From cf8b7a6e14d039e1cb0f7b5afbe0f2830bab2c11 Mon Sep 17 00:00:00 2001
From: "Michael B. Gale" <mbg@github.com>
Date: Wed, 12 Nov 2025 11:55:59 +0000
Subject: [PATCH 01/31] Refactor C# cache content paths into a function

---
 lib/analyze-action.js     |  5 ++++-
 lib/init-action.js        |  5 ++++-
 src/dependency-caching.ts | 13 ++++++++++++-
 3 files changed, 20 insertions(+), 3 deletions(-)

diff --git a/lib/analyze-action.js b/lib/analyze-action.js
index fd43a2f778..72943ee05a 100644
--- a/lib/analyze-action.js
+++ b/lib/analyze-action.js
@@ -91069,6 +91069,9 @@ function getJavaDependencyDirs() {
     getJavaTempDependencyDir()
   ];
 }
+function getCsharpDependencyDirs() {
+  return [(0, import_path.join)(os3.homedir(), ".nuget", "packages")];
+}
 async function makePatternCheck(patterns) {
   const globber = await makeGlobber(patterns);
   if ((await globber.glob()).length === 0) {
@@ -91113,7 +91116,7 @@ var defaultCacheConfigs = {
     ])
   },
   csharp: {
-    getDependencyPaths: () => [(0, import_path.join)(os3.homedir(), ".nuget", "packages")],
+    getDependencyPaths: getCsharpDependencyDirs,
     getHashPatterns: getCsharpHashPatterns
   },
   go: {
diff --git a/lib/init-action.js b/lib/init-action.js
index 98c23c88fd..2d361f8f43 100644
--- a/lib/init-action.js
+++ b/lib/init-action.js
@@ -87256,6 +87256,9 @@ function getJavaDependencyDirs() {
     getJavaTempDependencyDir()
   ];
 }
+function getCsharpDependencyDirs() {
+  return [(0, import_path.join)(os2.homedir(), ".nuget", "packages")];
+}
 async function makePatternCheck(patterns) {
   const globber = await makeGlobber(patterns);
   if ((await globber.glob()).length === 0) {
@@ -87300,7 +87303,7 @@ var defaultCacheConfigs = {
     ])
   },
   csharp: {
-    getDependencyPaths: () => [(0, import_path.join)(os2.homedir(), ".nuget", "packages")],
+    getDependencyPaths: getCsharpDependencyDirs,
     getHashPatterns: getCsharpHashPatterns
   },
   go: {
diff --git a/src/dependency-caching.ts b/src/dependency-caching.ts
index 220f1d5bab..e8c31a0761 100644
--- a/src/dependency-caching.ts
+++ b/src/dependency-caching.ts
@@ -66,6 +66,17 @@ export function getJavaDependencyDirs(): string[] {
   ];
 }
 
+/**
+ * Returns an array of paths of directories on the runner that should be included in a dependency cache
+ * for a C# analysis.
+ *
+ * @returns The paths of directories on the runner that should be included in a dependency cache
+ * for a C# analysis.
+ */
+export function getCsharpDependencyDirs(): string[] {
+  return [join(os.homedir(), ".nuget", "packages")];
+}
+
 /**
  * Checks that there are files which match `patterns`. If there are matching files for any of the patterns,
  * this function returns all `patterns`. Otherwise, `undefined` is returned.
@@ -158,7 +169,7 @@ const defaultCacheConfigs: { [language: string]: CacheConfig } = {
       ]),
   },
   csharp: {
-    getDependencyPaths: () => [join(os.homedir(), ".nuget", "packages")],
+    getDependencyPaths: getCsharpDependencyDirs,
     getHashPatterns: getCsharpHashPatterns,
   },
   go: {

From d854ba6ec02875972a6bd990f236c62b8f6f21a2 Mon Sep 17 00:00:00 2001
From: "Michael B. Gale" <mbg@github.com>
Date: Wed, 12 Nov 2025 11:58:22 +0000
Subject: [PATCH 02/31] Pass `FeatureEnablement` to `getDependencyPaths`

---
 lib/analyze-action.js          | 13 ++++++++-----
 lib/init-action.js             |  8 ++++----
 src/dependency-caching.test.ts |  4 ++--
 src/dependency-caching.ts      | 29 ++++++++++++++++++++++-------
 4 files changed, 36 insertions(+), 18 deletions(-)

diff --git a/lib/analyze-action.js b/lib/analyze-action.js
index 72943ee05a..fb9ec0a2e7 100644
--- a/lib/analyze-action.js
+++ b/lib/analyze-action.js
@@ -91059,7 +91059,7 @@ var CODEQL_DEPENDENCY_CACHE_VERSION = 1;
 function getJavaTempDependencyDir() {
   return (0, import_path.join)(getTemporaryDirectory(), "codeql_java", "repository");
 }
-function getJavaDependencyDirs() {
+async function getJavaDependencyDirs() {
   return [
     // Maven
     (0, import_path.join)(os3.homedir(), ".m2", "repository"),
@@ -91069,7 +91069,7 @@ function getJavaDependencyDirs() {
     getJavaTempDependencyDir()
   ];
 }
-function getCsharpDependencyDirs() {
+async function getCsharpDependencyDirs() {
   return [(0, import_path.join)(os3.homedir(), ".nuget", "packages")];
 }
 async function makePatternCheck(patterns) {
@@ -91120,7 +91120,7 @@ var defaultCacheConfigs = {
     getHashPatterns: getCsharpHashPatterns
   },
   go: {
-    getDependencyPaths: () => [(0, import_path.join)(os3.homedir(), "go", "pkg", "mod")],
+    getDependencyPaths: async () => [(0, import_path.join)(os3.homedir(), "go", "pkg", "mod")],
     getHashPatterns: async () => internal.makePatternCheck(["**/go.sum"])
   }
 };
@@ -91159,7 +91159,7 @@ async function uploadDependencyCaches(codeql, features, config, logger) {
       continue;
     }
     const size = await getTotalCacheSize(
-      cacheConfig.getDependencyPaths(),
+      await cacheConfig.getDependencyPaths(codeql, features),
       logger,
       true
     );
@@ -91176,7 +91176,10 @@ async function uploadDependencyCaches(codeql, features, config, logger) {
     );
     try {
       const start = performance.now();
-      await actionsCache3.saveCache(cacheConfig.getDependencyPaths(), key);
+      await actionsCache3.saveCache(
+        await cacheConfig.getDependencyPaths(codeql, features),
+        key
+      );
       const upload_duration_ms = Math.round(performance.now() - start);
       status.push({
         language,
diff --git a/lib/init-action.js b/lib/init-action.js
index 2d361f8f43..d3f0d35c30 100644
--- a/lib/init-action.js
+++ b/lib/init-action.js
@@ -87246,7 +87246,7 @@ var CODEQL_DEPENDENCY_CACHE_VERSION = 1;
 function getJavaTempDependencyDir() {
   return (0, import_path.join)(getTemporaryDirectory(), "codeql_java", "repository");
 }
-function getJavaDependencyDirs() {
+async function getJavaDependencyDirs() {
   return [
     // Maven
     (0, import_path.join)(os2.homedir(), ".m2", "repository"),
@@ -87256,7 +87256,7 @@ function getJavaDependencyDirs() {
     getJavaTempDependencyDir()
   ];
 }
-function getCsharpDependencyDirs() {
+async function getCsharpDependencyDirs() {
   return [(0, import_path.join)(os2.homedir(), ".nuget", "packages")];
 }
 async function makePatternCheck(patterns) {
@@ -87307,7 +87307,7 @@ var defaultCacheConfigs = {
     getHashPatterns: getCsharpHashPatterns
   },
   go: {
-    getDependencyPaths: () => [(0, import_path.join)(os2.homedir(), "go", "pkg", "mod")],
+    getDependencyPaths: async () => [(0, import_path.join)(os2.homedir(), "go", "pkg", "mod")],
     getHashPatterns: async () => internal.makePatternCheck(["**/go.sum"])
   }
 };
@@ -87356,7 +87356,7 @@ async function downloadDependencyCaches(codeql, features, languages, logger) {
     );
     const start = performance.now();
     const hitKey = await actionsCache3.restoreCache(
-      cacheConfig.getDependencyPaths(),
+      await cacheConfig.getDependencyPaths(codeql, features),
       primaryKey,
       restoreKeys
     );
diff --git a/src/dependency-caching.test.ts b/src/dependency-caching.test.ts
index eefb8504cd..416b096776 100644
--- a/src/dependency-caching.test.ts
+++ b/src/dependency-caching.test.ts
@@ -126,7 +126,7 @@ test("checkHashPatterns - logs when no patterns match", async (t) => {
   const features = createFeatures([]);
   const messages: LoggedMessage[] = [];
   const config: CacheConfig = {
-    getDependencyPaths: () => [],
+    getDependencyPaths: async () => [],
     getHashPatterns: async () => undefined,
   };
 
@@ -155,7 +155,7 @@ test("checkHashPatterns - returns patterns when patterns match", async (t) => {
     fs.writeFileSync(path.join(tmpDir, "test.java"), "");
 
     const config: CacheConfig = {
-      getDependencyPaths: () => [],
+      getDependencyPaths: async () => [],
       getHashPatterns: async () => makePatternCheck(patterns),
     };
 
diff --git a/src/dependency-caching.ts b/src/dependency-caching.ts
index e8c31a0761..5ee0504371 100644
--- a/src/dependency-caching.ts
+++ b/src/dependency-caching.ts
@@ -20,7 +20,10 @@ import { getErrorMessage, getRequiredEnvParam } from "./util";
  */
 export interface CacheConfig {
   /** Gets the paths of directories on the runner that should be included in the cache. */
-  getDependencyPaths: () => string[];
+  getDependencyPaths: (
+    codeql: CodeQL,
+    features: FeatureEnablement,
+  ) => Promise<string[]>;
   /**
    * Gets an array of glob patterns for the paths of files whose contents affect which dependencies are used
    * by a project. This function also checks whether there are any matching files and returns
@@ -55,7 +58,7 @@ export function getJavaTempDependencyDir(): string {
  * @returns The paths of directories on the runner that should be included in a dependency cache
  * for a Java analysis.
  */
-export function getJavaDependencyDirs(): string[] {
+export async function getJavaDependencyDirs(): Promise<string[]> {
   return [
     // Maven
     join(os.homedir(), ".m2", "repository"),
@@ -66,6 +69,15 @@ export function getJavaDependencyDirs(): string[] {
   ];
 }
 
+/**
+ * Returns a path to a directory intended to be used to store dependencies
+ * for the C# `build-mode: none` extractor.
+ * @returns The path to the directory that should be used by the `build-mode: none` extractor.
+ */
+export function getCsharpTempDependencyDir(): string {
+  return join(getTemporaryDirectory(), "codeql_csharp", "repository");
+}
+
 /**
  * Returns an array of paths of directories on the runner that should be included in a dependency cache
  * for a C# analysis.
@@ -73,7 +85,7 @@ export function getJavaDependencyDirs(): string[] {
  * @returns The paths of directories on the runner that should be included in a dependency cache
  * for a C# analysis.
  */
-export function getCsharpDependencyDirs(): string[] {
+export async function getCsharpDependencyDirs(): Promise<string[]> {
   return [join(os.homedir(), ".nuget", "packages")];
 }
 
@@ -173,7 +185,7 @@ const defaultCacheConfigs: { [language: string]: CacheConfig } = {
     getHashPatterns: getCsharpHashPatterns,
   },
   go: {
-    getDependencyPaths: () => [join(os.homedir(), "go", "pkg", "mod")],
+    getDependencyPaths: async () => [join(os.homedir(), "go", "pkg", "mod")],
     getHashPatterns: async () => internal.makePatternCheck(["**/go.sum"]),
   },
 };
@@ -291,7 +303,7 @@ export async function downloadDependencyCaches(
 
     const start = performance.now();
     const hitKey = await actionsCache.restoreCache(
-      cacheConfig.getDependencyPaths(),
+      await cacheConfig.getDependencyPaths(codeql, features),
       primaryKey,
       restoreKeys,
     );
@@ -387,7 +399,7 @@ export async function uploadDependencyCaches(
     //   with the dependency caches. For this, we could use the Cache API to check whether other workflows
     //   are using the quota and how full it is.
     const size = await getTotalCacheSize(
-      cacheConfig.getDependencyPaths(),
+      await cacheConfig.getDependencyPaths(codeql, features),
       logger,
       true,
     );
@@ -409,7 +421,10 @@ export async function uploadDependencyCaches(
 
     try {
       const start = performance.now();
-      await actionsCache.saveCache(cacheConfig.getDependencyPaths(), key);
+      await actionsCache.saveCache(
+        await cacheConfig.getDependencyPaths(codeql, features),
+        key,
+      );
       const upload_duration_ms = Math.round(performance.now() - start);
 
       status.push({

From a47d04cf9b3e812f4fe0998e5e6ffd3a91cc88f2 Mon Sep 17 00:00:00 2001
From: "Michael B. Gale" <mbg@github.com>
Date: Wed, 12 Nov 2025 11:59:13 +0000
Subject: [PATCH 03/31] Add FF for extra C# cache contents

---
 lib/analyze-action-post.js        | 5 +++++
 lib/analyze-action.js             | 5 +++++
 lib/autobuild-action.js           | 5 +++++
 lib/init-action-post.js           | 5 +++++
 lib/init-action.js                | 5 +++++
 lib/resolve-environment-action.js | 5 +++++
 lib/setup-codeql-action.js        | 5 +++++
 lib/start-proxy-action-post.js    | 5 +++++
 lib/start-proxy-action.js         | 5 +++++
 lib/upload-lib.js                 | 5 +++++
 lib/upload-sarif-action-post.js   | 5 +++++
 lib/upload-sarif-action.js        | 5 +++++
 src/feature-flags.ts              | 6 ++++++
 13 files changed, 66 insertions(+)

diff --git a/lib/analyze-action-post.js b/lib/analyze-action-post.js
index b30ab9f097..484df244c7 100644
--- a/lib/analyze-action-post.js
+++ b/lib/analyze-action-post.js
@@ -119928,6 +119928,11 @@ var featureConfig = {
     legacyApi: true,
     minimumVersion: "2.15.0"
   },
+  ["csharp_cache_bmn" /* CsharpCacheBuildModeNone */]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_CSHARP_CACHE_BMN",
+    minimumVersion: void 0
+  },
   ["csharp_new_cache_key" /* CsharpNewCacheKey */]: {
     defaultValue: false,
     envVar: "CODEQL_ACTION_CSHARP_NEW_CACHE_KEY",
diff --git a/lib/analyze-action.js b/lib/analyze-action.js
index fb9ec0a2e7..22d01ab285 100644
--- a/lib/analyze-action.js
+++ b/lib/analyze-action.js
@@ -88658,6 +88658,11 @@ var featureConfig = {
     legacyApi: true,
     minimumVersion: "2.15.0"
   },
+  ["csharp_cache_bmn" /* CsharpCacheBuildModeNone */]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_CSHARP_CACHE_BMN",
+    minimumVersion: void 0
+  },
   ["csharp_new_cache_key" /* CsharpNewCacheKey */]: {
     defaultValue: false,
     envVar: "CODEQL_ACTION_CSHARP_NEW_CACHE_KEY",
diff --git a/lib/autobuild-action.js b/lib/autobuild-action.js
index d09fe07d82..48485a850d 100644
--- a/lib/autobuild-action.js
+++ b/lib/autobuild-action.js
@@ -83977,6 +83977,11 @@ var featureConfig = {
     legacyApi: true,
     minimumVersion: "2.15.0"
   },
+  ["csharp_cache_bmn" /* CsharpCacheBuildModeNone */]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_CSHARP_CACHE_BMN",
+    minimumVersion: void 0
+  },
   ["csharp_new_cache_key" /* CsharpNewCacheKey */]: {
     defaultValue: false,
     envVar: "CODEQL_ACTION_CSHARP_NEW_CACHE_KEY",
diff --git a/lib/init-action-post.js b/lib/init-action-post.js
index 1d3c4d5d93..b15b16f377 100644
--- a/lib/init-action-post.js
+++ b/lib/init-action-post.js
@@ -123309,6 +123309,11 @@ var featureConfig = {
     legacyApi: true,
     minimumVersion: "2.15.0"
   },
+  ["csharp_cache_bmn" /* CsharpCacheBuildModeNone */]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_CSHARP_CACHE_BMN",
+    minimumVersion: void 0
+  },
   ["csharp_new_cache_key" /* CsharpNewCacheKey */]: {
     defaultValue: false,
     envVar: "CODEQL_ACTION_CSHARP_NEW_CACHE_KEY",
diff --git a/lib/init-action.js b/lib/init-action.js
index d3f0d35c30..e351b0205b 100644
--- a/lib/init-action.js
+++ b/lib/init-action.js
@@ -86072,6 +86072,11 @@ var featureConfig = {
     legacyApi: true,
     minimumVersion: "2.15.0"
   },
+  ["csharp_cache_bmn" /* CsharpCacheBuildModeNone */]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_CSHARP_CACHE_BMN",
+    minimumVersion: void 0
+  },
   ["csharp_new_cache_key" /* CsharpNewCacheKey */]: {
     defaultValue: false,
     envVar: "CODEQL_ACTION_CSHARP_NEW_CACHE_KEY",
diff --git a/lib/resolve-environment-action.js b/lib/resolve-environment-action.js
index 7918ab61f7..766a59c171 100644
--- a/lib/resolve-environment-action.js
+++ b/lib/resolve-environment-action.js
@@ -83968,6 +83968,11 @@ var featureConfig = {
     legacyApi: true,
     minimumVersion: "2.15.0"
   },
+  ["csharp_cache_bmn" /* CsharpCacheBuildModeNone */]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_CSHARP_CACHE_BMN",
+    minimumVersion: void 0
+  },
   ["csharp_new_cache_key" /* CsharpNewCacheKey */]: {
     defaultValue: false,
     envVar: "CODEQL_ACTION_CSHARP_NEW_CACHE_KEY",
diff --git a/lib/setup-codeql-action.js b/lib/setup-codeql-action.js
index c9e95730bf..f00d601e7d 100644
--- a/lib/setup-codeql-action.js
+++ b/lib/setup-codeql-action.js
@@ -83880,6 +83880,11 @@ var featureConfig = {
     legacyApi: true,
     minimumVersion: "2.15.0"
   },
+  ["csharp_cache_bmn" /* CsharpCacheBuildModeNone */]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_CSHARP_CACHE_BMN",
+    minimumVersion: void 0
+  },
   ["csharp_new_cache_key" /* CsharpNewCacheKey */]: {
     defaultValue: false,
     envVar: "CODEQL_ACTION_CSHARP_NEW_CACHE_KEY",
diff --git a/lib/start-proxy-action-post.js b/lib/start-proxy-action-post.js
index 2386e7c27b..85e0aaeb08 100644
--- a/lib/start-proxy-action-post.js
+++ b/lib/start-proxy-action-post.js
@@ -119334,6 +119334,11 @@ var featureConfig = {
     legacyApi: true,
     minimumVersion: "2.15.0"
   },
+  ["csharp_cache_bmn" /* CsharpCacheBuildModeNone */]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_CSHARP_CACHE_BMN",
+    minimumVersion: void 0
+  },
   ["csharp_new_cache_key" /* CsharpNewCacheKey */]: {
     defaultValue: false,
     envVar: "CODEQL_ACTION_CSHARP_NEW_CACHE_KEY",
diff --git a/lib/start-proxy-action.js b/lib/start-proxy-action.js
index 281341e5aa..5613603cb9 100644
--- a/lib/start-proxy-action.js
+++ b/lib/start-proxy-action.js
@@ -99996,6 +99996,11 @@ var featureConfig = {
     legacyApi: true,
     minimumVersion: "2.15.0"
   },
+  ["csharp_cache_bmn" /* CsharpCacheBuildModeNone */]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_CSHARP_CACHE_BMN",
+    minimumVersion: void 0
+  },
   ["csharp_new_cache_key" /* CsharpNewCacheKey */]: {
     defaultValue: false,
     envVar: "CODEQL_ACTION_CSHARP_NEW_CACHE_KEY",
diff --git a/lib/upload-lib.js b/lib/upload-lib.js
index 2e980ba467..a0d12250c7 100644
--- a/lib/upload-lib.js
+++ b/lib/upload-lib.js
@@ -87034,6 +87034,11 @@ var featureConfig = {
     legacyApi: true,
     minimumVersion: "2.15.0"
   },
+  ["csharp_cache_bmn" /* CsharpCacheBuildModeNone */]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_CSHARP_CACHE_BMN",
+    minimumVersion: void 0
+  },
   ["csharp_new_cache_key" /* CsharpNewCacheKey */]: {
     defaultValue: false,
     envVar: "CODEQL_ACTION_CSHARP_NEW_CACHE_KEY",
diff --git a/lib/upload-sarif-action-post.js b/lib/upload-sarif-action-post.js
index 1d2a3a44b3..1d63547086 100644
--- a/lib/upload-sarif-action-post.js
+++ b/lib/upload-sarif-action-post.js
@@ -119500,6 +119500,11 @@ var featureConfig = {
     legacyApi: true,
     minimumVersion: "2.15.0"
   },
+  ["csharp_cache_bmn" /* CsharpCacheBuildModeNone */]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_CSHARP_CACHE_BMN",
+    minimumVersion: void 0
+  },
   ["csharp_new_cache_key" /* CsharpNewCacheKey */]: {
     defaultValue: false,
     envVar: "CODEQL_ACTION_CSHARP_NEW_CACHE_KEY",
diff --git a/lib/upload-sarif-action.js b/lib/upload-sarif-action.js
index 6fd196c32e..1266953f0c 100644
--- a/lib/upload-sarif-action.js
+++ b/lib/upload-sarif-action.js
@@ -86830,6 +86830,11 @@ var featureConfig = {
     legacyApi: true,
     minimumVersion: "2.15.0"
   },
+  ["csharp_cache_bmn" /* CsharpCacheBuildModeNone */]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_CSHARP_CACHE_BMN",
+    minimumVersion: void 0
+  },
   ["csharp_new_cache_key" /* CsharpNewCacheKey */]: {
     defaultValue: false,
     envVar: "CODEQL_ACTION_CSHARP_NEW_CACHE_KEY",
diff --git a/src/feature-flags.ts b/src/feature-flags.ts
index 1334969795..27a3c0f4f7 100644
--- a/src/feature-flags.ts
+++ b/src/feature-flags.ts
@@ -47,6 +47,7 @@ export enum Feature {
   AnalyzeUseNewUpload = "analyze_use_new_upload",
   CleanupTrapCaches = "cleanup_trap_caches",
   CppDependencyInstallation = "cpp_dependency_installation_enabled",
+  CsharpCacheBuildModeNone = "csharp_cache_bmn",
   CsharpNewCacheKey = "csharp_new_cache_key",
   DiffInformedQueries = "diff_informed_queries",
   DisableCsharpBuildless = "disable_csharp_buildless",
@@ -133,6 +134,11 @@ export const featureConfig: Record<
     legacyApi: true,
     minimumVersion: "2.15.0",
   },
+  [Feature.CsharpCacheBuildModeNone]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_CSHARP_CACHE_BMN",
+    minimumVersion: undefined,
+  },
   [Feature.CsharpNewCacheKey]: {
     defaultValue: false,
     envVar: "CODEQL_ACTION_CSHARP_NEW_CACHE_KEY",

From ecaa6db95a8f53d47a403cf9d16a96daa295f5ff Mon Sep 17 00:00:00 2001
From: "Michael B. Gale" <mbg@github.com>
Date: Thu, 13 Nov 2025 13:40:36 +0000
Subject: [PATCH 04/31] Include `getCsharpTempDependencyDir` in C# caches if FF
 is enabled

---
 lib/analyze-action.js          | 15 +++++++++--
 lib/init-action.js             | 15 +++++++++--
 src/dependency-caching.test.ts | 49 ++++++++++++++++++++++++++++++++++
 src/dependency-caching.ts      | 17 ++++++++++--
 4 files changed, 90 insertions(+), 6 deletions(-)

diff --git a/lib/analyze-action.js b/lib/analyze-action.js
index 22d01ab285..6b0e6b92f6 100644
--- a/lib/analyze-action.js
+++ b/lib/analyze-action.js
@@ -91074,8 +91074,18 @@ async function getJavaDependencyDirs() {
     getJavaTempDependencyDir()
   ];
 }
-async function getCsharpDependencyDirs() {
-  return [(0, import_path.join)(os3.homedir(), ".nuget", "packages")];
+function getCsharpTempDependencyDir() {
+  return (0, import_path.join)(getTemporaryDirectory(), "codeql_csharp", "repository");
+}
+async function getCsharpDependencyDirs(codeql, features) {
+  const dirs = [
+    // Nuget
+    (0, import_path.join)(os3.homedir(), ".nuget", "packages")
+  ];
+  if (await features.getValue("csharp_cache_bmn" /* CsharpCacheBuildModeNone */, codeql)) {
+    dirs.push(getCsharpTempDependencyDir());
+  }
+  return dirs;
 }
 async function makePatternCheck(patterns) {
   const globber = await makeGlobber(patterns);
@@ -91227,6 +91237,7 @@ async function getFeaturePrefix(codeql, features, language) {
     }
   } else if (language === "csharp" /* csharp */) {
     await addFeatureIfEnabled("csharp_new_cache_key" /* CsharpNewCacheKey */);
+    await addFeatureIfEnabled("csharp_cache_bmn" /* CsharpCacheBuildModeNone */);
   }
   if (enabledFeatures.length > 0) {
     return `${createCacheKeyHash(enabledFeatures)}-`;
diff --git a/lib/init-action.js b/lib/init-action.js
index e351b0205b..8d63c95de0 100644
--- a/lib/init-action.js
+++ b/lib/init-action.js
@@ -87261,8 +87261,18 @@ async function getJavaDependencyDirs() {
     getJavaTempDependencyDir()
   ];
 }
-async function getCsharpDependencyDirs() {
-  return [(0, import_path.join)(os2.homedir(), ".nuget", "packages")];
+function getCsharpTempDependencyDir() {
+  return (0, import_path.join)(getTemporaryDirectory(), "codeql_csharp", "repository");
+}
+async function getCsharpDependencyDirs(codeql, features) {
+  const dirs = [
+    // Nuget
+    (0, import_path.join)(os2.homedir(), ".nuget", "packages")
+  ];
+  if (await features.getValue("csharp_cache_bmn" /* CsharpCacheBuildModeNone */, codeql)) {
+    dirs.push(getCsharpTempDependencyDir());
+  }
+  return dirs;
 }
 async function makePatternCheck(patterns) {
   const globber = await makeGlobber(patterns);
@@ -87398,6 +87408,7 @@ async function getFeaturePrefix(codeql, features, language) {
     }
   } else if (language === "csharp" /* csharp */) {
     await addFeatureIfEnabled("csharp_new_cache_key" /* CsharpNewCacheKey */);
+    await addFeatureIfEnabled("csharp_cache_bmn" /* CsharpCacheBuildModeNone */);
   }
   if (enabledFeatures.length > 0) {
     return `${createCacheKeyHash(enabledFeatures)}-`;
diff --git a/src/dependency-caching.test.ts b/src/dependency-caching.test.ts
index 416b096776..bf2f7ba74d 100644
--- a/src/dependency-caching.test.ts
+++ b/src/dependency-caching.test.ts
@@ -20,6 +20,8 @@ import {
   downloadDependencyCaches,
   CacheHitKind,
   cacheKey,
+  getCsharpDependencyDirs,
+  getCsharpTempDependencyDir,
 } from "./dependency-caching";
 import { Feature } from "./feature-flags";
 import { KnownLanguage } from "./languages";
@@ -38,6 +40,28 @@ function makeAbsolutePatterns(tmpDir: string, patterns: string[]): string[] {
   return patterns.map((pattern) => path.join(tmpDir, pattern));
 }
 
+test("getCsharpDependencyDirs - does not include BMN dir if FF is enabled", async (t) => {
+  await withTmpDir(async (tmpDir) => {
+    process.env["RUNNER_TEMP"] = tmpDir;
+    const codeql = createStubCodeQL({});
+    const features = createFeatures([]);
+
+    const results = await getCsharpDependencyDirs(codeql, features);
+    t.false(results.includes(getCsharpTempDependencyDir()));
+  });
+});
+
+test("getCsharpDependencyDirs - includes BMN dir if FF is enabled", async (t) => {
+  await withTmpDir(async (tmpDir) => {
+    process.env["RUNNER_TEMP"] = tmpDir;
+    const codeql = createStubCodeQL({});
+    const features = createFeatures([Feature.CsharpCacheBuildModeNone]);
+
+    const results = await getCsharpDependencyDirs(codeql, features);
+    t.assert(results.includes(getCsharpTempDependencyDir()));
+  });
+});
+
 test("makePatternCheck - returns undefined if no patterns match", async (t) => {
   await withTmpDir(async (tmpDir) => {
     fs.writeFileSync(path.join(tmpDir, "test.java"), "");
@@ -387,3 +411,28 @@ test("getFeaturePrefix - non-C# - returns '' if CsharpNewCacheKey is enabled", a
     t.deepEqual(result, "", `Expected no feature prefix for ${knownLanguage}`);
   }
 });
+
+test("getFeaturePrefix - C# - returns prefix if CsharpCacheBuildModeNone is enabled", async (t) => {
+  const codeql = createStubCodeQL({});
+  const features = createFeatures([Feature.CsharpCacheBuildModeNone]);
+
+  const result = await getFeaturePrefix(codeql, features, KnownLanguage.csharp);
+  t.notDeepEqual(result, "");
+  t.assert(result.endsWith("-"));
+  // Check the length of the prefix, which should correspond to `cacheKeyHashLength` + 1 for the trailing `-`.
+  t.is(result.length, cacheKeyHashLength + 1);
+});
+
+test("getFeaturePrefix - non-C# - returns '' if CsharpCacheBuildModeNone is enabled", async (t) => {
+  const codeql = createStubCodeQL({});
+  const features = createFeatures([Feature.CsharpCacheBuildModeNone]);
+
+  for (const knownLanguage of Object.values(KnownLanguage)) {
+    // Skip C# since we expect a result for it, which is tested in the previous test.
+    if (knownLanguage === KnownLanguage.csharp) {
+      continue;
+    }
+    const result = await getFeaturePrefix(codeql, features, knownLanguage);
+    t.deepEqual(result, "", `Expected no feature prefix for ${knownLanguage}`);
+  }
+});
diff --git a/src/dependency-caching.ts b/src/dependency-caching.ts
index 5ee0504371..bd39bad751 100644
--- a/src/dependency-caching.ts
+++ b/src/dependency-caching.ts
@@ -85,8 +85,20 @@ export function getCsharpTempDependencyDir(): string {
  * @returns The paths of directories on the runner that should be included in a dependency cache
  * for a C# analysis.
  */
-export async function getCsharpDependencyDirs(): Promise<string[]> {
-  return [join(os.homedir(), ".nuget", "packages")];
+export async function getCsharpDependencyDirs(
+  codeql: CodeQL,
+  features: FeatureEnablement,
+): Promise<string[]> {
+  const dirs = [
+    // Nuget
+    join(os.homedir(), ".nuget", "packages"),
+  ];
+
+  if (await features.getValue(Feature.CsharpCacheBuildModeNone, codeql)) {
+    dirs.push(getCsharpTempDependencyDir());
+  }
+
+  return dirs;
 }
 
 /**
@@ -512,6 +524,7 @@ export async function getFeaturePrefix(
     }
   } else if (language === KnownLanguage.csharp) {
     await addFeatureIfEnabled(Feature.CsharpNewCacheKey);
+    await addFeatureIfEnabled(Feature.CsharpCacheBuildModeNone);
   }
 
   // If any features that affect the cache are enabled, return a feature prefix by

From f5f9571d6184d3cf1e2477d1dfc61c7ce88cdf4b Mon Sep 17 00:00:00 2001
From: "Michael B. Gale" <mbg@github.com>
Date: Thu, 13 Nov 2025 14:03:44 +0000
Subject: [PATCH 05/31] Configure temp dependency dir for C# extractor when FF
 is enabled

And also clean it up.
---
 lib/analyze-action-post.js       | 24 ++++++++++++++++--------
 lib/analyze-action.js            | 13 +++++++++----
 src/analyze-action-env.test.ts   | 21 +++++++++++++++------
 src/analyze-action-input.test.ts | 21 +++++++++++++++------
 src/analyze-action-post.ts       | 28 ++++++++++++++++++----------
 src/analyze-action.ts            |  1 +
 src/analyze.ts                   | 22 +++++++++++++++++++---
 7 files changed, 93 insertions(+), 37 deletions(-)

diff --git a/lib/analyze-action-post.js b/lib/analyze-action-post.js
index 484df244c7..323549b8b1 100644
--- a/lib/analyze-action-post.js
+++ b/lib/analyze-action-post.js
@@ -120768,6 +120768,9 @@ var glob = __toESM(require_glob3());
 function getJavaTempDependencyDir() {
   return (0, import_path.join)(getTemporaryDirectory(), "codeql_java", "repository");
 }
+function getCsharpTempDependencyDir() {
+  return (0, import_path.join)(getTemporaryDirectory(), "codeql_csharp", "repository");
+}
 
