Test config with queries as list of strings

.github/codeql/codeql-config-javascript.yml

@@ -1,15 +1,6 @@
 name: "CodeQL config"
 queries: 
-  - name: Run custom queries
-    uses: ./queries
-  # Run all extra query suites, both because we want to
-  # and because it'll act as extra testing. This is why
-  # we include both even though one is a superset of the
-  # other, because we're testing the parsing logic and
-  # that the suites exist in the codeql bundle.
-  - uses: security-and-quality
-  - uses: security-experimental
-  - uses: security-extended
+  - ./queries
 paths-ignore:
   - lib
   - tests

.github/sizeup.yml

@@ -1,55 +0,0 @@
-labeling:
-  applyCategoryLabels: true
-  categoryLabelPrefix: "size/"
-
-commenting:
-  addCommentWhenScoreThresholdHasBeenExceeded: false
-
-sizeup:
-  categories:
-    - name: extra small
-      lte: 25
-      label:
-        name: XS
-        description: Should be very easy to review
-        color: 3cbf00
-    - name: small
-      lte: 100
-      label:
-        name: S
-        description: Should be easy to review
-        color: 5d9801
-    - name: medium
-      lte: 250
-      label:
-        name: M
-        description: Should be of average difficulty to review
-        color: 7f7203
-    - name: large
-      lte: 500
-      label:
-        name: L
-        description: May be hard to review
-        color: a14c05
-    - name: extra large
-      lte: 1000
-      label:
-        name: XL
-        description: May be very hard to review
-        color: c32607
-    - name: extra extra large
-      label:
-        name: XXL
-        description: May be extremely hard to review
-        color: e50009
-  ignoredFilePatterns:
-    - ".github/workflows/__*"
-    - "lib/**/*"
-    - "package-lock.json"
-  testFilePatterns:
-    - "**/*.test.ts"
-  scoring:
-    # This formula and the aliases below it are written in prefix notation.
-    # For an explanation of how this works, please see:
-    # https://github.com/lerebear/sizeup-core/blob/main/README.md#prefix-notation
-    formula: "- - + additions deletions comments whitespace"

.github/workflows/__analyze-ref-input.yml

@@ -27,11 +27,6 @@ on:
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
-      python-version:
-        type: string
-        description: The version of Python to install
-        required: false
-        default: '3.13'
   workflow_call:
     inputs:
       go-version:
@@ -39,11 +34,6 @@ on:
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
-      python-version:
-        type: string
-        description: The version of Python to install
-        required: false
-        default: '3.13'
 defaults:
   run:
     shell: bash
@@ -80,11 +70,6 @@ jobs:
         with:
           go-version: ${{ inputs.go-version || '>=1.21.0' }}
           cache: false
-      - name: Install Python
-        if: matrix.version != 'nightly-latest'
-        uses: actions/setup-python@v6
-        with:
-          python-version: ${{ inputs.python-version || '3.13' }}
       - uses: ./../action/init
         with:
           tools: ${{ steps.prepare-test.outputs.tools-url }}

.github/workflows/__bundle-from-toolcache.yml

@@ -67,9 +67,10 @@ jobs:
             if (allCodeqlVersions.length === 0) {
               throw new Error(`CodeQL could not be found in the toolcache`);
             }
-      - id: setup-codeql
-        uses: ./../action/setup-codeql
+      - id: init
+        uses: ./../action/init
         with:
+          languages: javascript
           tools: ${{ steps.prepare-test.outputs.tools-url }}
       - name: Check CodeQL is installed within the toolcache
         uses: actions/github-script@v8

.github/workflows/__bundle-zstd.yml

@@ -79,7 +79,7 @@ jobs:
           output: ${{ runner.temp }}/results
           upload-database: false
       - name: Upload SARIF
-        uses: actions/upload-artifact@v5
+        uses: actions/upload-artifact@v4
         with:
           name: ${{ matrix.os }}-zstd-bundle.sarif
           path: ${{ runner.temp }}/results/javascript.sarif

.github/workflows/__config-export.yml

@@ -67,7 +67,7 @@ jobs:
           output: ${{ runner.temp }}/results
           upload-database: false
       - name: Upload SARIF
-        uses: actions/upload-artifact@v5
+        uses: actions/upload-artifact@v4
         with:
           name: config-export-${{ matrix.os }}-${{ matrix.version }}.sarif.json
           path: ${{ runner.temp }}/results/javascript.sarif

.github/workflows/__config-input.yml

@@ -49,7 +49,7 @@ jobs:
       - name: Check out repository
         uses: actions/checkout@v5
       - name: Install Node.js
-        uses: actions/setup-node@v6
+        uses: actions/setup-node@v5
         with:
           node-version: 20.x
           cache: npm

.github/workflows/__diagnostics-export.yml

@@ -78,7 +78,7 @@ jobs:
           output: ${{ runner.temp }}/results
           upload-database: false
       - name: Upload SARIF
-        uses: actions/upload-artifact@v5
+        uses: actions/upload-artifact@v4
         with:
           name: diagnostics-export-${{ matrix.os }}-${{ matrix.version }}.sarif.json
           path: ${{ runner.temp }}/results/javascript.sarif

.github/workflows/__export-file-baseline-information.yml

@@ -85,7 +85,7 @@ jobs:
         with:
           output: ${{ runner.temp }}/results
       - name: Upload SARIF
-        uses: actions/upload-artifact@v5
+        uses: actions/upload-artifact@v4
         with:
           name: with-baseline-information-${{ matrix.os }}-${{ matrix.version }}.sarif.json
           path: ${{ runner.temp }}/results/javascript.sarif

.github/workflows/__job-run-uuid-sarif.yml

@@ -64,7 +64,7 @@ jobs:
         with:
           output: ${{ runner.temp }}/results
       - name: Upload SARIF
-        uses: actions/upload-artifact@v5
+        uses: actions/upload-artifact@v4
         with:
           name: ${{ matrix.os }}-${{ matrix.version }}.sarif.json
           path: ${{ runner.temp }}/results/javascript.sarif

.github/workflows/__local-bundle.yml

@@ -27,11 +27,6 @@ on:
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
-      python-version:
-        type: string
-        description: The version of Python to install
-        required: false
-        default: '3.13'
   workflow_call:
     inputs:
       go-version:
@@ -39,11 +34,6 @@ on:
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
-      python-version:
-        type: string
-        description: The version of Python to install
-        required: false
-        default: '3.13'
 defaults:
   run:
     shell: bash
@@ -80,11 +70,6 @@ jobs:
         with:
           go-version: ${{ inputs.go-version || '>=1.21.0' }}
           cache: false
-      - name: Install Python
-        if: matrix.version != 'nightly-latest'
-        uses: actions/setup-python@v6
-        with:
-          python-version: ${{ inputs.python-version || '3.13' }}
       - name: Fetch latest CodeQL bundle
         run: |
           wget https://github.com/github/codeql-action/releases/latest/download/codeql-bundle-linux64.tar.zst

.github/workflows/__multi-language-autodetect.yml

@@ -27,11 +27,6 @@ on:
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
-      python-version:
-        type: string
-        description: The version of Python to install
-        required: false
-        default: '3.13'
   workflow_call:
     inputs:
       go-version:
@@ -39,11 +34,6 @@ on:
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
-      python-version:
-        type: string
-        description: The version of Python to install
-        required: false
-        default: '3.13'
 defaults:
   run:
     shell: bash
@@ -114,11 +104,6 @@ jobs:
         with:
           go-version: ${{ inputs.go-version || '>=1.21.0' }}
           cache: false
-      - name: Install Python
-        if: matrix.version != 'nightly-latest'
-        uses: actions/setup-python@v6
-        with:
-          python-version: ${{ inputs.python-version || '3.13' }}
       - name: Use Xcode 16
         if: runner.os == 'macOS' && matrix.version != 'nightly-latest'
         run: sudo xcode-select -s "/Applications/Xcode_16.app"

.github/workflows/__packaging-codescanning-config-inputs-js.yml

@@ -27,11 +27,6 @@ on:
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
-      python-version:
-        type: string
-        description: The version of Python to install
-        required: false
-        default: '3.13'
   workflow_call:
     inputs:
       go-version:
@@ -39,11 +34,6 @@ on:
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
-      python-version:
-        type: string
-        description: The version of Python to install
-        required: false
-        default: '3.13'
 defaults:
   run:
     shell: bash
@@ -73,7 +63,7 @@ jobs:
       - name: Check out repository
         uses: actions/checkout@v5
       - name: Install Node.js
-        uses: actions/setup-node@v6
+        uses: actions/setup-node@v5
         with:
           node-version: 20.x
           cache: npm
@@ -91,11 +81,6 @@ jobs:
         with:
           go-version: ${{ inputs.go-version || '>=1.21.0' }}
           cache: false
-      - name: Install Python
-        if: matrix.version != 'nightly-latest'
-        uses: actions/setup-python@v6
-        with:
-          python-version: ${{ inputs.python-version || '3.13' }}
       - uses: ./../action/init
         with:
           config-file: .github/codeql/codeql-config-packaging3.yml

.github/workflows/__packaging-config-inputs-js.yml

@@ -63,7 +63,7 @@ jobs:
       - name: Check out repository
         uses: actions/checkout@v5
       - name: Install Node.js
-        uses: actions/setup-node@v6
+        uses: actions/setup-node@v5
         with:
           node-version: 20.x
           cache: npm

.github/workflows/__packaging-config-js.yml

@@ -63,7 +63,7 @@ jobs:
       - name: Check out repository
         uses: actions/checkout@v5
       - name: Install Node.js
-        uses: actions/setup-node@v6
+        uses: actions/setup-node@v5
         with:
           node-version: 20.x
           cache: npm

.github/workflows/__packaging-inputs-js.yml

@@ -63,7 +63,7 @@ jobs:
       - name: Check out repository
         uses: actions/checkout@v5
       - name: Install Node.js
-        uses: actions/setup-node@v6
+        uses: actions/setup-node@v5
         with:
           node-version: 20.x
           cache: npm

.github/workflows/__quality-queries.yml

@@ -80,10 +80,9 @@ jobs:
         with:
           output: ${{ runner.temp }}/results
           upload-database: false
-          post-processed-sarif-path: ${{ runner.temp }}/post-processed
       - name: Upload security SARIF
         if: contains(matrix.analysis-kinds, 'code-scanning')
-        uses: actions/upload-artifact@v5
+        uses: actions/upload-artifact@v4
         with:
           name: |
             quality-queries-${{ matrix.os }}-${{ matrix.version }}-${{ matrix.analysis-kinds }}.sarif.json
@@ -91,20 +90,12 @@ jobs:
           retention-days: 7
       - name: Upload quality SARIF
         if: contains(matrix.analysis-kinds, 'code-quality')
-        uses: actions/upload-artifact@v5
+        uses: actions/upload-artifact@v4
         with:
           name: |
             quality-queries-${{ matrix.os }}-${{ matrix.version }}-${{ matrix.analysis-kinds }}.quality.sarif.json
           path: ${{ runner.temp }}/results/javascript.quality.sarif
           retention-days: 7
-      - name: Upload post-processed SARIF
-        uses: actions/upload-artifact@v5
-        with:
-          name: |
-            post-processed-${{ matrix.os }}-${{ matrix.version }}-${{ matrix.analysis-kinds }}.sarif.json
-          path: ${{ runner.temp }}/post-processed
-          retention-days: 7
-          if-no-files-found: error
       - name: Check quality query does not appear in security SARIF
         if: contains(matrix.analysis-kinds, 'code-scanning')
         uses: actions/github-script@v8

.github/workflows/__remote-config.yml

@@ -27,11 +27,6 @@ on:
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
-      python-version:
-        type: string
-        description: The version of Python to install
-        required: false
-        default: '3.13'
   workflow_call:
     inputs:
       go-version:
@@ -39,11 +34,6 @@ on:
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
-      python-version:
-        type: string
-        description: The version of Python to install
-        required: false
-        default: '3.13'
 defaults:
   run:
     shell: bash
@@ -82,11 +72,6 @@ jobs:
         with:
           go-version: ${{ inputs.go-version || '>=1.21.0' }}
           cache: false
-      - name: Install Python
-        if: matrix.version != 'nightly-latest'
-        uses: actions/setup-python@v6
-        with:
-          python-version: ${{ inputs.python-version || '3.13' }}
       - uses: ./../action/init
         with:
           tools: ${{ steps.prepare-test.outputs.tools-url }}

.github/workflows/__rubocop-multi-language.yml

@@ -56,7 +56,7 @@ jobs:
           use-all-platform-bundle: 'false'
           setup-kotlin: 'true'
       - name: Set up Ruby
-        uses: ruby/setup-ruby@d5126b9b3579e429dd52e51e68624dda2e05be25 # v1.267.0
+        uses: ruby/setup-ruby@ab177d40ee5483edb974554986f56b33477e21d0 # v1.265.0
         with:
           ruby-version: 2.6
       - name: Install Code Scanning integration

.github/workflows/__unset-environment.yml

@@ -27,11 +27,6 @@ on:
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
-      python-version:
-        type: string
-        description: The version of Python to install
-        required: false
-        default: '3.13'
   workflow_call:
     inputs:
       go-version:
@@ -39,11 +34,6 @@ on:
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
-      python-version:
-        type: string
-        description: The version of Python to install
-        required: false
-        default: '3.13'
 defaults:
   run:
     shell: bash
@@ -82,11 +72,6 @@ jobs:
         with:
           go-version: ${{ inputs.go-version || '>=1.21.0' }}
           cache: false
-      - name: Install Python
-        if: matrix.version != 'nightly-latest'
-        uses: actions/setup-python@v6
-        with:
-          python-version: ${{ inputs.python-version || '3.13' }}
       - uses: ./../action/init
         id: init
         with:

.github/workflows/__upload-ref-sha-input.yml

@@ -27,11 +27,6 @@ on:
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
-      python-version:
-        type: string
-        description: The version of Python to install
-        required: false
-        default: '3.13'
   workflow_call:
     inputs:
       go-version:
@@ -39,11 +34,6 @@ on:
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
-      python-version:
-        type: string
-        description: The version of Python to install
-        required: false
-        default: '3.13'
 defaults:
   run:
     shell: bash
@@ -80,11 +70,6 @@ jobs:
         with:
           go-version: ${{ inputs.go-version || '>=1.21.0' }}
           cache: false
-      - name: Install Python
-        if: matrix.version != 'nightly-latest'
-        uses: actions/setup-python@v6
-        with:
-          python-version: ${{ inputs.python-version || '3.13' }}
       - uses: ./../action/init
         with:
           tools: ${{ steps.prepare-test.outputs.tools-url }}

.github/workflows/__upload-sarif.yml

@@ -27,11 +27,6 @@ on:
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
-      python-version:
-        type: string
-        description: The version of Python to install
-        required: false
-        default: '3.13'
   workflow_call:
     inputs:
       go-version:
@@ -39,11 +34,6 @@ on:
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
-      python-version:
-        type: string
-        description: The version of Python to install
-        required: false
-        default: '3.13'
 defaults:
   run:
     shell: bash
@@ -87,11 +77,6 @@ jobs:
         with:
           go-version: ${{ inputs.go-version || '>=1.21.0' }}
           cache: false
-      - name: Install Python
-        if: matrix.version != 'nightly-latest'
-        uses: actions/setup-python@v6
-        with:
-          python-version: ${{ inputs.python-version || '3.13' }}
       - uses: ./../action/init
         with:
           tools: ${{ steps.prepare-test.outputs.tools-url }}

.github/workflows/__with-checkout-path.yml

@@ -27,11 +27,6 @@ on:
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
-      python-version:
-        type: string
-        description: The version of Python to install
-        required: false
-        default: '3.13'
   workflow_call:
     inputs:
       go-version:
@@ -39,11 +34,6 @@ on:
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
-      python-version:
-        type: string
-        description: The version of Python to install
-        required: false
-        default: '3.13'
 defaults:
   run:
     shell: bash
@@ -80,11 +70,6 @@ jobs:
         with:
           go-version: ${{ inputs.go-version || '>=1.21.0' }}
           cache: false
-      - name: Install Python
-        if: matrix.version != 'nightly-latest'
-        uses: actions/setup-python@v6
-        with:
-          python-version: ${{ inputs.python-version || '3.13' }}
       - name: Delete original checkout
         run: |
           # delete the original checkout so we don't accidentally use it.

