Improve tests

Improve error message
Remove dead code
2026-05-09 15:20:28 +00:00 · 2026-05-08 19:16:48 +01:00 · 2026-05-08 19:16:47 +01:00 · 2026-05-08 19:16:46 +01:00 · 2026-05-08 19:14:05 +01:00 · 2026-05-08 19:14:05 +01:00
40 changed files with 3818 additions and 1634 deletions
@@ -2,6 +2,10 @@

 See the [releases page](https://github.com/github/codeql-action/releases) for the relevant changes to the CodeQL CLI and language packs.

+## [UNRELEASED]
+
+- Added an experimental change which, when running a Code Scanning analysis for a PR with [improved incremental analysis](https://github.com/github/roadmap/issues/1158) enabled, prefers CodeQL CLI versions that have a cached overlay-base database for the configured languages. This speeds up analysis for a repository when there is not yet a cached overlay-base database for the latest CLI version. We expect to roll this change out to everyone in May. [#3880](https://github.com/github/codeql-action/pull/3880)
+
 ## 4.35.4 - 07 May 2026

 - Update default CodeQL bundle version to [2.25.4](https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.25.4). [#3881](https://github.com/github/codeql-action/pull/3881)
@@ -26352,11 +26352,11 @@ var require_valid = __commonJS({
  "node_modules/semver/functions/valid.js"(exports2, module2) {
    "use strict";
    var parse2 = require_parse2();
-    var valid3 = (version, options) => {
+    var valid4 = (version, options) => {
      const v = parse2(version, options);
      return v ? v.version : null;
    };
-    module2.exports = valid3;
+    module2.exports = valid4;
  }
 });

@@ -26499,8 +26499,8 @@ var require_rcompare = __commonJS({
  "node_modules/semver/functions/rcompare.js"(exports2, module2) {
    "use strict";
    var compare2 = require_compare();
-    var rcompare = (a, b, loose) => compare2(b, a, loose);
-    module2.exports = rcompare;
+    var rcompare3 = (a, b, loose) => compare2(b, a, loose);
+    module2.exports = rcompare3;
  }
 });

@@ -27716,7 +27716,7 @@ var require_semver2 = __commonJS({
    var SemVer = require_semver();
    var identifiers = require_identifiers();
    var parse2 = require_parse2();
-    var valid3 = require_valid();
+    var valid4 = require_valid();
    var clean3 = require_clean();
    var inc = require_inc();
    var diff = require_diff();
@@ -27725,7 +27725,7 @@ var require_semver2 = __commonJS({
    var patch = require_patch();
    var prerelease = require_prerelease();
    var compare2 = require_compare();
-    var rcompare = require_rcompare();
+    var rcompare3 = require_rcompare();
    var compareLoose = require_compare_loose();
    var compareBuild = require_compare_build();
    var sort = require_sort();
@@ -27754,7 +27754,7 @@ var require_semver2 = __commonJS({
    var subset = require_subset();
    module2.exports = {
      parse: parse2,
-      valid: valid3,
+      valid: valid4,
      clean: clean3,
      inc,
      diff,
@@ -27763,7 +27763,7 @@ var require_semver2 = __commonJS({
      patch,
      prerelease,
      compare: compare2,
-      rcompare,
+      rcompare: rcompare3,
      compareLoose,
      compareBuild,
      sort,
@@ -29553,16 +29553,16 @@ var require_attribute = __commonJS({
      var result = new ValidatorResult(instance, schema2, options, ctx);
      var self2 = this;
      schema2.allOf.forEach(function(v, i) {
-        var valid3 = self2.validateSchema(instance, v, options, ctx);
-        if (!valid3.valid) {
+        var valid4 = self2.validateSchema(instance, v, options, ctx);
+        if (!valid4.valid) {
          var id = v.$id || v.id;
          var msg = id || v.title && JSON.stringify(v.title) || v["$ref"] && "<" + v["$ref"] + ">" || "[subschema " + i + "]";
          result.addError({
            name: "allOf",
-            argument: { id: msg, length: valid3.errors.length, valid: valid3 },
-            message: "does not match allOf schema " + msg + " with " + valid3.errors.length + " error[s]:"
+            argument: { id: msg, length: valid4.errors.length, valid: valid4 },
+            message: "does not match allOf schema " + msg + " with " + valid4.errors.length + " error[s]:"
          });
-          result.importErrors(valid3);
+          result.importErrors(valid4);
        }
      });
      return result;
@@ -29851,8 +29851,8 @@ var require_attribute = __commonJS({
      if (typeof schema2.exclusiveMinimum === "boolean") return;
      if (!this.types.number(instance)) return;
      var result = new ValidatorResult(instance, schema2, options, ctx);
-      var valid3 = instance > schema2.exclusiveMinimum;
-      if (!valid3) {
+      var valid4 = instance > schema2.exclusiveMinimum;
+      if (!valid4) {
        result.addError({
          name: "exclusiveMinimum",
          argument: schema2.exclusiveMinimum,
@@ -29865,8 +29865,8 @@ var require_attribute = __commonJS({
      if (typeof schema2.exclusiveMaximum === "boolean") return;
      if (!this.types.number(instance)) return;
      var result = new ValidatorResult(instance, schema2, options, ctx);
-      var valid3 = instance < schema2.exclusiveMaximum;
-      if (!valid3) {
+      var valid4 = instance < schema2.exclusiveMaximum;
+      if (!valid4) {
        result.addError({
          name: "exclusiveMaximum",
          argument: schema2.exclusiveMaximum,
@@ -32649,8 +32649,8 @@ var require_semver3 = __commonJS({
        return null;
      }
    }
-    exports2.valid = valid3;
-    function valid3(version, options) {
+    exports2.valid = valid4;
+    function valid4(version, options) {
      var v = parse2(version, options);
      return v ? v.version : null;
    }
@@ -32950,8 +32950,8 @@ var require_semver3 = __commonJS({
      var versionB = new SemVer(b, loose);
      return versionA.compare(versionB) || versionA.compareBuild(versionB);
    }
-    exports2.rcompare = rcompare;
-    function rcompare(a, b, loose) {
+    exports2.rcompare = rcompare3;
+    function rcompare3(a, b, loose) {
      return compare2(b, a, loose);
    }
    exports2.sort = sort;
@@ -33779,7 +33779,7 @@ var require_cacheUtils = __commonJS({
    var crypto2 = __importStar2(require("crypto"));
    var fs9 = __importStar2(require("fs"));
    var path9 = __importStar2(require("path"));
-    var semver9 = __importStar2(require_semver3());
+    var semver10 = __importStar2(require_semver3());
    var util = __importStar2(require("util"));
    var constants_1 = require_constants7();
    var versionSalt = "1.0";
@@ -33872,7 +33872,7 @@ var require_cacheUtils = __commonJS({
    function getCompressionMethod() {
      return __awaiter2(this, void 0, void 0, function* () {
        const versionOutput = yield getVersion("zstd", ["--quiet"]);
-        const version = semver9.clean(versionOutput);
+        const version = semver10.clean(versionOutput);
        core15.debug(`zstd version: ${version}`);
        if (versionOutput === "") {
          return constants_1.CompressionMethod.Gzip;
@@ -75278,7 +75278,7 @@ var require_cacheHttpClient = __commonJS({
    exports2.getCacheEntry = getCacheEntry;
    exports2.downloadCache = downloadCache;
    exports2.reserveCache = reserveCache;
-    exports2.saveCache = saveCache4;
+    exports2.saveCache = saveCache5;
    var core15 = __importStar2(require_core());
    var http_client_1 = require_lib();
    var auth_1 = require_auth();
@@ -75455,7 +75455,7 @@ Other caches with similar key:`);
        }));
      });
    }
-    function saveCache4(cacheId, archivePath, signedUploadURL, options) {
+    function saveCache5(cacheId, archivePath, signedUploadURL, options) {
      return __awaiter2(this, void 0, void 0, function* () {
        const uploadOptions = (0, options_1.getUploadOptions)(options);
        if (uploadOptions.useAzureSdk) {
@@ -80955,8 +80955,8 @@ var require_cache4 = __commonJS({
    Object.defineProperty(exports2, "__esModule", { value: true });
    exports2.FinalizeCacheError = exports2.ReserveCacheError = exports2.ValidationError = void 0;
    exports2.isFeatureAvailable = isFeatureAvailable;
-    exports2.restoreCache = restoreCache4;
-    exports2.saveCache = saveCache4;
+    exports2.restoreCache = restoreCache5;
+    exports2.saveCache = saveCache5;
    var core15 = __importStar2(require_core());
    var path9 = __importStar2(require("path"));
    var utils = __importStar2(require_cacheUtils());
@@ -81013,7 +81013,7 @@ var require_cache4 = __commonJS({
          return !!process.env["ACTIONS_CACHE_URL"];
      }
    }
-    function restoreCache4(paths_1, primaryKey_1, restoreKeys_1, options_1) {
+    function restoreCache5(paths_1, primaryKey_1, restoreKeys_1, options_1) {
      return __awaiter2(this, arguments, void 0, function* (paths, primaryKey, restoreKeys, options, enableCrossOsArchive = false) {
        const cacheServiceVersion = (0, config_1.getCacheServiceVersion)();
        core15.debug(`Cache service version: ${cacheServiceVersion}`);
@@ -81157,7 +81157,7 @@ var require_cache4 = __commonJS({
        return void 0;
      });
    }
-    function saveCache4(paths_1, key_1, options_1) {
+    function saveCache5(paths_1, key_1, options_1) {
      return __awaiter2(this, arguments, void 0, function* (paths, key, options, enableCrossOsArchive = false) {
        const cacheServiceVersion = (0, config_1.getCacheServiceVersion)();
        core15.debug(`Cache service version: ${cacheServiceVersion}`);
@@ -81394,7 +81394,7 @@ var require_manifest = __commonJS({
    exports2._findMatch = _findMatch;
    exports2._getOsVersion = _getOsVersion;
    exports2._readLinuxVersionFile = _readLinuxVersionFile;
-    var semver9 = __importStar2(require_semver2());
+    var semver10 = __importStar2(require_semver2());
    var core_1 = require_core();
    var os2 = require("os");
    var cp = require("child_process");
@@ -81408,7 +81408,7 @@ var require_manifest = __commonJS({
        for (const candidate of candidates) {
          const version = candidate.version;
          (0, core_1.debug)(`check ${version} satisfies ${versionSpec}`);
-          if (semver9.satisfies(version, versionSpec) && (!stable || candidate.stable === stable)) {
+          if (semver10.satisfies(version, versionSpec) && (!stable || candidate.stable === stable)) {
            file = candidate.files.find((item) => {
              (0, core_1.debug)(`${item.arch}===${archFilter} && ${item.platform}===${platFilter}`);
              let chk = item.arch === archFilter && item.platform === platFilter;
@@ -81417,7 +81417,7 @@ var require_manifest = __commonJS({
                if (osVersion === item.platform_version) {
                  chk = true;
                } else {
-                  chk = semver9.satisfies(osVersion, item.platform_version);
+                  chk = semver10.satisfies(osVersion, item.platform_version);
                }
              }
              return chk;
@@ -81677,7 +81677,7 @@ var require_tool_cache = __commonJS({
    var os2 = __importStar2(require("os"));
    var path9 = __importStar2(require("path"));
    var httpm = __importStar2(require_lib());
-    var semver9 = __importStar2(require_semver2());
+    var semver10 = __importStar2(require_semver2());
    var stream = __importStar2(require("stream"));
    var util = __importStar2(require("util"));
    var assert_1 = require("assert");
@@ -81950,7 +81950,7 @@ var require_tool_cache = __commonJS({
    }
    function cacheDir(sourceDir, tool, version, arch) {
      return __awaiter2(this, void 0, void 0, function* () {
-        version = semver9.clean(version) || version;
+        version = semver10.clean(version) || version;
        arch = arch || os2.arch();
        core15.debug(`Caching tool ${tool} ${version} ${arch}`);
        core15.debug(`source dir: ${sourceDir}`);
@@ -81968,7 +81968,7 @@ var require_tool_cache = __commonJS({
    }
    function cacheFile(sourceFile, targetFile, tool, version, arch) {
      return __awaiter2(this, void 0, void 0, function* () {
-        version = semver9.clean(version) || version;
+        version = semver10.clean(version) || version;
        arch = arch || os2.arch();
        core15.debug(`Caching tool ${tool} ${version} ${arch}`);
        core15.debug(`source file: ${sourceFile}`);
@@ -81998,7 +81998,7 @@ var require_tool_cache = __commonJS({
      }
      let toolPath = "";
      if (versionSpec) {
-        versionSpec = semver9.clean(versionSpec) || "";
+        versionSpec = semver10.clean(versionSpec) || "";
        const cachePath = path9.join(_getCacheDirectory(), toolName, versionSpec, arch);
        core15.debug(`checking cache: ${cachePath}`);
        if (fs9.existsSync(cachePath) && fs9.existsSync(`${cachePath}.complete`)) {
@@ -82078,7 +82078,7 @@ var require_tool_cache = __commonJS({
    }
    function _createToolPath(tool, version, arch) {
      return __awaiter2(this, void 0, void 0, function* () {
-        const folderPath = path9.join(_getCacheDirectory(), tool, semver9.clean(version) || version, arch || "");
+        const folderPath = path9.join(_getCacheDirectory(), tool, semver10.clean(version) || version, arch || "");
        core15.debug(`destination ${folderPath}`);
        const markerPath = `${folderPath}.complete`;
        yield io6.rmRF(folderPath);
@@ -82088,30 +82088,30 @@ var require_tool_cache = __commonJS({
      });
    }
    function _completeToolPath(tool, version, arch) {
-      const folderPath = path9.join(_getCacheDirectory(), tool, semver9.clean(version) || version, arch || "");
+      const folderPath = path9.join(_getCacheDirectory(), tool, semver10.clean(version) || version, arch || "");
      const markerPath = `${folderPath}.complete`;
      fs9.writeFileSync(markerPath, "");
      core15.debug("finished caching tool");
    }
    function isExplicitVersion(versionSpec) {
-      const c = semver9.clean(versionSpec) || "";
+      const c = semver10.clean(versionSpec) || "";
      core15.debug(`isExplicit: ${c}`);
-      const valid3 = semver9.valid(c) != null;
-      core15.debug(`explicit? ${valid3}`);
-      return valid3;
+      const valid4 = semver10.valid(c) != null;
+      core15.debug(`explicit? ${valid4}`);
+      return valid4;
    }
    function evaluateVersions(versions, versionSpec) {
      let version = "";
      core15.debug(`evaluating ${versions.length} versions`);
      versions = versions.sort((a, b) => {
-        if (semver9.gt(a, b)) {
+        if (semver10.gt(a, b)) {
          return 1;
        }
        return -1;
      });
      for (let i = versions.length - 1; i >= 0; i--) {
        const potential = versions[i];
-        const satisfied = semver9.satisfies(potential, versionSpec);
+        const satisfied = semver10.satisfies(potential, versionSpec);
        if (satisfied) {
          version = potential;
          break;
@@ -89825,7 +89825,7 @@ var require_stream_writable = __commonJS({
      pna.nextTick(cb, er);
    }
    function validChunk(stream, state, chunk, cb) {
-      var valid3 = true;
+      var valid4 = true;
      var er = false;
      if (chunk === null) {
        er = new TypeError("May not write null values to stream");
@@ -89835,9 +89835,9 @@ var require_stream_writable = __commonJS({
      if (er) {
        stream.emit("error", er);
        pna.nextTick(cb, er);
-        valid3 = false;
+        valid4 = false;
      }
-      return valid3;
+      return valid4;
    }
    Writable.prototype.write = function(chunk, encoding, cb) {
      var state = this._writableState;
@@ -126877,7 +126877,7 @@ function getDiffRangesJsonFilePath() {
  return path2.join(getTemporaryDirectory(), PR_DIFF_RANGE_JSON_FILENAME);
 }
 function getActionVersion() {
-  return "4.35.4";
+  return "4.35.5";
 }
 function getWorkflowEventName() {
  return getRequiredEnvParam("GITHUB_EVENT_NAME");
@@ -127883,6 +127883,16 @@ var featureConfig = {
    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_DISABLE_TRAP_CACHING",
    minimumVersion: void 0
  },
+  ["overlay_analysis_match_codeql_version" /* OverlayAnalysisMatchCodeqlVersion */]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_MATCH_CODEQL_VERSION",
+    minimumVersion: void 0
+  },
+  ["overlay_analysis_match_codeql_version_dry_run" /* OverlayAnalysisMatchCodeqlVersionDryRun */]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_MATCH_CODEQL_VERSION_DRY_RUN",
+    minimumVersion: void 0
+  },
  ["overlay_analysis_resource_checks_v2" /* OverlayAnalysisResourceChecksV2 */]: {
    defaultValue: false,
    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_RESOURCE_CHECKS_V2",
@@ -128044,20 +128054,26 @@ function appendExtraQueryExclusions(extraQueryExclusions, cliConfig) {
 // src/setup-codeql.ts
 var toolcache3 = __toESM(require_tool_cache());
 var import_fast_deep_equal = __toESM(require_fast_deep_equal());
-var semver8 = __toESM(require_semver2());
+var semver9 = __toESM(require_semver2());
+
+// src/overlay/caching.ts
+var actionsCache3 = __toESM(require_cache4());
+var semver6 = __toESM(require_semver2());
+var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB = 7500;
+var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_BYTES = OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB * 1e6;

 // src/tar.ts
 var import_toolrunner = __toESM(require_toolrunner());
 var io4 = __toESM(require_io());
 var toolcache = __toESM(require_tool_cache());
-var semver6 = __toESM(require_semver2());
+var semver7 = __toESM(require_semver2());

 // src/tools-download.ts
 var core10 = __toESM(require_core());
 var import_http_client = __toESM(require_lib());
 var toolcache2 = __toESM(require_tool_cache());
 var import_follow_redirects = __toESM(require_follow_redirects());
-var semver7 = __toESM(require_semver2());
+var semver8 = __toESM(require_semver2());
 var STREAMING_HIGH_WATERMARK_BYTES = 4 * 1024 * 1024;

 // src/tracer-config.ts
@@ -128654,7 +128670,7 @@ var core12 = __toESM(require_core());

 // src/dependency-caching.ts
 var import_path = require("path");
-var actionsCache3 = __toESM(require_cache4());
+var actionsCache4 = __toESM(require_cache4());
 var glob = __toESM(require_glob());
 function getJavaTempDependencyDir() {
  return (0, import_path.join)(getTemporaryDirectory(), "codeql_java", "repository");
@@ -128728,6 +128744,9 @@ async function scanArchiveFile(archivePath, relativeArchivePath, extractDir, log
      `Maximum archive extraction depth (${MAX_DEPTH}) reached for ${archivePath}`
    );
  }
+  if (process.platform === "win32") {
+    throw new Error("Scanning archives is not supported on Windows.");
+  }
  const result = {
    scannedFiles: 0,
    findings: []
@@ -26352,11 +26352,11 @@ var require_valid = __commonJS({
  "node_modules/semver/functions/valid.js"(exports2, module2) {
    "use strict";
    var parse2 = require_parse2();
-    var valid3 = (version, options) => {
+    var valid4 = (version, options) => {
      const v = parse2(version, options);
      return v ? v.version : null;
    };
-    module2.exports = valid3;
+    module2.exports = valid4;
  }
 });

@@ -26499,8 +26499,8 @@ var require_rcompare = __commonJS({
  "node_modules/semver/functions/rcompare.js"(exports2, module2) {
    "use strict";
    var compare2 = require_compare();
-    var rcompare = (a, b, loose) => compare2(b, a, loose);
-    module2.exports = rcompare;
+    var rcompare3 = (a, b, loose) => compare2(b, a, loose);
+    module2.exports = rcompare3;
  }
 });

@@ -27716,7 +27716,7 @@ var require_semver2 = __commonJS({
    var SemVer = require_semver();
    var identifiers = require_identifiers();
    var parse2 = require_parse2();
-    var valid3 = require_valid();
+    var valid4 = require_valid();
    var clean3 = require_clean();
    var inc = require_inc();
    var diff = require_diff();
@@ -27725,7 +27725,7 @@ var require_semver2 = __commonJS({
    var patch = require_patch();
    var prerelease = require_prerelease();
    var compare2 = require_compare();
-    var rcompare = require_rcompare();
+    var rcompare3 = require_rcompare();
    var compareLoose = require_compare_loose();
    var compareBuild = require_compare_build();
    var sort = require_sort();
@@ -27754,7 +27754,7 @@ var require_semver2 = __commonJS({
    var subset = require_subset();
    module2.exports = {
      parse: parse2,
-      valid: valid3,
+      valid: valid4,
      clean: clean3,
      inc,
      diff,
@@ -27763,7 +27763,7 @@ var require_semver2 = __commonJS({
      patch,
      prerelease,
      compare: compare2,
-      rcompare,
+      rcompare: rcompare3,
      compareLoose,
      compareBuild,
      sort,
@@ -29553,16 +29553,16 @@ var require_attribute = __commonJS({
      var result = new ValidatorResult(instance, schema2, options, ctx);
      var self2 = this;
      schema2.allOf.forEach(function(v, i) {
-        var valid3 = self2.validateSchema(instance, v, options, ctx);
-        if (!valid3.valid) {
+        var valid4 = self2.validateSchema(instance, v, options, ctx);
+        if (!valid4.valid) {
          var id = v.$id || v.id;
          var msg = id || v.title && JSON.stringify(v.title) || v["$ref"] && "<" + v["$ref"] + ">" || "[subschema " + i + "]";
          result.addError({
            name: "allOf",
-            argument: { id: msg, length: valid3.errors.length, valid: valid3 },
-            message: "does not match allOf schema " + msg + " with " + valid3.errors.length + " error[s]:"
+            argument: { id: msg, length: valid4.errors.length, valid: valid4 },
+            message: "does not match allOf schema " + msg + " with " + valid4.errors.length + " error[s]:"
          });
-          result.importErrors(valid3);
+          result.importErrors(valid4);
        }
      });
      return result;
@@ -29851,8 +29851,8 @@ var require_attribute = __commonJS({
      if (typeof schema2.exclusiveMinimum === "boolean") return;
      if (!this.types.number(instance)) return;
      var result = new ValidatorResult(instance, schema2, options, ctx);
-      var valid3 = instance > schema2.exclusiveMinimum;
-      if (!valid3) {
+      var valid4 = instance > schema2.exclusiveMinimum;
+      if (!valid4) {
        result.addError({
          name: "exclusiveMinimum",
          argument: schema2.exclusiveMinimum,
@@ -29865,8 +29865,8 @@ var require_attribute = __commonJS({
      if (typeof schema2.exclusiveMaximum === "boolean") return;
      if (!this.types.number(instance)) return;
      var result = new ValidatorResult(instance, schema2, options, ctx);
-      var valid3 = instance < schema2.exclusiveMaximum;
-      if (!valid3) {
+      var valid4 = instance < schema2.exclusiveMaximum;
+      if (!valid4) {
        result.addError({
          name: "exclusiveMaximum",
          argument: schema2.exclusiveMaximum,
@@ -32649,8 +32649,8 @@ var require_semver3 = __commonJS({
        return null;
      }
    }
-    exports2.valid = valid3;
-    function valid3(version, options) {
+    exports2.valid = valid4;
+    function valid4(version, options) {
      var v = parse2(version, options);
      return v ? v.version : null;
    }
@@ -32950,8 +32950,8 @@ var require_semver3 = __commonJS({
      var versionB = new SemVer(b, loose);
      return versionA.compare(versionB) || versionA.compareBuild(versionB);
    }
-    exports2.rcompare = rcompare;
-    function rcompare(a, b, loose) {
+    exports2.rcompare = rcompare3;
+    function rcompare3(a, b, loose) {
      return compare2(b, a, loose);
    }
    exports2.sort = sort;
@@ -33779,7 +33779,7 @@ var require_cacheUtils = __commonJS({
    var crypto2 = __importStar2(require("crypto"));
    var fs8 = __importStar2(require("fs"));
    var path9 = __importStar2(require("path"));
-    var semver9 = __importStar2(require_semver3());
+    var semver10 = __importStar2(require_semver3());
    var util = __importStar2(require("util"));
    var constants_1 = require_constants7();
    var versionSalt = "1.0";
@@ -33872,7 +33872,7 @@ var require_cacheUtils = __commonJS({
    function getCompressionMethod() {
      return __awaiter2(this, void 0, void 0, function* () {
        const versionOutput = yield getVersion("zstd", ["--quiet"]);
-        const version = semver9.clean(versionOutput);
+        const version = semver10.clean(versionOutput);
        core15.debug(`zstd version: ${version}`);
        if (versionOutput === "") {
          return constants_1.CompressionMethod.Gzip;
@@ -75278,7 +75278,7 @@ var require_cacheHttpClient = __commonJS({
    exports2.getCacheEntry = getCacheEntry;
    exports2.downloadCache = downloadCache;
    exports2.reserveCache = reserveCache;
-    exports2.saveCache = saveCache3;
+    exports2.saveCache = saveCache4;
    var core15 = __importStar2(require_core());
    var http_client_1 = require_lib();
    var auth_1 = require_auth();
@@ -75455,7 +75455,7 @@ Other caches with similar key:`);
        }));
      });
    }
-    function saveCache3(cacheId, archivePath, signedUploadURL, options) {
+    function saveCache4(cacheId, archivePath, signedUploadURL, options) {
      return __awaiter2(this, void 0, void 0, function* () {
        const uploadOptions = (0, options_1.getUploadOptions)(options);
        if (uploadOptions.useAzureSdk) {
@@ -80955,8 +80955,8 @@ var require_cache4 = __commonJS({
    Object.defineProperty(exports2, "__esModule", { value: true });
    exports2.FinalizeCacheError = exports2.ReserveCacheError = exports2.ValidationError = void 0;
    exports2.isFeatureAvailable = isFeatureAvailable;
-    exports2.restoreCache = restoreCache3;
-    exports2.saveCache = saveCache3;
+    exports2.restoreCache = restoreCache4;
+    exports2.saveCache = saveCache4;
    var core15 = __importStar2(require_core());
    var path9 = __importStar2(require("path"));
    var utils = __importStar2(require_cacheUtils());
@@ -81013,7 +81013,7 @@ var require_cache4 = __commonJS({
          return !!process.env["ACTIONS_CACHE_URL"];
      }
    }
-    function restoreCache3(paths_1, primaryKey_1, restoreKeys_1, options_1) {
+    function restoreCache4(paths_1, primaryKey_1, restoreKeys_1, options_1) {
      return __awaiter2(this, arguments, void 0, function* (paths, primaryKey, restoreKeys, options, enableCrossOsArchive = false) {
        const cacheServiceVersion = (0, config_1.getCacheServiceVersion)();
        core15.debug(`Cache service version: ${cacheServiceVersion}`);
@@ -81157,7 +81157,7 @@ var require_cache4 = __commonJS({
        return void 0;
      });
    }
-    function saveCache3(paths_1, key_1, options_1) {
+    function saveCache4(paths_1, key_1, options_1) {
      return __awaiter2(this, arguments, void 0, function* (paths, key, options, enableCrossOsArchive = false) {
        const cacheServiceVersion = (0, config_1.getCacheServiceVersion)();
        core15.debug(`Cache service version: ${cacheServiceVersion}`);
@@ -81394,7 +81394,7 @@ var require_manifest = __commonJS({
    exports2._findMatch = _findMatch;
    exports2._getOsVersion = _getOsVersion;
    exports2._readLinuxVersionFile = _readLinuxVersionFile;
-    var semver9 = __importStar2(require_semver2());
+    var semver10 = __importStar2(require_semver2());
    var core_1 = require_core();
    var os2 = require("os");
    var cp = require("child_process");
@@ -81408,7 +81408,7 @@ var require_manifest = __commonJS({
        for (const candidate of candidates) {
          const version = candidate.version;
          (0, core_1.debug)(`check ${version} satisfies ${versionSpec}`);
-          if (semver9.satisfies(version, versionSpec) && (!stable || candidate.stable === stable)) {
+          if (semver10.satisfies(version, versionSpec) && (!stable || candidate.stable === stable)) {
            file = candidate.files.find((item) => {
              (0, core_1.debug)(`${item.arch}===${archFilter} && ${item.platform}===${platFilter}`);
              let chk = item.arch === archFilter && item.platform === platFilter;
@@ -81417,7 +81417,7 @@ var require_manifest = __commonJS({
                if (osVersion === item.platform_version) {
                  chk = true;
                } else {
-                  chk = semver9.satisfies(osVersion, item.platform_version);
+                  chk = semver10.satisfies(osVersion, item.platform_version);
                }
              }
              return chk;
@@ -81677,7 +81677,7 @@ var require_tool_cache = __commonJS({
    var os2 = __importStar2(require("os"));
    var path9 = __importStar2(require("path"));
    var httpm = __importStar2(require_lib());
-    var semver9 = __importStar2(require_semver2());
+    var semver10 = __importStar2(require_semver2());
    var stream = __importStar2(require("stream"));
    var util = __importStar2(require("util"));
    var assert_1 = require("assert");
@@ -81950,7 +81950,7 @@ var require_tool_cache = __commonJS({
    }
    function cacheDir(sourceDir, tool, version, arch) {
      return __awaiter2(this, void 0, void 0, function* () {
-        version = semver9.clean(version) || version;
+        version = semver10.clean(version) || version;
        arch = arch || os2.arch();
        core15.debug(`Caching tool ${tool} ${version} ${arch}`);
        core15.debug(`source dir: ${sourceDir}`);
@@ -81968,7 +81968,7 @@ var require_tool_cache = __commonJS({
    }
    function cacheFile(sourceFile, targetFile, tool, version, arch) {
      return __awaiter2(this, void 0, void 0, function* () {
-        version = semver9.clean(version) || version;
+        version = semver10.clean(version) || version;
        arch = arch || os2.arch();
        core15.debug(`Caching tool ${tool} ${version} ${arch}`);
        core15.debug(`source file: ${sourceFile}`);
@@ -81998,7 +81998,7 @@ var require_tool_cache = __commonJS({
      }
      let toolPath = "";
      if (versionSpec) {
-        versionSpec = semver9.clean(versionSpec) || "";
+        versionSpec = semver10.clean(versionSpec) || "";
        const cachePath = path9.join(_getCacheDirectory(), toolName, versionSpec, arch);
        core15.debug(`checking cache: ${cachePath}`);
        if (fs8.existsSync(cachePath) && fs8.existsSync(`${cachePath}.complete`)) {
@@ -82078,7 +82078,7 @@ var require_tool_cache = __commonJS({
    }
    function _createToolPath(tool, version, arch) {
      return __awaiter2(this, void 0, void 0, function* () {
-        const folderPath = path9.join(_getCacheDirectory(), tool, semver9.clean(version) || version, arch || "");
+        const folderPath = path9.join(_getCacheDirectory(), tool, semver10.clean(version) || version, arch || "");
        core15.debug(`destination ${folderPath}`);
        const markerPath = `${folderPath}.complete`;
        yield io5.rmRF(folderPath);
@@ -82088,30 +82088,30 @@ var require_tool_cache = __commonJS({
      });
    }
    function _completeToolPath(tool, version, arch) {
-      const folderPath = path9.join(_getCacheDirectory(), tool, semver9.clean(version) || version, arch || "");
+      const folderPath = path9.join(_getCacheDirectory(), tool, semver10.clean(version) || version, arch || "");
      const markerPath = `${folderPath}.complete`;
      fs8.writeFileSync(markerPath, "");
      core15.debug("finished caching tool");
    }
    function isExplicitVersion(versionSpec) {
-      const c = semver9.clean(versionSpec) || "";
+      const c = semver10.clean(versionSpec) || "";
      core15.debug(`isExplicit: ${c}`);
-      const valid3 = semver9.valid(c) != null;
-      core15.debug(`explicit? ${valid3}`);
-      return valid3;
+      const valid4 = semver10.valid(c) != null;
+      core15.debug(`explicit? ${valid4}`);
+      return valid4;
    }
    function evaluateVersions(versions, versionSpec) {
      let version = "";
      core15.debug(`evaluating ${versions.length} versions`);
      versions = versions.sort((a, b) => {
-        if (semver9.gt(a, b)) {
+        if (semver10.gt(a, b)) {
          return 1;
        }
        return -1;
      });
      for (let i = versions.length - 1; i >= 0; i--) {
        const potential = versions[i];
-        const satisfied = semver9.satisfies(potential, versionSpec);
+        const satisfied = semver10.satisfies(potential, versionSpec);
        if (satisfied) {
          version = potential;
          break;
@@ -85608,7 +85608,7 @@ function getDiffRangesJsonFilePath() {
  return path2.join(getTemporaryDirectory(), PR_DIFF_RANGE_JSON_FILENAME);
 }
 function getActionVersion() {
-  return "4.35.4";
+  return "4.35.5";
 }
 function getWorkflowEventName() {
  return getRequiredEnvParam("GITHUB_EVENT_NAME");
@@ -86538,6 +86538,10 @@ function isSupportedToolsFeature(versionInfo, feature) {
 // src/feature-flags.ts
 var DEFAULT_VERSION_FEATURE_FLAG_PREFIX = "default_codeql_version_";
 var DEFAULT_VERSION_FEATURE_FLAG_SUFFIX = "_enabled";
+var LINKED_CODEQL_VERSION = {
+  cliVersion,
+  tagName: bundleVersion
+};
 var featureConfig = {
  ["allow_toolcache_input" /* AllowToolcacheInput */]: {
    defaultValue: false,
@@ -86692,6 +86696,16 @@ var featureConfig = {
    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_DISABLE_TRAP_CACHING",
    minimumVersion: void 0
  },
+  ["overlay_analysis_match_codeql_version" /* OverlayAnalysisMatchCodeqlVersion */]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_MATCH_CODEQL_VERSION",
+    minimumVersion: void 0
+  },
+  ["overlay_analysis_match_codeql_version_dry_run" /* OverlayAnalysisMatchCodeqlVersionDryRun */]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_MATCH_CODEQL_VERSION_DRY_RUN",
+    minimumVersion: void 0
+  },
  ["overlay_analysis_resource_checks_v2" /* OverlayAnalysisResourceChecksV2 */]: {
    defaultValue: false,
    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_RESOURCE_CHECKS_V2",
@@ -86752,10 +86766,9 @@ var OfflineFeatures = class {
    this.logger = logger;
  }
  logger;
-  async getDefaultCliVersion(_variant) {
+  async getEnabledDefaultCliVersions(_variant) {
    return {
-      cliVersion,
-      tagName: bundleVersion
+      enabledVersions: [LINKED_CODEQL_VERSION]
    };
  }
  /**
@@ -86860,11 +86873,11 @@ var Features = class extends OfflineFeatures {
      logger
    );
  }
-  async getDefaultCliVersion(variant) {
+  async getEnabledDefaultCliVersions(variant) {
    if (supportsFeatureFlags(variant)) {
-      return await this.gitHubFeatureFlags.getDefaultCliVersionFromFlags();
+      return await this.gitHubFeatureFlags.getEnabledDefaultCliVersionsFromFlags();
    }
-    return super.getDefaultCliVersion(variant);
+    return super.getEnabledDefaultCliVersions(variant);
  }
  /**
   *
@@ -86923,34 +86936,36 @@ var GitHubFeatureFlags = class {
    }
    return version;
  }
-  async getDefaultCliVersionFromFlags() {
+  /**
+   * Returns CLI versions enabled by `default_codeql_version_*_enabled` feature
+   * flags, sorted from highest to lowest. Falls back to the version pinned in
+   * `defaults.json` if no such flags are enabled.
+   */
+  async getEnabledDefaultCliVersionsFromFlags() {
    const response = await this.getAllFeatures();
-    const enabledFeatureFlagCliVersions = Object.entries(response).map(
+    const sortedCliVersions = Object.entries(response).map(
      ([f, isEnabled]) => isEnabled ? this.getCliVersionFromFeatureFlag(f) : void 0
-    ).filter((f) => f !== void 0);
-    if (enabledFeatureFlagCliVersions.length === 0) {
+    ).filter((f) => f !== void 0).sort(semver5.rcompare);
+    if (sortedCliVersions.length === 0) {
      this.logger.warning(
        `Feature flags do not specify a default CLI version. Falling back to the CLI version shipped with the Action. This is ${cliVersion}.`
      );
      const result = {
-        cliVersion,
-        tagName: bundleVersion
+        enabledVersions: [LINKED_CODEQL_VERSION]
      };
      if (this.hasAccessedRemoteFeatureFlags) {
        result.toolsFeatureFlagsValid = false;
      }
      return result;
    }
-    const maxCliVersion = enabledFeatureFlagCliVersions.reduce(
-      (maxVersion, currentVersion) => currentVersion > maxVersion ? currentVersion : maxVersion,
-      enabledFeatureFlagCliVersions[0]
-    );
    this.logger.debug(
-      `Derived default CLI version of ${maxCliVersion} from feature flags.`
+      `Derived default CLI version of ${sortedCliVersions[0]} from feature flags.`
    );
    return {
-      cliVersion: maxCliVersion,
-      tagName: `codeql-bundle-v${maxCliVersion}`,
+      enabledVersions: sortedCliVersions.map((cliVersion2) => ({
+        cliVersion: cliVersion2,
+        tagName: `codeql-bundle-v${cliVersion2}`
+      })),
      toolsFeatureFlagsValid: true
    };
  }
@@ -87180,20 +87195,26 @@ function appendExtraQueryExclusions(extraQueryExclusions, cliConfig) {
 // src/setup-codeql.ts
 var toolcache3 = __toESM(require_tool_cache());
 var import_fast_deep_equal = __toESM(require_fast_deep_equal());
-var semver8 = __toESM(require_semver2());
+var semver9 = __toESM(require_semver2());
+
+// src/overlay/caching.ts
+var actionsCache3 = __toESM(require_cache4());
+var semver6 = __toESM(require_semver2());
+var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB = 7500;
+var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_BYTES = OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB * 1e6;

