Add a debug log for the feature flag API response

Differentiate setupCodeql.setupCodeQL from codeql.setupCodeQL
Add test for using default version with no requested URL on Dotcom
2026-05-09 07:10:22 +00:00 · 2023-01-11 19:10:22 +00:00 · 2023-01-11 19:06:50 +00:00 · 2023-01-11 19:06:50 +00:00 · 2023-01-11 19:06:50 +00:00 · 2023-01-11 19:06:50 +00:00
160 changed files with 3834 additions and 3954 deletions
@@ -1,20 +1,17 @@
 version: 2
 updates:
-  - package-ecosystem: "npm"
+  - package-ecosystem: npm
    directory: "/"
    schedule:
-      interval: "weekly"
-      day: "thursday" # Gives us a working day to merge this before our typical release
+      interval: weekly
    labels:
-      - "Update dependencies"
+      - Update dependencies
    ignore:
      - dependency-name: "*"
-        update-types: ["version-update:semver-minor", "version-update:semver-patch"]
-  - package-ecosystem: "npm"
-    directory: "/runner"
+        update-types:
+          - version-update:semver-minor
+          - version-update:semver-patch
+  - package-ecosystem: github-actions
+    directory: "/"
    schedule:
-      interval: "weekly"
-      day: "thursday" # Gives us a working day to merge this before our typical release
-    ignore:
-      - dependency-name: "*"
-        update-types: ["version-update:semver-minor", "version-update:semver-patch"]
+      interval: weekly
@@ -0,0 +1,32 @@
+name: "Set up Swift"
+description: Performs necessary steps to set up appropriate Swift version.
+inputs:
+  codeql-path:
+    required: true
+runs:
+  using: "composite"
+  steps:
+    - name: Get Swift version
+      id: get_swift_version
+      # We don't support Swift on Windows or prior versions of CLI.
+      if: "(runner.os != 'Windows') && (matrix.version == 'cached' || matrix.version == 'latest' || matrix.version == 'nightly-latest')"
+      shell: bash
+      env: 
+        CODEQL_PATH: ${{inputs.codeql-path}}
+      run: |
+        if [ $RUNNER_OS = "macOS" ]; then
+          PLATFORM="osx64"
+        else # We do not run this step on Windows.
+          PLATFORM="linux64"
+        fi 
+        SWIFT_EXTRACTOR_DIR="$("$CODEQL_PATH" resolve languages --format json | jq -r '.swift[0]')"
+        VERSION="$("$SWIFT_EXTRACTOR_DIR/tools/$PLATFORM/extractor" --version | awk '/version/ { print $3 }')"
+        # Specify 5.7.0, otherwise setup Action will default to latest minor version. 
+        if [ $VERSION = "5.7" ]; then
+          VERSION="5.7.0"
+        fi
+        echo "version=$VERSION" | tee -a $GITHUB_OUTPUT
+    - uses: swift-actions/setup-swift@194625b58a582570f61cc707c3b558086c26b723
+      if: "(runner.os != 'Windows') && (matrix.version == 'cached' || matrix.version == 'latest' || matrix.version == 'nightly-latest')"
+      with:
+        swift-version: "${{steps.get_swift_version.outputs.version}}"
@@ -7,6 +7,7 @@ name: "PR Check - Analyze: 'ref' and 'sha' from inputs"
 env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  GO111MODULE: auto
+  CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true'
 on:
  push:
    branches:
@@ -7,6 +7,7 @@ name: PR Check - autobuild-action
 env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  GO111MODULE: auto
+  CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true'
 on:
  push:
    branches:
@@ -7,6 +7,7 @@ name: PR Check - Export file baseline information
 env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  GO111MODULE: auto
+  CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true'
 on:
  push:
    branches:
@@ -42,18 +43,16 @@ jobs:
      uses: ./.github/prepare-test
      with:
        version: ${{ matrix.version }}
-    - uses: swift-actions/setup-swift@5cdaa9161ad1f55ae39a5ea1784ef96de72f95d9
-    # Windows doesn't support Swift, and only macOS latest and nightly-latest support Swift 5.7.1.
-      if: runner.os == 'Linux' || (runner.os == 'macOS' && matrix.version == 'cached')
-      with:
-        swift-version: '5.7'
    - uses: ./../action/init
+      id: init
      with:
        languages: javascript
        tools: ${{ steps.prepare-test.outputs.tools-url }}
      env:
        CODEQL_FILE_BASELINE_INFORMATION: true
-        CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT: true
+    - uses: ./../action/.github/setup-swift
+      with:
+        codeql-path: ${{steps.init.outputs.codeql-path}}
    - name: Build code
      shell: bash
      run: ./build.sh
@@ -62,7 +61,6 @@ jobs:
        output: ${{ runner.temp }}/results
      env:
        CODEQL_FILE_BASELINE_INFORMATION: true
-        CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT: true
    - name: Upload SARIF
      uses: actions/upload-artifact@v3
      with:
@@ -87,4 +85,5 @@ jobs:
          fi
        done
    env:
+      CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT: true # Remove when Swift is GA.
      CODEQL_ACTION_TEST_MODE: true
@@ -7,6 +7,7 @@ name: PR Check - Extractor ram and threads options test
 env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  GO111MODULE: auto
+  CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true'
 on:
  push:
    branches:
@@ -7,6 +7,7 @@ name: 'PR Check - Go: Custom queries'
 env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  GO111MODULE: auto
+  CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true'
 on:
  push:
    branches:
@@ -7,6 +7,7 @@ name: 'PR Check - Go: tracing with autobuilder step'
 env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  GO111MODULE: auto
+  CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true'
 on:
  push:
    branches:
@@ -7,6 +7,7 @@ name: 'PR Check - Go: tracing with custom build steps'
 env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  GO111MODULE: auto
+  CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true'
 on:
  push:
    branches:
@@ -7,6 +7,7 @@ name: 'PR Check - Go: tracing with legacy workflow'
 env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  GO111MODULE: auto
+  CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true'
 on:
  push:
    branches:
@@ -7,6 +7,7 @@ name: 'PR Check - Packaging: Download using registries'
 env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  GO111MODULE: auto
+  CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true'
 on:
  push:
    branches:
@@ -7,6 +7,7 @@ name: PR Check - Custom source root
 env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  GO111MODULE: auto
+  CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true'
 on:
  push:
    branches:
@@ -7,6 +7,7 @@ name: PR Check - ML-powered queries
 env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  GO111MODULE: auto
+  CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true'
 on:
  push:
    branches:
@@ -7,6 +7,7 @@ name: PR Check - Multi-language repository
 env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  GO111MODULE: auto
+  CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true'
 on:
  push:
    branches:
@@ -65,17 +66,16 @@ jobs:
      uses: actions/setup-go@v3
      with:
        go-version: ^1.13.1
-    - uses: swift-actions/setup-swift@5cdaa9161ad1f55ae39a5ea1784ef96de72f95d9
-    # Only macOS latest and nightly-latest support Swift 5.7.1
-      if: runner.os == 'Linux' || matrix.version == 'cached'
-      with:
-        swift-version: '5.7'
-
    - uses: ./../action/init
+      id: init
      with:
        db-location: ${{ runner.temp }}/customDbLocation
        tools: ${{ steps.prepare-test.outputs.tools-url }}

+    - uses: ./../action/.github/setup-swift
+      with:
+        codeql-path: ${{steps.init.outputs.codeql-path}}
+
    - name: Build code
      shell: bash
      run: ./build.sh
@@ -129,8 +129,8 @@ jobs:
        fi

    - name: Check language autodetect for Swift
-      if: "!startsWith(matrix.os, 'windows') && (matrix.version == 'cached' || matrix.version\
-        \ == 'latest' || matrix.version == 'nightly-latest')"
+      if: (matrix.version == 'cached' || matrix.version == 'latest' || matrix.version
+        == 'nightly-latest')
      shell: bash
      run: |
        SWIFT_DB=${{ fromJson(steps.analysis.outputs.db-locations).swift }}
@@ -7,6 +7,7 @@ name: 'PR Check - Packaging: Config and input passed to the CLI'
 env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  GO111MODULE: auto
+  CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true'
 on:
  push:
    branches:
@@ -7,6 +7,7 @@ name: 'PR Check - Packaging: Config and input'
 env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  GO111MODULE: auto
+  CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true'
 on:
  push:
    branches:
@@ -7,6 +7,7 @@ name: 'PR Check - Packaging: Config file'
 env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  GO111MODULE: auto
+  CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true'
 on:
  push:
    branches:
@@ -7,6 +7,7 @@ name: 'PR Check - Packaging: Action input'
 env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  GO111MODULE: auto
+  CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true'
 on:
  push:
    branches:
@@ -7,6 +7,7 @@ name: PR Check - Remote config file
 env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  GO111MODULE: auto
+  CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true'
 on:
  push:
    branches:
@@ -7,6 +7,7 @@ name: PR Check - RuboCop multi-language
 env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  GO111MODULE: auto
+  CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true'
 on:
  push:
    branches:
@@ -7,6 +7,7 @@ name: PR Check - Ruby analysis
 env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  GO111MODULE: auto
+  CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true'
 on:
  push:
    branches:
@@ -7,6 +7,7 @@ name: PR Check - Split workflow
 env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  GO111MODULE: auto
+  CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true'
 on:
  push:
    branches:
@@ -0,0 +1,73 @@
+# Warning: This file is generated automatically, and should not be modified.
+# Instead, please modify the template in the pr-checks directory and run:
+#     pip install ruamel.yaml && python3 sync.py
+# to regenerate this file.
+
+name: PR Check - Submit SARIF after failure
+env:
+  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+  GO111MODULE: auto
+  CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true'
+on:
+  push:
+    branches:
+    - main
+    - releases/v1
+    - releases/v2
+  pull_request:
+    types:
+    - opened
+    - synchronize
+    - reopened
+    - ready_for_review
+  workflow_dispatch: {}
+jobs:
+  submit-sarif-failure:
+    strategy:
+      matrix:
+        include:
+        - os: ubuntu-latest
+          version: latest
+        - os: ubuntu-latest
+          version: cached
+        - os: ubuntu-latest
+          version: nightly-latest
+    name: Submit SARIF after failure
+    timeout-minutes: 45
+    runs-on: ${{ matrix.os }}
+    steps:
+    - name: Check out repository
+      uses: actions/checkout@v3
+    - name: Prepare test
+      id: prepare-test
+      uses: ./.github/prepare-test
+      with:
+        version: ${{ matrix.version }}
+    - uses: actions/checkout@v3
+    - uses: ./init
+      with:
+        languages: javascript
+    - name: Fail
+    # We want this job to pass if the Action correctly uploads the SARIF file for
+    # the failed run.
+    # Setting this step to continue on error means that it is marked as completing
+    # successfully, so will not fail the job.
+      continue-on-error: true
+      run: exit 1
+    - uses: ./analyze
+    # In a real workflow, this step wouldn't run. Since we used `continue-on-error`
+    # above, we manually disable it with an `if` condition.
+      if: false
+      with:
+        category: /test-codeql-version:${{ matrix.version }}
+    env:
+  # Internal-only environment variable used to indicate that the post-init Action
+  # should expect to upload a SARIF file for the failed run.
+      CODEQL_ACTION_EXPECT_UPLOAD_FAILED_SARIF: true
+  # Make sure the uploading SARIF files feature is enabled.
+      CODEQL_ACTION_UPLOAD_FAILED_SARIF: true
+  # Upload the failed SARIF file as an integration test of the API endpoint.
+      CODEQL_ACTION_TEST_MODE: false
+  # Mark telemetry for this workflow so it can be treated separately.
+      CODEQL_ACTION_TESTING_ENVIRONMENT: codeql-action-pr-checks
+
@@ -7,6 +7,7 @@ name: PR Check - Swift analysis using autobuild
 env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  GO111MODULE: auto
+  CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true'
 on:
  push:
    branches:
@@ -42,15 +43,17 @@ jobs:
      uses: ./.github/prepare-test
      with:
        version: ${{ matrix.version }}
-    - uses: swift-actions/setup-swift@5cdaa9161ad1f55ae39a5ea1784ef96de72f95d9
-    # Only macOS latest and nightly-latest support Swift 5.7.1
-      if: runner.os == 'Linux' || matrix.version == 'cached'
-      with:
-        swift-version: '5.7'
    - uses: ./../action/init
+      id: init
      with:
        languages: swift
        tools: ${{ steps.prepare-test.outputs.tools-url }}
+    - uses: ./../action/.github/setup-swift
+      with:
+        codeql-path: ${{steps.init.outputs.codeql-path}}
+    - name: Check working directory
+      shell: bash
+      run: pwd
    - uses: ./../action/autobuild
    - uses: ./../action/analyze
      id: analysis
@@ -63,5 +66,5 @@ jobs:
          exit 1
        fi
    env:
-      CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT: 'true'
+      CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT: 'true' # Remove when Swift is GA.
      CODEQL_ACTION_TEST_MODE: true
@@ -7,6 +7,7 @@ name: PR Check - Swift analysis using a custom build command
 env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  GO111MODULE: auto
+  CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true'
 on:
  push:
    branches:
@@ -48,15 +49,17 @@ jobs:
      uses: ./.github/prepare-test
      with:
        version: ${{ matrix.version }}
-    - uses: swift-actions/setup-swift@5cdaa9161ad1f55ae39a5ea1784ef96de72f95d9
-    # Only macOS latest and nightly-latest support Swift 5.7.1
-      if: runner.os == 'Linux' || matrix.version == 'cached'
-      with:
-        swift-version: '5.7'
    - uses: ./../action/init
+      id: init
      with:
        languages: swift
        tools: ${{ steps.prepare-test.outputs.tools-url }}
+    - uses: ./../action/.github/setup-swift
+      with:
+        codeql-path: ${{steps.init.outputs.codeql-path}}
+    - name: Check working directory
+      shell: bash
+      run: pwd
    - name: Build code
      shell: bash
      run: ./build.sh
@@ -71,6 +74,6 @@ jobs:
          exit 1
        fi
    env:
-      CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT: 'true'
+      CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT: 'true' # Remove when Swift is GA.
      DOTNET_GENERATE_ASPNET_CERTIFICATE: 'false'
      CODEQL_ACTION_TEST_MODE: true
@@ -7,6 +7,7 @@ name: PR Check - Autobuild working directory
 env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  GO111MODULE: auto
+  CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true'
 on:
  push:
    branches:
@@ -7,6 +7,7 @@ name: PR Check - Local CodeQL bundle
 env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  GO111MODULE: auto
+  CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true'
 on:
  push:
    branches:
@@ -7,6 +7,7 @@ name: PR Check - Proxy test
 env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  GO111MODULE: auto
+  CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true'
 on:
  push:
    branches:
@@ -7,6 +7,7 @@ name: PR Check - Test unsetting environment variables
 env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  GO111MODULE: auto
+  CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true'
 on:
  push:
    branches:
@@ -59,7 +60,10 @@ jobs:
        tools: ${{ steps.prepare-test.outputs.tools-url }}
    - name: Build code
      shell: bash
-      run: env -i PATH="$PATH" HOME="$HOME" ./build.sh
+    # Disable Kotlin analysis while it's incompatible with Kotlin 1.8, until we find a
+    # workaround for our PR checks.
+      run: env -i CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN=true PATH="$PATH" HOME="$HOME"
+        ./build.sh
    - uses: ./../action/analyze
      id: analysis
    - shell: bash
@@ -7,6 +7,7 @@ name: "PR Check - Upload-sarif: 'ref' and 'sha' from inputs"
 env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  GO111MODULE: auto
+  CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true'
 on:
  push:
    branches:
@@ -7,6 +7,7 @@ name: PR Check - Use a custom `checkout_path`
 env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  GO111MODULE: auto
+  CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true'
 on:
  push:
    branches:
@@ -8,6 +8,9 @@ on:
    # Run checks on reopened draft PRs to support triggering PR checks on draft PRs that were opened
    # by other workflows.
    types: [opened, synchronize, reopened, ready_for_review]
+  schedule:
+    # Weekly on Sunday.
+    - cron: '30 1 * * 0'

 env:
  CODEQL_ACTION_TESTING_ENVIRONMENT: codeql-action-pr-checks
@@ -54,7 +57,7 @@ jobs:
        # be the same as `tools: null`. This allows us to make the job for each of the bundles a
        # required status check.
        #
-        # If we're running on push, then we can skip running with `tools: latest` when it would be
+        # If we're running on push or schedule, then we can skip running with `tools: latest` when it would be
        # the same as running with `tools: null`.
        if [[ "$GITHUB_EVENT_NAME" != "pull_request" && "$CODEQL_VERSION_DEFAULT" == "$CODEQL_VERSION_LATEST" ]]; then
          VERSIONS_JSON='[null]'
@@ -78,8 +81,10 @@ jobs:
      security-events: write

    steps:
-    - uses: actions/checkout@v3
-    - uses: ./init
+    - name: Checkout
+      uses: actions/checkout@v3
+    - name: Initialize CodeQL
+      uses: ./init
      id: init
      with:
        languages: javascript
@@ -88,4 +93,5 @@ jobs:
    # confirm steps.init.outputs.codeql-path points to the codeql binary
    - name: Print CodeQL Version
      run: ${{steps.init.outputs.codeql-path}} version --format=json
-    - uses: ./analyze
+    - name: Perform CodeQL Analysis
+      uses: ./analyze
@@ -2,6 +2,9 @@
 # when the analyze step fails.
 name: PR Check - Debug artifacts after failure
 env:
+  # Disable Kotlin analysis while it's incompatible with Kotlin 1.8, until we find a
+  # workaround for our PR checks.
+  CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: true
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 on:
  push:
@@ -1,6 +1,9 @@
 # Checks logs, SARIF, and database bundle debug artifacts exist.
 name: PR Check - Debug artifact upload
 env:
+  # Disable Kotlin analysis while it's incompatible with Kotlin 1.8, until we find a
+  # workaround for our PR checks.
+  CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: true
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 on:
  push:
@@ -88,7 +88,7 @@ jobs:
          fi

      - name: Set up Python
-        uses: actions/setup-python@v3
+        uses: actions/setup-python@v4
        with:
          python-version: 3.8

@@ -28,17 +28,7 @@ jobs:
        matrix:
          os: [ubuntu-20.04, ubuntu-22.04, macos-latest]
          python_deps_type: [pipenv, poetry, requirements, setup_py]
-          python_version: [2, 3]
-          exclude:
-            # Python2 and poetry are not supported. See https://github.com/actions/setup-python/issues/374
-            - python_version: 2
-              python_deps_type: poetry
-            # Python2 and pipenv are not supported since pipenv v2021.11.5
-            - python_version: 2
-              python_deps_type: pipenv
-            # Python2 is not available on ubuntu-22.04 by default -- see https://github.com/github/codeql-action/pull/1257
-            - python_version: 2
-              os: ubuntu-22.04
+          python_version: [3]


    env:
@@ -138,14 +128,7 @@ jobs:
        fail-fast: false
        matrix:
          python_deps_type: [pipenv, poetry, requirements, setup_py]
-          python_version: [2, 3]
-          exclude:
-            # Python2 and poetry are not supported. See https://github.com/actions/setup-python/issues/374
-            - python_version: 2
-              python_deps_type: poetry
-            # Python2 and pipenv are not supported since pipenv v2021.11.5
-            - python_version: 2
-              python_deps_type: pipenv
+          python_version: [3]

    env:
      CODEQL_ACTION_TEST_MODE: true
@@ -156,7 +139,7 @@ jobs:
    # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
    - uses: actions/checkout@v3

-    - uses: actions/setup-python@v3
+    - uses: actions/setup-python@v4
      with:
        python-version: ${{ matrix.python_version }}

@@ -10,7 +10,7 @@ fi

 if [ "$#" -eq 1 ]; then
  # If we were passed an argument, use that as the SHA
-  GITHUB_SHA="$0"
+  GITHUB_SHA="$1"
 elif [ "$#" -gt 1 ]; then
  echo "Usage: $0 [SHA]"
  echo "Update the required checks based on the SHA, or main."
@@ -23,7 +23,7 @@ fi
 echo "Getting checks for $GITHUB_SHA"

 # Ignore any checks with "https://", CodeQL, LGTM, and Update checks.
-CHECKS="$(gh api repos/github/codeql-action/commits/"${GITHUB_SHA}"/check-runs --paginate | jq --slurp --compact-output --raw-output '[.[].check_runs | .[].name | select(contains("https://") or . == "CodeQL" or . == "LGTM.com" or contains("Update") or contains("update") or contains("test-setup-python-scripts") | not)] | unique | sort')"
+CHECKS="$(gh api repos/github/codeql-action/commits/"${GITHUB_SHA}"/check-runs --paginate | jq --slurp --compact-output --raw-output '[.[].check_runs | .[].name | select(contains("https://") or . == "CodeQL" or . == "LGTM.com" or . == "check-expected-release-files" or contains("Update") or contains("update") or contains("test-setup-python-scripts") | not)] | unique | sort')"

 echo "$CHECKS" | jq

@@ -29,7 +29,7 @@ jobs:
        fetch-depth: 0

    - name: Set up Python
-      uses: actions/setup-python@v3
+      uses: actions/setup-python@v4
      with:
        python-version: 3.8

@@ -13,7 +13,7 @@ jobs:

    steps:
      - name: Setup Python
-        uses: actions/setup-python@v3
+        uses: actions/setup-python@v4
        with:
          python-version: "3.7"
      - name: Checkout CodeQL Action
@@ -35,7 +35,7 @@ jobs:
        env:
          ENTERPRISE_RELEASES_PATH: ${{ github.workspace }}/enterprise-releases/
      - name: Commit Changes
-        uses: peter-evans/create-pull-request@c7f493a8000b8aeb17a1332e326ba76b57cb83eb # v3.4.1
+        uses: peter-evans/create-pull-request@2b011faafdcbc9ceb11414d64d0573f37c774b04 # v4.2.3
        with:
          commit-message: Update supported GitHub Enterprise Server versions.
          title: Update supported GitHub Enterprise Server versions.
@@ -2,7 +2,17 @@

 ## [UNRELEASED]

-No user facing changes.
+- Update default CodeQL bundle version to 2.12.0. [#1466](https://github.com/github/codeql-action/pull/1466)
+
+## 2.1.37 - 14 Dec 2022
+
+- Update default CodeQL bundle version to 2.11.6. [#1433](https://github.com/github/codeql-action/pull/1433)
+
+## 2.1.36 - 08 Dec 2022
+
+- Update default CodeQL bundle version to 2.11.5. [#1412](https://github.com/github/codeql-action/pull/1412)
+- Add a step that tries to upload a SARIF file for the workflow run when that workflow run fails. This will help better surface failed code scanning workflow runs. [#1393](https://github.com/github/codeql-action/pull/1393)
+- Python automatic dependency installation will no longer consider dependecy code installed in venv as user-written, for projects using Poetry that specify `virtualenvs.in-project = true` in their `poetry.toml`. [#1419](https://github.com/github/codeql-action/pull/1419).

