Merge pull request #2757 from github/update-v3.28.9-24e1c2d33

Merge main into releases/v3
Update changelog for v3.28.9
2026-05-03 20:30:09 +00:00 · 2025-02-07 11:34:10 +01:00 · 2025-02-07 10:18:39 +00:00 · 2025-02-06 11:59:36 +01:00 · 2025-02-04 11:22:54 +00:00 · 2025-02-04 11:22:50 +00:00
1448 changed files with 101755 additions and 61635 deletions
@@ -0,0 +1,4 @@
+# Configuration for the CodeQL Actions Queries
+name: "CodeQL Actions Queries config"
+queries:
+  - uses: security-and-quality
@@ -32,7 +32,7 @@ jobs:
    name: All-platform bundle
    permissions:
      contents: read
-      security-events: write
+      security-events: read
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
@@ -36,7 +36,7 @@ jobs:
    name: "Analyze: 'ref' and 'sha' from inputs"
    permissions:
      contents: read
-      security-events: write
+      security-events: read
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
@@ -36,7 +36,7 @@ jobs:
    name: autobuild-action
    permissions:
      contents: read
-      security-events: write
+      security-events: read
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
@@ -38,7 +38,7 @@ jobs:
    name: Autobuild direct tracing (custom working directory)
    permissions:
      contents: read
-      security-events: write
+      security-events: read
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
@@ -38,7 +38,7 @@ jobs:
    name: Autobuild direct tracing
    permissions:
      contents: read
-      security-events: write
+      security-events: read
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
@@ -32,7 +32,7 @@ jobs:
    name: Build mode autobuild
    permissions:
      contents: read
-      security-events: write
+      security-events: read
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
@@ -32,7 +32,7 @@ jobs:
    name: Build mode manual
    permissions:
      contents: read
-      security-events: write
+      security-events: read
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
@@ -34,7 +34,7 @@ jobs:
    name: Build mode none
    permissions:
      contents: read
-      security-events: write
+      security-events: read
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
@@ -32,7 +32,7 @@ jobs:
    name: Build mode rollback
    permissions:
      contents: read
-      security-events: write
+      security-events: read
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
@@ -32,7 +32,7 @@ jobs:
    name: Clean up database cluster directory
    permissions:
      contents: read
-      security-events: write
+      security-events: read
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
@@ -42,7 +42,7 @@ jobs:
    name: Config export
    permissions:
      contents: read
-      security-events: write
+      security-events: read
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
@@ -32,7 +32,7 @@ jobs:
    name: Config input
    permissions:
      contents: read
-      security-events: write
+      security-events: read
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
@@ -36,7 +36,7 @@ jobs:
    name: 'C/C++: disabling autoinstalling dependencies (Linux)'
    permissions:
      contents: read
-      security-events: write
+      security-events: read
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
@@ -32,7 +32,7 @@ jobs:
    name: 'C/C++: autoinstalling dependencies is skipped (macOS)'
    permissions:
      contents: read
-      security-events: write
+      security-events: read
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
@@ -36,7 +36,7 @@ jobs:
    name: 'C/C++: autoinstalling dependencies (Linux)'
    permissions:
      contents: read
-      security-events: write
+      security-events: read
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
@@ -42,7 +42,7 @@ jobs:
    name: Diagnostic export
    permissions:
      contents: read
-      security-events: write
+      security-events: read
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
@@ -36,7 +36,7 @@ jobs:
    name: Export file baseline information
    permissions:
      contents: read
-      security-events: write
+      security-events: read
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
@@ -36,7 +36,7 @@ jobs:
    name: Extract directly to toolcache
    permissions:
      contents: read
-      security-events: write
+      security-events: read
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
@@ -32,7 +32,7 @@ jobs:
    name: Extractor ram and threads options test
    permissions:
      contents: read
-      security-events: write
+      security-events: read
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
@@ -34,7 +34,7 @@ jobs:
    name: 'Go: Custom queries'
    permissions:
      contents: read
-      security-events: write
+      security-events: read
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
@@ -32,7 +32,7 @@ jobs:
    name: 'Go: diagnostic when Go is changed after init step'
    permissions:
      contents: read
-      security-events: write
+      security-events: read
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
@@ -32,7 +32,7 @@ jobs:
    name: 'Go: diagnostic when `file` is not installed'
    permissions:
      contents: read
-      security-events: write
+      security-events: read
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
@@ -32,7 +32,7 @@ jobs:
    name: 'Go: workaround for indirect tracing'
    permissions:
      contents: read
-      security-events: write
+      security-events: read
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
@@ -62,7 +62,7 @@ jobs:
    name: 'Go: tracing with autobuilder step'
    permissions:
      contents: read
-      security-events: write
+      security-events: read
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
@@ -62,7 +62,7 @@ jobs:
    name: 'Go: tracing with custom build steps'
    permissions:
      contents: read
-      security-events: write
+      security-events: read
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
@@ -62,7 +62,7 @@ jobs:
    name: 'Go: tracing with legacy workflow'
    permissions:
      contents: read
-      security-events: write
+      security-events: read
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
@@ -36,7 +36,7 @@ jobs:
    name: Custom source root
    permissions:
      contents: read
-      security-events: write
+      security-events: read
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
@@ -32,7 +32,7 @@ jobs:
    name: Job run UUID added to SARIF
    permissions:
      contents: read
-      security-events: write
+      security-events: read
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
@@ -32,7 +32,7 @@ jobs:
    name: Language aliases
    permissions:
      contents: read
-      security-events: write
+      security-events: read
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
@@ -62,7 +62,7 @@ jobs:
    name: Multi-language repository
    permissions:
      contents: read
-      security-events: write
+      security-events: read
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
@@ -48,7 +48,7 @@ jobs:
    name: 'Packaging: Config and input passed to the CLI'
    permissions:
      contents: read
-      security-events: write
+      security-events: read
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
@@ -48,7 +48,7 @@ jobs:
    name: 'Packaging: Config and input'
    permissions:
      contents: read
-      security-events: write
+      security-events: read
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
@@ -48,7 +48,7 @@ jobs:
    name: 'Packaging: Config file'
    permissions:
      contents: read
-      security-events: write
+      security-events: read
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
@@ -48,7 +48,7 @@ jobs:
    name: 'Packaging: Action input'
    permissions:
      contents: read
-      security-events: write
+      security-events: read
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
@@ -34,7 +34,7 @@ jobs:
    name: Remote config file
    permissions:
      contents: read
-      security-events: write
+      security-events: read
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
@@ -48,7 +48,7 @@ jobs:
    name: Resolve environment
    permissions:
      contents: read
-      security-events: write
+      security-events: read
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
@@ -32,7 +32,7 @@ jobs:
    name: RuboCop multi-language
    permissions:
      contents: read
-      security-events: write
+      security-events: read
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
@@ -46,7 +46,7 @@ jobs:
          use-all-platform-bundle: 'false'
          setup-kotlin: 'true'
      - name: Set up Ruby
-        uses: ruby/setup-ruby@v1
+        uses: ruby/setup-ruby@2654679fe7f7c29875c669398a8ec0791b8a64a1 # v1.215.0
        with:
          ruby-version: 2.6
      - name: Install Code Scanning integration
@@ -42,7 +42,7 @@ jobs:
    name: Ruby analysis
    permissions:
      contents: read
-      security-events: write
+      security-events: read
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
@@ -42,7 +42,7 @@ jobs:
    name: Split workflow
    permissions:
      contents: read
-      security-events: write
+      security-events: read
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
@@ -36,7 +36,7 @@ jobs:
    name: Start proxy
    permissions:
      contents: read
-      security-events: write
+      security-events: read
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
@@ -36,7 +36,8 @@ jobs:
    name: Submit SARIF after failure
    permissions:
      contents: read
-      security-events: write
+      security-events: write # needed to upload the SARIF file
+
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
@@ -32,7 +32,7 @@ jobs:
    name: Swift analysis using autobuild
    permissions:
      contents: read
-      security-events: write
+      security-events: read
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
@@ -36,7 +36,7 @@ jobs:
    name: Swift analysis using a custom build command
    permissions:
      contents: read
-      security-events: write
+      security-events: read
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
@@ -32,7 +32,7 @@ jobs:
    name: Autobuild working directory
    permissions:
      contents: read
-      security-events: write
+      security-events: read
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
@@ -32,7 +32,7 @@ jobs:
    name: Local CodeQL bundle
    permissions:
      contents: read
-      security-events: write
+      security-events: read
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
@@ -34,7 +34,7 @@ jobs:
    name: Proxy test
    permissions:
      contents: read
-      security-events: write
+      security-events: read
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
@@ -34,7 +34,7 @@ jobs:
    name: Test unsetting environment variables
    permissions:
      contents: read
-      security-events: write
+      security-events: read
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
@@ -36,7 +36,7 @@ jobs:
    name: "Upload-sarif: 'ref' and 'sha' from inputs"
    permissions:
      contents: read
-      security-events: write
+      security-events: read
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
@@ -36,7 +36,7 @@ jobs:
    name: Use a custom `checkout_path`
    permissions:
      contents: read
-      security-events: write
+      security-events: read
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
@@ -34,7 +34,7 @@ jobs:
    name: Zstandard bundle (streaming)
    permissions:
      contents: read
-      security-events: write
+      security-events: read
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
@@ -36,7 +36,7 @@ jobs:
    name: Zstandard bundle
    permissions:
      contents: read
-      security-events: write
+      security-events: read
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
@@ -13,6 +13,9 @@ jobs:
  check-expected-release-files:
    runs-on: ubuntu-latest

+    permissions:
+      contents: read
+
    steps:
      - name: Checkout CodeQL Action
        uses: actions/checkout@v4
@@ -24,7 +24,7 @@ jobs:
      versions: ${{ steps.compare.outputs.versions }}

    permissions:
-      security-events: write
+      contents: read

    steps:
    - uses: actions/checkout@v4
@@ -70,7 +70,7 @@ jobs:
        echo "Suggested matrix config for analysis job: $VERSIONS_JSON"
        echo "versions=${VERSIONS_JSON}" >> $GITHUB_OUTPUT

-  build:
+  analyze-javascript:
    needs: [check-codeql-versions]
    strategy:
      fail-fast: false
@@ -80,6 +80,7 @@ jobs:
    runs-on: ${{ matrix.os }}

    permissions:
+      contents: read
      security-events: write

    steps:
@@ -99,3 +100,27 @@ jobs:
      uses: ./analyze
      with:
        category: "/language:javascript"
+
+
+  analyze-actions:
+    runs-on: ubuntu-latest
+
+    strategy:
+      fail-fast: false
+
+    permissions:
+      contents: read
+      security-events: write
+
+    steps:
+    - name: Checkout
+      uses: actions/checkout@v4
+    - name: Initialize CodeQL
+      uses: ./init
+      with:
+        languages: actions
+        config-file: ./.github/codeql/codeql-actions-config.yml
+    - name: Perform CodeQL Analysis
+      uses: ./analyze
+      with:
+        category: "/language:actions"
@@ -23,6 +23,11 @@ jobs:
  code-scanning-config-tests:
    continue-on-error: true

+    permissions:
+      contents: read
+      packages: read
+      security-events: read
+
    strategy:
      fail-fast: false
      matrix:
@@ -19,10 +19,20 @@ on:
  workflow_dispatch: {}
 jobs:
  upload-artifacts:
+    strategy:
+      fail-fast: false
+      matrix:
+        version:
+        - stable-v2.20.3
+        - default
+        - linked
+        - nightly-latest
    name: Upload debug artifacts after failure in analyze
    continue-on-error: true
    env:
      CODEQL_ACTION_TEST_MODE: true
+    permissions:
+      contents: read
    timeout-minutes: 45
    runs-on: ubuntu-latest
    steps:
@@ -34,7 +44,7 @@ jobs:
        id: prepare-test
        uses: ./.github/actions/prepare-test
        with:
-          version: linked
+          version: ${{ matrix.version }}
      - uses: actions/setup-go@v5
        with:
          go-version: ^1.13.1
@@ -58,6 +68,8 @@ jobs:
    name: Download and check debug artifacts after failure in analyze
    needs: upload-artifacts
    timeout-minutes: 45
+    permissions:
+      contents: read
    runs-on: ubuntu-latest
    steps:
      - name: Download all artifacts
@@ -66,22 +78,25 @@ jobs:
        shell: bash
        run: |
          LANGUAGES="cpp csharp go java javascript python"
-          cd "./my-debug-artifacts"
-          echo "Artifacts from run:"
-          for language in $LANGUAGES; do
-            echo "- Checking $language"
-            if [[ ! -f "my-db-$language-partial.zip" ]] ; then
-              echo "Missing a partial database bundle for $language"
-              exit 1
-            fi
-            if [[ ! -d "log" ]] ; then
-              echo "Missing database initialization logs"
-              exit 1
-            fi
-            if [[ ! "$language" == "go" ]] && [[ ! -d "$language/log" ]] ; then
-              echo "Missing logs for $language"
-              exit 1
-            fi
+          for version in $VERSIONS; do
+            echo "Artifacts from version $version:"
+            pushd "./my-debug-artifacts-${version//./}"
+            for language in $LANGUAGES; do
+              echo "- Checking $language"
+              if [[ ! -f "my-db-$language-partial.zip" ]] ; then
+                echo "Missing a partial database bundle for $language"
+                exit 1
+              fi
+              if [[ ! -d "log" ]] ; then
+                echo "Missing database initialization logs"
+                exit 1
+              fi
+              if [[ ! "$language" == "go" ]] && [[ ! -d "$language/log" ]] ; then
+                echo "Missing logs for $language"
+                exit 1
+              fi
+            done
+            popd
          done
        env:
          GO111MODULE: auto
@@ -22,11 +22,7 @@ jobs:
      fail-fast: false
      matrix:
        version:
-        - stable-v2.15.5
-        - stable-v2.16.6
-        - stable-v2.17.6
-        - stable-v2.18.4
-        - stable-v2.19.4
+        - stable-v2.20.3
        - default
        - linked
        - nightly-latest
@@ -34,6 +30,8 @@ jobs:
    env:
      CODEQL_ACTION_TEST_MODE: true
    timeout-minutes: 45
+    permissions:
+      contents: read
    runs-on: ubuntu-latest
    steps:
      - name: Check out repository
@@ -64,6 +62,8 @@ jobs:
    name: Download and check debug artifacts
    needs: upload-artifacts
    timeout-minutes: 45
+    permissions:
+      contents: read
    runs-on: ubuntu-latest
    steps:
      - name: Download all artifacts
@@ -71,7 +71,7 @@ jobs:
      - name: Check expected artifacts exist
        shell: bash
        run: |
-          VERSIONS="stable-v2.15.5 stable-v2.16.6 stable-v2.17.6 stable-v2.18.4 stable-v2.19.4 default linked nightly-latest"
+          VERSIONS="stable-v2.20.3 default linked nightly-latest"
          LANGUAGES="cpp csharp go java javascript python"
          for version in $VERSIONS; do
            pushd "./my-debug-artifacts-${version//./}"
@@ -24,7 +24,7 @@ jobs:
    runs-on: ubuntu-latest
    permissions:
      contents: read
-      security-events: write
+      security-events: read
    steps:
    - name: Check out repository
      uses: actions/checkout@v4
@@ -27,6 +27,10 @@ jobs:
      BASE_BRANCH: "${{ github.event.inputs.baseBranch || 'main' }}"
      HEAD_BRANCH: "${{ github.head_ref || github.ref }}"

+    permissions:
+      contents: write # needed to create tags and push commits
+      pull-requests: write
+
    steps:
      - name: Dump environment
        run: env
@@ -164,7 +168,7 @@ jobs:
            --draft

      - name: Generate token
-        uses: actions/create-github-app-token@c1a285145b9d317df6ced56c09f525b5c2b6f755
+        uses: actions/create-github-app-token@136412a57a7081aa63c935a2cc2918f76c34f514
        id: app-token
        with:
          app-id: ${{ vars.AUTOMATION_APP_ID }}
@@ -15,7 +15,7 @@ jobs:
    timeout-minutes: 45
    permissions:
      contents: read
-      security-events: write
+      security-events: write # needed to upload ESLint results

    strategy:
      fail-fast: false
@@ -40,6 +40,8 @@ jobs:
  check-node-modules:
    if: github.event_name != 'push' || github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/heads/releases/v')
    name: Check modules up to date
+    permissions:
+      contents: read
    runs-on: macos-latest
    timeout-minutes: 45

@@ -51,6 +53,8 @@ jobs:
  check-file-contents:
    if: github.event_name != 'push' || github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/heads/releases/v')
    name: Check file contents
+    permissions:
+      contents: read
    runs-on: ubuntu-latest
    timeout-minutes: 45

@@ -81,6 +85,8 @@ jobs:
      fail-fast: false
      matrix:
        os: [ubuntu-latest, macos-latest, windows-latest]
+    permissions:
+      contents: read
    runs-on: ${{ matrix.os }}
    timeout-minutes: 45

@@ -101,6 +107,9 @@ jobs:
    env:
      BASE_REF: ${{ github.base_ref }}

+    permissions:
+      contents: read
+
    steps:
      - uses: actions/checkout@v4
      - id: head-version
@@ -17,6 +17,8 @@ jobs:
    env:
      CODEQL_ACTION_TEST_MODE: true
    timeout-minutes: 45
+    permissions:
+      contents: read
    runs-on: windows-latest

    steps:
@@ -20,6 +20,8 @@ jobs:
    name: Query Filters Tests
    timeout-minutes: 45
    runs-on: ubuntu-latest
+    permissions:
+      contents: read # This permission is needed to allow the GitHub Actions workflow to read the contents of the repository.
    steps:
    - name: Check out repository
      uses: actions/checkout@v4
@@ -11,6 +11,9 @@ jobs:
    runs-on: ubuntu-latest
    if: github.event.label.name == 'Rebuild'

+    permissions:
+      contents: write # needed to push rebuilt commit
+      pull-requests: write # needed to comment on the PR
    steps:
      - name: Checkout
        uses: actions/checkout@v4
@@ -27,7 +27,7 @@ jobs:
    name: 'CodeQL Bundle All'
    permissions:
      contents: read
-      security-events: write
+      security-events: read
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
@@ -17,6 +17,9 @@ jobs:
  update-bundle:
    if: github.event.release.prerelease && startsWith(github.event.release.tag_name, 'codeql-bundle-')
    runs-on: ubuntu-latest
+    permissions:
+      contents: write # needed to push commits
+      pull-requests: write # needed to create pull requests
    steps:
      - name: Dump environment
        run: env
@@ -9,6 +9,9 @@ jobs:
    timeout-minutes: 45
    runs-on: macos-latest
    if: contains(github.event.pull_request.labels.*.name, 'Update dependencies') && (github.event.pull_request.head.repo.full_name == 'github/codeql-action')
+    permissions:
+      contents: write # needed to push the updated dependencies
+      pull-requests: write # needed to comment on the PR
    steps:
    - name: Checkout repository
      uses: actions/checkout@v4
@@ -22,6 +22,8 @@ jobs:
      latest_tag: ${{ steps.versions.outputs.latest_tag }}
      backport_source_branch: ${{ steps.branches.outputs.backport_source_branch }}
      backport_target_branches: ${{ steps.branches.outputs.backport_target_branches }}
+    permissions:
+      contents: read
    steps:
    - uses: actions/checkout@v4
      with:
@@ -63,6 +65,9 @@ jobs:
      REPOSITORY: "${{ github.repository }}"
      MAJOR_VERSION: "${{ needs.prepare.outputs.major_version }}"
      LATEST_TAG: "${{ needs.prepare.outputs.latest_tag }}"
+    permissions:
+      contents: write # needed to push commits
+      pull-requests: write # needed to create pull request
    steps:
    - uses: actions/checkout@v4
      with:
@@ -114,9 +119,12 @@ jobs:
    env:
      SOURCE_BRANCH: ${{ needs.prepare.outputs.backport_source_branch }}
      TARGET_BRANCH: ${{ matrix.target_branch }}
+    permissions:
+      contents: write # needed to push commits
+      pull-requests: write # needed to create pull request
    steps:
    - name: Generate token
-      uses: actions/create-github-app-token@c1a285145b9d317df6ced56c09f525b5c2b6f755
+      uses: actions/create-github-app-token@136412a57a7081aa63c935a2cc2918f76c34f514
      id: app-token
      with:
        app-id: ${{ vars.AUTOMATION_APP_ID }}
@@ -10,20 +10,23 @@ jobs:
    name: Update Supported Enterprise Server Versions
    timeout-minutes: 45
    runs-on: ubuntu-latest
-    if: ${{ github.repository == 'github/codeql-action' }}
+    if: github.repository == 'github/codeql-action'
+    permissions:
+      contents: write # needed to push commits
+      pull-requests: write # needed to create pull request

    steps:
      - name: Setup Python
        uses: actions/setup-python@v5
        with:
-          python-version: "3.7"
+          python-version: "3.13"
      - name: Checkout CodeQL Action
        uses: actions/checkout@v4
      - name: Checkout Enterprise Releases
        uses: actions/checkout@v4
        with:
          repository: github/enterprise-releases
-          ssh-key: ${{ secrets.ENTERPRISE_RELEASES_SSH_KEY }}
+          token: ${{ secrets.ENTERPRISE_RELEASE_TOKEN }}
          path: ${{ github.workspace }}/enterprise-releases/
      - name: Update Supported Enterprise Server Versions
        run: |
@@ -2,10 +2,36 @@

 See the [releases page](https://github.com/github/codeql-action/releases) for the relevant changes to the CodeQL CLI and language packs.