 // src/debug-artifacts.ts
 function sanitizeArtifactName(name) {
@@ -120888,14 +120891,19 @@ async function runWrapper() {
         );
       }
     }
-    const javaTempDependencyDir = getJavaTempDependencyDir();
-    if (fs6.existsSync(javaTempDependencyDir)) {
-      try {
-        fs6.rmSync(javaTempDependencyDir, { recursive: true });
-      } catch (error4) {
-        logger.info(
-          `Failed to remove temporary Java dependencies directory: ${getErrorMessage(error4)}`
-        );
+    const tempDependencyDirs = [
+      getJavaTempDependencyDir(),
+      getCsharpTempDependencyDir()
+    ];
+    for (const tempDependencyDir of tempDependencyDirs) {
+      if (fs6.existsSync(tempDependencyDir)) {
+        try {
+          fs6.rmSync(tempDependencyDir, { recursive: true });
+        } catch (error4) {
+          logger.info(
+            `Failed to remove temporary dependencies directory: ${getErrorMessage(error4)}`
+          );
+        }
       }
     }
   } catch (error4) {
diff --git a/lib/analyze-action.js b/lib/analyze-action.js
index 6b0e6b92f6..e5e897ca38 100644
--- a/lib/analyze-action.js
+++ b/lib/analyze-action.js
@@ -91327,7 +91327,7 @@ async function setupPythonExtractor(logger) {
   );
   return;
 }
-async function runExtraction(codeql, config, logger) {
+async function runExtraction(codeql, features, config, logger) {
   for (const language of config.languages) {
     if (dbIsFinalized(config, language, logger)) {
       logger.debug(
@@ -91347,6 +91347,9 @@ async function runExtraction(codeql, config, logger) {
         if (language === "java" /* java */ && config.buildMode === "none" /* None */) {
           process.env["CODEQL_EXTRACTOR_JAVA_OPTION_BUILDLESS_DEPENDENCY_DIR"] = getJavaTempDependencyDir();
         }
+        if (language === "csharp" /* csharp */ && config.buildMode === "none" /* None */ && await features.getValue("csharp_cache_bmn" /* CsharpCacheBuildModeNone */)) {
+          process.env["CODEQL_EXTRACTOR_CSHARP_OPTION_BUILDLESS_DEPENDENCY_DIR"] = getCsharpTempDependencyDir();
+        }
         await codeql.extractUsingBuildMode(config, language);
       } else {
         await codeql.extractScannedLanguage(config, language);
@@ -91372,9 +91375,9 @@ function dbIsFinalized(config, language, logger) {
     return false;
   }
 }
-async function finalizeDatabaseCreation(codeql, config, threadsFlag, memoryFlag, logger) {
+async function finalizeDatabaseCreation(codeql, features, config, threadsFlag, memoryFlag, logger) {
   const extractionStart = import_perf_hooks2.performance.now();
-  await runExtraction(codeql, config, logger);
+  await runExtraction(codeql, features, config, logger);
   const extractionTime = import_perf_hooks2.performance.now() - extractionStart;
   const trapImportStart = import_perf_hooks2.performance.now();
   for (const language of config.languages) {
@@ -91629,7 +91632,7 @@ async function runQueries(sarifFolder, memoryFlag, threadsFlag, diffRangePackDir
     return perQueryAlertCounts;
   }
 }
-async function runFinalize(outputDir, threadsFlag, memoryFlag, codeql, config, logger) {
+async function runFinalize(features, outputDir, threadsFlag, memoryFlag, codeql, config, logger) {
   try {
     await fs12.promises.rm(outputDir, { force: true, recursive: true });
   } catch (error4) {
@@ -91640,6 +91643,7 @@ async function runFinalize(outputDir, threadsFlag, memoryFlag, codeql, config, l
   await fs12.promises.mkdir(outputDir, { recursive: true });
   const timings = await finalizeDatabaseCreation(
     codeql,
+    features,
     config,
     threadsFlag,
     memoryFlag,
@@ -93974,6 +93978,7 @@ async function run() {
     await warnIfGoInstalledAfterInit(config, logger);
     await runAutobuildIfLegacyGoWorkflow(config, logger);
     dbCreationTimings = await runFinalize(
+      features,
       outputDir,
       threads,
       memory,
diff --git a/src/analyze-action-env.test.ts b/src/analyze-action-env.test.ts
index e4960a5803..aecbae4b02 100644
--- a/src/analyze-action-env.test.ts
+++ b/src/analyze-action-env.test.ts
@@ -74,11 +74,20 @@ test("analyze action with RAM & threads from environment variables", async (t) =
     // wait for the action promise to complete before starting verification.
     await analyzeAction.runPromise;
 
-    t.assert(runFinalizeStub.calledOnce);
-    t.deepEqual(runFinalizeStub.firstCall.args[1], "--threads=-1");
-    t.deepEqual(runFinalizeStub.firstCall.args[2], "--ram=4992");
-    t.assert(runQueriesStub.calledOnce);
-    t.deepEqual(runQueriesStub.firstCall.args[2], "--threads=-1");
-    t.deepEqual(runQueriesStub.firstCall.args[1], "--ram=4992");
+    t.assert(
+      runFinalizeStub.calledOnceWith(
+        sinon.match.any,
+        sinon.match.any,
+        "--threads=-1",
+        "--ram=4992",
+      ),
+    );
+    t.assert(
+      runQueriesStub.calledOnceWith(
+        sinon.match.any,
+        "--ram=4992",
+        "--threads=-1",
+      ),
+    );
   });
 });
diff --git a/src/analyze-action-input.test.ts b/src/analyze-action-input.test.ts
index 48fa216ebf..74c03923da 100644
--- a/src/analyze-action-input.test.ts
+++ b/src/analyze-action-input.test.ts
@@ -72,11 +72,20 @@ test("analyze action with RAM & threads from action inputs", async (t) => {
     // wait for the action promise to complete before starting verification.
     await analyzeAction.runPromise;
 
-    t.assert(runFinalizeStub.calledOnce);
-    t.deepEqual(runFinalizeStub.firstCall.args[1], "--threads=-1");
-    t.deepEqual(runFinalizeStub.firstCall.args[2], "--ram=3012");
-    t.assert(runQueriesStub.calledOnce);
-    t.deepEqual(runQueriesStub.firstCall.args[2], "--threads=-1");
-    t.deepEqual(runQueriesStub.firstCall.args[1], "--ram=3012");
+    t.assert(
+      runFinalizeStub.calledOnceWith(
+        sinon.match.any,
+        sinon.match.any,
+        "--threads=-1",
+        "--ram=3012",
+      ),
+    );
+    t.assert(
+      runQueriesStub.calledOnceWith(
+        sinon.match.any,
+        "--ram=3012",
+        "--threads=-1",
+      ),
+    );
   });
 });
diff --git a/src/analyze-action-post.ts b/src/analyze-action-post.ts
index 1f91b4f0fd..ce8ddd31bb 100644
--- a/src/analyze-action-post.ts
+++ b/src/analyze-action-post.ts
@@ -12,7 +12,10 @@ import { getGitHubVersion } from "./api-client";
 import { getCodeQL } from "./codeql";
 import { getConfig } from "./config-utils";
 import * as debugArtifacts from "./debug-artifacts";
-import { getJavaTempDependencyDir } from "./dependency-caching";
+import {
+  getCsharpTempDependencyDir,
+  getJavaTempDependencyDir,
+} from "./dependency-caching";
 import { EnvVar } from "./environment";
 import { getActionsLogger } from "./logging";
 import { checkGitHubVersionInRange, getErrorMessage } from "./util";
@@ -42,17 +45,22 @@ async function runWrapper() {
       }
     }
 
-    // If we analysed Java in build-mode: none, we may have downloaded dependencies
+    // If we analysed Java or C# in build-mode: none, we may have downloaded dependencies
     // to the temp directory. Clean these up so they don't persist unnecessarily
     // long on self-hosted runners.
-    const javaTempDependencyDir = getJavaTempDependencyDir();
-    if (fs.existsSync(javaTempDependencyDir)) {
-      try {
-        fs.rmSync(javaTempDependencyDir, { recursive: true });
-      } catch (error) {
-        logger.info(
-          `Failed to remove temporary Java dependencies directory: ${getErrorMessage(error)}`,
-        );
+    const tempDependencyDirs = [
+      getJavaTempDependencyDir(),
+      getCsharpTempDependencyDir(),
+    ];
+    for (const tempDependencyDir of tempDependencyDirs) {
+      if (fs.existsSync(tempDependencyDir)) {
+        try {
+          fs.rmSync(tempDependencyDir, { recursive: true });
+        } catch (error) {
+          logger.info(
+            `Failed to remove temporary dependencies directory: ${getErrorMessage(error)}`,
+          );
+        }
       }
     }
   } catch (error) {
diff --git a/src/analyze-action.ts b/src/analyze-action.ts
index 3ab1dd1321..0349c13c30 100644
--- a/src/analyze-action.ts
+++ b/src/analyze-action.ts
@@ -315,6 +315,7 @@ async function run() {
     await runAutobuildIfLegacyGoWorkflow(config, logger);
 
     dbCreationTimings = await runFinalize(
+      features,
       outputDir,
       threads,
       memory,
diff --git a/src/analyze.ts b/src/analyze.ts
index cd82ad61b1..dc631ba98f 100644
--- a/src/analyze.ts
+++ b/src/analyze.ts
@@ -10,7 +10,10 @@ import * as analyses from "./analyses";
 import { setupCppAutobuild } from "./autobuild";
 import { type CodeQL } from "./codeql";
 import * as configUtils from "./config-utils";
-import { getJavaTempDependencyDir } from "./dependency-caching";
+import {
+  getCsharpTempDependencyDir,
+  getJavaTempDependencyDir,
+} from "./dependency-caching";
 import { addDiagnostic, makeDiagnostic } from "./diagnostics";
 import {
   DiffThunkRange,
@@ -98,6 +101,7 @@ async function setupPythonExtractor(logger: Logger) {
 
 export async function runExtraction(
   codeql: CodeQL,
+  features: FeatureEnablement,
   config: configUtils.Config,
   logger: Logger,
 ) {
@@ -122,7 +126,7 @@ export async function runExtraction(
           await setupCppAutobuild(codeql, logger);
         }
 
-        // The Java `build-mode: none` extractor places dependencies (.jar files) in the
+        // The Java and C# `build-mode: none` extractors place dependencies in the
         // database scratch directory by default. For dependency caching purposes, we want
         // a stable path that caches can be restored into and that we can cache at the
         // end of the workflow (i.e. that does not get removed when the scratch directory is).
@@ -133,6 +137,15 @@ export async function runExtraction(
           process.env["CODEQL_EXTRACTOR_JAVA_OPTION_BUILDLESS_DEPENDENCY_DIR"] =
             getJavaTempDependencyDir();
         }
+        if (
+          language === KnownLanguage.csharp &&
+          config.buildMode === BuildMode.None &&
+          (await features.getValue(Feature.CsharpCacheBuildModeNone))
+        ) {
+          process.env[
+            "CODEQL_EXTRACTOR_CSHARP_OPTION_BUILDLESS_DEPENDENCY_DIR"
+          ] = getCsharpTempDependencyDir();
+        }
 
         await codeql.extractUsingBuildMode(config, language);
       } else {
@@ -177,13 +190,14 @@ export function dbIsFinalized(
 
 async function finalizeDatabaseCreation(
   codeql: CodeQL,
+  features: FeatureEnablement,
   config: configUtils.Config,
   threadsFlag: string,
   memoryFlag: string,
   logger: Logger,
 ): Promise<DatabaseCreationTimings> {
   const extractionStart = performance.now();
-  await runExtraction(codeql, config, logger);
+  await runExtraction(codeql, features, config, logger);
   const extractionTime = performance.now() - extractionStart;
 
   const trapImportStart = performance.now();
@@ -597,6 +611,7 @@ export async function runQueries(
 }
 
 export async function runFinalize(
+  features: FeatureEnablement,
   outputDir: string,
   threadsFlag: string,
   memoryFlag: string,
@@ -615,6 +630,7 @@ export async function runFinalize(
 
   const timings = await finalizeDatabaseCreation(
     codeql,
+    features,
     config,
     threadsFlag,
     memoryFlag,

From 29e11fdce1ae617d40492467e777f61f2d9fc0c0 Mon Sep 17 00:00:00 2001
From: "github-actions[bot]"
 <41898282+github-actions[bot]@users.noreply.github.com>
Date: Mon, 24 Nov 2025 09:31:18 +0000
Subject: [PATCH 06/31] Update changelog and version after v4.31.5

---
 CHANGELOG.md      | 4 ++++
 package-lock.json | 4 ++--
 package.json      | 2 +-
 3 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 762aa1db86..1359cdfd9c 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,10 @@
 
 See the [releases page](https://github.com/github/codeql-action/releases) for the relevant changes to the CodeQL CLI and language packs.
 
+## [UNRELEASED]
+
+No user facing changes.
+
 ## 4.31.5 - 24 Nov 2025
 
 - Update default CodeQL bundle version to 2.23.6. [#3321](https://github.com/github/codeql-action/pull/3321)
diff --git a/package-lock.json b/package-lock.json
index 3ee4a5b89f..4c6ca8624d 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -1,12 +1,12 @@
 {
   "name": "codeql",
-  "version": "4.31.5",
+  "version": "4.31.6",
   "lockfileVersion": 3,
   "requires": true,
   "packages": {
     "": {
       "name": "codeql",
-      "version": "4.31.5",
+      "version": "4.31.6",
       "license": "MIT",
       "dependencies": {
         "@actions/artifact": "^4.0.0",
diff --git a/package.json b/package.json
index 61317b90ac..22d5817761 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "codeql",
-  "version": "4.31.5",
+  "version": "4.31.6",
   "private": true,
   "description": "CodeQL action",
   "scripts": {

From 478350182f3269d74025e346d386b05203bda49f Mon Sep 17 00:00:00 2001
From: "github-actions[bot]"
 <41898282+github-actions[bot]@users.noreply.github.com>
Date: Mon, 24 Nov 2025 10:55:14 +0000
Subject: [PATCH 07/31] Rebuild

---
 lib/analyze-action-post.js        | 2 +-
 lib/analyze-action.js             | 2 +-
 lib/autobuild-action.js           | 2 +-
 lib/init-action-post.js           | 2 +-
 lib/init-action.js                | 2 +-
 lib/resolve-environment-action.js | 2 +-
 lib/setup-codeql-action.js        | 2 +-
 lib/start-proxy-action-post.js    | 2 +-
 lib/start-proxy-action.js         | 2 +-
 lib/upload-lib.js                 | 2 +-
 lib/upload-sarif-action-post.js   | 2 +-
 lib/upload-sarif-action.js        | 2 +-
 12 files changed, 12 insertions(+), 12 deletions(-)

diff --git a/lib/analyze-action-post.js b/lib/analyze-action-post.js
index 13589f4965..37725d00bf 100644
--- a/lib/analyze-action-post.js
+++ b/lib/analyze-action-post.js
@@ -27627,7 +27627,7 @@ var require_package = __commonJS({
   "package.json"(exports2, module2) {
     module2.exports = {
       name: "codeql",
-      version: "4.31.5",
+      version: "4.31.6",
       private: true,
       description: "CodeQL action",
       scripts: {
diff --git a/lib/analyze-action.js b/lib/analyze-action.js
index 6f1a1bf428..8206afce01 100644
--- a/lib/analyze-action.js
+++ b/lib/analyze-action.js
@@ -27627,7 +27627,7 @@ var require_package = __commonJS({
   "package.json"(exports2, module2) {
     module2.exports = {
       name: "codeql",
-      version: "4.31.5",
+      version: "4.31.6",
       private: true,
       description: "CodeQL action",
       scripts: {
diff --git a/lib/autobuild-action.js b/lib/autobuild-action.js
index 9a7251809f..d4b7fc1f6d 100644
--- a/lib/autobuild-action.js
+++ b/lib/autobuild-action.js
@@ -27627,7 +27627,7 @@ var require_package = __commonJS({
   "package.json"(exports2, module2) {
     module2.exports = {
       name: "codeql",
-      version: "4.31.5",
+      version: "4.31.6",
       private: true,
       description: "CodeQL action",
       scripts: {
diff --git a/lib/init-action-post.js b/lib/init-action-post.js
index 89948b8a14..62e78df8a5 100644
--- a/lib/init-action-post.js
+++ b/lib/init-action-post.js
@@ -27627,7 +27627,7 @@ var require_package = __commonJS({
   "package.json"(exports2, module2) {
     module2.exports = {
       name: "codeql",
-      version: "4.31.5",
+      version: "4.31.6",
       private: true,
       description: "CodeQL action",
       scripts: {
diff --git a/lib/init-action.js b/lib/init-action.js
index f8407c208d..185510e02e 100644
--- a/lib/init-action.js
+++ b/lib/init-action.js
@@ -27627,7 +27627,7 @@ var require_package = __commonJS({
   "package.json"(exports2, module2) {
     module2.exports = {
       name: "codeql",
-      version: "4.31.5",
+      version: "4.31.6",
       private: true,
       description: "CodeQL action",
       scripts: {
diff --git a/lib/resolve-environment-action.js b/lib/resolve-environment-action.js
index 48ebce48f2..cd65a4bf1c 100644
--- a/lib/resolve-environment-action.js
+++ b/lib/resolve-environment-action.js
@@ -27627,7 +27627,7 @@ var require_package = __commonJS({
   "package.json"(exports2, module2) {
     module2.exports = {
       name: "codeql",
-      version: "4.31.5",
+      version: "4.31.6",
       private: true,
       description: "CodeQL action",
       scripts: {
diff --git a/lib/setup-codeql-action.js b/lib/setup-codeql-action.js
index f1182b65c7..780d2cc6de 100644
--- a/lib/setup-codeql-action.js
+++ b/lib/setup-codeql-action.js
@@ -27627,7 +27627,7 @@ var require_package = __commonJS({
   "package.json"(exports2, module2) {
     module2.exports = {
       name: "codeql",
-      version: "4.31.5",
+      version: "4.31.6",
       private: true,
       description: "CodeQL action",
       scripts: {
diff --git a/lib/start-proxy-action-post.js b/lib/start-proxy-action-post.js
index cdac66bef0..c78e8262a6 100644
--- a/lib/start-proxy-action-post.js
+++ b/lib/start-proxy-action-post.js
@@ -27627,7 +27627,7 @@ var require_package = __commonJS({
   "package.json"(exports2, module2) {
     module2.exports = {
       name: "codeql",
-      version: "4.31.5",
+      version: "4.31.6",
       private: true,
       description: "CodeQL action",
       scripts: {
diff --git a/lib/start-proxy-action.js b/lib/start-proxy-action.js
index 3c2490783a..f0d7eb5716 100644
--- a/lib/start-proxy-action.js
+++ b/lib/start-proxy-action.js
@@ -47285,7 +47285,7 @@ var require_package = __commonJS({
   "package.json"(exports2, module2) {
     module2.exports = {
       name: "codeql",
-      version: "4.31.5",
+      version: "4.31.6",
       private: true,
       description: "CodeQL action",
       scripts: {
diff --git a/lib/upload-lib.js b/lib/upload-lib.js
index 53eaa204e3..de44834ac9 100644
--- a/lib/upload-lib.js
+++ b/lib/upload-lib.js
@@ -28924,7 +28924,7 @@ var require_package = __commonJS({
   "package.json"(exports2, module2) {
     module2.exports = {
       name: "codeql",
-      version: "4.31.5",
+      version: "4.31.6",
       private: true,
       description: "CodeQL action",
       scripts: {
diff --git a/lib/upload-sarif-action-post.js b/lib/upload-sarif-action-post.js
index 87ef62a45d..f95b705faf 100644
--- a/lib/upload-sarif-action-post.js
+++ b/lib/upload-sarif-action-post.js
@@ -27627,7 +27627,7 @@ var require_package = __commonJS({
   "package.json"(exports2, module2) {
     module2.exports = {
       name: "codeql",
-      version: "4.31.5",
+      version: "4.31.6",
       private: true,
       description: "CodeQL action",
       scripts: {
diff --git a/lib/upload-sarif-action.js b/lib/upload-sarif-action.js
index 574910f02f..f8ea28a2d0 100644
--- a/lib/upload-sarif-action.js
+++ b/lib/upload-sarif-action.js
@@ -27627,7 +27627,7 @@ var require_package = __commonJS({
   "package.json"(exports2, module2) {
     module2.exports = {
       name: "codeql",
-      version: "4.31.5",
+      version: "4.31.6",
       private: true,
       description: "CodeQL action",
       scripts: {

From e2a623d7cf16cc85bed615db241f461708b7d496 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 24 Nov 2025 17:36:24 +0000
Subject: [PATCH 08/31] Bump the npm-minor group with 3 updates

Bumps the npm-minor group with 3 updates: [@typescript-eslint/eslint-plugin](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/eslint-plugin), [@typescript-eslint/parser](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/parser) and [eslint-plugin-jsdoc](https://github.com/gajus/eslint-plugin-jsdoc).


Updates `@typescript-eslint/eslint-plugin` from 8.46.4 to 8.48.0
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/eslint-plugin/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v8.48.0/packages/eslint-plugin)

Updates `@typescript-eslint/parser` from 8.46.4 to 8.48.0
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/parser/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v8.48.0/packages/parser)

Updates `eslint-plugin-jsdoc` from 61.2.1 to 61.4.1
- [Release notes](https://github.com/gajus/eslint-plugin-jsdoc/releases)
- [Changelog](https://github.com/gajus/eslint-plugin-jsdoc/blob/main/.releaserc)
- [Commits](https://github.com/gajus/eslint-plugin-jsdoc/compare/v61.2.1...v61.4.1)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/eslint-plugin"
  dependency-version: 8.48.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: npm-minor
- dependency-name: "@typescript-eslint/parser"
  dependency-version: 8.48.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: npm-minor
- dependency-name: eslint-plugin-jsdoc
  dependency-version: 61.4.1
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: npm-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
---
 package-lock.json | 246 +++++++++++++++++++++++-----------------------
 package.json      |   4 +-
 2 files changed, 125 insertions(+), 125 deletions(-)

diff --git a/package-lock.json b/package-lock.json
index 4c6ca8624d..0b3ab5312a 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -46,7 +46,7 @@
         "@types/node-forge": "^1.3.14",
         "@types/semver": "^7.7.1",
         "@types/sinon": "^21.0.0",
-        "@typescript-eslint/eslint-plugin": "^8.46.4",
+        "@typescript-eslint/eslint-plugin": "^8.48.0",
         "@typescript-eslint/parser": "^8.41.0",
         "ava": "^6.4.1",
         "esbuild": "^0.27.0",
@@ -55,7 +55,7 @@
         "eslint-plugin-filenames": "^1.3.2",
         "eslint-plugin-github": "^5.1.8",
         "eslint-plugin-import": "2.29.1",
-        "eslint-plugin-jsdoc": "^61.2.1",
+        "eslint-plugin-jsdoc": "^61.4.1",
         "eslint-plugin-no-async-foreach": "^0.1.1",
         "glob": "^11.1.0",
         "nock": "^14.0.10",
@@ -2369,17 +2369,17 @@
       }
     },
     "node_modules/@typescript-eslint/eslint-plugin": {
-      "version": "8.46.4",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/eslint-plugin/-/eslint-plugin-8.46.4.tgz",
-      "integrity": "sha512-R48VhmTJqplNyDxCyqqVkFSZIx1qX6PzwqgcXn1olLrzxcSBDlOsbtcnQuQhNtnNiJ4Xe5gREI1foajYaYU2Vg==",
+      "version": "8.48.0",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/eslint-plugin/-/eslint-plugin-8.48.0.tgz",
+      "integrity": "sha512-XxXP5tL1txl13YFtrECECQYeZjBZad4fyd3cFV4a19LkAY/bIp9fev3US4S5fDVV2JaYFiKAZ/GRTOLer+mbyQ==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
         "@eslint-community/regexpp": "^4.10.0",
-        "@typescript-eslint/scope-manager": "8.46.4",
-        "@typescript-eslint/type-utils": "8.46.4",
-        "@typescript-eslint/utils": "8.46.4",
-        "@typescript-eslint/visitor-keys": "8.46.4",
+        "@typescript-eslint/scope-manager": "8.48.0",
+        "@typescript-eslint/type-utils": "8.48.0",
+        "@typescript-eslint/utils": "8.48.0",
+        "@typescript-eslint/visitor-keys": "8.48.0",
         "graphemer": "^1.4.0",
         "ignore": "^7.0.0",
         "natural-compare": "^1.4.0",
@@ -2393,20 +2393,20 @@
         "url": "https://opencollective.com/typescript-eslint"
       },
       "peerDependencies": {
-        "@typescript-eslint/parser": "^8.46.4",
+        "@typescript-eslint/parser": "^8.48.0",
         "eslint": "^8.57.0 || ^9.0.0",
         "typescript": ">=4.8.4 <6.0.0"
       }
     },
     "node_modules/@typescript-eslint/eslint-plugin/node_modules/@typescript-eslint/scope-manager": {
-      "version": "8.46.4",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/scope-manager/-/scope-manager-8.46.4.tgz",
-      "integrity": "sha512-tMDbLGXb1wC+McN1M6QeDx7P7c0UWO5z9CXqp7J8E+xGcJuUuevWKxuG8j41FoweS3+L41SkyKKkia16jpX7CA==",
+      "version": "8.48.0",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/scope-manager/-/scope-manager-8.48.0.tgz",
+      "integrity": "sha512-uGSSsbrtJrLduti0Q1Q9+BF1/iFKaxGoQwjWOIVNJv0o6omrdyR8ct37m4xIl5Zzpkp69Kkmvom7QFTtue89YQ==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
-        "@typescript-eslint/types": "8.46.4",
-        "@typescript-eslint/visitor-keys": "8.46.4"
+        "@typescript-eslint/types": "8.48.0",
+        "@typescript-eslint/visitor-keys": "8.48.0"
       },
       "engines": {
         "node": "^18.18.0 || ^20.9.0 || >=21.1.0"
@@ -2417,9 +2417,9 @@
       }
     },
     "node_modules/@typescript-eslint/eslint-plugin/node_modules/@typescript-eslint/types": {
-      "version": "8.46.4",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/types/-/types-8.46.4.tgz",
-      "integrity": "sha512-USjyxm3gQEePdUwJBFjjGNG18xY9A2grDVGuk7/9AkjIF1L+ZrVnwR5VAU5JXtUnBL/Nwt3H31KlRDaksnM7/w==",
+      "version": "8.48.0",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/types/-/types-8.48.0.tgz",
+      "integrity": "sha512-cQMcGQQH7kwKoVswD1xdOytxQR60MWKM1di26xSUtxehaDs/32Zpqsu5WJlXTtTTqyAVK8R7hvsUnIXRS+bjvA==",
       "dev": true,
       "license": "MIT",
       "engines": {
@@ -2431,21 +2431,20 @@
       }
     },
     "node_modules/@typescript-eslint/eslint-plugin/node_modules/@typescript-eslint/typescript-estree": {
-      "version": "8.46.4",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/typescript-estree/-/typescript-estree-8.46.4.tgz",
-      "integrity": "sha512-7oV2qEOr1d4NWNmpXLR35LvCfOkTNymY9oyW+lUHkmCno7aOmIf/hMaydnJBUTBMRCOGZh8YjkFOc8dadEoNGA==",
+      "version": "8.48.0",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/typescript-estree/-/typescript-estree-8.48.0.tgz",
+      "integrity": "sha512-ljHab1CSO4rGrQIAyizUS6UGHHCiAYhbfcIZ1zVJr5nMryxlXMVWS3duFPSKvSUbFPwkXMFk1k0EMIjub4sRRQ==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
-        "@typescript-eslint/project-service": "8.46.4",
-        "@typescript-eslint/tsconfig-utils": "8.46.4",
-        "@typescript-eslint/types": "8.46.4",
-        "@typescript-eslint/visitor-keys": "8.46.4",
+        "@typescript-eslint/project-service": "8.48.0",
+        "@typescript-eslint/tsconfig-utils": "8.48.0",
+        "@typescript-eslint/types": "8.48.0",
+        "@typescript-eslint/visitor-keys": "8.48.0",
         "debug": "^4.3.4",
-        "fast-glob": "^3.3.2",
-        "is-glob": "^4.0.3",
         "minimatch": "^9.0.4",
         "semver": "^7.6.0",
+        "tinyglobby": "^0.2.15",
         "ts-api-utils": "^2.1.0"
       },
       "engines": {
@@ -2460,16 +2459,16 @@
       }
     },
     "node_modules/@typescript-eslint/eslint-plugin/node_modules/@typescript-eslint/utils": {
-      "version": "8.46.4",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/utils/-/utils-8.46.4.tgz",
-      "integrity": "sha512-AbSv11fklGXV6T28dp2Me04Uw90R2iJ30g2bgLz529Koehrmkbs1r7paFqr1vPCZi7hHwYxYtxfyQMRC8QaVSg==",
+      "version": "8.48.0",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/utils/-/utils-8.48.0.tgz",
+      "integrity": "sha512-yTJO1XuGxCsSfIVt1+1UrLHtue8xz16V8apzPYI06W0HbEbEWHxHXgZaAgavIkoh+GeV6hKKd5jm0sS6OYxWXQ==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
         "@eslint-community/eslint-utils": "^4.7.0",
-        "@typescript-eslint/scope-manager": "8.46.4",
-        "@typescript-eslint/types": "8.46.4",
-        "@typescript-eslint/typescript-estree": "8.46.4"
+        "@typescript-eslint/scope-manager": "8.48.0",
+        "@typescript-eslint/types": "8.48.0",
+        "@typescript-eslint/typescript-estree": "8.48.0"
       },
       "engines": {
         "node": "^18.18.0 || ^20.9.0 || >=21.1.0"
@@ -2484,13 +2483,13 @@
       }
     },
     "node_modules/@typescript-eslint/eslint-plugin/node_modules/@typescript-eslint/visitor-keys": {
-      "version": "8.46.4",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/visitor-keys/-/visitor-keys-8.46.4.tgz",
-      "integrity": "sha512-/++5CYLQqsO9HFGLI7APrxBJYo+5OCMpViuhV8q5/Qa3o5mMrF//eQHks+PXcsAVaLdn817fMuS7zqoXNNZGaw==",
+      "version": "8.48.0",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/visitor-keys/-/visitor-keys-8.48.0.tgz",
+      "integrity": "sha512-T0XJMaRPOH3+LBbAfzR2jalckP1MSG/L9eUtY0DEzUyVaXJ/t6zN0nR7co5kz0Jko/nkSYCBRkz1djvjajVTTg==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
-        "@typescript-eslint/types": "8.46.4",
+        "@typescript-eslint/types": "8.48.0",
         "eslint-visitor-keys": "^4.2.1"
       },
       "engines": {
@@ -2563,16 +2562,16 @@
       }
     },
     "node_modules/@typescript-eslint/parser": {
-      "version": "8.46.4",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/parser/-/parser-8.46.4.tgz",
-      "integrity": "sha512-tK3GPFWbirvNgsNKto+UmB/cRtn6TZfyw0D6IKrW55n6Vbs7KJoZtI//kpTKzE/DUmmnAFD8/Ca46s7Obs92/w==",
+      "version": "8.48.0",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/parser/-/parser-8.48.0.tgz",
+      "integrity": "sha512-jCzKdm/QK0Kg4V4IK/oMlRZlY+QOcdjv89U2NgKHZk1CYTj82/RVSx1mV/0gqCVMJ/DA+Zf/S4NBWNF8GQ+eqQ==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
-        "@typescript-eslint/scope-manager": "8.46.4",
-        "@typescript-eslint/types": "8.46.4",
-        "@typescript-eslint/typescript-estree": "8.46.4",
-        "@typescript-eslint/visitor-keys": "8.46.4",
+        "@typescript-eslint/scope-manager": "8.48.0",
+        "@typescript-eslint/types": "8.48.0",
+        "@typescript-eslint/typescript-estree": "8.48.0",
+        "@typescript-eslint/visitor-keys": "8.48.0",
         "debug": "^4.3.4"
       },
       "engines": {
@@ -2588,14 +2587,14 @@
       }
     },
     "node_modules/@typescript-eslint/parser/node_modules/@typescript-eslint/scope-manager": {
-      "version": "8.46.4",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/scope-manager/-/scope-manager-8.46.4.tgz",
-      "integrity": "sha512-tMDbLGXb1wC+McN1M6QeDx7P7c0UWO5z9CXqp7J8E+xGcJuUuevWKxuG8j41FoweS3+L41SkyKKkia16jpX7CA==",
+      "version": "8.48.0",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/scope-manager/-/scope-manager-8.48.0.tgz",
+      "integrity": "sha512-uGSSsbrtJrLduti0Q1Q9+BF1/iFKaxGoQwjWOIVNJv0o6omrdyR8ct37m4xIl5Zzpkp69Kkmvom7QFTtue89YQ==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
-        "@typescript-eslint/types": "8.46.4",
-        "@typescript-eslint/visitor-keys": "8.46.4"
+        "@typescript-eslint/types": "8.48.0",
+        "@typescript-eslint/visitor-keys": "8.48.0"
       },
       "engines": {
         "node": "^18.18.0 || ^20.9.0 || >=21.1.0"
@@ -2606,9 +2605,9 @@
       }
     },
     "node_modules/@typescript-eslint/parser/node_modules/@typescript-eslint/types": {
-      "version": "8.46.4",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/types/-/types-8.46.4.tgz",
-      "integrity": "sha512-USjyxm3gQEePdUwJBFjjGNG18xY9A2grDVGuk7/9AkjIF1L+ZrVnwR5VAU5JXtUnBL/Nwt3H31KlRDaksnM7/w==",
+      "version": "8.48.0",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/types/-/types-8.48.0.tgz",
+      "integrity": "sha512-cQMcGQQH7kwKoVswD1xdOytxQR60MWKM1di26xSUtxehaDs/32Zpqsu5WJlXTtTTqyAVK8R7hvsUnIXRS+bjvA==",
       "dev": true,
       "license": "MIT",
       "engines": {
@@ -2620,21 +2619,20 @@
       }
     },
     "node_modules/@typescript-eslint/parser/node_modules/@typescript-eslint/typescript-estree": {
-      "version": "8.46.4",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/typescript-estree/-/typescript-estree-8.46.4.tgz",
-      "integrity": "sha512-7oV2qEOr1d4NWNmpXLR35LvCfOkTNymY9oyW+lUHkmCno7aOmIf/hMaydnJBUTBMRCOGZh8YjkFOc8dadEoNGA==",
+      "version": "8.48.0",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/typescript-estree/-/typescript-estree-8.48.0.tgz",
+      "integrity": "sha512-ljHab1CSO4rGrQIAyizUS6UGHHCiAYhbfcIZ1zVJr5nMryxlXMVWS3duFPSKvSUbFPwkXMFk1k0EMIjub4sRRQ==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
-        "@typescript-eslint/project-service": "8.46.4",
-        "@typescript-eslint/tsconfig-utils": "8.46.4",
-        "@typescript-eslint/types": "8.46.4",
-        "@typescript-eslint/visitor-keys": "8.46.4",
+        "@typescript-eslint/project-service": "8.48.0",
+        "@typescript-eslint/tsconfig-utils": "8.48.0",
+        "@typescript-eslint/types": "8.48.0",
+        "@typescript-eslint/visitor-keys": "8.48.0",
         "debug": "^4.3.4",
-        "fast-glob": "^3.3.2",
-        "is-glob": "^4.0.3",
         "minimatch": "^9.0.4",
         "semver": "^7.6.0",
+        "tinyglobby": "^0.2.15",
         "ts-api-utils": "^2.1.0"
       },
       "engines": {
@@ -2649,13 +2647,13 @@
       }
     },
     "node_modules/@typescript-eslint/parser/node_modules/@typescript-eslint/visitor-keys": {
-      "version": "8.46.4",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/visitor-keys/-/visitor-keys-8.46.4.tgz",
-      "integrity": "sha512-/++5CYLQqsO9HFGLI7APrxBJYo+5OCMpViuhV8q5/Qa3o5mMrF//eQHks+PXcsAVaLdn817fMuS7zqoXNNZGaw==",
+      "version": "8.48.0",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/visitor-keys/-/visitor-keys-8.48.0.tgz",
+      "integrity": "sha512-T0XJMaRPOH3+LBbAfzR2jalckP1MSG/L9eUtY0DEzUyVaXJ/t6zN0nR7co5kz0Jko/nkSYCBRkz1djvjajVTTg==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
-        "@typescript-eslint/types": "8.46.4",
+        "@typescript-eslint/types": "8.48.0",
         "eslint-visitor-keys": "^4.2.1"
       },
       "engines": {
@@ -2719,14 +2717,14 @@
       }
     },
     "node_modules/@typescript-eslint/project-service": {
-      "version": "8.46.4",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/project-service/-/project-service-8.46.4.tgz",
-      "integrity": "sha512-nPiRSKuvtTN+no/2N1kt2tUh/HoFzeEgOm9fQ6XQk4/ApGqjx0zFIIaLJ6wooR1HIoozvj2j6vTi/1fgAz7UYQ==",
+      "version": "8.48.0",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/project-service/-/project-service-8.48.0.tgz",
+      "integrity": "sha512-Ne4CTZyRh1BecBf84siv42wv5vQvVmgtk8AuiEffKTUo3DrBaGYZueJSxxBZ8fjk/N3DrgChH4TOdIOwOwiqqw==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
-        "@typescript-eslint/tsconfig-utils": "^8.46.4",
-        "@typescript-eslint/types": "^8.46.4",
+        "@typescript-eslint/tsconfig-utils": "^8.48.0",
+        "@typescript-eslint/types": "^8.48.0",
         "debug": "^4.3.4"
       },
       "engines": {
@@ -2741,9 +2739,9 @@
       }
     },
     "node_modules/@typescript-eslint/project-service/node_modules/@typescript-eslint/types": {
-      "version": "8.46.4",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/types/-/types-8.46.4.tgz",
-      "integrity": "sha512-USjyxm3gQEePdUwJBFjjGNG18xY9A2grDVGuk7/9AkjIF1L+ZrVnwR5VAU5JXtUnBL/Nwt3H31KlRDaksnM7/w==",
+      "version": "8.48.0",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/types/-/types-8.48.0.tgz",
+      "integrity": "sha512-cQMcGQQH7kwKoVswD1xdOytxQR60MWKM1di26xSUtxehaDs/32Zpqsu5WJlXTtTTqyAVK8R7hvsUnIXRS+bjvA==",
       "dev": true,
       "license": "MIT",
       "engines": {
@@ -2773,9 +2771,9 @@
       }
     },
     "node_modules/@typescript-eslint/tsconfig-utils": {
-      "version": "8.46.4",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/tsconfig-utils/-/tsconfig-utils-8.46.4.tgz",
-      "integrity": "sha512-+/XqaZPIAk6Cjg7NWgSGe27X4zMGqrFqZ8atJsX3CWxH/jACqWnrWI68h7nHQld0y+k9eTTjb9r+KU4twLoo9A==",
+      "version": "8.48.0",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/tsconfig-utils/-/tsconfig-utils-8.48.0.tgz",
+      "integrity": "sha512-WNebjBdFdyu10sR1M4OXTt2OkMd5KWIL+LLfeH9KhgP+jzfDV/LI3eXzwJ1s9+Yc0Kzo2fQCdY/OpdusCMmh6w==",
       "dev": true,
       "license": "MIT",
       "engines": {
@@ -2790,15 +2788,15 @@
       }
     },
     "node_modules/@typescript-eslint/type-utils": {
-      "version": "8.46.4",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/type-utils/-/type-utils-8.46.4.tgz",
-      "integrity": "sha512-V4QC8h3fdT5Wro6vANk6eojqfbv5bpwHuMsBcJUJkqs2z5XnYhJzyz9Y02eUmF9u3PgXEUiOt4w4KHR3P+z0PQ==",
+      "version": "8.48.0",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/type-utils/-/type-utils-8.48.0.tgz",
+      "integrity": "sha512-zbeVaVqeXhhab6QNEKfK96Xyc7UQuoFWERhEnj3mLVnUWrQnv15cJNseUni7f3g557gm0e46LZ6IJ4NJVOgOpw==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
-        "@typescript-eslint/types": "8.46.4",
-        "@typescript-eslint/typescript-estree": "8.46.4",
-        "@typescript-eslint/utils": "8.46.4",
+        "@typescript-eslint/types": "8.48.0",
+        "@typescript-eslint/typescript-estree": "8.48.0",
+        "@typescript-eslint/utils": "8.48.0",
         "debug": "^4.3.4",
         "ts-api-utils": "^2.1.0"
       },
@@ -2815,14 +2813,14 @@
       }
     },
     "node_modules/@typescript-eslint/type-utils/node_modules/@typescript-eslint/scope-manager": {
-      "version": "8.46.4",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/scope-manager/-/scope-manager-8.46.4.tgz",
-      "integrity": "sha512-tMDbLGXb1wC+McN1M6QeDx7P7c0UWO5z9CXqp7J8E+xGcJuUuevWKxuG8j41FoweS3+L41SkyKKkia16jpX7CA==",
+      "version": "8.48.0",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/scope-manager/-/scope-manager-8.48.0.tgz",
+      "integrity": "sha512-uGSSsbrtJrLduti0Q1Q9+BF1/iFKaxGoQwjWOIVNJv0o6omrdyR8ct37m4xIl5Zzpkp69Kkmvom7QFTtue89YQ==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
-        "@typescript-eslint/types": "8.46.4",
-        "@typescript-eslint/visitor-keys": "8.46.4"
+        "@typescript-eslint/types": "8.48.0",
+        "@typescript-eslint/visitor-keys": "8.48.0"
       },
       "engines": {
         "node": "^18.18.0 || ^20.9.0 || >=21.1.0"
@@ -2833,9 +2831,9 @@
       }
     },
     "node_modules/@typescript-eslint/type-utils/node_modules/@typescript-eslint/types": {
-      "version": "8.46.4",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/types/-/types-8.46.4.tgz",
-      "integrity": "sha512-USjyxm3gQEePdUwJBFjjGNG18xY9A2grDVGuk7/9AkjIF1L+ZrVnwR5VAU5JXtUnBL/Nwt3H31KlRDaksnM7/w==",
+      "version": "8.48.0",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/types/-/types-8.48.0.tgz",
+      "integrity": "sha512-cQMcGQQH7kwKoVswD1xdOytxQR60MWKM1di26xSUtxehaDs/32Zpqsu5WJlXTtTTqyAVK8R7hvsUnIXRS+bjvA==",
       "dev": true,
       "license": "MIT",
       "engines": {
@@ -2847,21 +2845,20 @@
       }
     },
     "node_modules/@typescript-eslint/type-utils/node_modules/@typescript-eslint/typescript-estree": {
-      "version": "8.46.4",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/typescript-estree/-/typescript-estree-8.46.4.tgz",
-      "integrity": "sha512-7oV2qEOr1d4NWNmpXLR35LvCfOkTNymY9oyW+lUHkmCno7aOmIf/hMaydnJBUTBMRCOGZh8YjkFOc8dadEoNGA==",
+      "version": "8.48.0",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/typescript-estree/-/typescript-estree-8.48.0.tgz",
+      "integrity": "sha512-ljHab1CSO4rGrQIAyizUS6UGHHCiAYhbfcIZ1zVJr5nMryxlXMVWS3duFPSKvSUbFPwkXMFk1k0EMIjub4sRRQ==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
-        "@typescript-eslint/project-service": "8.46.4",
-        "@typescript-eslint/tsconfig-utils": "8.46.4",
-        "@typescript-eslint/types": "8.46.4",
-        "@typescript-eslint/visitor-keys": "8.46.4",
+        "@typescript-eslint/project-service": "8.48.0",
+        "@typescript-eslint/tsconfig-utils": "8.48.0",
+        "@typescript-eslint/types": "8.48.0",
+        "@typescript-eslint/visitor-keys": "8.48.0",
         "debug": "^4.3.4",
-        "fast-glob": "^3.3.2",
-        "is-glob": "^4.0.3",
         "minimatch": "^9.0.4",
         "semver": "^7.6.0",
+        "tinyglobby": "^0.2.15",
         "ts-api-utils": "^2.1.0"
       },
       "engines": {
@@ -2876,16 +2873,16 @@
       }
     },
     "node_modules/@typescript-eslint/type-utils/node_modules/@typescript-eslint/utils": {
-      "version": "8.46.4",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/utils/-/utils-8.46.4.tgz",
-      "integrity": "sha512-AbSv11fklGXV6T28dp2Me04Uw90R2iJ30g2bgLz529Koehrmkbs1r7paFqr1vPCZi7hHwYxYtxfyQMRC8QaVSg==",
+      "version": "8.48.0",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/utils/-/utils-8.48.0.tgz",
+      "integrity": "sha512-yTJO1XuGxCsSfIVt1+1UrLHtue8xz16V8apzPYI06W0HbEbEWHxHXgZaAgavIkoh+GeV6hKKd5jm0sS6OYxWXQ==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
         "@eslint-community/eslint-utils": "^4.7.0",
-        "@typescript-eslint/scope-manager": "8.46.4",
-        "@typescript-eslint/types": "8.46.4",
-        "@typescript-eslint/typescript-estree": "8.46.4"
+        "@typescript-eslint/scope-manager": "8.48.0",
+        "@typescript-eslint/types": "8.48.0",
+        "@typescript-eslint/typescript-estree": "8.48.0"
       },
       "engines": {
         "node": "^18.18.0 || ^20.9.0 || >=21.1.0"
@@ -2900,13 +2897,13 @@
       }
     },
     "node_modules/@typescript-eslint/type-utils/node_modules/@typescript-eslint/visitor-keys": {
-      "version": "8.46.4",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/visitor-keys/-/visitor-keys-8.46.4.tgz",
-      "integrity": "sha512-/++5CYLQqsO9HFGLI7APrxBJYo+5OCMpViuhV8q5/Qa3o5mMrF//eQHks+PXcsAVaLdn817fMuS7zqoXNNZGaw==",
+      "version": "8.48.0",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/visitor-keys/-/visitor-keys-8.48.0.tgz",
+      "integrity": "sha512-T0XJMaRPOH3+LBbAfzR2jalckP1MSG/L9eUtY0DEzUyVaXJ/t6zN0nR7co5kz0Jko/nkSYCBRkz1djvjajVTTg==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
-        "@typescript-eslint/types": "8.46.4",
+        "@typescript-eslint/types": "8.48.0",
         "eslint-visitor-keys": "^4.2.1"
       },
       "engines": {
@@ -4952,9 +4949,9 @@
       }
     },
     "node_modules/eslint-plugin-jsdoc": {
-      "version": "61.2.1",
-      "resolved": "https://registry.npmjs.org/eslint-plugin-jsdoc/-/eslint-plugin-jsdoc-61.2.1.tgz",
-      "integrity": "sha512-Htacti3dbkNm4rlp/Bk9lqhv+gi6US9jyN22yaJ42G6wbteiTbNLChQwi25jr/BN+NOzDWhZHvCDdrhX0F8dXQ==",
+      "version": "61.4.1",
+      "resolved": "https://registry.npmjs.org/eslint-plugin-jsdoc/-/eslint-plugin-jsdoc-61.4.1.tgz",
+      "integrity": "sha512-3c1QW/bV25sJ1MsIvsvW+EtLtN6yZMduw7LVQNVt72y2/5BbV5Pg5b//TE5T48LRUxoEQGaZJejCmcj3wCxBzw==",
       "dev": true,
       "license": "BSD-3-Clause",
       "dependencies": {
@@ -8304,14 +8301,14 @@
       }
     },
     "node_modules/tinyglobby": {
-      "version": "0.2.12",
-      "resolved": "https://registry.npmjs.org/tinyglobby/-/tinyglobby-0.2.12.tgz",
-      "integrity": "sha512-qkf4trmKSIiMTs/E63cxH+ojC2unam7rJ0WrauAzpT3ECNTxGRMlaXxVbfxMUC/w0LaYk6jQ4y/nGR9uBO3tww==",
+      "version": "0.2.15",
+      "resolved": "https://registry.npmjs.org/tinyglobby/-/tinyglobby-0.2.15.tgz",
+      "integrity": "sha512-j2Zq4NyQYG5XMST4cbs02Ak8iJUdxRM0XI5QyxXuZOzKOINmWurp3smXu3y5wDcJrptwpSjgXHzIQxR0omXljQ==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
-        "fdir": "^6.4.3",
-        "picomatch": "^4.0.2"
+        "fdir": "^6.5.0",
+        "picomatch": "^4.0.3"
       },
       "engines": {
         "node": ">=12.0.0"
@@ -8321,11 +8318,14 @@
       }
     },
     "node_modules/tinyglobby/node_modules/fdir": {
-      "version": "6.4.3",
-      "resolved": "https://registry.npmjs.org/fdir/-/fdir-6.4.3.tgz",
-      "integrity": "sha512-PMXmW2y1hDDfTSRc9gaXIuCCRpuoz3Kaz8cUelp3smouvfT632ozg2vrT6lJsHKKOF59YLbOGfAWGUcKEfRMQw==",
+      "version": "6.5.0",
+      "resolved": "https://registry.npmjs.org/fdir/-/fdir-6.5.0.tgz",
+      "integrity": "sha512-tIbYtZbucOs0BRGqPJkshJUYdL+SDH7dVM8gjy+ERp3WAUjLEFJE+02kanyHtwjWOnwrKYBiwAmM0p4kLJAnXg==",
       "dev": true,
       "license": "MIT",
+      "engines": {
+        "node": ">=12.0.0"
+      },
       "peerDependencies": {
         "picomatch": "^3 || ^4"
       },
@@ -8336,9 +8336,9 @@
       }
     },
     "node_modules/tinyglobby/node_modules/picomatch": {
-      "version": "4.0.2",
-      "resolved": "https://registry.npmjs.org/picomatch/-/picomatch-4.0.2.tgz",
-      "integrity": "sha512-M7BAV6Rlcy5u+m6oPhAPFgJTzAioX/6B0DxyvDlo9l8+T3nLKbrczg2WLUyzd45L8RqfUMyGPzekbMvX2Ldkwg==",
+      "version": "4.0.3",
+      "resolved": "https://registry.npmjs.org/picomatch/-/picomatch-4.0.3.tgz",
+      "integrity": "sha512-5gTmgEY/sqK6gFXLIsQNH19lWb4ebPDLA4SdLP7dsWkIXHWlG66oPuVvXSGFPppYZz8ZDZq0dYYrbHfBCVUb1Q==",
       "dev": true,
       "license": "MIT",
       "engines": {
diff --git a/package.json b/package.json
index 22d5817761..473701b8f9 100644
--- a/package.json
+++ b/package.json
@@ -61,7 +61,7 @@
     "@types/node-forge": "^1.3.14",
     "@types/semver": "^7.7.1",
     "@types/sinon": "^21.0.0",
-    "@typescript-eslint/eslint-plugin": "^8.46.4",
+    "@typescript-eslint/eslint-plugin": "^8.48.0",
     "@typescript-eslint/parser": "^8.41.0",
     "ava": "^6.4.1",
     "esbuild": "^0.27.0",
@@ -70,7 +70,7 @@
     "eslint-plugin-filenames": "^1.3.2",
     "eslint-plugin-github": "^5.1.8",
     "eslint-plugin-import": "2.29.1",
-    "eslint-plugin-jsdoc": "^61.2.1",
+    "eslint-plugin-jsdoc": "^61.4.1",
     "eslint-plugin-no-async-foreach": "^0.1.1",
     "glob": "^11.1.0",
     "nock": "^14.0.10",