.github/workflows/codeql.yml

@@ -2,7 +2,6 @@ name: "CodeQL action"
 
 on:
   push:
-    branches: [main, releases/v*]
   pull_request:
     branches: [main, releases/v*]
     # Run checks on reopened draft PRs to support triggering PR checks on draft PRs that were opened

.github/workflows/codescanning-config-cli.yml

@@ -56,7 +56,7 @@ jobs:
       uses: actions/checkout@v5
 
     - name: Set up Node.js
-      uses: actions/setup-node@v6
+      uses: actions/setup-node@v5
       with:
         node-version: 24
         cache: 'npm'

.github/workflows/label-pr-size.yml

@@ -1,26 +0,0 @@
-name: Label PR with size
-
-on:
-  pull_request:
-    types:
-      - opened
-      - synchronize
-      - reopened
-      - edited
-      - ready_for_review
-
-permissions:
-  contents: read
-  pull-requests: write
-
-jobs:
-  sizeup:
-    name: Label PR with size
-    runs-on: ubuntu-latest
-
-    steps:
-      - name: Run sizeup
-        uses: lerebear/sizeup-action@b7beb3dd273e36039e16e48e7bc690c189e61951 # 0.8.12
-        with:
-          token: "${{ secrets.GITHUB_TOKEN }}"
-          configuration-file-path: ".github/sizeup.yml"

.github/workflows/post-release-mergeback.yml

@@ -47,7 +47,7 @@ jobs:
       - uses: actions/checkout@v5
         with:
           fetch-depth: 0  # ensure we have all tags and can push commits
-      - uses: actions/setup-node@v6
+      - uses: actions/setup-node@v5
 
       - name: Update git config
         run: |

.github/workflows/pr-checks.yml

@@ -35,7 +35,7 @@ jobs:
       - uses: actions/checkout@v5
 
       - name: Set up Node.js
-        uses: actions/setup-node@v6
+        uses: actions/setup-node@v5
         with:
           node-version: ${{ matrix.node-version }}
           cache: 'npm'

.github/workflows/query-filters.yml

@@ -32,7 +32,7 @@ jobs:
       uses: actions/checkout@v5
 
     - name: Install Node.js
-      uses: actions/setup-node@v6
+      uses: actions/setup-node@v5
       with:
         node-version: 24
         cache: npm

.github/workflows/update-bundle.yml

@@ -41,7 +41,7 @@ jobs:
           git config --global user.name "github-actions[bot]"
 
       - name: Set up Node.js
-        uses: actions/setup-node@v6
+        uses: actions/setup-node@v5
         with:
           node-version: 24
           cache: 'npm'

CHANGELOG.md

@@ -2,19 +2,9 @@
 
 See the [releases page](https://github.com/github/codeql-action/releases) for the relevant changes to the CodeQL CLI and language packs.
 
-## 4.31.1 - 30 Oct 2025
+## [UNRELEASED]
 
-- The `add-snippets` input has been removed from the `analyze` action. This input has been deprecated since CodeQL Action 3.26.4 in August 2024 when this removal was announced.
-
-## 4.31.0 - 24 Oct 2025
-
-- Bump minimum CodeQL bundle version to 2.17.6. [#3223](https://github.com/github/codeql-action/pull/3223)
-- When SARIF files are uploaded by the `analyze` or `upload-sarif` actions, the CodeQL Action automatically performs post-processing steps to prepare the data for the upload. Previously, these post-processing steps were only performed before an upload took place. We are now changing this so that the post-processing steps will always be performed, even when the SARIF files are not uploaded. This does not change anything for the `upload-sarif` action. For `analyze`, this may affect Advanced Setup for CodeQL users who specify a value other than `always` for the `upload` input. [#3222](https://github.com/github/codeql-action/pull/3222)
-
-## 4.30.9 - 17 Oct 2025
-
-- Update default CodeQL bundle version to 2.23.3. [#3205](https://github.com/github/codeql-action/pull/3205)
-- Experimental: A new `setup-codeql` action has been added which is similar to `init`, except it only installs the CodeQL CLI and does not initialize a database. Do not use this in production as it is part of an internal experiment and subject to change at any time. [#3204](https://github.com/github/codeql-action/pull/3204)
+No user facing changes.
 
 ## 4.30.8 - 10 Oct 2025
 

README.md

@@ -34,7 +34,6 @@ Actions with special purposes and unlikely to be used directly:
 - `autobuild`: Attempts to automatically build the code. Only used for analyzing languages that require a build. Use the `build-mode: autobuild` input in the `init` action instead. For information about input parameters, see the [autobuild action definition](https://github.com/github/codeql-action/blob/main/autobuild/action.yml).
 - `resolve-environment`: [Experimental] Attempts to infer a build environment suitable for automatic builds. For information about input parameters, see the [resolve-environment action definition](https://github.com/github/codeql-action/blob/main/resolve-environment/action.yml).
 - `start-proxy`: [Experimental] Start the HTTP proxy server. Internal use only and will change without notice. For information about input parameters, see the [start-proxy action definition](https://github.com/github/codeql-action/blob/main/start-proxy/action.yml).
-- `setup-codeql`: [Experimental] Similar to `init`, except it only installs the CodeQL CLI and does not initialize a database.
 
 ### Workflow Permissions
 

analyze/action.yml

@@ -6,7 +6,7 @@ inputs:
     description: The name of the check run to add text to.
     required: false
   output:
-    description: The path of the directory in which to save the SARIF results from the CodeQL CLI.
+    description: The path of the directory in which to save the SARIF results
     required: false
     default: "../results"
   upload:
@@ -32,10 +32,14 @@ inputs:
       and 13GB for macOS).
     required: false
   add-snippets:
-    description: Does not have any effect.
+    description: Specify whether or not to add code snippets to the output sarif file.
     required: false
+    default: "false"
     deprecationMessage: >-
-      The input "add-snippets" has been removed and no longer has any effect.
+      The input "add-snippets" is deprecated and will be removed on the first release in August 2025.
+      When this input is set to true it is expected to add code snippets with an alert to the SARIF file.
+      However, since Code Scanning ignores code snippets provided as part of a SARIF file this is currently
+      a no operation. No alternative is available.
   skip-queries:
     description: If this option is set, the CodeQL database will be built but no queries will be run on it. Thus, no results will be produced.
     required: false
@@ -66,12 +70,6 @@ inputs:
     description: Whether to upload the resulting CodeQL database
     required: false
     default: "true"
-  post-processed-sarif-path:
-    description: >-
-      Before uploading the SARIF files produced by the CodeQL CLI, the CodeQL Action may perform some post-processing
-      on them. Ordinarily, these post-processed SARIF files are not saved to disk. However, if a path is provided as an
-      argument for this input, they are written to the specified directory.
-    required: false
   wait-for-processing:
     description: If true, the Action will wait for the uploaded SARIF to be processed before completing.
     required: true

eslint.config.mjs

@@ -131,7 +131,6 @@ export default [
       "no-sequences": "error",
       "no-shadow": "off",
       "@typescript-eslint/no-shadow": "error",
-      "@typescript-eslint/prefer-optional-chain": "error",
       "one-var": ["error", "never"],
     },
   },

lib/defaults.json

@@ -1,6 +1,6 @@
 {
-  "bundleVersion": "codeql-bundle-v2.23.3",
-  "cliVersion": "2.23.3",
-  "priorBundleVersion": "codeql-bundle-v2.23.2",
-  "priorCliVersion": "2.23.2"
+  "bundleVersion": "codeql-bundle-v2.23.2",
+  "cliVersion": "2.23.2",
+  "priorBundleVersion": "codeql-bundle-v2.23.1",
+  "priorCliVersion": "2.23.1"
 }

package.json

@@ -1,6 +1,6 @@
 {
   "name": "codeql",
-  "version": "4.31.1",
+  "version": "4.30.9",
   "private": true,
   "description": "CodeQL action",
   "scripts": {
@@ -24,7 +24,7 @@
   },
   "license": "MIT",
   "dependencies": {
-    "@actions/artifact": "^4.0.0",
+    "@actions/artifact": "^2.3.1",
     "@actions/artifact-legacy": "npm:@actions/artifact@^1.1.2",
     "@actions/cache": "^4.1.0",
     "@actions/core": "^1.11.1",
@@ -38,7 +38,9 @@
     "@octokit/request-error": "^7.0.1",
     "@schemastore/package": "0.0.10",
     "archiver": "^7.0.1",
+    "check-disk-space": "^3.4.0",
     "console-log-level": "^1.4.1",
+    "del": "^8.0.0",
     "fast-deep-equal": "^3.1.3",
     "follow-redirects": "^1.15.11",
     "get-folder-size": "^5.0.0",
@@ -46,7 +48,7 @@
     "jsonschema": "1.4.1",
     "long": "^5.3.2",
     "node-forge": "^1.3.1",
-    "octokit": "^5.0.4",
+    "octokit": "^5.0.3",
     "semver": "^7.7.3",
     "uuid": "^13.0.0"
   },
@@ -54,10 +56,10 @@
     "@ava/typescript": "6.0.0",
     "@eslint/compat": "^1.4.0",
     "@eslint/eslintrc": "^3.3.1",
-    "@eslint/js": "^9.38.0",
+    "@eslint/js": "^9.37.0",
     "@microsoft/eslint-formatter-sarif": "^3.1.0",
-    "@octokit/types": "^15.0.1",
-    "@types/archiver": "^6.0.4",
+    "@octokit/types": "^15.0.0",
+    "@types/archiver": "^6.0.3",
     "@types/console-log-level": "^1.4.5",
     "@types/follow-redirects": "^1.14.4",
     "@types/js-yaml": "^4.0.9",
@@ -65,10 +67,10 @@
     "@types/node-forge": "^1.3.14",
     "@types/semver": "^7.7.1",
     "@types/sinon": "^17.0.4",
-    "@typescript-eslint/eslint-plugin": "^8.46.2",
+    "@typescript-eslint/eslint-plugin": "^8.46.0",
     "@typescript-eslint/parser": "^8.41.0",
     "ava": "^6.4.1",
-    "esbuild": "^0.25.11",
+    "esbuild": "^0.25.10",
     "eslint": "^8.57.1",
     "eslint-import-resolver-typescript": "^3.8.7",
     "eslint-plugin-filenames": "^1.3.2",

pr-checks/checks/analyze-ref-input.yml

@@ -2,7 +2,6 @@ name: "Analyze: 'ref' and 'sha' from inputs"
 description: "Checks that specifying 'ref' and 'sha' as inputs works"
 versions: ["default"]
 installGo: true
-installPython: true
 steps:
   - uses: ./../action/init
     with:

pr-checks/checks/bundle-from-toolcache.yml

@@ -15,9 +15,10 @@ steps:
         if (allCodeqlVersions.length === 0) {
           throw new Error(`CodeQL could not be found in the toolcache`);
         }
-  - id: setup-codeql
-    uses: ./../action/setup-codeql
+  - id: init
+    uses: ./../action/init
     with:
+      languages: javascript
       tools: ${{ steps.prepare-test.outputs.tools-url }}
   - name: Check CodeQL is installed within the toolcache
     uses: actions/github-script@v8

pr-checks/checks/bundle-zstd.yml

@@ -27,7 +27,7 @@ steps:
       output: ${{ runner.temp }}/results
       upload-database: false
   - name: Upload SARIF
-    uses: actions/upload-artifact@v5
+    uses: actions/upload-artifact@v4
     with:
       name: ${{ matrix.os }}-zstd-bundle.sarif
       path: ${{ runner.temp }}/results/javascript.sarif

pr-checks/checks/config-export.yml

@@ -12,7 +12,7 @@ steps:
       output: "${{ runner.temp }}/results"
       upload-database: false
   - name: Upload SARIF
-    uses: actions/upload-artifact@v5
+    uses: actions/upload-artifact@v4
     with:
       name: config-export-${{ matrix.os }}-${{ matrix.version }}.sarif.json
       path: "${{ runner.temp }}/results/javascript.sarif"

pr-checks/checks/diagnostics-export.yml

@@ -25,7 +25,7 @@ steps:
       output: "${{ runner.temp }}/results"
       upload-database: false
   - name: Upload SARIF
-    uses: actions/upload-artifact@v5
+    uses: actions/upload-artifact@v4
     with:
       name: diagnostics-export-${{ matrix.os }}-${{ matrix.version }}.sarif.json
       path: "${{ runner.temp }}/results/javascript.sarif"

pr-checks/checks/export-file-baseline-information.yml

@@ -17,7 +17,7 @@ steps:
     with:
       output: "${{ runner.temp }}/results"
   - name: Upload SARIF
-    uses: actions/upload-artifact@v5
+    uses: actions/upload-artifact@v4
     with:
       name: with-baseline-information-${{ matrix.os }}-${{ matrix.version }}.sarif.json
       path: "${{ runner.temp }}/results/javascript.sarif"

pr-checks/checks/job-run-uuid-sarif.yml

@@ -11,7 +11,7 @@ steps:
     with:
       output: "${{ runner.temp }}/results"
   - name: Upload SARIF
-    uses: actions/upload-artifact@v5
+    uses: actions/upload-artifact@v4
     with:
       name: ${{ matrix.os }}-${{ matrix.version }}.sarif.json
       path: "${{ runner.temp }}/results/javascript.sarif"

pr-checks/checks/local-bundle.yml

@@ -2,7 +2,6 @@ name: "Local CodeQL bundle"
 description: "Tests using a CodeQL bundle from a local file rather than a URL"
 versions: ["linked"]
 installGo: true
-installPython: true
 steps:
   - name: Fetch latest CodeQL bundle
     run: |

pr-checks/checks/multi-language-autodetect.yml

@@ -4,7 +4,6 @@ operatingSystems: ["macos", "ubuntu"]
 env:
   CODEQL_ACTION_RESOLVE_SUPPORTED_LANGUAGES_USING_CLI: true
 installGo: true
-installPython: true
 steps:
   - name: Use Xcode 16
     if: runner.os == 'macOS' && matrix.version != 'nightly-latest'

pr-checks/checks/packaging-codescanning-config-inputs-js.yml

@@ -3,7 +3,6 @@ description: "Checks that specifying packages using a combination of a config fi
 versions: ["linked", "default", "nightly-latest"] # This feature is not compatible with old CLIs
 installGo: true
 installNode: true
-installPython: true
 steps:
   - uses: ./../action/init
     with:

pr-checks/checks/quality-queries.yml

@@ -36,10 +36,9 @@ steps:
     with:
       output: "${{ runner.temp }}/results"
       upload-database: false
-      post-processed-sarif-path: "${{ runner.temp }}/post-processed"
   - name: Upload security SARIF
     if: contains(matrix.analysis-kinds, 'code-scanning')
-    uses: actions/upload-artifact@v5
+    uses: actions/upload-artifact@v4
     with:
       name: |
         quality-queries-${{ matrix.os }}-${{ matrix.version }}-${{ matrix.analysis-kinds }}.sarif.json
@@ -47,20 +46,12 @@ steps:
       retention-days: 7
   - name: Upload quality SARIF
     if: contains(matrix.analysis-kinds, 'code-quality')
-    uses: actions/upload-artifact@v5
+    uses: actions/upload-artifact@v4
     with:
       name: |
         quality-queries-${{ matrix.os }}-${{ matrix.version }}-${{ matrix.analysis-kinds }}.quality.sarif.json
       path: "${{ runner.temp }}/results/javascript.quality.sarif"
       retention-days: 7
-  - name: Upload post-processed SARIF
-    uses: actions/upload-artifact@v5
-    with:
-      name: |
-        post-processed-${{ matrix.os }}-${{ matrix.version }}-${{ matrix.analysis-kinds }}.sarif.json
-      path: "${{ runner.temp }}/post-processed"
-      retention-days: 7
-      if-no-files-found: error
   - name: Check quality query does not appear in security SARIF
     if: contains(matrix.analysis-kinds, 'code-scanning')
     uses: actions/github-script@v8

pr-checks/checks/remote-config.yml

@@ -6,7 +6,6 @@ versions:
   - linked
   - nightly-latest
 installGo: true
-installPython: true
 steps:
   - uses: ./../action/init
     with:

pr-checks/checks/rubocop-multi-language.yml

@@ -4,7 +4,7 @@ description: "Tests using RuboCop to analyze a multi-language repository and the
 versions: ["default"]
 steps:
   - name: Set up Ruby
-    uses: ruby/setup-ruby@d5126b9b3579e429dd52e51e68624dda2e05be25 # v1.267.0
+    uses: ruby/setup-ruby@ab177d40ee5483edb974554986f56b33477e21d0 # v1.265.0
     with:
       ruby-version: 2.6
   - name: Install Code Scanning integration

pr-checks/checks/unset-environment.yml

@@ -6,7 +6,6 @@ versions:
   - linked
   - nightly-latest
 installGo: true
-installPython: true
 steps:
   - uses: ./../action/init
     id: init

pr-checks/checks/upload-ref-sha-input.yml

@@ -2,7 +2,6 @@ name: "Upload-sarif: 'ref' and 'sha' from inputs"
 description: "Checks that specifying 'ref' and 'sha' as inputs works"
 versions: ["default"]
 installGo: true
-installPython: true
 steps:
   - uses: ./../action/init
     with:

pr-checks/checks/upload-sarif.yml

@@ -3,7 +3,6 @@ description: "Checks that uploading SARIFs to the code quality endpoint works"
 versions: ["default"]
 analysisKinds: ["code-scanning", "code-quality", "code-scanning,code-quality"]
 installGo: true
-installPython: true
 steps:
   - uses: ./../action/init
     with:

pr-checks/checks/with-checkout-path.yml

@@ -2,7 +2,6 @@ name: "Use a custom `checkout_path`"
 description: "Checks that a custom `checkout_path` will find the proper commit_oid"
 versions: ["linked"]
 installGo: true
-installPython: true
 steps:
   # This ensures we don't accidentally use the original checkout for any part of the test.
   - name: Delete original checkout

pr-checks/sync.py

@@ -117,7 +117,7 @@ for file in sorted((this_dir / 'checks').glob('*.yml')):
         steps.extend([
             {
                 'name': 'Install Node.js',
-                'uses': 'actions/setup-node@v6',
+                'uses': 'actions/setup-node@v5',
                 'with': {
                     'node-version': '20.x',
                     'cache': 'npm',
@@ -184,26 +184,6 @@ for file in sorted((this_dir / 'checks').glob('*.yml')):
             }
         })
 
