Document regular expressions

Merge pull request #3529 from github/mbg/ts/sync-back
Convert `sync_back.py` to TypeScript
2026-05-11 16:20:35 +00:00 · 2026-03-05 16:51:15 +00:00 · 2026-03-05 12:36:22 +00:00 · 2026-03-04 16:07:10 +00:00 · 2026-03-04 15:12:33 +01:00 · 2026-03-04 13:27:40 +00:00
193 changed files with 507507 additions and 215319 deletions
@@ -4,14 +4,15 @@ updates:
    directory: "/"
    schedule:
      interval: weekly
+    cooldown:
+      default-days: 7
+      exclude:
+        - "@actions/*"
    labels:
      - Rebuild
    # Ignore incompatible dependency updates
    ignore:
-      # There is a type incompatibility issue between v0.0.9 and our other dependencies.
-      - dependency-name: "@octokit/plugin-retry"
-        versions: ["~6.0.0"]
-      # This is broken due to the way configuration files have changed. 
+      # This is broken due to the way configuration files have changed.
      # This might be fixed when we move to eslint v9.
      - dependency-name: "eslint-plugin-import"
        versions: [">=2.30.0"]
@@ -28,6 +29,10 @@ updates:
      - "/.github/actions"
    schedule:
      interval: weekly
+    cooldown:
+      default-days: 7
+      exclude:
+        - "actions/*"
    labels:
      - Rebuild
    groups:
@@ -23,13 +23,13 @@ For internal use only. Please select the risk level of this change:
 Workflow types:

 - **Advanced setup** - Impacts users who have custom CodeQL workflows.
- **Managed** - Impacts users with `dynamic` workflows (Default Setup, CCR, ...).
+- **Managed** - Impacts users with `dynamic` workflows (Default Setup, Code Quality, ...).

 Products:

 - **Code Scanning** - The changes impact analyses when `analysis-kinds: code-scanning`.
 - **Code Quality** - The changes impact analyses when `analysis-kinds: code-quality`.
- **CCR** - The changes impact analyses for Copilot Code Reviews.
+- **Other first-party** - The changes impact other first-party analyses.
 - **Third-party analyses** - The changes affect the `upload-sarif` action.

 Environments:
@@ -54,6 +54,7 @@ Environments:

 - **Feature flags** - All new or changed code paths can be fully disabled with corresponding feature flags.
 - **Rollback** - Change can only be disabled by rolling back the release or releasing a new version with a fix.
+- **Development/testing only** - This change cannot cause any failures in production.
 - **Other** - Please provide details.

 #### How will you know if something goes wrong after this change is released?
@@ -71,8 +71,9 @@ def open_pr(
    body.append('')
    body.append('Contains the following pull requests:')
    for pr in pull_requests:
-      merger = get_merger_of_pr(repo, pr)
-      body.append(f'- #{pr.number} (@{merger})')
+      # Use PR author if they are GitHub staff, otherwise use the merger
+      display_user = get_pr_author_if_staff(pr) or get_merger_of_pr(repo, pr)
+      body.append(f'- #{pr.number} (@{display_user})')

  # List all commits not part of a PR
  if len(commits_without_pull_requests) > 0:
@@ -168,6 +169,14 @@ def get_pr_for_commit(commit):
 def get_merger_of_pr(repo, pr):
  return repo.get_commit(pr.merge_commit_sha).author.login

+# Get the PR author if they are GitHub staff, otherwise None.
+def get_pr_author_if_staff(pr):
+  if pr.user is None:
+    return None
+  if getattr(pr.user, 'site_admin', False):
+    return pr.user.login
+  return None
+
 def get_current_version():
  with open('package.json', 'r') as f:
    return json.load(f)['version']
@@ -181,9 +190,9 @@ def replace_version_package_json(prev_version, new_version):
      print(line.replace(prev_version, new_version), end='')
    else:
      prev_line_is_codeql = False
-      print(line, end='') 
+      print(line, end='')
    if '\"name\": \"codeql\",' in line:
-        prev_line_is_codeql = True 
+        prev_line_is_codeql = True

 def get_today_string():
  today = datetime.datetime.today()
@@ -18,6 +18,9 @@ on:
      - synchronize
      - reopened
      - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -49,8 +52,7 @@ defaults:
    shell: bash
 concurrency:
  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group:
-    all-platform-bundle-${{github.ref}}-${{inputs.go-version}}-${{inputs.dotnet-version}}
+  group: all-platform-bundle-${{github.ref}}-${{inputs.go-version}}-${{inputs.dotnet-version}}
 jobs:
  all-platform-bundle:
    strategy:
@@ -92,7 +94,7 @@ jobs:
      - id: init
        uses: ./../action/init
        with:
-      # Swift is not supported on Ubuntu so we manually exclude it from the list here
+          # Swift is not supported on Ubuntu so we manually exclude it from the list here
          languages: cpp,csharp,go,java,javascript,python,ruby
          tools: ${{ steps.prepare-test.outputs.tools-url }}
      - name: Build code
@@ -3,7 +3,7 @@
 #     pr-checks/sync.sh
 # to regenerate this file.

-name: PR Check - Quality queries input
+name: PR Check - Analysis kinds
 env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  GO111MODULE: auto
@@ -18,6 +18,9 @@ on:
      - synchronize
      - reopened
      - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -29,9 +32,9 @@ defaults:
    shell: bash
 concurrency:
  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: quality-queries-${{github.ref}}
+  group: analysis-kinds-${{github.ref}}
 jobs:
-  quality-queries:
+  analysis-kinds:
    strategy:
      fail-fast: false
      matrix:
@@ -45,6 +48,9 @@ jobs:
          - os: ubuntu-latest
            version: linked
            analysis-kinds: code-scanning,code-quality
+          - os: ubuntu-latest
+            version: linked
+            analysis-kinds: risk-assessment
          - os: ubuntu-latest
            version: nightly-latest
            analysis-kinds: code-scanning
@@ -54,7 +60,10 @@ jobs:
          - os: ubuntu-latest
            version: nightly-latest
            analysis-kinds: code-scanning,code-quality
-    name: Quality queries input
+          - os: ubuntu-latest
+            version: nightly-latest
+            analysis-kinds: risk-assessment
+    name: Analysis kinds
    if: github.triggering_actor != 'dependabot[bot]'
    permissions:
      contents: read
@@ -78,38 +87,32 @@ jobs:
          tools: ${{ steps.prepare-test.outputs.tools-url }}
      - uses: ./../action/analyze
        with:
-          output: ${{ runner.temp }}/results
+          output: '${{ runner.temp }}/results'
          upload-database: false
-          post-processed-sarif-path: ${{ runner.temp }}/post-processed
-      - name: Upload security SARIF
-        if: contains(matrix.analysis-kinds, 'code-scanning')
+          post-processed-sarif-path: '${{ runner.temp }}/post-processed'
+
+      - name: Upload SARIF files
        uses: actions/upload-artifact@v6
        with:
          name: |
-            quality-queries-${{ matrix.os }}-${{ matrix.version }}-${{ matrix.analysis-kinds }}.sarif.json
-          path: ${{ runner.temp }}/results/javascript.sarif
-          retention-days: 7
-      - name: Upload quality SARIF
-        if: contains(matrix.analysis-kinds, 'code-quality')
-        uses: actions/upload-artifact@v6
-        with:
-          name: |
-            quality-queries-${{ matrix.os }}-${{ matrix.version }}-${{ matrix.analysis-kinds }}.quality.sarif.json
-          path: ${{ runner.temp }}/results/javascript.quality.sarif
+            analysis-kinds-${{ matrix.os }}-${{ matrix.version }}-${{ matrix.analysis-kinds }}
+          path: '${{ runner.temp }}/results/*.sarif'
          retention-days: 7
+
      - name: Upload post-processed SARIF
        uses: actions/upload-artifact@v6
        with:
          name: |
-            post-processed-${{ matrix.os }}-${{ matrix.version }}-${{ matrix.analysis-kinds }}.sarif.json
-          path: ${{ runner.temp }}/post-processed
+            post-processed-${{ matrix.os }}-${{ matrix.version }}-${{ matrix.analysis-kinds }}
+          path: '${{ runner.temp }}/post-processed'
          retention-days: 7
          if-no-files-found: error
+
      - name: Check quality query does not appear in security SARIF
        if: contains(matrix.analysis-kinds, 'code-scanning')
        uses: actions/github-script@v8
        env:
-          SARIF_PATH: ${{ runner.temp }}/results/javascript.sarif
+          SARIF_PATH: '${{ runner.temp }}/results/javascript.sarif'
          EXPECT_PRESENT: 'false'
        with:
          script: ${{ env.CHECK_SCRIPT }}
@@ -117,11 +120,12 @@ jobs:
        if: contains(matrix.analysis-kinds, 'code-quality')
        uses: actions/github-script@v8
        env:
-          SARIF_PATH: ${{ runner.temp }}/results/javascript.quality.sarif
+          SARIF_PATH: '${{ runner.temp }}/results/javascript.quality.sarif'
          EXPECT_PRESENT: 'true'
        with:
          script: ${{ env.CHECK_SCRIPT }}
    env:
+      CODEQL_ACTION_RISK_ASSESSMENT_ID: 1
      CHECK_SCRIPT: |
        const fs = require('fs');

@@ -18,6 +18,9 @@ on:
      - synchronize
      - reopened
      - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -59,8 +62,7 @@ defaults:
    shell: bash
 concurrency:
  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group:
-    analyze-ref-input-${{github.ref}}-${{inputs.go-version}}-${{inputs.python-version}}-${{inputs.dotnet-version}}
+  group: analyze-ref-input-${{github.ref}}-${{inputs.go-version}}-${{inputs.python-version}}-${{inputs.dotnet-version}}
 jobs:
  analyze-ref-input:
    strategy:
@@ -104,13 +106,12 @@ jobs:
        with:
          tools: ${{ steps.prepare-test.outputs.tools-url }}
          languages: cpp,csharp,java,javascript,python
-          config-file: ${{ github.repository }}/tests/multi-language-repo/.github/codeql/custom-queries.yml@${{
-            github.sha }}
+          config-file: ${{ github.repository }}/tests/multi-language-repo/.github/codeql/custom-queries.yml@${{ github.sha }}
      - name: Build code
        run: ./build.sh
      - uses: ./../action/analyze
        with:
-          ref: refs/heads/main
-          sha: 5e235361806c361d4d3f8859e3c897658025a9a2
+          ref: 'refs/heads/main'
+          sha: '5e235361806c361d4d3f8859e3c897658025a9a2'
    env:
      CODEQL_ACTION_TEST_MODE: true
@@ -18,6 +18,9 @@ on:
      - synchronize
      - reopened
      - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -79,7 +82,7 @@ jobs:
          tools: ${{ steps.prepare-test.outputs.tools-url }}
      - uses: ./../action/autobuild
        env:
-      # Explicitly disable the CLR tracer.
+          # Explicitly disable the CLR tracer.
          COR_ENABLE_PROFILING: ''
          COR_PROFILER: ''
          COR_PROFILER_PATH_64: ''
@@ -18,6 +18,9 @@ on:
      - synchronize
      - reopened
      - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -39,8 +42,7 @@ defaults:
    shell: bash
 concurrency:
  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group:
-    autobuild-direct-tracing-with-working-dir-${{github.ref}}-${{inputs.java-version}}
+  group: autobuild-direct-tracing-with-working-dir-${{github.ref}}-${{inputs.java-version}}
 jobs:
  autobuild-direct-tracing-with-working-dir:
    strategy:
@@ -18,6 +18,9 @@ on:
      - synchronize
      - reopened
      - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -18,6 +18,9 @@ on:
      - synchronize
      - reopened
      - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -94,7 +97,7 @@ jobs:
        id: init
        with:
          build-mode: autobuild
-          db-location: ${{ runner.temp }}/customDbLocation
+          db-location: '${{ runner.temp }}/customDbLocation'
          languages: java
          tools: ${{ steps.prepare-test.outputs.tools-url }}