 // src/tar.ts
 var import_toolrunner = __toESM(require_toolrunner());
 var io4 = __toESM(require_io());
 var toolcache = __toESM(require_tool_cache());
-var semver6 = __toESM(require_semver2());
+var semver7 = __toESM(require_semver2());

 // src/tools-download.ts
 var core10 = __toESM(require_core());
 var import_http_client = __toESM(require_lib());
 var toolcache2 = __toESM(require_tool_cache());
 var import_follow_redirects = __toESM(require_follow_redirects());
-var semver7 = __toESM(require_semver2());
+var semver8 = __toESM(require_semver2());
 var STREAMING_HIGH_WATERMARK_BYTES = 4 * 1024 * 1024;

 // src/tracer-config.ts
@@ -26499,8 +26499,8 @@ var require_rcompare = __commonJS({
  "node_modules/semver/functions/rcompare.js"(exports2, module2) {
    "use strict";
    var compare2 = require_compare();
-    var rcompare2 = (a, b, loose) => compare2(b, a, loose);
-    module2.exports = rcompare2;
+    var rcompare3 = (a, b, loose) => compare2(b, a, loose);
+    module2.exports = rcompare3;
  }
 });

@@ -27725,7 +27725,7 @@ var require_semver2 = __commonJS({
    var patch = require_patch();
    var prerelease = require_prerelease();
    var compare2 = require_compare();
-    var rcompare2 = require_rcompare();
+    var rcompare3 = require_rcompare();
    var compareLoose = require_compare_loose();
    var compareBuild = require_compare_build();
    var sort = require_sort();
@@ -27763,7 +27763,7 @@ var require_semver2 = __commonJS({
      patch,
      prerelease,
      compare: compare2,
-      rcompare: rcompare2,
+      rcompare: rcompare3,
      compareLoose,
      compareBuild,
      sort,
@@ -33101,8 +33101,8 @@ var require_semver3 = __commonJS({
      var versionB = new SemVer(b, loose);
      return versionA.compare(versionB) || versionA.compareBuild(versionB);
    }
-    exports2.rcompare = rcompare2;
-    function rcompare2(a, b, loose) {
+    exports2.rcompare = rcompare3;
+    function rcompare3(a, b, loose) {
      return compare2(b, a, loose);
    }
    exports2.sort = sort;
@@ -86162,7 +86162,7 @@ function getDiffRangesJsonFilePath() {
  return path2.join(getTemporaryDirectory(), PR_DIFF_RANGE_JSON_FILENAME);
 }
 function getActionVersion() {
-  return "4.35.4";
+  return "4.35.5";
 }
 function getWorkflowEventName() {
  return getRequiredEnvParam("GITHUB_EVENT_NAME");
@@ -86358,11 +86358,11 @@ function isAnalyzingPullRequest() {
 }

 // src/analyses.ts
-var AnalysisKind = /* @__PURE__ */ ((AnalysisKind3) => {
-  AnalysisKind3["CodeScanning"] = "code-scanning";
-  AnalysisKind3["CodeQuality"] = "code-quality";
-  AnalysisKind3["RiskAssessment"] = "risk-assessment";
-  return AnalysisKind3;
+var AnalysisKind = /* @__PURE__ */ ((AnalysisKind2) => {
+  AnalysisKind2["CodeScanning"] = "code-scanning";
+  AnalysisKind2["CodeQuality"] = "code-quality";
+  AnalysisKind2["RiskAssessment"] = "risk-assessment";
+  return AnalysisKind2;
 })(AnalysisKind || {});
 var compatibilityMatrix = {
  ["code-scanning" /* CodeScanning */]: /* @__PURE__ */ new Set(["code-quality" /* CodeQuality */]),
@@ -86638,6 +86638,18 @@ function computeAutomationID(analysis_key, environment) {
  }
  return automationID;
 }
+async function listActionsCaches(keyPrefix, ref) {
+  const repositoryNwo = getRepositoryNwo();
+  return await getApiClient().paginate(
+    "GET /repos/{owner}/{repo}/actions/caches",
+    {
+      owner: repositoryNwo.owner,
+      repo: repositoryNwo.repo,
+      key: keyPrefix,
+      ref
+    }
+  );
+}
 async function getRepositoryProperties(repositoryNwo) {
  return getApiClient().request("GET /repos/:owner/:repo/properties/values", {
    owner: repositoryNwo.owner,
@@ -87643,6 +87655,10 @@ function isSupportedToolsFeature(versionInfo, feature) {
 var DEFAULT_VERSION_FEATURE_FLAG_PREFIX = "default_codeql_version_";
 var DEFAULT_VERSION_FEATURE_FLAG_SUFFIX = "_enabled";
 var CODEQL_VERSION_ZSTD_BUNDLE = "2.19.0";
+var LINKED_CODEQL_VERSION = {
+  cliVersion,
+  tagName: bundleVersion
+};
 var featureConfig = {
  ["allow_toolcache_input" /* AllowToolcacheInput */]: {
    defaultValue: false,
@@ -87797,6 +87813,16 @@ var featureConfig = {
    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_DISABLE_TRAP_CACHING",
    minimumVersion: void 0
  },
+  ["overlay_analysis_match_codeql_version" /* OverlayAnalysisMatchCodeqlVersion */]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_MATCH_CODEQL_VERSION",
+    minimumVersion: void 0
+  },
+  ["overlay_analysis_match_codeql_version_dry_run" /* OverlayAnalysisMatchCodeqlVersionDryRun */]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_MATCH_CODEQL_VERSION_DRY_RUN",
+    minimumVersion: void 0
+  },
  ["overlay_analysis_resource_checks_v2" /* OverlayAnalysisResourceChecksV2 */]: {
    defaultValue: false,
    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_RESOURCE_CHECKS_V2",
@@ -87857,10 +87883,9 @@ var OfflineFeatures = class {
    this.logger = logger;
  }
  logger;
-  async getDefaultCliVersion(_variant) {
+  async getEnabledDefaultCliVersions(_variant) {
    return {
-      cliVersion,
-      tagName: bundleVersion
+      enabledVersions: [LINKED_CODEQL_VERSION]
    };
  }
  /**
@@ -87965,11 +87990,11 @@ var Features = class extends OfflineFeatures {
      logger
    );
  }
-  async getDefaultCliVersion(variant) {
+  async getEnabledDefaultCliVersions(variant) {
    if (supportsFeatureFlags(variant)) {
-      return await this.gitHubFeatureFlags.getDefaultCliVersionFromFlags();
+      return await this.gitHubFeatureFlags.getEnabledDefaultCliVersionsFromFlags();
    }
-    return super.getDefaultCliVersion(variant);
+    return super.getEnabledDefaultCliVersions(variant);
  }
  /**
   *
@@ -88028,34 +88053,36 @@ var GitHubFeatureFlags = class {
    }
    return version;
  }
-  async getDefaultCliVersionFromFlags() {
+  /**
+   * Returns CLI versions enabled by `default_codeql_version_*_enabled` feature
+   * flags, sorted from highest to lowest. Falls back to the version pinned in
+   * `defaults.json` if no such flags are enabled.
+   */
+  async getEnabledDefaultCliVersionsFromFlags() {
    const response = await this.getAllFeatures();
-    const enabledFeatureFlagCliVersions = Object.entries(response).map(
+    const sortedCliVersions = Object.entries(response).map(
      ([f, isEnabled]) => isEnabled ? this.getCliVersionFromFeatureFlag(f) : void 0
-    ).filter((f) => f !== void 0);
-    if (enabledFeatureFlagCliVersions.length === 0) {
+    ).filter((f) => f !== void 0).sort(semver5.rcompare);
+    if (sortedCliVersions.length === 0) {
      this.logger.warning(
        `Feature flags do not specify a default CLI version. Falling back to the CLI version shipped with the Action. This is ${cliVersion}.`
      );
      const result = {
-        cliVersion,
-        tagName: bundleVersion
+        enabledVersions: [LINKED_CODEQL_VERSION]
      };
      if (this.hasAccessedRemoteFeatureFlags) {
        result.toolsFeatureFlagsValid = false;
      }
      return result;
    }
-    const maxCliVersion = enabledFeatureFlagCliVersions.reduce(
-      (maxVersion, currentVersion) => currentVersion > maxVersion ? currentVersion : maxVersion,
-      enabledFeatureFlagCliVersions[0]
-    );
    this.logger.debug(
-      `Derived default CLI version of ${maxCliVersion} from feature flags.`
+      `Derived default CLI version of ${sortedCliVersions[0]} from feature flags.`
    );
    return {
-      cliVersion: maxCliVersion,
-      tagName: `codeql-bundle-v${maxCliVersion}`,
+      enabledVersions: sortedCliVersions.map((cliVersion2) => ({
+        cliVersion: cliVersion2,
+        tagName: `codeql-bundle-v${cliVersion2}`
+      })),
      toolsFeatureFlagsValid: true
    };
  }
@@ -88361,6 +88388,17 @@ var BuiltInLanguage = /* @__PURE__ */ ((BuiltInLanguage2) => {
  return BuiltInLanguage2;
 })(BuiltInLanguage || {});
 var builtInLanguageSet = new Set(builtin_default.languages);
+function isBuiltInLanguage(language) {
+  return builtInLanguageSet.has(language);
+}
+function parseBuiltInLanguage(language) {
+  language = language.trim().toLowerCase();
+  language = builtin_default.aliases[language] ?? language;
+  if (isBuiltInLanguage(language)) {
+    return language;
+  }
+  return void 0;
+}

 // src/overlay/diagnostics.ts
 async function addOverlayDisablementDiagnostics(config, codeql, overlayDisabledReason) {
@@ -89608,7 +89646,7 @@ var internal = {
 };

 // src/init.ts
-var fs15 = __toESM(require("fs"));
+var fs16 = __toESM(require("fs"));
 var path15 = __toESM(require("path"));
 var core12 = __toESM(require_core());
 var toolrunner4 = __toESM(require_toolrunner());
@@ -89616,7 +89654,7 @@ var github2 = __toESM(require_github());
 var io5 = __toESM(require_io());

 // src/codeql.ts
-var fs14 = __toESM(require("fs"));
+var fs15 = __toESM(require("fs"));
 var path14 = __toESM(require("path"));
 var core11 = __toESM(require_core());
 var toolrunner3 = __toESM(require_toolrunner());
@@ -89870,20 +89908,222 @@ function wrapCliConfigurationError(cliError) {
 }

 // src/setup-codeql.ts
-var fs12 = __toESM(require("fs"));
+var fs13 = __toESM(require("fs"));
 var path12 = __toESM(require("path"));
 var toolcache3 = __toESM(require_tool_cache());
 var import_fast_deep_equal = __toESM(require_fast_deep_equal());
-var semver8 = __toESM(require_semver2());
+var semver9 = __toESM(require_semver2());
+
+// src/overlay/caching.ts
+var fs10 = __toESM(require("fs"));
+var actionsCache4 = __toESM(require_cache4());
+var semver6 = __toESM(require_semver2());
+var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB = 7500;
+var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_BYTES = OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB * 1e6;
+var CACHE_VERSION2 = 1;
+var CACHE_PREFIX = "codeql-overlay-base-database";
+var MAX_CACHE_OPERATION_MS3 = 6e5;
+async function checkOverlayBaseDatabase(codeql, config, logger, warningPrefix) {
+  const baseDatabaseOidsFilePath = getBaseDatabaseOidsFilePath(config);
+  if (!fs10.existsSync(baseDatabaseOidsFilePath)) {
+    logger.warning(
+      `${warningPrefix}: ${baseDatabaseOidsFilePath} does not exist`
+    );
+    return false;
+  }
+  for (const language of config.languages) {
+    const dbPath = getCodeQLDatabasePath(config, language);
+    try {
+      const resolveDatabaseOutput = await codeql.resolveDatabase(dbPath);
+      if (resolveDatabaseOutput === void 0 || !("overlayBaseSpecifier" in resolveDatabaseOutput)) {
+        logger.info(`${warningPrefix}: no overlayBaseSpecifier defined`);
+        return false;
+      } else {
+        logger.debug(
+          `Overlay base specifier for ${language} overlay-base database found: ${resolveDatabaseOutput.overlayBaseSpecifier}`
+        );
+      }
+    } catch (e) {
+      logger.warning(`${warningPrefix}: failed to resolve database: ${e}`);
+      return false;
+    }
+  }
+  return true;
+}
+async function downloadOverlayBaseDatabaseFromCache(codeql, config, logger) {
+  const overlayDatabaseMode = config.overlayDatabaseMode;
+  if (overlayDatabaseMode !== "overlay" /* Overlay */) {
+    logger.debug(
+      `Overlay database mode is ${overlayDatabaseMode}. Skip downloading overlay-base database from cache.`
+    );
+    return void 0;
+  }
+  if (!config.useOverlayDatabaseCaching) {
+    logger.debug(
+      "Overlay database caching is disabled. Skip downloading overlay-base database from cache."
+    );
+    return void 0;
+  }
+  if (isInTestMode()) {
+    logger.debug(
+      "In test mode. Skip downloading overlay-base database from cache."
+    );
+    return void 0;
+  }
+  const dbLocation = config.dbLocation;
+  const codeQlVersion = (await codeql.getVersion()).version;
+  const cacheRestoreKeyPrefix = await getCacheRestoreKeyPrefix(
+    config,
+    codeQlVersion
+  );
+  logger.info(
+    `Looking in Actions cache for overlay-base database with restore key ${cacheRestoreKeyPrefix}`
+  );
+  let databaseDownloadDurationMs = 0;
+  try {
+    const databaseDownloadStart = performance.now();
+    const foundKey = await waitForResultWithTimeLimit(
+      // This ten-minute limit for the cache restore operation is mainly to
+      // guard against the possibility that the cache service is unresponsive
+      // and hangs outside the data download.
+      //
+      // Data download (which is normally the most time-consuming part of the
+      // restore operation) should not run long enough to hit this limit. Even
+      // for an extremely large 10GB database, at a download speed of 40MB/s
+      // (see below), the download should complete within five minutes. If we
+      // do hit this limit, there are likely more serious problems other than
+      // mere slow download speed.
+      //
+      // This is important because we don't want any ongoing file operations
+      // on the database directory when we do hit this limit. Hitting this
+      // time limit takes us to a fallback path where we re-initialize the
+      // database from scratch at dbLocation, and having the cache restore
+      // operation continue to write into dbLocation in the background would
+      // really mess things up. We want to hit this limit only in the case
+      // of a hung cache service, not just slow download speed.
+      MAX_CACHE_OPERATION_MS3,
+      actionsCache4.restoreCache(
+        [dbLocation],
+        cacheRestoreKeyPrefix,
+        void 0,
+        {
+          // Azure SDK download (which is the default) uses 128MB segments; see
+          // https://github.com/actions/toolkit/blob/main/packages/cache/README.md.
+          // Setting segmentTimeoutInMs to 3000 translates to segment download
+          // speed of about 40 MB/s, which should be achievable unless the
+          // download is unreliable (in which case we do want to abort).
+          segmentTimeoutInMs: 3e3
+        }
+      ),
+      () => {
+        logger.info("Timed out downloading overlay-base database from cache");
+      }
+    );
+    databaseDownloadDurationMs = Math.round(
+      performance.now() - databaseDownloadStart
+    );
+    if (foundKey === void 0) {
+      logger.info("No overlay-base database found in Actions cache");
+      return void 0;
+    }
+    logger.info(
+      `Downloaded overlay-base database in cache with key ${foundKey}`
+    );
+  } catch (error3) {
+    logger.warning(
+      `Failed to download overlay-base database from cache: ${error3 instanceof Error ? error3.message : String(error3)}`
+    );
+    return void 0;
+  }
+  const databaseIsValid = await checkOverlayBaseDatabase(
+    codeql,
+    config,
+    logger,
+    "Downloaded overlay-base database is invalid"
+  );
+  if (!databaseIsValid) {
+    logger.warning("Downloaded overlay-base database failed validation");
+    return void 0;
+  }
+  const databaseSizeBytes = await tryGetFolderBytes(dbLocation, logger);
+  if (databaseSizeBytes === void 0) {
+    logger.info(
+      "Filesystem error while accessing downloaded overlay-base database"
+    );
+    return void 0;
+  }
+  logger.info(`Successfully downloaded overlay-base database to ${dbLocation}`);
+  return {
+    databaseSizeBytes: Math.round(databaseSizeBytes),
+    databaseDownloadDurationMs
+  };
+}
+async function getCacheRestoreKeyPrefix(config, codeQlVersion) {
+  return `${await getCacheKeyPrefixBase(config.languages)}${codeQlVersion}-`;
+}
+async function getCacheKeyPrefixBase(parsedLanguages) {
+  const languagesComponent = [...parsedLanguages].sort().join("_");
+  const cacheKeyComponents = {
+    automationID: await getAutomationID()
+    // Add more components here as needed in the future
+  };
+  const componentsHash = createCacheKeyHash(cacheKeyComponents);
+  return `${CACHE_PREFIX}-${CACHE_VERSION2}-${componentsHash}-${languagesComponent}-`;
+}
+async function getCodeQlVersionsForOverlayBaseDatabases(rawLanguages, logger) {
+  const languages = rawLanguages.map(parseBuiltInLanguage);
+  if (languages.includes(void 0)) {
+    logger.warning(
+      "One or more provided languages are not recognized as built-in languages. Skipping searching for overlay-base databases in cache."
+    );
+    return void 0;
+  }
+  const dedupedLanguages = [
+    ...new Set(languages.filter((l) => l !== void 0))
+  ];
+  const cacheKeyPrefix = await getCacheKeyPrefixBase(dedupedLanguages);
+  logger.debug(
+    `Searching for overlay-base databases in Actions cache with prefix ${cacheKeyPrefix}`
+  );
+  const caches = await listActionsCaches(cacheKeyPrefix);
+  if (caches.length === 0) {
+    logger.info("No overlay-base databases found in Actions cache.");
+    return [];
+  }
+  logger.info(
+    `Found ${caches.length} overlay-base ${caches.length === 1 ? "database" : "databases"} in the Actions cache.`
+  );
+  const versionRegex = /^([\d.]+)-/;
+  const versionSet = /* @__PURE__ */ new Set();
+  for (const cache of caches) {
+    if (!cache.key) continue;
+    const suffix = cache.key.substring(cacheKeyPrefix.length);
+    const match = suffix.match(versionRegex);
+    if (match && semver6.valid(match[1])) {
+      versionSet.add(match[1]);
+    }
+  }
+  if (versionSet.size === 0) {
+    logger.info(
+      "Could not parse any CodeQL versions from overlay-base database cache keys."
+    );
+    return [];
+  }
+  const versions = [...versionSet].sort(semver6.rcompare);
+  logger.info(
+    `Found overlay databases for the following CodeQL versions in the Actions cache: ${versions.join(", ")}`
+  );
+  return versions;
+}

 // src/tar.ts
 var import_child_process = require("child_process");
-var fs10 = __toESM(require("fs"));
+var fs11 = __toESM(require("fs"));
 var stream = __toESM(require("stream"));
 var import_toolrunner = __toESM(require_toolrunner());
 var io4 = __toESM(require_io());
 var toolcache = __toESM(require_tool_cache());
-var semver6 = __toESM(require_semver2());
+var semver7 = __toESM(require_semver2());
 var MIN_REQUIRED_BSD_TAR_VERSION = "3.4.3";
 var MIN_REQUIRED_GNU_TAR_VERSION = "1.31";
 async function getTarVersion() {
@@ -89925,9 +90165,9 @@ async function isZstdAvailable(logger) {
      case "gnu":
        return {
          available: foundZstdBinary && // GNU tar only uses major and minor version numbers
-          semver6.gte(
-            semver6.coerce(version),
-            semver6.coerce(MIN_REQUIRED_GNU_TAR_VERSION)
+          semver7.gte(
+            semver7.coerce(version),
+            semver7.coerce(MIN_REQUIRED_GNU_TAR_VERSION)
          ),
          foundZstdBinary,
          version: tarVersion
@@ -89936,7 +90176,7 @@ async function isZstdAvailable(logger) {
        return {
          available: foundZstdBinary && // Do a loose comparison since these version numbers don't contain
          // a patch version number.
-          semver6.gte(version, MIN_REQUIRED_BSD_TAR_VERSION),
+          semver7.gte(version, MIN_REQUIRED_BSD_TAR_VERSION),
          foundZstdBinary,
          version: tarVersion
        };
@@ -89951,7 +90191,7 @@ async function isZstdAvailable(logger) {
  }
 }
 async function extract(tarPath, dest, compressionMethod, tarVersion, logger) {
-  fs10.mkdirSync(dest, { recursive: true });
+  fs11.mkdirSync(dest, { recursive: true });
  switch (compressionMethod) {
    case "gzip":
      return await toolcache.extractTar(tarPath, dest);
@@ -90035,7 +90275,7 @@ function inferCompressionMethod(tarPath) {
 }

 // src/tools-download.ts
-var fs11 = __toESM(require("fs"));
+var fs12 = __toESM(require("fs"));
 var os4 = __toESM(require("os"));
 var path11 = __toESM(require("path"));
 var import_perf_hooks2 = require("perf_hooks");
@@ -90043,7 +90283,7 @@ var core10 = __toESM(require_core());
 var import_http_client = __toESM(require_lib());
 var toolcache2 = __toESM(require_tool_cache());
 var import_follow_redirects = __toESM(require_follow_redirects());
-var semver7 = __toESM(require_semver2());
+var semver8 = __toESM(require_semver2());
 var STREAMING_HIGH_WATERMARK_BYTES = 4 * 1024 * 1024;
 var TOOLCACHE_TOOL_NAME = "CodeQL";
 function makeDownloadFirstToolsDownloadDurations(downloadDurationMs, extractionDurationMs) {
@@ -90142,7 +90382,7 @@ async function downloadAndExtract(codeqlURL, compressionMethod, dest, authorizat
  };
 }
 async function downloadAndExtractZstdWithStreaming(codeqlURL, dest, authorization, headers, tarVersion, logger) {
-  fs11.mkdirSync(dest, { recursive: true });
+  fs12.mkdirSync(dest, { recursive: true });
  const agent = new import_http_client.HttpClient().getAgent(codeqlURL);
  headers = Object.assign(
    { "User-Agent": "CodeQL Action" },
@@ -90173,13 +90413,13 @@ function getToolcacheDirectory(version) {
  return path11.join(
    getRequiredEnvParam("RUNNER_TOOL_CACHE"),
    TOOLCACHE_TOOL_NAME,
-    semver7.clean(version) || version,
+    semver8.clean(version) || version,
    os4.arch() || ""
  );
 }
 function writeToolcacheMarkerFile(extractedPath, logger) {
  const markerFilePath = `${extractedPath}.complete`;
-  fs11.writeFileSync(markerFilePath, "");
+  fs12.writeFileSync(markerFilePath, "");
  logger.info(`Created toolcache marker file ${markerFilePath}`);
 }
 function sanitizeUrlForStatusReport(url) {
@@ -90298,13 +90538,13 @@ function tryGetTagNameFromUrl(url, logger) {
  return match[1];
 }
 function convertToSemVer(version, logger) {
-  if (!semver8.valid(version)) {
+  if (!semver9.valid(version)) {
    logger.debug(
      `Bundle version ${version} is not in SemVer format. Will treat it as pre-release 0.0.0-${version}.`
    );
    version = `0.0.0-${version}`;
  }
-  const s = semver8.clean(version);
+  const s = semver9.clean(version);
  if (!s) {
    throw new Error(`Bundle version ${version} is not in SemVer format.`);
  }
@@ -90314,7 +90554,7 @@ async function findOverridingToolsInCache(humanReadableVersion, logger) {
  const candidates = toolcache3.findAllVersions("CodeQL").filter(isGoodVersion).map((version) => ({
    folder: toolcache3.find("CodeQL", version),
    version
-  })).filter(({ folder }) => fs12.existsSync(path12.join(folder, "pinned-version")));
+  })).filter(({ folder }) => fs13.existsSync(path12.join(folder, "pinned-version")));
  if (candidates.length === 1) {
    const candidate = candidates[0];
    logger.debug(
@@ -90336,7 +90576,84 @@ async function findOverridingToolsInCache(humanReadableVersion, logger) {
  }
  return void 0;
 }
-async function getCodeQLSource(toolsInput, defaultCliVersion, apiDetails, variant, tarSupportsZstd, features, logger) {
+async function getEnabledVersionsWithOverlayBaseDatabases(defaultCliVersion, rawLanguages, features, logger) {
+  if (rawLanguages === void 0 || rawLanguages.length === 0) {
+    return [];
+  }
+  const isEnabled = await features.getValue(
+    "overlay_analysis_match_codeql_version" /* OverlayAnalysisMatchCodeqlVersion */
+  );
+  const isDryRun = !isEnabled && await features.getValue("overlay_analysis_match_codeql_version_dry_run" /* OverlayAnalysisMatchCodeqlVersionDryRun */);
+  if (!isEnabled && !isDryRun) {
+    return [];
+  }
+  let cachedVersions;
+  try {
+    cachedVersions = await getCodeQlVersionsForOverlayBaseDatabases(
+      rawLanguages,
+      logger
+    );
+  } catch (e) {
+    logger.warning(
+      `Could not list overlay-base databases in the Actions cache while choosing a default CodeQL CLI version, falling back to the highest enabled version. Details: ${getErrorMessage(e)}`
+    );
+    return [];
+  }
+  if (cachedVersions === void 0 || cachedVersions.length === 0) {
+    return [];
+  }
+  const cachedVersionsSet = new Set(cachedVersions);
+  const overlayVersions = defaultCliVersion.enabledVersions.filter(
+    (v) => cachedVersionsSet.has(v.cliVersion)
+  );
+  if (overlayVersions.length === 0) {
+    return [];
+  }
+  const isCachedVersionDifferent = overlayVersions[0].cliVersion !== defaultCliVersion.enabledVersions[0].cliVersion;
+  if (isCachedVersionDifferent) {
+    addNoLanguageDiagnostic(
+      void 0,
+      makeTelemetryDiagnostic(
+        "codeql-action/overlay-aware-default-codeql-version",
+        "Overlay-aware default CodeQL version selection",
+        {
+          cachedVersions,
+          enabledVersions: defaultCliVersion.enabledVersions.map(
+            (v) => v.cliVersion
+          ),
+          isDryRun,
+          overlayAwareVersion: overlayVersions[0].cliVersion
+        }
+      )
+    );
+  }
+  if (isDryRun) {
+    logger.debug(
+      `Overlay-aware default CodeQL version selection is running in dry-run mode. Would have used version ${overlayVersions[0].cliVersion}.`
+    );
+    return [];
+  }
+  return overlayVersions;
+}
+async function resolveDefaultCliVersion(defaultCliVersion, rawLanguages, useOverlayAwareDefaultCliVersion, features, logger) {
+  if (!useOverlayAwareDefaultCliVersion || !isAnalyzingPullRequest()) {
+    return defaultCliVersion.enabledVersions[0];
+  }
+  const overlayVersions = await getEnabledVersionsWithOverlayBaseDatabases(
+    defaultCliVersion,
+    rawLanguages,
+    features,
+    logger
+  );
+  if (overlayVersions.length > 0) {
+    logger.info(
+      `Using CodeQL version ${overlayVersions[0].cliVersion} since this is the highest enabled version that has a cached overlay-base database.`
+    );
+    return overlayVersions[0];
+  }
+  return defaultCliVersion.enabledVersions[0];
+}
+async function getCodeQLSource(toolsInput, defaultCliVersion, rawLanguages, useOverlayAwareDefaultCliVersion, apiDetails, variant, tarSupportsZstd, features, logger) {
  if (toolsInput && !isReservedToolsValue(toolsInput) && !toolsInput.startsWith("http")) {
    logger.info(`Using CodeQL CLI from local path ${toolsInput}`);
    const compressionMethod2 = inferCompressionMethod(toolsInput);
@@ -90430,21 +90747,35 @@ async function getCodeQLSource(toolsInput, defaultCliVersion, apiDetails, varian
          );
        }
      }
-      cliVersion2 = defaultCliVersion.cliVersion;
-      tagName = defaultCliVersion.tagName;
+      const version = await resolveDefaultCliVersion(
+        defaultCliVersion,
+        rawLanguages,
+        useOverlayAwareDefaultCliVersion,
+        features,
+        logger
+      );
+      cliVersion2 = version.cliVersion;
+      tagName = version.tagName;
    }
  } else if (toolsInput !== void 0) {
    tagName = tryGetTagNameFromUrl(toolsInput, logger);
    url = toolsInput;
    if (tagName) {
      const bundleVersion3 = tryGetBundleVersionFromTagName(tagName, logger);
-      if (bundleVersion3 && semver8.valid(bundleVersion3)) {
+      if (bundleVersion3 && semver9.valid(bundleVersion3)) {
        cliVersion2 = convertToSemVer(bundleVersion3, logger);
      }
    }
  } else {
-    cliVersion2 = defaultCliVersion.cliVersion;
-    tagName = defaultCliVersion.tagName;
+    const version = await resolveDefaultCliVersion(
+      defaultCliVersion,
+      rawLanguages,
+      useOverlayAwareDefaultCliVersion,
+      features,
+      logger
+    );
+    cliVersion2 = version.cliVersion;
+    tagName = version.tagName;
  }
  const bundleVersion2 = tagName && tryGetBundleVersionFromTagName(tagName, logger);
  const humanReadableVersion = cliVersion2 ?? (bundleVersion2 && convertToSemVer(bundleVersion2, logger)) ?? tagName ?? url ?? "unknown";
@@ -90641,7 +90972,7 @@ function getCanonicalToolcacheVersion(cliVersion2, bundleVersion2, logger) {
  }
  return cliVersion2;
 }
-async function setupCodeQLBundle(toolsInput, apiDetails, tempDir, variant, defaultCliVersion, features, logger) {
+async function setupCodeQLBundle(toolsInput, apiDetails, tempDir, variant, defaultCliVersion, rawLanguages, useOverlayAwareDefaultCliVersion, features, logger) {
  if (!await isBinaryAccessible("tar", logger)) {
    throw new ConfigurationError(
      "Could not find tar in PATH, so unable to extract CodeQL bundle."
@@ -90651,6 +90982,8 @@ async function setupCodeQLBundle(toolsInput, apiDetails, tempDir, variant, defau
  const source = await getCodeQLSource(
    toolsInput,
    defaultCliVersion,
+    rawLanguages,
+    useOverlayAwareDefaultCliVersion,
    apiDetails,
    variant,
    zstdAvailability.available,
@@ -90709,7 +91042,7 @@ async function setupCodeQLBundle(toolsInput, apiDetails, tempDir, variant, defau
 async function useZstdBundle(cliVersion2, tarSupportsZstd) {
  return (
    // In testing, gzip performs better than zstd on Windows.
-    process.platform !== "win32" && tarSupportsZstd && semver8.gte(cliVersion2, CODEQL_VERSION_ZSTD_BUNDLE)
+    process.platform !== "win32" && tarSupportsZstd && semver9.gte(cliVersion2, CODEQL_VERSION_ZSTD_BUNDLE)
  );
 }
 function getTempExtractionDir(tempDir) {
@@ -90741,7 +91074,7 @@ async function getNightlyToolsUrl(logger) {
  }
 }
 function getLatestToolcacheVersion(logger) {
-  const allVersions = toolcache3.findAllVersions("CodeQL").sort((a, b) => semver8.compare(b, a));
+  const allVersions = toolcache3.findAllVersions("CodeQL").sort((a, b) => semver9.compare(b, a));
  logger.debug(
    `Found the following versions of the CodeQL tools in the toolcache: ${JSON.stringify(
      allVersions
@@ -90761,7 +91094,7 @@ function isReservedToolsValue(tools) {
 }