From 514279113a2b4711fb532dad8108e552d5e61471 Mon Sep 17 00:00:00 2001
From: "github-actions[bot]"
 <41898282+github-actions[bot]@users.noreply.github.com>
Date: Mon, 24 Nov 2025 17:38:19 +0000
Subject: [PATCH 09/31] Rebuild

---
 lib/analyze-action-post.js        | 4 ++--
 lib/analyze-action.js             | 4 ++--
 lib/autobuild-action.js           | 4 ++--
 lib/init-action-post.js           | 4 ++--
 lib/init-action.js                | 4 ++--
 lib/resolve-environment-action.js | 4 ++--
 lib/setup-codeql-action.js        | 4 ++--
 lib/start-proxy-action-post.js    | 4 ++--
 lib/start-proxy-action.js         | 4 ++--
 lib/upload-lib.js                 | 4 ++--
 lib/upload-sarif-action-post.js   | 4 ++--
 lib/upload-sarif-action.js        | 4 ++--
 12 files changed, 24 insertions(+), 24 deletions(-)

diff --git a/lib/analyze-action-post.js b/lib/analyze-action-post.js
index 37725d00bf..8f6481a506 100644
--- a/lib/analyze-action-post.js
+++ b/lib/analyze-action-post.js
@@ -27688,7 +27688,7 @@ var require_package = __commonJS({
         "@types/node-forge": "^1.3.14",
         "@types/semver": "^7.7.1",
         "@types/sinon": "^21.0.0",
-        "@typescript-eslint/eslint-plugin": "^8.46.4",
+        "@typescript-eslint/eslint-plugin": "^8.48.0",
         "@typescript-eslint/parser": "^8.41.0",
         ava: "^6.4.1",
         esbuild: "^0.27.0",
@@ -27697,7 +27697,7 @@ var require_package = __commonJS({
         "eslint-plugin-filenames": "^1.3.2",
         "eslint-plugin-github": "^5.1.8",
         "eslint-plugin-import": "2.29.1",
-        "eslint-plugin-jsdoc": "^61.2.1",
+        "eslint-plugin-jsdoc": "^61.4.1",
         "eslint-plugin-no-async-foreach": "^0.1.1",
         glob: "^11.1.0",
         nock: "^14.0.10",
diff --git a/lib/analyze-action.js b/lib/analyze-action.js
index 8206afce01..fd6eb68601 100644
--- a/lib/analyze-action.js
+++ b/lib/analyze-action.js
@@ -27688,7 +27688,7 @@ var require_package = __commonJS({
         "@types/node-forge": "^1.3.14",
         "@types/semver": "^7.7.1",
         "@types/sinon": "^21.0.0",
-        "@typescript-eslint/eslint-plugin": "^8.46.4",
+        "@typescript-eslint/eslint-plugin": "^8.48.0",
         "@typescript-eslint/parser": "^8.41.0",
         ava: "^6.4.1",
         esbuild: "^0.27.0",
@@ -27697,7 +27697,7 @@ var require_package = __commonJS({
         "eslint-plugin-filenames": "^1.3.2",
         "eslint-plugin-github": "^5.1.8",
         "eslint-plugin-import": "2.29.1",
-        "eslint-plugin-jsdoc": "^61.2.1",
+        "eslint-plugin-jsdoc": "^61.4.1",
         "eslint-plugin-no-async-foreach": "^0.1.1",
         glob: "^11.1.0",
         nock: "^14.0.10",
diff --git a/lib/autobuild-action.js b/lib/autobuild-action.js
index d4b7fc1f6d..29d16b639c 100644
--- a/lib/autobuild-action.js
+++ b/lib/autobuild-action.js
@@ -27688,7 +27688,7 @@ var require_package = __commonJS({
         "@types/node-forge": "^1.3.14",
         "@types/semver": "^7.7.1",
         "@types/sinon": "^21.0.0",
-        "@typescript-eslint/eslint-plugin": "^8.46.4",
+        "@typescript-eslint/eslint-plugin": "^8.48.0",
         "@typescript-eslint/parser": "^8.41.0",
         ava: "^6.4.1",
         esbuild: "^0.27.0",
@@ -27697,7 +27697,7 @@ var require_package = __commonJS({
         "eslint-plugin-filenames": "^1.3.2",
         "eslint-plugin-github": "^5.1.8",
         "eslint-plugin-import": "2.29.1",
-        "eslint-plugin-jsdoc": "^61.2.1",
+        "eslint-plugin-jsdoc": "^61.4.1",
         "eslint-plugin-no-async-foreach": "^0.1.1",
         glob: "^11.1.0",
         nock: "^14.0.10",
diff --git a/lib/init-action-post.js b/lib/init-action-post.js
index 62e78df8a5..c35e5f24d1 100644
--- a/lib/init-action-post.js
+++ b/lib/init-action-post.js
@@ -27688,7 +27688,7 @@ var require_package = __commonJS({
         "@types/node-forge": "^1.3.14",
         "@types/semver": "^7.7.1",
         "@types/sinon": "^21.0.0",
-        "@typescript-eslint/eslint-plugin": "^8.46.4",
+        "@typescript-eslint/eslint-plugin": "^8.48.0",
         "@typescript-eslint/parser": "^8.41.0",
         ava: "^6.4.1",
         esbuild: "^0.27.0",
@@ -27697,7 +27697,7 @@ var require_package = __commonJS({
         "eslint-plugin-filenames": "^1.3.2",
         "eslint-plugin-github": "^5.1.8",
         "eslint-plugin-import": "2.29.1",
-        "eslint-plugin-jsdoc": "^61.2.1",
+        "eslint-plugin-jsdoc": "^61.4.1",
         "eslint-plugin-no-async-foreach": "^0.1.1",
         glob: "^11.1.0",
         nock: "^14.0.10",
diff --git a/lib/init-action.js b/lib/init-action.js
index 185510e02e..d60e2dffe1 100644
--- a/lib/init-action.js
+++ b/lib/init-action.js
@@ -27688,7 +27688,7 @@ var require_package = __commonJS({
         "@types/node-forge": "^1.3.14",
         "@types/semver": "^7.7.1",
         "@types/sinon": "^21.0.0",
-        "@typescript-eslint/eslint-plugin": "^8.46.4",
+        "@typescript-eslint/eslint-plugin": "^8.48.0",
         "@typescript-eslint/parser": "^8.41.0",
         ava: "^6.4.1",
         esbuild: "^0.27.0",
@@ -27697,7 +27697,7 @@ var require_package = __commonJS({
         "eslint-plugin-filenames": "^1.3.2",
         "eslint-plugin-github": "^5.1.8",
         "eslint-plugin-import": "2.29.1",
-        "eslint-plugin-jsdoc": "^61.2.1",
+        "eslint-plugin-jsdoc": "^61.4.1",
         "eslint-plugin-no-async-foreach": "^0.1.1",
         glob: "^11.1.0",
         nock: "^14.0.10",
diff --git a/lib/resolve-environment-action.js b/lib/resolve-environment-action.js
index cd65a4bf1c..6ea61cbb56 100644
--- a/lib/resolve-environment-action.js
+++ b/lib/resolve-environment-action.js
@@ -27688,7 +27688,7 @@ var require_package = __commonJS({
         "@types/node-forge": "^1.3.14",
         "@types/semver": "^7.7.1",
         "@types/sinon": "^21.0.0",
-        "@typescript-eslint/eslint-plugin": "^8.46.4",
+        "@typescript-eslint/eslint-plugin": "^8.48.0",
         "@typescript-eslint/parser": "^8.41.0",
         ava: "^6.4.1",
         esbuild: "^0.27.0",
@@ -27697,7 +27697,7 @@ var require_package = __commonJS({
         "eslint-plugin-filenames": "^1.3.2",
         "eslint-plugin-github": "^5.1.8",
         "eslint-plugin-import": "2.29.1",
-        "eslint-plugin-jsdoc": "^61.2.1",
+        "eslint-plugin-jsdoc": "^61.4.1",
         "eslint-plugin-no-async-foreach": "^0.1.1",
         glob: "^11.1.0",
         nock: "^14.0.10",
diff --git a/lib/setup-codeql-action.js b/lib/setup-codeql-action.js
index 780d2cc6de..906c7d1a54 100644
--- a/lib/setup-codeql-action.js
+++ b/lib/setup-codeql-action.js
@@ -27688,7 +27688,7 @@ var require_package = __commonJS({
         "@types/node-forge": "^1.3.14",
         "@types/semver": "^7.7.1",
         "@types/sinon": "^21.0.0",
-        "@typescript-eslint/eslint-plugin": "^8.46.4",
+        "@typescript-eslint/eslint-plugin": "^8.48.0",
         "@typescript-eslint/parser": "^8.41.0",
         ava: "^6.4.1",
         esbuild: "^0.27.0",
@@ -27697,7 +27697,7 @@ var require_package = __commonJS({
         "eslint-plugin-filenames": "^1.3.2",
         "eslint-plugin-github": "^5.1.8",
         "eslint-plugin-import": "2.29.1",
-        "eslint-plugin-jsdoc": "^61.2.1",
+        "eslint-plugin-jsdoc": "^61.4.1",
         "eslint-plugin-no-async-foreach": "^0.1.1",
         glob: "^11.1.0",
         nock: "^14.0.10",
diff --git a/lib/start-proxy-action-post.js b/lib/start-proxy-action-post.js
index c78e8262a6..e31470e3e8 100644
--- a/lib/start-proxy-action-post.js
+++ b/lib/start-proxy-action-post.js
@@ -27688,7 +27688,7 @@ var require_package = __commonJS({
         "@types/node-forge": "^1.3.14",
         "@types/semver": "^7.7.1",
         "@types/sinon": "^21.0.0",
-        "@typescript-eslint/eslint-plugin": "^8.46.4",
+        "@typescript-eslint/eslint-plugin": "^8.48.0",
         "@typescript-eslint/parser": "^8.41.0",
         ava: "^6.4.1",
         esbuild: "^0.27.0",
@@ -27697,7 +27697,7 @@ var require_package = __commonJS({
         "eslint-plugin-filenames": "^1.3.2",
         "eslint-plugin-github": "^5.1.8",
         "eslint-plugin-import": "2.29.1",
-        "eslint-plugin-jsdoc": "^61.2.1",
+        "eslint-plugin-jsdoc": "^61.4.1",
         "eslint-plugin-no-async-foreach": "^0.1.1",
         glob: "^11.1.0",
         nock: "^14.0.10",
diff --git a/lib/start-proxy-action.js b/lib/start-proxy-action.js
index f0d7eb5716..4b0d9fc6ea 100644
--- a/lib/start-proxy-action.js
+++ b/lib/start-proxy-action.js
@@ -47346,7 +47346,7 @@ var require_package = __commonJS({
         "@types/node-forge": "^1.3.14",
         "@types/semver": "^7.7.1",
         "@types/sinon": "^21.0.0",
-        "@typescript-eslint/eslint-plugin": "^8.46.4",
+        "@typescript-eslint/eslint-plugin": "^8.48.0",
         "@typescript-eslint/parser": "^8.41.0",
         ava: "^6.4.1",
         esbuild: "^0.27.0",
@@ -47355,7 +47355,7 @@ var require_package = __commonJS({
         "eslint-plugin-filenames": "^1.3.2",
         "eslint-plugin-github": "^5.1.8",
         "eslint-plugin-import": "2.29.1",
-        "eslint-plugin-jsdoc": "^61.2.1",
+        "eslint-plugin-jsdoc": "^61.4.1",
         "eslint-plugin-no-async-foreach": "^0.1.1",
         glob: "^11.1.0",
         nock: "^14.0.10",
diff --git a/lib/upload-lib.js b/lib/upload-lib.js
index de44834ac9..d077e689be 100644
--- a/lib/upload-lib.js
+++ b/lib/upload-lib.js
@@ -28985,7 +28985,7 @@ var require_package = __commonJS({
         "@types/node-forge": "^1.3.14",
         "@types/semver": "^7.7.1",
         "@types/sinon": "^21.0.0",
-        "@typescript-eslint/eslint-plugin": "^8.46.4",
+        "@typescript-eslint/eslint-plugin": "^8.48.0",
         "@typescript-eslint/parser": "^8.41.0",
         ava: "^6.4.1",
         esbuild: "^0.27.0",
@@ -28994,7 +28994,7 @@ var require_package = __commonJS({
         "eslint-plugin-filenames": "^1.3.2",
         "eslint-plugin-github": "^5.1.8",
         "eslint-plugin-import": "2.29.1",
-        "eslint-plugin-jsdoc": "^61.2.1",
+        "eslint-plugin-jsdoc": "^61.4.1",
         "eslint-plugin-no-async-foreach": "^0.1.1",
         glob: "^11.1.0",
         nock: "^14.0.10",
diff --git a/lib/upload-sarif-action-post.js b/lib/upload-sarif-action-post.js
index f95b705faf..31ad0d31cd 100644
--- a/lib/upload-sarif-action-post.js
+++ b/lib/upload-sarif-action-post.js
@@ -27688,7 +27688,7 @@ var require_package = __commonJS({
         "@types/node-forge": "^1.3.14",
         "@types/semver": "^7.7.1",
         "@types/sinon": "^21.0.0",
-        "@typescript-eslint/eslint-plugin": "^8.46.4",
+        "@typescript-eslint/eslint-plugin": "^8.48.0",
         "@typescript-eslint/parser": "^8.41.0",
         ava: "^6.4.1",
         esbuild: "^0.27.0",
@@ -27697,7 +27697,7 @@ var require_package = __commonJS({
         "eslint-plugin-filenames": "^1.3.2",
         "eslint-plugin-github": "^5.1.8",
         "eslint-plugin-import": "2.29.1",
-        "eslint-plugin-jsdoc": "^61.2.1",
+        "eslint-plugin-jsdoc": "^61.4.1",
         "eslint-plugin-no-async-foreach": "^0.1.1",
         glob: "^11.1.0",
         nock: "^14.0.10",
diff --git a/lib/upload-sarif-action.js b/lib/upload-sarif-action.js
index f8ea28a2d0..dd50fc65cd 100644
--- a/lib/upload-sarif-action.js
+++ b/lib/upload-sarif-action.js
@@ -27688,7 +27688,7 @@ var require_package = __commonJS({
         "@types/node-forge": "^1.3.14",
         "@types/semver": "^7.7.1",
         "@types/sinon": "^21.0.0",
-        "@typescript-eslint/eslint-plugin": "^8.46.4",
+        "@typescript-eslint/eslint-plugin": "^8.48.0",
         "@typescript-eslint/parser": "^8.41.0",
         ava: "^6.4.1",
         esbuild: "^0.27.0",
@@ -27697,7 +27697,7 @@ var require_package = __commonJS({
         "eslint-plugin-filenames": "^1.3.2",
         "eslint-plugin-github": "^5.1.8",
         "eslint-plugin-import": "2.29.1",
-        "eslint-plugin-jsdoc": "^61.2.1",
+        "eslint-plugin-jsdoc": "^61.4.1",
         "eslint-plugin-no-async-foreach": "^0.1.1",
         glob: "^11.1.0",
         nock: "^14.0.10",

From 6feac2b36a5ca1b9bef24d689424860a700aaf65 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 24 Nov 2025 17:59:04 +0000
Subject: [PATCH 10/31] Bump actions/create-github-app-token

Bumps the actions-minor group with 1 update in the /.github/workflows directory: [actions/create-github-app-token](https://github.com/actions/create-github-app-token).


Updates `actions/create-github-app-token` from 2.1.4 to 2.2.0
- [Release notes](https://github.com/actions/create-github-app-token/releases)
- [Commits](https://github.com/actions/create-github-app-token/compare/v2.1.4...v2.2.0)

---
updated-dependencies:
- dependency-name: actions/create-github-app-token
  dependency-version: 2.2.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: actions-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
---
 .github/workflows/post-release-mergeback.yml | 2 +-
 .github/workflows/rollback-release.yml       | 2 +-
 .github/workflows/update-release-branch.yml  | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/post-release-mergeback.yml b/.github/workflows/post-release-mergeback.yml
index 1731a78ff9..4be56da522 100644
--- a/.github/workflows/post-release-mergeback.yml
+++ b/.github/workflows/post-release-mergeback.yml
@@ -142,7 +142,7 @@ jobs:
           token: "${{ secrets.GITHUB_TOKEN }}"
 
       - name: Generate token
-        uses: actions/create-github-app-token@v2.1.4
+        uses: actions/create-github-app-token@v2.2.0
         id: app-token
         with:
           app-id: ${{ vars.AUTOMATION_APP_ID }}
diff --git a/.github/workflows/rollback-release.yml b/.github/workflows/rollback-release.yml
index 8d8e872fa7..a218fd57e4 100644
--- a/.github/workflows/rollback-release.yml
+++ b/.github/workflows/rollback-release.yml
@@ -137,7 +137,7 @@ jobs:
 
       - name: Generate token
         if: github.event_name == 'workflow_dispatch'
-        uses: actions/create-github-app-token@v2.1.4
+        uses: actions/create-github-app-token@v2.2.0
         id: app-token
         with:
           app-id: ${{ vars.AUTOMATION_APP_ID }}
diff --git a/.github/workflows/update-release-branch.yml b/.github/workflows/update-release-branch.yml
index 830ed7c2a5..74349965b0 100644
--- a/.github/workflows/update-release-branch.yml
+++ b/.github/workflows/update-release-branch.yml
@@ -93,7 +93,7 @@ jobs:
       pull-requests: write # needed to create pull request
     steps:
     - name: Generate token
-      uses: actions/create-github-app-token@v2.1.4
+      uses: actions/create-github-app-token@v2.2.0
       id: app-token
       with:
         app-id: ${{ vars.AUTOMATION_APP_ID }}

From 5bd8069afb7ffe286094a9d3f1026925d4ac7990 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 24 Nov 2025 18:01:10 +0000
Subject: [PATCH 11/31] Bump actions/checkout from 5 to 6 in /.github/workflows

