Fix linitng issues.

We don't use them yet and will re-save them during analysis.

.github/actions/check-sarif/action.yml

@@ -16,5 +16,5 @@ inputs:
       Comma separated list of query ids that should NOT be included in this SARIF file.
 
 runs:
-  using: node20
+  using: node24
   main: index.js

.github/actions/release-initialise/action.yml

@@ -16,9 +16,9 @@ runs:
       shell: bash
 
     - name: Set up Python
-      uses: actions/setup-python@v6
+      uses: actions/setup-python@v5
       with:
-        python-version: '3.12'
+        python-version: 3.12
 
     - name: Install dependencies
       run: |

.github/actions/verify-debug-artifact-scan-completed/action.yml

@@ -1,6 +0,0 @@
-name: Verify that the best-effort debug artifact scan completed
-description: Verifies that the best-effort debug artifact scan completed successfully during tests
-runs:
-  using: node20
-  main: index.js
-  post: post.js

.github/actions/verify-debug-artifact-scan-completed/index.js

@@ -1,2 +0,0 @@
-// The main step is a no-op, since we can only verify artifact scan completion in the post step.
-console.log("Will verify artifact scan completion in the post step.");

.github/actions/verify-debug-artifact-scan-completed/post.js

@@ -1,11 +0,0 @@
-// Post step - runs after the workflow completes, when artifact scan has finished
-const process = require("process");
-
-const scanFinished = process.env.CODEQL_ACTION_ARTIFACT_SCAN_FINISHED;
-
-if (scanFinished !== "true") {
-  console.error("Error: Best-effort artifact scan did not complete. Expected CODEQL_ACTION_ARTIFACT_SCAN_FINISHED=true");
-  process.exit(1);
-}
-
-console.log("✓ Best-effort artifact scan completed successfully");

.github/dependabot.yml

@@ -4,41 +4,30 @@ updates:
     directory: "/"
     schedule:
       interval: weekly
-    cooldown:
-      default-days: 7
-      exclude:
-        - "@actions/*"
     labels:
       - Rebuild
     # Ignore incompatible dependency updates
     ignore:
-      # This is broken due to the way configuration files have changed.
+      # There is a type incompatibility issue between v0.0.9 and our other dependencies.
+      - dependency-name: "@octokit/plugin-retry"
+        versions: ["~6.0.0"]
+      # This is broken due to the way configuration files have changed. 
       # This might be fixed when we move to eslint v9.
       - dependency-name: "eslint-plugin-import"
         versions: [">=2.30.0"]
     groups:
-      npm-minor:
+      npm:
         patterns:
           - "*"
-        update-types:
-          - "minor"
-          - "patch"
   - package-ecosystem: github-actions
     directories:
       - "/.github/workflows"
       - "/.github/actions"
     schedule:
       interval: weekly
-    cooldown:
-      default-days: 7
-      exclude:
-        - "actions/*"
     labels:
       - Rebuild
     groups:
-      actions-minor:
+      actions:
         patterns:
           - "*"
-        update-types:
-          - "minor"
-          - "patch"

.github/pull_request_template.md

@@ -18,25 +18,14 @@ For internal use only. Please select the risk level of this change:
 
 #### Which use cases does this change impact?
 
-<!-- Delete options that don't apply. If in doubt, do not delete an option. -->
+<!-- Delete options that don't apply. -->
 
-Workflow types:
-
-- **Advanced setup** - Impacts users who have custom CodeQL workflows.
-- **Managed** - Impacts users with `dynamic` workflows (Default Setup, Code Quality, ...).
-
-Products:
-
-- **Code Scanning** - The changes impact analyses when `analysis-kinds: code-scanning`.
-- **Code Quality** - The changes impact analyses when `analysis-kinds: code-quality`.
-- **Other first-party** - The changes impact other first-party analyses.
-- **Third-party analyses** - The changes affect the `upload-sarif` action.
-
-Environments:
-
-- **Dotcom** - Impacts CodeQL workflows on `github.com` and/or GitHub Enterprise Cloud with Data Residency.
-- **GHES** - Impacts CodeQL workflows on GitHub Enterprise Server.
-- **Testing/None** - This change does not impact any CodeQL workflows in production.
+- **Advanced setup** - Impacts users who have custom workflows.
+- **Default setup** - Impacts users who use default setup.
+- **Code Scanning** - Impacts Code Scanning (i.e. `analysis-kinds: code-scanning`).
+- **Code Quality** - Impacts Code Quality (i.e. `analysis-kinds: code-quality`).
+- **Third-party analyses** - Impacts third-party analyses (i.e. `upload-sarif`).
+- **GHES** - Impacts GitHub Enterprise Server.
 
 #### How did/will you validate this change?
 
@@ -54,7 +43,6 @@ Environments:
 
 - **Feature flags** - All new or changed code paths can be fully disabled with corresponding feature flags.
 - **Rollback** - Change can only be disabled by rolling back the release or releasing a new version with a fix.
-- **Development/testing only** - This change cannot cause any failures in production.
 - **Other** - Please provide details.
 
 #### How will you know if something goes wrong after this change is released?
@@ -66,15 +54,6 @@ Environments:
     - **Alerts** - New or existing monitors will trip if something goes wrong with this change.
 - **Other** - Please provide details.
 
-#### Are there any special considerations for merging or releasing this change?
-
-<!--
-    Consider whether this change depends on a different change in another repository that should be released first.
--->
-
-- **No special considerations** - This change can be merged at any time.
-- **Special considerations** - This change should only be merged once certain preconditions are met. Please provide details of those or link to this PR from an internal issue.
-
 ### Merge / deployment checklist
 
 - Confirm this change is backwards compatible with existing workflows.

.github/sizeup.yml

@@ -1,55 +0,0 @@
-labeling:
-  applyCategoryLabels: true
-  categoryLabelPrefix: "size/"
-
-commenting:
-  addCommentWhenScoreThresholdHasBeenExceeded: false
-
-sizeup:
-  categories:
-    - name: extra small
-      lte: 25
-      label:
-        name: XS
-        description: Should be very easy to review
-        color: 3cbf00
-    - name: small
-      lte: 100
-      label:
-        name: S
-        description: Should be easy to review
-        color: 5d9801
-    - name: medium
-      lte: 250
-      label:
-        name: M
-        description: Should be of average difficulty to review
-        color: 7f7203
-    - name: large
-      lte: 500
-      label:
-        name: L
-        description: May be hard to review
-        color: a14c05
-    - name: extra large
-      lte: 1000
-      label:
-        name: XL
-        description: May be very hard to review
-        color: c32607
-    - name: extra extra large
-      label:
-        name: XXL
-        description: May be extremely hard to review
-        color: e50009
-  ignoredFilePatterns:
-    - ".github/workflows/__*"
-    - "lib/**/*"
-    - "package-lock.json"
-  testFilePatterns:
-    - "**/*.test.ts"
-  scoring:
-    # This formula and the aliases below it are written in prefix notation.
-    # For an explanation of how this works, please see:
-    # https://github.com/lerebear/sizeup-core/blob/main/README.md#prefix-notation
-    formula: "- - + additions deletions comments whitespace"

.github/update-release-branch.py

@@ -71,9 +71,8 @@ def open_pr(
     body.append('')
     body.append('Contains the following pull requests:')
     for pr in pull_requests:
-      # Use PR author if they are GitHub staff, otherwise use the merger
-      display_user = get_pr_author_if_staff(pr) or get_merger_of_pr(repo, pr)
-      body.append(f'- #{pr.number} (@{display_user})')
+      merger = get_merger_of_pr(repo, pr)
+      body.append(f'- #{pr.number} (@{merger})')
 
   # List all commits not part of a PR
   if len(commits_without_pull_requests) > 0:
@@ -169,14 +168,6 @@ def get_pr_for_commit(commit):
 def get_merger_of_pr(repo, pr):
   return repo.get_commit(pr.merge_commit_sha).author.login
 
-# Get the PR author if they are GitHub staff, otherwise None.
-def get_pr_author_if_staff(pr):
-  if pr.user is None:
-    return None
-  if getattr(pr.user, 'site_admin', False):
-    return pr.user.login
-  return None
-
 def get_current_version():
   with open('package.json', 'r') as f:
     return json.load(f)['version']
@@ -190,9 +181,9 @@ def replace_version_package_json(prev_version, new_version):
       print(line.replace(prev_version, new_version), end='')
     else:
       prev_line_is_codeql = False
-      print(line, end='')
+      print(line, end='') 
     if '\"name\": \"codeql\",' in line:
-        prev_line_is_codeql = True
+        prev_line_is_codeql = True 
 
 def get_today_string():
   today = datetime.datetime.today()
@@ -380,10 +371,10 @@ def main():
       # releases.
       run_git('revert', vOlder_update_commits[0], '--no-edit')
 
-      # Also revert the "Rebuild" commit created by Actions.
-      rebuild_commit = run_git('log', '--grep', '^Rebuild$', '--format=%H').split()[0]
-      print(f'  Reverting {rebuild_commit}')
-      run_git('revert', rebuild_commit, '--no-edit')
+      # Also revert the "Update checked-in dependencies" commit created by Actions.
+      update_dependencies_commit = run_git('log', '--grep', '^Update checked-in dependencies', '--format=%H').split()[0]
+      print(f'  Reverting {update_dependencies_commit}')
+      run_git('revert', update_dependencies_commit, '--no-edit')
 
     else:
       print('  Nothing to revert.')

.github/workflows/__all-platform-bundle.yml

@@ -18,9 +18,6 @@ on:
       - synchronize
       - reopened
       - ready_for_review
-  merge_group:
-    types:
-      - checks_requested
   schedule:
     - cron: '0 5 * * *'
   workflow_dispatch:
@@ -30,11 +27,6 @@ on:
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
   workflow_call:
     inputs:
       go-version:
@@ -42,18 +34,12 @@ on:
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
 defaults:
   run:
     shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group:
-    all-platform-bundle-${{github.ref}}-${{inputs.go-version}}-${{inputs.dotnet-version}}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
   all-platform-bundle:
     strategy:
@@ -75,7 +61,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
       - name: Check out repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@v5
       - name: Prepare test
         id: prepare-test
         uses: ./.github/actions/prepare-test
@@ -88,10 +74,6 @@ jobs:
         with:
           go-version: ${{ inputs.go-version || '>=1.21.0' }}
           cache: false
-      - name: Install .NET
-        uses: actions/setup-dotnet@v5
-        with:
-          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
       - id: init
         uses: ./../action/init
         with:

.github/workflows/__analyze-ref-input.yml

@@ -18,9 +18,6 @@ on:
       - synchronize
       - reopened
       - ready_for_review
-  merge_group:
-    types:
-      - checks_requested
   schedule:
     - cron: '0 5 * * *'
   workflow_dispatch:
@@ -30,16 +27,6 @@ on:
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
-      python-version:
-        type: string
-        description: The version of Python to install
-        required: false
-        default: '3.13'
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
   workflow_call:
     inputs:
       go-version:
@@ -47,23 +34,12 @@ on:
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
-      python-version:
-        type: string
-        description: The version of Python to install
-        required: false
-        default: '3.13'
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
 defaults:
   run:
     shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group:
-    analyze-ref-input-${{github.ref}}-${{inputs.go-version}}-${{inputs.python-version}}-${{inputs.dotnet-version}}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
   analyze-ref-input:
     strategy:
@@ -81,7 +57,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
       - name: Check out repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@v5
       - name: Prepare test
         id: prepare-test
         uses: ./.github/actions/prepare-test
@@ -94,15 +70,6 @@ jobs:
         with:
           go-version: ${{ inputs.go-version || '>=1.21.0' }}
           cache: false
-      - name: Install Python
-        if: matrix.version != 'nightly-latest'
-        uses: actions/setup-python@v6
-        with:
-          python-version: ${{ inputs.python-version || '3.13' }}
-      - name: Install .NET
-        uses: actions/setup-dotnet@v5
-        with:
-          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
       - uses: ./../action/init
         with:
           tools: ${{ steps.prepare-test.outputs.tools-url }}

.github/workflows/__autobuild-action.yml

@@ -18,31 +18,18 @@ on:
       - synchronize
       - reopened
       - ready_for_review
-  merge_group:
-    types:
-      - checks_requested
   schedule:
     - cron: '0 5 * * *'
   workflow_dispatch:
-    inputs:
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
+    inputs: {}
   workflow_call:
-    inputs:
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
+    inputs: {}
 defaults:
   run:
     shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: autobuild-action-${{github.ref}}-${{inputs.dotnet-version}}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
   autobuild-action:
     strategy:
@@ -64,7 +51,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
       - name: Check out repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@v5
       - name: Prepare test
         id: prepare-test
         uses: ./.github/actions/prepare-test
@@ -72,10 +59,6 @@ jobs:
           version: ${{ matrix.version }}
           use-all-platform-bundle: 'false'
           setup-kotlin: 'true'
-      - name: Install .NET
-        uses: actions/setup-dotnet@v5
-        with:
-          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
       - uses: ./../action/init
         with:
           languages: csharp

.github/workflows/__autobuild-direct-tracing-with-working-dir.yml

@@ -18,9 +18,6 @@ on:
       - synchronize
       - reopened
       - ready_for_review
-  merge_group:
-    types:
-      - checks_requested
   schedule:
     - cron: '0 5 * * *'
   workflow_dispatch:
@@ -41,9 +38,8 @@ defaults:
   run:
     shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group:
-    autobuild-direct-tracing-with-working-dir-${{github.ref}}-${{inputs.java-version}}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
   autobuild-direct-tracing-with-working-dir:
     strategy:
@@ -67,7 +63,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
       - name: Check out repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@v5
       - name: Prepare test
         id: prepare-test
         uses: ./.github/actions/prepare-test

.github/workflows/__autobuild-working-dir.yml

@@ -18,9 +18,6 @@ on:
       - synchronize
       - reopened
       - ready_for_review
-  merge_group:
-    types:
-      - checks_requested
   schedule:
     - cron: '0 5 * * *'
   workflow_dispatch:
@@ -31,8 +28,8 @@ defaults:
   run:
     shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: autobuild-working-dir-${{github.ref}}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
   autobuild-working-dir:
     strategy:
@@ -50,7 +47,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
       - name: Check out repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@v5
       - name: Prepare test
         id: prepare-test
         uses: ./.github/actions/prepare-test

.github/workflows/__build-mode-autobuild.yml

@@ -18,9 +18,6 @@ on:
       - synchronize
       - reopened
       - ready_for_review
-  merge_group:
-    types:
-      - checks_requested
   schedule:
     - cron: '0 5 * * *'
   workflow_dispatch:
@@ -41,8 +38,8 @@ defaults:
   run:
     shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: build-mode-autobuild-${{github.ref}}-${{inputs.java-version}}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
   build-mode-autobuild:
     strategy:
@@ -66,7 +63,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
       - name: Check out repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@v5
       - name: Prepare test
         id: prepare-test
         uses: ./.github/actions/prepare-test
@@ -79,14 +76,6 @@ jobs:
         with:
           java-version: ${{ inputs.java-version || '17' }}
           distribution: temurin
-      - name: Install yq
-        if: runner.os == 'Windows'
-        env:
-          YQ_PATH: ${{ runner.temp }}/yq
-          YQ_VERSION: v4.50.1
-        run: |-
-          gh release download --repo mikefarah/yq --pattern "yq_windows_amd64.exe" "$YQ_VERSION" -O "$YQ_PATH/yq.exe"
-          echo "$YQ_PATH" >> "$GITHUB_PATH"
       - name: Set up Java test repo configuration
         run: |
           mv * .github ../action/tests/multi-language-repo/
@@ -101,6 +90,11 @@ jobs:
           languages: java
           tools: ${{ steps.prepare-test.outputs.tools-url }}
 
+      - name: Install yq
+        if: runner.os == 'Windows'
+        run: |
+          choco install yq -y
+
       - name: Validate database build mode
         run: |
           metadata_path="$RUNNER_TEMP/customDbLocation/java/codeql-database.yml"