-## [UNRELEASED]
+## 3.28.9 - 07 Feb 2025
+
+- Update default CodeQL bundle version to 2.20.4. [#2753](https://github.com/github/codeql-action/pull/2753)
+
+## 3.28.8 - 29 Jan 2025
+
+- Enable support for Kotlin 2.1.10 when running with CodeQL CLI v2.20.3. [#2744](https://github.com/github/codeql-action/pull/2744)
+
+## 3.28.7 - 29 Jan 2025

 No user facing changes.

+## 3.28.6 - 27 Jan 2025
+
+- Re-enable debug artifact upload for CLI versions 2.20.3 or greater. [#2726](https://github.com/github/codeql-action/pull/2726)
+
+## 3.28.5 - 24 Jan 2025
+
+- Update default CodeQL bundle version to 2.20.3. [#2717](https://github.com/github/codeql-action/pull/2717)
+
+## 3.28.4 - 23 Jan 2025
+
+No user facing changes.
+
+## 3.28.3 - 22 Jan 2025
+
+- Update default CodeQL bundle version to 2.20.2. [#2707](https://github.com/github/codeql-action/pull/2707)
+- Fix an issue downloading the CodeQL Bundle from a GitHub Enterprise Server instance which occurred when the CodeQL Bundle had been synced to the instance using the [CodeQL Action sync tool](https://github.com/github/codeql-action-sync-tool) and the Actions runner did not have Zstandard installed. [#2710](https://github.com/github/codeql-action/pull/2710)
+- Uploading debug artifacts for CodeQL analysis is temporarily disabled. [#2712](https://github.com/github/codeql-action/pull/2712)
+
 ## 3.28.2 - 21 Jan 2025

