Reimplement resolveExtractor() as wrapper over resolveLanguages()

By wrapping `resolveLanguages()`, which is memoized, we can avoid executing `codeql resolve extractor` several times over the course of an analysis.
Cache the output of codeql resolve languages
2026-06-05 05:14:38 +00:00 · 2026-06-04 08:40:02 -05:00 · 2026-06-04 08:39:58 -05:00 · 2026-06-04 10:56:27 +00:00 · 2026-06-04 10:43:06 +00:00 · 2026-06-04 10:42:59 +00:00
105 changed files with 854 additions and 495 deletions
@@ -16,13 +16,13 @@ runs:
      shell: bash

    - name: Set up Node
-      uses: actions/setup-node@v6
+      uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
      with:
        node-version: 24
        cache: 'npm'

    - name: Set up Python
-      uses: actions/setup-python@v6
+      uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
      with:
        python-version: '3.12'

@@ -74,13 +74,13 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
      - name: Install .NET
-        uses: actions/setup-dotnet@v5
+        uses: actions/setup-dotnet@9a946fdbd5fb07b82b2f5a4466058b876ab72bb2 # v5.3.0
        with:
          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - name: Install Go
-        uses: actions/setup-go@v6
+        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
        with:
          go-version: ${{ inputs.go-version || '>=1.21.0' }}
          cache: false
@@ -72,7 +72,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -92,7 +92,7 @@ jobs:
          post-processed-sarif-path: '${{ runner.temp }}/post-processed'

      - name: Upload SARIF files
-        uses: actions/upload-artifact@v7
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
        with:
          name: |
            analysis-kinds-${{ matrix.os }}-${{ matrix.version }}-${{ matrix.analysis-kinds }}
@@ -100,7 +100,7 @@ jobs:
          retention-days: 7

      - name: Upload post-processed SARIF
-        uses: actions/upload-artifact@v7
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
        with:
          name: |
            post-processed-${{ matrix.os }}-${{ matrix.version }}-${{ matrix.analysis-kinds }}
@@ -110,7 +110,7 @@ jobs:

      - name: Check quality query does not appear in security SARIF
        if: contains(matrix.analysis-kinds, 'code-scanning')
-        uses: actions/github-script@v8
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
        env:
          SARIF_PATH: '${{ runner.temp }}/results/javascript.sarif'
          EXPECT_PRESENT: 'false'
@@ -118,7 +118,7 @@ jobs:
          script: ${{ env.CHECK_SCRIPT }}
      - name: Check quality query appears in quality SARIF
        if: contains(matrix.analysis-kinds, 'code-quality')
-        uses: actions/github-script@v8
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
        env:
          SARIF_PATH: '${{ runner.temp }}/results/javascript.quality.sarif'
          EXPECT_PRESENT: 'true'
@@ -70,13 +70,13 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
      - name: Install .NET
-        uses: actions/setup-dotnet@v5
+        uses: actions/setup-dotnet@9a946fdbd5fb07b82b2f5a4466058b876ab72bb2 # v5.3.0
        with:
          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - name: Install Go
-        uses: actions/setup-go@v6
+        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
        with:
          go-version: ${{ inputs.go-version || '>=1.21.0' }}
          cache: false
@@ -64,9 +64,9 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
      - name: Install .NET
-        uses: actions/setup-dotnet@v5
+        uses: actions/setup-dotnet@9a946fdbd5fb07b82b2f5a4466058b876ab72bb2 # v5.3.0
        with:
          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - name: Prepare test
@@ -66,9 +66,9 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
      - name: Install Java
-        uses: actions/setup-java@v5
+        uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0
        with:
          java-version: ${{ inputs.java-version || '17' }}
          distribution: temurin
@@ -50,7 +50,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -66,9 +66,9 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
      - name: Install Java
-        uses: actions/setup-java@v5
+        uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0
        with:
          java-version: ${{ inputs.java-version || '17' }}
          distribution: temurin
@@ -70,13 +70,13 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
      - name: Install .NET
-        uses: actions/setup-dotnet@v5
+        uses: actions/setup-dotnet@9a946fdbd5fb07b82b2f5a4466058b876ab72bb2 # v5.3.0
        with:
          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - name: Install Go
-        uses: actions/setup-go@v6
+        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
        with:
          go-version: ${{ inputs.go-version || '>=1.21.0' }}
          cache: false
@@ -52,7 +52,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -50,7 +50,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -50,7 +50,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -50,7 +50,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -62,7 +62,7 @@ jobs:
        run: npm install @actions/tool-cache@3
      - name: Check toolcache contains CodeQL
        continue-on-error: true
-        uses: actions/github-script@v8
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
        with:
          script: |
            const toolcache = require('@actions/tool-cache');
@@ -75,7 +75,7 @@ jobs:
        with:
          tools: ${{ steps.prepare-test.outputs.tools-url }}
      - name: Check CodeQL is installed within the toolcache
-        uses: actions/github-script@v8
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
        with:
          script: |
            const toolcache = require('@actions/tool-cache');
@@ -54,7 +54,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -63,7 +63,7 @@ jobs:
          use-all-platform-bundle: 'false'
          setup-kotlin: 'true'
      - name: Remove CodeQL from toolcache
-        uses: actions/github-script@v8
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
        with:
          script: |
            const fs = require('fs');
@@ -73,7 +73,7 @@ jobs:
      - name: Install @actions/tool-cache
        run: npm install @actions/tool-cache@3
      - name: Check toolcache does not contain CodeQL
-        uses: actions/github-script@v8
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
        with:
          script: |
            const toolcache = require('@actions/tool-cache');
@@ -92,7 +92,7 @@ jobs:
          output: ${{ runner.temp }}/results
          upload-database: false
      - name: Check CodeQL is installed within the toolcache
-        uses: actions/github-script@v8
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
        with:
          script: |
            const toolcache = require('@actions/tool-cache');
@@ -54,7 +54,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -63,7 +63,7 @@ jobs:
          use-all-platform-bundle: 'false'
          setup-kotlin: 'true'
      - name: Remove CodeQL from toolcache
-        uses: actions/github-script@v8
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
        with:
          script: |
            const fs = require('fs');
@@ -82,13 +82,13 @@ jobs:
          output: ${{ runner.temp }}/results
          upload-database: false
      - name: Upload SARIF
-        uses: actions/upload-artifact@v7
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
        with:
          name: ${{ matrix.os }}-zstd-bundle.sarif
          path: ${{ runner.temp }}/results/javascript.sarif
          retention-days: 7
      - name: Check diagnostic with expected tools URL appears in SARIF
-        uses: actions/github-script@v8
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
        env:
          SARIF_PATH: ${{ runner.temp }}/results/javascript.sarif
        with:
@@ -50,7 +50,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -52,7 +52,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -70,13 +70,13 @@ jobs:
          output: '${{ runner.temp }}/results'
          upload-database: false
      - name: Upload SARIF
-        uses: actions/upload-artifact@v7
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
        with:
          name: config-export-${{ matrix.os }}-${{ matrix.version }}.sarif.json
          path: '${{ runner.temp }}/results/javascript.sarif'
          retention-days: 7
      - name: Check config properties appear in SARIF
-        uses: actions/github-script@v8
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
        env:
          SARIF_PATH: '${{ runner.temp }}/results/javascript.sarif'
        with:
@@ -50,9 +50,9 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
      - name: Install Node.js
-        uses: actions/setup-node@v6
+        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
        with:
          node-version: 20.x
          cache: npm
@@ -54,7 +54,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -52,7 +52,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -54,7 +54,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -52,7 +52,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -81,13 +81,13 @@ jobs:
          output: '${{ runner.temp }}/results'
          upload-database: false
      - name: Upload SARIF
-        uses: actions/upload-artifact@v7
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
        with:
          name: diagnostics-export-${{ matrix.os }}-${{ matrix.version }}.sarif.json
          path: '${{ runner.temp }}/results/javascript.sarif'
          retention-days: 7
      - name: Check diagnostics appear in SARIF
-        uses: actions/github-script@v8
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
        env:
          SARIF_PATH: '${{ runner.temp }}/results/javascript.sarif'
        with:
@@ -74,13 +74,13 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
      - name: Install .NET
-        uses: actions/setup-dotnet@v5
+        uses: actions/setup-dotnet@9a946fdbd5fb07b82b2f5a4466058b876ab72bb2 # v5.3.0
        with:
          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - name: Install Go
-        uses: actions/setup-go@v6
+        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
        with:
          go-version: ${{ inputs.go-version || '>=1.21.0' }}
          cache: false
@@ -102,7 +102,7 @@ jobs:
        with:
          output: '${{ runner.temp }}/results'
      - name: Upload SARIF
-        uses: actions/upload-artifact@v7
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
        with:
          name: with-baseline-information-${{ matrix.os }}-${{ matrix.version }}.sarif.json
          path: '${{ runner.temp }}/results/javascript.sarif'
@@ -50,7 +50,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -52,7 +52,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -72,13 +72,13 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
      - name: Install .NET
-        uses: actions/setup-dotnet@v5
+        uses: actions/setup-dotnet@9a946fdbd5fb07b82b2f5a4466058b876ab72bb2 # v5.3.0
        with:
          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - name: Install Go
-        uses: actions/setup-go@v6
+        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
        with:
          go-version: ${{ inputs.go-version || '>=1.21.0' }}
          cache: false
@@ -60,9 +60,9 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
      - name: Install Go
-        uses: actions/setup-go@v6
+        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
        with:
          go-version: ${{ inputs.go-version || '>=1.21.0' }}
          cache: false
@@ -78,7 +78,7 @@ jobs:
          languages: go
          tools: ${{ steps.prepare-test.outputs.tools-url }}
      # Deliberately change Go after the `init` step
-      - uses: actions/setup-go@v6
+      - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
        with:
          go-version: '1.20'
      - name: Build code
@@ -88,7 +88,7 @@ jobs:
          output: '${{ runner.temp }}/results'
          upload-database: false
      - name: Check diagnostic appears in SARIF
-        uses: actions/github-script@v8
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
        env:
          SARIF_PATH: '${{ runner.temp }}/results/go.sarif'
        with:
@@ -60,9 +60,9 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
      - name: Install Go
-        uses: actions/setup-go@v6
+        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
        with:
          go-version: ${{ inputs.go-version || '>=1.21.0' }}
          cache: false
@@ -89,7 +89,7 @@ jobs:
          output: '${{ runner.temp }}/results'
          upload-database: false
      - name: Check diagnostic appears in SARIF
-        uses: actions/github-script@v8
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
        env:
          SARIF_PATH: '${{ runner.temp }}/results/go.sarif'
        with:
@@ -60,9 +60,9 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
      - name: Install Go
-        uses: actions/setup-go@v6
+        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
        with:
          go-version: ${{ inputs.go-version || '>=1.21.0' }}
          cache: false
@@ -80,9 +80,9 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
      - name: Install Go
-        uses: actions/setup-go@v6
+        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
        with:
          go-version: ${{ inputs.go-version || '>=1.21.0' }}
          cache: false
@@ -80,9 +80,9 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
      - name: Install Go
-        uses: actions/setup-go@v6
+        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
        with:
          go-version: ${{ inputs.go-version || '>=1.21.0' }}
          cache: false
@@ -80,9 +80,9 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
      - name: Install Go
-        uses: actions/setup-go@v6
+        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
        with:
          go-version: ${{ inputs.go-version || '>=1.21.0' }}
          cache: false
@@ -54,7 +54,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -54,7 +54,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -50,7 +50,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -67,7 +67,7 @@ jobs:
        with:
          output: '${{ runner.temp }}/results'
      - name: Upload SARIF
-        uses: actions/upload-artifact@v7
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
        with:
          name: ${{ matrix.os }}-${{ matrix.version }}.sarif.json
          path: '${{ runner.temp }}/results/javascript.sarif'
@@ -50,7 +50,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -70,13 +70,13 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
      - name: Install .NET
-        uses: actions/setup-dotnet@v5
+        uses: actions/setup-dotnet@9a946fdbd5fb07b82b2f5a4466058b876ab72bb2 # v5.3.0
        with:
          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - name: Install Go
-        uses: actions/setup-go@v6
+        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
        with:
          go-version: ${{ inputs.go-version || '>=1.21.0' }}
          cache: false
@@ -104,13 +104,13 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
      - name: Install .NET
-        uses: actions/setup-dotnet@v5
+        uses: actions/setup-dotnet@9a946fdbd5fb07b82b2f5a4466058b876ab72bb2 # v5.3.0
        with:
          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - name: Install Go
-        uses: actions/setup-go@v6
+        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
        with:
          go-version: ${{ inputs.go-version || '>=1.21.0' }}
          cache: false
@@ -125,7 +125,7 @@ jobs:
        # We need Python 3.13 for older CLI versions because they are not compatible with Python 3.14 or newer.
        # See https://github.com/github/codeql-action/pull/3212
        if: matrix.version != 'nightly-latest' && matrix.version != 'linked'
-        uses: actions/setup-python@v6
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
        with:
          python-version: '3.13'