.github/workflows/__build-mode-manual.yml

@@ -18,9 +18,6 @@ on:
       - synchronize
       - reopened
       - ready_for_review
-  merge_group:
-    types:
-      - checks_requested
   schedule:
     - cron: '0 5 * * *'
   workflow_dispatch:
@@ -30,11 +27,6 @@ on:
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
   workflow_call:
     inputs:
       go-version:
@@ -42,18 +34,12 @@ on:
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
 defaults:
   run:
     shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group:
-    build-mode-manual-${{github.ref}}-${{inputs.go-version}}-${{inputs.dotnet-version}}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
   build-mode-manual:
     strategy:
@@ -71,7 +57,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
       - name: Check out repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@v5
       - name: Prepare test
         id: prepare-test
         uses: ./.github/actions/prepare-test
@@ -84,10 +70,6 @@ jobs:
         with:
           go-version: ${{ inputs.go-version || '>=1.21.0' }}
           cache: false
-      - name: Install .NET
-        uses: actions/setup-dotnet@v5
-        with:
-          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
       - uses: ./../action/init
         id: init
         with:

.github/workflows/__build-mode-none.yml

@@ -18,9 +18,6 @@ on:
       - synchronize
       - reopened
       - ready_for_review
-  merge_group:
-    types:
-      - checks_requested
   schedule:
     - cron: '0 5 * * *'
   workflow_dispatch:
@@ -31,8 +28,8 @@ defaults:
   run:
     shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: build-mode-none-${{github.ref}}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
   build-mode-none:
     strategy:
@@ -52,7 +49,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
       - name: Check out repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@v5
       - name: Prepare test
         id: prepare-test
         uses: ./.github/actions/prepare-test

.github/workflows/__build-mode-rollback.yml

@@ -18,9 +18,6 @@ on:
       - synchronize
       - reopened
       - ready_for_review
-  merge_group:
-    types:
-      - checks_requested
   schedule:
     - cron: '0 5 * * *'
   workflow_dispatch:
@@ -31,8 +28,8 @@ defaults:
   run:
     shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: build-mode-rollback-${{github.ref}}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
   build-mode-rollback:
     strategy:
@@ -50,7 +47,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
       - name: Check out repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@v5
       - name: Prepare test
         id: prepare-test
         uses: ./.github/actions/prepare-test

.github/workflows/__bundle-from-nightly.yml

@@ -1,72 +0,0 @@
-# Warning: This file is generated automatically, and should not be modified.
-# Instead, please modify the template in the pr-checks directory and run:
-#     pr-checks/sync.sh
-# to regenerate this file.
-
-name: 'PR Check - Bundle: From nightly'
-env:
-  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-  GO111MODULE: auto
-on:
-  push:
-    branches:
-      - main
-      - releases/v*
-  pull_request:
-    types:
-      - opened
-      - synchronize
-      - reopened
-      - ready_for_review
-  merge_group:
-    types:
-      - checks_requested
-  schedule:
-    - cron: '0 5 * * *'
-  workflow_dispatch:
-    inputs: {}
-  workflow_call:
-    inputs: {}
-defaults:
-  run:
-    shell: bash
-concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: bundle-from-nightly-${{github.ref}}
-jobs:
-  bundle-from-nightly:
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - os: ubuntu-latest
-            version: linked
-    name: 'Bundle: From nightly'
-    if: github.triggering_actor != 'dependabot[bot]'
-    permissions:
-      contents: read
-      security-events: read
-    timeout-minutes: 45
-    runs-on: ${{ matrix.os }}
-    steps:
-      - name: Check out repository
-        uses: actions/checkout@v6
-      - name: Prepare test
-        id: prepare-test
-        uses: ./.github/actions/prepare-test
-        with:
-          version: ${{ matrix.version }}
-          use-all-platform-bundle: 'false'
-          setup-kotlin: 'true'
-      - id: init
-        uses: ./../action/init
-        env:
-          CODEQL_ACTION_FORCE_NIGHTLY: true
-        with:
-          tools: ${{ steps.prepare-test.outputs.tools-url }}
-          languages: javascript
-      - name: Fail if the CodeQL version is not a nightly
-        if: "!contains(steps.init.outputs.codeql-version, '+')"
-        run: exit 1
-    env:
-      CODEQL_ACTION_TEST_MODE: true

.github/workflows/__bundle-from-toolcache.yml

@@ -18,9 +18,6 @@ on:
       - synchronize
       - reopened
       - ready_for_review
-  merge_group:
-    types:
-      - checks_requested
   schedule:
     - cron: '0 5 * * *'
   workflow_dispatch:
@@ -31,8 +28,8 @@ defaults:
   run:
     shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: bundle-from-toolcache-${{github.ref}}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
   bundle-from-toolcache:
     strategy:
@@ -50,7 +47,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
       - name: Check out repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@v5
       - name: Prepare test
         id: prepare-test
         uses: ./.github/actions/prepare-test
@@ -59,7 +56,7 @@ jobs:
           use-all-platform-bundle: 'false'
           setup-kotlin: 'true'
       - name: Install @actions/tool-cache
-        run: npm install @actions/tool-cache@3
+        run: npm install @actions/tool-cache
       - name: Check toolcache contains CodeQL
         continue-on-error: true
         uses: actions/github-script@v8
@@ -70,9 +67,10 @@ jobs:
             if (allCodeqlVersions.length === 0) {
               throw new Error(`CodeQL could not be found in the toolcache`);
             }
-      - id: setup-codeql
-        uses: ./../action/setup-codeql
+      - id: init
+        uses: ./../action/init
         with:
+          languages: javascript
           tools: ${{ steps.prepare-test.outputs.tools-url }}
       - name: Check CodeQL is installed within the toolcache
         uses: actions/github-script@v8

.github/workflows/__bundle-toolcache.yml

@@ -18,9 +18,6 @@ on:
       - synchronize
       - reopened
       - ready_for_review
-  merge_group:
-    types:
-      - checks_requested
   schedule:
     - cron: '0 5 * * *'
   workflow_dispatch:
@@ -31,8 +28,8 @@ defaults:
   run:
     shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: bundle-toolcache-${{github.ref}}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
   bundle-toolcache:
     strategy:
@@ -54,7 +51,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
       - name: Check out repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@v5
       - name: Prepare test
         id: prepare-test
         uses: ./.github/actions/prepare-test
@@ -71,7 +68,7 @@ jobs:
             const codeqlPath = path.join(process.env['RUNNER_TOOL_CACHE'], 'CodeQL');
             fs.rmdirSync(codeqlPath, { recursive: true });
       - name: Install @actions/tool-cache
-        run: npm install @actions/tool-cache@3
+        run: npm install @actions/tool-cache
       - name: Check toolcache does not contain CodeQL
         uses: actions/github-script@v8
         with:

.github/workflows/__bundle-zstd.yml

@@ -18,9 +18,6 @@ on:
       - synchronize
       - reopened
       - ready_for_review
-  merge_group:
-    types:
-      - checks_requested
   schedule:
     - cron: '0 5 * * *'
   workflow_dispatch:
@@ -31,8 +28,8 @@ defaults:
   run:
     shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: bundle-zstd-${{github.ref}}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
   bundle-zstd:
     strategy:
@@ -54,7 +51,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
       - name: Check out repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@v5
       - name: Prepare test
         id: prepare-test
         uses: ./.github/actions/prepare-test
@@ -82,7 +79,7 @@ jobs:
           output: ${{ runner.temp }}/results
           upload-database: false
       - name: Upload SARIF
-        uses: actions/upload-artifact@v6
+        uses: actions/upload-artifact@v4
         with:
           name: ${{ matrix.os }}-zstd-bundle.sarif
           path: ${{ runner.temp }}/results/javascript.sarif

.github/workflows/__cleanup-db-cluster-dir.yml

@@ -18,9 +18,6 @@ on:
       - synchronize
       - reopened
       - ready_for_review
-  merge_group:
-    types:
-      - checks_requested
   schedule:
     - cron: '0 5 * * *'
   workflow_dispatch:
@@ -31,8 +28,8 @@ defaults:
   run:
     shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: cleanup-db-cluster-dir-${{github.ref}}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
   cleanup-db-cluster-dir:
     strategy:
@@ -50,7 +47,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
       - name: Check out repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@v5
       - name: Prepare test
         id: prepare-test
         uses: ./.github/actions/prepare-test

.github/workflows/__config-export.yml

@@ -18,9 +18,6 @@ on:
       - synchronize
       - reopened
       - ready_for_review
-  merge_group:
-    types:
-      - checks_requested
   schedule:
     - cron: '0 5 * * *'
   workflow_dispatch:
@@ -31,8 +28,8 @@ defaults:
   run:
     shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: config-export-${{github.ref}}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
   config-export:
     strategy:
@@ -52,7 +49,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
       - name: Check out repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@v5
       - name: Prepare test
         id: prepare-test
         uses: ./.github/actions/prepare-test
@@ -70,7 +67,7 @@ jobs:
           output: ${{ runner.temp }}/results
           upload-database: false
       - name: Upload SARIF
-        uses: actions/upload-artifact@v6
+        uses: actions/upload-artifact@v4
         with:
           name: config-export-${{ matrix.os }}-${{ matrix.version }}.sarif.json
           path: ${{ runner.temp }}/results/javascript.sarif

.github/workflows/__config-input.yml

@@ -18,9 +18,6 @@ on:
       - synchronize
       - reopened
       - ready_for_review
-  merge_group:
-    types:
-      - checks_requested
   schedule:
     - cron: '0 5 * * *'
   workflow_dispatch:
@@ -31,8 +28,8 @@ defaults:
   run:
     shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: config-input-${{github.ref}}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
   config-input:
     strategy:
@@ -50,9 +47,9 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
       - name: Check out repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@v5
       - name: Install Node.js
-        uses: actions/setup-node@v6
+        uses: actions/setup-node@v5
         with:
           node-version: 20.x
           cache: npm

.github/workflows/__cpp-deptrace-disabled.yml

@@ -18,9 +18,6 @@ on:
       - synchronize
       - reopened
       - ready_for_review
-  merge_group:
-    types:
-      - checks_requested
   schedule:
     - cron: '0 5 * * *'
   workflow_dispatch:
@@ -31,8 +28,8 @@ defaults:
   run:
     shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: cpp-deptrace-disabled-${{github.ref}}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
   cpp-deptrace-disabled:
     strategy:
@@ -54,7 +51,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
       - name: Check out repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@v5
       - name: Prepare test
         id: prepare-test
         uses: ./.github/actions/prepare-test

.github/workflows/__cpp-deptrace-enabled-on-macos.yml

@@ -18,9 +18,6 @@ on:
       - synchronize
       - reopened
       - ready_for_review
-  merge_group:
-    types:
-      - checks_requested
   schedule:
     - cron: '0 5 * * *'
   workflow_dispatch:
@@ -31,8 +28,8 @@ defaults:
   run:
     shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: cpp-deptrace-enabled-on-macos-${{github.ref}}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
   cpp-deptrace-enabled-on-macos:
     strategy:
@@ -52,7 +49,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
       - name: Check out repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@v5
       - name: Prepare test
         id: prepare-test
         uses: ./.github/actions/prepare-test

.github/workflows/__cpp-deptrace-enabled.yml

@@ -18,9 +18,6 @@ on:
       - synchronize
       - reopened
       - ready_for_review
-  merge_group:
-    types:
-      - checks_requested
   schedule:
     - cron: '0 5 * * *'
   workflow_dispatch:
@@ -31,8 +28,8 @@ defaults:
   run:
     shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: cpp-deptrace-enabled-${{github.ref}}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
   cpp-deptrace-enabled:
     strategy:
@@ -54,7 +51,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
       - name: Check out repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@v5
       - name: Prepare test
         id: prepare-test
         uses: ./.github/actions/prepare-test

.github/workflows/__diagnostics-export.yml

@@ -18,9 +18,6 @@ on:
       - synchronize
       - reopened
       - ready_for_review
-  merge_group:
-    types:
-      - checks_requested
   schedule:
     - cron: '0 5 * * *'
   workflow_dispatch:
@@ -31,8 +28,8 @@ defaults:
   run:
     shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: diagnostics-export-${{github.ref}}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
   diagnostics-export:
     strategy:
@@ -52,7 +49,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
       - name: Check out repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@v5
       - name: Prepare test
         id: prepare-test
         uses: ./.github/actions/prepare-test
@@ -81,7 +78,7 @@ jobs:
           output: ${{ runner.temp }}/results
           upload-database: false
       - name: Upload SARIF
-        uses: actions/upload-artifact@v6
+        uses: actions/upload-artifact@v4
         with:
           name: diagnostics-export-${{ matrix.os }}-${{ matrix.version }}.sarif.json
           path: ${{ runner.temp }}/results/javascript.sarif

.github/workflows/__export-file-baseline-information.yml

@@ -18,9 +18,6 @@ on:
       - synchronize
       - reopened
       - ready_for_review
-  merge_group:
-    types:
-      - checks_requested
   schedule:
     - cron: '0 5 * * *'
   workflow_dispatch:
@@ -30,11 +27,6 @@ on:
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
   workflow_call:
     inputs:
       go-version:
@@ -42,18 +34,12 @@ on:
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
 defaults:
   run:
     shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group:
-    export-file-baseline-information-${{github.ref}}-${{inputs.go-version}}-${{inputs.dotnet-version}}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
   export-file-baseline-information:
     strategy:
@@ -75,7 +61,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
       - name: Check out repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@v5
       - name: Prepare test
         id: prepare-test
         uses: ./.github/actions/prepare-test
@@ -88,10 +74,6 @@ jobs:
         with:
           go-version: ${{ inputs.go-version || '>=1.21.0' }}
           cache: false
-      - name: Install .NET
-        uses: actions/setup-dotnet@v5
-        with:
-          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
       - uses: ./../action/init
         id: init
         with:
@@ -103,7 +85,7 @@ jobs:
         with:
           output: ${{ runner.temp }}/results
       - name: Upload SARIF
-        uses: actions/upload-artifact@v6
+        uses: actions/upload-artifact@v4
         with:
           name: with-baseline-information-${{ matrix.os }}-${{ matrix.version }}.sarif.json
           path: ${{ runner.temp }}/results/javascript.sarif
@@ -128,6 +110,5 @@ jobs:
             fi
           done
     env:
-      CODEQL_ACTION_SKIP_FILE_COVERAGE_ON_PRS: false
       CODEQL_ACTION_SUBLANGUAGE_FILE_COVERAGE: true
       CODEQL_ACTION_TEST_MODE: true

.github/workflows/__extractor-ram-threads.yml

@@ -18,9 +18,6 @@ on:
       - synchronize
       - reopened
       - ready_for_review
-  merge_group:
-    types:
-      - checks_requested
   schedule:
     - cron: '0 5 * * *'
   workflow_dispatch:
@@ -31,8 +28,8 @@ defaults:
   run:
     shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: extractor-ram-threads-${{github.ref}}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
   extractor-ram-threads:
     strategy:
@@ -50,7 +47,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
       - name: Check out repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@v5
       - name: Prepare test
         id: prepare-test
         uses: ./.github/actions/prepare-test

