Merge pull request #3868 from github/mergeback/v4.35.3-to-main-e46ed2cb

Mergeback v4.35.3 refs/heads/releases/v4 into main
Rebuild
2026-05-03 12:20:09 +00:00 · 2026-05-01 14:34:01 +00:00 · 2026-05-01 14:09:49 +00:00 · 2026-05-01 14:06:46 +00:00 · 2026-05-01 15:05:28 +01:00 · 2026-05-01 14:09:58 +01:00
303 changed files with 988036 additions and 635769 deletions
@@ -22,7 +22,8 @@ runs:
        MAJOR_VERSION: ${{ inputs.major_version }}
        LATEST_TAG: ${{ inputs.latest_tag }}
      run: |
-        python ${{ github.action_path }}/release-branches.py \
+        npm ci
+        npx tsx ./pr-checks/release-branches.ts \
            --major-version "$MAJOR_VERSION" \
            --latest-tag "$LATEST_TAG"
      shell: bash
@@ -1,55 +0,0 @@
-import argparse
-import json
-import os
-import configparser
-
-# Name of the remote
-ORIGIN = 'origin'
-
-script_dir = os.path.dirname(os.path.realpath(__file__))
-grandparent_dir = os.path.dirname(os.path.dirname(script_dir))
-
-config = configparser.ConfigParser()
-with open(os.path.join(grandparent_dir, 'releases.ini')) as stream:
-    config.read_string('[default]\n' + stream.read())
-
-OLDEST_SUPPORTED_MAJOR_VERSION = int(config['default']['OLDEST_SUPPORTED_MAJOR_VERSION'])
-
-def main():
-
-  parser = argparse.ArgumentParser()
-  parser.add_argument("--major-version", required=True, type=str, help="The major version of the release")
-  parser.add_argument("--latest-tag", required=True, type=str, help="The most recent tag published to the repository")
-  args = parser.parse_args()
-
-  major_version = args.major_version
-  latest_tag = args.latest_tag
-
-  print("major_version: " + major_version)
-  print("latest_tag: " + latest_tag)
-
-  # If this is a primary release, we backport to all supported branches,
-  # so we check whether the major_version taken from the package.json
-  # is greater than or equal to the latest tag pulled from the repo.
-  # For example...
-  #     'v1' >= 'v2' is False # we're operating from an older release branch and should not backport
-  #     'v2' >= 'v2' is True  # the normal case where we're updating the current version
-  #     'v3' >= 'v2' is True  # in this case we are making the first release of a new major version
-  consider_backports = ( major_version >= latest_tag.split(".")[0] )
-
-  with open(os.environ["GITHUB_OUTPUT"], "a") as f:
-
-    f.write(f"backport_source_branch=releases/{major_version}\n")
-
-    backport_target_branches = []
-
-    if consider_backports:
-      for i in range(int(major_version.strip("v"))-1, 0, -1):
-        branch_name = f"releases/v{i}"
-        if i >= OLDEST_SUPPORTED_MAJOR_VERSION:
-          backport_target_branches.append(branch_name)
-
-    f.write("backport_target_branches="+json.dumps(backport_target_branches)+"\n")
-
-if __name__ == "__main__":
-  main()
@@ -15,6 +15,12 @@ runs:
      run: echo "$GITHUB_CONTEXT"
      shell: bash

+    - name: Set up Node
+      uses: actions/setup-node@v6
+      with:
+        node-version: 20
+        cache: 'npm'
+
    - name: Set up Python
      uses: actions/setup-python@v6
      with:
@@ -0,0 +1,6 @@
+name: Verify that the best-effort debug artifact scan completed
+description: Verifies that the best-effort debug artifact scan completed successfully during tests
+runs:
+  using: node24
+  main: index.js
+  post: post.js
@@ -0,0 +1,2 @@
+// The main step is a no-op, since we can only verify artifact scan completion in the post step.
+console.log("Will verify artifact scan completion in the post step.");
@@ -0,0 +1,11 @@
+// Post step - runs after the workflow completes, when artifact scan has finished
+const process = require("process");
+
+const scanFinished = process.env.CODEQL_ACTION_ARTIFACT_SCAN_FINISHED;
+
+if (scanFinished !== "true") {
+  console.error("Error: Best-effort artifact scan did not complete. Expected CODEQL_ACTION_ARTIFACT_SCAN_FINISHED=true");
+  process.exit(1);
+}
+
+console.log("✓ Best-effort artifact scan completed successfully");
@@ -1,5 +1,5 @@
 name: "CodeQL config"
-queries: 
+queries:
  - name: Run custom queries
    uses: ./queries
  # Run all extra query suites, both because we want to
@@ -13,3 +13,5 @@ queries:
 paths-ignore:
  - lib
  - tests
+  - "**/*.test.ts"
+  - "**/testing-util.ts"
@@ -1,17 +1,20 @@
 version: 2
 updates:
  - package-ecosystem: npm
-    directory: "/"
+    directories:
+      - "/"
+      - "/pr-checks"
    schedule:
      interval: weekly
+    cooldown:
+      default-days: 7
+      exclude:
+        - "@actions/*"
    labels:
      - Rebuild
    # Ignore incompatible dependency updates
    ignore:
-      # There is a type incompatibility issue between v0.0.9 and our other dependencies.
-      - dependency-name: "@octokit/plugin-retry"
-        versions: ["~6.0.0"]
-      # This is broken due to the way configuration files have changed. 
+      # This is broken due to the way configuration files have changed.
      # This might be fixed when we move to eslint v9.
      - dependency-name: "eslint-plugin-import"
        versions: [">=2.30.0"]
@@ -28,6 +31,10 @@ updates:
      - "/.github/actions"
    schedule:
      interval: weekly
+    cooldown:
+      default-days: 7
+      exclude:
+        - "actions/*"
    labels:
      - Rebuild
    groups:
@@ -23,18 +23,18 @@ For internal use only. Please select the risk level of this change:
 Workflow types:

 - **Advanced setup** - Impacts users who have custom CodeQL workflows.
- **Managed** - Impacts users with `dynamic` workflows (Default Setup, CCR, ...).
+- **Managed** - Impacts users with `dynamic` workflows (Default Setup, Code Quality, ...).

 Products:

 - **Code Scanning** - The changes impact analyses when `analysis-kinds: code-scanning`.
 - **Code Quality** - The changes impact analyses when `analysis-kinds: code-quality`.
- **CCR** - The changes impact analyses for Copilot Code Reviews.
+- **Other first-party** - The changes impact other first-party analyses.
 - **Third-party analyses** - The changes affect the `upload-sarif` action.

 Environments:

- **Dotcom** - Impacts CodeQL workflows on `github.com`.
+- **Dotcom** - Impacts CodeQL workflows on `github.com` and/or GitHub Enterprise Cloud with Data Residency.
 - **GHES** - Impacts CodeQL workflows on GitHub Enterprise Server.
 - **Testing/None** - This change does not impact any CodeQL workflows in production.

@@ -54,6 +54,7 @@ Environments:

 - **Feature flags** - All new or changed code paths can be fully disabled with corresponding feature flags.
 - **Rollback** - Change can only be disabled by rolling back the release or releasing a new version with a fix.
+- **Development/testing only** - This change cannot cause any failures in production.
 - **Other** - Please provide details.

 #### How will you know if something goes wrong after this change is released?
@@ -1 +0,0 @@
-OLDEST_SUPPORTED_MAJOR_VERSION=3
@@ -71,8 +71,9 @@ def open_pr(
    body.append('')
    body.append('Contains the following pull requests:')
    for pr in pull_requests:
-      merger = get_merger_of_pr(repo, pr)
-      body.append(f'- #{pr.number} (@{merger})')
+      # Use PR author if they are GitHub staff, otherwise use the merger
+      display_user = get_pr_author_if_staff(pr) or get_merger_of_pr(repo, pr)
+      body.append(f'- #{pr.number} (@{display_user})')

  # List all commits not part of a PR
  if len(commits_without_pull_requests) > 0:
@@ -168,6 +169,14 @@ def get_pr_for_commit(commit):
 def get_merger_of_pr(repo, pr):
  return repo.get_commit(pr.merge_commit_sha).author.login

+# Get the PR author if they are GitHub staff, otherwise None.
+def get_pr_author_if_staff(pr):
+  if pr.user is None:
+    return None
+  if getattr(pr.user, 'site_admin', False):
+    return pr.user.login
+  return None
+
 def get_current_version():
  with open('package.json', 'r') as f:
    return json.load(f)['version']
@@ -181,9 +190,9 @@ def replace_version_package_json(prev_version, new_version):
      print(line.replace(prev_version, new_version), end='')
    else:
      prev_line_is_codeql = False
-      print(line, end='') 
+      print(line, end='')
    if '\"name\": \"codeql\",' in line:
-        prev_line_is_codeql = True 
+        prev_line_is_codeql = True

 def get_today_string():
  today = datetime.datetime.today()
@@ -18,38 +18,41 @@ on:
      - synchronize
      - reopened
      - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
    inputs:
-      go-version:
-        type: string
-        description: The version of Go to install
-        required: false
-        default: '>=1.21.0'
      dotnet-version:
        type: string
        description: The version of .NET to install
        required: false
        default: 9.x
+      go-version:
+        type: string
+        description: The version of Go to install
+        required: false
+        default: '>=1.21.0'
  workflow_call:
    inputs:
-      go-version:
-        type: string
-        description: The version of Go to install
-        required: false
-        default: '>=1.21.0'
      dotnet-version:
        type: string
        description: The version of .NET to install
        required: false
        default: 9.x
+      go-version:
+        type: string
+        description: The version of Go to install
+        required: false
+        default: '>=1.21.0'
 defaults:
  run:
    shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group: all-platform-bundle-${{github.ref}}-${{inputs.dotnet-version}}-${{inputs.go-version}}
 jobs:
  all-platform-bundle:
    strategy:
@@ -71,7 +74,16 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
+      - name: Install .NET
+        uses: actions/setup-dotnet@v5
+        with:
+          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
+      - name: Install Go
+        uses: actions/setup-go@v6
+        with:
+          go-version: ${{ inputs.go-version || '>=1.21.0' }}
+          cache: false
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -79,19 +91,10 @@ jobs:
          version: ${{ matrix.version }}
          use-all-platform-bundle: 'true'
          setup-kotlin: 'true'
-      - name: Install Go
-        uses: actions/setup-go@v6
-        with:
-          go-version: ${{ inputs.go-version || '>=1.21.0' }}
-          cache: false
-      - name: Install .NET
-        uses: actions/setup-dotnet@v5
-        with:
-          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - id: init
        uses: ./../action/init
        with:
-      # Swift is not supported on Ubuntu so we manually exclude it from the list here
+          # Swift is not supported on Ubuntu so we manually exclude it from the list here
          languages: cpp,csharp,go,java,javascript,python,ruby
          tools: ${{ steps.prepare-test.outputs.tools-url }}
      - name: Build code
@@ -3,7 +3,7 @@
 #     pr-checks/sync.sh
 # to regenerate this file.

-name: PR Check - Quality queries input
+name: PR Check - Analysis kinds
 env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  GO111MODULE: auto
@@ -18,6 +18,9 @@ on:
      - synchronize
      - reopened
      - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -28,10 +31,10 @@ defaults:
  run:
    shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group: analysis-kinds-${{github.ref}}
 jobs:
-  quality-queries:
+  analysis-kinds:
    strategy:
      fail-fast: false
      matrix:
@@ -45,6 +48,9 @@ jobs:
          - os: ubuntu-latest
            version: linked
            analysis-kinds: code-scanning,code-quality
+          - os: ubuntu-latest
+            version: linked
+            analysis-kinds: risk-assessment
          - os: ubuntu-latest
            version: nightly-latest
            analysis-kinds: code-scanning
@@ -54,7 +60,10 @@ jobs:
          - os: ubuntu-latest
            version: nightly-latest
            analysis-kinds: code-scanning,code-quality
-    name: Quality queries input
+          - os: ubuntu-latest
+            version: nightly-latest
+            analysis-kinds: risk-assessment
+    name: Analysis kinds
    if: github.triggering_actor != 'dependabot[bot]'
    permissions:
      contents: read
@@ -63,7 +72,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -78,38 +87,32 @@ jobs:
          tools: ${{ steps.prepare-test.outputs.tools-url }}
      - uses: ./../action/analyze
        with:
-          output: ${{ runner.temp }}/results
+          output: '${{ runner.temp }}/results'
          upload-database: false
-          post-processed-sarif-path: ${{ runner.temp }}/post-processed
-      - name: Upload security SARIF
-        if: contains(matrix.analysis-kinds, 'code-scanning')
-        uses: actions/upload-artifact@v5
+          post-processed-sarif-path: '${{ runner.temp }}/post-processed'
+
+      - name: Upload SARIF files
+        uses: actions/upload-artifact@v7
        with:
          name: |
-            quality-queries-${{ matrix.os }}-${{ matrix.version }}-${{ matrix.analysis-kinds }}.sarif.json
-          path: ${{ runner.temp }}/results/javascript.sarif
-          retention-days: 7
-      - name: Upload quality SARIF
-        if: contains(matrix.analysis-kinds, 'code-quality')
-        uses: actions/upload-artifact@v5
-        with:
-          name: |
-            quality-queries-${{ matrix.os }}-${{ matrix.version }}-${{ matrix.analysis-kinds }}.quality.sarif.json
-          path: ${{ runner.temp }}/results/javascript.quality.sarif
+            analysis-kinds-${{ matrix.os }}-${{ matrix.version }}-${{ matrix.analysis-kinds }}
+          path: '${{ runner.temp }}/results/*.sarif'
          retention-days: 7
+
      - name: Upload post-processed SARIF
-        uses: actions/upload-artifact@v5
+        uses: actions/upload-artifact@v7
        with:
          name: |
-            post-processed-${{ matrix.os }}-${{ matrix.version }}-${{ matrix.analysis-kinds }}.sarif.json
-          path: ${{ runner.temp }}/post-processed
+            post-processed-${{ matrix.os }}-${{ matrix.version }}-${{ matrix.analysis-kinds }}
+          path: '${{ runner.temp }}/post-processed'
          retention-days: 7
          if-no-files-found: error
+
      - name: Check quality query does not appear in security SARIF
        if: contains(matrix.analysis-kinds, 'code-scanning')
        uses: actions/github-script@v8
        env:
-          SARIF_PATH: ${{ runner.temp }}/results/javascript.sarif
+          SARIF_PATH: '${{ runner.temp }}/results/javascript.sarif'
          EXPECT_PRESENT: 'false'
        with:
          script: ${{ env.CHECK_SCRIPT }}
@@ -117,11 +120,12 @@ jobs:
        if: contains(matrix.analysis-kinds, 'code-quality')
        uses: actions/github-script@v8
        env:
-          SARIF_PATH: ${{ runner.temp }}/results/javascript.quality.sarif
+          SARIF_PATH: '${{ runner.temp }}/results/javascript.quality.sarif'
          EXPECT_PRESENT: 'true'
        with:
          script: ${{ env.CHECK_SCRIPT }}
    env:
+      CODEQL_ACTION_RISK_ASSESSMENT_ID: 1
      CHECK_SCRIPT: |
        const fs = require('fs');

@@ -18,48 +18,41 @@ on:
      - synchronize
      - reopened
      - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
    inputs:
-      go-version:
-        type: string
-        description: The version of Go to install
-        required: false
-        default: '>=1.21.0'
-      python-version:
-        type: string
-        description: The version of Python to install
-        required: false
-        default: '3.13'
      dotnet-version:
        type: string
        description: The version of .NET to install
        required: false
        default: 9.x
+      go-version:
+        type: string
+        description: The version of Go to install
+        required: false
+        default: '>=1.21.0'
  workflow_call:
    inputs:
-      go-version:
-        type: string
-        description: The version of Go to install
-        required: false
-        default: '>=1.21.0'
-      python-version:
-        type: string
-        description: The version of Python to install
-        required: false
-        default: '3.13'
      dotnet-version:
        type: string
        description: The version of .NET to install
        required: false
        default: 9.x
+      go-version:
+        type: string
+        description: The version of Go to install
+        required: false
+        default: '>=1.21.0'
 defaults:
  run:
    shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group: analyze-ref-input-${{github.ref}}-${{inputs.dotnet-version}}-${{inputs.go-version}}
 jobs:
  analyze-ref-input:
    strategy:
@@ -77,7 +70,16 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
+      - name: Install .NET
+        uses: actions/setup-dotnet@v5
+        with:
+          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
+      - name: Install Go
+        uses: actions/setup-go@v6
+        with:
+          go-version: ${{ inputs.go-version || '>=1.21.0' }}
+          cache: false
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -85,31 +87,16 @@ jobs:
          version: ${{ matrix.version }}
          use-all-platform-bundle: 'false'
          setup-kotlin: 'true'
-      - name: Install Go
-        uses: actions/setup-go@v6
-        with:
-          go-version: ${{ inputs.go-version || '>=1.21.0' }}
-          cache: false
-      - name: Install Python
-        if: matrix.version != 'nightly-latest'
-        uses: actions/setup-python@v6
-        with:
-          python-version: ${{ inputs.python-version || '3.13' }}
-      - name: Install .NET
-        uses: actions/setup-dotnet@v5
-        with:
-          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - uses: ./../action/init
        with:
          tools: ${{ steps.prepare-test.outputs.tools-url }}
          languages: cpp,csharp,java,javascript,python
-          config-file: ${{ github.repository }}/tests/multi-language-repo/.github/codeql/custom-queries.yml@${{
-            github.sha }}
+          config-file: ${{ github.repository }}/tests/multi-language-repo/.github/codeql/custom-queries.yml@${{ github.sha }}
      - name: Build code
        run: ./build.sh
      - uses: ./../action/analyze
        with:
-          ref: refs/heads/main
-          sha: 5e235361806c361d4d3f8859e3c897658025a9a2
+          ref: 'refs/heads/main'
+          sha: '5e235361806c361d4d3f8859e3c897658025a9a2'
    env:
      CODEQL_ACTION_TEST_MODE: true
@@ -18,6 +18,9 @@ on:
      - synchronize
      - reopened
      - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -38,8 +41,8 @@ defaults:
  run:
    shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group: autobuild-action-${{github.ref}}-${{inputs.dotnet-version}}
 jobs:
  autobuild-action:
    strategy:
@@ -61,7 +64,11 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
+      - name: Install .NET
+        uses: actions/setup-dotnet@v5
+        with:
+          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -69,17 +76,13 @@ jobs:
          version: ${{ matrix.version }}
          use-all-platform-bundle: 'false'
          setup-kotlin: 'true'
-      - name: Install .NET
-        uses: actions/setup-dotnet@v5
-        with:
-          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - uses: ./../action/init
        with:
          languages: csharp
          tools: ${{ steps.prepare-test.outputs.tools-url }}
      - uses: ./../action/autobuild
        env:
-      # Explicitly disable the CLR tracer.
+          # Explicitly disable the CLR tracer.
          COR_ENABLE_PROFILING: ''
          COR_PROFILER: ''
          COR_PROFILER_PATH_64: ''
@@ -18,6 +18,9 @@ on:
      - synchronize
      - reopened
      - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -38,8 +41,8 @@ defaults:
  run:
    shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group: autobuild-direct-tracing-with-working-dir-${{github.ref}}-${{inputs.java-version}}
 jobs:
  autobuild-direct-tracing-with-working-dir:
    strategy:
@@ -63,7 +66,12 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
+      - name: Install Java
+        uses: actions/setup-java@v5
+        with:
+          java-version: ${{ inputs.java-version || '17' }}
+          distribution: temurin
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -71,11 +79,6 @@ jobs:
          version: ${{ matrix.version }}
          use-all-platform-bundle: 'false'
          setup-kotlin: 'true'
-      - name: Install Java
-        uses: actions/setup-java@v5
-        with:
-          java-version: ${{ inputs.java-version || '17' }}
-          distribution: temurin
      - name: Test setup
        run: |
          # Make sure that Gradle build succeeds in autobuild-dir ...
@@ -18,6 +18,9 @@ on:
      - synchronize
      - reopened
      - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -28,8 +31,8 @@ defaults:
  run:
    shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group: autobuild-working-dir-${{github.ref}}
 jobs:
  autobuild-working-dir:
    strategy:
@@ -47,7 +50,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -18,6 +18,9 @@ on:
      - synchronize
      - reopened
      - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -38,8 +41,8 @@ defaults:
  run:
    shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group: build-mode-autobuild-${{github.ref}}-${{inputs.java-version}}
 jobs:
  build-mode-autobuild:
    strategy:
@@ -63,7 +66,20 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
+      - name: Install Java
+        uses: actions/setup-java@v5
+        with:
+          java-version: ${{ inputs.java-version || '17' }}
+          distribution: temurin
+      - name: Install yq
+        if: runner.os == 'Windows'
+        env:
+          YQ_PATH: ${{ runner.temp }}/yq
+          YQ_VERSION: v4.50.1
+        run: |-
+          gh release download --repo mikefarah/yq --pattern "yq_windows_amd64.exe" "$YQ_VERSION" -O "$YQ_PATH/yq.exe"
+          echo "$YQ_PATH" >> "$GITHUB_PATH"
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -71,11 +87,6 @@ jobs:
          version: ${{ matrix.version }}
          use-all-platform-bundle: 'false'
          setup-kotlin: 'true'
-      - name: Install Java
-        uses: actions/setup-java@v5
-        with:
-          java-version: ${{ inputs.java-version || '17' }}
-          distribution: temurin
      - name: Set up Java test repo configuration
        run: |
          mv * .github ../action/tests/multi-language-repo/
@@ -86,15 +97,10 @@ jobs:
        id: init
        with:
          build-mode: autobuild
-          db-location: ${{ runner.temp }}/customDbLocation
+          db-location: '${{ runner.temp }}/customDbLocation'
          languages: java
          tools: ${{ steps.prepare-test.outputs.tools-url }}