 ## 2.1.35 - 01 Dec 2022

@@ -12,6 +12,7 @@ inputs:
  upload:
    description: Upload the SARIF file to Code Scanning
    required: false
+    # If changing this, make sure to update workflow.ts accordingly.
    default: "true"
  cleanup-level:
    description: "Level of cleanup to perform on CodeQL databases at the end of the analyze step. This should either be 'none' to skip cleanup, or be a valid argument for the --mode flag of the CodeQL CLI command 'codeql database cleanup' as documented at https://codeql.github.com/docs/codeql-cli/manual/database-cleanup"
@@ -44,6 +45,7 @@ inputs:
  checkout_path:
    description: "The path at which the analyzed repository was checked out. Used to relativize any absolute paths in the uploaded SARIF file."
    required: false
+    # If changing this, make sure to update workflow.ts accordingly.
    default: ${{ github.workspace }}
  ref:
    description: "The ref where results will be uploaded. If not provided, the Action will use the GITHUB_REF environment variable. If provided, the sha input must be provided as well. This input is not available in pull requests from forks."
@@ -173,10 +173,10 @@ async function getAutomationID() {
 exports.getAutomationID = getAutomationID;
 function computeAutomationID(analysis_key, environment) {
    let automationID = `${analysis_key}/`;
-    // the id has to be deterministic so we sort the fields
-    if (environment !== undefined && environment !== "null") {
-        const environmentObject = JSON.parse(environment);
-        for (const entry of Object.entries(environmentObject).sort()) {
+    const matrix = (0, util_1.parseMatrixInput)(environment);
+    if (matrix !== undefined) {
+        // the id has to be deterministic so we sort the fields
+        for (const entry of Object.entries(matrix).sort()) {
            if (typeof entry[1] === "string") {
                automationID += `${entry[0]}:${entry[1]}/`;
            }
@@ -94,6 +94,30 @@ const util_1 = require("./util");
        getAdditionalInputStub.restore();
    });
 });
+(0, ava_1.default)("getRef() returns CODE_SCANNING_REF as a fallback for GITHUB_REF", async (t) => {
+    await (0, util_1.withTmpDir)(async (tmpDir) => {
+        (0, testing_utils_1.setupActionsVars)(tmpDir, tmpDir);
+        const expectedRef = "refs/pull/1/HEAD";
+        const currentSha = "a".repeat(40);
+        process.env["CODE_SCANNING_REF"] = expectedRef;
+        process.env["GITHUB_REF"] = "";
+        process.env["GITHUB_SHA"] = currentSha;
+        const actualRef = await actionsutil.getRef();
+        t.deepEqual(actualRef, expectedRef);
+    });
+});
+(0, ava_1.default)("getRef() returns GITHUB_REF over CODE_SCANNING_REF if both are provided", async (t) => {
+    await (0, util_1.withTmpDir)(async (tmpDir) => {
+        (0, testing_utils_1.setupActionsVars)(tmpDir, tmpDir);
+        const expectedRef = "refs/pull/1/merge";
+        const currentSha = "a".repeat(40);
+        process.env["CODE_SCANNING_REF"] = "refs/pull/1/HEAD";
+        process.env["GITHUB_REF"] = expectedRef;
+        process.env["GITHUB_SHA"] = currentSha;
+        const actualRef = await actionsutil.getRef();
+        t.deepEqual(actualRef, expectedRef);
+    });
+});
 (0, ava_1.default)("getRef() throws an error if only `ref` is provided as an input", async (t) => {
    await (0, util_1.withTmpDir)(async (tmpDir) => {
        (0, testing_utils_1.setupActionsVars)(tmpDir, tmpDir);
@@ -39,6 +39,7 @@ const feature_flags_1 = require("./feature-flags");
 const languages_1 = require("./languages");
 const logging_1 = require("./logging");
 const repository_1 = require("./repository");
+const shared_environment_1 = require("./shared-environment");
 const trap_caching_1 = require("./trap-caching");
 const upload_lib = __importStar(require("./upload-lib"));
 const util = __importStar(require("./util"));
@@ -176,7 +177,7 @@ async function run() {
        }
        core.setOutput("db-locations", dbLocations);
        if (runStats && actionsUtil.getRequiredInput("upload") === "true") {
-            uploadResult = await upload_lib.uploadFromActions(outputDir, logger);
+            uploadResult = await upload_lib.uploadFromActions(outputDir, actionsUtil.getRequiredInput("checkout_path"), actionsUtil.getOptionalInput("category"), logger);
            core.setOutput("sarif-id", uploadResult.sarifID);
        }
        else {
@@ -201,6 +202,7 @@ async function run() {
        if (actionsUtil.getOptionalInput("expect-error") === "true") {
            core.setFailed(`expect-error input was set to true but no error was thrown.`);
        }
+        core.exportVariable(shared_environment_1.CODEQL_ACTION_ANALYZE_DID_COMPLETE_SUCCESSFULLY, "true");
    }
    catch (origError) {
        const error = origError instanceof Error ? origError : new Error(String(origError));
@@ -159,6 +159,7 @@ async function runQueries(sarifFolder, memoryFlag, addSnippetsFlag, threadsFlag,
                logger.info(analysisSummary);
            }
            else {
+                // config was generated by the action, so must be interpreted by the action.
                logger.startGroup(`Running queries for ${language}`);
                const querySuitePaths = [];
                if (queries["builtin"].length > 0) {
@@ -207,7 +208,7 @@ async function runQueries(sarifFolder, memoryFlag, addSnippetsFlag, threadsFlag,
    return statusReport;
    async function runInterpretResults(language, queries, sarifFile, enableDebugLogging) {
        const databasePath = util.getCodeQLDatabasePath(config, language);
-        return await codeql.databaseInterpretResults(databasePath, queries, sarifFile, addSnippetsFlag, threadsFlag, enableDebugLogging ? "-vv" : "-v", automationDetailsId, featureEnablement);
+        return await codeql.databaseInterpretResults(databasePath, queries, sarifFile, addSnippetsFlag, threadsFlag, enableDebugLogging ? "-vv" : "-v", automationDetailsId);
    }
    async function runPrintLinesOfCode(language) {
        const databasePath = util.getCodeQLDatabasePath(config, language);
@@ -18,30 +18,19 @@ var __importStar = (this && this.__importStar) || function (mod) {
    __setModuleDefault(result, mod);
    return result;
 };
-var __importDefault = (this && this.__importDefault) || function (mod) {
-    return (mod && mod.__esModule) ? mod : { "default": mod };
-};
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.getExtraOptions = exports.getCodeQLForTesting = exports.getCachedCodeQL = exports.setCodeQL = exports.getCodeQL = exports.convertToSemVer = exports.getCodeQLURLVersion = exports.setupCodeQL = exports.getCodeQLActionRepository = exports.CODEQL_VERSION_BETTER_RESOLVE_LANGUAGES = exports.CODEQL_VERSION_ML_POWERED_QUERIES_WINDOWS = exports.CODEQL_VERSION_TRACING_GLIBC_2_34 = exports.CODEQL_VERSION_NEW_TRACING = exports.CODEQL_VERSION_GHES_PACK_DOWNLOAD = exports.CODEQL_VERSION_CONFIG_FILES = exports.CODEQL_DEFAULT_ACTION_REPOSITORY = exports.CommandInvocationError = void 0;
+exports.getExtraOptions = exports.getCodeQLForCmd = exports.getCodeQLForTesting = exports.getCachedCodeQL = exports.setCodeQL = exports.getCodeQL = exports.setupCodeQL = exports.CODEQL_VERSION_BETTER_RESOLVE_LANGUAGES = exports.CODEQL_VERSION_ML_POWERED_QUERIES_WINDOWS = exports.CODEQL_VERSION_TRACING_GLIBC_2_34 = exports.CODEQL_VERSION_NEW_TRACING = exports.CODEQL_VERSION_GHES_PACK_DOWNLOAD = exports.CommandInvocationError = void 0;
 const fs = __importStar(require("fs"));
 const path = __importStar(require("path"));
 const toolrunner = __importStar(require("@actions/exec/lib/toolrunner"));
-const toolcache = __importStar(require("@actions/tool-cache"));
-const fast_deep_equal_1 = __importDefault(require("fast-deep-equal"));
 const yaml = __importStar(require("js-yaml"));
-const query_string_1 = __importDefault(require("query-string"));
-const semver = __importStar(require("semver"));
-const uuid_1 = require("uuid");
 const actions_util_1 = require("./actions-util");
-const api = __importStar(require("./api-client"));
-const defaults = __importStar(require("./defaults.json")); // Referenced from codeql-action-sync-tool!
 const error_matcher_1 = require("./error-matcher");
-const feature_flags_1 = require("./feature-flags");
 const languages_1 = require("./languages");
+const setupCodeql = __importStar(require("./setup-codeql"));
 const toolrunner_error_catcher_1 = require("./toolrunner-error-catcher");
 const trap_caching_1 = require("./trap-caching");
 const util = __importStar(require("./util"));
-const util_1 = require("./util");
 class CommandInvocationError extends Error {
    constructor(cmd, args, exitCode, error, output) {
        super(`Failure invoking ${cmd} with arguments ${args}.\n
@@ -56,8 +45,6 @@ exports.CommandInvocationError = CommandInvocationError;
 * Can be overridden in tests using `setCodeQL`.
 */
 let cachedCodeQL = undefined;
-const CODEQL_BUNDLE_VERSION = defaults.bundleVersion;
-exports.CODEQL_DEFAULT_ACTION_REPOSITORY = "github/codeql-action";
 /**
 * The oldest version of CodeQL that the Action will run with. This should be
 * at least three minor versions behind the current version and must include the
@@ -74,9 +61,9 @@ const CODEQL_MINIMUM_VERSION = "2.6.3";
 */
 const CODEQL_VERSION_CUSTOM_QUERY_HELP = "2.7.1";
 const CODEQL_VERSION_LUA_TRACER_CONFIG = "2.10.0";
-exports.CODEQL_VERSION_CONFIG_FILES = "2.10.1";
 const CODEQL_VERSION_LUA_TRACING_GO_WINDOWS_FIXED = "2.10.4";
 exports.CODEQL_VERSION_GHES_PACK_DOWNLOAD = "2.10.4";
+const CODEQL_VERSION_FILE_BASELINE_INFORMATION = "2.11.3";
 /**
 * This variable controls using the new style of tracing from the CodeQL
 * CLI. In particular, with versions above this we will use both indirect
@@ -103,190 +90,23 @@ exports.CODEQL_VERSION_ML_POWERED_QUERIES_WINDOWS = "2.9.0";
 * --extractor-options-verbosity that we need.
 */
 exports.CODEQL_VERSION_BETTER_RESOLVE_LANGUAGES = "2.10.3";
-function getCodeQLBundleName() {
-    let platform;
-    if (process.platform === "win32") {
-        platform = "win64";
-    }
-    else if (process.platform === "linux") {
-        platform = "linux64";
-    }
-    else if (process.platform === "darwin") {
-        platform = "osx64";
-    }
-    else {
-        return "codeql-bundle.tar.gz";
-    }
-    return `codeql-bundle-${platform}.tar.gz`;
-}
-function getCodeQLActionRepository(logger) {
-    if ((0, actions_util_1.isRunningLocalAction)()) {
-        // This handles the case where the Action does not come from an Action repository,
-        // e.g. our integration tests which use the Action code from the current checkout.
-        // In these cases, the GITHUB_ACTION_REPOSITORY environment variable is not set.
-        logger.info("The CodeQL Action is checked out locally. Using the default CodeQL Action repository.");
-        return exports.CODEQL_DEFAULT_ACTION_REPOSITORY;
-    }
-    return util.getRequiredEnvParam("GITHUB_ACTION_REPOSITORY");
-}
-exports.getCodeQLActionRepository = getCodeQLActionRepository;
-async function getCodeQLBundleDownloadURL(apiDetails, variant, logger) {
-    const codeQLActionRepository = getCodeQLActionRepository(logger);
-    const potentialDownloadSources = [
-        // This GitHub instance, and this Action.
-        [apiDetails.url, codeQLActionRepository],
-        // This GitHub instance, and the canonical Action.
-        [apiDetails.url, exports.CODEQL_DEFAULT_ACTION_REPOSITORY],
-        // GitHub.com, and the canonical Action.
-        [util.GITHUB_DOTCOM_URL, exports.CODEQL_DEFAULT_ACTION_REPOSITORY],
-    ];
-    // We now filter out any duplicates.
-    // Duplicates will happen either because the GitHub instance is GitHub.com, or because the Action is not a fork.
-    const uniqueDownloadSources = potentialDownloadSources.filter((source, index, self) => {
-        return !self.slice(0, index).some((other) => (0, fast_deep_equal_1.default)(source, other));
-    });
-    const codeQLBundleName = getCodeQLBundleName();
-    if (variant === util.GitHubVariant.GHAE) {
-        try {
-            const release = await api
-                .getApiClient()
-                .request("GET /enterprise/code-scanning/codeql-bundle/find/{tag}", {
-                tag: CODEQL_BUNDLE_VERSION,
-            });
-            const assetID = release.data.assets[codeQLBundleName];
-            if (assetID !== undefined) {
-                const download = await api
-                    .getApiClient()
-                    .request("GET /enterprise/code-scanning/codeql-bundle/download/{asset_id}", { asset_id: assetID });
-                const downloadURL = download.data.url;
-                logger.info(`Found CodeQL bundle at GitHub AE endpoint with URL ${downloadURL}.`);
-                return downloadURL;
-            }
-            else {
-                logger.info(`Attempted to fetch bundle from GitHub AE endpoint but the bundle ${codeQLBundleName} was not found in the assets ${JSON.stringify(release.data.assets)}.`);
-            }
-        }
-        catch (e) {
-            logger.info(`Attempted to fetch bundle from GitHub AE endpoint but got error ${e}.`);
-        }
-    }
-    for (const downloadSource of uniqueDownloadSources) {
-        const [apiURL, repository] = downloadSource;
-        // If we've reached the final case, short-circuit the API check since we know the bundle exists and is public.
-        if (apiURL === util.GITHUB_DOTCOM_URL &&
-            repository === exports.CODEQL_DEFAULT_ACTION_REPOSITORY) {
-            break;
-        }
-        const [repositoryOwner, repositoryName] = repository.split("/");
-        try {
-            const release = await api.getApiClient().repos.getReleaseByTag({
-                owner: repositoryOwner,
-                repo: repositoryName,
-                tag: CODEQL_BUNDLE_VERSION,
-            });
-            for (const asset of release.data.assets) {
-                if (asset.name === codeQLBundleName) {
-                    logger.info(`Found CodeQL bundle in ${downloadSource[1]} on ${downloadSource[0]} with URL ${asset.url}.`);
-                    return asset.url;
-                }
-            }
-        }
-        catch (e) {
-            logger.info(`Looked for CodeQL bundle in ${downloadSource[1]} on ${downloadSource[0]} but got error ${e}.`);
-        }
-    }
-    return `https://github.com/${exports.CODEQL_DEFAULT_ACTION_REPOSITORY}/releases/download/${CODEQL_BUNDLE_VERSION}/${codeQLBundleName}`;
-}
 /**
 * Set up CodeQL CLI access.
 *
- * @param codeqlURL
+ * @param toolsInput
 * @param apiDetails
 * @param tempDir
 * @param variant
- * @param features
+ * @param bypassToolcache
+ * @param defaultCliVersion
 * @param logger
 * @param checkVersion Whether to check that CodeQL CLI meets the minimum
 *        version requirement. Must be set to true outside tests.
 * @returns a { CodeQL, toolsVersion } object.
 */
-async function setupCodeQL(codeqlURL, apiDetails, tempDir, variant, bypassToolcache, logger, checkVersion) {
+async function setupCodeQL(toolsInput, apiDetails, tempDir, variant, bypassToolcache, defaultCliVersion, logger, checkVersion) {
    try {
-        const forceLatestReason = 
-        // We use the special value of 'latest' to prioritize the version in the
-        // defaults over any pinned cached version.
-        codeqlURL === "latest"
-            ? '"tools: latest" was requested'
-            : // If the user hasn't requested a particular CodeQL version, then bypass
-                // the toolcache when the appropriate feature is enabled. This
-                // allows us to quickly rollback a broken bundle that has made its way
-                // into the toolcache.
-                codeqlURL === undefined && bypassToolcache
-                    ? "a specific version of CodeQL was not requested and the bypass toolcache feature is enabled"
-                    : undefined;
-        const forceLatest = forceLatestReason !== undefined;
-        if (forceLatest) {
-            logger.debug(`Forcing the latest version of the CodeQL tools since ${forceLatestReason}.`);
-            codeqlURL = undefined;
-        }
-        let codeqlFolder;
-        let codeqlURLVersion;
-        if (codeqlURL && !codeqlURL.startsWith("http")) {
-            codeqlFolder = await toolcache.extractTar(codeqlURL);
-            codeqlURLVersion = "local";
-        }
-        else {
-            codeqlURLVersion = getCodeQLURLVersion(codeqlURL || `/${CODEQL_BUNDLE_VERSION}/`);
-            const codeqlURLSemVer = convertToSemVer(codeqlURLVersion, logger);
-            // If we find the specified version, we always use that.
-            codeqlFolder = toolcache.find("CodeQL", codeqlURLSemVer);
-            // If we don't find the requested version, in some cases we may allow a
-            // different version to save download time if the version hasn't been
-            // specified explicitly (in which case we always honor it).
-            if (!codeqlFolder && !codeqlURL && !forceLatest) {
-                const codeqlVersions = toolcache.findAllVersions("CodeQL");
-                if (codeqlVersions.length === 1 && (0, util_1.isGoodVersion)(codeqlVersions[0])) {
-                    const tmpCodeqlFolder = toolcache.find("CodeQL", codeqlVersions[0]);
-                    if (fs.existsSync(path.join(tmpCodeqlFolder, "pinned-version"))) {
-                        logger.debug(`CodeQL in cache overriding the default ${CODEQL_BUNDLE_VERSION}`);
-                        codeqlFolder = tmpCodeqlFolder;
-                        codeqlURLVersion = codeqlVersions[0];
-                    }
-                }
-            }
-            if (codeqlFolder) {
-                logger.debug(`CodeQL found in cache ${codeqlFolder}`);
-            }
-            else {
-                if (!codeqlURL) {
-                    codeqlURL = await getCodeQLBundleDownloadURL(apiDetails, variant, logger);
-                }
-                const parsedCodeQLURL = new URL(codeqlURL);
-                const parsedQueryString = query_string_1.default.parse(parsedCodeQLURL.search);
-                const headers = {
-                    accept: "application/octet-stream",
-                };
-                // We only want to provide an authorization header if we are downloading
-                // from the same GitHub instance the Action is running on.
-                // This avoids leaking Enterprise tokens to dotcom.
-                // We also don't want to send an authorization header if there's already a token provided in the URL.
-                if (codeqlURL.startsWith(`${apiDetails.url}/`) &&
-                    parsedQueryString["token"] === undefined) {
-                    logger.debug("Downloading CodeQL bundle with token.");
-                    headers.authorization = `token ${apiDetails.auth}`;
-                }
-                else {
-                    logger.debug("Downloading CodeQL bundle without token.");
-                }
-                logger.info(`Downloading CodeQL tools from ${codeqlURL}. This may take a while.`);
-                const dest = path.join(tempDir, (0, uuid_1.v4)());
-                const finalHeaders = Object.assign({ "User-Agent": "CodeQL Action" }, headers);
-                const codeqlPath = await toolcache.downloadTool(codeqlURL, dest, undefined, finalHeaders);
-                logger.debug(`CodeQL bundle download to ${codeqlPath} complete.`);
-                const codeqlExtracted = await toolcache.extractTar(codeqlPath);
-                codeqlFolder = await toolcache.cacheDir(codeqlExtracted, "CodeQL", codeqlURLSemVer);
-            }
-        }
+        const { codeqlFolder, toolsVersion } = await setupCodeql.setupCodeQLBundle(toolsInput, apiDetails, tempDir, variant, bypassToolcache, defaultCliVersion, logger);
        let codeqlCmd = path.join(codeqlFolder, "codeql", "codeql");
        if (process.platform === "win32") {
            codeqlCmd += ".exe";
@@ -295,7 +115,7 @@ async function setupCodeQL(codeqlURL, apiDetails, tempDir, variant, bypassToolca
            throw new Error(`Unsupported platform: ${process.platform}`);
        }
        cachedCodeQL = await getCodeQLForCmd(codeqlCmd, checkVersion);
-        return { codeql: cachedCodeQL, toolsVersion: codeqlURLVersion };
+        return { codeql: cachedCodeQL, toolsVersion };
    }
    catch (e) {
        logger.error(e instanceof Error ? e : new Error(String(e)));
@@ -303,26 +123,6 @@ async function setupCodeQL(codeqlURL, apiDetails, tempDir, variant, bypassToolca
    }
 }
 exports.setupCodeQL = setupCodeQL;
-function getCodeQLURLVersion(url) {
-    const match = url.match(/\/codeql-bundle-(.*)\//);
-    if (match === null || match.length < 2) {
-        throw new Error(`Malformed tools url: ${url}. Version could not be inferred`);
-    }
-    return match[1];
-}
-exports.getCodeQLURLVersion = getCodeQLURLVersion;
-function convertToSemVer(version, logger) {
-    if (!semver.valid(version)) {
-        logger.debug(`Bundle version ${version} is not in SemVer format. Will treat it as pre-release 0.0.0-${version}.`);
-        version = `0.0.0-${version}`;
-    }
-    const s = semver.clean(version);
-    if (!s) {
-        throw new Error(`Bundle version ${version} is not in SemVer format.`);
-    }
-    return s;
-}
-exports.convertToSemVer = convertToSemVer;
 /**
 * Use the CodeQL executable located at the given path.
 */
@@ -371,6 +171,7 @@ function setCodeQL(partialCodeql) {
        databaseRunQueries: resolveFunction(partialCodeql, "databaseRunQueries"),
        databaseInterpretResults: resolveFunction(partialCodeql, "databaseInterpretResults"),
        databasePrintBaseline: resolveFunction(partialCodeql, "databasePrintBaseline"),
+        diagnosticsExport: resolveFunction(partialCodeql, "diagnosticsExport"),
    };
    return cachedCodeQL;
 }
@@ -507,9 +308,16 @@ async function getCodeQLForCmd(cmd, checkVersion) {
                    extraArgs.push("--no-internal-use-lua-tracing");
                }
            }
+            // A config file is only generated if the CliConfigFileEnabled feature flag is enabled.
            const configLocation = await generateCodeScanningConfig(codeql, config, featureEnablement);
+            // Only pass external repository token if a config file is going to be parsed by the CLI.
+            let externalRepositoryToken;
            if (configLocation) {
                extraArgs.push(`--codescanning-config=${configLocation}`);
+                externalRepositoryToken = (0, actions_util_1.getOptionalInput)("external-repository-token");
+                if (externalRepositoryToken) {
+                    extraArgs.push("--external-repository-token-stdin");
+                }
            }
            await runTool(cmd, [
                "database",
@@ -519,7 +327,7 @@ async function getCodeQLForCmd(cmd, checkVersion) {
                `--source-root=${sourceRoot}`,
                ...extraArgs,
                ...getExtraOptionsFromEnv(["database", "init"]),
-            ]);
+            ], { stdin: externalRepositoryToken });
        },
        async runAutobuild(language) {
            const cmdName = process.platform === "win32" ? "autobuild.cmd" : "autobuild.sh";
@@ -668,7 +476,7 @@ async function getCodeQLForCmd(cmd, checkVersion) {
            }
            await (0, toolrunner_error_catcher_1.toolrunnerErrorCatcher)(cmd, codeqlArgs, error_matcher_1.errorMatchers);
        },
-        async databaseInterpretResults(databasePath, querySuitePaths, sarifFile, addSnippetsFlag, threadsFlag, verbosityFlag, automationDetailsId, featureEnablement) {
+        async databaseInterpretResults(databasePath, querySuitePaths, sarifFile, addSnippetsFlag, threadsFlag, verbosityFlag, automationDetailsId) {
            const codeqlArgs = [
                "database",
                "interpret-results",
@@ -687,7 +495,7 @@ async function getCodeQLForCmd(cmd, checkVersion) {
            if (automationDetailsId !== undefined) {
                codeqlArgs.push("--sarif-category", automationDetailsId);
            }
-            if (await featureEnablement.getValue(feature_flags_1.Feature.FileBaselineInformationEnabled, this)) {
+            if (await util.codeQlVersionAbove(this, CODEQL_VERSION_FILE_BASELINE_INFORMATION)) {
                codeqlArgs.push("--sarif-add-baseline-file-info");
            }
            codeqlArgs.push(databasePath);
@@ -772,6 +580,19 @@ async function getCodeQLForCmd(cmd, checkVersion) {
            ];
            await new toolrunner.ToolRunner(cmd, args).exec();
        },
+        async diagnosticsExport(sarifFile, automationDetailsId) {
+            const args = [
+                "diagnostics",
+                "export",
+                "--format=sarif-latest",
+                `--output=${sarifFile}`,
+                ...getExtraOptionsFromEnv(["diagnostics", "export"]),
+            ];
+            if (automationDetailsId !== undefined) {
+                args.push("--sarif-category", automationDetailsId);
+            }
+            await new toolrunner.ToolRunner(cmd, args).exec();
+        },
    };
    // To ensure that status reports include the CodeQL CLI version wherever
    // possible, we want to call getVersion(), which populates the version value
@@ -787,6 +608,7 @@ async function getCodeQLForCmd(cmd, checkVersion) {
    }
    return codeql;
 }
+exports.getCodeQLForCmd = getCodeQLForCmd;
 /**
 * Gets the options for `path` of `options` as an array of extra option strings.
 */
@@ -841,7 +663,7 @@ exports.getExtraOptions = getExtraOptions;
 *     status reports on GitHub.com.
 */
 const maxErrorSize = 20000;
-async function runTool(cmd, args = []) {
+async function runTool(cmd, args = [], opts = {}) {
    let output = "";
    let error = "";
    const exitCode = await new toolrunner.ToolRunner(cmd, args, {
@@ -860,6 +682,7 @@ async function runTool(cmd, args = []) {
            },
        },
        ignoreReturnCode: true,
+        ...(opts.stdin ? { input: Buffer.from(opts.stdin || "") } : {}),
    }).exec();
    if (exitCode !== 0)
        throw new CommandInvocationError(cmd, args, exitCode, error, output);
@@ -24,7 +24,7 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.stubToolRunnerConstructor = void 0;
 const fs = __importStar(require("fs"));
-const path = __importStar(require("path"));
+const path_1 = __importDefault(require("path"));
 const toolrunner = __importStar(require("@actions/exec/lib/toolrunner"));
 const toolcache = __importStar(require("@actions/tool-cache"));
 const safeWhich = __importStar(require("@chrisgavin/safe-which"));
@@ -34,8 +34,9 @@ const yaml = __importStar(require("js-yaml"));
 const nock_1 = __importDefault(require("nock"));
 const sinon = __importStar(require("sinon"));
 const actionsUtil = __importStar(require("./actions-util"));
+const api = __importStar(require("./api-client"));
 const codeql = __importStar(require("./codeql"));
-const defaults = __importStar(require("./defaults.json"));
+const defaults = __importStar(require("./defaults.json")); // Referenced from codeql-action-sync-tool!
 const feature_flags_1 = require("./feature-flags");
 const languages_1 = require("./languages");
 const logging_1 = require("./logging");
@@ -46,14 +47,16 @@ const util_1 = require("./util");
 const sampleApiDetails = {
    auth: "token",
    url: "https://github.com",
-    apiURL: undefined,
-    registriesAuthTokens: undefined,
+    apiURL: "https://api.github.com",
 };
 const sampleGHAEApiDetails = {
    auth: "token",
    url: "https://example.githubenterprise.com",
-    apiURL: undefined,
-    registriesAuthTokens: undefined,
+    apiURL: "https://example.githubenterprise.com/api/v3",
+};
+const SAMPLE_DEFAULT_CLI_VERSION = {
+    cliVersion: "2.0.0",
+    variant: util.GitHubVariant.DOTCOM,
 };
 let stubConfig;
 ava_1.default.beforeEach(() => {
@@ -83,7 +86,13 @@ ava_1.default.beforeEach(() => {
