Merge pull request #3213 from github/update-v4.30.9-70205d3d1

Merge main into releases/v4
Update changelog for v4.30.9
2026-05-04 04:40:09 +00:00 · 2025-10-17 16:22:48 +01:00 · 2025-10-17 14:54:08 +00:00 · 2025-10-17 14:46:51 +01:00 · 2025-10-17 14:21:44 +01:00 · 2025-10-17 14:18:19 +01:00
81 changed files with 90903 additions and 1058 deletions
@@ -16,5 +16,5 @@ inputs:
      Comma separated list of query ids that should NOT be included in this SARIF file.

 runs:
-  using: node20
+  using: node24
  main: index.js
@@ -2,7 +2,7 @@ name: "Prepare test"
 description: Performs some preparation to run tests
 inputs:
  version:
-    description: "The version of the CodeQL CLI to use. Can be 'linked', 'default', 'nightly', 'nightly-latest', 'nightly-YYYYMMDD', or 'stable-vX.Y.Z"
+    description: "The version of the CodeQL CLI to use. Can be 'linked', 'default', 'toolcache', 'nightly', 'nightly-latest', 'nightly-YYYYMMDD', or 'stable-vX.Y.Z"
    required: true
  use-all-platform-bundle:
    description: "If true, we output a tools URL with codeql-bundle.tar.gz file rather than platform-specific URL"
@@ -41,6 +41,9 @@ runs:
        elif [[ "$VERSION" == "linked" ]]; then
          echo "tools-url=linked" >> "$GITHUB_OUTPUT"
          exit 0
+        elif [[ "$VERSION" == "toolcache" ]]; then
+          echo "tools-url=toolcache" >> "$GITHUB_OUTPUT"
+          exit 0
        elif [[ "$VERSION" == "default" ]]; then
          echo "tools-url=" >> "$GITHUB_OUTPUT"
          exit 0
@@ -16,9 +16,12 @@ updates:
      - dependency-name: "eslint-plugin-import"
        versions: [">=2.30.0"]
    groups:
-      npm:
+      npm-minor:
        patterns:
          - "*"
+        update-types:
+          - "minor"
+          - "patch"
  - package-ecosystem: github-actions
    directories:
      - "/.github/workflows"
@@ -28,6 +31,9 @@ updates:
    labels:
      - Rebuild
    groups:
-      actions:
+      actions-minor:
        patterns:
          - "*"
+        update-types:
+          - "minor"
+          - "patch"
@@ -1,4 +1,13 @@
-<!-- For GitHub staff: Remember that this is a public repository. -->
+<!--
+    For GitHub staff: Remember that this is a public repository. Do not link to internal resources.
+                      If necessary, link to this PR from an internal issue and include further details there.
+
+    Everyone: Include a summary of the context of this change, what it aims to accomplish, and why you
+              chose the approach you did if applicable. Indicate any open questions you want to answer
+              during the review process and anything you want reviewers to pay particular attention to.
+
+    See https://github.com/github/codeql-action/blob/main/CONTRIBUTING.md for additional information.
+-->

 ### Risk assessment

@@ -7,6 +16,44 @@ For internal use only. Please select the risk level of this change:
 - **Low risk:** Changes are fully under feature flags, or have been fully tested and validated in pre-production environments and are highly observable, or are documentation or test only.
 - **High risk:** Changes are not fully under feature flags, have limited visibility and/or cannot be tested outside of production.

+#### Which use cases does this change impact?
+
+<!-- Delete options that don't apply. -->
+
+- **Advanced setup** - Impacts users who have custom workflows.
+- **Default setup** - Impacts users who use default setup.
+- **Code Scanning** - Impacts Code Scanning (i.e. `analysis-kinds: code-scanning`).
+- **Code Quality** - Impacts Code Quality (i.e. `analysis-kinds: code-quality`).
+- **Third-party analyses** - Impacts third-party analyses (i.e. `upload-sarif`).
+- **GHES** - Impacts GitHub Enterprise Server.
+
+#### How did/will you validate this change?
+
+<!-- Delete options that don't apply. -->
+
+- **Test repository** - This change will be tested on a test repository before merging.
+- **Unit tests** - I am depending on unit test coverage (i.e. tests in `.test.ts` files).
+- **End-to-end tests** - I am depending on PR checks (i.e. tests in `pr-checks`).
+- **Other** - Please provide details.
+- **None** - I am not validating these changes.
+
+#### If something goes wrong after this change is released, what are the mitigation and rollback strategies?
+
+<!-- Delete strategies that don't apply. -->
+
+- **Feature flags** - All new or changed code paths can be fully disabled with corresponding feature flags.
+- **Rollback** - Change can only be disabled by rolling back the release or releasing a new version with a fix.
+- **Other** - Please provide details.
+
+#### How will you know if something goes wrong after this change is released?
+
+<!-- Delete options that don't apply. -->
+
+- **Telemetry** - I rely on existing telemetry or have made changes to the telemetry.
+    - **Dashboards** - I will watch relevant dashboards for issues after the release. Consider whether this requires this change to be released at a particular time rather than as part of a regular release.
+    - **Alerts** - New or existing monitors will trip if something goes wrong with this change.
+- **Other** - Please provide details.
+
 ### Merge / deployment checklist

 - Confirm this change is backwards compatible with existing workflows.
@@ -371,10 +371,10 @@ def main():
      # releases.
      run_git('revert', vOlder_update_commits[0], '--no-edit')

-      # Also revert the "Update checked-in dependencies" commit created by Actions.
-      update_dependencies_commit = run_git('log', '--grep', '^Update checked-in dependencies', '--format=%H').split()[0]
-      print(f'  Reverting {update_dependencies_commit}')
-      run_git('revert', update_dependencies_commit, '--no-edit')
+      # Also revert the "Rebuild" commit created by Actions.
+      rebuild_commit = run_git('log', '--grep', '^Rebuild$', '--format=%H').split()[0]
+      print(f'  Reverting {rebuild_commit}')
+      run_git('revert', rebuild_commit, '--no-edit')

    else:
      print('  Nothing to revert.')
@@ -27,6 +27,11 @@ on:
        description: The version of Go to install
        required: false
        default: '>=1.21.0'
+      python-version:
+        type: string
+        description: The version of Python to install
+        required: false
+        default: '3.13'
  workflow_call:
    inputs:
      go-version:
@@ -34,6 +39,11 @@ on:
        description: The version of Go to install
        required: false
        default: '>=1.21.0'
+      python-version:
+        type: string
+        description: The version of Python to install
+        required: false
+        default: '3.13'
 defaults:
  run:
    shell: bash
@@ -70,6 +80,11 @@ jobs:
        with:
          go-version: ${{ inputs.go-version || '>=1.21.0' }}
          cache: false
+      - name: Install Python
+        if: matrix.version != 'nightly-latest'
+        uses: actions/setup-python@v6
+        with:
+          python-version: ${{ inputs.python-version || '3.13' }}
      - uses: ./../action/init
        with:
          tools: ${{ steps.prepare-test.outputs.tools-url }}
@@ -3,7 +3,7 @@
 #     pr-checks/sync.sh
 # to regenerate this file.

-name: 'PR Check - Upload-sarif: code quality endpoint'
+name: 'PR Check - Bundle: From toolcache'
 env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  GO111MODULE: auto
@@ -21,19 +21,9 @@ on:
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
-    inputs:
-      go-version:
-        type: string
-        description: The version of Go to install
-        required: false
-        default: '>=1.21.0'
+    inputs: {}
  workflow_call:
-    inputs:
-      go-version:
-        type: string
-        description: The version of Go to install
-        required: false
-        default: '>=1.21.0'
+    inputs: {}
 defaults:
  run:
    shell: bash
@@ -41,14 +31,14 @@ concurrency:
  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
-  upload-quality-sarif:
+  bundle-from-toolcache:
    strategy:
      fail-fast: false
      matrix:
        include:
          - os: ubuntu-latest
-            version: default
-    name: 'Upload-sarif: code quality endpoint'
+            version: toolcache
+    name: 'Bundle: From toolcache'
    if: github.triggering_actor != 'dependabot[bot]'
    permissions:
      contents: read
@@ -65,31 +55,31 @@ jobs:
          version: ${{ matrix.version }}
          use-all-platform-bundle: 'false'
          setup-kotlin: 'true'
-      - name: Install Go
-        uses: actions/setup-go@v6
+      - name: Install @actions/tool-cache
+        run: npm install @actions/tool-cache
+      - name: Check toolcache contains CodeQL
+        continue-on-error: true
+        uses: actions/github-script@v8
        with:
-          go-version: ${{ inputs.go-version || '>=1.21.0' }}
-          cache: false
-      - uses: ./../action/init
+          script: |
+            const toolcache = require('@actions/tool-cache');
+            const allCodeqlVersions = toolcache.findAllVersions('CodeQL');
+            if (allCodeqlVersions.length === 0) {
+              throw new Error(`CodeQL could not be found in the toolcache`);
+            }
+      - id: setup-codeql
+        uses: ./../action/setup-codeql
        with:
          tools: ${{ steps.prepare-test.outputs.tools-url }}
-          languages: csharp,java,javascript,python
-          analysis-kinds: code-quality
-      - name: Build code
-        run: ./build.sh
-  # Generate some SARIF we can upload with the upload-sarif step
-      - uses: ./../action/analyze
+      - name: Check CodeQL is installed within the toolcache
+        uses: actions/github-script@v8
        with:
-          ref: refs/heads/main
-          sha: 5e235361806c361d4d3f8859e3c897658025a9a2
-          upload: never
-      - uses: ./../action/upload-sarif
-        id: upload-sarif
-        with:
-          ref: refs/heads/main
-          sha: 5e235361806c361d4d3f8859e3c897658025a9a2
-      - name: Check output from `upload-sarif` step
-        if: '!(fromJSON(steps.upload-sarif.outputs.sarif-ids).code-quality)'
-        run: exit 1
+          script: |
+            const toolcache = require('@actions/tool-cache');
+            const allCodeqlVersions = toolcache.findAllVersions('CodeQL');
+            console.log(`Found CodeQL versions: ${allCodeqlVersions}`);
+            if (allCodeqlVersions.length === 0) {
+              throw new Error('CodeQL not found in toolcache');
+            }
    env:
      CODEQL_ACTION_TEST_MODE: true
@@ -27,6 +27,11 @@ on:
        description: The version of Go to install
        required: false
        default: '>=1.21.0'
+      python-version:
+        type: string
+        description: The version of Python to install
+        required: false
+        default: '3.13'
  workflow_call:
    inputs:
      go-version:
@@ -34,6 +39,11 @@ on:
        description: The version of Go to install
        required: false
        default: '>=1.21.0'
+      python-version:
+        type: string
+        description: The version of Python to install
+        required: false
+        default: '3.13'
 defaults:
  run:
    shell: bash
@@ -70,6 +80,11 @@ jobs:
        with:
          go-version: ${{ inputs.go-version || '>=1.21.0' }}
          cache: false
+      - name: Install Python
+        if: matrix.version != 'nightly-latest'
+        uses: actions/setup-python@v6
+        with:
+          python-version: ${{ inputs.python-version || '3.13' }}
      - name: Fetch latest CodeQL bundle
        run: |
          wget https://github.com/github/codeql-action/releases/latest/download/codeql-bundle-linux64.tar.zst
@@ -27,6 +27,11 @@ on:
        description: The version of Go to install
        required: false
        default: '>=1.21.0'
+      python-version:
+        type: string
+        description: The version of Python to install
+        required: false
+        default: '3.13'
  workflow_call:
    inputs:
      go-version:
@@ -34,6 +39,11 @@ on:
        description: The version of Go to install
        required: false
        default: '>=1.21.0'
+      python-version:
+        type: string
+        description: The version of Python to install
+        required: false
+        default: '3.13'
 defaults:
  run:
    shell: bash
@@ -104,6 +114,11 @@ jobs:
        with:
          go-version: ${{ inputs.go-version || '>=1.21.0' }}
          cache: false
+      - name: Install Python
+        if: matrix.version != 'nightly-latest'
+        uses: actions/setup-python@v6
+        with:
+          python-version: ${{ inputs.python-version || '3.13' }}
      - name: Use Xcode 16
        if: runner.os == 'macOS' && matrix.version != 'nightly-latest'
        run: sudo xcode-select -s "/Applications/Xcode_16.app"
@@ -27,6 +27,11 @@ on:
        description: The version of Go to install
        required: false
        default: '>=1.21.0'
+      python-version:
+        type: string
+        description: The version of Python to install
+        required: false
+        default: '3.13'
  workflow_call:
    inputs:
      go-version:
@@ -34,6 +39,11 @@ on:
        description: The version of Go to install
        required: false
        default: '>=1.21.0'
+      python-version:
+        type: string
+        description: The version of Python to install
+        required: false
+        default: '3.13'
 defaults:
  run:
    shell: bash
@@ -81,6 +91,11 @@ jobs:
        with:
          go-version: ${{ inputs.go-version || '>=1.21.0' }}
          cache: false
+      - name: Install Python
+        if: matrix.version != 'nightly-latest'
+        uses: actions/setup-python@v6
+        with:
+          python-version: ${{ inputs.python-version || '3.13' }}
      - uses: ./../action/init
        with:
          config-file: .github/codeql/codeql-config-packaging3.yml
@@ -27,6 +27,11 @@ on:
        description: The version of Go to install
        required: false
        default: '>=1.21.0'
+      python-version:
+        type: string
+        description: The version of Python to install
+        required: false
+        default: '3.13'
  workflow_call:
    inputs:
      go-version:
@@ -34,6 +39,11 @@ on:
        description: The version of Go to install
        required: false
        default: '>=1.21.0'
+      python-version:
+        type: string
+        description: The version of Python to install
+        required: false
+        default: '3.13'
 defaults:
  run:
    shell: bash
@@ -72,6 +82,11 @@ jobs:
        with:
          go-version: ${{ inputs.go-version || '>=1.21.0' }}
          cache: false
+      - name: Install Python
+        if: matrix.version != 'nightly-latest'
+        uses: actions/setup-python@v6
+        with:
+          python-version: ${{ inputs.python-version || '3.13' }}
      - uses: ./../action/init
        with:
          tools: ${{ steps.prepare-test.outputs.tools-url }}
@@ -56,7 +56,7 @@ jobs:
          use-all-platform-bundle: 'false'
          setup-kotlin: 'true'
      - name: Set up Ruby
-        uses: ruby/setup-ruby@0481980f17b760ef6bca5e8c55809102a0af1e5a # v1.263.0
+        uses: ruby/setup-ruby@ab177d40ee5483edb974554986f56b33477e21d0 # v1.265.0
        with:
          ruby-version: 2.6
      - name: Install Code Scanning integration
@@ -27,6 +27,11 @@ on:
        description: The version of Go to install
        required: false
        default: '>=1.21.0'
+      python-version:
+        type: string
+        description: The version of Python to install
+        required: false
+        default: '3.13'
  workflow_call:
    inputs:
      go-version:
@@ -34,6 +39,11 @@ on:
        description: The version of Go to install
        required: false
        default: '>=1.21.0'
+      python-version:
+        type: string
+        description: The version of Python to install
+        required: false
+        default: '3.13'
 defaults:
  run:
    shell: bash
@@ -72,6 +82,11 @@ jobs:
        with:
          go-version: ${{ inputs.go-version || '>=1.21.0' }}
          cache: false
+      - name: Install Python
+        if: matrix.version != 'nightly-latest'
+        uses: actions/setup-python@v6
+        with:
+          python-version: ${{ inputs.python-version || '3.13' }}
      - uses: ./../action/init
        id: init
        with:
@@ -27,6 +27,11 @@ on:
        description: The version of Go to install
        required: false
        default: '>=1.21.0'
+      python-version:
+        type: string
+        description: The version of Python to install
+        required: false
+        default: '3.13'
  workflow_call:
    inputs:
      go-version:
@@ -34,6 +39,11 @@ on:
        description: The version of Go to install
        required: false
        default: '>=1.21.0'
+      python-version:
+        type: string
+        description: The version of Python to install
+        required: false
+        default: '3.13'
 defaults:
  run:
    shell: bash
@@ -70,6 +80,11 @@ jobs:
        with:
          go-version: ${{ inputs.go-version || '>=1.21.0' }}
          cache: false
+      - name: Install Python
+        if: matrix.version != 'nightly-latest'
+        uses: actions/setup-python@v6
+        with:
+          python-version: ${{ inputs.python-version || '3.13' }}
      - uses: ./../action/init
        with:
          tools: ${{ steps.prepare-test.outputs.tools-url }}
@@ -0,0 +1,173 @@
+# Warning: This file is generated automatically, and should not be modified.
+# Instead, please modify the template in the pr-checks directory and run:
+#     pr-checks/sync.sh
+# to regenerate this file.
+
+name: PR Check - Test different uses of `upload-sarif`
+env:
+  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+  GO111MODULE: auto
+on:
+  push:
+    branches:
+      - main
+      - releases/v*
+  pull_request:
+    types:
+      - opened
+      - synchronize
+      - reopened
+      - ready_for_review
+  schedule:
+    - cron: '0 5 * * *'
+  workflow_dispatch:
+    inputs:
+      go-version:
+        type: string
+        description: The version of Go to install
+        required: false
+        default: '>=1.21.0'
+      python-version:
+        type: string
+        description: The version of Python to install
+        required: false
+        default: '3.13'
+  workflow_call:
+    inputs:
+      go-version:
+        type: string
+        description: The version of Go to install
+        required: false
+        default: '>=1.21.0'
+      python-version:
+        type: string
+        description: The version of Python to install
+        required: false
+        default: '3.13'
+defaults:
+  run:
+    shell: bash
+concurrency:
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
+jobs:
+  upload-sarif:
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - os: ubuntu-latest
+            version: default
+            analysis-kinds: code-scanning
+          - os: ubuntu-latest
+            version: default
+            analysis-kinds: code-quality
+          - os: ubuntu-latest
+            version: default
+            analysis-kinds: code-scanning,code-quality
+    name: Test different uses of `upload-sarif`
+    if: github.triggering_actor != 'dependabot[bot]'
+    permissions:
+      contents: read
+      security-events: read
+    timeout-minutes: 45
+    runs-on: ${{ matrix.os }}
+    steps:
+      - name: Check out repository
+        uses: actions/checkout@v5
+      - name: Prepare test
+        id: prepare-test
+        uses: ./.github/actions/prepare-test
+        with:
+          version: ${{ matrix.version }}
+          use-all-platform-bundle: 'false'
+          setup-kotlin: 'true'
+      - name: Install Go
+        uses: actions/setup-go@v6
+        with:
+          go-version: ${{ inputs.go-version || '>=1.21.0' }}
+          cache: false
+      - name: Install Python
+        if: matrix.version != 'nightly-latest'
+        uses: actions/setup-python@v6
+        with:
+          python-version: ${{ inputs.python-version || '3.13' }}
+      - uses: ./../action/init
+        with:
+          tools: ${{ steps.prepare-test.outputs.tools-url }}
+          languages: csharp,java,javascript,python
+          analysis-kinds: ${{ matrix.analysis-kinds }}
+      - name: Build code
+        run: ./build.sh
+  # Generate some SARIF we can upload with the upload-sarif step
+      - uses: ./../action/analyze
+        with:
+          ref: refs/heads/main
+          sha: 5e235361806c361d4d3f8859e3c897658025a9a2
+          upload: never
+          output: ${{ runner.temp }}/results
+
+      - name: |
+          Upload all SARIF files for `analysis-kinds: ${{ matrix.analysis-kinds }}`
+        uses: ./../action/upload-sarif
+        id: upload-sarif
+        with:
+          ref: refs/heads/main
+          sha: 5e235361806c361d4d3f8859e3c897658025a9a2
+          sarif_file: ${{ runner.temp }}/results
+          category: |
+            ${{ github.workflow }}:upload-sarif/analysis-kinds:${{ matrix.analysis-kinds }}/os:${{ matrix.os }}/version:${{ matrix.version }}/test:all-files/
+      - name: Fail for missing output from `upload-sarif` step for `code-scanning`
+        if: contains(matrix.analysis-kinds, 'code-scanning') && !(fromJSON(steps.upload-sarif.outputs.sarif-ids).code-scanning)
+        run: exit 1
+      - name: Fail for missing output from `upload-sarif` step for `code-quality`
+        if: contains(matrix.analysis-kinds, 'code-quality') && !(fromJSON(steps.upload-sarif.outputs.sarif-ids).code-quality)
+        run: exit 1
+
+      - name: Upload single SARIF file for Code Scanning
+        uses: ./../action/upload-sarif
+        id: upload-single-sarif-code-scanning
+        if: contains(matrix.analysis-kinds, 'code-scanning')
+        with:
+          ref: refs/heads/main
+          sha: 5e235361806c361d4d3f8859e3c897658025a9a2
+          sarif_file: ${{ runner.temp }}/results/javascript.sarif
+          category: |
+            ${{ github.workflow }}:upload-sarif/analysis-kinds:${{ matrix.analysis-kinds }}/os:${{ matrix.os }}/version:${{ matrix.version }}/test:single-code-scanning/
+      - name: Fail for missing output from `upload-single-sarif-code-scanning` step
+        if: contains(matrix.analysis-kinds, 'code-scanning') &&
+          !(fromJSON(steps.upload-single-sarif-code-scanning.outputs.sarif-ids).code-scanning)
+        run: exit 1
+      - name: Upload single SARIF file for Code Quality
+        uses: ./../action/upload-sarif
+        id: upload-single-sarif-code-quality
+        if: contains(matrix.analysis-kinds, 'code-quality')
+        with:
+          ref: refs/heads/main
+          sha: 5e235361806c361d4d3f8859e3c897658025a9a2
+          sarif_file: ${{ runner.temp }}/results/javascript.quality.sarif
+          category: |
+            ${{ github.workflow }}:upload-sarif/analysis-kinds:${{ matrix.analysis-kinds }}/os:${{ matrix.os }}/version:${{ matrix.version }}/test:single-code-quality/
+      - name: Fail for missing output from `upload-single-sarif-code-quality` step
+        if: contains(matrix.analysis-kinds, 'code-quality') &&
+          !(fromJSON(steps.upload-single-sarif-code-quality.outputs.sarif-ids).code-quality)
+        run: exit 1
+
+      - name: Change SARIF file extension
+        if: contains(matrix.analysis-kinds, 'code-scanning')
+        run: mv ${{ runner.temp }}/results/javascript.sarif ${{ runner.temp }}/results/javascript.sarif.json
+      - name: Upload single non-`.sarif` file
+        uses: ./../action/upload-sarif
+        id: upload-single-non-sarif
+        if: contains(matrix.analysis-kinds, 'code-scanning')
+        with:
+          ref: refs/heads/main
+          sha: 5e235361806c361d4d3f8859e3c897658025a9a2
+          sarif_file: ${{ runner.temp }}/results/javascript.sarif.json
+          category: |
+            ${{ github.workflow }}:upload-sarif/analysis-kinds:${{ matrix.analysis-kinds }}/os:${{ matrix.os }}/version:${{ matrix.version }}/test:non-sarif/
+      - name: Fail for missing output from `upload-single-non-sarif` step
+        if: contains(matrix.analysis-kinds, 'code-scanning') && !(fromJSON(steps.upload-single-non-sarif.outputs.sarif-ids).code-scanning)
+        run: exit 1
+    env:
+      CODEQL_ACTION_TEST_MODE: true
@@ -27,6 +27,11 @@ on:
        description: The version of Go to install
        required: false
        default: '>=1.21.0'
+      python-version:
+        type: string
+        description: The version of Python to install
+        required: false
+        default: '3.13'
  workflow_call:
    inputs:
      go-version:
@@ -34,6 +39,11 @@ on:
        description: The version of Go to install
        required: false
        default: '>=1.21.0'
+      python-version:
+        type: string
+        description: The version of Python to install
+        required: false
+        default: '3.13'
 defaults:
  run:
    shell: bash
@@ -70,6 +80,11 @@ jobs:
        with:
          go-version: ${{ inputs.go-version || '>=1.21.0' }}
          cache: false
+      - name: Install Python
+        if: matrix.version != 'nightly-latest'
+        uses: actions/setup-python@v6
+        with:
+          python-version: ${{ inputs.python-version || '3.13' }}
      - name: Delete original checkout
        run: |
          # delete the original checkout so we don't accidentally use it.
@@ -103,29 +118,30 @@ jobs:

      - name: Verify SARIF after upload
        run: |
+          PAYLOAD_FILE="$RUNNER_TEMP/payload-code-scanning.json"
          EXPECTED_COMMIT_OID="474bbf07f9247ffe1856c6a0f94aeeb10e7afee6"
          EXPECTED_REF="v1.1.0"
          EXPECTED_CHECKOUT_URI_SUFFIX="/x/y/z/some-path/tests/multi-language-repo"

-          ACTUAL_COMMIT_OID="$(cat "$RUNNER_TEMP/payload.json" | jq -r .commit_oid)"
-          ACTUAL_REF="$(cat "$RUNNER_TEMP/payload.json" | jq -r .ref)"
-          ACTUAL_CHECKOUT_URI="$(cat "$RUNNER_TEMP/payload.json" | jq -r .checkout_uri)"
+          ACTUAL_COMMIT_OID="$(cat "$PAYLOAD_FILE" | jq -r .commit_oid)"
+          ACTUAL_REF="$(cat "$PAYLOAD_FILE" | jq -r .ref)"
+          ACTUAL_CHECKOUT_URI="$(cat "$PAYLOAD_FILE" | jq -r .checkout_uri)"

          if [[ "$EXPECTED_COMMIT_OID" != "$ACTUAL_COMMIT_OID" ]]; then
            echo "::error Invalid commit oid. Expected: $EXPECTED_COMMIT_OID Actual: $ACTUAL_COMMIT_OID"
-            echo "$RUNNER_TEMP/payload.json"
+            echo "$PAYLOAD_FILE"
            exit 1
          fi

          if [[ "$EXPECTED_REF" != "$ACTUAL_REF" ]]; then
            echo "::error Invalid ref. Expected: '$EXPECTED_REF' Actual: '$ACTUAL_REF'"
-            echo "$RUNNER_TEMP/payload.json"
+            echo "$PAYLOAD_FILE"
            exit 1
          fi

          if [[ "$ACTUAL_CHECKOUT_URI" != *$EXPECTED_CHECKOUT_URI_SUFFIX ]]; then
            echo "::error Invalid checkout URI suffix. Expected suffix: $EXPECTED_CHECKOUT_URI_SUFFIX Actual uri: $ACTUAL_CHECKOUT_URI"
-            echo "$RUNNER_TEMP/payload.json"
+            echo "$PAYLOAD_FILE"
            exit 1
          fi
    env:
@@ -146,6 +146,7 @@ jobs:
          private-key: ${{ secrets.AUTOMATION_PRIVATE_KEY }}

      - name: Create the GitHub release
+        if: steps.check.outputs.exists != 'true'
        env:
          PARTIAL_CHANGELOG: "${{ runner.temp }}/partial_changelog.md"
          VERSION: "${{ steps.getVersion.outputs.version }}"
@@ -73,7 +73,7 @@ jobs:
        run: npm run lint-ci

      - name: Upload sarif
-        uses: github/codeql-action/upload-sarif@v3
+        uses: github/codeql-action/upload-sarif@v4
        if: matrix.os == 'ubuntu-latest' && matrix.node-version == 24
        with:
          sarif_file: eslint.sarif
@@ -2,10 +2,19 @@

 See the [releases page](https://github.com/github/codeql-action/releases) for the relevant changes to the CodeQL CLI and language packs.

-## 3.30.7 - 06 Oct 2025
+## 4.30.9 - 17 Oct 2025
+
+- Update default CodeQL bundle version to 2.23.3. [#3205](https://github.com/github/codeql-action/pull/3205)
+- Experimental: A new `setup-codeql` action has been added which is similar to `init`, except it only installs the CodeQL CLI and does not initialize a database. Do not use this in production as it is part of an internal experiment and subject to change at any time. [#3204](https://github.com/github/codeql-action/pull/3204)
+
+## 4.30.8 - 10 Oct 2025

 No user facing changes.

+## 4.30.7 - 06 Oct 2025
+
+- [v4+ only] The CodeQL Action now runs on Node.js v24. [#3169](https://github.com/github/codeql-action/pull/3169)
+
 ## 3.30.6 - 02 Oct 2025

 - Update default CodeQL bundle version to 2.23.2. [#3168](https://github.com/github/codeql-action/pull/3168)
@@ -240,13 +249,17 @@ No user facing changes.
 ## 3.26.12 - 07 Oct 2024

 - _Upcoming breaking change_: Add a deprecation warning for customers using CodeQL version 2.14.5 and earlier. These versions of CodeQL were discontinued on 24 September 2024 alongside GitHub Enterprise Server 3.10, and will be unsupported by CodeQL Action versions 3.27.0 and later and versions 2.27.0 and later. [#2520](https://github.com/github/codeql-action/pull/2520)
+
  - If you are using one of these versions, please update to CodeQL CLI version 2.14.6 or later. For instance, if you have specified a custom version of the CLI using the 'tools' input to the 'init' Action, you can remove this input to use the default version.
+
  - Alternatively, if you want to continue using a version of the CodeQL CLI between 2.13.5 and 2.14.5, you can replace `github/codeql-action/*@v3` by `github/codeql-action/*@v3.26.11` and `github/codeql-action/*@v2` by `github/codeql-action/*@v2.26.11` in your code scanning workflow to ensure you continue using this version of the CodeQL Action.

 ## 3.26.11 - 03 Oct 2024

 - _Upcoming breaking change_: Add support for using `actions/download-artifact@v4` to programmatically consume CodeQL Action debug artifacts.
+
  Starting November 30, 2024, GitHub.com customers will [no longer be able to use `actions/download-artifact@v3`](https://github.blog/changelog/2024-04-16-deprecation-notice-v3-of-the-artifact-actions/). Therefore, to avoid breakage, customers who programmatically download the CodeQL Action debug artifacts should set the `CODEQL_ACTION_ARTIFACT_V4_UPGRADE` environment variable to `true` and bump `actions/download-artifact@v3` to `actions/download-artifact@v4` in their workflows. The CodeQL Action will enable this behavior by default in early November and workflows that have not yet bumped `actions/download-artifact@v3` to `actions/download-artifact@v4` will begin failing then.
+
  This change is currently unavailable for GitHub Enterprise Server customers, as `actions/upload-artifact@v4` and `actions/download-artifact@v4` are not yet compatible with GHES.
 - Update default CodeQL bundle version to 2.19.1. [#2519](https://github.com/github/codeql-action/pull/2519)

@@ -369,9 +382,12 @@ No user facing changes.
 ## 3.25.0 - 15 Apr 2024

 - The deprecated feature for extracting dependencies for a Python analysis has been removed. [#2224](https://github.com/github/codeql-action/pull/2224)
+
  As a result, the following inputs and environment variables are now ignored:
+
  - The `setup-python-dependencies` input to the `init` Action
  - The `CODEQL_ACTION_DISABLE_PYTHON_DEPENDENCY_INSTALLATION` environment variable
+
  We recommend removing any references to these from your workflows. For more information, see the release notes for CodeQL Action v3.23.0 and v2.23.0.
 - Automatically overwrite an existing database if found on the filesystem. [#2229](https://github.com/github/codeql-action/pull/2229)
 - Bump the minimum CodeQL bundle version to 2.12.6. [#2232](https://github.com/github/codeql-action/pull/2232)
@@ -34,6 +34,7 @@ Actions with special purposes and unlikely to be used directly:
 - `autobuild`: Attempts to automatically build the code. Only used for analyzing languages that require a build. Use the `build-mode: autobuild` input in the `init` action instead. For information about input parameters, see the [autobuild action definition](https://github.com/github/codeql-action/blob/main/autobuild/action.yml).
 - `resolve-environment`: [Experimental] Attempts to infer a build environment suitable for automatic builds. For information about input parameters, see the [resolve-environment action definition](https://github.com/github/codeql-action/blob/main/resolve-environment/action.yml).
 - `start-proxy`: [Experimental] Start the HTTP proxy server. Internal use only and will change without notice. For information about input parameters, see the [start-proxy action definition](https://github.com/github/codeql-action/blob/main/start-proxy/action.yml).
+- `setup-codeql`: [Experimental] Similar to `init`, except it only installs the CodeQL CLI and does not initialize a database.

 ### Workflow Permissions

@@ -92,6 +92,6 @@ outputs:
  sarif-id:
    description: The ID of the uploaded SARIF file.
 runs:
-  using: node20
+  using: node24
  main: "../lib/analyze-action.js"
  post: "../lib/analyze-action-post.js"
@@ -15,5 +15,5 @@ inputs:
      $GITHUB_WORKSPACE as its working directory.
    required: false
 runs:
-  using: node20
+  using: node24
  main: '../lib/autobuild-action.js'
@@ -165,6 +165,6 @@ outputs:
  codeql-version:
    description: The version of the CodeQL binary used for analysis
 runs:
-  using: node20
+  using: node24
  main: '../lib/init-action.js'
  post: '../lib/init-action-post.js'
@@ -24680,6 +24680,9 @@ var require_identifiers = __commonJS({
    "use strict";
    var numeric = /^[0-9]+$/;
    var compareIdentifiers = (a, b) => {
+      if (typeof a === "number" && typeof b === "number") {
+        return a === b ? 0 : a < b ? -1 : 1;
+      }
      const anum = numeric.test(a);
      const bnum = numeric.test(b);
      if (anum && bnum) {
@@ -24786,7 +24789,25 @@ var require_semver = __commonJS({
        if (!(other instanceof _SemVer)) {
          other = new _SemVer(other, this.options);
        }
-        return compareIdentifiers(this.major, other.major) || compareIdentifiers(this.minor, other.minor) || compareIdentifiers(this.patch, other.patch);
+        if (this.major < other.major) {
+          return -1;
+        }
+        if (this.major > other.major) {
+          return 1;
+        }
+        if (this.minor < other.minor) {
+          return -1;
+        }
+        if (this.minor > other.minor) {
+          return 1;
+        }
+        if (this.patch < other.patch) {
+          return -1;
+        }
+        if (this.patch > other.patch) {
+          return 1;
+        }
+        return 0;
      }
      comparePre(other) {
        if (!(other instanceof _SemVer)) {
@@ -25121,8 +25142,8 @@ var require_compare = __commonJS({
  "node_modules/semver/functions/compare.js"(exports2, module2) {
    "use strict";
    var SemVer = require_semver();
-    var compare = (a, b, loose) => new SemVer(a, loose).compare(new SemVer(b, loose));
-    module2.exports = compare;
+    var compare2 = (a, b, loose) => new SemVer(a, loose).compare(new SemVer(b, loose));
+    module2.exports = compare2;
  }
 });

@@ -25130,8 +25151,8 @@ var require_compare = __commonJS({
 var require_rcompare = __commonJS({
  "node_modules/semver/functions/rcompare.js"(exports2, module2) {
    "use strict";
-    var compare = require_compare();
-    var rcompare = (a, b, loose) => compare(b, a, loose);
+    var compare2 = require_compare();
+    var rcompare = (a, b, loose) => compare2(b, a, loose);
    module2.exports = rcompare;
  }
 });
@@ -25140,8 +25161,8 @@ var require_rcompare = __commonJS({
 var require_compare_loose = __commonJS({
  "node_modules/semver/functions/compare-loose.js"(exports2, module2) {
    "use strict";
-    var compare = require_compare();
-    var compareLoose = (a, b) => compare(a, b, true);
+    var compare2 = require_compare();
+    var compareLoose = (a, b) => compare2(a, b, true);
    module2.exports = compareLoose;
  }
 });
@@ -25184,8 +25205,8 @@ var require_rsort = __commonJS({
 var require_gt = __commonJS({
  "node_modules/semver/functions/gt.js"(exports2, module2) {
    "use strict";
-    var compare = require_compare();
-    var gt = (a, b, loose) => compare(a, b, loose) > 0;
+    var compare2 = require_compare();
+    var gt = (a, b, loose) => compare2(a, b, loose) > 0;
    module2.exports = gt;
  }
 });
@@ -25194,8 +25215,8 @@ var require_gt = __commonJS({
 var require_lt = __commonJS({
  "node_modules/semver/functions/lt.js"(exports2, module2) {
    "use strict";
-    var compare = require_compare();
-    var lt = (a, b, loose) => compare(a, b, loose) < 0;
+    var compare2 = require_compare();
+    var lt = (a, b, loose) => compare2(a, b, loose) < 0;
    module2.exports = lt;
  }
 });
@@ -25204,8 +25225,8 @@ var require_lt = __commonJS({
 var require_eq = __commonJS({
  "node_modules/semver/functions/eq.js"(exports2, module2) {
    "use strict";
-    var compare = require_compare();
-    var eq = (a, b, loose) => compare(a, b, loose) === 0;
+    var compare2 = require_compare();
+    var eq = (a, b, loose) => compare2(a, b, loose) === 0;
    module2.exports = eq;
  }
 });
@@ -25214,8 +25235,8 @@ var require_eq = __commonJS({
 var require_neq = __commonJS({
  "node_modules/semver/functions/neq.js"(exports2, module2) {
    "use strict";
-    var compare = require_compare();
-    var neq = (a, b, loose) => compare(a, b, loose) !== 0;
+    var compare2 = require_compare();
+    var neq = (a, b, loose) => compare2(a, b, loose) !== 0;
    module2.exports = neq;
  }
 });
@@ -25224,8 +25245,8 @@ var require_neq = __commonJS({
 var require_gte = __commonJS({
  "node_modules/semver/functions/gte.js"(exports2, module2) {
    "use strict";
-    var compare = require_compare();
-    var gte5 = (a, b, loose) => compare(a, b, loose) >= 0;
+    var compare2 = require_compare();
+    var gte5 = (a, b, loose) => compare2(a, b, loose) >= 0;
    module2.exports = gte5;
  }
 });
@@ -25234,8 +25255,8 @@ var require_gte = __commonJS({
 var require_lte = __commonJS({
  "node_modules/semver/functions/lte.js"(exports2, module2) {
    "use strict";
-    var compare = require_compare();
-    var lte = (a, b, loose) => compare(a, b, loose) <= 0;
+    var compare2 = require_compare();
+    var lte = (a, b, loose) => compare2(a, b, loose) <= 0;
    module2.exports = lte;
  }
 });
@@ -25547,6 +25568,7 @@ var require_range = __commonJS({
      return result;
    };
    var parseComparator = (comp, options) => {
+      comp = comp.replace(re[t.BUILD], "");
      debug2("comp", comp, options);
      comp = replaceCarets(comp, options);
      debug2("caret", comp);
@@ -26131,12 +26153,12 @@ var require_simplify = __commonJS({
  "node_modules/semver/ranges/simplify.js"(exports2, module2) {
    "use strict";
    var satisfies2 = require_satisfies();
-    var compare = require_compare();
+    var compare2 = require_compare();
    module2.exports = (versions, range, options) => {
      const set2 = [];
      let first = null;
      let prev = null;
-      const v = versions.sort((a, b) => compare(a, b, options));
+      const v = versions.sort((a, b) => compare2(a, b, options));
      for (const version of v) {
        const included = satisfies2(version, range, options);
        if (included) {
@@ -26184,7 +26206,7 @@ var require_subset = __commonJS({
    var Comparator = require_comparator();
    var { ANY } = Comparator;
    var satisfies2 = require_satisfies();
-    var compare = require_compare();
+    var compare2 = require_compare();
    var subset = (sub, dom, options = {}) => {
      if (sub === dom) {
        return true;
@@ -26244,7 +26266,7 @@ var require_subset = __commonJS({
      }
      let gtltComp;
      if (gt && lt) {
-        gtltComp = compare(gt.semver, lt.semver, options);
+        gtltComp = compare2(gt.semver, lt.semver, options);
        if (gtltComp > 0) {
          return null;
        } else if (gtltComp === 0 && (gt.operator !== ">=" || lt.operator !== "<=")) {
@@ -26324,14 +26346,14 @@ var require_subset = __commonJS({
      if (!a) {
        return b;
      }
-      const comp = compare(a.semver, b.semver, options);
+      const comp = compare2(a.semver, b.semver, options);
      return comp > 0 ? a : comp < 0 ? b : b.operator === ">" && a.operator === ">=" ? b : a;
    };
    var lowerLT = (a, b, options) => {
      if (!a) {
        return b;
      }
-      const comp = compare(a.semver, b.semver, options);
+      const comp = compare2(a.semver, b.semver, options);
      return comp < 0 ? a : comp > 0 ? b : b.operator === "<" && a.operator === "<=" ? b : a;
    };
    module2.exports = subset;
@@ -26355,7 +26377,7 @@ var require_semver2 = __commonJS({
    var minor = require_minor();
    var patch = require_patch();
    var prerelease = require_prerelease();
-    var compare = require_compare();
+    var compare2 = require_compare();
    var rcompare = require_rcompare();
    var compareLoose = require_compare_loose();
    var compareBuild = require_compare_build();
@@ -26393,7 +26415,7 @@ var require_semver2 = __commonJS({
      minor,
      patch,
      prerelease,
-      compare,
+      compare: compare2,
      rcompare,
      compareLoose,
      compareBuild,
@@ -26438,7 +26460,7 @@ var require_package = __commonJS({
  "package.json"(exports2, module2) {
    module2.exports = {
      name: "codeql",
-      version: "3.30.7",
+      version: "4.30.9",
      private: true,
      description: "CodeQL action",
      scripts: {
@@ -26473,6 +26495,7 @@ var require_package = __commonJS({
        "@actions/io": "^1.1.3",
        "@actions/tool-cache": "^2.0.2",
        "@octokit/plugin-retry": "^6.0.0",
+        "@octokit/request-error": "^7.0.1",
        "@schemastore/package": "0.0.10",
        archiver: "^7.0.1",
        "check-disk-space": "^3.4.0",
@@ -26486,14 +26509,14 @@ var require_package = __commonJS({
        long: "^5.3.2",
        "node-forge": "^1.3.1",
        octokit: "^5.0.3",
-        semver: "^7.7.2",
+        semver: "^7.7.3",
        uuid: "^13.0.0"
      },
      devDependencies: {
        "@ava/typescript": "6.0.0",
        "@eslint/compat": "^1.4.0",
        "@eslint/eslintrc": "^3.3.1",
-        "@eslint/js": "^9.36.0",
+        "@eslint/js": "^9.37.0",
        "@microsoft/eslint-formatter-sarif": "^3.1.0",
        "@octokit/types": "^15.0.0",
        "@types/archiver": "^6.0.3",
@@ -26504,7 +26527,7 @@ var require_package = __commonJS({
        "@types/node-forge": "^1.3.14",
        "@types/semver": "^7.7.1",
        "@types/sinon": "^17.0.4",
-        "@typescript-eslint/eslint-plugin": "^8.44.1",
+        "@typescript-eslint/eslint-plugin": "^8.46.0",
        "@typescript-eslint/parser": "^8.41.0",
        ava: "^6.4.1",
        esbuild: "^0.25.10",
@@ -26517,7 +26540,7 @@ var require_package = __commonJS({
        glob: "^11.0.3",
        nock: "^14.0.10",
        sinon: "^21.0.0",
-        typescript: "^5.9.2"
+        typescript: "^5.9.3"
      },
      overrides: {
        "@actions/tool-cache": {
@@ -30261,13 +30284,13 @@ var require_semver3 = __commonJS({
    function patch(a, loose) {
      return new SemVer(a, loose).patch;
    }
-    exports2.compare = compare;
-    function compare(a, b, loose) {
+    exports2.compare = compare2;
+    function compare2(a, b, loose) {
      return new SemVer(a, loose).compare(new SemVer(b, loose));
    }
    exports2.compareLoose = compareLoose;
    function compareLoose(a, b) {
-      return compare(a, b, true);
+      return compare2(a, b, true);
    }
    exports2.compareBuild = compareBuild;
    function compareBuild(a, b, loose) {
@@ -30277,7 +30300,7 @@ var require_semver3 = __commonJS({
    }
    exports2.rcompare = rcompare;
    function rcompare(a, b, loose) {
-      return compare(b, a, loose);
+      return compare2(b, a, loose);
    }
    exports2.sort = sort;
    function sort(list, loose) {
@@ -30293,27 +30316,27 @@ var require_semver3 = __commonJS({
    }
    exports2.gt = gt;
    function gt(a, b, loose) {
-      return compare(a, b, loose) > 0;
+      return compare2(a, b, loose) > 0;
    }
    exports2.lt = lt;
    function lt(a, b, loose) {
-      return compare(a, b, loose) < 0;
+      return compare2(a, b, loose) < 0;
    }
    exports2.eq = eq;
    function eq(a, b, loose) {
-      return compare(a, b, loose) === 0;
+      return compare2(a, b, loose) === 0;
    }
    exports2.neq = neq;
    function neq(a, b, loose) {
-      return compare(a, b, loose) !== 0;
+      return compare2(a, b, loose) !== 0;
    }
    exports2.gte = gte5;
    function gte5(a, b, loose) {
-      return compare(a, b, loose) >= 0;
+      return compare2(a, b, loose) >= 0;
    }
    exports2.lte = lte;
    function lte(a, b, loose) {
-      return compare(a, b, loose) <= 0;
+      return compare2(a, b, loose) <= 0;
    }
    exports2.cmp = cmp;
    function cmp(a, op, b, loose) {
@@ -95823,8 +95846,8 @@ var require_commonjs16 = __commonJS({
        if (rootPath === this.root.name) {
          return this.root;
        }
-        for (const [compare, root] of Object.entries(this.roots)) {
-          if (this.sameRoot(rootPath, compare)) {
+        for (const [compare2, root] of Object.entries(this.roots)) {
+          if (this.sameRoot(rootPath, compare2)) {
            return this.roots[rootPath] = root;
          }
        }
@@ -95833,9 +95856,9 @@ var require_commonjs16 = __commonJS({
      /**
       * @internal
       */
-      sameRoot(rootPath, compare = this.root.name) {
+      sameRoot(rootPath, compare2 = this.root.name) {
        rootPath = rootPath.toUpperCase().replace(/\//g, "\\").replace(uncDriveRegexp, "$1\\");
-        return rootPath === compare;
+        return rootPath === compare2;
      }
    };
    exports2.PathWin32 = PathWin32;
@@ -99854,7 +99877,7 @@ var require_b4a = __commonJS({
    function byteLength(string, encoding) {
      return Buffer.byteLength(string, encoding);
    }
-    function compare(a, b) {
+    function compare2(a, b) {
      return Buffer.compare(a, b);
    }
    function concat(buffers, totalLength) {
@@ -99955,7 +99978,7 @@ var require_b4a = __commonJS({
      allocUnsafe,
      allocUnsafeSlow,
      byteLength,
-      compare,
+      compare: compare2,
      concat,
      copy,
      equals,
@@ -117805,6 +117828,11 @@ function isSafeArtifactUpload(codeQlVersion) {

 // src/feature-flags.ts
 var featureConfig = {
+  ["allow_toolcache_input" /* AllowToolcacheInput */]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_ALLOW_TOOLCACHE_INPUT",
+    minimumVersion: void 0
+  },
  ["cleanup_trap_caches" /* CleanupTrapCaches */]: {
    defaultValue: false,
    envVar: "CODEQL_ACTION_CLEANUP_TRAP_CACHES",
@@ -20602,14 +20602,14 @@ var require_dist_node4 = __commonJS({
    var __toCommonJS2 = (mod) => __copyProps2(__defProp2({}, "__esModule", { value: true }), mod);
    var dist_src_exports = {};
    __export2(dist_src_exports, {
-      RequestError: () => RequestError
+      RequestError: () => RequestError2
    });
    module2.exports = __toCommonJS2(dist_src_exports);
    var import_deprecation = require_dist_node3();
    var import_once = __toESM2(require_once());
    var logOnceCode = (0, import_once.default)((deprecation) => console.warn(deprecation));
    var logOnceHeaders = (0, import_once.default)((deprecation) => console.warn(deprecation));
-    var RequestError = class extends Error {
+    var RequestError2 = class extends Error {
      constructor(message, statusCode, options) {
        super(message);
        if (Error.captureStackTrace) {
@@ -20701,7 +20701,7 @@ var require_dist_node5 = __commonJS({
      const Ctor = Object.prototype.hasOwnProperty.call(proto, "constructor") && proto.constructor;
      return typeof Ctor === "function" && Ctor instanceof Ctor && Function.prototype.call(Ctor) === Function.prototype.call(value);
    }
-    var import_request_error = require_dist_node4();
+    var import_request_error2 = require_dist_node4();
    function getBufferResponse(response) {
      return response.arrayBuffer();
    }
@@ -20753,7 +20753,7 @@ var require_dist_node5 = __commonJS({
          if (status < 400) {
            return;
          }
-          throw new import_request_error.RequestError(response.statusText, status, {
+          throw new import_request_error2.RequestError(response.statusText, status, {
            response: {
              url: url2,
              status,
@@ -20764,7 +20764,7 @@ var require_dist_node5 = __commonJS({
          });
        }
        if (status === 304) {
-          throw new import_request_error.RequestError("Not modified", status, {
+          throw new import_request_error2.RequestError("Not modified", status, {
            response: {
              url: url2,
              status,
@@ -20776,7 +20776,7 @@ var require_dist_node5 = __commonJS({
        }
        if (status >= 400) {
          const data = await getResponseData(response);
-          const error2 = new import_request_error.RequestError(toErrorMessage(data), status, {
+          const error2 = new import_request_error2.RequestError(toErrorMessage(data), status, {
            response: {
              url: url2,
              status,
@@ -20796,7 +20796,7 @@ var require_dist_node5 = __commonJS({
          data
        };
      }).catch((error2) => {
-        if (error2 instanceof import_request_error.RequestError)
+        if (error2 instanceof import_request_error2.RequestError)
          throw error2;
        else if (error2.name === "AbortError")
          throw error2;
@@ -20808,7 +20808,7 @@ var require_dist_node5 = __commonJS({
            message = error2.cause;
          }
        }
-        throw new import_request_error.RequestError(message, 500, {
+        throw new import_request_error2.RequestError(message, 500, {
          request: requestOptions
        });
      });
@@ -21250,14 +21250,14 @@ var require_dist_node7 = __commonJS({
    var __toCommonJS2 = (mod) => __copyProps2(__defProp2({}, "__esModule", { value: true }), mod);
    var dist_src_exports = {};
    __export2(dist_src_exports, {
-      RequestError: () => RequestError
+      RequestError: () => RequestError2
    });
    module2.exports = __toCommonJS2(dist_src_exports);
    var import_deprecation = require_dist_node3();
    var import_once = __toESM2(require_once());
    var logOnceCode = (0, import_once.default)((deprecation) => console.warn(deprecation));
    var logOnceHeaders = (0, import_once.default)((deprecation) => console.warn(deprecation));
-    var RequestError = class extends Error {
+    var RequestError2 = class extends Error {
      constructor(message, statusCode, options) {
        super(message);
        if (Error.captureStackTrace) {
@@ -21349,7 +21349,7 @@ var require_dist_node8 = __commonJS({
      const Ctor = Object.prototype.hasOwnProperty.call(proto, "constructor") && proto.constructor;
      return typeof Ctor === "function" && Ctor instanceof Ctor && Function.prototype.call(Ctor) === Function.prototype.call(value);
    }
-    var import_request_error = require_dist_node7();
+    var import_request_error2 = require_dist_node7();
    function getBufferResponse(response) {
      return response.arrayBuffer();
    }
@@ -21401,7 +21401,7 @@ var require_dist_node8 = __commonJS({
          if (status < 400) {
            return;
          }
-          throw new import_request_error.RequestError(response.statusText, status, {
+          throw new import_request_error2.RequestError(response.statusText, status, {
            response: {
              url: url2,
              status,
@@ -21412,7 +21412,7 @@ var require_dist_node8 = __commonJS({
          });
        }
        if (status === 304) {
-          throw new import_request_error.RequestError("Not modified", status, {
+          throw new import_request_error2.RequestError("Not modified", status, {
            response: {
              url: url2,
              status,
@@ -21424,7 +21424,7 @@ var require_dist_node8 = __commonJS({
        }
        if (status >= 400) {
          const data = await getResponseData(response);
-          const error2 = new import_request_error.RequestError(toErrorMessage(data), status, {
+          const error2 = new import_request_error2.RequestError(toErrorMessage(data), status, {
            response: {
              url: url2,
              status,
@@ -21444,7 +21444,7 @@ var require_dist_node8 = __commonJS({
          data
        };
      }).catch((error2) => {
-        if (error2 instanceof import_request_error.RequestError)
+        if (error2 instanceof import_request_error2.RequestError)
          throw error2;
        else if (error2.name === "AbortError")
          throw error2;
@@ -21456,7 +21456,7 @@ var require_dist_node8 = __commonJS({
            message = error2.cause;
          }
        }
-        throw new import_request_error.RequestError(message, 500, {
+        throw new import_request_error2.RequestError(message, 500, {
          request: requestOptions
        });
      });
@@ -25039,7 +25039,7 @@ var require_to_regex_range = __commonJS({
        stop = countZeros(max + 1, zeros) - 1;
      }
      stops = [...stops];
-      stops.sort(compare2);
+      stops.sort(compare3);
      return stops;
    }
    function rangeToPattern(start, stop, options) {
@@ -25111,7 +25111,7 @@ var require_to_regex_range = __commonJS({
      for (let i = 0; i < a.length; i++) arr.push([a[i], b[i]]);
      return arr;
    }
-    function compare2(a, b) {
+    function compare3(a, b) {
      return a > b ? 1 : b > a ? -1 : 0;
    }
    function contains(arr, key, val2) {
@@ -30529,6 +30529,9 @@ var require_identifiers = __commonJS({
    "use strict";
    var numeric = /^[0-9]+$/;
    var compareIdentifiers = (a, b) => {
+      if (typeof a === "number" && typeof b === "number") {
+        return a === b ? 0 : a < b ? -1 : 1;
+      }
      const anum = numeric.test(a);
      const bnum = numeric.test(b);
      if (anum && bnum) {
@@ -30635,7 +30638,25 @@ var require_semver = __commonJS({
        if (!(other instanceof _SemVer)) {
          other = new _SemVer(other, this.options);
        }
-        return compareIdentifiers(this.major, other.major) || compareIdentifiers(this.minor, other.minor) || compareIdentifiers(this.patch, other.patch);
+        if (this.major < other.major) {
+          return -1;
+        }
+        if (this.major > other.major) {
+          return 1;
+        }
+        if (this.minor < other.minor) {
+          return -1;
+        }
+        if (this.minor > other.minor) {
+          return 1;
+        }
+        if (this.patch < other.patch) {
+          return -1;
+        }
+        if (this.patch > other.patch) {
+          return 1;
+        }
+        return 0;
      }
      comparePre(other) {
        if (!(other instanceof _SemVer)) {
@@ -30970,8 +30991,8 @@ var require_compare = __commonJS({
  "node_modules/semver/functions/compare.js"(exports2, module2) {
    "use strict";
    var SemVer = require_semver();
-    var compare2 = (a, b, loose) => new SemVer(a, loose).compare(new SemVer(b, loose));
-    module2.exports = compare2;
+    var compare3 = (a, b, loose) => new SemVer(a, loose).compare(new SemVer(b, loose));
+    module2.exports = compare3;
  }
 });

