Generate UserConfig from schema ... ish

Add command for turning JSON schemas into TypeScript typings
2026-05-09 07:10:22 +00:00 · 2025-10-17 16:19:12 +01:00 · 2025-10-17 16:12:28 +01:00
145 changed files with 80514 additions and 77616 deletions
@@ -16,9 +16,9 @@ runs:
      shell: bash

    - name: Set up Python
-      uses: actions/setup-python@v6
+      uses: actions/setup-python@v5
      with:
-        python-version: '3.12'
+        python-version: 3.12

    - name: Install dependencies
      run: |
@@ -18,25 +18,14 @@ For internal use only. Please select the risk level of this change:

 #### Which use cases does this change impact?

-<!-- Delete options that don't apply. If in doubt, do not delete an option. -->
+<!-- Delete options that don't apply. -->

-Workflow types:
-
- **Advanced setup** - Impacts users who have custom CodeQL workflows.
- **Managed** - Impacts users with `dynamic` workflows (Default Setup, CCR, ...).
-
-Products:
-
- **Code Scanning** - The changes impact analyses when `analysis-kinds: code-scanning`.
- **Code Quality** - The changes impact analyses when `analysis-kinds: code-quality`.
- **CCR** - The changes impact analyses for Copilot Code Reviews.
- **Third-party analyses** - The changes affect the `upload-sarif` action.
-
-Environments:
-
- **Dotcom** - Impacts CodeQL workflows on `github.com`.
- **GHES** - Impacts CodeQL workflows on GitHub Enterprise Server.
- **Testing/None** - This change does not impact any CodeQL workflows in production.
+- **Advanced setup** - Impacts users who have custom workflows.
+- **Default setup** - Impacts users who use default setup.
+- **Code Scanning** - Impacts Code Scanning (i.e. `analysis-kinds: code-scanning`).
+- **Code Quality** - Impacts Code Quality (i.e. `analysis-kinds: code-quality`).
+- **Third-party analyses** - Impacts third-party analyses (i.e. `upload-sarif`).
+- **GHES** - Impacts GitHub Enterprise Server.

 #### How did/will you validate this change?

@@ -65,15 +54,6 @@ Environments:
    - **Alerts** - New or existing monitors will trip if something goes wrong with this change.
 - **Other** - Please provide details.

-#### Are there any special considerations for merging or releasing this change?
-
-<!--
-    Consider whether this change depends on a different change in another repository that should be released first.
-->
-
- **No special considerations** - This change can be merged at any time.
- **Special considerations** - This change should only be merged once certain preconditions are met. Please provide details of those or link to this PR from an internal issue.
-
 ### Merge / deployment checklist

