Merge remote-tracking branch 'origin/main' into mbg/start-proxy/token-check-fixes

.github/workflows/post-release-mergeback.yml

@@ -131,7 +131,7 @@ jobs:
           echo "::endgroup::"
 
       - name: Generate token
-        uses: actions/create-github-app-token@v2.2.1
+        uses: actions/create-github-app-token@v3.0.0
         id: app-token
         with:
           app-id: ${{ vars.AUTOMATION_APP_ID }}

.github/workflows/rollback-release.yml

@@ -136,7 +136,7 @@ jobs:
 
       - name: Generate token
         if: github.event_name == 'workflow_dispatch'
-        uses: actions/create-github-app-token@v2.2.1
+        uses: actions/create-github-app-token@v3.0.0
         id: app-token
         with:
           app-id: ${{ vars.AUTOMATION_APP_ID }}

.github/workflows/update-release-branch.yml

@@ -93,7 +93,7 @@ jobs:
       pull-requests: write # needed to create pull request
     steps:
     - name: Generate token
-      uses: actions/create-github-app-token@v2.2.1
+      uses: actions/create-github-app-token@v3.0.0
       id: app-token
       with:
         app-id: ${{ vars.AUTOMATION_APP_ID }}

CHANGELOG.md

@@ -4,7 +4,17 @@ See the [releases page](https://github.com/github/codeql-action/releases) for th
 
 ## [UNRELEASED]
 
-No user facing changes.
+- Reduced the minimum Git version required for [improved incremental analysis](https://github.com/github/roadmap/issues/1158) from 2.38.0 to 2.11.0. [#3767](https://github.com/github/codeql-action/pull/3767)
+
+## 4.34.1 - 20 Mar 2026
+
+- Downgrade default CodeQL bundle version to [2.24.3](https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.24.3) due to issues with a small percentage of Actions and JavaScript analyses. [#3762](https://github.com/github/codeql-action/pull/3762)
+
+## 4.34.0 - 20 Mar 2026
+
+- Added an experimental change which disables TRAP caching when [improved incremental analysis](https://github.com/github/roadmap/issues/1158) is enabled, since improved incremental analysis supersedes TRAP caching. This will improve performance and reduce Actions cache usage. We expect to roll this change out to everyone in March. [#3569](https://github.com/github/codeql-action/pull/3569)
+- We are rolling out improved incremental analysis to C/C++ analyses that use build mode `none`. We expect this rollout to be complete by the end of April 2026. [#3584](https://github.com/github/codeql-action/pull/3584)
+- Update default CodeQL bundle version to [2.25.0](https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.25.0). [#3585](https://github.com/github/codeql-action/pull/3585)
 