@@ -30979,8 +31000,8 @@ var require_compare = __commonJS({
 var require_rcompare = __commonJS({
  "node_modules/semver/functions/rcompare.js"(exports2, module2) {
    "use strict";
-    var compare2 = require_compare();
-    var rcompare = (a, b, loose) => compare2(b, a, loose);
+    var compare3 = require_compare();
+    var rcompare = (a, b, loose) => compare3(b, a, loose);
    module2.exports = rcompare;
  }
 });
@@ -30989,8 +31010,8 @@ var require_rcompare = __commonJS({
 var require_compare_loose = __commonJS({
  "node_modules/semver/functions/compare-loose.js"(exports2, module2) {
    "use strict";
-    var compare2 = require_compare();
-    var compareLoose = (a, b) => compare2(a, b, true);
+    var compare3 = require_compare();
+    var compareLoose = (a, b) => compare3(a, b, true);
    module2.exports = compareLoose;
  }
 });
@@ -31033,8 +31054,8 @@ var require_rsort = __commonJS({
 var require_gt = __commonJS({
  "node_modules/semver/functions/gt.js"(exports2, module2) {
    "use strict";
-    var compare2 = require_compare();
-    var gt = (a, b, loose) => compare2(a, b, loose) > 0;
+    var compare3 = require_compare();
+    var gt = (a, b, loose) => compare3(a, b, loose) > 0;
    module2.exports = gt;
  }
 });
@@ -31043,8 +31064,8 @@ var require_gt = __commonJS({
 var require_lt = __commonJS({
  "node_modules/semver/functions/lt.js"(exports2, module2) {
    "use strict";
-    var compare2 = require_compare();
-    var lt = (a, b, loose) => compare2(a, b, loose) < 0;
+    var compare3 = require_compare();
+    var lt = (a, b, loose) => compare3(a, b, loose) < 0;
    module2.exports = lt;
  }
 });
@@ -31053,8 +31074,8 @@ var require_lt = __commonJS({
 var require_eq = __commonJS({
  "node_modules/semver/functions/eq.js"(exports2, module2) {
    "use strict";
-    var compare2 = require_compare();
-    var eq = (a, b, loose) => compare2(a, b, loose) === 0;
+    var compare3 = require_compare();
+    var eq = (a, b, loose) => compare3(a, b, loose) === 0;
    module2.exports = eq;
  }
 });
@@ -31063,8 +31084,8 @@ var require_eq = __commonJS({
 var require_neq = __commonJS({
  "node_modules/semver/functions/neq.js"(exports2, module2) {
    "use strict";
-    var compare2 = require_compare();
-    var neq = (a, b, loose) => compare2(a, b, loose) !== 0;
+    var compare3 = require_compare();
+    var neq = (a, b, loose) => compare3(a, b, loose) !== 0;
    module2.exports = neq;
  }
 });
@@ -31073,8 +31094,8 @@ var require_neq = __commonJS({
 var require_gte = __commonJS({
  "node_modules/semver/functions/gte.js"(exports2, module2) {
    "use strict";
-    var compare2 = require_compare();
-    var gte5 = (a, b, loose) => compare2(a, b, loose) >= 0;
+    var compare3 = require_compare();
+    var gte5 = (a, b, loose) => compare3(a, b, loose) >= 0;
    module2.exports = gte5;
  }
 });
@@ -31083,8 +31104,8 @@ var require_gte = __commonJS({
 var require_lte = __commonJS({
  "node_modules/semver/functions/lte.js"(exports2, module2) {
    "use strict";
-    var compare2 = require_compare();
-    var lte = (a, b, loose) => compare2(a, b, loose) <= 0;
+    var compare3 = require_compare();
+    var lte = (a, b, loose) => compare3(a, b, loose) <= 0;
    module2.exports = lte;
  }
 });
@@ -31396,6 +31417,7 @@ var require_range = __commonJS({
      return result;
    };
    var parseComparator = (comp, options) => {
+      comp = comp.replace(re[t.BUILD], "");
      debug3("comp", comp, options);
      comp = replaceCarets(comp, options);
      debug3("caret", comp);
@@ -31980,12 +32002,12 @@ var require_simplify = __commonJS({
  "node_modules/semver/ranges/simplify.js"(exports2, module2) {
    "use strict";
    var satisfies2 = require_satisfies();
-    var compare2 = require_compare();
+    var compare3 = require_compare();
    module2.exports = (versions, range, options) => {
      const set2 = [];
      let first = null;
      let prev = null;
-      const v = versions.sort((a, b) => compare2(a, b, options));
+      const v = versions.sort((a, b) => compare3(a, b, options));
      for (const version of v) {
        const included = satisfies2(version, range, options);
        if (included) {
@@ -32033,7 +32055,7 @@ var require_subset = __commonJS({
    var Comparator = require_comparator();
    var { ANY } = Comparator;
    var satisfies2 = require_satisfies();
-    var compare2 = require_compare();
+    var compare3 = require_compare();
    var subset = (sub, dom, options = {}) => {
      if (sub === dom) {
        return true;
@@ -32093,7 +32115,7 @@ var require_subset = __commonJS({
      }
      let gtltComp;
      if (gt && lt) {
-        gtltComp = compare2(gt.semver, lt.semver, options);
+        gtltComp = compare3(gt.semver, lt.semver, options);
        if (gtltComp > 0) {
          return null;
        } else if (gtltComp === 0 && (gt.operator !== ">=" || lt.operator !== "<=")) {
@@ -32173,14 +32195,14 @@ var require_subset = __commonJS({
      if (!a) {
        return b;
      }
-      const comp = compare2(a.semver, b.semver, options);
+      const comp = compare3(a.semver, b.semver, options);
      return comp > 0 ? a : comp < 0 ? b : b.operator === ">" && a.operator === ">=" ? b : a;
    };
    var lowerLT = (a, b, options) => {
      if (!a) {
        return b;
      }
-      const comp = compare2(a.semver, b.semver, options);
+      const comp = compare3(a.semver, b.semver, options);
      return comp < 0 ? a : comp > 0 ? b : b.operator === "<" && a.operator === "<=" ? b : a;
    };
    module2.exports = subset;
@@ -32204,7 +32226,7 @@ var require_semver2 = __commonJS({
    var minor = require_minor();
    var patch = require_patch();
    var prerelease = require_prerelease();
-    var compare2 = require_compare();
+    var compare3 = require_compare();
    var rcompare = require_rcompare();
    var compareLoose = require_compare_loose();
    var compareBuild = require_compare_build();
@@ -32242,7 +32264,7 @@ var require_semver2 = __commonJS({
      minor,
      patch,
      prerelease,
-      compare: compare2,
+      compare: compare3,
      rcompare,
      compareLoose,
      compareBuild,
@@ -32287,7 +32309,7 @@ var require_package = __commonJS({
  "package.json"(exports2, module2) {
    module2.exports = {
      name: "codeql",
-      version: "3.30.7",
+      version: "4.30.9",
      private: true,
      description: "CodeQL action",
      scripts: {
@@ -32322,6 +32344,7 @@ var require_package = __commonJS({
        "@actions/io": "^1.1.3",
        "@actions/tool-cache": "^2.0.2",
        "@octokit/plugin-retry": "^6.0.0",
+        "@octokit/request-error": "^7.0.1",
        "@schemastore/package": "0.0.10",
        archiver: "^7.0.1",
        "check-disk-space": "^3.4.0",
@@ -32335,14 +32358,14 @@ var require_package = __commonJS({
        long: "^5.3.2",
        "node-forge": "^1.3.1",
        octokit: "^5.0.3",
-        semver: "^7.7.2",
+        semver: "^7.7.3",
        uuid: "^13.0.0"
      },
      devDependencies: {
        "@ava/typescript": "6.0.0",
        "@eslint/compat": "^1.4.0",
        "@eslint/eslintrc": "^3.3.1",
-        "@eslint/js": "^9.36.0",
+        "@eslint/js": "^9.37.0",
        "@microsoft/eslint-formatter-sarif": "^3.1.0",
        "@octokit/types": "^15.0.0",
        "@types/archiver": "^6.0.3",
@@ -32353,7 +32376,7 @@ var require_package = __commonJS({
        "@types/node-forge": "^1.3.14",
        "@types/semver": "^7.7.1",
        "@types/sinon": "^17.0.4",
-        "@typescript-eslint/eslint-plugin": "^8.44.1",
+        "@typescript-eslint/eslint-plugin": "^8.46.0",
        "@typescript-eslint/parser": "^8.41.0",
        ava: "^6.4.1",
        esbuild: "^0.25.10",
@@ -32366,7 +32389,7 @@ var require_package = __commonJS({
        glob: "^11.0.3",
        nock: "^14.0.10",
        sinon: "^21.0.0",
-        typescript: "^5.9.2"
+        typescript: "^5.9.3"
      },
      overrides: {
        "@actions/tool-cache": {
@@ -33745,14 +33768,14 @@ var require_dist_node14 = __commonJS({
    var __toCommonJS2 = (mod) => __copyProps2(__defProp2({}, "__esModule", { value: true }), mod);
    var dist_src_exports = {};
    __export2(dist_src_exports, {
-      RequestError: () => RequestError
+      RequestError: () => RequestError2
    });
    module2.exports = __toCommonJS2(dist_src_exports);
    var import_deprecation = require_dist_node3();
    var import_once = __toESM2(require_once());
    var logOnceCode = (0, import_once.default)((deprecation) => console.warn(deprecation));
    var logOnceHeaders = (0, import_once.default)((deprecation) => console.warn(deprecation));
-    var RequestError = class extends Error {
+    var RequestError2 = class extends Error {
      constructor(message, statusCode, options) {
        super(message);
        if (Error.captureStackTrace) {
@@ -33854,7 +33877,7 @@ var require_dist_node15 = __commonJS({
      throw error2;
    }
    var import_light = __toESM2(require_light());
-    var import_request_error = require_dist_node14();
+    var import_request_error2 = require_dist_node14();
    async function wrapRequest(state, octokit, request, options) {
      const limiter = new import_light.default();
      limiter.on("failed", function(error2, info4) {
@@ -33875,7 +33898,7 @@ var require_dist_node15 = __commonJS({
      if (response.data && response.data.errors && response.data.errors.length > 0 && /Something went wrong while executing your query/.test(
        response.data.errors[0].message
      )) {
-        const error2 = new import_request_error.RequestError(response.data.errors[0].message, 500, {
+        const error2 = new import_request_error2.RequestError(response.data.errors[0].message, 500, {
          request: options,
          response
        });
@@ -36110,13 +36133,13 @@ var require_semver3 = __commonJS({
    function patch(a, loose) {
      return new SemVer(a, loose).patch;
    }
-    exports2.compare = compare2;
-    function compare2(a, b, loose) {
+    exports2.compare = compare3;
+    function compare3(a, b, loose) {
      return new SemVer(a, loose).compare(new SemVer(b, loose));
    }
    exports2.compareLoose = compareLoose;
    function compareLoose(a, b) {
-      return compare2(a, b, true);
+      return compare3(a, b, true);
    }
    exports2.compareBuild = compareBuild;
    function compareBuild(a, b, loose) {
@@ -36126,7 +36149,7 @@ var require_semver3 = __commonJS({
    }
    exports2.rcompare = rcompare;
    function rcompare(a, b, loose) {
-      return compare2(b, a, loose);
+      return compare3(b, a, loose);
    }
    exports2.sort = sort;
    function sort(list, loose) {
@@ -36142,27 +36165,27 @@ var require_semver3 = __commonJS({
    }
    exports2.gt = gt;
    function gt(a, b, loose) {
-      return compare2(a, b, loose) > 0;
+      return compare3(a, b, loose) > 0;
    }
    exports2.lt = lt;
    function lt(a, b, loose) {
-      return compare2(a, b, loose) < 0;
+      return compare3(a, b, loose) < 0;
    }
    exports2.eq = eq;
    function eq(a, b, loose) {
-      return compare2(a, b, loose) === 0;
+      return compare3(a, b, loose) === 0;
    }
    exports2.neq = neq;
    function neq(a, b, loose) {
-      return compare2(a, b, loose) !== 0;
+      return compare3(a, b, loose) !== 0;
    }
    exports2.gte = gte5;
    function gte5(a, b, loose) {
-      return compare2(a, b, loose) >= 0;
+      return compare3(a, b, loose) >= 0;
    }
    exports2.lte = lte;
    function lte(a, b, loose) {
-      return compare2(a, b, loose) <= 0;
+      return compare3(a, b, loose) <= 0;
    }
    exports2.cmp = cmp;
    function cmp(a, op, b, loose) {
@@ -89773,6 +89796,9 @@ function isGoodVersion(versionSpec) {
 function isInTestMode() {
  return process.env["CODEQL_ACTION_TEST_MODE" /* TEST_MODE */] === "true";
 }
+function shouldSkipSarifUpload() {
+  return isInTestMode() || process.env["CODEQL_ACTION_SKIP_SARIF_UPLOAD" /* SKIP_SARIF_UPLOAD */] === "true";
+}
 function getTestingEnvironment() {
  const testingEnvironment = process.env["CODEQL_ACTION_TESTING_ENVIRONMENT" /* TESTING_ENVIRONMENT */] || "";
  if (testingEnvironment === "") {
@@ -90039,9 +90065,12 @@ function getWorkflowRunAttempt() {
 function isSelfHostedRunner() {
  return process.env.RUNNER_ENVIRONMENT === "self-hosted";
 }
-function isDefaultSetup() {
+function isDynamicWorkflow() {
  return getWorkflowEventName() === "dynamic";
 }
+function isDefaultSetup() {
+  return isDynamicWorkflow();
+}
 function prettyPrintInvocation(cmd, args) {
  return [cmd, ...args].map((x) => x.includes(" ") ? `'${x}'` : x).join(" ");
 }
@@ -90364,6 +90393,45 @@ var path14 = __toESM(require("path"));
 var core10 = __toESM(require_core());
 var toolrunner3 = __toESM(require_toolrunner());

+// node_modules/@octokit/request-error/dist-src/index.js
+var RequestError = class extends Error {
+  name;
+  /**
+   * http status code
+   */
+  status;
+  /**
+   * Request options that lead to the error.
+   */
+  request;
+  /**
+   * Response object if a response was received
+   */
+  response;
+  constructor(message, statusCode, options) {
+    super(message);
+    this.name = "HttpError";
+    this.status = Number.parseInt(statusCode);
+    if (Number.isNaN(this.status)) {
+      this.status = 0;
+    }
+    if ("response" in options) {
+      this.response = options.response;
+    }
+    const requestCopy = Object.assign({}, options.request);
+    if (options.request.headers.authorization) {
+      requestCopy.headers = Object.assign({}, options.request.headers, {
+        authorization: options.request.headers.authorization.replace(
+          /(?<! ) .*$/,
+          " [REDACTED]"
+        )
+      });
+    }
+    requestCopy.url = requestCopy.url.replace(/\bclient_secret=\w+/g, "client_secret=[REDACTED]").replace(/\baccess_token=\w+/g, "access_token=[REDACTED]");
+    this.request = requestCopy;
+  }
+};
+
 // src/cli-errors.ts
 var SUPPORTED_PLATFORMS = [
  ["linux", "x64"],
@@ -90636,8 +90704,8 @@ var path8 = __toESM(require("path"));
 var semver4 = __toESM(require_semver2());

 // src/defaults.json
-var bundleVersion = "codeql-bundle-v2.23.2";
-var cliVersion = "2.23.2";
+var bundleVersion = "codeql-bundle-v2.23.3";
+var cliVersion = "2.23.3";

 // src/overlay-database-utils.ts
 var crypto = __toESM(require("crypto"));
@@ -91049,6 +91117,11 @@ var DEFAULT_VERSION_FEATURE_FLAG_PREFIX = "default_codeql_version_";
 var DEFAULT_VERSION_FEATURE_FLAG_SUFFIX = "_enabled";
 var CODEQL_VERSION_ZSTD_BUNDLE = "2.19.0";
 var featureConfig = {
+  ["allow_toolcache_input" /* AllowToolcacheInput */]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_ALLOW_TOOLCACHE_INPUT",
+    minimumVersion: void 0
+  },
  ["cleanup_trap_caches" /* CleanupTrapCaches */]: {
    defaultValue: false,
    envVar: "CODEQL_ACTION_CLEANUP_TRAP_CACHES",
@@ -92111,6 +92184,7 @@ var CODEQL_NIGHTLIES_REPOSITORY_OWNER = "dsp-testing";
 var CODEQL_NIGHTLIES_REPOSITORY_NAME = "codeql-cli-nightlies";
 var CODEQL_BUNDLE_VERSION_ALIAS = ["linked", "latest"];
 var CODEQL_NIGHTLY_TOOLS_INPUTS = ["nightly", "nightly-latest"];
+var CODEQL_TOOLCACHE_INPUT = "toolcache";
 function getCodeQLBundleExtension(compressionMethod) {
  switch (compressionMethod) {
    case "gzip":
@@ -92252,7 +92326,7 @@ async function findOverridingToolsInCache(humanReadableVersion, logger) {
  }
  return void 0;
 }
-async function getCodeQLSource(toolsInput, defaultCliVersion, apiDetails, variant, tarSupportsZstd, logger) {
+async function getCodeQLSource(toolsInput, defaultCliVersion, apiDetails, variant, tarSupportsZstd, features, logger) {
  if (toolsInput && !isReservedToolsValue(toolsInput) && !toolsInput.startsWith("http")) {
    logger.info(`Using CodeQL CLI from local path ${toolsInput}`);
    const compressionMethod2 = inferCompressionMethod(toolsInput);
@@ -92289,6 +92363,40 @@ async function getCodeQLSource(toolsInput, defaultCliVersion, apiDetails, varian
        "`tools: latest` has been renamed to `tools: linked`, but the old name is still supported. No action is required."
      );
    }
+  } else if (toolsInput !== void 0 && toolsInput === CODEQL_TOOLCACHE_INPUT) {
+    let latestToolcacheVersion;
+    const allowToolcacheValueFF = await features.getValue(
+      "allow_toolcache_input" /* AllowToolcacheInput */
+    );
+    const allowToolcacheValue = allowToolcacheValueFF && (isDynamicWorkflow() || isInTestMode());
+    if (allowToolcacheValue) {
+      logger.info(
+        `Attempting to use the latest CodeQL CLI version in the toolcache, as requested by 'tools: ${toolsInput}'.`
+      );
+      latestToolcacheVersion = getLatestToolcacheVersion(logger);
+      if (latestToolcacheVersion) {
+        cliVersion2 = latestToolcacheVersion;
+      }
+    }
+    if (latestToolcacheVersion === void 0) {
+      if (allowToolcacheValue) {
+        logger.info(
+          `Found no CodeQL CLI in the toolcache, ignoring 'tools: ${toolsInput}'...`
+        );
+      } else {
+        if (allowToolcacheValueFF) {
+          logger.warning(
+            `Ignoring 'tools: ${toolsInput}' because the workflow was not triggered dynamically.`
+          );
+        } else {
+          logger.info(
+            `Ignoring 'tools: ${toolsInput}' because the feature is not enabled.`
+          );
+        }
+      }
+      cliVersion2 = defaultCliVersion.cliVersion;
+      tagName = defaultCliVersion.tagName;
+    }
  } else if (toolsInput !== void 0) {
    tagName = tryGetTagNameFromUrl(toolsInput, logger);
    url2 = toolsInput;
@@ -92497,7 +92605,7 @@ function getCanonicalToolcacheVersion(cliVersion2, bundleVersion2, logger) {
  }
  return cliVersion2;
 }
-async function setupCodeQLBundle(toolsInput, apiDetails, tempDir, variant, defaultCliVersion, logger) {
+async function setupCodeQLBundle(toolsInput, apiDetails, tempDir, variant, defaultCliVersion, features, logger) {
  if (!await isBinaryAccessible("tar", logger)) {
    throw new ConfigurationError(
      "Could not find tar in PATH, so unable to extract CodeQL bundle."
@@ -92510,6 +92618,7 @@ async function setupCodeQLBundle(toolsInput, apiDetails, tempDir, variant, defau
    apiDetails,
    variant,
    zstdAvailability.available,
+    features,
    logger
  );
  let codeqlFolder;
@@ -92595,8 +92704,24 @@ async function getNightlyToolsUrl(logger) {
    );
  }
 }
+function getLatestToolcacheVersion(logger) {
+  const allVersions = toolcache3.findAllVersions("CodeQL").sort((a, b) => semver7.compare(b, a));
+  logger.debug(
+    `Found the following versions of the CodeQL tools in the toolcache: ${JSON.stringify(
+      allVersions
+    )}.`
+  );
+  if (allVersions.length > 0) {
+    const latestToolcacheVersion = allVersions[0];
+    logger.info(
+      `CLI version ${latestToolcacheVersion} is the latest version in the toolcache.`
+    );
+    return latestToolcacheVersion;
+  }
+  return void 0;
+}
 function isReservedToolsValue(tools) {
-  return CODEQL_BUNDLE_VERSION_ALIAS.includes(tools) || CODEQL_NIGHTLY_TOOLS_INPUTS.includes(tools);
+  return CODEQL_BUNDLE_VERSION_ALIAS.includes(tools) || CODEQL_NIGHTLY_TOOLS_INPUTS.includes(tools) || tools === CODEQL_TOOLCACHE_INPUT;
 }

 // src/tracer-config.ts
@@ -92651,7 +92776,7 @@ var GHES_VERSION_MOST_RECENTLY_DEPRECATED = "3.13";
 var GHES_MOST_RECENT_DEPRECATION_DATE = "2025-06-19";
 var EXTRACTION_DEBUG_MODE_VERBOSITY = "progress++";
 var CODEQL_VERSION_CACHE_CLEANUP = "2.17.1";
-async function setupCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliVersion, logger, checkVersion) {
+async function setupCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliVersion, features, logger, checkVersion) {
  try {
    const {
      codeqlFolder,
@@ -92665,6 +92790,7 @@ async function setupCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliV
      tempDir,
      variant,
      defaultCliVersion,
+      features,
      logger
    );
    logger.debug(
@@ -92689,7 +92815,8 @@ async function setupCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliV
      zstdAvailability
    };
  } catch (e) {
-    const ErrorClass = e instanceof ConfigurationError || e instanceof Error && e.message.includes("ENOSPC") ? ConfigurationError : Error;
+    const ErrorClass = e instanceof ConfigurationError || e instanceof Error && e.message.includes("ENOSPC") || // out of disk space
+    e instanceof RequestError && e.status === 429 ? ConfigurationError : Error;
    throw new ErrorClass(
      `Unable to download and extract CodeQL CLI: ${getErrorMessage(e)}${e instanceof Error && e.stack ? `

@@ -94063,7 +94190,7 @@ async function createStatusReportBase(actionName, status, actionStartedAt, confi
      action_ref: actionRef,
      action_started_at: actionStartedAt.toISOString(),
      action_version: getActionVersion(),
-      analysis_kinds: config?.analysisKinds.join(","),
+      analysis_kinds: config?.analysisKinds?.join(","),
      analysis_key,
      build_mode: config?.buildMode,
      commit_oid: commitOid,
@@ -94086,7 +94213,7 @@ async function createStatusReportBase(actionName, status, actionStartedAt, confi
      logger.warning(`Could not determine the workflow event name: ${e}.`);
    }
    if (config) {
-      statusReport.languages = config.languages.join(",");
+      statusReport.languages = config.languages?.join(",");
    }
    if (diskInfo) {
      statusReport.runner_available_disk_space_bytes = diskInfo.numAvailableBytes;
@@ -94764,7 +94891,7 @@ LongPrototype.greaterThanOrEqual = function greaterThanOrEqual(other) {
 };
 LongPrototype.gte = LongPrototype.greaterThanOrEqual;
 LongPrototype.ge = LongPrototype.greaterThanOrEqual;
-LongPrototype.compare = function compare(other) {
+LongPrototype.compare = function compare2(other) {
  if (!isLong(other)) other = fromValue(other);
  if (this.eq(other)) return 0;
  var thisNeg = this.isNegative(), otherNeg = other.isNegative();
@@ -95315,7 +95442,7 @@ async function addFingerprints(sarif, sourceRoot, logger) {
 // src/init.ts
 var toolrunner4 = __toESM(require_toolrunner());
 var io6 = __toESM(require_io());
-async function initCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliVersion, logger) {
+async function initCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliVersion, features, logger) {
  logger.startGroup("Setup CodeQL tools");
  const {
    codeql,
@@ -95329,6 +95456,7 @@ async function initCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliVe
    tempDir,
    variant,
    defaultCliVersion,
+    features,
    logger,
    true
  );
@@ -95475,6 +95603,7 @@ async function combineSarifFilesUsingCLI(sarifFiles, gitHubVersion, features, lo
      tempDir,
      gitHubVersion.type,
      codeQLDefaultVersionInfo,
+      features,
      logger
    );
    codeQL = initCodeQLResult.codeql;
@@ -95530,23 +95659,23 @@ function getAutomationID2(category, analysis_key, environment) {
  }
  return computeAutomationID(analysis_key, environment);
 }
-async function uploadPayload(payload, repositoryNwo, logger, target) {
+async function uploadPayload(payload, repositoryNwo, logger, analysis) {
  logger.info("Uploading results");
-  if (isInTestMode()) {
+  if (shouldSkipSarifUpload()) {
    const payloadSaveFile = path18.join(
      getTemporaryDirectory(),
-      "payload.json"
+      `payload-${analysis.kind}.json`
    );
    logger.info(
-      `In test mode. Results are not uploaded. Saving to ${payloadSaveFile}`
+      `SARIF upload disabled by an environment variable. Saving to ${payloadSaveFile}`
    );
    logger.info(`Payload: ${JSON.stringify(payload, null, 2)}`);
    fs18.writeFileSync(payloadSaveFile, JSON.stringify(payload, null, 2));
-    return "test-mode-sarif-id";
+    return "dummy-sarif-id";
  }
  const client = getApiClient();
  try {
-    const response = await client.request(target, {
+    const response = await client.request(analysis.target, {
      owner: repositoryNwo.owner,
      repo: repositoryNwo.repo,
      data: payload
@@ -95780,7 +95909,7 @@ async function uploadSpecifiedFiles(sarifPaths, checkoutPath, category, features
    payload,
    getRepositoryNwo(),
    logger,
-    uploadTarget.target
+    uploadTarget
  );
  logger.endGroup();
  return {
@@ -24680,6 +24680,9 @@ var require_identifiers = __commonJS({
    "use strict";
    var numeric = /^[0-9]+$/;
    var compareIdentifiers = (a, b) => {
+      if (typeof a === "number" && typeof b === "number") {
+        return a === b ? 0 : a < b ? -1 : 1;
+      }
      const anum = numeric.test(a);
      const bnum = numeric.test(b);
      if (anum && bnum) {
@@ -24786,7 +24789,25 @@ var require_semver = __commonJS({
        if (!(other instanceof _SemVer)) {
          other = new _SemVer(other, this.options);
        }
-        return compareIdentifiers(this.major, other.major) || compareIdentifiers(this.minor, other.minor) || compareIdentifiers(this.patch, other.patch);
+        if (this.major < other.major) {
+          return -1;
+        }
+        if (this.major > other.major) {
+          return 1;
+        }
+        if (this.minor < other.minor) {
+          return -1;
+        }
+        if (this.minor > other.minor) {
+          return 1;
+        }
+        if (this.patch < other.patch) {
+          return -1;
+        }
+        if (this.patch > other.patch) {
+          return 1;
+        }
+        return 0;
      }
      comparePre(other) {
        if (!(other instanceof _SemVer)) {
@@ -25121,8 +25142,8 @@ var require_compare = __commonJS({
  "node_modules/semver/functions/compare.js"(exports2, module2) {
    "use strict";
    var SemVer = require_semver();
-    var compare = (a, b, loose) => new SemVer(a, loose).compare(new SemVer(b, loose));
-    module2.exports = compare;
+    var compare2 = (a, b, loose) => new SemVer(a, loose).compare(new SemVer(b, loose));
+    module2.exports = compare2;
  }
 });

@@ -25130,8 +25151,8 @@ var require_compare = __commonJS({
 var require_rcompare = __commonJS({
  "node_modules/semver/functions/rcompare.js"(exports2, module2) {
    "use strict";
-    var compare = require_compare();
-    var rcompare = (a, b, loose) => compare(b, a, loose);
+    var compare2 = require_compare();
+    var rcompare = (a, b, loose) => compare2(b, a, loose);
    module2.exports = rcompare;
  }
 });
@@ -25140,8 +25161,8 @@ var require_rcompare = __commonJS({
 var require_compare_loose = __commonJS({
  "node_modules/semver/functions/compare-loose.js"(exports2, module2) {
    "use strict";
-    var compare = require_compare();
-    var compareLoose = (a, b) => compare(a, b, true);
+    var compare2 = require_compare();
+    var compareLoose = (a, b) => compare2(a, b, true);
    module2.exports = compareLoose;
  }
 });
@@ -25184,8 +25205,8 @@ var require_rsort = __commonJS({
 var require_gt = __commonJS({
  "node_modules/semver/functions/gt.js"(exports2, module2) {
    "use strict";
-    var compare = require_compare();
-    var gt = (a, b, loose) => compare(a, b, loose) > 0;
+    var compare2 = require_compare();
+    var gt = (a, b, loose) => compare2(a, b, loose) > 0;
    module2.exports = gt;
  }
 });
@@ -25194,8 +25215,8 @@ var require_gt = __commonJS({
 var require_lt = __commonJS({
  "node_modules/semver/functions/lt.js"(exports2, module2) {
    "use strict";
-    var compare = require_compare();
-    var lt = (a, b, loose) => compare(a, b, loose) < 0;
+    var compare2 = require_compare();
+    var lt = (a, b, loose) => compare2(a, b, loose) < 0;
    module2.exports = lt;
  }
 });
@@ -25204,8 +25225,8 @@ var require_lt = __commonJS({
 var require_eq = __commonJS({
  "node_modules/semver/functions/eq.js"(exports2, module2) {
    "use strict";
-    var compare = require_compare();
-    var eq = (a, b, loose) => compare(a, b, loose) === 0;
+    var compare2 = require_compare();
+    var eq = (a, b, loose) => compare2(a, b, loose) === 0;
    module2.exports = eq;
  }
 });
@@ -25214,8 +25235,8 @@ var require_eq = __commonJS({
 var require_neq = __commonJS({
  "node_modules/semver/functions/neq.js"(exports2, module2) {
    "use strict";
-    var compare = require_compare();
-    var neq = (a, b, loose) => compare(a, b, loose) !== 0;
+    var compare2 = require_compare();
+    var neq = (a, b, loose) => compare2(a, b, loose) !== 0;
    module2.exports = neq;
  }
 });
@@ -25224,8 +25245,8 @@ var require_neq = __commonJS({
 var require_gte = __commonJS({
  "node_modules/semver/functions/gte.js"(exports2, module2) {
    "use strict";
-    var compare = require_compare();
-    var gte5 = (a, b, loose) => compare(a, b, loose) >= 0;
+    var compare2 = require_compare();
+    var gte5 = (a, b, loose) => compare2(a, b, loose) >= 0;
    module2.exports = gte5;
  }
 });
@@ -25234,8 +25255,8 @@ var require_gte = __commonJS({
 var require_lte = __commonJS({
  "node_modules/semver/functions/lte.js"(exports2, module2) {
    "use strict";
-    var compare = require_compare();
-    var lte = (a, b, loose) => compare(a, b, loose) <= 0;
+    var compare2 = require_compare();
+    var lte = (a, b, loose) => compare2(a, b, loose) <= 0;
    module2.exports = lte;
  }
 });
@@ -25547,6 +25568,7 @@ var require_range = __commonJS({
      return result;
    };
    var parseComparator = (comp, options) => {
+      comp = comp.replace(re[t.BUILD], "");
      debug3("comp", comp, options);
      comp = replaceCarets(comp, options);
      debug3("caret", comp);
@@ -26131,12 +26153,12 @@ var require_simplify = __commonJS({
  "node_modules/semver/ranges/simplify.js"(exports2, module2) {
    "use strict";
    var satisfies2 = require_satisfies();
-    var compare = require_compare();
+    var compare2 = require_compare();
    module2.exports = (versions, range, options) => {
      const set2 = [];
      let first = null;
      let prev = null;
-      const v = versions.sort((a, b) => compare(a, b, options));
+      const v = versions.sort((a, b) => compare2(a, b, options));
      for (const version of v) {
        const included = satisfies2(version, range, options);
        if (included) {
@@ -26184,7 +26206,7 @@ var require_subset = __commonJS({
    var Comparator = require_comparator();
    var { ANY } = Comparator;
    var satisfies2 = require_satisfies();
-    var compare = require_compare();
+    var compare2 = require_compare();
    var subset = (sub, dom, options = {}) => {
      if (sub === dom) {
        return true;
@@ -26244,7 +26266,7 @@ var require_subset = __commonJS({
      }
      let gtltComp;
      if (gt && lt) {
-        gtltComp = compare(gt.semver, lt.semver, options);
+        gtltComp = compare2(gt.semver, lt.semver, options);
        if (gtltComp > 0) {
          return null;
        } else if (gtltComp === 0 && (gt.operator !== ">=" || lt.operator !== "<=")) {
@@ -26324,14 +26346,14 @@ var require_subset = __commonJS({
      if (!a) {
        return b;
      }
-      const comp = compare(a.semver, b.semver, options);
+      const comp = compare2(a.semver, b.semver, options);
      return comp > 0 ? a : comp < 0 ? b : b.operator === ">" && a.operator === ">=" ? b : a;
    };
    var lowerLT = (a, b, options) => {
      if (!a) {
        return b;
      }
-      const comp = compare(a.semver, b.semver, options);
+      const comp = compare2(a.semver, b.semver, options);
      return comp < 0 ? a : comp > 0 ? b : b.operator === "<" && a.operator === "<=" ? b : a;
    };
    module2.exports = subset;
@@ -26355,7 +26377,7 @@ var require_semver2 = __commonJS({
    var minor = require_minor();
    var patch = require_patch();
    var prerelease = require_prerelease();
-    var compare = require_compare();
+    var compare2 = require_compare();
    var rcompare = require_rcompare();
    var compareLoose = require_compare_loose();
    var compareBuild = require_compare_build();
@@ -26393,7 +26415,7 @@ var require_semver2 = __commonJS({
      minor,
      patch,
      prerelease,
-      compare,
+      compare: compare2,
      rcompare,
      compareLoose,
      compareBuild,
@@ -26438,7 +26460,7 @@ var require_package = __commonJS({
  "package.json"(exports2, module2) {
    module2.exports = {
      name: "codeql",
-      version: "3.30.7",
+      version: "4.30.9",
      private: true,
      description: "CodeQL action",
      scripts: {
@@ -26473,6 +26495,7 @@ var require_package = __commonJS({
        "@actions/io": "^1.1.3",
        "@actions/tool-cache": "^2.0.2",
        "@octokit/plugin-retry": "^6.0.0",
+        "@octokit/request-error": "^7.0.1",
        "@schemastore/package": "0.0.10",
        archiver: "^7.0.1",
        "check-disk-space": "^3.4.0",
@@ -26486,14 +26509,14 @@ var require_package = __commonJS({
        long: "^5.3.2",
        "node-forge": "^1.3.1",
        octokit: "^5.0.3",
-        semver: "^7.7.2",
+        semver: "^7.7.3",
        uuid: "^13.0.0"
      },
      devDependencies: {
        "@ava/typescript": "6.0.0",
        "@eslint/compat": "^1.4.0",
        "@eslint/eslintrc": "^3.3.1",
-        "@eslint/js": "^9.36.0",
+        "@eslint/js": "^9.37.0",
        "@microsoft/eslint-formatter-sarif": "^3.1.0",
        "@octokit/types": "^15.0.0",
        "@types/archiver": "^6.0.3",
@@ -26504,7 +26527,7 @@ var require_package = __commonJS({
        "@types/node-forge": "^1.3.14",
        "@types/semver": "^7.7.1",
        "@types/sinon": "^17.0.4",
-        "@typescript-eslint/eslint-plugin": "^8.44.1",
+        "@typescript-eslint/eslint-plugin": "^8.46.0",
        "@typescript-eslint/parser": "^8.41.0",
        ava: "^6.4.1",
        esbuild: "^0.25.10",
@@ -26517,7 +26540,7 @@ var require_package = __commonJS({
        glob: "^11.0.3",
        nock: "^14.0.10",
        sinon: "^21.0.0",
-        typescript: "^5.9.2"
+        typescript: "^5.9.3"
      },
      overrides: {
        "@actions/tool-cache": {
@@ -30261,13 +30284,13 @@ var require_semver3 = __commonJS({
    function patch(a, loose) {
      return new SemVer(a, loose).patch;
    }
-    exports2.compare = compare;
-    function compare(a, b, loose) {
+    exports2.compare = compare2;
+    function compare2(a, b, loose) {
      return new SemVer(a, loose).compare(new SemVer(b, loose));
    }
    exports2.compareLoose = compareLoose;
    function compareLoose(a, b) {
-      return compare(a, b, true);
+      return compare2(a, b, true);
    }
    exports2.compareBuild = compareBuild;
    function compareBuild(a, b, loose) {
@@ -30277,7 +30300,7 @@ var require_semver3 = __commonJS({
    }
    exports2.rcompare = rcompare;
    function rcompare(a, b, loose) {
-      return compare(b, a, loose);
+      return compare2(b, a, loose);
    }
    exports2.sort = sort;
    function sort(list, loose) {
@@ -30293,27 +30316,27 @@ var require_semver3 = __commonJS({
    }
    exports2.gt = gt;
    function gt(a, b, loose) {
-      return compare(a, b, loose) > 0;
+      return compare2(a, b, loose) > 0;
    }
    exports2.lt = lt;
    function lt(a, b, loose) {
-      return compare(a, b, loose) < 0;
+      return compare2(a, b, loose) < 0;
    }
    exports2.eq = eq;
    function eq(a, b, loose) {
-      return compare(a, b, loose) === 0;
+      return compare2(a, b, loose) === 0;
    }
    exports2.neq = neq;
    function neq(a, b, loose) {
-      return compare(a, b, loose) !== 0;
+      return compare2(a, b, loose) !== 0;
    }
    exports2.gte = gte5;
    function gte5(a, b, loose) {
-      return compare(a, b, loose) >= 0;
+      return compare2(a, b, loose) >= 0;
    }
    exports2.lte = lte;
    function lte(a, b, loose) {
-      return compare(a, b, loose) <= 0;
+      return compare2(a, b, loose) <= 0;
    }
    exports2.cmp = cmp;
    function cmp(a, op, b, loose) {
@@ -78295,8 +78318,8 @@ var path3 = __toESM(require("path"));
 var semver4 = __toESM(require_semver2());

 // src/defaults.json
-var bundleVersion = "codeql-bundle-v2.23.2";
-var cliVersion = "2.23.2";
+var bundleVersion = "codeql-bundle-v2.23.3";
+var cliVersion = "2.23.3";

 // src/overlay-database-utils.ts
 var fs2 = __toESM(require("fs"));
@@ -78543,6 +78566,11 @@ function isSupportedToolsFeature(versionInfo, feature) {
 var DEFAULT_VERSION_FEATURE_FLAG_PREFIX = "default_codeql_version_";
 var DEFAULT_VERSION_FEATURE_FLAG_SUFFIX = "_enabled";
 var featureConfig = {
+  ["allow_toolcache_input" /* AllowToolcacheInput */]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_ALLOW_TOOLCACHE_INPUT",
+    minimumVersion: void 0
+  },
  ["cleanup_trap_caches" /* CleanupTrapCaches */]: {
    defaultValue: false,
    envVar: "CODEQL_ACTION_CLEANUP_TRAP_CACHES",
@@ -79812,7 +79840,7 @@ async function createStatusReportBase(actionName, status, actionStartedAt, confi
      action_ref: actionRef,
      action_started_at: actionStartedAt.toISOString(),
      action_version: getActionVersion(),
-      analysis_kinds: config?.analysisKinds.join(","),
+      analysis_kinds: config?.analysisKinds?.join(","),
      analysis_key,
      build_mode: config?.buildMode,
      commit_oid: commitOid,
@@ -79835,7 +79863,7 @@ async function createStatusReportBase(actionName, status, actionStartedAt, confi
      logger.warning(`Could not determine the workflow event name: ${e}.`);
    }
    if (config) {
-      statusReport.languages = config.languages.join(",");
+      statusReport.languages = config.languages?.join(",");
    }
    if (diskInfo) {
      statusReport.runner_available_disk_space_bytes = diskInfo.numAvailableBytes;
@@ -1,6 +1,6 @@
 {
-  "bundleVersion": "codeql-bundle-v2.23.2",
-  "cliVersion": "2.23.2",
-  "priorBundleVersion": "codeql-bundle-v2.23.1",
-  "priorCliVersion": "2.23.1"
+  "bundleVersion": "codeql-bundle-v2.23.3",
+  "cliVersion": "2.23.3",
+  "priorBundleVersion": "codeql-bundle-v2.23.2",
+  "priorCliVersion": "2.23.2"
 }
@@ -20602,14 +20602,14 @@ var require_dist_node4 = __commonJS({
    var __toCommonJS2 = (mod) => __copyProps2(__defProp2({}, "__esModule", { value: true }), mod);
    var dist_src_exports = {};
    __export2(dist_src_exports, {
-      RequestError: () => RequestError
+      RequestError: () => RequestError2
    });
    module2.exports = __toCommonJS2(dist_src_exports);
    var import_deprecation = require_dist_node3();
    var import_once = __toESM2(require_once());
    var logOnceCode = (0, import_once.default)((deprecation) => console.warn(deprecation));
    var logOnceHeaders = (0, import_once.default)((deprecation) => console.warn(deprecation));
-    var RequestError = class extends Error {
+    var RequestError2 = class extends Error {
      constructor(message, statusCode, options) {
        super(message);
        if (Error.captureStackTrace) {
@@ -20701,7 +20701,7 @@ var require_dist_node5 = __commonJS({
      const Ctor = Object.prototype.hasOwnProperty.call(proto, "constructor") && proto.constructor;
      return typeof Ctor === "function" && Ctor instanceof Ctor && Function.prototype.call(Ctor) === Function.prototype.call(value);
    }
-    var import_request_error = require_dist_node4();
+    var import_request_error2 = require_dist_node4();
    function getBufferResponse(response) {
      return response.arrayBuffer();
    }
@@ -20753,7 +20753,7 @@ var require_dist_node5 = __commonJS({
          if (status < 400) {
            return;
          }
-          throw new import_request_error.RequestError(response.statusText, status, {
+          throw new import_request_error2.RequestError(response.statusText, status, {
            response: {
              url: url2,
              status,
@@ -20764,7 +20764,7 @@ var require_dist_node5 = __commonJS({
          });
        }
        if (status === 304) {
-          throw new import_request_error.RequestError("Not modified", status, {
+          throw new import_request_error2.RequestError("Not modified", status, {
            response: {
              url: url2,
              status,
@@ -20776,7 +20776,7 @@ var require_dist_node5 = __commonJS({
        }
        if (status >= 400) {
          const data = await getResponseData(response);
-          const error2 = new import_request_error.RequestError(toErrorMessage(data), status, {
+          const error2 = new import_request_error2.RequestError(toErrorMessage(data), status, {
            response: {
              url: url2,
              status,
@@ -20796,7 +20796,7 @@ var require_dist_node5 = __commonJS({
          data
        };
      }).catch((error2) => {
-        if (error2 instanceof import_request_error.RequestError)
+        if (error2 instanceof import_request_error2.RequestError)
          throw error2;
        else if (error2.name === "AbortError")
          throw error2;
@@ -20808,7 +20808,7 @@ var require_dist_node5 = __commonJS({
            message = error2.cause;
          }
        }
-        throw new import_request_error.RequestError(message, 500, {
+        throw new import_request_error2.RequestError(message, 500, {
          request: requestOptions
        });
      });
@@ -21250,14 +21250,14 @@ var require_dist_node7 = __commonJS({
    var __toCommonJS2 = (mod) => __copyProps2(__defProp2({}, "__esModule", { value: true }), mod);
    var dist_src_exports = {};
    __export2(dist_src_exports, {
-      RequestError: () => RequestError
+      RequestError: () => RequestError2
    });
    module2.exports = __toCommonJS2(dist_src_exports);
    var import_deprecation = require_dist_node3();
    var import_once = __toESM2(require_once());
    var logOnceCode = (0, import_once.default)((deprecation) => console.warn(deprecation));
    var logOnceHeaders = (0, import_once.default)((deprecation) => console.warn(deprecation));
-    var RequestError = class extends Error {
+    var RequestError2 = class extends Error {
      constructor(message, statusCode, options) {
        super(message);
        if (Error.captureStackTrace) {
@@ -21349,7 +21349,7 @@ var require_dist_node8 = __commonJS({
      const Ctor = Object.prototype.hasOwnProperty.call(proto, "constructor") && proto.constructor;
      return typeof Ctor === "function" && Ctor instanceof Ctor && Function.prototype.call(Ctor) === Function.prototype.call(value);
    }
-    var import_request_error = require_dist_node7();
+    var import_request_error2 = require_dist_node7();
    function getBufferResponse(response) {
      return response.arrayBuffer();
    }
@@ -21401,7 +21401,7 @@ var require_dist_node8 = __commonJS({
          if (status < 400) {
            return;
          }
-          throw new import_request_error.RequestError(response.statusText, status, {
+          throw new import_request_error2.RequestError(response.statusText, status, {
            response: {
              url: url2,
              status,
@@ -21412,7 +21412,7 @@ var require_dist_node8 = __commonJS({
          });
        }
        if (status === 304) {
-          throw new import_request_error.RequestError("Not modified", status, {
+          throw new import_request_error2.RequestError("Not modified", status, {
            response: {
              url: url2,
              status,
@@ -21424,7 +21424,7 @@ var require_dist_node8 = __commonJS({
        }
        if (status >= 400) {
          const data = await getResponseData(response);
-          const error2 = new import_request_error.RequestError(toErrorMessage(data), status, {
+          const error2 = new import_request_error2.RequestError(toErrorMessage(data), status, {
            response: {
              url: url2,
              status,
@@ -21444,7 +21444,7 @@ var require_dist_node8 = __commonJS({
          data
        };
      }).catch((error2) => {
-        if (error2 instanceof import_request_error.RequestError)
+        if (error2 instanceof import_request_error2.RequestError)
          throw error2;
        else if (error2.name === "AbortError")
          throw error2;
@@ -21456,7 +21456,7 @@ var require_dist_node8 = __commonJS({
            message = error2.cause;
          }
        }
-        throw new import_request_error.RequestError(message, 500, {
+        throw new import_request_error2.RequestError(message, 500, {
          request: requestOptions
        });
      });
@@ -25039,7 +25039,7 @@ var require_to_regex_range = __commonJS({
        stop = countZeros(max + 1, zeros) - 1;
      }
      stops = [...stops];
-      stops.sort(compare2);
+      stops.sort(compare3);
      return stops;
    }
    function rangeToPattern(start, stop, options) {
@@ -25111,7 +25111,7 @@ var require_to_regex_range = __commonJS({
      for (let i = 0; i < a.length; i++) arr.push([a[i], b[i]]);
      return arr;
    }
-    function compare2(a, b) {
+    function compare3(a, b) {
      return a > b ? 1 : b > a ? -1 : 0;
    }
    function contains(arr, key, val2) {
@@ -30529,6 +30529,9 @@ var require_identifiers = __commonJS({
    "use strict";
    var numeric = /^[0-9]+$/;
    var compareIdentifiers = (a, b) => {
+      if (typeof a === "number" && typeof b === "number") {
+        return a === b ? 0 : a < b ? -1 : 1;
+      }
      const anum = numeric.test(a);
      const bnum = numeric.test(b);
      if (anum && bnum) {
@@ -30635,7 +30638,25 @@ var require_semver = __commonJS({
        if (!(other instanceof _SemVer)) {
          other = new _SemVer(other, this.options);
        }
-        return compareIdentifiers(this.major, other.major) || compareIdentifiers(this.minor, other.minor) || compareIdentifiers(this.patch, other.patch);
+        if (this.major < other.major) {
+          return -1;
+        }
+        if (this.major > other.major) {
+          return 1;
+        }
+        if (this.minor < other.minor) {
+          return -1;
+        }
+        if (this.minor > other.minor) {
+          return 1;
+        }
+        if (this.patch < other.patch) {
+          return -1;
+        }
+        if (this.patch > other.patch) {
+          return 1;
+        }
+        return 0;
      }
      comparePre(other) {
        if (!(other instanceof _SemVer)) {
@@ -30970,8 +30991,8 @@ var require_compare = __commonJS({
  "node_modules/semver/functions/compare.js"(exports2, module2) {
    "use strict";
    var SemVer = require_semver();
-    var compare2 = (a, b, loose) => new SemVer(a, loose).compare(new SemVer(b, loose));
-    module2.exports = compare2;
+    var compare3 = (a, b, loose) => new SemVer(a, loose).compare(new SemVer(b, loose));
+    module2.exports = compare3;
  }
 });

