hack: add python job to see if there are any alerts

2026-05-03 20:30:09 +00:00 · 2025-09-15 14:47:03 +02:00
314 changed files with 565353 additions and 1060005 deletions
@@ -6,16 +6,6 @@ import * as assert from 'assert'

 const actualConfig = loadActualConfig()

-function sortConfigArrays(config) {
-  for (const key of Object.keys(config)) {
-    const value = config[key];
-    if (key === 'queries' && Array.isArray(value)) {
-      config[key] = value.sort();
-    }
-  }
-  return config;
-}
-
 const rawExpectedConfig = process.argv[3].trim()
 if (!rawExpectedConfig) {
  core.setFailed('No expected configuration provided')
@@ -28,8 +18,8 @@ if (!rawExpectedConfig) {
 const expectedConfig = rawExpectedConfig ? JSON.parse(rawExpectedConfig) : undefined;

 assert.deepStrictEqual(
-  sortConfigArrays(actualConfig),
-  sortConfigArrays(expectedConfig),
+  actualConfig,
+  expectedConfig,
  'Expected configuration does not match actual configuration'
 );

@@ -16,5 +16,5 @@ inputs:
      Comma separated list of query ids that should NOT be included in this SARIF file.

 runs:
-  using: node24
+  using: node20
  main: index.js
@@ -2,7 +2,7 @@ name: "Prepare test"
 description: Performs some preparation to run tests
 inputs:
  version:
-    description: "The version of the CodeQL CLI to use. Can be 'linked', 'default', 'toolcache', 'nightly', 'nightly-latest', 'nightly-YYYYMMDD', or 'stable-vX.Y.Z"
+    description: "The version of the CodeQL CLI to use. Can be 'linked', 'default', 'nightly-latest', 'nightly-YYYYMMDD', or 'stable-vX.Y.Z"
    required: true
  use-all-platform-bundle:
    description: "If true, we output a tools URL with codeql-bundle.tar.gz file rather than platform-specific URL"
@@ -35,34 +35,37 @@ runs:
      run: |
        set -e # Fail this Action if `gh release list` fails.

-        if [[ "$VERSION" == "nightly" || "$VERSION" == "nightly-latest" ]]; then
-          echo "tools-url=nightly" >> "$GITHUB_OUTPUT"
-          exit 0
-        elif [[ "$VERSION" == "linked" ]]; then
+        if [[ "$VERSION" == "linked" ]]; then
          echo "tools-url=linked" >> "$GITHUB_OUTPUT"
          exit 0
-        elif [[ "$VERSION" == "toolcache" ]]; then
-          echo "tools-url=toolcache" >> "$GITHUB_OUTPUT"
-          exit 0
        elif [[ "$VERSION" == "default" ]]; then
          echo "tools-url=" >> "$GITHUB_OUTPUT"
          exit 0
        fi

+        if [[ "$VERSION" == "nightly-latest" && "$RUNNER_OS" != "Windows" ]]; then
+          extension="tar.zst"
+        else
+          extension="tar.gz"
+        fi
+
        if [[ "$USE_ALL_PLATFORM_BUNDLE" == "true" ]]; then
-          artifact_name="codeql-bundle.tar.gz"
+          artifact_name="codeql-bundle.$extension"
        elif [[ "$RUNNER_OS" == "Linux" ]]; then
-          artifact_name="codeql-bundle-linux64.tar.gz"
+          artifact_name="codeql-bundle-linux64.$extension"
        elif [[ "$RUNNER_OS" == "macOS" ]]; then
-          artifact_name="codeql-bundle-osx64.tar.gz"
+          artifact_name="codeql-bundle-osx64.$extension"
        elif [[ "$RUNNER_OS" == "Windows" ]]; then
-          artifact_name="codeql-bundle-win64.tar.gz"
+          artifact_name="codeql-bundle-win64.$extension"
        else
          echo "::error::Unrecognized OS $RUNNER_OS"
          exit 1
        fi

-        if [[ "$VERSION" == *"nightly"* ]]; then
+        if [[ "$VERSION" == "nightly-latest" ]]; then
+          tag=`gh release list --repo dsp-testing/codeql-cli-nightlies -L 1 | cut -f 3`
+          echo "tools-url=https://github.com/dsp-testing/codeql-cli-nightlies/releases/download/$tag/$artifact_name" >> $GITHUB_OUTPUT
+        elif [[ "$VERSION" == *"nightly"* ]]; then
          version=`echo "$VERSION" | sed -e 's/^.*\-//'`
          echo "tools-url=https://github.com/dsp-testing/codeql-cli-nightlies/releases/download/codeql-bundle-$version/$artifact_name" >> $GITHUB_OUTPUT
        elif [[ "$VERSION" == *"stable"* ]]; then
@@ -22,8 +22,7 @@ runs:
        MAJOR_VERSION: ${{ inputs.major_version }}
        LATEST_TAG: ${{ inputs.latest_tag }}
      run: |
-        npm ci
-        npx tsx ./pr-checks/release-branches.ts \
+        python ${{ github.action_path }}/release-branches.py \
            --major-version "$MAJOR_VERSION" \
            --latest-tag "$LATEST_TAG"
      shell: bash
@@ -0,0 +1,55 @@
+import argparse
+import json
+import os
+import configparser
+
+# Name of the remote
+ORIGIN = 'origin'
+
+script_dir = os.path.dirname(os.path.realpath(__file__))
+grandparent_dir = os.path.dirname(os.path.dirname(script_dir))
+
+config = configparser.ConfigParser()
+with open(os.path.join(grandparent_dir, 'releases.ini')) as stream:
+    config.read_string('[default]\n' + stream.read())
+
+OLDEST_SUPPORTED_MAJOR_VERSION = int(config['default']['OLDEST_SUPPORTED_MAJOR_VERSION'])
+
+def main():
+
+  parser = argparse.ArgumentParser()
+  parser.add_argument("--major-version", required=True, type=str, help="The major version of the release")
+  parser.add_argument("--latest-tag", required=True, type=str, help="The most recent tag published to the repository")
+  args = parser.parse_args()
+
+  major_version = args.major_version
+  latest_tag = args.latest_tag
+
+  print("major_version: " + major_version)
+  print("latest_tag: " + latest_tag)
+
+  # If this is a primary release, we backport to all supported branches,
+  # so we check whether the major_version taken from the package.json
+  # is greater than or equal to the latest tag pulled from the repo.
+  # For example...
+  #     'v1' >= 'v2' is False # we're operating from an older release branch and should not backport
+  #     'v2' >= 'v2' is True  # the normal case where we're updating the current version
+  #     'v3' >= 'v2' is True  # in this case we are making the first release of a new major version
+  consider_backports = ( major_version >= latest_tag.split(".")[0] )
+
+  with open(os.environ["GITHUB_OUTPUT"], "a") as f:
+
+    f.write(f"backport_source_branch=releases/{major_version}\n")
+
+    backport_target_branches = []
+
+    if consider_backports:
+      for i in range(int(major_version.strip("v"))-1, 0, -1):
+        branch_name = f"releases/v{i}"
+        if i >= OLDEST_SUPPORTED_MAJOR_VERSION:
+          backport_target_branches.append(branch_name)
+
+    f.write("backport_target_branches="+json.dumps(backport_target_branches)+"\n")
+
+if __name__ == "__main__":
+  main()
@@ -15,16 +15,10 @@ runs:
      run: echo "$GITHUB_CONTEXT"
      shell: bash

-    - name: Set up Node
-      uses: actions/setup-node@v6
-      with:
-        node-version: 20
-        cache: 'npm'
-
    - name: Set up Python
-      uses: actions/setup-python@v6
+      uses: actions/setup-python@v5
      with:
-        python-version: '3.12'
+        python-version: 3.12

    - name: Install dependencies
      run: |
@@ -1,6 +0,0 @@
-name: Verify that the best-effort debug artifact scan completed
-description: Verifies that the best-effort debug artifact scan completed successfully during tests
-runs:
-  using: node24
-  main: index.js
-  post: post.js
@@ -1,2 +0,0 @@
-// The main step is a no-op, since we can only verify artifact scan completion in the post step.
-console.log("Will verify artifact scan completion in the post step.");
@@ -1,11 +0,0 @@
-// Post step - runs after the workflow completes, when artifact scan has finished
-const process = require("process");
-
-const scanFinished = process.env.CODEQL_ACTION_ARTIFACT_SCAN_FINISHED;
-
-if (scanFinished !== "true") {
-  console.error("Error: Best-effort artifact scan did not complete. Expected CODEQL_ACTION_ARTIFACT_SCAN_FINISHED=true");
-  process.exit(1);
-}
-
-console.log("✓ Best-effort artifact scan completed successfully");
@@ -0,0 +1,4 @@
+# Configuration for the CodeQL Actions Queries
+name: "CodeQL Actions Queries config"
+queries:
+  - uses: security-and-quality
@@ -7,9 +7,9 @@ queries:
  # we include both even though one is a superset of the
  # other, because we're testing the parsing logic and
  # that the suites exist in the codeql bundle.
-  - uses: security-and-quality
  - uses: security-experimental
  - uses: security-extended
+  - uses: security-and-quality
 paths-ignore:
-  - lib
  - tests
+  - lib
@@ -4,41 +4,34 @@ updates:
    directory: "/"
    schedule:
      interval: weekly
-    cooldown:
-      default-days: 7
-      exclude:
-        - "@actions/*"
    labels:
      - Rebuild
    # Ignore incompatible dependency updates
    ignore:
-      # This is broken due to the way configuration files have changed.
+      # There is a type incompatibility issue between v0.0.9 and our other dependencies.
+      - dependency-name: "@octokit/plugin-retry"
+        versions: ["~6.0.0"]
+      # This is broken due to the way configuration files have changed. 
      # This might be fixed when we move to eslint v9.
      - dependency-name: "eslint-plugin-import"
        versions: [">=2.30.0"]
    groups:
-      npm-minor:
+      npm:
        patterns:
          - "*"
-        update-types:
-          - "minor"
-          - "patch"
  - package-ecosystem: github-actions
-    directories:
-      - "/.github/workflows"
-      - "/.github/actions"
+    directory: "/"
    schedule:
      interval: weekly
-    cooldown:
-      default-days: 7
-      exclude:
-        - "actions/*"
-    labels:
-      - Rebuild
    groups:
-      actions-minor:
+      actions:
+        patterns:
+          - "*"
+  - package-ecosystem: github-actions
+    directory: "/.github/actions/setup-swift/" # All subdirectories outside of "/.github/workflows" must be explicitly included.
+    schedule:
+      interval: weekly
+    groups:
+      actions-setup-swift:
        patterns:
          - "*"
-        update-types:
-          - "minor"
-          - "patch"
@@ -1,13 +1,4 @@
-<!--
-    For GitHub staff: Remember that this is a public repository. Do not link to internal resources.
-                      If necessary, link to this PR from an internal issue and include further details there.
-
-    Everyone: Include a summary of the context of this change, what it aims to accomplish, and why you
-              chose the approach you did if applicable. Indicate any open questions you want to answer
-              during the review process and anything you want reviewers to pay particular attention to.
-
-    See https://github.com/github/codeql-action/blob/main/CONTRIBUTING.md for additional information.
-->
+<!-- For GitHub staff: Remember that this is a public repository. -->

 ### Risk assessment

@@ -16,65 +7,6 @@ For internal use only. Please select the risk level of this change:
 - **Low risk:** Changes are fully under feature flags, or have been fully tested and validated in pre-production environments and are highly observable, or are documentation or test only.
 - **High risk:** Changes are not fully under feature flags, have limited visibility and/or cannot be tested outside of production.

-#### Which use cases does this change impact?
-
-<!-- Delete options that don't apply. If in doubt, do not delete an option. -->
-
-Workflow types:
-
- **Advanced setup** - Impacts users who have custom CodeQL workflows.
- **Managed** - Impacts users with `dynamic` workflows (Default Setup, Code Quality, ...).
-
-Products:
-
- **Code Scanning** - The changes impact analyses when `analysis-kinds: code-scanning`.
- **Code Quality** - The changes impact analyses when `analysis-kinds: code-quality`.
- **Other first-party** - The changes impact other first-party analyses.
- **Third-party analyses** - The changes affect the `upload-sarif` action.
-
-Environments:
-
- **Dotcom** - Impacts CodeQL workflows on `github.com` and/or GitHub Enterprise Cloud with Data Residency.
- **GHES** - Impacts CodeQL workflows on GitHub Enterprise Server.
- **Testing/None** - This change does not impact any CodeQL workflows in production.
-
-#### How did/will you validate this change?
-
-<!-- Delete options that don't apply. -->
-
- **Test repository** - This change will be tested on a test repository before merging.
- **Unit tests** - I am depending on unit test coverage (i.e. tests in `.test.ts` files).
- **End-to-end tests** - I am depending on PR checks (i.e. tests in `pr-checks`).
- **Other** - Please provide details.
- **None** - I am not validating these changes.
-
-#### If something goes wrong after this change is released, what are the mitigation and rollback strategies?
-
-<!-- Delete strategies that don't apply. -->
-
- **Feature flags** - All new or changed code paths can be fully disabled with corresponding feature flags.
- **Rollback** - Change can only be disabled by rolling back the release or releasing a new version with a fix.
- **Development/testing only** - This change cannot cause any failures in production.
- **Other** - Please provide details.
-
-#### How will you know if something goes wrong after this change is released?
-
-<!-- Delete options that don't apply. -->
-
- **Telemetry** - I rely on existing telemetry or have made changes to the telemetry.
-    - **Dashboards** - I will watch relevant dashboards for issues after the release. Consider whether this requires this change to be released at a particular time rather than as part of a regular release.
-    - **Alerts** - New or existing monitors will trip if something goes wrong with this change.
- **Other** - Please provide details.
-
-#### Are there any special considerations for merging or releasing this change?
-
-<!--
-    Consider whether this change depends on a different change in another repository that should be released first.
-->
-
- **No special considerations** - This change can be merged at any time.
- **Special considerations** - This change should only be merged once certain preconditions are met. Please provide details of those or link to this PR from an internal issue.
-
 ### Merge / deployment checklist

 - Confirm this change is backwards compatible with existing workflows.
@@ -0,0 +1 @@
+OLDEST_SUPPORTED_MAJOR_VERSION=3
@@ -1,55 +0,0 @@
-labeling:
-  applyCategoryLabels: true
-  categoryLabelPrefix: "size/"
-
-commenting:
-  addCommentWhenScoreThresholdHasBeenExceeded: false
-
-sizeup:
-  categories:
-    - name: extra small
-      lte: 25
-      label:
-        name: XS
-        description: Should be very easy to review
-        color: 3cbf00
-    - name: small
-      lte: 100
-      label:
-        name: S
-        description: Should be easy to review
-        color: 5d9801
-    - name: medium
-      lte: 250
-      label:
-        name: M
-        description: Should be of average difficulty to review
-        color: 7f7203
-    - name: large
-      lte: 500
-      label:
-        name: L
-        description: May be hard to review
-        color: a14c05
-    - name: extra large
-      lte: 1000
-      label:
-        name: XL
-        description: May be very hard to review
-        color: c32607
-    - name: extra extra large
-      label:
-        name: XXL
-        description: May be extremely hard to review
-        color: e50009
-  ignoredFilePatterns:
-    - ".github/workflows/__*"
-    - "lib/**/*"
-    - "package-lock.json"
-  testFilePatterns:
-    - "**/*.test.ts"
-  scoring:
-    # This formula and the aliases below it are written in prefix notation.
-    # For an explanation of how this works, please see:
-    # https://github.com/lerebear/sizeup-core/blob/main/README.md#prefix-notation
-    formula: "- - + additions deletions comments whitespace"
@@ -71,9 +71,8 @@ def open_pr(
    body.append('')
    body.append('Contains the following pull requests:')
    for pr in pull_requests:
-      # Use PR author if they are GitHub staff, otherwise use the merger
-      display_user = get_pr_author_if_staff(pr) or get_merger_of_pr(repo, pr)
-      body.append(f'- #{pr.number} (@{display_user})')
+      merger = get_merger_of_pr(repo, pr)
+      body.append(f'- #{pr.number} (@{merger})')

  # List all commits not part of a PR
  if len(commits_without_pull_requests) > 0:
@@ -169,14 +168,6 @@ def get_pr_for_commit(commit):
 def get_merger_of_pr(repo, pr):
  return repo.get_commit(pr.merge_commit_sha).author.login

-# Get the PR author if they are GitHub staff, otherwise None.
-def get_pr_author_if_staff(pr):
-  if pr.user is None:
-    return None
-  if getattr(pr.user, 'site_admin', False):
-    return pr.user.login
-  return None
-
 def get_current_version():
  with open('package.json', 'r') as f:
    return json.load(f)['version']
@@ -190,9 +181,9 @@ def replace_version_package_json(prev_version, new_version):
      print(line.replace(prev_version, new_version), end='')
    else:
      prev_line_is_codeql = False
-      print(line, end='')
+      print(line, end='') 
    if '\"name\": \"codeql\",' in line:
-        prev_line_is_codeql = True
+        prev_line_is_codeql = True 

 def get_today_string():
  today = datetime.datetime.today()
@@ -380,10 +371,10 @@ def main():
      # releases.
      run_git('revert', vOlder_update_commits[0], '--no-edit')

-      # Also revert the "Rebuild" commit created by Actions.
-      rebuild_commit = run_git('log', '--grep', '^Rebuild$', '--format=%H').split()[0]
-      print(f'  Reverting {rebuild_commit}')
-      run_git('revert', rebuild_commit, '--no-edit')
+      # Also revert the "Update checked-in dependencies" commit created by Actions.
+      update_dependencies_commit = run_git('log', '--grep', '^Update checked-in dependencies', '--format=%H').split()[0]
+      print(f'  Reverting {update_dependencies_commit}')
+      run_git('revert', update_dependencies_commit, '--no-edit')

