Merge pull request #3583 from github/dependabot/github_actions/dot-github/workflows/actions/create-github-app-token-3.0.0

Bump actions/create-github-app-token from 2.2.1 to 3.0.0 in /.github/workflows
Merge pull request #3581 from github/dependabot/npm_and_yarn/npm-minor-a87b0427cc
2026-05-04 04:40:09 +00:00 · 2026-03-19 10:37:38 +00:00 · 2026-03-19 10:34:28 +00:00 · 2026-03-19 10:12:30 +00:00 · 2026-03-18 18:10:06 +00:00 · 2026-03-18 17:53:32 +00:00
151 changed files with 20653 additions and 15915 deletions
@@ -25,34 +25,34 @@ on:
    - cron: '0 5 * * *'
  workflow_dispatch:
    inputs:
-      go-version:
-        type: string
-        description: The version of Go to install
-        required: false
-        default: '>=1.21.0'
      dotnet-version:
        type: string
        description: The version of .NET to install
        required: false
        default: 9.x
+      go-version:
+        type: string
+        description: The version of Go to install
+        required: false
+        default: '>=1.21.0'
  workflow_call:
    inputs:
-      go-version:
-        type: string
-        description: The version of Go to install
-        required: false
-        default: '>=1.21.0'
      dotnet-version:
        type: string
        description: The version of .NET to install
        required: false
        default: 9.x
+      go-version:
+        type: string
+        description: The version of Go to install
+        required: false
+        default: '>=1.21.0'
 defaults:
  run:
    shell: bash
 concurrency:
  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: all-platform-bundle-${{github.ref}}-${{inputs.go-version}}-${{inputs.dotnet-version}}
+  group: all-platform-bundle-${{github.ref}}-${{inputs.dotnet-version}}-${{inputs.go-version}}
 jobs:
  all-platform-bundle:
    strategy:
@@ -75,6 +75,15 @@ jobs:
    steps:
      - name: Check out repository
        uses: actions/checkout@v6
+      - name: Install .NET
+        uses: actions/setup-dotnet@v5
+        with:
+          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
+      - name: Install Go
+        uses: actions/setup-go@v6
+        with:
+          go-version: ${{ inputs.go-version || '>=1.21.0' }}
+          cache: false
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -82,15 +91,6 @@ jobs:
          version: ${{ matrix.version }}
          use-all-platform-bundle: 'true'
          setup-kotlin: 'true'
-      - name: Install Go
-        uses: actions/setup-go@v6
-        with:
-          go-version: ${{ inputs.go-version || '>=1.21.0' }}
-          cache: false
-      - name: Install .NET
-        uses: actions/setup-dotnet@v5
-        with:
-          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - id: init
        uses: ./../action/init
        with:
@@ -25,44 +25,34 @@ on:
    - cron: '0 5 * * *'
  workflow_dispatch:
    inputs:
-      go-version:
-        type: string
-        description: The version of Go to install
-        required: false
-        default: '>=1.21.0'
-      python-version:
-        type: string
-        description: The version of Python to install
-        required: false
-        default: '3.13'
      dotnet-version:
        type: string
        description: The version of .NET to install
        required: false
        default: 9.x
+      go-version:
+        type: string
+        description: The version of Go to install
+        required: false
+        default: '>=1.21.0'
  workflow_call:
    inputs:
-      go-version:
-        type: string
-        description: The version of Go to install
-        required: false
-        default: '>=1.21.0'
-      python-version:
-        type: string
-        description: The version of Python to install
-        required: false
-        default: '3.13'
      dotnet-version:
        type: string
        description: The version of .NET to install
        required: false
        default: 9.x
+      go-version:
+        type: string
+        description: The version of Go to install
+        required: false
+        default: '>=1.21.0'
 defaults:
  run:
    shell: bash
 concurrency:
  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: analyze-ref-input-${{github.ref}}-${{inputs.go-version}}-${{inputs.python-version}}-${{inputs.dotnet-version}}
+  group: analyze-ref-input-${{github.ref}}-${{inputs.dotnet-version}}-${{inputs.go-version}}
 jobs:
  analyze-ref-input:
    strategy:
@@ -81,6 +71,15 @@ jobs:
    steps:
      - name: Check out repository
        uses: actions/checkout@v6
+      - name: Install .NET
+        uses: actions/setup-dotnet@v5
+        with:
+          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
+      - name: Install Go
+        uses: actions/setup-go@v6
+        with:
+          go-version: ${{ inputs.go-version || '>=1.21.0' }}
+          cache: false
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -88,20 +87,6 @@ jobs:
          version: ${{ matrix.version }}
          use-all-platform-bundle: 'false'
          setup-kotlin: 'true'
-      - name: Install Go
-        uses: actions/setup-go@v6
-        with:
-          go-version: ${{ inputs.go-version || '>=1.21.0' }}
-          cache: false
-      - name: Install Python
-        if: matrix.version != 'nightly-latest'
-        uses: actions/setup-python@v6
-        with:
-          python-version: ${{ inputs.python-version || '3.13' }}
-      - name: Install .NET
-        uses: actions/setup-dotnet@v5
-        with:
-          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - uses: ./../action/init
        with:
          tools: ${{ steps.prepare-test.outputs.tools-url }}
@@ -65,6 +65,10 @@ jobs:
    steps:
      - name: Check out repository
        uses: actions/checkout@v6
+      - name: Install .NET
+        uses: actions/setup-dotnet@v5
+        with:
+          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -72,10 +76,6 @@ jobs:
          version: ${{ matrix.version }}
          use-all-platform-bundle: 'false'
          setup-kotlin: 'true'
-      - name: Install .NET
-        uses: actions/setup-dotnet@v5
-        with:
-          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - uses: ./../action/init
        with:
          languages: csharp
@@ -67,6 +67,11 @@ jobs:
    steps:
      - name: Check out repository
        uses: actions/checkout@v6
+      - name: Install Java
+        uses: actions/setup-java@v5
+        with:
+          java-version: ${{ inputs.java-version || '17' }}
+          distribution: temurin
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -74,11 +79,6 @@ jobs:
          version: ${{ matrix.version }}
          use-all-platform-bundle: 'false'
          setup-kotlin: 'true'
-      - name: Install Java
-        uses: actions/setup-java@v5
-        with:
-          java-version: ${{ inputs.java-version || '17' }}
-          distribution: temurin
      - name: Test setup
        run: |
          # Make sure that Gradle build succeeds in autobuild-dir ...
@@ -67,13 +67,6 @@ jobs:
    steps:
      - name: Check out repository
        uses: actions/checkout@v6
-      - name: Prepare test
-        id: prepare-test
-        uses: ./.github/actions/prepare-test
-        with:
-          version: ${{ matrix.version }}
-          use-all-platform-bundle: 'false'
-          setup-kotlin: 'true'
      - name: Install Java
        uses: actions/setup-java@v5
        with:
@@ -87,6 +80,13 @@ jobs:
        run: |-
          gh release download --repo mikefarah/yq --pattern "yq_windows_amd64.exe" "$YQ_VERSION" -O "$YQ_PATH/yq.exe"
          echo "$YQ_PATH" >> "$GITHUB_PATH"
+      - name: Prepare test
+        id: prepare-test
+        uses: ./.github/actions/prepare-test
+        with:
+          version: ${{ matrix.version }}
+          use-all-platform-bundle: 'false'
+          setup-kotlin: 'true'
      - name: Set up Java test repo configuration
        run: |
          mv * .github ../action/tests/multi-language-repo/
@@ -25,34 +25,34 @@ on:
    - cron: '0 5 * * *'
  workflow_dispatch:
    inputs:
-      go-version:
-        type: string
-        description: The version of Go to install
-        required: false
-        default: '>=1.21.0'
      dotnet-version:
        type: string
        description: The version of .NET to install
        required: false
        default: 9.x
+      go-version:
+        type: string
+        description: The version of Go to install
+        required: false
+        default: '>=1.21.0'
  workflow_call:
    inputs:
-      go-version:
-        type: string
-        description: The version of Go to install
-        required: false
-        default: '>=1.21.0'
      dotnet-version:
        type: string
        description: The version of .NET to install
        required: false
        default: 9.x
+      go-version:
+        type: string
+        description: The version of Go to install
+        required: false
+        default: '>=1.21.0'
 defaults:
  run:
    shell: bash
 concurrency:
  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: build-mode-manual-${{github.ref}}-${{inputs.go-version}}-${{inputs.dotnet-version}}
+  group: build-mode-manual-${{github.ref}}-${{inputs.dotnet-version}}-${{inputs.go-version}}
 jobs:
  build-mode-manual:
    strategy:
@@ -71,6 +71,15 @@ jobs:
    steps:
      - name: Check out repository
        uses: actions/checkout@v6
+      - name: Install .NET
+        uses: actions/setup-dotnet@v5
+        with:
+          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
+      - name: Install Go
+        uses: actions/setup-go@v6
+        with:
+          go-version: ${{ inputs.go-version || '>=1.21.0' }}
+          cache: false
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -78,15 +87,6 @@ jobs:
          version: ${{ matrix.version }}
          use-all-platform-bundle: 'false'
          setup-kotlin: 'true'
-      - name: Install Go
-        uses: actions/setup-go@v6
-        with:
-          go-version: ${{ inputs.go-version || '>=1.21.0' }}
-          cache: false
-      - name: Install .NET
-        uses: actions/setup-dotnet@v5
-        with:
-          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - uses: ./../action/init
        id: init
        with:
@@ -39,10 +39,10 @@ jobs:
      fail-fast: false
      matrix:
        include:
-          - os: macos-latest
-            version: linked
          - os: ubuntu-latest
            version: linked
+          - os: macos-latest
+            version: linked
          - os: windows-latest
            version: linked
    name: 'Bundle: Caching checks'
@@ -39,10 +39,10 @@ jobs:
      fail-fast: false
      matrix:
        include:
-          - os: macos-latest
-            version: linked
          - os: ubuntu-latest
            version: linked
+          - os: macos-latest
+            version: linked
          - os: windows-latest
            version: linked
    name: 'Bundle: Zstandard checks'
@@ -25,34 +25,34 @@ on:
    - cron: '0 5 * * *'
  workflow_dispatch:
    inputs:
-      go-version:
-        type: string
-        description: The version of Go to install
-        required: false
-        default: '>=1.21.0'
      dotnet-version:
        type: string
        description: The version of .NET to install
        required: false
        default: 9.x
+      go-version:
+        type: string
+        description: The version of Go to install
+        required: false
+        default: '>=1.21.0'
  workflow_call:
    inputs:
-      go-version:
-        type: string
-        description: The version of Go to install
-        required: false
-        default: '>=1.21.0'
      dotnet-version:
        type: string
        description: The version of .NET to install
        required: false
        default: 9.x
+      go-version:
+        type: string
+        description: The version of Go to install
+        required: false
+        default: '>=1.21.0'
 defaults:
  run:
    shell: bash
 concurrency:
  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: export-file-baseline-information-${{github.ref}}-${{inputs.go-version}}-${{inputs.dotnet-version}}
+  group: export-file-baseline-information-${{github.ref}}-${{inputs.dotnet-version}}-${{inputs.go-version}}