 // src/tracer-config.ts
-var fs13 = __toESM(require("fs"));
+var fs14 = __toESM(require("fs"));
 var path13 = __toESM(require("path"));
 async function shouldEnableIndirectTracing(codeql, config) {
  if (config.buildMode === "none" /* None */) {
@@ -90774,7 +91107,7 @@ async function shouldEnableIndirectTracing(codeql, config) {
 }
 async function getTracerConfigForCluster(config) {
  const tracingEnvVariables = JSON.parse(
-    fs13.readFileSync(
+    fs14.readFileSync(
      path13.resolve(
        config.dbLocation,
        "temp/tracingEnvironment/start-tracing.json"
@@ -90800,7 +91133,7 @@ var CODEQL_NEXT_MINIMUM_VERSION = "2.19.4";
 var GHES_VERSION_MOST_RECENTLY_DEPRECATED = "3.15";
 var GHES_MOST_RECENT_DEPRECATION_DATE = "2026-04-09";
 var EXTRACTION_DEBUG_MODE_VERBOSITY = "progress++";
-async function setupCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliVersion, features, logger, checkVersion) {
+async function setupCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliVersion, rawLanguages, useOverlayAwareDefaultCliVersion, features, logger, checkVersion) {
  try {
    const {
      codeqlFolder,
@@ -90814,6 +91147,8 @@ async function setupCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliV
      tempDir,
      variant,
      defaultCliVersion,
+      rawLanguages,
+      useOverlayAwareDefaultCliVersion,
      features,
      logger
    );
@@ -90883,7 +91218,7 @@ async function getCodeQLForCmd(cmd, checkVersion) {
        "tools",
        "tracing-config.lua"
      );
-      return fs14.existsSync(tracingConfigPath);
+      return fs15.existsSync(tracingConfigPath);
    },
    async isScannedLanguage(language) {
      return !await this.isTracedLanguage(language);
@@ -91359,7 +91694,7 @@ async function writeCodeScanningConfigFile(config, logger) {
  logger.startGroup("Augmented user configuration file contents");
  logger.info(dump(augmentedConfig));
  logger.endGroup();
-  fs14.writeFileSync(codeScanningConfigFile, dump(augmentedConfig));
+  fs15.writeFileSync(codeScanningConfigFile, dump(augmentedConfig));
  return codeScanningConfigFile;
 }
 var TRAP_CACHE_SIZE_MB = 1024;
@@ -91403,7 +91738,7 @@ async function getJobRunUuidSarifOptions(codeql) {
 }

 // src/init.ts
-async function initCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliVersion, features, logger) {
+async function initCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliVersion, rawLanguages, useOverlayAwareDefaultCliVersion, features, logger) {
  logger.startGroup("Setup CodeQL tools");
  const {
    codeql,
@@ -91417,6 +91752,8 @@ async function initCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliVe
    tempDir,
    variant,
    defaultCliVersion,
+    rawLanguages,
+    useOverlayAwareDefaultCliVersion,
    features,
    logger,
    true
@@ -91437,7 +91774,7 @@ async function initConfig2(features, inputs) {
  });
 }
 async function runDatabaseInitCluster(databaseInitEnvironment, codeql, config, sourceRoot, processName, qlconfigFile, logger) {
-  fs15.mkdirSync(config.dbLocation, { recursive: true });
+  fs16.mkdirSync(config.dbLocation, { recursive: true });
  await wrapEnvironment(
    databaseInitEnvironment,
    async () => await codeql.databaseInitCluster(
@@ -91473,24 +91810,24 @@ async function checkPacksForOverlayCompatibility(codeql, config, logger) {
 function checkPackForOverlayCompatibility(packDir, codeQlOverlayVersion, logger) {
  try {
    let qlpackPath = path15.join(packDir, "qlpack.yml");
-    if (!fs15.existsSync(qlpackPath)) {
+    if (!fs16.existsSync(qlpackPath)) {
      qlpackPath = path15.join(packDir, "codeql-pack.yml");
    }
    const qlpackContents = load(
-      fs15.readFileSync(qlpackPath, "utf8")
+      fs16.readFileSync(qlpackPath, "utf8")
    );
    if (!qlpackContents.buildMetadata) {
      return true;
    }
    const packInfoPath = path15.join(packDir, ".packinfo");
-    if (!fs15.existsSync(packInfoPath)) {
+    if (!fs16.existsSync(packInfoPath)) {
      logger.warning(
        `The query pack at ${packDir} does not have a .packinfo file, so it cannot support overlay analysis. Recompiling the query pack with the latest CodeQL CLI should solve this problem.`
      );
      return false;
    }
    const packInfoFileContents = JSON.parse(
-      fs15.readFileSync(packInfoPath, "utf8")
+      fs16.readFileSync(packInfoPath, "utf8")
    );
    const packOverlayVersion = packInfoFileContents.overlayVersion;
    if (typeof packOverlayVersion !== "number") {
@@ -91525,8 +91862,8 @@ async function checkInstallPython311(languages, codeql) {
    ]).exec();
  }
 }
-function cleanupDatabaseClusterDirectory(config, logger, options = {}, rmSync2 = fs15.rmSync) {
-  if (fs15.existsSync(config.dbLocation) && (fs15.statSync(config.dbLocation).isFile() || fs15.readdirSync(config.dbLocation).length > 0)) {
+function cleanupDatabaseClusterDirectory(config, logger, options = {}, rmSync2 = fs16.rmSync) {
+  if (fs16.existsSync(config.dbLocation) && (fs16.statSync(config.dbLocation).isFile() || fs16.readdirSync(config.dbLocation).length > 0)) {
    if (!options.disableExistingDirectoryWarning) {
      logger.warning(
        `The database cluster directory ${config.dbLocation} must be empty. Attempting to clean it up.`
@@ -91630,163 +91967,6 @@ To opt out of this change, ${envVarOptOut}`;
  core12.exportVariable("CODEQL_ACTION_DID_LOG_FILE_COVERAGE_ON_PRS_DEPRECATION" /* DID_LOG_FILE_COVERAGE_ON_PRS_DEPRECATION */, "true");
 }

-// src/overlay/caching.ts
-var fs16 = __toESM(require("fs"));
-var actionsCache4 = __toESM(require_cache4());
-var semver9 = __toESM(require_semver2());
-var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB = 7500;
-var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_BYTES = OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB * 1e6;
-var CACHE_VERSION2 = 1;
-var CACHE_PREFIX = "codeql-overlay-base-database";
-var MAX_CACHE_OPERATION_MS3 = 6e5;
-async function checkOverlayBaseDatabase(codeql, config, logger, warningPrefix) {
-  const baseDatabaseOidsFilePath = getBaseDatabaseOidsFilePath(config);
-  if (!fs16.existsSync(baseDatabaseOidsFilePath)) {
-    logger.warning(
-      `${warningPrefix}: ${baseDatabaseOidsFilePath} does not exist`
-    );
-    return false;
-  }
-  for (const language of config.languages) {
-    const dbPath = getCodeQLDatabasePath(config, language);
-    try {
-      const resolveDatabaseOutput = await codeql.resolveDatabase(dbPath);
-      if (resolveDatabaseOutput === void 0 || !("overlayBaseSpecifier" in resolveDatabaseOutput)) {
-        logger.info(`${warningPrefix}: no overlayBaseSpecifier defined`);
-        return false;
-      } else {
-        logger.debug(
-          `Overlay base specifier for ${language} overlay-base database found: ${resolveDatabaseOutput.overlayBaseSpecifier}`
-        );
-      }
-    } catch (e) {
-      logger.warning(`${warningPrefix}: failed to resolve database: ${e}`);
-      return false;
-    }
-  }
-  return true;
-}
-async function downloadOverlayBaseDatabaseFromCache(codeql, config, logger) {
-  const overlayDatabaseMode = config.overlayDatabaseMode;
-  if (overlayDatabaseMode !== "overlay" /* Overlay */) {
-    logger.debug(
-      `Overlay database mode is ${overlayDatabaseMode}. Skip downloading overlay-base database from cache.`
-    );
-    return void 0;
-  }
-  if (!config.useOverlayDatabaseCaching) {
-    logger.debug(
-      "Overlay database caching is disabled. Skip downloading overlay-base database from cache."
-    );
-    return void 0;
-  }
-  if (isInTestMode()) {
-    logger.debug(
-      "In test mode. Skip downloading overlay-base database from cache."
-    );
-    return void 0;
-  }
-  const dbLocation = config.dbLocation;
-  const codeQlVersion = (await codeql.getVersion()).version;
-  const cacheRestoreKeyPrefix = await getCacheRestoreKeyPrefix(
-    config,
-    codeQlVersion
-  );
-  logger.info(
-    `Looking in Actions cache for overlay-base database with restore key ${cacheRestoreKeyPrefix}`
-  );
-  let databaseDownloadDurationMs = 0;
-  try {
-    const databaseDownloadStart = performance.now();
-    const foundKey = await waitForResultWithTimeLimit(
-      // This ten-minute limit for the cache restore operation is mainly to
-      // guard against the possibility that the cache service is unresponsive
-      // and hangs outside the data download.
-      //
-      // Data download (which is normally the most time-consuming part of the
-      // restore operation) should not run long enough to hit this limit. Even
-      // for an extremely large 10GB database, at a download speed of 40MB/s
-      // (see below), the download should complete within five minutes. If we
-      // do hit this limit, there are likely more serious problems other than
-      // mere slow download speed.
-      //
-      // This is important because we don't want any ongoing file operations
-      // on the database directory when we do hit this limit. Hitting this
-      // time limit takes us to a fallback path where we re-initialize the
-      // database from scratch at dbLocation, and having the cache restore
-      // operation continue to write into dbLocation in the background would
-      // really mess things up. We want to hit this limit only in the case
-      // of a hung cache service, not just slow download speed.
-      MAX_CACHE_OPERATION_MS3,
-      actionsCache4.restoreCache(
-        [dbLocation],
-        cacheRestoreKeyPrefix,
-        void 0,
-        {
-          // Azure SDK download (which is the default) uses 128MB segments; see
-          // https://github.com/actions/toolkit/blob/main/packages/cache/README.md.
-          // Setting segmentTimeoutInMs to 3000 translates to segment download
-          // speed of about 40 MB/s, which should be achievable unless the
-          // download is unreliable (in which case we do want to abort).
-          segmentTimeoutInMs: 3e3
-        }
-      ),
-      () => {
-        logger.info("Timed out downloading overlay-base database from cache");
-      }
-    );
-    databaseDownloadDurationMs = Math.round(
-      performance.now() - databaseDownloadStart
-    );
-    if (foundKey === void 0) {
-      logger.info("No overlay-base database found in Actions cache");
-      return void 0;
-    }
-    logger.info(
-      `Downloaded overlay-base database in cache with key ${foundKey}`
-    );
-  } catch (error3) {
-    logger.warning(
-      `Failed to download overlay-base database from cache: ${error3 instanceof Error ? error3.message : String(error3)}`
-    );
-    return void 0;
-  }
-  const databaseIsValid = await checkOverlayBaseDatabase(
-    codeql,
-    config,
-    logger,
-    "Downloaded overlay-base database is invalid"
-  );
-  if (!databaseIsValid) {
-    logger.warning("Downloaded overlay-base database failed validation");
-    return void 0;
-  }
-  const databaseSizeBytes = await tryGetFolderBytes(dbLocation, logger);
-  if (databaseSizeBytes === void 0) {
-    logger.info(
-      "Filesystem error while accessing downloaded overlay-base database"
-    );
-    return void 0;
-  }
-  logger.info(`Successfully downloaded overlay-base database to ${dbLocation}`);
-  return {
-    databaseSizeBytes: Math.round(databaseSizeBytes),
-    databaseDownloadDurationMs
-  };
-}
-async function getCacheRestoreKeyPrefix(config, codeQlVersion) {
-  return `${await getCacheKeyPrefixBase(config.languages)}${codeQlVersion}-`;
-}
-async function getCacheKeyPrefixBase(parsedLanguages) {
-  const languagesComponent = [...parsedLanguages].sort().join("_");
-  const cacheKeyComponents = {
-    automationID: await getAutomationID()
-    // Add more components here as needed in the future
-  };
-  const componentsHash = createCacheKeyHash(cacheKeyComponents);
-  return `${CACHE_PREFIX}-${CACHE_VERSION2}-${componentsHash}-${languagesComponent}-`;
-}
-
 // src/status-report.ts
 var os5 = __toESM(require("os"));
 var core13 = __toESM(require_core());
@@ -92354,16 +92534,22 @@ async function run(startedAt) {
        `The 'init' action should not be run in the same workflow as 'setup-codeql'.`
      );
    }
-    const codeQLDefaultVersionInfo = await features.getDefaultCliVersion(
-      gitHubVersion.type
-    );
+    const codeQLDefaultVersionInfo = await features.getEnabledDefaultCliVersions(gitHubVersion.type);
    toolsFeatureFlagsValid = codeQLDefaultVersionInfo.toolsFeatureFlagsValid;
+    const rawLanguages = getRawLanguagesNoAutodetect(
+      getOptionalInput("languages")
+    );
+    const useOverlayAwareDefaultCliVersion = !!analysisKinds?.includes(
+      "code-scanning" /* CodeScanning */
+    );
    const initCodeQLResult = await initCodeQL(
      getOptionalInput("tools"),
      apiDetails,
      getTemporaryDirectory(),
      gitHubVersion.type,
      codeQLDefaultVersionInfo,
+      rawLanguages,
+      useOverlayAwareDefaultCliVersion,
      features,
      logger
    );
@@ -26352,11 +26352,11 @@ var require_valid = __commonJS({
  "node_modules/semver/functions/valid.js"(exports2, module2) {
    "use strict";
    var parse2 = require_parse2();
-    var valid3 = (version, options) => {
+    var valid4 = (version, options) => {
      const v = parse2(version, options);
      return v ? v.version : null;
    };
-    module2.exports = valid3;
+    module2.exports = valid4;
  }
 });

@@ -26499,8 +26499,8 @@ var require_rcompare = __commonJS({
  "node_modules/semver/functions/rcompare.js"(exports2, module2) {
    "use strict";
    var compare2 = require_compare();
-    var rcompare = (a, b, loose) => compare2(b, a, loose);
-    module2.exports = rcompare;
+    var rcompare3 = (a, b, loose) => compare2(b, a, loose);
+    module2.exports = rcompare3;
  }
 });

@@ -27716,7 +27716,7 @@ var require_semver2 = __commonJS({
    var SemVer = require_semver();
    var identifiers = require_identifiers();
    var parse2 = require_parse2();
-    var valid3 = require_valid();
+    var valid4 = require_valid();
    var clean3 = require_clean();
    var inc = require_inc();
    var diff = require_diff();
@@ -27725,7 +27725,7 @@ var require_semver2 = __commonJS({
    var patch = require_patch();
    var prerelease = require_prerelease();
    var compare2 = require_compare();
-    var rcompare = require_rcompare();
+    var rcompare3 = require_rcompare();
    var compareLoose = require_compare_loose();
    var compareBuild = require_compare_build();
    var sort = require_sort();
@@ -27754,7 +27754,7 @@ var require_semver2 = __commonJS({
    var subset = require_subset();
    module2.exports = {
      parse: parse2,
-      valid: valid3,
+      valid: valid4,
      clean: clean3,
      inc,
      diff,
@@ -27763,7 +27763,7 @@ var require_semver2 = __commonJS({
      patch,
      prerelease,
      compare: compare2,
-      rcompare,
+      rcompare: rcompare3,
      compareLoose,
      compareBuild,
      sort,
@@ -29553,16 +29553,16 @@ var require_attribute = __commonJS({
      var result = new ValidatorResult(instance, schema2, options, ctx);
      var self2 = this;
      schema2.allOf.forEach(function(v, i) {
-        var valid3 = self2.validateSchema(instance, v, options, ctx);
-        if (!valid3.valid) {
+        var valid4 = self2.validateSchema(instance, v, options, ctx);
+        if (!valid4.valid) {
          var id = v.$id || v.id;
          var msg = id || v.title && JSON.stringify(v.title) || v["$ref"] && "<" + v["$ref"] + ">" || "[subschema " + i + "]";
          result.addError({
            name: "allOf",
-            argument: { id: msg, length: valid3.errors.length, valid: valid3 },
-            message: "does not match allOf schema " + msg + " with " + valid3.errors.length + " error[s]:"
+            argument: { id: msg, length: valid4.errors.length, valid: valid4 },
+            message: "does not match allOf schema " + msg + " with " + valid4.errors.length + " error[s]:"
          });
-          result.importErrors(valid3);
+          result.importErrors(valid4);
        }
      });
      return result;
@@ -29851,8 +29851,8 @@ var require_attribute = __commonJS({
      if (typeof schema2.exclusiveMinimum === "boolean") return;
      if (!this.types.number(instance)) return;
      var result = new ValidatorResult(instance, schema2, options, ctx);
-      var valid3 = instance > schema2.exclusiveMinimum;
-      if (!valid3) {
+      var valid4 = instance > schema2.exclusiveMinimum;
+      if (!valid4) {
        result.addError({
          name: "exclusiveMinimum",
          argument: schema2.exclusiveMinimum,
@@ -29865,8 +29865,8 @@ var require_attribute = __commonJS({
      if (typeof schema2.exclusiveMaximum === "boolean") return;
      if (!this.types.number(instance)) return;
      var result = new ValidatorResult(instance, schema2, options, ctx);
-      var valid3 = instance < schema2.exclusiveMaximum;
-      if (!valid3) {
+      var valid4 = instance < schema2.exclusiveMaximum;
+      if (!valid4) {
        result.addError({
          name: "exclusiveMaximum",
          argument: schema2.exclusiveMaximum,
@@ -32649,8 +32649,8 @@ var require_semver3 = __commonJS({
        return null;
      }
    }
-    exports2.valid = valid3;
-    function valid3(version, options) {
+    exports2.valid = valid4;
+    function valid4(version, options) {
      var v = parse2(version, options);
      return v ? v.version : null;
    }
@@ -32950,8 +32950,8 @@ var require_semver3 = __commonJS({
      var versionB = new SemVer(b, loose);
      return versionA.compare(versionB) || versionA.compareBuild(versionB);
    }
-    exports2.rcompare = rcompare;
-    function rcompare(a, b, loose) {
+    exports2.rcompare = rcompare3;
+    function rcompare3(a, b, loose) {
      return compare2(b, a, loose);
    }
    exports2.sort = sort;
@@ -33779,7 +33779,7 @@ var require_cacheUtils = __commonJS({
    var crypto2 = __importStar2(require("crypto"));
    var fs6 = __importStar2(require("fs"));
    var path7 = __importStar2(require("path"));
-    var semver9 = __importStar2(require_semver3());
+    var semver10 = __importStar2(require_semver3());
    var util = __importStar2(require("util"));
    var constants_1 = require_constants7();
    var versionSalt = "1.0";
@@ -33872,7 +33872,7 @@ var require_cacheUtils = __commonJS({
    function getCompressionMethod() {
      return __awaiter2(this, void 0, void 0, function* () {
        const versionOutput = yield getVersion("zstd", ["--quiet"]);
-        const version = semver9.clean(versionOutput);
+        const version = semver10.clean(versionOutput);
        core14.debug(`zstd version: ${version}`);
        if (versionOutput === "") {
          return constants_1.CompressionMethod.Gzip;
@@ -75278,7 +75278,7 @@ var require_cacheHttpClient = __commonJS({
    exports2.getCacheEntry = getCacheEntry;
    exports2.downloadCache = downloadCache;
    exports2.reserveCache = reserveCache;
-    exports2.saveCache = saveCache3;
+    exports2.saveCache = saveCache4;
    var core14 = __importStar2(require_core());
    var http_client_1 = require_lib();
    var auth_1 = require_auth();
@@ -75455,7 +75455,7 @@ Other caches with similar key:`);
        }));
      });
    }
-    function saveCache3(cacheId, archivePath, signedUploadURL, options) {
+    function saveCache4(cacheId, archivePath, signedUploadURL, options) {
      return __awaiter2(this, void 0, void 0, function* () {
        const uploadOptions = (0, options_1.getUploadOptions)(options);
        if (uploadOptions.useAzureSdk) {
@@ -80955,8 +80955,8 @@ var require_cache4 = __commonJS({
    Object.defineProperty(exports2, "__esModule", { value: true });
    exports2.FinalizeCacheError = exports2.ReserveCacheError = exports2.ValidationError = void 0;
    exports2.isFeatureAvailable = isFeatureAvailable;
-    exports2.restoreCache = restoreCache3;
-    exports2.saveCache = saveCache3;
+    exports2.restoreCache = restoreCache4;
+    exports2.saveCache = saveCache4;
    var core14 = __importStar2(require_core());
    var path7 = __importStar2(require("path"));
    var utils = __importStar2(require_cacheUtils());
@@ -81013,7 +81013,7 @@ var require_cache4 = __commonJS({
          return !!process.env["ACTIONS_CACHE_URL"];
      }
    }
-    function restoreCache3(paths_1, primaryKey_1, restoreKeys_1, options_1) {
+    function restoreCache4(paths_1, primaryKey_1, restoreKeys_1, options_1) {
      return __awaiter2(this, arguments, void 0, function* (paths, primaryKey, restoreKeys, options, enableCrossOsArchive = false) {
        const cacheServiceVersion = (0, config_1.getCacheServiceVersion)();
        core14.debug(`Cache service version: ${cacheServiceVersion}`);
@@ -81157,7 +81157,7 @@ var require_cache4 = __commonJS({
        return void 0;
      });
    }
-    function saveCache3(paths_1, key_1, options_1) {
+    function saveCache4(paths_1, key_1, options_1) {
      return __awaiter2(this, arguments, void 0, function* (paths, key, options, enableCrossOsArchive = false) {
        const cacheServiceVersion = (0, config_1.getCacheServiceVersion)();
        core14.debug(`Cache service version: ${cacheServiceVersion}`);
@@ -81394,7 +81394,7 @@ var require_manifest = __commonJS({
    exports2._findMatch = _findMatch;
    exports2._getOsVersion = _getOsVersion;
    exports2._readLinuxVersionFile = _readLinuxVersionFile;
-    var semver9 = __importStar2(require_semver2());
+    var semver10 = __importStar2(require_semver2());
    var core_1 = require_core();
    var os2 = require("os");
    var cp = require("child_process");
@@ -81408,7 +81408,7 @@ var require_manifest = __commonJS({
        for (const candidate of candidates) {
          const version = candidate.version;
          (0, core_1.debug)(`check ${version} satisfies ${versionSpec}`);
-          if (semver9.satisfies(version, versionSpec) && (!stable || candidate.stable === stable)) {
+          if (semver10.satisfies(version, versionSpec) && (!stable || candidate.stable === stable)) {
            file = candidate.files.find((item) => {
              (0, core_1.debug)(`${item.arch}===${archFilter} && ${item.platform}===${platFilter}`);
              let chk = item.arch === archFilter && item.platform === platFilter;
@@ -81417,7 +81417,7 @@ var require_manifest = __commonJS({
                if (osVersion === item.platform_version) {
                  chk = true;
                } else {
-                  chk = semver9.satisfies(osVersion, item.platform_version);
+                  chk = semver10.satisfies(osVersion, item.platform_version);
                }
              }
              return chk;
@@ -81677,7 +81677,7 @@ var require_tool_cache = __commonJS({
    var os2 = __importStar2(require("os"));
    var path7 = __importStar2(require("path"));
    var httpm = __importStar2(require_lib());
-    var semver9 = __importStar2(require_semver2());
+    var semver10 = __importStar2(require_semver2());
    var stream = __importStar2(require("stream"));
    var util = __importStar2(require("util"));
    var assert_1 = require("assert");
@@ -81950,7 +81950,7 @@ var require_tool_cache = __commonJS({
    }
    function cacheDir(sourceDir, tool, version, arch) {
      return __awaiter2(this, void 0, void 0, function* () {
-        version = semver9.clean(version) || version;
+        version = semver10.clean(version) || version;
        arch = arch || os2.arch();
        core14.debug(`Caching tool ${tool} ${version} ${arch}`);
        core14.debug(`source dir: ${sourceDir}`);
@@ -81968,7 +81968,7 @@ var require_tool_cache = __commonJS({
    }
    function cacheFile(sourceFile, targetFile, tool, version, arch) {
      return __awaiter2(this, void 0, void 0, function* () {
-        version = semver9.clean(version) || version;
+        version = semver10.clean(version) || version;
        arch = arch || os2.arch();
        core14.debug(`Caching tool ${tool} ${version} ${arch}`);
        core14.debug(`source file: ${sourceFile}`);
@@ -81998,7 +81998,7 @@ var require_tool_cache = __commonJS({
      }
      let toolPath = "";
      if (versionSpec) {
-        versionSpec = semver9.clean(versionSpec) || "";
+        versionSpec = semver10.clean(versionSpec) || "";
        const cachePath = path7.join(_getCacheDirectory(), toolName, versionSpec, arch);
        core14.debug(`checking cache: ${cachePath}`);
        if (fs6.existsSync(cachePath) && fs6.existsSync(`${cachePath}.complete`)) {
@@ -82078,7 +82078,7 @@ var require_tool_cache = __commonJS({
    }
    function _createToolPath(tool, version, arch) {
      return __awaiter2(this, void 0, void 0, function* () {
-        const folderPath = path7.join(_getCacheDirectory(), tool, semver9.clean(version) || version, arch || "");
+        const folderPath = path7.join(_getCacheDirectory(), tool, semver10.clean(version) || version, arch || "");
        core14.debug(`destination ${folderPath}`);
        const markerPath = `${folderPath}.complete`;
        yield io5.rmRF(folderPath);
@@ -82088,30 +82088,30 @@ var require_tool_cache = __commonJS({
      });
    }
    function _completeToolPath(tool, version, arch) {
-      const folderPath = path7.join(_getCacheDirectory(), tool, semver9.clean(version) || version, arch || "");
+      const folderPath = path7.join(_getCacheDirectory(), tool, semver10.clean(version) || version, arch || "");
      const markerPath = `${folderPath}.complete`;
      fs6.writeFileSync(markerPath, "");
      core14.debug("finished caching tool");
    }
    function isExplicitVersion(versionSpec) {
-      const c = semver9.clean(versionSpec) || "";
+      const c = semver10.clean(versionSpec) || "";
      core14.debug(`isExplicit: ${c}`);
-      const valid3 = semver9.valid(c) != null;
-      core14.debug(`explicit? ${valid3}`);
-      return valid3;
+      const valid4 = semver10.valid(c) != null;
+      core14.debug(`explicit? ${valid4}`);
+      return valid4;
    }
    function evaluateVersions(versions, versionSpec) {
      let version = "";
      core14.debug(`evaluating ${versions.length} versions`);
      versions = versions.sort((a, b) => {
-        if (semver9.gt(a, b)) {
+        if (semver10.gt(a, b)) {
          return 1;
        }
        return -1;
      });
      for (let i = versions.length - 1; i >= 0; i--) {
        const potential = versions[i];
-        const satisfied = semver9.satisfies(potential, versionSpec);
+        const satisfied = semver10.satisfies(potential, versionSpec);
        if (satisfied) {
          version = potential;
          break;
@@ -85616,7 +85616,7 @@ function getDiffRangesJsonFilePath() {
  return path2.join(getTemporaryDirectory(), PR_DIFF_RANGE_JSON_FILENAME);
 }
 function getActionVersion() {
-  return "4.35.4";
+  return "4.35.5";
 }
 function getWorkflowEventName() {
  return getRequiredEnvParam("GITHUB_EVENT_NAME");
@@ -86683,6 +86683,16 @@ var featureConfig = {
    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_DISABLE_TRAP_CACHING",
    minimumVersion: void 0
  },
+  ["overlay_analysis_match_codeql_version" /* OverlayAnalysisMatchCodeqlVersion */]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_MATCH_CODEQL_VERSION",
+    minimumVersion: void 0
+  },
+  ["overlay_analysis_match_codeql_version_dry_run" /* OverlayAnalysisMatchCodeqlVersionDryRun */]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_MATCH_CODEQL_VERSION_DRY_RUN",
+    minimumVersion: void 0
+  },
  ["overlay_analysis_resource_checks_v2" /* OverlayAnalysisResourceChecksV2 */]: {
    defaultValue: false,
    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_RESOURCE_CHECKS_V2",
@@ -86850,20 +86860,26 @@ var toolrunner3 = __toESM(require_toolrunner());
 // src/setup-codeql.ts
 var toolcache3 = __toESM(require_tool_cache());
 var import_fast_deep_equal = __toESM(require_fast_deep_equal());
-var semver8 = __toESM(require_semver2());
+var semver9 = __toESM(require_semver2());
+
+// src/overlay/caching.ts
+var actionsCache3 = __toESM(require_cache4());
+var semver6 = __toESM(require_semver2());
+var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB = 7500;
+var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_BYTES = OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB * 1e6;

 // src/tar.ts
 var import_toolrunner = __toESM(require_toolrunner());
 var io4 = __toESM(require_io());
 var toolcache = __toESM(require_tool_cache());
-var semver6 = __toESM(require_semver2());
+var semver7 = __toESM(require_semver2());

 // src/tools-download.ts
 var core10 = __toESM(require_core());
 var import_http_client = __toESM(require_lib());
 var toolcache2 = __toESM(require_tool_cache());
 var import_follow_redirects = __toESM(require_follow_redirects());
-var semver7 = __toESM(require_semver2());
+var semver8 = __toESM(require_semver2());
 var STREAMING_HIGH_WATERMARK_BYTES = 4 * 1024 * 1024;

 // src/tracer-config.ts
@@ -26352,11 +26352,11 @@ var require_valid = __commonJS({
  "node_modules/semver/functions/valid.js"(exports2, module2) {
    "use strict";
    var parse2 = require_parse2();
-    var valid3 = (version, options) => {
+    var valid4 = (version, options) => {
      const v = parse2(version, options);
      return v ? v.version : null;
    };
-    module2.exports = valid3;
+    module2.exports = valid4;
  }
 });

@@ -26499,8 +26499,8 @@ var require_rcompare = __commonJS({
  "node_modules/semver/functions/rcompare.js"(exports2, module2) {
    "use strict";
    var compare2 = require_compare();
-    var rcompare = (a, b, loose) => compare2(b, a, loose);
-    module2.exports = rcompare;
+    var rcompare3 = (a, b, loose) => compare2(b, a, loose);
+    module2.exports = rcompare3;
  }
 });