.github/workflows/__global-proxy.yml

@@ -18,9 +18,6 @@ on:
       - synchronize
       - reopened
       - ready_for_review
-  merge_group:
-    types:
-      - checks_requested
   schedule:
     - cron: '0 5 * * *'
   workflow_dispatch:
@@ -31,8 +28,8 @@ defaults:
   run:
     shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: global-proxy-${{github.ref}}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
   global-proxy:
     strategy:
@@ -51,8 +48,20 @@ jobs:
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:
+  # These steps are required to initialise the `gh` cli in a container that doesn't
+  # come pre-installed with it. The reason for that is that this is later
+  # needed by the `prepare-test` workflow to find the latest release of CodeQL.
+      - name: Set up GitHub CLI
+        run: |
+          apt update
+          apt install -y curl libreadline8 gnupg2 software-properties-common zstd
+          curl -fsSL https://cli.github.com/packages/githubcli-archive-keyring.gpg | dd of=/usr/share/keyrings/githubcli-archive-keyring.gpg
+          apt-key add /usr/share/keyrings/githubcli-archive-keyring.gpg
+          apt-add-repository https://cli.github.com/packages
+          apt install -y gh
+        env: {}
       - name: Check out repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@v5
       - name: Prepare test
         id: prepare-test
         uses: ./.github/actions/prepare-test
@@ -67,7 +76,6 @@ jobs:
       - uses: ./../action/analyze
     env:
       https_proxy: http://squid-proxy:3128
-      CODEQL_ACTION_TOLERATE_MISSING_GIT_VERSION: true
       CODEQL_ACTION_TEST_MODE: true
     container:
       image: ubuntu:22.04

.github/workflows/__go-custom-queries.yml

@@ -18,9 +18,6 @@ on:
       - synchronize
       - reopened
       - ready_for_review
-  merge_group:
-    types:
-      - checks_requested
   schedule:
     - cron: '0 5 * * *'
   workflow_dispatch:
@@ -30,11 +27,6 @@ on:
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
   workflow_call:
     inputs:
       go-version:
@@ -42,18 +34,12 @@ on:
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
 defaults:
   run:
     shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group:
-    go-custom-queries-${{github.ref}}-${{inputs.go-version}}-${{inputs.dotnet-version}}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
   go-custom-queries:
     strategy:
@@ -73,7 +59,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
       - name: Check out repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@v5
       - name: Prepare test
         id: prepare-test
         uses: ./.github/actions/prepare-test
@@ -86,10 +72,6 @@ jobs:
         with:
           go-version: ${{ inputs.go-version || '>=1.21.0' }}
           cache: false
-      - name: Install .NET
-        uses: actions/setup-dotnet@v5
-        with:
-          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
       - uses: ./../action/init
         with:
           languages: go

.github/workflows/__go-indirect-tracing-workaround-diagnostic.yml

@@ -18,9 +18,6 @@ on:
       - synchronize
       - reopened
       - ready_for_review
-  merge_group:
-    types:
-      - checks_requested
   schedule:
     - cron: '0 5 * * *'
   workflow_dispatch:
@@ -41,8 +38,8 @@ defaults:
   run:
     shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: go-indirect-tracing-workaround-diagnostic-${{github.ref}}-${{inputs.go-version}}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
   go-indirect-tracing-workaround-diagnostic:
     strategy:
@@ -60,7 +57,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
       - name: Check out repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@v5
       - name: Prepare test
         id: prepare-test
         uses: ./.github/actions/prepare-test

.github/workflows/__go-indirect-tracing-workaround-no-file-program.yml

@@ -18,9 +18,6 @@ on:
       - synchronize
       - reopened
       - ready_for_review
-  merge_group:
-    types:
-      - checks_requested
   schedule:
     - cron: '0 5 * * *'
   workflow_dispatch:
@@ -41,9 +38,8 @@ defaults:
   run:
     shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group:
-    go-indirect-tracing-workaround-no-file-program-${{github.ref}}-${{inputs.go-version}}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
   go-indirect-tracing-workaround-no-file-program:
     strategy:
@@ -61,7 +57,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
       - name: Check out repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@v5
       - name: Prepare test
         id: prepare-test
         uses: ./.github/actions/prepare-test

.github/workflows/__go-indirect-tracing-workaround.yml

@@ -18,9 +18,6 @@ on:
       - synchronize
       - reopened
       - ready_for_review
-  merge_group:
-    types:
-      - checks_requested
   schedule:
     - cron: '0 5 * * *'
   workflow_dispatch:
@@ -41,8 +38,8 @@ defaults:
   run:
     shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: go-indirect-tracing-workaround-${{github.ref}}-${{inputs.go-version}}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
   go-indirect-tracing-workaround:
     strategy:
@@ -60,7 +57,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
       - name: Check out repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@v5
       - name: Prepare test
         id: prepare-test
         uses: ./.github/actions/prepare-test

.github/workflows/__go-tracing-autobuilder.yml

@@ -18,9 +18,6 @@ on:
       - synchronize
       - reopened
       - ready_for_review
-  merge_group:
-    types:
-      - checks_requested
   schedule:
     - cron: '0 5 * * *'
   workflow_dispatch:
@@ -41,8 +38,8 @@ defaults:
   run:
     shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: go-tracing-autobuilder-${{github.ref}}-${{inputs.go-version}}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
   go-tracing-autobuilder:
     strategy:
@@ -94,7 +91,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
       - name: Check out repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@v5
       - name: Prepare test
         id: prepare-test
         uses: ./.github/actions/prepare-test

.github/workflows/__go-tracing-custom-build-steps.yml

@@ -18,9 +18,6 @@ on:
       - synchronize
       - reopened
       - ready_for_review
-  merge_group:
-    types:
-      - checks_requested
   schedule:
     - cron: '0 5 * * *'
   workflow_dispatch:
@@ -41,8 +38,8 @@ defaults:
   run:
     shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: go-tracing-custom-build-steps-${{github.ref}}-${{inputs.go-version}}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
   go-tracing-custom-build-steps:
     strategy:
@@ -94,7 +91,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
       - name: Check out repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@v5
       - name: Prepare test
         id: prepare-test
         uses: ./.github/actions/prepare-test

.github/workflows/__go-tracing-legacy-workflow.yml

@@ -18,9 +18,6 @@ on:
       - synchronize
       - reopened
       - ready_for_review
-  merge_group:
-    types:
-      - checks_requested
   schedule:
     - cron: '0 5 * * *'
   workflow_dispatch:
@@ -41,8 +38,8 @@ defaults:
   run:
     shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: go-tracing-legacy-workflow-${{github.ref}}-${{inputs.go-version}}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
   go-tracing-legacy-workflow:
     strategy:
@@ -94,7 +91,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
       - name: Check out repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@v5
       - name: Prepare test
         id: prepare-test
         uses: ./.github/actions/prepare-test

.github/workflows/__go.yml

@@ -8,6 +8,9 @@ env:
   GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
   GO111MODULE: auto
 on:
+  push:
+    paths:
+      - .github/workflows/__go.yml
   workflow_dispatch:
     inputs:
       go-version:
@@ -15,11 +18,6 @@ on:
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
 jobs:
   go-custom-queries:
     name: 'Go: Custom queries'
@@ -29,7 +27,6 @@ jobs:
     uses: ./.github/workflows/__go-custom-queries.yml
     with:
       go-version: ${{ inputs.go-version }}
-      dotnet-version: ${{ inputs.dotnet-version }}
   go-indirect-tracing-workaround-diagnostic:
     name: 'Go: diagnostic when Go is changed after init step'
     permissions:

.github/workflows/__init-with-registries.yml

@@ -18,9 +18,6 @@ on:
       - synchronize
       - reopened
       - ready_for_review
-  merge_group:
-    types:
-      - checks_requested
   schedule:
     - cron: '0 5 * * *'
   workflow_dispatch:
@@ -31,8 +28,8 @@ defaults:
   run:
     shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: init-with-registries-${{github.ref}}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
   init-with-registries:
     strategy:
@@ -55,7 +52,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
       - name: Check out repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@v5
       - name: Prepare test
         id: prepare-test
         uses: ./.github/actions/prepare-test

.github/workflows/__javascript-source-root.yml

@@ -18,9 +18,6 @@ on:
       - synchronize
       - reopened
       - ready_for_review
-  merge_group:
-    types:
-      - checks_requested
   schedule:
     - cron: '0 5 * * *'
   workflow_dispatch:
@@ -31,8 +28,8 @@ defaults:
   run:
     shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: javascript-source-root-${{github.ref}}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
   javascript-source-root:
     strategy:
@@ -54,7 +51,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
       - name: Check out repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@v5
       - name: Prepare test
         id: prepare-test
         uses: ./.github/actions/prepare-test

.github/workflows/__job-run-uuid-sarif.yml

@@ -18,9 +18,6 @@ on:
       - synchronize
       - reopened
       - ready_for_review
-  merge_group:
-    types:
-      - checks_requested
   schedule:
     - cron: '0 5 * * *'
   workflow_dispatch:
@@ -31,8 +28,8 @@ defaults:
   run:
     shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: job-run-uuid-sarif-${{github.ref}}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
   job-run-uuid-sarif:
     strategy:
@@ -50,7 +47,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
       - name: Check out repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@v5
       - name: Prepare test
         id: prepare-test
         uses: ./.github/actions/prepare-test
@@ -67,7 +64,7 @@ jobs:
         with:
           output: ${{ runner.temp }}/results
       - name: Upload SARIF
-        uses: actions/upload-artifact@v6
+        uses: actions/upload-artifact@v4
         with:
           name: ${{ matrix.os }}-${{ matrix.version }}.sarif.json
           path: ${{ runner.temp }}/results/javascript.sarif

.github/workflows/__language-aliases.yml

@@ -18,9 +18,6 @@ on:
       - synchronize
       - reopened
       - ready_for_review
-  merge_group:
-    types:
-      - checks_requested
   schedule:
     - cron: '0 5 * * *'
   workflow_dispatch:
@@ -31,8 +28,8 @@ defaults:
   run:
     shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: language-aliases-${{github.ref}}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
   language-aliases:
     strategy:
@@ -50,7 +47,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
       - name: Check out repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@v5
       - name: Prepare test
         id: prepare-test
         uses: ./.github/actions/prepare-test

.github/workflows/__local-bundle.yml

@@ -18,9 +18,6 @@ on:
       - synchronize
       - reopened
       - ready_for_review
-  merge_group:
-    types:
-      - checks_requested
   schedule:
     - cron: '0 5 * * *'
   workflow_dispatch:
@@ -30,16 +27,6 @@ on:
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
-      python-version:
-        type: string
-        description: The version of Python to install
-        required: false
-        default: '3.13'
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
   workflow_call:
     inputs:
       go-version:
@@ -47,23 +34,12 @@ on:
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
-      python-version:
-        type: string
-        description: The version of Python to install
-        required: false
-        default: '3.13'
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
 defaults:
   run:
     shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group:
-    local-bundle-${{github.ref}}-${{inputs.go-version}}-${{inputs.python-version}}-${{inputs.dotnet-version}}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
   local-bundle:
     strategy:
@@ -81,7 +57,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
       - name: Check out repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@v5
       - name: Prepare test
         id: prepare-test
         uses: ./.github/actions/prepare-test
@@ -94,15 +70,6 @@ jobs:
         with:
           go-version: ${{ inputs.go-version || '>=1.21.0' }}
           cache: false
-      - name: Install Python
-        if: matrix.version != 'nightly-latest'
-        uses: actions/setup-python@v6
-        with:
-          python-version: ${{ inputs.python-version || '3.13' }}
-      - name: Install .NET
-        uses: actions/setup-dotnet@v5
-        with:
-          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
       - name: Fetch latest CodeQL bundle
         run: |
           wget https://github.com/github/codeql-action/releases/latest/download/codeql-bundle-linux64.tar.zst

.github/workflows/__multi-language-autodetect.yml

@@ -18,9 +18,6 @@ on:
       - synchronize
       - reopened
       - ready_for_review
-  merge_group:
-    types:
-      - checks_requested
   schedule:
     - cron: '0 5 * * *'
   workflow_dispatch:
@@ -30,16 +27,6 @@ on:
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
-      python-version:
-        type: string
-        description: The version of Python to install
-        required: false
-        default: '3.13'
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
   workflow_call:
     inputs:
       go-version:
@@ -47,23 +34,12 @@ on:
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
-      python-version:
-        type: string
-        description: The version of Python to install
-        required: false
-        default: '3.13'
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
 defaults:
   run:
     shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group:
-    multi-language-autodetect-${{github.ref}}-${{inputs.go-version}}-${{inputs.python-version}}-${{inputs.dotnet-version}}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
   multi-language-autodetect:
     strategy:
@@ -115,7 +91,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
       - name: Check out repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@v5
       - name: Prepare test
         id: prepare-test
         uses: ./.github/actions/prepare-test
@@ -128,15 +104,6 @@ jobs:
         with:
           go-version: ${{ inputs.go-version || '>=1.21.0' }}
           cache: false
-      - name: Install Python
-        if: matrix.version != 'nightly-latest'
-        uses: actions/setup-python@v6
-        with:
-          python-version: ${{ inputs.python-version || '3.13' }}
-      - name: Install .NET
-        uses: actions/setup-dotnet@v5
-        with:
-          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
       - name: Use Xcode 16
         if: runner.os == 'macOS' && matrix.version != 'nightly-latest'
         run: sudo xcode-select -s "/Applications/Xcode_16.app"

.github/workflows/__overlay-init-fallback.yml

@@ -18,9 +18,6 @@ on:
       - synchronize
       - reopened
       - ready_for_review
-  merge_group:
-    types:
-      - checks_requested
   schedule:
     - cron: '0 5 * * *'
   workflow_dispatch:
@@ -31,8 +28,8 @@ defaults:
   run:
     shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: overlay-init-fallback-${{github.ref}}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
   overlay-init-fallback:
     strategy:
@@ -52,7 +49,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
       - name: Check out repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@v5
       - name: Prepare test
         id: prepare-test
         uses: ./.github/actions/prepare-test

.github/workflows/__packaging-codescanning-config-inputs-js.yml

@@ -18,9 +18,6 @@ on:
       - synchronize
       - reopened
       - ready_for_review
-  merge_group:
-    types:
-      - checks_requested
   schedule:
     - cron: '0 5 * * *'
   workflow_dispatch:
@@ -30,16 +27,6 @@ on:
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
-      python-version:
-        type: string
-        description: The version of Python to install
-        required: false
-        default: '3.13'
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
   workflow_call:
     inputs:
       go-version:
@@ -47,23 +34,12 @@ on:
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
-      python-version:
-        type: string
-        description: The version of Python to install
-        required: false
-        default: '3.13'
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
 defaults:
   run:
     shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group:
-    packaging-codescanning-config-inputs-js-${{github.ref}}-${{inputs.go-version}}-${{inputs.python-version}}-${{inputs.dotnet-version}}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
   packaging-codescanning-config-inputs-js:
     strategy:
@@ -85,9 +61,9 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
       - name: Check out repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@v5
       - name: Install Node.js
-        uses: actions/setup-node@v6
+        uses: actions/setup-node@v5
         with:
           node-version: 20.x
           cache: npm
@@ -105,15 +81,6 @@ jobs:
         with:
           go-version: ${{ inputs.go-version || '>=1.21.0' }}
           cache: false
-      - name: Install Python
-        if: matrix.version != 'nightly-latest'
-        uses: actions/setup-python@v6
-        with:
-          python-version: ${{ inputs.python-version || '3.13' }}
-      - name: Install .NET
-        uses: actions/setup-dotnet@v5
-        with:
-          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
       - uses: ./../action/init
         with:
           config-file: .github/codeql/codeql-config-packaging3.yml

.github/workflows/__packaging-config-inputs-js.yml

@@ -18,9 +18,6 @@ on:
       - synchronize
       - reopened
       - ready_for_review
-  merge_group:
-    types:
-      - checks_requested
   schedule:
     - cron: '0 5 * * *'
   workflow_dispatch:
@@ -30,11 +27,6 @@ on:
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
   workflow_call:
     inputs:
       go-version:
@@ -42,18 +34,12 @@ on:
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
 defaults:
   run:
     shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group:
-    packaging-config-inputs-js-${{github.ref}}-${{inputs.go-version}}-${{inputs.dotnet-version}}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
   packaging-config-inputs-js:
     strategy:
@@ -75,9 +61,9 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
       - name: Check out repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@v5
       - name: Install Node.js
-        uses: actions/setup-node@v6
+        uses: actions/setup-node@v5
         with:
           node-version: 20.x
           cache: npm
@@ -95,10 +81,6 @@ jobs:
         with:
           go-version: ${{ inputs.go-version || '>=1.21.0' }}
           cache: false
-      - name: Install .NET
-        uses: actions/setup-dotnet@v5
-        with:
-          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
       - uses: ./../action/init
         with:
           config-file: .github/codeql/codeql-config-packaging3.yml