 No user facing changes.
@@ -41,6 +41,7 @@ Object.defineProperty(exports, "__esModule", { value: true });
 const core = __importStar(require("@actions/core"));
 const actionsUtil = __importStar(require("./actions-util"));
 const api_client_1 = require("./api-client");
+const codeql_1 = require("./codeql");
 const config_utils_1 = require("./config-utils");
 const debugArtifacts = __importStar(require("./debug-artifacts"));
 const environment_1 = require("./environment");
@@ -57,7 +58,9 @@ async function runWrapper() {
        if (process.env[environment_1.EnvVar.INIT_ACTION_HAS_RUN] === "true") {
            const config = await (0, config_utils_1.getConfig)(actionsUtil.getTemporaryDirectory(), logger);
            if (config !== undefined) {
-                await (0, logging_1.withGroup)("Uploading combined SARIF debug artifact", () => debugArtifacts.uploadCombinedSarifArtifacts(logger, config.gitHubVersion.type));
+                const codeql = await (0, codeql_1.getCodeQL)(config.codeQLCmd);
+                const version = await codeql.getVersion();
+                await (0, logging_1.withGroup)("Uploading combined SARIF debug artifact", () => debugArtifacts.uploadCombinedSarifArtifacts(logger, config.gitHubVersion.type, version.version));
            }
        }
    }
@@ -1 +1 @@
-{"version":3,"file":"analyze-action-post.js","sourceRoot":"","sources":["../src/analyze-action-post.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA;;;;GAIG;AACH,oDAAsC;AAEtC,4DAA8C;AAC9C,6CAAgD;AAChD,iDAA2C;AAC3C,kEAAoD;AACpD,+CAAuC;AACvC,uCAAwD;AACxD,iCAAoE;AAEpE,KAAK,UAAU,UAAU;IACvB,IAAI,CAAC;QACH,WAAW,CAAC,aAAa,EAAE,CAAC;QAC5B,MAAM,MAAM,GAAG,IAAA,0BAAgB,GAAE,CAAC;QAClC,MAAM,aAAa,GAAG,MAAM,IAAA,6BAAgB,GAAE,CAAC;QAC/C,IAAA,gCAAyB,EAAC,aAAa,EAAE,MAAM,CAAC,CAAC;QAEjD,kFAAkF;QAClF,wFAAwF;QACxF,IAAI,OAAO,CAAC,GAAG,CAAC,oBAAM,CAAC,mBAAmB,CAAC,KAAK,MAAM,EAAE,CAAC;YACvD,MAAM,MAAM,GAAG,MAAM,IAAA,wBAAS,EAC5B,WAAW,CAAC,qBAAqB,EAAE,EACnC,MAAM,CACP,CAAC;YACF,IAAI,MAAM,KAAK,SAAS,EAAE,CAAC;gBACzB,MAAM,IAAA,mBAAS,EAAC,yCAAyC,EAAE,GAAG,EAAE,CAC9D,cAAc,CAAC,4BAA4B,CACzC,MAAM,EACN,MAAM,CAAC,aAAa,CAAC,IAAI,CAC1B,CACF,CAAC;YACJ,CAAC;QACH,CAAC;IACH,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,IAAI,CAAC,SAAS,CACZ,oCAAoC,IAAA,sBAAe,EAAC,KAAK,CAAC,EAAE,CAC7D,CAAC;IACJ,CAAC;AACH,CAAC;AAED,KAAK,UAAU,EAAE,CAAC"}
+{"version":3,"file":"analyze-action-post.js","sourceRoot":"","sources":["../src/analyze-action-post.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA;;;;GAIG;AACH,oDAAsC;AAEtC,4DAA8C;AAC9C,6CAAgD;AAChD,qCAAqC;AACrC,iDAA2C;AAC3C,kEAAoD;AACpD,+CAAuC;AACvC,uCAAwD;AACxD,iCAAoE;AAEpE,KAAK,UAAU,UAAU;IACvB,IAAI,CAAC;QACH,WAAW,CAAC,aAAa,EAAE,CAAC;QAC5B,MAAM,MAAM,GAAG,IAAA,0BAAgB,GAAE,CAAC;QAClC,MAAM,aAAa,GAAG,MAAM,IAAA,6BAAgB,GAAE,CAAC;QAC/C,IAAA,gCAAyB,EAAC,aAAa,EAAE,MAAM,CAAC,CAAC;QAEjD,kFAAkF;QAClF,wFAAwF;QACxF,IAAI,OAAO,CAAC,GAAG,CAAC,oBAAM,CAAC,mBAAmB,CAAC,KAAK,MAAM,EAAE,CAAC;YACvD,MAAM,MAAM,GAAG,MAAM,IAAA,wBAAS,EAC5B,WAAW,CAAC,qBAAqB,EAAE,EACnC,MAAM,CACP,CAAC;YACF,IAAI,MAAM,KAAK,SAAS,EAAE,CAAC;gBACzB,MAAM,MAAM,GAAG,MAAM,IAAA,kBAAS,EAAC,MAAM,CAAC,SAAS,CAAC,CAAC;gBACjD,MAAM,OAAO,GAAG,MAAM,MAAM,CAAC,UAAU,EAAE,CAAC;gBAC1C,MAAM,IAAA,mBAAS,EAAC,yCAAyC,EAAE,GAAG,EAAE,CAC9D,cAAc,CAAC,4BAA4B,CACzC,MAAM,EACN,MAAM,CAAC,aAAa,CAAC,IAAI,EACzB,OAAO,CAAC,OAAO,CAChB,CACF,CAAC;YACJ,CAAC;QACH,CAAC;IACH,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,IAAI,CAAC,SAAS,CACZ,oCAAoC,IAAA,sBAAe,EAAC,KAAK,CAAC,EAAE,CAC7D,CAAC;IACJ,CAAC;AACH,CAAC;AAED,KAAK,UAAU,EAAE,CAAC"}
@@ -160,6 +160,14 @@ async function run() {
    let dbCreationTimings = undefined;
    let didUploadTrapCaches = false;
    util.initializeEnvironment(actionsUtil.getActionVersion());
+    // Unset the CODEQL_PROXY_* environment variables, as they are not needed
+    // and can cause issues with the CodeQL CLI
+    // Check for CODEQL_PROXY_HOST: and if it is empty but set, unset it
+    if (process.env.CODEQL_PROXY_HOST === "") {
+        delete process.env.CODEQL_PROXY_HOST;
+        delete process.env.CODEQL_PROXY_PORT;
+        delete process.env.CODEQL_PROXY_CA_CERTIFICATE;
+    }
    // Make inputs accessible in the `post` step, details at
    // https://github.com/github/codeql-action/issues/2553
    actionsUtil.persistInputs();
@@ -53,6 +53,7 @@ const analyze_1 = require("./analyze");
 const codeql_1 = require("./codeql");
 const environment_1 = require("./environment");
 const logging_1 = require("./logging");
+const tools_features_1 = require("./tools-features");
 const util_1 = require("./util");
 function sanitizeArtifactName(name) {
    return name.replace(/[^a-zA-Z0-9_\\-]+/g, "");
@@ -61,7 +62,7 @@ function sanitizeArtifactName(name) {
 * Upload Actions SARIF artifacts for debugging when CODEQL_ACTION_DEBUG_COMBINED_SARIF
 * environment variable is set
 */
-async function uploadCombinedSarifArtifacts(logger, gitHubVariant) {
+async function uploadCombinedSarifArtifacts(logger, gitHubVariant, codeQlVersion) {
    const tempDir = (0, actions_util_1.getTemporaryDirectory)();
    // Upload Actions SARIF artifacts for debugging when environment variable is set
    if (process.env["CODEQL_ACTION_DEBUG_COMBINED_SARIF"] === "true") {
@@ -80,7 +81,7 @@ async function uploadCombinedSarifArtifacts(logger, gitHubVariant) {
            }
        }
        try {
-            await uploadDebugArtifacts(logger, toUpload, baseTempDir, "combined-sarif-artifacts", gitHubVariant);
+            await uploadDebugArtifacts(logger, toUpload, baseTempDir, "combined-sarif-artifacts", gitHubVariant, codeQlVersion);
        }
        catch (e) {
            logger.warning(`Failed to upload combined SARIF files as Actions debugging artifact. Reason: ${(0, util_1.getErrorMessage)(e)}`);
@@ -140,7 +141,7 @@ async function tryBundleDatabase(config, language, logger) {
 *
 * Logs and suppresses any errors that occur.
 */
-async function tryUploadAllAvailableDebugArtifacts(config, logger) {
+async function tryUploadAllAvailableDebugArtifacts(config, logger, codeQlVersion) {
    const filesToUpload = [];
    try {
        for (const language of config.languages) {
@@ -180,18 +181,23 @@ async function tryUploadAllAvailableDebugArtifacts(config, logger) {
        return;
    }
    try {
-        await (0, logging_1.withGroup)("Uploading debug artifacts", async () => uploadDebugArtifacts(logger, filesToUpload, config.dbLocation, config.debugArtifactName, config.gitHubVersion.type));
+        await (0, logging_1.withGroup)("Uploading debug artifacts", async () => uploadDebugArtifacts(logger, filesToUpload, config.dbLocation, config.debugArtifactName, config.gitHubVersion.type, codeQlVersion));
    }
    catch (e) {
        logger.warning(`Failed to upload debug artifacts. Reason: ${(0, util_1.getErrorMessage)(e)}`);
    }
 }
-async function uploadDebugArtifacts(logger, toUpload, rootDir, artifactName, ghVariant) {
+async function uploadDebugArtifacts(logger, toUpload, rootDir, artifactName, ghVariant, codeQlVersion) {
    if (toUpload.length === 0) {
-        return;
+        return "no-artifacts-to-upload";
+    }
+    const uploadSupported = (0, tools_features_1.isSafeArtifactUpload)(codeQlVersion);
+    if (!uploadSupported) {
+        core.info(`Skipping debug artifact upload because the current CLI does not support safe upload. Please upgrade to CLI v${tools_features_1.SafeArtifactUploadVersion} or later.`);
+        return "upload-not-supported";
    }
    let suffix = "";
-    const matrix = (0, actions_util_1.getRequiredInput)("matrix");
+    const matrix = (0, actions_util_1.getOptionalInput)("matrix");
    if (matrix) {
        try {
            for (const [, matrixVal] of Object.entries(JSON.parse(matrix)).sort())
@@ -207,10 +213,12 @@ async function uploadDebugArtifacts(logger, toUpload, rootDir, artifactName, ghV
            // ensure we don't keep the debug artifacts around for too long since they can be large.
            retentionDays: 7,
        });
+        return "upload-successful";
    }
    catch (e) {
        // A failure to upload debug artifacts should not fail the entire action.
        core.warning(`Failed to upload debug artifacts: ${e}`);
+        return "upload-failed";
    }
 }
 // `@actions/artifact@v2` is not yet supported on GHES so the legacy version of the client will be used on GHES
@@ -46,9 +46,47 @@ const util_1 = require("./util");
    t.deepEqual(debugArtifacts.sanitizeArtifactName("hello===123"), "hello123");
    t.deepEqual(debugArtifacts.sanitizeArtifactName("*m)a&n^y%i££n+v!a:l[i]d"), "manyinvalid");
 });
-(0, ava_1.default)("uploadDebugArtifacts", async (t) => {
+// These next tests check the correctness of the logic to determine whether or not
+// artifacts are uploaded in debug mode. Since it's not easy to mock the actual
+// call to upload an artifact, we just check that we get an "upload-failed" result,
+// instead of actually uploading the artifact.
+//
+// For tests where we expect artifact upload to be blocked, we check for a different
+// response from the function.
+(0, ava_1.default)("uploadDebugArtifacts when artifacts empty should emit 'no-artifacts-to-upload'", async (t) => {
    // Test that no error is thrown if artifacts list is empty.
    const logger = (0, logging_1.getActionsLogger)();
-    await t.notThrowsAsync(debugArtifacts.uploadDebugArtifacts(logger, [], "rootDir", "artifactName", util_1.GitHubVariant.DOTCOM));
+    await t.notThrowsAsync(async () => {
+        const uploaded = await debugArtifacts.uploadDebugArtifacts(logger, [], "i-dont-exist", "artifactName", util_1.GitHubVariant.DOTCOM, undefined);
+        t.is(uploaded, "no-artifacts-to-upload", "Should not have uploaded any artifacts");
+    });
+});
+(0, ava_1.default)("uploadDebugArtifacts when no codeql version is used should invoke artifact upload", async (t) => {
+    // Test that the artifact is uploaded.
+    const logger = (0, logging_1.getActionsLogger)();
+    await t.notThrowsAsync(async () => {
+        const uploaded = await debugArtifacts.uploadDebugArtifacts(logger, ["hucairz"], "i-dont-exist", "artifactName", util_1.GitHubVariant.DOTCOM, undefined);
+        t.is(uploaded, 
+        // The failure is expected since we don't want to actually upload any artifacts in unit tests.
+        "upload-failed", "Expect failure to upload artifacts since root dir does not exist");
+    });
+});
+(0, ava_1.default)("uploadDebugArtifacts when new codeql version is used should invoke artifact upload", async (t) => {
+    // Test that the artifact is uploaded.
+    const logger = (0, logging_1.getActionsLogger)();
+    await t.notThrowsAsync(async () => {
+        const uploaded = await debugArtifacts.uploadDebugArtifacts(logger, ["hucairz"], "i-dont-exist", "artifactName", util_1.GitHubVariant.DOTCOM, "2.20.3");
+        t.is(uploaded, 
+        // The failure is expected since we don't want to actually upload any artifacts in unit tests.
+        "upload-failed", "Expect failure to upload artifacts since root dir does not exist");
+    });
+});
+(0, ava_1.default)("uploadDebugArtifacts when old codeql is used should avoid trying to upload artifacts", async (t) => {
+    // Test that the artifact is not uploaded.
+    const logger = (0, logging_1.getActionsLogger)();
+    await t.notThrowsAsync(async () => {
+        const uploaded = await debugArtifacts.uploadDebugArtifacts(logger, ["hucairz"], "i-dont-exist", "artifactName", util_1.GitHubVariant.DOTCOM, "2.20.2");
+        t.is(uploaded, "upload-not-supported", "Expected artifact upload to be blocked because of old CodeQL version");
+    });
 });
 //# sourceMappingURL=debug-artifacts.test.js.map
@@ -1 +1 @@
-{"version":3,"file":"debug-artifacts.test.js","sourceRoot":"","sources":["../src/debug-artifacts.test.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA,8CAAuB;AAEvB,kEAAoD;AACpD,uCAA6C;AAC7C,iCAAuC;AAEvC,IAAA,aAAI,EAAC,sBAAsB,EAAE,CAAC,CAAC,EAAE,EAAE;IACjC,CAAC,CAAC,SAAS,CACT,cAAc,CAAC,oBAAoB,CAAC,cAAc,CAAC,EACnD,cAAc,CACf,CAAC;IACF,CAAC,CAAC,SAAS,CACT,cAAc,CAAC,oBAAoB,CAAC,cAAc,CAAC,EACnD,YAAY,CACb,CAAC;IACF,CAAC,CAAC,SAAS,CAAC,cAAc,CAAC,oBAAoB,CAAC,aAAa,CAAC,EAAE,UAAU,CAAC,CAAC;IAC5E,CAAC,CAAC,SAAS,CACT,cAAc,CAAC,oBAAoB,CAAC,yBAAyB,CAAC,EAC9D,aAAa,CACd,CAAC;AACJ,CAAC,CAAC,CAAC;AAEH,IAAA,aAAI,EAAC,sBAAsB,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;IACvC,2DAA2D;IAC3D,MAAM,MAAM,GAAG,IAAA,0BAAgB,GAAE,CAAC;IAClC,MAAM,CAAC,CAAC,cAAc,CACpB,cAAc,CAAC,oBAAoB,CACjC,MAAM,EACN,EAAE,EACF,SAAS,EACT,cAAc,EACd,oBAAa,CAAC,MAAM,CACrB,CACF,CAAC;AACJ,CAAC,CAAC,CAAC"}
+{"version":3,"file":"debug-artifacts.test.js","sourceRoot":"","sources":["../src/debug-artifacts.test.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA,8CAAuB;AAEvB,kEAAoD;AACpD,uCAA6C;AAC7C,iCAAuC;AAEvC,IAAA,aAAI,EAAC,sBAAsB,EAAE,CAAC,CAAC,EAAE,EAAE;IACjC,CAAC,CAAC,SAAS,CACT,cAAc,CAAC,oBAAoB,CAAC,cAAc,CAAC,EACnD,cAAc,CACf,CAAC;IACF,CAAC,CAAC,SAAS,CACT,cAAc,CAAC,oBAAoB,CAAC,cAAc,CAAC,EACnD,YAAY,CACb,CAAC;IACF,CAAC,CAAC,SAAS,CAAC,cAAc,CAAC,oBAAoB,CAAC,aAAa,CAAC,EAAE,UAAU,CAAC,CAAC;IAC5E,CAAC,CAAC,SAAS,CACT,cAAc,CAAC,oBAAoB,CAAC,yBAAyB,CAAC,EAC9D,aAAa,CACd,CAAC;AACJ,CAAC,CAAC,CAAC;AAEH,kFAAkF;AAClF,+EAA+E;AAC/E,mFAAmF;AACnF,8CAA8C;AAC9C,EAAE;AACF,oFAAoF;AACpF,8BAA8B;AAE9B,IAAA,aAAI,EAAC,gFAAgF,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;IACjG,2DAA2D;IAC3D,MAAM,MAAM,GAAG,IAAA,0BAAgB,GAAE,CAAC;IAClC,MAAM,CAAC,CAAC,cAAc,CAAC,KAAK,IAAI,EAAE;QAChC,MAAM,QAAQ,GAAG,MAAM,cAAc,CAAC,oBAAoB,CACxD,MAAM,EACN,EAAE,EACF,cAAc,EACd,cAAc,EACd,oBAAa,CAAC,MAAM,EACpB,SAAS,CACV,CAAC;QACF,CAAC,CAAC,EAAE,CACF,QAAQ,EACR,wBAAwB,EACxB,wCAAwC,CACzC,CAAC;IACJ,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,IAAA,aAAI,EAAC,mFAAmF,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;IACpG,sCAAsC;IACtC,MAAM,MAAM,GAAG,IAAA,0BAAgB,GAAE,CAAC;IAClC,MAAM,CAAC,CAAC,cAAc,CAAC,KAAK,IAAI,EAAE;QAChC,MAAM,QAAQ,GAAG,MAAM,cAAc,CAAC,oBAAoB,CACxD,MAAM,EACN,CAAC,SAAS,CAAC,EACX,cAAc,EACd,cAAc,EACd,oBAAa,CAAC,MAAM,EACpB,SAAS,CACV,CAAC;QACF,CAAC,CAAC,EAAE,CACF,QAAQ;QACR,8FAA8F;QAC9F,eAAe,EACf,kEAAkE,CACnE,CAAC;IACJ,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,IAAA,aAAI,EAAC,oFAAoF,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;IACrG,sCAAsC;IACtC,MAAM,MAAM,GAAG,IAAA,0BAAgB,GAAE,CAAC;IAClC,MAAM,CAAC,CAAC,cAAc,CAAC,KAAK,IAAI,EAAE;QAChC,MAAM,QAAQ,GAAG,MAAM,cAAc,CAAC,oBAAoB,CACxD,MAAM,EACN,CAAC,SAAS,CAAC,EACX,cAAc,EACd,cAAc,EACd,oBAAa,CAAC,MAAM,EACpB,QAAQ,CACT,CAAC;QACF,CAAC,CAAC,EAAE,CACF,QAAQ;QACR,8FAA8F;QAC9F,eAAe,EACf,kEAAkE,CACnE,CAAC;IACJ,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,IAAA,aAAI,EAAC,sFAAsF,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;IACvG,0CAA0C;IAC1C,MAAM,MAAM,GAAG,IAAA,0BAAgB,GAAE,CAAC;IAClC,MAAM,CAAC,CAAC,cAAc,CAAC,KAAK,IAAI,EAAE;QAChC,MAAM,QAAQ,GAAG,MAAM,cAAc,CAAC,oBAAoB,CACxD,MAAM,EACN,CAAC,SAAS,CAAC,EACX,cAAc,EACd,cAAc,EACd,oBAAa,CAAC,MAAM,EACpB,QAAQ,CACT,CAAC;QACF,CAAC,CAAC,EAAE,CACF,QAAQ,EACR,sBAAsB,EACtB,sEAAsE,CACvE,CAAC;IACJ,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}
@@ -1,6 +1,6 @@
 {
-    "bundleVersion": "codeql-bundle-v2.20.1",