@@ -18,6 +18,9 @@ on:
      - synchronize
      - reopened
      - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -49,8 +52,7 @@ defaults:
    shell: bash
 concurrency:
  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group:
-    build-mode-manual-${{github.ref}}-${{inputs.go-version}}-${{inputs.dotnet-version}}
+  group: build-mode-manual-${{github.ref}}-${{inputs.go-version}}-${{inputs.dotnet-version}}
 jobs:
  build-mode-manual:
    strategy:
@@ -89,7 +91,7 @@ jobs:
        id: init
        with:
          build-mode: manual
-          db-location: ${{ runner.temp }}/customDbLocation
+          db-location: '${{ runner.temp }}/customDbLocation'
          languages: java
          tools: ${{ steps.prepare-test.outputs.tools-url }}

@@ -18,6 +18,9 @@ on:
      - synchronize
      - reopened
      - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -61,7 +64,7 @@ jobs:
        id: init
        with:
          build-mode: none
-          db-location: ${{ runner.temp }}/customDbLocation
+          db-location: '${{ runner.temp }}/customDbLocation'
          languages: java
          tools: ${{ steps.prepare-test.outputs.tools-url }}

@@ -74,7 +77,7 @@ jobs:
            exit 1
          fi

-  # The latest nightly supports omitting the autobuild Action when the build mode is specified.
+      # The latest nightly supports omitting the autobuild Action when the build mode is specified.
      - uses: ./../action/autobuild
        if: matrix.version != 'nightly-latest'

@@ -18,6 +18,9 @@ on:
      - synchronize
      - reopened
      - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -65,7 +68,7 @@ jobs:
        id: init
        with:
          build-mode: none
-          db-location: ${{ runner.temp }}/customDbLocation
+          db-location: '${{ runner.temp }}/customDbLocation'
          languages: java
          tools: ${{ steps.prepare-test.outputs.tools-url }}

@@ -3,7 +3,7 @@
 #     pr-checks/sync.sh
 # to regenerate this file.

-name: PR Check - CCR
+name: 'PR Check - Bundle: From nightly'
 env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  GO111MODULE: auto
@@ -18,6 +18,9 @@ on:
      - synchronize
      - reopened
      - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -29,32 +32,16 @@ defaults:
    shell: bash
 concurrency:
  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: ccr-${{github.ref}}
+  group: bundle-from-nightly-${{github.ref}}
 jobs:
-  ccr:
+  bundle-from-nightly:
    strategy:
      fail-fast: false
      matrix:
        include:
-          - os: ubuntu-latest
-            version: stable-v2.17.6
-          - os: ubuntu-latest
-            version: stable-v2.18.4
-          - os: ubuntu-latest
-            version: stable-v2.19.4
-          - os: ubuntu-latest
-            version: stable-v2.20.7
-          - os: ubuntu-latest
-            version: stable-v2.21.4
-          - os: ubuntu-latest
-            version: stable-v2.22.4
-          - os: ubuntu-latest
-            version: default
          - os: ubuntu-latest
            version: linked
-          - os: ubuntu-latest
-            version: nightly-latest
-    name: CCR
+    name: 'Bundle: From nightly'
    if: github.triggering_actor != 'dependabot[bot]'
    permissions:
      contents: read
@@ -71,17 +58,15 @@ jobs:
          version: ${{ matrix.version }}
          use-all-platform-bundle: 'false'
          setup-kotlin: 'true'
-      - uses: ./../action/init
-        id: init
+      - id: init
+        uses: ./../action/init
+        env:
+          CODEQL_ACTION_FORCE_NIGHTLY: true
        with:
-          languages: javascript
          tools: ${{ steps.prepare-test.outputs.tools-url }}
-
-      - uses: ./../action/analyze
-        id: analysis
-        with:
-          upload-database: false
-
+          languages: javascript
+      - name: Fail if the CodeQL version is not a nightly
+        if: ${{ !contains(steps.init.outputs.codeql-version, '+') }}
+        run: exit 1
    env:
-      CODEQL_ACTION_ANALYSIS_KEY: dynamic/copilot-pull-request-reviewer/codeql-action-test
      CODEQL_ACTION_TEST_MODE: true
@@ -18,6 +18,9 @@ on:
      - synchronize
      - reopened
      - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -56,7 +59,7 @@ jobs:
          use-all-platform-bundle: 'false'
          setup-kotlin: 'true'
      - name: Install @actions/tool-cache
-        run: npm install @actions/tool-cache
+        run: npm install @actions/tool-cache@3
      - name: Check toolcache contains CodeQL
        continue-on-error: true
        uses: actions/github-script@v8
@@ -18,6 +18,9 @@ on:
      - synchronize
      - reopened
      - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -68,7 +71,7 @@ jobs:
            const codeqlPath = path.join(process.env['RUNNER_TOOL_CACHE'], 'CodeQL');
            fs.rmdirSync(codeqlPath, { recursive: true });
      - name: Install @actions/tool-cache
-        run: npm install @actions/tool-cache
+        run: npm install @actions/tool-cache@3
      - name: Check toolcache does not contain CodeQL
        uses: actions/github-script@v8
        with:
@@ -18,6 +18,9 @@ on:
      - synchronize
      - reopened
      - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -18,6 +18,9 @@ on:
      - synchronize
      - reopened
      - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -64,7 +67,7 @@ jobs:
        id: init
        with:
          build-mode: none
-          db-location: ${{ runner.temp }}/customDbLocation
+          db-location: '${{ runner.temp }}/customDbLocation'
          languages: javascript
          tools: ${{ steps.prepare-test.outputs.tools-url }}

@@ -18,6 +18,9 @@ on:
      - synchronize
      - reopened
      - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -64,18 +67,18 @@ jobs:
          tools: ${{ steps.prepare-test.outputs.tools-url }}
      - uses: ./../action/analyze
        with:
-          output: ${{ runner.temp }}/results
+          output: '${{ runner.temp }}/results'
          upload-database: false
      - name: Upload SARIF
        uses: actions/upload-artifact@v6
        with:
          name: config-export-${{ matrix.os }}-${{ matrix.version }}.sarif.json
-          path: ${{ runner.temp }}/results/javascript.sarif
+          path: '${{ runner.temp }}/results/javascript.sarif'
          retention-days: 7
      - name: Check config properties appear in SARIF
        uses: actions/github-script@v8
        env:
-          SARIF_PATH: ${{ runner.temp }}/results/javascript.sarif
+          SARIF_PATH: '${{ runner.temp }}/results/javascript.sarif'
        with:
          script: |
            const fs = require('fs');
@@ -18,6 +18,9 @@ on:
      - synchronize
      - reopened
      - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -18,6 +18,9 @@ on:
      - synchronize
      - reopened
      - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -18,6 +18,9 @@ on:
      - synchronize
      - reopened
      - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -18,6 +18,9 @@ on:
      - synchronize
      - reopened
      - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -18,6 +18,9 @@ on:
      - synchronize
      - reopened
      - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -75,18 +78,18 @@ jobs:
            --ready-for-status-page
      - uses: ./../action/analyze
        with:
-          output: ${{ runner.temp }}/results
+          output: '${{ runner.temp }}/results'
          upload-database: false
      - name: Upload SARIF
        uses: actions/upload-artifact@v6
        with:
          name: diagnostics-export-${{ matrix.os }}-${{ matrix.version }}.sarif.json
-          path: ${{ runner.temp }}/results/javascript.sarif
+          path: '${{ runner.temp }}/results/javascript.sarif'
          retention-days: 7
      - name: Check diagnostics appear in SARIF
        uses: actions/github-script@v8
        env:
-          SARIF_PATH: ${{ runner.temp }}/results/javascript.sarif
+          SARIF_PATH: '${{ runner.temp }}/results/javascript.sarif'
        with:
          script: |
            const fs = require('fs');
@@ -18,6 +18,9 @@ on:
      - synchronize
      - reopened
      - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -49,8 +52,7 @@ defaults:
    shell: bash
 concurrency:
  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group:
-    export-file-baseline-information-${{github.ref}}-${{inputs.go-version}}-${{inputs.dotnet-version}}
+  group: export-file-baseline-information-${{github.ref}}-${{inputs.go-version}}-${{inputs.dotnet-version}}
 jobs:
  export-file-baseline-information:
    strategy:
@@ -98,12 +100,12 @@ jobs:
        run: ./build.sh
      - uses: ./../action/analyze
        with:
-          output: ${{ runner.temp }}/results
+          output: '${{ runner.temp }}/results'
      - name: Upload SARIF
        uses: actions/upload-artifact@v6
        with:
          name: with-baseline-information-${{ matrix.os }}-${{ matrix.version }}.sarif.json
-          path: ${{ runner.temp }}/results/javascript.sarif
+          path: '${{ runner.temp }}/results/javascript.sarif'
          retention-days: 7
      - name: Check results
        run: |
@@ -125,5 +127,6 @@ jobs:
            fi
          done
    env:
+      CODEQL_ACTION_SKIP_FILE_COVERAGE_ON_PRS: false
      CODEQL_ACTION_SUBLANGUAGE_FILE_COVERAGE: true
      CODEQL_ACTION_TEST_MODE: true
@@ -18,6 +18,9 @@ on:
      - synchronize
      - reopened
      - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -18,6 +18,9 @@ on:
      - synchronize
      - reopened
      - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -48,18 +51,6 @@ jobs:
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
-  # These steps are required to initialise the `gh` cli in a container that doesn't
-  # come pre-installed with it. The reason for that is that this is later
-  # needed by the `prepare-test` workflow to find the latest release of CodeQL.
-      - name: Set up GitHub CLI
-        run: |
-          apt update
-          apt install -y curl libreadline8 gnupg2 software-properties-common zstd
-          curl -fsSL https://cli.github.com/packages/githubcli-archive-keyring.gpg | dd of=/usr/share/keyrings/githubcli-archive-keyring.gpg
-          apt-key add /usr/share/keyrings/githubcli-archive-keyring.gpg
-          apt-add-repository https://cli.github.com/packages
-          apt install -y gh
-        env: {}
      - name: Check out repository
        uses: actions/checkout@v6
      - name: Prepare test
@@ -18,6 +18,9 @@ on:
      - synchronize
      - reopened
      - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -49,8 +52,7 @@ defaults:
    shell: bash
 concurrency:
  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group:
-    go-custom-queries-${{github.ref}}-${{inputs.go-version}}-${{inputs.dotnet-version}}
+  group: go-custom-queries-${{github.ref}}-${{inputs.go-version}}-${{inputs.dotnet-version}}
 jobs:
  go-custom-queries:
    strategy:
@@ -18,6 +18,9 @@ on:
      - synchronize
      - reopened
      - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -74,7 +77,7 @@ jobs:
        with:
          languages: go
          tools: ${{ steps.prepare-test.outputs.tools-url }}
-  # Deliberately change Go after the `init` step
+      # Deliberately change Go after the `init` step
      - uses: actions/setup-go@v6
        with:
          go-version: '1.20'
@@ -82,12 +85,12 @@ jobs:
        run: go build main.go
      - uses: ./../action/analyze
        with:
-          output: ${{ runner.temp }}/results
+          output: '${{ runner.temp }}/results'
          upload-database: false
      - name: Check diagnostic appears in SARIF
        uses: actions/github-script@v8
        env:
-          SARIF_PATH: ${{ runner.temp }}/results/go.sarif
+          SARIF_PATH: '${{ runner.temp }}/results/go.sarif'
        with:
          script: |
            const fs = require('fs');
@@ -18,6 +18,9 @@ on:
      - synchronize
      - reopened
      - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -39,8 +42,7 @@ defaults:
    shell: bash
 concurrency:
  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group:
-    go-indirect-tracing-workaround-no-file-program-${{github.ref}}-${{inputs.go-version}}
+  group: go-indirect-tracing-workaround-no-file-program-${{github.ref}}-${{inputs.go-version}}
 jobs:
  go-indirect-tracing-workaround-no-file-program:
    strategy:
@@ -84,12 +86,12 @@ jobs:
        run: go build main.go
      - uses: ./../action/analyze
        with:
-          output: ${{ runner.temp }}/results
+          output: '${{ runner.temp }}/results'
          upload-database: false
      - name: Check diagnostic appears in SARIF
        uses: actions/github-script@v8
        env:
-          SARIF_PATH: ${{ runner.temp }}/results/go.sarif
+          SARIF_PATH: '${{ runner.temp }}/results/go.sarif'
        with:
          script: |
            const fs = require('fs');
@@ -18,6 +18,9 @@ on:
      - synchronize
      - reopened
      - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -18,6 +18,9 @@ on:
      - synchronize
      - reopened
      - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -18,6 +18,9 @@ on:
      - synchronize
      - reopened
      - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -18,6 +18,9 @@ on:
      - synchronize
      - reopened
      - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -18,6 +18,9 @@ on:
      - synchronize
      - reopened
      - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -47,7 +50,6 @@ jobs:
    permissions:
      contents: read
      packages: read
-
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
@@ -63,7 +65,7 @@ jobs:
      - name: Init with registries
        uses: ./../action/init
        with:
-          db-location: ${{ runner.temp }}/customDbLocation
+          db-location: '${{ runner.temp }}/customDbLocation'
          tools: ${{ steps.prepare-test.outputs.tools-url }}
          config-file: ./.github/codeql/codeql-config-registries.yml
          languages: javascript
@@ -18,6 +18,9 @@ on:
      - synchronize
      - reopened
      - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -18,6 +18,9 @@ on:
      - synchronize
      - reopened
      - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -62,12 +65,12 @@ jobs:
          tools: ${{ steps.prepare-test.outputs.tools-url }}
      - uses: ./../action/analyze
        with:
-          output: ${{ runner.temp }}/results
+          output: '${{ runner.temp }}/results'
      - name: Upload SARIF
        uses: actions/upload-artifact@v6
        with:
          name: ${{ matrix.os }}-${{ matrix.version }}.sarif.json
-          path: ${{ runner.temp }}/results/javascript.sarif
+          path: '${{ runner.temp }}/results/javascript.sarif'
          retention-days: 7
      - name: Check results
        run: |
@@ -18,6 +18,9 @@ on:
      - synchronize
      - reopened
      - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -60,7 +63,7 @@ jobs:
          languages: C#,java-kotlin,swift,typescript
          tools: ${{ steps.prepare-test.outputs.tools-url }}