-    installPython = is_truthy(checkSpecification.get('installPython', ''))
-
-    if installPython:
-        basePythonVersionExpr = '3.13'
-        workflowInputs['python-version'] = {
-            'type': 'string',
-            'description': 'The version of Python to install',
-            'required': False,
-            'default': basePythonVersionExpr,
-        }
-
-        steps.append({
-            'name': 'Install Python',
-            'if': 'matrix.version != \'nightly-latest\'',
-            'uses': 'actions/setup-python@v6',
-            'with': {
-                'python-version': '${{ inputs.python-version || \'' + basePythonVersionExpr + '\' }}'
-            }
-        })
-
     # If container initialisation steps are present in the check specification,
     # make sure to execute them first.
     if 'container' in checkSpecification and 'container-init-steps' in checkSpecification:

scripts/check-node-modules.sh

@@ -9,15 +9,9 @@ if [ "$GITHUB_ACTIONS" = "true" ]; then
 fi
 
 # Check if npm install is likely needed before proceeding
-if [ ! -d node_modules ]; then
-  echo "Running 'npm install' because 'node_modules' directory is missing."
-  npm install
-elif [ package.json -nt package-lock.json ]; then
-  echo "Running 'npm install' because 'package-lock.json' appears to be outdated."
-  npm install
-elif [ package-lock.json -nt node_modules/.package-lock.json ]; then
-  echo "Running 'npm install' because 'node_modules/.package-lock.json' appears to be outdated."
+if [ ! -d node_modules ] || [ package-lock.json -nt node_modules/.package-lock.json ]; then
+  echo "Running 'npm install' because 'node_modules/.package-lock.json' appears to be outdated..."
   npm install
 else
-  echo "Skipping 'npm install' because everything appears to be up-to-date."
+  echo "Skipping 'npm install' because 'node_modules/.package-lock.json' appears to be up-to-date."
 fi

setup-codeql/action.yml

@@ -1,39 +0,0 @@
-name: 'CodeQL: Setup'
-description: 'Installs the CodeQL CLI'
-author: 'GitHub'
-inputs:
-  tools:
-    description: >-
-      By default, the Action will use the recommended version of the CodeQL
-      Bundle to analyze your project. You can override this choice using this
-      input. One of:
-
-      - A local path to a CodeQL Bundle tarball, or
-      - The URL of a CodeQL Bundle tarball GitHub release asset, or
-      - A special value `linked` which uses the version of the CodeQL tools
-        that the Action has been bundled with.
-      - A special value `nightly` which uses the latest nightly version of the
-        CodeQL tools. Note that this is unstable and not recommended for
-        production use.
-
-      If not specified, the Action will check in several places until it finds
-      the CodeQL tools.
-    required: false
-  token:
-    description: GitHub token to use for authenticating with this instance of GitHub.
-    default: ${{ github.token }}
-    required: false
-  matrix:
-    default: ${{ toJson(matrix) }}
-    required: false
-  external-repository-token:
-    description: A token for fetching additional files from private repositories in the same GitHub instance that is running this action.
-    required: false
-outputs:
-  codeql-path:
-    description: The path of the CodeQL binary that was installed.
-  codeql-version:
-    description: The version of the CodeQL binary that was installed.
-runs:
-  using: node24
-  main: '../lib/setup-codeql-action.js'

src/analyses.test.ts

@@ -1,19 +1,12 @@
 import test from "ava";
-import * as sinon from "sinon";
 
-import * as actionsUtil from "./actions-util";
 import {
   AnalysisKind,
-  getAnalysisKinds,
   parseAnalysisKinds,
   supportedAnalysisKinds,
 } from "./analyses";
-import { getRunnerLogger } from "./logging";
-import { setupTests } from "./testing-utils";
 import { ConfigurationError } from "./util";
 
-setupTests(test);
-
 test("All known analysis kinds can be parsed successfully", async (t) => {
   for (const analysisKind of supportedAnalysisKinds) {
     t.deepEqual(await parseAnalysisKinds(analysisKind), [analysisKind]);
@@ -41,29 +34,3 @@ test("Parsing analysis kinds requires at least one analysis kind", async (t) =>
     instanceOf: ConfigurationError,
   });
 });
-
-test("getAnalysisKinds - returns expected analysis kinds for `analysis-kinds` input", async (t) => {
-  const requiredInputStub = sinon.stub(actionsUtil, "getRequiredInput");
-  requiredInputStub
-    .withArgs("analysis-kinds")
-    .returns("code-scanning,code-quality");
-  const result = await getAnalysisKinds(getRunnerLogger(true), true);
-  t.assert(result.includes(AnalysisKind.CodeScanning));
-  t.assert(result.includes(AnalysisKind.CodeQuality));
-});
-
-test("getAnalysisKinds - includes `code-quality` when deprecated `quality-queries` input is used", async (t) => {
-  const requiredInputStub = sinon.stub(actionsUtil, "getRequiredInput");
-  requiredInputStub.withArgs("analysis-kinds").returns("code-scanning");
-  const optionalInputStub = sinon.stub(actionsUtil, "getOptionalInput");
-  optionalInputStub.withArgs("quality-queries").returns("code-quality");
-  const result = await getAnalysisKinds(getRunnerLogger(true), true);
-  t.assert(result.includes(AnalysisKind.CodeScanning));
-  t.assert(result.includes(AnalysisKind.CodeQuality));
-});
-
-test("getAnalysisKinds - throws if `analysis-kinds` input is invalid", async (t) => {
-  const requiredInputStub = sinon.stub(actionsUtil, "getRequiredInput");
-  requiredInputStub.withArgs("analysis-kinds").returns("no-such-thing");
-  await t.throwsAsync(getAnalysisKinds(getRunnerLogger(true), true));
-});

src/analyses.ts

@@ -1,8 +1,4 @@
-import {
-  fixCodeQualityCategory,
-  getOptionalInput,
-  getRequiredInput,
-} from "./actions-util";
+import { fixCodeQualityCategory } from "./actions-util";
 import { Logger } from "./logging";
 import { ConfigurationError } from "./util";
 
@@ -45,55 +41,6 @@ export async function parseAnalysisKinds(
   );
 }
 
-// Used to avoid re-parsing the input after we have done it once.
-let cachedAnalysisKinds: AnalysisKind[] | undefined;
-
-/**
- * Initialises the analysis kinds for the analysis based on the `analysis-kinds` input.
- * This function will also use the deprecated `quality-queries` input as an indicator to enable `code-quality`.
- * If the `analysis-kinds` input cannot be parsed, a `ConfigurationError` is thrown.
- *
- * @param logger The logger to use.
- * @param skipCache For testing, whether to ignore the cached values (default: false).
- *
- * @returns The array of enabled analysis kinds.
- * @throws A `ConfigurationError` if the `analysis-kinds` input cannot be parsed.
- */
-export async function getAnalysisKinds(
-  logger: Logger,
-  skipCache: boolean = false,
-): Promise<AnalysisKind[]> {
-  if (!skipCache && cachedAnalysisKinds !== undefined) {
-    return cachedAnalysisKinds;
-  }
-
-  cachedAnalysisKinds = await parseAnalysisKinds(
-    getRequiredInput("analysis-kinds"),
-  );
-
-  // Warn that `quality-queries` is deprecated if there is an argument for it.
-  const qualityQueriesInput = getOptionalInput("quality-queries");
-
-  if (qualityQueriesInput !== undefined) {
-    logger.warning(
-      "The `quality-queries` input is deprecated and will be removed in a future version of the CodeQL Action. " +
-        "Use the `analysis-kinds` input to configure different analysis kinds instead.",
-    );
-  }
-
-  // For backwards compatibility, add Code Quality to the enabled analysis kinds
-  // if an input to `quality-queries` was specified. We should remove this once
-  // `quality-queries` is no longer used.
-  if (
-    !cachedAnalysisKinds.includes(AnalysisKind.CodeQuality) &&
-    qualityQueriesInput !== undefined
-  ) {
-    cachedAnalysisKinds.push(AnalysisKind.CodeQuality);
-  }
-
-  return cachedAnalysisKinds;
-}
-
 /** The queries to use for Code Quality analyses. */
 export const codeQualityQueries: string[] = ["code-quality"];
 

src/analyze-action-env.test.ts

@@ -24,9 +24,6 @@ setupTests(test);
 // but the first test would fail.
 
 test("analyze action with RAM & threads from environment variables", async (t) => {
-  // This test frequently times out on Windows with the default timeout, so we bump
-  // it a bit to 20s.
-  t.timeout(1000 * 20);
   await util.withTmpDir(async (tmpDir) => {
     process.env["GITHUB_SERVER_URL"] = util.GITHUB_DOTCOM_URL;
     process.env["GITHUB_REPOSITORY"] = "github/codeql-action-fake-repository";
@@ -78,7 +75,7 @@ test("analyze action with RAM & threads from environment variables", async (t) =
     t.deepEqual(runFinalizeStub.firstCall.args[1], "--threads=-1");
     t.deepEqual(runFinalizeStub.firstCall.args[2], "--ram=4992");
     t.assert(runQueriesStub.calledOnce);
-    t.deepEqual(runQueriesStub.firstCall.args[2], "--threads=-1");
+    t.deepEqual(runQueriesStub.firstCall.args[3], "--threads=-1");
     t.deepEqual(runQueriesStub.firstCall.args[1], "--ram=4992");
   });
 });

src/analyze-action-input.test.ts

@@ -24,7 +24,6 @@ setupTests(test);
 // but the first test would fail.
 
 test("analyze action with RAM & threads from action inputs", async (t) => {
-  t.timeout(1000 * 20);
   await util.withTmpDir(async (tmpDir) => {
     process.env["GITHUB_SERVER_URL"] = util.GITHUB_DOTCOM_URL;
     process.env["GITHUB_REPOSITORY"] = "github/codeql-action-fake-repository";
@@ -76,7 +75,7 @@ test("analyze action with RAM & threads from action inputs", async (t) => {
     t.deepEqual(runFinalizeStub.firstCall.args[1], "--threads=-1");
     t.deepEqual(runFinalizeStub.firstCall.args[2], "--ram=3012");
     t.assert(runQueriesStub.calledOnce);
-    t.deepEqual(runQueriesStub.firstCall.args[2], "--threads=-1");
+    t.deepEqual(runQueriesStub.firstCall.args[3], "--threads=-1");
     t.deepEqual(runQueriesStub.firstCall.args[1], "--ram=3012");
   });
 });

src/analyze-action.ts

@@ -52,7 +52,6 @@ import {
 } from "./trap-caching";
 import * as uploadLib from "./upload-lib";
 import { UploadResult } from "./upload-lib";
-import { postProcessAndUploadSarif } from "./upload-sarif";
 import * as util from "./util";
 
 interface AnalysisStatusReport
@@ -212,9 +211,7 @@ async function runAutobuildIfLegacyGoWorkflow(config: Config, logger: Logger) {
 
 async function run() {
   const startedAt = new Date();
-  let uploadResults:
-    | Partial<Record<analyses.AnalysisKind, UploadResult>>
-    | undefined = undefined;
+  let uploadResult: UploadResult | undefined = undefined;
   let runStats: QueriesStatusReport | undefined = undefined;
   let config: Config | undefined = undefined;
   let trapCacheCleanupTelemetry: TrapCacheCleanupStatusReport | undefined =
@@ -324,16 +321,10 @@ async function run() {
     );
 
     if (actionsUtil.getRequiredInput("skip-queries") !== "true") {
-      // Warn if the removed `add-snippets` input is used.
-      if (actionsUtil.getOptionalInput("add-snippets") !== undefined) {
-        logger.warning(
-          "The `add-snippets` input has been removed and no longer has any effect.",
-        );
-      }
-
       runStats = await runQueries(
         outputDir,
         memory,
+        util.getAddSnippetsFlag(actionsUtil.getRequiredInput("add-snippets")),
         threads,
         diffRangePackDir,
         actionsUtil.getOptionalInput("category"),
@@ -350,67 +341,31 @@ async function run() {
     }
     core.setOutput("db-locations", dbLocations);
     core.setOutput("sarif-output", path.resolve(outputDir));
-    const uploadKind = actionsUtil.getUploadValue(
-      actionsUtil.getOptionalInput("upload"),
-    );
-    if (runStats) {
-      const checkoutPath = actionsUtil.getRequiredInput("checkout_path");
-      const category = actionsUtil.getOptionalInput("category");
-
-      if (await features.getValue(Feature.AnalyzeUseNewUpload)) {
-        uploadResults = await postProcessAndUploadSarif(
-          logger,
-          features,
-          uploadKind,
-          checkoutPath,
+    const uploadInput = actionsUtil.getOptionalInput("upload");
+    if (runStats && actionsUtil.getUploadValue(uploadInput) === "always") {
+      if (isCodeScanningEnabled(config)) {
+        uploadResult = await uploadLib.uploadFiles(
           outputDir,
-          category,
-          actionsUtil.getOptionalInput("post-processed-sarif-path"),
+          actionsUtil.getRequiredInput("checkout_path"),
+          actionsUtil.getOptionalInput("category"),
+          features,
+          logger,
+          analyses.CodeScanning,
         );
-      } else if (uploadKind === "always") {
-        uploadResults = {};
-
-        if (isCodeScanningEnabled(config)) {
-          uploadResults[analyses.AnalysisKind.CodeScanning] =
-            await uploadLib.uploadFiles(
-              outputDir,
-              checkoutPath,
-              category,
-              features,
-              logger,
-              analyses.CodeScanning,
-            );
-        }
-
-        if (isCodeQualityEnabled(config)) {
-          uploadResults[analyses.AnalysisKind.CodeQuality] =
-            await uploadLib.uploadFiles(
-              outputDir,
-              checkoutPath,
-              category,
-              features,
-              logger,
-              analyses.CodeQuality,
-            );
-        }
-      } else {
-        uploadResults = {};
-        logger.info("Not uploading results");
+        core.setOutput("sarif-id", uploadResult.sarifID);
       }
 