@@ -52,7 +52,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -74,18 +74,18 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
      - name: Install .NET
-        uses: actions/setup-dotnet@v5
+        uses: actions/setup-dotnet@9a946fdbd5fb07b82b2f5a4466058b876ab72bb2 # v5.3.0
        with:
          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - name: Install Go
-        uses: actions/setup-go@v6
+        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
        with:
          go-version: ${{ inputs.go-version || '>=1.21.0' }}
          cache: false
      - name: Install Node.js
-        uses: actions/setup-node@v6
+        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
        with:
          node-version: 20.x
          cache: npm
@@ -74,18 +74,18 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
      - name: Install .NET
-        uses: actions/setup-dotnet@v5
+        uses: actions/setup-dotnet@9a946fdbd5fb07b82b2f5a4466058b876ab72bb2 # v5.3.0
        with:
          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - name: Install Go
-        uses: actions/setup-go@v6
+        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
        with:
          go-version: ${{ inputs.go-version || '>=1.21.0' }}
          cache: false
      - name: Install Node.js
-        uses: actions/setup-node@v6
+        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
        with:
          node-version: 20.x
          cache: npm
@@ -74,18 +74,18 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
      - name: Install .NET
-        uses: actions/setup-dotnet@v5
+        uses: actions/setup-dotnet@9a946fdbd5fb07b82b2f5a4466058b876ab72bb2 # v5.3.0
        with:
          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - name: Install Go
-        uses: actions/setup-go@v6
+        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
        with:
          go-version: ${{ inputs.go-version || '>=1.21.0' }}
          cache: false
      - name: Install Node.js
-        uses: actions/setup-node@v6
+        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
        with:
          node-version: 20.x
          cache: npm
@@ -74,18 +74,18 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
      - name: Install .NET
-        uses: actions/setup-dotnet@v5
+        uses: actions/setup-dotnet@9a946fdbd5fb07b82b2f5a4466058b876ab72bb2 # v5.3.0
        with:
          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - name: Install Go
-        uses: actions/setup-go@v6
+        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
        with:
          go-version: ${{ inputs.go-version || '>=1.21.0' }}
          cache: false
      - name: Install Node.js
-        uses: actions/setup-node@v6
+        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
        with:
          node-version: 20.x
          cache: npm
@@ -72,13 +72,13 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
      - name: Install .NET
-        uses: actions/setup-dotnet@v5
+        uses: actions/setup-dotnet@9a946fdbd5fb07b82b2f5a4466058b876ab72bb2 # v5.3.0
        with:
          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - name: Install Go
-        uses: actions/setup-go@v6
+        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
        with:
          go-version: ${{ inputs.go-version || '>=1.21.0' }}
          cache: false
@@ -54,7 +54,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -50,7 +50,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -59,7 +59,7 @@ jobs:
          use-all-platform-bundle: 'false'
          setup-kotlin: 'true'
      - name: Set up Ruby
-        uses: ruby/setup-ruby@6aaa311d81eba98ae12eaffbcb63296ace0efcde # v1.307.0
+        uses: ruby/setup-ruby@afeafc3d1ab54a631816aba4c914a0081c12ff2f # v1.310.0
        with:
          ruby-version: 2.6
      - name: Install Code Scanning integration
@@ -60,7 +60,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -58,7 +58,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -80,13 +80,13 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
      - name: Install .NET
-        uses: actions/setup-dotnet@v5
+        uses: actions/setup-dotnet@9a946fdbd5fb07b82b2f5a4466058b876ab72bb2 # v5.3.0
        with:
          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - name: Install Go
-        uses: actions/setup-go@v6
+        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
        with:
          go-version: ${{ inputs.go-version || '>=1.21.0' }}
          cache: false
@@ -54,7 +54,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -54,7 +54,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -62,7 +62,7 @@ jobs:
          version: ${{ matrix.version }}
          use-all-platform-bundle: 'false'
          setup-kotlin: 'true'
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
      - uses: ./init
        with:
          languages: javascript
@@ -50,7 +50,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -74,13 +74,13 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
      - name: Install .NET
-        uses: actions/setup-dotnet@v5
+        uses: actions/setup-dotnet@9a946fdbd5fb07b82b2f5a4466058b876ab72bb2 # v5.3.0
        with:
          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - name: Install Go
-        uses: actions/setup-go@v6
+        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
        with:
          go-version: ${{ inputs.go-version || '>=1.21.0' }}
          cache: false
@@ -72,13 +72,13 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
      - name: Install .NET
-        uses: actions/setup-dotnet@v5
+        uses: actions/setup-dotnet@9a946fdbd5fb07b82b2f5a4466058b876ab72bb2 # v5.3.0
        with:
          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - name: Install Go
-        uses: actions/setup-go@v6
+        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
        with:
          go-version: ${{ inputs.go-version || '>=1.21.0' }}
          cache: false
@@ -70,13 +70,13 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
      - name: Install .NET
-        uses: actions/setup-dotnet@v5
+        uses: actions/setup-dotnet@9a946fdbd5fb07b82b2f5a4466058b876ab72bb2 # v5.3.0
        with:
          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - name: Install Go
-        uses: actions/setup-go@v6
+        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
        with:
          go-version: ${{ inputs.go-version || '>=1.21.0' }}
          cache: false
@@ -77,13 +77,13 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
      - name: Install .NET
-        uses: actions/setup-dotnet@v5
+        uses: actions/setup-dotnet@9a946fdbd5fb07b82b2f5a4466058b876ab72bb2 # v5.3.0
        with:
          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - name: Install Go
-        uses: actions/setup-go@v6
+        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
        with:
          go-version: ${{ inputs.go-version || '>=1.21.0' }}
          cache: false
@@ -71,13 +71,13 @@ jobs:
    steps:
      # This ensures we don't accidentally use the original checkout for any part of the test.
      - name: Check out repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
      - name: Install .NET
-        uses: actions/setup-dotnet@v5
+        uses: actions/setup-dotnet@9a946fdbd5fb07b82b2f5a4466058b876ab72bb2 # v5.3.0
        with:
          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - name: Install Go
-        uses: actions/setup-go@v6
+        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
        with:
          go-version: ${{ inputs.go-version || '>=1.21.0' }}
          cache: false
@@ -96,7 +96,7 @@ jobs:
          rm -rf ./* .github .git
      # Check out the actions repo again, but at a different location.
      # choose an arbitrary SHA so that we can later test that the commit_oid is not from main
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
        with:
          ref: 474bbf07f9247ffe1856c6a0f94aeeb10e7afee6
          path: x/y/z/some-path
@@ -26,7 +26,7 @@ jobs:

    steps:
      - name: Checkout CodeQL Action
-        uses: actions/checkout@v6
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
      - name: Check Expected Release Files
        run: |
          bundle_version="$(cat "./src/defaults.json" | jq -r ".bundleVersion")"
@@ -35,7 +35,7 @@ jobs:
      security-events: read

    steps:
-    - uses: actions/checkout@v6
+    - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
    - name: Set up default CodeQL bundle
      id: setup-default
      uses: ./setup-codeql
@@ -87,7 +87,7 @@ jobs:

    steps:
    - name: Checkout
-      uses: actions/checkout@v6
+      uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
    - name: Initialize CodeQL
      uses: ./init
      id: init
@@ -124,7 +124,7 @@ jobs:

    steps:
    - name: Checkout
-      uses: actions/checkout@v6
+      uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
    - name: Initialize CodeQL
      uses: ./init
      with:
@@ -59,10 +59,10 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
    - name: Check out repository
-      uses: actions/checkout@v6
+      uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3

    - name: Set up Node.js
-      uses: actions/setup-node@v6
+      uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
      with:
        node-version: 24
        cache: 'npm'
@@ -53,17 +53,17 @@ jobs:
      - name: Dump GitHub event
        run: cat "${GITHUB_EVENT_PATH}"
      - name: Check out repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
        with:
          version: ${{ matrix.version }}
-      - uses: actions/setup-go@v6
+      - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
        with:
          go-version: ^1.13.1
      - name: Install .NET
-        uses: actions/setup-dotnet@v5
+        uses: actions/setup-dotnet@9a946fdbd5fb07b82b2f5a4466058b876ab72bb2 # v5.3.0
        with:
          dotnet-version: '9.x'
      - name: Assert best-effort artifact scan completed
@@ -94,7 +94,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Download all artifacts
-        uses: actions/download-artifact@v8
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
      - name: Check expected artifacts exist
        run: |
          LANGUAGES="cpp csharp go java javascript python"
@@ -49,17 +49,17 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Check out repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
        with:
          version: ${{ matrix.version }}
-      - uses: actions/setup-go@v6
+      - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
        with:
          go-version: ^1.13.1
      - name: Install .NET
-        uses: actions/setup-dotnet@v5
+        uses: actions/setup-dotnet@9a946fdbd5fb07b82b2f5a4466058b876ab72bb2 # v5.3.0
        with:
          dotnet-version: '9.x'
      - name: Assert best-effort artifact scan completed
@@ -87,7 +87,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Download all artifacts
-        uses: actions/download-artifact@v8
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
      - name: Check expected artifacts exist
        run: |
          VERSIONS="stable-v2.20.3 default linked nightly-latest"
@@ -44,14 +44,14 @@ jobs:
          GITHUB_CONTEXT: '${{ toJson(github) }}'
        run: echo "${GITHUB_CONTEXT}"

-      - uses: actions/checkout@v6
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
        with:
          fetch-depth: 0  # ensure we have all tags and can push commits
-      - uses: actions/setup-node@v6
+      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
        with:
          node-version: 24
          cache: 'npm'
-      - uses: actions/setup-python@v6
+      - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
        with:
          python-version: '3.12'

@@ -134,7 +134,7 @@ jobs:
          echo "::endgroup::"

      - name: Generate token
-        uses: actions/create-github-app-token@v3.2.0
+        uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
        id: app-token
        with:
          app-id: ${{ vars.AUTOMATION_APP_ID }}
@@ -42,10 +42,10 @@ jobs:
        if: runner.os == 'Windows'
        run: git config --global core.autocrlf false

-      - uses: actions/checkout@v6
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3

      - name: Set up Node.js
-        uses: actions/setup-node@v6
+        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
        with:
          node-version: ${{ matrix.node-version }}
          cache: 'npm'
@@ -91,10 +91,10 @@ jobs:

    steps:
      - name: Checkout repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3

      - name: Set up Node.js
-        uses: actions/setup-node@v6
+        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
        with:
          node-version: 24
          cache: 'npm'
@@ -155,7 +155,7 @@ jobs:

      - name: Upload repo size comment
        if: steps.fetch-base.outcome == 'success'
-        uses: actions/upload-artifact@v7
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
        with:
          name: repo-size-comment
          path: ${{ runner.temp }}/repo-size/
@@ -164,7 +164,7 @@ jobs:
      - name: 'Backport: Check out base ref'
        id: checkout-base
        if: ${{ startsWith(github.head_ref, 'backport-') }}
-        uses: actions/checkout@v6
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
        with:
          ref: ${{ github.base_ref }}

@@ -203,7 +203,7 @@ jobs:

    steps:
      - name: Download repo size comment
-        uses: actions/download-artifact@v8
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
        with:
          name: repo-size-comment
          path: repo-size-comment
@@ -44,7 +44,7 @@ jobs:

    steps:
      - name: Checkout repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
        with:
          fetch-depth: 0 # Need full history for calculation of diffs

@@ -20,8 +20,8 @@ jobs:

    steps:
      - name: Checkout repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3

      - name: Publish immutable release
        id: publish
-        uses: actions/publish-immutable-action@v0.0.4
+        uses: actions/publish-immutable-action@4bc8754ffc40f27910afb20287dbbbb675a4e978 # v0.0.4
@@ -35,11 +35,11 @@ jobs:
    runs-on: windows-latest

    steps:
-    - uses: actions/setup-python@v6
+    - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
      with:
        python-version: 3.12

-    - uses: actions/checkout@v6
+    - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3

    - name: Prepare test
      uses: ./.github/actions/prepare-test
@@ -35,10 +35,10 @@ jobs:
      contents: read # This permission is needed to allow the GitHub Actions workflow to read the contents of the repository.
    steps:
    - name: Check out repository
-      uses: actions/checkout@v6
+      uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3

    - name: Install Node.js
-      uses: actions/setup-node@v6
+      uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
      with:
        node-version: 24
        cache: npm
@@ -24,13 +24,13 @@ jobs:
      pull-requests: write # needed to comment on the PR
    steps:
      - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
        with:
          fetch-depth: 0
          ref: ${{ env.HEAD_REF }}

      - name: Set up Node.js
-        uses: actions/setup-node@v6
+        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
        with:
          node-version: 24
          cache: 'npm'
@@ -52,7 +52,7 @@ jobs:

    steps:
      - name: Checkout repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
        with:
          fetch-depth: 0 # Need full history for calculation of diffs

@@ -136,7 +136,7 @@ jobs:

      - name: Generate token
        if: github.event_name == 'workflow_dispatch'
-        uses: actions/create-github-app-token@v3.2.0
+        uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
        id: app-token
        with:
          app-id: ${{ vars.AUTOMATION_APP_ID }}
@@ -43,7 +43,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
    - name: Check out repository
-      uses: actions/checkout@v6
+      uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
    - name: Prepare test
      id: prepare-test
      uses: ./.github/actions/prepare-test
@@ -51,7 +51,7 @@ jobs:
        version: ${{ matrix.version }}
        use-all-platform-bundle: true
    - name: Install .NET
-      uses: actions/setup-dotnet@v5
+      uses: actions/setup-dotnet@9a946fdbd5fb07b82b2f5a4466058b876ab72bb2 # v5.3.0
      with:
        dotnet-version: '9.x'
    - id: init
@@ -33,7 +33,7 @@ jobs:
          GITHUB_CONTEXT: '${{ toJson(github) }}'
        run: echo "$GITHUB_CONTEXT"

-      - uses: actions/checkout@v6
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3

      - name: Update git config
        run: |
@@ -41,12 +41,12 @@ jobs:
          git config --global user.name "github-actions[bot]"

      - name: Set up Python
-        uses: actions/setup-python@v6
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
        with:
          python-version: '3.12'

      - name: Set up Node.js
-        uses: actions/setup-node@v6
+        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
        with:
          node-version: 24
          cache: 'npm'
@@ -38,7 +38,7 @@ jobs:
      contents: write # needed to push commits
      pull-requests: write # needed to create pull request
    steps:
-    - uses: actions/checkout@v6
+    - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
      with:
        fetch-depth: 0  # Need full history for calculation of diffs
    - uses: ./.github/actions/release-initialise
@@ -94,14 +94,14 @@ jobs:
      pull-requests: write # needed to create pull request
    steps:
    - name: Generate token
-      uses: actions/create-github-app-token@v3.2.0
+      uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
      id: app-token
      with:
        app-id: ${{ vars.AUTOMATION_APP_ID }}
        private-key: ${{ secrets.AUTOMATION_PRIVATE_KEY }}

    - name: Checkout
-      uses: actions/checkout@v6
+      uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
      with:
        fetch-depth: 0  # Need full history for calculation of diffs
        token: ${{ steps.app-token.outputs.token }}
@@ -23,13 +23,13 @@ jobs:

    steps:
      - name: Setup Python
-        uses: actions/setup-python@v6
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
        with:
          python-version: "3.13"
      - name: Checkout CodeQL Action
-        uses: actions/checkout@v6
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
      - name: Checkout Enterprise Releases
-        uses: actions/checkout@v6
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
        with:
          repository: github/enterprise-releases
          token: ${{ secrets.ENTERPRISE_RELEASE_TOKEN }}
@@ -2,6 +2,10 @@

 See the [releases page](https://github.com/github/codeql-action/releases) for the relevant changes to the CodeQL CLI and language packs.

+## [UNRELEASED]
+
+- Update default CodeQL bundle version to [2.25.6](https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.25.6). [#3948](https://github.com/github/codeql-action/pull/3948)
+
 ## 4.36.1 - 02 Jun 2026

