Merge pull request #3868 from github/mergeback/v4.35.3-to-main-e46ed2cb

Mergeback v4.35.3 refs/heads/releases/v4 into main
Rebuild
2026-05-03 12:20:09 +00:00 · 2026-05-01 14:34:01 +00:00 · 2026-05-01 14:09:49 +00:00 · 2026-05-01 14:06:46 +00:00 · 2026-05-01 15:05:28 +01:00 · 2026-05-01 14:09:58 +01:00
18968 changed files with 1594310 additions and 4747085 deletions
@@ -61,11 +61,12 @@ runs:
    - name: Check config
      working-directory: ${{ github.action_path }}
      shell: bash
-      run: ts-node ./index.ts "${{ runner.temp }}/user-config.yaml" '${{ inputs.expected-config-file-contents }}'
-
+      env:
+        EXPECTED_CONFIG_FILE_CONTENTS: '${{ inputs.expected-config-file-contents }}'
+      run: ts-node ./index.ts "$RUNNER_TEMP/user-config.yaml" "$EXPECTED_CONFIG_FILE_CONTENTS"
    - name: Clean up
      shell: bash
      if: always()
      run: |
-        rm -rf ${{ runner.temp }}/codescanning-config-cli-test
-        rm -rf ${{ runner.temp }}/user-config.yaml
+        rm -rf $RUNNER_TEMP/codescanning-config-cli-test
+        rm -rf $RUNNER_TEMP/user-config.yaml
@@ -6,9 +6,19 @@ import * as assert from 'assert'

 const actualConfig = loadActualConfig()

+function sortConfigArrays(config) {
+  for (const key of Object.keys(config)) {
+    const value = config[key];
+    if (key === 'queries' && Array.isArray(value)) {
+      config[key] = value.sort();
+    }
+  }
+  return config;
+}
+
 const rawExpectedConfig = process.argv[3].trim()
 if (!rawExpectedConfig) {
-  core.info('No expected configuration provided')
+  core.setFailed('No expected configuration provided')
 } else {
  core.startGroup('Expected generated user config')
  core.info(yaml.dump(JSON.parse(rawExpectedConfig)))
@@ -18,8 +28,8 @@ if (!rawExpectedConfig) {
 const expectedConfig = rawExpectedConfig ? JSON.parse(rawExpectedConfig) : undefined;

 assert.deepStrictEqual(
-  actualConfig,
-  expectedConfig,
+  sortConfigArrays(actualConfig),
+  sortConfigArrays(expectedConfig),
  'Expected configuration does not match actual configuration'
 );

@@ -16,5 +16,5 @@ inputs:
      Comma separated list of query ids that should NOT be included in this SARIF file.

 runs:
-  using: node20
+  using: node24
  main: index.js
@@ -0,0 +1,80 @@
+name: "Prepare mergeback branch"
+description: Prepares a mergeback branch and opens a PR for it
+inputs:
+  base:
+    description: "The name of the base branch"
+    required: true
+  head:
+    description: "The name of the head branch"
+    required: true
+  branch:
+    description: "The name of the branch to create."
+    required: true
+  version:
+    description: "The new version"
+    required: true
+  token:
+    description: "The token to use"
+    required: true
+  dry-run:
+    description: "Set to true to skip creating the PR. The branch will still be pushed."
+    default: "false"
+runs:
+  using: composite
+  steps:
+    - name: Create mergeback branch
+      shell: bash
+      env:
+        VERSION: "${{ inputs.version }}"
+        NEW_BRANCH: "${{ inputs.branch }}"
+      run: |
+        set -exu
+
+        # Ensure we are on the new branch
+        git checkout "${NEW_BRANCH}"
+
+        # Update the version number ready for the next release
+        npm version patch --no-git-tag-version
+
+        # Update the changelog, adding a new version heading directly above the most recent existing one
+        awk '!f && /##/{print "'"## [UNRELEASED]\n\nNo user facing changes.\n"'"; f=1}1' CHANGELOG.md > temp && mv temp CHANGELOG.md
+        git add .
+        git commit -m "Update changelog and version after ${VERSION}"
+
+        git push origin "${NEW_BRANCH}"
+
+    - name: Create PR
+      shell: bash
+      if: inputs.dry-run != 'true'
+      env:
+        VERSION: "${{ inputs.version }}"
+        BASE_BRANCH: "${{ inputs.base }}"
+        HEAD_BRANCH: "${{ inputs.head }}"
+        NEW_BRANCH: "${{ inputs.branch }}"
+        GITHUB_TOKEN: "${{ inputs.token }}"
+      run: |
+        set -exu
+        pr_title="Mergeback ${VERSION} ${HEAD_BRANCH} into ${BASE_BRANCH}"
+        pr_body=$(cat << EOF
+          This PR bumps the version number and updates the changelog after the ${VERSION} release.
+
+          Please do the following:
+
+          - [ ] Remove and re-add the "Rebuild" label to the PR to trigger just this workflow.
+          - [ ] Wait for the "Rebuild" workflow to push a commit updating the distribution files.
+          - [ ] Mark the PR as ready for review to trigger the full set of PR checks.
+          - [ ] Approve and merge the PR. When merging the PR, make sure "Create a merge commit" is
+                selected rather than "Squash and merge" or "Rebase and merge".
+        EOF
+        )
+
+        # PR checks won't be triggered on PRs created by Actions. Therefore mark the PR as draft
+        # so that a maintainer can take the PR out of draft, thereby triggering the PR checks.
+        gh pr create \
+          --head "${NEW_BRANCH}" \
+          --base "${BASE_BRANCH}" \
+          --title "${pr_title}" \
+          --label "Rebuild" \
+          --body "${pr_body}" \
+          --assignee "${GITHUB_ACTOR}" \
+          --draft
@@ -2,7 +2,7 @@ name: "Prepare test"
 description: Performs some preparation to run tests
 inputs:
  version:
-    description: "The version of the CodeQL CLI to use. Can be 'linked', 'default', 'nightly-latest', 'nightly-YYYY-MM-DD', or 'stable-YYYY-MM-DD'."
+    description: "The version of the CodeQL CLI to use. Can be 'linked', 'default', 'toolcache', 'nightly', 'nightly-latest', 'nightly-YYYYMMDD', or 'stable-vX.Y.Z"
    required: true
  use-all-platform-bundle:
    description: "If true, we output a tools URL with codeql-bundle.tar.gz file rather than platform-specific URL"
@@ -29,41 +29,45 @@ runs:
    - id: get-url
      name: Determine URL
      shell: bash
+      env:
+        VERSION: ${{ inputs.version }}
+        USE_ALL_PLATFORM_BUNDLE: ${{ inputs.use-all-platform-bundle }}
      run: |
        set -e # Fail this Action if `gh release list` fails.

-        if [[ ${{ inputs.version }} == "nightly-latest" ]]; then
-          extension="tar.zst"
-        else
-          extension="tar.gz"
+        if [[ "$VERSION" == "nightly" || "$VERSION" == "nightly-latest" ]]; then
+          echo "tools-url=nightly" >> "$GITHUB_OUTPUT"
+          exit 0
+        elif [[ "$VERSION" == "linked" ]]; then
+          echo "tools-url=linked" >> "$GITHUB_OUTPUT"
+          exit 0
+        elif [[ "$VERSION" == "toolcache" ]]; then
+          echo "tools-url=toolcache" >> "$GITHUB_OUTPUT"
+          exit 0
+        elif [[ "$VERSION" == "default" ]]; then
+          echo "tools-url=" >> "$GITHUB_OUTPUT"
+          exit 0
        fi

-        if [[ ${{ inputs.use-all-platform-bundle }} == "true" ]]; then
-          artifact_name="codeql-bundle.$extension"
+        if [[ "$USE_ALL_PLATFORM_BUNDLE" == "true" ]]; then
+          artifact_name="codeql-bundle.tar.gz"
        elif [[ "$RUNNER_OS" == "Linux" ]]; then
-          artifact_name="codeql-bundle-linux64.$extension"
+          artifact_name="codeql-bundle-linux64.tar.gz"
        elif [[ "$RUNNER_OS" == "macOS" ]]; then
-          artifact_name="codeql-bundle-osx64.$extension"
+          artifact_name="codeql-bundle-osx64.tar.gz"
        elif [[ "$RUNNER_OS" == "Windows" ]]; then
-          artifact_name="codeql-bundle-win64.$extension"
+          artifact_name="codeql-bundle-win64.tar.gz"
        else
          echo "::error::Unrecognized OS $RUNNER_OS"
          exit 1
        fi

-        if [[ ${{ inputs.version }} == "nightly-latest" ]]; then
-          tag=`gh release list --repo dsp-testing/codeql-cli-nightlies -L 1 | cut -f 3`
-          echo "tools-url=https://github.com/dsp-testing/codeql-cli-nightlies/releases/download/$tag/$artifact_name" >> $GITHUB_OUTPUT
-        elif [[ ${{ inputs.version }} == *"nightly"* ]]; then
-          version=`echo ${{ inputs.version }} | sed -e 's/^.*\-//'`
-          echo "tools-url=https://github.com/dsp-testing/codeql-cli-nightlies/releases/download/codeql-bundle-$version-manual/$artifact_name" >> $GITHUB_OUTPUT
-        elif [[ ${{ inputs.version }} == *"stable"* ]]; then
-          version=`echo ${{ inputs.version }} | sed -e 's/^.*\-//'`
+        if [[ "$VERSION" == *"nightly"* ]]; then
+          version=`echo "$VERSION" | sed -e 's/^.*\-//'`
+          echo "tools-url=https://github.com/dsp-testing/codeql-cli-nightlies/releases/download/codeql-bundle-$version/$artifact_name" >> $GITHUB_OUTPUT
+        elif [[ "$VERSION" == *"stable"* ]]; then
+          version=`echo "$VERSION" | sed -e 's/^.*\-//'`
          echo "tools-url=https://github.com/github/codeql-action/releases/download/codeql-bundle-$version/$artifact_name" >> $GITHUB_OUTPUT
-        elif [[ ${{ inputs.version }} == "linked" ]]; then
-          echo "tools-url=linked" >> $GITHUB_OUTPUT
-        elif [[ ${{ inputs.version }} == "default" ]]; then
-          echo "tools-url=" >> $GITHUB_OUTPUT
        else
          echo "::error::Unrecognized version specified!"
          exit 1
@@ -18,8 +18,12 @@ runs:
  using: "composite"
  steps:
    - id: branches
+      env:
+        MAJOR_VERSION: ${{ inputs.major_version }}
+        LATEST_TAG: ${{ inputs.latest_tag }}
      run: |
-        python ${{ github.action_path }}/release-branches.py \
-            --major-version ${{ inputs.major_version }} \
-            --latest-tag ${{ inputs.latest_tag }}
+        npm ci
+        npx tsx ./pr-checks/release-branches.ts \
+            --major-version "$MAJOR_VERSION" \
+            --latest-tag "$LATEST_TAG"
      shell: bash
@@ -1,55 +0,0 @@
-import argparse
-import json
-import os
-import configparser
-
-# Name of the remote
-ORIGIN = 'origin'
-
-script_dir = os.path.dirname(os.path.realpath(__file__))
-grandparent_dir = os.path.dirname(os.path.dirname(script_dir))
-
-config = configparser.ConfigParser()
-with open(os.path.join(grandparent_dir, 'releases.ini')) as stream:
-    config.read_string('[default]\n' + stream.read())
-
-OLDEST_SUPPORTED_MAJOR_VERSION = int(config['default']['OLDEST_SUPPORTED_MAJOR_VERSION'])
-
-def main():
-
-  parser = argparse.ArgumentParser()
-  parser.add_argument("--major-version", required=True, type=str, help="The major version of the release")
-  parser.add_argument("--latest-tag", required=True, type=str, help="The most recent tag published to the repository")
-  args = parser.parse_args()
-
-  major_version = args.major_version
-  latest_tag = args.latest_tag
-
-  print("major_version: " + major_version)
-  print("latest_tag: " + latest_tag)
-
-  # If this is a primary release, we backport to all supported branches,
-  # so we check whether the major_version taken from the package.json
-  # is greater than or equal to the latest tag pulled from the repo.
-  # For example...
-  #     'v1' >= 'v2' is False # we're operating from an older release branch and should not backport
-  #     'v2' >= 'v2' is True  # the normal case where we're updating the current version
-  #     'v3' >= 'v2' is True  # in this case we are making the first release of a new major version
-  consider_backports = ( major_version >= latest_tag.split(".")[0] )
-
-  with open(os.environ["GITHUB_OUTPUT"], "a") as f:
-
-    f.write(f"backport_source_branch=releases/{major_version}\n")
-
-    backport_target_branches = []
-
-    if consider_backports:
-      for i in range(int(major_version.strip("v"))-1, 0, -1):
-        branch_name = f"releases/v{i}"
-        if i >= OLDEST_SUPPORTED_MAJOR_VERSION:
-          backport_target_branches.append(branch_name)
-
-    f.write("backport_target_branches="+json.dumps(backport_target_branches)+"\n")
-
-if __name__ == "__main__":
-  main()
@@ -15,10 +15,16 @@ runs:
      run: echo "$GITHUB_CONTEXT"
      shell: bash

-    - name: Set up Python
-      uses: actions/setup-python@v5
+    - name: Set up Node
+      uses: actions/setup-node@v6
      with:
-        python-version: 3.12
+        node-version: 20
+        cache: 'npm'
+
+    - name: Set up Python
+      uses: actions/setup-python@v6
+      with:
+        python-version: '3.12'

    - name: Install dependencies
      run: |
@@ -1,39 +0,0 @@
-name: "Set up Swift on Linux"
-description: Sets up an appropriate Swift version on Linux.
-inputs:
-  codeql-path:
-    description: Path to the CodeQL CLI executable.
-    required: true
-runs:
-  using: "composite"
-  steps:
-    - name: Get Swift version
-      id: get_swift_version
-      if: runner.os == 'Linux'
-      shell: bash
-      env:
-        CODEQL_PATH: ${{ inputs.codeql-path }}
-      run: |
-        SWIFT_EXTRACTOR_DIR="$("$CODEQL_PATH" resolve languages --format json | jq -r '.swift[0]')"
-        if [ $SWIFT_EXTRACTOR_DIR = "null" ]; then
-          VERSION="null"
-        else
-          VERSION="$("$SWIFT_EXTRACTOR_DIR/tools/linux64/extractor" --version | awk '/version/ { print $3 }')"
-          # Specify 5.x.0, otherwise setup Action will default to latest minor version.
-          if [ $VERSION = "5.7" ]; then
-            VERSION="5.7.0"
-          elif [ $VERSION = "5.8" ]; then
-            VERSION="5.8.0"
-          elif [ $VERSION = "5.9" ]; then
-            VERSION="5.9.0"
-          # setup-swift does not yet support v5.9.1 Remove this when it does.
-          elif [ $VERSION = "5.9.1" ]; then
-            VERSION="5.9.0"
-          fi
-        fi
-        echo "version=$VERSION" | tee -a $GITHUB_OUTPUT
-
-    - uses: redsun82/setup-swift@362f49f31da2f5f4f851657046bdd1290d03edc8 # Please update the corresponding SHA in the CLI's CodeQL Action Integration Test.
-      if: runner.os == 'Linux' && steps.get_swift_version.outputs.version != 'null'
-      with:
-        swift-version: "${{ steps.get_swift_version.outputs.version }}"
@@ -0,0 +1,6 @@
+name: Verify that the best-effort debug artifact scan completed
+description: Verifies that the best-effort debug artifact scan completed successfully during tests
+runs:
+  using: node24
+  main: index.js
+  post: post.js
@@ -0,0 +1,2 @@
+// The main step is a no-op, since we can only verify artifact scan completion in the post step.
+console.log("Will verify artifact scan completion in the post step.");
@@ -0,0 +1,11 @@
+// Post step - runs after the workflow completes, when artifact scan has finished
+const process = require("process");
+
+const scanFinished = process.env.CODEQL_ACTION_ARTIFACT_SCAN_FINISHED;
+
+if (scanFinished !== "true") {
+  console.error("Error: Best-effort artifact scan did not complete. Expected CODEQL_ACTION_ARTIFACT_SCAN_FINISHED=true");
+  process.exit(1);
+}
+
+console.log("✓ Best-effort artifact scan completed successfully");
@@ -0,0 +1,17 @@
+name: "CodeQL config"
+queries:
+  - name: Run custom queries
+    uses: ./queries
+  # Run all extra query suites, both because we want to
+  # and because it'll act as extra testing. This is why
+  # we include both even though one is a superset of the
+  # other, because we're testing the parsing logic and
+  # that the suites exist in the codeql bundle.
+  - uses: security-and-quality
+  - uses: security-experimental
+  - uses: security-extended
+paths-ignore:
+  - lib
+  - tests
+  - "**/*.test.ts"
+  - "**/testing-util.ts"
@@ -1,15 +0,0 @@
-name: "CodeQL config"
-queries: 
-  - name: Run custom queries
-    uses: ./queries
-  # Run all extra query suites, both because we want to
-  # and because it'll act as extra testing. This is why
-  # we include both even though one is a superset of the
-  # other, because we're testing the parsing logic and
-  # that the suites exist in the codeql bundle.
-  - uses: security-experimental
-  - uses: security-extended
-  - uses: security-and-quality
-paths-ignore:
-  - tests
-  - lib
@@ -0,0 +1,21 @@
+# CodeQL Action - Copilot Instructions
+
+## Generated code
+
+The CodeQL Action is written in TypeScript and compiled to JavaScript. Both the TypeScript sources and the **generated** JavaScript code are contained in this repository. The TypeScript sources are contained in the `src` directory and the JavaScript code is contained in the `lib` directory. A GitHub Actions workflow checks that the JavaScript code in `lib` is up-to-date. Therefore, you should not review any changes to the contents of the `lib` folder and it is expected that the JavaScript code in `lib` closely mirrors the TypeScript code it is generated from.
+
+GitHub Actions workflows in the `.github/workflows` directory whose filenames start with two underscores (e.g. `__all-platform-bundle.yml`) are automatically generated using the `pr-checks/sync.sh` script from template files in the `pr-checks/checks` directory. Therefore, you do not need to review files in the `.github/workflows` directory that start with two underscores. However, you should review changes to the `pr-checks` directory as well as workflows in the `.github/workflows` directory that do not start with underscores.
+
+## Release process
+
+- A release-PR is a PR which matches all of the following patterns:
+  - PR title starts with the exact prefix: `Merge main into releases/v`
+    - Equivalent regex: `^Merge main into releases\/v`
+  - AND head (source) branch matches the update-branch pattern:
+    - Regex: `^update-v[0-9]+(?:\.[0-9]+)*(?:-[a-f0-9]+)?` (e.g. `update-v3.29.9-cc722e476`)
+  - AND base (target) branch matches a release branch:
+    - Regex: `^releases\/v` (e.g. `releases/v3`)
+
+- Consider all files in release-PRs to have already been reviewed and do not review them, except for the following two files:
+    - `CHANGELOG.md`
+    - `package.json`
@@ -1,46 +1,46 @@
 version: 2
 updates:
  - package-ecosystem: npm
-    directory: "/"
-    reviewers:
-      - "github/codeql-production-shield"
+    directories:
+      - "/"
+      - "/pr-checks"
    schedule:
      interval: weekly
+    cooldown:
+      default-days: 7
+      exclude:
+        - "@actions/*"
    labels:
-      - Update dependencies
+      - Rebuild
    # Ignore incompatible dependency updates
    ignore:
-      # There is a type incompatibility issue between v0.0.9 and our other dependencies.
-      - dependency-name: "@octokit/plugin-retry"
-        versions: ["~6.0.0"]
-      # v7 requires ESM
-      - dependency-name: "del"
-        versions: ["^7.0.0"]
-      # This is broken due to the way configuration files have changed. 
+      # This is broken due to the way configuration files have changed.
      # This might be fixed when we move to eslint v9.
      - dependency-name: "eslint-plugin-import"
        versions: [">=2.30.0"]
    groups:
-      npm:
+      npm-minor:
        patterns:
          - "*"
+        update-types:
+          - "minor"
+          - "patch"
  - package-ecosystem: github-actions
-    directory: "/"
-    reviewers:
-      - "github/codeql-production-shield"
+    directories:
+      - "/.github/workflows"
+      - "/.github/actions"
    schedule:
      interval: weekly
+    cooldown:
+      default-days: 7
+      exclude:
+        - "actions/*"
+    labels:
+      - Rebuild
    groups:
-      actions:
-        patterns:
-          - "*"
-  - package-ecosystem: github-actions
-    directory: "/.github/actions/setup-swift/" # All subdirectories outside of "/.github/workflows" must be explicitly included.
-    reviewers:
-      - "github/codeql-production-shield"
-    schedule:
-      interval: weekly
-    groups:
-      actions-setup-swift:
+      actions-minor:
        patterns:
          - "*"
+        update-types:
+          - "minor"
+          - "patch"
@@ -1,5 +1,82 @@
+<!--
+    For GitHub staff: Remember that this is a public repository. Do not link to internal resources.
+                      If necessary, link to this PR from an internal issue and include further details there.
+
+    Everyone: Include a summary of the context of this change, what it aims to accomplish, and why you
+              chose the approach you did if applicable. Indicate any open questions you want to answer
+              during the review process and anything you want reviewers to pay particular attention to.
+
+    See https://github.com/github/codeql-action/blob/main/CONTRIBUTING.md for additional information.
+-->
+
+### Risk assessment
+
+For internal use only. Please select the risk level of this change:
+
+- **Low risk:** Changes are fully under feature flags, or have been fully tested and validated in pre-production environments and are highly observable, or are documentation or test only.
+- **High risk:** Changes are not fully under feature flags, have limited visibility and/or cannot be tested outside of production.
+
+#### Which use cases does this change impact?
+
+<!-- Delete options that don't apply. If in doubt, do not delete an option. -->
+
+Workflow types:
+
+- **Advanced setup** - Impacts users who have custom CodeQL workflows.
+- **Managed** - Impacts users with `dynamic` workflows (Default Setup, Code Quality, ...).
+
+Products:
+
+- **Code Scanning** - The changes impact analyses when `analysis-kinds: code-scanning`.
+- **Code Quality** - The changes impact analyses when `analysis-kinds: code-quality`.
+- **Other first-party** - The changes impact other first-party analyses.
+- **Third-party analyses** - The changes affect the `upload-sarif` action.
+
+Environments:
+
+- **Dotcom** - Impacts CodeQL workflows on `github.com` and/or GitHub Enterprise Cloud with Data Residency.
+- **GHES** - Impacts CodeQL workflows on GitHub Enterprise Server.
+- **Testing/None** - This change does not impact any CodeQL workflows in production.
+
+#### How did/will you validate this change?
+
+<!-- Delete options that don't apply. -->
+
+- **Test repository** - This change will be tested on a test repository before merging.
+- **Unit tests** - I am depending on unit test coverage (i.e. tests in `.test.ts` files).
+- **End-to-end tests** - I am depending on PR checks (i.e. tests in `pr-checks`).
+- **Other** - Please provide details.
+- **None** - I am not validating these changes.
+
+#### If something goes wrong after this change is released, what are the mitigation and rollback strategies?
+
+<!-- Delete strategies that don't apply. -->
+
+- **Feature flags** - All new or changed code paths can be fully disabled with corresponding feature flags.
+- **Rollback** - Change can only be disabled by rolling back the release or releasing a new version with a fix.
+- **Development/testing only** - This change cannot cause any failures in production.
+- **Other** - Please provide details.
+
+#### How will you know if something goes wrong after this change is released?
+
+<!-- Delete options that don't apply. -->
+
+- **Telemetry** - I rely on existing telemetry or have made changes to the telemetry.
+    - **Dashboards** - I will watch relevant dashboards for issues after the release. Consider whether this requires this change to be released at a particular time rather than as part of a regular release.
+    - **Alerts** - New or existing monitors will trip if something goes wrong with this change.
+- **Other** - Please provide details.
+
+#### Are there any special considerations for merging or releasing this change?
+
+<!--
+    Consider whether this change depends on a different change in another repository that should be released first.
+-->
+
+- **No special considerations** - This change can be merged at any time.
+- **Special considerations** - This change should only be merged once certain preconditions are met. Please provide details of those or link to this PR from an internal issue.
+
 ### Merge / deployment checklist

- [ ] Confirm this change is backwards compatible with existing workflows.
- [ ] Confirm the [readme](https://github.com/github/codeql-action/blob/main/README.md) has been updated if necessary.
- [ ] Confirm the [changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) has been updated if necessary.
+- Confirm this change is backwards compatible with existing workflows.
+- Consider adding a [changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) entry for this change.
+- Confirm the [readme](https://github.com/github/codeql-action/blob/main/README.md) and docs have been updated if necessary.
@@ -1 +0,0 @@
-OLDEST_SUPPORTED_MAJOR_VERSION=2
@@ -0,0 +1,55 @@
+labeling:
+  applyCategoryLabels: true
+  categoryLabelPrefix: "size/"
+
+commenting:
+  addCommentWhenScoreThresholdHasBeenExceeded: false
+
+sizeup:
+  categories:
+    - name: extra small
+      lte: 25
+      label:
+        name: XS
+        description: Should be very easy to review
+        color: 3cbf00
+    - name: small
+      lte: 100
+      label:
+        name: S
+        description: Should be easy to review
+        color: 5d9801
+    - name: medium
+      lte: 250
+      label:
+        name: M
+        description: Should be of average difficulty to review
+        color: 7f7203
+    - name: large
+      lte: 500
+      label:
+        name: L
+        description: May be hard to review
+        color: a14c05
+    - name: extra large
+      lte: 1000
+      label:
+        name: XL
+        description: May be very hard to review
+        color: c32607
+    - name: extra extra large
+      label:
+        name: XXL
+        description: May be extremely hard to review
+        color: e50009
+  ignoredFilePatterns:
+    - ".github/workflows/__*"
+    - "lib/**/*"
+    - "package-lock.json"
+  testFilePatterns:
+    - "**/*.test.ts"
+  scoring:
+    # This formula and the aliases below it are written in prefix notation.
+    # For an explanation of how this works, please see:
+    # https://github.com/lerebear/sizeup-core/blob/main/README.md#prefix-notation
+    formula: "- - + additions deletions comments whitespace"
@@ -71,8 +71,9 @@ def open_pr(
    body.append('')
    body.append('Contains the following pull requests:')
    for pr in pull_requests:
-      merger = get_merger_of_pr(repo, pr)
-      body.append(f'- #{pr.number} (@{merger})')
+      # Use PR author if they are GitHub staff, otherwise use the merger
+      display_user = get_pr_author_if_staff(pr) or get_merger_of_pr(repo, pr)
+      body.append(f'- #{pr.number} (@{display_user})')

  # List all commits not part of a PR
  if len(commits_without_pull_requests) > 0:
@@ -97,8 +98,8 @@ def open_pr(
  body.append(' - [ ] Ensure the docs team is aware of any documentation changes that need to be released.')

  if not is_primary_release:
-    body.append(' - [ ] Remove and re-add the "Update dependencies" label to the PR to trigger just this workflow.')
-    body.append(' - [ ] Wait for the "Update dependencies" workflow to push a commit updating the dependencies.')
+    body.append(' - [ ] Remove and re-add the "Rebuild" label to the PR to trigger just this workflow.')
+    body.append(' - [ ] Wait for the "Rebuild" workflow to push a commit updating the distribution files.')

  body.append(' - [ ] Mark the PR as ready for review to trigger the full set of PR checks.')
  body.append(' - [ ] Approve and merge this PR. Make sure `Create a merge commit` is selected rather than `Squash and merge` or `Rebase and merge`.')
@@ -108,7 +109,7 @@ def open_pr(
    body.append(' - [ ] Merge all backport PRs to older release branches, that will automatically be created once this PR is merged.')

  title = f'Merge {source_branch} into {target_branch}'
-  labels = ['Update dependencies'] if not is_primary_release else []
+  labels = ['Rebuild'] if not is_primary_release else []

  # Create the pull request
  # PR checks won't be triggered on PRs created by Actions. Therefore mark the PR as draft so that
@@ -168,6 +169,14 @@ def get_pr_for_commit(commit):
 def get_merger_of_pr(repo, pr):
  return repo.get_commit(pr.merge_commit_sha).author.login

+# Get the PR author if they are GitHub staff, otherwise None.
+def get_pr_author_if_staff(pr):
+  if pr.user is None:
+    return None
+  if getattr(pr.user, 'site_admin', False):
+    return pr.user.login
+  return None
+
 def get_current_version():
  with open('package.json', 'r') as f:
    return json.load(f)['version']
@@ -181,9 +190,9 @@ def replace_version_package_json(prev_version, new_version):
      print(line.replace(prev_version, new_version), end='')
    else:
      prev_line_is_codeql = False
-      print(line, end='') 
+      print(line, end='')
    if '\"name\": \"codeql\",' in line:
-        prev_line_is_codeql = True 
+        prev_line_is_codeql = True

 def get_today_string():
  today = datetime.datetime.today()
@@ -371,10 +380,10 @@ def main():
      # releases.
      run_git('revert', vOlder_update_commits[0], '--no-edit')

-      # Also revert the "Update checked-in dependencies" commit created by Actions.
-      update_dependencies_commit = run_git('log', '--grep', '^Update checked-in dependencies', '--format=%H').split()[0]
-      print(f'  Reverting {update_dependencies_commit}')
-      run_git('revert', update_dependencies_commit, '--no-edit')
+      # Also revert the "Rebuild" commit created by Actions.
+      rebuild_commit = run_git('log', '--grep', '^Rebuild$', '--format=%H').split()[0]
+      print(f'  Reverting {rebuild_commit}')
+      run_git('revert', rebuild_commit, '--no-edit')

    else:
      print('  Nothing to revert.')
@@ -389,7 +398,7 @@ def main():

    # Migrate the package version number from a vLatest version number to a vOlder version number
    print(f'Setting version number to {version} in package.json')
-    replace_version_package_json(get_current_version(), version) # We rely on the `Update dependencies` workflow to update package-lock.json
+    replace_version_package_json(get_current_version(), version) # We rely on the `Rebuild` workflow to update package-lock.json
    run_git('add', 'package.json')

    # Migrate the changelog notes from vLatest version numbers to vOlder version numbers
@@ -1,6 +1,6 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
+#     pr-checks/sync.sh
 # to regenerate this file.