 jobs:
  export-file-baseline-information:
    strategy:
@@ -75,6 +75,15 @@ jobs:
    steps:
      - name: Check out repository
        uses: actions/checkout@v6
+      - name: Install .NET
+        uses: actions/setup-dotnet@v5
+        with:
+          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
+      - name: Install Go
+        uses: actions/setup-go@v6
+        with:
+          go-version: ${{ inputs.go-version || '>=1.21.0' }}
+          cache: false
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -82,15 +91,6 @@ jobs:
          version: ${{ matrix.version }}
          use-all-platform-bundle: 'false'
          setup-kotlin: 'true'
-      - name: Install Go
-        uses: actions/setup-go@v6
-        with:
-          go-version: ${{ inputs.go-version || '>=1.21.0' }}
-          cache: false
-      - name: Install .NET
-        uses: actions/setup-dotnet@v5
-        with:
-          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - uses: ./../action/init
        id: init
        with:
@@ -25,34 +25,34 @@ on:
    - cron: '0 5 * * *'
  workflow_dispatch:
    inputs:
-      go-version:
-        type: string
-        description: The version of Go to install
-        required: false
-        default: '>=1.21.0'
      dotnet-version:
        type: string
        description: The version of .NET to install
        required: false
        default: 9.x
+      go-version:
+        type: string
+        description: The version of Go to install
+        required: false
+        default: '>=1.21.0'
  workflow_call:
    inputs:
-      go-version:
-        type: string
-        description: The version of Go to install
-        required: false
-        default: '>=1.21.0'
      dotnet-version:
        type: string
        description: The version of .NET to install
        required: false
        default: 9.x
+      go-version:
+        type: string
+        description: The version of Go to install
+        required: false
+        default: '>=1.21.0'
 defaults:
  run:
    shell: bash
 concurrency:
  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: go-custom-queries-${{github.ref}}-${{inputs.go-version}}-${{inputs.dotnet-version}}
+  group: go-custom-queries-${{github.ref}}-${{inputs.dotnet-version}}-${{inputs.go-version}}
 jobs:
  go-custom-queries:
    strategy:
@@ -73,6 +73,15 @@ jobs:
    steps:
      - name: Check out repository
        uses: actions/checkout@v6
+      - name: Install .NET
+        uses: actions/setup-dotnet@v5
+        with:
+          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
+      - name: Install Go
+        uses: actions/setup-go@v6
+        with:
+          go-version: ${{ inputs.go-version || '>=1.21.0' }}
+          cache: false
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -80,15 +89,6 @@ jobs:
          version: ${{ matrix.version }}
          use-all-platform-bundle: 'false'
          setup-kotlin: 'true'
-      - name: Install Go
-        uses: actions/setup-go@v6
-        with:
-          go-version: ${{ inputs.go-version || '>=1.21.0' }}
-          cache: false
-      - name: Install .NET
-        uses: actions/setup-dotnet@v5
-        with:
-          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - uses: ./../action/init
        with:
          languages: go
@@ -61,6 +61,11 @@ jobs:
    steps:
      - name: Check out repository
        uses: actions/checkout@v6
+      - name: Install Go
+        uses: actions/setup-go@v6
+        with:
+          go-version: ${{ inputs.go-version || '>=1.21.0' }}
+          cache: false
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -68,11 +73,6 @@ jobs:
          version: ${{ matrix.version }}
          use-all-platform-bundle: 'false'
          setup-kotlin: 'true'
-      - name: Install Go
-        uses: actions/setup-go@v6
-        with:
-          go-version: ${{ inputs.go-version || '>=1.21.0' }}
-          cache: false
      - uses: ./../action/init
        with:
          languages: go
@@ -61,6 +61,11 @@ jobs:
    steps:
      - name: Check out repository
        uses: actions/checkout@v6
+      - name: Install Go
+        uses: actions/setup-go@v6
+        with:
+          go-version: ${{ inputs.go-version || '>=1.21.0' }}
+          cache: false
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -68,11 +73,6 @@ jobs:
          version: ${{ matrix.version }}
          use-all-platform-bundle: 'false'
          setup-kotlin: 'true'
-      - name: Install Go
-        uses: actions/setup-go@v6
-        with:
-          go-version: ${{ inputs.go-version || '>=1.21.0' }}
-          cache: false
      - name: Remove `file` program
        run: |
          echo $(which file)
@@ -61,6 +61,11 @@ jobs:
    steps:
      - name: Check out repository
        uses: actions/checkout@v6
+      - name: Install Go
+        uses: actions/setup-go@v6
+        with:
+          go-version: ${{ inputs.go-version || '>=1.21.0' }}
+          cache: false
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -68,11 +73,6 @@ jobs:
          version: ${{ matrix.version }}
          use-all-platform-bundle: 'false'
          setup-kotlin: 'true'
-      - name: Install Go
-        uses: actions/setup-go@v6
-        with:
-          go-version: ${{ inputs.go-version || '>=1.21.0' }}
-          cache: false
      - uses: ./../action/init
        with:
          languages: go
@@ -51,32 +51,18 @@ jobs:
        include:
          - os: ubuntu-latest
            version: stable-v2.17.6
-          - os: macos-latest
-            version: stable-v2.17.6
          - os: ubuntu-latest
            version: stable-v2.18.4
-          - os: macos-latest
-            version: stable-v2.18.4
          - os: ubuntu-latest
            version: stable-v2.19.4
-          - os: macos-latest
-            version: stable-v2.19.4
          - os: ubuntu-latest
            version: stable-v2.20.7
-          - os: macos-latest
-            version: stable-v2.20.7
          - os: ubuntu-latest
            version: stable-v2.21.4
-          - os: macos-latest
-            version: stable-v2.21.4
          - os: ubuntu-latest
            version: stable-v2.22.4
-          - os: macos-latest
-            version: stable-v2.22.4
          - os: ubuntu-latest
            version: default
-          - os: macos-latest
-            version: default
          - os: ubuntu-latest
            version: linked
          - os: macos-latest
@@ -95,6 +81,11 @@ jobs:
    steps:
      - name: Check out repository
        uses: actions/checkout@v6
+      - name: Install Go
+        uses: actions/setup-go@v6
+        with:
+          go-version: ${{ inputs.go-version || '>=1.21.0' }}
+          cache: false
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -102,11 +93,6 @@ jobs:
          version: ${{ matrix.version }}
          use-all-platform-bundle: 'false'
          setup-kotlin: 'true'
-      - name: Install Go
-        uses: actions/setup-go@v6
-        with:
-          go-version: ${{ inputs.go-version || '>=1.21.0' }}
-          cache: false
      - uses: ./../action/init
        with:
          languages: go
@@ -51,32 +51,18 @@ jobs:
        include:
          - os: ubuntu-latest
            version: stable-v2.17.6
-          - os: macos-latest
-            version: stable-v2.17.6
          - os: ubuntu-latest
            version: stable-v2.18.4
-          - os: macos-latest
-            version: stable-v2.18.4
          - os: ubuntu-latest
            version: stable-v2.19.4
-          - os: macos-latest
-            version: stable-v2.19.4
          - os: ubuntu-latest
            version: stable-v2.20.7
-          - os: macos-latest
-            version: stable-v2.20.7
          - os: ubuntu-latest
            version: stable-v2.21.4
-          - os: macos-latest
-            version: stable-v2.21.4
          - os: ubuntu-latest
            version: stable-v2.22.4
-          - os: macos-latest
-            version: stable-v2.22.4
          - os: ubuntu-latest
            version: default
-          - os: macos-latest
-            version: default
          - os: ubuntu-latest
            version: linked
          - os: macos-latest
@@ -95,6 +81,11 @@ jobs:
    steps:
      - name: Check out repository
        uses: actions/checkout@v6
+      - name: Install Go
+        uses: actions/setup-go@v6
+        with:
+          go-version: ${{ inputs.go-version || '>=1.21.0' }}
+          cache: false
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -102,11 +93,6 @@ jobs:
          version: ${{ matrix.version }}
          use-all-platform-bundle: 'false'
          setup-kotlin: 'true'
-      - name: Install Go
-        uses: actions/setup-go@v6
-        with:
-          go-version: ${{ inputs.go-version || '>=1.21.0' }}
-          cache: false
      - uses: ./../action/init
        with:
          languages: go
@@ -51,32 +51,18 @@ jobs:
        include:
          - os: ubuntu-latest
            version: stable-v2.17.6
-          - os: macos-latest
-            version: stable-v2.17.6
          - os: ubuntu-latest
            version: stable-v2.18.4
-          - os: macos-latest
-            version: stable-v2.18.4
          - os: ubuntu-latest
            version: stable-v2.19.4
-          - os: macos-latest
-            version: stable-v2.19.4
          - os: ubuntu-latest
            version: stable-v2.20.7
-          - os: macos-latest
-            version: stable-v2.20.7
          - os: ubuntu-latest
            version: stable-v2.21.4
-          - os: macos-latest
-            version: stable-v2.21.4
          - os: ubuntu-latest
            version: stable-v2.22.4
-          - os: macos-latest
-            version: stable-v2.22.4
          - os: ubuntu-latest
            version: default
-          - os: macos-latest
-            version: default
          - os: ubuntu-latest
            version: linked
          - os: macos-latest
@@ -95,6 +81,11 @@ jobs:
    steps:
      - name: Check out repository
        uses: actions/checkout@v6
+      - name: Install Go
+        uses: actions/setup-go@v6
+        with:
+          go-version: ${{ inputs.go-version || '>=1.21.0' }}
+          cache: false
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -102,11 +93,6 @@ jobs:
          version: ${{ matrix.version }}
          use-all-platform-bundle: 'false'
          setup-kotlin: 'true'
-      - name: Install Go
-        uses: actions/setup-go@v6
-        with:
-          go-version: ${{ inputs.go-version || '>=1.21.0' }}
-          cache: false
      - uses: ./../action/init
        with:
          languages: go
@@ -10,16 +10,16 @@ env:
 on:
  workflow_dispatch:
    inputs:
-      go-version:
-        type: string
-        description: The version of Go to install
-        required: false
-        default: '>=1.21.0'
      dotnet-version:
        type: string
        description: The version of .NET to install
        required: false
        default: 9.x
+      go-version:
+        type: string
+        description: The version of Go to install
+        required: false
+        default: '>=1.21.0'
 jobs:
  go-custom-queries:
    name: 'Go: Custom queries'
@@ -28,8 +28,8 @@ jobs:
      security-events: read
    uses: ./.github/workflows/__go-custom-queries.yml
    with:
-      go-version: ${{ inputs.go-version }}
      dotnet-version: ${{ inputs.dotnet-version }}
+      go-version: ${{ inputs.go-version }}
  go-indirect-tracing-workaround-diagnostic:
    name: 'Go: diagnostic when Go is changed after init step'
    permissions:
@@ -25,44 +25,34 @@ on:
    - cron: '0 5 * * *'
  workflow_dispatch:
    inputs:
-      go-version:
-        type: string
-        description: The version of Go to install
-        required: false
-        default: '>=1.21.0'
-      python-version:
-        type: string
-        description: The version of Python to install
-        required: false
-        default: '3.13'
      dotnet-version:
        type: string
        description: The version of .NET to install
        required: false
        default: 9.x
+      go-version:
+        type: string
+        description: The version of Go to install
+        required: false