 ## 4.33.0 - 16 Mar 2026
 

package-lock.json

@@ -1,12 +1,12 @@
 {
   "name": "codeql",
-  "version": "4.33.1",
+  "version": "4.34.2",
   "lockfileVersion": 3,
   "requires": true,
   "packages": {
     "": {
       "name": "codeql",
-      "version": "4.33.1",
+      "version": "4.34.2",
       "license": "MIT",
       "workspaces": [
         "pr-checks"
@@ -38,7 +38,7 @@
       },
       "devDependencies": {
         "@ava/typescript": "6.0.0",
-        "@eslint/compat": "^2.0.2",
+        "@eslint/compat": "^2.0.3",
         "@microsoft/eslint-formatter-sarif": "^3.1.0",
         "@octokit/types": "^16.0.0",
         "@types/archiver": "^7.0.0",
@@ -62,7 +62,7 @@
         "nock": "^14.0.11",
         "sinon": "^21.0.2",
         "typescript": "^5.9.3",
-        "typescript-eslint": "^8.56.1"
+        "typescript-eslint": "^8.57.0"
       }
     },
     "node_modules/@aashutoshrathi/word-wrap": {
@@ -1364,13 +1364,13 @@
       }
     },
     "node_modules/@eslint/compat": {
-      "version": "2.0.2",
+      "version": "2.0.3",
-      "resolved": "https://registry.npmjs.org/@eslint/compat/-/compat-2.0.2.tgz",
+      "resolved": "https://registry.npmjs.org/@eslint/compat/-/compat-2.0.3.tgz",
-      "integrity": "sha512-pR1DoD0h3HfF675QZx0xsyrsU8q70Z/plx7880NOhS02NuWLgBCOMDL787nUeQ7EWLkxv3bPQJaarjcPQb2Dwg==",
+      "integrity": "sha512-SjIJhGigp8hmd1YGIBwh7Ovri7Kisl42GYFjrOyHhtfYGGoLW6teYi/5p8W50KSsawUPpuLOSmsq1bD0NGQLBw==",
       "dev": true,
       "license": "Apache-2.0",
       "dependencies": {
-        "@eslint/core": "^1.1.0"
+        "@eslint/core": "^1.1.1"
       },
       "engines": {
         "node": "^20.19.0 || ^22.13.0 || >=24"
@@ -1426,9 +1426,9 @@
       }
     },
     "node_modules/@eslint/core": {
-      "version": "1.1.0",
+      "version": "1.1.1",
-      "resolved": "https://registry.npmjs.org/@eslint/core/-/core-1.1.0.tgz",
+      "resolved": "https://registry.npmjs.org/@eslint/core/-/core-1.1.1.tgz",
-      "integrity": "sha512-/nr9K9wkr3P1EzFTdFdMoLuo1PmIxjmwvPozwoSodjNBdefGujXQUF93u1DDZpEaTuDvMsIQddsd35BwtrW9Xw==",
+      "integrity": "sha512-QUPblTtE51/7/Zhfv8BDwO0qkkzQL7P/aWWbqcf4xWLEYn1oKjdO0gglQBB4GAsu7u6wjijbCmzsUTy6mnk6oQ==",
       "dev": true,
       "license": "Apache-2.0",
       "dependencies": {
@@ -2547,17 +2547,17 @@
       "license": "MIT"
     },
     "node_modules/@typescript-eslint/eslint-plugin": {
-      "version": "8.56.1",
+      "version": "8.57.0",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/eslint-plugin/-/eslint-plugin-8.56.1.tgz",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/eslint-plugin/-/eslint-plugin-8.57.0.tgz",
-      "integrity": "sha512-Jz9ZztpB37dNC+HU2HI28Bs9QXpzCz+y/twHOwhyrIRdbuVDxSytJNDl6z/aAKlaRIwC7y8wJdkBv7FxYGgi0A==",
+      "integrity": "sha512-qeu4rTHR3/IaFORbD16gmjq9+rEs9fGKdX0kF6BKSfi+gCuG3RCKLlSBYzn/bGsY9Tj7KE/DAQStbp8AHJGHEQ==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
         "@eslint-community/regexpp": "^4.12.2",
-        "@typescript-eslint/scope-manager": "8.56.1",
+        "@typescript-eslint/scope-manager": "8.57.0",
-        "@typescript-eslint/type-utils": "8.56.1",
+        "@typescript-eslint/type-utils": "8.57.0",
-        "@typescript-eslint/utils": "8.56.1",
+        "@typescript-eslint/utils": "8.57.0",
-        "@typescript-eslint/visitor-keys": "8.56.1",
+        "@typescript-eslint/visitor-keys": "8.57.0",
         "ignore": "^7.0.5",
         "natural-compare": "^1.4.0",
         "ts-api-utils": "^2.4.0"
@@ -2570,7 +2570,7 @@
         "url": "https://opencollective.com/typescript-eslint"
       },
       "peerDependencies": {
-        "@typescript-eslint/parser": "^8.56.1",
+        "@typescript-eslint/parser": "^8.57.0",
         "eslint": "^8.57.0 || ^9.0.0 || ^10.0.0",
         "typescript": ">=4.8.4 <6.0.0"
       }
@@ -2586,16 +2586,16 @@
       }
     },
     "node_modules/@typescript-eslint/parser": {
-      "version": "8.56.1",
+      "version": "8.57.0",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/parser/-/parser-8.56.1.tgz",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/parser/-/parser-8.57.0.tgz",
-      "integrity": "sha512-klQbnPAAiGYFyI02+znpBRLyjL4/BrBd0nyWkdC0s/6xFLkXYQ8OoRrSkqacS1ddVxf/LDyODIKbQ5TgKAf/Fg==",
+      "integrity": "sha512-XZzOmihLIr8AD1b9hL9ccNMzEMWt/dE2u7NyTY9jJG6YNiNthaD5XtUHVF2uCXZ15ng+z2hT3MVuxnUYhq6k1g==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
-        "@typescript-eslint/scope-manager": "8.56.1",
+        "@typescript-eslint/scope-manager": "8.57.0",
-        "@typescript-eslint/types": "8.56.1",
+        "@typescript-eslint/types": "8.57.0",
-        "@typescript-eslint/typescript-estree": "8.56.1",
+        "@typescript-eslint/typescript-estree": "8.57.0",
-        "@typescript-eslint/visitor-keys": "8.56.1",
+        "@typescript-eslint/visitor-keys": "8.57.0",
         "debug": "^4.4.3"
       },
       "engines": {
@@ -2629,14 +2629,14 @@
       }
     },
     "node_modules/@typescript-eslint/project-service": {
-      "version": "8.56.1",
+      "version": "8.57.0",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/project-service/-/project-service-8.56.1.tgz",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/project-service/-/project-service-8.57.0.tgz",
-      "integrity": "sha512-TAdqQTzHNNvlVFfR+hu2PDJrURiwKsUvxFn1M0h95BB8ah5jejas08jUWG4dBA68jDMI988IvtfdAI53JzEHOQ==",
+      "integrity": "sha512-pR+dK0BlxCLxtWfaKQWtYr7MhKmzqZxuii+ZjuFlZlIGRZm22HnXFqa2eY+90MUz8/i80YJmzFGDUsi8dMOV5w==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
-        "@typescript-eslint/tsconfig-utils": "^8.56.1",
+        "@typescript-eslint/tsconfig-utils": "^8.57.0",
-        "@typescript-eslint/types": "^8.56.1",
+        "@typescript-eslint/types": "^8.57.0",
         "debug": "^4.4.3"
       },
       "engines": {
@@ -2669,14 +2669,14 @@
       }
     },
     "node_modules/@typescript-eslint/scope-manager": {
-      "version": "8.56.1",
+      "version": "8.57.0",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/scope-manager/-/scope-manager-8.56.1.tgz",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/scope-manager/-/scope-manager-8.57.0.tgz",
-      "integrity": "sha512-YAi4VDKcIZp0O4tz/haYKhmIDZFEUPOreKbfdAN3SzUDMcPhJ8QI99xQXqX+HoUVq8cs85eRKnD+rne2UAnj2w==",
+      "integrity": "sha512-nvExQqAHF01lUM66MskSaZulpPL5pgy5hI5RfrxviLgzZVffB5yYzw27uK/ft8QnKXI2X0LBrHJFr1TaZtAibw==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
-        "@typescript-eslint/types": "8.56.1",
+        "@typescript-eslint/types": "8.57.0",
-        "@typescript-eslint/visitor-keys": "8.56.1"
+        "@typescript-eslint/visitor-keys": "8.57.0"
       },
       "engines": {
         "node": "^18.18.0 || ^20.9.0 || >=21.1.0"
@@ -2687,9 +2687,9 @@
       }
     },
     "node_modules/@typescript-eslint/tsconfig-utils": {
-      "version": "8.56.1",
+      "version": "8.57.0",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/tsconfig-utils/-/tsconfig-utils-8.56.1.tgz",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/tsconfig-utils/-/tsconfig-utils-8.57.0.tgz",
-      "integrity": "sha512-qOtCYzKEeyr3aR9f28mPJqBty7+DBqsdd63eO0yyDwc6vgThj2UjWfJIcsFeSucYydqcuudMOprZ+x1SpF3ZuQ==",
+      "integrity": "sha512-LtXRihc5ytjJIQEH+xqjB0+YgsV4/tW35XKX3GTZHpWtcC8SPkT/d4tqdf1cKtesryHm2bgp6l555NYcT2NLvA==",
       "dev": true,
       "license": "MIT",
       "engines": {
@@ -2704,15 +2704,15 @@
       }
     },
     "node_modules/@typescript-eslint/type-utils": {
-      "version": "8.56.1",
+      "version": "8.57.0",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/type-utils/-/type-utils-8.56.1.tgz",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/type-utils/-/type-utils-8.57.0.tgz",
-      "integrity": "sha512-yB/7dxi7MgTtGhZdaHCemf7PuwrHMenHjmzgUW1aJpO+bBU43OycnM3Wn+DdvDO/8zzA9HlhaJ0AUGuvri4oGg==",
+      "integrity": "sha512-yjgh7gmDcJ1+TcEg8x3uWQmn8ifvSupnPfjP21twPKrDP/pTHlEQgmKcitzF/rzPSmv7QjJ90vRpN4U+zoUjwQ==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
-        "@typescript-eslint/types": "8.56.1",
+        "@typescript-eslint/types": "8.57.0",
-        "@typescript-eslint/typescript-estree": "8.56.1",
+        "@typescript-eslint/typescript-estree": "8.57.0",
-        "@typescript-eslint/utils": "8.56.1",
+        "@typescript-eslint/utils": "8.57.0",
         "debug": "^4.4.3",
         "ts-api-utils": "^2.4.0"
       },
@@ -2747,9 +2747,9 @@
       }
     },
     "node_modules/@typescript-eslint/types": {
-      "version": "8.56.1",
+      "version": "8.57.0",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/types/-/types-8.56.1.tgz",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/types/-/types-8.57.0.tgz",
-      "integrity": "sha512-dbMkdIUkIkchgGDIv7KLUpa0Mda4IYjo4IAMJUZ+3xNoUXxMsk9YtKpTHSChRS85o+H9ftm51gsK1dZReY9CVw==",
+      "integrity": "sha512-dTLI8PEXhjUC7B9Kre+u0XznO696BhXcTlOn0/6kf1fHaQW8+VjJAVHJ3eTI14ZapTxdkOmc80HblPQLaEeJdg==",
       "dev": true,
       "license": "MIT",
       "engines": {
@@ -2761,16 +2761,16 @@
       }
     },
     "node_modules/@typescript-eslint/typescript-estree": {
-      "version": "8.56.1",
+      "version": "8.57.0",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/typescript-estree/-/typescript-estree-8.56.1.tgz",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/typescript-estree/-/typescript-estree-8.57.0.tgz",
-      "integrity": "sha512-qzUL1qgalIvKWAf9C1HpvBjif+Vm6rcT5wZd4VoMb9+Km3iS3Cv9DY6dMRMDtPnwRAFyAi7YXJpTIEXLvdfPxg==",
+      "integrity": "sha512-m7faHcyVg0BT3VdYTlX8GdJEM7COexXxS6KqGopxdtkQRvBanK377QDHr4W/vIPAR+ah9+B/RclSW5ldVniO1Q==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
-        "@typescript-eslint/project-service": "8.56.1",
+        "@typescript-eslint/project-service": "8.57.0",
-        "@typescript-eslint/tsconfig-utils": "8.56.1",
+        "@typescript-eslint/tsconfig-utils": "8.57.0",
-        "@typescript-eslint/types": "8.56.1",
+        "@typescript-eslint/types": "8.57.0",
-        "@typescript-eslint/visitor-keys": "8.56.1",
+        "@typescript-eslint/visitor-keys": "8.57.0",
         "debug": "^4.4.3",
         "minimatch": "^10.2.2",
         "semver": "^7.7.3",
@@ -2846,16 +2846,16 @@
       }
     },
     "node_modules/@typescript-eslint/utils": {
-      "version": "8.56.1",
+      "version": "8.57.0",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/utils/-/utils-8.56.1.tgz",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/utils/-/utils-8.57.0.tgz",
-      "integrity": "sha512-HPAVNIME3tABJ61siYlHzSWCGtOoeP2RTIaHXFMPqjrQKCGB9OgUVdiNgH7TJS2JNIQ5qQ4RsAUDuGaGme/KOA==",
+      "integrity": "sha512-5iIHvpD3CZe06riAsbNxxreP+MuYgVUsV0n4bwLH//VJmgtt54sQeY2GszntJ4BjYCpMzrfVh2SBnUQTtys2lQ==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
         "@eslint-community/eslint-utils": "^4.9.1",
-        "@typescript-eslint/scope-manager": "8.56.1",
+        "@typescript-eslint/scope-manager": "8.57.0",
-        "@typescript-eslint/types": "8.56.1",
+        "@typescript-eslint/types": "8.57.0",
-        "@typescript-eslint/typescript-estree": "8.56.1"
+        "@typescript-eslint/typescript-estree": "8.57.0"
       },
       "engines": {
         "node": "^18.18.0 || ^20.9.0 || >=21.1.0"
@@ -2870,13 +2870,13 @@
       }
     },
     "node_modules/@typescript-eslint/visitor-keys": {
-      "version": "8.56.1",
+      "version": "8.57.0",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/visitor-keys/-/visitor-keys-8.56.1.tgz",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/visitor-keys/-/visitor-keys-8.57.0.tgz",
-      "integrity": "sha512-KiROIzYdEV85YygXw6BI/Dx4fnBlFQu6Mq4QE4MOH9fFnhohw6wX/OAvDY2/C+ut0I3RSPKenvZJIVYqJNkhEw==",
+      "integrity": "sha512-zm6xx8UT/Xy2oSr2ZXD0pZo7Jx2XsCoID2IUh9YSTFRu7z+WdwYTRk6LhUftm1crwqbuoF6I8zAFeCMw0YjwDg==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
-        "@typescript-eslint/types": "8.56.1",
+        "@typescript-eslint/types": "8.57.0",
         "eslint-visitor-keys": "^5.0.0"
       },
       "engines": {
@@ -5683,21 +5683,9 @@
       "license": "MIT"
     },
     "node_modules/fast-xml-builder": {
-      "version": "1.0.0",
+      "version": "1.1.4",
-      "resolved": "https://registry.npmjs.org/fast-xml-builder/-/fast-xml-builder-1.0.0.tgz",
+      "resolved": "https://registry.npmjs.org/fast-xml-builder/-/fast-xml-builder-1.1.4.tgz",
-      "integrity": "sha512-fpZuDogrAgnyt9oDDz+5DBz0zgPdPZz6D4IR7iESxRXElrlGTRkHJ9eEt+SACRJwT0FNFrt71DFQIUFBJfX/uQ==",
+      "integrity": "sha512-f2jhpN4Eccy0/Uz9csxh3Nu6q4ErKxf0XIsasomfOihuSUa3/xw6w8dnOtCDgEItQFJG8KyXPzQXzcODDrrbOg==",
-      "funding": [
-        {
-          "type": "github",
-          "url": "https://github.com/sponsors/NaturalIntelligence"
-        }
-      ],
-      "license": "MIT"
-    },
-    "node_modules/fast-xml-parser": {
-      "version": "5.4.1",
-      "resolved": "https://registry.npmjs.org/fast-xml-parser/-/fast-xml-parser-5.4.1.tgz",
-      "integrity": "sha512-BQ30U1mKkvXQXXkAGcuyUA/GA26oEB7NzOtsxCDtyu62sjGw5QraKFhx2Em3WQNjPw9PG6MQ9yuIIgkSDfGu5A==",
       "funding": [
         {
           "type": "github",
@@ -5706,8 +5694,24 @@
       ],
       "license": "MIT",
       "dependencies": {
-        "fast-xml-builder": "^1.0.0",
+        "path-expression-matcher": "^1.1.3"
-        "strnum": "^2.1.2"
+      }
+    },
+    "node_modules/fast-xml-parser": {
+      "version": "5.5.7",
+      "resolved": "https://registry.npmjs.org/fast-xml-parser/-/fast-xml-parser-5.5.7.tgz",
+      "integrity": "sha512-LteOsISQ2GEiDHZch6L9hB0+MLoYVLToR7xotrzU0opCICBkxOPgHAy1HxAvtxfJNXDJpgAsQN30mkrfpO2Prg==",
+      "funding": [
+        {
+          "type": "github",
+          "url": "https://github.com/sponsors/NaturalIntelligence"
+        }
+      ],
+      "license": "MIT",
+      "dependencies": {
+        "fast-xml-builder": "^1.1.4",
+        "path-expression-matcher": "^1.1.3",
+        "strnum": "^2.2.0"
       },
       "bin": {
         "fxparser": "src/cli/cli.js"
@@ -7836,6 +7840,21 @@
         "node": ">=8"
       }
     },
+    "node_modules/path-expression-matcher": {
+      "version": "1.1.3",
+      "resolved": "https://registry.npmjs.org/path-expression-matcher/-/path-expression-matcher-1.1.3.tgz",
+      "integrity": "sha512-qdVgY8KXmVdJZRSS1JdEPOKPdTiEK/pi0RkcT2sw1RhXxohdujUlJFPuS1TSkevZ9vzd3ZlL7ULl1MHGTApKzQ==",
+      "funding": [
+        {
+          "type": "github",
+          "url": "https://github.com/sponsors/NaturalIntelligence"
+        }
+      ],
+      "license": "MIT",
+      "engines": {
+        "node": ">=14.0.0"
+      }
+    },
     "node_modules/path-key": {
       "version": "3.1.1",
       "license": "MIT",
@@ -8825,9 +8844,9 @@
       }
     },
     "node_modules/strnum": {
-      "version": "2.1.2",
+      "version": "2.2.1",
-      "resolved": "https://registry.npmjs.org/strnum/-/strnum-2.1.2.tgz",
+      "resolved": "https://registry.npmjs.org/strnum/-/strnum-2.2.1.tgz",
-      "integrity": "sha512-l63NF9y/cLROq/yqKXSLtcMeeyOfnSQlfMSlzFt/K73oIaD8DGaQWd7Z34X9GPiKqP5rbSh84Hl4bOlLcjiSrQ==",
+      "integrity": "sha512-BwRvNd5/QoAtyW1na1y1LsJGQNvRlkde6Q/ipqqEaivoMdV+B1OMOTVdwR+N/cwVUcIt9PYyHmV8HyexCZSupg==",
       "funding": [
         {
           "type": "github",
@@ -9303,16 +9322,16 @@
       }
     },
     "node_modules/typescript-eslint": {
-      "version": "8.56.1",
+      "version": "8.57.0",
-      "resolved": "https://registry.npmjs.org/typescript-eslint/-/typescript-eslint-8.56.1.tgz",
+      "resolved": "https://registry.npmjs.org/typescript-eslint/-/typescript-eslint-8.57.0.tgz",
-      "integrity": "sha512-U4lM6pjmBX7J5wk4szltF7I1cGBHXZopnAXCMXb3+fZ3B/0Z3hq3wS/CCUB2NZBNAExK92mCU2tEohWuwVMsDQ==",
+      "integrity": "sha512-W8GcigEMEeB07xEZol8oJ26rigm3+bfPHxHvwbYUlu1fUDsGuQ7Hiskx5xGW/xM4USc9Ephe3jtv7ZYPQntHeA==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
-        "@typescript-eslint/eslint-plugin": "8.56.1",
+        "@typescript-eslint/eslint-plugin": "8.57.0",
-        "@typescript-eslint/parser": "8.56.1",
+        "@typescript-eslint/parser": "8.57.0",
-        "@typescript-eslint/typescript-estree": "8.56.1",
+        "@typescript-eslint/typescript-estree": "8.57.0",
-        "@typescript-eslint/utils": "8.56.1"
+        "@typescript-eslint/utils": "8.57.0"
       },
       "engines": {
         "node": "^18.18.0 || ^20.9.0 || >=21.1.0"