 name: PR Check - All-platform bundle
@@ -18,9 +18,41 @@ on:
      - synchronize
      - reopened
      - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
  schedule:
    - cron: '0 5 * * *'
-  workflow_dispatch: {}
+  workflow_dispatch:
+    inputs:
+      dotnet-version:
+        type: string
+        description: The version of .NET to install
+        required: false
+        default: 9.x
+      go-version:
+        type: string
+        description: The version of Go to install
+        required: false
+        default: '>=1.21.0'
+  workflow_call:
+    inputs:
+      dotnet-version:
+        type: string
+        description: The version of .NET to install
+        required: false
+        default: 9.x
+      go-version:
+        type: string
+        description: The version of Go to install
+        required: false
+        default: '>=1.21.0'
+defaults:
+  run:
+    shell: bash
+concurrency:
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group: all-platform-bundle-${{github.ref}}-${{inputs.dotnet-version}}-${{inputs.go-version}}
 jobs:
  all-platform-bundle:
    strategy:
@@ -29,25 +61,29 @@ jobs:
        include:
          - os: ubuntu-latest
            version: nightly-latest
+          - os: macos-latest
+            version: nightly-latest
+          - os: windows-latest
+            version: nightly-latest
    name: All-platform bundle
+    if: github.triggering_actor != 'dependabot[bot]'
    permissions:
      contents: read
-      security-events: write
+      security-events: read
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
-      - name: Setup Python on MacOS
-        uses: actions/setup-python@v5
-        if: >-
-          runner.os == 'macOS' && (
-
-          matrix.version == 'stable-v2.13.5' ||
-
-          matrix.version == 'stable-v2.14.6')
-        with:
-          python-version: '3.11'
      - name: Check out repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
+      - name: Install .NET
+        uses: actions/setup-dotnet@v5
+        with:
+          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
+      - name: Install Go
+        uses: actions/setup-go@v6
+        with:
+          go-version: ${{ inputs.go-version || '>=1.21.0' }}
+          cache: false
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -58,11 +94,10 @@ jobs:
      - id: init
        uses: ./../action/init
        with:
-      # Swift is not supported on Ubuntu so we manually exclude it from the list here
+          # Swift is not supported on Ubuntu so we manually exclude it from the list here
          languages: cpp,csharp,go,java,javascript,python,ruby
          tools: ${{ steps.prepare-test.outputs.tools-url }}
      - name: Build code
-        shell: bash
        run: ./build.sh
      - uses: ./../action/analyze
    env:
@@ -0,0 +1,152 @@
+# Warning: This file is generated automatically, and should not be modified.
+# Instead, please modify the template in the pr-checks directory and run:
+#     pr-checks/sync.sh
+# to regenerate this file.
+
+name: PR Check - Analysis kinds
+env:
+  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+  GO111MODULE: auto
+on:
+  push:
+    branches:
+      - main
+      - releases/v*
+  pull_request:
+    types:
+      - opened
+      - synchronize
+      - reopened
+      - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
+  schedule:
+    - cron: '0 5 * * *'
+  workflow_dispatch:
+    inputs: {}
+  workflow_call:
+    inputs: {}
+defaults:
+  run:
+    shell: bash
+concurrency:
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group: analysis-kinds-${{github.ref}}
+jobs:
+  analysis-kinds:
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - os: ubuntu-latest
+            version: linked
+            analysis-kinds: code-scanning
+          - os: ubuntu-latest
+            version: linked
+            analysis-kinds: code-quality
+          - os: ubuntu-latest
+            version: linked
+            analysis-kinds: code-scanning,code-quality
+          - os: ubuntu-latest
+            version: linked
+            analysis-kinds: risk-assessment
+          - os: ubuntu-latest
+            version: nightly-latest
+            analysis-kinds: code-scanning
+          - os: ubuntu-latest
+            version: nightly-latest
+            analysis-kinds: code-quality
+          - os: ubuntu-latest
+            version: nightly-latest
+            analysis-kinds: code-scanning,code-quality
+          - os: ubuntu-latest
+            version: nightly-latest
+            analysis-kinds: risk-assessment
+    name: Analysis kinds
+    if: github.triggering_actor != 'dependabot[bot]'
+    permissions:
+      contents: read
+      security-events: read
+    timeout-minutes: 45
+    runs-on: ${{ matrix.os }}
+    steps:
+      - name: Check out repository
+        uses: actions/checkout@v6
+      - name: Prepare test
+        id: prepare-test
+        uses: ./.github/actions/prepare-test
+        with:
+          version: ${{ matrix.version }}
+          use-all-platform-bundle: 'false'
+          setup-kotlin: 'true'
+      - uses: ./../action/init
+        with:
+          languages: javascript
+          analysis-kinds: ${{ matrix.analysis-kinds }}
+          tools: ${{ steps.prepare-test.outputs.tools-url }}
+      - uses: ./../action/analyze
+        with:
+          output: '${{ runner.temp }}/results'
+          upload-database: false
+          post-processed-sarif-path: '${{ runner.temp }}/post-processed'
+
+      - name: Upload SARIF files
+        uses: actions/upload-artifact@v7
+        with:
+          name: |
+            analysis-kinds-${{ matrix.os }}-${{ matrix.version }}-${{ matrix.analysis-kinds }}
+          path: '${{ runner.temp }}/results/*.sarif'
+          retention-days: 7
+
+      - name: Upload post-processed SARIF
+        uses: actions/upload-artifact@v7
+        with:
+          name: |
+            post-processed-${{ matrix.os }}-${{ matrix.version }}-${{ matrix.analysis-kinds }}
+          path: '${{ runner.temp }}/post-processed'
+          retention-days: 7
+          if-no-files-found: error
+
+      - name: Check quality query does not appear in security SARIF
+        if: contains(matrix.analysis-kinds, 'code-scanning')
+        uses: actions/github-script@v8
+        env:
+          SARIF_PATH: '${{ runner.temp }}/results/javascript.sarif'
+          EXPECT_PRESENT: 'false'
+        with:
+          script: ${{ env.CHECK_SCRIPT }}
+      - name: Check quality query appears in quality SARIF
+        if: contains(matrix.analysis-kinds, 'code-quality')
+        uses: actions/github-script@v8
+        env:
+          SARIF_PATH: '${{ runner.temp }}/results/javascript.quality.sarif'
+          EXPECT_PRESENT: 'true'
+        with:
+          script: ${{ env.CHECK_SCRIPT }}
+    env:
+      CODEQL_ACTION_RISK_ASSESSMENT_ID: 1
+      CHECK_SCRIPT: |
+        const fs = require('fs');
+
+        const sarif = JSON.parse(fs.readFileSync(process.env['SARIF_PATH'], 'utf8'));
+        const expectPresent = JSON.parse(process.env['EXPECT_PRESENT']);
+        const run = sarif.runs[0];
+        const extensions = run.tool.extensions;
+
+        if (extensions === undefined) {
+          core.setFailed('`extensions` property not found in the SARIF run property bag.');
+        }
+
+        // ID of a query we want to check the presence for
+        const targetId = 'js/regex/always-matches';
+        const found = extensions.find(extension => extension.rules && extension.rules.find(rule => rule.id === targetId));
+
+        if (found && expectPresent) {
+          console.log(`Found rule with id '${targetId}'.`);
+        } else if (!found && !expectPresent) {
+          console.log(`Rule with id '${targetId}' was not found.`);
+        } else {
+          core.setFailed(`${ found ? "Found" : "Didn't find" } rule ${targetId}`);
+        }
+      CODEQL_ACTION_TEST_MODE: true
@@ -1,6 +1,6 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
+#     pr-checks/sync.sh
 # to regenerate this file.

 name: "PR Check - Analyze: 'ref' and 'sha' from inputs"
@@ -18,9 +18,41 @@ on:
      - synchronize
      - reopened
      - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
  schedule:
    - cron: '0 5 * * *'
-  workflow_dispatch: {}
+  workflow_dispatch:
+    inputs:
+      dotnet-version:
+        type: string
+        description: The version of .NET to install
+        required: false
+        default: 9.x
+      go-version:
+        type: string
+        description: The version of Go to install
+        required: false
+        default: '>=1.21.0'
+  workflow_call:
+    inputs:
+      dotnet-version:
+        type: string
+        description: The version of .NET to install
+        required: false
+        default: 9.x
+      go-version:
+        type: string
+        description: The version of Go to install
+        required: false
+        default: '>=1.21.0'
+defaults:
+  run:
+    shell: bash
+concurrency:
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group: analyze-ref-input-${{github.ref}}-${{inputs.dotnet-version}}-${{inputs.go-version}}
 jobs:
  analyze-ref-input:
    strategy:
@@ -29,29 +61,25 @@ jobs:
        include:
          - os: ubuntu-latest
            version: default
-          - os: macos-latest
-            version: default
-          - os: windows-latest
-            version: default
    name: "Analyze: 'ref' and 'sha' from inputs"
+    if: github.triggering_actor != 'dependabot[bot]'
    permissions:
      contents: read
-      security-events: write
+      security-events: read
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
-      - name: Setup Python on MacOS
-        uses: actions/setup-python@v5
-        if: >-
-          runner.os == 'macOS' && (
-
-          matrix.version == 'stable-v2.13.5' ||
-
-          matrix.version == 'stable-v2.14.6')
-        with:
-          python-version: '3.11'
      - name: Check out repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
+      - name: Install .NET
+        uses: actions/setup-dotnet@v5
+        with:
+          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
+      - name: Install Go
+        uses: actions/setup-go@v6
+        with:
+          go-version: ${{ inputs.go-version || '>=1.21.0' }}
+          cache: false
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -63,14 +91,12 @@ jobs:
        with:
          tools: ${{ steps.prepare-test.outputs.tools-url }}
          languages: cpp,csharp,java,javascript,python
-          config-file: ${{ github.repository }}/tests/multi-language-repo/.github/codeql/custom-queries.yml@${{
-            github.sha }}
+          config-file: ${{ github.repository }}/tests/multi-language-repo/.github/codeql/custom-queries.yml@${{ github.sha }}
      - name: Build code
-        shell: bash
        run: ./build.sh
      - uses: ./../action/analyze
        with:
-          ref: refs/heads/main
-          sha: 5e235361806c361d4d3f8859e3c897658025a9a2
+          ref: 'refs/heads/main'
+          sha: '5e235361806c361d4d3f8859e3c897658025a9a2'
    env:
      CODEQL_ACTION_TEST_MODE: true
@@ -1,6 +1,6 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
+#     pr-checks/sync.sh
 # to regenerate this file.

 name: PR Check - autobuild-action
@@ -18,9 +18,31 @@ on:
      - synchronize
      - reopened
      - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
  schedule:
    - cron: '0 5 * * *'
-  workflow_dispatch: {}
+  workflow_dispatch:
+    inputs:
+      dotnet-version:
+        type: string
+        description: The version of .NET to install
+        required: false
+        default: 9.x
+  workflow_call:
+    inputs:
+      dotnet-version:
+        type: string
+        description: The version of .NET to install
+        required: false
+        default: 9.x
+defaults:
+  run:
+    shell: bash
+concurrency:
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group: autobuild-action-${{github.ref}}-${{inputs.dotnet-version}}
 jobs:
  autobuild-action:
    strategy:
@@ -34,24 +56,19 @@ jobs:
          - os: windows-latest
            version: linked
    name: autobuild-action
+    if: github.triggering_actor != 'dependabot[bot]'
    permissions:
      contents: read
-      security-events: write
+      security-events: read
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
-      - name: Setup Python on MacOS
-        uses: actions/setup-python@v5
-        if: >-
-          runner.os == 'macOS' && (
-
-          matrix.version == 'stable-v2.13.5' ||
-
-          matrix.version == 'stable-v2.14.6')
-        with:
-          python-version: '3.11'
      - name: Check out repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
+      - name: Install .NET
+        uses: actions/setup-dotnet@v5
+        with:
+          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -65,7 +82,7 @@ jobs:
          tools: ${{ steps.prepare-test.outputs.tools-url }}
      - uses: ./../action/autobuild
        env:
-      # Explicitly disable the CLR tracer.
+          # Explicitly disable the CLR tracer.
          COR_ENABLE_PROFILING: ''
          COR_PROFILER: ''
          COR_PROFILER_PATH_64: ''
@@ -74,7 +91,6 @@ jobs:
          CORECLR_PROFILER_PATH_64: ''
      - uses: ./../action/analyze
      - name: Check database
-        shell: bash
        run: |
          cd "$RUNNER_TEMP/codeql_databases"
          if [[ ! -d csharp ]]; then
@@ -1,6 +1,6 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
+#     pr-checks/sync.sh
 # to regenerate this file.

 name: PR Check - Autobuild direct tracing (custom working directory)
@@ -18,9 +18,31 @@ on:
      - synchronize
      - reopened
      - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
  schedule:
    - cron: '0 5 * * *'
-  workflow_dispatch: {}
+  workflow_dispatch:
+    inputs:
+      java-version:
+        type: string
+        description: The version of Java to install
+        required: false
+        default: '17'
+  workflow_call:
+    inputs:
+      java-version:
+        type: string
+        description: The version of Java to install
+        required: false
+        default: '17'
+defaults:
+  run:
+    shell: bash
+concurrency:
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group: autobuild-direct-tracing-with-working-dir-${{github.ref}}-${{inputs.java-version}}
 jobs:
  autobuild-direct-tracing-with-working-dir:
    strategy:
@@ -36,24 +58,20 @@ jobs:
          - os: windows-latest
            version: nightly-latest
    name: Autobuild direct tracing (custom working directory)
+    if: github.triggering_actor != 'dependabot[bot]'
    permissions:
      contents: read
-      security-events: write
+      security-events: read
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
-      - name: Setup Python on MacOS
-        uses: actions/setup-python@v5
-        if: >-
-          runner.os == 'macOS' && (
-
-          matrix.version == 'stable-v2.13.5' ||
-
-          matrix.version == 'stable-v2.14.6')
-        with:
-          python-version: '3.11'
      - name: Check out repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
+      - name: Install Java
+        uses: actions/setup-java@v5
+        with:
+          java-version: ${{ inputs.java-version || '17' }}
+          distribution: temurin
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -62,7 +80,6 @@ jobs:
          use-all-platform-bundle: 'false'
          setup-kotlin: 'true'
      - name: Test setup
-        shell: bash
        run: |
          # Make sure that Gradle build succeeds in autobuild-dir ...
          cp -a ../action/tests/java-repo autobuild-dir
@@ -74,7 +91,6 @@ jobs:
          languages: java
          tools: ${{ steps.prepare-test.outputs.tools-url }}
      - name: Check that indirect tracing is disabled
-        shell: bash
        run: |
          if [[ ! -z "${CODEQL_RUNNER}" ]]; then
            echo "Expected indirect tracing to be disabled, but the" \
@@ -1,91 +0,0 @@
-# Warning: This file is generated automatically, and should not be modified.
-# Instead, please modify the template in the pr-checks directory and run:
-#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
-# to regenerate this file.
-
-name: PR Check - Autobuild direct tracing
-env:
-  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-  GO111MODULE: auto
-on:
-  push:
-    branches:
-      - main
-      - releases/v*
-  pull_request:
-    types:
-      - opened
-      - synchronize
-      - reopened
-      - ready_for_review
-  schedule:
-    - cron: '0 5 * * *'
-  workflow_dispatch: {}
-jobs:
-  autobuild-direct-tracing:
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - os: ubuntu-latest
-            version: linked
-          - os: windows-latest
-            version: linked
-          - os: ubuntu-latest
-            version: nightly-latest
-          - os: windows-latest
-            version: nightly-latest
-    name: Autobuild direct tracing
-    permissions:
-      contents: read
-      security-events: write
-    timeout-minutes: 45
-    runs-on: ${{ matrix.os }}
-    steps:
-      - name: Setup Python on MacOS
-        uses: actions/setup-python@v5
-        if: >-
-          runner.os == 'macOS' && (
-
-          matrix.version == 'stable-v2.13.5' ||
-
-          matrix.version == 'stable-v2.14.6')
-        with:
-          python-version: '3.11'
-      - name: Check out repository
-        uses: actions/checkout@v4
-      - name: Prepare test
-        id: prepare-test
-        uses: ./.github/actions/prepare-test
-        with:
-          version: ${{ matrix.version }}
-          use-all-platform-bundle: 'false'
-          setup-kotlin: 'true'
-      - name: Set up Java test repo configuration
-        shell: bash
-        run: |
-          mv * .github ../action/tests/multi-language-repo/
-          mv ../action/tests/multi-language-repo/.github/workflows .github
-          mv ../action/tests/java-repo/* .
-
-      - uses: ./../action/init
-        id: init
-        with:
-          build-mode: autobuild
-          db-location: ${{ runner.temp }}/customDbLocation
-          languages: java
-          tools: ${{ steps.prepare-test.outputs.tools-url }}
-
-      - name: Check that indirect tracing is disabled
-        shell: bash
-        run: |
-          if [[ ! -z "${CODEQL_RUNNER}" ]]; then
-            echo "Expected indirect tracing to be disabled, but the" \
-              "CODEQL_RUNNER environment variable is set."
-            exit 1
-          fi
-
-      - uses: ./../action/analyze
-    env:
-      CODEQL_ACTION_AUTOBUILD_BUILD_MODE_DIRECT_TRACING: true
-      CODEQL_ACTION_TEST_MODE: true
@@ -0,0 +1,83 @@
+# Warning: This file is generated automatically, and should not be modified.
+# Instead, please modify the template in the pr-checks directory and run:
+#     pr-checks/sync.sh
+# to regenerate this file.
+
+name: PR Check - Autobuild working directory
+env:
+  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+  GO111MODULE: auto
+on:
+  push:
+    branches:
+      - main
+      - releases/v*
+  pull_request:
+    types:
+      - opened
+      - synchronize
+      - reopened
+      - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
+  schedule:
+    - cron: '0 5 * * *'
+  workflow_dispatch:
+    inputs: {}
+  workflow_call:
+    inputs: {}
+defaults:
+  run:
+    shell: bash
+concurrency:
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group: autobuild-working-dir-${{github.ref}}
+jobs:
+  autobuild-working-dir:
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - os: ubuntu-latest
+            version: linked
+    name: Autobuild working directory
+    if: github.triggering_actor != 'dependabot[bot]'
+    permissions:
+      contents: read
+      security-events: read
+    timeout-minutes: 45
+    runs-on: ${{ matrix.os }}
+    steps:
+      - name: Check out repository
+        uses: actions/checkout@v6
+      - name: Prepare test
+        id: prepare-test
+        uses: ./.github/actions/prepare-test
+        with:
+          version: ${{ matrix.version }}
+          use-all-platform-bundle: 'false'
+          setup-kotlin: 'true'
+      - name: Test setup
+        run: |
+          # Make sure that Gradle build succeeds in autobuild-dir ...
+          cp -a ../action/tests/java-repo autobuild-dir
+          # ... and fails if attempted in the current directory
+          echo > build.gradle
+      - uses: ./../action/init
+        with:
+          languages: java
+          tools: ${{ steps.prepare-test.outputs.tools-url }}
+      - uses: ./../action/autobuild
+        with:
+          working-directory: autobuild-dir
+      - uses: ./../action/analyze
+      - name: Check database
+        run: |
+          cd "$RUNNER_TEMP/codeql_databases"
+          if [[ ! -d java ]]; then
+            echo "Did not find a Java database"
+            exit 1
+          fi
+    env:
+      CODEQL_ACTION_TEST_MODE: true
@@ -1,6 +1,6 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
+#     pr-checks/sync.sh
 # to regenerate this file.

 name: PR Check - Build mode autobuild
@@ -18,9 +18,31 @@ on:
      - synchronize
      - reopened
      - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
  schedule:
    - cron: '0 5 * * *'
-  workflow_dispatch: {}
+  workflow_dispatch:
+    inputs:
+      java-version:
+        type: string
+        description: The version of Java to install
+        required: false
+        default: '17'
+  workflow_call:
+    inputs:
+      java-version:
+        type: string
+        description: The version of Java to install
+        required: false
+        default: '17'
+defaults:
+  run:
+    shell: bash
+concurrency:
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group: build-mode-autobuild-${{github.ref}}-${{inputs.java-version}}
 jobs:
  build-mode-autobuild:
    strategy:
@@ -28,26 +50,36 @@ jobs:
      matrix:
        include:
          - os: ubuntu-latest
+            version: linked
+          - os: windows-latest
+            version: linked
+          - os: ubuntu-latest
+            version: nightly-latest
+          - os: windows-latest
            version: nightly-latest
    name: Build mode autobuild
+    if: github.triggering_actor != 'dependabot[bot]'
    permissions:
      contents: read
-      security-events: write
+      security-events: read
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
-      - name: Setup Python on MacOS
-        uses: actions/setup-python@v5
-        if: >-
-          runner.os == 'macOS' && (
-
-          matrix.version == 'stable-v2.13.5' ||
-
-          matrix.version == 'stable-v2.14.6')
-        with:
-          python-version: '3.11'
      - name: Check out repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
+      - name: Install Java
+        uses: actions/setup-java@v5
+        with:
+          java-version: ${{ inputs.java-version || '17' }}
+          distribution: temurin
+      - name: Install yq
+        if: runner.os == 'Windows'
+        env:
+          YQ_PATH: ${{ runner.temp }}/yq
+          YQ_VERSION: v4.50.1
+        run: |-
+          gh release download --repo mikefarah/yq --pattern "yq_windows_amd64.exe" "$YQ_VERSION" -O "$YQ_PATH/yq.exe"
+          echo "$YQ_PATH" >> "$GITHUB_PATH"
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -65,7 +97,7 @@ jobs:
        id: init
        with:
          build-mode: autobuild
-          db-location: ${{ runner.temp }}/customDbLocation
+          db-location: '${{ runner.temp }}/customDbLocation'
          languages: java
          tools: ${{ steps.prepare-test.outputs.tools-url }}

@@ -78,6 +110,14 @@ jobs:
            exit 1
          fi

+      - name: Check that indirect tracing is disabled
+        run: |
+          if [[ ! -z "${CODEQL_RUNNER}" ]]; then
+            echo "Expected indirect tracing to be disabled, but the" \
+              "CODEQL_RUNNER environment variable is set."
+            exit 1
+          fi
+
      - uses: ./../action/analyze
    env:
      CODEQL_ACTION_TEST_MODE: true
@@ -1,6 +1,6 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
+#     pr-checks/sync.sh
 # to regenerate this file.

 name: PR Check - Build mode manual
@@ -18,9 +18,41 @@ on:
      - synchronize
      - reopened
      - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
  schedule:
    - cron: '0 5 * * *'
-  workflow_dispatch: {}
+  workflow_dispatch:
+    inputs:
+      dotnet-version:
+        type: string
+        description: The version of .NET to install
+        required: false
+        default: 9.x
+      go-version:
+        type: string
+        description: The version of Go to install
+        required: false
+        default: '>=1.21.0'
+  workflow_call:
+    inputs:
+      dotnet-version:
+        type: string
+        description: The version of .NET to install
+        required: false
+        default: 9.x
+      go-version:
+        type: string
+        description: The version of Go to install
+        required: false
+        default: '>=1.21.0'
+defaults:
+  run:
+    shell: bash
+concurrency:
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group: build-mode-manual-${{github.ref}}-${{inputs.dotnet-version}}-${{inputs.go-version}}
 jobs:
  build-mode-manual:
    strategy:
@@ -30,24 +62,24 @@ jobs:
          - os: ubuntu-latest
            version: nightly-latest
    name: Build mode manual
+    if: github.triggering_actor != 'dependabot[bot]'
    permissions:
      contents: read
-      security-events: write
+      security-events: read
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
-      - name: Setup Python on MacOS
-        uses: actions/setup-python@v5
-        if: >-
-          runner.os == 'macOS' && (
-
-          matrix.version == 'stable-v2.13.5' ||
-
-          matrix.version == 'stable-v2.14.6')
-        with:
-          python-version: '3.11'
      - name: Check out repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
+      - name: Install .NET
+        uses: actions/setup-dotnet@v5
+        with:
+          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
+      - name: Install Go
+        uses: actions/setup-go@v6
+        with:
+          go-version: ${{ inputs.go-version || '>=1.21.0' }}
+          cache: false
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -59,7 +91,7 @@ jobs:
        id: init
        with:
          build-mode: manual
-          db-location: ${{ runner.temp }}/customDbLocation
+          db-location: '${{ runner.temp }}/customDbLocation'
          languages: java
          tools: ${{ steps.prepare-test.outputs.tools-url }}

@@ -73,7 +105,6 @@ jobs:
          fi

      - name: Build code
-        shell: bash
        run: ./build.sh

      - uses: ./../action/analyze
@@ -1,6 +1,6 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
+#     pr-checks/sync.sh
 # to regenerate this file.

 name: PR Check - Build mode none
@@ -18,9 +18,21 @@ on:
      - synchronize
      - reopened
      - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
  schedule:
    - cron: '0 5 * * *'
-  workflow_dispatch: {}
+  workflow_dispatch:
+    inputs: {}
+  workflow_call:
+    inputs: {}
+defaults:
+  run:
+    shell: bash
+concurrency:
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group: build-mode-none-${{github.ref}}
 jobs:
  build-mode-none:
    strategy:
@@ -32,24 +44,15 @@ jobs:
          - os: ubuntu-latest
            version: nightly-latest
    name: Build mode none
+    if: github.triggering_actor != 'dependabot[bot]'
    permissions:
      contents: read
-      security-events: write
+      security-events: read
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
-      - name: Setup Python on MacOS
-        uses: actions/setup-python@v5
-        if: >-
-          runner.os == 'macOS' && (
-
-          matrix.version == 'stable-v2.13.5' ||
-
-          matrix.version == 'stable-v2.14.6')
-        with:
-          python-version: '3.11'
      - name: Check out repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -61,7 +64,7 @@ jobs:
        id: init
        with:
          build-mode: none
-          db-location: ${{ runner.temp }}/customDbLocation
+          db-location: '${{ runner.temp }}/customDbLocation'
          languages: java
          tools: ${{ steps.prepare-test.outputs.tools-url }}

@@ -74,7 +77,7 @@ jobs:
            exit 1
          fi

-  # The latest nightly supports omitting the autobuild Action when the build mode is specified.
+      # The latest nightly supports omitting the autobuild Action when the build mode is specified.
      - uses: ./../action/autobuild
        if: matrix.version != 'nightly-latest'

@@ -1,6 +1,6 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
+#     pr-checks/sync.sh
 # to regenerate this file.

 name: PR Check - Build mode rollback
@@ -18,9 +18,21 @@ on:
      - synchronize
      - reopened
      - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
  schedule:
    - cron: '0 5 * * *'
-  workflow_dispatch: {}
+  workflow_dispatch:
+    inputs: {}
+  workflow_call:
+    inputs: {}
+defaults:
+  run:
+    shell: bash
+concurrency:
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group: build-mode-rollback-${{github.ref}}
 jobs:
  build-mode-rollback:
    strategy:
@@ -30,24 +42,15 @@ jobs:
          - os: ubuntu-latest
            version: nightly-latest
    name: Build mode rollback
+    if: github.triggering_actor != 'dependabot[bot]'
    permissions:
      contents: read
-      security-events: write
+      security-events: read
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
-      - name: Setup Python on MacOS
-        uses: actions/setup-python@v5
-        if: >-
-          runner.os == 'macOS' && (
-
-          matrix.version == 'stable-v2.13.5' ||
-
-          matrix.version == 'stable-v2.14.6')
-        with:
-          python-version: '3.11'
      - name: Check out repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -65,7 +68,7 @@ jobs:
        id: init
        with:
          build-mode: none
-          db-location: ${{ runner.temp }}/customDbLocation
+          db-location: '${{ runner.temp }}/customDbLocation'
          languages: java
          tools: ${{ steps.prepare-test.outputs.tools-url }}

@@ -0,0 +1,72 @@
+# Warning: This file is generated automatically, and should not be modified.
+# Instead, please modify the template in the pr-checks directory and run:
+#     pr-checks/sync.sh
+# to regenerate this file.
+
+name: 'PR Check - Bundle: From nightly'
+env:
+  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+  GO111MODULE: auto
+on:
+  push:
+    branches:
+      - main
+      - releases/v*
+  pull_request:
+    types:
+      - opened
+      - synchronize
+      - reopened
+      - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
+  schedule:
+    - cron: '0 5 * * *'
+  workflow_dispatch:
+    inputs: {}
+  workflow_call:
+    inputs: {}
+defaults:
+  run:
+    shell: bash
+concurrency:
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group: bundle-from-nightly-${{github.ref}}
+jobs:
+  bundle-from-nightly:
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - os: ubuntu-latest
+            version: linked
+    name: 'Bundle: From nightly'
+    if: github.triggering_actor != 'dependabot[bot]'
+    permissions:
+      contents: read
+      security-events: read
+    timeout-minutes: 45
+    runs-on: ${{ matrix.os }}
+    steps:
+      - name: Check out repository
+        uses: actions/checkout@v6
+      - name: Prepare test
+        id: prepare-test
+        uses: ./.github/actions/prepare-test
+        with:
+          version: ${{ matrix.version }}
+          use-all-platform-bundle: 'false'
+          setup-kotlin: 'true'
+      - id: init
+        uses: ./../action/init
+        env:
+          CODEQL_ACTION_FORCE_NIGHTLY: true
+        with:
+          tools: ${{ steps.prepare-test.outputs.tools-url }}
+          languages: javascript
+      - name: Fail if the CodeQL version is not a nightly
+        if: ${{ !contains(steps.init.outputs.codeql-version, '+') }}
+        run: exit 1
+    env:
+      CODEQL_ACTION_TEST_MODE: true
@@ -0,0 +1,88 @@
+# Warning: This file is generated automatically, and should not be modified.
+# Instead, please modify the template in the pr-checks directory and run:
+#     pr-checks/sync.sh
+# to regenerate this file.
+
+name: 'PR Check - Bundle: From toolcache'
+env:
+  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+  GO111MODULE: auto
+on:
+  push:
+    branches:
+      - main
+      - releases/v*
+  pull_request:
+    types:
+      - opened
+      - synchronize
+      - reopened
+      - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
+  schedule:
+    - cron: '0 5 * * *'
+  workflow_dispatch:
+    inputs: {}
+  workflow_call:
+    inputs: {}
+defaults:
+  run:
+    shell: bash
+concurrency:
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group: bundle-from-toolcache-${{github.ref}}
+jobs:
+  bundle-from-toolcache:
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - os: ubuntu-latest
+            version: toolcache
+    name: 'Bundle: From toolcache'
+    if: github.triggering_actor != 'dependabot[bot]'
+    permissions:
+      contents: read
+      security-events: read
+    timeout-minutes: 45
+    runs-on: ${{ matrix.os }}
+    steps:
+      - name: Check out repository
+        uses: actions/checkout@v6
+      - name: Prepare test
+        id: prepare-test
+        uses: ./.github/actions/prepare-test
+        with:
+          version: ${{ matrix.version }}
+          use-all-platform-bundle: 'false'
+          setup-kotlin: 'true'
+      - name: Install @actions/tool-cache
+        run: npm install @actions/tool-cache@3
+      - name: Check toolcache contains CodeQL
+        continue-on-error: true
+        uses: actions/github-script@v8
+        with:
+          script: |
+            const toolcache = require('@actions/tool-cache');
+            const allCodeqlVersions = toolcache.findAllVersions('CodeQL');
+            if (allCodeqlVersions.length === 0) {
+              throw new Error(`CodeQL could not be found in the toolcache`);
+            }
+      - id: setup-codeql
+        uses: ./../action/setup-codeql
+        with:
+          tools: ${{ steps.prepare-test.outputs.tools-url }}
+      - name: Check CodeQL is installed within the toolcache
+        uses: actions/github-script@v8
+        with:
+          script: |
+            const toolcache = require('@actions/tool-cache');
+            const allCodeqlVersions = toolcache.findAllVersions('CodeQL');
+            console.log(`Found CodeQL versions: ${allCodeqlVersions}`);
+            if (allCodeqlVersions.length === 0) {
+              throw new Error('CodeQL not found in toolcache');
+            }
+    env:
+      CODEQL_ACTION_TEST_MODE: true
@@ -0,0 +1,108 @@
+# Warning: This file is generated automatically, and should not be modified.
+# Instead, please modify the template in the pr-checks directory and run:
+#     pr-checks/sync.sh
+# to regenerate this file.
+
+name: 'PR Check - Bundle: Caching checks'
+env:
+  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+  GO111MODULE: auto
+on:
+  push:
+    branches:
+      - main
+      - releases/v*
+  pull_request:
+    types:
+      - opened
+      - synchronize
+      - reopened
+      - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
+  schedule:
+    - cron: '0 5 * * *'
+  workflow_dispatch:
+    inputs: {}
+  workflow_call:
+    inputs: {}
+defaults:
+  run:
+    shell: bash
+concurrency:
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group: bundle-toolcache-${{github.ref}}
+jobs:
+  bundle-toolcache:
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - os: ubuntu-latest
+            version: linked
+          - os: macos-latest
+            version: linked
+          - os: windows-latest
+            version: linked
+    name: 'Bundle: Caching checks'
+    if: github.triggering_actor != 'dependabot[bot]'
+    permissions:
+      contents: read
+      security-events: read
+    timeout-minutes: 45
+    runs-on: ${{ matrix.os }}
+    steps:
+      - name: Check out repository
+        uses: actions/checkout@v6
+      - name: Prepare test
+        id: prepare-test
+        uses: ./.github/actions/prepare-test
+        with:
+          version: ${{ matrix.version }}
+          use-all-platform-bundle: 'false'
+          setup-kotlin: 'true'
+      - name: Remove CodeQL from toolcache
+        uses: actions/github-script@v8
+        with:
+          script: |
+            const fs = require('fs');
+            const path = require('path');
+            const codeqlPath = path.join(process.env['RUNNER_TOOL_CACHE'], 'CodeQL');
+            fs.rmdirSync(codeqlPath, { recursive: true });
+      - name: Install @actions/tool-cache
+        run: npm install @actions/tool-cache@3
+      - name: Check toolcache does not contain CodeQL
+        uses: actions/github-script@v8
+        with:
+          script: |
+            const toolcache = require('@actions/tool-cache');
+            const allCodeqlVersions = toolcache.findAllVersions('CodeQL');
+            if (allCodeqlVersions.length !== 0) {
+              throw new Error(`CodeQL should not be found in the toolcache, but found ${allCodeqlVersions}`);
+            }
+            console.log('No versions of CodeQL found in the toolcache');
+      - id: init
+        uses: ./../action/init
+        with:
+          languages: javascript
+          tools: ${{ steps.prepare-test.outputs.tools-url }}
+      - uses: ./../action/analyze
+        with:
+          output: ${{ runner.temp }}/results
+          upload-database: false
+      - name: Check CodeQL is installed within the toolcache
+        uses: actions/github-script@v8
+        with:
+          script: |
+            const toolcache = require('@actions/tool-cache');
+            const allCodeqlVersions = toolcache.findAllVersions('CodeQL');
+            console.log(`Found CodeQL versions: ${allCodeqlVersions}`);
+            if (allCodeqlVersions.length === 0) {
+              throw new Error('CodeQL not found in toolcache');
+            }
+            if (allCodeqlVersions.length > 1) {
+              throw new Error('Multiple CodeQL versions found in toolcache');
+            }
+    env:
+      CODEQL_ACTION_TEST_MODE: true
@@ -0,0 +1,125 @@
+# Warning: This file is generated automatically, and should not be modified.
+# Instead, please modify the template in the pr-checks directory and run:
+#     pr-checks/sync.sh
+# to regenerate this file.
+
+name: 'PR Check - Bundle: Zstandard checks'
+env:
+  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+  GO111MODULE: auto
+on:
+  push:
+    branches:
+      - main
+      - releases/v*
+  pull_request:
+    types:
+      - opened
+      - synchronize
+      - reopened
+      - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
+  schedule:
+    - cron: '0 5 * * *'
+  workflow_dispatch:
+    inputs: {}
+  workflow_call:
+    inputs: {}
+defaults:
+  run:
+    shell: bash
+concurrency:
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group: bundle-zstd-${{github.ref}}
+jobs:
+  bundle-zstd:
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - os: ubuntu-latest
+            version: linked
+          - os: macos-latest
+            version: linked
+          - os: windows-latest
+            version: linked
+    name: 'Bundle: Zstandard checks'
+    if: github.triggering_actor != 'dependabot[bot]'
+    permissions:
+      contents: read
+      security-events: read
+    timeout-minutes: 45
+    runs-on: ${{ matrix.os }}
+    steps:
+      - name: Check out repository
+        uses: actions/checkout@v6
+      - name: Prepare test
+        id: prepare-test
+        uses: ./.github/actions/prepare-test
+        with:
+          version: ${{ matrix.version }}
+          use-all-platform-bundle: 'false'
+          setup-kotlin: 'true'
+      - name: Remove CodeQL from toolcache
+        uses: actions/github-script@v8
+        with:
+          script: |
+            const fs = require('fs');
+            const path = require('path');
+            const codeqlPath = path.join(process.env['RUNNER_TOOL_CACHE'], 'CodeQL');
+            if (codeqlPath !== undefined) {
+              fs.rmdirSync(codeqlPath, { recursive: true });
+            }
+      - id: init
+        uses: ./../action/init
+        with:
+          languages: javascript
+          tools: ${{ steps.prepare-test.outputs.tools-url }}
+      - uses: ./../action/analyze
+        with:
+          output: ${{ runner.temp }}/results
+          upload-database: false
+      - name: Upload SARIF
+        uses: actions/upload-artifact@v7
+        with:
+          name: ${{ matrix.os }}-zstd-bundle.sarif
+          path: ${{ runner.temp }}/results/javascript.sarif
+          retention-days: 7
+      - name: Check diagnostic with expected tools URL appears in SARIF
+        uses: actions/github-script@v8
+        env:
+          SARIF_PATH: ${{ runner.temp }}/results/javascript.sarif
+        with:
+          script: |
+            const fs = require('fs');
+
+            const sarif = JSON.parse(fs.readFileSync(process.env['SARIF_PATH'], 'utf8'));
+            const run = sarif.runs[0];
+
+            const toolExecutionNotifications = run.invocations[0].toolExecutionNotifications;
+            const downloadTelemetryNotifications = toolExecutionNotifications.filter(n =>
+              n.descriptor.id === 'codeql-action/bundle-download-telemetry'
+            );
+            if (downloadTelemetryNotifications.length !== 1) {
+              core.setFailed(
+                'Expected exactly one reporting descriptor in the ' +
+                  `'runs[].invocations[].toolExecutionNotifications[]' SARIF property, but found ` +
+                  `${downloadTelemetryNotifications.length}. All notification reporting descriptors: ` +
+                  `${JSON.stringify(toolExecutionNotifications)}.`
+              );
+            }
+
+            const toolsUrl = downloadTelemetryNotifications[0].properties.attributes.toolsUrl;
+            console.log(`Found tools URL: ${toolsUrl}`);
+
+            const expectedExtension = process.env['RUNNER_OS'] === 'Windows' ? '.tar.gz' : '.tar.zst';
+
+            if (!toolsUrl.endsWith(expectedExtension)) {
+              core.setFailed(
+                `Expected the tools URL to be a ${expectedExtension} file, but found ${toolsUrl}.`
+              );
+            }
+    env:
+      CODEQL_ACTION_TEST_MODE: true
@@ -1,6 +1,6 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
+#     pr-checks/sync.sh
 # to regenerate this file.