-      - name: Install yq
-        if: runner.os == 'Windows'
-        run: |
-          choco install yq -y
-
      - name: Validate database build mode
        run: |
          metadata_path="$RUNNER_TEMP/customDbLocation/java/codeql-database.yml"
@@ -18,38 +18,41 @@ on:
      - synchronize
      - reopened
      - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
    inputs:
-      go-version:
-        type: string
-        description: The version of Go to install
-        required: false
-        default: '>=1.21.0'
      dotnet-version:
        type: string
        description: The version of .NET to install
        required: false
        default: 9.x
+      go-version:
+        type: string
+        description: The version of Go to install
+        required: false
+        default: '>=1.21.0'
  workflow_call:
    inputs:
-      go-version:
-        type: string
-        description: The version of Go to install
-        required: false
-        default: '>=1.21.0'
      dotnet-version:
        type: string
        description: The version of .NET to install
        required: false
        default: 9.x
+      go-version:
+        type: string
+        description: The version of Go to install
+        required: false
+        default: '>=1.21.0'
 defaults:
  run:
    shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group: build-mode-manual-${{github.ref}}-${{inputs.dotnet-version}}-${{inputs.go-version}}
 jobs:
  build-mode-manual:
    strategy:
@@ -67,7 +70,16 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
+      - name: Install .NET
+        uses: actions/setup-dotnet@v5
+        with:
+          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
+      - name: Install Go
+        uses: actions/setup-go@v6
+        with:
+          go-version: ${{ inputs.go-version || '>=1.21.0' }}
+          cache: false
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -75,20 +87,11 @@ jobs:
          version: ${{ matrix.version }}
          use-all-platform-bundle: 'false'
          setup-kotlin: 'true'
-      - name: Install Go
-        uses: actions/setup-go@v6
-        with:
-          go-version: ${{ inputs.go-version || '>=1.21.0' }}
-          cache: false
-      - name: Install .NET
-        uses: actions/setup-dotnet@v5
-        with:
-          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - uses: ./../action/init
        id: init
        with:
          build-mode: manual
-          db-location: ${{ runner.temp }}/customDbLocation
+          db-location: '${{ runner.temp }}/customDbLocation'
          languages: java
          tools: ${{ steps.prepare-test.outputs.tools-url }}

@@ -18,6 +18,9 @@ on:
      - synchronize
      - reopened
      - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -28,8 +31,8 @@ defaults:
  run:
    shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group: build-mode-none-${{github.ref}}
 jobs:
  build-mode-none:
    strategy:
@@ -49,7 +52,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -61,7 +64,7 @@ jobs:
        id: init
        with:
          build-mode: none
-          db-location: ${{ runner.temp }}/customDbLocation
+          db-location: '${{ runner.temp }}/customDbLocation'
          languages: java
          tools: ${{ steps.prepare-test.outputs.tools-url }}

@@ -74,7 +77,7 @@ jobs:
            exit 1
          fi

-  # The latest nightly supports omitting the autobuild Action when the build mode is specified.
+      # The latest nightly supports omitting the autobuild Action when the build mode is specified.
      - uses: ./../action/autobuild
        if: matrix.version != 'nightly-latest'

@@ -18,6 +18,9 @@ on:
      - synchronize
      - reopened
      - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -28,8 +31,8 @@ defaults:
  run:
    shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group: build-mode-rollback-${{github.ref}}
 jobs:
  build-mode-rollback:
    strategy:
@@ -47,7 +50,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -65,7 +68,7 @@ jobs:
        id: init
        with:
          build-mode: none
-          db-location: ${{ runner.temp }}/customDbLocation
+          db-location: '${{ runner.temp }}/customDbLocation'
          languages: java
          tools: ${{ steps.prepare-test.outputs.tools-url }}

@@ -0,0 +1,72 @@
+# Warning: This file is generated automatically, and should not be modified.
+# Instead, please modify the template in the pr-checks directory and run:
+#     pr-checks/sync.sh
+# to regenerate this file.
+
+name: 'PR Check - Bundle: From nightly'
+env:
+  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+  GO111MODULE: auto
+on:
+  push:
+    branches:
+      - main
+      - releases/v*
+  pull_request:
+    types:
+      - opened
+      - synchronize
+      - reopened
+      - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
+  schedule:
+    - cron: '0 5 * * *'
+  workflow_dispatch:
+    inputs: {}
+  workflow_call:
+    inputs: {}
+defaults:
+  run:
+    shell: bash
+concurrency:
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group: bundle-from-nightly-${{github.ref}}
+jobs:
+  bundle-from-nightly:
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - os: ubuntu-latest
+            version: linked
+    name: 'Bundle: From nightly'
+    if: github.triggering_actor != 'dependabot[bot]'
+    permissions:
+      contents: read
+      security-events: read
+    timeout-minutes: 45
+    runs-on: ${{ matrix.os }}
+    steps:
+      - name: Check out repository
+        uses: actions/checkout@v6
+      - name: Prepare test
+        id: prepare-test
+        uses: ./.github/actions/prepare-test
+        with:
+          version: ${{ matrix.version }}
+          use-all-platform-bundle: 'false'
+          setup-kotlin: 'true'
+      - id: init
+        uses: ./../action/init
+        env:
+          CODEQL_ACTION_FORCE_NIGHTLY: true
+        with:
+          tools: ${{ steps.prepare-test.outputs.tools-url }}
+          languages: javascript
+      - name: Fail if the CodeQL version is not a nightly
+        if: ${{ !contains(steps.init.outputs.codeql-version, '+') }}
+        run: exit 1
+    env:
+      CODEQL_ACTION_TEST_MODE: true
@@ -18,6 +18,9 @@ on:
      - synchronize
      - reopened
      - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -28,8 +31,8 @@ defaults:
  run:
    shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group: bundle-from-toolcache-${{github.ref}}
 jobs:
  bundle-from-toolcache:
    strategy:
@@ -47,7 +50,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -56,7 +59,7 @@ jobs:
          use-all-platform-bundle: 'false'
          setup-kotlin: 'true'
      - name: Install @actions/tool-cache
-        run: npm install @actions/tool-cache
+        run: npm install @actions/tool-cache@3
      - name: Check toolcache contains CodeQL
        continue-on-error: true
        uses: actions/github-script@v8
@@ -18,6 +18,9 @@ on:
      - synchronize
      - reopened
      - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -28,18 +31,18 @@ defaults:
  run:
    shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group: bundle-toolcache-${{github.ref}}
 jobs:
  bundle-toolcache:
    strategy:
      fail-fast: false
      matrix:
        include:
-          - os: macos-latest
-            version: linked
          - os: ubuntu-latest
            version: linked
+          - os: macos-latest
+            version: linked
          - os: windows-latest
            version: linked
    name: 'Bundle: Caching checks'
@@ -51,7 +54,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -68,7 +71,7 @@ jobs:
            const codeqlPath = path.join(process.env['RUNNER_TOOL_CACHE'], 'CodeQL');
            fs.rmdirSync(codeqlPath, { recursive: true });
      - name: Install @actions/tool-cache
-        run: npm install @actions/tool-cache
+        run: npm install @actions/tool-cache@3
      - name: Check toolcache does not contain CodeQL
        uses: actions/github-script@v8
        with:
@@ -18,6 +18,9 @@ on:
      - synchronize
      - reopened
      - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -28,18 +31,18 @@ defaults:
  run:
    shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group: bundle-zstd-${{github.ref}}
 jobs:
  bundle-zstd:
    strategy:
      fail-fast: false
      matrix:
        include:
-          - os: macos-latest
-            version: linked
          - os: ubuntu-latest
            version: linked
+          - os: macos-latest
+            version: linked
          - os: windows-latest
            version: linked
    name: 'Bundle: Zstandard checks'
@@ -51,7 +54,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -79,7 +82,7 @@ jobs:
          output: ${{ runner.temp }}/results
          upload-database: false
      - name: Upload SARIF
-        uses: actions/upload-artifact@v5
+        uses: actions/upload-artifact@v7
        with:
          name: ${{ matrix.os }}-zstd-bundle.sarif
          path: ${{ runner.temp }}/results/javascript.sarif
@@ -18,6 +18,9 @@ on:
      - synchronize
      - reopened
      - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -28,8 +31,8 @@ defaults:
  run:
    shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group: cleanup-db-cluster-dir-${{github.ref}}
 jobs:
  cleanup-db-cluster-dir:
    strategy:
@@ -47,7 +50,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -64,7 +67,7 @@ jobs:
        id: init
        with:
          build-mode: none
-          db-location: ${{ runner.temp }}/customDbLocation
+          db-location: '${{ runner.temp }}/customDbLocation'
          languages: javascript
          tools: ${{ steps.prepare-test.outputs.tools-url }}

@@ -18,6 +18,9 @@ on:
      - synchronize
      - reopened
      - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -28,8 +31,8 @@ defaults:
  run:
    shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group: config-export-${{github.ref}}
 jobs:
  config-export:
    strategy:
@@ -49,7 +52,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -64,18 +67,18 @@ jobs:
          tools: ${{ steps.prepare-test.outputs.tools-url }}
      - uses: ./../action/analyze
        with:
-          output: ${{ runner.temp }}/results
+          output: '${{ runner.temp }}/results'
          upload-database: false
      - name: Upload SARIF
-        uses: actions/upload-artifact@v5
+        uses: actions/upload-artifact@v7
        with:
          name: config-export-${{ matrix.os }}-${{ matrix.version }}.sarif.json
-          path: ${{ runner.temp }}/results/javascript.sarif
+          path: '${{ runner.temp }}/results/javascript.sarif'
          retention-days: 7
      - name: Check config properties appear in SARIF
        uses: actions/github-script@v8
        env:
-          SARIF_PATH: ${{ runner.temp }}/results/javascript.sarif
+          SARIF_PATH: '${{ runner.temp }}/results/javascript.sarif'
        with:
          script: |
            const fs = require('fs');
@@ -18,6 +18,9 @@ on:
      - synchronize
      - reopened
      - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -28,8 +31,8 @@ defaults:
  run:
    shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group: config-input-${{github.ref}}
 jobs:
  config-input:
    strategy:
@@ -47,7 +50,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
      - name: Install Node.js
        uses: actions/setup-node@v6
        with:
@@ -18,6 +18,9 @@ on:
      - synchronize
      - reopened
      - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -28,8 +31,8 @@ defaults:
  run:
    shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group: cpp-deptrace-disabled-${{github.ref}}
 jobs:
  cpp-deptrace-disabled:
    strategy:
@@ -51,7 +54,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -18,6 +18,9 @@ on:
      - synchronize
      - reopened
      - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -28,8 +31,8 @@ defaults:
  run:
    shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group: cpp-deptrace-enabled-on-macos-${{github.ref}}
 jobs:
  cpp-deptrace-enabled-on-macos:
    strategy:
@@ -49,7 +52,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -18,6 +18,9 @@ on:
      - synchronize
      - reopened
      - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -28,8 +31,8 @@ defaults:
  run:
    shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group: cpp-deptrace-enabled-${{github.ref}}
 jobs:
  cpp-deptrace-enabled:
    strategy:
@@ -51,7 +54,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -18,6 +18,9 @@ on:
      - synchronize
      - reopened
      - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -28,8 +31,8 @@ defaults:
  run:
    shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group: diagnostics-export-${{github.ref}}
 jobs:
  diagnostics-export:
    strategy:
@@ -49,7 +52,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -75,18 +78,18 @@ jobs:
            --ready-for-status-page
      - uses: ./../action/analyze
        with:
-          output: ${{ runner.temp }}/results
+          output: '${{ runner.temp }}/results'
          upload-database: false
      - name: Upload SARIF
-        uses: actions/upload-artifact@v5
+        uses: actions/upload-artifact@v7
        with:
          name: diagnostics-export-${{ matrix.os }}-${{ matrix.version }}.sarif.json
-          path: ${{ runner.temp }}/results/javascript.sarif
+          path: '${{ runner.temp }}/results/javascript.sarif'
          retention-days: 7
      - name: Check diagnostics appear in SARIF
        uses: actions/github-script@v8
        env:
-          SARIF_PATH: ${{ runner.temp }}/results/javascript.sarif
+          SARIF_PATH: '${{ runner.temp }}/results/javascript.sarif'
        with:
          script: |
            const fs = require('fs');
@@ -18,38 +18,41 @@ on:
      - synchronize
      - reopened
      - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
    inputs:
-      go-version:
-        type: string
-        description: The version of Go to install
-        required: false
-        default: '>=1.21.0'
      dotnet-version:
        type: string
        description: The version of .NET to install
        required: false
        default: 9.x
+      go-version:
+        type: string
+        description: The version of Go to install
+        required: false
+        default: '>=1.21.0'
  workflow_call:
    inputs:
-      go-version:
-        type: string
-        description: The version of Go to install
-        required: false
-        default: '>=1.21.0'
      dotnet-version:
        type: string
        description: The version of .NET to install
        required: false
        default: 9.x
+      go-version:
+        type: string
+        description: The version of Go to install
+        required: false
+        default: '>=1.21.0'
 defaults:
  run:
    shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group: export-file-baseline-information-${{github.ref}}-${{inputs.dotnet-version}}-${{inputs.go-version}}
 jobs:
  export-file-baseline-information:
    strategy:
@@ -71,7 +74,16 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
+      - name: Install .NET
+        uses: actions/setup-dotnet@v5
+        with:
+          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
+      - name: Install Go
+        uses: actions/setup-go@v6
+        with:
+          go-version: ${{ inputs.go-version || '>=1.21.0' }}
+          cache: false
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -79,15 +91,6 @@ jobs:
          version: ${{ matrix.version }}
          use-all-platform-bundle: 'false'
          setup-kotlin: 'true'
-      - name: Install Go
-        uses: actions/setup-go@v6
-        with:
-          go-version: ${{ inputs.go-version || '>=1.21.0' }}
-          cache: false
-      - name: Install .NET
-        uses: actions/setup-dotnet@v5
-        with:
-          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - uses: ./../action/init
        id: init
        with:
@@ -97,12 +100,12 @@ jobs:
        run: ./build.sh
      - uses: ./../action/analyze
        with:
-          output: ${{ runner.temp }}/results
+          output: '${{ runner.temp }}/results'
      - name: Upload SARIF
-        uses: actions/upload-artifact@v5
+        uses: actions/upload-artifact@v7
        with:
          name: with-baseline-information-${{ matrix.os }}-${{ matrix.version }}.sarif.json
-          path: ${{ runner.temp }}/results/javascript.sarif
+          path: '${{ runner.temp }}/results/javascript.sarif'
          retention-days: 7
      - name: Check results
        run: |
@@ -124,5 +127,6 @@ jobs:
            fi
          done
    env:
+      CODEQL_ACTION_SKIP_FILE_COVERAGE_ON_PRS: false
      CODEQL_ACTION_SUBLANGUAGE_FILE_COVERAGE: true
      CODEQL_ACTION_TEST_MODE: true
@@ -18,6 +18,9 @@ on:
      - synchronize
      - reopened
      - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -28,8 +31,8 @@ defaults:
  run:
    shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group: extractor-ram-threads-${{github.ref}}
 jobs:
  extractor-ram-threads:
    strategy:
@@ -47,7 +50,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -18,6 +18,9 @@ on:
      - synchronize
      - reopened
      - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -28,8 +31,8 @@ defaults:
  run:
    shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group: global-proxy-${{github.ref}}
 jobs:
  global-proxy:
    strategy:
@@ -48,20 +51,8 @@ jobs:
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
-  # These steps are required to initialise the `gh` cli in a container that doesn't
-  # come pre-installed with it. The reason for that is that this is later
-  # needed by the `prepare-test` workflow to find the latest release of CodeQL.
-      - name: Set up GitHub CLI
-        run: |
-          apt update
-          apt install -y curl libreadline8 gnupg2 software-properties-common zstd
-          curl -fsSL https://cli.github.com/packages/githubcli-archive-keyring.gpg | dd of=/usr/share/keyrings/githubcli-archive-keyring.gpg
-          apt-key add /usr/share/keyrings/githubcli-archive-keyring.gpg
-          apt-add-repository https://cli.github.com/packages
-          apt install -y gh
-        env: {}
      - name: Check out repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -76,6 +67,7 @@ jobs:
      - uses: ./../action/analyze
    env:
      https_proxy: http://squid-proxy:3128
+      CODEQL_ACTION_TOLERATE_MISSING_GIT_VERSION: true
      CODEQL_ACTION_TEST_MODE: true
    container:
      image: ubuntu:22.04
@@ -18,38 +18,41 @@ on:
      - synchronize
      - reopened
      - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
    inputs:
-      go-version:
-        type: string
-        description: The version of Go to install
-        required: false
-        default: '>=1.21.0'
      dotnet-version:
        type: string
        description: The version of .NET to install
        required: false
        default: 9.x
+      go-version:
+        type: string
+        description: The version of Go to install
+        required: false
+        default: '>=1.21.0'
  workflow_call:
    inputs:
-      go-version:
-        type: string
-        description: The version of Go to install
-        required: false
-        default: '>=1.21.0'
      dotnet-version:
        type: string
        description: The version of .NET to install
        required: false
        default: 9.x
+      go-version:
+        type: string
+        description: The version of Go to install
+        required: false
+        default: '>=1.21.0'
 defaults:
  run:
    shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group: go-custom-queries-${{github.ref}}-${{inputs.dotnet-version}}-${{inputs.go-version}}
 jobs:
  go-custom-queries:
    strategy:
@@ -69,7 +72,16 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
+      - name: Install .NET
+        uses: actions/setup-dotnet@v5
+        with:
+          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
+      - name: Install Go
+        uses: actions/setup-go@v6
+        with:
+          go-version: ${{ inputs.go-version || '>=1.21.0' }}
+          cache: false
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -77,15 +89,6 @@ jobs:
          version: ${{ matrix.version }}
          use-all-platform-bundle: 'false'
          setup-kotlin: 'true'
-      - name: Install Go
-        uses: actions/setup-go@v6
-        with:
-          go-version: ${{ inputs.go-version || '>=1.21.0' }}
-          cache: false
-      - name: Install .NET
-        uses: actions/setup-dotnet@v5
-        with:
-          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - uses: ./../action/init
        with:
          languages: go
@@ -18,6 +18,9 @@ on:
      - synchronize
      - reopened
      - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -38,8 +41,8 @@ defaults:
  run:
    shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group: go-indirect-tracing-workaround-diagnostic-${{github.ref}}-${{inputs.go-version}}
 jobs:
  go-indirect-tracing-workaround-diagnostic:
    strategy:
@@ -57,7 +60,12 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
+      - name: Install Go
+        uses: actions/setup-go@v6
+        with:
+          go-version: ${{ inputs.go-version || '>=1.21.0' }}
+          cache: false
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -65,16 +73,11 @@ jobs:
          version: ${{ matrix.version }}
          use-all-platform-bundle: 'false'
          setup-kotlin: 'true'
-      - name: Install Go
-        uses: actions/setup-go@v6
-        with:
-          go-version: ${{ inputs.go-version || '>=1.21.0' }}
-          cache: false
      - uses: ./../action/init
        with:
          languages: go
          tools: ${{ steps.prepare-test.outputs.tools-url }}
-  # Deliberately change Go after the `init` step
+      # Deliberately change Go after the `init` step
      - uses: actions/setup-go@v6
        with:
          go-version: '1.20'
@@ -82,12 +85,12 @@ jobs:
        run: go build main.go
      - uses: ./../action/analyze
        with:
-          output: ${{ runner.temp }}/results
+          output: '${{ runner.temp }}/results'
          upload-database: false
      - name: Check diagnostic appears in SARIF
        uses: actions/github-script@v8
        env:
-          SARIF_PATH: ${{ runner.temp }}/results/go.sarif
+          SARIF_PATH: '${{ runner.temp }}/results/go.sarif'
        with:
          script: |
            const fs = require('fs');
@@ -18,6 +18,9 @@ on:
      - synchronize
      - reopened
      - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -38,8 +41,8 @@ defaults:
  run:
    shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group: go-indirect-tracing-workaround-no-file-program-${{github.ref}}-${{inputs.go-version}}
 jobs:
  go-indirect-tracing-workaround-no-file-program:
    strategy:
@@ -57,7 +60,12 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
+      - name: Install Go
+        uses: actions/setup-go@v6
+        with:
+          go-version: ${{ inputs.go-version || '>=1.21.0' }}
+          cache: false
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -65,11 +73,6 @@ jobs:
          version: ${{ matrix.version }}
          use-all-platform-bundle: 'false'
          setup-kotlin: 'true'
-      - name: Install Go
-        uses: actions/setup-go@v6
-        with:
-          go-version: ${{ inputs.go-version || '>=1.21.0' }}
-          cache: false
      - name: Remove `file` program
        run: |
          echo $(which file)
@@ -83,12 +86,12 @@ jobs:
        run: go build main.go
      - uses: ./../action/analyze
        with:
-          output: ${{ runner.temp }}/results
+          output: '${{ runner.temp }}/results'
          upload-database: false
      - name: Check diagnostic appears in SARIF
        uses: actions/github-script@v8
        env:
-          SARIF_PATH: ${{ runner.temp }}/results/go.sarif
+          SARIF_PATH: '${{ runner.temp }}/results/go.sarif'
        with:
          script: |
            const fs = require('fs');
@@ -18,6 +18,9 @@ on:
      - synchronize
      - reopened
      - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -38,8 +41,8 @@ defaults:
  run:
    shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group: go-indirect-tracing-workaround-${{github.ref}}-${{inputs.go-version}}
 jobs:
  go-indirect-tracing-workaround:
    strategy:
@@ -57,7 +60,12 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
+      - name: Install Go
+        uses: actions/setup-go@v6
+        with:
+          go-version: ${{ inputs.go-version || '>=1.21.0' }}
+          cache: false
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -65,11 +73,6 @@ jobs:
          version: ${{ matrix.version }}
          use-all-platform-bundle: 'false'
          setup-kotlin: 'true'
-      - name: Install Go
-        uses: actions/setup-go@v6
-        with:
-          go-version: ${{ inputs.go-version || '>=1.21.0' }}
-          cache: false
      - uses: ./../action/init
        with:
          languages: go
@@ -18,6 +18,9 @@ on:
      - synchronize
      - reopened
      - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -38,8 +41,8 @@ defaults:
  run:
    shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group: go-tracing-autobuilder-${{github.ref}}-${{inputs.go-version}}
 jobs:
  go-tracing-autobuilder:
    strategy:
@@ -48,32 +51,18 @@ jobs:
        include:
          - os: ubuntu-latest
            version: stable-v2.17.6
-          - os: macos-latest
-            version: stable-v2.17.6
          - os: ubuntu-latest
            version: stable-v2.18.4
-          - os: macos-latest
-            version: stable-v2.18.4
          - os: ubuntu-latest
            version: stable-v2.19.4
-          - os: macos-latest
-            version: stable-v2.19.4
          - os: ubuntu-latest
            version: stable-v2.20.7
-          - os: macos-latest
-            version: stable-v2.20.7
          - os: ubuntu-latest
            version: stable-v2.21.4
-          - os: macos-latest
-            version: stable-v2.21.4
          - os: ubuntu-latest
            version: stable-v2.22.4
-          - os: macos-latest
-            version: stable-v2.22.4
          - os: ubuntu-latest
            version: default
-          - os: macos-latest
-            version: default
          - os: ubuntu-latest
            version: linked
          - os: macos-latest
@@ -91,7 +80,12 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
+      - name: Install Go
+        uses: actions/setup-go@v6
+        with:
+          go-version: ${{ inputs.go-version || '>=1.21.0' }}
+          cache: false
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -99,11 +93,6 @@ jobs:
          version: ${{ matrix.version }}
          use-all-platform-bundle: 'false'
          setup-kotlin: 'true'
-      - name: Install Go
-        uses: actions/setup-go@v6
-        with:
-          go-version: ${{ inputs.go-version || '>=1.21.0' }}
-          cache: false
      - uses: ./../action/init
        with:
          languages: go
@@ -18,6 +18,9 @@ on:
      - synchronize
      - reopened
      - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -38,8 +41,8 @@ defaults:
  run:
    shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group: go-tracing-custom-build-steps-${{github.ref}}-${{inputs.go-version}}
 jobs:
  go-tracing-custom-build-steps:
    strategy:
@@ -48,32 +51,18 @@ jobs:
        include:
          - os: ubuntu-latest
            version: stable-v2.17.6
-          - os: macos-latest
-            version: stable-v2.17.6
          - os: ubuntu-latest
            version: stable-v2.18.4
-          - os: macos-latest
-            version: stable-v2.18.4
          - os: ubuntu-latest
            version: stable-v2.19.4
-          - os: macos-latest
-            version: stable-v2.19.4
          - os: ubuntu-latest
            version: stable-v2.20.7
-          - os: macos-latest
-            version: stable-v2.20.7
          - os: ubuntu-latest
            version: stable-v2.21.4
-          - os: macos-latest
-            version: stable-v2.21.4
          - os: ubuntu-latest
            version: stable-v2.22.4
-          - os: macos-latest
-            version: stable-v2.22.4
          - os: ubuntu-latest
            version: default
-          - os: macos-latest
-            version: default
          - os: ubuntu-latest
            version: linked
          - os: macos-latest
@@ -91,7 +80,12 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
+      - name: Install Go
+        uses: actions/setup-go@v6
+        with:
+          go-version: ${{ inputs.go-version || '>=1.21.0' }}
+          cache: false
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -99,11 +93,6 @@ jobs:
          version: ${{ matrix.version }}
          use-all-platform-bundle: 'false'
          setup-kotlin: 'true'
-      - name: Install Go
-        uses: actions/setup-go@v6
-        with:
-          go-version: ${{ inputs.go-version || '>=1.21.0' }}
-          cache: false
      - uses: ./../action/init
        with:
          languages: go
@@ -18,6 +18,9 @@ on:
      - synchronize
      - reopened
      - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -38,8 +41,8 @@ defaults:
  run:
    shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group: go-tracing-legacy-workflow-${{github.ref}}-${{inputs.go-version}}
 jobs:
  go-tracing-legacy-workflow:
    strategy:
@@ -48,32 +51,18 @@ jobs:
        include:
          - os: ubuntu-latest
            version: stable-v2.17.6
-          - os: macos-latest
-            version: stable-v2.17.6
          - os: ubuntu-latest
            version: stable-v2.18.4
-          - os: macos-latest
-            version: stable-v2.18.4
          - os: ubuntu-latest
            version: stable-v2.19.4
-          - os: macos-latest
-            version: stable-v2.19.4
          - os: ubuntu-latest
            version: stable-v2.20.7
-          - os: macos-latest
-            version: stable-v2.20.7
          - os: ubuntu-latest
            version: stable-v2.21.4
-          - os: macos-latest
-            version: stable-v2.21.4
          - os: ubuntu-latest
            version: stable-v2.22.4
-          - os: macos-latest
-            version: stable-v2.22.4
          - os: ubuntu-latest
            version: default
-          - os: macos-latest
-            version: default
          - os: ubuntu-latest
            version: linked
          - os: macos-latest
@@ -91,7 +80,12 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
+      - name: Install Go
+        uses: actions/setup-go@v6
+        with:
+          go-version: ${{ inputs.go-version || '>=1.21.0' }}
+          cache: false
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -99,11 +93,6 @@ jobs:
          version: ${{ matrix.version }}
          use-all-platform-bundle: 'false'
          setup-kotlin: 'true'
-      - name: Install Go
-        uses: actions/setup-go@v6
-        with:
-          go-version: ${{ inputs.go-version || '>=1.21.0' }}
-          cache: false
      - uses: ./../action/init
        with:
          languages: go
@@ -8,21 +8,18 @@ env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  GO111MODULE: auto
 on:
-  push:
-    paths:
-      - .github/workflows/__go.yml
  workflow_dispatch:
    inputs:
-      go-version:
-        type: string
-        description: The version of Go to install
-        required: false
-        default: '>=1.21.0'
      dotnet-version:
        type: string
        description: The version of .NET to install
        required: false
        default: 9.x
+      go-version:
+        type: string
+        description: The version of Go to install
+        required: false
+        default: '>=1.21.0'
 jobs:
  go-custom-queries:
    name: 'Go: Custom queries'
@@ -31,8 +28,8 @@ jobs:
      security-events: read
    uses: ./.github/workflows/__go-custom-queries.yml
    with:
-      go-version: ${{ inputs.go-version }}
      dotnet-version: ${{ inputs.dotnet-version }}
+      go-version: ${{ inputs.go-version }}
  go-indirect-tracing-workaround-diagnostic:
    name: 'Go: diagnostic when Go is changed after init step'
    permissions:
@@ -18,6 +18,9 @@ on:
      - synchronize
      - reopened
      - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -28,8 +31,8 @@ defaults:
  run:
    shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group: init-with-registries-${{github.ref}}
 jobs:
  init-with-registries:
    strategy:
@@ -47,12 +50,11 @@ jobs:
    permissions:
      contents: read
      packages: read
-
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -63,7 +65,7 @@ jobs:
      - name: Init with registries
        uses: ./../action/init
        with:
-          db-location: ${{ runner.temp }}/customDbLocation
+          db-location: '${{ runner.temp }}/customDbLocation'
          tools: ${{ steps.prepare-test.outputs.tools-url }}
          config-file: ./.github/codeql/codeql-config-registries.yml
          languages: javascript
@@ -18,6 +18,9 @@ on:
      - synchronize
      - reopened
      - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -28,8 +31,8 @@ defaults:
  run:
    shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group: javascript-source-root-${{github.ref}}
 jobs:
  javascript-source-root:
    strategy:
@@ -51,7 +54,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -18,6 +18,9 @@ on:
      - synchronize
      - reopened
      - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -28,8 +31,8 @@ defaults:
  run:
    shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group: job-run-uuid-sarif-${{github.ref}}
 jobs:
  job-run-uuid-sarif:
    strategy:
@@ -47,7 +50,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -62,12 +65,12 @@ jobs:
          tools: ${{ steps.prepare-test.outputs.tools-url }}
      - uses: ./../action/analyze
        with:
-          output: ${{ runner.temp }}/results
+          output: '${{ runner.temp }}/results'
      - name: Upload SARIF
-        uses: actions/upload-artifact@v5
+        uses: actions/upload-artifact@v7
        with:
          name: ${{ matrix.os }}-${{ matrix.version }}.sarif.json
-          path: ${{ runner.temp }}/results/javascript.sarif
+          path: '${{ runner.temp }}/results/javascript.sarif'
          retention-days: 7
      - name: Check results
        run: |
@@ -18,6 +18,9 @@ on:
      - synchronize
      - reopened
      - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -28,8 +31,8 @@ defaults:
  run:
    shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group: language-aliases-${{github.ref}}
 jobs:
  language-aliases:
    strategy:
@@ -47,7 +50,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -57,12 +60,12 @@ jobs:
          setup-kotlin: 'true'
      - uses: ./../action/init
        with:
-          languages: C#,java-kotlin,swift,typescript
+          languages: C#,java-kotlin,typescript
          tools: ${{ steps.prepare-test.outputs.tools-url }}

