From 245f6828c4b868031d4f50d96c64c536f031e265 Mon Sep 17 00:00:00 2001 From: Henry Mercer Date: Tue, 28 Apr 2026 12:42:42 +0100 Subject: [PATCH] Use a counter instead of Math.random for diagnostic filename suffix --- lib/analyze-action.js | 3 ++- lib/init-action-post.js | 3 ++- lib/init-action.js | 3 ++- lib/setup-codeql-action.js | 3 ++- lib/upload-lib.js | 3 ++- lib/upload-sarif-action.js | 3 ++- src/diagnostics.ts | 16 ++++++++++------ 7 files changed, 22 insertions(+), 12 deletions(-) diff --git a/lib/analyze-action.js b/lib/analyze-action.js index 72da44c72..750a0e52d 100644 --- a/lib/analyze-action.js +++ b/lib/analyze-action.js @@ -107850,6 +107850,7 @@ function formatDuration(durationMs) { // src/diagnostics.ts var unwrittenDiagnostics = []; var unwrittenDefaultLanguageDiagnostics = []; +var diagnosticCounter = 0; function makeDiagnostic(id, name, data = void 0) { return { ...data, @@ -107892,7 +107893,7 @@ function writeDiagnostic(config, language, diagnostic) { ); try { (0, import_fs.mkdirSync)(diagnosticsPath, { recursive: true }); - const uniqueSuffix = Math.floor(Math.random() * 4294967296).toString(16).padStart(8, "0"); + const uniqueSuffix = (diagnosticCounter++).toString(); const sanitizedTimestamp = diagnostic.timestamp.replace( /[^a-zA-Z0-9.-]/g, "" diff --git a/lib/init-action-post.js b/lib/init-action-post.js index 9a8363372..3f44bd4d3 100644 --- a/lib/init-action-post.js +++ b/lib/init-action-post.js @@ -165769,6 +165769,7 @@ function formatDuration(durationMs) { // src/diagnostics.ts var unwrittenDiagnostics = []; var unwrittenDefaultLanguageDiagnostics = []; +var diagnosticCounter = 0; function makeDiagnostic(id, name, data = void 0) { return { ...data, 
@@ -165811,7 +165812,7 @@ function writeDiagnostic(config, language, diagnostic) { ); try { (0, import_fs.mkdirSync)(diagnosticsPath, { recursive: true }); - const uniqueSuffix = Math.floor(Math.random() * 4294967296).toString(16).padStart(8, "0"); + const uniqueSuffix = (diagnosticCounter++).toString(); const sanitizedTimestamp = diagnostic.timestamp.replace( /[^a-zA-Z0-9.-]/g, "" diff --git a/lib/init-action.js b/lib/init-action.js index 3e779fe79..a3c7ab96b 100644 --- a/lib/init-action.js +++ b/lib/init-action.js @@ -105355,6 +105355,7 @@ function formatDuration(durationMs) { // src/diagnostics.ts var unwrittenDiagnostics = []; var unwrittenDefaultLanguageDiagnostics = []; +var diagnosticCounter = 0; function makeDiagnostic(id, name, data = void 0) { return { ...data, @@ -105397,7 +105398,7 @@ function writeDiagnostic(config, language, diagnostic) { ); try { (0, import_fs.mkdirSync)(diagnosticsPath, { recursive: true }); - const uniqueSuffix = Math.floor(Math.random() * 4294967296).toString(16).padStart(8, "0"); + const uniqueSuffix = (diagnosticCounter++).toString(); const sanitizedTimestamp = diagnostic.timestamp.replace( /[^a-zA-Z0-9.-]/g, "" diff --git a/lib/setup-codeql-action.js b/lib/setup-codeql-action.js index 0c492ed45..64e6a317c 100644 --- a/lib/setup-codeql-action.js +++ b/lib/setup-codeql-action.js @@ -105425,6 +105425,7 @@ function formatDuration(durationMs) { // src/diagnostics.ts var unwrittenDiagnostics = []; var unwrittenDefaultLanguageDiagnostics = []; +var diagnosticCounter = 0; function makeDiagnostic(id, name, data = void 0) { return { ...data, @@ -105467,7 +105468,7 @@ function writeDiagnostic(config, language, diagnostic) { ); try { (0, import_fs.mkdirSync)(diagnosticsPath, { recursive: true }); - const uniqueSuffix = Math.floor(Math.random() * 4294967296).toString(16).padStart(8, "0"); + const uniqueSuffix = (diagnosticCounter++).toString(); const sanitizedTimestamp = diagnostic.timestamp.replace( /[^a-zA-Z0-9.-]/g, "" 
diff --git a/lib/upload-lib.js b/lib/upload-lib.js index c34c46ec7..4bd41931b 100644 --- a/lib/upload-lib.js +++ b/lib/upload-lib.js @@ -107460,6 +107460,7 @@ function formatDuration(durationMs) { // src/diagnostics.ts var unwrittenDiagnostics = []; var unwrittenDefaultLanguageDiagnostics = []; +var diagnosticCounter = 0; function makeDiagnostic(id, name, data = void 0) { return { ...data, @@ -107502,7 +107503,7 @@ function writeDiagnostic(config, language, diagnostic) { ); try { (0, import_fs.mkdirSync)(diagnosticsPath, { recursive: true }); - const uniqueSuffix = Math.floor(Math.random() * 4294967296).toString(16).padStart(8, "0"); + const uniqueSuffix = (diagnosticCounter++).toString(); const sanitizedTimestamp = diagnostic.timestamp.replace( /[^a-zA-Z0-9.-]/g, "" diff --git a/lib/upload-sarif-action.js b/lib/upload-sarif-action.js index e4b8dbde7..e6ca76b23 100644 --- a/lib/upload-sarif-action.js +++ b/lib/upload-sarif-action.js @@ -108216,6 +108216,7 @@ var import_fs = require("fs"); var import_path = __toESM(require("path")); var unwrittenDiagnostics = []; var unwrittenDefaultLanguageDiagnostics = []; +var diagnosticCounter = 0; function makeDiagnostic(id, name, data = void 0) { return { ...data, @@ -108258,7 +108259,7 @@ function writeDiagnostic(config, language, diagnostic) { ); try { (0, import_fs.mkdirSync)(diagnosticsPath, { recursive: true }); - const uniqueSuffix = Math.floor(Math.random() * 4294967296).toString(16).padStart(8, "0"); + const uniqueSuffix = (diagnosticCounter++).toString(); const sanitizedTimestamp = diagnostic.timestamp.replace( /[^a-zA-Z0-9.-]/g, "" diff --git a/src/diagnostics.ts b/src/diagnostics.ts index ab9ca4a7a..65e82ce1a 100644 --- a/src/diagnostics.ts +++ b/src/diagnostics.ts 
@@ -72,6 +72,13 @@ let unwrittenDiagnostics: UnwrittenDiagnostic[] = [];
 */
 let unwrittenDefaultLanguageDiagnostics: DiagnosticMessage[] = [];
 
+/**
+ * Counter used to generate a unique suffix for each diagnostic filename, so that
+ * two diagnostics produced within the same millisecond do not overwrite each
+ * other on disk.
+ */
+let diagnosticCounter = 0;
+
 /**
 * Constructs a new diagnostic message with the specified id and name, as well as optional additional data.
 *
@@ -167,12 +174,9 @@ function writeDiagnostic(
 // Create the directory if it doesn't exist yet.
 mkdirSync(diagnosticsPath, { recursive: true });
 
- // Include a random suffix to avoid filename collisions between diagnostics
- // produced within the same millisecond. This doesn't need to be
- // cryptographically secure, so `Math.random` is fine.
- const uniqueSuffix = Math.floor(Math.random() * 0x100000000)
- .toString(16)
- .padStart(8, "0");
+ // Include a monotonically increasing suffix to avoid filename collisions
+ // between diagnostics produced within the same millisecond.
+ const uniqueSuffix = (diagnosticCounter++).toString();
 // We should only need to remove colons, but to be defensive, only allow a restricted set of
 // characters.
 const sanitizedTimestamp = diagnostic.timestamp.replace(
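Review bot: The new suffix in `writeDiagnostic` is unique only within one loaded copy of the module, because `diagnosticCounter` is module-level state that starts at 0 in every process, and each of the six bundles under `lib/` in this patch carries its own `var diagnosticCounter = 0`. If two such processes ever write the same timestamp into the same `diagnosticsPath`, both would pick suffix `0`, which the removed random suffix made unlikely; whether that can happen depends on how the actions are scheduled and on the rest of the filename, which lies outside the hunk. Consider `const uniqueSuffix = [process.pid, diagnosticCounter++].join("-");`, or creating the file with the exclusive flag `wx` so a collision surfaces as an error rather than silently replacing an earlier diagnostic. The doc comment added in the first hunk should say the suffix is "unique within this process" rather than plainly "unique". The body of `writeDiagnostic` starts and ends outside the hunk.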