 No user facing changes.
@@ -1,6 +1,6 @@
 {
-  "bundleVersion": "codeql-bundle-v2.25.5",
-  "cliVersion": "2.25.5",
-  "priorBundleVersion": "codeql-bundle-v2.25.4",
-  "priorCliVersion": "2.25.4"
+  "bundleVersion": "codeql-bundle-v2.25.6",
+  "cliVersion": "2.25.6",
+  "priorBundleVersion": "codeql-bundle-v2.25.5",
+  "priorCliVersion": "2.25.5"
 }
@@ -19179,12 +19179,12 @@ var require_lib = __commonJS({
            throw new Error("Client has already been disposed.");
          }
          const parsedUrl = new URL(requestUrl);
-          let info7 = this._prepareRequest(verb, parsedUrl, headers);
+          let info8 = this._prepareRequest(verb, parsedUrl, headers);
          const maxTries = this._allowRetries && RetryableHttpVerbs.includes(verb) ? this._maxRetries + 1 : 1;
          let numTries = 0;
          let response;
          do {
-            response = yield this.requestRaw(info7, data);
+            response = yield this.requestRaw(info8, data);
            if (response && response.message && response.message.statusCode === HttpCodes.Unauthorized) {
              let authenticationHandler;
              for (const handler2 of this.handlers) {
@@ -19194,7 +19194,7 @@ var require_lib = __commonJS({
                }
              }
              if (authenticationHandler) {
-                return authenticationHandler.handleAuthentication(this, info7, data);
+                return authenticationHandler.handleAuthentication(this, info8, data);
              } else {
                return response;
              }
@@ -19217,8 +19217,8 @@ var require_lib = __commonJS({
                  }
                }
              }
-              info7 = this._prepareRequest(verb, parsedRedirectUrl, headers);
-              response = yield this.requestRaw(info7, data);
+              info8 = this._prepareRequest(verb, parsedRedirectUrl, headers);
+              response = yield this.requestRaw(info8, data);
              redirectsRemaining--;
            }
            if (!response.message.statusCode || !HttpResponseRetryCodes.includes(response.message.statusCode)) {
@@ -19247,7 +19247,7 @@ var require_lib = __commonJS({
       * @param info
       * @param data
       */
-      requestRaw(info7, data) {
+      requestRaw(info8, data) {
        return __awaiter2(this, void 0, void 0, function* () {
          return new Promise((resolve13, reject) => {
            function callbackForResult(err, res) {
@@ -19259,7 +19259,7 @@ var require_lib = __commonJS({
                resolve13(res);
              }
            }
-            this.requestRawWithCallback(info7, data, callbackForResult);
+            this.requestRawWithCallback(info8, data, callbackForResult);
          });
        });
      }
@@ -19269,12 +19269,12 @@ var require_lib = __commonJS({
       * @param data
       * @param onResult
       */
-      requestRawWithCallback(info7, data, onResult) {
+      requestRawWithCallback(info8, data, onResult) {
        if (typeof data === "string") {
-          if (!info7.options.headers) {
-            info7.options.headers = {};
+          if (!info8.options.headers) {
+            info8.options.headers = {};
          }
-          info7.options.headers["Content-Length"] = Buffer.byteLength(data, "utf8");
+          info8.options.headers["Content-Length"] = Buffer.byteLength(data, "utf8");
        }
        let callbackCalled = false;
        function handleResult(err, res) {
@@ -19283,7 +19283,7 @@ var require_lib = __commonJS({
            onResult(err, res);
          }
        }
-        const req = info7.httpModule.request(info7.options, (msg) => {
+        const req = info8.httpModule.request(info8.options, (msg) => {
          const res = new HttpClientResponse(msg);
          handleResult(void 0, res);
        });
@@ -19295,7 +19295,7 @@ var require_lib = __commonJS({
          if (socket) {
            socket.end();
          }
-          handleResult(new Error(`Request timeout: ${info7.options.path}`));
+          handleResult(new Error(`Request timeout: ${info8.options.path}`));
        });
        req.on("error", function(err) {
          handleResult(err);
@@ -19331,27 +19331,27 @@ var require_lib = __commonJS({
        return this._getProxyAgentDispatcher(parsedUrl, proxyUrl);
      }
      _prepareRequest(method, requestUrl, headers) {
-        const info7 = {};
-        info7.parsedUrl = requestUrl;
-        const usingSsl = info7.parsedUrl.protocol === "https:";
-        info7.httpModule = usingSsl ? https3 : http;
+        const info8 = {};
+        info8.parsedUrl = requestUrl;
+        const usingSsl = info8.parsedUrl.protocol === "https:";
+        info8.httpModule = usingSsl ? https3 : http;
        const defaultPort = usingSsl ? 443 : 80;
-        info7.options = {};
-        info7.options.host = info7.parsedUrl.hostname;
-        info7.options.port = info7.parsedUrl.port ? parseInt(info7.parsedUrl.port) : defaultPort;
-        info7.options.path = (info7.parsedUrl.pathname || "") + (info7.parsedUrl.search || "");
-        info7.options.method = method;
-        info7.options.headers = this._mergeHeaders(headers);
+        info8.options = {};
+        info8.options.host = info8.parsedUrl.hostname;
+        info8.options.port = info8.parsedUrl.port ? parseInt(info8.parsedUrl.port) : defaultPort;
+        info8.options.path = (info8.parsedUrl.pathname || "") + (info8.parsedUrl.search || "");
+        info8.options.method = method;
+        info8.options.headers = this._mergeHeaders(headers);
        if (this.userAgent != null) {
-          info7.options.headers["user-agent"] = this.userAgent;
+          info8.options.headers["user-agent"] = this.userAgent;
        }
-        info7.options.agent = this._getAgent(info7.parsedUrl);
+        info8.options.agent = this._getAgent(info8.parsedUrl);
        if (this.handlers) {
          for (const handler2 of this.handlers) {
-            handler2.prepareRequest(info7.options);
+            handler2.prepareRequest(info8.options);
          }
        }
-        return info7;
+        return info8;
      }
      _mergeHeaders(headers) {
        if (this.requestOptions && this.requestOptions.headers) {
@@ -21406,7 +21406,7 @@ var require_core = __commonJS({
    exports2.error = error3;
    exports2.warning = warning14;
    exports2.notice = notice;
-    exports2.info = info7;
+    exports2.info = info8;
    exports2.startGroup = startGroup4;
    exports2.endGroup = endGroup4;
    exports2.group = group;
@@ -21503,7 +21503,7 @@ Support boolean input list: \`true | True | TRUE | false | False | FALSE\``);
    function notice(message, properties = {}) {
      (0, command_1.issueCommand)("notice", (0, utils_1.toCommandProperties)(properties), message instanceof Error ? message.toString() : message);
    }
-    function info7(message) {
+    function info8(message) {
      process.stdout.write(message + os7.EOL);
    }
    function startGroup4(name) {
@@ -26853,6 +26853,7 @@ var require_range = __commonJS({
        return this.range;
      }
      parseRange(range) {
+        range = range.replace(BUILDSTRIPRE, "");
        const memoOpts = (this.options.includePrerelease && FLAG_INCLUDE_PRERELEASE) | (this.options.loose && FLAG_LOOSE);
        const memoKey = memoOpts + ":" + range;
        const cached = cache.get(memoKey);
@@ -26935,12 +26936,14 @@ var require_range = __commonJS({
    var SemVer = require_semver();
    var {
      safeRe: re,
+      src,
      t,
      comparatorTrimReplace,
      tildeTrimReplace,
      caretTrimReplace
    } = require_re();
    var { FLAG_INCLUDE_PRERELEASE, FLAG_LOOSE } = require_constants6();
+    var BUILDSTRIPRE = new RegExp(src[t.BUILD], "g");
    var isNullSet = (c) => c.value === "<0.0.0-0";
    var isAny = (c) => c.value === "";
    var isSatisfiable = (comparators, options) => {
@@ -27696,7 +27699,7 @@ var require_subset = __commonJS({
            if (higher === c && higher !== gt) {
              return false;
            }
-          } else if (gt.operator === ">=" && !satisfies2(gt.semver, String(c), options)) {
+          } else if (gt.operator === ">=" && !c.test(gt.semver)) {
            return false;
          }
        }
@@ -27711,7 +27714,7 @@ var require_subset = __commonJS({
            if (lower === c && lower !== lt2) {
              return false;
            }
-          } else if (lt2.operator === "<=" && !satisfies2(lt2.semver, String(c), options)) {
+          } else if (lt2.operator === "<=" && !c.test(lt2.semver)) {
            return false;
          }
        }
@@ -42402,12 +42405,12 @@ var require_operationHelpers = __commonJS({
      if (hasOriginalRequest(request3)) {
        return getOperationRequestInfo(request3[originalRequestSymbol]);
      }
-      let info7 = state_js_1.state.operationRequestMap.get(request3);
-      if (!info7) {
-        info7 = {};
-        state_js_1.state.operationRequestMap.set(request3, info7);
+      let info8 = state_js_1.state.operationRequestMap.get(request3);
+      if (!info8) {
+        info8 = {};
+        state_js_1.state.operationRequestMap.set(request3, info8);
      }
-      return info7;
+      return info8;
    }
  }
 });
@@ -76954,9 +76957,9 @@ var require_reflection_type_check = __commonJS({
    var reflection_info_1 = require_reflection_info();
    var oneof_1 = require_oneof();
    var ReflectionTypeCheck = class {
-      constructor(info7) {
+      constructor(info8) {
        var _a;
-        this.fields = (_a = info7.fields) !== null && _a !== void 0 ? _a : [];
+        this.fields = (_a = info8.fields) !== null && _a !== void 0 ? _a : [];
      }
      prepare() {
        if (this.data)
@@ -77202,8 +77205,8 @@ var require_reflection_json_reader = __commonJS({
    var assert_1 = require_assert();
    var reflection_long_convert_1 = require_reflection_long_convert();
    var ReflectionJsonReader = class {
-      constructor(info7) {
-        this.info = info7;
+      constructor(info8) {
+        this.info = info8;
      }
      prepare() {
        var _a;
@@ -77499,9 +77502,9 @@ var require_reflection_json_writer = __commonJS({
    var reflection_info_1 = require_reflection_info();
    var assert_1 = require_assert();
    var ReflectionJsonWriter = class {
-      constructor(info7) {
+      constructor(info8) {
        var _a;
-        this.fields = (_a = info7.fields) !== null && _a !== void 0 ? _a : [];
+        this.fields = (_a = info8.fields) !== null && _a !== void 0 ? _a : [];
      }
      /**
       * Converts the message to a JSON object, based on the field descriptors.
@@ -77754,8 +77757,8 @@ var require_reflection_binary_reader = __commonJS({
    var reflection_long_convert_1 = require_reflection_long_convert();
    var reflection_scalar_default_1 = require_reflection_scalar_default();
    var ReflectionBinaryReader = class {
-      constructor(info7) {
-        this.info = info7;
+      constructor(info8) {
+        this.info = info8;
      }
      prepare() {
        var _a;
@@ -77928,8 +77931,8 @@ var require_reflection_binary_writer = __commonJS({
    var assert_1 = require_assert();
    var pb_long_1 = require_pb_long();
    var ReflectionBinaryWriter = class {
-      constructor(info7) {
-        this.info = info7;
+      constructor(info8) {
+        this.info = info8;
      }
      prepare() {
        if (!this.fields) {
@@ -78179,9 +78182,9 @@ var require_reflection_merge_partial = __commonJS({
    "use strict";
    Object.defineProperty(exports2, "__esModule", { value: true });
    exports2.reflectionMergePartial = void 0;
-    function reflectionMergePartial(info7, target, source) {
+    function reflectionMergePartial(info8, target, source) {
      let fieldValue, input = source, output;
-      for (let field of info7.fields) {
+      for (let field of info8.fields) {
        let name = field.localName;
        if (field.oneof) {
          const group = input[field.oneof];
@@ -78250,12 +78253,12 @@ var require_reflection_equals = __commonJS({
    Object.defineProperty(exports2, "__esModule", { value: true });
    exports2.reflectionEquals = void 0;
    var reflection_info_1 = require_reflection_info();
-    function reflectionEquals(info7, a, b) {
+    function reflectionEquals(info8, a, b) {
      if (a === b)
        return true;
      if (!a || !b)
        return false;
-      for (let field of info7.fields) {
+      for (let field of info8.fields) {
        let localName = field.localName;
        let val_a = field.oneof ? a[field.oneof][localName] : a[localName];
        let val_b = field.oneof ? b[field.oneof][localName] : b[localName];
@@ -91275,7 +91278,7 @@ var require_async = __commonJS({
        }
      }
      var sortBy$1 = awaitify(sortBy, 3);
-      function timeout(asyncFn, milliseconds, info7) {
+      function timeout(asyncFn, milliseconds, info8) {
        var fn = wrapAsync(asyncFn);
        return initialParams((args, callback) => {
          var timedOut = false;
@@ -91284,8 +91287,8 @@ var require_async = __commonJS({
            var name = asyncFn.name || "anonymous";
            var error3 = new Error('Callback function "' + name + '" timed out.');
            error3.code = "ETIMEDOUT";
-            if (info7) {
-              error3.info = info7;
+            if (info8) {
+              error3.info = info8;
            }
            timedOut = true;
            callback(error3);
@@ -114681,12 +114684,12 @@ var require_lib4 = __commonJS({
            throw new Error("Client has already been disposed.");
          }
          const parsedUrl = new URL(requestUrl);
-          let info7 = this._prepareRequest(verb, parsedUrl, headers);
+          let info8 = this._prepareRequest(verb, parsedUrl, headers);
          const maxTries = this._allowRetries && RetryableHttpVerbs.includes(verb) ? this._maxRetries + 1 : 1;
          let numTries = 0;
          let response;
          do {
-            response = yield this.requestRaw(info7, data);
+            response = yield this.requestRaw(info8, data);
            if (response && response.message && response.message.statusCode === HttpCodes.Unauthorized) {
              let authenticationHandler;
              for (const handler2 of this.handlers) {
@@ -114696,7 +114699,7 @@ var require_lib4 = __commonJS({
                }
              }
              if (authenticationHandler) {
-                return authenticationHandler.handleAuthentication(this, info7, data);
+                return authenticationHandler.handleAuthentication(this, info8, data);
              } else {