Bumps [actions/checkout](https://github.com/actions/checkout) from 5 to 6.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/checkout/compare/v5...v6)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: '6'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
---
 .github/workflows/__all-platform-bundle.yml                 | 2 +-
 .github/workflows/__analyze-ref-input.yml                   | 2 +-
 .github/workflows/__autobuild-action.yml                    | 2 +-
 .../__autobuild-direct-tracing-with-working-dir.yml         | 2 +-
 .github/workflows/__autobuild-working-dir.yml               | 2 +-
 .github/workflows/__build-mode-autobuild.yml                | 2 +-
 .github/workflows/__build-mode-manual.yml                   | 2 +-
 .github/workflows/__build-mode-none.yml                     | 2 +-
 .github/workflows/__build-mode-rollback.yml                 | 2 +-
 .github/workflows/__bundle-from-toolcache.yml               | 2 +-
 .github/workflows/__bundle-toolcache.yml                    | 2 +-
 .github/workflows/__bundle-zstd.yml                         | 2 +-
 .github/workflows/__cleanup-db-cluster-dir.yml              | 2 +-
 .github/workflows/__config-export.yml                       | 2 +-
 .github/workflows/__config-input.yml                        | 2 +-
 .github/workflows/__cpp-deptrace-disabled.yml               | 2 +-
 .github/workflows/__cpp-deptrace-enabled-on-macos.yml       | 2 +-
 .github/workflows/__cpp-deptrace-enabled.yml                | 2 +-
 .github/workflows/__diagnostics-export.yml                  | 2 +-
 .github/workflows/__export-file-baseline-information.yml    | 2 +-
 .github/workflows/__extractor-ram-threads.yml               | 2 +-
 .github/workflows/__global-proxy.yml                        | 2 +-
 .github/workflows/__go-custom-queries.yml                   | 2 +-
 .../__go-indirect-tracing-workaround-diagnostic.yml         | 2 +-
 .../__go-indirect-tracing-workaround-no-file-program.yml    | 2 +-
 .github/workflows/__go-indirect-tracing-workaround.yml      | 2 +-
 .github/workflows/__go-tracing-autobuilder.yml              | 2 +-
 .github/workflows/__go-tracing-custom-build-steps.yml       | 2 +-
 .github/workflows/__go-tracing-legacy-workflow.yml          | 2 +-
 .github/workflows/__init-with-registries.yml                | 2 +-
 .github/workflows/__javascript-source-root.yml              | 2 +-
 .github/workflows/__job-run-uuid-sarif.yml                  | 2 +-
 .github/workflows/__language-aliases.yml                    | 2 +-
 .github/workflows/__local-bundle.yml                        | 2 +-
 .github/workflows/__multi-language-autodetect.yml           | 2 +-
 .github/workflows/__overlay-init-fallback.yml               | 2 +-
 .../workflows/__packaging-codescanning-config-inputs-js.yml | 2 +-
 .github/workflows/__packaging-config-inputs-js.yml          | 2 +-
 .github/workflows/__packaging-config-js.yml                 | 2 +-
 .github/workflows/__packaging-inputs-js.yml                 | 2 +-
 .github/workflows/__quality-queries.yml                     | 2 +-
 .github/workflows/__remote-config.yml                       | 2 +-
 .github/workflows/__resolve-environment-action.yml          | 2 +-
 .github/workflows/__rubocop-multi-language.yml              | 2 +-
 .github/workflows/__ruby.yml                                | 2 +-
 .github/workflows/__rust.yml                                | 2 +-
 .github/workflows/__split-workflow.yml                      | 2 +-
 .github/workflows/__start-proxy.yml                         | 2 +-
 .github/workflows/__submit-sarif-failure.yml                | 4 ++--
 .github/workflows/__swift-autobuild.yml                     | 2 +-
 .github/workflows/__swift-custom-build.yml                  | 2 +-
 .github/workflows/__unset-environment.yml                   | 2 +-
 .github/workflows/__upload-ref-sha-input.yml                | 2 +-
 .github/workflows/__upload-sarif.yml                        | 2 +-
 .github/workflows/__with-checkout-path.yml                  | 4 ++--
 .github/workflows/check-expected-release-files.yml          | 2 +-
 .github/workflows/codeql.yml                                | 6 +++---
 .github/workflows/codescanning-config-cli.yml               | 2 +-
 .github/workflows/debug-artifacts-failure-safe.yml          | 2 +-
 .github/workflows/debug-artifacts-safe.yml                  | 2 +-
 .github/workflows/post-release-mergeback.yml                | 2 +-
 .github/workflows/pr-checks.yml                             | 6 +++---
 .github/workflows/prepare-release.yml                       | 2 +-
 .github/workflows/publish-immutable-action.yml              | 2 +-
 .github/workflows/python312-windows.yml                     | 2 +-
 .github/workflows/query-filters.yml                         | 2 +-
 .github/workflows/rebuild.yml                               | 2 +-
 .github/workflows/rollback-release.yml                      | 2 +-
 .github/workflows/test-codeql-bundle-all.yml                | 2 +-
 .github/workflows/update-bundle.yml                         | 2 +-
 .github/workflows/update-release-branch.yml                 | 4 ++--
 .../update-supported-enterprise-server-versions.yml         | 4 ++--
 72 files changed, 80 insertions(+), 80 deletions(-)

diff --git a/.github/workflows/__all-platform-bundle.yml b/.github/workflows/__all-platform-bundle.yml
index e2b5e69fc4..2340be49c7 100644
--- a/.github/workflows/__all-platform-bundle.yml
+++ b/.github/workflows/__all-platform-bundle.yml
@@ -71,7 +71,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
       - name: Check out repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
       - name: Prepare test
         id: prepare-test
         uses: ./.github/actions/prepare-test
diff --git a/.github/workflows/__analyze-ref-input.yml b/.github/workflows/__analyze-ref-input.yml
index 9efe4a8c32..161942723a 100644
--- a/.github/workflows/__analyze-ref-input.yml
+++ b/.github/workflows/__analyze-ref-input.yml
@@ -77,7 +77,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
       - name: Check out repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
       - name: Prepare test
         id: prepare-test
         uses: ./.github/actions/prepare-test
diff --git a/.github/workflows/__autobuild-action.yml b/.github/workflows/__autobuild-action.yml
index 0e617afe1c..08470bcff9 100644
--- a/.github/workflows/__autobuild-action.yml
+++ b/.github/workflows/__autobuild-action.yml
@@ -61,7 +61,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
       - name: Check out repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
       - name: Prepare test
         id: prepare-test
         uses: ./.github/actions/prepare-test
diff --git a/.github/workflows/__autobuild-direct-tracing-with-working-dir.yml b/.github/workflows/__autobuild-direct-tracing-with-working-dir.yml
index c1de5c19de..9607fce187 100644
--- a/.github/workflows/__autobuild-direct-tracing-with-working-dir.yml
+++ b/.github/workflows/__autobuild-direct-tracing-with-working-dir.yml
@@ -63,7 +63,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
       - name: Check out repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
       - name: Prepare test
         id: prepare-test
         uses: ./.github/actions/prepare-test
diff --git a/.github/workflows/__autobuild-working-dir.yml b/.github/workflows/__autobuild-working-dir.yml
index 3a3ca9e5f0..e9d1d7d5db 100644
--- a/.github/workflows/__autobuild-working-dir.yml
+++ b/.github/workflows/__autobuild-working-dir.yml
@@ -47,7 +47,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
       - name: Check out repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
       - name: Prepare test
         id: prepare-test
         uses: ./.github/actions/prepare-test
diff --git a/.github/workflows/__build-mode-autobuild.yml b/.github/workflows/__build-mode-autobuild.yml
index 878c941a47..87ed95e1ea 100644
--- a/.github/workflows/__build-mode-autobuild.yml
+++ b/.github/workflows/__build-mode-autobuild.yml
@@ -63,7 +63,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
       - name: Check out repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
       - name: Prepare test
         id: prepare-test
         uses: ./.github/actions/prepare-test
diff --git a/.github/workflows/__build-mode-manual.yml b/.github/workflows/__build-mode-manual.yml
index 4be0c42d15..c164a1a7b5 100644
--- a/.github/workflows/__build-mode-manual.yml
+++ b/.github/workflows/__build-mode-manual.yml
@@ -67,7 +67,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
       - name: Check out repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
       - name: Prepare test
         id: prepare-test
         uses: ./.github/actions/prepare-test
diff --git a/.github/workflows/__build-mode-none.yml b/.github/workflows/__build-mode-none.yml
index 7584f90650..7bb121810f 100644
--- a/.github/workflows/__build-mode-none.yml
+++ b/.github/workflows/__build-mode-none.yml
@@ -49,7 +49,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
       - name: Check out repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
       - name: Prepare test
         id: prepare-test
         uses: ./.github/actions/prepare-test
diff --git a/.github/workflows/__build-mode-rollback.yml b/.github/workflows/__build-mode-rollback.yml
index c1f3ccd0c2..e9d85968c4 100644
--- a/.github/workflows/__build-mode-rollback.yml
+++ b/.github/workflows/__build-mode-rollback.yml
@@ -47,7 +47,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
       - name: Check out repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
       - name: Prepare test
         id: prepare-test
         uses: ./.github/actions/prepare-test
diff --git a/.github/workflows/__bundle-from-toolcache.yml b/.github/workflows/__bundle-from-toolcache.yml
index 639595af5d..96858acd1d 100644
--- a/.github/workflows/__bundle-from-toolcache.yml
+++ b/.github/workflows/__bundle-from-toolcache.yml
@@ -47,7 +47,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
       - name: Check out repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
       - name: Prepare test
         id: prepare-test
         uses: ./.github/actions/prepare-test
diff --git a/.github/workflows/__bundle-toolcache.yml b/.github/workflows/__bundle-toolcache.yml
index de3826b656..59d06b49bf 100644
--- a/.github/workflows/__bundle-toolcache.yml
+++ b/.github/workflows/__bundle-toolcache.yml
@@ -51,7 +51,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
       - name: Check out repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
       - name: Prepare test
         id: prepare-test
         uses: ./.github/actions/prepare-test
diff --git a/.github/workflows/__bundle-zstd.yml b/.github/workflows/__bundle-zstd.yml
index f5b1ab3aad..18185ada3f 100644
--- a/.github/workflows/__bundle-zstd.yml
+++ b/.github/workflows/__bundle-zstd.yml
@@ -51,7 +51,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
       - name: Check out repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
       - name: Prepare test
         id: prepare-test
         uses: ./.github/actions/prepare-test
diff --git a/.github/workflows/__cleanup-db-cluster-dir.yml b/.github/workflows/__cleanup-db-cluster-dir.yml
index dfe53c67ce..8bf4659ae5 100644
--- a/.github/workflows/__cleanup-db-cluster-dir.yml
+++ b/.github/workflows/__cleanup-db-cluster-dir.yml
@@ -47,7 +47,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
       - name: Check out repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
       - name: Prepare test
         id: prepare-test
         uses: ./.github/actions/prepare-test
diff --git a/.github/workflows/__config-export.yml b/.github/workflows/__config-export.yml
index f01c4ae3d3..1c98958544 100644
--- a/.github/workflows/__config-export.yml
+++ b/.github/workflows/__config-export.yml
@@ -49,7 +49,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
       - name: Check out repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
       - name: Prepare test
         id: prepare-test
         uses: ./.github/actions/prepare-test
diff --git a/.github/workflows/__config-input.yml b/.github/workflows/__config-input.yml
index 59db10d4d6..2a006be21d 100644
--- a/.github/workflows/__config-input.yml
+++ b/.github/workflows/__config-input.yml
@@ -47,7 +47,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
       - name: Check out repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
       - name: Install Node.js
         uses: actions/setup-node@v6
         with:
diff --git a/.github/workflows/__cpp-deptrace-disabled.yml b/.github/workflows/__cpp-deptrace-disabled.yml
index 1221592366..2116e5c4fa 100644
--- a/.github/workflows/__cpp-deptrace-disabled.yml
+++ b/.github/workflows/__cpp-deptrace-disabled.yml
@@ -51,7 +51,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
       - name: Check out repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
       - name: Prepare test
         id: prepare-test
         uses: ./.github/actions/prepare-test
diff --git a/.github/workflows/__cpp-deptrace-enabled-on-macos.yml b/.github/workflows/__cpp-deptrace-enabled-on-macos.yml
index b9669b8703..1039cc3213 100644
--- a/.github/workflows/__cpp-deptrace-enabled-on-macos.yml
+++ b/.github/workflows/__cpp-deptrace-enabled-on-macos.yml
@@ -49,7 +49,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
       - name: Check out repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
       - name: Prepare test
         id: prepare-test
         uses: ./.github/actions/prepare-test
diff --git a/.github/workflows/__cpp-deptrace-enabled.yml b/.github/workflows/__cpp-deptrace-enabled.yml
index bf155a64d2..9a57d0041a 100644
--- a/.github/workflows/__cpp-deptrace-enabled.yml
+++ b/.github/workflows/__cpp-deptrace-enabled.yml
@@ -51,7 +51,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
       - name: Check out repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
       - name: Prepare test
         id: prepare-test
         uses: ./.github/actions/prepare-test
diff --git a/.github/workflows/__diagnostics-export.yml b/.github/workflows/__diagnostics-export.yml
index 9251e04a8b..8c05b6d92e 100644
--- a/.github/workflows/__diagnostics-export.yml
+++ b/.github/workflows/__diagnostics-export.yml
@@ -49,7 +49,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
       - name: Check out repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
       - name: Prepare test
         id: prepare-test
         uses: ./.github/actions/prepare-test
diff --git a/.github/workflows/__export-file-baseline-information.yml b/.github/workflows/__export-file-baseline-information.yml
index 980535c84d..7ebf51f3fa 100644
--- a/.github/workflows/__export-file-baseline-information.yml
+++ b/.github/workflows/__export-file-baseline-information.yml
@@ -71,7 +71,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
       - name: Check out repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
       - name: Prepare test
         id: prepare-test
         uses: ./.github/actions/prepare-test
diff --git a/.github/workflows/__extractor-ram-threads.yml b/.github/workflows/__extractor-ram-threads.yml
index 2d8316f52a..09c1cbbf43 100644
--- a/.github/workflows/__extractor-ram-threads.yml
+++ b/.github/workflows/__extractor-ram-threads.yml
@@ -47,7 +47,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
       - name: Check out repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
       - name: Prepare test
         id: prepare-test
         uses: ./.github/actions/prepare-test
diff --git a/.github/workflows/__global-proxy.yml b/.github/workflows/__global-proxy.yml
index bd5d64b5f4..35f1f08fc9 100644
--- a/.github/workflows/__global-proxy.yml
+++ b/.github/workflows/__global-proxy.yml
@@ -61,7 +61,7 @@ jobs:
           apt install -y gh
         env: {}
       - name: Check out repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
       - name: Prepare test
         id: prepare-test
         uses: ./.github/actions/prepare-test
diff --git a/.github/workflows/__go-custom-queries.yml b/.github/workflows/__go-custom-queries.yml
index fe35b5b4d8..32912ee078 100644
--- a/.github/workflows/__go-custom-queries.yml
+++ b/.github/workflows/__go-custom-queries.yml
@@ -69,7 +69,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
       - name: Check out repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
       - name: Prepare test
         id: prepare-test
         uses: ./.github/actions/prepare-test
diff --git a/.github/workflows/__go-indirect-tracing-workaround-diagnostic.yml b/.github/workflows/__go-indirect-tracing-workaround-diagnostic.yml
index 061ad42549..b140b13c4a 100644
--- a/.github/workflows/__go-indirect-tracing-workaround-diagnostic.yml
+++ b/.github/workflows/__go-indirect-tracing-workaround-diagnostic.yml
@@ -57,7 +57,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
       - name: Check out repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
       - name: Prepare test
         id: prepare-test
         uses: ./.github/actions/prepare-test
diff --git a/.github/workflows/__go-indirect-tracing-workaround-no-file-program.yml b/.github/workflows/__go-indirect-tracing-workaround-no-file-program.yml
index 0a347c65c7..d6cf269d71 100644
--- a/.github/workflows/__go-indirect-tracing-workaround-no-file-program.yml
+++ b/.github/workflows/__go-indirect-tracing-workaround-no-file-program.yml
@@ -57,7 +57,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
       - name: Check out repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
       - name: Prepare test
         id: prepare-test
         uses: ./.github/actions/prepare-test
diff --git a/.github/workflows/__go-indirect-tracing-workaround.yml b/.github/workflows/__go-indirect-tracing-workaround.yml
index bb811d4d51..8b0c3d13da 100644
--- a/.github/workflows/__go-indirect-tracing-workaround.yml
+++ b/.github/workflows/__go-indirect-tracing-workaround.yml
@@ -57,7 +57,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
       - name: Check out repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
       - name: Prepare test
         id: prepare-test
         uses: ./.github/actions/prepare-test
diff --git a/.github/workflows/__go-tracing-autobuilder.yml b/.github/workflows/__go-tracing-autobuilder.yml
index 6d4cc91cc9..0d2db37343 100644
--- a/.github/workflows/__go-tracing-autobuilder.yml
+++ b/.github/workflows/__go-tracing-autobuilder.yml
@@ -91,7 +91,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
       - name: Check out repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
       - name: Prepare test
         id: prepare-test
         uses: ./.github/actions/prepare-test
diff --git a/.github/workflows/__go-tracing-custom-build-steps.yml b/.github/workflows/__go-tracing-custom-build-steps.yml
index 634b074c08..bbd461c891 100644
--- a/.github/workflows/__go-tracing-custom-build-steps.yml
+++ b/.github/workflows/__go-tracing-custom-build-steps.yml
@@ -91,7 +91,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
       - name: Check out repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
       - name: Prepare test
         id: prepare-test
         uses: ./.github/actions/prepare-test
diff --git a/.github/workflows/__go-tracing-legacy-workflow.yml b/.github/workflows/__go-tracing-legacy-workflow.yml
index 8168e3b108..feedfdff5d 100644
--- a/.github/workflows/__go-tracing-legacy-workflow.yml
+++ b/.github/workflows/__go-tracing-legacy-workflow.yml
@@ -91,7 +91,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
       - name: Check out repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
       - name: Prepare test
         id: prepare-test
         uses: ./.github/actions/prepare-test
diff --git a/.github/workflows/__init-with-registries.yml b/.github/workflows/__init-with-registries.yml
index bbbc55bf12..8403d63e4e 100644
--- a/.github/workflows/__init-with-registries.yml
+++ b/.github/workflows/__init-with-registries.yml
@@ -52,7 +52,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
       - name: Check out repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
       - name: Prepare test
         id: prepare-test
         uses: ./.github/actions/prepare-test
diff --git a/.github/workflows/__javascript-source-root.yml b/.github/workflows/__javascript-source-root.yml
index e6c883966e..97caa3a69e 100644
--- a/.github/workflows/__javascript-source-root.yml
+++ b/.github/workflows/__javascript-source-root.yml
@@ -51,7 +51,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
       - name: Check out repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
       - name: Prepare test
         id: prepare-test
         uses: ./.github/actions/prepare-test
diff --git a/.github/workflows/__job-run-uuid-sarif.yml b/.github/workflows/__job-run-uuid-sarif.yml
index b9f3eed911..73cb295fe9 100644
--- a/.github/workflows/__job-run-uuid-sarif.yml
+++ b/.github/workflows/__job-run-uuid-sarif.yml
@@ -47,7 +47,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
       - name: Check out repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
       - name: Prepare test
         id: prepare-test
         uses: ./.github/actions/prepare-test
diff --git a/.github/workflows/__language-aliases.yml b/.github/workflows/__language-aliases.yml
index 5f95caa131..b8976bb5da 100644
--- a/.github/workflows/__language-aliases.yml
+++ b/.github/workflows/__language-aliases.yml
@@ -47,7 +47,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
       - name: Check out repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
       - name: Prepare test
         id: prepare-test
         uses: ./.github/actions/prepare-test
diff --git a/.github/workflows/__local-bundle.yml b/.github/workflows/__local-bundle.yml
index 3fc89f381a..094f22ebc0 100644
--- a/.github/workflows/__local-bundle.yml
+++ b/.github/workflows/__local-bundle.yml
@@ -77,7 +77,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
       - name: Check out repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
       - name: Prepare test
         id: prepare-test
         uses: ./.github/actions/prepare-test
diff --git a/.github/workflows/__multi-language-autodetect.yml b/.github/workflows/__multi-language-autodetect.yml
index 3704cdbf51..8e0b44dbf6 100644
--- a/.github/workflows/__multi-language-autodetect.yml
+++ b/.github/workflows/__multi-language-autodetect.yml
@@ -111,7 +111,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
       - name: Check out repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
       - name: Prepare test
         id: prepare-test
         uses: ./.github/actions/prepare-test
diff --git a/.github/workflows/__overlay-init-fallback.yml b/.github/workflows/__overlay-init-fallback.yml
index d85e58aa17..b843b8aac5 100644
--- a/.github/workflows/__overlay-init-fallback.yml
+++ b/.github/workflows/__overlay-init-fallback.yml
@@ -49,7 +49,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
       - name: Check out repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
       - name: Prepare test
         id: prepare-test
         uses: ./.github/actions/prepare-test
diff --git a/.github/workflows/__packaging-codescanning-config-inputs-js.yml b/.github/workflows/__packaging-codescanning-config-inputs-js.yml
index 53f280ab96..63875502f2 100644
--- a/.github/workflows/__packaging-codescanning-config-inputs-js.yml
+++ b/.github/workflows/__packaging-codescanning-config-inputs-js.yml
@@ -81,7 +81,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
       - name: Check out repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
       - name: Install Node.js
         uses: actions/setup-node@v6
         with:
diff --git a/.github/workflows/__packaging-config-inputs-js.yml b/.github/workflows/__packaging-config-inputs-js.yml
index 2b483b41a3..7a79729718 100644
--- a/.github/workflows/__packaging-config-inputs-js.yml
+++ b/.github/workflows/__packaging-config-inputs-js.yml
@@ -71,7 +71,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
       - name: Check out repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
       - name: Install Node.js
         uses: actions/setup-node@v6
         with:
diff --git a/.github/workflows/__packaging-config-js.yml b/.github/workflows/__packaging-config-js.yml
index d45ca3b369..00a6fc9dae 100644
--- a/.github/workflows/__packaging-config-js.yml
+++ b/.github/workflows/__packaging-config-js.yml
@@ -71,7 +71,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
       - name: Check out repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
       - name: Install Node.js
         uses: actions/setup-node@v6
         with:
diff --git a/.github/workflows/__packaging-inputs-js.yml b/.github/workflows/__packaging-inputs-js.yml
index 41ca571b8c..ec3ef3d5bf 100644
--- a/.github/workflows/__packaging-inputs-js.yml
+++ b/.github/workflows/__packaging-inputs-js.yml
@@ -71,7 +71,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
       - name: Check out repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
       - name: Install Node.js
         uses: actions/setup-node@v6
         with:
diff --git a/.github/workflows/__quality-queries.yml b/.github/workflows/__quality-queries.yml
index 2a30bfcebe..caef10d27a 100644
--- a/.github/workflows/__quality-queries.yml
+++ b/.github/workflows/__quality-queries.yml
@@ -63,7 +63,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
       - name: Check out repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
       - name: Prepare test
         id: prepare-test
         uses: ./.github/actions/prepare-test
diff --git a/.github/workflows/__remote-config.yml b/.github/workflows/__remote-config.yml
index 20a308e748..f39b6f6f93 100644
--- a/.github/workflows/__remote-config.yml
+++ b/.github/workflows/__remote-config.yml
@@ -79,7 +79,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
       - name: Check out repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
       - name: Prepare test
         id: prepare-test
         uses: ./.github/actions/prepare-test
diff --git a/.github/workflows/__resolve-environment-action.yml b/.github/workflows/__resolve-environment-action.yml
index 2203f3316c..01e242ebb9 100644
--- a/.github/workflows/__resolve-environment-action.yml
+++ b/.github/workflows/__resolve-environment-action.yml
@@ -51,7 +51,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
       - name: Check out repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
       - name: Prepare test
         id: prepare-test
         uses: ./.github/actions/prepare-test
diff --git a/.github/workflows/__rubocop-multi-language.yml b/.github/workflows/__rubocop-multi-language.yml
index a5e457bb74..8340feced8 100644
--- a/.github/workflows/__rubocop-multi-language.yml
+++ b/.github/workflows/__rubocop-multi-language.yml
@@ -47,7 +47,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
       - name: Check out repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
       - name: Prepare test
         id: prepare-test
         uses: ./.github/actions/prepare-test
diff --git a/.github/workflows/__ruby.yml b/.github/workflows/__ruby.yml
index 769a119253..3050bf7353 100644
--- a/.github/workflows/__ruby.yml
+++ b/.github/workflows/__ruby.yml
@@ -57,7 +57,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
       - name: Check out repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
       - name: Prepare test
         id: prepare-test
         uses: ./.github/actions/prepare-test
diff --git a/.github/workflows/__rust.yml b/.github/workflows/__rust.yml
index d788e5226d..352ffdee7d 100644
--- a/.github/workflows/__rust.yml
+++ b/.github/workflows/__rust.yml
@@ -55,7 +55,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
       - name: Check out repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
       - name: Prepare test
         id: prepare-test
         uses: ./.github/actions/prepare-test
diff --git a/.github/workflows/__split-workflow.yml b/.github/workflows/__split-workflow.yml
index 3ffb099286..c02385a728 100644
--- a/.github/workflows/__split-workflow.yml
+++ b/.github/workflows/__split-workflow.yml
@@ -77,7 +77,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
       - name: Check out repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
       - name: Prepare test
         id: prepare-test
         uses: ./.github/actions/prepare-test
diff --git a/.github/workflows/__start-proxy.yml b/.github/workflows/__start-proxy.yml
index 26f1184608..40a2993cac 100644
--- a/.github/workflows/__start-proxy.yml
+++ b/.github/workflows/__start-proxy.yml
@@ -51,7 +51,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
       - name: Check out repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
       - name: Prepare test
         id: prepare-test
         uses: ./.github/actions/prepare-test
diff --git a/.github/workflows/__submit-sarif-failure.yml b/.github/workflows/__submit-sarif-failure.yml
index 7383b52a8d..60c3510204 100644
--- a/.github/workflows/__submit-sarif-failure.yml
+++ b/.github/workflows/__submit-sarif-failure.yml
@@ -52,7 +52,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
       - name: Check out repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
       - name: Prepare test
         id: prepare-test
         uses: ./.github/actions/prepare-test
@@ -60,7 +60,7 @@ jobs:
           version: ${{ matrix.version }}
           use-all-platform-bundle: 'false'
           setup-kotlin: 'true'
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
       - uses: ./init
         with:
           languages: javascript
diff --git a/.github/workflows/__swift-autobuild.yml b/.github/workflows/__swift-autobuild.yml
index 9d18d0c978..447f4ea9a2 100644
--- a/.github/workflows/__swift-autobuild.yml
+++ b/.github/workflows/__swift-autobuild.yml
@@ -47,7 +47,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
       - name: Check out repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
       - name: Prepare test
         id: prepare-test
         uses: ./.github/actions/prepare-test
diff --git a/.github/workflows/__swift-custom-build.yml b/.github/workflows/__swift-custom-build.yml
index a1c5a556ff..49f6558803 100644
--- a/.github/workflows/__swift-custom-build.yml
+++ b/.github/workflows/__swift-custom-build.yml
@@ -71,7 +71,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
       - name: Check out repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
       - name: Prepare test
         id: prepare-test
         uses: ./.github/actions/prepare-test
diff --git a/.github/workflows/__unset-environment.yml b/.github/workflows/__unset-environment.yml
index c1a62b1108..2d52f3a800 100644
--- a/.github/workflows/__unset-environment.yml
+++ b/.github/workflows/__unset-environment.yml
@@ -79,7 +79,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
       - name: Check out repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
       - name: Prepare test
         id: prepare-test
         uses: ./.github/actions/prepare-test
diff --git a/.github/workflows/__upload-ref-sha-input.yml b/.github/workflows/__upload-ref-sha-input.yml
index 1c2c5975d1..8de95e42ac 100644
--- a/.github/workflows/__upload-ref-sha-input.yml
+++ b/.github/workflows/__upload-ref-sha-input.yml
@@ -77,7 +77,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
       - name: Check out repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
       - name: Prepare test
         id: prepare-test
         uses: ./.github/actions/prepare-test
diff --git a/.github/workflows/__upload-sarif.yml b/.github/workflows/__upload-sarif.yml
index 361c8228fc..c4c31e4e47 100644
--- a/.github/workflows/__upload-sarif.yml
+++ b/.github/workflows/__upload-sarif.yml
@@ -84,7 +84,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
       - name: Check out repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
       - name: Prepare test
         id: prepare-test
         uses: ./.github/actions/prepare-test
diff --git a/.github/workflows/__with-checkout-path.yml b/.github/workflows/__with-checkout-path.yml
index 5aa2b631c2..0ebb46432f 100644
--- a/.github/workflows/__with-checkout-path.yml
+++ b/.github/workflows/__with-checkout-path.yml
@@ -77,7 +77,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
       - name: Check out repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
       - name: Prepare test
         id: prepare-test
         uses: ./.github/actions/prepare-test
@@ -107,7 +107,7 @@ jobs:
           rm -rf ./* .github .git
   # Check out the actions repo again, but at a different location.
   # choose an arbitrary SHA so that we can later test that the commit_oid is not from main
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
         with:
           ref: 474bbf07f9247ffe1856c6a0f94aeeb10e7afee6
           path: x/y/z/some-path
diff --git a/.github/workflows/check-expected-release-files.yml b/.github/workflows/check-expected-release-files.yml
index a066cbde55..c0dd21af64 100644
--- a/.github/workflows/check-expected-release-files.yml
+++ b/.github/workflows/check-expected-release-files.yml
@@ -22,7 +22,7 @@ jobs:
 
     steps:
       - name: Checkout CodeQL Action
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
       - name: Check Expected Release Files
         run: |
           bundle_version="$(cat "./src/defaults.json" | jq -r ".bundleVersion")"
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 24dace33cf..8ea440089d 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -32,7 +32,7 @@ jobs:
       contents: read
 
     steps:
-    - uses: actions/checkout@v5
+    - uses: actions/checkout@v6
     - name: Init with default CodeQL bundle from the VM image
       id: init-default
       uses: ./init
@@ -91,7 +91,7 @@ jobs:
 
     steps:
     - name: Checkout
-      uses: actions/checkout@v5
+      uses: actions/checkout@v6
     - name: Initialize CodeQL
       uses: ./init
       id: init
@@ -128,7 +128,7 @@ jobs:
 
     steps:
     - name: Checkout
-      uses: actions/checkout@v5
+      uses: actions/checkout@v6
     - name: Initialize CodeQL
       uses: ./init
       with:
diff --git a/.github/workflows/codescanning-config-cli.yml b/.github/workflows/codescanning-config-cli.yml
index 5ae95f68af..3c97239d5d 100644
--- a/.github/workflows/codescanning-config-cli.yml
+++ b/.github/workflows/codescanning-config-cli.yml
@@ -53,7 +53,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
     - name: Check out repository
-      uses: actions/checkout@v5
+      uses: actions/checkout@v6
 
     - name: Set up Node.js
       uses: actions/setup-node@v6
diff --git a/.github/workflows/debug-artifacts-failure-safe.yml b/.github/workflows/debug-artifacts-failure-safe.yml
index 768f88f965..3f710863e7 100644
--- a/.github/workflows/debug-artifacts-failure-safe.yml
+++ b/.github/workflows/debug-artifacts-failure-safe.yml
@@ -45,7 +45,7 @@ jobs:
       - name: Dump GitHub event
         run: cat "${GITHUB_EVENT_PATH}"
       - name: Check out repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
       - name: Prepare test
         id: prepare-test
         uses: ./.github/actions/prepare-test
diff --git a/.github/workflows/debug-artifacts-safe.yml b/.github/workflows/debug-artifacts-safe.yml
index e33d70cc3a..7cee73cbe7 100644
--- a/.github/workflows/debug-artifacts-safe.yml
+++ b/.github/workflows/debug-artifacts-safe.yml
@@ -41,7 +41,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Check out repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
       - name: Prepare test
         id: prepare-test
         uses: ./.github/actions/prepare-test
diff --git a/.github/workflows/post-release-mergeback.yml b/.github/workflows/post-release-mergeback.yml
index 1731a78ff9..71dae6a3ae 100644
--- a/.github/workflows/post-release-mergeback.yml
+++ b/.github/workflows/post-release-mergeback.yml
@@ -44,7 +44,7 @@ jobs:
           GITHUB_CONTEXT: '${{ toJson(github) }}'
         run: echo "${GITHUB_CONTEXT}"
 
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
         with:
           fetch-depth: 0  # ensure we have all tags and can push commits
       - uses: actions/setup-node@v6
diff --git a/.github/workflows/pr-checks.yml b/.github/workflows/pr-checks.yml
index 9aa0355c13..5badaab815 100644
--- a/.github/workflows/pr-checks.yml
+++ b/.github/workflows/pr-checks.yml
@@ -32,7 +32,7 @@ jobs:
         if: runner.os == 'Windows'
         run: git config --global core.autocrlf false
 
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
 
       - name: Set up Node.js
         uses: actions/setup-node@v6
@@ -91,7 +91,7 @@ jobs:
       contents: read
 
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
       - id: head-version
         name: Verify all Actions use the same Node version
         run: |
@@ -106,7 +106,7 @@ jobs:
       - id: checkout-base
         name: 'Backport: Check out base ref'
         if: ${{ startsWith(github.head_ref, 'backport-') }}
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
         with:
           ref: ${{ env.BASE_REF }}
 
diff --git a/.github/workflows/prepare-release.yml b/.github/workflows/prepare-release.yml
index dad6fce39a..7e9486bb49 100644
--- a/.github/workflows/prepare-release.yml
+++ b/.github/workflows/prepare-release.yml
@@ -44,7 +44,7 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
         with:
           fetch-depth: 0 # Need full history for calculation of diffs
 
diff --git a/.github/workflows/publish-immutable-action.yml b/.github/workflows/publish-immutable-action.yml
index c6084573c0..e14bc30bc4 100644
--- a/.github/workflows/publish-immutable-action.yml
+++ b/.github/workflows/publish-immutable-action.yml
@@ -20,7 +20,7 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
 
       - name: Publish immutable release
         id: publish
diff --git a/.github/workflows/python312-windows.yml b/.github/workflows/python312-windows.yml
index aa2a034200..8ef1be8667 100644
--- a/.github/workflows/python312-windows.yml
+++ b/.github/workflows/python312-windows.yml
@@ -31,7 +31,7 @@ jobs:
       with:
         python-version: 3.12
 
-    - uses: actions/checkout@v5
+    - uses: actions/checkout@v6
 
     - name: Prepare test
       uses: ./.github/actions/prepare-test
diff --git a/.github/workflows/query-filters.yml b/.github/workflows/query-filters.yml
index 3e17d989e4..90e702c934 100644
--- a/.github/workflows/query-filters.yml
+++ b/.github/workflows/query-filters.yml
@@ -29,7 +29,7 @@ jobs:
       contents: read # This permission is needed to allow the GitHub Actions workflow to read the contents of the repository.
     steps:
     - name: Check out repository
-      uses: actions/checkout@v5
+      uses: actions/checkout@v6
 
     - name: Install Node.js
       uses: actions/setup-node@v6
diff --git a/.github/workflows/rebuild.yml b/.github/workflows/rebuild.yml
index e7b9022be9..9740a0d163 100644
--- a/.github/workflows/rebuild.yml
+++ b/.github/workflows/rebuild.yml
@@ -24,7 +24,7 @@ jobs:
       pull-requests: write # needed to comment on the PR
     steps:
       - name: Checkout
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
         with:
           fetch-depth: 0
           ref: ${{ env.HEAD_REF }}
diff --git a/.github/workflows/rollback-release.yml b/.github/workflows/rollback-release.yml
index 8d8e872fa7..4f419b82b2 100644
--- a/.github/workflows/rollback-release.yml
+++ b/.github/workflows/rollback-release.yml
@@ -52,7 +52,7 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
         with:
           fetch-depth: 0 # Need full history for calculation of diffs
 
diff --git a/.github/workflows/test-codeql-bundle-all.yml b/.github/workflows/test-codeql-bundle-all.yml
index 6465d6a1d8..3952882758 100644
--- a/.github/workflows/test-codeql-bundle-all.yml
+++ b/.github/workflows/test-codeql-bundle-all.yml
@@ -36,7 +36,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
     - name: Check out repository
-      uses: actions/checkout@v5
+      uses: actions/checkout@v6
     - name: Prepare test
       id: prepare-test
       uses: ./.github/actions/prepare-test
diff --git a/.github/workflows/update-bundle.yml b/.github/workflows/update-bundle.yml
index 184c339fff..951b89066d 100644
--- a/.github/workflows/update-bundle.yml
+++ b/.github/workflows/update-bundle.yml
@@ -33,7 +33,7 @@ jobs:
           GITHUB_CONTEXT: '${{ toJson(github) }}'
         run: echo "$GITHUB_CONTEXT"
 
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
 
       - name: Update git config
         run: |
diff --git a/.github/workflows/update-release-branch.yml b/.github/workflows/update-release-branch.yml
index 830ed7c2a5..bd678c6551 100644
--- a/.github/workflows/update-release-branch.yml
+++ b/.github/workflows/update-release-branch.yml
@@ -38,7 +38,7 @@ jobs:
       contents: write # needed to push commits
       pull-requests: write # needed to create pull request
     steps:
-    - uses: actions/checkout@v5
+    - uses: actions/checkout@v6
       with:
         fetch-depth: 0  # Need full history for calculation of diffs
     - uses: ./.github/actions/release-initialise
@@ -100,7 +100,7 @@ jobs:
         private-key: ${{ secrets.AUTOMATION_PRIVATE_KEY }}
 
     - name: Checkout
-      uses: actions/checkout@v5
+      uses: actions/checkout@v6
       with:
         fetch-depth: 0  # Need full history for calculation of diffs
         token: ${{ steps.app-token.outputs.token }}
diff --git a/.github/workflows/update-supported-enterprise-server-versions.yml b/.github/workflows/update-supported-enterprise-server-versions.yml
index 421a63c699..4cead58f4f 100644
--- a/.github/workflows/update-supported-enterprise-server-versions.yml
+++ b/.github/workflows/update-supported-enterprise-server-versions.yml
@@ -27,9 +27,9 @@ jobs:
         with:
           python-version: "3.13"
       - name: Checkout CodeQL Action
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
       - name: Checkout Enterprise Releases
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
         with:
           repository: github/enterprise-releases
           token: ${{ secrets.ENTERPRISE_RELEASE_TOKEN }}