@@ -30979,8 +31000,8 @@ var require_compare = __commonJS({
 var require_rcompare = __commonJS({
  "node_modules/semver/functions/rcompare.js"(exports2, module2) {
    "use strict";
-    var compare2 = require_compare();
-    var rcompare = (a, b, loose) => compare2(b, a, loose);
+    var compare3 = require_compare();
+    var rcompare = (a, b, loose) => compare3(b, a, loose);
    module2.exports = rcompare;
  }
 });
@@ -30989,8 +31010,8 @@ var require_rcompare = __commonJS({
 var require_compare_loose = __commonJS({
  "node_modules/semver/functions/compare-loose.js"(exports2, module2) {
    "use strict";
-    var compare2 = require_compare();
-    var compareLoose = (a, b) => compare2(a, b, true);
+    var compare3 = require_compare();
+    var compareLoose = (a, b) => compare3(a, b, true);
    module2.exports = compareLoose;
  }
 });
@@ -31033,8 +31054,8 @@ var require_rsort = __commonJS({
 var require_gt = __commonJS({
  "node_modules/semver/functions/gt.js"(exports2, module2) {
    "use strict";
-    var compare2 = require_compare();
-    var gt = (a, b, loose) => compare2(a, b, loose) > 0;
+    var compare3 = require_compare();
+    var gt = (a, b, loose) => compare3(a, b, loose) > 0;
    module2.exports = gt;
  }
 });
@@ -31043,8 +31064,8 @@ var require_gt = __commonJS({
 var require_lt = __commonJS({
  "node_modules/semver/functions/lt.js"(exports2, module2) {
    "use strict";
-    var compare2 = require_compare();
-    var lt = (a, b, loose) => compare2(a, b, loose) < 0;
+    var compare3 = require_compare();
+    var lt = (a, b, loose) => compare3(a, b, loose) < 0;
    module2.exports = lt;
  }
 });
@@ -31053,8 +31074,8 @@ var require_lt = __commonJS({
 var require_eq = __commonJS({
  "node_modules/semver/functions/eq.js"(exports2, module2) {
    "use strict";
-    var compare2 = require_compare();
-    var eq = (a, b, loose) => compare2(a, b, loose) === 0;
+    var compare3 = require_compare();
+    var eq = (a, b, loose) => compare3(a, b, loose) === 0;
    module2.exports = eq;
  }
 });
@@ -31063,8 +31084,8 @@ var require_eq = __commonJS({
 var require_neq = __commonJS({
  "node_modules/semver/functions/neq.js"(exports2, module2) {
    "use strict";
-    var compare2 = require_compare();
-    var neq = (a, b, loose) => compare2(a, b, loose) !== 0;
+    var compare3 = require_compare();
+    var neq = (a, b, loose) => compare3(a, b, loose) !== 0;
    module2.exports = neq;
  }
 });
@@ -31073,8 +31094,8 @@ var require_neq = __commonJS({
 var require_gte = __commonJS({
  "node_modules/semver/functions/gte.js"(exports2, module2) {
    "use strict";
-    var compare2 = require_compare();
-    var gte5 = (a, b, loose) => compare2(a, b, loose) >= 0;
+    var compare3 = require_compare();
+    var gte5 = (a, b, loose) => compare3(a, b, loose) >= 0;
    module2.exports = gte5;
  }
 });
@@ -31083,8 +31104,8 @@ var require_gte = __commonJS({
 var require_lte = __commonJS({
  "node_modules/semver/functions/lte.js"(exports2, module2) {
    "use strict";
-    var compare2 = require_compare();
-    var lte = (a, b, loose) => compare2(a, b, loose) <= 0;
+    var compare3 = require_compare();
+    var lte = (a, b, loose) => compare3(a, b, loose) <= 0;
    module2.exports = lte;
  }
 });
@@ -31396,6 +31417,7 @@ var require_range = __commonJS({
      return result;
    };
    var parseComparator = (comp, options) => {
+      comp = comp.replace(re[t.BUILD], "");
      debug3("comp", comp, options);
      comp = replaceCarets(comp, options);
      debug3("caret", comp);
@@ -31980,12 +32002,12 @@ var require_simplify = __commonJS({
  "node_modules/semver/ranges/simplify.js"(exports2, module2) {
    "use strict";
    var satisfies2 = require_satisfies();
-    var compare2 = require_compare();
+    var compare3 = require_compare();
    module2.exports = (versions, range, options) => {
      const set2 = [];
      let first = null;
      let prev = null;
-      const v = versions.sort((a, b) => compare2(a, b, options));
+      const v = versions.sort((a, b) => compare3(a, b, options));
      for (const version of v) {
        const included = satisfies2(version, range, options);
        if (included) {
@@ -32033,7 +32055,7 @@ var require_subset = __commonJS({
    var Comparator = require_comparator();
    var { ANY } = Comparator;
    var satisfies2 = require_satisfies();
-    var compare2 = require_compare();
+    var compare3 = require_compare();
    var subset = (sub, dom, options = {}) => {
      if (sub === dom) {
        return true;
@@ -32093,7 +32115,7 @@ var require_subset = __commonJS({
      }
      let gtltComp;
      if (gt && lt) {
-        gtltComp = compare2(gt.semver, lt.semver, options);
+        gtltComp = compare3(gt.semver, lt.semver, options);
        if (gtltComp > 0) {
          return null;
        } else if (gtltComp === 0 && (gt.operator !== ">=" || lt.operator !== "<=")) {
@@ -32173,14 +32195,14 @@ var require_subset = __commonJS({
      if (!a) {
        return b;
      }
-      const comp = compare2(a.semver, b.semver, options);
+      const comp = compare3(a.semver, b.semver, options);
      return comp > 0 ? a : comp < 0 ? b : b.operator === ">" && a.operator === ">=" ? b : a;
    };
    var lowerLT = (a, b, options) => {
      if (!a) {
        return b;
      }
-      const comp = compare2(a.semver, b.semver, options);
+      const comp = compare3(a.semver, b.semver, options);
      return comp < 0 ? a : comp > 0 ? b : b.operator === "<" && a.operator === "<=" ? b : a;
    };
    module2.exports = subset;
@@ -32204,7 +32226,7 @@ var require_semver2 = __commonJS({
    var minor = require_minor();
    var patch = require_patch();
    var prerelease = require_prerelease();
-    var compare2 = require_compare();
+    var compare3 = require_compare();
    var rcompare = require_rcompare();
    var compareLoose = require_compare_loose();
    var compareBuild = require_compare_build();
@@ -32242,7 +32264,7 @@ var require_semver2 = __commonJS({
      minor,
      patch,
      prerelease,
-      compare: compare2,
+      compare: compare3,
      rcompare,
      compareLoose,
      compareBuild,
@@ -32287,7 +32309,7 @@ var require_package = __commonJS({
  "package.json"(exports2, module2) {
    module2.exports = {
      name: "codeql",
-      version: "3.30.7",
+      version: "4.30.9",
      private: true,
      description: "CodeQL action",
      scripts: {
@@ -32322,6 +32344,7 @@ var require_package = __commonJS({
        "@actions/io": "^1.1.3",
        "@actions/tool-cache": "^2.0.2",
        "@octokit/plugin-retry": "^6.0.0",
+        "@octokit/request-error": "^7.0.1",
        "@schemastore/package": "0.0.10",
        archiver: "^7.0.1",
        "check-disk-space": "^3.4.0",
@@ -32335,14 +32358,14 @@ var require_package = __commonJS({
        long: "^5.3.2",
        "node-forge": "^1.3.1",
        octokit: "^5.0.3",
-        semver: "^7.7.2",
+        semver: "^7.7.3",
        uuid: "^13.0.0"
      },
      devDependencies: {
        "@ava/typescript": "6.0.0",
        "@eslint/compat": "^1.4.0",
        "@eslint/eslintrc": "^3.3.1",
-        "@eslint/js": "^9.36.0",
+        "@eslint/js": "^9.37.0",
        "@microsoft/eslint-formatter-sarif": "^3.1.0",
        "@octokit/types": "^15.0.0",
        "@types/archiver": "^6.0.3",
@@ -32353,7 +32376,7 @@ var require_package = __commonJS({
        "@types/node-forge": "^1.3.14",
        "@types/semver": "^7.7.1",
        "@types/sinon": "^17.0.4",
-        "@typescript-eslint/eslint-plugin": "^8.44.1",
+        "@typescript-eslint/eslint-plugin": "^8.46.0",
        "@typescript-eslint/parser": "^8.41.0",
        ava: "^6.4.1",
        esbuild: "^0.25.10",
@@ -32366,7 +32389,7 @@ var require_package = __commonJS({
        glob: "^11.0.3",
        nock: "^14.0.10",
        sinon: "^21.0.0",
-        typescript: "^5.9.2"
+        typescript: "^5.9.3"
      },
      overrides: {
        "@actions/tool-cache": {
@@ -33745,14 +33768,14 @@ var require_dist_node14 = __commonJS({
    var __toCommonJS2 = (mod) => __copyProps2(__defProp2({}, "__esModule", { value: true }), mod);
    var dist_src_exports = {};
    __export2(dist_src_exports, {
-      RequestError: () => RequestError
+      RequestError: () => RequestError2
    });
    module2.exports = __toCommonJS2(dist_src_exports);
    var import_deprecation = require_dist_node3();
    var import_once = __toESM2(require_once());
    var logOnceCode = (0, import_once.default)((deprecation) => console.warn(deprecation));
    var logOnceHeaders = (0, import_once.default)((deprecation) => console.warn(deprecation));
-    var RequestError = class extends Error {
+    var RequestError2 = class extends Error {
      constructor(message, statusCode, options) {
        super(message);
        if (Error.captureStackTrace) {
@@ -33854,7 +33877,7 @@ var require_dist_node15 = __commonJS({
      throw error2;
    }
    var import_light = __toESM2(require_light());
-    var import_request_error = require_dist_node14();
+    var import_request_error2 = require_dist_node14();
    async function wrapRequest(state, octokit, request, options) {
      const limiter = new import_light.default();
      limiter.on("failed", function(error2, info5) {
@@ -33875,7 +33898,7 @@ var require_dist_node15 = __commonJS({
      if (response.data && response.data.errors && response.data.errors.length > 0 && /Something went wrong while executing your query/.test(
        response.data.errors[0].message
      )) {
-        const error2 = new import_request_error.RequestError(response.data.errors[0].message, 500, {
+        const error2 = new import_request_error2.RequestError(response.data.errors[0].message, 500, {
          request: options,
          response
        });
@@ -36110,13 +36133,13 @@ var require_semver3 = __commonJS({
    function patch(a, loose) {
      return new SemVer(a, loose).patch;
    }
-    exports2.compare = compare2;
-    function compare2(a, b, loose) {
+    exports2.compare = compare3;
+    function compare3(a, b, loose) {
      return new SemVer(a, loose).compare(new SemVer(b, loose));
    }
    exports2.compareLoose = compareLoose;
    function compareLoose(a, b) {
-      return compare2(a, b, true);
+      return compare3(a, b, true);
    }
    exports2.compareBuild = compareBuild;
    function compareBuild(a, b, loose) {
@@ -36126,7 +36149,7 @@ var require_semver3 = __commonJS({
    }
    exports2.rcompare = rcompare;
    function rcompare(a, b, loose) {
-      return compare2(b, a, loose);
+      return compare3(b, a, loose);
    }
    exports2.sort = sort;
    function sort(list, loose) {
@@ -36142,27 +36165,27 @@ var require_semver3 = __commonJS({
    }
    exports2.gt = gt;
    function gt(a, b, loose) {
-      return compare2(a, b, loose) > 0;
+      return compare3(a, b, loose) > 0;
    }
    exports2.lt = lt;
    function lt(a, b, loose) {
-      return compare2(a, b, loose) < 0;
+      return compare3(a, b, loose) < 0;
    }
    exports2.eq = eq;
    function eq(a, b, loose) {
-      return compare2(a, b, loose) === 0;
+      return compare3(a, b, loose) === 0;
    }
    exports2.neq = neq;
    function neq(a, b, loose) {
-      return compare2(a, b, loose) !== 0;
+      return compare3(a, b, loose) !== 0;
    }
    exports2.gte = gte5;
    function gte5(a, b, loose) {
-      return compare2(a, b, loose) >= 0;
+      return compare3(a, b, loose) >= 0;
    }
    exports2.lte = lte;
    function lte(a, b, loose) {
-      return compare2(a, b, loose) <= 0;
+      return compare3(a, b, loose) <= 0;
    }
    exports2.cmp = cmp;
    function cmp(a, op, b, loose) {
@@ -101672,8 +101695,8 @@ var require_commonjs16 = __commonJS({
        if (rootPath === this.root.name) {
          return this.root;
        }
-        for (const [compare2, root] of Object.entries(this.roots)) {
-          if (this.sameRoot(rootPath, compare2)) {
+        for (const [compare3, root] of Object.entries(this.roots)) {
+          if (this.sameRoot(rootPath, compare3)) {
            return this.roots[rootPath] = root;
          }
        }
@@ -101682,9 +101705,9 @@ var require_commonjs16 = __commonJS({
      /**
       * @internal
       */
-      sameRoot(rootPath, compare2 = this.root.name) {
+      sameRoot(rootPath, compare3 = this.root.name) {
        rootPath = rootPath.toUpperCase().replace(/\//g, "\\").replace(uncDriveRegexp, "$1\\");
-        return rootPath === compare2;
+        return rootPath === compare3;
      }
    };
    exports2.PathWin32 = PathWin32;
@@ -105703,7 +105726,7 @@ var require_b4a = __commonJS({
    function byteLength(string, encoding) {
      return Buffer.byteLength(string, encoding);
    }
-    function compare2(a, b) {
+    function compare3(a, b) {
      return Buffer.compare(a, b);
    }
    function concat(buffers, totalLength) {
@@ -105804,7 +105827,7 @@ var require_b4a = __commonJS({
      allocUnsafe,
      allocUnsafeSlow,
      byteLength,
-      compare: compare2,
+      compare: compare3,
      concat,
      copy,
      equals: equals2,
@@ -111944,7 +111967,7 @@ var require_dist_node17 = __commonJS({
    var once2 = _interopDefault(require_once());
    var logOnceCode = once2((deprecation2) => console.warn(deprecation2));
    var logOnceHeaders = once2((deprecation2) => console.warn(deprecation2));
-    var RequestError = class extends Error {
+    var RequestError2 = class extends Error {
      constructor(message, statusCode, options) {
        super(message);
        if (Error.captureStackTrace) {
@@ -111982,7 +112005,7 @@ var require_dist_node17 = __commonJS({
        });
      }
    };
-    exports2.RequestError = RequestError;
+    exports2.RequestError = RequestError2;
  }
 });

@@ -128072,6 +128095,9 @@ function isGoodVersion(versionSpec) {
 function isInTestMode() {
  return process.env["CODEQL_ACTION_TEST_MODE" /* TEST_MODE */] === "true";
 }
+function shouldSkipSarifUpload() {
+  return isInTestMode() || process.env["CODEQL_ACTION_SKIP_SARIF_UPLOAD" /* SKIP_SARIF_UPLOAD */] === "true";
+}
 function getTestingEnvironment() {
  const testingEnvironment = process.env["CODEQL_ACTION_TESTING_ENVIRONMENT" /* TESTING_ENVIRONMENT */] || "";
  if (testingEnvironment === "") {
@@ -128337,9 +128363,12 @@ function getWorkflowRunAttempt() {
 function isSelfHostedRunner() {
  return process.env.RUNNER_ENVIRONMENT === "self-hosted";
 }
-function isDefaultSetup() {
+function isDynamicWorkflow() {
  return getWorkflowEventName() === "dynamic";
 }
+function isDefaultSetup() {
+  return isDynamicWorkflow();
+}
 function prettyPrintInvocation(cmd, args) {
  return [cmd, ...args].map((x) => x.includes(" ") ? `'${x}'` : x).join(" ");
 }
@@ -128595,6 +128624,45 @@ var path13 = __toESM(require("path"));
 var core10 = __toESM(require_core());
 var toolrunner3 = __toESM(require_toolrunner());

+// node_modules/@octokit/request-error/dist-src/index.js
+var RequestError = class extends Error {
+  name;
+  /**
+   * http status code
+   */
+  status;
+  /**
+   * Request options that lead to the error.
+   */
+  request;
+  /**
+   * Response object if a response was received
+   */
+  response;
+  constructor(message, statusCode, options) {
+    super(message);
+    this.name = "HttpError";
+    this.status = Number.parseInt(statusCode);
+    if (Number.isNaN(this.status)) {
+      this.status = 0;
+    }
+    if ("response" in options) {
+      this.response = options.response;
+    }
+    const requestCopy = Object.assign({}, options.request);
+    if (options.request.headers.authorization) {
+      requestCopy.headers = Object.assign({}, options.request.headers, {
+        authorization: options.request.headers.authorization.replace(
+          /(?<! ) .*$/,
+          " [REDACTED]"
+        )
+      });
+    }
+    requestCopy.url = requestCopy.url.replace(/\bclient_secret=\w+/g, "client_secret=[REDACTED]").replace(/\baccess_token=\w+/g, "access_token=[REDACTED]");
+    this.request = requestCopy;
+  }
+};
+
 // src/cli-errors.ts
 var SUPPORTED_PLATFORMS = [
  ["linux", "x64"],
@@ -128881,8 +128949,8 @@ var path8 = __toESM(require("path"));
 var semver4 = __toESM(require_semver2());

 // src/defaults.json
-var bundleVersion = "codeql-bundle-v2.23.2";
-var cliVersion = "2.23.2";
+var bundleVersion = "codeql-bundle-v2.23.3";
+var cliVersion = "2.23.3";

 // src/overlay-database-utils.ts
 var fs6 = __toESM(require("fs"));
@@ -129187,6 +129255,11 @@ var DEFAULT_VERSION_FEATURE_FLAG_PREFIX = "default_codeql_version_";
 var DEFAULT_VERSION_FEATURE_FLAG_SUFFIX = "_enabled";
 var CODEQL_VERSION_ZSTD_BUNDLE = "2.19.0";
 var featureConfig = {
+  ["allow_toolcache_input" /* AllowToolcacheInput */]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_ALLOW_TOOLCACHE_INPUT",
+    minimumVersion: void 0
+  },
  ["cleanup_trap_caches" /* CleanupTrapCaches */]: {
    defaultValue: false,
    envVar: "CODEQL_ACTION_CLEANUP_TRAP_CACHES",
@@ -129713,6 +129786,9 @@ function appendExtraQueryExclusions(extraQueryExclusions, cliConfig) {
  }
  return augmentedConfig;
 }
+function isCodeScanningEnabled(config) {
+  return config.analysisKinds.includes("code-scanning" /* CodeScanning */);
+}

 // src/setup-codeql.ts
 var fs12 = __toESM(require("fs"));
@@ -130093,6 +130169,7 @@ var CODEQL_NIGHTLIES_REPOSITORY_OWNER = "dsp-testing";
 var CODEQL_NIGHTLIES_REPOSITORY_NAME = "codeql-cli-nightlies";
 var CODEQL_BUNDLE_VERSION_ALIAS = ["linked", "latest"];
 var CODEQL_NIGHTLY_TOOLS_INPUTS = ["nightly", "nightly-latest"];
+var CODEQL_TOOLCACHE_INPUT = "toolcache";
 function getCodeQLBundleExtension(compressionMethod) {
  switch (compressionMethod) {
    case "gzip":
@@ -130234,7 +130311,7 @@ async function findOverridingToolsInCache(humanReadableVersion, logger) {
  }
  return void 0;
 }
-async function getCodeQLSource(toolsInput, defaultCliVersion, apiDetails, variant, tarSupportsZstd, logger) {
+async function getCodeQLSource(toolsInput, defaultCliVersion, apiDetails, variant, tarSupportsZstd, features, logger) {
  if (toolsInput && !isReservedToolsValue(toolsInput) && !toolsInput.startsWith("http")) {
    logger.info(`Using CodeQL CLI from local path ${toolsInput}`);
    const compressionMethod2 = inferCompressionMethod(toolsInput);
@@ -130271,6 +130348,40 @@ async function getCodeQLSource(toolsInput, defaultCliVersion, apiDetails, varian
        "`tools: latest` has been renamed to `tools: linked`, but the old name is still supported. No action is required."
      );
    }
+  } else if (toolsInput !== void 0 && toolsInput === CODEQL_TOOLCACHE_INPUT) {
+    let latestToolcacheVersion;
+    const allowToolcacheValueFF = await features.getValue(
+      "allow_toolcache_input" /* AllowToolcacheInput */
+    );
+    const allowToolcacheValue = allowToolcacheValueFF && (isDynamicWorkflow() || isInTestMode());
+    if (allowToolcacheValue) {
+      logger.info(
+        `Attempting to use the latest CodeQL CLI version in the toolcache, as requested by 'tools: ${toolsInput}'.`
+      );
+      latestToolcacheVersion = getLatestToolcacheVersion(logger);
+      if (latestToolcacheVersion) {
+        cliVersion2 = latestToolcacheVersion;
+      }
+    }
+    if (latestToolcacheVersion === void 0) {
+      if (allowToolcacheValue) {
+        logger.info(
+          `Found no CodeQL CLI in the toolcache, ignoring 'tools: ${toolsInput}'...`
+        );
+      } else {
+        if (allowToolcacheValueFF) {
+          logger.warning(
+            `Ignoring 'tools: ${toolsInput}' because the workflow was not triggered dynamically.`
+          );
+        } else {
+          logger.info(
+            `Ignoring 'tools: ${toolsInput}' because the feature is not enabled.`
+          );
+        }
+      }
+      cliVersion2 = defaultCliVersion.cliVersion;
+      tagName = defaultCliVersion.tagName;
+    }
  } else if (toolsInput !== void 0) {
    tagName = tryGetTagNameFromUrl(toolsInput, logger);
    url2 = toolsInput;
@@ -130479,7 +130590,7 @@ function getCanonicalToolcacheVersion(cliVersion2, bundleVersion2, logger) {
  }
  return cliVersion2;
 }
-async function setupCodeQLBundle(toolsInput, apiDetails, tempDir, variant, defaultCliVersion, logger) {
+async function setupCodeQLBundle(toolsInput, apiDetails, tempDir, variant, defaultCliVersion, features, logger) {
  if (!await isBinaryAccessible("tar", logger)) {
    throw new ConfigurationError(
      "Could not find tar in PATH, so unable to extract CodeQL bundle."
@@ -130492,6 +130603,7 @@ async function setupCodeQLBundle(toolsInput, apiDetails, tempDir, variant, defau
    apiDetails,
    variant,
    zstdAvailability.available,
+    features,
    logger
  );
  let codeqlFolder;
@@ -130577,8 +130689,24 @@ async function getNightlyToolsUrl(logger) {
    );
  }
 }
+function getLatestToolcacheVersion(logger) {
+  const allVersions = toolcache3.findAllVersions("CodeQL").sort((a, b) => semver7.compare(b, a));
+  logger.debug(
+    `Found the following versions of the CodeQL tools in the toolcache: ${JSON.stringify(
+      allVersions
+    )}.`
+  );
+  if (allVersions.length > 0) {
+    const latestToolcacheVersion = allVersions[0];
+    logger.info(
+      `CLI version ${latestToolcacheVersion} is the latest version in the toolcache.`
+    );
+    return latestToolcacheVersion;
+  }
+  return void 0;
+}
 function isReservedToolsValue(tools) {
-  return CODEQL_BUNDLE_VERSION_ALIAS.includes(tools) || CODEQL_NIGHTLY_TOOLS_INPUTS.includes(tools);
+  return CODEQL_BUNDLE_VERSION_ALIAS.includes(tools) || CODEQL_NIGHTLY_TOOLS_INPUTS.includes(tools) || tools === CODEQL_TOOLCACHE_INPUT;
 }

 // src/tracer-config.ts
@@ -130600,7 +130728,7 @@ var GHES_VERSION_MOST_RECENTLY_DEPRECATED = "3.13";
 var GHES_MOST_RECENT_DEPRECATION_DATE = "2025-06-19";
 var EXTRACTION_DEBUG_MODE_VERBOSITY = "progress++";
 var CODEQL_VERSION_CACHE_CLEANUP = "2.17.1";
-async function setupCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliVersion, logger, checkVersion) {
+async function setupCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliVersion, features, logger, checkVersion) {
  try {
    const {
      codeqlFolder,
@@ -130614,6 +130742,7 @@ async function setupCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliV
      tempDir,
      variant,
      defaultCliVersion,
+      features,
      logger
    );
    logger.debug(
@@ -130638,7 +130767,8 @@ async function setupCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliV
      zstdAvailability
    };
  } catch (e) {
-    const ErrorClass = e instanceof ConfigurationError || e instanceof Error && e.message.includes("ENOSPC") ? ConfigurationError : Error;
+    const ErrorClass = e instanceof ConfigurationError || e instanceof Error && e.message.includes("ENOSPC") || // out of disk space
+    e instanceof RequestError && e.status === 429 ? ConfigurationError : Error;
    throw new ErrorClass(
      `Unable to download and extract CodeQL CLI: ${getErrorMessage(e)}${e instanceof Error && e.stack ? `

@@ -131539,7 +131669,7 @@ async function createStatusReportBase(actionName, status, actionStartedAt, confi
      action_ref: actionRef,
      action_started_at: actionStartedAt.toISOString(),
      action_version: getActionVersion(),
-      analysis_kinds: config?.analysisKinds.join(","),
+      analysis_kinds: config?.analysisKinds?.join(","),
      analysis_key,
      build_mode: config?.buildMode,
      commit_oid: commitOid,
@@ -131562,7 +131692,7 @@ async function createStatusReportBase(actionName, status, actionStartedAt, confi
      logger.warning(`Could not determine the workflow event name: ${e}.`);
    }
    if (config) {
-      statusReport.languages = config.languages.join(",");
+      statusReport.languages = config.languages?.join(",");
    }
    if (diskInfo) {
      statusReport.runner_available_disk_space_bytes = diskInfo.numAvailableBytes;
@@ -132240,7 +132370,7 @@ LongPrototype.greaterThanOrEqual = function greaterThanOrEqual(other) {
 };
 LongPrototype.gte = LongPrototype.greaterThanOrEqual;
 LongPrototype.ge = LongPrototype.greaterThanOrEqual;
-LongPrototype.compare = function compare(other) {
+LongPrototype.compare = function compare2(other) {
  if (!isLong(other)) other = fromValue(other);
  if (this.eq(other)) return 0;
  var thisNeg = this.isNegative(), otherNeg = other.isNegative();
@@ -132791,7 +132921,7 @@ async function addFingerprints(sarif, sourceRoot, logger) {
 // src/init.ts
 var toolrunner4 = __toESM(require_toolrunner());
 var io6 = __toESM(require_io());
-async function initCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliVersion, logger) {
+async function initCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliVersion, features, logger) {
  logger.startGroup("Setup CodeQL tools");
  const {
    codeql,
@@ -132805,6 +132935,7 @@ async function initCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliVe
    tempDir,
    variant,
    defaultCliVersion,
+    features,
    logger,
    true
  );
@@ -132951,6 +133082,7 @@ async function combineSarifFilesUsingCLI(sarifFiles, gitHubVersion, features, lo
      tempDir,
      gitHubVersion.type,
      codeQLDefaultVersionInfo,
+      features,
      logger
    );
    codeQL = initCodeQLResult.codeql;
@@ -133006,23 +133138,23 @@ function getAutomationID2(category, analysis_key, environment) {
  }
  return computeAutomationID(analysis_key, environment);
 }
-async function uploadPayload(payload, repositoryNwo, logger, target) {
+async function uploadPayload(payload, repositoryNwo, logger, analysis) {
  logger.info("Uploading results");
-  if (isInTestMode()) {
+  if (shouldSkipSarifUpload()) {
    const payloadSaveFile = path17.join(
      getTemporaryDirectory(),
-      "payload.json"
+      `payload-${analysis.kind}.json`
    );
    logger.info(
-      `In test mode. Results are not uploaded. Saving to ${payloadSaveFile}`
+      `SARIF upload disabled by an environment variable. Saving to ${payloadSaveFile}`
    );
    logger.info(`Payload: ${JSON.stringify(payload, null, 2)}`);
    fs17.writeFileSync(payloadSaveFile, JSON.stringify(payload, null, 2));
-    return "test-mode-sarif-id";
+    return "dummy-sarif-id";
  }
  const client = getApiClient();
  try {
-    const response = await client.request(target, {
+    const response = await client.request(analysis.target, {
      owner: repositoryNwo.owner,
      repo: repositoryNwo.repo,
      data: payload
@@ -133256,7 +133388,7 @@ async function uploadSpecifiedFiles(sarifPaths, checkoutPath, category, features
    payload,
    getRepositoryNwo(),
    logger,
-    uploadTarget.target
+    uploadTarget
  );
  logger.endGroup();
  return {
@@ -133585,7 +133717,7 @@ async function maybeUploadFailedSarif(config, repositoryNwo, features, logger) {
  const shouldUpload = getUploadInputOrThrow(workflow, jobName, matrix);
  if (!["always", "failure-only"].includes(
    getUploadValue(shouldUpload)
-  ) || isInTestMode()) {
+  ) || shouldSkipSarifUpload()) {
    return { upload_failed_run_skipped_because: "SARIF upload is disabled" };
  }
  const category = getCategoryInputOrThrow(workflow, jobName, matrix);
@@ -133621,6 +133753,11 @@ async function tryUploadSarifIfRunFailed(config, repositoryNwo, features, logger
      "CODEQL_ACTION_JOB_STATUS" /* JOB_STATUS */,
      process.env["CODEQL_ACTION_JOB_STATUS" /* JOB_STATUS */] ?? "JOB_STATUS_CONFIGURATION_ERROR" /* ConfigErrorStatus */
    );
+    if (!isCodeScanningEnabled(config)) {
+      return {
+        upload_failed_run_skipped_because: "Code Scanning is not enabled."
+      };
+    }
    try {
      return await maybeUploadFailedSarif(
        config,
@@ -19971,6 +19971,9 @@ var require_identifiers = __commonJS({
    "use strict";
    var numeric = /^[0-9]+$/;
    var compareIdentifiers = (a, b) => {
+      if (typeof a === "number" && typeof b === "number") {
+        return a === b ? 0 : a < b ? -1 : 1;
+      }
      const anum = numeric.test(a);
      const bnum = numeric.test(b);
      if (anum && bnum) {
@@ -20077,7 +20080,25 @@ var require_semver = __commonJS({
        if (!(other instanceof _SemVer)) {
          other = new _SemVer(other, this.options);
        }
-        return compareIdentifiers(this.major, other.major) || compareIdentifiers(this.minor, other.minor) || compareIdentifiers(this.patch, other.patch);
+        if (this.major < other.major) {
+          return -1;
+        }
+        if (this.major > other.major) {
+          return 1;
+        }
+        if (this.minor < other.minor) {
+          return -1;
+        }
+        if (this.minor > other.minor) {
+          return 1;
+        }
+        if (this.patch < other.patch) {
+          return -1;
+        }
+        if (this.patch > other.patch) {
+          return 1;
+        }
+        return 0;
      }
      comparePre(other) {
        if (!(other instanceof _SemVer)) {
@@ -20412,8 +20433,8 @@ var require_compare = __commonJS({
  "node_modules/semver/functions/compare.js"(exports2, module2) {
    "use strict";
    var SemVer = require_semver();
-    var compare = (a, b, loose) => new SemVer(a, loose).compare(new SemVer(b, loose));
-    module2.exports = compare;
+    var compare2 = (a, b, loose) => new SemVer(a, loose).compare(new SemVer(b, loose));
+    module2.exports = compare2;
  }
 });

@@ -20421,8 +20442,8 @@ var require_compare = __commonJS({
 var require_rcompare = __commonJS({
  "node_modules/semver/functions/rcompare.js"(exports2, module2) {
    "use strict";
-    var compare = require_compare();
-    var rcompare = (a, b, loose) => compare(b, a, loose);
+    var compare2 = require_compare();
+    var rcompare = (a, b, loose) => compare2(b, a, loose);
    module2.exports = rcompare;
  }
 });
@@ -20431,8 +20452,8 @@ var require_rcompare = __commonJS({
 var require_compare_loose = __commonJS({
  "node_modules/semver/functions/compare-loose.js"(exports2, module2) {
    "use strict";
-    var compare = require_compare();
-    var compareLoose = (a, b) => compare(a, b, true);
+    var compare2 = require_compare();
+    var compareLoose = (a, b) => compare2(a, b, true);
    module2.exports = compareLoose;
  }
 });
@@ -20475,8 +20496,8 @@ var require_rsort = __commonJS({
 var require_gt = __commonJS({
  "node_modules/semver/functions/gt.js"(exports2, module2) {
    "use strict";
-    var compare = require_compare();
-    var gt = (a, b, loose) => compare(a, b, loose) > 0;
+    var compare2 = require_compare();
+    var gt = (a, b, loose) => compare2(a, b, loose) > 0;
    module2.exports = gt;
  }
 });
@@ -20485,8 +20506,8 @@ var require_gt = __commonJS({
 var require_lt = __commonJS({
  "node_modules/semver/functions/lt.js"(exports2, module2) {
    "use strict";
-    var compare = require_compare();
-    var lt2 = (a, b, loose) => compare(a, b, loose) < 0;
+    var compare2 = require_compare();
+    var lt2 = (a, b, loose) => compare2(a, b, loose) < 0;
    module2.exports = lt2;
  }
 });
@@ -20495,8 +20516,8 @@ var require_lt = __commonJS({
 var require_eq = __commonJS({
  "node_modules/semver/functions/eq.js"(exports2, module2) {
    "use strict";
-    var compare = require_compare();
-    var eq = (a, b, loose) => compare(a, b, loose) === 0;
+    var compare2 = require_compare();
+    var eq = (a, b, loose) => compare2(a, b, loose) === 0;
    module2.exports = eq;
  }
 });
@@ -20505,8 +20526,8 @@ var require_eq = __commonJS({
 var require_neq = __commonJS({
  "node_modules/semver/functions/neq.js"(exports2, module2) {
    "use strict";
-    var compare = require_compare();
-    var neq = (a, b, loose) => compare(a, b, loose) !== 0;
+    var compare2 = require_compare();
+    var neq = (a, b, loose) => compare2(a, b, loose) !== 0;
    module2.exports = neq;
  }
 });
@@ -20515,8 +20536,8 @@ var require_neq = __commonJS({
 var require_gte = __commonJS({
  "node_modules/semver/functions/gte.js"(exports2, module2) {
    "use strict";
-    var compare = require_compare();
-    var gte5 = (a, b, loose) => compare(a, b, loose) >= 0;
+    var compare2 = require_compare();
+    var gte5 = (a, b, loose) => compare2(a, b, loose) >= 0;
    module2.exports = gte5;
  }
 });
@@ -20525,8 +20546,8 @@ var require_gte = __commonJS({
 var require_lte = __commonJS({
  "node_modules/semver/functions/lte.js"(exports2, module2) {
    "use strict";
-    var compare = require_compare();
-    var lte = (a, b, loose) => compare(a, b, loose) <= 0;
+    var compare2 = require_compare();
+    var lte = (a, b, loose) => compare2(a, b, loose) <= 0;
    module2.exports = lte;
  }
 });
@@ -20838,6 +20859,7 @@ var require_range = __commonJS({
      return result;
    };
    var parseComparator = (comp, options) => {
+      comp = comp.replace(re[t.BUILD], "");
      debug3("comp", comp, options);
      comp = replaceCarets(comp, options);
      debug3("caret", comp);
@@ -21422,12 +21444,12 @@ var require_simplify = __commonJS({
  "node_modules/semver/ranges/simplify.js"(exports2, module2) {
    "use strict";
    var satisfies2 = require_satisfies();
-    var compare = require_compare();
+    var compare2 = require_compare();
    module2.exports = (versions, range, options) => {
      const set2 = [];
      let first = null;
      let prev = null;
-      const v = versions.sort((a, b) => compare(a, b, options));
+      const v = versions.sort((a, b) => compare2(a, b, options));
      for (const version of v) {
        const included = satisfies2(version, range, options);
        if (included) {
@@ -21475,7 +21497,7 @@ var require_subset = __commonJS({
    var Comparator = require_comparator();
    var { ANY } = Comparator;
    var satisfies2 = require_satisfies();
-    var compare = require_compare();
+    var compare2 = require_compare();
    var subset = (sub, dom, options = {}) => {
      if (sub === dom) {
        return true;
@@ -21535,7 +21557,7 @@ var require_subset = __commonJS({
      }
      let gtltComp;
      if (gt && lt2) {
-        gtltComp = compare(gt.semver, lt2.semver, options);
+        gtltComp = compare2(gt.semver, lt2.semver, options);
        if (gtltComp > 0) {
          return null;
        } else if (gtltComp === 0 && (gt.operator !== ">=" || lt2.operator !== "<=")) {
@@ -21615,14 +21637,14 @@ var require_subset = __commonJS({
      if (!a) {
        return b;
      }
-      const comp = compare(a.semver, b.semver, options);
+      const comp = compare2(a.semver, b.semver, options);
      return comp > 0 ? a : comp < 0 ? b : b.operator === ">" && a.operator === ">=" ? b : a;
    };
    var lowerLT = (a, b, options) => {
      if (!a) {
        return b;
      }
-      const comp = compare(a.semver, b.semver, options);
+      const comp = compare2(a.semver, b.semver, options);
      return comp < 0 ? a : comp > 0 ? b : b.operator === "<" && a.operator === "<=" ? b : a;
    };
    module2.exports = subset;
@@ -21646,7 +21668,7 @@ var require_semver2 = __commonJS({
    var minor = require_minor();
    var patch = require_patch();
    var prerelease = require_prerelease();
-    var compare = require_compare();
+    var compare2 = require_compare();
    var rcompare = require_rcompare();
    var compareLoose = require_compare_loose();
    var compareBuild = require_compare_build();
@@ -21684,7 +21706,7 @@ var require_semver2 = __commonJS({
      minor,
      patch,
      prerelease,
-      compare,
+      compare: compare2,
      rcompare,
      compareLoose,
      compareBuild,
@@ -22510,14 +22532,14 @@ var require_dist_node4 = __commonJS({
    var __toCommonJS2 = (mod) => __copyProps2(__defProp2({}, "__esModule", { value: true }), mod);
    var dist_src_exports = {};
    __export2(dist_src_exports, {
-      RequestError: () => RequestError
+      RequestError: () => RequestError2
    });
    module2.exports = __toCommonJS2(dist_src_exports);
    var import_deprecation = require_dist_node3();
    var import_once = __toESM2(require_once());
    var logOnceCode = (0, import_once.default)((deprecation) => console.warn(deprecation));
    var logOnceHeaders = (0, import_once.default)((deprecation) => console.warn(deprecation));
-    var RequestError = class extends Error {
+    var RequestError2 = class extends Error {
      constructor(message, statusCode, options) {
        super(message);
        if (Error.captureStackTrace) {
@@ -22609,7 +22631,7 @@ var require_dist_node5 = __commonJS({
      const Ctor = Object.prototype.hasOwnProperty.call(proto, "constructor") && proto.constructor;
      return typeof Ctor === "function" && Ctor instanceof Ctor && Function.prototype.call(Ctor) === Function.prototype.call(value);
    }
-    var import_request_error = require_dist_node4();
+    var import_request_error2 = require_dist_node4();
    function getBufferResponse(response) {
      return response.arrayBuffer();
    }
@@ -22661,7 +22683,7 @@ var require_dist_node5 = __commonJS({
          if (status < 400) {
            return;
          }
-          throw new import_request_error.RequestError(response.statusText, status, {
+          throw new import_request_error2.RequestError(response.statusText, status, {
            response: {
              url,
              status,
@@ -22672,7 +22694,7 @@ var require_dist_node5 = __commonJS({
          });
        }
        if (status === 304) {
-          throw new import_request_error.RequestError("Not modified", status, {
+          throw new import_request_error2.RequestError("Not modified", status, {
            response: {
              url,
              status,
@@ -22684,7 +22706,7 @@ var require_dist_node5 = __commonJS({
        }
        if (status >= 400) {
          const data = await getResponseData(response);
-          const error2 = new import_request_error.RequestError(toErrorMessage(data), status, {
+          const error2 = new import_request_error2.RequestError(toErrorMessage(data), status, {
            response: {
              url,
              status,
@@ -22704,7 +22726,7 @@ var require_dist_node5 = __commonJS({
          data
        };
      }).catch((error2) => {
-        if (error2 instanceof import_request_error.RequestError)
+        if (error2 instanceof import_request_error2.RequestError)
          throw error2;
        else if (error2.name === "AbortError")
          throw error2;
@@ -22716,7 +22738,7 @@ var require_dist_node5 = __commonJS({
            message = error2.cause;
          }
        }
-        throw new import_request_error.RequestError(message, 500, {
+        throw new import_request_error2.RequestError(message, 500, {
          request: requestOptions
        });
      });
@@ -23158,14 +23180,14 @@ var require_dist_node7 = __commonJS({
    var __toCommonJS2 = (mod) => __copyProps2(__defProp2({}, "__esModule", { value: true }), mod);
    var dist_src_exports = {};
    __export2(dist_src_exports, {
-      RequestError: () => RequestError
+      RequestError: () => RequestError2
    });
    module2.exports = __toCommonJS2(dist_src_exports);
    var import_deprecation = require_dist_node3();
    var import_once = __toESM2(require_once());
    var logOnceCode = (0, import_once.default)((deprecation) => console.warn(deprecation));
    var logOnceHeaders = (0, import_once.default)((deprecation) => console.warn(deprecation));
-    var RequestError = class extends Error {
+    var RequestError2 = class extends Error {
      constructor(message, statusCode, options) {
        super(message);
        if (Error.captureStackTrace) {
@@ -23257,7 +23279,7 @@ var require_dist_node8 = __commonJS({
      const Ctor = Object.prototype.hasOwnProperty.call(proto, "constructor") && proto.constructor;
      return typeof Ctor === "function" && Ctor instanceof Ctor && Function.prototype.call(Ctor) === Function.prototype.call(value);
    }
-    var import_request_error = require_dist_node7();
+    var import_request_error2 = require_dist_node7();
    function getBufferResponse(response) {
      return response.arrayBuffer();
    }
@@ -23309,7 +23331,7 @@ var require_dist_node8 = __commonJS({
          if (status < 400) {
            return;
          }
-          throw new import_request_error.RequestError(response.statusText, status, {
+          throw new import_request_error2.RequestError(response.statusText, status, {
            response: {
              url,
              status,
@@ -23320,7 +23342,7 @@ var require_dist_node8 = __commonJS({
          });
        }
        if (status === 304) {
-          throw new import_request_error.RequestError("Not modified", status, {
+          throw new import_request_error2.RequestError("Not modified", status, {
            response: {
              url,
              status,
@@ -23332,7 +23354,7 @@ var require_dist_node8 = __commonJS({
        }
        if (status >= 400) {
          const data = await getResponseData(response);
-          const error2 = new import_request_error.RequestError(toErrorMessage(data), status, {
+          const error2 = new import_request_error2.RequestError(toErrorMessage(data), status, {
            response: {
              url,
              status,
@@ -23352,7 +23374,7 @@ var require_dist_node8 = __commonJS({
          data
        };
      }).catch((error2) => {
-        if (error2 instanceof import_request_error.RequestError)
+        if (error2 instanceof import_request_error2.RequestError)
          throw error2;
        else if (error2.name === "AbortError")
          throw error2;
@@ -23364,7 +23386,7 @@ var require_dist_node8 = __commonJS({
            message = error2.cause;
          }
        }
-        throw new import_request_error.RequestError(message, 500, {
+        throw new import_request_error2.RequestError(message, 500, {
          request: requestOptions
        });
      });
@@ -26947,7 +26969,7 @@ var require_to_regex_range = __commonJS({
        stop = countZeros(max + 1, zeros) - 1;
      }
      stops = [...stops];
-      stops.sort(compare);
+      stops.sort(compare2);
      return stops;
    }
    function rangeToPattern(start, stop, options) {
@@ -27019,7 +27041,7 @@ var require_to_regex_range = __commonJS({
      for (let i = 0; i < a.length; i++) arr.push([a[i], b[i]]);
      return arr;
    }
-    function compare(a, b) {
+    function compare2(a, b) {
      return a > b ? 1 : b > a ? -1 : 0;
    }
    function contains(arr, key, val2) {
@@ -32287,7 +32309,7 @@ var require_package = __commonJS({
  "package.json"(exports2, module2) {
    module2.exports = {
      name: "codeql",
-      version: "3.30.7",
+      version: "4.30.9",
      private: true,
      description: "CodeQL action",
      scripts: {
@@ -32322,6 +32344,7 @@ var require_package = __commonJS({
        "@actions/io": "^1.1.3",
        "@actions/tool-cache": "^2.0.2",
        "@octokit/plugin-retry": "^6.0.0",
+        "@octokit/request-error": "^7.0.1",
        "@schemastore/package": "0.0.10",
        archiver: "^7.0.1",
        "check-disk-space": "^3.4.0",
@@ -32335,14 +32358,14 @@ var require_package = __commonJS({
        long: "^5.3.2",
        "node-forge": "^1.3.1",
        octokit: "^5.0.3",
-        semver: "^7.7.2",
+        semver: "^7.7.3",
        uuid: "^13.0.0"
      },
      devDependencies: {
        "@ava/typescript": "6.0.0",
        "@eslint/compat": "^1.4.0",
        "@eslint/eslintrc": "^3.3.1",
-        "@eslint/js": "^9.36.0",
+        "@eslint/js": "^9.37.0",
        "@microsoft/eslint-formatter-sarif": "^3.1.0",
        "@octokit/types": "^15.0.0",
        "@types/archiver": "^6.0.3",
@@ -32353,7 +32376,7 @@ var require_package = __commonJS({
        "@types/node-forge": "^1.3.14",
        "@types/semver": "^7.7.1",
        "@types/sinon": "^17.0.4",
-        "@typescript-eslint/eslint-plugin": "^8.44.1",
+        "@typescript-eslint/eslint-plugin": "^8.46.0",
        "@typescript-eslint/parser": "^8.41.0",
        ava: "^6.4.1",
        esbuild: "^0.25.10",
@@ -32366,7 +32389,7 @@ var require_package = __commonJS({
        glob: "^11.0.3",
        nock: "^14.0.10",
        sinon: "^21.0.0",
-        typescript: "^5.9.2"
+        typescript: "^5.9.3"
      },
      overrides: {
        "@actions/tool-cache": {
@@ -33745,14 +33768,14 @@ var require_dist_node14 = __commonJS({
    var __toCommonJS2 = (mod) => __copyProps2(__defProp2({}, "__esModule", { value: true }), mod);
    var dist_src_exports = {};
    __export2(dist_src_exports, {
-      RequestError: () => RequestError
+      RequestError: () => RequestError2
    });
    module2.exports = __toCommonJS2(dist_src_exports);
    var import_deprecation = require_dist_node3();
    var import_once = __toESM2(require_once());
    var logOnceCode = (0, import_once.default)((deprecation) => console.warn(deprecation));
    var logOnceHeaders = (0, import_once.default)((deprecation) => console.warn(deprecation));
-    var RequestError = class extends Error {
+    var RequestError2 = class extends Error {
      constructor(message, statusCode, options) {
        super(message);
        if (Error.captureStackTrace) {
@@ -33854,7 +33877,7 @@ var require_dist_node15 = __commonJS({
      throw error2;
    }
    var import_light = __toESM2(require_light());
-    var import_request_error = require_dist_node14();
+    var import_request_error2 = require_dist_node14();
    async function wrapRequest(state, octokit, request, options) {
      const limiter = new import_light.default();
      limiter.on("failed", function(error2, info4) {
@@ -33875,7 +33898,7 @@ var require_dist_node15 = __commonJS({
      if (response.data && response.data.errors && response.data.errors.length > 0 && /Something went wrong while executing your query/.test(
        response.data.errors[0].message
      )) {
-        const error2 = new import_request_error.RequestError(response.data.errors[0].message, 500, {
+        const error2 = new import_request_error2.RequestError(response.data.errors[0].message, 500, {
          request: options,
          response
        });
@@ -36110,13 +36133,13 @@ var require_semver3 = __commonJS({
    function patch(a, loose) {
      return new SemVer(a, loose).patch;
    }
-    exports2.compare = compare;
-    function compare(a, b, loose) {
+    exports2.compare = compare2;
+    function compare2(a, b, loose) {
      return new SemVer(a, loose).compare(new SemVer(b, loose));
    }
    exports2.compareLoose = compareLoose;
    function compareLoose(a, b) {
-      return compare(a, b, true);
+      return compare2(a, b, true);
    }
    exports2.compareBuild = compareBuild;
    function compareBuild(a, b, loose) {
@@ -36126,7 +36149,7 @@ var require_semver3 = __commonJS({
    }
    exports2.rcompare = rcompare;
    function rcompare(a, b, loose) {
-      return compare(b, a, loose);
+      return compare2(b, a, loose);
    }
    exports2.sort = sort;
    function sort(list, loose) {
@@ -36142,27 +36165,27 @@ var require_semver3 = __commonJS({
    }
    exports2.gt = gt;
    function gt(a, b, loose) {
-      return compare(a, b, loose) > 0;
+      return compare2(a, b, loose) > 0;
    }
    exports2.lt = lt2;
    function lt2(a, b, loose) {
-      return compare(a, b, loose) < 0;
+      return compare2(a, b, loose) < 0;
    }
    exports2.eq = eq;
    function eq(a, b, loose) {
-      return compare(a, b, loose) === 0;
+      return compare2(a, b, loose) === 0;
    }
    exports2.neq = neq;
    function neq(a, b, loose) {
-      return compare(a, b, loose) !== 0;
+      return compare2(a, b, loose) !== 0;
    }
    exports2.gte = gte5;
    function gte5(a, b, loose) {
-      return compare(a, b, loose) >= 0;
+      return compare2(a, b, loose) >= 0;
    }
    exports2.lte = lte;
    function lte(a, b, loose) {
-      return compare(a, b, loose) <= 0;
+      return compare2(a, b, loose) <= 0;
    }
    exports2.cmp = cmp;
    function cmp(a, op, b, loose) {
@@ -85943,9 +85966,12 @@ var getFileType = async (filePath) => {
 function isSelfHostedRunner() {
  return process.env.RUNNER_ENVIRONMENT === "self-hosted";
 }
-function isDefaultSetup() {
+function isDynamicWorkflow() {
  return getWorkflowEventName() === "dynamic";
 }
+function isDefaultSetup() {
+  return isDynamicWorkflow();
+}
 function prettyPrintInvocation(cmd, args) {
  return [cmd, ...args].map((x) => x.includes(" ") ? `'${x}'` : x).join(" ");
 }
@@ -86036,6 +86062,50 @@ function isAnalyzingPullRequest() {
  return getPullRequestBranches() !== void 0;
 }

+// src/analyses.ts
+var AnalysisKind = /* @__PURE__ */ ((AnalysisKind3) => {
+  AnalysisKind3["CodeScanning"] = "code-scanning";
+  AnalysisKind3["CodeQuality"] = "code-quality";
+  return AnalysisKind3;
+})(AnalysisKind || {});
+var supportedAnalysisKinds = new Set(Object.values(AnalysisKind));
+async function parseAnalysisKinds(input) {
+  const components = input.split(",");
+  if (components.length < 1) {
+    throw new ConfigurationError(
+      "At least one analysis kind must be configured."
+    );
+  }
+  for (const component of components) {
+    if (!supportedAnalysisKinds.has(component)) {
+      throw new ConfigurationError(`Unknown analysis kind: ${component}`);
+    }
+  }
+  return Array.from(
+    new Set(components.map((component) => component))
+  );
+}
+var cachedAnalysisKinds;
+async function getAnalysisKinds(logger, skipCache = false) {
+  if (!skipCache && cachedAnalysisKinds !== void 0) {
+    return cachedAnalysisKinds;
+  }
+  cachedAnalysisKinds = await parseAnalysisKinds(
+    getRequiredInput("analysis-kinds")
+  );
+  const qualityQueriesInput = getOptionalInput("quality-queries");
+  if (qualityQueriesInput !== void 0) {
+    logger.warning(
+      "The `quality-queries` input is deprecated and will be removed in a future version of the CodeQL Action. Use the `analysis-kinds` input to configure different analysis kinds instead."
+    );
+  }
+  if (!cachedAnalysisKinds.includes("code-quality" /* CodeQuality */) && qualityQueriesInput !== void 0) {
+    cachedAnalysisKinds.push("code-quality" /* CodeQuality */);
+  }
+  return cachedAnalysisKinds;
+}
+var codeQualityQueries = ["code-quality"];
+
 // src/api-client.ts
 var core5 = __toESM(require_core());
 var githubUtils = __toESM(require_utils4());
@@ -86228,31 +86298,6 @@ var fs9 = __toESM(require("fs"));
 var path11 = __toESM(require("path"));
 var import_perf_hooks = require("perf_hooks");

-// src/analyses.ts
-var AnalysisKind = /* @__PURE__ */ ((AnalysisKind2) => {
-  AnalysisKind2["CodeScanning"] = "code-scanning";
-  AnalysisKind2["CodeQuality"] = "code-quality";
-  return AnalysisKind2;
-})(AnalysisKind || {});
-var supportedAnalysisKinds = new Set(Object.values(AnalysisKind));
-async function parseAnalysisKinds(input) {
-  const components = input.split(",");
-  if (components.length < 1) {
-    throw new ConfigurationError(
-      "At least one analysis kind must be configured."
-    );
-  }
-  for (const component of components) {
-    if (!supportedAnalysisKinds.has(component)) {
-      throw new ConfigurationError(`Unknown analysis kind: ${component}`);
-    }
-  }
-  return Array.from(
-    new Set(components.map((component) => component))
-  );
-}
-var codeQualityQueries = ["code-quality"];
-
 // src/config/db-config.ts
 var path7 = __toESM(require("path"));
 var semver2 = __toESM(require_semver2());
@@ -86563,8 +86608,8 @@ var path9 = __toESM(require("path"));
 var semver4 = __toESM(require_semver2());

 // src/defaults.json
-var bundleVersion = "codeql-bundle-v2.23.2";
-var cliVersion = "2.23.2";
+var bundleVersion = "codeql-bundle-v2.23.3";
+var cliVersion = "2.23.3";

 // src/overlay-database-utils.ts
 var crypto = __toESM(require("crypto"));
@@ -86977,6 +87022,11 @@ var DEFAULT_VERSION_FEATURE_FLAG_PREFIX = "default_codeql_version_";
 var DEFAULT_VERSION_FEATURE_FLAG_SUFFIX = "_enabled";
 var CODEQL_VERSION_ZSTD_BUNDLE = "2.19.0";
 var featureConfig = {
+  ["allow_toolcache_input" /* AllowToolcacheInput */]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_ALLOW_TOOLCACHE_INPUT",
+    minimumVersion: void 0
+  },
  ["cleanup_trap_caches" /* CleanupTrapCaches */]: {
    defaultValue: false,
    envVar: "CODEQL_ACTION_CLEANUP_TRAP_CACHES",
@@ -87660,10 +87710,8 @@ async function getRawLanguages(languagesInput, repository, sourceRoot, logger) {
  };
 }
 async function initActionState({
-  analysisKindsInput,
  languagesInput,
  queriesInput,
-  qualityQueriesInput,
  packsInput,
  buildModeInput,
  dbLocation,
@@ -87679,12 +87727,9 @@ async function initActionState({
  githubVersion,
  features,
  repositoryProperties,
+  analysisKinds,
  logger
 }, userConfig) {
-  const analysisKinds = await parseAnalysisKinds(analysisKindsInput);
-  if (!analysisKinds.includes("code-quality" /* CodeQuality */) && qualityQueriesInput !== void 0) {
-    analysisKinds.push("code-quality" /* CodeQuality */);
-  }
  const languages = await getLanguages(
    codeql,
    languagesInput,
@@ -87860,7 +87905,13 @@ async function getOverlayDatabaseMode(codeql, repository, features, languages, s
    return nonOverlayAnalysis;
  }
  if (buildMode !== "none" /* None */ && (await Promise.all(
-    languages.map(async (l) => await codeql.isTracedLanguage(l))
+    languages.map(
+      async (l) => l !== "go" /* go */ && // Workaround to allow overlay analysis for Go with any build
+      // mode, since it does not yet support BMN. The Go autobuilder and/or extractor will
+      // ensure that overlay-base databases are only created for supported Go build setups,
+      // and that we'll fall back to full databases in other cases.
+      await codeql.isTracedLanguage(l)
+    )
  )).some(Boolean)) {
    logger.warning(
      `Cannot build an ${overlayDatabaseMode} database because build-mode is set to "${buildMode}" instead of "none". Falling back to creating a normal full database instead.`
@@ -88324,6 +88375,45 @@ var path16 = __toESM(require("path"));
 var core10 = __toESM(require_core());
 var toolrunner3 = __toESM(require_toolrunner());