 - Confirm this change is backwards compatible with existing workflows.
@@ -1,55 +0,0 @@
-labeling:
-  applyCategoryLabels: true
-  categoryLabelPrefix: "size/"
-
-commenting:
-  addCommentWhenScoreThresholdHasBeenExceeded: false
-
-sizeup:
-  categories:
-    - name: extra small
-      lte: 25
-      label:
-        name: XS
-        description: Should be very easy to review
-        color: 3cbf00
-    - name: small
-      lte: 100
-      label:
-        name: S
-        description: Should be easy to review
-        color: 5d9801
-    - name: medium
-      lte: 250
-      label:
-        name: M
-        description: Should be of average difficulty to review
-        color: 7f7203
-    - name: large
-      lte: 500
-      label:
-        name: L
-        description: May be hard to review
-        color: a14c05
-    - name: extra large
-      lte: 1000
-      label:
-        name: XL
-        description: May be very hard to review
-        color: c32607
-    - name: extra extra large
-      label:
-        name: XXL
-        description: May be extremely hard to review
-        color: e50009
-  ignoredFilePatterns:
-    - ".github/workflows/__*"
-    - "lib/**/*"
-    - "package-lock.json"
-  testFilePatterns:
-    - "**/*.test.ts"
-  scoring:
-    # This formula and the aliases below it are written in prefix notation.
-    # For an explanation of how this works, please see:
-    # https://github.com/lerebear/sizeup-core/blob/main/README.md#prefix-notation
-    formula: "- - + additions deletions comments whitespace"
@@ -27,11 +27,6 @@ on:
        description: The version of Go to install
        required: false
        default: '>=1.21.0'
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
  workflow_call:
    inputs:
      go-version:
@@ -39,11 +34,6 @@ on:
        description: The version of Go to install
        required: false
        default: '>=1.21.0'
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
 defaults:
  run:
    shell: bash
@@ -84,10 +74,6 @@ jobs:
        with:
          go-version: ${{ inputs.go-version || '>=1.21.0' }}
          cache: false
-      - name: Install .NET
-        uses: actions/setup-dotnet@v5
-        with:
-          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - id: init
        uses: ./../action/init
        with:
@@ -32,11 +32,6 @@ on:
        description: The version of Python to install
        required: false
        default: '3.13'
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
  workflow_call:
    inputs:
      go-version:
@@ -49,11 +44,6 @@ on:
        description: The version of Python to install
        required: false
        default: '3.13'
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
 defaults:
  run:
    shell: bash
@@ -95,10 +85,6 @@ jobs:
        uses: actions/setup-python@v6
        with:
          python-version: ${{ inputs.python-version || '3.13' }}
-      - name: Install .NET
-        uses: actions/setup-dotnet@v5
-        with:
-          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - uses: ./../action/init
        with:
          tools: ${{ steps.prepare-test.outputs.tools-url }}
@@ -21,19 +21,9 @@ on:
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
-    inputs:
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
+    inputs: {}
  workflow_call:
-    inputs:
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
+    inputs: {}
 defaults:
  run:
    shell: bash
@@ -69,10 +59,6 @@ jobs:
          version: ${{ matrix.version }}
          use-all-platform-bundle: 'false'
          setup-kotlin: 'true'
-      - name: Install .NET
-        uses: actions/setup-dotnet@v5
-        with:
-          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - uses: ./../action/init
        with:
          languages: csharp
@@ -27,11 +27,6 @@ on:
        description: The version of Go to install
        required: false
        default: '>=1.21.0'
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
  workflow_call:
    inputs:
      go-version:
@@ -39,11 +34,6 @@ on:
        description: The version of Go to install
        required: false
        default: '>=1.21.0'
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
 defaults:
  run:
    shell: bash
@@ -80,10 +70,6 @@ jobs:
        with:
          go-version: ${{ inputs.go-version || '>=1.21.0' }}
          cache: false
-      - name: Install .NET
-        uses: actions/setup-dotnet@v5
-        with:
-          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - uses: ./../action/init
        id: init
        with:
@@ -79,7 +79,7 @@ jobs:
          output: ${{ runner.temp }}/results
          upload-database: false
      - name: Upload SARIF
-        uses: actions/upload-artifact@v5
+        uses: actions/upload-artifact@v4
        with:
          name: ${{ matrix.os }}-zstd-bundle.sarif
          path: ${{ runner.temp }}/results/javascript.sarif
@@ -67,7 +67,7 @@ jobs:
          output: ${{ runner.temp }}/results
          upload-database: false
      - name: Upload SARIF
-        uses: actions/upload-artifact@v5
+        uses: actions/upload-artifact@v4
        with:
          name: config-export-${{ matrix.os }}-${{ matrix.version }}.sarif.json
          path: ${{ runner.temp }}/results/javascript.sarif
@@ -49,7 +49,7 @@ jobs:
      - name: Check out repository
        uses: actions/checkout@v5
      - name: Install Node.js
-        uses: actions/setup-node@v6
+        uses: actions/setup-node@v5
        with:
          node-version: 20.x
          cache: npm
@@ -78,7 +78,7 @@ jobs:
          output: ${{ runner.temp }}/results
          upload-database: false
      - name: Upload SARIF
-        uses: actions/upload-artifact@v5
+        uses: actions/upload-artifact@v4
        with:
          name: diagnostics-export-${{ matrix.os }}-${{ matrix.version }}.sarif.json
          path: ${{ runner.temp }}/results/javascript.sarif
@@ -27,11 +27,6 @@ on:
        description: The version of Go to install
        required: false
        default: '>=1.21.0'
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
  workflow_call:
    inputs:
      go-version:
@@ -39,11 +34,6 @@ on:
        description: The version of Go to install
        required: false
        default: '>=1.21.0'
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
 defaults:
  run:
    shell: bash
@@ -84,10 +74,6 @@ jobs:
        with:
          go-version: ${{ inputs.go-version || '>=1.21.0' }}
          cache: false
-      - name: Install .NET
-        uses: actions/setup-dotnet@v5
-        with:
-          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - uses: ./../action/init
        id: init
        with:
@@ -99,7 +85,7 @@ jobs:
        with:
          output: ${{ runner.temp }}/results
      - name: Upload SARIF
-        uses: actions/upload-artifact@v5
+        uses: actions/upload-artifact@v4
        with:
          name: with-baseline-information-${{ matrix.os }}-${{ matrix.version }}.sarif.json
          path: ${{ runner.temp }}/results/javascript.sarif
@@ -27,11 +27,6 @@ on:
        description: The version of Go to install
        required: false
        default: '>=1.21.0'
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
  workflow_call:
    inputs:
      go-version:
@@ -39,11 +34,6 @@ on:
        description: The version of Go to install
        required: false
        default: '>=1.21.0'
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
 defaults:
  run:
    shell: bash
@@ -82,10 +72,6 @@ jobs:
        with:
          go-version: ${{ inputs.go-version || '>=1.21.0' }}
          cache: false
-      - name: Install .NET
-        uses: actions/setup-dotnet@v5
-        with:
-          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - uses: ./../action/init
        with:
          languages: go
@@ -18,11 +18,6 @@ on:
        description: The version of Go to install
        required: false
        default: '>=1.21.0'
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
 jobs:
  go-custom-queries:
    name: 'Go: Custom queries'
@@ -32,7 +27,6 @@ jobs:
    uses: ./.github/workflows/__go-custom-queries.yml
    with:
      go-version: ${{ inputs.go-version }}
-      dotnet-version: ${{ inputs.dotnet-version }}
  go-indirect-tracing-workaround-diagnostic:
    name: 'Go: diagnostic when Go is changed after init step'
    permissions:
@@ -64,7 +64,7 @@ jobs:
        with:
          output: ${{ runner.temp }}/results
      - name: Upload SARIF
-        uses: actions/upload-artifact@v5
+        uses: actions/upload-artifact@v4
        with:
          name: ${{ matrix.os }}-${{ matrix.version }}.sarif.json
          path: ${{ runner.temp }}/results/javascript.sarif
@@ -32,11 +32,6 @@ on:
        description: The version of Python to install
        required: false
        default: '3.13'
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
  workflow_call:
    inputs:
      go-version:
@@ -49,11 +44,6 @@ on:
        description: The version of Python to install
        required: false
        default: '3.13'
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
 defaults:
  run:
    shell: bash
@@ -95,10 +85,6 @@ jobs:
        uses: actions/setup-python@v6
        with:
          python-version: ${{ inputs.python-version || '3.13' }}
-      - name: Install .NET
-        uses: actions/setup-dotnet@v5
-        with:
-          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - name: Fetch latest CodeQL bundle
        run: |
          wget https://github.com/github/codeql-action/releases/latest/download/codeql-bundle-linux64.tar.zst
@@ -32,11 +32,6 @@ on:
        description: The version of Python to install
        required: false
        default: '3.13'
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
  workflow_call:
    inputs:
      go-version:
@@ -49,11 +44,6 @@ on:
        description: The version of Python to install
        required: false
        default: '3.13'
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
 defaults:
  run:
    shell: bash
@@ -129,10 +119,6 @@ jobs:
        uses: actions/setup-python@v6
        with:
          python-version: ${{ inputs.python-version || '3.13' }}
-      - name: Install .NET
-        uses: actions/setup-dotnet@v5
-        with:
-          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - name: Use Xcode 16
        if: runner.os == 'macOS' && matrix.version != 'nightly-latest'
        run: sudo xcode-select -s "/Applications/Xcode_16.app"
@@ -32,11 +32,6 @@ on:
        description: The version of Python to install
        required: false
        default: '3.13'
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
  workflow_call:
    inputs:
      go-version:
@@ -49,11 +44,6 @@ on:
        description: The version of Python to install
        required: false
        default: '3.13'
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
 defaults:
  run:
    shell: bash
@@ -83,7 +73,7 @@ jobs:
      - name: Check out repository
        uses: actions/checkout@v5
      - name: Install Node.js
-        uses: actions/setup-node@v6
+        uses: actions/setup-node@v5
        with:
          node-version: 20.x
          cache: npm
@@ -106,10 +96,6 @@ jobs:
        uses: actions/setup-python@v6
        with:
          python-version: ${{ inputs.python-version || '3.13' }}
-      - name: Install .NET
-        uses: actions/setup-dotnet@v5
-        with:
-          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - uses: ./../action/init
        with:
          config-file: .github/codeql/codeql-config-packaging3.yml
@@ -27,11 +27,6 @@ on:
        description: The version of Go to install
        required: false
        default: '>=1.21.0'
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
  workflow_call:
    inputs:
      go-version:
@@ -39,11 +34,6 @@ on:
        description: The version of Go to install
        required: false
        default: '>=1.21.0'
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
 defaults:
  run:
    shell: bash
@@ -73,7 +63,7 @@ jobs:
      - name: Check out repository
        uses: actions/checkout@v5
      - name: Install Node.js
-        uses: actions/setup-node@v6
+        uses: actions/setup-node@v5
        with:
          node-version: 20.x
          cache: npm
@@ -91,10 +81,6 @@ jobs:
        with:
          go-version: ${{ inputs.go-version || '>=1.21.0' }}
          cache: false
-      - name: Install .NET
-        uses: actions/setup-dotnet@v5
-        with:
-          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - uses: ./../action/init
        with:
          config-file: .github/codeql/codeql-config-packaging3.yml
@@ -27,11 +27,6 @@ on:
        description: The version of Go to install
        required: false
        default: '>=1.21.0'
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
  workflow_call:
    inputs:
      go-version:
@@ -39,11 +34,6 @@ on:
        description: The version of Go to install
        required: false
        default: '>=1.21.0'
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
 defaults:
  run:
    shell: bash
@@ -73,7 +63,7 @@ jobs:
      - name: Check out repository
        uses: actions/checkout@v5
      - name: Install Node.js
-        uses: actions/setup-node@v6
+        uses: actions/setup-node@v5
        with:
          node-version: 20.x
          cache: npm
@@ -91,10 +81,6 @@ jobs:
        with:
          go-version: ${{ inputs.go-version || '>=1.21.0' }}
          cache: false
-      - name: Install .NET
-        uses: actions/setup-dotnet@v5
-        with:
-          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - uses: ./../action/init
        with:
          config-file: .github/codeql/codeql-config-packaging.yml
@@ -27,11 +27,6 @@ on:
        description: The version of Go to install
        required: false
        default: '>=1.21.0'
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
  workflow_call:
    inputs:
      go-version:
@@ -39,11 +34,6 @@ on:
        description: The version of Go to install
        required: false
        default: '>=1.21.0'
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
 defaults:
  run:
    shell: bash
@@ -73,7 +63,7 @@ jobs:
      - name: Check out repository
        uses: actions/checkout@v5
      - name: Install Node.js
-        uses: actions/setup-node@v6
+        uses: actions/setup-node@v5
        with:
          node-version: 20.x
          cache: npm
@@ -91,10 +81,6 @@ jobs:
        with:
          go-version: ${{ inputs.go-version || '>=1.21.0' }}
          cache: false
-      - name: Install .NET
-        uses: actions/setup-dotnet@v5
-        with:
-          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - uses: ./../action/init
        with:
          config-file: .github/codeql/codeql-config-packaging2.yml
@@ -80,10 +80,9 @@ jobs:
        with:
          output: ${{ runner.temp }}/results
          upload-database: false
-          post-processed-sarif-path: ${{ runner.temp }}/post-processed
      - name: Upload security SARIF
        if: contains(matrix.analysis-kinds, 'code-scanning')
-        uses: actions/upload-artifact@v5
+        uses: actions/upload-artifact@v4
        with:
          name: |
            quality-queries-${{ matrix.os }}-${{ matrix.version }}-${{ matrix.analysis-kinds }}.sarif.json
@@ -91,20 +90,12 @@ jobs:
          retention-days: 7
      - name: Upload quality SARIF
        if: contains(matrix.analysis-kinds, 'code-quality')
-        uses: actions/upload-artifact@v5
+        uses: actions/upload-artifact@v4
        with:
          name: |
            quality-queries-${{ matrix.os }}-${{ matrix.version }}-${{ matrix.analysis-kinds }}.quality.sarif.json
          path: ${{ runner.temp }}/results/javascript.quality.sarif
          retention-days: 7
-      - name: Upload post-processed SARIF
-        uses: actions/upload-artifact@v5
-        with:
-          name: |
-            post-processed-${{ matrix.os }}-${{ matrix.version }}-${{ matrix.analysis-kinds }}.sarif.json
-          path: ${{ runner.temp }}/post-processed
-          retention-days: 7
-          if-no-files-found: error
      - name: Check quality query does not appear in security SARIF
        if: contains(matrix.analysis-kinds, 'code-scanning')
        uses: actions/github-script@v8
@@ -32,11 +32,6 @@ on:
        description: The version of Python to install
        required: false
        default: '3.13'
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
  workflow_call:
    inputs:
      go-version:
@@ -49,11 +44,6 @@ on:
        description: The version of Python to install
        required: false
        default: '3.13'
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
 defaults:
  run:
    shell: bash
@@ -97,10 +87,6 @@ jobs:
        uses: actions/setup-python@v6
        with:
          python-version: ${{ inputs.python-version || '3.13' }}
-      - name: Install .NET
-        uses: actions/setup-dotnet@v5
-        with:
-          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - uses: ./../action/init
        with:
          tools: ${{ steps.prepare-test.outputs.tools-url }}
@@ -56,7 +56,7 @@ jobs:
          use-all-platform-bundle: 'false'
          setup-kotlin: 'true'
      - name: Set up Ruby
-        uses: ruby/setup-ruby@8aeb6ff8030dd539317f8e1769a044873b56ea71 # v1.268.0
+        uses: ruby/setup-ruby@ab177d40ee5483edb974554986f56b33477e21d0 # v1.265.0
        with:
          ruby-version: 2.6
      - name: Install Code Scanning integration
@@ -27,11 +27,6 @@ on:
        description: The version of Go to install
        required: false
        default: '>=1.21.0'
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
  workflow_call:
    inputs:
      go-version:
@@ -39,11 +34,6 @@ on:
        description: The version of Go to install
        required: false
        default: '>=1.21.0'
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
 defaults:
  run:
    shell: bash
@@ -90,10 +80,6 @@ jobs:
        with:
          go-version: ${{ inputs.go-version || '>=1.21.0' }}
          cache: false
-      - name: Install .NET
-        uses: actions/setup-dotnet@v5
-        with:
-          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - uses: ./../action/init
        with:
          config-file: .github/codeql/codeql-config-packaging3.yml
@@ -27,11 +27,6 @@ on:
        description: The version of Go to install
        required: false
        default: '>=1.21.0'
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
  workflow_call:
    inputs:
      go-version:
@@ -39,11 +34,6 @@ on:
        description: The version of Go to install
        required: false
        default: '>=1.21.0'
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
 defaults:
  run:
    shell: bash
@@ -84,10 +74,6 @@ jobs:
        with:
          go-version: ${{ inputs.go-version || '>=1.21.0' }}
          cache: false
-      - name: Install .NET
-        uses: actions/setup-dotnet@v5
-        with:
-          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - name: Use Xcode 16
        if: runner.os == 'macOS' && matrix.version != 'nightly-latest'
        run: sudo xcode-select -s "/Applications/Xcode_16.app"
@@ -32,11 +32,6 @@ on:
        description: The version of Python to install
        required: false
        default: '3.13'
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
  workflow_call:
    inputs:
      go-version:
@@ -49,11 +44,6 @@ on:
        description: The version of Python to install
        required: false
        default: '3.13'
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
 defaults:
  run:
    shell: bash
@@ -97,10 +87,6 @@ jobs:
        uses: actions/setup-python@v6
        with:
          python-version: ${{ inputs.python-version || '3.13' }}
-      - name: Install .NET
-        uses: actions/setup-dotnet@v5
-        with:
-          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - uses: ./../action/init
        id: init
        with:
@@ -32,11 +32,6 @@ on:
        description: The version of Python to install
        required: false
        default: '3.13'
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
  workflow_call:
    inputs:
      go-version:
@@ -49,11 +44,6 @@ on:
        description: The version of Python to install
        required: false
        default: '3.13'
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
 defaults:
  run:
    shell: bash
@@ -95,10 +85,6 @@ jobs:
        uses: actions/setup-python@v6
        with:
          python-version: ${{ inputs.python-version || '3.13' }}
-      - name: Install .NET
-        uses: actions/setup-dotnet@v5
-        with:
-          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - uses: ./../action/init
        with:
          tools: ${{ steps.prepare-test.outputs.tools-url }}
@@ -32,11 +32,6 @@ on:
        description: The version of Python to install
        required: false
        default: '3.13'
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
  workflow_call:
    inputs:
      go-version:
@@ -49,11 +44,6 @@ on:
        description: The version of Python to install
        required: false
        default: '3.13'
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
 defaults:
  run:
    shell: bash
@@ -102,10 +92,6 @@ jobs:
        uses: actions/setup-python@v6
        with:
          python-version: ${{ inputs.python-version || '3.13' }}
-      - name: Install .NET
-        uses: actions/setup-dotnet@v5
-        with:
-          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - uses: ./../action/init
        with:
          tools: ${{ steps.prepare-test.outputs.tools-url }}
@@ -32,11 +32,6 @@ on:
        description: The version of Python to install
        required: false
        default: '3.13'
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
  workflow_call:
    inputs:
      go-version:
@@ -49,11 +44,6 @@ on:
        description: The version of Python to install
        required: false
        default: '3.13'
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
 defaults:
  run:
    shell: bash
@@ -95,10 +85,6 @@ jobs:
        uses: actions/setup-python@v6
        with:
          python-version: ${{ inputs.python-version || '3.13' }}
-      - name: Install .NET
-        uses: actions/setup-dotnet@v5
-        with:
-          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - name: Delete original checkout
        run: |
          # delete the original checkout so we don't accidentally use it.
@@ -15,7 +15,7 @@ defaults:

 jobs:
  check-expected-release-files:
-    runs-on: ubuntu-slim
+    runs-on: ubuntu-latest

    permissions:
      contents: read
@@ -81,7 +81,7 @@ jobs:
    strategy:
      fail-fast: false
      matrix:
-        os: [ubuntu-22.04,ubuntu-24.04,windows-2022,windows-2025,macos-14,macos-15]
+        os: [ubuntu-22.04,ubuntu-24.04,windows-2022,windows-2025,macos-13,macos-14,macos-15]
        tools: ${{ fromJson(needs.check-codeql-versions.outputs.versions) }}
    runs-on: ${{ matrix.os }}

@@ -56,7 +56,7 @@ jobs:
      uses: actions/checkout@v5

    - name: Set up Node.js
-      uses: actions/setup-node@v6
+      uses: actions/setup-node@v5
      with:
        node-version: 24
        cache: 'npm'
@@ -54,10 +54,6 @@ jobs:
      - uses: actions/setup-go@v6
        with:
          go-version: ^1.13.1
-      - name: Install .NET
-        uses: actions/setup-dotnet@v5
-        with:
-          dotnet-version: '9.x'
      - uses: ./../action/init
        with:
          tools: ${{ steps.prepare-test.outputs.tools-url }}
@@ -83,7 +79,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Download all artifacts
-        uses: actions/download-artifact@v6
+        uses: actions/download-artifact@v5
      - name: Check expected artifacts exist
        run: |
          LANGUAGES="cpp csharp go java javascript python"
@@ -50,10 +50,6 @@ jobs:
      - uses: actions/setup-go@v6
        with:
          go-version: ^1.13.1
-      - name: Install .NET
-        uses: actions/setup-dotnet@v5
-        with:
-          dotnet-version: '9.x'
      - uses: ./../action/init
        id: init
        with:
@@ -77,7 +73,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Download all artifacts
-        uses: actions/download-artifact@v6
+        uses: actions/download-artifact@v5
      - name: Check expected artifacts exist
        run: |
          VERSIONS="stable-v2.20.3 default linked nightly-latest"
@@ -1,26 +0,0 @@
-name: Label PR with size
-
-on:
-  pull_request:
-    types:
-      - opened
-      - synchronize
-      - reopened
-      - edited
-      - ready_for_review
-
-permissions:
-  contents: read
-  pull-requests: write
-
-jobs:
-  sizeup:
-    name: Label PR with size
-    runs-on: ubuntu-slim
-
-    steps:
-      - name: Run sizeup
-        uses: lerebear/sizeup-action@b7beb3dd273e36039e16e48e7bc690c189e61951 # 0.8.12
-        with:
-          token: "${{ secrets.GITHUB_TOKEN }}"
-          configuration-file-path: ".github/sizeup.yml"
@@ -24,7 +24,7 @@ defaults:

 jobs:
  merge-back:
-    runs-on: ubuntu-slim
+    runs-on: ubuntu-latest
    environment: Automation
    if: github.repository == 'github/codeql-action'
    env:
@@ -47,10 +47,7 @@ jobs:
      - uses: actions/checkout@v5
        with:
          fetch-depth: 0  # ensure we have all tags and can push commits
-      - uses: actions/setup-node@v6
-      - uses: actions/setup-python@v6
-        with:
-          python-version: '3.12'
+      - uses: actions/setup-node@v5

      - name: Update git config
        run: |
@@ -35,7 +35,7 @@ jobs:
      - uses: actions/checkout@v5

      - name: Set up Node.js
-        uses: actions/setup-node@v6
+        uses: actions/setup-node@v5
        with:
          node-version: ${{ matrix.node-version }}
          cache: 'npm'
@@ -29,7 +29,7 @@ defaults:
 jobs:
  prepare:
    name: "Prepare release"
-    runs-on: ubuntu-slim
+    runs-on: ubuntu-latest
    if: github.repository == 'github/codeql-action'

    permissions:
@@ -1,10 +1,8 @@
 name: 'Publish Immutable Action Version'

 on:
-  push:
-    tags:
-      # Match version tags, but not the major version tags.
-      - 'v[0-9]+.**'
+  release:
+    types: [published]

 defaults:
  run:
@@ -12,16 +10,30 @@ defaults:

 jobs:
  publish:
-    runs-on: ubuntu-slim
+    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write
      packages: write

    steps:
-      - name: Checkout repository
+      - name: Check release name
+        id: check
+        env:
+          RELEASE_NAME: ${{ github.event.release.name }}
+        run: |
+          echo "Release name: ${{ github.event.release.name }}"
+          if [[ $RELEASE_NAME == v* ]]; then
+            echo "This is a CodeQL Action release. Create an Immutable Action"
+            echo "is-action-release=true" >> $GITHUB_OUTPUT
+          else
+            echo "This is a CodeQL Bundle release. Do not create an Immutable Action"
+            echo "is-action-release=false" >> $GITHUB_OUTPUT
+          fi
+      - name: Checking out
+        if: steps.check.outputs.is-action-release == 'true'
        uses: actions/checkout@v5
-
-      - name: Publish immutable release
+      - name: Publish
+        if: steps.check.outputs.is-action-release == 'true'
        id: publish
        uses: actions/publish-immutable-action@v0.0.4
@@ -32,7 +32,7 @@ jobs:
      uses: actions/checkout@v5

    - name: Install Node.js
-      uses: actions/setup-node@v6
+      uses: actions/setup-node@v5
      with:
        node-version: 24
        cache: npm
@@ -1,18 +0,0 @@
-import os
-import re
-
-# Get the PR number from the PR URL.
-pr_number = os.environ['PR_URL'].split('/')[-1]
-changelog_note = f"- Update default CodeQL bundle version to {os.environ['CLI_VERSION']}. [#{pr_number}]({os.environ['PR_URL']})"
-
-# If the "[UNRELEASED]" section starts with "no user facing changes", remove that line.
-with open('CHANGELOG.md', 'r') as f:
-    changelog = f.read()
-
-changelog = changelog.replace('## [UNRELEASED]\n\nNo user facing changes.', '## [UNRELEASED]\n')
-
-# Add the changelog note to the bottom of the "[UNRELEASED]" section.
-changelog = re.sub(r'\n## (\d+\.\d+\.\d+)', f'{changelog_note}\n\n## \\1', changelog, count=1)
-
-with open('CHANGELOG.md', 'w') as f:
-    f.write(changelog)
@@ -29,7 +29,7 @@ fi
 echo "Getting checks for $GITHUB_SHA"