@@ -27716,7 +27716,7 @@ var require_semver2 = __commonJS({
    var SemVer = require_semver();
    var identifiers = require_identifiers();
    var parse2 = require_parse2();
-    var valid3 = require_valid();
+    var valid4 = require_valid();
    var clean3 = require_clean();
    var inc = require_inc();
    var diff = require_diff();
@@ -27725,7 +27725,7 @@ var require_semver2 = __commonJS({
    var patch = require_patch();
    var prerelease = require_prerelease();
    var compare2 = require_compare();
-    var rcompare = require_rcompare();
+    var rcompare3 = require_rcompare();
    var compareLoose = require_compare_loose();
    var compareBuild = require_compare_build();
    var sort = require_sort();
@@ -27754,7 +27754,7 @@ var require_semver2 = __commonJS({
    var subset = require_subset();
    module2.exports = {
      parse: parse2,
-      valid: valid3,
+      valid: valid4,
      clean: clean3,
      inc,
      diff,
@@ -27763,7 +27763,7 @@ var require_semver2 = __commonJS({
      patch,
      prerelease,
      compare: compare2,
-      rcompare,
+      rcompare: rcompare3,
      compareLoose,
      compareBuild,
      sort,
@@ -29553,16 +29553,16 @@ var require_attribute = __commonJS({
      var result = new ValidatorResult(instance, schema2, options, ctx);
      var self2 = this;
      schema2.allOf.forEach(function(v, i) {
-        var valid3 = self2.validateSchema(instance, v, options, ctx);
-        if (!valid3.valid) {
+        var valid4 = self2.validateSchema(instance, v, options, ctx);
+        if (!valid4.valid) {
          var id = v.$id || v.id;
          var msg = id || v.title && JSON.stringify(v.title) || v["$ref"] && "<" + v["$ref"] + ">" || "[subschema " + i + "]";
          result.addError({
            name: "allOf",
-            argument: { id: msg, length: valid3.errors.length, valid: valid3 },
-            message: "does not match allOf schema " + msg + " with " + valid3.errors.length + " error[s]:"
+            argument: { id: msg, length: valid4.errors.length, valid: valid4 },
+            message: "does not match allOf schema " + msg + " with " + valid4.errors.length + " error[s]:"
          });
-          result.importErrors(valid3);
+          result.importErrors(valid4);
        }
      });
      return result;
@@ -29851,8 +29851,8 @@ var require_attribute = __commonJS({
      if (typeof schema2.exclusiveMinimum === "boolean") return;
      if (!this.types.number(instance)) return;
      var result = new ValidatorResult(instance, schema2, options, ctx);
-      var valid3 = instance > schema2.exclusiveMinimum;
-      if (!valid3) {
+      var valid4 = instance > schema2.exclusiveMinimum;
+      if (!valid4) {
        result.addError({
          name: "exclusiveMinimum",
          argument: schema2.exclusiveMinimum,
@@ -29865,8 +29865,8 @@ var require_attribute = __commonJS({
      if (typeof schema2.exclusiveMaximum === "boolean") return;
      if (!this.types.number(instance)) return;
      var result = new ValidatorResult(instance, schema2, options, ctx);
-      var valid3 = instance < schema2.exclusiveMaximum;
-      if (!valid3) {
+      var valid4 = instance < schema2.exclusiveMaximum;
+      if (!valid4) {
        result.addError({
          name: "exclusiveMaximum",
          argument: schema2.exclusiveMaximum,
@@ -32649,8 +32649,8 @@ var require_semver3 = __commonJS({
        return null;
      }
    }
-    exports2.valid = valid3;
-    function valid3(version, options) {
+    exports2.valid = valid4;
+    function valid4(version, options) {
      var v = parse2(version, options);
      return v ? v.version : null;
    }
@@ -32950,8 +32950,8 @@ var require_semver3 = __commonJS({
      var versionB = new SemVer(b, loose);
      return versionA.compare(versionB) || versionA.compareBuild(versionB);
    }
-    exports2.rcompare = rcompare;
-    function rcompare(a, b, loose) {
+    exports2.rcompare = rcompare3;
+    function rcompare3(a, b, loose) {
      return compare2(b, a, loose);
    }
    exports2.sort = sort;
@@ -33779,7 +33779,7 @@ var require_cacheUtils = __commonJS({
    var crypto2 = __importStar2(require("crypto"));
    var fs3 = __importStar2(require("fs"));
    var path4 = __importStar2(require("path"));
-    var semver9 = __importStar2(require_semver3());
+    var semver10 = __importStar2(require_semver3());
    var util = __importStar2(require("util"));
    var constants_1 = require_constants7();
    var versionSalt = "1.0";
@@ -33872,7 +33872,7 @@ var require_cacheUtils = __commonJS({
    function getCompressionMethod() {
      return __awaiter2(this, void 0, void 0, function* () {
        const versionOutput = yield getVersion("zstd", ["--quiet"]);
-        const version = semver9.clean(versionOutput);
+        const version = semver10.clean(versionOutput);
        core15.debug(`zstd version: ${version}`);
        if (versionOutput === "") {
          return constants_1.CompressionMethod.Gzip;
@@ -75278,7 +75278,7 @@ var require_cacheHttpClient = __commonJS({
    exports2.getCacheEntry = getCacheEntry;
    exports2.downloadCache = downloadCache;
    exports2.reserveCache = reserveCache;
-    exports2.saveCache = saveCache4;
+    exports2.saveCache = saveCache5;
    var core15 = __importStar2(require_core());
    var http_client_1 = require_lib();
    var auth_1 = require_auth();
@@ -75455,7 +75455,7 @@ Other caches with similar key:`);
        }));
      });
    }
-    function saveCache4(cacheId, archivePath, signedUploadURL, options) {
+    function saveCache5(cacheId, archivePath, signedUploadURL, options) {
      return __awaiter2(this, void 0, void 0, function* () {
        const uploadOptions = (0, options_1.getUploadOptions)(options);
        if (uploadOptions.useAzureSdk) {
@@ -80955,8 +80955,8 @@ var require_cache4 = __commonJS({
    Object.defineProperty(exports2, "__esModule", { value: true });
    exports2.FinalizeCacheError = exports2.ReserveCacheError = exports2.ValidationError = void 0;
    exports2.isFeatureAvailable = isFeatureAvailable;
-    exports2.restoreCache = restoreCache4;
-    exports2.saveCache = saveCache4;
+    exports2.restoreCache = restoreCache5;
+    exports2.saveCache = saveCache5;
    var core15 = __importStar2(require_core());
    var path4 = __importStar2(require("path"));
    var utils = __importStar2(require_cacheUtils());
@@ -81013,7 +81013,7 @@ var require_cache4 = __commonJS({
          return !!process.env["ACTIONS_CACHE_URL"];
      }
    }
-    function restoreCache4(paths_1, primaryKey_1, restoreKeys_1, options_1) {
+    function restoreCache5(paths_1, primaryKey_1, restoreKeys_1, options_1) {
      return __awaiter2(this, arguments, void 0, function* (paths, primaryKey, restoreKeys, options, enableCrossOsArchive = false) {
        const cacheServiceVersion = (0, config_1.getCacheServiceVersion)();
        core15.debug(`Cache service version: ${cacheServiceVersion}`);
@@ -81157,7 +81157,7 @@ var require_cache4 = __commonJS({
        return void 0;
      });
    }
-    function saveCache4(paths_1, key_1, options_1) {
+    function saveCache5(paths_1, key_1, options_1) {
      return __awaiter2(this, arguments, void 0, function* (paths, key, options, enableCrossOsArchive = false) {
        const cacheServiceVersion = (0, config_1.getCacheServiceVersion)();
        core15.debug(`Cache service version: ${cacheServiceVersion}`);
@@ -88437,7 +88437,7 @@ var require_stream_writable = __commonJS({
      pna.nextTick(cb, er);
    }
    function validChunk(stream, state, chunk, cb) {
-      var valid3 = true;
+      var valid4 = true;
      var er = false;
      if (chunk === null) {
        er = new TypeError("May not write null values to stream");
@@ -88447,9 +88447,9 @@ var require_stream_writable = __commonJS({
      if (er) {
        stream.emit("error", er);
        pna.nextTick(cb, er);
-        valid3 = false;
+        valid4 = false;
      }
-      return valid3;
+      return valid4;
    }
    Writable.prototype.write = function(chunk, encoding, cb) {
      var state = this._writableState;
@@ -122745,7 +122745,7 @@ var require_manifest = __commonJS({
    exports2._findMatch = _findMatch;
    exports2._getOsVersion = _getOsVersion;
    exports2._readLinuxVersionFile = _readLinuxVersionFile;
-    var semver9 = __importStar2(require_semver2());
+    var semver10 = __importStar2(require_semver2());
    var core_1 = require_core();
    var os2 = require("os");
    var cp = require("child_process");
@@ -122759,7 +122759,7 @@ var require_manifest = __commonJS({
        for (const candidate of candidates) {
          const version = candidate.version;
          (0, core_1.debug)(`check ${version} satisfies ${versionSpec}`);
-          if (semver9.satisfies(version, versionSpec) && (!stable || candidate.stable === stable)) {
+          if (semver10.satisfies(version, versionSpec) && (!stable || candidate.stable === stable)) {
            file = candidate.files.find((item) => {
              (0, core_1.debug)(`${item.arch}===${archFilter} && ${item.platform}===${platFilter}`);
              let chk = item.arch === archFilter && item.platform === platFilter;
@@ -122768,7 +122768,7 @@ var require_manifest = __commonJS({
                if (osVersion === item.platform_version) {
                  chk = true;
                } else {
-                  chk = semver9.satisfies(osVersion, item.platform_version);
+                  chk = semver10.satisfies(osVersion, item.platform_version);
                }
              }
              return chk;
@@ -123028,7 +123028,7 @@ var require_tool_cache = __commonJS({
    var os2 = __importStar2(require("os"));
    var path4 = __importStar2(require("path"));
    var httpm = __importStar2(require_lib());
-    var semver9 = __importStar2(require_semver2());
+    var semver10 = __importStar2(require_semver2());
    var stream = __importStar2(require("stream"));
    var util = __importStar2(require("util"));
    var assert_1 = require("assert");
@@ -123301,7 +123301,7 @@ var require_tool_cache = __commonJS({
    }
    function cacheDir(sourceDir, tool, version, arch) {
      return __awaiter2(this, void 0, void 0, function* () {
-        version = semver9.clean(version) || version;
+        version = semver10.clean(version) || version;
        arch = arch || os2.arch();
        core15.debug(`Caching tool ${tool} ${version} ${arch}`);
        core15.debug(`source dir: ${sourceDir}`);
@@ -123319,7 +123319,7 @@ var require_tool_cache = __commonJS({
    }
    function cacheFile(sourceFile, targetFile, tool, version, arch) {
      return __awaiter2(this, void 0, void 0, function* () {
-        version = semver9.clean(version) || version;
+        version = semver10.clean(version) || version;
        arch = arch || os2.arch();
        core15.debug(`Caching tool ${tool} ${version} ${arch}`);
        core15.debug(`source file: ${sourceFile}`);
@@ -123349,7 +123349,7 @@ var require_tool_cache = __commonJS({
      }
      let toolPath = "";
      if (versionSpec) {
-        versionSpec = semver9.clean(versionSpec) || "";
+        versionSpec = semver10.clean(versionSpec) || "";
        const cachePath = path4.join(_getCacheDirectory(), toolName, versionSpec, arch);
        core15.debug(`checking cache: ${cachePath}`);
        if (fs3.existsSync(cachePath) && fs3.existsSync(`${cachePath}.complete`)) {
@@ -123429,7 +123429,7 @@ var require_tool_cache = __commonJS({
    }
    function _createToolPath(tool, version, arch) {
      return __awaiter2(this, void 0, void 0, function* () {
-        const folderPath = path4.join(_getCacheDirectory(), tool, semver9.clean(version) || version, arch || "");
+        const folderPath = path4.join(_getCacheDirectory(), tool, semver10.clean(version) || version, arch || "");
        core15.debug(`destination ${folderPath}`);
        const markerPath = `${folderPath}.complete`;
        yield io6.rmRF(folderPath);
@@ -123439,30 +123439,30 @@ var require_tool_cache = __commonJS({
      });
    }
    function _completeToolPath(tool, version, arch) {
-      const folderPath = path4.join(_getCacheDirectory(), tool, semver9.clean(version) || version, arch || "");
+      const folderPath = path4.join(_getCacheDirectory(), tool, semver10.clean(version) || version, arch || "");
      const markerPath = `${folderPath}.complete`;
      fs3.writeFileSync(markerPath, "");
      core15.debug("finished caching tool");
    }
    function isExplicitVersion(versionSpec) {
-      const c = semver9.clean(versionSpec) || "";
+      const c = semver10.clean(versionSpec) || "";
      core15.debug(`isExplicit: ${c}`);
-      const valid3 = semver9.valid(c) != null;
-      core15.debug(`explicit? ${valid3}`);
-      return valid3;
+      const valid4 = semver10.valid(c) != null;
+      core15.debug(`explicit? ${valid4}`);
+      return valid4;
    }
    function evaluateVersions(versions, versionSpec) {
      let version = "";
      core15.debug(`evaluating ${versions.length} versions`);
      versions = versions.sort((a, b) => {
-        if (semver9.gt(a, b)) {
+        if (semver10.gt(a, b)) {
          return 1;
        }
        return -1;
      });
      for (let i = versions.length - 1; i >= 0; i--) {
        const potential = versions[i];
-        const satisfied = semver9.satisfies(potential, versionSpec);
+        const satisfied = semver10.satisfies(potential, versionSpec);
        if (satisfied) {
          version = potential;
          break;
@@ -126824,7 +126824,7 @@ function getTemporaryDirectory() {
  return value !== void 0 && value !== "" ? value : getRequiredEnvParam("RUNNER_TEMP");
 }
 function getActionVersion() {
-  return "4.35.4";
+  return "4.35.5";
 }
 var persistedInputsKey = "persisted_inputs";
 var restoreInputs = function() {
@@ -127203,6 +127203,16 @@ var featureConfig = {
    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_DISABLE_TRAP_CACHING",
    minimumVersion: void 0
  },
+  ["overlay_analysis_match_codeql_version" /* OverlayAnalysisMatchCodeqlVersion */]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_MATCH_CODEQL_VERSION",
+    minimumVersion: void 0
+  },
+  ["overlay_analysis_match_codeql_version_dry_run" /* OverlayAnalysisMatchCodeqlVersionDryRun */]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_MATCH_CODEQL_VERSION_DRY_RUN",
+    minimumVersion: void 0
+  },
  ["overlay_analysis_resource_checks_v2" /* OverlayAnalysisResourceChecksV2 */]: {
    defaultValue: false,
    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_RESOURCE_CHECKS_V2",
@@ -127505,24 +127515,30 @@ var cliErrorsConfig = {
 // src/setup-codeql.ts
 var toolcache3 = __toESM(require_tool_cache());
 var import_fast_deep_equal = __toESM(require_fast_deep_equal());
-var semver8 = __toESM(require_semver2());
+var semver9 = __toESM(require_semver2());
+
+// src/overlay/caching.ts
+var actionsCache3 = __toESM(require_cache4());
+var semver6 = __toESM(require_semver2());
+var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB = 7500;
+var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_BYTES = OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB * 1e6;

 // src/tar.ts
 var import_toolrunner = __toESM(require_toolrunner());
 var io4 = __toESM(require_io());
 var toolcache = __toESM(require_tool_cache());
-var semver6 = __toESM(require_semver2());
+var semver7 = __toESM(require_semver2());

 // src/tools-download.ts
 var core10 = __toESM(require_core());
 var import_http_client = __toESM(require_lib());
 var toolcache2 = __toESM(require_tool_cache());
 var import_follow_redirects = __toESM(require_follow_redirects());
-var semver7 = __toESM(require_semver2());
+var semver8 = __toESM(require_semver2());
 var STREAMING_HIGH_WATERMARK_BYTES = 4 * 1024 * 1024;

 // src/dependency-caching.ts
-var actionsCache3 = __toESM(require_cache4());
+var actionsCache4 = __toESM(require_cache4());
 var glob = __toESM(require_glob());

 // src/artifact-scanner.ts
@@ -127590,6 +127606,9 @@ async function scanArchiveFile(archivePath, relativeArchivePath, extractDir, log
      `Maximum archive extraction depth (${MAX_DEPTH}) reached for ${archivePath}`
    );
  }
+  if (process.platform === "win32") {
+    throw new Error("Scanning archives is not supported on Windows.");
+  }
  const result = {
    scannedFiles: 0,
    findings: []
@@ -26499,8 +26499,8 @@ var require_rcompare = __commonJS({
  "node_modules/semver/functions/rcompare.js"(exports2, module2) {
    "use strict";
    var compare = require_compare();
-    var rcompare = (a, b, loose) => compare(b, a, loose);
-    module2.exports = rcompare;
+    var rcompare2 = (a, b, loose) => compare(b, a, loose);
+    module2.exports = rcompare2;
  }
 });

@@ -27725,7 +27725,7 @@ var require_semver2 = __commonJS({
    var patch = require_patch();
    var prerelease = require_prerelease();
    var compare = require_compare();
-    var rcompare = require_rcompare();
+    var rcompare2 = require_rcompare();
    var compareLoose = require_compare_loose();
    var compareBuild = require_compare_build();
    var sort = require_sort();
@@ -27763,7 +27763,7 @@ var require_semver2 = __commonJS({
      patch,
      prerelease,
      compare,
-      rcompare,
+      rcompare: rcompare2,
      compareLoose,
      compareBuild,
      sort,
@@ -33772,8 +33772,8 @@ var require_semver3 = __commonJS({
      var versionB = new SemVer(b, loose);
      return versionA.compare(versionB) || versionA.compareBuild(versionB);
    }
-    exports2.rcompare = rcompare;
-    function rcompare(a, b, loose) {
+    exports2.rcompare = rcompare2;
+    function rcompare2(a, b, loose) {
      return compare(b, a, loose);
    }
    exports2.sort = sort;
@@ -102813,7 +102813,7 @@ function getTemporaryDirectory() {
  return value !== void 0 && value !== "" ? value : getRequiredEnvParam("RUNNER_TEMP");
 }
 function getActionVersion() {
-  return "4.35.4";
+  return "4.35.5";
 }
 function getWorkflowEventName() {
  return getRequiredEnvParam("GITHUB_EVENT_NAME");
@@ -103177,6 +103177,10 @@ var semver3 = __toESM(require_semver2());
 // src/feature-flags.ts
 var DEFAULT_VERSION_FEATURE_FLAG_PREFIX = "default_codeql_version_";
 var DEFAULT_VERSION_FEATURE_FLAG_SUFFIX = "_enabled";
+var LINKED_CODEQL_VERSION = {
+  cliVersion,
+  tagName: bundleVersion
+};
 var featureConfig = {
  ["allow_toolcache_input" /* AllowToolcacheInput */]: {
    defaultValue: false,
@@ -103331,6 +103335,16 @@ var featureConfig = {
    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_DISABLE_TRAP_CACHING",
    minimumVersion: void 0
  },
+  ["overlay_analysis_match_codeql_version" /* OverlayAnalysisMatchCodeqlVersion */]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_MATCH_CODEQL_VERSION",
+    minimumVersion: void 0
+  },
+  ["overlay_analysis_match_codeql_version_dry_run" /* OverlayAnalysisMatchCodeqlVersionDryRun */]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_MATCH_CODEQL_VERSION_DRY_RUN",
+    minimumVersion: void 0
+  },
  ["overlay_analysis_resource_checks_v2" /* OverlayAnalysisResourceChecksV2 */]: {
    defaultValue: false,
    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_RESOURCE_CHECKS_V2",
@@ -103391,10 +103405,9 @@ var OfflineFeatures = class {
    this.logger = logger;
  }
  logger;
-  async getDefaultCliVersion(_variant) {
+  async getEnabledDefaultCliVersions(_variant) {
    return {
-      cliVersion,
-      tagName: bundleVersion
+      enabledVersions: [LINKED_CODEQL_VERSION]
    };
  }
  /**
@@ -103499,11 +103512,11 @@ var Features = class extends OfflineFeatures {
      logger
    );
  }
-  async getDefaultCliVersion(variant) {
+  async getEnabledDefaultCliVersions(variant) {
    if (supportsFeatureFlags(variant)) {
-      return await this.gitHubFeatureFlags.getDefaultCliVersionFromFlags();
+      return await this.gitHubFeatureFlags.getEnabledDefaultCliVersionsFromFlags();
    }
-    return super.getDefaultCliVersion(variant);
+    return super.getEnabledDefaultCliVersions(variant);
  }
  /**
   *
@@ -103562,34 +103575,36 @@ var GitHubFeatureFlags = class {
    }
    return version;
  }
-  async getDefaultCliVersionFromFlags() {
+  /**
+   * Returns CLI versions enabled by `default_codeql_version_*_enabled` feature
+   * flags, sorted from highest to lowest. Falls back to the version pinned in
+   * `defaults.json` if no such flags are enabled.
+   */
+  async getEnabledDefaultCliVersionsFromFlags() {
    const response = await this.getAllFeatures();
-    const enabledFeatureFlagCliVersions = Object.entries(response).map(
+    const sortedCliVersions = Object.entries(response).map(
      ([f, isEnabled]) => isEnabled ? this.getCliVersionFromFeatureFlag(f) : void 0
-    ).filter((f) => f !== void 0);
-    if (enabledFeatureFlagCliVersions.length === 0) {
+    ).filter((f) => f !== void 0).sort(semver4.rcompare);
+    if (sortedCliVersions.length === 0) {
      this.logger.warning(
        `Feature flags do not specify a default CLI version. Falling back to the CLI version shipped with the Action. This is ${cliVersion}.`
      );
      const result = {
-        cliVersion,
-        tagName: bundleVersion
+        enabledVersions: [LINKED_CODEQL_VERSION]
      };
      if (this.hasAccessedRemoteFeatureFlags) {
        result.toolsFeatureFlagsValid = false;
      }
      return result;
    }
-    const maxCliVersion = enabledFeatureFlagCliVersions.reduce(
-      (maxVersion, currentVersion) => currentVersion > maxVersion ? currentVersion : maxVersion,
-      enabledFeatureFlagCliVersions[0]
-    );
    this.logger.debug(
-      `Derived default CLI version of ${maxCliVersion} from feature flags.`
+      `Derived default CLI version of ${sortedCliVersions[0]} from feature flags.`
    );
    return {
-      cliVersion: maxCliVersion,
-      tagName: `codeql-bundle-v${maxCliVersion}`,
+      enabledVersions: sortedCliVersions.map((cliVersion2) => ({
+        cliVersion: cliVersion2,
+        tagName: `codeql-bundle-v${cliVersion2}`
+      })),
      toolsFeatureFlagsValid: true
    };
  }
@@ -104469,7 +104484,7 @@ async function getReleaseByVersion(version) {
 }
 async function getCliVersionFromFeatures(features) {
  const gitHubVersion = await getGitHubVersion();
-  return await features.getDefaultCliVersion(gitHubVersion.type);
+  return await features.getEnabledDefaultCliVersions(gitHubVersion.type);
 }
 async function getDownloadUrl(logger, features) {
  const proxyPackage = getProxyPackage();
@@ -104477,7 +104492,7 @@ async function getDownloadUrl(logger, features) {
    const useFeaturesToDetermineCLI = await features.getValue(
      "start_proxy_use_features_release" /* StartProxyUseFeaturesRelease */
    );
-    const versionInfo = useFeaturesToDetermineCLI ? await getCliVersionFromFeatures(features) : {
+    const versionInfo = useFeaturesToDetermineCLI ? (await getCliVersionFromFeatures(features)).enabledVersions[0] : {
      cliVersion,
      tagName: bundleVersion
    };
@@ -203,7 +203,7 @@ var require_file_command = __commonJS({
    Object.defineProperty(exports2, "__esModule", { value: true });
    exports2.issueFileCommand = issueFileCommand;
    exports2.prepareKeyValueMessage = prepareKeyValueMessage;
-    var crypto2 = __importStar2(require("crypto"));
+    var crypto3 = __importStar2(require("crypto"));
    var fs14 = __importStar2(require("fs"));
    var os2 = __importStar2(require("os"));
    var utils_1 = require_utils();
@@ -220,7 +220,7 @@ var require_file_command = __commonJS({
      });
    }
    function prepareKeyValueMessage(key, value) {
-      const delimiter = `ghadelimiter_${crypto2.randomUUID()}`;
+      const delimiter = `ghadelimiter_${crypto3.randomUUID()}`;
      const convertedValue = (0, utils_1.toCommandValue)(value);
      if (key.includes(delimiter)) {
        throw new Error(`Unexpected input: name should not contain the delimiter "${delimiter}"`);
@@ -4287,11 +4287,11 @@ var require_util2 = __commonJS({
    var { isUint8Array } = require("node:util/types");
    var { webidl } = require_webidl();
    var supportedHashes = [];
-    var crypto2;
+    var crypto3;
    try {
-      crypto2 = require("node:crypto");
+      crypto3 = require("node:crypto");
      const possibleRelevantHashes = ["sha256", "sha384", "sha512"];
-      supportedHashes = crypto2.getHashes().filter((hash2) => possibleRelevantHashes.includes(hash2));
+      supportedHashes = crypto3.getHashes().filter((hash2) => possibleRelevantHashes.includes(hash2));
    } catch {
    }
    function responseURL(response) {
@@ -4564,7 +4564,7 @@ var require_util2 = __commonJS({
      }
    }
    function bytesMatch(bytes, metadataList) {
-      if (crypto2 === void 0) {
+      if (crypto3 === void 0) {
        return true;
      }
      const parsedMetadata = parseMetadata(metadataList);
@@ -4579,7 +4579,7 @@ var require_util2 = __commonJS({
      for (const item of metadata) {
        const algorithm = item.algo;
        const expectedValue = item.hash;
-        let actualValue = crypto2.createHash(algorithm).update(bytes).digest("base64");
+        let actualValue = crypto3.createHash(algorithm).update(bytes).digest("base64");
        if (actualValue[actualValue.length - 1] === "=") {
          if (actualValue[actualValue.length - 2] === "=") {
            actualValue = actualValue.slice(0, -2);
@@ -5643,8 +5643,8 @@ var require_body = __commonJS({
    var { multipartFormDataParser } = require_formdata_parser();
    var random;
    try {
-      const crypto2 = require("node:crypto");
-      random = (max) => crypto2.randomInt(0, max);
+      const crypto3 = require("node:crypto");
+      random = (max) => crypto3.randomInt(0, max);
    } catch {
      random = (max) => Math.floor(Math.random(max));
    }
@@ -17052,13 +17052,13 @@ var require_frame = __commonJS({
    "use strict";
    var { maxUnsigned16Bit } = require_constants5();
    var BUFFER_SIZE = 16386;
-    var crypto2;
+    var crypto3;
    var buffer = null;
    var bufIdx = BUFFER_SIZE;
    try {
-      crypto2 = require("node:crypto");
+      crypto3 = require("node:crypto");
    } catch {
-      crypto2 = {
+      crypto3 = {
        // not full compatibility, but minimum.
        randomFillSync: function randomFillSync(buffer2, _offset, _size) {
          for (let i = 0; i < buffer2.length; ++i) {
@@ -17071,7 +17071,7 @@ var require_frame = __commonJS({
    function generateMask() {
      if (bufIdx === BUFFER_SIZE) {
        bufIdx = 0;
-        crypto2.randomFillSync(buffer ??= Buffer.allocUnsafe(BUFFER_SIZE), 0, BUFFER_SIZE);
+        crypto3.randomFillSync(buffer ??= Buffer.allocUnsafe(BUFFER_SIZE), 0, BUFFER_SIZE);
      }
      return [buffer[bufIdx++], buffer[bufIdx++], buffer[bufIdx++], buffer[bufIdx++]];
    }
@@ -17143,9 +17143,9 @@ var require_connection = __commonJS({
    var { Headers, getHeadersList } = require_headers();
    var { getDecodeSplit } = require_util2();
    var { WebsocketFrameSend } = require_frame();
-    var crypto2;
+    var crypto3;
    try {
-      crypto2 = require("node:crypto");
+      crypto3 = require("node:crypto");
    } catch {
    }
    function establishWebSocketConnection(url2, protocols, client, ws, onEstablish, options) {
@@ -17165,7 +17165,7 @@ var require_connection = __commonJS({
        const headersList = getHeadersList(new Headers(options.headers));
        request2.headersList = headersList;
      }
-      const keyValue = crypto2.randomBytes(16).toString("base64");
+      const keyValue = crypto3.randomBytes(16).toString("base64");
      request2.headersList.append("sec-websocket-key", keyValue);
      request2.headersList.append("sec-websocket-version", "13");
      for (const protocol of protocols) {
@@ -17195,7 +17195,7 @@ var require_connection = __commonJS({
            return;
          }
          const secWSAccept = response.headersList.get("Sec-WebSocket-Accept");
-          const digest = crypto2.createHash("sha1").update(keyValue + uid).digest("base64");
+          const digest = crypto3.createHash("sha1").update(keyValue + uid).digest("base64");
          if (secWSAccept !== digest) {
            failWebsocketConnection(ws, "Incorrect hash received in Sec-WebSocket-Accept header.");
            return;
@@ -21993,16 +21993,16 @@ var require_attribute = __commonJS({
      var result = new ValidatorResult(instance, schema2, options, ctx);
      var self2 = this;
      schema2.allOf.forEach(function(v, i) {
-        var valid3 = self2.validateSchema(instance, v, options, ctx);
-        if (!valid3.valid) {
+        var valid4 = self2.validateSchema(instance, v, options, ctx);
+        if (!valid4.valid) {
          var id = v.$id || v.id;
          var msg = id || v.title && JSON.stringify(v.title) || v["$ref"] && "<" + v["$ref"] + ">" || "[subschema " + i + "]";
          result.addError({
            name: "allOf",
-            argument: { id: msg, length: valid3.errors.length, valid: valid3 },
-            message: "does not match allOf schema " + msg + " with " + valid3.errors.length + " error[s]:"
+            argument: { id: msg, length: valid4.errors.length, valid: valid4 },
+            message: "does not match allOf schema " + msg + " with " + valid4.errors.length + " error[s]:"
          });
-          result.importErrors(valid3);
+          result.importErrors(valid4);
        }
      });
      return result;
@@ -22291,8 +22291,8 @@ var require_attribute = __commonJS({
      if (typeof schema2.exclusiveMinimum === "boolean") return;
      if (!this.types.number(instance)) return;
      var result = new ValidatorResult(instance, schema2, options, ctx);
-      var valid3 = instance > schema2.exclusiveMinimum;
-      if (!valid3) {
+      var valid4 = instance > schema2.exclusiveMinimum;
+      if (!valid4) {
        result.addError({
          name: "exclusiveMinimum",
          argument: schema2.exclusiveMinimum,
@@ -22305,8 +22305,8 @@ var require_attribute = __commonJS({
      if (typeof schema2.exclusiveMaximum === "boolean") return;
      if (!this.types.number(instance)) return;
      var result = new ValidatorResult(instance, schema2, options, ctx);
-      var valid3 = instance < schema2.exclusiveMaximum;
-      if (!valid3) {
+      var valid4 = instance < schema2.exclusiveMaximum;
+      if (!valid4) {
        result.addError({
          name: "exclusiveMaximum",
          argument: schema2.exclusiveMaximum,
@@ -27657,11 +27657,11 @@ var require_valid = __commonJS({
  "node_modules/semver/functions/valid.js"(exports2, module2) {
    "use strict";
    var parse2 = require_parse2();
-    var valid3 = (version, options) => {
+    var valid4 = (version, options) => {
      const v = parse2(version, options);
      return v ? v.version : null;
    };
-    module2.exports = valid3;
+    module2.exports = valid4;
  }
 });

@@ -27804,8 +27804,8 @@ var require_rcompare = __commonJS({
  "node_modules/semver/functions/rcompare.js"(exports2, module2) {
    "use strict";
    var compare3 = require_compare();
-    var rcompare = (a, b, loose) => compare3(b, a, loose);
-    module2.exports = rcompare;
+    var rcompare3 = (a, b, loose) => compare3(b, a, loose);
+    module2.exports = rcompare3;
  }
 });