-    "cliVersion": "2.20.1",
-    "priorBundleVersion": "codeql-bundle-v2.20.0",
-    "priorCliVersion": "2.20.0"
+    "bundleVersion": "codeql-bundle-v2.20.4",
+    "cliVersion": "2.20.4",
+    "priorBundleVersion": "codeql-bundle-v2.20.3",
+    "priorCliVersion": "2.20.3"
 }
@@ -142,7 +142,9 @@ async function run(uploadAllAvailableDebugArtifacts, printDebugLogs, config, rep
    // Upload appropriate Actions artifacts for debugging
    if (config.debugMode) {
        logger.info("Debug mode is on. Uploading available database bundles and logs as Actions debugging artifacts...");
-        await uploadAllAvailableDebugArtifacts(config, logger, features);
+        const codeql = await (0, codeql_1.getCodeQL)(config.codeQLCmd);
+        const version = await codeql.getVersion();
+        await uploadAllAvailableDebugArtifacts(config, logger, version.version);
        await printDebugLogs(config);
    }
    if (actionsUtil.isSelfHostedRunner()) {
@@ -64,9 +64,10 @@ async function runWrapper() {
        config = await (0, config_utils_1.getConfig)((0, actions_util_1.getTemporaryDirectory)(), logger);
        if (config === undefined) {
            logger.warning("Debugging artifacts are unavailable since the 'init' Action failed before it could produce any.");
-            return;
        }
-        uploadFailedSarifResult = await initActionPostHelper.run(debugArtifacts.tryUploadAllAvailableDebugArtifacts, actions_util_1.printDebugLogs, config, repositoryNwo, features, logger);
+        else {
+            uploadFailedSarifResult = await initActionPostHelper.run(debugArtifacts.tryUploadAllAvailableDebugArtifacts, actions_util_1.printDebugLogs, config, repositoryNwo, features, logger);
+        }
    }
    catch (unwrappedError) {
        const error = (0, util_1.wrapError)(unwrappedError);
@@ -1 +1 @@
-{"version":3,"file":"init-action-post.js","sourceRoot":"","sources":["../src/init-action-post.ts"],"names":[],"mappings":";AAAA;;;;GAIG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAEH,oDAAsC;AAEtC,iDAIwB;AACxB,6CAAgD;AAChD,iDAAmD;AACnD,kEAAoD;AACpD,mDAA2C;AAC3C,gFAAkE;AAClE,uCAA6C;AAC7C,6CAAkD;AAClD,mDAOyB;AACzB,iCAKgB;AAOhB,KAAK,UAAU,UAAU;IACvB,MAAM,MAAM,GAAG,IAAA,0BAAgB,GAAE,CAAC;IAClC,MAAM,SAAS,GAAG,IAAI,IAAI,EAAE,CAAC;IAC7B,IAAI,MAA0B,CAAC;IAC/B,IAAI,uBAES,CAAC;IACd,IAAI,CAAC;QACH,qCAAqC;QACrC,IAAA,4BAAa,GAAE,CAAC;QAEhB,MAAM,aAAa,GAAG,MAAM,IAAA,6BAAgB,GAAE,CAAC;QAC/C,IAAA,gCAAyB,EAAC,aAAa,EAAE,MAAM,CAAC,CAAC;QAEjD,MAAM,aAAa,GAAG,IAAA,+BAAkB,EACtC,IAAA,0BAAmB,EAAC,mBAAmB,CAAC,CACzC,CAAC;QACF,MAAM,QAAQ,GAAG,IAAI,wBAAQ,CAC3B,aAAa,EACb,aAAa,EACb,IAAA,oCAAqB,GAAE,EACvB,MAAM,CACP,CAAC;QAEF,MAAM,GAAG,MAAM,IAAA,wBAAS,EAAC,IAAA,oCAAqB,GAAE,EAAE,MAAM,CAAC,CAAC;QAC1D,IAAI,MAAM,KAAK,SAAS,EAAE,CAAC;YACzB,MAAM,CAAC,OAAO,CACZ,iGAAiG,CAClG,CAAC;YACF,OAAO;QACT,CAAC;QAED,uBAAuB,GAAG,MAAM,oBAAoB,CAAC,GAAG,CACtD,cAAc,CAAC,mCAAmC,EAClD,6BAAc,EACd,MAAM,EACN,aAAa,EACb,QAAQ,EACR,MAAM,CACP,CAAC;IACJ,CAAC;IAAC,OAAO,cAAc,EAAE,CAAC;QACxB,MAAM,KAAK,GAAG,IAAA,gBAAS,EAAC,cAAc,CAAC,CAAC;QACxC,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;QAE9B,MAAM,gBAAgB,GAAG,MAAM,IAAA,sCAAsB,EACnD,0BAAU,CAAC,QAAQ,EACnB,IAAA,gCAAgB,EAAC,KAAK,CAAC,EACvB,SAAS,EACT,MAAM,EACN,MAAM,IAAA,qBAAc,EAAC,MAAM,CAAC,EAC5B,MAAM,EACN,KAAK,CAAC,OAAO,EACb,KAAK,CAAC,KAAK,CACZ,CAAC;QACF,IAAI,gBAAgB,KAAK,SAAS,EAAE,CAAC;YACnC,MAAM,IAAA,gCAAgB,EAAC,gBAAgB,CAAC,CAAC;QAC3C,CAAC;QACD,OAAO;IACT,CAAC;IACD,MAAM,SAAS,GAAG,oBAAoB,CAAC,iBAAiB,EAAE,CAAC;IAC3D,MAAM,CAAC,IAAI,CAAC,yBAAyB,IAAA,uCAAuB,EAAC,SAAS,CAAC,GAAG,CAAC,CAAC;IAE5E,MAAM,gBAAgB,GAAG,MAAM,IAAA,sCAAsB,EACnD,0BAAU,CAAC,QAAQ,EACnB,SAAS,EACT,SAAS,EACT,MAAM,EACN,MAAM,IAAA,qBAAc,EAAC,MAAM,CAAC,EAC5B,MAAM,CACP,CAAC;IACF,IAAI,gBAAgB,KAAK,SAAS,EAAE,CAAC;QACnC,MAAM,YAAY,GAAyB;YACzC,GAAG,gBAAgB;YACnB,GAAG,uBAAuB;YAC1B,UAAU,EAAE,oBAAoB,CAAC,iBAAiB,EAAE;SACrD,CAAC;QACF,MAAM,IAAA,gCAAgB,EAAC,YAAY,CAAC,CAAC;IACvC,CAAC;AACH,CAAC;AAED,KAAK,UAAU,EAAE,CAAC"}
+{"version":3,"file":"init-action-post.js","sourceRoot":"","sources":["../src/init-action-post.ts"],"names":[],"mappings":";AAAA;;;;GAIG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAEH,oDAAsC;AAEtC,iDAIwB;AACxB,6CAAgD;AAChD,iDAAmD;AACnD,kEAAoD;AACpD,mDAA2C;AAC3C,gFAAkE;AAClE,uCAA6C;AAC7C,6CAAkD;AAClD,mDAOyB;AACzB,iCAKgB;AAOhB,KAAK,UAAU,UAAU;IACvB,MAAM,MAAM,GAAG,IAAA,0BAAgB,GAAE,CAAC;IAClC,MAAM,SAAS,GAAG,IAAI,IAAI,EAAE,CAAC;IAC7B,IAAI,MAA0B,CAAC;IAC/B,IAAI,uBAES,CAAC;IACd,IAAI,CAAC;QACH,qCAAqC;QACrC,IAAA,4BAAa,GAAE,CAAC;QAEhB,MAAM,aAAa,GAAG,MAAM,IAAA,6BAAgB,GAAE,CAAC;QAC/C,IAAA,gCAAyB,EAAC,aAAa,EAAE,MAAM,CAAC,CAAC;QAEjD,MAAM,aAAa,GAAG,IAAA,+BAAkB,EACtC,IAAA,0BAAmB,EAAC,mBAAmB,CAAC,CACzC,CAAC;QACF,MAAM,QAAQ,GAAG,IAAI,wBAAQ,CAC3B,aAAa,EACb,aAAa,EACb,IAAA,oCAAqB,GAAE,EACvB,MAAM,CACP,CAAC;QAEF,MAAM,GAAG,MAAM,IAAA,wBAAS,EAAC,IAAA,oCAAqB,GAAE,EAAE,MAAM,CAAC,CAAC;QAC1D,IAAI,MAAM,KAAK,SAAS,EAAE,CAAC;YACzB,MAAM,CAAC,OAAO,CACZ,iGAAiG,CAClG,CAAC;QACJ,CAAC;aAAM,CAAC;YACN,uBAAuB,GAAG,MAAM,oBAAoB,CAAC,GAAG,CACtD,cAAc,CAAC,mCAAmC,EAClD,6BAAc,EACd,MAAM,EACN,aAAa,EACb,QAAQ,EACR,MAAM,CACP,CAAC;QACJ,CAAC;IACH,CAAC;IAAC,OAAO,cAAc,EAAE,CAAC;QACxB,MAAM,KAAK,GAAG,IAAA,gBAAS,EAAC,cAAc,CAAC,CAAC;QACxC,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;QAE9B,MAAM,gBAAgB,GAAG,MAAM,IAAA,sCAAsB,EACnD,0BAAU,CAAC,QAAQ,EACnB,IAAA,gCAAgB,EAAC,KAAK,CAAC,EACvB,SAAS,EACT,MAAM,EACN,MAAM,IAAA,qBAAc,EAAC,MAAM,CAAC,EAC5B,MAAM,EACN,KAAK,CAAC,OAAO,EACb,KAAK,CAAC,KAAK,CACZ,CAAC;QACF,IAAI,gBAAgB,KAAK,SAAS,EAAE,CAAC;YACnC,MAAM,IAAA,gCAAgB,EAAC,gBAAgB,CAAC,CAAC;QAC3C,CAAC;QACD,OAAO;IACT,CAAC;IACD,MAAM,SAAS,GAAG,oBAAoB,CAAC,iBAAiB,EAAE,CAAC;IAC3D,MAAM,CAAC,IAAI,CAAC,yBAAyB,IAAA,uCAAuB,EAAC,SAAS,CAAC,GAAG,CAAC,CAAC;IAE5E,MAAM,gBAAgB,GAAG,MAAM,IAAA,sCAAsB,EACnD,0BAAU,CAAC,QAAQ,EACnB,SAAS,EACT,SAAS,EACT,MAAM,EACN,MAAM,IAAA,qBAAc,EAAC,MAAM,CAAC,EAC5B,MAAM,CACP,CAAC;IACF,IAAI,gBAAgB,KAAK,SAAS,EAAE,CAAC;QACnC,MAAM,YAAY,GAAyB;YACzC,GAAG,gBAAgB;YACnB,GAAG,uBAAuB;YAC1B,UAAU,EAAE,oBAAoB,CAAC,iBAAiB,EAAE;SACrD,CAAC;QACF,MAAM,IAAA,gCAAgB,EAAC,YAAY,CAAC,CAAC;IACvC,CAAC;AACH,CAAC;AAED,KAAK,UAAU,EAAE,CAAC"}
@@ -317,6 +317,11 @@ async function run() {
        if (await features.getValue(feature_flags_1.Feature.DisableKotlinAnalysisEnabled)) {
            core.exportVariable("CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN", "true");
        }
+        const kotlinLimitVar = "CODEQL_EXTRACTOR_KOTLIN_OVERRIDE_MAXIMUM_VERSION_LIMIT";
+        if ((await (0, util_1.codeQlVersionAtLeast)(codeql, "2.20.3")) &&
+            !(await (0, util_1.codeQlVersionAtLeast)(codeql, "2.20.4"))) {
+            core.exportVariable(kotlinLimitVar, "2.1.20");
+        }
        if (config.languages.includes(languages_1.Language.cpp)) {
            const envVar = "CODEQL_EXTRACTOR_CPP_TRAP_CACHING";
            if (process.env[envVar]) {
@@ -70,11 +70,18 @@ var ToolsSource;
 })(ToolsSource || (exports.ToolsSource = ToolsSource = {}));
 exports.CODEQL_DEFAULT_ACTION_REPOSITORY = "github/codeql-action";
 const CODEQL_BUNDLE_VERSION_ALIAS = ["linked", "latest"];
-function getCodeQLBundleExtension(useZstd) {
-    return useZstd ? ".tar.zst" : ".tar.gz";
+function getCodeQLBundleExtension(compressionMethod) {
+    switch (compressionMethod) {
+        case "gzip":
+            return ".tar.gz";
+        case "zstd":
+            return ".tar.zst";
+        default:
+            util.assertNever(compressionMethod);
+    }
 }
-function getCodeQLBundleName(useZstd) {
-    const extension = getCodeQLBundleExtension(useZstd);
+function getCodeQLBundleName(compressionMethod) {
+    const extension = getCodeQLBundleExtension(compressionMethod);
    let platform;
    if (process.platform === "win32") {
        platform = "win64";
@@ -100,7 +107,7 @@ function getCodeQLActionRepository(logger) {
    }
    return util.getRequiredEnvParam("GITHUB_ACTION_REPOSITORY");
 }
-async function getCodeQLBundleDownloadURL(tagName, apiDetails, useZstd, logger) {
+async function getCodeQLBundleDownloadURL(tagName, apiDetails, compressionMethod, logger) {
    const codeQLActionRepository = getCodeQLActionRepository(logger);
    const potentialDownloadSources = [
        // This GitHub instance, and this Action.
@@ -115,7 +122,7 @@ async function getCodeQLBundleDownloadURL(tagName, apiDetails, useZstd, logger)
    const uniqueDownloadSources = potentialDownloadSources.filter((source, index, self) => {
        return !self.slice(0, index).some((other) => (0, fast_deep_equal_1.default)(source, other));
    });
-    const codeQLBundleName = getCodeQLBundleName(useZstd);
+    const codeQLBundleName = getCodeQLBundleName(compressionMethod);
    for (const downloadSource of uniqueDownloadSources) {
        const [apiURL, repository] = downloadSource;
        // If we've reached the final case, short-circuit the API check since we know the bundle exists and is public.
@@ -132,13 +139,13 @@ async function getCodeQLBundleDownloadURL(tagName, apiDetails, useZstd, logger)
            });
            for (const asset of release.data.assets) {
                if (asset.name === codeQLBundleName) {
-                    logger.info(`Found CodeQL bundle in ${downloadSource[1]} on ${downloadSource[0]} with URL ${asset.url}.`);
+                    logger.info(`Found CodeQL bundle ${codeQLBundleName} in ${repository} on ${apiURL} with URL ${asset.url}.`);
                    return asset.url;
                }
            }
        }
        catch (e) {
-            logger.info(`Looked for CodeQL bundle in ${downloadSource[1]} on ${downloadSource[0]} but got error ${e}.`);
+            logger.info(`Looked for CodeQL bundle ${codeQLBundleName} in ${repository} on ${apiURL} but got error ${e}.`);
        }
    }
    return `https://github.com/${exports.CODEQL_DEFAULT_ACTION_REPOSITORY}/releases/download/${tagName}/${codeQLBundleName}`;
@@ -221,8 +228,14 @@ async function getCodeQLSource(toolsInput, defaultCliVersion, apiDetails, varian
        !CODEQL_BUNDLE_VERSION_ALIAS.includes(toolsInput) &&
        !toolsInput.startsWith("http")) {
        logger.info(`Using CodeQL CLI from local path ${toolsInput}`);
+        const compressionMethod = tar.inferCompressionMethod(toolsInput);
+        if (compressionMethod === undefined) {
+            throw new util.ConfigurationError(`Could not infer compression method from path ${toolsInput}. Please specify a path ` +
+                "ending in '.tar.gz' or '.tar.zst'.");
+        }
        return {
            codeqlTarPath: toolsInput,
+            compressionMethod,
            sourceType: "local",
            toolsVersion: "local",
        };
@@ -356,9 +369,22 @@ async function getCodeQLSource(toolsInput, defaultCliVersion, apiDetails, varian
            return result;
        }
    }
+    let compressionMethod;
    if (!url) {
-        url = await getCodeQLBundleDownloadURL(tagName, apiDetails, cliVersion !== undefined &&
-            (await useZstdBundle(cliVersion, tarSupportsZstd)), logger);
+        compressionMethod =
+            cliVersion !== undefined &&
+                (await useZstdBundle(cliVersion, tarSupportsZstd))
+                ? "zstd"
+                : "gzip";
+        url = await getCodeQLBundleDownloadURL(tagName, apiDetails, compressionMethod, logger);
+    }
+    else {
+        const method = tar.inferCompressionMethod(url);
+        if (method === undefined) {
+            throw new util.ConfigurationError(`Could not infer compression method from URL ${url}. Please specify a URL ` +
+                "ending in '.tar.gz' or '.tar.zst'.");
+        }
+        compressionMethod = method;
    }
    if (cliVersion) {
        logger.info(`Using CodeQL CLI version ${cliVersion} sourced from ${url} .`);
@@ -370,6 +396,7 @@ async function getCodeQLSource(toolsInput, defaultCliVersion, apiDetails, varian
        bundleVersion: tagName && tryGetBundleVersionFromTagName(tagName, logger),
        cliVersion,
        codeqlURL: url,
+        compressionMethod,
        sourceType: "download",
        toolsVersion: cliVersion ?? humanReadableVersion,
    };
@@ -390,7 +417,7 @@ async function tryGetFallbackToolcacheVersion(cliVersion, tagName, logger) {
 }
 // Exported using `export const` for testing purposes. Specifically, we want to
 // be able to stub this function and have other functions in this file use that stub.
-const downloadCodeQL = async function (codeqlURL, maybeBundleVersion, maybeCliVersion, apiDetails, tarVersion, tempDir, features, logger) {
+const downloadCodeQL = async function (codeqlURL, compressionMethod, maybeBundleVersion, maybeCliVersion, apiDetails, tarVersion, tempDir, features, logger) {
    const parsedCodeQLURL = new URL(codeqlURL);
    const searchParams = new URLSearchParams(parsedCodeQLURL.search);
    const headers = {
@@ -417,7 +444,7 @@ const downloadCodeQL = async function (codeqlURL, maybeBundleVersion, maybeCliVe
    const extractedBundlePath = extractToToolcache
        ? toolcacheInfo.path
        : getTempExtractionDir(tempDir);
-    let statusReport = await (0, tools_download_1.downloadAndExtract)(codeqlURL, extractedBundlePath, authorization, { "User-Agent": "CodeQL Action", ...headers }, tarVersion, logger);
+    let statusReport = await (0, tools_download_1.downloadAndExtract)(codeqlURL, compressionMethod, extractedBundlePath, authorization, { "User-Agent": "CodeQL Action", ...headers }, tarVersion, logger);
    if (!toolcacheInfo) {
        logger.debug("Could not cache CodeQL tools because we could not determine the bundle version from the " +
            `URL ${codeqlURL}.`);
@@ -509,8 +536,7 @@ async function setupCodeQLBundle(toolsInput, apiDetails, tempDir, variant, featu
    let toolsSource;
    switch (source.sourceType) {
        case "local": {
-            const compressionMethod = tar.inferCompressionMethod(source.codeqlTarPath);
-            codeqlFolder = await tar.extract(source.codeqlTarPath, getTempExtractionDir(tempDir), compressionMethod, zstdAvailability.version, logger);
+            codeqlFolder = await tar.extract(source.codeqlTarPath, getTempExtractionDir(tempDir), source.compressionMethod, zstdAvailability.version, logger);
            toolsSource = ToolsSource.Local;
            break;
        }
@@ -520,7 +546,7 @@ async function setupCodeQLBundle(toolsInput, apiDetails, tempDir, variant, featu
            toolsSource = ToolsSource.Toolcache;
            break;
        case "download": {
-            const result = await (0, exports.downloadCodeQL)(source.codeqlURL, source.bundleVersion, source.cliVersion, apiDetails, zstdAvailability.version, tempDir, features, logger);
+            const result = await (0, exports.downloadCodeQL)(source.codeqlURL, source.compressionMethod, source.bundleVersion, source.cliVersion, apiDetails, zstdAvailability.version, tempDir, features, logger);
            toolsVersion = result.toolsVersion;
            codeqlFolder = result.codeqlFolder;
            toolsDownloadStatusReport = result.statusReport;
@@ -39,28 +39,14 @@ const core = __importStar(require("@actions/core"));
 const toolcache = __importStar(require("@actions/tool-cache"));
 const node_forge_1 = require("node-forge");