+// node_modules/@octokit/request-error/dist-src/index.js
+var RequestError = class extends Error {
+  name;
+  /**
+   * http status code
+   */
+  status;
+  /**
+   * Request options that lead to the error.
+   */
+  request;
+  /**
+   * Response object if a response was received
+   */
+  response;
+  constructor(message, statusCode, options) {
+    super(message);
+    this.name = "HttpError";
+    this.status = Number.parseInt(statusCode);
+    if (Number.isNaN(this.status)) {
+      this.status = 0;
+    }
+    if ("response" in options) {
+      this.response = options.response;
+    }
+    const requestCopy = Object.assign({}, options.request);
+    if (options.request.headers.authorization) {
+      requestCopy.headers = Object.assign({}, options.request.headers, {
+        authorization: options.request.headers.authorization.replace(
+          /(?<! ) .*$/,
+          " [REDACTED]"
+        )
+      });
+    }
+    requestCopy.url = requestCopy.url.replace(/\bclient_secret=\w+/g, "client_secret=[REDACTED]").replace(/\baccess_token=\w+/g, "access_token=[REDACTED]");
+    this.request = requestCopy;
+  }
+};
+
 // src/cli-errors.ts
 var SUPPORTED_PLATFORMS = [
  ["linux", "x64"],
@@ -88886,6 +88976,7 @@ var CODEQL_NIGHTLIES_REPOSITORY_OWNER = "dsp-testing";
 var CODEQL_NIGHTLIES_REPOSITORY_NAME = "codeql-cli-nightlies";
 var CODEQL_BUNDLE_VERSION_ALIAS = ["linked", "latest"];
 var CODEQL_NIGHTLY_TOOLS_INPUTS = ["nightly", "nightly-latest"];
+var CODEQL_TOOLCACHE_INPUT = "toolcache";
 function getCodeQLBundleExtension(compressionMethod) {
  switch (compressionMethod) {
    case "gzip":
@@ -89027,7 +89118,7 @@ async function findOverridingToolsInCache(humanReadableVersion, logger) {
  }
  return void 0;
 }
-async function getCodeQLSource(toolsInput, defaultCliVersion, apiDetails, variant, tarSupportsZstd, logger) {
+async function getCodeQLSource(toolsInput, defaultCliVersion, apiDetails, variant, tarSupportsZstd, features, logger) {
  if (toolsInput && !isReservedToolsValue(toolsInput) && !toolsInput.startsWith("http")) {
    logger.info(`Using CodeQL CLI from local path ${toolsInput}`);
    const compressionMethod2 = inferCompressionMethod(toolsInput);
@@ -89064,6 +89155,40 @@ async function getCodeQLSource(toolsInput, defaultCliVersion, apiDetails, varian
        "`tools: latest` has been renamed to `tools: linked`, but the old name is still supported. No action is required."
      );
    }
+  } else if (toolsInput !== void 0 && toolsInput === CODEQL_TOOLCACHE_INPUT) {
+    let latestToolcacheVersion;
+    const allowToolcacheValueFF = await features.getValue(
+      "allow_toolcache_input" /* AllowToolcacheInput */
+    );
+    const allowToolcacheValue = allowToolcacheValueFF && (isDynamicWorkflow() || isInTestMode());
+    if (allowToolcacheValue) {
+      logger.info(
+        `Attempting to use the latest CodeQL CLI version in the toolcache, as requested by 'tools: ${toolsInput}'.`
+      );
+      latestToolcacheVersion = getLatestToolcacheVersion(logger);
+      if (latestToolcacheVersion) {
+        cliVersion2 = latestToolcacheVersion;
+      }
+    }
+    if (latestToolcacheVersion === void 0) {
+      if (allowToolcacheValue) {
+        logger.info(
+          `Found no CodeQL CLI in the toolcache, ignoring 'tools: ${toolsInput}'...`
+        );
+      } else {
+        if (allowToolcacheValueFF) {
+          logger.warning(
+            `Ignoring 'tools: ${toolsInput}' because the workflow was not triggered dynamically.`
+          );
+        } else {
+          logger.info(
+            `Ignoring 'tools: ${toolsInput}' because the feature is not enabled.`
+          );
+        }
+      }
+      cliVersion2 = defaultCliVersion.cliVersion;
+      tagName = defaultCliVersion.tagName;
+    }
  } else if (toolsInput !== void 0) {
    tagName = tryGetTagNameFromUrl(toolsInput, logger);
    url = toolsInput;
@@ -89272,7 +89397,7 @@ function getCanonicalToolcacheVersion(cliVersion2, bundleVersion2, logger) {
  }
  return cliVersion2;
 }
-async function setupCodeQLBundle(toolsInput, apiDetails, tempDir, variant, defaultCliVersion, logger) {
+async function setupCodeQLBundle(toolsInput, apiDetails, tempDir, variant, defaultCliVersion, features, logger) {
  if (!await isBinaryAccessible("tar", logger)) {
    throw new ConfigurationError(
      "Could not find tar in PATH, so unable to extract CodeQL bundle."
@@ -89285,6 +89410,7 @@ async function setupCodeQLBundle(toolsInput, apiDetails, tempDir, variant, defau
    apiDetails,
    variant,
    zstdAvailability.available,
+    features,
    logger
  );
  let codeqlFolder;
@@ -89370,8 +89496,24 @@ async function getNightlyToolsUrl(logger) {
    );
  }
 }
+function getLatestToolcacheVersion(logger) {
+  const allVersions = toolcache3.findAllVersions("CodeQL").sort((a, b) => semver7.compare(b, a));
+  logger.debug(
+    `Found the following versions of the CodeQL tools in the toolcache: ${JSON.stringify(
+      allVersions
+    )}.`
+  );
+  if (allVersions.length > 0) {
+    const latestToolcacheVersion = allVersions[0];
+    logger.info(
+      `CLI version ${latestToolcacheVersion} is the latest version in the toolcache.`
+    );
+    return latestToolcacheVersion;
+  }
+  return void 0;
+}
 function isReservedToolsValue(tools) {
-  return CODEQL_BUNDLE_VERSION_ALIAS.includes(tools) || CODEQL_NIGHTLY_TOOLS_INPUTS.includes(tools);
+  return CODEQL_BUNDLE_VERSION_ALIAS.includes(tools) || CODEQL_NIGHTLY_TOOLS_INPUTS.includes(tools) || tools === CODEQL_TOOLCACHE_INPUT;
 }

 // src/tracer-config.ts
@@ -89415,7 +89557,7 @@ var GHES_VERSION_MOST_RECENTLY_DEPRECATED = "3.13";
 var GHES_MOST_RECENT_DEPRECATION_DATE = "2025-06-19";
 var EXTRACTION_DEBUG_MODE_VERBOSITY = "progress++";
 var CODEQL_VERSION_CACHE_CLEANUP = "2.17.1";
-async function setupCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliVersion, logger, checkVersion) {
+async function setupCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliVersion, features, logger, checkVersion) {
  try {
    const {
      codeqlFolder,
@@ -89429,6 +89571,7 @@ async function setupCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliV
      tempDir,
      variant,
      defaultCliVersion,
+      features,
      logger
    );
    logger.debug(
@@ -89453,7 +89596,8 @@ async function setupCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliV
      zstdAvailability
    };
  } catch (e) {
-    const ErrorClass = e instanceof ConfigurationError || e instanceof Error && e.message.includes("ENOSPC") ? ConfigurationError : Error;
+    const ErrorClass = e instanceof ConfigurationError || e instanceof Error && e.message.includes("ENOSPC") || // out of disk space
+    e instanceof RequestError && e.status === 429 ? ConfigurationError : Error;
    throw new ErrorClass(
      `Unable to download and extract CodeQL CLI: ${getErrorMessage(e)}${e instanceof Error && e.stack ? `

@@ -90001,7 +90145,7 @@ async function getJobRunUuidSarifOptions(codeql) {
 }

 // src/init.ts
-async function initCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliVersion, logger) {
+async function initCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliVersion, features, logger) {
  logger.startGroup("Setup CodeQL tools");
  const {
    codeql,
@@ -90015,6 +90159,7 @@ async function initCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliVe
    tempDir,
    variant,
    defaultCliVersion,
+    features,
    logger,
    true
  );
@@ -90214,7 +90359,7 @@ async function createStatusReportBase(actionName, status, actionStartedAt, confi
      action_ref: actionRef,
      action_started_at: actionStartedAt.toISOString(),
      action_version: getActionVersion(),
-      analysis_kinds: config?.analysisKinds.join(","),
+      analysis_kinds: config?.analysisKinds?.join(","),
      analysis_key,
      build_mode: config?.buildMode,
      commit_oid: commitOid,
@@ -90237,7 +90382,7 @@ async function createStatusReportBase(actionName, status, actionStartedAt, confi
      logger.warning(`Could not determine the workflow event name: ${e}.`);
    }
    if (config) {
-      statusReport.languages = config.languages.join(",");
+      statusReport.languages = config.languages?.join(",");
    }
    if (diskInfo) {
      statusReport.runner_available_disk_space_bytes = diskInfo.numAvailableBytes;
@@ -90552,6 +90697,19 @@ async function getWorkflowAbsolutePath(logger) {
 }

 // src/init-action.ts
+async function sendStartingStatusReport(startedAt, config, logger) {
+  const statusReportBase = await createStatusReportBase(
+    "init" /* Init */,
+    "starting",
+    startedAt,
+    config,
+    await checkDiskUsage(logger),
+    logger
+  );
+  if (statusReportBase !== void 0) {
+    await sendStatusReport(statusReportBase);
+  }
+}
 async function sendCompletedStatusReport(startedAt, config, configFile, toolsDownloadStatusReport, toolsFeatureFlagsValid, toolsSource, toolsVersion, overlayBaseDatabaseStats, dependencyCachingResults, logger, error2) {
  const statusReportBase = await createStatusReportBase(
    "init" /* Init */,
@@ -90642,16 +90800,19 @@ async function run() {
    getOptionalInput("source-root") || ""
  );
  try {
-    const statusReportBase = await createStatusReportBase(
-      "init" /* Init */,
-      "starting",
-      startedAt,
-      config,
-      await checkDiskUsage(logger),
-      logger
-    );
-    if (statusReportBase !== void 0) {
-      await sendStatusReport(statusReportBase);
+    let analysisKinds;
+    try {
+      analysisKinds = await getAnalysisKinds(logger);
+    } catch (err) {
+      logger.debug(
+        `Failed to parse analysis kinds for 'starting' status report: ${getErrorMessage(err)}`
+      );
+    }
+    await sendStartingStatusReport(startedAt, { analysisKinds }, logger);
+    if (process.env["CODEQL_ACTION_SETUP_CODEQL_HAS_RUN" /* SETUP_CODEQL_ACTION_HAS_RUN */] === "true") {
+      throw new ConfigurationError(
+        `The 'init' action should not be run in the same workflow as 'setup-codeql'.`
+      );
    }
    const codeQLDefaultVersionInfo = await features.getDefaultCliVersion(
      gitHubVersion.type
@@ -90663,6 +90824,7 @@ async function run() {
      getTemporaryDirectory(),
      gitHubVersion.type,
      codeQLDefaultVersionInfo,
+      features,
      logger
    );
    codeql = initCodeQLResult.codeql;
@@ -90698,17 +90860,11 @@ async function run() {
        logger.info("Experimental Rust analysis enabled");
      }
    }
-    const qualityQueriesInput = getOptionalInput("quality-queries");
-    if (qualityQueriesInput !== void 0) {
-      logger.warning(
-        "The `quality-queries` input is deprecated and will be removed in a future version of the CodeQL Action. Use the `analysis-kinds` input to configure different analysis kinds instead."
-      );
-    }
+    analysisKinds = await getAnalysisKinds(logger);
    config = await initConfig2({
-      analysisKindsInput: getRequiredInput("analysis-kinds"),
+      analysisKinds,
      languagesInput: getOptionalInput("languages"),
      queriesInput: getOptionalInput("queries"),
-      qualityQueriesInput,
      packsInput: getOptionalInput("packs"),
      buildModeInput: getOptionalInput("build-mode"),
      configFile,
@@ -24680,6 +24680,9 @@ var require_identifiers = __commonJS({
    "use strict";
    var numeric = /^[0-9]+$/;
    var compareIdentifiers = (a, b) => {
+      if (typeof a === "number" && typeof b === "number") {
+        return a === b ? 0 : a < b ? -1 : 1;
+      }
      const anum = numeric.test(a);
      const bnum = numeric.test(b);
      if (anum && bnum) {
@@ -24786,7 +24789,25 @@ var require_semver = __commonJS({
        if (!(other instanceof _SemVer)) {
          other = new _SemVer(other, this.options);
        }
-        return compareIdentifiers(this.major, other.major) || compareIdentifiers(this.minor, other.minor) || compareIdentifiers(this.patch, other.patch);
+        if (this.major < other.major) {
+          return -1;
+        }
+        if (this.major > other.major) {
+          return 1;
+        }
+        if (this.minor < other.minor) {
+          return -1;
+        }
+        if (this.minor > other.minor) {
+          return 1;
+        }
+        if (this.patch < other.patch) {
+          return -1;
+        }
+        if (this.patch > other.patch) {
+          return 1;
+        }
+        return 0;
      }
      comparePre(other) {
        if (!(other instanceof _SemVer)) {
@@ -25121,8 +25142,8 @@ var require_compare = __commonJS({
  "node_modules/semver/functions/compare.js"(exports2, module2) {
    "use strict";
    var SemVer = require_semver();
-    var compare = (a, b, loose) => new SemVer(a, loose).compare(new SemVer(b, loose));
-    module2.exports = compare;
+    var compare2 = (a, b, loose) => new SemVer(a, loose).compare(new SemVer(b, loose));
+    module2.exports = compare2;
  }
 });

@@ -25130,8 +25151,8 @@ var require_compare = __commonJS({
 var require_rcompare = __commonJS({
  "node_modules/semver/functions/rcompare.js"(exports2, module2) {
    "use strict";
-    var compare = require_compare();
-    var rcompare = (a, b, loose) => compare(b, a, loose);
+    var compare2 = require_compare();
+    var rcompare = (a, b, loose) => compare2(b, a, loose);
    module2.exports = rcompare;
  }
 });
@@ -25140,8 +25161,8 @@ var require_rcompare = __commonJS({
 var require_compare_loose = __commonJS({
  "node_modules/semver/functions/compare-loose.js"(exports2, module2) {
    "use strict";
-    var compare = require_compare();
-    var compareLoose = (a, b) => compare(a, b, true);
+    var compare2 = require_compare();
+    var compareLoose = (a, b) => compare2(a, b, true);
    module2.exports = compareLoose;
  }
 });
@@ -25184,8 +25205,8 @@ var require_rsort = __commonJS({
 var require_gt = __commonJS({
  "node_modules/semver/functions/gt.js"(exports2, module2) {
    "use strict";
-    var compare = require_compare();
-    var gt = (a, b, loose) => compare(a, b, loose) > 0;
+    var compare2 = require_compare();
+    var gt = (a, b, loose) => compare2(a, b, loose) > 0;
    module2.exports = gt;
  }
 });
@@ -25194,8 +25215,8 @@ var require_gt = __commonJS({
 var require_lt = __commonJS({
  "node_modules/semver/functions/lt.js"(exports2, module2) {
    "use strict";
-    var compare = require_compare();
-    var lt = (a, b, loose) => compare(a, b, loose) < 0;
+    var compare2 = require_compare();
+    var lt = (a, b, loose) => compare2(a, b, loose) < 0;
    module2.exports = lt;
  }
 });
@@ -25204,8 +25225,8 @@ var require_lt = __commonJS({
 var require_eq = __commonJS({
  "node_modules/semver/functions/eq.js"(exports2, module2) {
    "use strict";
-    var compare = require_compare();
-    var eq = (a, b, loose) => compare(a, b, loose) === 0;
+    var compare2 = require_compare();
+    var eq = (a, b, loose) => compare2(a, b, loose) === 0;
    module2.exports = eq;
  }
 });
@@ -25214,8 +25235,8 @@ var require_eq = __commonJS({
 var require_neq = __commonJS({
  "node_modules/semver/functions/neq.js"(exports2, module2) {
    "use strict";
-    var compare = require_compare();
-    var neq = (a, b, loose) => compare(a, b, loose) !== 0;
+    var compare2 = require_compare();
+    var neq = (a, b, loose) => compare2(a, b, loose) !== 0;
    module2.exports = neq;
  }
 });
@@ -25224,8 +25245,8 @@ var require_neq = __commonJS({
 var require_gte = __commonJS({
  "node_modules/semver/functions/gte.js"(exports2, module2) {
    "use strict";
-    var compare = require_compare();
-    var gte5 = (a, b, loose) => compare(a, b, loose) >= 0;
+    var compare2 = require_compare();
+    var gte5 = (a, b, loose) => compare2(a, b, loose) >= 0;
    module2.exports = gte5;
  }
 });
@@ -25234,8 +25255,8 @@ var require_gte = __commonJS({
 var require_lte = __commonJS({
  "node_modules/semver/functions/lte.js"(exports2, module2) {
    "use strict";
-    var compare = require_compare();
-    var lte = (a, b, loose) => compare(a, b, loose) <= 0;
+    var compare2 = require_compare();
+    var lte = (a, b, loose) => compare2(a, b, loose) <= 0;
    module2.exports = lte;
  }
 });
@@ -25547,6 +25568,7 @@ var require_range = __commonJS({
      return result;
    };
    var parseComparator = (comp, options) => {
+      comp = comp.replace(re[t.BUILD], "");
      debug3("comp", comp, options);
      comp = replaceCarets(comp, options);
      debug3("caret", comp);
@@ -26131,12 +26153,12 @@ var require_simplify = __commonJS({
  "node_modules/semver/ranges/simplify.js"(exports2, module2) {
    "use strict";
    var satisfies2 = require_satisfies();
-    var compare = require_compare();
+    var compare2 = require_compare();
    module2.exports = (versions, range, options) => {
      const set2 = [];
      let first = null;
      let prev = null;
-      const v = versions.sort((a, b) => compare(a, b, options));
+      const v = versions.sort((a, b) => compare2(a, b, options));
      for (const version of v) {
        const included = satisfies2(version, range, options);
        if (included) {
@@ -26184,7 +26206,7 @@ var require_subset = __commonJS({
    var Comparator = require_comparator();
    var { ANY } = Comparator;
    var satisfies2 = require_satisfies();
-    var compare = require_compare();
+    var compare2 = require_compare();
    var subset = (sub, dom, options = {}) => {
      if (sub === dom) {
        return true;
@@ -26244,7 +26266,7 @@ var require_subset = __commonJS({
      }
      let gtltComp;
      if (gt && lt) {
-        gtltComp = compare(gt.semver, lt.semver, options);
+        gtltComp = compare2(gt.semver, lt.semver, options);
        if (gtltComp > 0) {
          return null;
        } else if (gtltComp === 0 && (gt.operator !== ">=" || lt.operator !== "<=")) {
@@ -26324,14 +26346,14 @@ var require_subset = __commonJS({
      if (!a) {
        return b;
      }
-      const comp = compare(a.semver, b.semver, options);
+      const comp = compare2(a.semver, b.semver, options);
      return comp > 0 ? a : comp < 0 ? b : b.operator === ">" && a.operator === ">=" ? b : a;
    };
    var lowerLT = (a, b, options) => {
      if (!a) {
        return b;
      }
-      const comp = compare(a.semver, b.semver, options);
+      const comp = compare2(a.semver, b.semver, options);
      return comp < 0 ? a : comp > 0 ? b : b.operator === "<" && a.operator === "<=" ? b : a;
    };
    module2.exports = subset;
@@ -26355,7 +26377,7 @@ var require_semver2 = __commonJS({
    var minor = require_minor();
    var patch = require_patch();
    var prerelease = require_prerelease();
-    var compare = require_compare();
+    var compare2 = require_compare();
    var rcompare = require_rcompare();
    var compareLoose = require_compare_loose();
    var compareBuild = require_compare_build();
@@ -26393,7 +26415,7 @@ var require_semver2 = __commonJS({
      minor,
      patch,
      prerelease,
-      compare,
+      compare: compare2,
      rcompare,
      compareLoose,
      compareBuild,
@@ -26438,7 +26460,7 @@ var require_package = __commonJS({
  "package.json"(exports2, module2) {
    module2.exports = {
      name: "codeql",
-      version: "3.30.7",
+      version: "4.30.9",
      private: true,
      description: "CodeQL action",
      scripts: {
@@ -26473,6 +26495,7 @@ var require_package = __commonJS({
        "@actions/io": "^1.1.3",
        "@actions/tool-cache": "^2.0.2",
        "@octokit/plugin-retry": "^6.0.0",
+        "@octokit/request-error": "^7.0.1",
        "@schemastore/package": "0.0.10",
        archiver: "^7.0.1",
        "check-disk-space": "^3.4.0",
@@ -26486,14 +26509,14 @@ var require_package = __commonJS({
        long: "^5.3.2",
        "node-forge": "^1.3.1",
        octokit: "^5.0.3",
-        semver: "^7.7.2",
+        semver: "^7.7.3",
        uuid: "^13.0.0"
      },
      devDependencies: {
        "@ava/typescript": "6.0.0",
        "@eslint/compat": "^1.4.0",
        "@eslint/eslintrc": "^3.3.1",
-        "@eslint/js": "^9.36.0",
+        "@eslint/js": "^9.37.0",
        "@microsoft/eslint-formatter-sarif": "^3.1.0",
        "@octokit/types": "^15.0.0",
        "@types/archiver": "^6.0.3",
@@ -26504,7 +26527,7 @@ var require_package = __commonJS({
        "@types/node-forge": "^1.3.14",
        "@types/semver": "^7.7.1",
        "@types/sinon": "^17.0.4",
-        "@typescript-eslint/eslint-plugin": "^8.44.1",
+        "@typescript-eslint/eslint-plugin": "^8.46.0",
        "@typescript-eslint/parser": "^8.41.0",
        ava: "^6.4.1",
        esbuild: "^0.25.10",
@@ -26517,7 +26540,7 @@ var require_package = __commonJS({
        glob: "^11.0.3",
        nock: "^14.0.10",
        sinon: "^21.0.0",
-        typescript: "^5.9.2"
+        typescript: "^5.9.3"
      },
      overrides: {
        "@actions/tool-cache": {
@@ -30261,13 +30284,13 @@ var require_semver3 = __commonJS({
    function patch(a, loose) {
      return new SemVer(a, loose).patch;
    }
-    exports2.compare = compare;
-    function compare(a, b, loose) {
+    exports2.compare = compare2;
+    function compare2(a, b, loose) {
      return new SemVer(a, loose).compare(new SemVer(b, loose));
    }
    exports2.compareLoose = compareLoose;
    function compareLoose(a, b) {
-      return compare(a, b, true);
+      return compare2(a, b, true);
    }
    exports2.compareBuild = compareBuild;
    function compareBuild(a, b, loose) {
@@ -30277,7 +30300,7 @@ var require_semver3 = __commonJS({
    }
    exports2.rcompare = rcompare;
    function rcompare(a, b, loose) {
-      return compare(b, a, loose);
+      return compare2(b, a, loose);
    }
    exports2.sort = sort;
    function sort(list, loose) {
@@ -30293,27 +30316,27 @@ var require_semver3 = __commonJS({
    }
    exports2.gt = gt;
    function gt(a, b, loose) {
-      return compare(a, b, loose) > 0;
+      return compare2(a, b, loose) > 0;
    }
    exports2.lt = lt;
    function lt(a, b, loose) {
-      return compare(a, b, loose) < 0;
+      return compare2(a, b, loose) < 0;
    }
    exports2.eq = eq;
    function eq(a, b, loose) {
-      return compare(a, b, loose) === 0;
+      return compare2(a, b, loose) === 0;
    }
    exports2.neq = neq;
    function neq(a, b, loose) {
-      return compare(a, b, loose) !== 0;
+      return compare2(a, b, loose) !== 0;
    }
    exports2.gte = gte5;
    function gte5(a, b, loose) {
-      return compare(a, b, loose) >= 0;
+      return compare2(a, b, loose) >= 0;
    }
    exports2.lte = lte;
    function lte(a, b, loose) {
-      return compare(a, b, loose) <= 0;
+      return compare2(a, b, loose) <= 0;
    }
    exports2.cmp = cmp;
    function cmp(a, op, b, loose) {
@@ -78534,6 +78557,11 @@ function isSupportedToolsFeature(versionInfo, feature) {

 // src/feature-flags.ts
 var featureConfig = {
+  ["allow_toolcache_input" /* AllowToolcacheInput */]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_ALLOW_TOOLCACHE_INPUT",
+    minimumVersion: void 0
+  },
  ["cleanup_trap_caches" /* CleanupTrapCaches */]: {
    defaultValue: false,
    envVar: "CODEQL_ACTION_CLEANUP_TRAP_CACHES",
@@ -79439,7 +79467,7 @@ async function createStatusReportBase(actionName, status, actionStartedAt, confi
      action_ref: actionRef,
      action_started_at: actionStartedAt.toISOString(),
      action_version: getActionVersion(),
-      analysis_kinds: config?.analysisKinds.join(","),
+      analysis_kinds: config?.analysisKinds?.join(","),
      analysis_key,
      build_mode: config?.buildMode,
      commit_oid: commitOid,
@@ -79462,7 +79490,7 @@ async function createStatusReportBase(actionName, status, actionStartedAt, confi
      logger.warning(`Could not determine the workflow event name: ${e}.`);
    }
    if (config) {
-      statusReport.languages = config.languages.join(",");
+      statusReport.languages = config.languages?.join(",");
    }
    if (diskInfo) {
      statusReport.runner_available_disk_space_bytes = diskInfo.numAvailableBytes;
@@ -24680,6 +24680,9 @@ var require_identifiers = __commonJS({
    "use strict";
    var numeric = /^[0-9]+$/;
    var compareIdentifiers = (a, b) => {
+      if (typeof a === "number" && typeof b === "number") {
+        return a === b ? 0 : a < b ? -1 : 1;
+      }
      const anum = numeric.test(a);
      const bnum = numeric.test(b);
      if (anum && bnum) {
@@ -24786,7 +24789,25 @@ var require_semver = __commonJS({
        if (!(other instanceof _SemVer)) {
          other = new _SemVer(other, this.options);
        }
-        return compareIdentifiers(this.major, other.major) || compareIdentifiers(this.minor, other.minor) || compareIdentifiers(this.patch, other.patch);
+        if (this.major < other.major) {
+          return -1;
+        }
+        if (this.major > other.major) {
+          return 1;
+        }
+        if (this.minor < other.minor) {
+          return -1;
+        }
+        if (this.minor > other.minor) {
+          return 1;
+        }
+        if (this.patch < other.patch) {
+          return -1;
+        }
+        if (this.patch > other.patch) {
+          return 1;
+        }
+        return 0;
      }
      comparePre(other) {
        if (!(other instanceof _SemVer)) {
@@ -25121,8 +25142,8 @@ var require_compare = __commonJS({
  "node_modules/semver/functions/compare.js"(exports2, module2) {
    "use strict";
    var SemVer = require_semver();
-    var compare = (a, b, loose) => new SemVer(a, loose).compare(new SemVer(b, loose));
-    module2.exports = compare;
+    var compare2 = (a, b, loose) => new SemVer(a, loose).compare(new SemVer(b, loose));
+    module2.exports = compare2;
  }
 });

@@ -25130,8 +25151,8 @@ var require_compare = __commonJS({
 var require_rcompare = __commonJS({
  "node_modules/semver/functions/rcompare.js"(exports2, module2) {
    "use strict";
-    var compare = require_compare();
-    var rcompare = (a, b, loose) => compare(b, a, loose);
+    var compare2 = require_compare();
+    var rcompare = (a, b, loose) => compare2(b, a, loose);
    module2.exports = rcompare;
  }
 });
@@ -25140,8 +25161,8 @@ var require_rcompare = __commonJS({
 var require_compare_loose = __commonJS({
  "node_modules/semver/functions/compare-loose.js"(exports2, module2) {
    "use strict";
-    var compare = require_compare();
-    var compareLoose = (a, b) => compare(a, b, true);
+    var compare2 = require_compare();
+    var compareLoose = (a, b) => compare2(a, b, true);
    module2.exports = compareLoose;
  }
 });
@@ -25184,8 +25205,8 @@ var require_rsort = __commonJS({
 var require_gt = __commonJS({
  "node_modules/semver/functions/gt.js"(exports2, module2) {
    "use strict";
-    var compare = require_compare();
-    var gt = (a, b, loose) => compare(a, b, loose) > 0;
+    var compare2 = require_compare();
+    var gt = (a, b, loose) => compare2(a, b, loose) > 0;
    module2.exports = gt;
  }
 });
@@ -25194,8 +25215,8 @@ var require_gt = __commonJS({
 var require_lt = __commonJS({
  "node_modules/semver/functions/lt.js"(exports2, module2) {
    "use strict";
-    var compare = require_compare();
-    var lt = (a, b, loose) => compare(a, b, loose) < 0;
+    var compare2 = require_compare();
+    var lt = (a, b, loose) => compare2(a, b, loose) < 0;
    module2.exports = lt;
  }
 });
@@ -25204,8 +25225,8 @@ var require_lt = __commonJS({
 var require_eq = __commonJS({
  "node_modules/semver/functions/eq.js"(exports2, module2) {
    "use strict";
-    var compare = require_compare();
-    var eq = (a, b, loose) => compare(a, b, loose) === 0;
+    var compare2 = require_compare();
+    var eq = (a, b, loose) => compare2(a, b, loose) === 0;
    module2.exports = eq;
  }
 });
@@ -25214,8 +25235,8 @@ var require_eq = __commonJS({
 var require_neq = __commonJS({
  "node_modules/semver/functions/neq.js"(exports2, module2) {
    "use strict";
-    var compare = require_compare();
-    var neq = (a, b, loose) => compare(a, b, loose) !== 0;
+    var compare2 = require_compare();
+    var neq = (a, b, loose) => compare2(a, b, loose) !== 0;
    module2.exports = neq;
  }
 });
@@ -25224,8 +25245,8 @@ var require_neq = __commonJS({
 var require_gte = __commonJS({
  "node_modules/semver/functions/gte.js"(exports2, module2) {
    "use strict";
-    var compare = require_compare();
-    var gte5 = (a, b, loose) => compare(a, b, loose) >= 0;
+    var compare2 = require_compare();
+    var gte5 = (a, b, loose) => compare2(a, b, loose) >= 0;
    module2.exports = gte5;
  }
 });
@@ -25234,8 +25255,8 @@ var require_gte = __commonJS({
 var require_lte = __commonJS({
  "node_modules/semver/functions/lte.js"(exports2, module2) {
    "use strict";
-    var compare = require_compare();
-    var lte = (a, b, loose) => compare(a, b, loose) <= 0;
+    var compare2 = require_compare();
+    var lte = (a, b, loose) => compare2(a, b, loose) <= 0;
    module2.exports = lte;
  }
 });
@@ -25547,6 +25568,7 @@ var require_range = __commonJS({
      return result;
    };
    var parseComparator = (comp, options) => {
+      comp = comp.replace(re[t.BUILD], "");
      debug2("comp", comp, options);
      comp = replaceCarets(comp, options);
      debug2("caret", comp);
@@ -26131,12 +26153,12 @@ var require_simplify = __commonJS({
  "node_modules/semver/ranges/simplify.js"(exports2, module2) {
    "use strict";
    var satisfies2 = require_satisfies();
-    var compare = require_compare();
+    var compare2 = require_compare();
    module2.exports = (versions, range, options) => {
      const set2 = [];
      let first = null;
      let prev = null;
-      const v = versions.sort((a, b) => compare(a, b, options));
+      const v = versions.sort((a, b) => compare2(a, b, options));
      for (const version of v) {
        const included = satisfies2(version, range, options);
        if (included) {
@@ -26184,7 +26206,7 @@ var require_subset = __commonJS({
    var Comparator = require_comparator();
    var { ANY } = Comparator;
    var satisfies2 = require_satisfies();
-    var compare = require_compare();
+    var compare2 = require_compare();
    var subset = (sub, dom, options = {}) => {
      if (sub === dom) {
        return true;
@@ -26244,7 +26266,7 @@ var require_subset = __commonJS({
      }
      let gtltComp;
      if (gt && lt) {
-        gtltComp = compare(gt.semver, lt.semver, options);
+        gtltComp = compare2(gt.semver, lt.semver, options);
        if (gtltComp > 0) {
          return null;
        } else if (gtltComp === 0 && (gt.operator !== ">=" || lt.operator !== "<=")) {
@@ -26324,14 +26346,14 @@ var require_subset = __commonJS({
      if (!a) {
        return b;
      }
-      const comp = compare(a.semver, b.semver, options);
+      const comp = compare2(a.semver, b.semver, options);
      return comp > 0 ? a : comp < 0 ? b : b.operator === ">" && a.operator === ">=" ? b : a;
    };
    var lowerLT = (a, b, options) => {
      if (!a) {
        return b;
      }
-      const comp = compare(a.semver, b.semver, options);
+      const comp = compare2(a.semver, b.semver, options);
      return comp < 0 ? a : comp > 0 ? b : b.operator === "<" && a.operator === "<=" ? b : a;
    };
    module2.exports = subset;
@@ -26355,7 +26377,7 @@ var require_semver2 = __commonJS({
    var minor = require_minor();
    var patch = require_patch();
    var prerelease = require_prerelease();
-    var compare = require_compare();
+    var compare2 = require_compare();
    var rcompare = require_rcompare();
    var compareLoose = require_compare_loose();
    var compareBuild = require_compare_build();
@@ -26393,7 +26415,7 @@ var require_semver2 = __commonJS({
      minor,
      patch,
      prerelease,
-      compare,
+      compare: compare2,
      rcompare,
      compareLoose,
      compareBuild,
@@ -26438,7 +26460,7 @@ var require_package = __commonJS({
  "package.json"(exports2, module2) {
    module2.exports = {
      name: "codeql",
-      version: "3.30.7",
+      version: "4.30.9",
      private: true,
      description: "CodeQL action",
      scripts: {
@@ -26473,6 +26495,7 @@ var require_package = __commonJS({
        "@actions/io": "^1.1.3",
        "@actions/tool-cache": "^2.0.2",
        "@octokit/plugin-retry": "^6.0.0",
+        "@octokit/request-error": "^7.0.1",
        "@schemastore/package": "0.0.10",
        archiver: "^7.0.1",
        "check-disk-space": "^3.4.0",
@@ -26486,14 +26509,14 @@ var require_package = __commonJS({
        long: "^5.3.2",
        "node-forge": "^1.3.1",
        octokit: "^5.0.3",
-        semver: "^7.7.2",
+        semver: "^7.7.3",
        uuid: "^13.0.0"
      },
      devDependencies: {
        "@ava/typescript": "6.0.0",
        "@eslint/compat": "^1.4.0",
        "@eslint/eslintrc": "^3.3.1",
-        "@eslint/js": "^9.36.0",
+        "@eslint/js": "^9.37.0",
        "@microsoft/eslint-formatter-sarif": "^3.1.0",
        "@octokit/types": "^15.0.0",
        "@types/archiver": "^6.0.3",
@@ -26504,7 +26527,7 @@ var require_package = __commonJS({
        "@types/node-forge": "^1.3.14",
        "@types/semver": "^7.7.1",
        "@types/sinon": "^17.0.4",
-        "@typescript-eslint/eslint-plugin": "^8.44.1",
+        "@typescript-eslint/eslint-plugin": "^8.46.0",
        "@typescript-eslint/parser": "^8.41.0",
        ava: "^6.4.1",
        esbuild: "^0.25.10",
@@ -26517,7 +26540,7 @@ var require_package = __commonJS({
        glob: "^11.0.3",
        nock: "^14.0.10",
        sinon: "^21.0.0",
-        typescript: "^5.9.2"
+        typescript: "^5.9.3"
      },
      overrides: {
        "@actions/tool-cache": {
@@ -30261,13 +30284,13 @@ var require_semver3 = __commonJS({
    function patch(a, loose) {
      return new SemVer(a, loose).patch;
    }
-    exports2.compare = compare;
-    function compare(a, b, loose) {
+    exports2.compare = compare2;
+    function compare2(a, b, loose) {
      return new SemVer(a, loose).compare(new SemVer(b, loose));
    }
    exports2.compareLoose = compareLoose;
    function compareLoose(a, b) {
-      return compare(a, b, true);
+      return compare2(a, b, true);
    }
    exports2.compareBuild = compareBuild;
    function compareBuild(a, b, loose) {
@@ -30277,7 +30300,7 @@ var require_semver3 = __commonJS({
    }
    exports2.rcompare = rcompare;
    function rcompare(a, b, loose) {
-      return compare(b, a, loose);
+      return compare2(b, a, loose);
    }
    exports2.sort = sort;
    function sort(list, loose) {
@@ -30293,27 +30316,27 @@ var require_semver3 = __commonJS({
    }
    exports2.gt = gt;
    function gt(a, b, loose) {
-      return compare(a, b, loose) > 0;
+      return compare2(a, b, loose) > 0;
    }
    exports2.lt = lt;
    function lt(a, b, loose) {
-      return compare(a, b, loose) < 0;
+      return compare2(a, b, loose) < 0;
    }
    exports2.eq = eq;
    function eq(a, b, loose) {
-      return compare(a, b, loose) === 0;
+      return compare2(a, b, loose) === 0;
    }
    exports2.neq = neq;
    function neq(a, b, loose) {
-      return compare(a, b, loose) !== 0;
+      return compare2(a, b, loose) !== 0;
    }
    exports2.gte = gte5;
    function gte5(a, b, loose) {
-      return compare(a, b, loose) >= 0;
+      return compare2(a, b, loose) >= 0;
    }
    exports2.lte = lte;
    function lte(a, b, loose) {
-      return compare(a, b, loose) <= 0;
+      return compare2(a, b, loose) <= 0;
    }
    exports2.cmp = cmp;
    function cmp(a, op, b, loose) {
@@ -94483,8 +94506,8 @@ var require_commonjs16 = __commonJS({
        if (rootPath === this.root.name) {
          return this.root;
        }
-        for (const [compare, root] of Object.entries(this.roots)) {
-          if (this.sameRoot(rootPath, compare)) {
+        for (const [compare2, root] of Object.entries(this.roots)) {
+          if (this.sameRoot(rootPath, compare2)) {
            return this.roots[rootPath] = root;
          }
        }
@@ -94493,9 +94516,9 @@ var require_commonjs16 = __commonJS({
      /**
       * @internal
       */
-      sameRoot(rootPath, compare = this.root.name) {
+      sameRoot(rootPath, compare2 = this.root.name) {
        rootPath = rootPath.toUpperCase().replace(/\//g, "\\").replace(uncDriveRegexp, "$1\\");
-        return rootPath === compare;
+        return rootPath === compare2;
      }
    };
    exports2.PathWin32 = PathWin32;
@@ -98514,7 +98537,7 @@ var require_b4a = __commonJS({
    function byteLength(string, encoding) {
      return Buffer.byteLength(string, encoding);
    }
-    function compare(a, b) {
+    function compare2(a, b) {
      return Buffer.compare(a, b);
    }
    function concat(buffers, totalLength) {
@@ -98615,7 +98638,7 @@ var require_b4a = __commonJS({
      allocUnsafe,
      allocUnsafeSlow,
      byteLength,
-      compare,
+      compare: compare2,
      concat,
      copy,
      equals,
@@ -117214,6 +117237,11 @@ var semver3 = __toESM(require_semver2());

 // src/feature-flags.ts
 var featureConfig = {
+  ["allow_toolcache_input" /* AllowToolcacheInput */]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_ALLOW_TOOLCACHE_INPUT",
+    minimumVersion: void 0
+  },
  ["cleanup_trap_caches" /* CleanupTrapCaches */]: {
    defaultValue: false,
    envVar: "CODEQL_ACTION_CLEANUP_TRAP_CACHES",
@@ -19971,6 +19971,9 @@ var require_identifiers = __commonJS({
    "use strict";
    var numeric = /^[0-9]+$/;
    var compareIdentifiers = (a, b) => {
+      if (typeof a === "number" && typeof b === "number") {
+        return a === b ? 0 : a < b ? -1 : 1;
+      }
      const anum = numeric.test(a);
      const bnum = numeric.test(b);
      if (anum && bnum) {
@@ -20077,7 +20080,25 @@ var require_semver = __commonJS({
        if (!(other instanceof _SemVer)) {
          other = new _SemVer(other, this.options);
        }
-        return compareIdentifiers(this.major, other.major) || compareIdentifiers(this.minor, other.minor) || compareIdentifiers(this.patch, other.patch);
+        if (this.major < other.major) {
+          return -1;
+        }
+        if (this.major > other.major) {
+          return 1;
+        }
+        if (this.minor < other.minor) {
+          return -1;
+        }
+        if (this.minor > other.minor) {
+          return 1;
+        }
+        if (this.patch < other.patch) {
+          return -1;
+        }
+        if (this.patch > other.patch) {
+          return 1;
+        }
+        return 0;
      }
      comparePre(other) {
        if (!(other instanceof _SemVer)) {
@@ -20838,6 +20859,7 @@ var require_range = __commonJS({
      return result;
    };
    var parseComparator = (comp, options) => {
+      comp = comp.replace(re[t.BUILD], "");
      debug3("comp", comp, options);
      comp = replaceCarets(comp, options);
      debug3("caret", comp);
@@ -44974,7 +44996,7 @@ var require_package = __commonJS({
  "package.json"(exports2, module2) {
    module2.exports = {
      name: "codeql",
-      version: "3.30.7",
+      version: "4.30.9",
      private: true,
      description: "CodeQL action",
      scripts: {
@@ -45009,6 +45031,7 @@ var require_package = __commonJS({
        "@actions/io": "^1.1.3",
        "@actions/tool-cache": "^2.0.2",
        "@octokit/plugin-retry": "^6.0.0",
+        "@octokit/request-error": "^7.0.1",
        "@schemastore/package": "0.0.10",
        archiver: "^7.0.1",
        "check-disk-space": "^3.4.0",
@@ -45022,14 +45045,14 @@ var require_package = __commonJS({
        long: "^5.3.2",
        "node-forge": "^1.3.1",
        octokit: "^5.0.3",
-        semver: "^7.7.2",
+        semver: "^7.7.3",
        uuid: "^13.0.0"
      },
      devDependencies: {
        "@ava/typescript": "6.0.0",
        "@eslint/compat": "^1.4.0",
        "@eslint/eslintrc": "^3.3.1",
-        "@eslint/js": "^9.36.0",
+        "@eslint/js": "^9.37.0",
        "@microsoft/eslint-formatter-sarif": "^3.1.0",
        "@octokit/types": "^15.0.0",
        "@types/archiver": "^6.0.3",
@@ -45040,7 +45063,7 @@ var require_package = __commonJS({
        "@types/node-forge": "^1.3.14",
        "@types/semver": "^7.7.1",
        "@types/sinon": "^17.0.4",
-        "@typescript-eslint/eslint-plugin": "^8.44.1",
+        "@typescript-eslint/eslint-plugin": "^8.46.0",
        "@typescript-eslint/parser": "^8.41.0",
        ava: "^6.4.1",
        esbuild: "^0.25.10",
@@ -45053,7 +45076,7 @@ var require_package = __commonJS({
        glob: "^11.0.3",
        nock: "^14.0.10",
        sinon: "^21.0.0",
-        typescript: "^5.9.2"
+        typescript: "^5.9.3"
      },
      overrides: {
        "@actions/tool-cache": {
@@ -95037,8 +95060,8 @@ function getActionsLogger() {
 var core7 = __toESM(require_core());

 // src/defaults.json
-var bundleVersion = "codeql-bundle-v2.23.2";
-var cliVersion = "2.23.2";
+var bundleVersion = "codeql-bundle-v2.23.3";
+var cliVersion = "2.23.3";

 // src/languages.ts
 var KnownLanguage = /* @__PURE__ */ ((KnownLanguage2) => {
@@ -95087,8 +95110,7 @@ var LANGUAGE_TO_REGISTRY_TYPE = {
  rust: ["cargo_registry"],
  go: ["goproxy_server", "git_source"]
 };
-function getCredentials(logger, registrySecrets, registriesCredentials, languageString) {
-  const language = languageString ? parseLanguage(languageString) : void 0;
+function getCredentials(logger, registrySecrets, registriesCredentials, language) {
  const registryTypeForLanguage = language ? LANGUAGE_TO_REGISTRY_TYPE[language] : void 0;
  let credentialsStr;
  if (registriesCredentials !== void 0) {
@@ -95329,6 +95351,11 @@ var semver3 = __toESM(require_semver2());

 // src/feature-flags.ts
 var featureConfig = {
+  ["allow_toolcache_input" /* AllowToolcacheInput */]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_ALLOW_TOOLCACHE_INPUT",
+    minimumVersion: void 0
+  },
  ["cleanup_trap_caches" /* CleanupTrapCaches */]: {
    defaultValue: false,
    envVar: "CODEQL_ACTION_CLEANUP_TRAP_CACHES",
@@ -95589,7 +95616,7 @@ async function createStatusReportBase(actionName, status, actionStartedAt, confi
      action_ref: actionRef,
      action_started_at: actionStartedAt.toISOString(),
      action_version: getActionVersion(),
-      analysis_kinds: config?.analysisKinds.join(","),
+      analysis_kinds: config?.analysisKinds?.join(","),
      analysis_key,
      build_mode: config?.buildMode,
      commit_oid: commitOid,
@@ -95612,7 +95639,7 @@ async function createStatusReportBase(actionName, status, actionStartedAt, confi
      logger.warning(`Could not determine the workflow event name: ${e}.`);
    }
    if (config) {
-      statusReport.languages = config.languages.join(",");
+      statusReport.languages = config.languages?.join(",");
    }
    if (diskInfo) {
      statusReport.runner_available_disk_space_bytes = diskInfo.numAvailableBytes;
@@ -95755,12 +95782,12 @@ function generateCertificateAuthority() {
  const key = import_node_forge.pki.privateKeyToPem(keys.privateKey);
  return { cert: pem, key };
 }
-async function sendSuccessStatusReport(startedAt, registry_types, logger) {
+async function sendSuccessStatusReport(startedAt, config, registry_types, logger) {
  const statusReportBase = await createStatusReportBase(
    "start-proxy" /* StartProxy */,
    "success",
    startedAt,
-    void 0,
+    config,
    await checkDiskUsage(logger),
    logger
  );
@@ -95776,15 +95803,18 @@ async function runWrapper() {
  const startedAt = /* @__PURE__ */ new Date();
  persistInputs();
  const logger = getActionsLogger();
+  let language;
  try {
    const tempDir = getTemporaryDirectory();
    const proxyLogFilePath = path.resolve(tempDir, "proxy.log");
    core11.saveState("proxy-log-file", proxyLogFilePath);
+    const languageInput = getOptionalInput("language");
+    language = languageInput ? parseLanguage(languageInput) : void 0;
    const credentials = getCredentials(
      logger,
      getOptionalInput("registry_secrets"),
      getOptionalInput("registries_credentials"),
-      getOptionalInput("language")
+      language
    );
    if (credentials.length === 0) {
      logger.info("No credentials found, skipping proxy setup.");
@@ -95803,6 +95833,9 @@ async function runWrapper() {
    await startProxy(proxyBin, proxyConfig, proxyLogFilePath, logger);
    await sendSuccessStatusReport(
      startedAt,
+      {
+        languages: language && [language]
+      },
      proxyConfig.all_credentials.map((c) => c.type),
      logger
    );
@@ -95813,7 +95846,9 @@ async function runWrapper() {
      "start-proxy" /* StartProxy */,
      getActionsStatus(error2),
      startedAt,
-      void 0,
+      {
+        languages: language && [language]
+      },
      await checkDiskUsage(logger),
      logger
    );
@@ -21899,14 +21899,14 @@ var require_dist_node4 = __commonJS({
    var __toCommonJS2 = (mod) => __copyProps2(__defProp2({}, "__esModule", { value: true }), mod);
    var dist_src_exports = {};
    __export2(dist_src_exports, {
-      RequestError: () => RequestError
+      RequestError: () => RequestError2
    });
    module2.exports = __toCommonJS2(dist_src_exports);
    var import_deprecation = require_dist_node3();
    var import_once = __toESM2(require_once());
    var logOnceCode = (0, import_once.default)((deprecation) => console.warn(deprecation));
    var logOnceHeaders = (0, import_once.default)((deprecation) => console.warn(deprecation));
-    var RequestError = class extends Error {
+    var RequestError2 = class extends Error {
      constructor(message, statusCode, options) {
        super(message);
        if (Error.captureStackTrace) {
@@ -21998,7 +21998,7 @@ var require_dist_node5 = __commonJS({
      const Ctor = Object.prototype.hasOwnProperty.call(proto, "constructor") && proto.constructor;
      return typeof Ctor === "function" && Ctor instanceof Ctor && Function.prototype.call(Ctor) === Function.prototype.call(value);
    }
-    var import_request_error = require_dist_node4();
+    var import_request_error2 = require_dist_node4();
    function getBufferResponse(response) {
      return response.arrayBuffer();
    }
@@ -22050,7 +22050,7 @@ var require_dist_node5 = __commonJS({
          if (status < 400) {
            return;
          }
-          throw new import_request_error.RequestError(response.statusText, status, {
+          throw new import_request_error2.RequestError(response.statusText, status, {
            response: {
              url: url2,
              status,
@@ -22061,7 +22061,7 @@ var require_dist_node5 = __commonJS({
          });
        }
        if (status === 304) {
-          throw new import_request_error.RequestError("Not modified", status, {
+          throw new import_request_error2.RequestError("Not modified", status, {
            response: {
              url: url2,
              status,
@@ -22073,7 +22073,7 @@ var require_dist_node5 = __commonJS({
        }
        if (status >= 400) {
          const data = await getResponseData(response);
-          const error2 = new import_request_error.RequestError(toErrorMessage(data), status, {
+          const error2 = new import_request_error2.RequestError(toErrorMessage(data), status, {
            response: {
              url: url2,
              status,
@@ -22093,7 +22093,7 @@ var require_dist_node5 = __commonJS({
          data
        };
      }).catch((error2) => {
-        if (error2 instanceof import_request_error.RequestError)
+        if (error2 instanceof import_request_error2.RequestError)
          throw error2;
        else if (error2.name === "AbortError")
          throw error2;
@@ -22105,7 +22105,7 @@ var require_dist_node5 = __commonJS({
            message = error2.cause;
          }
        }
-        throw new import_request_error.RequestError(message, 500, {
+        throw new import_request_error2.RequestError(message, 500, {
          request: requestOptions
        });
      });
@@ -22547,14 +22547,14 @@ var require_dist_node7 = __commonJS({
    var __toCommonJS2 = (mod) => __copyProps2(__defProp2({}, "__esModule", { value: true }), mod);
    var dist_src_exports = {};
    __export2(dist_src_exports, {
-      RequestError: () => RequestError
+      RequestError: () => RequestError2
    });
    module2.exports = __toCommonJS2(dist_src_exports);
    var import_deprecation = require_dist_node3();
    var import_once = __toESM2(require_once());
    var logOnceCode = (0, import_once.default)((deprecation) => console.warn(deprecation));
    var logOnceHeaders = (0, import_once.default)((deprecation) => console.warn(deprecation));
-    var RequestError = class extends Error {
+    var RequestError2 = class extends Error {
      constructor(message, statusCode, options) {
        super(message);
        if (Error.captureStackTrace) {
@@ -22646,7 +22646,7 @@ var require_dist_node8 = __commonJS({
      const Ctor = Object.prototype.hasOwnProperty.call(proto, "constructor") && proto.constructor;
      return typeof Ctor === "function" && Ctor instanceof Ctor && Function.prototype.call(Ctor) === Function.prototype.call(value);
    }
-    var import_request_error = require_dist_node7();
+    var import_request_error2 = require_dist_node7();
    function getBufferResponse(response) {
      return response.arrayBuffer();
    }
@@ -22698,7 +22698,7 @@ var require_dist_node8 = __commonJS({
          if (status < 400) {
            return;
          }
-          throw new import_request_error.RequestError(response.statusText, status, {
+          throw new import_request_error2.RequestError(response.statusText, status, {
            response: {
              url: url2,
              status,
@@ -22709,7 +22709,7 @@ var require_dist_node8 = __commonJS({
          });
        }
        if (status === 304) {
-          throw new import_request_error.RequestError("Not modified", status, {
+          throw new import_request_error2.RequestError("Not modified", status, {
            response: {
              url: url2,
              status,
@@ -22721,7 +22721,7 @@ var require_dist_node8 = __commonJS({
        }
        if (status >= 400) {
          const data = await getResponseData(response);
-          const error2 = new import_request_error.RequestError(toErrorMessage(data), status, {
+          const error2 = new import_request_error2.RequestError(toErrorMessage(data), status, {
            response: {
              url: url2,
              status,
@@ -22741,7 +22741,7 @@ var require_dist_node8 = __commonJS({
          data
        };
      }).catch((error2) => {
-        if (error2 instanceof import_request_error.RequestError)
+        if (error2 instanceof import_request_error2.RequestError)
          throw error2;
        else if (error2.name === "AbortError")
          throw error2;
@@ -22753,7 +22753,7 @@ var require_dist_node8 = __commonJS({
            message = error2.cause;
          }
        }
-        throw new import_request_error.RequestError(message, 500, {
+        throw new import_request_error2.RequestError(message, 500, {
          request: requestOptions
        });
      });
@@ -26336,7 +26336,7 @@ var require_to_regex_range = __commonJS({
        stop = countZeros(max + 1, zeros) - 1;
      }
      stops = [...stops];
-      stops.sort(compare2);
+      stops.sort(compare3);
      return stops;
    }
    function rangeToPattern(start, stop, options) {
@@ -26408,7 +26408,7 @@ var require_to_regex_range = __commonJS({
      for (let i = 0; i < a.length; i++) arr.push([a[i], b[i]]);
      return arr;
    }
-    function compare2(a, b) {
+    function compare3(a, b) {
      return a > b ? 1 : b > a ? -1 : 0;
    }
    function contains(arr, key, val2) {
@@ -31826,6 +31826,9 @@ var require_identifiers = __commonJS({
    "use strict";
    var numeric = /^[0-9]+$/;
    var compareIdentifiers = (a, b) => {
+      if (typeof a === "number" && typeof b === "number") {
+        return a === b ? 0 : a < b ? -1 : 1;
+      }
      const anum = numeric.test(a);
      const bnum = numeric.test(b);
      if (anum && bnum) {
@@ -31932,7 +31935,25 @@ var require_semver = __commonJS({
        if (!(other instanceof _SemVer)) {
          other = new _SemVer(other, this.options);
        }
-        return compareIdentifiers(this.major, other.major) || compareIdentifiers(this.minor, other.minor) || compareIdentifiers(this.patch, other.patch);
+        if (this.major < other.major) {
+          return -1;
+        }
+        if (this.major > other.major) {
+          return 1;
+        }
+        if (this.minor < other.minor) {
+          return -1;
+        }
+        if (this.minor > other.minor) {
+          return 1;
+        }
+        if (this.patch < other.patch) {
+          return -1;
+        }
+        if (this.patch > other.patch) {
+          return 1;
+        }
+        return 0;
      }
      comparePre(other) {
        if (!(other instanceof _SemVer)) {
@@ -32267,8 +32288,8 @@ var require_compare = __commonJS({
  "node_modules/semver/functions/compare.js"(exports2, module2) {
    "use strict";
    var SemVer = require_semver();
-    var compare2 = (a, b, loose) => new SemVer(a, loose).compare(new SemVer(b, loose));
-    module2.exports = compare2;
+    var compare3 = (a, b, loose) => new SemVer(a, loose).compare(new SemVer(b, loose));
+    module2.exports = compare3;
  }
 });