    else:
      print('  Nothing to revert.')
@@ -18,18 +18,10 @@ on:
      - synchronize
      - reopened
      - ready_for_review
-  merge_group:
-    types:
-      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
    inputs:
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
      go-version:
        type: string
        description: The version of Go to install
@@ -37,11 +29,6 @@ on:
        default: '>=1.21.0'
  workflow_call:
    inputs:
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
      go-version:
        type: string
        description: The version of Go to install
@@ -50,9 +37,6 @@ on:
 defaults:
  run:
    shell: bash
-concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: all-platform-bundle-${{github.ref}}-${{inputs.dotnet-version}}-${{inputs.go-version}}
 jobs:
  all-platform-bundle:
    strategy:
@@ -61,12 +45,7 @@ jobs:
        include:
          - os: ubuntu-latest
            version: nightly-latest
-          - os: macos-latest
-            version: nightly-latest
-          - os: windows-latest
-            version: nightly-latest
    name: All-platform bundle
-    if: github.triggering_actor != 'dependabot[bot]'
    permissions:
      contents: read
      security-events: read
@@ -74,16 +53,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v6
-      - name: Install .NET
-        uses: actions/setup-dotnet@v5
-        with:
-          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
-      - name: Install Go
-        uses: actions/setup-go@v6
-        with:
-          go-version: ${{ inputs.go-version || '>=1.21.0' }}
-          cache: false
+        uses: actions/checkout@v5
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -91,10 +61,15 @@ jobs:
          version: ${{ matrix.version }}
          use-all-platform-bundle: 'true'
          setup-kotlin: 'true'
+      - name: Install Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: ${{ inputs.go-version || '>=1.21.0' }}
+          cache: false
      - id: init
        uses: ./../action/init
        with:
-          # Swift is not supported on Ubuntu so we manually exclude it from the list here
+      # Swift is not supported on Ubuntu so we manually exclude it from the list here
          languages: cpp,csharp,go,java,javascript,python,ruby
          tools: ${{ steps.prepare-test.outputs.tools-url }}
      - name: Build code
@@ -18,18 +18,10 @@ on:
      - synchronize
      - reopened
      - ready_for_review
-  merge_group:
-    types:
-      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
    inputs:
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
      go-version:
        type: string
        description: The version of Go to install
@@ -37,11 +29,6 @@ on:
        default: '>=1.21.0'
  workflow_call:
    inputs:
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
      go-version:
        type: string
        description: The version of Go to install
@@ -50,9 +37,6 @@ on:
 defaults:
  run:
    shell: bash
-concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: analyze-ref-input-${{github.ref}}-${{inputs.dotnet-version}}-${{inputs.go-version}}
 jobs:
  analyze-ref-input:
    strategy:
@@ -61,8 +45,11 @@ jobs:
        include:
          - os: ubuntu-latest
            version: default
+          - os: macos-latest
+            version: default
+          - os: windows-latest
+            version: default
    name: "Analyze: 'ref' and 'sha' from inputs"
-    if: github.triggering_actor != 'dependabot[bot]'
    permissions:
      contents: read
      security-events: read
@@ -70,16 +57,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v6
-      - name: Install .NET
-        uses: actions/setup-dotnet@v5
-        with:
-          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
-      - name: Install Go
-        uses: actions/setup-go@v6
-        with:
-          go-version: ${{ inputs.go-version || '>=1.21.0' }}
-          cache: false
+        uses: actions/checkout@v5
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -87,16 +65,22 @@ jobs:
          version: ${{ matrix.version }}
          use-all-platform-bundle: 'false'
          setup-kotlin: 'true'
+      - name: Install Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: ${{ inputs.go-version || '>=1.21.0' }}
+          cache: false
      - uses: ./../action/init
        with:
          tools: ${{ steps.prepare-test.outputs.tools-url }}
          languages: cpp,csharp,java,javascript,python
-          config-file: ${{ github.repository }}/tests/multi-language-repo/.github/codeql/custom-queries.yml@${{ github.sha }}
+          config-file: ${{ github.repository }}/tests/multi-language-repo/.github/codeql/custom-queries.yml@${{
+            github.sha }}
      - name: Build code
        run: ./build.sh
      - uses: ./../action/analyze
        with:
-          ref: 'refs/heads/main'
-          sha: '5e235361806c361d4d3f8859e3c897658025a9a2'
+          ref: refs/heads/main
+          sha: 5e235361806c361d4d3f8859e3c897658025a9a2
    env:
      CODEQL_ACTION_TEST_MODE: true
@@ -18,31 +18,15 @@ on:
      - synchronize
      - reopened
      - ready_for_review
-  merge_group:
-    types:
-      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
-    inputs:
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
+    inputs: {}
  workflow_call:
-    inputs:
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
+    inputs: {}
 defaults:
  run:
    shell: bash
-concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: autobuild-action-${{github.ref}}-${{inputs.dotnet-version}}
 jobs:
  autobuild-action:
    strategy:
@@ -56,7 +40,6 @@ jobs:
          - os: windows-latest
            version: linked
    name: autobuild-action
-    if: github.triggering_actor != 'dependabot[bot]'
    permissions:
      contents: read
      security-events: read
@@ -64,11 +47,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v6
-      - name: Install .NET
-        uses: actions/setup-dotnet@v5
-        with:
-          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
+        uses: actions/checkout@v5
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -82,7 +61,7 @@ jobs:
          tools: ${{ steps.prepare-test.outputs.tools-url }}
      - uses: ./../action/autobuild
        env:
-          # Explicitly disable the CLR tracer.
+      # Explicitly disable the CLR tracer.
          COR_ENABLE_PROFILING: ''
          COR_PROFILER: ''
          COR_PROFILER_PATH_64: ''
@@ -18,9 +18,6 @@ on:
      - synchronize
      - reopened
      - ready_for_review
-  merge_group:
-    types:
-      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -40,9 +37,6 @@ on:
 defaults:
  run:
    shell: bash
-concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: autobuild-direct-tracing-with-working-dir-${{github.ref}}-${{inputs.java-version}}
 jobs:
  autobuild-direct-tracing-with-working-dir:
    strategy:
@@ -58,7 +52,6 @@ jobs:
          - os: windows-latest
            version: nightly-latest
    name: Autobuild direct tracing (custom working directory)
-    if: github.triggering_actor != 'dependabot[bot]'
    permissions:
      contents: read
      security-events: read
@@ -66,12 +59,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v6
-      - name: Install Java
-        uses: actions/setup-java@v5
-        with:
-          java-version: ${{ inputs.java-version || '17' }}
-          distribution: temurin
+        uses: actions/checkout@v5
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -79,6 +67,11 @@ jobs:
          version: ${{ matrix.version }}
          use-all-platform-bundle: 'false'
          setup-kotlin: 'true'
+      - name: Install Java
+        uses: actions/setup-java@v5
+        with:
+          java-version: ${{ inputs.java-version || '17' }}
+          distribution: temurin
      - name: Test setup
        run: |
          # Make sure that Gradle build succeeds in autobuild-dir ...
@@ -0,0 +1,100 @@
+# Warning: This file is generated automatically, and should not be modified.
+# Instead, please modify the template in the pr-checks directory and run:
+#     pr-checks/sync.sh
+# to regenerate this file.
+
+name: PR Check - Autobuild direct tracing
+env:
+  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+  GO111MODULE: auto
+on:
+  push:
+    branches:
+      - main
+      - releases/v*
+  pull_request:
+    types:
+      - opened
+      - synchronize
+      - reopened
+      - ready_for_review
+  schedule:
+    - cron: '0 5 * * *'
+  workflow_dispatch:
+    inputs:
+      java-version:
+        type: string
+        description: The version of Java to install
+        required: false
+        default: '17'
+  workflow_call:
+    inputs:
+      java-version:
+        type: string
+        description: The version of Java to install
+        required: false
+        default: '17'
+defaults:
+  run:
+    shell: bash
+jobs:
+  autobuild-direct-tracing:
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - os: ubuntu-latest
+            version: linked
+          - os: windows-latest
+            version: linked
+          - os: ubuntu-latest
+            version: nightly-latest
+          - os: windows-latest
+            version: nightly-latest
+    name: Autobuild direct tracing
+    permissions:
+      contents: read
+      security-events: read
+    timeout-minutes: 45
+    runs-on: ${{ matrix.os }}
+    steps:
+      - name: Check out repository
+        uses: actions/checkout@v5
+      - name: Prepare test
+        id: prepare-test
+        uses: ./.github/actions/prepare-test
+        with:
+          version: ${{ matrix.version }}
+          use-all-platform-bundle: 'false'
+          setup-kotlin: 'true'
+      - name: Install Java
+        uses: actions/setup-java@v5
+        with:
+          java-version: ${{ inputs.java-version || '17' }}
+          distribution: temurin
+      - name: Set up Java test repo configuration
+        run: |
+          mv * .github ../action/tests/multi-language-repo/
+          mv ../action/tests/multi-language-repo/.github/workflows .github
+          mv ../action/tests/java-repo/* .
+
+      - uses: ./../action/init
+        id: init
+        with:
+          build-mode: autobuild
+          db-location: ${{ runner.temp }}/customDbLocation
+          languages: java
+          tools: ${{ steps.prepare-test.outputs.tools-url }}
+
+      - name: Check that indirect tracing is disabled
+        run: |
+          if [[ ! -z "${CODEQL_RUNNER}" ]]; then
+            echo "Expected indirect tracing to be disabled, but the" \
+              "CODEQL_RUNNER environment variable is set."
+            exit 1
+          fi
+
+      - uses: ./../action/analyze
+    env:
+      CODEQL_ACTION_AUTOBUILD_BUILD_MODE_DIRECT_TRACING: true
+      CODEQL_ACTION_TEST_MODE: true
@@ -18,31 +18,15 @@ on:
      - synchronize
      - reopened
      - ready_for_review
-  merge_group:
-    types:
-      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
-    inputs:
-      java-version:
-        type: string
-        description: The version of Java to install
-        required: false
-        default: '17'
+    inputs: {}
  workflow_call:
-    inputs:
-      java-version:
-        type: string
-        description: The version of Java to install
-        required: false
-        default: '17'
+    inputs: {}
 defaults:
  run:
    shell: bash
-concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: build-mode-autobuild-${{github.ref}}-${{inputs.java-version}}
 jobs:
  build-mode-autobuild:
    strategy:
@@ -50,15 +34,8 @@ jobs:
      matrix:
        include:
          - os: ubuntu-latest
-            version: linked
-          - os: windows-latest
-            version: linked
-          - os: ubuntu-latest
-            version: nightly-latest
-          - os: windows-latest
            version: nightly-latest
    name: Build mode autobuild
-    if: github.triggering_actor != 'dependabot[bot]'
    permissions:
      contents: read
      security-events: read
@@ -66,20 +43,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v6
-      - name: Install Java
-        uses: actions/setup-java@v5
-        with:
-          java-version: ${{ inputs.java-version || '17' }}
-          distribution: temurin
-      - name: Install yq
-        if: runner.os == 'Windows'
-        env:
-          YQ_PATH: ${{ runner.temp }}/yq
-          YQ_VERSION: v4.50.1
-        run: |-
-          gh release download --repo mikefarah/yq --pattern "yq_windows_amd64.exe" "$YQ_VERSION" -O "$YQ_PATH/yq.exe"
-          echo "$YQ_PATH" >> "$GITHUB_PATH"
+        uses: actions/checkout@v5
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -97,7 +61,7 @@ jobs:
        id: init
        with:
          build-mode: autobuild
-          db-location: '${{ runner.temp }}/customDbLocation'
+          db-location: ${{ runner.temp }}/customDbLocation
          languages: java
          tools: ${{ steps.prepare-test.outputs.tools-url }}

@@ -110,14 +74,6 @@ jobs:
            exit 1
          fi

-      - name: Check that indirect tracing is disabled
-        run: |
-          if [[ ! -z "${CODEQL_RUNNER}" ]]; then
-            echo "Expected indirect tracing to be disabled, but the" \
-              "CODEQL_RUNNER environment variable is set."
-            exit 1
-          fi
-
      - uses: ./../action/analyze
    env:
      CODEQL_ACTION_TEST_MODE: true
@@ -18,18 +18,10 @@ on:
      - synchronize
      - reopened
      - ready_for_review
-  merge_group:
-    types:
-      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
    inputs:
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
      go-version:
        type: string
        description: The version of Go to install
@@ -37,11 +29,6 @@ on:
        default: '>=1.21.0'
  workflow_call:
    inputs:
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
      go-version:
        type: string
        description: The version of Go to install
@@ -50,9 +37,6 @@ on:
 defaults:
  run:
    shell: bash
-concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: build-mode-manual-${{github.ref}}-${{inputs.dotnet-version}}-${{inputs.go-version}}
 jobs:
  build-mode-manual:
    strategy:
@@ -62,7 +46,6 @@ jobs:
          - os: ubuntu-latest
            version: nightly-latest
    name: Build mode manual
-    if: github.triggering_actor != 'dependabot[bot]'
    permissions:
      contents: read
      security-events: read
@@ -70,16 +53,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v6
-      - name: Install .NET
-        uses: actions/setup-dotnet@v5
-        with:
-          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
-      - name: Install Go
-        uses: actions/setup-go@v6
-        with:
-          go-version: ${{ inputs.go-version || '>=1.21.0' }}
-          cache: false
+        uses: actions/checkout@v5
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -87,11 +61,16 @@ jobs:
          version: ${{ matrix.version }}
          use-all-platform-bundle: 'false'
          setup-kotlin: 'true'
+      - name: Install Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: ${{ inputs.go-version || '>=1.21.0' }}
+          cache: false
      - uses: ./../action/init
        id: init
        with:
          build-mode: manual
-          db-location: '${{ runner.temp }}/customDbLocation'
+          db-location: ${{ runner.temp }}/customDbLocation
          languages: java
          tools: ${{ steps.prepare-test.outputs.tools-url }}

@@ -18,9 +18,6 @@ on:
      - synchronize
      - reopened
      - ready_for_review
-  merge_group:
-    types:
-      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -30,9 +27,6 @@ on:
 defaults:
  run:
    shell: bash
-concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: build-mode-none-${{github.ref}}
 jobs:
  build-mode-none:
    strategy:
@@ -44,7 +38,6 @@ jobs:
          - os: ubuntu-latest
            version: nightly-latest
    name: Build mode none
-    if: github.triggering_actor != 'dependabot[bot]'
    permissions:
      contents: read
      security-events: read
@@ -52,7 +45,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@v5
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -64,7 +57,7 @@ jobs:
        id: init
        with:
          build-mode: none
-          db-location: '${{ runner.temp }}/customDbLocation'
+          db-location: ${{ runner.temp }}/customDbLocation
          languages: java
          tools: ${{ steps.prepare-test.outputs.tools-url }}

@@ -77,7 +70,7 @@ jobs:
            exit 1
          fi

-      # The latest nightly supports omitting the autobuild Action when the build mode is specified.
+  # The latest nightly supports omitting the autobuild Action when the build mode is specified.
      - uses: ./../action/autobuild
        if: matrix.version != 'nightly-latest'

@@ -18,9 +18,6 @@ on:
      - synchronize
      - reopened
      - ready_for_review
-  merge_group:
-    types:
-      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -30,9 +27,6 @@ on:
 defaults:
  run:
    shell: bash
-concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: build-mode-rollback-${{github.ref}}
 jobs:
  build-mode-rollback:
    strategy:
@@ -42,7 +36,6 @@ jobs:
          - os: ubuntu-latest
            version: nightly-latest
    name: Build mode rollback
-    if: github.triggering_actor != 'dependabot[bot]'
    permissions:
      contents: read
      security-events: read
@@ -50,7 +43,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@v5
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -68,7 +61,7 @@ jobs:
        id: init
        with:
          build-mode: none
-          db-location: '${{ runner.temp }}/customDbLocation'
+          db-location: ${{ runner.temp }}/customDbLocation
          languages: java
          tools: ${{ steps.prepare-test.outputs.tools-url }}

@@ -1,72 +0,0 @@
-# Warning: This file is generated automatically, and should not be modified.
-# Instead, please modify the template in the pr-checks directory and run:
-#     pr-checks/sync.sh
-# to regenerate this file.
-
-name: 'PR Check - Bundle: From nightly'
-env:
-  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-  GO111MODULE: auto
-on:
-  push:
-    branches:
-      - main
-      - releases/v*
-  pull_request:
-    types:
-      - opened
-      - synchronize
-      - reopened
-      - ready_for_review
-  merge_group:
-    types:
-      - checks_requested
-  schedule:
-    - cron: '0 5 * * *'
-  workflow_dispatch:
-    inputs: {}
-  workflow_call:
-    inputs: {}
-defaults:
-  run:
-    shell: bash
-concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: bundle-from-nightly-${{github.ref}}
-jobs:
-  bundle-from-nightly:
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - os: ubuntu-latest
-            version: linked
-    name: 'Bundle: From nightly'
-    if: github.triggering_actor != 'dependabot[bot]'
-    permissions:
-      contents: read
-      security-events: read
-    timeout-minutes: 45
-    runs-on: ${{ matrix.os }}
-    steps:
-      - name: Check out repository
-        uses: actions/checkout@v6
-      - name: Prepare test
-        id: prepare-test
-        uses: ./.github/actions/prepare-test
-        with:
-          version: ${{ matrix.version }}
-          use-all-platform-bundle: 'false'
-          setup-kotlin: 'true'
-      - id: init
-        uses: ./../action/init
-        env:
-          CODEQL_ACTION_FORCE_NIGHTLY: true
-        with:
-          tools: ${{ steps.prepare-test.outputs.tools-url }}
-          languages: javascript
-      - name: Fail if the CodeQL version is not a nightly
-        if: ${{ !contains(steps.init.outputs.codeql-version, '+') }}
-        run: exit 1
-    env:
-      CODEQL_ACTION_TEST_MODE: true
@@ -1,88 +0,0 @@
-# Warning: This file is generated automatically, and should not be modified.
-# Instead, please modify the template in the pr-checks directory and run:
-#     pr-checks/sync.sh
-# to regenerate this file.
-
-name: 'PR Check - Bundle: From toolcache'
-env:
-  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-  GO111MODULE: auto
-on:
-  push:
-    branches:
-      - main
-      - releases/v*
-  pull_request:
-    types:
-      - opened
-      - synchronize
-      - reopened
-      - ready_for_review
-  merge_group:
-    types:
-      - checks_requested
-  schedule:
-    - cron: '0 5 * * *'
-  workflow_dispatch:
-    inputs: {}
-  workflow_call:
-    inputs: {}
-defaults:
-  run:
-    shell: bash
-concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: bundle-from-toolcache-${{github.ref}}
-jobs:
-  bundle-from-toolcache:
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - os: ubuntu-latest
-            version: toolcache
-    name: 'Bundle: From toolcache'
-    if: github.triggering_actor != 'dependabot[bot]'
-    permissions:
-      contents: read
-      security-events: read
-    timeout-minutes: 45
-    runs-on: ${{ matrix.os }}
-    steps:
-      - name: Check out repository
-        uses: actions/checkout@v6
-      - name: Prepare test
-        id: prepare-test
-        uses: ./.github/actions/prepare-test
-        with:
-          version: ${{ matrix.version }}
-          use-all-platform-bundle: 'false'
-          setup-kotlin: 'true'
-      - name: Install @actions/tool-cache
-        run: npm install @actions/tool-cache@3
-      - name: Check toolcache contains CodeQL
-        continue-on-error: true
-        uses: actions/github-script@v8
-        with:
-          script: |
-            const toolcache = require('@actions/tool-cache');
-            const allCodeqlVersions = toolcache.findAllVersions('CodeQL');
-            if (allCodeqlVersions.length === 0) {
-              throw new Error(`CodeQL could not be found in the toolcache`);
-            }
-      - id: setup-codeql
-        uses: ./../action/setup-codeql
-        with:
-          tools: ${{ steps.prepare-test.outputs.tools-url }}
-      - name: Check CodeQL is installed within the toolcache
-        uses: actions/github-script@v8
-        with:
-          script: |
-            const toolcache = require('@actions/tool-cache');
-            const allCodeqlVersions = toolcache.findAllVersions('CodeQL');
-            console.log(`Found CodeQL versions: ${allCodeqlVersions}`);
-            if (allCodeqlVersions.length === 0) {
-              throw new Error('CodeQL not found in toolcache');
-            }
-    env:
-      CODEQL_ACTION_TEST_MODE: true
@@ -18,9 +18,6 @@ on:
      - synchronize
      - reopened
      - ready_for_review
-  merge_group:
-    types:
-      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -30,23 +27,19 @@ on:
 defaults:
  run:
    shell: bash
-concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: bundle-toolcache-${{github.ref}}
 jobs:
  bundle-toolcache:
    strategy:
      fail-fast: false
      matrix:
        include:
-          - os: ubuntu-latest
-            version: linked
          - os: macos-latest
            version: linked
+          - os: ubuntu-latest
+            version: linked
          - os: windows-latest
            version: linked
    name: 'Bundle: Caching checks'
-    if: github.triggering_actor != 'dependabot[bot]'
    permissions:
      contents: read
      security-events: read
@@ -54,7 +47,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@v5
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -63,7 +56,7 @@ jobs:
          use-all-platform-bundle: 'false'
          setup-kotlin: 'true'
      - name: Remove CodeQL from toolcache
-        uses: actions/github-script@v8
+        uses: actions/github-script@v7
        with:
          script: |
            const fs = require('fs');
@@ -71,9 +64,9 @@ jobs:
            const codeqlPath = path.join(process.env['RUNNER_TOOL_CACHE'], 'CodeQL');
            fs.rmdirSync(codeqlPath, { recursive: true });
      - name: Install @actions/tool-cache
-        run: npm install @actions/tool-cache@3
+        run: npm install @actions/tool-cache
      - name: Check toolcache does not contain CodeQL
-        uses: actions/github-script@v8
+        uses: actions/github-script@v7
        with:
          script: |
            const toolcache = require('@actions/tool-cache');
@@ -92,7 +85,7 @@ jobs:
          output: ${{ runner.temp }}/results
          upload-database: false
      - name: Check CodeQL is installed within the toolcache
-        uses: actions/github-script@v8
+        uses: actions/github-script@v7
        with:
          script: |
            const toolcache = require('@actions/tool-cache');
@@ -18,9 +18,6 @@ on:
      - synchronize
      - reopened
      - ready_for_review
-  merge_group:
-    types:
-      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -30,23 +27,19 @@ on:
 defaults:
  run:
    shell: bash
-concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: bundle-zstd-${{github.ref}}
 jobs:
  bundle-zstd:
    strategy:
      fail-fast: false
      matrix:
        include:
-          - os: ubuntu-latest
-            version: linked
          - os: macos-latest
            version: linked
+          - os: ubuntu-latest
+            version: linked
          - os: windows-latest
            version: linked
    name: 'Bundle: Zstandard checks'
-    if: github.triggering_actor != 'dependabot[bot]'
    permissions:
      contents: read
      security-events: read
@@ -54,7 +47,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@v5
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -63,7 +56,7 @@ jobs:
          use-all-platform-bundle: 'false'
          setup-kotlin: 'true'
      - name: Remove CodeQL from toolcache
-        uses: actions/github-script@v8
+        uses: actions/github-script@v7
        with:
          script: |
            const fs = require('fs');
@@ -82,13 +75,13 @@ jobs:
          output: ${{ runner.temp }}/results
          upload-database: false
      - name: Upload SARIF
-        uses: actions/upload-artifact@v7
+        uses: actions/upload-artifact@v4
        with:
          name: ${{ matrix.os }}-zstd-bundle.sarif
          path: ${{ runner.temp }}/results/javascript.sarif
          retention-days: 7
      - name: Check diagnostic with expected tools URL appears in SARIF
-        uses: actions/github-script@v8
+        uses: actions/github-script@v7
        env:
          SARIF_PATH: ${{ runner.temp }}/results/javascript.sarif
        with:
@@ -18,9 +18,6 @@ on:
      - synchronize
      - reopened
      - ready_for_review
-  merge_group:
-    types:
-      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -30,9 +27,6 @@ on:
 defaults:
  run:
    shell: bash
-concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: cleanup-db-cluster-dir-${{github.ref}}
 jobs:
  cleanup-db-cluster-dir:
    strategy:
@@ -42,7 +36,6 @@ jobs:
          - os: ubuntu-latest
            version: linked
    name: Clean up database cluster directory
-    if: github.triggering_actor != 'dependabot[bot]'
    permissions:
      contents: read
      security-events: read
@@ -50,7 +43,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@v5
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -67,7 +60,7 @@ jobs:
        id: init
        with:
          build-mode: none
-          db-location: '${{ runner.temp }}/customDbLocation'
+          db-location: ${{ runner.temp }}/customDbLocation
          languages: javascript
          tools: ${{ steps.prepare-test.outputs.tools-url }}