-      - name: Check languages
+      - name: 'Check languages'
        run: |
          expected_languages="csharp,java,swift,javascript"
          actual_languages=$(jq -r '.languages | join(",")' "$RUNNER_TEMP"/config)
@@ -18,6 +18,9 @@ on:
      - synchronize
      - reopened
      - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -59,8 +62,7 @@ defaults:
    shell: bash
 concurrency:
  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group:
-    local-bundle-${{github.ref}}-${{inputs.go-version}}-${{inputs.python-version}}-${{inputs.dotnet-version}}
+  group: local-bundle-${{github.ref}}-${{inputs.go-version}}-${{inputs.python-version}}-${{inputs.dotnet-version}}
 jobs:
  local-bundle:
    strategy:
@@ -106,7 +108,7 @@ jobs:
      - id: init
        uses: ./../action/init
        with:
-      # Swift is not supported on Ubuntu so we manually exclude it from the list here
+          # Swift is not supported on Ubuntu so we manually exclude it from the list here
          languages: cpp,csharp,go,java,javascript,python,ruby
          tools: ./codeql-bundle-linux64.tar.zst
      - name: Build code
@@ -18,6 +18,9 @@ on:
      - synchronize
      - reopened
      - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -59,8 +62,7 @@ defaults:
    shell: bash
 concurrency:
  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group:
-    multi-language-autodetect-${{github.ref}}-${{inputs.go-version}}-${{inputs.python-version}}-${{inputs.dotnet-version}}
+  group: multi-language-autodetect-${{github.ref}}-${{inputs.go-version}}-${{inputs.python-version}}-${{inputs.dotnet-version}}
 jobs:
  multi-language-autodetect:
    strategy:
@@ -141,9 +143,8 @@ jobs:
      - uses: ./../action/init
        id: init
        with:
-          db-location: ${{ runner.temp }}/customDbLocation
-          languages: ${{ runner.os == 'Linux' && 'cpp,csharp,go,java,javascript,python,ruby'
-            || '' }}
+          db-location: '${{ runner.temp }}/customDbLocation'
+          languages: ${{ runner.os == 'Linux' && 'cpp,csharp,go,java,javascript,python,ruby' || '' }}
          tools: ${{ steps.prepare-test.outputs.tools-url }}

      - name: Build code
@@ -18,6 +18,9 @@ on:
      - synchronize
      - reopened
      - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -18,6 +18,9 @@ on:
      - synchronize
      - reopened
      - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -59,8 +62,7 @@ defaults:
    shell: bash
 concurrency:
  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group:
-    packaging-codescanning-config-inputs-js-${{github.ref}}-${{inputs.go-version}}-${{inputs.python-version}}-${{inputs.dotnet-version}}
+  group: packaging-codescanning-config-inputs-js-${{github.ref}}-${{inputs.go-version}}-${{inputs.python-version}}-${{inputs.dotnet-version}}
 jobs:
  packaging-codescanning-config-inputs-js:
    strategy:
@@ -113,7 +115,7 @@ jobs:
          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - uses: ./../action/init
        with:
-          config-file: .github/codeql/codeql-config-packaging3.yml
+          config-file: '.github/codeql/codeql-config-packaging3.yml'
          packs: +codeql-testing/codeql-pack1@1.0.0
          languages: javascript
          tools: ${{ steps.prepare-test.outputs.tools-url }}
@@ -121,15 +123,14 @@ jobs:
        run: ./build.sh
      - uses: ./../action/analyze
        with:
-          output: ${{ runner.temp }}/results
+          output: '${{ runner.temp }}/results'
          upload-database: false

      - name: Check results
        uses: ./../action/.github/actions/check-sarif
        with:
          sarif-file: ${{ runner.temp }}/results/javascript.sarif
-          queries-run:
-            javascript/example/empty-or-one-block,javascript/example/empty-or-one-block,javascript/example/other-query-block,javascript/example/two-block
+          queries-run: javascript/example/empty-or-one-block,javascript/example/empty-or-one-block,javascript/example/other-query-block,javascript/example/two-block
          queries-not-run: foo,bar

      - name: Assert Results
@@ -18,6 +18,9 @@ on:
      - synchronize
      - reopened
      - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -49,8 +52,7 @@ defaults:
    shell: bash
 concurrency:
  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group:
-    packaging-config-inputs-js-${{github.ref}}-${{inputs.go-version}}-${{inputs.dotnet-version}}
+  group: packaging-config-inputs-js-${{github.ref}}-${{inputs.go-version}}-${{inputs.dotnet-version}}
 jobs:
  packaging-config-inputs-js:
    strategy:
@@ -98,7 +100,7 @@ jobs:
          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - uses: ./../action/init
        with:
-          config-file: .github/codeql/codeql-config-packaging3.yml
+          config-file: '.github/codeql/codeql-config-packaging3.yml'
          packs: +codeql-testing/codeql-pack1@1.0.0
          languages: javascript
          tools: ${{ steps.prepare-test.outputs.tools-url }}
@@ -106,15 +108,14 @@ jobs:
        run: ./build.sh
      - uses: ./../action/analyze
        with:
-          output: ${{ runner.temp }}/results
+          output: '${{ runner.temp }}/results'
          upload-database: false

      - name: Check results
        uses: ./../action/.github/actions/check-sarif
        with:
          sarif-file: ${{ runner.temp }}/results/javascript.sarif
-          queries-run:
-            javascript/example/empty-or-one-block,javascript/example/empty-or-one-block,javascript/example/other-query-block,javascript/example/two-block
+          queries-run: javascript/example/empty-or-one-block,javascript/example/empty-or-one-block,javascript/example/other-query-block,javascript/example/two-block
          queries-not-run: foo,bar

      - name: Assert Results
@@ -18,6 +18,9 @@ on:
      - synchronize
      - reopened
      - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -49,8 +52,7 @@ defaults:
    shell: bash
 concurrency:
  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group:
-    packaging-config-js-${{github.ref}}-${{inputs.go-version}}-${{inputs.dotnet-version}}
+  group: packaging-config-js-${{github.ref}}-${{inputs.go-version}}-${{inputs.dotnet-version}}
 jobs:
  packaging-config-js:
    strategy:
@@ -98,22 +100,21 @@ jobs:
          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - uses: ./../action/init
        with:
-          config-file: .github/codeql/codeql-config-packaging.yml
+          config-file: '.github/codeql/codeql-config-packaging.yml'
          languages: javascript
          tools: ${{ steps.prepare-test.outputs.tools-url }}
      - name: Build code
        run: ./build.sh
      - uses: ./../action/analyze
        with:
-          output: ${{ runner.temp }}/results
+          output: '${{ runner.temp }}/results'
          upload-database: false

      - name: Check results
        uses: ./../action/.github/actions/check-sarif
        with:
          sarif-file: ${{ runner.temp }}/results/javascript.sarif
-          queries-run:
-            javascript/example/empty-or-one-block,javascript/example/empty-or-one-block,javascript/example/other-query-block,javascript/example/two-block
+          queries-run: javascript/example/empty-or-one-block,javascript/example/empty-or-one-block,javascript/example/other-query-block,javascript/example/two-block
          queries-not-run: foo,bar

