for
-        const targetId = 'js/regex/always-matches';
-        const found = extensions.find(extension => extension.rules && extension.rules.find(rule => rule.id === targetId));
-
-        if (found && expectPresent) {
-          console.log(`Found rule with id '${targetId}'.`);
-        } else if (!found && !expectPresent) {
-          console.log(`Rule with id '${targetId}' was not found.`);
-        } else {
-          core.setFailed(`${ found ? "Found" : "Didn't find" } rule ${targetId}`);
-        }
-      CODEQL_ACTION_TEST_MODE: true
@@ -1,12 +1,13 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     pr-checks/sync.sh
+#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
 # to regenerate this file.

 name: PR Check - Remote config file
 env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  GO111MODULE: auto
+  CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true'
 on:
  push:
    branches:
@@ -20,51 +21,87 @@ on:
      - ready_for_review
  schedule:
    - cron: '0 5 * * *'
-  workflow_dispatch:
-    inputs:
-      go-version:
-        type: string
-        description: The version of Go to install
-        required: false
-        default: '>=1.21.0'
-  workflow_call:
-    inputs:
-      go-version:
-        type: string
-        description: The version of Go to install
-        required: false
-        default: '>=1.21.0'
+  workflow_dispatch: {}
 jobs:
  remote-config:
    strategy:
-      fail-fast: false
      matrix:
        include:
          - os: ubuntu-latest
-            version: linked
+            version: stable-20221211
+          - os: macos-latest
+            version: stable-20221211
+          - os: windows-latest
+            version: stable-20221211
          - os: ubuntu-latest
+            version: stable-20230418
+          - os: macos-latest
+            version: stable-20230418
+          - os: windows-latest
+            version: stable-20230418
+          - os: ubuntu-latest
+            version: stable-v2.13.5
+          - os: macos-latest
+            version: stable-v2.13.5
+          - os: windows-latest
+            version: stable-v2.13.5
+          - os: ubuntu-latest
+            version: stable-v2.14.6
+          - os: macos-latest
+            version: stable-v2.14.6
+          - os: windows-latest
+            version: stable-v2.14.6
+          - os: ubuntu-latest
+            version: default
+          - os: macos-latest
+            version: default
+          - os: windows-latest
+            version: default
+          - os: ubuntu-latest
+            version: latest
+          - os: macos-latest
+            version: latest
+          - os: windows-latest
+            version: latest
+          - os: ubuntu-latest
+            version: nightly-latest
+          - os: macos-latest
+            version: nightly-latest
+          - os: windows-latest
            version: nightly-latest
    name: Remote config file
    permissions:
      contents: read
-      security-events: read
+      security-events: write
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
+      - name: Setup Python on MacOS
+        uses: actions/setup-python@v5
+        if: >-
+          matrix.os == 'macos-latest' && (
+
+          matrix.version == 'stable-20221211' ||
+
+          matrix.version == 'stable-20230418' ||
+
+          matrix.version == 'stable-v2.13.5' ||
+
+          matrix.version == 'stable-v2.14.6')
+        with:
+          python-version: '3.11'
      - name: Check out repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v4
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
        with:
          version: ${{ matrix.version }}
          use-all-platform-bundle: 'false'
-          setup-kotlin: 'true'
-      - name: Install Go
-        uses: actions/setup-go@v5
-        with:
-          go-version: ${{ inputs.go-version || '>=1.21.0' }}
-          cache: false
+      - name: Set environment variable for Swift enablement
+        if: runner.os != 'Windows' && matrix.version == '20221211'
+        shell: bash
+        run: echo "CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT=true" >> $GITHUB_ENV
      - uses: ./../action/init
        with:
          tools: ${{ steps.prepare-test.outputs.tools-url }}
@@ -1,12 +1,13 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     pr-checks/sync.sh
+#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
 # to regenerate this file.

 name: PR Check - Resolve environment
 env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  GO111MODULE: auto
+  CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true'
 on:
  push:
    branches:
@@ -20,53 +21,73 @@ on:
      - ready_for_review
  schedule:
    - cron: '0 5 * * *'
-  workflow_dispatch:
-    inputs: {}
-  workflow_call:
-    inputs: {}
+  workflow_dispatch: {}
 jobs:
  resolve-environment-action:
    strategy:
-      fail-fast: false
      matrix:
        include:
+          - os: ubuntu-latest
+            version: stable-v2.13.4
+          - os: macos-latest
+            version: stable-v2.13.4
+          - os: windows-latest
+            version: stable-v2.13.4
          - os: ubuntu-latest
            version: default
          - os: macos-latest
            version: default
-          - os: windows-2025
+          - os: windows-latest
            version: default
          - os: ubuntu-latest
-            version: linked
+            version: latest
          - os: macos-latest
-            version: linked
-          - os: windows-2025
-            version: linked
+            version: latest
+          - os: windows-latest
+            version: latest
          - os: ubuntu-latest
            version: nightly-latest
          - os: macos-latest
            version: nightly-latest
-          - os: windows-2025
+          - os: windows-latest
            version: nightly-latest
    name: Resolve environment
    permissions:
      contents: read
-      security-events: read
+      security-events: write
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
+      - name: Setup Python on MacOS
+        uses: actions/setup-python@v5
+        if: >-
+          matrix.os == 'macos-latest' && (
+
+          matrix.version == 'stable-20221211' ||
+
+          matrix.version == 'stable-20230418' ||
+
+          matrix.version == 'stable-v2.13.5' ||
+
+          matrix.version == 'stable-v2.14.6')
+        with:
+          python-version: '3.11'
      - name: Check out repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v4
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
        with:
          version: ${{ matrix.version }}
          use-all-platform-bundle: 'false'
-          setup-kotlin: 'true'
+      - name: Set environment variable for Swift enablement
+        if: runner.os != 'Windows' && matrix.version == '20221211'
+        shell: bash
+        run: echo "CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT=true" >> $GITHUB_ENV
      - uses: ./../action/init
        with:
-          languages: go,javascript-typescript
+          languages: ${{ matrix.version == 'stable-v2.13.4' && 'go' || 'go,javascript-typescript'
+            }}
          tools: ${{ steps.prepare-test.outputs.tools-url }}

      - name: Resolve environment for Go
@@ -80,13 +101,14 @@ jobs:
        run: exit 1

      - name: Resolve environment for JavaScript/TypeScript
+        if: matrix.version != 'stable-v2.13.4'
        uses: ./../action/resolve-environment
        id: resolve-environment-js
        with:
          language: javascript-typescript

      - name: Fail if JavaScript/TypeScript configuration present
-        if:
+        if: matrix.version != 'stable-v2.13.4' && 
          fromJSON(steps.resolve-environment-js.outputs.environment).configuration.javascript
        run: exit 1
    env:
@@ -1,12 +1,13 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     pr-checks/sync.sh
+#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
 # to regenerate this file.

 name: PR Check - RuboCop multi-language
 env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  GO111MODULE: auto
+  CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true'
 on:
  push:
    branches:
@@ -20,14 +21,10 @@ on:
      - ready_for_review
  schedule:
    - cron: '0 5 * * *'
-  workflow_dispatch:
-    inputs: {}
-  workflow_call:
-    inputs: {}
+  workflow_dispatch: {}
 jobs:
  rubocop-multi-language:
    strategy:
-      fail-fast: false
      matrix:
        include:
          - os: ubuntu-latest
@@ -35,21 +32,38 @@ jobs:
    name: RuboCop multi-language
    permissions:
      contents: read
-      security-events: read
+      security-events: write
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
+      - name: Setup Python on MacOS
+        uses: actions/setup-python@v5
+        if: >-
+          matrix.os == 'macos-latest' && (
+
+          matrix.version == 'stable-20221211' ||
+
+          matrix.version == 'stable-20230418' ||
+
+          matrix.version == 'stable-v2.13.5' ||
+
+          matrix.version == 'stable-v2.14.6')
+        with:
+          python-version: '3.11'
      - name: Check out repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v4
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
        with:
          version: ${{ matrix.version }}
          use-all-platform-bundle: 'false'
-          setup-kotlin: 'true'
+      - name: Set environment variable for Swift enablement
+        if: runner.os != 'Windows' && matrix.version == '20221211'
+        shell: bash
+        run: echo "CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT=true" >> $GITHUB_ENV
      - name: Set up Ruby
-        uses: ruby/setup-ruby@2a7b30092b0caf9c046252510f9273b4875f3db9 # v1.254.0
+        uses: ruby/setup-ruby@v1
        with:
          ruby-version: 2.6
      - name: Install Code Scanning integration
@@ -1,12 +1,13 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     pr-checks/sync.sh
+#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
 # to regenerate this file.

 name: PR Check - Ruby analysis
 env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  GO111MODULE: auto
+  CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true'
 on:
  push:
    branches:
@@ -20,20 +21,16 @@ on:
      - ready_for_review
  schedule:
    - cron: '0 5 * * *'
-  workflow_dispatch:
-    inputs: {}
-  workflow_call:
-    inputs: {}
+  workflow_dispatch: {}
 jobs:
  ruby:
    strategy:
-      fail-fast: false
      matrix:
        include:
          - os: ubuntu-latest
-            version: linked
+            version: latest
          - os: macos-latest
-            version: linked
+            version: latest
          - os: ubuntu-latest
            version: default
          - os: macos-latest
@@ -45,19 +42,36 @@ jobs:
    name: Ruby analysis
    permissions:
      contents: read
-      security-events: read
+      security-events: write
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
+      - name: Setup Python on MacOS
+        uses: actions/setup-python@v5
+        if: >-
+          matrix.os == 'macos-latest' && (
+
+          matrix.version == 'stable-20221211' ||
+
+          matrix.version == 'stable-20230418' ||
+
+          matrix.version == 'stable-v2.13.5' ||
+
+          matrix.version == 'stable-v2.14.6')
+        with:
+          python-version: '3.11'
      - name: Check out repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v4
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
        with:
          version: ${{ matrix.version }}
          use-all-platform-bundle: 'false'
-          setup-kotlin: 'true'
+      - name: Set environment variable for Swift enablement
+        if: runner.os != 'Windows' && matrix.version == '20221211'
+        shell: bash
+        run: echo "CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT=true" >> $GITHUB_ENV
      - uses: ./../action/init
        with:
          languages: ruby
@@ -1,76 +0,0 @@
-# Warning: This file is generated automatically, and should not be modified.
-# Instead, please modify the template in the pr-checks directory and run:
-#     pr-checks/sync.sh
-# to regenerate this file.
-
-name: PR Check - Rust analysis
-env:
-  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-  GO111MODULE: auto
-on:
-  push:
-    branches:
-      - main
-      - releases/v*
-  pull_request:
-    types:
-      - opened
-      - synchronize
-      - reopened
-      - ready_for_review
-  schedule:
-    - cron: '0 5 * * *'
-  workflow_dispatch:
-    inputs: {}
-  workflow_call:
-    inputs: {}
-jobs:
-  rust:
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - os: ubuntu-latest
-            version: stable-v2.19.3
-          - os: ubuntu-latest
-            version: stable-v2.22.1
-          - os: ubuntu-latest
-            version: linked
-          - os: ubuntu-latest
-            version: default
-          - os: ubuntu-latest
-            version: nightly-latest
-    name: Rust analysis
-    permissions:
-      contents: read
-      security-events: read
-    timeout-minutes: 45
-    runs-on: ${{ matrix.os }}
-    steps:
-      - name: Check out repository
-        uses: actions/checkout@v5
-      - name: Prepare test
-        id: prepare-test
-        uses: ./.github/actions/prepare-test
-        with:
-          version: ${{ matrix.version }}
-          use-all-platform-bundle: 'false'
-          setup-kotlin: 'true'
-      - uses: ./../action/init
-        with:
-          languages: rust
-          tools: ${{ steps.prepare-test.outputs.tools-url }}
-      - uses: ./../action/analyze
-        id: analysis
-        with:
-          upload-database: false
-      - name: Check database
-        shell: bash
-        run: |
-          RUST_DB="${{ fromJson(steps.analysis.outputs.db-locations).rust }}"
-          if [[ ! -d "$RUST_DB" ]]; then
-            echo "Did not create a database for Rust."
-            exit 1
-          fi
-    env:
-      CODEQL_ACTION_TEST_MODE: true
@@ -0,0 +1,111 @@
+# Warning: This file is generated automatically, and should not be modified.
+# Instead, please modify the template in the pr-checks directory and run:
+#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
+# to regenerate this file.
+
+name: PR Check - Scaling reserved RAM
+env:
+  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+  GO111MODULE: auto
+  CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true'
+on:
+  push:
+    branches:
+      - main
+      - releases/v*
+  pull_request:
+    types:
+      - opened
+      - synchronize
+      - reopened
+      - ready_for_review
+  schedule:
+    - cron: '0 5 * * *'
+  workflow_dispatch: {}
+jobs:
+  scaling-reserved-ram:
+    strategy:
+      matrix:
+        include:
+          - os: ubuntu-latest
+            version: stable-20221211
+          - os: macos-latest
+            version: stable-20221211
+          - os: ubuntu-latest
+            version: stable-20230418
+          - os: macos-latest
+            version: stable-20230418
+          - os: ubuntu-latest
+            version: stable-v2.13.5
+          - os: macos-latest
+            version: stable-v2.13.5
+          - os: ubuntu-latest
+            version: stable-v2.14.6
+          - os: macos-latest
+            version: stable-v2.14.6
+          - os: ubuntu-latest
+            version: default
+          - os: macos-latest
+            version: default
+          - os: ubuntu-latest
+            version: latest
+          - os: macos-latest
+            version: latest
+          - os: ubuntu-latest
+            version: nightly-latest
+          - os: macos-latest
+            version: nightly-latest
+    name: Scaling reserved RAM
+    permissions:
+      contents: read
+      security-events: write
+    timeout-minutes: 45
+    runs-on: ${{ matrix.os }}
+    steps:
+      - name: Setup Python on MacOS
+        uses: actions/setup-python@v5
+        if: >-
+          matrix.os == 'macos-latest' && (
+
+          matrix.version == 'stable-20221211' ||
+
+          matrix.version == 'stable-20230418' ||
+
+          matrix.version == 'stable-v2.13.5' ||
+
+          matrix.version == 'stable-v2.14.6')
+        with:
+          python-version: '3.11'
+      - name: Check out repository
+        uses: actions/checkout@v4
+      - name: Prepare test
+        id: prepare-test
+        uses: ./.github/actions/prepare-test
+        with:
+          version: ${{ matrix.version }}
+          use-all-platform-bundle: 'false'
+      - name: Set environment variable for Swift enablement
+        if: runner.os != 'Windows' && matrix.version == '20221211'
+        shell: bash
+        run: echo "CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT=true" >> $GITHUB_ENV
+      - uses: ./../action/init
+        id: init
+        with:
+          db-location: ${{ runner.temp }}/customDbLocation
+          tools: ${{ steps.prepare-test.outputs.tools-url }}
+
+      - uses: ./../action/.github/actions/setup-swift
+        with:
+          codeql-path: ${{ steps.init.outputs.codeql-path }}
+
+      - name: Build code
+        shell: bash
+        run: ./build.sh
+
+      - uses: ./../action/analyze
+        id: analysis
+        with:
+          upload-database: false
+    env:
+      CODEQL_ACTION_SCALING_RESERVED_RAM: true
+      CODEQL_ACTION_TEST_MODE: true
@@ -1,12 +1,13 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     pr-checks/sync.sh
+#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
 # to regenerate this file.