@@ -18,9 +18,6 @@ on:
      - synchronize
      - reopened
      - ready_for_review
-  merge_group:
-    types:
-      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -30,9 +27,6 @@ on:
 defaults:
  run:
    shell: bash
-concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: config-export-${{github.ref}}
 jobs:
  config-export:
    strategy:
@@ -41,10 +35,17 @@ jobs:
        include:
          - os: ubuntu-latest
            version: linked
+          - os: macos-latest
+            version: linked
+          - os: windows-latest
+            version: linked
          - os: ubuntu-latest
            version: nightly-latest
+          - os: macos-latest
+            version: nightly-latest
+          - os: windows-latest
+            version: nightly-latest
    name: Config export
-    if: github.triggering_actor != 'dependabot[bot]'
    permissions:
      contents: read
      security-events: read
@@ -52,7 +53,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@v5
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -67,18 +68,18 @@ jobs:
          tools: ${{ steps.prepare-test.outputs.tools-url }}
      - uses: ./../action/analyze
        with:
-          output: '${{ runner.temp }}/results'
+          output: ${{ runner.temp }}/results
          upload-database: false
      - name: Upload SARIF
-        uses: actions/upload-artifact@v7
+        uses: actions/upload-artifact@v4
        with:
          name: config-export-${{ matrix.os }}-${{ matrix.version }}.sarif.json
-          path: '${{ runner.temp }}/results/javascript.sarif'
+          path: ${{ runner.temp }}/results/javascript.sarif
          retention-days: 7
      - name: Check config properties appear in SARIF
-        uses: actions/github-script@v8
+        uses: actions/github-script@v7
        env:
-          SARIF_PATH: '${{ runner.temp }}/results/javascript.sarif'
+          SARIF_PATH: ${{ runner.temp }}/results/javascript.sarif
        with:
          script: |
            const fs = require('fs');
@@ -18,9 +18,6 @@ on:
      - synchronize
      - reopened
      - ready_for_review
-  merge_group:
-    types:
-      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -30,9 +27,6 @@ on:
 defaults:
  run:
    shell: bash
-concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: config-input-${{github.ref}}
 jobs:
  config-input:
    strategy:
@@ -42,7 +36,6 @@ jobs:
          - os: ubuntu-latest
            version: linked
    name: Config input
-    if: github.triggering_actor != 'dependabot[bot]'
    permissions:
      contents: read
      security-events: read
@@ -50,9 +43,9 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@v5
      - name: Install Node.js
-        uses: actions/setup-node@v6
+        uses: actions/setup-node@v4
        with:
          node-version: 20.x
          cache: npm
@@ -18,9 +18,6 @@ on:
      - synchronize
      - reopened
      - ready_for_review
-  merge_group:
-    types:
-      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -30,9 +27,6 @@ on:
 defaults:
  run:
    shell: bash
-concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: cpp-deptrace-disabled-${{github.ref}}
 jobs:
  cpp-deptrace-disabled:
    strategy:
@@ -46,7 +40,6 @@ jobs:
          - os: ubuntu-latest
            version: nightly-latest
    name: 'C/C++: disabling autoinstalling dependencies (Linux)'
-    if: github.triggering_actor != 'dependabot[bot]'
    permissions:
      contents: read
      security-events: read
@@ -54,7 +47,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@v5
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -18,9 +18,6 @@ on:
      - synchronize
      - reopened
      - ready_for_review
-  merge_group:
-    types:
-      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -30,9 +27,6 @@ on:
 defaults:
  run:
    shell: bash
-concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: cpp-deptrace-enabled-on-macos-${{github.ref}}
 jobs:
  cpp-deptrace-enabled-on-macos:
    strategy:
@@ -44,7 +38,6 @@ jobs:
          - os: macos-latest
            version: nightly-latest
    name: 'C/C++: autoinstalling dependencies is skipped (macOS)'
-    if: github.triggering_actor != 'dependabot[bot]'
    permissions:
      contents: read
      security-events: read
@@ -52,7 +45,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@v5
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -18,9 +18,6 @@ on:
      - synchronize
      - reopened
      - ready_for_review
-  merge_group:
-    types:
-      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -30,9 +27,6 @@ on:
 defaults:
  run:
    shell: bash
-concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: cpp-deptrace-enabled-${{github.ref}}
 jobs:
  cpp-deptrace-enabled:
    strategy:
@@ -46,7 +40,6 @@ jobs:
          - os: ubuntu-latest
            version: nightly-latest
    name: 'C/C++: autoinstalling dependencies (Linux)'
-    if: github.triggering_actor != 'dependabot[bot]'
    permissions:
      contents: read
      security-events: read
@@ -54,7 +47,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@v5
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -18,9 +18,6 @@ on:
      - synchronize
      - reopened
      - ready_for_review
-  merge_group:
-    types:
-      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -30,9 +27,6 @@ on:
 defaults:
  run:
    shell: bash
-concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: diagnostics-export-${{github.ref}}
 jobs:
  diagnostics-export:
    strategy:
@@ -41,10 +35,17 @@ jobs:
        include:
          - os: ubuntu-latest
            version: linked
+          - os: macos-latest
+            version: linked
+          - os: windows-latest
+            version: linked
          - os: ubuntu-latest
            version: nightly-latest
+          - os: macos-latest
+            version: nightly-latest
+          - os: windows-latest
+            version: nightly-latest
    name: Diagnostic export
-    if: github.triggering_actor != 'dependabot[bot]'
    permissions:
      contents: read
      security-events: read
@@ -52,7 +53,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@v5
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -78,18 +79,18 @@ jobs:
            --ready-for-status-page
      - uses: ./../action/analyze
        with:
-          output: '${{ runner.temp }}/results'
+          output: ${{ runner.temp }}/results
          upload-database: false
      - name: Upload SARIF
-        uses: actions/upload-artifact@v7
+        uses: actions/upload-artifact@v4
        with:
          name: diagnostics-export-${{ matrix.os }}-${{ matrix.version }}.sarif.json
-          path: '${{ runner.temp }}/results/javascript.sarif'
+          path: ${{ runner.temp }}/results/javascript.sarif
          retention-days: 7
      - name: Check diagnostics appear in SARIF
-        uses: actions/github-script@v8
+        uses: actions/github-script@v7
        env:
-          SARIF_PATH: '${{ runner.temp }}/results/javascript.sarif'
+          SARIF_PATH: ${{ runner.temp }}/results/javascript.sarif
        with:
          script: |
            const fs = require('fs');
@@ -18,18 +18,10 @@ on:
      - synchronize
      - reopened
      - ready_for_review
-  merge_group:
-    types:
-      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
    inputs:
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
      go-version:
        type: string
        description: The version of Go to install
@@ -37,11 +29,6 @@ on:
        default: '>=1.21.0'
  workflow_call:
    inputs:
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
      go-version:
        type: string
        description: The version of Go to install
@@ -50,9 +37,6 @@ on:
 defaults:
  run:
    shell: bash
-concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: export-file-baseline-information-${{github.ref}}-${{inputs.dotnet-version}}-${{inputs.go-version}}
 jobs:
  export-file-baseline-information:
    strategy:
@@ -66,7 +50,6 @@ jobs:
          - os: windows-latest
            version: nightly-latest
    name: Export file baseline information
-    if: github.triggering_actor != 'dependabot[bot]'
    permissions:
      contents: read
      security-events: read
@@ -74,16 +57,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v6
-      - name: Install .NET
-        uses: actions/setup-dotnet@v5
-        with:
-          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
-      - name: Install Go
-        uses: actions/setup-go@v6
-        with:
-          go-version: ${{ inputs.go-version || '>=1.21.0' }}
-          cache: false
+        uses: actions/checkout@v5
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -91,6 +65,11 @@ jobs:
          version: ${{ matrix.version }}
          use-all-platform-bundle: 'false'
          setup-kotlin: 'true'
+      - name: Install Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: ${{ inputs.go-version || '>=1.21.0' }}
+          cache: false
      - uses: ./../action/init
        id: init
        with:
@@ -100,12 +79,12 @@ jobs:
        run: ./build.sh
      - uses: ./../action/analyze
        with:
-          output: '${{ runner.temp }}/results'
+          output: ${{ runner.temp }}/results
      - name: Upload SARIF
-        uses: actions/upload-artifact@v7
+        uses: actions/upload-artifact@v4
        with:
          name: with-baseline-information-${{ matrix.os }}-${{ matrix.version }}.sarif.json
-          path: '${{ runner.temp }}/results/javascript.sarif'
+          path: ${{ runner.temp }}/results/javascript.sarif
          retention-days: 7
      - name: Check results
        run: |
@@ -127,6 +106,5 @@ jobs:
            fi
          done
    env:
-      CODEQL_ACTION_SKIP_FILE_COVERAGE_ON_PRS: false
      CODEQL_ACTION_SUBLANGUAGE_FILE_COVERAGE: true
      CODEQL_ACTION_TEST_MODE: true
@@ -18,9 +18,6 @@ on:
      - synchronize
      - reopened
      - ready_for_review
-  merge_group:
-    types:
-      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -30,9 +27,6 @@ on:
 defaults:
  run:
    shell: bash
-concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: extractor-ram-threads-${{github.ref}}
 jobs:
  extractor-ram-threads:
    strategy:
@@ -42,7 +36,6 @@ jobs:
          - os: ubuntu-latest
            version: linked
    name: Extractor ram and threads options test
-    if: github.triggering_actor != 'dependabot[bot]'
    permissions:
      contents: read
      security-events: read
@@ -50,7 +43,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@v5
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -18,18 +18,10 @@ on:
      - synchronize
      - reopened
      - ready_for_review
-  merge_group:
-    types:
-      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
    inputs:
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
      go-version:
        type: string
        description: The version of Go to install
@@ -37,11 +29,6 @@ on:
        default: '>=1.21.0'
  workflow_call:
    inputs:
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
      go-version:
        type: string
        description: The version of Go to install
@@ -50,9 +37,6 @@ on:
 defaults:
  run:
    shell: bash
-concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: go-custom-queries-${{github.ref}}-${{inputs.dotnet-version}}-${{inputs.go-version}}
 jobs:
  go-custom-queries:
    strategy:
@@ -64,7 +48,6 @@ jobs:
          - os: ubuntu-latest
            version: nightly-latest
    name: 'Go: Custom queries'
-    if: github.triggering_actor != 'dependabot[bot]'
    permissions:
      contents: read
      security-events: read
@@ -72,16 +55,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v6
-      - name: Install .NET
-        uses: actions/setup-dotnet@v5
-        with:
-          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
-      - name: Install Go
-        uses: actions/setup-go@v6
-        with:
-          go-version: ${{ inputs.go-version || '>=1.21.0' }}
-          cache: false
+        uses: actions/checkout@v5
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -89,6 +63,11 @@ jobs:
          version: ${{ matrix.version }}
          use-all-platform-bundle: 'false'
          setup-kotlin: 'true'
+      - name: Install Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: ${{ inputs.go-version || '>=1.21.0' }}
+          cache: false
      - uses: ./../action/init
        with:
          languages: go
@@ -18,9 +18,6 @@ on:
      - synchronize
      - reopened
      - ready_for_review
-  merge_group:
-    types:
-      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -40,9 +37,6 @@ on:
 defaults:
  run:
    shell: bash
-concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: go-indirect-tracing-workaround-diagnostic-${{github.ref}}-${{inputs.go-version}}
 jobs:
  go-indirect-tracing-workaround-diagnostic:
    strategy:
@@ -52,7 +46,6 @@ jobs:
          - os: ubuntu-latest
            version: default
    name: 'Go: diagnostic when Go is changed after init step'
-    if: github.triggering_actor != 'dependabot[bot]'
    permissions:
      contents: read
      security-events: read
@@ -60,12 +53,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v6
-      - name: Install Go
-        uses: actions/setup-go@v6
-        with:
-          go-version: ${{ inputs.go-version || '>=1.21.0' }}
-          cache: false
+        uses: actions/checkout@v5
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -73,24 +61,29 @@ jobs:
          version: ${{ matrix.version }}
          use-all-platform-bundle: 'false'
          setup-kotlin: 'true'
+      - name: Install Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: ${{ inputs.go-version || '>=1.21.0' }}
+          cache: false
      - uses: ./../action/init
        with:
          languages: go
          tools: ${{ steps.prepare-test.outputs.tools-url }}
-      # Deliberately change Go after the `init` step
-      - uses: actions/setup-go@v6
+  # Deliberately change Go after the `init` step
+      - uses: actions/setup-go@v5
        with:
          go-version: '1.20'
      - name: Build code
        run: go build main.go
      - uses: ./../action/analyze
        with:
-          output: '${{ runner.temp }}/results'
+          output: ${{ runner.temp }}/results
          upload-database: false
      - name: Check diagnostic appears in SARIF
-        uses: actions/github-script@v8
+        uses: actions/github-script@v7
        env:
-          SARIF_PATH: '${{ runner.temp }}/results/go.sarif'
+          SARIF_PATH: ${{ runner.temp }}/results/go.sarif
        with:
          script: |
            const fs = require('fs');
@@ -18,9 +18,6 @@ on:
      - synchronize
      - reopened
      - ready_for_review
-  merge_group:
-    types:
-      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -40,9 +37,6 @@ on:
 defaults:
  run:
    shell: bash
-concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: go-indirect-tracing-workaround-no-file-program-${{github.ref}}-${{inputs.go-version}}
 jobs:
  go-indirect-tracing-workaround-no-file-program:
    strategy:
@@ -52,7 +46,6 @@ jobs:
          - os: ubuntu-latest
            version: default
    name: 'Go: diagnostic when `file` is not installed'
-    if: github.triggering_actor != 'dependabot[bot]'
    permissions:
      contents: read
      security-events: read
@@ -60,12 +53,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v6
-      - name: Install Go
-        uses: actions/setup-go@v6
-        with:
-          go-version: ${{ inputs.go-version || '>=1.21.0' }}
-          cache: false
+        uses: actions/checkout@v5
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -73,6 +61,11 @@ jobs:
          version: ${{ matrix.version }}
          use-all-platform-bundle: 'false'
          setup-kotlin: 'true'
+      - name: Install Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: ${{ inputs.go-version || '>=1.21.0' }}
+          cache: false
      - name: Remove `file` program
        run: |
          echo $(which file)
@@ -86,12 +79,12 @@ jobs:
        run: go build main.go
      - uses: ./../action/analyze
        with:
-          output: '${{ runner.temp }}/results'
+          output: ${{ runner.temp }}/results
          upload-database: false
      - name: Check diagnostic appears in SARIF
-        uses: actions/github-script@v8
+        uses: actions/github-script@v7
        env:
-          SARIF_PATH: '${{ runner.temp }}/results/go.sarif'
+          SARIF_PATH: ${{ runner.temp }}/results/go.sarif
        with:
          script: |
            const fs = require('fs');
@@ -18,9 +18,6 @@ on:
      - synchronize
      - reopened
      - ready_for_review
-  merge_group:
-    types:
-      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -40,9 +37,6 @@ on:
 defaults:
  run:
    shell: bash
-concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: go-indirect-tracing-workaround-${{github.ref}}-${{inputs.go-version}}
 jobs:
  go-indirect-tracing-workaround:
    strategy:
@@ -52,7 +46,6 @@ jobs:
          - os: ubuntu-latest
            version: default
    name: 'Go: workaround for indirect tracing'
-    if: github.triggering_actor != 'dependabot[bot]'
    permissions:
      contents: read
      security-events: read
@@ -60,12 +53,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v6
-      - name: Install Go
-        uses: actions/setup-go@v6
-        with:
-          go-version: ${{ inputs.go-version || '>=1.21.0' }}
-          cache: false
+        uses: actions/checkout@v5
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -73,6 +61,11 @@ jobs:
          version: ${{ matrix.version }}
          use-all-platform-bundle: 'false'
          setup-kotlin: 'true'
+      - name: Install Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: ${{ inputs.go-version || '>=1.21.0' }}
+          cache: false
      - uses: ./../action/init
        with:
          languages: go
@@ -18,9 +18,6 @@ on:
      - synchronize
      - reopened
      - ready_for_review
-  merge_group:
-    types:
-      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -40,9 +37,6 @@ on:
 defaults:
  run:
    shell: bash
-concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: go-tracing-autobuilder-${{github.ref}}-${{inputs.go-version}}
 jobs:
  go-tracing-autobuilder:
    strategy:
@@ -51,17 +45,27 @@ jobs:
        include:
          - os: ubuntu-latest
            version: stable-v2.17.6
+          - os: macos-latest
+            version: stable-v2.17.6
          - os: ubuntu-latest
            version: stable-v2.18.4
+          - os: macos-latest
+            version: stable-v2.18.4
          - os: ubuntu-latest
            version: stable-v2.19.4
+          - os: macos-latest
+            version: stable-v2.19.4
          - os: ubuntu-latest
            version: stable-v2.20.7
+          - os: macos-latest
+            version: stable-v2.20.7
          - os: ubuntu-latest
            version: stable-v2.21.4
+          - os: macos-latest
+            version: stable-v2.21.4
          - os: ubuntu-latest
-            version: stable-v2.22.4
-          - os: ubuntu-latest
+            version: default
+          - os: macos-latest
            version: default
          - os: ubuntu-latest
            version: linked
@@ -72,7 +76,6 @@ jobs:
          - os: macos-latest
            version: nightly-latest
    name: 'Go: tracing with autobuilder step'
-    if: github.triggering_actor != 'dependabot[bot]'
    permissions:
      contents: read
      security-events: read
@@ -80,12 +83,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v6
-      - name: Install Go
-        uses: actions/setup-go@v6
-        with:
-          go-version: ${{ inputs.go-version || '>=1.21.0' }}
-          cache: false
+        uses: actions/checkout@v5
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -93,6 +91,11 @@ jobs:
          version: ${{ matrix.version }}
          use-all-platform-bundle: 'false'
          setup-kotlin: 'true'
+      - name: Install Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: ${{ inputs.go-version || '>=1.21.0' }}
+          cache: false
      - uses: ./../action/init
        with:
          languages: go
@@ -18,9 +18,6 @@ on:
      - synchronize
      - reopened
      - ready_for_review
-  merge_group:
-    types:
-      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -40,9 +37,6 @@ on:
 defaults:
  run:
    shell: bash
-concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: go-tracing-custom-build-steps-${{github.ref}}-${{inputs.go-version}}
 jobs:
  go-tracing-custom-build-steps:
    strategy:
@@ -51,17 +45,27 @@ jobs:
        include:
          - os: ubuntu-latest
            version: stable-v2.17.6
+          - os: macos-latest
+            version: stable-v2.17.6
          - os: ubuntu-latest
            version: stable-v2.18.4
+          - os: macos-latest
+            version: stable-v2.18.4
          - os: ubuntu-latest
            version: stable-v2.19.4
+          - os: macos-latest
+            version: stable-v2.19.4
          - os: ubuntu-latest
            version: stable-v2.20.7
+          - os: macos-latest
+            version: stable-v2.20.7
          - os: ubuntu-latest
            version: stable-v2.21.4
+          - os: macos-latest
+            version: stable-v2.21.4
          - os: ubuntu-latest
-            version: stable-v2.22.4
-          - os: ubuntu-latest
+            version: default
+          - os: macos-latest
            version: default
          - os: ubuntu-latest
            version: linked
@@ -72,7 +76,6 @@ jobs:
          - os: macos-latest
            version: nightly-latest
    name: 'Go: tracing with custom build steps'
-    if: github.triggering_actor != 'dependabot[bot]'
    permissions:
      contents: read
      security-events: read
@@ -80,12 +83,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v6
-      - name: Install Go
-        uses: actions/setup-go@v6
-        with:
-          go-version: ${{ inputs.go-version || '>=1.21.0' }}
-          cache: false
+        uses: actions/checkout@v5
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -93,6 +91,11 @@ jobs:
          version: ${{ matrix.version }}
          use-all-platform-bundle: 'false'
          setup-kotlin: 'true'
+      - name: Install Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: ${{ inputs.go-version || '>=1.21.0' }}
+          cache: false
      - uses: ./../action/init
        with:
          languages: go
@@ -18,9 +18,6 @@ on:
      - synchronize
      - reopened
      - ready_for_review
-  merge_group:
-    types:
-      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -40,9 +37,6 @@ on:
 defaults:
  run:
    shell: bash
-concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: go-tracing-legacy-workflow-${{github.ref}}-${{inputs.go-version}}
 jobs:
  go-tracing-legacy-workflow:
    strategy:
@@ -51,17 +45,27 @@ jobs:
        include:
          - os: ubuntu-latest
            version: stable-v2.17.6
+          - os: macos-latest
+            version: stable-v2.17.6
          - os: ubuntu-latest
            version: stable-v2.18.4
+          - os: macos-latest
+            version: stable-v2.18.4
          - os: ubuntu-latest
            version: stable-v2.19.4
+          - os: macos-latest
+            version: stable-v2.19.4
          - os: ubuntu-latest
            version: stable-v2.20.7
+          - os: macos-latest
+            version: stable-v2.20.7
          - os: ubuntu-latest
            version: stable-v2.21.4
+          - os: macos-latest
+            version: stable-v2.21.4
          - os: ubuntu-latest
-            version: stable-v2.22.4
-          - os: ubuntu-latest
+            version: default
+          - os: macos-latest
            version: default
          - os: ubuntu-latest
            version: linked
@@ -72,7 +76,6 @@ jobs:
          - os: macos-latest
            version: nightly-latest
    name: 'Go: tracing with legacy workflow'
-    if: github.triggering_actor != 'dependabot[bot]'
    permissions:
      contents: read
      security-events: read
@@ -80,12 +83,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v6
-      - name: Install Go
-        uses: actions/setup-go@v6
-        with:
-          go-version: ${{ inputs.go-version || '>=1.21.0' }}
-          cache: false
+        uses: actions/checkout@v5
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -93,6 +91,11 @@ jobs:
          version: ${{ matrix.version }}
          use-all-platform-bundle: 'false'
          setup-kotlin: 'true'
+      - name: Install Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: ${{ inputs.go-version || '>=1.21.0' }}
+          cache: false
      - uses: ./../action/init
        with:
          languages: go
@@ -8,13 +8,11 @@ env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  GO111MODULE: auto
 on:
+  push:
+    paths:
+      - .github/workflows/__go.yml
  workflow_dispatch:
    inputs:
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
      go-version:
        type: string
        description: The version of Go to install
@@ -28,7 +26,6 @@ jobs:
      security-events: read
    uses: ./.github/workflows/__go-custom-queries.yml
    with:
-      dotnet-version: ${{ inputs.dotnet-version }}
      go-version: ${{ inputs.go-version }}
  go-indirect-tracing-workaround-diagnostic:
    name: 'Go: diagnostic when Go is changed after init step'
@@ -18,9 +18,6 @@ on:
      - synchronize
      - reopened
      - ready_for_review
-  merge_group:
-    types:
-      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -30,9 +27,6 @@ on:
 defaults:
  run:
    shell: bash
-concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: init-with-registries-${{github.ref}}
 jobs:
  init-with-registries:
    strategy:
@@ -41,20 +35,32 @@ jobs:
        include:
          - os: ubuntu-latest
            version: default
+          - os: macos-latest
+            version: default
+          - os: windows-latest
+            version: default
          - os: ubuntu-latest
            version: linked
+          - os: macos-latest
+            version: linked
+          - os: windows-latest
+            version: linked
          - os: ubuntu-latest
            version: nightly-latest
+          - os: macos-latest
+            version: nightly-latest
+          - os: windows-latest
+            version: nightly-latest
    name: 'Packaging: Download using registries'
-    if: github.triggering_actor != 'dependabot[bot]'
    permissions:
      contents: read
      packages: read
+
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@v5
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -65,7 +71,7 @@ jobs:
      - name: Init with registries
        uses: ./../action/init
        with:
-          db-location: '${{ runner.temp }}/customDbLocation'
+          db-location: ${{ runner.temp }}/customDbLocation
          tools: ${{ steps.prepare-test.outputs.tools-url }}
          config-file: ./.github/codeql/codeql-config-registries.yml
          languages: javascript
@@ -108,6 +114,8 @@ jobs:
          fi

      - name: Verify contents of qlconfig.yml
+    # yq is not available on windows
+        if: runner.os != 'Windows'
        run: |
          QLCONFIG_PATH=$RUNNER_TEMP/qlconfig.yml
          cat $QLCONFIG_PATH | yq -e '.registries[] | select(.url == "https://ghcr.io/v2/") | select(.packages == "*/*")'
@@ -18,9 +18,6 @@ on:
      - synchronize
      - reopened
      - ready_for_review
-  merge_group:
-    types:
-      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -30,9 +27,6 @@ on:
 defaults:
  run:
    shell: bash
-concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: javascript-source-root-${{github.ref}}
 jobs:
  javascript-source-root:
    strategy:
@@ -46,7 +40,6 @@ jobs:
          - os: ubuntu-latest
            version: nightly-latest
    name: Custom source root
-    if: github.triggering_actor != 'dependabot[bot]'
    permissions:
      contents: read
      security-events: read
@@ -54,7 +47,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@v5
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -18,9 +18,6 @@ on:
      - synchronize
      - reopened
      - ready_for_review
-  merge_group:
-    types:
-      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -30,9 +27,6 @@ on:
 defaults:
  run:
    shell: bash
-concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: job-run-uuid-sarif-${{github.ref}}
 jobs:
  job-run-uuid-sarif:
    strategy:
@@ -42,7 +36,6 @@ jobs:
          - os: ubuntu-latest
            version: nightly-latest
    name: Job run UUID added to SARIF
-    if: github.triggering_actor != 'dependabot[bot]'
    permissions:
      contents: read
      security-events: read
@@ -50,7 +43,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@v5
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -65,12 +58,12 @@ jobs:
          tools: ${{ steps.prepare-test.outputs.tools-url }}
      - uses: ./../action/analyze
        with:
-          output: '${{ runner.temp }}/results'
+          output: ${{ runner.temp }}/results
      - name: Upload SARIF
-        uses: actions/upload-artifact@v7
+        uses: actions/upload-artifact@v4
        with:
          name: ${{ matrix.os }}-${{ matrix.version }}.sarif.json
-          path: '${{ runner.temp }}/results/javascript.sarif'
+          path: ${{ runner.temp }}/results/javascript.sarif
          retention-days: 7
      - name: Check results
        run: |
@@ -18,9 +18,6 @@ on:
      - synchronize
      - reopened
      - ready_for_review
-  merge_group:
-    types:
-      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -30,9 +27,6 @@ on:
 defaults:
  run:
    shell: bash
-concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: language-aliases-${{github.ref}}
 jobs:
  language-aliases:
    strategy:
@@ -42,7 +36,6 @@ jobs:
          - os: ubuntu-latest
            version: linked
    name: Language aliases
-    if: github.triggering_actor != 'dependabot[bot]'
    permissions:
      contents: read
      security-events: read
@@ -50,7 +43,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@v5
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -63,7 +56,7 @@ jobs:
          languages: C#,java-kotlin,swift,typescript
          tools: ${{ steps.prepare-test.outputs.tools-url }}