                return response;
              }
@@ -114719,8 +114722,8 @@ var require_lib4 = __commonJS({
                  }
                }
              }
-              info7 = this._prepareRequest(verb, parsedRedirectUrl, headers);
-              response = yield this.requestRaw(info7, data);
+              info8 = this._prepareRequest(verb, parsedRedirectUrl, headers);
+              response = yield this.requestRaw(info8, data);
              redirectsRemaining--;
            }
            if (!response.message.statusCode || !HttpResponseRetryCodes.includes(response.message.statusCode)) {
@@ -114749,7 +114752,7 @@ var require_lib4 = __commonJS({
       * @param info
       * @param data
       */
-      requestRaw(info7, data) {
+      requestRaw(info8, data) {
        return __awaiter2(this, void 0, void 0, function* () {
          return new Promise((resolve13, reject) => {
            function callbackForResult(err, res) {
@@ -114761,7 +114764,7 @@ var require_lib4 = __commonJS({
                resolve13(res);
              }
            }
-            this.requestRawWithCallback(info7, data, callbackForResult);
+            this.requestRawWithCallback(info8, data, callbackForResult);
          });
        });
      }
@@ -114771,12 +114774,12 @@ var require_lib4 = __commonJS({
       * @param data
       * @param onResult
       */
-      requestRawWithCallback(info7, data, onResult) {
+      requestRawWithCallback(info8, data, onResult) {
        if (typeof data === "string") {
-          if (!info7.options.headers) {
-            info7.options.headers = {};
+          if (!info8.options.headers) {
+            info8.options.headers = {};
          }
-          info7.options.headers["Content-Length"] = Buffer.byteLength(data, "utf8");
+          info8.options.headers["Content-Length"] = Buffer.byteLength(data, "utf8");
        }
        let callbackCalled = false;
        function handleResult(err, res) {
@@ -114785,7 +114788,7 @@ var require_lib4 = __commonJS({
            onResult(err, res);
          }
        }
-        const req = info7.httpModule.request(info7.options, (msg) => {
+        const req = info8.httpModule.request(info8.options, (msg) => {
          const res = new HttpClientResponse(msg);
          handleResult(void 0, res);
        });
@@ -114797,7 +114800,7 @@ var require_lib4 = __commonJS({
          if (socket) {
            socket.end();
          }
-          handleResult(new Error(`Request timeout: ${info7.options.path}`));
+          handleResult(new Error(`Request timeout: ${info8.options.path}`));
        });
        req.on("error", function(err) {
          handleResult(err);
@@ -114833,27 +114836,27 @@ var require_lib4 = __commonJS({
        return this._getProxyAgentDispatcher(parsedUrl, proxyUrl);
      }
      _prepareRequest(method, requestUrl, headers) {
-        const info7 = {};
-        info7.parsedUrl = requestUrl;
-        const usingSsl = info7.parsedUrl.protocol === "https:";
-        info7.httpModule = usingSsl ? https3 : http;
+        const info8 = {};
+        info8.parsedUrl = requestUrl;
+        const usingSsl = info8.parsedUrl.protocol === "https:";
+        info8.httpModule = usingSsl ? https3 : http;
        const defaultPort = usingSsl ? 443 : 80;
-        info7.options = {};
-        info7.options.host = info7.parsedUrl.hostname;
-        info7.options.port = info7.parsedUrl.port ? parseInt(info7.parsedUrl.port) : defaultPort;
-        info7.options.path = (info7.parsedUrl.pathname || "") + (info7.parsedUrl.search || "");
-        info7.options.method = method;
-        info7.options.headers = this._mergeHeaders(headers);
+        info8.options = {};
+        info8.options.host = info8.parsedUrl.hostname;
+        info8.options.port = info8.parsedUrl.port ? parseInt(info8.parsedUrl.port) : defaultPort;
+        info8.options.path = (info8.parsedUrl.pathname || "") + (info8.parsedUrl.search || "");
+        info8.options.method = method;
+        info8.options.headers = this._mergeHeaders(headers);
        if (this.userAgent != null) {
-          info7.options.headers["user-agent"] = this.userAgent;
+          info8.options.headers["user-agent"] = this.userAgent;
        }
-        info7.options.agent = this._getAgent(info7.parsedUrl);
+        info8.options.agent = this._getAgent(info8.parsedUrl);
        if (this.handlers) {
          for (const handler2 of this.handlers) {
-            handler2.prepareRequest(info7.options);
+            handler2.prepareRequest(info8.options);
          }
        }
-        return info7;
+        return info8;
      }
      _mergeHeaders(headers) {
        if (this.requestOptions && this.requestOptions.headers) {
@@ -121241,11 +121244,11 @@ var require_dist_node12 = __commonJS({
    }
    async function wrapRequest2(state, request3, options) {
      const limiter = new Bottleneck2();
-      limiter.on("failed", function(error3, info7) {
+      limiter.on("failed", function(error3, info8) {
        const maxRetries = ~~error3.request.request.retries;
        const after = ~~error3.request.request.retryAfter;
-        options.request.retryCount = info7.retryCount + 1;
-        if (maxRetries > info7.retryCount) {
+        options.request.retryCount = info8.retryCount + 1;
+        if (maxRetries > info8.retryCount) {
          return after * state.retryAfterBaseValue;
        }
      });
@@ -122453,12 +122456,12 @@ var require_lib5 = __commonJS({
            throw new Error("Client has already been disposed.");
          }
          const parsedUrl = new URL(requestUrl);
-          let info7 = this._prepareRequest(verb, parsedUrl, headers);
+          let info8 = this._prepareRequest(verb, parsedUrl, headers);
          const maxTries = this._allowRetries && RetryableHttpVerbs.includes(verb) ? this._maxRetries + 1 : 1;
          let numTries = 0;
          let response;
          do {
-            response = yield this.requestRaw(info7, data);
+            response = yield this.requestRaw(info8, data);
            if (response && response.message && response.message.statusCode === HttpCodes.Unauthorized) {
              let authenticationHandler;
              for (const handler2 of this.handlers) {
@@ -122468,7 +122471,7 @@ var require_lib5 = __commonJS({
                }
              }
              if (authenticationHandler) {
-                return authenticationHandler.handleAuthentication(this, info7, data);
+                return authenticationHandler.handleAuthentication(this, info8, data);
              } else {
                return response;
              }
@@ -122491,8 +122494,8 @@ var require_lib5 = __commonJS({
                  }
                }
              }
-              info7 = this._prepareRequest(verb, parsedRedirectUrl, headers);
-              response = yield this.requestRaw(info7, data);
+              info8 = this._prepareRequest(verb, parsedRedirectUrl, headers);
+              response = yield this.requestRaw(info8, data);
              redirectsRemaining--;
            }
            if (!response.message.statusCode || !HttpResponseRetryCodes.includes(response.message.statusCode)) {
@@ -122521,7 +122524,7 @@ var require_lib5 = __commonJS({
       * @param info
       * @param data
       */
-      requestRaw(info7, data) {
+      requestRaw(info8, data) {
        return __awaiter2(this, void 0, void 0, function* () {
          return new Promise((resolve13, reject) => {
            function callbackForResult(err, res) {
@@ -122533,7 +122536,7 @@ var require_lib5 = __commonJS({
                resolve13(res);
              }
            }
-            this.requestRawWithCallback(info7, data, callbackForResult);
+            this.requestRawWithCallback(info8, data, callbackForResult);
          });
        });
      }
@@ -122543,12 +122546,12 @@ var require_lib5 = __commonJS({
       * @param data
       * @param onResult
       */
-      requestRawWithCallback(info7, data, onResult) {
+      requestRawWithCallback(info8, data, onResult) {
        if (typeof data === "string") {
-          if (!info7.options.headers) {
-            info7.options.headers = {};
+          if (!info8.options.headers) {
+            info8.options.headers = {};
          }
-          info7.options.headers["Content-Length"] = Buffer.byteLength(data, "utf8");
+          info8.options.headers["Content-Length"] = Buffer.byteLength(data, "utf8");
        }
        let callbackCalled = false;
        function handleResult(err, res) {
@@ -122557,7 +122560,7 @@ var require_lib5 = __commonJS({
            onResult(err, res);
          }
        }
-        const req = info7.httpModule.request(info7.options, (msg) => {
+        const req = info8.httpModule.request(info8.options, (msg) => {
          const res = new HttpClientResponse(msg);
          handleResult(void 0, res);
        });
@@ -122569,7 +122572,7 @@ var require_lib5 = __commonJS({
          if (socket) {
            socket.end();
          }
-          handleResult(new Error(`Request timeout: ${info7.options.path}`));
+          handleResult(new Error(`Request timeout: ${info8.options.path}`));
        });
        req.on("error", function(err) {
          handleResult(err);
@@ -122605,27 +122608,27 @@ var require_lib5 = __commonJS({
        return this._getProxyAgentDispatcher(parsedUrl, proxyUrl);
      }
      _prepareRequest(method, requestUrl, headers) {
-        const info7 = {};
-        info7.parsedUrl = requestUrl;
-        const usingSsl = info7.parsedUrl.protocol === "https:";
-        info7.httpModule = usingSsl ? https3 : http;
+        const info8 = {};
+        info8.parsedUrl = requestUrl;
+        const usingSsl = info8.parsedUrl.protocol === "https:";
+        info8.httpModule = usingSsl ? https3 : http;
        const defaultPort = usingSsl ? 443 : 80;
-        info7.options = {};
-        info7.options.host = info7.parsedUrl.hostname;
-        info7.options.port = info7.parsedUrl.port ? parseInt(info7.parsedUrl.port) : defaultPort;
-        info7.options.path = (info7.parsedUrl.pathname || "") + (info7.parsedUrl.search || "");
-        info7.options.method = method;
-        info7.options.headers = this._mergeHeaders(headers);
+        info8.options = {};
+        info8.options.host = info8.parsedUrl.hostname;
+        info8.options.port = info8.parsedUrl.port ? parseInt(info8.parsedUrl.port) : defaultPort;
+        info8.options.path = (info8.parsedUrl.pathname || "") + (info8.parsedUrl.search || "");
+        info8.options.method = method;
+        info8.options.headers = this._mergeHeaders(headers);
        if (this.userAgent != null) {
-          info7.options.headers["user-agent"] = this.userAgent;
+          info8.options.headers["user-agent"] = this.userAgent;
        }
-        info7.options.agent = this._getAgent(info7.parsedUrl);
+        info8.options.agent = this._getAgent(info8.parsedUrl);
        if (this.handlers) {
          for (const handler2 of this.handlers) {
-            handler2.prepareRequest(info7.options);
+            handler2.prepareRequest(info8.options);
          }
        }
-        return info7;
+        return info8;
      }
      _mergeHeaders(headers) {
        if (this.requestOptions && this.requestOptions.headers) {
@@ -124615,10 +124618,10 @@ Support boolean input list: \`true | True | TRUE | false | False | FALSE\``);
      (0, command_1.issueCommand)("notice", (0, utils_1.toCommandProperties)(properties), message instanceof Error ? message.toString() : message);
    }
    exports2.notice = notice;
-    function info7(message) {
+    function info8(message) {
      process.stdout.write(message + os7.EOL);
    }
-    exports2.info = info7;
+    exports2.info = info8;
    function startGroup4(name) {
      (0, command_1.issue)("group", name);
    }
@@ -148062,13 +148065,42 @@ function asHTTPError(arg) {
  return void 0;
 }
 var cachedCodeQlVersion = void 0;
-function cacheCodeQlVersion(version) {
+function isVersionInfo(x) {
+  const candidate = x;
+  return typeof candidate === "object" && candidate !== null && typeof candidate.version === "string" && (candidate.features === void 0 || typeof candidate.features === "object" && candidate.features !== null) && (candidate.overlayVersion === void 0 || typeof candidate.overlayVersion === "number");
+}
+function isPersistedVersionInfo(x) {
+  const candidate = x;
+  return typeof candidate === "object" && candidate !== null && typeof candidate.cmd === "string" && isVersionInfo(candidate.version);
+}
+function cacheCodeQlVersion(cmd, version) {
  if (cachedCodeQlVersion !== void 0) {
    throw new Error("cacheCodeQlVersion() should be called only once");
  }
  cachedCodeQlVersion = version;
+  core3.exportVariable(
+    "CODEQL_ACTION_CLI_VERSION_INFO" /* CODEQL_VERSION_INFO */,
+    JSON.stringify({ cmd, version })
+  );
 }
-function getCachedCodeQlVersion() {
+function getCachedCodeQlVersion(cmd) {
+  if (cachedCodeQlVersion !== void 0) {
+    return cachedCodeQlVersion;
+  }
+  const serialized = process.env["CODEQL_ACTION_CLI_VERSION_INFO" /* CODEQL_VERSION_INFO */];
+  if (!serialized) {
+    return void 0;
+  }
+  let persisted;
+  try {
+    persisted = JSON.parse(serialized);
+  } catch {
+    return void 0;
+  }
+  if (!isPersistedVersionInfo(persisted) || cmd !== void 0 && persisted.cmd !== cmd) {
+    return void 0;
+  }
+  cachedCodeQlVersion = persisted.version;
  return cachedCodeQlVersion;
 }
 async function codeQlVersionAtLeast(codeql, requiredVersion) {
@@ -148366,7 +148398,7 @@ function getDiffRangesJsonFilePath() {
  return path2.join(getTemporaryDirectory(), PR_DIFF_RANGE_JSON_FILENAME);
 }
 function getActionVersion() {
-  return "4.36.1";
+  return "4.36.2";
 }
 function getWorkflowEventName() {
  return getRequiredEnvParam("GITHUB_EVENT_NAME");
@@ -148669,11 +148701,11 @@ async function errorRequest(state, octokit, error3, options) {
 }
 async function wrapRequest(state, octokit, request3, options) {
  const limiter = new import_light.default();
-  limiter.on("failed", function(error3, info7) {
+  limiter.on("failed", function(error3, info8) {
    const maxRetries = ~~error3.request.request?.retries;
    const after = ~~error3.request.request?.retryAfter;
-    options.request.retryCount = info7.retryCount + 1;
-    if (maxRetries > info7.retryCount) {
+    options.request.retryCount = info8.retryCount + 1;
+    if (maxRetries > info8.retryCount) {
      return after * state.retryAfterBaseValue;
    }
  });
@@ -148930,8 +148962,8 @@ function wrapApiConfigurationError(e) {
 }