+        default: '>=1.21.0'
  workflow_call:
    inputs:
-      go-version:
-        type: string
-        description: The version of Go to install
-        required: false
-        default: '>=1.21.0'
-      python-version:
-        type: string
-        description: The version of Python to install
-        required: false
-        default: '3.13'
      dotnet-version:
        type: string
        description: The version of .NET to install
        required: false
        default: 9.x
+      go-version:
+        type: string
+        description: The version of Go to install
+        required: false
+        default: '>=1.21.0'
 defaults:
  run:
    shell: bash
 concurrency:
  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: local-bundle-${{github.ref}}-${{inputs.go-version}}-${{inputs.python-version}}-${{inputs.dotnet-version}}
+  group: local-bundle-${{github.ref}}-${{inputs.dotnet-version}}-${{inputs.go-version}}
 jobs:
  local-bundle:
    strategy:
@@ -81,6 +71,15 @@ jobs:
    steps:
      - name: Check out repository
        uses: actions/checkout@v6
+      - name: Install .NET
+        uses: actions/setup-dotnet@v5
+        with:
+          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
+      - name: Install Go
+        uses: actions/setup-go@v6
+        with:
+          go-version: ${{ inputs.go-version || '>=1.21.0' }}
+          cache: false
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -88,20 +87,6 @@ jobs:
          version: ${{ matrix.version }}
          use-all-platform-bundle: 'false'
          setup-kotlin: 'true'
-      - name: Install Go
-        uses: actions/setup-go@v6
-        with:
-          go-version: ${{ inputs.go-version || '>=1.21.0' }}
-          cache: false
-      - name: Install Python
-        if: matrix.version != 'nightly-latest'
-        uses: actions/setup-python@v6
-        with:
-          python-version: ${{ inputs.python-version || '3.13' }}
-      - name: Install .NET
-        uses: actions/setup-dotnet@v5
-        with:
-          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - name: Fetch latest CodeQL bundle
        run: |
          wget https://github.com/github/codeql-action/releases/latest/download/codeql-bundle-linux64.tar.zst
@@ -25,85 +25,75 @@ on:
    - cron: '0 5 * * *'
  workflow_dispatch:
    inputs:
-      go-version:
-        type: string
-        description: The version of Go to install
-        required: false
-        default: '>=1.21.0'
-      python-version:
-        type: string
-        description: The version of Python to install
-        required: false
-        default: '3.13'
      dotnet-version:
        type: string
        description: The version of .NET to install
        required: false
        default: 9.x
+      go-version:
+        type: string
+        description: The version of Go to install
+        required: false
+        default: '>=1.21.0'
  workflow_call:
    inputs:
-      go-version:
-        type: string
-        description: The version of Go to install
-        required: false
-        default: '>=1.21.0'
-      python-version:
-        type: string
-        description: The version of Python to install
-        required: false
-        default: '3.13'
      dotnet-version:
        type: string
        description: The version of .NET to install
        required: false
        default: 9.x
+      go-version:
+        type: string
+        description: The version of Go to install
+        required: false
+        default: '>=1.21.0'
 defaults:
  run:
    shell: bash
 concurrency:
  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: multi-language-autodetect-${{github.ref}}-${{inputs.go-version}}-${{inputs.python-version}}-${{inputs.dotnet-version}}
+  group: multi-language-autodetect-${{github.ref}}-${{inputs.dotnet-version}}-${{inputs.go-version}}
 jobs:
  multi-language-autodetect:
    strategy:
      fail-fast: false
      matrix:
        include:
-          - os: macos-latest
-            version: stable-v2.17.6
          - os: ubuntu-latest
            version: stable-v2.17.6
          - os: macos-latest
-            version: stable-v2.18.4
+            version: stable-v2.17.6
          - os: ubuntu-latest
            version: stable-v2.18.4
          - os: macos-latest
-            version: stable-v2.19.4
+            version: stable-v2.18.4
          - os: ubuntu-latest
            version: stable-v2.19.4
          - os: macos-latest
-            version: stable-v2.20.7
+            version: stable-v2.19.4
          - os: ubuntu-latest
            version: stable-v2.20.7
          - os: macos-latest
-            version: stable-v2.21.4
+            version: stable-v2.20.7
          - os: ubuntu-latest
            version: stable-v2.21.4
          - os: macos-latest
-            version: stable-v2.22.4
+            version: stable-v2.21.4
          - os: ubuntu-latest
            version: stable-v2.22.4
          - os: macos-latest
-            version: default
+            version: stable-v2.22.4
          - os: ubuntu-latest
            version: default
          - os: macos-latest
-            version: linked
+            version: default
          - os: ubuntu-latest
            version: linked
          - os: macos-latest
+            version: linked
+          - os: ubuntu-latest
            version: nightly-latest
-          - os: ubuntu-latest
+          - os: macos-latest
            version: nightly-latest
    name: Multi-language repository
    if: github.triggering_actor != 'dependabot[bot]'
@@ -115,6 +105,15 @@ jobs:
    steps:
      - name: Check out repository
        uses: actions/checkout@v6
+      - name: Install .NET
+        uses: actions/setup-dotnet@v5
+        with:
+          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
+      - name: Install Go
+        uses: actions/setup-go@v6
+        with:
+          go-version: ${{ inputs.go-version || '>=1.21.0' }}
+          cache: false
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -122,20 +121,14 @@ jobs:
          version: ${{ matrix.version }}
          use-all-platform-bundle: 'false'
          setup-kotlin: 'true'
-      - name: Install Go
-        uses: actions/setup-go@v6
-        with:
-          go-version: ${{ inputs.go-version || '>=1.21.0' }}
-          cache: false
-      - name: Install Python
-        if: matrix.version != 'nightly-latest'
+      - name: Install Python 3.13 for older CLI versions
+        # We need Python 3.13 for older CLI versions because they are not compatible with Python 3.14 or newer.
+        # See https://github.com/github/codeql-action/pull/3212
+        if: matrix.version != 'nightly-latest' && matrix.version != 'linked'
        uses: actions/setup-python@v6
        with:
-          python-version: ${{ inputs.python-version || '3.13' }}
-      - name: Install .NET
-        uses: actions/setup-dotnet@v5
-        with:
-          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
+          python-version: '3.13'
+
      - name: Use Xcode 16
        if: runner.os == 'macOS' && matrix.version != 'nightly-latest'
        run: sudo xcode-select -s "/Applications/Xcode_16.app"
@@ -25,44 +25,34 @@ on:
    - cron: '0 5 * * *'
  workflow_dispatch:
    inputs:
-      go-version:
-        type: string
-        description: The version of Go to install
-        required: false
-        default: '>=1.21.0'
-      python-version:
-        type: string
-        description: The version of Python to install
-        required: false
-        default: '3.13'
      dotnet-version:
        type: string
        description: The version of .NET to install
        required: false
        default: 9.x
+      go-version:
+        type: string
+        description: The version of Go to install
+        required: false
+        default: '>=1.21.0'
  workflow_call:
    inputs:
-      go-version:
-        type: string
-        description: The version of Go to install
-        required: false
-        default: '>=1.21.0'
-      python-version:
-        type: string
-        description: The version of Python to install
-        required: false
-        default: '3.13'
      dotnet-version:
        type: string
        description: The version of .NET to install
        required: false
        default: 9.x
+      go-version:
+        type: string
+        description: The version of Go to install
+        required: false
+        default: '>=1.21.0'
 defaults:
  run:
    shell: bash
 concurrency:
  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: packaging-codescanning-config-inputs-js-${{github.ref}}-${{inputs.go-version}}-${{inputs.python-version}}-${{inputs.dotnet-version}}
+  group: packaging-codescanning-config-inputs-js-${{github.ref}}-${{inputs.dotnet-version}}-${{inputs.go-version}}
 jobs:
  packaging-codescanning-config-inputs-js:
    strategy:
@@ -85,6 +75,15 @@ jobs:
    steps:
      - name: Check out repository
        uses: actions/checkout@v6
+      - name: Install .NET
+        uses: actions/setup-dotnet@v5
+        with:
+          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
+      - name: Install Go
+        uses: actions/setup-go@v6
+        with:
+          go-version: ${{ inputs.go-version || '>=1.21.0' }}
+          cache: false
      - name: Install Node.js
        uses: actions/setup-node@v6
        with:
@@ -99,20 +98,6 @@ jobs:
          version: ${{ matrix.version }}
          use-all-platform-bundle: 'false'
          setup-kotlin: 'true'
-      - name: Install Go
-        uses: actions/setup-go@v6
-        with:
-          go-version: ${{ inputs.go-version || '>=1.21.0' }}
-          cache: false
-      - name: Install Python
-        if: matrix.version != 'nightly-latest'
-        uses: actions/setup-python@v6
-        with:
-          python-version: ${{ inputs.python-version || '3.13' }}
-      - name: Install .NET
-        uses: actions/setup-dotnet@v5
-        with:
-          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - uses: ./../action/init
        with:
          config-file: '.github/codeql/codeql-config-packaging3.yml'
@@ -25,34 +25,34 @@ on:
    - cron: '0 5 * * *'
  workflow_dispatch:
    inputs:
-      go-version:
-        type: string
-        description: The version of Go to install
-        required: false
-        default: '>=1.21.0'
      dotnet-version:
        type: string
        description: The version of .NET to install
        required: false
        default: 9.x
+      go-version:
+        type: string
+        description: The version of Go to install
+        required: false
+        default: '>=1.21.0'
  workflow_call:
    inputs:
-      go-version:
-        type: string
-        description: The version of Go to install
-        required: false
-        default: '>=1.21.0'
      dotnet-version:
        type: string
        description: The version of .NET to install
        required: false
        default: 9.x
+      go-version:
+        type: string
+        description: The version of Go to install
+        required: false
+        default: '>=1.21.0'
 defaults:
  run:
    shell: bash
 concurrency:
  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: packaging-config-inputs-js-${{github.ref}}-${{inputs.go-version}}-${{inputs.dotnet-version}}
+  group: packaging-config-inputs-js-${{github.ref}}-${{inputs.dotnet-version}}-${{inputs.go-version}}
 jobs:
  packaging-config-inputs-js:
    strategy:
@@ -75,6 +75,15 @@ jobs:
    steps:
      - name: Check out repository
        uses: actions/checkout@v6
+      - name: Install .NET
+        uses: actions/setup-dotnet@v5
+        with:
+          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
+      - name: Install Go
+        uses: actions/setup-go@v6
+        with:
+          go-version: ${{ inputs.go-version || '>=1.21.0' }}
+          cache: false
      - name: Install Node.js
        uses: actions/setup-node@v6
        with:
@@ -89,15 +98,6 @@ jobs:
          version: ${{ matrix.version }}
          use-all-platform-bundle: 'false'
          setup-kotlin: 'true'
-      - name: Install Go
-        uses: actions/setup-go@v6
-        with:
-          go-version: ${{ inputs.go-version || '>=1.21.0' }}
-          cache: false
-      - name: Install .NET
-        uses: actions/setup-dotnet@v5
-        with:
-          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - uses: ./../action/init
        with:
          config-file: '.github/codeql/codeql-config-packaging3.yml'
@@ -25,34 +25,34 @@ on:
    - cron: '0 5 * * *'
  workflow_dispatch:
    inputs:
-      go-version:
-        type: string
-        description: The version of Go to install
-        required: false
-        default: '>=1.21.0'
      dotnet-version:
        type: string
        description: The version of .NET to install
        required: false
        default: 9.x
+      go-version:
+        type: string
+        description: The version of Go to install
+        required: false
+        default: '>=1.21.0'
  workflow_call:
    inputs:
-      go-version:
-        type: string
-        description: The version of Go to install
-        required: false
-        default: '>=1.21.0'
      dotnet-version:
        type: string
        description: The version of .NET to install
        required: false
        default: 9.x
+      go-version:
+        type: string
+        description: The version of Go to install
+        required: false
+        default: '>=1.21.0'
 defaults:
  run:
    shell: bash
 concurrency:
  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: packaging-config-js-${{github.ref}}-${{inputs.go-version}}-${{inputs.dotnet-version}}
+  group: packaging-config-js-${{github.ref}}-${{inputs.dotnet-version}}-${{inputs.go-version}}
 jobs:
  packaging-config-js:
    strategy:
@@ -75,6 +75,15 @@ jobs:
    steps:
      - name: Check out repository
        uses: actions/checkout@v6
+      - name: Install .NET
+        uses: actions/setup-dotnet@v5
+        with:
+          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
+      - name: Install Go
+        uses: actions/setup-go@v6
+        with:
+          go-version: ${{ inputs.go-version || '>=1.21.0' }}
+          cache: false
      - name: Install Node.js
        uses: actions/setup-node@v6
        with:
@@ -89,15 +98,6 @@ jobs:
          version: ${{ matrix.version }}
          use-all-platform-bundle: 'false'
          setup-kotlin: 'true'
-      - name: Install Go
-        uses: actions/setup-go@v6
-        with:
-          go-version: ${{ inputs.go-version || '>=1.21.0' }}
-          cache: false
-      - name: Install .NET
-        uses: actions/setup-dotnet@v5
-        with:
-          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - uses: ./../action/init
        with:
          config-file: '.github/codeql/codeql-config-packaging.yml'
@@ -25,34 +25,34 @@ on:
    - cron: '0 5 * * *'
  workflow_dispatch:
    inputs:
-      go-version:
-        type: string
-        description: The version of Go to install
-        required: false
-        default: '>=1.21.0'
      dotnet-version:
        type: string
        description: The version of .NET to install
        required: false
        default: 9.x
+      go-version:
+        type: string
+        description: The version of Go to install
+        required: false
+        default: '>=1.21.0'
  workflow_call:
    inputs:
-      go-version:
-        type: string
-        description: The version of Go to install
-        required: false
-        default: '>=1.21.0'
      dotnet-version:
        type: string
        description: The version of .NET to install
        required: false
        default: 9.x
+      go-version:
+        type: string
+        description: The version of Go to install
+        required: false
+        default: '>=1.21.0'
 defaults:
  run:
    shell: bash
 concurrency:
  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: packaging-inputs-js-${{github.ref}}-${{inputs.go-version}}-${{inputs.dotnet-version}}
+  group: packaging-inputs-js-${{github.ref}}-${{inputs.dotnet-version}}-${{inputs.go-version}}
 jobs:
  packaging-inputs-js:
    strategy:
@@ -75,6 +75,15 @@ jobs:
    steps:
      - name: Check out repository
        uses: actions/checkout@v6
+      - name: Install .NET
+        uses: actions/setup-dotnet@v5
+        with:
+          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
+      - name: Install Go
+        uses: actions/setup-go@v6
+        with:
+          go-version: ${{ inputs.go-version || '>=1.21.0' }}
+          cache: false
      - name: Install Node.js
        uses: actions/setup-node@v6
        with:
@@ -89,15 +98,6 @@ jobs:
          version: ${{ matrix.version }}
          use-all-platform-bundle: 'false'
          setup-kotlin: 'true'
-      - name: Install Go
-        uses: actions/setup-go@v6
-        with:
-          go-version: ${{ inputs.go-version || '>=1.21.0' }}
-          cache: false
-      - name: Install .NET
-        uses: actions/setup-dotnet@v5
-        with:
-          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - uses: ./../action/init
        with:
          config-file: '.github/codeql/codeql-config-packaging2.yml'
@@ -25,44 +25,34 @@ on:
    - cron: '0 5 * * *'
  workflow_dispatch:
    inputs:
-      go-version:
-        type: string
-        description: The version of Go to install
-        required: false
-        default: '>=1.21.0'
-      python-version:
-        type: string
-        description: The version of Python to install
-        required: false
-        default: '3.13'
      dotnet-version:
        type: string
        description: The version of .NET to install
        required: false
        default: 9.x
+      go-version:
+        type: string
+        description: The version of Go to install
+        required: false
+        default: '>=1.21.0'
  workflow_call:
    inputs:
-      go-version:
-        type: string
-        description: The version of Go to install
-        required: false
-        default: '>=1.21.0'
-      python-version:
-        type: string
-        description: The version of Python to install
-        required: false
-        default: '3.13'
      dotnet-version:
        type: string
        description: The version of .NET to install
        required: false
        default: 9.x
+      go-version:
+        type: string
+        description: The version of Go to install
+        required: false
+        default: '>=1.21.0'
 defaults:
  run:
    shell: bash
 concurrency:
  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: remote-config-${{github.ref}}-${{inputs.go-version}}-${{inputs.python-version}}-${{inputs.dotnet-version}}
+  group: remote-config-${{github.ref}}-${{inputs.dotnet-version}}-${{inputs.go-version}}
 jobs:
  remote-config:
    strategy:
@@ -83,6 +73,15 @@ jobs:
    steps:
      - name: Check out repository
        uses: actions/checkout@v6
+      - name: Install .NET
+        uses: actions/setup-dotnet@v5
+        with:
+          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
+      - name: Install Go
+        uses: actions/setup-go@v6
+        with:
+          go-version: ${{ inputs.go-version || '>=1.21.0' }}
+          cache: false
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -90,20 +89,6 @@ jobs:
          version: ${{ matrix.version }}
          use-all-platform-bundle: 'false'
          setup-kotlin: 'true'
-      - name: Install Go
-        uses: actions/setup-go@v6
-        with:
-          go-version: ${{ inputs.go-version || '>=1.21.0' }}
-          cache: false
-      - name: Install Python
-        if: matrix.version != 'nightly-latest'
-        uses: actions/setup-python@v6
-        with:
-          python-version: ${{ inputs.python-version || '3.13' }}
-      - name: Install .NET
-        uses: actions/setup-dotnet@v5
-        with:
-          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - uses: ./../action/init
        with:
          tools: ${{ steps.prepare-test.outputs.tools-url }}
@@ -39,10 +39,10 @@ jobs:
      fail-fast: false
      matrix:
        include:
-          - os: ubuntu-latest
-            version: default
          - os: ubuntu-latest
            version: linked
+          - os: ubuntu-latest
+            version: default
          - os: ubuntu-latest
            version: nightly-latest
    name: Resolve environment
@@ -25,34 +25,34 @@ on:
    - cron: '0 5 * * *'
  workflow_dispatch:
    inputs:
-      go-version:
-        type: string
-        description: The version of Go to install
-        required: false
-        default: '>=1.21.0'
      dotnet-version:
        type: string
        description: The version of .NET to install
        required: false
        default: 9.x
+      go-version:
+        type: string
+        description: The version of Go to install
+        required: false
+        default: '>=1.21.0'
  workflow_call:
    inputs:
-      go-version:
-        type: string
-        description: The version of Go to install
-        required: false
-        default: '>=1.21.0'
      dotnet-version:
        type: string
        description: The version of .NET to install
        required: false
        default: 9.x
+      go-version:
+        type: string
+        description: The version of Go to install
+        required: false
+        default: '>=1.21.0'
 defaults:
  run:
    shell: bash
 concurrency:
  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: split-workflow-${{github.ref}}-${{inputs.go-version}}-${{inputs.dotnet-version}}
+  group: split-workflow-${{github.ref}}-${{inputs.dotnet-version}}-${{inputs.go-version}}
 jobs:
  split-workflow:
    strategy:
@@ -81,6 +81,15 @@ jobs:
    steps:
      - name: Check out repository
        uses: actions/checkout@v6
+      - name: Install .NET
+        uses: actions/setup-dotnet@v5
+        with:
+          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
+      - name: Install Go
+        uses: actions/setup-go@v6
+        with:
+          go-version: ${{ inputs.go-version || '>=1.21.0' }}
+          cache: false
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -88,15 +97,6 @@ jobs:
          version: ${{ matrix.version }}
          use-all-platform-bundle: 'false'
          setup-kotlin: 'true'
-      - name: Install Go
-        uses: actions/setup-go@v6
-        with:
-          go-version: ${{ inputs.go-version || '>=1.21.0' }}
-          cache: false
-      - name: Install .NET
-        uses: actions/setup-dotnet@v5
-        with:
-          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - uses: ./../action/init
        with:
          config-file: '.github/codeql/codeql-config-packaging3.yml'
@@ -25,34 +25,34 @@ on:
    - cron: '0 5 * * *'
  workflow_dispatch:
    inputs:
-      go-version:
-        type: string
-        description: The version of Go to install
-        required: false
-        default: '>=1.21.0'
      dotnet-version:
        type: string
        description: The version of .NET to install
        required: false
        default: 9.x
+      go-version:
+        type: string
+        description: The version of Go to install
+        required: false
+        default: '>=1.21.0'
  workflow_call:
    inputs:
-      go-version:
-        type: string
-        description: The version of Go to install
-        required: false
-        default: '>=1.21.0'
      dotnet-version:
        type: string
        description: The version of .NET to install
        required: false
        default: 9.x
+      go-version:
+        type: string
+        description: The version of Go to install
+        required: false
+        default: '>=1.21.0'
 defaults:
  run:
    shell: bash
 concurrency:
  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: swift-custom-build-${{github.ref}}-${{inputs.go-version}}-${{inputs.dotnet-version}}
+  group: swift-custom-build-${{github.ref}}-${{inputs.dotnet-version}}-${{inputs.go-version}}
 jobs:
  swift-custom-build:
    strategy:
@@ -75,6 +75,15 @@ jobs:
    steps:
      - name: Check out repository
        uses: actions/checkout@v6
+      - name: Install .NET
+        uses: actions/setup-dotnet@v5
+        with:
+          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
+      - name: Install Go
+        uses: actions/setup-go@v6
+        with:
+          go-version: ${{ inputs.go-version || '>=1.21.0' }}
+          cache: false
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -82,15 +91,6 @@ jobs:
          version: ${{ matrix.version }}
          use-all-platform-bundle: 'false'
          setup-kotlin: 'true'
-      - name: Install Go
-        uses: actions/setup-go@v6
-        with:
-          go-version: ${{ inputs.go-version || '>=1.21.0' }}
-          cache: false
-      - name: Install .NET
-        uses: actions/setup-dotnet@v5
-        with:
-          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - name: Use Xcode 16
        if: runner.os == 'macOS' && matrix.version != 'nightly-latest'
        run: sudo xcode-select -s "/Applications/Xcode_16.app"
@@ -25,44 +25,34 @@ on:
    - cron: '0 5 * * *'
  workflow_dispatch:
    inputs:
-      go-version:
-        type: string
-        description: The version of Go to install
-        required: false
-        default: '>=1.21.0'
-      python-version:
-        type: string
-        description: The version of Python to install
-        required: false
-        default: '3.13'
      dotnet-version:
        type: string
        description: The version of .NET to install
        required: false
        default: 9.x
+      go-version:
+        type: string
+        description: The version of Go to install
+        required: false
+        default: '>=1.21.0'
  workflow_call:
    inputs:
-      go-version:
-        type: string
-        description: The version of Go to install
-        required: false
-        default: '>=1.21.0'
-      python-version:
-        type: string
-        description: The version of Python to install
-        required: false
-        default: '3.13'
      dotnet-version:
        type: string
        description: The version of .NET to install
        required: false
        default: 9.x
+      go-version:
+        type: string
+        description: The version of Go to install
+        required: false
+        default: '>=1.21.0'
 defaults:
  run:
    shell: bash
 concurrency:
  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: unset-environment-${{github.ref}}-${{inputs.go-version}}-${{inputs.python-version}}-${{inputs.dotnet-version}}
+  group: unset-environment-${{github.ref}}-${{inputs.dotnet-version}}-${{inputs.go-version}}
 jobs:
  unset-environment:
    strategy:
@@ -83,6 +73,15 @@ jobs:
    steps:
      - name: Check out repository
        uses: actions/checkout@v6
+      - name: Install .NET
+        uses: actions/setup-dotnet@v5
+        with:
+          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
+      - name: Install Go
+        uses: actions/setup-go@v6
+        with:
+          go-version: ${{ inputs.go-version || '>=1.21.0' }}
+          cache: false
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -90,20 +89,6 @@ jobs:
          version: ${{ matrix.version }}
          use-all-platform-bundle: 'false'
          setup-kotlin: 'true'
-      - name: Install Go
-        uses: actions/setup-go@v6
-        with:
-          go-version: ${{ inputs.go-version || '>=1.21.0' }}
-          cache: false
-      - name: Install Python
-        if: matrix.version != 'nightly-latest'
-        uses: actions/setup-python@v6
-        with:
-          python-version: ${{ inputs.python-version || '3.13' }}
-      - name: Install .NET
-        uses: actions/setup-dotnet@v5
-        with:
-          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - uses: ./../action/init
        id: init
        with:
@@ -25,44 +25,34 @@ on:
    - cron: '0 5 * * *'
  workflow_dispatch:
    inputs:
-      go-version:
-        type: string
-        description: The version of Go to install
-        required: false
-        default: '>=1.21.0'
-      python-version:
-        type: string
-        description: The version of Python to install
-        required: false
-        default: '3.13'
      dotnet-version:
        type: string
        description: The version of .NET to install
        required: false
        default: 9.x
+      go-version:
+        type: string
+        description: The version of Go to install
+        required: false
+        default: '>=1.21.0'
  workflow_call:
    inputs:
-      go-version:
-        type: string
-        description: The version of Go to install
-        required: false
-        default: '>=1.21.0'
-      python-version:
-        type: string
-        description: The version of Python to install
-        required: false
-        default: '3.13'
      dotnet-version:
        type: string
        description: The version of .NET to install
        required: false
        default: 9.x
+      go-version:
+        type: string
+        description: The version of Go to install
+        required: false
+        default: '>=1.21.0'
 defaults:
  run:
    shell: bash
 concurrency:
  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: upload-ref-sha-input-${{github.ref}}-${{inputs.go-version}}-${{inputs.python-version}}-${{inputs.dotnet-version}}
+  group: upload-ref-sha-input-${{github.ref}}-${{inputs.dotnet-version}}-${{inputs.go-version}}
 jobs:
  upload-ref-sha-input:
    strategy:
@@ -81,6 +71,15 @@ jobs:
    steps:
      - name: Check out repository
        uses: actions/checkout@v6
+      - name: Install .NET
+        uses: actions/setup-dotnet@v5
+        with:
+          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
+      - name: Install Go
+        uses: actions/setup-go@v6
+        with:
+          go-version: ${{ inputs.go-version || '>=1.21.0' }}
+          cache: false
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -88,20 +87,6 @@ jobs:
          version: ${{ matrix.version }}
          use-all-platform-bundle: 'false'
          setup-kotlin: 'true'
-      - name: Install Go
-        uses: actions/setup-go@v6
-        with:
-          go-version: ${{ inputs.go-version || '>=1.21.0' }}
-          cache: false
-      - name: Install Python
-        if: matrix.version != 'nightly-latest'
-        uses: actions/setup-python@v6
-        with:
-          python-version: ${{ inputs.python-version || '3.13' }}
-      - name: Install .NET
-        uses: actions/setup-dotnet@v5
-        with:
-          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - uses: ./../action/init
        with:
          tools: ${{ steps.prepare-test.outputs.tools-url }}
@@ -25,44 +25,34 @@ on:
    - cron: '0 5 * * *'
  workflow_dispatch:
    inputs:
-      go-version:
-        type: string
-        description: The version of Go to install
-        required: false
-        default: '>=1.21.0'
-      python-version:
-        type: string
-        description: The version of Python to install
-        required: false
-        default: '3.13'
      dotnet-version:
        type: string
        description: The version of .NET to install
        required: false
        default: 9.x
+      go-version:
+        type: string
+        description: The version of Go to install
+        required: false
+        default: '>=1.21.0'
  workflow_call:
    inputs:
-      go-version:
-        type: string
-        description: The version of Go to install
-        required: false
-        default: '>=1.21.0'
-      python-version:
-        type: string
-        description: The version of Python to install
-        required: false
-        default: '3.13'
      dotnet-version:
        type: string
        description: The version of .NET to install
        required: false
        default: 9.x
+      go-version:
+        type: string
+        description: The version of Go to install
+        required: false
+        default: '>=1.21.0'
 defaults:
  run:
    shell: bash
 concurrency:
  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: upload-sarif-${{github.ref}}-${{inputs.go-version}}-${{inputs.python-version}}-${{inputs.dotnet-version}}
+  group: upload-sarif-${{github.ref}}-${{inputs.dotnet-version}}-${{inputs.go-version}}
 jobs:
  upload-sarif:
    strategy:
@@ -88,6 +78,15 @@ jobs:
    steps:
      - name: Check out repository
        uses: actions/checkout@v6
+      - name: Install .NET
+        uses: actions/setup-dotnet@v5
+        with:
+          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
+      - name: Install Go
+        uses: actions/setup-go@v6
+        with:
+          go-version: ${{ inputs.go-version || '>=1.21.0' }}
+          cache: false
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -95,20 +94,6 @@ jobs:
          version: ${{ matrix.version }}
          use-all-platform-bundle: 'false'
          setup-kotlin: 'true'
-      - name: Install Go
-        uses: actions/setup-go@v6
-        with:
-          go-version: ${{ inputs.go-version || '>=1.21.0' }}
-          cache: false
-      - name: Install Python
-        if: matrix.version != 'nightly-latest'
-        uses: actions/setup-python@v6
-        with:
-          python-version: ${{ inputs.python-version || '3.13' }}
-      - name: Install .NET
-        uses: actions/setup-dotnet@v5
-        with:
-          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - uses: ./../action/init
        with:
          tools: ${{ steps.prepare-test.outputs.tools-url }}
@@ -25,44 +25,34 @@ on:
    - cron: '0 5 * * *'
  workflow_dispatch:
    inputs:
-      go-version:
-        type: string
-        description: The version of Go to install
-        required: false
-        default: '>=1.21.0'
-      python-version:
-        type: string
-        description: The version of Python to install
-        required: false
-        default: '3.13'
      dotnet-version:
        type: string
        description: The version of .NET to install
        required: false
        default: 9.x
+      go-version:
+        type: string
+        description: The version of Go to install
+        required: false
+        default: '>=1.21.0'
  workflow_call:
    inputs:
-      go-version:
-        type: string
-        description: The version of Go to install
-        required: false
-        default: '>=1.21.0'
-      python-version:
-        type: string
-        description: The version of Python to install
-        required: false
-        default: '3.13'
      dotnet-version:
        type: string
        description: The version of .NET to install
        required: false
        default: 9.x
+      go-version:
+        type: string
+        description: The version of Go to install
+        required: false
+        default: '>=1.21.0'
 defaults:
  run:
    shell: bash
 concurrency:
  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: with-checkout-path-${{github.ref}}-${{inputs.go-version}}-${{inputs.python-version}}-${{inputs.dotnet-version}}
+  group: with-checkout-path-${{github.ref}}-${{inputs.dotnet-version}}-${{inputs.go-version}}
 jobs:
  with-checkout-path:
    strategy:
@@ -82,6 +72,15 @@ jobs:
      # This ensures we don't accidentally use the original checkout for any part of the test.
      - name: Check out repository
        uses: actions/checkout@v6
+      - name: Install .NET
+        uses: actions/setup-dotnet@v5
+        with:
+          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
+      - name: Install Go
+        uses: actions/setup-go@v6
+        with:
+          go-version: ${{ inputs.go-version || '>=1.21.0' }}
+          cache: false
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -89,20 +88,6 @@ jobs:
          version: ${{ matrix.version }}
          use-all-platform-bundle: 'false'
          setup-kotlin: 'true'
-      - name: Install Go
-        uses: actions/setup-go@v6
-        with:
-          go-version: ${{ inputs.go-version || '>=1.21.0' }}
-          cache: false
-      - name: Install Python
-        if: matrix.version != 'nightly-latest'
-        uses: actions/setup-python@v6
-        with:
-          python-version: ${{ inputs.python-version || '3.13' }}
-      - name: Install .NET
-        uses: actions/setup-dotnet@v5
-        with:
-          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - name: Delete original checkout
        run: |
          # delete the original checkout so we don't accidentally use it.
@@ -131,7 +131,7 @@ jobs:
          echo "::endgroup::"