-      - name: 'Check languages'
+      - name: Check languages
        run: |
          expected_languages="csharp,java,swift,javascript"
          actual_languages=$(jq -r '.languages | join(",")' "$RUNNER_TEMP"/config)
@@ -18,18 +18,10 @@ on:
      - synchronize
      - reopened
      - ready_for_review
-  merge_group:
-    types:
-      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
    inputs:
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
      go-version:
        type: string
        description: The version of Go to install
@@ -37,11 +29,6 @@ on:
        default: '>=1.21.0'
  workflow_call:
    inputs:
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
      go-version:
        type: string
        description: The version of Go to install
@@ -50,53 +37,45 @@ on:
 defaults:
  run:
    shell: bash
-concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: multi-language-autodetect-${{github.ref}}-${{inputs.dotnet-version}}-${{inputs.go-version}}
 jobs:
  multi-language-autodetect:
    strategy:
      fail-fast: false
      matrix:
        include:
-          - os: ubuntu-latest
-            version: stable-v2.17.6
          - os: macos-latest
            version: stable-v2.17.6
          - os: ubuntu-latest
-            version: stable-v2.18.4
+            version: stable-v2.17.6
          - os: macos-latest
            version: stable-v2.18.4
          - os: ubuntu-latest
-            version: stable-v2.19.4
+            version: stable-v2.18.4
          - os: macos-latest
            version: stable-v2.19.4
          - os: ubuntu-latest
-            version: stable-v2.20.7
+            version: stable-v2.19.4
          - os: macos-latest
            version: stable-v2.20.7
          - os: ubuntu-latest
-            version: stable-v2.21.4
+            version: stable-v2.20.7
          - os: macos-latest
            version: stable-v2.21.4
          - os: ubuntu-latest
-            version: stable-v2.22.4
-          - os: macos-latest
-            version: stable-v2.22.4
-          - os: ubuntu-latest
-            version: default
+            version: stable-v2.21.4
          - os: macos-latest
            version: default
          - os: ubuntu-latest
-            version: linked
+            version: default
          - os: macos-latest
            version: linked
          - os: ubuntu-latest
+            version: linked
+          - os: macos-latest
            version: nightly-latest
-          - os: macos-latest
+          - os: ubuntu-latest
            version: nightly-latest
    name: Multi-language repository
-    if: github.triggering_actor != 'dependabot[bot]'
    permissions:
      contents: read
      security-events: read
@@ -104,16 +83,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v6
-      - name: Install .NET
-        uses: actions/setup-dotnet@v5
-        with:
-          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
-      - name: Install Go
-        uses: actions/setup-go@v6
-        with:
-          go-version: ${{ inputs.go-version || '>=1.21.0' }}
-          cache: false
+        uses: actions/checkout@v5
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -121,14 +91,11 @@ jobs:
          version: ${{ matrix.version }}
          use-all-platform-bundle: 'false'
          setup-kotlin: 'true'
-      - name: Install Python 3.13 for older CLI versions
-        # We need Python 3.13 for older CLI versions because they are not compatible with Python 3.14 or newer.
-        # See https://github.com/github/codeql-action/pull/3212
-        if: matrix.version != 'nightly-latest' && matrix.version != 'linked'
-        uses: actions/setup-python@v6
+      - name: Install Go
+        uses: actions/setup-go@v5
        with:
-          python-version: '3.13'
-
+          go-version: ${{ inputs.go-version || '>=1.21.0' }}
+          cache: false
      - name: Use Xcode 16
        if: runner.os == 'macOS' && matrix.version != 'nightly-latest'
        run: sudo xcode-select -s "/Applications/Xcode_16.app"
@@ -136,8 +103,9 @@ jobs:
      - uses: ./../action/init
        id: init
        with:
-          db-location: '${{ runner.temp }}/customDbLocation'
-          languages: ${{ runner.os == 'Linux' && 'cpp,csharp,go,java,javascript,python,ruby' || '' }}
+          db-location: ${{ runner.temp }}/customDbLocation
+          languages: ${{ runner.os == 'Linux' && 'cpp,csharp,go,java,javascript,python,ruby'
+            || '' }}
          tools: ${{ steps.prepare-test.outputs.tools-url }}

      - name: Build code
@@ -18,9 +18,6 @@ on:
      - synchronize
      - reopened
      - ready_for_review
-  merge_group:
-    types:
-      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -30,9 +27,6 @@ on:
 defaults:
  run:
    shell: bash
-concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: overlay-init-fallback-${{github.ref}}
 jobs:
  overlay-init-fallback:
    strategy:
@@ -44,7 +38,6 @@ jobs:
          - os: ubuntu-latest
            version: nightly-latest
    name: Overlay database init fallback
-    if: github.triggering_actor != 'dependabot[bot]'
    permissions:
      contents: read
      security-events: read
@@ -52,7 +45,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@v5
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -18,18 +18,10 @@ on:
      - synchronize
      - reopened
      - ready_for_review
-  merge_group:
-    types:
-      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
    inputs:
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
      go-version:
        type: string
        description: The version of Go to install
@@ -37,11 +29,6 @@ on:
        default: '>=1.21.0'
  workflow_call:
    inputs:
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
      go-version:
        type: string
        description: The version of Go to install
@@ -50,9 +37,6 @@ on:
 defaults:
  run:
    shell: bash
-concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: packaging-codescanning-config-inputs-js-${{github.ref}}-${{inputs.dotnet-version}}-${{inputs.go-version}}
 jobs:
  packaging-codescanning-config-inputs-js:
    strategy:
@@ -61,12 +45,23 @@ jobs:
        include:
          - os: ubuntu-latest
            version: linked
+          - os: macos-latest
+            version: linked
+          - os: windows-latest
+            version: linked
          - os: ubuntu-latest
            version: default
+          - os: macos-latest
+            version: default
+          - os: windows-latest
+            version: default
          - os: ubuntu-latest
            version: nightly-latest
+          - os: macos-latest
+            version: nightly-latest
+          - os: windows-latest
+            version: nightly-latest
    name: 'Packaging: Config and input passed to the CLI'
-    if: github.triggering_actor != 'dependabot[bot]'
    permissions:
      contents: read
      security-events: read
@@ -74,18 +69,9 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v6
-      - name: Install .NET
-        uses: actions/setup-dotnet@v5
-        with:
-          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
-      - name: Install Go
-        uses: actions/setup-go@v6
-        with:
-          go-version: ${{ inputs.go-version || '>=1.21.0' }}
-          cache: false
+        uses: actions/checkout@v5
      - name: Install Node.js
-        uses: actions/setup-node@v6
+        uses: actions/setup-node@v4
        with:
          node-version: 20.x
          cache: npm
@@ -98,9 +84,14 @@ jobs:
          version: ${{ matrix.version }}
          use-all-platform-bundle: 'false'
          setup-kotlin: 'true'
+      - name: Install Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: ${{ inputs.go-version || '>=1.21.0' }}
+          cache: false
      - uses: ./../action/init
        with:
-          config-file: '.github/codeql/codeql-config-packaging3.yml'
+          config-file: .github/codeql/codeql-config-packaging3.yml
          packs: +codeql-testing/codeql-pack1@1.0.0
          languages: javascript
          tools: ${{ steps.prepare-test.outputs.tools-url }}
@@ -108,14 +99,15 @@ jobs:
        run: ./build.sh
      - uses: ./../action/analyze
        with:
-          output: '${{ runner.temp }}/results'
+          output: ${{ runner.temp }}/results
          upload-database: false

      - name: Check results
        uses: ./../action/.github/actions/check-sarif
        with:
          sarif-file: ${{ runner.temp }}/results/javascript.sarif
-          queries-run: javascript/example/empty-or-one-block,javascript/example/empty-or-one-block,javascript/example/other-query-block,javascript/example/two-block
+          queries-run:
+            javascript/example/empty-or-one-block,javascript/example/empty-or-one-block,javascript/example/other-query-block,javascript/example/two-block
          queries-not-run: foo,bar

      - name: Assert Results
@@ -18,18 +18,10 @@ on:
      - synchronize
      - reopened
      - ready_for_review
-  merge_group:
-    types:
-      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
    inputs:
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
      go-version:
        type: string
        description: The version of Go to install
@@ -37,11 +29,6 @@ on:
        default: '>=1.21.0'
  workflow_call:
    inputs:
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
      go-version:
        type: string
        description: The version of Go to install
@@ -50,9 +37,6 @@ on:
 defaults:
  run:
    shell: bash
-concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: packaging-config-inputs-js-${{github.ref}}-${{inputs.dotnet-version}}-${{inputs.go-version}}
 jobs:
  packaging-config-inputs-js:
    strategy:
@@ -61,12 +45,23 @@ jobs:
        include:
          - os: ubuntu-latest
            version: linked
+          - os: macos-latest
+            version: linked
+          - os: windows-latest
+            version: linked
          - os: ubuntu-latest
            version: default
+          - os: macos-latest
+            version: default
+          - os: windows-latest
+            version: default
          - os: ubuntu-latest
            version: nightly-latest
+          - os: macos-latest
+            version: nightly-latest
+          - os: windows-latest
+            version: nightly-latest
    name: 'Packaging: Config and input'
-    if: github.triggering_actor != 'dependabot[bot]'
    permissions:
      contents: read
      security-events: read
@@ -74,18 +69,9 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v6
-      - name: Install .NET
-        uses: actions/setup-dotnet@v5
-        with:
-          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
-      - name: Install Go
-        uses: actions/setup-go@v6
-        with:
-          go-version: ${{ inputs.go-version || '>=1.21.0' }}
-          cache: false
+        uses: actions/checkout@v5
      - name: Install Node.js
-        uses: actions/setup-node@v6
+        uses: actions/setup-node@v4
        with:
          node-version: 20.x
          cache: npm
@@ -98,9 +84,14 @@ jobs:
          version: ${{ matrix.version }}
          use-all-platform-bundle: 'false'
          setup-kotlin: 'true'
+      - name: Install Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: ${{ inputs.go-version || '>=1.21.0' }}
+          cache: false
      - uses: ./../action/init
        with:
-          config-file: '.github/codeql/codeql-config-packaging3.yml'
+          config-file: .github/codeql/codeql-config-packaging3.yml
          packs: +codeql-testing/codeql-pack1@1.0.0
          languages: javascript
          tools: ${{ steps.prepare-test.outputs.tools-url }}
@@ -108,14 +99,15 @@ jobs:
        run: ./build.sh
      - uses: ./../action/analyze
        with:
-          output: '${{ runner.temp }}/results'
+          output: ${{ runner.temp }}/results
          upload-database: false

      - name: Check results
        uses: ./../action/.github/actions/check-sarif
        with:
          sarif-file: ${{ runner.temp }}/results/javascript.sarif
-          queries-run: javascript/example/empty-or-one-block,javascript/example/empty-or-one-block,javascript/example/other-query-block,javascript/example/two-block
+          queries-run:
+            javascript/example/empty-or-one-block,javascript/example/empty-or-one-block,javascript/example/other-query-block,javascript/example/two-block
          queries-not-run: foo,bar

      - name: Assert Results
@@ -18,18 +18,10 @@ on:
      - synchronize
      - reopened
      - ready_for_review
-  merge_group:
-    types:
-      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
    inputs:
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
      go-version:
        type: string
        description: The version of Go to install
@@ -37,11 +29,6 @@ on:
        default: '>=1.21.0'
  workflow_call:
    inputs:
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
      go-version:
        type: string
        description: The version of Go to install
@@ -50,9 +37,6 @@ on:
 defaults:
  run:
    shell: bash
-concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: packaging-config-js-${{github.ref}}-${{inputs.dotnet-version}}-${{inputs.go-version}}
 jobs:
  packaging-config-js:
    strategy:
@@ -61,12 +45,23 @@ jobs:
        include:
          - os: ubuntu-latest
            version: linked
+          - os: macos-latest
+            version: linked
+          - os: windows-latest
+            version: linked
          - os: ubuntu-latest
            version: default
+          - os: macos-latest
+            version: default
+          - os: windows-latest
+            version: default
          - os: ubuntu-latest
            version: nightly-latest
+          - os: macos-latest
+            version: nightly-latest
+          - os: windows-latest
+            version: nightly-latest
    name: 'Packaging: Config file'
-    if: github.triggering_actor != 'dependabot[bot]'
    permissions:
      contents: read
      security-events: read
@@ -74,18 +69,9 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v6
-      - name: Install .NET
-        uses: actions/setup-dotnet@v5
-        with:
-          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
-      - name: Install Go
-        uses: actions/setup-go@v6
-        with:
-          go-version: ${{ inputs.go-version || '>=1.21.0' }}
-          cache: false
+        uses: actions/checkout@v5
      - name: Install Node.js
-        uses: actions/setup-node@v6
+        uses: actions/setup-node@v4
        with:
          node-version: 20.x
          cache: npm
@@ -98,23 +84,29 @@ jobs:
          version: ${{ matrix.version }}
          use-all-platform-bundle: 'false'
          setup-kotlin: 'true'
+      - name: Install Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: ${{ inputs.go-version || '>=1.21.0' }}
+          cache: false
      - uses: ./../action/init
        with:
-          config-file: '.github/codeql/codeql-config-packaging.yml'
+          config-file: .github/codeql/codeql-config-packaging.yml
          languages: javascript
          tools: ${{ steps.prepare-test.outputs.tools-url }}
      - name: Build code
        run: ./build.sh
      - uses: ./../action/analyze
        with:
-          output: '${{ runner.temp }}/results'
+          output: ${{ runner.temp }}/results
          upload-database: false

      - name: Check results
        uses: ./../action/.github/actions/check-sarif
        with:
          sarif-file: ${{ runner.temp }}/results/javascript.sarif
-          queries-run: javascript/example/empty-or-one-block,javascript/example/empty-or-one-block,javascript/example/other-query-block,javascript/example/two-block
+          queries-run:
+            javascript/example/empty-or-one-block,javascript/example/empty-or-one-block,javascript/example/other-query-block,javascript/example/two-block
          queries-not-run: foo,bar

      - name: Assert Results
@@ -18,18 +18,10 @@ on:
      - synchronize
      - reopened
      - ready_for_review
-  merge_group:
-    types:
-      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
    inputs:
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
      go-version:
        type: string
        description: The version of Go to install
@@ -37,11 +29,6 @@ on:
        default: '>=1.21.0'
  workflow_call:
    inputs:
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
      go-version:
        type: string
        description: The version of Go to install
@@ -50,9 +37,6 @@ on:
 defaults:
  run:
    shell: bash
-concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: packaging-inputs-js-${{github.ref}}-${{inputs.dotnet-version}}-${{inputs.go-version}}
 jobs:
  packaging-inputs-js:
    strategy:
@@ -61,12 +45,23 @@ jobs:
        include:
          - os: ubuntu-latest
            version: linked
+          - os: macos-latest
+            version: linked
+          - os: windows-latest
+            version: linked
          - os: ubuntu-latest
            version: default
+          - os: macos-latest
+            version: default
+          - os: windows-latest
+            version: default
          - os: ubuntu-latest
            version: nightly-latest
+          - os: macos-latest
+            version: nightly-latest
+          - os: windows-latest
+            version: nightly-latest
    name: 'Packaging: Action input'
-    if: github.triggering_actor != 'dependabot[bot]'
    permissions:
      contents: read
      security-events: read
@@ -74,18 +69,9 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v6
-      - name: Install .NET
-        uses: actions/setup-dotnet@v5
-        with:
-          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
-      - name: Install Go
-        uses: actions/setup-go@v6
-        with:
-          go-version: ${{ inputs.go-version || '>=1.21.0' }}
-          cache: false
+        uses: actions/checkout@v5
      - name: Install Node.js
-        uses: actions/setup-node@v6
+        uses: actions/setup-node@v4
        with:
          node-version: 20.x
          cache: npm
@@ -98,9 +84,14 @@ jobs:
          version: ${{ matrix.version }}
          use-all-platform-bundle: 'false'
          setup-kotlin: 'true'
+      - name: Install Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: ${{ inputs.go-version || '>=1.21.0' }}
+          cache: false
      - uses: ./../action/init
        with:
-          config-file: '.github/codeql/codeql-config-packaging2.yml'
+          config-file: .github/codeql/codeql-config-packaging2.yml
          languages: javascript
          packs: codeql-testing/codeql-pack1@1.0.0, codeql-testing/codeql-pack2, codeql-testing/codeql-pack3:other-query.ql
          tools: ${{ steps.prepare-test.outputs.tools-url }}
@@ -108,13 +99,14 @@ jobs:
        run: ./build.sh
      - uses: ./../action/analyze
        with:
-          output: '${{ runner.temp }}/results'
+          output: ${{ runner.temp }}/results

      - name: Check results
        uses: ./../action/.github/actions/check-sarif
        with:
          sarif-file: ${{ runner.temp }}/results/javascript.sarif
-          queries-run: javascript/example/empty-or-one-block,javascript/example/empty-or-one-block,javascript/example/other-query-block,javascript/example/two-block
+          queries-run:
+            javascript/example/empty-or-one-block,javascript/example/empty-or-one-block,javascript/example/other-query-block,javascript/example/two-block
          queries-not-run: foo,bar

      - name: Assert Results
@@ -3,7 +3,7 @@
 #     pr-checks/sync.sh
 # to regenerate this file.

-name: PR Check - Analysis kinds
+name: PR Check - Quality queries input
 env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  GO111MODULE: auto
@@ -18,9 +18,6 @@ on:
      - synchronize
      - reopened
      - ready_for_review
-  merge_group:
-    types:
-      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -30,11 +27,8 @@ on:
 defaults:
  run:
    shell: bash
-concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: analysis-kinds-${{github.ref}}
 jobs:
-  analysis-kinds:
+  quality-queries:
    strategy:
      fail-fast: false
      matrix:
@@ -48,9 +42,24 @@ jobs:
          - os: ubuntu-latest
            version: linked
            analysis-kinds: code-scanning,code-quality
-          - os: ubuntu-latest
+          - os: macos-latest
            version: linked
-            analysis-kinds: risk-assessment
+            analysis-kinds: code-scanning
+          - os: macos-latest
+            version: linked
+            analysis-kinds: code-quality
+          - os: macos-latest
+            version: linked
+            analysis-kinds: code-scanning,code-quality
+          - os: windows-latest
+            version: linked
+            analysis-kinds: code-scanning
+          - os: windows-latest
+            version: linked
+            analysis-kinds: code-quality
+          - os: windows-latest
+            version: linked
+            analysis-kinds: code-scanning,code-quality
          - os: ubuntu-latest
            version: nightly-latest
            analysis-kinds: code-scanning
@@ -60,11 +69,25 @@ jobs:
          - os: ubuntu-latest
            version: nightly-latest
            analysis-kinds: code-scanning,code-quality
-          - os: ubuntu-latest
+          - os: macos-latest
            version: nightly-latest
-            analysis-kinds: risk-assessment
-    name: Analysis kinds
-    if: github.triggering_actor != 'dependabot[bot]'
+            analysis-kinds: code-scanning
+          - os: macos-latest
+            version: nightly-latest
+            analysis-kinds: code-quality
+          - os: macos-latest
+            version: nightly-latest
+            analysis-kinds: code-scanning,code-quality
+          - os: windows-latest
+            version: nightly-latest
+            analysis-kinds: code-scanning
+          - os: windows-latest
+            version: nightly-latest
+            analysis-kinds: code-quality
+          - os: windows-latest
+            version: nightly-latest
+            analysis-kinds: code-scanning,code-quality
+    name: Quality queries input
    permissions:
      contents: read
      security-events: read
@@ -72,7 +95,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@v5
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -87,45 +110,41 @@ jobs:
          tools: ${{ steps.prepare-test.outputs.tools-url }}
      - uses: ./../action/analyze
        with:
-          output: '${{ runner.temp }}/results'
+          output: ${{ runner.temp }}/results
          upload-database: false
-          post-processed-sarif-path: '${{ runner.temp }}/post-processed'
-
-      - name: Upload SARIF files
-        uses: actions/upload-artifact@v7
+      - name: Upload security SARIF
+        if: contains(matrix.analysis-kinds, 'code-scanning')
+        uses: actions/upload-artifact@v4
        with:
          name: |
-            analysis-kinds-${{ matrix.os }}-${{ matrix.version }}-${{ matrix.analysis-kinds }}
-          path: '${{ runner.temp }}/results/*.sarif'
+            quality-queries-${{ matrix.os }}-${{ matrix.version }}-${{ matrix.analysis-kinds }}.sarif.json
+          path: ${{ runner.temp }}/results/javascript.sarif
          retention-days: 7
-
-      - name: Upload post-processed SARIF
-        uses: actions/upload-artifact@v7
+      - name: Upload quality SARIF
+        if: contains(matrix.analysis-kinds, 'code-quality')
+        uses: actions/upload-artifact@v4
        with:
          name: |
-            post-processed-${{ matrix.os }}-${{ matrix.version }}-${{ matrix.analysis-kinds }}
-          path: '${{ runner.temp }}/post-processed'
+            quality-queries-${{ matrix.os }}-${{ matrix.version }}-${{ matrix.analysis-kinds }}.quality.sarif.json
+          path: ${{ runner.temp }}/results/javascript.quality.sarif
          retention-days: 7
-          if-no-files-found: error
-
      - name: Check quality query does not appear in security SARIF
        if: contains(matrix.analysis-kinds, 'code-scanning')
-        uses: actions/github-script@v8
+        uses: actions/github-script@v7
        env:
-          SARIF_PATH: '${{ runner.temp }}/results/javascript.sarif'
+          SARIF_PATH: ${{ runner.temp }}/results/javascript.sarif
          EXPECT_PRESENT: 'false'
        with:
          script: ${{ env.CHECK_SCRIPT }}
      - name: Check quality query appears in quality SARIF
        if: contains(matrix.analysis-kinds, 'code-quality')
-        uses: actions/github-script@v8
+        uses: actions/github-script@v7
        env:
-          SARIF_PATH: '${{ runner.temp }}/results/javascript.quality.sarif'
+          SARIF_PATH: ${{ runner.temp }}/results/javascript.quality.sarif
          EXPECT_PRESENT: 'true'
        with:
          script: ${{ env.CHECK_SCRIPT }}
    env:
-      CODEQL_ACTION_RISK_ASSESSMENT_ID: 1
      CHECK_SCRIPT: |
        const fs = require('fs');