 // src/defaults.json
-var bundleVersion = "codeql-bundle-v2.25.5";
-var cliVersion = "2.25.5";
+var bundleVersion = "codeql-bundle-v2.25.6";
+var cliVersion = "2.25.6";

 // src/overlay/index.ts
 var fs4 = __toESM(require("fs"));
@@ -149396,6 +149428,11 @@ var featureConfig = {
    legacyApi: true,
    minimumVersion: void 0
  },
+  ["force_jgit" /* ForceJGit */]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_FORCE_JGIT",
+    minimumVersion: void 0
+  },
  ["force_nightly" /* ForceNightly */]: {
    defaultValue: false,
    envVar: "CODEQL_ACTION_FORCE_NIGHTLY",
@@ -153873,7 +153910,7 @@ async function getCodeQLForCmd(cmd, checkVersion) {
      return cmd;
    },
    async getVersion() {
-      let result = getCachedCodeQlVersion();
+      let result = getCachedCodeQlVersion(cmd);
      if (result === void 0) {
        const output = await runCli(cmd, ["version", "--format=json"], {
          noStreamStdout: true
@@ -153885,12 +153922,12 @@ async function getCodeQLForCmd(cmd, checkVersion) {
            `Invalid JSON output from \`version --format=json\`: ${output}`
          );
        }
-        cacheCodeQlVersion(result);
+        cacheCodeQlVersion(cmd, result);
      }
      return result;
    },
    async printVersion() {
-      await runCli(cmd, ["version", "--format=json"]);
+      core11.info(JSON.stringify(await this.getVersion(), null, 2));
    },
    async supportsFeature(feature) {
      return isSupportedToolsFeature(await this.getVersion(), feature);
@@ -157498,22 +157535,20 @@ function dumpSarifFile(sarifPayload, outputDir, logger, uploadTarget) {
  logger.info(`Writing processed SARIF file to ${outputFile}`);
  fs21.writeFileSync(outputFile, sarifPayload);
 }
-var STATUS_CHECK_FREQUENCY_MILLISECONDS = 5 * 1e3;
-var STATUS_CHECK_TIMEOUT_MILLISECONDS = 2 * 60 * 1e3;
+var STATUS_CHECK_INITIAL_BACKOFF_MILLISECONDS = 5 * 1e3;
+var STATUS_CHECK_BACKOFF_MULTIPLIER = 2;
+var STATUS_CHECK_MAX_TRIES = 5;
 async function waitForProcessing(repositoryNwo, sarifID, logger, options = {
  isUnsuccessfulExecution: false
 }) {
  logger.startGroup("Waiting for processing to finish");
  try {
    const client = getApiClient();
-    const statusCheckingStarted = Date.now();
-    while (true) {
-      if (Date.now() > statusCheckingStarted + STATUS_CHECK_TIMEOUT_MILLISECONDS) {
-        logger.warning(
-          "Timed out waiting for analysis to finish processing. Continuing."
-        );
-        break;
-      }
+    let statusCheckBackoff = STATUS_CHECK_INITIAL_BACKOFF_MILLISECONDS;
+    if (process.env["NODE_ENV"] !== "test") {
+      await delay(statusCheckBackoff, { allowProcessExit: false });
+    }
+    for (let statusCheckCount = 1; statusCheckCount <= STATUS_CHECK_MAX_TRIES; statusCheckCount++) {
      let response = void 0;
      try {
        response = await client.request(
@@ -157551,9 +157586,15 @@ ${response.data.errors}`;
      } else {
        assertNever(status);
      }
-      await delay(STATUS_CHECK_FREQUENCY_MILLISECONDS, {
-        allowProcessExit: false
-      });
+      if (statusCheckCount === STATUS_CHECK_MAX_TRIES) {
+        logger.warning(
+          "Timed out waiting for analysis to finish processing. Continuing."
+        );
+        break;
+      } else {
+        statusCheckBackoff *= STATUS_CHECK_BACKOFF_MULTIPLIER;
+        await delay(statusCheckBackoff, { allowProcessExit: false });
+      }
    }
  } finally {
    logger.endGroup();
@@ -159357,6 +159398,9 @@ exec ${goBinaryPath} "$@"`
    if (await features.getValue("disable_kotlin_analysis_enabled" /* DisableKotlinAnalysisEnabled */)) {
      core21.exportVariable("CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN", "true");
    }
+    if (await features.getValue("force_jgit" /* ForceJGit */)) {
+      core21.exportVariable("CODEQL_GIT_BACKEND", "jgit");
+    }
    const kotlinLimitVar = "CODEQL_EXTRACTOR_KOTLIN_OVERRIDE_MAXIMUM_VERSION_LIMIT";
    if (await codeQlVersionAtLeast(codeql, "2.20.3") && !await codeQlVersionAtLeast(codeql, "2.20.4")) {
      core21.exportVariable(kotlinLimitVar, "2.1.20");
@@ -1,12 +1,12 @@
 {
  "name": "codeql",
-  "version": "4.36.1",
+  "version": "4.36.2",
  "lockfileVersion": 3,
  "requires": true,
  "packages": {
    "": {
      "name": "codeql",
-      "version": "4.36.1",
+      "version": "4.36.2",
      "license": "MIT",
      "workspaces": [
        "pr-checks"
@@ -32,7 +32,7 @@
        "jsonschema": "1.5.0",
        "long": "^5.3.2",
        "node-forge": "^1.4.0",
-        "semver": "^7.8.0",
+        "semver": "^7.8.1",
        "uuid": "^14.0.0"
      },
      "devDependencies": {
@@ -61,7 +61,7 @@
        "nock": "^14.0.15",
        "sinon": "^22.0.0",
        "typescript": "^6.0.3",
-        "typescript-eslint": "^8.59.4"
+        "typescript-eslint": "^8.60.0"
      }
    },
    "node_modules/@aashutoshrathi/word-wrap": {
@@ -2528,17 +2528,17 @@
      "license": "MIT"
    },
    "node_modules/@typescript-eslint/eslint-plugin": {
-      "version": "8.59.4",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/eslint-plugin/-/eslint-plugin-8.59.4.tgz",
-      "integrity": "sha512-PegsU+XfyJJNjd4+u/k6f9yTyp0lEXXiPopUNobZcIAUJFGICFLN+sP0Rb3JehVmiij1Ph0dFGYqODoRo/2+6A==",
+      "version": "8.60.0",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/eslint-plugin/-/eslint-plugin-8.60.0.tgz",
+      "integrity": "sha512-QYb/sa74/s7OKMbACMjrYnGspj9Hs5YI5aaffSL65UfeBUzVzBJfVo3oWSpbzPurvm7yaCCo2Lk7lVj610HqKw==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
        "@eslint-community/regexpp": "^4.12.2",
-        "@typescript-eslint/scope-manager": "8.59.4",
-        "@typescript-eslint/type-utils": "8.59.4",
-        "@typescript-eslint/utils": "8.59.4",
-        "@typescript-eslint/visitor-keys": "8.59.4",
+        "@typescript-eslint/scope-manager": "8.60.0",
+        "@typescript-eslint/type-utils": "8.60.0",
+        "@typescript-eslint/utils": "8.60.0",
+        "@typescript-eslint/visitor-keys": "8.60.0",
        "ignore": "^7.0.5",
        "natural-compare": "^1.4.0",
        "ts-api-utils": "^2.5.0"
@@ -2551,7 +2551,7 @@
        "url": "https://opencollective.com/typescript-eslint"
      },
      "peerDependencies": {
-        "@typescript-eslint/parser": "^8.59.4",
+        "@typescript-eslint/parser": "^8.60.0",
        "eslint": "^8.57.0 || ^9.0.0 || ^10.0.0",
        "typescript": ">=4.8.4 <6.1.0"
      }
@@ -2567,16 +2567,16 @@
      }
    },
    "node_modules/@typescript-eslint/parser": {
-      "version": "8.59.4",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/parser/-/parser-8.59.4.tgz",
-      "integrity": "sha512-zORHqO/tuhxY1zWuTvMUqddRxpiFJ72xVfcNoWpqdLjs6lfPbuQBJuW4pk+49/uBMy7Ssr4bzgjiKmmDB1UbZQ==",
+      "version": "8.60.0",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/parser/-/parser-8.60.0.tgz",
+      "integrity": "sha512-fcqpj/MyK4sxDPcbe7STNPbpQL4RLZOPWuaTmwZYuc+hJKzRf58yRxfhqGpc6PIq9ZyfSBpfHgmUHmHs0KwHwg==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
-        "@typescript-eslint/scope-manager": "8.59.4",
-        "@typescript-eslint/types": "8.59.4",
-        "@typescript-eslint/typescript-estree": "8.59.4",
-        "@typescript-eslint/visitor-keys": "8.59.4",
+        "@typescript-eslint/scope-manager": "8.60.0",
+        "@typescript-eslint/types": "8.60.0",
+        "@typescript-eslint/typescript-estree": "8.60.0",
+        "@typescript-eslint/visitor-keys": "8.60.0",
        "debug": "^4.4.3"
      },
      "engines": {
@@ -2610,14 +2610,14 @@
      }
    },
    "node_modules/@typescript-eslint/project-service": {
-      "version": "8.59.4",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/project-service/-/project-service-8.59.4.tgz",
-      "integrity": "sha512-Ly00Vu4oAacfDeHp2Zg85ioNG6l8HG+tN1D7J+xTHSxu9y0awYKJ2zH1rFBn8ZSfuGK+7FxK3Cgl3uAz0aZZLg==",
+      "version": "8.60.0",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/project-service/-/project-service-8.60.0.tgz",
+      "integrity": "sha512-aZu74NNKJeUWqCjDddzdiKaS82dgYgV/vmf+Ui3ZdZejmgfXR/q+pRumgobnQ2cCJTgGTWp4ypiwsuofFubavg==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
-        "@typescript-eslint/tsconfig-utils": "^8.59.4",
-        "@typescript-eslint/types": "^8.59.4",
+        "@typescript-eslint/tsconfig-utils": "^8.60.0",
+        "@typescript-eslint/types": "^8.60.0",
        "debug": "^4.4.3"
      },
      "engines": {
@@ -2650,14 +2650,14 @@
      }
    },
    "node_modules/@typescript-eslint/scope-manager": {
-      "version": "8.59.4",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/scope-manager/-/scope-manager-8.59.4.tgz",
-      "integrity": "sha512-mUeR/3H1WrTAddJrwut8OoPjfauaztMQmRwV5fQTUyNVJCLiUXXe4lGEyYIL2oFDpP7UtgbGJXCt72wT0z2S3Q==",
+      "version": "8.60.0",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/scope-manager/-/scope-manager-8.60.0.tgz",
+      "integrity": "sha512-pFzqhllJMs+jghLQWzV00ds39xLzuyqPSev5pd8f4Ir0rtKR3ZLUB4/4dhjOFighWb9larvtfJvqL+4yKDI3Xw==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
-        "@typescript-eslint/types": "8.59.4",
-        "@typescript-eslint/visitor-keys": "8.59.4"
+        "@typescript-eslint/types": "8.60.0",
+        "@typescript-eslint/visitor-keys": "8.60.0"
      },
      "engines": {
        "node": "^18.18.0 || ^20.9.0 || >=21.1.0"
@@ -2668,9 +2668,9 @@
      }
    },
    "node_modules/@typescript-eslint/tsconfig-utils": {
-      "version": "8.59.4",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/tsconfig-utils/-/tsconfig-utils-8.59.4.tgz",
-      "integrity": "sha512-DLCpnKgD4alVxTBSKulK+gU1KCqOgUXfDRDXh2mZgzokQKa/70ax93I2uVO3m/LLvIAtWZIFoiifudmIqAxpMA==",
+      "version": "8.60.0",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/tsconfig-utils/-/tsconfig-utils-8.60.0.tgz",
+      "integrity": "sha512-BZPR3RGYlAXnly6ymAxfkVn5rCbZzQNou0rxv3GfWZ8cTQp+hhVd73khbGLAd8k1TlAPLISH337M+tAgAnaJDQ==",
      "dev": true,
      "license": "MIT",
      "engines": {
@@ -2685,15 +2685,15 @@
      }
    },
    "node_modules/@typescript-eslint/type-utils": {
-      "version": "8.59.4",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/type-utils/-/type-utils-8.59.4.tgz",
-      "integrity": "sha512-uonTuPAAKr9XaBGqJ3LjYTh72zy5DyGesljO9gtmk/eFW0W1fRHjnwVYKB35Lm8d5Q5CluEW3gPHjTvZTmgrfA==",
+      "version": "8.60.0",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/type-utils/-/type-utils-8.60.0.tgz",
+      "integrity": "sha512-SX46wEUtitCpq7AN38HkUU/+zvUpdKf7ephtWAFgckH8O7PQIyL5gvrhQgBLuEYgLfuKWOVvWVskMbuFHAz5xg==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
-        "@typescript-eslint/types": "8.59.4",
-        "@typescript-eslint/typescript-estree": "8.59.4",
-        "@typescript-eslint/utils": "8.59.4",
+        "@typescript-eslint/types": "8.60.0",
+        "@typescript-eslint/typescript-estree": "8.60.0",
+        "@typescript-eslint/utils": "8.60.0",
        "debug": "^4.4.3",
        "ts-api-utils": "^2.5.0"
      },
@@ -2728,9 +2728,9 @@
      }
    },
    "node_modules/@typescript-eslint/types": {
-      "version": "8.59.4",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/types/-/types-8.59.4.tgz",
-      "integrity": "sha512-F1o7WJcCq+bc8dwcO/YsSEOudAH8RDtaOhM6wcAQhcUsFhnWQl81JKy48q1hoxAU0qrzM89+31GYh1515Zde3Q==",
+      "version": "8.60.0",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/types/-/types-8.60.0.tgz",
+      "integrity": "sha512-AsE7x2XaAK+CVbeih0Fvbn+r1qHxtpLDJ3XUuFcIinT318T90yHMJC+Zgv+jUuDjQQd06HKwxnDu6sz1IcTilA==",
      "dev": true,
      "license": "MIT",
      "engines": {
@@ -2742,16 +2742,16 @@
      }
    },
    "node_modules/@typescript-eslint/typescript-estree": {
-      "version": "8.59.4",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/typescript-estree/-/typescript-estree-8.59.4.tgz",
-      "integrity": "sha512-F+RuOmcDXo4+TPdfd/TCLS3m2nw8gE9XXyZLrA3JBfaA5tz9TtdkyD3YJFmPxulyc2cKbEok/CvFE3MgSLWnag==",
+      "version": "8.60.0",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/typescript-estree/-/typescript-estree-8.60.0.tgz",
+      "integrity": "sha512-3AcZNBGMClm6CXDyo8kYvVGT/sx29sS0oBsIb9oZI2gunA4Vm2M3YHzRLPvsUBBsl+yB5FPtltq7gGH0iTlp9g==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
-        "@typescript-eslint/project-service": "8.59.4",
-        "@typescript-eslint/tsconfig-utils": "8.59.4",
-        "@typescript-eslint/types": "8.59.4",
-        "@typescript-eslint/visitor-keys": "8.59.4",
+        "@typescript-eslint/project-service": "8.60.0",
+        "@typescript-eslint/tsconfig-utils": "8.60.0",
+        "@typescript-eslint/types": "8.60.0",
+        "@typescript-eslint/visitor-keys": "8.60.0",
        "debug": "^4.4.3",
        "minimatch": "^10.2.2",
        "semver": "^7.7.3",
@@ -2827,16 +2827,16 @@
      }
    },
    "node_modules/@typescript-eslint/utils": {
-      "version": "8.59.4",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/utils/-/utils-8.59.4.tgz",
-      "integrity": "sha512-cYXeNAUsG4lJo5dbc1FcKm+JwIWrj1/UpTORsC6tGMjEZ81DYcvIr9/ueikhMa/Y/gDQYGp+YX9/xQrXje5BJw==",
+      "version": "8.60.0",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/utils/-/utils-8.60.0.tgz",
+      "integrity": "sha512-HtXuPfrHTyBDkameWpl+vJb1Uevu2tznAyahM1Oc4AENidCLTPiZDWIo4GfcxNdC/RcfGcadzzkqbRG87dUrQA==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
        "@eslint-community/eslint-utils": "^4.9.1",
-        "@typescript-eslint/scope-manager": "8.59.4",
-        "@typescript-eslint/types": "8.59.4",
-        "@typescript-eslint/typescript-estree": "8.59.4"
+        "@typescript-eslint/scope-manager": "8.60.0",
+        "@typescript-eslint/types": "8.60.0",
+        "@typescript-eslint/typescript-estree": "8.60.0"
      },
      "engines": {
        "node": "^18.18.0 || ^20.9.0 || >=21.1.0"
@@ -2851,13 +2851,13 @@
      }
    },
    "node_modules/@typescript-eslint/visitor-keys": {
-      "version": "8.59.4",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/visitor-keys/-/visitor-keys-8.59.4.tgz",
-      "integrity": "sha512-U3gxVaDVnuZKhSspW/MzMxE1kq7zOdc072FcSNoqA1I9p8HyKbBFfEHoWckBAMgNMph4MamwS5iTVzFmrnt8TQ==",
+      "version": "8.60.0",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/visitor-keys/-/visitor-keys-8.60.0.tgz",
+      "integrity": "sha512-9WI52t8ZGLVGrPMBet25yAftqY/n95+zmoUUtJBBQTKDSKUu7OsPTroT2op7U9JatkoRccL0YkWDNMFfC4Sjxg==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
-        "@typescript-eslint/types": "8.59.4",
+        "@typescript-eslint/types": "8.60.0",
        "eslint-visitor-keys": "^5.0.0"
      },
      "engines": {
@@ -8311,9 +8311,9 @@
      }
    },
    "node_modules/semver": {
-      "version": "7.8.0",
-      "resolved": "https://registry.npmjs.org/semver/-/semver-7.8.0.tgz",
-      "integrity": "sha512-AcM7dV/5ul4EekoQ29Agm5vri8JNqRyj39o0qpX6vDF2GZrtutZl5RwgD1XnZjiTAfncsJhMI48QQH3sN87YNA==",
+      "version": "7.8.1",
+      "resolved": "https://registry.npmjs.org/semver/-/semver-7.8.1.tgz",
+      "integrity": "sha512-rkVq3IXh+4FDGch+KwzX3aV9W3kO54GyEgpvBzSyctDA6Xtd7RJQV1xmXbeQp5v7+VzLOfVqiutSE6GICgPFvg==",
      "license": "ISC",
      "bin": {
        "semver": "bin/semver.js"
@@ -9292,16 +9292,16 @@
      }
    },
    "node_modules/typescript-eslint": {
-      "version": "8.59.4",
-      "resolved": "https://registry.npmjs.org/typescript-eslint/-/typescript-eslint-8.59.4.tgz",
-      "integrity": "sha512-Rw6+44QNFaXtgHSjPy+Kw8hrJniMYzR85E9yLmOLcfZ91/rz+JXQbDTCmc6ccxMPY6K6PgAq26f0JCBfR7LIPQ==",
+      "version": "8.60.0",
+      "resolved": "https://registry.npmjs.org/typescript-eslint/-/typescript-eslint-8.60.0.tgz",
+      "integrity": "sha512-9f65qWLZdAW9m1JaxBDUHcqRUfL8bkxxXL7XxEfI+F09q56PkBvIfCjLF3yInsDM/BBmwkqmCQdCZe/RYlIWEw==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
-        "@typescript-eslint/eslint-plugin": "8.59.4",
-        "@typescript-eslint/parser": "8.59.4",
-        "@typescript-eslint/typescript-estree": "8.59.4",
-        "@typescript-eslint/utils": "8.59.4"
+        "@typescript-eslint/eslint-plugin": "8.60.0",
+        "@typescript-eslint/parser": "8.60.0",
+        "@typescript-eslint/typescript-estree": "8.60.0",
+        "@typescript-eslint/utils": "8.60.0"
      },
      "engines": {
        "node": "^18.18.0 || ^20.9.0 || >=21.1.0"
@@ -1,6 +1,6 @@
 {
  "name": "codeql",
-  "version": "4.36.1",
+  "version": "4.36.2",
  "private": true,
  "description": "CodeQL action",
  "scripts": {
@@ -40,7 +40,7 @@
    "jsonschema": "1.5.0",
    "long": "^5.3.2",
    "node-forge": "^1.4.0",
-    "semver": "^7.8.0",
+    "semver": "^7.8.1",
    "uuid": "^14.0.0"
  },
  "devDependencies": {
@@ -69,7 +69,7 @@
    "nock": "^14.0.15",
    "sinon": "^22.0.0",
    "typescript": "^6.0.3",
-    "typescript-eslint": "^8.59.4"
+    "typescript-eslint": "^8.60.0"
  },
  "overrides": {
    "@actions/tool-cache": {
@@ -46,7 +46,7 @@ steps:
      post-processed-sarif-path: "${{ runner.temp }}/post-processed"

  - name: Upload SARIF files
-    uses: actions/upload-artifact@v7
+    uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
    with:
      name: |
        analysis-kinds-${{ matrix.os }}-${{ matrix.version }}-${{ matrix.analysis-kinds }}
@@ -54,7 +54,7 @@ steps:
      retention-days: 7