        trapCacheDownloadTime: 0,
    };
 });
-async function mockApiAndSetupCodeQL({ apiDetails, bypassToolcache, isPinned, tmpDir, toolsInput, version, }) {
+/**
+ * Mocks the API for downloading the bundle tagged `tagName`.
+ *
+ * @returns the download URL for the bundle. This can be passed to the tools parameter of
+ * `codeql.setupCodeQL`.
+ */
+async function mockDownloadApi({ apiDetails = sampleApiDetails, isPinned, tagName, }) {
    var _a;
    const platform = process.platform === "win32"
        ? "win64"
@@ -92,133 +101,148 @@ async function mockApiAndSetupCodeQL({ apiDetails, bypassToolcache, isPinned, tm
            : "osx64";
    const baseUrl = (_a = apiDetails === null || apiDetails === void 0 ? void 0 : apiDetails.url) !== null && _a !== void 0 ? _a : "https://example.com";
    const relativeUrl = apiDetails
-        ? `/github/codeql-action/releases/download/${version}/codeql-bundle-${platform}.tar.gz`
-        : `/download/codeql-bundle-${version}/codeql-bundle.tar.gz`;
+        ? `/github/codeql-action/releases/download/${tagName}/codeql-bundle-${platform}.tar.gz`
+        : `/download/${tagName}/codeql-bundle.tar.gz`;
    (0, nock_1.default)(baseUrl)
        .get(relativeUrl)
-        .replyWithFile(200, path.join(__dirname, `/../src/testdata/codeql-bundle${isPinned ? "-pinned" : ""}.tar.gz`));
-    return await codeql.setupCodeQL(toolsInput ? toolsInput.input : `${baseUrl}${relativeUrl}`, apiDetails !== null && apiDetails !== void 0 ? apiDetails : sampleApiDetails, tmpDir, util.GitHubVariant.DOTCOM, !!bypassToolcache, (0, logging_1.getRunnerLogger)(true), false);
+        .replyWithFile(200, path_1.default.join(__dirname, `/../src/testdata/codeql-bundle${isPinned ? "-pinned" : ""}.tar.gz`));
+    return `${baseUrl}${relativeUrl}`;
 }
-(0, ava_1.default)("download codeql bundle cache", async (t) => {
+async function installIntoToolcache({ apiDetails = sampleApiDetails, cliVersion, isPinned, tagName, tmpDir, }) {
+    const url = await mockDownloadApi({ apiDetails, isPinned, tagName });
+    await codeql.setupCodeQL(cliVersion !== undefined ? undefined : url, apiDetails, tmpDir, util.GitHubVariant.GHES, false, cliVersion !== undefined
+        ? { cliVersion, tagName, variant: util.GitHubVariant.GHES }
+        : SAMPLE_DEFAULT_CLI_VERSION, (0, logging_1.getRunnerLogger)(true), false);
+}
+(0, ava_1.default)("downloads and caches explicitly requested bundles that aren't in the toolcache", async (t) => {
    await util.withTmpDir(async (tmpDir) => {
        (0, testing_utils_1.setupActionsVars)(tmpDir, tmpDir);
        const versions = ["20200601", "20200610"];
        for (let i = 0; i < versions.length; i++) {
            const version = versions[i];
-            const codeQLConfig = await mockApiAndSetupCodeQL({ version, tmpDir });
+            const url = await mockDownloadApi({
+                tagName: `codeql-bundle-${version}`,
+                isPinned: false,
+            });
+            const result = await codeql.setupCodeQL(url, sampleApiDetails, tmpDir, util.GitHubVariant.DOTCOM, false, SAMPLE_DEFAULT_CLI_VERSION, (0, logging_1.getRunnerLogger)(true), false);
            t.assert(toolcache.find("CodeQL", `0.0.0-${version}`));
-            t.deepEqual(codeQLConfig.toolsVersion, version);
+            t.is(result.toolsVersion, `0.0.0-${version}`);
        }
        t.is(toolcache.findAllVersions("CodeQL").length, 2);
    });
 });
-(0, ava_1.default)("download codeql bundle cache explicitly requested with pinned different version cached", async (t) => {
+(0, ava_1.default)("downloads an explicitly requested bundle even if a different version is cached", async (t) => {
    await util.withTmpDir(async (tmpDir) => {
        (0, testing_utils_1.setupActionsVars)(tmpDir, tmpDir);
-        const pinnedCodeQLConfig = await mockApiAndSetupCodeQL({
-            version: "20200601",
+        await installIntoToolcache({
+            tagName: "codeql-bundle-20200601",
            isPinned: true,
            tmpDir,
        });
-        t.assert(toolcache.find("CodeQL", "0.0.0-20200601"));
-        t.deepEqual(pinnedCodeQLConfig.toolsVersion, "20200601");
-        const unpinnedCodeQLConfig = await mockApiAndSetupCodeQL({
-            version: "20200610",
-            tmpDir,
+        const url = await mockDownloadApi({
+            tagName: "codeql-bundle-20200610",
        });
+        const result = await codeql.setupCodeQL(url, sampleApiDetails, tmpDir, util.GitHubVariant.DOTCOM, false, SAMPLE_DEFAULT_CLI_VERSION, (0, logging_1.getRunnerLogger)(true), false);
        t.assert(toolcache.find("CodeQL", "0.0.0-20200610"));
-        t.deepEqual(unpinnedCodeQLConfig.toolsVersion, "20200610");
+        t.deepEqual(result.toolsVersion, "0.0.0-20200610");
    });
 });
-(0, ava_1.default)("don't download codeql bundle cache with pinned different version cached", async (t) => {
-    await util.withTmpDir(async (tmpDir) => {
-        (0, testing_utils_1.setupActionsVars)(tmpDir, tmpDir);
-        const pinnedCodeQLConfig = await mockApiAndSetupCodeQL({
-            version: "20200601",
-            isPinned: true,
-            tmpDir,
-        });
-        t.assert(toolcache.find("CodeQL", "0.0.0-20200601"));
-        t.deepEqual(pinnedCodeQLConfig.toolsVersion, "20200601");
-        const codeQLConfig = await codeql.setupCodeQL(undefined, sampleApiDetails, tmpDir, util.GitHubVariant.DOTCOM, false, (0, logging_1.getRunnerLogger)(true), false);
-        t.deepEqual(codeQLConfig.toolsVersion, "0.0.0-20200601");
-        const cachedVersions = toolcache.findAllVersions("CodeQL");
-        t.is(cachedVersions.length, 1);
-    });
-});
-(0, ava_1.default)("download codeql bundle cache with different version cached (not pinned)", async (t) => {
-    await util.withTmpDir(async (tmpDir) => {
-        (0, testing_utils_1.setupActionsVars)(tmpDir, tmpDir);
-        const cachedCodeQLConfig = await mockApiAndSetupCodeQL({
-            version: "20200601",
-            tmpDir,
-        });
-        t.assert(toolcache.find("CodeQL", "0.0.0-20200601"));
-        t.deepEqual(cachedCodeQLConfig.toolsVersion, "20200601");
-        const codeQLConfig = await mockApiAndSetupCodeQL({
-            version: defaults.bundleVersion,
-            tmpDir,
-            apiDetails: sampleApiDetails,
-            toolsInput: { input: undefined },
-        });
-        t.deepEqual(codeQLConfig.toolsVersion, defaults.bundleVersion.replace("codeql-bundle-", ""));
-        const cachedVersions = toolcache.findAllVersions("CodeQL");
-        t.is(cachedVersions.length, 2);
-    });
-});
-(0, ava_1.default)('download codeql bundle cache with pinned different version cached if "latest" tools specified', async (t) => {
-    await util.withTmpDir(async (tmpDir) => {
-        (0, testing_utils_1.setupActionsVars)(tmpDir, tmpDir);
-        const pinnedCodeQLConfig = await mockApiAndSetupCodeQL({
-            version: "20200601",
-            isPinned: true,
-            tmpDir,
-        });
-        t.assert(toolcache.find("CodeQL", "0.0.0-20200601"));
-        t.deepEqual(pinnedCodeQLConfig.toolsVersion, "20200601");
-        const latestCodeQLConfig = await mockApiAndSetupCodeQL({
-            version: defaults.bundleVersion,
-            apiDetails: sampleApiDetails,
-            toolsInput: { input: "latest" },
-            tmpDir,
-        });
-        t.deepEqual(latestCodeQLConfig.toolsVersion, defaults.bundleVersion.replace("codeql-bundle-", ""));
-        const cachedVersions = toolcache.findAllVersions("CodeQL");
-        t.is(cachedVersions.length, 2);
-    });
-});
-const TOOLCACHE_BYPASS_TEST_CASES = [
-    [true, undefined, true],
-    [false, undefined, false],
-    [
-        true,
-        "https://github.com/github/codeql-action/releases/download/codeql-bundle-20200601/codeql-bundle.tar.gz",
-        false,
-    ],
-];
-for (const [isFeatureEnabled, toolsInput, shouldToolcacheBeBypassed,] of TOOLCACHE_BYPASS_TEST_CASES) {
-    (0, ava_1.default)(`download codeql bundle ${shouldToolcacheBeBypassed ? "bypasses" : "does not bypass"} toolcache when feature ${isFeatureEnabled ? "enabled" : "disabled"} and tools: ${toolsInput} passed`, async (t) => {
+for (const isCached of [true, false]) {
+    (0, ava_1.default)(`uses default version on Dotcom when default version bundle is ${isCached ? "" : "not "}cached`, async (t) => {
        await util.withTmpDir(async (tmpDir) => {
            (0, testing_utils_1.setupActionsVars)(tmpDir, tmpDir);
-            await mockApiAndSetupCodeQL({
-                version: "codeql-bundle-20200601",
-                apiDetails: sampleApiDetails,
-                isPinned: true,
-                tmpDir,
-            });
-            t.assert(toolcache.find("CodeQL", "0.0.0-20200601"));
-            await mockApiAndSetupCodeQL({
-                version: defaults.bundleVersion,
-                apiDetails: sampleApiDetails,
-                bypassToolcache: isFeatureEnabled,
-                toolsInput: { input: toolsInput },
-                tmpDir,
-            });
-            const cachedVersions = toolcache.findAllVersions("CodeQL");
-            t.is(cachedVersions.length, shouldToolcacheBeBypassed ? 2 : 1);
+            const tagName = `codeql-bundle-20230101`;
+            if (isCached) {
+                await installIntoToolcache({
+                    cliVersion: SAMPLE_DEFAULT_CLI_VERSION.cliVersion,
+                    tagName,
+                    isPinned: true,
+                    tmpDir,
+                });
+            }
+            else {
+                await mockDownloadApi({
+                    tagName,
+                });
+                sinon.stub(api, "getApiClient").value(() => ({
+                    repos: {
+                        listReleases: sinon.stub().resolves(undefined),
+                    },
+                    paginate: sinon.stub().resolves([
+                        {
+                            assets: [
+                                {
+                                    name: "cli-version-2.0.0.txt",
+                                },
+                            ],
+                            tag_name: tagName,
+                        },
+                    ]),
+                }));
+            }
+            const result = await codeql.setupCodeQL(undefined, sampleApiDetails, tmpDir, util.GitHubVariant.DOTCOM, false, SAMPLE_DEFAULT_CLI_VERSION, (0, logging_1.getRunnerLogger)(true), false);
+            t.is(result.toolsVersion, SAMPLE_DEFAULT_CLI_VERSION.cliVersion);
        });
    });
 }
+for (const variant of [util.GitHubVariant.GHAE, util.GitHubVariant.GHES]) {
+    (0, ava_1.default)(`uses a cached bundle when no tools input is given on ${util.GitHubVariant[variant]}`, async (t) => {
+        await util.withTmpDir(async (tmpDir) => {
+            (0, testing_utils_1.setupActionsVars)(tmpDir, tmpDir);
+            await installIntoToolcache({
+                tagName: "codeql-bundle-20200601",
+                isPinned: true,
+                tmpDir,
+            });
+            const result = await codeql.setupCodeQL(undefined, sampleApiDetails, tmpDir, variant, false, {
+                cliVersion: defaults.cliVersion,
+                tagName: defaults.bundleVersion,
+                variant,
+            }, (0, logging_1.getRunnerLogger)(true), false);
+            t.deepEqual(result.toolsVersion, "0.0.0-20200601");
+            const cachedVersions = toolcache.findAllVersions("CodeQL");
+            t.is(cachedVersions.length, 1);
+        });
+    });
+    (0, ava_1.default)(`downloads bundle if only an unpinned version is cached on ${util.GitHubVariant[variant]}`, async (t) => {
+        await util.withTmpDir(async (tmpDir) => {
+            (0, testing_utils_1.setupActionsVars)(tmpDir, tmpDir);
+            await installIntoToolcache({
+                tagName: "codeql-bundle-20200601",
+                isPinned: false,
+                tmpDir,
+            });
+            await mockDownloadApi({
+                tagName: defaults.bundleVersion,
+            });
+            const result = await codeql.setupCodeQL(undefined, sampleApiDetails, tmpDir, variant, false, {
+                cliVersion: defaults.cliVersion,
+                tagName: defaults.bundleVersion,
+                variant,
+            }, (0, logging_1.getRunnerLogger)(true), false);
+            t.deepEqual(result.toolsVersion, defaults.cliVersion);
+            const cachedVersions = toolcache.findAllVersions("CodeQL");
+            t.is(cachedVersions.length, 2);
+        });
+    });
+}
+(0, ava_1.default)('downloads bundle if "latest" tools specified but not cached', async (t) => {
+    await util.withTmpDir(async (tmpDir) => {
+        (0, testing_utils_1.setupActionsVars)(tmpDir, tmpDir);
+        await installIntoToolcache({
+            tagName: "codeql-bundle-20200601",
+            isPinned: true,
+            tmpDir,
+        });
+        await mockDownloadApi({
+            tagName: defaults.bundleVersion,
+        });
+        const result = await codeql.setupCodeQL("latest", sampleApiDetails, tmpDir, util.GitHubVariant.DOTCOM, false, SAMPLE_DEFAULT_CLI_VERSION, (0, logging_1.getRunnerLogger)(true), false);
+        t.deepEqual(result.toolsVersion, defaults.cliVersion);
+        const cachedVersions = toolcache.findAllVersions("CodeQL");
+        t.is(cachedVersions.length, 2);
+    });
+});
 (0, ava_1.default)("download codeql bundle from github ae endpoint", async (t) => {
    await util.withTmpDir(async (tmpDir) => {
        (0, testing_utils_1.setupActionsVars)(tmpDir, tmpDir);
@@ -241,34 +265,33 @@ for (const [isFeatureEnabled, toolsInput, shouldToolcacheBeBypassed,] of TOOLCAC
        });
        (0, nock_1.default)("https://example.githubenterprise.com")
            .get(`/github/codeql-action/releases/download/${defaults.bundleVersion}/${codeQLBundleName}`)
-            .replyWithFile(200, path.join(__dirname, `/../src/testdata/codeql-bundle-pinned.tar.gz`));
-        await codeql.setupCodeQL(undefined, sampleGHAEApiDetails, tmpDir, util.GitHubVariant.GHAE, false, (0, logging_1.getRunnerLogger)(true), false);
+            .replyWithFile(200, path_1.default.join(__dirname, `/../src/testdata/codeql-bundle-pinned.tar.gz`));
+        // This is a workaround to mock `api.getApiDetails()` since it doesn't seem to be possible to
+        // mock this directly. The difficulty is that `getApiDetails()` is called locally in
+        // `api-client.ts`, but `sinon.stub(api, "getApiDetails")` only affects calls to
+        // `getApiDetails()` via an imported `api` module.
+        sinon
+            .stub(actionsUtil, "getRequiredInput")
+            .withArgs("token")
+            .returns(sampleGHAEApiDetails.auth);
+        const requiredEnvParamStub = sinon.stub(util, "getRequiredEnvParam");
+        requiredEnvParamStub
+            .withArgs("GITHUB_SERVER_URL")
+            .returns(sampleGHAEApiDetails.url);
+        requiredEnvParamStub
+            .withArgs("GITHUB_API_URL")
+            .returns(sampleGHAEApiDetails.apiURL);
+        sinon.stub(actionsUtil, "isRunningLocalAction").returns(false);
+        process.env["GITHUB_ACTION_REPOSITORY"] = "github/codeql-action";
+        await codeql.setupCodeQL(undefined, sampleGHAEApiDetails, tmpDir, util.GitHubVariant.GHAE, false, {
+            cliVersion: defaults.cliVersion,
+            tagName: defaults.bundleVersion,
+            variant: util.GitHubVariant.GHAE,
+        }, (0, logging_1.getRunnerLogger)(true), false);
        const cachedVersions = toolcache.findAllVersions("CodeQL");
        t.is(cachedVersions.length, 1);
    });
 });
-(0, ava_1.default)("parse codeql bundle url version", (t) => {
-    t.deepEqual(codeql.getCodeQLURLVersion("https://github.com/.../codeql-bundle-20200601/..."), "20200601");
-});
-(0, ava_1.default)("convert to semver", (t) => {
-    const tests = {
-        "20200601": "0.0.0-20200601",
-        "20200601.0": "0.0.0-20200601.0",
-        "20200601.0.0": "20200601.0.0",
-        "1.2.3": "1.2.3",
-        "1.2.3-alpha": "1.2.3-alpha",
-        "1.2.3-beta.1": "1.2.3-beta.1",
-    };
-    for (const [version, expectedVersion] of Object.entries(tests)) {
-        try {
-            const parsedVersion = codeql.convertToSemVer(version, (0, logging_1.getRunnerLogger)(true));
-            t.deepEqual(parsedVersion, expectedVersion);
-        }
-        catch (e) {
-            t.fail(e instanceof Error ? e.message : String(e));
-        }
-    }
-});
 (0, ava_1.default)("getExtraOptions works for explicit paths", (t) => {
    t.deepEqual(codeql.getExtraOptions({}, ["foo"], []), []);
    t.deepEqual(codeql.getExtraOptions({ foo: [42] }, ["foo"], []), ["42"]);
@@ -291,27 +314,13 @@ for (const [isFeatureEnabled, toolsInput, shouldToolcacheBeBypassed,] of TOOLCAC
    t.throws(() => codeql.getExtraOptions({ foo: 87 }, ["foo"], []));
    t.throws(() => codeql.getExtraOptions({ "*": [42], foo: { "*": 87, bar: [99] } }, ["foo", "bar"], []));
 });
-(0, ava_1.default)("getCodeQLActionRepository", (t) => {
-    const logger = (0, logging_1.getRunnerLogger)(true);
-    (0, util_1.initializeEnvironment)("1.2.3");
-    // isRunningLocalAction() === true
-    delete process.env["GITHUB_ACTION_REPOSITORY"];
-    process.env["RUNNER_TEMP"] = path.dirname(__dirname);
-    const repoLocalRunner = codeql.getCodeQLActionRepository(logger);
-    t.deepEqual(repoLocalRunner, "github/codeql-action");
-    // isRunningLocalAction() === false
-    sinon.stub(actionsUtil, "isRunningLocalAction").returns(false);
-    process.env["GITHUB_ACTION_REPOSITORY"] = "xxx/yyy";
-    const repoEnv = codeql.getCodeQLActionRepository(logger);
-    t.deepEqual(repoEnv, "xxx/yyy");
-});
 (0, ava_1.default)("databaseInterpretResults() does not set --sarif-add-query-help for 2.7.0", async (t) => {
    const runnerConstructorStub = stubToolRunnerConstructor();
    const codeqlObject = await codeql.getCodeQLForTesting();
    sinon.stub(codeqlObject, "getVersion").resolves("2.7.0");
    // safeWhich throws because of the test CodeQL object.
    sinon.stub(safeWhich, "safeWhich").resolves("");
-    await codeqlObject.databaseInterpretResults("", [], "", "", "", "-v", "", (0, testing_utils_1.createFeatures)([]));
+    await codeqlObject.databaseInterpretResults("", [], "", "", "", "-v", "");
    t.false(runnerConstructorStub.firstCall.args[1].includes("--sarif-add-query-help"), "--sarif-add-query-help should be absent, but it is present");
 });
 (0, ava_1.default)("databaseInterpretResults() sets --sarif-add-query-help for 2.7.1", async (t) => {
@@ -320,7 +329,7 @@ for (const [isFeatureEnabled, toolsInput, shouldToolcacheBeBypassed,] of TOOLCAC
    sinon.stub(codeqlObject, "getVersion").resolves("2.7.1");
    // safeWhich throws because of the test CodeQL object.
    sinon.stub(safeWhich, "safeWhich").resolves("");
-    await codeqlObject.databaseInterpretResults("", [], "", "", "", "-v", "", (0, testing_utils_1.createFeatures)([]));
+    await codeqlObject.databaseInterpretResults("", [], "", "", "", "-v", "");
    t.true(runnerConstructorStub.firstCall.args[1].includes("--sarif-add-query-help"), "--sarif-add-query-help should be present, but it is absent");
 });
 (0, ava_1.default)("databaseInitCluster() without injected codescanning config", async (t) => {
@@ -354,7 +363,7 @@ const injectedConfigMacro = ava_1.default.macro({
            const codeqlObject = await codeql.getCodeQLForTesting();
            sinon
                .stub(codeqlObject, "getVersion")
-                .resolves(codeql.CODEQL_VERSION_CONFIG_FILES);
+                .resolves(feature_flags_1.featureConfig[feature_flags_1.Feature.CliConfigFileEnabled].minimumVersion);
            const thisStubConfig = {
                ...stubConfig,
                ...configOverride,
@@ -384,7 +393,7 @@ const injectedConfigMacro = ava_1.default.macro({
    queriesInputCombines: false,
    packsInputCombines: false,
 }, {}, {
-    packs: ["codeql/javascript-experimental-atm-queries@~0.3.0"],
+    packs: ["codeql/javascript-experimental-atm-queries@~0.4.0"],
 });
 (0, ava_1.default)("injected ML queries with existing packs", injectedConfigMacro, {
    injectedMlQueries: true,
@@ -398,7 +407,7 @@ const injectedConfigMacro = ava_1.default.macro({
    packs: {
        javascript: [
            "codeql/something-else",
-            "codeql/javascript-experimental-atm-queries@~0.3.0",
+            "codeql/javascript-experimental-atm-queries@~0.4.0",
        ],
    },
 });
@@ -413,7 +422,7 @@ const injectedConfigMacro = ava_1.default.macro({
 }, {
    packs: {
        cpp: ["codeql/something-else"],
-        javascript: ["codeql/javascript-experimental-atm-queries@~0.3.0"],
+        javascript: ["codeql/javascript-experimental-atm-queries@~0.4.0"],
    },
 });
 (0, ava_1.default)("injected packs from input", injectedConfigMacro, {
@@ -466,7 +475,7 @@ const injectedConfigMacro = ava_1.default.macro({
        },
    },
 }, {
-    packs: ["xxx", "yyy", "codeql/javascript-experimental-atm-queries@~0.3.0"],
+    packs: ["xxx", "yyy", "codeql/javascript-experimental-atm-queries@~0.4.0"],
 });
 // similar, but with queries
 (0, ava_1.default)("injected queries from input", injectedConfigMacro, {
@@ -560,7 +569,7 @@ const injectedConfigMacro = ava_1.default.macro({
        const codeqlObject = await codeql.getCodeQLForTesting();
        sinon
            .stub(codeqlObject, "getVersion")
-            .resolves(codeql.CODEQL_VERSION_CONFIG_FILES);
+            .resolves(feature_flags_1.featureConfig[feature_flags_1.Feature.CliConfigFileEnabled].minimumVersion);
        await codeqlObject.databaseInitCluster(stubConfig, "", undefined, (0, testing_utils_1.createFeatures)([]), (0, logging_1.getRunnerLogger)(true));
        const args = runnerConstructorStub.firstCall.args[1];
        // should have used an config file
@@ -571,28 +580,22 @@ const injectedConfigMacro = ava_1.default.macro({
        process.env["CODEQL_PASS_CONFIG_TO_CLI"] = origCODEQL_PASS_CONFIG_TO_CLI;
    }
 });
-(0, ava_1.default)("databaseInterpretResults() sets --sarif-add-baseline-file-info when feature enabled", async (t) => {
+(0, ava_1.default)("databaseInterpretResults() sets --sarif-add-baseline-file-info for 2.11.3", async (t) => {
    const runnerConstructorStub = stubToolRunnerConstructor();
    const codeqlObject = await codeql.getCodeQLForTesting();
-    // We need to set a CodeQL version such that running `databaseInterpretResults` does not crash.
-    // The version of CodeQL is checked separately to determine feature enablement, and does not
-    // otherwise impact this test, so set it to 0.0.0.
-    sinon.stub(codeqlObject, "getVersion").resolves("0.0.0");
+    sinon.stub(codeqlObject, "getVersion").resolves("2.11.3");
    // safeWhich throws because of the test CodeQL object.
    sinon.stub(safeWhich, "safeWhich").resolves("");
-    await codeqlObject.databaseInterpretResults("", [], "", "", "", "-v", "", (0, testing_utils_1.createFeatures)([feature_flags_1.Feature.FileBaselineInformationEnabled]));
+    await codeqlObject.databaseInterpretResults("", [], "", "", "", "-v", "");
    t.true(runnerConstructorStub.firstCall.args[1].includes("--sarif-add-baseline-file-info"), "--sarif-add-baseline-file-info should be present, but it is absent");
 });
-(0, ava_1.default)("databaseInterpretResults() does not set --sarif-add-baseline-file-info if feature disabled", async (t) => {
+(0, ava_1.default)("databaseInterpretResults() does not set --sarif-add-baseline-file-info for 2.11.2", async (t) => {
    const runnerConstructorStub = stubToolRunnerConstructor();
    const codeqlObject = await codeql.getCodeQLForTesting();
-    // We need to set a CodeQL version such that running `databaseInterpretResults` does not crash.
-    // The version of CodeQL is checked upstream to determine feature enablement, so it does not
-    // affect this test.
-    sinon.stub(codeqlObject, "getVersion").resolves("0.0.0");
+    sinon.stub(codeqlObject, "getVersion").resolves("2.11.2");
    // safeWhich throws because of the test CodeQL object.
    sinon.stub(safeWhich, "safeWhich").resolves("");
-    await codeqlObject.databaseInterpretResults("", [], "", "", "", "-v", "", (0, testing_utils_1.createFeatures)([]));
+    await codeqlObject.databaseInterpretResults("", [], "", "", "", "-v", "");
    t.false(runnerConstructorStub.firstCall.args[1].includes("--sarif-add-baseline-file-info"), "--sarif-add-baseline-file-info must be absent, but it is present");
 });
 function stubToolRunnerConstructor() {
@@ -240,8 +240,12 @@ async function parseQueryUses(languages, codeQL, resultMap, packs, queryUses, te
    if (queryUses.indexOf("/") === -1 && queryUses.indexOf("@") === -1) {
        return await addBuiltinSuiteQueries(languages, codeQL, resultMap, packs, queryUses, featureEnablement, configFile);
    }
-    // Otherwise, must be a reference to another repo
-    await addRemoteQueries(codeQL, resultMap, queryUses, tempDir, apiDetails, logger, configFile);
+    // Otherwise, must be a reference to another repo.
+    // If config parsing is handled in CLI, then this repo will be downloaded
+    // later by the CLI.
+    if (!(await (0, util_1.useCodeScanningConfigInCli)(codeQL, featureEnablement))) {
+        await addRemoteQueries(codeQL, resultMap, queryUses, tempDir, apiDetails, logger, configFile);
+    }
    return false;
 }
 // Regex validating stars in paths or paths-ignore entries.
@@ -925,22 +929,23 @@ async function initConfig(languagesInput, queriesInput, packsInput, registriesIn
    else {
        config = await loadConfig(languagesInput, queriesInput, packsInput, configFile, dbLocation, trapCachingEnabled, debugMode, debugArtifactName, debugDatabaseName, repository, tempDir, codeQL, workspacePath, gitHubVersion, apiDetails, featureEnablement, logger);
    }
-    // The list of queries should not be empty for any language. If it is then
-    // it is a user configuration error.
-    for (const language of config.languages) {
-        const hasBuiltinQueries = ((_a = config.queries[language]) === null || _a === void 0 ? void 0 : _a.builtin.length) > 0;
-        const hasCustomQueries = ((_b = config.queries[language]) === null || _b === void 0 ? void 0 : _b.custom.length) > 0;
-        const hasPacks = (((_c = config.packs[language]) === null || _c === void 0 ? void 0 : _c.length) || 0) > 0;
-        if (!hasPacks && !hasBuiltinQueries && !hasCustomQueries) {
-            throw new Error(`Did not detect any queries to run for ${language}. ` +
-                "Please make sure that the default queries are enabled, or you are specifying queries to run.");
-        }
-    }
    // When using the codescanning config in the CLI, pack downloads
    // happen in the CLI during the `database init` command, so no need
    // to download them here.
    await (0, util_1.logCodeScanningConfigInCli)(codeQL, featureEnablement, logger);
    if (!(await (0, util_1.useCodeScanningConfigInCli)(codeQL, featureEnablement))) {
+        // The list of queries should not be empty for any language. If it is then
+        // it is a user configuration error.
+        // This check occurs in the CLI when it parses the config file.
+        for (const language of config.languages) {
+            const hasBuiltinQueries = ((_a = config.queries[language]) === null || _a === void 0 ? void 0 : _a.builtin.length) > 0;
+            const hasCustomQueries = ((_b = config.queries[language]) === null || _b === void 0 ? void 0 : _b.custom.length) > 0;
+            const hasPacks = (((_c = config.packs[language]) === null || _c === void 0 ? void 0 : _c.length) || 0) > 0;
+            if (!hasPacks && !hasBuiltinQueries && !hasCustomQueries) {
+                throw new Error(`Did not detect any queries to run for ${language}. ` +