 # Ignore any checks with "https://", CodeQL, LGTM, Update, and ESLint checks.
-CHECKS="$(gh api repos/github/codeql-action/commits/"${GITHUB_SHA}"/check-runs --paginate | jq --slurp --compact-output --raw-output '[.[].check_runs.[] | select(.conclusion != "skipped") | .name | select(contains("https://") or . == "CodeQL" or . == "Dependabot" or . == "check-expected-release-files" or contains("Update") or contains("ESLint") or contains("update") or contains("test-setup-python-scripts") or . == "Agent" or . == "Cleanup artifacts" or . == "Prepare" or . == "Upload results" | not)] | unique | sort')"
+CHECKS="$(gh api repos/github/codeql-action/commits/"${GITHUB_SHA}"/check-runs --paginate | jq --slurp --compact-output --raw-output '[.[].check_runs.[] | select(.conclusion != "skipped") | .name | select(contains("https://") or . == "CodeQL" or . == "Dependabot" or . == "check-expected-release-files" or contains("Update") or contains("ESLint") or contains("update") or contains("test-setup-python-scripts") | not)] | unique | sort')"

 echo "$CHECKS" | jq

@@ -43,10 +43,6 @@ jobs:
      with:
        version: ${{ matrix.version }}
        use-all-platform-bundle: true
-    - name: Install .NET
-      uses: actions/setup-dotnet@v5
-      with:
-        dotnet-version: '9.x'
    - id: init
      uses: ./../action/init
      with:
@@ -20,7 +20,7 @@ defaults:
 jobs:
  update-bundle:
    if: github.event.release.prerelease && startsWith(github.event.release.tag_name, 'codeql-bundle-')
-    runs-on: ubuntu-slim
+    runs-on: ubuntu-latest
    permissions:
      contents: write # needed to push commits
      pull-requests: write # needed to create pull requests
@@ -40,13 +40,8 @@ jobs:
          git config --global user.email "41898282+github-actions[bot]@users.noreply.github.com"
          git config --global user.name "github-actions[bot]"

-      - name: Set up Python
-        uses: actions/setup-python@v6
-        with:
-          python-version: '3.12'
-
      - name: Set up Node.js
-        uses: actions/setup-node@v6
+        uses: actions/setup-node@v5
        with:
          node-version: 24
          cache: 'npm'
@@ -83,8 +78,28 @@ jobs:
          echo "PR_URL=$pr_url" | tee -a "$GITHUB_ENV"

      - name: Create changelog note
+        shell: python
        run: |
-          python .github/workflows/script/bundle_changelog.py
+          import os
+          import re
+
+          # Get the PR number from the PR URL.
+          pr_number = os.environ['PR_URL'].split('/')[-1]
+          changelog_note = f"- Update default CodeQL bundle version to {os.environ['CLI_VERSION']}. [#{pr_number}]({os.environ['PR_URL']})"
+
+          # If the "[UNRELEASED]" section starts with "no user facing changes", remove that line.
+          # Use perl to avoid having to escape the newline character.
+
+          with open('CHANGELOG.md', 'r') as f:
+              changelog = f.read()
+
+          changelog = changelog.replace('## [UNRELEASED]\n\nNo user facing changes.', '## [UNRELEASED]\n')
+
+          # Add the changelog note to the bottom of the "[UNRELEASED]" section.
+          changelog = re.sub(r'\n## (\d+\.\d+\.\d+)', f'{changelog_note}\n\n## \\1', changelog, count=1)
+
+          with open('CHANGELOG.md', 'w') as f:
+              f.write(changelog)

      - name: Push changelog note
        run: |
@@ -26,7 +26,7 @@ jobs:

  update:
    timeout-minutes: 45
-    runs-on: ubuntu-slim
+    runs-on: ubuntu-latest
    if: github.event_name == 'workflow_dispatch'
    needs: [prepare]
    env:
@@ -77,7 +77,7 @@ jobs:

  backport:
    timeout-minutes: 45
-    runs-on: ubuntu-slim
+    runs-on: ubuntu-latest
    environment: Automation
    needs: [prepare]
    if: ${{ (github.event_name == 'push') && needs.prepare.outputs.backport_target_branches != '[]' }}
@@ -4,18 +4,12 @@ on:
  schedule:
    - cron: "0 0 * * *"
  workflow_dispatch:
-  pull_request:
-    branches:
-      - main
-    paths:
-      - .github/workflows/update-supported-enterprise-server-versions.yml
-      - .github/workflows/update-supported-enterprise-server-versions/update.py

 jobs:
  update-supported-enterprise-server-versions:
    name: Update Supported Enterprise Server Versions
    timeout-minutes: 45
-    runs-on: ubuntu-slim
+    runs-on: ubuntu-latest
    if: github.repository == 'github/codeql-action'
    permissions:
      contents: write # needed to push commits
@@ -34,7 +28,6 @@ jobs:
          repository: github/enterprise-releases
          token: ${{ secrets.ENTERPRISE_RELEASE_TOKEN }}
          path: ${{ github.workspace }}/enterprise-releases/
-          sparse-checkout: releases.json
      - name: Update Supported Enterprise Server Versions
        run: |
          cd ./.github/workflows/update-supported-enterprise-server-versions/
@@ -42,7 +35,6 @@ jobs:
          pipenv install
          pipenv run ./update.py
          rm --recursive "$ENTERPRISE_RELEASES_PATH"
-          npm ci
          npm run build
        env:
          ENTERPRISE_RELEASES_PATH: ${{ github.workspace }}/enterprise-releases/
@@ -52,33 +44,25 @@ jobs:
          git config --global user.email "41898282+github-actions[bot]@users.noreply.github.com"
          git config --global user.name "github-actions[bot]"

-      - name: Commit changes
-        id: prepare-commit
+      - name: Commit changes and open PR
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          if [[ -z $(git status --porcelain) ]]; then
            echo "No changes to commit"
-            echo "committed=false" >> $GITHUB_OUTPUT
          else
            git checkout -b update-supported-enterprise-server-versions
            git add .
            git commit --message "Update supported GitHub Enterprise Server versions"
+            git push origin update-supported-enterprise-server-versions

-            echo "committed=true" >> $GITHUB_OUTPUT
+            body="This PR updates the list of supported GitHub Enterprise Server versions, either because a new "
+            body+="version is about to be feature frozen, or because an old release has been deprecated."
+            body+=$'\n\n'
+            body+="If an old release has been deprecated, please follow the instructions in CONTRIBUTING.md to "
+            body+="deprecate the corresponding version of CodeQL."
+
+            gh pr create --draft \
+              --title "Update supported GitHub Enterprise Server versions" \
+              --body "$body"
          fi
-
-      - name: Open PR
-        if: github.event_name != 'pull_request' && steps.prepare-commit.outputs.committed == 'true'
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        run: |
-          git push origin update-supported-enterprise-server-versions
-
-          body="This PR updates the list of supported GitHub Enterprise Server versions, either because a new "
-          body+="version is about to be feature frozen, or because an old release has been deprecated."
-          body+=$'\n\n'
-          body+="If an old release has been deprecated, please follow the instructions in CONTRIBUTING.md to "
-          body+="deprecate the corresponding version of CodeQL."
-
-          gh pr create --draft \
-            --title "Update supported GitHub Enterprise Server versions" \
-            --body "$body"
@@ -2,33 +2,7 @@

 See the [releases page](https://github.com/github/codeql-action/releases) for the relevant changes to the CodeQL CLI and language packs.

-## 4.31.5 - 24 Nov 2025
-
-No user facing changes.
-
-## 4.31.4 - 18 Nov 2025
-
-No user facing changes.
-
-## 4.31.3 - 13 Nov 2025
-
- CodeQL Action v3 will be deprecated in December 2026.  The Action now logs a warning for customers who are running v3 but could be running v4. For more information, see [Upcoming deprecation of CodeQL Action v3](https://github.blog/changelog/2025-10-28-upcoming-deprecation-of-codeql-action-v3/).
- Update default CodeQL bundle version to 2.23.5. [#3288](https://github.com/github/codeql-action/pull/3288)
-
-## 4.31.2 - 30 Oct 2025
-
-No user facing changes.
-
-## 4.31.1 - 30 Oct 2025
-
- The `add-snippets` input has been removed from the `analyze` action. This input has been deprecated since CodeQL Action 3.26.4 in August 2024 when this removal was announced.
-
-## 4.31.0 - 24 Oct 2025
-
- Bump minimum CodeQL bundle version to 2.17.6. [#3223](https://github.com/github/codeql-action/pull/3223)
- When SARIF files are uploaded by the `analyze` or `upload-sarif` actions, the CodeQL Action automatically performs post-processing steps to prepare the data for the upload. Previously, these post-processing steps were only performed before an upload took place. We are now changing this so that the post-processing steps will always be performed, even when the SARIF files are not uploaded. This does not change anything for the `upload-sarif` action. For `analyze`, this may affect Advanced Setup for CodeQL users who specify a value other than `always` for the `upload` input. [#3222](https://github.com/github/codeql-action/pull/3222)
-
-## 4.30.9 - 17 Oct 2025
+## [UNRELEASED]