  - name: Upload post-processed SARIF
-    uses: actions/upload-artifact@v7
+    uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
    with:
      name: |
        post-processed-${{ matrix.os }}-${{ matrix.version }}-${{ matrix.analysis-kinds }}
@@ -64,7 +64,7 @@ steps:

  - name: Check quality query does not appear in security SARIF
    if: contains(matrix.analysis-kinds, 'code-scanning')
-    uses: actions/github-script@v8
+    uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
    env:
      SARIF_PATH: "${{ runner.temp }}/results/javascript.sarif"
      EXPECT_PRESENT: "false"
@@ -72,7 +72,7 @@ steps:
      script: ${{ env.CHECK_SCRIPT }}
  - name: Check quality query appears in quality SARIF
    if: contains(matrix.analysis-kinds, 'code-quality')
-    uses: actions/github-script@v8
+    uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
    env:
      SARIF_PATH: "${{ runner.temp }}/results/javascript.quality.sarif"
      EXPECT_PRESENT: "true"
@@ -7,7 +7,7 @@ steps:
    run: npm install @actions/tool-cache@3
  - name: Check toolcache contains CodeQL
    continue-on-error: true
-    uses: actions/github-script@v8
+    uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
    with:
      script: |
        const toolcache = require('@actions/tool-cache');
@@ -20,7 +20,7 @@ steps:
    with:
      tools: ${{ steps.prepare-test.outputs.tools-url }}
  - name: Check CodeQL is installed within the toolcache
-    uses: actions/github-script@v8
+    uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
    with:
      script: |
        const toolcache = require('@actions/tool-cache');
@@ -8,7 +8,7 @@ operatingSystems:
  - windows
 steps:
  - name: Remove CodeQL from toolcache
-    uses: actions/github-script@v8
+    uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
    with:
      script: |
        const fs = require('fs');
@@ -18,7 +18,7 @@ steps:
  - name: Install @actions/tool-cache
    run: npm install @actions/tool-cache@3
  - name: Check toolcache does not contain CodeQL
-    uses: actions/github-script@v8
+    uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
    with:
      script: |
        const toolcache = require('@actions/tool-cache');
@@ -37,7 +37,7 @@ steps:
      output: ${{ runner.temp }}/results
      upload-database: false
  - name: Check CodeQL is installed within the toolcache
-    uses: actions/github-script@v8
+    uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
    with:
      script: |
        const toolcache = require('@actions/tool-cache');
@@ -8,7 +8,7 @@ operatingSystems:
  - windows
 steps:
  - name: Remove CodeQL from toolcache
-    uses: actions/github-script@v8
+    uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
    with:
      script: |
        const fs = require('fs');
@@ -27,13 +27,13 @@ steps:
      output: ${{ runner.temp }}/results
      upload-database: false
  - name: Upload SARIF
-    uses: actions/upload-artifact@v7
+    uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
    with:
      name: ${{ matrix.os }}-zstd-bundle.sarif
      path: ${{ runner.temp }}/results/javascript.sarif
      retention-days: 7
  - name: Check diagnostic with expected tools URL appears in SARIF
-    uses: actions/github-script@v8
+    uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
    env:
      SARIF_PATH: ${{ runner.temp }}/results/javascript.sarif
    with:
@@ -14,13 +14,13 @@ steps:
      output: "${{ runner.temp }}/results"
      upload-database: false
  - name: Upload SARIF
-    uses: actions/upload-artifact@v7
+    uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
    with:
      name: config-export-${{ matrix.os }}-${{ matrix.version }}.sarif.json
      path: "${{ runner.temp }}/results/javascript.sarif"
      retention-days: 7
  - name: Check config properties appear in SARIF
-    uses: actions/github-script@v8
+    uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
    env:
      SARIF_PATH: "${{ runner.temp }}/results/javascript.sarif"
    with:
@@ -27,13 +27,13 @@ steps:
      output: "${{ runner.temp }}/results"
      upload-database: false
  - name: Upload SARIF
-    uses: actions/upload-artifact@v7
+    uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
    with:
      name: diagnostics-export-${{ matrix.os }}-${{ matrix.version }}.sarif.json
      path: "${{ runner.temp }}/results/javascript.sarif"
      retention-days: 7
  - name: Check diagnostics appear in SARIF
-    uses: actions/github-script@v8
+    uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
    env:
      SARIF_PATH: "${{ runner.temp }}/results/javascript.sarif"
    with:
@@ -23,7 +23,7 @@ steps:
    with:
      output: "${{ runner.temp }}/results"
  - name: Upload SARIF
-    uses: actions/upload-artifact@v7
+    uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
    with:
      name: with-baseline-information-${{ matrix.os }}-${{ matrix.version }}.sarif.json
      path: "${{ runner.temp }}/results/javascript.sarif"
@@ -12,7 +12,7 @@ steps:
      languages: go
      tools: ${{ steps.prepare-test.outputs.tools-url }}
  # Deliberately change Go after the `init` step
-  - uses: actions/setup-go@v6
+  - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
    with:
      go-version: "1.20"
  - name: Build code
@@ -22,7 +22,7 @@ steps:
      output: "${{ runner.temp }}/results"
      upload-database: false
  - name: Check diagnostic appears in SARIF
-    uses: actions/github-script@v8
+    uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
    env:
      SARIF_PATH: "${{ runner.temp }}/results/go.sarif"
    with:
@@ -23,7 +23,7 @@ steps:
      output: "${{ runner.temp }}/results"
      upload-database: false
  - name: Check diagnostic appears in SARIF
-    uses: actions/github-script@v8
+    uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
    env:
      SARIF_PATH: "${{ runner.temp }}/results/go.sarif"
    with:
@@ -12,7 +12,7 @@ steps:
    with:
      output: "${{ runner.temp }}/results"
  - name: Upload SARIF
-    uses: actions/upload-artifact@v7
+    uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
    with:
      name: ${{ matrix.os }}-${{ matrix.version }}.sarif.json
      path: "${{ runner.temp }}/results/javascript.sarif"
@@ -13,7 +13,7 @@ steps:
    # We need Python 3.13 for older CLI versions because they are not compatible with Python 3.14 or newer.
    # See https://github.com/github/codeql-action/pull/3212
    if: matrix.version != 'nightly-latest' && matrix.version != 'linked'
-    uses: actions/setup-python@v6
+    uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
    with:
      python-version: "3.13"

@@ -5,7 +5,7 @@ versions:
  - default
 steps:
  - name: Set up Ruby
-    uses: ruby/setup-ruby@6aaa311d81eba98ae12eaffbcb63296ace0efcde # v1.307.0
+    uses: ruby/setup-ruby@afeafc3d1ab54a631816aba4c914a0081c12ff2f # v1.310.0
    with:
      ruby-version: 2.6
  - name: Install Code Scanning integration
@@ -21,7 +21,7 @@ permissions:
  security-events: write # needed to upload the SARIF file

 steps:
-  - uses: actions/checkout@v6
+  - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
  - uses: ./init
    with:
      languages: javascript
@@ -14,7 +14,7 @@ steps:
      rm -rf ./* .github .git
  # Check out the actions repo again, but at a different location.
  # choose an arbitrary SHA so that we can later test that the commit_oid is not from main
-  - uses: actions/checkout@v6
+  - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
    with:
      ref: 474bbf07f9247ffe1856c6a0f94aeeb10e7afee6
      path: x/y/z/some-path
@@ -188,6 +188,41 @@ const steps = [
    const result = updateSyncTs(syncTsPath, actionVersions);
    assert.equal(result, false);
  });
+
+  await it("updates SHA-pinned pinnedUses references", () => {
+    /** Test updating `pinnedUses(...)` references with new SHA and version */
+    const syncTsContent = `
+const steps = [
+  {
+    uses: pinnedUses(
+      "actions/setup-node",
+      "0000000000000000000000000000000000000000",
+      "v6.0.0",
+    ),
+  },
+];
+`;
+
+    fs.writeFileSync(syncTsPath, syncTsContent);
+
+    const actionVersions = {
+      "actions/setup-node": "48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0",
+    };
+
+    const result = updateSyncTs(syncTsPath, actionVersions);
+    assert.equal(result, true);
+
+    const updatedContent = fs.readFileSync(syncTsPath, "utf8");
+
+    assert.ok(
+      updatedContent.includes('"48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e"'),
+    );
+    assert.ok(updatedContent.includes('"v6.4.0"'));
+    assert.ok(
+      !updatedContent.includes("0000000000000000000000000000000000000000"),
+    );
+    assert.ok(!updatedContent.includes('"v6.0.0"'));
+  });
 });

 describe("updateTemplateFiles", async () => {
@@ -68,6 +68,10 @@ export function scanGeneratedWorkflows(
 /**
 * Update hardcoded action versions in pr-checks/sync.ts
 *
+ * Handles both inline `uses: "owner/action@ref"` strings and SHA-pinned
+ * references expressed via the `pinnedUses("owner/action", "<sha>", "version")`
+ * helper.
+ *
 * @param syncTsPath - Path to sync.ts file
 * @param actionVersions - Map of action names to versions (may include comments)
 * @returns True if the file was modified, false otherwise
@@ -87,18 +91,36 @@ export function updateSyncTs(
  for (const [actionName, versionWithComment] of Object.entries(
    actionVersions,
  )) {
-    // Extract just the version part (before any comment) for sync.ts
-    const version = versionWithComment.includes("#")
+    // Split the scanned value into the ref (e.g. a commit SHA) and the optional
+    // trailing version comment (e.g. `v6.0.3`).
+    const ref = versionWithComment.includes("#")
      ? versionWithComment.split("#")[0].trim()
      : versionWithComment.trim();
+    const versionComment = versionWithComment.includes("#")
+      ? versionWithComment.split("#")[1].trim()
+      : "";
+
+    const escaped = actionName.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");

    // Look for patterns like uses: "actions/setup-node@v4"
    // Note that this will break if we store an Action uses reference in a
    // variable - that's a risk we're happy to take since in that case the
    // PR checks will just fail.
-    const escaped = actionName.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
-    const pattern = new RegExp(`(uses:\\s*")${escaped}@(?:[^"]+)(")`, "g");
-    content = content.replace(pattern, `$1${actionName}@${version}$2`);
+    const usesPattern = new RegExp(`(uses:\\s*")${escaped}@(?:[^"]+)(")`, "g");
+    content = content.replace(usesPattern, `$1${actionName}@${ref}$2`);
+
+    // Look for SHA-pinned references expressed via the `pinnedUses` helper, e.g.
+    // `pinnedUses("actions/checkout", "<sha>", "v6.0.3")`, updating both the
+    // pinned ref and the version comment.
+    const pinnedPattern = new RegExp(
+      `(pinnedUses\\(\\s*")${escaped}("\\s*,\\s*")[^"]*("\\s*,\\s*")([^"]*)(")`,
+      "g",
+    );
+    content = content.replace(
+      pinnedPattern,
+      (_match, p1, p2, p3, oldVersion, p5) =>
+        `${p1}${actionName}${p2}${ref}${p3}${versionComment || oldVersion}${p5}`,
+    );
  }

  if (content !== originalContent) {
@@ -7,6 +7,16 @@ import * as yaml from "yaml";

 import { BuiltInLanguage } from "../src/languages";