@@ -18,18 +18,10 @@ on:
      - synchronize
      - reopened
      - ready_for_review
-  merge_group:
-    types:
-      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
    inputs:
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
      go-version:
        type: string
        description: The version of Go to install
@@ -37,11 +29,6 @@ on:
        default: '>=1.21.0'
  workflow_call:
    inputs:
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
      go-version:
        type: string
        description: The version of Go to install
@@ -50,9 +37,6 @@ on:
 defaults:
  run:
    shell: bash
-concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: remote-config-${{github.ref}}-${{inputs.dotnet-version}}-${{inputs.go-version}}
 jobs:
  remote-config:
    strategy:
@@ -64,7 +48,6 @@ jobs:
          - os: ubuntu-latest
            version: nightly-latest
    name: Remote config file
-    if: github.triggering_actor != 'dependabot[bot]'
    permissions:
      contents: read
      security-events: read
@@ -72,16 +55,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v6
-      - name: Install .NET
-        uses: actions/setup-dotnet@v5
-        with:
-          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
-      - name: Install Go
-        uses: actions/setup-go@v6
-        with:
-          go-version: ${{ inputs.go-version || '>=1.21.0' }}
-          cache: false
+        uses: actions/checkout@v5
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -89,11 +63,17 @@ jobs:
          version: ${{ matrix.version }}
          use-all-platform-bundle: 'false'
          setup-kotlin: 'true'
+      - name: Install Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: ${{ inputs.go-version || '>=1.21.0' }}
+          cache: false
      - uses: ./../action/init
        with:
          tools: ${{ steps.prepare-test.outputs.tools-url }}
          languages: cpp,csharp,java,javascript,python
-          config-file: ${{ github.repository }}/tests/multi-language-repo/.github/codeql/custom-queries.yml@${{ github.sha }}
+          config-file: ${{ github.repository }}/tests/multi-language-repo/.github/codeql/custom-queries.yml@${{
+            github.sha }}
      - name: Build code
        run: ./build.sh
      - uses: ./../action/analyze
@@ -18,9 +18,6 @@ on:
      - synchronize
      - reopened
      - ready_for_review
-  merge_group:
-    types:
-      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -30,9 +27,6 @@ on:
 defaults:
  run:
    shell: bash
-concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: resolve-environment-action-${{github.ref}}
 jobs:
  resolve-environment-action:
    strategy:
@@ -40,13 +34,24 @@ jobs:
      matrix:
        include:
          - os: ubuntu-latest
-            version: linked
-          - os: ubuntu-latest
+            version: default
+          - os: macos-latest
+            version: default
+          - os: windows-latest
            version: default
          - os: ubuntu-latest
+            version: linked
+          - os: macos-latest
+            version: linked
+          - os: windows-latest
+            version: linked
+          - os: ubuntu-latest
+            version: nightly-latest
+          - os: macos-latest
+            version: nightly-latest
+          - os: windows-latest
            version: nightly-latest
    name: Resolve environment
-    if: github.triggering_actor != 'dependabot[bot]'
    permissions:
      contents: read
      security-events: read
@@ -54,7 +59,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@v5
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -84,7 +89,8 @@ jobs:
          language: javascript-typescript

      - name: Fail if JavaScript/TypeScript configuration present
-        if: fromJSON(steps.resolve-environment-js.outputs.environment).configuration.javascript
+        if:
+          fromJSON(steps.resolve-environment-js.outputs.environment).configuration.javascript
        run: exit 1
    env:
      CODEQL_ACTION_TEST_MODE: true
@@ -18,9 +18,6 @@ on:
      - synchronize
      - reopened
      - ready_for_review
-  merge_group:
-    types:
-      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -30,9 +27,6 @@ on:
 defaults:
  run:
    shell: bash
-concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: rubocop-multi-language-${{github.ref}}
 jobs:
  rubocop-multi-language:
    strategy:
@@ -42,7 +36,6 @@ jobs:
          - os: ubuntu-latest
            version: default
    name: RuboCop multi-language
-    if: github.triggering_actor != 'dependabot[bot]'
    permissions:
      contents: read
      security-events: read
@@ -50,7 +43,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@v5
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -59,7 +52,7 @@ jobs:
          use-all-platform-bundle: 'false'
          setup-kotlin: 'true'
      - name: Set up Ruby
-        uses: ruby/setup-ruby@319994f95fa847cf3fb3cd3dbe89f6dcde9f178f # v1.295.0
+        uses: ruby/setup-ruby@44511735964dcb71245e7e55f72539531f7bc0eb # v1.257.0
        with:
          ruby-version: 2.6
      - name: Install Code Scanning integration
@@ -18,9 +18,6 @@ on:
      - synchronize
      - reopened
      - ready_for_review
-  merge_group:
-    types:
-      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -30,9 +27,6 @@ on:
 defaults:
  run:
    shell: bash
-concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: ruby-${{github.ref}}
 jobs:
  ruby:
    strategy:
@@ -52,7 +46,6 @@ jobs:
          - os: macos-latest
            version: nightly-latest
    name: Ruby analysis
-    if: github.triggering_actor != 'dependabot[bot]'
    permissions:
      contents: read
      security-events: read
@@ -60,7 +53,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@v5
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -18,9 +18,6 @@ on:
      - synchronize
      - reopened
      - ready_for_review
-  merge_group:
-    types:
-      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -30,9 +27,6 @@ on:
 defaults:
  run:
    shell: bash
-concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: rust-${{github.ref}}
 jobs:
  rust:
    strategy:
@@ -50,7 +44,6 @@ jobs:
          - os: ubuntu-latest
            version: nightly-latest
    name: Rust analysis
-    if: github.triggering_actor != 'dependabot[bot]'
    permissions:
      contents: read
      security-events: read
@@ -58,7 +51,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@v5
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -18,18 +18,10 @@ on:
      - synchronize
      - reopened
      - ready_for_review
-  merge_group:
-    types:
-      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
    inputs:
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
      go-version:
        type: string
        description: The version of Go to install
@@ -37,11 +29,6 @@ on:
        default: '>=1.21.0'
  workflow_call:
    inputs:
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
      go-version:
        type: string
        description: The version of Go to install
@@ -50,9 +37,6 @@ on:
 defaults:
  run:
    shell: bash
-concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: split-workflow-${{github.ref}}-${{inputs.dotnet-version}}-${{inputs.go-version}}
 jobs:
  split-workflow:
    strategy:
@@ -72,7 +56,6 @@ jobs:
          - os: macos-latest
            version: nightly-latest
    name: Split workflow
-    if: github.triggering_actor != 'dependabot[bot]'
    permissions:
      contents: read
      security-events: read
@@ -80,16 +63,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v6
-      - name: Install .NET
-        uses: actions/setup-dotnet@v5
-        with:
-          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
-      - name: Install Go
-        uses: actions/setup-go@v6
-        with:
-          go-version: ${{ inputs.go-version || '>=1.21.0' }}
-          cache: false
+        uses: actions/checkout@v5
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -97,9 +71,14 @@ jobs:
          version: ${{ matrix.version }}
          use-all-platform-bundle: 'false'
          setup-kotlin: 'true'
+      - name: Install Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: ${{ inputs.go-version || '>=1.21.0' }}
+          cache: false
      - uses: ./../action/init
        with:
-          config-file: '.github/codeql/codeql-config-packaging3.yml'
+          config-file: .github/codeql/codeql-config-packaging3.yml
          packs: +codeql-testing/codeql-pack1@1.0.0
          languages: javascript
          tools: ${{ steps.prepare-test.outputs.tools-url }}
@@ -108,7 +87,7 @@ jobs:
      - uses: ./../action/analyze
        with:
          skip-queries: true
-          output: '${{ runner.temp }}/results'
+          output: ${{ runner.temp }}/results
          upload-database: false

      - name: Assert No Results
@@ -119,7 +98,7 @@ jobs:
          fi
      - uses: ./../action/analyze
        with:
-          output: '${{ runner.temp }}/results'
+          output: ${{ runner.temp }}/results
          upload-database: false
      - name: Assert Results
        run: |
@@ -18,9 +18,6 @@ on:
      - synchronize
      - reopened
      - ready_for_review
-  merge_group:
-    types:
-      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -30,9 +27,6 @@ on:
 defaults:
  run:
    shell: bash
-concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: start-proxy-${{github.ref}}
 jobs:
  start-proxy:
    strategy:
@@ -46,7 +40,6 @@ jobs:
          - os: windows-latest
            version: linked
    name: Start proxy
-    if: github.triggering_actor != 'dependabot[bot]'
    permissions:
      contents: read
      security-events: read
@@ -54,7 +47,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@v5
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -71,7 +64,8 @@ jobs:
        id: proxy
        uses: ./../action/start-proxy
        with:
-          registry_secrets: '[{ "type": "nuget_feed", "url": "https://api.nuget.org/v3/index.json" }]'
+          registry_secrets: '[{ "type": "nuget_feed", "url": "https://api.nuget.org/v3/index.json"
+            }]'

      - name: Print proxy outputs
        run: |
@@ -80,7 +74,8 @@ jobs:
          echo "${{ steps.proxy.outputs.proxy_urls }}"