package.json

@@ -1,6 +1,6 @@
 {
   "name": "codeql",
-  "version": "4.33.1",
+  "version": "4.34.2",
   "private": true,
   "description": "CodeQL action",
   "scripts": {
@@ -45,7 +45,7 @@
   },
   "devDependencies": {
     "@ava/typescript": "6.0.0",
-    "@eslint/compat": "^2.0.2",
+    "@eslint/compat": "^2.0.3",
     "@microsoft/eslint-formatter-sarif": "^3.1.0",
     "@octokit/types": "^16.0.0",
     "@types/archiver": "^7.0.0",
@@ -69,7 +69,7 @@
     "nock": "^14.0.11",
     "sinon": "^21.0.2",
     "typescript": "^5.9.3",
-    "typescript-eslint": "^8.56.1"
+    "typescript-eslint": "^8.57.0"
   },
   "overrides": {
     "@actions/tool-cache": {

src/analyze.test.ts

@@ -10,6 +10,7 @@ import {
   defaultSuites,
   resolveQuerySuiteAlias,
   addSarifExtension,
+  diffRangeExtensionPackContents,
 } from "./analyze";
 import { createStubCodeQL } from "./codeql";
 import { Feature } from "./feature-flags";
@@ -158,3 +159,22 @@ test("addSarifExtension", (t) => {
     t.is(addSarifExtension(RiskAssessment, language), `${language}.csra.sarif`);
   }
 });
+
+test("diffRangeExtensionPackContents", (t) => {
+  const output = diffRangeExtensionPackContents(
+    [
+      {
+        path: "main.js",
+        startLine: 10,
+        endLine: 20,
+      },
+    ],
+    "/checkout/path",
+  );
+
+  const expected = fs.readFileSync(
+    `${__dirname}/../src/testdata/pr-diff-range.yml`,
+    "utf8",
+  );
+  t.deepEqual(output, expected);
+});

src/analyze.ts

@@ -5,7 +5,11 @@ import { performance } from "perf_hooks";
 import * as io from "@actions/io";
 import * as yaml from "js-yaml";
 
-import { getTemporaryDirectory, PullRequestBranches } from "./actions-util";
+import {
+  getTemporaryDirectory,
+  getRequiredInput,
+  PullRequestBranches,
+} from "./actions-util";
 import * as analyses from "./analyses";
 import { setupCppAutobuild } from "./autobuild";
 import { type CodeQL } from "./codeql";
@@ -243,7 +247,12 @@ export async function setupDiffInformedQueryRun(
         `Calculating diff ranges for ${branches.base}...${branches.head}`,
       );
       const diffRanges = await getPullRequestEditedDiffRanges(branches, logger);
-      const packDir = writeDiffRangeDataExtensionPack(logger, diffRanges);
+      const checkoutPath = getRequiredInput("checkout_path");
+      const packDir = writeDiffRangeDataExtensionPack(
+        logger,
+        diffRanges,
+        checkoutPath,
+      );
       if (packDir === undefined) {
         logger.warning(
           "Cannot create diff range extension pack for diff-informed queries; " +
@@ -259,6 +268,46 @@ export async function setupDiffInformedQueryRun(
   );
 }
 
+export function diffRangeExtensionPackContents(
+  ranges: DiffThunkRange[],
+  checkoutPath: string,
+): string {
+  const header = `
+extensions:
+  - addsTo:
+      pack: codeql/util
+      extensible: restrictAlertsTo
+      checkPresence: false
+    data:
+`;
+
+  let data = ranges
+    .map((range) => {
+      // Diff-informed queries expect the file path to be absolute. CodeQL always
+      // uses forward slashes as the path separator, so on Windows we need to
+      // replace any backslashes with forward slashes.
+      const filename = path
+        .join(checkoutPath, range.path)
+        .replaceAll(path.sep, "/");
+
+      // Using yaml.dump() with `forceQuotes: true` ensures that all special
+      // characters are escaped, and that the path is always rendered as a
+      // quoted string on a single line.
+      return (
+        `      - [${yaml.dump(filename, { forceQuotes: true }).trim()}, ` +
+        `${range.startLine}, ${range.endLine}]\n`
+      );
+    })
+    .join("");
+  if (!data) {
+    // Ensure that the data extension is not empty, so that a pull request with
+    // no edited lines would exclude (instead of accepting) all alerts.
+    data = '      - ["", 0, 0]\n';
+  }
+
+  return header + data;
+}
+
 /**
  * Create an extension pack in the temporary directory that contains the file
  * line ranges that were added or modified in the pull request.
@@ -266,12 +315,14 @@ export async function setupDiffInformedQueryRun(
  * @param logger
  * @param ranges The file line ranges, as returned by
  * `getPullRequestEditedDiffRanges`.
+ * @param checkoutPath The path at which the repository was checked out.
  * @returns The absolute path of the directory containing the extension pack, or
  * `undefined` if no extension pack was created.
  */
 function writeDiffRangeDataExtensionPack(
   logger: Logger,
   ranges: DiffThunkRange[] | undefined,
+  checkoutPath: string,
 ): string | undefined {
   if (ranges === undefined) {
     return undefined;
@@ -307,32 +358,10 @@ dataExtensions:
 `,
   );
 