@@ -29021,7 +29021,7 @@ var require_semver2 = __commonJS({
    var SemVer = require_semver();
    var identifiers = require_identifiers();
    var parse2 = require_parse2();
-    var valid3 = require_valid();
+    var valid4 = require_valid();
    var clean3 = require_clean();
    var inc = require_inc();
    var diff = require_diff();
@@ -29030,7 +29030,7 @@ var require_semver2 = __commonJS({
    var patch = require_patch();
    var prerelease = require_prerelease();
    var compare3 = require_compare();
-    var rcompare = require_rcompare();
+    var rcompare3 = require_rcompare();
    var compareLoose = require_compare_loose();
    var compareBuild = require_compare_build();
    var sort = require_sort();
@@ -29059,7 +29059,7 @@ var require_semver2 = __commonJS({
    var subset = require_subset();
    module2.exports = {
      parse: parse2,
-      valid: valid3,
+      valid: valid4,
      clean: clean3,
      inc,
      diff,
@@ -29068,7 +29068,7 @@ var require_semver2 = __commonJS({
      patch,
      prerelease,
      compare: compare3,
-      rcompare,
+      rcompare: rcompare3,
      compareLoose,
      compareBuild,
      sort,
@@ -32371,7 +32371,7 @@ var require_internal_hash_files = __commonJS({
    };
    Object.defineProperty(exports2, "__esModule", { value: true });
    exports2.hashFiles = hashFiles;
-    var crypto2 = __importStar2(require("crypto"));
+    var crypto3 = __importStar2(require("crypto"));
    var core14 = __importStar2(require_core());
    var fs14 = __importStar2(require("fs"));
    var stream2 = __importStar2(require("stream"));
@@ -32384,7 +32384,7 @@ var require_internal_hash_files = __commonJS({
        const writeDelegate = verbose ? core14.info : core14.debug;
        let hasMatch = false;
        const githubWorkspace = currentWorkspace ? currentWorkspace : (_d = process.env["GITHUB_WORKSPACE"]) !== null && _d !== void 0 ? _d : process.cwd();
-        const result = crypto2.createHash("sha256");
+        const result = crypto3.createHash("sha256");
        let count = 0;
        try {
          for (var _e = true, _f = __asyncValues2(globber.globGenerator()), _g; _g = yield _f.next(), _a = _g.done, !_a; _e = true) {
@@ -32400,7 +32400,7 @@ var require_internal_hash_files = __commonJS({
              writeDelegate(`Skip directory '${file}'.`);
              continue;
            }
-            const hash2 = crypto2.createHash("sha256");
+            const hash2 = crypto3.createHash("sha256");
            const pipeline = util.promisify(stream2.pipeline);
            yield pipeline(fs14.createReadStream(file), hash2);
            result.write(hash2.digest());
@@ -32649,8 +32649,8 @@ var require_semver3 = __commonJS({
        return null;
      }
    }
-    exports2.valid = valid3;
-    function valid3(version, options) {
+    exports2.valid = valid4;
+    function valid4(version, options) {
      var v = parse2(version, options);
      return v ? v.version : null;
    }
@@ -32950,8 +32950,8 @@ var require_semver3 = __commonJS({
      var versionB = new SemVer(b, loose);
      return versionA.compare(versionB) || versionA.compareBuild(versionB);
    }
-    exports2.rcompare = rcompare;
-    function rcompare(a, b, loose) {
+    exports2.rcompare = rcompare3;
+    function rcompare3(a, b, loose) {
      return compare3(b, a, loose);
    }
    exports2.sort = sort;
@@ -33776,10 +33776,10 @@ var require_cacheUtils = __commonJS({
    var exec = __importStar2(require_exec());
    var glob = __importStar2(require_glob());
    var io6 = __importStar2(require_io());
-    var crypto2 = __importStar2(require("crypto"));
+    var crypto3 = __importStar2(require("crypto"));
    var fs14 = __importStar2(require("fs"));
    var path12 = __importStar2(require("path"));
-    var semver9 = __importStar2(require_semver3());
+    var semver10 = __importStar2(require_semver3());
    var util = __importStar2(require("util"));
    var constants_1 = require_constants7();
    var versionSalt = "1.0";
@@ -33800,7 +33800,7 @@ var require_cacheUtils = __commonJS({
          }
          tempDirectory = path12.join(baseLocation, "actions", "temp");
        }
-        const dest = path12.join(tempDirectory, crypto2.randomUUID());
+        const dest = path12.join(tempDirectory, crypto3.randomUUID());
        yield io6.mkdirP(dest);
        return dest;
      });
@@ -33872,7 +33872,7 @@ var require_cacheUtils = __commonJS({
    function getCompressionMethod() {
      return __awaiter2(this, void 0, void 0, function* () {
        const versionOutput = yield getVersion("zstd", ["--quiet"]);
-        const version = semver9.clean(versionOutput);
+        const version = semver10.clean(versionOutput);
        core14.debug(`zstd version: ${version}`);
        if (versionOutput === "") {
          return constants_1.CompressionMethod.Gzip;
@@ -33908,7 +33908,7 @@ var require_cacheUtils = __commonJS({
        components.push("windows-only");
      }
      components.push(versionSalt);
-      return crypto2.createHash("sha256").update(components.join("|")).digest("hex");
+      return crypto3.createHash("sha256").update(components.join("|")).digest("hex");
    }
    function getRuntimeToken() {
      const token = process.env["ACTIONS_RUNTIME_TOKEN"];
@@ -75278,7 +75278,7 @@ var require_cacheHttpClient = __commonJS({
    exports2.getCacheEntry = getCacheEntry;
    exports2.downloadCache = downloadCache;
    exports2.reserveCache = reserveCache;
-    exports2.saveCache = saveCache3;
+    exports2.saveCache = saveCache4;
    var core14 = __importStar2(require_core());
    var http_client_1 = require_lib();
    var auth_1 = require_auth();
@@ -75455,7 +75455,7 @@ Other caches with similar key:`);
        }));
      });
    }
-    function saveCache3(cacheId, archivePath, signedUploadURL, options) {
+    function saveCache4(cacheId, archivePath, signedUploadURL, options) {
      return __awaiter2(this, void 0, void 0, function* () {
        const uploadOptions = (0, options_1.getUploadOptions)(options);
        if (uploadOptions.useAzureSdk) {
@@ -80955,8 +80955,8 @@ var require_cache4 = __commonJS({
    Object.defineProperty(exports2, "__esModule", { value: true });
    exports2.FinalizeCacheError = exports2.ReserveCacheError = exports2.ValidationError = void 0;
    exports2.isFeatureAvailable = isFeatureAvailable;
-    exports2.restoreCache = restoreCache3;
-    exports2.saveCache = saveCache3;
+    exports2.restoreCache = restoreCache4;
+    exports2.saveCache = saveCache4;
    var core14 = __importStar2(require_core());
    var path12 = __importStar2(require("path"));
    var utils = __importStar2(require_cacheUtils());
@@ -81013,7 +81013,7 @@ var require_cache4 = __commonJS({
          return !!process.env["ACTIONS_CACHE_URL"];
      }
    }
-    function restoreCache3(paths_1, primaryKey_1, restoreKeys_1, options_1) {
+    function restoreCache4(paths_1, primaryKey_1, restoreKeys_1, options_1) {
      return __awaiter2(this, arguments, void 0, function* (paths, primaryKey, restoreKeys, options, enableCrossOsArchive = false) {
        const cacheServiceVersion = (0, config_1.getCacheServiceVersion)();
        core14.debug(`Cache service version: ${cacheServiceVersion}`);
@@ -81157,7 +81157,7 @@ var require_cache4 = __commonJS({
        return void 0;
      });
    }
-    function saveCache3(paths_1, key_1, options_1) {
+    function saveCache4(paths_1, key_1, options_1) {
      return __awaiter2(this, arguments, void 0, function* (paths, key, options, enableCrossOsArchive = false) {
        const cacheServiceVersion = (0, config_1.getCacheServiceVersion)();
        core14.debug(`Cache service version: ${cacheServiceVersion}`);
@@ -81394,7 +81394,7 @@ var require_manifest = __commonJS({
    exports2._findMatch = _findMatch;
    exports2._getOsVersion = _getOsVersion;
    exports2._readLinuxVersionFile = _readLinuxVersionFile;
-    var semver9 = __importStar2(require_semver2());
+    var semver10 = __importStar2(require_semver2());
    var core_1 = require_core();
    var os2 = require("os");
    var cp = require("child_process");
@@ -81408,7 +81408,7 @@ var require_manifest = __commonJS({
        for (const candidate of candidates) {
          const version = candidate.version;
          (0, core_1.debug)(`check ${version} satisfies ${versionSpec}`);
-          if (semver9.satisfies(version, versionSpec) && (!stable || candidate.stable === stable)) {
+          if (semver10.satisfies(version, versionSpec) && (!stable || candidate.stable === stable)) {
            file = candidate.files.find((item) => {
              (0, core_1.debug)(`${item.arch}===${archFilter} && ${item.platform}===${platFilter}`);
              let chk = item.arch === archFilter && item.platform === platFilter;
@@ -81417,7 +81417,7 @@ var require_manifest = __commonJS({
                if (osVersion === item.platform_version) {
                  chk = true;
                } else {
-                  chk = semver9.satisfies(osVersion, item.platform_version);
+                  chk = semver10.satisfies(osVersion, item.platform_version);
                }
              }
              return chk;
@@ -81671,13 +81671,13 @@ var require_tool_cache = __commonJS({
    exports2.evaluateVersions = evaluateVersions;
    var core14 = __importStar2(require_core());
    var io6 = __importStar2(require_io());
-    var crypto2 = __importStar2(require("crypto"));
+    var crypto3 = __importStar2(require("crypto"));
    var fs14 = __importStar2(require("fs"));
    var mm = __importStar2(require_manifest());
    var os2 = __importStar2(require("os"));
    var path12 = __importStar2(require("path"));
    var httpm = __importStar2(require_lib());
-    var semver9 = __importStar2(require_semver2());
+    var semver10 = __importStar2(require_semver2());
    var stream2 = __importStar2(require("stream"));
    var util = __importStar2(require("util"));
    var assert_1 = require("assert");
@@ -81696,7 +81696,7 @@ var require_tool_cache = __commonJS({
    var userAgent2 = "actions/tool-cache";
    function downloadTool2(url2, dest, auth2, headers) {
      return __awaiter2(this, void 0, void 0, function* () {
-        dest = dest || path12.join(_getTempDirectory(), crypto2.randomUUID());
+        dest = dest || path12.join(_getTempDirectory(), crypto3.randomUUID());
        yield io6.mkdirP(path12.dirname(dest));
        core14.debug(`Downloading ${url2}`);
        core14.debug(`Destination ${dest}`);
@@ -81950,7 +81950,7 @@ var require_tool_cache = __commonJS({
    }
    function cacheDir(sourceDir, tool, version, arch2) {
      return __awaiter2(this, void 0, void 0, function* () {
-        version = semver9.clean(version) || version;
+        version = semver10.clean(version) || version;
        arch2 = arch2 || os2.arch();
        core14.debug(`Caching tool ${tool} ${version} ${arch2}`);
        core14.debug(`source dir: ${sourceDir}`);
@@ -81968,7 +81968,7 @@ var require_tool_cache = __commonJS({
    }
    function cacheFile(sourceFile, targetFile, tool, version, arch2) {
      return __awaiter2(this, void 0, void 0, function* () {
-        version = semver9.clean(version) || version;
+        version = semver10.clean(version) || version;
        arch2 = arch2 || os2.arch();
        core14.debug(`Caching tool ${tool} ${version} ${arch2}`);
        core14.debug(`source file: ${sourceFile}`);
@@ -81998,7 +81998,7 @@ var require_tool_cache = __commonJS({
      }
      let toolPath = "";
      if (versionSpec) {
-        versionSpec = semver9.clean(versionSpec) || "";
+        versionSpec = semver10.clean(versionSpec) || "";
        const cachePath = path12.join(_getCacheDirectory(), toolName, versionSpec, arch2);
        core14.debug(`checking cache: ${cachePath}`);
        if (fs14.existsSync(cachePath) && fs14.existsSync(`${cachePath}.complete`)) {
@@ -82070,7 +82070,7 @@ var require_tool_cache = __commonJS({
    function _createExtractFolder(dest) {
      return __awaiter2(this, void 0, void 0, function* () {
        if (!dest) {
-          dest = path12.join(_getTempDirectory(), crypto2.randomUUID());
+          dest = path12.join(_getTempDirectory(), crypto3.randomUUID());
        }
        yield io6.mkdirP(dest);
        return dest;
@@ -82078,7 +82078,7 @@ var require_tool_cache = __commonJS({
    }
    function _createToolPath(tool, version, arch2) {
      return __awaiter2(this, void 0, void 0, function* () {
-        const folderPath = path12.join(_getCacheDirectory(), tool, semver9.clean(version) || version, arch2 || "");
+        const folderPath = path12.join(_getCacheDirectory(), tool, semver10.clean(version) || version, arch2 || "");
        core14.debug(`destination ${folderPath}`);
        const markerPath = `${folderPath}.complete`;
        yield io6.rmRF(folderPath);
@@ -82088,30 +82088,30 @@ var require_tool_cache = __commonJS({
      });
    }
    function _completeToolPath(tool, version, arch2) {
-      const folderPath = path12.join(_getCacheDirectory(), tool, semver9.clean(version) || version, arch2 || "");
+      const folderPath = path12.join(_getCacheDirectory(), tool, semver10.clean(version) || version, arch2 || "");
      const markerPath = `${folderPath}.complete`;
      fs14.writeFileSync(markerPath, "");
      core14.debug("finished caching tool");
    }
    function isExplicitVersion(versionSpec) {
-      const c = semver9.clean(versionSpec) || "";
+      const c = semver10.clean(versionSpec) || "";
      core14.debug(`isExplicit: ${c}`);
-      const valid3 = semver9.valid(c) != null;
-      core14.debug(`explicit? ${valid3}`);
-      return valid3;
+      const valid4 = semver10.valid(c) != null;
+      core14.debug(`explicit? ${valid4}`);
+      return valid4;
    }
    function evaluateVersions(versions, versionSpec) {
      let version = "";
      core14.debug(`evaluating ${versions.length} versions`);
      versions = versions.sort((a, b) => {
-        if (semver9.gt(a, b)) {
+        if (semver10.gt(a, b)) {
          return 1;
        }
        return -1;
      });
      for (let i = versions.length - 1; i >= 0; i--) {
        const potential = versions[i];
-        const satisfied = semver9.satisfies(potential, versionSpec);
+        const satisfied = semver10.satisfies(potential, versionSpec);
        if (satisfied) {
          version = potential;
          break;
@@ -88509,7 +88509,7 @@ function getDiffRangesJsonFilePath() {
  return path2.join(getTemporaryDirectory(), PR_DIFF_RANGE_JSON_FILENAME);
 }
 function getActionVersion() {
-  return "4.35.4";
+  return "4.35.5";
 }
 function getWorkflowEventName() {
  return getRequiredEnvParam("GITHUB_EVENT_NAME");
@@ -88630,6 +88630,32 @@ async function runTool(cmd, args = [], opts = {}) {
  }
  return stdout;
 }
+function getPullRequestBranches() {
+  const pullRequest = github.context.payload.pull_request;
+  if (pullRequest) {
+    return {
+      base: pullRequest.base.ref,
+      // We use the head label instead of the head ref here, because the head
+      // ref lacks owner information and by itself does not uniquely identify
+      // the head branch (which may be in a forked repository).
+      head: pullRequest.head.label
+    };
+  }
+  const codeScanningRef = process.env.CODE_SCANNING_REF;
+  const codeScanningBaseBranch = process.env.CODE_SCANNING_BASE_BRANCH;
+  if (codeScanningRef && codeScanningBaseBranch) {
+    return {
+      base: codeScanningBaseBranch,
+      // PR analysis under Default Setup analyzes the PR head commit instead of
+      // the merge commit, so we can use the provided ref directly.
+      head: codeScanningRef
+    };
+  }
+  return void 0;
+}
+function isAnalyzingPullRequest() {
+  return getPullRequestBranches() !== void 0;
+}
 var qualityCategoryMapping = {
  "c#": "csharp",
  cpp: "c-cpp",
@@ -88912,6 +88938,11 @@ async function getAnalysisKey() {
  core5.exportVariable("CODEQL_ACTION_ANALYSIS_KEY" /* ANALYSIS_KEY */, analysisKey);
  return analysisKey;
 }
+async function getAutomationID() {
+  const analysis_key = await getAnalysisKey();
+  const environment = getRequiredInput("matrix");
+  return computeAutomationID(analysis_key, environment);
+}
 function computeAutomationID(analysis_key, environment) {
  let automationID = `${analysis_key}/`;
  const matrix = parseMatrixInput(environment);
@@ -88926,6 +88957,18 @@ function computeAutomationID(analysis_key, environment) {
  }
  return automationID;
 }
+async function listActionsCaches(keyPrefix, ref) {
+  const repositoryNwo = getRepositoryNwo();
+  return await getApiClient().paginate(
+    "GET /repos/{owner}/{repo}/actions/caches",
+    {
+      owner: repositoryNwo.owner,
+      repo: repositoryNwo.repo,
+      key: keyPrefix,
+      ref
+    }
+  );
+}
 function isEnablementError(msg) {
  return [
    /Code Security must be enabled/i,
@@ -89224,7 +89267,13 @@ var path6 = __toESM(require("path"));
 var core9 = __toESM(require_core());

 // src/caching-utils.ts
+var crypto2 = __toESM(require("crypto"));
 var core6 = __toESM(require_core());
+var cacheKeyHashLength = 16;
+function createCacheKeyHash(components) {
+  const componentsJson = JSON.stringify(components);
+  return crypto2.createHash("sha256").update(componentsJson).digest("hex").substring(0, cacheKeyHashLength);
+}

 // src/config/db-config.ts
 var jsonschema = __toESM(require_lib2());
@@ -89339,6 +89388,16 @@ function writeDiagnostic(config, language, diagnostic) {
    logger.debug(JSON.stringify(diagnostic));
  }
 }
+function makeTelemetryDiagnostic(id, name, attributes) {
+  return makeDiagnostic(id, name, {
+    attributes,
+    visibility: {
+      cliSummaryTable: false,
+      statusPage: false,
+      telemetry: true
+    }
+  });
+}

 // src/diff-informed-analysis-utils.ts
 var fs5 = __toESM(require("fs"));
@@ -89846,6 +89905,16 @@ var featureConfig = {
    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_DISABLE_TRAP_CACHING",
    minimumVersion: void 0
  },
+  ["overlay_analysis_match_codeql_version" /* OverlayAnalysisMatchCodeqlVersion */]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_MATCH_CODEQL_VERSION",
+    minimumVersion: void 0
+  },
+  ["overlay_analysis_match_codeql_version_dry_run" /* OverlayAnalysisMatchCodeqlVersionDryRun */]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_MATCH_CODEQL_VERSION_DRY_RUN",
+    minimumVersion: void 0
+  },
  ["overlay_analysis_resource_checks_v2" /* OverlayAnalysisResourceChecksV2 */]: {
    defaultValue: false,
    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_RESOURCE_CHECKS_V2",
@@ -89952,6 +90021,17 @@ var builtin_default = {

 // src/languages/index.ts
 var builtInLanguageSet = new Set(builtin_default.languages);
+function isBuiltInLanguage(language) {
+  return builtInLanguageSet.has(language);
+}
+function parseBuiltInLanguage(language) {
+  language = language.trim().toLowerCase();
+  language = builtin_default.aliases[language] ?? language;
+  if (isBuiltInLanguage(language)) {
+    return language;
+  }
+  return void 0;
+}

 // src/overlay/status.ts
 var actionsCache = __toESM(require_cache4());
@@ -90031,7 +90111,7 @@ var fs9 = __toESM(require("fs"));
 var path8 = __toESM(require("path"));
 var toolcache3 = __toESM(require_tool_cache());
 var import_fast_deep_equal = __toESM(require_fast_deep_equal());
-var semver8 = __toESM(require_semver2());
+var semver9 = __toESM(require_semver2());

 // node_modules/uuid/dist-node/stringify.js
 var byteToHex = [];
@@ -90077,6 +90157,68 @@ function _v4(options, buf, offset) {
 }
 var v4_default = v4;

+// src/overlay/caching.ts
+var actionsCache3 = __toESM(require_cache4());
+var semver6 = __toESM(require_semver2());
+var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB = 7500;
+var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_BYTES = OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB * 1e6;
+var CACHE_VERSION = 1;
+var CACHE_PREFIX = "codeql-overlay-base-database";
+async function getCacheKeyPrefixBase(parsedLanguages) {
+  const languagesComponent = [...parsedLanguages].sort().join("_");
+  const cacheKeyComponents = {
+    automationID: await getAutomationID()
+    // Add more components here as needed in the future
+  };
+  const componentsHash = createCacheKeyHash(cacheKeyComponents);
+  return `${CACHE_PREFIX}-${CACHE_VERSION}-${componentsHash}-${languagesComponent}-`;
+}
+async function getCodeQlVersionsForOverlayBaseDatabases(rawLanguages, logger) {
+  const languages = rawLanguages.map(parseBuiltInLanguage);
+  if (languages.includes(void 0)) {
+    logger.warning(
+      "One or more provided languages are not recognized as built-in languages. Skipping searching for overlay-base databases in cache."
+    );
+    return void 0;
+  }
+  const dedupedLanguages = [
+    ...new Set(languages.filter((l) => l !== void 0))
+  ];
+  const cacheKeyPrefix = await getCacheKeyPrefixBase(dedupedLanguages);
+  logger.debug(
+    `Searching for overlay-base databases in Actions cache with prefix ${cacheKeyPrefix}`
+  );
+  const caches = await listActionsCaches(cacheKeyPrefix);
+  if (caches.length === 0) {
+    logger.info("No overlay-base databases found in Actions cache.");
+    return [];
+  }
+  logger.info(
+    `Found ${caches.length} overlay-base ${caches.length === 1 ? "database" : "databases"} in the Actions cache.`
+  );
+  const versionRegex = /^([\d.]+)-/;
+  const versionSet = /* @__PURE__ */ new Set();
+  for (const cache of caches) {
+    if (!cache.key) continue;
+    const suffix = cache.key.substring(cacheKeyPrefix.length);
+    const match = suffix.match(versionRegex);
+    if (match && semver6.valid(match[1])) {
+      versionSet.add(match[1]);
+    }
+  }
+  if (versionSet.size === 0) {
+    logger.info(
+      "Could not parse any CodeQL versions from overlay-base database cache keys."
+    );
+    return [];
+  }
+  const versions = [...versionSet].sort(semver6.rcompare);
+  logger.info(
+    `Found overlay databases for the following CodeQL versions in the Actions cache: ${versions.join(", ")}`
+  );
+  return versions;
+}
+
 // src/tar.ts
 var import_child_process = require("child_process");
 var fs7 = __toESM(require("fs"));
@@ -90084,7 +90226,7 @@ var stream = __toESM(require("stream"));
 var import_toolrunner = __toESM(require_toolrunner());
 var io4 = __toESM(require_io());
 var toolcache = __toESM(require_tool_cache());
-var semver6 = __toESM(require_semver2());
+var semver7 = __toESM(require_semver2());
 var MIN_REQUIRED_BSD_TAR_VERSION = "3.4.3";
 var MIN_REQUIRED_GNU_TAR_VERSION = "1.31";
 async function getTarVersion() {
@@ -90126,9 +90268,9 @@ async function isZstdAvailable(logger) {
      case "gnu":
        return {
          available: foundZstdBinary && // GNU tar only uses major and minor version numbers
-          semver6.gte(
-            semver6.coerce(version),
-            semver6.coerce(MIN_REQUIRED_GNU_TAR_VERSION)
+          semver7.gte(
+            semver7.coerce(version),
+            semver7.coerce(MIN_REQUIRED_GNU_TAR_VERSION)
          ),
          foundZstdBinary,
          version: tarVersion
@@ -90137,7 +90279,7 @@ async function isZstdAvailable(logger) {
        return {
          available: foundZstdBinary && // Do a loose comparison since these version numbers don't contain
          // a patch version number.
-          semver6.gte(version, MIN_REQUIRED_BSD_TAR_VERSION),
+          semver7.gte(version, MIN_REQUIRED_BSD_TAR_VERSION),
          foundZstdBinary,
          version: tarVersion
        };
@@ -90244,7 +90386,7 @@ var core10 = __toESM(require_core());
 var import_http_client = __toESM(require_lib());
 var toolcache2 = __toESM(require_tool_cache());
 var import_follow_redirects = __toESM(require_follow_redirects());
-var semver7 = __toESM(require_semver2());
+var semver8 = __toESM(require_semver2());
 var STREAMING_HIGH_WATERMARK_BYTES = 4 * 1024 * 1024;
 var TOOLCACHE_TOOL_NAME = "CodeQL";
 function makeDownloadFirstToolsDownloadDurations(downloadDurationMs, extractionDurationMs) {
@@ -90374,7 +90516,7 @@ function getToolcacheDirectory(version) {
  return path7.join(
    getRequiredEnvParam("RUNNER_TOOL_CACHE"),
    TOOLCACHE_TOOL_NAME,
-    semver7.clean(version) || version,
+    semver8.clean(version) || version,
    os.arch() || ""
  );
 }
@@ -90499,13 +90641,13 @@ function tryGetTagNameFromUrl(url2, logger) {
  return match[1];
 }
 function convertToSemVer(version, logger) {
-  if (!semver8.valid(version)) {
+  if (!semver9.valid(version)) {
    logger.debug(
      `Bundle version ${version} is not in SemVer format. Will treat it as pre-release 0.0.0-${version}.`
    );
    version = `0.0.0-${version}`;
  }
-  const s = semver8.clean(version);
+  const s = semver9.clean(version);
  if (!s) {
    throw new Error(`Bundle version ${version} is not in SemVer format.`);
  }
@@ -90537,7 +90679,84 @@ async function findOverridingToolsInCache(humanReadableVersion, logger) {
  }
  return void 0;
 }
-async function getCodeQLSource(toolsInput, defaultCliVersion, apiDetails, variant, tarSupportsZstd, features, logger) {
+async function getEnabledVersionsWithOverlayBaseDatabases(defaultCliVersion, rawLanguages, features, logger) {
+  if (rawLanguages === void 0 || rawLanguages.length === 0) {
+    return [];
+  }
+  const isEnabled = await features.getValue(
+    "overlay_analysis_match_codeql_version" /* OverlayAnalysisMatchCodeqlVersion */
+  );
+  const isDryRun = !isEnabled && await features.getValue("overlay_analysis_match_codeql_version_dry_run" /* OverlayAnalysisMatchCodeqlVersionDryRun */);
+  if (!isEnabled && !isDryRun) {
+    return [];
+  }
+  let cachedVersions;
+  try {
+    cachedVersions = await getCodeQlVersionsForOverlayBaseDatabases(
+      rawLanguages,
+      logger
+    );
+  } catch (e) {
+    logger.warning(
+      `Could not list overlay-base databases in the Actions cache while choosing a default CodeQL CLI version, falling back to the highest enabled version. Details: ${getErrorMessage(e)}`
+    );
+    return [];
+  }
+  if (cachedVersions === void 0 || cachedVersions.length === 0) {
+    return [];
+  }
+  const cachedVersionsSet = new Set(cachedVersions);
+  const overlayVersions = defaultCliVersion.enabledVersions.filter(
+    (v) => cachedVersionsSet.has(v.cliVersion)
+  );
+  if (overlayVersions.length === 0) {
+    return [];
+  }
+  const isCachedVersionDifferent = overlayVersions[0].cliVersion !== defaultCliVersion.enabledVersions[0].cliVersion;
+  if (isCachedVersionDifferent) {
+    addNoLanguageDiagnostic(
+      void 0,
+      makeTelemetryDiagnostic(
+        "codeql-action/overlay-aware-default-codeql-version",
+        "Overlay-aware default CodeQL version selection",
+        {
+          cachedVersions,
+          enabledVersions: defaultCliVersion.enabledVersions.map(
+            (v) => v.cliVersion
+          ),
+          isDryRun,
+          overlayAwareVersion: overlayVersions[0].cliVersion
+        }
+      )
+    );
+  }
+  if (isDryRun) {
+    logger.debug(
+      `Overlay-aware default CodeQL version selection is running in dry-run mode. Would have used version ${overlayVersions[0].cliVersion}.`
+    );
+    return [];
+  }
+  return overlayVersions;
+}
+async function resolveDefaultCliVersion(defaultCliVersion, rawLanguages, useOverlayAwareDefaultCliVersion, features, logger) {
+  if (!useOverlayAwareDefaultCliVersion || !isAnalyzingPullRequest()) {
+    return defaultCliVersion.enabledVersions[0];
+  }
+  const overlayVersions = await getEnabledVersionsWithOverlayBaseDatabases(
+    defaultCliVersion,
+    rawLanguages,
+    features,
+    logger
+  );
+  if (overlayVersions.length > 0) {
+    logger.info(
+      `Using CodeQL version ${overlayVersions[0].cliVersion} since this is the highest enabled version that has a cached overlay-base database.`
+    );
+    return overlayVersions[0];
+  }
+  return defaultCliVersion.enabledVersions[0];
+}
+async function getCodeQLSource(toolsInput, defaultCliVersion, rawLanguages, useOverlayAwareDefaultCliVersion, apiDetails, variant, tarSupportsZstd, features, logger) {
  if (toolsInput && !isReservedToolsValue(toolsInput) && !toolsInput.startsWith("http")) {
    logger.info(`Using CodeQL CLI from local path ${toolsInput}`);
    const compressionMethod2 = inferCompressionMethod(toolsInput);
@@ -90631,21 +90850,35 @@ async function getCodeQLSource(toolsInput, defaultCliVersion, apiDetails, varian
          );
        }
      }
-      cliVersion2 = defaultCliVersion.cliVersion;
-      tagName = defaultCliVersion.tagName;
+      const version = await resolveDefaultCliVersion(
+        defaultCliVersion,
+        rawLanguages,
+        useOverlayAwareDefaultCliVersion,
+        features,
+        logger
+      );
+      cliVersion2 = version.cliVersion;
+      tagName = version.tagName;
    }
  } else if (toolsInput !== void 0) {
    tagName = tryGetTagNameFromUrl(toolsInput, logger);
    url2 = toolsInput;
    if (tagName) {
      const bundleVersion3 = tryGetBundleVersionFromTagName(tagName, logger);
-      if (bundleVersion3 && semver8.valid(bundleVersion3)) {
+      if (bundleVersion3 && semver9.valid(bundleVersion3)) {
        cliVersion2 = convertToSemVer(bundleVersion3, logger);
      }
    }
  } else {
-    cliVersion2 = defaultCliVersion.cliVersion;
-    tagName = defaultCliVersion.tagName;
+    const version = await resolveDefaultCliVersion(
+      defaultCliVersion,
+      rawLanguages,
+      useOverlayAwareDefaultCliVersion,
+      features,
+      logger
+    );
+    cliVersion2 = version.cliVersion;
+    tagName = version.tagName;
  }
  const bundleVersion2 = tagName && tryGetBundleVersionFromTagName(tagName, logger);
  const humanReadableVersion = cliVersion2 ?? (bundleVersion2 && convertToSemVer(bundleVersion2, logger)) ?? tagName ?? url2 ?? "unknown";
@@ -90842,7 +91075,7 @@ function getCanonicalToolcacheVersion(cliVersion2, bundleVersion2, logger) {
  }
  return cliVersion2;
 }
-async function setupCodeQLBundle(toolsInput, apiDetails, tempDir, variant, defaultCliVersion, features, logger) {
+async function setupCodeQLBundle(toolsInput, apiDetails, tempDir, variant, defaultCliVersion, rawLanguages, useOverlayAwareDefaultCliVersion, features, logger) {
  if (!await isBinaryAccessible("tar", logger)) {
    throw new ConfigurationError(
      "Could not find tar in PATH, so unable to extract CodeQL bundle."
@@ -90852,6 +91085,8 @@ async function setupCodeQLBundle(toolsInput, apiDetails, tempDir, variant, defau
  const source = await getCodeQLSource(
    toolsInput,
    defaultCliVersion,
+    rawLanguages,
+    useOverlayAwareDefaultCliVersion,
    apiDetails,
    variant,
    zstdAvailability.available,
@@ -90910,7 +91145,7 @@ async function setupCodeQLBundle(toolsInput, apiDetails, tempDir, variant, defau
 async function useZstdBundle(cliVersion2, tarSupportsZstd) {
  return (
    // In testing, gzip performs better than zstd on Windows.
-    process.platform !== "win32" && tarSupportsZstd && semver8.gte(cliVersion2, CODEQL_VERSION_ZSTD_BUNDLE)
+    process.platform !== "win32" && tarSupportsZstd && semver9.gte(cliVersion2, CODEQL_VERSION_ZSTD_BUNDLE)
  );
 }
 function getTempExtractionDir(tempDir) {
@@ -90942,7 +91177,7 @@ async function getNightlyToolsUrl(logger) {
  }
 }
 function getLatestToolcacheVersion(logger) {
-  const allVersions = toolcache3.findAllVersions("CodeQL").sort((a, b) => semver8.compare(b, a));
+  const allVersions = toolcache3.findAllVersions("CodeQL").sort((a, b) => semver9.compare(b, a));
  logger.debug(
    `Found the following versions of the CodeQL tools in the toolcache: ${JSON.stringify(
      allVersions
@@ -90979,7 +91214,7 @@ var CODEQL_NEXT_MINIMUM_VERSION = "2.19.4";
 var GHES_VERSION_MOST_RECENTLY_DEPRECATED = "3.15";
 var GHES_MOST_RECENT_DEPRECATION_DATE = "2026-04-09";
 var EXTRACTION_DEBUG_MODE_VERBOSITY = "progress++";
-async function setupCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliVersion, features, logger, checkVersion) {
+async function setupCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliVersion, rawLanguages, useOverlayAwareDefaultCliVersion, features, logger, checkVersion) {
  try {
    const {
      codeqlFolder,
@@ -90993,6 +91228,8 @@ async function setupCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliV
      tempDir,
      variant,
      defaultCliVersion,
+      rawLanguages,
+      useOverlayAwareDefaultCliVersion,
      features,
      logger
    );
@@ -92714,7 +92951,7 @@ var core12 = __toESM(require_core());
 var toolrunner4 = __toESM(require_toolrunner());
 var github2 = __toESM(require_github());
 var io5 = __toESM(require_io());
-async function initCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliVersion, features, logger) {
+async function initCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliVersion, rawLanguages, useOverlayAwareDefaultCliVersion, features, logger) {
  logger.startGroup("Setup CodeQL tools");
  const {
    codeql,
@@ -92728,6 +92965,8 @@ async function initCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliVe
    tempDir,
    variant,
    defaultCliVersion,
+    rawLanguages,
+    useOverlayAwareDefaultCliVersion,
    features,
    logger,
    true
@@ -92876,9 +93115,7 @@ async function combineSarifFilesUsingCLI(sarifFiles, gitHubVersion, features, lo
      url: getRequiredEnvParam("GITHUB_SERVER_URL"),
      apiURL: getRequiredEnvParam("GITHUB_API_URL")
    };
-    const codeQLDefaultVersionInfo = await features.getDefaultCliVersion(
-      gitHubVersion.type
-    );
+    const codeQLDefaultVersionInfo = await features.getEnabledDefaultCliVersions(gitHubVersion.type);
    const initCodeQLResult = await initCodeQL(
      void 0,
      // There is no tools input on the upload action
@@ -92886,6 +93123,10 @@ async function combineSarifFilesUsingCLI(sarifFiles, gitHubVersion, features, lo
      tempDir,
      gitHubVersion.type,
      codeQLDefaultVersionInfo,
+      void 0,
+      // rawLanguages: upload-lib does not run analysis
+      false,
+      // useOverlayAwareDefaultCliVersion: upload-lib does not run analysis
      features,
      logger
    );
@@ -92901,7 +93142,7 @@ async function combineSarifFilesUsingCLI(sarifFiles, gitHubVersion, features, lo
  return readSarifFile(outputFile);
 }
 function populateRunAutomationDetails(sarifFile, category, analysis_key, environment) {
-  const automationID = getAutomationID(category, analysis_key, environment);
+  const automationID = getAutomationID2(category, analysis_key, environment);
  if (automationID !== void 0) {
    for (const run of sarifFile.runs || []) {
      if (run.automationDetails === void 0) {
@@ -92914,7 +93155,7 @@ function populateRunAutomationDetails(sarifFile, category, analysis_key, environ
  }
  return sarifFile;
 }
-function getAutomationID(category, analysis_key, environment) {
+function getAutomationID2(category, analysis_key, environment) {
  if (category !== void 0) {
    let automationID = category;
    if (!automationID.endsWith("/")) {
@@ -26352,11 +26352,11 @@ var require_valid = __commonJS({
  "node_modules/semver/functions/valid.js"(exports2, module2) {
    "use strict";
    var parse2 = require_parse2();
-    var valid3 = (version, options) => {
+    var valid4 = (version, options) => {
      const v = parse2(version, options);
      return v ? v.version : null;
    };
-    module2.exports = valid3;
+    module2.exports = valid4;
  }
 });

@@ -26499,8 +26499,8 @@ var require_rcompare = __commonJS({
  "node_modules/semver/functions/rcompare.js"(exports2, module2) {
    "use strict";
    var compare2 = require_compare();
-    var rcompare = (a, b, loose) => compare2(b, a, loose);
-    module2.exports = rcompare;
+    var rcompare3 = (a, b, loose) => compare2(b, a, loose);
+    module2.exports = rcompare3;
  }
 });