      - name: Fail if proxy outputs are not set
-        if: (!steps.proxy.outputs.proxy_host) || (!steps.proxy.outputs.proxy_port) || (!steps.proxy.outputs.proxy_ca_certificate) || (!steps.proxy.outputs.proxy_urls)
+        if: (!steps.proxy.outputs.proxy_host) || (!steps.proxy.outputs.proxy_port)
+          || (!steps.proxy.outputs.proxy_ca_certificate) || (!steps.proxy.outputs.proxy_urls)
        run: exit 1
    env:
      CODEQL_ACTION_TEST_MODE: true
@@ -18,9 +18,6 @@ on:
      - synchronize
      - reopened
      - ready_for_review
-  merge_group:
-    types:
-      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -30,9 +27,6 @@ on:
 defaults:
  run:
    shell: bash
-concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: submit-sarif-failure-${{github.ref}}
 jobs:
  submit-sarif-failure:
    strategy:
@@ -46,15 +40,15 @@ jobs:
          - os: ubuntu-latest
            version: nightly-latest
    name: Submit SARIF after failure
-    if: github.triggering_actor != 'dependabot[bot]'
    permissions:
      contents: read
-      security-events: write
+      security-events: write # needed to upload the SARIF file
+
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@v5
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -62,26 +56,32 @@ jobs:
          version: ${{ matrix.version }}
          use-all-platform-bundle: 'false'
          setup-kotlin: 'true'
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v5
      - uses: ./init
        with:
          languages: javascript
          tools: ${{ steps.prepare-test.outputs.tools-url }}
      - name: Fail
-        # We want this job to pass if the Action correctly uploads the SARIF file for
-        # the failed run.
-        # Setting this step to continue on error means that it is marked as completing
-        # successfully, so will not fail the job.
+    # We want this job to pass if the Action correctly uploads the SARIF file for
+    # the failed run.
+    # Setting this step to continue on error means that it is marked as completing
+    # successfully, so will not fail the job.
        continue-on-error: true
        run: exit 1
      - uses: ./analyze
-        # In a real workflow, this step wouldn't run. Since we used `continue-on-error`
-        # above, we manually disable it with an `if` condition.
+    # In a real workflow, this step wouldn't run. Since we used `continue-on-error`
+    # above, we manually disable it with an `if` condition.
        if: false
        with:
-          category: '/test-codeql-version:${{ matrix.version }}'
+          category: /test-codeql-version:${{ matrix.version }}
    env:
+  # Internal-only environment variable used to indicate that the post-init Action
+  # should expect to upload a SARIF file for the failed run.
      CODEQL_ACTION_EXPECT_UPLOAD_FAILED_SARIF: true
+  # Make sure the uploading SARIF files feature is enabled.
      CODEQL_ACTION_UPLOAD_FAILED_SARIF: true
+  # Upload the failed SARIF file as an integration test of the API endpoint.
      CODEQL_ACTION_TEST_MODE: false
+  # Mark telemetry for this workflow so it can be treated separately.
      CODEQL_ACTION_TESTING_ENVIRONMENT: codeql-action-pr-checks
+
@@ -18,9 +18,6 @@ on:
      - synchronize
      - reopened
      - ready_for_review
-  merge_group:
-    types:
-      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -30,9 +27,6 @@ on:
 defaults:
  run:
    shell: bash
-concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: swift-autobuild-${{github.ref}}
 jobs:
  swift-autobuild:
    strategy:
@@ -42,7 +36,6 @@ jobs:
          - os: macos-latest
            version: nightly-latest
    name: Swift analysis using autobuild
-    if: github.triggering_actor != 'dependabot[bot]'
    permissions:
      contents: read
      security-events: read
@@ -50,7 +43,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@v5
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -18,18 +18,10 @@ on:
      - synchronize
      - reopened
      - ready_for_review
-  merge_group:
-    types:
-      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
    inputs:
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
      go-version:
        type: string
        description: The version of Go to install
@@ -37,11 +29,6 @@ on:
        default: '>=1.21.0'
  workflow_call:
    inputs:
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
      go-version:
        type: string
        description: The version of Go to install
@@ -50,9 +37,6 @@ on:
 defaults:
  run:
    shell: bash
-concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: swift-custom-build-${{github.ref}}-${{inputs.dotnet-version}}-${{inputs.go-version}}
 jobs:
  swift-custom-build:
    strategy:
@@ -66,7 +50,6 @@ jobs:
          - os: macos-latest
            version: nightly-latest
    name: Swift analysis using a custom build command
-    if: github.triggering_actor != 'dependabot[bot]'
    permissions:
      contents: read
      security-events: read
@@ -74,16 +57,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v6
-      - name: Install .NET
-        uses: actions/setup-dotnet@v5
-        with:
-          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
-      - name: Install Go
-        uses: actions/setup-go@v6
-        with:
-          go-version: ${{ inputs.go-version || '>=1.21.0' }}
-          cache: false
+        uses: actions/checkout@v5
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -91,6 +65,11 @@ jobs:
          version: ${{ matrix.version }}
          use-all-platform-bundle: 'false'
          setup-kotlin: 'true'
+      - name: Install Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: ${{ inputs.go-version || '>=1.21.0' }}
+          cache: false
      - name: Use Xcode 16
        if: runner.os == 'macOS' && matrix.version != 'nightly-latest'
        run: sudo xcode-select -s "/Applications/Xcode_16.app"
@@ -18,9 +18,6 @@ on:
      - synchronize
      - reopened
      - ready_for_review
-  merge_group:
-    types:
-      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -30,11 +27,8 @@ on:
 defaults:
  run:
    shell: bash
-concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: autobuild-working-dir-${{github.ref}}
 jobs:
-  autobuild-working-dir:
+  test-autobuild-working-dir:
    strategy:
      fail-fast: false
      matrix:
@@ -42,7 +36,6 @@ jobs:
          - os: ubuntu-latest
            version: linked
    name: Autobuild working directory
-    if: github.triggering_actor != 'dependabot[bot]'
    permissions:
      contents: read
      security-events: read
@@ -50,7 +43,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@v5
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -18,18 +18,10 @@ on:
      - synchronize
      - reopened
      - ready_for_review
-  merge_group:
-    types:
-      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
    inputs:
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
      go-version:
        type: string
        description: The version of Go to install
@@ -37,11 +29,6 @@ on:
        default: '>=1.21.0'
  workflow_call:
    inputs:
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
      go-version:
        type: string
        description: The version of Go to install
@@ -50,19 +37,15 @@ on:
 defaults:
  run:
    shell: bash
-concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: local-bundle-${{github.ref}}-${{inputs.dotnet-version}}-${{inputs.go-version}}
 jobs:
-  local-bundle:
+  test-local-codeql:
    strategy:
      fail-fast: false
      matrix:
        include:
          - os: ubuntu-latest
-            version: linked
+            version: nightly-latest
    name: Local CodeQL bundle
-    if: github.triggering_actor != 'dependabot[bot]'
    permissions:
      contents: read
      security-events: read
@@ -70,16 +53,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v6
-      - name: Install .NET
-        uses: actions/setup-dotnet@v5
-        with:
-          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
-      - name: Install Go
-        uses: actions/setup-go@v6
-        with:
-          go-version: ${{ inputs.go-version || '>=1.21.0' }}
-          cache: false
+        uses: actions/checkout@v5
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -87,13 +61,20 @@ jobs:
          version: ${{ matrix.version }}
          use-all-platform-bundle: 'false'
          setup-kotlin: 'true'
-      - name: Fetch latest CodeQL bundle
+      - name: Install Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: ${{ inputs.go-version || '>=1.21.0' }}
+          cache: false
+      - name: Fetch a CodeQL bundle
+        env:
+          CODEQL_URL: ${{ steps.prepare-test.outputs.tools-url }}
        run: |
-          wget https://github.com/github/codeql-action/releases/latest/download/codeql-bundle-linux64.tar.zst
+          wget "$CODEQL_URL"
      - id: init
        uses: ./../action/init
        with:
-          # Swift is not supported on Ubuntu so we manually exclude it from the list here
+      # Swift is not supported on Ubuntu so we manually exclude it from the list here
          languages: cpp,csharp,go,java,javascript,python,ruby
          tools: ./codeql-bundle-linux64.tar.zst
      - name: Build code
@@ -18,9 +18,6 @@ on:
      - synchronize
      - reopened
      - ready_for_review
-  merge_group:
-    types:
-      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
@@ -30,11 +27,8 @@ on:
 defaults:
  run:
    shell: bash
-concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: global-proxy-${{github.ref}}
 jobs:
-  global-proxy:
+  test-proxy:
    strategy:
      fail-fast: false
      matrix:
@@ -44,15 +38,26 @@ jobs:
          - os: ubuntu-latest
            version: nightly-latest
    name: Proxy test
-    if: github.triggering_actor != 'dependabot[bot]'
    permissions:
      contents: read
      security-events: read
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
+  # These steps are required to initialise the `gh` cli in a container that doesn't
+  # come pre-installed with it. The reason for that is that this is later
+  # needed by the `prepare-test` workflow to find the latest release of CodeQL.
+      - name: Set up GitHub CLI
+        run: |
+          apt update
+          apt install -y curl libreadline8 gnupg2 software-properties-common zstd
+          curl -fsSL https://cli.github.com/packages/githubcli-archive-keyring.gpg | dd of=/usr/share/keyrings/githubcli-archive-keyring.gpg
+          apt-key add /usr/share/keyrings/githubcli-archive-keyring.gpg
+          apt-add-repository https://cli.github.com/packages
+          apt install -y gh
+        env: {}
      - name: Check out repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@v5
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -67,7 +72,6 @@ jobs:
      - uses: ./../action/analyze
    env:
      https_proxy: http://squid-proxy:3128
-      CODEQL_ACTION_TOLERATE_MISSING_GIT_VERSION: true
      CODEQL_ACTION_TEST_MODE: true
    container:
      image: ubuntu:22.04
@@ -18,18 +18,10 @@ on:
      - synchronize
      - reopened
      - ready_for_review
-  merge_group:
-    types:
-      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
    inputs:
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
      go-version:
        type: string
        description: The version of Go to install
@@ -37,11 +29,6 @@ on:
        default: '>=1.21.0'
  workflow_call:
    inputs:
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
      go-version:
        type: string
        description: The version of Go to install
@@ -50,9 +37,6 @@ on:
 defaults:
  run:
    shell: bash
-concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: unset-environment-${{github.ref}}-${{inputs.dotnet-version}}-${{inputs.go-version}}
 jobs:
  unset-environment:
    strategy:
@@ -64,7 +48,6 @@ jobs:
          - os: ubuntu-latest
            version: nightly-latest
    name: Test unsetting environment variables
-    if: github.triggering_actor != 'dependabot[bot]'
    permissions:
      contents: read
      security-events: read
@@ -72,16 +55,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v6
-      - name: Install .NET
-        uses: actions/setup-dotnet@v5
-        with:
-          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
-      - name: Install Go
-        uses: actions/setup-go@v6
-        with:
-          go-version: ${{ inputs.go-version || '>=1.21.0' }}
-          cache: false
+        uses: actions/checkout@v5
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -89,11 +63,16 @@ jobs:
          version: ${{ matrix.version }}
          use-all-platform-bundle: 'false'
          setup-kotlin: 'true'
+      - name: Install Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: ${{ inputs.go-version || '>=1.21.0' }}
+          cache: false
      - uses: ./../action/init
        id: init
        with:
          db-location: ${{ runner.temp }}/customDbLocation
-          # Swift is not supported on Ubuntu so we manually exclude it from the list here
+      # Swift is not supported on Ubuntu so we manually exclude it from the list here
          languages: cpp,csharp,go,java,javascript,python,ruby
          tools: ${{ steps.prepare-test.outputs.tools-url }}
      - name: Build code
@@ -0,0 +1,93 @@
+# Warning: This file is generated automatically, and should not be modified.
+# Instead, please modify the template in the pr-checks directory and run:
+#     pr-checks/sync.sh
+# to regenerate this file.
+
+name: 'PR Check - Upload-sarif: code quality endpoint'
+env:
+  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+  GO111MODULE: auto
+on:
+  push:
+    branches:
+      - main
+      - releases/v*
+  pull_request:
+    types:
+      - opened
+      - synchronize
+      - reopened
+      - ready_for_review
+  schedule:
+    - cron: '0 5 * * *'
+  workflow_dispatch:
+    inputs:
+      go-version:
+        type: string
+        description: The version of Go to install
+        required: false
+        default: '>=1.21.0'
+  workflow_call:
+    inputs:
+      go-version:
+        type: string
+        description: The version of Go to install
+        required: false
+        default: '>=1.21.0'
+defaults:
+  run:
+    shell: bash
+jobs:
+  upload-quality-sarif:
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - os: ubuntu-latest
+            version: default
+          - os: macos-latest
+            version: default
+          - os: windows-latest
+            version: default
+    name: 'Upload-sarif: code quality endpoint'
+    permissions:
+      contents: read
+      security-events: read
+    timeout-minutes: 45
+    runs-on: ${{ matrix.os }}
+    steps:
+      - name: Check out repository
+        uses: actions/checkout@v5
+      - name: Prepare test
+        id: prepare-test
+        uses: ./.github/actions/prepare-test
+        with:
+          version: ${{ matrix.version }}
+          use-all-platform-bundle: 'false'
+          setup-kotlin: 'true'
+      - name: Install Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: ${{ inputs.go-version || '>=1.21.0' }}
+          cache: false
+      - uses: ./../action/init
+        with:
+          tools: ${{ steps.prepare-test.outputs.tools-url }}
+          languages: cpp,csharp,java,javascript,python
+          config-file: ${{ github.repository }}/tests/multi-language-repo/.github/codeql/custom-queries.yml@${{
+            github.sha }}
+          analysis-kinds: code-scanning,code-quality
+      - name: Build code
+        run: ./build.sh
+  # Generate some SARIF we can upload with the upload-sarif step
+      - uses: ./../action/analyze
+        with:
+          ref: refs/heads/main
+          sha: 5e235361806c361d4d3f8859e3c897658025a9a2
+          upload: never
+      - uses: ./../action/upload-sarif
+        with:
+          ref: refs/heads/main
+          sha: 5e235361806c361d4d3f8859e3c897658025a9a2
+    env:
+      CODEQL_ACTION_TEST_MODE: true
@@ -18,18 +18,10 @@ on:
      - synchronize
      - reopened
      - ready_for_review
-  merge_group:
-    types:
-      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
    inputs:
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
      go-version:
        type: string
        description: The version of Go to install
@@ -37,11 +29,6 @@ on:
        default: '>=1.21.0'
  workflow_call:
    inputs:
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
      go-version:
        type: string
        description: The version of Go to install
@@ -50,9 +37,6 @@ on:
 defaults:
  run:
    shell: bash
-concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: upload-ref-sha-input-${{github.ref}}-${{inputs.dotnet-version}}-${{inputs.go-version}}
 jobs:
  upload-ref-sha-input:
    strategy:
@@ -61,8 +45,11 @@ jobs:
        include:
          - os: ubuntu-latest
            version: default
+          - os: macos-latest
+            version: default
+          - os: windows-latest
+            version: default
    name: "Upload-sarif: 'ref' and 'sha' from inputs"
-    if: github.triggering_actor != 'dependabot[bot]'
    permissions:
      contents: read
      security-events: read
@@ -70,16 +57,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v6
-      - name: Install .NET
-        uses: actions/setup-dotnet@v5
-        with:
-          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
-      - name: Install Go
-        uses: actions/setup-go@v6
-        with:
-          go-version: ${{ inputs.go-version || '>=1.21.0' }}
-          cache: false
+        uses: actions/checkout@v5
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -87,22 +65,28 @@ jobs:
          version: ${{ matrix.version }}
          use-all-platform-bundle: 'false'
          setup-kotlin: 'true'
+      - name: Install Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: ${{ inputs.go-version || '>=1.21.0' }}
+          cache: false
      - uses: ./../action/init
        with:
          tools: ${{ steps.prepare-test.outputs.tools-url }}
          languages: cpp,csharp,java,javascript,python
-          config-file: ${{ github.repository }}/tests/multi-language-repo/.github/codeql/custom-queries.yml@${{ github.sha }}
+          config-file: ${{ github.repository }}/tests/multi-language-repo/.github/codeql/custom-queries.yml@${{
+            github.sha }}
      - name: Build code
        run: ./build.sh
-      # Generate some SARIF we can upload with the upload-sarif step
+  # Generate some SARIF we can upload with the upload-sarif step
      - uses: ./../action/analyze
        with:
-          ref: 'refs/heads/main'
-          sha: '5e235361806c361d4d3f8859e3c897658025a9a2'
+          ref: refs/heads/main
+          sha: 5e235361806c361d4d3f8859e3c897658025a9a2
          upload: never
      - uses: ./../action/upload-sarif
        with:
-          ref: 'refs/heads/main'
-          sha: '5e235361806c361d4d3f8859e3c897658025a9a2'
+          ref: refs/heads/main
+          sha: 5e235361806c361d4d3f8859e3c897658025a9a2
    env:
      CODEQL_ACTION_TEST_MODE: true
@@ -1,173 +0,0 @@
-# Warning: This file is generated automatically, and should not be modified.
-# Instead, please modify the template in the pr-checks directory and run:
-#     pr-checks/sync.sh
-# to regenerate this file.
-
-name: PR Check - Test different uses of `upload-sarif`
-env:
-  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-  GO111MODULE: auto
-on:
-  push:
-    branches:
-      - main
-      - releases/v*
-  pull_request:
-    types:
-      - opened
-      - synchronize
-      - reopened
-      - ready_for_review
-  merge_group:
-    types:
-      - checks_requested
-  schedule:
-    - cron: '0 5 * * *'
-  workflow_dispatch:
-    inputs:
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
-      go-version:
-        type: string
-        description: The version of Go to install
-        required: false
-        default: '>=1.21.0'
-  workflow_call:
-    inputs:
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
-      go-version:
-        type: string
-        description: The version of Go to install
-        required: false
-        default: '>=1.21.0'
-defaults:
-  run:
-    shell: bash
-concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: upload-sarif-${{github.ref}}-${{inputs.dotnet-version}}-${{inputs.go-version}}
-jobs:
-  upload-sarif:
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - os: ubuntu-latest
-            version: default
-            analysis-kinds: code-scanning
-          - os: ubuntu-latest
-            version: default
-            analysis-kinds: code-quality
-          - os: ubuntu-latest
-            version: default
-            analysis-kinds: code-scanning,code-quality
-    name: Test different uses of `upload-sarif`
-    if: github.triggering_actor != 'dependabot[bot]'
-    permissions:
-      contents: read
-      security-events: read
-    timeout-minutes: 45
-    runs-on: ${{ matrix.os }}
-    steps:
-      - name: Check out repository
-        uses: actions/checkout@v6
-      - name: Install .NET
-        uses: actions/setup-dotnet@v5
-        with:
-          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
-      - name: Install Go
-        uses: actions/setup-go@v6
-        with:
-          go-version: ${{ inputs.go-version || '>=1.21.0' }}
-          cache: false
-      - name: Prepare test
-        id: prepare-test
-        uses: ./.github/actions/prepare-test
-        with:
-          version: ${{ matrix.version }}
-          use-all-platform-bundle: 'false'
-          setup-kotlin: 'true'
-      - uses: ./../action/init
-        with:
-          tools: ${{ steps.prepare-test.outputs.tools-url }}
-          languages: csharp,java,javascript,python
-          analysis-kinds: ${{ matrix.analysis-kinds }}
-      - name: Build code
-        run: ./build.sh
-      # Generate some SARIF we can upload with the upload-sarif step
-      - uses: ./../action/analyze
-        with:
-          ref: 'refs/heads/main'
-          sha: '5e235361806c361d4d3f8859e3c897658025a9a2'
-          upload: never
-          output: ${{ runner.temp }}/results
-
-      - name: |
-          Upload all SARIF files for `analysis-kinds: ${{ matrix.analysis-kinds }}`
-        uses: ./../action/upload-sarif
-        id: upload-sarif
-        with:
-          ref: 'refs/heads/main'
-          sha: '5e235361806c361d4d3f8859e3c897658025a9a2'
-          sarif_file: ${{ runner.temp }}/results
-          category: |
-            ${{ github.workflow }}:upload-sarif/analysis-kinds:${{ matrix.analysis-kinds }}/os:${{ matrix.os }}/version:${{ matrix.version }}/test:all-files/
-      - name: 'Fail for missing output from `upload-sarif` step for `code-scanning`'
-        if: contains(matrix.analysis-kinds, 'code-scanning') && !(fromJSON(steps.upload-sarif.outputs.sarif-ids).code-scanning)
-        run: exit 1
-      - name: 'Fail for missing output from `upload-sarif` step for `code-quality`'
-        if: contains(matrix.analysis-kinds, 'code-quality') && !(fromJSON(steps.upload-sarif.outputs.sarif-ids).code-quality)
-        run: exit 1
-
-      - name: Upload single SARIF file for Code Scanning
-        uses: ./../action/upload-sarif
-        id: upload-single-sarif-code-scanning
-        if: contains(matrix.analysis-kinds, 'code-scanning')
-        with:
-          ref: 'refs/heads/main'
-          sha: '5e235361806c361d4d3f8859e3c897658025a9a2'
-          sarif_file: ${{ runner.temp }}/results/javascript.sarif
-          category: |
-            ${{ github.workflow }}:upload-sarif/analysis-kinds:${{ matrix.analysis-kinds }}/os:${{ matrix.os }}/version:${{ matrix.version }}/test:single-code-scanning/
-      - name: 'Fail for missing output from `upload-single-sarif-code-scanning` step'
-        if: contains(matrix.analysis-kinds, 'code-scanning') && !(fromJSON(steps.upload-single-sarif-code-scanning.outputs.sarif-ids).code-scanning)
-        run: exit 1
-      - name: Upload single SARIF file for Code Quality
-        uses: ./../action/upload-sarif
-        id: upload-single-sarif-code-quality
-        if: contains(matrix.analysis-kinds, 'code-quality')
-        with:
-          ref: 'refs/heads/main'
-          sha: '5e235361806c361d4d3f8859e3c897658025a9a2'
-          sarif_file: ${{ runner.temp }}/results/javascript.quality.sarif
-          category: |
-            ${{ github.workflow }}:upload-sarif/analysis-kinds:${{ matrix.analysis-kinds }}/os:${{ matrix.os }}/version:${{ matrix.version }}/test:single-code-quality/
-      - name: 'Fail for missing output from `upload-single-sarif-code-quality` step'
-        if: contains(matrix.analysis-kinds, 'code-quality') && !(fromJSON(steps.upload-single-sarif-code-quality.outputs.sarif-ids).code-quality)
-        run: exit 1
-
-      - name: Change SARIF file extension
-        if: contains(matrix.analysis-kinds, 'code-scanning')
-        run: mv ${{ runner.temp }}/results/javascript.sarif ${{ runner.temp }}/results/javascript.sarif.json
-      - name: Upload single non-`.sarif` file
-        uses: ./../action/upload-sarif
-        id: upload-single-non-sarif
-        if: contains(matrix.analysis-kinds, 'code-scanning')
-        with:
-          ref: 'refs/heads/main'
-          sha: '5e235361806c361d4d3f8859e3c897658025a9a2'
-          sarif_file: ${{ runner.temp }}/results/javascript.sarif.json
-          category: |
-            ${{ github.workflow }}:upload-sarif/analysis-kinds:${{ matrix.analysis-kinds }}/os:${{ matrix.os }}/version:${{ matrix.version }}/test:non-sarif/
-      - name: 'Fail for missing output from `upload-single-non-sarif` step'
-        if: contains(matrix.analysis-kinds, 'code-scanning') && !(fromJSON(steps.upload-single-non-sarif.outputs.sarif-ids).code-scanning)
-        run: exit 1
-    env:
-      CODEQL_ACTION_TEST_MODE: true
@@ -18,18 +18,10 @@ on:
      - synchronize
      - reopened
      - ready_for_review
-  merge_group:
-    types:
-      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
    inputs:
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
      go-version:
        type: string
        description: The version of Go to install
@@ -37,11 +29,6 @@ on:
        default: '>=1.21.0'
  workflow_call:
    inputs:
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
      go-version:
        type: string
        description: The version of Go to install
@@ -50,9 +37,6 @@ on:
 defaults:
  run:
    shell: bash
-concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: with-checkout-path-${{github.ref}}-${{inputs.dotnet-version}}-${{inputs.go-version}}
 jobs:
  with-checkout-path:
    strategy:
@@ -61,26 +45,19 @@ jobs:
        include:
          - os: ubuntu-latest
            version: linked
+          - os: macos-latest
+            version: linked
+          - os: windows-latest
+            version: linked
    name: Use a custom `checkout_path`
-    if: github.triggering_actor != 'dependabot[bot]'
    permissions:
      contents: read
      security-events: read
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
-      # This ensures we don't accidentally use the original checkout for any part of the test.
      - name: Check out repository
-        uses: actions/checkout@v6
-      - name: Install .NET
-        uses: actions/setup-dotnet@v5
-        with:
-          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
-      - name: Install Go
-        uses: actions/setup-go@v6
-        with:
-          go-version: ${{ inputs.go-version || '>=1.21.0' }}
-          cache: false
+        uses: actions/checkout@v5
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -88,15 +65,20 @@ jobs:
          version: ${{ matrix.version }}
          use-all-platform-bundle: 'false'
          setup-kotlin: 'true'
+      - name: Install Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: ${{ inputs.go-version || '>=1.21.0' }}
+          cache: false
      - name: Delete original checkout
        run: |
          # delete the original checkout so we don't accidentally use it.
          # Actions does not support deleting the current working directory, so we
          # delete the contents of the directory instead.
          rm -rf ./* .github .git
-      # Check out the actions repo again, but at a different location.
-      # choose an arbitrary SHA so that we can later test that the commit_oid is not from main
-      - uses: actions/checkout@v6
+  # Check out the actions repo again, but at a different location.
+  # choose an arbitrary SHA so that we can later test that the commit_oid is not from main
+      - uses: actions/checkout@v5
        with:
          ref: 474bbf07f9247ffe1856c6a0f94aeeb10e7afee6
          path: x/y/z/some-path
@@ -104,7 +86,7 @@ jobs:
      - uses: ./../action/init
        with:
          tools: ${{ steps.prepare-test.outputs.tools-url }}
-          # it's enough to test one compiled language and one interpreted language
+      # it's enough to test one compiled language and one interpreted language
          languages: csharp,javascript
          source-root: x/y/z/some-path/tests/multi-language-repo

@@ -121,30 +103,29 @@ jobs:

      - name: Verify SARIF after upload
        run: |
-          PAYLOAD_FILE="$RUNNER_TEMP/payload-code-scanning.json"
          EXPECTED_COMMIT_OID="474bbf07f9247ffe1856c6a0f94aeeb10e7afee6"
          EXPECTED_REF="v1.1.0"
          EXPECTED_CHECKOUT_URI_SUFFIX="/x/y/z/some-path/tests/multi-language-repo"

-          ACTUAL_COMMIT_OID="$(cat "$PAYLOAD_FILE" | jq -r .commit_oid)"
-          ACTUAL_REF="$(cat "$PAYLOAD_FILE" | jq -r .ref)"
-          ACTUAL_CHECKOUT_URI="$(cat "$PAYLOAD_FILE" | jq -r .checkout_uri)"
+          ACTUAL_COMMIT_OID="$(cat "$RUNNER_TEMP/payload.json" | jq -r .commit_oid)"
+          ACTUAL_REF="$(cat "$RUNNER_TEMP/payload.json" | jq -r .ref)"
+          ACTUAL_CHECKOUT_URI="$(cat "$RUNNER_TEMP/payload.json" | jq -r .checkout_uri)"

          if [[ "$EXPECTED_COMMIT_OID" != "$ACTUAL_COMMIT_OID" ]]; then
            echo "::error Invalid commit oid. Expected: $EXPECTED_COMMIT_OID Actual: $ACTUAL_COMMIT_OID"
-            echo "$PAYLOAD_FILE"
+            echo "$RUNNER_TEMP/payload.json"
            exit 1
          fi

          if [[ "$EXPECTED_REF" != "$ACTUAL_REF" ]]; then
            echo "::error Invalid ref. Expected: '$EXPECTED_REF' Actual: '$ACTUAL_REF'"
-            echo "$PAYLOAD_FILE"
+            echo "$RUNNER_TEMP/payload.json"
            exit 1
          fi

          if [[ "$ACTUAL_CHECKOUT_URI" != *$EXPECTED_CHECKOUT_URI_SUFFIX ]]; then
            echo "::error Invalid checkout URI suffix. Expected suffix: $EXPECTED_CHECKOUT_URI_SUFFIX Actual uri: $ACTUAL_CHECKOUT_URI"
-            echo "$PAYLOAD_FILE"
+            echo "$RUNNER_TEMP/payload.json"
            exit 1
          fi
    env:
@@ -15,14 +15,14 @@ defaults:

 jobs:
  check-expected-release-files:
-    runs-on: ubuntu-slim
+    runs-on: ubuntu-latest

    permissions:
      contents: read

    steps:
      - name: Checkout CodeQL Action
-        uses: actions/checkout@v6
+        uses: actions/checkout@v5
      - name: Check Expected Release Files
        run: |
          bundle_version="$(cat "./src/defaults.json" | jq -r ".bundleVersion")"
@@ -4,11 +4,10 @@ on:
  push:
    branches: [main, releases/v*]
  pull_request:
+    branches: [main, releases/v*]
    # Run checks on reopened draft PRs to support triggering PR checks on draft PRs that were opened
    # by other workflows.
    types: [opened, synchronize, reopened, ready_for_review]
-  merge_group:
-    types: [checks_requested]
  schedule:
    # Weekly on Sunday.
    - cron: '30 1 * * 0'
@@ -24,36 +23,40 @@ env:
 jobs:
  # Identify the CodeQL tool versions to use in the analysis job.
  check-codeql-versions:
-    if: github.triggering_actor != 'dependabot[bot]'
    runs-on: ubuntu-latest
    outputs:
      versions: ${{ steps.compare.outputs.versions }}

    permissions:
      contents: read
-      # We currently need `security-events: read` to access feature flags.
-      security-events: read

    steps:
-    - uses: actions/checkout@v6
-    - name: Set up default CodeQL bundle
-      id: setup-default
-      uses: ./setup-codeql
-    - name: Set up linked CodeQL bundle
-      id: setup-linked
-      uses: ./setup-codeql
+    - uses: actions/checkout@v5
+    - name: Init with default CodeQL bundle from the VM image
+      id: init-default
+      uses: ./init
+      with:
+        languages: javascript
+    - name: Remove empty database
+      # allows us to run init a second time
+      run: |
+        rm -rf "$RUNNER_TEMP/codeql_databases"
+    - name: Init with latest CodeQL bundle
+      id: init-latest
+      uses: ./init
      with:
        tools: linked
-    - name: Compare default and linked CodeQL bundle versions
+        languages: javascript
+    - name: Compare default and latest CodeQL bundle versions
      id: compare
      env:
-        CODEQL_DEFAULT: ${{ steps.setup-default.outputs.codeql-path }}
-        CODEQL_LINKED: ${{ steps.setup-linked.outputs.codeql-path }}
+        CODEQL_DEFAULT: ${{ steps.init-default.outputs.codeql-path }}
+        CODEQL_LATEST: ${{ steps.init-latest.outputs.codeql-path }}
      run: |
        CODEQL_VERSION_DEFAULT="$("$CODEQL_DEFAULT" version --format terse)"
-        CODEQL_VERSION_LINKED="$("$CODEQL_LINKED" version --format terse)"
+        CODEQL_VERSION_LATEST="$("$CODEQL_LATEST" version --format terse)"
        echo "Default CodeQL bundle version is $CODEQL_VERSION_DEFAULT"
-        echo "Linked CodeQL bundle version is $CODEQL_VERSION_LINKED"
+        echo "Latest CodeQL bundle version is $CODEQL_VERSION_LATEST"

        # If we're running on a pull request, run with both bundles, even if `tools: linked` would
        # be the same as `tools: null`. This allows us to make the job for each of the bundles a
@@ -61,7 +64,7 @@ jobs:
        #
        # If we're running on push or schedule, then we can skip running with `tools: linked` when it would be
        # the same as running with `tools: null`.
-        if [[ "$GITHUB_EVENT_NAME" != "pull_request" && "$GITHUB_EVENT_NAME" != "merge_group" && "$CODEQL_VERSION_DEFAULT" == "$CODEQL_VERSION_LINKED" ]]; then
+        if [[ "$GITHUB_EVENT_NAME" != "pull_request" && "$CODEQL_VERSION_DEFAULT" == "$CODEQL_VERSION_LATEST" ]]; then
          VERSIONS_JSON='[null]'
        else
          VERSIONS_JSON='[null, "linked"]'
@@ -72,12 +75,11 @@ jobs:
        echo "versions=${VERSIONS_JSON}" >> $GITHUB_OUTPUT

  analyze-javascript:
-    if: github.triggering_actor != 'dependabot[bot]'
    needs: [check-codeql-versions]
    strategy:
      fail-fast: false
      matrix:
-        os: [ubuntu-22.04,ubuntu-24.04,windows-2022,windows-2025,macos-14,macos-15]
+        os: [ubuntu-22.04,ubuntu-24.04,windows-2022,windows-2025,macos-13,macos-14,macos-15]
        tools: ${{ fromJson(needs.check-codeql-versions.outputs.versions) }}
    runs-on: ${{ matrix.os }}

@@ -87,13 +89,13 @@ jobs:

    steps:
    - name: Checkout
-      uses: actions/checkout@v6
+      uses: actions/checkout@v5
    - name: Initialize CodeQL
      uses: ./init
      id: init
      with:
        languages: javascript
-        config-file: ./.github/codeql/codeql-config-javascript.yml
+        config-file: ./.github/codeql/codeql-config.yml
        tools: ${{ matrix.tools }}
    # confirm steps.init.outputs.codeql-path points to the codeql binary
    - name: Print CodeQL Version
@@ -105,18 +107,13 @@ jobs:
      uses: ./analyze
      with:
        category: "/language:javascript"
-        upload: ${{ (matrix.os == 'ubuntu-24.04' && !matrix.tools && github.event_name != 'merge_group' && 'always' ) || 'never' }}