 - Update default CodeQL bundle version to 2.23.3. [#3205](https://github.com/github/codeql-action/pull/3205)
 - Experimental: A new `setup-codeql` action has been added which is similar to `init`, except it only installs the CodeQL CLI and does not initialize a database. Do not use this in production as it is part of an internal experiment and subject to change at any time. [#3204](https://github.com/github/codeql-action/pull/3204)
@@ -6,7 +6,7 @@ inputs:
    description: The name of the check run to add text to.
    required: false
  output:
-    description: The path of the directory in which to save the SARIF results from the CodeQL CLI.
+    description: The path of the directory in which to save the SARIF results
    required: false
    default: "../results"
  upload:
@@ -32,10 +32,14 @@ inputs:
      and 13GB for macOS).
    required: false
  add-snippets:
-    description: Does not have any effect.
+    description: Specify whether or not to add code snippets to the output sarif file.
    required: false
+    default: "false"
    deprecationMessage: >-
-      The input "add-snippets" has been removed and no longer has any effect.
+      The input "add-snippets" is deprecated and will be removed on the first release in August 2025.
+      When this input is set to true it is expected to add code snippets with an alert to the SARIF file.
+      However, since Code Scanning ignores code snippets provided as part of a SARIF file this is currently
+      a no operation. No alternative is available.
  skip-queries:
    description: If this option is set, the CodeQL database will be built but no queries will be run on it. Thus, no results will be produced.
    required: false
@@ -66,12 +70,6 @@ inputs:
    description: Whether to upload the resulting CodeQL database
    required: false
    default: "true"
-  post-processed-sarif-path:
-    description: >-
-      Before uploading the SARIF files produced by the CodeQL CLI, the CodeQL Action may perform some post-processing
-      on them. Ordinarily, these post-processed SARIF files are not saved to disk. However, if a path is provided as an
-      argument for this input, they are written to the specified directory.
-    required: false
  wait-for-processing:
    description: If true, the Action will wait for the uploaded SARIF to be processed before completing.
    required: true
@@ -12,7 +12,6 @@ import filenames from "eslint-plugin-filenames";
 import github from "eslint-plugin-github";
 import _import from "eslint-plugin-import";
 import noAsyncForeach from "eslint-plugin-no-async-foreach";
-import jsdoc from "eslint-plugin-jsdoc";
 import globals from "globals";

 const __filename = fileURLToPath(import.meta.url);
@@ -53,7 +52,6 @@ export default [
      github: fixupPluginRules(github),
      import: fixupPluginRules(_import),
      "no-async-foreach": noAsyncForeach,
-      "jsdoc": jsdoc,
    },