-      // Set the SARIF id outputs only if we have results for them, to avoid
-      // having keys with empty values in the action output.
-      if (uploadResults[analyses.AnalysisKind.CodeScanning] !== undefined) {
-        core.setOutput(
-          "sarif-id",
-          uploadResults[analyses.AnalysisKind.CodeScanning].sarifID,
-        );
-      }
-      if (uploadResults[analyses.AnalysisKind.CodeQuality] !== undefined) {
-        core.setOutput(
-          "quality-sarif-id",
-          uploadResults[analyses.AnalysisKind.CodeQuality].sarifID,
+      if (isCodeQualityEnabled(config)) {
+        const analysis = analyses.CodeQuality;
+        const qualityUploadResult = await uploadLib.uploadFiles(
+          outputDir,
+          actionsUtil.getRequiredInput("checkout_path"),
+          actionsUtil.getOptionalInput("category"),
+          features,
+          logger,
+          analysis,
         );
+        core.setOutput("quality-sarif-id", qualityUploadResult.sarifID);
       }
     } else {
       logger.info("Not uploading results");
@@ -453,12 +408,12 @@ async function run() {
     if (util.isInTestMode()) {
       logger.debug("In test mode. Waiting for processing is disabled.");
     } else if (
-      uploadResults?.[analyses.AnalysisKind.CodeScanning] !== undefined &&
+      uploadResult !== undefined &&
       actionsUtil.getRequiredInput("wait-for-processing") === "true"
     ) {
       await uploadLib.waitForProcessing(
         getRepositoryNwo(),
-        uploadResults[analyses.AnalysisKind.CodeScanning].sarifID,
+        uploadResult.sarifID,
         getActionsLogger(),
       );
     }
@@ -495,16 +450,13 @@ async function run() {
     return;
   }
 
-  if (
-    runStats !== undefined &&
-    uploadResults?.[analyses.AnalysisKind.CodeScanning] !== undefined
-  ) {
+  if (runStats && uploadResult) {
     await sendStatusReport(
       startedAt,
       config,
       {
         ...runStats,
-        ...uploadResults[analyses.AnalysisKind.CodeScanning].statusReport,
+        ...uploadResult.statusReport,
       },
       undefined,
       trapCacheUploadTime,
@@ -514,7 +466,7 @@ async function run() {
       dependencyCacheResults,
       logger,
     );
-  } else if (runStats !== undefined) {
+  } else if (runStats) {
     await sendStatusReport(
       startedAt,
       config,

src/analyze.test.ts

@@ -4,8 +4,10 @@ import * as path from "path";
 import test from "ava";
 import * as sinon from "sinon";
 
+import * as actionsUtil from "./actions-util";
 import { CodeQuality, CodeScanning } from "./analyses";
 import {
+  exportedForTesting,
   runQueries,
   defaultSuites,
   resolveQuerySuiteAlias,
@@ -37,6 +39,7 @@ test("status report fields", async (t) => {
     setupActionsVars(tmpDir, tmpDir);
 
     const memoryFlag = "";
+    const addSnippetsFlag = "";
     const threadsFlag = "";
     sinon.stub(uploadLib, "validateSarifFileSchema");
 
@@ -102,6 +105,7 @@ test("status report fields", async (t) => {
       const statusReport = await runQueries(
         tmpDir,
         memoryFlag,
+        addSnippetsFlag,
         threadsFlag,
         undefined,
         undefined,
@@ -127,6 +131,204 @@ test("status report fields", async (t) => {
   });
 });
 
+function runGetDiffRanges(changes: number, patch: string[] | undefined): any {
+  sinon
+    .stub(actionsUtil, "getRequiredInput")
+    .withArgs("checkout_path")
+    .returns("/checkout/path");
+  return exportedForTesting.getDiffRanges(
+    {
+      filename: "test.txt",
+      changes,
+      patch: patch?.join("\n"),
+    },
+    getRunnerLogger(true),
+  );
+}
+
+test("getDiffRanges: file unchanged", async (t) => {
+  const diffRanges = runGetDiffRanges(0, undefined);
+  t.deepEqual(diffRanges, []);
+});
+
+test("getDiffRanges: file diff too large", async (t) => {
+  const diffRanges = runGetDiffRanges(1000000, undefined);
+  t.deepEqual(diffRanges, [
+    {
+      path: "/checkout/path/test.txt",
+      startLine: 0,
+      endLine: 0,
+    },
+  ]);
+});
+
+test("getDiffRanges: diff thunk with single addition range", async (t) => {
+  const diffRanges = runGetDiffRanges(2, [
+    "@@ -30,6 +50,8 @@",
+    " a",
+    " b",
+    " c",
+    "+1",
+    "+2",
+    " d",
+    " e",
+    " f",
+  ]);
+  t.deepEqual(diffRanges, [
+    {
+      path: "/checkout/path/test.txt",
+      startLine: 53,
+      endLine: 54,
+    },
+  ]);
+});
+
+test("getDiffRanges: diff thunk with single deletion range", async (t) => {
+  const diffRanges = runGetDiffRanges(2, [
+    "@@ -30,8 +50,6 @@",
+    " a",
+    " b",
+    " c",
+    "-1",
+    "-2",
+    " d",
+    " e",
+    " f",
+  ]);
+  t.deepEqual(diffRanges, []);
+});
+
+test("getDiffRanges: diff thunk with single update range", async (t) => {
+  const diffRanges = runGetDiffRanges(2, [
+    "@@ -30,7 +50,7 @@",
+    " a",
+    " b",
+    " c",
+    "-1",
+    "+2",
+    " d",
+    " e",
+    " f",
+  ]);
+  t.deepEqual(diffRanges, [
+    {
+      path: "/checkout/path/test.txt",
+      startLine: 53,
+      endLine: 53,
+    },
+  ]);
+});
+
+test("getDiffRanges: diff thunk with addition ranges", async (t) => {
+  const diffRanges = runGetDiffRanges(2, [
+    "@@ -30,7 +50,9 @@",
+    " a",
+    " b",
+    " c",
+    "+1",
+    " c",
+    "+2",
+    " d",
+    " e",
+    " f",
+  ]);
+  t.deepEqual(diffRanges, [
+    {
+      path: "/checkout/path/test.txt",
+      startLine: 53,
+      endLine: 53,
+    },
+    {
+      path: "/checkout/path/test.txt",
+      startLine: 55,
+      endLine: 55,
+    },
+  ]);
+});
+
+test("getDiffRanges: diff thunk with mixed ranges", async (t) => {
+  const diffRanges = runGetDiffRanges(2, [
+    "@@ -30,7 +50,7 @@",
+    " a",
+    " b",
+    " c",
+    "-1",
+    " d",
+    "-2",
+    "+3",
+    " e",
+    " f",
+    "+4",
+    "+5",
+    " g",
+    " h",
+    " i",
+  ]);
+  t.deepEqual(diffRanges, [
+    {
+      path: "/checkout/path/test.txt",
+      startLine: 54,
+      endLine: 54,
+    },
+    {
+      path: "/checkout/path/test.txt",
+      startLine: 57,
+      endLine: 58,
+    },
+  ]);
+});
+
+test("getDiffRanges: multiple diff thunks", async (t) => {
+  const diffRanges = runGetDiffRanges(2, [
+    "@@ -30,6 +50,8 @@",
+    " a",
+    " b",
+    " c",
+    "+1",
+    "+2",
+    " d",
+    " e",
+    " f",
+    "@@ -130,6 +150,8 @@",
+    " a",
+    " b",
+    " c",
+    "+1",
+    "+2",
+    " d",
+    " e",
+    " f",
+  ]);
+  t.deepEqual(diffRanges, [
+    {
+      path: "/checkout/path/test.txt",
+      startLine: 53,
+      endLine: 54,
+    },
+    {
+      path: "/checkout/path/test.txt",
+      startLine: 153,
+      endLine: 154,
+    },
+  ]);
+});
+
+test("getDiffRanges: no diff context lines", async (t) => {
+  const diffRanges = runGetDiffRanges(2, ["@@ -30 +50,2 @@", "+1", "+2"]);
+  t.deepEqual(diffRanges, [
+    {
+      path: "/checkout/path/test.txt",
+      startLine: 50,
+      endLine: 51,
+    },
+  ]);
+});
+
+test("getDiffRanges: malformed thunk header", async (t) => {
+  const diffRanges = runGetDiffRanges(2, ["@@ 30 +50,2 @@", "+1", "+2"]);
+  t.deepEqual(diffRanges, undefined);
+});
+
 test("resolveQuerySuiteAlias", (t) => {
   // default query suite names should resolve to something language-specific ending in `.qls`.
   for (const suite of defaultSuites) {

src/analyze.ts

@@ -3,10 +3,16 @@ import * as path from "path";
 import { performance } from "perf_hooks";
 
 import * as io from "@actions/io";
+import * as del from "del";
 import * as yaml from "js-yaml";
 
-import { getTemporaryDirectory, PullRequestBranches } from "./actions-util";
+import {
+  getRequiredInput,
+  getTemporaryDirectory,
+  PullRequestBranches,
+} from "./actions-util";
 import * as analyses from "./analyses";
+import { getApiClient } from "./api-client";
 import { setupCppAutobuild } from "./autobuild";
 import { type CodeQL } from "./codeql";
 import * as configUtils from "./config-utils";
@@ -15,13 +21,13 @@ import { addDiagnostic, makeDiagnostic } from "./diagnostics";
 import {
   DiffThunkRange,
   writeDiffRangesJsonFile,
-  getPullRequestEditedDiffRanges,
 } from "./diff-informed-analysis-utils";
 import { EnvVar } from "./environment";
 import { FeatureEnablement, Feature } from "./feature-flags";
 import { KnownLanguage, Language } from "./languages";
 import { Logger, withGroupAsync } from "./logging";
 import { OverlayDatabaseMode } from "./overlay-database-utils";
+import { getRepositoryNwoFromEnv } from "./repository";
 import { DatabaseCreationTimings, EventReport } from "./status-report";
 import { endTracingForCluster } from "./tracer-config";
 import * as util from "./util";
@@ -307,6 +313,185 @@ export async function setupDiffInformedQueryRun(
   );
 }
 
+/**
+ * Return the file line ranges that were added or modified in the pull request.
+ *
+ * @param branches The base and head branches of the pull request.
+ * @param logger
+ * @returns An array of tuples, where each tuple contains the absolute path of a
+ * file, the start line and the end line (both 1-based and inclusive) of an
+ * added or modified range in that file. Returns `undefined` if the action was
+ * not triggered by a pull request or if there was an error.
+ */
+async function getPullRequestEditedDiffRanges(
+  branches: PullRequestBranches,
+  logger: Logger,
+): Promise<DiffThunkRange[] | undefined> {
+  const fileDiffs = await getFileDiffsWithBasehead(branches, logger);
+  if (fileDiffs === undefined) {
+    return undefined;
+  }
+  if (fileDiffs.length >= 300) {
+    // The "compare two commits" API returns a maximum of 300 changed files. If
+    // we see that many changed files, it is possible that there could be more,
+    // with the rest being truncated. In this case, we should not attempt to
+    // compute the diff ranges, as the result would be incomplete.
+    logger.warning(
+      `Cannot retrieve the full diff because there are too many ` +
+        `(${fileDiffs.length}) changed files in the pull request.`,
+    );
+    return undefined;
+  }
+  const results: DiffThunkRange[] = [];
+  for (const filediff of fileDiffs) {
+    const diffRanges = getDiffRanges(filediff, logger);
+    if (diffRanges === undefined) {
+      return undefined;
+    }
+    results.push(...diffRanges);
+  }
+  return results;
+}
+
+/**
+ * This interface is an abbreviated version of the file diff object returned by
+ * the GitHub API.
+ */
+interface FileDiff {
+  filename: string;
+  changes: number;
+  // A patch may be absent if the file is binary, if the file diff is too large,
+  // or if the file is unchanged.
+  patch?: string | undefined;
+}
+
+async function getFileDiffsWithBasehead(
+  branches: PullRequestBranches,
+  logger: Logger,
+): Promise<FileDiff[] | undefined> {
+  // Check CODE_SCANNING_REPOSITORY first. If it is empty or not set, fall back
+  // to GITHUB_REPOSITORY.
+  const repositoryNwo = getRepositoryNwoFromEnv(
+    "CODE_SCANNING_REPOSITORY",
+    "GITHUB_REPOSITORY",
+  );
+  const basehead = `${branches.base}...${branches.head}`;
+  try {
+    const response = await getApiClient().rest.repos.compareCommitsWithBasehead(
+      {
+        owner: repositoryNwo.owner,
+        repo: repositoryNwo.repo,
+        basehead,
+        per_page: 1,
+      },
+    );
+    logger.debug(
+      `Response from compareCommitsWithBasehead(${basehead}):` +
+        `\n${JSON.stringify(response, null, 2)}`,
+    );
+    return response.data.files;
+  } catch (error: any) {
+    if (error.status) {
+      logger.warning(`Error retrieving diff ${basehead}: ${error.message}`);
+      logger.debug(
+        `Error running compareCommitsWithBasehead(${basehead}):` +
+          `\nRequest: ${JSON.stringify(error.request, null, 2)}` +
+          `\nError Response: ${JSON.stringify(error.response, null, 2)}`,
+      );
+      return undefined;
+    } else {
+      throw error;
+    }
+  }
+}
+
+function getDiffRanges(
+  fileDiff: FileDiff,
+  logger: Logger,
+): DiffThunkRange[] | undefined {
+  // Diff-informed queries expect the file path to be absolute. CodeQL always
+  // uses forward slashes as the path separator, so on Windows we need to
+  // replace any backslashes with forward slashes.
+  const filename = path
+    .join(getRequiredInput("checkout_path"), fileDiff.filename)
+    .replaceAll(path.sep, "/");
+
+  if (fileDiff.patch === undefined) {
+    if (fileDiff.changes === 0) {
+      // There are situations where a changed file legitimately has no diff.
+      // For example, the file may be a binary file, or that the file may have
+      // been renamed with no changes to its contents. In these cases, the
+      // file would be reported as having 0 changes, and we can return an empty
+      // array to indicate no diff range in this file.
+      return [];
+    }
+    // If a file is reported to have nonzero changes but no patch, that may be
+    // due to the file diff being too large. In this case, we should fall back
+    // to a special diff range that covers the entire file.
+    return [
+      {
+        path: filename,
+        startLine: 0,
+        endLine: 0,
+      },
+    ];
+  }
+
+  // The 1-based file line number of the current line
+  let currentLine = 0;
+  // The 1-based file line number that starts the current range of added lines
+  let additionRangeStartLine: number | undefined = undefined;
+  const diffRanges: DiffThunkRange[] = [];
+
+  const diffLines = fileDiff.patch.split("\n");
+  // Adding a fake context line at the end ensures that the following loop will
+  // always terminate the last range of added lines.
+  diffLines.push(" ");
+
+  for (const diffLine of diffLines) {
+    if (diffLine.startsWith("-")) {
+      // Ignore deletions completely -- we do not even want to consider them when
+      // calculating consecutive ranges of added lines.
+      continue;
+    }
+    if (diffLine.startsWith("+")) {
+      if (additionRangeStartLine === undefined) {
+        additionRangeStartLine = currentLine;
+      }
+      currentLine++;
+      continue;
+    }
+    if (additionRangeStartLine !== undefined) {
+      // Any line that does not start with a "+" or "-" terminates the current
+      // range of added lines.
+      diffRanges.push({
+        path: filename,
+        startLine: additionRangeStartLine,
+        endLine: currentLine - 1,
+      });
+      additionRangeStartLine = undefined;
+    }
+    if (diffLine.startsWith("@@ ")) {
+      // A new hunk header line resets the current line number.
+      const match = diffLine.match(/^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@/);
+      if (match === null) {
+        logger.warning(
+          `Cannot parse diff hunk header for ${fileDiff.filename}: ${diffLine}`,
+        );
+        return undefined;
+      }
+      currentLine = parseInt(match[1], 10);
+      continue;
+    }
+    if (diffLine.startsWith(" ")) {
+      // An unchanged context line advances the current line number.
+      currentLine++;
+      continue;
+    }
+  }
+  return diffRanges;
+}
+
 /**
  * Create an extension pack in the temporary directory that contains the file
  * line ranges that were added or modified in the pull request.
@@ -436,6 +621,7 @@ export function addSarifExtension(
 export async function runQueries(
   sarifFolder: string,
   memoryFlag: string,
+  addSnippetsFlag: string,
   threadsFlag: string,
   diffRangePackDir: string | undefined,
   automationDetailsId: string | undefined,
@@ -625,6 +811,7 @@ export async function runQueries(
       databasePath,
       queries,
       sarifFile,
+      addSnippetsFlag,
       threadsFlag,
       enableDebugLogging ? "-vv" : "-v",
       sarifRunPropertyFlag,
@@ -668,7 +855,7 @@ export async function runFinalize(
   logger: Logger,
 ): Promise<DatabaseCreationTimings> {
   try {
-    await fs.promises.rm(outputDir, { force: true, recursive: true });
+    await del.deleteAsync(outputDir, { force: true });
   } catch (error: any) {
     if (error?.code !== "ENOENT") {
       throw error;
@@ -735,3 +922,7 @@ export async function warnIfGoInstalledAfterInit(
     }
   }
 }
+
+export const exportedForTesting = {
+  getDiffRanges,
+};