@@ -27716,7 +27716,7 @@ var require_semver2 = __commonJS({
    var SemVer = require_semver();
    var identifiers = require_identifiers();
    var parse2 = require_parse2();
-    var valid3 = require_valid();
+    var valid4 = require_valid();
    var clean3 = require_clean();
    var inc = require_inc();
    var diff = require_diff();
@@ -27725,7 +27725,7 @@ var require_semver2 = __commonJS({
    var patch = require_patch();
    var prerelease = require_prerelease();
    var compare2 = require_compare();
-    var rcompare = require_rcompare();
+    var rcompare3 = require_rcompare();
    var compareLoose = require_compare_loose();
    var compareBuild = require_compare_build();
    var sort = require_sort();
@@ -27754,7 +27754,7 @@ var require_semver2 = __commonJS({
    var subset = require_subset();
    module2.exports = {
      parse: parse2,
-      valid: valid3,
+      valid: valid4,
      clean: clean3,
      inc,
      diff,
@@ -27763,7 +27763,7 @@ var require_semver2 = __commonJS({
      patch,
      prerelease,
      compare: compare2,
-      rcompare,
+      rcompare: rcompare3,
      compareLoose,
      compareBuild,
      sort,
@@ -80613,7 +80613,7 @@ var require_stream_writable = __commonJS({
      pna.nextTick(cb, er);
    }
    function validChunk(stream, state, chunk, cb) {
-      var valid3 = true;
+      var valid4 = true;
      var er = false;
      if (chunk === null) {
        er = new TypeError("May not write null values to stream");
@@ -80623,9 +80623,9 @@ var require_stream_writable = __commonJS({
      if (er) {
        stream.emit("error", er);
        pna.nextTick(cb, er);
-        valid3 = false;
+        valid4 = false;
      }
-      return valid3;
+      return valid4;
    }
    Writable.prototype.write = function(chunk, encoding, cb) {
      var state = this._writableState;
@@ -115281,16 +115281,16 @@ var require_attribute = __commonJS({
      var result = new ValidatorResult(instance, schema2, options, ctx);
      var self2 = this;
      schema2.allOf.forEach(function(v, i) {
-        var valid3 = self2.validateSchema(instance, v, options, ctx);
-        if (!valid3.valid) {
+        var valid4 = self2.validateSchema(instance, v, options, ctx);
+        if (!valid4.valid) {
          var id = v.$id || v.id;
          var msg = id || v.title && JSON.stringify(v.title) || v["$ref"] && "<" + v["$ref"] + ">" || "[subschema " + i + "]";
          result.addError({
            name: "allOf",
-            argument: { id: msg, length: valid3.errors.length, valid: valid3 },
-            message: "does not match allOf schema " + msg + " with " + valid3.errors.length + " error[s]:"
+            argument: { id: msg, length: valid4.errors.length, valid: valid4 },
+            message: "does not match allOf schema " + msg + " with " + valid4.errors.length + " error[s]:"
          });
-          result.importErrors(valid3);
+          result.importErrors(valid4);
        }
      });
      return result;
@@ -115579,8 +115579,8 @@ var require_attribute = __commonJS({
      if (typeof schema2.exclusiveMinimum === "boolean") return;
      if (!this.types.number(instance)) return;
      var result = new ValidatorResult(instance, schema2, options, ctx);
-      var valid3 = instance > schema2.exclusiveMinimum;
-      if (!valid3) {
+      var valid4 = instance > schema2.exclusiveMinimum;
+      if (!valid4) {
        result.addError({
          name: "exclusiveMinimum",
          argument: schema2.exclusiveMinimum,
@@ -115593,8 +115593,8 @@ var require_attribute = __commonJS({
      if (typeof schema2.exclusiveMaximum === "boolean") return;
      if (!this.types.number(instance)) return;
      var result = new ValidatorResult(instance, schema2, options, ctx);
-      var valid3 = instance < schema2.exclusiveMaximum;
-      if (!valid3) {
+      var valid4 = instance < schema2.exclusiveMaximum;
+      if (!valid4) {
        result.addError({
          name: "exclusiveMaximum",
          argument: schema2.exclusiveMaximum,
@@ -118322,8 +118322,8 @@ var require_semver3 = __commonJS({
        return null;
      }
    }
-    exports2.valid = valid3;
-    function valid3(version, options) {
+    exports2.valid = valid4;
+    function valid4(version, options) {
      var v = parse2(version, options);
      return v ? v.version : null;
    }
@@ -118623,8 +118623,8 @@ var require_semver3 = __commonJS({
      var versionB = new SemVer(b, loose);
      return versionA.compare(versionB) || versionA.compareBuild(versionB);
    }
-    exports2.rcompare = rcompare;
-    function rcompare(a, b, loose) {
+    exports2.rcompare = rcompare3;
+    function rcompare3(a, b, loose) {
      return compare2(b, a, loose);
    }
    exports2.sort = sort;
@@ -119452,7 +119452,7 @@ var require_cacheUtils = __commonJS({
    var crypto2 = __importStar2(require("crypto"));
    var fs3 = __importStar2(require("fs"));
    var path3 = __importStar2(require("path"));
-    var semver9 = __importStar2(require_semver3());
+    var semver10 = __importStar2(require_semver3());
    var util = __importStar2(require("util"));
    var constants_1 = require_constants14();
    var versionSalt = "1.0";
@@ -119545,7 +119545,7 @@ var require_cacheUtils = __commonJS({
    function getCompressionMethod() {
      return __awaiter2(this, void 0, void 0, function* () {
        const versionOutput = yield getVersion("zstd", ["--quiet"]);
-        const version = semver9.clean(versionOutput);
+        const version = semver10.clean(versionOutput);
        core15.debug(`zstd version: ${version}`);
        if (versionOutput === "") {
          return constants_1.CompressionMethod.Gzip;
@@ -120855,7 +120855,7 @@ var require_cacheHttpClient = __commonJS({
    exports2.getCacheEntry = getCacheEntry;
    exports2.downloadCache = downloadCache;
    exports2.reserveCache = reserveCache;
-    exports2.saveCache = saveCache4;
+    exports2.saveCache = saveCache5;
    var core15 = __importStar2(require_core());
    var http_client_1 = require_lib();
    var auth_1 = require_auth();
@@ -121032,7 +121032,7 @@ Other caches with similar key:`);
        }));
      });
    }
-    function saveCache4(cacheId, archivePath, signedUploadURL, options) {
+    function saveCache5(cacheId, archivePath, signedUploadURL, options) {
      return __awaiter2(this, void 0, void 0, function* () {
        const uploadOptions = (0, options_1.getUploadOptions)(options);
        if (uploadOptions.useAzureSdk) {
@@ -122306,8 +122306,8 @@ var require_cache4 = __commonJS({
    Object.defineProperty(exports2, "__esModule", { value: true });
    exports2.FinalizeCacheError = exports2.ReserveCacheError = exports2.ValidationError = void 0;
    exports2.isFeatureAvailable = isFeatureAvailable;
-    exports2.restoreCache = restoreCache4;
-    exports2.saveCache = saveCache4;
+    exports2.restoreCache = restoreCache5;
+    exports2.saveCache = saveCache5;
    var core15 = __importStar2(require_core());
    var path3 = __importStar2(require("path"));
    var utils = __importStar2(require_cacheUtils());
@@ -122364,7 +122364,7 @@ var require_cache4 = __commonJS({
          return !!process.env["ACTIONS_CACHE_URL"];
      }
    }
-    function restoreCache4(paths_1, primaryKey_1, restoreKeys_1, options_1) {
+    function restoreCache5(paths_1, primaryKey_1, restoreKeys_1, options_1) {
      return __awaiter2(this, arguments, void 0, function* (paths, primaryKey, restoreKeys, options, enableCrossOsArchive = false) {
        const cacheServiceVersion = (0, config_1.getCacheServiceVersion)();
        core15.debug(`Cache service version: ${cacheServiceVersion}`);
@@ -122508,7 +122508,7 @@ var require_cache4 = __commonJS({
        return void 0;
      });
    }
-    function saveCache4(paths_1, key_1, options_1) {
+    function saveCache5(paths_1, key_1, options_1) {
      return __awaiter2(this, arguments, void 0, function* (paths, key, options, enableCrossOsArchive = false) {
        const cacheServiceVersion = (0, config_1.getCacheServiceVersion)();
        core15.debug(`Cache service version: ${cacheServiceVersion}`);
@@ -122745,7 +122745,7 @@ var require_manifest = __commonJS({
    exports2._findMatch = _findMatch;
    exports2._getOsVersion = _getOsVersion;
    exports2._readLinuxVersionFile = _readLinuxVersionFile;
-    var semver9 = __importStar2(require_semver2());
+    var semver10 = __importStar2(require_semver2());
    var core_1 = require_core();
    var os2 = require("os");
    var cp = require("child_process");
@@ -122759,7 +122759,7 @@ var require_manifest = __commonJS({
        for (const candidate of candidates) {
          const version = candidate.version;
          (0, core_1.debug)(`check ${version} satisfies ${versionSpec}`);
-          if (semver9.satisfies(version, versionSpec) && (!stable || candidate.stable === stable)) {
+          if (semver10.satisfies(version, versionSpec) && (!stable || candidate.stable === stable)) {
            file = candidate.files.find((item) => {
              (0, core_1.debug)(`${item.arch}===${archFilter} && ${item.platform}===${platFilter}`);
              let chk = item.arch === archFilter && item.platform === platFilter;
@@ -122768,7 +122768,7 @@ var require_manifest = __commonJS({
                if (osVersion === item.platform_version) {
                  chk = true;
                } else {
-                  chk = semver9.satisfies(osVersion, item.platform_version);
+                  chk = semver10.satisfies(osVersion, item.platform_version);
                }
              }
              return chk;
@@ -123028,7 +123028,7 @@ var require_tool_cache = __commonJS({
    var os2 = __importStar2(require("os"));
    var path3 = __importStar2(require("path"));
    var httpm = __importStar2(require_lib());
-    var semver9 = __importStar2(require_semver2());
+    var semver10 = __importStar2(require_semver2());
    var stream = __importStar2(require("stream"));
    var util = __importStar2(require("util"));
    var assert_1 = require("assert");
@@ -123301,7 +123301,7 @@ var require_tool_cache = __commonJS({
    }
    function cacheDir(sourceDir, tool, version, arch) {
      return __awaiter2(this, void 0, void 0, function* () {
-        version = semver9.clean(version) || version;
+        version = semver10.clean(version) || version;
        arch = arch || os2.arch();
        core15.debug(`Caching tool ${tool} ${version} ${arch}`);
        core15.debug(`source dir: ${sourceDir}`);
@@ -123319,7 +123319,7 @@ var require_tool_cache = __commonJS({
    }
    function cacheFile(sourceFile, targetFile, tool, version, arch) {
      return __awaiter2(this, void 0, void 0, function* () {
-        version = semver9.clean(version) || version;
+        version = semver10.clean(version) || version;
        arch = arch || os2.arch();
        core15.debug(`Caching tool ${tool} ${version} ${arch}`);
        core15.debug(`source file: ${sourceFile}`);
@@ -123349,7 +123349,7 @@ var require_tool_cache = __commonJS({
      }
      let toolPath = "";
      if (versionSpec) {
-        versionSpec = semver9.clean(versionSpec) || "";
+        versionSpec = semver10.clean(versionSpec) || "";
        const cachePath = path3.join(_getCacheDirectory(), toolName, versionSpec, arch);
        core15.debug(`checking cache: ${cachePath}`);
        if (fs3.existsSync(cachePath) && fs3.existsSync(`${cachePath}.complete`)) {
@@ -123429,7 +123429,7 @@ var require_tool_cache = __commonJS({
    }
    function _createToolPath(tool, version, arch) {
      return __awaiter2(this, void 0, void 0, function* () {
-        const folderPath = path3.join(_getCacheDirectory(), tool, semver9.clean(version) || version, arch || "");
+        const folderPath = path3.join(_getCacheDirectory(), tool, semver10.clean(version) || version, arch || "");
        core15.debug(`destination ${folderPath}`);
        const markerPath = `${folderPath}.complete`;
        yield io6.rmRF(folderPath);
@@ -123439,30 +123439,30 @@ var require_tool_cache = __commonJS({
      });
    }
    function _completeToolPath(tool, version, arch) {
-      const folderPath = path3.join(_getCacheDirectory(), tool, semver9.clean(version) || version, arch || "");
+      const folderPath = path3.join(_getCacheDirectory(), tool, semver10.clean(version) || version, arch || "");
      const markerPath = `${folderPath}.complete`;
      fs3.writeFileSync(markerPath, "");
      core15.debug("finished caching tool");
    }
    function isExplicitVersion(versionSpec) {
-      const c = semver9.clean(versionSpec) || "";
+      const c = semver10.clean(versionSpec) || "";
      core15.debug(`isExplicit: ${c}`);
-      const valid3 = semver9.valid(c) != null;
-      core15.debug(`explicit? ${valid3}`);
-      return valid3;
+      const valid4 = semver10.valid(c) != null;
+      core15.debug(`explicit? ${valid4}`);
+      return valid4;
    }
    function evaluateVersions(versions, versionSpec) {
      let version = "";
      core15.debug(`evaluating ${versions.length} versions`);
      versions = versions.sort((a, b) => {
-        if (semver9.gt(a, b)) {
+        if (semver10.gt(a, b)) {
          return 1;
        }
        return -1;
      });
      for (let i = versions.length - 1; i >= 0; i--) {
        const potential = versions[i];
-        const satisfied = semver9.satisfies(potential, versionSpec);
+        const satisfied = semver10.satisfies(potential, versionSpec);
        if (satisfied) {
          version = potential;
          break;
@@ -126824,7 +126824,7 @@ function getTemporaryDirectory() {
  return value !== void 0 && value !== "" ? value : getRequiredEnvParam("RUNNER_TEMP");
 }
 function getActionVersion() {
-  return "4.35.4";
+  return "4.35.5";
 }
 var persistedInputsKey = "persisted_inputs";
 var restoreInputs = function() {
@@ -127373,6 +127373,16 @@ var featureConfig = {
    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_DISABLE_TRAP_CACHING",
    minimumVersion: void 0
  },
+  ["overlay_analysis_match_codeql_version" /* OverlayAnalysisMatchCodeqlVersion */]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_MATCH_CODEQL_VERSION",
+    minimumVersion: void 0
+  },
+  ["overlay_analysis_match_codeql_version_dry_run" /* OverlayAnalysisMatchCodeqlVersionDryRun */]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_MATCH_CODEQL_VERSION_DRY_RUN",
+    minimumVersion: void 0
+  },
  ["overlay_analysis_resource_checks_v2" /* OverlayAnalysisResourceChecksV2 */]: {
    defaultValue: false,
    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_RESOURCE_CHECKS_V2",
@@ -127492,24 +127502,30 @@ var OVERLAY_ANALYSIS_CODE_SCANNING_FEATURES = {
 // src/setup-codeql.ts
 var toolcache3 = __toESM(require_tool_cache());
 var import_fast_deep_equal = __toESM(require_fast_deep_equal());
-var semver8 = __toESM(require_semver2());
+var semver9 = __toESM(require_semver2());
+
+// src/overlay/caching.ts
+var actionsCache3 = __toESM(require_cache4());
+var semver6 = __toESM(require_semver2());
+var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB = 7500;
+var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_BYTES = OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB * 1e6;

 // src/tar.ts
 var import_toolrunner = __toESM(require_toolrunner());
 var io4 = __toESM(require_io());
 var toolcache = __toESM(require_tool_cache());
-var semver6 = __toESM(require_semver2());
+var semver7 = __toESM(require_semver2());

 // src/tools-download.ts
 var core10 = __toESM(require_core());
 var import_http_client = __toESM(require_lib());
 var toolcache2 = __toESM(require_tool_cache());
 var import_follow_redirects = __toESM(require_follow_redirects());
-var semver7 = __toESM(require_semver2());
+var semver8 = __toESM(require_semver2());
 var STREAMING_HIGH_WATERMARK_BYTES = 4 * 1024 * 1024;

 // src/dependency-caching.ts
-var actionsCache3 = __toESM(require_cache4());
+var actionsCache4 = __toESM(require_cache4());
 var glob = __toESM(require_glob2());

 // src/artifact-scanner.ts
@@ -127577,6 +127593,9 @@ async function scanArchiveFile(archivePath, relativeArchivePath, extractDir, log
      `Maximum archive extraction depth (${MAX_DEPTH}) reached for ${archivePath}`
    );
  }
+  if (process.platform === "win32") {
+    throw new Error("Scanning archives is not supported on Windows.");
+  }
  const result = {
    scannedFiles: 0,
    findings: []
@@ -1,12 +1,12 @@
 {
  "name": "codeql",
-  "version": "4.35.4",
+  "version": "4.35.5",
  "lockfileVersion": 3,
  "requires": true,
  "packages": {
    "": {
      "name": "codeql",
-      "version": "4.35.4",
+      "version": "4.35.5",
      "license": "MIT",
      "workspaces": [
        "pr-checks"
@@ -43,14 +43,14 @@
        "@types/archiver": "^7.0.0",
        "@types/follow-redirects": "^1.14.4",
        "@types/js-yaml": "^4.0.9",
-        "@types/node": "^20.19.9",
+        "@types/node": "^20.19.39",
        "@types/node-forge": "^1.3.14",
        "@types/sarif": "^2.1.7",
        "@types/semver": "^7.7.1",
        "@types/sinon": "^21.0.1",
        "ava": "^7.0.0",
        "esbuild": "^0.28.0",
-        "eslint": "^9.39.2",
+        "eslint": "^9.39.4",
        "eslint-import-resolver-typescript": "^4.4.4",
        "eslint-plugin-github": "^6.0.0",
        "eslint-plugin-import-x": "^4.16.2",
@@ -60,8 +60,8 @@
        "globals": "^17.5.0",
        "nock": "^14.0.12",
        "sinon": "^21.1.2",
-        "typescript": "^6.0.2",
-        "typescript-eslint": "^8.58.2"
+        "typescript": "^6.0.3",
+        "typescript-eslint": "^8.59.1"
      }
    },
    "node_modules/@aashutoshrathi/word-wrap": {
@@ -1337,15 +1337,15 @@
      }
    },
    "node_modules/@eslint/config-array": {
-      "version": "0.21.1",
-      "resolved": "https://registry.npmjs.org/@eslint/config-array/-/config-array-0.21.1.tgz",
-      "integrity": "sha512-aw1gNayWpdI/jSYVgzN5pL0cfzU02GT3NBpeT/DXbx1/1x7ZKxFPd9bwrzygx/qiwIQiJ1sw/zD8qY/kRvlGHA==",
+      "version": "0.21.2",
+      "resolved": "https://registry.npmjs.org/@eslint/config-array/-/config-array-0.21.2.tgz",
+      "integrity": "sha512-nJl2KGTlrf9GjLimgIru+V/mzgSK0ABCDQRvxw5BjURL7WfH5uoWmizbH7QB6MmnMBd8cIC9uceWnezL1VZWWw==",
      "dev": true,
      "license": "Apache-2.0",
      "dependencies": {
        "@eslint/object-schema": "^2.1.7",
        "debug": "^4.3.1",
-        "minimatch": "^3.1.2"
+        "minimatch": "^3.1.5"
      },
      "engines": {
        "node": "^18.18.0 || ^20.9.0 || >=21.1.0"
@@ -1391,20 +1391,20 @@
      }
    },
    "node_modules/@eslint/eslintrc": {
-      "version": "3.3.3",
-      "resolved": "https://registry.npmjs.org/@eslint/eslintrc/-/eslintrc-3.3.3.tgz",
-      "integrity": "sha512-Kr+LPIUVKz2qkx1HAMH8q1q6azbqBAsXJUxBl/ODDuVPX45Z9DfwB8tPjTi6nNZ8BuM3nbJxC5zCAg5elnBUTQ==",
+      "version": "3.3.5",
+      "resolved": "https://registry.npmjs.org/@eslint/eslintrc/-/eslintrc-3.3.5.tgz",
+      "integrity": "sha512-4IlJx0X0qftVsN5E+/vGujTRIFtwuLbNsVUe7TO6zYPDR1O6nFwvwhIKEKSrl6dZchmYBITazxKoUYOjdtjlRg==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
-        "ajv": "^6.12.4",
+        "ajv": "^6.14.0",
        "debug": "^4.3.2",
        "espree": "^10.0.1",
        "globals": "^14.0.0",
        "ignore": "^5.2.0",
        "import-fresh": "^3.2.1",
        "js-yaml": "^4.1.1",
-        "minimatch": "^3.1.2",
+        "minimatch": "^3.1.5",
        "strip-json-comments": "^3.1.1"
      },
      "engines": {
@@ -1427,9 +1427,9 @@
      }
    },
    "node_modules/@eslint/js": {
-      "version": "9.39.2",
-      "resolved": "https://registry.npmjs.org/@eslint/js/-/js-9.39.2.tgz",
-      "integrity": "sha512-q1mjIoW1VX4IvSocvM/vbTiveKC4k9eLrajNEuSsmjymSDEbpGddtpfOoN7YGAqBK3NG+uqo8ia4PDTt8buCYA==",
+      "version": "9.39.4",
+      "resolved": "https://registry.npmjs.org/@eslint/js/-/js-9.39.4.tgz",
+      "integrity": "sha512-nE7DEIchvtiFTwBw4Lfbu59PG+kCofhjsKaCWzxTpt4lfRjRMqG6uMBzKXuEcyXhOHoUp9riAm7/aWYGhXZ9cw==",
      "dev": true,
      "license": "MIT",
      "engines": {
@@ -2469,9 +2469,9 @@
      "license": "MIT"
    },
    "node_modules/@types/node": {
-      "version": "20.19.9",
-      "resolved": "https://registry.npmjs.org/@types/node/-/node-20.19.9.tgz",
-      "integrity": "sha512-cuVNgarYWZqxRJDQHEB58GEONhOK79QVR/qYx4S7kcUObQvUwvFnYxJuuHUKm2aieN9X3yZB4LZsuYNU1Qphsw==",
+      "version": "20.19.39",
+      "resolved": "https://registry.npmjs.org/@types/node/-/node-20.19.39.tgz",
+      "integrity": "sha512-orrrD74MBUyK8jOAD/r0+lfa1I2MO6I+vAkmAWzMYbCcgrN4lCrmK52gRFQq/JRxfYPfonkr4b0jcY7Olqdqbw==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
@@ -2528,17 +2528,17 @@
      "license": "MIT"
    },
    "node_modules/@typescript-eslint/eslint-plugin": {
-      "version": "8.58.2",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/eslint-plugin/-/eslint-plugin-8.58.2.tgz",
-      "integrity": "sha512-aC2qc5thQahutKjP+cl8cgN9DWe3ZUqVko30CMSZHnFEHyhOYoZSzkGtAI2mcwZ38xeImDucI4dnqsHiOYuuCw==",
+      "version": "8.59.1",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/eslint-plugin/-/eslint-plugin-8.59.1.tgz",
+      "integrity": "sha512-BOziFIfE+6osHO9FoJG4zjoHUcvI7fTNBSpdAwrNH0/TLvzjsk2oo8XSSOT2HhqUyhZPfHv4UOffoJ9oEEQ7Ag==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
        "@eslint-community/regexpp": "^4.12.2",
-        "@typescript-eslint/scope-manager": "8.58.2",
-        "@typescript-eslint/type-utils": "8.58.2",
-        "@typescript-eslint/utils": "8.58.2",
-        "@typescript-eslint/visitor-keys": "8.58.2",
+        "@typescript-eslint/scope-manager": "8.59.1",
+        "@typescript-eslint/type-utils": "8.59.1",
+        "@typescript-eslint/utils": "8.59.1",
+        "@typescript-eslint/visitor-keys": "8.59.1",
        "ignore": "^7.0.5",
        "natural-compare": "^1.4.0",
        "ts-api-utils": "^2.5.0"
@@ -2551,7 +2551,7 @@
        "url": "https://opencollective.com/typescript-eslint"
      },
      "peerDependencies": {
-        "@typescript-eslint/parser": "^8.58.2",
+        "@typescript-eslint/parser": "^8.59.1",
        "eslint": "^8.57.0 || ^9.0.0 || ^10.0.0",
        "typescript": ">=4.8.4 <6.1.0"
      }
@@ -2567,16 +2567,16 @@
      }
    },
    "node_modules/@typescript-eslint/parser": {
-      "version": "8.58.2",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/parser/-/parser-8.58.2.tgz",
-      "integrity": "sha512-/Zb/xaIDfxeJnvishjGdcR4jmr7S+bda8PKNhRGdljDM+elXhlvN0FyPSsMnLmJUrVG9aPO6dof80wjMawsASg==",
+      "version": "8.59.1",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/parser/-/parser-8.59.1.tgz",
+      "integrity": "sha512-HDQH9O/47Dxi1ceDhBXdaldtf/WV9yRYMjbjCuNk3qnaTD564qwv61Y7+gTxwxRKzSrgO5uhtw584igXVuuZkA==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
-        "@typescript-eslint/scope-manager": "8.58.2",
-        "@typescript-eslint/types": "8.58.2",
-        "@typescript-eslint/typescript-estree": "8.58.2",
-        "@typescript-eslint/visitor-keys": "8.58.2",
+        "@typescript-eslint/scope-manager": "8.59.1",
+        "@typescript-eslint/types": "8.59.1",
+        "@typescript-eslint/typescript-estree": "8.59.1",
+        "@typescript-eslint/visitor-keys": "8.59.1",
        "debug": "^4.4.3"
      },
      "engines": {
@@ -2610,14 +2610,14 @@
      }
    },
    "node_modules/@typescript-eslint/project-service": {
-      "version": "8.58.2",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/project-service/-/project-service-8.58.2.tgz",
-      "integrity": "sha512-Cq6UfpZZk15+r87BkIh5rDpi38W4b+Sjnb8wQCPPDDweS/LRCFjCyViEbzHk5Ck3f2QDfgmlxqSa7S7clDtlfg==",
+      "version": "8.59.1",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/project-service/-/project-service-8.59.1.tgz",
+      "integrity": "sha512-+MuHQlHiEr00Of/IQbE/MmEoi44znZHbR/Pz7Opq4HryUOlRi+/44dro9Ycy8Fyo+/024IWtw8m4JUMCGTYxDg==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
-        "@typescript-eslint/tsconfig-utils": "^8.58.2",
-        "@typescript-eslint/types": "^8.58.2",
+        "@typescript-eslint/tsconfig-utils": "^8.59.1",
+        "@typescript-eslint/types": "^8.59.1",
        "debug": "^4.4.3"
      },
      "engines": {
@@ -2650,14 +2650,14 @@
      }
    },
    "node_modules/@typescript-eslint/scope-manager": {
-      "version": "8.58.2",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/scope-manager/-/scope-manager-8.58.2.tgz",
-      "integrity": "sha512-SgmyvDPexWETQek+qzZnrG6844IaO02UVyOLhI4wpo82dpZJY9+6YZCKAMFzXb7qhx37mFK1QcPQ18tud+vo6Q==",
+      "version": "8.59.1",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/scope-manager/-/scope-manager-8.59.1.tgz",
+      "integrity": "sha512-LwuHQI4pDOYVKvmH2dkaJo6YZCSgouVgnS/z7yBPKBMvgtBvyLqiLy9Z6b7+m/TRcX1NFYUqZetI5Y+aT4GEfg==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
-        "@typescript-eslint/types": "8.58.2",
-        "@typescript-eslint/visitor-keys": "8.58.2"
+        "@typescript-eslint/types": "8.59.1",
+        "@typescript-eslint/visitor-keys": "8.59.1"
      },
      "engines": {
        "node": "^18.18.0 || ^20.9.0 || >=21.1.0"
@@ -2668,9 +2668,9 @@
      }
    },
    "node_modules/@typescript-eslint/tsconfig-utils": {
-      "version": "8.58.2",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/tsconfig-utils/-/tsconfig-utils-8.58.2.tgz",
-      "integrity": "sha512-3SR+RukipDvkkKp/d0jP0dyzuls3DbGmwDpVEc5wqk5f38KFThakqAAO0XMirWAE+kT00oTauTbzMFGPoAzB0A==",
+      "version": "8.59.1",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/tsconfig-utils/-/tsconfig-utils-8.59.1.tgz",
+      "integrity": "sha512-/0nEyPbX7gRsk0Uwfe4ALwwgxuA66d/l2mhRDNlAvaj4U3juhUtJNq0DsY8M2AYwwb9rEq2hrC3IcIcEt++iJA==",
      "dev": true,
      "license": "MIT",
      "engines": {
@@ -2685,15 +2685,15 @@
      }
    },
    "node_modules/@typescript-eslint/type-utils": {
-      "version": "8.58.2",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/type-utils/-/type-utils-8.58.2.tgz",
-      "integrity": "sha512-Z7EloNR/B389FvabdGeTo2XMs4W9TjtPiO9DAsmT0yom0bwlPyRjkJ1uCdW1DvrrrYP50AJZ9Xc3sByZA9+dcg==",
+      "version": "8.59.1",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/type-utils/-/type-utils-8.59.1.tgz",
+      "integrity": "sha512-klWPBR2ciQHS3f++ug/mVnWKPjBUo7icEL3FAO1lhAR1Z1i5NQYZ1EannMSRYcq5qCv5wNALlXr6fksRHyYl7w==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
-        "@typescript-eslint/types": "8.58.2",
-        "@typescript-eslint/typescript-estree": "8.58.2",
-        "@typescript-eslint/utils": "8.58.2",
+        "@typescript-eslint/types": "8.59.1",
+        "@typescript-eslint/typescript-estree": "8.59.1",
+        "@typescript-eslint/utils": "8.59.1",
        "debug": "^4.4.3",
        "ts-api-utils": "^2.5.0"
      },
@@ -2728,9 +2728,9 @@
      }
    },
    "node_modules/@typescript-eslint/types": {
-      "version": "8.58.2",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/types/-/types-8.58.2.tgz",
-      "integrity": "sha512-9TukXyATBQf/Jq9AMQXfvurk+G5R2MwfqQGDR2GzGz28HvY/lXNKGhkY+6IOubwcquikWk5cjlgPvD2uAA7htQ==",
+      "version": "8.59.1",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/types/-/types-8.59.1.tgz",
+      "integrity": "sha512-ZDCjgccSdYPw5Bxh+my4Z0lJU96ZDN7jbBzvmEn0FZx3RtU1C7VWl6NbDx94bwY3V5YsgwRzJPOgeY2Q/nLG8A==",
      "dev": true,
      "license": "MIT",
      "engines": {
@@ -2742,16 +2742,16 @@
      }
    },
    "node_modules/@typescript-eslint/typescript-estree": {
-      "version": "8.58.2",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/typescript-estree/-/typescript-estree-8.58.2.tgz",
-      "integrity": "sha512-ELGuoofuhhoCvNbQjFFiobFcGgcDCEm0ThWdmO4Z0UzLqPXS3KFvnEZ+SHewwOYHjM09tkzOWXNTv9u6Gqtyuw==",
+      "version": "8.59.1",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/typescript-estree/-/typescript-estree-8.59.1.tgz",
+      "integrity": "sha512-OUd+vJS05sSkOip+BkZ/2NS8RMxrAAJemsC6vU3kmfLyeaJT0TftHkV9mcx2107MmsBVXXexhVu4F0TZXyMl4g==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
-        "@typescript-eslint/project-service": "8.58.2",
-        "@typescript-eslint/tsconfig-utils": "8.58.2",
-        "@typescript-eslint/types": "8.58.2",
-        "@typescript-eslint/visitor-keys": "8.58.2",
+        "@typescript-eslint/project-service": "8.59.1",
+        "@typescript-eslint/tsconfig-utils": "8.59.1",
+        "@typescript-eslint/types": "8.59.1",
+        "@typescript-eslint/visitor-keys": "8.59.1",
        "debug": "^4.4.3",
        "minimatch": "^10.2.2",
        "semver": "^7.7.3",
@@ -2827,16 +2827,16 @@
      }
    },
    "node_modules/@typescript-eslint/utils": {
-      "version": "8.58.2",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/utils/-/utils-8.58.2.tgz",
-      "integrity": "sha512-QZfjHNEzPY8+l0+fIXMvuQ2sJlplB4zgDZvA+NmvZsZv3EQwOcc1DuIU1VJUTWZ/RKouBMhDyNaBMx4sWvrzRA==",
+      "version": "8.59.1",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/utils/-/utils-8.59.1.tgz",
+      "integrity": "sha512-3pIeoXhCeYH9FSCBI8P3iNwJlGuzPlYKkTlen2O9T1DSeeg8UG8jstq6BLk+Mda0qup7mgk4z4XL4OzRaxZ8LA==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
        "@eslint-community/eslint-utils": "^4.9.1",
-        "@typescript-eslint/scope-manager": "8.58.2",
-        "@typescript-eslint/types": "8.58.2",
-        "@typescript-eslint/typescript-estree": "8.58.2"
+        "@typescript-eslint/scope-manager": "8.59.1",
+        "@typescript-eslint/types": "8.59.1",
+        "@typescript-eslint/typescript-estree": "8.59.1"
      },
      "engines": {
        "node": "^18.18.0 || ^20.9.0 || >=21.1.0"
@@ -2851,13 +2851,13 @@
      }
    },
    "node_modules/@typescript-eslint/visitor-keys": {
-      "version": "8.58.2",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/visitor-keys/-/visitor-keys-8.58.2.tgz",
-      "integrity": "sha512-f1WO2Lx8a9t8DARmcWAUPJbu0G20bJlj8L4z72K00TMeJAoyLr/tHhI/pzYBLrR4dXWkcxO1cWYZEOX8DKHTqA==",
+      "version": "8.59.1",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/visitor-keys/-/visitor-keys-8.59.1.tgz",
+      "integrity": "sha512-LdDNl6C5iJExcM0Yh0PwAIBb9PrSiCsWamF/JyEZawm3kFDnRoaq3LGE4bpyRao/fWeGKKyw7icx0YxrLFC5Cg==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
-        "@typescript-eslint/types": "8.58.2",
+        "@typescript-eslint/types": "8.59.1",
        "eslint-visitor-keys": "^5.0.0"
      },
      "engines": {
@@ -3271,7 +3271,9 @@
      }
    },
    "node_modules/ajv": {
-      "version": "6.12.6",
+      "version": "6.15.0",
+      "resolved": "https://registry.npmjs.org/ajv/-/ajv-6.15.0.tgz",
+      "integrity": "sha512-fgFx7Hfoq60ytK2c7DhnF8jIvzYgOMxfugjLOSMHjLIPgenqa7S7oaagATUq99mV6IYvN2tRmC0wnTYX6iPbMw==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
@@ -4725,25 +4727,25 @@
      }
    },
    "node_modules/eslint": {
-      "version": "9.39.2",
-      "resolved": "https://registry.npmjs.org/eslint/-/eslint-9.39.2.tgz",
-      "integrity": "sha512-LEyamqS7W5HB3ujJyvi0HQK/dtVINZvd5mAAp9eT5S/ujByGjiZLCzPcHVzuXbpJDJF/cxwHlfceVUDZ2lnSTw==",
+      "version": "9.39.4",
+      "resolved": "https://registry.npmjs.org/eslint/-/eslint-9.39.4.tgz",
+      "integrity": "sha512-XoMjdBOwe/esVgEvLmNsD3IRHkm7fbKIUGvrleloJXUZgDHig2IPWNniv+GwjyJXzuNqVjlr5+4yVUZjycJwfQ==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
        "@eslint-community/eslint-utils": "^4.8.0",
        "@eslint-community/regexpp": "^4.12.1",
-        "@eslint/config-array": "^0.21.1",
+        "@eslint/config-array": "^0.21.2",
        "@eslint/config-helpers": "^0.4.2",
        "@eslint/core": "^0.17.0",
-        "@eslint/eslintrc": "^3.3.1",
-        "@eslint/js": "9.39.2",
+        "@eslint/eslintrc": "^3.3.5",
+        "@eslint/js": "9.39.4",
        "@eslint/plugin-kit": "^0.4.1",
        "@humanfs/node": "^0.16.6",
        "@humanwhocodes/module-importer": "^1.0.1",
        "@humanwhocodes/retry": "^0.4.2",
        "@types/estree": "^1.0.6",
-        "ajv": "^6.12.4",
+        "ajv": "^6.14.0",
        "chalk": "^4.0.0",
        "cross-spawn": "^7.0.6",
        "debug": "^4.3.2",
@@ -4762,7 +4764,7 @@
        "is-glob": "^4.0.0",
        "json-stable-stringify-without-jsonify": "^1.0.1",
        "lodash.merge": "^4.6.2",
-        "minimatch": "^3.1.2",
+        "minimatch": "^3.1.5",
        "natural-compare": "^1.4.0",
        "optionator": "^0.9.3"
      },
@@ -9771,9 +9773,9 @@
      }
    },
    "node_modules/typescript": {
-      "version": "6.0.2",
-      "resolved": "https://registry.npmjs.org/typescript/-/typescript-6.0.2.tgz",
-      "integrity": "sha512-bGdAIrZ0wiGDo5l8c++HWtbaNCWTS4UTv7RaTH/ThVIgjkveJt83m74bBHMJkuCbslY8ixgLBVZJIOiQlQTjfQ==",
+      "version": "6.0.3",
+      "resolved": "https://registry.npmjs.org/typescript/-/typescript-6.0.3.tgz",
+      "integrity": "sha512-y2TvuxSZPDyQakkFRPZHKFm+KKVqIisdg9/CZwm9ftvKXLP8NRWj38/ODjNbr43SsoXqNuAisEf1GdCxqWcdBw==",
      "dev": true,
      "license": "Apache-2.0",
      "bin": {
@@ -9785,16 +9787,16 @@
      }
    },
    "node_modules/typescript-eslint": {
-      "version": "8.58.2",
-      "resolved": "https://registry.npmjs.org/typescript-eslint/-/typescript-eslint-8.58.2.tgz",
-      "integrity": "sha512-V8iSng9mRbdZjl54VJ9NKr6ZB+dW0J3TzRXRGcSbLIej9jV86ZRtlYeTKDR/QLxXykocJ5icNzbsl2+5TzIvcQ==",
+      "version": "8.59.1",
+      "resolved": "https://registry.npmjs.org/typescript-eslint/-/typescript-eslint-8.59.1.tgz",
+      "integrity": "sha512-xqDcFVBmlrltH64lklOVp1wYxgJr6LVdg3NamBgH2OOQDLFdTKfIZXF5PfghrnXQKXZGTQs8tr1vL7fJvq8CTQ==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
-        "@typescript-eslint/eslint-plugin": "8.58.2",
-        "@typescript-eslint/parser": "8.58.2",
-        "@typescript-eslint/typescript-estree": "8.58.2",
-        "@typescript-eslint/utils": "8.58.2"
+        "@typescript-eslint/eslint-plugin": "8.59.1",
+        "@typescript-eslint/parser": "8.59.1",
+        "@typescript-eslint/typescript-estree": "8.59.1",
+        "@typescript-eslint/utils": "8.59.1"
      },
      "engines": {
        "node": "^18.18.0 || ^20.9.0 || >=21.1.0"
@@ -10388,7 +10390,7 @@
        "yaml": "^2.8.3"
      },
      "devDependencies": {
-        "@types/node": "^20.19.9",
+        "@types/node": "^20.19.39",
        "tsx": "^4.21.0"
      }
    }
@@ -1,11 +1,11 @@
 {
  "name": "codeql",
-  "version": "4.35.4",
+  "version": "4.35.5",
  "private": true,
  "description": "CodeQL action",
  "scripts": {
    "_build_comment": "echo 'Run the full build so we typecheck the project and can reuse the transpiled files in npm test'",
-    "build": "./scripts/check-node-modules.sh && npm run transpile && node build.mjs && npx tsx ./pr-checks/bundle-metadata.ts",
+    "build": "./scripts/check-node-modules.sh && npm run transpile && node build.mjs",
    "lint": "eslint --report-unused-disable-directives --max-warnings=0 .",
    "lint-ci": "SARIF_ESLINT_IGNORE_SUPPRESSED=true eslint --report-unused-disable-directives --max-warnings=0 . --format @microsoft/eslint-formatter-sarif --output-file=eslint.sarif",
    "lint-fix": "eslint --report-unused-disable-directives --max-warnings=0 . --fix",
@@ -50,14 +50,14 @@
    "@types/archiver": "^7.0.0",
    "@types/follow-redirects": "^1.14.4",
    "@types/js-yaml": "^4.0.9",
-    "@types/node": "^20.19.9",
+    "@types/node": "^20.19.39",
    "@types/node-forge": "^1.3.14",
    "@types/sarif": "^2.1.7",
    "@types/semver": "^7.7.1",
    "@types/sinon": "^21.0.1",
    "ava": "^7.0.0",
    "esbuild": "^0.28.0",
-    "eslint": "^9.39.2",
+    "eslint": "^9.39.4",
    "eslint-import-resolver-typescript": "^4.4.4",
    "eslint-plugin-github": "^6.0.0",
    "eslint-plugin-import-x": "^4.16.2",
@@ -67,8 +67,8 @@
    "globals": "^17.5.0",
    "nock": "^14.0.12",
    "sinon": "^21.1.2",
-    "typescript": "^6.0.2",
-    "typescript-eslint": "^8.58.2"
+    "typescript": "^6.0.3",
+    "typescript-eslint": "^8.59.1"
  },
  "overrides": {
    "@actions/tool-cache": {
@@ -10,7 +10,7 @@
    "yaml": "^2.8.3"
  },
  "devDependencies": {
-    "@types/node": "^20.19.9",
+    "@types/node": "^20.19.39",
    "tsx": "^4.21.0"
  }
 }
@@ -19,6 +19,25 @@ inputs:
      If not specified, the Action will check in several places until it finds
      the CodeQL tools.
    required: false
+  languages:
+    description: >-
+      A comma-separated list of CodeQL languages that will be analyzed in subsequent
+      `github/codeql-action/init` and `github/codeql-action/analyze` invocations. If specified, the
+      Action may use this list to select a CodeQL CLI version that is best suited to analyzing those
+      languages, for example by preferring a version that has a cached overlay-base database for the
+      specified languages. This input is not remembered and must also be passed to
+      `github/codeql-action/init`.
+    required: false
+  analysis-kinds:
+    description: >-
+      [Internal] A comma-separated list of analysis kinds that subsequent
+      `github/codeql-action/init` invocations will enable. If specified, the Action may use this
+      list to select a CodeQL CLI version that is best suited to those analysis kinds. This input is
+      not remembered and must also be passed to `github/codeql-action/init`.
+
+      Available options are the same as for the `analysis-kinds` input on the `init` Action.
+    default: 'code-scanning'
+    required: true
  token:
    description: GitHub token to use for authenticating with this instance of GitHub.
    default: ${{ github.token }}
@@ -141,7 +141,12 @@ test("scanArtifactsForTokens handles files without tokens", async (t) => {
  }
 });