 name: PR Check - Split workflow
 env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  GO111MODULE: auto
+  CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true'
 on:
  push:
    branches:
@@ -20,30 +21,16 @@ on:
      - ready_for_review
  schedule:
    - cron: '0 5 * * *'
-  workflow_dispatch:
-    inputs:
-      go-version:
-        type: string
-        description: The version of Go to install
-        required: false
-        default: '>=1.21.0'
-  workflow_call:
-    inputs:
-      go-version:
-        type: string
-        description: The version of Go to install
-        required: false
-        default: '>=1.21.0'
+  workflow_dispatch: {}
 jobs:
  split-workflow:
    strategy:
-      fail-fast: false
      matrix:
        include:
          - os: ubuntu-latest
-            version: linked
+            version: latest
          - os: macos-latest
-            version: linked
+            version: latest
          - os: ubuntu-latest
            version: default
          - os: macos-latest
@@ -55,24 +42,36 @@ jobs:
    name: Split workflow
    permissions:
      contents: read
-      security-events: read
+      security-events: write
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
+      - name: Setup Python on MacOS
+        uses: actions/setup-python@v5
+        if: >-
+          matrix.os == 'macos-latest' && (
+
+          matrix.version == 'stable-20221211' ||
+
+          matrix.version == 'stable-20230418' ||
+
+          matrix.version == 'stable-v2.13.5' ||
+
+          matrix.version == 'stable-v2.14.6')
+        with:
+          python-version: '3.11'
      - name: Check out repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v4
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
        with:
          version: ${{ matrix.version }}
          use-all-platform-bundle: 'false'
-          setup-kotlin: 'true'
-      - name: Install Go
-        uses: actions/setup-go@v5
-        with:
-          go-version: ${{ inputs.go-version || '>=1.21.0' }}
-          cache: false
+      - name: Set environment variable for Swift enablement
+        if: runner.os != 'Windows' && matrix.version == '20221211'
+        shell: bash
+        run: echo "CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT=true" >> $GITHUB_ENV
      - uses: ./../action/init
        with:
          config-file: .github/codeql/codeql-config-packaging3.yml
@@ -1,78 +0,0 @@
-# Warning: This file is generated automatically, and should not be modified.
-# Instead, please modify the template in the pr-checks directory and run:
-#     pr-checks/sync.sh
-# to regenerate this file.
-
-name: PR Check - Start proxy
-env:
-  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-  GO111MODULE: auto
-on:
-  push:
-    branches:
-      - main
-      - releases/v*
-  pull_request:
-    types:
-      - opened
-      - synchronize
-      - reopened
-      - ready_for_review
-  schedule:
-    - cron: '0 5 * * *'
-  workflow_dispatch:
-    inputs: {}
-  workflow_call:
-    inputs: {}
-jobs:
-  start-proxy:
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - os: ubuntu-latest
-            version: linked
-          - os: macos-latest
-            version: linked
-          - os: windows-2025
-            version: linked
-    name: Start proxy
-    permissions:
-      contents: read
-      security-events: read
-    timeout-minutes: 45
-    runs-on: ${{ matrix.os }}
-    steps:
-      - name: Check out repository
-        uses: actions/checkout@v5
-      - name: Prepare test
-        id: prepare-test
-        uses: ./.github/actions/prepare-test
-        with:
-          version: ${{ matrix.version }}
-          use-all-platform-bundle: 'false'
-          setup-kotlin: 'true'
-      - uses: ./../action/init
-        with:
-          languages: csharp
-          tools: ${{ steps.prepare-test.outputs.tools-url }}
-
-      - name: Setup proxy for registries
-        id: proxy
-        uses: ./../action/start-proxy
-        with:
-          registry_secrets: '[{ "type": "nuget_feed", "url": "https://api.nuget.org/v3/index.json"
-            }]'
-
-      - name: Print proxy outputs
-        run: |
-          echo "${{ steps.proxy.outputs.proxy_host }}"
-          echo "${{ steps.proxy.outputs.proxy_port }}"
-          echo "${{ steps.proxy.outputs.proxy_urls }}"
-
-      - name: Fail if proxy outputs are not set
-        if: (!steps.proxy.outputs.proxy_host) || (!steps.proxy.outputs.proxy_port)
-          || (!steps.proxy.outputs.proxy_ca_certificate) || (!steps.proxy.outputs.proxy_urls)
-        run: exit 1
-    env:
-      CODEQL_ACTION_TEST_MODE: true
@@ -1,12 +1,13 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     pr-checks/sync.sh
+#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
 # to regenerate this file.

 name: PR Check - Submit SARIF after failure
 env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  GO111MODULE: auto
+  CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true'
 on:
  push:
    branches:
@@ -20,18 +21,14 @@ on:
      - ready_for_review
  schedule:
    - cron: '0 5 * * *'
-  workflow_dispatch:
-    inputs: {}
-  workflow_call:
-    inputs: {}
+  workflow_dispatch: {}
 jobs:
  submit-sarif-failure:
    strategy:
-      fail-fast: false
      matrix:
        include:
          - os: ubuntu-latest
-            version: linked
+            version: latest
          - os: ubuntu-latest
            version: default
          - os: ubuntu-latest
@@ -39,25 +36,40 @@ jobs:
    name: Submit SARIF after failure
    permissions:
      contents: read
-      security-events: write # needed to upload the SARIF file
-
+      security-events: write
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
+      - name: Setup Python on MacOS
+        uses: actions/setup-python@v5
+        if: >-
+          matrix.os == 'macos-latest' && (
+
+          matrix.version == 'stable-20221211' ||
+
+          matrix.version == 'stable-20230418' ||
+
+          matrix.version == 'stable-v2.13.5' ||
+
+          matrix.version == 'stable-v2.14.6')
+        with:
+          python-version: '3.11'
      - name: Check out repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v4
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
        with:
          version: ${{ matrix.version }}
          use-all-platform-bundle: 'false'
-          setup-kotlin: 'true'
-      - uses: actions/checkout@v5
+      - name: Set environment variable for Swift enablement
+        if: runner.os != 'Windows' && matrix.version == '20221211'
+        shell: bash
+        run: echo "CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT=true" >> $GITHUB_ENV
+      - uses: actions/checkout@v4
      - uses: ./init
        with:
          languages: javascript
-          tools: ${{ steps.prepare-test.outputs.tools-url }}
      - name: Fail
    # We want this job to pass if the Action correctly uploads the SARIF file for
    # the failed run.
@@ -1,78 +0,0 @@
-# Warning: This file is generated automatically, and should not be modified.
-# Instead, please modify the template in the pr-checks directory and run:
-#     pr-checks/sync.sh
-# to regenerate this file.
-
-name: PR Check - Swift analysis using autobuild
-env:
-  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-  GO111MODULE: auto
-on:
-  push:
-    branches:
-      - main
-      - releases/v*
-  pull_request:
-    types:
-      - opened
-      - synchronize
-      - reopened
-      - ready_for_review
-  schedule:
-    - cron: '0 5 * * *'
-  workflow_dispatch:
-    inputs: {}
-  workflow_call:
-    inputs: {}
-jobs:
-  swift-autobuild:
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - os: macos-latest
-            version: nightly-latest
-    name: Swift analysis using autobuild
-    permissions:
-      contents: read
-      security-events: read
-    timeout-minutes: 45
-    runs-on: ${{ matrix.os }}
-    steps:
-      - name: Check out repository
-        uses: actions/checkout@v5
-      - name: Prepare test
-        id: prepare-test
-        uses: ./.github/actions/prepare-test
-        with:
-          version: ${{ matrix.version }}
-          use-all-platform-bundle: 'false'
-          setup-kotlin: 'true'
-      - uses: ./../action/init
-        id: init
-        with:
-          languages: swift
-          build-mode: autobuild
-          tools: ${{ steps.prepare-test.outputs.tools-url }}
-      - uses: ./../action/.github/actions/setup-swift
-        with:
-          codeql-path: ${{steps.init.outputs.codeql-path}}
-      - name: Check working directory
-        shell: bash
-        run: pwd
-      - uses: ./../action/autobuild
-        timeout-minutes: 30
-      - uses: ./../action/analyze
-        id: analysis
-        with:
-          upload-database: false
-      - name: Check database
-        shell: bash
-        run: |
-          SWIFT_DB="${{ fromJson(steps.analysis.outputs.db-locations).swift }}"
-          if [[ ! -d "$SWIFT_DB" ]]; then
-            echo "Did not create a database for Swift."
-            exit 1
-          fi
-    env:
-      CODEQL_ACTION_TEST_MODE: true
@@ -1,12 +1,13 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     pr-checks/sync.sh
+#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
 # to regenerate this file.

 name: PR Check - Swift analysis using a custom build command
 env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  GO111MODULE: auto
+  CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true'
 on:
  push:
    branches:
@@ -20,53 +21,57 @@ on:
      - ready_for_review
  schedule:
    - cron: '0 5 * * *'
-  workflow_dispatch:
-    inputs:
-      go-version:
-        type: string
-        description: The version of Go to install
-        required: false
-        default: '>=1.21.0'
-  workflow_call:
-    inputs:
-      go-version:
-        type: string
-        description: The version of Go to install
-        required: false
-        default: '>=1.21.0'
+  workflow_dispatch: {}
 jobs:
  swift-custom-build:
    strategy:
-      fail-fast: false
      matrix:
        include:
+          - os: ubuntu-latest
+            version: latest
          - os: macos-latest
-            version: linked
+            version: latest
+          - os: ubuntu-latest
+            version: default
          - os: macos-latest
            version: default
+          - os: ubuntu-latest
+            version: nightly-latest
          - os: macos-latest
            version: nightly-latest
    name: Swift analysis using a custom build command
    permissions:
      contents: read
-      security-events: read
+      security-events: write
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
+      - name: Setup Python on MacOS
+        uses: actions/setup-python@v5
+        if: >-
+          matrix.os == 'macos-latest' && (
+
+          matrix.version == 'stable-20221211' ||
+
+          matrix.version == 'stable-20230418' ||
+
+          matrix.version == 'stable-v2.13.5' ||
+
+          matrix.version == 'stable-v2.14.6')
+        with:
+          python-version: '3.11'
      - name: Check out repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v4
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
        with:
          version: ${{ matrix.version }}
          use-all-platform-bundle: 'false'
-          setup-kotlin: 'true'
-      - name: Install Go
-        uses: actions/setup-go@v5
-        with:
-          go-version: ${{ inputs.go-version || '>=1.21.0' }}
-          cache: false
+      - name: Set environment variable for Swift enablement
+        if: runner.os != 'Windows' && matrix.version == '20221211'
+        shell: bash
+        run: echo "CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT=true" >> $GITHUB_ENV
      - uses: ./../action/init
        id: init
        with:
@@ -1,12 +1,13 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     pr-checks/sync.sh
+#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
 # to regenerate this file.

 name: PR Check - Autobuild working directory
 env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  GO111MODULE: auto
+  CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true'
 on:
  push:
    branches:
@@ -20,34 +21,47 @@ on:
      - ready_for_review
  schedule:
    - cron: '0 5 * * *'
-  workflow_dispatch:
-    inputs: {}
-  workflow_call:
-    inputs: {}
+  workflow_dispatch: {}
 jobs:
  test-autobuild-working-dir:
    strategy:
-      fail-fast: false
      matrix:
        include:
          - os: ubuntu-latest
-            version: linked
+            version: latest
    name: Autobuild working directory
    permissions:
      contents: read
-      security-events: read
+      security-events: write
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
+      - name: Setup Python on MacOS
+        uses: actions/setup-python@v5
+        if: >-
+          matrix.os == 'macos-latest' && (
+
+          matrix.version == 'stable-20221211' ||
+
+          matrix.version == 'stable-20230418' ||
+
+          matrix.version == 'stable-v2.13.5' ||
+
+          matrix.version == 'stable-v2.14.6')
+        with:
+          python-version: '3.11'
      - name: Check out repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v4
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
        with:
          version: ${{ matrix.version }}
          use-all-platform-bundle: 'false'
-          setup-kotlin: 'true'
+      - name: Set environment variable for Swift enablement
+        if: runner.os != 'Windows' && matrix.version == '20221211'
+        shell: bash
+        run: echo "CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT=true" >> $GITHUB_ENV
      - name: Test setup
        shell: bash
        run: |
@@ -63,6 +77,8 @@ jobs:
        with:
          working-directory: autobuild-dir
      - uses: ./../action/analyze
+        with:
+          upload-database: false
      - name: Check database
        shell: bash
        run: |
@@ -1,12 +1,13 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     pr-checks/sync.sh
+#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
 # to regenerate this file.

 name: PR Check - Local CodeQL bundle
 env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  GO111MODULE: auto
+  CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true'
 on:
  push:
    branches:
@@ -20,24 +21,10 @@ on:
      - ready_for_review
  schedule:
    - cron: '0 5 * * *'
-  workflow_dispatch:
-    inputs:
-      go-version:
-        type: string
-        description: The version of Go to install
-        required: false
-        default: '>=1.21.0'
-  workflow_call:
-    inputs:
-      go-version:
-        type: string
-        description: The version of Go to install
-        required: false
-        default: '>=1.21.0'
+  workflow_dispatch: {}
 jobs:
  test-local-codeql:
    strategy:
-      fail-fast: false
      matrix:
        include:
          - os: ubuntu-latest
@@ -45,24 +32,36 @@ jobs:
    name: Local CodeQL bundle
    permissions:
      contents: read
-      security-events: read
+      security-events: write
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
+      - name: Setup Python on MacOS
+        uses: actions/setup-python@v5
+        if: >-
+          matrix.os == 'macos-latest' && (
+
+          matrix.version == 'stable-20221211' ||
+
+          matrix.version == 'stable-20230418' ||
+
+          matrix.version == 'stable-v2.13.5' ||
+
+          matrix.version == 'stable-v2.14.6')
+        with:
+          python-version: '3.11'
      - name: Check out repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v4
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
        with:
          version: ${{ matrix.version }}
          use-all-platform-bundle: 'false'
-          setup-kotlin: 'true'
-      - name: Install Go
-        uses: actions/setup-go@v5
-        with:
-          go-version: ${{ inputs.go-version || '>=1.21.0' }}
-          cache: false
+      - name: Set environment variable for Swift enablement
+        if: runner.os != 'Windows' && matrix.version == '20221211'
+        shell: bash
+        run: echo "CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT=true" >> $GITHUB_ENV
      - name: Fetch a CodeQL bundle
        shell: bash
        env:
@@ -72,12 +71,15 @@ jobs:
      - id: init
        uses: ./../action/init
        with:
-      # Swift is not supported on Ubuntu so we manually exclude it from the list here
-          languages: cpp,csharp,go,java,javascript,python,ruby
-          tools: ./codeql-bundle-linux64.tar.zst
+          tools: ./codeql-bundle-linux64.tar.gz
+      - uses: ./../action/.github/actions/setup-swift
+        with:
+          codeql-path: ${{ steps.init.outputs.codeql-path }}
      - name: Build code
        shell: bash
        run: ./build.sh
      - uses: ./../action/analyze
+        with:
+          upload-database: false
    env:
      CODEQL_ACTION_TEST_MODE: true
@@ -1,12 +1,13 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     pr-checks/sync.sh
+#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
 # to regenerate this file.