+                    "Please make sure that the default queries are enabled, or you are specifying queries to run.");
+            }
+        }
        const registries = parseRegistries(registriesInput);
        await downloadPacks(codeQL, config.languages, config.packs, registries, apiDetails, config.tempDir, logger);
    }
@@ -44,24 +44,32 @@ async function uploadDatabases(repositoryNwo, config, apiDetails, logger) {
    const client = (0, api_client_1.getApiClient)();
    const codeql = await (0, codeql_1.getCodeQL)(config.codeQLCmd);
    for (const language of config.languages) {
-        // Upload the database bundle.
-        // Although we are uploading arbitrary file contents to the API, it's worth
-        // noting that it's the API's job to validate that the contents is acceptable.
-        // This API method is available to anyone with write access to the repo.
-        const payload = fs.readFileSync(await (0, util_1.bundleDb)(config, language, codeql, language));
        try {
-            await client.request(`POST https://uploads.github.com/repos/:owner/:repo/code-scanning/codeql/databases/:language?name=:name`, {
-                owner: repositoryNwo.owner,
-                repo: repositoryNwo.repo,
-                language,
-                name: `${language}-database`,
-                data: payload,
-                headers: {
-                    authorization: `token ${apiDetails.auth}`,
-                    "Content-Type": "application/zip",
-                },
-            });
-            logger.debug(`Successfully uploaded database for ${language}`);
+            // Upload the database bundle.
+            // Although we are uploading arbitrary file contents to the API, it's worth
+            // noting that it's the API's job to validate that the contents is acceptable.
+            // This API method is available to anyone with write access to the repo.
+            const bundledDb = await (0, util_1.bundleDb)(config, language, codeql, language);
+            const bundledDbSize = fs.statSync(bundledDb).size;
+            const bundledDbReadStream = fs.createReadStream(bundledDb);
+            try {
+                await client.request(`POST https://uploads.github.com/repos/:owner/:repo/code-scanning/codeql/databases/:language?name=:name`, {
+                    owner: repositoryNwo.owner,
+                    repo: repositoryNwo.repo,
+                    language,
+                    name: `${language}-database`,
+                    data: bundledDbReadStream,
+                    headers: {
+                        authorization: `token ${apiDetails.auth}`,
+                        "Content-Type": "application/zip",
+                        "Content-Length": bundledDbSize,
+                    },
+                });
+                logger.debug(`Successfully uploaded database for ${language}`);
+            }
+            finally {
+                bundledDbReadStream.close();
+            }
        }
        catch (e) {
            console.log(e);
@@ -1 +1 @@
-{"version":3,"file":"database-upload.js","sourceRoot":"","sources":["../src/database-upload.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;AAAA,uCAAyB;AAEzB,4DAA8C;AAC9C,6CAA8D;AAC9D,qCAAqC;AAIrC,6CAA+B;AAC/B,iCAAkC;AAE3B,KAAK,UAAU,eAAe,CACnC,aAA4B,EAC5B,MAAc,EACd,UAA4B,EAC5B,MAAc;IAEd,IAAI,WAAW,CAAC,gBAAgB,CAAC,iBAAiB,CAAC,KAAK,MAAM,EAAE;QAC9D,MAAM,CAAC,KAAK,CAAC,wDAAwD,CAAC,CAAC;QACvE,OAAO;KACR;IAED,iDAAiD;IACjD,IAAI,MAAM,CAAC,aAAa,CAAC,IAAI,KAAK,IAAI,CAAC,aAAa,CAAC,MAAM,EAAE;QAC3D,MAAM,CAAC,KAAK,CAAC,kDAAkD,CAAC,CAAC;QACjE,OAAO;KACR;IAED,IAAI,CAAC,CAAC,MAAM,WAAW,CAAC,wBAAwB,EAAE,CAAC,EAAE;QACnD,4EAA4E;QAC5E,MAAM,CAAC,KAAK,CAAC,gDAAgD,CAAC,CAAC;QAC/D,OAAO;KACR;IAED,MAAM,MAAM,GAAG,IAAA,yBAAY,GAAE,CAAC;IAC9B,MAAM,MAAM,GAAG,MAAM,IAAA,kBAAS,EAAC,MAAM,CAAC,SAAS,CAAC,CAAC;IAEjD,KAAK,MAAM,QAAQ,IAAI,MAAM,CAAC,SAAS,EAAE;QACvC,8BAA8B;QAC9B,2EAA2E;QAC3E,8EAA8E;QAC9E,wEAAwE;QACxE,MAAM,OAAO,GAAG,EAAE,CAAC,YAAY,CAC7B,MAAM,IAAA,eAAQ,EAAC,MAAM,EAAE,QAAQ,EAAE,MAAM,EAAE,QAAQ,CAAC,CACnD,CAAC;QACF,IAAI;YACF,MAAM,MAAM,CAAC,OAAO,CAClB,wGAAwG,EACxG;gBACE,KAAK,EAAE,aAAa,CAAC,KAAK;gBAC1B,IAAI,EAAE,aAAa,CAAC,IAAI;gBACxB,QAAQ;gBACR,IAAI,EAAE,GAAG,QAAQ,WAAW;gBAC5B,IAAI,EAAE,OAAO;gBACb,OAAO,EAAE;oBACP,aAAa,EAAE,SAAS,UAAU,CAAC,IAAI,EAAE;oBACzC,cAAc,EAAE,iBAAiB;iBAClC;aACF,CACF,CAAC;YACF,MAAM,CAAC,KAAK,CAAC,sCAAsC,QAAQ,EAAE,CAAC,CAAC;SAChE;QAAC,OAAO,CAAC,EAAE;YACV,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;YACf,4CAA4C;YAC5C,MAAM,CAAC,OAAO,CAAC,iCAAiC,QAAQ,KAAK,CAAC,EAAE,CAAC,CAAC;SACnE;KACF;AACH,CAAC;AAxDD,0CAwDC"}
+{"version":3,"file":"database-upload.js","sourceRoot":"","sources":["../src/database-upload.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;AAAA,uCAAyB;AAEzB,4DAA8C;AAC9C,6CAA8D;AAC9D,qCAAqC;AAIrC,6CAA+B;AAC/B,iCAAkC;AAE3B,KAAK,UAAU,eAAe,CACnC,aAA4B,EAC5B,MAAc,EACd,UAA4B,EAC5B,MAAc;IAEd,IAAI,WAAW,CAAC,gBAAgB,CAAC,iBAAiB,CAAC,KAAK,MAAM,EAAE;QAC9D,MAAM,CAAC,KAAK,CAAC,wDAAwD,CAAC,CAAC;QACvE,OAAO;KACR;IAED,iDAAiD;IACjD,IAAI,MAAM,CAAC,aAAa,CAAC,IAAI,KAAK,IAAI,CAAC,aAAa,CAAC,MAAM,EAAE;QAC3D,MAAM,CAAC,KAAK,CAAC,kDAAkD,CAAC,CAAC;QACjE,OAAO;KACR;IAED,IAAI,CAAC,CAAC,MAAM,WAAW,CAAC,wBAAwB,EAAE,CAAC,EAAE;QACnD,4EAA4E;QAC5E,MAAM,CAAC,KAAK,CAAC,gDAAgD,CAAC,CAAC;QAC/D,OAAO;KACR;IAED,MAAM,MAAM,GAAG,IAAA,yBAAY,GAAE,CAAC;IAC9B,MAAM,MAAM,GAAG,MAAM,IAAA,kBAAS,EAAC,MAAM,CAAC,SAAS,CAAC,CAAC;IAEjD,KAAK,MAAM,QAAQ,IAAI,MAAM,CAAC,SAAS,EAAE;QACvC,IAAI;YACF,8BAA8B;YAC9B,2EAA2E;YAC3E,8EAA8E;YAC9E,wEAAwE;YACxE,MAAM,SAAS,GAAG,MAAM,IAAA,eAAQ,EAAC,MAAM,EAAE,QAAQ,EAAE,MAAM,EAAE,QAAQ,CAAC,CAAC;YACrE,MAAM,aAAa,GAAG,EAAE,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC,IAAI,CAAC;YAClD,MAAM,mBAAmB,GAAG,EAAE,CAAC,gBAAgB,CAAC,SAAS,CAAC,CAAC;YAC3D,IAAI;gBACF,MAAM,MAAM,CAAC,OAAO,CAClB,wGAAwG,EACxG;oBACE,KAAK,EAAE,aAAa,CAAC,KAAK;oBAC1B,IAAI,EAAE,aAAa,CAAC,IAAI;oBACxB,QAAQ;oBACR,IAAI,EAAE,GAAG,QAAQ,WAAW;oBAC5B,IAAI,EAAE,mBAAmB;oBACzB,OAAO,EAAE;wBACP,aAAa,EAAE,SAAS,UAAU,CAAC,IAAI,EAAE;wBACzC,cAAc,EAAE,iBAAiB;wBACjC,gBAAgB,EAAE,aAAa;qBAChC;iBACF,CACF,CAAC;gBACF,MAAM,CAAC,KAAK,CAAC,sCAAsC,QAAQ,EAAE,CAAC,CAAC;aAChE;oBAAS;gBACR,mBAAmB,CAAC,KAAK,EAAE,CAAC;aAC7B;SACF;QAAC,OAAO,CAAC,EAAE;YACV,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;YACf,4CAA4C;YAC5C,MAAM,CAAC,OAAO,CAAC,iCAAiC,QAAQ,KAAK,CAAC,EAAE,CAAC,CAAC;SACnE;KACF;AACH,CAAC;AA7DD,0CA6DC"}
@@ -1,3 +1,6 @@
 {
-    "bundleVersion": "codeql-bundle-20221123"
+    "bundleVersion": "codeql-bundle-20230105",
+    "cliVersion": "2.12.0",
+    "priorBundleVersion": "codeql-bundle-20221211",
+    "priorCliVersion": "2.11.6"
 }
@@ -22,17 +22,22 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.Features = exports.FEATURE_FLAGS_FILE_NAME = exports.featureConfig = exports.Feature = void 0;
 const fs = __importStar(require("fs"));
 const path = __importStar(require("path"));
+const semver = __importStar(require("semver"));
 const api_client_1 = require("./api-client");
+const defaults = __importStar(require("./defaults.json")); // Referenced from codeql-action-sync-tool!
 const util = __importStar(require("./util"));
+const DEFAULT_VERSION_FEATURE_FLAG_PREFIX = "default_codeql_version_";
+const DEFAULT_VERSION_FEATURE_FLAG_SUFFIX = "_enabled";
+const MINIMUM_ENABLED_CODEQL_VERSION = "2.11.6";
 var Feature;
 (function (Feature) {
    Feature["BypassToolcacheEnabled"] = "bypass_toolcache_enabled";
    Feature["BypassToolcacheKotlinSwiftEnabled"] = "bypass_toolcache_kotlin_swift_enabled";
    Feature["CliConfigFileEnabled"] = "cli_config_file_enabled";
    Feature["DisableKotlinAnalysisEnabled"] = "disable_kotlin_analysis_enabled";
-    Feature["FileBaselineInformationEnabled"] = "file_baseline_information_enabled";
    Feature["MlPoweredQueriesEnabled"] = "ml_powered_queries_enabled";
    Feature["TrapCachingEnabled"] = "trap_caching_enabled";
+    Feature["UploadFailedSarifEnabled"] = "upload_failed_sarif_enabled";
 })(Feature = exports.Feature || (exports.Feature = {}));
 exports.featureConfig = {
    [Feature.BypassToolcacheEnabled]: {
@@ -53,11 +58,7 @@ exports.featureConfig = {
    },
    [Feature.CliConfigFileEnabled]: {
        envVar: "CODEQL_PASS_CONFIG_TO_CLI",
-        minimumVersion: "2.11.1",
-    },
-    [Feature.FileBaselineInformationEnabled]: {
-        envVar: "CODEQL_FILE_BASELINE_INFORMATION",
-        minimumVersion: "2.11.3",
+        minimumVersion: "2.11.6",
    },
    [Feature.MlPoweredQueriesEnabled]: {
        envVar: "CODEQL_ML_POWERED_QUERIES",
@@ -67,6 +68,10 @@ exports.featureConfig = {
        envVar: "CODEQL_TRAP_CACHING",
        minimumVersion: undefined,
    },
+    [Feature.UploadFailedSarifEnabled]: {
+        envVar: "CODEQL_ACTION_UPLOAD_FAILED_SARIF",
+        minimumVersion: "2.11.3",
+    },
 };
 exports.FEATURE_FLAGS_FILE_NAME = "cached-feature-flags.json";
 /**
@@ -78,6 +83,9 @@ class Features {
    constructor(gitHubVersion, repositoryNwo, tempDir, logger) {
        this.gitHubFeatureFlags = new GitHubFeatureFlags(gitHubVersion, repositoryNwo, path.join(tempDir, exports.FEATURE_FLAGS_FILE_NAME), logger);
    }
+    async getDefaultCliVersion(variant) {
+        return await this.gitHubFeatureFlags.getDefaultCliVersion(variant);
+    }
    /**
     *
     * @param feature The feature to check.
@@ -127,6 +135,48 @@ class GitHubFeatureFlags {
        this.logger = logger;
        /**/
    }
+    getCliVersionFromFeatureFlag(f) {
+        if (!f.startsWith(DEFAULT_VERSION_FEATURE_FLAG_PREFIX) ||
+            !f.endsWith(DEFAULT_VERSION_FEATURE_FLAG_SUFFIX)) {
+            return undefined;
+        }
+        const version = f
+            .substring(DEFAULT_VERSION_FEATURE_FLAG_PREFIX.length, f.length - DEFAULT_VERSION_FEATURE_FLAG_SUFFIX.length)
+            .replace(/_/g, ".");
+        if (!semver.valid(version)) {
+            this.logger.warning(`Ignoring feature flag ${f} as it does not specify a valid CodeQL version.`);
+            return undefined;
+        }
+        return version;
+    }
+    async getDefaultCliVersion(variant) {
+        if (variant === util.GitHubVariant.DOTCOM) {
+            return {
+                cliVersion: await this.getDefaultDotcomCliVersion(),
+                variant,
+            };
+        }
+        return {
+            cliVersion: defaults.cliVersion,
+            tagName: defaults.bundleVersion,
+            variant,
+        };
+    }
+    async getDefaultDotcomCliVersion() {
+        const response = await this.getAllFeatures();
+        const enabledFeatureFlagCliVersions = Object.entries(response)
+            .map(([f, isEnabled]) => isEnabled ? this.getCliVersionFromFeatureFlag(f) : undefined)
+            .filter((f) => f !== undefined)
+            .map((f) => f);
+        if (enabledFeatureFlagCliVersions.length === 0) {
+            this.logger.debug("Feature flags do not specify a default CLI version. Falling back to CLI version " +
+                `${MINIMUM_ENABLED_CODEQL_VERSION}.`);
+            return MINIMUM_ENABLED_CODEQL_VERSION;
+        }
+        const maxCliVersion = enabledFeatureFlagCliVersions.reduce((maxVersion, currentVersion) => currentVersion > maxVersion ? currentVersion : maxVersion, enabledFeatureFlagCliVersions[0]);
+        this.logger.debug(`Derived default CLI version of ${maxCliVersion} from feature flags.`);
+        return maxCliVersion;
+    }
    async getValue(feature) {
        const response = await this.getAllFeatures();
        if (response === undefined) {
@@ -194,7 +244,10 @@ class GitHubFeatureFlags {
                owner: this.repositoryNwo.owner,
                repo: this.repositoryNwo.repo,
            });
-            return response.data;
+            const remoteFlags = response.data;
+            this.logger.debug("Loaded the following default values for the feature flags from the Code Scanning API: " +
+                `${JSON.stringify(remoteFlags)}`);
+            return remoteFlags;
        }
        catch (e) {
            if (util.isHTTPError(e) && e.status === 403) {
@@ -202,6 +255,7 @@ class GitHubFeatureFlags {
                    "As a result, it will not be opted into any experimental features. " +
                    "This could be because the Action is running on a pull request from a fork. If not, " +
                    `please ensure the Action has the 'security-events: write' permission. Details: ${e}`);
+                return {};
            }
            else {
                // Some features, such as `ml_powered_queries_enabled` affect the produced alerts.
@@ -25,6 +25,7 @@ Object.defineProperty(exports, "__esModule", { value: true });
 const fs = __importStar(require("fs"));
 const path = __importStar(require("path"));
 const ava_1 = __importDefault(require("ava"));
+const defaults = __importStar(require("./defaults.json")); // Referenced from codeql-action-sync-tool!
 const feature_flags_1 = require("./feature-flags");
 const logging_1 = require("./logging");
 const repository_1 = require("./repository");
@@ -208,6 +209,65 @@ for (const feature of Object.keys(feature_flags_1.featureConfig)) {
        t.false(await featureEnablement.getValue(feature_flags_1.Feature.CliConfigFileEnabled, includeCodeQlIfRequired(feature_flags_1.Feature.CliConfigFileEnabled)), "Feature flag should be disabled after setting env var");
    });
 });
+for (const variant of [util_1.GitHubVariant.GHAE, util_1.GitHubVariant.GHES]) {
+    (0, ava_1.default)(`selects CLI from defaults.json on ${util_1.GitHubVariant[variant]}`, async (t) => {
+        await (0, util_1.withTmpDir)(async (tmpDir) => {
+            const features = setUpFeatureFlagTests(tmpDir);
+            t.deepEqual(await features.getDefaultCliVersion(variant), {
+                cliVersion: defaults.cliVersion,
+                tagName: defaults.bundleVersion,
+                variant,
+            });
+        });
+    });
+}
+(0, ava_1.default)("selects CLI v2.12.1 on Dotcom when feature flags enable v2.12.0 and v2.12.1", async (t) => {
+    await (0, util_1.withTmpDir)(async (tmpDir) => {
+        const featureEnablement = setUpFeatureFlagTests(tmpDir);
+        const expectedFeatureEnablement = initializeFeatures(true);
+        expectedFeatureEnablement["default_codeql_version_2_12_0_enabled"] = true;
+        expectedFeatureEnablement["default_codeql_version_2_12_1_enabled"] = true;
+        expectedFeatureEnablement["default_codeql_version_2_12_2_enabled"] = false;
+        expectedFeatureEnablement["default_codeql_version_2_12_3_enabled"] = false;
+        expectedFeatureEnablement["default_codeql_version_2_12_4_enabled"] = false;
+        expectedFeatureEnablement["default_codeql_version_2_12_5_enabled"] = false;
+        (0, testing_utils_1.mockFeatureFlagApiEndpoint)(200, expectedFeatureEnablement);
+        t.deepEqual(await featureEnablement.getDefaultCliVersion(util_1.GitHubVariant.DOTCOM), {
+            cliVersion: "2.12.1",
+            variant: util_1.GitHubVariant.DOTCOM,
+        });
+    });
+});
+(0, ava_1.default)(`selects CLI v2.11.6 on Dotcom when no default version feature flags are enabled`, async (t) => {
+    await (0, util_1.withTmpDir)(async (tmpDir) => {
+        const featureEnablement = setUpFeatureFlagTests(tmpDir);
+        const expectedFeatureEnablement = initializeFeatures(true);
+        (0, testing_utils_1.mockFeatureFlagApiEndpoint)(200, expectedFeatureEnablement);
+        t.deepEqual(await featureEnablement.getDefaultCliVersion(util_1.GitHubVariant.DOTCOM), {
+            cliVersion: "2.11.6",
+            variant: util_1.GitHubVariant.DOTCOM,
+        });
+    });
+});
+(0, ava_1.default)("ignores invalid version numbers in default version feature flags", async (t) => {
+    await (0, util_1.withTmpDir)(async (tmpDir) => {
+        const loggedMessages = [];
+        const featureEnablement = setUpFeatureFlagTests(tmpDir, (0, testing_utils_1.getRecordingLogger)(loggedMessages));
+        const expectedFeatureEnablement = initializeFeatures(true);
+        expectedFeatureEnablement["default_codeql_version_2_12_0_enabled"] = true;
+        expectedFeatureEnablement["default_codeql_version_2_12_1_enabled"] = true;
+        expectedFeatureEnablement["default_codeql_version_2_12_invalid_enabled"] =
+            true;
+        (0, testing_utils_1.mockFeatureFlagApiEndpoint)(200, expectedFeatureEnablement);
+        t.deepEqual(await featureEnablement.getDefaultCliVersion(util_1.GitHubVariant.DOTCOM), {
+            cliVersion: "2.12.1",
+            variant: util_1.GitHubVariant.DOTCOM,
+        });
+        t.assert(loggedMessages.find((v) => v.type === "warning" &&
+            v.message ===
+                "Ignoring feature flag default_codeql_version_2_12_invalid_enabled as it does not specify a valid CodeQL version.") !== undefined);
+    });
+});
 function assertAllFeaturesUndefinedInApi(t, loggedMessages) {
    for (const feature of Object.keys(feature_flags_1.featureConfig)) {
        t.assert(loggedMessages.find((v) => v.type === "debug" &&
@@ -19,24 +19,94 @@ var __importStar = (this && this.__importStar) || function (mod) {
    return result;
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.run = void 0;
+exports.run = exports.tryUploadSarifIfRunFailed = void 0;
 const core = __importStar(require("@actions/core"));
 const actionsUtil = __importStar(require("./actions-util"));
+const codeql_1 = require("./codeql");
 const config_utils_1 = require("./config-utils");
-const logging_1 = require("./logging");
-async function run(uploadDatabaseBundleDebugArtifact, uploadLogsDebugArtifact, printDebugLogs) {
-    const logger = (0, logging_1.getActionsLogger)();
+const feature_flags_1 = require("./feature-flags");
+const shared_environment_1 = require("./shared-environment");
+const uploadLib = __importStar(require("./upload-lib"));
+const util_1 = require("./util");
+const workflow_1 = require("./workflow");
+function createFailedUploadFailedSarifResult(error) {
+    return {
+        upload_failed_run_error: error instanceof Error ? error.message : String(error),
+        upload_failed_run_stack_trace: error instanceof Error ? error.stack : undefined,
+    };
+}
+/**
+ * Upload a failed SARIF file if we can verify that SARIF upload is enabled and determine the SARIF
+ * category for the workflow.
+ */
+async function maybeUploadFailedSarif(config, repositoryNwo, featureEnablement, logger) {
+    var _a;
+    if (!config.codeQLCmd) {
+        return { upload_failed_run_skipped_because: "CodeQL command not found" };
+    }
+    const codeql = await (0, codeql_1.getCodeQL)(config.codeQLCmd);
+    if (!(await featureEnablement.getValue(feature_flags_1.Feature.UploadFailedSarifEnabled, codeql))) {
+        return { upload_failed_run_skipped_because: "Feature disabled" };
+    }
+    const workflow = await (0, workflow_1.getWorkflow)();
+    const jobName = (0, util_1.getRequiredEnvParam)("GITHUB_JOB");
+    const matrix = (0, util_1.parseMatrixInput)(actionsUtil.getRequiredInput("matrix"));
+    if ((0, workflow_1.getUploadInputOrThrow)(workflow, jobName, matrix) !== "true" ||
+        (0, util_1.isInTestMode)()) {
+        return { upload_failed_run_skipped_because: "SARIF upload is disabled" };
+    }
+    const category = (0, workflow_1.getCategoryInputOrThrow)(workflow, jobName, matrix);
+    const checkoutPath = (0, workflow_1.getCheckoutPathInputOrThrow)(workflow, jobName, matrix);
+    const sarifFile = "../codeql-failed-run.sarif";
+    await codeql.diagnosticsExport(sarifFile, category);
+    core.info(`Uploading failed SARIF file ${sarifFile}`);
+    const uploadResult = await uploadLib.uploadFromActions(sarifFile, checkoutPath, category, logger);
+    await uploadLib.waitForProcessing(repositoryNwo, uploadResult.sarifID, logger, { isUnsuccessfulExecution: true });
+    return (_a = uploadResult === null || uploadResult === void 0 ? void 0 : uploadResult.statusReport) !== null && _a !== void 0 ? _a : {};
+}
+async function tryUploadSarifIfRunFailed(config, repositoryNwo, featureEnablement, logger) {
+    if (process.env[shared_environment_1.CODEQL_ACTION_ANALYZE_DID_COMPLETE_SUCCESSFULLY] !== "true") {
+        try {
+            return await maybeUploadFailedSarif(config, repositoryNwo, featureEnablement, logger);
+        }
+        catch (e) {
+            logger.debug(`Failed to upload a SARIF file for this failed CodeQL code scanning run. ${e}`);
+            return createFailedUploadFailedSarifResult(e);
+        }
+    }
+    else {
+        return {
+            upload_failed_run_skipped_because: "Analyze Action completed successfully",
+        };
+    }
+}
+exports.tryUploadSarifIfRunFailed = tryUploadSarifIfRunFailed;
+async function run(uploadDatabaseBundleDebugArtifact, uploadLogsDebugArtifact, printDebugLogs, repositoryNwo, featureEnablement, logger) {
    const config = await (0, config_utils_1.getConfig)(actionsUtil.getTemporaryDirectory(), logger);
    if (config === undefined) {
        logger.warning("Debugging artifacts are unavailable since the 'init' Action failed before it could produce any.");
+        return;
+    }
+    const uploadFailedSarifResult = await tryUploadSarifIfRunFailed(config, repositoryNwo, featureEnablement, logger);
+    if (uploadFailedSarifResult.upload_failed_run_skipped_because) {
+        logger.debug("Won't upload a failed SARIF file for this CodeQL code scanning run because: " +
+            `${uploadFailedSarifResult.upload_failed_run_skipped_because}.`);
+    }
+    // Throw an error if in integration tests, we expected to upload a SARIF file for a failed run
+    // but we didn't upload anything.
+    if (process.env["CODEQL_ACTION_EXPECT_UPLOAD_FAILED_SARIF"] === "true" &&
+        !uploadFailedSarifResult.raw_upload_size_bytes) {
+        throw new Error("Expected to upload a failed SARIF file for this CodeQL code scanning run, " +
+            `but the result was instead ${uploadFailedSarifResult}.`);
    }
    // Upload appropriate Actions artifacts for debugging
-    if (config === null || config === void 0 ? void 0 : config.debugMode) {
+    if (config.debugMode) {
        core.info("Debug mode is on. Uploading available database bundles and logs as Actions debugging artifacts...");
        await uploadDatabaseBundleDebugArtifact(config, logger);
        await uploadLogsDebugArtifact(config);
        await printDebugLogs(config);
    }
+    return uploadFailedSarifResult;
 }
 exports.run = run;
 //# sourceMappingURL=init-action-post-helper.js.map
@@ -1 +1 @@
-{"version":3,"file":"init-action-post-helper.js","sourceRoot":"","sources":["../src/init-action-post-helper.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;AAAA,oDAAsC;AAEtC,4DAA8C;AAC9C,iDAA2C;AAC3C,uCAA6C;AAEtC,KAAK,UAAU,GAAG,CACvB,iCAA2C,EAC3C,uBAAiC,EACjC,cAAwB;IAExB,MAAM,MAAM,GAAG,IAAA,0BAAgB,GAAE,CAAC;IAElC,MAAM,MAAM,GAAG,MAAM,IAAA,wBAAS,EAAC,WAAW,CAAC,qBAAqB,EAAE,EAAE,MAAM,CAAC,CAAC;IAC5E,IAAI,MAAM,KAAK,SAAS,EAAE;QACxB,MAAM,CAAC,OAAO,CACZ,iGAAiG,CAClG,CAAC;KACH;IAED,qDAAqD;IACrD,IAAI,MAAM,aAAN,MAAM,uBAAN,MAAM,CAAE,SAAS,EAAE;QACrB,IAAI,CAAC,IAAI,CACP,mGAAmG,CACpG,CAAC;QACF,MAAM,iCAAiC,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;QACxD,MAAM,uBAAuB,CAAC,MAAM,CAAC,CAAC;QAEtC,MAAM,cAAc,CAAC,MAAM,CAAC,CAAC;KAC9B;AACH,CAAC;AAxBD,kBAwBC"}
+{"version":3,"file":"init-action-post-helper.js","sourceRoot":"","sources":["../src/init-action-post-helper.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;AAAA,oDAAsC;AAEtC,4DAA8C;AAC9C,qCAAqC;AACrC,iDAAmD;AACnD,mDAA6D;AAG7D,6DAAuF;AACvF,wDAA0C;AAC1C,iCAA6E;AAC7E,yCAKoB;AAWpB,SAAS,mCAAmC,CAC1C,KAAc;IAEd,OAAO;QACL,uBAAuB,EACrB,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC;QACxD,6BAA6B,EAC3B,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC,SAAS;KACnD,CAAC;AACJ,CAAC;AAED;;;GAGG;AACH,KAAK,UAAU,sBAAsB,CACnC,MAAc,EACd,aAA4B,EAC5B,iBAAoC,EACpC,MAAc;;IAEd,IAAI,CAAC,MAAM,CAAC,SAAS,EAAE;QACrB,OAAO,EAAE,iCAAiC,EAAE,0BAA0B,EAAE,CAAC;KAC1E;IACD,MAAM,MAAM,GAAG,MAAM,IAAA,kBAAS,EAAC,MAAM,CAAC,SAAS,CAAC,CAAC;IACjD,IACE,CAAC,CAAC,MAAM,iBAAiB,CAAC,QAAQ,CAChC,uBAAO,CAAC,wBAAwB,EAChC,MAAM,CACP,CAAC,EACF;QACA,OAAO,EAAE,iCAAiC,EAAE,kBAAkB,EAAE,CAAC;KAClE;IACD,MAAM,QAAQ,GAAG,MAAM,IAAA,sBAAW,GAAE,CAAC;IACrC,MAAM,OAAO,GAAG,IAAA,0BAAmB,EAAC,YAAY,CAAC,CAAC;IAClD,MAAM,MAAM,GAAG,IAAA,uBAAgB,EAAC,WAAW,CAAC,gBAAgB,CAAC,QAAQ,CAAC,CAAC,CAAC;IACxE,IACE,IAAA,gCAAqB,EAAC,QAAQ,EAAE,OAAO,EAAE,MAAM,CAAC,KAAK,MAAM;QAC3D,IAAA,mBAAY,GAAE,EACd;QACA,OAAO,EAAE,iCAAiC,EAAE,0BAA0B,EAAE,CAAC;KAC1E;IACD,MAAM,QAAQ,GAAG,IAAA,kCAAuB,EAAC,QAAQ,EAAE,OAAO,EAAE,MAAM,CAAC,CAAC;IACpE,MAAM,YAAY,GAAG,IAAA,sCAA2B,EAAC,QAAQ,EAAE,OAAO,EAAE,MAAM,CAAC,CAAC;IAE5E,MAAM,SAAS,GAAG,4BAA4B,CAAC;IAC/C,MAAM,MAAM,CAAC,iBAAiB,CAAC,SAAS,EAAE,QAAQ,CAAC,CAAC;IAEpD,IAAI,CAAC,IAAI,CAAC,+BAA+B,SAAS,EAAE,CAAC,CAAC;IACtD,MAAM,YAAY,GAAG,MAAM,SAAS,CAAC,iBAAiB,CACpD,SAAS,EACT,YAAY,EACZ,QAAQ,EACR,MAAM,CACP,CAAC;IACF,MAAM,SAAS,CAAC,iBAAiB,CAC/B,aAAa,EACb,YAAY,CAAC,OAAO,EACpB,MAAM,EACN,EAAE,uBAAuB,EAAE,IAAI,EAAE,CAClC,CAAC;IACF,OAAO,MAAA,YAAY,aAAZ,YAAY,uBAAZ,YAAY,CAAE,YAAY,mCAAI,EAAE,CAAC;AAC1C,CAAC;AAEM,KAAK,UAAU,yBAAyB,CAC7C,MAAc,EACd,aAA4B,EAC5B,iBAAoC,EACpC,MAAc;IAEd,IAAI,OAAO,CAAC,GAAG,CAAC,oEAA+C,CAAC,KAAK,MAAM,EAAE;QAC3E,IAAI;YACF,OAAO,MAAM,sBAAsB,CACjC,MAAM,EACN,aAAa,EACb,iBAAiB,EACjB,MAAM,CACP,CAAC;SACH;QAAC,OAAO,CAAC,EAAE;YACV,MAAM,CAAC,KAAK,CACV,2EAA2E,CAAC,EAAE,CAC/E,CAAC;YACF,OAAO,mCAAmC,CAAC,CAAC,CAAC,CAAC;SAC/C;KACF;SAAM;QACL,OAAO;YACL,iCAAiC,EAC/B,uCAAuC;SAC1C,CAAC;KACH;AACH,CAAC;AA1BD,8DA0BC;AAEM,KAAK,UAAU,GAAG,CACvB,iCAA2C,EAC3C,uBAAiC,EACjC,cAAwB,EACxB,aAA4B,EAC5B,iBAAoC,EACpC,MAAc;IAEd,MAAM,MAAM,GAAG,MAAM,IAAA,wBAAS,EAAC,WAAW,CAAC,qBAAqB,EAAE,EAAE,MAAM,CAAC,CAAC;IAC5E,IAAI,MAAM,KAAK,SAAS,EAAE;QACxB,MAAM,CAAC,OAAO,CACZ,iGAAiG,CAClG,CAAC;QACF,OAAO;KACR;IAED,MAAM,uBAAuB,GAAG,MAAM,yBAAyB,CAC7D,MAAM,EACN,aAAa,EACb,iBAAiB,EACjB,MAAM,CACP,CAAC;IACF,IAAI,uBAAuB,CAAC,iCAAiC,EAAE;QAC7D,MAAM,CAAC,KAAK,CACV,8EAA8E;YAC5E,GAAG,uBAAuB,CAAC,iCAAiC,GAAG,CAClE,CAAC;KACH;IACD,8FAA8F;IAC9F,iCAAiC;IACjC,IACE,OAAO,CAAC,GAAG,CAAC,0CAA0C,CAAC,KAAK,MAAM;QAClE,CAAC,uBAAuB,CAAC,qBAAqB,EAC9C;QACA,MAAM,IAAI,KAAK,CACb,4EAA4E;YAC1E,8BAA8B,uBAAuB,GAAG,CAC3D,CAAC;KACH;IAED,qDAAqD;IACrD,IAAI,MAAM,CAAC,SAAS,EAAE;QACpB,IAAI,CAAC,IAAI,CACP,mGAAmG,CACpG,CAAC;QACF,MAAM,iCAAiC,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;QACxD,MAAM,uBAAuB,CAAC,MAAM,CAAC,CAAC;QAEtC,MAAM,cAAc,CAAC,MAAM,CAAC,CAAC;KAC9B;IAED,OAAO,uBAAuB,CAAC;AACjC,CAAC;AApDD,kBAoDC"}
@@ -24,13 +24,21 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
 Object.defineProperty(exports, "__esModule", { value: true });
 const ava_1 = __importDefault(require("ava"));
 const sinon = __importStar(require("sinon"));
+const actionsUtil = __importStar(require("./actions-util"));
+const codeql = __importStar(require("./codeql"));
 const configUtils = __importStar(require("./config-utils"));
+const feature_flags_1 = require("./feature-flags");
 const initActionPostHelper = __importStar(require("./init-action-post-helper"));
+const logging_1 = require("./logging");
+const repository_1 = require("./repository");
 const testing_utils_1 = require("./testing-utils");
+const uploadLib = __importStar(require("./upload-lib"));
 const util = __importStar(require("./util"));
+const workflow = __importStar(require("./workflow"));
 (0, testing_utils_1.setupTests)(ava_1.default);
 (0, ava_1.default)("post: init action with debug mode off", async (t) => {
    return await util.withTmpDir(async (tmpDir) => {
+        process.env["GITHUB_REPOSITORY"] = "github/codeql-action-fake-repository";
        process.env["RUNNER_TEMP"] = tmpDir;
        const gitHubVersion = {
            type: util.GitHubVariant.DOTCOM,
@@ -44,7 +52,7 @@ const util = __importStar(require("./util"));
        const uploadDatabaseBundleSpy = sinon.spy();
        const uploadLogsSpy = sinon.spy();
        const printDebugLogsSpy = sinon.spy();
-        await initActionPostHelper.run(uploadDatabaseBundleSpy, uploadLogsSpy, printDebugLogsSpy);