    languageOptions: {
@@ -133,18 +131,7 @@ export default [
      "no-sequences": "error",
      "no-shadow": "off",
      "@typescript-eslint/no-shadow": "error",
-      "@typescript-eslint/prefer-optional-chain": "error",
      "one-var": ["error", "never"],
-
-      // Check param names to ensure that we don't have outdated JSDocs.
-      "jsdoc/check-param-names": [
-        "error",
-        {
-          // We don't currently require full JSDoc coverage, so this rule
-          // should not error on missing @param annotations.
-          disableMissingParamChecks: true,
-        }
-      ],
    },
  },
  {
@@ -0,0 +1,29 @@
+import fs from "node:fs";
+import path from "node:path";
+import { fileURLToPath } from "node:url";
+
+import { globSync } from "glob";
+import { compileFromFile } from 'json-schema-to-typescript';
+
+const __filename = fileURLToPath(import.meta.url);
+const __dirname = path.dirname(__filename);
+
+const SRC_DIR = path.join(__dirname, "schemas");
+const OUT_DIR = path.join(__dirname, "src");
+
+async function generateTypings() {
+  const schemas = globSync(`${SRC_DIR}/*.json`);
+  for (const schema of schemas) {
+    const outPath = path.join(
+      OUT_DIR,
+      `${path.basename(schema, ".json")}.d.ts`,
+    );
+    const ts = await compileFromFile(schema, {
+      bannerComment:
+        "/* This file was automatically generated by `npm run generate:schemas`. Do not edit by hand. */",
+    });
+    fs.writeFileSync(outPath, ts, "utf-8");
+  }
+}
+
+await generateTypings();
@@ -1,6 +1,6 @@
 {
-  "bundleVersion": "codeql-bundle-v2.23.5",
-  "cliVersion": "2.23.5",
-  "priorBundleVersion": "codeql-bundle-v2.23.3",
-  "priorCliVersion": "2.23.3"
+  "bundleVersion": "codeql-bundle-v2.23.3",
+  "cliVersion": "2.23.3",
+  "priorBundleVersion": "codeql-bundle-v2.23.2",
+  "priorCliVersion": "2.23.2"
 }
@@ -1,6 +1,6 @@
 {
  "name": "codeql",
-  "version": "4.31.5",
+  "version": "4.30.9",
  "private": true,
  "description": "CodeQL action",
  "scripts": {
@@ -12,7 +12,8 @@
    "ava": "npm run transpile && ava --serial --verbose",
    "test": "npm run ava -- src/",
    "test-debug": "npm run test -- --timeout=20m",
-    "transpile": "tsc --build --verbose"
+    "transpile": "npm run generate:schemas && tsc --build --verbose",
+    "generate:schemas": "node json-schemas.mjs"
  },
  "ava": {
    "typescript": {
@@ -24,55 +25,61 @@
  },
  "license": "MIT",
  "dependencies": {
-    "@actions/artifact": "^4.0.0",
+    "@actions/artifact": "^2.3.1",
    "@actions/artifact-legacy": "npm:@actions/artifact@^1.1.2",
    "@actions/cache": "^4.1.0",
    "@actions/core": "^1.11.1",
    "@actions/exec": "^1.1.1",
    "@actions/github": "^6.0.0",
    "@actions/glob": "^0.5.0",
-    "@actions/http-client": "^3.0.0",
-    "@actions/io": "^2.0.0",
+    "@actions/http-client": "^2.2.3",
+    "@actions/io": "^1.1.3",
    "@actions/tool-cache": "^2.0.2",
    "@octokit/plugin-retry": "^6.0.0",
+    "@octokit/request-error": "^7.0.1",
    "@schemastore/package": "0.0.10",
    "archiver": "^7.0.1",
+    "check-disk-space": "^3.4.0",
+    "console-log-level": "^1.4.1",
+    "del": "^8.0.0",
    "fast-deep-equal": "^3.1.3",
    "follow-redirects": "^1.15.11",
    "get-folder-size": "^5.0.0",
-    "js-yaml": "^4.1.1",
+    "js-yaml": "^4.1.0",
    "jsonschema": "1.4.1",
    "long": "^5.3.2",
    "node-forge": "^1.3.1",
+    "octokit": "^5.0.3",
    "semver": "^7.7.3",
    "uuid": "^13.0.0"
  },
  "devDependencies": {
    "@ava/typescript": "6.0.0",
-    "@eslint/compat": "^2.0.0",
+    "@eslint/compat": "^1.4.0",
    "@eslint/eslintrc": "^3.3.1",
-    "@eslint/js": "^9.39.1",
+    "@eslint/js": "^9.37.0",
    "@microsoft/eslint-formatter-sarif": "^3.1.0",
-    "@octokit/types": "^16.0.0",
-    "@types/archiver": "^7.0.0",
+    "@octokit/types": "^15.0.0",
+    "@types/archiver": "^6.0.3",
+    "@types/console-log-level": "^1.4.5",
    "@types/follow-redirects": "^1.14.4",
    "@types/js-yaml": "^4.0.9",
-    "@types/node": "^20.19.9",
+    "@types/node": "20.19.9",
    "@types/node-forge": "^1.3.14",
    "@types/semver": "^7.7.1",
-    "@types/sinon": "^21.0.0",
-    "@typescript-eslint/eslint-plugin": "^8.46.4",
+    "@types/sinon": "^17.0.4",
+    "@typescript-eslint/eslint-plugin": "^8.46.0",
    "@typescript-eslint/parser": "^8.41.0",
    "ava": "^6.4.1",
-    "esbuild": "^0.27.0",
+    "esbuild": "^0.25.10",
    "eslint": "^8.57.1",
    "eslint-import-resolver-typescript": "^3.8.7",
    "eslint-plugin-filenames": "^1.3.2",
    "eslint-plugin-github": "^5.1.8",
    "eslint-plugin-import": "2.29.1",
-    "eslint-plugin-jsdoc": "^61.2.1",
    "eslint-plugin-no-async-foreach": "^0.1.1",
-    "glob": "^11.1.0",
+    "glob": "^11.0.3",
+    "json-schema-to-typescript": "^15.0.4",
    "nock": "^14.0.10",
    "sinon": "^21.0.0",
    "typescript": "^5.9.3"
@@ -96,7 +103,6 @@
    "eslint-plugin-jsx-a11y": {
      "semver": ">=6.3.1"
    },
-    "brace-expansion@2.0.1": "2.0.2",
-    "glob": "^11.1.0"
+    "brace-expansion@2.0.1": "2.0.2"
  }
 }
@@ -4,7 +4,6 @@ operatingSystems: ["ubuntu", "macos", "windows"]
 versions: ["nightly-latest"]
 useAllPlatformBundle: "true"
 installGo: true
-installDotNet: true
 steps:
  - id: init
    uses: ./../action/init
@@ -3,7 +3,6 @@ description: "Checks that specifying 'ref' and 'sha' as inputs works"
 versions: ["default"]
 installGo: true
 installPython: true
-installDotNet: true
 steps:
  - uses: ./../action/init
    with:
@@ -2,7 +2,6 @@ name: "autobuild-action"
 description: "Tests that the C# autobuild action works"
 operatingSystems: ["ubuntu", "macos", "windows"]
 versions: ["linked"]
-installDotNet: true
 steps:
  - uses: ./../action/init
    with:
@@ -2,7 +2,6 @@ name: "Build mode manual"
 description: "An end-to-end integration test of a Java repository built using 'build-mode: manual'"
 versions: ["nightly-latest"]
 installGo: true
-installDotNet: true
 steps:
  - uses: ./../action/init
    id: init
@@ -27,7 +27,7 @@ steps:
      output: ${{ runner.temp }}/results
      upload-database: false
  - name: Upload SARIF
-    uses: actions/upload-artifact@v5
+    uses: actions/upload-artifact@v4
    with:
      name: ${{ matrix.os }}-zstd-bundle.sarif
      path: ${{ runner.temp }}/results/javascript.sarif
@@ -12,7 +12,7 @@ steps:
      output: "${{ runner.temp }}/results"
      upload-database: false
  - name: Upload SARIF
-    uses: actions/upload-artifact@v5
+    uses: actions/upload-artifact@v4
    with:
      name: config-export-${{ matrix.os }}-${{ matrix.version }}.sarif.json
      path: "${{ runner.temp }}/results/javascript.sarif"
@@ -25,7 +25,7 @@ steps:
      output: "${{ runner.temp }}/results"
      upload-database: false
  - name: Upload SARIF
-    uses: actions/upload-artifact@v5
+    uses: actions/upload-artifact@v4
    with:
      name: diagnostics-export-${{ matrix.os }}-${{ matrix.version }}.sarif.json
      path: "${{ runner.temp }}/results/javascript.sarif"
@@ -3,7 +3,6 @@ description: "Tests that file baseline information is exported when the feature
 operatingSystems: ["ubuntu", "macos", "windows"]
 versions: ["nightly-latest"]
 installGo: true
-installDotNet: true
 env:
  CODEQL_ACTION_SUBLANGUAGE_FILE_COVERAGE: true
 steps:
@@ -18,7 +17,7 @@ steps:
    with:
      output: "${{ runner.temp }}/results"
  - name: Upload SARIF
-    uses: actions/upload-artifact@v5
+    uses: actions/upload-artifact@v4
    with:
      name: with-baseline-information-${{ matrix.os }}-${{ matrix.version }}.sarif.json
      path: "${{ runner.temp }}/results/javascript.sarif"
@@ -7,7 +7,6 @@ versions:
  - linked
  - nightly-latest
 installGo: true
-installDotNet: true
 env:
  DOTNET_GENERATE_ASPNET_CERTIFICATE: "false"
 steps:
@@ -11,7 +11,7 @@ steps:
    with:
      output: "${{ runner.temp }}/results"
  - name: Upload SARIF
-    uses: actions/upload-artifact@v5
+    uses: actions/upload-artifact@v4
    with:
      name: ${{ matrix.os }}-${{ matrix.version }}.sarif.json
      path: "${{ runner.temp }}/results/javascript.sarif"
@@ -3,7 +3,6 @@ description: "Tests using a CodeQL bundle from a local file rather than a URL"
 versions: ["linked"]
 installGo: true
 installPython: true
-installDotNet: true
 steps:
  - name: Fetch latest CodeQL bundle
    run: |
@@ -5,7 +5,6 @@ env:
  CODEQL_ACTION_RESOLVE_SUPPORTED_LANGUAGES_USING_CLI: true
 installGo: true
 installPython: true
-installDotNet: true
 steps:
  - name: Use Xcode 16
    if: runner.os == 'macOS' && matrix.version != 'nightly-latest'
@@ -4,7 +4,6 @@ versions: ["linked", "default", "nightly-latest"] # This feature is not compatib
 installGo: true
 installNode: true
 installPython: true
-installDotNet: true
 steps:
  - uses: ./../action/init
    with:
@@ -3,7 +3,6 @@ description: "Checks that specifying packages using a combination of a config fi
 versions: ["linked", "default", "nightly-latest"] # This feature is not compatible with old CLIs
 installGo: true
 installNode: true
-installDotNet: true
 steps:
  - uses: ./../action/init
    with:
@@ -3,7 +3,6 @@ description: "Checks that specifying packages using only a config file works"
 versions: ["linked", "default", "nightly-latest"] # This feature is not compatible with old CLIs
 installGo: true
 installNode: true
-installDotNet: true
 steps:
  - uses: ./../action/init
    with:
@@ -3,7 +3,6 @@ description: "Checks that specifying packages using the input to the Action work
 versions: ["linked", "default", "nightly-latest"] # This feature is not compatible with old CLIs
 installGo: true
 installNode: true
-installDotNet: true
 steps:
  - uses: ./../action/init
    with:
@@ -36,10 +36,9 @@ steps:
    with:
      output: "${{ runner.temp }}/results"
      upload-database: false
-      post-processed-sarif-path: "${{ runner.temp }}/post-processed"
  - name: Upload security SARIF
    if: contains(matrix.analysis-kinds, 'code-scanning')
-    uses: actions/upload-artifact@v5
+    uses: actions/upload-artifact@v4
    with:
      name: |
        quality-queries-${{ matrix.os }}-${{ matrix.version }}-${{ matrix.analysis-kinds }}.sarif.json
@@ -47,20 +46,12 @@ steps:
      retention-days: 7
  - name: Upload quality SARIF
    if: contains(matrix.analysis-kinds, 'code-quality')
-    uses: actions/upload-artifact@v5
+    uses: actions/upload-artifact@v4
    with:
      name: |
        quality-queries-${{ matrix.os }}-${{ matrix.version }}-${{ matrix.analysis-kinds }}.quality.sarif.json
      path: "${{ runner.temp }}/results/javascript.quality.sarif"
      retention-days: 7
-  - name: Upload post-processed SARIF
-    uses: actions/upload-artifact@v5
-    with:
-      name: |
-        post-processed-${{ matrix.os }}-${{ matrix.version }}-${{ matrix.analysis-kinds }}.sarif.json
-      path: "${{ runner.temp }}/post-processed"
-      retention-days: 7
-      if-no-files-found: error
  - name: Check quality query does not appear in security SARIF
    if: contains(matrix.analysis-kinds, 'code-scanning')
    uses: actions/github-script@v8
@@ -7,7 +7,6 @@ versions:
  - nightly-latest
 installGo: true
 installPython: true
-installDotNet: true
 steps:
  - uses: ./../action/init
    with:
@@ -4,7 +4,7 @@ description: "Tests using RuboCop to analyze a multi-language repository and the
 versions: ["default"]
 steps:
  - name: Set up Ruby
-    uses: ruby/setup-ruby@8aeb6ff8030dd539317f8e1769a044873b56ea71 # v1.268.0
+    uses: ruby/setup-ruby@ab177d40ee5483edb974554986f56b33477e21d0 # v1.265.0
    with:
      ruby-version: 2.6
  - name: Install Code Scanning integration
@@ -3,7 +3,6 @@ description: "Tests a split-up workflow in which we first build a database and l
 operatingSystems: ["ubuntu", "macos"]
 versions: ["linked", "default", "nightly-latest"] # This feature is not compatible with old CLIs
 installGo: true
-installDotNet: true
 steps:
  - uses: ./../action/init
    with:
@@ -3,7 +3,6 @@ description: "Tests creation of a Swift database using custom build"
 versions: ["linked", "default", "nightly-latest"]
 operatingSystems: ["macos"]
 installGo: true
-installDotNet: true
 env:
  DOTNET_GENERATE_ASPNET_CERTIFICATE: "false"
 steps:
@@ -7,7 +7,6 @@ versions:
  - nightly-latest
 installGo: true
 installPython: true
-installDotNet: true
 steps:
  - uses: ./../action/init
    id: init
@@ -3,7 +3,6 @@ description: "Checks that specifying 'ref' and 'sha' as inputs works"
 versions: ["default"]
 installGo: true
 installPython: true
-installDotNet: true
 steps:
  - uses: ./../action/init
    with:
@@ -4,7 +4,6 @@ versions: ["default"]
 analysisKinds: ["code-scanning", "code-quality", "code-scanning,code-quality"]
 installGo: true
 installPython: true
-installDotNet: true
 steps:
  - uses: ./../action/init
    with:
@@ -3,7 +3,6 @@ description: "Checks that a custom `checkout_path` will find the proper commit_o
 versions: ["linked"]
 installGo: true
 installPython: true
-installDotNet: true
 steps:
  # This ensures we don't accidentally use the original checkout for any part of the test.
  - name: Delete original checkout
@@ -117,7 +117,7 @@ for file in sorted((this_dir / 'checks').glob('*.yml')):
        steps.extend([
            {
                'name': 'Install Node.js',
-                'uses': 'actions/setup-node@v6',
+                'uses': 'actions/setup-node@v5',
                'with': {
                    'node-version': '20.x',
                    'cache': 'npm',
@@ -204,25 +204,6 @@ for file in sorted((this_dir / 'checks').glob('*.yml')):
            }
        })

-    installDotNet = is_truthy(checkSpecification.get('installDotNet', ''))
-
-    if installDotNet:
-        baseDotNetVersionExpr = '9.x'
-        workflowInputs['dotnet-version'] = {
-            'type': 'string',
-            'description': 'The version of .NET to install',
-            'required': False,
-            'default': baseDotNetVersionExpr,
-        }
-
-        steps.append({
-            'name': 'Install .NET',
-            'uses': 'actions/setup-dotnet@v5',
-            'with': {
-                'dotnet-version': '${{ inputs.dotnet-version || \'' + baseDotNetVersionExpr + '\' }}'
-            }
-        })
-
    # If container initialisation steps are present in the check specification,
    # make sure to execute them first.
    if 'container' in checkSpecification and 'container-init-steps' in checkSpecification:
@@ -1,6 +1,6 @@
 {
  "$schema": "https://json-schema.org/draft/2020-12/schema",
-  "title": "CodeQL Database Configuration",
+  "title": "UserConfig",
  "description": "Format of the config file supplied by the user for CodeQL analysis",
  "type": "object",
  "properties": {
@@ -9,15 +9,9 @@ if [ "$GITHUB_ACTIONS" = "true" ]; then
 fi