-  const header = `
+  const extensionContents = diffRangeExtensionPackContents(
-extensions:
+    ranges,
-  - addsTo:
+    checkoutPath,
-      pack: codeql/util
+  );
-      extensible: restrictAlertsTo
-      checkPresence: false
-    data:
-`;
-
-  let data = ranges
-    .map(
-      (range) =>
-        // Using yaml.dump() with `forceQuotes: true` ensures that all special
-        // characters are escaped, and that the path is always rendered as a
-        // quoted string on a single line.
-        `      - [${yaml.dump(range.path, { forceQuotes: true }).trim()}, ` +
-        `${range.startLine}, ${range.endLine}]\n`,
-    )
-    .join("");
-  if (!data) {
-    // Ensure that the data extension is not empty, so that a pull request with
-    // no edited lines would exclude (instead of accepting) all alerts.
-    data = '      - ["", 0, 0]\n';
-  }
-
-  const extensionContents = header + data;
   const extensionFilePath = path.join(diffRangeDir, "pr-diff-range.yml");
   fs.writeFileSync(extensionFilePath, extensionContents);
   logger.debug(

src/codeql.ts

@@ -300,19 +300,6 @@ const GHES_MOST_RECENT_DEPRECATION_DATE = "2025-06-19";
 /** The CLI verbosity level to use for extraction in debug mode. */
 const EXTRACTION_DEBUG_MODE_VERBOSITY = "progress++";
 
-/*
- * Deprecated in favor of ToolsFeature.
- *
- * Versions of CodeQL that version-flag certain functionality in the Action.
- * For convenience, please keep these in descending order. Once a version
- * flag is older than the oldest supported version above, it may be removed.
- */
-
-/**
- * Versions 2.17.1+ of the CodeQL CLI support the `--cache-cleanup` option.
- */
-const CODEQL_VERSION_CACHE_CLEANUP = "2.17.1";
-
 /**
  * Set up CodeQL CLI access.
  *
@@ -891,19 +878,13 @@ async function getCodeQLForCmd(
       config: Config,
       cleanupLevel: CleanupLevel,
     ): Promise<void> {
-      const cacheCleanupFlag = (await util.codeQlVersionAtLeast(
-        this,
-        CODEQL_VERSION_CACHE_CLEANUP,
-      ))
-        ? "--cache-cleanup"
-        : "--mode";
       for (const language of config.languages) {
         const databasePath = util.getCodeQLDatabasePath(config, language);
         const codeqlArgs = [
           "database",
           "cleanup",
           databasePath,
-          `${cacheCleanupFlag}=${cleanupLevel}`,
+          `--cache-cleanup=${cleanupLevel}`,
           ...getExtraOptionsFromEnv(["database", "cleanup"]),
         ];
         await runCli(cmd, codeqlArgs);

src/config-utils.test.ts

@@ -26,6 +26,7 @@ import * as overlayStatus from "./overlay/status";
 import { parseRepositoryNwo } from "./repository";
 import {
   setupTests,
+  setupActionsVars,
   mockLanguagesInRepo as mockLanguagesInRepo,
   createFeatures,
   getRecordingLogger,
@@ -64,7 +65,6 @@ function createTestInitConfigInputs(
       configInput: undefined,
       buildModeInput: undefined,
       ramInput: undefined,
-      trapCachingEnabled: false,
       dependencyCachingEnabled: CachingKind.None,
       debugMode: false,
       debugArtifactName: "",
@@ -144,6 +144,8 @@ test.serial("load empty config", async (t) => {
     const logger = getRunnerLogger(true);
     const languages = "javascript,python";
 
+    setupActionsVars(tempDir, tempDir);
+
     const codeql = createStubCodeQL({
       async betterResolveLanguages() {
         return {
@@ -185,6 +187,8 @@ test.serial("load code quality config", async (t) => {
     const logger = getRunnerLogger(true);
     const languages = "actions";
 
+    setupActionsVars(tempDir, tempDir);
+
     const codeql = createStubCodeQL({
       async betterResolveLanguages() {
         return {
@@ -237,6 +241,8 @@ test.serial(
       const logger = getRunnerLogger(true);
       const languages = "javascript";
 
+      setupActionsVars(tempDir, tempDir);
+
       const codeql = createStubCodeQL({
         async betterResolveLanguages() {
           return {
@@ -475,6 +481,8 @@ test.serial("load non-existent input", async (t) => {
 
 test.serial("load non-empty input", async (t) => {
   return await withTmpDir(async (tempDir) => {
+    setupActionsVars(tempDir, tempDir);
+
     const codeql = createStubCodeQL({
       async betterResolveLanguages() {
         return {
@@ -1928,7 +1936,7 @@ test.serial(
   "Fallback due to old git version",
   {
     overlayDatabaseEnvVar: "overlay",
-    gitVersion: new GitVersionInfo("2.30.0", "2.30.0"), // Version below required 2.38.0
+    gitVersion: new GitVersionInfo("2.10.0", "2.10.0"), // Version below required 2.11.0
   },
   {
     disabledReason: OverlayDisabledReason.IncompatibleGit,
@@ -2013,13 +2021,13 @@ for (const language in KnownLanguage) {
 
 // Verify that a language without a per-language overlay feature flag cannot have
 // overlay analysis enabled, even when the base overlay feature flag is on.
-// Using cpp here as it doesn't currently have overlay support — update this if
+// Using swift here as it doesn't currently have overlay support — update this if
-// cpp gains overlay support.
+// swift gains overlay support.
 test.serial(
   checkOverlayEnablementMacro,
   "No overlay analysis for language without per-language overlay feature flag",
   {
-    languages: [KnownLanguage.cpp],
+    languages: [KnownLanguage.swift],
     features: [Feature.OverlayAnalysis],
     isPullRequest: true,
   },
@@ -2055,3 +2063,121 @@ test.serial("getPrimaryAnalysisConfig - Code Scanning + Code Quality", (t) => {
     AnalysisKind.CodeScanning,
   );
 });
+
+test.serial(
+  "isTrapCachingEnabled: explicit input true is respected",
+  async (t) => {
+    return await withTmpDir(async (tmpDir) => {
+      setupActionsVars(tmpDir, tmpDir);
+      sinon
+        .stub(actionsUtil, "getOptionalInput")
+        .withArgs("trap-caching")
+        .returns("true");
+      t.true(
+        await configUtils.isTrapCachingEnabled(
+          createFeatures([]),
+          OverlayDatabaseMode.None,
+        ),
+      );
+    });
+  },
+);
+
+test.serial(
+  "isTrapCachingEnabled: disabled on self-hosted runner by default",
+  async (t) => {
+    return await withTmpDir(async (tmpDir) => {
+      setupActionsVars(tmpDir, tmpDir);
+      sinon
+        .stub(actionsUtil, "getOptionalInput")
+        .withArgs("trap-caching")
+        .returns(undefined);
+      t.false(
+        await configUtils.isTrapCachingEnabled(
+          createFeatures([]),
+          OverlayDatabaseMode.None,
+        ),
+      );
+    });
+  },
+);
+
+test.serial(
+  "isTrapCachingEnabled: enabled on hosted runner by default",
+  async (t) => {
+    return await withTmpDir(async (tmpDir) => {
+      const hostedToolCache = path.join(tmpDir, "hostedtoolcache");
+      setupActionsVars(tmpDir, hostedToolCache);
+      sinon
+        .stub(actionsUtil, "getOptionalInput")
+        .withArgs("trap-caching")
+        .returns(undefined);
+      t.true(
+        await configUtils.isTrapCachingEnabled(
+          createFeatures([]),
+          OverlayDatabaseMode.None,
+        ),
+      );
+    });
+  },
+);
+
+test.serial(
+  "isTrapCachingEnabled: enabled on hosted runner when overlay enabled but feature flag off",
+  async (t) => {
+    return await withTmpDir(async (tmpDir) => {
+      const hostedToolCache = path.join(tmpDir, "hostedtoolcache");
+      setupActionsVars(tmpDir, hostedToolCache);
+      sinon
+        .stub(actionsUtil, "getOptionalInput")
+        .withArgs("trap-caching")
+        .returns(undefined);
+      t.true(
+        await configUtils.isTrapCachingEnabled(
+          createFeatures([]),
+          OverlayDatabaseMode.Overlay,
+        ),
+      );
+    });
+  },
+);
+
+test.serial(
+  "isTrapCachingEnabled: disabled on hosted runner when overlay enabled and feature flag on",
+  async (t) => {
+    return await withTmpDir(async (tmpDir) => {
+      const hostedToolCache = path.join(tmpDir, "hostedtoolcache");
+      setupActionsVars(tmpDir, hostedToolCache);
+      sinon
+        .stub(actionsUtil, "getOptionalInput")
+        .withArgs("trap-caching")
+        .returns(undefined);
+      t.false(
+        await configUtils.isTrapCachingEnabled(
+          createFeatures([Feature.OverlayAnalysisDisableTrapCaching]),
+          OverlayDatabaseMode.Overlay,
+        ),
+      );
+    });
+  },
+);
+
+test.serial(
+  "isTrapCachingEnabled: enabled on hosted runner when overlay is None even with feature flag on",
+  async (t) => {
+    return await withTmpDir(async (tmpDir) => {
+      const hostedToolCache = path.join(tmpDir, "hostedtoolcache");
+      setupActionsVars(tmpDir, hostedToolCache);
+      sinon
+        .stub(actionsUtil, "getOptionalInput")
+        .withArgs("trap-caching")
+        .returns(undefined);
+      t.true(
+        await configUtils.isTrapCachingEnabled(
+          createFeatures([Feature.OverlayAnalysisDisableTrapCaching]),
+          OverlayDatabaseMode.None,
+        ),
+      );
+    });
+  },
+);

src/config-utils.ts

@@ -2,10 +2,12 @@ import * as fs from "fs";
 import * as path from "path";
 import { performance } from "perf_hooks";
 