-  analyze-other:
-    if: github.triggering_actor != 'dependabot[bot]'
+
+  analyze-actions:
    runs-on: ubuntu-latest

    strategy:
      fail-fast: false
-      matrix:
-        include:
-          - language: actions
-          - language: python

    permissions:
      contents: read
@@ -124,20 +121,36 @@ jobs:

    steps:
    - name: Checkout
-      uses: actions/checkout@v6
+      uses: actions/checkout@v5
    - name: Initialize CodeQL
      uses: ./init
      with:
-        languages: ${{ matrix.language }}
-        build-mode: none
-        config: >
-          paths-ignore:
-            - lib
-            - tests
-          queries:
-            - uses: security-and-quality
+        languages: actions
+        config-file: ./.github/codeql/codeql-actions-config.yml
    - name: Perform CodeQL Analysis
      uses: ./analyze
      with:
-        category: "/language:${{ matrix.language }}"
-        upload: ${{ (github.event_name != 'merge_group' && 'always') || 'never' }}
+        category: "/language:actions"
+
+  analyze-python:
+    runs-on: ubuntu-latest
+
+    strategy:
+      fail-fast: false
+
+    permissions:
+      contents: read
+      security-events: write
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v5
+      - name: Initialize CodeQL
+        uses: ./init
+        with:
+          languages: python
+          config-file: ./.github/codeql/codeql-actions-config.yml
+      - name: Perform CodeQL Analysis
+        uses: ./analyze
+        with:
+          category: "/language:python"
@@ -6,13 +6,6 @@ env:
  # Diff informed queries add an additional query filter which is not yet
  # taken into account by these tests.
  CODEQL_ACTION_DIFF_INFORMED_QUERIES: false
-  # Specify overlay enablement manually to ensure stability around the exclude-from-incremental
-  # query filter. Here we only enable for the default code scanning suite.
-  CODEQL_ACTION_OVERLAY_ANALYSIS: true
-  CODEQL_ACTION_OVERLAY_ANALYSIS_JAVASCRIPT: false
-  CODEQL_ACTION_OVERLAY_ANALYSIS_CODE_SCANNING_JAVASCRIPT: true
-  CODEQL_ACTION_OVERLAY_ANALYSIS_STATUS_CHECK: false
-  CODEQL_ACTION_OVERLAY_ANALYSIS_SKIP_RESOURCE_CHECKS: true

 on:
  push:
@@ -25,11 +18,9 @@ on:
    - synchronize
    - reopened
    - ready_for_review
-  merge_group:
-    types: [checks_requested]
  schedule:
    - cron: '0 5 * * *'
-  workflow_dispatch:
+  workflow_dispatch: {}

 defaults:
  run:
@@ -37,7 +28,6 @@ defaults:

 jobs:
  code-scanning-config-tests:
-    if: github.triggering_actor != 'dependabot[bot]'
    continue-on-error: true

    permissions:
@@ -51,10 +41,16 @@ jobs:
        include:
        - os: ubuntu-latest
          version: linked
+        - os: macos-latest
+          version: linked
        - os: ubuntu-latest
          version: default
+        - os: macos-latest
+          version: default
        - os: ubuntu-latest
          version: nightly-latest
+        - os: macos-latest
+          version: nightly-latest

    # Code-Scanning config not created because environment variable is not set
    name: Code Scanning Configuration tests
@@ -62,12 +58,12 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
    - name: Check out repository
-      uses: actions/checkout@v6
+      uses: actions/checkout@v5

    - name: Set up Node.js
-      uses: actions/setup-node@v6
+      uses: actions/setup-node@v4
      with:
-        node-version: 24
+        node-version: '20'
        cache: 'npm'

    - name: Install dependencies
@@ -79,33 +75,13 @@ jobs:
      with:
        version: ${{ matrix.version }}

-    # On PRs, overlay analysis may change the config that is passed to the CLI.
-    # Therefore, we have two variants of the following test, one for PRs and one for other events.
-    - name: Empty file (non-PR)
-      if: github.event_name != 'pull_request'
+    - name: Empty file
      uses: ./../action/.github/actions/check-codescanning-config
      with:
        expected-config-file-contents: "{}"
        languages: javascript
        tools: ${{ steps.prepare-test.outputs.tools-url }}

-    - name: Empty file (PR)
-      if: github.event_name == 'pull_request'
-      uses: ./../action/.github/actions/check-codescanning-config
-      with:
-        expected-config-file-contents: |
-          {
-            "query-filters": [
-              {
-                "exclude": {
-                  "tags": "exclude-from-incremental"
-                }
-              }
-            ]
-          }
-        languages: javascript
-        tools: ${{ steps.prepare-test.outputs.tools-url }}
-
    - name: Packs from input
      if: success() || failure()
      uses: ./../action/.github/actions/check-codescanning-config
@@ -204,13 +180,13 @@ jobs:
      with:
        expected-config-file-contents: |
          {
+            "queries": [
+              { "uses": "./codeql-qlpacks/complex-javascript-qlpack/foo2/show_ifs.ql" },
+              { "uses": "./codeql-qlpacks/complex-javascript-qlpack/show_ifs.ql" }
+            ],
            "packs": {
              "javascript": ["codeql-testing/codeql-pack1@1.0.0", "codeql-testing/codeql-pack2", "codeql/javascript-queries" ]
-            },
-            "queries": [
-              { "uses": "./codeql-qlpacks/complex-javascript-qlpack/show_ifs.ql" },
-              { "uses": "./codeql-qlpacks/complex-javascript-qlpack/foo2/show_ifs.ql" }
-            ]
+            }
          }
        languages: javascript
        queries: + ./codeql-qlpacks/complex-javascript-qlpack/show_ifs.ql
@@ -14,11 +14,9 @@ on:
    - synchronize
    - reopened
    - ready_for_review
-  merge_group:
-    types: [checks_requested]
  schedule:
    - cron: '0 5 * * *'
-  workflow_dispatch:
+  workflow_dispatch: {}

 defaults:
  run:
@@ -26,7 +24,6 @@ defaults:

 jobs:
  upload-artifacts:
-    if: github.triggering_actor != 'dependabot[bot]'
    strategy:
      fail-fast: false
      matrix:
@@ -41,29 +38,21 @@ jobs:
      CODEQL_ACTION_TEST_MODE: true
    permissions:
      contents: read
-      # We currently need `security-events: read` to access feature flags.
-      security-events: read
    timeout-minutes: 45
    runs-on: ubuntu-latest
    steps:
      - name: Dump GitHub event
        run: cat "${GITHUB_EVENT_PATH}"
      - name: Check out repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@v5
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
        with:
          version: ${{ matrix.version }}
-      - uses: actions/setup-go@v6
+      - uses: actions/setup-go@v5
        with:
          go-version: ^1.13.1
-      - name: Install .NET
-        uses: actions/setup-dotnet@v5
-        with:
-          dotnet-version: '9.x'
-      - name: Assert best-effort artifact scan completed
-        uses: ./../action/.github/actions/verify-debug-artifact-scan-completed
      - uses: ./../action/init
        with:
          tools: ${{ steps.prepare-test.outputs.tools-url }}
@@ -81,7 +70,6 @@ jobs:
          expect-error: true
  download-and-check-artifacts:
    name: Download and check debug artifacts after failure in analyze
-    if: github.triggering_actor != 'dependabot[bot]'
    needs: upload-artifacts
    timeout-minutes: 45
    permissions:
@@ -89,7 +77,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Download all artifacts
-        uses: actions/download-artifact@v8
+        uses: actions/download-artifact@v5
      - name: Check expected artifacts exist
        run: |
          LANGUAGES="cpp csharp go java javascript python"
@@ -13,11 +13,9 @@ on:
    - synchronize
    - reopened
    - ready_for_review
-  merge_group:
-    types: [checks_requested]
  schedule:
    - cron: '0 5 * * *'
-  workflow_dispatch:
+  workflow_dispatch: {}

 defaults:
  run:
@@ -25,7 +23,6 @@ defaults:

 jobs:
  upload-artifacts:
-    if: github.triggering_actor != 'dependabot[bot]'
    strategy:
      fail-fast: false
      matrix:
@@ -40,26 +37,18 @@ jobs:
    timeout-minutes: 45
    permissions:
      contents: read
-      # We currently need `security-events: read` to access feature flags.
-      security-events: read
    runs-on: ubuntu-latest
    steps:
      - name: Check out repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@v5
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
        with:
          version: ${{ matrix.version }}
-      - uses: actions/setup-go@v6
+      - uses: actions/setup-go@v5
        with:
          go-version: ^1.13.1
-      - name: Install .NET
-        uses: actions/setup-dotnet@v5
-        with:
-          dotnet-version: '9.x'
-      - name: Assert best-effort artifact scan completed
-        uses: ./../action/.github/actions/verify-debug-artifact-scan-completed
      - uses: ./../action/init
        id: init
        with:
@@ -75,7 +64,6 @@ jobs:
        id: analysis
  download-and-check-artifacts:
    name: Download and check debug artifacts
-    if: github.triggering_actor != 'dependabot[bot]'
    needs: upload-artifacts
    timeout-minutes: 45
    permissions:
@@ -83,7 +71,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Download all artifacts
-        uses: actions/download-artifact@v8
+        uses: actions/download-artifact@v5
      - name: Check expected artifacts exist
        run: |
          VERSIONS="stable-v2.20.3 default linked nightly-latest"
@@ -1,27 +0,0 @@
-name: Label PR with size
-
-on:
-  pull_request:
-    types:
-      - opened
-      - synchronize
-      - reopened
-      - edited
-      - ready_for_review
-
-permissions:
-  contents: read
-  pull-requests: write
-
-jobs:
-  sizeup:
-    name: Label PR with size
-    runs-on: ubuntu-slim
-    if: github.event.pull_request.merged != true
-
-    steps:
-      - name: Run sizeup
-        uses: lerebear/sizeup-action@b7beb3dd273e36039e16e48e7bc690c189e61951 # 0.8.12
-        with:
-          token: "${{ secrets.GITHUB_TOKEN }}"
-          configuration-file-path: ".github/sizeup.yml"
@@ -24,7 +24,7 @@ defaults:

 jobs:
  merge-back:
-    runs-on: ubuntu-slim
+    runs-on: ubuntu-latest
    environment: Automation
    if: github.repository == 'github/codeql-action'
    env:
@@ -44,13 +44,10 @@ jobs:
          GITHUB_CONTEXT: '${{ toJson(github) }}'
        run: echo "${GITHUB_CONTEXT}"

-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v5
        with:
          fetch-depth: 0  # ensure we have all tags and can push commits
-      - uses: actions/setup-node@v6
-      - uses: actions/setup-python@v6
-        with:
-          python-version: '3.12'
+      - uses: actions/setup-node@v4

      - name: Update git config
        run: |
@@ -123,22 +120,32 @@ jobs:
      - name: Prepare partial Changelog
        env:
          PARTIAL_CHANGELOG: "${{ runner.temp }}/partial_changelog.md"
+          VERSION: "${{ steps.getVersion.outputs.version }}"
        run: |
-          python .github/workflows/script/prepare_changelog.py CHANGELOG.md > $PARTIAL_CHANGELOG
+          python .github/workflows/script/prepare_changelog.py CHANGELOG.md "$VERSION" > $PARTIAL_CHANGELOG

          echo "::group::Partial CHANGELOG"
          cat $PARTIAL_CHANGELOG
          echo "::endgroup::"

+      - name: Create mergeback branch and PR
+        if: ${{ steps.check.outputs.exists != 'true' && endsWith(github.ref_name, steps.getVersion.outputs.latest_release_branch) }}
+        uses: ./.github/actions/prepare-mergeback-branch
+        with:
+          base: "${{ env.BASE_BRANCH }}"
+          head: "${{ env.HEAD_BRANCH }}"
+          branch: "${{ steps.getVersion.outputs.newBranch }}"
+          version: "${{ steps.getVersion.outputs.version }}"
+          token: "${{ secrets.GITHUB_TOKEN }}"
+
      - name: Generate token
-        uses: actions/create-github-app-token@v3.0.0
+        uses: actions/create-github-app-token@v2.1.1
        id: app-token
        with:
          app-id: ${{ vars.AUTOMATION_APP_ID }}
          private-key: ${{ secrets.AUTOMATION_PRIVATE_KEY }}

      - name: Create the GitHub release
-        if: steps.check.outputs.exists != 'true'
        env:
          PARTIAL_CHANGELOG: "${{ runner.temp }}/partial_changelog.md"
          VERSION: "${{ steps.getVersion.outputs.version }}"
@@ -150,13 +157,3 @@ jobs:
            --latest=false \
            --title "$VERSION" \
            --notes-file "$PARTIAL_CHANGELOG"
-
-      - name: Create mergeback branch and PR
-        if: ${{ endsWith(github.ref_name, steps.getVersion.outputs.latest_release_branch) }}
-        uses: ./.github/actions/prepare-mergeback-branch
-        with:
-          base: "${{ env.BASE_BRANCH }}"
-          head: "${{ env.HEAD_BRANCH }}"
-          branch: "${{ steps.getVersion.outputs.newBranch }}"
-          version: "${{ steps.getVersion.outputs.version }}"
-          token: "${{ secrets.GITHUB_TOKEN }}"
@@ -6,8 +6,6 @@ on:
    # Run checks on reopened draft PRs to support triggering PR checks on draft PRs that were opened
    # by other workflows.
    types: [opened, synchronize, reopened, ready_for_review]
-  merge_group:
-    types: [checks_requested]
  workflow_dispatch:

 defaults:
@@ -17,12 +15,10 @@ defaults:
 jobs:
  unit-tests:
    name: Unit Tests
-    if: github.triggering_actor != 'dependabot[bot]'
    strategy:
      fail-fast: false
      matrix:
        os: [ubuntu-latest, macos-latest, windows-latest]
-        node-version: [20, 24]
    permissions:
      contents: read
      security-events: write # needed to upload ESLint results
@@ -34,14 +30,19 @@ jobs:
        if: runner.os == 'Windows'
        run: git config --global core.autocrlf false

-      - uses: actions/checkout@v6
-
+      - uses: actions/checkout@v5
+      
      - name: Set up Node.js
-        uses: actions/setup-node@v6
+        uses: actions/setup-node@v4
        with:
-          node-version: ${{ matrix.node-version }}
+          node-version: '20.x'
          cache: 'npm'

+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: 3.11
+
      - name: Install dependencies
        run: |
          # Use the system Bash shell to ensure we can run commands like `npm ci`
@@ -52,60 +53,25 @@ jobs:
      - name: Verify compiled JS up to date
        run: .github/workflows/script/check-js.sh

+      - name: Verify PR checks up to date
+        run: .github/workflows/script/verify-pr-checks.sh
+
      - name: Run unit tests
-        if: always()
        run: npm test

      - name: Lint
-        if: always() && matrix.os != 'windows-latest'
+        if: matrix.os != 'windows-latest'
        run: npm run lint-ci

      - name: Upload sarif
-        uses: github/codeql-action/upload-sarif@v4
-        if: matrix.os == 'ubuntu-latest' && matrix.node-version == 24
+        uses: github/codeql-action/upload-sarif@v3
+        if: matrix.os == 'ubuntu-latest'
        with:
          sarif_file: eslint.sarif
          category: eslint

-  # Verifying the PR checks are up-to-date requires Node 24. The PR checks are not dependent
-  # on the main codebase and therefore do not need to be run as part of the same matrix that
-  # we use for the `unit-tests` job.
-  verify-pr-checks:
-    name: Verify PR checks
-    if: github.triggering_actor != 'dependabot[bot]'
-    permissions:
-      contents: read
-    runs-on: ubuntu-slim
-    timeout-minutes: 10
-
-    steps:
-      - name: Prepare git (Windows)
-        if: runner.os == 'Windows'
-        run: git config --global core.autocrlf false
-
-      - name: Checkout repository
-        uses: actions/checkout@v6
-
-      - name: Set up Node.js
-        uses: actions/setup-node@v6
-        with:
-          node-version: 24
-          cache: 'npm'
-
-      - name: Install dependencies
-        run: npm ci
-
-      - name: Verify PR checks up to date
-        if: always()
-        run: .github/workflows/script/verify-pr-checks.sh
-
-      - name: Run pr-checks tests
-        if: always()
-        working-directory: pr-checks
-        run: npx tsx --test
-
  check-node-version:
-    if: github.triggering_actor != 'dependabot[bot]'
+    if: github.event.pull_request
    name: Check Action Node versions
    runs-on: ubuntu-latest
    timeout-minutes: 45
@@ -116,7 +82,7 @@ jobs:
      contents: read

    steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v5
      - id: head-version
        name: Verify all Actions use the same Node version
        run: |
@@ -131,7 +97,7 @@ jobs:
      - id: checkout-base
        name: 'Backport: Check out base ref'
        if: ${{ startsWith(github.head_ref, 'backport-') }}
-        uses: actions/checkout@v6
+        uses: actions/checkout@v5
        with:
          ref: ${{ env.BASE_REF }}

@@ -29,7 +29,7 @@ defaults:
 jobs:
  prepare:
    name: "Prepare release"
-    runs-on: ubuntu-slim
+    runs-on: ubuntu-latest
    if: github.repository == 'github/codeql-action'

    permissions:
@@ -44,7 +44,7 @@ jobs:

    steps:
      - name: Checkout repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@v5
        with:
          fetch-depth: 0 # Need full history for calculation of diffs

@@ -1,10 +1,8 @@
 name: 'Publish Immutable Action Version'

 on:
-  push:
-    tags:
-      # Match version tags, but not the major version tags.
-      - 'v[0-9]+.**'
+  release:
+    types: [published]

 defaults:
  run:
@@ -12,16 +10,30 @@ defaults:

 jobs:
  publish:
-    runs-on: ubuntu-slim
+    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write
      packages: write

    steps:
-      - name: Checkout repository
-        uses: actions/checkout@v6
-
-      - name: Publish immutable release
+      - name: Check release name
+        id: check
+        env:
+          RELEASE_NAME: ${{ github.event.release.name }}
+        run: |
+          echo "Release name: ${{ github.event.release.name }}"
+          if [[ $RELEASE_NAME == v* ]]; then
+            echo "This is a CodeQL Action release. Create an Immutable Action"
+            echo "is-action-release=true" >> $GITHUB_OUTPUT
+          else
+            echo "This is a CodeQL Bundle release. Do not create an Immutable Action"
+            echo "is-action-release=false" >> $GITHUB_OUTPUT
+          fi
+      - name: Checking out
+        if: steps.check.outputs.is-action-release == 'true'
+        uses: actions/checkout@v5
+      - name: Publish
+        if: steps.check.outputs.is-action-release == 'true'
        id: publish
        uses: actions/publish-immutable-action@v0.0.4
@@ -7,8 +7,6 @@ on:
    # Run checks on reopened draft PRs to support triggering PR checks on draft PRs that were opened
    # by other workflows.
    types: [opened, synchronize, reopened, ready_for_review]
-  merge_group:
-    types: [checks_requested]
  schedule:
    # Weekly on Monday.
    - cron: '0 0 * * 1'
@@ -20,22 +18,19 @@ defaults:

 jobs:
  test-setup-python-scripts:
-    if: github.triggering_actor != 'dependabot[bot]'
    env:
      CODEQL_ACTION_TEST_MODE: true
    timeout-minutes: 45
    permissions:
      contents: read
-      # We currently need `security-events: read` to access feature flags.
-      security-events: read
    runs-on: windows-latest

    steps:
-    - uses: actions/setup-python@v6
+    - uses: actions/setup-python@v5
      with:
        python-version: 3.12

-    - uses: actions/checkout@v6
+    - uses: actions/checkout@v5

    - name: Prepare test
      uses: ./.github/actions/prepare-test
@@ -11,11 +11,9 @@ on:
    - synchronize
    - reopened
    - ready_for_review
-  merge_group:
-    types: [checks_requested]
  schedule:
    - cron: '0 5 * * *'
-  workflow_dispatch:
+  workflow_dispatch: {}

 defaults:
  run:
@@ -24,19 +22,18 @@ defaults:
 jobs:
  query-filters:
    name: Query Filters Tests
-    if: github.triggering_actor != 'dependabot[bot]'
    timeout-minutes: 45
    runs-on: ubuntu-latest
    permissions:
      contents: read # This permission is needed to allow the GitHub Actions workflow to read the contents of the repository.
    steps:
    - name: Check out repository
-      uses: actions/checkout@v6
+      uses: actions/checkout@v5

    - name: Install Node.js
-      uses: actions/setup-node@v6
+      uses: actions/setup-node@v4
      with:
-        node-version: 24
+        node-version: 20.x
        cache: npm

    - name: Install dependencies
@@ -15,25 +15,15 @@ jobs:
    runs-on: ubuntu-latest
    if: github.event.label.name == 'Rebuild' || github.event_name == 'workflow_dispatch'

-    env:
-      HEAD_REF: ${{ github.event.pull_request.head.ref || github.event.ref }}
-      BASE_BRANCH: ${{ github.event.pull_request.base.ref || 'main' }}
-
    permissions:
      contents: write # needed to push rebuilt commit
      pull-requests: write # needed to comment on the PR
    steps:
      - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@v5
        with:
          fetch-depth: 0
-          ref: ${{ env.HEAD_REF }}
-
-      - name: Set up Node.js
-        uses: actions/setup-node@v6
-        with:
-          node-version: 24
-          cache: 'npm'
+          ref: ${{ github.event.pull_request.head.ref || github.event.ref }}

      - name: Remove label
        if: github.event_name == 'pull_request'
@@ -51,22 +41,15 @@ jobs:

      - name: Merge in changes from base branch
        id: merge
+        env:
+          BASE_BRANCH: ${{ github.event.pull_request.base.ref || 'main' }}
        run: |
          git fetch origin "$BASE_BRANCH"

          # Allow merge conflicts in `lib`, since rebuilding should resolve them.
-          git merge "origin/$BASE_BRANCH"
+          git merge "origin/$BASE_BRANCH" || echo "Merge conflicts detected, continuing."
          MERGE_RESULT=$?