 name: PR Check - Clean up database cluster directory
@@ -18,9 +18,21 @@ on:
      - synchronize
      - reopened
      - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
  schedule:
    - cron: '0 5 * * *'
-  workflow_dispatch: {}
+  workflow_dispatch:
+    inputs: {}
+  workflow_call:
+    inputs: {}
+defaults:
+  run:
+    shell: bash
+concurrency:
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group: cleanup-db-cluster-dir-${{github.ref}}
 jobs:
  cleanup-db-cluster-dir:
    strategy:
@@ -30,24 +42,15 @@ jobs:
          - os: ubuntu-latest
            version: linked
    name: Clean up database cluster directory
+    if: github.triggering_actor != 'dependabot[bot]'
    permissions:
      contents: read
-      security-events: write
+      security-events: read
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
-      - name: Setup Python on MacOS
-        uses: actions/setup-python@v5
-        if: >-
-          runner.os == 'macOS' && (
-
-          matrix.version == 'stable-v2.13.5' ||
-
-          matrix.version == 'stable-v2.14.6')
-        with:
-          python-version: '3.11'
      - name: Check out repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -64,7 +67,7 @@ jobs:
        id: init
        with:
          build-mode: none
-          db-location: ${{ runner.temp }}/customDbLocation
+          db-location: '${{ runner.temp }}/customDbLocation'
          languages: javascript
          tools: ${{ steps.prepare-test.outputs.tools-url }}

@@ -1,6 +1,6 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
+#     pr-checks/sync.sh
 # to regenerate this file.

 name: PR Check - Config export
@@ -18,9 +18,21 @@ on:
      - synchronize
      - reopened
      - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
  schedule:
    - cron: '0 5 * * *'
-  workflow_dispatch: {}
+  workflow_dispatch:
+    inputs: {}
+  workflow_call:
+    inputs: {}
+defaults:
+  run:
+    shell: bash
+concurrency:
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group: config-export-${{github.ref}}
 jobs:
  config-export:
    strategy:
@@ -29,35 +41,18 @@ jobs:
        include:
          - os: ubuntu-latest
            version: linked
-          - os: macos-latest
-            version: linked
-          - os: windows-latest
-            version: linked
          - os: ubuntu-latest
            version: nightly-latest
-          - os: macos-latest
-            version: nightly-latest
-          - os: windows-latest
-            version: nightly-latest
    name: Config export
+    if: github.triggering_actor != 'dependabot[bot]'
    permissions:
      contents: read
-      security-events: write
+      security-events: read
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
-      - name: Setup Python on MacOS
-        uses: actions/setup-python@v5
-        if: >-
-          runner.os == 'macOS' && (
-
-          matrix.version == 'stable-v2.13.5' ||
-
-          matrix.version == 'stable-v2.14.6')
-        with:
-          python-version: '3.11'
      - name: Check out repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -72,18 +67,18 @@ jobs:
          tools: ${{ steps.prepare-test.outputs.tools-url }}
      - uses: ./../action/analyze
        with:
-          output: ${{ runner.temp }}/results
+          output: '${{ runner.temp }}/results'
          upload-database: false
      - name: Upload SARIF
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@v7
        with:
          name: config-export-${{ matrix.os }}-${{ matrix.version }}.sarif.json
-          path: ${{ runner.temp }}/results/javascript.sarif
+          path: '${{ runner.temp }}/results/javascript.sarif'
          retention-days: 7
      - name: Check config properties appear in SARIF
-        uses: actions/github-script@v7
+        uses: actions/github-script@v8
        env:
-          SARIF_PATH: ${{ runner.temp }}/results/javascript.sarif
+          SARIF_PATH: '${{ runner.temp }}/results/javascript.sarif'
        with:
          script: |
            const fs = require('fs');
@@ -1,6 +1,6 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
+#     pr-checks/sync.sh
 # to regenerate this file.

 name: PR Check - Config input
@@ -18,9 +18,21 @@ on:
      - synchronize
      - reopened
      - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
  schedule:
    - cron: '0 5 * * *'
-  workflow_dispatch: {}
+  workflow_dispatch:
+    inputs: {}
+  workflow_call:
+    inputs: {}
+defaults:
+  run:
+    shell: bash
+concurrency:
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group: config-input-${{github.ref}}
 jobs:
  config-input:
    strategy:
@@ -30,24 +42,22 @@ jobs:
          - os: ubuntu-latest
            version: linked
    name: Config input
+    if: github.triggering_actor != 'dependabot[bot]'
    permissions:
      contents: read
-      security-events: write
+      security-events: read
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
-      - name: Setup Python on MacOS
-        uses: actions/setup-python@v5
-        if: >-
-          runner.os == 'macOS' && (
-
-          matrix.version == 'stable-v2.13.5' ||
-
-          matrix.version == 'stable-v2.14.6')
-        with:
-          python-version: '3.11'
      - name: Check out repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
+      - name: Install Node.js
+        uses: actions/setup-node@v6
+        with:
+          node-version: 20.x
+          cache: npm
+      - name: Install dependencies
+        run: npm ci
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -1,6 +1,6 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
+#     pr-checks/sync.sh
 # to regenerate this file.

 name: 'PR Check - C/C++: disabling autoinstalling dependencies (Linux)'
@@ -18,9 +18,21 @@ on:
      - synchronize
      - reopened
      - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
  schedule:
    - cron: '0 5 * * *'
-  workflow_dispatch: {}
+  workflow_dispatch:
+    inputs: {}
+  workflow_call:
+    inputs: {}
+defaults:
+  run:
+    shell: bash
+concurrency:
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group: cpp-deptrace-disabled-${{github.ref}}
 jobs:
  cpp-deptrace-disabled:
    strategy:
@@ -34,24 +46,15 @@ jobs:
          - os: ubuntu-latest
            version: nightly-latest
    name: 'C/C++: disabling autoinstalling dependencies (Linux)'
+    if: github.triggering_actor != 'dependabot[bot]'
    permissions:
      contents: read
-      security-events: write
+      security-events: read
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
-      - name: Setup Python on MacOS
-        uses: actions/setup-python@v5
-        if: >-
-          runner.os == 'macOS' && (
-
-          matrix.version == 'stable-v2.13.5' ||
-
-          matrix.version == 'stable-v2.14.6')
-        with:
-          python-version: '3.11'
      - name: Check out repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -60,7 +63,6 @@ jobs:
          use-all-platform-bundle: 'false'
          setup-kotlin: 'true'
      - name: Test setup
-        shell: bash
        run: |
          cp -a ../action/tests/cpp-autobuild autobuild-dir
      - uses: ./../action/init
@@ -72,8 +74,7 @@ jobs:
          working-directory: autobuild-dir
        env:
          CODEQL_EXTRACTOR_CPP_AUTOINSTALL_DEPENDENCIES: false
-      - shell: bash
-        run: |
+      - run: |
          if ls /usr/bin/errno; then
            echo "C/C++ autobuild installed errno, but it should not have since auto-install dependencies is disabled."
            exit 1
@@ -1,6 +1,6 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
+#     pr-checks/sync.sh
 # to regenerate this file.

 name: 'PR Check - C/C++: autoinstalling dependencies is skipped (macOS)'
@@ -18,36 +18,41 @@ on:
      - synchronize
      - reopened
      - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
  schedule:
    - cron: '0 5 * * *'
-  workflow_dispatch: {}
+  workflow_dispatch:
+    inputs: {}
+  workflow_call:
+    inputs: {}
+defaults:
+  run:
+    shell: bash
+concurrency:
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group: cpp-deptrace-enabled-on-macos-${{github.ref}}
 jobs:
  cpp-deptrace-enabled-on-macos:
    strategy:
      fail-fast: false
      matrix:
        include:
+          - os: macos-latest
+            version: linked
          - os: macos-latest
            version: nightly-latest
    name: 'C/C++: autoinstalling dependencies is skipped (macOS)'
+    if: github.triggering_actor != 'dependabot[bot]'
    permissions:
      contents: read
-      security-events: write
+      security-events: read
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
-      - name: Setup Python on MacOS
-        uses: actions/setup-python@v5
-        if: >-
-          runner.os == 'macOS' && (
-
-          matrix.version == 'stable-v2.13.5' ||
-
-          matrix.version == 'stable-v2.14.6')
-        with:
-          python-version: '3.11'
      - name: Check out repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -56,7 +61,6 @@ jobs:
          use-all-platform-bundle: 'false'
          setup-kotlin: 'true'
      - name: Test setup
-        shell: bash
        run: |
          cp -a ../action/tests/cpp-autobuild autobuild-dir
      - uses: ./../action/init
@@ -68,8 +72,7 @@ jobs:
          working-directory: autobuild-dir
        env:
          CODEQL_EXTRACTOR_CPP_AUTOINSTALL_DEPENDENCIES: true
-      - shell: bash
-        run: |
+      - run: |
          if ! ls /usr/bin/errno; then
            echo "As expected, CODEQL_EXTRACTOR_CPP_AUTOINSTALL_DEPENDENCIES is a no-op on macOS"
          else
@@ -1,6 +1,6 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
+#     pr-checks/sync.sh
 # to regenerate this file.

 name: 'PR Check - C/C++: autoinstalling dependencies (Linux)'
@@ -18,9 +18,21 @@ on:
      - synchronize
      - reopened
      - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
  schedule:
    - cron: '0 5 * * *'
-  workflow_dispatch: {}
+  workflow_dispatch:
+    inputs: {}
+  workflow_call:
+    inputs: {}
+defaults:
+  run:
+    shell: bash
+concurrency:
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group: cpp-deptrace-enabled-${{github.ref}}
 jobs:
  cpp-deptrace-enabled:
    strategy:
@@ -34,24 +46,15 @@ jobs:
          - os: ubuntu-latest
            version: nightly-latest
    name: 'C/C++: autoinstalling dependencies (Linux)'
+    if: github.triggering_actor != 'dependabot[bot]'
    permissions:
      contents: read
-      security-events: write
+      security-events: read
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
-      - name: Setup Python on MacOS
-        uses: actions/setup-python@v5
-        if: >-
-          runner.os == 'macOS' && (
-
-          matrix.version == 'stable-v2.13.5' ||
-
-          matrix.version == 'stable-v2.14.6')
-        with:
-          python-version: '3.11'
      - name: Check out repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -60,7 +63,6 @@ jobs:
          use-all-platform-bundle: 'false'
          setup-kotlin: 'true'
      - name: Test setup
-        shell: bash
        run: |
          cp -a ../action/tests/cpp-autobuild autobuild-dir
      - uses: ./../action/init
@@ -72,8 +74,7 @@ jobs:
          working-directory: autobuild-dir
        env:
          CODEQL_EXTRACTOR_CPP_AUTOINSTALL_DEPENDENCIES: true
-      - shell: bash
-        run: |
+      - run: |
          if ! ls /usr/bin/errno; then
            echo "Did not autoinstall errno"
            exit 1
@@ -1,6 +1,6 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
+#     pr-checks/sync.sh
 # to regenerate this file.

 name: PR Check - Diagnostic export
@@ -18,9 +18,21 @@ on:
      - synchronize
      - reopened
      - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
  schedule:
    - cron: '0 5 * * *'
-  workflow_dispatch: {}
+  workflow_dispatch:
+    inputs: {}
+  workflow_call:
+    inputs: {}
+defaults:
+  run:
+    shell: bash
+concurrency:
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group: diagnostics-export-${{github.ref}}
 jobs:
  diagnostics-export:
    strategy:
@@ -29,35 +41,18 @@ jobs:
        include:
          - os: ubuntu-latest
            version: linked
-          - os: macos-latest
-            version: linked
-          - os: windows-latest
-            version: linked
          - os: ubuntu-latest
            version: nightly-latest
-          - os: macos-latest
-            version: nightly-latest
-          - os: windows-latest
-            version: nightly-latest
    name: Diagnostic export
+    if: github.triggering_actor != 'dependabot[bot]'
    permissions:
      contents: read
-      security-events: write
+      security-events: read
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
-      - name: Setup Python on MacOS
-        uses: actions/setup-python@v5
-        if: >-
-          runner.os == 'macOS' && (
-
-          matrix.version == 'stable-v2.13.5' ||
-
-          matrix.version == 'stable-v2.14.6')
-        with:
-          python-version: '3.11'
      - name: Check out repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -71,7 +66,6 @@ jobs:
          languages: javascript
          tools: ${{ steps.prepare-test.outputs.tools-url }}
      - name: Add test diagnostics
-        shell: bash
        env:
          CODEQL_PATH: ${{ steps.init.outputs.codeql-path }}
        run: |
@@ -84,18 +78,18 @@ jobs:
            --ready-for-status-page
      - uses: ./../action/analyze
        with:
-          output: ${{ runner.temp }}/results
+          output: '${{ runner.temp }}/results'
          upload-database: false
      - name: Upload SARIF
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@v7
        with:
          name: diagnostics-export-${{ matrix.os }}-${{ matrix.version }}.sarif.json
-          path: ${{ runner.temp }}/results/javascript.sarif
+          path: '${{ runner.temp }}/results/javascript.sarif'
          retention-days: 7
      - name: Check diagnostics appear in SARIF
-        uses: actions/github-script@v7
+        uses: actions/github-script@v8
        env:
-          SARIF_PATH: ${{ runner.temp }}/results/javascript.sarif
+          SARIF_PATH: '${{ runner.temp }}/results/javascript.sarif'
        with:
          script: |
            const fs = require('fs');
@@ -1,6 +1,6 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
+#     pr-checks/sync.sh
 # to regenerate this file.

 name: PR Check - Export file baseline information
@@ -18,9 +18,41 @@ on:
      - synchronize
      - reopened
      - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
  schedule:
    - cron: '0 5 * * *'
-  workflow_dispatch: {}
+  workflow_dispatch:
+    inputs:
+      dotnet-version:
+        type: string
+        description: The version of .NET to install
+        required: false
+        default: 9.x
+      go-version:
+        type: string
+        description: The version of Go to install
+        required: false
+        default: '>=1.21.0'
+  workflow_call:
+    inputs:
+      dotnet-version:
+        type: string
+        description: The version of .NET to install
+        required: false
+        default: 9.x
+      go-version:
+        type: string
+        description: The version of Go to install
+        required: false
+        default: '>=1.21.0'
+defaults:
+  run:
+    shell: bash
+concurrency:
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group: export-file-baseline-information-${{github.ref}}-${{inputs.dotnet-version}}-${{inputs.go-version}}
 jobs:
  export-file-baseline-information:
    strategy:
@@ -34,24 +66,24 @@ jobs:
          - os: windows-latest
            version: nightly-latest
    name: Export file baseline information
+    if: github.triggering_actor != 'dependabot[bot]'
    permissions:
      contents: read
-      security-events: write
+      security-events: read
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
-      - name: Setup Python on MacOS
-        uses: actions/setup-python@v5
-        if: >-
-          runner.os == 'macOS' && (
-
-          matrix.version == 'stable-v2.13.5' ||
-
-          matrix.version == 'stable-v2.14.6')
-        with:
-          python-version: '3.11'
      - name: Check out repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
+      - name: Install .NET
+        uses: actions/setup-dotnet@v5
+        with:
+          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
+      - name: Install Go
+        uses: actions/setup-go@v6
+        with:
+          go-version: ${{ inputs.go-version || '>=1.21.0' }}
+          cache: false
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -64,23 +96,18 @@ jobs:
        with:
          languages: javascript
          tools: ${{ steps.prepare-test.outputs.tools-url }}
-      - uses: ./../action/.github/actions/setup-swift
-        with:
-          codeql-path: ${{ steps.init.outputs.codeql-path }}
      - name: Build code
-        shell: bash
        run: ./build.sh
      - uses: ./../action/analyze
        with:
-          output: ${{ runner.temp }}/results
+          output: '${{ runner.temp }}/results'
      - name: Upload SARIF
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@v7
        with:
          name: with-baseline-information-${{ matrix.os }}-${{ matrix.version }}.sarif.json
-          path: ${{ runner.temp }}/results/javascript.sarif
+          path: '${{ runner.temp }}/results/javascript.sarif'
          retention-days: 7
      - name: Check results
-        shell: bash
        run: |
          cd "$RUNNER_TEMP/results"
          expected_baseline_languages="c csharp go java kotlin javascript python ruby"
@@ -100,5 +127,6 @@ jobs:
            fi
          done
    env:
+      CODEQL_ACTION_SKIP_FILE_COVERAGE_ON_PRS: false
      CODEQL_ACTION_SUBLANGUAGE_FILE_COVERAGE: true
      CODEQL_ACTION_TEST_MODE: true
@@ -1,6 +1,6 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
+#     pr-checks/sync.sh
 # to regenerate this file.

 name: PR Check - Extractor ram and threads options test
@@ -18,9 +18,21 @@ on:
      - synchronize
      - reopened
      - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
  schedule:
    - cron: '0 5 * * *'
-  workflow_dispatch: {}
+  workflow_dispatch:
+    inputs: {}
+  workflow_call:
+    inputs: {}
+defaults:
+  run:
+    shell: bash
+concurrency:
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group: extractor-ram-threads-${{github.ref}}
 jobs:
  extractor-ram-threads:
    strategy:
@@ -30,24 +42,15 @@ jobs:
          - os: ubuntu-latest
            version: linked
    name: Extractor ram and threads options test
+    if: github.triggering_actor != 'dependabot[bot]'
    permissions:
      contents: read
-      security-events: write
+      security-events: read
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
-      - name: Setup Python on MacOS
-        uses: actions/setup-python@v5
-        if: >-
-          runner.os == 'macOS' && (
-
-          matrix.version == 'stable-v2.13.5' ||
-
-          matrix.version == 'stable-v2.14.6')
-        with:
-          python-version: '3.11'
      - name: Check out repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -61,7 +64,6 @@ jobs:
          ram: 230
          threads: 1
      - name: Assert Results
-        shell: bash
        run: |
          if [ "${CODEQL_RAM}" != "230" ]; then
            echo "CODEQL_RAM is '${CODEQL_RAM}' instead of 230"
@@ -0,0 +1,78 @@
+# Warning: This file is generated automatically, and should not be modified.
+# Instead, please modify the template in the pr-checks directory and run:
+#     pr-checks/sync.sh
+# to regenerate this file.
+
+name: PR Check - Proxy test
+env:
+  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+  GO111MODULE: auto
+on:
+  push:
+    branches:
+      - main
+      - releases/v*
+  pull_request:
+    types:
+      - opened
+      - synchronize
+      - reopened
+      - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
+  schedule:
+    - cron: '0 5 * * *'
+  workflow_dispatch:
+    inputs: {}
+  workflow_call:
+    inputs: {}
+defaults:
+  run:
+    shell: bash
+concurrency:
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group: global-proxy-${{github.ref}}
+jobs:
+  global-proxy:
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - os: ubuntu-latest
+            version: linked
+          - os: ubuntu-latest
+            version: nightly-latest
+    name: Proxy test
+    if: github.triggering_actor != 'dependabot[bot]'
+    permissions:
+      contents: read
+      security-events: read
+    timeout-minutes: 45
+    runs-on: ${{ matrix.os }}
+    steps:
+      - name: Check out repository
+        uses: actions/checkout@v6
+      - name: Prepare test
+        id: prepare-test
+        uses: ./.github/actions/prepare-test
+        with:
+          version: ${{ matrix.version }}
+          use-all-platform-bundle: 'false'
+          setup-kotlin: 'false'
+      - uses: ./../action/init
+        with:
+          languages: javascript
+          tools: ${{ steps.prepare-test.outputs.tools-url }}
+      - uses: ./../action/analyze
+    env:
+      https_proxy: http://squid-proxy:3128
+      CODEQL_ACTION_TOLERATE_MISSING_GIT_VERSION: true
+      CODEQL_ACTION_TEST_MODE: true
+    container:
+      image: ubuntu:22.04
+    services:
+      squid-proxy:
+        image: ubuntu/squid:latest
+        ports:
+          - 3128:3128
@@ -1,6 +1,6 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
+#     pr-checks/sync.sh
 # to regenerate this file.

 name: 'PR Check - Go: Custom queries'
@@ -18,9 +18,41 @@ on:
      - synchronize
      - reopened
      - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
  schedule:
    - cron: '0 5 * * *'
-  workflow_dispatch: {}
+  workflow_dispatch:
+    inputs:
+      dotnet-version:
+        type: string
+        description: The version of .NET to install
+        required: false
+        default: 9.x
+      go-version:
+        type: string
+        description: The version of Go to install
+        required: false
+        default: '>=1.21.0'
+  workflow_call:
+    inputs:
+      dotnet-version:
+        type: string
+        description: The version of .NET to install
+        required: false
+        default: 9.x
+      go-version:
+        type: string
+        description: The version of Go to install
+        required: false
+        default: '>=1.21.0'
+defaults:
+  run:
+    shell: bash
+concurrency:
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group: go-custom-queries-${{github.ref}}-${{inputs.dotnet-version}}-${{inputs.go-version}}
 jobs:
  go-custom-queries:
    strategy:
@@ -32,24 +64,24 @@ jobs:
          - os: ubuntu-latest
            version: nightly-latest
    name: 'Go: Custom queries'
+    if: github.triggering_actor != 'dependabot[bot]'
    permissions:
      contents: read
-      security-events: write
+      security-events: read
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
-      - name: Setup Python on MacOS
-        uses: actions/setup-python@v5
-        if: >-
-          runner.os == 'macOS' && (
-
-          matrix.version == 'stable-v2.13.5' ||
-
-          matrix.version == 'stable-v2.14.6')
-        with:
-          python-version: '3.11'
      - name: Check out repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
+      - name: Install .NET
+        uses: actions/setup-dotnet@v5
+        with:
+          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
+      - name: Install Go
+        uses: actions/setup-go@v6
+        with:
+          go-version: ${{ inputs.go-version || '>=1.21.0' }}
+          cache: false
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -57,16 +89,12 @@ jobs:
          version: ${{ matrix.version }}
          use-all-platform-bundle: 'false'
          setup-kotlin: 'true'
-      - uses: actions/setup-go@v5
-        with:
-          go-version: '>=1.21.0'
      - uses: ./../action/init
        with:
          languages: go
          config-file: ./.github/codeql/custom-queries.yml
          tools: ${{ steps.prepare-test.outputs.tools-url }}
      - name: Build code
-        shell: bash
        run: ./build.sh
      - uses: ./../action/analyze
    env:
@@ -1,6 +1,6 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
+#     pr-checks/sync.sh
 # to regenerate this file.

 name: 'PR Check - Go: diagnostic when Go is changed after init step'
@@ -18,9 +18,31 @@ on:
      - synchronize
      - reopened
      - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
  schedule:
    - cron: '0 5 * * *'
-  workflow_dispatch: {}
+  workflow_dispatch:
+    inputs:
+      go-version:
+        type: string
+        description: The version of Go to install
+        required: false
+        default: '>=1.21.0'
+  workflow_call:
+    inputs:
+      go-version:
+        type: string
+        description: The version of Go to install
+        required: false
+        default: '>=1.21.0'
+defaults:
+  run:
+    shell: bash
+concurrency:
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group: go-indirect-tracing-workaround-diagnostic-${{github.ref}}-${{inputs.go-version}}
 jobs:
  go-indirect-tracing-workaround-diagnostic:
    strategy:
@@ -28,26 +50,22 @@ jobs:
      matrix:
        include:
          - os: ubuntu-latest
-            version: stable-v2.14.6
+            version: default
    name: 'Go: diagnostic when Go is changed after init step'
+    if: github.triggering_actor != 'dependabot[bot]'
    permissions:
      contents: read
-      security-events: write
+      security-events: read
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
-      - name: Setup Python on MacOS
-        uses: actions/setup-python@v5
-        if: >-
-          runner.os == 'macOS' && (
-
-          matrix.version == 'stable-v2.13.5' ||
-
-          matrix.version == 'stable-v2.14.6')
-        with:
-          python-version: '3.11'
      - name: Check out repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
+      - name: Install Go
+        uses: actions/setup-go@v6
+        with:
+          go-version: ${{ inputs.go-version || '>=1.21.0' }}
+          cache: false
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -55,29 +73,24 @@ jobs:
          version: ${{ matrix.version }}
          use-all-platform-bundle: 'false'
          setup-kotlin: 'true'
-      - uses: actions/setup-go@v5
-        with:
-      # We need a Go version that ships with statically linked binaries on Linux
-          go-version: '>=1.21.0'
      - uses: ./../action/init
        with:
          languages: go
          tools: ${{ steps.prepare-test.outputs.tools-url }}
-  # Deliberately change Go after the `init` step
-      - uses: actions/setup-go@v5
+      # Deliberately change Go after the `init` step
+      - uses: actions/setup-go@v6
        with:
          go-version: '1.20'
      - name: Build code
-        shell: bash
        run: go build main.go
      - uses: ./../action/analyze
        with:
-          output: ${{ runner.temp }}/results
+          output: '${{ runner.temp }}/results'
          upload-database: false
      - name: Check diagnostic appears in SARIF
-        uses: actions/github-script@v7
+        uses: actions/github-script@v8
        env:
-          SARIF_PATH: ${{ runner.temp }}/results/go.sarif
+          SARIF_PATH: '${{ runner.temp }}/results/go.sarif'
        with:
          script: |
            const fs = require('fs');
@@ -1,6 +1,6 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
+#     pr-checks/sync.sh
 # to regenerate this file.