@@ -32276,8 +32297,8 @@ var require_compare = __commonJS({
 var require_rcompare = __commonJS({
  "node_modules/semver/functions/rcompare.js"(exports2, module2) {
    "use strict";
-    var compare2 = require_compare();
-    var rcompare = (a, b, loose) => compare2(b, a, loose);
+    var compare3 = require_compare();
+    var rcompare = (a, b, loose) => compare3(b, a, loose);
    module2.exports = rcompare;
  }
 });
@@ -32286,8 +32307,8 @@ var require_rcompare = __commonJS({
 var require_compare_loose = __commonJS({
  "node_modules/semver/functions/compare-loose.js"(exports2, module2) {
    "use strict";
-    var compare2 = require_compare();
-    var compareLoose = (a, b) => compare2(a, b, true);
+    var compare3 = require_compare();
+    var compareLoose = (a, b) => compare3(a, b, true);
    module2.exports = compareLoose;
  }
 });
@@ -32330,8 +32351,8 @@ var require_rsort = __commonJS({
 var require_gt = __commonJS({
  "node_modules/semver/functions/gt.js"(exports2, module2) {
    "use strict";
-    var compare2 = require_compare();
-    var gt = (a, b, loose) => compare2(a, b, loose) > 0;
+    var compare3 = require_compare();
+    var gt = (a, b, loose) => compare3(a, b, loose) > 0;
    module2.exports = gt;
  }
 });
@@ -32340,8 +32361,8 @@ var require_gt = __commonJS({
 var require_lt = __commonJS({
  "node_modules/semver/functions/lt.js"(exports2, module2) {
    "use strict";
-    var compare2 = require_compare();
-    var lt = (a, b, loose) => compare2(a, b, loose) < 0;
+    var compare3 = require_compare();
+    var lt = (a, b, loose) => compare3(a, b, loose) < 0;
    module2.exports = lt;
  }
 });
@@ -32350,8 +32371,8 @@ var require_lt = __commonJS({
 var require_eq = __commonJS({
  "node_modules/semver/functions/eq.js"(exports2, module2) {
    "use strict";
-    var compare2 = require_compare();
-    var eq = (a, b, loose) => compare2(a, b, loose) === 0;
+    var compare3 = require_compare();
+    var eq = (a, b, loose) => compare3(a, b, loose) === 0;
    module2.exports = eq;
  }
 });
@@ -32360,8 +32381,8 @@ var require_eq = __commonJS({
 var require_neq = __commonJS({
  "node_modules/semver/functions/neq.js"(exports2, module2) {
    "use strict";
-    var compare2 = require_compare();
-    var neq = (a, b, loose) => compare2(a, b, loose) !== 0;
+    var compare3 = require_compare();
+    var neq = (a, b, loose) => compare3(a, b, loose) !== 0;
    module2.exports = neq;
  }
 });
@@ -32370,8 +32391,8 @@ var require_neq = __commonJS({
 var require_gte = __commonJS({
  "node_modules/semver/functions/gte.js"(exports2, module2) {
    "use strict";
-    var compare2 = require_compare();
-    var gte5 = (a, b, loose) => compare2(a, b, loose) >= 0;
+    var compare3 = require_compare();
+    var gte5 = (a, b, loose) => compare3(a, b, loose) >= 0;
    module2.exports = gte5;
  }
 });
@@ -32380,8 +32401,8 @@ var require_gte = __commonJS({
 var require_lte = __commonJS({
  "node_modules/semver/functions/lte.js"(exports2, module2) {
    "use strict";
-    var compare2 = require_compare();
-    var lte = (a, b, loose) => compare2(a, b, loose) <= 0;
+    var compare3 = require_compare();
+    var lte = (a, b, loose) => compare3(a, b, loose) <= 0;
    module2.exports = lte;
  }
 });
@@ -32693,6 +32714,7 @@ var require_range = __commonJS({
      return result;
    };
    var parseComparator = (comp, options) => {
+      comp = comp.replace(re[t.BUILD], "");
      debug2("comp", comp, options);
      comp = replaceCarets(comp, options);
      debug2("caret", comp);
@@ -33277,12 +33299,12 @@ var require_simplify = __commonJS({
  "node_modules/semver/ranges/simplify.js"(exports2, module2) {
    "use strict";
    var satisfies2 = require_satisfies();
-    var compare2 = require_compare();
+    var compare3 = require_compare();
    module2.exports = (versions, range, options) => {
      const set2 = [];
      let first = null;
      let prev = null;
-      const v = versions.sort((a, b) => compare2(a, b, options));
+      const v = versions.sort((a, b) => compare3(a, b, options));
      for (const version of v) {
        const included = satisfies2(version, range, options);
        if (included) {
@@ -33330,7 +33352,7 @@ var require_subset = __commonJS({
    var Comparator = require_comparator();
    var { ANY } = Comparator;
    var satisfies2 = require_satisfies();
-    var compare2 = require_compare();
+    var compare3 = require_compare();
    var subset = (sub, dom, options = {}) => {
      if (sub === dom) {
        return true;
@@ -33390,7 +33412,7 @@ var require_subset = __commonJS({
      }
      let gtltComp;
      if (gt && lt) {
-        gtltComp = compare2(gt.semver, lt.semver, options);
+        gtltComp = compare3(gt.semver, lt.semver, options);
        if (gtltComp > 0) {
          return null;
        } else if (gtltComp === 0 && (gt.operator !== ">=" || lt.operator !== "<=")) {
@@ -33470,14 +33492,14 @@ var require_subset = __commonJS({
      if (!a) {
        return b;
      }
-      const comp = compare2(a.semver, b.semver, options);
+      const comp = compare3(a.semver, b.semver, options);
      return comp > 0 ? a : comp < 0 ? b : b.operator === ">" && a.operator === ">=" ? b : a;
    };
    var lowerLT = (a, b, options) => {
      if (!a) {
        return b;
      }
-      const comp = compare2(a.semver, b.semver, options);
+      const comp = compare3(a.semver, b.semver, options);
      return comp < 0 ? a : comp > 0 ? b : b.operator === "<" && a.operator === "<=" ? b : a;
    };
    module2.exports = subset;
@@ -33501,7 +33523,7 @@ var require_semver2 = __commonJS({
    var minor = require_minor();
    var patch = require_patch();
    var prerelease = require_prerelease();
-    var compare2 = require_compare();
+    var compare3 = require_compare();
    var rcompare = require_rcompare();
    var compareLoose = require_compare_loose();
    var compareBuild = require_compare_build();
@@ -33539,7 +33561,7 @@ var require_semver2 = __commonJS({
      minor,
      patch,
      prerelease,
-      compare: compare2,
+      compare: compare3,
      rcompare,
      compareLoose,
      compareBuild,
@@ -33584,7 +33606,7 @@ var require_package = __commonJS({
  "package.json"(exports2, module2) {
    module2.exports = {
      name: "codeql",
-      version: "3.30.7",
+      version: "4.30.9",
      private: true,
      description: "CodeQL action",
      scripts: {
@@ -33619,6 +33641,7 @@ var require_package = __commonJS({
        "@actions/io": "^1.1.3",
        "@actions/tool-cache": "^2.0.2",
        "@octokit/plugin-retry": "^6.0.0",
+        "@octokit/request-error": "^7.0.1",
        "@schemastore/package": "0.0.10",
        archiver: "^7.0.1",
        "check-disk-space": "^3.4.0",
@@ -33632,14 +33655,14 @@ var require_package = __commonJS({
        long: "^5.3.2",
        "node-forge": "^1.3.1",
        octokit: "^5.0.3",
-        semver: "^7.7.2",
+        semver: "^7.7.3",
        uuid: "^13.0.0"
      },
      devDependencies: {
        "@ava/typescript": "6.0.0",
        "@eslint/compat": "^1.4.0",
        "@eslint/eslintrc": "^3.3.1",
-        "@eslint/js": "^9.36.0",
+        "@eslint/js": "^9.37.0",
        "@microsoft/eslint-formatter-sarif": "^3.1.0",
        "@octokit/types": "^15.0.0",
        "@types/archiver": "^6.0.3",
@@ -33650,7 +33673,7 @@ var require_package = __commonJS({
        "@types/node-forge": "^1.3.14",
        "@types/semver": "^7.7.1",
        "@types/sinon": "^17.0.4",
-        "@typescript-eslint/eslint-plugin": "^8.44.1",
+        "@typescript-eslint/eslint-plugin": "^8.46.0",
        "@typescript-eslint/parser": "^8.41.0",
        ava: "^6.4.1",
        esbuild: "^0.25.10",
@@ -33663,7 +33686,7 @@ var require_package = __commonJS({
        glob: "^11.0.3",
        nock: "^14.0.10",
        sinon: "^21.0.0",
-        typescript: "^5.9.2"
+        typescript: "^5.9.3"
      },
      overrides: {
        "@actions/tool-cache": {
@@ -35042,14 +35065,14 @@ var require_dist_node14 = __commonJS({
    var __toCommonJS2 = (mod) => __copyProps2(__defProp2({}, "__esModule", { value: true }), mod);
    var dist_src_exports = {};
    __export2(dist_src_exports, {
-      RequestError: () => RequestError
+      RequestError: () => RequestError2
    });
    module2.exports = __toCommonJS2(dist_src_exports);
    var import_deprecation = require_dist_node3();
    var import_once = __toESM2(require_once());
    var logOnceCode = (0, import_once.default)((deprecation) => console.warn(deprecation));
    var logOnceHeaders = (0, import_once.default)((deprecation) => console.warn(deprecation));
-    var RequestError = class extends Error {
+    var RequestError2 = class extends Error {
      constructor(message, statusCode, options) {
        super(message);
        if (Error.captureStackTrace) {
@@ -35151,7 +35174,7 @@ var require_dist_node15 = __commonJS({
      throw error2;
    }
    var import_light = __toESM2(require_light());
-    var import_request_error = require_dist_node14();
+    var import_request_error2 = require_dist_node14();
    async function wrapRequest(state, octokit, request, options) {
      const limiter = new import_light.default();
      limiter.on("failed", function(error2, info4) {
@@ -35172,7 +35195,7 @@ var require_dist_node15 = __commonJS({
      if (response.data && response.data.errors && response.data.errors.length > 0 && /Something went wrong while executing your query/.test(
        response.data.errors[0].message
      )) {
-        const error2 = new import_request_error.RequestError(response.data.errors[0].message, 500, {
+        const error2 = new import_request_error2.RequestError(response.data.errors[0].message, 500, {
          request: options,
          response
        });
@@ -37407,13 +37430,13 @@ var require_semver3 = __commonJS({
    function patch(a, loose) {
      return new SemVer(a, loose).patch;
    }
-    exports2.compare = compare2;
-    function compare2(a, b, loose) {
+    exports2.compare = compare3;
+    function compare3(a, b, loose) {
      return new SemVer(a, loose).compare(new SemVer(b, loose));
    }
    exports2.compareLoose = compareLoose;
    function compareLoose(a, b) {
-      return compare2(a, b, true);
+      return compare3(a, b, true);
    }
    exports2.compareBuild = compareBuild;
    function compareBuild(a, b, loose) {
@@ -37423,7 +37446,7 @@ var require_semver3 = __commonJS({
    }
    exports2.rcompare = rcompare;
    function rcompare(a, b, loose) {
-      return compare2(b, a, loose);
+      return compare3(b, a, loose);
    }
    exports2.sort = sort;
    function sort(list, loose) {
@@ -37439,27 +37462,27 @@ var require_semver3 = __commonJS({
    }
    exports2.gt = gt;
    function gt(a, b, loose) {
-      return compare2(a, b, loose) > 0;
+      return compare3(a, b, loose) > 0;
    }
    exports2.lt = lt;
    function lt(a, b, loose) {
-      return compare2(a, b, loose) < 0;
+      return compare3(a, b, loose) < 0;
    }
    exports2.eq = eq;
    function eq(a, b, loose) {
-      return compare2(a, b, loose) === 0;
+      return compare3(a, b, loose) === 0;
    }
    exports2.neq = neq;
    function neq(a, b, loose) {
-      return compare2(a, b, loose) !== 0;
+      return compare3(a, b, loose) !== 0;
    }
    exports2.gte = gte5;
    function gte5(a, b, loose) {
-      return compare2(a, b, loose) >= 0;
+      return compare3(a, b, loose) >= 0;
    }
    exports2.lte = lte;
    function lte(a, b, loose) {
-      return compare2(a, b, loose) <= 0;
+      return compare3(a, b, loose) <= 0;
    }
    exports2.cmp = cmp;
    function cmp(a, op, b, loose) {
@@ -84830,6 +84853,7 @@ __export(upload_lib_exports, {
  shouldShowCombineSarifFilesDeprecationWarning: () => shouldShowCombineSarifFilesDeprecationWarning,
  throwIfCombineSarifFilesDisabled: () => throwIfCombineSarifFilesDisabled,
  uploadFiles: () => uploadFiles,
+  uploadPayload: () => uploadPayload,
  uploadSpecifiedFiles: () => uploadSpecifiedFiles,
  validateSarifFileSchema: () => validateSarifFileSchema,
  validateUniqueCategory: () => validateUniqueCategory,
@@ -88340,6 +88364,9 @@ function isGoodVersion(versionSpec) {
 function isInTestMode() {
  return process.env["CODEQL_ACTION_TEST_MODE" /* TEST_MODE */] === "true";
 }
+function shouldSkipSarifUpload() {
+  return isInTestMode() || process.env["CODEQL_ACTION_SKIP_SARIF_UPLOAD" /* SKIP_SARIF_UPLOAD */] === "true";
+}
 function getTestingEnvironment() {
  const testingEnvironment = process.env["CODEQL_ACTION_TESTING_ENVIRONMENT" /* TESTING_ENVIRONMENT */] || "";
  if (testingEnvironment === "") {
@@ -88474,9 +88501,12 @@ function getWorkflowRunAttempt() {
  }
  return workflowRunAttempt;
 }
-function isDefaultSetup() {
+function isDynamicWorkflow() {
  return getWorkflowEventName() === "dynamic";
 }
+function isDefaultSetup() {
+  return isDynamicWorkflow();
+}
 function prettyPrintInvocation(cmd, args) {
  return [cmd, ...args].map((x) => x.includes(" ") ? `'${x}'` : x).join(" ");
 }
@@ -88735,6 +88765,45 @@ var path12 = __toESM(require("path"));
 var core10 = __toESM(require_core());
 var toolrunner3 = __toESM(require_toolrunner());

+// node_modules/@octokit/request-error/dist-src/index.js
+var RequestError = class extends Error {
+  name;
+  /**
+   * http status code
+   */
+  status;
+  /**
+   * Request options that lead to the error.
+   */
+  request;
+  /**
+   * Response object if a response was received
+   */
+  response;
+  constructor(message, statusCode, options) {
+    super(message);
+    this.name = "HttpError";
+    this.status = Number.parseInt(statusCode);
+    if (Number.isNaN(this.status)) {
+      this.status = 0;
+    }
+    if ("response" in options) {
+      this.response = options.response;
+    }
+    const requestCopy = Object.assign({}, options.request);
+    if (options.request.headers.authorization) {
+      requestCopy.headers = Object.assign({}, options.request.headers, {
+        authorization: options.request.headers.authorization.replace(
+          /(?<! ) .*$/,
+          " [REDACTED]"
+        )
+      });
+    }
+    requestCopy.url = requestCopy.url.replace(/\bclient_secret=\w+/g, "client_secret=[REDACTED]").replace(/\baccess_token=\w+/g, "access_token=[REDACTED]");
+    this.request = requestCopy;
+  }
+};
+
 // src/cli-errors.ts
 var SUPPORTED_PLATFORMS = [
  ["linux", "x64"],
@@ -88996,8 +89065,8 @@ var path8 = __toESM(require("path"));
 var semver4 = __toESM(require_semver2());

 // src/defaults.json
-var bundleVersion = "codeql-bundle-v2.23.2";
-var cliVersion = "2.23.2";
+var bundleVersion = "codeql-bundle-v2.23.3";
+var cliVersion = "2.23.3";

 // src/overlay-database-utils.ts
 var fs5 = __toESM(require("fs"));
@@ -89285,6 +89354,11 @@ function isSupportedToolsFeature(versionInfo, feature) {
 // src/feature-flags.ts
 var CODEQL_VERSION_ZSTD_BUNDLE = "2.19.0";
 var featureConfig = {
+  ["allow_toolcache_input" /* AllowToolcacheInput */]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_ALLOW_TOOLCACHE_INPUT",
+    minimumVersion: void 0
+  },
  ["cleanup_trap_caches" /* CleanupTrapCaches */]: {
    defaultValue: false,
    envVar: "CODEQL_ACTION_CLEANUP_TRAP_CACHES",
@@ -89927,6 +90001,7 @@ var CODEQL_NIGHTLIES_REPOSITORY_OWNER = "dsp-testing";
 var CODEQL_NIGHTLIES_REPOSITORY_NAME = "codeql-cli-nightlies";
 var CODEQL_BUNDLE_VERSION_ALIAS = ["linked", "latest"];
 var CODEQL_NIGHTLY_TOOLS_INPUTS = ["nightly", "nightly-latest"];
+var CODEQL_TOOLCACHE_INPUT = "toolcache";
 function getCodeQLBundleExtension(compressionMethod) {
  switch (compressionMethod) {
    case "gzip":
@@ -90068,7 +90143,7 @@ async function findOverridingToolsInCache(humanReadableVersion, logger) {
  }
  return void 0;
 }
-async function getCodeQLSource(toolsInput, defaultCliVersion, apiDetails, variant, tarSupportsZstd, logger) {
+async function getCodeQLSource(toolsInput, defaultCliVersion, apiDetails, variant, tarSupportsZstd, features, logger) {
  if (toolsInput && !isReservedToolsValue(toolsInput) && !toolsInput.startsWith("http")) {
    logger.info(`Using CodeQL CLI from local path ${toolsInput}`);
    const compressionMethod2 = inferCompressionMethod(toolsInput);
@@ -90105,6 +90180,40 @@ async function getCodeQLSource(toolsInput, defaultCliVersion, apiDetails, varian
        "`tools: latest` has been renamed to `tools: linked`, but the old name is still supported. No action is required."
      );
    }
+  } else if (toolsInput !== void 0 && toolsInput === CODEQL_TOOLCACHE_INPUT) {
+    let latestToolcacheVersion;
+    const allowToolcacheValueFF = await features.getValue(
+      "allow_toolcache_input" /* AllowToolcacheInput */
+    );
+    const allowToolcacheValue = allowToolcacheValueFF && (isDynamicWorkflow() || isInTestMode());
+    if (allowToolcacheValue) {
+      logger.info(
+        `Attempting to use the latest CodeQL CLI version in the toolcache, as requested by 'tools: ${toolsInput}'.`
+      );
+      latestToolcacheVersion = getLatestToolcacheVersion(logger);
+      if (latestToolcacheVersion) {
+        cliVersion2 = latestToolcacheVersion;
+      }
+    }
+    if (latestToolcacheVersion === void 0) {
+      if (allowToolcacheValue) {
+        logger.info(
+          `Found no CodeQL CLI in the toolcache, ignoring 'tools: ${toolsInput}'...`
+        );
+      } else {
+        if (allowToolcacheValueFF) {
+          logger.warning(
+            `Ignoring 'tools: ${toolsInput}' because the workflow was not triggered dynamically.`
+          );
+        } else {
+          logger.info(
+            `Ignoring 'tools: ${toolsInput}' because the feature is not enabled.`
+          );
+        }
+      }
+      cliVersion2 = defaultCliVersion.cliVersion;
+      tagName = defaultCliVersion.tagName;
+    }
  } else if (toolsInput !== void 0) {
    tagName = tryGetTagNameFromUrl(toolsInput, logger);
    url2 = toolsInput;
@@ -90313,7 +90422,7 @@ function getCanonicalToolcacheVersion(cliVersion2, bundleVersion2, logger) {
  }
  return cliVersion2;
 }
-async function setupCodeQLBundle(toolsInput, apiDetails, tempDir, variant, defaultCliVersion, logger) {
+async function setupCodeQLBundle(toolsInput, apiDetails, tempDir, variant, defaultCliVersion, features, logger) {
  if (!await isBinaryAccessible("tar", logger)) {
    throw new ConfigurationError(
      "Could not find tar in PATH, so unable to extract CodeQL bundle."
@@ -90326,6 +90435,7 @@ async function setupCodeQLBundle(toolsInput, apiDetails, tempDir, variant, defau
    apiDetails,
    variant,
    zstdAvailability.available,
+    features,
    logger
  );
  let codeqlFolder;
@@ -90411,8 +90521,24 @@ async function getNightlyToolsUrl(logger) {
    );
  }
 }
+function getLatestToolcacheVersion(logger) {
+  const allVersions = toolcache3.findAllVersions("CodeQL").sort((a, b) => semver7.compare(b, a));
+  logger.debug(
+    `Found the following versions of the CodeQL tools in the toolcache: ${JSON.stringify(
+      allVersions
+    )}.`
+  );
+  if (allVersions.length > 0) {
+    const latestToolcacheVersion = allVersions[0];
+    logger.info(
+      `CLI version ${latestToolcacheVersion} is the latest version in the toolcache.`
+    );
+    return latestToolcacheVersion;
+  }
+  return void 0;
+}
 function isReservedToolsValue(tools) {
-  return CODEQL_BUNDLE_VERSION_ALIAS.includes(tools) || CODEQL_NIGHTLY_TOOLS_INPUTS.includes(tools);
+  return CODEQL_BUNDLE_VERSION_ALIAS.includes(tools) || CODEQL_NIGHTLY_TOOLS_INPUTS.includes(tools) || tools === CODEQL_TOOLCACHE_INPUT;
 }

 // src/tracer-config.ts
@@ -90434,7 +90560,7 @@ var GHES_VERSION_MOST_RECENTLY_DEPRECATED = "3.13";
 var GHES_MOST_RECENT_DEPRECATION_DATE = "2025-06-19";
 var EXTRACTION_DEBUG_MODE_VERBOSITY = "progress++";
 var CODEQL_VERSION_CACHE_CLEANUP = "2.17.1";
-async function setupCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliVersion, logger, checkVersion) {
+async function setupCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliVersion, features, logger, checkVersion) {
  try {
    const {
      codeqlFolder,
@@ -90448,6 +90574,7 @@ async function setupCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliV
      tempDir,
      variant,
      defaultCliVersion,
+      features,
      logger
    );
    logger.debug(
@@ -90472,7 +90599,8 @@ async function setupCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliV
      zstdAvailability
    };
  } catch (e) {
-    const ErrorClass = e instanceof ConfigurationError || e instanceof Error && e.message.includes("ENOSPC") ? ConfigurationError : Error;
+    const ErrorClass = e instanceof ConfigurationError || e instanceof Error && e.message.includes("ENOSPC") || // out of disk space
+    e instanceof RequestError && e.status === 429 ? ConfigurationError : Error;
    throw new ErrorClass(
      `Unable to download and extract CodeQL CLI: ${getErrorMessage(e)}${e instanceof Error && e.stack ? `

@@ -91599,7 +91727,7 @@ LongPrototype.greaterThanOrEqual = function greaterThanOrEqual(other) {
 };
 LongPrototype.gte = LongPrototype.greaterThanOrEqual;
 LongPrototype.ge = LongPrototype.greaterThanOrEqual;
-LongPrototype.compare = function compare(other) {
+LongPrototype.compare = function compare2(other) {
  if (!isLong(other)) other = fromValue(other);
  if (this.eq(other)) return 0;
  var thisNeg = this.isNegative(), otherNeg = other.isNegative();
@@ -92150,7 +92278,7 @@ async function addFingerprints(sarif, sourceRoot, logger) {
 // src/init.ts
 var toolrunner4 = __toESM(require_toolrunner());
 var io5 = __toESM(require_io());
-async function initCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliVersion, logger) {
+async function initCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliVersion, features, logger) {
  logger.startGroup("Setup CodeQL tools");
  const {
    codeql,
@@ -92164,6 +92292,7 @@ async function initCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliVe
    tempDir,
    variant,
    defaultCliVersion,
+    features,
    logger,
    true
  );
@@ -92310,6 +92439,7 @@ async function combineSarifFilesUsingCLI(sarifFiles, gitHubVersion, features, lo
      tempDir,
      gitHubVersion.type,
      codeQLDefaultVersionInfo,
+      features,
      logger
    );
    codeQL = initCodeQLResult.codeql;
@@ -92365,23 +92495,23 @@ function getAutomationID2(category, analysis_key, environment) {
  }
  return computeAutomationID(analysis_key, environment);
 }
-async function uploadPayload(payload, repositoryNwo, logger, target) {
+async function uploadPayload(payload, repositoryNwo, logger, analysis) {
  logger.info("Uploading results");
-  if (isInTestMode()) {
+  if (shouldSkipSarifUpload()) {
    const payloadSaveFile = path14.join(
      getTemporaryDirectory(),
-      "payload.json"
+      `payload-${analysis.kind}.json`
    );
    logger.info(
-      `In test mode. Results are not uploaded. Saving to ${payloadSaveFile}`
+      `SARIF upload disabled by an environment variable. Saving to ${payloadSaveFile}`
    );
    logger.info(`Payload: ${JSON.stringify(payload, null, 2)}`);
    fs13.writeFileSync(payloadSaveFile, JSON.stringify(payload, null, 2));
-    return "test-mode-sarif-id";
+    return "dummy-sarif-id";
  }
  const client = getApiClient();
  try {
-    const response = await client.request(target, {
+    const response = await client.request(analysis.target, {
      owner: repositoryNwo.owner,
      repo: repositoryNwo.repo,
      data: payload
@@ -92663,7 +92793,7 @@ async function uploadSpecifiedFiles(sarifPaths, checkoutPath, category, features
    payload,
    getRepositoryNwo(),
    logger,
-    uploadTarget.target
+    uploadTarget
  );
  logger.endGroup();
  return {
@@ -92855,6 +92985,7 @@ function filterAlertsByDiffRange(logger, sarif) {
  shouldShowCombineSarifFilesDeprecationWarning,
  throwIfCombineSarifFilesDisabled,
  uploadFiles,
+  uploadPayload,
  uploadSpecifiedFiles,
  validateSarifFileSchema,
  validateUniqueCategory,
@@ -24680,6 +24680,9 @@ var require_identifiers = __commonJS({
    "use strict";
    var numeric = /^[0-9]+$/;
    var compareIdentifiers = (a, b) => {
+      if (typeof a === "number" && typeof b === "number") {
+        return a === b ? 0 : a < b ? -1 : 1;
+      }
      const anum = numeric.test(a);
      const bnum = numeric.test(b);
      if (anum && bnum) {
@@ -24786,7 +24789,25 @@ var require_semver = __commonJS({
        if (!(other instanceof _SemVer)) {
          other = new _SemVer(other, this.options);
        }
-        return compareIdentifiers(this.major, other.major) || compareIdentifiers(this.minor, other.minor) || compareIdentifiers(this.patch, other.patch);
+        if (this.major < other.major) {
+          return -1;
+        }
+        if (this.major > other.major) {
+          return 1;
+        }
+        if (this.minor < other.minor) {
+          return -1;
+        }
+        if (this.minor > other.minor) {
+          return 1;
+        }
+        if (this.patch < other.patch) {
+          return -1;
+        }
+        if (this.patch > other.patch) {
+          return 1;
+        }
+        return 0;
      }
      comparePre(other) {
        if (!(other instanceof _SemVer)) {
@@ -25121,8 +25142,8 @@ var require_compare = __commonJS({
  "node_modules/semver/functions/compare.js"(exports2, module2) {
    "use strict";
    var SemVer = require_semver();
-    var compare = (a, b, loose) => new SemVer(a, loose).compare(new SemVer(b, loose));
-    module2.exports = compare;
+    var compare2 = (a, b, loose) => new SemVer(a, loose).compare(new SemVer(b, loose));
+    module2.exports = compare2;
  }
 });

@@ -25130,8 +25151,8 @@ var require_compare = __commonJS({
 var require_rcompare = __commonJS({
  "node_modules/semver/functions/rcompare.js"(exports2, module2) {
    "use strict";
-    var compare = require_compare();
-    var rcompare = (a, b, loose) => compare(b, a, loose);
+    var compare2 = require_compare();
+    var rcompare = (a, b, loose) => compare2(b, a, loose);
    module2.exports = rcompare;
  }
 });
@@ -25140,8 +25161,8 @@ var require_rcompare = __commonJS({
 var require_compare_loose = __commonJS({
  "node_modules/semver/functions/compare-loose.js"(exports2, module2) {
    "use strict";
-    var compare = require_compare();
-    var compareLoose = (a, b) => compare(a, b, true);
+    var compare2 = require_compare();
+    var compareLoose = (a, b) => compare2(a, b, true);
    module2.exports = compareLoose;
  }
 });
@@ -25184,8 +25205,8 @@ var require_rsort = __commonJS({
 var require_gt = __commonJS({
  "node_modules/semver/functions/gt.js"(exports2, module2) {
    "use strict";
-    var compare = require_compare();
-    var gt = (a, b, loose) => compare(a, b, loose) > 0;
+    var compare2 = require_compare();
+    var gt = (a, b, loose) => compare2(a, b, loose) > 0;
    module2.exports = gt;
  }
 });
@@ -25194,8 +25215,8 @@ var require_gt = __commonJS({
 var require_lt = __commonJS({
  "node_modules/semver/functions/lt.js"(exports2, module2) {
    "use strict";
-    var compare = require_compare();
-    var lt = (a, b, loose) => compare(a, b, loose) < 0;
+    var compare2 = require_compare();
+    var lt = (a, b, loose) => compare2(a, b, loose) < 0;
    module2.exports = lt;
  }
 });
@@ -25204,8 +25225,8 @@ var require_lt = __commonJS({
 var require_eq = __commonJS({
  "node_modules/semver/functions/eq.js"(exports2, module2) {
    "use strict";
-    var compare = require_compare();
-    var eq = (a, b, loose) => compare(a, b, loose) === 0;
+    var compare2 = require_compare();
+    var eq = (a, b, loose) => compare2(a, b, loose) === 0;
    module2.exports = eq;
  }
 });
@@ -25214,8 +25235,8 @@ var require_eq = __commonJS({
 var require_neq = __commonJS({
  "node_modules/semver/functions/neq.js"(exports2, module2) {
    "use strict";
-    var compare = require_compare();
-    var neq = (a, b, loose) => compare(a, b, loose) !== 0;
+    var compare2 = require_compare();
+    var neq = (a, b, loose) => compare2(a, b, loose) !== 0;
    module2.exports = neq;
  }
 });
@@ -25224,8 +25245,8 @@ var require_neq = __commonJS({
 var require_gte = __commonJS({
  "node_modules/semver/functions/gte.js"(exports2, module2) {
    "use strict";
-    var compare = require_compare();
-    var gte5 = (a, b, loose) => compare(a, b, loose) >= 0;
+    var compare2 = require_compare();
+    var gte5 = (a, b, loose) => compare2(a, b, loose) >= 0;
    module2.exports = gte5;
  }
 });
@@ -25234,8 +25255,8 @@ var require_gte = __commonJS({
 var require_lte = __commonJS({
  "node_modules/semver/functions/lte.js"(exports2, module2) {
    "use strict";
-    var compare = require_compare();
-    var lte = (a, b, loose) => compare(a, b, loose) <= 0;
+    var compare2 = require_compare();
+    var lte = (a, b, loose) => compare2(a, b, loose) <= 0;
    module2.exports = lte;
  }
 });
@@ -25547,6 +25568,7 @@ var require_range = __commonJS({
      return result;
    };
    var parseComparator = (comp, options) => {
+      comp = comp.replace(re[t.BUILD], "");
      debug2("comp", comp, options);
      comp = replaceCarets(comp, options);
      debug2("caret", comp);
@@ -26131,12 +26153,12 @@ var require_simplify = __commonJS({
  "node_modules/semver/ranges/simplify.js"(exports2, module2) {
    "use strict";
    var satisfies2 = require_satisfies();
-    var compare = require_compare();
+    var compare2 = require_compare();
    module2.exports = (versions, range, options) => {
      const set2 = [];
      let first = null;
      let prev = null;
-      const v = versions.sort((a, b) => compare(a, b, options));
+      const v = versions.sort((a, b) => compare2(a, b, options));
      for (const version of v) {
        const included = satisfies2(version, range, options);
        if (included) {
@@ -26184,7 +26206,7 @@ var require_subset = __commonJS({
    var Comparator = require_comparator();
    var { ANY } = Comparator;
    var satisfies2 = require_satisfies();
-    var compare = require_compare();
+    var compare2 = require_compare();
    var subset = (sub, dom, options = {}) => {
      if (sub === dom) {
        return true;
@@ -26244,7 +26266,7 @@ var require_subset = __commonJS({
      }
      let gtltComp;
      if (gt && lt) {
-        gtltComp = compare(gt.semver, lt.semver, options);
+        gtltComp = compare2(gt.semver, lt.semver, options);
        if (gtltComp > 0) {
          return null;
        } else if (gtltComp === 0 && (gt.operator !== ">=" || lt.operator !== "<=")) {
@@ -26324,14 +26346,14 @@ var require_subset = __commonJS({
      if (!a) {
        return b;
      }
-      const comp = compare(a.semver, b.semver, options);
+      const comp = compare2(a.semver, b.semver, options);
      return comp > 0 ? a : comp < 0 ? b : b.operator === ">" && a.operator === ">=" ? b : a;
    };
    var lowerLT = (a, b, options) => {
      if (!a) {
        return b;
      }
-      const comp = compare(a.semver, b.semver, options);
+      const comp = compare2(a.semver, b.semver, options);
      return comp < 0 ? a : comp > 0 ? b : b.operator === "<" && a.operator === "<=" ? b : a;
    };
    module2.exports = subset;
@@ -26355,7 +26377,7 @@ var require_semver2 = __commonJS({
    var minor = require_minor();
    var patch = require_patch();
    var prerelease = require_prerelease();
-    var compare = require_compare();
+    var compare2 = require_compare();
    var rcompare = require_rcompare();
    var compareLoose = require_compare_loose();
    var compareBuild = require_compare_build();
@@ -26393,7 +26415,7 @@ var require_semver2 = __commonJS({
      minor,
      patch,
      prerelease,
-      compare,
+      compare: compare2,
      rcompare,
      compareLoose,
      compareBuild,
@@ -26438,7 +26460,7 @@ var require_package = __commonJS({
  "package.json"(exports2, module2) {
    module2.exports = {
      name: "codeql",
-      version: "3.30.7",
+      version: "4.30.9",
      private: true,
      description: "CodeQL action",
      scripts: {
@@ -26473,6 +26495,7 @@ var require_package = __commonJS({
        "@actions/io": "^1.1.3",
        "@actions/tool-cache": "^2.0.2",
        "@octokit/plugin-retry": "^6.0.0",
+        "@octokit/request-error": "^7.0.1",
        "@schemastore/package": "0.0.10",
        archiver: "^7.0.1",
        "check-disk-space": "^3.4.0",
@@ -26486,14 +26509,14 @@ var require_package = __commonJS({
        long: "^5.3.2",
        "node-forge": "^1.3.1",
        octokit: "^5.0.3",
-        semver: "^7.7.2",
+        semver: "^7.7.3",
        uuid: "^13.0.0"
      },
      devDependencies: {
        "@ava/typescript": "6.0.0",
        "@eslint/compat": "^1.4.0",
        "@eslint/eslintrc": "^3.3.1",
-        "@eslint/js": "^9.36.0",
+        "@eslint/js": "^9.37.0",
        "@microsoft/eslint-formatter-sarif": "^3.1.0",
        "@octokit/types": "^15.0.0",
        "@types/archiver": "^6.0.3",
@@ -26504,7 +26527,7 @@ var require_package = __commonJS({
        "@types/node-forge": "^1.3.14",
        "@types/semver": "^7.7.1",
        "@types/sinon": "^17.0.4",
-        "@typescript-eslint/eslint-plugin": "^8.44.1",
+        "@typescript-eslint/eslint-plugin": "^8.46.0",
        "@typescript-eslint/parser": "^8.41.0",
        ava: "^6.4.1",
        esbuild: "^0.25.10",
@@ -26517,7 +26540,7 @@ var require_package = __commonJS({
        glob: "^11.0.3",
        nock: "^14.0.10",
        sinon: "^21.0.0",
-        typescript: "^5.9.2"
+        typescript: "^5.9.3"
      },
      overrides: {
        "@actions/tool-cache": {
@@ -88567,8 +88590,8 @@ var require_commonjs16 = __commonJS({
        if (rootPath === this.root.name) {
          return this.root;
        }
-        for (const [compare, root] of Object.entries(this.roots)) {
-          if (this.sameRoot(rootPath, compare)) {
+        for (const [compare2, root] of Object.entries(this.roots)) {
+          if (this.sameRoot(rootPath, compare2)) {
            return this.roots[rootPath] = root;
          }
        }
@@ -88577,9 +88600,9 @@ var require_commonjs16 = __commonJS({
      /**
       * @internal
       */
-      sameRoot(rootPath, compare = this.root.name) {
+      sameRoot(rootPath, compare2 = this.root.name) {
        rootPath = rootPath.toUpperCase().replace(/\//g, "\\").replace(uncDriveRegexp, "$1\\");
-        return rootPath === compare;
+        return rootPath === compare2;
      }
    };
    exports2.PathWin32 = PathWin32;
@@ -92598,7 +92621,7 @@ var require_b4a = __commonJS({
    function byteLength(string, encoding) {
      return Buffer.byteLength(string, encoding);
    }
-    function compare(a, b) {
+    function compare2(a, b) {
      return Buffer.compare(a, b);
    }
    function concat(buffers, totalLength) {
@@ -92699,7 +92722,7 @@ var require_b4a = __commonJS({
      allocUnsafe,
      allocUnsafeSlow,
      byteLength,
-      compare,
+      compare: compare2,
      concat,
      copy,
      equals,
@@ -108085,13 +108108,13 @@ var require_semver3 = __commonJS({
    function patch(a, loose) {
      return new SemVer(a, loose).patch;
    }
-    exports2.compare = compare;
-    function compare(a, b, loose) {
+    exports2.compare = compare2;
+    function compare2(a, b, loose) {
      return new SemVer(a, loose).compare(new SemVer(b, loose));
    }
    exports2.compareLoose = compareLoose;
    function compareLoose(a, b) {
-      return compare(a, b, true);
+      return compare2(a, b, true);
    }
    exports2.compareBuild = compareBuild;
    function compareBuild(a, b, loose) {
@@ -108101,7 +108124,7 @@ var require_semver3 = __commonJS({
    }
    exports2.rcompare = rcompare;
    function rcompare(a, b, loose) {
-      return compare(b, a, loose);
+      return compare2(b, a, loose);
    }
    exports2.sort = sort;
    function sort(list, loose) {
@@ -108117,27 +108140,27 @@ var require_semver3 = __commonJS({
    }
    exports2.gt = gt;
    function gt(a, b, loose) {
-      return compare(a, b, loose) > 0;
+      return compare2(a, b, loose) > 0;
    }
    exports2.lt = lt;
    function lt(a, b, loose) {
-      return compare(a, b, loose) < 0;
+      return compare2(a, b, loose) < 0;
    }
    exports2.eq = eq;
    function eq(a, b, loose) {
-      return compare(a, b, loose) === 0;
+      return compare2(a, b, loose) === 0;
    }
    exports2.neq = neq;
    function neq(a, b, loose) {
-      return compare(a, b, loose) !== 0;
+      return compare2(a, b, loose) !== 0;
    }
    exports2.gte = gte5;
    function gte5(a, b, loose) {
-      return compare(a, b, loose) >= 0;
+      return compare2(a, b, loose) >= 0;
    }
    exports2.lte = lte;
    function lte(a, b, loose) {
-      return compare(a, b, loose) <= 0;
+      return compare2(a, b, loose) <= 0;
    }
    exports2.cmp = cmp;
    function cmp(a, op, b, loose) {
@@ -117377,6 +117400,11 @@ function isSafeArtifactUpload(codeQlVersion) {

 // src/feature-flags.ts
 var featureConfig = {
+  ["allow_toolcache_input" /* AllowToolcacheInput */]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_ALLOW_TOOLCACHE_INPUT",
+    minimumVersion: void 0
+  },
  ["cleanup_trap_caches" /* CleanupTrapCaches */]: {
    defaultValue: false,
    envVar: "CODEQL_ACTION_CLEANUP_TRAP_CACHES",
@@ -20602,14 +20602,14 @@ var require_dist_node4 = __commonJS({
    var __toCommonJS2 = (mod) => __copyProps2(__defProp2({}, "__esModule", { value: true }), mod);
    var dist_src_exports = {};
    __export2(dist_src_exports, {
-      RequestError: () => RequestError
+      RequestError: () => RequestError2
    });
    module2.exports = __toCommonJS2(dist_src_exports);
    var import_deprecation = require_dist_node3();
    var import_once = __toESM2(require_once());
    var logOnceCode = (0, import_once.default)((deprecation) => console.warn(deprecation));
    var logOnceHeaders = (0, import_once.default)((deprecation) => console.warn(deprecation));
-    var RequestError = class extends Error {
+    var RequestError2 = class extends Error {
      constructor(message, statusCode, options) {
        super(message);
        if (Error.captureStackTrace) {
@@ -20701,7 +20701,7 @@ var require_dist_node5 = __commonJS({
      const Ctor = Object.prototype.hasOwnProperty.call(proto, "constructor") && proto.constructor;
      return typeof Ctor === "function" && Ctor instanceof Ctor && Function.prototype.call(Ctor) === Function.prototype.call(value);
    }
-    var import_request_error = require_dist_node4();
+    var import_request_error2 = require_dist_node4();
    function getBufferResponse(response) {
      return response.arrayBuffer();
    }
@@ -20753,7 +20753,7 @@ var require_dist_node5 = __commonJS({
          if (status < 400) {
            return;
          }
-          throw new import_request_error.RequestError(response.statusText, status, {
+          throw new import_request_error2.RequestError(response.statusText, status, {
            response: {
              url: url2,
              status,
@@ -20764,7 +20764,7 @@ var require_dist_node5 = __commonJS({
          });
        }
        if (status === 304) {
-          throw new import_request_error.RequestError("Not modified", status, {
+          throw new import_request_error2.RequestError("Not modified", status, {
            response: {
              url: url2,
              status,
@@ -20776,7 +20776,7 @@ var require_dist_node5 = __commonJS({
        }
        if (status >= 400) {
          const data = await getResponseData(response);
-          const error2 = new import_request_error.RequestError(toErrorMessage(data), status, {
+          const error2 = new import_request_error2.RequestError(toErrorMessage(data), status, {
            response: {
              url: url2,
              status,
@@ -20796,7 +20796,7 @@ var require_dist_node5 = __commonJS({
          data
        };
      }).catch((error2) => {
-        if (error2 instanceof import_request_error.RequestError)
+        if (error2 instanceof import_request_error2.RequestError)
          throw error2;
        else if (error2.name === "AbortError")
          throw error2;
@@ -20808,7 +20808,7 @@ var require_dist_node5 = __commonJS({
            message = error2.cause;
          }
        }
-        throw new import_request_error.RequestError(message, 500, {
+        throw new import_request_error2.RequestError(message, 500, {
          request: requestOptions
        });
      });
@@ -21250,14 +21250,14 @@ var require_dist_node7 = __commonJS({
    var __toCommonJS2 = (mod) => __copyProps2(__defProp2({}, "__esModule", { value: true }), mod);
    var dist_src_exports = {};
    __export2(dist_src_exports, {
-      RequestError: () => RequestError
+      RequestError: () => RequestError2
    });
    module2.exports = __toCommonJS2(dist_src_exports);
    var import_deprecation = require_dist_node3();
    var import_once = __toESM2(require_once());
    var logOnceCode = (0, import_once.default)((deprecation) => console.warn(deprecation));
    var logOnceHeaders = (0, import_once.default)((deprecation) => console.warn(deprecation));
-    var RequestError = class extends Error {
+    var RequestError2 = class extends Error {
      constructor(message, statusCode, options) {
        super(message);
        if (Error.captureStackTrace) {
@@ -21349,7 +21349,7 @@ var require_dist_node8 = __commonJS({
      const Ctor = Object.prototype.hasOwnProperty.call(proto, "constructor") && proto.constructor;
      return typeof Ctor === "function" && Ctor instanceof Ctor && Function.prototype.call(Ctor) === Function.prototype.call(value);
    }
-    var import_request_error = require_dist_node7();
+    var import_request_error2 = require_dist_node7();
    function getBufferResponse(response) {
      return response.arrayBuffer();
    }
@@ -21401,7 +21401,7 @@ var require_dist_node8 = __commonJS({
          if (status < 400) {
            return;
          }
-          throw new import_request_error.RequestError(response.statusText, status, {
+          throw new import_request_error2.RequestError(response.statusText, status, {
            response: {
              url: url2,
              status,
@@ -21412,7 +21412,7 @@ var require_dist_node8 = __commonJS({
          });
        }
        if (status === 304) {
-          throw new import_request_error.RequestError("Not modified", status, {
+          throw new import_request_error2.RequestError("Not modified", status, {
            response: {
              url: url2,
              status,
@@ -21424,7 +21424,7 @@ var require_dist_node8 = __commonJS({
        }
        if (status >= 400) {
          const data = await getResponseData(response);
-          const error2 = new import_request_error.RequestError(toErrorMessage(data), status, {
+          const error2 = new import_request_error2.RequestError(toErrorMessage(data), status, {
            response: {
              url: url2,
              status,
@@ -21444,7 +21444,7 @@ var require_dist_node8 = __commonJS({
          data
        };
      }).catch((error2) => {
-        if (error2 instanceof import_request_error.RequestError)
+        if (error2 instanceof import_request_error2.RequestError)
          throw error2;
        else if (error2.name === "AbortError")
          throw error2;
@@ -21456,7 +21456,7 @@ var require_dist_node8 = __commonJS({
            message = error2.cause;
          }
        }
-        throw new import_request_error.RequestError(message, 500, {
+        throw new import_request_error2.RequestError(message, 500, {
          request: requestOptions
        });
      });
@@ -25039,7 +25039,7 @@ var require_to_regex_range = __commonJS({
        stop = countZeros(max + 1, zeros) - 1;
      }
      stops = [...stops];
-      stops.sort(compare2);
+      stops.sort(compare3);
      return stops;
    }
    function rangeToPattern(start, stop, options) {
@@ -25111,7 +25111,7 @@ var require_to_regex_range = __commonJS({
      for (let i = 0; i < a.length; i++) arr.push([a[i], b[i]]);
      return arr;
    }
-    function compare2(a, b) {
+    function compare3(a, b) {
      return a > b ? 1 : b > a ? -1 : 0;
    }
    function contains(arr, key, val2) {
@@ -30529,6 +30529,9 @@ var require_identifiers = __commonJS({
    "use strict";
    var numeric = /^[0-9]+$/;
    var compareIdentifiers = (a, b) => {
+      if (typeof a === "number" && typeof b === "number") {
+        return a === b ? 0 : a < b ? -1 : 1;
+      }
      const anum = numeric.test(a);
      const bnum = numeric.test(b);
      if (anum && bnum) {
@@ -30635,7 +30638,25 @@ var require_semver = __commonJS({
        if (!(other instanceof _SemVer)) {
          other = new _SemVer(other, this.options);
        }
-        return compareIdentifiers(this.major, other.major) || compareIdentifiers(this.minor, other.minor) || compareIdentifiers(this.patch, other.patch);
+        if (this.major < other.major) {
+          return -1;
+        }
+        if (this.major > other.major) {
+          return 1;
+        }
+        if (this.minor < other.minor) {
+          return -1;
+        }
+        if (this.minor > other.minor) {
+          return 1;
+        }
+        if (this.patch < other.patch) {
+          return -1;
+        }
+        if (this.patch > other.patch) {
+          return 1;
+        }
+        return 0;
      }
      comparePre(other) {
        if (!(other instanceof _SemVer)) {
@@ -30970,8 +30991,8 @@ var require_compare = __commonJS({
  "node_modules/semver/functions/compare.js"(exports2, module2) {
    "use strict";
    var SemVer = require_semver();
-    var compare2 = (a, b, loose) => new SemVer(a, loose).compare(new SemVer(b, loose));
-    module2.exports = compare2;
+    var compare3 = (a, b, loose) => new SemVer(a, loose).compare(new SemVer(b, loose));
+    module2.exports = compare3;
  }
 });