 name: PR Check - Proxy test
 env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  GO111MODULE: auto
+  CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true'
 on:
  push:
    branches:
@@ -20,58 +21,60 @@ on:
      - ready_for_review
  schedule:
    - cron: '0 5 * * *'
-  workflow_dispatch:
-    inputs: {}
-  workflow_call:
-    inputs: {}
+  workflow_dispatch: {}
 jobs:
  test-proxy:
    strategy:
-      fail-fast: false
      matrix:
        include:
          - os: ubuntu-latest
-            version: linked
-          - os: ubuntu-latest
-            version: nightly-latest
+            version: latest
    name: Proxy test
    permissions:
      contents: read
-      security-events: read
+      security-events: write
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
-  # These steps are required to initialise the `gh` cli in a container that doesn't
-  # come pre-installed with it. The reason for that is that this is later
-  # needed by the `prepare-test` workflow to find the latest release of CodeQL.
-      - name: Set up GitHub CLI
-        run: |
-          apt update
-          apt install -y curl libreadline8 gnupg2 software-properties-common zstd
-          curl -fsSL https://cli.github.com/packages/githubcli-archive-keyring.gpg | dd of=/usr/share/keyrings/githubcli-archive-keyring.gpg
-          apt-key add /usr/share/keyrings/githubcli-archive-keyring.gpg
-          apt-add-repository https://cli.github.com/packages
-          apt install -y gh
-        env: {}
+      - name: Setup Python on MacOS
+        uses: actions/setup-python@v5
+        if: >-
+          matrix.os == 'macos-latest' && (
+
+          matrix.version == 'stable-20221211' ||
+
+          matrix.version == 'stable-20230418' ||
+
+          matrix.version == 'stable-v2.13.5' ||
+
+          matrix.version == 'stable-v2.14.6')
+        with:
+          python-version: '3.11'
      - name: Check out repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v4
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
        with:
          version: ${{ matrix.version }}
          use-all-platform-bundle: 'false'
-          setup-kotlin: 'false'
+      - name: Set environment variable for Swift enablement
+        if: runner.os != 'Windows' && matrix.version == '20221211'
+        shell: bash
+        run: echo "CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT=true" >> $GITHUB_ENV
      - uses: ./../action/init
        with:
          languages: javascript
          tools: ${{ steps.prepare-test.outputs.tools-url }}
      - uses: ./../action/analyze
+        with:
+          upload-database: false
    env:
      https_proxy: http://squid-proxy:3128
      CODEQL_ACTION_TEST_MODE: true
    container:
      image: ubuntu:22.04
+      options: --dns 127.0.0.1
    services:
      squid-proxy:
        image: ubuntu/squid:latest
@@ -1,12 +1,13 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     pr-checks/sync.sh
+#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
 # to regenerate this file.

 name: PR Check - Test unsetting environment variables
 env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  GO111MODULE: auto
+  CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true'
 on:
  push:
    branches:
@@ -20,61 +21,73 @@ on:
      - ready_for_review
  schedule:
    - cron: '0 5 * * *'
-  workflow_dispatch:
-    inputs:
-      go-version:
-        type: string
-        description: The version of Go to install
-        required: false
-        default: '>=1.21.0'
-  workflow_call:
-    inputs:
-      go-version:
-        type: string
-        description: The version of Go to install
-        required: false
-        default: '>=1.21.0'
+  workflow_dispatch: {}
 jobs:
  unset-environment:
    strategy:
-      fail-fast: false
      matrix:
        include:
          - os: ubuntu-latest
-            version: linked
+            version: stable-20221211
+          - os: ubuntu-latest
+            version: stable-20230418
+          - os: ubuntu-latest
+            version: stable-v2.13.5
+          - os: ubuntu-latest
+            version: stable-v2.14.6
+          - os: ubuntu-latest
+            version: default
+          - os: ubuntu-latest
+            version: latest
          - os: ubuntu-latest
            version: nightly-latest
    name: Test unsetting environment variables
    permissions:
      contents: read
-      security-events: read
+      security-events: write
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
+      - name: Setup Python on MacOS
+        uses: actions/setup-python@v5
+        if: >-
+          matrix.os == 'macos-latest' && (
+
+          matrix.version == 'stable-20221211' ||
+
+          matrix.version == 'stable-20230418' ||
+
+          matrix.version == 'stable-v2.13.5' ||
+
+          matrix.version == 'stable-v2.14.6')
+        with:
+          python-version: '3.11'
      - name: Check out repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v4
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
        with:
          version: ${{ matrix.version }}
          use-all-platform-bundle: 'false'
-          setup-kotlin: 'true'
-      - name: Install Go
-        uses: actions/setup-go@v5
-        with:
-          go-version: ${{ inputs.go-version || '>=1.21.0' }}
-          cache: false
+      - name: Set environment variable for Swift enablement
+        if: runner.os != 'Windows' && matrix.version == '20221211'
+        shell: bash
+        run: echo "CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT=true" >> $GITHUB_ENV
      - uses: ./../action/init
        id: init
        with:
          db-location: ${{ runner.temp }}/customDbLocation
-      # Swift is not supported on Ubuntu so we manually exclude it from the list here
-          languages: cpp,csharp,go,java,javascript,python,ruby
          tools: ${{ steps.prepare-test.outputs.tools-url }}
+      - uses: ./../action/.github/actions/setup-swift
+        with:
+          codeql-path: ${{ steps.init.outputs.codeql-path }}
      - name: Build code
        shell: bash
-        run: env -i PATH="$PATH" HOME="$HOME" ./build.sh
+    # Disable Kotlin analysis while it's incompatible with Kotlin 1.8, until we find a
+    # workaround for our PR checks.
+        run: env -i CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN=true PATH="$PATH" HOME="$HOME"
+          ./build.sh
      - uses: ./../action/analyze
        id: analysis
        with:
@@ -1,91 +0,0 @@
-# Warning: This file is generated automatically, and should not be modified.
-# Instead, please modify the template in the pr-checks directory and run:
-#     pr-checks/sync.sh
-# to regenerate this file.
-
-name: 'PR Check - Upload-sarif: code quality endpoint'
-env:
-  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-  GO111MODULE: auto
-on:
-  push:
-    branches:
-      - main
-      - releases/v*
-  pull_request:
-    types:
-      - opened
-      - synchronize
-      - reopened
-      - ready_for_review
-  schedule:
-    - cron: '0 5 * * *'
-  workflow_dispatch:
-    inputs:
-      go-version:
-        type: string
-        description: The version of Go to install
-        required: false
-        default: '>=1.21.0'
-  workflow_call:
-    inputs:
-      go-version:
-        type: string
-        description: The version of Go to install
-        required: false
-        default: '>=1.21.0'
-jobs:
-  upload-quality-sarif:
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - os: ubuntu-latest
-            version: default
-          - os: macos-latest
-            version: default
-          - os: windows-2025
-            version: default
-    name: 'Upload-sarif: code quality endpoint'
-    permissions:
-      contents: read
-      security-events: read
-    timeout-minutes: 45
-    runs-on: ${{ matrix.os }}
-    steps:
-      - name: Check out repository
-        uses: actions/checkout@v5
-      - name: Prepare test
-        id: prepare-test
-        uses: ./.github/actions/prepare-test
-        with:
-          version: ${{ matrix.version }}
-          use-all-platform-bundle: 'false'
-          setup-kotlin: 'true'
-      - name: Install Go
-        uses: actions/setup-go@v5
-        with:
-          go-version: ${{ inputs.go-version || '>=1.21.0' }}
-          cache: false
-      - uses: ./../action/init
-        with:
-          tools: ${{ steps.prepare-test.outputs.tools-url }}
-          languages: cpp,csharp,java,javascript,python
-          config-file: ${{ github.repository }}/tests/multi-language-repo/.github/codeql/custom-queries.yml@${{
-            github.sha }}
-          quality-queries: code-quality
-      - name: Build code
-        shell: bash
-        run: ./build.sh
-  # Generate some SARIF we can upload with the upload-sarif step
-      - uses: ./../action/analyze
-        with:
-          ref: refs/heads/main
-          sha: 5e235361806c361d4d3f8859e3c897658025a9a2
-          upload: never
-      - uses: ./../action/upload-sarif
-        with:
-          ref: refs/heads/main
-          sha: 5e235361806c361d4d3f8859e3c897658025a9a2
-    env:
-      CODEQL_ACTION_TEST_MODE: true
@@ -1,12 +1,13 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     pr-checks/sync.sh
+#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
 # to regenerate this file.

 name: "PR Check - Upload-sarif: 'ref' and 'sha' from inputs"
 env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  GO111MODULE: auto
+  CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true'
 on:
  push:
    branches:
@@ -20,53 +21,51 @@ on:
      - ready_for_review
  schedule:
    - cron: '0 5 * * *'
-  workflow_dispatch:
-    inputs:
-      go-version:
-        type: string
-        description: The version of Go to install
-        required: false
-        default: '>=1.21.0'
-  workflow_call:
-    inputs:
-      go-version:
-        type: string
-        description: The version of Go to install
-        required: false
-        default: '>=1.21.0'
+  workflow_dispatch: {}
 jobs:
  upload-ref-sha-input:
    strategy:
-      fail-fast: false
      matrix:
        include:
          - os: ubuntu-latest
            version: default
          - os: macos-latest
            version: default
-          - os: windows-2025
+          - os: windows-latest
            version: default
    name: "Upload-sarif: 'ref' and 'sha' from inputs"
    permissions:
      contents: read
-      security-events: read
+      security-events: write
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
+      - name: Setup Python on MacOS
+        uses: actions/setup-python@v5
+        if: >-
+          matrix.os == 'macos-latest' && (
+
+          matrix.version == 'stable-20221211' ||
+
+          matrix.version == 'stable-20230418' ||
+
+          matrix.version == 'stable-v2.13.5' ||
+
+          matrix.version == 'stable-v2.14.6')
+        with:
+          python-version: '3.11'
      - name: Check out repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v4
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
        with:
          version: ${{ matrix.version }}
          use-all-platform-bundle: 'false'
-          setup-kotlin: 'true'
-      - name: Install Go
-        uses: actions/setup-go@v5
-        with:
-          go-version: ${{ inputs.go-version || '>=1.21.0' }}
-          cache: false
+      - name: Set environment variable for Swift enablement
+        if: runner.os != 'Windows' && matrix.version == '20221211'
+        shell: bash
+        run: echo "CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT=true" >> $GITHUB_ENV
      - uses: ./../action/init
        with:
          tools: ${{ steps.prepare-test.outputs.tools-url }}
@@ -76,9 +75,9 @@ jobs:
      - name: Build code
        shell: bash
        run: ./build.sh
-  # Generate some SARIF we can upload with the upload-sarif step
      - uses: ./../action/analyze
        with:
+          upload-database: false
          ref: refs/heads/main
          sha: 5e235361806c361d4d3f8859e3c897658025a9a2
          upload: never
@@ -1,12 +1,13 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     pr-checks/sync.sh
+#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
 # to regenerate this file.

 name: PR Check - Use a custom `checkout_path`
 env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  GO111MODULE: auto
+  CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true'
 on:
  push:
    branches:
@@ -20,53 +21,51 @@ on:
      - ready_for_review
  schedule:
    - cron: '0 5 * * *'
-  workflow_dispatch:
-    inputs:
-      go-version:
-        type: string
-        description: The version of Go to install
-        required: false
-        default: '>=1.21.0'
-  workflow_call:
-    inputs:
-      go-version:
-        type: string
-        description: The version of Go to install
-        required: false
-        default: '>=1.21.0'
+  workflow_dispatch: {}
 jobs:
  with-checkout-path:
    strategy:
-      fail-fast: false
      matrix:
        include:
          - os: ubuntu-latest
-            version: linked
+            version: latest
          - os: macos-latest
-            version: linked
-          - os: windows-2025
-            version: linked
+            version: latest
+          - os: windows-latest
+            version: latest
    name: Use a custom `checkout_path`
    permissions:
      contents: read
-      security-events: read
+      security-events: write
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
+      - name: Setup Python on MacOS
+        uses: actions/setup-python@v5
+        if: >-
+          matrix.os == 'macos-latest' && (
+
+          matrix.version == 'stable-20221211' ||
+
+          matrix.version == 'stable-20230418' ||
+
+          matrix.version == 'stable-v2.13.5' ||
+
+          matrix.version == 'stable-v2.14.6')
+        with:
+          python-version: '3.11'
      - name: Check out repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v4
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
        with:
          version: ${{ matrix.version }}
          use-all-platform-bundle: 'false'
-          setup-kotlin: 'true'
-      - name: Install Go
-        uses: actions/setup-go@v5
-        with:
-          go-version: ${{ inputs.go-version || '>=1.21.0' }}
-          cache: false
+      - name: Set environment variable for Swift enablement
+        if: runner.os != 'Windows' && matrix.version == '20221211'
+        shell: bash
+        run: echo "CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT=true" >> $GITHUB_ENV
      - name: Delete original checkout
        shell: bash
        run: |
@@ -76,7 +75,7 @@ jobs:
          rm -rf ./* .github .git
  # Check out the actions repo again, but at a different location.
  # choose an arbitrary SHA so that we can later test that the commit_oid is not from main
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v4
        with:
          ref: 474bbf07f9247ffe1856c6a0f94aeeb10e7afee6
          path: x/y/z/some-path
@@ -99,6 +98,14 @@ jobs:
          checkout_path: x/y/z/some-path/tests/multi-language-repo
          ref: v1.1.0
          sha: 474bbf07f9247ffe1856c6a0f94aeeb10e7afee6
+          upload: never
+          upload-database: false
+
+      - uses: ./../action/upload-sarif
+        with:
+          ref: v1.1.0
+          sha: 474bbf07f9247ffe1856c6a0f94aeeb10e7afee6
+          checkout_path: x/y/z/some-path/tests/multi-language-repo

      - name: Verify SARIF after upload
        shell: bash
@@ -13,12 +13,9 @@ jobs:
  check-expected-release-files:
    runs-on: ubuntu-latest