      - name: Assert Results
@@ -18,6 +18,9 @@ on:
      - synchronize
      - reopened
      - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -49,8 +52,7 @@ defaults:
    shell: bash
 concurrency:
  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group:
-    packaging-inputs-js-${{github.ref}}-${{inputs.go-version}}-${{inputs.dotnet-version}}
+  group: packaging-inputs-js-${{github.ref}}-${{inputs.go-version}}-${{inputs.dotnet-version}}
 jobs:
  packaging-inputs-js:
    strategy:
@@ -98,7 +100,7 @@ jobs:
          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - uses: ./../action/init
        with:
-          config-file: .github/codeql/codeql-config-packaging2.yml
+          config-file: '.github/codeql/codeql-config-packaging2.yml'
          languages: javascript
          packs: codeql-testing/codeql-pack1@1.0.0, codeql-testing/codeql-pack2, codeql-testing/codeql-pack3:other-query.ql
          tools: ${{ steps.prepare-test.outputs.tools-url }}
@@ -106,14 +108,13 @@ jobs:
        run: ./build.sh
      - uses: ./../action/analyze
        with:
-          output: ${{ runner.temp }}/results
+          output: '${{ runner.temp }}/results'

      - name: Check results
        uses: ./../action/.github/actions/check-sarif
        with:
          sarif-file: ${{ runner.temp }}/results/javascript.sarif
-          queries-run:
-            javascript/example/empty-or-one-block,javascript/example/empty-or-one-block,javascript/example/other-query-block,javascript/example/two-block
+          queries-run: javascript/example/empty-or-one-block,javascript/example/empty-or-one-block,javascript/example/other-query-block,javascript/example/two-block
          queries-not-run: foo,bar

      - name: Assert Results
@@ -18,6 +18,9 @@ on:
      - synchronize
      - reopened
      - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -59,8 +62,7 @@ defaults:
    shell: bash
 concurrency:
  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group:
-    remote-config-${{github.ref}}-${{inputs.go-version}}-${{inputs.python-version}}-${{inputs.dotnet-version}}
+  group: remote-config-${{github.ref}}-${{inputs.go-version}}-${{inputs.python-version}}-${{inputs.dotnet-version}}
 jobs:
  remote-config:
    strategy:
@@ -106,8 +108,7 @@ jobs:
        with:
          tools: ${{ steps.prepare-test.outputs.tools-url }}
          languages: cpp,csharp,java,javascript,python
-          config-file: ${{ github.repository }}/tests/multi-language-repo/.github/codeql/custom-queries.yml@${{
-            github.sha }}
+          config-file: ${{ github.repository }}/tests/multi-language-repo/.github/codeql/custom-queries.yml@${{ github.sha }}
      - name: Build code
        run: ./build.sh
      - uses: ./../action/analyze
@@ -18,6 +18,9 @@ on:
      - synchronize
      - reopened
      - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -81,8 +84,7 @@ jobs:
          language: javascript-typescript

      - name: Fail if JavaScript/TypeScript configuration present
-        if:
-          fromJSON(steps.resolve-environment-js.outputs.environment).configuration.javascript
+        if: fromJSON(steps.resolve-environment-js.outputs.environment).configuration.javascript
        run: exit 1
    env:
      CODEQL_ACTION_TEST_MODE: true
@@ -18,6 +18,9 @@ on:
      - synchronize
      - reopened
      - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -56,7 +59,7 @@ jobs:
          use-all-platform-bundle: 'false'
          setup-kotlin: 'true'
      - name: Set up Ruby
-        uses: ruby/setup-ruby@80740b3b13bf9857e28854481ca95a84e78a2bdf # v1.284.0
+        uses: ruby/setup-ruby@09a7688d3b55cf0e976497ff046b70949eeaccfd # v1.288.0
        with:
          ruby-version: 2.6
      - name: Install Code Scanning integration
@@ -18,6 +18,9 @@ on:
      - synchronize
      - reopened
      - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -18,6 +18,9 @@ on:
      - synchronize
      - reopened
      - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -18,6 +18,9 @@ on:
      - synchronize
      - reopened
      - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -96,7 +99,7 @@ jobs:
          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - uses: ./../action/init
        with:
-          config-file: .github/codeql/codeql-config-packaging3.yml
+          config-file: '.github/codeql/codeql-config-packaging3.yml'
          packs: +codeql-testing/codeql-pack1@1.0.0
          languages: javascript
          tools: ${{ steps.prepare-test.outputs.tools-url }}
@@ -105,7 +108,7 @@ jobs:
      - uses: ./../action/analyze
        with:
          skip-queries: true
-          output: ${{ runner.temp }}/results
+          output: '${{ runner.temp }}/results'
          upload-database: false

      - name: Assert No Results
@@ -116,7 +119,7 @@ jobs:
          fi
      - uses: ./../action/analyze
        with:
-          output: ${{ runner.temp }}/results
+          output: '${{ runner.temp }}/results'
          upload-database: false
      - name: Assert Results
        run: |
@@ -18,6 +18,9 @@ on:
      - synchronize
      - reopened
      - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -68,8 +71,7 @@ jobs:
        id: proxy
        uses: ./../action/start-proxy
        with:
-          registry_secrets: '[{ "type": "nuget_feed", "url": "https://api.nuget.org/v3/index.json"
-            }]'
+          registry_secrets: '[{ "type": "nuget_feed", "url": "https://api.nuget.org/v3/index.json" }]'

      - name: Print proxy outputs
        run: |
@@ -78,8 +80,7 @@ jobs:
          echo "${{ steps.proxy.outputs.proxy_urls }}"

      - name: Fail if proxy outputs are not set
-        if: (!steps.proxy.outputs.proxy_host) || (!steps.proxy.outputs.proxy_port)
-          || (!steps.proxy.outputs.proxy_ca_certificate) || (!steps.proxy.outputs.proxy_urls)
+        if: (!steps.proxy.outputs.proxy_host) || (!steps.proxy.outputs.proxy_port) || (!steps.proxy.outputs.proxy_ca_certificate) || (!steps.proxy.outputs.proxy_urls)
        run: exit 1
    env:
      CODEQL_ACTION_TEST_MODE: true
@@ -18,6 +18,9 @@ on:
      - synchronize
      - reopened
      - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -46,8 +49,7 @@ jobs:
    if: github.triggering_actor != 'dependabot[bot]'
    permissions:
      contents: read
-      security-events: write # needed to upload the SARIF file
-
+      security-events: write
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
@@ -66,26 +68,20 @@ jobs:
          languages: javascript
          tools: ${{ steps.prepare-test.outputs.tools-url }}
      - name: Fail
-    # We want this job to pass if the Action correctly uploads the SARIF file for
-    # the failed run.
-    # Setting this step to continue on error means that it is marked as completing
-    # successfully, so will not fail the job.
+        # We want this job to pass if the Action correctly uploads the SARIF file for
+        # the failed run.
+        # Setting this step to continue on error means that it is marked as completing
+        # successfully, so will not fail the job.
        continue-on-error: true
        run: exit 1
      - uses: ./analyze
-    # In a real workflow, this step wouldn't run. Since we used `continue-on-error`
-    # above, we manually disable it with an `if` condition.
+        # In a real workflow, this step wouldn't run. Since we used `continue-on-error`
+        # above, we manually disable it with an `if` condition.
        if: false
        with:
-          category: /test-codeql-version:${{ matrix.version }}
+          category: '/test-codeql-version:${{ matrix.version }}'
    env:
-  # Internal-only environment variable used to indicate that the post-init Action
-  # should expect to upload a SARIF file for the failed run.
      CODEQL_ACTION_EXPECT_UPLOAD_FAILED_SARIF: true
-  # Make sure the uploading SARIF files feature is enabled.
      CODEQL_ACTION_UPLOAD_FAILED_SARIF: true
-  # Upload the failed SARIF file as an integration test of the API endpoint.
      CODEQL_ACTION_TEST_MODE: false
-  # Mark telemetry for this workflow so it can be treated separately.
      CODEQL_ACTION_TESTING_ENVIRONMENT: codeql-action-pr-checks
-
@@ -18,6 +18,9 @@ on:
      - synchronize
      - reopened
      - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -18,6 +18,9 @@ on:
      - synchronize
      - reopened
      - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -49,8 +52,7 @@ defaults:
    shell: bash
 concurrency:
  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group:
-    swift-custom-build-${{github.ref}}-${{inputs.go-version}}-${{inputs.dotnet-version}}
+  group: swift-custom-build-${{github.ref}}-${{inputs.go-version}}-${{inputs.dotnet-version}}
 jobs:
  swift-custom-build:
    strategy:
@@ -18,6 +18,9 @@ on:
      - synchronize
      - reopened
      - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -59,8 +62,7 @@ defaults:
    shell: bash
 concurrency:
  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group:
-    unset-environment-${{github.ref}}-${{inputs.go-version}}-${{inputs.python-version}}-${{inputs.dotnet-version}}
+  group: unset-environment-${{github.ref}}-${{inputs.go-version}}-${{inputs.python-version}}-${{inputs.dotnet-version}}
 jobs:
  unset-environment:
    strategy:
@@ -106,7 +108,7 @@ jobs:
        id: init
        with:
          db-location: ${{ runner.temp }}/customDbLocation
-      # Swift is not supported on Ubuntu so we manually exclude it from the list here
+          # Swift is not supported on Ubuntu so we manually exclude it from the list here
          languages: cpp,csharp,go,java,javascript,python,ruby
          tools: ${{ steps.prepare-test.outputs.tools-url }}
      - name: Build code
@@ -18,6 +18,9 @@ on:
      - synchronize
      - reopened
      - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -59,8 +62,7 @@ defaults:
    shell: bash
 concurrency:
  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group:
-    upload-ref-sha-input-${{github.ref}}-${{inputs.go-version}}-${{inputs.python-version}}-${{inputs.dotnet-version}}
+  group: upload-ref-sha-input-${{github.ref}}-${{inputs.go-version}}-${{inputs.python-version}}-${{inputs.dotnet-version}}
 jobs:
  upload-ref-sha-input:
    strategy:
@@ -104,19 +106,18 @@ jobs:
        with:
          tools: ${{ steps.prepare-test.outputs.tools-url }}
          languages: cpp,csharp,java,javascript,python
-          config-file: ${{ github.repository }}/tests/multi-language-repo/.github/codeql/custom-queries.yml@${{
-            github.sha }}
+          config-file: ${{ github.repository }}/tests/multi-language-repo/.github/codeql/custom-queries.yml@${{ github.sha }}
      - name: Build code
        run: ./build.sh
-  # Generate some SARIF we can upload with the upload-sarif step
+      # Generate some SARIF we can upload with the upload-sarif step
      - uses: ./../action/analyze
        with:
-          ref: refs/heads/main
-          sha: 5e235361806c361d4d3f8859e3c897658025a9a2
+          ref: 'refs/heads/main'
+          sha: '5e235361806c361d4d3f8859e3c897658025a9a2'
          upload: never
      - uses: ./../action/upload-sarif
        with:
-          ref: refs/heads/main
-          sha: 5e235361806c361d4d3f8859e3c897658025a9a2
+          ref: 'refs/heads/main'
+          sha: '5e235361806c361d4d3f8859e3c897658025a9a2'
    env:
      CODEQL_ACTION_TEST_MODE: true
@@ -18,6 +18,9 @@ on:
      - synchronize
      - reopened
      - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -59,8 +62,7 @@ defaults:
    shell: bash
 concurrency:
  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group:
-    upload-sarif-${{github.ref}}-${{inputs.go-version}}-${{inputs.python-version}}-${{inputs.dotnet-version}}
+  group: upload-sarif-${{github.ref}}-${{inputs.go-version}}-${{inputs.python-version}}-${{inputs.dotnet-version}}
 jobs:
  upload-sarif:
    strategy:
@@ -114,11 +116,11 @@ jobs:
          analysis-kinds: ${{ matrix.analysis-kinds }}
      - name: Build code
        run: ./build.sh
-  # Generate some SARIF we can upload with the upload-sarif step
+      # Generate some SARIF we can upload with the upload-sarif step
      - uses: ./../action/analyze
        with:
-          ref: refs/heads/main
-          sha: 5e235361806c361d4d3f8859e3c897658025a9a2
+          ref: 'refs/heads/main'
+          sha: '5e235361806c361d4d3f8859e3c897658025a9a2'
          upload: never
          output: ${{ runner.temp }}/results