 const actionsUtil = __importStar(require("./actions-util"));
-const languages_1 = require("./languages");
 const logging_1 = require("./logging");
+const start_proxy_1 = require("./start-proxy");
 const util = __importStar(require("./util"));
 const UPDATEJOB_PROXY = "update-job-proxy";
 const UPDATEJOB_PROXY_VERSION = "v2.0.20241023203727";
 const UPDATEJOB_PROXY_URL_PREFIX = "https://github.com/github/codeql-action/releases/download/codeql-bundle-v2.18.1/";
-const PROXY_USER = "proxy_user";
 const KEY_SIZE = 2048;
 const KEY_EXPIRY_YEARS = 2;
-const LANGUAGE_TO_REGISTRY_TYPE = {
-    java: "maven_repository",
-    csharp: "nuget_feed",
-    javascript: "npm_registry",
-    python: "python_index",
-    ruby: "rubygems_server",
-    rust: "cargo_registry",
-    // We do not have an established proxy type for these languages, thus leaving empty.
-    actions: "",
-    cpp: "",
-    go: "",
-    swift: "",
-};
 const CERT_SUBJECT = [
    {
        name: "commonName",
@@ -112,16 +98,18 @@ async function runWrapper() {
    const proxyLogFilePath = path.resolve(tempDir, "proxy.log");
    core.saveState("proxy-log-file", proxyLogFilePath);
    // Get the configuration options
-    const credentials = getCredentials(logger);
+    const credentials = (0, start_proxy_1.getCredentials)(logger, actionsUtil.getOptionalInput("registry_secrets"), actionsUtil.getOptionalInput("registries_credentials"), actionsUtil.getOptionalInput("language"));
+    if (credentials.length === 0) {
+        logger.info("No credentials found, skipping proxy setup.");
+        return;
+    }
    logger.info(`Credentials loaded for the following registries:\n ${credentials
        .map((c) => credentialToStr(c))
        .join("\n")}`);
    const ca = generateCertificateAuthority();
-    const proxyAuth = getProxyAuth();
    const proxyConfig = {
        all_credentials: credentials,
        ca,
-        proxy_auth: proxyAuth,
    };
    // Start the Proxy
    const proxyBin = await getProxyBinaryPath();
@@ -178,64 +166,6 @@ async function startProxy(binPath, config, logFilePath, logger) {
        core.setFailed(`start-proxy action failed: ${util.getErrorMessage(error)}`);
    }
 }
-// getCredentials returns registry credentials from action inputs.
-// It prefers `registries_credentials` over `registry_secrets`.
-// If neither is set, it returns an empty array.
-function getCredentials(logger) {
-    const registriesCredentials = actionsUtil.getOptionalInput("registries_credentials");
-    const registrySecrets = actionsUtil.getOptionalInput("registry_secrets");
-    const languageString = actionsUtil.getOptionalInput("language");
-    const language = languageString ? (0, languages_1.parseLanguage)(languageString) : undefined;
-    const registryTypeForLanguage = language
-        ? LANGUAGE_TO_REGISTRY_TYPE[language]
-        : undefined;
-    let credentialsStr;
-    if (registriesCredentials !== undefined) {
-        logger.info(`Using registries_credentials input.`);
-        credentialsStr = Buffer.from(registriesCredentials, "base64").toString();
-    }
-    else if (registrySecrets !== undefined) {
-        logger.info(`Using registry_secrets input.`);
-        credentialsStr = registrySecrets;
-    }
-    else {
-        logger.info(`No credentials defined.`);
-        return [];
-    }
-    // Parse and validate the credentials
-    const parsed = JSON.parse(credentialsStr);
-    const out = [];
-    for (const e of parsed) {
-        if (e.url === undefined && e.host === undefined) {
-            throw new Error("Invalid credentials - must specify host or url");
-        }
-        // Filter credentials based on language if specified. `type` is the registry type.
-        // E.g., "maven_feed" for Java/Kotlin, "nuget_repository" for C#.
-        if (e.type !== registryTypeForLanguage) {
-            continue;
-        }
-        out.push({
-            type: e.type,
-            host: e.host,
-            url: e.url,
-            username: e.username,
-            password: e.password,
-            token: e.token,
-        });
-    }
-    return out;
-}
-// getProxyAuth returns the authentication information for the proxy itself.
-function getProxyAuth() {
-    const proxy_password = actionsUtil.getOptionalInput("proxy_password");
-    if (proxy_password) {
-        return {
-            username: PROXY_USER,
-            password: proxy_password,
-        };
-    }
-    return;
-}
 async function getProxyBinaryPath() {
    const proxyFileName = process.platform === "win32" ? `${UPDATEJOB_PROXY}.exe` : UPDATEJOB_PROXY;
    const platform = process.platform === "win32"
@@ -0,0 +1,83 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.getCredentials = getCredentials;
+const languages_1 = require("./languages");
+const util_1 = require("./util");
+const LANGUAGE_TO_REGISTRY_TYPE = {
+    java: "maven_repository",
+    csharp: "nuget_feed",
+    javascript: "npm_registry",
+    python: "python_index",
+    ruby: "rubygems_server",
+    rust: "cargo_registry",
+    // We do not have an established proxy type for these languages, thus leaving empty.
+    actions: "",
+    cpp: "",
+    go: "",
+    swift: "",
+};
+// getCredentials returns registry credentials from action inputs.
+// It prefers `registries_credentials` over `registry_secrets`.
+// If neither is set, it returns an empty array.
+function getCredentials(logger, registrySecrets, registriesCredentials, languageString) {
+    const language = languageString ? (0, languages_1.parseLanguage)(languageString) : undefined;
+    const registryTypeForLanguage = language
+        ? LANGUAGE_TO_REGISTRY_TYPE[language]
+        : undefined;
+    let credentialsStr;
+    if (registriesCredentials !== undefined) {
+        logger.info(`Using registries_credentials input.`);
+        credentialsStr = Buffer.from(registriesCredentials, "base64").toString();
+    }
+    else if (registrySecrets !== undefined) {
+        logger.info(`Using registry_secrets input.`);
+        credentialsStr = registrySecrets;
+    }
+    else {
+        logger.info(`No credentials defined.`);
+        return [];
+    }
+    // Parse and validate the credentials
+    let parsed;
+    try {
+        parsed = JSON.parse(credentialsStr);
+    }
+    catch {
+        // Don't log the error since it might contain sensitive information.
+        logger.error("Failed to parse the credentials data.");
+        throw new util_1.ConfigurationError("Invalid credentials format.");
+    }
+    const out = [];
+    for (const e of parsed) {
+        if (e.url === undefined && e.host === undefined) {
+            // The proxy needs one of these to work. If both are defined, the url has the precedence.
+            throw new util_1.ConfigurationError("Invalid credentials - must specify host or url");
+        }
+        // Filter credentials based on language if specified. `type` is the registry type.
+        // E.g., "maven_feed" for Java/Kotlin, "nuget_repository" for C#.
+        if (registryTypeForLanguage && e.type !== registryTypeForLanguage) {
+            continue;
+        }
+        const isPrintable = (str) => {
+            return str ? /^[\x20-\x7E]*$/.test(str) : true;
+        };
+        if (!isPrintable(e.type) ||
+            !isPrintable(e.host) ||
+            !isPrintable(e.url) ||
+            !isPrintable(e.username) ||
+            !isPrintable(e.password) ||
+            !isPrintable(e.token)) {
+            throw new util_1.ConfigurationError("Invalid credentials - fields must contain only printable characters");
+        }
+        out.push({
+            type: e.type,
+            host: e.host,
+            url: e.url,
+            username: e.username,
+            password: e.password,
+            token: e.token,
+        });
+    }
+    return out;
+}
+//# sourceMappingURL=start-proxy.js.map
@@ -0,0 +1 @@
+{"version":3,"file":"start-proxy.js","sourceRoot":"","sources":["../src/start-proxy.ts"],"names":[],"mappings":";;AA8BA,wCA2EC;AAzGD,2CAAsD;AAEtD,iCAA4C;AAW5C,MAAM,yBAAyB,GAA6B;IAC1D,IAAI,EAAE,kBAAkB;IACxB,MAAM,EAAE,YAAY;IACpB,UAAU,EAAE,cAAc;IAC1B,MAAM,EAAE,cAAc;IACtB,IAAI,EAAE,iBAAiB;IACvB,IAAI,EAAE,gBAAgB;IACtB,oFAAoF;IACpF,OAAO,EAAE,EAAE;IACX,GAAG,EAAE,EAAE;IACP,EAAE,EAAE,EAAE;IACN,KAAK,EAAE,EAAE;CACD,CAAC;AAEX,kEAAkE;AAClE,+DAA+D;AAC/D,gDAAgD;AAChD,SAAgB,cAAc,CAC5B,MAAc,EACd,eAAmC,EACnC,qBAAyC,EACzC,cAAkC;IAElC,MAAM,QAAQ,GAAG,cAAc,CAAC,CAAC,CAAC,IAAA,yBAAa,EAAC,cAAc,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;IAC5E,MAAM,uBAAuB,GAAG,QAAQ;QACtC,CAAC,CAAC,yBAAyB,CAAC,QAAQ,CAAC;QACrC,CAAC,CAAC,SAAS,CAAC;IAEd,IAAI,cAAsB,CAAC;IAC3B,IAAI,qBAAqB,KAAK,SAAS,EAAE,CAAC;QACxC,MAAM,CAAC,IAAI,CAAC,qCAAqC,CAAC,CAAC;QACnD,cAAc,GAAG,MAAM,CAAC,IAAI,CAAC,qBAAqB,EAAE,QAAQ,CAAC,CAAC,QAAQ,EAAE,CAAC;IAC3E,CAAC;SAAM,IAAI,eAAe,KAAK,SAAS,EAAE,CAAC;QACzC,MAAM,CAAC,IAAI,CAAC,+BAA+B,CAAC,CAAC;QAC7C,cAAc,GAAG,eAAe,CAAC;IACnC,CAAC;SAAM,CAAC;QACN,MAAM,CAAC,IAAI,CAAC,yBAAyB,CAAC,CAAC;QACvC,OAAO,EAAE,CAAC;IACZ,CAAC;IAED,qCAAqC;IACrC,IAAI,MAAoB,CAAC;IACzB,IAAI,CAAC;QACH,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,cAAc,CAAiB,CAAC;IACtD,CAAC;IAAC,MAAM,CAAC;QACP,oEAAoE;QACpE,MAAM,CAAC,KAAK,CAAC,uCAAuC,CAAC,CAAC;QACtD,MAAM,IAAI,yBAAkB,CAAC,6BAA6B,CAAC,CAAC;IAC9D,CAAC;IAED,MAAM,GAAG,GAAiB,EAAE,CAAC;IAC7B,KAAK,MAAM,CAAC,IAAI,MAAM,EAAE,CAAC;QACvB,IAAI,CAAC,CAAC,GAAG,KAAK,SAAS,IAAI,CAAC,CAAC,IAAI,KAAK,SAAS,EAAE,CAAC;YAChD,yFAAyF;YACzF,MAAM,IAAI,yBAAkB,CAC1B,gDAAgD,CACjD,CAAC;QACJ,CAAC;QAED,kFAAkF;QAClF,iEAAiE;QACjE,IAAI,uBAAuB,IAAI,CAAC,CAAC,IAAI,KAAK,uBAAuB,EAAE,CAAC;YAClE,SAAS;QACX,CAAC;QAED,MAAM,WAAW,GAAG,CAAC,GAAuB,EAAW,EAAE;YACvD,OAAO,GAAG,CAAC,CAAC,CAAC,gBAAgB,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;QACjD,CAAC,CAAC;QAEF,IACE,CAAC,WAAW,CAAC,CAAC,CAAC,IAAI,CAAC;YACpB,CAAC,WAAW,CAAC,CAAC,CAAC,IAAI,CAAC;YACpB,CAAC,WAAW,CAAC,CAAC,CAAC,GAAG,CAAC;YACnB,CAAC,WAAW,CAAC,CAAC,CAAC,QAAQ,CAAC;YACxB,CAAC,WAAW,CAAC,CAAC,CAAC,QAAQ,CAAC;YACxB,CAAC,WAAW,CAAC,CAAC,CAAC,KAAK,CAAC,EACrB,CAAC;YACD,MAAM,IAAI,yBAAkB,CAC1B,qEAAqE,CACtE,CAAC;QACJ,CAAC;QAED,GAAG,CAAC,IAAI,CAAC;YACP,IAAI,EAAE,CAAC,CAAC,IAAI;YACZ,IAAI,EAAE,CAAC,CAAC,IAAI;YACZ,GAAG,EAAE,CAAC,CAAC,GAAG;YACV,QAAQ,EAAE,CAAC,CAAC,QAAQ;YACpB,QAAQ,EAAE,CAAC,CAAC,QAAQ;YACpB,KAAK,EAAE,CAAC,CAAC,KAAK;SACf,CAAC,CAAC;IACL,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC"}
@@ -0,0 +1,99 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+const ava_1 = __importDefault(require("ava"));
+const logging_1 = require("./logging");
+const startProxyExports = __importStar(require("./start-proxy"));
+const testing_utils_1 = require("./testing-utils");
+(0, testing_utils_1.setupTests)(ava_1.default);
+(0, ava_1.default)("getCredentials prefers registriesCredentials over registrySecrets", async (t) => {
+    const registryCredentials = Buffer.from(JSON.stringify([
+        { type: "npm_registry", host: "npm.pkg.github.com", token: "abc" },
+    ])).toString("base64");
+    const registrySecrets = JSON.stringify([
+        { type: "npm_registry", host: "registry.npmjs.org", token: "def" },
+    ]);
+    const credentials = startProxyExports.getCredentials((0, logging_1.getRunnerLogger)(true), registrySecrets, registryCredentials, undefined);
+    t.is(credentials.length, 1);
+    t.is(credentials[0].host, "npm.pkg.github.com");
+});
+(0, ava_1.default)("getCredentials throws error when credential missing host and url", async (t) => {
+    const registryCredentials = Buffer.from(JSON.stringify([{ type: "npm_registry", token: "abc" }])).toString("base64");
+    t.throws(() => startProxyExports.getCredentials((0, logging_1.getRunnerLogger)(true), undefined, registryCredentials, undefined), {
+        message: "Invalid credentials - must specify host or url",
+    });
+});
+(0, ava_1.default)("getCredentials filters by language when specified", async (t) => {
+    const mixedCredentials = [
+        { type: "npm_registry", host: "npm.pkg.github.com", token: "abc" },
+        { type: "maven_repository", host: "maven.pkg.github.com", token: "def" },
+        { type: "nuget_feed", host: "nuget.pkg.github.com", token: "ghi" },
+    ];
+    const credentials = startProxyExports.getCredentials((0, logging_1.getRunnerLogger)(true), undefined, Buffer.from(JSON.stringify(mixedCredentials)).toString("base64"), "java");
+    t.is(credentials.length, 1);
+    t.is(credentials[0].type, "maven_repository");
+});
+(0, ava_1.default)("getCredentials returns all credentials when no language specified", async (t) => {
+    const mixedCredentials = [
+        { type: "npm_registry", host: "npm.pkg.github.com", token: "abc" },
+        { type: "maven_repository", host: "maven.pkg.github.com", token: "def" },
+        { type: "nuget_feed", host: "nuget.pkg.github.com", token: "ghi" },
+    ];
+    const credentialsInput = Buffer.from(JSON.stringify(mixedCredentials)).toString("base64");
+    const credentials = startProxyExports.getCredentials((0, logging_1.getRunnerLogger)(true), undefined, credentialsInput, undefined);
+    t.is(credentials.length, 3);
+});
+(0, ava_1.default)("getCredentials throws an error when non-printable characters are used", async (t) => {
+    const invalidCredentials = [
+        { type: "nuget_feed", host: "1nuget.pkg.github.com", token: "abc\u0000" }, // Non-printable character in token
+        { type: "nuget_feed", host: "2nuget.pkg.github.com\u0001" }, // Non-printable character in host
+        {
+            type: "nuget_feed",
+            host: "3nuget.pkg.github.com",
+            password: "ghi\u0002",
+        }, // Non-printable character in password
+        { type: "nuget_feed", host: "4nuget.pkg.github.com", password: "ghi\x00" }, // Non-printable character in password
+    ];
+    for (const invalidCredential of invalidCredentials) {
+        const credentialsInput = Buffer.from(JSON.stringify([invalidCredential])).toString("base64");
+        t.throws(() => startProxyExports.getCredentials((0, logging_1.getRunnerLogger)(true), undefined, credentialsInput, undefined), {
+            message: "Invalid credentials - fields must contain only printable characters",
+        });
+    }
+});
+//# sourceMappingURL=start-proxy.test.js.map
@@ -0,0 +1 @@