-    permissions:
-      contents: read
-
    steps:
      - name: Checkout CodeQL Action
-        uses: actions/checkout@v5
+        uses: actions/checkout@v4
      - name: Check Expected Release Files
        run: |
          bundle_version="$(cat "./src/defaults.json" | jq -r ".bundleVersion")"
@@ -24,10 +24,10 @@ jobs:
      versions: ${{ steps.compare.outputs.versions }}

    permissions:
-      contents: read
+      security-events: write

    steps:
-    - uses: actions/checkout@v5
+    - uses: actions/checkout@v4
    - name: Init with default CodeQL bundle from the VM image
      id: init-default
      uses: ./init
@@ -41,7 +41,7 @@ jobs:
      id: init-latest
      uses: ./init
      with:
-        tools: linked
+        tools: latest
        languages: javascript
    - name: Compare default and latest CodeQL bundle versions
      id: compare
@@ -54,38 +54,36 @@ jobs:
        echo "Default CodeQL bundle version is $CODEQL_VERSION_DEFAULT"
        echo "Latest CodeQL bundle version is $CODEQL_VERSION_LATEST"

-        # If we're running on a pull request, run with both bundles, even if `tools: linked` would
+        # If we're running on a pull request, run with both bundles, even if `tools: latest` would
        # be the same as `tools: null`. This allows us to make the job for each of the bundles a
        # required status check.
        #
-        # If we're running on push or schedule, then we can skip running with `tools: linked` when it would be
+        # If we're running on push or schedule, then we can skip running with `tools: latest` when it would be
        # the same as running with `tools: null`.
        if [[ "$GITHUB_EVENT_NAME" != "pull_request" && "$CODEQL_VERSION_DEFAULT" == "$CODEQL_VERSION_LATEST" ]]; then
          VERSIONS_JSON='[null]'
        else
-          VERSIONS_JSON='[null, "linked"]'
+          VERSIONS_JSON='[null, "latest"]'
        fi

        # Output a JSON-encoded list with the distinct versions to test against.
        echo "Suggested matrix config for analysis job: $VERSIONS_JSON"
        echo "versions=${VERSIONS_JSON}" >> $GITHUB_OUTPUT

-  analyze-javascript:
+  build:
    needs: [check-codeql-versions]
    strategy:
-      fail-fast: false
      matrix:
-        os: [ubuntu-22.04,ubuntu-24.04,windows-2022,windows-2025,macos-13,macos-14,macos-15]
+        os: [ubuntu-20.04,ubuntu-22.04,windows-2019,windows-2022,macos-11,macos-12,macos-13]
        tools: ${{ fromJson(needs.check-codeql-versions.outputs.versions) }}
    runs-on: ${{ matrix.os }}

    permissions:
-      contents: read
      security-events: write

    steps:
    - name: Checkout
-      uses: actions/checkout@v5
+      uses: actions/checkout@v4
    - name: Initialize CodeQL
      uses: ./init
      id: init
@@ -98,29 +96,3 @@ jobs:
      run: ${{steps.init.outputs.codeql-path}} version --format=json
    - name: Perform CodeQL Analysis
      uses: ./analyze
-      with:
-        category: "/language:javascript"
-
-
-  analyze-actions:
-    runs-on: ubuntu-latest
-
-    strategy:
-      fail-fast: false
-
-    permissions:
-      contents: read
-      security-events: write
-
-    steps:
-    - name: Checkout
-      uses: actions/checkout@v5
-    - name: Initialize CodeQL
-      uses: ./init
-      with:
-        languages: actions
-        config-file: ./.github/codeql/codeql-actions-config.yml
-    - name: Perform CodeQL Analysis
-      uses: ./analyze
-      with:
-        category: "/language:actions"
@@ -3,9 +3,6 @@
 name: Code-Scanning config CLI tests
 env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-  # Diff informed queries add an additional query filter which is not yet
-  # taken into account by these tests.
-  CODEQL_ACTION_DIFF_INFORMED_QUERIES: false

 on:
  push:
@@ -26,19 +23,13 @@ jobs:
  code-scanning-config-tests:
    continue-on-error: true

-    permissions:
-      contents: read
-      packages: read
-      security-events: read
-
    strategy:
-      fail-fast: false
      matrix:
        include:
        - os: ubuntu-latest
-          version: linked
+          version: latest
        - os: macos-latest
-          version: linked
+          version: latest
        - os: ubuntu-latest
          version: default
        - os: macos-latest
@@ -54,7 +45,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
    - name: Check out repository
-      uses: actions/checkout@v5
+      uses: actions/checkout@v4
    - name: Prepare test
      id: prepare-test
      uses: ./.github/actions/prepare-test
@@ -1,102 +0,0 @@
-# Checks logs, SARIF, and database bundle debug artifacts exist
-# when the analyze step fails.
-name: PR Check - Debug artifacts after failure
-env:
-  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-on:
-  push:
-    branches:
-    - main
-    - releases/v*
-  pull_request:
-    types:
-    - opened
-    - synchronize
-    - reopened
-    - ready_for_review
-  schedule:
-    - cron: '0 5 * * *'
-  workflow_dispatch: {}
-jobs:
-  upload-artifacts:
-    strategy:
-      fail-fast: false
-      matrix:
-        version:
-        - stable-v2.20.3
-        - default
-        - linked
-        - nightly-latest
-    name: Upload debug artifacts after failure in analyze
-    continue-on-error: true
-    env:
-      CODEQL_ACTION_TEST_MODE: true
-    permissions:
-      contents: read
-    timeout-minutes: 45
-    runs-on: ubuntu-latest
-    steps:
-      - name: Dump GitHub event
-        run: cat "${GITHUB_EVENT_PATH}"
-      - name: Check out repository
-        uses: actions/checkout@v5
-      - name: Prepare test
-        id: prepare-test
-        uses: ./.github/actions/prepare-test
-        with:
-          version: ${{ matrix.version }}
-      - uses: actions/setup-go@v5
-        with:
-          go-version: ^1.13.1
-      - uses: ./../action/init
-        with:
-          tools: ${{ steps.prepare-test.outputs.tools-url }}
-          debug: true
-          debug-artifact-name: my-debug-artifacts
-          debug-database-name: my-db
-      - name: Build code
-        shell: bash
-        run: ./build.sh
-      - uses: ./../action/analyze
-        id: analysis
-        env:
-          # Forces a failure in this step.
-          CODEQL_ACTION_EXTRA_OPTIONS: '{ "database": { "finalize": ["--invalid-option"] } }'
-        with:
-          expect-error: true
-  download-and-check-artifacts:
-    name: Download and check debug artifacts after failure in analyze
-    needs: upload-artifacts
-    timeout-minutes: 45
-    permissions:
-      contents: read
-    runs-on: ubuntu-latest
-    steps:
-      - name: Download all artifacts
-        uses: actions/download-artifact@v5
-      - name: Check expected artifacts exist
-        shell: bash
-        run: |
-          LANGUAGES="cpp csharp go java javascript python"
-          for version in $VERSIONS; do
-            echo "Artifacts from version $version:"
-            pushd "./my-debug-artifacts-${version//./}"
-            for language in $LANGUAGES; do
-              echo "- Checking $language"
-              if [[ ! -f "my-db-$language-partial.zip" ]] ; then
-                echo "Missing a partial database bundle for $language"
-                exit 1
-              fi
-              if [[ ! -d "log" ]] ; then
-                echo "Missing database initialization logs"
-                exit 1
-              fi
-              if [[ ! "$language" == "go" ]] && [[ ! -d "$language/log" ]] ; then
-                echo "Missing logs for $language"
-                exit 1
-              fi
-            done
-            popd
-          done
-        env:
-          GO111MODULE: auto
@@ -0,0 +1,90 @@
+# Checks logs, SARIF, and database bundle debug artifacts exist
+# when the analyze step fails.
+name: PR Check - Debug artifacts after failure
+env:
+  # Disable Kotlin analysis while it's incompatible with Kotlin 1.8, until we find a
+  # workaround for our PR checks.
+  CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: true
+  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+on:
+  push:
+    branches:
+    - main
+    - releases/v*
+  pull_request:
+    types:
+    - opened
+    - synchronize
+    - reopened
+    - ready_for_review
+  schedule:
+    - cron: '0 5 * * *'
+  workflow_dispatch: {}
+jobs:
+  upload-artifacts:
+    name: Upload debug artifacts after failure in analyze
+    continue-on-error: true
+    env:
+      CODEQL_ACTION_TEST_MODE: true
+    timeout-minutes: 45
+    runs-on: ubuntu-latest
+    steps:
+      - name: Dump GitHub event
+        run: cat "${GITHUB_EVENT_PATH}"
+      - name: Check out repository
+        uses: actions/checkout@v4
+      - name: Prepare test
+        id: prepare-test
+        uses: ./.github/actions/prepare-test
+        with:
+          version: latest
+      - uses: actions/setup-go@v5
+        with:
+          go-version: ^1.13.1
+      - uses: ./../action/init
+        with:
+          tools: ${{ steps.prepare-test.outputs.tools-url }}
+          debug: true
+          debug-artifact-name: my-debug-artifacts
+          debug-database-name: my-db
+      - name: Build code
+        shell: bash
+        run: ./build.sh
+      - uses: ./../action/analyze
+        id: analysis
+        env: 
+          # Forces a failure in this step.
+          CODEQL_ACTION_EXTRA_OPTIONS: '{ "database": { "finalize": ["--invalid-option"] } }'
+        with:
+          expect-error: true
+  download-and-check-artifacts:
+    name: Download and check debug artifacts after failure in analyze
+    needs: upload-artifacts
+    timeout-minutes: 45
+    runs-on: ubuntu-latest
+    steps:
+      - name: Download all artifacts
+        uses: actions/download-artifact@v3
+      - name: Check expected artifacts exist
+        shell: bash
+        run: |
+          LANGUAGES="cpp csharp go java javascript python"
+          cd "./my-debug-artifacts"
+          echo "Artifacts from run:"
+          for language in $LANGUAGES; do
+            echo "- Checking $language"
+            if [[ ! -f "my-db-$language-partial.zip" ]] ; then
+              echo "Missing a partial database bundle for $language"
+              exit 1
+            fi
+            if [[ ! -d "log" ]] ; then
+              echo "Missing database initialization logs"
+              exit 1
+            fi
+            if [[ ! "$language" == "go" ]] && [[ ! -d "$language/log" ]] ; then
+              echo "Missing logs for $language"
+              exit 1
+            fi
+          done
+        env:
+          GO111MODULE: auto
@@ -1,97 +0,0 @@
-# Checks logs, SARIF, and database bundle debug artifacts exist.
-name: PR Check - Debug artifact upload
-env:
-  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-on:
-  push:
-    branches:
-    - main
-    - releases/v*
-  pull_request:
-    types:
-    - opened
-    - synchronize
-    - reopened
-    - ready_for_review
-  schedule:
-    - cron: '0 5 * * *'
-  workflow_dispatch: {}
-jobs:
-  upload-artifacts:
-    strategy:
-      fail-fast: false
-      matrix:
-        version:
-        - stable-v2.20.3
-        - default
-        - linked
-        - nightly-latest
-    name: Upload debug artifacts
-    env:
-      CODEQL_ACTION_TEST_MODE: true
-    timeout-minutes: 45
-    permissions:
-      contents: read
-    runs-on: ubuntu-latest
-    steps:
-      - name: Check out repository
-        uses: actions/checkout@v5
-      - name: Prepare test
-        id: prepare-test
-        uses: ./.github/actions/prepare-test
-        with:
-          version: ${{ matrix.version }}
-      - uses: actions/setup-go@v5
-        with:
-          go-version: ^1.13.1
-      - uses: ./../action/init
-        id: init
-        with:
-          tools: ${{ steps.prepare-test.outputs.tools-url }}
-          debug: true
-          debug-artifact-name: my-debug-artifacts
-          debug-database-name: my-db
-          # We manually exclude Swift from the languages list here, as it is not supported on Ubuntu
-          languages: cpp,csharp,go,java,javascript,python,ruby
-      - name: Build code
-        shell: bash
-        run: ./build.sh
-      - uses: ./../action/analyze
-        id: analysis
-  download-and-check-artifacts:
-    name: Download and check debug artifacts
-    needs: upload-artifacts
-    timeout-minutes: 45
-    permissions:
-      contents: read
-    runs-on: ubuntu-latest
-    steps:
-      - name: Download all artifacts
-        uses: actions/download-artifact@v5
-      - name: Check expected artifacts exist
-        shell: bash
-        run: |
-          VERSIONS="stable-v2.20.3 default linked nightly-latest"
-          LANGUAGES="cpp csharp go java javascript python"
-          for version in $VERSIONS; do
-            pushd "./my-debug-artifacts-${version//./}"
-            echo "Artifacts from version $version:"
-            for language in $LANGUAGES; do
-              echo "- Checking $language"
-              if [[ ! -f "$language.sarif" ]] ; then
-                echo "Missing a SARIF file for $language"
-                exit 1
-              fi
-              if [[ ! -f "my-db-$language.zip" ]] ; then
-                echo "Missing a database bundle for $language"
-                exit 1
-              fi
-              if [[ ! -d "$language/log" ]] ; then
-                echo "Missing logs for $language"
-                exit 1
-              fi
-            done
-            popd
-          done
-        env:
-          GO111MODULE: auto
@@ -0,0 +1,99 @@
+# Checks logs, SARIF, and database bundle debug artifacts exist.
+name: PR Check - Debug artifact upload
+env:
+  # Disable Kotlin analysis while it's incompatible with Kotlin 1.8, until we find a
+  # workaround for our PR checks.
+  CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: true
+  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+on:
+  push:
+    branches:
+    - main
+    - releases/v*
+  pull_request:
+    types:
+    - opened
+    - synchronize
+    - reopened
+    - ready_for_review
+  schedule:
+    - cron: '0 5 * * *'
+  workflow_dispatch: {}
+jobs:
+  upload-artifacts:
+    strategy:
+      matrix:
+        version:
+        - stable-20221211
+        - stable-20230418
+        - stable-v2.13.5
+        - stable-v2.14.6
+        - default
+        - latest
+        - nightly-latest
+    name: Upload debug artifacts
+    env:
+      CODEQL_ACTION_TEST_MODE: true
+    timeout-minutes: 45
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check out repository
+        uses: actions/checkout@v4
+      - name: Prepare test
+        id: prepare-test
+        uses: ./.github/actions/prepare-test
+        with:
+          version: ${{ matrix.version }}
+      - uses: actions/setup-go@v5
+        with:
+          go-version: ^1.13.1
+      - uses: ./../action/init
+        id: init
+        with:
+          tools: ${{ steps.prepare-test.outputs.tools-url }}
+          debug: true
+          debug-artifact-name: my-debug-artifacts
+          debug-database-name: my-db
+      - uses: ./../action/.github/actions/setup-swift
+        with:
+          codeql-path: ${{ steps.init.outputs.codeql-path }}
+      - name: Build code
+        shell: bash
+        run: ./build.sh
+      - uses: ./../action/analyze
+        id: analysis
+  download-and-check-artifacts:
+    name: Download and check debug artifacts
+    needs: upload-artifacts
+    timeout-minutes: 45
+    runs-on: ubuntu-latest
+    steps:
+      - name: Download all artifacts
+        uses: actions/download-artifact@v3
+      - name: Check expected artifacts exist
+        shell: bash
+        run: |
+          VERSIONS="stable-20221211 stable-20230418 stable-v2.13.5 stable-v2.14.6 default latest nightly-latest"
+          LANGUAGES="cpp csharp go java javascript python"
+          for version in $VERSIONS; do
+            pushd "./my-debug-artifacts-${version//./}"
+            echo "Artifacts from version $version:"
+            for language in $LANGUAGES; do
+              echo "- Checking $language"
+              if [[ ! -f "$language.sarif" ]] ; then
+                echo "Missing a SARIF file for $language"
+                exit 1
+              fi
+              if [[ ! -f "my-db-$language.zip" ]] ; then
+                echo "Missing a database bundle for $language"
+                exit 1
+              fi
+              if [[ ! -d "$language/log" ]] ; then
+                echo "Missing logs for $language"
+                exit 1
+              fi
+            done
+            popd
+          done
+        env:
+          GO111MODULE: auto
@@ -22,17 +22,14 @@ jobs:
      CODEQL_ACTION_TEST_MODE: true
    timeout-minutes: 45
    runs-on: ubuntu-latest
-    permissions:
-      contents: read
-      security-events: read
    steps:
    - name: Check out repository
-      uses: actions/checkout@v5
+      uses: actions/checkout@v4
    - name: Prepare test
      id: prepare-test
      uses: ./.github/actions/prepare-test
      with:
-        version: linked
+        version: latest
    - uses: ./../action/init
      with:
        languages: javascript
@@ -40,6 +37,8 @@ jobs:
    - uses: ./../action/analyze
      with:
        output: ${{ runner.temp }}/results
+        upload-database: false
+        upload: never