+import * as core from "@actions/core";
 import * as yaml from "js-yaml";
 
 import {
   getActionVersion,
+  getOptionalInput,
   isAnalyzingPullRequest,
   isDynamicWorkflow,
 } from "./actions-util";
@@ -72,6 +74,7 @@ import {
   Result,
   Success,
   Failure,
+  isHostedRunner,
 } from "./util";
 
 /**
@@ -452,7 +455,6 @@ export interface InitConfigInputs {
   configInput: string | undefined;
   buildModeInput: string | undefined;
   ramInput: string | undefined;
-  trapCachingEnabled: boolean;
   dependencyCachingEnabled: string | undefined;
   debugMode: boolean;
   debugArtifactName: string;
@@ -482,7 +484,6 @@ export async function initActionState(
     packsInput,
     buildModeInput,
     dbLocation,
-    trapCachingEnabled,
     dependencyCachingEnabled,
     debugMode,
     debugArtifactName,
@@ -540,13 +541,6 @@ export async function initActionState(
     };
   }
 
-  const { trapCaches, trapCacheDownloadTime } = await downloadCacheWithTime(
-    trapCachingEnabled,
-    codeql,
-    languages,
-    logger,
-  );
-
   // Compute the full Code Scanning configuration that combines the configuration from the
   // configuration file / `config` input with other inputs, such as `queries`.
   const computedConfig = generateCodeScanningConfig(
@@ -569,8 +563,8 @@ export async function initActionState(
     debugMode,
     debugArtifactName,
     debugDatabaseName,
-    trapCaches,
+    trapCaches: {},
-    trapCacheDownloadTime,
+    trapCacheDownloadTime: 0,
     dependencyCachingEnabled: getCachingKind(dependencyCachingEnabled),
     dependencyCachingRestoredKeys: [],
     extraQueryExclusions: [],
@@ -582,7 +576,6 @@ export async function initActionState(
 }
 
 async function downloadCacheWithTime(
-  trapCachingEnabled: boolean,
   codeQL: CodeQL,
   languages: Language[],
   logger: Logger,
@@ -590,13 +583,9 @@ async function downloadCacheWithTime(
   trapCaches: { [language: string]: string };
   trapCacheDownloadTime: number;
 }> {
-  let trapCaches: { [language: string]: string } = {};
+  const start = performance.now();
-  let trapCacheDownloadTime = 0;
+  const trapCaches = await downloadTrapCaches(codeQL, languages, logger);
-  if (trapCachingEnabled) {
+  const trapCacheDownloadTime = performance.now() - start;
-    const start = performance.now();
-    trapCaches = await downloadTrapCaches(codeQL, languages, logger);
-    trapCacheDownloadTime = performance.now() - start;
-  }
   return { trapCaches, trapCacheDownloadTime };
 }
 
@@ -636,6 +625,7 @@ async function loadUserConfig(
  * without an entry will have overlay analysis disabled.
  */
 const OVERLAY_ANALYSIS_FEATURES: Partial<Record<Language, Feature>> = {
+  cpp: Feature.OverlayAnalysisCpp,
   csharp: Feature.OverlayAnalysisCsharp,
   go: Feature.OverlayAnalysisGo,
   java: Feature.OverlayAnalysisJava,
@@ -647,6 +637,7 @@ const OVERLAY_ANALYSIS_FEATURES: Partial<Record<Language, Feature>> = {
 const OVERLAY_ANALYSIS_CODE_SCANNING_FEATURES: Partial<
   Record<Language, Feature>
 > = {
+  cpp: Feature.OverlayAnalysisCodeScanningCpp,
   csharp: Feature.OverlayAnalysisCodeScanningCsharp,
   go: Feature.OverlayAnalysisCodeScanningGo,
   java: Feature.OverlayAnalysisCodeScanningJava,
@@ -1009,6 +1000,50 @@ async function validateOverlayDatabaseMode(
   });
 }
 
+export async function isTrapCachingEnabled(
+  features: FeatureEnablement,
+  overlayDatabaseMode: OverlayDatabaseMode,
+): Promise<boolean> {
+  // If the workflow specified something, always respect that.
+  const trapCaching = getOptionalInput("trap-caching");
+  if (trapCaching !== undefined) return trapCaching === "true";
+
+  // On self-hosted runners which may have slow network access, disable TRAP caching by default.
+  if (!isHostedRunner()) return false;
+
+  // If overlay analysis is enabled, then disable TRAP caching since overlay analysis supersedes it.
+  // This change is gated behind a feature flag.
+  if (
+    overlayDatabaseMode !== OverlayDatabaseMode.None &&
+    (await features.getValue(Feature.OverlayAnalysisDisableTrapCaching))
+  ) {
+    return false;
+  }
+
+  // Otherwise, enable TRAP caching.
+  return true;
+}
+
+async function setCppTrapCachingEnvironmentVariables(
+  config: Config,
+  logger: Logger,
+): Promise<void> {
+  if (config.languages.includes(KnownLanguage.cpp)) {
+    const envVar = "CODEQL_EXTRACTOR_CPP_TRAP_CACHING";
+    if (process.env[envVar]) {
+      logger.info(
+        `Environment variable ${envVar} already set, leaving it unchanged.`,
+      );
+    } else if (config.trapCaches[KnownLanguage.cpp]) {
+      logger.info("Enabling TRAP caching for C/C++.");
+      core.exportVariable(envVar, "true");
+    } else {
+      logger.debug(`Disabling TRAP caching for C/C++.`);
+      core.exportVariable(envVar, "false");
+    }
+  }
+}
+
 function dbLocationOrDefault(
   dbLocation: string | undefined,
   tempDir: string,
@@ -1199,6 +1234,19 @@ export async function initConfig(
       exclude: { tags: "exclude-from-incremental" },
     });
   }
+
+  if (await isTrapCachingEnabled(features, config.overlayDatabaseMode)) {
+    const { trapCaches, trapCacheDownloadTime } = await downloadCacheWithTime(
+      inputs.codeql,
+      config.languages,
+      logger,
+    );
+    config.trapCaches = trapCaches;
+    config.trapCacheDownloadTime = trapCacheDownloadTime;
+  }
+
+  await setCppTrapCachingEnvironmentVariables(config, logger);
+
   return config;
 }
 

src/diff-informed-analysis-utils.test.ts

@@ -188,10 +188,6 @@ test.serial(
 );
 
 function runGetDiffRanges(changes: number, patch: string[] | undefined): any {
-  sinon
-    .stub(actionsUtil, "getRequiredInput")
-    .withArgs("checkout_path")
-    .returns("/checkout/path");
   return exportedForTesting.getDiffRanges(
     {
       filename: "test.txt",
@@ -211,7 +207,7 @@ test.serial("getDiffRanges: file diff too large", async (t) => {
   const diffRanges = runGetDiffRanges(1000000, undefined);
   t.deepEqual(diffRanges, [
     {
-      path: "/checkout/path/test.txt",
+      path: "test.txt",
       startLine: 0,
       endLine: 0,
     },
@@ -234,7 +230,7 @@ test.serial(
     ]);
     t.deepEqual(diffRanges, [
       {
-        path: "/checkout/path/test.txt",
+        path: "test.txt",
         startLine: 53,
         endLine: 54,
       },
@@ -274,7 +270,7 @@ test.serial("getDiffRanges: diff thunk with single update range", async (t) => {
   ]);
   t.deepEqual(diffRanges, [
     {
-      path: "/checkout/path/test.txt",
+      path: "test.txt",
       startLine: 53,
       endLine: 53,
     },
@@ -296,12 +292,12 @@ test.serial("getDiffRanges: diff thunk with addition ranges", async (t) => {
   ]);
   t.deepEqual(diffRanges, [
     {
-      path: "/checkout/path/test.txt",
+      path: "test.txt",
       startLine: 53,
       endLine: 53,
     },
     {
-      path: "/checkout/path/test.txt",
+      path: "test.txt",
       startLine: 55,
       endLine: 55,
     },
@@ -328,12 +324,12 @@ test.serial("getDiffRanges: diff thunk with mixed ranges", async (t) => {
   ]);
   t.deepEqual(diffRanges, [
     {
-      path: "/checkout/path/test.txt",
+      path: "test.txt",
       startLine: 54,
       endLine: 54,
     },
     {
-      path: "/checkout/path/test.txt",
+      path: "test.txt",
       startLine: 57,
       endLine: 58,
     },
@@ -363,12 +359,12 @@ test.serial("getDiffRanges: multiple diff thunks", async (t) => {
   ]);
   t.deepEqual(diffRanges, [
     {
-      path: "/checkout/path/test.txt",
+      path: "test.txt",
       startLine: 53,
       endLine: 54,
     },
     {
-      path: "/checkout/path/test.txt",
+      path: "test.txt",
       startLine: 153,
       endLine: 154,
     },
@@ -379,7 +375,7 @@ test.serial("getDiffRanges: no diff context lines", async (t) => {
   const diffRanges = runGetDiffRanges(2, ["@@ -30 +50,2 @@", "+1", "+2"]);
   t.deepEqual(diffRanges, [
     {
-      path: "/checkout/path/test.txt",
+      path: "test.txt",
       startLine: 50,
       endLine: 51,
     },