 name: 'PR Check - Go: diagnostic when `file` is not installed'
@@ -18,9 +18,31 @@ on:
      - synchronize
      - reopened
      - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
  schedule:
    - cron: '0 5 * * *'
-  workflow_dispatch: {}
+  workflow_dispatch:
+    inputs:
+      go-version:
+        type: string
+        description: The version of Go to install
+        required: false
+        default: '>=1.21.0'
+  workflow_call:
+    inputs:
+      go-version:
+        type: string
+        description: The version of Go to install
+        required: false
+        default: '>=1.21.0'
+defaults:
+  run:
+    shell: bash
+concurrency:
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group: go-indirect-tracing-workaround-no-file-program-${{github.ref}}-${{inputs.go-version}}
 jobs:
  go-indirect-tracing-workaround-no-file-program:
    strategy:
@@ -28,26 +50,22 @@ jobs:
      matrix:
        include:
          - os: ubuntu-latest
-            version: stable-v2.14.6
+            version: default
    name: 'Go: diagnostic when `file` is not installed'
+    if: github.triggering_actor != 'dependabot[bot]'
    permissions:
      contents: read
-      security-events: write
+      security-events: read
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
-      - name: Setup Python on MacOS
-        uses: actions/setup-python@v5
-        if: >-
-          runner.os == 'macOS' && (
-
-          matrix.version == 'stable-v2.13.5' ||
-
-          matrix.version == 'stable-v2.14.6')
-        with:
-          python-version: '3.11'
      - name: Check out repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
+      - name: Install Go
+        uses: actions/setup-go@v6
+        with:
+          go-version: ${{ inputs.go-version || '>=1.21.0' }}
+          cache: false
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -55,10 +73,6 @@ jobs:
          version: ${{ matrix.version }}
          use-all-platform-bundle: 'false'
          setup-kotlin: 'true'
-      - uses: actions/setup-go@v5
-        with:
-      # We need a Go version that ships with statically linked binaries on Linux
-          go-version: '>=1.21.0'
      - name: Remove `file` program
        run: |
          echo $(which file)
@@ -69,16 +83,15 @@ jobs:
          languages: go
          tools: ${{ steps.prepare-test.outputs.tools-url }}
      - name: Build code
-        shell: bash
        run: go build main.go
      - uses: ./../action/analyze
        with:
-          output: ${{ runner.temp }}/results
+          output: '${{ runner.temp }}/results'
          upload-database: false
      - name: Check diagnostic appears in SARIF
-        uses: actions/github-script@v7
+        uses: actions/github-script@v8
        env:
-          SARIF_PATH: ${{ runner.temp }}/results/go.sarif
+          SARIF_PATH: '${{ runner.temp }}/results/go.sarif'
        with:
          script: |
            const fs = require('fs');
@@ -1,6 +1,6 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
+#     pr-checks/sync.sh
 # to regenerate this file.

 name: 'PR Check - Go: workaround for indirect tracing'
@@ -18,9 +18,31 @@ on:
      - synchronize
      - reopened
      - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
  schedule:
    - cron: '0 5 * * *'
-  workflow_dispatch: {}
+  workflow_dispatch:
+    inputs:
+      go-version:
+        type: string
+        description: The version of Go to install
+        required: false
+        default: '>=1.21.0'
+  workflow_call:
+    inputs:
+      go-version:
+        type: string
+        description: The version of Go to install
+        required: false
+        default: '>=1.21.0'
+defaults:
+  run:
+    shell: bash
+concurrency:
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group: go-indirect-tracing-workaround-${{github.ref}}-${{inputs.go-version}}
 jobs:
  go-indirect-tracing-workaround:
    strategy:
@@ -28,26 +50,22 @@ jobs:
      matrix:
        include:
          - os: ubuntu-latest
-            version: stable-v2.14.6
+            version: default
    name: 'Go: workaround for indirect tracing'
+    if: github.triggering_actor != 'dependabot[bot]'
    permissions:
      contents: read
-      security-events: write
+      security-events: read
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
-      - name: Setup Python on MacOS
-        uses: actions/setup-python@v5
-        if: >-
-          runner.os == 'macOS' && (
-
-          matrix.version == 'stable-v2.13.5' ||
-
-          matrix.version == 'stable-v2.14.6')
-        with:
-          python-version: '3.11'
      - name: Check out repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
+      - name: Install Go
+        uses: actions/setup-go@v6
+        with:
+          go-version: ${{ inputs.go-version || '>=1.21.0' }}
+          cache: false
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -55,20 +73,14 @@ jobs:
          version: ${{ matrix.version }}
          use-all-platform-bundle: 'false'
          setup-kotlin: 'true'
-      - uses: actions/setup-go@v5
-        with:
-      # We need a Go version that ships with statically linked binaries on Linux
-          go-version: '>=1.21.0'
      - uses: ./../action/init
        with:
          languages: go
          tools: ${{ steps.prepare-test.outputs.tools-url }}
      - name: Build code
-        shell: bash
        run: go build main.go
      - uses: ./../action/analyze
-      - shell: bash
-        run: |
+      - run: |
          if [[ -z "${CODEQL_ACTION_GO_BINARY}" ]]; then
            echo "Expected the workaround for indirect tracing of static binaries to trigger, but the" \
              "CODEQL_ACTION_GO_BINARY environment variable is not set."
@@ -1,6 +1,6 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
+#     pr-checks/sync.sh
 # to regenerate this file.

 name: 'PR Check - Go: tracing with autobuilder step'
@@ -18,9 +18,31 @@ on:
      - synchronize
      - reopened
      - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
  schedule:
    - cron: '0 5 * * *'
-  workflow_dispatch: {}
+  workflow_dispatch:
+    inputs:
+      go-version:
+        type: string
+        description: The version of Go to install
+        required: false
+        default: '>=1.21.0'
+  workflow_call:
+    inputs:
+      go-version:
+        type: string
+        description: The version of Go to install
+        required: false
+        default: '>=1.21.0'
+defaults:
+  run:
+    shell: bash
+concurrency:
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group: go-tracing-autobuilder-${{github.ref}}-${{inputs.go-version}}
 jobs:
  go-tracing-autobuilder:
    strategy:
@@ -28,28 +50,18 @@ jobs:
      matrix:
        include:
          - os: ubuntu-latest
-            version: stable-v2.13.5
-          - os: macos-12
-            version: stable-v2.13.5
-          - os: ubuntu-latest
-            version: stable-v2.14.6
-          - os: macos-12
-            version: stable-v2.14.6
-          - os: ubuntu-latest
-            version: stable-v2.15.5
-          - os: macos-latest
-            version: stable-v2.15.5
-          - os: ubuntu-latest
-            version: stable-v2.16.6
-          - os: macos-latest
-            version: stable-v2.16.6
-          - os: ubuntu-latest
-            version: stable-v2.17.6
-          - os: macos-latest
            version: stable-v2.17.6
          - os: ubuntu-latest
-            version: default
-          - os: macos-latest
+            version: stable-v2.18.4
+          - os: ubuntu-latest
+            version: stable-v2.19.4
+          - os: ubuntu-latest
+            version: stable-v2.20.7
+          - os: ubuntu-latest
+            version: stable-v2.21.4
+          - os: ubuntu-latest
+            version: stable-v2.22.4
+          - os: ubuntu-latest
            version: default
          - os: ubuntu-latest
            version: linked
@@ -60,24 +72,20 @@ jobs:
          - os: macos-latest
            version: nightly-latest
    name: 'Go: tracing with autobuilder step'
+    if: github.triggering_actor != 'dependabot[bot]'
    permissions:
      contents: read
-      security-events: write
+      security-events: read
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
-      - name: Setup Python on MacOS
-        uses: actions/setup-python@v5
-        if: >-
-          runner.os == 'macOS' && (
-
-          matrix.version == 'stable-v2.13.5' ||
-
-          matrix.version == 'stable-v2.14.6')
-        with:
-          python-version: '3.11'
      - name: Check out repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
+      - name: Install Go
+        uses: actions/setup-go@v6
+        with:
+          go-version: ${{ inputs.go-version || '>=1.21.0' }}
+          cache: false
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -85,20 +93,13 @@ jobs:
          version: ${{ matrix.version }}
          use-all-platform-bundle: 'false'
          setup-kotlin: 'true'
-      - uses: actions/setup-go@v5
-        with:
-          go-version: ~1.23.0
-      # to avoid potentially misleading autobuilder results where we expect it to download
-      # dependencies successfully, but they actually come from a warm cache
-          cache: false
      - uses: ./../action/init
        with:
          languages: go
          tools: ${{ steps.prepare-test.outputs.tools-url }}
      - uses: ./../action/autobuild
      - uses: ./../action/analyze
-      - shell: bash
-        run: |
+      - run: |
          if [[ "${CODEQL_ACTION_DID_AUTOBUILD_GOLANG}" != true ]]; then
            echo "Expected the Go autobuilder to be run, but the" \
              "CODEQL_ACTION_DID_AUTOBUILD_GOLANG environment variable was not true."
@@ -1,6 +1,6 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
+#     pr-checks/sync.sh
 # to regenerate this file.

 name: 'PR Check - Go: tracing with custom build steps'
@@ -18,9 +18,31 @@ on:
      - synchronize
      - reopened
      - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
  schedule:
    - cron: '0 5 * * *'
-  workflow_dispatch: {}
+  workflow_dispatch:
+    inputs:
+      go-version:
+        type: string
+        description: The version of Go to install
+        required: false
+        default: '>=1.21.0'
+  workflow_call:
+    inputs:
+      go-version:
+        type: string
+        description: The version of Go to install
+        required: false
+        default: '>=1.21.0'
+defaults:
+  run:
+    shell: bash
+concurrency:
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group: go-tracing-custom-build-steps-${{github.ref}}-${{inputs.go-version}}
 jobs:
  go-tracing-custom-build-steps:
    strategy:
@@ -28,28 +50,18 @@ jobs:
      matrix:
        include:
          - os: ubuntu-latest
-            version: stable-v2.13.5
-          - os: macos-12
-            version: stable-v2.13.5
-          - os: ubuntu-latest
-            version: stable-v2.14.6
-          - os: macos-12
-            version: stable-v2.14.6
-          - os: ubuntu-latest
-            version: stable-v2.15.5
-          - os: macos-latest
-            version: stable-v2.15.5
-          - os: ubuntu-latest
-            version: stable-v2.16.6
-          - os: macos-latest
-            version: stable-v2.16.6
-          - os: ubuntu-latest
-            version: stable-v2.17.6
-          - os: macos-latest
            version: stable-v2.17.6
          - os: ubuntu-latest
-            version: default
-          - os: macos-latest
+            version: stable-v2.18.4
+          - os: ubuntu-latest
+            version: stable-v2.19.4
+          - os: ubuntu-latest
+            version: stable-v2.20.7
+          - os: ubuntu-latest
+            version: stable-v2.21.4
+          - os: ubuntu-latest
+            version: stable-v2.22.4
+          - os: ubuntu-latest
            version: default
          - os: ubuntu-latest
            version: linked
@@ -60,24 +72,20 @@ jobs:
          - os: macos-latest
            version: nightly-latest
    name: 'Go: tracing with custom build steps'
+    if: github.triggering_actor != 'dependabot[bot]'
    permissions:
      contents: read
-      security-events: write
+      security-events: read
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
-      - name: Setup Python on MacOS
-        uses: actions/setup-python@v5
-        if: >-
-          runner.os == 'macOS' && (
-
-          matrix.version == 'stable-v2.13.5' ||
-
-          matrix.version == 'stable-v2.14.6')
-        with:
-          python-version: '3.11'
      - name: Check out repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
+      - name: Install Go
+        uses: actions/setup-go@v6
+        with:
+          go-version: ${{ inputs.go-version || '>=1.21.0' }}
+          cache: false
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -85,22 +93,14 @@ jobs:
          version: ${{ matrix.version }}
          use-all-platform-bundle: 'false'
          setup-kotlin: 'true'
-      - uses: actions/setup-go@v5
-        with:
-          go-version: ~1.23.0
-      # to avoid potentially misleading autobuilder results where we expect it to download
-      # dependencies successfully, but they actually come from a warm cache
-          cache: false
      - uses: ./../action/init
        with:
          languages: go
          tools: ${{ steps.prepare-test.outputs.tools-url }}
      - name: Build code
-        shell: bash
        run: go build main.go
      - uses: ./../action/analyze
-      - shell: bash
-        run: |
+      - run: |
          # Once we start running Bash 4.2 in all environments, we can replace the
          # `! -z` flag with the more elegant `-v` which confirms that the variable
          # is actually unset and not potentially set to a blank value.
@@ -1,6 +1,6 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
+#     pr-checks/sync.sh
 # to regenerate this file.

 name: 'PR Check - Go: tracing with legacy workflow'
@@ -18,9 +18,31 @@ on:
      - synchronize
      - reopened
      - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
  schedule:
    - cron: '0 5 * * *'
-  workflow_dispatch: {}
+  workflow_dispatch:
+    inputs:
+      go-version:
+        type: string
+        description: The version of Go to install
+        required: false
+        default: '>=1.21.0'
+  workflow_call:
+    inputs:
+      go-version:
+        type: string
+        description: The version of Go to install
+        required: false
+        default: '>=1.21.0'
+defaults:
+  run:
+    shell: bash
+concurrency:
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group: go-tracing-legacy-workflow-${{github.ref}}-${{inputs.go-version}}
 jobs:
  go-tracing-legacy-workflow:
    strategy:
@@ -28,28 +50,18 @@ jobs:
      matrix:
        include:
          - os: ubuntu-latest
-            version: stable-v2.13.5
-          - os: macos-12
-            version: stable-v2.13.5
-          - os: ubuntu-latest
-            version: stable-v2.14.6
-          - os: macos-12
-            version: stable-v2.14.6
-          - os: ubuntu-latest
-            version: stable-v2.15.5
-          - os: macos-latest
-            version: stable-v2.15.5
-          - os: ubuntu-latest
-            version: stable-v2.16.6
-          - os: macos-latest
-            version: stable-v2.16.6
-          - os: ubuntu-latest
-            version: stable-v2.17.6
-          - os: macos-latest
            version: stable-v2.17.6
          - os: ubuntu-latest
-            version: default
-          - os: macos-latest
+            version: stable-v2.18.4
+          - os: ubuntu-latest
+            version: stable-v2.19.4
+          - os: ubuntu-latest
+            version: stable-v2.20.7
+          - os: ubuntu-latest
+            version: stable-v2.21.4
+          - os: ubuntu-latest
+            version: stable-v2.22.4
+          - os: ubuntu-latest
            version: default
          - os: ubuntu-latest
            version: linked
@@ -60,24 +72,20 @@ jobs:
          - os: macos-latest
            version: nightly-latest
    name: 'Go: tracing with legacy workflow'
+    if: github.triggering_actor != 'dependabot[bot]'
    permissions:
      contents: read
-      security-events: write
+      security-events: read
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
-      - name: Setup Python on MacOS
-        uses: actions/setup-python@v5
-        if: >-
-          runner.os == 'macOS' && (
-
-          matrix.version == 'stable-v2.13.5' ||
-
-          matrix.version == 'stable-v2.14.6')
-        with:
-          python-version: '3.11'
      - name: Check out repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
+      - name: Install Go
+        uses: actions/setup-go@v6
+        with:
+          go-version: ${{ inputs.go-version || '>=1.21.0' }}
+          cache: false
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -85,19 +93,12 @@ jobs:
          version: ${{ matrix.version }}
          use-all-platform-bundle: 'false'
          setup-kotlin: 'true'
-      - uses: actions/setup-go@v5
-        with:
-          go-version: ~1.23.0
-      # to avoid potentially misleading autobuilder results where we expect it to download
-      # dependencies successfully, but they actually come from a warm cache
-          cache: false
      - uses: ./../action/init
        with:
          languages: go
          tools: ${{ steps.prepare-test.outputs.tools-url }}
      - uses: ./../action/analyze
-      - shell: bash
-        run: |
+      - run: |
          cd "$RUNNER_TEMP/codeql_databases"
          if [[ ! -d go ]]; then
            echo "Did not find a Go database"
@@ -0,0 +1,80 @@
+# Warning: This file is generated automatically, and should not be modified.
+# Instead, please modify the template in the pr-checks directory and run:
+#     pr-checks/sync.sh
+# to regenerate this file.
+
+name: Manual Check - go
+env:
+  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+  GO111MODULE: auto
+on:
+  workflow_dispatch:
+    inputs:
+      dotnet-version:
+        type: string
+        description: The version of .NET to install
+        required: false
+        default: 9.x
+      go-version:
+        type: string
+        description: The version of Go to install
+        required: false
+        default: '>=1.21.0'
+jobs:
+  go-custom-queries:
+    name: 'Go: Custom queries'
+    permissions:
+      contents: read
+      security-events: read
+    uses: ./.github/workflows/__go-custom-queries.yml
+    with:
+      dotnet-version: ${{ inputs.dotnet-version }}
+      go-version: ${{ inputs.go-version }}
+  go-indirect-tracing-workaround-diagnostic:
+    name: 'Go: diagnostic when Go is changed after init step'
+    permissions:
+      contents: read
+      security-events: read
+    uses: ./.github/workflows/__go-indirect-tracing-workaround-diagnostic.yml
+    with:
+      go-version: ${{ inputs.go-version }}
+  go-indirect-tracing-workaround-no-file-program:
+    name: 'Go: diagnostic when `file` is not installed'
+    permissions:
+      contents: read
+      security-events: read
+    uses: ./.github/workflows/__go-indirect-tracing-workaround-no-file-program.yml
+    with:
+      go-version: ${{ inputs.go-version }}
+  go-indirect-tracing-workaround:
+    name: 'Go: workaround for indirect tracing'
+    permissions:
+      contents: read
+      security-events: read
+    uses: ./.github/workflows/__go-indirect-tracing-workaround.yml
+    with:
+      go-version: ${{ inputs.go-version }}
+  go-tracing-autobuilder:
+    name: 'Go: tracing with autobuilder step'
+    permissions:
+      contents: read
+      security-events: read
+    uses: ./.github/workflows/__go-tracing-autobuilder.yml
+    with:
+      go-version: ${{ inputs.go-version }}
+  go-tracing-custom-build-steps:
+    name: 'Go: tracing with custom build steps'
+    permissions:
+      contents: read
+      security-events: read
+    uses: ./.github/workflows/__go-tracing-custom-build-steps.yml
+    with:
+      go-version: ${{ inputs.go-version }}
+  go-tracing-legacy-workflow:
+    name: 'Go: tracing with legacy workflow'
+    permissions:
+      contents: read
+      security-events: read
+    uses: ./.github/workflows/__go-tracing-legacy-workflow.yml
+    with:
+      go-version: ${{ inputs.go-version }}
@@ -1,6 +1,6 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
+#     pr-checks/sync.sh
 # to regenerate this file.

 name: 'PR Check - Packaging: Download using registries'
@@ -18,9 +18,21 @@ on:
      - synchronize
      - reopened
      - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
  schedule:
    - cron: '0 5 * * *'
-  workflow_dispatch: {}
+  workflow_dispatch:
+    inputs: {}
+  workflow_call:
+    inputs: {}
+defaults:
+  run:
+    shell: bash
+concurrency:
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group: init-with-registries-${{github.ref}}
 jobs:
  init-with-registries:
    strategy:
@@ -29,42 +41,20 @@ jobs:
        include:
          - os: ubuntu-latest
            version: default
-          - os: macos-latest
-            version: default
-          - os: windows-latest
-            version: default
          - os: ubuntu-latest
            version: linked
-          - os: macos-latest
-            version: linked
-          - os: windows-latest
-            version: linked
          - os: ubuntu-latest
            version: nightly-latest
-          - os: macos-latest
-            version: nightly-latest
-          - os: windows-latest
-            version: nightly-latest
    name: 'Packaging: Download using registries'
+    if: github.triggering_actor != 'dependabot[bot]'
    permissions:
      contents: read
      packages: read
-
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
-      - name: Setup Python on MacOS
-        uses: actions/setup-python@v5
-        if: >-
-          runner.os == 'macOS' && (
-
-          matrix.version == 'stable-v2.13.5' ||
-
-          matrix.version == 'stable-v2.14.6')
-        with:
-          python-version: '3.11'
      - name: Check out repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -75,7 +65,7 @@ jobs:
      - name: Init with registries
        uses: ./../action/init
        with:
-          db-location: ${{ runner.temp }}/customDbLocation
+          db-location: '${{ runner.temp }}/customDbLocation'
          tools: ${{ steps.prepare-test.outputs.tools-url }}
          config-file: ./.github/codeql/codeql-config-registries.yml
          languages: javascript
@@ -85,7 +75,6 @@ jobs:
              token: "${{ secrets.GITHUB_TOKEN }}"

      - name: Verify packages installed
-        shell: bash
        run: |
          PRIVATE_PACK="$HOME/.codeql/packages/codeql-testing/private-pack"
          CODEQL_PACK1="$HOME/.codeql/packages/codeql-testing/codeql-pack1"
@@ -107,7 +96,6 @@ jobs:
          fi

      - name: Verify qlconfig.yml file was created
-        shell: bash
        run: |
          QLCONFIG_PATH=$RUNNER_TEMP/qlconfig.yml
          echo "Expected qlconfig.yml file to be created at $QLCONFIG_PATH"
@@ -120,9 +108,6 @@ jobs:
          fi

      - name: Verify contents of qlconfig.yml
-    # yq is not available on windows
-        if: runner.os != 'Windows'
-        shell: bash
        run: |
          QLCONFIG_PATH=$RUNNER_TEMP/qlconfig.yml
          cat $QLCONFIG_PATH | yq -e '.registries[] | select(.url == "https://ghcr.io/v2/") | select(.packages == "*/*")'
@@ -1,6 +1,6 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
+#     pr-checks/sync.sh
 # to regenerate this file.

 name: PR Check - Custom source root
@@ -18,9 +18,21 @@ on:
      - synchronize
      - reopened
      - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
  schedule:
    - cron: '0 5 * * *'
-  workflow_dispatch: {}
+  workflow_dispatch:
+    inputs: {}
+  workflow_call:
+    inputs: {}
+defaults:
+  run:
+    shell: bash
+concurrency:
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group: javascript-source-root-${{github.ref}}
 jobs:
  javascript-source-root:
    strategy:
@@ -34,24 +46,15 @@ jobs:
          - os: ubuntu-latest
            version: nightly-latest
    name: Custom source root
+    if: github.triggering_actor != 'dependabot[bot]'
    permissions:
      contents: read
-      security-events: write
+      security-events: read
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
-      - name: Setup Python on MacOS
-        uses: actions/setup-python@v5
-        if: >-
-          runner.os == 'macOS' && (
-
-          matrix.version == 'stable-v2.13.5' ||
-
-          matrix.version == 'stable-v2.14.6')
-        with:
-          python-version: '3.11'
      - name: Check out repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -60,7 +63,6 @@ jobs:
          use-all-platform-bundle: 'false'
          setup-kotlin: 'true'
      - name: Move codeql-action
-        shell: bash
        run: |
          mkdir ../new-source-root
          mv * ../new-source-root
@@ -73,7 +75,6 @@ jobs:
        with:
          skip-queries: true
      - name: Assert database exists
-        shell: bash
        run: |
          cd "$RUNNER_TEMP/codeql_databases"
          if [[ ! -d javascript ]]; then
@@ -1,6 +1,6 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
+#     pr-checks/sync.sh
 # to regenerate this file.

 name: PR Check - Job run UUID added to SARIF
@@ -18,9 +18,21 @@ on:
      - synchronize
      - reopened
      - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
  schedule:
    - cron: '0 5 * * *'
-  workflow_dispatch: {}
+  workflow_dispatch:
+    inputs: {}
+  workflow_call:
+    inputs: {}
+defaults:
+  run:
+    shell: bash
+concurrency:
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group: job-run-uuid-sarif-${{github.ref}}
 jobs:
  job-run-uuid-sarif:
    strategy:
@@ -30,24 +42,15 @@ jobs:
          - os: ubuntu-latest
            version: nightly-latest
    name: Job run UUID added to SARIF
+    if: github.triggering_actor != 'dependabot[bot]'
    permissions:
      contents: read
-      security-events: write
+      security-events: read
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
-      - name: Setup Python on MacOS
-        uses: actions/setup-python@v5
-        if: >-
-          runner.os == 'macOS' && (
-
-          matrix.version == 'stable-v2.13.5' ||
-
-          matrix.version == 'stable-v2.14.6')
-        with:
-          python-version: '3.11'
      - name: Check out repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -62,15 +65,14 @@ jobs:
          tools: ${{ steps.prepare-test.outputs.tools-url }}
      - uses: ./../action/analyze
        with:
-          output: ${{ runner.temp }}/results
+          output: '${{ runner.temp }}/results'
      - name: Upload SARIF
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@v7
        with:
          name: ${{ matrix.os }}-${{ matrix.version }}.sarif.json
-          path: ${{ runner.temp }}/results/javascript.sarif
+          path: '${{ runner.temp }}/results/javascript.sarif'
          retention-days: 7
      - name: Check results
-        shell: bash
        run: |
          cd "$RUNNER_TEMP/results"
          actual=$(jq -r '.runs[0].properties.jobRunUuid' javascript.sarif)
@@ -1,6 +1,6 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
+#     pr-checks/sync.sh
 # to regenerate this file.

 name: PR Check - Language aliases
@@ -18,9 +18,21 @@ on:
      - synchronize
      - reopened
      - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
  schedule:
    - cron: '0 5 * * *'
-  workflow_dispatch: {}
+  workflow_dispatch:
+    inputs: {}
+  workflow_call:
+    inputs: {}
+defaults:
+  run:
+    shell: bash
+concurrency:
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group: language-aliases-${{github.ref}}
 jobs:
  language-aliases:
    strategy:
@@ -30,24 +42,15 @@ jobs:
          - os: ubuntu-latest
            version: linked
    name: Language aliases
+    if: github.triggering_actor != 'dependabot[bot]'
    permissions:
      contents: read
-      security-events: write
+      security-events: read
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
-      - name: Setup Python on MacOS
-        uses: actions/setup-python@v5
-        if: >-
-          runner.os == 'macOS' && (
-
-          matrix.version == 'stable-v2.13.5' ||
-
-          matrix.version == 'stable-v2.14.6')
-        with:
-          python-version: '3.11'
      - name: Check out repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -57,12 +60,12 @@ jobs:
          setup-kotlin: 'true'
      - uses: ./../action/init
        with:
-          languages: C#,java-kotlin,swift,typescript
+          languages: C#,java-kotlin,typescript
          tools: ${{ steps.prepare-test.outputs.tools-url }}

-      - name: Check languages
+      - name: 'Check languages'
        run: |
-          expected_languages="csharp,java,swift,javascript"
+          expected_languages="csharp,java,javascript"
          actual_languages=$(jq -r '.languages | join(",")' "$RUNNER_TEMP"/config)

          if [ "$expected_languages" != "$actual_languages" ]; then
@@ -0,0 +1,103 @@
+# Warning: This file is generated automatically, and should not be modified.
+# Instead, please modify the template in the pr-checks directory and run:
+#     pr-checks/sync.sh
+# to regenerate this file.
+
+name: PR Check - Local CodeQL bundle
+env:
+  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+  GO111MODULE: auto
+on:
+  push:
+    branches:
+      - main
+      - releases/v*
+  pull_request:
+    types:
+      - opened
+      - synchronize
+      - reopened
+      - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
+  schedule:
+    - cron: '0 5 * * *'
+  workflow_dispatch:
+    inputs:
+      dotnet-version:
+        type: string
+        description: The version of .NET to install
+        required: false
+        default: 9.x
+      go-version:
+        type: string
+        description: The version of Go to install
+        required: false
+        default: '>=1.21.0'
+  workflow_call:
+    inputs:
+      dotnet-version:
+        type: string
+        description: The version of .NET to install
+        required: false
+        default: 9.x
+      go-version:
+        type: string
+        description: The version of Go to install
+        required: false
+        default: '>=1.21.0'
+defaults:
+  run:
+    shell: bash
+concurrency:
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group: local-bundle-${{github.ref}}-${{inputs.dotnet-version}}-${{inputs.go-version}}
+jobs:
+  local-bundle:
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - os: ubuntu-latest
+            version: linked
+    name: Local CodeQL bundle
+    if: github.triggering_actor != 'dependabot[bot]'
+    permissions:
+      contents: read
+      security-events: read
+    timeout-minutes: 45
+    runs-on: ${{ matrix.os }}
+    steps:
+      - name: Check out repository
+        uses: actions/checkout@v6
+      - name: Install .NET
+        uses: actions/setup-dotnet@v5
+        with:
+          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
+      - name: Install Go
+        uses: actions/setup-go@v6
+        with:
+          go-version: ${{ inputs.go-version || '>=1.21.0' }}
+          cache: false
+      - name: Prepare test
+        id: prepare-test
+        uses: ./.github/actions/prepare-test
+        with:
+          version: ${{ matrix.version }}
+          use-all-platform-bundle: 'false'
+          setup-kotlin: 'true'
+      - name: Fetch latest CodeQL bundle
+        run: |
+          wget https://github.com/github/codeql-action/releases/latest/download/codeql-bundle-linux64.tar.zst
+      - id: init
+        uses: ./../action/init
+        with:
+          # Swift is not supported on Ubuntu so we manually exclude it from the list here
+          languages: cpp,csharp,go,java,javascript,python,ruby
+          tools: ./codeql-bundle-linux64.tar.zst
+      - name: Build code
+        run: ./build.sh
+      - uses: ./../action/analyze
+    env:
+      CODEQL_ACTION_TEST_MODE: true
@@ -1,6 +1,6 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
+#     pr-checks/sync.sh
 # to regenerate this file.

 name: PR Check - Multi-language repository
@@ -18,66 +18,102 @@ on:
      - synchronize
      - reopened
      - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
  schedule:
    - cron: '0 5 * * *'
-  workflow_dispatch: {}
+  workflow_dispatch:
+    inputs:
+      dotnet-version:
+        type: string
+        description: The version of .NET to install
+        required: false
+        default: 9.x
+      go-version:
+        type: string
+        description: The version of Go to install
+        required: false
+        default: '>=1.21.0'
+  workflow_call:
+    inputs:
+      dotnet-version:
+        type: string
+        description: The version of .NET to install
+        required: false
+        default: 9.x
+      go-version:
+        type: string
+        description: The version of Go to install
+        required: false
+        default: '>=1.21.0'
+defaults:
+  run:
+    shell: bash
+concurrency:
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group: multi-language-autodetect-${{github.ref}}-${{inputs.dotnet-version}}-${{inputs.go-version}}
 jobs:
  multi-language-autodetect:
    strategy:
      fail-fast: false
      matrix:
        include:
-          - os: macos-12
-            version: stable-v2.13.5
-          - os: ubuntu-latest
-            version: stable-v2.13.5
-          - os: macos-12
-            version: stable-v2.14.6
-          - os: ubuntu-latest
-            version: stable-v2.14.6
-          - os: macos-latest
-            version: stable-v2.15.5
-          - os: ubuntu-latest
-            version: stable-v2.15.5
-          - os: macos-latest
-            version: stable-v2.16.6
-          - os: ubuntu-latest
-            version: stable-v2.16.6
-          - os: macos-latest
-            version: stable-v2.17.6
          - os: ubuntu-latest
            version: stable-v2.17.6
          - os: macos-latest
-            version: default
+            version: stable-v2.17.6
+          - os: ubuntu-latest
+            version: stable-v2.18.4
+          - os: macos-latest
+            version: stable-v2.18.4
+          - os: ubuntu-latest
+            version: stable-v2.19.4
+          - os: macos-latest
+            version: stable-v2.19.4
+          - os: ubuntu-latest
+            version: stable-v2.20.7
+          - os: macos-latest
+            version: stable-v2.20.7
+          - os: ubuntu-latest
+            version: stable-v2.21.4
+          - os: macos-latest
+            version: stable-v2.21.4
+          - os: ubuntu-latest
+            version: stable-v2.22.4
+          - os: macos-latest
+            version: stable-v2.22.4
          - os: ubuntu-latest
            version: default
          - os: macos-latest
-            version: linked
+            version: default
          - os: ubuntu-latest
            version: linked
          - os: macos-latest
+            version: linked
+          - os: ubuntu-latest
            version: nightly-latest
-          - os: ubuntu-latest
+          - os: macos-latest
            version: nightly-latest
    name: Multi-language repository
+    if: github.triggering_actor != 'dependabot[bot]'
    permissions:
      contents: read
-      security-events: write
+      security-events: read
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
-      - name: Setup Python on MacOS
-        uses: actions/setup-python@v5
-        if: >-
-          runner.os == 'macOS' && (
-
-          matrix.version == 'stable-v2.13.5' ||
-
-          matrix.version == 'stable-v2.14.6')
-        with:
-          python-version: '3.11'
      - name: Check out repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
+      - name: Install .NET
+        uses: actions/setup-dotnet@v5
+        with:
+          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
+      - name: Install Go
+        uses: actions/setup-go@v6
+        with:
+          go-version: ${{ inputs.go-version || '>=1.21.0' }}
+          cache: false
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -85,26 +121,26 @@ jobs:
          version: ${{ matrix.version }}
          use-all-platform-bundle: 'false'
          setup-kotlin: 'true'
-      - uses: actions/setup-go@v5
+      - name: Install Python 3.13 for older CLI versions
+        # We need Python 3.13 for older CLI versions because they are not compatible with Python 3.14 or newer.
+        # See https://github.com/github/codeql-action/pull/3212
+        if: matrix.version != 'nightly-latest' && matrix.version != 'linked'
+        uses: actions/setup-python@v6
        with:
-          go-version: '>=1.21.0'
+          python-version: '3.13'
+
+      - name: Use Xcode 16
+        if: runner.os == 'macOS' && matrix.version != 'nightly-latest'
+        run: sudo xcode-select -s "/Applications/Xcode_16.app"