@@ -127,15 +129,15 @@ jobs:
        uses: ./../action/upload-sarif
        id: upload-sarif
        with:
-          ref: refs/heads/main
-          sha: 5e235361806c361d4d3f8859e3c897658025a9a2
+          ref: 'refs/heads/main'
+          sha: '5e235361806c361d4d3f8859e3c897658025a9a2'
          sarif_file: ${{ runner.temp }}/results
          category: |
            ${{ github.workflow }}:upload-sarif/analysis-kinds:${{ matrix.analysis-kinds }}/os:${{ matrix.os }}/version:${{ matrix.version }}/test:all-files/
-      - name: Fail for missing output from `upload-sarif` step for `code-scanning`
+      - name: 'Fail for missing output from `upload-sarif` step for `code-scanning`'
        if: contains(matrix.analysis-kinds, 'code-scanning') && !(fromJSON(steps.upload-sarif.outputs.sarif-ids).code-scanning)
        run: exit 1
-      - name: Fail for missing output from `upload-sarif` step for `code-quality`
+      - name: 'Fail for missing output from `upload-sarif` step for `code-quality`'
        if: contains(matrix.analysis-kinds, 'code-quality') && !(fromJSON(steps.upload-sarif.outputs.sarif-ids).code-quality)
        run: exit 1

@@ -144,28 +146,26 @@ jobs:
        id: upload-single-sarif-code-scanning
        if: contains(matrix.analysis-kinds, 'code-scanning')
        with:
-          ref: refs/heads/main
-          sha: 5e235361806c361d4d3f8859e3c897658025a9a2
+          ref: 'refs/heads/main'
+          sha: '5e235361806c361d4d3f8859e3c897658025a9a2'
          sarif_file: ${{ runner.temp }}/results/javascript.sarif
          category: |
            ${{ github.workflow }}:upload-sarif/analysis-kinds:${{ matrix.analysis-kinds }}/os:${{ matrix.os }}/version:${{ matrix.version }}/test:single-code-scanning/
-      - name: Fail for missing output from `upload-single-sarif-code-scanning` step
-        if: contains(matrix.analysis-kinds, 'code-scanning') &&
-          !(fromJSON(steps.upload-single-sarif-code-scanning.outputs.sarif-ids).code-scanning)
+      - name: 'Fail for missing output from `upload-single-sarif-code-scanning` step'
+        if: contains(matrix.analysis-kinds, 'code-scanning') && !(fromJSON(steps.upload-single-sarif-code-scanning.outputs.sarif-ids).code-scanning)
        run: exit 1
      - name: Upload single SARIF file for Code Quality
        uses: ./../action/upload-sarif
        id: upload-single-sarif-code-quality
        if: contains(matrix.analysis-kinds, 'code-quality')
        with:
-          ref: refs/heads/main
-          sha: 5e235361806c361d4d3f8859e3c897658025a9a2
+          ref: 'refs/heads/main'
+          sha: '5e235361806c361d4d3f8859e3c897658025a9a2'
          sarif_file: ${{ runner.temp }}/results/javascript.quality.sarif
          category: |
            ${{ github.workflow }}:upload-sarif/analysis-kinds:${{ matrix.analysis-kinds }}/os:${{ matrix.os }}/version:${{ matrix.version }}/test:single-code-quality/
-      - name: Fail for missing output from `upload-single-sarif-code-quality` step
-        if: contains(matrix.analysis-kinds, 'code-quality') &&
-          !(fromJSON(steps.upload-single-sarif-code-quality.outputs.sarif-ids).code-quality)
+      - name: 'Fail for missing output from `upload-single-sarif-code-quality` step'
+        if: contains(matrix.analysis-kinds, 'code-quality') && !(fromJSON(steps.upload-single-sarif-code-quality.outputs.sarif-ids).code-quality)
        run: exit 1

      - name: Change SARIF file extension
@@ -176,12 +176,12 @@ jobs:
        id: upload-single-non-sarif
        if: contains(matrix.analysis-kinds, 'code-scanning')
        with:
-          ref: refs/heads/main
-          sha: 5e235361806c361d4d3f8859e3c897658025a9a2
+          ref: 'refs/heads/main'
+          sha: '5e235361806c361d4d3f8859e3c897658025a9a2'
          sarif_file: ${{ runner.temp }}/results/javascript.sarif.json
          category: |
            ${{ github.workflow }}:upload-sarif/analysis-kinds:${{ matrix.analysis-kinds }}/os:${{ matrix.os }}/version:${{ matrix.version }}/test:non-sarif/
-      - name: Fail for missing output from `upload-single-non-sarif` step
+      - name: 'Fail for missing output from `upload-single-non-sarif` step'
        if: contains(matrix.analysis-kinds, 'code-scanning') && !(fromJSON(steps.upload-single-non-sarif.outputs.sarif-ids).code-scanning)
        run: exit 1
    env:
@@ -18,6 +18,9 @@ on:
      - synchronize
      - reopened
      - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -59,8 +62,7 @@ defaults:
    shell: bash
 concurrency:
  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group:
-    with-checkout-path-${{github.ref}}-${{inputs.go-version}}-${{inputs.python-version}}-${{inputs.dotnet-version}}
+  group: with-checkout-path-${{github.ref}}-${{inputs.go-version}}-${{inputs.python-version}}-${{inputs.dotnet-version}}
 jobs:
  with-checkout-path:
    strategy:
@@ -77,6 +79,7 @@ jobs:
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
+      # This ensures we don't accidentally use the original checkout for any part of the test.
      - name: Check out repository
        uses: actions/checkout@v6
      - name: Prepare test
@@ -106,8 +109,8 @@ jobs:
          # Actions does not support deleting the current working directory, so we
          # delete the contents of the directory instead.
          rm -rf ./* .github .git
-  # Check out the actions repo again, but at a different location.
-  # choose an arbitrary SHA so that we can later test that the commit_oid is not from main
+      # Check out the actions repo again, but at a different location.
+      # choose an arbitrary SHA so that we can later test that the commit_oid is not from main
      - uses: actions/checkout@v6
        with:
          ref: 474bbf07f9247ffe1856c6a0f94aeeb10e7afee6
@@ -116,7 +119,7 @@ jobs:
      - uses: ./../action/init
        with:
          tools: ${{ steps.prepare-test.outputs.tools-url }}
-      # it's enough to test one compiled language and one interpreted language
+          # it's enough to test one compiled language and one interpreted language
          languages: csharp,javascript
          source-root: x/y/z/some-path/tests/multi-language-repo

@@ -7,6 +7,8 @@ on:
    # Run checks on reopened draft PRs to support triggering PR checks on draft PRs that were opened
    # by other workflows.
    types: [opened, synchronize, reopened, ready_for_review]
+  merge_group:
+    types: [checks_requested]
  schedule:
    # Weekly on Sunday.
    - cron: '30 1 * * 0'
@@ -29,34 +31,29 @@ jobs:

    permissions:
      contents: read
+      # We currently need `security-events: read` to access feature flags.
+      security-events: read

    steps:
    - uses: actions/checkout@v6
-    - name: Init with default CodeQL bundle from the VM image
-      id: init-default
-      uses: ./init
-      with:
-        languages: javascript
-    - name: Remove empty database
-      # allows us to run init a second time
-      run: |
-        rm -rf "$RUNNER_TEMP/codeql_databases"
-    - name: Init with latest CodeQL bundle
-      id: init-latest
-      uses: ./init
+    - name: Set up default CodeQL bundle
+      id: setup-default
+      uses: ./setup-codeql
+    - name: Set up linked CodeQL bundle
+      id: setup-linked
+      uses: ./setup-codeql
      with:
        tools: linked
-        languages: javascript
-    - name: Compare default and latest CodeQL bundle versions
+    - name: Compare default and linked CodeQL bundle versions
      id: compare
      env:
-        CODEQL_DEFAULT: ${{ steps.init-default.outputs.codeql-path }}
-        CODEQL_LATEST: ${{ steps.init-latest.outputs.codeql-path }}
+        CODEQL_DEFAULT: ${{ steps.setup-default.outputs.codeql-path }}
+        CODEQL_LINKED: ${{ steps.setup-linked.outputs.codeql-path }}
      run: |
        CODEQL_VERSION_DEFAULT="$("$CODEQL_DEFAULT" version --format terse)"
-        CODEQL_VERSION_LATEST="$("$CODEQL_LATEST" version --format terse)"
+        CODEQL_VERSION_LINKED="$("$CODEQL_LINKED" version --format terse)"
        echo "Default CodeQL bundle version is $CODEQL_VERSION_DEFAULT"
-        echo "Latest CodeQL bundle version is $CODEQL_VERSION_LATEST"
+        echo "Linked CodeQL bundle version is $CODEQL_VERSION_LINKED"