From 8484f54a0a681dd8cf94876c4283a3e8ea0e6178 Mon Sep 17 00:00:00 2001
From: "github-actions[bot]"
 <41898282+github-actions[bot]@users.noreply.github.com>
Date: Mon, 24 Nov 2025 18:02:41 +0000
Subject: [PATCH 12/31] Rebuild

---
 pr-checks/checks/submit-sarif-failure.yml | 2 +-
 pr-checks/checks/with-checkout-path.yml   | 2 +-
 pr-checks/sync.py                         | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/pr-checks/checks/submit-sarif-failure.yml b/pr-checks/checks/submit-sarif-failure.yml
index 97332e4c94..5db63bb813 100644
--- a/pr-checks/checks/submit-sarif-failure.yml
+++ b/pr-checks/checks/submit-sarif-failure.yml
@@ -18,7 +18,7 @@ permissions:
   security-events: write # needed to upload the SARIF file
 
 steps:
-  - uses: actions/checkout@v5
+  - uses: actions/checkout@v6
   - uses: ./init
     with:
       languages: javascript
diff --git a/pr-checks/checks/with-checkout-path.yml b/pr-checks/checks/with-checkout-path.yml
index 5cdd02c0d0..230e342e30 100644
--- a/pr-checks/checks/with-checkout-path.yml
+++ b/pr-checks/checks/with-checkout-path.yml
@@ -14,7 +14,7 @@ steps:
       rm -rf ./* .github .git
   # Check out the actions repo again, but at a different location.
   # choose an arbitrary SHA so that we can later test that the commit_oid is not from main
-  - uses: actions/checkout@v5
+  - uses: actions/checkout@v6
     with:
       ref: 474bbf07f9247ffe1856c6a0f94aeeb10e7afee6
       path: x/y/z/some-path
diff --git a/pr-checks/sync.py b/pr-checks/sync.py
index 77816be760..7d412e9b03 100755
--- a/pr-checks/sync.py
+++ b/pr-checks/sync.py
@@ -107,7 +107,7 @@ def writeHeader(checkStream):
     steps = [
         {
             'name': 'Check out repository',
-            'uses': 'actions/checkout@v5'
+            'uses': 'actions/checkout@v6'
         },
     ]
 

From 6b7e963cf11f2f85252e7f46d4aec80ebe55734c Mon Sep 17 00:00:00 2001
From: "github-actions[bot]"
 <41898282+github-actions[bot]@users.noreply.github.com>
Date: Wed, 26 Nov 2025 00:18:14 +0000
Subject: [PATCH 13/31] Update supported GitHub Enterprise Server versions

---
 lib/analyze-action-post.js        | 2 +-
 lib/autobuild-action.js           | 2 +-
 lib/init-action-post.js           | 2 +-
 lib/init-action.js                | 2 +-
 lib/resolve-environment-action.js | 2 +-
 lib/setup-codeql-action.js        | 2 +-
 lib/start-proxy-action-post.js    | 2 +-
 lib/upload-sarif-action-post.js   | 2 +-
 src/api-compatibility.json        | 2 +-
 9 files changed, 9 insertions(+), 9 deletions(-)

diff --git a/lib/analyze-action-post.js b/lib/analyze-action-post.js
index 37725d00bf..a4a863c061 100644
--- a/lib/analyze-action-post.js
+++ b/lib/analyze-action-post.js
@@ -119201,7 +119201,7 @@ var safeDump = renamed("safeDump", "dump");
 var semver = __toESM(require_semver2());
 
 // src/api-compatibility.json
-var maximumVersion = "3.19";
+var maximumVersion = "3.20";
 var minimumVersion = "3.14";
 
 // src/util.ts
diff --git a/lib/autobuild-action.js b/lib/autobuild-action.js
index d4b7fc1f6d..7794e99ef3 100644
--- a/lib/autobuild-action.js
+++ b/lib/autobuild-action.js
@@ -82979,7 +82979,7 @@ var safeDump = renamed("safeDump", "dump");
 var semver = __toESM(require_semver2());
 
 // src/api-compatibility.json
-var maximumVersion = "3.19";
+var maximumVersion = "3.20";
 var minimumVersion = "3.14";
 
 // src/util.ts
diff --git a/lib/init-action-post.js b/lib/init-action-post.js
index 62e78df8a5..e242122a34 100644
--- a/lib/init-action-post.js
+++ b/lib/init-action-post.js
@@ -122099,7 +122099,7 @@ var safeDump = renamed("safeDump", "dump");
 var semver = __toESM(require_semver2());
 
 // src/api-compatibility.json
-var maximumVersion = "3.19";
+var maximumVersion = "3.20";
 var minimumVersion = "3.14";
 
 // src/util.ts
diff --git a/lib/init-action.js b/lib/init-action.js
index 185510e02e..fad222e7c3 100644
--- a/lib/init-action.js
+++ b/lib/init-action.js
@@ -84289,7 +84289,7 @@ var safeDump = renamed("safeDump", "dump");
 var semver = __toESM(require_semver2());
 
 // src/api-compatibility.json
-var maximumVersion = "3.19";
+var maximumVersion = "3.20";
 var minimumVersion = "3.14";
 
 // src/util.ts
diff --git a/lib/resolve-environment-action.js b/lib/resolve-environment-action.js
index cd65a4bf1c..5b74aaa099 100644
--- a/lib/resolve-environment-action.js
+++ b/lib/resolve-environment-action.js
@@ -82979,7 +82979,7 @@ var safeDump = renamed("safeDump", "dump");
 var semver = __toESM(require_semver2());
 
 // src/api-compatibility.json
-var maximumVersion = "3.19";
+var maximumVersion = "3.20";
 var minimumVersion = "3.14";
 
 // src/util.ts
diff --git a/lib/setup-codeql-action.js b/lib/setup-codeql-action.js
index 780d2cc6de..2fa301ebb6 100644
--- a/lib/setup-codeql-action.js
+++ b/lib/setup-codeql-action.js
@@ -83035,7 +83035,7 @@ var safeDump = renamed("safeDump", "dump");
 var semver = __toESM(require_semver2());
 
 // src/api-compatibility.json
-var maximumVersion = "3.19";
+var maximumVersion = "3.20";
 var minimumVersion = "3.14";
 
 // src/util.ts
diff --git a/lib/start-proxy-action-post.js b/lib/start-proxy-action-post.js
index c78e8262a6..c2b72f4494 100644
--- a/lib/start-proxy-action-post.js
+++ b/lib/start-proxy-action-post.js
@@ -119198,7 +119198,7 @@ var safeDump = renamed("safeDump", "dump");
 var semver = __toESM(require_semver2());
 
 // src/api-compatibility.json
-var maximumVersion = "3.19";
+var maximumVersion = "3.20";
 var minimumVersion = "3.14";
 
 // src/util.ts
diff --git a/lib/upload-sarif-action-post.js b/lib/upload-sarif-action-post.js
index f95b705faf..aa4b9e9461 100644
--- a/lib/upload-sarif-action-post.js
+++ b/lib/upload-sarif-action-post.js
@@ -119198,7 +119198,7 @@ var safeDump = renamed("safeDump", "dump");
 var semver = __toESM(require_semver2());
 
 // src/api-compatibility.json
-var maximumVersion = "3.19";
+var maximumVersion = "3.20";
 var minimumVersion = "3.14";
 
 // src/util.ts
diff --git a/src/api-compatibility.json b/src/api-compatibility.json
index bf5f9437b4..b61bbd26d3 100644
--- a/src/api-compatibility.json
+++ b/src/api-compatibility.json
@@ -1 +1 @@
-{"maximumVersion": "3.19", "minimumVersion": "3.14"}
+{"maximumVersion": "3.20", "minimumVersion": "3.14"}

From d8e497a759fbe9fe3e93515527906a5a44aee251 Mon Sep 17 00:00:00 2001
From: Henry Mercer <henrymercer@github.com>
Date: Wed, 26 Nov 2025 10:13:41 +0000
Subject: [PATCH 14/31] Update version in package.json too

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
---
 package.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/package.json b/package.json
index 473701b8f9..aa4fad58e3 100644
--- a/package.json
+++ b/package.json
@@ -62,7 +62,7 @@
     "@types/semver": "^7.7.1",
     "@types/sinon": "^21.0.0",
     "@typescript-eslint/eslint-plugin": "^8.48.0",
-    "@typescript-eslint/parser": "^8.41.0",
+    "@typescript-eslint/parser": "^8.48.0",
     "ava": "^6.4.1",
     "esbuild": "^0.27.0",
     "eslint": "^8.57.1",

From 510d25ff7f32e520106b13854aa9ca6278e9fabe Mon Sep 17 00:00:00 2001
From: "github-actions[bot]"
 <41898282+github-actions[bot]@users.noreply.github.com>
Date: Wed, 26 Nov 2025 10:15:27 +0000
Subject: [PATCH 15/31] Rebuild

---
 lib/analyze-action-post.js        | 2 +-
 lib/analyze-action.js             | 2 +-
 lib/autobuild-action.js           | 2 +-
 lib/init-action-post.js           | 2 +-
 lib/init-action.js                | 2 +-
 lib/resolve-environment-action.js | 2 +-
 lib/setup-codeql-action.js        | 2 +-
 lib/start-proxy-action-post.js    | 2 +-
 lib/start-proxy-action.js         | 2 +-
 lib/upload-lib.js                 | 2 +-
 lib/upload-sarif-action-post.js   | 2 +-
 lib/upload-sarif-action.js        | 2 +-
 12 files changed, 12 insertions(+), 12 deletions(-)

diff --git a/lib/analyze-action-post.js b/lib/analyze-action-post.js
index ca5827e6dc..acbcc8d3c3 100644
--- a/lib/analyze-action-post.js
+++ b/lib/analyze-action-post.js
@@ -27689,7 +27689,7 @@ var require_package = __commonJS({
         "@types/semver": "^7.7.1",
         "@types/sinon": "^21.0.0",
         "@typescript-eslint/eslint-plugin": "^8.48.0",
-        "@typescript-eslint/parser": "^8.41.0",
+        "@typescript-eslint/parser": "^8.48.0",
         ava: "^6.4.1",
         esbuild: "^0.27.0",
         eslint: "^8.57.1",
diff --git a/lib/analyze-action.js b/lib/analyze-action.js
index fd6eb68601..72e795fd2d 100644
--- a/lib/analyze-action.js
+++ b/lib/analyze-action.js
@@ -27689,7 +27689,7 @@ var require_package = __commonJS({
         "@types/semver": "^7.7.1",
         "@types/sinon": "^21.0.0",
         "@typescript-eslint/eslint-plugin": "^8.48.0",
-        "@typescript-eslint/parser": "^8.41.0",
+        "@typescript-eslint/parser": "^8.48.0",
         ava: "^6.4.1",
         esbuild: "^0.27.0",
         eslint: "^8.57.1",
diff --git a/lib/autobuild-action.js b/lib/autobuild-action.js
index 27de5551dd..85e882dd20 100644
--- a/lib/autobuild-action.js
+++ b/lib/autobuild-action.js
@@ -27689,7 +27689,7 @@ var require_package = __commonJS({
         "@types/semver": "^7.7.1",
         "@types/sinon": "^21.0.0",
         "@typescript-eslint/eslint-plugin": "^8.48.0",
-        "@typescript-eslint/parser": "^8.41.0",
+        "@typescript-eslint/parser": "^8.48.0",
         ava: "^6.4.1",
         esbuild: "^0.27.0",
         eslint: "^8.57.1",
diff --git a/lib/init-action-post.js b/lib/init-action-post.js
index 89b78b1bf0..3433675d67 100644
--- a/lib/init-action-post.js
+++ b/lib/init-action-post.js
@@ -27689,7 +27689,7 @@ var require_package = __commonJS({
         "@types/semver": "^7.7.1",
         "@types/sinon": "^21.0.0",
         "@typescript-eslint/eslint-plugin": "^8.48.0",
-        "@typescript-eslint/parser": "^8.41.0",
+        "@typescript-eslint/parser": "^8.48.0",
         ava: "^6.4.1",
         esbuild: "^0.27.0",
         eslint: "^8.57.1",
diff --git a/lib/init-action.js b/lib/init-action.js
index 19f8ad5f95..9d59f07dff 100644
--- a/lib/init-action.js
+++ b/lib/init-action.js
@@ -27689,7 +27689,7 @@ var require_package = __commonJS({
         "@types/semver": "^7.7.1",
         "@types/sinon": "^21.0.0",
         "@typescript-eslint/eslint-plugin": "^8.48.0",
-        "@typescript-eslint/parser": "^8.41.0",
+        "@typescript-eslint/parser": "^8.48.0",
         ava: "^6.4.1",
         esbuild: "^0.27.0",
         eslint: "^8.57.1",
diff --git a/lib/resolve-environment-action.js b/lib/resolve-environment-action.js
index 9d71cb5b5c..f69d601533 100644
--- a/lib/resolve-environment-action.js
+++ b/lib/resolve-environment-action.js
@@ -27689,7 +27689,7 @@ var require_package = __commonJS({
         "@types/semver": "^7.7.1",
         "@types/sinon": "^21.0.0",
         "@typescript-eslint/eslint-plugin": "^8.48.0",
-        "@typescript-eslint/parser": "^8.41.0",
+        "@typescript-eslint/parser": "^8.48.0",
         ava: "^6.4.1",
         esbuild: "^0.27.0",
         eslint: "^8.57.1",
diff --git a/lib/setup-codeql-action.js b/lib/setup-codeql-action.js
index eb834634fb..273b74c9d8 100644
--- a/lib/setup-codeql-action.js
+++ b/lib/setup-codeql-action.js
@@ -27689,7 +27689,7 @@ var require_package = __commonJS({
         "@types/semver": "^7.7.1",
         "@types/sinon": "^21.0.0",
         "@typescript-eslint/eslint-plugin": "^8.48.0",
-        "@typescript-eslint/parser": "^8.41.0",
+        "@typescript-eslint/parser": "^8.48.0",
         ava: "^6.4.1",
         esbuild: "^0.27.0",
         eslint: "^8.57.1",
diff --git a/lib/start-proxy-action-post.js b/lib/start-proxy-action-post.js
index fa2fbe40ae..88e6f02dd5 100644
--- a/lib/start-proxy-action-post.js
+++ b/lib/start-proxy-action-post.js
@@ -27689,7 +27689,7 @@ var require_package = __commonJS({
         "@types/semver": "^7.7.1",
         "@types/sinon": "^21.0.0",
         "@typescript-eslint/eslint-plugin": "^8.48.0",
-        "@typescript-eslint/parser": "^8.41.0",
+        "@typescript-eslint/parser": "^8.48.0",
         ava: "^6.4.1",
         esbuild: "^0.27.0",
         eslint: "^8.57.1",
diff --git a/lib/start-proxy-action.js b/lib/start-proxy-action.js
index 4b0d9fc6ea..e8c3e58970 100644
--- a/lib/start-proxy-action.js
+++ b/lib/start-proxy-action.js
@@ -47347,7 +47347,7 @@ var require_package = __commonJS({
         "@types/semver": "^7.7.1",
         "@types/sinon": "^21.0.0",
         "@typescript-eslint/eslint-plugin": "^8.48.0",
-        "@typescript-eslint/parser": "^8.41.0",
+        "@typescript-eslint/parser": "^8.48.0",
         ava: "^6.4.1",
         esbuild: "^0.27.0",
         eslint: "^8.57.1",
diff --git a/lib/upload-lib.js b/lib/upload-lib.js
index d077e689be..74a5a25c61 100644
--- a/lib/upload-lib.js
+++ b/lib/upload-lib.js
@@ -28986,7 +28986,7 @@ var require_package = __commonJS({
         "@types/semver": "^7.7.1",
         "@types/sinon": "^21.0.0",
         "@typescript-eslint/eslint-plugin": "^8.48.0",
-        "@typescript-eslint/parser": "^8.41.0",
+        "@typescript-eslint/parser": "^8.48.0",
         ava: "^6.4.1",
         esbuild: "^0.27.0",
         eslint: "^8.57.1",
diff --git a/lib/upload-sarif-action-post.js b/lib/upload-sarif-action-post.js
index 027aba977e..2f640ad589 100644
--- a/lib/upload-sarif-action-post.js
+++ b/lib/upload-sarif-action-post.js
@@ -27689,7 +27689,7 @@ var require_package = __commonJS({
         "@types/semver": "^7.7.1",
         "@types/sinon": "^21.0.0",
         "@typescript-eslint/eslint-plugin": "^8.48.0",
-        "@typescript-eslint/parser": "^8.41.0",
+        "@typescript-eslint/parser": "^8.48.0",
         ava: "^6.4.1",
         esbuild: "^0.27.0",
         eslint: "^8.57.1",
diff --git a/lib/upload-sarif-action.js b/lib/upload-sarif-action.js
index dd50fc65cd..cfa0cba588 100644
--- a/lib/upload-sarif-action.js
+++ b/lib/upload-sarif-action.js
@@ -27689,7 +27689,7 @@ var require_package = __commonJS({
         "@types/semver": "^7.7.1",
         "@types/sinon": "^21.0.0",
         "@typescript-eslint/eslint-plugin": "^8.48.0",
-        "@typescript-eslint/parser": "^8.41.0",
+        "@typescript-eslint/parser": "^8.48.0",
         ava: "^6.4.1",
         esbuild: "^0.27.0",
         eslint: "^8.57.1",

From a6909455e40fa08e7333d16a2055a66b0c90ce47 Mon Sep 17 00:00:00 2001
From: "Michael B. Gale" <mbg@github.com>
Date: Wed, 26 Nov 2025 10:27:48 +0000
Subject: [PATCH 16/31] Remove `push` triggers from workflow collections

---
 .github/workflows/__go.yml | 3 ---
 pr-checks/sync.py          | 5 -----
 2 files changed, 8 deletions(-)

diff --git a/.github/workflows/__go.yml b/.github/workflows/__go.yml
index fb27da710a..76d178b723 100644
--- a/.github/workflows/__go.yml
+++ b/.github/workflows/__go.yml
@@ -8,9 +8,6 @@ env:
   GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
   GO111MODULE: auto
 on:
-  push:
-    paths:
-      - .github/workflows/__go.yml
   workflow_dispatch:
     inputs:
       go-version:
diff --git a/pr-checks/sync.py b/pr-checks/sync.py
index 7d412e9b03..ebc37b9f85 100755
--- a/pr-checks/sync.py
+++ b/pr-checks/sync.py
@@ -356,11 +356,6 @@ def writeHeader(checkStream):
                 'GO111MODULE': 'auto'
             },
             'on': {
-                'push': {
-                    'paths': [
-                        f'.github/workflows/__{collection_name}.yml'
-                    ]
-                },
                 'workflow_dispatch': {
                     'inputs': combinedInputs
                 },

From 0c204fc557d5e9ec3da5b1b3770cfa05c19c7da0 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Wed, 26 Nov 2025 22:33:20 +0000
Subject: [PATCH 17/31] Bump node-forge from 1.3.1 to 1.3.2

Bumps [node-forge](https://github.com/digitalbazaar/forge) from 1.3.1 to 1.3.2.
- [Changelog](https://github.com/digitalbazaar/forge/blob/main/CHANGELOG.md)
- [Commits](https://github.com/digitalbazaar/forge/compare/v1.3.1...v1.3.2)

---
updated-dependencies:
- dependency-name: node-forge
  dependency-version: 1.3.2
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
---
 package-lock.json | 22 +++++++++++++++++-----
 package.json      |  2 +-
 2 files changed, 18 insertions(+), 6 deletions(-)

diff --git a/package-lock.json b/package-lock.json
index 0b3ab5312a..c24715d343 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -28,7 +28,7 @@
         "js-yaml": "^4.1.1",
         "jsonschema": "1.4.1",
         "long": "^5.3.2",
-        "node-forge": "^1.3.1",
+        "node-forge": "^1.3.2",
         "semver": "^7.7.3",
         "uuid": "^13.0.0"
       },
@@ -47,7 +47,7 @@
         "@types/semver": "^7.7.1",
         "@types/sinon": "^21.0.0",
         "@typescript-eslint/eslint-plugin": "^8.48.0",
-        "@typescript-eslint/parser": "^8.41.0",
+        "@typescript-eslint/parser": "^8.48.0",
         "ava": "^6.4.1",
         "esbuild": "^0.27.0",
         "eslint": "^8.57.1",
@@ -1798,6 +1798,7 @@
       "resolved": "https://registry.npmjs.org/@octokit/core/-/core-5.2.2.tgz",
       "integrity": "sha512-/g2d4sW9nUDJOMz3mabVQvOGhVa4e/BN/Um7yca9Bb2XTzPPnfTWHWQg+IsEYO7M3Vx+EXvaM/I2pJWIMun1bg==",
       "license": "MIT",
+      "peer": true,
       "dependencies": {
         "@octokit/auth-token": "^4.0.0",
         "@octokit/graphql": "^7.1.0",
@@ -2567,6 +2568,7 @@
       "integrity": "sha512-jCzKdm/QK0Kg4V4IK/oMlRZlY+QOcdjv89U2NgKHZk1CYTj82/RVSx1mV/0gqCVMJ/DA+Zf/S4NBWNF8GQ+eqQ==",
       "dev": true,
       "license": "MIT",
+      "peer": true,
       "dependencies": {
         "@typescript-eslint/scope-manager": "8.48.0",
         "@typescript-eslint/types": "8.48.0",
@@ -3161,6 +3163,7 @@
       "resolved": "https://registry.npmjs.org/acorn/-/acorn-8.15.0.tgz",
       "integrity": "sha512-NZyJarBfL7nWwIq+FDL6Zp/yHEhePMNnnJ0y3qfieCrmNvYct8uvtiV41UvlSe6apAfk0fY1FbWx+NwfmpvtTg==",
       "dev": true,
+      "peer": true,
       "bin": {
         "acorn": "bin/acorn"
       },
@@ -3736,6 +3739,7 @@
         }
       ],
       "license": "MIT",
+      "peer": true,
       "dependencies": {
         "caniuse-lite": "^1.0.30001669",
         "electron-to-chromium": "^1.5.41",
@@ -4589,6 +4593,7 @@
       "resolved": "https://registry.npmjs.org/eslint/-/eslint-8.57.1.tgz",
       "integrity": "sha512-ypowyDxpVSYpkXr9WPv2PAZCtNip1Mv5KTW0SCurXv/9iOpcrH9PaqUElksqEB6pChqHGDRCFTyrZlGhnLNGiA==",
       "dev": true,
+      "peer": true,
       "dependencies": {
         "@eslint-community/eslint-utils": "^4.2.0",
         "@eslint-community/regexpp": "^4.6.1",
@@ -4643,6 +4648,7 @@
       "version": "8.3.0",
       "dev": true,
       "license": "MIT",
+      "peer": true,
       "bin": {
         "eslint-config-prettier": "bin/cli.js"
       },
@@ -4914,6 +4920,7 @@
       "resolved": "https://registry.npmjs.org/eslint-plugin-import/-/eslint-plugin-import-2.29.1.tgz",
       "integrity": "sha512-BbPC0cuExzhiMo4Ff1BTVwHpjjv28C5R+btTOGaCRC7UEz801up0JadwkeSk5Ued6TG34uaczuVuH6qyy5YUxw==",
       "dev": true,
+      "peer": true,
       "dependencies": {
         "array-includes": "^3.1.7",
         "array.prototype.findlastindex": "^1.2.3",
@@ -6969,9 +6976,10 @@
       }
     },
     "node_modules/node-forge": {
-      "version": "1.3.1",
-      "resolved": "https://registry.npmjs.org/node-forge/-/node-forge-1.3.1.tgz",
-      "integrity": "sha512-dPEtOeMvF9VMcYV/1Wb8CPoVAXtp6MKMlcbAt4ddqmGqUJ6fQZFXkNZNkNlfevtNkGtaSoXf/vNNNSvgrdXwtA==",
+      "version": "1.3.2",
+      "resolved": "https://registry.npmjs.org/node-forge/-/node-forge-1.3.2.tgz",
+      "integrity": "sha512-6xKiQ+cph9KImrRh0VsjH2d8/GXA4FIMlgU4B757iI1ApvcyA9VlouP0yZJha01V+huImO+kKMU7ih+2+E14fw==",
+      "license": "(BSD-3-Clause OR GPL-2.0)",
       "engines": {
         "node": ">= 6.13.0"
       }
@@ -7348,6 +7356,7 @@
       "integrity": "sha512-G+YdqtITVZmOJje6QkXQWzl3fSfMxFwm1tjTyo9exhkmWSqC4Yhd1+lug++IlR2mvRVAxEDDWYkQdeSztajqgg==",
       "dev": true,
       "license": "MIT",
+      "peer": true,
       "bin": {
         "prettier": "bin/prettier.cjs"
       },
@@ -8341,6 +8350,7 @@
       "integrity": "sha512-5gTmgEY/sqK6gFXLIsQNH19lWb4ebPDLA4SdLP7dsWkIXHWlG66oPuVvXSGFPppYZz8ZDZq0dYYrbHfBCVUb1Q==",
       "dev": true,
       "license": "MIT",
+      "peer": true,
       "engines": {
         "node": ">=12"
       },
@@ -8549,6 +8559,7 @@
       "integrity": "sha512-jl1vZzPDinLr9eUt3J/t7V6FgNEw9QjvBPdysz9KfQDD41fQrC2Y4vKQdiaUpFT4bXlb1RHhLpp8wtm6M5TgSw==",
       "dev": true,
       "license": "Apache-2.0",
+      "peer": true,
       "bin": {
         "tsc": "bin/tsc",
         "tsserver": "bin/tsserver"
@@ -8622,6 +8633,7 @@
       "resolved": "https://registry.npmjs.org/@typescript-eslint/parser/-/parser-8.17.0.tgz",
       "integrity": "sha512-Drp39TXuUlD49F7ilHHCG7TTg8IkA+hxCuULdmzWYICxGXvDXmDmWEjJYZQYgf6l/TFfYNE167m7isnc3xlIEg==",
       "dev": true,
+      "peer": true,
       "dependencies": {
         "@typescript-eslint/scope-manager": "8.17.0",
         "@typescript-eslint/types": "8.17.0",
diff --git a/package.json b/package.json
index aa4fad58e3..14f1e770e6 100644
--- a/package.json
+++ b/package.json
@@ -43,7 +43,7 @@
     "js-yaml": "^4.1.1",
     "jsonschema": "1.4.1",
     "long": "^5.3.2",
-    "node-forge": "^1.3.1",
+    "node-forge": "^1.3.2",
     "semver": "^7.7.3",
     "uuid": "^13.0.0"
   },

From 4822f934e3f8dfd9dfc70074084316471099a0fb Mon Sep 17 00:00:00 2001
From: "github-actions[bot]"
 <41898282+github-actions[bot]@users.noreply.github.com>
Date: Wed, 26 Nov 2025 22:34:54 +0000
Subject: [PATCH 18/31] Rebuild

---
 lib/analyze-action-post.js        |  2 +-
 lib/analyze-action.js             |  2 +-
 lib/autobuild-action.js           |  2 +-
 lib/init-action-post.js           |  2 +-
 lib/init-action.js                |  2 +-
 lib/resolve-environment-action.js |  2 +-
 lib/setup-codeql-action.js        |  2 +-
 lib/start-proxy-action-post.js    |  2 +-
 lib/start-proxy-action.js         | 66 ++++++++++++++++++++++++-------
 lib/upload-lib.js                 |  2 +-
 lib/upload-sarif-action-post.js   |  2 +-
 lib/upload-sarif-action.js        |  2 +-
 12 files changed, 62 insertions(+), 26 deletions(-)

diff --git a/lib/analyze-action-post.js b/lib/analyze-action-post.js
index e152705021..66c01e2a4f 100644
--- a/lib/analyze-action-post.js
+++ b/lib/analyze-action-post.js
@@ -27670,7 +27670,7 @@ var require_package = __commonJS({
         "js-yaml": "^4.1.1",
         jsonschema: "1.4.1",
         long: "^5.3.2",
-        "node-forge": "^1.3.1",
+        "node-forge": "^1.3.2",
         semver: "^7.7.3",
         uuid: "^13.0.0"
       },
diff --git a/lib/analyze-action.js b/lib/analyze-action.js
index 703a47c7d6..431c37513d 100644
--- a/lib/analyze-action.js
+++ b/lib/analyze-action.js
@@ -27670,7 +27670,7 @@ var require_package = __commonJS({
         "js-yaml": "^4.1.1",
         jsonschema: "1.4.1",
         long: "^5.3.2",
-        "node-forge": "^1.3.1",
+        "node-forge": "^1.3.2",
         semver: "^7.7.3",
         uuid: "^13.0.0"
       },
diff --git a/lib/autobuild-action.js b/lib/autobuild-action.js
index 51ead50dec..ede7a9a6d4 100644
--- a/lib/autobuild-action.js
+++ b/lib/autobuild-action.js
@@ -27670,7 +27670,7 @@ var require_package = __commonJS({
         "js-yaml": "^4.1.1",
         jsonschema: "1.4.1",
         long: "^5.3.2",
-        "node-forge": "^1.3.1",
+        "node-forge": "^1.3.2",
         semver: "^7.7.3",
         uuid: "^13.0.0"
       },
diff --git a/lib/init-action-post.js b/lib/init-action-post.js
index b04b27ecf8..5852bbba4c 100644
--- a/lib/init-action-post.js
+++ b/lib/init-action-post.js
@@ -27670,7 +27670,7 @@ var require_package = __commonJS({
         "js-yaml": "^4.1.1",
         jsonschema: "1.4.1",
         long: "^5.3.2",
-        "node-forge": "^1.3.1",
+        "node-forge": "^1.3.2",
         semver: "^7.7.3",
         uuid: "^13.0.0"
       },
diff --git a/lib/init-action.js b/lib/init-action.js
index c6ab60184f..58a789deb5 100644
--- a/lib/init-action.js
+++ b/lib/init-action.js
@@ -27670,7 +27670,7 @@ var require_package = __commonJS({
         "js-yaml": "^4.1.1",
         jsonschema: "1.4.1",
         long: "^5.3.2",
-        "node-forge": "^1.3.1",
+        "node-forge": "^1.3.2",
         semver: "^7.7.3",
         uuid: "^13.0.0"
       },
diff --git a/lib/resolve-environment-action.js b/lib/resolve-environment-action.js
index 6cf6de54c2..e346b6cb35 100644
--- a/lib/resolve-environment-action.js
+++ b/lib/resolve-environment-action.js
@@ -27670,7 +27670,7 @@ var require_package = __commonJS({
         "js-yaml": "^4.1.1",
         jsonschema: "1.4.1",
         long: "^5.3.2",
-        "node-forge": "^1.3.1",
+        "node-forge": "^1.3.2",
         semver: "^7.7.3",
         uuid: "^13.0.0"
       },
diff --git a/lib/setup-codeql-action.js b/lib/setup-codeql-action.js
index 01b0ac9e3d..dad178be4f 100644
--- a/lib/setup-codeql-action.js
+++ b/lib/setup-codeql-action.js
@@ -27670,7 +27670,7 @@ var require_package = __commonJS({
         "js-yaml": "^4.1.1",
         jsonschema: "1.4.1",
         long: "^5.3.2",
-        "node-forge": "^1.3.1",
+        "node-forge": "^1.3.2",
         semver: "^7.7.3",
         uuid: "^13.0.0"
       },
diff --git a/lib/start-proxy-action-post.js b/lib/start-proxy-action-post.js
index 64fbae0d0a..fba9c177e7 100644
--- a/lib/start-proxy-action-post.js
+++ b/lib/start-proxy-action-post.js
@@ -27670,7 +27670,7 @@ var require_package = __commonJS({
         "js-yaml": "^4.1.1",
         jsonschema: "1.4.1",
         long: "^5.3.2",
-        "node-forge": "^1.3.1",
+        "node-forge": "^1.3.2",
         semver: "^7.7.3",
         uuid: "^13.0.0"
       },
diff --git a/lib/start-proxy-action.js b/lib/start-proxy-action.js
index b4834b1cf6..b32d70b20b 100644
--- a/lib/start-proxy-action.js
+++ b/lib/start-proxy-action.js
@@ -24935,7 +24935,7 @@ var require_util8 = __commonJS({
               parts.push("<?>");
             }
             break;
-          // FIXME: do proper formating for numbers, etc
+          // FIXME: do proper formatting for numbers, etc
           //case 'f':
           //case 'd':
           case "%":
@@ -26386,6 +26386,7 @@ var require_asn1 = __commonJS({
       GENERALIZEDTIME: 24,
       BMPSTRING: 30
     };
+    asn1.maxDepth = 256;
     asn1.create = function(tagClass, type2, constructed, value, options) {
       if (forge.util.isArray(value)) {
         var tmp = [];
@@ -26527,6 +26528,9 @@ var require_asn1 = __commonJS({
       if (!("decodeBitStrings" in options)) {
         options.decodeBitStrings = true;
       }
+      if (!("maxDepth" in options)) {
+        options.maxDepth = asn1.maxDepth;
+      }
       if (typeof bytes === "string") {
         bytes = forge.util.createBuffer(bytes);
       }
@@ -26541,6 +26545,9 @@ var require_asn1 = __commonJS({
       return value;
     };
     function _fromDer(bytes, remaining, depth, options) {
+      if (depth >= options.maxDepth) {
+        throw new Error("ASN.1 parsing error: Max depth exceeded.");
+      }
       var start;
       _checkBufferLength(bytes, remaining, 2);
       var b1 = bytes.getByte();
@@ -26716,6 +26723,9 @@ var require_asn1 = __commonJS({
         last = true;
         valueBytes = [];
         value = parseInt(values[i], 10);
+        if (value > 4294967295) {
+          throw new Error("OID value too large; max is 32-bits.");
+        }
         do {
           b = value & 127;
           value = value >>> 7;
@@ -26740,8 +26750,11 @@ var require_asn1 = __commonJS({
       oid = Math.floor(b / 40) + "." + b % 40;
       var value = 0;
       while (bytes.length() > 0) {
+        if (value > 70368744177663) {
+          throw new Error("OID value too large; max is 53-bits.");
+        }
         b = bytes.getByte();
-        value = value << 7;
+        value = value * 128;
         if (b & 128) {
           value += b & 127;
         } else {
@@ -26902,19 +26915,40 @@ var require_asn1 = __commonJS({
           if (v.value && forge.util.isArray(v.value)) {
             var j = 0;
             for (var i = 0; rval && i < v.value.length; ++i) {
-              rval = v.value[i].optional || false;
-              if (obj.value[j]) {
-                rval = asn1.validate(obj.value[j], v.value[i], capture, errors);
-                if (rval) {
-                  ++j;
-                } else if (v.value[i].optional) {
+              var schemaItem = v.value[i];
+              rval = !!schemaItem.optional;
+              var objChild = obj.value[j];
+              if (!objChild) {
+                if (!schemaItem.optional) {
+                  rval = false;
+                  if (errors) {
+                    errors.push("[" + v.name + '] Missing required element. Expected tag class "' + schemaItem.tagClass + '", type "' + schemaItem.type + '"');
+                  }
+                }
+                continue;
+              }
+              var schemaHasTag = typeof schemaItem.tagClass !== "undefined" && typeof schemaItem.type !== "undefined";
+              if (schemaHasTag && (objChild.tagClass !== schemaItem.tagClass || objChild.type !== schemaItem.type)) {
+                if (schemaItem.optional) {
                   rval = true;
+                  continue;
+                } else {
+                  rval = false;
+                  if (errors) {
+                    errors.push("[" + v.name + "] Tag mismatch. Expected (" + schemaItem.tagClass + "," + schemaItem.type + "), got (" + objChild.tagClass + "," + objChild.type + ")");
+                  }
+                  break;
                 }
               }
-              if (!rval && errors) {
-                errors.push(
-                  "[" + v.name + '] Tag class "' + v.tagClass + '", type "' + v.type + '" expected value length "' + v.value.length + '", got "' + obj.value.length + '"'
-                );
+              var childRval = asn1.validate(objChild, schemaItem, capture, errors);
+              if (childRval) {
+                ++j;
+                rval = true;
+              } else if (schemaItem.optional) {
+                rval = true;
+              } else {
+                rval = false;
+                break;
               }
             }
           }
@@ -30955,7 +30989,7 @@ var require_rsa = __commonJS({
           constructed: false,
           capture: "algorithmIdentifier"
         }, {
-          // NULL paramters
+          // NULL parameters
           name: "DigestInfo.DigestAlgorithm.parameters",
           tagClass: asn1.Class.UNIVERSAL,
           type: asn1.Type.NULL,
@@ -31468,7 +31502,7 @@ var require_rsa = __commonJS({
               if (oid === forge.oids.md2 || oid === forge.oids.md5) {
                 if (!("parameters" in capture)) {
                   throw new Error(
-                    "ASN.1 object does not contain a valid RSASSA-PKCS1-v1_5 DigestInfo value. Missing algorithm identifer NULL parameters."
+                    "ASN.1 object does not contain a valid RSASSA-PKCS1-v1_5 DigestInfo value. Missing algorithm identifier NULL parameters."
                   );
                 }
               }
@@ -35665,6 +35699,8 @@ var require_pkcs12 = __commonJS({
         if (macValue.getBytes() !== capture.macDigest) {
           throw new Error("PKCS#12 MAC could not be verified. Invalid password?");
         }
+      } else if (Array.isArray(obj.value) && obj.value.length > 2) {
+        throw new Error("Invalid PKCS#12. macData field present but MAC was not validated.");
       }
       _decodeAuthenticatedSafe(pfx, data.value, strict, password);
       return pfx;
@@ -47328,7 +47364,7 @@ var require_package = __commonJS({
         "js-yaml": "^4.1.1",
         jsonschema: "1.4.1",
         long: "^5.3.2",
-        "node-forge": "^1.3.1",
+        "node-forge": "^1.3.2",
         semver: "^7.7.3",
         uuid: "^13.0.0"
       },
diff --git a/lib/upload-lib.js b/lib/upload-lib.js
index 3be03091e3..78848db809 100644
--- a/lib/upload-lib.js
+++ b/lib/upload-lib.js
@@ -28967,7 +28967,7 @@ var require_package = __commonJS({
         "js-yaml": "^4.1.1",
         jsonschema: "1.4.1",
         long: "^5.3.2",
-        "node-forge": "^1.3.1",
+        "node-forge": "^1.3.2",
         semver: "^7.7.3",
         uuid: "^13.0.0"
       },
diff --git a/lib/upload-sarif-action-post.js b/lib/upload-sarif-action-post.js
index c4385bbf91..c389b8b0ec 100644
--- a/lib/upload-sarif-action-post.js
+++ b/lib/upload-sarif-action-post.js
@@ -27670,7 +27670,7 @@ var require_package = __commonJS({
         "js-yaml": "^4.1.1",
         jsonschema: "1.4.1",
         long: "^5.3.2",
-        "node-forge": "^1.3.1",
+        "node-forge": "^1.3.2",
         semver: "^7.7.3",
         uuid: "^13.0.0"
       },
diff --git a/lib/upload-sarif-action.js b/lib/upload-sarif-action.js
index ef6bb9aaa3..c3ea61b53c 100644
--- a/lib/upload-sarif-action.js
+++ b/lib/upload-sarif-action.js
@@ -27670,7 +27670,7 @@ var require_package = __commonJS({
         "js-yaml": "^4.1.1",
         jsonschema: "1.4.1",
         long: "^5.3.2",
-        "node-forge": "^1.3.1",
+        "node-forge": "^1.3.2",
         semver: "^7.7.3",
         uuid: "^13.0.0"
       },