+{"version":3,"file":"start-proxy.test.js","sourceRoot":"","sources":["../src/start-proxy.test.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA,8CAAuB;AAEvB,uCAA4C;AAC5C,iEAAmD;AACnD,mDAA6C;AAE7C,IAAA,0BAAU,EAAC,aAAI,CAAC,CAAC;AAEjB,IAAA,aAAI,EAAC,mEAAmE,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;IACpF,MAAM,mBAAmB,GAAG,MAAM,CAAC,IAAI,CACrC,IAAI,CAAC,SAAS,CAAC;QACb,EAAE,IAAI,EAAE,cAAc,EAAE,IAAI,EAAE,oBAAoB,EAAE,KAAK,EAAE,KAAK,EAAE;KACnE,CAAC,CACH,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;IACrB,MAAM,eAAe,GAAG,IAAI,CAAC,SAAS,CAAC;QACrC,EAAE,IAAI,EAAE,cAAc,EAAE,IAAI,EAAE,oBAAoB,EAAE,KAAK,EAAE,KAAK,EAAE;KACnE,CAAC,CAAC;IAEH,MAAM,WAAW,GAAG,iBAAiB,CAAC,cAAc,CAClD,IAAA,yBAAe,EAAC,IAAI,CAAC,EACrB,eAAe,EACf,mBAAmB,EACnB,SAAS,CACV,CAAC;IACF,CAAC,CAAC,EAAE,CAAC,WAAW,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC;IAC5B,CAAC,CAAC,EAAE,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,oBAAoB,CAAC,CAAC;AAClD,CAAC,CAAC,CAAC;AAEH,IAAA,aAAI,EAAC,kEAAkE,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;IACnF,MAAM,mBAAmB,GAAG,MAAM,CAAC,IAAI,CACrC,IAAI,CAAC,SAAS,CAAC,CAAC,EAAE,IAAI,EAAE,cAAc,EAAE,KAAK,EAAE,KAAK,EAAE,CAAC,CAAC,CACzD,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;IAErB,CAAC,CAAC,MAAM,CACN,GAAG,EAAE,CACH,iBAAiB,CAAC,cAAc,CAC9B,IAAA,yBAAe,EAAC,IAAI,CAAC,EACrB,SAAS,EACT,mBAAmB,EACnB,SAAS,CACV,EACH;QACE,OAAO,EAAE,gDAAgD;KAC1D,CACF,CAAC;AACJ,CAAC,CAAC,CAAC;AAEH,IAAA,aAAI,EAAC,mDAAmD,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;IACpE,MAAM,gBAAgB,GAAG;QACvB,EAAE,IAAI,EAAE,cAAc,EAAE,IAAI,EAAE,oBAAoB,EAAE,KAAK,EAAE,KAAK,EAAE;QAClE,EAAE,IAAI,EAAE,kBAAkB,EAAE,IAAI,EAAE,sBAAsB,EAAE,KAAK,EAAE,KAAK,EAAE;QACxE,EAAE,IAAI,EAAE,YAAY,EAAE,IAAI,EAAE,sBAAsB,EAAE,KAAK,EAAE,KAAK,EAAE;KACnE,CAAC;IAEF,MAAM,WAAW,GAAG,iBAAiB,CAAC,cAAc,CAClD,IAAA,yBAAe,EAAC,IAAI,CAAC,EACrB,SAAS,EACT,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,gBAAgB,CAAC,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,EAChE,MAAM,CACP,CAAC;IACF,CAAC,CAAC,EAAE,CAAC,WAAW,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC;IAC5B,CAAC,CAAC,EAAE,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,kBAAkB,CAAC,CAAC;AAChD,CAAC,CAAC,CAAC;AAEH,IAAA,aAAI,EAAC,mEAAmE,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;IACpF,MAAM,gBAAgB,GAAG;QACvB,EAAE,IAAI,EAAE,cAAc,EAAE,IAAI,EAAE,oBAAoB,EAAE,KAAK,EAAE,KAAK,EAAE;QAClE,EAAE,IAAI,EAAE,kBAAkB,EAAE,IAAI,EAAE,sBAAsB,EAAE,KAAK,EAAE,KAAK,EAAE;QACxE,EAAE,IAAI,EAAE,YAAY,EAAE,IAAI,EAAE,sBAAsB,EAAE,KAAK,EAAE,KAAK,EAAE;KACnE,CAAC;IACF,MAAM,gBAAgB,GAAG,MAAM,CAAC,IAAI,CAClC,IAAI,CAAC,SAAS,CAAC,gBAAgB,CAAC,CACjC,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;IAErB,MAAM,WAAW,GAAG,iBAAiB,CAAC,cAAc,CAClD,IAAA,yBAAe,EAAC,IAAI,CAAC,EACrB,SAAS,EACT,gBAAgB,EAChB,SAAS,CACV,CAAC;IACF,CAAC,CAAC,EAAE,CAAC,WAAW,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC;AAC9B,CAAC,CAAC,CAAC;AAEH,IAAA,aAAI,EAAC,uEAAuE,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;IACxF,MAAM,kBAAkB,GAAG;QACzB,EAAE,IAAI,EAAE,YAAY,EAAE,IAAI,EAAE,uBAAuB,EAAE,KAAK,EAAE,WAAW,EAAE,EAAE,mCAAmC;QAC9G,EAAE,IAAI,EAAE,YAAY,EAAE,IAAI,EAAE,6BAA6B,EAAE,EAAE,kCAAkC;QAC/F;YACE,IAAI,EAAE,YAAY;YAClB,IAAI,EAAE,uBAAuB;YAC7B,QAAQ,EAAE,WAAW;SACtB,EAAE,sCAAsC;QACzC,EAAE,IAAI,EAAE,YAAY,EAAE,IAAI,EAAE,uBAAuB,EAAE,QAAQ,EAAE,SAAS,EAAE,EAAE,sCAAsC;KACnH,CAAC;IAEF,KAAK,MAAM,iBAAiB,IAAI,kBAAkB,EAAE,CAAC;QACnD,MAAM,gBAAgB,GAAG,MAAM,CAAC,IAAI,CAClC,IAAI,CAAC,SAAS,CAAC,CAAC,iBAAiB,CAAC,CAAC,CACpC,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;QAErB,CAAC,CAAC,MAAM,CACN,GAAG,EAAE,CACH,iBAAiB,CAAC,cAAc,CAC9B,IAAA,yBAAe,EAAC,IAAI,CAAC,EACrB,SAAS,EACT,gBAAgB,EAChB,SAAS,CACV,EACH;YACE,OAAO,EACL,qEAAqE;SACxE,CACF,CAAC;IACJ,CAAC;AACH,CAAC,CAAC,CAAC"}
@@ -43,6 +43,7 @@ const stream = __importStar(require("stream"));
 const toolrunner_1 = require("@actions/exec/lib/toolrunner");
 const io = __importStar(require("@actions/io"));
 const toolcache = __importStar(require("@actions/tool-cache"));
+const semver = __importStar(require("semver"));
 const actions_util_1 = require("./actions-util");
 const util_1 = require("./util");
 const MIN_REQUIRED_BSD_TAR_VERSION = "3.4.3";
@@ -88,13 +89,18 @@ async function isZstdAvailable(logger) {
        switch (type) {
            case "gnu":
                return {
-                    available: foundZstdBinary && version >= MIN_REQUIRED_GNU_TAR_VERSION,
+                    available: foundZstdBinary &&
+                        // GNU tar only uses major and minor version numbers
+                        semver.gte(semver.coerce(version), semver.coerce(MIN_REQUIRED_GNU_TAR_VERSION)),
                    foundZstdBinary,
                    version: tarVersion,
                };
            case "bsd":
                return {
-                    available: foundZstdBinary && version >= MIN_REQUIRED_BSD_TAR_VERSION,
+                    available: foundZstdBinary &&
+                        // Do a loose comparison since these version numbers don't contain
+                        // a patch version number.
+                        semver.gte(version, MIN_REQUIRED_BSD_TAR_VERSION),
                    foundZstdBinary,
                    version: tarVersion,
                };
@@ -179,10 +185,16 @@ async function extractTarZst(tar, dest, tarVersion, logger) {
        throw e;
    }
 }
+const KNOWN_EXTENSIONS = {
+    "tar.gz": "gzip",
+    "tar.zst": "zstd",
+};
 function inferCompressionMethod(tarPath) {
-    if (tarPath.endsWith(".tar.gz")) {
-        return "gzip";
+    for (const [ext, method] of Object.entries(KNOWN_EXTENSIONS)) {
+        if (tarPath.endsWith(`.${ext}`)) {
+            return method;
+        }
    }
-    return "zstd";
+    return undefined;
 }
 //# sourceMappingURL=tar.js.map
@@ -73,9 +73,8 @@ function makeStreamedToolsDownloadDurations(combinedDurationMs) {
        streamExtraction: true,
    };
 }
-async function downloadAndExtract(codeqlURL, dest, authorization, headers, tarVersion, logger) {
+async function downloadAndExtract(codeqlURL, compressionMethod, dest, authorization, headers, tarVersion, logger) {
    logger.info(`Downloading CodeQL tools from ${codeqlURL} . This may take a while.`);
-    const compressionMethod = tar.inferCompressionMethod(codeqlURL);
    try {
        if (compressionMethod === "zstd" && process.platform === "linux") {
            logger.info(`Streaming the extraction of the CodeQL bundle.`);
@@ -1 +1 @@
-{"version":3,"file":"tools-download.js","sourceRoot":"","sources":["../src/tools-download.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAkFA,gDAmGC;AA8CD,sDAOC;AAED,4DAOC;AAnPD,uCAAyB;AAEzB,uCAAyB;AACzB,2CAA6B;AAC7B,2CAAyC;AAEzC,oDAAsC;AACtC,sDAAkD;AAClD,+DAAiD;AACjD,uDAAyC;AACzC,+CAAiC;AAEjC,uCAAmD;AACnD,2CAA6B;AAC7B,iCAA2E;AAE3E;;GAEG;AACU,QAAA,8BAA8B,GAAG,CAAC,GAAG,IAAI,GAAG,IAAI,CAAC,CAAC,QAAQ;AAEvE;;GAEG;AACH,MAAM,mBAAmB,GAAG,QAAQ,CAAC;AAarC,SAAS,uCAAuC,CAC9C,kBAA0B,EAC1B,oBAA4B;IAE5B,OAAO;QACL,kBAAkB,EAAE,kBAAkB,GAAG,oBAAoB;QAC7D,kBAAkB;QAClB,oBAAoB;QACpB,gBAAgB,EAAE,KAAK;KACxB,CAAC;AACJ,CAAC;AAaD,SAAS,kCAAkC,CACzC,kBAA0B;IAE1B,OAAO;QACL,kBAAkB;QAClB,kBAAkB,EAAE,SAAS;QAC7B,oBAAoB,EAAE,SAAS;QAC/B,gBAAgB,EAAE,IAAI;KACvB,CAAC;AACJ,CAAC;AAaM,KAAK,UAAU,kBAAkB,CACtC,SAAiB,EACjB,IAAY,EACZ,aAAiC,EACjC,OAA4B,EAC5B,UAAsC,EACtC,MAAc;IAEd,MAAM,CAAC,IAAI,CACT,iCAAiC,SAAS,2BAA2B,CACtE,CAAC;IAEF,MAAM,iBAAiB,GAAG,GAAG,CAAC,sBAAsB,CAAC,SAAS,CAAC,CAAC;IAEhE,IAAI,CAAC;QACH,IAAI,iBAAiB,KAAK,MAAM,IAAI,OAAO,CAAC,QAAQ,KAAK,OAAO,EAAE,CAAC;YACjE,MAAM,CAAC,IAAI,CAAC,gDAAgD,CAAC,CAAC;YAE9D,MAAM,iBAAiB,GAAG,wBAAW,CAAC,GAAG,EAAE,CAAC;YAC5C,MAAM,mCAAmC,CACvC,SAAS,EACT,IAAI,EACJ,aAAa,EACb,OAAO,EACP,UAAW,EACX,MAAM,CACP,CAAC;YAEF,MAAM,kBAAkB,GAAG,IAAI,CAAC,KAAK,CACnC,wBAAW,CAAC,GAAG,EAAE,GAAG,iBAAiB,CACtC,CAAC;YACF,MAAM,CAAC,IAAI,CACT,wDAAwD,IAAI,KAAK,IAAA,wBAAc,EAC7E,kBAAkB,CACnB,IAAI,CACN,CAAC;YAEF,OAAO;gBACL,iBAAiB;gBACjB,QAAQ,EAAE,0BAA0B,CAAC,SAAS,CAAC;gBAC/C,GAAG,kCAAkC,CAAC,kBAAkB,CAAC;aAC1D,CAAC;QACJ,CAAC;IACH,CAAC;IAAC,OAAO,CAAC,EAAE,CAAC;QACX,IAAI,CAAC,OAAO,CACV,4EAA4E,IAAA,sBAAe,EAAC,CAAC,CAAC,EAAE,CACjG,CAAC;QACF,IAAI,CAAC,OAAO,CAAC,2DAA2D,CAAC,CAAC;QAE1E,gFAAgF;QAChF,uBAAuB;QACvB,MAAM,IAAA,kBAAW,EAAC,IAAI,EAAE,eAAe,EAAE,MAAM,CAAC,CAAC;IACnD,CAAC;IAED,MAAM,kBAAkB,GAAG,wBAAW,CAAC,GAAG,EAAE,CAAC;IAC7C,MAAM,kBAAkB,GAAG,MAAM,SAAS,CAAC,YAAY,CACrD,SAAS,EACT,SAAS,EACT,aAAa,EACb,OAAO,CACR,CAAC;IACF,MAAM,kBAAkB,GAAG,IAAI,CAAC,KAAK,CAAC,wBAAW,CAAC,GAAG,EAAE,GAAG,kBAAkB,CAAC,CAAC;IAE9E,MAAM,CAAC,IAAI,CACT,yCAAyC,kBAAkB,KAAK,IAAA,wBAAc,EAC5E,kBAAkB,CACnB,IAAI,CACN,CAAC;IAEF,IAAI,oBAA4B,CAAC;IAEjC,IAAI,CAAC;QACH,MAAM,CAAC,IAAI,CAAC,2BAA2B,CAAC,CAAC;QACzC,MAAM,eAAe,GAAG,wBAAW,CAAC,GAAG,EAAE,CAAC;QAC1C,MAAM,GAAG,CAAC,OAAO,CACf,kBAAkB,EAClB,IAAI,EACJ,iBAAiB,EACjB,UAAU,EACV,MAAM,CACP,CAAC;QACF,oBAAoB,GAAG,IAAI,CAAC,KAAK,CAAC,wBAAW,CAAC,GAAG,EAAE,GAAG,eAAe,CAAC,CAAC;QACvE,MAAM,CAAC,IAAI,CACT,wCAAwC,IAAI,KAAK,IAAA,wBAAc,EAC7D,oBAAoB,CACrB,IAAI,CACN,CAAC;IACJ,CAAC;YAAS,CAAC;QACT,MAAM,IAAA,kBAAW,EAAC,kBAAkB,EAAE,uBAAuB,EAAE,MAAM,CAAC,CAAC;IACzE,CAAC;IAED,OAAO;QACL,iBAAiB;QACjB,QAAQ,EAAE,0BAA0B,CAAC,SAAS,CAAC;QAC/C,GAAG,uCAAuC,CACxC,kBAAkB,EAClB,oBAAoB,CACrB;KACF,CAAC;AACJ,CAAC;AAED,KAAK,UAAU,mCAAmC,CAChD,SAAiB,EACjB,IAAY,EACZ,aAAiC,EACjC,OAA4B,EAC5B,UAA0B,EAC1B,MAAc;IAEd,4BAA4B;IAC5B,EAAE,CAAC,SAAS,CAAC,IAAI,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IAExC,mDAAmD;IACnD,MAAM,KAAK,GAAG,IAAI,wBAAU,EAAE,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC;IAEnD,8DAA8D;IAC9D,OAAO,GAAG,MAAM,CAAC,MAAM,CACrB,EAAE,YAAY,EAAE,eAAe,EAAE,EACjC,aAAa,CAAC,CAAC,CAAC,EAAE,aAAa,EAAE,CAAC,CAAC,CAAC,EAAE,EACtC,OAAO,CACR,CAAC;IACF,MAAM,QAAQ,GAAG,MAAM,IAAI,OAAO,CAAkB,CAAC,OAAO,EAAE,EAAE,CAC9D,wBAAK,CAAC,GAAG,CACP,SAAS,EACT;QACE,OAAO;QACP,uDAAuD;QACvD,aAAa,EAAE,sCAA8B;QAC7C,2CAA2C;QAC3C,KAAK;KACuB,EAC9B,CAAC,CAAC,EAAE,EAAE,CAAC,OAAO,CAAC,CAAC,CAAC,CAClB,CACF,CAAC;IAEF,IAAI,QAAQ,CAAC,UAAU,KAAK,GAAG,EAAE,CAAC;QAChC,MAAM,IAAI,KAAK,CACb,yCAAyC,SAAS,uBAAuB,QAAQ,CAAC,UAAU,GAAG,CAChG,CAAC;IACJ,CAAC;IAED,MAAM,GAAG,CAAC,aAAa,CAAC,QAAQ,EAAE,IAAI,EAAE,UAAU,EAAE,MAAM,CAAC,CAAC;AAC9D,CAAC;AAED,8FAA8F;AAC9F,SAAgB,qBAAqB,CAAC,OAAe;IACnD,OAAO,IAAI,CAAC,IAAI,CACd,IAAA,0BAAmB,EAAC,mBAAmB,CAAC,EACxC,mBAAmB,EACnB,MAAM,CAAC,KAAK,CAAC,OAAO,CAAC,IAAI,OAAO,EAChC,EAAE,CAAC,IAAI,EAAE,IAAI,EAAE,CAChB,CAAC;AACJ,CAAC;AAED,SAAgB,wBAAwB,CACtC,aAAqB,EACrB,MAAc;IAEd,MAAM,cAAc,GAAG,GAAG,aAAa,WAAW,CAAC;IACnD,EAAE,CAAC,aAAa,CAAC,cAAc,EAAE,EAAE,CAAC,CAAC;IACrC,MAAM,CAAC,IAAI,CAAC,iCAAiC,cAAc,EAAE,CAAC,CAAC;AACjE,CAAC;AAED,SAAS,0BAA0B,CAAC,GAAW;IAC7C,OAAO,CAAC,sBAAsB,EAAE,kCAAkC,CAAC,CAAC,IAAI,CACtE,CAAC,IAAI,EAAE,EAAE,CAAC,GAAG,CAAC,UAAU,CAAC,sBAAsB,IAAI,qBAAqB,CAAC,CAC1E;QACC,CAAC,CAAC,GAAG;QACL,CAAC,CAAC,iBAAiB,CAAC;AACxB,CAAC"}
+{"version":3,"file":"tools-download.js","sourceRoot":"","sources":["../src/tools-download.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAkFA,gDAkGC;AA8CD,sDAOC;AAED,4DAOC;AAlPD,uCAAyB;AAEzB,uCAAyB;AACzB,2CAA6B;AAC7B,2CAAyC;AAEzC,oDAAsC;AACtC,sDAAkD;AAClD,+DAAiD;AACjD,uDAAyC;AACzC,+CAAiC;AAEjC,uCAAmD;AACnD,2CAA6B;AAC7B,iCAA2E;AAE3E;;GAEG;AACU,QAAA,8BAA8B,GAAG,CAAC,GAAG,IAAI,GAAG,IAAI,CAAC,CAAC,QAAQ;AAEvE;;GAEG;AACH,MAAM,mBAAmB,GAAG,QAAQ,CAAC;AAarC,SAAS,uCAAuC,CAC9C,kBAA0B,EAC1B,oBAA4B;IAE5B,OAAO;QACL,kBAAkB,EAAE,kBAAkB,GAAG,oBAAoB;QAC7D,kBAAkB;QAClB,oBAAoB;QACpB,gBAAgB,EAAE,KAAK;KACxB,CAAC;AACJ,CAAC;AAaD,SAAS,kCAAkC,CACzC,kBAA0B;IAE1B,OAAO;QACL,kBAAkB;QAClB,kBAAkB,EAAE,SAAS;QAC7B,oBAAoB,EAAE,SAAS;QAC/B,gBAAgB,EAAE,IAAI;KACvB,CAAC;AACJ,CAAC;AAaM,KAAK,UAAU,kBAAkB,CACtC,SAAiB,EACjB,iBAAwC,EACxC,IAAY,EACZ,aAAiC,EACjC,OAA4B,EAC5B,UAAsC,EACtC,MAAc;IAEd,MAAM,CAAC,IAAI,CACT,iCAAiC,SAAS,2BAA2B,CACtE,CAAC;IAEF,IAAI,CAAC;QACH,IAAI,iBAAiB,KAAK,MAAM,IAAI,OAAO,CAAC,QAAQ,KAAK,OAAO,EAAE,CAAC;YACjE,MAAM,CAAC,IAAI,CAAC,gDAAgD,CAAC,CAAC;YAE9D,MAAM,iBAAiB,GAAG,wBAAW,CAAC,GAAG,EAAE,CAAC;YAC5C,MAAM,mCAAmC,CACvC,SAAS,EACT,IAAI,EACJ,aAAa,EACb,OAAO,EACP,UAAW,EACX,MAAM,CACP,CAAC;YAEF,MAAM,kBAAkB,GAAG,IAAI,CAAC,KAAK,CACnC,wBAAW,CAAC,GAAG,EAAE,GAAG,iBAAiB,CACtC,CAAC;YACF,MAAM,CAAC,IAAI,CACT,wDAAwD,IAAI,KAAK,IAAA,wBAAc,EAC7E,kBAAkB,CACnB,IAAI,CACN,CAAC;YAEF,OAAO;gBACL,iBAAiB;gBACjB,QAAQ,EAAE,0BAA0B,CAAC,SAAS,CAAC;gBAC/C,GAAG,kCAAkC,CAAC,kBAAkB,CAAC;aAC1D,CAAC;QACJ,CAAC;IACH,CAAC;IAAC,OAAO,CAAC,EAAE,CAAC;QACX,IAAI,CAAC,OAAO,CACV,4EAA4E,IAAA,sBAAe,EAAC,CAAC,CAAC,EAAE,CACjG,CAAC;QACF,IAAI,CAAC,OAAO,CAAC,2DAA2D,CAAC,CAAC;QAE1E,gFAAgF;QAChF,uBAAuB;QACvB,MAAM,IAAA,kBAAW,EAAC,IAAI,EAAE,eAAe,EAAE,MAAM,CAAC,CAAC;IACnD,CAAC;IAED,MAAM,kBAAkB,GAAG,wBAAW,CAAC,GAAG,EAAE,CAAC;IAC7C,MAAM,kBAAkB,GAAG,MAAM,SAAS,CAAC,YAAY,CACrD,SAAS,EACT,SAAS,EACT,aAAa,EACb,OAAO,CACR,CAAC;IACF,MAAM,kBAAkB,GAAG,IAAI,CAAC,KAAK,CAAC,wBAAW,CAAC,GAAG,EAAE,GAAG,kBAAkB,CAAC,CAAC;IAE9E,MAAM,CAAC,IAAI,CACT,yCAAyC,kBAAkB,KAAK,IAAA,wBAAc,EAC5E,kBAAkB,CACnB,IAAI,CACN,CAAC;IAEF,IAAI,oBAA4B,CAAC;IAEjC,IAAI,CAAC;QACH,MAAM,CAAC,IAAI,CAAC,2BAA2B,CAAC,CAAC;QACzC,MAAM,eAAe,GAAG,wBAAW,CAAC,GAAG,EAAE,CAAC;QAC1C,MAAM,GAAG,CAAC,OAAO,CACf,kBAAkB,EAClB,IAAI,EACJ,iBAAiB,EACjB,UAAU,EACV,MAAM,CACP,CAAC;QACF,oBAAoB,GAAG,IAAI,CAAC,KAAK,CAAC,wBAAW,CAAC,GAAG,EAAE,GAAG,eAAe,CAAC,CAAC;QACvE,MAAM,CAAC,IAAI,CACT,wCAAwC,IAAI,KAAK,IAAA,wBAAc,EAC7D,oBAAoB,CACrB,IAAI,CACN,CAAC;IACJ,CAAC;YAAS,CAAC;QACT,MAAM,IAAA,kBAAW,EAAC,kBAAkB,EAAE,uBAAuB,EAAE,MAAM,CAAC,CAAC;IACzE,CAAC;IAED,OAAO;QACL,iBAAiB;QACjB,QAAQ,EAAE,0BAA0B,CAAC,SAAS,CAAC;QAC/C,GAAG,uCAAuC,CACxC,kBAAkB,EAClB,oBAAoB,CACrB;KACF,CAAC;AACJ,CAAC;AAED,KAAK,UAAU,mCAAmC,CAChD,SAAiB,EACjB,IAAY,EACZ,aAAiC,EACjC,OAA4B,EAC5B,UAA0B,EAC1B,MAAc;IAEd,4BAA4B;IAC5B,EAAE,CAAC,SAAS,CAAC,IAAI,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IAExC,mDAAmD;IACnD,MAAM,KAAK,GAAG,IAAI,wBAAU,EAAE,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC;IAEnD,8DAA8D;IAC9D,OAAO,GAAG,MAAM,CAAC,MAAM,CACrB,EAAE,YAAY,EAAE,eAAe,EAAE,EACjC,aAAa,CAAC,CAAC,CAAC,EAAE,aAAa,EAAE,CAAC,CAAC,CAAC,EAAE,EACtC,OAAO,CACR,CAAC;IACF,MAAM,QAAQ,GAAG,MAAM,IAAI,OAAO,CAAkB,CAAC,OAAO,EAAE,EAAE,CAC9D,wBAAK,CAAC,GAAG,CACP,SAAS,EACT;QACE,OAAO;QACP,uDAAuD;QACvD,aAAa,EAAE,sCAA8B;QAC7C,2CAA2C;QAC3C,KAAK;KACuB,EAC9B,CAAC,CAAC,EAAE,EAAE,CAAC,OAAO,CAAC,CAAC,CAAC,CAClB,CACF,CAAC;IAEF,IAAI,QAAQ,CAAC,UAAU,KAAK,GAAG,EAAE,CAAC;QAChC,MAAM,IAAI,KAAK,CACb,yCAAyC,SAAS,uBAAuB,QAAQ,CAAC,UAAU,GAAG,CAChG,CAAC;IACJ,CAAC;IAED,MAAM,GAAG,CAAC,aAAa,CAAC,QAAQ,EAAE,IAAI,EAAE,UAAU,EAAE,MAAM,CAAC,CAAC;AAC9D,CAAC;AAED,8FAA8F;AAC9F,SAAgB,qBAAqB,CAAC,OAAe;IACnD,OAAO,IAAI,CAAC,IAAI,CACd,IAAA,0BAAmB,EAAC,mBAAmB,CAAC,EACxC,mBAAmB,EACnB,MAAM,CAAC,KAAK,CAAC,OAAO,CAAC,IAAI,OAAO,EAChC,EAAE,CAAC,IAAI,EAAE,IAAI,EAAE,CAChB,CAAC;AACJ,CAAC;AAED,SAAgB,wBAAwB,CACtC,aAAqB,EACrB,MAAc;IAEd,MAAM,cAAc,GAAG,GAAG,aAAa,WAAW,CAAC;IACnD,EAAE,CAAC,aAAa,CAAC,cAAc,EAAE,EAAE,CAAC,CAAC;IACrC,MAAM,CAAC,IAAI,CAAC,iCAAiC,cAAc,EAAE,CAAC,CAAC;AACjE,CAAC;AAED,SAAS,0BAA0B,CAAC,GAAW;IAC7C,OAAO,CAAC,sBAAsB,EAAE,kCAAkC,CAAC,CAAC,IAAI,CACtE,CAAC,IAAI,EAAE,EAAE,CAAC,GAAG,CAAC,UAAU,CAAC,sBAAsB,IAAI,qBAAqB,CAAC,CAC1E;QACC,CAAC,CAAC,GAAG;QACL,CAAC,CAAC,iBAAiB,CAAC;AACxB,CAAC"}
@@ -1,7 +1,42 @@
 "use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.ToolsFeature = void 0;
+exports.SafeArtifactUploadVersion = exports.ToolsFeature = void 0;
 exports.isSupportedToolsFeature = isSupportedToolsFeature;
+exports.isSafeArtifactUpload = isSafeArtifactUpload;
+const semver = __importStar(require("semver"));
 var ToolsFeature;
 (function (ToolsFeature) {
    ToolsFeature["AnalysisSummaryV2IsDefault"] = "analysisSummaryV2Default";
@@ -25,4 +60,20 @@ var ToolsFeature;
 function isSupportedToolsFeature(versionInfo, feature) {
    return !!versionInfo.features && versionInfo.features[feature];
 }
+exports.SafeArtifactUploadVersion = "2.20.3";
+/**
+ * The first version of the CodeQL CLI where artifact upload is safe to use
+ * for failed runs. This is not really a feature flag, but it is easiest to
+ * model the behavior as a feature flag.
+ *
+ * This was not captured in a tools feature, so we need to use semver.
+ *
+ * @param codeQlVersion The version of the CodeQL CLI to check. If not provided, it is assumed to be safe.