@@ -30979,8 +31000,8 @@ var require_compare = __commonJS({
 var require_rcompare = __commonJS({
  "node_modules/semver/functions/rcompare.js"(exports2, module2) {
    "use strict";
-    var compare2 = require_compare();
-    var rcompare = (a, b, loose) => compare2(b, a, loose);
+    var compare3 = require_compare();
+    var rcompare = (a, b, loose) => compare3(b, a, loose);
    module2.exports = rcompare;
  }
 });
@@ -30989,8 +31010,8 @@ var require_rcompare = __commonJS({
 var require_compare_loose = __commonJS({
  "node_modules/semver/functions/compare-loose.js"(exports2, module2) {
    "use strict";
-    var compare2 = require_compare();
-    var compareLoose = (a, b) => compare2(a, b, true);
+    var compare3 = require_compare();
+    var compareLoose = (a, b) => compare3(a, b, true);
    module2.exports = compareLoose;
  }
 });
@@ -31033,8 +31054,8 @@ var require_rsort = __commonJS({
 var require_gt = __commonJS({
  "node_modules/semver/functions/gt.js"(exports2, module2) {
    "use strict";
-    var compare2 = require_compare();
-    var gt = (a, b, loose) => compare2(a, b, loose) > 0;
+    var compare3 = require_compare();
+    var gt = (a, b, loose) => compare3(a, b, loose) > 0;
    module2.exports = gt;
  }
 });
@@ -31043,8 +31064,8 @@ var require_gt = __commonJS({
 var require_lt = __commonJS({
  "node_modules/semver/functions/lt.js"(exports2, module2) {
    "use strict";
-    var compare2 = require_compare();
-    var lt = (a, b, loose) => compare2(a, b, loose) < 0;
+    var compare3 = require_compare();
+    var lt = (a, b, loose) => compare3(a, b, loose) < 0;
    module2.exports = lt;
  }
 });
@@ -31053,8 +31074,8 @@ var require_lt = __commonJS({
 var require_eq = __commonJS({
  "node_modules/semver/functions/eq.js"(exports2, module2) {
    "use strict";
-    var compare2 = require_compare();
-    var eq = (a, b, loose) => compare2(a, b, loose) === 0;
+    var compare3 = require_compare();
+    var eq = (a, b, loose) => compare3(a, b, loose) === 0;
    module2.exports = eq;
  }
 });
@@ -31063,8 +31084,8 @@ var require_eq = __commonJS({
 var require_neq = __commonJS({
  "node_modules/semver/functions/neq.js"(exports2, module2) {
    "use strict";
-    var compare2 = require_compare();
-    var neq = (a, b, loose) => compare2(a, b, loose) !== 0;
+    var compare3 = require_compare();
+    var neq = (a, b, loose) => compare3(a, b, loose) !== 0;
    module2.exports = neq;
  }
 });
@@ -31073,8 +31094,8 @@ var require_neq = __commonJS({
 var require_gte = __commonJS({
  "node_modules/semver/functions/gte.js"(exports2, module2) {
    "use strict";
-    var compare2 = require_compare();
-    var gte5 = (a, b, loose) => compare2(a, b, loose) >= 0;
+    var compare3 = require_compare();
+    var gte5 = (a, b, loose) => compare3(a, b, loose) >= 0;
    module2.exports = gte5;
  }
 });
@@ -31083,8 +31104,8 @@ var require_gte = __commonJS({
 var require_lte = __commonJS({
  "node_modules/semver/functions/lte.js"(exports2, module2) {
    "use strict";
-    var compare2 = require_compare();
-    var lte = (a, b, loose) => compare2(a, b, loose) <= 0;
+    var compare3 = require_compare();
+    var lte = (a, b, loose) => compare3(a, b, loose) <= 0;
    module2.exports = lte;
  }
 });
@@ -31396,6 +31417,7 @@ var require_range = __commonJS({
      return result;
    };
    var parseComparator = (comp, options) => {
+      comp = comp.replace(re[t.BUILD], "");
      debug4("comp", comp, options);
      comp = replaceCarets(comp, options);
      debug4("caret", comp);
@@ -31980,12 +32002,12 @@ var require_simplify = __commonJS({
  "node_modules/semver/ranges/simplify.js"(exports2, module2) {
    "use strict";
    var satisfies2 = require_satisfies();
-    var compare2 = require_compare();
+    var compare3 = require_compare();
    module2.exports = (versions, range, options) => {
      const set2 = [];
      let first = null;
      let prev = null;
-      const v = versions.sort((a, b) => compare2(a, b, options));
+      const v = versions.sort((a, b) => compare3(a, b, options));
      for (const version of v) {
        const included = satisfies2(version, range, options);
        if (included) {
@@ -32033,7 +32055,7 @@ var require_subset = __commonJS({
    var Comparator = require_comparator();
    var { ANY } = Comparator;
    var satisfies2 = require_satisfies();
-    var compare2 = require_compare();
+    var compare3 = require_compare();
    var subset = (sub, dom, options = {}) => {
      if (sub === dom) {
        return true;
@@ -32093,7 +32115,7 @@ var require_subset = __commonJS({
      }
      let gtltComp;
      if (gt && lt) {
-        gtltComp = compare2(gt.semver, lt.semver, options);
+        gtltComp = compare3(gt.semver, lt.semver, options);
        if (gtltComp > 0) {
          return null;
        } else if (gtltComp === 0 && (gt.operator !== ">=" || lt.operator !== "<=")) {
@@ -32173,14 +32195,14 @@ var require_subset = __commonJS({
      if (!a) {
        return b;
      }
-      const comp = compare2(a.semver, b.semver, options);
+      const comp = compare3(a.semver, b.semver, options);
      return comp > 0 ? a : comp < 0 ? b : b.operator === ">" && a.operator === ">=" ? b : a;
    };
    var lowerLT = (a, b, options) => {
      if (!a) {
        return b;
      }
-      const comp = compare2(a.semver, b.semver, options);
+      const comp = compare3(a.semver, b.semver, options);
      return comp < 0 ? a : comp > 0 ? b : b.operator === "<" && a.operator === "<=" ? b : a;
    };
    module2.exports = subset;
@@ -32204,7 +32226,7 @@ var require_semver2 = __commonJS({
    var minor = require_minor();
    var patch = require_patch();
    var prerelease = require_prerelease();
-    var compare2 = require_compare();
+    var compare3 = require_compare();
    var rcompare = require_rcompare();
    var compareLoose = require_compare_loose();
    var compareBuild = require_compare_build();
@@ -32242,7 +32264,7 @@ var require_semver2 = __commonJS({
      minor,
      patch,
      prerelease,
-      compare: compare2,
+      compare: compare3,
      rcompare,
      compareLoose,
      compareBuild,
@@ -32287,7 +32309,7 @@ var require_package = __commonJS({
  "package.json"(exports2, module2) {
    module2.exports = {
      name: "codeql",
-      version: "3.30.7",
+      version: "4.30.9",
      private: true,
      description: "CodeQL action",
      scripts: {
@@ -32322,6 +32344,7 @@ var require_package = __commonJS({
        "@actions/io": "^1.1.3",
        "@actions/tool-cache": "^2.0.2",
        "@octokit/plugin-retry": "^6.0.0",
+        "@octokit/request-error": "^7.0.1",
        "@schemastore/package": "0.0.10",
        archiver: "^7.0.1",
        "check-disk-space": "^3.4.0",
@@ -32335,14 +32358,14 @@ var require_package = __commonJS({
        long: "^5.3.2",
        "node-forge": "^1.3.1",
        octokit: "^5.0.3",
-        semver: "^7.7.2",
+        semver: "^7.7.3",
        uuid: "^13.0.0"
      },
      devDependencies: {
        "@ava/typescript": "6.0.0",
        "@eslint/compat": "^1.4.0",
        "@eslint/eslintrc": "^3.3.1",
-        "@eslint/js": "^9.36.0",
+        "@eslint/js": "^9.37.0",
        "@microsoft/eslint-formatter-sarif": "^3.1.0",
        "@octokit/types": "^15.0.0",
        "@types/archiver": "^6.0.3",
@@ -32353,7 +32376,7 @@ var require_package = __commonJS({
        "@types/node-forge": "^1.3.14",
        "@types/semver": "^7.7.1",
        "@types/sinon": "^17.0.4",
-        "@typescript-eslint/eslint-plugin": "^8.44.1",
+        "@typescript-eslint/eslint-plugin": "^8.46.0",
        "@typescript-eslint/parser": "^8.41.0",
        ava: "^6.4.1",
        esbuild: "^0.25.10",
@@ -32366,7 +32389,7 @@ var require_package = __commonJS({
        glob: "^11.0.3",
        nock: "^14.0.10",
        sinon: "^21.0.0",
-        typescript: "^5.9.2"
+        typescript: "^5.9.3"
      },
      overrides: {
        "@actions/tool-cache": {
@@ -33745,14 +33768,14 @@ var require_dist_node14 = __commonJS({
    var __toCommonJS2 = (mod) => __copyProps2(__defProp2({}, "__esModule", { value: true }), mod);
    var dist_src_exports = {};
    __export2(dist_src_exports, {
-      RequestError: () => RequestError
+      RequestError: () => RequestError2
    });
    module2.exports = __toCommonJS2(dist_src_exports);
    var import_deprecation = require_dist_node3();
    var import_once = __toESM2(require_once());
    var logOnceCode = (0, import_once.default)((deprecation) => console.warn(deprecation));
    var logOnceHeaders = (0, import_once.default)((deprecation) => console.warn(deprecation));
-    var RequestError = class extends Error {
+    var RequestError2 = class extends Error {
      constructor(message, statusCode, options) {
        super(message);
        if (Error.captureStackTrace) {
@@ -33854,7 +33877,7 @@ var require_dist_node15 = __commonJS({
      throw error2;
    }
    var import_light = __toESM2(require_light());
-    var import_request_error = require_dist_node14();
+    var import_request_error2 = require_dist_node14();
    async function wrapRequest(state, octokit, request, options) {
      const limiter = new import_light.default();
      limiter.on("failed", function(error2, info4) {
@@ -33875,7 +33898,7 @@ var require_dist_node15 = __commonJS({
      if (response.data && response.data.errors && response.data.errors.length > 0 && /Something went wrong while executing your query/.test(
        response.data.errors[0].message
      )) {
-        const error2 = new import_request_error.RequestError(response.data.errors[0].message, 500, {
+        const error2 = new import_request_error2.RequestError(response.data.errors[0].message, 500, {
          request: options,
          response
        });
@@ -36110,13 +36133,13 @@ var require_semver3 = __commonJS({
    function patch(a, loose) {
      return new SemVer(a, loose).patch;
    }
-    exports2.compare = compare2;
-    function compare2(a, b, loose) {
+    exports2.compare = compare3;
+    function compare3(a, b, loose) {
      return new SemVer(a, loose).compare(new SemVer(b, loose));
    }
    exports2.compareLoose = compareLoose;
    function compareLoose(a, b) {
-      return compare2(a, b, true);
+      return compare3(a, b, true);
    }
    exports2.compareBuild = compareBuild;
    function compareBuild(a, b, loose) {
@@ -36126,7 +36149,7 @@ var require_semver3 = __commonJS({
    }
    exports2.rcompare = rcompare;
    function rcompare(a, b, loose) {
-      return compare2(b, a, loose);
+      return compare3(b, a, loose);
    }
    exports2.sort = sort;
    function sort(list, loose) {
@@ -36142,27 +36165,27 @@ var require_semver3 = __commonJS({
    }
    exports2.gt = gt;
    function gt(a, b, loose) {
-      return compare2(a, b, loose) > 0;
+      return compare3(a, b, loose) > 0;
    }
    exports2.lt = lt;
    function lt(a, b, loose) {
-      return compare2(a, b, loose) < 0;
+      return compare3(a, b, loose) < 0;
    }
    exports2.eq = eq;
    function eq(a, b, loose) {
-      return compare2(a, b, loose) === 0;
+      return compare3(a, b, loose) === 0;
    }
    exports2.neq = neq;
    function neq(a, b, loose) {
-      return compare2(a, b, loose) !== 0;
+      return compare3(a, b, loose) !== 0;
    }
    exports2.gte = gte5;
    function gte5(a, b, loose) {
-      return compare2(a, b, loose) >= 0;
+      return compare3(a, b, loose) >= 0;
    }
    exports2.lte = lte;
    function lte(a, b, loose) {
-      return compare2(a, b, loose) <= 0;
+      return compare3(a, b, loose) <= 0;
    }
    exports2.cmp = cmp;
    function cmp(a, op, b, loose) {
@@ -88457,6 +88480,9 @@ function isGoodVersion(versionSpec) {
 function isInTestMode() {
  return process.env["CODEQL_ACTION_TEST_MODE" /* TEST_MODE */] === "true";
 }
+function shouldSkipSarifUpload() {
+  return isInTestMode() || process.env["CODEQL_ACTION_SKIP_SARIF_UPLOAD" /* SKIP_SARIF_UPLOAD */] === "true";
+}
 function getTestingEnvironment() {
  const testingEnvironment = process.env["CODEQL_ACTION_TESTING_ENVIRONMENT" /* TESTING_ENVIRONMENT */] || "";
  if (testingEnvironment === "") {
@@ -88671,9 +88697,12 @@ function getWorkflowRunAttempt() {
 function isSelfHostedRunner() {
  return process.env.RUNNER_ENVIRONMENT === "self-hosted";
 }
-function isDefaultSetup() {
+function isDynamicWorkflow() {
  return getWorkflowEventName() === "dynamic";
 }
+function isDefaultSetup() {
+  return isDynamicWorkflow();
+}
 function prettyPrintInvocation(cmd, args) {
  return [cmd, ...args].map((x) => x.includes(" ") ? `'${x}'` : x).join(" ");
 }
@@ -88947,8 +88976,8 @@ var path8 = __toESM(require("path"));
 var semver3 = __toESM(require_semver2());

 // src/defaults.json
-var bundleVersion = "codeql-bundle-v2.23.2";
-var cliVersion = "2.23.2";
+var bundleVersion = "codeql-bundle-v2.23.3";
+var cliVersion = "2.23.3";

 // src/overlay-database-utils.ts
 var fs5 = __toESM(require("fs"));
@@ -89241,6 +89270,11 @@ var DEFAULT_VERSION_FEATURE_FLAG_PREFIX = "default_codeql_version_";
 var DEFAULT_VERSION_FEATURE_FLAG_SUFFIX = "_enabled";
 var CODEQL_VERSION_ZSTD_BUNDLE = "2.19.0";
 var featureConfig = {
+  ["allow_toolcache_input" /* AllowToolcacheInput */]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_ALLOW_TOOLCACHE_INPUT",
+    minimumVersion: void 0
+  },
  ["cleanup_trap_caches" /* CleanupTrapCaches */]: {
    defaultValue: false,
    envVar: "CODEQL_ACTION_CLEANUP_TRAP_CACHES",
@@ -89850,7 +89884,7 @@ async function createStatusReportBase(actionName, status, actionStartedAt, confi
      action_ref: actionRef,
      action_started_at: actionStartedAt.toISOString(),
      action_version: getActionVersion(),
-      analysis_kinds: config?.analysisKinds.join(","),
+      analysis_kinds: config?.analysisKinds?.join(","),
      analysis_key,
      build_mode: config?.buildMode,
      commit_oid: commitOid,
@@ -89873,7 +89907,7 @@ async function createStatusReportBase(actionName, status, actionStartedAt, confi
      logger.warning(`Could not determine the workflow event name: ${e}.`);
    }
    if (config) {
-      statusReport.languages = config.languages.join(",");
+      statusReport.languages = config.languages?.join(",");
    }
    if (diskInfo) {
      statusReport.runner_available_disk_space_bytes = diskInfo.numAvailableBytes;
@@ -89983,6 +90017,45 @@ var path13 = __toESM(require("path"));
 var core11 = __toESM(require_core());
 var toolrunner3 = __toESM(require_toolrunner());

+// node_modules/@octokit/request-error/dist-src/index.js
+var RequestError = class extends Error {
+  name;
+  /**
+   * http status code
+   */
+  status;
+  /**
+   * Request options that lead to the error.
+   */
+  request;
+  /**
+   * Response object if a response was received
+   */
+  response;
+  constructor(message, statusCode, options) {
+    super(message);
+    this.name = "HttpError";
+    this.status = Number.parseInt(statusCode);
+    if (Number.isNaN(this.status)) {
+      this.status = 0;
+    }
+    if ("response" in options) {
+      this.response = options.response;
+    }
+    const requestCopy = Object.assign({}, options.request);
+    if (options.request.headers.authorization) {
+      requestCopy.headers = Object.assign({}, options.request.headers, {
+        authorization: options.request.headers.authorization.replace(
+          /(?<! ) .*$/,
+          " [REDACTED]"
+        )
+      });
+    }
+    requestCopy.url = requestCopy.url.replace(/\bclient_secret=\w+/g, "client_secret=[REDACTED]").replace(/\baccess_token=\w+/g, "access_token=[REDACTED]");
+    this.request = requestCopy;
+  }
+};
+
 // src/cli-errors.ts
 var SUPPORTED_PLATFORMS = [
  ["linux", "x64"],
@@ -90599,6 +90672,7 @@ var CODEQL_NIGHTLIES_REPOSITORY_OWNER = "dsp-testing";
 var CODEQL_NIGHTLIES_REPOSITORY_NAME = "codeql-cli-nightlies";
 var CODEQL_BUNDLE_VERSION_ALIAS = ["linked", "latest"];
 var CODEQL_NIGHTLY_TOOLS_INPUTS = ["nightly", "nightly-latest"];
+var CODEQL_TOOLCACHE_INPUT = "toolcache";
 function getCodeQLBundleExtension(compressionMethod) {
  switch (compressionMethod) {
    case "gzip":
@@ -90740,7 +90814,7 @@ async function findOverridingToolsInCache(humanReadableVersion, logger) {
  }
  return void 0;
 }
-async function getCodeQLSource(toolsInput, defaultCliVersion, apiDetails, variant, tarSupportsZstd, logger) {
+async function getCodeQLSource(toolsInput, defaultCliVersion, apiDetails, variant, tarSupportsZstd, features, logger) {
  if (toolsInput && !isReservedToolsValue(toolsInput) && !toolsInput.startsWith("http")) {
    logger.info(`Using CodeQL CLI from local path ${toolsInput}`);
    const compressionMethod2 = inferCompressionMethod(toolsInput);
@@ -90777,6 +90851,40 @@ async function getCodeQLSource(toolsInput, defaultCliVersion, apiDetails, varian
        "`tools: latest` has been renamed to `tools: linked`, but the old name is still supported. No action is required."
      );
    }
+  } else if (toolsInput !== void 0 && toolsInput === CODEQL_TOOLCACHE_INPUT) {
+    let latestToolcacheVersion;
+    const allowToolcacheValueFF = await features.getValue(
+      "allow_toolcache_input" /* AllowToolcacheInput */
+    );
+    const allowToolcacheValue = allowToolcacheValueFF && (isDynamicWorkflow() || isInTestMode());
+    if (allowToolcacheValue) {
+      logger.info(
+        `Attempting to use the latest CodeQL CLI version in the toolcache, as requested by 'tools: ${toolsInput}'.`
+      );
+      latestToolcacheVersion = getLatestToolcacheVersion(logger);
+      if (latestToolcacheVersion) {
+        cliVersion2 = latestToolcacheVersion;
+      }
+    }
+    if (latestToolcacheVersion === void 0) {
+      if (allowToolcacheValue) {
+        logger.info(
+          `Found no CodeQL CLI in the toolcache, ignoring 'tools: ${toolsInput}'...`
+        );
+      } else {
+        if (allowToolcacheValueFF) {
+          logger.warning(
+            `Ignoring 'tools: ${toolsInput}' because the workflow was not triggered dynamically.`
+          );
+        } else {
+          logger.info(
+            `Ignoring 'tools: ${toolsInput}' because the feature is not enabled.`
+          );
+        }
+      }
+      cliVersion2 = defaultCliVersion.cliVersion;
+      tagName = defaultCliVersion.tagName;
+    }
  } else if (toolsInput !== void 0) {
    tagName = tryGetTagNameFromUrl(toolsInput, logger);
    url2 = toolsInput;
@@ -90985,7 +91093,7 @@ function getCanonicalToolcacheVersion(cliVersion2, bundleVersion2, logger) {
  }
  return cliVersion2;
 }
-async function setupCodeQLBundle(toolsInput, apiDetails, tempDir, variant, defaultCliVersion, logger) {
+async function setupCodeQLBundle(toolsInput, apiDetails, tempDir, variant, defaultCliVersion, features, logger) {
  if (!await isBinaryAccessible("tar", logger)) {
    throw new ConfigurationError(
      "Could not find tar in PATH, so unable to extract CodeQL bundle."
@@ -90998,6 +91106,7 @@ async function setupCodeQLBundle(toolsInput, apiDetails, tempDir, variant, defau
    apiDetails,
    variant,
    zstdAvailability.available,
+    features,
    logger
  );
  let codeqlFolder;
@@ -91083,8 +91192,24 @@ async function getNightlyToolsUrl(logger) {
    );
  }
 }
+function getLatestToolcacheVersion(logger) {
+  const allVersions = toolcache3.findAllVersions("CodeQL").sort((a, b) => semver7.compare(b, a));
+  logger.debug(
+    `Found the following versions of the CodeQL tools in the toolcache: ${JSON.stringify(
+      allVersions
+    )}.`
+  );
+  if (allVersions.length > 0) {
+    const latestToolcacheVersion = allVersions[0];
+    logger.info(
+      `CLI version ${latestToolcacheVersion} is the latest version in the toolcache.`
+    );
+    return latestToolcacheVersion;
+  }
+  return void 0;
+}
 function isReservedToolsValue(tools) {
-  return CODEQL_BUNDLE_VERSION_ALIAS.includes(tools) || CODEQL_NIGHTLY_TOOLS_INPUTS.includes(tools);
+  return CODEQL_BUNDLE_VERSION_ALIAS.includes(tools) || CODEQL_NIGHTLY_TOOLS_INPUTS.includes(tools) || tools === CODEQL_TOOLCACHE_INPUT;
 }

 // src/tracer-config.ts
@@ -91106,7 +91231,7 @@ var GHES_VERSION_MOST_RECENTLY_DEPRECATED = "3.13";
 var GHES_MOST_RECENT_DEPRECATION_DATE = "2025-06-19";
 var EXTRACTION_DEBUG_MODE_VERBOSITY = "progress++";
 var CODEQL_VERSION_CACHE_CLEANUP = "2.17.1";
-async function setupCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliVersion, logger, checkVersion) {
+async function setupCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliVersion, features, logger, checkVersion) {
  try {
    const {
      codeqlFolder,
@@ -91120,6 +91245,7 @@ async function setupCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliV
      tempDir,
      variant,
      defaultCliVersion,
+      features,
      logger
    );
    logger.debug(
@@ -91144,7 +91270,8 @@ async function setupCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliV
      zstdAvailability
    };
  } catch (e) {
-    const ErrorClass = e instanceof ConfigurationError || e instanceof Error && e.message.includes("ENOSPC") ? ConfigurationError : Error;
+    const ErrorClass = e instanceof ConfigurationError || e instanceof Error && e.message.includes("ENOSPC") || // out of disk space
+    e instanceof RequestError && e.status === 429 ? ConfigurationError : Error;
    throw new ErrorClass(
      `Unable to download and extract CodeQL CLI: ${getErrorMessage(e)}${e instanceof Error && e.stack ? `

@@ -92271,7 +92398,7 @@ LongPrototype.greaterThanOrEqual = function greaterThanOrEqual(other) {
 };
 LongPrototype.gte = LongPrototype.greaterThanOrEqual;
 LongPrototype.ge = LongPrototype.greaterThanOrEqual;
-LongPrototype.compare = function compare(other) {
+LongPrototype.compare = function compare2(other) {
  if (!isLong(other)) other = fromValue(other);
  if (this.eq(other)) return 0;
  var thisNeg = this.isNegative(), otherNeg = other.isNegative();
@@ -92822,7 +92949,7 @@ async function addFingerprints(sarif, sourceRoot, logger) {
 // src/init.ts
 var toolrunner4 = __toESM(require_toolrunner());
 var io5 = __toESM(require_io());
-async function initCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliVersion, logger) {
+async function initCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliVersion, features, logger) {
  logger.startGroup("Setup CodeQL tools");
  const {
    codeql,
@@ -92836,6 +92963,7 @@ async function initCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliVe
    tempDir,
    variant,
    defaultCliVersion,
+    features,
    logger,
    true
  );
@@ -92982,6 +93110,7 @@ async function combineSarifFilesUsingCLI(sarifFiles, gitHubVersion, features, lo
      tempDir,
      gitHubVersion.type,
      codeQLDefaultVersionInfo,
+      features,
      logger
    );
    codeQL = initCodeQLResult.codeql;
@@ -93037,23 +93166,23 @@ function getAutomationID2(category, analysis_key, environment) {
  }
  return computeAutomationID(analysis_key, environment);
 }
-async function uploadPayload(payload, repositoryNwo, logger, target) {
+async function uploadPayload(payload, repositoryNwo, logger, analysis) {
  logger.info("Uploading results");
-  if (isInTestMode()) {
+  if (shouldSkipSarifUpload()) {
    const payloadSaveFile = path15.join(
      getTemporaryDirectory(),
-      "payload.json"
+      `payload-${analysis.kind}.json`
    );
    logger.info(
-      `In test mode. Results are not uploaded. Saving to ${payloadSaveFile}`
+      `SARIF upload disabled by an environment variable. Saving to ${payloadSaveFile}`
    );
    logger.info(`Payload: ${JSON.stringify(payload, null, 2)}`);
    fs14.writeFileSync(payloadSaveFile, JSON.stringify(payload, null, 2));
-    return "test-mode-sarif-id";
+    return "dummy-sarif-id";
  }
  const client = getApiClient();
  try {
-    const response = await client.request(target, {
+    const response = await client.request(analysis.target, {
      owner: repositoryNwo.owner,
      repo: repositoryNwo.repo,
      data: payload
@@ -93304,7 +93433,7 @@ async function uploadSpecifiedFiles(sarifPaths, checkoutPath, category, features
    payload,
    getRepositoryNwo(),
    logger,
-    uploadTarget.target
+    uploadTarget
  );
  logger.endGroup();
  return {
@@ -93570,8 +93699,10 @@ async function run() {
      core13.setOutput("sarif-id", codeScanningResult.sarifID);
    }
    core13.setOutput("sarif-ids", JSON.stringify(uploadResults));
-    if (isInTestMode()) {
-      core13.debug("In test mode. Waiting for processing is disabled.");
+    if (shouldSkipSarifUpload()) {
+      core13.debug(
+        "SARIF upload disabled by an environment variable. Waiting for processing is disabled."
+      );
    } else if (getRequiredInput("wait-for-processing") === "true") {
      if (codeScanningResult !== void 0) {
        await waitForProcessing(
@@ -1,12 +1,12 @@
 {
  "name": "codeql",
-  "version": "4.30.7",
+  "version": "4.30.9",
  "lockfileVersion": 3,
  "requires": true,
  "packages": {
    "": {
      "name": "codeql",
-      "version": "4.30.7",
+      "version": "4.30.9",
      "license": "MIT",
      "dependencies": {
        "@actions/artifact": "^2.3.1",
@@ -20,6 +20,7 @@
        "@actions/io": "^1.1.3",
        "@actions/tool-cache": "^2.0.2",
        "@octokit/plugin-retry": "^6.0.0",
+        "@octokit/request-error": "^7.0.1",
        "@schemastore/package": "0.0.10",
        "archiver": "^7.0.1",
        "check-disk-space": "^3.4.0",
@@ -33,14 +34,14 @@
        "long": "^5.3.2",
        "node-forge": "^1.3.1",
        "octokit": "^5.0.3",
-        "semver": "^7.7.2",
+        "semver": "^7.7.3",
        "uuid": "^13.0.0"
      },
      "devDependencies": {
        "@ava/typescript": "6.0.0",
        "@eslint/compat": "^1.4.0",
        "@eslint/eslintrc": "^3.3.1",
-        "@eslint/js": "^9.36.0",
+        "@eslint/js": "^9.37.0",
        "@microsoft/eslint-formatter-sarif": "^3.1.0",
        "@octokit/types": "^15.0.0",
        "@types/archiver": "^6.0.3",
@@ -51,7 +52,7 @@
        "@types/node-forge": "^1.3.14",
        "@types/semver": "^7.7.1",
        "@types/sinon": "^17.0.4",
-        "@typescript-eslint/eslint-plugin": "^8.44.1",
+        "@typescript-eslint/eslint-plugin": "^8.46.0",
        "@typescript-eslint/parser": "^8.41.0",
        "ava": "^6.4.1",
        "esbuild": "^0.25.10",
@@ -64,7 +65,7 @@
        "glob": "^11.0.3",
        "nock": "^14.0.10",
        "sinon": "^21.0.0",
-        "typescript": "^5.9.2"
+        "typescript": "^5.9.3"
      }
    },
    "node_modules/@aashutoshrathi/word-wrap": {
@@ -1346,9 +1347,9 @@
      }
    },
    "node_modules/@eslint/js": {
-      "version": "9.36.0",
-      "resolved": "https://registry.npmjs.org/@eslint/js/-/js-9.36.0.tgz",
-      "integrity": "sha512-uhCbYtYynH30iZErszX78U+nR3pJU3RHGQ57NXy5QupD4SBVwDeU8TNBy+MjMngc1UyIW9noKqsRqfjQTBU2dw==",
+      "version": "9.37.0",
+      "resolved": "https://registry.npmjs.org/@eslint/js/-/js-9.37.0.tgz",
+      "integrity": "sha512-jaS+NJ+hximswBG6pjNX0uEJZkrT0zwpVi3BA3vX22aFGjJjmgSTSmPpZCRKmoBL5VY/M6p0xsSJx7rk7sy5gg==",
      "dev": true,
      "license": "MIT",
      "engines": {
@@ -2175,7 +2176,6 @@
      "version": "26.0.0",
      "resolved": "https://registry.npmjs.org/@octokit/openapi-types/-/openapi-types-26.0.0.tgz",
      "integrity": "sha512-7AtcfKtpo77j7Ts73b4OWhOZHTKo/gGY8bB3bNBQz4H+GRSWqx2yvj8TXRsbdTE0eRmYmXOEY66jM7mJ7LzfsA==",
-      "dev": true,
      "license": "MIT"
    },
    "node_modules/@octokit/openapi-webhooks-types": {
@@ -2299,31 +2299,17 @@
      }
    },
    "node_modules/@octokit/request-error": {
-      "version": "7.0.0",
-      "resolved": "https://registry.npmjs.org/@octokit/request-error/-/request-error-7.0.0.tgz",
-      "integrity": "sha512-KRA7VTGdVyJlh0cP5Tf94hTiYVVqmt2f3I6mnimmaVz4UG3gQV/k4mDJlJv3X67iX6rmN7gSHCF8ssqeMnmhZg==",
+      "version": "7.0.1",
+      "resolved": "https://registry.npmjs.org/@octokit/request-error/-/request-error-7.0.1.tgz",
+      "integrity": "sha512-CZpFwV4+1uBrxu7Cw8E5NCXDWFNf18MSY23TdxCBgjw1tXXHvTrZVsXlW8hgFTOLw8RQR1BBrMvYRtuyaijHMA==",
+      "license": "MIT",
      "dependencies": {
-        "@octokit/types": "^14.0.0"
+        "@octokit/types": "^15.0.0"
      },
      "engines": {
        "node": ">= 20"
      }
    },
-    "node_modules/@octokit/request-error/node_modules/@octokit/openapi-types": {
-      "version": "25.1.0",
-      "resolved": "https://registry.npmjs.org/@octokit/openapi-types/-/openapi-types-25.1.0.tgz",
-      "integrity": "sha512-idsIggNXUKkk0+BExUn1dQ92sfysJrje03Q0bv0e+KPLrvyqZF8MnBpFz8UNfYDwB3Ie7Z0TByjWfzxt7vseaA==",
-      "license": "MIT"
-    },
-    "node_modules/@octokit/request-error/node_modules/@octokit/types": {
-      "version": "14.1.0",
-      "resolved": "https://registry.npmjs.org/@octokit/types/-/types-14.1.0.tgz",
-      "integrity": "sha512-1y6DgTy8Jomcpu33N+p5w58l6xyt55Ar2I91RPiIA0xCJBXyUAhXCcmZaDWSANiha7R9a6qJJ2CRomGPZ6f46g==",
-      "license": "MIT",
-      "dependencies": {
-        "@octokit/openapi-types": "^25.1.0"
-      }
-    },
    "node_modules/@octokit/request/node_modules/@octokit/openapi-types": {
      "version": "25.1.0",
      "resolved": "https://registry.npmjs.org/@octokit/openapi-types/-/openapi-types-25.1.0.tgz",
@@ -2348,7 +2334,6 @@
      "version": "15.0.0",
      "resolved": "https://registry.npmjs.org/@octokit/types/-/types-15.0.0.tgz",
      "integrity": "sha512-8o6yDfmoGJUIeR9OfYU0/TUJTnMPG2r68+1yEdUeG2Fdqpj8Qetg0ziKIgcBm0RW/j29H41WP37CYCEhp6GoHQ==",
-      "dev": true,
      "license": "MIT",
      "dependencies": {
        "@octokit/openapi-types": "^26.0.0"
@@ -2712,17 +2697,17 @@
      "license": "MIT"
    },
    "node_modules/@typescript-eslint/eslint-plugin": {
-      "version": "8.44.1",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/eslint-plugin/-/eslint-plugin-8.44.1.tgz",
-      "integrity": "sha512-molgphGqOBT7t4YKCSkbasmu1tb1MgrZ2szGzHbclF7PNmOkSTQVHy+2jXOSnxvR3+Xe1yySHFZoqMpz3TfQsw==",
+      "version": "8.46.0",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/eslint-plugin/-/eslint-plugin-8.46.0.tgz",
+      "integrity": "sha512-hA8gxBq4ukonVXPy0OKhiaUh/68D0E88GSmtC1iAEnGaieuDi38LhS7jdCHRLi6ErJBNDGCzvh5EnzdPwUc0DA==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
        "@eslint-community/regexpp": "^4.10.0",
-        "@typescript-eslint/scope-manager": "8.44.1",
-        "@typescript-eslint/type-utils": "8.44.1",
-        "@typescript-eslint/utils": "8.44.1",
-        "@typescript-eslint/visitor-keys": "8.44.1",
+        "@typescript-eslint/scope-manager": "8.46.0",
+        "@typescript-eslint/type-utils": "8.46.0",
+        "@typescript-eslint/utils": "8.46.0",
+        "@typescript-eslint/visitor-keys": "8.46.0",
        "graphemer": "^1.4.0",
        "ignore": "^7.0.0",
        "natural-compare": "^1.4.0",
@@ -2736,20 +2721,20 @@
        "url": "https://opencollective.com/typescript-eslint"
      },
      "peerDependencies": {
-        "@typescript-eslint/parser": "^8.44.1",
+        "@typescript-eslint/parser": "^8.46.0",
        "eslint": "^8.57.0 || ^9.0.0",
        "typescript": ">=4.8.4 <6.0.0"
      }
    },
    "node_modules/@typescript-eslint/eslint-plugin/node_modules/@typescript-eslint/scope-manager": {
-      "version": "8.44.1",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/scope-manager/-/scope-manager-8.44.1.tgz",
-      "integrity": "sha512-NdhWHgmynpSvyhchGLXh+w12OMT308Gm25JoRIyTZqEbApiBiQHD/8xgb6LqCWCFcxFtWwaVdFsLPQI3jvhywg==",
+      "version": "8.46.0",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/scope-manager/-/scope-manager-8.46.0.tgz",
+      "integrity": "sha512-lWETPa9XGcBes4jqAMYD9fW0j4n6hrPtTJwWDmtqgFO/4HF4jmdH/Q6wggTw5qIT5TXjKzbt7GsZUBnWoO3dqw==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
-        "@typescript-eslint/types": "8.44.1",
-        "@typescript-eslint/visitor-keys": "8.44.1"
+        "@typescript-eslint/types": "8.46.0",
+        "@typescript-eslint/visitor-keys": "8.46.0"
      },
      "engines": {
        "node": "^18.18.0 || ^20.9.0 || >=21.1.0"
@@ -2760,9 +2745,9 @@
      }
    },
    "node_modules/@typescript-eslint/eslint-plugin/node_modules/@typescript-eslint/types": {
-      "version": "8.44.1",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/types/-/types-8.44.1.tgz",
-      "integrity": "sha512-Lk7uj7y9uQUOEguiDIDLYLJOrYHQa7oBiURYVFqIpGxclAFQ78f6VUOM8lI2XEuNOKNB7XuvM2+2cMXAoq4ALQ==",
+      "version": "8.46.0",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/types/-/types-8.46.0.tgz",
+      "integrity": "sha512-bHGGJyVjSE4dJJIO5yyEWt/cHyNwga/zXGJbJJ8TiO01aVREK6gCTu3L+5wrkb1FbDkQ+TKjMNe9R/QQQP9+rA==",
      "dev": true,
      "license": "MIT",
      "engines": {
@@ -2774,16 +2759,16 @@
      }
    },
    "node_modules/@typescript-eslint/eslint-plugin/node_modules/@typescript-eslint/typescript-estree": {
-      "version": "8.44.1",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/typescript-estree/-/typescript-estree-8.44.1.tgz",
-      "integrity": "sha512-qnQJ+mVa7szevdEyvfItbO5Vo+GfZ4/GZWWDRRLjrxYPkhM+6zYB2vRYwCsoJLzqFCdZT4mEqyJoyzkunsZ96A==",
+      "version": "8.46.0",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/typescript-estree/-/typescript-estree-8.46.0.tgz",
+      "integrity": "sha512-ekDCUfVpAKWJbRfm8T1YRrCot1KFxZn21oV76v5Fj4tr7ELyk84OS+ouvYdcDAwZL89WpEkEj2DKQ+qg//+ucg==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
-        "@typescript-eslint/project-service": "8.44.1",
-        "@typescript-eslint/tsconfig-utils": "8.44.1",
-        "@typescript-eslint/types": "8.44.1",
-        "@typescript-eslint/visitor-keys": "8.44.1",
+        "@typescript-eslint/project-service": "8.46.0",
+        "@typescript-eslint/tsconfig-utils": "8.46.0",
+        "@typescript-eslint/types": "8.46.0",
+        "@typescript-eslint/visitor-keys": "8.46.0",
        "debug": "^4.3.4",
        "fast-glob": "^3.3.2",
        "is-glob": "^4.0.3",
@@ -2803,16 +2788,16 @@
      }
    },
    "node_modules/@typescript-eslint/eslint-plugin/node_modules/@typescript-eslint/utils": {
-      "version": "8.44.1",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/utils/-/utils-8.44.1.tgz",
-      "integrity": "sha512-DpX5Fp6edTlocMCwA+mHY8Mra+pPjRZ0TfHkXI8QFelIKcbADQz1LUPNtzOFUriBB2UYqw4Pi9+xV4w9ZczHFg==",
+      "version": "8.46.0",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/utils/-/utils-8.46.0.tgz",
+      "integrity": "sha512-nD6yGWPj1xiOm4Gk0k6hLSZz2XkNXhuYmyIrOWcHoPuAhjT9i5bAG+xbWPgFeNR8HPHHtpNKdYUXJl/D3x7f5g==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
        "@eslint-community/eslint-utils": "^4.7.0",
-        "@typescript-eslint/scope-manager": "8.44.1",
-        "@typescript-eslint/types": "8.44.1",
-        "@typescript-eslint/typescript-estree": "8.44.1"
+        "@typescript-eslint/scope-manager": "8.46.0",
+        "@typescript-eslint/types": "8.46.0",
+        "@typescript-eslint/typescript-estree": "8.46.0"
      },
      "engines": {
        "node": "^18.18.0 || ^20.9.0 || >=21.1.0"
@@ -2827,13 +2812,13 @@
      }
    },
    "node_modules/@typescript-eslint/eslint-plugin/node_modules/@typescript-eslint/visitor-keys": {
-      "version": "8.44.1",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/visitor-keys/-/visitor-keys-8.44.1.tgz",
-      "integrity": "sha512-576+u0QD+Jp3tZzvfRfxon0EA2lzcDt3lhUbsC6Lgzy9x2VR4E+JUiNyGHi5T8vk0TV+fpJ5GLG1JsJuWCaKhw==",
+      "version": "8.46.0",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/visitor-keys/-/visitor-keys-8.46.0.tgz",
+      "integrity": "sha512-FrvMpAK+hTbFy7vH5j1+tMYHMSKLE6RzluFJlkFNKD0p9YsUT75JlBSmr5so3QRzvMwU5/bIEdeNrxm8du8l3Q==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
-        "@typescript-eslint/types": "8.44.1",
+        "@typescript-eslint/types": "8.46.0",
        "eslint-visitor-keys": "^4.2.1"
      },
      "engines": {
@@ -2906,16 +2891,16 @@
      }
    },
    "node_modules/@typescript-eslint/parser": {
-      "version": "8.44.1",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/parser/-/parser-8.44.1.tgz",
-      "integrity": "sha512-EHrrEsyhOhxYt8MTg4zTF+DJMuNBzWwgvvOYNj/zm1vnaD/IC5zCXFehZv94Piqa2cRFfXrTFxIvO95L7Qc/cw==",
+      "version": "8.46.0",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/parser/-/parser-8.46.0.tgz",
+      "integrity": "sha512-n1H6IcDhmmUEG7TNVSspGmiHHutt7iVKtZwRppD7e04wha5MrkV1h3pti9xQLcCMt6YWsncpoT0HMjkH1FNwWQ==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
-        "@typescript-eslint/scope-manager": "8.44.1",
-        "@typescript-eslint/types": "8.44.1",
-        "@typescript-eslint/typescript-estree": "8.44.1",
-        "@typescript-eslint/visitor-keys": "8.44.1",
+        "@typescript-eslint/scope-manager": "8.46.0",
+        "@typescript-eslint/types": "8.46.0",
+        "@typescript-eslint/typescript-estree": "8.46.0",
+        "@typescript-eslint/visitor-keys": "8.46.0",
        "debug": "^4.3.4"
      },
      "engines": {
@@ -2931,14 +2916,14 @@
      }
    },
    "node_modules/@typescript-eslint/parser/node_modules/@typescript-eslint/scope-manager": {
-      "version": "8.44.1",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/scope-manager/-/scope-manager-8.44.1.tgz",
-      "integrity": "sha512-NdhWHgmynpSvyhchGLXh+w12OMT308Gm25JoRIyTZqEbApiBiQHD/8xgb6LqCWCFcxFtWwaVdFsLPQI3jvhywg==",
+      "version": "8.46.0",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/scope-manager/-/scope-manager-8.46.0.tgz",
+      "integrity": "sha512-lWETPa9XGcBes4jqAMYD9fW0j4n6hrPtTJwWDmtqgFO/4HF4jmdH/Q6wggTw5qIT5TXjKzbt7GsZUBnWoO3dqw==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
-        "@typescript-eslint/types": "8.44.1",
-        "@typescript-eslint/visitor-keys": "8.44.1"
+        "@typescript-eslint/types": "8.46.0",
+        "@typescript-eslint/visitor-keys": "8.46.0"
      },
      "engines": {
        "node": "^18.18.0 || ^20.9.0 || >=21.1.0"
@@ -2949,9 +2934,9 @@
      }
    },
    "node_modules/@typescript-eslint/parser/node_modules/@typescript-eslint/types": {
-      "version": "8.44.1",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/types/-/types-8.44.1.tgz",
-      "integrity": "sha512-Lk7uj7y9uQUOEguiDIDLYLJOrYHQa7oBiURYVFqIpGxclAFQ78f6VUOM8lI2XEuNOKNB7XuvM2+2cMXAoq4ALQ==",
+      "version": "8.46.0",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/types/-/types-8.46.0.tgz",
+      "integrity": "sha512-bHGGJyVjSE4dJJIO5yyEWt/cHyNwga/zXGJbJJ8TiO01aVREK6gCTu3L+5wrkb1FbDkQ+TKjMNe9R/QQQP9+rA==",
      "dev": true,
      "license": "MIT",
      "engines": {
@@ -2963,16 +2948,16 @@
      }
    },
    "node_modules/@typescript-eslint/parser/node_modules/@typescript-eslint/typescript-estree": {
-      "version": "8.44.1",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/typescript-estree/-/typescript-estree-8.44.1.tgz",
-      "integrity": "sha512-qnQJ+mVa7szevdEyvfItbO5Vo+GfZ4/GZWWDRRLjrxYPkhM+6zYB2vRYwCsoJLzqFCdZT4mEqyJoyzkunsZ96A==",
+      "version": "8.46.0",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/typescript-estree/-/typescript-estree-8.46.0.tgz",
+      "integrity": "sha512-ekDCUfVpAKWJbRfm8T1YRrCot1KFxZn21oV76v5Fj4tr7ELyk84OS+ouvYdcDAwZL89WpEkEj2DKQ+qg//+ucg==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
-        "@typescript-eslint/project-service": "8.44.1",
-        "@typescript-eslint/tsconfig-utils": "8.44.1",
-        "@typescript-eslint/types": "8.44.1",
-        "@typescript-eslint/visitor-keys": "8.44.1",
+        "@typescript-eslint/project-service": "8.46.0",
+        "@typescript-eslint/tsconfig-utils": "8.46.0",
+        "@typescript-eslint/types": "8.46.0",
+        "@typescript-eslint/visitor-keys": "8.46.0",
        "debug": "^4.3.4",
        "fast-glob": "^3.3.2",
        "is-glob": "^4.0.3",
@@ -2992,13 +2977,13 @@
      }
    },
    "node_modules/@typescript-eslint/parser/node_modules/@typescript-eslint/visitor-keys": {
-      "version": "8.44.1",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/visitor-keys/-/visitor-keys-8.44.1.tgz",
-      "integrity": "sha512-576+u0QD+Jp3tZzvfRfxon0EA2lzcDt3lhUbsC6Lgzy9x2VR4E+JUiNyGHi5T8vk0TV+fpJ5GLG1JsJuWCaKhw==",
+      "version": "8.46.0",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/visitor-keys/-/visitor-keys-8.46.0.tgz",
+      "integrity": "sha512-FrvMpAK+hTbFy7vH5j1+tMYHMSKLE6RzluFJlkFNKD0p9YsUT75JlBSmr5so3QRzvMwU5/bIEdeNrxm8du8l3Q==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
-        "@typescript-eslint/types": "8.44.1",
+        "@typescript-eslint/types": "8.46.0",
        "eslint-visitor-keys": "^4.2.1"
      },
      "engines": {
@@ -3062,14 +3047,14 @@
      }
    },
    "node_modules/@typescript-eslint/project-service": {
-      "version": "8.44.1",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/project-service/-/project-service-8.44.1.tgz",
-      "integrity": "sha512-ycSa60eGg8GWAkVsKV4E6Nz33h+HjTXbsDT4FILyL8Obk5/mx4tbvCNsLf9zret3ipSumAOG89UcCs/KRaKYrA==",
+      "version": "8.46.0",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/project-service/-/project-service-8.46.0.tgz",
+      "integrity": "sha512-OEhec0mH+U5Je2NZOeK1AbVCdm0ChyapAyTeXVIYTPXDJ3F07+cu87PPXcGoYqZ7M9YJVvFnfpGg1UmCIqM+QQ==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
-        "@typescript-eslint/tsconfig-utils": "^8.44.1",
-        "@typescript-eslint/types": "^8.44.1",
+        "@typescript-eslint/tsconfig-utils": "^8.46.0",
+        "@typescript-eslint/types": "^8.46.0",
        "debug": "^4.3.4"
      },
      "engines": {
@@ -3084,9 +3069,9 @@
      }
    },
    "node_modules/@typescript-eslint/project-service/node_modules/@typescript-eslint/types": {
-      "version": "8.44.1",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/types/-/types-8.44.1.tgz",
-      "integrity": "sha512-Lk7uj7y9uQUOEguiDIDLYLJOrYHQa7oBiURYVFqIpGxclAFQ78f6VUOM8lI2XEuNOKNB7XuvM2+2cMXAoq4ALQ==",
+      "version": "8.46.0",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/types/-/types-8.46.0.tgz",
+      "integrity": "sha512-bHGGJyVjSE4dJJIO5yyEWt/cHyNwga/zXGJbJJ8TiO01aVREK6gCTu3L+5wrkb1FbDkQ+TKjMNe9R/QQQP9+rA==",
      "dev": true,
      "license": "MIT",
      "engines": {
@@ -3116,9 +3101,9 @@
      }
    },
    "node_modules/@typescript-eslint/tsconfig-utils": {
-      "version": "8.44.1",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/tsconfig-utils/-/tsconfig-utils-8.44.1.tgz",
-      "integrity": "sha512-B5OyACouEjuIvof3o86lRMvyDsFwZm+4fBOqFHccIctYgBjqR3qT39FBYGN87khcgf0ExpdCBeGKpKRhSFTjKQ==",
+      "version": "8.46.0",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/tsconfig-utils/-/tsconfig-utils-8.46.0.tgz",
+      "integrity": "sha512-WrYXKGAHY836/N7zoK/kzi6p8tXFhasHh8ocFL9VZSAkvH956gfeRfcnhs3xzRy8qQ/dq3q44v1jvQieMFg2cw==",
      "dev": true,
      "license": "MIT",
      "engines": {
@@ -3133,15 +3118,15 @@
      }
    },
    "node_modules/@typescript-eslint/type-utils": {
-      "version": "8.44.1",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/type-utils/-/type-utils-8.44.1.tgz",
-      "integrity": "sha512-KdEerZqHWXsRNKjF9NYswNISnFzXfXNDfPxoTh7tqohU/PRIbwTmsjGK6V9/RTYWau7NZvfo52lgVk+sJh0K3g==",
+      "version": "8.46.0",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/type-utils/-/type-utils-8.46.0.tgz",
+      "integrity": "sha512-hy+lvYV1lZpVs2jRaEYvgCblZxUoJiPyCemwbQZ+NGulWkQRy0HRPYAoef/CNSzaLt+MLvMptZsHXHlkEilaeg==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
-        "@typescript-eslint/types": "8.44.1",
-        "@typescript-eslint/typescript-estree": "8.44.1",
-        "@typescript-eslint/utils": "8.44.1",
+        "@typescript-eslint/types": "8.46.0",
+        "@typescript-eslint/typescript-estree": "8.46.0",
+        "@typescript-eslint/utils": "8.46.0",
        "debug": "^4.3.4",
        "ts-api-utils": "^2.1.0"
      },
@@ -3158,14 +3143,14 @@
      }
    },
    "node_modules/@typescript-eslint/type-utils/node_modules/@typescript-eslint/scope-manager": {
-      "version": "8.44.1",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/scope-manager/-/scope-manager-8.44.1.tgz",
-      "integrity": "sha512-NdhWHgmynpSvyhchGLXh+w12OMT308Gm25JoRIyTZqEbApiBiQHD/8xgb6LqCWCFcxFtWwaVdFsLPQI3jvhywg==",
+      "version": "8.46.0",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/scope-manager/-/scope-manager-8.46.0.tgz",
+      "integrity": "sha512-lWETPa9XGcBes4jqAMYD9fW0j4n6hrPtTJwWDmtqgFO/4HF4jmdH/Q6wggTw5qIT5TXjKzbt7GsZUBnWoO3dqw==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
-        "@typescript-eslint/types": "8.44.1",
-        "@typescript-eslint/visitor-keys": "8.44.1"
+        "@typescript-eslint/types": "8.46.0",
+        "@typescript-eslint/visitor-keys": "8.46.0"
      },
      "engines": {
        "node": "^18.18.0 || ^20.9.0 || >=21.1.0"
@@ -3176,9 +3161,9 @@
      }
    },
    "node_modules/@typescript-eslint/type-utils/node_modules/@typescript-eslint/types": {
-      "version": "8.44.1",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/types/-/types-8.44.1.tgz",
-      "integrity": "sha512-Lk7uj7y9uQUOEguiDIDLYLJOrYHQa7oBiURYVFqIpGxclAFQ78f6VUOM8lI2XEuNOKNB7XuvM2+2cMXAoq4ALQ==",
+      "version": "8.46.0",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/types/-/types-8.46.0.tgz",
+      "integrity": "sha512-bHGGJyVjSE4dJJIO5yyEWt/cHyNwga/zXGJbJJ8TiO01aVREK6gCTu3L+5wrkb1FbDkQ+TKjMNe9R/QQQP9+rA==",
      "dev": true,
      "license": "MIT",
      "engines": {
@@ -3190,16 +3175,16 @@
      }
    },
    "node_modules/@typescript-eslint/type-utils/node_modules/@typescript-eslint/typescript-estree": {
-      "version": "8.44.1",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/typescript-estree/-/typescript-estree-8.44.1.tgz",
-      "integrity": "sha512-qnQJ+mVa7szevdEyvfItbO5Vo+GfZ4/GZWWDRRLjrxYPkhM+6zYB2vRYwCsoJLzqFCdZT4mEqyJoyzkunsZ96A==",
+      "version": "8.46.0",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/typescript-estree/-/typescript-estree-8.46.0.tgz",
+      "integrity": "sha512-ekDCUfVpAKWJbRfm8T1YRrCot1KFxZn21oV76v5Fj4tr7ELyk84OS+ouvYdcDAwZL89WpEkEj2DKQ+qg//+ucg==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
-        "@typescript-eslint/project-service": "8.44.1",
-        "@typescript-eslint/tsconfig-utils": "8.44.1",
-        "@typescript-eslint/types": "8.44.1",
-        "@typescript-eslint/visitor-keys": "8.44.1",
+        "@typescript-eslint/project-service": "8.46.0",
+        "@typescript-eslint/tsconfig-utils": "8.46.0",
+        "@typescript-eslint/types": "8.46.0",
+        "@typescript-eslint/visitor-keys": "8.46.0",
        "debug": "^4.3.4",
        "fast-glob": "^3.3.2",
        "is-glob": "^4.0.3",
@@ -3219,16 +3204,16 @@
      }
    },
    "node_modules/@typescript-eslint/type-utils/node_modules/@typescript-eslint/utils": {
-      "version": "8.44.1",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/utils/-/utils-8.44.1.tgz",
-      "integrity": "sha512-DpX5Fp6edTlocMCwA+mHY8Mra+pPjRZ0TfHkXI8QFelIKcbADQz1LUPNtzOFUriBB2UYqw4Pi9+xV4w9ZczHFg==",
+      "version": "8.46.0",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/utils/-/utils-8.46.0.tgz",
+      "integrity": "sha512-nD6yGWPj1xiOm4Gk0k6hLSZz2XkNXhuYmyIrOWcHoPuAhjT9i5bAG+xbWPgFeNR8HPHHtpNKdYUXJl/D3x7f5g==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
        "@eslint-community/eslint-utils": "^4.7.0",
-        "@typescript-eslint/scope-manager": "8.44.1",
-        "@typescript-eslint/types": "8.44.1",
-        "@typescript-eslint/typescript-estree": "8.44.1"
+        "@typescript-eslint/scope-manager": "8.46.0",
+        "@typescript-eslint/types": "8.46.0",
+        "@typescript-eslint/typescript-estree": "8.46.0"
      },
      "engines": {
        "node": "^18.18.0 || ^20.9.0 || >=21.1.0"
@@ -3243,13 +3228,13 @@
      }
    },
    "node_modules/@typescript-eslint/type-utils/node_modules/@typescript-eslint/visitor-keys": {
-      "version": "8.44.1",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/visitor-keys/-/visitor-keys-8.44.1.tgz",
-      "integrity": "sha512-576+u0QD+Jp3tZzvfRfxon0EA2lzcDt3lhUbsC6Lgzy9x2VR4E+JUiNyGHi5T8vk0TV+fpJ5GLG1JsJuWCaKhw==",
+      "version": "8.46.0",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/visitor-keys/-/visitor-keys-8.46.0.tgz",
+      "integrity": "sha512-FrvMpAK+hTbFy7vH5j1+tMYHMSKLE6RzluFJlkFNKD0p9YsUT75JlBSmr5so3QRzvMwU5/bIEdeNrxm8du8l3Q==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
-        "@typescript-eslint/types": "8.44.1",
+        "@typescript-eslint/types": "8.46.0",
        "eslint-visitor-keys": "^4.2.1"
      },
      "engines": {
@@ -8225,9 +8210,10 @@
      "license": "ISC"
    },
    "node_modules/semver": {
-      "version": "7.7.2",
-      "resolved": "https://registry.npmjs.org/semver/-/semver-7.7.2.tgz",
-      "integrity": "sha512-RF0Fw+rO5AMf9MAyaRXI4AV0Ulj5lMHqVxxdSgiVbixSCXoEmmX/jk0CuJw4+3SqroYO9VoUh+HcuJivvtJemA==",
+      "version": "7.7.3",
+      "resolved": "https://registry.npmjs.org/semver/-/semver-7.7.3.tgz",
+      "integrity": "sha512-SdsKMrI9TdgjdweUSR9MweHA4EJ8YxHn8DFaDisvhVlUOe4BF1tLD7GAj0lIqWVl+dPb/rExr0Btby5loQm20Q==",
+      "license": "ISC",
      "bin": {
        "semver": "bin/semver.js"
      },
@@ -9043,9 +9029,9 @@
      }
    },
    "node_modules/typescript": {
-      "version": "5.9.2",
-      "resolved": "https://registry.npmjs.org/typescript/-/typescript-5.9.2.tgz",
-      "integrity": "sha512-CWBzXQrc/qOkhidw1OzBTQuYRbfyxDXJMVJ1XNwUHGROVmuaeiEm3OslpZ1RV96d7SKKjZKrSJu3+t/xlw3R9A==",
+      "version": "5.9.3",
+      "resolved": "https://registry.npmjs.org/typescript/-/typescript-5.9.3.tgz",
+      "integrity": "sha512-jl1vZzPDinLr9eUt3J/t7V6FgNEw9QjvBPdysz9KfQDD41fQrC2Y4vKQdiaUpFT4bXlb1RHhLpp8wtm6M5TgSw==",
      "dev": true,
      "license": "Apache-2.0",
      "bin": {
@@ -1,6 +1,6 @@
 {
  "name": "codeql",
-  "version": "3.30.7",
+  "version": "4.30.9",
  "private": true,
  "description": "CodeQL action",
  "scripts": {
@@ -35,6 +35,7 @@
    "@actions/io": "^1.1.3",
    "@actions/tool-cache": "^2.0.2",
    "@octokit/plugin-retry": "^6.0.0",
+    "@octokit/request-error": "^7.0.1",
    "@schemastore/package": "0.0.10",
    "archiver": "^7.0.1",
    "check-disk-space": "^3.4.0",
@@ -48,14 +49,14 @@
    "long": "^5.3.2",
    "node-forge": "^1.3.1",
    "octokit": "^5.0.3",
-    "semver": "^7.7.2",
+    "semver": "^7.7.3",
    "uuid": "^13.0.0"
  },
  "devDependencies": {
    "@ava/typescript": "6.0.0",
    "@eslint/compat": "^1.4.0",
    "@eslint/eslintrc": "^3.3.1",
-    "@eslint/js": "^9.36.0",
+    "@eslint/js": "^9.37.0",
    "@microsoft/eslint-formatter-sarif": "^3.1.0",
    "@octokit/types": "^15.0.0",
    "@types/archiver": "^6.0.3",
@@ -66,7 +67,7 @@
    "@types/node-forge": "^1.3.14",
    "@types/semver": "^7.7.1",
    "@types/sinon": "^17.0.4",
-    "@typescript-eslint/eslint-plugin": "^8.44.1",
+    "@typescript-eslint/eslint-plugin": "^8.46.0",
    "@typescript-eslint/parser": "^8.41.0",
    "ava": "^6.4.1",
    "esbuild": "^0.25.10",
@@ -79,7 +80,7 @@
    "glob": "^11.0.3",
    "nock": "^14.0.10",
    "sinon": "^21.0.0",
-    "typescript": "^5.9.2"
+    "typescript": "^5.9.3"
  },
  "overrides": {
    "@actions/tool-cache": {
@@ -2,6 +2,7 @@ name: "Analyze: 'ref' and 'sha' from inputs"
 description: "Checks that specifying 'ref' and 'sha' as inputs works"
 versions: ["default"]
 installGo: true
+installPython: true
 steps:
  - uses: ./../action/init
    with:
@@ -0,0 +1,31 @@
+name: "Bundle: From toolcache"
+description: "The CodeQL bundle should be cached within the toolcache"
+versions:
+  - toolcache
+steps:
+  - name: Install @actions/tool-cache
+    run: npm install @actions/tool-cache
+  - name: Check toolcache contains CodeQL
+    continue-on-error: true
+    uses: actions/github-script@v8
+    with:
+      script: |
+        const toolcache = require('@actions/tool-cache');
+        const allCodeqlVersions = toolcache.findAllVersions('CodeQL');
+        if (allCodeqlVersions.length === 0) {
+          throw new Error(`CodeQL could not be found in the toolcache`);
+        }
+  - id: setup-codeql
+    uses: ./../action/setup-codeql
+    with:
+      tools: ${{ steps.prepare-test.outputs.tools-url }}
+  - name: Check CodeQL is installed within the toolcache
+    uses: actions/github-script@v8
+    with:
+      script: |
+        const toolcache = require('@actions/tool-cache');
+        const allCodeqlVersions = toolcache.findAllVersions('CodeQL');
+        console.log(`Found CodeQL versions: ${allCodeqlVersions}`);
+        if (allCodeqlVersions.length === 0) {
+          throw new Error('CodeQL not found in toolcache');
+        }
@@ -2,6 +2,7 @@ name: "Local CodeQL bundle"
 description: "Tests using a CodeQL bundle from a local file rather than a URL"
 versions: ["linked"]
 installGo: true
+installPython: true
 steps:
  - name: Fetch latest CodeQL bundle
    run: |
@@ -4,6 +4,7 @@ operatingSystems: ["macos", "ubuntu"]
 env:
  CODEQL_ACTION_RESOLVE_SUPPORTED_LANGUAGES_USING_CLI: true
 installGo: true
+installPython: true
 steps:
  - name: Use Xcode 16
    if: runner.os == 'macOS' && matrix.version != 'nightly-latest'
@@ -3,6 +3,7 @@ description: "Checks that specifying packages using a combination of a config fi
 versions: ["linked", "default", "nightly-latest"] # This feature is not compatible with old CLIs
 installGo: true
 installNode: true
+installPython: true
 steps:
  - uses: ./../action/init
    with:
@@ -6,6 +6,7 @@ versions:
  - linked
  - nightly-latest
 installGo: true
+installPython: true
 steps:
  - uses: ./../action/init
    with:
@@ -4,7 +4,7 @@ description: "Tests using RuboCop to analyze a multi-language repository and the
 versions: ["default"]
 steps:
  - name: Set up Ruby
-    uses: ruby/setup-ruby@0481980f17b760ef6bca5e8c55809102a0af1e5a # v1.263.0
+    uses: ruby/setup-ruby@ab177d40ee5483edb974554986f56b33477e21d0 # v1.265.0
    with:
      ruby-version: 2.6
  - name: Install Code Scanning integration
@@ -6,6 +6,7 @@ versions:
  - linked
  - nightly-latest
 installGo: true
+installPython: true
 steps:
  - uses: ./../action/init
    id: init
@@ -1,26 +0,0 @@
-name: "Upload-sarif: code quality endpoint"
-description: "Checks that uploading SARIFs to the code quality endpoint works"
-versions: ["default"]
-installGo: true
-steps:
-  - uses: ./../action/init
-    with:
-      tools: ${{ steps.prepare-test.outputs.tools-url }}
-      languages: csharp,java,javascript,python
-      analysis-kinds: code-quality
-  - name: Build code
-    run: ./build.sh
-  # Generate some SARIF we can upload with the upload-sarif step
-  - uses: ./../action/analyze
-    with:
-      ref: 'refs/heads/main'
-      sha: '5e235361806c361d4d3f8859e3c897658025a9a2'
-      upload: never
-  - uses: ./../action/upload-sarif
-    id: upload-sarif
-    with:
-      ref: 'refs/heads/main'
-      sha: '5e235361806c361d4d3f8859e3c897658025a9a2'
-  - name: "Check output from `upload-sarif` step"
-    if: '!(fromJSON(steps.upload-sarif.outputs.sarif-ids).code-quality)'
-    run: exit 1
@@ -2,6 +2,7 @@ name: "Upload-sarif: 'ref' and 'sha' from inputs"
 description: "Checks that specifying 'ref' and 'sha' as inputs works"
 versions: ["default"]
 installGo: true
+installPython: true
 steps:
  - uses: ./../action/init
    with:
@@ -0,0 +1,82 @@
+name: "Test different uses of `upload-sarif`"
+description: "Checks that uploading SARIFs to the code quality endpoint works"
+versions: ["default"]
+analysisKinds: ["code-scanning", "code-quality", "code-scanning,code-quality"]
+installGo: true
+installPython: true
+steps:
+  - uses: ./../action/init
+    with:
+      tools: ${{ steps.prepare-test.outputs.tools-url }}
+      languages: csharp,java,javascript,python
+      analysis-kinds: ${{ matrix.analysis-kinds }}
+  - name: Build code
+    run: ./build.sh
+  # Generate some SARIF we can upload with the upload-sarif step
+  - uses: ./../action/analyze
+    with:
+      ref: 'refs/heads/main'
+      sha: '5e235361806c361d4d3f8859e3c897658025a9a2'
+      upload: never
+      output: ${{ runner.temp }}/results
+
+  - name: |
+      Upload all SARIF files for `analysis-kinds: ${{ matrix.analysis-kinds }}`
+    uses: ./../action/upload-sarif
+    id: upload-sarif
+    with:
+      ref: 'refs/heads/main'
+      sha: '5e235361806c361d4d3f8859e3c897658025a9a2'
+      sarif_file: ${{ runner.temp }}/results
+      category: |
+        ${{ github.workflow }}:upload-sarif/analysis-kinds:${{ matrix.analysis-kinds }}/os:${{ matrix.os }}/version:${{ matrix.version }}/test:all-files/
+  - name: "Fail for missing output from `upload-sarif` step for `code-scanning`"
+    if: "contains(matrix.analysis-kinds, 'code-scanning') && !(fromJSON(steps.upload-sarif.outputs.sarif-ids).code-scanning)"
+    run: exit 1
+  - name: "Fail for missing output from `upload-sarif` step for `code-quality`"
+    if: "contains(matrix.analysis-kinds, 'code-quality') && !(fromJSON(steps.upload-sarif.outputs.sarif-ids).code-quality)"
+    run: exit 1
+
+  - name: Upload single SARIF file for Code Scanning
+    uses: ./../action/upload-sarif
+    id: upload-single-sarif-code-scanning
+    if: "contains(matrix.analysis-kinds, 'code-scanning')"
+    with:
+      ref: 'refs/heads/main'
+      sha: '5e235361806c361d4d3f8859e3c897658025a9a2'
+      sarif_file: ${{ runner.temp }}/results/javascript.sarif
+      category: |
+        ${{ github.workflow }}:upload-sarif/analysis-kinds:${{ matrix.analysis-kinds }}/os:${{ matrix.os }}/version:${{ matrix.version }}/test:single-code-scanning/
+  - name: "Fail for missing output from `upload-single-sarif-code-scanning` step"
+    if: "contains(matrix.analysis-kinds, 'code-scanning') && !(fromJSON(steps.upload-single-sarif-code-scanning.outputs.sarif-ids).code-scanning)"
+    run: exit 1
+  - name: Upload single SARIF file for Code Quality
+    uses: ./../action/upload-sarif
+    id: upload-single-sarif-code-quality
+    if: "contains(matrix.analysis-kinds, 'code-quality')"
+    with:
+      ref: 'refs/heads/main'
+      sha: '5e235361806c361d4d3f8859e3c897658025a9a2'
+      sarif_file: ${{ runner.temp }}/results/javascript.quality.sarif
+      category: |
+        ${{ github.workflow }}:upload-sarif/analysis-kinds:${{ matrix.analysis-kinds }}/os:${{ matrix.os }}/version:${{ matrix.version }}/test:single-code-quality/
+  - name: "Fail for missing output from `upload-single-sarif-code-quality` step"
+    if: "contains(matrix.analysis-kinds, 'code-quality') && !(fromJSON(steps.upload-single-sarif-code-quality.outputs.sarif-ids).code-quality)"
+    run: exit 1
+
+  - name: Change SARIF file extension
+    if: "contains(matrix.analysis-kinds, 'code-scanning')"
+    run: mv ${{ runner.temp }}/results/javascript.sarif ${{ runner.temp }}/results/javascript.sarif.json
+  - name: Upload single non-`.sarif` file
+    uses: ./../action/upload-sarif
+    id: upload-single-non-sarif
+    if: "contains(matrix.analysis-kinds, 'code-scanning')"
+    with:
+      ref: 'refs/heads/main'
+      sha: '5e235361806c361d4d3f8859e3c897658025a9a2'
+      sarif_file: ${{ runner.temp }}/results/javascript.sarif.json
+      category: |
+        ${{ github.workflow }}:upload-sarif/analysis-kinds:${{ matrix.analysis-kinds }}/os:${{ matrix.os }}/version:${{ matrix.version }}/test:non-sarif/
+  - name: "Fail for missing output from `upload-single-non-sarif` step"
+    if: "contains(matrix.analysis-kinds, 'code-scanning') && !(fromJSON(steps.upload-single-non-sarif.outputs.sarif-ids).code-scanning)"
+    run: exit 1
@@ -2,6 +2,7 @@ name: "Use a custom `checkout_path`"
 description: "Checks that a custom `checkout_path` will find the proper commit_oid"
 versions: ["linked"]
 installGo: true
+installPython: true
 steps:
  # This ensures we don't accidentally use the original checkout for any part of the test.
  - name: Delete original checkout
@@ -37,28 +38,29 @@ steps:

  - name: Verify SARIF after upload
    run: |
+      PAYLOAD_FILE="$RUNNER_TEMP/payload-code-scanning.json"
      EXPECTED_COMMIT_OID="474bbf07f9247ffe1856c6a0f94aeeb10e7afee6"
      EXPECTED_REF="v1.1.0"
      EXPECTED_CHECKOUT_URI_SUFFIX="/x/y/z/some-path/tests/multi-language-repo"

-      ACTUAL_COMMIT_OID="$(cat "$RUNNER_TEMP/payload.json" | jq -r .commit_oid)"
-      ACTUAL_REF="$(cat "$RUNNER_TEMP/payload.json" | jq -r .ref)"
-      ACTUAL_CHECKOUT_URI="$(cat "$RUNNER_TEMP/payload.json" | jq -r .checkout_uri)"
+      ACTUAL_COMMIT_OID="$(cat "$PAYLOAD_FILE" | jq -r .commit_oid)"
+      ACTUAL_REF="$(cat "$PAYLOAD_FILE" | jq -r .ref)"
+      ACTUAL_CHECKOUT_URI="$(cat "$PAYLOAD_FILE" | jq -r .checkout_uri)"

      if [[ "$EXPECTED_COMMIT_OID" != "$ACTUAL_COMMIT_OID" ]]; then
        echo "::error Invalid commit oid. Expected: $EXPECTED_COMMIT_OID Actual: $ACTUAL_COMMIT_OID"
-        echo "$RUNNER_TEMP/payload.json"
+        echo "$PAYLOAD_FILE"
        exit 1
      fi

      if [[ "$EXPECTED_REF" != "$ACTUAL_REF" ]]; then
        echo "::error Invalid ref. Expected: '$EXPECTED_REF' Actual: '$ACTUAL_REF'"
-        echo "$RUNNER_TEMP/payload.json"
+        echo "$PAYLOAD_FILE"
        exit 1
      fi

      if [[ "$ACTUAL_CHECKOUT_URI" != *$EXPECTED_CHECKOUT_URI_SUFFIX ]]; then
        echo "::error Invalid checkout URI suffix. Expected suffix: $EXPECTED_CHECKOUT_URI_SUFFIX Actual uri: $ACTUAL_CHECKOUT_URI"
-        echo "$RUNNER_TEMP/payload.json"
+        echo "$PAYLOAD_FILE"
        exit 1
      fi
@@ -184,6 +184,26 @@ for file in sorted((this_dir / 'checks').glob('*.yml')):
            }
        })

+    installPython = is_truthy(checkSpecification.get('installPython', ''))
+
+    if installPython:
+        basePythonVersionExpr = '3.13'
+        workflowInputs['python-version'] = {
+            'type': 'string',
+            'description': 'The version of Python to install',
+            'required': False,
+            'default': basePythonVersionExpr,
+        }
+
+        steps.append({
+            'name': 'Install Python',
+            'if': 'matrix.version != \'nightly-latest\'',
+            'uses': 'actions/setup-python@v6',
+            'with': {
+                'python-version': '${{ inputs.python-version || \'' + basePythonVersionExpr + '\' }}'
+            }
+        })
+
    # If container initialisation steps are present in the check specification,
    # make sure to execute them first.
    if 'container' in checkSpecification and 'container-init-steps' in checkSpecification:
@@ -21,5 +21,5 @@ outputs:
  environment:
    description: The inferred build environment configuration.
 runs:
-  using: node20
+  using: node24
  main: '../lib/resolve-environment-action.js'
@@ -0,0 +1,39 @@
+name: 'CodeQL: Setup'
+description: 'Installs the CodeQL CLI'
+author: 'GitHub'
+inputs:
+  tools:
+    description: >-
+      By default, the Action will use the recommended version of the CodeQL
+      Bundle to analyze your project. You can override this choice using this
+      input. One of:
+
+      - A local path to a CodeQL Bundle tarball, or
+      - The URL of a CodeQL Bundle tarball GitHub release asset, or
+      - A special value `linked` which uses the version of the CodeQL tools
+        that the Action has been bundled with.
+      - A special value `nightly` which uses the latest nightly version of the
+        CodeQL tools. Note that this is unstable and not recommended for
+        production use.
+
+      If not specified, the Action will check in several places until it finds
+      the CodeQL tools.
+    required: false
+  token:
+    description: GitHub token to use for authenticating with this instance of GitHub.
+    default: ${{ github.token }}
+    required: false
+  matrix:
+    default: ${{ toJson(matrix) }}
+    required: false
+  external-repository-token:
+    description: A token for fetching additional files from private repositories in the same GitHub instance that is running this action.
+    required: false
+outputs:
+  codeql-path:
+    description: The path of the CodeQL binary that was installed.
+  codeql-version:
+    description: The version of the CodeQL binary that was installed.
+runs:
+  using: node24
+  main: '../lib/setup-codeql-action.js'
@@ -247,9 +247,14 @@ export function isSelfHostedRunner() {
  return process.env.RUNNER_ENVIRONMENT === "self-hosted";
 }

+/** Determines whether the workflow trigger is `dynamic`. */
+export function isDynamicWorkflow(): boolean {
+  return getWorkflowEventName() === "dynamic";
+}
+
 /** Determines whether we are running in default setup. */
 export function isDefaultSetup(): boolean {
-  return getWorkflowEventName() === "dynamic";
+  return isDynamicWorkflow();
 }

 export function prettyPrintInvocation(cmd: string, args: string[]): string {
@@ -1,12 +1,19 @@
 import test from "ava";
+import * as sinon from "sinon";

+import * as actionsUtil from "./actions-util";
 import {
  AnalysisKind,
+  getAnalysisKinds,
  parseAnalysisKinds,
  supportedAnalysisKinds,
 } from "./analyses";
+import { getRunnerLogger } from "./logging";
+import { setupTests } from "./testing-utils";
 import { ConfigurationError } from "./util";

+setupTests(test);
+
 test("All known analysis kinds can be parsed successfully", async (t) => {
  for (const analysisKind of supportedAnalysisKinds) {
    t.deepEqual(await parseAnalysisKinds(analysisKind), [analysisKind]);
@@ -34,3 +41,29 @@ test("Parsing analysis kinds requires at least one analysis kind", async (t) =>
    instanceOf: ConfigurationError,
  });
 });
+
+test("getAnalysisKinds - returns expected analysis kinds for `analysis-kinds` input", async (t) => {
+  const requiredInputStub = sinon.stub(actionsUtil, "getRequiredInput");
+  requiredInputStub
+    .withArgs("analysis-kinds")
+    .returns("code-scanning,code-quality");
+  const result = await getAnalysisKinds(getRunnerLogger(true), true);
+  t.assert(result.includes(AnalysisKind.CodeScanning));
+  t.assert(result.includes(AnalysisKind.CodeQuality));
+});
+
+test("getAnalysisKinds - includes `code-quality` when deprecated `quality-queries` input is used", async (t) => {
+  const requiredInputStub = sinon.stub(actionsUtil, "getRequiredInput");
+  requiredInputStub.withArgs("analysis-kinds").returns("code-scanning");
+  const optionalInputStub = sinon.stub(actionsUtil, "getOptionalInput");
+  optionalInputStub.withArgs("quality-queries").returns("code-quality");
+  const result = await getAnalysisKinds(getRunnerLogger(true), true);
+  t.assert(result.includes(AnalysisKind.CodeScanning));
+  t.assert(result.includes(AnalysisKind.CodeQuality));
+});
+
+test("getAnalysisKinds - throws if `analysis-kinds` input is invalid", async (t) => {
+  const requiredInputStub = sinon.stub(actionsUtil, "getRequiredInput");
+  requiredInputStub.withArgs("analysis-kinds").returns("no-such-thing");
+  await t.throwsAsync(getAnalysisKinds(getRunnerLogger(true), true));
+});
@@ -1,4 +1,8 @@
-import { fixCodeQualityCategory } from "./actions-util";
+import {
+  fixCodeQualityCategory,
+  getOptionalInput,
+  getRequiredInput,
+} from "./actions-util";
 import { Logger } from "./logging";
 import { ConfigurationError } from "./util";

@@ -41,6 +45,55 @@ export async function parseAnalysisKinds(
  );
 }

+// Used to avoid re-parsing the input after we have done it once.
+let cachedAnalysisKinds: AnalysisKind[] | undefined;
+
+/**
+ * Initialises the analysis kinds for the analysis based on the `analysis-kinds` input.
+ * This function will also use the deprecated `quality-queries` input as an indicator to enable `code-quality`.
+ * If the `analysis-kinds` input cannot be parsed, a `ConfigurationError` is thrown.
+ *
+ * @param logger The logger to use.
+ * @param skipCache For testing, whether to ignore the cached values (default: false).
+ *
+ * @returns The array of enabled analysis kinds.
+ * @throws A `ConfigurationError` if the `analysis-kinds` input cannot be parsed.
+ */
+export async function getAnalysisKinds(
+  logger: Logger,
+  skipCache: boolean = false,
+): Promise<AnalysisKind[]> {
+  if (!skipCache && cachedAnalysisKinds !== undefined) {
+    return cachedAnalysisKinds;
+  }
+
+  cachedAnalysisKinds = await parseAnalysisKinds(
+    getRequiredInput("analysis-kinds"),
+  );
+
+  // Warn that `quality-queries` is deprecated if there is an argument for it.
+  const qualityQueriesInput = getOptionalInput("quality-queries");
+
+  if (qualityQueriesInput !== undefined) {
+    logger.warning(
+      "The `quality-queries` input is deprecated and will be removed in a future version of the CodeQL Action. " +
+        "Use the `analysis-kinds` input to configure different analysis kinds instead.",
+    );
+  }
+
+  // For backwards compatibility, add Code Quality to the enabled analysis kinds
+  // if an input to `quality-queries` was specified. We should remove this once
+  // `quality-queries` is no longer used.
+  if (
+    !cachedAnalysisKinds.includes(AnalysisKind.CodeQuality) &&
+    qualityQueriesInput !== undefined
+  ) {
+    cachedAnalysisKinds.push(AnalysisKind.CodeQuality);
+  }
+
+  return cachedAnalysisKinds;
+}
+
 /** The queries to use for Code Quality analyses. */
 export const codeQualityQueries: string[] = ["code-quality"];

@@ -74,6 +74,7 @@ async function installIntoToolcache({
    cliVersion !== undefined
      ? { cliVersion, tagName }
      : SAMPLE_DEFAULT_CLI_VERSION,
+    createFeatures([]),
    getRunnerLogger(true),
    false,
  );
@@ -122,6 +123,8 @@ async function stubCodeql(): Promise<codeql.CodeQL> {
 }

 test("downloads and caches explicitly requested bundles that aren't in the toolcache", async (t) => {
+  const features = createFeatures([]);
+
  await util.withTmpDir(async (tmpDir) => {
    setupActionsVars(tmpDir, tmpDir);

@@ -140,6 +143,7 @@ test("downloads and caches explicitly requested bundles that aren't in the toolc
        tmpDir,
        util.GitHubVariant.DOTCOM,
        SAMPLE_DEFAULT_CLI_VERSION,
+        features,
        getRunnerLogger(true),
        false,
      );
@@ -154,6 +158,8 @@ test("downloads and caches explicitly requested bundles that aren't in the toolc
 });

 test("caches semantically versioned bundles using their semantic version number", async (t) => {
+  const features = createFeatures([]);
+
  await util.withTmpDir(async (tmpDir) => {
    setupActionsVars(tmpDir, tmpDir);
    const url = mockBundleDownloadApi({
@@ -166,6 +172,7 @@ test("caches semantically versioned bundles using their semantic version number"
      tmpDir,
      util.GitHubVariant.DOTCOM,
      SAMPLE_DEFAULT_CLI_VERSION,
+      features,
      getRunnerLogger(true),
      false,
    );
@@ -181,6 +188,8 @@ test("caches semantically versioned bundles using their semantic version number"
 });

 test("downloads an explicitly requested bundle even if a different version is cached", async (t) => {
+  const features = createFeatures([]);
+
  await util.withTmpDir(async (tmpDir) => {
    setupActionsVars(tmpDir, tmpDir);

@@ -199,6 +208,7 @@ test("downloads an explicitly requested bundle even if a different version is ca
      tmpDir,
      util.GitHubVariant.DOTCOM,
      SAMPLE_DEFAULT_CLI_VERSION,
+      features,
      getRunnerLogger(true),
      false,
    );
@@ -227,6 +237,8 @@ for (const {
  expectedToolcacheVersion,
 } of EXPLICITLY_REQUESTED_BUNDLE_TEST_CASES) {
  test(`caches explicitly requested bundle ${tagName} as ${expectedToolcacheVersion}`, async (t) => {
+    const features = createFeatures([]);
+
    await util.withTmpDir(async (tmpDir) => {
      setupActionsVars(tmpDir, tmpDir);

@@ -243,6 +255,7 @@ for (const {
        tmpDir,
        util.GitHubVariant.DOTCOM,
        SAMPLE_DEFAULT_CLI_VERSION,
+        features,
        getRunnerLogger(true),
        false,
      );
@@ -266,6 +279,8 @@ for (const toolcacheVersion of [
    `uses tools from toolcache when ${SAMPLE_DEFAULT_CLI_VERSION.cliVersion} is requested and ` +
      `${toolcacheVersion} is installed`,
    async (t) => {
+      const features = createFeatures([]);
+
      await util.withTmpDir(async (tmpDir) => {
        setupActionsVars(tmpDir, tmpDir);

@@ -281,6 +296,7 @@ for (const toolcacheVersion of [
          tmpDir,
          util.GitHubVariant.DOTCOM,
          SAMPLE_DEFAULT_CLI_VERSION,
+          features,
          getRunnerLogger(true),
          false,
        );
@@ -295,6 +311,8 @@ for (const toolcacheVersion of [
 }

 test(`uses a cached bundle when no tools input is given on GHES`, async (t) => {
+  const features = createFeatures([]);
+
  await util.withTmpDir(async (tmpDir) => {
    setupActionsVars(tmpDir, tmpDir);

@@ -313,6 +331,7 @@ test(`uses a cached bundle when no tools input is given on GHES`, async (t) => {
        cliVersion: defaults.cliVersion,
        tagName: defaults.bundleVersion,
      },
+      features,
      getRunnerLogger(true),
      false,
    );
@@ -328,6 +347,8 @@ test(`uses a cached bundle when no tools input is given on GHES`, async (t) => {
 });

 test(`downloads bundle if only an unpinned version is cached on GHES`, async (t) => {
+  const features = createFeatures([]);
+
  await util.withTmpDir(async (tmpDir) => {
    setupActionsVars(tmpDir, tmpDir);

@@ -349,6 +370,7 @@ test(`downloads bundle if only an unpinned version is cached on GHES`, async (t)
        cliVersion: defaults.cliVersion,
        tagName: defaults.bundleVersion,
      },
+      features,
      getRunnerLogger(true),
      false,
    );
@@ -364,6 +386,8 @@ test(`downloads bundle if only an unpinned version is cached on GHES`, async (t)
 });

 test('downloads bundle if "latest" tools specified but not cached', async (t) => {
+  const features = createFeatures([]);
+
  await util.withTmpDir(async (tmpDir) => {
    setupActionsVars(tmpDir, tmpDir);

@@ -382,6 +406,7 @@ test('downloads bundle if "latest" tools specified but not cached', async (t) =>
      tmpDir,
      util.GitHubVariant.DOTCOM,
      SAMPLE_DEFAULT_CLI_VERSION,
+      features,
      getRunnerLogger(true),
      false,
    );
@@ -397,6 +422,8 @@ test('downloads bundle if "latest" tools specified but not cached', async (t) =>
 });

 test("bundle URL from another repo is cached as 0.0.0-bundleVersion", async (t) => {
+  const features = createFeatures([]);
+
  await util.withTmpDir(async (tmpDir) => {
    setupActionsVars(tmpDir, tmpDir);

@@ -417,6 +444,7 @@ test("bundle URL from another repo is cached as 0.0.0-bundleVersion", async (t)
      tmpDir,
      util.GitHubVariant.DOTCOM,
      SAMPLE_DEFAULT_CLI_VERSION,
+      features,
      getRunnerLogger(true),
      false,
    );
@@ -3,6 +3,7 @@ import * as path from "path";

 import * as core from "@actions/core";
 import * as toolrunner from "@actions/exec/lib/toolrunner";
+import { RequestError } from "@octokit/request-error";
 import * as yaml from "js-yaml";

 import {
@@ -308,6 +309,7 @@ const CODEQL_VERSION_CACHE_CLEANUP = "2.17.1";
 * @param tempDir
 * @param variant
 * @param defaultCliVersion
+ * @param features Information about the features that are enabled.
 * @param logger
 * @param checkVersion Whether to check that CodeQL CLI meets the minimum
 *        version requirement. Must be set to true outside tests.
@@ -319,6 +321,7 @@ export async function setupCodeQL(
  tempDir: string,
  variant: util.GitHubVariant,
  defaultCliVersion: CodeQLDefaultVersionInfo,
+  features: FeatureEnablement,
  logger: Logger,
  checkVersion: boolean,
 ): Promise<{
@@ -341,6 +344,7 @@ export async function setupCodeQL(
      tempDir,
      variant,
      defaultCliVersion,
+      features,
      logger,
    );

@@ -370,7 +374,8 @@ export async function setupCodeQL(
  } catch (e) {
    const ErrorClass =
      e instanceof util.ConfigurationError ||
-      (e instanceof Error && e.message.includes("ENOSPC")) // out of disk space
+      (e instanceof Error && e.message.includes("ENOSPC")) || // out of disk space
+      (e instanceof RequestError && e.status === 429) // rate limited
        ? util.ConfigurationError
        : Error;

@@ -49,10 +49,9 @@ function createTestInitConfigInputs(
  return Object.assign(
    {},
    {
-      analysisKindsInput: "code-scanning",
+      analysisKinds: [AnalysisKind.CodeScanning],
      languagesInput: undefined,
      queriesInput: undefined,
-      qualityQueriesInput: undefined,
      packsInput: undefined,
      configFile: undefined,
      dbLocation: undefined,
@@ -189,7 +188,7 @@ test("load code quality config", async (t) => {

    const config = await configUtils.initConfig(
      createTestInitConfigInputs({
-        analysisKindsInput: "code-quality",
+        analysisKinds: [AnalysisKind.CodeQuality],
        languagesInput: languages,
        repository: { owner: "github", repo: "example" },
        tempDir,
@@ -273,7 +272,7 @@ test("initActionState doesn't throw if there are queries configured in the repos
    await t.notThrowsAsync(async () => {
      const config = await configUtils.initConfig(
        createTestInitConfigInputs({
-          analysisKindsInput: "code-quality",
+          analysisKinds: [AnalysisKind.CodeQuality],
          languagesInput: languages,
          repository: { owner: "github", repo: "example" },
          tempDir,
@@ -11,7 +11,6 @@ import {
  CodeQuality,
  codeQualityQueries,
  CodeScanning,
-  parseAnalysisKinds,
 } from "./analyses";
 import * as api from "./api-client";
 import { CachingKind, getCachingKind } from "./caching-utils";
@@ -373,10 +372,8 @@ export async function getRawLanguages(

 /** Inputs required to initialize a configuration. */
 export interface InitConfigInputs {
-  analysisKindsInput: string;
  languagesInput: string | undefined;
  queriesInput: string | undefined;
-  qualityQueriesInput: string | undefined;
  packsInput: string | undefined;
  configFile: string | undefined;
  dbLocation: string | undefined;
@@ -396,6 +393,7 @@ export interface InitConfigInputs {
  apiDetails: api.GitHubApiCombinedDetails;
  features: FeatureEnablement;
  repositoryProperties: RepositoryProperties;
+  analysisKinds: AnalysisKind[];
  logger: Logger;
 }

@@ -405,10 +403,8 @@ export interface InitConfigInputs {
 */
 export async function initActionState(
  {
-    analysisKindsInput,
    languagesInput,
    queriesInput,
-    qualityQueriesInput,
    packsInput,
    buildModeInput,
    dbLocation,
@@ -424,22 +420,11 @@ export async function initActionState(
    githubVersion,
    features,
    repositoryProperties,
+    analysisKinds,
    logger,
  }: InitConfigInputs,
  userConfig: UserConfig,
 ): Promise<Config> {
-  const analysisKinds = await parseAnalysisKinds(analysisKindsInput);
-
-  // For backwards compatibility, add Code Quality to the enabled analysis kinds
-  // if an input to `quality-queries` was specified. We should remove this once
-  // `quality-queries` is no longer used.
-  if (
-    !analysisKinds.includes(AnalysisKind.CodeQuality) &&
-    qualityQueriesInput !== undefined
-  ) {
-    analysisKinds.push(AnalysisKind.CodeQuality);
-  }
-
  const languages = await getLanguages(
    codeql,
    languagesInput,
@@ -723,7 +708,14 @@ export async function getOverlayDatabaseMode(
    buildMode !== BuildMode.None &&
    (
      await Promise.all(
-        languages.map(async (l) => await codeql.isTracedLanguage(l)),
+        languages.map(
+          async (l) =>
+            l !== KnownLanguage.go && // Workaround to allow overlay analysis for Go with any build
+            // mode, since it does not yet support BMN. The Go autobuilder and/or extractor will
+            // ensure that overlay-base databases are only created for supported Go build setups,
+            // and that we'll fall back to full databases in other cases.
+            (await codeql.isTracedLanguage(l)),
+        ),
      )
    ).some(Boolean)
  ) {
@@ -1,6 +1,6 @@
 {
-  "bundleVersion": "codeql-bundle-v2.23.2",
-  "cliVersion": "2.23.2",
-  "priorBundleVersion": "codeql-bundle-v2.23.1",
-  "priorCliVersion": "2.23.1"
+  "bundleVersion": "codeql-bundle-v2.23.3",
+  "cliVersion": "2.23.3",
+  "priorBundleVersion": "codeql-bundle-v2.23.2",
+  "priorCliVersion": "2.23.2"
 }
@@ -47,6 +47,9 @@ export enum EnvVar {
  /** Whether the CodeQL Action has already warned the user about low disk space. */
  HAS_WARNED_ABOUT_DISK_SPACE = "CODEQL_ACTION_HAS_WARNED_ABOUT_DISK_SPACE",

+  /** Whether the `setup-codeql` action has been run. */
+  SETUP_CODEQL_ACTION_HAS_RUN = "CODEQL_ACTION_SETUP_CODEQL_HAS_RUN",
+
  /** Whether the init action has been run. */
  INIT_ACTION_HAS_RUN = "CODEQL_ACTION_INIT_HAS_RUN",

@@ -128,4 +131,10 @@ export enum EnvVar {
   * whether the upload is disabled. This is intended for testing and debugging purposes.
   */
  SARIF_DUMP_DIR = "CODEQL_ACTION_SARIF_DUMP_DIR",
+
+  /**
+   * Whether to skip uploading SARIF results to GitHub. Intended for testing purposes.
+   * This setting is more specific than `CODEQL_ACTION_TEST_MODE`, which implies this option.
+   */
+  SKIP_SARIF_UPLOAD = "CODEQL_ACTION_SKIP_SARIF_UPLOAD",
 }
@@ -43,6 +43,7 @@ export interface FeatureEnablement {
 * Legacy features should end with `_enabled`.
 */
 export enum Feature {
+  AllowToolcacheInput = "allow_toolcache_input",
  CleanupTrapCaches = "cleanup_trap_caches",
  CppDependencyInstallation = "cpp_dependency_installation_enabled",
  DiffInformedQueries = "diff_informed_queries",
@@ -73,9 +74,9 @@ export enum Feature {
  OverlayAnalysisRust = "overlay_analysis_rust",
  OverlayAnalysisSwift = "overlay_analysis_swift",
  PythonDefaultIsToNotExtractStdlib = "python_default_is_to_not_extract_stdlib",
-  UseRepositoryProperties = "use_repository_properties",
  QaTelemetryEnabled = "qa_telemetry_enabled",
  ResolveSupportedLanguagesUsingCli = "resolve_supported_languages_using_cli",
+  UseRepositoryProperties = "use_repository_properties",
 }

 export const featureConfig: Record<
@@ -109,6 +110,11 @@ export const featureConfig: Record<
    toolsFeature?: ToolsFeature;
  }
 > = {
+  [Feature.AllowToolcacheInput]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_ALLOW_TOOLCACHE_INPUT",
+    minimumVersion: undefined,
+  },
  [Feature.CleanupTrapCaches]: {
    defaultValue: false,
    envVar: "CODEQL_ACTION_CLEANUP_TRAP_CACHES",
@@ -2,6 +2,7 @@ import test, { ExecutionContext } from "ava";
 import * as sinon from "sinon";

 import * as actionsUtil from "./actions-util";
+import { AnalysisKind } from "./analyses";
 import * as codeql from "./codeql";
 import * as configUtils from "./config-utils";
 import { Feature } from "./feature-flags";
@@ -28,12 +29,13 @@ test("post: init action with debug mode off", async (t) => {
    const gitHubVersion: util.GitHubVersion = {
      type: util.GitHubVariant.DOTCOM,
    };
-    sinon.stub(configUtils, "getConfig").resolves({
-      debugMode: false,
-      gitHubVersion,
-      languages: [],
-      packs: [],
-    } as unknown as configUtils.Config);
+    sinon.stub(configUtils, "getConfig").resolves(
+      createTestConfig({
+        debugMode: false,
+        gitHubVersion,
+        languages: [],
+      }),
+    );

    const uploadAllAvailableDebugArtifactsSpy = sinon.spy();
    const printDebugLogsSpy = sinon.spy();
@@ -295,6 +297,17 @@ test("uploading failed SARIF run fails when workflow does not reference github/c
  t.truthy(result.upload_failed_run_stack_trace);
 });

+test("not uploading failed SARIF when `code-scanning` is not an enabled analysis kind", async (t) => {
+  const result = await testFailedSarifUpload(t, createTestWorkflow([]), {
+    analysisKinds: [AnalysisKind.CodeQuality],
+    expectUpload: false,
+  });
+  t.is(
+    result.upload_failed_run_skipped_because,
+    "Code Scanning is not enabled.",
+  );
+});
+
 function createTestWorkflow(
  steps: workflow.WorkflowJobStep[],
 ): workflow.Workflow {
@@ -327,20 +340,22 @@ async function testFailedSarifUpload(
    expectUpload = true,
    exportDiagnosticsEnabled = false,
    matrix = {},
+    analysisKinds = [AnalysisKind.CodeScanning],
  }: {
    category?: string;
    databaseExists?: boolean;
    expectUpload?: boolean;
    exportDiagnosticsEnabled?: boolean;
    matrix?: { [key: string]: string };
+    analysisKinds?: AnalysisKind[];
  } = {},
 ): Promise<initActionPostHelper.UploadFailedSarifResult> {
-  const config = {
+  const config = createTestConfig({
+    analysisKinds,
    codeQLCmd: "codeql",
    debugMode: true,
    languages: [],
-    packs: [],
-  } as unknown as configUtils.Config;
+  });
  if (databaseExists) {
    config.dbLocation = "path/to/database";
  }
@@ -7,7 +7,7 @@ import * as actionsUtil from "./actions-util";
 import { CodeScanning } from "./analyses";
 import { getApiClient } from "./api-client";
 import { CodeQL, getCodeQL } from "./codeql";
-import { Config } from "./config-utils";
+import { Config, isCodeScanningEnabled } from "./config-utils";
 import * as dependencyCaching from "./dependency-caching";
 import { EnvVar } from "./environment";
 import { Feature, FeatureEnablement } from "./feature-flags";
@@ -19,8 +19,8 @@ import {
  delay,
  getErrorMessage,
  getRequiredEnvParam,
-  isInTestMode,
  parseMatrixInput,
+  shouldSkipSarifUpload,
  wrapError,
 } from "./util";
 import {
@@ -81,7 +81,7 @@ async function maybeUploadFailedSarif(
    !["always", "failure-only"].includes(
      actionsUtil.getUploadValue(shouldUpload),
    ) ||
-    isInTestMode()
+    shouldSkipSarifUpload()
  ) {
    return { upload_failed_run_skipped_because: "SARIF upload is disabled" };
  }
@@ -139,6 +139,15 @@ export async function tryUploadSarifIfRunFailed(
      EnvVar.JOB_STATUS,
      process.env[EnvVar.JOB_STATUS] ?? JobStatus.ConfigErrorStatus,
    );
+
+    // If the only enabled analysis kind is `code-quality`, then we shouldn't
+    // upload the failed SARIF to Code Scanning.
+    if (!isCodeScanningEnabled(config)) {
+      return {
+        upload_failed_run_skipped_because: "Code Scanning is not enabled.",
+      };
+    }
+
    try {
      return await maybeUploadFailedSarif(
        config,
@@ -15,6 +15,7 @@ import {
  getTemporaryDirectory,
  persistInputs,
 } from "./actions-util";
+import { AnalysisKind, getAnalysisKinds } from "./analyses";
 import { getGitHubVersion } from "./api-client";
 import {
  getDependencyCachingEnabled,
@@ -56,6 +57,7 @@ import { ToolsSource } from "./setup-codeql";
 import {
  ActionName,
  InitStatusReport,
+  InitToolsDownloadFields,
  InitWithConfigStatusReport,
  createInitWithConfigStatusReport,
  createStatusReportBase,
@@ -86,14 +88,29 @@ import {
 } from "./util";
 import { validateWorkflow } from "./workflow";

-/** Fields of the init status report populated when the tools source is `download`. */
-interface InitToolsDownloadFields {
-  /** Time taken to download the bundle, in milliseconds. */
-  tools_download_duration_ms?: number;
-  /**
-   * Whether the relevant tools dotcom feature flags have been misconfigured.
-   * Only populated if we attempt to determine the default version based on the dotcom feature flags. */
-  tools_feature_flags_valid?: boolean;
+/**
+ * Sends a status report indicating that the `init` Action is starting.
+ *
+ * @param startedAt
+ * @param config
+ * @param logger
+ */
+async function sendStartingStatusReport(
+  startedAt: Date,
+  config: Partial<configUtils.Config> | undefined,
+  logger: Logger,
+) {
+  const statusReportBase = await createStatusReportBase(
+    ActionName.Init,
+    "starting",
+    startedAt,
+    config,
+    await checkDiskUsage(logger),
+    logger,
+  );
+  if (statusReportBase !== undefined) {
+    await sendStatusReport(statusReportBase);
+  }
 }

 async function sendCompletedStatusReport(
@@ -210,6 +227,7 @@ async function run() {
    ? await loadPropertiesFromApi(gitHubVersion, logger, repositoryNwo)
    : {};

+  // Create a unique identifier for this run.
  const jobRunUuid = uuidV4();
  logger.info(`Job run UUID is ${jobRunUuid}.`);
  core.exportVariable(EnvVar.JOB_RUN_UUID, jobRunUuid);
@@ -227,17 +245,30 @@ async function run() {
  );

  try {
-    const statusReportBase = await createStatusReportBase(
-      ActionName.Init,
-      "starting",
-      startedAt,
-      config,
-      await checkDiskUsage(logger),
-      logger,
-    );
-    if (statusReportBase !== undefined) {
-      await sendStatusReport(statusReportBase);
+    // Parsing the `analysis-kinds` input may throw a `ConfigurationError`, which we don't want before
+    // we have called `sendStartingStatusReport` below. However, we want the analysis kinds for that status
+    // report. To work around this, we ignore exceptions that are thrown here and then call `getAnalysisKinds`
+    // a second time later. The second call will then throw the exception again. If `getAnalysisKinds` is
+    // successful, the results are cached so that we don't duplicate the work in normal runs.
+    let analysisKinds: AnalysisKind[] | undefined;
+    try {
+      analysisKinds = await getAnalysisKinds(logger);
+    } catch (err) {
+      logger.debug(
+        `Failed to parse analysis kinds for 'starting' status report: ${getErrorMessage(err)}`,
+      );
    }
+
+    // Send a status report indicating that an analysis is starting.
+    await sendStartingStatusReport(startedAt, { analysisKinds }, logger);
+
+    // Throw a `ConfigurationError` if the `setup-codeql` action has been run.
+    if (process.env[EnvVar.SETUP_CODEQL_ACTION_HAS_RUN] === "true") {
+      throw new ConfigurationError(
+        `The 'init' action should not be run in the same workflow as 'setup-codeql'.`,
+      );
+    }
+
    const codeQLDefaultVersionInfo = await features.getDefaultCliVersion(
      gitHubVersion.type,
    );
@@ -248,6 +279,7 @@ async function run() {
      getTemporaryDirectory(),
      gitHubVersion.type,
      codeQLDefaultVersionInfo,
+      features,
      logger,
    );
    codeql = initCodeQLResult.codeql;
@@ -292,21 +324,11 @@ async function run() {
      }
    }

-    // Warn that `quality-queries` is deprecated if there is an argument for it.
-    const qualityQueriesInput = getOptionalInput("quality-queries");
-
-    if (qualityQueriesInput !== undefined) {
-      logger.warning(
-        "The `quality-queries` input is deprecated and will be removed in a future version of the CodeQL Action. " +
-          "Use the `analysis-kinds` input to configure different analysis kinds instead.",
-      );
-    }
-
+    analysisKinds = await getAnalysisKinds(logger);
    config = await initConfig({
-      analysisKindsInput: getRequiredInput("analysis-kinds"),
+      analysisKinds,
      languagesInput: getOptionalInput("languages"),
      queriesInput: getOptionalInput("queries"),
-      qualityQueriesInput,
      packsInput: getOptionalInput("packs"),
      buildModeInput: getOptionalInput("build-mode"),
      configFile,
@@ -9,7 +9,7 @@ import { getOptionalInput, isSelfHostedRunner } from "./actions-util";
 import { GitHubApiDetails } from "./api-client";
 import { CodeQL, setupCodeQL } from "./codeql";
 import * as configUtils from "./config-utils";
-import { CodeQLDefaultVersionInfo } from "./feature-flags";
+import { CodeQLDefaultVersionInfo, FeatureEnablement } from "./feature-flags";
 import { KnownLanguage, Language } from "./languages";
 import { Logger, withGroupAsync } from "./logging";
 import { ToolsSource } from "./setup-codeql";
@@ -23,6 +23,7 @@ export async function initCodeQL(
  tempDir: string,
  variant: util.GitHubVariant,
  defaultCliVersion: CodeQLDefaultVersionInfo,
+  features: FeatureEnablement,
  logger: Logger,
 ): Promise<{
  codeql: CodeQL;
@@ -44,6 +45,7 @@ export async function initCodeQL(
    tempDir,
    variant,
    defaultCliVersion,
+    features,
    logger,
    true,
  );
@@ -0,0 +1,196 @@
+import * as core from "@actions/core";
+import { v4 as uuidV4 } from "uuid";
+
+import {
+  getActionVersion,
+  getOptionalInput,
+  getRequiredInput,
+  getTemporaryDirectory,
+} from "./actions-util";
+import { getGitHubVersion } from "./api-client";
+import { CodeQL } from "./codeql";
+import { EnvVar } from "./environment";
+import { Features } from "./feature-flags";
+import { initCodeQL } from "./init";
+import { getActionsLogger, Logger } from "./logging";
+import { getRepositoryNwo } from "./repository";
+import { ToolsSource } from "./setup-codeql";
+import {
+  ActionName,
+  InitStatusReport,
+  InitToolsDownloadFields,
+  createStatusReportBase,
+  getActionsStatus,
+  sendStatusReport,
+} from "./status-report";
+import { ToolsDownloadStatusReport } from "./tools-download";
+import {
+  checkDiskUsage,
+  checkForTimeout,
+  checkGitHubVersionInRange,
+  getRequiredEnvParam,
+  initializeEnvironment,
+  ConfigurationError,
+  wrapError,
+  checkActionVersion,
+  getErrorMessage,
+} from "./util";
+
+/**
+ * Helper function to send a full status report for this action.
+ */
+async function sendCompletedStatusReport(
+  startedAt: Date,
+  toolsDownloadStatusReport: ToolsDownloadStatusReport | undefined,
+  toolsFeatureFlagsValid: boolean | undefined,
+  toolsSource: ToolsSource,
+  toolsVersion: string,
+  logger: Logger,
+  error?: Error,
+): Promise<void> {
+  const statusReportBase = await createStatusReportBase(
+    ActionName.SetupCodeQL,
+    getActionsStatus(error),
+    startedAt,
+    undefined,
+    await checkDiskUsage(logger),
+    logger,
+    error?.message,
+    error?.stack,
+  );
+
+  if (statusReportBase === undefined) {
+    return;
+  }
+
+  const initStatusReport: InitStatusReport = {
+    ...statusReportBase,
+    tools_input: getOptionalInput("tools") || "",
+    tools_resolved_version: toolsVersion,
+    tools_source: toolsSource || ToolsSource.Unknown,
+    workflow_languages: "",
+  };
+
+  const initToolsDownloadFields: InitToolsDownloadFields = {};
+
+  if (toolsDownloadStatusReport?.downloadDurationMs !== undefined) {
+    initToolsDownloadFields.tools_download_duration_ms =
+      toolsDownloadStatusReport.downloadDurationMs;
+  }
+  if (toolsFeatureFlagsValid !== undefined) {
+    initToolsDownloadFields.tools_feature_flags_valid = toolsFeatureFlagsValid;
+  }
+
+  await sendStatusReport({ ...initStatusReport, ...initToolsDownloadFields });
+}
+
+/** The main behaviour of this action. */
+async function run(): Promise<void> {
+  const startedAt = new Date();
+  const logger = getActionsLogger();
+  initializeEnvironment(getActionVersion());
+
+  let codeql: CodeQL;
+  let toolsDownloadStatusReport: ToolsDownloadStatusReport | undefined;
+  let toolsFeatureFlagsValid: boolean | undefined;
+  let toolsSource: ToolsSource;
+  let toolsVersion: string;
+
+  const apiDetails = {
+    auth: getRequiredInput("token"),
+    externalRepoAuth: getOptionalInput("external-repository-token"),
+    url: getRequiredEnvParam("GITHUB_SERVER_URL"),
+    apiURL: getRequiredEnvParam("GITHUB_API_URL"),
+  };
+
+  const gitHubVersion = await getGitHubVersion();
+  checkGitHubVersionInRange(gitHubVersion, logger);
+  checkActionVersion(getActionVersion(), gitHubVersion);
+
+  const repositoryNwo = getRepositoryNwo();
+
+  const features = new Features(
+    gitHubVersion,
+    repositoryNwo,
+    getTemporaryDirectory(),
+    logger,
+  );
+
+  const jobRunUuid = uuidV4();
+  logger.info(`Job run UUID is ${jobRunUuid}.`);
+  core.exportVariable(EnvVar.JOB_RUN_UUID, jobRunUuid);
+
+  try {
+    const statusReportBase = await createStatusReportBase(
+      ActionName.SetupCodeQL,
+      "starting",
+      startedAt,
+      undefined,
+      await checkDiskUsage(logger),
+      logger,
+    );
+    if (statusReportBase !== undefined) {
+      await sendStatusReport(statusReportBase);
+    }
+    const codeQLDefaultVersionInfo = await features.getDefaultCliVersion(
+      gitHubVersion.type,
+    );
+    toolsFeatureFlagsValid = codeQLDefaultVersionInfo.toolsFeatureFlagsValid;
+    const initCodeQLResult = await initCodeQL(
+      getOptionalInput("tools"),
+      apiDetails,
+      getTemporaryDirectory(),
+      gitHubVersion.type,
+      codeQLDefaultVersionInfo,
+      features,
+      logger,
+    );
+    codeql = initCodeQLResult.codeql;
+    toolsDownloadStatusReport = initCodeQLResult.toolsDownloadStatusReport;
+    toolsVersion = initCodeQLResult.toolsVersion;
+    toolsSource = initCodeQLResult.toolsSource;
+
+    core.setOutput("codeql-path", codeql.getPath());
+    core.setOutput("codeql-version", (await codeql.getVersion()).version);
+
+    core.exportVariable(EnvVar.SETUP_CODEQL_ACTION_HAS_RUN, "true");
+  } catch (unwrappedError) {
+    const error = wrapError(unwrappedError);
+    core.setFailed(error.message);
+    const statusReportBase = await createStatusReportBase(
+      ActionName.SetupCodeQL,
+      error instanceof ConfigurationError ? "user-error" : "failure",
+      startedAt,
+      undefined,
+      await checkDiskUsage(logger),
+      logger,
+      error.message,
+      error.stack,
+    );
+    if (statusReportBase !== undefined) {
+      await sendStatusReport(statusReportBase);
+    }
+    return;
+  }
+
+  await sendCompletedStatusReport(
+    startedAt,
+    toolsDownloadStatusReport,
+    toolsFeatureFlagsValid,
+    toolsSource,
+    toolsVersion,
+    logger,
+  );
+}
+
+/** Run the action and catch any unhandled errors. */
+async function runWrapper(): Promise<void> {
+  try {
+    await run();
+  } catch (error) {
+    core.setFailed(`setup-codeql action failed: ${getErrorMessage(error)}`);
+  }
+  await checkForTimeout();
+}
+
+void runWrapper();
@@ -1,6 +1,7 @@
 import * as path from "path";