-      - name: Check languages
+      - name: 'Check languages'
        run: |
-          expected_languages="csharp,java,swift,javascript"
+          expected_languages="csharp,java,javascript"
          actual_languages=$(jq -r '.languages | join(",")' "$RUNNER_TEMP"/config)

          if [ "$expected_languages" != "$actual_languages" ]; then
@@ -18,48 +18,41 @@ on:
      - synchronize
      - reopened
      - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
    inputs:
-      go-version:
-        type: string
-        description: The version of Go to install
-        required: false
-        default: '>=1.21.0'
-      python-version:
-        type: string
-        description: The version of Python to install
-        required: false
-        default: '3.13'
      dotnet-version:
        type: string
        description: The version of .NET to install
        required: false
        default: 9.x
+      go-version:
+        type: string
+        description: The version of Go to install
+        required: false
+        default: '>=1.21.0'
  workflow_call:
    inputs:
-      go-version:
-        type: string
-        description: The version of Go to install
-        required: false
-        default: '>=1.21.0'
-      python-version:
-        type: string
-        description: The version of Python to install
-        required: false
-        default: '3.13'
      dotnet-version:
        type: string
        description: The version of .NET to install
        required: false
        default: 9.x
+      go-version:
+        type: string
+        description: The version of Go to install
+        required: false
+        default: '>=1.21.0'
 defaults:
  run:
    shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group: local-bundle-${{github.ref}}-${{inputs.dotnet-version}}-${{inputs.go-version}}
 jobs:
  local-bundle:
    strategy:
@@ -77,7 +70,16 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
+      - name: Install .NET
+        uses: actions/setup-dotnet@v5
+        with:
+          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
+      - name: Install Go
+        uses: actions/setup-go@v6
+        with:
+          go-version: ${{ inputs.go-version || '>=1.21.0' }}
+          cache: false
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -85,27 +87,13 @@ jobs:
          version: ${{ matrix.version }}
          use-all-platform-bundle: 'false'
          setup-kotlin: 'true'
-      - name: Install Go
-        uses: actions/setup-go@v6
-        with:
-          go-version: ${{ inputs.go-version || '>=1.21.0' }}
-          cache: false
-      - name: Install Python
-        if: matrix.version != 'nightly-latest'
-        uses: actions/setup-python@v6
-        with:
-          python-version: ${{ inputs.python-version || '3.13' }}
-      - name: Install .NET
-        uses: actions/setup-dotnet@v5
-        with:
-          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - name: Fetch latest CodeQL bundle
        run: |
          wget https://github.com/github/codeql-action/releases/latest/download/codeql-bundle-linux64.tar.zst
      - id: init
        uses: ./../action/init
        with:
-      # Swift is not supported on Ubuntu so we manually exclude it from the list here
+          # Swift is not supported on Ubuntu so we manually exclude it from the list here
          languages: cpp,csharp,go,java,javascript,python,ruby
          tools: ./codeql-bundle-linux64.tar.zst
      - name: Build code
@@ -18,89 +18,82 @@ on:
      - synchronize
      - reopened
      - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
    inputs:
-      go-version:
-        type: string
-        description: The version of Go to install
-        required: false
-        default: '>=1.21.0'
-      python-version:
-        type: string
-        description: The version of Python to install
-        required: false
-        default: '3.13'
      dotnet-version:
        type: string
        description: The version of .NET to install
        required: false
        default: 9.x
+      go-version:
+        type: string
+        description: The version of Go to install
+        required: false
+        default: '>=1.21.0'
  workflow_call:
    inputs:
-      go-version:
-        type: string
-        description: The version of Go to install
-        required: false
-        default: '>=1.21.0'
-      python-version:
-        type: string
-        description: The version of Python to install
-        required: false
-        default: '3.13'
      dotnet-version:
        type: string
        description: The version of .NET to install
        required: false
        default: 9.x
+      go-version:
+        type: string
+        description: The version of Go to install
+        required: false
+        default: '>=1.21.0'
 defaults:
  run:
    shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group: multi-language-autodetect-${{github.ref}}-${{inputs.dotnet-version}}-${{inputs.go-version}}
 jobs:
  multi-language-autodetect:
    strategy:
      fail-fast: false
      matrix:
        include:
-          - os: macos-latest
-            version: stable-v2.17.6
          - os: ubuntu-latest
            version: stable-v2.17.6
          - os: macos-latest
-            version: stable-v2.18.4
+            version: stable-v2.17.6
          - os: ubuntu-latest
            version: stable-v2.18.4
          - os: macos-latest
-            version: stable-v2.19.4
+            version: stable-v2.18.4
          - os: ubuntu-latest
            version: stable-v2.19.4
          - os: macos-latest
-            version: stable-v2.20.7
+            version: stable-v2.19.4
          - os: ubuntu-latest
            version: stable-v2.20.7
          - os: macos-latest
-            version: stable-v2.21.4
+            version: stable-v2.20.7
          - os: ubuntu-latest
            version: stable-v2.21.4
          - os: macos-latest
-            version: stable-v2.22.4
+            version: stable-v2.21.4
          - os: ubuntu-latest
            version: stable-v2.22.4
          - os: macos-latest
-            version: default
+            version: stable-v2.22.4
          - os: ubuntu-latest
            version: default
          - os: macos-latest
-            version: linked
+            version: default
          - os: ubuntu-latest
            version: linked
          - os: macos-latest
+            version: linked
+          - os: ubuntu-latest
            version: nightly-latest
-          - os: ubuntu-latest
+          - os: macos-latest
            version: nightly-latest
    name: Multi-language repository
    if: github.triggering_actor != 'dependabot[bot]'
@@ -111,7 +104,16 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
+      - name: Install .NET
+        uses: actions/setup-dotnet@v5
+        with:
+          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
+      - name: Install Go
+        uses: actions/setup-go@v6
+        with:
+          go-version: ${{ inputs.go-version || '>=1.21.0' }}
+          cache: false
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -119,20 +121,14 @@ jobs:
          version: ${{ matrix.version }}
          use-all-platform-bundle: 'false'
          setup-kotlin: 'true'
-      - name: Install Go
-        uses: actions/setup-go@v6
-        with:
-          go-version: ${{ inputs.go-version || '>=1.21.0' }}
-          cache: false
-      - name: Install Python
-        if: matrix.version != 'nightly-latest'
+      - name: Install Python 3.13 for older CLI versions
+        # We need Python 3.13 for older CLI versions because they are not compatible with Python 3.14 or newer.
+        # See https://github.com/github/codeql-action/pull/3212
+        if: matrix.version != 'nightly-latest' && matrix.version != 'linked'
        uses: actions/setup-python@v6
        with:
-          python-version: ${{ inputs.python-version || '3.13' }}
-      - name: Install .NET
-        uses: actions/setup-dotnet@v5
-        with:
-          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
+          python-version: '3.13'
+
      - name: Use Xcode 16
        if: runner.os == 'macOS' && matrix.version != 'nightly-latest'
        run: sudo xcode-select -s "/Applications/Xcode_16.app"
@@ -140,9 +136,8 @@ jobs:
      - uses: ./../action/init
        id: init
        with:
-          db-location: ${{ runner.temp }}/customDbLocation
-          languages: ${{ runner.os == 'Linux' && 'cpp,csharp,go,java,javascript,python,ruby'
-            || '' }}
+          db-location: '${{ runner.temp }}/customDbLocation'
+          languages: ${{ runner.os == 'Linux' && 'cpp,csharp,go,java,javascript,python,ruby' || '' }}
          tools: ${{ steps.prepare-test.outputs.tools-url }}

      - name: Build code
@@ -18,6 +18,9 @@ on:
      - synchronize
      - reopened
      - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -28,8 +31,8 @@ defaults:
  run:
    shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group: overlay-init-fallback-${{github.ref}}
 jobs:
  overlay-init-fallback:
    strategy:
@@ -49,7 +52,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -18,48 +18,41 @@ on:
      - synchronize
      - reopened
      - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
    inputs:
-      go-version:
-        type: string
-        description: The version of Go to install
-        required: false
-        default: '>=1.21.0'
-      python-version:
-        type: string
-        description: The version of Python to install
-        required: false
-        default: '3.13'
      dotnet-version:
        type: string
        description: The version of .NET to install
        required: false
        default: 9.x
+      go-version:
+        type: string
+        description: The version of Go to install
+        required: false
+        default: '>=1.21.0'
  workflow_call:
    inputs:
-      go-version:
-        type: string
-        description: The version of Go to install
-        required: false
-        default: '>=1.21.0'
-      python-version:
-        type: string
-        description: The version of Python to install
-        required: false
-        default: '3.13'
      dotnet-version:
        type: string
        description: The version of .NET to install
        required: false
        default: 9.x
+      go-version:
+        type: string
+        description: The version of Go to install
+        required: false
+        default: '>=1.21.0'
 defaults:
  run:
    shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group: packaging-codescanning-config-inputs-js-${{github.ref}}-${{inputs.dotnet-version}}-${{inputs.go-version}}
 jobs:
  packaging-codescanning-config-inputs-js:
    strategy:
@@ -81,7 +74,16 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
+      - name: Install .NET
+        uses: actions/setup-dotnet@v5
+        with:
+          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
+      - name: Install Go
+        uses: actions/setup-go@v6
+        with:
+          go-version: ${{ inputs.go-version || '>=1.21.0' }}
+          cache: false
      - name: Install Node.js
        uses: actions/setup-node@v6
        with:
@@ -96,23 +98,9 @@ jobs:
          version: ${{ matrix.version }}
          use-all-platform-bundle: 'false'
          setup-kotlin: 'true'
-      - name: Install Go
-        uses: actions/setup-go@v6
-        with:
-          go-version: ${{ inputs.go-version || '>=1.21.0' }}
-          cache: false
-      - name: Install Python
-        if: matrix.version != 'nightly-latest'
-        uses: actions/setup-python@v6
-        with:
-          python-version: ${{ inputs.python-version || '3.13' }}
-      - name: Install .NET
-        uses: actions/setup-dotnet@v5
-        with:
-          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - uses: ./../action/init
        with:
-          config-file: .github/codeql/codeql-config-packaging3.yml
+          config-file: '.github/codeql/codeql-config-packaging3.yml'
          packs: +codeql-testing/codeql-pack1@1.0.0
          languages: javascript
          tools: ${{ steps.prepare-test.outputs.tools-url }}
@@ -120,15 +108,14 @@ jobs:
        run: ./build.sh
      - uses: ./../action/analyze
        with:
-          output: ${{ runner.temp }}/results
+          output: '${{ runner.temp }}/results'
          upload-database: false

      - name: Check results
        uses: ./../action/.github/actions/check-sarif
        with:
          sarif-file: ${{ runner.temp }}/results/javascript.sarif
-          queries-run:
-            javascript/example/empty-or-one-block,javascript/example/empty-or-one-block,javascript/example/other-query-block,javascript/example/two-block
+          queries-run: javascript/example/empty-or-one-block,javascript/example/empty-or-one-block,javascript/example/other-query-block,javascript/example/two-block
          queries-not-run: foo,bar