        # If we're running on a pull request, run with both bundles, even if `tools: linked` would
        # be the same as `tools: null`. This allows us to make the job for each of the bundles a
@@ -64,7 +61,7 @@ jobs:
        #
        # If we're running on push or schedule, then we can skip running with `tools: linked` when it would be
        # the same as running with `tools: null`.
-        if [[ "$GITHUB_EVENT_NAME" != "pull_request" && "$CODEQL_VERSION_DEFAULT" == "$CODEQL_VERSION_LATEST" ]]; then
+        if [[ "$GITHUB_EVENT_NAME" != "pull_request" && "$GITHUB_EVENT_NAME" != "merge_group" && "$CODEQL_VERSION_DEFAULT" == "$CODEQL_VERSION_LINKED" ]]; then
          VERSIONS_JSON='[null]'
        else
          VERSIONS_JSON='[null, "linked"]'
@@ -108,7 +105,7 @@ jobs:
      uses: ./analyze
      with:
        category: "/language:javascript"
-        upload: ${{ (matrix.os == 'ubuntu-24.04' && !matrix.tools && 'always') || 'never' }}
+        upload: ${{ (matrix.os == 'ubuntu-24.04' && !matrix.tools && github.event_name != 'merge_group' && 'always' ) || 'never' }}

  analyze-other:
    if: github.triggering_actor != 'dependabot[bot]'
@@ -143,3 +140,4 @@ jobs:
      uses: ./analyze
      with:
        category: "/language:${{ matrix.language }}"
+        upload: ${{ (github.event_name != 'merge_group' && 'always') || 'never' }}
@@ -11,6 +11,8 @@ env:
  CODEQL_ACTION_OVERLAY_ANALYSIS: true
  CODEQL_ACTION_OVERLAY_ANALYSIS_JAVASCRIPT: false
  CODEQL_ACTION_OVERLAY_ANALYSIS_CODE_SCANNING_JAVASCRIPT: true
+  CODEQL_ACTION_OVERLAY_ANALYSIS_STATUS_CHECK: false
+  CODEQL_ACTION_OVERLAY_ANALYSIS_SKIP_RESOURCE_CHECKS: true

 on:
  push:
@@ -23,9 +25,11 @@ on:
    - synchronize
    - reopened
    - ready_for_review
+  merge_group:
+    types: [checks_requested]
  schedule:
    - cron: '0 5 * * *'
-  workflow_dispatch: {}
+  workflow_dispatch:

 defaults:
  run:
@@ -14,9 +14,11 @@ on:
    - synchronize
    - reopened
    - ready_for_review
+  merge_group:
+    types: [checks_requested]
  schedule:
    - cron: '0 5 * * *'
-  workflow_dispatch: {}
+  workflow_dispatch:

 defaults:
  run:
@@ -39,6 +41,8 @@ jobs:
      CODEQL_ACTION_TEST_MODE: true
    permissions:
      contents: read
+      # We currently need `security-events: read` to access feature flags.
+      security-events: read
    timeout-minutes: 45
    runs-on: ubuntu-latest
    steps:
@@ -13,9 +13,11 @@ on:
    - synchronize
    - reopened
    - ready_for_review
+  merge_group:
+    types: [checks_requested]
  schedule:
    - cron: '0 5 * * *'
-  workflow_dispatch: {}
+  workflow_dispatch:

 defaults:
  run:
@@ -38,6 +40,8 @@ jobs:
    timeout-minutes: 45
    permissions:
      contents: read
+      # We currently need `security-events: read` to access feature flags.
+      security-events: read
    runs-on: ubuntu-latest
    steps:
      - name: Check out repository
@@ -17,6 +17,7 @@ jobs:
  sizeup:
    name: Label PR with size
    runs-on: ubuntu-slim
+    if: github.event.pull_request.merged != true

    steps:
      - name: Run sizeup
@@ -6,6 +6,8 @@ on:
    # Run checks on reopened draft PRs to support triggering PR checks on draft PRs that were opened
    # by other workflows.
    types: [opened, synchronize, reopened, ready_for_review]
+  merge_group:
+    types: [checks_requested]
  workflow_dispatch:

 defaults:
@@ -40,11 +42,6 @@ jobs:
          node-version: ${{ matrix.node-version }}
          cache: 'npm'

-      - name: Set up Python
-        uses: actions/setup-python@v6
-        with:
-          python-version: 3.11
-
      - name: Install dependencies
        run: |
          # Use the system Bash shell to ensure we can run commands like `npm ci`
@@ -66,7 +63,7 @@ jobs:
      - name: Run pr-checks tests
        if: always()
        working-directory: pr-checks
-        run: python -m unittest discover
+        run: npm ci && npx tsx --test

      - name: Lint
        if: always() && matrix.os != 'windows-latest'
@@ -80,7 +77,7 @@ jobs:
          category: eslint

  check-node-version:
-    if: github.event.pull_request && github.triggering_actor != 'dependabot[bot]'
+    if: github.triggering_actor != 'dependabot[bot]'
    name: Check Action Node versions
    runs-on: ubuntu-latest
    timeout-minutes: 45
@@ -7,6 +7,8 @@ on:
    # Run checks on reopened draft PRs to support triggering PR checks on draft PRs that were opened
    # by other workflows.
    types: [opened, synchronize, reopened, ready_for_review]
+  merge_group:
+    types: [checks_requested]
  schedule:
    # Weekly on Monday.
    - cron: '0 0 * * 1'
@@ -24,6 +26,8 @@ jobs:
    timeout-minutes: 45
    permissions:
      contents: read
+      # We currently need `security-events: read` to access feature flags.
+      security-events: read
    runs-on: windows-latest

    steps:
@@ -11,9 +11,11 @@ on:
    - synchronize
    - reopened
    - ready_for_review
+  merge_group:
+    types: [checks_requested]
  schedule:
    - cron: '0 5 * * *'
-  workflow_dispatch: {}
+  workflow_dispatch:

 defaults:
  run:
@@ -73,24 +73,17 @@ jobs:
          npm run lint -- --fix
          npm run build

-      - name: Set up Python
-        uses: actions/setup-python@v6
-        with:
-          python-version: 3.11
-
      - name: Sync back version updates to generated workflows
        # Only sync back versions on Dependabot update PRs
        if: startsWith(env.HEAD_REF, 'dependabot/')
        working-directory: pr-checks
        run: |
-          python3 sync_back.py -v
+          npm ci
+          npx tsx sync_back.ts --verbose

      - name: Generate workflows
        working-directory: pr-checks
-        run: |
-          python -m pip install --upgrade pip
-          pip install ruamel.yaml==0.17.31
-          python3 sync.py
+        run: ./sync.sh

      - name: "Merge in progress: Finish merge and push"
        if: steps.merge.outputs.merge-in-progress == 'true'
@@ -111,7 +104,7 @@ jobs:
            # Otherwise, just commit the changes.
            if git rev-parse --verify MERGE_HEAD >/dev/null 2>&1; then
              echo "In progress merge detected, finishing it up."
-              git merge --continue
+              git merge --continue --no-edit
            else
              echo "No in-progress merge detected, committing changes."
              git commit -m "Rebuild"
@@ -29,7 +29,7 @@ fi
 echo "Getting checks for $GITHUB_SHA"

 # Ignore any checks with "https://", CodeQL, LGTM, Update, and ESLint checks.
-CHECKS="$(gh api repos/github/codeql-action/commits/"${GITHUB_SHA}"/check-runs --paginate | jq --slurp --compact-output --raw-output '[.[].check_runs.[] | select(.conclusion != "skipped") | .name | select(contains("https://") or . == "CodeQL" or . == "Dependabot" or . == "check-expected-release-files" or contains("Update") or contains("ESLint") or contains("update") or contains("test-setup-python-scripts") or . == "Agent" or . == "Cleanup artifacts" or . == "Prepare" or . == "Upload results" | not)] | unique | sort')"
+CHECKS="$(gh api repos/github/codeql-action/commits/"${GITHUB_SHA}"/check-runs --paginate | jq --slurp --compact-output --raw-output '[.[].check_runs.[] | select(.conclusion != "skipped") | .name | select(contains("https://") or . == "CodeQL" or . == "Dependabot" or . == "check-expected-release-files" or contains("Update") or contains("ESLint") or contains("update") or contains("test-setup-python-scripts") or . == "Agent" or . == "Cleanup artifacts" or . == "Prepare" or . == "Upload results" or . == "Label PR with size" | not)] | unique | sort')"

 echo "$CHECKS" | jq

@@ -19,7 +19,7 @@ if [ ! -z "$(git status --porcelain)" ]; then
    # If we get a fail here then the PR needs attention
    git diff
    git status
-    >&2 echo "Failed: PR checks are not up to date. Run 'cd pr-checks && python3 sync.py' to update"
+    >&2 echo "Failed: PR checks are not up to date. Run 'cd pr-checks && ./sync.sh' to update"

    echo "### Generated workflows diff" >> $GITHUB_STEP_SUMMARY
    echo "" >> $GITHUB_STEP_SUMMARY
@@ -13,9 +13,11 @@ on:
    - synchronize
    - reopened
    - ready_for_review
+  merge_group:
+    types: [checks_requested]
  schedule:
    - cron: '0 5 * * *'
-  workflow_dispatch: {}
+  workflow_dispatch:
 defaults:
  run:
    shell: bash
@@ -57,6 +57,24 @@ jobs:
      - name: Update bundle
        uses: ./.github/actions/update-bundle

+      - name: Bump Action minor version if new CodeQL minor version series
+        id: bump-action-version
+        run: |
+          prior_cli_version=$(jq -r '.priorCliVersion' src/defaults.json)
+          cli_version=$(jq -r '.cliVersion' src/defaults.json)
+
+          prior_minor=$(echo "$prior_cli_version" | cut -d. -f2)
+          current_minor=$(echo "$cli_version" | cut -d. -f2)
+
+          if [[ "$current_minor" != "$prior_minor" ]]; then
+            echo "New CodeQL minor version series ($prior_cli_version -> $cli_version), bumping Action minor version"
+            npm version minor --no-git-tag-version
+            echo "bumped=true" >> "$GITHUB_OUTPUT"
+          else
+            echo "Same minor version series ($prior_cli_version -> $cli_version), skipping Action version bump"
+            echo "bumped=false" >> "$GITHUB_OUTPUT"
+          fi
+
      - name: Rebuild Action
        run: npm run build

@@ -71,11 +89,19 @@ jobs:
      - name: Open pull request
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          ACTION_VERSION_BUMPED: ${{ steps.bump-action-version.outputs.bumped }}
        run: |
          cli_version=$(jq -r '.cliVersion' src/defaults.json)
+          action_version=$(jq -r '.version' package.json)
+
+          pr_body="This pull request updates the default CodeQL bundle, as used with \`tools: linked\` and on GHES, to $cli_version."
+          if [[ "$ACTION_VERSION_BUMPED" == "true" ]]; then
+            pr_body+=$'\n\n'"Since this is a new CodeQL minor version series, this PR also bumps the Action version to $action_version."
+          fi
+
          pr_url=$(gh pr create \
            --title "Update default bundle to $cli_version" \
-            --body "This pull request updates the default CodeQL bundle, as used with \`tools: linked\` and on GHES, to $cli_version." \
+            --body "$pr_body" \
            --assignee "$GITHUB_ACTOR" \
            --draft \
          )
@@ -4,6 +4,41 @@ See the [releases page](https://github.com/github/codeql-action/releases) for th