      - name: Generate token
-        uses: actions/create-github-app-token@v2.2.1
+        uses: actions/create-github-app-token@v3.0.0
        id: app-token
        with:
          app-id: ${{ vars.AUTOMATION_APP_ID }}
@@ -52,19 +52,10 @@ jobs:
      - name: Verify compiled JS up to date
        run: .github/workflows/script/check-js.sh

-      - name: Verify PR checks up to date
-        if: always()
-        run: .github/workflows/script/verify-pr-checks.sh
-
      - name: Run unit tests
        if: always()
        run: npm test

-      - name: Run pr-checks tests
-        if: always()
-        working-directory: pr-checks
-        run: npm ci && npx tsx --test
-
      - name: Lint
        if: always() && matrix.os != 'windows-latest'
        run: npm run lint-ci
@@ -76,6 +67,43 @@ jobs:
          sarif_file: eslint.sarif
          category: eslint

+  # Verifying the PR checks are up-to-date requires Node 24. The PR checks are not dependent
+  # on the main codebase and therefore do not need to be run as part of the same matrix that
+  # we use for the `unit-tests` job.
+  verify-pr-checks:
+    name: Verify PR checks
+    if: github.triggering_actor != 'dependabot[bot]'
+    permissions:
+      contents: read
+    runs-on: ubuntu-slim
+    timeout-minutes: 10
+
+    steps:
+      - name: Prepare git (Windows)
+        if: runner.os == 'Windows'
+        run: git config --global core.autocrlf false
+
+      - name: Checkout repository
+        uses: actions/checkout@v6
+
+      - name: Set up Node.js
+        uses: actions/setup-node@v6
+        with:
+          node-version: 24
+          cache: 'npm'
+
+      - name: Install dependencies
+        run: npm ci
+
+      - name: Verify PR checks up to date
+        if: always()
+        run: .github/workflows/script/verify-pr-checks.sh
+
+      - name: Run pr-checks tests
+        if: always()
+        working-directory: pr-checks
+        run: npx tsx --test
+
  check-node-version:
    if: github.triggering_actor != 'dependabot[bot]'
    name: Check Action Node versions
@@ -29,6 +29,12 @@ jobs:
          fetch-depth: 0
          ref: ${{ env.HEAD_REF }}

+      - name: Set up Node.js
+        uses: actions/setup-node@v6
+        with:
+          node-version: 24
+          cache: 'npm'
+
      - name: Remove label
        if: github.event_name == 'pull_request'
        env:
@@ -49,9 +55,18 @@ jobs:
          git fetch origin "$BASE_BRANCH"

          # Allow merge conflicts in `lib`, since rebuilding should resolve them.
-          git merge "origin/$BASE_BRANCH" || echo "Merge conflicts detected, continuing."
+          git merge "origin/$BASE_BRANCH"
          MERGE_RESULT=$?

+          if [ "$MERGE_RESULT" -eq 0 ]; then
+            echo "Merge succeeded cleanly."
+          elif [ "$MERGE_RESULT" -eq 1 ]; then
+            echo "Merge conflicts detected (exit code $MERGE_RESULT), continuing."
+          else
+            echo "git merge failed with unexpected exit code $MERGE_RESULT."
+            exit 1
+          fi
+
          if [ "$MERGE_RESULT" -ne 0 ]; then
            echo "merge-in-progress=true" >> $GITHUB_OUTPUT

@@ -79,7 +94,7 @@ jobs:
        working-directory: pr-checks
        run: |
          npm ci
-          npx tsx sync_back.ts --verbose
+          npx tsx sync-back.ts --verbose

      - name: Generate workflows
        working-directory: pr-checks
@@ -104,7 +119,7 @@ jobs:
            # Otherwise, just commit the changes.
            if git rev-parse --verify MERGE_HEAD >/dev/null 2>&1; then
              echo "In progress merge detected, finishing it up."
-              git merge --continue --no-edit
+              git commit --no-edit
            else
              echo "No in-progress merge detected, committing changes."
              git commit -m "Rebuild"
@@ -136,7 +136,7 @@ jobs:

      - name: Generate token
        if: github.event_name == 'workflow_dispatch'
-        uses: actions/create-github-app-token@v2.2.1
+        uses: actions/create-github-app-token@v3.0.0
        id: app-token
        with:
          app-id: ${{ vars.AUTOMATION_APP_ID }}
@@ -93,7 +93,7 @@ jobs:
      pull-requests: write # needed to create pull request
    steps:
    - name: Generate token
-      uses: actions/create-github-app-token@v2.2.1
+      uses: actions/create-github-app-token@v3.0.0
      id: app-token
      with:
        app-id: ${{ vars.AUTOMATION_APP_ID }}
@@ -2,6 +2,24 @@

 See the [releases page](https://github.com/github/codeql-action/releases) for the relevant changes to the CodeQL CLI and language packs.

+## [UNRELEASED]
+
+- Added an experimental change which disables TRAP caching when [improved incremental analysis](https://github.com/github/roadmap/issues/1158) is enabled, since improved incremental analysis supersedes TRAP caching. This will improve performance and reduce Actions cache usage. We expect to roll this change out to everyone in March. [#3569](https://github.com/github/codeql-action/pull/3569)
+
+## 4.33.0 - 16 Mar 2026
+
+- Upcoming change: Starting April 2026, the CodeQL Action will skip collecting file coverage information on pull requests to improve analysis performance. File coverage information will still be computed on non-PR analyses. Pull request analyses will log a warning about this upcoming change. [#3562](https://github.com/github/codeql-action/pull/3562)
+
+  To opt out of this change:
+  - **Repositories owned by an organization:** Create a custom repository property with the name `github-codeql-file-coverage-on-prs` and the type "True/false", then set this property to `true` in the repository's settings. For more information, see [Managing custom properties for repositories in your organization](https://docs.github.com/en/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization). Alternatively, if you are using an advanced setup workflow, you can set the `CODEQL_ACTION_FILE_COVERAGE_ON_PRS` environment variable to `true` in your workflow.
+  - **User-owned repositories using default setup:** Switch to an advanced setup workflow and set the `CODEQL_ACTION_FILE_COVERAGE_ON_PRS` environment variable to `true` in your workflow.
+  - **User-owned repositories using advanced setup:** Set the `CODEQL_ACTION_FILE_COVERAGE_ON_PRS` environment variable to `true` in your workflow.
+- Fixed [a bug](https://github.com/github/codeql-action/issues/3555) which caused the CodeQL Action to fail loading repository properties if a "Multi select" repository property was configured for the repository. [#3557](https://github.com/github/codeql-action/pull/3557)
+- The CodeQL Action now loads [custom repository properties](https://docs.github.com/en/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization) on GitHub Enterprise Server, enabling the customization of features such as `github-codeql-disable-overlay` that was previously only available on GitHub.com. [#3559](https://github.com/github/codeql-action/pull/3559)
+- Once [private package registries](https://docs.github.com/en/code-security/how-tos/secure-at-scale/configure-organization-security/manage-usage-and-access/giving-org-access-private-registries) can be configured with OIDC-based authentication for organizations, the CodeQL Action will now be able to accept such configurations. [#3563](https://github.com/github/codeql-action/pull/3563)
+- Fixed the retry mechanism for database uploads. Previously this would fail with the error "Response body object should not be disturbed or locked". [#3564](https://github.com/github/codeql-action/pull/3564)
+- A warning is now emitted if the CodeQL Action detects a repository property whose name suggests that it relates to the CodeQL Action, but which is not one of the properties recognised by the current version of the CodeQL Action. [#3570](https://github.com/github/codeql-action/pull/3570)
+
 ## 4.32.6 - 05 Mar 2026

 - Update default CodeQL bundle version to [2.24.3](https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.24.3). [#3548](https://github.com/github/codeql-action/pull/3548)
@@ -0,0 +1,9 @@
+export default {
+  typescript: {
+    rewritePaths: {
+      "src/": "build/",
+    },
+    compile: false,
+  },
+  require: ["./ava.setup.mjs"],
+};
@@ -0,0 +1,3 @@
+import pkg from "./package.json" with { type: "json" };
+
+globalThis.__CODEQL_ACTION_VERSION__ = pkg.version;
@@ -5,6 +5,8 @@ import { fileURLToPath } from "node:url";
 import * as esbuild from "esbuild";
 import { globSync } from "glob";

+import pkg from "./package.json" with { type: "json" };
+
 const __filename = fileURLToPath(import.meta.url);
 const __dirname = dirname(__filename);

@@ -13,7 +15,7 @@ const OUT_DIR = join(__dirname, "lib");