      - name: Assert Results
@@ -18,38 +18,41 @@ on:
      - synchronize
      - reopened
      - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
    inputs:
-      go-version:
-        type: string
-        description: The version of Go to install
-        required: false
-        default: '>=1.21.0'
      dotnet-version:
        type: string
        description: The version of .NET to install
        required: false
        default: 9.x
+      go-version:
+        type: string
+        description: The version of Go to install
+        required: false
+        default: '>=1.21.0'
  workflow_call:
    inputs:
-      go-version:
-        type: string
-        description: The version of Go to install
-        required: false
-        default: '>=1.21.0'
      dotnet-version:
        type: string
        description: The version of .NET to install
        required: false
        default: 9.x
+      go-version:
+        type: string
+        description: The version of Go to install
+        required: false
+        default: '>=1.21.0'
 defaults:
  run:
    shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group: packaging-config-inputs-js-${{github.ref}}-${{inputs.dotnet-version}}-${{inputs.go-version}}
 jobs:
  packaging-config-inputs-js:
    strategy:
@@ -71,7 +74,16 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
+      - name: Install .NET
+        uses: actions/setup-dotnet@v5
+        with:
+          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
+      - name: Install Go
+        uses: actions/setup-go@v6
+        with:
+          go-version: ${{ inputs.go-version || '>=1.21.0' }}
+          cache: false
      - name: Install Node.js
        uses: actions/setup-node@v6
        with:
@@ -86,18 +98,9 @@ jobs:
          version: ${{ matrix.version }}
          use-all-platform-bundle: 'false'
          setup-kotlin: 'true'
-      - name: Install Go
-        uses: actions/setup-go@v6
-        with:
-          go-version: ${{ inputs.go-version || '>=1.21.0' }}
-          cache: false
-      - name: Install .NET
-        uses: actions/setup-dotnet@v5
-        with:
-          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - uses: ./../action/init
        with:
-          config-file: .github/codeql/codeql-config-packaging3.yml
+          config-file: '.github/codeql/codeql-config-packaging3.yml'
          packs: +codeql-testing/codeql-pack1@1.0.0
          languages: javascript
          tools: ${{ steps.prepare-test.outputs.tools-url }}
@@ -105,15 +108,14 @@ jobs:
        run: ./build.sh
      - uses: ./../action/analyze
        with:
-          output: ${{ runner.temp }}/results
+          output: '${{ runner.temp }}/results'
          upload-database: false

      - name: Check results
        uses: ./../action/.github/actions/check-sarif
        with:
          sarif-file: ${{ runner.temp }}/results/javascript.sarif
-          queries-run:
-            javascript/example/empty-or-one-block,javascript/example/empty-or-one-block,javascript/example/other-query-block,javascript/example/two-block
+          queries-run: javascript/example/empty-or-one-block,javascript/example/empty-or-one-block,javascript/example/other-query-block,javascript/example/two-block
          queries-not-run: foo,bar

      - name: Assert Results
@@ -18,38 +18,41 @@ on:
      - synchronize
      - reopened
      - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
    inputs:
-      go-version:
-        type: string
-        description: The version of Go to install
-        required: false
-        default: '>=1.21.0'
      dotnet-version:
        type: string
        description: The version of .NET to install
        required: false
        default: 9.x
+      go-version:
+        type: string
+        description: The version of Go to install
+        required: false
+        default: '>=1.21.0'
  workflow_call:
    inputs:
-      go-version:
-        type: string
-        description: The version of Go to install
-        required: false
-        default: '>=1.21.0'
      dotnet-version:
        type: string
        description: The version of .NET to install
        required: false
        default: 9.x
+      go-version:
+        type: string
+        description: The version of Go to install
+        required: false
+        default: '>=1.21.0'
 defaults:
  run:
    shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group: packaging-config-js-${{github.ref}}-${{inputs.dotnet-version}}-${{inputs.go-version}}
 jobs:
  packaging-config-js:
    strategy:
@@ -71,7 +74,16 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
+      - name: Install .NET
+        uses: actions/setup-dotnet@v5
+        with:
+          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
+      - name: Install Go
+        uses: actions/setup-go@v6
+        with:
+          go-version: ${{ inputs.go-version || '>=1.21.0' }}
+          cache: false
      - name: Install Node.js
        uses: actions/setup-node@v6
        with:
@@ -86,33 +98,23 @@ jobs:
          version: ${{ matrix.version }}
          use-all-platform-bundle: 'false'
          setup-kotlin: 'true'
-      - name: Install Go
-        uses: actions/setup-go@v6
-        with:
-          go-version: ${{ inputs.go-version || '>=1.21.0' }}
-          cache: false
-      - name: Install .NET
-        uses: actions/setup-dotnet@v5
-        with:
-          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - uses: ./../action/init
        with:
-          config-file: .github/codeql/codeql-config-packaging.yml
+          config-file: '.github/codeql/codeql-config-packaging.yml'
          languages: javascript
          tools: ${{ steps.prepare-test.outputs.tools-url }}
      - name: Build code
        run: ./build.sh
      - uses: ./../action/analyze
        with:
-          output: ${{ runner.temp }}/results
+          output: '${{ runner.temp }}/results'
          upload-database: false

      - name: Check results
        uses: ./../action/.github/actions/check-sarif
        with:
          sarif-file: ${{ runner.temp }}/results/javascript.sarif
-          queries-run:
-            javascript/example/empty-or-one-block,javascript/example/empty-or-one-block,javascript/example/other-query-block,javascript/example/two-block
+          queries-run: javascript/example/empty-or-one-block,javascript/example/empty-or-one-block,javascript/example/other-query-block,javascript/example/two-block
          queries-not-run: foo,bar

      - name: Assert Results
@@ -18,38 +18,41 @@ on:
      - synchronize
      - reopened
      - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
    inputs:
-      go-version:
-        type: string
-        description: The version of Go to install
-        required: false
-        default: '>=1.21.0'
      dotnet-version:
        type: string
        description: The version of .NET to install
        required: false
        default: 9.x
+      go-version:
+        type: string
+        description: The version of Go to install
+        required: false
+        default: '>=1.21.0'
  workflow_call:
    inputs:
-      go-version:
-        type: string
-        description: The version of Go to install
-        required: false
-        default: '>=1.21.0'
      dotnet-version:
        type: string
        description: The version of .NET to install
        required: false
        default: 9.x
+      go-version:
+        type: string
+        description: The version of Go to install
+        required: false
+        default: '>=1.21.0'
 defaults:
  run:
    shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group: packaging-inputs-js-${{github.ref}}-${{inputs.dotnet-version}}-${{inputs.go-version}}
 jobs:
  packaging-inputs-js:
    strategy:
@@ -71,7 +74,16 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
+      - name: Install .NET
+        uses: actions/setup-dotnet@v5
+        with:
+          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
+      - name: Install Go
+        uses: actions/setup-go@v6
+        with:
+          go-version: ${{ inputs.go-version || '>=1.21.0' }}
+          cache: false
      - name: Install Node.js
        uses: actions/setup-node@v6
        with:
@@ -86,18 +98,9 @@ jobs:
          version: ${{ matrix.version }}
          use-all-platform-bundle: 'false'
          setup-kotlin: 'true'
-      - name: Install Go
-        uses: actions/setup-go@v6
-        with:
-          go-version: ${{ inputs.go-version || '>=1.21.0' }}
-          cache: false
-      - name: Install .NET
-        uses: actions/setup-dotnet@v5
-        with:
-          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - uses: ./../action/init
        with:
-          config-file: .github/codeql/codeql-config-packaging2.yml
+          config-file: '.github/codeql/codeql-config-packaging2.yml'
          languages: javascript
          packs: codeql-testing/codeql-pack1@1.0.0, codeql-testing/codeql-pack2, codeql-testing/codeql-pack3:other-query.ql
          tools: ${{ steps.prepare-test.outputs.tools-url }}
@@ -105,14 +108,13 @@ jobs:
        run: ./build.sh
      - uses: ./../action/analyze
        with:
-          output: ${{ runner.temp }}/results
+          output: '${{ runner.temp }}/results'

      - name: Check results
        uses: ./../action/.github/actions/check-sarif
        with:
          sarif-file: ${{ runner.temp }}/results/javascript.sarif
-          queries-run:
-            javascript/example/empty-or-one-block,javascript/example/empty-or-one-block,javascript/example/other-query-block,javascript/example/two-block
+          queries-run: javascript/example/empty-or-one-block,javascript/example/empty-or-one-block,javascript/example/other-query-block,javascript/example/two-block
          queries-not-run: foo,bar

      - name: Assert Results
@@ -18,48 +18,41 @@ on:
      - synchronize
      - reopened
      - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
    inputs:
-      go-version:
-        type: string
-        description: The version of Go to install
-        required: false
-        default: '>=1.21.0'
-      python-version:
-        type: string
-        description: The version of Python to install
-        required: false
-        default: '3.13'
      dotnet-version:
        type: string
        description: The version of .NET to install
        required: false
        default: 9.x
+      go-version:
+        type: string
+        description: The version of Go to install
+        required: false
+        default: '>=1.21.0'
  workflow_call:
    inputs:
-      go-version:
-        type: string
-        description: The version of Go to install
-        required: false
-        default: '>=1.21.0'
-      python-version:
-        type: string
-        description: The version of Python to install
-        required: false
-        default: '3.13'
      dotnet-version:
        type: string
        description: The version of .NET to install
        required: false
        default: 9.x
+      go-version:
+        type: string
+        description: The version of Go to install
+        required: false
+        default: '>=1.21.0'
 defaults:
  run:
    shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group: remote-config-${{github.ref}}-${{inputs.dotnet-version}}-${{inputs.go-version}}
 jobs:
  remote-config:
    strategy:
@@ -79,7 +72,16 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
+      - name: Install .NET
+        uses: actions/setup-dotnet@v5
+        with:
+          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
+      - name: Install Go
+        uses: actions/setup-go@v6
+        with:
+          go-version: ${{ inputs.go-version || '>=1.21.0' }}
+          cache: false
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -87,26 +89,11 @@ jobs:
          version: ${{ matrix.version }}
          use-all-platform-bundle: 'false'
          setup-kotlin: 'true'
-      - name: Install Go
-        uses: actions/setup-go@v6
-        with:
-          go-version: ${{ inputs.go-version || '>=1.21.0' }}
-          cache: false
-      - name: Install Python
-        if: matrix.version != 'nightly-latest'
-        uses: actions/setup-python@v6
-        with:
-          python-version: ${{ inputs.python-version || '3.13' }}
-      - name: Install .NET
-        uses: actions/setup-dotnet@v5
-        with:
-          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - uses: ./../action/init
        with:
          tools: ${{ steps.prepare-test.outputs.tools-url }}
          languages: cpp,csharp,java,javascript,python
-          config-file: ${{ github.repository }}/tests/multi-language-repo/.github/codeql/custom-queries.yml@${{
-            github.sha }}
+          config-file: ${{ github.repository }}/tests/multi-language-repo/.github/codeql/custom-queries.yml@${{ github.sha }}
      - name: Build code
        run: ./build.sh
      - uses: ./../action/analyze
@@ -18,6 +18,9 @@ on:
      - synchronize
      - reopened
      - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -28,18 +31,18 @@ defaults:
  run:
    shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group: resolve-environment-action-${{github.ref}}
 jobs:
  resolve-environment-action:
    strategy:
      fail-fast: false
      matrix:
        include:
-          - os: ubuntu-latest
-            version: default
          - os: ubuntu-latest
            version: linked
+          - os: ubuntu-latest
+            version: default
          - os: ubuntu-latest
            version: nightly-latest
    name: Resolve environment
@@ -51,7 +54,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -81,8 +84,7 @@ jobs:
          language: javascript-typescript

      - name: Fail if JavaScript/TypeScript configuration present
-        if:
-          fromJSON(steps.resolve-environment-js.outputs.environment).configuration.javascript
+        if: fromJSON(steps.resolve-environment-js.outputs.environment).configuration.javascript
        run: exit 1
    env:
      CODEQL_ACTION_TEST_MODE: true
@@ -18,6 +18,9 @@ on:
      - synchronize
      - reopened
      - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -28,8 +31,8 @@ defaults:
  run:
    shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group: rubocop-multi-language-${{github.ref}}
 jobs:
  rubocop-multi-language:
    strategy:
@@ -47,7 +50,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -56,7 +59,7 @@ jobs:
          use-all-platform-bundle: 'false'
          setup-kotlin: 'true'
      - name: Set up Ruby
-        uses: ruby/setup-ruby@8aeb6ff8030dd539317f8e1769a044873b56ea71 # v1.268.0
+        uses: ruby/setup-ruby@0cb964fd540e0a24c900370abf38a33466142735 # v1.305.0
        with:
          ruby-version: 2.6
      - name: Install Code Scanning integration
@@ -18,6 +18,9 @@ on:
      - synchronize
      - reopened
      - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -28,8 +31,8 @@ defaults:
  run:
    shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group: ruby-${{github.ref}}
 jobs:
  ruby:
    strategy:
@@ -57,7 +60,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -18,6 +18,9 @@ on:
      - synchronize
      - reopened
      - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -28,8 +31,8 @@ defaults:
  run:
    shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group: rust-${{github.ref}}
 jobs:
  rust:
    strategy:
@@ -55,7 +58,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -18,38 +18,41 @@ on:
      - synchronize
      - reopened
      - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
    inputs:
-      go-version:
-        type: string
-        description: The version of Go to install
-        required: false
-        default: '>=1.21.0'
      dotnet-version:
        type: string
        description: The version of .NET to install
        required: false
        default: 9.x
+      go-version:
+        type: string
+        description: The version of Go to install
+        required: false
+        default: '>=1.21.0'
  workflow_call:
    inputs:
-      go-version:
-        type: string
-        description: The version of Go to install
-        required: false
-        default: '>=1.21.0'
      dotnet-version:
        type: string
        description: The version of .NET to install
        required: false
        default: 9.x
+      go-version:
+        type: string
+        description: The version of Go to install
+        required: false
+        default: '>=1.21.0'
 defaults:
  run:
    shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group: split-workflow-${{github.ref}}-${{inputs.dotnet-version}}-${{inputs.go-version}}
 jobs:
  split-workflow:
    strategy:
@@ -77,7 +80,16 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
+      - name: Install .NET
+        uses: actions/setup-dotnet@v5
+        with:
+          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
+      - name: Install Go
+        uses: actions/setup-go@v6
+        with:
+          go-version: ${{ inputs.go-version || '>=1.21.0' }}
+          cache: false
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -85,18 +97,9 @@ jobs:
          version: ${{ matrix.version }}
          use-all-platform-bundle: 'false'
          setup-kotlin: 'true'
-      - name: Install Go
-        uses: actions/setup-go@v6
-        with:
-          go-version: ${{ inputs.go-version || '>=1.21.0' }}
-          cache: false
-      - name: Install .NET
-        uses: actions/setup-dotnet@v5
-        with:
-          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - uses: ./../action/init
        with:
-          config-file: .github/codeql/codeql-config-packaging3.yml
+          config-file: '.github/codeql/codeql-config-packaging3.yml'
          packs: +codeql-testing/codeql-pack1@1.0.0
          languages: javascript
          tools: ${{ steps.prepare-test.outputs.tools-url }}
@@ -105,7 +108,7 @@ jobs:
      - uses: ./../action/analyze
        with:
          skip-queries: true
-          output: ${{ runner.temp }}/results
+          output: '${{ runner.temp }}/results'
          upload-database: false

      - name: Assert No Results
@@ -116,7 +119,7 @@ jobs:
          fi
      - uses: ./../action/analyze
        with:
-          output: ${{ runner.temp }}/results
+          output: '${{ runner.temp }}/results'
          upload-database: false
      - name: Assert Results
        run: |
@@ -18,6 +18,9 @@ on:
      - synchronize
      - reopened
      - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -28,8 +31,8 @@ defaults:
  run:
    shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group: start-proxy-${{github.ref}}
 jobs:
  start-proxy:
    strategy:
@@ -51,7 +54,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -68,8 +71,17 @@ jobs:
        id: proxy
        uses: ./../action/start-proxy
        with:
-          registry_secrets: '[{ "type": "nuget_feed", "url": "https://api.nuget.org/v3/index.json"
-            }]'
+          registry_secrets: |
+            [
+              {
+                "type": "maven_repository",
+                "url": "https://repo.maven.apache.org/maven2/"
+              },
+              {
+                "type": "maven_repository",
+                "url": "https://repo1.maven.org/maven2"
+              }
+            ]

      - name: Print proxy outputs
        run: |
@@ -78,8 +90,14 @@ jobs:
          echo "${{ steps.proxy.outputs.proxy_urls }}"