-if (os.platform() !== "win32") {
+// This test is slow (extracts and scans a zip artifact), so by default we only run it in CI. Set
+// RUN_SLOW_TESTS=1 to run it locally.
+if (
+  os.platform() !== "win32" &&
+  (process.env.CI === "true" || process.env.RUN_SLOW_TESTS === "1")
+) {
  test("scanArtifactsForTokens finds token in debug artifacts", async (t) => {
    t.timeout(15000); // 15 seconds
    const messages: LoggedMessage[] = [];
@@ -156,6 +156,10 @@ async function scanArchiveFile(
    );
  }

+  if (process.platform === "win32") {
+    throw new Error("Scanning archives is not supported on Windows.");
+  }
+
  const result: ScanResult = {
    scannedFiles: 0,
    findings: [],
@@ -71,8 +71,10 @@ async function installIntoToolcache({
    tmpDir,
    util.GitHubVariant.GHES,
    cliVersion !== undefined
-      ? { cliVersion, tagName }
+      ? { enabledVersions: [{ cliVersion, tagName }] }
      : SAMPLE_DEFAULT_CLI_VERSION,
+    undefined, // rawLanguages
+    false, // useOverlayAwareDefaultCliVersion
    createFeatures([]),
    getRunnerLogger(true),
    false,
@@ -144,6 +146,8 @@ test.serial(
          tmpDir,
          util.GitHubVariant.DOTCOM,
          SAMPLE_DEFAULT_CLI_VERSION,
+          undefined, // rawLanguages
+          false, // useOverlayAwareDefaultCliVersion
          features,
          getRunnerLogger(true),
          false,
@@ -176,6 +180,8 @@ test.serial(
        tmpDir,
        util.GitHubVariant.DOTCOM,
        SAMPLE_DEFAULT_CLI_VERSION,
+        undefined, // rawLanguages
+        false, // useOverlayAwareDefaultCliVersion
        features,
        getRunnerLogger(true),
        false,
@@ -215,6 +221,8 @@ test.serial(
        tmpDir,
        util.GitHubVariant.DOTCOM,
        SAMPLE_DEFAULT_CLI_VERSION,
+        undefined, // rawLanguages
+        false, // useOverlayAwareDefaultCliVersion
        features,
        getRunnerLogger(true),
        false,
@@ -265,6 +273,8 @@ for (const {
          tmpDir,
          util.GitHubVariant.DOTCOM,
          SAMPLE_DEFAULT_CLI_VERSION,
+          undefined, // rawLanguages
+          false, // useOverlayAwareDefaultCliVersion
          features,
          getRunnerLogger(true),
          false,
@@ -285,11 +295,11 @@ for (const {
 for (const toolcacheVersion of [
  // Test that we use the tools from the toolcache when `SAMPLE_DEFAULT_CLI_VERSION` is requested
  // and `SAMPLE_DEFAULT_CLI_VERSION-` is in the toolcache.
-  SAMPLE_DEFAULT_CLI_VERSION.cliVersion,
-  `${SAMPLE_DEFAULT_CLI_VERSION.cliVersion}-20230101`,
+  SAMPLE_DEFAULT_CLI_VERSION.enabledVersions[0].cliVersion,
+  `${SAMPLE_DEFAULT_CLI_VERSION.enabledVersions[0].cliVersion}-20230101`,
 ]) {
  test.serial(
-    `uses tools from toolcache when ${SAMPLE_DEFAULT_CLI_VERSION.cliVersion} is requested and ` +
+    `uses tools from toolcache when ${SAMPLE_DEFAULT_CLI_VERSION.enabledVersions[0].cliVersion} is requested and ` +
      `${toolcacheVersion} is installed`,
    async (t) => {
      const features = createFeatures([]);
@@ -309,11 +319,16 @@ for (const toolcacheVersion of [
          tmpDir,
          util.GitHubVariant.DOTCOM,
          SAMPLE_DEFAULT_CLI_VERSION,
+          undefined, // rawLanguages
+          false, // useOverlayAwareDefaultCliVersion
          features,
          getRunnerLogger(true),
          false,
        );
-        t.is(result.toolsVersion, SAMPLE_DEFAULT_CLI_VERSION.cliVersion);
+        t.is(
+          result.toolsVersion,
+          SAMPLE_DEFAULT_CLI_VERSION.enabledVersions[0].cliVersion,
+        );
        t.is(result.toolsSource, ToolsSource.Toolcache);
        t.is(result.toolsDownloadStatusReport?.combinedDurationMs, undefined);
        t.is(result.toolsDownloadStatusReport?.downloadDurationMs, undefined);
@@ -343,9 +358,15 @@ test.serial(
        tmpDir,
        util.GitHubVariant.GHES,
        {
-          cliVersion: defaults.cliVersion,
-          tagName: defaults.bundleVersion,
+          enabledVersions: [
+            {
+              cliVersion: defaults.cliVersion,
+              tagName: defaults.bundleVersion,
+            },
+          ],
        },
+        undefined, // rawLanguages
+        false, // useOverlayAwareDefaultCliVersion
        features,
        getRunnerLogger(true),
        false,
@@ -385,9 +406,15 @@ test.serial(
        tmpDir,
        util.GitHubVariant.GHES,
        {
-          cliVersion: defaults.cliVersion,
-          tagName: defaults.bundleVersion,
+          enabledVersions: [
+            {
+              cliVersion: defaults.cliVersion,
+              tagName: defaults.bundleVersion,
+            },
+          ],
        },
+        undefined, // rawLanguages
+        false, // useOverlayAwareDefaultCliVersion
        features,
        getRunnerLogger(true),
        false,
@@ -427,6 +454,8 @@ test.serial(
        tmpDir,
        util.GitHubVariant.DOTCOM,
        SAMPLE_DEFAULT_CLI_VERSION,
+        undefined, // rawLanguages
+        false, // useOverlayAwareDefaultCliVersion
        features,
        getRunnerLogger(true),
        false,
@@ -468,6 +497,8 @@ test.serial(
        tmpDir,
        util.GitHubVariant.DOTCOM,
        SAMPLE_DEFAULT_CLI_VERSION,
+        undefined, // rawLanguages
+        false, // useOverlayAwareDefaultCliVersion
        features,
        getRunnerLogger(true),
        false,
@@ -305,6 +305,8 @@ const EXTRACTION_DEBUG_MODE_VERBOSITY = "progress++";
 * @param tempDir
 * @param variant
 * @param defaultCliVersion
+ * @param rawLanguages Raw set of languages.
+ * @param useOverlayAwareDefaultCliVersion Whether to select an overlay-aware default CLI version.
 * @param features Information about the features that are enabled.
 * @param logger
 * @param checkVersion Whether to check that CodeQL CLI meets the minimum
@@ -317,6 +319,8 @@ export async function setupCodeQL(
  tempDir: string,
  variant: util.GitHubVariant,
  defaultCliVersion: CodeQLDefaultVersionInfo,
+  rawLanguages: string[] | undefined,
+  useOverlayAwareDefaultCliVersion: boolean,
  features: FeatureEnablement,
  logger: Logger,
  checkVersion: boolean,
@@ -340,6 +344,8 @@ export async function setupCodeQL(
      tempDir,
      variant,
      defaultCliVersion,
+      rawLanguages,
+      useOverlayAwareDefaultCliVersion,
      features,
      logger,
    );
@@ -1207,7 +1207,7 @@ checkOverlayEnablementMacro.serial(
    features: [Feature.OverlayAnalysis, Feature.OverlayAnalysisJavascript],
    codeScanningConfig: {
      packs: ["some-custom-pack@1.0.0"],
-    } as UserConfig,
+    },
    isDefaultBranch: true,
  },
  {
@@ -1444,7 +1444,7 @@ checkOverlayEnablementMacro.serial(
    ],
    codeScanningConfig: {
      "disable-default-queries": true,
-    } as UserConfig,
+    },
    isDefaultBranch: true,
  },
  {
@@ -1462,7 +1462,7 @@ checkOverlayEnablementMacro.serial(
    ],
    codeScanningConfig: {
      packs: ["some-custom-pack@1.0.0"],
-    } as UserConfig,
+    },
    isDefaultBranch: true,
  },
  {
@@ -1480,7 +1480,7 @@ checkOverlayEnablementMacro.serial(
    ],
    codeScanningConfig: {
      queries: [{ uses: "some-query.ql" }],
-    } as UserConfig,
+    },
    isDefaultBranch: true,
  },
  {
@@ -1498,7 +1498,7 @@ checkOverlayEnablementMacro.serial(
    ],
    codeScanningConfig: {
      "query-filters": [{ include: { "security-severity": "high" } }],
-    } as UserConfig,
+    },
    isDefaultBranch: true,
  },
  {
@@ -1562,7 +1562,7 @@ checkOverlayEnablementMacro.serial(
    features: [Feature.OverlayAnalysis, Feature.OverlayAnalysisJavascript],
    codeScanningConfig: {
      packs: ["some-custom-pack@1.0.0"],
-    } as UserConfig,
+    },
    isPullRequest: true,
  },
  {
@@ -1705,7 +1705,7 @@ checkOverlayEnablementMacro.serial(
    ],
    codeScanningConfig: {
      "disable-default-queries": true,
-    } as UserConfig,
+    },
    isPullRequest: true,
  },
  {
@@ -1723,7 +1723,7 @@ checkOverlayEnablementMacro.serial(
    ],
    codeScanningConfig: {
      packs: ["some-custom-pack@1.0.0"],
-    } as UserConfig,
+    },
    isPullRequest: true,
  },
  {
@@ -1741,7 +1741,7 @@ checkOverlayEnablementMacro.serial(
    ],
    codeScanningConfig: {
      queries: [{ uses: "some-query.ql" }],
-    } as UserConfig,
+    },
    isPullRequest: true,
  },
  {
@@ -1759,7 +1759,7 @@ checkOverlayEnablementMacro.serial(
    ],
    codeScanningConfig: {
      "query-filters": [{ include: { "security-severity": "high" } }],
-    } as UserConfig,
+    },
    isPullRequest: true,
  },
  {
@@ -407,6 +407,7 @@ export async function getLanguages(
  return languages;
 }

+/** Parses the `languages` input into a list of languages without checking if they are supported by CodeQL. */
 export function getRawLanguagesNoAutodetect(
  languagesInput: string | undefined,
 ): string[] {
@@ -263,7 +263,7 @@ export function getArtifactSuffix(matrix: string | undefined): string {
    try {
      const matrixObject = JSON.parse(matrix);
      if (json.isObject(matrixObject)) {
-        for (const matrixKey of Object.keys(matrixObject as object).sort())
+        for (const matrixKey of Object.keys(matrixObject).sort())
          suffix += `-${matrixObject[matrixKey]}`;
      } else {
        core.warning("User-specified `matrix` input is not an object.");
@@ -451,12 +451,16 @@ test.serial(`selects CLI from defaults.json on GHES`, async (t) => {
  await withTmpDir(async (tmpDir) => {
    const features = setUpFeatureFlagTests(tmpDir);

-    const defaultCliVersion = await features.getDefaultCliVersion(
+    const defaultCliVersion = await features.getEnabledDefaultCliVersions(
      GitHubVariant.GHES,
    );
    t.deepEqual(defaultCliVersion, {
-      cliVersion: defaults.cliVersion,
-      tagName: defaults.bundleVersion,
+      enabledVersions: [
+        {
+          cliVersion: defaults.cliVersion,
+          tagName: defaults.bundleVersion,
+        },
+      ],
    });
  });
 });
@@ -482,10 +486,13 @@ for (const variant of [GitHubVariant.DOTCOM, GitHubVariant.GHEC_DR]) {
          false;
        mockFeatureFlagApiEndpoint(200, expectedFeatureEnablement);

-        const defaultCliVersion = await features.getDefaultCliVersion(variant);
+        const defaultCliVersion =
+          await features.getEnabledDefaultCliVersions(variant);
        t.deepEqual(defaultCliVersion, {
-          cliVersion: "2.20.1",
-          tagName: "codeql-bundle-v2.20.1",
+          enabledVersions: [
+            { cliVersion: "2.20.1", tagName: "codeql-bundle-v2.20.1" },
+            { cliVersion: "2.20.0", tagName: "codeql-bundle-v2.20.0" },
+          ],
          toolsFeatureFlagsValid: true,
        });
      });
@@ -500,10 +507,15 @@ for (const variant of [GitHubVariant.DOTCOM, GitHubVariant.GHEC_DR]) {
        const expectedFeatureEnablement = initializeFeatures(true);
        mockFeatureFlagApiEndpoint(200, expectedFeatureEnablement);

-        const defaultCliVersion = await features.getDefaultCliVersion(variant);
+        const defaultCliVersion =
+          await features.getEnabledDefaultCliVersions(variant);
        t.deepEqual(defaultCliVersion, {
-          cliVersion: defaults.cliVersion,
-          tagName: defaults.bundleVersion,
+          enabledVersions: [
+            {
+              cliVersion: defaults.cliVersion,
+              tagName: defaults.bundleVersion,
+            },
+          ],
          toolsFeatureFlagsValid: false,
        });
      });
@@ -529,10 +541,13 @@ for (const variant of [GitHubVariant.DOTCOM, GitHubVariant.GHEC_DR]) {
        ] = true;
        mockFeatureFlagApiEndpoint(200, expectedFeatureEnablement);

-        const defaultCliVersion = await features.getDefaultCliVersion(variant);
+        const defaultCliVersion =
+          await features.getEnabledDefaultCliVersions(variant);
        t.deepEqual(defaultCliVersion, {
-          cliVersion: "2.20.1",
-          tagName: "codeql-bundle-v2.20.1",
+          enabledVersions: [
+            { cliVersion: "2.20.1", tagName: "codeql-bundle-v2.20.1" },
+            { cliVersion: "2.20.0", tagName: "codeql-bundle-v2.20.0" },
+          ],
          toolsFeatureFlagsValid: true,
        });

@@ -29,9 +29,32 @@ const DEFAULT_VERSION_FEATURE_FLAG_SUFFIX = "_enabled";
 */
 export const CODEQL_VERSION_ZSTD_BUNDLE = "2.19.0";

-export interface CodeQLDefaultVersionInfo {
+const LINKED_CODEQL_VERSION: CodeQLVersionInfo = {
+  cliVersion: defaults.cliVersion,
+  tagName: defaults.bundleVersion,
+};
+
+export interface CodeQLVersionInfo {
+  /** The version number of the CodeQL CLI, e.g. `2.19.0`. */
  cliVersion: string;
+  /**
+   * The tag name of the CodeQL Bundle associated with this version, e.g. `codeql-bundle-v2.19.0`.
+   */
  tagName: string;
+}
+
+export interface CodeQLDefaultVersionInfo {
+  /**
+   * CodeQL CLI versions that are enabled as defaults, sorted from highest to lowest.
+   *
+   * Guaranteed to be non-empty. When feature flags are unavailable, this falls back to a single
+   * entry containing the version pinned in `defaults.json`.
+   */
+  enabledVersions: CodeQLVersionInfo[];
+  /**
+   * If accessed, whether the tools feature flags are valid, i.e. contain at least one enabled
+   * version.
+   */
  toolsFeatureFlagsValid?: boolean;
 }

@@ -72,6 +95,19 @@ export enum Feature {
  OverlayAnalysisGo = "overlay_analysis_go",
  OverlayAnalysisJava = "overlay_analysis_java",
  OverlayAnalysisJavascript = "overlay_analysis_javascript",
+  /**
+   * When set, chooses the default CodeQL CLI version as the highest version that is both enabled by
+   * feature flags and present as an overlay-base database in the Actions cache for the configured
+   * languages. Falls back to the highest feature flagged version if no intersecting overlay-base
+   * database exists in the cache.
+   */
+  OverlayAnalysisMatchCodeqlVersion = "overlay_analysis_match_codeql_version",
+  /**
+   * Like `OverlayAnalysisMatchCodeqlVersion`, but only logs a diagnostic with the version that
+   * would have been chosen instead of actually changing the default CodeQL CLI version.
+   * `OverlayAnalysisMatchCodeqlVersion` overrides this flag.
+   */
+  OverlayAnalysisMatchCodeqlVersionDryRun = "overlay_analysis_match_codeql_version_dry_run",
  OverlayAnalysisPython = "overlay_analysis_python",
  /**
   * Controls whether lower disk space requirements are used for overlay hardware checks.
@@ -277,6 +313,16 @@ export const featureConfig = {
    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_DISABLE_TRAP_CACHING",
    minimumVersion: undefined,
  },
+  [Feature.OverlayAnalysisMatchCodeqlVersion]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_MATCH_CODEQL_VERSION",
+    minimumVersion: undefined,
+  },
+  [Feature.OverlayAnalysisMatchCodeqlVersionDryRun]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_MATCH_CODEQL_VERSION_DRY_RUN",
+    minimumVersion: undefined,
+  },
  [Feature.OverlayAnalysisResourceChecksV2]: {
    defaultValue: false,
    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_RESOURCE_CHECKS_V2",
@@ -346,8 +392,12 @@ export type FeatureWithoutCLI = {
 }[keyof typeof featureConfig];

 export interface FeatureEnablement {
-  /** Gets the default version of the CodeQL tools. */
-  getDefaultCliVersion(
+  /**
+   * Returns the set of default CodeQL CLI versions to consider, sorted from
+   * highest to lowest. The first entry is the version that the CodeQL Action
+   * will use by default. The list is always non-empty.
+   */
+  getEnabledDefaultCliVersions(
    variant: util.GitHubVariant,
  ): Promise<CodeQLDefaultVersionInfo>;
  getValue(feature: FeatureWithoutCLI): Promise<boolean>;
@@ -371,12 +421,11 @@ export const FEATURE_FLAGS_FILE_NAME = "cached-feature-flags.json";
 class OfflineFeatures implements FeatureEnablement {
  constructor(protected readonly logger: Logger) {}

-  async getDefaultCliVersion(
+  async getEnabledDefaultCliVersions(
    _variant: util.GitHubVariant,
  ): Promise<CodeQLDefaultVersionInfo> {
    return {
-      cliVersion: defaults.cliVersion,
-      tagName: defaults.bundleVersion,
+      enabledVersions: [LINKED_CODEQL_VERSION],
    };
  }

@@ -386,7 +435,7 @@ class OfflineFeatures implements FeatureEnablement {
  getFeatureConfig(feature: Feature): FeatureConfig {
    // Narrow the type to FeatureConfig to avoid type errors. To avoid unsafe use of `as`, we
    // check that the required properties exist using `satisfies`.
-    return featureConfig[feature] satisfies FeatureConfig as FeatureConfig;
+    return featureConfig[feature] satisfies FeatureConfig;
  }

  /**
@@ -518,13 +567,13 @@ class Features extends OfflineFeatures {
    );
  }

-  async getDefaultCliVersion(
+  async getEnabledDefaultCliVersions(
    variant: util.GitHubVariant,
  ): Promise<CodeQLDefaultVersionInfo> {
    if (supportsFeatureFlags(variant)) {
-      return await this.gitHubFeatureFlags.getDefaultCliVersionFromFlags();
+      return await this.gitHubFeatureFlags.getEnabledDefaultCliVersionsFromFlags();
    }
-    return super.getDefaultCliVersion(variant);
+    return super.getEnabledDefaultCliVersions(variant);
  }

  /**
@@ -600,16 +649,22 @@ class GitHubFeatureFlags {
    return version;
  }

-  async getDefaultCliVersionFromFlags(): Promise<CodeQLDefaultVersionInfo> {
+  /**
+   * Returns CLI versions enabled by `default_codeql_version_*_enabled` feature
+   * flags, sorted from highest to lowest. Falls back to the version pinned in
+   * `defaults.json` if no such flags are enabled.
+   */
+  async getEnabledDefaultCliVersionsFromFlags(): Promise<CodeQLDefaultVersionInfo> {
    const response = await this.getAllFeatures();

-    const enabledFeatureFlagCliVersions = Object.entries(response)
+    const sortedCliVersions = Object.entries(response)
      .map(([f, isEnabled]) =>
        isEnabled ? this.getCliVersionFromFeatureFlag(f) : undefined,
      )
-      .filter((f): f is string => f !== undefined);
+      .filter((f): f is string => f !== undefined)
+      .sort(semver.rcompare);

-    if (enabledFeatureFlagCliVersions.length === 0) {
+    if (sortedCliVersions.length === 0) {
      // We expect at least one default CLI version to be enabled on Dotcom at any time. However if
      // the feature flags are misconfigured, rather than crashing, we fall back to the CLI version
      // shipped with the Action in defaults.json. This has the effect of immediately rolling out
@@ -625,8 +680,7 @@ class GitHubFeatureFlags {
          `shipped with the Action. This is ${defaults.cliVersion}.`,
      );
      const result: CodeQLDefaultVersionInfo = {
-        cliVersion: defaults.cliVersion,
-        tagName: defaults.bundleVersion,
+        enabledVersions: [LINKED_CODEQL_VERSION],
      };
      if (this.hasAccessedRemoteFeatureFlags) {
        result.toolsFeatureFlagsValid = false;
@@ -634,17 +688,14 @@ class GitHubFeatureFlags {
      return result;
    }

-    const maxCliVersion = enabledFeatureFlagCliVersions.reduce(
-      (maxVersion, currentVersion) =>
-        currentVersion > maxVersion ? currentVersion : maxVersion,
-      enabledFeatureFlagCliVersions[0],
-    );
    this.logger.debug(
-      `Derived default CLI version of ${maxCliVersion} from feature flags.`,
+      `Derived default CLI version of ${sortedCliVersions[0]} from feature flags.`,
    );
    return {
-      cliVersion: maxCliVersion,
-      tagName: `codeql-bundle-v${maxCliVersion}`,
+      enabledVersions: sortedCliVersions.map((cliVersion) => ({
+        cliVersion,
+        tagName: `codeql-bundle-v${cliVersion}`,
+      })),
      toolsFeatureFlagsValid: true,
    };
  }
@@ -602,7 +602,7 @@ async function testFailedSarifUpload(
  uploadFiles.resolves({
    sarifID: "42",
    statusReport: { raw_upload_size_bytes: 20, zipped_upload_size_bytes: 10 },
-  } as uploadLib.UploadResult);
+  });
  const waitForProcessing = sinon.stub(uploadLib, "waitForProcessing");

  const features = [] as Feature[];
@@ -298,16 +298,23 @@ async function run(startedAt: Date) {
      );
    }

-    const codeQLDefaultVersionInfo = await features.getDefaultCliVersion(
-      gitHubVersion.type,
-    );
+    const codeQLDefaultVersionInfo =
+      await features.getEnabledDefaultCliVersions(gitHubVersion.type);
    toolsFeatureFlagsValid = codeQLDefaultVersionInfo.toolsFeatureFlagsValid;
+    const rawLanguages = configUtils.getRawLanguagesNoAutodetect(
+      getOptionalInput("languages"),
+    );
+    const useOverlayAwareDefaultCliVersion = !!analysisKinds?.includes(
+      AnalysisKind.CodeScanning,
+    );
    const initCodeQLResult = await initCodeQL(
      getOptionalInput("tools"),
      apiDetails,
      getTemporaryDirectory(),
      gitHubVersion.type,
      codeQLDefaultVersionInfo,
+      rawLanguages,
+      useOverlayAwareDefaultCliVersion,
      features,
      logger,
    );
@@ -39,6 +39,8 @@ export async function initCodeQL(
  tempDir: string,
  variant: util.GitHubVariant,
  defaultCliVersion: CodeQLDefaultVersionInfo,
+  rawLanguages: string[] | undefined,
+  useOverlayAwareDefaultCliVersion: boolean,
  features: FeatureEnablement,
  logger: Logger,
 ): Promise<{
@@ -61,6 +63,8 @@ export async function initCodeQL(
    tempDir,
    variant,
    defaultCliVersion,
+    rawLanguages,
+    useOverlayAwareDefaultCliVersion,
    features,
    logger,
    true,
@@ -380,6 +380,32 @@ test.serial(
  },
 );

+test.serial(
+  "getCodeQlVersionsForOverlayBaseDatabases de-duplicates resolved language aliases",
+  async (t) => {
+    const logger = getRunnerLogger(true);
+
+    sinon.stub(apiClient, "getAutomationID").resolves("test-automation-id/");
+    const listActionsCachesStub = sinon
+      .stub(apiClient, "listActionsCaches")
+      .resolves([
+        {
+          key: "codeql-overlay-base-database-1-c5666c509a2d9895-javascript_python-2.25.0-abc123-1-1",
+        },
+      ]);
+
+    const result = await getCodeQlVersionsForOverlayBaseDatabases(
+      ["javascript", "typescript", "Python", "python"],
+      logger,
+    );
+    t.deepEqual(result, ["2.25.0"]);
+    sinon.assert.calledOnceWithExactly(
+      listActionsCachesStub,
+      "codeql-overlay-base-database-1-c5666c509a2d9895-javascript_python-",
+    );
+  },
+);
+
 test.serial(
  "getCodeQlVersionsForOverlayBaseDatabases ignores nightly versions with build metadata",
  async (t) => {
@@ -461,9 +461,10 @@ export async function getCodeQlVersionsForOverlayBaseDatabases(
    );
    return undefined;
  }
-  const cacheKeyPrefix = await getCacheKeyPrefixBase(
-    languages.filter((l) => l !== undefined),
-  );
+  const dedupedLanguages = [
+    ...new Set(languages.filter((l) => l !== undefined)),
+  ];
+  const cacheKeyPrefix = await getCacheKeyPrefixBase(dedupedLanguages);

  logger.debug(
    `Searching for overlay-base databases in Actions cache with ` +
@@ -7,8 +7,10 @@ import {
  getRequiredInput,
  getTemporaryDirectory,
 } from "./actions-util";
+import { AnalysisKind, getAnalysisKinds } from "./analyses";
 import { getGitHubVersion } from "./api-client";
 import { CodeQL } from "./codeql";
+import { getRawLanguagesNoAutodetect } from "./config-utils";
 import { EnvVar } from "./environment";
 import { initFeatures } from "./feature-flags";
 import { initCodeQL } from "./init";
@@ -136,16 +138,21 @@ async function run(startedAt: Date): Promise<void> {
    if (statusReportBase !== undefined) {
      await sendStatusReport(statusReportBase);
    }
-    const codeQLDefaultVersionInfo = await features.getDefaultCliVersion(
-      gitHubVersion.type,
-    );
+    const codeQLDefaultVersionInfo =
+      await features.getEnabledDefaultCliVersions(gitHubVersion.type);
    toolsFeatureFlagsValid = codeQLDefaultVersionInfo.toolsFeatureFlagsValid;
+    const rawLanguages = getRawLanguagesNoAutodetect(
+      getOptionalInput("languages"),
+    );
+    const analysisKinds = await getAnalysisKinds(logger);
    const initCodeQLResult = await initCodeQL(
      getOptionalInput("tools"),
      apiDetails,
      getTemporaryDirectory(),
      gitHubVersion.type,
      codeQLDefaultVersionInfo,
+      rawLanguages,
+      analysisKinds.includes(AnalysisKind.CodeScanning),
      features,
      logger,
    );
@@ -7,8 +7,9 @@ import * as sinon from "sinon";

 import * as actionsUtil from "./actions-util";
 import * as api from "./api-client";
-import { Feature, FeatureEnablement } from "./feature-flags";
+import { Feature } from "./feature-flags";
 import { getRunnerLogger } from "./logging";
+import { getCacheRestoreKeyPrefix } from "./overlay/caching";
 import * as setupCodeql from "./setup-codeql";
 import * as tar from "./tar";
 import {
@@ -18,8 +19,8 @@ import {
  SAMPLE_DOTCOM_API_DETAILS,
  checkExpectedLogMessages,
  createFeatures,
+  createTestConfig,
  getRecordingLogger,
-  initializeFeatures,
  makeMacro,
  mockBundleDownloadApi,
  setupActionsVars,
@@ -34,14 +35,6 @@ import {

 setupTests(test);