-import test from "ava";
+import * as toolcache from "@actions/tool-cache";
+import test, { ExecutionContext } from "ava";
 import * as sinon from "sinon";

 import * as actionsUtil from "./actions-util";
@@ -12,6 +13,7 @@ import {
  LoggedMessage,
  SAMPLE_DEFAULT_CLI_VERSION,
  SAMPLE_DOTCOM_API_DETAILS,
+  createFeatures,
  getRecordingLogger,
  initializeFeatures,
  mockBundleDownloadApi,
@@ -90,6 +92,8 @@ test("getCodeQLActionRepository", (t) => {
 });

 test("getCodeQLSource sets CLI version for a semver tagged bundle", async (t) => {
+  const features = createFeatures([]);
+
  await withTmpDir(async (tmpDir) => {
    setupActionsVars(tmpDir, tmpDir);
    const tagName = "codeql-bundle-v1.2.3";
@@ -100,6 +104,7 @@ test("getCodeQLSource sets CLI version for a semver tagged bundle", async (t) =>
      SAMPLE_DOTCOM_API_DETAILS,
      GitHubVariant.DOTCOM,
      false,
+      features,
      getRunnerLogger(true),
    );

@@ -109,6 +114,8 @@ test("getCodeQLSource sets CLI version for a semver tagged bundle", async (t) =>
 });

 test("getCodeQLSource correctly returns bundled CLI version when tools == linked", async (t) => {
+  const features = createFeatures([]);
+
  await withTmpDir(async (tmpDir) => {
    setupActionsVars(tmpDir, tmpDir);
    const source = await setupCodeql.getCodeQLSource(
@@ -117,6 +124,7 @@ test("getCodeQLSource correctly returns bundled CLI version when tools == linked
      SAMPLE_DOTCOM_API_DETAILS,
      GitHubVariant.DOTCOM,
      false,
+      features,
      getRunnerLogger(true),
    );

@@ -128,6 +136,7 @@ test("getCodeQLSource correctly returns bundled CLI version when tools == linked
 test("getCodeQLSource correctly returns bundled CLI version when tools == latest", async (t) => {
  const loggedMessages: LoggedMessage[] = [];
  const logger = getRecordingLogger(loggedMessages);
+  const features = createFeatures([]);

  await withTmpDir(async (tmpDir) => {
    setupActionsVars(tmpDir, tmpDir);
@@ -137,6 +146,7 @@ test("getCodeQLSource correctly returns bundled CLI version when tools == latest
      SAMPLE_DOTCOM_API_DETAILS,
      GitHubVariant.DOTCOM,
      false,
+      features,
      logger,
    );

@@ -161,6 +171,7 @@ test("getCodeQLSource correctly returns bundled CLI version when tools == latest
 test("setupCodeQLBundle logs the CodeQL CLI version being used when asked to use linked tools", async (t) => {
  const loggedMessages: LoggedMessage[] = [];
  const logger = getRecordingLogger(loggedMessages);
+  const features = createFeatures([]);

  // Stub the downloadCodeQL function to prevent downloading artefacts
  // during testing from being called.
@@ -185,6 +196,7 @@ test("setupCodeQLBundle logs the CodeQL CLI version being used when asked to use
      "tmp/codeql_action_test/",
      GitHubVariant.DOTCOM,
      SAMPLE_DEFAULT_CLI_VERSION,
+      features,
      logger,
    );

@@ -207,6 +219,7 @@ test("setupCodeQLBundle logs the CodeQL CLI version being used when asked to use
 test("setupCodeQLBundle logs the CodeQL CLI version being used when asked to download a non-default bundle", async (t) => {
  const loggedMessages: LoggedMessage[] = [];
  const logger = getRecordingLogger(loggedMessages);
+  const features = createFeatures([]);

  const bundleUrl =
    "https://github.com/github/codeql-action/releases/download/codeql-bundle-v2.16.0/codeql-bundle-linux64.tar.gz";
@@ -235,6 +248,7 @@ test("setupCodeQLBundle logs the CodeQL CLI version being used when asked to dow
      "tmp/codeql_action_test/",
      GitHubVariant.DOTCOM,
      SAMPLE_DEFAULT_CLI_VERSION,
+      features,
      logger,
    );

@@ -254,6 +268,160 @@ test("setupCodeQLBundle logs the CodeQL CLI version being used when asked to dow
  });
 });

+test("getCodeQLSource correctly returns latest version from toolcache when tools == toolcache", async (t) => {
+  const loggedMessages: LoggedMessage[] = [];
+  const logger = getRecordingLogger(loggedMessages);
+  const features = createFeatures([Feature.AllowToolcacheInput]);
+
+  process.env["GITHUB_EVENT_NAME"] = "dynamic";
+
+  const latestToolcacheVersion = "3.2.1";
+  const latestVersionPath = "/path/to/latest";
+  const testVersions = ["2.3.1", latestToolcacheVersion, "1.2.3"];
+  const findAllVersionsStub = sinon
+    .stub(toolcache, "findAllVersions")
+    .returns(testVersions);
+  const findStub = sinon.stub(toolcache, "find");
+  findStub
+    .withArgs("CodeQL", latestToolcacheVersion)
+    .returns(latestVersionPath);
+
+  await withTmpDir(async (tmpDir) => {
+    setupActionsVars(tmpDir, tmpDir);
+    const source = await setupCodeql.getCodeQLSource(
+      "toolcache",
+      SAMPLE_DEFAULT_CLI_VERSION,
+      SAMPLE_DOTCOM_API_DETAILS,
+      GitHubVariant.DOTCOM,
+      false,
+      features,
+      logger,
+    );
+
+    // Check that the toolcache functions were called with the expected arguments
+    t.assert(
+      findAllVersionsStub.calledOnceWith("CodeQL"),
+      `toolcache.findAllVersions("CodeQL") wasn't called`,
+    );
+    t.assert(
+      findStub.calledOnceWith("CodeQL", latestToolcacheVersion),
+      `toolcache.find("CodeQL", ${latestToolcacheVersion}) wasn't called`,
+    );
+
+    // Check that `sourceType` and `toolsVersion` match expectations.
+    t.is(source.sourceType, "toolcache");
+    t.is(source.toolsVersion, latestToolcacheVersion);
+
+    // Check that key messages we would expect to find in the log are present.
+    const expectedMessages: string[] = [
+      `Attempting to use the latest CodeQL CLI version in the toolcache, as requested by 'tools: toolcache'.`,
+      `CLI version ${latestToolcacheVersion} is the latest version in the toolcache.`,
+      `Using CodeQL CLI version ${latestToolcacheVersion} from toolcache at ${latestVersionPath}`,
+    ];
+    for (const expectedMessage of expectedMessages) {
+      t.assert(
+        loggedMessages.some(
+          (msg) =>
+            typeof msg.message === "string" &&
+            msg.message.includes(expectedMessage),
+        ),
+        `Expected '${expectedMessage}' in the logger output, but didn't find it in:\n ${loggedMessages.map((m) => ` - '${m.message}'`).join("\n")}`,
+      );
+    }
+  });
+});
+
+const toolcacheInputFallbackMacro = test.macro({
+  exec: async (
+    t: ExecutionContext<unknown>,
+    featureList: Feature[],
+    environment: Record<string, string>,
+    testVersions: string[],
+    expectedMessages: string[],
+  ) => {
+    const loggedMessages: LoggedMessage[] = [];
+    const logger = getRecordingLogger(loggedMessages);
+    const features = createFeatures(featureList);
+
+    for (const [k, v] of Object.entries(environment)) {
+      process.env[k] = v;
+    }
+
+    const findAllVersionsStub = sinon
+      .stub(toolcache, "findAllVersions")
+      .returns(testVersions);
+
+    await withTmpDir(async (tmpDir) => {
+      setupActionsVars(tmpDir, tmpDir);
+      const source = await setupCodeql.getCodeQLSource(
+        "toolcache",
+        SAMPLE_DEFAULT_CLI_VERSION,
+        SAMPLE_DOTCOM_API_DETAILS,
+        GitHubVariant.DOTCOM,
+        false,
+        features,
+        logger,
+      );
+
+      // Check that the toolcache functions were called with the expected arguments
+      t.assert(
+        findAllVersionsStub.calledWith("CodeQL"),
+        `toolcache.findAllVersions("CodeQL") wasn't called`,
+      );
+
+      // Check that `sourceType` and `toolsVersion` match expectations.
+      t.is(source.sourceType, "download");
+      t.is(source.toolsVersion, SAMPLE_DEFAULT_CLI_VERSION.cliVersion);
+
+      // Check that key messages we would expect to find in the log are present.
+      for (const expectedMessage of expectedMessages) {
+        t.assert(
+          loggedMessages.some(
+            (msg) =>
+              typeof msg.message === "string" &&
+              msg.message.includes(expectedMessage),
+          ),
+          `Expected '${expectedMessage}' in the logger output, but didn't find it in:\n ${loggedMessages.map((m) => ` - '${m.message}'`).join("\n")}`,
+        );
+      }
+    });
+  },
+  title: (providedTitle = "") =>
+    `getCodeQLSource falls back to downloading the CLI if ${providedTitle}`,
+});
+
+test(
+  "the toolcache doesn't have a CodeQL CLI when tools == toolcache",
+  toolcacheInputFallbackMacro,
+  [Feature.AllowToolcacheInput],
+  { GITHUB_EVENT_NAME: "dynamic" },
+  [],
+  [
+    `Attempting to use the latest CodeQL CLI version in the toolcache, as requested by 'tools: toolcache'.`,
+    `Found no CodeQL CLI in the toolcache, ignoring 'tools: toolcache'...`,
+  ],
+);
+
+test(
+  "the workflow trigger is not `dynamic`",
+  toolcacheInputFallbackMacro,
+  [Feature.AllowToolcacheInput],
+  { GITHUB_EVENT_NAME: "pull_request" },
+  [],
+  [
+    `Ignoring 'tools: toolcache' because the workflow was not triggered dynamically.`,
+  ],
+);
+
+test(
+  "the feature flag is not enabled",
+  toolcacheInputFallbackMacro,
+  [],
+  { GITHUB_EVENT_NAME: "dynamic" },
+  [],
+  [`Ignoring 'tools: toolcache' because the feature is not enabled.`],
+);
+
 test('tryGetTagNameFromUrl extracts the right tag name for a repo name containing "codeql-bundle"', (t) => {
  t.is(
    setupCodeql.tryGetTagNameFromUrl(
@@ -263,3 +431,15 @@ test('tryGetTagNameFromUrl extracts the right tag name for a repo name containin
    "codeql-bundle-v2.19.0",
  );
 });
+
+test("getLatestToolcacheVersion returns undefined if there are no CodeQL CLIs in the toolcache", (t) => {
+  sinon.stub(toolcache, "findAllVersions").returns([]);
+  t.is(setupCodeql.getLatestToolcacheVersion(getRunnerLogger(true)), undefined);
+});
+
+test("getLatestToolcacheVersion returns latest version in the toolcache", (t) => {
+  const testVersions = ["2.3.1", "3.2.1", "1.2.3"];
+  sinon.stub(toolcache, "findAllVersions").returns(testVersions);
+
+  t.is(setupCodeql.getLatestToolcacheVersion(getRunnerLogger(true)), "3.2.1");
+});
@@ -7,12 +7,14 @@ import { default as deepEqual } from "fast-deep-equal";
 import * as semver from "semver";
 import { v4 as uuidV4 } from "uuid";

-import { isRunningLocalAction } from "./actions-util";
+import { isDynamicWorkflow, isRunningLocalAction } from "./actions-util";
 import * as api from "./api-client";
 import * as defaults from "./defaults.json";
 import {
  CODEQL_VERSION_ZSTD_BUNDLE,
  CodeQLDefaultVersionInfo,
+  Feature,
+  FeatureEnablement,
 } from "./feature-flags";
 import { Logger } from "./logging";
 import * as tar from "./tar";
@@ -38,6 +40,7 @@ const CODEQL_NIGHTLIES_REPOSITORY_NAME = "codeql-cli-nightlies";

 const CODEQL_BUNDLE_VERSION_ALIAS: string[] = ["linked", "latest"];
 const CODEQL_NIGHTLY_TOOLS_INPUTS = ["nightly", "nightly-latest"];
+const CODEQL_TOOLCACHE_INPUT = "toolcache";

 function getCodeQLBundleExtension(
  compressionMethod: tar.CompressionMethod,
@@ -275,6 +278,7 @@ export async function getCodeQLSource(
  apiDetails: api.GitHubApiDetails,
  variant: util.GitHubVariant,
  tarSupportsZstd: boolean,
+  features: FeatureEnablement,
  logger: Logger,
 ): Promise<CodeQLToolsSource> {
  if (
@@ -346,6 +350,54 @@ export async function getCodeQLSource(
        "`tools: latest` has been renamed to `tools: linked`, but the old name is still supported. No action is required.",
      );
    }
+  } else if (
+    toolsInput !== undefined &&
+    toolsInput === CODEQL_TOOLCACHE_INPUT
+  ) {
+    let latestToolcacheVersion: string | undefined;
+
+    // We only allow `toolsInput === "toolcache"` for `dynamic` events. In general, using `toolsInput === "toolcache"`
+    // can lead to alert wobble and so it shouldn't be used for an analysis where results are intended to be uploaded.
+    // We also allow this in test mode.
+    const allowToolcacheValueFF = await features.getValue(
+      Feature.AllowToolcacheInput,
+    );
+    const allowToolcacheValue =
+      allowToolcacheValueFF && (isDynamicWorkflow() || util.isInTestMode());
+    if (allowToolcacheValue) {
+      // If `toolsInput === "toolcache"`, try to find the latest version of the CLI that's available in the toolcache
+      // and use that. We perform this check here since we can set `cliVersion` directly and don't want to default to
+      // the linked version.
+      logger.info(
+        `Attempting to use the latest CodeQL CLI version in the toolcache, as requested by 'tools: ${toolsInput}'.`,
+      );
+
+      latestToolcacheVersion = getLatestToolcacheVersion(logger);
+      if (latestToolcacheVersion) {
+        cliVersion = latestToolcacheVersion;
+      }
+    }
+
+    if (latestToolcacheVersion === undefined) {
+      if (allowToolcacheValue) {
+        logger.info(
+          `Found no CodeQL CLI in the toolcache, ignoring 'tools: ${toolsInput}'...`,
+        );
+      } else {
+        if (allowToolcacheValueFF) {
+          logger.warning(
+            `Ignoring 'tools: ${toolsInput}' because the workflow was not triggered dynamically.`,
+          );
+        } else {
+          logger.info(
+            `Ignoring 'tools: ${toolsInput}' because the feature is not enabled.`,
+          );
+        }
+      }
+
+      cliVersion = defaultCliVersion.cliVersion;
+      tagName = defaultCliVersion.tagName;
+    }
  } else if (toolsInput !== undefined) {
    // If a tools URL was provided, then use that.
    tagName = tryGetTagNameFromUrl(toolsInput, logger);
@@ -696,6 +748,7 @@ export async function setupCodeQLBundle(
  tempDir: string,
  variant: util.GitHubVariant,
  defaultCliVersion: CodeQLDefaultVersionInfo,
+  features: FeatureEnablement,
  logger: Logger,
 ) {
  if (!(await util.isBinaryAccessible("tar", logger))) {
@@ -711,6 +764,7 @@ export async function setupCodeQLBundle(
    apiDetails,
    variant,
    zstdAvailability.available,
+    features,
    logger,
  );

@@ -816,9 +870,38 @@ async function getNightlyToolsUrl(logger: Logger) {
  }
 }

+/**
+ * Gets the latest version of the CodeQL CLI that is available in the toolcache, or `undefined`
+ * if no CodeQL CLI is available in the toolcache.
+ *
+ * @param logger The logger to use.
+ * @returns The latest version of the CodeQL CLI that is available in the toolcache, or `undefined` if there is none.
+ */
+export function getLatestToolcacheVersion(logger: Logger): string | undefined {
+  const allVersions = toolcache
+    .findAllVersions("CodeQL")
+    .sort((a, b) => semver.compare(b, a));
+  logger.debug(
+    `Found the following versions of the CodeQL tools in the toolcache: ${JSON.stringify(
+      allVersions,
+    )}.`,
+  );
+
+  if (allVersions.length > 0) {
+    const latestToolcacheVersion = allVersions[0];
+    logger.info(
+      `CLI version ${latestToolcacheVersion} is the latest version in the toolcache.`,
+    );
+    return latestToolcacheVersion;
+  }
+
+  return undefined;
+}
+
 function isReservedToolsValue(tools: string): boolean {
  return (
    CODEQL_BUNDLE_VERSION_ALIAS.includes(tools) ||
-    CODEQL_NIGHTLY_TOOLS_INPUTS.includes(tools)
+    CODEQL_NIGHTLY_TOOLS_INPUTS.includes(tools) ||
+    tools === CODEQL_TOOLCACHE_INPUT
  );
 }
@@ -7,11 +7,14 @@ import { pki } from "node-forge";

 import * as actionsUtil from "./actions-util";
 import { getApiDetails, getAuthorizationHeaderFor } from "./api-client";
+import { Config } from "./config-utils";
+import { KnownLanguage } from "./languages";
 import { getActionsLogger, Logger } from "./logging";
 import {
  Credential,
  getCredentials,
  getDownloadUrl,
+  parseLanguage,
  UPDATEJOB_PROXY,
 } from "./start-proxy";
 import {
@@ -98,6 +101,7 @@ interface StartProxyStatus extends StatusReportBase {

 async function sendSuccessStatusReport(
  startedAt: Date,
+  config: Partial<Config>,
  registry_types: string[],
  logger: Logger,
 ) {
@@ -105,7 +109,7 @@ async function sendSuccessStatusReport(
    ActionName.StartProxy,
    "success",
    startedAt,
-    undefined,
+    config,
    await util.checkDiskUsage(logger),
    logger,
  );
@@ -125,6 +129,7 @@ async function runWrapper() {
  actionsUtil.persistInputs();

  const logger = getActionsLogger();
+  let language: KnownLanguage | undefined;

  try {
    // Setup logging for the proxy
@@ -133,11 +138,13 @@ async function runWrapper() {
    core.saveState("proxy-log-file", proxyLogFilePath);

    // Get the configuration options
+    const languageInput = actionsUtil.getOptionalInput("language");
+    language = languageInput ? parseLanguage(languageInput) : undefined;
    const credentials = getCredentials(
      logger,
      actionsUtil.getOptionalInput("registry_secrets"),
      actionsUtil.getOptionalInput("registries_credentials"),
-      actionsUtil.getOptionalInput("language"),
+      language,
    );

    if (credentials.length === 0) {
@@ -165,6 +172,9 @@ async function runWrapper() {
    // Report success if we have reached this point.
    await sendSuccessStatusReport(
      startedAt,
+      {
+        languages: language && [language],
+      },
      proxyConfig.all_credentials.map((c) => c.type),
      logger,
    );
@@ -178,7 +188,9 @@ async function runWrapper() {
      ActionName.StartProxy,
      getActionsStatus(error),
      startedAt,
-      undefined,
+      {
+        languages: language && [language],
+      },
      await util.checkDiskUsage(logger),
      logger,
    );
@@ -109,7 +109,7 @@ test("getCredentials filters by language when specified", async (t) => {
    getRunnerLogger(true),
    undefined,
    toEncodedJSON(mixedCredentials),
-    "java",
+    KnownLanguage.java,
  );
  t.is(credentials.length, 1);
  t.is(credentials[0].type, "maven_repository");
@@ -120,7 +120,7 @@ test("getCredentials returns all for a language when specified", async (t) => {
    getRunnerLogger(true),
    undefined,
    toEncodedJSON(mixedCredentials),
-    "go",
+    KnownLanguage.go,
  );
  t.is(credentials.length, 2);

@@ -79,9 +79,8 @@ export function getCredentials(
  logger: Logger,
  registrySecrets: string | undefined,
  registriesCredentials: string | undefined,
-  languageString: string | undefined,
+  language: KnownLanguage | undefined,
 ): Credential[] {
-  const language = languageString ? parseLanguage(languageString) : undefined;
  const registryTypeForLanguage = language
    ? LANGUAGE_TO_REGISTRY_TYPE[language]
    : undefined;
@@ -92,6 +92,49 @@ test("createStatusReportBase", async (t) => {
  });
 });

+test("createStatusReportBase - empty configuration", async (t) => {
+  await withTmpDir(async (tmpDir: string) => {
+    setupEnvironmentAndStub(tmpDir);
+
+    const statusReport = await createStatusReportBase(
+      ActionName.StartProxy,
+      "success",
+      new Date("May 19, 2023 05:19:00"),
+      {},
+      { numAvailableBytes: 100, numTotalBytes: 500 },
+      getRunnerLogger(false),
+    );
+
+    if (t.truthy(statusReport)) {
+      t.is(statusReport.action_name, ActionName.StartProxy);
+      t.is(statusReport.status, "success");
+    }
+  });
+});
+
+test("createStatusReportBase - partial configuration", async (t) => {
+  await withTmpDir(async (tmpDir: string) => {
+    setupEnvironmentAndStub(tmpDir);
+
+    const statusReport = await createStatusReportBase(
+      ActionName.StartProxy,
+      "success",
+      new Date("May 19, 2023 05:19:00"),
+      {
+        languages: ["go"],
+      },
+      { numAvailableBytes: 100, numTotalBytes: 500 },
+      getRunnerLogger(false),
+    );
+
+    if (t.truthy(statusReport)) {
+      t.is(statusReport.action_name, ActionName.StartProxy);
+      t.is(statusReport.status, "success");
+      t.is(statusReport.languages, "go");
+    }
+  });
+});
+
 test("createStatusReportBase_firstParty", async (t) => {
  await withTmpDir(async (tmpDir: string) => {
    setupEnvironmentAndStub(tmpDir);
@@ -41,6 +41,7 @@ export enum ActionName {
  Init = "init",
  InitPost = "init-post",
  ResolveEnvironment = "resolve-environment",
+  SetupCodeQL = "setup-codeql",
  StartProxy = "start-proxy",
  UploadSarif = "upload-sarif",
 }
@@ -260,7 +261,7 @@ export async function createStatusReportBase(
  actionName: ActionName,
  status: ActionStatus,
  actionStartedAt: Date,
-  config: Config | undefined,
+  config: Partial<Config> | undefined,
  diskInfo: DiskUsage | undefined,
  logger: Logger,
  cause?: string,
@@ -299,7 +300,7 @@ export async function createStatusReportBase(
      action_ref: actionRef,
      action_started_at: actionStartedAt.toISOString(),
      action_version: getActionVersion(),
-      analysis_kinds: config?.analysisKinds.join(","),
+      analysis_kinds: config?.analysisKinds?.join(","),
      analysis_key,
      build_mode: config?.buildMode,
      commit_oid: commitOid,
@@ -324,7 +325,7 @@ export async function createStatusReportBase(
    }

    if (config) {
-      statusReport.languages = config.languages.join(",");
+      statusReport.languages = config.languages?.join(",");
    }

    if (diskInfo) {
@@ -516,6 +517,16 @@ export interface InitWithConfigStatusReport extends InitStatusReport {
  config_file: string;
 }

+/** Fields of the init status report populated when the tools source is `download`. */
+export interface InitToolsDownloadFields {
+  /** Time taken to download the bundle, in milliseconds. */
+  tools_download_duration_ms?: number;
+  /**
+   * Whether the relevant tools dotcom feature flags have been misconfigured.
+   * Only populated if we attempt to determine the default version based on the dotcom feature flags. */
+  tools_feature_flags_valid?: boolean;
+}
+
 /**
 * Composes a `InitWithConfigStatusReport` from the given values.
 *
@@ -1,9 +1,14 @@
 import * as fs from "fs";
 import * as path from "path";

+import * as github from "@actions/github";
+import { HTTPError } from "@actions/tool-cache";
 import test from "ava";
+import * as sinon from "sinon";

+import * as analyses from "./analyses";
 import { AnalysisKind, CodeQuality, CodeScanning } from "./analyses";
+import * as api from "./api-client";
 import { getRunnerLogger, Logger } from "./logging";
 import { setupTests } from "./testing-utils";
 import * as uploadLib from "./upload-lib";
@@ -867,3 +872,91 @@ function createMockSarif(id?: string, tool?: string) {
    ],
  };
 }
+
+function uploadPayloadFixtures(analysis: analyses.AnalysisConfig) {
+  const mockData = {
+    payload: { sarif: "base64data", commit_sha: "abc123" },
+    owner: "test-owner",
+    repo: "test-repo",
+    response: {
+      status: 200,
+      data: { id: "uploaded-sarif-id" },
+      headers: {},
+      url: analysis.target,
+    },
+  };
+  const client = github.getOctokit("123");
+  sinon.stub(api, "getApiClient").value(() => client);
+  const requestStub = sinon.stub(client, "request");
+
+  const upload = async () =>
+    uploadLib.uploadPayload(
+      mockData.payload,
+      {
+        owner: mockData.owner,
+        repo: mockData.repo,
+      },
+      getRunnerLogger(true),
+      analysis,
+    );
+
+  return {
+    upload,
+    requestStub,
+    mockData,
+  };
+}
+
+for (const analysis of [CodeScanning, CodeQuality]) {
+  test(`uploadPayload on ${analysis.name} uploads successfully`, async (t) => {
+    const { upload, requestStub, mockData } = uploadPayloadFixtures(analysis);
+    requestStub
+      .withArgs(analysis.target, {
+        owner: mockData.owner,
+        repo: mockData.repo,
+        data: mockData.payload,
+      })
+      .onFirstCall()
+      .returns(Promise.resolve(mockData.response));
+    const result = await upload();
+    t.is(result, mockData.response.data.id);
+    t.true(requestStub.calledOnce);
+  });
+
+  for (const envVar of [
+    "CODEQL_ACTION_SKIP_SARIF_UPLOAD",
+    "CODEQL_ACTION_TEST_MODE",
+  ]) {
+    test(`uploadPayload on ${analysis.name} skips upload when ${envVar} is set`, async (t) => {
+      const { upload, requestStub, mockData } = uploadPayloadFixtures(analysis);
+      await withTmpDir(async (tmpDir) => {
+        process.env.RUNNER_TEMP = tmpDir;
+        process.env[envVar] = "true";
+        const result = await upload();
+        t.is(result, "dummy-sarif-id");
+        t.false(requestStub.called);
+
+        const payloadFile = path.join(tmpDir, `payload-${analysis.kind}.json`);
+        t.true(fs.existsSync(payloadFile));
+
+        const savedPayload = JSON.parse(fs.readFileSync(payloadFile, "utf8"));
+        t.deepEqual(savedPayload, mockData.payload);
+      });
+    });
+  }
+
+  test(`uploadPayload on ${analysis.name} wraps request errors using wrapApiConfigurationError`, async (t) => {
+    const { upload, requestStub } = uploadPayloadFixtures(analysis);
+    const wrapApiConfigurationErrorStub = sinon.stub(
+      api,
+      "wrapApiConfigurationError",
+    );
+    const originalError = new HTTPError(404);
+    const wrappedError = new Error("Wrapped error message");
+    requestStub.rejects(originalError);
+    wrapApiConfigurationErrorStub.withArgs(originalError).returns(wrappedError);
+    await t.throwsAsync(upload, {
+      is: wrappedError,
+    });
+  });
+}
@@ -262,6 +262,7 @@ async function combineSarifFilesUsingCLI(
      tempDir,
      gitHubVersion.type,
      codeQLDefaultVersionInfo,
+      features,
      logger,
    );

@@ -346,34 +347,36 @@ function getAutomationID(
  return api.computeAutomationID(analysis_key, environment);
 }

-// Upload the given payload.
-// If the request fails then this will retry a small number of times.
-async function uploadPayload(
+/**
+ * Upload the given payload.
+ * If the request fails then this will retry a small number of times.
+ * This is exported for testing purposes only.
+ */
+export async function uploadPayload(
  payload: any,
  repositoryNwo: RepositoryNwo,
  logger: Logger,
-  target: analyses.SARIF_UPLOAD_ENDPOINT,
+  analysis: analyses.AnalysisConfig,
 ): Promise<string> {
  logger.info("Uploading results");

-  // If in test mode we don't want to upload the results
-  if (util.isInTestMode()) {
+  if (util.shouldSkipSarifUpload()) {
    const payloadSaveFile = path.join(
      actionsUtil.getTemporaryDirectory(),
-      "payload.json",
+      `payload-${analysis.kind}.json`,
    );
    logger.info(
-      `In test mode. Results are not uploaded. Saving to ${payloadSaveFile}`,
+      `SARIF upload disabled by an environment variable. Saving to ${payloadSaveFile}`,
    );
    logger.info(`Payload: ${JSON.stringify(payload, null, 2)}`);
    fs.writeFileSync(payloadSaveFile, JSON.stringify(payload, null, 2));
-    return "test-mode-sarif-id";
+    return "dummy-sarif-id";
  }

  const client = api.getApiClient();

  try {
-    const response = await client.request(target, {
+    const response = await client.request(analysis.target, {
      owner: repositoryNwo.owner,
      repo: repositoryNwo.repo,
      data: payload,
@@ -807,7 +810,7 @@ export async function uploadSpecifiedFiles(
    payload,
    getRepositoryNwo(),
    logger,
-    uploadTarget.target,
+    uploadTarget,
  );

  logger.endGroup();
@@ -23,7 +23,7 @@ import {
  checkDiskUsage,
  getErrorMessage,
  initializeEnvironment,
-  isInTestMode,
+  shouldSkipSarifUpload,
  wrapError,
 } from "./util";

@@ -113,8 +113,10 @@ async function run() {
    core.setOutput("sarif-ids", JSON.stringify(uploadResults));

    // We don't upload results in test mode, so don't wait for processing
-    if (isInTestMode()) {
-      core.debug("In test mode. Waiting for processing is disabled.");
+    if (shouldSkipSarifUpload()) {
+      core.debug(
+        "SARIF upload disabled by an environment variable. Waiting for processing is disabled.",
+      );
    } else if (actionsUtil.getRequiredInput("wait-for-processing") === "true") {
      if (codeScanningResult !== undefined) {
        await upload_lib.waitForProcessing(
@@ -764,12 +764,19 @@ export function isGoodVersion(versionSpec: string) {
 /**
 * Returns whether we are in test mode. This is used by CodeQL Action PR checks.
 *
- * In test mode, we don't upload SARIF results or status reports to the GitHub API.
+ * In test mode, we skip several uploads (SARIF results, status reports, DBs, ...).
 */
 export function isInTestMode(): boolean {
  return process.env[EnvVar.TEST_MODE] === "true";
 }

+/**
+ * Returns whether we specifically want to skip uploading SARIF files.
+ */
+export function shouldSkipSarifUpload(): boolean {
+  return isInTestMode() || process.env[EnvVar.SKIP_SARIF_UPLOAD] === "true";
+}
+
 /**
 * Get the testing environment.
 *
@@ -29,6 +29,6 @@ outputs:
  proxy_urls:
    description: A stringified JSON array of objects containing the types and URLs of the configured registries.
 runs:
-  using: node20
+  using: node24
  main: "../lib/start-proxy-action.js"
  post: "../lib/start-proxy-action-post.js"
@@ -41,6 +41,6 @@ outputs:

      { "code-scanning": "some-id", "code-quality": "some-other-id" }
 runs:
-  using: node20
+  using: node24
  main: '../lib/upload-sarif-action.js'
  post: '../lib/upload-sarif-action-post.js'
Author	SHA1	Message	Date
Henry Mercer	16140ae1a1	Merge pull request #3213 from github/update-v4.30.9-70205d3d1 Merge main into releases/v4	2025-10-17 16:22:48 +01:00
github-actions[bot]	30db5fee08	Update changelog for v4.30.9	2025-10-17 14:54:08 +00:00
Michael B. Gale	70205d3d12	Merge pull request #3211 from github/mbg/init/starting-partial-config Make analysis kinds available for `starting` status report	2025-10-17 14:46:51 +01:00
Michael B. Gale	697c209bfc	Merge remote-tracking branch 'origin/main' into mbg/init/starting-partial-config	2025-10-17 14:21:44 +01:00
Henry Mercer	1bd53ba38c	Merge pull request #3205 from github/update-bundle/codeql-bundle-v2.23.3 Update default bundle to 2.23.3	2025-10-17 14:18:19 +01:00
github-actions[bot]	cac4df0c79	Rebuild	2025-10-17 12:59:18 +00:00
Henry Mercer	77e5c0d0a2	Merge branch 'main' into update-bundle/codeql-bundle-v2.23.3	2025-10-17 13:53:02 +01:00
Michael B. Gale	97a4f751be	Merge pull request #3204 from github/mbg/setup-codeql Add `setup-codeql` action	2025-10-17 13:47:42 +01:00
Michael B. Gale	2d5512b361	Merge remote-tracking branch 'origin/main' into mbg/init/starting-partial-config	2025-10-17 13:44:28 +01:00
Michael B. Gale	fa7bdf0559	Call `getAnalysisKinds` a second time, and ignore exceptions thrown during the first call	2025-10-17 13:40:18 +01:00
Michael B. Gale	57c7b0a884	Rename `initAnalysisKinds` to `getAnalysisKinds` and cache results	2025-10-17 13:33:55 +01:00
Michael B. Gale	4874f90a8d	Merge branch 'main' into mbg/setup-codeql	2025-10-17 13:32:40 +01:00
Michael B. Gale	5a9e92afca	Merge pull request #3212 from github/mbg/ci/pin-python Install Python 3.13 to fix failing PR checks with older CLI versions	2025-10-17 13:31:26 +01:00
Michael B. Gale	9bd9b03572	Remove now unused `qualityQueriesInput` from `InitConfigInputs`	2025-10-17 13:22:41 +01:00
Michael B. Gale	3569065d7e	Install Python 3.13, except for `nightly-latest`	2025-10-17 12:51:50 +01:00
Michael B. Gale	c0e8887d5a	Throw a `ConfigurationError` if `setup-codeql` has run before `init`	2025-10-17 12:17:47 +01:00
Michael B. Gale	3c8d00aea0	Initialise analysis kinds before `starting` status report	2025-10-17 11:46:35 +01:00
Michael B. Gale	bc93b04b0c	Add `initAnalysisKinds` for `analysis-kinds` enablement logic	2025-10-17 11:43:00 +01:00
Michael B. Gale	adf39dd33f	Add function for `starting` status report	2025-10-17 11:16:00 +01:00
Michael B. Gale	000295122d	Use `failure` instead of `aborted`	2025-10-16 19:05:03 +01:00
Michael B. Gale	2611d033d7	De-duplicate `InitToolsDownloadFIelds` definition	2025-10-16 19:03:46 +01:00
Michael B. Gale	ee753b4724	Merge pull request #3209 from github/mbg/code-quality/skip-failed-upload Skip failed SARIF upload if Code Quality is the only analysis kind	2025-10-16 15:22:01 +01:00
Michael B. Gale	db6938a4d0	Change check to be restrictive by default	2025-10-16 15:06:19 +01:00
Michael B. Gale	d02f50ee62	Update changelog for `setup-codeql`	2025-10-16 14:50:16 +01:00
Michael B. Gale	f4237b7e76	Add `setup-codeql` to README	2025-10-16 14:48:35 +01:00
Michael B. Gale	302fc5e00d	Update docs	2025-10-16 14:46:35 +01:00
Michael B. Gale	c77b3fb96e	Skip failed SARIF upload if `analysis-kinds: code-quality`	2025-10-16 14:27:17 +01:00
Michael B. Gale	2a54ab5016	Fix `init-action-post-helper` tests using broken `Config`s	2025-10-16 14:18:51 +01:00
github-actions[bot]	a60e5ce8ec	Add changelog note	2025-10-14 12:53:29 +00:00
github-actions[bot]	8d0251c1f7	Update default bundle to codeql-bundle-v2.23.3	2025-10-14 12:53:17 +00:00
Michael B. Gale	80220dcd46	Use `setup-codeql` action in `bundle-from-toolcache` check	2025-10-12 14:14:07 +01:00
Michael B. Gale	e72fd9acb1	Add initial `setup-codeql` action	2025-10-12 14:14:06 +01:00
Michael B. Gale	17783bfb99	Merge pull request #3199 from github/mergeback/v4.30.8-to-main-f443b600 Mergeback v4.30.8 refs/heads/releases/v4 into main	2025-10-10 18:16:14 +01:00
Henry Mercer	3c764cd93a	Only create GitHub release if it doesn't already exist	2025-10-10 17:54:08 +01:00
Henry Mercer	e1968324ff	Merge branch 'releases/v4' into mergeback/v4.30.8-to-main-f443b600	2025-10-10 17:53:24 +01:00
Henry Mercer	2a6736cca7	Merge pull request #3200 from github/henrymercer/backport-hotfix Revert "Rebuild" commit rather than "Update dependencies"	2025-10-10 17:47:40 +01:00
Henry Mercer	c8765c966b	Revert "Rebuild" commit rather than "Update dependencies"	2025-10-10 17:23:02 +01:00
github-actions[bot]	61789e2fdb	Rebuild	2025-10-10 15:59:22 +00:00
github-actions[bot]	5cd2d139cb	Update changelog and version after v4.30.8	2025-10-10 15:55:20 +00:00
Michael B. Gale	f443b600d9	Merge pull request #3198 from github/update-v4.30.8-527f0f324 Merge main into releases/v4	2025-10-10 16:54:36 +01:00
github-actions[bot]	7a2cb623ed	Update changelog for v4.30.8	2025-10-10 14:34:56 +00:00
Henry Mercer	527f0f324a	Merge pull request #3195 from github/dependabot/npm_and_yarn/npm-minor-37415c9066 Bump the npm-minor group with 3 updates	2025-10-10 15:22:52 +01:00
Henry Mercer	f402506f0f	Merge pull request #3196 from github/dependabot/github_actions/dot-github/workflows/actions-minor-945aab589d Bump ruby/setup-ruby from 1.263.0 to 1.265.0 in /.github/workflows in the actions-minor group across 1 directory	2025-10-10 15:20:16 +01:00
Henry Mercer	f5e53f9476	Merge pull request #3197 from github/dependabot/github_actions/dot-github/workflows/github/codeql-action-4 Bump github/codeql-action from 3 to 4 in /.github/workflows	2025-10-10 15:13:23 +01:00
Michael B. Gale	4e90a42a3e	Merge pull request #3193 from github/mbg/ff/tools-toolcache Gate `tools: toolcache` behind FF	2025-10-10 15:09:00 +01:00
github-actions[bot]	413a4a4df1	Rebuild	2025-10-10 13:49:43 +00:00
dependabot[bot]	452186448a	Bump github/codeql-action from 3 to 4 in /.github/workflows Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3 to 4. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/github/codeql-action/compare/v3...v4) --- updated-dependencies: - dependency-name: github/codeql-action dependency-version: '4' dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>	2025-10-10 13:48:11 +00:00
dependabot[bot]	eadf14bf6e	Bump ruby/setup-ruby Bumps the actions-minor group with 1 update in the /.github/workflows directory: [ruby/setup-ruby](https://github.com/ruby/setup-ruby). Updates `ruby/setup-ruby` from 1.263.0 to 1.265.0 - [Release notes](https://github.com/ruby/setup-ruby/releases) - [Changelog](https://github.com/ruby/setup-ruby/blob/master/release.rb) - [Commits](https://github.com/ruby/setup-ruby/compare/0481980f17b760ef6bca5e8c55809102a0af1e5a...ab177d40ee5483edb974554986f56b33477e21d0) --- updated-dependencies: - dependency-name: ruby/setup-ruby dependency-version: 1.265.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: actions-minor ... Signed-off-by: dependabot[bot] <support@github.com>	2025-10-10 13:48:07 +00:00
github-actions[bot]	e1257b6fda	Rebuild	2025-10-10 13:47:47 +00:00
dependabot[bot]	b516b1d4bc	Bump the npm-minor group with 3 updates Bumps the npm-minor group with 3 updates: [semver](https://github.com/npm/node-semver), [@typescript-eslint/eslint-plugin](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/eslint-plugin) and [@typescript-eslint/parser](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/parser). Updates `semver` from 7.7.2 to 7.7.3 - [Release notes](https://github.com/npm/node-semver/releases) - [Changelog](https://github.com/npm/node-semver/blob/main/CHANGELOG.md) - [Commits](https://github.com/npm/node-semver/compare/v7.7.2...v7.7.3) Updates `@typescript-eslint/eslint-plugin` from 8.45.0 to 8.46.0 - [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases) - [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/eslint-plugin/CHANGELOG.md) - [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v8.46.0/packages/eslint-plugin) Updates `@typescript-eslint/parser` from 8.45.0 to 8.46.0 - [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases) - [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/parser/CHANGELOG.md) - [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v8.46.0/packages/parser) --- updated-dependencies: - dependency-name: semver dependency-version: 7.7.3 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: npm-minor - dependency-name: "@typescript-eslint/eslint-plugin" dependency-version: 8.46.0 dependency-type: direct:development update-type: version-update:semver-minor dependency-group: npm-minor - dependency-name: "@typescript-eslint/parser" dependency-version: 8.46.0 dependency-type: direct:development update-type: version-update:semver-minor dependency-group: npm-minor ... Signed-off-by: dependabot[bot] <support@github.com>	2025-10-10 13:46:16 +00:00
Henry Mercer	168b2dee16	Merge pull request #3194 from github/henrymercer-patch-1 Dependabot: Only group minor and patch updates	2025-10-10 14:44:22 +01:00
Michael B. Gale	4704ab1869	Fix swapped log levels	2025-10-10 14:42:09 +01:00
Michael B. Gale	dc2ced8385	Add tests for scenarios where the feature is unavailable	2025-10-10 14:39:59 +01:00
Michael B. Gale	5c752c85dd	Add test macro for fallback tests	2025-10-10 14:39:58 +01:00
Henry Mercer	e74435a1da	Dependabot: Only group minor and patch updates Major updates are likely to include breaking changes and are worth reviewing individually.	2025-10-10 14:28:32 +01:00
Michael B. Gale	524b9a00e8	Fix log message swap	2025-10-10 14:04:39 +01:00
Michael B. Gale	a512fe0868	Gate `tools: toolcache` behind FF Mainly to allow us to disable it, if needed.	2025-10-10 13:49:06 +01:00
Michael B. Gale	62f0f21c3c	Add `AllowToolcacheInput` feature	2025-10-10 13:27:50 +01:00
Paolo Tranquilli	a8440d08d5	Merge pull request #3185 from github/redsun82/skip-sarif-upload-tests Add unit tests for `uploadPayload`	2025-10-10 14:00:05 +02:00
Paolo Tranquilli	610c7c68e3	Address review	2025-10-09 15:24:02 +02:00
Paolo Tranquilli	ff2fc66cc1	Simplify `uploadPayload` tests	2025-10-09 12:31:00 +02:00
Paolo Tranquilli	a841c540b7	Scratch `uploadSpecifiedFiles` tests, make `uploadPayload` tests instead	2025-10-09 12:18:14 +02:00
Paolo Tranquilli	aeb12f6eaa	Merge branch 'main' into redsun82/skip-sarif-upload-tests	2025-10-09 11:38:10 +02:00
Henry Mercer	6fd4ceb7bb	Merge pull request #3189 from github/henrymercer/download-codeql-rate-limit Add configuration error for rate limited CodeQL download	2025-10-08 15:11:29 +01:00
Michael B. Gale	196a3e577b	Merge pull request #3188 from github/mbg/telemetry/partial-config Allow `Partial<Config>` for `createStatusReportBase`	2025-10-08 14:59:05 +01:00
Henry Mercer	98abb870dc	Add configuration error for rate limited CodeQL download	2025-10-08 14:43:54 +01:00
Michael B. Gale	bdd2cdf891	Also include `language` in error status report for `start-proxy`, if available	2025-10-08 13:13:04 +01:00
Michael B. Gale	fb148789ab	Include `languages` in `start-proxy` telemetry	2025-10-08 13:01:35 +01:00
Michael B. Gale	2ff418f28a	Parse `language` before calling `getCredentials`	2025-10-08 13:01:35 +01:00
Michael B. Gale	527501d15d	Allow `createStatusReportBase` to accept a `Partial<Config>`	2025-10-08 13:01:35 +01:00
Paolo Tranquilli	621809b239	Address copilot review	2025-10-08 12:24:49 +02:00
Paolo Tranquilli	8301b8b096	Merge pull request #3180 from github/redsun82/skip-sarif-upload Introduce `CODEQL_ACTION_SKIP_SARIF_UPLOAD`	2025-10-08 12:09:54 +02:00
Nick Rolfe	7bdfa9736a	Merge pull request #3184 from github/nickrolfe/go-overlay Overlays: allow any build mode for Go	2025-10-08 10:48:40 +01:00
Paolo Tranquilli	a57997f2d2	Fix test after rebase	2025-10-08 09:34:48 +02:00
Paolo Tranquilli	4489a63a9d	Add unit tests for uploadSpecifiedFiles	2025-10-08 09:34:48 +02:00
Paolo Tranquilli	1707898e5b	Merge branch 'main' into redsun82/skip-sarif-upload	2025-10-08 09:34:05 +02:00
Paolo Tranquilli	d05f2255a0	Tweak comment	2025-10-08 09:34:01 +02:00
Nick Rolfe	7892cb2362	Overlays: allow any build mode for Go We have a check that a traced language can only run overlay analysis with build-mode: none, but Go does not currently declare support for BMN, even though it has a similar autobuild mode that will work for overlay analysis. This commit adds a hard-coded exception to that check, allowing any build mode for Go. This is intended as a short-term solution until Go declares BMN support. It should be safe, since we can choose not to enable the feature flag for Go repos using traced builds.	2025-10-07 17:45:08 +01:00
Mario Campos	8a6b62bc2d	Merge pull request #3186 from github/mergeback/v4.30.7-to-main-e296a935 Mergeback v4.30.7 refs/heads/releases/v4 into main	2025-10-07 11:20:49 -05:00
github-actions[bot]	d95a3b53f8	Rebuild	2025-10-07 16:01:48 +00:00
github-actions[bot]	257e42ce3d	Merge remote-tracking branch 'origin/main' into mergeback/v4.30.7-to-main-e296a935	2025-10-07 16:01:00 +00:00
github-actions[bot]	074940162c	Update changelog and version after v4.30.7	2025-10-07 15:22:00 +00:00
Paolo Tranquilli	df65651d4f	Merge branch 'main' into redsun82/skip-sarif-upload	2025-10-07 17:17:13 +02:00
Paolo Tranquilli	1b09eb4ccc	Address review	2025-10-07 17:17:06 +02:00
Michael B. Gale	2f11c17b09	Merge pull request #3175 from github/mbg/setup/toolcache Support requesting latest version from toolcache with `tools: toolcache`	2025-10-07 10:32:03 +01:00
Michael B. Gale	0ba4970165	Merge branch 'main' into mbg/setup/toolcache	2025-10-07 10:09:12 +01:00
Michael B. Gale	5431b6a308	Merge pull request #3176 from github/mbg/pr-template/tests Add more questions to the PR template	2025-10-07 10:05:07 +01:00
Michael B. Gale	7f5db167b6	Merge branch 'main' into mbg/pr-template/tests	2025-10-07 09:48:29 +01:00
Michael B. Gale	239d7b286f	Merge pull request #3181 from github/mbg/pr-checks/upload-sarif Add more end-to-end tests for `upload-sarif`	2025-10-07 09:48:05 +01:00
Paolo Tranquilli	86b2ad6646	Remove unneeded comment	2025-10-07 10:36:45 +02:00
Paolo Tranquilli	5dfb610e99	Merge branch 'main' into redsun82/skip-sarif-upload	2025-10-07 10:36:12 +02:00
Henry Mercer	1491baa17e	Merge branch 'main' into mbg/pr-checks/upload-sarif	2025-10-07 09:28:42 +01:00
Henry Mercer	db562a696f	Merge pull request #3182 from github/dependabot/npm_and_yarn/npm-b02b6854f6 Bump the npm group with 4 updates	2025-10-07 09:16:58 +01:00
github-actions[bot]	6877465dc1	Rebuild	2025-10-06 17:03:52 +00:00
dependabot[bot]	ff23a55f4d	Bump the npm group with 4 updates Bumps the npm group with 4 updates: [@eslint/js](https://github.com/eslint/eslint/tree/HEAD/packages/js), [@typescript-eslint/eslint-plugin](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/eslint-plugin), [@typescript-eslint/parser](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/parser) and [typescript](https://github.com/microsoft/TypeScript). Updates `@eslint/js` from 9.36.0 to 9.37.0 - [Release notes](https://github.com/eslint/eslint/releases) - [Commits](https://github.com/eslint/eslint/commits/v9.37.0/packages/js) Updates `@typescript-eslint/eslint-plugin` from 8.44.1 to 8.45.0 - [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases) - [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/eslint-plugin/CHANGELOG.md) - [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v8.45.0/packages/eslint-plugin) Updates `@typescript-eslint/parser` from 8.44.1 to 8.45.0 - [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases) - [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/parser/CHANGELOG.md) - [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v8.45.0/packages/parser) Updates `typescript` from 5.9.2 to 5.9.3 - [Release notes](https://github.com/microsoft/TypeScript/releases) - [Changelog](https://github.com/microsoft/TypeScript/blob/main/azure-pipelines.release-publish.yml) - [Commits](https://github.com/microsoft/TypeScript/compare/v5.9.2...v5.9.3) --- updated-dependencies: - dependency-name: "@eslint/js" dependency-version: 9.37.0 dependency-type: direct:development update-type: version-update:semver-minor dependency-group: npm - dependency-name: "@typescript-eslint/eslint-plugin" dependency-version: 8.45.0 dependency-type: direct:development update-type: version-update:semver-minor dependency-group: npm - dependency-name: "@typescript-eslint/parser" dependency-version: 8.45.0 dependency-type: direct:development update-type: version-update:semver-minor dependency-group: npm - dependency-name: typescript dependency-version: 5.9.3 dependency-type: direct:development update-type: version-update:semver-patch dependency-group: npm ... Signed-off-by: dependabot[bot] <support@github.com>	2025-10-06 17:02:21 +00:00
Paolo Tranquilli	00a6e13cbf	Tweak SARIF skipping logs	2025-10-06 17:03:29 +02:00
Paolo Tranquilli	25c8db918a	Revert "Specify reason for skipping SARIF upload in logs" This reverts commit `680b07003d`.	2025-10-06 16:59:45 +02:00
Michael B. Gale	dabf6fc578	Adjust step names to be clearer	2025-10-06 15:40:35 +01:00
Michael B. Gale	14c5d77032	Fix: Update `payload.json` path in `with-checkout-path` test	2025-10-06 15:28:40 +01:00
Michael B. Gale	380e002752	Add explicit `category` values	2025-10-06 15:15:43 +01:00
Paolo Tranquilli	680b07003d	Specify reason for skipping SARIF upload in logs	2025-10-06 15:39:29 +02:00
Michael B. Gale	22aba57acf	Include analysis kind in `payloadSaveFile` path in `uploadPayload`	2025-10-06 14:30:30 +01:00
Paolo Tranquilli	11e4034414	Clarify comment about SKIP_SARIF_UPLOAD setting	2025-10-06 15:23:18 +02:00
Paolo Tranquilli	882667e383	Update src/util.ts Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>	2025-10-06 15:22:34 +02:00
Michael B. Gale	6f964b7776	Cover more cases in `upload-sarif` check	2025-10-06 14:10:49 +01:00
Michael B. Gale	6bdf5d3d00	Run `upload-sarif` check for all `analysis-kinds` values	2025-10-06 13:56:19 +01:00
Michael B. Gale	9b3ade946d	Rename `upload-quality-sarif.yml` workflow	2025-10-06 13:50:21 +01:00
Paolo Tranquilli	e0b9da7b0a	Introduce `CODEQL_ACTION_SKIP_SARIF_UPLOAD` This triggers a subset of the behavior of `CODEQL_ACTION_TEST_MODE`, specifically just skipping the SARIF upload step. This is required for our internal testing where we want the SARIF file (via `CODEQL_ACTION_DUMP_SARIF_DIR`) but don't want to actually upload it, but we don't want the rest of the behaviour of `CODEQL_ACTION_TEST_MODE` that is specific for `codeql-action` own CI checks.	2025-10-06 14:38:32 +02:00
Michael B. Gale	726a341ed4	Restrict when `tools: toolcache` can be used	2025-10-06 13:16:16 +01:00
Michael B. Gale	1cc5eb6636	Use `semver.compare` instead of `semver.lt`	2025-10-06 12:58:00 +01:00
Michael B. Gale	43ce7ef399	Add `isDynamicWorkflow` function	2025-10-06 12:55:54 +01:00
Michael B. Gale	4d0c164f60	Remove `toolcache` option description from `action.yml`	2025-10-06 12:53:17 +01:00
Michael B. Gale	dd9e24a8a4	Add more questions to the PR template	2025-10-03 16:27:36 +01:00
Michael B. Gale	13a3a6890f	Add basic PR check for `tools: toolcache`	2025-10-03 15:49:29 +01:00
Michael B. Gale	7d468c931c	Accept `toolcache` as `version` value for `prepare-test`	2025-10-03 15:48:04 +01:00
Michael B. Gale	425ef85595	Support requesting CLI from toolcache with `tools: toolcache`	2025-10-03 15:40:33 +01:00
Michael B. Gale	297313df79	Add `getLatestToolcacheVersion` with tests	2025-10-03 14:40:34 +01:00