      - name: Fail if proxy outputs are not set
-        if: (!steps.proxy.outputs.proxy_host) || (!steps.proxy.outputs.proxy_port)
-          || (!steps.proxy.outputs.proxy_ca_certificate) || (!steps.proxy.outputs.proxy_urls)
+        if: (!steps.proxy.outputs.proxy_host) || (!steps.proxy.outputs.proxy_port) || (!steps.proxy.outputs.proxy_ca_certificate) || (!steps.proxy.outputs.proxy_urls)
+        run: exit 1
+
+      - name: Fail if proxy_urls does not contain all registries
+        if: |
+          join(fromJSON(steps.proxy.outputs.proxy_urls)[*].type, ',') != 'maven_repository,maven_repository'
+          || !contains(steps.proxy.outputs.proxy_urls, 'https://repo.maven.apache.org/maven2/')
+          || !contains(steps.proxy.outputs.proxy_urls, 'https://repo1.maven.org/maven2')
        run: exit 1
    env:
      CODEQL_ACTION_TEST_MODE: true
@@ -18,6 +18,9 @@ on:
      - synchronize
      - reopened
      - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -28,8 +31,8 @@ defaults:
  run:
    shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group: submit-sarif-failure-${{github.ref}}
 jobs:
  submit-sarif-failure:
    strategy:
@@ -46,13 +49,12 @@ jobs:
    if: github.triggering_actor != 'dependabot[bot]'
    permissions:
      contents: read
-      security-events: write # needed to upload the SARIF file
-
+      security-events: write
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -60,32 +62,26 @@ jobs:
          version: ${{ matrix.version }}
          use-all-platform-bundle: 'false'
          setup-kotlin: 'true'
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
      - uses: ./init
        with:
          languages: javascript
          tools: ${{ steps.prepare-test.outputs.tools-url }}
      - name: Fail
-    # We want this job to pass if the Action correctly uploads the SARIF file for
-    # the failed run.
-    # Setting this step to continue on error means that it is marked as completing
-    # successfully, so will not fail the job.
+        # We want this job to pass if the Action correctly uploads the SARIF file for
+        # the failed run.
+        # Setting this step to continue on error means that it is marked as completing
+        # successfully, so will not fail the job.
        continue-on-error: true
        run: exit 1
      - uses: ./analyze
-    # In a real workflow, this step wouldn't run. Since we used `continue-on-error`
-    # above, we manually disable it with an `if` condition.
+        # In a real workflow, this step wouldn't run. Since we used `continue-on-error`
+        # above, we manually disable it with an `if` condition.
        if: false
        with:
-          category: /test-codeql-version:${{ matrix.version }}
+          category: '/test-codeql-version:${{ matrix.version }}'
    env:
-  # Internal-only environment variable used to indicate that the post-init Action
-  # should expect to upload a SARIF file for the failed run.
      CODEQL_ACTION_EXPECT_UPLOAD_FAILED_SARIF: true
-  # Make sure the uploading SARIF files feature is enabled.
      CODEQL_ACTION_UPLOAD_FAILED_SARIF: true
-  # Upload the failed SARIF file as an integration test of the API endpoint.
      CODEQL_ACTION_TEST_MODE: false
-  # Mark telemetry for this workflow so it can be treated separately.
      CODEQL_ACTION_TESTING_ENVIRONMENT: codeql-action-pr-checks
-
@@ -18,6 +18,9 @@ on:
      - synchronize
      - reopened
      - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -28,8 +31,8 @@ defaults:
  run:
    shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group: swift-autobuild-${{github.ref}}
 jobs:
  swift-autobuild:
    strategy:
@@ -47,7 +50,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -18,38 +18,41 @@ on:
      - synchronize
      - reopened
      - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
    inputs:
-      go-version:
-        type: string
-        description: The version of Go to install
-        required: false
-        default: '>=1.21.0'
      dotnet-version:
        type: string
        description: The version of .NET to install
        required: false
        default: 9.x
+      go-version:
+        type: string
+        description: The version of Go to install
+        required: false
+        default: '>=1.21.0'
  workflow_call:
    inputs:
-      go-version:
-        type: string
-        description: The version of Go to install
-        required: false
-        default: '>=1.21.0'
      dotnet-version:
        type: string
        description: The version of .NET to install
        required: false
        default: 9.x
+      go-version:
+        type: string
+        description: The version of Go to install
+        required: false
+        default: '>=1.21.0'
 defaults:
  run:
    shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group: swift-custom-build-${{github.ref}}-${{inputs.dotnet-version}}-${{inputs.go-version}}
 jobs:
  swift-custom-build:
    strategy:
@@ -71,7 +74,16 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
+      - name: Install .NET
+        uses: actions/setup-dotnet@v5
+        with:
+          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
+      - name: Install Go
+        uses: actions/setup-go@v6
+        with:
+          go-version: ${{ inputs.go-version || '>=1.21.0' }}
+          cache: false
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -79,15 +91,6 @@ jobs:
          version: ${{ matrix.version }}
          use-all-platform-bundle: 'false'
          setup-kotlin: 'true'
-      - name: Install Go
-        uses: actions/setup-go@v6
-        with:
-          go-version: ${{ inputs.go-version || '>=1.21.0' }}
-          cache: false
-      - name: Install .NET
-        uses: actions/setup-dotnet@v5
-        with:
-          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - name: Use Xcode 16
        if: runner.os == 'macOS' && matrix.version != 'nightly-latest'
        run: sudo xcode-select -s "/Applications/Xcode_16.app"
@@ -18,48 +18,41 @@ on:
      - synchronize
      - reopened
      - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
    inputs:
-      go-version:
-        type: string
-        description: The version of Go to install
-        required: false
-        default: '>=1.21.0'
-      python-version:
-        type: string
-        description: The version of Python to install
-        required: false
-        default: '3.13'
      dotnet-version:
        type: string
        description: The version of .NET to install
        required: false
        default: 9.x
+      go-version:
+        type: string
+        description: The version of Go to install
+        required: false
+        default: '>=1.21.0'
  workflow_call:
    inputs:
-      go-version:
-        type: string
-        description: The version of Go to install
-        required: false
-        default: '>=1.21.0'
-      python-version:
-        type: string
-        description: The version of Python to install
-        required: false
-        default: '3.13'
      dotnet-version:
        type: string
        description: The version of .NET to install
        required: false
        default: 9.x
+      go-version:
+        type: string
+        description: The version of Go to install
+        required: false
+        default: '>=1.21.0'
 defaults:
  run:
    shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group: unset-environment-${{github.ref}}-${{inputs.dotnet-version}}-${{inputs.go-version}}
 jobs:
  unset-environment:
    strategy:
@@ -79,7 +72,16 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
+      - name: Install .NET
+        uses: actions/setup-dotnet@v5
+        with:
+          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
+      - name: Install Go
+        uses: actions/setup-go@v6
+        with:
+          go-version: ${{ inputs.go-version || '>=1.21.0' }}
+          cache: false
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -87,25 +89,11 @@ jobs:
          version: ${{ matrix.version }}
          use-all-platform-bundle: 'false'
          setup-kotlin: 'true'
-      - name: Install Go
-        uses: actions/setup-go@v6
-        with:
-          go-version: ${{ inputs.go-version || '>=1.21.0' }}
-          cache: false
-      - name: Install Python
-        if: matrix.version != 'nightly-latest'
-        uses: actions/setup-python@v6
-        with:
-          python-version: ${{ inputs.python-version || '3.13' }}
-      - name: Install .NET
-        uses: actions/setup-dotnet@v5
-        with:
-          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - uses: ./../action/init
        id: init
        with:
          db-location: ${{ runner.temp }}/customDbLocation
-      # Swift is not supported on Ubuntu so we manually exclude it from the list here
+          # Swift is not supported on Ubuntu so we manually exclude it from the list here
          languages: cpp,csharp,go,java,javascript,python,ruby
          tools: ${{ steps.prepare-test.outputs.tools-url }}
      - name: Build code
@@ -18,48 +18,41 @@ on:
      - synchronize
      - reopened
      - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
    inputs:
-      go-version:
-        type: string
-        description: The version of Go to install
-        required: false
-        default: '>=1.21.0'
-      python-version:
-        type: string
-        description: The version of Python to install
-        required: false
-        default: '3.13'
      dotnet-version:
        type: string
        description: The version of .NET to install
        required: false
        default: 9.x
+      go-version:
+        type: string
+        description: The version of Go to install
+        required: false
+        default: '>=1.21.0'
  workflow_call:
    inputs:
-      go-version:
-        type: string
-        description: The version of Go to install
-        required: false
-        default: '>=1.21.0'
-      python-version:
-        type: string
-        description: The version of Python to install
-        required: false
-        default: '3.13'
      dotnet-version:
        type: string
        description: The version of .NET to install
        required: false
        default: 9.x
+      go-version:
+        type: string
+        description: The version of Go to install
+        required: false
+        default: '>=1.21.0'
 defaults:
  run:
    shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group: upload-ref-sha-input-${{github.ref}}-${{inputs.dotnet-version}}-${{inputs.go-version}}
 jobs:
  upload-ref-sha-input:
    strategy:
@@ -77,7 +70,16 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
+      - name: Install .NET
+        uses: actions/setup-dotnet@v5
+        with:
+          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
+      - name: Install Go
+        uses: actions/setup-go@v6
+        with:
+          go-version: ${{ inputs.go-version || '>=1.21.0' }}
+          cache: false
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -85,37 +87,22 @@ jobs:
          version: ${{ matrix.version }}
          use-all-platform-bundle: 'false'
          setup-kotlin: 'true'
-      - name: Install Go
-        uses: actions/setup-go@v6
-        with:
-          go-version: ${{ inputs.go-version || '>=1.21.0' }}
-          cache: false
-      - name: Install Python
-        if: matrix.version != 'nightly-latest'
-        uses: actions/setup-python@v6
-        with:
-          python-version: ${{ inputs.python-version || '3.13' }}
-      - name: Install .NET
-        uses: actions/setup-dotnet@v5
-        with:
-          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - uses: ./../action/init
        with:
          tools: ${{ steps.prepare-test.outputs.tools-url }}
          languages: cpp,csharp,java,javascript,python
-          config-file: ${{ github.repository }}/tests/multi-language-repo/.github/codeql/custom-queries.yml@${{
-            github.sha }}
+          config-file: ${{ github.repository }}/tests/multi-language-repo/.github/codeql/custom-queries.yml@${{ github.sha }}
      - name: Build code
        run: ./build.sh
-  # Generate some SARIF we can upload with the upload-sarif step
+      # Generate some SARIF we can upload with the upload-sarif step
      - uses: ./../action/analyze
        with:
-          ref: refs/heads/main
-          sha: 5e235361806c361d4d3f8859e3c897658025a9a2
+          ref: 'refs/heads/main'
+          sha: '5e235361806c361d4d3f8859e3c897658025a9a2'
          upload: never
      - uses: ./../action/upload-sarif
        with:
-          ref: refs/heads/main
-          sha: 5e235361806c361d4d3f8859e3c897658025a9a2
+          ref: 'refs/heads/main'
+          sha: '5e235361806c361d4d3f8859e3c897658025a9a2'
    env:
      CODEQL_ACTION_TEST_MODE: true
@@ -18,48 +18,41 @@ on:
      - synchronize
      - reopened
      - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
    inputs:
-      go-version:
-        type: string
-        description: The version of Go to install
-        required: false
-        default: '>=1.21.0'
-      python-version:
-        type: string
-        description: The version of Python to install
-        required: false
-        default: '3.13'
      dotnet-version:
        type: string
        description: The version of .NET to install
        required: false
        default: 9.x
+      go-version:
+        type: string
+        description: The version of Go to install
+        required: false
+        default: '>=1.21.0'
  workflow_call:
    inputs:
-      go-version:
-        type: string
-        description: The version of Go to install
-        required: false
-        default: '>=1.21.0'
-      python-version:
-        type: string
-        description: The version of Python to install
-        required: false
-        default: '3.13'
      dotnet-version:
        type: string
        description: The version of .NET to install
        required: false
        default: 9.x
+      go-version:
+        type: string
+        description: The version of Go to install
+        required: false
+        default: '>=1.21.0'
 defaults:
  run:
    shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group: upload-sarif-${{github.ref}}-${{inputs.dotnet-version}}-${{inputs.go-version}}
 jobs:
  upload-sarif:
    strategy:
@@ -84,7 +77,16 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
+      - name: Install .NET
+        uses: actions/setup-dotnet@v5
+        with:
+          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
+      - name: Install Go
+        uses: actions/setup-go@v6
+        with:
+          go-version: ${{ inputs.go-version || '>=1.21.0' }}
+          cache: false
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -92,20 +94,6 @@ jobs:
          version: ${{ matrix.version }}
          use-all-platform-bundle: 'false'
          setup-kotlin: 'true'
-      - name: Install Go
-        uses: actions/setup-go@v6
-        with:
-          go-version: ${{ inputs.go-version || '>=1.21.0' }}
-          cache: false
-      - name: Install Python
-        if: matrix.version != 'nightly-latest'
-        uses: actions/setup-python@v6
-        with:
-          python-version: ${{ inputs.python-version || '3.13' }}
-      - name: Install .NET
-        uses: actions/setup-dotnet@v5
-        with:
-          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - uses: ./../action/init
        with:
          tools: ${{ steps.prepare-test.outputs.tools-url }}
@@ -113,11 +101,11 @@ jobs:
          analysis-kinds: ${{ matrix.analysis-kinds }}
      - name: Build code
        run: ./build.sh
-  # Generate some SARIF we can upload with the upload-sarif step
+      # Generate some SARIF we can upload with the upload-sarif step
      - uses: ./../action/analyze
        with:
-          ref: refs/heads/main
-          sha: 5e235361806c361d4d3f8859e3c897658025a9a2
+          ref: 'refs/heads/main'
+          sha: '5e235361806c361d4d3f8859e3c897658025a9a2'
          upload: never
          output: ${{ runner.temp }}/results

@@ -126,15 +114,15 @@ jobs:
        uses: ./../action/upload-sarif
        id: upload-sarif
        with:
-          ref: refs/heads/main
-          sha: 5e235361806c361d4d3f8859e3c897658025a9a2
+          ref: 'refs/heads/main'
+          sha: '5e235361806c361d4d3f8859e3c897658025a9a2'
          sarif_file: ${{ runner.temp }}/results
          category: |
            ${{ github.workflow }}:upload-sarif/analysis-kinds:${{ matrix.analysis-kinds }}/os:${{ matrix.os }}/version:${{ matrix.version }}/test:all-files/
-      - name: Fail for missing output from `upload-sarif` step for `code-scanning`
+      - name: 'Fail for missing output from `upload-sarif` step for `code-scanning`'
        if: contains(matrix.analysis-kinds, 'code-scanning') && !(fromJSON(steps.upload-sarif.outputs.sarif-ids).code-scanning)
        run: exit 1
-      - name: Fail for missing output from `upload-sarif` step for `code-quality`
+      - name: 'Fail for missing output from `upload-sarif` step for `code-quality`'
        if: contains(matrix.analysis-kinds, 'code-quality') && !(fromJSON(steps.upload-sarif.outputs.sarif-ids).code-quality)
        run: exit 1

@@ -143,28 +131,26 @@ jobs:
        id: upload-single-sarif-code-scanning
        if: contains(matrix.analysis-kinds, 'code-scanning')
        with:
-          ref: refs/heads/main
-          sha: 5e235361806c361d4d3f8859e3c897658025a9a2
+          ref: 'refs/heads/main'
+          sha: '5e235361806c361d4d3f8859e3c897658025a9a2'
          sarif_file: ${{ runner.temp }}/results/javascript.sarif
          category: |
            ${{ github.workflow }}:upload-sarif/analysis-kinds:${{ matrix.analysis-kinds }}/os:${{ matrix.os }}/version:${{ matrix.version }}/test:single-code-scanning/
-      - name: Fail for missing output from `upload-single-sarif-code-scanning` step
-        if: contains(matrix.analysis-kinds, 'code-scanning') &&
-          !(fromJSON(steps.upload-single-sarif-code-scanning.outputs.sarif-ids).code-scanning)
+      - name: 'Fail for missing output from `upload-single-sarif-code-scanning` step'
+        if: contains(matrix.analysis-kinds, 'code-scanning') && !(fromJSON(steps.upload-single-sarif-code-scanning.outputs.sarif-ids).code-scanning)
        run: exit 1
      - name: Upload single SARIF file for Code Quality
        uses: ./../action/upload-sarif
        id: upload-single-sarif-code-quality
        if: contains(matrix.analysis-kinds, 'code-quality')
        with:
-          ref: refs/heads/main
-          sha: 5e235361806c361d4d3f8859e3c897658025a9a2
+          ref: 'refs/heads/main'
+          sha: '5e235361806c361d4d3f8859e3c897658025a9a2'
          sarif_file: ${{ runner.temp }}/results/javascript.quality.sarif
          category: |
            ${{ github.workflow }}:upload-sarif/analysis-kinds:${{ matrix.analysis-kinds }}/os:${{ matrix.os }}/version:${{ matrix.version }}/test:single-code-quality/
-      - name: Fail for missing output from `upload-single-sarif-code-quality` step
-        if: contains(matrix.analysis-kinds, 'code-quality') &&
-          !(fromJSON(steps.upload-single-sarif-code-quality.outputs.sarif-ids).code-quality)
+      - name: 'Fail for missing output from `upload-single-sarif-code-quality` step'
+        if: contains(matrix.analysis-kinds, 'code-quality') && !(fromJSON(steps.upload-single-sarif-code-quality.outputs.sarif-ids).code-quality)
        run: exit 1

      - name: Change SARIF file extension
@@ -175,12 +161,12 @@ jobs:
        id: upload-single-non-sarif
        if: contains(matrix.analysis-kinds, 'code-scanning')
        with:
-          ref: refs/heads/main
-          sha: 5e235361806c361d4d3f8859e3c897658025a9a2
+          ref: 'refs/heads/main'
+          sha: '5e235361806c361d4d3f8859e3c897658025a9a2'
          sarif_file: ${{ runner.temp }}/results/javascript.sarif.json
          category: |
            ${{ github.workflow }}:upload-sarif/analysis-kinds:${{ matrix.analysis-kinds }}/os:${{ matrix.os }}/version:${{ matrix.version }}/test:non-sarif/
-      - name: Fail for missing output from `upload-single-non-sarif` step
+      - name: 'Fail for missing output from `upload-single-non-sarif` step'
        if: contains(matrix.analysis-kinds, 'code-scanning') && !(fromJSON(steps.upload-single-non-sarif.outputs.sarif-ids).code-scanning)
        run: exit 1
    env:
@@ -18,48 +18,41 @@ on:
      - synchronize
      - reopened
      - ready_for_review
+  merge_group:
+    types:
+      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
    inputs:
-      go-version:
-        type: string
-        description: The version of Go to install
-        required: false
-        default: '>=1.21.0'
-      python-version:
-        type: string
-        description: The version of Python to install
-        required: false
-        default: '3.13'
      dotnet-version:
        type: string
        description: The version of .NET to install
        required: false
        default: 9.x
+      go-version:
+        type: string
+        description: The version of Go to install
+        required: false
+        default: '>=1.21.0'
  workflow_call:
    inputs:
-      go-version:
-        type: string
-        description: The version of Go to install
-        required: false
-        default: '>=1.21.0'
-      python-version:
-        type: string
-        description: The version of Python to install
-        required: false
-        default: '3.13'
      dotnet-version:
        type: string
        description: The version of .NET to install
        required: false
        default: 9.x
+      go-version:
+        type: string
+        description: The version of Go to install
+        required: false
+        default: '>=1.21.0'
 defaults:
  run:
    shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group: with-checkout-path-${{github.ref}}-${{inputs.dotnet-version}}-${{inputs.go-version}}
 jobs:
  with-checkout-path:
    strategy:
@@ -76,8 +69,18 @@ jobs:
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
+      # This ensures we don't accidentally use the original checkout for any part of the test.
      - name: Check out repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
+      - name: Install .NET
+        uses: actions/setup-dotnet@v5
+        with:
+          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
+      - name: Install Go
+        uses: actions/setup-go@v6
+        with:
+          go-version: ${{ inputs.go-version || '>=1.21.0' }}
+          cache: false
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -85,29 +88,15 @@ jobs:
          version: ${{ matrix.version }}
          use-all-platform-bundle: 'false'
          setup-kotlin: 'true'
-      - name: Install Go
-        uses: actions/setup-go@v6
-        with:
-          go-version: ${{ inputs.go-version || '>=1.21.0' }}
-          cache: false
-      - name: Install Python
-        if: matrix.version != 'nightly-latest'
-        uses: actions/setup-python@v6
-        with:
-          python-version: ${{ inputs.python-version || '3.13' }}
-      - name: Install .NET
-        uses: actions/setup-dotnet@v5
-        with:
-          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - name: Delete original checkout
        run: |
          # delete the original checkout so we don't accidentally use it.
          # Actions does not support deleting the current working directory, so we
          # delete the contents of the directory instead.
          rm -rf ./* .github .git
-  # Check out the actions repo again, but at a different location.
-  # choose an arbitrary SHA so that we can later test that the commit_oid is not from main
-      - uses: actions/checkout@v5
+      # Check out the actions repo again, but at a different location.
+      # choose an arbitrary SHA so that we can later test that the commit_oid is not from main
+      - uses: actions/checkout@v6
        with:
          ref: 474bbf07f9247ffe1856c6a0f94aeeb10e7afee6
          path: x/y/z/some-path
@@ -115,7 +104,7 @@ jobs:
      - uses: ./../action/init
        with:
          tools: ${{ steps.prepare-test.outputs.tools-url }}
-      # it's enough to test one compiled language and one interpreted language
+          # it's enough to test one compiled language and one interpreted language
          languages: csharp,javascript
          source-root: x/y/z/some-path/tests/multi-language-repo

@@ -22,7 +22,7 @@ jobs:

    steps:
      - name: Checkout CodeQL Action
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
      - name: Check Expected Release Files
        run: |
          bundle_version="$(cat "./src/defaults.json" | jq -r ".bundleVersion")"
@@ -4,10 +4,11 @@ on:
  push:
    branches: [main, releases/v*]
  pull_request:
-    branches: [main, releases/v*]
    # Run checks on reopened draft PRs to support triggering PR checks on draft PRs that were opened
    # by other workflows.
    types: [opened, synchronize, reopened, ready_for_review]
+  merge_group:
+    types: [checks_requested]
  schedule:
    # Weekly on Sunday.
    - cron: '30 1 * * 0'
@@ -30,34 +31,29 @@ jobs:

    permissions:
      contents: read
+      # We currently need `security-events: read` to access feature flags.
+      security-events: read

    steps:
-    - uses: actions/checkout@v5
-    - name: Init with default CodeQL bundle from the VM image
-      id: init-default
-      uses: ./init
-      with:
-        languages: javascript
-    - name: Remove empty database
-      # allows us to run init a second time
-      run: |
-        rm -rf "$RUNNER_TEMP/codeql_databases"
-    - name: Init with latest CodeQL bundle
-      id: init-latest
-      uses: ./init
+    - uses: actions/checkout@v6
+    - name: Set up default CodeQL bundle
+      id: setup-default
+      uses: ./setup-codeql
+    - name: Set up linked CodeQL bundle
+      id: setup-linked
+      uses: ./setup-codeql
      with:
        tools: linked
-        languages: javascript
-    - name: Compare default and latest CodeQL bundle versions
+    - name: Compare default and linked CodeQL bundle versions
      id: compare
      env:
-        CODEQL_DEFAULT: ${{ steps.init-default.outputs.codeql-path }}
-        CODEQL_LATEST: ${{ steps.init-latest.outputs.codeql-path }}
+        CODEQL_DEFAULT: ${{ steps.setup-default.outputs.codeql-path }}
+        CODEQL_LINKED: ${{ steps.setup-linked.outputs.codeql-path }}
      run: |
        CODEQL_VERSION_DEFAULT="$("$CODEQL_DEFAULT" version --format terse)"
-        CODEQL_VERSION_LATEST="$("$CODEQL_LATEST" version --format terse)"
+        CODEQL_VERSION_LINKED="$("$CODEQL_LINKED" version --format terse)"
        echo "Default CodeQL bundle version is $CODEQL_VERSION_DEFAULT"
-        echo "Latest CodeQL bundle version is $CODEQL_VERSION_LATEST"
+        echo "Linked CodeQL bundle version is $CODEQL_VERSION_LINKED"