 ## [UNRELEASED]

+No user facing changes.
+
+## 4.32.5 - 02 Mar 2026
+
+- Repositories owned by an organization can now set up the `github-codeql-disable-overlay` custom repository property to disable [improved incremental analysis for CodeQL](https://github.com/github/roadmap/issues/1158). First, create a custom repository property with the name `github-codeql-disable-overlay` and the type "True/false" in the organization's settings. Then in the repository's settings, set this property to `true` to disable improved incremental analysis. For more information, see [Managing custom properties for repositories in your organization](https://docs.github.com/en/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization). This feature is not yet available on GitHub Enterprise Server. [#3507](https://github.com/github/codeql-action/pull/3507)
+- Added an experimental change so that when [improved incremental analysis](https://github.com/github/roadmap/issues/1158) fails on a runner — potentially due to insufficient disk space — the failure is recorded in the Actions cache so that subsequent runs will automatically skip improved incremental analysis until something changes (e.g. a larger runner is provisioned or a new CodeQL version is released). We expect to roll this change out to everyone in March. [#3487](https://github.com/github/codeql-action/pull/3487)
+- The minimum memory check for improved incremental analysis is now skipped for CodeQL 2.24.3 and later, which has reduced peak RAM usage. [#3515](https://github.com/github/codeql-action/pull/3515)
+- Reduced log levels for best-effort private package registry connection check failures to reduce noise from workflow annotations. [#3516](https://github.com/github/codeql-action/pull/3516)
+- Added an experimental change which lowers the minimum disk space requirement for [improved incremental analysis](https://github.com/github/roadmap/issues/1158), enabling it to run on standard GitHub Actions runners. We expect to roll this change out to everyone in March. [#3498](https://github.com/github/codeql-action/pull/3498)
+- Added an experimental change which allows the `start-proxy` action to resolve the CodeQL CLI version from feature flags instead of using the linked CLI bundle version. We expect to roll this change out to everyone in March. [#3512](https://github.com/github/codeql-action/pull/3512)
+- The previously experimental changes from versions 4.32.3, 4.32.4, 3.32.3 and 3.32.4 are now enabled by default. [#3503](https://github.com/github/codeql-action/pull/3503), [#3504](https://github.com/github/codeql-action/pull/3504)
+
+## 4.32.4 - 20 Feb 2026
+
+- Update default CodeQL bundle version to [2.24.2](https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.24.2). [#3493](https://github.com/github/codeql-action/pull/3493)
+- Added an experimental change which improves how certificates are generated for the authentication proxy that is used by the CodeQL Action in Default Setup when [private package registries are configured](https://docs.github.com/en/code-security/how-tos/secure-at-scale/configure-organization-security/manage-usage-and-access/giving-org-access-private-registries). This is expected to generate more widely compatible certificates and should have no impact on analyses which are working correctly already. We expect to roll this change out to everyone in February. [#3473](https://github.com/github/codeql-action/pull/3473)
+- When the CodeQL Action is run [with debugging enabled in Default Setup](https://docs.github.com/en/code-security/how-tos/scan-code-for-vulnerabilities/troubleshooting/troubleshooting-analysis-errors/logs-not-detailed-enough#creating-codeql-debugging-artifacts-for-codeql-default-setup) and [private package registries are configured](https://docs.github.com/en/code-security/how-tos/secure-at-scale/configure-organization-security/manage-usage-and-access/giving-org-access-private-registries), the "Setup proxy for registries" step will output additional diagnostic information that can be used for troubleshooting. [#3486](https://github.com/github/codeql-action/pull/3486)
+- Added a setting which allows the CodeQL Action to enable network debugging for Java programs. This will help GitHub staff support customers with troubleshooting issues in GitHub-managed CodeQL workflows, such as Default Setup. This setting can only be enabled by GitHub staff. [#3485](https://github.com/github/codeql-action/pull/3485)
+- Added a setting which enables GitHub-managed workflows, such as Default Setup, to use a [nightly CodeQL CLI release](https://github.com/dsp-testing/codeql-cli-nightlies) instead of the latest, stable release that is used by default. This will help GitHub staff support customers whose analyses for a given repository or organization require early access to a change in an upcoming CodeQL CLI release. This setting can only be enabled by GitHub staff. [#3484](https://github.com/github/codeql-action/pull/3484)
+
+## 4.32.3 - 13 Feb 2026
+
+- Added experimental support for testing connections to [private package registries](https://docs.github.com/en/code-security/how-tos/secure-at-scale/configure-organization-security/manage-usage-and-access/giving-org-access-private-registries). This feature is not currently enabled for any analysis. In the future, it may be enabled by default for Default Setup. [#3466](https://github.com/github/codeql-action/pull/3466)
+
+## 4.32.2 - 05 Feb 2026
+
+- Update default CodeQL bundle version to [2.24.1](https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.24.1). [#3460](https://github.com/github/codeql-action/pull/3460)
+
+## 4.32.1 - 02 Feb 2026
+
+- A warning is now shown in Default Setup workflow logs if a [private package registry is configured](https://docs.github.com/en/code-security/how-tos/secure-at-scale/configure-organization-security/manage-usage-and-access/giving-org-access-private-registries) using a GitHub Personal Access Token (PAT), but no username is configured. [#3422](https://github.com/github/codeql-action/pull/3422)
+- Fixed a bug which caused the CodeQL Action to fail when repository properties cannot successfully be retrieved. [#3421](https://github.com/github/codeql-action/pull/3421)
+
+## 4.32.0 - 26 Jan 2026
+
 - Update default CodeQL bundle version to [2.24.0](https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.24.0). [#3425](https://github.com/github/codeql-action/pull/3425)

 ## 4.31.11 - 23 Jan 2026
@@ -92,7 +92,7 @@ We typically deprecate a version of CodeQL when the GitHub Enterprise Server (GH
 1. Remove support for the old version of CodeQL.
    - Bump `CODEQL_MINIMUM_VERSION` in `src/codeql.ts` to the new minimum version of CodeQL.
    - Remove any code that is only needed to support the old version of CodeQL. This is often behind a version guard, so look for instances of version numbers between the old minimum version and the new minimum version in the codebase. A good place to start is the list of version numbers in `src/codeql.ts`.
-    - Update the default set of CodeQL test versions in `pr-checks/sync.py`.
+    - Update the default set of CodeQL test versions in `pr-checks/sync.ts`.
        - Remove the old minimum version of CodeQL.
        - Add the latest patch release for any new CodeQL minor version series that have shipped in GHES.
        - Run the script to update the generated PR checks.
@@ -72,14 +72,22 @@ We typically release new minor versions of the CodeQL Action and Bundle when a n

 | Minimum CodeQL Action | Minimum CodeQL Bundle Version | GitHub Environment | Notes |
 |-----------------------|-------------------------------|--------------------|-------|
-| `v3.28.21`  | `2.21.3` | Enterprise Server 3.18 | |
-| `v3.28.12`  | `2.20.7` | Enterprise Server 3.17 | |
-| `v3.28.6`  | `2.20.3` | Enterprise Server 3.16 | |
-| `v3.28.6`  | `2.20.3` | Enterprise Server 3.15 | |
+| `v4.31.10` | `2.23.9` | Enterprise Server 3.20 | |
+| `v3.29.11` | `2.22.4` | Enterprise Server 3.19 | |
+| `v3.28.21` | `2.21.3` | Enterprise Server 3.18 | |
+| `v3.28.12` | `2.20.7` | Enterprise Server 3.17 | |
+| `v3.28.6` | `2.20.3` | Enterprise Server 3.16 | |
+| `v3.28.6` | `2.20.3` | Enterprise Server 3.15 | |
 | `v3.28.6` | `2.20.3` | Enterprise Server 3.14 | |

 See the full list of GHES release and deprecation dates at [GitHub Enterprise Server releases](https://docs.github.com/en/enterprise-server/admin/all-releases#releases-of-github-enterprise-server).

+## Keeping the CodeQL Action up to date in advanced setups
+
+If you are using an [advanced setup](https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/configuring-advanced-setup-for-code-scanning), we recommend referencing the CodeQL Action using a major version tag (e.g. `v4`) in your workflow file. This ensures your workflow automatically picks up the latest release within that major version, including bug fixes, new features, and updated CodeQL CLI versions.
+
+If you pin to a specific commit SHA or patch version tag, ensure you keep it updated (e.g. via [Dependabot](https://docs.github.com/en/code-security/dependabot/working-with-dependabot/keeping-your-actions-up-to-date-with-dependabot)). Some CodeQL Action features are enabled by server-side flags that may be removed over time, which can cause old versions to lose functionality.
+
 ## Troubleshooting

 Read about [troubleshooting code scanning](https://docs.github.com/en/code-security/code-scanning/troubleshooting-code-scanning).
@@ -1,27 +1,14 @@
-// Automatically generated by running npx @eslint/migrate-config .eslintrc.json
-
-import path from "node:path";
-import { fileURLToPath } from "node:url";
-
-import { fixupConfigRules, fixupPluginRules } from "@eslint/compat";
-import { FlatCompat } from "@eslint/eslintrc";
+import { fixupPluginRules } from "@eslint/compat";
 import js from "@eslint/js";
-import typescriptEslint from "@typescript-eslint/eslint-plugin";
-import tsParser from "@typescript-eslint/parser";
-import filenames from "eslint-plugin-filenames";
 import github from "eslint-plugin-github";
-import _import from "eslint-plugin-import";
+import { importX, createNodeResolver } from "eslint-plugin-import-x";
+import { createTypeScriptImportResolver } from "eslint-import-resolver-typescript";
 import noAsyncForeach from "eslint-plugin-no-async-foreach";
 import jsdoc from "eslint-plugin-jsdoc";
+import tseslint from "typescript-eslint";
 import globals from "globals";

-const __filename = fileURLToPath(import.meta.url);
-const __dirname = path.dirname(__filename);
-const compat = new FlatCompat({
-  baseDirectory: __dirname,
-  recommendedConfig: js.configs.recommended,
-  allConfig: js.configs.all,
-});
+const githubFlatConfigs = github.getFlatConfigs();

 export default [
  {
@@ -34,31 +21,32 @@ export default [
      "build.mjs",
      "eslint.config.mjs",
      ".github/**/*",
+      "pr-checks/**/*",
    ],
  },
-  ...fixupConfigRules(
-    compat.extends(
-      "eslint:recommended",
-      "plugin:@typescript-eslint/recommended",
-      "plugin:@typescript-eslint/recommended-requiring-type-checking",
-      "plugin:github/recommended",
-      "plugin:github/typescript",
-      "plugin:import/typescript",
-    ),
-  ),
+  // eslint recommended config
+  js.configs.recommended,
+  // Type-checked rules from typescript-eslint
+  ...tseslint.configs.recommendedTypeChecked,
+  ...tseslint.configs.strict,
+  // eslint-plugin-github recommended config
+  githubFlatConfigs.recommended,
+  // eslint-plugin-github typescript config
+  ...githubFlatConfigs.typescript,
+  // import-x TypeScript settings
+  // This is needed for import-x rules to properly parse TypeScript files.
+  {
+    settings: importX.flatConfigs.typescript.settings,
+  },
  {
    plugins: {
-      "@typescript-eslint": fixupPluginRules(typescriptEslint),
-      filenames: fixupPluginRules(filenames),
-      github: fixupPluginRules(github),
-      import: fixupPluginRules(_import),
-      "no-async-foreach": noAsyncForeach,
+      "import-x": importX,
+      "no-async-foreach": fixupPluginRules(noAsyncForeach),
      "jsdoc": jsdoc,
    },

    languageOptions: {
-      parser: tsParser,
-      ecmaVersion: 5,
+      ecmaVersion: "latest",
      sourceType: "module",

      globals: {
@@ -79,10 +67,16 @@ export default [
        typescript: {},
      },
      "import/ignore": ["sinon", "uuid", "@octokit/plugin-retry", "del", "get-folder-size"],
+      "import-x/resolver-next": [
+        createTypeScriptImportResolver(),
+        createNodeResolver({
+          extensions: [".ts", ".js", ".json"],
+        }),
+      ],
    },

    rules: {
-      "filenames/match-regex": ["error", "^[a-z0-9-]+(\\.test)?$"],
+      "github/filenames-match-regex": ["error", "^[a-z0-9-]+(\\.test)?$"],
      "i18n-text/no-en": "off",