+/**
+ * Returns a `uses` value for `action` pinned to a commit SHA, with the
+ * human-readable version recorded in a trailing comment.
+ */
+function pinnedUses(action: string, sha: string, version: string): yaml.Scalar {
+  const node = new yaml.Scalar(`${action}@${sha}`);
+  node.comment = ` ${version}`;
+  return node;
+}
+
 /** Known workflow input names. */
 enum KnownInputName {
  GoVersion = "go-version",
@@ -192,7 +202,11 @@ const languageSetups: LanguageSetups = {
    steps: [
      {
        name: "Install Node.js",
-        uses: "actions/setup-node@v6",
+        uses: pinnedUses(
+          "actions/setup-node",
+          "48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e",
+          "v6.4.0",
+        ),
        with: {
          "node-version": defaultLanguageVersions.javascript,
          cache: "npm",
@@ -210,7 +224,11 @@ const languageSetups: LanguageSetups = {
    steps: [
      {
        name: "Install Go",
-        uses: "actions/setup-go@v6",
+        uses: pinnedUses(
+          "actions/setup-go",
+          "4a3601121dd01d1626a1e23e37211e3254c1c06c",
+          "v6.4.0",
+        ),
        with: {
          "go-version": `\${{ inputs.go-version || '${defaultLanguageVersions.go}' }}`,
          // to avoid potentially misleading autobuilder results where we expect it to download
@@ -226,7 +244,11 @@ const languageSetups: LanguageSetups = {
    steps: [
      {
        name: "Install Java",
-        uses: "actions/setup-java@v5",
+        uses: pinnedUses(
+          "actions/setup-java",
+          "be666c2fcd27ec809703dec50e508c2fdc7f6654",
+          "v5.2.0",
+        ),
        with: {
          "java-version": `\${{ inputs.java-version || '${defaultLanguageVersions.java}' }}`,
          distribution: "temurin",
@@ -240,7 +262,11 @@ const languageSetups: LanguageSetups = {
    steps: [
      {
        name: "Install Python",
-        uses: "actions/setup-python@v6",
+        uses: pinnedUses(
+          "actions/setup-python",
+          "a309ff8b426b58ec0e2a45f0f869d46889d02405",
+          "v6.2.0",
+        ),
        with: {
          "python-version": `\${{ inputs.python-version || '${defaultLanguageVersions.python}' }}`,
        },
@@ -253,7 +279,11 @@ const languageSetups: LanguageSetups = {
    steps: [
      {
        name: "Install .NET",
-        uses: "actions/setup-dotnet@v5",
+        uses: pinnedUses(
+          "actions/setup-dotnet",
+          "9a946fdbd5fb07b82b2f5a4466058b876ab72bb2",
+          "v5.3.0",
+        ),
        with: {
          "dotnet-version": `\${{ inputs.dotnet-version || '${defaultLanguageVersions.csharp}' }}`,
        },
@@ -456,7 +486,11 @@ function generateJob(
  const steps: Step[] = [
    {
      name: "Check out repository",
-      uses: "actions/checkout@v6",
+      uses: pinnedUses(
+        "actions/checkout",
+        "df4cb1c069e1874edd31b4311f1884172cec0e10",
+        "v6.0.3",
+      ),
    },
    ...setupInfo.steps,
    {
@@ -523,7 +523,7 @@ async function getCodeQLForCmd(
      return cmd;
    },
    async getVersion() {
-      let result = util.getCachedCodeQlVersion();
+      let result = util.getCachedCodeQlVersion(cmd);
      if (result === undefined) {
        const output = await runCli(cmd, ["version", "--format=json"], {
          noStreamStdout: true,
@@ -535,12 +535,13 @@ async function getCodeQLForCmd(
            `Invalid JSON output from \`version --format=json\`: ${output}`,
          );
        }
-        util.cacheCodeQlVersion(result);
+        util.cacheCodeQlVersion(cmd, result);
      }
      return result;
    },
    async printVersion() {
-      await runCli(cmd, ["version", "--format=json"]);
+      // Reuse the cached version information rather than invoking the CLI again.
+      core.info(JSON.stringify(await this.getVersion(), null, 2));
    },
    async supportsFeature(feature: ToolsFeature) {
      return isSupportedToolsFeature(await this.getVersion(), feature);
@@ -735,21 +736,26 @@ async function getCodeQLForCmd(
      await runCli(cmd, args);
    },
    async resolveLanguages() {
-      const codeqlArgs = [
-        "resolve",
-        "languages",
-        "--format=json",
-        ...getExtraOptionsFromEnv(["resolve", "languages"]),
-      ];
-      const output = await runCli(cmd, codeqlArgs);
+      let result = util.getCachedCodeQlResolveLanguages(cmd);
+      if (result === undefined) {
+        const codeqlArgs = [
+          "resolve",
+          "languages",
+          "--format=json",
+          ...getExtraOptionsFromEnv(["resolve", "languages"]),
+        ];
+        const output = await runCli(cmd, codeqlArgs);

-      try {
-        return JSON.parse(output) as ResolveLanguagesOutput;
-      } catch (e) {
-        throw new Error(
-          `Unexpected output from codeql resolve languages: ${e}`,
-        );
+        try {
+          result = JSON.parse(output) as ResolveLanguagesOutput;
+        } catch (e) {
+          throw new Error(
+            `Unexpected output from codeql resolve languages: ${e}`,
+          );
+        }
+        util.cacheCodeQlResolveLanguages(cmd, result);
      }
+      return result;
    },
    async betterResolveLanguages(
      {
@@ -968,32 +974,11 @@ async function getCodeQLForCmd(
      await new toolrunner.ToolRunner(cmd, args).exec();
    },
    async resolveExtractor(language: Language): Promise<string> {
-      // Request it using `format=json` so we don't need to strip the trailing new line generated by
-      // the CLI.
-      let extractorPath = "";
-      await new toolrunner.ToolRunner(
-        cmd,
-        [
-          "resolve",
-          "extractor",
-          "--format=json",
-          `--language=${language}`,
-          "--extractor-include-aliases",
-          ...getExtraOptionsFromEnv(["resolve", "extractor"]),
-        ],
-        {
-          silent: true,
-          listeners: {
-            stdout: (data) => {
-              extractorPath += data.toString();
-            },
-            stderr: (data) => {
-              process.stderr.write(data);
-            },
-          },
-        },
-      ).exec();
-      return JSON.parse(extractorPath) as string;
+      // A previous implementation executed `codeql resolve extractor`.
+      // This can be a bit slow due to the JVM startup cost. Instead, get
+      // the extractor path from resolveLanguages(), which caches its output.
+      const extractors = await this.resolveLanguages();
+      return extractors[language][0];
    },
    async resolveQueriesStartingPacks(queries: string[]): Promise<string[]> {
      const codeqlArgs = [
@@ -1,6 +1,6 @@
 {
-  "bundleVersion": "codeql-bundle-v2.25.5",
-  "cliVersion": "2.25.5",
-  "priorBundleVersion": "codeql-bundle-v2.25.4",
-  "priorCliVersion": "2.25.4"
+  "bundleVersion": "codeql-bundle-v2.25.6",
+  "cliVersion": "2.25.6",
+  "priorBundleVersion": "codeql-bundle-v2.25.5",
+  "priorCliVersion": "2.25.5"
 }
@@ -17,6 +17,18 @@ export enum EnvVar {
   */
  CLI_VERBOSITY = "CODEQL_VERBOSITY",

+  /**
+   * `PersistedVersionInfo` for the CodeQL CLI, so later Actions steps can reuse it instead of
+   * invoking `codeql version` again.
+   */
+  CODEQL_VERSION_INFO = "CODEQL_ACTION_CLI_VERSION_INFO",
+
+  /**
+   * `ResolveLanguagesOutput` for the CodeQL CLI, so later Actions steps can reuse it instead of
+   * invoking `codeql resolve languages` again.
+   */
+  CODEQL_RESOLVE_LANGUAGES = "CODEQL_ACTION_CLI_RESOLVE_LANGUAGES",
+
  /** Whether the CodeQL Action has invoked the Go autobuilder. */
  DID_AUTOBUILD_GOLANG = "CODEQL_ACTION_DID_AUTOBUILD_GOLANG",

@@ -82,6 +82,11 @@ export enum Feature {
  DisableJavaBuildlessEnabled = "disable_java_buildless_enabled",
  DisableKotlinAnalysisEnabled = "disable_kotlin_analysis_enabled",
  ExportDiagnosticsEnabled = "export_diagnostics_enabled",
+  /**
+   * Emergency override that forces the CodeQL CLI to use the JGit-based Git backend instead of its
+   * default backend selection.
+   */
+  ForceJGit = "force_jgit",
  ForceNightly = "force_nightly",
  IgnoreGeneratedFiles = "ignore_generated_files",
  JavaNetworkDebugging = "java_network_debugging",
@@ -224,6 +229,11 @@ export const featureConfig = {
    legacyApi: true,
    minimumVersion: undefined,
  },
+  [Feature.ForceJGit]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_FORCE_JGIT",
+    minimumVersion: undefined,
+  },
  [Feature.ForceNightly]: {
    defaultValue: false,
    envVar: "CODEQL_ACTION_FORCE_NIGHTLY",
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Mario Campos	e34c66b951	Reimplement `resolveExtractor()` as wrapper over `resolveLanguages()` By wrapping `resolveLanguages()`, which is memoized, we can avoid executing `codeql resolve extractor` several times over the course of an analysis.	2026-06-04 08:40:02 -05:00
Mario Campos	d3127b72f7	Cache the output of `codeql resolve languages` Repeated calls to `resolveLanguages()` will only pay the performance penalty of executing `codeql resolve languages` once.	2026-06-04 08:39:58 -05:00
Henry Mercer	dcb947ce15	Merge pull request #3948 from github/update-bundle/codeql-bundle-v2.25.6 Update default bundle to 2.25.6	2026-06-04 10:56:27 +00:00
github-actions[bot]	c251bcefa1	Add changelog note	2026-06-04 10:43:06 +00:00
github-actions[bot]	62953c18b3	Update default bundle to codeql-bundle-v2.25.6	2026-06-04 10:42:59 +00:00
Henry Mercer	423b570baf	Merge pull request #3946 from github/dependabot/npm_and_yarn/npm-minor-5d507a028b Bump the npm-minor group across 1 directory with 2 updates	2026-06-04 10:38:05 +00:00
Henry Mercer	c35d1b1644	Merge pull request #3947 from github/dependabot/github_actions/dot-github/workflows/actions-minor-3d0b6ad432 Bump ruby/setup-ruby from 1.307.0 to 1.310.0 in /.github/workflows in the actions-minor group across 1 directory	2026-06-04 10:10:18 +00:00
Robert	cb1a588b02	Merge pull request #3937 from github/robertbrignull/waitForProcessing_backoff Change waitForProcessing to use exponential backoff	2026-06-04 10:06:49 +00:00
Henry Mercer	ba47406412	Merge pull request #3943 from github/henrymercer/cache-cli-version-info Cache CLI version information across Actions steps	2026-06-04 09:58:34 +00:00
Henry Mercer	5be8119767	Merge pull request #3938 from github/henrymercer/git-client-feature-flag Add FF to force JGit-based Git backend	2026-06-04 09:58:15 +00:00
Robert	6047ac775f	Merge branch 'main' into robertbrignull/waitForProcessing_backoff	2026-06-04 10:35:04 +01:00
github-actions[bot]	af7b8f37ea	Rebuild	2026-06-04 02:43:57 +00:00
dependabot[bot]	3569f75599	Bump ruby/setup-ruby Bumps the actions-minor group with 1 update in the /.github/workflows directory: [ruby/setup-ruby](https://github.com/ruby/setup-ruby). Updates `ruby/setup-ruby` from 1.307.0 to 1.310.0 - [Release notes](https://github.com/ruby/setup-ruby/releases) - [Changelog](https://github.com/ruby/setup-ruby/blob/master/release.rb) - [Commits](https://github.com/ruby/setup-ruby/compare/6aaa311d81eba98ae12eaffbcb63296ace0efcde...afeafc3d1ab54a631816aba4c914a0081c12ff2f) --- updated-dependencies: - dependency-name: ruby/setup-ruby dependency-version: 1.310.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: actions-minor ... Signed-off-by: dependabot[bot] <support@github.com>	2026-06-04 02:42:04 +00:00
github-actions[bot]	acb38f7265	Rebuild	2026-06-04 02:40:00 +00:00
dependabot[bot]	dd9e36c0d3	Bump the npm-minor group across 1 directory with 2 updates Bumps the npm-minor group with 2 updates in the / directory: [semver](https://github.com/npm/node-semver) and [typescript-eslint](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/typescript-eslint). Updates `semver` from 7.8.0 to 7.8.1 - [Release notes](https://github.com/npm/node-semver/releases) - [Changelog](https://github.com/npm/node-semver/blob/main/CHANGELOG.md) - [Commits](https://github.com/npm/node-semver/compare/v7.8.0...v7.8.1) Updates `typescript-eslint` from 8.59.4 to 8.60.0 - [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases) - [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/typescript-eslint/CHANGELOG.md) - [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v8.60.0/packages/typescript-eslint) --- updated-dependencies: - dependency-name: semver dependency-version: 7.8.1 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: npm-minor - dependency-name: typescript-eslint dependency-version: 8.60.0 dependency-type: direct:development update-type: version-update:semver-minor dependency-group: npm-minor ... Signed-off-by: dependabot[bot] <support@github.com>	2026-06-04 02:38:09 +00:00
Henry Mercer	5ccef82244	Address review comments	2026-06-03 18:31:11 +01:00
Henry Mercer	2ceebd64c4	Merge pull request #3945 from github/henrymercer/pin-actions-to-shas Pin first-party Actions to SHAs	2026-06-03 17:09:52 +00:00
Henry Mercer	fd3f10809d	Update sync-back script This is intended as a workaround until https://github.com/github/codeql-action/pull/3556 is merged.	2026-06-03 17:21:10 +01:00
Henry Mercer	87f4948cb0	Pin first-party Actions	2026-06-03 17:19:36 +01:00
Henry Mercer	bab673d0e0	Cache CLI version information across Actions steps	2026-06-02 19:27:05 +01:00
Henry Mercer	8ed7f7c384	Merge pull request #3941 from github/mergeback/v4.36.1-to-main-87557b9c Mergeback v4.36.1 refs/heads/releases/v4 into main	2026-06-02 10:35:51 +00:00
github-actions[bot]	0ad7c1f95e	Rebuild	2026-06-02 10:09:37 +00:00
github-actions[bot]	25c25b5e09	Update changelog and version after v4.36.1	2026-06-02 10:09:22 +00:00
Robert	d40e417f3c	Only do initial wait when not running tests	2026-06-01 16:43:42 +01:00
Henry Mercer	948a63aed1	Add FF to force JGit-based Git backend	2026-06-01 15:20:13 +01:00
Robert	dfc14113e3	Change waitForProcessing to use exponential backoff	2026-05-28 11:15:07 +01:00