+        await initActionPostHelper.run(uploadDatabaseBundleSpy, uploadLogsSpy, printDebugLogsSpy, (0, repository_1.parseRepositoryNwo)("github/codeql-action"), (0, testing_utils_1.createFeatures)([]), (0, logging_1.getRunnerLogger)(true));
        t.assert(uploadDatabaseBundleSpy.notCalled);
        t.assert(uploadLogsSpy.notCalled);
        t.assert(printDebugLogsSpy.notCalled);
@@ -52,6 +60,7 @@ const util = __importStar(require("./util"));
 });
 (0, ava_1.default)("post: init action with debug mode on", async (t) => {
    return await util.withTmpDir(async (tmpDir) => {
+        process.env["GITHUB_REPOSITORY"] = "github/codeql-action-fake-repository";
        process.env["RUNNER_TEMP"] = tmpDir;
        const gitHubVersion = {
            type: util.GitHubVariant.DOTCOM,
@@ -65,10 +74,193 @@ const util = __importStar(require("./util"));
        const uploadDatabaseBundleSpy = sinon.spy();
        const uploadLogsSpy = sinon.spy();
        const printDebugLogsSpy = sinon.spy();
-        await initActionPostHelper.run(uploadDatabaseBundleSpy, uploadLogsSpy, printDebugLogsSpy);
+        await initActionPostHelper.run(uploadDatabaseBundleSpy, uploadLogsSpy, printDebugLogsSpy, (0, repository_1.parseRepositoryNwo)("github/codeql-action"), (0, testing_utils_1.createFeatures)([]), (0, logging_1.getRunnerLogger)(true));
        t.assert(uploadDatabaseBundleSpy.called);
        t.assert(uploadLogsSpy.called);
        t.assert(printDebugLogsSpy.called);
    });
 });
+(0, ava_1.default)("uploads failed SARIF run for typical workflow", async (t) => {
+    const actionsWorkflow = createTestWorkflow([
+        {
+            name: "Checkout repository",
+            uses: "actions/checkout@v3",
+        },
+        {
+            name: "Initialize CodeQL",
+            uses: "github/codeql-action/init@v2",
+            with: {
+                languages: "javascript",
+            },
+        },
+        {
+            name: "Perform CodeQL Analysis",
+            uses: "github/codeql-action/analyze@v2",
+            with: {
+                category: "my-category",
+            },
+        },
+    ]);
+    await testFailedSarifUpload(t, actionsWorkflow, { category: "my-category" });
+});
+(0, ava_1.default)("doesn't upload failed SARIF for workflow with upload: false", async (t) => {
+    const actionsWorkflow = createTestWorkflow([
+        {
+            name: "Checkout repository",
+            uses: "actions/checkout@v3",
+        },
+        {
+            name: "Initialize CodeQL",
+            uses: "github/codeql-action/init@v2",
+            with: {
+                languages: "javascript",
+            },
+        },
+        {
+            name: "Perform CodeQL Analysis",
+            uses: "github/codeql-action/analyze@v2",
+            with: {
+                category: "my-category",
+                upload: false,
+            },
+        },
+    ]);
+    const result = await testFailedSarifUpload(t, actionsWorkflow, {
+        expectUpload: false,
+    });
+    t.is(result.upload_failed_run_skipped_because, "SARIF upload is disabled");
+});
+(0, ava_1.default)("uploading failed SARIF run succeeds when workflow uses an input with a matrix var", async (t) => {
+    const actionsWorkflow = createTestWorkflow([
+        {
+            name: "Checkout repository",
+            uses: "actions/checkout@v3",
+        },
+        {
+            name: "Initialize CodeQL",
+            uses: "github/codeql-action/init@v2",
+            with: {
+                languages: "javascript",
+            },
+        },
+        {
+            name: "Perform CodeQL Analysis",
+            uses: "github/codeql-action/analyze@v2",
+            with: {
+                category: "/language:${{ matrix.language }}",
+            },
+        },
+    ]);
+    await testFailedSarifUpload(t, actionsWorkflow, {
+        category: "/language:csharp",
+        matrix: { language: "csharp" },
+    });
+});
+(0, ava_1.default)("uploading failed SARIF run fails when workflow uses a complex upload input", async (t) => {
+    const actionsWorkflow = createTestWorkflow([
+        {
+            name: "Checkout repository",
+            uses: "actions/checkout@v3",
+        },
+        {
+            name: "Initialize CodeQL",
+            uses: "github/codeql-action/init@v2",
+            with: {
+                languages: "javascript",
+            },
+        },
+        {
+            name: "Perform CodeQL Analysis",
+            uses: "github/codeql-action/analyze@v2",
+            with: {
+                upload: "${{ matrix.language != 'csharp' }}",
+            },
+        },
+    ]);
+    const result = await testFailedSarifUpload(t, actionsWorkflow, {
+        expectUpload: false,
+    });
+    t.is(result.upload_failed_run_error, "Could not get upload input to github/codeql-action/analyze since it contained an " +
+        "unrecognized dynamic value.");
+});
+(0, ava_1.default)("uploading failed SARIF run fails when workflow does not reference github/codeql-action", async (t) => {
+    const actionsWorkflow = createTestWorkflow([
+        {
+            name: "Checkout repository",
+            uses: "actions/checkout@v3",
+        },
+    ]);
+    const result = await testFailedSarifUpload(t, actionsWorkflow, {
+        expectUpload: false,
+    });
+    t.is(result.upload_failed_run_error, "Could not get upload input to github/codeql-action/analyze since the analyze job does not " +
+        "call github/codeql-action/analyze.");
+    t.truthy(result.upload_failed_run_stack_trace);
+});
+function createTestWorkflow(steps) {
+    return {
+        name: "CodeQL",
+        on: {
+            push: {
+                branches: ["main"],
+            },
+            pull_request: {
+                branches: ["main"],
+            },
+        },
+        jobs: {
+            analyze: {
+                name: "CodeQL Analysis",
+                "runs-on": "ubuntu-latest",
+                steps,
+            },
+        },
+    };
+}
+async function testFailedSarifUpload(t, actionsWorkflow, { category, expectUpload = true, matrix = {}, } = {}) {
+    const config = {
+        codeQLCmd: "codeql",
+        debugMode: true,
+        languages: [],
+        packs: [],
+    };
+    process.env["GITHUB_JOB"] = "analyze";
+    process.env["GITHUB_REPOSITORY"] = "github/codeql-action-fake-repository";
+    process.env["GITHUB_WORKSPACE"] =
+        "/home/runner/work/codeql-action/codeql-action";
+    sinon
+        .stub(actionsUtil, "getRequiredInput")
+        .withArgs("matrix")
+        .returns(JSON.stringify(matrix));
+    const codeqlObject = await codeql.getCodeQLForTesting();
+    sinon.stub(codeql, "getCodeQL").resolves(codeqlObject);
+    const diagnosticsExportStub = sinon.stub(codeqlObject, "diagnosticsExport");
+    sinon.stub(workflow, "getWorkflow").resolves(actionsWorkflow);
+    const uploadFromActions = sinon.stub(uploadLib, "uploadFromActions");
+    uploadFromActions.resolves({
+        sarifID: "42",
+        statusReport: { raw_upload_size_bytes: 20, zipped_upload_size_bytes: 10 },
+    });
+    const waitForProcessing = sinon.stub(uploadLib, "waitForProcessing");
+    const result = await initActionPostHelper.tryUploadSarifIfRunFailed(config, (0, repository_1.parseRepositoryNwo)("github/codeql-action"), (0, testing_utils_1.createFeatures)([feature_flags_1.Feature.UploadFailedSarifEnabled]), (0, logging_1.getRunnerLogger)(true));
+    if (expectUpload) {
+        t.deepEqual(result, {
+            raw_upload_size_bytes: 20,
+            zipped_upload_size_bytes: 10,
+        });
+    }
+    if (expectUpload) {
+        t.true(diagnosticsExportStub.calledOnceWith(sinon.match.string, category), `Actual args were: ${diagnosticsExportStub.args}`);
+        t.true(uploadFromActions.calledOnceWith(sinon.match.string, sinon.match.string, category, sinon.match.any), `Actual args were: ${uploadFromActions.args}`);
+        t.true(waitForProcessing.calledOnceWith(sinon.match.any, "42", sinon.match.any, {
+            isUnsuccessfulExecution: true,
+        }));
+    }
+    else {
+        t.true(diagnosticsExportStub.notCalled);
+        t.true(uploadFromActions.notCalled);
+        t.true(waitForProcessing.notCalled);
+    }
+    return result;
+}
 //# sourceMappingURL=init-action-post-helper.test.js.map
@@ -25,17 +25,37 @@ var __importStar = (this && this.__importStar) || function (mod) {
 };
 Object.defineProperty(exports, "__esModule", { value: true });
 const core = __importStar(require("@actions/core"));
-const actionsUtil = __importStar(require("./actions-util"));
+const actions_util_1 = require("./actions-util");
+const api_client_1 = require("./api-client");
 const debugArtifacts = __importStar(require("./debug-artifacts"));
+const feature_flags_1 = require("./feature-flags");
 const initActionPostHelper = __importStar(require("./init-action-post-helper"));
+const logging_1 = require("./logging");
+const repository_1 = require("./repository");
+const util_1 = require("./util");
 async function runWrapper() {
+    const startedAt = new Date();
+    let uploadFailedSarifResult;
    try {
-        await initActionPostHelper.run(debugArtifacts.uploadDatabaseBundleDebugArtifact, debugArtifacts.uploadLogsDebugArtifact, actionsUtil.printDebugLogs);
+        const logger = (0, logging_1.getActionsLogger)();
+        const gitHubVersion = await (0, api_client_1.getGitHubVersion)();
+        (0, util_1.checkGitHubVersionInRange)(gitHubVersion, logger);
+        const repositoryNwo = (0, repository_1.parseRepositoryNwo)((0, util_1.getRequiredEnvParam)("GITHUB_REPOSITORY"));
+        const features = new feature_flags_1.Features(gitHubVersion, repositoryNwo, (0, actions_util_1.getTemporaryDirectory)(), logger);
+        uploadFailedSarifResult = await initActionPostHelper.run(debugArtifacts.uploadDatabaseBundleDebugArtifact, debugArtifacts.uploadLogsDebugArtifact, actions_util_1.printDebugLogs, repositoryNwo, features, logger);
    }
-    catch (error) {
-        core.setFailed(`init post-action step failed: ${error}`);
-        console.log(error);
+    catch (e) {
+        core.setFailed(e instanceof Error ? e.message : String(e));
+        console.log(e);
+        await (0, actions_util_1.sendStatusReport)(await (0, actions_util_1.createStatusReportBase)("init-post", (0, actions_util_1.getActionsStatus)(e), startedAt, String(e), e instanceof Error ? e.stack : undefined));
+        return;
    }
+    const statusReportBase = await (0, actions_util_1.createStatusReportBase)("init-post", "success", startedAt);
+    const statusReport = {
+        ...statusReportBase,
+        ...uploadFailedSarifResult,
+    };
+    await (0, actions_util_1.sendStatusReport)(statusReport);
 }
 void runWrapper();
 //# sourceMappingURL=init-action-post.js.map
@@ -1 +1 @@
-{"version":3,"file":"init-action-post.js","sourceRoot":"","sources":["../src/init-action-post.ts"],"names":[],"mappings":";AAAA;;;;GAIG;;;;;;;;;;;;;;;;;;;;;AAEH,oDAAsC;AAEtC,4DAA8C;AAC9C,kEAAoD;AACpD,gFAAkE;AAElE,KAAK,UAAU,UAAU;IACvB,IAAI;QACF,MAAM,oBAAoB,CAAC,GAAG,CAC5B,cAAc,CAAC,iCAAiC,EAChD,cAAc,CAAC,uBAAuB,EACtC,WAAW,CAAC,cAAc,CAC3B,CAAC;KACH;IAAC,OAAO,KAAK,EAAE;QACd,IAAI,CAAC,SAAS,CAAC,iCAAiC,KAAK,EAAE,CAAC,CAAC;QACzD,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;KACpB;AACH,CAAC;AAED,KAAK,UAAU,EAAE,CAAC"}
+{"version":3,"file":"init-action-post.js","sourceRoot":"","sources":["../src/init-action-post.ts"],"names":[],"mappings":";AAAA;;;;GAIG;;;;;;;;;;;;;;;;;;;;;AAEH,oDAAsC;AAEtC,iDAOwB;AACxB,6CAAgD;AAChD,kEAAoD;AACpD,mDAA2C;AAC3C,gFAAkE;AAClE,uCAA6C;AAC7C,6CAAkD;AAClD,iCAAwE;AAMxE,KAAK,UAAU,UAAU;IACvB,MAAM,SAAS,GAAG,IAAI,IAAI,EAAE,CAAC;IAC7B,IAAI,uBAES,CAAC;IACd,IAAI;QACF,MAAM,MAAM,GAAG,IAAA,0BAAgB,GAAE,CAAC;QAClC,MAAM,aAAa,GAAG,MAAM,IAAA,6BAAgB,GAAE,CAAC;QAC/C,IAAA,gCAAyB,EAAC,aAAa,EAAE,MAAM,CAAC,CAAC;QAEjD,MAAM,aAAa,GAAG,IAAA,+BAAkB,EACtC,IAAA,0BAAmB,EAAC,mBAAmB,CAAC,CACzC,CAAC;QACF,MAAM,QAAQ,GAAG,IAAI,wBAAQ,CAC3B,aAAa,EACb,aAAa,EACb,IAAA,oCAAqB,GAAE,EACvB,MAAM,CACP,CAAC;QAEF,uBAAuB,GAAG,MAAM,oBAAoB,CAAC,GAAG,CACtD,cAAc,CAAC,iCAAiC,EAChD,cAAc,CAAC,uBAAuB,EACtC,6BAAc,EACd,aAAa,EACb,QAAQ,EACR,MAAM,CACP,CAAC;KACH;IAAC,OAAO,CAAC,EAAE;QACV,IAAI,CAAC,SAAS,CAAC,CAAC,YAAY,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC;QAE3D,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;QACf,MAAM,IAAA,+BAAgB,EACpB,MAAM,IAAA,qCAAsB,EAC1B,WAAW,EACX,IAAA,+BAAgB,EAAC,CAAC,CAAC,EACnB,SAAS,EACT,MAAM,CAAC,CAAC,CAAC,EACT,CAAC,YAAY,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,SAAS,CACzC,CACF,CAAC;QACF,OAAO;KACR;IACD,MAAM,gBAAgB,GAAG,MAAM,IAAA,qCAAsB,EACnD,WAAW,EACX,SAAS,EACT,SAAS,CACV,CAAC;IACF,MAAM,YAAY,GAAyB;QACzC,GAAG,gBAAgB;QACnB,GAAG,uBAAuB;KAC3B,CAAC;IACF,MAAM,IAAA,+BAAgB,EAAC,YAAY,CAAC,CAAC;AACvC,CAAC;AAED,KAAK,UAAU,EAAE,CAAC"}
@@ -95,7 +95,8 @@ async function run() {
        if (!(await (0, actions_util_1.sendStatusReport)(await (0, actions_util_1.createStatusReportBase)("init", "starting", startedAt, workflowErrors)))) {
            return;
        }
-        const initCodeQLResult = await (0, init_1.initCodeQL)((0, actions_util_1.getOptionalInput)("tools"), apiDetails, (0, actions_util_1.getTemporaryDirectory)(), gitHubVersion.type, await (0, util_1.shouldBypassToolcache)(features, (0, actions_util_1.getOptionalInput)("tools"), (0, actions_util_1.getOptionalInput)("languages"), repositoryNwo, logger), logger);
+        const defaultCliVersion = await features.getDefaultCliVersion(gitHubVersion.type);
+        const initCodeQLResult = await (0, init_1.initCodeQL)((0, actions_util_1.getOptionalInput)("tools"), apiDetails, (0, actions_util_1.getTemporaryDirectory)(), gitHubVersion.type, await (0, util_1.shouldBypassToolcache)(features, (0, actions_util_1.getOptionalInput)("tools"), (0, actions_util_1.getOptionalInput)("languages"), repositoryNwo, logger), defaultCliVersion, logger);
        codeql = initCodeQLResult.codeql;
        toolsVersion = initCodeQLResult.toolsVersion;
        await (0, util_1.enrichEnvironment)(codeql);
@@ -30,9 +30,9 @@ const configUtils = __importStar(require("./config-utils"));
 const tracer_config_1 = require("./tracer-config");
 const util = __importStar(require("./util"));
 const util_1 = require("./util");
-async function initCodeQL(codeqlURL, apiDetails, tempDir, variant, bypassToolcache, logger) {
+async function initCodeQL(toolsInput, apiDetails, tempDir, variant, bypassToolcache, defaultCliVersion, logger) {
    logger.startGroup("Setup CodeQL tools");
-    const { codeql, toolsVersion } = await (0, codeql_1.setupCodeQL)(codeqlURL, apiDetails, tempDir, variant, bypassToolcache, logger, true);
+    const { codeql, toolsVersion } = await (0, codeql_1.setupCodeQL)(toolsInput, apiDetails, tempDir, variant, bypassToolcache, defaultCliVersion, logger, true);
    await codeql.printVersion();
    logger.endGroup();
    return { codeql, toolsVersion };
@@ -1 +1 @@
-{"version":3,"file":"init.js","sourceRoot":"","sources":["../src/init.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;AAAA,uCAAyB;AACzB,2CAA6B;AAE7B,yEAA2D;AAC3D,kEAAoD;AAEpD,gEAAkD;AAElD,qCAA2E;AAC3E,4DAA8C;AAI9C,mDAAwE;AACxE,6CAA+B;AAC/B,iCAA4C;AAErC,KAAK,UAAU,UAAU,CAC9B,SAA6B,EAC7B,UAA4B,EAC5B,OAAe,EACf,OAA2B,EAC3B,eAAwB,EACxB,MAAc;IAEd,MAAM,CAAC,UAAU,CAAC,oBAAoB,CAAC,CAAC;IACxC,MAAM,EAAE,MAAM,EAAE,YAAY,EAAE,GAAG,MAAM,IAAA,oBAAW,EAChD,SAAS,EACT,UAAU,EACV,OAAO,EACP,OAAO,EACP,eAAe,EACf,MAAM,EACN,IAAI,CACL,CAAC;IACF,MAAM,MAAM,CAAC,YAAY,EAAE,CAAC;IAC5B,MAAM,CAAC,QAAQ,EAAE,CAAC;IAClB,OAAO,EAAE,MAAM,EAAE,YAAY,EAAE,CAAC;AAClC,CAAC;AArBD,gCAqBC;AAEM,KAAK,UAAU,UAAU,CAC9B,cAAkC,EAClC,YAAgC,EAChC,UAA8B,EAC9B,eAAmC,EACnC,UAA8B,EAC9B,UAA8B,EAC9B,kBAA2B,EAC3B,SAAkB,EAClB,iBAAyB,EACzB,iBAAyB,EACzB,UAAyB,EACzB,OAAe,EACf,MAAc,EACd,aAAqB,EACrB,aAAiC,EACjC,UAAoC,EACpC,iBAAoC,EACpC,MAAc;IAEd,MAAM,CAAC,UAAU,CAAC,6BAA6B,CAAC,CAAC;IACjD,MAAM,MAAM,GAAG,MAAM,WAAW,CAAC,UAAU,CACzC,cAAc,EACd,YAAY,EACZ,UAAU,EACV,eAAe,EACf,UAAU,EACV,UAAU,EACV,kBAAkB,EAClB,SAAS,EACT,iBAAiB,EACjB,iBAAiB,EACjB,UAAU,EACV,OAAO,EACP,MAAM,EACN,aAAa,EACb,aAAa,EACb,UAAU,EACV,iBAAiB,EACjB,MAAM,CACP,CAAC;IACF,aAAa,CAAC,uBAAuB,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACtD,MAAM,CAAC,QAAQ,EAAE,CAAC;IAClB,OAAO,MAAM,CAAC;AAChB,CAAC;AA5CD,gCA4CC;AAEM,KAAK,UAAU,OAAO,CAC3B,MAAc,EACd,MAA0B,EAC1B,UAAkB,EAClB,WAA+B,EAC/B,iBAAoC,EACpC,MAAc;IAEd,EAAE,CAAC,SAAS,CAAC,MAAM,CAAC,UAAU,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IAErD,IAAI;QACF,IAAI,MAAM,IAAA,yBAAkB,EAAC,MAAM,EAAE,mCAA0B,CAAC,EAAE;YAChE,0BAA0B;YAC1B,MAAM,MAAM,CAAC,mBAAmB,CAC9B,MAAM,EACN,UAAU,EACV,WAAW,EACX,iBAAiB,EACjB,MAAM,CACP,CAAC;SACH;aAAM;YACL,KAAK,MAAM,QAAQ,IAAI,MAAM,CAAC,SAAS,EAAE;gBACvC,yBAAyB;gBACzB,MAAM,MAAM,CAAC,YAAY,CACvB,IAAI,CAAC,qBAAqB,CAAC,MAAM,EAAE,QAAQ,CAAC,EAC5C,QAAQ,EACR,UAAU,CACX,CAAC;aACH;SACF;KACF;IAAC,OAAO,CAAC,EAAE;QACV,MAAM,YAAY,CAAC,CAAC,CAAC,CAAC;KACvB;IACD,OAAO,MAAM,IAAA,uCAAuB,EAAC,MAAM,EAAE,MAAM,CAAC,CAAC;AACvD,CAAC;AAlCD,0BAkCC;AAED;;;;;;;;GAQG;AACH,SAAS,YAAY,CAAC,CAAM;;IAC1B,IAAI,CAAC,CAAC,CAAC,YAAY,KAAK,CAAC,EAAE;QACzB,OAAO,CAAC,CAAC;KACV;IAED;IACE,2BAA2B;IAC3B,CAAA,MAAA,CAAC,CAAC,OAAO,0CAAE,QAAQ,CAAC,8BAA8B,CAAC;SACnD,MAAA,CAAC,CAAC,OAAO,0CAAE,QAAQ,CAAC,uCAAuC,CAAC,CAAA,EAC5D;QACA,OAAO,IAAI,IAAI,CAAC,SAAS,CACvB,sDAAsD,CAAC,CAAC,OAAO,EAAE,CAClE,CAAC;KACH;IAED;IACE,+EAA+E;IAC/E,CAAA,MAAA,CAAC,CAAC,OAAO,0CAAE,QAAQ,CAAC,wCAAwC,CAAC;;QAC7D,gEAAgE;QAChE,MAAA,CAAC,CAAC,OAAO,0CAAE,QAAQ,CAAC,qBAAqB,CAAC,CAAA,EAC1C;QACA,OAAO,IAAI,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC;KACtC;IAED,OAAO,CAAC,CAAC;AACX,CAAC;AAED,sEAAsE;AACtE,4EAA4E;AAC5E,4EAA4E;AAC5E,6EAA6E;AAC7E,+CAA+C;AACxC,KAAK,UAAU,mBAAmB,CACvC,WAA+B,EAC/B,YAAgC,EAChC,MAA0B,EAC1B,MAAc,EACd,YAA0B;IAE1B,IAAI,MAAc,CAAC;IACnB,IAAI,WAAW,KAAK,SAAS,EAAE;QAC7B,MAAM,GAAG;;;;;;;;;;;;uCAY0B,WAAW;;8BAEpB,WAAW;;;;;;;;gDAQO,CAAC;KAC9C;SAAM;QACL,oEAAoE;QACpE,mFAAmF;QACnF,+EAA+E;QAC/E,kFAAkF;QAClF,6EAA6E;QAC7E,oFAAoF;QACpF,6CAA6C;QAC7C,YAAY,GAAG,YAAY,IAAI,CAAC,CAAC;QACjC,MAAM,GAAG;;;;;;;;4BAQe,YAAY;;;;;;;;;;;;;;;;;;;;;gDAqBQ,CAAC;KAC9C;IAED,MAAM,gBAAgB,GAAG,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,mBAAmB,CAAC,CAAC;IACxE,EAAE,CAAC,aAAa,CAAC,gBAAgB,EAAE,MAAM,CAAC,CAAC;IAE3C,MAAM,IAAI,UAAU,CAAC,UAAU,CAC7B,MAAM,SAAS,CAAC,SAAS,CAAC,YAAY,CAAC,EACvC;QACE,kBAAkB;QAClB,QAAQ;QACR,OAAO;QACP,gBAAgB;QAChB,IAAI,CAAC,OAAO,CACV,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC,EAC9B,OAAO,EACP,OAAO,EACP,YAAY,CACb;KACF,EACD,EAAE,GAAG,EAAE,EAAE,0BAA0B,EAAE,YAAY,CAAC,IAAI,EAAE,EAAE,CAC3D,CAAC,IAAI,EAAE,CAAC;AACX,CAAC;AA5FD,kDA4FC;AAEM,KAAK,UAAU,iBAAiB,CAAC,MAAc,EAAE,MAAc;IACpE,MAAM,CAAC,UAAU,CAAC,2BAA2B,CAAC,CAAC;IAE/C,MAAM,aAAa,GAAG,IAAI,CAAC,OAAO,CAAC,SAAS,EAAE,iBAAiB,CAAC,CAAC;IAEjE,IAAI;QACF,IAAI,OAAO,CAAC,QAAQ,KAAK,OAAO,EAAE;YAChC,MAAM,IAAI,UAAU,CAAC,UAAU,CAAC,MAAM,SAAS,CAAC,SAAS,CAAC,YAAY,CAAC,EAAE;gBACvE,IAAI,CAAC,IAAI,CAAC,aAAa,EAAE,mBAAmB,CAAC;aAC9C,CAAC,CAAC,IAAI,EAAE,CAAC;SACX;aAAM;YACL,MAAM,IAAI,UAAU,CAAC,UAAU,CAC7B,IAAI,CAAC,IAAI,CAAC,aAAa,EAAE,kBAAkB,CAAC,CAC7C,CAAC,IAAI,EAAE,CAAC;SACV;QACD,MAAM,MAAM,GAAG,0BAA0B,CAAC;QAC1C,IAAI,OAAO,CAAC,QAAQ,KAAK,OAAO,EAAE;YAChC,MAAM,IAAI,UAAU,CAAC,UAAU,CAAC,MAAM,SAAS,CAAC,SAAS,CAAC,IAAI,CAAC,EAAE;gBAC/D,IAAI;gBACJ,IAAI;gBACJ,IAAI,CAAC,IAAI,CAAC,aAAa,EAAE,MAAM,CAAC;gBAChC,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;aAC/B,CAAC,CAAC,IAAI,EAAE,CAAC;SACX;aAAM;YACL,MAAM,IAAI,UAAU,CAAC,UAAU,CAAC,MAAM,SAAS,CAAC,SAAS,CAAC,SAAS,CAAC,EAAE;gBACpE,IAAI;gBACJ,IAAI,CAAC,IAAI,CAAC,aAAa,EAAE,MAAM,CAAC;gBAChC,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;aAC/B,CAAC,CAAC,IAAI,EAAE,CAAC;SACX;KACF;IAAC,OAAO,CAAC,EAAE;QACV,MAAM,CAAC,QAAQ,EAAE,CAAC;QAClB,MAAM,CAAC,OAAO,CACZ,gFAAgF,CAAC,IAAI;YACnF,qGAAqG;YACrG,oGAAoG;YACpG,iDAAiD,CACpD,CAAC;QACF,OAAO;KACR;IACD,MAAM,CAAC,QAAQ,EAAE,CAAC;AACpB,CAAC;AAzCD,8CAyCC"}
+{"version":3,"file":"init.js","sourceRoot":"","sources":["../src/init.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;AAAA,uCAAyB;AACzB,2CAA6B;AAE7B,yEAA2D;AAC3D,kEAAoD;AAEpD,gEAAkD;AAElD,qCAA2E;AAC3E,4DAA8C;AAI9C,mDAAwE;AACxE,6CAA+B;AAC/B,iCAA4C;AAErC,KAAK,UAAU,UAAU,CAC9B,UAA8B,EAC9B,UAA4B,EAC5B,OAAe,EACf,OAA2B,EAC3B,eAAwB,EACxB,iBAA2C,EAC3C,MAAc;IAEd,MAAM,CAAC,UAAU,CAAC,oBAAoB,CAAC,CAAC;IACxC,MAAM,EAAE,MAAM,EAAE,YAAY,EAAE,GAAG,MAAM,IAAA,oBAAW,EAChD,UAAU,EACV,UAAU,EACV,OAAO,EACP,OAAO,EACP,eAAe,EACf,iBAAiB,EACjB,MAAM,EACN,IAAI,CACL,CAAC;IACF,MAAM,MAAM,CAAC,YAAY,EAAE,CAAC;IAC5B,MAAM,CAAC,QAAQ,EAAE,CAAC;IAClB,OAAO,EAAE,MAAM,EAAE,YAAY,EAAE,CAAC;AAClC,CAAC;AAvBD,gCAuBC;AAEM,KAAK,UAAU,UAAU,CAC9B,cAAkC,EAClC,YAAgC,EAChC,UAA8B,EAC9B,eAAmC,EACnC,UAA8B,EAC9B,UAA8B,EAC9B,kBAA2B,EAC3B,SAAkB,EAClB,iBAAyB,EACzB,iBAAyB,EACzB,UAAyB,EACzB,OAAe,EACf,MAAc,EACd,aAAqB,EACrB,aAAiC,EACjC,UAAoC,EACpC,iBAAoC,EACpC,MAAc;IAEd,MAAM,CAAC,UAAU,CAAC,6BAA6B,CAAC,CAAC;IACjD,MAAM,MAAM,GAAG,MAAM,WAAW,CAAC,UAAU,CACzC,cAAc,EACd,YAAY,EACZ,UAAU,EACV,eAAe,EACf,UAAU,EACV,UAAU,EACV,kBAAkB,EAClB,SAAS,EACT,iBAAiB,EACjB,iBAAiB,EACjB,UAAU,EACV,OAAO,EACP,MAAM,EACN,aAAa,EACb,aAAa,EACb,UAAU,EACV,iBAAiB,EACjB,MAAM,CACP,CAAC;IACF,aAAa,CAAC,uBAAuB,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACtD,MAAM,CAAC,QAAQ,EAAE,CAAC;IAClB,OAAO,MAAM,CAAC;AAChB,CAAC;AA5CD,gCA4CC;AAEM,KAAK,UAAU,OAAO,CAC3B,MAAc,EACd,MAA0B,EAC1B,UAAkB,EAClB,WAA+B,EAC/B,iBAAoC,EACpC,MAAc;IAEd,EAAE,CAAC,SAAS,CAAC,MAAM,CAAC,UAAU,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IAErD,IAAI;QACF,IAAI,MAAM,IAAA,yBAAkB,EAAC,MAAM,EAAE,mCAA0B,CAAC,EAAE;YAChE,0BAA0B;YAC1B,MAAM,MAAM,CAAC,mBAAmB,CAC9B,MAAM,EACN,UAAU,EACV,WAAW,EACX,iBAAiB,EACjB,MAAM,CACP,CAAC;SACH;aAAM;YACL,KAAK,MAAM,QAAQ,IAAI,MAAM,CAAC,SAAS,EAAE;gBACvC,yBAAyB;gBACzB,MAAM,MAAM,CAAC,YAAY,CACvB,IAAI,CAAC,qBAAqB,CAAC,MAAM,EAAE,QAAQ,CAAC,EAC5C,QAAQ,EACR,UAAU,CACX,CAAC;aACH;SACF;KACF;IAAC,OAAO,CAAC,EAAE;QACV,MAAM,YAAY,CAAC,CAAC,CAAC,CAAC;KACvB;IACD,OAAO,MAAM,IAAA,uCAAuB,EAAC,MAAM,EAAE,MAAM,CAAC,CAAC;AACvD,CAAC;AAlCD,0BAkCC;AAED;;;;;;;;GAQG;AACH,SAAS,YAAY,CAAC,CAAM;;IAC1B,IAAI,CAAC,CAAC,CAAC,YAAY,KAAK,CAAC,EAAE;QACzB,OAAO,CAAC,CAAC;KACV;IAED;IACE,2BAA2B;IAC3B,CAAA,MAAA,CAAC,CAAC,OAAO,0CAAE,QAAQ,CAAC,8BAA8B,CAAC;SACnD,MAAA,CAAC,CAAC,OAAO,0CAAE,QAAQ,CAAC,uCAAuC,CAAC,CAAA,EAC5D;QACA,OAAO,IAAI,IAAI,CAAC,SAAS,CACvB,sDAAsD,CAAC,CAAC,OAAO,EAAE,CAClE,CAAC;KACH;IAED;IACE,+EAA+E;IAC/E,CAAA,MAAA,CAAC,CAAC,OAAO,0CAAE,QAAQ,CAAC,wCAAwC,CAAC;;QAC7D,gEAAgE;QAChE,MAAA,CAAC,CAAC,OAAO,0CAAE,QAAQ,CAAC,qBAAqB,CAAC,CAAA,EAC1C;QACA,OAAO,IAAI,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC;KACtC;IAED,OAAO,CAAC,CAAC;AACX,CAAC;AAED,sEAAsE;AACtE,4EAA4E;AAC5E,4EAA4E;AAC5E,6EAA6E;AAC7E,+CAA+C;AACxC,KAAK,UAAU,mBAAmB,CACvC,WAA+B,EAC/B,YAAgC,EAChC,MAA0B,EAC1B,MAAc,EACd,YAA0B;IAE1B,IAAI,MAAc,CAAC;IACnB,IAAI,WAAW,KAAK,SAAS,EAAE;QAC7B,MAAM,GAAG;;;;;;;;;;;;uCAY0B,WAAW;;8BAEpB,WAAW;;;;;;;;gDAQO,CAAC;KAC9C;SAAM;QACL,oEAAoE;QACpE,mFAAmF;QACnF,+EAA+E;QAC/E,kFAAkF;QAClF,6EAA6E;QAC7E,oFAAoF;QACpF,6CAA6C;QAC7C,YAAY,GAAG,YAAY,IAAI,CAAC,CAAC;QACjC,MAAM,GAAG;;;;;;;;4BAQe,YAAY;;;;;;;;;;;;;;;;;;;;;gDAqBQ,CAAC;KAC9C;IAED,MAAM,gBAAgB,GAAG,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,mBAAmB,CAAC,CAAC;IACxE,EAAE,CAAC,aAAa,CAAC,gBAAgB,EAAE,MAAM,CAAC,CAAC;IAE3C,MAAM,IAAI,UAAU,CAAC,UAAU,CAC7B,MAAM,SAAS,CAAC,SAAS,CAAC,YAAY,CAAC,EACvC;QACE,kBAAkB;QAClB,QAAQ;QACR,OAAO;QACP,gBAAgB;QAChB,IAAI,CAAC,OAAO,CACV,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC,EAC9B,OAAO,EACP,OAAO,EACP,YAAY,CACb;KACF,EACD,EAAE,GAAG,EAAE,EAAE,0BAA0B,EAAE,YAAY,CAAC,IAAI,EAAE,EAAE,CAC3D,CAAC,IAAI,EAAE,CAAC;AACX,CAAC;AA5FD,kDA4FC;AAEM,KAAK,UAAU,iBAAiB,CAAC,MAAc,EAAE,MAAc;IACpE,MAAM,CAAC,UAAU,CAAC,2BAA2B,CAAC,CAAC;IAE/C,MAAM,aAAa,GAAG,IAAI,CAAC,OAAO,CAAC,SAAS,EAAE,iBAAiB,CAAC,CAAC;IAEjE,IAAI;QACF,IAAI,OAAO,CAAC,QAAQ,KAAK,OAAO,EAAE;YAChC,MAAM,IAAI,UAAU,CAAC,UAAU,CAAC,MAAM,SAAS,CAAC,SAAS,CAAC,YAAY,CAAC,EAAE;gBACvE,IAAI,CAAC,IAAI,CAAC,aAAa,EAAE,mBAAmB,CAAC;aAC9C,CAAC,CAAC,IAAI,EAAE,CAAC;SACX;aAAM;YACL,MAAM,IAAI,UAAU,CAAC,UAAU,CAC7B,IAAI,CAAC,IAAI,CAAC,aAAa,EAAE,kBAAkB,CAAC,CAC7C,CAAC,IAAI,EAAE,CAAC;SACV;QACD,MAAM,MAAM,GAAG,0BAA0B,CAAC;QAC1C,IAAI,OAAO,CAAC,QAAQ,KAAK,OAAO,EAAE;YAChC,MAAM,IAAI,UAAU,CAAC,UAAU,CAAC,MAAM,SAAS,CAAC,SAAS,CAAC,IAAI,CAAC,EAAE;gBAC/D,IAAI;gBACJ,IAAI;gBACJ,IAAI,CAAC,IAAI,CAAC,aAAa,EAAE,MAAM,CAAC;gBAChC,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;aAC/B,CAAC,CAAC,IAAI,EAAE,CAAC;SACX;aAAM;YACL,MAAM,IAAI,UAAU,CAAC,UAAU,CAAC,MAAM,SAAS,CAAC,SAAS,CAAC,SAAS,CAAC,EAAE;gBACpE,IAAI;gBACJ,IAAI,CAAC,IAAI,CAAC,aAAa,EAAE,MAAM,CAAC;gBAChC,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;aAC/B,CAAC,CAAC,IAAI,EAAE,CAAC;SACX;KACF;IAAC,OAAO,CAAC,EAAE;QACV,MAAM,CAAC,QAAQ,EAAE,CAAC;QAClB,MAAM,CAAC,OAAO,CACZ,gFAAgF,CAAC,IAAI;YACnF,qGAAqG;YACrG,oGAAoG;YACpG,iDAAiD,CACpD,CAAC;QACF,OAAO;KACR;IACD,MAAM,CAAC,QAAQ,EAAE,CAAC;AACpB,CAAC;AAzCD,8CAyCC"}
@@ -0,0 +1,382 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    Object.defineProperty(o, k2, { enumerable: true, get: function() { return m[k]; } });
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || function (mod) {
+    if (mod && mod.__esModule) return mod;
+    var result = {};
+    if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
+    __setModuleDefault(result, mod);
+    return result;
+};
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.setupCodeQLBundle = exports.getCodeQLURLVersion = exports.downloadCodeQL = exports.getCodeQLSource = exports.convertToSemVer = exports.getBundleTagNameFromUrl = exports.findCodeQLBundleTagDotcomOnly = exports.getCodeQLActionRepository = exports.CODEQL_DEFAULT_ACTION_REPOSITORY = void 0;
+const fs = __importStar(require("fs"));
+const path = __importStar(require("path"));
+const toolcache = __importStar(require("@actions/tool-cache"));
+const fast_deep_equal_1 = __importDefault(require("fast-deep-equal"));
+const semver = __importStar(require("semver"));
+const uuid_1 = require("uuid");
+const actions_util_1 = require("./actions-util");
+const api = __importStar(require("./api-client"));
+const defaults = __importStar(require("./defaults.json")); // Referenced from codeql-action-sync-tool!
+const util = __importStar(require("./util"));
+const util_1 = require("./util");
+exports.CODEQL_DEFAULT_ACTION_REPOSITORY = "github/codeql-action";
+function getCodeQLBundleName() {
+    let platform;
+    if (process.platform === "win32") {
+        platform = "win64";
+    }
+    else if (process.platform === "linux") {
+        platform = "linux64";
+    }
+    else if (process.platform === "darwin") {
+        platform = "osx64";
+    }
+    else {
+        return "codeql-bundle.tar.gz";
+    }
+    return `codeql-bundle-${platform}.tar.gz`;
+}
+function getCodeQLActionRepository(logger) {
+    if ((0, actions_util_1.isRunningLocalAction)()) {
+        // This handles the case where the Action does not come from an Action repository,
+        // e.g. our integration tests which use the Action code from the current checkout.
+        // In these cases, the GITHUB_ACTION_REPOSITORY environment variable is not set.
+        logger.info("The CodeQL Action is checked out locally. Using the default CodeQL Action repository.");
+        return exports.CODEQL_DEFAULT_ACTION_REPOSITORY;
+    }
+    return util.getRequiredEnvParam("GITHUB_ACTION_REPOSITORY");
+}
+exports.getCodeQLActionRepository = getCodeQLActionRepository;
+async function findCodeQLBundleTagDotcomOnly(cliVersion, logger) {
+    logger.debug(`Trying to find the CodeQL bundle release for CLI version ${cliVersion}.`);
+    const apiClient = api.getApiClient();
+    const codeQLActionRepository = getCodeQLActionRepository(logger);
+    const releases = await apiClient.paginate(apiClient.repos.listReleases, {
+        owner: codeQLActionRepository.split("/")[0],
+        repo: codeQLActionRepository.split("/")[1],
+    });
+    logger.debug(`Found ${releases.length} releases.`);
+    for (const release of releases) {
+        const cliVersionFileVersions = release.assets
+            .map((asset) => { var _a; return (_a = asset.name.match(/cli-version-(.*)\.txt/)) === null || _a === void 0 ? void 0 : _a[1]; })
+            .filter((v) => v)