    - name: Check Sarif
      uses: ./../action/.github/actions/check-sarif
@@ -21,16 +21,11 @@ on:
 jobs:
  merge-back:
    runs-on: ubuntu-latest
-    environment: Automation
    if: github.repository == 'github/codeql-action'
    env:
      BASE_BRANCH: "${{ github.event.inputs.baseBranch || 'main' }}"
      HEAD_BRANCH: "${{ github.head_ref || github.ref }}"

-    permissions:
-      contents: write # needed to create tags and push commits
-      pull-requests: write
-
    steps:
      - name: Dump environment
        run: env
@@ -40,7 +35,7 @@ jobs:
          GITHUB_CONTEXT: '${{ toJson(github) }}'
        run: echo "${GITHUB_CONTEXT}"

-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v4
        with:
          fetch-depth: 0  # ensure we have all tags and can push commits
      - uses: actions/setup-node@v4
@@ -113,17 +108,6 @@ jobs:
          # - `--force` since we're overwriting the `vN` tag
          git push origin --atomic --force refs/tags/"${VERSION}" refs/tags/"${major_version_tag}"

-      - name: Prepare partial Changelog
-        env:
-          PARTIAL_CHANGELOG: "${{ runner.temp }}/partial_changelog.md"
-          VERSION: "${{ steps.getVersion.outputs.version }}"
-        run: |
-          python .github/workflows/script/prepare_changelog.py CHANGELOG.md "$VERSION" > $PARTIAL_CHANGELOG
-
-          echo "::group::Partial CHANGELOG"
-          cat $PARTIAL_CHANGELOG
-          echo "::endgroup::"
-
      - name: Create mergeback branch
        if: ${{ steps.check.outputs.exists != 'true' && endsWith(github.ref_name, steps.getVersion.outputs.latest_release_branch) }}
        env:
@@ -166,23 +150,3 @@ jobs:
            --body "${pr_body}" \
            --assignee "${GITHUB_ACTOR}" \
            --draft
-
-      - name: Generate token
-        uses: actions/create-github-app-token@v2.1.1
-        id: app-token
-        with:
-          app-id: ${{ vars.AUTOMATION_APP_ID }}
-          private-key: ${{ secrets.AUTOMATION_PRIVATE_KEY }}
-
-      - name: Create the GitHub release
-        env:
-          PARTIAL_CHANGELOG: "${{ runner.temp }}/partial_changelog.md"
-          VERSION: "${{ steps.getVersion.outputs.version }}"
-          GH_TOKEN: ${{ steps.app-token.outputs.token }}
-        run: |
-          # Do not mark this release as latest. The most recent CLI release must be marked as latest.
-          gh release create \
-            "$VERSION" \
-            --latest=false \
-            --title "$VERSION" \
-            --notes-file "$PARTIAL_CHANGELOG"
@@ -2,6 +2,7 @@ name: PR Checks

 on:
  push:
+    branches: [main, releases/v*]
  pull_request:
    # Run checks on reopened draft PRs to support triggering PR checks on draft PRs that were opened
    # by other workflows.
@@ -13,79 +14,89 @@ jobs:
    name: Check JS
    runs-on: ubuntu-latest
    timeout-minutes: 45
-    permissions:
-      contents: read
-      security-events: write # needed to upload ESLint results

    strategy:
-      fail-fast: false
+      matrix:
+        node-types-version: [16.11, current] # we backport this matrix job in order to maintain the same check names

    steps:
      - name: Checkout
-        uses: actions/checkout@v5
+        uses: actions/checkout@v4

      - name: Lint
-        id: lint
-        run: npm run-script lint-ci
+        run: npm run-script lint

-      - name: Upload sarif
-        uses: github/codeql-action/upload-sarif@v3
-        with:
-          sarif_file: eslint.sarif
-          category: eslint
+      - name: Update version of @types/node
+        if: matrix.node-types-version != 'current'
+        env:
+          NODE_TYPES_VERSION: ${{ matrix.node-types-version }}
+        run: |
+          # Export `NODE_TYPES_VERSION` so it's available to jq
+          export NODE_TYPES_VERSION="${NODE_TYPES_VERSION}"
+          contents=$(jq '.devDependencies."@types/node" = env.NODE_TYPES_VERSION' package.json)
+          echo "${contents}" > package.json
+          # Usually we run `npm install` on macOS to ensure that we pick up macOS-only dependencies.
+          # However we're not checking in the updated lockfile here, so it's fine to run
+          # `npm install` on Linux.
+          npm install
+
+          if [ ! -z "$(git status --porcelain)" ]; then
+            git config --global user.email "github-actions@github.com"
+            git config --global user.name "github-actions[bot]"
+            # The period in `git add --all .` ensures that we stage deleted files too.
+            git add --all .
+            git commit -m "Use @types/node=${NODE_TYPES_VERSION}"
+          fi

      - name: Check generated JS
+        if: matrix.node-types-version != 'current' # we do not need to test the newer node on the v2 branch
        run: .github/workflows/script/check-js.sh

  check-node-modules:
-    if: github.event_name != 'push' || github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/heads/releases/v')
    name: Check modules up to date
-    permissions:
-      contents: read
    runs-on: macos-latest
    timeout-minutes: 45

    steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v4
      - name: Check node modules up to date
        run: .github/workflows/script/check-node-modules.sh

  check-file-contents:
-    if: github.event_name != 'push' || github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/heads/releases/v')
    name: Check file contents
-    permissions:
-      contents: read
    runs-on: ubuntu-latest
    timeout-minutes: 45

    steps:
      - name: Checkout
-        uses: actions/checkout@v5
+        uses: actions/checkout@v4

      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: 3.11

+      - name: Install dependencies
+        run: |
+          python -m pip install --upgrade pip
+          # When updating this, update the autogenerated code header in `sync.py` too.
+          pip install ruamel.yaml==0.17.31
+
      # Ensure the generated PR check workflows are up to date.
      - name: Verify PR checks up to date
        run: .github/workflows/script/verify-pr-checks.sh

  npm-test:
-    if: github.event_name != 'push' || github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/heads/releases/v')
    name: Unit Test
    needs: [check-js, check-node-modules]
    strategy:
-      fail-fast: false
      matrix:
-        os: [ubuntu-latest, macos-latest, windows-2025]
-    permissions:
-      contents: read
+        os: [ubuntu-latest, macos-latest, windows-latest]
    runs-on: ${{ matrix.os }}
    timeout-minutes: 45

    steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v4
      - name: npm test
        run: |
          # Run any commands referenced in package.json using Bash, otherwise
@@ -94,18 +105,15 @@ jobs:
          npm test

  check-node-version:
-    if: github.event.pull_request
+    if: ${{ github.event.pull_request }}
    name: Check Action Node versions
    runs-on: ubuntu-latest
    timeout-minutes: 45
    env:
      BASE_REF: ${{ github.base_ref }}

-    permissions:
-      contents: read
-
    steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v4
      - id: head-version
        name: Verify all Actions use the same Node version
        run: |
@@ -120,7 +128,7 @@ jobs:
      - id: checkout-base
        name: 'Backport: Check out base ref'
        if: ${{ startsWith(github.head_ref, 'backport-') }}
-        uses: actions/checkout@v5
+        uses: actions/checkout@v4
        with:
          ref: ${{ env.BASE_REF }}

@@ -1,35 +0,0 @@
-name: 'Publish Immutable Action Version'
-
-on:
-  release:
-    types: [published]
-
-jobs:
-  publish:
-    runs-on: ubuntu-latest
-    permissions:
-      contents: read
-      id-token: write
-      packages: write
-
-    steps:
-      - name: Check release name
-        id: check
-        env:
-          RELEASE_NAME: ${{ github.event.release.name }}
-        run: |
-          echo "Release name: ${{ github.event.release.name }}"
-          if [[ $RELEASE_NAME == v* ]]; then
-            echo "This is a CodeQL Action release. Create an Immutable Action"
-            echo "is-action-release=true" >> $GITHUB_OUTPUT
-          else
-            echo "This is a CodeQL Bundle release. Do not create an Immutable Action"
-            echo "is-action-release=false" >> $GITHUB_OUTPUT
-          fi
-      - name: Checking out
-        if: steps.check.outputs.is-action-release == 'true'
-        uses: actions/checkout@v5
-      - name: Publish
-        if: steps.check.outputs.is-action-release == 'true'
-        id: publish
-        uses: actions/publish-immutable-action@v0.0.4
@@ -0,0 +1,174 @@
+name: Test Python Package Installation
+
+on:
+  push:
+    branches: [main, releases/v*]
+  pull_request:
+    # Run checks on reopened draft PRs to support triggering PR checks on draft PRs that were opened
+    # by other workflows.
+    types: [opened, synchronize, reopened, ready_for_review]
+    paths:
+      # Changes to this workflow.
+      - '.github/workflows/python-deps.yml'
+      # Changes to the Python package installation scripts and their tests.
+      - 'python-setup/**'
+      # Changes to the default CodeQL bundle version.
+      - '**/defaults.json'
+  schedule:
+    # Weekly on Monday.
+    - cron: '0 0 * * 1'
+  workflow_dispatch:
+
+jobs:
+  test-setup-python-scripts:
+    timeout-minutes: 45
+    runs-on: ${{ matrix.os }}
+    strategy:
+        fail-fast: false
+        matrix:
+          os: [ubuntu-20.04, ubuntu-22.04, macos-latest]
+          python_deps_type: [pipenv, poetry, requirements, setup_py]
+          python_version: [3]
+
+
+    env:
+      PYTHON_DEPS_TYPE: ${{ matrix.python_deps_type }}
+      PYTHON_VERSION: ${{ matrix.python_version }}
+
+    steps:
+    # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
+    - uses: actions/checkout@v4
+
+    - name: Initialize CodeQL
+      uses: ./init
+      id: init
+      with:
+        tools: latest
+        languages: python
+        setup-python-dependencies: false
+
+    - name: Test Auto Package Installation
+      run: |
+        set -x
+        $GITHUB_WORKSPACE/python-setup/install_tools.sh
+
+        cd $GITHUB_WORKSPACE/python-setup/tests/${PYTHON_DEPS_TYPE}/requests-${PYTHON_VERSION}
+
+        case ${{ matrix.os }} in
+            ubuntu-20.04*)     basePath="/opt";;
+            ubuntu-22.04*)     basePath="/opt";;
+            macos-latest*)    basePath="/Users/runner";;
+        esac
+        echo ${basePath}
+
+        $GITHUB_WORKSPACE/python-setup/auto_install_packages.py "$(dirname ${{steps.init.outputs.codeql-path}})"
+    - name: Setup for extractor
+      run: |
+        echo $CODEQL_PYTHON
+        # only run if $CODEQL_PYTHON is set
+        if [ ! -z $CODEQL_PYTHON ]; then
+            $GITHUB_WORKSPACE/python-setup/tests/from_python_exe.py $CODEQL_PYTHON;
+        fi
+
+    - name: Verify packages installed
+      run: |
+        $GITHUB_WORKSPACE/python-setup/tests/check_requests.sh ${PYTHON_VERSION} 2.31.0
+
+  # This one shouldn't fail, but also won't install packages
+  test-setup-python-scripts-non-standard-location:
+    runs-on: ${{ matrix.os }}
+    strategy:
+        fail-fast: false
+        matrix:
+          os: [ubuntu-20.04, ubuntu-22.04, macos-latest]
+
+    steps:
+    # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
+    - uses: actions/checkout@v4
+
+    - name: Initialize CodeQL
+      uses: ./init
+      id: init
+      with:
+        tools: latest
+        languages: python
+        setup-python-dependencies: false
+
+    - name: Test Auto Package Installation
+      run: |
+        set -x
+        $GITHUB_WORKSPACE/python-setup/install_tools.sh
+
+        cd $GITHUB_WORKSPACE/python-setup/tests/requirements/non-standard-location
+
+        case ${{ matrix.os }} in
+            ubuntu-20.04*)     basePath="/opt";;
+            ubuntu-22.04*)     basePath="/opt";;
+            macos-latest*)    basePath="/Users/runner";;
+        esac
+        echo ${basePath}
+
+        $GITHUB_WORKSPACE/python-setup/auto_install_packages.py "$(dirname ${{steps.init.outputs.codeql-path}})"
+
+    - name: Setup for extractor
+      run: |
+        echo $CODEQL_PYTHON
+        # only run if $CODEQL_PYTHON is set
+        if [ ! -z $CODEQL_PYTHON ]; then
+            $GITHUB_WORKSPACE/python-setup/tests/from_python_exe.py $CODEQL_PYTHON;
+        fi
+
+    - name: Verify packages installed
+      run: |
+        test -z $LGTM_INDEX_IMPORT_PATH
+
+  test-setup-python-scripts-windows:
+    runs-on: windows-latest
+    strategy:
+        fail-fast: false
+        matrix:
+          python_deps_type: [pipenv, poetry, requirements, setup_py]
+          python_version: [3]
+
+    env:
+      CODEQL_ACTION_TEST_MODE: true
+      PYTHON_DEPS_TYPE: ${{ matrix.python_deps_type }}
+      PYTHON_VERSION: ${{ matrix.python_version }}
+
+    steps:
+    # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
+    - uses: actions/checkout@v4
+
+    - uses: actions/setup-python@v5
+      with:
+        python-version: ${{ matrix.python_version }}
+
+    - name: Initialize CodeQL
+      id: init
+      uses: ./init
+      with:
+        tools: latest
+        languages: python
+        setup-python-dependencies: false
+
+    - name: Test Auto Package Installation
+      env:
+        CODEQL_PATH: ${{ steps.init.outputs.codeql-path }}
+      run: |
+        $cmd = $Env:GITHUB_WORKSPACE + "\\python-setup\\install_tools.ps1"
+        powershell -File $cmd
+
+        cd $Env:GITHUB_WORKSPACE\\python-setup/tests/$Env:PYTHON_DEPS_TYPE/requests-$Env:PYTHON_VERSION
+        $codeql_dist = (get-item $Env:CODEQL_PATH).Directory.FullName
+        py -3 $Env:GITHUB_WORKSPACE\\python-setup\\auto_install_packages.py $codeql_dist
+
+    - name: Setup for extractor
+      run: |
+        echo $Env:CODEQL_PYTHON
+
+        py -3 $Env:GITHUB_WORKSPACE\\python-setup\\tests\\from_python_exe.py $Env:CODEQL_PYTHON
+
+    - name: Verify packages installed
+      run: |
+        $cmd = $Env:GITHUB_WORKSPACE + "\\python-setup\\tests\\check_requests.ps1"
+        powershell -File $cmd $Env:PYTHON_VERSION 2.31.0
@@ -14,19 +14,15 @@ on:

 jobs:
  test-setup-python-scripts:
-    env:
-      CODEQL_ACTION_TEST_MODE: true
    timeout-minutes: 45
-    permissions:
-      contents: read
-    runs-on: windows-2025
+    runs-on: windows-latest

    steps:
    - uses: actions/setup-python@v5
      with:
        python-version: 3.12