.github/workflows/__packaging-config-js.yml

@@ -18,9 +18,6 @@ on:
       - synchronize
       - reopened
       - ready_for_review
-  merge_group:
-    types:
-      - checks_requested
   schedule:
     - cron: '0 5 * * *'
   workflow_dispatch:
@@ -30,11 +27,6 @@ on:
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
   workflow_call:
     inputs:
       go-version:
@@ -42,18 +34,12 @@ on:
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
 defaults:
   run:
     shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group:
-    packaging-config-js-${{github.ref}}-${{inputs.go-version}}-${{inputs.dotnet-version}}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
   packaging-config-js:
     strategy:
@@ -75,9 +61,9 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
       - name: Check out repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@v5
       - name: Install Node.js
-        uses: actions/setup-node@v6
+        uses: actions/setup-node@v5
         with:
           node-version: 20.x
           cache: npm
@@ -95,10 +81,6 @@ jobs:
         with:
           go-version: ${{ inputs.go-version || '>=1.21.0' }}
           cache: false
-      - name: Install .NET
-        uses: actions/setup-dotnet@v5
-        with:
-          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
       - uses: ./../action/init
         with:
           config-file: .github/codeql/codeql-config-packaging.yml

.github/workflows/__packaging-inputs-js.yml

@@ -18,9 +18,6 @@ on:
       - synchronize
       - reopened
       - ready_for_review
-  merge_group:
-    types:
-      - checks_requested
   schedule:
     - cron: '0 5 * * *'
   workflow_dispatch:
@@ -30,11 +27,6 @@ on:
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
   workflow_call:
     inputs:
       go-version:
@@ -42,18 +34,12 @@ on:
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
 defaults:
   run:
     shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group:
-    packaging-inputs-js-${{github.ref}}-${{inputs.go-version}}-${{inputs.dotnet-version}}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
   packaging-inputs-js:
     strategy:
@@ -75,9 +61,9 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
       - name: Check out repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@v5
       - name: Install Node.js
-        uses: actions/setup-node@v6
+        uses: actions/setup-node@v5
         with:
           node-version: 20.x
           cache: npm
@@ -95,10 +81,6 @@ jobs:
         with:
           go-version: ${{ inputs.go-version || '>=1.21.0' }}
           cache: false
-      - name: Install .NET
-        uses: actions/setup-dotnet@v5
-        with:
-          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
       - uses: ./../action/init
         with:
           config-file: .github/codeql/codeql-config-packaging2.yml

.github/workflows/__quality-queries.yml

@@ -3,7 +3,7 @@
 #     pr-checks/sync.sh
 # to regenerate this file.
 
-name: PR Check - Analysis kinds
+name: PR Check - Quality queries input
 env:
   GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
   GO111MODULE: auto
@@ -18,9 +18,6 @@ on:
       - synchronize
       - reopened
       - ready_for_review
-  merge_group:
-    types:
-      - checks_requested
   schedule:
     - cron: '0 5 * * *'
   workflow_dispatch:
@@ -31,10 +28,10 @@ defaults:
   run:
     shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: analysis-kinds-${{github.ref}}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
-  analysis-kinds:
+  quality-queries:
     strategy:
       fail-fast: false
       matrix:
@@ -48,9 +45,6 @@ jobs:
           - os: ubuntu-latest
             version: linked
             analysis-kinds: code-scanning,code-quality
-          - os: ubuntu-latest
-            version: linked
-            analysis-kinds: risk-assessment
           - os: ubuntu-latest
             version: nightly-latest
             analysis-kinds: code-scanning
@@ -60,10 +54,7 @@ jobs:
           - os: ubuntu-latest
             version: nightly-latest
             analysis-kinds: code-scanning,code-quality
-          - os: ubuntu-latest
-            version: nightly-latest
-            analysis-kinds: risk-assessment
-    name: Analysis kinds
+    name: Quality queries input
     if: github.triggering_actor != 'dependabot[bot]'
     permissions:
       contents: read
@@ -72,7 +63,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
       - name: Check out repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@v5
       - name: Prepare test
         id: prepare-test
         uses: ./.github/actions/prepare-test
@@ -89,25 +80,22 @@ jobs:
         with:
           output: ${{ runner.temp }}/results
           upload-database: false
-          post-processed-sarif-path: ${{ runner.temp }}/post-processed
-
-      - name: Upload SARIF files
-        uses: actions/upload-artifact@v6
+      - name: Upload security SARIF
+        if: contains(matrix.analysis-kinds, 'code-scanning')
+        uses: actions/upload-artifact@v4
         with:
           name: |
-            analysis-kinds-${{ matrix.os }}-${{ matrix.version }}-${{ matrix.analysis-kinds }}
-          path: ${{ runner.temp }}/results/*.sarif
+            quality-queries-${{ matrix.os }}-${{ matrix.version }}-${{ matrix.analysis-kinds }}.sarif.json
+          path: ${{ runner.temp }}/results/javascript.sarif
           retention-days: 7
-
-      - name: Upload post-processed SARIF
-        uses: actions/upload-artifact@v6
+      - name: Upload quality SARIF
+        if: contains(matrix.analysis-kinds, 'code-quality')
+        uses: actions/upload-artifact@v4
         with:
           name: |
-            post-processed-${{ matrix.os }}-${{ matrix.version }}-${{ matrix.analysis-kinds }}
-          path: ${{ runner.temp }}/post-processed
+            quality-queries-${{ matrix.os }}-${{ matrix.version }}-${{ matrix.analysis-kinds }}.quality.sarif.json
+          path: ${{ runner.temp }}/results/javascript.quality.sarif
           retention-days: 7
-          if-no-files-found: error
-
       - name: Check quality query does not appear in security SARIF
         if: contains(matrix.analysis-kinds, 'code-scanning')
         uses: actions/github-script@v8
@@ -125,7 +113,6 @@ jobs:
         with:
           script: ${{ env.CHECK_SCRIPT }}
     env:
-      CODEQL_ACTION_RISK_ASSESSMENT_ID: 1
       CHECK_SCRIPT: |
         const fs = require('fs');
 

.github/workflows/__remote-config.yml

@@ -18,9 +18,6 @@ on:
       - synchronize
       - reopened
       - ready_for_review
-  merge_group:
-    types:
-      - checks_requested
   schedule:
     - cron: '0 5 * * *'
   workflow_dispatch:
@@ -30,16 +27,6 @@ on:
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
-      python-version:
-        type: string
-        description: The version of Python to install
-        required: false
-        default: '3.13'
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
   workflow_call:
     inputs:
       go-version:
@@ -47,23 +34,12 @@ on:
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
-      python-version:
-        type: string
-        description: The version of Python to install
-        required: false
-        default: '3.13'
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
 defaults:
   run:
     shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group:
-    remote-config-${{github.ref}}-${{inputs.go-version}}-${{inputs.python-version}}-${{inputs.dotnet-version}}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
   remote-config:
     strategy:
@@ -83,7 +59,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
       - name: Check out repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@v5
       - name: Prepare test
         id: prepare-test
         uses: ./.github/actions/prepare-test
@@ -96,15 +72,6 @@ jobs:
         with:
           go-version: ${{ inputs.go-version || '>=1.21.0' }}
           cache: false
-      - name: Install Python
-        if: matrix.version != 'nightly-latest'
-        uses: actions/setup-python@v6
-        with:
-          python-version: ${{ inputs.python-version || '3.13' }}
-      - name: Install .NET
-        uses: actions/setup-dotnet@v5
-        with:
-          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
       - uses: ./../action/init
         with:
           tools: ${{ steps.prepare-test.outputs.tools-url }}

.github/workflows/__resolve-environment-action.yml

@@ -18,9 +18,6 @@ on:
       - synchronize
       - reopened
       - ready_for_review
-  merge_group:
-    types:
-      - checks_requested
   schedule:
     - cron: '0 5 * * *'
   workflow_dispatch:
@@ -31,8 +28,8 @@ defaults:
   run:
     shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: resolve-environment-action-${{github.ref}}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
   resolve-environment-action:
     strategy:
@@ -54,7 +51,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
       - name: Check out repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@v5
       - name: Prepare test
         id: prepare-test
         uses: ./.github/actions/prepare-test

.github/workflows/__rubocop-multi-language.yml

@@ -18,9 +18,6 @@ on:
       - synchronize
       - reopened
       - ready_for_review
-  merge_group:
-    types:
-      - checks_requested
   schedule:
     - cron: '0 5 * * *'
   workflow_dispatch:
@@ -31,8 +28,8 @@ defaults:
   run:
     shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: rubocop-multi-language-${{github.ref}}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
   rubocop-multi-language:
     strategy:
@@ -50,7 +47,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
       - name: Check out repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@v5
       - name: Prepare test
         id: prepare-test
         uses: ./.github/actions/prepare-test
@@ -59,7 +56,7 @@ jobs:
           use-all-platform-bundle: 'false'
           setup-kotlin: 'true'
       - name: Set up Ruby
-        uses: ruby/setup-ruby@09a7688d3b55cf0e976497ff046b70949eeaccfd # v1.288.0
+        uses: ruby/setup-ruby@0481980f17b760ef6bca5e8c55809102a0af1e5a # v1.263.0
         with:
           ruby-version: 2.6
       - name: Install Code Scanning integration

.github/workflows/__ruby.yml

@@ -18,9 +18,6 @@ on:
       - synchronize
       - reopened
       - ready_for_review
-  merge_group:
-    types:
-      - checks_requested
   schedule:
     - cron: '0 5 * * *'
   workflow_dispatch:
@@ -31,8 +28,8 @@ defaults:
   run:
     shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: ruby-${{github.ref}}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
   ruby:
     strategy:
@@ -60,7 +57,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
       - name: Check out repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@v5
       - name: Prepare test
         id: prepare-test
         uses: ./.github/actions/prepare-test

.github/workflows/__rust.yml

@@ -18,9 +18,6 @@ on:
       - synchronize
       - reopened
       - ready_for_review
-  merge_group:
-    types:
-      - checks_requested
   schedule:
     - cron: '0 5 * * *'
   workflow_dispatch:
@@ -31,8 +28,8 @@ defaults:
   run:
     shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: rust-${{github.ref}}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
   rust:
     strategy:
@@ -58,7 +55,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
       - name: Check out repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@v5
       - name: Prepare test
         id: prepare-test
         uses: ./.github/actions/prepare-test

.github/workflows/__split-workflow.yml

@@ -18,9 +18,6 @@ on:
       - synchronize
       - reopened
       - ready_for_review
-  merge_group:
-    types:
-      - checks_requested
   schedule:
     - cron: '0 5 * * *'
   workflow_dispatch:
@@ -30,11 +27,6 @@ on:
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
   workflow_call:
     inputs:
       go-version:
@@ -42,17 +34,12 @@ on:
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
 defaults:
   run:
     shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: split-workflow-${{github.ref}}-${{inputs.go-version}}-${{inputs.dotnet-version}}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
   split-workflow:
     strategy:
@@ -80,7 +67,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
       - name: Check out repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@v5
       - name: Prepare test
         id: prepare-test
         uses: ./.github/actions/prepare-test
@@ -93,10 +80,6 @@ jobs:
         with:
           go-version: ${{ inputs.go-version || '>=1.21.0' }}
           cache: false
-      - name: Install .NET
-        uses: actions/setup-dotnet@v5
-        with:
-          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
       - uses: ./../action/init
         with:
           config-file: .github/codeql/codeql-config-packaging3.yml

.github/workflows/__start-proxy.yml

@@ -18,9 +18,6 @@ on:
       - synchronize
       - reopened
       - ready_for_review
-  merge_group:
-    types:
-      - checks_requested
   schedule:
     - cron: '0 5 * * *'
   workflow_dispatch:
@@ -31,8 +28,8 @@ defaults:
   run:
     shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: start-proxy-${{github.ref}}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
   start-proxy:
     strategy:
@@ -54,7 +51,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
       - name: Check out repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@v5
       - name: Prepare test
         id: prepare-test
         uses: ./.github/actions/prepare-test

.github/workflows/__submit-sarif-failure.yml

@@ -18,9 +18,6 @@ on:
       - synchronize
       - reopened
       - ready_for_review
-  merge_group:
-    types:
-      - checks_requested
   schedule:
     - cron: '0 5 * * *'
   workflow_dispatch:
@@ -31,8 +28,8 @@ defaults:
   run:
     shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: submit-sarif-failure-${{github.ref}}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
   submit-sarif-failure:
     strategy:
@@ -55,7 +52,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
       - name: Check out repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@v5
       - name: Prepare test
         id: prepare-test
         uses: ./.github/actions/prepare-test
@@ -63,7 +60,7 @@ jobs:
           version: ${{ matrix.version }}
           use-all-platform-bundle: 'false'
           setup-kotlin: 'true'
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v5
       - uses: ./init
         with:
           languages: javascript

.github/workflows/__swift-autobuild.yml

@@ -18,9 +18,6 @@ on:
       - synchronize
       - reopened
       - ready_for_review
-  merge_group:
-    types:
-      - checks_requested
   schedule:
     - cron: '0 5 * * *'
   workflow_dispatch:
@@ -31,8 +28,8 @@ defaults:
   run:
     shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: swift-autobuild-${{github.ref}}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
   swift-autobuild:
     strategy:
@@ -50,7 +47,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
       - name: Check out repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@v5
       - name: Prepare test
         id: prepare-test
         uses: ./.github/actions/prepare-test

.github/workflows/__swift-custom-build.yml

@@ -18,9 +18,6 @@ on:
       - synchronize
       - reopened
       - ready_for_review
-  merge_group:
-    types:
-      - checks_requested
   schedule:
     - cron: '0 5 * * *'
   workflow_dispatch:
@@ -30,11 +27,6 @@ on:
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
   workflow_call:
     inputs:
       go-version:
@@ -42,18 +34,12 @@ on:
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
 defaults:
   run:
     shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group:
-    swift-custom-build-${{github.ref}}-${{inputs.go-version}}-${{inputs.dotnet-version}}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
   swift-custom-build:
     strategy:
@@ -75,7 +61,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
       - name: Check out repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@v5
       - name: Prepare test
         id: prepare-test
         uses: ./.github/actions/prepare-test
@@ -88,10 +74,6 @@ jobs:
         with:
           go-version: ${{ inputs.go-version || '>=1.21.0' }}
           cache: false
-      - name: Install .NET
-        uses: actions/setup-dotnet@v5
-        with:
-          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
       - name: Use Xcode 16
         if: runner.os == 'macOS' && matrix.version != 'nightly-latest'
         run: sudo xcode-select -s "/Applications/Xcode_16.app"