+            .map((v) => v);
+        if (cliVersionFileVersions.length === 0) {
+            logger.debug(`Ignoring release ${release.tag_name} with no CLI version marker file.`);
+            continue;
+        }
+        if (cliVersionFileVersions.length > 1) {
+            logger.warning(`Ignoring release ${release.tag_name} with multiple CLI version marker files.`);
+            continue;
+        }
+        if (cliVersionFileVersions[0] === cliVersion) {
+            return release.tag_name;
+        }
+    }
+    throw new Error(`Failed to find a CodeQL bundle release for CLI version ${cliVersion}.`);
+}
+exports.findCodeQLBundleTagDotcomOnly = findCodeQLBundleTagDotcomOnly;
+async function getCodeQLBundleDownloadURL(tagName, apiDetails, variant, logger) {
+    const codeQLActionRepository = getCodeQLActionRepository(logger);
+    const potentialDownloadSources = [
+        // This GitHub instance, and this Action.
+        [apiDetails.url, codeQLActionRepository],
+        // This GitHub instance, and the canonical Action.
+        [apiDetails.url, exports.CODEQL_DEFAULT_ACTION_REPOSITORY],
+        // GitHub.com, and the canonical Action.
+        [util.GITHUB_DOTCOM_URL, exports.CODEQL_DEFAULT_ACTION_REPOSITORY],
+    ];
+    // We now filter out any duplicates.
+    // Duplicates will happen either because the GitHub instance is GitHub.com, or because the Action is not a fork.
+    const uniqueDownloadSources = potentialDownloadSources.filter((source, index, self) => {
+        return !self.slice(0, index).some((other) => (0, fast_deep_equal_1.default)(source, other));
+    });
+    const codeQLBundleName = getCodeQLBundleName();
+    if (variant === util.GitHubVariant.GHAE) {
+        try {
+            const release = await api
+                .getApiClient()
+                .request("GET /enterprise/code-scanning/codeql-bundle/find/{tag}", {
+                tag: tagName,
+            });
+            const assetID = release.data.assets[codeQLBundleName];
+            if (assetID !== undefined) {
+                const download = await api
+                    .getApiClient()
+                    .request("GET /enterprise/code-scanning/codeql-bundle/download/{asset_id}", { asset_id: assetID });
+                const downloadURL = download.data.url;
+                logger.info(`Found CodeQL bundle at GitHub AE endpoint with URL ${downloadURL}.`);
+                return downloadURL;
+            }
+            else {
+                logger.info(`Attempted to fetch bundle from GitHub AE endpoint but the bundle ${codeQLBundleName} was not found in the assets ${JSON.stringify(release.data.assets)}.`);
+            }
+        }
+        catch (e) {
+            logger.info(`Attempted to fetch bundle from GitHub AE endpoint but got error ${e}.`);
+        }
+    }
+    for (const downloadSource of uniqueDownloadSources) {
+        const [apiURL, repository] = downloadSource;
+        // If we've reached the final case, short-circuit the API check since we know the bundle exists and is public.
+        if (apiURL === util.GITHUB_DOTCOM_URL &&
+            repository === exports.CODEQL_DEFAULT_ACTION_REPOSITORY) {
+            break;
+        }
+        const [repositoryOwner, repositoryName] = repository.split("/");
+        try {
+            const release = await api.getApiClient().repos.getReleaseByTag({
+                owner: repositoryOwner,
+                repo: repositoryName,
+                tag: tagName,
+            });
+            for (const asset of release.data.assets) {
+                if (asset.name === codeQLBundleName) {
+                    logger.info(`Found CodeQL bundle in ${downloadSource[1]} on ${downloadSource[0]} with URL ${asset.url}.`);
+                    return asset.url;
+                }
+            }
+        }
+        catch (e) {
+            logger.info(`Looked for CodeQL bundle in ${downloadSource[1]} on ${downloadSource[0]} but got error ${e}.`);
+        }
+    }
+    return `https://github.com/${exports.CODEQL_DEFAULT_ACTION_REPOSITORY}/releases/download/${tagName}/${codeQLBundleName}`;
+}
+function getBundleTagNameFromUrl(url) {
+    const match = url.match(/\/codeql-bundle-(.*)\//);
+    if (match === null || match.length < 2) {
+        throw new Error(`Malformed tools url: ${url}. Tag name could not be inferred`);
+    }
+    return match[1];
+}
+exports.getBundleTagNameFromUrl = getBundleTagNameFromUrl;
+function convertToSemVer(version, logger) {
+    if (!semver.valid(version)) {
+        logger.debug(`Bundle version ${version} is not in SemVer format. Will treat it as pre-release 0.0.0-${version}.`);
+        version = `0.0.0-${version}`;
+    }
+    const s = semver.clean(version);
+    if (!s) {
+        throw new Error(`Bundle version ${version} is not in SemVer format.`);
+    }
+    return s;
+}
+exports.convertToSemVer = convertToSemVer;
+async function getOrFindBundleTagName(version, logger) {
+    if (version.variant === util.GitHubVariant.DOTCOM) {
+        return await findCodeQLBundleTagDotcomOnly(version.cliVersion, logger);
+    }
+    else {
+        return version.tagName;
+    }
+}
+/**
+ * Look for a version of the CodeQL tools in the cache which could override the requested CLI version.
+ */
+async function findOverridingToolsInCache(requestedCliVersion, logger) {
+    const candidates = toolcache
+        .findAllVersions("CodeQL")
+        .filter(util_1.isGoodVersion)
+        .map((version) => ({
+        folder: toolcache.find("CodeQL", version),
+        version,
+    }))
+        .filter(({ folder }) => fs.existsSync(path.join(folder, "pinned-version")));
+    if (candidates.length === 1) {
+        const candidate = candidates[0];
+        logger.debug(`CodeQL tools version ${candidate.version} in toolcache overriding version ${requestedCliVersion}.`);
+        return {
+            codeqlFolder: candidate.folder,
+            sourceType: "toolcache",
+            toolsVersion: candidate.version,
+        };
+    }
+    else if (candidates.length === 0) {
+        logger.debug("Did not find any candidate pinned versions of the CodeQL tools in the toolcache.");
+    }
+    else {
+        logger.debug("Could not use CodeQL tools from the toolcache since more than one candidate pinned " +
+            "version was found in the toolcache.");
+    }
+    return undefined;
+}
+async function getCodeQLSource(toolsInput, bypassToolcache, defaultCliVersion, apiDetails, variant, logger) {
+    if (toolsInput && toolsInput !== "latest" && !toolsInput.startsWith("http")) {
+        return {
+            codeqlTarPath: toolsInput,
+            sourceType: "local",
+            toolsVersion: "local",
+        };
+    }
+    const forceLatestReason = 
+    // We use the special value of 'latest' to prioritize the version in the
+    // defaults over any pinned cached version.
+    toolsInput === "latest"
+        ? '"tools: latest" was requested'
+        : // If the user hasn't requested a particular CodeQL version, then bypass
+            // the toolcache when the appropriate feature is enabled. This
+            // allows us to quickly rollback a broken bundle that has made its way
+            // into the toolcache.
+            toolsInput === undefined && bypassToolcache
+                ? "a specific version of the CodeQL tools was not requested and the bypass toolcache feature is enabled"
+                : undefined;
+    const forceLatest = forceLatestReason !== undefined;
+    if (forceLatest) {
+        logger.debug(`Forcing the latest version of the CodeQL tools since ${forceLatestReason}.`);
+    }
+    /**
+     * The requested version is:
+     *
+     * 1. The one in `defaults.json`, if forceLatest is true.
+     * 2. The version specified by the tools input URL, if one was provided.
+     * 3. The default CLI version, otherwise.
+    
+     * We include a `variant` property to let us verify using the type system that
+     * `tagName` is only undefined when the variant is Dotcom. This lets us ensure
+     * that we can always compute `tagName`, either by using the existing tag name
+     * on enterprise instances, or safely calling `findCodeQLBundleTagDotcomOnly`
+     * on Dotcom.
+     */
+    const requestedVersion = forceLatest
+        ? // case 1
+            {
+                cliVersion: defaults.cliVersion,
+                tagName: defaults.bundleVersion,
+                variant,
+            }
+        : toolsInput !== undefined
+            ? // case 2
+                {
+                    cliVersion: convertToSemVer(getBundleTagNameFromUrl(toolsInput), logger),
+                    tagName: getBundleTagNameFromUrl(toolsInput),
+                    url: toolsInput,
+                    variant,
+                }
+            : // case 3
+                defaultCliVersion;
+    // If we find the specified version, we always use that.
+    let codeqlFolder = toolcache.find("CodeQL", requestedVersion.cliVersion);
+    let tagName = requestedVersion["tagName"];
+    if (!codeqlFolder && !requestedVersion.cliVersion.startsWith("0.0.0")) {
+        // Fall back to accepting a `0.0.0-<tagName>` version if we didn't find the
+        // `x.y.z` version. This is to support old versions of the toolcache.
+        tagName =
+            tagName || (await getOrFindBundleTagName(requestedVersion, logger));
+        const fallbackVersion = convertToSemVer(tagName, logger);
+        logger.debug(`Computed a fallback toolcache version number of ${fallbackVersion} for CodeQL tools version ${requestedVersion.cliVersion}.`);
+        codeqlFolder = toolcache.find("CodeQL", fallbackVersion);
+    }
+    if (codeqlFolder) {
+        return {
+            codeqlFolder,
+            sourceType: "toolcache",
+            toolsVersion: requestedVersion.cliVersion,
+        };
+    }
+    logger.debug(`Did not find CodeQL tools version ${requestedVersion.cliVersion} in the toolcache.`);
+    // If we don't find the requested version on Enterprise, we may allow a
+    // different version to save download time if the version hasn't been
+    // specified explicitly (in which case we always honor it).
+    if (variant !== util.GitHubVariant.DOTCOM && !forceLatest && !toolsInput) {
+        const result = await findOverridingToolsInCache(requestedVersion.cliVersion, logger);
+        if (result !== undefined) {
+            return result;
+        }
+    }
+    return {
+        codeqlURL: requestedVersion["url"] ||
+            (await getCodeQLBundleDownloadURL(tagName || (await getOrFindBundleTagName(requestedVersion, logger)), apiDetails, variant, logger)),
+        semanticVersion: requestedVersion.cliVersion,
+        sourceType: "download",
+        toolsVersion: requestedVersion.cliVersion,
+    };
+}
+exports.getCodeQLSource = getCodeQLSource;
+async function downloadCodeQL(codeqlURL, semanticVersion, apiDetails, tempDir, logger) {
+    const parsedCodeQLURL = new URL(codeqlURL);
+    const searchParams = new URLSearchParams(parsedCodeQLURL.search);
+    const headers = {
+        accept: "application/octet-stream",
+    };
+    // We only want to provide an authorization header if we are downloading
+    // from the same GitHub instance the Action is running on.
+    // This avoids leaking Enterprise tokens to dotcom.
+    // We also don't want to send an authorization header if there's already a token provided in the URL.
+    if (searchParams.has("token")) {
+        logger.debug("CodeQL tools URL contains an authorization token.");
+    }
+    else if (codeqlURL.startsWith(`${apiDetails.url}/`)) {
+        logger.debug("Providing an authorization token to download CodeQL tools.");
+        headers.authorization = `token ${apiDetails.auth}`;
+    }
+    else {
+        logger.debug("Downloading CodeQL tools without an authorization token.");
+    }
+    logger.info(`Downloading CodeQL tools from ${codeqlURL}. This may take a while.`);
+    const dest = path.join(tempDir, (0, uuid_1.v4)());
+    const finalHeaders = Object.assign({ "User-Agent": "CodeQL Action" }, headers);
+    const codeqlPath = await toolcache.downloadTool(codeqlURL, dest, undefined, finalHeaders);
+    logger.debug(`CodeQL bundle download to ${codeqlPath} complete.`);
+    const codeqlExtracted = await toolcache.extractTar(codeqlPath);
+    return await toolcache.cacheDir(codeqlExtracted, "CodeQL", semanticVersion);
+}
+exports.downloadCodeQL = downloadCodeQL;
+function getCodeQLURLVersion(url) {
+    const match = url.match(/\/codeql-bundle-(.*)\//);
+    if (match === null || match.length < 2) {
+        throw new Error(`Malformed tools url: ${url}. Version could not be inferred`);
+    }
+    return match[1];
+}
+exports.getCodeQLURLVersion = getCodeQLURLVersion;
+/**
+ * Obtains the CodeQL bundle, installs it in the toolcache if appropriate, and extracts it.
+ *
+ * @param toolsInput
+ * @param apiDetails
+ * @param tempDir
+ * @param variant
+ * @param bypassToolcache
+ * @param defaultCliVersion
+ * @param logger
+ * @param checkVersion Whether to check that CodeQL CLI meets the minimum
+ *        version requirement. Must be set to true outside tests.
+ * @returns the path to the extracted bundle, and the version of the tools
+ */
+async function setupCodeQLBundle(toolsInput, apiDetails, tempDir, variant, bypassToolcache, defaultCliVersion, logger) {
+    const source = await getCodeQLSource(toolsInput, bypassToolcache, defaultCliVersion, apiDetails, variant, logger);
+    let codeqlFolder;
+    switch (source.sourceType) {
+        case "local":
+            codeqlFolder = await toolcache.extractTar(source.codeqlTarPath);
+            break;
+        case "toolcache":
+            codeqlFolder = source.codeqlFolder;
+            logger.debug(`CodeQL found in cache ${codeqlFolder}`);
+            break;
+        case "download":
+            codeqlFolder = await downloadCodeQL(source.codeqlURL, source.semanticVersion, apiDetails, tempDir, logger);
+            break;
+        default:
+            util.assertNever(source);
+    }
+    return { codeqlFolder, toolsVersion: source.toolsVersion };
+}
+exports.setupCodeQLBundle = setupCodeQLBundle;
+//# sourceMappingURL=setup-codeql.js.map
@@ -0,0 +1,116 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    Object.defineProperty(o, k2, { enumerable: true, get: function() { return m[k]; } });
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || function (mod) {
+    if (mod && mod.__esModule) return mod;
+    var result = {};
+    if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
+    __setModuleDefault(result, mod);
+    return result;
+};
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+const path = __importStar(require("path"));
+const ava_1 = __importDefault(require("ava"));
+const sinon = __importStar(require("sinon"));
+const actionsUtil = __importStar(require("./actions-util"));
+const api = __importStar(require("./api-client"));
+const logging_1 = require("./logging");
+const setupCodeql = __importStar(require("./setup-codeql"));
+const testing_utils_1 = require("./testing-utils");
+const util_1 = require("./util");
+(0, testing_utils_1.setupTests)(ava_1.default);
+ava_1.default.beforeEach(() => {
+    (0, util_1.initializeEnvironment)("1.2.3");
+});
+(0, ava_1.default)("parse codeql bundle url version", (t) => {
+    t.deepEqual(setupCodeql.getCodeQLURLVersion("https://github.com/.../codeql-bundle-20200601/..."), "20200601");
+});
+(0, ava_1.default)("convert to semver", (t) => {
+    const tests = {
+        "20200601": "0.0.0-20200601",
+        "20200601.0": "0.0.0-20200601.0",
+        "20200601.0.0": "20200601.0.0",
+        "1.2.3": "1.2.3",
+        "1.2.3-alpha": "1.2.3-alpha",
+        "1.2.3-beta.1": "1.2.3-beta.1",
+    };
+    for (const [version, expectedVersion] of Object.entries(tests)) {
+        try {
+            const parsedVersion = setupCodeql.convertToSemVer(version, (0, logging_1.getRunnerLogger)(true));
+            t.deepEqual(parsedVersion, expectedVersion);
+        }
+        catch (e) {
+            t.fail(e instanceof Error ? e.message : String(e));
+        }
+    }
+});
+(0, ava_1.default)("getCodeQLActionRepository", (t) => {
+    const logger = (0, logging_1.getRunnerLogger)(true);
+    (0, util_1.initializeEnvironment)("1.2.3");
+    // isRunningLocalAction() === true
+    delete process.env["GITHUB_ACTION_REPOSITORY"];
+    process.env["RUNNER_TEMP"] = path.dirname(__dirname);
+    const repoLocalRunner = setupCodeql.getCodeQLActionRepository(logger);
+    t.deepEqual(repoLocalRunner, "github/codeql-action");
+    // isRunningLocalAction() === false
+    sinon.stub(actionsUtil, "isRunningLocalAction").returns(false);
+    process.env["GITHUB_ACTION_REPOSITORY"] = "xxx/yyy";
+    const repoEnv = setupCodeql.getCodeQLActionRepository(logger);
+    t.deepEqual(repoEnv, "xxx/yyy");
+});
+(0, ava_1.default)("findCodeQLBundleTagDotcomOnly() matches GitHub Release with marker file", async (t) => {
+    // Look for GitHub Releases in github/codeql-action
+    sinon.stub(actionsUtil, "isRunningLocalAction").resolves(true);
+    sinon.stub(api, "getApiClient").value(() => ({
+        repos: {
+            listReleases: sinon.stub().resolves(undefined),
+        },
+        paginate: sinon.stub().resolves([
+            {
+                assets: [
+                    {
+                        name: "cli-version-2.12.0.txt",
+                    },
+                ],
+                tag_name: "codeql-bundle-20230106",
+            },
+        ]),
+    }));
+    t.is(await setupCodeql.findCodeQLBundleTagDotcomOnly("2.12.0", (0, logging_1.getRunnerLogger)(true)), "codeql-bundle-20230106");
+});
+(0, ava_1.default)("findCodeQLBundleTagDotcomOnly() errors if no GitHub Release matches marker file", async (t) => {
+    // Look for GitHub Releases in github/codeql-action
+    sinon.stub(actionsUtil, "isRunningLocalAction").resolves(true);
+    sinon.stub(api, "getApiClient").value(() => ({
+        repos: {
+            listReleases: sinon.stub().resolves(undefined),
+        },
+        paginate: sinon.stub().resolves([
+            {
+                assets: [
+                    {
+                        name: "cli-version-2.12.0.txt",
+                    },
+                ],
+                tag_name: "codeql-bundle-20230106",
+            },
+        ]),
+    }));
+    await t.throwsAsync(async () => await setupCodeql.findCodeQLBundleTagDotcomOnly("2.12.1", (0, logging_1.getRunnerLogger)(true)), {
+        message: "Failed to find a CodeQL bundle release for CLI version 2.12.1.",
+    });
+});
+//# sourceMappingURL=setup-codeql.test.js.map
@@ -0,0 +1 @@
+{"version":3,"file":"setup-codeql.test.js","sourceRoot":"","sources":["../src/setup-codeql.test.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;AAAA,2CAA6B;AAE7B,8CAAuB;AACvB,6CAA+B;AAE/B,4DAA8C;AAC9C,kDAAoC;AACpC,uCAA4C;AAC5C,4DAA8C;AAC9C,mDAA6C;AAC7C,iCAA+C;AAE/C,IAAA,0BAAU,EAAC,aAAI,CAAC,CAAC;AAEjB,aAAI,CAAC,UAAU,CAAC,GAAG,EAAE;IACnB,IAAA,4BAAqB,EAAC,OAAO,CAAC,CAAC;AACjC,CAAC,CAAC,CAAC;AAEH,IAAA,aAAI,EAAC,iCAAiC,EAAE,CAAC,CAAC,EAAE,EAAE;IAC5C,CAAC,CAAC,SAAS,CACT,WAAW,CAAC,mBAAmB,CAC7B,mDAAmD,CACpD,EACD,UAAU,CACX,CAAC;AACJ,CAAC,CAAC,CAAC;AAEH,IAAA,aAAI,EAAC,mBAAmB,EAAE,CAAC,CAAC,EAAE,EAAE;IAC9B,MAAM,KAAK,GAAG;QACZ,UAAU,EAAE,gBAAgB;QAC5B,YAAY,EAAE,kBAAkB;QAChC,cAAc,EAAE,cAAc;QAC9B,OAAO,EAAE,OAAO;QAChB,aAAa,EAAE,aAAa;QAC5B,cAAc,EAAE,cAAc;KAC/B,CAAC;IAEF,KAAK,MAAM,CAAC,OAAO,EAAE,eAAe,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE;QAC9D,IAAI;YACF,MAAM,aAAa,GAAG,WAAW,CAAC,eAAe,CAC/C,OAAO,EACP,IAAA,yBAAe,EAAC,IAAI,CAAC,CACtB,CAAC;YACF,CAAC,CAAC,SAAS,CAAC,aAAa,EAAE,eAAe,CAAC,CAAC;SAC7C;QAAC,OAAO,CAAC,EAAE;YACV,CAAC,CAAC,IAAI,CAAC,CAAC,YAAY,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC;SACpD;KACF;AACH,CAAC,CAAC,CAAC;AAEH,IAAA,aAAI,EAAC,2BAA2B,EAAE,CAAC,CAAC,EAAE,EAAE;IACtC,MAAM,MAAM,GAAG,IAAA,yBAAe,EAAC,IAAI,CAAC,CAAC;IAErC,IAAA,4BAAqB,EAAC,OAAO,CAAC,CAAC;IAE/B,kCAAkC;IAClC,OAAO,OAAO,CAAC,GAAG,CAAC,0BAA0B,CAAC,CAAC;IAC/C,OAAO,CAAC,GAAG,CAAC,aAAa,CAAC,GAAG,IAAI,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;IACrD,MAAM,eAAe,GAAG,WAAW,CAAC,yBAAyB,CAAC,MAAM,CAAC,CAAC;IACtE,CAAC,CAAC,SAAS,CAAC,eAAe,EAAE,sBAAsB,CAAC,CAAC;IAErD,mCAAmC;IACnC,KAAK,CAAC,IAAI,CAAC,WAAW,EAAE,sBAAsB,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC;IAC/D,OAAO,CAAC,GAAG,CAAC,0BAA0B,CAAC,GAAG,SAAS,CAAC;IACpD,MAAM,OAAO,GAAG,WAAW,CAAC,yBAAyB,CAAC,MAAM,CAAC,CAAC;IAC9D,CAAC,CAAC,SAAS,CAAC,OAAO,EAAE,SAAS,CAAC,CAAC;AAClC,CAAC,CAAC,CAAC;AAEH,IAAA,aAAI,EAAC,yEAAyE,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;IAC1F,mDAAmD;IACnD,KAAK,CAAC,IAAI,CAAC,WAAW,EAAE,sBAAsB,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;IAC/D,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,cAAc,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,CAAC;QAC3C,KAAK,EAAE;YACL,YAAY,EAAE,KAAK,CAAC,IAAI,EAAE,CAAC,QAAQ,CAAC,SAAS,CAAC;SAC/C;QACD,QAAQ,EAAE,KAAK,CAAC,IAAI,EAAE,CAAC,QAAQ,CAAC;YAC9B;gBACE,MAAM,EAAE;oBACN;wBACE,IAAI,EAAE,wBAAwB;qBAC/B;iBACF;gBACD,QAAQ,EAAE,wBAAwB;aACnC;SACF,CAAC;KACH,CAAC,CAAC,CAAC;IACJ,CAAC,CAAC,EAAE,CACF,MAAM,WAAW,CAAC,6BAA6B,CAC7C,QAAQ,EACR,IAAA,yBAAe,EAAC,IAAI,CAAC,CACtB,EACD,wBAAwB,CACzB,CAAC;AACJ,CAAC,CAAC,CAAC;AAEH,IAAA,aAAI,EAAC,iFAAiF,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;IAClG,mDAAmD;IACnD,KAAK,CAAC,IAAI,CAAC,WAAW,EAAE,sBAAsB,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;IAC/D,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,cAAc,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,CAAC;QAC3C,KAAK,EAAE;YACL,YAAY,EAAE,KAAK,CAAC,IAAI,EAAE,CAAC,QAAQ,CAAC,SAAS,CAAC;SAC/C;QACD,QAAQ,EAAE,KAAK,CAAC,IAAI,EAAE,CAAC,QAAQ,CAAC;YAC9B;gBACE,MAAM,EAAE;oBACN;wBACE,IAAI,EAAE,wBAAwB;qBAC/B;iBACF;gBACD,QAAQ,EAAE,wBAAwB;aACnC;SACF,CAAC;KACH,CAAC,CAAC,CAAC;IACJ,MAAM,CAAC,CAAC,WAAW,CACjB,KAAK,IAAI,EAAE,CACT,MAAM,WAAW,CAAC,6BAA6B,CAC7C,QAAQ,EACR,IAAA,yBAAe,EAAC,IAAI,CAAC,CACtB,EACH;QACE,OAAO,EAAE,gEAAgE;KAC1E,CACF,CAAC;AACJ,CAAC,CAAC,CAAC"}
@@ -1,14 +1,21 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.CODEQL_ACTION_TEST_MODE = exports.CODEQL_ACTION_TESTING_ENVIRONMENT = exports.CODEQL_WORKFLOW_STARTED_AT = exports.ODASA_TRACER_CONFIGURATION = void 0;
-exports.ODASA_TRACER_CONFIGURATION = "ODASA_TRACER_CONFIGURATION";
-// The time at which the first action (normally init) started executing.
-// If a workflow invokes a different action without first invoking the init
-// action (i.e. the upload action is being used by a third-party integrator)
-// then this variable will be assigned the start time of the action invoked
-// rather that the init action.
-exports.CODEQL_WORKFLOW_STARTED_AT = "CODEQL_WORKFLOW_STARTED_AT";
+exports.ODASA_TRACER_CONFIGURATION = exports.CODEQL_WORKFLOW_STARTED_AT = exports.CODEQL_ACTION_TEST_MODE = exports.CODEQL_ACTION_TESTING_ENVIRONMENT = exports.CODEQL_ACTION_ANALYZE_DID_COMPLETE_SUCCESSFULLY = void 0;
+/**
+ * This environment variable is set to true when the `analyze` Action
+ * completes successfully.
+ */
+exports.CODEQL_ACTION_ANALYZE_DID_COMPLETE_SUCCESSFULLY = "CODEQL_ACTION_ANALYZE_DID_COMPLETE_SUCCESSFULLY";
 exports.CODEQL_ACTION_TESTING_ENVIRONMENT = "CODEQL_ACTION_TESTING_ENVIRONMENT";
 /** Used to disable uploading SARIF results or status reports to the GitHub API */
 exports.CODEQL_ACTION_TEST_MODE = "CODEQL_ACTION_TEST_MODE";
+/**
+ * The time at which the first action (normally init) started executing.
+ * If a workflow invokes a different action without first invoking the init
+ * action (i.e. the upload action is being used by a third-party integrator)
+ * then this variable will be assigned the start time of the action invoked
+ * rather that the init action.
+ */
+exports.CODEQL_WORKFLOW_STARTED_AT = "CODEQL_WORKFLOW_STARTED_AT";
+exports.ODASA_TRACER_CONFIGURATION = "ODASA_TRACER_CONFIGURATION";
 //# sourceMappingURL=shared-environment.js.map
@@ -1 +1 @@
-{"version":3,"file":"shared-environment.js","sourceRoot":"","sources":["../src/shared-environment.ts"],"names":[],"mappings":";;;AAAa,QAAA,0BAA0B,GAAG,4BAA4B,CAAC;AACvE,wEAAwE;AACxE,2EAA2E;AAC3E,4EAA4E;AAC5E,2EAA2E;AAC3E,+BAA+B;AAClB,QAAA,0BAA0B,GAAG,4BAA4B,CAAC;AAE1D,QAAA,iCAAiC,GAC5C,mCAAmC,CAAC;AAEtC,kFAAkF;AACrE,QAAA,uBAAuB,GAAG,yBAAyB,CAAC"}
+{"version":3,"file":"shared-environment.js","sourceRoot":"","sources":["../src/shared-environment.ts"],"names":[],"mappings":";;;AAAA;;;GAGG;AACU,QAAA,+CAA+C,GAC1D,iDAAiD,CAAC;AAEvC,QAAA,iCAAiC,GAC5C,mCAAmC,CAAC;AAEtC,kFAAkF;AACrE,QAAA,uBAAuB,GAAG,yBAAyB,CAAC;AAEjE;;;;;;GAMG;AACU,QAAA,0BAA0B,GAAG,4BAA4B,CAAC;AAE1D,QAAA,0BAA0B,GAAG,4BAA4B,CAAC"}
@@ -21,6 +21,7 @@ var __importStar = (this && this.__importStar) || function (mod) {
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.createFeatures = exports.mockCodeQLVersion = exports.mockLanguagesInRepo = exports.mockFeatureFlagApiEndpoint = exports.getRecordingLogger = exports.setupActionsVars = exports.setupTests = void 0;
 const github = __importStar(require("@actions/github"));
+const nock = __importStar(require("nock"));
 const sinon = __importStar(require("sinon"));
 const apiClient = __importStar(require("./api-client"));
 const CodeQL = __importStar(require("./codeql"));
@@ -85,6 +86,8 @@ function setupTests(test) {
        if (!t.passed) {
            process.stdout.write(t.context.testOutput);
        }
+        // Undo any modifications made by nock
+        nock.cleanAll();
        // Undo any modifications made by sinon
        sinon.restore();
        // Undo any modifications to the env
@@ -178,6 +181,9 @@ exports.mockCodeQLVersion = mockCodeQLVersion;
 */
 function createFeatures(enabledFeatures) {
    return {
+        getDefaultCliVersion: async () => {
+            throw new Error("not implemented");
+        },
        getValue: async (feature) => {
            return enabledFeatures.includes(feature);
        },
@@ -128,9 +128,8 @@ function findSarifFilesInDir(sarifPath) {
 exports.findSarifFilesInDir = findSarifFilesInDir;
 // Uploads a single sarif file or a directory of sarif files
 // depending on what the path happens to refer to.
-// Returns true iff the upload occurred and succeeded
-async function uploadFromActions(sarifPath, logger) {
-    return await uploadFiles(getSarifFilePaths(sarifPath), (0, repository_1.parseRepositoryNwo)(util.getRequiredEnvParam("GITHUB_REPOSITORY")), await actionsUtil.getCommitOid(actionsUtil.getRequiredInput("checkout_path")), await actionsUtil.getRef(), await actionsUtil.getAnalysisKey(), actionsUtil.getOptionalInput("category"), util.getRequiredEnvParam("GITHUB_WORKFLOW"), workflow.getWorkflowRunID(), actionsUtil.getRequiredInput("checkout_path"), actionsUtil.getRequiredInput("matrix"), logger);
+async function uploadFromActions(sarifPath, checkoutPath, category, logger) {
+    return await uploadFiles(getSarifFilePaths(sarifPath), (0, repository_1.parseRepositoryNwo)(util.getRequiredEnvParam("GITHUB_REPOSITORY")), await actionsUtil.getCommitOid(checkoutPath), await actionsUtil.getRef(), await actionsUtil.getAnalysisKey(), category, util.getRequiredEnvParam("GITHUB_WORKFLOW"), workflow.getWorkflowRunID(), checkoutPath, actionsUtil.getRequiredInput("matrix"), logger);
 }
 exports.uploadFromActions = uploadFromActions;
 function getSarifFilePaths(sarifPath) {
@@ -270,48 +269,92 @@ async function uploadFiles(sarifFiles, repositoryNwo, commitOid, ref, analysisKe
 }
 const STATUS_CHECK_FREQUENCY_MILLISECONDS = 5 * 1000;
 const STATUS_CHECK_TIMEOUT_MILLISECONDS = 2 * 60 * 1000;
-// Waits until either the analysis is successfully processed, a processing error is reported, or STATUS_CHECK_TIMEOUT_MILLISECONDS elapses.
-async function waitForProcessing(repositoryNwo, sarifID, logger) {
+/**
+ * Waits until either the analysis is successfully processed, a processing error
+ * is reported, or `STATUS_CHECK_TIMEOUT_MILLISECONDS` elapses.
+ *