src/diff-informed-analysis-utils.ts

@@ -71,6 +71,7 @@ export async function getDiffInformedAnalysisBranches(
 }
 
 export interface DiffThunkRange {
+  /** Relative path from the repository root, using forward slashes as separators. */
   path: string;
   startLine: number;
   endLine: number;
@@ -112,8 +113,9 @@ export function readDiffRangesJsonFile(
  *
  * @param branches The base and head branches of the pull request.
  * @param logger
- * @returns An array of tuples, where each tuple contains the absolute path of a
+ * @returns An array of tuples, where each tuple contains the relative path of a
- * file, the start line and the end line (both 1-based and inclusive) of an
+ * file (relative to the repository root, as returned by the GitHub compare API),
+ * the start line and the end line (both 1-based and inclusive) of an
  * added or modified range in that file. Returns `undefined` if the action was
  * not triggered by a pull request or if there was an error.
  */
@@ -191,13 +193,6 @@ function getDiffRanges(
   fileDiff: FileDiff,
   logger: Logger,
 ): DiffThunkRange[] | undefined {
-  // Diff-informed queries expect the file path to be absolute. CodeQL always
-  // uses forward slashes as the path separator, so on Windows we need to
-  // replace any backslashes with forward slashes.
-  const filename = path
-    .join(actionsUtil.getRequiredInput("checkout_path"), fileDiff.filename)
-    .replaceAll(path.sep, "/");
-
   if (fileDiff.patch === undefined) {
     if (fileDiff.changes === 0) {
       // There are situations where a changed file legitimately has no diff.
@@ -212,7 +207,7 @@ function getDiffRanges(
     // to a special diff range that covers the entire file.
     return [
       {
-        path: filename,
+        path: fileDiff.filename,
         startLine: 0,
         endLine: 0,
       },
@@ -247,7 +242,7 @@ function getDiffRanges(
       // Any line that does not start with a "+" or "-" terminates the current
       // range of added lines.
       diffRanges.push({
-        path: filename,
+        path: fileDiff.filename,
         startLine: additionRangeStartLine,
         endLine: currentLine - 1,
       });

src/feature-flags.ts

@@ -9,6 +9,7 @@ import * as defaults from "./defaults.json";
 import { Logger } from "./logging";
 import {
   CODEQL_OVERLAY_MINIMUM_VERSION,
+  CODEQL_OVERLAY_MINIMUM_VERSION_CPP,
   CODEQL_OVERLAY_MINIMUM_VERSION_CSHARP,
   CODEQL_OVERLAY_MINIMUM_VERSION_GO,
   CODEQL_OVERLAY_MINIMUM_VERSION_JAVA,
@@ -57,18 +58,18 @@ export enum Feature {
   IgnoreGeneratedFiles = "ignore_generated_files",
   JavaNetworkDebugging = "java_network_debugging",
   OverlayAnalysis = "overlay_analysis",
+  OverlayAnalysisCodeScanningCpp = "overlay_analysis_code_scanning_cpp",
   OverlayAnalysisCodeScanningCsharp = "overlay_analysis_code_scanning_csharp",
   OverlayAnalysisCodeScanningGo = "overlay_analysis_code_scanning_go",
   OverlayAnalysisCodeScanningJava = "overlay_analysis_code_scanning_java",
   OverlayAnalysisCodeScanningJavascript = "overlay_analysis_code_scanning_javascript",
   OverlayAnalysisCodeScanningPython = "overlay_analysis_code_scanning_python",
   OverlayAnalysisCodeScanningRuby = "overlay_analysis_code_scanning_ruby",
+  OverlayAnalysisCpp = "overlay_analysis_cpp",
   OverlayAnalysisCsharp = "overlay_analysis_csharp",
+  /** Disable TRAP caching when overlay analysis is enabled. */
+  OverlayAnalysisDisableTrapCaching = "overlay_analysis_disable_trap_caching",
   OverlayAnalysisGo = "overlay_analysis_go",
-  /** Controls whether the Actions cache is checked for overlay build outcomes. */
-  OverlayAnalysisStatusCheck = "overlay_analysis_status_check",
-  /** Controls whether overlay build failures on are stored in the Actions cache. */
-  OverlayAnalysisStatusSave = "overlay_analysis_status_save",
   OverlayAnalysisJava = "overlay_analysis_java",
   OverlayAnalysisJavascript = "overlay_analysis_javascript",
   OverlayAnalysisPython = "overlay_analysis_python",
@@ -80,6 +81,10 @@ export enum Feature {
   OverlayAnalysisRuby = "overlay_analysis_ruby",
   /** Controls whether hardware checks are skipped for overlay analysis. */
   OverlayAnalysisSkipResourceChecks = "overlay_analysis_skip_resource_checks",
+  /** Controls whether the Actions cache is checked for overlay build outcomes. */
+  OverlayAnalysisStatusCheck = "overlay_analysis_status_check",
+  /** Controls whether overlay build failures on the default branch are stored in the Actions cache. */
+  OverlayAnalysisStatusSave = "overlay_analysis_status_save",
   PythonDefaultIsToNotExtractStdlib = "python_default_is_to_not_extract_stdlib",
   QaTelemetryEnabled = "qa_telemetry_enabled",
   /** Note that this currently only disables baseline file coverage information. */
@@ -197,6 +202,11 @@ export const featureConfig = {
   // Per-language overlay feature flags. Each has minimumVersion set to the
   // minimum CLI version that supports overlay analysis for that language.
   // Only languages that are GA or in staff-ship should have feature flags here.
+  [Feature.OverlayAnalysisCodeScanningCpp]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_CODE_SCANNING_CPP",
+    minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_CPP,
+  },
   [Feature.OverlayAnalysisCodeScanningCsharp]: {
     defaultValue: false,
     envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_CODE_SCANNING_CSHARP",
@@ -227,6 +237,11 @@ export const featureConfig = {
     envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_CODE_SCANNING_RUBY",
     minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_RUBY,
   },
+  [Feature.OverlayAnalysisCpp]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_CPP",
+    minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_CPP,
+  },
   [Feature.OverlayAnalysisCsharp]: {
     defaultValue: false,
     envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_CSHARP",
@@ -237,16 +252,6 @@ export const featureConfig = {
     envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_GO",
     minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_GO,
   },
-  [Feature.OverlayAnalysisStatusCheck]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_STATUS_CHECK",
-    minimumVersion: undefined,
-  },
-  [Feature.OverlayAnalysisStatusSave]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_STATUS_SAVE",
-    minimumVersion: undefined,
-  },
   [Feature.OverlayAnalysisJava]: {
     defaultValue: false,
     envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_JAVA",
@@ -262,15 +267,31 @@ export const featureConfig = {
     envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_PYTHON",
     minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_PYTHON,
   },
+  [Feature.OverlayAnalysisRuby]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_RUBY",
+    minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_RUBY,
+  },
+  // Other overlay-related feature flags
+  [Feature.OverlayAnalysisDisableTrapCaching]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_DISABLE_TRAP_CACHING",
+    minimumVersion: undefined,
+  },
   [Feature.OverlayAnalysisResourceChecksV2]: {
     defaultValue: false,
     envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_RESOURCE_CHECKS_V2",
     minimumVersion: undefined,
   },
-  [Feature.OverlayAnalysisRuby]: {
+  [Feature.OverlayAnalysisStatusCheck]: {
     defaultValue: false,
-    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_RUBY",
+    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_STATUS_CHECK",
-    minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_RUBY,
+    minimumVersion: undefined,
+  },
+  [Feature.OverlayAnalysisStatusSave]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_STATUS_SAVE",
+    minimumVersion: undefined,
   },
   [Feature.OverlayAnalysisSkipResourceChecks]: {
     defaultValue: false,