        # If we're running on a pull request, run with both bundles, even if `tools: linked` would
        # be the same as `tools: null`. This allows us to make the job for each of the bundles a
@@ -65,7 +61,7 @@ jobs:
        #
        # If we're running on push or schedule, then we can skip running with `tools: linked` when it would be
        # the same as running with `tools: null`.
-        if [[ "$GITHUB_EVENT_NAME" != "pull_request" && "$CODEQL_VERSION_DEFAULT" == "$CODEQL_VERSION_LATEST" ]]; then
+        if [[ "$GITHUB_EVENT_NAME" != "pull_request" && "$GITHUB_EVENT_NAME" != "merge_group" && "$CODEQL_VERSION_DEFAULT" == "$CODEQL_VERSION_LINKED" ]]; then
          VERSIONS_JSON='[null]'
        else
          VERSIONS_JSON='[null, "linked"]'
@@ -91,7 +87,7 @@ jobs:

    steps:
    - name: Checkout
-      uses: actions/checkout@v5
+      uses: actions/checkout@v6
    - name: Initialize CodeQL
      uses: ./init
      id: init
@@ -109,7 +105,7 @@ jobs:
      uses: ./analyze
      with:
        category: "/language:javascript"
-        upload: ${{ (matrix.os == 'ubuntu-24.04' && !matrix.tools && 'always') || 'never' }}
+        upload: ${{ (matrix.os == 'ubuntu-24.04' && !matrix.tools && github.event_name != 'merge_group' && 'always' ) || 'never' }}

  analyze-other:
    if: github.triggering_actor != 'dependabot[bot]'
@@ -128,7 +124,7 @@ jobs:

    steps:
    - name: Checkout
-      uses: actions/checkout@v5
+      uses: actions/checkout@v6
    - name: Initialize CodeQL
      uses: ./init
      with:
@@ -144,3 +140,4 @@ jobs:
      uses: ./analyze
      with:
        category: "/language:${{ matrix.language }}"
+        upload: ${{ (github.event_name != 'merge_group' && 'always') || 'never' }}
@@ -6,6 +6,13 @@ env:
  # Diff informed queries add an additional query filter which is not yet
  # taken into account by these tests.
  CODEQL_ACTION_DIFF_INFORMED_QUERIES: false
+  # Specify overlay enablement manually to ensure stability around the exclude-from-incremental
+  # query filter. Here we only enable for the default code scanning suite.
+  CODEQL_ACTION_OVERLAY_ANALYSIS: true
+  CODEQL_ACTION_OVERLAY_ANALYSIS_JAVASCRIPT: false
+  CODEQL_ACTION_OVERLAY_ANALYSIS_CODE_SCANNING_JAVASCRIPT: true
+  CODEQL_ACTION_OVERLAY_ANALYSIS_STATUS_CHECK: false
+  CODEQL_ACTION_OVERLAY_ANALYSIS_SKIP_RESOURCE_CHECKS: true

 on:
  push:
@@ -18,9 +25,11 @@ on:
    - synchronize
    - reopened
    - ready_for_review
+  merge_group:
+    types: [checks_requested]
  schedule:
    - cron: '0 5 * * *'
-  workflow_dispatch: {}
+  workflow_dispatch:

 defaults:
  run:
@@ -53,7 +62,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
    - name: Check out repository
-      uses: actions/checkout@v5
+      uses: actions/checkout@v6

    - name: Set up Node.js
      uses: actions/setup-node@v6
@@ -70,13 +79,33 @@ jobs:
      with:
        version: ${{ matrix.version }}

-    - name: Empty file
+    # On PRs, overlay analysis may change the config that is passed to the CLI.
+    # Therefore, we have two variants of the following test, one for PRs and one for other events.
+    - name: Empty file (non-PR)
+      if: github.event_name != 'pull_request'
      uses: ./../action/.github/actions/check-codescanning-config
      with:
        expected-config-file-contents: "{}"
        languages: javascript
        tools: ${{ steps.prepare-test.outputs.tools-url }}

+    - name: Empty file (PR)
+      if: github.event_name == 'pull_request'
+      uses: ./../action/.github/actions/check-codescanning-config
+      with:
+        expected-config-file-contents: |
+          {
+            "query-filters": [
+              {
+                "exclude": {
+                  "tags": "exclude-from-incremental"
+                }
+              }
+            ]
+          }
+        languages: javascript
+        tools: ${{ steps.prepare-test.outputs.tools-url }}
+
    - name: Packs from input
      if: success() || failure()
      uses: ./../action/.github/actions/check-codescanning-config
@@ -14,9 +14,11 @@ on:
    - synchronize
    - reopened
    - ready_for_review
+  merge_group:
+    types: [checks_requested]
  schedule:
    - cron: '0 5 * * *'
-  workflow_dispatch: {}
+  workflow_dispatch:

 defaults:
  run:
@@ -39,13 +41,15 @@ jobs:
      CODEQL_ACTION_TEST_MODE: true
    permissions:
      contents: read
+      # We currently need `security-events: read` to access feature flags.
+      security-events: read
    timeout-minutes: 45
    runs-on: ubuntu-latest
    steps:
      - name: Dump GitHub event
        run: cat "${GITHUB_EVENT_PATH}"
      - name: Check out repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -58,8 +62,11 @@ jobs:
        uses: actions/setup-dotnet@v5
        with:
          dotnet-version: '9.x'
+      - name: Assert best-effort artifact scan completed
+        uses: ./../action/.github/actions/verify-debug-artifact-scan-completed
      - uses: ./../action/init
        with:
+          languages: cpp,csharp,go,java,javascript,python
          tools: ${{ steps.prepare-test.outputs.tools-url }}
          debug: true
          debug-artifact-name: my-debug-artifacts
@@ -83,7 +90,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Download all artifacts
-        uses: actions/download-artifact@v6
+        uses: actions/download-artifact@v8
      - name: Check expected artifacts exist
        run: |
          LANGUAGES="cpp csharp go java javascript python"
@@ -13,9 +13,11 @@ on:
    - synchronize
    - reopened
    - ready_for_review
+  merge_group:
+    types: [checks_requested]
  schedule:
    - cron: '0 5 * * *'
-  workflow_dispatch: {}
+  workflow_dispatch:

 defaults:
  run:
@@ -38,10 +40,12 @@ jobs:
    timeout-minutes: 45
    permissions:
      contents: read
+      # We currently need `security-events: read` to access feature flags.
+      security-events: read
    runs-on: ubuntu-latest
    steps:
      - name: Check out repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -54,6 +58,8 @@ jobs:
        uses: actions/setup-dotnet@v5
        with:
          dotnet-version: '9.x'
+      - name: Assert best-effort artifact scan completed
+        uses: ./../action/.github/actions/verify-debug-artifact-scan-completed
      - uses: ./../action/init
        id: init
        with:
@@ -77,7 +83,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Download all artifacts
-        uses: actions/download-artifact@v6
+        uses: actions/download-artifact@v8
      - name: Check expected artifacts exist
        run: |
          VERSIONS="stable-v2.20.3 default linked nightly-latest"
@@ -0,0 +1,106 @@
+# Workflow runs on main, on a release branch, and that were triggered as part of a merge group have
+# already passed CI before being merged. Therefore if they fail, we should make sure that there
+# wasn't a transient failure by rerunning the failed jobs once before investigating further.
+name: Deflake
+
+on:
+  workflow_run:
+    types: [completed]
+    # Exclude workflows that have significant side effects, like publishing releases. It's OK to
+    # retry CodeQL analysis.
+    workflows:
+      - Check Expected Release Files
+      - Code-Scanning config CLI tests
+      - CodeQL action
+      - Manual Check - go
+      - "PR Check - All-platform bundle"
+      - "PR Check - Analysis kinds"
+      - "PR Check - Analyze: 'ref' and 'sha' from inputs"
+      - "PR Check - autobuild-action"
+      - "PR Check - Autobuild direct tracing (custom working directory)"
+      - "PR Check - Autobuild working directory"
+      - "PR Check - Build mode autobuild"
+      - "PR Check - Build mode manual"
+      - "PR Check - Build mode none"
+      - "PR Check - Build mode rollback"
+      - "PR Check - Bundle: Caching checks"
+      - "PR Check - Bundle: From nightly"
+      - "PR Check - Bundle: From toolcache"
+      - "PR Check - Bundle: Zstandard checks"
+      - "PR Check - C/C\\+\\+: autoinstalling dependencies (Linux)"
+      - "PR Check - C/C\\+\\+: autoinstalling dependencies is skipped (macOS)"
+      - "PR Check - C/C\\+\\+: disabling autoinstalling dependencies (Linux)"
+      - "PR Check - Clean up database cluster directory"
+      - "PR Check - CodeQL Bundle All"
+      - "PR Check - Config export"
+      - "PR Check - Config input"
+      - "PR Check - Custom source root"
+      - "PR Check - Debug artifact upload"
+      - "PR Check - Debug artifacts after failure"
+      - "PR Check - Diagnostic export"
+      - "PR Check - Export file baseline information"
+      - "PR Check - Extractor ram and threads options test"
+      - "PR Check - Go: Custom queries"
+      - "PR Check - Go: diagnostic when Go is changed after init step"
+      - "PR Check - Go: diagnostic when `file` is not installed"
+      - "PR Check - Go: tracing with autobuilder step"
+      - "PR Check - Go: tracing with custom build steps"
+      - "PR Check - Go: tracing with legacy workflow"
+      - "PR Check - Go: workaround for indirect tracing"
+      - "PR Check - Job run UUID added to SARIF"
+      - "PR Check - Language aliases"
+      - "PR Check - Local CodeQL bundle"
+      - "PR Check - Multi-language repository"
+      - "PR Check - Overlay database init fallback"
+      - "PR Check - Packaging: Action input"
+      - "PR Check - Packaging: Config and input"
+      - "PR Check - Packaging: Config and input passed to the CLI"
+      - "PR Check - Packaging: Config file"
+      - "PR Check - Packaging: Download using registries"
+      - "PR Check - Proxy test"
+      - "PR Check - Remote config file"
+      - "PR Check - Resolve environment"
+      - "PR Check - RuboCop multi-language"
+      - "PR Check - Ruby analysis"
+      - "PR Check - Rust analysis"
+      - "PR Check - Split workflow"
+      - "PR Check - Start proxy"
+      - "PR Check - Submit SARIF after failure"
+      - "PR Check - Swift analysis using a custom build command"
+      - "PR Check - Swift analysis using autobuild"
+      - "PR Check - Test different uses of `upload-sarif`"
+      - "PR Check - Test unsetting environment variables"
+      - "PR Check - Upload-sarif: ref and sha from inputs"
+      - "PR Check - Use a custom `checkout_path`"
+      - PR Checks
+      - Query filters tests
+      - Test that the workaround for python 3.12 on windows works
+
+jobs:
+  rerun-on-failure:
+    name: Rerun failed jobs
+    if: >-
+      github.event.workflow_run.conclusion == 'failure' &&
+      github.event.workflow_run.run_attempt == 1 &&
+      (
+        github.event.workflow_run.head_branch == 'main' ||
+        startsWith(github.event.workflow_run.head_branch, 'releases/') ||
+        github.event.workflow_run.event == 'merge_group'
+      )
+    runs-on: ubuntu-slim
+    permissions:
+      actions: write
+    steps:
+      - name: Rerun failed jobs in ${{ github.event.workflow_run.name }}
+        env:
+          GH_TOKEN: ${{ github.token }}
+          GH_REPO: ${{ github.repository }}
+          RUN_ID: ${{ github.event.workflow_run.id }}
+          RUN_NAME: ${{ github.event.workflow_run.name }}
+          RUN_URL: ${{ github.event.workflow_run.html_url }}
+        run: |
+          echo "Rerunning failed jobs for workflow run ${RUN_ID}"
+          gh run rerun "${RUN_ID}" --failed
+          echo "### Reran failed jobs :recycle:" >> "$GITHUB_STEP_SUMMARY"
+          echo "" >> "$GITHUB_STEP_SUMMARY"
+          echo "Workflow: [${RUN_NAME}](${RUN_URL})" >> "$GITHUB_STEP_SUMMARY"
@@ -17,6 +17,7 @@ jobs:
  sizeup:
    name: Label PR with size
    runs-on: ubuntu-slim
+    if: github.event.pull_request.merged != true

    steps:
      - name: Run sizeup
@@ -24,7 +24,7 @@ defaults:

 jobs:
  merge-back:
-    runs-on: ubuntu-slim
+    runs-on: ubuntu-latest
    environment: Automation
    if: github.repository == 'github/codeql-action'
    env:
@@ -44,7 +44,7 @@ jobs:
          GITHUB_CONTEXT: '${{ toJson(github) }}'
        run: echo "${GITHUB_CONTEXT}"

-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
        with:
          fetch-depth: 0  # ensure we have all tags and can push commits
      - uses: actions/setup-node@v6
@@ -123,26 +123,15 @@ jobs:
      - name: Prepare partial Changelog
        env:
          PARTIAL_CHANGELOG: "${{ runner.temp }}/partial_changelog.md"
-          VERSION: "${{ steps.getVersion.outputs.version }}"
        run: |
-          python .github/workflows/script/prepare_changelog.py CHANGELOG.md "$VERSION" > $PARTIAL_CHANGELOG
+          python .github/workflows/script/prepare_changelog.py CHANGELOG.md > $PARTIAL_CHANGELOG

          echo "::group::Partial CHANGELOG"
          cat $PARTIAL_CHANGELOG
          echo "::endgroup::"

-      - name: Create mergeback branch and PR
-        if: ${{ steps.check.outputs.exists != 'true' && endsWith(github.ref_name, steps.getVersion.outputs.latest_release_branch) }}
-        uses: ./.github/actions/prepare-mergeback-branch
-        with:
-          base: "${{ env.BASE_BRANCH }}"
-          head: "${{ env.HEAD_BRANCH }}"
-          branch: "${{ steps.getVersion.outputs.newBranch }}"
-          version: "${{ steps.getVersion.outputs.version }}"
-          token: "${{ secrets.GITHUB_TOKEN }}"
-
      - name: Generate token
-        uses: actions/create-github-app-token@v2.1.4
+        uses: actions/create-github-app-token@v3.1.1
        id: app-token
        with:
          app-id: ${{ vars.AUTOMATION_APP_ID }}
@@ -161,3 +150,13 @@ jobs:
            --latest=false \
            --title "$VERSION" \
            --notes-file "$PARTIAL_CHANGELOG"
+
+      - name: Create mergeback branch and PR
+        if: ${{ endsWith(github.ref_name, steps.getVersion.outputs.latest_release_branch) }}
+        uses: ./.github/actions/prepare-mergeback-branch
+        with:
+          base: "${{ env.BASE_BRANCH }}"
+          head: "${{ env.HEAD_BRANCH }}"
+          branch: "${{ steps.getVersion.outputs.newBranch }}"
+          version: "${{ steps.getVersion.outputs.version }}"
+          token: "${{ secrets.GITHUB_TOKEN }}"
@@ -6,6 +6,8 @@ on:
    # Run checks on reopened draft PRs to support triggering PR checks on draft PRs that were opened
    # by other workflows.
    types: [opened, synchronize, reopened, ready_for_review]
+  merge_group:
+    types: [checks_requested]
  workflow_dispatch:

 defaults:
@@ -32,7 +34,7 @@ jobs:
        if: runner.os == 'Windows'
        run: git config --global core.autocrlf false

-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6

      - name: Set up Node.js
        uses: actions/setup-node@v6
@@ -40,11 +42,6 @@ jobs:
          node-version: ${{ matrix.node-version }}
          cache: 'npm'

-      - name: Set up Python
-        uses: actions/setup-python@v6
-        with:
-          python-version: 3.11
-
      - name: Install dependencies
        run: |
          # Use the system Bash shell to ensure we can run commands like `npm ci`
@@ -55,19 +52,10 @@ jobs:
      - name: Verify compiled JS up to date
        run: .github/workflows/script/check-js.sh

-      - name: Verify PR checks up to date
-        if: always()
-        run: .github/workflows/script/verify-pr-checks.sh
-
      - name: Run unit tests
        if: always()
        run: npm test

-      - name: Run pr-checks tests
-        if: always()
-        working-directory: pr-checks
-        run: python -m unittest discover
-
      - name: Lint
        if: always() && matrix.os != 'windows-latest'
        run: npm run lint-ci
@@ -79,8 +67,45 @@ jobs:
          sarif_file: eslint.sarif
          category: eslint

+  # Verifying the PR checks are up-to-date requires Node 24. The PR checks are not dependent
+  # on the main codebase and therefore do not need to be run as part of the same matrix that
+  # we use for the `unit-tests` job.
+  verify-pr-checks:
+    name: Verify PR checks
+    if: github.triggering_actor != 'dependabot[bot]'
+    permissions:
+      contents: read
+    runs-on: ubuntu-slim
+    timeout-minutes: 10
+
+    steps:
+      - name: Prepare git (Windows)
+        if: runner.os == 'Windows'
+        run: git config --global core.autocrlf false
+
+      - name: Checkout repository
+        uses: actions/checkout@v6
+
+      - name: Set up Node.js
+        uses: actions/setup-node@v6
+        with:
+          node-version: 24
+          cache: 'npm'
+
+      - name: Install dependencies
+        run: npm ci
+
+      - name: Verify PR checks up to date
+        if: always()
+        run: .github/workflows/script/verify-pr-checks.sh
+
+      - name: Run pr-checks tests
+        if: always()
+        working-directory: pr-checks
+        run: npx tsx --test
+
  check-node-version:
-    if: github.event.pull_request && github.triggering_actor != 'dependabot[bot]'
+    if: github.triggering_actor != 'dependabot[bot]'
    name: Check Action Node versions
    runs-on: ubuntu-latest
    timeout-minutes: 45
@@ -91,7 +116,7 @@ jobs:
      contents: read

    steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
      - id: head-version
        name: Verify all Actions use the same Node version
        run: |
@@ -106,7 +131,7 @@ jobs:
      - id: checkout-base
        name: 'Backport: Check out base ref'
        if: ${{ startsWith(github.head_ref, 'backport-') }}
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
        with:
          ref: ${{ env.BASE_REF }}

@@ -29,7 +29,7 @@ defaults:
 jobs:
  prepare:
    name: "Prepare release"
-    runs-on: ubuntu-slim
+    runs-on: ubuntu-latest
    if: github.repository == 'github/codeql-action'

    permissions:
@@ -44,7 +44,7 @@ jobs:

    steps:
      - name: Checkout repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
        with:
          fetch-depth: 0 # Need full history for calculation of diffs

@@ -20,7 +20,7 @@ jobs:

    steps:
      - name: Checkout repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6

      - name: Publish immutable release
        id: publish
@@ -7,6 +7,8 @@ on:
    # Run checks on reopened draft PRs to support triggering PR checks on draft PRs that were opened
    # by other workflows.
    types: [opened, synchronize, reopened, ready_for_review]
+  merge_group:
+    types: [checks_requested]
  schedule:
    # Weekly on Monday.
    - cron: '0 0 * * 1'
@@ -24,6 +26,8 @@ jobs:
    timeout-minutes: 45
    permissions:
      contents: read
+      # We currently need `security-events: read` to access feature flags.
+      security-events: read
    runs-on: windows-latest

    steps:
@@ -31,7 +35,7 @@ jobs:
      with:
        python-version: 3.12

-    - uses: actions/checkout@v5
+    - uses: actions/checkout@v6

    - name: Prepare test
      uses: ./.github/actions/prepare-test
@@ -11,9 +11,11 @@ on:
    - synchronize
    - reopened
    - ready_for_review
+  merge_group:
+    types: [checks_requested]
  schedule:
    - cron: '0 5 * * *'
-  workflow_dispatch: {}
+  workflow_dispatch:

 defaults:
  run:
@@ -29,7 +31,7 @@ jobs:
      contents: read # This permission is needed to allow the GitHub Actions workflow to read the contents of the repository.
    steps:
    - name: Check out repository
-      uses: actions/checkout@v5
+      uses: actions/checkout@v6

    - name: Install Node.js
      uses: actions/setup-node@v6
@@ -24,11 +24,17 @@ jobs:
      pull-requests: write # needed to comment on the PR
    steps:
      - name: Checkout
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
        with:
          fetch-depth: 0
          ref: ${{ env.HEAD_REF }}

+      - name: Set up Node.js
+        uses: actions/setup-node@v6
+        with:
+          node-version: 24
+          cache: 'npm'
+
      - name: Remove label
        if: github.event_name == 'pull_request'
        env:
@@ -49,9 +55,18 @@ jobs:
          git fetch origin "$BASE_BRANCH"

          # Allow merge conflicts in `lib`, since rebuilding should resolve them.
-          git merge "origin/$BASE_BRANCH" || echo "Merge conflicts detected, continuing."
+          git merge "origin/$BASE_BRANCH"
          MERGE_RESULT=$?