src/api-client.test.ts

@@ -169,39 +169,4 @@ test("wrapApiConfigurationError correctly wraps specific configuration errors",
     res,
     new util.ConfigurationError("Resource not accessible by integration"),
   );
-
-  // Enablement errors.
-  const codeSecurityNotEnabledError = new util.HTTPError(
-    "Code Security must be enabled for this repository to use code scanning",
-    403,
-  );
-  res = api.wrapApiConfigurationError(codeSecurityNotEnabledError);
-  t.deepEqual(
-    res,
-    new util.ConfigurationError(
-      api.getFeatureEnablementError(codeSecurityNotEnabledError.message),
-    ),
-  );
-  const advancedSecurityNotEnabledError = new util.HTTPError(
-    "Advanced Security must be enabled for this repository to use code scanning",
-    403,
-  );
-  res = api.wrapApiConfigurationError(advancedSecurityNotEnabledError);
-  t.deepEqual(
-    res,
-    new util.ConfigurationError(
-      api.getFeatureEnablementError(advancedSecurityNotEnabledError.message),
-    ),
-  );
-  const codeScanningNotEnabledError = new util.HTTPError(
-    "Code Scanning is not enabled for this repository. Please enable code scanning in the repository settings.",
-    403,
-  );
-  res = api.wrapApiConfigurationError(codeScanningNotEnabledError);
-  t.deepEqual(
-    res,
-    new util.ConfigurationError(
-      api.getFeatureEnablementError(codeScanningNotEnabledError.message),
-    ),
-  );
 });

src/api-client.ts

@@ -1,17 +1,18 @@
 import * as core from "@actions/core";
 import * as githubUtils from "@actions/github/lib/utils";
 import * as retry from "@octokit/plugin-retry";
+import consoleLogLevel from "console-log-level";
 
 import { getActionVersion, getRequiredInput } from "./actions-util";
 import { Logger } from "./logging";
 import { getRepositoryNwo, RepositoryNwo } from "./repository";
 import {
-  asHTTPError,
   ConfigurationError,
   getRequiredEnvParam,
   GITHUB_DOTCOM_URL,
   GitHubVariant,
   GitHubVersion,
+  isHTTPError,
   parseGitHubUrl,
   parseMatrixInput,
 } from "./util";
@@ -49,12 +50,7 @@ function createApiClientWithDetails(
     githubUtils.getOctokitOptions(auth, {
       baseUrl: apiDetails.apiURL,
       userAgent: `CodeQL-Action/${getActionVersion()}`,
-      log: {
-        debug: core.debug,
-        info: core.info,
-        warn: core.warning,
-        error: core.error,
-      },
+      log: consoleLogLevel({ level: "debug" }),
     }),
   );
 }
@@ -283,49 +279,23 @@ export async function getRepositoryProperties(repositoryNwo: RepositoryNwo) {
   });
 }
 
-function isEnablementError(msg: string) {
-  return [
-    /Code Security must be enabled/,
-    /Advanced Security must be enabled/,
-    /Code Scanning is not enabled/,
-  ].some((pattern) => pattern.test(msg));
-}
-
-// TODO: Move to `error-messages.ts` after refactoring import order to avoid cycle
-// since `error-messages.ts` currently depends on this file.
-export function getFeatureEnablementError(message: string): string {
-  return `Please verify that the necessary features are enabled: ${message}`;
-}
-
 export function wrapApiConfigurationError(e: unknown) {
-  const httpError = asHTTPError(e);
-  if (httpError !== undefined) {
+  if (isHTTPError(e)) {
     if (
-      [
-        /API rate limit exceeded/,
-        /commit not found/,
-        /Resource not accessible by integration/,
-        /ref .* not found in this repository/,
-      ].some((pattern) => pattern.test(httpError.message))
+      e.message.includes("API rate limit exceeded for installation") ||
+      e.message.includes("commit not found") ||
+      e.message.includes("Resource not accessible by integration") ||
+      /ref .* not found in this repository/.test(e.message)
     ) {
-      return new ConfigurationError(httpError.message);
-    }
-    if (
-      httpError.message.includes("Bad credentials") ||
-      httpError.message.includes("Not Found")
+      return new ConfigurationError(e.message);
+    } else if (
+      e.message.includes("Bad credentials") ||
+      e.message.includes("Not Found")
     ) {
       return new ConfigurationError(
         "Please check that your token is valid and has the required permissions: contents: read, security-events: write",
       );
     }
-    if (httpError.status === 403 && isEnablementError(httpError.message)) {
-      return new ConfigurationError(
-        getFeatureEnablementError(httpError.message),
-      );
-    }
-    if (httpError.status === 429) {
-      return new ConfigurationError("API rate limit exceeded");
-    }
   }
   return e;
 }

src/cli-errors.test.ts

@@ -310,20 +310,6 @@ test("wrapCliConfigurationError - pack cannot be found", (t) => {
   t.true(wrappedError instanceof ConfigurationError);
 });
 
-test("wrapCliConfigurationError - unknown query file", (t) => {
-  const commandError = new CommandInvocationError(
-    "codeql",
-    ["database", "init"],
-    2,
-    "my-query-file is not a .ql file, .qls file, a directory, or a query pack specification. See the logs for more details.",
-  );
-  const cliError = new CliError(commandError);
-
-  const wrappedError = wrapCliConfigurationError(cliError);
-
-  t.true(wrappedError instanceof ConfigurationError);
-});
-
 test("wrapCliConfigurationError - pack missing auth", (t) => {
   const commandError = new CommandInvocationError(
     "codeql",

src/cli-errors.ts

@@ -264,9 +264,6 @@ export const cliErrorsConfig: Record<
       new RegExp(
         "Query pack .* cannot be found\\. Check the spelling of the pack\\.",
       ),
-      new RegExp(
-        "is not a .ql file, .qls file, a directory, or a query pack specification.",
-      ),
     ],
   },
   [CliConfigErrorCategory.PackMissingAuth]: {

src/codeql.test.ts

@@ -5,6 +5,7 @@ import * as toolrunner from "@actions/exec/lib/toolrunner";
 import * as io from "@actions/io";
 import * as toolcache from "@actions/tool-cache";
 import test, { ExecutionContext } from "ava";
+import * as del from "del";
 import * as yaml from "js-yaml";
 import nock from "nock";
 import * as sinon from "sinon";
@@ -35,6 +36,7 @@ import {
   createTestConfig,
 } from "./testing-utils";
 import { ToolsDownloadStatusReport } from "./tools-download";
+import { ToolsFeature } from "./tools-features";
 import * as util from "./util";
 import { initializeEnvironment } from "./util";
 
@@ -556,7 +558,7 @@ const injectedConfigMacro = test.macro({
       const augmentedConfig = yaml.load(fs.readFileSync(configFile, "utf8"));
       t.deepEqual(augmentedConfig, expectedConfig);
 
-      await fs.promises.rm(configFile, { force: true });
+      await del.deleteAsync(configFile, { force: true });
     });
   },
 
@@ -868,6 +870,84 @@ test("does not pass a qlconfig to the CLI when it is undefined", async (t: Execu
   });
 });
 
+const NEW_ANALYSIS_SUMMARY_TEST_CASES = [
+  {
+    codeqlVersion: makeVersionInfo("2.15.0", {
+      [ToolsFeature.AnalysisSummaryV2IsDefault]: true,
+    }),
+    githubVersion: {
+      type: util.GitHubVariant.DOTCOM,
+    },
+    flagPassed: false,
+    negativeFlagPassed: false,
+  },
+  {
+    codeqlVersion: makeVersionInfo("2.15.0"),
+    githubVersion: {
+      type: util.GitHubVariant.DOTCOM,
+    },
+    flagPassed: true,
+    negativeFlagPassed: false,
+  },
+  {
+    codeqlVersion: makeVersionInfo("2.15.0"),
+    githubVersion: {
+      type: util.GitHubVariant.GHES,
+      version: "3.10.0",
+    },
+    flagPassed: true,
+    negativeFlagPassed: false,
+  },
+];
+
+for (const {
+  codeqlVersion,
+  flagPassed,
+  githubVersion,
+  negativeFlagPassed,
+} of NEW_ANALYSIS_SUMMARY_TEST_CASES) {
+  test(`database interpret-results passes ${
+    flagPassed
+      ? "--new-analysis-summary"
+      : negativeFlagPassed
+        ? "--no-new-analysis-summary"
+        : "nothing"
+  } for CodeQL version ${JSON.stringify(codeqlVersion)} and ${
+    util.GitHubVariant[githubVersion.type]
+  } ${githubVersion.version ? ` ${githubVersion.version}` : ""}`, async (t) => {
+    const runnerConstructorStub = stubToolRunnerConstructor();
+    const codeqlObject = await codeql.getCodeQLForTesting();
+    sinon.stub(codeqlObject, "getVersion").resolves(codeqlVersion);
+    // io throws because of the test CodeQL object.
+    sinon.stub(io, "which").resolves("");
+    await codeqlObject.databaseInterpretResults(
+      "",
+      [],
+      "",
+      "",
+      "",
+      "-v",
+      undefined,
+      "",
+      Object.assign({}, stubConfig, { gitHubVersion: githubVersion }),
+      createFeatures([]),
+    );
+    const actualArgs = runnerConstructorStub.firstCall.args[1] as string[];
+    t.is(
+      actualArgs.includes("--new-analysis-summary"),
+      flagPassed,
+      `--new-analysis-summary should${flagPassed ? "" : "n't"} be passed`,
+    );
+    t.is(
+      actualArgs.includes("--no-new-analysis-summary"),
+      negativeFlagPassed,
+      `--no-new-analysis-summary should${
+        negativeFlagPassed ? "" : "n't"
+      } be passed`,
+    );
+  });
+}
+
 test("runTool summarizes several fatal errors", async (t) => {
   const heapError =
     "A fatal error occurred: Evaluator heap must be at least 384.00 MiB";
@@ -1045,7 +1125,7 @@ test("Avoids duplicating --overwrite flag if specified in CODEQL_ACTION_EXTRA_OP
   );
   t.truthy(configArg, "Should have injected a codescanning config");
   const configFile = configArg!.split("=")[1];
-  await fs.promises.rm(configFile, { force: true });
+  await del.deleteAsync(configFile, { force: true });
 });
 
 export function stubToolRunnerConstructor(

src/codeql.ts

@@ -3,6 +3,7 @@ import * as path from "path";
 
 import * as core from "@actions/core";
 import * as toolrunner from "@actions/exec/lib/toolrunner";
+import { RequestError } from "@octokit/request-error";
 import * as yaml from "js-yaml";
 
 import {
@@ -167,6 +168,7 @@ export interface CodeQL {
     databasePath: string,
     querySuitePaths: string[] | undefined,
     sarifFile: string,
+    addSnippetsFlag: string,
     threadsFlag: string,
     verbosityFlag: string | undefined,
     sarifRunPropertyFlag: string | undefined,
@@ -266,7 +268,7 @@ let cachedCodeQL: CodeQL | undefined = undefined;
  * The version flags below can be used to conditionally enable certain features
  * on versions newer than this.
  */
-const CODEQL_MINIMUM_VERSION = "2.17.6";
+const CODEQL_MINIMUM_VERSION = "2.16.6";
 
 /**
  * This version will shortly become the oldest version of CodeQL that the Action will run with.
@@ -369,11 +371,11 @@ export async function setupCodeQL(
       toolsVersion,
       zstdAvailability,
     };
-  } catch (rawError) {
-    const e = api.wrapApiConfigurationError(rawError);
+  } catch (e) {
     const ErrorClass =
       e instanceof util.ConfigurationError ||
-      (e instanceof Error && e.message.includes("ENOSPC")) // out of disk space
+      (e instanceof Error && e.message.includes("ENOSPC")) || // out of disk space
+      (e instanceof RequestError && e.status === 429) // rate limited
         ? util.ConfigurationError
         : Error;
 
@@ -816,6 +818,7 @@ export async function getCodeQLForCmd(
       databasePath: string,
       querySuitePaths: string[] | undefined,
       sarifFile: string,
+      addSnippetsFlag: string,
       threadsFlag: string,
       verbosityFlag: string,
       sarifRunPropertyFlag: string | undefined,
@@ -834,6 +837,7 @@ export async function getCodeQLForCmd(
         "--format=sarif-latest",
         verbosityFlag,
         `--output=${sarifFile}`,
+        addSnippetsFlag,
         "--print-diagnostics-summary",
         "--print-metrics-summary",
         "--sarif-add-baseline-file-info",
@@ -857,6 +861,14 @@ export async function getCodeQLForCmd(
       } else {
         codeqlArgs.push("--no-sarif-include-diagnostics");
       }
+      if (
+        !isSupportedToolsFeature(
+          await this.getVersion(),
+          ToolsFeature.AnalysisSummaryV2IsDefault,
+        )
+      ) {
+        codeqlArgs.push("--new-analysis-summary");
+      }
       codeqlArgs.push(databasePath);
       if (querySuitePaths) {
         codeqlArgs.push(...querySuitePaths);

src/config-utils.test.ts

@@ -49,9 +49,10 @@ function createTestInitConfigInputs(
   return Object.assign(
     {},
     {
-      analysisKinds: [AnalysisKind.CodeScanning],
+      analysisKindsInput: "code-scanning",
       languagesInput: undefined,
       queriesInput: undefined,
+      qualityQueriesInput: undefined,
       packsInput: undefined,
       configFile: undefined,
       dbLocation: undefined,
@@ -148,7 +149,6 @@ test("load empty config", async (t) => {
     });
 
     const config = await configUtils.initConfig(
-      createFeatures([]),
       createTestInitConfigInputs({
         languagesInput: languages,
         repository: { owner: "github", repo: "example" },
@@ -188,9 +188,8 @@ test("load code quality config", async (t) => {
     });
 
     const config = await configUtils.initConfig(
-      createFeatures([]),
       createTestInitConfigInputs({
-        analysisKinds: [AnalysisKind.CodeQuality],
+        analysisKindsInput: "code-quality",
         languagesInput: languages,
         repository: { owner: "github", repo: "example" },
         tempDir,
@@ -273,9 +272,8 @@ test("initActionState doesn't throw if there are queries configured in the repos
 
     await t.notThrowsAsync(async () => {
       const config = await configUtils.initConfig(
-        createFeatures([]),
         createTestInitConfigInputs({
-          analysisKinds: [AnalysisKind.CodeQuality],
+          analysisKindsInput: "code-quality",
           languagesInput: languages,
           repository: { owner: "github", repo: "example" },
           tempDir,
@@ -312,7 +310,6 @@ test("loading a saved config produces the same config", async (t) => {
     t.deepEqual(await configUtils.getConfig(tempDir, logger), undefined);
 
     const config1 = await configUtils.initConfig(
-      createFeatures([]),
       createTestInitConfigInputs({
         languagesInput: "javascript,python",
         tempDir,
@@ -364,7 +361,6 @@ test("loading config with version mismatch throws", async (t) => {
       .returns("does-not-exist");
 
     const config = await configUtils.initConfig(
-      createFeatures([]),
       createTestInitConfigInputs({
         languagesInput: "javascript,python",
         tempDir,
@@ -393,7 +389,6 @@ test("load input outside of workspace", async (t) => {
   return await withTmpDir(async (tempDir) => {
     try {
       await configUtils.initConfig(
-        createFeatures([]),
         createTestInitConfigInputs({
           configFile: "../input",
           tempDir,
@@ -421,7 +416,6 @@ test("load non-local input with invalid repo syntax", async (t) => {
 