.github/workflows/__unset-environment.yml

@@ -18,9 +18,6 @@ on:
       - synchronize
       - reopened
       - ready_for_review
-  merge_group:
-    types:
-      - checks_requested
   schedule:
     - cron: '0 5 * * *'
   workflow_dispatch:
@@ -30,16 +27,6 @@ on:
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
-      python-version:
-        type: string
-        description: The version of Python to install
-        required: false
-        default: '3.13'
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
   workflow_call:
     inputs:
       go-version:
@@ -47,23 +34,12 @@ on:
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
-      python-version:
-        type: string
-        description: The version of Python to install
-        required: false
-        default: '3.13'
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
 defaults:
   run:
     shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group:
-    unset-environment-${{github.ref}}-${{inputs.go-version}}-${{inputs.python-version}}-${{inputs.dotnet-version}}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
   unset-environment:
     strategy:
@@ -83,7 +59,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
       - name: Check out repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@v5
       - name: Prepare test
         id: prepare-test
         uses: ./.github/actions/prepare-test
@@ -96,15 +72,6 @@ jobs:
         with:
           go-version: ${{ inputs.go-version || '>=1.21.0' }}
           cache: false
-      - name: Install Python
-        if: matrix.version != 'nightly-latest'
-        uses: actions/setup-python@v6
-        with:
-          python-version: ${{ inputs.python-version || '3.13' }}
-      - name: Install .NET
-        uses: actions/setup-dotnet@v5
-        with:
-          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
       - uses: ./../action/init
         id: init
         with:

.github/workflows/__upload-ref-sha-input.yml

@@ -18,9 +18,6 @@ on:
       - synchronize
       - reopened
       - ready_for_review
-  merge_group:
-    types:
-      - checks_requested
   schedule:
     - cron: '0 5 * * *'
   workflow_dispatch:
@@ -30,16 +27,6 @@ on:
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
-      python-version:
-        type: string
-        description: The version of Python to install
-        required: false
-        default: '3.13'
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
   workflow_call:
     inputs:
       go-version:
@@ -47,23 +34,12 @@ on:
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
-      python-version:
-        type: string
-        description: The version of Python to install
-        required: false
-        default: '3.13'
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
 defaults:
   run:
     shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group:
-    upload-ref-sha-input-${{github.ref}}-${{inputs.go-version}}-${{inputs.python-version}}-${{inputs.dotnet-version}}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
   upload-ref-sha-input:
     strategy:
@@ -81,7 +57,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
       - name: Check out repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@v5
       - name: Prepare test
         id: prepare-test
         uses: ./.github/actions/prepare-test
@@ -94,15 +70,6 @@ jobs:
         with:
           go-version: ${{ inputs.go-version || '>=1.21.0' }}
           cache: false
-      - name: Install Python
-        if: matrix.version != 'nightly-latest'
-        uses: actions/setup-python@v6
-        with:
-          python-version: ${{ inputs.python-version || '3.13' }}
-      - name: Install .NET
-        uses: actions/setup-dotnet@v5
-        with:
-          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
       - uses: ./../action/init
         with:
           tools: ${{ steps.prepare-test.outputs.tools-url }}

.github/workflows/__upload-sarif.yml

@@ -18,9 +18,6 @@ on:
       - synchronize
       - reopened
       - ready_for_review
-  merge_group:
-    types:
-      - checks_requested
   schedule:
     - cron: '0 5 * * *'
   workflow_dispatch:
@@ -30,16 +27,6 @@ on:
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
-      python-version:
-        type: string
-        description: The version of Python to install
-        required: false
-        default: '3.13'
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
   workflow_call:
     inputs:
       go-version:
@@ -47,23 +34,12 @@ on:
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
-      python-version:
-        type: string
-        description: The version of Python to install
-        required: false
-        default: '3.13'
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
 defaults:
   run:
     shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group:
-    upload-sarif-${{github.ref}}-${{inputs.go-version}}-${{inputs.python-version}}-${{inputs.dotnet-version}}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
   upload-sarif:
     strategy:
@@ -88,7 +64,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
       - name: Check out repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@v5
       - name: Prepare test
         id: prepare-test
         uses: ./.github/actions/prepare-test
@@ -101,15 +77,6 @@ jobs:
         with:
           go-version: ${{ inputs.go-version || '>=1.21.0' }}
           cache: false
-      - name: Install Python
-        if: matrix.version != 'nightly-latest'
-        uses: actions/setup-python@v6
-        with:
-          python-version: ${{ inputs.python-version || '3.13' }}
-      - name: Install .NET
-        uses: actions/setup-dotnet@v5
-        with:
-          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
       - uses: ./../action/init
         with:
           tools: ${{ steps.prepare-test.outputs.tools-url }}

.github/workflows/__with-checkout-path.yml

@@ -18,9 +18,6 @@ on:
       - synchronize
       - reopened
       - ready_for_review
-  merge_group:
-    types:
-      - checks_requested
   schedule:
     - cron: '0 5 * * *'
   workflow_dispatch:
@@ -30,16 +27,6 @@ on:
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
-      python-version:
-        type: string
-        description: The version of Python to install
-        required: false
-        default: '3.13'
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
   workflow_call:
     inputs:
       go-version:
@@ -47,23 +34,12 @@ on:
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
-      python-version:
-        type: string
-        description: The version of Python to install
-        required: false
-        default: '3.13'
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
 defaults:
   run:
     shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group:
-    with-checkout-path-${{github.ref}}-${{inputs.go-version}}-${{inputs.python-version}}-${{inputs.dotnet-version}}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
   with-checkout-path:
     strategy:
@@ -81,7 +57,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
       - name: Check out repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@v5
       - name: Prepare test
         id: prepare-test
         uses: ./.github/actions/prepare-test
@@ -94,15 +70,6 @@ jobs:
         with:
           go-version: ${{ inputs.go-version || '>=1.21.0' }}
           cache: false
-      - name: Install Python
-        if: matrix.version != 'nightly-latest'
-        uses: actions/setup-python@v6
-        with:
-          python-version: ${{ inputs.python-version || '3.13' }}
-      - name: Install .NET
-        uses: actions/setup-dotnet@v5
-        with:
-          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
       - name: Delete original checkout
         run: |
           # delete the original checkout so we don't accidentally use it.
@@ -111,7 +78,7 @@ jobs:
           rm -rf ./* .github .git
   # Check out the actions repo again, but at a different location.
   # choose an arbitrary SHA so that we can later test that the commit_oid is not from main
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v5
         with:
           ref: 474bbf07f9247ffe1856c6a0f94aeeb10e7afee6
           path: x/y/z/some-path

.github/workflows/check-expected-release-files.yml

@@ -15,14 +15,14 @@ defaults:
 
 jobs:
   check-expected-release-files:
-    runs-on: ubuntu-slim
+    runs-on: ubuntu-latest
 
     permissions:
       contents: read
 
     steps:
       - name: Checkout CodeQL Action
-        uses: actions/checkout@v6
+        uses: actions/checkout@v5
       - name: Check Expected Release Files
         run: |
           bundle_version="$(cat "./src/defaults.json" | jq -r ".bundleVersion")"

.github/workflows/codeql.yml

@@ -4,11 +4,10 @@ on:
   push:
     branches: [main, releases/v*]
   pull_request:
+    branches: [main, releases/v*]
     # Run checks on reopened draft PRs to support triggering PR checks on draft PRs that were opened
     # by other workflows.
     types: [opened, synchronize, reopened, ready_for_review]
-  merge_group:
-    types: [checks_requested]
   schedule:
     # Weekly on Sunday.
     - cron: '30 1 * * 0'
@@ -33,7 +32,7 @@ jobs:
       contents: read
 
     steps:
-    - uses: actions/checkout@v6
+    - uses: actions/checkout@v5
     - name: Init with default CodeQL bundle from the VM image
       id: init-default
       uses: ./init
@@ -66,7 +65,7 @@ jobs:
         #
         # If we're running on push or schedule, then we can skip running with `tools: linked` when it would be
         # the same as running with `tools: null`.
-        if [[ "$GITHUB_EVENT_NAME" != "pull_request" && "$GITHUB_EVENT_NAME" != "merge_group" && "$CODEQL_VERSION_DEFAULT" == "$CODEQL_VERSION_LATEST" ]]; then
+        if [[ "$GITHUB_EVENT_NAME" != "pull_request" && "$CODEQL_VERSION_DEFAULT" == "$CODEQL_VERSION_LATEST" ]]; then
           VERSIONS_JSON='[null]'
         else
           VERSIONS_JSON='[null, "linked"]'
@@ -82,7 +81,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        os: [ubuntu-22.04,ubuntu-24.04,windows-2022,windows-2025,macos-14,macos-15]
+        os: [ubuntu-22.04,ubuntu-24.04,windows-2022,windows-2025,macos-13,macos-14,macos-15]
         tools: ${{ fromJson(needs.check-codeql-versions.outputs.versions) }}
     runs-on: ${{ matrix.os }}
 
@@ -92,7 +91,7 @@ jobs:
 
     steps:
     - name: Checkout
-      uses: actions/checkout@v6
+      uses: actions/checkout@v5
     - name: Initialize CodeQL
       uses: ./init
       id: init
@@ -110,7 +109,7 @@ jobs:
       uses: ./analyze
       with:
         category: "/language:javascript"
-        upload: ${{ (matrix.os == 'ubuntu-24.04' && !matrix.tools && github.event_name != 'merge_group' && 'always' ) || 'never' }}
+        upload: ${{ (matrix.os == 'ubuntu-24.04' && !matrix.tools && 'always') || 'never' }}
 
   analyze-other:
     if: github.triggering_actor != 'dependabot[bot]'
@@ -129,7 +128,7 @@ jobs:
 
     steps:
     - name: Checkout
-      uses: actions/checkout@v6
+      uses: actions/checkout@v5
     - name: Initialize CodeQL
       uses: ./init
       with:
@@ -145,4 +144,3 @@ jobs:
       uses: ./analyze
       with:
         category: "/language:${{ matrix.language }}"
-        upload: ${{ (github.event_name != 'merge_group' && 'always') || 'never' }}

.github/workflows/codescanning-config-cli.yml

@@ -6,11 +6,6 @@ env:
   # Diff informed queries add an additional query filter which is not yet
   # taken into account by these tests.
   CODEQL_ACTION_DIFF_INFORMED_QUERIES: false
-  # Specify overlay enablement manually to ensure stability around the exclude-from-incremental
-  # query filter. Here we only enable for the default code scanning suite.
-  CODEQL_ACTION_OVERLAY_ANALYSIS: true
-  CODEQL_ACTION_OVERLAY_ANALYSIS_JAVASCRIPT: false
-  CODEQL_ACTION_OVERLAY_ANALYSIS_CODE_SCANNING_JAVASCRIPT: true
 
 on:
   push:
@@ -23,11 +18,9 @@ on:
     - synchronize
     - reopened
     - ready_for_review
-  merge_group:
-    types: [checks_requested]
   schedule:
     - cron: '0 5 * * *'
-  workflow_dispatch:
+  workflow_dispatch: {}
 
 defaults:
   run:
@@ -60,10 +53,10 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
     - name: Check out repository
-      uses: actions/checkout@v6
+      uses: actions/checkout@v5
 
     - name: Set up Node.js
-      uses: actions/setup-node@v6
+      uses: actions/setup-node@v5
       with:
         node-version: 24
         cache: 'npm'
@@ -77,33 +70,13 @@ jobs:
       with:
         version: ${{ matrix.version }}
 
-    # On PRs, overlay analysis may change the config that is passed to the CLI.
-    # Therefore, we have two variants of the following test, one for PRs and one for other events.
-    - name: Empty file (non-PR)
-      if: github.event_name != 'pull_request'
+    - name: Empty file
       uses: ./../action/.github/actions/check-codescanning-config
       with:
         expected-config-file-contents: "{}"
         languages: javascript
         tools: ${{ steps.prepare-test.outputs.tools-url }}
 
-    - name: Empty file (PR)
-      if: github.event_name == 'pull_request'
-      uses: ./../action/.github/actions/check-codescanning-config
-      with:
-        expected-config-file-contents: |
-          {
-            "query-filters": [
-              {
-                "exclude": {
-                  "tags": "exclude-from-incremental"
-                }
-              }
-            ]
-          }
-        languages: javascript
-        tools: ${{ steps.prepare-test.outputs.tools-url }}
-
     - name: Packs from input
       if: success() || failure()
       uses: ./../action/.github/actions/check-codescanning-config

.github/workflows/debug-artifacts-failure-safe.yml

@@ -14,11 +14,9 @@ on:
     - synchronize
     - reopened
     - ready_for_review
-  merge_group:
-    types: [checks_requested]
   schedule:
     - cron: '0 5 * * *'
-  workflow_dispatch:
+  workflow_dispatch: {}
 
 defaults:
   run:
@@ -47,7 +45,7 @@ jobs:
       - name: Dump GitHub event
         run: cat "${GITHUB_EVENT_PATH}"
       - name: Check out repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@v5
       - name: Prepare test
         id: prepare-test
         uses: ./.github/actions/prepare-test
@@ -56,12 +54,6 @@ jobs:
       - uses: actions/setup-go@v6
         with:
           go-version: ^1.13.1
-      - name: Install .NET
-        uses: actions/setup-dotnet@v5
-        with:
-          dotnet-version: '9.x'
-      - name: Assert best-effort artifact scan completed
-        uses: ./../action/.github/actions/verify-debug-artifact-scan-completed
       - uses: ./../action/init
         with:
           tools: ${{ steps.prepare-test.outputs.tools-url }}
@@ -87,7 +79,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Download all artifacts
-        uses: actions/download-artifact@v7
+        uses: actions/download-artifact@v5
       - name: Check expected artifacts exist
         run: |
           LANGUAGES="cpp csharp go java javascript python"

.github/workflows/debug-artifacts-safe.yml

@@ -13,11 +13,9 @@ on:
     - synchronize
     - reopened
     - ready_for_review
-  merge_group:
-    types: [checks_requested]
   schedule:
     - cron: '0 5 * * *'
-  workflow_dispatch:
+  workflow_dispatch: {}
 
 defaults:
   run:
@@ -43,7 +41,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Check out repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@v5
       - name: Prepare test
         id: prepare-test
         uses: ./.github/actions/prepare-test
@@ -52,12 +50,6 @@ jobs:
       - uses: actions/setup-go@v6
         with:
           go-version: ^1.13.1
-      - name: Install .NET
-        uses: actions/setup-dotnet@v5
-        with:
-          dotnet-version: '9.x'
-      - name: Assert best-effort artifact scan completed
-        uses: ./../action/.github/actions/verify-debug-artifact-scan-completed
       - uses: ./../action/init
         id: init
         with:
@@ -81,7 +73,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Download all artifacts
-        uses: actions/download-artifact@v7
+        uses: actions/download-artifact@v5
       - name: Check expected artifacts exist
         run: |
           VERSIONS="stable-v2.20.3 default linked nightly-latest"

.github/workflows/label-pr-size.yml

@@ -1,27 +0,0 @@
-name: Label PR with size
-
-on:
-  pull_request:
-    types:
-      - opened
-      - synchronize
-      - reopened
-      - edited
-      - ready_for_review
-
-permissions:
-  contents: read
-  pull-requests: write
-
-jobs:
-  sizeup:
-    name: Label PR with size
-    runs-on: ubuntu-slim
-    if: github.event.pull_request.merged != true
-
-    steps:
-      - name: Run sizeup
-        uses: lerebear/sizeup-action@b7beb3dd273e36039e16e48e7bc690c189e61951 # 0.8.12
-        with:
-          token: "${{ secrets.GITHUB_TOKEN }}"
-          configuration-file-path: ".github/sizeup.yml"

.github/workflows/post-release-mergeback.yml

@@ -24,7 +24,7 @@ defaults:
 
 jobs:
   merge-back:
-    runs-on: ubuntu-slim
+    runs-on: ubuntu-latest
     environment: Automation
     if: github.repository == 'github/codeql-action'
     env:
@@ -44,13 +44,10 @@ jobs:
           GITHUB_CONTEXT: '${{ toJson(github) }}'
         run: echo "${GITHUB_CONTEXT}"
 
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v5
         with:
           fetch-depth: 0  # ensure we have all tags and can push commits
-      - uses: actions/setup-node@v6
-      - uses: actions/setup-python@v6
-        with:
-          python-version: '3.12'
+      - uses: actions/setup-node@v5
 