      - uses: ./../action/init
        id: init
        with:
-          db-location: ${{ runner.temp }}/customDbLocation
-      # Swift is not supported on Ubuntu so we manually exclude it from the list here
-          languages: ${{ runner.os == 'Linux' && 'cpp,csharp,go,java,javascript,python,ruby'
-            || '' }}
+          db-location: '${{ runner.temp }}/customDbLocation'
+          languages: ${{ runner.os == 'Linux' && 'cpp,csharp,go,java,javascript,python,ruby' || '' }}
          tools: ${{ steps.prepare-test.outputs.tools-url }}

-      - uses: ./../action/.github/actions/setup-swift
-        if: runner.os == 'macOS'
-        with:
-          codeql-path: ${{ steps.init.outputs.codeql-path }}
-
      - name: Build code
-        shell: bash
        run: ./build.sh

      - uses: ./../action/analyze
@@ -113,7 +149,6 @@ jobs:
          upload-database: false

      - name: Check language autodetect for all languages excluding Swift
-        shell: bash
        run: |
          CPP_DB=${{ fromJson(steps.analysis.outputs.db-locations).cpp }}
          if [[ ! -d $CPP_DB ]] || [[ ! $CPP_DB == ${{ runner.temp }}/customDbLocation/* ]]; then
@@ -151,9 +186,8 @@ jobs:
            exit 1
          fi

-      - name: Check language autodetect for Swift on MacOS
+      - name: Check language autodetect for Swift on macOS
        if: runner.os == 'macOS'
-        shell: bash
        run: |
          SWIFT_DB=${{ fromJson(steps.analysis.outputs.db-locations).swift }}
          if [[ ! -d $SWIFT_DB ]] || [[ ! $SWIFT_DB == ${{ runner.temp }}/customDbLocation/* ]]; then
@@ -161,4 +195,5 @@ jobs:
            exit 1
          fi
    env:
+      CODEQL_ACTION_RESOLVE_SUPPORTED_LANGUAGES_USING_CLI: true
      CODEQL_ACTION_TEST_MODE: true
@@ -0,0 +1,81 @@
+# Warning: This file is generated automatically, and should not be modified.
+# Instead, please modify the template in the pr-checks directory and run:
+#     pr-checks/sync.sh
+# to regenerate this file.
+
+name: PR Check - Overlay database init fallback
+env:
+  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+  GO111MODULE: auto
+on:
+  push:
+    branches:
+      - main
+      - releases/v*
+  pull_request:
+    types:
+      - opened
+      - synchronize
+      - reopened
+      - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
+  schedule:
+    - cron: '0 5 * * *'
+  workflow_dispatch:
+    inputs: {}
+  workflow_call:
+    inputs: {}
+defaults:
+  run:
+    shell: bash
+concurrency:
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group: overlay-init-fallback-${{github.ref}}
+jobs:
+  overlay-init-fallback:
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - os: ubuntu-latest
+            version: linked
+          - os: ubuntu-latest
+            version: nightly-latest
+    name: Overlay database init fallback
+    if: github.triggering_actor != 'dependabot[bot]'
+    permissions:
+      contents: read
+      security-events: read
+    timeout-minutes: 45
+    runs-on: ${{ matrix.os }}
+    steps:
+      - name: Check out repository
+        uses: actions/checkout@v6
+      - name: Prepare test
+        id: prepare-test
+        uses: ./.github/actions/prepare-test
+        with:
+          version: ${{ matrix.version }}
+          use-all-platform-bundle: 'false'
+          setup-kotlin: 'true'
+      - uses: ./../action/init
+        with:
+          languages: actions # Any language without overlay support will do
+          tools: ${{ steps.prepare-test.outputs.tools-url }}
+        env:
+          CODEQL_OVERLAY_DATABASE_MODE: overlay-base
+      - uses: ./../action/analyze
+        id: analysis
+        with:
+          upload-database: false
+      - name: Check database
+        run: |
+          cd "$RUNNER_TEMP/codeql_databases/actions"
+          if ! grep -q 'overlayBaseDatabase: false' codeql-database.yml ; then
+            echo "This test needs to be updated to use a non-overlay language."
+            exit 1
+          fi
+    env:
+      CODEQL_ACTION_TEST_MODE: true
@@ -1,6 +1,6 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
+#     pr-checks/sync.sh
 # to regenerate this file.

 name: 'PR Check - Packaging: Config and input passed to the CLI'
@@ -18,9 +18,41 @@ on:
      - synchronize
      - reopened
      - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
  schedule:
    - cron: '0 5 * * *'
-  workflow_dispatch: {}
+  workflow_dispatch:
+    inputs:
+      dotnet-version:
+        type: string
+        description: The version of .NET to install
+        required: false
+        default: 9.x
+      go-version:
+        type: string
+        description: The version of Go to install
+        required: false
+        default: '>=1.21.0'
+  workflow_call:
+    inputs:
+      dotnet-version:
+        type: string
+        description: The version of .NET to install
+        required: false
+        default: 9.x
+      go-version:
+        type: string
+        description: The version of Go to install
+        required: false
+        default: '>=1.21.0'
+defaults:
+  run:
+    shell: bash
+concurrency:
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group: packaging-codescanning-config-inputs-js-${{github.ref}}-${{inputs.dotnet-version}}-${{inputs.go-version}}
 jobs:
  packaging-codescanning-config-inputs-js:
    strategy:
@@ -29,41 +61,36 @@ jobs:
        include:
          - os: ubuntu-latest
            version: linked
-          - os: macos-latest
-            version: linked
-          - os: windows-latest
-            version: linked
          - os: ubuntu-latest
            version: default
-          - os: macos-latest
-            version: default
-          - os: windows-latest
-            version: default
          - os: ubuntu-latest
            version: nightly-latest
-          - os: macos-latest
-            version: nightly-latest
-          - os: windows-latest
-            version: nightly-latest
    name: 'Packaging: Config and input passed to the CLI'
+    if: github.triggering_actor != 'dependabot[bot]'
    permissions:
      contents: read
-      security-events: write
+      security-events: read
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
-      - name: Setup Python on MacOS
-        uses: actions/setup-python@v5
-        if: >-
-          runner.os == 'macOS' && (
-
-          matrix.version == 'stable-v2.13.5' ||
-
-          matrix.version == 'stable-v2.14.6')
-        with:
-          python-version: '3.11'
      - name: Check out repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
+      - name: Install .NET
+        uses: actions/setup-dotnet@v5
+        with:
+          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
+      - name: Install Go
+        uses: actions/setup-go@v6
+        with:
+          go-version: ${{ inputs.go-version || '>=1.21.0' }}
+          cache: false
+      - name: Install Node.js
+        uses: actions/setup-node@v6
+        with:
+          node-version: 20.x
+          cache: npm
+      - name: Install dependencies
+        run: npm ci
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -73,28 +100,25 @@ jobs:
          setup-kotlin: 'true'
      - uses: ./../action/init
        with:
-          config-file: .github/codeql/codeql-config-packaging3.yml
+          config-file: '.github/codeql/codeql-config-packaging3.yml'
          packs: +codeql-testing/codeql-pack1@1.0.0
          languages: javascript
          tools: ${{ steps.prepare-test.outputs.tools-url }}
      - name: Build code
-        shell: bash
        run: ./build.sh
      - uses: ./../action/analyze
        with:
-          output: ${{ runner.temp }}/results
+          output: '${{ runner.temp }}/results'
          upload-database: false

      - name: Check results
        uses: ./../action/.github/actions/check-sarif
        with:
          sarif-file: ${{ runner.temp }}/results/javascript.sarif
-          queries-run: 
-            javascript/example/empty-or-one-block,javascript/example/empty-or-one-block,javascript/example/other-query-block,javascript/example/two-block
+          queries-run: javascript/example/empty-or-one-block,javascript/example/empty-or-one-block,javascript/example/other-query-block,javascript/example/two-block
          queries-not-run: foo,bar

      - name: Assert Results
-        shell: bash
        run: |
          cd "$RUNNER_TEMP/results"
          # We should have 4 hits from these rules
@@ -1,6 +1,6 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
+#     pr-checks/sync.sh
 # to regenerate this file.

 name: 'PR Check - Packaging: Config and input'
@@ -18,9 +18,41 @@ on:
      - synchronize
      - reopened
      - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
  schedule:
    - cron: '0 5 * * *'
-  workflow_dispatch: {}
+  workflow_dispatch:
+    inputs:
+      dotnet-version:
+        type: string
+        description: The version of .NET to install
+        required: false
+        default: 9.x
+      go-version:
+        type: string
+        description: The version of Go to install
+        required: false
+        default: '>=1.21.0'
+  workflow_call:
+    inputs:
+      dotnet-version:
+        type: string
+        description: The version of .NET to install
+        required: false
+        default: 9.x
+      go-version:
+        type: string
+        description: The version of Go to install
+        required: false
+        default: '>=1.21.0'
+defaults:
+  run:
+    shell: bash
+concurrency:
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group: packaging-config-inputs-js-${{github.ref}}-${{inputs.dotnet-version}}-${{inputs.go-version}}
 jobs:
  packaging-config-inputs-js:
    strategy:
@@ -29,41 +61,36 @@ jobs:
        include:
          - os: ubuntu-latest
            version: linked
-          - os: macos-latest
-            version: linked
-          - os: windows-latest
-            version: linked
          - os: ubuntu-latest
            version: default
-          - os: macos-latest
-            version: default
-          - os: windows-latest
-            version: default
          - os: ubuntu-latest
            version: nightly-latest
-          - os: macos-latest
-            version: nightly-latest
-          - os: windows-latest
-            version: nightly-latest
    name: 'Packaging: Config and input'
+    if: github.triggering_actor != 'dependabot[bot]'
    permissions:
      contents: read
-      security-events: write
+      security-events: read
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
-      - name: Setup Python on MacOS
-        uses: actions/setup-python@v5
-        if: >-
-          runner.os == 'macOS' && (
-
-          matrix.version == 'stable-v2.13.5' ||
-
-          matrix.version == 'stable-v2.14.6')
-        with:
-          python-version: '3.11'
      - name: Check out repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
+      - name: Install .NET
+        uses: actions/setup-dotnet@v5
+        with:
+          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
+      - name: Install Go
+        uses: actions/setup-go@v6
+        with:
+          go-version: ${{ inputs.go-version || '>=1.21.0' }}
+          cache: false
+      - name: Install Node.js
+        uses: actions/setup-node@v6
+        with:
+          node-version: 20.x
+          cache: npm
+      - name: Install dependencies
+        run: npm ci
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -73,28 +100,25 @@ jobs:
          setup-kotlin: 'true'
      - uses: ./../action/init
        with:
-          config-file: .github/codeql/codeql-config-packaging3.yml
+          config-file: '.github/codeql/codeql-config-packaging3.yml'
          packs: +codeql-testing/codeql-pack1@1.0.0
          languages: javascript
          tools: ${{ steps.prepare-test.outputs.tools-url }}
      - name: Build code
-        shell: bash
        run: ./build.sh
      - uses: ./../action/analyze
        with:
-          output: ${{ runner.temp }}/results
+          output: '${{ runner.temp }}/results'
          upload-database: false

      - name: Check results
        uses: ./../action/.github/actions/check-sarif
        with:
          sarif-file: ${{ runner.temp }}/results/javascript.sarif
-          queries-run: 
-            javascript/example/empty-or-one-block,javascript/example/empty-or-one-block,javascript/example/other-query-block,javascript/example/two-block
+          queries-run: javascript/example/empty-or-one-block,javascript/example/empty-or-one-block,javascript/example/other-query-block,javascript/example/two-block
          queries-not-run: foo,bar

      - name: Assert Results
-        shell: bash
        run: |
          cd "$RUNNER_TEMP/results"
          # We should have 4 hits from these rules
@@ -1,6 +1,6 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
+#     pr-checks/sync.sh
 # to regenerate this file.

 name: 'PR Check - Packaging: Config file'
@@ -18,9 +18,41 @@ on:
      - synchronize
      - reopened
      - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
  schedule:
    - cron: '0 5 * * *'
-  workflow_dispatch: {}
+  workflow_dispatch:
+    inputs:
+      dotnet-version:
+        type: string
+        description: The version of .NET to install
+        required: false
+        default: 9.x
+      go-version:
+        type: string
+        description: The version of Go to install
+        required: false
+        default: '>=1.21.0'
+  workflow_call:
+    inputs:
+      dotnet-version:
+        type: string
+        description: The version of .NET to install
+        required: false
+        default: 9.x
+      go-version:
+        type: string
+        description: The version of Go to install
+        required: false
+        default: '>=1.21.0'
+defaults:
+  run:
+    shell: bash
+concurrency:
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group: packaging-config-js-${{github.ref}}-${{inputs.dotnet-version}}-${{inputs.go-version}}
 jobs:
  packaging-config-js:
    strategy:
@@ -29,41 +61,36 @@ jobs:
        include:
          - os: ubuntu-latest
            version: linked
-          - os: macos-latest
-            version: linked
-          - os: windows-latest
-            version: linked
          - os: ubuntu-latest
            version: default
-          - os: macos-latest
-            version: default
-          - os: windows-latest
-            version: default
          - os: ubuntu-latest
            version: nightly-latest
-          - os: macos-latest
-            version: nightly-latest
-          - os: windows-latest
-            version: nightly-latest
    name: 'Packaging: Config file'
+    if: github.triggering_actor != 'dependabot[bot]'
    permissions:
      contents: read
-      security-events: write
+      security-events: read
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
-      - name: Setup Python on MacOS
-        uses: actions/setup-python@v5
-        if: >-
-          runner.os == 'macOS' && (
-
-          matrix.version == 'stable-v2.13.5' ||
-
-          matrix.version == 'stable-v2.14.6')
-        with:
-          python-version: '3.11'
      - name: Check out repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
+      - name: Install .NET
+        uses: actions/setup-dotnet@v5
+        with:
+          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
+      - name: Install Go
+        uses: actions/setup-go@v6
+        with:
+          go-version: ${{ inputs.go-version || '>=1.21.0' }}
+          cache: false
+      - name: Install Node.js
+        uses: actions/setup-node@v6
+        with:
+          node-version: 20.x
+          cache: npm
+      - name: Install dependencies
+        run: npm ci
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -73,27 +100,24 @@ jobs:
          setup-kotlin: 'true'
      - uses: ./../action/init
        with:
-          config-file: .github/codeql/codeql-config-packaging.yml
+          config-file: '.github/codeql/codeql-config-packaging.yml'
          languages: javascript
          tools: ${{ steps.prepare-test.outputs.tools-url }}
      - name: Build code
-        shell: bash
        run: ./build.sh
      - uses: ./../action/analyze
        with:
-          output: ${{ runner.temp }}/results
+          output: '${{ runner.temp }}/results'
          upload-database: false

      - name: Check results
        uses: ./../action/.github/actions/check-sarif
        with:
          sarif-file: ${{ runner.temp }}/results/javascript.sarif
-          queries-run: 
-            javascript/example/empty-or-one-block,javascript/example/empty-or-one-block,javascript/example/other-query-block,javascript/example/two-block
+          queries-run: javascript/example/empty-or-one-block,javascript/example/empty-or-one-block,javascript/example/other-query-block,javascript/example/two-block
          queries-not-run: foo,bar

      - name: Assert Results
-        shell: bash
        run: |
          cd "$RUNNER_TEMP/results"
          # We should have 4 hits from these rules
@@ -1,6 +1,6 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
+#     pr-checks/sync.sh
 # to regenerate this file.

 name: 'PR Check - Packaging: Action input'
@@ -18,9 +18,41 @@ on:
      - synchronize
      - reopened
      - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
  schedule:
    - cron: '0 5 * * *'
-  workflow_dispatch: {}
+  workflow_dispatch:
+    inputs:
+      dotnet-version:
+        type: string
+        description: The version of .NET to install
+        required: false
+        default: 9.x
+      go-version:
+        type: string
+        description: The version of Go to install
+        required: false
+        default: '>=1.21.0'
+  workflow_call:
+    inputs:
+      dotnet-version:
+        type: string
+        description: The version of .NET to install
+        required: false
+        default: 9.x
+      go-version:
+        type: string
+        description: The version of Go to install
+        required: false
+        default: '>=1.21.0'
+defaults:
+  run:
+    shell: bash
+concurrency:
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group: packaging-inputs-js-${{github.ref}}-${{inputs.dotnet-version}}-${{inputs.go-version}}
 jobs:
  packaging-inputs-js:
    strategy:
@@ -29,41 +61,36 @@ jobs:
        include:
          - os: ubuntu-latest
            version: linked
-          - os: macos-latest
-            version: linked
-          - os: windows-latest
-            version: linked
          - os: ubuntu-latest
            version: default
-          - os: macos-latest
-            version: default
-          - os: windows-latest
-            version: default
          - os: ubuntu-latest
            version: nightly-latest
-          - os: macos-latest
-            version: nightly-latest
-          - os: windows-latest
-            version: nightly-latest
    name: 'Packaging: Action input'
+    if: github.triggering_actor != 'dependabot[bot]'
    permissions:
      contents: read
-      security-events: write
+      security-events: read
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
-      - name: Setup Python on MacOS
-        uses: actions/setup-python@v5
-        if: >-
-          runner.os == 'macOS' && (
-
-          matrix.version == 'stable-v2.13.5' ||
-
-          matrix.version == 'stable-v2.14.6')
-        with:
-          python-version: '3.11'
      - name: Check out repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
+      - name: Install .NET
+        uses: actions/setup-dotnet@v5
+        with:
+          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
+      - name: Install Go
+        uses: actions/setup-go@v6
+        with:
+          go-version: ${{ inputs.go-version || '>=1.21.0' }}
+          cache: false
+      - name: Install Node.js
+        uses: actions/setup-node@v6
+        with:
+          node-version: 20.x
+          cache: npm
+      - name: Install dependencies
+        run: npm ci
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -73,27 +100,24 @@ jobs:
          setup-kotlin: 'true'
      - uses: ./../action/init
        with:
-          config-file: .github/codeql/codeql-config-packaging2.yml
+          config-file: '.github/codeql/codeql-config-packaging2.yml'
          languages: javascript
          packs: codeql-testing/codeql-pack1@1.0.0, codeql-testing/codeql-pack2, codeql-testing/codeql-pack3:other-query.ql
          tools: ${{ steps.prepare-test.outputs.tools-url }}
      - name: Build code
-        shell: bash
        run: ./build.sh
      - uses: ./../action/analyze
        with:
-          output: ${{ runner.temp }}/results
+          output: '${{ runner.temp }}/results'

      - name: Check results
        uses: ./../action/.github/actions/check-sarif
        with:
          sarif-file: ${{ runner.temp }}/results/javascript.sarif
-          queries-run: 
-            javascript/example/empty-or-one-block,javascript/example/empty-or-one-block,javascript/example/other-query-block,javascript/example/two-block
+          queries-run: javascript/example/empty-or-one-block,javascript/example/empty-or-one-block,javascript/example/other-query-block,javascript/example/two-block
          queries-not-run: foo,bar

      - name: Assert Results
-        shell: bash
        run: |
          cd "$RUNNER_TEMP/results"
          # We should have 4 hits from these rules
@@ -1,6 +1,6 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
+#     pr-checks/sync.sh
 # to regenerate this file.

 name: PR Check - Remote config file
@@ -18,9 +18,41 @@ on:
      - synchronize
      - reopened
      - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
  schedule:
    - cron: '0 5 * * *'
-  workflow_dispatch: {}
+  workflow_dispatch:
+    inputs:
+      dotnet-version:
+        type: string
+        description: The version of .NET to install
+        required: false
+        default: 9.x
+      go-version:
+        type: string
+        description: The version of Go to install
+        required: false
+        default: '>=1.21.0'
+  workflow_call:
+    inputs:
+      dotnet-version:
+        type: string
+        description: The version of .NET to install
+        required: false
+        default: 9.x
+      go-version:
+        type: string
+        description: The version of Go to install
+        required: false
+        default: '>=1.21.0'
+defaults:
+  run:
+    shell: bash
+concurrency:
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group: remote-config-${{github.ref}}-${{inputs.dotnet-version}}-${{inputs.go-version}}
 jobs:
  remote-config:
    strategy:
@@ -32,24 +64,24 @@ jobs:
          - os: ubuntu-latest
            version: nightly-latest
    name: Remote config file
+    if: github.triggering_actor != 'dependabot[bot]'
    permissions:
      contents: read
-      security-events: write
+      security-events: read
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
-      - name: Setup Python on MacOS
-        uses: actions/setup-python@v5
-        if: >-
-          runner.os == 'macOS' && (
-
-          matrix.version == 'stable-v2.13.5' ||
-
-          matrix.version == 'stable-v2.14.6')
-        with:
-          python-version: '3.11'
      - name: Check out repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
+      - name: Install .NET
+        uses: actions/setup-dotnet@v5
+        with:
+          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
+      - name: Install Go
+        uses: actions/setup-go@v6
+        with:
+          go-version: ${{ inputs.go-version || '>=1.21.0' }}
+          cache: false
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -61,10 +93,8 @@ jobs:
        with:
          tools: ${{ steps.prepare-test.outputs.tools-url }}
          languages: cpp,csharp,java,javascript,python
-          config-file: ${{ github.repository }}/tests/multi-language-repo/.github/codeql/custom-queries.yml@${{
-            github.sha }}
+          config-file: ${{ github.repository }}/tests/multi-language-repo/.github/codeql/custom-queries.yml@${{ github.sha }}
      - name: Build code
-        shell: bash
        run: ./build.sh
      - uses: ./../action/analyze
    env:
@@ -1,6 +1,6 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
+#     pr-checks/sync.sh
 # to regenerate this file.

 name: PR Check - Resolve environment
@@ -18,9 +18,21 @@ on:
      - synchronize
      - reopened
      - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
  schedule:
    - cron: '0 5 * * *'
-  workflow_dispatch: {}
+  workflow_dispatch:
+    inputs: {}
+  workflow_call:
+    inputs: {}
+defaults:
+  run:
+    shell: bash
+concurrency:
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group: resolve-environment-action-${{github.ref}}
 jobs:
  resolve-environment-action:
    strategy:
@@ -28,48 +40,21 @@ jobs:
      matrix:
        include:
          - os: ubuntu-latest
-            version: stable-v2.13.5
-          - os: macos-12
-            version: stable-v2.13.5
-          - os: windows-latest
-            version: stable-v2.13.5
-          - os: ubuntu-latest
-            version: default
-          - os: macos-latest
-            version: default
-          - os: windows-latest
-            version: default
-          - os: ubuntu-latest
-            version: linked
-          - os: macos-latest
-            version: linked
-          - os: windows-latest
            version: linked
          - os: ubuntu-latest
-            version: nightly-latest
-          - os: macos-latest
-            version: nightly-latest
-          - os: windows-latest
+            version: default
+          - os: ubuntu-latest
            version: nightly-latest
    name: Resolve environment
+    if: github.triggering_actor != 'dependabot[bot]'
    permissions:
      contents: read
-      security-events: write
+      security-events: read
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
-      - name: Setup Python on MacOS
-        uses: actions/setup-python@v5
-        if: >-
-          runner.os == 'macOS' && (
-
-          matrix.version == 'stable-v2.13.5' ||
-
-          matrix.version == 'stable-v2.14.6')
-        with:
-          python-version: '3.11'
      - name: Check out repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -79,8 +64,7 @@ jobs:
          setup-kotlin: 'true'
      - uses: ./../action/init
        with:
-          languages: ${{ matrix.version == 'stable-v2.13.5' && 'go' || 'go,javascript-typescript'
-            }}
+          languages: go,javascript-typescript
          tools: ${{ steps.prepare-test.outputs.tools-url }}

      - name: Resolve environment for Go
@@ -94,15 +78,13 @@ jobs:
        run: exit 1

      - name: Resolve environment for JavaScript/TypeScript
-        if: matrix.version != 'stable-v2.13.5'
        uses: ./../action/resolve-environment
        id: resolve-environment-js
        with:
          language: javascript-typescript

      - name: Fail if JavaScript/TypeScript configuration present
-        if: matrix.version != 'stable-v2.13.5' && 
-          fromJSON(steps.resolve-environment-js.outputs.environment).configuration.javascript
+        if: fromJSON(steps.resolve-environment-js.outputs.environment).configuration.javascript
        run: exit 1
    env:
      CODEQL_ACTION_TEST_MODE: true
@@ -1,6 +1,6 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
+#     pr-checks/sync.sh
 # to regenerate this file.

 name: PR Check - RuboCop multi-language
@@ -18,9 +18,21 @@ on:
      - synchronize
      - reopened
      - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
  schedule:
    - cron: '0 5 * * *'
-  workflow_dispatch: {}
+  workflow_dispatch:
+    inputs: {}
+  workflow_call:
+    inputs: {}
+defaults:
+  run:
+    shell: bash
+concurrency:
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group: rubocop-multi-language-${{github.ref}}
 jobs:
  rubocop-multi-language:
    strategy:
@@ -30,24 +42,15 @@ jobs:
          - os: ubuntu-latest
            version: default
    name: RuboCop multi-language
+    if: github.triggering_actor != 'dependabot[bot]'
    permissions:
      contents: read
-      security-events: write
+      security-events: read
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
-      - name: Setup Python on MacOS
-        uses: actions/setup-python@v5
-        if: >-
-          runner.os == 'macOS' && (
-
-          matrix.version == 'stable-v2.13.5' ||
-
-          matrix.version == 'stable-v2.14.6')
-        with:
-          python-version: '3.11'
      - name: Check out repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -56,17 +59,14 @@ jobs:
          use-all-platform-bundle: 'false'
          setup-kotlin: 'true'
      - name: Set up Ruby
-        uses: ruby/setup-ruby@v1
+        uses: ruby/setup-ruby@0cb964fd540e0a24c900370abf38a33466142735 # v1.305.0
        with:
          ruby-version: 2.6
      - name: Install Code Scanning integration
-        shell: bash
        run: bundle add code-scanning-rubocop --version 0.3.0 --skip-install
      - name: Install dependencies
-        shell: bash
        run: bundle install
      - name: RuboCop run
-        shell: bash
        run: |
          bash -c "
            bundle exec rubocop --require code_scanning --format CodeScanning::SarifFormatter -o rubocop.sarif
@@ -1,6 +1,6 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
+#     pr-checks/sync.sh
 # to regenerate this file.

 name: PR Check - Ruby analysis
@@ -18,9 +18,21 @@ on:
      - synchronize
      - reopened
      - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
  schedule:
    - cron: '0 5 * * *'
-  workflow_dispatch: {}
+  workflow_dispatch:
+    inputs: {}
+  workflow_call:
+    inputs: {}
+defaults:
+  run:
+    shell: bash
+concurrency:
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group: ruby-${{github.ref}}
 jobs:
  ruby:
    strategy:
@@ -40,24 +52,15 @@ jobs:
          - os: macos-latest
            version: nightly-latest
    name: Ruby analysis
+    if: github.triggering_actor != 'dependabot[bot]'
    permissions:
      contents: read
-      security-events: write
+      security-events: read
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
-      - name: Setup Python on MacOS
-        uses: actions/setup-python@v5
-        if: >-
-          runner.os == 'macOS' && (
-
-          matrix.version == 'stable-v2.13.5' ||
-
-          matrix.version == 'stable-v2.14.6')
-        with:
-          python-version: '3.11'
      - name: Check out repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -74,7 +77,6 @@ jobs:
        with:
          upload-database: false
      - name: Check database
-        shell: bash
        run: |
          RUBY_DB="${{ fromJson(steps.analysis.outputs.db-locations).ruby }}"
          if [[ ! -d "$RUBY_DB" ]]; then
@@ -0,0 +1,85 @@
+# Warning: This file is generated automatically, and should not be modified.
+# Instead, please modify the template in the pr-checks directory and run:
+#     pr-checks/sync.sh
+# to regenerate this file.
+
+name: PR Check - Rust analysis
+env:
+  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+  GO111MODULE: auto
+on:
+  push:
+    branches:
+      - main
+      - releases/v*
+  pull_request:
+    types:
+      - opened
+      - synchronize
+      - reopened
+      - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
+  schedule:
+    - cron: '0 5 * * *'
+  workflow_dispatch:
+    inputs: {}
+  workflow_call:
+    inputs: {}
+defaults:
+  run:
+    shell: bash
+concurrency:
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group: rust-${{github.ref}}
+jobs:
+  rust:
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - os: ubuntu-latest
+            version: stable-v2.19.3
+          - os: ubuntu-latest
+            version: stable-v2.22.1
+          - os: ubuntu-latest
+            version: linked
+          - os: ubuntu-latest
+            version: default
+          - os: ubuntu-latest
+            version: nightly-latest
+    name: Rust analysis
+    if: github.triggering_actor != 'dependabot[bot]'
+    permissions:
+      contents: read
+      security-events: read
+    timeout-minutes: 45
+    runs-on: ${{ matrix.os }}
+    steps:
+      - name: Check out repository
+        uses: actions/checkout@v6
+      - name: Prepare test
+        id: prepare-test
+        uses: ./.github/actions/prepare-test
+        with:
+          version: ${{ matrix.version }}
+          use-all-platform-bundle: 'false'
+          setup-kotlin: 'true'
+      - uses: ./../action/init
+        with:
+          languages: rust
+          tools: ${{ steps.prepare-test.outputs.tools-url }}
+      - uses: ./../action/analyze
+        id: analysis
+        with:
+          upload-database: false
+      - name: Check database
+        run: |
+          RUST_DB="${{ fromJson(steps.analysis.outputs.db-locations).rust }}"
+          if [[ ! -d "$RUST_DB" ]]; then
+            echo "Did not create a database for Rust."
+            exit 1
+          fi
+    env:
+      CODEQL_ACTION_TEST_MODE: true
@@ -1,6 +1,6 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
+#     pr-checks/sync.sh
 # to regenerate this file.

 name: PR Check - Split workflow
@@ -18,9 +18,41 @@ on:
      - synchronize
      - reopened
      - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
  schedule:
    - cron: '0 5 * * *'
-  workflow_dispatch: {}
+  workflow_dispatch:
+    inputs:
+      dotnet-version:
+        type: string
+        description: The version of .NET to install
+        required: false
+        default: 9.x
+      go-version:
+        type: string
+        description: The version of Go to install
+        required: false
+        default: '>=1.21.0'
+  workflow_call:
+    inputs:
+      dotnet-version:
+        type: string
+        description: The version of .NET to install
+        required: false
+        default: 9.x
+      go-version:
+        type: string
+        description: The version of Go to install
+        required: false
+        default: '>=1.21.0'
+defaults:
+  run:
+    shell: bash
+concurrency:
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group: split-workflow-${{github.ref}}-${{inputs.dotnet-version}}-${{inputs.go-version}}
 jobs:
  split-workflow:
    strategy:
@@ -40,24 +72,24 @@ jobs:
          - os: macos-latest
            version: nightly-latest
    name: Split workflow
+    if: github.triggering_actor != 'dependabot[bot]'
    permissions:
      contents: read
-      security-events: write
+      security-events: read
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
-      - name: Setup Python on MacOS
-        uses: actions/setup-python@v5
-        if: >-
-          runner.os == 'macOS' && (
-
-          matrix.version == 'stable-v2.13.5' ||
-
-          matrix.version == 'stable-v2.14.6')
-        with:
-          python-version: '3.11'
      - name: Check out repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
+      - name: Install .NET
+        uses: actions/setup-dotnet@v5
+        with:
+          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
+      - name: Install Go
+        uses: actions/setup-go@v6
+        with:
+          go-version: ${{ inputs.go-version || '>=1.21.0' }}
+          cache: false
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -67,21 +99,19 @@ jobs:
          setup-kotlin: 'true'
      - uses: ./../action/init
        with:
-          config-file: .github/codeql/codeql-config-packaging3.yml
+          config-file: '.github/codeql/codeql-config-packaging3.yml'
          packs: +codeql-testing/codeql-pack1@1.0.0
          languages: javascript
          tools: ${{ steps.prepare-test.outputs.tools-url }}
      - name: Build code
-        shell: bash
        run: ./build.sh
      - uses: ./../action/analyze
        with:
          skip-queries: true
-          output: ${{ runner.temp }}/results
+          output: '${{ runner.temp }}/results'
          upload-database: false