From bd30e753a67b4b7b2cbbd95f1ae2aef4e38e339a Mon Sep 17 00:00:00 2001
From: Kasper Svendsen <kaspersv@github.com>
Date: Thu, 27 Nov 2025 08:34:43 +0100
Subject: [PATCH 19/31] Simplify getOverlayDatabaseMode

---
 src/config-utils.ts | 30 ++++++++++++++----------------
 1 file changed, 14 insertions(+), 16 deletions(-)

diff --git a/src/config-utils.ts b/src/config-utils.ts
index ee9d411982..9dcd520c11 100644
--- a/src/config-utils.ts
+++ b/src/config-utils.ts
@@ -706,22 +706,20 @@ export async function getOverlayDatabaseMode(
         `Setting overlay database mode to ${overlayDatabaseMode} ` +
           `due to insufficient disk space (${diskSpaceMb} MB).`,
       );
-    } else {
-      if (isAnalyzingPullRequest()) {
-        overlayDatabaseMode = OverlayDatabaseMode.Overlay;
-        useOverlayDatabaseCaching = true;
-        logger.info(
-          `Setting overlay database mode to ${overlayDatabaseMode} ` +
-            "with caching because we are analyzing a pull request.",
-        );
-      } else if (await isAnalyzingDefaultBranch()) {
-        overlayDatabaseMode = OverlayDatabaseMode.OverlayBase;
-        useOverlayDatabaseCaching = true;
-        logger.info(
-          `Setting overlay database mode to ${overlayDatabaseMode} ` +
-            "with caching because we are analyzing the default branch.",
-        );
-      }
+    } else if (isAnalyzingPullRequest()) {
+      overlayDatabaseMode = OverlayDatabaseMode.Overlay;
+      useOverlayDatabaseCaching = true;
+      logger.info(
+        `Setting overlay database mode to ${overlayDatabaseMode} ` +
+          "with caching because we are analyzing a pull request.",
+      );
+    } else if (await isAnalyzingDefaultBranch()) {
+      overlayDatabaseMode = OverlayDatabaseMode.OverlayBase;
+      useOverlayDatabaseCaching = true;
+      logger.info(
+        `Setting overlay database mode to ${overlayDatabaseMode} ` +
+          "with caching because we are analyzing the default branch.",
+      );
     }
   }
 

From bd8d26b618c41ab79fd5e145da06af66458ca35b Mon Sep 17 00:00:00 2001
From: Kasper Svendsen <kaspersv@github.com>
Date: Thu, 27 Nov 2025 08:57:21 +0100
Subject: [PATCH 20/31] Overlay: Fall back to full analysis if memory flag is
 low

---
 lib/init-action.js       | 37 +++++++++++++++++++++--------------
 src/config-utils.test.ts | 42 ++++++++++++++++++++++++++++++++++++++++
 src/config-utils.ts      | 12 ++++++++++++
 src/init-action.ts       |  1 +
 4 files changed, 77 insertions(+), 15 deletions(-)

diff --git a/lib/init-action.js b/lib/init-action.js
index c6ab60184f..5486d558b7 100644
--- a/lib/init-action.js
+++ b/lib/init-action.js
@@ -86920,7 +86920,7 @@ async function isOverlayAnalysisFeatureEnabled(features, codeql, languages, code
   }
   return true;
 }
-async function getOverlayDatabaseMode(codeql, features, languages, sourceRoot, buildMode, codeScanningConfig, logger) {
+async function getOverlayDatabaseMode(codeql, features, languages, sourceRoot, buildMode, ramInput, codeScanningConfig, logger) {
   let overlayDatabaseMode = "none" /* None */;
   let useOverlayDatabaseCaching = false;
   const modeEnv = process.env.CODEQL_OVERLAY_DATABASE_MODE;
@@ -86936,6 +86936,7 @@ async function getOverlayDatabaseMode(codeql, features, languages, sourceRoot, b
     codeScanningConfig
   )) {
     const diskUsage = await checkDiskUsage(logger);
+    const memoryFlagValue = getMemoryFlagValue(ramInput, logger);
     if (diskUsage === void 0 || diskUsage.numAvailableBytes < OVERLAY_MINIMUM_AVAILABLE_DISK_SPACE_BYTES) {
       const diskSpaceMb = diskUsage === void 0 ? 0 : Math.round(diskUsage.numAvailableBytes / 1e6);
       overlayDatabaseMode = "none" /* None */;
@@ -86943,20 +86944,24 @@ async function getOverlayDatabaseMode(codeql, features, languages, sourceRoot, b
       logger.info(
         `Setting overlay database mode to ${overlayDatabaseMode} due to insufficient disk space (${diskSpaceMb} MB).`
       );
-    } else {
-      if (isAnalyzingPullRequest()) {
-        overlayDatabaseMode = "overlay" /* Overlay */;
-        useOverlayDatabaseCaching = true;
-        logger.info(
-          `Setting overlay database mode to ${overlayDatabaseMode} with caching because we are analyzing a pull request.`
-        );
-      } else if (await isAnalyzingDefaultBranch()) {
-        overlayDatabaseMode = "overlay-base" /* OverlayBase */;
-        useOverlayDatabaseCaching = true;
-        logger.info(
-          `Setting overlay database mode to ${overlayDatabaseMode} with caching because we are analyzing the default branch.`
-        );
-      }
+    } else if (memoryFlagValue < 5 * 1024) {
+      overlayDatabaseMode = "none" /* None */;
+      useOverlayDatabaseCaching = false;
+      logger.info(
+        `Setting overlay database mode to ${overlayDatabaseMode} due to insufficient memory for CodeQL analysis (${memoryFlagValue} MB).`
+      );
+    } else if (isAnalyzingPullRequest()) {
+      overlayDatabaseMode = "overlay" /* Overlay */;
+      useOverlayDatabaseCaching = true;
+      logger.info(
+        `Setting overlay database mode to ${overlayDatabaseMode} with caching because we are analyzing a pull request.`
+      );
+    } else if (await isAnalyzingDefaultBranch()) {
+      overlayDatabaseMode = "overlay-base" /* OverlayBase */;
+      useOverlayDatabaseCaching = true;
+      logger.info(
+        `Setting overlay database mode to ${overlayDatabaseMode} with caching because we are analyzing the default branch.`
+      );
     }
   }
   const nonOverlayAnalysis = {
@@ -87051,6 +87056,7 @@ async function initConfig(features, inputs) {
     config.languages,
     inputs.sourceRoot,
     config.buildMode,
+    inputs.ramInput,
     config.computedConfig,
     logger
   );
@@ -89998,6 +90004,7 @@ async function run() {
       queriesInput: getOptionalInput("queries"),
       packsInput: getOptionalInput("packs"),
       buildModeInput: getOptionalInput("build-mode"),
+      ramInput: getOptionalInput("ram"),
       configFile,
       dbLocation: getOptionalInput("db-location"),
       configInput: getOptionalInput("config"),
diff --git a/src/config-utils.test.ts b/src/config-utils.test.ts
index 7f991ea24c..623eccea72 100644
--- a/src/config-utils.test.ts
+++ b/src/config-utils.test.ts
@@ -59,6 +59,7 @@ function createTestInitConfigInputs(
       dbLocation: undefined,
       configInput: undefined,
       buildModeInput: undefined,
+      ramInput: undefined,
       trapCachingEnabled: false,
       dependencyCachingEnabled: CachingKind.None,
       debugMode: false,
@@ -979,6 +980,7 @@ interface OverlayDatabaseModeTestSetup {
   gitRoot: string | undefined;
   codeScanningConfig: configUtils.UserConfig;
   diskUsage: DiskUsage | undefined;
+  memoryFlagValue: number;
 }
 
 const defaultOverlayDatabaseModeTestSetup: OverlayDatabaseModeTestSetup = {
@@ -995,6 +997,7 @@ const defaultOverlayDatabaseModeTestSetup: OverlayDatabaseModeTestSetup = {
     numAvailableBytes: 50_000_000_000,
     numTotalBytes: 100_000_000_000,
   },
+  memoryFlagValue: 6920,
 };
 
 const getOverlayDatabaseModeMacro = test.macro({
@@ -1037,6 +1040,8 @@ const getOverlayDatabaseModeMacro = test.macro({
           .stub(actionsUtil, "isAnalyzingPullRequest")
           .returns(setup.isPullRequest);
 
+        sinon.stub(util, "getMemoryFlagValue").returns(setup.memoryFlagValue);
+
         // Set up CodeQL mock
         const codeql = mockCodeQLVersion(setup.codeqlVersion);
 
@@ -1063,6 +1068,7 @@ const getOverlayDatabaseModeMacro = test.macro({
           setup.languages,
           tempDir, // sourceRoot
           setup.buildMode,
+          undefined,
           setup.codeScanningConfig,
           logger,
         );
@@ -1225,6 +1231,24 @@ test(
   },
 );
 
+test(
+  getOverlayDatabaseModeMacro,
+  "No overlay-base database on default branch if memory flag is too low",
+  {
+    languages: [KnownLanguage.javascript],
+    features: [
+      Feature.OverlayAnalysis,
+      Feature.OverlayAnalysisCodeScanningJavascript,
+    ],
+    isDefaultBranch: true,
+    memoryFlagValue: 3072,
+  },
+  {
+    overlayDatabaseMode: OverlayDatabaseMode.None,
+    useOverlayDatabaseCaching: false,
+  },
+);
+
 test(
   getOverlayDatabaseModeMacro,
   "No overlay-base database on default branch when code-scanning feature enabled with disable-default-queries",
@@ -1434,6 +1458,24 @@ test(
   },
 );
 
+test(
+  getOverlayDatabaseModeMacro,
+  "No overlay analysis on PR if memory flag is too low",
+  {
+    languages: [KnownLanguage.javascript],
+    features: [
+      Feature.OverlayAnalysis,
+      Feature.OverlayAnalysisCodeScanningJavascript,
+    ],
+    isPullRequest: true,
+    memoryFlagValue: 3072,
+  },
+  {
+    overlayDatabaseMode: OverlayDatabaseMode.None,
+    useOverlayDatabaseCaching: false,
+  },
+);
+
 test(
   getOverlayDatabaseModeMacro,
   "No overlay analysis on PR when code-scanning feature enabled with disable-default-queries",
diff --git a/src/config-utils.ts b/src/config-utils.ts
index 9dcd520c11..fa3bbeb183 100644
--- a/src/config-utils.ts
+++ b/src/config-utils.ts
@@ -44,6 +44,7 @@ import {
   cloneObject,
   isDefined,
   checkDiskUsage,
+  getMemoryFlagValue,
 } from "./util";
 
 export * from "./config/db-config";
@@ -393,6 +394,7 @@ export interface InitConfigInputs {
   dbLocation: string | undefined;
   configInput: string | undefined;
   buildModeInput: string | undefined;
+  ramInput: string | undefined;
   trapCachingEnabled: boolean;
   dependencyCachingEnabled: string | undefined;
   debugMode: boolean;
@@ -661,6 +663,7 @@ export async function getOverlayDatabaseMode(
   languages: Language[],
   sourceRoot: string,
   buildMode: BuildMode | undefined,
+  ramInput: string | undefined,
   codeScanningConfig: UserConfig,
   logger: Logger,
 ): Promise<{
@@ -692,6 +695,7 @@ export async function getOverlayDatabaseMode(
     )
   ) {
     const diskUsage = await checkDiskUsage(logger);
+    const memoryFlagValue = getMemoryFlagValue(ramInput, logger);
     if (
       diskUsage === undefined ||
       diskUsage.numAvailableBytes < OVERLAY_MINIMUM_AVAILABLE_DISK_SPACE_BYTES
@@ -706,6 +710,13 @@ export async function getOverlayDatabaseMode(
         `Setting overlay database mode to ${overlayDatabaseMode} ` +
           `due to insufficient disk space (${diskSpaceMb} MB).`,
       );
+    } else if (memoryFlagValue < 5 * 1024) {
+      overlayDatabaseMode = OverlayDatabaseMode.None;
+      useOverlayDatabaseCaching = false;
+      logger.info(
+        `Setting overlay database mode to ${overlayDatabaseMode} ` +
+          `due to insufficient memory for CodeQL analysis (${memoryFlagValue} MB).`,
+      );
     } else if (isAnalyzingPullRequest()) {
       overlayDatabaseMode = OverlayDatabaseMode.Overlay;
       useOverlayDatabaseCaching = true;
@@ -873,6 +884,7 @@ export async function initConfig(
       config.languages,
       inputs.sourceRoot,
       config.buildMode,
+      inputs.ramInput,
       config.computedConfig,
       logger,
     );
diff --git a/src/init-action.ts b/src/init-action.ts
index 689ded2fc1..692f0370dd 100644
--- a/src/init-action.ts
+++ b/src/init-action.ts
@@ -324,6 +324,7 @@ async function run() {
       queriesInput: getOptionalInput("queries"),
       packsInput: getOptionalInput("packs"),
       buildModeInput: getOptionalInput("build-mode"),
+      ramInput: getOptionalInput("ram"),
       configFile,
       dbLocation: getOptionalInput("db-location"),
       configInput: getOptionalInput("config"),

From 1ffb7dd0c8bcb456c8ba5e69af148cacf2dbdd5a Mon Sep 17 00:00:00 2001
From: Kasper Svendsen <kaspersv@github.com>
Date: Thu, 27 Nov 2025 12:07:17 +0100
Subject: [PATCH 21/31] Overlay: Add feature flag to skip resource checks

---
 lib/analyze-action-post.js        |  5 ++
 lib/analyze-action.js             |  5 ++
 lib/autobuild-action.js           |  5 ++
 lib/init-action-post.js           |  5 ++
 lib/init-action.js                | 42 ++++++++++------
 lib/resolve-environment-action.js |  5 ++
 lib/setup-codeql-action.js        |  5 ++
 lib/start-proxy-action-post.js    |  5 ++
 lib/start-proxy-action.js         |  5 ++
 lib/upload-lib.js                 |  5 ++
 lib/upload-sarif-action-post.js   |  5 ++
 lib/upload-sarif-action.js        |  5 ++
 src/config-utils.test.ts          | 82 +++++++++++++++++++++++++++++++
 src/config-utils.ts               | 58 ++++++++++++++--------
 src/feature-flags.ts              |  6 +++
 15 files changed, 209 insertions(+), 34 deletions(-)

diff --git a/lib/analyze-action-post.js b/lib/analyze-action-post.js
index e152705021..fc75996bcd 100644
--- a/lib/analyze-action-post.js
+++ b/lib/analyze-action-post.js
@@ -120186,6 +120186,11 @@ var featureConfig = {
     envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_SWIFT",
     minimumVersion: void 0
   },
+  ["overlay_analysis_skip_resource_checks" /* OverlayAnalysisSkipResourceChecks */]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_SKIP_RESOURCE_CHECKS",
+    minimumVersion: void 0
+  },
   ["python_default_is_to_not_extract_stdlib" /* PythonDefaultIsToNotExtractStdlib */]: {
     defaultValue: false,
     envVar: "CODEQL_ACTION_DISABLE_PYTHON_STANDARD_LIBRARY_EXTRACTION",
diff --git a/lib/analyze-action.js b/lib/analyze-action.js
index 703a47c7d6..aecec30716 100644
--- a/lib/analyze-action.js
+++ b/lib/analyze-action.js
@@ -88807,6 +88807,11 @@ var featureConfig = {
     envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_SWIFT",
     minimumVersion: void 0
   },
+  ["overlay_analysis_skip_resource_checks" /* OverlayAnalysisSkipResourceChecks */]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_SKIP_RESOURCE_CHECKS",
+    minimumVersion: void 0
+  },
   ["python_default_is_to_not_extract_stdlib" /* PythonDefaultIsToNotExtractStdlib */]: {
     defaultValue: false,
     envVar: "CODEQL_ACTION_DISABLE_PYTHON_STANDARD_LIBRARY_EXTRACTION",
diff --git a/lib/autobuild-action.js b/lib/autobuild-action.js
index 51ead50dec..2b65659589 100644
--- a/lib/autobuild-action.js
+++ b/lib/autobuild-action.js
@@ -84126,6 +84126,11 @@ var featureConfig = {
     envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_SWIFT",
     minimumVersion: void 0
   },
+  ["overlay_analysis_skip_resource_checks" /* OverlayAnalysisSkipResourceChecks */]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_SKIP_RESOURCE_CHECKS",
+    minimumVersion: void 0
+  },
   ["python_default_is_to_not_extract_stdlib" /* PythonDefaultIsToNotExtractStdlib */]: {
     defaultValue: false,
     envVar: "CODEQL_ACTION_DISABLE_PYTHON_STANDARD_LIBRARY_EXTRACTION",
diff --git a/lib/init-action-post.js b/lib/init-action-post.js
index b04b27ecf8..f83e500325 100644
--- a/lib/init-action-post.js
+++ b/lib/init-action-post.js
@@ -123567,6 +123567,11 @@ var featureConfig = {
     envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_SWIFT",
     minimumVersion: void 0
   },
+  ["overlay_analysis_skip_resource_checks" /* OverlayAnalysisSkipResourceChecks */]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_SKIP_RESOURCE_CHECKS",
+    minimumVersion: void 0
+  },
   ["python_default_is_to_not_extract_stdlib" /* PythonDefaultIsToNotExtractStdlib */]: {
     defaultValue: false,
     envVar: "CODEQL_ACTION_DISABLE_PYTHON_STANDARD_LIBRARY_EXTRACTION",
diff --git a/lib/init-action.js b/lib/init-action.js
index 5486d558b7..14cecedd7b 100644
--- a/lib/init-action.js
+++ b/lib/init-action.js
@@ -86221,6 +86221,11 @@ var featureConfig = {
     envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_SWIFT",
     minimumVersion: void 0
   },
+  ["overlay_analysis_skip_resource_checks" /* OverlayAnalysisSkipResourceChecks */]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_SKIP_RESOURCE_CHECKS",
+    minimumVersion: void 0
+  },
   ["python_default_is_to_not_extract_stdlib" /* PythonDefaultIsToNotExtractStdlib */]: {
     defaultValue: false,
     envVar: "CODEQL_ACTION_DISABLE_PYTHON_STANDARD_LIBRARY_EXTRACTION",
@@ -86920,6 +86925,24 @@ async function isOverlayAnalysisFeatureEnabled(features, codeql, languages, code
   }
   return true;
 }
+async function runnerSupportsOverlayAnalysis(ramInput, logger) {
+  const diskUsage = await checkDiskUsage(logger);
+  if (diskUsage === void 0 || diskUsage.numAvailableBytes < OVERLAY_MINIMUM_AVAILABLE_DISK_SPACE_BYTES) {
+    const diskSpaceMb = diskUsage === void 0 ? 0 : Math.round(diskUsage.numAvailableBytes / 1e6);
+    logger.info(
+      `Setting overlay database mode to ${"none" /* None */} due to insufficient disk space (${diskSpaceMb} MB).`
+    );
+    return false;
+  }
+  const memoryFlagValue = getMemoryFlagValue(ramInput, logger);
+  if (memoryFlagValue < 5 * 1024) {
+    logger.info(
+      `Setting overlay database mode to ${"none" /* None */} due to insufficient memory for CodeQL analysis (${memoryFlagValue} MB).`
+    );
+    return false;
+  }
+  return true;
+}
 async function getOverlayDatabaseMode(codeql, features, languages, sourceRoot, buildMode, ramInput, codeScanningConfig, logger) {
   let overlayDatabaseMode = "none" /* None */;
   let useOverlayDatabaseCaching = false;
@@ -86935,21 +86958,12 @@ async function getOverlayDatabaseMode(codeql, features, languages, sourceRoot, b
     languages,
     codeScanningConfig
   )) {
-    const diskUsage = await checkDiskUsage(logger);
-    const memoryFlagValue = getMemoryFlagValue(ramInput, logger);
-    if (diskUsage === void 0 || diskUsage.numAvailableBytes < OVERLAY_MINIMUM_AVAILABLE_DISK_SPACE_BYTES) {
-      const diskSpaceMb = diskUsage === void 0 ? 0 : Math.round(diskUsage.numAvailableBytes / 1e6);
-      overlayDatabaseMode = "none" /* None */;
-      useOverlayDatabaseCaching = false;
-      logger.info(
-        `Setting overlay database mode to ${overlayDatabaseMode} due to insufficient disk space (${diskSpaceMb} MB).`
-      );
-    } else if (memoryFlagValue < 5 * 1024) {
+    const performResourceChecks = !await features.getValue(
+      "overlay_analysis_skip_resource_checks" /* OverlayAnalysisSkipResourceChecks */,
+      codeql
+    );
+    if (performResourceChecks && !await runnerSupportsOverlayAnalysis(ramInput, logger)) {
       overlayDatabaseMode = "none" /* None */;
-      useOverlayDatabaseCaching = false;
-      logger.info(
-        `Setting overlay database mode to ${overlayDatabaseMode} due to insufficient memory for CodeQL analysis (${memoryFlagValue} MB).`
-      );
     } else if (isAnalyzingPullRequest()) {
       overlayDatabaseMode = "overlay" /* Overlay */;
       useOverlayDatabaseCaching = true;
diff --git a/lib/resolve-environment-action.js b/lib/resolve-environment-action.js
index 6cf6de54c2..1d30ed9ff9 100644
--- a/lib/resolve-environment-action.js
+++ b/lib/resolve-environment-action.js
@@ -84117,6 +84117,11 @@ var featureConfig = {
     envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_SWIFT",
     minimumVersion: void 0
   },
+  ["overlay_analysis_skip_resource_checks" /* OverlayAnalysisSkipResourceChecks */]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_SKIP_RESOURCE_CHECKS",
+    minimumVersion: void 0
+  },
   ["python_default_is_to_not_extract_stdlib" /* PythonDefaultIsToNotExtractStdlib */]: {
     defaultValue: false,
     envVar: "CODEQL_ACTION_DISABLE_PYTHON_STANDARD_LIBRARY_EXTRACTION",
diff --git a/lib/setup-codeql-action.js b/lib/setup-codeql-action.js
index 01b0ac9e3d..53f9075221 100644
--- a/lib/setup-codeql-action.js
+++ b/lib/setup-codeql-action.js
@@ -84029,6 +84029,11 @@ var featureConfig = {
     envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_SWIFT",
     minimumVersion: void 0
   },
+  ["overlay_analysis_skip_resource_checks" /* OverlayAnalysisSkipResourceChecks */]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_SKIP_RESOURCE_CHECKS",
+    minimumVersion: void 0
+  },
   ["python_default_is_to_not_extract_stdlib" /* PythonDefaultIsToNotExtractStdlib */]: {
     defaultValue: false,
     envVar: "CODEQL_ACTION_DISABLE_PYTHON_STANDARD_LIBRARY_EXTRACTION",
diff --git a/lib/start-proxy-action-post.js b/lib/start-proxy-action-post.js
index 64fbae0d0a..5411f021ef 100644
--- a/lib/start-proxy-action-post.js
+++ b/lib/start-proxy-action-post.js
@@ -119592,6 +119592,11 @@ var featureConfig = {
     envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_SWIFT",
     minimumVersion: void 0
   },
+  ["overlay_analysis_skip_resource_checks" /* OverlayAnalysisSkipResourceChecks */]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_SKIP_RESOURCE_CHECKS",
+    minimumVersion: void 0
+  },
   ["python_default_is_to_not_extract_stdlib" /* PythonDefaultIsToNotExtractStdlib */]: {
     defaultValue: false,
     envVar: "CODEQL_ACTION_DISABLE_PYTHON_STANDARD_LIBRARY_EXTRACTION",
diff --git a/lib/start-proxy-action.js b/lib/start-proxy-action.js
index b4834b1cf6..31f1526c70 100644
--- a/lib/start-proxy-action.js
+++ b/lib/start-proxy-action.js
@@ -100145,6 +100145,11 @@ var featureConfig = {
     envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_SWIFT",
     minimumVersion: void 0
   },
+  ["overlay_analysis_skip_resource_checks" /* OverlayAnalysisSkipResourceChecks */]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_SKIP_RESOURCE_CHECKS",
+    minimumVersion: void 0
+  },
   ["python_default_is_to_not_extract_stdlib" /* PythonDefaultIsToNotExtractStdlib */]: {
     defaultValue: false,
     envVar: "CODEQL_ACTION_DISABLE_PYTHON_STANDARD_LIBRARY_EXTRACTION",
diff --git a/lib/upload-lib.js b/lib/upload-lib.js
index 3be03091e3..e026ae89b9 100644
--- a/lib/upload-lib.js
+++ b/lib/upload-lib.js
@@ -87182,6 +87182,11 @@ var featureConfig = {
     envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_SWIFT",
     minimumVersion: void 0
   },
+  ["overlay_analysis_skip_resource_checks" /* OverlayAnalysisSkipResourceChecks */]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_SKIP_RESOURCE_CHECKS",
+    minimumVersion: void 0
+  },
   ["python_default_is_to_not_extract_stdlib" /* PythonDefaultIsToNotExtractStdlib */]: {
     defaultValue: false,
     envVar: "CODEQL_ACTION_DISABLE_PYTHON_STANDARD_LIBRARY_EXTRACTION",
diff --git a/lib/upload-sarif-action-post.js b/lib/upload-sarif-action-post.js
index c4385bbf91..f54ec4495d 100644
--- a/lib/upload-sarif-action-post.js
+++ b/lib/upload-sarif-action-post.js
@@ -119758,6 +119758,11 @@ var featureConfig = {
     envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_SWIFT",
     minimumVersion: void 0
   },
+  ["overlay_analysis_skip_resource_checks" /* OverlayAnalysisSkipResourceChecks */]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_SKIP_RESOURCE_CHECKS",
+    minimumVersion: void 0
+  },
   ["python_default_is_to_not_extract_stdlib" /* PythonDefaultIsToNotExtractStdlib */]: {
     defaultValue: false,
     envVar: "CODEQL_ACTION_DISABLE_PYTHON_STANDARD_LIBRARY_EXTRACTION",
diff --git a/lib/upload-sarif-action.js b/lib/upload-sarif-action.js
index ef6bb9aaa3..231fac13c6 100644
--- a/lib/upload-sarif-action.js
+++ b/lib/upload-sarif-action.js
@@ -86979,6 +86979,11 @@ var featureConfig = {
     envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_SWIFT",
     minimumVersion: void 0
   },
+  ["overlay_analysis_skip_resource_checks" /* OverlayAnalysisSkipResourceChecks */]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_SKIP_RESOURCE_CHECKS",
+    minimumVersion: void 0
+  },
   ["python_default_is_to_not_extract_stdlib" /* PythonDefaultIsToNotExtractStdlib */]: {
     defaultValue: false,
     envVar: "CODEQL_ACTION_DISABLE_PYTHON_STANDARD_LIBRARY_EXTRACTION",
diff --git a/src/config-utils.test.ts b/src/config-utils.test.ts
index 623eccea72..d07aacde2e 100644
--- a/src/config-utils.test.ts
+++ b/src/config-utils.test.ts
@@ -1231,6 +1231,28 @@ test(
   },
 );
 
+test(
+  getOverlayDatabaseModeMacro,
+  "Overlay-base database on default branch if runner disk space is too low and skip resource checks flag is enabled",
+  {
+    languages: [KnownLanguage.javascript],
+    features: [
+      Feature.OverlayAnalysis,
+      Feature.OverlayAnalysisCodeScanningJavascript,
+      Feature.OverlayAnalysisSkipResourceChecks,
+    ],
+    isDefaultBranch: true,
+    diskUsage: {
+      numAvailableBytes: 1_000_000_000,
+      numTotalBytes: 100_000_000_000,
+    },
+  },
+  {
+    overlayDatabaseMode: OverlayDatabaseMode.OverlayBase,
+    useOverlayDatabaseCaching: true,
+  },
+);
+
 test(
   getOverlayDatabaseModeMacro,
   "No overlay-base database on default branch if memory flag is too low",
@@ -1249,6 +1271,25 @@ test(
   },
 );
 
+test(
+  getOverlayDatabaseModeMacro,
+  "Overlay-base database on default branch if memory flag is too low and skip resource checks flag is enabled",
+  {
+    languages: [KnownLanguage.javascript],
+    features: [
+      Feature.OverlayAnalysis,
+      Feature.OverlayAnalysisCodeScanningJavascript,
+      Feature.OverlayAnalysisSkipResourceChecks,
+    ],
+    isDefaultBranch: true,
+    memoryFlagValue: 3072,
+  },
+  {
+    overlayDatabaseMode: OverlayDatabaseMode.OverlayBase,
+    useOverlayDatabaseCaching: true,
+  },
+);
+
 test(
   getOverlayDatabaseModeMacro,
   "No overlay-base database on default branch when code-scanning feature enabled with disable-default-queries",
@@ -1440,6 +1481,28 @@ test(
   },
 );
 
+test(
+  getOverlayDatabaseModeMacro,
+  "Overlay analysis on PR if runner disk space is too low and skip resource checks flag is enabled",
+  {
+    languages: [KnownLanguage.javascript],
+    features: [
+      Feature.OverlayAnalysis,
+      Feature.OverlayAnalysisCodeScanningJavascript,
+      Feature.OverlayAnalysisSkipResourceChecks,
+    ],
+    isPullRequest: true,
+    diskUsage: {
+      numAvailableBytes: 1_000_000_000,
+      numTotalBytes: 100_000_000_000,
+    },
+  },
+  {
+    overlayDatabaseMode: OverlayDatabaseMode.Overlay,
+    useOverlayDatabaseCaching: true,
+  },
+);
+
 test(
   getOverlayDatabaseModeMacro,
   "No overlay analysis on PR if we can't determine runner disk space",
@@ -1476,6 +1539,25 @@ test(
   },
 );
 
+test(
+  getOverlayDatabaseModeMacro,
+  "Overlay analysis on PR if memory flag is too low and skip resource checks flag is enabled",
+  {
+    languages: [KnownLanguage.javascript],
+    features: [
+      Feature.OverlayAnalysis,
+      Feature.OverlayAnalysisCodeScanningJavascript,
+      Feature.OverlayAnalysisSkipResourceChecks,
+    ],
+    isPullRequest: true,
+    memoryFlagValue: 3072,
+  },
+  {
+    overlayDatabaseMode: OverlayDatabaseMode.Overlay,
+    useOverlayDatabaseCaching: true,
+  },
+);
+
 test(
   getOverlayDatabaseModeMacro,
   "No overlay analysis on PR when code-scanning feature enabled with disable-default-queries",
diff --git a/src/config-utils.ts b/src/config-utils.ts
index fa3bbeb183..4f3fadf662 100644
--- a/src/config-utils.ts
+++ b/src/config-utils.ts
@@ -636,6 +636,38 @@ async function isOverlayAnalysisFeatureEnabled(
   return true;
 }
 