     try {
       await configUtils.initConfig(
-        createFeatures([]),
         createTestInitConfigInputs({
           configFile,
           tempDir,
@@ -450,7 +444,6 @@ test("load non-existent input", async (t) => {
 
     try {
       await configUtils.initConfig(
-        createFeatures([]),
         createTestInitConfigInputs({
           languagesInput,
           configFile,
@@ -534,7 +527,6 @@ test("load non-empty input", async (t) => {
     const configFilePath = createConfigFile(inputFileContents, tempDir);
 
     const actualConfig = await configUtils.initConfig(
-      createFeatures([]),
       createTestInitConfigInputs({
         languagesInput,
         buildModeInput: "none",
@@ -591,7 +583,6 @@ test("Using config input and file together, config input should be used.", async
     const languagesInput = "javascript";
 
     const config = await configUtils.initConfig(
-      createFeatures([]),
       createTestInitConfigInputs({
         languagesInput,
         configFile: configFilePath,
@@ -642,7 +633,6 @@ test("API client used when reading remote config", async (t) => {
     const languagesInput = "javascript";
 
     await configUtils.initConfig(
-      createFeatures([]),
       createTestInitConfigInputs({
         languagesInput,
         configFile,
@@ -663,7 +653,6 @@ test("Remote config handles the case where a directory is provided", async (t) =
     const repoReference = "octo-org/codeql-config/config.yaml@main";
     try {
       await configUtils.initConfig(
-        createFeatures([]),
         createTestInitConfigInputs({
           configFile: repoReference,
           tempDir,
@@ -692,7 +681,6 @@ test("Invalid format of remote config handled correctly", async (t) => {
     const repoReference = "octo-org/codeql-config/config.yaml@main";
     try {
       await configUtils.initConfig(
-        createFeatures([]),
         createTestInitConfigInputs({
           configFile: repoReference,
           tempDir,
@@ -722,7 +710,6 @@ test("No detected languages", async (t) => {
 
     try {
       await configUtils.initConfig(
-        createFeatures([]),
         createTestInitConfigInputs({
           tempDir,
           codeql,
@@ -745,7 +732,6 @@ test("Unknown languages", async (t) => {
 
     try {
       await configUtils.initConfig(
-        createFeatures([]),
         createTestInitConfigInputs({
           languagesInput,
           tempDir,

src/config-utils.ts

@@ -11,6 +11,7 @@ import {
   CodeQuality,
   codeQualityQueries,
   CodeScanning,
+  parseAnalysisKinds,
 } from "./analyses";
 import * as api from "./api-client";
 import { CachingKind, getCachingKind } from "./caching-utils";
@@ -19,7 +20,6 @@ import {
   calculateAugmentation,
   ExcludeQueryFilter,
   generateCodeScanningConfig,
-  parseUserConfig,
   UserConfig,
 } from "./config/db-config";
 import { shouldPerformDiffInformedAnalysis } from "./diff-informed-analysis-utils";
@@ -373,8 +373,10 @@ export async function getRawLanguages(
 
 /** Inputs required to initialize a configuration. */
 export interface InitConfigInputs {
+  analysisKindsInput: string;
   languagesInput: string | undefined;
   queriesInput: string | undefined;
+  qualityQueriesInput: string | undefined;
   packsInput: string | undefined;
   configFile: string | undefined;
   dbLocation: string | undefined;
@@ -394,7 +396,6 @@ export interface InitConfigInputs {
   apiDetails: api.GitHubApiCombinedDetails;
   features: FeatureEnablement;
   repositoryProperties: RepositoryProperties;
-  analysisKinds: AnalysisKind[];
   logger: Logger;
 }
 
@@ -404,8 +405,10 @@ export interface InitConfigInputs {
  */
 export async function initActionState(
   {
+    analysisKindsInput,
     languagesInput,
     queriesInput,
+    qualityQueriesInput,
     packsInput,
     buildModeInput,
     dbLocation,
@@ -421,11 +424,22 @@ export async function initActionState(
     githubVersion,
     features,
     repositoryProperties,
-    analysisKinds,
     logger,
   }: InitConfigInputs,
   userConfig: UserConfig,
 ): Promise<Config> {
+  const analysisKinds = await parseAnalysisKinds(analysisKindsInput);
+
+  // For backwards compatibility, add Code Quality to the enabled analysis kinds
+  // if an input to `quality-queries` was specified. We should remove this once
+  // `quality-queries` is no longer used.
+  if (
+    !analysisKinds.includes(AnalysisKind.CodeQuality) &&
+    qualityQueriesInput !== undefined
+  ) {
+    analysisKinds.push(AnalysisKind.CodeQuality);
+  }
+
   const languages = await getLanguages(
     codeql,
     languagesInput,
@@ -526,12 +540,10 @@ async function downloadCacheWithTime(
 }
 
 async function loadUserConfig(
-  logger: Logger,
   configFile: string,
   workspacePath: string,
   apiDetails: api.GitHubApiCombinedDetails,
   tempDir: string,
-  validateConfig: boolean,
 ): Promise<UserConfig> {
   if (isLocal(configFile)) {
     if (configFile !== userConfigFromActionPath(tempDir)) {
@@ -544,14 +556,9 @@ async function loadUserConfig(
         );
       }
     }
-    return getLocalConfig(logger, configFile, validateConfig);
+    return getLocalConfig(configFile);
   } else {
-    return await getRemoteConfig(
-      logger,
-      configFile,
-      apiDetails,
-      validateConfig,
-    );
+    return await getRemoteConfig(configFile, apiDetails);
   }
 }
 
@@ -787,10 +794,7 @@ function hasQueryCustomisation(userConfig: UserConfig): boolean {
  * This will parse the config from the user input if present, or generate
  * a default config. The parsed config is then stored to a known location.
  */
-export async function initConfig(
-  features: FeatureEnablement,
-  inputs: InitConfigInputs,
-): Promise<Config> {
+export async function initConfig(inputs: InitConfigInputs): Promise<Config> {
   const { logger, tempDir } = inputs;
 
   // if configInput is set, it takes precedence over configFile
@@ -810,14 +814,11 @@ export async function initConfig(
     logger.debug("No configuration file was provided");
   } else {
     logger.debug(`Using configuration file: ${inputs.configFile}`);
-    const validateConfig = await features.getValue(Feature.ValidateDbConfig);
     userConfig = await loadUserConfig(
-      logger,
       inputs.configFile,
       inputs.workspacePath,
       inputs.apiDetails,
       tempDir,
-      validateConfig,
     );
   }
 
@@ -911,11 +912,7 @@ function isLocal(configPath: string): boolean {
   return configPath.indexOf("@") === -1;
 }
 
-function getLocalConfig(
-  logger: Logger,
-  configFile: string,
-  validateConfig: boolean,
-): UserConfig {
+function getLocalConfig(configFile: string): UserConfig {
   // Error if the file does not exist
   if (!fs.existsSync(configFile)) {
     throw new ConfigurationError(
@@ -923,19 +920,12 @@ function getLocalConfig(
     );
   }
 
-  return parseUserConfig(
-    logger,
-    configFile,
-    fs.readFileSync(configFile, "utf-8"),
-    validateConfig,
-  );
+  return yaml.load(fs.readFileSync(configFile, "utf8")) as UserConfig;
 }
 
 async function getRemoteConfig(
-  logger: Logger,
   configFile: string,
   apiDetails: api.GitHubApiCombinedDetails,
-  validateConfig: boolean,
 ): Promise<UserConfig> {
   // retrieve the various parts of the config location, and ensure they're present
   const format = new RegExp(
@@ -943,7 +933,7 @@ async function getRemoteConfig(
   );
   const pieces = format.exec(configFile);
   // 5 = 4 groups + the whole expression
-  if (pieces?.groups === undefined || pieces.length < 5) {
+  if (pieces === null || pieces.groups === undefined || pieces.length < 5) {
     throw new ConfigurationError(
       errorMessages.getConfigFileRepoFormatInvalidMessage(configFile),
     );
@@ -971,12 +961,9 @@ async function getRemoteConfig(
     );
   }
 
-  return parseUserConfig(
-    logger,
-    configFile,
+  return yaml.load(
     Buffer.from(fileContents, "base64").toString("binary"),
-    validateConfig,
-  );
+  ) as UserConfig;
 }
 
 /**

src/config/db-config.test.ts

@@ -2,13 +2,7 @@ import test, { ExecutionContext } from "ava";
 
 import { RepositoryProperties } from "../feature-flags/properties";
 import { KnownLanguage, Language } from "../languages";
-import { getRunnerLogger } from "../logging";
-import {
-  checkExpectedLogMessages,
-  getRecordingLogger,
-  LoggedMessage,
-} from "../testing-utils";
-import { ConfigurationError, prettyPrintPack } from "../util";
+import { prettyPrintPack } from "../util";
 
 import * as dbConfig from "./db-config";
 
@@ -397,111 +391,3 @@ test(
   {},
   /"a-pack-without-a-scope" is not a valid pack/,
 );
-
-test("parseUserConfig - successfully parses valid YAML", (t) => {
-  const result = dbConfig.parseUserConfig(
-    getRunnerLogger(true),
-    "test",
-    `
-    paths-ignore:
-      - "some/path"
-    queries:
-      - uses: foo
-    some-unknown-option: true
-    `,
-    true,
-  );
-  t.truthy(result);
-  if (t.truthy(result["paths-ignore"])) {
-    t.is(result["paths-ignore"].length, 1);
-    t.is(result["paths-ignore"][0], "some/path");
-  }
-  if (t.truthy(result["queries"])) {
-    t.is(result["queries"].length, 1);
-    t.deepEqual(result["queries"][0], { uses: "foo" });
-  }
-});
-
-test("parseUserConfig - throws a ConfigurationError if the file is not valid YAML", (t) => {
-  t.throws(
-    () =>
-      dbConfig.parseUserConfig(
-        getRunnerLogger(true),
-        "test",
-        `
-        paths-ignore:
-         - "some/path"
-         queries:
-         - foo
-        `,
-        true,
-      ),
-    {
-      instanceOf: ConfigurationError,
-    },
-  );
-});
-
-test("parseUserConfig - validation isn't picky about `query-filters`", (t) => {
-  const loggedMessages: LoggedMessage[] = [];
-  const logger = getRecordingLogger(loggedMessages);
-
-  t.notThrows(() =>
-    dbConfig.parseUserConfig(
-      logger,
-      "test",
-      `
-        query-filters:
-          - something
-          - include: foo
-          - exclude: bar
-        `,
-      true,
-    ),
-  );
-});
-
-test("parseUserConfig - throws a ConfigurationError if validation fails", (t) => {
-  const loggedMessages: LoggedMessage[] = [];
-  const logger = getRecordingLogger(loggedMessages);
-
-  t.throws(
-    () =>
-      dbConfig.parseUserConfig(
-        logger,
-        "test",
-        `
-        paths-ignore:
-         - "some/path"
-        queries: true
-        `,
-        true,
-      ),
-    {
-      instanceOf: ConfigurationError,
-      message:
-        'The configuration file "test" is invalid: instance.queries is not of a type(s) array.',
-    },
-  );
-
-  const expectedMessages = ["instance.queries is not of a type(s) array"];
-  checkExpectedLogMessages(t, loggedMessages, expectedMessages);
-});
-
-test("parseUserConfig - throws no ConfigurationError if validation should fail, but feature is disabled", (t) => {
-  const loggedMessages: LoggedMessage[] = [];
-  const logger = getRecordingLogger(loggedMessages);
-
-  t.notThrows(() =>
-    dbConfig.parseUserConfig(
-      logger,
-      "test",
-      `
-        paths-ignore:
-         - "some/path"
-        queries: true
-        `,
-      false,
-    ),
-  );
-});

src/config/db-config.ts

@@ -1,7 +1,5 @@
 import * as path from "path";
 
-import * as yaml from "js-yaml";
-import * as jsonschema from "jsonschema";
 import * as semver from "semver";
 
 import * as errorMessages from "../error-messages";
@@ -380,7 +378,10 @@ function combineQueries(
   const result: QuerySpec[] = [];
 
   // Query settings obtained from the repository properties have the highest precedence.
-  if (augmentationProperties.repoPropertyQueries?.input) {
+  if (
+    augmentationProperties.repoPropertyQueries &&
+    augmentationProperties.repoPropertyQueries.input
+  ) {
     logger.info(
       `Found query configuration in the repository properties (${RepositoryPropertyName.EXTRA_QUERIES}): ` +
         `${augmentationProperties.repoPropertyQueries.input.map((q) => q.uses).join(", ")}`,
@@ -473,53 +474,3 @@ export function generateCodeScanningConfig(
 
   return augmentedConfig;
 }
-
-/**
- * Attempts to parse `contents` into a `UserConfig` value.
- *
- * @param logger The logger to use.
- * @param pathInput The path to the file where `contents` was obtained from, for use in error messages.
- * @param contents The string contents of a YAML file to try and parse as a `UserConfig`.
- * @param validateConfig Whether to validate the configuration file against the schema.
- * @returns The `UserConfig` corresponding to `contents`, if parsing was successful.
- * @throws A `ConfigurationError` if parsing failed.
- */
-export function parseUserConfig(
-  logger: Logger,
-  pathInput: string,
-  contents: string,
-  validateConfig: boolean,
-): UserConfig {
-  try {
-    const schema =
-      // eslint-disable-next-line @typescript-eslint/no-require-imports
-      require("../../src/db-config-schema.json") as jsonschema.Schema;
-
-    const doc = yaml.load(contents);
-
-    if (validateConfig) {
-      const result = new jsonschema.Validator().validate(doc, schema);
-
-      if (result.errors.length > 0) {
-        for (const error of result.errors) {
-          logger.error(error.stack);
-        }
-        throw new ConfigurationError(
-          errorMessages.getInvalidConfigFileMessage(
-            pathInput,
-            result.errors.map((e) => e.stack),
-          ),
-        );
-      }
-    }
-
-    return doc as UserConfig;
-  } catch (error) {
-    if (error instanceof yaml.YAMLException) {
-      throw new ConfigurationError(
-        errorMessages.getConfigFileParseErrorMessage(pathInput, error.message),
-      );
-    }
-    throw error;
-  }
-}

src/database-upload.test.ts

@@ -5,7 +5,6 @@ import test from "ava";
 import * as sinon from "sinon";
 
 import * as actionsUtil from "./actions-util";
-import { AnalysisKind } from "./analyses";
 import { GitHubApiDetails } from "./api-client";
 import * as apiClient from "./api-client";
 import { createStubCodeQL } from "./codeql";
@@ -109,39 +108,6 @@ test("Abort database upload if 'upload-database' input set to false", async (t)
   });
 });
 
-test("Abort database upload if 'analysis-kinds: code-scanning' is not enabled", async (t) => {
-  await withTmpDir(async (tmpDir) => {
-    setupActionsVars(tmpDir, tmpDir);
-    sinon
-      .stub(actionsUtil, "getRequiredInput")
-      .withArgs("upload-database")
-      .returns("true");
-    sinon.stub(gitUtils, "isAnalyzingDefaultBranch").resolves(true);
-
-    await mockHttpRequests(201);
-
-    const loggedMessages = [];
-    await uploadDatabases(
-      testRepoName,
-      getCodeQL(),
-      {
-        ...getTestConfig(tmpDir),
-        analysisKinds: [AnalysisKind.CodeQuality],
-      },
-      testApiDetails,
-      getRecordingLogger(loggedMessages),
-    );
-    t.assert(
-      loggedMessages.find(
-        (v: LoggedMessage) =>
-          v.type === "debug" &&
-          v.message ===
-            "Not uploading database because 'analysis-kinds: code-scanning' is not enabled.",
-      ) !== undefined,
-    );
-  });
-});
-
 test("Abort database upload if running against GHES", async (t) => {
   await withTmpDir(async (tmpDir) => {
     setupActionsVars(tmpDir, tmpDir);

src/database-upload.ts

@@ -1,7 +1,6 @@
 import * as fs from "fs";
 
 import * as actionsUtil from "./actions-util";
-import { AnalysisKind } from "./analyses";
 import { getApiClient, GitHubApiDetails } from "./api-client";
 import { type CodeQL } from "./codeql";
 import { Config } from "./config-utils";
@@ -23,13 +22,6 @@ export async function uploadDatabases(
     return;
   }
 