+          if [ "$MERGE_RESULT" -eq 0 ]; then
+            echo "Merge succeeded cleanly."
+          elif [ "$MERGE_RESULT" -eq 1 ]; then
+            echo "Merge conflicts detected (exit code $MERGE_RESULT), continuing."
+          else
+            echo "git merge failed with unexpected exit code $MERGE_RESULT."
+            exit 1
+          fi
+
          if [ "$MERGE_RESULT" -ne 0 ]; then
            echo "merge-in-progress=true" >> $GITHUB_OUTPUT

@@ -73,24 +88,17 @@ jobs:
          npm run lint -- --fix
          npm run build

-      - name: Set up Python
-        uses: actions/setup-python@v6
-        with:
-          python-version: 3.11
-
      - name: Sync back version updates to generated workflows
        # Only sync back versions on Dependabot update PRs
        if: startsWith(env.HEAD_REF, 'dependabot/')
        working-directory: pr-checks
        run: |
-          python3 sync_back.py -v
+          npm ci
+          npx tsx sync-back.ts --verbose

      - name: Generate workflows
        working-directory: pr-checks
-        run: |
-          python -m pip install --upgrade pip
-          pip install ruamel.yaml==0.17.31
-          python3 sync.py
+        run: ./sync.sh

      - name: "Merge in progress: Finish merge and push"
        if: steps.merge.outputs.merge-in-progress == 'true'
@@ -111,7 +119,7 @@ jobs:
            # Otherwise, just commit the changes.
            if git rev-parse --verify MERGE_HEAD >/dev/null 2>&1; then
              echo "In progress merge detected, finishing it up."
-              git merge --continue
+              git commit --no-edit
            else
              echo "No in-progress merge detected, committing changes."
              git commit -m "Rebuild"
@@ -52,7 +52,7 @@ jobs:

    steps:
      - name: Checkout repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
        with:
          fetch-depth: 0 # Need full history for calculation of diffs

@@ -127,9 +127,8 @@ jobs:
        env:
          NEW_CHANGELOG: "${{ runner.temp }}/new_changelog.md"
          PARTIAL_CHANGELOG: "${{ runner.temp }}/partial_changelog.md"
-          VERSION: "${{ needs.prepare.outputs.version }}"
        run: |
-          python .github/workflows/script/prepare_changelog.py $NEW_CHANGELOG "$VERSION" > $PARTIAL_CHANGELOG
+          python .github/workflows/script/prepare_changelog.py $NEW_CHANGELOG > $PARTIAL_CHANGELOG

          echo "::group::Partial CHANGELOG"
          cat $PARTIAL_CHANGELOG
@@ -137,7 +136,7 @@ jobs:

      - name: Generate token
        if: github.event_name == 'workflow_dispatch'
-        uses: actions/create-github-app-token@v2.1.4
+        uses: actions/create-github-app-token@v3.1.1
        id: app-token
        with:
          app-id: ${{ vars.AUTOMATION_APP_ID }}
@@ -1,9 +1,14 @@
+#!/usr/bin/env python3
 import os
 import re

+cli_version = os.environ['CLI_VERSION']
+
+# The GitHub Release for the new bundle version.
+bundle_release_url = f"https://github.com/github/codeql-action/releases/tag/codeql-bundle-v{cli_version}"
 # Get the PR number from the PR URL.
 pr_number = os.environ['PR_URL'].split('/')[-1]
-changelog_note = f"- Update default CodeQL bundle version to {os.environ['CLI_VERSION']}. [#{pr_number}]({os.environ['PR_URL']})"
+changelog_note = f"- Update default CodeQL bundle version to [{cli_version}]({bundle_release_url}). [#{pr_number}]({os.environ['PR_URL']})"

 # If the "[UNRELEASED]" section starts with "no user facing changes", remove that line.
 with open('CHANGELOG.md', 'r') as f:
@@ -1,3 +1,4 @@
+#!/usr/bin/env python3
 import os
 import sys

@@ -6,7 +7,7 @@ EMPTY_CHANGELOG = 'No changes.\n\n'
 # Prepare the changelog for the new release
 # This function will extract the part of the changelog that
 # we want to include in the new release.
-def extract_changelog_snippet(changelog_file, version_tag):
+def extract_changelog_snippet(changelog_file):
  output = ''
  if (not os.path.exists(changelog_file)):
    output = EMPTY_CHANGELOG
@@ -15,23 +16,20 @@ def extract_changelog_snippet(changelog_file, version_tag):
    with open(changelog_file, 'r') as f:
      lines = f.readlines()

-      # Include everything up to, but excluding the second heading
+      # Include only the contents of the first section
      found_first_section = False
-      for i, line in enumerate(lines):
+      for line in lines:
        if line.startswith('## '):
          if found_first_section:
            break
          found_first_section = True
-        output += line
+        elif found_first_section:
+          output += line

-  output += f"See the full [CHANGELOG.md](https://github.com/github/codeql-action/blob/{version_tag}/CHANGELOG.md) for more information."
-
-  return output
+  return output.strip()


-if len(sys.argv) < 3:
-  raise Exception('Expecting argument: changelog_file version_tag')
+if len(sys.argv) < 2:
+  raise Exception('Expecting argument: changelog_file')
 changelog_file = sys.argv[1]
-version_tag = sys.argv[2]
-
-print(extract_changelog_snippet(changelog_file, version_tag))
+print(extract_changelog_snippet(changelog_file))
@@ -1,64 +0,0 @@
-#!/usr/bin/env bash
-# Update the required checks based on the current branch.
-
-set -euo pipefail
-
-SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )"
-REPO_DIR="$(dirname "$SCRIPT_DIR")"
-GRANDPARENT_DIR="$(dirname "$REPO_DIR")"
-source "$GRANDPARENT_DIR/releases.ini"
-
-if ! gh auth status 2>/dev/null; then
-  gh auth status
-  echo "Failed: Not authorized. This script requires admin access to github/codeql-action through the gh CLI."
-  exit 1
-fi
-
-if [ "$#" -eq 1 ]; then
-  # If we were passed an argument, use that as the SHA
-  GITHUB_SHA="$1"
-elif [ "$#" -gt 1 ]; then
-  echo "Usage: $0 [SHA]"
-  echo "Update the required checks based on the SHA, or main."
-  exit 1
-elif [ -z "$GITHUB_SHA" ]; then
-  # If we don't have a SHA, use main
-  GITHUB_SHA="$(git rev-parse main)"
-fi
-
-echo "Getting checks for $GITHUB_SHA"
-
-# Ignore any checks with "https://", CodeQL, LGTM, Update, and ESLint checks.
-CHECKS="$(gh api repos/github/codeql-action/commits/"${GITHUB_SHA}"/check-runs --paginate | jq --slurp --compact-output --raw-output '[.[].check_runs.[] | select(.conclusion != "skipped") | .name | select(contains("https://") or . == "CodeQL" or . == "Dependabot" or . == "check-expected-release-files" or contains("Update") or contains("ESLint") or contains("update") or contains("test-setup-python-scripts") or . == "Agent" or . == "Cleanup artifacts" or . == "Prepare" or . == "Upload results" | not)] | unique | sort')"
-
-echo "$CHECKS" | jq
-
-# Fail if there are no checks
-if [ -z "$CHECKS" ] || [ "$(echo "$CHECKS" | jq '. | length')" -eq 0 ]; then
-  echo "No checks found for $GITHUB_SHA"
-  exit 1
-fi
-
-echo "{\"contexts\": ${CHECKS}}" > checks.json
-
-echo "Updating main"
-gh api --silent -X "PATCH" "repos/github/codeql-action/branches/main/protection/required_status_checks" --input checks.json
-
-# list all branchs on origin remote matching releases/v*
-BRANCHES="$(git ls-remote --heads origin 'releases/v*' | sed 's?.*refs/heads/??' | sort -V)"
-
-for BRANCH in $BRANCHES; do
-
-  # strip exact 'releases/v' prefix from $BRANCH using count of characters
-  VERSION="${BRANCH:10}"
-
-  if [ "$VERSION" -lt "$OLDEST_SUPPORTED_MAJOR_VERSION" ]; then
-    echo "Skipping $BRANCH"
-    continue
-  fi
-
-  echo "Updating $BRANCH"
-  gh api --silent -X "PATCH" "repos/github/codeql-action/branches/$BRANCH/protection/required_status_checks" --input checks.json
-done
-
-rm checks.json
@@ -19,7 +19,7 @@ if [ ! -z "$(git status --porcelain)" ]; then
    # If we get a fail here then the PR needs attention
    git diff
    git status
-    >&2 echo "Failed: PR checks are not up to date. Run 'cd pr-checks && python3 sync.py' to update"
+    >&2 echo "Failed: PR checks are not up to date. Run 'cd pr-checks && ./sync.sh' to update"

    echo "### Generated workflows diff" >> $GITHUB_STEP_SUMMARY
    echo "" >> $GITHUB_STEP_SUMMARY
@@ -13,9 +13,11 @@ on:
    - synchronize
    - reopened
    - ready_for_review
+  merge_group:
+    types: [checks_requested]
  schedule:
    - cron: '0 5 * * *'
-  workflow_dispatch: {}
+  workflow_dispatch:
 defaults:
  run:
    shell: bash
@@ -36,7 +38,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
    - name: Check out repository
-      uses: actions/checkout@v5
+      uses: actions/checkout@v6
    - name: Prepare test
      id: prepare-test
      uses: ./.github/actions/prepare-test
@@ -20,7 +20,7 @@ defaults:
 jobs:
  update-bundle:
    if: github.event.release.prerelease && startsWith(github.event.release.tag_name, 'codeql-bundle-')
-    runs-on: ubuntu-slim
+    runs-on: ubuntu-latest
    permissions:
      contents: write # needed to push commits
      pull-requests: write # needed to create pull requests
@@ -33,7 +33,7 @@ jobs:
          GITHUB_CONTEXT: '${{ toJson(github) }}'
        run: echo "$GITHUB_CONTEXT"

-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6

      - name: Update git config
        run: |
@@ -57,6 +57,35 @@ jobs:
      - name: Update bundle
        uses: ./.github/actions/update-bundle

+      - name: Set up CodeQL CLI from new bundle
+        id: setup-codeql
+        uses: ./setup-codeql
+        with:
+          tools: https://github.com/github/codeql-action/releases/download/${{ github.event.release.tag_name }}/codeql-bundle-linux64.tar.gz
+
+      - name: Update built-in languages
+        run: npx tsx pr-checks/update-builtin-languages.ts "$CODEQL_PATH"
+        env:
+          CODEQL_PATH: ${{ steps.setup-codeql.outputs.codeql-path }}
+
+      - name: Bump Action minor version if new CodeQL minor version series
+        id: bump-action-version
+        run: |
+          prior_cli_version=$(jq -r '.priorCliVersion' src/defaults.json)
+          cli_version=$(jq -r '.cliVersion' src/defaults.json)
+
+          prior_minor=$(echo "$prior_cli_version" | cut -d. -f2)
+          current_minor=$(echo "$cli_version" | cut -d. -f2)
+
+          if [[ "$current_minor" != "$prior_minor" ]]; then
+            echo "New CodeQL minor version series ($prior_cli_version -> $cli_version), bumping Action minor version"
+            npm version minor --no-git-tag-version
+            echo "bumped=true" >> "$GITHUB_OUTPUT"
+          else
+            echo "Same minor version series ($prior_cli_version -> $cli_version), skipping Action version bump"
+            echo "bumped=false" >> "$GITHUB_OUTPUT"
+          fi
+
      - name: Rebuild Action
        run: npm run build

@@ -71,11 +100,19 @@ jobs:
      - name: Open pull request
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          ACTION_VERSION_BUMPED: ${{ steps.bump-action-version.outputs.bumped }}
        run: |
          cli_version=$(jq -r '.cliVersion' src/defaults.json)
+          action_version=$(jq -r '.version' package.json)
+
+          pr_body="This pull request updates the default CodeQL bundle, as used with \`tools: linked\` and on GHES, to $cli_version."
+          if [[ "$ACTION_VERSION_BUMPED" == "true" ]]; then
+            pr_body+=$'\n\n'"Since this is a new CodeQL minor version series, this PR also bumps the Action version to $action_version."
+          fi
+
          pr_url=$(gh pr create \
            --title "Update default bundle to $cli_version" \
-            --body "This pull request updates the default CodeQL bundle, as used with \`tools: linked\` and on GHES, to $cli_version." \
+            --body "$pr_body" \
            --assignee "$GITHUB_ACTOR" \
            --draft \
          )
@@ -26,7 +26,7 @@ jobs:

  update:
    timeout-minutes: 45
-    runs-on: ubuntu-slim
+    runs-on: ubuntu-latest
    if: github.event_name == 'workflow_dispatch'
    needs: [prepare]
    env:
@@ -38,7 +38,7 @@ jobs:
      contents: write # needed to push commits
      pull-requests: write # needed to create pull request
    steps:
-    - uses: actions/checkout@v5
+    - uses: actions/checkout@v6
      with:
        fetch-depth: 0  # Need full history for calculation of diffs
    - uses: ./.github/actions/release-initialise
@@ -77,7 +77,7 @@ jobs:

  backport:
    timeout-minutes: 45
-    runs-on: ubuntu-slim
+    runs-on: ubuntu-latest
    environment: Automation
    needs: [prepare]
    if: ${{ (github.event_name == 'push') && needs.prepare.outputs.backport_target_branches != '[]' }}
@@ -93,14 +93,14 @@ jobs:
      pull-requests: write # needed to create pull request
    steps:
    - name: Generate token
-      uses: actions/create-github-app-token@v2.1.4
+      uses: actions/create-github-app-token@v3.1.1
      id: app-token
      with:
        app-id: ${{ vars.AUTOMATION_APP_ID }}
        private-key: ${{ secrets.AUTOMATION_PRIVATE_KEY }}

    - name: Checkout
-      uses: actions/checkout@v5
+      uses: actions/checkout@v6
      with:
        fetch-depth: 0  # Need full history for calculation of diffs
        token: ${{ steps.app-token.outputs.token }}
@@ -27,9 +27,9 @@ jobs:
        with:
          python-version: "3.13"
      - name: Checkout CodeQL Action
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
      - name: Checkout Enterprise Releases
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
        with:
          repository: github/enterprise-releases
          token: ${{ secrets.ENTERPRISE_RELEASE_TOKEN }}
@@ -11,3 +11,5 @@ build/
 eslint.sarif
 # for local incremental compilation
 tsconfig.tsbuildinfo
+# esbuild metadata file
+meta.json
@@ -0,0 +1,30 @@
+{
+  // Place your codeql-action workspace snippets here. Each snippet is defined under a snippet name and has a scope, prefix, body and
+  // description. Add comma separated ids of the languages where the snippet is applicable in the scope field. If scope
+  // is left empty or omitted, the snippet gets applied to all languages. The prefix is what is
+  // used to trigger the snippet and the body will be expanded and inserted. Possible variables are:
+  // $1, $2 for tab stops, $0 for the final cursor position, and ${1:label}, ${2:another} for placeholders.
+  // Placeholders with the same ids are connected.
+  // Example:
+  // "Print to console": {
+  // 	"scope": "javascript,typescript",
+  // 	"prefix": "log",
+  // 	"body": [
+  // 		"console.log('$1');",
+  // 		"$2"
+  // 	],
+  // 	"description": "Log output to console"
+  // }
+  "Test Macro": {
+    "scope": "javascript, typescript",
+    "prefix": "testMacro",
+    "body": [
+      "const ${1:nameMacro} = test.macro({",
+      "  exec: async (t: ExecutionContext<unknown>) => {},",
+      "",
+      "  title: (providedTitle = \"\") => `${2:common title} - \\${providedTitle}`,",
+      "});",
+    ],
+    "description": "An Ava test macro",
+  },
+}
@@ -2,6 +2,129 @@

 See the [releases page](https://github.com/github/codeql-action/releases) for the relevant changes to the CodeQL CLI and language packs.

+## [UNRELEASED]
+
+No user facing changes.
+
+## 4.35.3 - 01 May 2026
+
+- _Upcoming breaking change_: Add a deprecation warning for customers using CodeQL version 2.19.3 and earlier. These versions of CodeQL were discontinued on 9 April 2026 alongside GitHub Enterprise Server 3.15, and will be unsupported by the next minor release of the CodeQL Action. [#3837](https://github.com/github/codeql-action/pull/3837)
+- Configurations for private registries that use Cloudsmith or GCP OIDC are now accepted. [#3850](https://github.com/github/codeql-action/pull/3850)
+- Best-effort connection tests for private registries now use `GET` requests instead of `HEAD` for better compatibility with various registry implementations. For NuGet feeds, the test is now always performed against the service index. [#3853](https://github.com/github/codeql-action/pull/3853)
+- Fixed a bug where two diagnostics produced within the same millisecond could overwrite each other on disk, causing one of them to be lost. [#3852](https://github.com/github/codeql-action/pull/3852)
+- Update default CodeQL bundle version to [2.25.3](https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.25.3). [#3865](https://github.com/github/codeql-action/pull/3865)
+
+## 4.35.2 - 15 Apr 2026
+
+- The undocumented TRAP cache cleanup feature that could be enabled using the `CODEQL_ACTION_CLEANUP_TRAP_CACHES` environment variable is deprecated and will be removed in May 2026. If you are affected by this, we recommend disabling TRAP caching by passing the `trap-caching: false` input to the `init` Action. [#3795](https://github.com/github/codeql-action/pull/3795)
+- The Git version 2.36.0 requirement for improved incremental analysis now only applies to repositories that contain submodules. [#3789](https://github.com/github/codeql-action/pull/3789)
+- Python analysis on GHES no longer extracts the standard library, relying instead on models of the standard library. This should result in significantly faster extraction and analysis times, while the effect on alerts should be minimal. [#3794](https://github.com/github/codeql-action/pull/3794)
+- Fixed a bug in the validation of OIDC configurations for private registries that was added in CodeQL Action 4.33.0 / 3.33.0. [#3807](https://github.com/github/codeql-action/pull/3807)
+- Update default CodeQL bundle version to [2.25.2](https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.25.2). [#3823](https://github.com/github/codeql-action/pull/3823)
+
+## 4.35.1 - 27 Mar 2026
+
+- Fix incorrect minimum required Git version for [improved incremental analysis](https://github.com/github/roadmap/issues/1158): it should have been 2.36.0, not 2.11.0. [#3781](https://github.com/github/codeql-action/pull/3781)
+
+## 4.35.0 - 27 Mar 2026
+
+- Reduced the minimum Git version required for [improved incremental analysis](https://github.com/github/roadmap/issues/1158) from 2.38.0 to 2.11.0. [#3767](https://github.com/github/codeql-action/pull/3767)
+- Update default CodeQL bundle version to [2.25.1](https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.25.1). [#3773](https://github.com/github/codeql-action/pull/3773)
+
+## 4.34.1 - 20 Mar 2026
+
+- Downgrade default CodeQL bundle version to [2.24.3](https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.24.3) due to issues with a small percentage of Actions and JavaScript analyses. [#3762](https://github.com/github/codeql-action/pull/3762)
+
+## 4.34.0 - 20 Mar 2026
+
+- Added an experimental change which disables TRAP caching when [improved incremental analysis](https://github.com/github/roadmap/issues/1158) is enabled, since improved incremental analysis supersedes TRAP caching. This will improve performance and reduce Actions cache usage. We expect to roll this change out to everyone in March. [#3569](https://github.com/github/codeql-action/pull/3569)
+- We are rolling out improved incremental analysis to C/C++ analyses that use build mode `none`. We expect this rollout to be complete by the end of April 2026. [#3584](https://github.com/github/codeql-action/pull/3584)
+- Update default CodeQL bundle version to [2.25.0](https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.25.0). [#3585](https://github.com/github/codeql-action/pull/3585)
+
+## 4.33.0 - 16 Mar 2026
+
+- Upcoming change: Starting April 2026, the CodeQL Action will skip collecting file coverage information on pull requests to improve analysis performance. File coverage information will still be computed on non-PR analyses. Pull request analyses will log a warning about this upcoming change. [#3562](https://github.com/github/codeql-action/pull/3562)
+
+  To opt out of this change:
+  - **Repositories owned by an organization:** Create a custom repository property with the name `github-codeql-file-coverage-on-prs` and the type "True/false", then set this property to `true` in the repository's settings. For more information, see [Managing custom properties for repositories in your organization](https://docs.github.com/en/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization). Alternatively, if you are using an advanced setup workflow, you can set the `CODEQL_ACTION_FILE_COVERAGE_ON_PRS` environment variable to `true` in your workflow.
+  - **User-owned repositories using default setup:** Switch to an advanced setup workflow and set the `CODEQL_ACTION_FILE_COVERAGE_ON_PRS` environment variable to `true` in your workflow.
+  - **User-owned repositories using advanced setup:** Set the `CODEQL_ACTION_FILE_COVERAGE_ON_PRS` environment variable to `true` in your workflow.
+- Fixed [a bug](https://github.com/github/codeql-action/issues/3555) which caused the CodeQL Action to fail loading repository properties if a "Multi select" repository property was configured for the repository. [#3557](https://github.com/github/codeql-action/pull/3557)
+- The CodeQL Action now loads [custom repository properties](https://docs.github.com/en/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization) on GitHub Enterprise Server, enabling the customization of features such as `github-codeql-disable-overlay` that was previously only available on GitHub.com. [#3559](https://github.com/github/codeql-action/pull/3559)
+- Once [private package registries](https://docs.github.com/en/code-security/how-tos/secure-at-scale/configure-organization-security/manage-usage-and-access/giving-org-access-private-registries) can be configured with OIDC-based authentication for organizations, the CodeQL Action will now be able to accept such configurations. [#3563](https://github.com/github/codeql-action/pull/3563)
+- Fixed the retry mechanism for database uploads. Previously this would fail with the error "Response body object should not be disturbed or locked". [#3564](https://github.com/github/codeql-action/pull/3564)
+- A warning is now emitted if the CodeQL Action detects a repository property whose name suggests that it relates to the CodeQL Action, but which is not one of the properties recognised by the current version of the CodeQL Action. [#3570](https://github.com/github/codeql-action/pull/3570)
+
+## 4.32.6 - 05 Mar 2026
+
+- Update default CodeQL bundle version to [2.24.3](https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.24.3). [#3548](https://github.com/github/codeql-action/pull/3548)
+
+## 4.32.5 - 02 Mar 2026
+
+- Repositories owned by an organization can now set up the `github-codeql-disable-overlay` custom repository property to disable [improved incremental analysis for CodeQL](https://github.com/github/roadmap/issues/1158). First, create a custom repository property with the name `github-codeql-disable-overlay` and the type "True/false" in the organization's settings. Then in the repository's settings, set this property to `true` to disable improved incremental analysis. For more information, see [Managing custom properties for repositories in your organization](https://docs.github.com/en/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization). This feature is not yet available on GitHub Enterprise Server. [#3507](https://github.com/github/codeql-action/pull/3507)
+- Added an experimental change so that when [improved incremental analysis](https://github.com/github/roadmap/issues/1158) fails on a runner — potentially due to insufficient disk space — the failure is recorded in the Actions cache so that subsequent runs will automatically skip improved incremental analysis until something changes (e.g. a larger runner is provisioned or a new CodeQL version is released). We expect to roll this change out to everyone in March. [#3487](https://github.com/github/codeql-action/pull/3487)
+- The minimum memory check for improved incremental analysis is now skipped for CodeQL 2.24.3 and later, which has reduced peak RAM usage. [#3515](https://github.com/github/codeql-action/pull/3515)
+- Reduced log levels for best-effort private package registry connection check failures to reduce noise from workflow annotations. [#3516](https://github.com/github/codeql-action/pull/3516)
+- Added an experimental change which lowers the minimum disk space requirement for [improved incremental analysis](https://github.com/github/roadmap/issues/1158), enabling it to run on standard GitHub Actions runners. We expect to roll this change out to everyone in March. [#3498](https://github.com/github/codeql-action/pull/3498)
+- Added an experimental change which allows the `start-proxy` action to resolve the CodeQL CLI version from feature flags instead of using the linked CLI bundle version. We expect to roll this change out to everyone in March. [#3512](https://github.com/github/codeql-action/pull/3512)
+- The previously experimental changes from versions 4.32.3, 4.32.4, 3.32.3 and 3.32.4 are now enabled by default. [#3503](https://github.com/github/codeql-action/pull/3503), [#3504](https://github.com/github/codeql-action/pull/3504)
+
+## 4.32.4 - 20 Feb 2026
+
+- Update default CodeQL bundle version to [2.24.2](https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.24.2). [#3493](https://github.com/github/codeql-action/pull/3493)
+- Added an experimental change which improves how certificates are generated for the authentication proxy that is used by the CodeQL Action in Default Setup when [private package registries are configured](https://docs.github.com/en/code-security/how-tos/secure-at-scale/configure-organization-security/manage-usage-and-access/giving-org-access-private-registries). This is expected to generate more widely compatible certificates and should have no impact on analyses which are working correctly already. We expect to roll this change out to everyone in February. [#3473](https://github.com/github/codeql-action/pull/3473)
+- When the CodeQL Action is run [with debugging enabled in Default Setup](https://docs.github.com/en/code-security/how-tos/scan-code-for-vulnerabilities/troubleshooting/troubleshooting-analysis-errors/logs-not-detailed-enough#creating-codeql-debugging-artifacts-for-codeql-default-setup) and [private package registries are configured](https://docs.github.com/en/code-security/how-tos/secure-at-scale/configure-organization-security/manage-usage-and-access/giving-org-access-private-registries), the "Setup proxy for registries" step will output additional diagnostic information that can be used for troubleshooting. [#3486](https://github.com/github/codeql-action/pull/3486)
+- Added a setting which allows the CodeQL Action to enable network debugging for Java programs. This will help GitHub staff support customers with troubleshooting issues in GitHub-managed CodeQL workflows, such as Default Setup. This setting can only be enabled by GitHub staff. [#3485](https://github.com/github/codeql-action/pull/3485)
+- Added a setting which enables GitHub-managed workflows, such as Default Setup, to use a [nightly CodeQL CLI release](https://github.com/dsp-testing/codeql-cli-nightlies) instead of the latest, stable release that is used by default. This will help GitHub staff support customers whose analyses for a given repository or organization require early access to a change in an upcoming CodeQL CLI release. This setting can only be enabled by GitHub staff. [#3484](https://github.com/github/codeql-action/pull/3484)
+
+## 4.32.3 - 13 Feb 2026
+
+- Added experimental support for testing connections to [private package registries](https://docs.github.com/en/code-security/how-tos/secure-at-scale/configure-organization-security/manage-usage-and-access/giving-org-access-private-registries). This feature is not currently enabled for any analysis. In the future, it may be enabled by default for Default Setup. [#3466](https://github.com/github/codeql-action/pull/3466)
+
+## 4.32.2 - 05 Feb 2026
+
+- Update default CodeQL bundle version to [2.24.1](https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.24.1). [#3460](https://github.com/github/codeql-action/pull/3460)
+
+## 4.32.1 - 02 Feb 2026
+
+- A warning is now shown in Default Setup workflow logs if a [private package registry is configured](https://docs.github.com/en/code-security/how-tos/secure-at-scale/configure-organization-security/manage-usage-and-access/giving-org-access-private-registries) using a GitHub Personal Access Token (PAT), but no username is configured. [#3422](https://github.com/github/codeql-action/pull/3422)
+- Fixed a bug which caused the CodeQL Action to fail when repository properties cannot successfully be retrieved. [#3421](https://github.com/github/codeql-action/pull/3421)
+
+## 4.32.0 - 26 Jan 2026
+
+- Update default CodeQL bundle version to [2.24.0](https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.24.0). [#3425](https://github.com/github/codeql-action/pull/3425)
+
+## 4.31.11 - 23 Jan 2026
+
+- When running a Default Setup workflow with [Actions debugging enabled](https://docs.github.com/en/actions/how-tos/monitor-workflows/enable-debug-logging), the CodeQL Action will now use more unique names when uploading logs from the Dependabot authentication proxy as workflow artifacts. This ensures that the artifact names do not clash between multiple jobs in a build matrix. [#3409](https://github.com/github/codeql-action/pull/3409)
+- Improved error handling throughout the CodeQL Action. [#3415](https://github.com/github/codeql-action/pull/3415)
+- Added experimental support for automatically excluding [generated files](https://docs.github.com/en/repositories/working-with-files/managing-files/customizing-how-changed-files-appear-on-github) from the analysis. This feature is not currently enabled for any analysis. In the future, it may be enabled by default for some GitHub-managed analyses. [#3318](https://github.com/github/codeql-action/pull/3318)
+- The changelog extracts that are included with releases of the CodeQL Action are now shorter to avoid duplicated information from appearing in Dependabot PRs. [#3403](https://github.com/github/codeql-action/pull/3403)
+
+## 4.31.10 - 12 Jan 2026
+
+- Update default CodeQL bundle version to 2.23.9. [#3393](https://github.com/github/codeql-action/pull/3393)
+
+## 4.31.9 - 16 Dec 2025
+
+No user facing changes.
+
+## 4.31.8 - 11 Dec 2025
+
+- Update default CodeQL bundle version to 2.23.8. [#3354](https://github.com/github/codeql-action/pull/3354)
+
+## 4.31.7 - 05 Dec 2025
+
+- Update default CodeQL bundle version to 2.23.7. [#3343](https://github.com/github/codeql-action/pull/3343)
+
+## 4.31.6 - 01 Dec 2025
+
+No user facing changes.
+
+## 4.31.5 - 24 Nov 2025
+
+- Update default CodeQL bundle version to 2.23.6. [#3321](https://github.com/github/codeql-action/pull/3321)
+
 ## 4.31.4 - 18 Nov 2025