 /**
 * Clean the output directory before building.
- * 
+ *
 * @type {esbuild.Plugin}
 */
 const cleanPlugin = {
@@ -27,7 +29,7 @@ const cleanPlugin = {

 /**
 * Copy defaults.json to the output directory since other projects depend on it.
- * 
+ *
 * @type {esbuild.Plugin}
 */
 const copyDefaultsPlugin = {
@@ -69,6 +71,9 @@ const context = await esbuild.context({
  platform: "node",
  plugins: [cleanPlugin, copyDefaultsPlugin, onEndPlugin],
  target: ["node20"],
+  define: {
+    __CODEQL_ACTION_VERSION__: JSON.stringify(pkg.version),
+  },
 });

 await context.rebuild();
@@ -19,9 +19,10 @@ export default [
      "src/testdata/**/*",
      "tests/**/*",
      "build.mjs",
+      "ava.config.mjs",
+      "ava.setup.mjs",
      "eslint.config.mjs",
      ".github/**/*",
-      "pr-checks/**/*",
    ],
  },
  // eslint recommended config
@@ -161,10 +162,36 @@ export default [
      "@typescript-eslint/no-unused-vars": [
        "error",
        {
+          "args": "all",
          "argsIgnorePattern": "^_",
        }
      ],
      "func-style": "off",
    },
  },
+  {
+    files: ["pr-checks/**/*.ts"],
+
+    languageOptions: {
+      parserOptions: {
+        // Use the correct `tsconfig.json` for `pr-checks`.
+        project: "./pr-checks/tsconfig.json",
+      },
+    },
+
+    rules: {
+      // The scripts in `pr-checks` are expected to output to the console.
+      "no-console": "off",
+
+      "@typescript-eslint/no-floating-promises": [
+        "error",
+        {
+          allowForKnownSafeCalls: [
+            // Avoid needing explicit `void` in front of `describe` calls in test files.
+            { from: "package", name: ["describe"], package: "node:test" },
+          ],
+        },
+      ],
+    },
+  },
 ];
@@ -1,6 +1,6 @@
 {
  "name": "codeql",
-  "version": "4.32.6",
+  "version": "4.33.1",
  "private": true,
  "description": "CodeQL action",
  "scripts": {
@@ -14,15 +14,10 @@
    "test-debug": "npm run test -- --timeout=20m",
    "transpile": "tsc --build --verbose"
  },
-  "ava": {
-    "typescript": {
-      "rewritePaths": {
-        "src/": "build/"
-      },
-      "compile": false
-    }
-  },
  "license": "MIT",
+  "workspaces": [
+    "pr-checks"
+  ],
  "dependencies": {
    "@actions/artifact": "^5.0.3",
    "@actions/artifact-legacy": "npm:@actions/artifact@^1.1.2",
@@ -50,7 +45,7 @@
  },
  "devDependencies": {
    "@ava/typescript": "6.0.0",
-    "@eslint/compat": "^2.0.2",
+    "@eslint/compat": "^2.0.3",
    "@microsoft/eslint-formatter-sarif": "^3.1.0",
    "@octokit/types": "^16.0.0",
    "@types/archiver": "^7.0.0",
@@ -61,7 +56,7 @@
    "@types/sarif": "^2.1.7",
    "@types/semver": "^7.7.1",
    "@types/sinon": "^21.0.0",
-    "ava": "^6.4.1",
+    "ava": "^7.0.0",
    "esbuild": "^0.27.3",
    "eslint": "^9.39.2",
    "eslint-import-resolver-typescript": "^3.8.7",
@@ -70,11 +65,11 @@
    "eslint-plugin-jsdoc": "^62.7.1",
    "eslint-plugin-no-async-foreach": "^0.1.1",
    "glob": "^11.1.0",
-    "globals": "^17.3.0",
+    "globals": "^17.4.0",
    "nock": "^14.0.11",
-    "sinon": "^21.0.1",
+    "sinon": "^21.0.2",
    "typescript": "^5.9.3",
-    "typescript-eslint": "^8.56.1"
+    "typescript-eslint": "^8.57.0"
  },
  "overrides": {
    "@actions/tool-cache": {
@@ -1,7 +1,11 @@
 name: "All-platform bundle"
 description: "Tests using an all-platform CodeQL Bundle"
-operatingSystems: ["ubuntu", "macos", "windows"]
-versions: ["nightly-latest"]
+operatingSystems:
+  - ubuntu
+  - macos
+  - windows
+versions:
+  - nightly-latest
 useAllPlatformBundle: "true"
 installGo: true
 installDotNet: true
@@ -1,7 +1,13 @@
 name: "Analysis kinds"
 description: "Tests basic functionality for different `analysis-kinds` inputs."
-versions: ["linked", "nightly-latest"]
-analysisKinds: ["code-scanning", "code-quality", "code-scanning,code-quality", "risk-assessment"]
+versions:
+  - linked
+  - nightly-latest
+analysisKinds:
+  - code-scanning
+  - code-quality
+  - code-scanning,code-quality
+  - risk-assessment
 env:
  CODEQL_ACTION_RISK_ASSESSMENT_ID: 1
  CHECK_SCRIPT: |
@@ -1,8 +1,8 @@
 name: "Analyze: 'ref' and 'sha' from inputs"
 description: "Checks that specifying 'ref' and 'sha' as inputs works"
-versions: ["default"]
+versions:
+  - default
 installGo: true
-installPython: true
 installDotNet: true
 steps:
  - uses: ./../action/init
@@ -1,7 +1,11 @@
 name: "autobuild-action"
 description: "Tests that the C# autobuild action works"
-operatingSystems: ["ubuntu", "macos", "windows"]
-versions: ["linked"]
+operatingSystems:
+  - ubuntu
+  - macos
+  - windows
+versions:
+  - linked
 installDotNet: true
 steps:
  - uses: ./../action/init
@@ -3,8 +3,12 @@ description: >
  An end-to-end integration test of a Java repository built using 'build-mode: autobuild',
  with direct tracing enabled and a custom working directory specified as the input to the
  autobuild Action.
-operatingSystems: ["ubuntu", "windows"]
-versions: ["linked", "nightly-latest"]
+operatingSystems:
+  - ubuntu
+  - windows
+versions:
+  - linked
+  - nightly-latest
 installJava: true
 env:
  CODEQL_ACTION_AUTOBUILD_BUILD_MODE_DIRECT_TRACING: true
@@ -1,6 +1,7 @@
 name: "Autobuild working directory"
 description: "Tests working-directory input of autobuild action"
-versions: ["linked"]
+versions:
+  - linked
 steps:
  - name: Test setup
    run: |
@@ -1,7 +1,11 @@
 name: "Build mode autobuild"
 description: "An end-to-end integration test of a Java repository built using 'build-mode: autobuild'"
-operatingSystems: ["ubuntu", "windows"]
-versions: ["linked", "nightly-latest"]
+operatingSystems:
+  - ubuntu
+  - windows
+versions:
+  - linked
+  - nightly-latest
 installJava: true
 installYq: true
 steps:
@@ -1,6 +1,7 @@
 name: "Build mode manual"
 description: "An end-to-end integration test of a Java repository built using 'build-mode: manual'"
-versions: ["nightly-latest"]
+versions:
+  - nightly-latest
 installGo: true
 installDotNet: true
 steps:
@@ -1,6 +1,8 @@
 name: "Build mode none"
 description: "An end-to-end integration test of a Java repository built using 'build-mode: none'"
-versions: ["linked", "nightly-latest"]
+versions:
+  - linked
+  - nightly-latest
 steps:
  - uses: ./../action/init
    id: init
@@ -1,6 +1,7 @@
 name: "Build mode rollback"
 description: "The build mode is rolled back from none to autobuild when the relevant feature flag is enabled."
-versions: ["nightly-latest"]
+versions:
+  - nightly-latest
 env:
  CODEQL_ACTION_DISABLE_JAVA_BUILDLESS: true
 steps:
@@ -3,8 +3,8 @@ description: "The CodeQL bundle should be cached within the toolcache"
 versions:
  - linked
 operatingSystems:
-  - macos
  - ubuntu
+  - macos
  - windows
 steps:
  - name: Remove CodeQL from toolcache
@@ -3,8 +3,8 @@ description: "A Zstandard CodeQL bundle should be extracted on supported operati
 versions:
  - linked
 operatingSystems:
-  - macos
  - ubuntu
+  - macos
  - windows
 steps:
  - name: Remove CodeQL from toolcache
@@ -1,6 +1,7 @@
 name: "Clean up database cluster directory"
 description: "The database cluster directory is cleaned up if it is not empty."
-versions: ["linked"]
+versions:
+  - linked
 steps:
  - name: Add a file to the database cluster directory
    run: |
@@ -1,6 +1,8 @@
 name: "Config export"
 description: "Tests that the code scanning configuration file is exported to SARIF correctly."
-versions: ["linked", "nightly-latest"]
+versions:
+  - linked
+  - nightly-latest
 steps:
  - uses: ./../action/init
    with:
@@ -1,7 +1,8 @@
 name: "Config input"
 description: "Tests specifying configuration using the config input"
 installNode: true
-versions: ["linked"]
+versions:
+  - linked
 steps:
  - name: Copy queries into workspace
    run: |
@@ -1,6 +1,9 @@
 name: "C/C++: disabling autoinstalling dependencies (Linux)"
 description: "Checks that running C/C++ autobuild with autoinstalling dependencies explicitly disabled works"
-versions: ["linked", "default", "nightly-latest"]
+versions:
+  - linked
+  - default
+  - nightly-latest
 env:
  DOTNET_GENERATE_ASPNET_CERTIFICATE: "false"
 steps:
@@ -1,7 +1,10 @@
 name: "C/C++: autoinstalling dependencies is skipped (macOS)"
 description: "Checks that running C/C++ autobuild with autoinstalling dependencies explicitly enabled is a no-op on macOS"
-operatingSystems: ["macos"]
-versions: ["linked", "nightly-latest"]
+operatingSystems:
+  - macos
+versions:
+  - linked
+  - nightly-latest
 env:
  DOTNET_GENERATE_ASPNET_CERTIFICATE: "false"
 steps:
@@ -1,6 +1,9 @@
 name: "C/C++: autoinstalling dependencies (Linux)"
 description: "Checks that running C/C++ autobuild with autoinstalling dependencies works"
-versions: ["linked", "default", "nightly-latest"]
+versions:
+  - linked
+  - default
+  - nightly-latest
 env:
  DOTNET_GENERATE_ASPNET_CERTIFICATE: "false"
 steps:
@@ -1,6 +1,8 @@
 name: "Diagnostic export"
 description: "Tests that manually added diagnostics are correctly exported to SARIF."
-versions: ["linked", "nightly-latest"]
+versions:
+  - linked
+  - nightly-latest
 env:
  CODEQL_ACTION_EXPORT_DIAGNOSTICS: true
 steps:
@@ -1,7 +1,11 @@
 name: "Export file baseline information"
 description: "Tests that file baseline information is exported when the feature is enabled"
-operatingSystems: ["ubuntu", "macos", "windows"]
-versions: ["nightly-latest"]
+operatingSystems:
+  - ubuntu
+  - macos
+  - windows
+versions:
+  - nightly-latest
 installGo: true
 installDotNet: true
 env:
@@ -1,6 +1,7 @@
 name: "Extractor ram and threads options test"
 description: "Tests passing RAM and threads limits to extractors"
-versions: ["linked"]
+versions:
+  - linked
 steps:
  - uses: ./../action/init
    with:
@@ -1,6 +1,8 @@
 name: "Proxy test"
 description: "Tests using a proxy specified by the https_proxy environment variable"
-versions: ["linked", "nightly-latest"]
+versions:
+  - linked
+  - nightly-latest
 container:
  image: ubuntu:22.04
 services:
@@ -2,7 +2,8 @@ name: "Go: diagnostic when Go is changed after init step"
 description: "Checks that we emit a diagnostic if Go is changed after the init step"
 # only Linux is affected
 # pinned to a version which does not support statically linked binaries for indirect tracing
-versions: ["default"]
+versions:
+  - default
 installGo: true
 collection: go
 steps:
@@ -2,7 +2,8 @@ name: "Go: diagnostic when `file` is not installed"
 description: "Checks that we emit a diagnostic if the `file` program is not installed"
 # only Linux is affected
 # pinned to a version which does not support statically linked binaries for indirect tracing
-versions: ["default"]
+versions:
+  - default
 installGo: true
 collection: go
 steps:
@@ -2,7 +2,8 @@ name: "Go: workaround for indirect tracing"
 description: "Checks that our workaround for indirect tracing for Go 1.21+ on Linux works"
 # only Linux is affected
 # pinned to a version which does not support statically linked binaries for indirect tracing
-versions: ["default"]
+versions:
+  - default
 installGo: true
 collection: go
 steps:
@@ -1,7 +1,13 @@
 name: "Go: tracing with autobuilder step"
 description: "Checks that Go tracing works when using an autobuilder step"
 collection: go
-operatingSystems: ["ubuntu", "macos"]
+operatingSystems:
+  - ubuntu
+  - macos
+osCodeQlVersions:
+  macos:
+    - linked
+    - nightly-latest
 env:
  DOTNET_GENERATE_ASPNET_CERTIFICATE: "false"
 installGo: true
@@ -1,7 +1,13 @@
 name: "Go: tracing with custom build steps"
 description: "Checks that Go tracing traces the build when using custom build steps"
 collection: go
-operatingSystems: ["ubuntu", "macos"]
+operatingSystems:
+  - ubuntu
+  - macos
+osCodeQlVersions:
+  macos:
+    - linked
+    - nightly-latest
 installGo: true
 steps:
  - uses: ./../action/init
@@ -1,7 +1,13 @@
 name: "Go: tracing with legacy workflow"
 description: "Checks that we run the autobuilder in legacy workflows with neither an autobuild step nor manual build steps"
 collection: go
-operatingSystems: ["ubuntu", "macos"]
+operatingSystems:
+  - ubuntu
+  - macos
+osCodeQlVersions:
+  macos:
+    - linked
+    - nightly-latest
 env:
  DOTNET_GENERATE_ASPNET_CERTIFICATE: "false"
 installGo: true
@@ -4,12 +4,11 @@
 # basic mechanics of multi-registry auth is working.
 name: "Packaging: Download using registries"
 description: "Checks that specifying a registries block and associated auth works as expected"
-versions: [
-    # This feature is not compatible with older CLIs
-    "default",
-    "linked",
-    "nightly-latest",
-]
+versions:
+  # This feature is not compatible with older CLIs
+  - default
+  - linked
+  - nightly-latest