       - name: Update git config
         run: |
@@ -123,22 +120,32 @@ jobs:
       - name: Prepare partial Changelog
         env:
           PARTIAL_CHANGELOG: "${{ runner.temp }}/partial_changelog.md"
+          VERSION: "${{ steps.getVersion.outputs.version }}"
         run: |
-          python .github/workflows/script/prepare_changelog.py CHANGELOG.md > $PARTIAL_CHANGELOG
+          python .github/workflows/script/prepare_changelog.py CHANGELOG.md "$VERSION" > $PARTIAL_CHANGELOG
 
           echo "::group::Partial CHANGELOG"
           cat $PARTIAL_CHANGELOG
           echo "::endgroup::"
 
+      - name: Create mergeback branch and PR
+        if: ${{ steps.check.outputs.exists != 'true' && endsWith(github.ref_name, steps.getVersion.outputs.latest_release_branch) }}
+        uses: ./.github/actions/prepare-mergeback-branch
+        with:
+          base: "${{ env.BASE_BRANCH }}"
+          head: "${{ env.HEAD_BRANCH }}"
+          branch: "${{ steps.getVersion.outputs.newBranch }}"
+          version: "${{ steps.getVersion.outputs.version }}"
+          token: "${{ secrets.GITHUB_TOKEN }}"
+
       - name: Generate token
-        uses: actions/create-github-app-token@v2.2.1
+        uses: actions/create-github-app-token@v2.1.4
         id: app-token
         with:
           app-id: ${{ vars.AUTOMATION_APP_ID }}
           private-key: ${{ secrets.AUTOMATION_PRIVATE_KEY }}
 
       - name: Create the GitHub release
-        if: steps.check.outputs.exists != 'true'
         env:
           PARTIAL_CHANGELOG: "${{ runner.temp }}/partial_changelog.md"
           VERSION: "${{ steps.getVersion.outputs.version }}"
@@ -150,13 +157,3 @@ jobs:
             --latest=false \
             --title "$VERSION" \
             --notes-file "$PARTIAL_CHANGELOG"
-
-      - name: Create mergeback branch and PR
-        if: ${{ endsWith(github.ref_name, steps.getVersion.outputs.latest_release_branch) }}
-        uses: ./.github/actions/prepare-mergeback-branch
-        with:
-          base: "${{ env.BASE_BRANCH }}"
-          head: "${{ env.HEAD_BRANCH }}"
-          branch: "${{ steps.getVersion.outputs.newBranch }}"
-          version: "${{ steps.getVersion.outputs.version }}"
-          token: "${{ secrets.GITHUB_TOKEN }}"

.github/workflows/pr-checks.yml

@@ -6,8 +6,6 @@ on:
     # Run checks on reopened draft PRs to support triggering PR checks on draft PRs that were opened
     # by other workflows.
     types: [opened, synchronize, reopened, ready_for_review]
-  merge_group:
-    types: [checks_requested]
   workflow_dispatch:
 
 defaults:
@@ -34,10 +32,10 @@ jobs:
         if: runner.os == 'Windows'
         run: git config --global core.autocrlf false
 
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v5
 
       - name: Set up Node.js
-        uses: actions/setup-node@v6
+        uses: actions/setup-node@v5
         with:
           node-version: ${{ matrix.node-version }}
           cache: 'npm'
@@ -75,14 +73,14 @@ jobs:
         run: npm run lint-ci
 
       - name: Upload sarif
-        uses: github/codeql-action/upload-sarif@v4
+        uses: github/codeql-action/upload-sarif@v3
         if: matrix.os == 'ubuntu-latest' && matrix.node-version == 24
         with:
           sarif_file: eslint.sarif
           category: eslint
 
   check-node-version:
-    if: github.triggering_actor != 'dependabot[bot]'
+    if: github.event.pull_request && github.triggering_actor != 'dependabot[bot]'
     name: Check Action Node versions
     runs-on: ubuntu-latest
     timeout-minutes: 45
@@ -93,7 +91,7 @@ jobs:
       contents: read
 
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v5
       - id: head-version
         name: Verify all Actions use the same Node version
         run: |
@@ -108,7 +106,7 @@ jobs:
       - id: checkout-base
         name: 'Backport: Check out base ref'
         if: ${{ startsWith(github.head_ref, 'backport-') }}
-        uses: actions/checkout@v6
+        uses: actions/checkout@v5
         with:
           ref: ${{ env.BASE_REF }}
 

.github/workflows/prepare-release.yml

@@ -29,7 +29,7 @@ defaults:
 jobs:
   prepare:
     name: "Prepare release"
-    runs-on: ubuntu-slim
+    runs-on: ubuntu-latest
     if: github.repository == 'github/codeql-action'
 
     permissions:
@@ -44,7 +44,7 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@v5
         with:
           fetch-depth: 0 # Need full history for calculation of diffs
 

.github/workflows/publish-immutable-action.yml

@@ -1,10 +1,8 @@
 name: 'Publish Immutable Action Version'
 
 on:
-  push:
-    tags:
-      # Match version tags, but not the major version tags.
-      - 'v[0-9]+.**'
+  release:
+    types: [published]
 
 defaults:
   run:
@@ -12,16 +10,30 @@ defaults:
 
 jobs:
   publish:
-    runs-on: ubuntu-slim
+    runs-on: ubuntu-latest
     permissions:
       contents: read
       id-token: write
       packages: write
 
     steps:
-      - name: Checkout repository
-        uses: actions/checkout@v6
-
-      - name: Publish immutable release
+      - name: Check release name
+        id: check
+        env:
+          RELEASE_NAME: ${{ github.event.release.name }}
+        run: |
+          echo "Release name: ${{ github.event.release.name }}"
+          if [[ $RELEASE_NAME == v* ]]; then
+            echo "This is a CodeQL Action release. Create an Immutable Action"
+            echo "is-action-release=true" >> $GITHUB_OUTPUT
+          else
+            echo "This is a CodeQL Bundle release. Do not create an Immutable Action"
+            echo "is-action-release=false" >> $GITHUB_OUTPUT
+          fi
+      - name: Checking out
+        if: steps.check.outputs.is-action-release == 'true'
+        uses: actions/checkout@v5
+      - name: Publish
+        if: steps.check.outputs.is-action-release == 'true'
         id: publish
         uses: actions/publish-immutable-action@v0.0.4

.github/workflows/python312-windows.yml

@@ -7,8 +7,6 @@ on:
     # Run checks on reopened draft PRs to support triggering PR checks on draft PRs that were opened
     # by other workflows.
     types: [opened, synchronize, reopened, ready_for_review]
-  merge_group:
-    types: [checks_requested]
   schedule:
     # Weekly on Monday.
     - cron: '0 0 * * 1'
@@ -33,7 +31,7 @@ jobs:
       with:
         python-version: 3.12
 
-    - uses: actions/checkout@v6
+    - uses: actions/checkout@v5
 
     - name: Prepare test
       uses: ./.github/actions/prepare-test

.github/workflows/query-filters.yml

@@ -11,11 +11,9 @@ on:
     - synchronize
     - reopened
     - ready_for_review
-  merge_group:
-    types: [checks_requested]
   schedule:
     - cron: '0 5 * * *'
-  workflow_dispatch:
+  workflow_dispatch: {}
 
 defaults:
   run:
@@ -31,10 +29,10 @@ jobs:
       contents: read # This permission is needed to allow the GitHub Actions workflow to read the contents of the repository.
     steps:
     - name: Check out repository
-      uses: actions/checkout@v6
+      uses: actions/checkout@v5
 
     - name: Install Node.js
-      uses: actions/setup-node@v6
+      uses: actions/setup-node@v5
       with:
         node-version: 24
         cache: npm

.github/workflows/rebuild.yml

@@ -24,7 +24,7 @@ jobs:
       pull-requests: write # needed to comment on the PR
     steps:
       - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@v5
         with:
           fetch-depth: 0
           ref: ${{ env.HEAD_REF }}
@@ -111,7 +111,7 @@ jobs:
             # Otherwise, just commit the changes.
             if git rev-parse --verify MERGE_HEAD >/dev/null 2>&1; then
               echo "In progress merge detected, finishing it up."
-              git merge --continue --no-edit
+              git merge --continue
             else
               echo "No in-progress merge detected, committing changes."
               git commit -m "Rebuild"

.github/workflows/rollback-release.yml

@@ -52,7 +52,7 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@v5
         with:
           fetch-depth: 0 # Need full history for calculation of diffs
 
@@ -127,8 +127,9 @@ jobs:
         env:
           NEW_CHANGELOG: "${{ runner.temp }}/new_changelog.md"
           PARTIAL_CHANGELOG: "${{ runner.temp }}/partial_changelog.md"
+          VERSION: "${{ needs.prepare.outputs.version }}"
         run: |
-          python .github/workflows/script/prepare_changelog.py $NEW_CHANGELOG > $PARTIAL_CHANGELOG
+          python .github/workflows/script/prepare_changelog.py $NEW_CHANGELOG "$VERSION" > $PARTIAL_CHANGELOG
 
           echo "::group::Partial CHANGELOG"
           cat $PARTIAL_CHANGELOG
@@ -136,7 +137,7 @@ jobs:
 
       - name: Generate token
         if: github.event_name == 'workflow_dispatch'
-        uses: actions/create-github-app-token@v2.2.1
+        uses: actions/create-github-app-token@v2.1.4
         id: app-token
         with:
           app-id: ${{ vars.AUTOMATION_APP_ID }}

.github/workflows/script/bundle_changelog.py

@@ -1,23 +0,0 @@
-#!/usr/bin/env python3
-import os
-import re
-
-cli_version = os.environ['CLI_VERSION']
-
-# The GitHub Release for the new bundle version.
-bundle_release_url = f"https://github.com/github/codeql-action/releases/tag/codeql-bundle-v{cli_version}"
-# Get the PR number from the PR URL.
-pr_number = os.environ['PR_URL'].split('/')[-1]
-changelog_note = f"- Update default CodeQL bundle version to [{cli_version}]({bundle_release_url}). [#{pr_number}]({os.environ['PR_URL']})"
-
-# If the "[UNRELEASED]" section starts with "no user facing changes", remove that line.
-with open('CHANGELOG.md', 'r') as f:
-    changelog = f.read()
-
-changelog = changelog.replace('## [UNRELEASED]\n\nNo user facing changes.', '## [UNRELEASED]\n')
-
-# Add the changelog note to the bottom of the "[UNRELEASED]" section.
-changelog = re.sub(r'\n## (\d+\.\d+\.\d+)', f'{changelog_note}\n\n## \\1', changelog, count=1)
-
-with open('CHANGELOG.md', 'w') as f:
-    f.write(changelog)

.github/workflows/script/prepare_changelog.py

@@ -1,4 +1,3 @@
-#!/usr/bin/env python3
 import os
 import sys
 
@@ -7,7 +6,7 @@ EMPTY_CHANGELOG = 'No changes.\n\n'
 # Prepare the changelog for the new release
 # This function will extract the part of the changelog that
 # we want to include in the new release.
-def extract_changelog_snippet(changelog_file):
+def extract_changelog_snippet(changelog_file, version_tag):
   output = ''
   if (not os.path.exists(changelog_file)):
     output = EMPTY_CHANGELOG
@@ -16,20 +15,23 @@ def extract_changelog_snippet(changelog_file):
     with open(changelog_file, 'r') as f:
       lines = f.readlines()
 
-      # Include only the contents of the first section
+      # Include everything up to, but excluding the second heading
       found_first_section = False
-      for line in lines:
+      for i, line in enumerate(lines):
         if line.startswith('## '):
           if found_first_section:
             break
           found_first_section = True
-        elif found_first_section:
-          output += line
+        output += line
 
-  return output.strip()
+  output += f"See the full [CHANGELOG.md](https://github.com/github/codeql-action/blob/{version_tag}/CHANGELOG.md) for more information."
+
+  return output
 
 
-if len(sys.argv) < 2:
-  raise Exception('Expecting argument: changelog_file')
+if len(sys.argv) < 3:
+  raise Exception('Expecting argument: changelog_file version_tag')
 changelog_file = sys.argv[1]
-print(extract_changelog_snippet(changelog_file))
+version_tag = sys.argv[2]
+
+print(extract_changelog_snippet(changelog_file, version_tag))

.github/workflows/script/update-required-checks.sh

@@ -29,7 +29,7 @@ fi
 echo "Getting checks for $GITHUB_SHA"
 
 # Ignore any checks with "https://", CodeQL, LGTM, Update, and ESLint checks.
-CHECKS="$(gh api repos/github/codeql-action/commits/"${GITHUB_SHA}"/check-runs --paginate | jq --slurp --compact-output --raw-output '[.[].check_runs.[] | select(.conclusion != "skipped") | .name | select(contains("https://") or . == "CodeQL" or . == "Dependabot" or . == "check-expected-release-files" or contains("Update") or contains("ESLint") or contains("update") or contains("test-setup-python-scripts") or . == "Agent" or . == "Cleanup artifacts" or . == "Prepare" or . == "Upload results" or . == "Label PR with size" | not)] | unique | sort')"
+CHECKS="$(gh api repos/github/codeql-action/commits/"${GITHUB_SHA}"/check-runs --paginate | jq --slurp --compact-output --raw-output '[.[].check_runs.[] | select(.conclusion != "skipped") | .name | select(contains("https://") or . == "CodeQL" or . == "Dependabot" or . == "check-expected-release-files" or contains("Update") or contains("ESLint") or contains("update") or contains("test-setup-python-scripts") | not)] | unique | sort')"
 
 echo "$CHECKS" | jq
 

.github/workflows/test-codeql-bundle-all.yml

@@ -13,11 +13,9 @@ on:
     - synchronize
     - reopened
     - ready_for_review
-  merge_group:
-    types: [checks_requested]
   schedule:
     - cron: '0 5 * * *'
-  workflow_dispatch:
+  workflow_dispatch: {}
 defaults:
   run:
     shell: bash
@@ -38,17 +36,13 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
     - name: Check out repository
-      uses: actions/checkout@v6
+      uses: actions/checkout@v5
     - name: Prepare test
       id: prepare-test
       uses: ./.github/actions/prepare-test
       with:
         version: ${{ matrix.version }}
         use-all-platform-bundle: true
-    - name: Install .NET
-      uses: actions/setup-dotnet@v5
-      with:
-        dotnet-version: '9.x'
     - id: init
       uses: ./../action/init
       with:

.github/workflows/update-bundle.yml

@@ -20,7 +20,7 @@ defaults:
 jobs:
   update-bundle:
     if: github.event.release.prerelease && startsWith(github.event.release.tag_name, 'codeql-bundle-')
-    runs-on: ubuntu-slim
+    runs-on: ubuntu-latest
     permissions:
       contents: write # needed to push commits
       pull-requests: write # needed to create pull requests
@@ -33,20 +33,15 @@ jobs:
           GITHUB_CONTEXT: '${{ toJson(github) }}'
         run: echo "$GITHUB_CONTEXT"
 
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v5
 
       - name: Update git config
         run: |
           git config --global user.email "41898282+github-actions[bot]@users.noreply.github.com"
           git config --global user.name "github-actions[bot]"
 
-      - name: Set up Python
-        uses: actions/setup-python@v6
-        with:
-          python-version: '3.12'
-
       - name: Set up Node.js
-        uses: actions/setup-node@v6
+        uses: actions/setup-node@v5
         with:
           node-version: 24
           cache: 'npm'
@@ -57,24 +52,6 @@ jobs:
       - name: Update bundle
         uses: ./.github/actions/update-bundle
 
-      - name: Bump Action minor version if new CodeQL minor version series
-        id: bump-action-version
-        run: |
-          prior_cli_version=$(jq -r '.priorCliVersion' src/defaults.json)
-          cli_version=$(jq -r '.cliVersion' src/defaults.json)
-
-          prior_minor=$(echo "$prior_cli_version" | cut -d. -f2)
-          current_minor=$(echo "$cli_version" | cut -d. -f2)
-
-          if [[ "$current_minor" != "$prior_minor" ]]; then
-            echo "New CodeQL minor version series ($prior_cli_version -> $cli_version), bumping Action minor version"
-            npm version minor --no-git-tag-version
-            echo "bumped=true" >> "$GITHUB_OUTPUT"
-          else
-            echo "Same minor version series ($prior_cli_version -> $cli_version), skipping Action version bump"
-            echo "bumped=false" >> "$GITHUB_OUTPUT"
-          fi
-
       - name: Rebuild Action
         run: npm run build
 