+async function runnerSupportsOverlayAnalysis(
+  ramInput: string | undefined,
+  logger: Logger,
+): Promise<boolean> {
+  const diskUsage = await checkDiskUsage(logger);
+  if (
+    diskUsage === undefined ||
+    diskUsage.numAvailableBytes < OVERLAY_MINIMUM_AVAILABLE_DISK_SPACE_BYTES
+  ) {
+    const diskSpaceMb =
+      diskUsage === undefined
+        ? 0
+        : Math.round(diskUsage.numAvailableBytes / 1_000_000);
+    logger.info(
+      `Setting overlay database mode to ${OverlayDatabaseMode.None} ` +
+        `due to insufficient disk space (${diskSpaceMb} MB).`,
+    );
+    return false;
+  }
+
+  const memoryFlagValue = getMemoryFlagValue(ramInput, logger);
+  if (memoryFlagValue < 5 * 1024) {
+    logger.info(
+      `Setting overlay database mode to ${OverlayDatabaseMode.None} ` +
+        `due to insufficient memory for CodeQL analysis (${memoryFlagValue} MB).`,
+    );
+    return false;
+  }
+
+  return true;
+}
+
 /**
  * Calculate and validate the overlay database mode and caching to use.
  *
@@ -694,29 +726,15 @@ export async function getOverlayDatabaseMode(
       codeScanningConfig,
     )
   ) {
-    const diskUsage = await checkDiskUsage(logger);
-    const memoryFlagValue = getMemoryFlagValue(ramInput, logger);
+    const performResourceChecks = !(await features.getValue(
+      Feature.OverlayAnalysisSkipResourceChecks,
+      codeql,
+    ));
     if (
-      diskUsage === undefined ||
-      diskUsage.numAvailableBytes < OVERLAY_MINIMUM_AVAILABLE_DISK_SPACE_BYTES
+      performResourceChecks &&
+      !(await runnerSupportsOverlayAnalysis(ramInput, logger))
     ) {
-      const diskSpaceMb =
-        diskUsage === undefined
-          ? 0
-          : Math.round(diskUsage.numAvailableBytes / 1_000_000);
       overlayDatabaseMode = OverlayDatabaseMode.None;
-      useOverlayDatabaseCaching = false;
-      logger.info(
-        `Setting overlay database mode to ${overlayDatabaseMode} ` +
-          `due to insufficient disk space (${diskSpaceMb} MB).`,
-      );
-    } else if (memoryFlagValue < 5 * 1024) {
-      overlayDatabaseMode = OverlayDatabaseMode.None;
-      useOverlayDatabaseCaching = false;
-      logger.info(
-        `Setting overlay database mode to ${overlayDatabaseMode} ` +
-          `due to insufficient memory for CodeQL analysis (${memoryFlagValue} MB).`,
-      );
     } else if (isAnalyzingPullRequest()) {
       overlayDatabaseMode = OverlayDatabaseMode.Overlay;
       useOverlayDatabaseCaching = true;
diff --git a/src/feature-flags.ts b/src/feature-flags.ts
index 8ea1d4c1a4..2085dccc40 100644
--- a/src/feature-flags.ts
+++ b/src/feature-flags.ts
@@ -76,6 +76,7 @@ export enum Feature {
   OverlayAnalysisRuby = "overlay_analysis_ruby",
   OverlayAnalysisRust = "overlay_analysis_rust",
   OverlayAnalysisSwift = "overlay_analysis_swift",
+  OverlayAnalysisSkipResourceChecks = "overlay_analysis_skip_resource_checks",
   PythonDefaultIsToNotExtractStdlib = "python_default_is_to_not_extract_stdlib",
   QaTelemetryEnabled = "qa_telemetry_enabled",
   UploadOverlayDbToApi = "upload_overlay_db_to_api",
@@ -283,6 +284,11 @@ export const featureConfig: Record<
     envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_SWIFT",
     minimumVersion: undefined,
   },
+  [Feature.OverlayAnalysisSkipResourceChecks]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_SKIP_RESOURCE_CHECKS",
+    minimumVersion: undefined,
+  },
   [Feature.PythonDefaultIsToNotExtractStdlib]: {
     defaultValue: false,
     envVar: "CODEQL_ACTION_DISABLE_PYTHON_STANDARD_LIBRARY_EXTRACTION",

From 2f3bbce9a6f0f0daaa2e3e8480b0b9cdd6039cce Mon Sep 17 00:00:00 2001
From: Kasper Svendsen <kaspersv@github.com>
Date: Thu, 27 Nov 2025 15:33:22 +0100
Subject: [PATCH 22/31] Overlay: Introduce overlay memory limit constant

---
 lib/analyze-action-post.js        |  1 +
 lib/analyze-action.js             |  1 +
 lib/autobuild-action.js           |  1 +
 lib/init-action-post.js           |  1 +
 lib/init-action.js                |  3 ++-
 lib/resolve-environment-action.js |  1 +
 lib/setup-codeql-action.js        |  1 +
 lib/start-proxy-action-post.js    |  1 +
 lib/start-proxy-action.js         |  1 +
 lib/upload-lib.js                 |  1 +
 lib/upload-sarif-action-post.js   |  1 +
 lib/upload-sarif-action.js        |  1 +
 src/config-utils.ts               | 10 +++++++++-
 13 files changed, 22 insertions(+), 2 deletions(-)

diff --git a/lib/analyze-action-post.js b/lib/analyze-action-post.js
index fc75996bcd..69c8cd2370 100644
--- a/lib/analyze-action-post.js
+++ b/lib/analyze-action-post.js
@@ -120226,6 +120226,7 @@ var actionsCache2 = __toESM(require_cache3());
 // src/config-utils.ts
 var OVERLAY_MINIMUM_AVAILABLE_DISK_SPACE_MB = 2e4;
 var OVERLAY_MINIMUM_AVAILABLE_DISK_SPACE_BYTES = OVERLAY_MINIMUM_AVAILABLE_DISK_SPACE_MB * 1e6;
+var OVERLAY_MINIMUM_MEMORY_MB = 5 * 1024;
 var OVERLAY_ANALYSIS_FEATURES = {
   actions: "overlay_analysis_actions" /* OverlayAnalysisActions */,
   cpp: "overlay_analysis_cpp" /* OverlayAnalysisCpp */,
diff --git a/lib/analyze-action.js b/lib/analyze-action.js
index aecec30716..f4d98a7ff7 100644
--- a/lib/analyze-action.js
+++ b/lib/analyze-action.js
@@ -89385,6 +89385,7 @@ async function cachePrefix(codeql, language) {
 // src/config-utils.ts
 var OVERLAY_MINIMUM_AVAILABLE_DISK_SPACE_MB = 2e4;
 var OVERLAY_MINIMUM_AVAILABLE_DISK_SPACE_BYTES = OVERLAY_MINIMUM_AVAILABLE_DISK_SPACE_MB * 1e6;
+var OVERLAY_MINIMUM_MEMORY_MB = 5 * 1024;
 var OVERLAY_ANALYSIS_FEATURES = {
   actions: "overlay_analysis_actions" /* OverlayAnalysisActions */,
   cpp: "overlay_analysis_cpp" /* OverlayAnalysisCpp */,
diff --git a/lib/autobuild-action.js b/lib/autobuild-action.js
index 2b65659589..7b64276931 100644
--- a/lib/autobuild-action.js
+++ b/lib/autobuild-action.js
@@ -84431,6 +84431,7 @@ var actionsCache2 = __toESM(require_cache3());
 // src/config-utils.ts
 var OVERLAY_MINIMUM_AVAILABLE_DISK_SPACE_MB = 2e4;
 var OVERLAY_MINIMUM_AVAILABLE_DISK_SPACE_BYTES = OVERLAY_MINIMUM_AVAILABLE_DISK_SPACE_MB * 1e6;
+var OVERLAY_MINIMUM_MEMORY_MB = 5 * 1024;
 var OVERLAY_ANALYSIS_FEATURES = {
   actions: "overlay_analysis_actions" /* OverlayAnalysisActions */,
   cpp: "overlay_analysis_cpp" /* OverlayAnalysisCpp */,
diff --git a/lib/init-action-post.js b/lib/init-action-post.js
index f83e500325..f26a8a6cde 100644
--- a/lib/init-action-post.js
+++ b/lib/init-action-post.js
@@ -123890,6 +123890,7 @@ var actionsCache2 = __toESM(require_cache3());
 // src/config-utils.ts
 var OVERLAY_MINIMUM_AVAILABLE_DISK_SPACE_MB = 2e4;
 var OVERLAY_MINIMUM_AVAILABLE_DISK_SPACE_BYTES = OVERLAY_MINIMUM_AVAILABLE_DISK_SPACE_MB * 1e6;
+var OVERLAY_MINIMUM_MEMORY_MB = 5 * 1024;
 var OVERLAY_ANALYSIS_FEATURES = {
   actions: "overlay_analysis_actions" /* OverlayAnalysisActions */,
   cpp: "overlay_analysis_cpp" /* OverlayAnalysisCpp */,
diff --git a/lib/init-action.js b/lib/init-action.js
index 14cecedd7b..7fc57970e5 100644
--- a/lib/init-action.js
+++ b/lib/init-action.js
@@ -86668,6 +86668,7 @@ async function cachePrefix(codeql, language) {
 // src/config-utils.ts
 var OVERLAY_MINIMUM_AVAILABLE_DISK_SPACE_MB = 2e4;
 var OVERLAY_MINIMUM_AVAILABLE_DISK_SPACE_BYTES = OVERLAY_MINIMUM_AVAILABLE_DISK_SPACE_MB * 1e6;
+var OVERLAY_MINIMUM_MEMORY_MB = 5 * 1024;
 async function getSupportedLanguageMap(codeql, logger) {
   const resolveSupportedLanguagesUsingCli = await codeql.supportsFeature(
     "builtinExtractorsSpecifyDefaultQueries" /* BuiltinExtractorsSpecifyDefaultQueries */
@@ -86935,7 +86936,7 @@ async function runnerSupportsOverlayAnalysis(ramInput, logger) {
     return false;
   }
   const memoryFlagValue = getMemoryFlagValue(ramInput, logger);
-  if (memoryFlagValue < 5 * 1024) {
+  if (memoryFlagValue < OVERLAY_MINIMUM_MEMORY_MB) {
     logger.info(
       `Setting overlay database mode to ${"none" /* None */} due to insufficient memory for CodeQL analysis (${memoryFlagValue} MB).`
     );
diff --git a/lib/resolve-environment-action.js b/lib/resolve-environment-action.js
index 1d30ed9ff9..4c1ff07350 100644
--- a/lib/resolve-environment-action.js
+++ b/lib/resolve-environment-action.js
@@ -84157,6 +84157,7 @@ var actionsCache2 = __toESM(require_cache3());
 // src/config-utils.ts
 var OVERLAY_MINIMUM_AVAILABLE_DISK_SPACE_MB = 2e4;
 var OVERLAY_MINIMUM_AVAILABLE_DISK_SPACE_BYTES = OVERLAY_MINIMUM_AVAILABLE_DISK_SPACE_MB * 1e6;
+var OVERLAY_MINIMUM_MEMORY_MB = 5 * 1024;
 var OVERLAY_ANALYSIS_FEATURES = {
   actions: "overlay_analysis_actions" /* OverlayAnalysisActions */,
   cpp: "overlay_analysis_cpp" /* OverlayAnalysisCpp */,
diff --git a/lib/setup-codeql-action.js b/lib/setup-codeql-action.js
index 53f9075221..76baae1afc 100644
--- a/lib/setup-codeql-action.js
+++ b/lib/setup-codeql-action.js
@@ -84602,6 +84602,7 @@ var actionsCache2 = __toESM(require_cache3());
 // src/config-utils.ts
 var OVERLAY_MINIMUM_AVAILABLE_DISK_SPACE_MB = 2e4;
 var OVERLAY_MINIMUM_AVAILABLE_DISK_SPACE_BYTES = OVERLAY_MINIMUM_AVAILABLE_DISK_SPACE_MB * 1e6;
+var OVERLAY_MINIMUM_MEMORY_MB = 5 * 1024;
 var OVERLAY_ANALYSIS_FEATURES = {
   actions: "overlay_analysis_actions" /* OverlayAnalysisActions */,
   cpp: "overlay_analysis_cpp" /* OverlayAnalysisCpp */,
diff --git a/lib/start-proxy-action-post.js b/lib/start-proxy-action-post.js
index 5411f021ef..2a299b8974 100644
--- a/lib/start-proxy-action-post.js
+++ b/lib/start-proxy-action-post.js
@@ -119632,6 +119632,7 @@ var actionsCache2 = __toESM(require_cache3());
 // src/config-utils.ts
 var OVERLAY_MINIMUM_AVAILABLE_DISK_SPACE_MB = 2e4;
 var OVERLAY_MINIMUM_AVAILABLE_DISK_SPACE_BYTES = OVERLAY_MINIMUM_AVAILABLE_DISK_SPACE_MB * 1e6;
+var OVERLAY_MINIMUM_MEMORY_MB = 5 * 1024;
 var OVERLAY_ANALYSIS_FEATURES = {
   actions: "overlay_analysis_actions" /* OverlayAnalysisActions */,
   cpp: "overlay_analysis_cpp" /* OverlayAnalysisCpp */,
diff --git a/lib/start-proxy-action.js b/lib/start-proxy-action.js
index 31f1526c70..82458c2188 100644
--- a/lib/start-proxy-action.js
+++ b/lib/start-proxy-action.js
@@ -100185,6 +100185,7 @@ var actionsCache2 = __toESM(require_cache3());
 // src/config-utils.ts
 var OVERLAY_MINIMUM_AVAILABLE_DISK_SPACE_MB = 2e4;
 var OVERLAY_MINIMUM_AVAILABLE_DISK_SPACE_BYTES = OVERLAY_MINIMUM_AVAILABLE_DISK_SPACE_MB * 1e6;
+var OVERLAY_MINIMUM_MEMORY_MB = 5 * 1024;
 var OVERLAY_ANALYSIS_FEATURES = {
   actions: "overlay_analysis_actions" /* OverlayAnalysisActions */,
   cpp: "overlay_analysis_cpp" /* OverlayAnalysisCpp */,
diff --git a/lib/upload-lib.js b/lib/upload-lib.js
index e026ae89b9..9e5c8738ee 100644
--- a/lib/upload-lib.js
+++ b/lib/upload-lib.js
@@ -87240,6 +87240,7 @@ var actionsCache2 = __toESM(require_cache3());
 // src/config-utils.ts
 var OVERLAY_MINIMUM_AVAILABLE_DISK_SPACE_MB = 2e4;
 var OVERLAY_MINIMUM_AVAILABLE_DISK_SPACE_BYTES = OVERLAY_MINIMUM_AVAILABLE_DISK_SPACE_MB * 1e6;
+var OVERLAY_MINIMUM_MEMORY_MB = 5 * 1024;
 var OVERLAY_ANALYSIS_FEATURES = {
   actions: "overlay_analysis_actions" /* OverlayAnalysisActions */,
   cpp: "overlay_analysis_cpp" /* OverlayAnalysisCpp */,
diff --git a/lib/upload-sarif-action-post.js b/lib/upload-sarif-action-post.js
index f54ec4495d..42449d2187 100644
--- a/lib/upload-sarif-action-post.js
+++ b/lib/upload-sarif-action-post.js
@@ -119798,6 +119798,7 @@ var actionsCache2 = __toESM(require_cache3());
 // src/config-utils.ts
 var OVERLAY_MINIMUM_AVAILABLE_DISK_SPACE_MB = 2e4;
 var OVERLAY_MINIMUM_AVAILABLE_DISK_SPACE_BYTES = OVERLAY_MINIMUM_AVAILABLE_DISK_SPACE_MB * 1e6;
+var OVERLAY_MINIMUM_MEMORY_MB = 5 * 1024;
 var OVERLAY_ANALYSIS_FEATURES = {
   actions: "overlay_analysis_actions" /* OverlayAnalysisActions */,
   cpp: "overlay_analysis_cpp" /* OverlayAnalysisCpp */,
diff --git a/lib/upload-sarif-action.js b/lib/upload-sarif-action.js
index 231fac13c6..37dc6bbaff 100644
--- a/lib/upload-sarif-action.js
+++ b/lib/upload-sarif-action.js
@@ -87322,6 +87322,7 @@ var actionsCache2 = __toESM(require_cache3());
 // src/config-utils.ts
 var OVERLAY_MINIMUM_AVAILABLE_DISK_SPACE_MB = 2e4;
 var OVERLAY_MINIMUM_AVAILABLE_DISK_SPACE_BYTES = OVERLAY_MINIMUM_AVAILABLE_DISK_SPACE_MB * 1e6;
+var OVERLAY_MINIMUM_MEMORY_MB = 5 * 1024;
 var OVERLAY_ANALYSIS_FEATURES = {
   actions: "overlay_analysis_actions" /* OverlayAnalysisActions */,
   cpp: "overlay_analysis_cpp" /* OverlayAnalysisCpp */,
diff --git a/src/config-utils.ts b/src/config-utils.ts
index 4f3fadf662..15f56a350c 100644
--- a/src/config-utils.ts
+++ b/src/config-utils.ts
@@ -60,6 +60,14 @@ const OVERLAY_MINIMUM_AVAILABLE_DISK_SPACE_MB = 20000;
 const OVERLAY_MINIMUM_AVAILABLE_DISK_SPACE_BYTES =
   OVERLAY_MINIMUM_AVAILABLE_DISK_SPACE_MB * 1_000_000;
 
+/**
+ * The minimum memory (in MB) that must be available for CodeQL to perform overlay
+ * analysis. If CodeQL will be given less memory than this threshold, then the
+ * action will not perform overlay analysis unless overlay analysis has been
+ * explicitly enabled via environment variable.
+ */
+const OVERLAY_MINIMUM_MEMORY_MB = 5 * 1024;
+
 export type RegistryConfigWithCredentials = RegistryConfigNoCredentials & {
   // Token to use when downloading packs from this registry.
   token: string;
@@ -657,7 +665,7 @@ async function runnerSupportsOverlayAnalysis(
   }
 
   const memoryFlagValue = getMemoryFlagValue(ramInput, logger);
-  if (memoryFlagValue < 5 * 1024) {
+  if (memoryFlagValue < OVERLAY_MINIMUM_MEMORY_MB) {
     logger.info(
       `Setting overlay database mode to ${OverlayDatabaseMode.None} ` +
         `due to insufficient memory for CodeQL analysis (${memoryFlagValue} MB).`,

From 8d91fa189dd7a678f4f9b218f0e255362f1097d8 Mon Sep 17 00:00:00 2001
From: Kasper Svendsen <kaspersv@github.com>
Date: Thu, 27 Nov 2025 15:39:50 +0100
Subject: [PATCH 23/31] Rename getMemoryFlagValue

---
 lib/analyze-action.js    |  4 ++--
 lib/init-action.js       |  6 +++---
 src/config-utils.test.ts |  2 +-
 src/config-utils.ts      |  4 ++--
 src/init-action.ts       |  4 ++--
 src/util.ts              | 10 +++++-----
 6 files changed, 15 insertions(+), 15 deletions(-)

diff --git a/lib/analyze-action.js b/lib/analyze-action.js
index f4d98a7ff7..2ba02a47bb 100644
--- a/lib/analyze-action.js
+++ b/lib/analyze-action.js
@@ -87093,7 +87093,7 @@ function getCgroupMemoryLimitBytes(limitFile, logger) {
   );
   return limit;
 }
-function getMemoryFlagValue(userInput, logger) {
+function getCodeQLMemoryLimit(userInput, logger) {
   return getMemoryFlagValueForPlatform(
     userInput,
     getTotalMemoryBytes(logger),
@@ -87101,7 +87101,7 @@ function getMemoryFlagValue(userInput, logger) {
   );
 }
 function getMemoryFlag(userInput, logger) {
-  const megabytes = getMemoryFlagValue(userInput, logger);
+  const megabytes = getCodeQLMemoryLimit(userInput, logger);
   return `--ram=${megabytes}`;
 }
 function getThreadsFlagValue(userInput, logger) {
diff --git a/lib/init-action.js b/lib/init-action.js
index 7fc57970e5..a5dd93847a 100644
--- a/lib/init-action.js
+++ b/lib/init-action.js
@@ -84396,7 +84396,7 @@ function getCgroupMemoryLimitBytes(limitFile, logger) {
   );
   return limit;
 }
-function getMemoryFlagValue(userInput, logger) {
+function getCodeQLMemoryLimit(userInput, logger) {
   return getMemoryFlagValueForPlatform(
     userInput,
     getTotalMemoryBytes(logger),
@@ -86935,7 +86935,7 @@ async function runnerSupportsOverlayAnalysis(ramInput, logger) {
     );
     return false;
   }
-  const memoryFlagValue = getMemoryFlagValue(ramInput, logger);
+  const memoryFlagValue = getCodeQLMemoryLimit(ramInput, logger);
   if (memoryFlagValue < OVERLAY_MINIMUM_MEMORY_MB) {
     logger.info(
       `Setting overlay database mode to ${"none" /* None */} due to insufficient memory for CodeQL analysis (${memoryFlagValue} MB).`
@@ -90176,7 +90176,7 @@ exec ${goBinaryPath} "$@"`
     }
     core13.exportVariable(
       "CODEQL_RAM",
-      process.env["CODEQL_RAM"] || getMemoryFlagValue(getOptionalInput("ram"), logger).toString()
+      process.env["CODEQL_RAM"] || getCodeQLMemoryLimit(getOptionalInput("ram"), logger).toString()
     );
     core13.exportVariable(
       "CODEQL_THREADS",
diff --git a/src/config-utils.test.ts b/src/config-utils.test.ts
index d07aacde2e..9f4fb8f137 100644
--- a/src/config-utils.test.ts
+++ b/src/config-utils.test.ts
@@ -1040,7 +1040,7 @@ const getOverlayDatabaseModeMacro = test.macro({
           .stub(actionsUtil, "isAnalyzingPullRequest")
           .returns(setup.isPullRequest);
 
-        sinon.stub(util, "getMemoryFlagValue").returns(setup.memoryFlagValue);
+        sinon.stub(util, "getCodeQLMemoryLimit").returns(setup.memoryFlagValue);
 
         // Set up CodeQL mock
         const codeql = mockCodeQLVersion(setup.codeqlVersion);
diff --git a/src/config-utils.ts b/src/config-utils.ts
index 15f56a350c..34d625773d 100644
--- a/src/config-utils.ts
+++ b/src/config-utils.ts
@@ -44,7 +44,7 @@ import {
   cloneObject,
   isDefined,
   checkDiskUsage,
-  getMemoryFlagValue,
+  getCodeQLMemoryLimit,
 } from "./util";
 
 export * from "./config/db-config";
@@ -664,7 +664,7 @@ async function runnerSupportsOverlayAnalysis(
     return false;
   }
 
-  const memoryFlagValue = getMemoryFlagValue(ramInput, logger);
+  const memoryFlagValue = getCodeQLMemoryLimit(ramInput, logger);
   if (memoryFlagValue < OVERLAY_MINIMUM_MEMORY_MB) {
     logger.info(
       `Setting overlay database mode to ${OverlayDatabaseMode.None} ` +
diff --git a/src/init-action.ts b/src/init-action.ts
index 692f0370dd..8fa7899d8f 100644
--- a/src/init-action.ts
+++ b/src/init-action.ts
@@ -75,7 +75,7 @@ import {
   codeQlVersionAtLeast,
   DEFAULT_DEBUG_ARTIFACT_NAME,
   DEFAULT_DEBUG_DATABASE_NAME,
-  getMemoryFlagValue,
+  getCodeQLMemoryLimit,
   getRequiredEnvParam,
   getThreadsFlagValue,
   initializeEnvironment,
@@ -538,7 +538,7 @@ async function run() {
     core.exportVariable(
       "CODEQL_RAM",
       process.env["CODEQL_RAM"] ||
-        getMemoryFlagValue(getOptionalInput("ram"), logger).toString(),
+        getCodeQLMemoryLimit(getOptionalInput("ram"), logger).toString(),
     );
     core.exportVariable(
       "CODEQL_THREADS",
diff --git a/src/util.ts b/src/util.ts
index aefcc5a2af..7bcdb41621 100644
--- a/src/util.ts
+++ b/src/util.ts
@@ -309,13 +309,13 @@ function getCgroupMemoryLimitBytes(
 }
 
 /**
- * Get the value of the codeql `--ram` flag as configured by the `ram` input.
- * If no value was specified, the total available memory will be used minus a
+ * Get the maximum amount of memory CodeQL is allowed to use. If no limit has been
+ * configured by the user, then the total available memory will be used minus a
  * threshold reserved for the OS.
  *
- * @returns {number} the amount of RAM to use, in megabytes
+ * @returns {number} the amount of RAM CodeQL is allowed to use, in megabytes
  */
-export function getMemoryFlagValue(
+export function getCodeQLMemoryLimit(
   userInput: string | undefined,
   logger: Logger,
 ): number {
@@ -337,7 +337,7 @@ export function getMemoryFlag(
   userInput: string | undefined,
   logger: Logger,
 ): string {
-  const megabytes = getMemoryFlagValue(userInput, logger);
+  const megabytes = getCodeQLMemoryLimit(userInput, logger);
   return `--ram=${megabytes}`;
 }
 

From b02fa13292ce189c02cbb1ba5488f7dbbc8c6b14 Mon Sep 17 00:00:00 2001
From: Kasper Svendsen <kaspersv@github.com>
Date: Thu, 27 Nov 2025 15:42:17 +0100
Subject: [PATCH 24/31] Order feature flags alphabetically

---
 lib/analyze-action-post.js        |  8 ++++----
 lib/analyze-action.js             |  8 ++++----
 lib/autobuild-action.js           |  8 ++++----
 lib/init-action-post.js           |  8 ++++----
 lib/init-action.js                |  8 ++++----
 lib/resolve-environment-action.js |  8 ++++----
 lib/setup-codeql-action.js        |  8 ++++----
 lib/start-proxy-action-post.js    |  8 ++++----
 lib/start-proxy-action.js         |  8 ++++----
 lib/upload-lib.js                 |  8 ++++----
 lib/upload-sarif-action-post.js   |  8 ++++----
 lib/upload-sarif-action.js        |  8 ++++----
 src/feature-flags.ts              | 10 +++++-----
 13 files changed, 53 insertions(+), 53 deletions(-)

diff --git a/lib/analyze-action-post.js b/lib/analyze-action-post.js
index 69c8cd2370..0577f6b154 100644
--- a/lib/analyze-action-post.js
+++ b/lib/analyze-action-post.js
@@ -120181,14 +120181,14 @@ var featureConfig = {
     envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_RUST",
     minimumVersion: void 0
   },
-  ["overlay_analysis_swift" /* OverlayAnalysisSwift */]: {
+  ["overlay_analysis_skip_resource_checks" /* OverlayAnalysisSkipResourceChecks */]: {
     defaultValue: false,
-    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_SWIFT",
+    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_SKIP_RESOURCE_CHECKS",
     minimumVersion: void 0
   },
-  ["overlay_analysis_skip_resource_checks" /* OverlayAnalysisSkipResourceChecks */]: {
+  ["overlay_analysis_swift" /* OverlayAnalysisSwift */]: {
     defaultValue: false,
-    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_SKIP_RESOURCE_CHECKS",
+    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_SWIFT",
     minimumVersion: void 0
   },
   ["python_default_is_to_not_extract_stdlib" /* PythonDefaultIsToNotExtractStdlib */]: {
diff --git a/lib/analyze-action.js b/lib/analyze-action.js
index 2ba02a47bb..ac60a71e3b 100644
--- a/lib/analyze-action.js
+++ b/lib/analyze-action.js
@@ -88802,14 +88802,14 @@ var featureConfig = {
     envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_RUST",
     minimumVersion: void 0
   },
-  ["overlay_analysis_swift" /* OverlayAnalysisSwift */]: {
+  ["overlay_analysis_skip_resource_checks" /* OverlayAnalysisSkipResourceChecks */]: {
     defaultValue: false,
-    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_SWIFT",
+    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_SKIP_RESOURCE_CHECKS",
     minimumVersion: void 0
   },
-  ["overlay_analysis_skip_resource_checks" /* OverlayAnalysisSkipResourceChecks */]: {
+  ["overlay_analysis_swift" /* OverlayAnalysisSwift */]: {
     defaultValue: false,
-    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_SKIP_RESOURCE_CHECKS",
+    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_SWIFT",
     minimumVersion: void 0
   },
   ["python_default_is_to_not_extract_stdlib" /* PythonDefaultIsToNotExtractStdlib */]: {
diff --git a/lib/autobuild-action.js b/lib/autobuild-action.js
index 7b64276931..0c391dbd82 100644
--- a/lib/autobuild-action.js
+++ b/lib/autobuild-action.js
@@ -84121,14 +84121,14 @@ var featureConfig = {
     envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_RUST",
     minimumVersion: void 0
   },
-  ["overlay_analysis_swift" /* OverlayAnalysisSwift */]: {
+  ["overlay_analysis_skip_resource_checks" /* OverlayAnalysisSkipResourceChecks */]: {
     defaultValue: false,
-    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_SWIFT",
+    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_SKIP_RESOURCE_CHECKS",
     minimumVersion: void 0
   },
-  ["overlay_analysis_skip_resource_checks" /* OverlayAnalysisSkipResourceChecks */]: {
+  ["overlay_analysis_swift" /* OverlayAnalysisSwift */]: {
     defaultValue: false,
-    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_SKIP_RESOURCE_CHECKS",
+    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_SWIFT",
     minimumVersion: void 0
   },
   ["python_default_is_to_not_extract_stdlib" /* PythonDefaultIsToNotExtractStdlib */]: {
diff --git a/lib/init-action-post.js b/lib/init-action-post.js
index f26a8a6cde..f12ac4d896 100644
--- a/lib/init-action-post.js
+++ b/lib/init-action-post.js
@@ -123562,14 +123562,14 @@ var featureConfig = {
     envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_RUST",
     minimumVersion: void 0
   },
-  ["overlay_analysis_swift" /* OverlayAnalysisSwift */]: {
+  ["overlay_analysis_skip_resource_checks" /* OverlayAnalysisSkipResourceChecks */]: {
     defaultValue: false,
-    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_SWIFT",
+    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_SKIP_RESOURCE_CHECKS",
     minimumVersion: void 0
   },
-  ["overlay_analysis_skip_resource_checks" /* OverlayAnalysisSkipResourceChecks */]: {
+  ["overlay_analysis_swift" /* OverlayAnalysisSwift */]: {
     defaultValue: false,
-    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_SKIP_RESOURCE_CHECKS",
+    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_SWIFT",
     minimumVersion: void 0
   },
   ["python_default_is_to_not_extract_stdlib" /* PythonDefaultIsToNotExtractStdlib */]: {
diff --git a/lib/init-action.js b/lib/init-action.js
index a5dd93847a..b89763b9c4 100644
--- a/lib/init-action.js
+++ b/lib/init-action.js
@@ -86216,14 +86216,14 @@ var featureConfig = {
     envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_RUST",
     minimumVersion: void 0
   },
-  ["overlay_analysis_swift" /* OverlayAnalysisSwift */]: {
+  ["overlay_analysis_skip_resource_checks" /* OverlayAnalysisSkipResourceChecks */]: {
     defaultValue: false,
-    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_SWIFT",
+    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_SKIP_RESOURCE_CHECKS",
     minimumVersion: void 0
   },
-  ["overlay_analysis_skip_resource_checks" /* OverlayAnalysisSkipResourceChecks */]: {
+  ["overlay_analysis_swift" /* OverlayAnalysisSwift */]: {
     defaultValue: false,
-    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_SKIP_RESOURCE_CHECKS",
+    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_SWIFT",
     minimumVersion: void 0
   },
   ["python_default_is_to_not_extract_stdlib" /* PythonDefaultIsToNotExtractStdlib */]: {
diff --git a/lib/resolve-environment-action.js b/lib/resolve-environment-action.js
index 4c1ff07350..b39d65f2d8 100644
--- a/lib/resolve-environment-action.js
+++ b/lib/resolve-environment-action.js
@@ -84112,14 +84112,14 @@ var featureConfig = {
     envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_RUST",
     minimumVersion: void 0
   },
-  ["overlay_analysis_swift" /* OverlayAnalysisSwift */]: {
+  ["overlay_analysis_skip_resource_checks" /* OverlayAnalysisSkipResourceChecks */]: {
     defaultValue: false,
-    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_SWIFT",
+    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_SKIP_RESOURCE_CHECKS",
     minimumVersion: void 0
   },
-  ["overlay_analysis_skip_resource_checks" /* OverlayAnalysisSkipResourceChecks */]: {
+  ["overlay_analysis_swift" /* OverlayAnalysisSwift */]: {
     defaultValue: false,
-    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_SKIP_RESOURCE_CHECKS",
+    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_SWIFT",
     minimumVersion: void 0
   },
   ["python_default_is_to_not_extract_stdlib" /* PythonDefaultIsToNotExtractStdlib */]: {
diff --git a/lib/setup-codeql-action.js b/lib/setup-codeql-action.js
index 76baae1afc..24f26faca5 100644
--- a/lib/setup-codeql-action.js
+++ b/lib/setup-codeql-action.js
@@ -84024,14 +84024,14 @@ var featureConfig = {
     envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_RUST",
     minimumVersion: void 0
   },
-  ["overlay_analysis_swift" /* OverlayAnalysisSwift */]: {
+  ["overlay_analysis_skip_resource_checks" /* OverlayAnalysisSkipResourceChecks */]: {
     defaultValue: false,
-    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_SWIFT",
+    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_SKIP_RESOURCE_CHECKS",
     minimumVersion: void 0
   },
-  ["overlay_analysis_skip_resource_checks" /* OverlayAnalysisSkipResourceChecks */]: {
+  ["overlay_analysis_swift" /* OverlayAnalysisSwift */]: {
     defaultValue: false,
-    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_SKIP_RESOURCE_CHECKS",
+    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_SWIFT",
     minimumVersion: void 0
   },
   ["python_default_is_to_not_extract_stdlib" /* PythonDefaultIsToNotExtractStdlib */]: {
diff --git a/lib/start-proxy-action-post.js b/lib/start-proxy-action-post.js
index 2a299b8974..8243b3e41a 100644
--- a/lib/start-proxy-action-post.js
+++ b/lib/start-proxy-action-post.js
@@ -119587,14 +119587,14 @@ var featureConfig = {
     envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_RUST",
     minimumVersion: void 0
   },
-  ["overlay_analysis_swift" /* OverlayAnalysisSwift */]: {
+  ["overlay_analysis_skip_resource_checks" /* OverlayAnalysisSkipResourceChecks */]: {
     defaultValue: false,
-    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_SWIFT",
+    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_SKIP_RESOURCE_CHECKS",
     minimumVersion: void 0
   },
-  ["overlay_analysis_skip_resource_checks" /* OverlayAnalysisSkipResourceChecks */]: {
+  ["overlay_analysis_swift" /* OverlayAnalysisSwift */]: {
     defaultValue: false,
-    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_SKIP_RESOURCE_CHECKS",
+    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_SWIFT",
     minimumVersion: void 0
   },
   ["python_default_is_to_not_extract_stdlib" /* PythonDefaultIsToNotExtractStdlib */]: {
diff --git a/lib/start-proxy-action.js b/lib/start-proxy-action.js
index 82458c2188..cd17b0f156 100644
--- a/lib/start-proxy-action.js
+++ b/lib/start-proxy-action.js
@@ -100140,14 +100140,14 @@ var featureConfig = {
     envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_RUST",
     minimumVersion: void 0
   },
-  ["overlay_analysis_swift" /* OverlayAnalysisSwift */]: {
+  ["overlay_analysis_skip_resource_checks" /* OverlayAnalysisSkipResourceChecks */]: {
     defaultValue: false,
-    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_SWIFT",
+    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_SKIP_RESOURCE_CHECKS",
     minimumVersion: void 0
   },
-  ["overlay_analysis_skip_resource_checks" /* OverlayAnalysisSkipResourceChecks */]: {
+  ["overlay_analysis_swift" /* OverlayAnalysisSwift */]: {
     defaultValue: false,
-    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_SKIP_RESOURCE_CHECKS",
+    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_SWIFT",
     minimumVersion: void 0
   },
   ["python_default_is_to_not_extract_stdlib" /* PythonDefaultIsToNotExtractStdlib */]: {
diff --git a/lib/upload-lib.js b/lib/upload-lib.js
index 9e5c8738ee..9362f4ec53 100644
--- a/lib/upload-lib.js
+++ b/lib/upload-lib.js
@@ -87177,14 +87177,14 @@ var featureConfig = {
     envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_RUST",
     minimumVersion: void 0
   },
-  ["overlay_analysis_swift" /* OverlayAnalysisSwift */]: {
+  ["overlay_analysis_skip_resource_checks" /* OverlayAnalysisSkipResourceChecks */]: {
     defaultValue: false,
-    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_SWIFT",
+    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_SKIP_RESOURCE_CHECKS",
     minimumVersion: void 0
   },
-  ["overlay_analysis_skip_resource_checks" /* OverlayAnalysisSkipResourceChecks */]: {
+  ["overlay_analysis_swift" /* OverlayAnalysisSwift */]: {
     defaultValue: false,
-    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_SKIP_RESOURCE_CHECKS",
+    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_SWIFT",
     minimumVersion: void 0
   },
   ["python_default_is_to_not_extract_stdlib" /* PythonDefaultIsToNotExtractStdlib */]: {
diff --git a/lib/upload-sarif-action-post.js b/lib/upload-sarif-action-post.js
index 42449d2187..35495da738 100644
--- a/lib/upload-sarif-action-post.js
+++ b/lib/upload-sarif-action-post.js
@@ -119753,14 +119753,14 @@ var featureConfig = {
     envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_RUST",
     minimumVersion: void 0
   },
-  ["overlay_analysis_swift" /* OverlayAnalysisSwift */]: {
+  ["overlay_analysis_skip_resource_checks" /* OverlayAnalysisSkipResourceChecks */]: {
     defaultValue: false,
-    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_SWIFT",
+    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_SKIP_RESOURCE_CHECKS",
     minimumVersion: void 0
   },
-  ["overlay_analysis_skip_resource_checks" /* OverlayAnalysisSkipResourceChecks */]: {
+  ["overlay_analysis_swift" /* OverlayAnalysisSwift */]: {
     defaultValue: false,
-    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_SKIP_RESOURCE_CHECKS",
+    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_SWIFT",
     minimumVersion: void 0
   },
   ["python_default_is_to_not_extract_stdlib" /* PythonDefaultIsToNotExtractStdlib */]: {
diff --git a/lib/upload-sarif-action.js b/lib/upload-sarif-action.js
index 37dc6bbaff..77f8a7ad14 100644
--- a/lib/upload-sarif-action.js
+++ b/lib/upload-sarif-action.js
@@ -86974,14 +86974,14 @@ var featureConfig = {
     envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_RUST",
     minimumVersion: void 0
   },
-  ["overlay_analysis_swift" /* OverlayAnalysisSwift */]: {
+  ["overlay_analysis_skip_resource_checks" /* OverlayAnalysisSkipResourceChecks */]: {
     defaultValue: false,
-    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_SWIFT",
+    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_SKIP_RESOURCE_CHECKS",
     minimumVersion: void 0
   },
-  ["overlay_analysis_skip_resource_checks" /* OverlayAnalysisSkipResourceChecks */]: {
+  ["overlay_analysis_swift" /* OverlayAnalysisSwift */]: {
     defaultValue: false,
-    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_SKIP_RESOURCE_CHECKS",
+    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_SWIFT",
     minimumVersion: void 0
   },
   ["python_default_is_to_not_extract_stdlib" /* PythonDefaultIsToNotExtractStdlib */]: {
diff --git a/src/feature-flags.ts b/src/feature-flags.ts
index 2085dccc40..999ed20d7b 100644
--- a/src/feature-flags.ts
+++ b/src/feature-flags.ts
@@ -75,8 +75,8 @@ export enum Feature {
   OverlayAnalysisPython = "overlay_analysis_python",
   OverlayAnalysisRuby = "overlay_analysis_ruby",
   OverlayAnalysisRust = "overlay_analysis_rust",
-  OverlayAnalysisSwift = "overlay_analysis_swift",
   OverlayAnalysisSkipResourceChecks = "overlay_analysis_skip_resource_checks",
+  OverlayAnalysisSwift = "overlay_analysis_swift",
   PythonDefaultIsToNotExtractStdlib = "python_default_is_to_not_extract_stdlib",
   QaTelemetryEnabled = "qa_telemetry_enabled",
   UploadOverlayDbToApi = "upload_overlay_db_to_api",
@@ -279,14 +279,14 @@ export const featureConfig: Record<
     envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_RUST",
     minimumVersion: undefined,
   },
-  [Feature.OverlayAnalysisSwift]: {
+  [Feature.OverlayAnalysisSkipResourceChecks]: {
     defaultValue: false,
-    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_SWIFT",
+    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_SKIP_RESOURCE_CHECKS",
     minimumVersion: undefined,
   },
-  [Feature.OverlayAnalysisSkipResourceChecks]: {
+  [Feature.OverlayAnalysisSwift]: {
     defaultValue: false,
-    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_SKIP_RESOURCE_CHECKS",
+    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_SWIFT",
     minimumVersion: undefined,
   },
   [Feature.PythonDefaultIsToNotExtractStdlib]: {