+ * @returns True if artifact upload is safe to use for failed runs or false otherwise.
+ */
+function isSafeArtifactUpload(codeQlVersion) {
+    return !codeQlVersion
+        ? true
+        : semver.gte(codeQlVersion, exports.SafeArtifactUploadVersion);
+}
 //# sourceMappingURL=tools-features.js.map
@@ -1 +1 @@
-{"version":3,"file":"tools-features.js","sourceRoot":"","sources":["../src/tools-features.ts"],"names":[],"mappings":";;;AAsBA,0DAKC;AAzBD,IAAY,YAWX;AAXD,WAAY,YAAY;IACtB,uEAAuD,CAAA;IACvD,mDAAmC,CAAA;IACnC,qHAAqG,CAAA;IACrG,+FAA+E,CAAA;IAC/E,yFAAyE,CAAA;IACzE,iEAAiD,CAAA;IACjD,qEAAqD,CAAA;IACrD,mFAAmE,CAAA;IACnE,iDAAiC,CAAA;IACjC,uFAAuE,CAAA;AACzE,CAAC,EAXW,YAAY,4BAAZ,YAAY,QAWvB;AAED;;;;;;GAMG;AACH,SAAgB,uBAAuB,CACrC,WAAwB,EACxB,OAAqB;IAErB,OAAO,CAAC,CAAC,WAAW,CAAC,QAAQ,IAAI,WAAW,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;AACjE,CAAC"}
+{"version":3,"file":"tools-features.js","sourceRoot":"","sources":["../src/tools-features.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAwBA,0DAKC;AAcD,oDAIC;AA/CD,+CAAiC;AAIjC,IAAY,YAWX;AAXD,WAAY,YAAY;IACtB,uEAAuD,CAAA;IACvD,mDAAmC,CAAA;IACnC,qHAAqG,CAAA;IACrG,+FAA+E,CAAA;IAC/E,yFAAyE,CAAA;IACzE,iEAAiD,CAAA;IACjD,qEAAqD,CAAA;IACrD,mFAAmE,CAAA;IACnE,iDAAiC,CAAA;IACjC,uFAAuE,CAAA;AACzE,CAAC,EAXW,YAAY,4BAAZ,YAAY,QAWvB;AAED;;;;;;GAMG;AACH,SAAgB,uBAAuB,CACrC,WAAwB,EACxB,OAAqB;IAErB,OAAO,CAAC,CAAC,WAAW,CAAC,QAAQ,IAAI,WAAW,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;AACjE,CAAC;AAEY,QAAA,yBAAyB,GAAG,QAAQ,CAAC;AAElD;;;;;;;;;GASG;AACH,SAAgB,oBAAoB,CAAC,aAAsB;IACzD,OAAO,CAAC,aAAa;QACnB,CAAC,CAAC,IAAI;QACN,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,aAAa,EAAE,iCAAyB,CAAC,CAAC;AAC3D,CAAC"}
@@ -59,7 +59,10 @@ async function runWrapper() {
                core.warning(`Did not upload debug artifacts because cannot determine the GitHub variant running.`);
                return;
            }
-            await (0, logging_1.withGroup)("Uploading combined SARIF debug artifact", () => debugArtifacts.uploadCombinedSarifArtifacts(logger, gitHubVersion.type));
+            await (0, logging_1.withGroup)("Uploading combined SARIF debug artifact", () => debugArtifacts.uploadCombinedSarifArtifacts(logger, gitHubVersion.type, 
+            // The codeqlVersion is not applicable for uploading non-codeql sarif.
+            // We can assume all versions are safe to upload.
+            undefined));
        }
    }
    catch (error) {
@@ -1 +1 @@
-{"version":3,"file":"upload-sarif-action-post.js","sourceRoot":"","sources":["../src/upload-sarif-action-post.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA;;;;GAIG;AACH,oDAAsC;AAEtC,4DAA8C;AAC9C,6CAAgD;AAChD,kEAAoD;AACpD,+CAAuC;AACvC,uCAAwD;AACxD,iCAAoE;AAEpE,KAAK,UAAU,UAAU;IACvB,IAAI,CAAC;QACH,6CAA6C;QAC7C,WAAW,CAAC,aAAa,EAAE,CAAC;QAC5B,MAAM,MAAM,GAAG,IAAA,0BAAgB,GAAE,CAAC;QAClC,MAAM,aAAa,GAAG,MAAM,IAAA,6BAAgB,GAAE,CAAC;QAC/C,IAAA,gCAAyB,EAAC,aAAa,EAAE,MAAM,CAAC,CAAC;QAEjD,kFAAkF;QAClF,mFAAmF;QACnF,IAAI,OAAO,CAAC,GAAG,CAAC,oBAAM,CAAC,mBAAmB,CAAC,KAAK,MAAM,EAAE,CAAC;YACvD,IAAI,aAAa,CAAC,IAAI,KAAK,SAAS,EAAE,CAAC;gBACrC,IAAI,CAAC,OAAO,CACV,qFAAqF,CACtF,CAAC;gBACF,OAAO;YACT,CAAC;YACD,MAAM,IAAA,mBAAS,EAAC,yCAAyC,EAAE,GAAG,EAAE,CAC9D,cAAc,CAAC,4BAA4B,CAAC,MAAM,EAAE,aAAa,CAAC,IAAI,CAAC,CACxE,CAAC;QACJ,CAAC;IACH,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,IAAI,CAAC,SAAS,CACZ,yCAAyC,IAAA,sBAAe,EAAC,KAAK,CAAC,EAAE,CAClE,CAAC;IACJ,CAAC;AACH,CAAC;AAED,KAAK,UAAU,EAAE,CAAC"}
+{"version":3,"file":"upload-sarif-action-post.js","sourceRoot":"","sources":["../src/upload-sarif-action-post.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA;;;;GAIG;AACH,oDAAsC;AAEtC,4DAA8C;AAC9C,6CAAgD;AAChD,kEAAoD;AACpD,+CAAuC;AACvC,uCAAwD;AACxD,iCAAoE;AAEpE,KAAK,UAAU,UAAU;IACvB,IAAI,CAAC;QACH,6CAA6C;QAC7C,WAAW,CAAC,aAAa,EAAE,CAAC;QAC5B,MAAM,MAAM,GAAG,IAAA,0BAAgB,GAAE,CAAC;QAClC,MAAM,aAAa,GAAG,MAAM,IAAA,6BAAgB,GAAE,CAAC;QAC/C,IAAA,gCAAyB,EAAC,aAAa,EAAE,MAAM,CAAC,CAAC;QAEjD,kFAAkF;QAClF,mFAAmF;QACnF,IAAI,OAAO,CAAC,GAAG,CAAC,oBAAM,CAAC,mBAAmB,CAAC,KAAK,MAAM,EAAE,CAAC;YACvD,IAAI,aAAa,CAAC,IAAI,KAAK,SAAS,EAAE,CAAC;gBACrC,IAAI,CAAC,OAAO,CACV,qFAAqF,CACtF,CAAC;gBACF,OAAO;YACT,CAAC;YACD,MAAM,IAAA,mBAAS,EAAC,yCAAyC,EAAE,GAAG,EAAE,CAC9D,cAAc,CAAC,4BAA4B,CACzC,MAAM,EACN,aAAa,CAAC,IAAI;YAClB,sEAAsE;YACtE,iDAAiD;YACjD,SAAS,CACV,CACF,CAAC;QACJ,CAAC;IACH,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,IAAI,CAAC,SAAS,CACZ,yCAAyC,IAAA,sBAAe,EAAC,KAAK,CAAC,EAAE,CAClE,CAAC;IACJ,CAAC;AACH,CAAC;AAED,KAAK,UAAU,EAAE,CAAC"}
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Arthur Baars	9e8d0789d4	Merge pull request #2757 from github/update-v3.28.9-24e1c2d33 Merge main into releases/v3	2025-02-07 11:34:10 +01:00
github-actions[bot]	43d9be6701	Update changelog for v3.28.9	2025-02-07 10:18:39 +00:00
Arthur Baars	24e1c2d337	Merge pull request #2753 from github/update-bundle/codeql-bundle-v2.20.4 Update default bundle to 2.20.4	2025-02-06 11:59:36 +01:00
github-actions[bot]	57a08c0c7f	Add changelog note	2025-02-04 11:22:54 +00:00
github-actions[bot]	52189d23af	Update default bundle to codeql-bundle-v2.20.4	2025-02-04 11:22:50 +00:00
Henry Mercer	08bc0cf022	Merge pull request #2751 from github/henrymercer/fix-init-post-without-config Send `init-post` status report in absence of config	2025-02-03 20:00:22 +00:00
Henry Mercer	cf7c687919	Send `init-post` status report in absence of config	2025-02-03 19:46:23 +00:00
Angela P Wen	ad42dbd32d	Merge pull request #2750 from github/dependabot/npm_and_yarn/npm-768bd9b555 build(deps): bump the npm group with 5 updates	2025-02-03 10:00:42 -08:00
Angela P Wen	a8f5935da0	Merge pull request #2749 from github/dependabot/github_actions/actions-29d379cebb build(deps): bump actions/create-github-app-token from 1.11.1 to 1.11.2 in the actions group	2025-02-03 09:24:29 -08:00
github-actions[bot]	9660df3fcc	Update checked-in dependencies	2025-02-03 17:20:53 +00:00
dependabot[bot]	3e913ef09d	build(deps): bump the npm group with 5 updates Bumps the npm group with 5 updates: \| Package \| From \| To \| \| --- \| --- \| --- \| \| [@octokit/types](https://github.com/octokit/types.ts) \| `13.7.0` \| `13.8.0` \| \| [semver](https://github.com/npm/node-semver) \| `7.6.3` \| `7.7.0` \| \| [@typescript-eslint/eslint-plugin](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/eslint-plugin) \| `8.22.0` \| `8.23.0` \| \| [@typescript-eslint/parser](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/parser) \| `8.22.0` \| `8.23.0` \| \| [eslint-plugin-github](https://github.com/github/eslint-plugin-github) \| `5.1.5` \| `5.1.7` \| Updates `@octokit/types` from 13.7.0 to 13.8.0 - [Release notes](https://github.com/octokit/types.ts/releases) - [Commits](https://github.com/octokit/types.ts/compare/v13.7.0...v13.8.0) Updates `semver` from 7.6.3 to 7.7.0 - [Release notes](https://github.com/npm/node-semver/releases) - [Changelog](https://github.com/npm/node-semver/blob/main/CHANGELOG.md) - [Commits](https://github.com/npm/node-semver/compare/v7.6.3...v7.7.0) Updates `@typescript-eslint/eslint-plugin` from 8.22.0 to 8.23.0 - [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases) - [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/eslint-plugin/CHANGELOG.md) - [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v8.23.0/packages/eslint-plugin) Updates `@typescript-eslint/parser` from 8.22.0 to 8.23.0 - [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases) - [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/parser/CHANGELOG.md) - [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v8.23.0/packages/parser) Updates `eslint-plugin-github` from 5.1.5 to 5.1.7 - [Release notes](https://github.com/github/eslint-plugin-github/releases) - [Commits](https://github.com/github/eslint-plugin-github/compare/v5.1.5...v5.1.7) --- updated-dependencies: - dependency-name: "@octokit/types" dependency-type: direct:production update-type: version-update:semver-minor dependency-group: npm - dependency-name: semver dependency-type: direct:production update-type: version-update:semver-minor dependency-group: npm - dependency-name: "@typescript-eslint/eslint-plugin" dependency-type: direct:development update-type: version-update:semver-minor dependency-group: npm - dependency-name: "@typescript-eslint/parser" dependency-type: direct:development update-type: version-update:semver-minor dependency-group: npm - dependency-name: eslint-plugin-github dependency-type: direct:development update-type: version-update:semver-patch dependency-group: npm ... Signed-off-by: dependabot[bot] <support@github.com>	2025-02-03 17:19:36 +00:00
dependabot[bot]	e456c53578	build(deps): bump actions/create-github-app-token in the actions group Bumps the actions group with 1 update: [actions/create-github-app-token](https://github.com/actions/create-github-app-token). Updates `actions/create-github-app-token` from 1.11.1 to 1.11.2 - [Release notes](https://github.com/actions/create-github-app-token/releases) - [Commits](https://github.com/actions/create-github-app-token/compare/c1a285145b9d317df6ced56c09f525b5c2b6f755...136412a57a7081aa63c935a2cc2918f76c34f514) --- updated-dependencies: - dependency-name: actions/create-github-app-token dependency-type: direct:production update-type: version-update:semver-patch dependency-group: actions ... Signed-off-by: dependabot[bot] <support@github.com>	2025-02-03 17:10:22 +00:00
Óscar San José	0701025a8b	Merge pull request #2727 from github/oscarsj-patch-1 Switch auth for enterprises-release repo from ssh to codeql CI token	2025-01-30 19:22:18 +01:00
Henry Mercer	9a4ae2164a	Merge pull request #2748 from github/henrymercer/pin-setup-ruby Pin `ruby/setup-ruby` Action to v1.215.0	2025-01-30 17:48:15 +00:00
Henry Mercer	5be1eb0d46	Pin `ruby/setup-ruby` Action to v1.215.0	2025-01-30 11:09:54 +00:00
Andrew Eisenberg	dcf2d0d183	Merge branch 'main' into oscarsj-patch-1	2025-01-29 14:16:29 -08:00
Andrew Eisenberg	e9987ad0c1	Merge pull request #2725 from github/aeisenberg/enable-actions-analysis Add actions analysis to code scanning	2025-01-29 14:16:07 -08:00
Andrew Eisenberg	50954e7f00	Use a separate config file for actions queries	2025-01-29 12:25:34 -08:00
Henry Mercer	cf6550fa50	Merge pull request #2747 from github/mergeback/v3.28.8-to-main-dd746615 Mergeback v3.28.8 refs/heads/releases/v3 into main	2025-01-29 19:50:50 +00:00
github-actions[bot]	30ac3f3555	Update checked-in dependencies	2025-01-29 19:00:06 +00:00
github-actions[bot]	44dfd8f991	Update changelog and version after v3.28.8	2025-01-29 18:58:44 +00:00
Ian Lynagh	dd746615b3	Merge pull request #2746 from github/update-v3.28.8-a91a3f767 Merge main into releases/v3	2025-01-29 18:57:40 +00:00
Ian Lynagh	3210a3cda6	Fix Kotlin version in changelog	2025-01-29 18:33:39 +00:00
github-actions[bot]	72f9d0296b	Update changelog for v3.28.8	2025-01-29 18:02:09 +00:00
Ian Lynagh	a91a3f7678	Merge pull request #2744 from github/igfoo/kot2.1.10 Kotlin: The 2.20.3 release supports Kotlin 2.1.10.	2025-01-29 16:45:39 +00:00
Marco Gario	c520fb59d4	Merge pull request #2745 from github/mergeback/v3.28.7-to-main-6e545590 Mergeback v3.28.7 refs/heads/releases/v3 into main	2025-01-29 14:22:11 +01:00
Ian Lynagh	3879c57660	Add changelog entry	2025-01-29 13:08:49 +00:00
Ian Lynagh	0c2193725f	Run "npm run build"	2025-01-29 13:08:49 +00:00
Ian Lynagh	5a61bf07fa	Kotlin: The 2.20.3 release supports Kotlin 2.1.10.	2025-01-29 13:08:49 +00:00
github-actions[bot]	163d1195df	Update checked-in dependencies	2025-01-29 13:05:13 +00:00
github-actions[bot]	bcf5cecbc6	Update changelog and version after v3.28.7	2025-01-29 13:04:01 +00:00
Marco Gario	6e54559041	Merge pull request #2743 from github/update-v3.28.7-797fb30ed Merge main into releases/v3	2025-01-29 14:03:15 +01:00
github-actions[bot]	cd346029a4	Update changelog for v3.28.7	2025-01-29 12:45:09 +00:00
Marco Gario	797fb30eda	Merge pull request #2741 from github/reset_proxy_envs Properly unset proxy env if empty	2025-01-29 13:23:57 +01:00
Óscar San José	1b7bc4888b	Rename token to clarify scope	2025-01-29 12:34:35 +01:00
Marco Gario	f98f14dd82	Unset proxy env	2025-01-29 11:04:28 +00:00
Marco Gario	14b9c0ec59	Merge pull request #2740 from github/revert-2724-marcogario/skip_proxy Revert "start-proxy: Skip proxy setup if no credentials are available"	2025-01-29 11:03:48 +01:00
Marco Gario	7fdc1b8d67	Revert "start-proxy: Skip proxy setup if no credentials are available"	2025-01-29 09:33:23 +01:00
Marco Gario	54b1c84213	Merge pull request #2724 from github/marcogario/skip_proxy start-proxy: Skip proxy setup if no credentials are available	2025-01-28 22:15:51 +01:00
Marco Gario	76622e7fee	Merge branch 'main' into marcogario/skip_proxy	2025-01-28 19:49:45 +00:00
Marco Gario	5f4f998a94	Merge pull request #2733 from github/marcogario/remove_proxy_password start-proxy: Remove unusued proxy_password input	2025-01-28 09:59:10 +01:00
Andrew Eisenberg	43cffee811	Merge pull request #2736 from github/mergeback/v3.28.6-to-main-17a820bf Mergeback v3.28.6 refs/heads/releases/v3 into main	2025-01-27 13:25:18 -08:00
github-actions[bot]	a5f217b812	Update checked-in dependencies	2025-01-27 21:06:23 +00:00
github-actions[bot]	c386dcd486	Update changelog and version after v3.28.6	2025-01-27 21:04:21 +00:00
Andrew Eisenberg	17a820bf2e	Merge pull request #2735 from github/aeisenberg/fix-permissions Add extra permission to mergeback workflow	2025-01-27 13:00:25 -08:00
Andrew Eisenberg	3a4eae00ff	Add extra permission to mergeback workflow	2025-01-27 12:45:34 -08:00
Andrew Eisenberg	4e83f6b818	Merge pull request #2732 from github/update-v3.28.6-b49419044 Merge main into releases/v3	2025-01-27 12:28:00 -08:00
Marco Gario	e2f043dee4	Remove unusued proxy_password input	2025-01-27 20:10:59 +00:00
github-actions[bot]	64ad47c7c1	Update changelog for v3.28.6	2025-01-27 20:04:40 +00:00
Marco Gario	8aa028b476	Merge branch 'main' into marcogario/skip_proxy	2025-01-27 20:24:32 +01:00
Andrew Eisenberg	b494190443	Merge pull request #2726 from github/aeisenberg/reenable-artifact-upload Ensure artifacts are only uploaded in safe situations	2025-01-27 11:10:46 -08:00
Andrew Eisenberg	a879704805	Clarify test fail;ure message	2025-01-27 10:51:01 -08:00
Andrew Eisenberg	62c322fad9	Add better comments around artifact upload tests	2025-01-27 10:18:03 -08:00
Andrew Eisenberg	c6b286132e	Merge pull request #2731 from github/dependabot/npm_and_yarn/npm-e1e9e6cd15 build(deps-dev): bump the npm group with 4 updates	2025-01-27 10:14:25 -08:00
Andrew Eisenberg	9ba5bca2ab	Update Python version to 3.13 in workflow	2025-01-27 09:29:49 -08:00
Andrew Eisenberg	297e89a0d9	Merge pull request #2723 from github/marcogario/start-proxy_tests start-proxy: Fix bug when language is not provided	2025-01-27 09:25:59 -08:00
github-actions[bot]	357e0ceaa9	Update checked-in dependencies	2025-01-27 17:21:38 +00:00