+ * If `isUnsuccessfulExecution` is passed, will throw an error if the analysis
+ * processing does not produce a single error mentioning the unsuccessful
+ * execution.
+ */
+async function waitForProcessing(repositoryNwo, sarifID, logger, options = {
+    isUnsuccessfulExecution: false,
+}) {
    logger.startGroup("Waiting for processing to finish");
-    const client = api.getApiClient();
-    const statusCheckingStarted = Date.now();
-    // eslint-disable-next-line no-constant-condition
-    while (true) {
-        if (Date.now() >
-            statusCheckingStarted + STATUS_CHECK_TIMEOUT_MILLISECONDS) {
-            // If the analysis hasn't finished processing in the allotted time, we continue anyway rather than failing.
-            // It's possible the analysis will eventually finish processing, but it's not worth spending more Actions time waiting.
-            logger.warning("Timed out waiting for analysis to finish processing. Continuing.");
-            break;
+    try {
+        const client = api.getApiClient();
+        const statusCheckingStarted = Date.now();
+        // eslint-disable-next-line no-constant-condition
+        while (true) {
+            if (Date.now() >
+                statusCheckingStarted + STATUS_CHECK_TIMEOUT_MILLISECONDS) {
+                // If the analysis hasn't finished processing in the allotted time, we continue anyway rather than failing.
+                // It's possible the analysis will eventually finish processing, but it's not worth spending more Actions time waiting.
+                logger.warning("Timed out waiting for analysis to finish processing. Continuing.");
+                break;
+            }
+            let response = undefined;
+            try {
+                response = await client.request("GET /repos/:owner/:repo/code-scanning/sarifs/:sarif_id", {
+                    owner: repositoryNwo.owner,
+                    repo: repositoryNwo.repo,
+                    sarif_id: sarifID,
+                });
+            }
+            catch (e) {
+                logger.warning(`An error occurred checking the status of the delivery. ${e} It should still be processed in the background, but errors that occur during processing may not be reported.`);
+                break;
+            }
+            const status = response.data.processing_status;
+            logger.info(`Analysis upload status is ${status}.`);
+            if (status === "pending") {
+                logger.debug("Analysis processing is still pending...");
+            }
+            else if (options.isUnsuccessfulExecution) {
+                // We expect a specific processing error for unsuccessful executions, so
+                // handle these separately.
+                handleProcessingResultForUnsuccessfulExecution(response, status, logger);
+                break;
+            }
+            else if (status === "complete") {
+                break;
+            }
+            else if (status === "failed") {
+                throw new Error(`Code Scanning could not process the submitted SARIF file:\n${response.data.errors}`);
+            }
+            else {
+                util.assertNever(status);
+            }
+            await util.delay(STATUS_CHECK_FREQUENCY_MILLISECONDS);
        }
-        let response = undefined;
-        try {
-            response = await client.request("GET /repos/:owner/:repo/code-scanning/sarifs/:sarif_id", {
-                owner: repositoryNwo.owner,
-                repo: repositoryNwo.repo,
-                sarif_id: sarifID,
-            });
-        }
-        catch (e) {
-            logger.warning(`An error occurred checking the status of the delivery. ${e} It should still be processed in the background, but errors that occur during processing may not be reported.`);
-            break;
-        }
-        const status = response.data.processing_status;
-        logger.info(`Analysis upload status is ${status}.`);
-        if (status === "complete") {
-            break;
-        }
-        else if (status === "pending") {
-            logger.debug("Analysis processing is still pending...");
-        }
-        else if (status === "failed") {
-            throw new Error(`Code Scanning could not process the submitted SARIF file:\n${response.data.errors}`);
-        }
-        await util.delay(STATUS_CHECK_FREQUENCY_MILLISECONDS);
    }
-    logger.endGroup();
+    finally {
+        logger.endGroup();
+    }
 }
 exports.waitForProcessing = waitForProcessing;
+/**
+ * Checks the processing result for an unsuccessful execution. Throws if the
+ * result is not a failure with a single "unsuccessful execution" error.
+ */
+function handleProcessingResultForUnsuccessfulExecution(response, status, logger) {
+    if (status === "failed" &&
+        Array.isArray(response.data.errors) &&
+        response.data.errors.length === 1 &&
+        response.data.errors[0].toString().startsWith("unsuccessful execution")) {
+        logger.debug("Successfully uploaded a SARIF file for the unsuccessful execution. Received expected " +
+            '"unsuccessful execution" error, and no other errors.');
+    }
+    else {
+        const shortMessage = "Failed to upload a SARIF file for the unsuccessful execution. Code scanning status " +
+            "information for the repository may be out of date as a result.";
+        const longMessage = shortMessage + status === "failed"
+            ? ` Processing errors: ${response.data.errors}`
+            : ' Encountered no processing errors, but expected to receive an "unsuccessful execution" error.';
+        logger.debug(longMessage);
+        throw new Error(shortMessage);
+    }
+}
 function validateUniqueCategory(sarif) {
    var _a, _b, _c;
    // duplicate categories are allowed in the same sarif file
@@ -43,7 +43,7 @@ async function run() {
        return;
    }
    try {
-        const uploadResult = await upload_lib.uploadFromActions(actionsUtil.getRequiredInput("sarif_file"), (0, logging_1.getActionsLogger)());
+        const uploadResult = await upload_lib.uploadFromActions(actionsUtil.getRequiredInput("sarif_file"), actionsUtil.getRequiredInput("checkout_path"), actionsUtil.getOptionalInput("category"), (0, logging_1.getActionsLogger)());
        core.setOutput("sarif-id", uploadResult.sarifID);
        // We don't upload results in test mode, so don't wait for processing
        if ((0, util_1.isInTestMode)()) {
@@ -1 +1 @@
-{"version":3,"file":"upload-sarif-action.js","sourceRoot":"","sources":["../src/upload-sarif-action.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;AAAA,oDAAsC;AAEtC,4DAA8C;AAC9C,uCAA6C;AAC7C,6CAAkD;AAClD,yDAA2C;AAC3C,iCAKgB;AAEhB,8CAA8C;AAC9C,MAAM,GAAG,GAAG,OAAO,CAAC,iBAAiB,CAAC,CAAC;AAMvC,KAAK,UAAU,uBAAuB,CACpC,SAAe,EACf,WAA0C;IAE1C,MAAM,gBAAgB,GAAG,MAAM,WAAW,CAAC,sBAAsB,CAC/D,cAAc,EACd,SAAS,EACT,SAAS,CACV,CAAC;IACF,MAAM,YAAY,GAA4B;QAC5C,GAAG,gBAAgB;QACnB,GAAG,WAAW;KACf,CAAC;IACF,MAAM,WAAW,CAAC,gBAAgB,CAAC,YAAY,CAAC,CAAC;AACnD,CAAC;AAED,KAAK,UAAU,GAAG;IAChB,MAAM,SAAS,GAAG,IAAI,IAAI,EAAE,CAAC;IAC7B,IAAA,4BAAqB,EAAC,GAAG,CAAC,OAAO,CAAC,CAAC;IACnC,MAAM,IAAA,yBAAkB,EAAC,GAAG,CAAC,OAAO,CAAC,CAAC;IACtC,IACE,CAAC,CAAC,MAAM,WAAW,CAAC,gBAAgB,CAClC,MAAM,WAAW,CAAC,sBAAsB,CACtC,cAAc,EACd,UAAU,EACV,SAAS,CACV,CACF,CAAC,EACF;QACA,OAAO;KACR;IAED,IAAI;QACF,MAAM,YAAY,GAAG,MAAM,UAAU,CAAC,iBAAiB,CACrD,WAAW,CAAC,gBAAgB,CAAC,YAAY,CAAC,EAC1C,IAAA,0BAAgB,GAAE,CACnB,CAAC;QACF,IAAI,CAAC,SAAS,CAAC,UAAU,EAAE,YAAY,CAAC,OAAO,CAAC,CAAC;QAEjD,qEAAqE;QACrE,IAAI,IAAA,mBAAY,GAAE,EAAE;YAClB,IAAI,CAAC,KAAK,CAAC,mDAAmD,CAAC,CAAC;SACjE;aAAM,IAAI,WAAW,CAAC,gBAAgB,CAAC,qBAAqB,CAAC,KAAK,MAAM,EAAE;YACzE,MAAM,UAAU,CAAC,iBAAiB,CAChC,IAAA,+BAAkB,EAAC,IAAA,0BAAmB,EAAC,mBAAmB,CAAC,CAAC,EAC5D,YAAY,CAAC,OAAO,EACpB,IAAA,0BAAgB,GAAE,CACnB,CAAC;SACH;QACD,MAAM,uBAAuB,CAAC,SAAS,EAAE,YAAY,CAAC,YAAY,CAAC,CAAC;KACrE;IAAC,OAAO,KAAK,EAAE;QACd,MAAM,OAAO,GAAG,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;QACvE,MAAM,KAAK,GAAG,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;QACnE,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC;QACxB,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;QACnB,MAAM,WAAW,CAAC,gBAAgB,CAChC,MAAM,WAAW,CAAC,sBAAsB,CACtC,cAAc,EACd,WAAW,CAAC,gBAAgB,CAAC,KAAK,CAAC,EACnC,SAAS,EACT,OAAO,EACP,KAAK,CACN,CACF,CAAC;QACF,OAAO;KACR;AACH,CAAC;AAED,KAAK,UAAU,UAAU;IACvB,IAAI;QACF,MAAM,GAAG,EAAE,CAAC;KACb;IAAC,OAAO,KAAK,EAAE;QACd,IAAI,CAAC,SAAS,CAAC,sCAAsC,KAAK,EAAE,CAAC,CAAC;QAC9D,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;KACpB;AACH,CAAC;AAED,KAAK,UAAU,EAAE,CAAC"}
+{"version":3,"file":"upload-sarif-action.js","sourceRoot":"","sources":["../src/upload-sarif-action.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;AAAA,oDAAsC;AAEtC,4DAA8C;AAC9C,uCAA6C;AAC7C,6CAAkD;AAClD,yDAA2C;AAC3C,iCAKgB;AAEhB,8CAA8C;AAC9C,MAAM,GAAG,GAAG,OAAO,CAAC,iBAAiB,CAAC,CAAC;AAMvC,KAAK,UAAU,uBAAuB,CACpC,SAAe,EACf,WAA0C;IAE1C,MAAM,gBAAgB,GAAG,MAAM,WAAW,CAAC,sBAAsB,CAC/D,cAAc,EACd,SAAS,EACT,SAAS,CACV,CAAC;IACF,MAAM,YAAY,GAA4B;QAC5C,GAAG,gBAAgB;QACnB,GAAG,WAAW;KACf,CAAC;IACF,MAAM,WAAW,CAAC,gBAAgB,CAAC,YAAY,CAAC,CAAC;AACnD,CAAC;AAED,KAAK,UAAU,GAAG;IAChB,MAAM,SAAS,GAAG,IAAI,IAAI,EAAE,CAAC;IAC7B,IAAA,4BAAqB,EAAC,GAAG,CAAC,OAAO,CAAC,CAAC;IACnC,MAAM,IAAA,yBAAkB,EAAC,GAAG,CAAC,OAAO,CAAC,CAAC;IACtC,IACE,CAAC,CAAC,MAAM,WAAW,CAAC,gBAAgB,CAClC,MAAM,WAAW,CAAC,sBAAsB,CACtC,cAAc,EACd,UAAU,EACV,SAAS,CACV,CACF,CAAC,EACF;QACA,OAAO;KACR;IAED,IAAI;QACF,MAAM,YAAY,GAAG,MAAM,UAAU,CAAC,iBAAiB,CACrD,WAAW,CAAC,gBAAgB,CAAC,YAAY,CAAC,EAC1C,WAAW,CAAC,gBAAgB,CAAC,eAAe,CAAC,EAC7C,WAAW,CAAC,gBAAgB,CAAC,UAAU,CAAC,EACxC,IAAA,0BAAgB,GAAE,CACnB,CAAC;QACF,IAAI,CAAC,SAAS,CAAC,UAAU,EAAE,YAAY,CAAC,OAAO,CAAC,CAAC;QAEjD,qEAAqE;QACrE,IAAI,IAAA,mBAAY,GAAE,EAAE;YAClB,IAAI,CAAC,KAAK,CAAC,mDAAmD,CAAC,CAAC;SACjE;aAAM,IAAI,WAAW,CAAC,gBAAgB,CAAC,qBAAqB,CAAC,KAAK,MAAM,EAAE;YACzE,MAAM,UAAU,CAAC,iBAAiB,CAChC,IAAA,+BAAkB,EAAC,IAAA,0BAAmB,EAAC,mBAAmB,CAAC,CAAC,EAC5D,YAAY,CAAC,OAAO,EACpB,IAAA,0BAAgB,GAAE,CACnB,CAAC;SACH;QACD,MAAM,uBAAuB,CAAC,SAAS,EAAE,YAAY,CAAC,YAAY,CAAC,CAAC;KACrE;IAAC,OAAO,KAAK,EAAE;QACd,MAAM,OAAO,GAAG,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;QACvE,MAAM,KAAK,GAAG,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;QACnE,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC;QACxB,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;QACnB,MAAM,WAAW,CAAC,gBAAgB,CAChC,MAAM,WAAW,CAAC,sBAAsB,CACtC,cAAc,EACd,WAAW,CAAC,gBAAgB,CAAC,KAAK,CAAC,EACnC,SAAS,EACT,OAAO,EACP,KAAK,CACN,CACF,CAAC;QACF,OAAO;KACR;AACH,CAAC;AAED,KAAK,UAAU,UAAU;IACvB,IAAI;QACF,MAAM,GAAG,EAAE,CAAC;KACb;IAAC,OAAO,KAAK,EAAE;QACd,IAAI,CAAC,SAAS,CAAC,sCAAsC,KAAK,EAAE,CAAC,CAAC;QAC9D,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;KACpB;AACH,CAAC;AAED,KAAK,UAAU,EAAE,CAAC"}
@@ -22,7 +22,7 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
    return (mod && mod.__esModule) ? mod : { "default": mod };
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.shouldBypassToolcache = exports.isHostedRunner = exports.checkForTimeout = exports.withTimeout = exports.tryGetFolderBytes = exports.listFolder = exports.doesDirectoryExist = exports.logCodeScanningConfigInCli = exports.useCodeScanningConfigInCli = exports.isInTestMode = exports.checkActionVersion = exports.getMlPoweredJsQueriesStatus = exports.getMlPoweredJsQueriesPack = exports.ML_POWERED_JS_QUERIES_PACK_NAME = exports.isGoodVersion = exports.delay = exports.bundleDb = exports.codeQlVersionAbove = exports.getCachedCodeQlVersion = exports.cacheCodeQlVersion = exports.isHTTPError = exports.UserError = exports.HTTPError = exports.getRequiredEnvParam = exports.enrichEnvironment = exports.initializeEnvironment = exports.EnvVar = exports.assertNever = exports.apiVersionInRange = exports.DisallowedAPIVersionReason = exports.checkGitHubVersionInRange = exports.getGitHubVersion = exports.GitHubVariant = exports.parseGitHubUrl = exports.getCodeQLDatabasePath = exports.getThreadsFlag = exports.getThreadsFlagValue = exports.getAddSnippetsFlag = exports.getMemoryFlag = exports.getMemoryFlagValue = exports.withTmpDir = exports.getToolNames = exports.getExtraOptionsEnvParam = exports.DID_AUTOBUILD_GO_ENV_VAR_NAME = exports.DEFAULT_DEBUG_DATABASE_NAME = exports.DEFAULT_DEBUG_ARTIFACT_NAME = exports.GITHUB_DOTCOM_URL = void 0;
+exports.getPinnedCodeqlVersion = exports.parseMatrixInput = exports.shouldBypassToolcache = exports.isHostedRunner = exports.checkForTimeout = exports.withTimeout = exports.tryGetFolderBytes = exports.listFolder = exports.doesDirectoryExist = exports.logCodeScanningConfigInCli = exports.useCodeScanningConfigInCli = exports.isInTestMode = exports.checkActionVersion = exports.getMlPoweredJsQueriesStatus = exports.getMlPoweredJsQueriesPack = exports.ML_POWERED_JS_QUERIES_PACK_NAME = exports.isGoodVersion = exports.delay = exports.bundleDb = exports.codeQlVersionAbove = exports.getCachedCodeQlVersion = exports.cacheCodeQlVersion = exports.isHTTPError = exports.UserError = exports.HTTPError = exports.getRequiredEnvParam = exports.enrichEnvironment = exports.initializeEnvironment = exports.EnvVar = exports.assertNever = exports.apiVersionInRange = exports.DisallowedAPIVersionReason = exports.checkGitHubVersionInRange = exports.getGitHubVersion = exports.GitHubVariant = exports.parseGitHubUrl = exports.getCodeQLDatabasePath = exports.getThreadsFlag = exports.getThreadsFlagValue = exports.getAddSnippetsFlag = exports.getMemoryFlag = exports.getMemoryFlagValue = exports.withTmpDir = exports.getToolNames = exports.getExtraOptionsEnvParam = exports.DID_AUTOBUILD_GO_ENV_VAR_NAME = exports.DEFAULT_DEBUG_DATABASE_NAME = exports.DEFAULT_DEBUG_ARTIFACT_NAME = exports.GITHUB_DOTCOM_URL = void 0;
 const fs = __importStar(require("fs"));
 const os = __importStar(require("os"));
 const path = __importStar(require("path"));
@@ -36,6 +36,7 @@ const api_client_1 = require("./api-client");
 const apiCompatibility = __importStar(require("./api-compatibility.json"));
 const codeql_1 = require("./codeql");
 const config_utils_1 = require("./config-utils");
+const defaults = __importStar(require("./defaults.json")); // Referenced from codeql-action-sync-tool!
 const feature_flags_1 = require("./feature-flags");
 const languages_1 = require("./languages");
 const shared_environment_1 = require("./shared-environment");
@@ -750,4 +751,32 @@ async function shouldBypassToolcache(featuresEnablement, codeqlUrl, languagesInp
    return bypass;
 }
 exports.shouldBypassToolcache = shouldBypassToolcache;
+function parseMatrixInput(matrixInput) {
+    if (matrixInput === undefined || matrixInput === "null") {
+        return undefined;
+    }
+    return JSON.parse(matrixInput);
+}
+exports.parseMatrixInput = parseMatrixInput;
+function computeToolcacheVersion(cliVersion, tagName) {
+    return `${cliVersion}-${tagName}`;
+}
+/**
+ * Gets version information about the CodeQL bundle which was current as of the release of this
+ * Action.
+ *
+ * This should be used in the following circumstances:
+ *
+ * - When running the Action on Enterprise instances.
+ * - When a user requests `tools: latest`.
+ * - When the Action is running on Dotcom and no default CodeQL version feature flags are enabled.
+ */
+function getPinnedCodeqlVersion() {
+    return {
+        cliVersion: defaults.cliVersion,
+        tagName: defaults.bundleVersion,
+        toolcacheVersion: computeToolcacheVersion(defaults.cliVersion, defaults.bundleVersion),
+    };
+}
+exports.getPinnedCodeqlVersion = getPinnedCodeqlVersion;
 //# sourceMappingURL=util.js.map
@@ -19,7 +19,7 @@ var __importStar = (this && this.__importStar) || function (mod) {
    return result;
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.getCategoryInputOrThrow = exports.getWorkflowRunID = exports.getWorkflowPath = exports.getWorkflow = exports.formatWorkflowCause = exports.formatWorkflowErrors = exports.validateWorkflow = exports.getWorkflowErrors = exports.WorkflowErrors = exports.patternIsSuperset = void 0;
+exports.getCheckoutPathInputOrThrow = exports.getUploadInputOrThrow = exports.getCategoryInputOrThrow = exports.getWorkflowRunID = exports.getWorkflowPath = exports.getWorkflow = exports.formatWorkflowCause = exports.formatWorkflowErrors = exports.validateWorkflow = exports.getWorkflowErrors = exports.WorkflowErrors = exports.patternIsSuperset = void 0;
 const fs = __importStar(require("fs"));
 const path = __importStar(require("path"));
 const core = __importStar(require("@actions/core"));
@@ -213,7 +213,16 @@ exports.formatWorkflowCause = formatWorkflowCause;
 async function getWorkflow() {
    const relativePath = await getWorkflowPath();
    const absolutePath = path.join((0, util_1.getRequiredEnvParam)("GITHUB_WORKSPACE"), relativePath);
-    return yaml.load(fs.readFileSync(absolutePath, "utf-8"));
+    try {
+        return yaml.load(fs.readFileSync(absolutePath, "utf-8"));
+    }
+    catch (e) {
+        if (e instanceof Error && e["code"] === "ENOENT") {
+            throw new Error(`Unable to load code scanning workflow from ${absolutePath}. This can happen if the currently ` +
+                "running workflow checks out a branch that doesn't contain the corresponding workflow file.");
+        }
+        throw e;
+    }
 }
 exports.getWorkflow = getWorkflow;
 /**
@@ -247,6 +256,9 @@ function getWorkflowRunID() {
 }
 exports.getWorkflowRunID = getWorkflowRunID;
 function getStepsCallingAction(job, actionName) {
+    if (job.uses) {
+        throw new Error(`Could not get steps calling ${actionName} since the job calls a reusable workflow.`);
+    }
    const steps = job.steps;
    if (!Array.isArray(steps)) {
        throw new Error(`Could not get steps calling ${actionName} since job.steps was not an array.`);
@@ -264,34 +276,48 @@ function getStepsCallingAction(job, actionName) {
 * determine that no such input is passed to the Action.
 */
 function getInputOrThrow(workflow, jobName, actionName, inputName, matrixVars) {
+    var _a, _b;
+    const preamble = `Could not get ${inputName} input to ${actionName} since`;
    if (!workflow.jobs) {
-        throw new Error(`Could not get ${inputName} input to ${actionName} since the workflow has no jobs.`);
+        throw new Error(`${preamble} the workflow has no jobs.`);
    }
    if (!workflow.jobs[jobName]) {
-        throw new Error(`Could not get ${inputName} input to ${actionName} since the workflow has no job named ${jobName}.`);
+        throw new Error(`${preamble} the workflow has no job named ${jobName}.`);
    }
-    const inputs = getStepsCallingAction(workflow.jobs[jobName], actionName)
-        .map((step) => { var _a; return (_a = step.with) === null || _a === void 0 ? void 0 : _a[inputName]; })
-        .filter((input) => input !== undefined)
-        .map((input) => input);
-    if (inputs.length === 0) {
-        return undefined;
+    const stepsCallingAction = getStepsCallingAction(workflow.jobs[jobName], actionName);
+    if (stepsCallingAction.length === 0) {
+        throw new Error(`${preamble} the ${jobName} job does not call ${actionName}.`);
    }
-    if (!inputs.every((input) => input === inputs[0])) {
-        throw new Error(`Could not get ${inputName} input to ${actionName} since there were multiple steps calling ` +
-            `${actionName} with different values for ${inputName}.`);
+    else if (stepsCallingAction.length > 1) {
+        throw new Error(`${preamble} the ${jobName} job calls ${actionName} multiple times.`);
    }
-    // Make a basic attempt to substitute matrix variables
-    // First normalize by removing whitespace
-    let input = inputs[0].replace(/\${{\s+/, "${{").replace(/\s+}}/, "}}");
-    for (const [key, value] of Object.entries(matrixVars)) {
-        input = input.replace(`\${{matrix.${key}}}`, value);
+    let input = (_b = (_a = stepsCallingAction[0].with) === null || _a === void 0 ? void 0 : _a[inputName]) === null || _b === void 0 ? void 0 : _b.toString();
+    if (input !== undefined && matrixVars !== undefined) {
+        // Normalize by removing whitespace
+        input = input.replace(/\${{\s+/, "${{").replace(/\s+}}/, "}}");
+        // Make a basic attempt to substitute matrix variables
+        for (const [key, value] of Object.entries(matrixVars)) {
+            input = input.replace(`\${{matrix.${key}}}`, value);
+        }
    }
-    if (input.includes("${{")) {
+    if (input !== undefined && input.includes("${{")) {
        throw new Error(`Could not get ${inputName} input to ${actionName} since it contained an unrecognized dynamic value.`);
    }
    return input;
 }
+/**
+ * Get the expected name of the analyze Action.
+ *
+ * This allows us to test workflow parsing functionality as a CodeQL Action PR check.
+ */
+function getAnalyzeActionName() {
+    if ((0, util_1.getRequiredEnvParam)("GITHUB_REPOSITORY") === "github/codeql-action") {
+        return "./analyze";
+    }
+    else {
+        return "github/codeql-action/analyze";
+    }
+}
 /**
 * Makes a best effort attempt to retrieve the category input for the particular job,
 * given a set of matrix variables.
@@ -302,7 +328,35 @@ function getInputOrThrow(workflow, jobName, actionName, inputName, matrixVars) {
 * @throws an error if the category input could not be determined
 */
 function getCategoryInputOrThrow(workflow, jobName, matrixVars) {
-    return getInputOrThrow(workflow, jobName, "github/codeql-action/analyze", "category", matrixVars);
+    return getInputOrThrow(workflow, jobName, getAnalyzeActionName(), "category", matrixVars);
 }
 exports.getCategoryInputOrThrow = getCategoryInputOrThrow;
+/**
+ * Makes a best effort attempt to retrieve the upload input for the particular job,
+ * given a set of matrix variables.
+ *
+ * Typically you'll want to wrap this function in a try/catch block and handle the error.
+ *
+ * @returns the upload input
+ * @throws an error if the upload input could not be determined
+ */
+function getUploadInputOrThrow(workflow, jobName, matrixVars) {
+    return (getInputOrThrow(workflow, jobName, getAnalyzeActionName(), "upload", matrixVars) || "true" // if unspecified, upload defaults to true
+    );
+}
+exports.getUploadInputOrThrow = getUploadInputOrThrow;
+/**
+ * Makes a best effort attempt to retrieve the checkout_path input for the
+ * particular job, given a set of matrix variables.
+ *
+ * Typically you'll want to wrap this function in a try/catch block and handle the error.
+ *
+ * @returns the checkout_path input
+ * @throws an error if the checkout_path input could not be determined
+ */
+function getCheckoutPathInputOrThrow(workflow, jobName, matrixVars) {
+    return (getInputOrThrow(workflow, jobName, getAnalyzeActionName(), "checkout_path", matrixVars) || (0, util_1.getRequiredEnvParam)("GITHUB_WORKSPACE") // if unspecified, checkout_path defaults to ${{ github.workspace }}
+    );
+}
+exports.getCheckoutPathInputOrThrow = getCheckoutPathInputOrThrow;
 //# sourceMappingURL=workflow.js.map
@@ -356,6 +356,7 @@ function errorCodes(actual, expected) {
  `)), []));
 });
 (0, ava_1.default)("getCategoryInputOrThrow returns category for simple workflow with category", (t) => {
+    process.env["GITHUB_REPOSITORY"] = "github/codeql-action-fake-repository";
    t.is((0, workflow_1.getCategoryInputOrThrow)(yaml.load(`
        jobs:
          analysis:
@@ -369,6 +370,7 @@ function errorCodes(actual, expected) {
      `), "analysis", {}), "some-category");
 });
 (0, ava_1.default)("getCategoryInputOrThrow returns undefined for simple workflow without category", (t) => {
+    process.env["GITHUB_REPOSITORY"] = "github/codeql-action-fake-repository";
    t.is((0, workflow_1.getCategoryInputOrThrow)(yaml.load(`
        jobs:
          analysis:
@@ -380,6 +382,7 @@ function errorCodes(actual, expected) {
      `), "analysis", {}), undefined);
 });
 (0, ava_1.default)("getCategoryInputOrThrow returns category for workflow with multiple jobs", (t) => {
+    process.env["GITHUB_REPOSITORY"] = "github/codeql-action-fake-repository";
    t.is((0, workflow_1.getCategoryInputOrThrow)(yaml.load(`
        jobs:
          foo:
@@ -403,6 +406,7 @@ function errorCodes(actual, expected) {
      `), "bar", {}), "bar-category");
 });
 (0, ava_1.default)("getCategoryInputOrThrow finds category for workflow with language matrix", (t) => {
+    process.env["GITHUB_REPOSITORY"] = "github/codeql-action-fake-repository";
    t.is((0, workflow_1.getCategoryInputOrThrow)(yaml.load(`
        jobs:
          analysis:
@@ -421,6 +425,7 @@ function errorCodes(actual, expected) {
      `), "analysis", { language: "javascript" }), "/language:javascript");
 });
 (0, ava_1.default)("getCategoryInputOrThrow throws error for workflow with dynamic category", (t) => {
+    process.env["GITHUB_REPOSITORY"] = "github/codeql-action-fake-repository";
    t.throws(() => (0, workflow_1.getCategoryInputOrThrow)(yaml.load(`
          jobs:
            analysis:
@@ -435,7 +440,8 @@ function errorCodes(actual, expected) {
            "an unrecognized dynamic value.",
    });
 });
-(0, ava_1.default)("getCategoryInputOrThrow throws error for workflow with multiple categories", (t) => {
+(0, ava_1.default)("getCategoryInputOrThrow throws error for workflow with multiple calls to analyze", (t) => {
+    process.env["GITHUB_REPOSITORY"] = "github/codeql-action-fake-repository";
    t.throws(() => (0, workflow_1.getCategoryInputOrThrow)(yaml.load(`
          jobs:
            analysis:
@@ -450,8 +456,8 @@ function errorCodes(actual, expected) {
                  with:
                    category: another-category
        `), "analysis", {}), {
-        message: "Could not get category input to github/codeql-action/analyze since there were multiple steps " +
-            "calling github/codeql-action/analyze with different values for category.",
+        message: "Could not get category input to github/codeql-action/analyze since the analysis job " +
+            "calls github/codeql-action/analyze multiple times.",
    });
 });
 //# sourceMappingURL=workflow.test.js.map
@@ -1,6 +1,6 @@
 {
  "name": "codeql",
-  "version": "2.1.36",
+  "version": "2.1.38",
  "lockfileVersion": 3,
  "requires": true,
  "packages": {
@@ -1924,13 +1924,6 @@
        }
      }
    },
-    "node_modules/decode-uri-component": {
-      "version": "0.2.0",
-      "integrity": "sha1-6zkTMzRYd1y4TNGh+uBiEGu4dUU=",
-      "engines": {
-        "node": ">=0.10"
-      }
-    },
    "node_modules/deep-is": {
      "version": "0.1.3",
      "integrity": "sha1-s2nW+128E+7PUk+RsHD+7cNXzzQ=",
@@ -3046,13 +3039,6 @@
        "node": ">=8"
      }
    },
-    "node_modules/filter-obj": {
-      "version": "1.1.0",
-      "integrity": "sha1-mzERErxsYSehbgFsbF1/GeCAXFs=",
-      "engines": {
-        "node": ">=0.10.0"
-      }
-    },
    "node_modules/find-up": {
      "version": "6.2.0",
      "resolved": "https://registry.npmjs.org/find-up/-/find-up-6.2.0.tgz",
@@ -4559,23 +4545,6 @@
        "node": ">=6"
      }
    },
-    "node_modules/query-string": {
-      "version": "7.0.1",
-      "resolved": "https://registry.npmjs.org/query-string/-/query-string-7.0.1.tgz",
-      "integrity": "sha512-uIw3iRvHnk9to1blJCG3BTc+Ro56CBowJXKmNNAm3RulvPBzWLRqKSiiDk+IplJhsydwtuNMHi8UGQFcCLVfkA==",
-      "dependencies": {
-        "decode-uri-component": "^0.2.0",
-        "filter-obj": "^1.1.0",
-        "split-on-first": "^1.0.0",
-        "strict-uri-encode": "^2.0.0"
-      },
-      "engines": {
-        "node": ">=6"
-      },
-      "funding": {
-        "url": "https://github.com/sponsors/sindresorhus"
-      }
-    },
    "node_modules/read-pkg-up": {
      "version": "3.0.0",
      "resolved": "https://registry.npmjs.org/read-pkg-up/-/read-pkg-up-3.0.0.tgz",
@@ -5041,13 +5010,6 @@
      "integrity": "sha512-J+FWzZoynJEXGphVIS+XEh3kFSjZX/1i9gFBaWQcB+/tmpe2qUsSBABpcxqxnAxFdiUFEgAX1bjYGQvIZmoz9Q==",
      "dev": true
    },
-    "node_modules/split-on-first": {
-      "version": "1.1.0",