From 58c5954801c246a3975b658372285b37c45de271 Mon Sep 17 00:00:00 2001
From: Kasper Svendsen <kaspersv@github.com>
Date: Thu, 27 Nov 2025 15:45:17 +0100
Subject: [PATCH 25/31] Add comment to runnerSupportsOverlayAnalysis

---
 src/config-utils.ts | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/src/config-utils.ts b/src/config-utils.ts
index 34d625773d..7376d5aab6 100644
--- a/src/config-utils.ts
+++ b/src/config-utils.ts
@@ -644,6 +644,10 @@ async function isOverlayAnalysisFeatureEnabled(
   return true;
 }
 
+/**
+ * Checks if the runner supports overlay analysis based on available disk space
+ * and the maximum memory CodeQL will be allowed to use.
+ */
 async function runnerSupportsOverlayAnalysis(
   ramInput: string | undefined,
   logger: Logger,

From f7abc748a3da068e17cfd0e1086e8d72e51f17b6 Mon Sep 17 00:00:00 2001
From: "Michael B. Gale" <mbg@github.com>
Date: Fri, 28 Nov 2025 09:12:53 +0000
Subject: [PATCH 26/31] Remove branch filter for PR event in CodeQL workflow

---
 .github/workflows/codeql.yml | 1 -
 1 file changed, 1 deletion(-)

diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 8ea440089d..999aa6dfd0 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -4,7 +4,6 @@ on:
   push:
     branches: [main, releases/v*]
   pull_request:
-    branches: [main, releases/v*]
     # Run checks on reopened draft PRs to support triggering PR checks on draft PRs that were opened
     # by other workflows.
     types: [opened, synchronize, reopened, ready_for_review]

From 88c2ab5eee3b475eef2f7aabf89bd9f052153d91 Mon Sep 17 00:00:00 2001
From: "github-actions[bot]"
 <41898282+github-actions[bot]@users.noreply.github.com>
Date: Mon, 1 Dec 2025 09:26:09 +0000
Subject: [PATCH 27/31] Update changelog for v4.31.6

---
 CHANGELOG.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 1359cdfd9c..5fe221f689 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,7 +2,7 @@
 
 See the [releases page](https://github.com/github/codeql-action/releases) for the relevant changes to the CodeQL CLI and language packs.
 
-## [UNRELEASED]
+## 4.31.6 - 01 Dec 2025
 
 No user facing changes.
 

From 249860e3235e6bdecea3b8b67c9e81e09014e6c1 Mon Sep 17 00:00:00 2001
From: "github-actions[bot]"
 <41898282+github-actions[bot]@users.noreply.github.com>
Date: Mon, 1 Dec 2025 09:52:49 +0000
Subject: [PATCH 28/31] Revert "Update version and changelog for v3.31.5"

This reverts commit 2e2a1cf1efa1744505b377816c8e7d648c93ff8e.
---
 CHANGELOG.md | 27 +++++++++++++++++----------
 package.json |  2 +-
 2 files changed, 18 insertions(+), 11 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 9a4ea727e4..762aa1db86 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,44 +2,44 @@
 
 See the [releases page](https://github.com/github/codeql-action/releases) for the relevant changes to the CodeQL CLI and language packs.
 
-## 3.31.5 - 24 Nov 2025
+## 4.31.5 - 24 Nov 2025
 
 - Update default CodeQL bundle version to 2.23.6. [#3321](https://github.com/github/codeql-action/pull/3321)
 
-## 3.31.4 - 18 Nov 2025
+## 4.31.4 - 18 Nov 2025
 
 No user facing changes.
 
-## 3.31.3 - 13 Nov 2025
+## 4.31.3 - 13 Nov 2025
 
 - CodeQL Action v3 will be deprecated in December 2026.  The Action now logs a warning for customers who are running v3 but could be running v4. For more information, see [Upcoming deprecation of CodeQL Action v3](https://github.blog/changelog/2025-10-28-upcoming-deprecation-of-codeql-action-v3/).
 - Update default CodeQL bundle version to 2.23.5. [#3288](https://github.com/github/codeql-action/pull/3288)
 
-## 3.31.2 - 30 Oct 2025
+## 4.31.2 - 30 Oct 2025
 
 No user facing changes.
 
-## 3.31.1 - 30 Oct 2025
+## 4.31.1 - 30 Oct 2025
 
 - The `add-snippets` input has been removed from the `analyze` action. This input has been deprecated since CodeQL Action 3.26.4 in August 2024 when this removal was announced.
 
-## 3.31.0 - 24 Oct 2025
+## 4.31.0 - 24 Oct 2025
 
 - Bump minimum CodeQL bundle version to 2.17.6. [#3223](https://github.com/github/codeql-action/pull/3223)
 - When SARIF files are uploaded by the `analyze` or `upload-sarif` actions, the CodeQL Action automatically performs post-processing steps to prepare the data for the upload. Previously, these post-processing steps were only performed before an upload took place. We are now changing this so that the post-processing steps will always be performed, even when the SARIF files are not uploaded. This does not change anything for the `upload-sarif` action. For `analyze`, this may affect Advanced Setup for CodeQL users who specify a value other than `always` for the `upload` input. [#3222](https://github.com/github/codeql-action/pull/3222)
 
-## 3.30.9 - 17 Oct 2025
+## 4.30.9 - 17 Oct 2025
 
 - Update default CodeQL bundle version to 2.23.3. [#3205](https://github.com/github/codeql-action/pull/3205)
 - Experimental: A new `setup-codeql` action has been added which is similar to `init`, except it only installs the CodeQL CLI and does not initialize a database. Do not use this in production as it is part of an internal experiment and subject to change at any time. [#3204](https://github.com/github/codeql-action/pull/3204)
 
-## 3.30.8 - 10 Oct 2025
+## 4.30.8 - 10 Oct 2025
 
 No user facing changes.
 
-## 3.30.7 - 06 Oct 2025
+## 4.30.7 - 06 Oct 2025
 
-No user facing changes.
+- [v4+ only] The CodeQL Action now runs on Node.js v24. [#3169](https://github.com/github/codeql-action/pull/3169)
 
 ## 3.30.6 - 02 Oct 2025
 
@@ -275,13 +275,17 @@ No user facing changes.
 ## 3.26.12 - 07 Oct 2024
 
 - _Upcoming breaking change_: Add a deprecation warning for customers using CodeQL version 2.14.5 and earlier. These versions of CodeQL were discontinued on 24 September 2024 alongside GitHub Enterprise Server 3.10, and will be unsupported by CodeQL Action versions 3.27.0 and later and versions 2.27.0 and later. [#2520](https://github.com/github/codeql-action/pull/2520)
+
   - If you are using one of these versions, please update to CodeQL CLI version 2.14.6 or later. For instance, if you have specified a custom version of the CLI using the 'tools' input to the 'init' Action, you can remove this input to use the default version.
+
   - Alternatively, if you want to continue using a version of the CodeQL CLI between 2.13.5 and 2.14.5, you can replace `github/codeql-action/*@v3` by `github/codeql-action/*@v3.26.11` and `github/codeql-action/*@v2` by `github/codeql-action/*@v2.26.11` in your code scanning workflow to ensure you continue using this version of the CodeQL Action.
 
 ## 3.26.11 - 03 Oct 2024
 
 - _Upcoming breaking change_: Add support for using `actions/download-artifact@v4` to programmatically consume CodeQL Action debug artifacts.
+
   Starting November 30, 2024, GitHub.com customers will [no longer be able to use `actions/download-artifact@v3`](https://github.blog/changelog/2024-04-16-deprecation-notice-v3-of-the-artifact-actions/). Therefore, to avoid breakage, customers who programmatically download the CodeQL Action debug artifacts should set the `CODEQL_ACTION_ARTIFACT_V4_UPGRADE` environment variable to `true` and bump `actions/download-artifact@v3` to `actions/download-artifact@v4` in their workflows. The CodeQL Action will enable this behavior by default in early November and workflows that have not yet bumped `actions/download-artifact@v3` to `actions/download-artifact@v4` will begin failing then.
+
   This change is currently unavailable for GitHub Enterprise Server customers, as `actions/upload-artifact@v4` and `actions/download-artifact@v4` are not yet compatible with GHES.
 - Update default CodeQL bundle version to 2.19.1. [#2519](https://github.com/github/codeql-action/pull/2519)
 
@@ -404,9 +408,12 @@ No user facing changes.
 ## 3.25.0 - 15 Apr 2024
 
 - The deprecated feature for extracting dependencies for a Python analysis has been removed. [#2224](https://github.com/github/codeql-action/pull/2224)
+
   As a result, the following inputs and environment variables are now ignored:
+
   - The `setup-python-dependencies` input to the `init` Action
   - The `CODEQL_ACTION_DISABLE_PYTHON_DEPENDENCY_INSTALLATION` environment variable
+
   We recommend removing any references to these from your workflows. For more information, see the release notes for CodeQL Action v3.23.0 and v2.23.0.
 - Automatically overwrite an existing database if found on the filesystem. [#2229](https://github.com/github/codeql-action/pull/2229)
 - Bump the minimum CodeQL bundle version to 2.12.6. [#2232](https://github.com/github/codeql-action/pull/2232)
diff --git a/package.json b/package.json
index 2f9cd849e1..61317b90ac 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "codeql",
-  "version": "3.31.5",
+  "version": "4.31.5",
   "private": true,
   "description": "CodeQL action",
   "scripts": {

From e439418aabfbfc116068f6210ba245e1d5b870aa Mon Sep 17 00:00:00 2001
From: "github-actions[bot]"
 <41898282+github-actions[bot]@users.noreply.github.com>
Date: Mon, 1 Dec 2025 09:52:49 +0000
Subject: [PATCH 29/31] Revert "Rebuild"

This reverts commit c12d7c1f2defa248cf1f6a81d9e2e4bde87cd0c1.
---
 lib/analyze-action-post.js        | 2 +-
 lib/analyze-action.js             | 2 +-
 lib/autobuild-action.js           | 2 +-
 lib/init-action-post.js           | 2 +-
 lib/init-action.js                | 2 +-
 lib/resolve-environment-action.js | 2 +-
 lib/setup-codeql-action.js        | 2 +-
 lib/start-proxy-action-post.js    | 2 +-
 lib/start-proxy-action.js         | 2 +-
 lib/upload-lib.js                 | 2 +-
 lib/upload-sarif-action-post.js   | 2 +-
 lib/upload-sarif-action.js        | 2 +-
 12 files changed, 12 insertions(+), 12 deletions(-)

diff --git a/lib/analyze-action-post.js b/lib/analyze-action-post.js
index 6c0ec51c71..13589f4965 100644
--- a/lib/analyze-action-post.js
+++ b/lib/analyze-action-post.js
@@ -27627,7 +27627,7 @@ var require_package = __commonJS({
   "package.json"(exports2, module2) {
     module2.exports = {
       name: "codeql",
-      version: "3.31.5",
+      version: "4.31.5",
       private: true,
       description: "CodeQL action",
       scripts: {
diff --git a/lib/analyze-action.js b/lib/analyze-action.js
index 9686400cd7..6f1a1bf428 100644
--- a/lib/analyze-action.js
+++ b/lib/analyze-action.js
@@ -27627,7 +27627,7 @@ var require_package = __commonJS({
   "package.json"(exports2, module2) {
     module2.exports = {
       name: "codeql",
-      version: "3.31.5",
+      version: "4.31.5",
       private: true,
       description: "CodeQL action",
       scripts: {
diff --git a/lib/autobuild-action.js b/lib/autobuild-action.js
index 3bee19b2b0..9a7251809f 100644
--- a/lib/autobuild-action.js
+++ b/lib/autobuild-action.js
@@ -27627,7 +27627,7 @@ var require_package = __commonJS({
   "package.json"(exports2, module2) {
     module2.exports = {
       name: "codeql",
-      version: "3.31.5",
+      version: "4.31.5",
       private: true,
       description: "CodeQL action",
       scripts: {
diff --git a/lib/init-action-post.js b/lib/init-action-post.js
index 767a6b334a..89948b8a14 100644
--- a/lib/init-action-post.js
+++ b/lib/init-action-post.js
@@ -27627,7 +27627,7 @@ var require_package = __commonJS({
   "package.json"(exports2, module2) {
     module2.exports = {
       name: "codeql",
-      version: "3.31.5",
+      version: "4.31.5",
       private: true,
       description: "CodeQL action",
       scripts: {
diff --git a/lib/init-action.js b/lib/init-action.js
index 1cec2410e3..f8407c208d 100644
--- a/lib/init-action.js
+++ b/lib/init-action.js
@@ -27627,7 +27627,7 @@ var require_package = __commonJS({
   "package.json"(exports2, module2) {
     module2.exports = {
       name: "codeql",
-      version: "3.31.5",
+      version: "4.31.5",
       private: true,
       description: "CodeQL action",
       scripts: {
diff --git a/lib/resolve-environment-action.js b/lib/resolve-environment-action.js
index 3c63f078b8..48ebce48f2 100644
--- a/lib/resolve-environment-action.js
+++ b/lib/resolve-environment-action.js
@@ -27627,7 +27627,7 @@ var require_package = __commonJS({
   "package.json"(exports2, module2) {
     module2.exports = {
       name: "codeql",
-      version: "3.31.5",
+      version: "4.31.5",
       private: true,
       description: "CodeQL action",
       scripts: {
diff --git a/lib/setup-codeql-action.js b/lib/setup-codeql-action.js
index 368c33175f..f1182b65c7 100644
--- a/lib/setup-codeql-action.js
+++ b/lib/setup-codeql-action.js
@@ -27627,7 +27627,7 @@ var require_package = __commonJS({
   "package.json"(exports2, module2) {
     module2.exports = {
       name: "codeql",
-      version: "3.31.5",
+      version: "4.31.5",
       private: true,
       description: "CodeQL action",
       scripts: {
diff --git a/lib/start-proxy-action-post.js b/lib/start-proxy-action-post.js
index 84d49fdcc8..cdac66bef0 100644
--- a/lib/start-proxy-action-post.js
+++ b/lib/start-proxy-action-post.js
@@ -27627,7 +27627,7 @@ var require_package = __commonJS({
   "package.json"(exports2, module2) {
     module2.exports = {
       name: "codeql",
-      version: "3.31.5",
+      version: "4.31.5",
       private: true,
       description: "CodeQL action",
       scripts: {
diff --git a/lib/start-proxy-action.js b/lib/start-proxy-action.js
index 8b0bbc773c..3c2490783a 100644
--- a/lib/start-proxy-action.js
+++ b/lib/start-proxy-action.js
@@ -47285,7 +47285,7 @@ var require_package = __commonJS({
   "package.json"(exports2, module2) {
     module2.exports = {
       name: "codeql",
-      version: "3.31.5",
+      version: "4.31.5",
       private: true,
       description: "CodeQL action",
       scripts: {
diff --git a/lib/upload-lib.js b/lib/upload-lib.js
index 31fd9d68bd..53eaa204e3 100644
--- a/lib/upload-lib.js
+++ b/lib/upload-lib.js
@@ -28924,7 +28924,7 @@ var require_package = __commonJS({
   "package.json"(exports2, module2) {
     module2.exports = {
       name: "codeql",
-      version: "3.31.5",
+      version: "4.31.5",
       private: true,
       description: "CodeQL action",
       scripts: {
diff --git a/lib/upload-sarif-action-post.js b/lib/upload-sarif-action-post.js
index 646d3e83ae..87ef62a45d 100644
--- a/lib/upload-sarif-action-post.js
+++ b/lib/upload-sarif-action-post.js
@@ -27627,7 +27627,7 @@ var require_package = __commonJS({
   "package.json"(exports2, module2) {
     module2.exports = {
       name: "codeql",
-      version: "3.31.5",
+      version: "4.31.5",
       private: true,
       description: "CodeQL action",
       scripts: {
diff --git a/lib/upload-sarif-action.js b/lib/upload-sarif-action.js
index 6967218cd4..574910f02f 100644
--- a/lib/upload-sarif-action.js
+++ b/lib/upload-sarif-action.js
@@ -27627,7 +27627,7 @@ var require_package = __commonJS({
   "package.json"(exports2, module2) {
     module2.exports = {
       name: "codeql",
-      version: "3.31.5",
+      version: "4.31.5",
       private: true,
       description: "CodeQL action",
       scripts: {

From dbf6819ebd5d23c6127cd3e65d4bb836b9fc3cb4 Mon Sep 17 00:00:00 2001
From: "github-actions[bot]"
 <41898282+github-actions[bot]@users.noreply.github.com>
Date: Mon, 1 Dec 2025 09:52:51 +0000
Subject: [PATCH 30/31] Update version and changelog for v3.31.6

---
 CHANGELOG.md | 29 +++++++++++------------------
 package.json |  2 +-
 2 files changed, 12 insertions(+), 19 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 5fe221f689..231ecb7a3d 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,48 +2,48 @@
 
 See the [releases page](https://github.com/github/codeql-action/releases) for the relevant changes to the CodeQL CLI and language packs.
 
-## 4.31.6 - 01 Dec 2025
+## 3.31.6 - 01 Dec 2025
 
 No user facing changes.
 
-## 4.31.5 - 24 Nov 2025
+## 3.31.5 - 24 Nov 2025
 
 - Update default CodeQL bundle version to 2.23.6. [#3321](https://github.com/github/codeql-action/pull/3321)
 
-## 4.31.4 - 18 Nov 2025
+## 3.31.4 - 18 Nov 2025
 
 No user facing changes.
 
-## 4.31.3 - 13 Nov 2025
+## 3.31.3 - 13 Nov 2025
 
 - CodeQL Action v3 will be deprecated in December 2026.  The Action now logs a warning for customers who are running v3 but could be running v4. For more information, see [Upcoming deprecation of CodeQL Action v3](https://github.blog/changelog/2025-10-28-upcoming-deprecation-of-codeql-action-v3/).
 - Update default CodeQL bundle version to 2.23.5. [#3288](https://github.com/github/codeql-action/pull/3288)
 
-## 4.31.2 - 30 Oct 2025
+## 3.31.2 - 30 Oct 2025
 
 No user facing changes.
 
-## 4.31.1 - 30 Oct 2025
+## 3.31.1 - 30 Oct 2025
 
 - The `add-snippets` input has been removed from the `analyze` action. This input has been deprecated since CodeQL Action 3.26.4 in August 2024 when this removal was announced.
 
-## 4.31.0 - 24 Oct 2025
+## 3.31.0 - 24 Oct 2025
 
 - Bump minimum CodeQL bundle version to 2.17.6. [#3223](https://github.com/github/codeql-action/pull/3223)
 - When SARIF files are uploaded by the `analyze` or `upload-sarif` actions, the CodeQL Action automatically performs post-processing steps to prepare the data for the upload. Previously, these post-processing steps were only performed before an upload took place. We are now changing this so that the post-processing steps will always be performed, even when the SARIF files are not uploaded. This does not change anything for the `upload-sarif` action. For `analyze`, this may affect Advanced Setup for CodeQL users who specify a value other than `always` for the `upload` input. [#3222](https://github.com/github/codeql-action/pull/3222)
 
-## 4.30.9 - 17 Oct 2025
+## 3.30.9 - 17 Oct 2025
 
 - Update default CodeQL bundle version to 2.23.3. [#3205](https://github.com/github/codeql-action/pull/3205)
 - Experimental: A new `setup-codeql` action has been added which is similar to `init`, except it only installs the CodeQL CLI and does not initialize a database. Do not use this in production as it is part of an internal experiment and subject to change at any time. [#3204](https://github.com/github/codeql-action/pull/3204)
 
-## 4.30.8 - 10 Oct 2025
+## 3.30.8 - 10 Oct 2025
 
 No user facing changes.
 
-## 4.30.7 - 06 Oct 2025
+## 3.30.7 - 06 Oct 2025
 
-- [v4+ only] The CodeQL Action now runs on Node.js v24. [#3169](https://github.com/github/codeql-action/pull/3169)
+No user facing changes.
 
 ## 3.30.6 - 02 Oct 2025
 
@@ -279,17 +279,13 @@ No user facing changes.
 ## 3.26.12 - 07 Oct 2024
 
 - _Upcoming breaking change_: Add a deprecation warning for customers using CodeQL version 2.14.5 and earlier. These versions of CodeQL were discontinued on 24 September 2024 alongside GitHub Enterprise Server 3.10, and will be unsupported by CodeQL Action versions 3.27.0 and later and versions 2.27.0 and later. [#2520](https://github.com/github/codeql-action/pull/2520)
-
   - If you are using one of these versions, please update to CodeQL CLI version 2.14.6 or later. For instance, if you have specified a custom version of the CLI using the 'tools' input to the 'init' Action, you can remove this input to use the default version.
-
   - Alternatively, if you want to continue using a version of the CodeQL CLI between 2.13.5 and 2.14.5, you can replace `github/codeql-action/*@v3` by `github/codeql-action/*@v3.26.11` and `github/codeql-action/*@v2` by `github/codeql-action/*@v2.26.11` in your code scanning workflow to ensure you continue using this version of the CodeQL Action.
 
 ## 3.26.11 - 03 Oct 2024
 
 - _Upcoming breaking change_: Add support for using `actions/download-artifact@v4` to programmatically consume CodeQL Action debug artifacts.
-
   Starting November 30, 2024, GitHub.com customers will [no longer be able to use `actions/download-artifact@v3`](https://github.blog/changelog/2024-04-16-deprecation-notice-v3-of-the-artifact-actions/). Therefore, to avoid breakage, customers who programmatically download the CodeQL Action debug artifacts should set the `CODEQL_ACTION_ARTIFACT_V4_UPGRADE` environment variable to `true` and bump `actions/download-artifact@v3` to `actions/download-artifact@v4` in their workflows. The CodeQL Action will enable this behavior by default in early November and workflows that have not yet bumped `actions/download-artifact@v3` to `actions/download-artifact@v4` will begin failing then.
-
   This change is currently unavailable for GitHub Enterprise Server customers, as `actions/upload-artifact@v4` and `actions/download-artifact@v4` are not yet compatible with GHES.
 - Update default CodeQL bundle version to 2.19.1. [#2519](https://github.com/github/codeql-action/pull/2519)
 
@@ -412,12 +408,9 @@ No user facing changes.
 ## 3.25.0 - 15 Apr 2024
 
 - The deprecated feature for extracting dependencies for a Python analysis has been removed. [#2224](https://github.com/github/codeql-action/pull/2224)
-
   As a result, the following inputs and environment variables are now ignored:
-
   - The `setup-python-dependencies` input to the `init` Action
   - The `CODEQL_ACTION_DISABLE_PYTHON_DEPENDENCY_INSTALLATION` environment variable
-
   We recommend removing any references to these from your workflows. For more information, see the release notes for CodeQL Action v3.23.0 and v2.23.0.
 - Automatically overwrite an existing database if found on the filesystem. [#2229](https://github.com/github/codeql-action/pull/2229)
 - Bump the minimum CodeQL bundle version to 2.12.6. [#2232](https://github.com/github/codeql-action/pull/2232)
diff --git a/package.json b/package.json
index 14f1e770e6..e379ea04fe 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "codeql",
-  "version": "4.31.6",
+  "version": "3.31.6",
   "private": true,
   "description": "CodeQL action",
   "scripts": {

From 89cb79a131a8a6dde4d0c5c300de8f62bc7fa7e7 Mon Sep 17 00:00:00 2001
From: "github-actions[bot]"
 <41898282+github-actions[bot]@users.noreply.github.com>
Date: Mon, 1 Dec 2025 09:59:32 +0000
Subject: [PATCH 31/31] Rebuild

---
 lib/analyze-action-post.js        | 2 +-
 lib/analyze-action.js             | 2 +-
 lib/autobuild-action.js           | 2 +-
 lib/init-action-post.js           | 2 +-
 lib/init-action.js                | 2 +-
 lib/resolve-environment-action.js | 2 +-
 lib/setup-codeql-action.js        | 2 +-
 lib/start-proxy-action-post.js    | 2 +-
 lib/start-proxy-action.js         | 2 +-
 lib/upload-lib.js                 | 2 +-
 lib/upload-sarif-action-post.js   | 2 +-
 lib/upload-sarif-action.js        | 2 +-
 12 files changed, 12 insertions(+), 12 deletions(-)

diff --git a/lib/analyze-action-post.js b/lib/analyze-action-post.js
index 2dd4d601dd..9a172a87d7 100644
--- a/lib/analyze-action-post.js
+++ b/lib/analyze-action-post.js
@@ -27627,7 +27627,7 @@ var require_package = __commonJS({
   "package.json"(exports2, module2) {
     module2.exports = {
       name: "codeql",
-      version: "4.31.6",
+      version: "3.31.6",
       private: true,
       description: "CodeQL action",
       scripts: {
diff --git a/lib/analyze-action.js b/lib/analyze-action.js
index 1ee89a8320..d18b762275 100644
--- a/lib/analyze-action.js
+++ b/lib/analyze-action.js
@@ -27627,7 +27627,7 @@ var require_package = __commonJS({
   "package.json"(exports2, module2) {
     module2.exports = {
       name: "codeql",
-      version: "4.31.6",
+      version: "3.31.6",
       private: true,
       description: "CodeQL action",
       scripts: {
diff --git a/lib/autobuild-action.js b/lib/autobuild-action.js
index 520a42f6a9..77be381954 100644
--- a/lib/autobuild-action.js
+++ b/lib/autobuild-action.js
@@ -27627,7 +27627,7 @@ var require_package = __commonJS({
   "package.json"(exports2, module2) {
     module2.exports = {
       name: "codeql",
-      version: "4.31.6",
+      version: "3.31.6",
       private: true,
       description: "CodeQL action",
       scripts: {
diff --git a/lib/init-action-post.js b/lib/init-action-post.js
index 841e2eaabc..015acae08f 100644
--- a/lib/init-action-post.js
+++ b/lib/init-action-post.js
@@ -27627,7 +27627,7 @@ var require_package = __commonJS({
   "package.json"(exports2, module2) {
     module2.exports = {
       name: "codeql",
-      version: "4.31.6",
+      version: "3.31.6",
       private: true,
       description: "CodeQL action",
       scripts: {
diff --git a/lib/init-action.js b/lib/init-action.js
index 05ee04747a..1a47cf98c0 100644
--- a/lib/init-action.js
+++ b/lib/init-action.js
@@ -27627,7 +27627,7 @@ var require_package = __commonJS({
   "package.json"(exports2, module2) {
     module2.exports = {
       name: "codeql",
-      version: "4.31.6",
+      version: "3.31.6",
       private: true,
       description: "CodeQL action",
       scripts: {
diff --git a/lib/resolve-environment-action.js b/lib/resolve-environment-action.js
index 4eee8e6ca3..ec4372d02f 100644
--- a/lib/resolve-environment-action.js
+++ b/lib/resolve-environment-action.js
@@ -27627,7 +27627,7 @@ var require_package = __commonJS({
   "package.json"(exports2, module2) {
     module2.exports = {
       name: "codeql",
-      version: "4.31.6",
+      version: "3.31.6",
       private: true,
       description: "CodeQL action",
       scripts: {
diff --git a/lib/setup-codeql-action.js b/lib/setup-codeql-action.js
index 019d53e311..132d9cb777 100644
--- a/lib/setup-codeql-action.js
+++ b/lib/setup-codeql-action.js
@@ -27627,7 +27627,7 @@ var require_package = __commonJS({
   "package.json"(exports2, module2) {
     module2.exports = {
       name: "codeql",
-      version: "4.31.6",
+      version: "3.31.6",
       private: true,
       description: "CodeQL action",
       scripts: {
diff --git a/lib/start-proxy-action-post.js b/lib/start-proxy-action-post.js
index 95c4a1ffd5..8c859ea91c 100644
--- a/lib/start-proxy-action-post.js
+++ b/lib/start-proxy-action-post.js
@@ -27627,7 +27627,7 @@ var require_package = __commonJS({
   "package.json"(exports2, module2) {
     module2.exports = {
       name: "codeql",
-      version: "4.31.6",
+      version: "3.31.6",
       private: true,
       description: "CodeQL action",
       scripts: {
diff --git a/lib/start-proxy-action.js b/lib/start-proxy-action.js
index 271c38e7ec..ce7fbb168f 100644
--- a/lib/start-proxy-action.js
+++ b/lib/start-proxy-action.js
@@ -47321,7 +47321,7 @@ var require_package = __commonJS({
   "package.json"(exports2, module2) {
     module2.exports = {
       name: "codeql",
-      version: "4.31.6",
+      version: "3.31.6",
       private: true,
       description: "CodeQL action",
       scripts: {
diff --git a/lib/upload-lib.js b/lib/upload-lib.js
index 5c04f54973..d9ad883bfa 100644
--- a/lib/upload-lib.js
+++ b/lib/upload-lib.js
@@ -28924,7 +28924,7 @@ var require_package = __commonJS({
   "package.json"(exports2, module2) {
     module2.exports = {
       name: "codeql",
-      version: "4.31.6",
+      version: "3.31.6",
       private: true,
       description: "CodeQL action",
       scripts: {
diff --git a/lib/upload-sarif-action-post.js b/lib/upload-sarif-action-post.js
index 5fb0b0d77d..69fbcd0142 100644
--- a/lib/upload-sarif-action-post.js
+++ b/lib/upload-sarif-action-post.js
@@ -27627,7 +27627,7 @@ var require_package = __commonJS({
   "package.json"(exports2, module2) {
     module2.exports = {
       name: "codeql",
-      version: "4.31.6",
+      version: "3.31.6",
       private: true,
       description: "CodeQL action",
       scripts: {
diff --git a/lib/upload-sarif-action.js b/lib/upload-sarif-action.js
index 09f6f8d53e..921a7f41ba 100644
--- a/lib/upload-sarif-action.js
+++ b/lib/upload-sarif-action.js
@@ -27627,7 +27627,7 @@ var require_package = __commonJS({
   "package.json"(exports2, module2) {
     module2.exports = {
       name: "codeql",
-      version: "4.31.6",
+      version: "3.31.6",
       private: true,
       description: "CodeQL action",
       scripts: {