      - name: Assert No Results
-        shell: bash
        run: |
          if [ "$(ls -A $RUNNER_TEMP/results)" ]; then
            echo "Expected results directory to be empty after skipping query execution!"
@@ -89,10 +119,9 @@ jobs:
          fi
      - uses: ./../action/analyze
        with:
-          output: ${{ runner.temp }}/results
+          output: '${{ runner.temp }}/results'
          upload-database: false
      - name: Assert Results
-        shell: bash
        run: |
          cd "$RUNNER_TEMP/results"
          # We should have 4 hits from these rules
@@ -0,0 +1,103 @@
+# Warning: This file is generated automatically, and should not be modified.
+# Instead, please modify the template in the pr-checks directory and run:
+#     pr-checks/sync.sh
+# to regenerate this file.
+
+name: PR Check - Start proxy
+env:
+  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+  GO111MODULE: auto
+on:
+  push:
+    branches:
+      - main
+      - releases/v*
+  pull_request:
+    types:
+      - opened
+      - synchronize
+      - reopened
+      - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
+  schedule:
+    - cron: '0 5 * * *'
+  workflow_dispatch:
+    inputs: {}
+  workflow_call:
+    inputs: {}
+defaults:
+  run:
+    shell: bash
+concurrency:
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group: start-proxy-${{github.ref}}
+jobs:
+  start-proxy:
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - os: ubuntu-latest
+            version: linked
+          - os: macos-latest
+            version: linked
+          - os: windows-latest
+            version: linked
+    name: Start proxy
+    if: github.triggering_actor != 'dependabot[bot]'
+    permissions:
+      contents: read
+      security-events: read
+    timeout-minutes: 45
+    runs-on: ${{ matrix.os }}
+    steps:
+      - name: Check out repository
+        uses: actions/checkout@v6
+      - name: Prepare test
+        id: prepare-test
+        uses: ./.github/actions/prepare-test
+        with:
+          version: ${{ matrix.version }}
+          use-all-platform-bundle: 'false'
+          setup-kotlin: 'true'
+      - uses: ./../action/init
+        with:
+          languages: csharp
+          tools: ${{ steps.prepare-test.outputs.tools-url }}
+
+      - name: Setup proxy for registries
+        id: proxy
+        uses: ./../action/start-proxy
+        with:
+          registry_secrets: |
+            [
+              {
+                "type": "maven_repository",
+                "url": "https://repo.maven.apache.org/maven2/"
+              },
+              {
+                "type": "maven_repository",
+                "url": "https://repo1.maven.org/maven2"
+              }
+            ]
+
+      - name: Print proxy outputs
+        run: |
+          echo "${{ steps.proxy.outputs.proxy_host }}"
+          echo "${{ steps.proxy.outputs.proxy_port }}"
+          echo "${{ steps.proxy.outputs.proxy_urls }}"
+
+      - name: Fail if proxy outputs are not set
+        if: (!steps.proxy.outputs.proxy_host) || (!steps.proxy.outputs.proxy_port) || (!steps.proxy.outputs.proxy_ca_certificate) || (!steps.proxy.outputs.proxy_urls)
+        run: exit 1
+
+      - name: Fail if proxy_urls does not contain all registries
+        if: |
+          join(fromJSON(steps.proxy.outputs.proxy_urls)[*].type, ',') != 'maven_repository,maven_repository'
+          || !contains(steps.proxy.outputs.proxy_urls, 'https://repo.maven.apache.org/maven2/')
+          || !contains(steps.proxy.outputs.proxy_urls, 'https://repo1.maven.org/maven2')
+        run: exit 1
+    env:
+      CODEQL_ACTION_TEST_MODE: true
@@ -1,6 +1,6 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
+#     pr-checks/sync.sh
 # to regenerate this file.

 name: PR Check - Submit SARIF after failure
@@ -18,9 +18,21 @@ on:
      - synchronize
      - reopened
      - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
  schedule:
    - cron: '0 5 * * *'
-  workflow_dispatch: {}
+  workflow_dispatch:
+    inputs: {}
+  workflow_call:
+    inputs: {}
+defaults:
+  run:
+    shell: bash
+concurrency:
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group: submit-sarif-failure-${{github.ref}}
 jobs:
  submit-sarif-failure:
    strategy:
@@ -34,24 +46,15 @@ jobs:
          - os: ubuntu-latest
            version: nightly-latest
    name: Submit SARIF after failure
+    if: github.triggering_actor != 'dependabot[bot]'
    permissions:
      contents: read
      security-events: write
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
-      - name: Setup Python on MacOS
-        uses: actions/setup-python@v5
-        if: >-
-          runner.os == 'macOS' && (
-
-          matrix.version == 'stable-v2.13.5' ||
-
-          matrix.version == 'stable-v2.14.6')
-        with:
-          python-version: '3.11'
      - name: Check out repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -59,32 +62,26 @@ jobs:
          version: ${{ matrix.version }}
          use-all-platform-bundle: 'false'
          setup-kotlin: 'true'
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
      - uses: ./init
        with:
          languages: javascript
          tools: ${{ steps.prepare-test.outputs.tools-url }}
      - name: Fail
-    # We want this job to pass if the Action correctly uploads the SARIF file for
-    # the failed run.
-    # Setting this step to continue on error means that it is marked as completing
-    # successfully, so will not fail the job.
+        # We want this job to pass if the Action correctly uploads the SARIF file for
+        # the failed run.
+        # Setting this step to continue on error means that it is marked as completing
+        # successfully, so will not fail the job.
        continue-on-error: true
        run: exit 1
      - uses: ./analyze
-    # In a real workflow, this step wouldn't run. Since we used `continue-on-error`
-    # above, we manually disable it with an `if` condition.
+        # In a real workflow, this step wouldn't run. Since we used `continue-on-error`
+        # above, we manually disable it with an `if` condition.
        if: false
        with:
-          category: /test-codeql-version:${{ matrix.version }}
+          category: '/test-codeql-version:${{ matrix.version }}'
    env:
-  # Internal-only environment variable used to indicate that the post-init Action
-  # should expect to upload a SARIF file for the failed run.
      CODEQL_ACTION_EXPECT_UPLOAD_FAILED_SARIF: true
-  # Make sure the uploading SARIF files feature is enabled.
      CODEQL_ACTION_UPLOAD_FAILED_SARIF: true
-  # Upload the failed SARIF file as an integration test of the API endpoint.
      CODEQL_ACTION_TEST_MODE: false
-  # Mark telemetry for this workflow so it can be treated separately.
      CODEQL_ACTION_TESTING_ENVIRONMENT: codeql-action-pr-checks
-
@@ -1,6 +1,6 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
+#     pr-checks/sync.sh
 # to regenerate this file.

 name: PR Check - Swift analysis using autobuild
@@ -18,9 +18,21 @@ on:
      - synchronize
      - reopened
      - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
  schedule:
    - cron: '0 5 * * *'
-  workflow_dispatch: {}
+  workflow_dispatch:
+    inputs: {}
+  workflow_call:
+    inputs: {}
+defaults:
+  run:
+    shell: bash
+concurrency:
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group: swift-autobuild-${{github.ref}}
 jobs:
  swift-autobuild:
    strategy:
@@ -30,24 +42,15 @@ jobs:
          - os: macos-latest
            version: nightly-latest
    name: Swift analysis using autobuild
+    if: github.triggering_actor != 'dependabot[bot]'
    permissions:
      contents: read
-      security-events: write
+      security-events: read
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
-      - name: Setup Python on MacOS
-        uses: actions/setup-python@v5
-        if: >-
-          runner.os == 'macOS' && (
-
-          matrix.version == 'stable-v2.13.5' ||
-
-          matrix.version == 'stable-v2.14.6')
-        with:
-          python-version: '3.11'
      - name: Check out repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -61,11 +64,7 @@ jobs:
          languages: swift
          build-mode: autobuild
          tools: ${{ steps.prepare-test.outputs.tools-url }}
-      - uses: ./../action/.github/actions/setup-swift
-        with:
-          codeql-path: ${{steps.init.outputs.codeql-path}}
      - name: Check working directory
-        shell: bash
        run: pwd
      - uses: ./../action/autobuild
        timeout-minutes: 30
@@ -74,7 +73,6 @@ jobs:
        with:
          upload-database: false
      - name: Check database
-        shell: bash
        run: |
          SWIFT_DB="${{ fromJson(steps.analysis.outputs.db-locations).swift }}"
          if [[ ! -d "$SWIFT_DB" ]]; then
@@ -1,6 +1,6 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
+#     pr-checks/sync.sh
 # to regenerate this file.

 name: PR Check - Swift analysis using a custom build command
@@ -18,9 +18,41 @@ on:
      - synchronize
      - reopened
      - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
  schedule:
    - cron: '0 5 * * *'
-  workflow_dispatch: {}
+  workflow_dispatch:
+    inputs:
+      dotnet-version:
+        type: string
+        description: The version of .NET to install
+        required: false
+        default: 9.x
+      go-version:
+        type: string
+        description: The version of Go to install
+        required: false
+        default: '>=1.21.0'
+  workflow_call:
+    inputs:
+      dotnet-version:
+        type: string
+        description: The version of .NET to install
+        required: false
+        default: 9.x
+      go-version:
+        type: string
+        description: The version of Go to install
+        required: false
+        default: '>=1.21.0'
+defaults:
+  run:
+    shell: bash
+concurrency:
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group: swift-custom-build-${{github.ref}}-${{inputs.dotnet-version}}-${{inputs.go-version}}
 jobs:
  swift-custom-build:
    strategy:
@@ -34,24 +66,24 @@ jobs:
          - os: macos-latest
            version: nightly-latest
    name: Swift analysis using a custom build command
+    if: github.triggering_actor != 'dependabot[bot]'
    permissions:
      contents: read
-      security-events: write
+      security-events: read
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
-      - name: Setup Python on MacOS
-        uses: actions/setup-python@v5
-        if: >-
-          runner.os == 'macOS' && (
-
-          matrix.version == 'stable-v2.13.5' ||
-
-          matrix.version == 'stable-v2.14.6')
-        with:
-          python-version: '3.11'
      - name: Check out repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
+      - name: Install .NET
+        uses: actions/setup-dotnet@v5
+        with:
+          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
+      - name: Install Go
+        uses: actions/setup-go@v6
+        with:
+          go-version: ${{ inputs.go-version || '>=1.21.0' }}
+          cache: false
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -59,26 +91,23 @@ jobs:
          version: ${{ matrix.version }}
          use-all-platform-bundle: 'false'
          setup-kotlin: 'true'
+      - name: Use Xcode 16
+        if: runner.os == 'macOS' && matrix.version != 'nightly-latest'
+        run: sudo xcode-select -s "/Applications/Xcode_16.app"
      - uses: ./../action/init
        id: init
        with:
          languages: swift
          tools: ${{ steps.prepare-test.outputs.tools-url }}
-      - uses: ./../action/.github/actions/setup-swift
-        with:
-          codeql-path: ${{steps.init.outputs.codeql-path}}
      - name: Check working directory
-        shell: bash
        run: pwd
      - name: Build code
-        shell: bash
        run: ./build.sh
      - uses: ./../action/analyze
        id: analysis
        with:
          upload-database: false
      - name: Check database
-        shell: bash
        run: |
          SWIFT_DB="${{ fromJson(steps.analysis.outputs.db-locations).swift }}"
          if [[ ! -d "$SWIFT_DB" ]]; then
@@ -1,82 +0,0 @@
-# Warning: This file is generated automatically, and should not be modified.
-# Instead, please modify the template in the pr-checks directory and run:
-#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
-# to regenerate this file.
-
-name: PR Check - Autobuild working directory
-env:
-  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-  GO111MODULE: auto
-on:
-  push:
-    branches:
-      - main
-      - releases/v*
-  pull_request:
-    types:
-      - opened
-      - synchronize
-      - reopened
-      - ready_for_review
-  schedule:
-    - cron: '0 5 * * *'
-  workflow_dispatch: {}
-jobs:
-  test-autobuild-working-dir:
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - os: ubuntu-latest
-            version: linked
-    name: Autobuild working directory
-    permissions:
-      contents: read
-      security-events: write
-    timeout-minutes: 45
-    runs-on: ${{ matrix.os }}
-    steps:
-      - name: Setup Python on MacOS
-        uses: actions/setup-python@v5
-        if: >-
-          runner.os == 'macOS' && (
-
-          matrix.version == 'stable-v2.13.5' ||
-
-          matrix.version == 'stable-v2.14.6')
-        with:
-          python-version: '3.11'
-      - name: Check out repository
-        uses: actions/checkout@v4
-      - name: Prepare test
-        id: prepare-test
-        uses: ./.github/actions/prepare-test
-        with:
-          version: ${{ matrix.version }}
-          use-all-platform-bundle: 'false'
-          setup-kotlin: 'true'
-      - name: Test setup
-        shell: bash
-        run: |
-          # Make sure that Gradle build succeeds in autobuild-dir ...
-          cp -a ../action/tests/java-repo autobuild-dir
-          # ... and fails if attempted in the current directory
-          echo > build.gradle
-      - uses: ./../action/init
-        with:
-          languages: java
-          tools: ${{ steps.prepare-test.outputs.tools-url }}
-      - uses: ./../action/autobuild
-        with:
-          working-directory: autobuild-dir
-      - uses: ./../action/analyze
-      - name: Check database
-        shell: bash
-        run: |
-          cd "$RUNNER_TEMP/codeql_databases"
-          if [[ ! -d java ]]; then
-            echo "Did not find a Java database"
-            exit 1
-          fi
-    env:
-      CODEQL_ACTION_TEST_MODE: true
@@ -1,75 +0,0 @@
-# Warning: This file is generated automatically, and should not be modified.
-# Instead, please modify the template in the pr-checks directory and run:
-#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
-# to regenerate this file.
-
-name: PR Check - Local CodeQL bundle
-env:
-  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-  GO111MODULE: auto
-on:
-  push:
-    branches:
-      - main
-      - releases/v*
-  pull_request:
-    types:
-      - opened
-      - synchronize
-      - reopened
-      - ready_for_review
-  schedule:
-    - cron: '0 5 * * *'
-  workflow_dispatch: {}
-jobs:
-  test-local-codeql:
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - os: ubuntu-latest
-            version: nightly-latest
-    name: Local CodeQL bundle
-    permissions:
-      contents: read
-      security-events: write
-    timeout-minutes: 45
-    runs-on: ${{ matrix.os }}
-    steps:
-      - name: Setup Python on MacOS
-        uses: actions/setup-python@v5
-        if: >-
-          runner.os == 'macOS' && (
-
-          matrix.version == 'stable-v2.13.5' ||
-
-          matrix.version == 'stable-v2.14.6')
-        with:
-          python-version: '3.11'
-      - name: Check out repository
-        uses: actions/checkout@v4
-      - name: Prepare test
-        id: prepare-test
-        uses: ./.github/actions/prepare-test
-        with:
-          version: ${{ matrix.version }}
-          use-all-platform-bundle: 'false'
-          setup-kotlin: 'true'
-      - name: Fetch a CodeQL bundle
-        shell: bash
-        env:
-          CODEQL_URL: ${{ steps.prepare-test.outputs.tools-url }}
-        run: |
-          wget "$CODEQL_URL"
-      - id: init
-        uses: ./../action/init
-        with:
-      # Swift is not supported on Ubuntu so we manually exclude it from the list here
-          languages: cpp,csharp,go,java,javascript,python,ruby
-          tools: ./codeql-bundle-linux64.tar.zst
-      - name: Build code
-        shell: bash
-        run: ./build.sh
-      - uses: ./../action/analyze
-    env:
-      CODEQL_ACTION_TEST_MODE: true
@@ -1,73 +0,0 @@
-# Warning: This file is generated automatically, and should not be modified.
-# Instead, please modify the template in the pr-checks directory and run:
-#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
-# to regenerate this file.
-
-name: PR Check - Proxy test
-env:
-  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-  GO111MODULE: auto
-on:
-  push:
-    branches:
-      - main
-      - releases/v*
-  pull_request:
-    types:
-      - opened
-      - synchronize
-      - reopened
-      - ready_for_review
-  schedule:
-    - cron: '0 5 * * *'
-  workflow_dispatch: {}
-jobs:
-  test-proxy:
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - os: ubuntu-latest
-            version: linked
-    name: Proxy test
-    permissions:
-      contents: read
-      security-events: write
-    timeout-minutes: 45
-    runs-on: ${{ matrix.os }}
-    steps:
-      - name: Setup Python on MacOS
-        uses: actions/setup-python@v5
-        if: >-
-          runner.os == 'macOS' && (
-
-          matrix.version == 'stable-v2.13.5' ||
-
-          matrix.version == 'stable-v2.14.6')
-        with:
-          python-version: '3.11'
-      - name: Check out repository
-        uses: actions/checkout@v4
-      - name: Prepare test
-        id: prepare-test
-        uses: ./.github/actions/prepare-test
-        with:
-          version: ${{ matrix.version }}
-          use-all-platform-bundle: 'false'
-          setup-kotlin: 'false'
-      - uses: ./../action/init
-        with:
-          languages: javascript
-          tools: ${{ steps.prepare-test.outputs.tools-url }}
-      - uses: ./../action/analyze
-    env:
-      https_proxy: http://squid-proxy:3128
-      CODEQL_ACTION_TEST_MODE: true
-    container:
-      image: ubuntu:22.04
-      options: --dns 127.0.0.1
-    services:
-      squid-proxy:
-        image: ubuntu/squid:latest
-        ports:
-          - 3128:3128
@@ -1,6 +1,6 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
+#     pr-checks/sync.sh
 # to regenerate this file.

 name: PR Check - Test unsetting environment variables
@@ -18,9 +18,41 @@ on:
      - synchronize
      - reopened
      - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
  schedule:
    - cron: '0 5 * * *'
-  workflow_dispatch: {}
+  workflow_dispatch:
+    inputs:
+      dotnet-version:
+        type: string
+        description: The version of .NET to install
+        required: false
+        default: 9.x
+      go-version:
+        type: string
+        description: The version of Go to install
+        required: false
+        default: '>=1.21.0'
+  workflow_call:
+    inputs:
+      dotnet-version:
+        type: string
+        description: The version of .NET to install
+        required: false
+        default: 9.x
+      go-version:
+        type: string
+        description: The version of Go to install
+        required: false
+        default: '>=1.21.0'
+defaults:
+  run:
+    shell: bash
+concurrency:
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group: unset-environment-${{github.ref}}-${{inputs.dotnet-version}}-${{inputs.go-version}}
 jobs:
  unset-environment:
    strategy:
@@ -32,24 +64,24 @@ jobs:
          - os: ubuntu-latest
            version: nightly-latest
    name: Test unsetting environment variables
+    if: github.triggering_actor != 'dependabot[bot]'
    permissions:
      contents: read
-      security-events: write
+      security-events: read
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
-      - name: Setup Python on MacOS
-        uses: actions/setup-python@v5
-        if: >-
-          runner.os == 'macOS' && (
-
-          matrix.version == 'stable-v2.13.5' ||
-
-          matrix.version == 'stable-v2.14.6')
-        with:
-          python-version: '3.11'
      - name: Check out repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
+      - name: Install .NET
+        uses: actions/setup-dotnet@v5
+        with:
+          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
+      - name: Install Go
+        uses: actions/setup-go@v6
+        with:
+          go-version: ${{ inputs.go-version || '>=1.21.0' }}
+          cache: false
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -61,21 +93,16 @@ jobs:
        id: init
        with:
          db-location: ${{ runner.temp }}/customDbLocation
-      # Swift is not supported on Ubuntu so we manually exclude it from the list here
+          # Swift is not supported on Ubuntu so we manually exclude it from the list here
          languages: cpp,csharp,go,java,javascript,python,ruby
          tools: ${{ steps.prepare-test.outputs.tools-url }}
-      - uses: actions/setup-go@v5
-        with:
-          go-version: '>=1.21.0'
      - name: Build code
-        shell: bash
        run: env -i PATH="$PATH" HOME="$HOME" ./build.sh
      - uses: ./../action/analyze
        id: analysis
        with:
          upload-database: false
-      - shell: bash
-        run: |
+      - run: |
          CPP_DB="${{ fromJson(steps.analysis.outputs.db-locations).cpp }}"
          if [[ ! -d "$CPP_DB" ]] || [[ ! "$CPP_DB" == "${RUNNER_TEMP}/customDbLocation/cpp" ]]; then
            echo "::error::Did not create a database for CPP, or created it in the wrong location." \
@@ -1,6 +1,6 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
+#     pr-checks/sync.sh
 # to regenerate this file.

 name: "PR Check - Upload-sarif: 'ref' and 'sha' from inputs"
@@ -18,9 +18,41 @@ on:
      - synchronize
      - reopened
      - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
  schedule:
    - cron: '0 5 * * *'
-  workflow_dispatch: {}
+  workflow_dispatch:
+    inputs:
+      dotnet-version:
+        type: string
+        description: The version of .NET to install
+        required: false
+        default: 9.x
+      go-version:
+        type: string
+        description: The version of Go to install
+        required: false
+        default: '>=1.21.0'
+  workflow_call:
+    inputs:
+      dotnet-version:
+        type: string
+        description: The version of .NET to install
+        required: false
+        default: 9.x
+      go-version:
+        type: string
+        description: The version of Go to install
+        required: false
+        default: '>=1.21.0'
+defaults:
+  run:
+    shell: bash
+concurrency:
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group: upload-ref-sha-input-${{github.ref}}-${{inputs.dotnet-version}}-${{inputs.go-version}}
 jobs:
  upload-ref-sha-input:
    strategy:
@@ -29,29 +61,25 @@ jobs:
        include:
          - os: ubuntu-latest
            version: default
-          - os: macos-latest
-            version: default
-          - os: windows-latest
-            version: default
    name: "Upload-sarif: 'ref' and 'sha' from inputs"
+    if: github.triggering_actor != 'dependabot[bot]'
    permissions:
      contents: read
-      security-events: write
+      security-events: read
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
-      - name: Setup Python on MacOS
-        uses: actions/setup-python@v5
-        if: >-
-          runner.os == 'macOS' && (
-
-          matrix.version == 'stable-v2.13.5' ||
-
-          matrix.version == 'stable-v2.14.6')
-        with:
-          python-version: '3.11'
      - name: Check out repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
+      - name: Install .NET
+        uses: actions/setup-dotnet@v5
+        with:
+          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
+      - name: Install Go
+        uses: actions/setup-go@v6
+        with:
+          go-version: ${{ inputs.go-version || '>=1.21.0' }}
+          cache: false
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -63,20 +91,18 @@ jobs:
        with:
          tools: ${{ steps.prepare-test.outputs.tools-url }}
          languages: cpp,csharp,java,javascript,python
-          config-file: ${{ github.repository }}/tests/multi-language-repo/.github/codeql/custom-queries.yml@${{
-            github.sha }}
+          config-file: ${{ github.repository }}/tests/multi-language-repo/.github/codeql/custom-queries.yml@${{ github.sha }}
      - name: Build code
-        shell: bash
        run: ./build.sh
-  # Generate some SARIF we can upload with the upload-sarif step
+      # Generate some SARIF we can upload with the upload-sarif step
      - uses: ./../action/analyze
        with:
-          ref: refs/heads/main
-          sha: 5e235361806c361d4d3f8859e3c897658025a9a2
+          ref: 'refs/heads/main'
+          sha: '5e235361806c361d4d3f8859e3c897658025a9a2'
          upload: never
      - uses: ./../action/upload-sarif
        with:
-          ref: refs/heads/main
-          sha: 5e235361806c361d4d3f8859e3c897658025a9a2
+          ref: 'refs/heads/main'
+          sha: '5e235361806c361d4d3f8859e3c897658025a9a2'
    env:
      CODEQL_ACTION_TEST_MODE: true
@@ -0,0 +1,173 @@
+# Warning: This file is generated automatically, and should not be modified.
+# Instead, please modify the template in the pr-checks directory and run:
+#     pr-checks/sync.sh
+# to regenerate this file.
+
+name: PR Check - Test different uses of `upload-sarif`
+env:
+  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+  GO111MODULE: auto
+on:
+  push:
+    branches:
+      - main
+      - releases/v*
+  pull_request:
+    types:
+      - opened
+      - synchronize
+      - reopened
+      - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
+  schedule:
+    - cron: '0 5 * * *'
+  workflow_dispatch:
+    inputs:
+      dotnet-version:
+        type: string
+        description: The version of .NET to install
+        required: false
+        default: 9.x
+      go-version:
+        type: string
+        description: The version of Go to install
+        required: false
+        default: '>=1.21.0'
+  workflow_call:
+    inputs:
+      dotnet-version:
+        type: string
+        description: The version of .NET to install
+        required: false
+        default: 9.x
+      go-version:
+        type: string
+        description: The version of Go to install
+        required: false
+        default: '>=1.21.0'
+defaults:
+  run:
+    shell: bash
+concurrency:
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group: upload-sarif-${{github.ref}}-${{inputs.dotnet-version}}-${{inputs.go-version}}
+jobs:
+  upload-sarif:
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - os: ubuntu-latest
+            version: default
+            analysis-kinds: code-scanning
+          - os: ubuntu-latest
+            version: default
+            analysis-kinds: code-quality
+          - os: ubuntu-latest
+            version: default
+            analysis-kinds: code-scanning,code-quality
+    name: Test different uses of `upload-sarif`
+    if: github.triggering_actor != 'dependabot[bot]'
+    permissions:
+      contents: read
+      security-events: read
+    timeout-minutes: 45
+    runs-on: ${{ matrix.os }}
+    steps:
+      - name: Check out repository
+        uses: actions/checkout@v6
+      - name: Install .NET
+        uses: actions/setup-dotnet@v5
+        with:
+          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
+      - name: Install Go
+        uses: actions/setup-go@v6
+        with:
+          go-version: ${{ inputs.go-version || '>=1.21.0' }}
+          cache: false
+      - name: Prepare test
+        id: prepare-test
+        uses: ./.github/actions/prepare-test
+        with:
+          version: ${{ matrix.version }}
+          use-all-platform-bundle: 'false'
+          setup-kotlin: 'true'
+      - uses: ./../action/init
+        with:
+          tools: ${{ steps.prepare-test.outputs.tools-url }}
+          languages: csharp,java,javascript,python
+          analysis-kinds: ${{ matrix.analysis-kinds }}
+      - name: Build code
+        run: ./build.sh
+      # Generate some SARIF we can upload with the upload-sarif step
+      - uses: ./../action/analyze
+        with:
+          ref: 'refs/heads/main'
+          sha: '5e235361806c361d4d3f8859e3c897658025a9a2'
+          upload: never
+          output: ${{ runner.temp }}/results
+
+      - name: |
+          Upload all SARIF files for `analysis-kinds: ${{ matrix.analysis-kinds }}`
+        uses: ./../action/upload-sarif
+        id: upload-sarif
+        with:
+          ref: 'refs/heads/main'
+          sha: '5e235361806c361d4d3f8859e3c897658025a9a2'
+          sarif_file: ${{ runner.temp }}/results
+          category: |
+            ${{ github.workflow }}:upload-sarif/analysis-kinds:${{ matrix.analysis-kinds }}/os:${{ matrix.os }}/version:${{ matrix.version }}/test:all-files/
+      - name: 'Fail for missing output from `upload-sarif` step for `code-scanning`'
+        if: contains(matrix.analysis-kinds, 'code-scanning') && !(fromJSON(steps.upload-sarif.outputs.sarif-ids).code-scanning)
+        run: exit 1
+      - name: 'Fail for missing output from `upload-sarif` step for `code-quality`'
+        if: contains(matrix.analysis-kinds, 'code-quality') && !(fromJSON(steps.upload-sarif.outputs.sarif-ids).code-quality)
+        run: exit 1
+
+      - name: Upload single SARIF file for Code Scanning
+        uses: ./../action/upload-sarif
+        id: upload-single-sarif-code-scanning
+        if: contains(matrix.analysis-kinds, 'code-scanning')
+        with:
+          ref: 'refs/heads/main'
+          sha: '5e235361806c361d4d3f8859e3c897658025a9a2'
+          sarif_file: ${{ runner.temp }}/results/javascript.sarif
+          category: |
+            ${{ github.workflow }}:upload-sarif/analysis-kinds:${{ matrix.analysis-kinds }}/os:${{ matrix.os }}/version:${{ matrix.version }}/test:single-code-scanning/
+      - name: 'Fail for missing output from `upload-single-sarif-code-scanning` step'
+        if: contains(matrix.analysis-kinds, 'code-scanning') && !(fromJSON(steps.upload-single-sarif-code-scanning.outputs.sarif-ids).code-scanning)
+        run: exit 1
+      - name: Upload single SARIF file for Code Quality
+        uses: ./../action/upload-sarif
+        id: upload-single-sarif-code-quality
+        if: contains(matrix.analysis-kinds, 'code-quality')
+        with:
+          ref: 'refs/heads/main'
+          sha: '5e235361806c361d4d3f8859e3c897658025a9a2'
+          sarif_file: ${{ runner.temp }}/results/javascript.quality.sarif
+          category: |
+            ${{ github.workflow }}:upload-sarif/analysis-kinds:${{ matrix.analysis-kinds }}/os:${{ matrix.os }}/version:${{ matrix.version }}/test:single-code-quality/
+      - name: 'Fail for missing output from `upload-single-sarif-code-quality` step'
+        if: contains(matrix.analysis-kinds, 'code-quality') && !(fromJSON(steps.upload-single-sarif-code-quality.outputs.sarif-ids).code-quality)
+        run: exit 1
+
+      - name: Change SARIF file extension
+        if: contains(matrix.analysis-kinds, 'code-scanning')
+        run: mv ${{ runner.temp }}/results/javascript.sarif ${{ runner.temp }}/results/javascript.sarif.json
+      - name: Upload single non-`.sarif` file
+        uses: ./../action/upload-sarif
+        id: upload-single-non-sarif
+        if: contains(matrix.analysis-kinds, 'code-scanning')
+        with:
+          ref: 'refs/heads/main'
+          sha: '5e235361806c361d4d3f8859e3c897658025a9a2'
+          sarif_file: ${{ runner.temp }}/results/javascript.sarif.json
+          category: |
+            ${{ github.workflow }}:upload-sarif/analysis-kinds:${{ matrix.analysis-kinds }}/os:${{ matrix.os }}/version:${{ matrix.version }}/test:non-sarif/
+      - name: 'Fail for missing output from `upload-single-non-sarif` step'
+        if: contains(matrix.analysis-kinds, 'code-scanning') && !(fromJSON(steps.upload-single-non-sarif.outputs.sarif-ids).code-scanning)
+        run: exit 1
+    env:
+      CODEQL_ACTION_TEST_MODE: true
@@ -1,6 +1,6 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
+#     pr-checks/sync.sh
 # to regenerate this file.