 # Check if npm install is likely needed before proceeding
-if [ ! -d node_modules ]; then
-  echo "Running 'npm install' because 'node_modules' directory is missing."
-  npm install
-elif [ package.json -nt package-lock.json ]; then
-  echo "Running 'npm install' because 'package-lock.json' appears to be outdated."
-  npm install
-elif [ package-lock.json -nt node_modules/.package-lock.json ]; then
-  echo "Running 'npm install' because 'node_modules/.package-lock.json' appears to be outdated."
+if [ ! -d node_modules ] || [ package-lock.json -nt node_modules/.package-lock.json ]; then
+  echo "Running 'npm install' because 'node_modules/.package-lock.json' appears to be outdated..."
  npm install
 else
-  echo "Skipping 'npm install' because everything appears to be up-to-date."
+  echo "Skipping 'npm install' because 'node_modules/.package-lock.json' appears to be up-to-date."
 fi
@@ -80,7 +80,7 @@ export function isRunningLocalAction(): boolean {
 *
 * This can be used to get the Action's name or tell if we're running a local Action.
 */
-function getRelativeScriptPath(): string {
+export function getRelativeScriptPath(): string {
  const runnerTemp = getRequiredEnvParam("RUNNER_TEMP");
  const actionsDirectory = path.join(path.dirname(runnerTemp), "_actions");
  return path.relative(actionsDirectory, __filename);
@@ -98,7 +98,7 @@ export async function getAnalysisKinds(
 export const codeQualityQueries: string[] = ["code-quality"];

 // Enumerates API endpoints that accept SARIF files.
-enum SARIF_UPLOAD_ENDPOINT {
+export enum SARIF_UPLOAD_ENDPOINT {
  CODE_SCANNING = "PUT /repos/:owner/:repo/code-scanning/analysis",
  CODE_QUALITY = "PUT /repos/:owner/:repo/code-quality/analysis",
 }
@@ -24,9 +24,6 @@ setupTests(test);
 // but the first test would fail.

 test("analyze action with RAM & threads from environment variables", async (t) => {
-  // This test frequently times out on Windows with the default timeout, so we bump
-  // it a bit to 20s.
-  t.timeout(1000 * 20);
  await util.withTmpDir(async (tmpDir) => {
    process.env["GITHUB_SERVER_URL"] = util.GITHUB_DOTCOM_URL;
    process.env["GITHUB_REPOSITORY"] = "github/codeql-action-fake-repository";
@@ -78,7 +75,7 @@ test("analyze action with RAM & threads from environment variables", async (t) =
    t.deepEqual(runFinalizeStub.firstCall.args[1], "--threads=-1");
    t.deepEqual(runFinalizeStub.firstCall.args[2], "--ram=4992");
    t.assert(runQueriesStub.calledOnce);
-    t.deepEqual(runQueriesStub.firstCall.args[2], "--threads=-1");
+    t.deepEqual(runQueriesStub.firstCall.args[3], "--threads=-1");
    t.deepEqual(runQueriesStub.firstCall.args[1], "--ram=4992");
  });
 });
@@ -24,7 +24,6 @@ setupTests(test);
 // but the first test would fail.

 test("analyze action with RAM & threads from action inputs", async (t) => {
-  t.timeout(1000 * 20);
  await util.withTmpDir(async (tmpDir) => {
    process.env["GITHUB_SERVER_URL"] = util.GITHUB_DOTCOM_URL;
    process.env["GITHUB_REPOSITORY"] = "github/codeql-action-fake-repository";
@@ -76,7 +75,7 @@ test("analyze action with RAM & threads from action inputs", async (t) => {
    t.deepEqual(runFinalizeStub.firstCall.args[1], "--threads=-1");
    t.deepEqual(runFinalizeStub.firstCall.args[2], "--ram=3012");
    t.assert(runQueriesStub.calledOnce);
-    t.deepEqual(runQueriesStub.firstCall.args[2], "--threads=-1");
+    t.deepEqual(runQueriesStub.firstCall.args[3], "--threads=-1");
    t.deepEqual(runQueriesStub.firstCall.args[1], "--ram=3012");
  });
 });
@@ -25,7 +25,7 @@ import {
  isCodeQualityEnabled,
  isCodeScanningEnabled,
 } from "./config-utils";
-import { cleanupAndUploadDatabases } from "./database-upload";
+import { uploadDatabases } from "./database-upload";
 import {
  DependencyCacheUploadStatusReport,
  uploadDependencyCaches,
@@ -35,7 +35,7 @@ import { EnvVar } from "./environment";
 import { Feature, Features } from "./feature-flags";
 import { KnownLanguage } from "./languages";
 import { getActionsLogger, Logger } from "./logging";
-import { cleanupAndUploadOverlayBaseDatabaseToCache } from "./overlay-database-utils";
+import { uploadOverlayBaseDatabaseToCache } from "./overlay-database-utils";
 import { getRepositoryNwo } from "./repository";
 import * as statusReport from "./status-report";
 import {
@@ -52,7 +52,6 @@ import {
 } from "./trap-caching";
 import * as uploadLib from "./upload-lib";
 import { UploadResult } from "./upload-lib";
-import { postProcessAndUploadSarif } from "./upload-sarif";
 import * as util from "./util";

 interface AnalysisStatusReport
@@ -212,9 +211,7 @@ async function runAutobuildIfLegacyGoWorkflow(config: Config, logger: Logger) {

 async function run() {
  const startedAt = new Date();
-  let uploadResults:
-    | Partial<Record<analyses.AnalysisKind, UploadResult>>
-    | undefined = undefined;
+  let uploadResult: UploadResult | undefined = undefined;
  let runStats: QueriesStatusReport | undefined = undefined;
  let config: Config | undefined = undefined;
  let trapCacheCleanupTelemetry: TrapCacheCleanupStatusReport | undefined =
@@ -324,16 +321,10 @@ async function run() {
    );

    if (actionsUtil.getRequiredInput("skip-queries") !== "true") {
-      // Warn if the removed `add-snippets` input is used.
-      if (actionsUtil.getOptionalInput("add-snippets") !== undefined) {
-        logger.warning(
-          "The `add-snippets` input has been removed and no longer has any effect.",
-        );
-      }
-
      runStats = await runQueries(
        outputDir,
        memory,
+        util.getAddSnippetsFlag(actionsUtil.getRequiredInput("add-snippets")),
        threads,
        diffRangePackDir,
        actionsUtil.getOptionalInput("category"),
@@ -350,88 +341,43 @@ async function run() {
    }
    core.setOutput("db-locations", dbLocations);
    core.setOutput("sarif-output", path.resolve(outputDir));
-    const uploadKind = actionsUtil.getUploadValue(
-      actionsUtil.getOptionalInput("upload"),
-    );
-    if (runStats) {
-      const checkoutPath = actionsUtil.getRequiredInput("checkout_path");
-      const category = actionsUtil.getOptionalInput("category");
-
-      if (await features.getValue(Feature.AnalyzeUseNewUpload)) {
-        uploadResults = await postProcessAndUploadSarif(
-          logger,
-          features,
-          uploadKind,
-          checkoutPath,
+    const uploadInput = actionsUtil.getOptionalInput("upload");
+    if (runStats && actionsUtil.getUploadValue(uploadInput) === "always") {
+      if (isCodeScanningEnabled(config)) {
+        uploadResult = await uploadLib.uploadFiles(
          outputDir,
-          category,
-          actionsUtil.getOptionalInput("post-processed-sarif-path"),
+          actionsUtil.getRequiredInput("checkout_path"),
+          actionsUtil.getOptionalInput("category"),
+          features,
+          logger,
+          analyses.CodeScanning,
        );
-      } else if (uploadKind === "always") {
-        uploadResults = {};
-
-        if (isCodeScanningEnabled(config)) {
-          uploadResults[analyses.AnalysisKind.CodeScanning] =
-            await uploadLib.uploadFiles(
-              outputDir,
-              checkoutPath,
-              category,
-              features,
-              logger,
-              analyses.CodeScanning,
-            );
-        }
-
-        if (isCodeQualityEnabled(config)) {
-          uploadResults[analyses.AnalysisKind.CodeQuality] =
-            await uploadLib.uploadFiles(
-              outputDir,
-              checkoutPath,
-              category,
-              features,
-              logger,
-              analyses.CodeQuality,
-            );
-        }
-      } else {
-        uploadResults = {};
-        logger.info("Not uploading results");
+        core.setOutput("sarif-id", uploadResult.sarifID);
      }

-      // Set the SARIF id outputs only if we have results for them, to avoid
-      // having keys with empty values in the action output.
-      if (uploadResults[analyses.AnalysisKind.CodeScanning] !== undefined) {
-        core.setOutput(
-          "sarif-id",
-          uploadResults[analyses.AnalysisKind.CodeScanning].sarifID,
-        );
-      }
-      if (uploadResults[analyses.AnalysisKind.CodeQuality] !== undefined) {
-        core.setOutput(
-          "quality-sarif-id",
-          uploadResults[analyses.AnalysisKind.CodeQuality].sarifID,
+      if (isCodeQualityEnabled(config)) {
+        const analysis = analyses.CodeQuality;
+        const qualityUploadResult = await uploadLib.uploadFiles(
+          outputDir,
+          actionsUtil.getRequiredInput("checkout_path"),
+          actionsUtil.getOptionalInput("category"),
+          features,
+          logger,
+          analysis,
        );
+        core.setOutput("quality-sarif-id", qualityUploadResult.sarifID);
      }
    } else {
      logger.info("Not uploading results");
    }