-// TODO: Remove when when we no longer need to pass in features (https://github.com/github/codeql-action/issues/2600)
-const expectedFeatureEnablement: FeatureEnablement = initializeFeatures(
-  true,
-) as FeatureEnablement;
-expectedFeatureEnablement.getValue = function (feature: Feature) {
-  // eslint-disable-next-line @typescript-eslint/no-unsafe-return
-  return expectedFeatureEnablement[feature];
-};
 test.beforeEach(() => {
  initializeEnvironment("1.2.3");
 });
@@ -108,6 +101,8 @@ test.serial(
      const source = await setupCodeql.getCodeQLSource(
        `https://github.com/github/codeql-action/releases/download/${tagName}/codeql-bundle-linux64.tar.gz`,
        SAMPLE_DEFAULT_CLI_VERSION,
+        undefined, // rawLanguages
+        false, // useOverlayAwareDefaultCliVersion
        SAMPLE_DOTCOM_API_DETAILS,
        GitHubVariant.DOTCOM,
        false,
@@ -131,6 +126,8 @@ test.serial(
      const source = await setupCodeql.getCodeQLSource(
        "linked",
        SAMPLE_DEFAULT_CLI_VERSION,
+        undefined, // rawLanguages
+        false, // useOverlayAwareDefaultCliVersion
        SAMPLE_DOTCOM_API_DETAILS,
        GitHubVariant.DOTCOM,
        false,
@@ -156,6 +153,8 @@ test.serial(
      const source = await setupCodeql.getCodeQLSource(
        "latest",
        SAMPLE_DEFAULT_CLI_VERSION,
+        undefined, // rawLanguages
+        false, // useOverlayAwareDefaultCliVersion
        SAMPLE_DOTCOM_API_DETAILS,
        GitHubVariant.DOTCOM,
        false,
@@ -212,6 +211,8 @@ test.serial(
        "tmp/codeql_action_test/",
        GitHubVariant.DOTCOM,
        SAMPLE_DEFAULT_CLI_VERSION,
+        undefined, // rawLanguages
+        false, // useOverlayAwareDefaultCliVersion
        features,
        logger,
      );
@@ -267,6 +268,8 @@ test.serial(
        "tmp/codeql_action_test/",
        GitHubVariant.DOTCOM,
        SAMPLE_DEFAULT_CLI_VERSION,
+        undefined, // rawLanguages
+        false, // useOverlayAwareDefaultCliVersion
        features,
        logger,
      );
@@ -318,6 +321,8 @@ test.serial(
      const source = await setupCodeql.getCodeQLSource(
        "nightly",
        SAMPLE_DEFAULT_CLI_VERSION,
+        undefined, // rawLanguages
+        false, // useOverlayAwareDefaultCliVersion
        SAMPLE_DOTCOM_API_DETAILS,
        GitHubVariant.DOTCOM,
        false,
@@ -379,6 +384,8 @@ test.serial(
      const source = await setupCodeql.getCodeQLSource(
        undefined,
        SAMPLE_DEFAULT_CLI_VERSION,
+        undefined, // rawLanguages
+        false, // useOverlayAwareDefaultCliVersion
        SAMPLE_DOTCOM_API_DETAILS,
        GitHubVariant.DOTCOM,
        false,
@@ -433,6 +440,8 @@ test.serial(
      const source = await setupCodeql.getCodeQLSource(
        "toolcache",
        SAMPLE_DEFAULT_CLI_VERSION,
+        undefined, // rawLanguages
+        false, // useOverlayAwareDefaultCliVersion
        SAMPLE_DOTCOM_API_DETAILS,
        GitHubVariant.DOTCOM,
        false,
@@ -500,6 +509,8 @@ const toolcacheInputFallbackMacro = makeMacro({
      const source = await setupCodeql.getCodeQLSource(
        "toolcache",
        SAMPLE_DEFAULT_CLI_VERSION,
+        undefined, // rawLanguages
+        false, // useOverlayAwareDefaultCliVersion
        SAMPLE_DOTCOM_API_DETAILS,
        GitHubVariant.DOTCOM,
        false,
@@ -515,7 +526,10 @@ const toolcacheInputFallbackMacro = makeMacro({

      // Check that `sourceType` and `toolsVersion` match expectations.
      t.is(source.sourceType, "download");
-      t.is(source.toolsVersion, SAMPLE_DEFAULT_CLI_VERSION.cliVersion);
+      t.is(
+        source.toolsVersion,
+        SAMPLE_DEFAULT_CLI_VERSION.enabledVersions[0].cliVersion,
+      );

      // Check that key messages we would expect to find in the log are present.
      for (const expectedMessage of expectedMessages) {
@@ -596,3 +610,288 @@ test.serial(
    t.is(setupCodeql.getLatestToolcacheVersion(getRunnerLogger(true)), "3.2.1");
  },
 );
+
+const overlayMatchEnabledVersions = {
+  enabledVersions: [
+    { cliVersion: "2.20.2", tagName: "codeql-bundle-v2.20.2" },
+    { cliVersion: "2.20.1", tagName: "codeql-bundle-v2.20.1" },
+    { cliVersion: "2.20.0", tagName: "codeql-bundle-v2.20.0" },
+  ],
+  toolsFeatureFlagsValid: true,
+};
+
+async function fakeOverlayBaseCacheKey(
+  language: string,
+  cliVersion: string,
+  suffix: string,
+): Promise<string> {
+  const prefix = await getCacheRestoreKeyPrefix(
+    createTestConfig({ languages: [language] }),
+    cliVersion,
+  );
+  return `${prefix}${suffix}`;
+}
+
+test.serial(
+  "getCodeQLSource uses overlay-aware default version when requested for a PR",
+  async (t) => {
+    await withTmpDir(async (tmpDir) => {
+      setupActionsVars(tmpDir, tmpDir);
+      process.env["CODE_SCANNING_REF"] = "refs/heads/feature-branch";
+      process.env["CODE_SCANNING_BASE_BRANCH"] = "main";
+
+      sinon.stub(api, "getAutomationID").resolves("test/");
+      const listStub = sinon.stub(api, "listActionsCaches").resolves([
+        {
+          key: await fakeOverlayBaseCacheKey("javascript", "2.20.1", "abc-1-1"),
+        },
+      ]);
+      sinon
+        .stub(toolcache, "find")
+        .withArgs("CodeQL", "2.20.1")
+        .returns("/path/to/codeql-2.20.1");
+
+      const source = await setupCodeql.getCodeQLSource(
+        undefined,
+        overlayMatchEnabledVersions,
+        ["javascript"],
+        true,
+        SAMPLE_DOTCOM_API_DETAILS,
+        GitHubVariant.DOTCOM,
+        false,
+        createFeatures([Feature.OverlayAnalysisMatchCodeqlVersion]),
+        getRunnerLogger(true),
+      );
+
+      t.assert(listStub.calledOnce);
+      t.is(source.sourceType, "toolcache");
+      t.is(source.toolsVersion, "2.20.1");
+    });
+  },
+);
+
+test.serial(
+  "getCodeQLSource skips overlay-aware default version when not requested",
+  async (t) => {
+    await withTmpDir(async (tmpDir) => {
+      setupActionsVars(tmpDir, tmpDir);
+      process.env["CODE_SCANNING_REF"] = "refs/heads/feature-branch";
+      process.env["CODE_SCANNING_BASE_BRANCH"] = "main";
+
+      sinon.stub(api, "getAutomationID").resolves("test/");
+      const listStub = sinon.stub(api, "listActionsCaches").resolves([
+        {
+          key: await fakeOverlayBaseCacheKey("javascript", "2.20.1", "abc-1-1"),
+        },
+      ]);
+      sinon
+        .stub(toolcache, "find")
+        .withArgs("CodeQL", "2.20.2")
+        .returns("/path/to/codeql-2.20.2");
+
+      const source = await setupCodeql.getCodeQLSource(
+        undefined,
+        overlayMatchEnabledVersions,
+        ["javascript"],
+        false,
+        SAMPLE_DOTCOM_API_DETAILS,
+        GitHubVariant.DOTCOM,
+        false,
+        createFeatures([Feature.OverlayAnalysisMatchCodeqlVersion]),
+        getRunnerLogger(true),
+      );
+
+      t.assert(listStub.notCalled);
+      t.is(source.sourceType, "toolcache");
+      t.is(source.toolsVersion, "2.20.2");
+    });
+  },
+);
+
+test.serial(
+  "getEnabledVersionsWithOverlayBaseDatabases returns flag-enabled versions present in cache, sorted desc",
+  async (t) => {
+    sinon.stub(api, "getAutomationID").resolves("test/");
+    sinon.stub(api, "listActionsCaches").resolves([
+      // Flag-enabled versions present in the cache, listed in non-descending
+      // order so the test exercises the sort.
+      {
+        key: await fakeOverlayBaseCacheKey("javascript", "2.20.0", "ghi-3-1"),
+      },
+      {
+        key: await fakeOverlayBaseCacheKey("javascript", "2.20.1", "def-2-1"),
+      },
+      // Newer than any flag-enabled version: should be filtered out.
+      {
+        key: await fakeOverlayBaseCacheKey("javascript", "2.21.0", "abc-1-1"),
+      },
+    ]);
+
+    const result = await setupCodeql.getEnabledVersionsWithOverlayBaseDatabases(
+      overlayMatchEnabledVersions,
+      ["javascript"],
+      createFeatures([Feature.OverlayAnalysisMatchCodeqlVersion]),
+      getRunnerLogger(true),
+    );
+    t.deepEqual(result, [
+      { cliVersion: "2.20.1", tagName: "codeql-bundle-v2.20.1" },
+      { cliVersion: "2.20.0", tagName: "codeql-bundle-v2.20.0" },
+    ]);
+  },
+);
+
+test.serial(
+  "getEnabledVersionsWithOverlayBaseDatabases returns empty when no cached version is flag-enabled",
+  async (t) => {
+    sinon.stub(api, "getAutomationID").resolves("test/");
+    sinon.stub(api, "listActionsCaches").resolves([
+      {
+        key: await fakeOverlayBaseCacheKey("javascript", "2.19.0", "abc-1-1"),
+      },
+    ]);
+
+    const result = await setupCodeql.getEnabledVersionsWithOverlayBaseDatabases(
+      overlayMatchEnabledVersions,
+      ["javascript"],
+      createFeatures([Feature.OverlayAnalysisMatchCodeqlVersion]),
+      getRunnerLogger(true),
+    );
+    t.deepEqual(result, []);
+  },
+);
+
+const noLanguagesMacro = makeMacro({
+  exec: async (
+    t: ExecutionContext<unknown>,
+    rawLanguages: string[] | undefined,
+  ) => {
+    const listStub = sinon.stub(api, "listActionsCaches").resolves([]);
+
+    const result = await setupCodeql.getEnabledVersionsWithOverlayBaseDatabases(
+      overlayMatchEnabledVersions,
+      rawLanguages,
+      createFeatures([Feature.OverlayAnalysisMatchCodeqlVersion]),
+      getRunnerLogger(true),
+    );
+    t.deepEqual(result, []);
+    t.assert(
+      listStub.notCalled,
+      "Should not list Actions caches without any rawLanguages.",
+    );
+  },
+  title: (providedTitle = "") =>
+    `getEnabledVersionsWithOverlayBaseDatabases does not list caches when rawLanguages is ${providedTitle}`,
+});
+
+noLanguagesMacro.serial("undefined", undefined);
+noLanguagesMacro.serial("an empty array", []);
+
+test.serial(
+  "getEnabledVersionsWithOverlayBaseDatabases returns empty when listing caches throws",
+  async (t) => {
+    sinon.stub(api, "getAutomationID").resolves("test/");
+    sinon.stub(api, "listActionsCaches").rejects(new Error("listing failed"));
+
+    const result = await setupCodeql.getEnabledVersionsWithOverlayBaseDatabases(
+      overlayMatchEnabledVersions,
+      ["javascript"],
+      createFeatures([Feature.OverlayAnalysisMatchCodeqlVersion]),
+      getRunnerLogger(true),
+    );
+    t.deepEqual(result, []);
+  },
+);
+
+test.serial(
+  "getEnabledVersionsWithOverlayBaseDatabases returns versions present in the cache",
+  async (t) => {
+    sinon.stub(api, "getAutomationID").resolves("test/");
+    sinon.stub(api, "listActionsCaches").resolves([
+      {
+        key: await fakeOverlayBaseCacheKey("javascript", "2.20.2", "abc-1-1"),
+      },
+    ]);
+
+    const result = await setupCodeql.getEnabledVersionsWithOverlayBaseDatabases(
+      overlayMatchEnabledVersions,
+      ["javascript"],
+      createFeatures([Feature.OverlayAnalysisMatchCodeqlVersion]),
+      getRunnerLogger(true),
+    );
+    t.deepEqual(result, [
+      { cliVersion: "2.20.2", tagName: "codeql-bundle-v2.20.2" },
+    ]);
+  },
+);
+
+test.serial(
+  "getEnabledVersionsWithOverlayBaseDatabases does not list caches when both gates are off",
+  async (t) => {
+    const listStub = sinon.stub(api, "listActionsCaches").resolves([]);
+
+    const result = await setupCodeql.getEnabledVersionsWithOverlayBaseDatabases(
+      overlayMatchEnabledVersions,
+      ["javascript"],
+      createFeatures([]),
+      getRunnerLogger(true),
+    );
+    t.deepEqual(result, []);
+    t.assert(
+      listStub.notCalled,
+      "Should not list Actions caches when both gating feature flags are off.",
+    );
+  },
+);
+
+test.serial(
+  "getEnabledVersionsWithOverlayBaseDatabases dry-run returns empty but lists caches",
+  async (t) => {
+    sinon.stub(api, "getAutomationID").resolves("test/");
+    const listStub = sinon.stub(api, "listActionsCaches").resolves([
+      {
+        key: await fakeOverlayBaseCacheKey("javascript", "2.20.1", "abc-1-1"),
+      },
+    ]);
+
+    const result = await setupCodeql.getEnabledVersionsWithOverlayBaseDatabases(
+      overlayMatchEnabledVersions,
+      ["javascript"],
+      createFeatures([Feature.OverlayAnalysisMatchCodeqlVersionDryRun]),
+      getRunnerLogger(true),
+    );
+    t.deepEqual(
+      result,
+      [],
+      "Dry-run should return an empty list so the caller falls back.",
+    );
+    t.assert(
+      listStub.calledOnce,
+      "Dry-run should still list Actions caches to populate the diagnostic.",
+    );
+  },
+);
+
+test.serial(
+  "getEnabledVersionsWithOverlayBaseDatabases match flag wins over dry-run",
+  async (t) => {
+    sinon.stub(api, "getAutomationID").resolves("test/");
+    sinon.stub(api, "listActionsCaches").resolves([
+      {
+        key: await fakeOverlayBaseCacheKey("javascript", "2.20.1", "abc-1-1"),
+      },
+    ]);
+
+    const result = await setupCodeql.getEnabledVersionsWithOverlayBaseDatabases(
+      overlayMatchEnabledVersions,
+      ["javascript"],
+      createFeatures([
+        Feature.OverlayAnalysisMatchCodeqlVersion,
+        Feature.OverlayAnalysisMatchCodeqlVersionDryRun,
+      ]),
+      getRunnerLogger(true),
+    );
+    t.deepEqual(result, [
+      { cliVersion: "2.20.1", tagName: "codeql-bundle-v2.20.1" },
+    ]);
+  },
+);
@@ -7,17 +7,27 @@ import { default as deepEqual } from "fast-deep-equal";
 import * as semver from "semver";
 import { v4 as uuidV4 } from "uuid";

-import { isDynamicWorkflow, isRunningLocalAction } from "./actions-util";
+import {
+  isAnalyzingPullRequest,
+  isDynamicWorkflow,
+  isRunningLocalAction,
+} from "./actions-util";
 import * as api from "./api-client";
 import * as defaults from "./defaults.json";
-import { addNoLanguageDiagnostic, makeDiagnostic } from "./diagnostics";
+import {
+  addNoLanguageDiagnostic,
+  makeDiagnostic,
+  makeTelemetryDiagnostic,
+} from "./diagnostics";
 import {
  CODEQL_VERSION_ZSTD_BUNDLE,
  CodeQLDefaultVersionInfo,
+  CodeQLVersionInfo,
  Feature,
  FeatureEnablement,
 } from "./feature-flags";
 import { Logger } from "./logging";
+import { getCodeQlVersionsForOverlayBaseDatabases } from "./overlay/caching";
 import * as tar from "./tar";
 import {
  downloadAndExtract,
@@ -264,12 +274,131 @@ async function findOverridingToolsInCache(
  return undefined;
 }

+/**
+ * Returns the sorted set of enabled versions that have cached overlay-base databases for the
+ * given languages, or an empty list if neither the `OverlayAnalysisMatchCodeqlVersion` nor the
+ * `OverlayAnalysisMatchCodeqlVersionDryRun` feature flag is enabled. When only the dry-run flag
+ * is enabled, this performs the lookup and emits a telemetry diagnostic with the version that
+ * would have been chosen, but still returns an empty list so the caller falls back.
+ */
+export async function getEnabledVersionsWithOverlayBaseDatabases(
+  defaultCliVersion: CodeQLDefaultVersionInfo,
+  rawLanguages: string[] | undefined,
+  features: FeatureEnablement,
+  logger: Logger,
+): Promise<CodeQLVersionInfo[]> {
+  if (rawLanguages === undefined || rawLanguages.length === 0) {
+    return [];
+  }
+  const isEnabled = await features.getValue(
+    Feature.OverlayAnalysisMatchCodeqlVersion,
+  );
+  const isDryRun =
+    !isEnabled &&
+    (await features.getValue(Feature.OverlayAnalysisMatchCodeqlVersionDryRun));
+  if (!isEnabled && !isDryRun) {
+    return [];
+  }
+
+  let cachedVersions: string[] | undefined;
+  try {
+    cachedVersions = await getCodeQlVersionsForOverlayBaseDatabases(
+      rawLanguages,
+      logger,
+    );
+  } catch (e) {
+    logger.warning(
+      "Could not list overlay-base databases in the Actions cache while choosing a default " +
+        `CodeQL CLI version, falling back to the highest enabled version. Details: ${util.getErrorMessage(e)}`,
+    );
+    return [];
+  }
+
+  if (cachedVersions === undefined || cachedVersions.length === 0) {
+    return [];
+  }
+
+  const cachedVersionsSet = new Set(cachedVersions);
+  const overlayVersions = defaultCliVersion.enabledVersions.filter((v) =>
+    cachedVersionsSet.has(v.cliVersion),
+  );
+
+  if (overlayVersions.length === 0) {
+    return [];
+  }
+
+  const isCachedVersionDifferent =
+    overlayVersions[0].cliVersion !==
+    defaultCliVersion.enabledVersions[0].cliVersion;
+
+  if (isCachedVersionDifferent) {
+    addNoLanguageDiagnostic(
+      undefined,
+      makeTelemetryDiagnostic(
+        "codeql-action/overlay-aware-default-codeql-version",
+        "Overlay-aware default CodeQL version selection",
+        {
+          cachedVersions,
+          enabledVersions: defaultCliVersion.enabledVersions.map(
+            (v) => v.cliVersion,
+          ),
+          isDryRun,
+          overlayAwareVersion: overlayVersions[0].cliVersion,
+        },
+      ),
+    );
+  }
+
+  if (isDryRun) {
+    logger.debug(
+      `Overlay-aware default CodeQL version selection is running in dry-run mode. Would have used version ${overlayVersions[0].cliVersion}.`,
+    );
+    return [];
+  }
+
+  return overlayVersions;
+}
+
+/**
+ * Resolves the newest enabled default CLI version that has a cached overlay-base database for the
+ * relevant languages, if running a Code Scanning analysis for a pull request and one exists.
+ * Otherwise, falls back to the newest enabled default CLI version.
+ */
+async function resolveDefaultCliVersion(
+  defaultCliVersion: CodeQLDefaultVersionInfo,
+  rawLanguages: string[] | undefined,
+  useOverlayAwareDefaultCliVersion: boolean,
+  features: FeatureEnablement,
+  logger: Logger,
+): Promise<CodeQLVersionInfo> {
+  if (!useOverlayAwareDefaultCliVersion || !isAnalyzingPullRequest()) {
+    return defaultCliVersion.enabledVersions[0];
+  }
+
+  const overlayVersions = await getEnabledVersionsWithOverlayBaseDatabases(
+    defaultCliVersion,
+    rawLanguages,
+    features,
+    logger,
+  );
+  if (overlayVersions.length > 0) {
+    logger.info(
+      `Using CodeQL version ${overlayVersions[0].cliVersion} since this is the ` +
+        `highest enabled version that has a cached overlay-base database.`,
+    );
+    return overlayVersions[0];
+  }
+  return defaultCliVersion.enabledVersions[0];
+}
+
 /**
 * Determines where the CodeQL CLI we want to use comes from. This can be from a local file,
 * the Actions toolcache, or a download.
 *
 * @param toolsInput The argument provided for the `tools` input, if any.
 * @param defaultCliVersion The default CLI version that's linked to the CodeQL Action.
+ * @param rawLanguages Raw set of languages.
+ * @param useOverlayAwareDefaultCliVersion Whether to select an overlay-aware default CLI version.
 * @param apiDetails Information about the GitHub API.
 * @param variant The GitHub variant we are running on.
 * @param tarSupportsZstd Whether zstd is supported by `tar`.
@@ -281,6 +410,8 @@ async function findOverridingToolsInCache(
 export async function getCodeQLSource(
  toolsInput: string | undefined,
  defaultCliVersion: CodeQLDefaultVersionInfo,
+  rawLanguages: string[] | undefined,
+  useOverlayAwareDefaultCliVersion: boolean,
  apiDetails: api.GitHubApiDetails,
  variant: util.GitHubVariant,
  tarSupportsZstd: boolean,
@@ -438,8 +569,15 @@ export async function getCodeQLSource(
        }
      }

-      cliVersion = defaultCliVersion.cliVersion;
-      tagName = defaultCliVersion.tagName;
+      const version = await resolveDefaultCliVersion(
+        defaultCliVersion,
+        rawLanguages,
+        useOverlayAwareDefaultCliVersion,
+        features,
+        logger,
+      );
+      cliVersion = version.cliVersion;
+      tagName = version.tagName;
    }
  } else if (toolsInput !== undefined) {
    // If a tools URL was provided, then use that.
@@ -454,9 +592,15 @@ export async function getCodeQLSource(
      }
    }
  } else {
-    // Otherwise, use the default CLI version passed in.
-    cliVersion = defaultCliVersion.cliVersion;
-    tagName = defaultCliVersion.tagName;
+    const version = await resolveDefaultCliVersion(
+      defaultCliVersion,
+      rawLanguages,
+      useOverlayAwareDefaultCliVersion,
+      features,
+      logger,
+    );
+    cliVersion = version.cliVersion;
+    tagName = version.tagName;
  }

  const bundleVersion =
@@ -791,6 +935,8 @@ export async function setupCodeQLBundle(
  tempDir: string,
  variant: util.GitHubVariant,
  defaultCliVersion: CodeQLDefaultVersionInfo,
+  rawLanguages: string[] | undefined,
+  useOverlayAwareDefaultCliVersion: boolean,
  features: FeatureEnablement,
  logger: Logger,
 ): Promise<SetupCodeQLResult> {
@@ -804,6 +950,8 @@ export async function setupCodeQLBundle(
  const source = await getCodeQLSource(
    toolsInput,
    defaultCliVersion,
+    rawLanguages,
+    useOverlayAwareDefaultCliVersion,
    apiDetails,
    variant,
    zstdAvailability.available,
@@ -1010,8 +1010,10 @@ test.serial(
        return true;
      });
      const getDefaultCliVersion = sinon
-        .stub(features, "getDefaultCliVersion")
-        .resolves({ cliVersion: "2.20.1", tagName: expectedTag });
+        .stub(features, "getEnabledDefaultCliVersions")
+        .resolves({
+          enabledVersions: [{ cliVersion: "2.20.1", tagName: expectedTag }],
+        });
      const path = await startProxyExports.getProxyBinaryPath(logger, features);

      t.assert(getDefaultCliVersion.calledOnce);
@@ -415,7 +415,7 @@ async function getCliVersionFromFeatures(
  features: FeatureEnablement,
 ): Promise<CodeQLDefaultVersionInfo> {
  const gitHubVersion = await getGitHubVersion();
-  return await features.getDefaultCliVersion(gitHubVersion.type);
+  return await features.getEnabledDefaultCliVersions(gitHubVersion.type);
 }

 /**
@@ -440,7 +440,7 @@ export async function getDownloadUrl(
    // Retrieve information about the CLI version we should use. This will be either the linked
    // version, or the one enabled by FFs.
    const versionInfo = useFeaturesToDetermineCLI
-      ? await getCliVersionFromFeatures(features)
+      ? (await getCliVersionFromFeatures(features)).enabledVersions[0]
      : {
          cliVersion: defaults.cliVersion,
          tagName: defaults.bundleVersion,
@@ -40,16 +40,20 @@ export const SAMPLE_DOTCOM_API_DETAILS = {
  apiURL: "https://api.github.com",
 };

-export const SAMPLE_DEFAULT_CLI_VERSION: CodeQLDefaultVersionInfo = {
-  cliVersion: "2.20.0",
-  tagName: "codeql-bundle-v2.20.0",
-};
-
 export const LINKED_CLI_VERSION = {
  cliVersion: defaults.cliVersion,
  tagName: defaults.bundleVersion,
 };

+export const SAMPLE_DEFAULT_CLI_VERSION: CodeQLDefaultVersionInfo = {
+  enabledVersions: [
+    {
+      cliVersion: "2.20.0",
+      tagName: "codeql-bundle-v2.20.0",
+    },
+  ],
+};
+
 type TestContext = {
  stdoutWrite: any;
  stderrWrite: any;
@@ -466,7 +470,7 @@ export function mockCodeQLVersion(
 */
 export function createFeatures(enabledFeatures: Feature[]): FeatureEnablement {
  return {
-    getDefaultCliVersion: async () => {
+    getEnabledDefaultCliVersions: async () => {
      throw new Error("not implemented");
    },
    getValue: async (feature) => {
@@ -156,9 +156,8 @@ async function combineSarifFilesUsingCLI(
      apiURL: getRequiredEnvParam("GITHUB_API_URL"),
    };

-    const codeQLDefaultVersionInfo = await features.getDefaultCliVersion(
-      gitHubVersion.type,
-    );
+    const codeQLDefaultVersionInfo =
+      await features.getEnabledDefaultCliVersions(gitHubVersion.type);

    const initCodeQLResult = await initCodeQL(
      undefined, // There is no tools input on the upload action
@@ -166,6 +165,8 @@ async function combineSarifFilesUsingCLI(
      tempDir,
      gitHubVersion.type,
      codeQLDefaultVersionInfo,
+      undefined, // rawLanguages: upload-lib does not run analysis
+      false, // useOverlayAwareDefaultCliVersion: upload-lib does not run analysis
      features,
      logger,
    );
@@ -67,7 +67,7 @@ const postProcessAndUploadSarifMacro = makeMacro({
        const analysisConfig = getAnalysisConfig(analysisKind);
        uploadPostProcessedFiles
          .withArgs(logger, sinon.match.any, analysisConfig, sinon.match.any)
-          .resolves(expectedResult[analysisKind as AnalysisKind]?.uploadResult);
+          .resolves(expectedResult[analysisKind]?.uploadResult);
      }

      const fullSarifPaths = sarifFiles.map(toFullPath);
@@ -422,7 +422,7 @@ async function testLanguageAliases(
          ],
        },
      },
-    } as Workflow,
+    },
    codeql,
  );
Author	SHA1	Message	Date
Henry Mercer	b4ea7aa65a	Improve tests	2026-05-08 19:16:48 +01:00
Henry Mercer	87ac48dae6	Improve error message	2026-05-08 19:16:47 +01:00
Henry Mercer	42d7f62579	Remove dead code	2026-05-08 19:16:46 +01:00
Henry Mercer	540699dcca	Remove `makeOverlayMatchFeatures` indirection	2026-05-08 19:14:05 +01:00
Henry Mercer	9a85234875	Add JSDoc for `getRawLanguagesNoAutodetect`	2026-05-08 19:14:05 +01:00
Henry Mercer	2a950b930c	Enable overlay-aware version selection in `setup-codeql`	2026-05-08 19:14:05 +01:00
Henry Mercer	4f815a68d3	Minor: Introduce constant to avoid duplication	2026-05-08 19:14:04 +01:00
Henry Mercer	0aedbb71d8	Merge branch 'main' into henrymercer/overlay-match-codeql-version	2026-05-08 19:10:45 +01:00
Henry Mercer	868e2ea564	Merge pull request #3886 from github/mergeback/v4.35.4-to-main-68bde559 Mergeback v4.35.4 refs/heads/releases/v4 into main	2026-05-08 14:25:20 +00:00
Henry Mercer	792c223bc1	Merge pull request #3875 from github/dependabot/npm_and_yarn/npm-minor-c8e071f5f8 Bump the npm-minor group across 1 directory with 4 updates	2026-05-08 14:25:05 +00:00
Henry Mercer	efc9b0a9e3	Improve changelog note Co-authored-by: Michael B. Gale <mbg@github.com>	2026-05-07 18:44:08 +01:00
github-actions[bot]	272ada693f	Rebuild	2026-05-07 15:58:38 +00:00
github-actions[bot]	610a6682b6	Merge remote-tracking branch 'origin/main' into mergeback/v4.35.4-to-main-68bde559	2026-05-07 15:57:56 +00:00
github-actions[bot]	1627096569	Update changelog and version after v4.35.4	2026-05-07 15:54:04 +00:00
Henry Mercer	b81d0d250f	Merge pull request #3874 from github/henrymercer/slow-tests-ci-only Tests: Run slow `scanArtifactsForTokens` test in CI only by default	2026-05-07 15:04:47 +00:00
Michael B. Gale	a16cb53dd8	Merge pull request #3884 from github/mbg/dev/no-build-metadata Do not run `bundle-metadata.ts` as part of `npm run build`	2026-05-07 15:02:21 +00:00
Henry Mercer	0c80cee806	Add explicit error on Windows	2026-05-07 15:39:42 +01:00
Michael B. Gale	d032ee8c47	Do not run `bundle-metadata.ts` as part of `npm run build`	2026-05-07 15:38:28 +01:00
Henry Mercer	7525c68ea1	Nit: Dedupe languages	2026-05-07 11:01:15 +01:00
Henry Mercer	01bc9be56a	Filter to code scanning only	2026-05-07 11:00:54 +01:00
Henry Mercer	817b68489e	Merge branch 'main' into henrymercer/overlay-match-codeql-version	2026-05-06 19:20:52 +01:00
Henry Mercer	1b5632783c	Add changelog note	2026-05-06 19:13:25 +01:00
github-actions[bot]	1848b73afa	Rebuild	2026-05-06 18:01:54 +00:00
dependabot[bot]	d1e9792bc8	Bump the npm-minor group across 1 directory with 4 updates Bumps the npm-minor group with 4 updates in the / directory: [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node), [eslint](https://github.com/eslint/eslint), [typescript](https://github.com/microsoft/TypeScript) and [typescript-eslint](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/typescript-eslint). Updates `@types/node` from 20.19.9 to 20.19.39 - [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases) - [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node) Updates `eslint` from 9.39.2 to 9.39.4 - [Release notes](https://github.com/eslint/eslint/releases) - [Commits](https://github.com/eslint/eslint/compare/v9.39.2...v9.39.4) Updates `typescript` from 6.0.2 to 6.0.3 - [Release notes](https://github.com/microsoft/TypeScript/releases) - [Commits](https://github.com/microsoft/TypeScript/compare/v6.0.2...v6.0.3) Updates `typescript-eslint` from 8.58.2 to 8.59.1 - [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases) - [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/typescript-eslint/CHANGELOG.md) - [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v8.59.1/packages/typescript-eslint) --- updated-dependencies: - dependency-name: "@types/node" dependency-version: 20.19.39 dependency-type: direct:development update-type: version-update:semver-patch dependency-group: npm-minor - dependency-name: eslint dependency-version: 9.39.4 dependency-type: direct:development update-type: version-update:semver-patch dependency-group: npm-minor - dependency-name: typescript dependency-version: 6.0.3 dependency-type: direct:development update-type: version-update:semver-patch dependency-group: npm-minor - dependency-name: typescript-eslint dependency-version: 8.59.1 dependency-type: direct:development update-type: version-update:semver-minor dependency-group: npm-minor ... Signed-off-by: dependabot[bot] <support@github.com>	2026-05-06 17:59:44 +00:00
Henry Mercer	2c9cd77837	Tests: Run slow `scanArtifactsForTokens` test in CI only by default	2026-05-06 18:45:24 +01:00
Henry Mercer	b967fdfbdc	Add dry run mode so we can dark ship	2026-05-06 18:30:24 +01:00
Henry Mercer	55d6319f96	Match CLI version to cached overlay-base database	2026-05-06 18:01:37 +01:00
Henry Mercer	b0942116d7	Expose all enabled default CLI versions	2026-05-06 17:45:56 +01:00
Henry Mercer	a796e3e4ed	Add OverlayAnalysisMatchCodeqlVersion feature flag	2026-05-06 15:14:04 +01:00