-    - uses: actions/checkout@v5
+    - uses: actions/checkout@v4

    - name: Prepare test
      uses: ./.github/actions/prepare-test
@@ -36,8 +32,11 @@ jobs:
    - name: Initialize CodeQL
      uses: ./../action/init
      with:
-        tools: linked
+        tools: latest
        languages: python

    - name: Analyze
      uses: ./../action/analyze
+      with:
+        upload: false
+        upload-database: false
@@ -20,16 +20,14 @@ jobs:
    name: Query Filters Tests
    timeout-minutes: 45
    runs-on: ubuntu-latest
-    permissions:
-      contents: read # This permission is needed to allow the GitHub Actions workflow to read the contents of the repository.
    steps:
    - name: Check out repository
-      uses: actions/checkout@v5
+      uses: actions/checkout@v4
    - name: Prepare test
      id: prepare-test
      uses: ./.github/actions/prepare-test
      with:
-        version: linked
+        version: latest

    - name: Check SARIF for default queries with Single include, Single exclude
      uses: ./../action/.github/actions/query-filter-test
@@ -9,20 +9,15 @@ jobs:
  rebuild:
    name: Rebuild Action
    runs-on: ubuntu-latest
-    if: github.event.label.name == 'Rebuild' || github.event_name == 'workflow_dispatch'
+    if: github.event.label.name == 'Rebuild'

-    permissions:
-      contents: write # needed to push rebuilt commit
-      pull-requests: write # needed to comment on the PR
    steps:
      - name: Checkout
-        uses: actions/checkout@v5
+        uses: actions/checkout@v4
        with:
-          fetch-depth: 0
-          ref: ${{ github.event.pull_request.head.ref || github.event.ref }}
+          ref: ${{ github.event.pull_request.head.ref }}

      - name: Remove label
-        if: github.event_name == 'pull_request'
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          PR_NUMBER: ${{ github.event.pull_request.number }}
@@ -30,35 +25,21 @@ jobs:
          gh pr edit --repo github/codeql-action "$PR_NUMBER" \
            --remove-label "Rebuild"

-      - name: Configure git
-        run: |
-          git config --global user.email "41898282+github-actions[bot]@users.noreply.github.com"
-          git config --global user.name "github-actions[bot]"
-
      - name: Merge in changes from base branch
-        id: merge
        env:
-          BASE_BRANCH: ${{ github.event.pull_request.base.ref || 'main' }}
+          BASE_BRANCH: ${{ github.event.pull_request.base.ref }}
        run: |
          git fetch origin "$BASE_BRANCH"

          # Allow merge conflicts in `lib`, since rebuilding should resolve them.
-          git merge "origin/$BASE_BRANCH" || echo "Merge conflicts detected, continuing."
-          MERGE_RESULT=$?
+          git merge "origin/$BASE_BRANCH" || echo "Merge conflicts detected"

-          if [ "$MERGE_RESULT" -ne 0 ]; then
-            echo "merge-in-progress=true" >> $GITHUB_OUTPUT
-
-            # Check for merge conflicts outside of `lib`. Disable git diff's trailing whitespace check
-            # since `node_modules/@types/semver/README.md` fails it.
-            if git -c core.whitespace=-trailing-space diff --check | grep --invert-match '^lib/'; then
-              echo "Merge conflicts were detected outside of the lib directory. Please resolve them manually."
-              git -c core.whitespace=-trailing-space diff --check | grep --invert-match '^lib/' || true
-              exit 1
-            fi
-
-            echo "No merge conflicts found outside the lib directory. We should be able to resolve all of" \
-              "these by rebuilding the Action."
+          # Check for merge conflicts outside of `lib`. Disable git diff's trailing whitespace check
+          # since `node_modules/@types/semver/README.md` fails it.
+          if git -c core.whitespace=-trailing-space diff --check | grep --invert-match '^lib/'; then
+            echo "Merge conflicts detected outside of lib/ directory. Please resolve them manually."
+            git -c core.whitespace=-trailing-space diff --check | grep --invert-match '^lib/' || true
+            exit 1
          fi

      - name: Compile TypeScript
@@ -79,49 +60,19 @@ jobs:
          pip install ruamel.yaml==0.17.31
          python3 sync.py

-      - name: "Merge in progress: Finish merge and push"
-        if: steps.merge.outputs.merge-in-progress == 'true'
-        run: |
-          echo "Finishing merge and pushing changes."
-          git add --all
-          git commit --no-edit
-          git push
-
-      - name: "No merge in progress: Check for changes and push"
-        if: steps.merge.outputs.merge-in-progress != 'true'
-        id: push
-        run: |
-          if [ ! -z "$(git status --porcelain)" ]; then
-            echo "Changes detected, committing and pushing."
-            git add --all
-            # If the merge originally had conflicts, finish the merge.
-            # Otherwise, just commit the changes.
-            if git rev-parse --verify MERGE_HEAD >/dev/null 2>&1; then
-              echo "In progress merge detected, finishing it up."
-              git merge --continue
-            else
-              echo "No in-progress merge detected, committing changes."
-              git commit -m "Rebuild"
-            fi
-            echo "Pushing changes"
-            git push
-            echo "changes=true" >> $GITHUB_OUTPUT
-          else
-            echo "No changes detected, nothing to commit."
-          fi
-
-      - name: Notify about rebuild
-        if: >-
-          github.event_name == 'pull_request' &&
-            (
-              steps.merge.outputs.merge-in-progress == 'true' ||
-              steps.push.outputs.changes == 'true'
-            )
+      - name: Check for changes and push
        env:
+          BRANCH: ${{ github.event.pull_request.head.ref }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          PR_NUMBER: ${{ github.event.pull_request.number }}
        run: |
-          echo "Pushed a commit to rebuild the Action." \
-            "Please mark the PR as ready for review to trigger PR checks." |
-            gh pr comment --body-file - --repo github/codeql-action "$PR_NUMBER"
-          gh pr ready --undo --repo github/codeql-action "$PR_NUMBER"
+          if [ ! -z "$(git status --porcelain)" ]; then
+            git config --global user.email "41898282+github-actions[bot]@users.noreply.github.com"
+            git config --global user.name "github-actions[bot]"
+            git commit -am "Rebuild"
+            git push origin "HEAD:$BRANCH"
+            echo "Pushed a commit to rebuild the Action." \
+              "Please mark the PR as ready for review to trigger PR checks." |
+              gh pr comment --body-file - --repo github/codeql-action "$PR_NUMBER"
+            gh pr ready --undo --repo github/codeql-action "$PR_NUMBER"
+          fi
@@ -7,7 +7,7 @@ if [ ! -z "$(git status --porcelain)" ]; then
    >&2 echo "Failed: Repo should be clean before testing!"
    exit 1
 fi
-# Wipe the lib directory in case there are extra unnecessary files in there
+# Wipe the lib directory incase there are extra unnecessary files in there
 rm -rf lib
 # Generate the JavaScript files
 npm run-script build
@@ -1,37 +0,0 @@
-import os
-import sys
-
-EMPTY_CHANGELOG = 'No changes.\n\n'
-
-# Prepare the changelog for the new release
-# This function will extract the part of the changelog that
-# we want to include in the new release.
-def extract_changelog_snippet(changelog_file, version_tag):
-  output = ''
-  if (not os.path.exists(changelog_file)):
-    output = EMPTY_CHANGELOG
-
-  else:
-    with open('CHANGELOG.md', 'r') as f:
-      lines = f.readlines()
-
-      # Include everything up to, but excluding the second heading
-      found_first_section = False
-      for i, line in enumerate(lines):
-        if line.startswith('## '):
-          if found_first_section:
-            break
-          found_first_section = True
-        output += line
-
-  output += f"See the full [CHANGELOG.md](https://github.com/github/codeql-action/blob/{version_tag}/CHANGELOG.md) for more information."
-
-  return output
-
-
-if len(sys.argv) < 3:
-  raise Exception('Expecting argument: changelog_file version_tag')
-changelog_file = sys.argv[1]
-version_tag = sys.argv[2]
-
-print(extract_changelog_snippet(changelog_file, version_tag))
@@ -1,12 +1,9 @@
-#!/bin/bash
-set -eu
-
-if [ "$1" != "update" ] && [ "$1" != "check-only" ]; then
+if [ "$1" != "update" && "$1" != "check-only" ]; then
    >&2 echo "Failed: Invalid argument. Must be 'update' or 'check-only'"
    exit 1
 fi

-npm install --force -g npm@9.2.0
+sudo npm install --force -g npm@9.2.0

 # clean the npm cache to ensure we don't have any files owned by root
 sudo npm cache clean --force
@@ -27,8 +27,8 @@ fi

 echo "Getting checks for $GITHUB_SHA"

-# Ignore any checks with "https://", CodeQL, LGTM, Update, and ESLint checks.
-CHECKS="$(gh api repos/github/codeql-action/commits/"${GITHUB_SHA}"/check-runs --paginate | jq --slurp --compact-output --raw-output '[.[].check_runs.[] | select(.conclusion != "skipped") | .name | select(contains("https://") or . == "CodeQL" or . == "Dependabot" or . == "check-expected-release-files" or contains("Update") or contains("ESLint") or contains("update") or contains("test-setup-python-scripts") | not)] | unique | sort')"
+# Ignore any checks with "https://", CodeQL, LGTM, and Update checks.
+CHECKS="$(gh api repos/github/codeql-action/commits/"${GITHUB_SHA}"/check-runs --paginate | jq --slurp --compact-output --raw-output '[.[].check_runs | .[].name | select(contains("https://") or . == "CodeQL" or . == "Dependabot" or . == "check-expected-release-files" or contains("Update") or contains("update") or contains("test-setup-python-scripts") | not)] | unique | sort')"

 echo "$CHECKS" | jq

@@ -12,7 +12,7 @@ fi
 rm -rf .github/workflows/__*

 # Generate the PR checks
-pr-checks/sync.sh
+cd pr-checks && python3 sync.py

 # Check that repo is still clean
 if [ ! -z "$(git status --porcelain)" ]; then
@@ -2,6 +2,9 @@ name: 'PR Check - CodeQL Bundle All'
 env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  GO111MODULE: auto
+  # Disable Kotlin analysis while it's incompatible with Kotlin 1.8, until we find a
+  # workaround for our PR checks.
+  CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true'
 on:
  push:
    branches:
@@ -19,7 +22,6 @@ on:
 jobs:
  test-codeql-bundle-all:
    strategy:
-      fail-fast: false
      matrix:
        include:
        - os: ubuntu-latest
@@ -27,12 +29,12 @@ jobs:
    name: 'CodeQL Bundle All'
    permissions:
      contents: read
-      security-events: read
+      security-events: write
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
    - name: Check out repository
-      uses: actions/checkout@v5
+      uses: actions/checkout@v4
    - name: Prepare test
      id: prepare-test
      uses: ./.github/actions/prepare-test
@@ -42,12 +44,15 @@ jobs:
    - id: init
      uses: ./../action/init
      with:
-        # We manually exclude Swift from the languages list here, as it is not supported on Ubuntu
-        languages: cpp,csharp,go,java,javascript,python,ruby 
        tools: ${{ steps.prepare-test.outputs.tools-url }}
+    - uses: ./../action/.github/actions/setup-swift
+      with:
+        codeql-path: ${{ steps.init.outputs.codeql-path }}
    - name: Build code
      shell: bash
      run: ./build.sh
    - uses: ./../action/analyze
+      with:
+        upload-database: false
    env:
      CODEQL_ACTION_TEST_MODE: true
@@ -17,9 +17,6 @@ jobs:
  update-bundle:
    if: github.event.release.prerelease && startsWith(github.event.release.tag_name, 'codeql-bundle-')
    runs-on: ubuntu-latest
-    permissions:
-      contents: write # needed to push commits
-      pull-requests: write # needed to create pull requests
    steps:
      - name: Dump environment
        run: env
@@ -29,7 +26,7 @@ jobs:
          GITHUB_CONTEXT: '${{ toJson(github) }}'
        run: echo "$GITHUB_CONTEXT"

-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v4

      - name: Update git config
        run: |
@@ -57,7 +54,7 @@ jobs:
          cli_version=$(jq -r '.cliVersion' src/defaults.json)
          pr_url=$(gh pr create \
            --title "Update default bundle to $cli_version" \
-            --body "This pull request updates the default CodeQL bundle, as used with \`tools: linked\` and on GHES, to $cli_version." \
+            --body "This pull request updates the default CodeQL bundle, as used with \`tools: latest\` and on GHES, to $cli_version." \
            --assignee "$GITHUB_ACTOR" \
            --draft \
          )
@@ -9,12 +9,9 @@ jobs:
    timeout-minutes: 45
    runs-on: macos-latest
    if: contains(github.event.pull_request.labels.*.name, 'Update dependencies') && (github.event.pull_request.head.repo.full_name == 'github/codeql-action')
-    permissions:
-      contents: write # needed to push the updated dependencies
-      pull-requests: write # needed to comment on the PR
    steps:
    - name: Checkout repository
-      uses: actions/checkout@v5
+      uses: actions/checkout@v4