 name: PR Check - Use a custom `checkout_path`
@@ -18,9 +18,41 @@ on:
      - synchronize
      - reopened
      - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
  schedule:
    - cron: '0 5 * * *'
-  workflow_dispatch: {}
+  workflow_dispatch:
+    inputs:
+      dotnet-version:
+        type: string
+        description: The version of .NET to install
+        required: false
+        default: 9.x
+      go-version:
+        type: string
+        description: The version of Go to install
+        required: false
+        default: '>=1.21.0'
+  workflow_call:
+    inputs:
+      dotnet-version:
+        type: string
+        description: The version of .NET to install
+        required: false
+        default: 9.x
+      go-version:
+        type: string
+        description: The version of Go to install
+        required: false
+        default: '>=1.21.0'
+defaults:
+  run:
+    shell: bash
+concurrency:
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group: with-checkout-path-${{github.ref}}-${{inputs.dotnet-version}}-${{inputs.go-version}}
 jobs:
  with-checkout-path:
    strategy:
@@ -29,29 +61,26 @@ jobs:
        include:
          - os: ubuntu-latest
            version: linked
-          - os: macos-latest
-            version: linked
-          - os: windows-latest
-            version: linked
    name: Use a custom `checkout_path`
+    if: github.triggering_actor != 'dependabot[bot]'
    permissions:
      contents: read
-      security-events: write
+      security-events: read
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
-      - name: Setup Python on MacOS
-        uses: actions/setup-python@v5
-        if: >-
-          runner.os == 'macOS' && (
-
-          matrix.version == 'stable-v2.13.5' ||
-
-          matrix.version == 'stable-v2.14.6')
-        with:
-          python-version: '3.11'
+      # This ensures we don't accidentally use the original checkout for any part of the test.
      - name: Check out repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
+      - name: Install .NET
+        uses: actions/setup-dotnet@v5
+        with:
+          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
+      - name: Install Go
+        uses: actions/setup-go@v6
+        with:
+          go-version: ${{ inputs.go-version || '>=1.21.0' }}
+          cache: false
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -60,15 +89,14 @@ jobs:
          use-all-platform-bundle: 'false'
          setup-kotlin: 'true'
      - name: Delete original checkout
-        shell: bash
        run: |
          # delete the original checkout so we don't accidentally use it.
          # Actions does not support deleting the current working directory, so we
          # delete the contents of the directory instead.
          rm -rf ./* .github .git
-  # Check out the actions repo again, but at a different location.
-  # choose an arbitrary SHA so that we can later test that the commit_oid is not from main
-      - uses: actions/checkout@v4
+      # Check out the actions repo again, but at a different location.
+      # choose an arbitrary SHA so that we can later test that the commit_oid is not from main
+      - uses: actions/checkout@v6
        with:
          ref: 474bbf07f9247ffe1856c6a0f94aeeb10e7afee6
          path: x/y/z/some-path
@@ -76,12 +104,11 @@ jobs:
      - uses: ./../action/init
        with:
          tools: ${{ steps.prepare-test.outputs.tools-url }}
-      # it's enough to test one compiled language and one interpreted language
+          # it's enough to test one compiled language and one interpreted language
          languages: csharp,javascript
          source-root: x/y/z/some-path/tests/multi-language-repo

      - name: Build code
-        shell: bash
        working-directory: x/y/z/some-path/tests/multi-language-repo
        run: |
          ./build.sh
@@ -93,31 +120,31 @@ jobs:
          sha: 474bbf07f9247ffe1856c6a0f94aeeb10e7afee6

      - name: Verify SARIF after upload
-        shell: bash
        run: |
+          PAYLOAD_FILE="$RUNNER_TEMP/payload-code-scanning.json"
          EXPECTED_COMMIT_OID="474bbf07f9247ffe1856c6a0f94aeeb10e7afee6"
          EXPECTED_REF="v1.1.0"
          EXPECTED_CHECKOUT_URI_SUFFIX="/x/y/z/some-path/tests/multi-language-repo"

-          ACTUAL_COMMIT_OID="$(cat "$RUNNER_TEMP/payload.json" | jq -r .commit_oid)"
-          ACTUAL_REF="$(cat "$RUNNER_TEMP/payload.json" | jq -r .ref)"
-          ACTUAL_CHECKOUT_URI="$(cat "$RUNNER_TEMP/payload.json" | jq -r .checkout_uri)"
+          ACTUAL_COMMIT_OID="$(cat "$PAYLOAD_FILE" | jq -r .commit_oid)"
+          ACTUAL_REF="$(cat "$PAYLOAD_FILE" | jq -r .ref)"
+          ACTUAL_CHECKOUT_URI="$(cat "$PAYLOAD_FILE" | jq -r .checkout_uri)"

          if [[ "$EXPECTED_COMMIT_OID" != "$ACTUAL_COMMIT_OID" ]]; then
            echo "::error Invalid commit oid. Expected: $EXPECTED_COMMIT_OID Actual: $ACTUAL_COMMIT_OID"
-            echo "$RUNNER_TEMP/payload.json"
+            echo "$PAYLOAD_FILE"
            exit 1
          fi

          if [[ "$EXPECTED_REF" != "$ACTUAL_REF" ]]; then
            echo "::error Invalid ref. Expected: '$EXPECTED_REF' Actual: '$ACTUAL_REF'"
-            echo "$RUNNER_TEMP/payload.json"
+            echo "$PAYLOAD_FILE"
            exit 1
          fi

          if [[ "$ACTUAL_CHECKOUT_URI" != *$EXPECTED_CHECKOUT_URI_SUFFIX ]]; then
            echo "::error Invalid checkout URI suffix. Expected suffix: $EXPECTED_CHECKOUT_URI_SUFFIX Actual uri: $ACTUAL_CHECKOUT_URI"
-            echo "$RUNNER_TEMP/payload.json"
+            echo "$PAYLOAD_FILE"
            exit 1
          fi
    env:
@@ -1,130 +0,0 @@
-# Warning: This file is generated automatically, and should not be modified.
-# Instead, please modify the template in the pr-checks directory and run:
-#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
-# to regenerate this file.
-
-name: PR Check - Zstandard bundle fallback
-env:
-  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-  GO111MODULE: auto
-on:
-  push:
-    branches:
-      - main
-      - releases/v*
-  pull_request:
-    types:
-      - opened
-      - synchronize
-      - reopened
-      - ready_for_review
-  schedule:
-    - cron: '0 5 * * *'
-  workflow_dispatch: {}
-jobs:
-  zstd-bundle-fallback:
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - os: macos-latest
-            version: linked
-          - os: windows-latest
-            version: linked
-          - os: ubuntu-latest
-            version: linked
-    name: Zstandard bundle fallback
-    permissions:
-      contents: read
-      security-events: write
-    timeout-minutes: 45
-    runs-on: ${{ matrix.os }}
-    steps:
-      - name: Setup Python on MacOS
-        uses: actions/setup-python@v5
-        if: >-
-          runner.os == 'macOS' && (
-
-          matrix.version == 'stable-v2.13.5' ||
-
-          matrix.version == 'stable-v2.14.6')
-        with:
-          python-version: '3.11'
-      - name: Check out repository
-        uses: actions/checkout@v4
-      - name: Prepare test
-        id: prepare-test
-        uses: ./.github/actions/prepare-test
-        with:
-          version: ${{ matrix.version }}
-          use-all-platform-bundle: 'false'
-          setup-kotlin: 'true'
-      - name: Remove CodeQL from toolcache
-        uses: actions/github-script@v7
-        with:
-          script: |
-            const fs = require('fs');
-            const path = require('path');
-            const codeqlPath = path.join(process.env['RUNNER_TOOL_CACHE'], 'CodeQL');
-            fs.rmdirSync(codeqlPath, { recursive: true });
-      - id: init
-        uses: ./../action/init
-        with:
-          languages: javascript
-          tools: ${{ steps.prepare-test.outputs.tools-url }}
-      - uses: ./../action/analyze
-        with:
-          output: ${{ runner.temp }}/results
-          upload-database: false
-      - name: Upload SARIF
-        uses: actions/upload-artifact@v3
-        with:
-          name: zstd-bundle.sarif
-          path: ${{ runner.temp }}/results/javascript.sarif
-          retention-days: 7
-      - name: Check expected diagnostics
-        uses: actions/github-script@v7
-        env:
-          SARIF_PATH: ${{ runner.temp }}/results/javascript.sarif
-        with:
-          script: |
-            const fs = require('fs');
-
-            const sarif = JSON.parse(fs.readFileSync(process.env['SARIF_PATH'], 'utf8'));
-            const run = sarif.runs[0];
-
-            const toolExecutionNotifications = run.invocations[0].toolExecutionNotifications;
-            const downloadTelemetryNotifications = toolExecutionNotifications.filter(n =>
-              n.descriptor.id === 'codeql-action/bundle-download-telemetry'
-            );
-            if (downloadTelemetryNotifications.length !== 1) {
-              core.setFailed(
-                'Expected exactly one reporting descriptor in the ' +
-                  `'runs[].invocations[].toolExecutionNotifications[]' SARIF property, but found ` +
-                  `${downloadTelemetryNotifications.length}. All notification reporting descriptors: ` +
-                  `${JSON.stringify(toolExecutionNotifications)}.`
-              );
-            }
-
-            const toolsUrl = downloadTelemetryNotifications[0].properties.attributes.toolsUrl;
-            console.log(`Found tools URL: ${toolsUrl}`);
-
-            if (!toolsUrl.endsWith('.tar.gz')) {
-              core.setFailed(
-                `Expected the tools URL to be a .tar.gz file, but found '${toolsUrl}'.`
-              );
-            }
-
-            const zstdFailureReason = downloadTelemetryNotifications[0].properties.attributes.zstdFailureReason;
-            console.log(`Found zstd failure reason: ${zstdFailureReason}`);
-
-            const expectedZstdFailureReason = 'Failing since CODEQL_ACTION_FORCE_ZSTD_FAILURE is true.';
-            if (zstdFailureReason !== expectedZstdFailureReason) {
-              core.setFailed(
-                `Expected the zstd failure reason to be '${expectedZstdFailureReason}', but found '${zstdFailureReason}'.`
-              );
-            }
-    env:
-      CODEQL_ACTION_ZSTD_BUNDLE: true
-      CODEQL_ACTION_FORCE_ZSTD_FAILURE: true
-      CODEQL_ACTION_TEST_MODE: true
@@ -1,119 +0,0 @@
-# Warning: This file is generated automatically, and should not be modified.
-# Instead, please modify the template in the pr-checks directory and run:
-#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
-# to regenerate this file.
-
-name: PR Check - Zstandard bundle
-env:
-  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-  GO111MODULE: auto
-on:
-  push:
-    branches:
-      - main
-      - releases/v*
-  pull_request:
-    types:
-      - opened
-      - synchronize
-      - reopened
-      - ready_for_review
-  schedule:
-    - cron: '0 5 * * *'
-  workflow_dispatch: {}
-jobs:
-  zstd-bundle:
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - os: macos-latest
-            version: linked
-          - os: windows-latest
-            version: linked
-          - os: ubuntu-latest
-            version: linked
-    name: Zstandard bundle
-    permissions:
-      contents: read
-      security-events: write
-    timeout-minutes: 45
-    runs-on: ${{ matrix.os }}
-    steps:
-      - name: Setup Python on MacOS
-        uses: actions/setup-python@v5
-        if: >-
-          runner.os == 'macOS' && (
-
-          matrix.version == 'stable-v2.13.5' ||
-
-          matrix.version == 'stable-v2.14.6')
-        with:
-          python-version: '3.11'
-      - name: Check out repository
-        uses: actions/checkout@v4
-      - name: Prepare test
-        id: prepare-test
-        uses: ./.github/actions/prepare-test
-        with:
-          version: ${{ matrix.version }}
-          use-all-platform-bundle: 'false'
-          setup-kotlin: 'true'
-      - name: Remove CodeQL from toolcache
-        uses: actions/github-script@v7
-        with:
-          script: |
-            const fs = require('fs');
-            const path = require('path');
-            const codeqlPath = path.join(process.env['RUNNER_TOOL_CACHE'], 'CodeQL');
-            fs.rmdirSync(codeqlPath, { recursive: true });
-      - id: init
-        uses: ./../action/init
-        with:
-          languages: javascript
-          tools: ${{ steps.prepare-test.outputs.tools-url }}
-      - uses: ./../action/analyze
-        with:
-          output: ${{ runner.temp }}/results
-          upload-database: false
-      - name: Upload SARIF
-        uses: actions/upload-artifact@v3
-        with:
-          name: zstd-bundle.sarif
-          path: ${{ runner.temp }}/results/javascript.sarif
-          retention-days: 7
-      - name: Check diagnostic with expected tools URL appears in SARIF
-        uses: actions/github-script@v7
-        env:
-          SARIF_PATH: ${{ runner.temp }}/results/javascript.sarif
-        with:
-          script: |
-            const fs = require('fs');
-
-            const sarif = JSON.parse(fs.readFileSync(process.env['SARIF_PATH'], 'utf8'));
-            const run = sarif.runs[0];
-
-            const toolExecutionNotifications = run.invocations[0].toolExecutionNotifications;
-            const downloadTelemetryNotifications = toolExecutionNotifications.filter(n =>
-              n.descriptor.id === 'codeql-action/bundle-download-telemetry'
-            );
-            if (downloadTelemetryNotifications.length !== 1) {
-              core.setFailed(
-                'Expected exactly one reporting descriptor in the ' +
-                  `'runs[].invocations[].toolExecutionNotifications[]' SARIF property, but found ` +
-                  `${downloadTelemetryNotifications.length}. All notification reporting descriptors: ` +
-                  `${JSON.stringify(toolExecutionNotifications)}.`
-              );
-            }
-
-            const toolsUrl = downloadTelemetryNotifications[0].properties.attributes.toolsUrl;
-            console.log(`Found tools URL: ${toolsUrl}`);
-
-            if (!toolsUrl.endsWith('.tar.zst')) {
-              core.setFailed(
-                `Expected the tools URL to be a .tar.zst file, but found ${toolsUrl}.`
-              );
-            }
-    env:
-      CODEQL_ACTION_ZSTD_BUNDLE: true
-      CODEQL_ACTION_TEST_MODE: true
@@ -9,13 +9,20 @@ on:
    # by other workflows.
    types: [opened, synchronize, reopened, ready_for_review]

+defaults:
+  run:
+    shell: bash
+
 jobs:
  check-expected-release-files:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-slim
+
+    permissions:
+      contents: read

    steps:
      - name: Checkout CodeQL Action
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
      - name: Check Expected Release Files
        run: |
          bundle_version="$(cat "./src/defaults.json" | jq -r ".bundleVersion")"
@@ -4,55 +4,56 @@ on:
  push:
    branches: [main, releases/v*]
  pull_request:
-    branches: [main, releases/v*]
    # Run checks on reopened draft PRs to support triggering PR checks on draft PRs that were opened
    # by other workflows.
    types: [opened, synchronize, reopened, ready_for_review]
+  merge_group:
+    types: [checks_requested]
  schedule:
    # Weekly on Sunday.
    - cron: '30 1 * * 0'
  workflow_dispatch:

+defaults:
+  run:
+    shell: bash
+
 env:
  CODEQL_ACTION_TESTING_ENVIRONMENT: codeql-action-pr-checks

 jobs:
  # Identify the CodeQL tool versions to use in the analysis job.
  check-codeql-versions:
+    if: github.triggering_actor != 'dependabot[bot]'
    runs-on: ubuntu-latest
    outputs:
      versions: ${{ steps.compare.outputs.versions }}

    permissions:
-      security-events: write
+      contents: read
+      # We currently need `security-events: read` to access feature flags.
+      security-events: read

    steps:
-    - uses: actions/checkout@v4
-    - name: Init with default CodeQL bundle from the VM image
-      id: init-default
-      uses: ./init
-      with:
-        languages: javascript
-    - name: Remove empty database
-      # allows us to run init a second time
-      run: |
-        rm -rf "$RUNNER_TEMP/codeql_databases"
-    - name: Init with latest CodeQL bundle
-      id: init-latest
-      uses: ./init
+    - uses: actions/checkout@v6
+    - name: Set up default CodeQL bundle
+      id: setup-default
+      uses: ./setup-codeql
+    - name: Set up linked CodeQL bundle
+      id: setup-linked
+      uses: ./setup-codeql
      with:
        tools: linked
-        languages: javascript
-    - name: Compare default and latest CodeQL bundle versions
+    - name: Compare default and linked CodeQL bundle versions
      id: compare
      env:
-        CODEQL_DEFAULT: ${{ steps.init-default.outputs.codeql-path }}
-        CODEQL_LATEST: ${{ steps.init-latest.outputs.codeql-path }}
+        CODEQL_DEFAULT: ${{ steps.setup-default.outputs.codeql-path }}
+        CODEQL_LINKED: ${{ steps.setup-linked.outputs.codeql-path }}
      run: |
        CODEQL_VERSION_DEFAULT="$("$CODEQL_DEFAULT" version --format terse)"
-        CODEQL_VERSION_LATEST="$("$CODEQL_LATEST" version --format terse)"
+        CODEQL_VERSION_LINKED="$("$CODEQL_LINKED" version --format terse)"
        echo "Default CodeQL bundle version is $CODEQL_VERSION_DEFAULT"
-        echo "Latest CodeQL bundle version is $CODEQL_VERSION_LATEST"
+        echo "Linked CodeQL bundle version is $CODEQL_VERSION_LINKED"

        # If we're running on a pull request, run with both bundles, even if `tools: linked` would
        # be the same as `tools: null`. This allows us to make the job for each of the bundles a
@@ -60,7 +61,7 @@ jobs:
        #
        # If we're running on push or schedule, then we can skip running with `tools: linked` when it would be
        # the same as running with `tools: null`.
-        if [[ "$GITHUB_EVENT_NAME" != "pull_request" && "$CODEQL_VERSION_DEFAULT" == "$CODEQL_VERSION_LATEST" ]]; then
+        if [[ "$GITHUB_EVENT_NAME" != "pull_request" && "$GITHUB_EVENT_NAME" != "merge_group" && "$CODEQL_VERSION_DEFAULT" == "$CODEQL_VERSION_LINKED" ]]; then
          VERSIONS_JSON='[null]'
        else
          VERSIONS_JSON='[null, "linked"]'
@@ -70,32 +71,73 @@ jobs:
        echo "Suggested matrix config for analysis job: $VERSIONS_JSON"
        echo "versions=${VERSIONS_JSON}" >> $GITHUB_OUTPUT

-  build:
+  analyze-javascript:
+    if: github.triggering_actor != 'dependabot[bot]'
    needs: [check-codeql-versions]
    strategy:
      fail-fast: false
      matrix:
-        os: [ubuntu-20.04,ubuntu-22.04,windows-2019,windows-2022,macos-12,macos-13,macos-14]
+        os: [ubuntu-22.04,ubuntu-24.04,windows-2022,windows-2025,macos-14,macos-15]
        tools: ${{ fromJson(needs.check-codeql-versions.outputs.versions) }}
    runs-on: ${{ matrix.os }}

    permissions:
+      contents: read
      security-events: write

    steps:
    - name: Checkout
-      uses: actions/checkout@v4
+      uses: actions/checkout@v6
    - name: Initialize CodeQL
      uses: ./init
      id: init
      with:
        languages: javascript
-        config-file: ./.github/codeql/codeql-config.yml
+        config-file: ./.github/codeql/codeql-config-javascript.yml
        tools: ${{ matrix.tools }}
    # confirm steps.init.outputs.codeql-path points to the codeql binary
    - name: Print CodeQL Version
-      run: ${{steps.init.outputs.codeql-path}} version --format=json
+      run: >
+        "$CODEQL" version --format=json
+      env:
+        CODEQL: ${{steps.init.outputs.codeql-path}}
    - name: Perform CodeQL Analysis
      uses: ./analyze
      with:
        category: "/language:javascript"
+        upload: ${{ (matrix.os == 'ubuntu-24.04' && !matrix.tools && github.event_name != 'merge_group' && 'always' ) || 'never' }}
+
+  analyze-other:
+    if: github.triggering_actor != 'dependabot[bot]'
+    runs-on: ubuntu-latest
+
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - language: actions
+          - language: python
+
+    permissions:
+      contents: read
+      security-events: write
+
+    steps:
+    - name: Checkout
+      uses: actions/checkout@v6
+    - name: Initialize CodeQL
+      uses: ./init
+      with:
+        languages: ${{ matrix.language }}
+        build-mode: none
+        config: >
+          paths-ignore:
+            - lib
+            - tests
+          queries:
+            - uses: security-and-quality
+    - name: Perform CodeQL Analysis
+      uses: ./analyze
+      with:
+        category: "/language:${{ matrix.language }}"
+        upload: ${{ (github.event_name != 'merge_group' && 'always') || 'never' }}
@@ -3,6 +3,16 @@
 name: Code-Scanning config CLI tests
 env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+  # Diff informed queries add an additional query filter which is not yet
+  # taken into account by these tests.
+  CODEQL_ACTION_DIFF_INFORMED_QUERIES: false
+  # Specify overlay enablement manually to ensure stability around the exclude-from-incremental
+  # query filter. Here we only enable for the default code scanning suite.
+  CODEQL_ACTION_OVERLAY_ANALYSIS: true
+  CODEQL_ACTION_OVERLAY_ANALYSIS_JAVASCRIPT: false
+  CODEQL_ACTION_OVERLAY_ANALYSIS_CODE_SCANNING_JAVASCRIPT: true
+  CODEQL_ACTION_OVERLAY_ANALYSIS_STATUS_CHECK: false
+  CODEQL_ACTION_OVERLAY_ANALYSIS_SKIP_RESOURCE_CHECKS: true

 on:
  push:
@@ -15,30 +25,36 @@ on:
    - synchronize
    - reopened
    - ready_for_review
+  merge_group:
+    types: [checks_requested]
  schedule:
    - cron: '0 5 * * *'
-  workflow_dispatch: {}
+  workflow_dispatch:
+
+defaults:
+  run:
+    shell: bash

 jobs:
  code-scanning-config-tests:
+    if: github.triggering_actor != 'dependabot[bot]'
    continue-on-error: true

+    permissions:
+      contents: read
+      packages: read
+      security-events: read
+
    strategy:
      fail-fast: false
      matrix:
        include:
        - os: ubuntu-latest
          version: linked
-        - os: macos-latest
-          version: linked
        - os: ubuntu-latest
          version: default
-        - os: macos-latest
-          version: default
        - os: ubuntu-latest
          version: nightly-latest
-        - os: macos-latest
-          version: nightly-latest

    # Code-Scanning config not created because environment variable is not set
    name: Code Scanning Configuration tests
@@ -46,20 +62,50 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
    - name: Check out repository
-      uses: actions/checkout@v4
+      uses: actions/checkout@v6
+
+    - name: Set up Node.js
+      uses: actions/setup-node@v6
+      with:
+        node-version: 24
+        cache: 'npm'
+
+    - name: Install dependencies
+      run: npm ci
+
    - name: Prepare test
      id: prepare-test
      uses: ./.github/actions/prepare-test
      with:
        version: ${{ matrix.version }}

-    - name: Empty file
+    # On PRs, overlay analysis may change the config that is passed to the CLI.
+    # Therefore, we have two variants of the following test, one for PRs and one for other events.
+    - name: Empty file (non-PR)
+      if: github.event_name != 'pull_request'
      uses: ./../action/.github/actions/check-codescanning-config
      with:
        expected-config-file-contents: "{}"
        languages: javascript
        tools: ${{ steps.prepare-test.outputs.tools-url }}