@@ -89,19 +66,11 @@ jobs:
       - name: Open pull request
         env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          ACTION_VERSION_BUMPED: ${{ steps.bump-action-version.outputs.bumped }}
         run: |
           cli_version=$(jq -r '.cliVersion' src/defaults.json)
-          action_version=$(jq -r '.version' package.json)
-
-          pr_body="This pull request updates the default CodeQL bundle, as used with \`tools: linked\` and on GHES, to $cli_version."
-          if [[ "$ACTION_VERSION_BUMPED" == "true" ]]; then
-            pr_body+=$'\n\n'"Since this is a new CodeQL minor version series, this PR also bumps the Action version to $action_version."
-          fi
-
           pr_url=$(gh pr create \
             --title "Update default bundle to $cli_version" \
-            --body "$pr_body" \
+            --body "This pull request updates the default CodeQL bundle, as used with \`tools: linked\` and on GHES, to $cli_version." \
             --assignee "$GITHUB_ACTOR" \
             --draft \
           )
@@ -109,8 +78,28 @@ jobs:
           echo "PR_URL=$pr_url" | tee -a "$GITHUB_ENV"
 
       - name: Create changelog note
+        shell: python
         run: |
-          python .github/workflows/script/bundle_changelog.py
+          import os
+          import re
+
+          # Get the PR number from the PR URL.
+          pr_number = os.environ['PR_URL'].split('/')[-1]
+          changelog_note = f"- Update default CodeQL bundle version to {os.environ['CLI_VERSION']}. [#{pr_number}]({os.environ['PR_URL']})"
+
+          # If the "[UNRELEASED]" section starts with "no user facing changes", remove that line.
+          # Use perl to avoid having to escape the newline character.
+
+          with open('CHANGELOG.md', 'r') as f:
+              changelog = f.read()
+
+          changelog = changelog.replace('## [UNRELEASED]\n\nNo user facing changes.', '## [UNRELEASED]\n')
+
+          # Add the changelog note to the bottom of the "[UNRELEASED]" section.
+          changelog = re.sub(r'\n## (\d+\.\d+\.\d+)', f'{changelog_note}\n\n## \\1', changelog, count=1)
+
+          with open('CHANGELOG.md', 'w') as f:
+              f.write(changelog)
 
       - name: Push changelog note
         run: |

.github/workflows/update-release-branch.yml

@@ -26,7 +26,7 @@ jobs:
 
   update:
     timeout-minutes: 45
-    runs-on: ubuntu-slim
+    runs-on: ubuntu-latest
     if: github.event_name == 'workflow_dispatch'
     needs: [prepare]
     env:
@@ -38,7 +38,7 @@ jobs:
       contents: write # needed to push commits
       pull-requests: write # needed to create pull request
     steps:
-    - uses: actions/checkout@v6
+    - uses: actions/checkout@v5
       with:
         fetch-depth: 0  # Need full history for calculation of diffs
     - uses: ./.github/actions/release-initialise
@@ -77,7 +77,7 @@ jobs:
 
   backport:
     timeout-minutes: 45
-    runs-on: ubuntu-slim
+    runs-on: ubuntu-latest
     environment: Automation
     needs: [prepare]
     if: ${{ (github.event_name == 'push') && needs.prepare.outputs.backport_target_branches != '[]' }}
@@ -93,14 +93,14 @@ jobs:
       pull-requests: write # needed to create pull request
     steps:
     - name: Generate token
-      uses: actions/create-github-app-token@v2.2.1
+      uses: actions/create-github-app-token@v2.1.4
       id: app-token
       with:
         app-id: ${{ vars.AUTOMATION_APP_ID }}
         private-key: ${{ secrets.AUTOMATION_PRIVATE_KEY }}
 
     - name: Checkout
-      uses: actions/checkout@v6
+      uses: actions/checkout@v5
       with:
         fetch-depth: 0  # Need full history for calculation of diffs
         token: ${{ steps.app-token.outputs.token }}

.github/workflows/update-supported-enterprise-server-versions.yml

@@ -4,18 +4,12 @@ on:
   schedule:
     - cron: "0 0 * * *"
   workflow_dispatch:
-  pull_request:
-    branches:
-      - main
-    paths:
-      - .github/workflows/update-supported-enterprise-server-versions.yml
-      - .github/workflows/update-supported-enterprise-server-versions/update.py
 
 jobs:
   update-supported-enterprise-server-versions:
     name: Update Supported Enterprise Server Versions
     timeout-minutes: 45
-    runs-on: ubuntu-slim
+    runs-on: ubuntu-latest
     if: github.repository == 'github/codeql-action'
     permissions:
       contents: write # needed to push commits
@@ -27,14 +21,13 @@ jobs:
         with:
           python-version: "3.13"
       - name: Checkout CodeQL Action
-        uses: actions/checkout@v6
+        uses: actions/checkout@v5
       - name: Checkout Enterprise Releases
-        uses: actions/checkout@v6
+        uses: actions/checkout@v5
         with:
           repository: github/enterprise-releases
           token: ${{ secrets.ENTERPRISE_RELEASE_TOKEN }}
           path: ${{ github.workspace }}/enterprise-releases/
-          sparse-checkout: releases.json
       - name: Update Supported Enterprise Server Versions
         run: |
           cd ./.github/workflows/update-supported-enterprise-server-versions/
@@ -42,7 +35,6 @@ jobs:
           pipenv install
           pipenv run ./update.py
           rm --recursive "$ENTERPRISE_RELEASES_PATH"
-          npm ci
           npm run build
         env:
           ENTERPRISE_RELEASES_PATH: ${{ github.workspace }}/enterprise-releases/
@@ -52,33 +44,25 @@ jobs:
           git config --global user.email "41898282+github-actions[bot]@users.noreply.github.com"
           git config --global user.name "github-actions[bot]"
 
-      - name: Commit changes
-        id: prepare-commit
+      - name: Commit changes and open PR
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
           if [[ -z $(git status --porcelain) ]]; then
             echo "No changes to commit"
-            echo "committed=false" >> $GITHUB_OUTPUT
           else
             git checkout -b update-supported-enterprise-server-versions
             git add .
             git commit --message "Update supported GitHub Enterprise Server versions"
+            git push origin update-supported-enterprise-server-versions
 
-            echo "committed=true" >> $GITHUB_OUTPUT
+            body="This PR updates the list of supported GitHub Enterprise Server versions, either because a new "
+            body+="version is about to be feature frozen, or because an old release has been deprecated."
+            body+=$'\n\n'
+            body+="If an old release has been deprecated, please follow the instructions in CONTRIBUTING.md to "
+            body+="deprecate the corresponding version of CodeQL."
+
+            gh pr create --draft \
+              --title "Update supported GitHub Enterprise Server versions" \
+              --body "$body"
           fi
-
-      - name: Open PR
-        if: github.event_name != 'pull_request' && steps.prepare-commit.outputs.committed == 'true'
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        run: |
-          git push origin update-supported-enterprise-server-versions
-
-          body="This PR updates the list of supported GitHub Enterprise Server versions, either because a new "
-          body+="version is about to be feature frozen, or because an old release has been deprecated."
-          body+=$'\n\n'
-          body+="If an old release has been deprecated, please follow the instructions in CONTRIBUTING.md to "
-          body+="deprecate the corresponding version of CodeQL."
-
-          gh pr create --draft \
-            --title "Update supported GitHub Enterprise Server versions" \
-            --body "$body"

CHANGELOG.md

@@ -2,106 +2,13 @@
 
 See the [releases page](https://github.com/github/codeql-action/releases) for the relevant changes to the CodeQL CLI and language packs.
 
-## 3.32.5 - 02 Mar 2026
-
-- Repositories owned by an organization can now set up the `github-codeql-disable-overlay` custom repository property to disable [improved incremental analysis for CodeQL](https://github.com/github/roadmap/issues/1158). First, create a custom repository property with the name `github-codeql-disable-overlay` and the type "True/false" in the organization's settings. Then in the repository's settings, set this property to `true` to disable improved incremental analysis. For more information, see [Managing custom properties for repositories in your organization](https://docs.github.com/en/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization). This feature is not yet available on GitHub Enterprise Server. [#3507](https://github.com/github/codeql-action/pull/3507)
-- Added an experimental change so that when [improved incremental analysis](https://github.com/github/roadmap/issues/1158) fails on a runner — potentially due to insufficient disk space — the failure is recorded in the Actions cache so that subsequent runs will automatically skip improved incremental analysis until something changes (e.g. a larger runner is provisioned or a new CodeQL version is released). We expect to roll this change out to everyone in March. [#3487](https://github.com/github/codeql-action/pull/3487)
-- The minimum memory check for improved incremental analysis is now skipped for CodeQL 2.24.3 and later, which has reduced peak RAM usage. [#3515](https://github.com/github/codeql-action/pull/3515)
-- Reduced log levels for best-effort private package registry connection check failures to reduce noise from workflow annotations. [#3516](https://github.com/github/codeql-action/pull/3516)
-- Added an experimental change which lowers the minimum disk space requirement for [improved incremental analysis](https://github.com/github/roadmap/issues/1158), enabling it to run on standard GitHub Actions runners. We expect to roll this change out to everyone in March. [#3498](https://github.com/github/codeql-action/pull/3498)
-- Added an experimental change which allows the `start-proxy` action to resolve the CodeQL CLI version from feature flags instead of using the linked CLI bundle version. We expect to roll this change out to everyone in March. [#3512](https://github.com/github/codeql-action/pull/3512)
-- The previously experimental changes from versions 4.32.3, 4.32.4, 3.32.3 and 3.32.4 are now enabled by default. [#3503](https://github.com/github/codeql-action/pull/3503), [#3504](https://github.com/github/codeql-action/pull/3504)
-
-## 3.32.4 - 20 Feb 2026
-
-- Update default CodeQL bundle version to [2.24.2](https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.24.2). [#3493](https://github.com/github/codeql-action/pull/3493)
-- Added an experimental change which improves how certificates are generated for the authentication proxy that is used by the CodeQL Action in Default Setup when [private package registries are configured](https://docs.github.com/en/code-security/how-tos/secure-at-scale/configure-organization-security/manage-usage-and-access/giving-org-access-private-registries). This is expected to generate more widely compatible certificates and should have no impact on analyses which are working correctly already. We expect to roll this change out to everyone in February. [#3473](https://github.com/github/codeql-action/pull/3473)
-- When the CodeQL Action is run [with debugging enabled in Default Setup](https://docs.github.com/en/code-security/how-tos/scan-code-for-vulnerabilities/troubleshooting/troubleshooting-analysis-errors/logs-not-detailed-enough#creating-codeql-debugging-artifacts-for-codeql-default-setup) and [private package registries are configured](https://docs.github.com/en/code-security/how-tos/secure-at-scale/configure-organization-security/manage-usage-and-access/giving-org-access-private-registries), the "Setup proxy for registries" step will output additional diagnostic information that can be used for troubleshooting. [#3486](https://github.com/github/codeql-action/pull/3486)
-- Added a setting which allows the CodeQL Action to enable network debugging for Java programs. This will help GitHub staff support customers with troubleshooting issues in GitHub-managed CodeQL workflows, such as Default Setup. This setting can only be enabled by GitHub staff. [#3485](https://github.com/github/codeql-action/pull/3485)
-- Added a setting which enables GitHub-managed workflows, such as Default Setup, to use a [nightly CodeQL CLI release](https://github.com/dsp-testing/codeql-cli-nightlies) instead of the latest, stable release that is used by default. This will help GitHub staff support customers whose analyses for a given repository or organization require early access to a change in an upcoming CodeQL CLI release. This setting can only be enabled by GitHub staff. [#3484](https://github.com/github/codeql-action/pull/3484)
-
-## 3.32.3 - 13 Feb 2026
-
-- Added experimental support for testing connections to [private package registries](https://docs.github.com/en/code-security/how-tos/secure-at-scale/configure-organization-security/manage-usage-and-access/giving-org-access-private-registries). This feature is not currently enabled for any analysis. In the future, it may be enabled by default for Default Setup. [#3466](https://github.com/github/codeql-action/pull/3466)
-
-## 3.32.2 - 05 Feb 2026
-
-- Update default CodeQL bundle version to [2.24.1](https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.24.1). [#3460](https://github.com/github/codeql-action/pull/3460)
-
-## 3.32.1 - 02 Feb 2026
-
-- A warning is now shown in Default Setup workflow logs if a [private package registry is configured](https://docs.github.com/en/code-security/how-tos/secure-at-scale/configure-organization-security/manage-usage-and-access/giving-org-access-private-registries) using a GitHub Personal Access Token (PAT), but no username is configured. [#3422](https://github.com/github/codeql-action/pull/3422)
-- Fixed a bug which caused the CodeQL Action to fail when repository properties cannot successfully be retrieved. [#3421](https://github.com/github/codeql-action/pull/3421)
-
-## 3.32.0 - 26 Jan 2026
-
-- Update default CodeQL bundle version to [2.24.0](https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.24.0). [#3425](https://github.com/github/codeql-action/pull/3425)
-
-## 3.31.11 - 23 Jan 2026
-
-- When running a Default Setup workflow with [Actions debugging enabled](https://docs.github.com/en/actions/how-tos/monitor-workflows/enable-debug-logging), the CodeQL Action will now use more unique names when uploading logs from the Dependabot authentication proxy as workflow artifacts. This ensures that the artifact names do not clash between multiple jobs in a build matrix. [#3409](https://github.com/github/codeql-action/pull/3409)
-- Improved error handling throughout the CodeQL Action. [#3415](https://github.com/github/codeql-action/pull/3415)
-- Added experimental support for automatically excluding [generated files](https://docs.github.com/en/repositories/working-with-files/managing-files/customizing-how-changed-files-appear-on-github) from the analysis. This feature is not currently enabled for any analysis. In the future, it may be enabled by default for some GitHub-managed analyses. [#3318](https://github.com/github/codeql-action/pull/3318)
-- The changelog extracts that are included with releases of the CodeQL Action are now shorter to avoid duplicated information from appearing in Dependabot PRs. [#3403](https://github.com/github/codeql-action/pull/3403)
-
-## 3.31.10 - 12 Jan 2026
-
-- Update default CodeQL bundle version to 2.23.9. [#3393](https://github.com/github/codeql-action/pull/3393)
-
-## 3.31.9 - 16 Dec 2025
+## [UNRELEASED]
 
 No user facing changes.
 