 No user facing changes.
@@ -69,12 +69,14 @@ Once the mergeback and backport pull request have been merged, the release is co

 ## Keeping the PR checks up to date (admin access required)

-Since the `codeql-action` runs most of its testing through individual Actions workflows, there are over two hundred required jobs that need to pass in order for a PR to turn green. It would be too tedious to maintain that list manually. You can regenerate the set of required checks automatically by running the [update-required-checks.sh](.github/workflows/script/update-required-checks.sh) script:
+Since the `codeql-action` runs most of its testing through individual Actions workflows, there are over two hundred required jobs that need to pass in order for a PR to turn green. It would be too tedious to maintain that list manually. You can regenerate the set of required checks automatically by running the [sync-checks.ts](pr-checks/sync-checks.ts) script:

- If you run the script without an argument, it will retrieve the set of workflows that ran for the latest commit on `main`. Make sure that your local `main` branch is up to date before running the script.
- You can specify a commit SHA as argument to retrieve the set of workflows for that commit instead. You will likely want to use this if you have a PR that removes or adds PR checks.
+- At a minimum, you must provide an argument for the `--token` input. For example, `--token "$(gh auth token)"` to use the same token that `gh` uses. If no token is provided or the token has insufficient permissions, the script will fail.
+- By default, the script performs a dry run and outputs information about the changes it would make to the branch protection rules. To actually apply the changes, specify the `--apply` flag.
+- If you run the script without any other arguments, it will retrieve the set of workflows that ran for the latest commit on `main`.
+- You can specify a different git ref with the `--ref` input. You will likely want to use this if you have a PR that removes or adds PR checks. For example, `--ref "some/branch/name"` to use the HEAD of the `some/branch/name` branch.

-After running, go to the [branch protection rules settings page](https://github.com/github/codeql-action/settings/branches) and validate that the rules for `main`, `v3`, and any other currently supported major versions have been updated.
+After running, go to the [branch protection rules settings page](https://github.com/github/codeql-action/settings/branches) and validate that the rules for `main`, `v4`, and any other currently supported major versions have been updated.

 Note that any updates to checks on `main` need to be backported to all currently supported major version branches, in order to maintain the same set of names for required checks.

@@ -92,7 +94,7 @@ We typically deprecate a version of CodeQL when the GitHub Enterprise Server (GH
 1. Remove support for the old version of CodeQL.
    - Bump `CODEQL_MINIMUM_VERSION` in `src/codeql.ts` to the new minimum version of CodeQL.
    - Remove any code that is only needed to support the old version of CodeQL. This is often behind a version guard, so look for instances of version numbers between the old minimum version and the new minimum version in the codebase. A good place to start is the list of version numbers in `src/codeql.ts`.
-    - Update the default set of CodeQL test versions in `pr-checks/sync.py`.
+    - Update the default set of CodeQL test versions in `pr-checks/sync.ts`.
        - Remove the old minimum version of CodeQL.
        - Add the latest patch release for any new CodeQL minor version series that have shipped in GHES.
        - Run the script to update the generated PR checks.
@@ -122,7 +124,7 @@ To deprecate an older version of the Action:
   - Implement an Actions warning for customers using the deprecated version.
 1. Wait for the deprecation period to pass.
 1. Upgrade the Actions warning for customers using the deprecated version to a non-fatal error, and mention that this version of the Action is no longer supported.
-1. Make a PR to bump the `OLDEST_SUPPORTED_MAJOR_VERSION` in [releases.ini](.github/releases.ini).  Once this PR is merged, the release process will no longer backport changes to the deprecated release version.
+1. Make a PR to bump the `OLDEST_SUPPORTED_MAJOR_VERSION` in [config.ts](pr-checks/config.ts).  Once this PR is merged, the release process will no longer backport changes to the deprecated release version.

 ## Resources

@@ -72,14 +72,23 @@ We typically release new minor versions of the CodeQL Action and Bundle when a n

 | Minimum CodeQL Action | Minimum CodeQL Bundle Version | GitHub Environment | Notes |
 |-----------------------|-------------------------------|--------------------|-------|
-| `v3.28.21`  | `2.21.3` | Enterprise Server 3.18 | |
-| `v3.28.12`  | `2.20.7` | Enterprise Server 3.17 | |
-| `v3.28.6`  | `2.20.3` | Enterprise Server 3.16 | |
-| `v3.28.6`  | `2.20.3` | Enterprise Server 3.15 | |
+| `v4.33.0` | `2.24.3` | Enterprise Server 3.21 | |
+| `v4.31.10` | `2.23.9` | Enterprise Server 3.20 | |
+| `v3.29.11` | `2.22.4` | Enterprise Server 3.19 | |
+| `v3.28.21` | `2.21.3` | Enterprise Server 3.18 | |
+| `v3.28.12` | `2.20.7` | Enterprise Server 3.17 | |
+| `v3.28.6` | `2.20.3` | Enterprise Server 3.16 | |
+| `v3.28.6` | `2.20.3` | Enterprise Server 3.15 | |
 | `v3.28.6` | `2.20.3` | Enterprise Server 3.14 | |

 See the full list of GHES release and deprecation dates at [GitHub Enterprise Server releases](https://docs.github.com/en/enterprise-server/admin/all-releases#releases-of-github-enterprise-server).

+## Keeping the CodeQL Action up to date in advanced setups
+
+If you are using an [advanced setup](https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/configuring-advanced-setup-for-code-scanning), we recommend referencing the CodeQL Action using a major version tag (e.g. `v4`) in your workflow file. This ensures your workflow automatically picks up the latest release within that major version, including bug fixes, new features, and updated CodeQL CLI versions.
+
+If you pin to a specific commit SHA or patch version tag, ensure you keep it updated (e.g. via [Dependabot](https://docs.github.com/en/code-security/dependabot/working-with-dependabot/keeping-your-actions-up-to-date-with-dependabot)). Some CodeQL Action features are enabled by server-side flags that may be removed over time, which can cause old versions to lose functionality.
+
 ## Troubleshooting

 Read about [troubleshooting code scanning](https://docs.github.com/en/code-security/code-scanning/troubleshooting-code-scanning).
@@ -0,0 +1,9 @@
+export default {
+  typescript: {
+    rewritePaths: {
+      "src/": "build/",
+    },
+    compile: false,
+  },
+  require: ["./ava.setup.mjs"],
+};
@@ -0,0 +1,3 @@
+import pkg from "./package.json" with { type: "json" };
+
+globalThis.__CODEQL_ACTION_VERSION__ = pkg.version;
@@ -1,10 +1,12 @@
-import { copyFile, rm } from "node:fs/promises";
+import { copyFile, rm, writeFile } from "node:fs/promises";
 import { dirname, join } from "node:path";
 import { fileURLToPath } from "node:url";

 import * as esbuild from "esbuild";
 import { globSync } from "glob";

+import pkg from "./package.json" with { type: "json" };
+
 const __filename = fileURLToPath(import.meta.url);
 const __dirname = dirname(__filename);

@@ -13,7 +15,7 @@ const OUT_DIR = join(__dirname, "lib");

 /**
 * Clean the output directory before building.
- * 
+ *
 * @type {esbuild.Plugin}
 */
 const cleanPlugin = {
@@ -27,7 +29,7 @@ const cleanPlugin = {

 /**
 * Copy defaults.json to the output directory since other projects depend on it.
- * 
+ *
 * @type {esbuild.Plugin}
 */
 const copyDefaultsPlugin = {
@@ -62,14 +64,24 @@ const onEndPlugin = {

 const context = await esbuild.context({
  // Include upload-lib.ts as an entry point for use in testing environments.
-  entryPoints: globSync([`${SRC_DIR}/*-action.ts`, `${SRC_DIR}/*-action-post.ts`, "src/upload-lib.ts"]),
+  entryPoints: globSync([
+    `${SRC_DIR}/*-action.ts`,
+    `${SRC_DIR}/*-action-post.ts`,
+    "src/upload-lib.ts",
+  ]),
  bundle: true,
  format: "cjs",
  outdir: OUT_DIR,
  platform: "node",
  plugins: [cleanPlugin, copyDefaultsPlugin, onEndPlugin],
  target: ["node20"],
+  define: {
+    __CODEQL_ACTION_VERSION__: JSON.stringify(pkg.version),
+  },
+  metafile: true,
 });

-await context.rebuild();
+const result = await context.rebuild();
+await writeFile(join(__dirname, "meta.json"), JSON.stringify(result.metafile));
+
 await context.dispose();
@@ -1,27 +1,18 @@
-// Automatically generated by running npx @eslint/migrate-config .eslintrc.json
-
-import path from "node:path";
-import { fileURLToPath } from "node:url";
-
-import { fixupConfigRules, fixupPluginRules } from "@eslint/compat";
-import { FlatCompat } from "@eslint/eslintrc";
+import { fixupPluginRules } from "@eslint/compat";
 import js from "@eslint/js";
-import typescriptEslint from "@typescript-eslint/eslint-plugin";
-import tsParser from "@typescript-eslint/parser";
-import filenames from "eslint-plugin-filenames";
 import github from "eslint-plugin-github";
-import _import from "eslint-plugin-import";
+import { importX, createNodeResolver } from "eslint-plugin-import-x";
+import { createTypeScriptImportResolver } from "eslint-import-resolver-typescript";
 import noAsyncForeach from "eslint-plugin-no-async-foreach";
 import jsdoc from "eslint-plugin-jsdoc";
+import tseslint from "typescript-eslint";
 import globals from "globals";
+import path from "path";
+import { fileURLToPath } from "url";

 const __filename = fileURLToPath(import.meta.url);
 const __dirname = path.dirname(__filename);
-const compat = new FlatCompat({
-  baseDirectory: __dirname,
-  recommendedConfig: js.configs.recommended,
-  allConfig: js.configs.all,
-});
+const githubFlatConfigs = github.getFlatConfigs();

 export default [
  {
@@ -32,33 +23,35 @@ export default [
      "src/testdata/**/*",
      "tests/**/*",
      "build.mjs",
+      "ava.config.mjs",
+      "ava.setup.mjs",
      "eslint.config.mjs",
      ".github/**/*",
    ],
  },
-  ...fixupConfigRules(
-    compat.extends(
-      "eslint:recommended",
-      "plugin:@typescript-eslint/recommended",
-      "plugin:@typescript-eslint/recommended-requiring-type-checking",
-      "plugin:github/recommended",
-      "plugin:github/typescript",
-      "plugin:import/typescript",
-    ),
-  ),
+  // eslint recommended config
+  js.configs.recommended,
+  // Type-checked rules from typescript-eslint
+  ...tseslint.configs.recommendedTypeChecked,
+  ...tseslint.configs.strict,
+  // eslint-plugin-github recommended config
+  githubFlatConfigs.recommended,
+  // eslint-plugin-github typescript config
+  ...githubFlatConfigs.typescript,
+  // import-x TypeScript settings
+  // This is needed for import-x rules to properly parse TypeScript files.
+  {
+    settings: importX.flatConfigs.typescript.settings,
+  },
  {
    plugins: {
-      "@typescript-eslint": fixupPluginRules(typescriptEslint),
-      filenames: fixupPluginRules(filenames),
-      github: fixupPluginRules(github),
-      import: fixupPluginRules(_import),
-      "no-async-foreach": noAsyncForeach,
-      "jsdoc": jsdoc,
+      "import-x": importX,
+      "no-async-foreach": fixupPluginRules(noAsyncForeach),
+      jsdoc: jsdoc,
    },

    languageOptions: {
-      parser: tsParser,
-      ecmaVersion: 5,
+      ecmaVersion: "latest",
      sourceType: "module",

      globals: {
@@ -78,11 +71,23 @@ export default [

        typescript: {},
      },
-      "import/ignore": ["sinon", "uuid", "@octokit/plugin-retry", "del", "get-folder-size"],
+      "import/ignore": [
+        "sinon",
+        "uuid",
+        "@octokit/plugin-retry",
+        "del",
+        "get-folder-size",
+      ],
+      "import-x/resolver-next": [
+        createTypeScriptImportResolver(),
+        createNodeResolver({
+          extensions: [".ts", ".js", ".json"],
+        }),
+      ],
    },

    rules: {
-      "filenames/match-regex": ["error", "^[a-z0-9-]+(\\.test)?$"],
+      "github/filenames-match-regex": ["error", "^[a-z0-9-]+(\\.test)?$"],
      "i18n-text/no-en": "off",

      "import/extensions": [
@@ -94,7 +99,10 @@ export default [

      "import/no-amd": "error",
      "import/no-commonjs": "error",
-      "import/no-cycle": "error",
+      // import/no-cycle does not seem to work with ESLint 9.
+      // Use import-x/no-cycle from eslint-plugin-import-x instead.
+      "import/no-cycle": "off",
+      "import-x/no-cycle": "error",
      "import/no-dynamic-require": "error",

      "import/no-extraneous-dependencies": [
@@ -132,6 +140,8 @@ export default [
      "no-async-foreach/no-async-foreach": "error",
      "no-sequences": "error",
      "no-shadow": "off",
+      // This is overly restrictive with unsetting `EnvVar`s
+      "@typescript-eslint/no-dynamic-delete": "off",
      "@typescript-eslint/no-shadow": "error",
      "@typescript-eslint/prefer-optional-chain": "error",
      "one-var": ["error", "never"],
@@ -143,7 +153,7 @@ export default [
          // We don't currently require full JSDoc coverage, so this rule
          // should not error on missing @param annotations.
          disableMissingParamChecks: true,
-        }
+        },
      ],
    },
  },
@@ -162,10 +172,41 @@ export default [
      "@typescript-eslint/no-unused-vars": [
        "error",
        {
-          "argsIgnorePattern": "^_",
-        }
+          args: "all",
+          argsIgnorePattern: "^_",
+        },
      ],
      "func-style": "off",
    },
  },
+  {
+    files: ["pr-checks/**/*.ts"],
+
+    languageOptions: {
+      parserOptions: {
+        // Use the correct `tsconfig.json` for `pr-checks`.
+        project: "./pr-checks/tsconfig.json",
+      },
+    },
+
+    rules: {
+      // The scripts in `pr-checks` are expected to output to the console.
+      "no-console": "off",
+
+      "import/no-extraneous-dependencies": [
+        "error",
+        { packageDir: [__dirname, path.resolve(__dirname, "pr-checks")] },
+      ],
+
+      "@typescript-eslint/no-floating-promises": [
+        "error",
+        {
+          allowForKnownSafeCalls: [
+            // Avoid needing explicit `void` in front of `describe` calls in test files.
+            { from: "package", name: ["describe"], package: "node:test" },
+          ],
+        },
+      ],
+    },
+  },
 ];
--- a/Show More
+++ b/Show More