    - name: Remove PR label
      env:
@@ -1,101 +0,0 @@
-name: Update dependency proxy release assets
-on:
-  workflow_dispatch:
-    inputs:
-      tag:
-        description: "The tag of CodeQL Bundle release that contains the proxy binaries as release assets"
-        type: string
-        required: true
-
-jobs:
-  update:
-    name: Update code and create PR
-    timeout-minutes: 15
-    runs-on: ubuntu-latest
-    permissions:
-      contents: write # needed to push the updated files
-      pull-requests: write # needed to create the PR
-    env:
-      RELEASE_TAG: ${{ inputs.tag }}
-    steps:
-      - name: Check release tag format
-        id: checks
-        shell: bash
-        run: |
-          if ! [[ $RELEASE_TAG =~ ^codeql-bundle-v[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
-            echo "Invalid release tag: expected a CodeQL bundle tag in the 'codeql-bundle-vM.N.P' format."
-            exit 1
-          fi
-
-          echo "target_branch=dependency-proxy/$RELEASE_TAG" >> $GITHUB_OUTPUT
-
-      - name: Check that the release exists
-        shell: bash
-        env:
-          GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
-        run: |
-          (gh release view --repo "$GITHUB_REPOSITORY" --json "assets" "$RELEASE_TAG" && echo "Release found.") || exit 1
-
-      - name: Install Node
-        uses: actions/setup-node@v4
-
-      - name: Checkout repository
-        uses: actions/checkout@v5
-        with:
-          fetch-depth: 0  # ensure we have all tags and can push commits
-          ref: main
-
-      - name: Update git config
-        shell: bash
-        run: |
-          git config --global user.email "41898282+github-actions[bot]@users.noreply.github.com"
-          git config --global user.name "github-actions[bot]"
-
-      - name: Update release tag and version
-        shell: bash
-        run: |
-          NOW=$(date +"%Y%m%d%H%M%S") # only used to make sure we don't fetch stale binaries from the toolcache
-          sed -i "s|https://github.com/github/codeql-action/releases/download/codeql-bundle-v[0-9.]\+/|https://github.com/github/codeql-action/releases/download/$RELEASE_TAG/|g" ./src/start-proxy-action.ts
-          sed -i "s/\"v2.0.[0-9]\+\"/\"v2.0.$NOW\"/g" ./src/start-proxy-action.ts
-
-      - name: Compile TypeScript and commit changes
-        shell: bash
-        env:
-          TARGET_BRANCH: ${{ steps.checks.outputs.target_branch }}
-        run: |
-          set -exu
-          git checkout -b "$TARGET_BRANCH"
-
-          npm run build
-          git add ./src/start-proxy-action.ts
-          git add ./lib
-          git commit -m "Update release used by \`start-proxy\` action"
-
-      - name: Push changes and open PR
-        shell: bash
-        env:
-          GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
-          TARGET_BRANCH: ${{ steps.checks.outputs.target_branch }}
-          PR_FLAG: ${{ (github.event_name == 'workflow_dispatch' && '--draft') || '--dry-run' }}
-        run: |
-          set -exu
-          pr_title="Update release used by \`start-proxy\` to \`$RELEASE_TAG\`"
-          pr_body=$(cat << EOF
-            This PR updates the \`start-proxy\` action to use the private registry proxy binaries that
-            are attached as release assets to the \`$RELEASE_TAG\` release.
-
-
-            Please do the following before merging:
-
-            - [ ] Verify that the changes to the code are correct.
-            - [ ] Mark the PR as ready for review to trigger the CI.
-          EOF
-          )
-
-          git push origin "$TARGET_BRANCH"
-          gh pr create \
-            --head "$TARGET_BRANCH" \
-            --base "main" \
-            --title "${pr_title}" \
-            --body "${pr_body}" \
-            $PR_FLAG
@@ -22,10 +22,8 @@ jobs:
      latest_tag: ${{ steps.versions.outputs.latest_tag }}
      backport_source_branch: ${{ steps.branches.outputs.backport_source_branch }}
      backport_target_branches: ${{ steps.branches.outputs.backport_target_branches }}
-    permissions:
-      contents: read
    steps:
-    - uses: actions/checkout@v5
+    - uses: actions/checkout@v4
      with:
        fetch-depth: 0  # Need full history for calculation of diffs
    - uses: ./.github/actions/release-initialise
@@ -65,11 +63,8 @@ jobs:
      REPOSITORY: "${{ github.repository }}"
      MAJOR_VERSION: "${{ needs.prepare.outputs.major_version }}"
      LATEST_TAG: "${{ needs.prepare.outputs.latest_tag }}"
-    permissions:
-      contents: write # needed to push commits
-      pull-requests: write # needed to create pull request
    steps:
-    - uses: actions/checkout@v5
+    - uses: actions/checkout@v4
      with:
        fetch-depth: 0  # Need full history for calculation of diffs
    - uses: ./.github/actions/release-initialise
@@ -109,7 +104,6 @@ jobs:
  backport:
    timeout-minutes: 45
    runs-on: ubuntu-latest
-    environment: Automation
    needs: [prepare]
    if: ${{ (github.event_name == 'push') && needs.prepare.outputs.backport_target_branches != '[]' }}
    strategy:
@@ -119,22 +113,10 @@ jobs:
    env:
      SOURCE_BRANCH: ${{ needs.prepare.outputs.backport_source_branch }}
      TARGET_BRANCH: ${{ matrix.target_branch }}
-    permissions:
-      contents: write # needed to push commits
-      pull-requests: write # needed to create pull request
    steps:
-    - name: Generate token
-      uses: actions/create-github-app-token@v2.1.1
-      id: app-token
-      with:
-        app-id: ${{ vars.AUTOMATION_APP_ID }}
-        private-key: ${{ secrets.AUTOMATION_PRIVATE_KEY }}
-
-    - name: Checkout
-      uses: actions/checkout@v5
+    - uses: actions/checkout@v4
      with:
        fetch-depth: 0  # Need full history for calculation of diffs
-        token: ${{ steps.app-token.outputs.token }}
    - uses: ./.github/actions/release-initialise

    - name: Update older release branch
@@ -10,23 +10,20 @@ jobs:
    name: Update Supported Enterprise Server Versions
    timeout-minutes: 45
    runs-on: ubuntu-latest
-    if: github.repository == 'github/codeql-action'
-    permissions:
-      contents: write # needed to push commits
-      pull-requests: write # needed to create pull request
+    if: ${{ github.repository == 'github/codeql-action' }}

    steps:
      - name: Setup Python
        uses: actions/setup-python@v5
        with:
-          python-version: "3.13"
+          python-version: "3.7"
      - name: Checkout CodeQL Action
-        uses: actions/checkout@v5
+        uses: actions/checkout@v4
      - name: Checkout Enterprise Releases
-        uses: actions/checkout@v5
+        uses: actions/checkout@v4
        with:
          repository: github/enterprise-releases
-          token: ${{ secrets.ENTERPRISE_RELEASE_TOKEN }}
+          ssh-key: ${{ secrets.ENTERPRISE_RELEASES_SSH_KEY }}
          path: ${{ github.workspace }}/enterprise-releases/
      - name: Update Supported Enterprise Server Versions
        run: |
@@ -57,8 +54,7 @@ jobs:
            git push origin update-supported-enterprise-server-versions

            body="This PR updates the list of supported GitHub Enterprise Server versions, either because a new "
-            body+="version is about to be feature frozen, or because an old release has been deprecated."
-            body+=$'\n\n'
+            body+="version is about to be feature frozen, or because an old release has been deprecated.\n\n"
            body+="If an old release has been deprecated, please follow the instructions in CONTRIBUTING.md to "
            body+="deprecate the corresponding version of CodeQL."