-          if [ "$MERGE_RESULT" -eq 0 ]; then
-            echo "Merge succeeded cleanly."
-          elif [ "$MERGE_RESULT" -eq 1 ]; then
-            echo "Merge conflicts detected (exit code $MERGE_RESULT), continuing."
-          else
-            echo "git merge failed with unexpected exit code $MERGE_RESULT."
-            exit 1
-          fi
-
          if [ "$MERGE_RESULT" -ne 0 ]; then
            echo "merge-in-progress=true" >> $GITHUB_OUTPUT

@@ -88,17 +71,17 @@ jobs:
          npm run lint -- --fix
          npm run build

-      - name: Sync back version updates to generated workflows
-        # Only sync back versions on Dependabot update PRs
-        if: startsWith(env.HEAD_REF, 'dependabot/')
-        working-directory: pr-checks
-        run: |
-          npm ci
-          npx tsx sync-back.ts --verbose
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: 3.11

      - name: Generate workflows
-        working-directory: pr-checks
-        run: ./sync.sh
+        run: |
+          cd pr-checks
+          python -m pip install --upgrade pip
+          pip install ruamel.yaml==0.17.31
+          python3 sync.py

      - name: "Merge in progress: Finish merge and push"
        if: steps.merge.outputs.merge-in-progress == 'true'
@@ -119,7 +102,7 @@ jobs:
            # Otherwise, just commit the changes.
            if git rev-parse --verify MERGE_HEAD >/dev/null 2>&1; then
              echo "In progress merge detected, finishing it up."
-              git commit --no-edit
+              git merge --continue
            else
              echo "No in-progress merge detected, committing changes."
              git commit -m "Rebuild"
@@ -10,10 +10,6 @@ on:
        required: true
  # Only for dry-runs of changes to the workflow.
  push:
-    # Don't run dry-run on release branches, to avoid an issue where the
-    # "new" tag determined by the "Prepare release" job already exists.
-    branches-ignore:
-      - releases/v*
    paths:
      - .github/workflows/rollback-release.yml
      - .github/actions/prepare-mergeback-branch/**
@@ -52,7 +48,7 @@ jobs:

    steps:
      - name: Checkout repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@v5
        with:
          fetch-depth: 0 # Need full history for calculation of diffs

@@ -127,8 +123,9 @@ jobs:
        env:
          NEW_CHANGELOG: "${{ runner.temp }}/new_changelog.md"
          PARTIAL_CHANGELOG: "${{ runner.temp }}/partial_changelog.md"
+          VERSION: "${{ needs.prepare.outputs.version }}"
        run: |
-          python .github/workflows/script/prepare_changelog.py $NEW_CHANGELOG > $PARTIAL_CHANGELOG
+          python .github/workflows/script/prepare_changelog.py $NEW_CHANGELOG "$VERSION" > $PARTIAL_CHANGELOG

          echo "::group::Partial CHANGELOG"
          cat $PARTIAL_CHANGELOG
@@ -136,7 +133,7 @@ jobs:

      - name: Generate token
        if: github.event_name == 'workflow_dispatch'
-        uses: actions/create-github-app-token@v3.0.0
+        uses: actions/create-github-app-token@v2.1.1
        id: app-token
        with:
          app-id: ${{ vars.AUTOMATION_APP_ID }}
@@ -1,23 +0,0 @@
-#!/usr/bin/env python3
-import os
-import re
-
-cli_version = os.environ['CLI_VERSION']
-
-# The GitHub Release for the new bundle version.
-bundle_release_url = f"https://github.com/github/codeql-action/releases/tag/codeql-bundle-v{cli_version}"
-# Get the PR number from the PR URL.
-pr_number = os.environ['PR_URL'].split('/')[-1]
-changelog_note = f"- Update default CodeQL bundle version to [{cli_version}]({bundle_release_url}). [#{pr_number}]({os.environ['PR_URL']})"
-
-# If the "[UNRELEASED]" section starts with "no user facing changes", remove that line.
-with open('CHANGELOG.md', 'r') as f:
-    changelog = f.read()
-
-changelog = changelog.replace('## [UNRELEASED]\n\nNo user facing changes.', '## [UNRELEASED]\n')
-
-# Add the changelog note to the bottom of the "[UNRELEASED]" section.
-changelog = re.sub(r'\n## (\d+\.\d+\.\d+)', f'{changelog_note}\n\n## \\1', changelog, count=1)
-
-with open('CHANGELOG.md', 'w') as f:
-    f.write(changelog)
@@ -16,18 +16,6 @@ if [ ! -z "$(git status --porcelain)" ]; then
    # If we get a fail here then the PR needs attention
    >&2 echo "Failed: JavaScript files are not up to date. Run 'rm -rf lib && npm run-script build' to update"
    git status
-
-    echo "### Transpiled JS diff" >> $GITHUB_STEP_SUMMARY
-    echo "" >> $GITHUB_STEP_SUMMARY
-    echo '```diff' >> $GITHUB_STEP_SUMMARY
-    git diff --output="$RUNNER_TEMP/js.diff"
-    cat "$RUNNER_TEMP/js.diff" >> $GITHUB_STEP_SUMMARY
-    echo '```' >> $GITHUB_STEP_SUMMARY
-
-    # Reset bundled files to allow other checks to test for changes
-    git checkout lib
-
-    # Fail this check
    exit 1
 fi
 echo "Success: JavaScript files are up to date"
@@ -1,4 +1,3 @@
-#!/usr/bin/env python3
 import os
 import sys

@@ -7,7 +6,7 @@ EMPTY_CHANGELOG = 'No changes.\n\n'
 # Prepare the changelog for the new release
 # This function will extract the part of the changelog that
 # we want to include in the new release.
-def extract_changelog_snippet(changelog_file):
+def extract_changelog_snippet(changelog_file, version_tag):
  output = ''
  if (not os.path.exists(changelog_file)):
    output = EMPTY_CHANGELOG
@@ -16,20 +15,23 @@ def extract_changelog_snippet(changelog_file):
    with open(changelog_file, 'r') as f:
      lines = f.readlines()

-      # Include only the contents of the first section
+      # Include everything up to, but excluding the second heading
      found_first_section = False
-      for line in lines:
+      for i, line in enumerate(lines):
        if line.startswith('## '):
          if found_first_section:
            break
          found_first_section = True
-        elif found_first_section:
-          output += line
+        output += line

-  return output.strip()
+  output += f"See the full [CHANGELOG.md](https://github.com/github/codeql-action/blob/{version_tag}/CHANGELOG.md) for more information."
+
+  return output


-if len(sys.argv) < 2:
-  raise Exception('Expecting argument: changelog_file')
+if len(sys.argv) < 3:
+  raise Exception('Expecting argument: changelog_file version_tag')
 changelog_file = sys.argv[1]
-print(extract_changelog_snippet(changelog_file))
+version_tag = sys.argv[2]
+
+print(extract_changelog_snippet(changelog_file, version_tag))
@@ -0,0 +1,56 @@
+#!/usr/bin/env bash
+# Update the required checks based on the current branch.
+
+SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )"
+REPO_DIR="$(dirname "$SCRIPT_DIR")"
+GRANDPARENT_DIR="$(dirname "$REPO_DIR")"
+source "$GRANDPARENT_DIR/releases.ini"
+
+if ! gh auth status 2>/dev/null; then
+  gh auth status
+  echo "Failed: Not authorized. This script requires admin access to github/codeql-action through the gh CLI."
+  exit 1
+fi
+
+if [ "$#" -eq 1 ]; then
+  # If we were passed an argument, use that as the SHA
+  GITHUB_SHA="$1"
+elif [ "$#" -gt 1 ]; then
+  echo "Usage: $0 [SHA]"
+  echo "Update the required checks based on the SHA, or main."
+  exit 1
+elif [ -z "$GITHUB_SHA" ]; then
+  # If we don't have a SHA, use main
+  GITHUB_SHA="$(git rev-parse main)"
+fi
+
+echo "Getting checks for $GITHUB_SHA"
+
+# Ignore any checks with "https://", CodeQL, LGTM, Update, and ESLint checks.
+CHECKS="$(gh api repos/github/codeql-action/commits/"${GITHUB_SHA}"/check-runs --paginate | jq --slurp --compact-output --raw-output '[.[].check_runs.[] | select(.conclusion != "skipped") | .name | select(contains("https://") or . == "CodeQL" or . == "Dependabot" or . == "check-expected-release-files" or contains("Update") or contains("ESLint") or contains("update") or contains("test-setup-python-scripts") | not)] | unique | sort')"
+
+echo "$CHECKS" | jq
+
+echo "{\"contexts\": ${CHECKS}}" > checks.json
+
+echo "Updating main"
+gh api --silent -X "PATCH" "repos/github/codeql-action/branches/main/protection/required_status_checks" --input checks.json
+
+# list all branchs on origin remote matching releases/v*
+BRANCHES="$(git ls-remote --heads origin 'releases/v*' | sed 's?.*refs/heads/??' | sort -V)"
+
+for BRANCH in $BRANCHES; do
+
+  # strip exact 'releases/v' prefix from $BRANCH using count of characters
+  VERSION="${BRANCH:10}"
+
+  if [ "$VERSION" -lt "$OLDEST_SUPPORTED_MAJOR_VERSION" ]; then
+    echo "Skipping $BRANCH"
+    continue
+  fi
+
+  echo "Updating $BRANCH"
+  gh api --silent -X "PATCH" "repos/github/codeql-action/branches/$BRANCH/protection/required_status_checks" --input checks.json
+done
+
+rm checks.json
@@ -19,15 +19,7 @@ if [ ! -z "$(git status --porcelain)" ]; then
    # If we get a fail here then the PR needs attention
    git diff
    git status
-    >&2 echo "Failed: PR checks are not up to date. Run 'cd pr-checks && ./sync.sh' to update"
-
-    echo "### Generated workflows diff" >> $GITHUB_STEP_SUMMARY
-    echo "" >> $GITHUB_STEP_SUMMARY
-    echo '```diff' >> $GITHUB_STEP_SUMMARY
-    git diff --output="$RUNNER_TEMP/workflows.diff"
-    cat "$RUNNER_TEMP/workflows.diff" >> $GITHUB_STEP_SUMMARY
-    echo '```' >> $GITHUB_STEP_SUMMARY
-
+    >&2 echo "Failed: PR checks are not up to date. Run 'cd pr-checks && python3 sync.py' to update"
    exit 1
 fi
-echo "Success: PR checks are up to date"
+echo "Success: PR checks are up to date"
@@ -13,11 +13,9 @@ on:
    - synchronize
    - reopened
    - ready_for_review
-  merge_group:
-    types: [checks_requested]
  schedule:
    - cron: '0 5 * * *'
-  workflow_dispatch:
+  workflow_dispatch: {}
 defaults:
  run:
    shell: bash
@@ -30,7 +28,6 @@ jobs:
        - os: ubuntu-latest
          version: nightly-latest
    name: 'CodeQL Bundle All'
-    if: github.triggering_actor != 'dependabot[bot]'
    permissions:
      contents: read
      security-events: read
@@ -38,22 +35,18 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
    - name: Check out repository
-      uses: actions/checkout@v6
+      uses: actions/checkout@v5
    - name: Prepare test
      id: prepare-test
      uses: ./.github/actions/prepare-test
      with:
        version: ${{ matrix.version }}
        use-all-platform-bundle: true
-    - name: Install .NET
-      uses: actions/setup-dotnet@v5
-      with:
-        dotnet-version: '9.x'
    - id: init
      uses: ./../action/init
      with:
        # We manually exclude Swift from the languages list here, as it is not supported on Ubuntu
-        languages: cpp,csharp,go,java,javascript,python,ruby
+        languages: cpp,csharp,go,java,javascript,python,ruby 
        tools: ${{ steps.prepare-test.outputs.tools-url }}
    - name: Build code
      run: ./build.sh
@@ -20,7 +20,7 @@ defaults:
 jobs:
  update-bundle:
    if: github.event.release.prerelease && startsWith(github.event.release.tag_name, 'codeql-bundle-')
-    runs-on: ubuntu-slim
+    runs-on: ubuntu-latest
    permissions:
      contents: write # needed to push commits
      pull-requests: write # needed to create pull requests
@@ -33,22 +33,17 @@ jobs:
          GITHUB_CONTEXT: '${{ toJson(github) }}'
        run: echo "$GITHUB_CONTEXT"

-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v5

      - name: Update git config
        run: |
          git config --global user.email "41898282+github-actions[bot]@users.noreply.github.com"
          git config --global user.name "github-actions[bot]"

-      - name: Set up Python
-        uses: actions/setup-python@v6
-        with:
-          python-version: '3.12'
-
      - name: Set up Node.js
-        uses: actions/setup-node@v6
+        uses: actions/setup-node@v4
        with:
-          node-version: 24
+          node-version: '20.x'
          cache: 'npm'

      - name: Install dependencies
@@ -57,24 +52,6 @@ jobs:
      - name: Update bundle
        uses: ./.github/actions/update-bundle

-      - name: Bump Action minor version if new CodeQL minor version series
-        id: bump-action-version
-        run: |
-          prior_cli_version=$(jq -r '.priorCliVersion' src/defaults.json)
-          cli_version=$(jq -r '.cliVersion' src/defaults.json)
-
-          prior_minor=$(echo "$prior_cli_version" | cut -d. -f2)
-          current_minor=$(echo "$cli_version" | cut -d. -f2)
-
-          if [[ "$current_minor" != "$prior_minor" ]]; then
-            echo "New CodeQL minor version series ($prior_cli_version -> $cli_version), bumping Action minor version"
-            npm version minor --no-git-tag-version
-            echo "bumped=true" >> "$GITHUB_OUTPUT"
-          else
-            echo "Same minor version series ($prior_cli_version -> $cli_version), skipping Action version bump"
-            echo "bumped=false" >> "$GITHUB_OUTPUT"
-          fi
-
      - name: Rebuild Action
        run: npm run build

@@ -89,19 +66,11 @@ jobs:
      - name: Open pull request
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          ACTION_VERSION_BUMPED: ${{ steps.bump-action-version.outputs.bumped }}
        run: |
          cli_version=$(jq -r '.cliVersion' src/defaults.json)
-          action_version=$(jq -r '.version' package.json)
-
-          pr_body="This pull request updates the default CodeQL bundle, as used with \`tools: linked\` and on GHES, to $cli_version."
-          if [[ "$ACTION_VERSION_BUMPED" == "true" ]]; then
-            pr_body+=$'\n\n'"Since this is a new CodeQL minor version series, this PR also bumps the Action version to $action_version."
-          fi
-
          pr_url=$(gh pr create \
            --title "Update default bundle to $cli_version" \
-            --body "$pr_body" \
+            --body "This pull request updates the default CodeQL bundle, as used with \`tools: linked\` and on GHES, to $cli_version." \
            --assignee "$GITHUB_ACTOR" \
            --draft \
          )
@@ -109,8 +78,28 @@ jobs:
          echo "PR_URL=$pr_url" | tee -a "$GITHUB_ENV"

      - name: Create changelog note
+        shell: python
        run: |
-          python .github/workflows/script/bundle_changelog.py
+          import os
+          import re
+
+          # Get the PR number from the PR URL.
+          pr_number = os.environ['PR_URL'].split('/')[-1]
+          changelog_note = f"- Update default CodeQL bundle version to {os.environ['CLI_VERSION']}. [#{pr_number}]({os.environ['PR_URL']})"
+
+          # If the "[UNRELEASED]" section starts with "no user facing changes", remove that line.
+          # Use perl to avoid having to escape the newline character.
+
+          with open('CHANGELOG.md', 'r') as f:
+              changelog = f.read()
+
+          changelog = changelog.replace('## [UNRELEASED]\n\nNo user facing changes.', '## [UNRELEASED]\n')
+
+          # Add the changelog note to the bottom of the "[UNRELEASED]" section.
+          changelog = re.sub(r'\n## (\d+\.\d+\.\d+)', f'{changelog_note}\n\n## \\1', changelog, count=1)
+
+          with open('CHANGELOG.md', 'w') as f:
+              f.write(changelog)

      - name: Push changelog note
        run: |
@@ -0,0 +1,99 @@
+name: Update dependency proxy release assets
+on:
+  workflow_dispatch:
+    inputs:
+      tag:
+        description: "The tag of CodeQL Bundle release that contains the proxy binaries as release assets"
+        type: string
+        required: true
+
+defaults:
+  run:
+    shell: bash
+
+jobs:
+  update:
+    name: Update code and create PR
+    timeout-minutes: 15
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write # needed to push the updated files
+      pull-requests: write # needed to create the PR
+    env:
+      RELEASE_TAG: ${{ inputs.tag }}
+    steps:
+      - name: Check release tag format
+        id: checks
+        run: |
+          if ! [[ $RELEASE_TAG =~ ^codeql-bundle-v[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
+            echo "Invalid release tag: expected a CodeQL bundle tag in the 'codeql-bundle-vM.N.P' format."
+            exit 1
+          fi
+
+          echo "target_branch=dependency-proxy/$RELEASE_TAG" >> $GITHUB_OUTPUT
+
+      - name: Check that the release exists
+        env:
+          GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
+        run: |
+          (gh release view --repo "$GITHUB_REPOSITORY" --json "assets" "$RELEASE_TAG" && echo "Release found.") || exit 1
+
+      - name: Install Node
+        uses: actions/setup-node@v4
+
+      - name: Checkout repository
+        uses: actions/checkout@v5
+        with:
+          fetch-depth: 0  # ensure we have all tags and can push commits
+          ref: main
+
+      - name: Update git config
+        run: |
+          git config --global user.email "41898282+github-actions[bot]@users.noreply.github.com"
+          git config --global user.name "github-actions[bot]"
+
+      - name: Update release tag and version
+        run: |
+          NOW=$(date +"%Y%m%d%H%M%S") # only used to make sure we don't fetch stale binaries from the toolcache
+          sed -i "s|https://github.com/github/codeql-action/releases/download/codeql-bundle-v[0-9.]\+/|https://github.com/github/codeql-action/releases/download/$RELEASE_TAG/|g" ./src/start-proxy-action.ts
+          sed -i "s/\"v2.0.[0-9]\+\"/\"v2.0.$NOW\"/g" ./src/start-proxy-action.ts
+
+      - name: Compile TypeScript and commit changes
+        env:
+          TARGET_BRANCH: ${{ steps.checks.outputs.target_branch }}
+        run: |
+          set -exu
+          git checkout -b "$TARGET_BRANCH"
+
+          npm run build
+          git add ./src/start-proxy-action.ts
+          git add ./lib
+          git commit -m "Update release used by \`start-proxy\` action"
+
+      - name: Push changes and open PR
+        env:
+          GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
+          TARGET_BRANCH: ${{ steps.checks.outputs.target_branch }}
+          PR_FLAG: ${{ (github.event_name == 'workflow_dispatch' && '--draft') || '--dry-run' }}
+        run: |
+          set -exu
+          pr_title="Update release used by \`start-proxy\` to \`$RELEASE_TAG\`"
+          pr_body=$(cat << EOF
+            This PR updates the \`start-proxy\` action to use the private registry proxy binaries that
+            are attached as release assets to the \`$RELEASE_TAG\` release.
+
+
+            Please do the following before merging:
+
+            - [ ] Verify that the changes to the code are correct.
+            - [ ] Mark the PR as ready for review to trigger the CI.
+          EOF
+          )
+
+          git push origin "$TARGET_BRANCH"
+          gh pr create \
+            --head "$TARGET_BRANCH" \
+            --base "main" \
+            --title "${pr_title}" \
+            --body "${pr_body}" \
+            $PR_FLAG
@@ -26,7 +26,7 @@ jobs:

  update:
    timeout-minutes: 45
-    runs-on: ubuntu-slim
+    runs-on: ubuntu-latest
    if: github.event_name == 'workflow_dispatch'
    needs: [prepare]
    env:
@@ -38,7 +38,7 @@ jobs:
      contents: write # needed to push commits
      pull-requests: write # needed to create pull request
    steps:
-    - uses: actions/checkout@v6
+    - uses: actions/checkout@v5
      with:
        fetch-depth: 0  # Need full history for calculation of diffs
    - uses: ./.github/actions/release-initialise
@@ -77,7 +77,7 @@ jobs:

  backport:
    timeout-minutes: 45
-    runs-on: ubuntu-slim
+    runs-on: ubuntu-latest
    environment: Automation
    needs: [prepare]
    if: ${{ (github.event_name == 'push') && needs.prepare.outputs.backport_target_branches != '[]' }}
@@ -93,14 +93,14 @@ jobs:
      pull-requests: write # needed to create pull request
    steps:
    - name: Generate token
-      uses: actions/create-github-app-token@v3.0.0
+      uses: actions/create-github-app-token@v2.1.1
      id: app-token
      with:
        app-id: ${{ vars.AUTOMATION_APP_ID }}
        private-key: ${{ secrets.AUTOMATION_PRIVATE_KEY }}

    - name: Checkout
-      uses: actions/checkout@v6
+      uses: actions/checkout@v5
      with:
        fetch-depth: 0  # Need full history for calculation of diffs
        token: ${{ steps.app-token.outputs.token }}
@@ -4,18 +4,12 @@ on:
  schedule:
    - cron: "0 0 * * *"
  workflow_dispatch:
-  pull_request:
-    branches:
-      - main
-    paths:
-      - .github/workflows/update-supported-enterprise-server-versions.yml
-      - .github/workflows/update-supported-enterprise-server-versions/update.py

 jobs:
  update-supported-enterprise-server-versions:
    name: Update Supported Enterprise Server Versions
    timeout-minutes: 45
-    runs-on: ubuntu-slim
+    runs-on: ubuntu-latest
    if: github.repository == 'github/codeql-action'
    permissions:
      contents: write # needed to push commits
@@ -23,18 +17,17 @@ jobs:

    steps:
      - name: Setup Python
-        uses: actions/setup-python@v6
+        uses: actions/setup-python@v5
        with:
          python-version: "3.13"
      - name: Checkout CodeQL Action
-        uses: actions/checkout@v6
+        uses: actions/checkout@v5
      - name: Checkout Enterprise Releases
-        uses: actions/checkout@v6
+        uses: actions/checkout@v5
        with:
          repository: github/enterprise-releases
          token: ${{ secrets.ENTERPRISE_RELEASE_TOKEN }}
          path: ${{ github.workspace }}/enterprise-releases/
-          sparse-checkout: releases.json
      - name: Update Supported Enterprise Server Versions
        run: |
          cd ./.github/workflows/update-supported-enterprise-server-versions/
@@ -42,7 +35,6 @@ jobs:
          pipenv install
          pipenv run ./update.py
          rm --recursive "$ENTERPRISE_RELEASES_PATH"
-          npm ci
          npm run build
        env:
          ENTERPRISE_RELEASES_PATH: ${{ github.workspace }}/enterprise-releases/
@@ -52,33 +44,25 @@ jobs:
          git config --global user.email "41898282+github-actions[bot]@users.noreply.github.com"
          git config --global user.name "github-actions[bot]"

-      - name: Commit changes
-        id: prepare-commit
+      - name: Commit changes and open PR
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          if [[ -z $(git status --porcelain) ]]; then
            echo "No changes to commit"
-            echo "committed=false" >> $GITHUB_OUTPUT
          else
            git checkout -b update-supported-enterprise-server-versions
            git add .
            git commit --message "Update supported GitHub Enterprise Server versions"
+            git push origin update-supported-enterprise-server-versions

-            echo "committed=true" >> $GITHUB_OUTPUT
+            body="This PR updates the list of supported GitHub Enterprise Server versions, either because a new "
+            body+="version is about to be feature frozen, or because an old release has been deprecated."
+            body+=$'\n\n'
+            body+="If an old release has been deprecated, please follow the instructions in CONTRIBUTING.md to "
+            body+="deprecate the corresponding version of CodeQL."
+
+            gh pr create --draft \
+              --title "Update supported GitHub Enterprise Server versions" \
+              --body "$body"
          fi
-
-      - name: Open PR
-        if: github.event_name != 'pull_request' && steps.prepare-commit.outputs.committed == 'true'
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        run: |
-          git push origin update-supported-enterprise-server-versions
-
-          body="This PR updates the list of supported GitHub Enterprise Server versions, either because a new "
-          body+="version is about to be feature frozen, or because an old release has been deprecated."
-          body+=$'\n\n'
-          body+="If an old release has been deprecated, please follow the instructions in CONTRIBUTING.md to "
-          body+="deprecate the corresponding version of CodeQL."
-
-          gh pr create --draft \
-            --title "Update supported GitHub Enterprise Server versions" \
-            --body "$body"
@@ -8,11 +8,6 @@
    "build": true,
    "lib": true,
  },
-  "search.exclude": {
-    "**/node_modules": true,
-    "build": true,
-    "lib": true,
-  },
  // Installing a new Node package often triggers VS Code's git limit warnings as there is typically
  // an intermediate stage where many files are modified. This setting suppresses these warnings.
  "git.ignoreLimitWarning": true,
--- a/Show More
+++ b/Show More