src/git-utils.test.ts

@@ -347,9 +347,9 @@ test.serial("getFileOidsUnderPath returns correct file mapping", async (t) => {
   const runGitCommandStub = sinon
     .stub(gitUtils as any, "runGitCommand")
     .resolves(
-      "30d998ded095371488be3a729eb61d86ed721a18_lib/git-utils.js\n" +
+      "100644 30d998ded095371488be3a729eb61d86ed721a18 0\tlib/git-utils.js\n" +
-        "d89514599a9a99f22b4085766d40af7b99974827_lib/git-utils.js.map\n" +
+        "100644 d89514599a9a99f22b4085766d40af7b99974827 0\tlib/git-utils.js.map\n" +
-        "a47c11f5bfdca7661942d2c8f1b7209fb0dfdf96_src/git-utils.ts",
+        "100644 a47c11f5bfdca7661942d2c8f1b7209fb0dfdf96 0\tsrc/git-utils.ts",
     );
 
   const result = await gitUtils.getFileOidsUnderPath("/fake/path");
@@ -362,7 +362,7 @@ test.serial("getFileOidsUnderPath returns correct file mapping", async (t) => {
 
   t.deepEqual(runGitCommandStub.firstCall.args, [
     "/fake/path",
-    ["ls-files", "--recurse-submodules", "--format=%(objectname)_%(path)"],
+    ["ls-files", "--recurse-submodules", "--stage"],
     "Cannot list Git OIDs of tracked files.",
   ]);
 });
@@ -371,9 +371,9 @@ test.serial("getFileOidsUnderPath handles quoted paths", async (t) => {
   sinon
     .stub(gitUtils as any, "runGitCommand")
     .resolves(
-      "30d998ded095371488be3a729eb61d86ed721a18_lib/normal-file.js\n" +
+      "100644 30d998ded095371488be3a729eb61d86ed721a18 0\tlib/normal-file.js\n" +
-        'd89514599a9a99f22b4085766d40af7b99974827_"lib/file with spaces.js"\n' +
+        '100644 d89514599a9a99f22b4085766d40af7b99974827 0\t"lib/file with spaces.js"\n' +
-        'a47c11f5bfdca7661942d2c8f1b7209fb0dfdf96_"lib/file\\twith\\ttabs.js"',
+        '100644 a47c11f5bfdca7661942d2c8f1b7209fb0dfdf96 0\t"lib/file\\twith\\ttabs.js"',
     );
 
   const result = await gitUtils.getFileOidsUnderPath("/fake/path");
@@ -398,9 +398,9 @@ test.serial(
     sinon
       .stub(gitUtils as any, "runGitCommand")
       .resolves(
-        "30d998ded095371488be3a729eb61d86ed721a18_lib/git-utils.js\n" +
+        "100644 30d998ded095371488be3a729eb61d86ed721a18 0\tlib/git-utils.js\n" +
           "invalid-line-format\n" +
-          "a47c11f5bfdca7661942d2c8f1b7209fb0dfdf96_src/git-utils.ts",
+          "100644 a47c11f5bfdca7661942d2c8f1b7209fb0dfdf96 0\tsrc/git-utils.ts",
       );
 
     await t.throwsAsync(

src/git-utils.ts

@@ -14,10 +14,11 @@ import {
 import { ConfigurationError, getRequiredEnvParam } from "./util";
 
 /**
- * Minimum Git version required for overlay analysis. The `git ls-files --format`
+ * Minimum Git version required for overlay analysis. The
- * option, which is used by `getFileOidsUnderPath`, was introduced in Git 2.38.0.
+ * `git ls-files --recurse-submodules` option, which is used by
+ * `getFileOidsUnderPath`, was introduced in Git 2.11.0.
  */
-export const GIT_MINIMUM_VERSION_FOR_OVERLAY = "2.38.0";
+export const GIT_MINIMUM_VERSION_FOR_OVERLAY = "2.11.0";
 
 /**
  * Git version information
@@ -252,24 +253,28 @@ export const getGitRoot = async function (
  *
  * @param basePath A path into the Git repository.
  * @returns a map from file paths (relative to `basePath`) to Git OIDs.
- * @throws {Error} if "git ls-tree" produces unexpected output.
+ * @throws {Error} if "git ls-files" produces unexpected output.
  */
 export const getFileOidsUnderPath = async function (
   basePath: string,
 ): Promise<{ [key: string]: string }> {
   // Without the --full-name flag, the path is relative to the current working
   // directory of the git command, which is basePath.
+  //
+  // We use --stage rather than --format here because --stage has been available since Git 2.11.0,
+  // while --format was only introduced in Git 2.38.0, which would limit overlay rollout.
   const stdout = await runGitCommand(
     basePath,
-    ["ls-files", "--recurse-submodules", "--format=%(objectname)_%(path)"],
+    ["ls-files", "--recurse-submodules", "--stage"],
     "Cannot list Git OIDs of tracked files.",
   );
 
   const fileOidMap: { [key: string]: string } = {};
-  // With --format=%(objectname)_%(path), the output is a list of lines like:
+  // With --stage, the output is a list of lines like:
-  // 30d998ded095371488be3a729eb61d86ed721a18_lib/git-utils.js
+  // 100644 4c51bc1d9e86cd86e01b0f340cb8ce095c33b283 0\tsrc/git-utils.test.ts
-  // d89514599a9a99f22b4085766d40af7b99974827_lib/git-utils.js.map
+  // 100644 6b792ea543ce75d7a8a03df591e3c85311ecb64f 0\tsrc/git-utils.ts
-  const regex = /^([0-9a-f]{40})_(.+)$/;
+  // The fields are: <mode> <oid> <stage>\t<path>
+  const regex = /^[0-9]+ ([0-9a-f]{40}) [0-9]+\t(.+)$/;
   for (const line of stdout.split("\n")) {
     if (line) {
       const match = line.match(regex);

src/init-action.ts

@@ -88,7 +88,6 @@ import {
   getRequiredEnvParam,
   getThreadsFlagValue,
   initializeEnvironment,
-  isHostedRunner,
   ConfigurationError,
   wrapError,
   checkActionVersion,
@@ -362,7 +361,6 @@ async function run(startedAt: Date) {
       configFile,
       dbLocation: getOptionalInput("db-location"),
       configInput: getOptionalInput("config"),
-      trapCachingEnabled: getTrapCachingEnabled(),
       dependencyCachingEnabled: getDependencyCachingEnabled(),
       // Debug mode is enabled if:
       // - The `init` Action is passed `debug: true`.
@@ -613,24 +611,6 @@ async function run(startedAt: Date) {
       core.exportVariable(kotlinLimitVar, "2.1.20");
     }
 
-    if (config.languages.includes(KnownLanguage.cpp)) {
-      const envVar = "CODEQL_EXTRACTOR_CPP_TRAP_CACHING";
-      if (process.env[envVar]) {
-        logger.info(
-          `Environment variable ${envVar} already set. Not en/disabling CodeQL C++ TRAP caching support`,
-        );
-      } else if (
-        getTrapCachingEnabled() &&
-        (await codeQlVersionAtLeast(codeql, "2.17.5"))
-      ) {
-        logger.info("Enabling CodeQL C++ TRAP caching support");
-        core.exportVariable(envVar, "true");
-      } else {
-        logger.info("Disabling CodeQL C++ TRAP caching support");
-        core.exportVariable(envVar, "false");
-      }
-    }
-
     // Restore dependency cache(s), if they exist.
     if (shouldRestoreCache(config.dependencyCachingEnabled)) {
       const dependencyCachingResult = await downloadDependencyCaches(
@@ -644,17 +624,6 @@ async function run(startedAt: Date) {
         dependencyCachingResult.restoredKeys;
     }
 
-    // Suppress warnings about disabled Python library extraction.
-    if (await codeQlVersionAtLeast(codeql, "2.17.1")) {
-      // disabled by default, no warning
-    } else {
-      // disabled by default, prints warning if environment variable is not set
-      core.exportVariable(
-        "CODEQL_EXTRACTOR_PYTHON_DISABLE_LIBRARY_EXTRACTION",
-        "true",
-      );
-    }
-
     if (getOptionalInput("setup-python-dependencies") !== undefined) {
       logger.warning(
         "The setup-python-dependencies input is deprecated and no longer has any effect. We recommend removing any references from your workflows. See https://github.blog/changelog/2024-01-23-codeql-2-16-python-dependency-installation-disabled-new-queries-and-bug-fixes/ for more information.",
@@ -864,18 +833,6 @@ async function loadRepositoryProperties(
   }
 }
 
-function getTrapCachingEnabled(): boolean {
-  // If the workflow specified something always respect that
-  const trapCaching = getOptionalInput("trap-caching");
-  if (trapCaching !== undefined) return trapCaching === "true";
-
-  // On self-hosted runners which may have slow network access, disable TRAP caching by default
-  if (!isHostedRunner()) return false;
-
-  // On hosted runners, enable TRAP caching by default
-  return true;
-}
-
 async function recordZstdAvailability(
   config: configUtils.Config,
   zstdAvailability: ZstdAvailability,

src/overlay/index.ts

@@ -35,6 +35,7 @@ export const CODEQL_OVERLAY_MINIMUM_VERSION = "2.23.8";
 