-  if (!config.analysisKinds.includes(AnalysisKind.CodeScanning)) {
-    logger.debug(
-      `Not uploading database because 'analysis-kinds: ${AnalysisKind.CodeScanning}' is not enabled.`,
-    );
-    return;
-  }
-
   if (util.isInTestMode()) {
     logger.debug("In test mode. Skipping database upload.");
     return;

src/db-config-schema.json

@@ -1,145 +0,0 @@
-{
-  "$schema": "https://json-schema.org/draft/2020-12/schema",
-  "title": "CodeQL Database Configuration",
-  "description": "Format of the config file supplied by the user for CodeQL analysis",
-  "type": "object",
-  "properties": {
-    "name": {
-      "type": "string",
-      "description": "Name of the configuration"
-    },
-    "disable-default-queries": {
-      "type": "boolean",
-      "description": "Whether to disable default queries"
-    },
-    "queries": {
-      "type": "array",
-      "description": "List of additional queries to run",
-      "items": {
-        "$ref": "#/definitions/QuerySpec"
-      }
-    },
-    "paths-ignore": {
-      "type": "array",
-      "description": "Paths to ignore during analysis",
-      "items": {
-        "type": "string"
-      }
-    },
-    "paths": {
-      "type": "array",
-      "description": "Paths to include in analysis",
-      "items": {
-        "type": "string"
-      }
-    },
-    "packs": {
-      "description": "Query packs to include. Can be a simple array for single-language analysis or an object with language-specific arrays for multi-language analysis",
-      "oneOf": [
-        {
-          "type": "array",
-          "items": {
-            "type": "string"
-          }
-        },
-        {
-          "type": "object",
-          "additionalProperties": {
-            "type": "array",
-            "items": {
-              "type": "string"
-            }
-          }
-        }
-      ]
-    },
-    "query-filters": {
-      "type": "array",
-      "description": "Set of query filters to include and exclude extra queries based on CodeQL query suite include and exclude properties",
-      "items": {
-        "$ref": "#/definitions/QueryFilter"
-      }
-    }
-  },
-  "additionalProperties": true,
-  "definitions": {
-    "QuerySpec": {
-      "type": "object",
-      "description": "Detailed query specification object",
-      "properties": {
-        "name": {
-          "type": "string",
-          "description": "Optional name for the query"
-        },
-        "uses": {
-          "type": "string",
-          "description": "The query or query suite to use"
-        }
-      },
-      "required": ["uses"],
-      "additionalProperties": false
-    },
-    "QueryFilter": {
-      "description": "Query filter that can either include or exclude queries",
-      "oneOf": [
-        {
-          "$ref": "#/definitions/ExcludeQueryFilter"
-        },
-        {
-          "$ref": "#/definitions/IncludeQueryFilter"
-        },
-        {}
-      ]
-    },
-    "ExcludeQueryFilter": {
-      "type": "object",
-      "description": "Filter to exclude queries",
-      "properties": {
-        "exclude": {
-          "type": "object",
-          "description": "Queries to exclude",
-          "additionalProperties": {
-            "oneOf": [
-              {
-                "type": "array",
-                "items": {
-                  "type": "string"
-                }
-              },
-              {
-                "type": "string"
-              }
-            ]
-          }
-        }
-      },
-      "required": ["exclude"],
-      "additionalProperties": false
-    },
-    "IncludeQueryFilter": {
-      "type": "object",
-      "description": "Filter to include queries",
-      "properties": {
-        "include": {
-          "type": "object",
-          "description": "Queries to include",
-          "additionalProperties": {
-            "oneOf": [
-              {
-                "type": "array",
-                "items": {
-                  "type": "string"
-                }
-              },
-              {
-                "type": "string"
-              }
-            ]
-          }
-        }
-      },
-      "required": ["include"],
-      "additionalProperties": false
-    }
-  }
-}

src/debug-artifacts.ts

@@ -5,6 +5,7 @@ import * as artifact from "@actions/artifact";
 import * as artifactLegacy from "@actions/artifact-legacy";
 import * as core from "@actions/core";
 import archiver from "archiver";
+import * as del from "del";
 
 import { getOptionalInput, getTemporaryDirectory } from "./actions-util";
 import { dbIsFinalized } from "./analyze";
@@ -344,7 +345,7 @@ async function createPartialDatabaseBundle(
   );
   // See `bundleDb` for explanation behind deleting existing db bundle.
   if (fs.existsSync(databaseBundlePath)) {
-    await fs.promises.rm(databaseBundlePath, { force: true });
+    await del.deleteAsync(databaseBundlePath, { force: true });
   }
   const output = fs.createWriteStream(databaseBundlePath);
   const zip = archiver("zip");

src/defaults.json

@@ -1,6 +1,6 @@
 {
-  "bundleVersion": "codeql-bundle-v2.23.3",
-  "cliVersion": "2.23.3",
-  "priorBundleVersion": "codeql-bundle-v2.23.2",
-  "priorCliVersion": "2.23.2"
+  "bundleVersion": "codeql-bundle-v2.23.2",
+  "cliVersion": "2.23.2",
+  "priorBundleVersion": "codeql-bundle-v2.23.1",
+  "priorCliVersion": "2.23.1"
 }

src/diff-informed-analysis-utils.test.ts

@@ -4,10 +4,7 @@ import * as sinon from "sinon";
 import * as actionsUtil from "./actions-util";
 import type { PullRequestBranches } from "./actions-util";
 import * as apiClient from "./api-client";
-import {
-  shouldPerformDiffInformedAnalysis,
-  exportedForTesting,
-} from "./diff-informed-analysis-utils";
+import { shouldPerformDiffInformedAnalysis } from "./diff-informed-analysis-utils";
 import { Feature, Features } from "./feature-flags";
 import { getRunnerLogger } from "./logging";
 import { parseRepositoryNwo } from "./repository";
@@ -186,201 +183,3 @@ test(
   },
   false,
 );
-
-function runGetDiffRanges(changes: number, patch: string[] | undefined): any {
-  sinon
-    .stub(actionsUtil, "getRequiredInput")
-    .withArgs("checkout_path")
-    .returns("/checkout/path");
-  return exportedForTesting.getDiffRanges(
-    {
-      filename: "test.txt",
-      changes,
-      patch: patch?.join("\n"),
-    },
-    getRunnerLogger(true),
-  );
-}
-
-test("getDiffRanges: file unchanged", async (t) => {
-  const diffRanges = runGetDiffRanges(0, undefined);
-  t.deepEqual(diffRanges, []);
-});
-
-test("getDiffRanges: file diff too large", async (t) => {
-  const diffRanges = runGetDiffRanges(1000000, undefined);
-  t.deepEqual(diffRanges, [
-    {
-      path: "/checkout/path/test.txt",
-      startLine: 0,
-      endLine: 0,
-    },
-  ]);
-});
-
-test("getDiffRanges: diff thunk with single addition range", async (t) => {
-  const diffRanges = runGetDiffRanges(2, [
-    "@@ -30,6 +50,8 @@",
-    " a",
-    " b",
-    " c",
-    "+1",
-    "+2",
-    " d",
-    " e",
-    " f",
-  ]);
-  t.deepEqual(diffRanges, [
-    {
-      path: "/checkout/path/test.txt",
-      startLine: 53,
-      endLine: 54,
-    },
-  ]);
-});
-
-test("getDiffRanges: diff thunk with single deletion range", async (t) => {
-  const diffRanges = runGetDiffRanges(2, [
-    "@@ -30,8 +50,6 @@",
-    " a",
-    " b",
-    " c",
-    "-1",
-    "-2",
-    " d",
-    " e",
-    " f",
-  ]);
-  t.deepEqual(diffRanges, []);
-});
-
-test("getDiffRanges: diff thunk with single update range", async (t) => {
-  const diffRanges = runGetDiffRanges(2, [
-    "@@ -30,7 +50,7 @@",
-    " a",
-    " b",
-    " c",
-    "-1",
-    "+2",
-    " d",
-    " e",
-    " f",
-  ]);
-  t.deepEqual(diffRanges, [
-    {
-      path: "/checkout/path/test.txt",
-      startLine: 53,
-      endLine: 53,
-    },
-  ]);
-});
-
-test("getDiffRanges: diff thunk with addition ranges", async (t) => {
-  const diffRanges = runGetDiffRanges(2, [
-    "@@ -30,7 +50,9 @@",
-    " a",
-    " b",
-    " c",
-    "+1",
-    " c",
-    "+2",
-    " d",
-    " e",
-    " f",
-  ]);
-  t.deepEqual(diffRanges, [
-    {
-      path: "/checkout/path/test.txt",
-      startLine: 53,
-      endLine: 53,
-    },
-    {
-      path: "/checkout/path/test.txt",
-      startLine: 55,
-      endLine: 55,
-    },
-  ]);
-});
-
-test("getDiffRanges: diff thunk with mixed ranges", async (t) => {
-  const diffRanges = runGetDiffRanges(2, [
-    "@@ -30,7 +50,7 @@",
-    " a",
-    " b",
-    " c",
-    "-1",
-    " d",
-    "-2",
-    "+3",
-    " e",
-    " f",
-    "+4",
-    "+5",
-    " g",
-    " h",
-    " i",
-  ]);
-  t.deepEqual(diffRanges, [
-    {
-      path: "/checkout/path/test.txt",
-      startLine: 54,
-      endLine: 54,
-    },
-    {
-      path: "/checkout/path/test.txt",
-      startLine: 57,
-      endLine: 58,
-    },
-  ]);
-});
-
-test("getDiffRanges: multiple diff thunks", async (t) => {
-  const diffRanges = runGetDiffRanges(2, [
-    "@@ -30,6 +50,8 @@",
-    " a",
-    " b",
-    " c",
-    "+1",
-    "+2",
-    " d",
-    " e",
-    " f",
-    "@@ -130,6 +150,8 @@",
-    " a",
-    " b",
-    " c",
-    "+1",
-    "+2",
-    " d",
-    " e",
-    " f",
-  ]);
-  t.deepEqual(diffRanges, [
-    {
-      path: "/checkout/path/test.txt",
-      startLine: 53,
-      endLine: 54,
-    },
-    {
-      path: "/checkout/path/test.txt",
-      startLine: 153,
-      endLine: 154,
-    },
-  ]);
-});
-
-test("getDiffRanges: no diff context lines", async (t) => {
-  const diffRanges = runGetDiffRanges(2, ["@@ -30 +50,2 @@", "+1", "+2"]);
-  t.deepEqual(diffRanges, [
-    {
-      path: "/checkout/path/test.txt",
-      startLine: 50,
-      endLine: 51,
-    },
-  ]);
-});
-
-test("getDiffRanges: malformed thunk header", async (t) => {
-  const diffRanges = runGetDiffRanges(2, ["@@ 30 +50,2 @@", "+1", "+2"]);
-  t.deepEqual(diffRanges, undefined);
-});

src/diff-informed-analysis-utils.ts

@@ -3,25 +3,12 @@ import * as path from "path";
 
 import * as actionsUtil from "./actions-util";
 import type { PullRequestBranches } from "./actions-util";
-import { getApiClient, getGitHubVersion } from "./api-client";
+import { getGitHubVersion } from "./api-client";
 import type { CodeQL } from "./codeql";
 import { Feature, FeatureEnablement } from "./feature-flags";
 import { Logger } from "./logging";
-import { getRepositoryNwoFromEnv } from "./repository";
 import { GitHubVariant, satisfiesGHESVersion } from "./util";
 
-/**
- * This interface is an abbreviated version of the file diff object returned by
- * the GitHub API.
- */
-interface FileDiff {
-  filename: string;
-  changes: number;
-  // A patch may be absent if the file is binary, if the file diff is too large,
-  // or if the file is unchanged.
-  patch?: string | undefined;
-}
-
 /**
  * Check if the action should perform diff-informed analysis.
  */
@@ -106,174 +93,3 @@ export function readDiffRangesJsonFile(
   );
   return JSON.parse(jsonContents) as DiffThunkRange[];
 }
-
-/**
- * Return the file line ranges that were added or modified in the pull request.
- *
- * @param branches The base and head branches of the pull request.
- * @param logger
- * @returns An array of tuples, where each tuple contains the absolute path of a
- * file, the start line and the end line (both 1-based and inclusive) of an
- * added or modified range in that file. Returns `undefined` if the action was
- * not triggered by a pull request or if there was an error.
- */
-export async function getPullRequestEditedDiffRanges(
-  branches: PullRequestBranches,
-  logger: Logger,
-): Promise<DiffThunkRange[] | undefined> {
-  const fileDiffs = await getFileDiffsWithBasehead(branches, logger);
-  if (fileDiffs === undefined) {
-    return undefined;
-  }
-  if (fileDiffs.length >= 300) {
-    // The "compare two commits" API returns a maximum of 300 changed files. If
-    // we see that many changed files, it is possible that there could be more,
-    // with the rest being truncated. In this case, we should not attempt to
-    // compute the diff ranges, as the result would be incomplete.
-    logger.warning(
-      `Cannot retrieve the full diff because there are too many ` +
-        `(${fileDiffs.length}) changed files in the pull request.`,
-    );
-    return undefined;
-  }
-  const results: DiffThunkRange[] = [];
-  for (const filediff of fileDiffs) {
-    const diffRanges = getDiffRanges(filediff, logger);
-    if (diffRanges === undefined) {
-      return undefined;
-    }
-    results.push(...diffRanges);
-  }
-  return results;
-}
-
-async function getFileDiffsWithBasehead(
-  branches: PullRequestBranches,
-  logger: Logger,
-): Promise<FileDiff[] | undefined> {
-  // Check CODE_SCANNING_REPOSITORY first. If it is empty or not set, fall back
-  // to GITHUB_REPOSITORY.
-  const repositoryNwo = getRepositoryNwoFromEnv(
-    "CODE_SCANNING_REPOSITORY",
-    "GITHUB_REPOSITORY",
-  );
-  const basehead = `${branches.base}...${branches.head}`;
-  try {
-    const response = await getApiClient().rest.repos.compareCommitsWithBasehead(
-      {
-        owner: repositoryNwo.owner,
-        repo: repositoryNwo.repo,
-        basehead,
-        per_page: 1,
-      },
-    );
-    logger.debug(
-      `Response from compareCommitsWithBasehead(${basehead}):` +
-        `\n${JSON.stringify(response, null, 2)}`,
-    );
-    return response.data.files;
-  } catch (error: any) {
-    if (error.status) {
-      logger.warning(`Error retrieving diff ${basehead}: ${error.message}`);
-      logger.debug(
-        `Error running compareCommitsWithBasehead(${basehead}):` +
-          `\nRequest: ${JSON.stringify(error.request, null, 2)}` +
-          `\nError Response: ${JSON.stringify(error.response, null, 2)}`,
-      );
-      return undefined;
-    } else {
-      throw error;
-    }
-  }
-}
-
-function getDiffRanges(
-  fileDiff: FileDiff,
-  logger: Logger,
-): DiffThunkRange[] | undefined {
-  // Diff-informed queries expect the file path to be absolute. CodeQL always
-  // uses forward slashes as the path separator, so on Windows we need to
-  // replace any backslashes with forward slashes.
-  const filename = path
-    .join(actionsUtil.getRequiredInput("checkout_path"), fileDiff.filename)
-    .replaceAll(path.sep, "/");
-
-  if (fileDiff.patch === undefined) {
-    if (fileDiff.changes === 0) {
-      // There are situations where a changed file legitimately has no diff.
-      // For example, the file may be a binary file, or that the file may have
-      // been renamed with no changes to its contents. In these cases, the
-      // file would be reported as having 0 changes, and we can return an empty
-      // array to indicate no diff range in this file.
-      return [];
-    }
-    // If a file is reported to have nonzero changes but no patch, that may be
-    // due to the file diff being too large. In this case, we should fall back
-    // to a special diff range that covers the entire file.
-    return [
-      {
-        path: filename,
-        startLine: 0,
-        endLine: 0,
-      },
-    ];
-  }
-
-  // The 1-based file line number of the current line
-  let currentLine = 0;
-  // The 1-based file line number that starts the current range of added lines
-  let additionRangeStartLine: number | undefined = undefined;
-  const diffRanges: DiffThunkRange[] = [];
-
-  const diffLines = fileDiff.patch.split("\n");
-  // Adding a fake context line at the end ensures that the following loop will
-  // always terminate the last range of added lines.
-  diffLines.push(" ");
-
-  for (const diffLine of diffLines) {
-    if (diffLine.startsWith("-")) {
-      // Ignore deletions completely -- we do not even want to consider them when
-      // calculating consecutive ranges of added lines.
-      continue;
-    }
-    if (diffLine.startsWith("+")) {
-      if (additionRangeStartLine === undefined) {
-        additionRangeStartLine = currentLine;
-      }
-      currentLine++;
-      continue;
-    }
-    if (additionRangeStartLine !== undefined) {
-      // Any line that does not start with a "+" or "-" terminates the current
-      // range of added lines.
-      diffRanges.push({
-        path: filename,
-        startLine: additionRangeStartLine,
-        endLine: currentLine - 1,
-      });
-      additionRangeStartLine = undefined;
-    }
-    if (diffLine.startsWith("@@ ")) {
-      // A new hunk header line resets the current line number.
-      const match = diffLine.match(/^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@/);
-      if (match === null) {
-        logger.warning(
-          `Cannot parse diff hunk header for ${fileDiff.filename}: ${diffLine}`,
-        );
-        return undefined;
-      }
-      currentLine = parseInt(match[1], 10);
-      continue;
-    }
-    if (diffLine.startsWith(" ")) {
-      // An unchanged context line advances the current line number.
-      currentLine++;
-      continue;
-    }
-  }
-  return diffRanges;
-}
-
-export const exportedForTesting = {
-  getDiffRanges,
-};

src/environment.ts

@@ -47,9 +47,6 @@ export enum EnvVar {
   /** Whether the CodeQL Action has already warned the user about low disk space. */
   HAS_WARNED_ABOUT_DISK_SPACE = "CODEQL_ACTION_HAS_WARNED_ABOUT_DISK_SPACE",
 