-## 3.31.8 - 11 Dec 2025
+## 4.30.7 - 06 Oct 2025
 
-- Update default CodeQL bundle version to 2.23.8. [#3354](https://github.com/github/codeql-action/pull/3354)
-
-## 3.31.7 - 05 Dec 2025
-
-- Update default CodeQL bundle version to 2.23.7. [#3343](https://github.com/github/codeql-action/pull/3343)
-
-## 3.31.6 - 01 Dec 2025
-
-No user facing changes.
-
-## 3.31.5 - 24 Nov 2025
-
-- Update default CodeQL bundle version to 2.23.6. [#3321](https://github.com/github/codeql-action/pull/3321)
-
-## 3.31.4 - 18 Nov 2025
-
-No user facing changes.
-
-## 3.31.3 - 13 Nov 2025
-
-- CodeQL Action v3 will be deprecated in December 2026.  The Action now logs a warning for customers who are running v3 but could be running v4. For more information, see [Upcoming deprecation of CodeQL Action v3](https://github.blog/changelog/2025-10-28-upcoming-deprecation-of-codeql-action-v3/).
-- Update default CodeQL bundle version to 2.23.5. [#3288](https://github.com/github/codeql-action/pull/3288)
-
-## 3.31.2 - 30 Oct 2025
-
-No user facing changes.
-
-## 3.31.1 - 30 Oct 2025
-
-- The `add-snippets` input has been removed from the `analyze` action. This input has been deprecated since CodeQL Action 3.26.4 in August 2024 when this removal was announced.
-
-## 3.31.0 - 24 Oct 2025
-
-- Bump minimum CodeQL bundle version to 2.17.6. [#3223](https://github.com/github/codeql-action/pull/3223)
-- When SARIF files are uploaded by the `analyze` or `upload-sarif` actions, the CodeQL Action automatically performs post-processing steps to prepare the data for the upload. Previously, these post-processing steps were only performed before an upload took place. We are now changing this so that the post-processing steps will always be performed, even when the SARIF files are not uploaded. This does not change anything for the `upload-sarif` action. For `analyze`, this may affect Advanced Setup for CodeQL users who specify a value other than `always` for the `upload` input. [#3222](https://github.com/github/codeql-action/pull/3222)
-
-## 3.30.9 - 17 Oct 2025
-
-- Update default CodeQL bundle version to 2.23.3. [#3205](https://github.com/github/codeql-action/pull/3205)
-- Experimental: A new `setup-codeql` action has been added which is similar to `init`, except it only installs the CodeQL CLI and does not initialize a database. Do not use this in production as it is part of an internal experiment and subject to change at any time. [#3204](https://github.com/github/codeql-action/pull/3204)
-
-## 3.30.8 - 10 Oct 2025
-
-No user facing changes.
-
-## 3.30.7 - 06 Oct 2025
-
-No user facing changes.
+- [v4+ only] The CodeQL Action now runs on Node.js v24. [#3169](https://github.com/github/codeql-action/pull/3169)
 
 ## 3.30.6 - 02 Oct 2025
 
@@ -337,13 +244,17 @@ No user facing changes.
 ## 3.26.12 - 07 Oct 2024
 
 - _Upcoming breaking change_: Add a deprecation warning for customers using CodeQL version 2.14.5 and earlier. These versions of CodeQL were discontinued on 24 September 2024 alongside GitHub Enterprise Server 3.10, and will be unsupported by CodeQL Action versions 3.27.0 and later and versions 2.27.0 and later. [#2520](https://github.com/github/codeql-action/pull/2520)
+
   - If you are using one of these versions, please update to CodeQL CLI version 2.14.6 or later. For instance, if you have specified a custom version of the CLI using the 'tools' input to the 'init' Action, you can remove this input to use the default version.
+
   - Alternatively, if you want to continue using a version of the CodeQL CLI between 2.13.5 and 2.14.5, you can replace `github/codeql-action/*@v3` by `github/codeql-action/*@v3.26.11` and `github/codeql-action/*@v2` by `github/codeql-action/*@v2.26.11` in your code scanning workflow to ensure you continue using this version of the CodeQL Action.
 
 ## 3.26.11 - 03 Oct 2024
 
 - _Upcoming breaking change_: Add support for using `actions/download-artifact@v4` to programmatically consume CodeQL Action debug artifacts.
+
   Starting November 30, 2024, GitHub.com customers will [no longer be able to use `actions/download-artifact@v3`](https://github.blog/changelog/2024-04-16-deprecation-notice-v3-of-the-artifact-actions/). Therefore, to avoid breakage, customers who programmatically download the CodeQL Action debug artifacts should set the `CODEQL_ACTION_ARTIFACT_V4_UPGRADE` environment variable to `true` and bump `actions/download-artifact@v3` to `actions/download-artifact@v4` in their workflows. The CodeQL Action will enable this behavior by default in early November and workflows that have not yet bumped `actions/download-artifact@v3` to `actions/download-artifact@v4` will begin failing then.
+
   This change is currently unavailable for GitHub Enterprise Server customers, as `actions/upload-artifact@v4` and `actions/download-artifact@v4` are not yet compatible with GHES.
 - Update default CodeQL bundle version to 2.19.1. [#2519](https://github.com/github/codeql-action/pull/2519)
 
@@ -466,9 +377,12 @@ No user facing changes.
 ## 3.25.0 - 15 Apr 2024
 
 - The deprecated feature for extracting dependencies for a Python analysis has been removed. [#2224](https://github.com/github/codeql-action/pull/2224)
+
   As a result, the following inputs and environment variables are now ignored:
+
   - The `setup-python-dependencies` input to the `init` Action
   - The `CODEQL_ACTION_DISABLE_PYTHON_DEPENDENCY_INSTALLATION` environment variable
+
   We recommend removing any references to these from your workflows. For more information, see the release notes for CodeQL Action v3.23.0 and v2.23.0.
 - Automatically overwrite an existing database if found on the filesystem. [#2229](https://github.com/github/codeql-action/pull/2229)
 - Bump the minimum CodeQL bundle version to 2.12.6. [#2232](https://github.com/github/codeql-action/pull/2232)

README.md

@@ -34,7 +34,6 @@ Actions with special purposes and unlikely to be used directly:
 - `autobuild`: Attempts to automatically build the code. Only used for analyzing languages that require a build. Use the `build-mode: autobuild` input in the `init` action instead. For information about input parameters, see the [autobuild action definition](https://github.com/github/codeql-action/blob/main/autobuild/action.yml).
 - `resolve-environment`: [Experimental] Attempts to infer a build environment suitable for automatic builds. For information about input parameters, see the [resolve-environment action definition](https://github.com/github/codeql-action/blob/main/resolve-environment/action.yml).
 - `start-proxy`: [Experimental] Start the HTTP proxy server. Internal use only and will change without notice. For information about input parameters, see the [start-proxy action definition](https://github.com/github/codeql-action/blob/main/start-proxy/action.yml).
-- `setup-codeql`: [Experimental] Similar to `init`, except it only installs the CodeQL CLI and does not initialize a database.
 
 ### Workflow Permissions
 
@@ -72,22 +71,14 @@ We typically release new minor versions of the CodeQL Action and Bundle when a n
 
 | Minimum CodeQL Action | Minimum CodeQL Bundle Version | GitHub Environment | Notes |
 |-----------------------|-------------------------------|--------------------|-------|
-| `v4.31.10` | `2.23.9` | Enterprise Server 3.20 | |
-| `v3.29.11` | `2.22.4` | Enterprise Server 3.19 | |
-| `v3.28.21` | `2.21.3` | Enterprise Server 3.18 | |
-| `v3.28.12` | `2.20.7` | Enterprise Server 3.17 | |
-| `v3.28.6` | `2.20.3` | Enterprise Server 3.16 | |
-| `v3.28.6` | `2.20.3` | Enterprise Server 3.15 | |
+| `v3.28.21`  | `2.21.3` | Enterprise Server 3.18 | |
+| `v3.28.12`  | `2.20.7` | Enterprise Server 3.17 | |
+| `v3.28.6`  | `2.20.3` | Enterprise Server 3.16 | |
+| `v3.28.6`  | `2.20.3` | Enterprise Server 3.15 | |
 | `v3.28.6` | `2.20.3` | Enterprise Server 3.14 | |
 
 See the full list of GHES release and deprecation dates at [GitHub Enterprise Server releases](https://docs.github.com/en/enterprise-server/admin/all-releases#releases-of-github-enterprise-server).
 
-## Keeping the CodeQL Action up to date in advanced setups
-
-If you are using an [advanced setup](https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/configuring-advanced-setup-for-code-scanning), we recommend referencing the CodeQL Action using a major version tag (e.g. `v4`) in your workflow file. This ensures your workflow automatically picks up the latest release within that major version, including bug fixes, new features, and updated CodeQL CLI versions.
-
-If you pin to a specific commit SHA or patch version tag, ensure you keep it updated (e.g. via [Dependabot](https://docs.github.com/en/code-security/dependabot/working-with-dependabot/keeping-your-actions-up-to-date-with-dependabot)). Some CodeQL Action features are enabled by server-side flags that may be removed over time, which can cause old versions to lose functionality.
-
 ## Troubleshooting
 
 Read about [troubleshooting code scanning](https://docs.github.com/en/code-security/code-scanning/troubleshooting-code-scanning).

analyze/action.yml

@@ -6,7 +6,7 @@ inputs:
     description: The name of the check run to add text to.
     required: false
   output:
-    description: The path of the directory in which to save the SARIF results from the CodeQL CLI.
+    description: The path of the directory in which to save the SARIF results
     required: false
     default: "../results"
   upload:
@@ -32,10 +32,14 @@ inputs:
       and 13GB for macOS).
     required: false
   add-snippets:
-    description: Does not have any effect.
+    description: Specify whether or not to add code snippets to the output sarif file.
     required: false
+    default: "false"
     deprecationMessage: >-
-      The input "add-snippets" has been removed and no longer has any effect.
+      The input "add-snippets" is deprecated and will be removed on the first release in August 2025.
+      When this input is set to true it is expected to add code snippets with an alert to the SARIF file.
+      However, since Code Scanning ignores code snippets provided as part of a SARIF file this is currently
+      a no operation. No alternative is available.
   skip-queries:
     description: If this option is set, the CodeQL database will be built but no queries will be run on it. Thus, no results will be produced.
     required: false
@@ -66,12 +70,6 @@ inputs:
     description: Whether to upload the resulting CodeQL database
     required: false
     default: "true"
-  post-processed-sarif-path:
-    description: >-
-      Before uploading the SARIF files produced by the CodeQL CLI, the CodeQL Action may perform some post-processing
-      on them. Ordinarily, these post-processed SARIF files are not saved to disk. However, if a path is provided as an
-      argument for this input, they are written to the specified directory.
-    required: false
   wait-for-processing:
     description: If true, the Action will wait for the uploaded SARIF to be processed before completing.
     required: true
@@ -94,6 +92,6 @@ outputs:
   sarif-id:
     description: The ID of the uploaded SARIF file.
 runs:
-  using: node20
+  using: node24
   main: "../lib/analyze-action.js"
   post: "../lib/analyze-action-post.js"

autobuild/action.yml

@@ -15,5 +15,5 @@ inputs:
       $GITHUB_WORKSPACE as its working directory.
     required: false
 runs:
-  using: node20
+  using: node24
   main: '../lib/autobuild-action.js'

eslint.config.mjs

@@ -1,14 +1,26 @@
-import { fixupPluginRules } from "@eslint/compat";
+// Automatically generated by running npx @eslint/migrate-config .eslintrc.json
+
+import path from "node:path";
+import { fileURLToPath } from "node:url";
+
+import { fixupConfigRules, fixupPluginRules } from "@eslint/compat";
+import { FlatCompat } from "@eslint/eslintrc";
 import js from "@eslint/js";
+import typescriptEslint from "@typescript-eslint/eslint-plugin";
+import tsParser from "@typescript-eslint/parser";
+import filenames from "eslint-plugin-filenames";
 import github from "eslint-plugin-github";
-import { importX, createNodeResolver } from "eslint-plugin-import-x";
-import { createTypeScriptImportResolver } from "eslint-import-resolver-typescript";
+import _import from "eslint-plugin-import";
 import noAsyncForeach from "eslint-plugin-no-async-foreach";
-import jsdoc from "eslint-plugin-jsdoc";
-import tseslint from "typescript-eslint";
 import globals from "globals";
 
-const githubFlatConfigs = github.getFlatConfigs();
+const __filename = fileURLToPath(import.meta.url);
+const __dirname = path.dirname(__filename);
+const compat = new FlatCompat({
+  baseDirectory: __dirname,
+  recommendedConfig: js.configs.recommended,
+  allConfig: js.configs.all,
+});
 
 export default [
   {
@@ -23,29 +35,28 @@ export default [
       ".github/**/*",
     ],
   },
-  // eslint recommended config
-  js.configs.recommended,
-  // Type-checked rules from typescript-eslint
-  ...tseslint.configs.recommendedTypeChecked,
-  ...tseslint.configs.strict,
-  // eslint-plugin-github recommended config
-  githubFlatConfigs.recommended,
-  // eslint-plugin-github typescript config
-  ...githubFlatConfigs.typescript,
-  // import-x TypeScript settings
-  // This is needed for import-x rules to properly parse TypeScript files.
-  {
-    settings: importX.flatConfigs.typescript.settings,
-  },
+  ...fixupConfigRules(
+    compat.extends(
+      "eslint:recommended",
+      "plugin:@typescript-eslint/recommended",
+      "plugin:@typescript-eslint/recommended-requiring-type-checking",
+      "plugin:github/recommended",
+      "plugin:github/typescript",
+      "plugin:import/typescript",
+    ),
+  ),
   {
     plugins: {
-      "import-x": importX,
-      "no-async-foreach": fixupPluginRules(noAsyncForeach),
-      "jsdoc": jsdoc,
+      "@typescript-eslint": fixupPluginRules(typescriptEslint),
+      filenames: fixupPluginRules(filenames),
+      github: fixupPluginRules(github),
+      import: fixupPluginRules(_import),
+      "no-async-foreach": noAsyncForeach,
     },
 
     languageOptions: {
-      ecmaVersion: "latest",
+      parser: tsParser,
+      ecmaVersion: 5,
       sourceType: "module",
 
       globals: {
@@ -66,16 +77,10 @@ export default [
         typescript: {},
       },
       "import/ignore": ["sinon", "uuid", "@octokit/plugin-retry", "del", "get-folder-size"],
-      "import-x/resolver-next": [
-        createTypeScriptImportResolver(),
-        createNodeResolver({
-          extensions: [".ts", ".js", ".json"],
-        }),
-      ],
     },
 
     rules: {
-      "github/filenames-match-regex": ["error", "^[a-z0-9-]+(\\.test)?$"],
+      "filenames/match-regex": ["error", "^[a-z0-9-]+(\\.test)?$"],
       "i18n-text/no-en": "off",
 
       "import/extensions": [
@@ -87,10 +92,7 @@ export default [
 
       "import/no-amd": "error",
       "import/no-commonjs": "error",
-      // import/no-cycle does not seem to work with ESLint 9.
-      // Use import-x/no-cycle from eslint-plugin-import-x instead.
-      "import/no-cycle": "off",
-      "import-x/no-cycle": "error",
+      "import/no-cycle": "error",
       "import/no-dynamic-require": "error",
 
       "import/no-extraneous-dependencies": [
@@ -128,21 +130,8 @@ export default [
       "no-async-foreach/no-async-foreach": "error",
       "no-sequences": "error",
       "no-shadow": "off",
-      // This is overly restrictive with unsetting `EnvVar`s
-      "@typescript-eslint/no-dynamic-delete": "off",
       "@typescript-eslint/no-shadow": "error",
-      "@typescript-eslint/prefer-optional-chain": "error",
       "one-var": ["error", "never"],
-
-      // Check param names to ensure that we don't have outdated JSDocs.
-      "jsdoc/check-param-names": [
-        "error",
-        {
-          // We don't currently require full JSDoc coverage, so this rule
-          // should not error on missing @param annotations.
-          disableMissingParamChecks: true,
-        }
-      ],
     },
   },
   {

init/action.yml

@@ -165,6 +165,6 @@ outputs:
   codeql-version:
     description: The version of the CodeQL binary used for analysis
 runs:
-  using: node20
+  using: node24
   main: '../lib/init-action.js'
   post: '../lib/init-action-post.js'

lib/defaults.json

@@ -1,6 +1,6 @@
 {
-  "bundleVersion": "codeql-bundle-v2.24.2",
-  "cliVersion": "2.24.2",
-  "priorBundleVersion": "codeql-bundle-v2.24.1",
-  "priorCliVersion": "2.24.1"
+  "bundleVersion": "codeql-bundle-v2.23.2",
+  "cliVersion": "2.23.2",
+  "priorBundleVersion": "codeql-bundle-v2.23.1",
+  "priorCliVersion": "2.23.1"
 }