 // Per-language minimum CLI versions for overlay analysis, based on release
 // validation data.
+export const CODEQL_OVERLAY_MINIMUM_VERSION_CPP = "2.25.0";
 export const CODEQL_OVERLAY_MINIMUM_VERSION_CSHARP = "2.24.1";
 export const CODEQL_OVERLAY_MINIMUM_VERSION_GO = "2.24.2";
 export const CODEQL_OVERLAY_MINIMUM_VERSION_JAVA = "2.23.8";

src/testdata/pr-diff-range.yml

@@ -0,0 +1,8 @@
+
+extensions:
+  - addsTo:
+      pack: codeql/util
+      extensible: restrictAlertsTo
+      checkPresence: false
+    data:
+      - ['/checkout/path/main.js', 10, 20]

src/testdata/valid-sarif-diff-filtered.sarif

@@ -0,0 +1,178 @@
+{
+  "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json",
+  "version": "2.1.0",
+  "runs": [{
+      "tool": {
+        "driver": {
+          "name": "LGTM.com",
+          "organization": "Semmle",
+          "version": "1.24.0-SNAPSHOT",
+          "rules": [{
+            "id": "js/unused-local-variable",
+            "name": "js/unused-local-variable",
+            "shortDescription": {
+              "text": "Unused variable, import, function or class"
+            },
+            "fullDescription": {
+              "text": "Unused variables, imports, functions or classes may be a symptom of a bug and should be examined carefully."
+            },
+            "defaultConfiguration": {
+              "level": "note"
+            },
+            "properties": {
+              "tags": ["maintainability"],
+              "kind": "problem",
+              "precision": "very-high",
+              "name": "Unused variable, import, function or class",
+              "description": "Unused variables, imports, functions or classes may be a symptom of a bug\n              and should be examined carefully.",
+              "id": "js/unused-local-variable",
+              "problem.severity": "recommendation"
+            }
+          }]
+        }
+      },
+      "results": [{
+        "ruleId": "js/unused-local-variable",
+        "ruleIndex": 0,
+        "message": {
+          "text": "Unused variable foo."
+        },
+        "locations": [{
+          "physicalLocation": {
+            "artifactLocation": {
+              "uri": "main.js",
+              "uriBaseId": "%SRCROOT%",
+              "index": 0
+            },
+            "region": {
+              "startLine": 2,
+              "startColumn": 7,
+              "endColumn": 10
+            }
+          }
+        }],
+        "partialFingerprints": {
+          "primaryLocationLineHash": "39fa2ee980eb94b0:1",
+          "primaryLocationStartColumnFingerprint": "4"
+        }
+      }],
+      "columnKind": "utf16CodeUnits",
+      "properties": {
+        "semmle.formatSpecifier": "2.1.0",
+        "semmle.sourceLanguage": "java"
+      }
+    },
+    {
+      "tool" : {
+        "driver" : {
+          "name" : "CodeQL command-line toolchain",
+          "organization" : "GitHub",
+          "semanticVersion" : "2.0.0",
+          "rules" : [ {
+            "id" : "js/unused-local-variable",
+            "name" : "js/unused-local-variable",
+            "shortDescription" : {
+              "text" : "Unused variable, import, function or class"
+            },
+            "fullDescription" : {
+              "text" : "Unused variables, imports, functions or classes may be a symptom of a bug and should be examined carefully."
+            },
+            "defaultConfiguration" : {
+              "level": "note"
+            },
+            "properties" : {
+              "tags" : [ "maintainability" ],
+              "kind" : "problem",
+              "precision" : "very-high",
+              "name" : "Unused variable, import, function or class",
+              "description" : "Unused variables, imports, functions or classes may be a symptom of a bug\n              and should be examined carefully.",
+              "id" : "js/unused-local-variable",
+              "problem.severity" : "recommendation"
+            }
+          },
+          {
+            "id": "js/inconsistent-use-of-new",
+            "name": "js/inconsistent-use-of-new",
+            "shortDescription": {
+              "text": "Inconsistent use of 'new'"
+            },
+            "fullDescription": {
+              "text": "If a function is intended to be a constructor, it should always be invoked with 'new'. Otherwise, it should always be invoked as a normal function, that is, without 'new'."
+            },
+            "defaultConfiguration": {
+              "level": "note"
+            },
+            "properties": {
+              "tags": [
+                "reliability",
+                "correctness",
+                "language-features"
+              ],
+              "kind": "problem",
+              "precision": "very-high",
+              "problem.severity": "warning"
+            }
+          } ]
+        }
+      },
+      "artifacts" : [ {
+        "location" : {
+          "uri" : "main.js",
+          "uriBaseId" : "%SRCROOT%",
+          "index" : 0
+        }
+      },
+      {
+        "location": {
+          "uri": "src/promiseUtils.js",
+          "uriBaseId": "%SRCROOT%",
+          "index": 1
+        }
+      },
+      {
+        "location": {
+          "uri": "src/LiveQueryClient.js",
+          "uriBaseId": "%SRCROOT%",
+          "index": 2
+        }
+      },
+      {
+        "location": {
+          "uri": "src/ParseObject.js",
+          "uriBaseId": "%SRCROOT%",
+          "index": 3
+        }
+      } ],
+      "results" : [ {
+        "ruleId" : "js/unused-local-variable",
+        "ruleIndex" : 0,
+        "message" : {
+          "text" : "Unused variable foo."
+        },
+        "locations" : [ {
+          "physicalLocation" : {
+            "artifactLocation" : {
+              "uri" : "main.js",
+              "uriBaseId" : "%SRCROOT%",
+              "index" : 0
+            },
+            "region" : {
+              "startLine" : 2,
+              "startColumn" : 7,
+              "endColumn" : 10
+            }
+          }
+        } ],
+        "partialFingerprints" : {
+          "primaryLocationLineHash" : "39fa2ee980eb94b0:1",
+          "primaryLocationStartColumnFingerprint" : "4"
+        }
+      }],
+      "newlineSequences" : [ "\r\n", "\n", "
", "
" ],
+      "columnKind" : "utf16CodeUnits",
+      "properties" : {
+        "semmle.formatSpecifier" : "sarif-latest"
+      }
+    }
+  ]
+}

src/testing-utils.ts

@@ -156,6 +156,7 @@ export const DEFAULT_ACTIONS_VARS = {
   GITHUB_SERVER_URL: "https://github.com",
   GITHUB_SHA: "0".repeat(40),
   GITHUB_WORKFLOW: "test-workflow",
+  RUNNER_NAME: "my-runner",
   RUNNER_OS: "Linux",
 } as const satisfies Record<string, string>;
 

src/upload-lib.test.ts

@@ -9,6 +9,7 @@ import * as sinon from "sinon";
 import * as analyses from "./analyses";
 import { AnalysisKind, CodeQuality, CodeScanning } from "./analyses";
 import * as api from "./api-client";
+import * as diffUtils from "./diff-informed-analysis-utils";
 import { getRunnerLogger, Logger } from "./logging";
 import * as sarif from "./sarif";
 import { setupTests } from "./testing-utils";
@@ -1012,3 +1013,33 @@ for (const analysisKind of analyses.supportedAnalysisKinds) {
     },
   );
 }
+
+function runFilterAlertsByDiffRange(
+  input: Partial<sarif.Log>,
+  diffRanges: diffUtils.DiffThunkRange[],
+): Partial<sarif.Log> {
+  sinon.stub(diffUtils, "readDiffRangesJsonFile").returns(diffRanges);
+  return uploadLib.filterAlertsByDiffRange(getRunnerLogger(true), input);
+}
+
+test.serial(
+  "filterAlertsByDiffRange filters out alerts outside diff-range",
+  (t) => {
+    const input = sarif.readSarifFile(
+      `${__dirname}/../src/testdata/valid-sarif.sarif`,
+    );
+    const actualOutput = runFilterAlertsByDiffRange(input, [
+      {
+        path: "main.js",
+        startLine: 1,
+        endLine: 3,
+      },
+    ]);
+
+    const expectedOutput = sarif.readSarifFile(
+      `${__dirname}/../src/testdata/valid-sarif-diff-filtered.sarif`,
+    );
+
+    t.deepEqual(actualOutput, expectedOutput);
+  },
+);

src/upload-lib.ts

@@ -1039,7 +1039,7 @@ function sanitize(str?: string) {
   return (str ?? "_").replace(/[^a-zA-Z0-9_]/g, "_").toLocaleUpperCase();
 }
 
-function filterAlertsByDiffRange(
+export function filterAlertsByDiffRange(
   logger: Logger,
   sarifLog: Partial<sarif.Log>,
 ): Partial<sarif.Log> {
@@ -1052,8 +1052,6 @@ function filterAlertsByDiffRange(
     return sarifLog;
   }
 
-  const checkoutPath = actionsUtil.getRequiredInput("checkout_path");
-
   for (const run of sarifLog.runs) {
     if (run.results) {
       run.results = run.results.filter((result) => {
@@ -1068,11 +1066,6 @@ function filterAlertsByDiffRange(
           if (!locationUri || locationStartLine === undefined) {
             return false;
           }
-          // CodeQL always uses forward slashes as the path separator, so on Windows we
-          // need to replace any backslashes with forward slashes.
-          const locationPath = path
-            .join(checkoutPath, locationUri)
-            .replaceAll(path.sep, "/");
           // Alert filtering here replicates the same behavior as the restrictAlertsTo
           // extensible predicate in CodeQL. See the restrictAlertsTo documentation
           // https://codeql.github.com/codeql-standard-libraries/csharp/codeql/util/AlertFiltering.qll/predicate.AlertFiltering$restrictAlertsTo.3.html
@@ -1080,7 +1073,7 @@ function filterAlertsByDiffRange(
           // of an alert location.
           return diffRanges.some(
             (range) =>
-              range.path === locationPath &&
+              range.path === locationUri &&
               ((range.startLine <= locationStartLine &&
                 range.endLine >= locationStartLine) ||
                 (range.startLine === 0 && range.endLine === 0)),