-  /** Whether the `setup-codeql` action has been run. */
-  SETUP_CODEQL_ACTION_HAS_RUN = "CODEQL_ACTION_SETUP_CODEQL_HAS_RUN",
-
   /** Whether the init action has been run. */
   INIT_ACTION_HAS_RUN = "CODEQL_ACTION_INIT_HAS_RUN",
 
@@ -137,10 +134,4 @@ export enum EnvVar {
    * This setting is more specific than `CODEQL_ACTION_TEST_MODE`, which implies this option.
    */
   SKIP_SARIF_UPLOAD = "CODEQL_ACTION_SKIP_SARIF_UPLOAD",
-
-  /**
-   * Whether to skip workflow validation. Intended for internal use, where we know that
-   * the workflow is valid and validation is not necessary.
-   */
-  SKIP_WORKFLOW_VALIDATION = "CODEQL_ACTION_SKIP_WORKFLOW_VALIDATION",
 }

src/error-messages.ts

@@ -14,22 +14,6 @@ export function getConfigFileDoesNotExistErrorMessage(
   return `The configuration file "${configFile}" does not exist`;
 }
 
-export function getConfigFileParseErrorMessage(
-  configFile: string,
-  message: string,
-): string {
-  return `Cannot parse "${configFile}": ${message}`;
-}
-
-export function getInvalidConfigFileMessage(
-  configFile: string,
-  messages: string[],
-): string {
-  const andMore =
-    messages.length > 10 ? `, and ${messages.length - 10} more.` : ".";
-  return `The configuration file "${configFile}" is invalid: ${messages.slice(0, 10).join(", ")}${andMore}`;
-}
-
 export function getConfigFileRepoFormatInvalidMessage(
   configFile: string,
 ): string {

src/feature-flags.ts

@@ -44,7 +44,6 @@ export interface FeatureEnablement {
  */
 export enum Feature {
   AllowToolcacheInput = "allow_toolcache_input",
-  AnalyzeUseNewUpload = "analyze_use_new_upload",
   CleanupTrapCaches = "cleanup_trap_caches",
   CppDependencyInstallation = "cpp_dependency_installation_enabled",
   DiffInformedQueries = "diff_informed_queries",
@@ -78,7 +77,6 @@ export enum Feature {
   QaTelemetryEnabled = "qa_telemetry_enabled",
   ResolveSupportedLanguagesUsingCli = "resolve_supported_languages_using_cli",
   UseRepositoryProperties = "use_repository_properties",
-  ValidateDbConfig = "validate_db_config",
 }
 
 export const featureConfig: Record<
@@ -117,11 +115,6 @@ export const featureConfig: Record<
     envVar: "CODEQL_ACTION_ALLOW_TOOLCACHE_INPUT",
     minimumVersion: undefined,
   },
-  [Feature.AnalyzeUseNewUpload]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_ANALYZE_USE_NEW_UPLOAD",
-    minimumVersion: undefined,
-  },
   [Feature.CleanupTrapCaches]: {
     defaultValue: false,
     envVar: "CODEQL_ACTION_CLEANUP_TRAP_CACHES",
@@ -294,11 +287,6 @@ export const featureConfig: Record<
     envVar: "CODEQL_ACTION_JAVA_MINIMIZE_DEPENDENCY_JARS",
     minimumVersion: "2.23.0",
   },
-  [Feature.ValidateDbConfig]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_VALIDATE_DB_CONFIG",
-    minimumVersion: undefined,
-  },
 };
 
 /**
@@ -653,7 +641,7 @@ class GitHubFeatureFlags {
       }
 
       this.logger.debug(
-        "Loaded the following default values for the feature flags from the CodeQL Action API:",
+        "Loaded the following default values for the feature flags from the Code Scanning API:",
       );
       for (const [feature, value] of Object.entries(remoteFlags).sort(
         ([nameA], [nameB]) => nameA.localeCompare(nameB),
@@ -663,13 +651,12 @@ class GitHubFeatureFlags {
       this.hasAccessedRemoteFeatureFlags = true;
       return remoteFlags;
     } catch (e) {
-      const httpError = util.asHTTPError(e);
-      if (httpError?.status === 403) {
+      if (util.isHTTPError(e) && e.status === 403) {
         this.logger.warning(
-          "This run of the CodeQL Action does not have permission to access the CodeQL Action API endpoints. " +
+          "This run of the CodeQL Action does not have permission to access Code Scanning API endpoints. " +
             "As a result, it will not be opted into any experimental features. " +
             "This could be because the Action is running on a pull request from a fork. If not, " +
-            `please ensure the workflow has at least the 'security-events: read' permission. Details: ${httpError.message}`,
+            `please ensure the Action has the 'security-events: write' permission. Details: ${e.message}`,
         );
         this.hasAccessedRemoteFeatureFlags = false;
         return {};

src/init-action-post-helper.test.ts

@@ -2,7 +2,6 @@ import test, { ExecutionContext } from "ava";
 import * as sinon from "sinon";
 
 import * as actionsUtil from "./actions-util";
-import { AnalysisKind } from "./analyses";
 import * as codeql from "./codeql";
 import * as configUtils from "./config-utils";
 import { Feature } from "./feature-flags";
@@ -29,13 +28,12 @@ test("post: init action with debug mode off", async (t) => {
     const gitHubVersion: util.GitHubVersion = {
       type: util.GitHubVariant.DOTCOM,
     };
-    sinon.stub(configUtils, "getConfig").resolves(
-      createTestConfig({
-        debugMode: false,
-        gitHubVersion,
-        languages: [],
-      }),
-    );
+    sinon.stub(configUtils, "getConfig").resolves({
+      debugMode: false,
+      gitHubVersion,
+      languages: [],
+      packs: [],
+    } as unknown as configUtils.Config);
 
     const uploadAllAvailableDebugArtifactsSpy = sinon.spy();
     const printDebugLogsSpy = sinon.spy();
@@ -297,17 +295,6 @@ test("uploading failed SARIF run fails when workflow does not reference github/c
   t.truthy(result.upload_failed_run_stack_trace);
 });
 
-test("not uploading failed SARIF when `code-scanning` is not an enabled analysis kind", async (t) => {
-  const result = await testFailedSarifUpload(t, createTestWorkflow([]), {
-    analysisKinds: [AnalysisKind.CodeQuality],
-    expectUpload: false,
-  });
-  t.is(
-    result.upload_failed_run_skipped_because,
-    "Code Scanning is not enabled.",
-  );
-});
-
 function createTestWorkflow(
   steps: workflow.WorkflowJobStep[],
 ): workflow.Workflow {
@@ -340,22 +327,20 @@ async function testFailedSarifUpload(
     expectUpload = true,
     exportDiagnosticsEnabled = false,
     matrix = {},
-    analysisKinds = [AnalysisKind.CodeScanning],
   }: {
     category?: string;
     databaseExists?: boolean;
     expectUpload?: boolean;
     exportDiagnosticsEnabled?: boolean;
     matrix?: { [key: string]: string };
-    analysisKinds?: AnalysisKind[];
   } = {},
 ): Promise<initActionPostHelper.UploadFailedSarifResult> {
-  const config = createTestConfig({
-    analysisKinds,
+  const config = {
     codeQLCmd: "codeql",
     debugMode: true,
     languages: [],
-  });
+    packs: [],
+  } as unknown as configUtils.Config;
   if (databaseExists) {
     config.dbLocation = "path/to/database";
   }

src/init-action-post-helper.ts

@@ -7,7 +7,7 @@ import * as actionsUtil from "./actions-util";
 import { CodeScanning } from "./analyses";
 import { getApiClient } from "./api-client";
 import { CodeQL, getCodeQL } from "./codeql";
-import { Config, isCodeScanningEnabled } from "./config-utils";
+import { Config } from "./config-utils";
 import * as dependencyCaching from "./dependency-caching";
 import { EnvVar } from "./environment";
 import { Feature, FeatureEnablement } from "./feature-flags";
@@ -139,15 +139,6 @@ export async function tryUploadSarifIfRunFailed(
       EnvVar.JOB_STATUS,
       process.env[EnvVar.JOB_STATUS] ?? JobStatus.ConfigErrorStatus,
     );
-
-    // If the only enabled analysis kind is `code-quality`, then we shouldn't
-    // upload the failed SARIF to Code Scanning.
-    if (!isCodeScanningEnabled(config)) {
-      return {
-        upload_failed_run_skipped_because: "Code Scanning is not enabled.",
-      };
-    }
-
     try {
       return await maybeUploadFailedSarif(
         config,

src/init-action.ts

@@ -15,7 +15,6 @@ import {
   getTemporaryDirectory,
   persistInputs,
 } from "./actions-util";
-import { AnalysisKind, getAnalysisKinds } from "./analyses";
 import { getGitHubVersion } from "./api-client";
 import {
   getDependencyCachingEnabled,
@@ -57,7 +56,6 @@ import { ToolsSource } from "./setup-codeql";
 import {
   ActionName,
   InitStatusReport,
-  InitToolsDownloadFields,
   InitWithConfigStatusReport,
   createInitWithConfigStatusReport,
   createStatusReportBase,
@@ -86,31 +84,16 @@ import {
   getErrorMessage,
   BuildMode,
 } from "./util";
-import { checkWorkflow } from "./workflow";
+import { validateWorkflow } from "./workflow";
 
-/**
- * Sends a status report indicating that the `init` Action is starting.
- *
- * @param startedAt
- * @param config
- * @param logger
- */
-async function sendStartingStatusReport(
-  startedAt: Date,
-  config: Partial<configUtils.Config> | undefined,
-  logger: Logger,
-) {
-  const statusReportBase = await createStatusReportBase(
-    ActionName.Init,
-    "starting",
-    startedAt,
-    config,
-    await checkDiskUsage(logger),
-    logger,
-  );
-  if (statusReportBase !== undefined) {
-    await sendStatusReport(statusReportBase);
-  }
+/** Fields of the init status report populated when the tools source is `download`. */
+interface InitToolsDownloadFields {
+  /** Time taken to download the bundle, in milliseconds. */
+  tools_download_duration_ms?: number;
+  /**
+   * Whether the relevant tools dotcom feature flags have been misconfigured.
+   * Only populated if we attempt to determine the default version based on the dotcom feature flags. */
+  tools_feature_flags_valid?: boolean;
 }
 
 async function sendCompletedStatusReport(
@@ -227,7 +210,6 @@ async function run() {
     ? await loadPropertiesFromApi(gitHubVersion, logger, repositoryNwo)
     : {};
 
-  // Create a unique identifier for this run.
   const jobRunUuid = uuidV4();
   logger.info(`Job run UUID is ${jobRunUuid}.`);
   core.exportVariable(EnvVar.JOB_RUN_UUID, jobRunUuid);
@@ -245,30 +227,17 @@ async function run() {
   );
 
   try {
-    // Parsing the `analysis-kinds` input may throw a `ConfigurationError`, which we don't want before
-    // we have called `sendStartingStatusReport` below. However, we want the analysis kinds for that status
-    // report. To work around this, we ignore exceptions that are thrown here and then call `getAnalysisKinds`
-    // a second time later. The second call will then throw the exception again. If `getAnalysisKinds` is
-    // successful, the results are cached so that we don't duplicate the work in normal runs.
-    let analysisKinds: AnalysisKind[] | undefined;
-    try {
-      analysisKinds = await getAnalysisKinds(logger);
-    } catch (err) {
-      logger.debug(
-        `Failed to parse analysis kinds for 'starting' status report: ${getErrorMessage(err)}`,
-      );
+    const statusReportBase = await createStatusReportBase(
+      ActionName.Init,
+      "starting",
+      startedAt,
+      config,
+      await checkDiskUsage(logger),
+      logger,
+    );
+    if (statusReportBase !== undefined) {
+      await sendStatusReport(statusReportBase);
     }
-
-    // Send a status report indicating that an analysis is starting.
-    await sendStartingStatusReport(startedAt, { analysisKinds }, logger);
-
-    // Throw a `ConfigurationError` if the `setup-codeql` action has been run.
-    if (process.env[EnvVar.SETUP_CODEQL_ACTION_HAS_RUN] === "true") {
-      throw new ConfigurationError(
-        `The 'init' action should not be run in the same workflow as 'setup-codeql'.`,
-      );
-    }
-
     const codeQLDefaultVersionInfo = await features.getDefaultCliVersion(
       gitHubVersion.type,
     );
@@ -288,9 +257,16 @@ async function run() {
     toolsSource = initCodeQLResult.toolsSource;
     zstdAvailability = initCodeQLResult.zstdAvailability;
 
-    // Check the workflow for problems. If there are any problems, they are reported
-    // to the workflow log. No exceptions are thrown.
-    await checkWorkflow(logger, codeql);
+    core.startGroup("Validating workflow");
+    const validateWorkflowResult = await validateWorkflow(codeql, logger);
+    if (validateWorkflowResult === undefined) {
+      logger.info("Detected no issues with the code scanning workflow.");
+    } else {
+      logger.warning(
+        `Unable to validate code scanning workflow: ${validateWorkflowResult}`,
+      );
+    }
+    core.endGroup();
 
     // Set CODEQL_ENABLE_EXPERIMENTAL_FEATURES for Rust if between 2.19.3 (included) and 2.22.1 (excluded)
     // We need to set this environment variable before initializing the config, otherwise Rust
@@ -317,11 +293,21 @@ async function run() {
       }
     }
 
-    analysisKinds = await getAnalysisKinds(logger);
-    config = await initConfig(features, {
-      analysisKinds,
+    // Warn that `quality-queries` is deprecated if there is an argument for it.
+    const qualityQueriesInput = getOptionalInput("quality-queries");
+
+    if (qualityQueriesInput !== undefined) {
+      logger.warning(
+        "The `quality-queries` input is deprecated and will be removed in a future version of the CodeQL Action. " +
+          "Use the `analysis-kinds` input to configure different analysis kinds instead.",
+      );
+    }
+
+    config = await initConfig({
+      analysisKindsInput: getRequiredInput("analysis-kinds"),
       languagesInput: getOptionalInput("languages"),
       queriesInput: getOptionalInput("queries"),
+      qualityQueriesInput,
       packsInput: getOptionalInput("packs"),
       buildModeInput: getOptionalInput("build-mode"),
       configFile,

src/init.ts

@@ -61,11 +61,10 @@ export async function initCodeQL(
 }
 
 export async function initConfig(
-  features: FeatureEnablement,
   inputs: configUtils.InitConfigInputs,
 ): Promise<configUtils.Config> {
   return await withGroupAsync("Load language configuration", async () => {
-    return await configUtils.initConfig(features, inputs);
+    return await configUtils.initConfig(inputs);
   });
 }