      "import/extensions": [
@@ -94,7 +88,10 @@ export default [

      "import/no-amd": "error",
      "import/no-commonjs": "error",
-      "import/no-cycle": "error",
+      // import/no-cycle does not seem to work with ESLint 9.
+      // Use import-x/no-cycle from eslint-plugin-import-x instead.
+      "import/no-cycle": "off",
+      "import-x/no-cycle": "error",
      "import/no-dynamic-require": "error",

      "import/no-extraneous-dependencies": [
@@ -132,6 +129,8 @@ export default [
      "no-async-foreach/no-async-foreach": "error",
      "no-sequences": "error",
      "no-shadow": "off",
+      // This is overly restrictive with unsetting `EnvVar`s
+      "@typescript-eslint/no-dynamic-delete": "off",
      "@typescript-eslint/no-shadow": "error",
      "@typescript-eslint/prefer-optional-chain": "error",
      "one-var": ["error", "never"],
@@ -159,6 +159,11 @@ inputs:
    description: >-
      Explicitly enable or disable caching of project build dependencies.
    required: false
+  check-run-id:
+    description: >-
+      [Internal] The ID of the check run, as provided by the Actions runtime environment. Do not set this value manually.
+    default: ${{ job.check_run_id }}
+    required: false
 outputs:
  codeql-path:
    description: The path of the CodeQL binary used for analysis
@@ -1,6 +1,6 @@
 {
-  "bundleVersion": "codeql-bundle-v2.24.0",
-  "cliVersion": "2.24.0",
-  "priorBundleVersion": "codeql-bundle-v2.23.9",
-  "priorCliVersion": "2.23.9"
+  "bundleVersion": "codeql-bundle-v2.24.2",
+  "cliVersion": "2.24.2",
+  "priorBundleVersion": "codeql-bundle-v2.24.1",
+  "priorCliVersion": "2.24.1"
 }
@@ -1,6 +1,6 @@
 {
  "name": "codeql",
-  "version": "4.31.12",
+  "version": "4.32.6",
  "private": true,
  "description": "CodeQL action",
  "scripts": {
@@ -9,7 +9,7 @@
    "lint": "eslint --report-unused-disable-directives --max-warnings=0 .",
    "lint-ci": "SARIF_ESLINT_IGNORE_SUPPRESSED=true eslint --report-unused-disable-directives --max-warnings=0 . --format @microsoft/eslint-formatter-sarif --output-file=eslint.sarif",
    "lint-fix": "eslint --report-unused-disable-directives --max-warnings=0 . --fix",
-    "ava": "npm run transpile && ava --serial --verbose",
+    "ava": "npm run transpile && ava --verbose",
    "test": "npm run ava -- src/",
    "test-debug": "npm run test -- --timeout=20m",
    "transpile": "tsc --build --verbose"
@@ -24,34 +24,33 @@
  },
  "license": "MIT",
  "dependencies": {
-    "@actions/artifact": "^5.0.2",
+    "@actions/artifact": "^5.0.3",
    "@actions/artifact-legacy": "npm:@actions/artifact@^1.1.2",
-    "@actions/cache": "^5.0.3",
-    "@actions/core": "^2.0.2",
+    "@actions/cache": "^5.0.5",
+    "@actions/core": "^2.0.3",
    "@actions/exec": "^2.0.0",
-    "@actions/github": "^7.0.0",
+    "@actions/github": "^8.0.1",
    "@actions/glob": "^0.5.0",
    "@actions/http-client": "^3.0.0",
    "@actions/io": "^2.0.0",
-    "@actions/tool-cache": "^3.0.0",
-    "@octokit/plugin-retry": "^6.0.0",
+    "@actions/tool-cache": "^3.0.1",
+    "@octokit/plugin-retry": "^8.0.0",
    "@schemastore/package": "0.0.10",
    "archiver": "^7.0.1",
    "fast-deep-equal": "^3.1.3",
    "follow-redirects": "^1.15.11",
    "get-folder-size": "^5.0.0",
+    "https-proxy-agent": "^7.0.6",
    "js-yaml": "^4.1.1",
    "jsonschema": "1.4.1",
    "long": "^5.3.2",
    "node-forge": "^1.3.3",
-    "semver": "^7.7.3",
+    "semver": "^7.7.4",
    "uuid": "^13.0.0"
  },
  "devDependencies": {
    "@ava/typescript": "6.0.0",
-    "@eslint/compat": "^2.0.1",
-    "@eslint/eslintrc": "^3.3.3",
-    "@eslint/js": "^9.39.2",
+    "@eslint/compat": "^2.0.2",
    "@microsoft/eslint-formatter-sarif": "^3.1.0",
    "@octokit/types": "^16.0.0",
    "@types/archiver": "^7.0.0",
@@ -59,23 +58,23 @@
    "@types/js-yaml": "^4.0.9",
    "@types/node": "^20.19.9",
    "@types/node-forge": "^1.3.14",
+    "@types/sarif": "^2.1.7",
    "@types/semver": "^7.7.1",
    "@types/sinon": "^21.0.0",
-    "@typescript-eslint/eslint-plugin": "^8.53.1",
-    "@typescript-eslint/parser": "^8.48.0",
    "ava": "^6.4.1",
-    "esbuild": "^0.27.2",
-    "eslint": "^8.57.1",
+    "esbuild": "^0.27.3",
+    "eslint": "^9.39.2",
    "eslint-import-resolver-typescript": "^3.8.7",
-    "eslint-plugin-filenames": "^1.3.2",
-    "eslint-plugin-github": "^5.1.8",
-    "eslint-plugin-import": "2.29.1",
-    "eslint-plugin-jsdoc": "^62.2.0",
+    "eslint-plugin-github": "^6.0.0",
+    "eslint-plugin-import-x": "^4.16.1",
+    "eslint-plugin-jsdoc": "^62.6.0",
    "eslint-plugin-no-async-foreach": "^0.1.1",
    "glob": "^11.1.0",
-    "nock": "^14.0.10",
+    "globals": "^17.3.0",
+    "nock": "^14.0.11",
    "sinon": "^21.0.1",
-    "typescript": "^5.9.3"
+    "typescript": "^5.9.3",
+    "typescript-eslint": "^8.56.0"
  },
  "overrides": {
    "@actions/tool-cache": {
@@ -1,3 +1 @@
-env
-__pycache__/
-*.pyc
+node_modules/
@@ -1,8 +1,9 @@
-name: "Quality queries input"
-description: "Tests that queries specified in the quality-queries input are used."
+name: "Analysis kinds"
+description: "Tests basic functionality for different `analysis-kinds` inputs."
 versions: ["linked", "nightly-latest"]
-analysisKinds: ["code-scanning", "code-quality", "code-scanning,code-quality"]
+analysisKinds: ["code-scanning", "code-quality", "code-scanning,code-quality", "risk-assessment"]
 env:
+  CODEQL_ACTION_RISK_ASSESSMENT_ID: 1
  CHECK_SCRIPT: |
    const fs = require('fs');

@@ -37,30 +38,24 @@ steps:
      output: "${{ runner.temp }}/results"
      upload-database: false
      post-processed-sarif-path: "${{ runner.temp }}/post-processed"
-  - name: Upload security SARIF
-    if: contains(matrix.analysis-kinds, 'code-scanning')
+
+  - name: Upload SARIF files
    uses: actions/upload-artifact@v6
    with:
      name: |
-        quality-queries-${{ matrix.os }}-${{ matrix.version }}-${{ matrix.analysis-kinds }}.sarif.json
-      path: "${{ runner.temp }}/results/javascript.sarif"
-      retention-days: 7
-  - name: Upload quality SARIF
-    if: contains(matrix.analysis-kinds, 'code-quality')
-    uses: actions/upload-artifact@v6
-    with:
-      name: |
-        quality-queries-${{ matrix.os }}-${{ matrix.version }}-${{ matrix.analysis-kinds }}.quality.sarif.json
-      path: "${{ runner.temp }}/results/javascript.quality.sarif"
+        analysis-kinds-${{ matrix.os }}-${{ matrix.version }}-${{ matrix.analysis-kinds }}
+      path: "${{ runner.temp }}/results/*.sarif"
      retention-days: 7
+
  - name: Upload post-processed SARIF
    uses: actions/upload-artifact@v6
    with:
      name: |
-        post-processed-${{ matrix.os }}-${{ matrix.version }}-${{ matrix.analysis-kinds }}.sarif.json
+        post-processed-${{ matrix.os }}-${{ matrix.version }}-${{ matrix.analysis-kinds }}
      path: "${{ runner.temp }}/post-processed"
      retention-days: 7
      if-no-files-found: error
+
  - name: Check quality query does not appear in security SARIF
    if: contains(matrix.analysis-kinds, 'code-scanning')
    uses: actions/github-script@v8
@@ -5,7 +5,7 @@ description: >
  autobuild Action.
 operatingSystems: ["ubuntu", "windows"]
 versions: ["linked", "nightly-latest"]
-installJava: "true"
+installJava: true
 env:
  CODEQL_ACTION_AUTOBUILD_BUILD_MODE_DIRECT_TRACING: true
 steps:
@@ -2,8 +2,8 @@ name: "Build mode autobuild"
 description: "An end-to-end integration test of a Java repository built using 'build-mode: autobuild'"
 operatingSystems: ["ubuntu", "windows"]
 versions: ["linked", "nightly-latest"]
-installJava: "true"
-installYq: "true"
+installJava: true
+installYq: true
 steps:
  - name: Set up Java test repo configuration
    run: |
@@ -0,0 +1,15 @@
+name: "Bundle: From nightly"
+description: "The nightly CodeQL bundle should be used when forced"
+versions:
+  - linked # overruled by the FF set below
+steps:
+  - id: init
+    uses: ./../action/init
+    env:
+      CODEQL_ACTION_FORCE_NIGHTLY: true
+    with:
+      tools: ${{ steps.prepare-test.outputs.tools-url }}
+      languages: javascript
+  - name: Fail if the CodeQL version is not a nightly
+    if: ${{ !contains(steps.init.outputs.codeql-version, '+') }}
+    run: exit 1
@@ -4,7 +4,7 @@ versions:
  - toolcache
 steps:
  - name: Install @actions/tool-cache
-    run: npm install @actions/tool-cache
+    run: npm install @actions/tool-cache@3
  - name: Check toolcache contains CodeQL
    continue-on-error: true
    uses: actions/github-script@v8
@@ -16,7 +16,7 @@ steps:
        const codeqlPath = path.join(process.env['RUNNER_TOOL_CACHE'], 'CodeQL');
        fs.rmdirSync(codeqlPath, { recursive: true });
  - name: Install @actions/tool-cache
-    run: npm install @actions/tool-cache
+    run: npm install @actions/tool-cache@3
  - name: Check toolcache does not contain CodeQL
    uses: actions/github-script@v8
    with:
--- a/Show More
+++ b/Show More