@@ -5,7 +5,3 @@ node_modules/.cache/
 *.class
 # macOS
 .DS_Store
-# eslint sarif report
-eslint.sarif
-# for local incremental compilation
-tsconfig.tsbuildinfo
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Henry Mercer	dceb4dabff	Bump version to 2.24.11	2024-05-15 14:38:52 +01:00
Henry Mercer	5f30722379	Update default bundle to codeql-bundle-v2.16.6	2024-05-15 14:38:22 +01:00
Chuan-kai Lin	ffd3158cb9	Merge pull request #2228 from github/backport-v2.24.10-4355270be Merge releases/v3 into releases/v2	2024-04-05 10:06:57 -07:00
github-actions[bot]	82478fb458	Update checked-in dependencies	2024-04-05 16:45:18 +00:00
Chuan-kai Lin	2a96432c79	Resolve conflicts in codeql.ts	2024-04-05 09:11:43 -07:00
github-actions[bot]	93075ceec3	Update version and changelog for v2.24.10	2024-04-05 09:10:26 -07:00
github-actions[bot]	a023017ea9	Merge remote-tracking branch 'origin/releases/v3' into backport-v2.24.10-4355270be # Conflicts: # lib/codeql.js # src/codeql.ts	2024-04-05 15:02:14 +00:00
github-actions[bot]	794eacf375	Revert "Update checked-in dependencies" This reverts commit `61ddd48e03`.	2024-04-05 15:02:13 +00:00
github-actions[bot]	a1559aa4a9	Revert "Update version and changelog for v2.24.9" This reverts commit `abca38cf8c`.	2024-04-05 15:02:13 +00:00
Arthur Baars	a82bad7182	Merge pull request #2210 from github/backport-v2.24.9-1b1aada46 Merge releases/v3 into releases/v2	2024-03-22 12:05:51 +01:00
github-actions[bot]	61ddd48e03	Update checked-in dependencies	2024-03-22 10:40:56 +00:00
github-actions[bot]	abca38cf8c	Update version and changelog for v2.24.9	2024-03-22 10:37:25 +00:00
github-actions[bot]	763babe7ac	Merge remote-tracking branch 'origin/releases/v3' into backport-v2.24.9-1b1aada46	2024-03-22 10:37:20 +00:00
github-actions[bot]	72d46cb780	Revert "Update checked-in dependencies" This reverts commit `f018a9586e`.	2024-03-22 10:37:20 +00:00
github-actions[bot]	0b21c947c0	Revert "Update version and changelog for v2.24.8" This reverts commit `6007966519`.	2024-03-22 10:37:20 +00:00
Henry Mercer	c2dc67199a	Merge pull request #2202 from github/backport-v2.24.8-05963f47d Merge releases/v3 into releases/v2	2024-03-18 15:29:52 +00:00
github-actions[bot]	f018a9586e	Update checked-in dependencies	2024-03-18 15:12:05 +00:00
github-actions[bot]	6007966519	Update version and changelog for v2.24.8	2024-03-18 15:12:02 +00:00
Henry Mercer	efed72eb8f	Remove duplicate header	2024-03-18 15:10:38 +00:00
github-actions[bot]	bcca54f232	Merge remote-tracking branch 'origin/releases/v3' into backport-v2.24.8-05963f47d	2024-03-18 13:57:49 +00:00
github-actions[bot]	76d48637f2	Revert "Update checked-in dependencies" This reverts commit `6046c633c7`.	2024-03-18 13:57:49 +00:00
github-actions[bot]	4821ae1424	Revert "Update version and changelog for v2.24.7" This reverts commit `570dc010e8`.	2024-03-18 13:57:49 +00:00
Angela P Wen	e56cfd0877	Merge pull request #2194 from github/backport-v2.24.7-3ab410190 Merge releases/v3 into releases/v2	2024-03-12 11:24:48 -07:00
github-actions[bot]	6046c633c7	Update checked-in dependencies	2024-03-12 17:53:59 +00:00
Angela P Wen	ed2b6b741f	Manually fix changelog latest version	2024-03-12 13:52:46 -04:00
github-actions[bot]	570dc010e8	Update version and changelog for v2.24.7	2024-03-12 17:49:48 +00:00
github-actions[bot]	1a8046c7f3	Merge remote-tracking branch 'origin/releases/v3' into backport-v2.24.7-3ab410190	2024-03-12 17:49:46 +00:00
github-actions[bot]	8c395e0c45	Revert "Update checked-in dependencies" This reverts commit `2f52385615`.	2024-03-12 17:49:46 +00:00
github-actions[bot]	de22b302a6	Revert "Update version and changelog for v2.24.6" This reverts commit `272cd56763`.	2024-03-12 17:49:45 +00:00
Angela P Wen	928ff8c822	Merge pull request #2180 from github/backport-v2.24.6-8a470fdda Merge releases/v3 into releases/v2	2024-03-01 02:19:43 -08:00
github-actions[bot]	2f52385615	Update checked-in dependencies	2024-02-29 19:02:49 +00:00
Angela P Wen	272cd56763	Update version and changelog for v2.24.6	2024-02-29 19:02:49 +00:00
Angela P Wen	3839e215cc	Merge remote-tracking branch 'origin/releases/v3' into backport-v2.24.6-8a470fdda	2024-02-29 19:02:44 +00:00
Angela P Wen	61f4d893e6	Revert "Update checked-in dependencies" This reverts commit `045d9f3939`.	2024-02-29 17:28:33 +00:00
Angela P Wen	30ad6c3d9e	Revert "Update version and changelog for v2.24.5 - fixed" This reverts commit `a3c8eb3ab0`.	2024-02-29 17:28:33 +00:00
Nick Fyson	78df51c1cc	Merge pull request #2167 from github/nickfyson/fix-v2-changelog-history	2024-02-23 18:07:21 +00:00
github-actions[bot]	045d9f3939	Update checked-in dependencies	2024-02-23 14:57:36 +00:00
nickfyson	a3c8eb3ab0	Update version and changelog for v2.24.5 - fixed	2024-02-23 14:54:56 +00:00
github-actions[bot]	6078595fdf	Update checked-in dependencies	2024-02-23 14:48:52 +00:00
nickfyson	395cdfe20c	restore conflict-free state with head v3 branch	2024-02-23 14:39:06 +00:00
Chris Smowton	a56a03b370	Merge pull request #2166 from github/backport-v2.24.5-633baf86c Merge releases/v3 into releases/v2	2024-02-23 10:56:40 +00:00
github-actions[bot]	05053827ef	Update checked-in dependencies	2024-02-23 10:38:04 +00:00
Nick Fyson	fa5685c7f0	fix the mergeback changelog	2024-02-23 10:36:52 +00:00
github-actions[bot]	8c3591c19a	Update version and changelog for v2.24.5	2024-02-23 10:28:27 +00:00
github-actions[bot]	557a8d2306	Merge remote-tracking branch 'origin/releases/v3' into backport-v2.24.5-633baf86c	2024-02-23 10:28:27 +00:00
github-actions[bot]	7351df07bb	Revert "Update checked-in dependencies" This reverts commit `b882b63a68`.	2024-02-23 10:28:27 +00:00
github-actions[bot]	d15fdd879b	Revert "Update version and changelog for v2.24.4" This reverts commit `8b0f3e6135`.	2024-02-23 10:28:26 +00:00
Nick Fyson	80eb8d5395	Merge pull request #2159 from github/backport-v2.24.4-e2e140ad1 Merge releases/v3 into releases/v2	2024-02-22 13:47:24 +00:00
Nick Fyson	0ddabac401	manually fix problem with changelog produced by automation	2024-02-22 12:45:43 +00:00
github-actions[bot]	b882b63a68	Update checked-in dependencies	2024-02-22 12:00:01 +00:00
github-actions[bot]	8b0f3e6135	Update version and changelog for v2.24.4	2024-02-22 10:38:34 +00:00
github-actions[bot]	8601b9e70a	Merge remote-tracking branch 'origin/releases/v3' into backport-v2.24.4-e2e140ad1	2024-02-22 10:38:31 +00:00
github-actions[bot]	bd94b4c175	Revert "Update checked-in dependencies" This reverts commit `460939e7d8`.	2024-02-22 10:38:31 +00:00
github-actions[bot]	755340a6bd	Revert "Update version and changelog for v2.24.3" This reverts commit `47c8d615ed`.	2024-02-22 10:38:31 +00:00
Angela P Wen	4a8f20f6b9	Merge pull request #2150 from github/backport-v2.24.3-379614612 Merge releases/v3 into releases/v2	2024-02-15 05:14:12 -08:00
github-actions[bot]	460939e7d8	Update checked-in dependencies	2024-02-15 12:55:25 +00:00
Angela P Wen	ceebdeb9fa	Manually fix changelog notes	2024-02-15 12:53:40 +00:00
github-actions[bot]	47c8d615ed	Update version and changelog for v2.24.3	2024-02-15 12:47:29 +00:00
github-actions[bot]	c232c5de9c	Merge remote-tracking branch 'origin/releases/v3' into backport-v2.24.3-379614612	2024-02-15 12:47:28 +00:00
github-actions[bot]	2452b7d8af	Revert "Update checked-in dependencies" This reverts commit `4f50fb3be5`.	2024-02-15 12:47:28 +00:00
github-actions[bot]	4ffed09d48	Revert "Update version and changelog for v2.24.2" This reverts commit `02022337ac`.	2024-02-15 12:47:27 +00:00
Angela P Wen	8b6a45a6ec	Merge pull request #2144 from github/backport-v2.24.2-ece8414c7 Merge releases/v3 into releases/v2	2024-02-15 03:34:09 -08:00
Henry Mercer	2ccdcd5135	Remove duplicate changelog entry	2024-02-15 11:11:50 +00:00
github-actions[bot]	4f50fb3be5	Update checked-in dependencies	2024-02-15 11:10:16 +00:00
Henry Mercer	02022337ac	Update version and changelog for v2.24.2	2024-02-15 11:08:37 +00:00
Henry Mercer	3dafabe4d9	Merge remote-tracking branch 'origin/releases/v3' into backport-v2.24.2-ece8414c7	2024-02-15 11:08:04 +00:00
Henry Mercer	40cd785140	Revert "Update checked-in dependencies" This reverts commit `05d809f630`.	2024-02-15 11:07:08 +00:00
Henry Mercer	10746dd61e	Revert "Update version and changelog for v2.24.1" This reverts commit `d8c4c3a4eb`.	2024-02-15 11:07:08 +00:00
Dave Bartolomeo	1a077f8f6c	Merge pull request #2133 from github/backport-v2.24.1-e675ced7a Merge releases/v3 into releases/v2	2024-02-13 07:50:23 -08:00
github-actions[bot]	05d809f630	Update checked-in dependencies	2024-02-13 15:32:00 +00:00
Henry Mercer	d8c4c3a4eb	Update version and changelog for v2.24.1	2024-02-13 15:28:16 +00:00
Henry Mercer	b301568384	Merge remote-tracking branch 'origin/releases/v3' into backport-v2.24.1-e675ced7a	2024-02-13 15:28:12 +00:00
Henry Mercer	f5c8be0ac1	Revert "Update checked-in dependencies" This reverts commit `f822fa3067`.	2024-02-13 15:23:47 +00:00
Henry Mercer	4504810aa1	Revert "Update version and changelog for v2.24.0" This reverts commit `3ed798ed18`.	2024-02-13 15:23:47 +00:00
Henry Mercer	dc021d495c	Merge pull request #2115 from github/backport-v2.24.0-e8893c57a Merge releases/v3 into releases/v2	2024-02-02 19:23:13 +00:00
github-actions[bot]	f822fa3067	Update checked-in dependencies	2024-02-02 18:37:21 +00:00
github-actions[bot]	3ed798ed18	Update version and changelog for v2.24.0	2024-02-02 18:32:37 +00:00
github-actions[bot]	5b498ba405	Merge remote-tracking branch 'origin/releases/v3' into backport-v2.24.0-e8893c57a	2024-02-02 18:32:36 +00:00
github-actions[bot]	7dde705407	Revert "Update checked-in dependencies" This reverts commit `c98f2c953c`.	2024-02-02 18:32:36 +00:00
github-actions[bot]	c004a3e831	Revert "Update version and changelog for v2.23.2" This reverts commit `554c990fe8`.	2024-02-02 18:32:36 +00:00
Henry Mercer	2f93e4319b	Merge pull request #2102 from github/backport-v2.23.2-b7bf0a3ed Merge releases/v3 into releases/v2	2024-01-26 15:16:55 +00:00
github-actions[bot]	c98f2c953c	Update checked-in dependencies	2024-01-26 14:39:53 +00:00
github-actions[bot]	554c990fe8	Update version and changelog for v2.23.2	2024-01-26 14:35:10 +00:00
github-actions[bot]	abe5934e80	Merge remote-tracking branch 'origin/releases/v3' into backport-v2.23.2-b7bf0a3ed	2024-01-26 14:35:04 +00:00
github-actions[bot]	8879ae88d9	Revert "Update checked-in dependencies" This reverts commit `554005d264`.	2024-01-26 14:35:04 +00:00
github-actions[bot]	01e8d7f881	Revert "Update version and changelog for v2.23.1" This reverts commit `fb29452d38`.	2024-01-26 14:35:04 +00:00
Henry Mercer	4759df8df7	Merge pull request #2091 from github/backport-v2.23.1-0b21cf249 Merge releases/v3 into releases/v2	2024-01-17 17:39:22 +00:00
github-actions[bot]	554005d264	Update checked-in dependencies	2024-01-17 16:52:17 +00:00
github-actions[bot]	fb29452d38	Update version and changelog for v2.23.1	2024-01-17 16:25:35 +00:00
github-actions[bot]	13884cb7d7	Merge remote-tracking branch 'origin/releases/v3' into backport-v2.23.1-0b21cf249	2024-01-17 16:25:34 +00:00
github-actions[bot]	ac64986f93	Revert "Update checked-in dependencies" This reverts commit `e24bd8fed4`.	2024-01-17 16:25:34 +00:00
github-actions[bot]	cdcacf8b4f	Revert "Update version and changelog for v2.23.0" This reverts commit `8f2682add5`.	2024-01-17 16:25:34 +00:00
Henry Mercer	8b7fcbfac2	Merge pull request #2069 from github/backport-v2.23.0-e5f05b81d Merge releases/v3 into releases/v2	2024-01-08 13:43:00 +00:00
github-actions[bot]	e24bd8fed4	Update checked-in dependencies	2024-01-08 13:12:16 +00:00
Henry Mercer	8f2682add5	Update version and changelog for v2.23.0	2024-01-08 13:05:17 +00:00
Henry Mercer	8f5ae1a11a	Merge remote-tracking branch 'origin/releases/v3' into backport-v2.23.0-e5f05b81d	2024-01-08 13:04:05 +00:00
Henry Mercer	99d337aef5	Revert "Update checked-in dependencies" This reverts commit `d6286c6fdb`.	2024-01-08 13:04:04 +00:00
Henry Mercer	997d889b5d	Revert "Update version and changelog for v2.22.12" This reverts commit `9c74de20cb`.	2024-01-08 13:04:04 +00:00
Angela P Wen	1500a13138	Merge pull request #2054 from github/backport-v2.22.12-012739e50 * Bump the npm group with 4 updates Bumps the npm group with 4 updates: [@octokit/types](https://github.com/octokit/types.ts), [@typescript-eslint/eslint-plugin](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/eslint-plugin), [@typescript-eslint/parser](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/parser) and [typescript](https://github.com/Microsoft/TypeScript). Updates `@octokit/types` from 12.3.0 to 12.4.0 - [Release notes](https://github.com/octokit/types.ts/releases) - [Commits](https://github.com/octokit/types.ts/compare/v12.3.0...v12.4.0) Updates `@typescript-eslint/eslint-plugin` from 6.13.2 to 6.14.0 - [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases) - [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/eslint-plugin/CHANGELOG.md) - [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v6.14.0/packages/eslint-plugin) Updates `@typescript-eslint/parser` from 6.13.2 to 6.14.0 - [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases) - [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/parser/CHANGELOG.md) - [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v6.14.0/packages/parser) Updates `typescript` from 5.3.2 to 5.3.3 - [Release notes](https://github.com/Microsoft/TypeScript/releases) - [Commits](https://github.com/Microsoft/TypeScript/compare/v5.3.2...v5.3.3) --- updated-dependencies: - dependency-name: "@octokit/types" dependency-type: direct:production update-type: version-update:semver-minor dependency-group: npm - dependency-name: "@typescript-eslint/eslint-plugin" dependency-type: direct:development update-type: version-update:semver-minor dependency-group: npm - dependency-name: "@typescript-eslint/parser" dependency-type: direct:development update-type: version-update:semver-minor dependency-group: npm - dependency-name: typescript dependency-type: direct:development update-type: version-update:semver-patch dependency-group: npm ... Signed-off-by: dependabot[bot] <support@github.com> * Update checked-in dependencies * Update changelog and version after v3.22.11 * Update checked-in dependencies * improve handling of changelog processing for backports * change version numbers inside processing function as well * Apply suggestions from code review Co-authored-by: Henry Mercer <henry.mercer@me.com> * rename regex for clarity * preserve trailing whitespace when transforming CHANGELOG * raise explicit exception if EOF found when looking for changelog sections * add note on versioning approach to changelog * Bump the npm group with 2 updates (#2045) * Bump the npm group with 2 updates Bumps the npm group with 2 updates: [eslint](https://github.com/eslint/eslint) and [eslint-plugin-import](https://github.com/import-js/eslint-plugin-import). Updates `eslint` from 8.55.0 to 8.56.0 - [Release notes](https://github.com/eslint/eslint/releases) - [Changelog](https://github.com/eslint/eslint/blob/main/CHANGELOG.md) - [Commits](https://github.com/eslint/eslint/compare/v8.55.0...v8.56.0) Updates `eslint-plugin-import` from 2.29.0 to 2.29.1 - [Release notes](https://github.com/import-js/eslint-plugin-import/releases) - [Changelog](https://github.com/import-js/eslint-plugin-import/blob/main/CHANGELOG.md) - [Commits](https://github.com/import-js/eslint-plugin-import/compare/v2.29.0...v2.29.1) --- updated-dependencies: - dependency-name: eslint dependency-type: direct:development update-type: version-update:semver-minor dependency-group: npm - dependency-name: eslint-plugin-import dependency-type: direct:development update-type: version-update:semver-patch dependency-group: npm ... Signed-off-by: dependabot[bot] <support@github.com> * Update checked-in dependencies --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> * clarify comment on versions in the changelog * clarify comment on versions in the changelog * Update default bundle to codeql-bundle-v2.15.5 * Add changelog note * update required checks script to handle release branches * add note about backporting check changes to v2 branch * Fix type error * Typecast `OLDEST_SUPPORTED_MAJOR_VERSION` when defined * Update changelog for v3.22.12 * Revert "Update version and changelog for v2.22.11" This reverts commit `e763762131`. * Revert "Update checked-in dependencies" This reverts commit `20d1a9b175`. * Update version and changelog for v2.22.12 * Update checked-in dependencies * Resolve conflicts in v3->v2.22.12 merge --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: Henry Mercer <henry.mercer@me.com> Co-authored-by: Nick Fyson <nickfyson@github.com> Co-authored-by: Aditya Sharad <6874315+adityasharad@users.noreply.github.com> Co-authored-by: Angela P Wen <angelapwen@github.com> Co-authored-by: Aditya Sharad <adityasharad@github.com>	2023-12-22 08:39:43 -08:00
Aditya Sharad	0d318c9f1a	Resolve conflicts in v3->v2.22.12 merge	2023-12-22 06:58:29 -08:00
github-actions[bot]	d6286c6fdb	Update checked-in dependencies	2023-12-22 04:01:00 +00:00
github-actions[bot]	9c74de20cb	Update version and changelog for v2.22.12	2023-12-22 00:47:08 +00:00
github-actions[bot]	49a6ae4966	Merge remote-tracking branch 'origin/releases/v3' into backport-v2.22.12-012739e50 # Conflicts: # CONTRIBUTING.md	2023-12-22 00:47:04 +00:00
github-actions[bot]	3366e3bbdd	Revert "Update checked-in dependencies" This reverts commit `20d1a9b175`.	2023-12-22 00:47:03 +00:00
github-actions[bot]	844fc3cd56	Revert "Update version and changelog for v2.22.11" This reverts commit `e763762131`.	2023-12-22 00:47:03 +00:00
Nick Fyson	5a201efe22	Merge pull request #2048 from github/nickfyson/backport-js-checks	2023-12-20 19:21:03 +00:00
nickfyson	c9f92aa25f	backport checks changes to v2 branch	2023-12-20 14:23:29 +00:00
Nick Fyson	03e7845b7b	Merge pull request #2036 from github/backport-v2.22.11-b374143c1 Merge releases/v3 into releases/v2	2023-12-13 20:40:33 +00:00
github-actions[bot]	54f10077ea	Rebuild	2023-12-13 20:11:03 +00:00
github-actions[bot]	20d1a9b175	Update checked-in dependencies	2023-12-13 20:08:43 +00:00
Nick Fyson	c28d79bb2e	Update src/codeql.ts Co-authored-by: Henry Mercer <henry.mercer@me.com>	2023-12-13 20:05:23 +00:00
nickfyson	241e8b42b2	Revert "switch check sarif action to node20" This reverts commit `0bc194ee69`.	2023-12-13 20:05:23 +00:00
nickfyson	8bc67d15e2	Revert "update javascript files" This reverts commit `3a9f6a89e0`.	2023-12-13 20:05:23 +00:00
nickfyson	e106171cbb	Revert "reintroduce PR check that confirm action can be still be compiled on node16" This reverts commit `5b52b36d41`.	2023-12-13 20:05:23 +00:00
nickfyson	231f9f1b59	Revert "upgrade node type definitions" This reverts commit `f2d0c2e7ae`.	2023-12-13 20:05:23 +00:00
nickfyson	47334bf4e9	Revert "change to node20 for all actions" This reverts commit `d651fbc494`.	2023-12-13 20:05:23 +00:00
github-actions[bot]	e763762131	Update version and changelog for v2.22.11	2023-12-13 20:05:18 +00:00