-      "integrity": "sha512-43ZssAJaMusuKWL8sKUBQXHWOpq8d6CfN/u1p4gUzfJkM05C8rxTmYrkIPTXapZpORA6LkkzcUulJ8FqA7Uudw==",
-      "engines": {
-        "node": ">=6"
-      }
-    },
    "node_modules/sprintf-js": {
      "version": "1.0.3",
      "resolved": "https://registry.npmjs.org/sprintf-js/-/sprintf-js-1.0.3.tgz",
@@ -5075,13 +5037,6 @@
        "node": ">=8"
      }
    },
-    "node_modules/strict-uri-encode": {
-      "version": "2.0.0",
-      "integrity": "sha1-ucczDHBChi9rFC3CdLvMWGbONUY=",
-      "engines": {
-        "node": ">=4"
-      }
-    },
    "node_modules/string-width": {
      "version": "4.2.3",
      "resolved": "https://registry.npmjs.org/string-width/-/string-width-4.2.3.tgz",
@@ -1,94 +0,0 @@
-'use strict';
-var token = '%[a-f0-9]{2}';
-var singleMatcher = new RegExp(token, 'gi');
-var multiMatcher = new RegExp('(' + token + ')+', 'gi');
-
-function decodeComponents(components, split) {
-	try {
-		// Try to decode the entire string first
-		return decodeURIComponent(components.join(''));
-	} catch (err) {
-		// Do nothing
-	}
-
-	if (components.length === 1) {
-		return components;
-	}
-
-	split = split || 1;
-
-	// Split the array in 2 parts
-	var left = components.slice(0, split);
-	var right = components.slice(split);
-
-	return Array.prototype.concat.call([], decodeComponents(left), decodeComponents(right));
-}
-
-function decode(input) {
-	try {
-		return decodeURIComponent(input);
-	} catch (err) {
-		var tokens = input.match(singleMatcher);
-
-		for (var i = 1; i < tokens.length; i++) {
-			input = decodeComponents(tokens, i).join('');
-
-			tokens = input.match(singleMatcher);
-		}
-
-		return input;
-	}
-}
-
-function customDecodeURIComponent(input) {
-	// Keep track of all the replacements and prefill the map with the `BOM`
-	var replaceMap = {
-		'%FE%FF': '\uFFFD\uFFFD',
-		'%FF%FE': '\uFFFD\uFFFD'
-	};
-
-	var match = multiMatcher.exec(input);
-	while (match) {
-		try {
-			// Decode as big chunks as possible
-			replaceMap[match[0]] = decodeURIComponent(match[0]);
-		} catch (err) {
-			var result = decode(match[0]);
-
-			if (result !== match[0]) {
-				replaceMap[match[0]] = result;
-			}
-		}
-
-		match = multiMatcher.exec(input);
-	}
-
-	// Add `%C2` at the end of the map to make sure it does not replace the combinator before everything else
-	replaceMap['%C2'] = '\uFFFD';
-
-	var entries = Object.keys(replaceMap);
-
-	for (var i = 0; i < entries.length; i++) {
-		// Replace all decoded components
-		var key = entries[i];
-		input = input.replace(new RegExp(key, 'g'), replaceMap[key]);
-	}
-
-	return input;
-}
-
-module.exports = function (encodedURI) {
-	if (typeof encodedURI !== 'string') {
-		throw new TypeError('Expected `encodedURI` to be of type `string`, got `' + typeof encodedURI + '`');
-	}
-
-	try {
-		encodedURI = encodedURI.replace(/\+/g, ' ');
-
-		// Try the built in decoder first
-		return decodeURIComponent(encodedURI);
-	} catch (err) {
-		// Fallback to a more advanced decoder
-		return customDecodeURIComponent(encodedURI);
-	}
-};
@@ -1,21 +0,0 @@
-The MIT License (MIT)
-
-Copyright (c) Sam Verschueren <sam.verschueren@gmail.com> (github.com/SamVerschueren)
-
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to deal
-in the Software without restriction, including without limitation the rights
-to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in
-all copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
-THE SOFTWARE.
@@ -1,37 +0,0 @@
-{
-  "name": "decode-uri-component",
-  "version": "0.2.0",
-  "description": "A better decodeURIComponent",
-  "license": "MIT",
-  "repository": "SamVerschueren/decode-uri-component",
-  "author": {
-    "name": "Sam Verschueren",
-    "email": "sam.verschueren@gmail.com",
-    "url": "github.com/SamVerschueren"
-  },
-  "engines": {
-    "node": ">=0.10"
-  },
-  "scripts": {
-    "test": "xo && nyc ava",
-    "coveralls": "nyc report --reporter=text-lcov | coveralls"
-  },
-  "files": [
-    "index.js"
-  ],
-  "keywords": [
-    "decode",
-    "uri",
-    "component",
-    "decodeuricomponent",
-    "components",
-    "decoder",
-    "url"
-  ],
-  "devDependencies": {
-    "ava": "^0.17.0",
-    "coveralls": "^2.13.1",
-    "nyc": "^10.3.2",
-    "xo": "^0.16.0"
-  }
-}
@@ -1,70 +0,0 @@
-# decode-uri-component
-
-[![Build Status](https://travis-ci.org/SamVerschueren/decode-uri-component.svg?branch=master)](https://travis-ci.org/SamVerschueren/decode-uri-component) [![Coverage Status](https://coveralls.io/repos/SamVerschueren/decode-uri-component/badge.svg?branch=master&service=github)](https://coveralls.io/github/SamVerschueren/decode-uri-component?branch=master)
-
-> A better [decodeURIComponent](https://developer.mozilla.org/en/docs/Web/JavaScript/Reference/Global_Objects/decodeURIComponent)
-
-
-## Why?
-
- Decodes `+` to a space.
- Converts the [BOM](https://en.wikipedia.org/wiki/Byte_order_mark) to a [replacement character](https://en.wikipedia.org/wiki/Specials_(Unicode_block)#Replacement_character) `�`.
- Does not throw with invalid encoded input.
- Decodes as much of the string as possible.
-
-
-## Install
-
-```
-$ npm install --save decode-uri-component
-```
-
-
-## Usage
-
-```js
-const decodeUriComponent = require('decode-uri-component');
-
-decodeUriComponent('%25');
-//=> '%'
-
-decodeUriComponent('%');
-//=> '%'
-
-decodeUriComponent('st%C3%A5le');
-//=> 'ståle'
-
-decodeUriComponent('%st%C3%A5le%');
-//=> '%ståle%'
-
-decodeUriComponent('%%7Bst%C3%A5le%7D%');
-//=> '%{ståle}%'
-
-decodeUriComponent('%7B%ab%%7C%de%%7D');
-//=> '{%ab%|%de%}'
-
-decodeUriComponent('%FE%FF');
-//=> '\uFFFD\uFFFD'
-
-decodeUriComponent('%C2');
-//=> '\uFFFD'
-
-decodeUriComponent('%C2%B5');
-//=> 'µ'
-```
-
-
-## API
-
-### decodeUriComponent(encodedURI)
-
-#### encodedURI
-
-Type: `string`
-
-An encoded component of a Uniform Resource Identifier.
-
-
-## License
-
-MIT © [Sam Verschueren](https://github.com/SamVerschueren)
@@ -1,17 +0,0 @@
-'use strict';
-module.exports = function (obj, predicate) {
-	var ret = {};
-	var keys = Object.keys(obj);
-	var isArr = Array.isArray(predicate);
-
-	for (var i = 0; i < keys.length; i++) {
-		var key = keys[i];
-		var val = obj[key];
-
-		if (isArr ? predicate.indexOf(key) !== -1 : predicate(key, val, obj)) {
-			ret[key] = val;
-		}
-	}
-
-	return ret;
-};
@@ -1,21 +0,0 @@
-The MIT License (MIT)
-
-Copyright (c) Sindre Sorhus <sindresorhus@gmail.com> (sindresorhus.com)
-
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to deal
-in the Software without restriction, including without limitation the rights
-to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in
-all copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
-THE SOFTWARE.
@@ -1,37 +0,0 @@
-{
-  "name": "filter-obj",
-  "version": "1.1.0",
-  "description": "Filter object keys and values into a new object",
-  "license": "MIT",
-  "repository": "sindresorhus/filter-obj",
-  "author": {
-    "name": "Sindre Sorhus",
-    "email": "sindresorhus@gmail.com",
-    "url": "sindresorhus.com"
-  },
-  "engines": {
-    "node": ">=0.10.0"
-  },
-  "scripts": {
-    "test": "xo && node test.js"
-  },
-  "files": [
-    "index.js"
-  ],
-  "keywords": [
-    "filter",
-    "obj",
-    "object",
-    "key",
-    "keys",
-    "value",
-    "values",
-    "val",
-    "iterate",
-    "iterator"
-  ],
-  "devDependencies": {
-    "ava": "0.0.4",
-    "xo": "*"
-  }
-}
@@ -1,41 +0,0 @@
-# filter-obj [![Build Status](https://travis-ci.org/sindresorhus/filter-obj.svg?branch=master)](https://travis-ci.org/sindresorhus/filter-obj)
-
-> Filter object keys and values into a new object
-
-
-## Install
-
-```
-$ npm install --save filter-obj
-```
-
-
-## Usage
-
-```js
-var filterObj = require('filter-obj');
-
-var obj = {
-	foo: true,
-	bar: false
-};
-
-var newObject = filterObj(obj, function (key, value, object) {
-	return value === true;
-});
-//=> {foo: true}
-
-var newObject2 = filterObj(obj, ['bar']);
-//=> {bar: true}
-```
-
-
-## Related
-
- [map-obj](https://github.com/sindresorhus/map-obj) - Map object keys and values into a new object
- [object-assign](https://github.com/sindresorhus/object-assign) - Copy enumerable own properties from one or more source objects to a target object
-
-
-## License
-
-MIT © [Sindre Sorhus](http://sindresorhus.com)
@@ -1,545 +0,0 @@
-export interface ParseOptions {
-	/**
-	Decode the keys and values. URI components are decoded with [`decode-uri-component`](https://github.com/SamVerschueren/decode-uri-component).
-
-	@default true
-	*/
-	readonly decode?: boolean;
-
-	/**
-	@default 'none'
-
-	- `bracket`: Parse arrays with bracket representation:
-
-		```
-		import queryString = require('query-string');
-
-		queryString.parse('foo[]=1&foo[]=2&foo[]=3', {arrayFormat: 'bracket'});
-		//=> {foo: ['1', '2', '3']}
-		```
-
-	- `index`: Parse arrays with index representation:
-
-		```
-		import queryString = require('query-string');
-
-		queryString.parse('foo[0]=1&foo[1]=2&foo[3]=3', {arrayFormat: 'index'});
-		//=> {foo: ['1', '2', '3']}
-		```
-
-	- `comma`: Parse arrays with elements separated by comma:
-
-		```
-		import queryString = require('query-string');
-
-		queryString.parse('foo=1,2,3', {arrayFormat: 'comma'});
-		//=> {foo: ['1', '2', '3']}
-		```
-
-	- `separator`: Parse arrays with elements separated by a custom character:
-
-		```
-		import queryString = require('query-string');
-
-		queryString.parse('foo=1|2|3', {arrayFormat: 'separator', arrayFormatSeparator: '|'});
-		//=> {foo: ['1', '2', '3']}
-		```
-
-	- `bracket-separator`: Parse arrays (that are explicitly marked with brackets) with elements separated by a custom character:
-
-		```
-		import queryString = require('query-string');
-
-		queryString.parse('foo[]', {arrayFormat: 'bracket-separator', arrayFormatSeparator: '|'});
-		//=> {foo: []}
-
-		queryString.parse('foo[]=', {arrayFormat: 'bracket-separator', arrayFormatSeparator: '|'});
-		//=> {foo: ['']}
-
-		queryString.parse('foo[]=1', {arrayFormat: 'bracket-separator', arrayFormatSeparator: '|'});
-	 	//=> {foo: ['1']}
-
-		queryString.parse('foo[]=1|2|3', {arrayFormat: 'bracket-separator', arrayFormatSeparator: '|'});
-		//=> {foo: ['1', '2', '3']}
-
-		queryString.parse('foo[]=1||3|||6', {arrayFormat: 'bracket-separator', arrayFormatSeparator: '|'});
-		//=> {foo: ['1', '', 3, '', '', '6']}
-
-		queryString.parse('foo[]=1|2|3&bar=fluffy&baz[]=4', {arrayFormat: 'bracket-separator', arrayFormatSeparator: '|'});
-		//=> {foo: ['1', '2', '3'], bar: 'fluffy', baz:['4']}
-		```
-
-	- `none`: Parse arrays with elements using duplicate keys:
-
-		```
-		import queryString = require('query-string');
-
-		queryString.parse('foo=1&foo=2&foo=3');
-		//=> {foo: ['1', '2', '3']}
-		```
-	*/
-	readonly arrayFormat?: 'bracket' | 'index' | 'comma' | 'separator' | 'bracket-separator' | 'none';
-
-	/**
-	The character used to separate array elements when using `{arrayFormat: 'separator'}`.
-
-	@default ,
-	*/
-	readonly arrayFormatSeparator?: string;
-
-	/**
-	Supports both `Function` as a custom sorting function or `false` to disable sorting.
-
-	If omitted, keys are sorted using `Array#sort`, which means, converting them to strings and comparing strings in Unicode code point order.
-
-	@default true
-
-	@example
-	```
-	import queryString = require('query-string');
-
-	const order = ['c', 'a', 'b'];
-
-	queryString.parse('?a=one&b=two&c=three', {
-		sort: (itemLeft, itemRight) => order.indexOf(itemLeft) - order.indexOf(itemRight)
-	});
-	//=> {c: 'three', a: 'one', b: 'two'}
-	```
-
-	@example
-	```
-	import queryString = require('query-string');
-
-	queryString.parse('?a=one&c=three&b=two', {sort: false});
-	//=> {a: 'one', c: 'three', b: 'two'}
-	```
-	*/
-	readonly sort?: ((itemLeft: string, itemRight: string) => number) | false;
-
-	/**
-	Parse the value as a number type instead of string type if it's a number.
-
-	@default false
-
-	@example
-	```
-	import queryString = require('query-string');
-
-	queryString.parse('foo=1', {parseNumbers: true});
-	//=> {foo: 1}
-	```
-	*/
-	readonly parseNumbers?: boolean;
-
-	/**
-	Parse the value as a boolean type instead of string type if it's a boolean.
-
-	@default false
-
-	@example
-	```
-	import queryString = require('query-string');
-
-	queryString.parse('foo=true', {parseBooleans: true});
-	//=> {foo: true}
-	```
-	*/
-	readonly parseBooleans?: boolean;
-
-	/**
-	Parse the fragment identifier from the URL and add it to result object.
-
-	@default false
-
-	@example
-	```
-	import queryString = require('query-string');
-
-	queryString.parseUrl('https://foo.bar?foo=bar#xyz', {parseFragmentIdentifier: true});
-	//=> {url: 'https://foo.bar', query: {foo: 'bar'}, fragmentIdentifier: 'xyz'}
-	```
-	*/
-	readonly parseFragmentIdentifier?: boolean;
-}
-
-export interface ParsedQuery<T = string> {
-	[key: string]: T | T[] | null;
-}
-
-/**
-Parse a query string into an object. Leading `?` or `#` are ignored, so you can pass `location.search` or `location.hash` directly.
-
-The returned object is created with [`Object.create(null)`](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Object/create) and thus does not have a `prototype`.
-
-@param query - The query string to parse.
-*/
-export function parse(query: string, options: {parseBooleans: true, parseNumbers: true} & ParseOptions): ParsedQuery<string | boolean | number>;
-export function parse(query: string, options: {parseBooleans: true} & ParseOptions): ParsedQuery<string | boolean>;
-export function parse(query: string, options: {parseNumbers: true} & ParseOptions): ParsedQuery<string | number>;
-export function parse(query: string, options?: ParseOptions): ParsedQuery;
-
-export interface ParsedUrl {
-	readonly url: string;
-	readonly query: ParsedQuery;
-
-	/**
-	The fragment identifier of the URL.
-
-	Present when the `parseFragmentIdentifier` option is `true`.
-	*/
-	readonly fragmentIdentifier?: string;
-}
-
-/**
-Extract the URL and the query string as an object.
-
-If the `parseFragmentIdentifier` option is `true`, the object will also contain a `fragmentIdentifier` property.
-
-@param url - The URL to parse.
-
-@example
-```
-import queryString = require('query-string');
-
-queryString.parseUrl('https://foo.bar?foo=bar');
-//=> {url: 'https://foo.bar', query: {foo: 'bar'}}
-
-queryString.parseUrl('https://foo.bar?foo=bar#xyz', {parseFragmentIdentifier: true});
-//=> {url: 'https://foo.bar', query: {foo: 'bar'}, fragmentIdentifier: 'xyz'}
-```
-*/
-export function parseUrl(url: string, options?: ParseOptions): ParsedUrl;
-
-export interface StringifyOptions {
-	/**
-	Strictly encode URI components with [`strict-uri-encode`](https://github.com/kevva/strict-uri-encode). It uses [`encodeURIComponent`](https://developer.mozilla.org/en/docs/Web/JavaScript/Reference/Global_Objects/encodeURIComponent) if set to `false`. You probably [don't care](https://github.com/sindresorhus/query-string/issues/42) about this option.
-
-	@default true
-	*/
-	readonly strict?: boolean;
-
-	/**
-	[URL encode](https://developer.mozilla.org/en/docs/Web/JavaScript/Reference/Global_Objects/encodeURIComponent) the keys and values.
-
-	@default true
-	*/
-	readonly encode?: boolean;
-
-	/**
-	@default 'none'
-
-	- `bracket`: Serialize arrays using bracket representation:
-
-		```
-		import queryString = require('query-string');
-
-		queryString.stringify({foo: [1, 2, 3]}, {arrayFormat: 'bracket'});
-		//=> 'foo[]=1&foo[]=2&foo[]=3'
-		```
-
-	- `index`: Serialize arrays using index representation:
-
-		```
-		import queryString = require('query-string');
-
-		queryString.stringify({foo: [1, 2, 3]}, {arrayFormat: 'index'});
-		//=> 'foo[0]=1&foo[1]=2&foo[2]=3'
-		```
-
-	- `comma`: Serialize arrays by separating elements with comma:
-
-		```
-		import queryString = require('query-string');
-
-		queryString.stringify({foo: [1, 2, 3]}, {arrayFormat: 'comma'});
-		//=> 'foo=1,2,3'
-
-		queryString.stringify({foo: [1, null, '']}, {arrayFormat: 'comma'});
-		//=> 'foo=1,,'
-		// Note that typing information for null values is lost
-		// and `.parse('foo=1,,')` would return `{foo: [1, '', '']}`.
-		```
-
-	- `separator`: Serialize arrays by separating elements with character:
-
-		```
-		import queryString = require('query-string');
-
-		queryString.stringify({foo: [1, 2, 3]}, {arrayFormat: 'separator', arrayFormatSeparator: '|'});
-		//=> 'foo=1|2|3'
-		```
-
-	- `bracket-separator`: Serialize arrays by explicitly post-fixing array names with brackets and separating elements with a custom character:
-
-		```
-		import queryString = require('query-string');
-
-		queryString.stringify({foo: []}, {arrayFormat: 'bracket-separator', arrayFormatSeparator: '|'});
-		//=> 'foo[]'
-
-		queryString.stringify({foo: ['']}, {arrayFormat: 'bracket-separator', arrayFormatSeparator: '|'});
-		//=> 'foo[]='
-
-		queryString.stringify({foo: [1]}, {arrayFormat: 'bracket-separator', arrayFormatSeparator: '|'});
-		//=> 'foo[]=1'
-
-		queryString.stringify({foo: [1, 2, 3]}, {arrayFormat: 'bracket-separator', arrayFormatSeparator: '|'});
-		//=> 'foo[]=1|2|3'
-
-		queryString.stringify({foo: [1, '', 3, null, null, 6]}, {arrayFormat: 'bracket-separator', arrayFormatSeparator: '|'});
-		//=> 'foo[]=1||3|||6'
-
-		queryString.stringify({foo: [1, '', 3, null, null, 6]}, {arrayFormat: 'bracket-separator', arrayFormatSeparator: '|', skipNull: true});
-		//=> 'foo[]=1||3|6'
-
-		queryString.stringify({foo: [1, 2, 3], bar: 'fluffy', baz: [4]}, {arrayFormat: 'bracket-separator', arrayFormatSeparator: '|'});
-		//=> 'foo[]=1|2|3&bar=fluffy&baz[]=4'
-		```
-
-	- `none`: Serialize arrays by using duplicate keys:
-
-		```
-		import queryString = require('query-string');
-
-		queryString.stringify({foo: [1, 2, 3]});
-		//=> 'foo=1&foo=2&foo=3'
-		```
-	*/
-	readonly arrayFormat?: 'bracket' | 'index' | 'comma' | 'separator' | 'bracket-separator' | 'none';
-
-	/**
-	The character used to separate array elements when using `{arrayFormat: 'separator'}`.
-
-	@default ,
-	*/
-	readonly arrayFormatSeparator?: string;
-
-	/**
-	Supports both `Function` as a custom sorting function or `false` to disable sorting.
-
-	If omitted, keys are sorted using `Array#sort`, which means, converting them to strings and comparing strings in Unicode code point order.
-
-	@default true
-
-	@example
-	```
-	import queryString = require('query-string');
-
-	const order = ['c', 'a', 'b'];
-
-	queryString.stringify({a: 1, b: 2, c: 3}, {
-		sort: (itemLeft, itemRight) => order.indexOf(itemLeft) - order.indexOf(itemRight)
-	});
-	//=> 'c=3&a=1&b=2'
-	```
-
-	@example
-	```
-	import queryString = require('query-string');
-
-	queryString.stringify({b: 1, c: 2, a: 3}, {sort: false});
-	//=> 'b=1&c=2&a=3'
-	```
-	*/
-	readonly sort?: ((itemLeft: string, itemRight: string) => number) | false;
-
-	/**
-	Skip keys with `null` as the value.
-
-	Note that keys with `undefined` as the value are always skipped.
-
-	@default false
-
-	@example
-	```
-	import queryString = require('query-string');
-
-	queryString.stringify({a: 1, b: undefined, c: null, d: 4}, {
-		skipNull: true
-	});
-	//=> 'a=1&d=4'
-
-	queryString.stringify({a: undefined, b: null}, {
-		skipNull: true
-	});
-	//=> ''
-	```
-	*/
-	readonly skipNull?: boolean;
-
-	/**
-	Skip keys with an empty string as the value.
-
-	@default false
-
-	@example
-	```
-	import queryString = require('query-string');
-
-	queryString.stringify({a: 1, b: '', c: '', d: 4}, {
-		skipEmptyString: true
-	});
-	//=> 'a=1&d=4'
-	```
-
-	@example
-	```
-	import queryString = require('query-string');
-
-	queryString.stringify({a: '', b: ''}, {
-		skipEmptyString: true
-	});
-	//=> ''
-	```
-	*/
-	readonly skipEmptyString?: boolean;
-}
-
-export type Stringifiable = string | boolean | number | null | undefined;
-
-export type StringifiableRecord = Record<
-	string,
-	Stringifiable | readonly Stringifiable[]
->;
-
-/**
-Stringify an object into a query string and sort the keys.
-*/
-export function stringify(
-	// TODO: Use the below instead when the following TS issues are fixed:
-	// - https://github.com/microsoft/TypeScript/issues/15300
-	// - https://github.com/microsoft/TypeScript/issues/42021
-	// Context: https://github.com/sindresorhus/query-string/issues/298
-	// object: StringifiableRecord,
-	object: Record<string, any>,
-	options?: StringifyOptions
-): string;
-
-/**
-Extract a query string from a URL that can be passed into `.parse()`.
-
-Note: This behaviour can be changed with the `skipNull` option.
-*/
-export function extract(url: string): string;
-
-export interface UrlObject {
-	readonly url: string;
-
-	/**
-	Overrides queries in the `url` property.
-	*/
-	readonly query?: StringifiableRecord;
-
-	/**
-	Overrides the fragment identifier in the `url` property.
-	*/
-	readonly fragmentIdentifier?: string;
-}
-
-/**
-Stringify an object into a URL with a query string and sorting the keys. The inverse of [`.parseUrl()`](https://github.com/sindresorhus/query-string#parseurlstring-options)
-
-Query items in the `query` property overrides queries in the `url` property.
-
-The `fragmentIdentifier` property overrides the fragment identifier in the `url` property.
-
-@example
-```
-queryString.stringifyUrl({url: 'https://foo.bar', query: {foo: 'bar'}});
-//=> 'https://foo.bar?foo=bar'
-
-queryString.stringifyUrl({url: 'https://foo.bar?foo=baz', query: {foo: 'bar'}});
-//=> 'https://foo.bar?foo=bar'
-
-queryString.stringifyUrl({
-	url: 'https://foo.bar',
-	query: {
-		top: 'foo'
-	},
-	fragmentIdentifier: 'bar'
-});
-//=> 'https://foo.bar?top=foo#bar'
-```
-*/
-export function stringifyUrl(
-	object: UrlObject,
-	options?: StringifyOptions
-): string;
-
-/**
-Pick query parameters from a URL.
-
-@param url - The URL containing the query parameters to pick.
-@param keys - The names of the query parameters to keep. All other query parameters will be removed from the URL.
-@param filter - A filter predicate that will be provided the name of each query parameter and its value. The `parseNumbers` and `parseBooleans` options also affect `value`.
-
-@returns The URL with the picked query parameters.
-
-@example
-```
-queryString.pick('https://foo.bar?foo=1&bar=2#hello', ['foo']);
-//=> 'https://foo.bar?foo=1#hello'
-
-queryString.pick('https://foo.bar?foo=1&bar=2#hello', (name, value) => value === 2, {parseNumbers: true});
-//=> 'https://foo.bar?bar=2#hello'
-```
-*/
-export function pick(
-	url: string,
-	keys: readonly string[],
-	options?: ParseOptions & StringifyOptions
-): string
-export function pick(
-	url: string,
-	filter: (key: string, value: string | boolean | number) => boolean,
-	options?: {parseBooleans: true, parseNumbers: true} & ParseOptions & StringifyOptions
-): string
-export function pick(
-	url: string,
-	filter: (key: string, value: string | boolean) => boolean,
-	options?: {parseBooleans: true} & ParseOptions & StringifyOptions
-): string
-export function pick(
-	url: string,
-	filter: (key: string, value: string | number) => boolean,
-	options?: {parseNumbers: true} & ParseOptions & StringifyOptions
-): string
-
-/**
-Exclude query parameters from a URL. Like `.pick()` but reversed.
-
-@param url - The URL containing the query parameters to exclude.
-@param keys - The names of the query parameters to remove. All other query parameters will remain in the URL.
-@param filter - A filter predicate that will be provided the name of each query parameter and its value. The `parseNumbers` and `parseBooleans` options also affect `value`.
-
-@returns The URL without the excluded the query parameters.
-
-@example
-```
-queryString.exclude('https://foo.bar?foo=1&bar=2#hello', ['foo']);
-//=> 'https://foo.bar?bar=2#hello'
-
-queryString.exclude('https://foo.bar?foo=1&bar=2#hello', (name, value) => value === 2, {parseNumbers: true});
-//=> 'https://foo.bar?foo=1#hello'
-```
-*/
-export function exclude(
-	url: string,
-	keys: readonly string[],
-	options?: ParseOptions & StringifyOptions
-): string
-export function exclude(
-	url: string,
-	filter: (key: string, value: string | boolean | number) => boolean,
-	options?: {parseBooleans: true, parseNumbers: true} & ParseOptions & StringifyOptions
-): string
-export function exclude(
-	url: string,
-	filter: (key: string, value: string | boolean) => boolean,
-	options?: {parseBooleans: true} & ParseOptions & StringifyOptions
-): string
-export function exclude(
-	url: string,
-	filter: (key: string, value: string | number) => boolean,
-	options?: {parseNumbers: true} & ParseOptions & StringifyOptions
-): string
--- a/Show More
+++ b/Show More
				`@@ -0,0 +1 @@`
				{"version":3,"file":"setup-codeql.test.js","sourceRoot":"","sources":["../src/setup-codeql.test.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;AAAA,2CAA6B;AAE7B,8CAAuB;AACvB,6CAA+B;AAE/B,4DAA8C;AAC9C,kDAAoC;AACpC,uCAA4C;AAC5C,4DAA8C;AAC9C,mDAA6C;AAC7C,iCAA+C;AAE/C,IAAA,0BAAU,EAAC,aAAI,CAAC,CAAC;AAEjB,aAAI,CAAC,UAAU,CAAC,GAAG,EAAE;IACnB,IAAA,4BAAqB,EAAC,OAAO,CAAC,CAAC;AACjC,CAAC,CAAC,CAAC;AAEH,IAAA,aAAI,EAAC,iCAAiC,EAAE,CAAC,CAAC,EAAE,EAAE;IAC5C,CAAC,CAAC,SAAS,CACT,WAAW,CAAC,mBAAmB,CAC7B,mDAAmD,CACpD,EACD,UAAU,CACX,CAAC;AACJ,CAAC,CAAC,CAAC;AAEH,IAAA,aAAI,EAAC,mBAAmB,EAAE,CAAC,CAAC,EAAE,EAAE;IAC9B,MAAM,KAAK,GAAG;QACZ,UAAU,EAAE,gBAAgB;QAC5B,YAAY,EAAE,kBAAkB;QAChC,cAAc,EAAE,cAAc;QAC9B,OAAO,EAAE,OAAO;QAChB,aAAa,EAAE,aAAa;QAC5B,cAAc,EAAE,cAAc;KAC/B,CAAC;IAEF,KAAK,MAAM,CAAC,OAAO,EAAE,eAAe,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE;QAC9D,IAAI;YACF,MAAM,aAAa,GAAG,WAAW,CAAC,eAAe,CAC/C,OAAO,EACP,IAAA,yBAAe,EAAC,IAAI,CAAC,CACtB,CAAC;YACF,CAAC,CAAC,SAAS,CAAC,aAAa,EAAE,eAAe,CAAC,CAAC;SAC7C;QAAC,OAAO,CAAC,EAAE;YACV,CAAC,CAAC,IAAI,CAAC,CAAC,YAAY,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC;SACpD;KACF;AACH,CAAC,CAAC,CAAC;AAEH,IAAA,aAAI,EAAC,2BAA2B,EAAE,CAAC,CAAC,EAAE,EAAE;IACtC,MAAM,MAAM,GAAG,IAAA,yBAAe,EAAC,IAAI,CAAC,CAAC;IAErC,IAAA,4BAAqB,EAAC,OAAO,CAAC,CAAC;IAE/B,kCAAkC;IAClC,OAAO,OAAO,CAAC,GAAG,CAAC,0BAA0B,CAAC,CAAC;IAC/C,OAAO,CAAC,GAAG,CAAC,aAAa,CAAC,GAAG,IAAI,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;IACrD,MAAM,eAAe,GAAG,WAAW,CAAC,yBAAyB,CAAC,MAAM,CAAC,CAAC;IACtE,CAAC,CAAC,SAAS,CAAC,eAAe,EAAE,sBAAsB,CAAC,CAAC;IAErD,mCAAmC;IACnC,KAAK,CAAC,IAAI,CAAC,WAAW,EAAE,sBAAsB,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC;IAC/D,OAAO,CAAC,GAAG,CAAC,0BAA0B,CAAC,GAAG,SAAS,CAAC;IACpD,MAAM,OAAO,GAAG,WAAW,CAAC,yBAAyB,CAAC,MAAM,CAAC,CAAC;IAC9D,CAAC,CAAC,SAAS,CAAC,OAAO,EAAE,SAAS,CAAC,CAAC;AAClC,CAAC,CAAC,CAAC;AAEH,IAAA,aAAI,EAAC,yEAAyE,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;IAC1F,mDAAmD;IACnD,KAAK,CAAC,IAAI,CAAC,WAAW,EAAE,sBAAsB,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;IAC/D,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,cAAc,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,CAAC;QAC3C,KAAK,EAAE;YACL,YAAY,EAAE,KAAK,CAAC,IAAI,EAAE,CAAC,QAAQ,CAAC,SAAS,CAAC;SAC/C;QACD,QAAQ,EAAE,KAAK,CAAC,IAAI,EAAE,CAAC,QAAQ,CAAC;YAC9B;gBACE,MAAM,EAAE;oBACN;wBACE,IAAI,EAAE,wBAAwB;qBAC/B;iBACF;gBACD,QAAQ,EAAE,wBAAwB;aACnC;SACF,CAAC;KACH,CAAC,CAAC,CAAC;IACJ,CAAC,CAAC,EAAE,CACF,MAAM,WAAW,CAAC,6BAA6B,CAC7C,QAAQ,EACR,IAAA,yBAAe,EAAC,IAAI,CAAC,CACtB,EACD,wBAAwB,CACzB,CAAC;AACJ,CAAC,CAAC,CAAC;AAEH,IAAA,aAAI,EAAC,iFAAiF,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;IAClG,mDAAmD;IACnD,KAAK,CAAC,IAAI,CAAC,WAAW,EAAE,sBAAsB,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;IAC/D,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,cAAc,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,CAAC;QAC3C,KAAK,EAAE;YACL,YAAY,EAAE,KAAK,CAAC,IAAI,EAAE,CAAC,QAAQ,CAAC,SAAS,CAAC;SAC/C;QACD,QAAQ,EAAE,KAAK,CAAC,IAAI,EAAE,CAAC,QAAQ,CAAC;YAC9B;gBACE,MAAM,EAAE;oBACN;wBACE,IAAI,EAAE,wBAAwB;qBAC/B;iBACF;gBACD,QAAQ,EAAE,wBAAwB;aACnC;SACF,CAAC;KACH,CAAC,CAAC,CAAC;IACJ,MAAM,CAAC,CAAC,WAAW,CACjB,KAAK,IAAI,EAAE,CACT,MAAM,WAAW,CAAC,6BAA6B,CAC7C,QAAQ,EACR,IAAA,yBAAe,EAAC,IAAI,CAAC,CACtB,EACH;QACE,OAAO,EAAE,gEAAgE;KAC1E,CACF,CAAC;AACJ,CAAC,CAAC,CAAC"}