+    - name: Empty file (PR)
+      if: github.event_name == 'pull_request'
+      uses: ./../action/.github/actions/check-codescanning-config
+      with:
+        expected-config-file-contents: |
+          {
+            "query-filters": [
+              {
+                "exclude": {
+                  "tags": "exclude-from-incremental"
+                }
+              }
+            ]
+          }
+        languages: javascript
+        tools: ${{ steps.prepare-test.outputs.tools-url }}
+
    - name: Packs from input
      if: success() || failure()
      uses: ./../action/.github/actions/check-codescanning-config
@@ -158,13 +204,13 @@ jobs:
      with:
        expected-config-file-contents: |
          {
-            "queries": [
-              { "uses": "./codeql-qlpacks/complex-javascript-qlpack/foo2/show_ifs.ql" },
-              { "uses": "./codeql-qlpacks/complex-javascript-qlpack/show_ifs.ql" }
-            ],
            "packs": {
              "javascript": ["codeql-testing/codeql-pack1@1.0.0", "codeql-testing/codeql-pack2", "codeql/javascript-queries" ]
-            }
+            },
+            "queries": [
+              { "uses": "./codeql-qlpacks/complex-javascript-qlpack/show_ifs.ql" },
+              { "uses": "./codeql-qlpacks/complex-javascript-qlpack/foo2/show_ifs.ql" }
+            ]
          }
        languages: javascript
        queries: + ./codeql-qlpacks/complex-javascript-qlpack/show_ifs.ql
@@ -0,0 +1,118 @@
+# Checks logs, SARIF, and database bundle debug artifacts exist
+# when the analyze step fails.
+name: PR Check - Debug artifacts after failure
+env:
+  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+on:
+  push:
+    branches:
+    - main
+    - releases/v*
+  pull_request:
+    types:
+    - opened
+    - synchronize
+    - reopened
+    - ready_for_review
+  merge_group:
+    types: [checks_requested]
+  schedule:
+    - cron: '0 5 * * *'
+  workflow_dispatch:
+
+defaults:
+  run:
+    shell: bash
+
+jobs:
+  upload-artifacts:
+    if: github.triggering_actor != 'dependabot[bot]'
+    strategy:
+      fail-fast: false
+      matrix:
+        version:
+        - stable-v2.20.3
+        - default
+        - linked
+        - nightly-latest
+    name: Upload debug artifacts after failure in analyze
+    continue-on-error: true
+    env:
+      CODEQL_ACTION_TEST_MODE: true
+    permissions:
+      contents: read
+      # We currently need `security-events: read` to access feature flags.
+      security-events: read
+    timeout-minutes: 45
+    runs-on: ubuntu-latest
+    steps:
+      - name: Dump GitHub event
+        run: cat "${GITHUB_EVENT_PATH}"
+      - name: Check out repository
+        uses: actions/checkout@v6
+      - name: Prepare test
+        id: prepare-test
+        uses: ./.github/actions/prepare-test
+        with:
+          version: ${{ matrix.version }}
+      - uses: actions/setup-go@v6
+        with:
+          go-version: ^1.13.1
+      - name: Install .NET
+        uses: actions/setup-dotnet@v5
+        with:
+          dotnet-version: '9.x'
+      - name: Assert best-effort artifact scan completed
+        uses: ./../action/.github/actions/verify-debug-artifact-scan-completed
+      - uses: ./../action/init
+        with:
+          languages: cpp,csharp,go,java,javascript,python
+          tools: ${{ steps.prepare-test.outputs.tools-url }}
+          debug: true
+          debug-artifact-name: my-debug-artifacts
+          debug-database-name: my-db
+      - name: Build code
+        run: ./build.sh
+      - uses: ./../action/analyze
+        id: analysis
+        env:
+          # Forces a failure in this step.
+          CODEQL_ACTION_EXTRA_OPTIONS: '{ "database": { "finalize": ["--invalid-option"] } }'
+        with:
+          expect-error: true
+  download-and-check-artifacts:
+    name: Download and check debug artifacts after failure in analyze
+    if: github.triggering_actor != 'dependabot[bot]'
+    needs: upload-artifacts
+    timeout-minutes: 45
+    permissions:
+      contents: read
+    runs-on: ubuntu-latest
+    steps:
+      - name: Download all artifacts
+        uses: actions/download-artifact@v8
+      - name: Check expected artifacts exist
+        run: |
+          LANGUAGES="cpp csharp go java javascript python"
+          for version in $VERSIONS; do
+            echo "Artifacts from version $version:"
+            pushd "./my-debug-artifacts-${version//./}"
+            for language in $LANGUAGES; do
+              echo "- Checking $language"
+              if [[ ! -f "my-db-$language-partial.zip" ]] ; then
+                echo "Missing a partial database bundle for $language"
+                exit 1
+              fi
+              if [[ ! -d "log" ]] ; then
+                echo "Missing database initialization logs"
+                exit 1
+              fi
+              if [[ ! "$language" == "go" ]] && [[ ! -d "$language/log" ]] ; then
+                echo "Missing logs for $language"
+                exit 1
+              fi
+            done
+            popd
+          done
+        env:
+          GO111MODULE: auto
@@ -1,87 +0,0 @@
-# Checks logs, SARIF, and database bundle debug artifacts exist
-# when the analyze step fails.
-name: PR Check - Debug artifacts after failure
-env:
-  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-on:
-  push:
-    branches:
-    - main
-    - releases/v*
-  pull_request:
-    types:
-    - opened
-    - synchronize
-    - reopened
-    - ready_for_review
-  schedule:
-    - cron: '0 5 * * *'
-  workflow_dispatch: {}
-jobs:
-  upload-artifacts:
-    name: Upload debug artifacts after failure in analyze
-    continue-on-error: true
-    env:
-      CODEQL_ACTION_TEST_MODE: true
-    timeout-minutes: 45
-    runs-on: ubuntu-latest
-    steps:
-      - name: Dump GitHub event
-        run: cat "${GITHUB_EVENT_PATH}"
-      - name: Check out repository
-        uses: actions/checkout@v4
-      - name: Prepare test
-        id: prepare-test
-        uses: ./.github/actions/prepare-test
-        with:
-          version: linked
-      - uses: actions/setup-go@v5
-        with:
-          go-version: ^1.13.1
-      - uses: ./../action/init
-        with:
-          tools: ${{ steps.prepare-test.outputs.tools-url }}
-          debug: true
-          debug-artifact-name: my-debug-artifacts
-          debug-database-name: my-db
-      - name: Build code
-        shell: bash
-        run: ./build.sh
-      - uses: ./../action/analyze
-        id: analysis
-        env: 
-          # Forces a failure in this step.
-          CODEQL_ACTION_EXTRA_OPTIONS: '{ "database": { "finalize": ["--invalid-option"] } }'
-        with:
-          expect-error: true
-  download-and-check-artifacts:
-    name: Download and check debug artifacts after failure in analyze
-    needs: upload-artifacts
-    timeout-minutes: 45
-    runs-on: ubuntu-latest
-    steps:
-      - name: Download all artifacts
-        uses: actions/download-artifact@v3
-      - name: Check expected artifacts exist
-        shell: bash
-        run: |
-          LANGUAGES="cpp csharp go java javascript python"
-          cd "./my-debug-artifacts"
-          echo "Artifacts from run:"
-          for language in $LANGUAGES; do
-            echo "- Checking $language"
-            if [[ ! -f "my-db-$language-partial.zip" ]] ; then
-              echo "Missing a partial database bundle for $language"
-              exit 1
-            fi
-            if [[ ! -d "log" ]] ; then
-              echo "Missing database initialization logs"
-              exit 1
-            fi
-            if [[ ! "$language" == "go" ]] && [[ ! -d "$language/log" ]] ; then
-              echo "Missing logs for $language"
-              exit 1
-            fi
-          done
-        env:
-          GO111MODULE: auto
@@ -0,0 +1,112 @@
+# Checks logs, SARIF, and database bundle debug artifacts exist.
+name: PR Check - Debug artifact upload
+env:
+  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+on:
+  push:
+    branches:
+    - main
+    - releases/v*
+  pull_request:
+    types:
+    - opened
+    - synchronize
+    - reopened
+    - ready_for_review
+  merge_group:
+    types: [checks_requested]
+  schedule:
+    - cron: '0 5 * * *'
+  workflow_dispatch:
+
+defaults:
+  run:
+    shell: bash
+
+jobs:
+  upload-artifacts:
+    if: github.triggering_actor != 'dependabot[bot]'
+    strategy:
+      fail-fast: false
+      matrix:
+        version:
+        - stable-v2.20.3
+        - default
+        - linked
+        - nightly-latest
+    name: Upload debug artifacts
+    env:
+      CODEQL_ACTION_TEST_MODE: true
+    timeout-minutes: 45
+    permissions:
+      contents: read
+      # We currently need `security-events: read` to access feature flags.
+      security-events: read
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check out repository
+        uses: actions/checkout@v6
+      - name: Prepare test
+        id: prepare-test
+        uses: ./.github/actions/prepare-test
+        with:
+          version: ${{ matrix.version }}
+      - uses: actions/setup-go@v6
+        with:
+          go-version: ^1.13.1
+      - name: Install .NET
+        uses: actions/setup-dotnet@v5
+        with:
+          dotnet-version: '9.x'
+      - name: Assert best-effort artifact scan completed
+        uses: ./../action/.github/actions/verify-debug-artifact-scan-completed
+      - uses: ./../action/init
+        id: init
+        with:
+          tools: ${{ steps.prepare-test.outputs.tools-url }}
+          debug: true
+          debug-artifact-name: my-debug-artifacts
+          debug-database-name: my-db
+          # We manually exclude Swift from the languages list here, as it is not supported on Ubuntu
+          languages: cpp,csharp,go,java,javascript,python,ruby
+      - name: Build code
+        run: ./build.sh
+      - uses: ./../action/analyze
+        id: analysis
+  download-and-check-artifacts:
+    name: Download and check debug artifacts
+    if: github.triggering_actor != 'dependabot[bot]'
+    needs: upload-artifacts
+    timeout-minutes: 45
+    permissions:
+      contents: read
+    runs-on: ubuntu-latest
+    steps:
+      - name: Download all artifacts
+        uses: actions/download-artifact@v8
+      - name: Check expected artifacts exist
+        run: |
+          VERSIONS="stable-v2.20.3 default linked nightly-latest"
+          LANGUAGES="cpp csharp go java javascript python"
+          for version in $VERSIONS; do
+            pushd "./my-debug-artifacts-${version//./}"
+            echo "Artifacts from version $version:"
+            for language in $LANGUAGES; do
+              echo "- Checking $language"
+              if [[ ! -f "$language.sarif" ]] ; then
+                echo "Missing a SARIF file for $language"
+                exit 1
+              fi
+              if [[ ! -f "my-db-$language.zip" ]] ; then
+                echo "Missing a database bundle for $language"
+                exit 1
+              fi
+              if [[ ! -d "$language/log" ]] ; then
+                echo "Missing logs for $language"
+                exit 1
+              fi
+            done
+            popd
+          done
+        env:
+          GO111MODULE: auto
@@ -1,99 +0,0 @@
-# Checks logs, SARIF, and database bundle debug artifacts exist and are accessible
-# with download-artifact@v4 when CODEQL_ACTION_ARTIFACT_V4_UPGRADE is set to true.
-name: PR Check - Debug artifact upload using artifact@v2
-env:
-  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-  CODEQL_ACTION_ARTIFACT_V4_UPGRADE: true
-on:
-  push:
-    branches:
-    - main
-    - releases/v*
-  pull_request:
-    types:
-    - opened
-    - synchronize
-    - reopened
-    - ready_for_review
-  schedule:
-    - cron: '0 5 * * *'
-  workflow_dispatch: {}
-jobs:
-  upload-artifacts:
-    strategy:
-      fail-fast: false
-      matrix:
-        version:
-        - stable-v2.13.5
-        - stable-v2.14.6
-        - stable-v2.15.5
-        - stable-v2.16.6
-        - stable-v2.17.6
-        - default
-        - linked
-        - nightly-latest
-    name: Upload debug artifacts
-    env:
-      CODEQL_ACTION_TEST_MODE: true
-    timeout-minutes: 45
-    runs-on: ubuntu-latest
-    steps:
-      - name: Check out repository
-        uses: actions/checkout@v4
-      - name: Prepare test
-        id: prepare-test
-        uses: ./.github/actions/prepare-test
-        with:
-          version: ${{ matrix.version }}
-      - uses: actions/setup-go@v5
-        with:
-          go-version: ^1.13.1
-      - uses: ./../action/init
-        id: init
-        with:
-          tools: ${{ steps.prepare-test.outputs.tools-url }}
-          debug: true
-          debug-artifact-name: my-debug-artifacts
-          debug-database-name: my-db
-          # We manually exclude Swift from the languages list here, as it is not supported on Ubuntu
-          languages: cpp,csharp,go,java,javascript,python,ruby 
-      - name: Build code
-        shell: bash
-        run: ./build.sh
-      - uses: ./../action/analyze
-        id: analysis
-  download-and-check-artifacts:
-    name: Download and check debug artifacts
-    needs: upload-artifacts
-    timeout-minutes: 45
-    runs-on: ubuntu-latest
-    steps:
-      - name: Download all artifacts
-        uses: actions/download-artifact@v4
-      - name: Check expected artifacts exist
-        shell: bash
-        run: |
-          VERSIONS="stable-v2.13.5 stable-v2.14.6 stable-v2.15.5 stable-v2.16.6 stable-v2.17.6 default linked nightly-latest"
-          LANGUAGES="cpp csharp go java javascript python"
-          for version in $VERSIONS; do
-            pushd "./my-debug-artifacts-${version//./}"
-            echo "Artifacts from version $version:"
-            for language in $LANGUAGES; do
-              echo "- Checking $language"
-              if [[ ! -f "$language.sarif" ]] ; then
-                echo "Missing a SARIF file for $language"
-                exit 1
-              fi
-              if [[ ! -f "my-db-$language.zip" ]] ; then
-                echo "Missing a database bundle for $language"
-                exit 1
-              fi
-              if [[ ! -d "$language/log" ]] ; then
-                echo "Missing logs for $language"
-                exit 1
-              fi
-            done
-            popd
-          done
-        env:
-          GO111MODULE: auto
@@ -1,97 +0,0 @@
-# Checks logs, SARIF, and database bundle debug artifacts exist.
-name: PR Check - Debug artifact upload
-env:
-  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-on:
-  push:
-    branches:
-    - main
-    - releases/v*
-  pull_request:
-    types:
-    - opened
-    - synchronize
-    - reopened
-    - ready_for_review
-  schedule:
-    - cron: '0 5 * * *'
-  workflow_dispatch: {}
-jobs:
-  upload-artifacts:
-    strategy:
-      fail-fast: false
-      matrix:
-        version:
-        - stable-v2.13.5
-        - stable-v2.14.6
-        - stable-v2.15.5
-        - stable-v2.16.6
-        - stable-v2.17.6
-        - default
-        - linked
-        - nightly-latest
-    name: Upload debug artifacts
-    env:
-      CODEQL_ACTION_TEST_MODE: true
-    timeout-minutes: 45
-    runs-on: ubuntu-latest
-    steps:
-      - name: Check out repository
-        uses: actions/checkout@v4
-      - name: Prepare test
-        id: prepare-test
-        uses: ./.github/actions/prepare-test
-        with:
-          version: ${{ matrix.version }}
-      - uses: actions/setup-go@v5
-        with:
-          go-version: ^1.13.1
-      - uses: ./../action/init
-        id: init
-        with:
-          tools: ${{ steps.prepare-test.outputs.tools-url }}
-          debug: true
-          debug-artifact-name: my-debug-artifacts
-          debug-database-name: my-db
-          # We manually exclude Swift from the languages list here, as it is not supported on Ubuntu
-          languages: cpp,csharp,go,java,javascript,python,ruby 
-      - name: Build code
-        shell: bash
-        run: ./build.sh
-      - uses: ./../action/analyze
-        id: analysis
-  download-and-check-artifacts:
-    name: Download and check debug artifacts
-    needs: upload-artifacts
-    timeout-minutes: 45
-    runs-on: ubuntu-latest
-    steps:
-      - name: Download all artifacts
-        uses: actions/download-artifact@v3
-      - name: Check expected artifacts exist
-        shell: bash
-        run: |
-          VERSIONS="stable-v2.13.5 stable-v2.14.6 stable-v2.15.5 stable-v2.16.6 stable-v2.17.6 default linked nightly-latest"
-          LANGUAGES="cpp csharp go java javascript python"
-          for version in $VERSIONS; do
-            pushd "./my-debug-artifacts-${version//./}"
-            echo "Artifacts from version $version:"
-            for language in $LANGUAGES; do
-              echo "- Checking $language"
-              if [[ ! -f "$language.sarif" ]] ; then
-                echo "Missing a SARIF file for $language"
-                exit 1
-              fi
-              if [[ ! -f "my-db-$language.zip" ]] ; then
-                echo "Missing a database bundle for $language"
-                exit 1
-              fi
-              if [[ ! -d "$language/log" ]] ; then
-                echo "Missing logs for $language"
-                exit 1
-              fi
-            done
-            popd
-          done
-        env:
-          GO111MODULE: auto
@@ -0,0 +1,106 @@
+# Workflow runs on main, on a release branch, and that were triggered as part of a merge group have
+# already passed CI before being merged. Therefore if they fail, we should make sure that there
+# wasn't a transient failure by rerunning the failed jobs once before investigating further.
+name: Deflake
+
+on:
+  workflow_run:
+    types: [completed]
+    # Exclude workflows that have significant side effects, like publishing releases. It's OK to
+    # retry CodeQL analysis.
+    workflows:
+      - Check Expected Release Files
+      - Code-Scanning config CLI tests
+      - CodeQL action
+      - Manual Check - go
+      - "PR Check - All-platform bundle"
+      - "PR Check - Analysis kinds"
+      - "PR Check - Analyze: 'ref' and 'sha' from inputs"
+      - "PR Check - autobuild-action"
+      - "PR Check - Autobuild direct tracing (custom working directory)"
+      - "PR Check - Autobuild working directory"
+      - "PR Check - Build mode autobuild"
+      - "PR Check - Build mode manual"
+      - "PR Check - Build mode none"
+      - "PR Check - Build mode rollback"
+      - "PR Check - Bundle: Caching checks"
+      - "PR Check - Bundle: From nightly"
+      - "PR Check - Bundle: From toolcache"
+      - "PR Check - Bundle: Zstandard checks"
+      - "PR Check - C/C\\+\\+: autoinstalling dependencies (Linux)"
+      - "PR Check - C/C\\+\\+: autoinstalling dependencies is skipped (macOS)"
+      - "PR Check - C/C\\+\\+: disabling autoinstalling dependencies (Linux)"
+      - "PR Check - Clean up database cluster directory"
+      - "PR Check - CodeQL Bundle All"
+      - "PR Check - Config export"
+      - "PR Check - Config input"
+      - "PR Check - Custom source root"
+      - "PR Check - Debug artifact upload"
+      - "PR Check - Debug artifacts after failure"
+      - "PR Check - Diagnostic export"
+      - "PR Check - Export file baseline information"
+      - "PR Check - Extractor ram and threads options test"
+      - "PR Check - Go: Custom queries"
+      - "PR Check - Go: diagnostic when Go is changed after init step"
+      - "PR Check - Go: diagnostic when `file` is not installed"
+      - "PR Check - Go: tracing with autobuilder step"
+      - "PR Check - Go: tracing with custom build steps"
+      - "PR Check - Go: tracing with legacy workflow"
+      - "PR Check - Go: workaround for indirect tracing"
+      - "PR Check - Job run UUID added to SARIF"
+      - "PR Check - Language aliases"
+      - "PR Check - Local CodeQL bundle"
+      - "PR Check - Multi-language repository"
+      - "PR Check - Overlay database init fallback"
+      - "PR Check - Packaging: Action input"
+      - "PR Check - Packaging: Config and input"
+      - "PR Check - Packaging: Config and input passed to the CLI"
+      - "PR Check - Packaging: Config file"
+      - "PR Check - Packaging: Download using registries"
+      - "PR Check - Proxy test"
+      - "PR Check - Remote config file"
+      - "PR Check - Resolve environment"
+      - "PR Check - RuboCop multi-language"
+      - "PR Check - Ruby analysis"
+      - "PR Check - Rust analysis"
+      - "PR Check - Split workflow"
+      - "PR Check - Start proxy"
+      - "PR Check - Submit SARIF after failure"
+      - "PR Check - Swift analysis using a custom build command"
+      - "PR Check - Swift analysis using autobuild"
+      - "PR Check - Test different uses of `upload-sarif`"
+      - "PR Check - Test unsetting environment variables"
+      - "PR Check - Upload-sarif: ref and sha from inputs"
+      - "PR Check - Use a custom `checkout_path`"
+      - PR Checks
+      - Query filters tests
+      - Test that the workaround for python 3.12 on windows works
+
+jobs:
+  rerun-on-failure:
+    name: Rerun failed jobs
+    if: >-
+      github.event.workflow_run.conclusion == 'failure' &&
+      github.event.workflow_run.run_attempt == 1 &&
+      (
+        github.event.workflow_run.head_branch == 'main' ||
+        startsWith(github.event.workflow_run.head_branch, 'releases/') ||
+        github.event.workflow_run.event == 'merge_group'
+      )
+    runs-on: ubuntu-slim
+    permissions:
+      actions: write
+    steps:
+      - name: Rerun failed jobs in ${{ github.event.workflow_run.name }}
+        env:
+          GH_TOKEN: ${{ github.token }}
+          GH_REPO: ${{ github.repository }}
+          RUN_ID: ${{ github.event.workflow_run.id }}
+          RUN_NAME: ${{ github.event.workflow_run.name }}
+          RUN_URL: ${{ github.event.workflow_run.html_url }}
+        run: |
+          echo "Rerunning failed jobs for workflow run ${RUN_ID}"
+          gh run rerun "${RUN_ID}" --failed
+          echo "### Reran failed jobs :recycle:" >> "$GITHUB_STEP_SUMMARY"
+          echo "" >> "$GITHUB_STEP_SUMMARY"
+          echo "Workflow: [${RUN_NAME}](${RUN_URL})" >> "$GITHUB_STEP_SUMMARY"
@@ -1,46 +0,0 @@
-name: Check queries that ran
-
-on:
-  push:
-    branches:
-    - main
-    - releases/v*
-  pull_request:
-    types:
-    - opened
-    - synchronize
-    - reopened
-    - ready_for_review
-  schedule:
-    - cron: '0 5 * * *'
-  workflow_dispatch: {}
-
-jobs:
-  expected-queries:
-    name: Expected Queries Tests
-    env:
-      CODEQL_ACTION_TEST_MODE: true
-    timeout-minutes: 45
-    runs-on: ubuntu-latest
-    steps:
-    - name: Check out repository
-      uses: actions/checkout@v4
-    - name: Prepare test
-      id: prepare-test
-      uses: ./.github/actions/prepare-test
-      with:
-        version: linked
-    - uses: ./../action/init
-      with:
-        languages: javascript
-        tools: ${{ steps.prepare-test.outputs.tools-url }}
-    - uses: ./../action/analyze
-      with:
-        output: ${{ runner.temp }}/results
-
-    - name: Check Sarif
-      uses: ./../action/.github/actions/check-sarif
-      with:
-        sarif-file: ${{ runner.temp }}/results/javascript.sarif
-        queries-run: js/incomplete-hostname-regexp,js/path-injection
-        queries-not-run: foo,bar
@@ -0,0 +1,27 @@
+name: Label PR with size
+
+on:
+  pull_request:
+    types:
+      - opened
+      - synchronize
+      - reopened
+      - edited
+      - ready_for_review
+
+permissions:
+  contents: read
+  pull-requests: write
+
+jobs:
+  sizeup:
+    name: Label PR with size
+    runs-on: ubuntu-slim
+    if: github.event.pull_request.merged != true
+
+    steps:
+      - name: Run sizeup
+        uses: lerebear/sizeup-action@b7beb3dd273e36039e16e48e7bc690c189e61951 # 0.8.12
+        with:
+          token: "${{ secrets.GITHUB_TOKEN }}"
+          configuration-file-path: ".github/sizeup.yml"
@@ -3,7 +3,7 @@
 #    tag
 # 2. Updates the `vN` tag to refer to this merge commit.
 # 3. Iff vN == vLatest, merges any changes from the release back into the main branch.
-#    Typically, this is two commits – one to update the version number and one to update dependencies.
+#    Typically, this is two commits – one to update the version number and one to rebuild.
 name: Tag release and merge back

 on:
@@ -18,14 +18,23 @@ on:
    branches:
      - releases/v*

+defaults:
+  run:
+    shell: bash
+
 jobs:
  merge-back:
    runs-on: ubuntu-latest
+    environment: Automation
    if: github.repository == 'github/codeql-action'
    env:
      BASE_BRANCH: "${{ github.event.inputs.baseBranch || 'main' }}"
      HEAD_BRANCH: "${{ github.head_ref || github.ref }}"

+    permissions:
+      contents: write # needed to create tags and push commits
+      pull-requests: write
+
    steps:
      - name: Dump environment
        run: env
@@ -35,10 +44,13 @@ jobs:
          GITHUB_CONTEXT: '${{ toJson(github) }}'
        run: echo "${GITHUB_CONTEXT}"

-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
        with:
          fetch-depth: 0  # ensure we have all tags and can push commits
-      - uses: actions/setup-node@v4
+      - uses: actions/setup-node@v6
+      - uses: actions/setup-python@v6
+        with:
+          python-version: '3.12'

      - name: Update git config
        run: |
@@ -108,45 +120,43 @@ jobs:
          # - `--force` since we're overwriting the `vN` tag
          git push origin --atomic --force refs/tags/"${VERSION}" refs/tags/"${major_version_tag}"

-      - name: Create mergeback branch
-        if: ${{ steps.check.outputs.exists != 'true' && endsWith(github.ref_name, steps.getVersion.outputs.latest_release_branch) }}
+      - name: Prepare partial Changelog
        env:
-          VERSION: "${{ steps.getVersion.outputs.version }}"
-          NEW_BRANCH: "${{ steps.getVersion.outputs.newBranch }}"
-          GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
+          PARTIAL_CHANGELOG: "${{ runner.temp }}/partial_changelog.md"
        run: |
-          set -exu
-          pr_title="Mergeback ${VERSION} ${HEAD_BRANCH} into ${BASE_BRANCH}"
-          pr_body=$(cat << EOF
-            This PR bumps the version number and updates the changelog after the ${VERSION} release.
+          python .github/workflows/script/prepare_changelog.py CHANGELOG.md > $PARTIAL_CHANGELOG

-            Please do the following:
+          echo "::group::Partial CHANGELOG"
+          cat $PARTIAL_CHANGELOG
+          echo "::endgroup::"

-            - [ ] Remove and re-add the "Update dependencies" label to the PR to trigger just this workflow.
-            - [ ] Wait for the "Update dependencies" workflow to push a commit updating the dependencies.
-            - [ ] Mark the PR as ready for review to trigger the full set of PR checks.
-            - [ ] Approve and merge the PR. When merging the PR, make sure "Create a merge commit" is
-                  selected rather than "Squash and merge" or "Rebase and merge".
-          EOF
-          )
+      - name: Generate token
+        uses: actions/create-github-app-token@v3.1.1
+        id: app-token
+        with:
+          app-id: ${{ vars.AUTOMATION_APP_ID }}
+          private-key: ${{ secrets.AUTOMATION_PRIVATE_KEY }}

-          # Update the version number ready for the next release
-          npm version patch --no-git-tag-version
+      - name: Create the GitHub release
+        if: steps.check.outputs.exists != 'true'
+        env:
+          PARTIAL_CHANGELOG: "${{ runner.temp }}/partial_changelog.md"
+          VERSION: "${{ steps.getVersion.outputs.version }}"
+          GH_TOKEN: ${{ steps.app-token.outputs.token }}
+        run: |
+          # Do not mark this release as latest. The most recent CLI release must be marked as latest.
+          gh release create \
+            "$VERSION" \
+            --latest=false \
+            --title "$VERSION" \
+            --notes-file "$PARTIAL_CHANGELOG"

-          # Update the changelog, adding a new version heading directly above the most recent existing one
-          awk '!f && /##/{print "'"## [UNRELEASED]\n\nNo user facing changes.\n"'"; f=1}1' CHANGELOG.md > temp && mv temp CHANGELOG.md
-          git add .
-          git commit -m "Update changelog and version after ${VERSION}"
-
-          git push origin "${NEW_BRANCH}"
-
-          # PR checks won't be triggered on PRs created by Actions. Therefore mark the PR as draft
-          # so that a maintainer can take the PR out of draft, thereby triggering the PR checks.
-          gh pr create \
-            --head "${NEW_BRANCH}" \
-            --base "${BASE_BRANCH}" \
-            --title "${pr_title}" \
-            --label "Update dependencies" \
-            --body "${pr_body}" \
-            --assignee "${GITHUB_ACTOR}" \
-            --draft
+      - name: Create mergeback branch and PR
+        if: ${{ endsWith(github.ref_name, steps.getVersion.outputs.latest_release_branch) }}
+        uses: ./.github/actions/prepare-mergeback-branch
+        with:
+          base: "${{ env.BASE_BRANCH }}"
+          head: "${{ env.HEAD_BRANCH }}"
+          branch: "${{ steps.getVersion.outputs.newBranch }}"
+          version: "${{ steps.getVersion.outputs.version }}"
+          token: "${{ secrets.GITHUB_TOKEN }}"
@@ -6,126 +6,117 @@ on:
    # Run checks on reopened draft PRs to support triggering PR checks on draft PRs that were opened
    # by other workflows.
    types: [opened, synchronize, reopened, ready_for_review]
+  merge_group:
+    types: [checks_requested]
  workflow_dispatch:

+defaults:
+  run:
+    shell: bash
+
 jobs:
-  check-js:
-    name: Check JS
-    runs-on: ubuntu-latest
-    timeout-minutes: 45
-
-    strategy:
-      fail-fast: false
-      matrix:
-        node-types-version: [16.11, current] # run tests on 16.11 while CodeQL Action v2 is still supported
-
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v4
-
-      - name: Lint
-        id: lint
-        run: npm run-script lint-ci
-
-      - name: Upload sarif
-        uses: github/codeql-action/upload-sarif@v3
-        # Only upload SARIF for the latest version of Node.js
-        if: "!cancelled() && matrix.node-types-version == 'current' && !startsWith(github.head_ref, 'dependabot/')"
-        with:
-          sarif_file: eslint.sarif
-          category: eslint
-
-      - name: Update version of @types/node
-        if: matrix.node-types-version != 'current'
-        env:
-          NODE_TYPES_VERSION: ${{ matrix.node-types-version }}
-        run: |
-          # Export `NODE_TYPES_VERSION` so it's available to jq
-          export NODE_TYPES_VERSION="${NODE_TYPES_VERSION}"
-          contents=$(jq '.devDependencies."@types/node" = env.NODE_TYPES_VERSION' package.json)
-          echo "${contents}" > package.json
-          # Usually we run `npm install` on macOS to ensure that we pick up macOS-only dependencies.
-          # However we're not checking in the updated lockfile here, so it's fine to run
-          # `npm install` on Linux.
-          npm install
-
-          if [ ! -z "$(git status --porcelain)" ]; then
-            git config --global user.email "github-actions@github.com"
-            git config --global user.name "github-actions[bot]"
-            # The period in `git add --all .` ensures that we stage deleted files too.
-            git add --all .
-            git commit -m "Use @types/node=${NODE_TYPES_VERSION}"
-          fi
-
-      - name: Check generated JS
-        run: .github/workflows/script/check-js.sh
-
-  check-node-modules:
-    if: github.event_name != 'push' || github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/heads/releases/v')
-    name: Check modules up to date
-    runs-on: macos-latest
-    timeout-minutes: 45
-
-    steps:
-      - uses: actions/checkout@v4
-      - name: Check node modules up to date
-        run: .github/workflows/script/check-node-modules.sh
-
-  check-file-contents:
-    if: github.event_name != 'push' || github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/heads/releases/v')
-    name: Check file contents
-    runs-on: ubuntu-latest
-    timeout-minutes: 45
-
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v4
-
-      - name: Set up Python
-        uses: actions/setup-python@v5
-        with:
-          python-version: 3.11
-
-      - name: Install dependencies
-        run: |
-          python -m pip install --upgrade pip
-          # When updating this, update the autogenerated code header in `sync.py` too.
-          pip install ruamel.yaml==0.17.31
-
-      # Ensure the generated PR check workflows are up to date.
-      - name: Verify PR checks up to date
-        run: .github/workflows/script/verify-pr-checks.sh
-
-  npm-test:
-    if: github.event_name != 'push' || github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/heads/releases/v')
-    name: Unit Test
-    needs: [check-js, check-node-modules]
+  unit-tests:
+    name: Unit Tests
+    if: github.triggering_actor != 'dependabot[bot]'
    strategy:
      fail-fast: false
      matrix:
        os: [ubuntu-latest, macos-latest, windows-latest]
+        node-version: [20, 24]
+    permissions:
+      contents: read
+      security-events: write # needed to upload ESLint results
    runs-on: ${{ matrix.os }}
    timeout-minutes: 45

    steps:
-      - uses: actions/checkout@v4
-      - name: npm test
+      - name: Prepare git (Windows)
+        if: runner.os == 'Windows'
+        run: git config --global core.autocrlf false
+
+      - uses: actions/checkout@v6
+
+      - name: Set up Node.js
+        uses: actions/setup-node@v6
+        with:
+          node-version: ${{ matrix.node-version }}
+          cache: 'npm'
+
+      - name: Install dependencies
        run: |
-          # Run any commands referenced in package.json using Bash, otherwise
-          # we won't be able to find them on Windows.
+          # Use the system Bash shell to ensure we can run commands like `npm ci`
+          # that are not available in the default shell on Windows.
          npm config set script-shell bash
-          npm test
+          npm ci
+
+      - name: Verify compiled JS up to date
+        run: .github/workflows/script/check-js.sh
+
+      - name: Run unit tests
+        if: always()
+        run: npm test
+
+      - name: Lint
+        if: always() && matrix.os != 'windows-latest'
+        run: npm run lint-ci
+
+      - name: Upload sarif
+        uses: github/codeql-action/upload-sarif@v4
+        if: matrix.os == 'ubuntu-latest' && matrix.node-version == 24
+        with:
+          sarif_file: eslint.sarif
+          category: eslint
+
+  # Verifying the PR checks are up-to-date requires Node 24. The PR checks are not dependent
+  # on the main codebase and therefore do not need to be run as part of the same matrix that
+  # we use for the `unit-tests` job.
+  verify-pr-checks:
+    name: Verify PR checks
+    if: github.triggering_actor != 'dependabot[bot]'
+    permissions:
+      contents: read
+    runs-on: ubuntu-slim
+    timeout-minutes: 10
+
+    steps:
+      - name: Prepare git (Windows)
+        if: runner.os == 'Windows'
+        run: git config --global core.autocrlf false
+
+      - name: Checkout repository
+        uses: actions/checkout@v6
+
+      - name: Set up Node.js
+        uses: actions/setup-node@v6
+        with:
+          node-version: 24
+          cache: 'npm'
+
+      - name: Install dependencies
+        run: npm ci
+
+      - name: Verify PR checks up to date
+        if: always()
+        run: .github/workflows/script/verify-pr-checks.sh
+
+      - name: Run pr-checks tests
+        if: always()
+        working-directory: pr-checks
+        run: npx tsx --test

  check-node-version:
-    if: github.event.pull_request
+    if: github.triggering_actor != 'dependabot[bot]'
    name: Check Action Node versions
    runs-on: ubuntu-latest
    timeout-minutes: 45
    env:
      BASE_REF: ${{ github.base_ref }}

+    permissions:
+      contents: read
+
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
      - id: head-version
        name: Verify all Actions use the same Node version
        run: |
@@ -140,7 +131,7 @@ jobs:
      - id: checkout-base
        name: 'Backport: Check out base ref'
        if: ${{ startsWith(github.head_ref, 'backport-') }}
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
        with:
          ref: ${{ env.BASE_REF }}

@@ -0,0 +1,77 @@
+name: Prepare release
+on:
+  workflow_call:
+    outputs:
+      version:
+        description: "The version that is being released."
+        value: ${{ jobs.prepare.outputs.version }}
+      major_version:
+        description: "The major version of the release."
+        value: ${{ jobs.prepare.outputs.major_version }}
+      latest_tag:
+        description: "The most recent, existing release tag."
+        value: ${{ jobs.prepare.outputs.latest_tag }}
+      backport_source_branch:
+        description: "The release branch for the given tag."
+        value: ${{ jobs.prepare.outputs.backport_source_branch }}
+      backport_target_branches:
+        description: "JSON encoded list of branches to target with backports."
+        value: ${{ jobs.prepare.outputs.backport_target_branches }}
+
+  push:
+    paths:
+      - .github/workflows/prepare-release.yml
+
+defaults:
+  run:
+    shell: bash
+
+jobs:
+  prepare:
+    name: "Prepare release"
+    runs-on: ubuntu-latest
+    if: github.repository == 'github/codeql-action'
+
+    permissions:
+      contents: read
+
+    outputs:
+      version: ${{ steps.versions.outputs.version }}
+      major_version: ${{ steps.versions.outputs.major_version }}
+      latest_tag: ${{ steps.versions.outputs.latest_tag }}
+      backport_source_branch: ${{ steps.branches.outputs.backport_source_branch }}
+      backport_target_branches: ${{ steps.branches.outputs.backport_target_branches }}
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v6
+        with:
+          fetch-depth: 0 # Need full history for calculation of diffs
+
+      - name: Configure runner for release
+        uses: ./.github/actions/release-initialise
+
+      - name: Get version tags
+        id: versions
+        run: |
+          VERSION="v$(jq '.version' -r 'package.json')"
+          echo "version=${VERSION}" >> $GITHUB_OUTPUT
+          MAJOR_VERSION=$(cut -d '.' -f1 <<< "${VERSION}")
+          echo "major_version=${MAJOR_VERSION}" >> $GITHUB_OUTPUT
+          LATEST_TAG=$(git tag --sort=-v:refname | grep -E '^v[0-9]+\.[0-9]+\.[0-9]+' | head -1)
+          echo "latest_tag=${LATEST_TAG}" >> $GITHUB_OUTPUT
+
+      - name: Determine older release branches
+        id: branches
+        uses: ./.github/actions/release-branches
+        with:
+          major_version: ${{ steps.versions.outputs.major_version }}
+          latest_tag: ${{ steps.versions.outputs.latest_tag }}
+
+      - name: Print release information
+        run: |
+          echo 'version: ${{ steps.versions.outputs.version }}'
+          echo 'major_version: ${{ steps.versions.outputs.major_version }}'
+          echo 'latest_tag: ${{ steps.versions.outputs.latest_tag }}'
+          echo 'backport_source_branch: ${{ steps.branches.outputs.backport_source_branch }}'
+          echo 'backport_target_branches: ${{ steps.branches.outputs.backport_target_branches }}'
@@ -0,0 +1,27 @@
+name: 'Publish Immutable Action Version'
+
+on:
+  push:
+    tags:
+      # Match version tags, but not the major version tags.
+      - 'v[0-9]+.**'
+
+defaults:
+  run:
+    shell: bash
+
+jobs:
+  publish:
+    runs-on: ubuntu-slim
+    permissions:
+      contents: read
+      id-token: write
+      packages: write
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v6
+
+      - name: Publish immutable release
+        id: publish
+        uses: actions/publish-immutable-action@v0.0.4
@@ -7,24 +7,35 @@ on:
    # Run checks on reopened draft PRs to support triggering PR checks on draft PRs that were opened
    # by other workflows.
    types: [opened, synchronize, reopened, ready_for_review]
+  merge_group:
+    types: [checks_requested]
  schedule:
    # Weekly on Monday.
    - cron: '0 0 * * 1'
  workflow_dispatch:

+defaults:
+  run:
+    shell: bash
+
 jobs:
  test-setup-python-scripts:
+    if: github.triggering_actor != 'dependabot[bot]'
    env:
      CODEQL_ACTION_TEST_MODE: true
    timeout-minutes: 45
+    permissions:
+      contents: read
+      # We currently need `security-events: read` to access feature flags.
+      security-events: read
    runs-on: windows-latest

    steps:
-    - uses: actions/setup-python@v5
+    - uses: actions/setup-python@v6
      with:
        python-version: 3.12

-    - uses: actions/checkout@v4
+    - uses: actions/checkout@v6

    - name: Prepare test
      uses: ./.github/actions/prepare-test
@@ -11,18 +11,37 @@ on:
    - synchronize
    - reopened
    - ready_for_review
+  merge_group:
+    types: [checks_requested]
  schedule:
    - cron: '0 5 * * *'
-  workflow_dispatch: {}
+  workflow_dispatch:
+
+defaults:
+  run:
+    shell: bash

 jobs:
  query-filters:
    name: Query Filters Tests
+    if: github.triggering_actor != 'dependabot[bot]'
    timeout-minutes: 45
    runs-on: ubuntu-latest
+    permissions:
+      contents: read # This permission is needed to allow the GitHub Actions workflow to read the contents of the repository.
    steps:
    - name: Check out repository
-      uses: actions/checkout@v4
+      uses: actions/checkout@v6
+
+    - name: Install Node.js
+      uses: actions/setup-node@v6
+      with:
+        node-version: 24
+        cache: npm
+
+    - name: Install dependencies
+      run: npm ci
+
    - name: Prepare test
      id: prepare-test
      uses: ./.github/actions/prepare-test
--- a/Show More
+++ b/Show More