dependabot[bot]	7fdbca3ba3	build(deps-dev): bump the npm group with 4 updates Bumps the npm group with 4 updates: [@eslint/js](https://github.com/eslint/eslint/tree/HEAD/packages/js), [@typescript-eslint/eslint-plugin](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/eslint-plugin), [@typescript-eslint/parser](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/parser) and [nock](https://github.com/nock/nock). Updates `@eslint/js` from 9.18.0 to 9.19.0 - [Release notes](https://github.com/eslint/eslint/releases) - [Changelog](https://github.com/eslint/eslint/blob/main/CHANGELOG.md) - [Commits](https://github.com/eslint/eslint/commits/v9.19.0/packages/js) Updates `@typescript-eslint/eslint-plugin` from 8.21.0 to 8.22.0 - [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases) - [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/eslint-plugin/CHANGELOG.md) - [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v8.22.0/packages/eslint-plugin) Updates `@typescript-eslint/parser` from 8.21.0 to 8.22.0 - [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases) - [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/parser/CHANGELOG.md) - [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v8.22.0/packages/parser) Updates `nock` from 13.5.6 to 14.0.0 - [Release notes](https://github.com/nock/nock/releases) - [Changelog](https://github.com/nock/nock/blob/main/CHANGELOG.md) - [Commits](https://github.com/nock/nock/compare/v13.5.6...v14.0.0) --- updated-dependencies: - dependency-name: "@eslint/js" dependency-type: direct:development update-type: version-update:semver-minor dependency-group: npm - dependency-name: "@typescript-eslint/eslint-plugin" dependency-type: direct:development update-type: version-update:semver-minor dependency-group: npm - dependency-name: "@typescript-eslint/parser" dependency-type: direct:development update-type: version-update:semver-minor dependency-group: npm - dependency-name: nock dependency-type: direct:development update-type: version-update:semver-major dependency-group: npm ... Signed-off-by: dependabot[bot] <support@github.com>	2025-01-27 17:20:44 +00:00
Marco Gario	7c2eafa990	Use ConfigureationError for exceptions	2025-01-27 10:09:07 +00:00
Óscar San José	faa23b6fee	Switch auth for enterprises-release repo from ssh to codeql CI token	2025-01-27 10:54:47 +01:00
Andrew Eisenberg	a2c1b36bdf	Iterate over each version Not sure why we need this now, but didn't before.	2025-01-26 19:18:07 -08:00
Andrew Eisenberg	346d06794f	Fix CLI versions	2025-01-26 19:17:29 -08:00
Andrew Eisenberg	f71067bd5f	Stop using feature-flag support for determining if a feature is active Using the feature flag mechanism for checking if uploads are enabled was too clunky. I'm moving the change to checking versions directly.	2025-01-26 13:42:15 -08:00
Andrew Eisenberg	5ff24648ef	Update changelog	2025-01-25 15:34:21 -08:00
Andrew Eisenberg	2bab9f7984	Ensure artifacts are only uploaded in safe situations This commit: Turns on uploading of artifacts again but only if CLI version is >= 2.20.3. I implemented the check using our feature flag functionality. I was on the fence about this since it makes the PR more complex. However, it does give us more flexibility when controlling artifact uploads. Also, I renamed the two workflows that were previously disabled. This way we will not accidentally enable the old workflows for previous versions of the action.	2025-01-25 15:31:35 -08:00
Andrew Eisenberg	de4457eac2	Add actions analysis to code scannign Create a new job to run actions since we don't need to matrix the runs across multiple OSes.	2025-01-24 15:14:37 -08:00
Marco Gario	7d7758bb24	Skip proxy if no credentials	2025-01-24 21:46:40 +00:00
Marco Gario	f6d19ed42e	Formatting	2025-01-24 20:27:36 +00:00
Marco Gario	ecf723239a	Sanitize inputs	2025-01-24 20:20:10 +00:00
Dave Bartolomeo	e7c0c9d71b	Merge pull request #2722 from github/mergeback/v3.28.5-to-main-f6091c01 Mergeback v3.28.5 refs/heads/releases/v3 into main	2025-01-24 11:52:47 -05:00
Marco Gario	51bb5eb99a	Fix bug in getCredentials + tests	2025-01-24 16:39:47 +00:00
Henry Mercer	4b8aeabbe4	Merge branch 'main' into mergeback/v3.28.5-to-main-f6091c01	2025-01-24 16:39:07 +00:00
github-actions[bot]	336c69eec0	Update checked-in dependencies	2025-01-24 16:37:53 +00:00
github-actions[bot]	da67fa0eb5	Update changelog and version after v3.28.5	2025-01-24 16:34:16 +00:00
Dave Bartolomeo	f6091c0113	Merge pull request #2721 from github/update-v3.28.5-01f001931 Merge main into releases/v3	2025-01-24 11:26:18 -05:00
Henry Mercer	c22d1f36ab	Merge pull request #2720 from github/henrymercer/add-permissions Restrict workflow permissions	2025-01-24 16:21:00 +00:00
github-actions[bot]	064af10f0d	Update changelog for v3.28.5	2025-01-24 16:11:52 +00:00
Dave Bartolomeo	01f0019310	Merge pull request #2717 from github/update-bundle/codeql-bundle-v2.20.3 Update default bundle to 2.20.3	2025-01-24 09:53:17 -05:00
Henry Mercer	3b34c672ca	Merge branch 'main' into henrymercer/add-permissions	2025-01-24 13:40:54 +00:00
Henry Mercer	9cd802ec12	Give only read-level `security-events` permission where possible	2025-01-24 13:27:33 +00:00
Henry Mercer	d39065943f	Add missing permissions	2025-01-24 13:21:05 +00:00
Stephan Brandauer	573ad887cd	Merge pull request #2718 from github/kaeluka/4779-1 Update workflow permissions	2025-01-24 14:16:12 +01:00
Stephan Brandauer	d7f39764f6	permissions block in query-filters.yml	2025-01-24 12:12:00 +01:00
github-actions[bot]	428975ce2c	Add changelog note	2025-01-23 22:15:18 +00:00
github-actions[bot]	208091da0a	Update default bundle to codeql-bundle-v2.20.3	2025-01-23 22:15:14 +00:00
Chris Smowton	7e3036b9cd	Merge pull request #2716 from github/mergeback/v3.28.4-to-main-ee117c90 Mergeback v3.28.4 refs/heads/releases/v3 into main	2025-01-23 17:09:33 +00:00
github-actions[bot]	e32a0d62d4	Update checked-in dependencies	2025-01-23 16:48:10 +00:00
github-actions[bot]	67c21e4084	Update changelog and version after v3.28.4	2025-01-23 16:44:36 +00:00
Chris Smowton	ee117c905a	Merge pull request #2715 from github/update-v3.28.4-b44b19fe8 Merge main into releases/v3	2025-01-23 16:43:44 +00:00
github-actions[bot]	377913f015	Update changelog for v3.28.4	2025-01-23 16:28:37 +00:00
Angela P Wen	b44b19fe8d	Merge pull request #2714 from github/mergeback/v3.28.3-to-main-dd196fa9 Mergeback v3.28.3 refs/heads/releases/v3 into main	2025-01-22 11:34:36 -08:00
github-actions[bot]	d7366a1e50	Update checked-in dependencies	2025-01-22 19:16:53 +00:00
github-actions[bot]	4872b26ff9	Update changelog and version after v3.28.3	2025-01-22 19:14:27 +00:00
Angela P Wen	dd196fa9ce	Merge pull request #2713 from github/update-v3.28.3-23ec3afaf Merge main into releases/v3	2025-01-22 11:13:29 -08:00
github-actions[bot]	23d07bb885	Update changelog for v3.28.3	2025-01-22 18:55:38 +00:00
Angela P Wen	23ec3afaf8	Merge pull request #2712 from github/angelapwen/stop-debug-artifacts Temporarily disable uploading debug artifacts	2025-01-22 10:53:09 -08:00
Angela P Wen	519de26711	Temporarily disable uploading debug artifacts	2025-01-22 10:35:38 -08:00
Henry Mercer	7e4b683a3d	Merge pull request #2710 from github/henrymercer/fix-extension-assumption Fix assumption that download URLs contain file extension	2025-01-22 16:03:43 +00:00
Henry Mercer	3505f8142a	Merge branch 'main' into henrymercer/fix-extension-assumption	2025-01-22 14:52:26 +00:00
Chris Smowton	1645dbd3bf	Merge pull request #2707 from github/update-bundle/codeql-bundle-v2.20.2 Update default bundle to 2.20.2	2025-01-22 14:41:04 +00:00
Chris Smowton	4b7c237f3d	Merge branch 'main' into update-bundle/codeql-bundle-v2.20.2	2025-01-22 14:27:19 +00:00
Henry Mercer	924ef8f189	Merge pull request #2711 from github/dependabot/npm_and_yarn/npm_and_yarn-2c579f9325 build(deps): bump undici from 5.28.4 to 5.28.5 in the npm_and_yarn group	2025-01-22 13:35:07 +00:00
github-actions[bot]	140c5ea762	Update checked-in dependencies	2025-01-22 13:22:06 +00:00
dependabot[bot]	c34eb63970	build(deps): bump undici from 5.28.4 to 5.28.5 in the npm_and_yarn group Bumps the npm_and_yarn group with 1 update: [undici](https://github.com/nodejs/undici). Updates `undici` from 5.28.4 to 5.28.5 - [Release notes](https://github.com/nodejs/undici/releases) - [Commits](https://github.com/nodejs/undici/compare/v5.28.4...v5.28.5) --- updated-dependencies: - dependency-name: undici dependency-type: indirect dependency-group: npm_and_yarn ... Signed-off-by: dependabot[bot] <support@github.com>	2025-01-22 13:20:50 +00:00
Henry Mercer	07d32980ce	Tweak wording of changelog entry	2025-01-22 13:14:30 +00:00
Henry Mercer	20bbc8f5b5	Add changelog note	2025-01-22 13:02:46 +00:00
Henry Mercer	d23f49f56f	Fix assumption that download URLs contain file extension This is not the case when downloading the bundle from a GitHub Release synced to GHES with the CodeQL Action sync tool.	2025-01-22 13:02:45 +00:00
github-actions[bot]	a0c2b7d296	Add changelog note	2025-01-21 14:20:16 +00:00
github-actions[bot]	aa76523503	Update default bundle to codeql-bundle-v2.20.2	2025-01-21 14:20:11 +00:00
				`@@ -0,0 +1 @@`
				{"version":3,"file":"start-proxy.js","sourceRoot":"","sources":["../src/start-proxy.ts"],"names":[],"mappings":";;AA8BA,wCA2EC;AAzGD,2CAAsD;AAEtD,iCAA4C;AAW5C,MAAM,yBAAyB,GAA6B;IAC1D,IAAI,EAAE,kBAAkB;IACxB,MAAM,EAAE,YAAY;IACpB,UAAU,EAAE,cAAc;IAC1B,MAAM,EAAE,cAAc;IACtB,IAAI,EAAE,iBAAiB;IACvB,IAAI,EAAE,gBAAgB;IACtB,oFAAoF;IACpF,OAAO,EAAE,EAAE;IACX,GAAG,EAAE,EAAE;IACP,EAAE,EAAE,EAAE;IACN,KAAK,EAAE,EAAE;CACD,CAAC;AAEX,kEAAkE;AAClE,+DAA+D;AAC/D,gDAAgD;AAChD,SAAgB,cAAc,CAC5B,MAAc,EACd,eAAmC,EACnC,qBAAyC,EACzC,cAAkC;IAElC,MAAM,QAAQ,GAAG,cAAc,CAAC,CAAC,CAAC,IAAA,yBAAa,EAAC,cAAc,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;IAC5E,MAAM,uBAAuB,GAAG,QAAQ;QACtC,CAAC,CAAC,yBAAyB,CAAC,QAAQ,CAAC;QACrC,CAAC,CAAC,SAAS,CAAC;IAEd,IAAI,cAAsB,CAAC;IAC3B,IAAI,qBAAqB,KAAK,SAAS,EAAE,CAAC;QACxC,MAAM,CAAC,IAAI,CAAC,qCAAqC,CAAC,CAAC;QACnD,cAAc,GAAG,MAAM,CAAC,IAAI,CAAC,qBAAqB,EAAE,QAAQ,CAAC,CAAC,QAAQ,EAAE,CAAC;IAC3E,CAAC;SAAM,IAAI,eAAe,KAAK,SAAS,EAAE,CAAC;QACzC,MAAM,CAAC,IAAI,CAAC,+BAA+B,CAAC,CAAC;QAC7C,cAAc,GAAG,eAAe,CAAC;IACnC,CAAC;SAAM,CAAC;QACN,MAAM,CAAC,IAAI,CAAC,yBAAyB,CAAC,CAAC;QACvC,OAAO,EAAE,CAAC;IACZ,CAAC;IAED,qCAAqC;IACrC,IAAI,MAAoB,CAAC;IACzB,IAAI,CAAC;QACH,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,cAAc,CAAiB,CAAC;IACtD,CAAC;IAAC,MAAM,CAAC;QACP,oEAAoE;QACpE,MAAM,CAAC,KAAK,CAAC,uCAAuC,CAAC,CAAC;QACtD,MAAM,IAAI,yBAAkB,CAAC,6BAA6B,CAAC,CAAC;IAC9D,CAAC;IAED,MAAM,GAAG,GAAiB,EAAE,CAAC;IAC7B,KAAK,MAAM,CAAC,IAAI,MAAM,EAAE,CAAC;QACvB,IAAI,CAAC,CAAC,GAAG,KAAK,SAAS,IAAI,CAAC,CAAC,IAAI,KAAK,SAAS,EAAE,CAAC;YAChD,yFAAyF;YACzF,MAAM,IAAI,yBAAkB,CAC1B,gDAAgD,CACjD,CAAC;QACJ,CAAC;QAED,kFAAkF;QAClF,iEAAiE;QACjE,IAAI,uBAAuB,IAAI,CAAC,CAAC,IAAI,KAAK,uBAAuB,EAAE,CAAC;YAClE,SAAS;QACX,CAAC;QAED,MAAM,WAAW,GAAG,CAAC,GAAuB,EAAW,EAAE;YACvD,OAAO,GAAG,CAAC,CAAC,CAAC,gBAAgB,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;QACjD,CAAC,CAAC;QAEF,IACE,CAAC,WAAW,CAAC,CAAC,CAAC,IAAI,CAAC;YACpB,CAAC,WAAW,CAAC,CAAC,CAAC,IAAI,CAAC;YACpB,CAAC,WAAW,CAAC,CAAC,CAAC,GAAG,CAAC;YACnB,CAAC,WAAW,CAAC,CAAC,CAAC,QAAQ,CAAC;YACxB,CAAC,WAAW,CAAC,CAAC,CAAC,QAAQ,CAAC;YACxB,CAAC,WAAW,CAAC,CAAC,CAAC,KAAK,CAAC,EACrB,CAAC;YACD,MAAM,IAAI,yBAAkB,CAC1B,qEAAqE,CACtE,CAAC;QACJ,CAAC;QAED,GAAG,CAAC,IAAI,CAAC;YACP,IAAI,EAAE,CAAC,CAAC,IAAI;YACZ,IAAI,EAAE,CAAC,CAAC,IAAI;YACZ,GAAG,EAAE,CAAC,CAAC,GAAG;YACV,QAAQ,EAAE,CAAC,CAAC,QAAQ;YACpB,QAAQ,EAAE,CAAC,CAAC,QAAQ;YACpB,KAAK,EAAE,CAAC,CAAC,KAAK;SACf,CAAC,CAAC;IACL,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC"}
				`@@ -0,0 +1 @@`
				{"version":3,"file":"start-proxy.test.js","sourceRoot":"","sources":["../src/start-proxy.test.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA,8CAAuB;AAEvB,uCAA4C;AAC5C,iEAAmD;AACnD,mDAA6C;AAE7C,IAAA,0BAAU,EAAC,aAAI,CAAC,CAAC;AAEjB,IAAA,aAAI,EAAC,mEAAmE,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;IACpF,MAAM,mBAAmB,GAAG,MAAM,CAAC,IAAI,CACrC,IAAI,CAAC,SAAS,CAAC;QACb,EAAE,IAAI,EAAE,cAAc,EAAE,IAAI,EAAE,oBAAoB,EAAE,KAAK,EAAE,KAAK,EAAE;KACnE,CAAC,CACH,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;IACrB,MAAM,eAAe,GAAG,IAAI,CAAC,SAAS,CAAC;QACrC,EAAE,IAAI,EAAE,cAAc,EAAE,IAAI,EAAE,oBAAoB,EAAE,KAAK,EAAE,KAAK,EAAE;KACnE,CAAC,CAAC;IAEH,MAAM,WAAW,GAAG,iBAAiB,CAAC,cAAc,CAClD,IAAA,yBAAe,EAAC,IAAI,CAAC,EACrB,eAAe,EACf,mBAAmB,EACnB,SAAS,CACV,CAAC;IACF,CAAC,CAAC,EAAE,CAAC,WAAW,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC;IAC5B,CAAC,CAAC,EAAE,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,oBAAoB,CAAC,CAAC;AAClD,CAAC,CAAC,CAAC;AAEH,IAAA,aAAI,EAAC,kEAAkE,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;IACnF,MAAM,mBAAmB,GAAG,MAAM,CAAC,IAAI,CACrC,IAAI,CAAC,SAAS,CAAC,CAAC,EAAE,IAAI,EAAE,cAAc,EAAE,KAAK,EAAE,KAAK,EAAE,CAAC,CAAC,CACzD,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;IAErB,CAAC,CAAC,MAAM,CACN,GAAG,EAAE,CACH,iBAAiB,CAAC,cAAc,CAC9B,IAAA,yBAAe,EAAC,IAAI,CAAC,EACrB,SAAS,EACT,mBAAmB,EACnB,SAAS,CACV,EACH;QACE,OAAO,EAAE,gDAAgD;KAC1D,CACF,CAAC;AACJ,CAAC,CAAC,CAAC;AAEH,IAAA,aAAI,EAAC,mDAAmD,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;IACpE,MAAM,gBAAgB,GAAG;QACvB,EAAE,IAAI,EAAE,cAAc,EAAE,IAAI,EAAE,oBAAoB,EAAE,KAAK,EAAE,KAAK,EAAE;QAClE,EAAE,IAAI,EAAE,kBAAkB,EAAE,IAAI,EAAE,sBAAsB,EAAE,KAAK,EAAE,KAAK,EAAE;QACxE,EAAE,IAAI,EAAE,YAAY,EAAE,IAAI,EAAE,sBAAsB,EAAE,KAAK,EAAE,KAAK,EAAE;KACnE,CAAC;IAEF,MAAM,WAAW,GAAG,iBAAiB,CAAC,cAAc,CAClD,IAAA,yBAAe,EAAC,IAAI,CAAC,EACrB,SAAS,EACT,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,gBAAgB,CAAC,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,EAChE,MAAM,CACP,CAAC;IACF,CAAC,CAAC,EAAE,CAAC,WAAW,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC;IAC5B,CAAC,CAAC,EAAE,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,kBAAkB,CAAC,CAAC;AAChD,CAAC,CAAC,CAAC;AAEH,IAAA,aAAI,EAAC,mEAAmE,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;IACpF,MAAM,gBAAgB,GAAG;QACvB,EAAE,IAAI,EAAE,cAAc,EAAE,IAAI,EAAE,oBAAoB,EAAE,KAAK,EAAE,KAAK,EAAE;QAClE,EAAE,IAAI,EAAE,kBAAkB,EAAE,IAAI,EAAE,sBAAsB,EAAE,KAAK,EAAE,KAAK,EAAE;QACxE,EAAE,IAAI,EAAE,YAAY,EAAE,IAAI,EAAE,sBAAsB,EAAE,KAAK,EAAE,KAAK,EAAE;KACnE,CAAC;IACF,MAAM,gBAAgB,GAAG,MAAM,CAAC,IAAI,CAClC,IAAI,CAAC,SAAS,CAAC,gBAAgB,CAAC,CACjC,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;IAErB,MAAM,WAAW,GAAG,iBAAiB,CAAC,cAAc,CAClD,IAAA,yBAAe,EAAC,IAAI,CAAC,EACrB,SAAS,EACT,gBAAgB,EAChB,SAAS,CACV,CAAC;IACF,CAAC,CAAC,EAAE,CAAC,WAAW,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC;AAC9B,CAAC,CAAC,CAAC;AAEH,IAAA,aAAI,EAAC,uEAAuE,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;IACxF,MAAM,kBAAkB,GAAG;QACzB,EAAE,IAAI,EAAE,YAAY,EAAE,IAAI,EAAE,uBAAuB,EAAE,KAAK,EAAE,WAAW,EAAE,EAAE,mCAAmC;QAC9G,EAAE,IAAI,EAAE,YAAY,EAAE,IAAI,EAAE,6BAA6B,EAAE,EAAE,kCAAkC;QAC/F;YACE,IAAI,EAAE,YAAY;YAClB,IAAI,EAAE,uBAAuB;YAC7B,QAAQ,EAAE,WAAW;SACtB,EAAE,sCAAsC;QACzC,EAAE,IAAI,EAAE,YAAY,EAAE,IAAI,EAAE,uBAAuB,EAAE,QAAQ,EAAE,SAAS,EAAE,EAAE,sCAAsC;KACnH,CAAC;IAEF,KAAK,MAAM,iBAAiB,IAAI,kBAAkB,EAAE,CAAC;QACnD,MAAM,gBAAgB,GAAG,MAAM,CAAC,IAAI,CAClC,IAAI,CAAC,SAAS,CAAC,CAAC,iBAAiB,CAAC,CAAC,CACpC,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;QAErB,CAAC,CAAC,MAAM,CACN,GAAG,EAAE,CACH,iBAAiB,CAAC,cAAc,CAC9B,IAAA,yBAAe,EAAC,IAAI,CAAC,EACrB,SAAS,EACT,gBAAgB,EAChB,SAAS,CACV,EACH;YACE,OAAO,EACL,qEAAqE;SACxE,CACF,CAAC;IACJ,CAAC;AACH,CAAC,CAAC,CAAC"}