 permissions:
  contents: read
@@ -1,6 +1,10 @@
 name: "Custom source root"
 description: "Checks that the argument specifying a non-default source root works"
-versions: ["linked", "default", "nightly-latest"] # This feature is not compatible with old CLIs
+# This feature is not compatible with old CLIs
+versions:
+  - linked
+  - default
+  - nightly-latest
 steps:
  - name: Move codeql-action
    run: |
@@ -1,6 +1,7 @@
 name: "Job run UUID added to SARIF"
 description: "Tests that the job run UUID is added to the SARIF output"
-versions: ["nightly-latest"]
+versions:
+  - nightly-latest
 steps:
  - uses: ./../action/init
    id: init
@@ -1,6 +1,7 @@
 name: "Language aliases"
 description: "Tests that language aliases are resolved correctly"
-versions: ["linked"]
+versions:
+  - linked
 steps:
  - uses: ./../action/init
    with:
@@ -1,8 +1,8 @@
 name: "Local CodeQL bundle"
 description: "Tests using a CodeQL bundle from a local file rather than a URL"
-versions: ["linked"]
+versions:
+  - linked
 installGo: true
-installPython: true
 installDotNet: true
 steps:
  - name: Fetch latest CodeQL bundle
@@ -1,12 +1,21 @@
 name: "Multi-language repository"
-description: "An end-to-end integration test of a multi-language repository using automatic language detection for macOS"
-operatingSystems: ["macos", "ubuntu"]
+description: "An end-to-end integration test of a multi-language repository using automatic language detection"
+operatingSystems:
+  - ubuntu
+  - macos
 env:
  CODEQL_ACTION_RESOLVE_SUPPORTED_LANGUAGES_USING_CLI: true
 installGo: true
-installPython: true
 installDotNet: true
 steps:
+  - name: Install Python 3.13 for older CLI versions
+    # We need Python 3.13 for older CLI versions because they are not compatible with Python 3.14 or newer.
+    # See https://github.com/github/codeql-action/pull/3212
+    if: matrix.version != 'nightly-latest' && matrix.version != 'linked'
+    uses: actions/setup-python@v6
+    with:
+      python-version: "3.13"
+
  - name: Use Xcode 16
    if: runner.os == 'macOS' && matrix.version != 'nightly-latest'
    run: sudo xcode-select -s "/Applications/Xcode_16.app"
@@ -1,6 +1,8 @@
 name: "Overlay database init fallback"
 description: "Tests that overlay init action succeeds with non-overlay packs"
-versions: ["linked", "nightly-latest"]
+versions:
+  - linked
+  - nightly-latest
 steps:
  - uses: ./../action/init
    with:
@@ -1,9 +1,12 @@
 name: "Packaging: Config and input passed to the CLI"
 description: "Checks that specifying packages using a combination of a config file and input to the Action works"
-versions: ["linked", "default", "nightly-latest"] # This feature is not compatible with old CLIs
+# This feature is not compatible with old CLIs
+versions:
+  - linked
+  - default
+  - nightly-latest
 installGo: true
 installNode: true
-installPython: true
 installDotNet: true
 steps:
  - uses: ./../action/init
@@ -1,6 +1,10 @@
 name: "Packaging: Config and input"
 description: "Checks that specifying packages using a combination of a config file and input to the Action works"
-versions: ["linked", "default", "nightly-latest"] # This feature is not compatible with old CLIs
+# This feature is not compatible with old CLIs
+versions:
+  - linked
+  - default
+  - nightly-latest
 installGo: true
 installNode: true
 installDotNet: true
@@ -1,6 +1,10 @@
 name: "Packaging: Config file"
 description: "Checks that specifying packages using only a config file works"
-versions: ["linked", "default", "nightly-latest"] # This feature is not compatible with old CLIs
+# This feature is not compatible with old CLIs
+versions:
+  - linked
+  - default
+  - nightly-latest
 installGo: true
 installNode: true
 installDotNet: true
@@ -1,6 +1,10 @@
 name: "Packaging: Action input"
 description: "Checks that specifying packages using the input to the Action works"
-versions: ["linked", "default", "nightly-latest"] # This feature is not compatible with old CLIs
+# This feature is not compatible with old CLIs
+versions:
+  - linked
+  - default
+  - nightly-latest
 installGo: true
 installNode: true
 installDotNet: true
@@ -6,7 +6,6 @@ versions:
  - linked
  - nightly-latest
 installGo: true
-installPython: true
 installDotNet: true
 steps:
  - uses: ./../action/init
@@ -1,6 +1,9 @@
 name: "Resolve environment"
 description: "Tests that the resolve-environment action works for Go and JavaScript/TypeScript"
-versions: ["default", "linked", "nightly-latest"]
+versions:
+  - linked
+  - default
+  - nightly-latest
 steps:
  - uses: ./../action/init
    with:
@@ -1,7 +1,8 @@
 name: "RuboCop multi-language"
 description: "Tests using RuboCop to analyze a multi-language repository and then using the CodeQL Action to upload the resulting SARIF"
 # This check doesn't use CodeQL, so the `version` matrix variable is unused.
-versions: ["default"]
+versions:
+  - default
 steps:
  - name: Set up Ruby
    uses: ruby/setup-ruby@09a7688d3b55cf0e976497ff046b70949eeaccfd # v1.288.0
@@ -1,7 +1,12 @@
 name: "Ruby analysis"
 description: "Tests creation of a Ruby database"
-versions: ["linked", "default", "nightly-latest"]
-operatingSystems: ["ubuntu", "macos"]
+versions:
+  - linked
+  - default
+  - nightly-latest
+operatingSystems:
+  - ubuntu
+  - macos
 steps:
  - uses: ./../action/init
    with:
@@ -1,7 +1,13 @@
 name: "Split workflow"
 description: "Tests a split-up workflow in which we first build a database and later analyze it"
-operatingSystems: ["ubuntu", "macos"]
-versions: ["linked", "default", "nightly-latest"] # This feature is not compatible with old CLIs
+operatingSystems:
+  - ubuntu
+  - macos
+# This feature is not compatible with old CLIs
+versions:
+  - linked
+  - default
+  - nightly-latest
 installGo: true
 installDotNet: true
 steps:
@@ -1,7 +1,11 @@
 name: "Start proxy"
 description: "Tests that the proxy can be initialised on all platforms"
-operatingSystems: ["ubuntu", "macos", "windows"]
-versions: ["linked"]
+operatingSystems:
+  - ubuntu
+  - macos
+  - windows
+versions:
+  - linked
 steps:
  - uses: ./../action/init
    with:
--- a/Show More
+++ b/Show More