    // Possibly upload the overlay-base database to actions cache.
-    // Note: Take care with the ordering of this call since databases may be cleaned up
-    // at the `overlay` level.
-    await cleanupAndUploadOverlayBaseDatabaseToCache(codeql, config, logger);
+    // If databases are to be uploaded, they will first be cleaned up at the overlay level.
+    await uploadOverlayBaseDatabaseToCache(codeql, config, logger);

    // Possibly upload the database bundles for remote queries.
-    // Note: Take care with the ordering of this call since databases may be cleaned up
-    // at the `overlay` or `clear` level.
-    await cleanupAndUploadDatabases(
-      repositoryNwo,
-      codeql,
-      config,
-      apiDetails,
-      features,
-      logger,
-    );
+    // If databases are to be uploaded, they will first be cleaned up at the clear level.
+    await uploadDatabases(repositoryNwo, codeql, config, apiDetails, logger);

    // Possibly upload the TRAP caches for later re-use
    const trapCacheUploadStartTime = performance.now();
@@ -447,11 +393,14 @@ async function run() {

    // Store dependency cache(s) if dependency caching is enabled.
    if (shouldStoreCache(config.dependencyCachingEnabled)) {
-      dependencyCacheResults = await uploadDependencyCaches(
+      const minimizeJavaJars = await features.getValue(
+        Feature.JavaMinimizeDependencyJars,
        codeql,
-        features,
+      );
+      dependencyCacheResults = await uploadDependencyCaches(
        config,
        logger,
+        minimizeJavaJars,
      );
    }

@@ -459,12 +408,12 @@ async function run() {
    if (util.isInTestMode()) {
      logger.debug("In test mode. Waiting for processing is disabled.");
    } else if (
-      uploadResults?.[analyses.AnalysisKind.CodeScanning] !== undefined &&
+      uploadResult !== undefined &&
      actionsUtil.getRequiredInput("wait-for-processing") === "true"
    ) {
      await uploadLib.waitForProcessing(
        getRepositoryNwo(),
-        uploadResults[analyses.AnalysisKind.CodeScanning].sarifID,
+        uploadResult.sarifID,
        getActionsLogger(),
      );
    }
@@ -501,16 +450,13 @@ async function run() {
    return;
  }

-  if (
-    runStats !== undefined &&
-    uploadResults?.[analyses.AnalysisKind.CodeScanning] !== undefined
-  ) {
+  if (runStats && uploadResult) {
    await sendStatusReport(
      startedAt,
      config,
      {
        ...runStats,
-        ...uploadResults[analyses.AnalysisKind.CodeScanning].statusReport,
+        ...uploadResult.statusReport,
      },
      undefined,
      trapCacheUploadTime,
@@ -520,7 +466,7 @@ async function run() {
      dependencyCacheResults,
      logger,
    );
-  } else if (runStats !== undefined) {
+  } else if (runStats) {
    await sendStatusReport(
      startedAt,
      config,
@@ -4,8 +4,10 @@ import * as path from "path";
 import test from "ava";
 import * as sinon from "sinon";

+import * as actionsUtil from "./actions-util";
 import { CodeQuality, CodeScanning } from "./analyses";
 import {
+  exportedForTesting,
  runQueries,
  defaultSuites,
  resolveQuerySuiteAlias,
@@ -37,6 +39,7 @@ test("status report fields", async (t) => {
    setupActionsVars(tmpDir, tmpDir);

    const memoryFlag = "";
+    const addSnippetsFlag = "";
    const threadsFlag = "";
    sinon.stub(uploadLib, "validateSarifFileSchema");

@@ -102,6 +105,7 @@ test("status report fields", async (t) => {
      const statusReport = await runQueries(
        tmpDir,
        memoryFlag,
+        addSnippetsFlag,
        threadsFlag,
        undefined,
        undefined,
@@ -127,6 +131,204 @@ test("status report fields", async (t) => {
  });
 });

+function runGetDiffRanges(changes: number, patch: string[] | undefined): any {
+  sinon
+    .stub(actionsUtil, "getRequiredInput")
+    .withArgs("checkout_path")
+    .returns("/checkout/path");
+  return exportedForTesting.getDiffRanges(
+    {
+      filename: "test.txt",
+      changes,
+      patch: patch?.join("\n"),
+    },
+    getRunnerLogger(true),
+  );
+}
+
+test("getDiffRanges: file unchanged", async (t) => {
+  const diffRanges = runGetDiffRanges(0, undefined);
+  t.deepEqual(diffRanges, []);
+});
+
+test("getDiffRanges: file diff too large", async (t) => {
+  const diffRanges = runGetDiffRanges(1000000, undefined);
+  t.deepEqual(diffRanges, [
+    {
+      path: "/checkout/path/test.txt",
+      startLine: 0,
+      endLine: 0,
+    },
+  ]);
+});
+
+test("getDiffRanges: diff thunk with single addition range", async (t) => {
+  const diffRanges = runGetDiffRanges(2, [
+    "@@ -30,6 +50,8 @@",
+    " a",
+    " b",
+    " c",
+    "+1",
+    "+2",
+    " d",
+    " e",
+    " f",
+  ]);
+  t.deepEqual(diffRanges, [
+    {
+      path: "/checkout/path/test.txt",
+      startLine: 53,
+      endLine: 54,
+    },
+  ]);
+});
+
+test("getDiffRanges: diff thunk with single deletion range", async (t) => {
+  const diffRanges = runGetDiffRanges(2, [
+    "@@ -30,8 +50,6 @@",
+    " a",
+    " b",
+    " c",
+    "-1",
+    "-2",
+    " d",
+    " e",
+    " f",
+  ]);
+  t.deepEqual(diffRanges, []);
+});
+
+test("getDiffRanges: diff thunk with single update range", async (t) => {
+  const diffRanges = runGetDiffRanges(2, [
+    "@@ -30,7 +50,7 @@",
+    " a",
+    " b",
+    " c",
+    "-1",
+    "+2",
+    " d",
+    " e",
+    " f",
+  ]);
+  t.deepEqual(diffRanges, [
+    {
+      path: "/checkout/path/test.txt",
+      startLine: 53,
+      endLine: 53,
+    },
+  ]);
+});
+
+test("getDiffRanges: diff thunk with addition ranges", async (t) => {
+  const diffRanges = runGetDiffRanges(2, [
+    "@@ -30,7 +50,9 @@",
+    " a",
+    " b",
+    " c",
+    "+1",
+    " c",
+    "+2",
+    " d",
+    " e",
+    " f",
+  ]);
+  t.deepEqual(diffRanges, [
+    {
+      path: "/checkout/path/test.txt",
+      startLine: 53,
+      endLine: 53,
+    },
+    {
+      path: "/checkout/path/test.txt",
+      startLine: 55,
+      endLine: 55,
+    },
+  ]);
+});
+
+test("getDiffRanges: diff thunk with mixed ranges", async (t) => {
+  const diffRanges = runGetDiffRanges(2, [
+    "@@ -30,7 +50,7 @@",
+    " a",
+    " b",
+    " c",
+    "-1",
+    " d",
+    "-2",
+    "+3",
+    " e",
+    " f",
+    "+4",
+    "+5",
+    " g",
+    " h",
+    " i",
+  ]);
+  t.deepEqual(diffRanges, [
+    {
+      path: "/checkout/path/test.txt",
+      startLine: 54,
+      endLine: 54,
+    },
+    {
+      path: "/checkout/path/test.txt",
+      startLine: 57,
+      endLine: 58,
+    },
+  ]);
+});
+
+test("getDiffRanges: multiple diff thunks", async (t) => {
+  const diffRanges = runGetDiffRanges(2, [
+    "@@ -30,6 +50,8 @@",
+    " a",
+    " b",
+    " c",
+    "+1",
+    "+2",
+    " d",
+    " e",
+    " f",
+    "@@ -130,6 +150,8 @@",
+    " a",
+    " b",
+    " c",
+    "+1",
+    "+2",
+    " d",
+    " e",
+    " f",
+  ]);
+  t.deepEqual(diffRanges, [
+    {
+      path: "/checkout/path/test.txt",
+      startLine: 53,
+      endLine: 54,
+    },
+    {
+      path: "/checkout/path/test.txt",
+      startLine: 153,
+      endLine: 154,
+    },
+  ]);
+});
+
+test("getDiffRanges: no diff context lines", async (t) => {
+  const diffRanges = runGetDiffRanges(2, ["@@ -30 +50,2 @@", "+1", "+2"]);
+  t.deepEqual(diffRanges, [
+    {
+      path: "/checkout/path/test.txt",
+      startLine: 50,
+      endLine: 51,
+    },
+  ]);
+});
+
+test("getDiffRanges: malformed thunk header", async (t) => {
+  const diffRanges = runGetDiffRanges(2, ["@@ 30 +50,2 @@", "+1", "+2"]);
+  t.deepEqual(diffRanges, undefined);
+});
+
 test("resolveQuerySuiteAlias", (t) => {
  // default query suite names should resolve to something language-specific ending in `.qls`.
  for (const suite of defaultSuites) {
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Michael B. Gale	0cf61911ea	Generate `UserConfig` from schema ... ish	2025-10-17 16:19:12 +01:00
Michael B. Gale	816fc30181	Add command for turning JSON schemas into TypeScript typings	2025-10-17 16:12:28 +01:00