From 0f4529ee0502c0fb991b0c1cee5b06ac61b0d3b7 Mon Sep 17 00:00:00 2001 From: Henry Mercer Date: Mon, 22 Sep 2025 12:28:04 +0200 Subject: [PATCH 01/11] Enable requesting latest nightly with "tools: nightly" --- lib/analyze-action.js | 27 +++++++++++++++++++++++- lib/init-action-post.js | 27 +++++++++++++++++++++++- lib/init-action.js | 27 +++++++++++++++++++++++- lib/upload-lib.js | 27 +++++++++++++++++++++++- lib/upload-sarif-action.js | 27 +++++++++++++++++++++++- src/setup-codeql.ts | 43 ++++++++++++++++++++++++++++++++++++++ 6 files changed, 173 insertions(+), 5 deletions(-) diff --git a/lib/analyze-action.js b/lib/analyze-action.js index 927bbd8f7..a7c2703c0 100644 --- a/lib/analyze-action.js +++ b/lib/analyze-action.js @@ -92051,7 +92051,10 @@ function sanitizeUrlForStatusReport(url2) { // src/setup-codeql.ts var CODEQL_DEFAULT_ACTION_REPOSITORY = "github/codeql-action"; +var CODEQL_NIGHTLIES_REPOSITORY_OWNER = "dsp-testing"; +var CODEQL_NIGHTLIES_REPOSITORY_NAME = "codeql-cli-nightlies"; var CODEQL_BUNDLE_VERSION_ALIAS = ["linked", "latest"]; +var CODEQL_NIGHTLY_TOOLS_INPUTS = ["nightly", "nightly-latest"]; function getCodeQLBundleExtension(compressionMethod) { switch (compressionMethod) { case "gzip": @@ -92194,7 +92197,7 @@ async function findOverridingToolsInCache(humanReadableVersion, logger) { return void 0; } async function getCodeQLSource(toolsInput, defaultCliVersion, apiDetails, variant, tarSupportsZstd, logger) { - if (toolsInput && !CODEQL_BUNDLE_VERSION_ALIAS.includes(toolsInput) && !toolsInput.startsWith("http")) { + if (toolsInput && !CODEQL_BUNDLE_VERSION_ALIAS.includes(toolsInput) && !CODEQL_NIGHTLY_TOOLS_INPUTS.includes(toolsInput) && !toolsInput.startsWith("http")) { logger.info(`Using CodeQL CLI from local path ${toolsInput}`); const compressionMethod2 = inferCompressionMethod(toolsInput); if (compressionMethod2 === void 0) { 
@@ -92223,6 +92226,9 @@ async function getCodeQLSource(toolsInput, defaultCliVersion, apiDetails, varian let cliVersion2; let tagName; let url2; + if (toolsInput !== void 0 && CODEQL_NIGHTLY_TOOLS_INPUTS.includes(toolsInput)) { + toolsInput = await getNightlyToolsUrl(logger); + } if (forceShippedTools) { cliVersion2 = cliVersion; tagName = bundleVersion; @@ -92506,6 +92512,25 @@ async function useZstdBundle(cliVersion2, tarSupportsZstd) { function getTempExtractionDir(tempDir) { return path12.join(tempDir, v4_default()); } +async function getNightlyToolsUrl(logger) { + const zstdAvailability = await isZstdAvailable(logger); + const compressionMethod = await useZstdBundle( + CODEQL_VERSION_ZSTD_BUNDLE, + zstdAvailability.available + ) ? "zstd" : "gzip"; + const release3 = await getApiClient().rest.repos.listReleases({ + owner: CODEQL_NIGHTLIES_REPOSITORY_OWNER, + repo: CODEQL_NIGHTLIES_REPOSITORY_NAME, + per_page: 1, + page: 1, + prerelease: true + }); + const latestRelease = release3.data[0]; + if (!latestRelease) { + throw new Error("Could not find latest nightly release."); + } + return `https://github.com/${CODEQL_NIGHTLIES_REPOSITORY_OWNER}/${CODEQL_NIGHTLIES_REPOSITORY_NAME}/releases/download/${latestRelease.tag_name}/${getCodeQLBundleName(compressionMethod)}`; +} // src/tracer-config.ts var fs13 = __toESM(require("fs")); diff --git a/lib/init-action-post.js b/lib/init-action-post.js index bc86cec13..a3efb7b37 100644 --- a/lib/init-action-post.js +++ b/lib/init-action-post.js 
@@ -129994,7 +129994,10 @@ function sanitizeUrlForStatusReport(url2) { // src/setup-codeql.ts var CODEQL_DEFAULT_ACTION_REPOSITORY = "github/codeql-action"; +var CODEQL_NIGHTLIES_REPOSITORY_OWNER = "dsp-testing"; +var CODEQL_NIGHTLIES_REPOSITORY_NAME = "codeql-cli-nightlies"; var CODEQL_BUNDLE_VERSION_ALIAS = ["linked", "latest"]; +var CODEQL_NIGHTLY_TOOLS_INPUTS = ["nightly", "nightly-latest"]; function getCodeQLBundleExtension(compressionMethod) { switch (compressionMethod) { case "gzip": @@ -130137,7 +130140,7 @@ async function findOverridingToolsInCache(humanReadableVersion, logger) { return void 0; } async function getCodeQLSource(toolsInput, defaultCliVersion, apiDetails, variant, tarSupportsZstd, logger) { - if (toolsInput && !CODEQL_BUNDLE_VERSION_ALIAS.includes(toolsInput) && !toolsInput.startsWith("http")) { + if (toolsInput && !CODEQL_BUNDLE_VERSION_ALIAS.includes(toolsInput) && !CODEQL_NIGHTLY_TOOLS_INPUTS.includes(toolsInput) && !toolsInput.startsWith("http")) { logger.info(`Using CodeQL CLI from local path ${toolsInput}`); const compressionMethod2 = inferCompressionMethod(toolsInput); if (compressionMethod2 === void 0) { @@ -130166,6 +130169,9 @@ async function getCodeQLSource(toolsInput, defaultCliVersion, apiDetails, varian let cliVersion2; let tagName; let url2; + if (toolsInput !== void 0 && CODEQL_NIGHTLY_TOOLS_INPUTS.includes(toolsInput)) { + toolsInput = await getNightlyToolsUrl(logger); + } if (forceShippedTools) { cliVersion2 = cliVersion; tagName = bundleVersion; 
@@ -130449,6 +130455,25 @@ async function useZstdBundle(cliVersion2, tarSupportsZstd) { function getTempExtractionDir(tempDir) { return path12.join(tempDir, v4_default()); } +async function getNightlyToolsUrl(logger) { + const zstdAvailability = await isZstdAvailable(logger); + const compressionMethod = await useZstdBundle( + CODEQL_VERSION_ZSTD_BUNDLE, + zstdAvailability.available + ) ? "zstd" : "gzip"; + const release3 = await getApiClient().rest.repos.listReleases({ + owner: CODEQL_NIGHTLIES_REPOSITORY_OWNER, + repo: CODEQL_NIGHTLIES_REPOSITORY_NAME, + per_page: 1, + page: 1, + prerelease: true + }); + const latestRelease = release3.data[0]; + if (!latestRelease) { + throw new Error("Could not find latest nightly release."); + } + return `https://github.com/${CODEQL_NIGHTLIES_REPOSITORY_OWNER}/${CODEQL_NIGHTLIES_REPOSITORY_NAME}/releases/download/${latestRelease.tag_name}/${getCodeQLBundleName(compressionMethod)}`; +} // src/tracer-config.ts async function shouldEnableIndirectTracing(codeql, config) { diff --git a/lib/init-action.js b/lib/init-action.js index 51b9c5feb..7f3ed776a 100644 --- a/lib/init-action.js +++ b/lib/init-action.js @@ -88668,7 +88668,10 @@ function sanitizeUrlForStatusReport(url) { // src/setup-codeql.ts var CODEQL_DEFAULT_ACTION_REPOSITORY = "github/codeql-action"; +var CODEQL_NIGHTLIES_REPOSITORY_OWNER = "dsp-testing"; +var CODEQL_NIGHTLIES_REPOSITORY_NAME = "codeql-cli-nightlies"; var CODEQL_BUNDLE_VERSION_ALIAS = ["linked", "latest"]; +var CODEQL_NIGHTLY_TOOLS_INPUTS = ["nightly", "nightly-latest"]; function getCodeQLBundleExtension(compressionMethod) { switch (compressionMethod) { case "gzip": 
@@ -88811,7 +88814,7 @@ async function findOverridingToolsInCache(humanReadableVersion, logger) { return void 0; } async function getCodeQLSource(toolsInput, defaultCliVersion, apiDetails, variant, tarSupportsZstd, logger) { - if (toolsInput && !CODEQL_BUNDLE_VERSION_ALIAS.includes(toolsInput) && !toolsInput.startsWith("http")) { + if (toolsInput && !CODEQL_BUNDLE_VERSION_ALIAS.includes(toolsInput) && !CODEQL_NIGHTLY_TOOLS_INPUTS.includes(toolsInput) && !toolsInput.startsWith("http")) { logger.info(`Using CodeQL CLI from local path ${toolsInput}`); const compressionMethod2 = inferCompressionMethod(toolsInput); if (compressionMethod2 === void 0) { @@ -88840,6 +88843,9 @@ async function getCodeQLSource(toolsInput, defaultCliVersion, apiDetails, varian let cliVersion2; let tagName; let url; + if (toolsInput !== void 0 && CODEQL_NIGHTLY_TOOLS_INPUTS.includes(toolsInput)) { + toolsInput = await getNightlyToolsUrl(logger); + } if (forceShippedTools) { cliVersion2 = cliVersion; tagName = bundleVersion; 
@@ -89123,6 +89129,25 @@ async function useZstdBundle(cliVersion2, tarSupportsZstd) { function getTempExtractionDir(tempDir) { return path13.join(tempDir, v4_default()); } +async function getNightlyToolsUrl(logger) { + const zstdAvailability = await isZstdAvailable(logger); + const compressionMethod = await useZstdBundle( + CODEQL_VERSION_ZSTD_BUNDLE, + zstdAvailability.available + ) ? "zstd" : "gzip"; + const release3 = await getApiClient().rest.repos.listReleases({ + owner: CODEQL_NIGHTLIES_REPOSITORY_OWNER, + repo: CODEQL_NIGHTLIES_REPOSITORY_NAME, + per_page: 1, + page: 1, + prerelease: true + }); + const latestRelease = release3.data[0]; + if (!latestRelease) { + throw new Error("Could not find latest nightly release."); + } + return `https://github.com/${CODEQL_NIGHTLIES_REPOSITORY_OWNER}/${CODEQL_NIGHTLIES_REPOSITORY_NAME}/releases/download/${latestRelease.tag_name}/${getCodeQLBundleName(compressionMethod)}`; +} // src/tracer-config.ts var fs13 = __toESM(require("fs")); diff --git a/lib/upload-lib.js b/lib/upload-lib.js index 88dc2d589..dc229aa91 100644 --- a/lib/upload-lib.js +++ b/lib/upload-lib.js @@ -89822,7 +89822,10 @@ function sanitizeUrlForStatusReport(url2) { // src/setup-codeql.ts var CODEQL_DEFAULT_ACTION_REPOSITORY = "github/codeql-action"; +var CODEQL_NIGHTLIES_REPOSITORY_OWNER = "dsp-testing"; +var CODEQL_NIGHTLIES_REPOSITORY_NAME = "codeql-cli-nightlies"; var CODEQL_BUNDLE_VERSION_ALIAS = ["linked", "latest"]; +var CODEQL_NIGHTLY_TOOLS_INPUTS = ["nightly", "nightly-latest"]; function getCodeQLBundleExtension(compressionMethod) { switch (compressionMethod) { case "gzip": 
@@ -89965,7 +89968,7 @@ async function findOverridingToolsInCache(humanReadableVersion, logger) { return void 0; } async function getCodeQLSource(toolsInput, defaultCliVersion, apiDetails, variant, tarSupportsZstd, logger) { - if (toolsInput && !CODEQL_BUNDLE_VERSION_ALIAS.includes(toolsInput) && !toolsInput.startsWith("http")) { + if (toolsInput && !CODEQL_BUNDLE_VERSION_ALIAS.includes(toolsInput) && !CODEQL_NIGHTLY_TOOLS_INPUTS.includes(toolsInput) && !toolsInput.startsWith("http")) { logger.info(`Using CodeQL CLI from local path ${toolsInput}`); const compressionMethod2 = inferCompressionMethod(toolsInput); if (compressionMethod2 === void 0) { @@ -89994,6 +89997,9 @@ async function getCodeQLSource(toolsInput, defaultCliVersion, apiDetails, varian let cliVersion2; let tagName; let url2; + if (toolsInput !== void 0 && CODEQL_NIGHTLY_TOOLS_INPUTS.includes(toolsInput)) { + toolsInput = await getNightlyToolsUrl(logger); + } if (forceShippedTools) { cliVersion2 = cliVersion; tagName = bundleVersion; 
@@ -90277,6 +90283,25 @@ async function useZstdBundle(cliVersion2, tarSupportsZstd) { function getTempExtractionDir(tempDir) { return path11.join(tempDir, v4_default()); } +async function getNightlyToolsUrl(logger) { + const zstdAvailability = await isZstdAvailable(logger); + const compressionMethod = await useZstdBundle( + CODEQL_VERSION_ZSTD_BUNDLE, + zstdAvailability.available + ) ? "zstd" : "gzip"; + const release = await getApiClient().rest.repos.listReleases({ + owner: CODEQL_NIGHTLIES_REPOSITORY_OWNER, + repo: CODEQL_NIGHTLIES_REPOSITORY_NAME, + per_page: 1, + page: 1, + prerelease: true + }); + const latestRelease = release.data[0]; + if (!latestRelease) { + throw new Error("Could not find latest nightly release."); + } + return `https://github.com/${CODEQL_NIGHTLIES_REPOSITORY_OWNER}/${CODEQL_NIGHTLIES_REPOSITORY_NAME}/releases/download/${latestRelease.tag_name}/${getCodeQLBundleName(compressionMethod)}`; +} // src/tracer-config.ts async function shouldEnableIndirectTracing(codeql, config) { diff --git a/lib/upload-sarif-action.js b/lib/upload-sarif-action.js index f603d0aa1..b568039b7 100644 --- a/lib/upload-sarif-action.js +++ b/lib/upload-sarif-action.js @@ -90523,7 +90523,10 @@ function sanitizeUrlForStatusReport(url2) { // src/setup-codeql.ts var CODEQL_DEFAULT_ACTION_REPOSITORY = "github/codeql-action"; +var CODEQL_NIGHTLIES_REPOSITORY_OWNER = "dsp-testing"; +var CODEQL_NIGHTLIES_REPOSITORY_NAME = "codeql-cli-nightlies"; var CODEQL_BUNDLE_VERSION_ALIAS = ["linked", "latest"]; +var CODEQL_NIGHTLY_TOOLS_INPUTS = ["nightly", "nightly-latest"]; function getCodeQLBundleExtension(compressionMethod) { switch (compressionMethod) { case "gzip": 
@@ -90666,7 +90669,7 @@ async function findOverridingToolsInCache(humanReadableVersion, logger) { return void 0; } async function getCodeQLSource(toolsInput, defaultCliVersion, apiDetails, variant, tarSupportsZstd, logger) { - if (toolsInput && !CODEQL_BUNDLE_VERSION_ALIAS.includes(toolsInput) && !toolsInput.startsWith("http")) { + if (toolsInput && !CODEQL_BUNDLE_VERSION_ALIAS.includes(toolsInput) && !CODEQL_NIGHTLY_TOOLS_INPUTS.includes(toolsInput) && !toolsInput.startsWith("http")) { logger.info(`Using CodeQL CLI from local path ${toolsInput}`); const compressionMethod2 = inferCompressionMethod(toolsInput); if (compressionMethod2 === void 0) { @@ -90695,6 +90698,9 @@ async function getCodeQLSource(toolsInput, defaultCliVersion, apiDetails, varian let cliVersion2; let tagName; let url2; + if (toolsInput !== void 0 && CODEQL_NIGHTLY_TOOLS_INPUTS.includes(toolsInput)) { + toolsInput = await getNightlyToolsUrl(logger); + } if (forceShippedTools) { cliVersion2 = cliVersion; tagName = bundleVersion; 
@@ -90978,6 +90984,25 @@ async function useZstdBundle(cliVersion2, tarSupportsZstd) { function getTempExtractionDir(tempDir) { return path12.join(tempDir, v4_default()); } +async function getNightlyToolsUrl(logger) { + const zstdAvailability = await isZstdAvailable(logger); + const compressionMethod = await useZstdBundle( + CODEQL_VERSION_ZSTD_BUNDLE, + zstdAvailability.available + ) ? "zstd" : "gzip"; + const release3 = await getApiClient().rest.repos.listReleases({ + owner: CODEQL_NIGHTLIES_REPOSITORY_OWNER, + repo: CODEQL_NIGHTLIES_REPOSITORY_NAME, + per_page: 1, + page: 1, + prerelease: true + }); + const latestRelease = release3.data[0]; + if (!latestRelease) { + throw new Error("Could not find latest nightly release."); + } + return `https://github.com/${CODEQL_NIGHTLIES_REPOSITORY_OWNER}/${CODEQL_NIGHTLIES_REPOSITORY_NAME}/releases/download/${latestRelease.tag_name}/${getCodeQLBundleName(compressionMethod)}`; +} // src/tracer-config.ts async function shouldEnableIndirectTracing(codeql, config) { diff --git a/src/setup-codeql.ts b/src/setup-codeql.ts index e64a032c9..eb115cc01 100644 --- a/src/setup-codeql.ts +++ b/src/setup-codeql.ts @@ -33,8 +33,11 @@ export enum ToolsSource { } export const CODEQL_DEFAULT_ACTION_REPOSITORY = "github/codeql-action"; +const CODEQL_NIGHTLIES_REPOSITORY_OWNER = "dsp-testing"; +const CODEQL_NIGHTLIES_REPOSITORY_NAME = "codeql-cli-nightlies"; const CODEQL_BUNDLE_VERSION_ALIAS: string[] = ["linked", "latest"]; +const CODEQL_NIGHTLY_TOOLS_INPUTS = ["nightly", "nightly-latest"]; function getCodeQLBundleExtension( compressionMethod: tar.CompressionMethod, @@ -277,6 +280,7 @@ export async function getCodeQLSource( if ( toolsInput && !CODEQL_BUNDLE_VERSION_ALIAS.includes(toolsInput) && + !CODEQL_NIGHTLY_TOOLS_INPUTS.includes(toolsInput) && !toolsInput.startsWith("http") ) { logger.info(`Using CodeQL CLI from local path ${toolsInput}`); 
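Review bot: `CODEQL_NIGHTLIES_REPOSITORY_OWNER`/`CODEQL_NIGHTLIES_REPOSITORY_NAME` point `tools: nightly` at `dsp-testing/codeql-cli-nightlies`, a repository outside the `github/` org, and `getNightlyToolsUrl` later resolves the alias to whatever that repository's newest release is, so anyone able to publish a release there picks the CLI binaries that every workflow using this alias downloads and executes. That trust relationship is not stated anywhere near the constants, and a one-line comment would make it explicit for the next maintainer, e.g. `// Nightly CLI bundles are fetched from this repository; "tools: nightly" trusts its most recent release, unpinned and unversioned.`. The added `!CODEQL_NIGHTLY_TOOLS_INPUTS.includes(toolsInput)` term on the local-path condition mirrors how `CODEQL_BUNDLE_VERSION_ALIAS` is handled, which reads fine; `getCodeQLSource` continues beyond this hunk.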
@@ -331,6 +335,13 @@ export async function getCodeQLSource(
*/
let url: string | undefined;
+ if (
+ toolsInput !== undefined &&
+ CODEQL_NIGHTLY_TOOLS_INPUTS.includes(toolsInput)
+ ) {
+ toolsInput = await getNightlyToolsUrl(logger);
+ }
+
if (forceShippedTools) {
cliVersion = defaults.cliVersion;
tagName = defaults.bundleVersion;
@@ -771,3 +782,35 @@ async function useZstdBundle(
function getTempExtractionDir(tempDir: string) {
return path.join(tempDir, uuidV4());
}
+
+/**
+ * Get the URL of the latest nightly CodeQL bundle.
+ */
+async function getNightlyToolsUrl(logger: Logger) {
+ const zstdAvailability = await tar.isZstdAvailable(logger);
+ // The nightly is guaranteed to have a zstd bundle
+ const compressionMethod = (await useZstdBundle(
+ CODEQL_VERSION_ZSTD_BUNDLE,
+ zstdAvailability.available,
+ ))
+ ? "zstd"
+ : "gzip";
+
+ // Since nightlies are prereleases, we can't just download the latest release
+ // on the repository. So instead we need to find the latest pre-release
+ // version and construct the download URL from that.
+ const release = await api.getApiClient().rest.repos.listReleases({
+ owner: CODEQL_NIGHTLIES_REPOSITORY_OWNER,
+ repo: CODEQL_NIGHTLIES_REPOSITORY_NAME,
+ per_page: 1,
+ page: 1,
+ prerelease: true,
+ });
+
+ const latestRelease = release.data[0];
+ if (!latestRelease) {
+ throw new Error("Could not find latest nightly release.");
+ }
+
+ return `https://github.com/${CODEQL_NIGHTLIES_REPOSITORY_OWNER}/${CODEQL_NIGHTLIES_REPOSITORY_NAME}/releases/download/${latestRelease.tag_name}/${getCodeQLBundleName(compressionMethod)}`;
+}
From 9e8cbee7cb5403cd5ffcd5b60358922300295b47 Mon Sep 17 00:00:00 2001
From: Henry Mercer
Date: Mon, 22 Sep 2025 12:30:45 +0200
Subject: [PATCH 02/11] Process nightly CI runs using `tools: nightly`
---
.github/actions/prepare-test/action.yml | 24 +++++++++--------------
1 file changed, 9 insertions(+), 15 deletions(-)
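Review bot: The `prerelease: true` argument passed to `listReleases` in `getNightlyToolsUrl` does not, as far as I can tell from the REST "List releases" endpoint, exist as a filter (the endpoint takes only `per_page` and `page`; Octokit's permissive `RequestParameters` type is why the extra property compiles), so `release.data[0]` is simply the most recently created release whether or not it is a pre-release, which contradicts the comment above the call. Requesting a small page and filtering it would implement what the comment describes: `per_page: 10,` and `const latestRelease = release.data.find((r) => r.prerelease && !r.draft);`. Note also that nothing in this hunk pins or checks the bundle that the returned URL points at, so the result changes whenever a new release is published; if the download path elsewhere verifies bundles that is fine, otherwise it is worth a comment on the function saying the URL is resolved live and unverified.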
diff --git a/.github/actions/prepare-test/action.yml b/.github/actions/prepare-test/action.yml
index 8e8227c3a..ed1171568 100644
--- a/.github/actions/prepare-test/action.yml
+++ b/.github/actions/prepare-test/action.yml
@@ -35,7 +35,10 @@ runs:
run: |
set -e
# Fail this Action if `gh release list` fails.
- if [[ "$VERSION" == "linked" ]]; then
+ if [[ "$VERSION" == "nightly" || "$VERSION" == "nightly-latest" ]]; then
+ echo "tools-url=nightly" >> "$GITHUB_OUTPUT"
+ exit 0
+ elif [[ "$VERSION" == "linked" ]]; then
echo "tools-url=linked" >> "$GITHUB_OUTPUT"
exit 0
elif [[ "$VERSION" == "default" ]]; then
@@ -43,29 +46,20 @@ runs:
exit 0
fi
- if [[ "$VERSION" == "nightly-latest" && "$RUNNER_OS" != "Windows" ]]; then
- extension="tar.zst"
- else
- extension="tar.gz"
- fi
-
if [[ "$USE_ALL_PLATFORM_BUNDLE" == "true" ]]; then
- artifact_name="codeql-bundle.$extension"
+ artifact_name="codeql-bundle.tar.gz"
elif [[ "$RUNNER_OS" == "Linux" ]]; then
- artifact_name="codeql-bundle-linux64.$extension"
+ artifact_name="codeql-bundle-linux64.tar.gz"
elif [[ "$RUNNER_OS" == "macOS" ]]; then
- artifact_name="codeql-bundle-osx64.$extension"
+ artifact_name="codeql-bundle-osx64.tar.gz"
elif [[ "$RUNNER_OS" == "Windows" ]]; then
- artifact_name="codeql-bundle-win64.$extension"
+ artifact_name="codeql-bundle-win64.tar.gz"
else
echo "::error::Unrecognized OS $RUNNER_OS"
exit 1
fi
- if [[ "$VERSION" == "nightly-latest" ]]; then
- tag=`gh release list --repo dsp-testing/codeql-cli-nightlies -L 1 | cut -f 3`
- echo "tools-url=https://github.com/dsp-testing/codeql-cli-nightlies/releases/download/$tag/$artifact_name" >> $GITHUB_OUTPUT
- elif [[ "$VERSION" == *"nightly"* ]]; then
+ if [[ "$VERSION" == *"nightly"* ]]; then
version=`echo "$VERSION" | sed -e 's/^.*\-//'`
echo "tools-url=https://github.com/dsp-testing/codeql-cli-nightlies/releases/download/codeql-bundle-$version/$artifact_name" >> $GITHUB_OUTPUT
elif [[ "$VERSION" == *"stable"* ]]; then
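Review bot: Now that `nightly` and `nightly-latest` exit early, the remaining `elif [[ "$VERSION" == *"nightly"* ]]` still matches any value containing "nightly", and `sed -e 's/^.*\-//'` then strips through the last hyphen, so a mistyped version such as `nightly-latest2` silently becomes a `codeql-bundle-latest2` download URL instead of an error. Tightening the glob to the shape that branch actually handles, `elif [[ "$VERSION" == nightly-[0-9]* ]]; then`, lets unexpected values continue to the later `elif`/`else` chain (which ends outside this hunk). The `>> $GITHUB_OUTPUT` redirects in that branch are also unquoted while the new lines use `"$GITHUB_OUTPUT"`; they are context lines here, but worth aligning while the block is being touched.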
From 67427c612a3cfa9b370da0473d88fa06455273f4 Mon Sep 17 00:00:00 2001 From: Henry Mercer Date: Mon, 22 Sep 2025 12:35:52 +0200 Subject: [PATCH 03/11] Update prepare-test docs --- .github/actions/prepare-test/action.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/actions/prepare-test/action.yml b/.github/actions/prepare-test/action.yml index ed1171568..ecabaa69f 100644 --- a/.github/actions/prepare-test/action.yml +++ b/.github/actions/prepare-test/action.yml @@ -2,7 +2,7 @@ name: "Prepare test" description: Performs some preparation to run tests inputs: version: - description: "The version of the CodeQL CLI to use. Can be 'linked', 'default', 'nightly-latest', 'nightly-YYYYMMDD', or 'stable-vX.Y.Z" + description: "The version of the CodeQL CLI to use. Can be 'linked', 'default', 'nightly', 'nightly-latest', 'nightly-YYYYMMDD', or 'stable-vX.Y.Z" required: true use-all-platform-bundle: description: "If true, we output a tools URL with codeql-bundle.tar.gz file rather than platform-specific URL" From 39be66afb09156757b3eb34e614cb6a5d039bad2 Mon Sep 17 00:00:00 2001 From: Henry Mercer Date: Mon, 22 Sep 2025 12:54:19 +0200 Subject: [PATCH 04/11] Add log message --- lib/analyze-action.js | 3 +++ lib/init-action-post.js | 3 +++ lib/init-action.js | 3 +++ lib/upload-lib.js | 3 +++ lib/upload-sarif-action.js | 3 +++ src/setup-codeql.ts | 3 +++ 6 files changed, 18 insertions(+) diff --git a/lib/analyze-action.js b/lib/analyze-action.js index a7c2703c0..185d5154c 100644 --- a/lib/analyze-action.js +++ b/lib/analyze-action.js @@ -92227,6 +92227,9 @@ async function getCodeQLSource(toolsInput, defaultCliVersion, apiDetails, varian let tagName; let url2; if (toolsInput !== void 0 && CODEQL_NIGHTLY_TOOLS_INPUTS.includes(toolsInput)) { + logger.info( + `Using the latest CodeQL CLI nightly, as requested by 'tools: ${toolsInput}'.` + ); toolsInput = await getNightlyToolsUrl(logger); } if (forceShippedTools) { 
diff --git a/lib/init-action-post.js b/lib/init-action-post.js index a3efb7b37..601977910 100644 --- a/lib/init-action-post.js +++ b/lib/init-action-post.js @@ -130170,6 +130170,9 @@ async function getCodeQLSource(toolsInput, defaultCliVersion, apiDetails, varian let tagName; let url2; if (toolsInput !== void 0 && CODEQL_NIGHTLY_TOOLS_INPUTS.includes(toolsInput)) { + logger.info( + `Using the latest CodeQL CLI nightly, as requested by 'tools: ${toolsInput}'.` + ); toolsInput = await getNightlyToolsUrl(logger); } if (forceShippedTools) { diff --git a/lib/init-action.js b/lib/init-action.js index 7f3ed776a..63d21aded 100644 --- a/lib/init-action.js +++ b/lib/init-action.js @@ -88844,6 +88844,9 @@ async function getCodeQLSource(toolsInput, defaultCliVersion, apiDetails, varian let tagName; let url; if (toolsInput !== void 0 && CODEQL_NIGHTLY_TOOLS_INPUTS.includes(toolsInput)) { + logger.info( + `Using the latest CodeQL CLI nightly, as requested by 'tools: ${toolsInput}'.` + ); toolsInput = await getNightlyToolsUrl(logger); } if (forceShippedTools) { diff --git a/lib/upload-lib.js b/lib/upload-lib.js index dc229aa91..19a978adf 100644 --- a/lib/upload-lib.js +++ b/lib/upload-lib.js @@ -89998,6 +89998,9 @@ async function getCodeQLSource(toolsInput, defaultCliVersion, apiDetails, varian let tagName; let url2; if (toolsInput !== void 0 && CODEQL_NIGHTLY_TOOLS_INPUTS.includes(toolsInput)) { + logger.info( + `Using the latest CodeQL CLI nightly, as requested by 'tools: ${toolsInput}'.` + ); toolsInput = await getNightlyToolsUrl(logger); } if (forceShippedTools) { diff --git a/lib/upload-sarif-action.js b/lib/upload-sarif-action.js index b568039b7..ff240c273 100644 --- a/lib/upload-sarif-action.js +++ b/lib/upload-sarif-action.js 
@@ -90699,6 +90699,9 @@ async function getCodeQLSource(toolsInput, defaultCliVersion, apiDetails, varian let tagName; let url2; if (toolsInput !== void 0 && CODEQL_NIGHTLY_TOOLS_INPUTS.includes(toolsInput)) { + logger.info( + `Using the latest CodeQL CLI nightly, as requested by 'tools: ${toolsInput}'.` + ); toolsInput = await getNightlyToolsUrl(logger); } if (forceShippedTools) { diff --git a/src/setup-codeql.ts b/src/setup-codeql.ts index eb115cc01..ad09d8d60 100644 --- a/src/setup-codeql.ts +++ b/src/setup-codeql.ts @@ -339,6 +339,9 @@ export async function getCodeQLSource( toolsInput !== undefined && CODEQL_NIGHTLY_TOOLS_INPUTS.includes(toolsInput) ) { + logger.info( + `Using the latest CodeQL CLI nightly, as requested by 'tools: ${toolsInput}'.`, + ); toolsInput = await getNightlyToolsUrl(logger); } From 48017e960d75ac681bc1a50a0047259940318bea Mon Sep 17 00:00:00 2001 From: Henry Mercer Date: Mon, 22 Sep 2025 12:57:53 +0200 Subject: [PATCH 05/11] Add changelog note --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 1be12ea80..3cae4a75f 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
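Review bot: The new log line records the alias that was requested but not what it resolved to, and `getNightlyToolsUrl` returns a different tag whenever a new nightly is published, so a run log cannot later tell which CLI build actually performed the analysis. Adding `logger.info(\`Resolved nightly bundle URL: ${toolsInput}\`);` immediately after `toolsInput = await getNightlyToolsUrl(logger);` would capture the tag and bundle name in the job log, which is what you want for reproducing a result or triaging a bad nightly. `getCodeQLSource` starts and ends outside this hunk.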
@@ -6,6 +6,7 @@ See the [releases page](https://github.com/github/codeql-action/releases) for th - We have improved the CodeQL Action's ability to validate that the workflow it is used in does not use different versions of the CodeQL Action for different workflow steps. Mixing different versions of the CodeQL Action in the same workflow is unsupported and can lead to unpredictable results. A warning will now be emitted from the `codeql-action/init` step if different versions of the CodeQL Action are detected in the workflow file. Additionally, an error will now be thrown by the other CodeQL Action steps if they load a configuration file that was generated by a different version of the `codeql-action/init` step. [#3099](https://github.com/github/codeql-action/pull/3099) and [#3100](https://github.com/github/codeql-action/pull/3100) - We added support for reducing the size of dependency caches for Java analyses, which will reduce cache usage and speed up workflows. This will be enabled automatically at a later time. [#3107](https://github.com/github/codeql-action/pull/3107) +- You can now run the latest CodeQL nightly bundle by passing `tools: nightly` to the `init` action. In general, the nightly bundle is unstable and we only recommend running it when directed by GitHub staff. [#3130](https://github.com/github/codeql-action/pull/3130) ## 3.30.3 - 10 Sep 2025 From a25c57cebee462bc9354608581f6151e3899544c Mon Sep 17 00:00:00 2001 From: Henry Mercer Date: Mon, 22 Sep 2025 13:20:16 +0200 Subject: [PATCH 06/11] Wrap API call to provide better error message --- lib/analyze-action.js | 28 +++++++++++++++++----------- lib/init-action-post.js | 28 +++++++++++++++++----------- lib/init-action.js | 28 +++++++++++++++++----------- lib/upload-lib.js | 28 +++++++++++++++++----------- lib/upload-sarif-action.js | 28 +++++++++++++++++----------- src/setup-codeql.ts | 36 ++++++++++++++++++++---------------- 6 files changed, 105 insertions(+), 71 deletions(-) 
diff --git a/lib/analyze-action.js b/lib/analyze-action.js index 185d5154c..4a11b910f 100644 --- a/lib/analyze-action.js +++ b/lib/analyze-action.js @@ -92521,18 +92521,24 @@ async function getNightlyToolsUrl(logger) { CODEQL_VERSION_ZSTD_BUNDLE, zstdAvailability.available ) ? "zstd" : "gzip"; - const release3 = await getApiClient().rest.repos.listReleases({ - owner: CODEQL_NIGHTLIES_REPOSITORY_OWNER, - repo: CODEQL_NIGHTLIES_REPOSITORY_NAME, - per_page: 1, - page: 1, - prerelease: true - }); - const latestRelease = release3.data[0]; - if (!latestRelease) { - throw new Error("Could not find latest nightly release."); + try { + const release3 = await getApiClient().rest.repos.listReleases({ + owner: CODEQL_NIGHTLIES_REPOSITORY_OWNER, + repo: CODEQL_NIGHTLIES_REPOSITORY_NAME, + per_page: 1, + page: 1, + prerelease: true + }); + const latestRelease = release3.data[0]; + if (!latestRelease) { + throw new Error("Could not find the latest nightly release."); + } + return `https://github.com/${CODEQL_NIGHTLIES_REPOSITORY_OWNER}/${CODEQL_NIGHTLIES_REPOSITORY_NAME}/releases/download/${latestRelease.tag_name}/${getCodeQLBundleName(compressionMethod)}`; + } catch (e) { + throw new Error( + `Failed to retrieve the latest nightly release: ${wrapError(e)}` + ); } - return `https://github.com/${CODEQL_NIGHTLIES_REPOSITORY_OWNER}/${CODEQL_NIGHTLIES_REPOSITORY_NAME}/releases/download/${latestRelease.tag_name}/${getCodeQLBundleName(compressionMethod)}`; } // src/tracer-config.ts diff --git a/lib/init-action-post.js b/lib/init-action-post.js index 601977910..ccb4b8bec 100644 --- a/lib/init-action-post.js +++ b/lib/init-action-post.js 
@@ -130464,18 +130464,24 @@ async function getNightlyToolsUrl(logger) { CODEQL_VERSION_ZSTD_BUNDLE, zstdAvailability.available ) ? "zstd" : "gzip"; - const release3 = await getApiClient().rest.repos.listReleases({ - owner: CODEQL_NIGHTLIES_REPOSITORY_OWNER, - repo: CODEQL_NIGHTLIES_REPOSITORY_NAME, - per_page: 1, - page: 1, - prerelease: true - }); - const latestRelease = release3.data[0]; - if (!latestRelease) { - throw new Error("Could not find latest nightly release."); + try { + const release3 = await getApiClient().rest.repos.listReleases({ + owner: CODEQL_NIGHTLIES_REPOSITORY_OWNER, + repo: CODEQL_NIGHTLIES_REPOSITORY_NAME, + per_page: 1, + page: 1, + prerelease: true + }); + const latestRelease = release3.data[0]; + if (!latestRelease) { + throw new Error("Could not find the latest nightly release."); + } + return `https://github.com/${CODEQL_NIGHTLIES_REPOSITORY_OWNER}/${CODEQL_NIGHTLIES_REPOSITORY_NAME}/releases/download/${latestRelease.tag_name}/${getCodeQLBundleName(compressionMethod)}`; + } catch (e) { + throw new Error( + `Failed to retrieve the latest nightly release: ${wrapError(e)}` + ); } - return `https://github.com/${CODEQL_NIGHTLIES_REPOSITORY_OWNER}/${CODEQL_NIGHTLIES_REPOSITORY_NAME}/releases/download/${latestRelease.tag_name}/${getCodeQLBundleName(compressionMethod)}`; } // src/tracer-config.ts diff --git a/lib/init-action.js b/lib/init-action.js index 63d21aded..a5e8991d7 100644 --- a/lib/init-action.js +++ b/lib/init-action.js 
@@ -89138,18 +89138,24 @@ async function getNightlyToolsUrl(logger) { CODEQL_VERSION_ZSTD_BUNDLE, zstdAvailability.available ) ? "zstd" : "gzip"; - const release3 = await getApiClient().rest.repos.listReleases({ - owner: CODEQL_NIGHTLIES_REPOSITORY_OWNER, - repo: CODEQL_NIGHTLIES_REPOSITORY_NAME, - per_page: 1, - page: 1, - prerelease: true - }); - const latestRelease = release3.data[0]; - if (!latestRelease) { - throw new Error("Could not find latest nightly release."); + try { + const release3 = await getApiClient().rest.repos.listReleases({ + owner: CODEQL_NIGHTLIES_REPOSITORY_OWNER, + repo: CODEQL_NIGHTLIES_REPOSITORY_NAME, + per_page: 1, + page: 1, + prerelease: true + }); + const latestRelease = release3.data[0]; + if (!latestRelease) { + throw new Error("Could not find the latest nightly release."); + } + return `https://github.com/${CODEQL_NIGHTLIES_REPOSITORY_OWNER}/${CODEQL_NIGHTLIES_REPOSITORY_NAME}/releases/download/${latestRelease.tag_name}/${getCodeQLBundleName(compressionMethod)}`; + } catch (e) { + throw new Error( + `Failed to retrieve the latest nightly release: ${wrapError(e)}` + ); } - return `https://github.com/${CODEQL_NIGHTLIES_REPOSITORY_OWNER}/${CODEQL_NIGHTLIES_REPOSITORY_NAME}/releases/download/${latestRelease.tag_name}/${getCodeQLBundleName(compressionMethod)}`; } // src/tracer-config.ts diff --git a/lib/upload-lib.js b/lib/upload-lib.js index 19a978adf..3d3baed6f 100644 --- a/lib/upload-lib.js +++ b/lib/upload-lib.js 
@@ -90292,18 +90292,24 @@ async function getNightlyToolsUrl(logger) { CODEQL_VERSION_ZSTD_BUNDLE, zstdAvailability.available ) ? "zstd" : "gzip"; - const release = await getApiClient().rest.repos.listReleases({ - owner: CODEQL_NIGHTLIES_REPOSITORY_OWNER, - repo: CODEQL_NIGHTLIES_REPOSITORY_NAME, - per_page: 1, - page: 1, - prerelease: true - }); - const latestRelease = release.data[0]; - if (!latestRelease) { - throw new Error("Could not find latest nightly release."); + try { + const release = await getApiClient().rest.repos.listReleases({ + owner: CODEQL_NIGHTLIES_REPOSITORY_OWNER, + repo: CODEQL_NIGHTLIES_REPOSITORY_NAME, + per_page: 1, + page: 1, + prerelease: true + }); + const latestRelease = release.data[0]; + if (!latestRelease) { + throw new Error("Could not find the latest nightly release."); + } + return `https://github.com/${CODEQL_NIGHTLIES_REPOSITORY_OWNER}/${CODEQL_NIGHTLIES_REPOSITORY_NAME}/releases/download/${latestRelease.tag_name}/${getCodeQLBundleName(compressionMethod)}`; + } catch (e) { + throw new Error( + `Failed to retrieve the latest nightly release: ${wrapError(e)}` + ); } - return `https://github.com/${CODEQL_NIGHTLIES_REPOSITORY_OWNER}/${CODEQL_NIGHTLIES_REPOSITORY_NAME}/releases/download/${latestRelease.tag_name}/${getCodeQLBundleName(compressionMethod)}`; } // src/tracer-config.ts diff --git a/lib/upload-sarif-action.js b/lib/upload-sarif-action.js index ff240c273..5c266dcce 100644 --- a/lib/upload-sarif-action.js +++ b/lib/upload-sarif-action.js 
@@ -90993,18 +90993,24 @@ async function getNightlyToolsUrl(logger) { CODEQL_VERSION_ZSTD_BUNDLE, zstdAvailability.available ) ? "zstd" : "gzip"; - const release3 = await getApiClient().rest.repos.listReleases({ - owner: CODEQL_NIGHTLIES_REPOSITORY_OWNER, - repo: CODEQL_NIGHTLIES_REPOSITORY_NAME, - per_page: 1, - page: 1, - prerelease: true - }); - const latestRelease = release3.data[0]; - if (!latestRelease) { - throw new Error("Could not find latest nightly release."); + try { + const release3 = await getApiClient().rest.repos.listReleases({ + owner: CODEQL_NIGHTLIES_REPOSITORY_OWNER, + repo: CODEQL_NIGHTLIES_REPOSITORY_NAME, + per_page: 1, + page: 1, + prerelease: true + }); + const latestRelease = release3.data[0]; + if (!latestRelease) { + throw new Error("Could not find the latest nightly release."); + } + return `https://github.com/${CODEQL_NIGHTLIES_REPOSITORY_OWNER}/${CODEQL_NIGHTLIES_REPOSITORY_NAME}/releases/download/${latestRelease.tag_name}/${getCodeQLBundleName(compressionMethod)}`; + } catch (e) { + throw new Error( + `Failed to retrieve the latest nightly release: ${wrapError(e)}` + ); } - return `https://github.com/${CODEQL_NIGHTLIES_REPOSITORY_OWNER}/${CODEQL_NIGHTLIES_REPOSITORY_NAME}/releases/download/${latestRelease.tag_name}/${getCodeQLBundleName(compressionMethod)}`; } // src/tracer-config.ts diff --git a/src/setup-codeql.ts b/src/setup-codeql.ts index ad09d8d60..a9b76ac4d 100644 --- a/src/setup-codeql.ts +++ b/src/setup-codeql.ts 
@@ -799,21 +799,25 @@ async function getNightlyToolsUrl(logger: Logger) { ? "zstd" : "gzip"; - // Since nightlies are prereleases, we can't just download the latest release - // on the repository. So instead we need to find the latest pre-release - // version and construct the download URL from that. - const release = await api.getApiClient().rest.repos.listReleases({ - owner: CODEQL_NIGHTLIES_REPOSITORY_OWNER, - repo: CODEQL_NIGHTLIES_REPOSITORY_NAME, - per_page: 1, - page: 1, - prerelease: true, - }); - - const latestRelease = release.data[0]; - if (!latestRelease) { - throw new Error("Could not find latest nightly release."); + try { + // Since nightlies are prereleases, we can't just download the latest release + // on the repository. So instead we need to find the latest pre-release + // version and construct the download URL from that. + const release = await api.getApiClient().rest.repos.listReleases({ + owner: CODEQL_NIGHTLIES_REPOSITORY_OWNER, + repo: CODEQL_NIGHTLIES_REPOSITORY_NAME, + per_page: 1, + page: 1, + prerelease: true, + }); + const latestRelease = release.data[0]; + if (!latestRelease) { + throw new Error("Could not find the latest nightly release."); + } + return `https://github.com/${CODEQL_NIGHTLIES_REPOSITORY_OWNER}/${CODEQL_NIGHTLIES_REPOSITORY_NAME}/releases/download/${latestRelease.tag_name}/${getCodeQLBundleName(compressionMethod)}`; + } catch (e) { + throw new Error( + `Failed to retrieve the latest nightly release: ${util.wrapError(e)}`, + ); } - - return `https://github.com/${CODEQL_NIGHTLIES_REPOSITORY_OWNER}/${CODEQL_NIGHTLIES_REPOSITORY_NAME}/releases/download/${latestRelease.tag_name}/${getCodeQLBundleName(compressionMethod)}`; } From 79e0afb9993c23cd5ce669623f86f63e1fd62484 Mon Sep 17 00:00:00 2001 
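Review bot: The `prerelease: true` argument handed to `listReleases` inside the new `try` does not appear to be a filter that the REST "list releases" endpoint accepts, so `release.data[0]` is most likely just the most recently created release of the nightlies repository whatever its prerelease flag — the comment above the call says a pre-release is being selected, but nothing reads `latestRelease.prerelease`, and a draft would also qualify for a caller with push access. The inner `throw new Error("Could not find the latest nightly release.")` also sits inside the `try`, so the `catch` re-wraps it and the user sees the two messages concatenated; only the API call needs the wrapping. Finally, `tag_name` is interpolated into the download URL unescaped and the bundle is fetched from a repository other than the action's own with no hash or signature check visible here, so at least keep a tag containing `/` or `?` from rewriting the request path. The rewrite below selects an explicit non-draft pre-release, moves the emptiness check out of the `try`, and encodes the tag; `getNightlyToolsUrl` begins before this hunk.
```typescript
  let latestRelease;
  try {
    // … unchanged: comment and listReleases call (consider a larger per_page) …
    latestRelease = release.data.find((r) => r.prerelease && !r.draft);
  } catch (e) {
    throw new Error(
      `Failed to retrieve the latest nightly release: ${util.wrapError(e)}`,
    );
  }
  if (!latestRelease) {
    throw new Error("Could not find the latest nightly release.");
  }
  return `https://github.com/${CODEQL_NIGHTLIES_REPOSITORY_OWNER}/${CODEQL_NIGHTLIES_REPOSITORY_NAME}/releases/download/${encodeURIComponent(latestRelease.tag_name)}/${getCodeQLBundleName(compressionMethod)}`;
```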
From: Henry Mercer Date: Mon, 22 Sep 2025 13:21:11 +0200 Subject: [PATCH 07/11] Run local CodeQL check using linked bundle --- .github/workflows/__test-local-codeql.yml | 2 +- pr-checks/checks/test-local-codeql.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/__test-local-codeql.yml b/.github/workflows/__test-local-codeql.yml index f4d46ad3f..c64d636e3 100644 --- a/.github/workflows/__test-local-codeql.yml +++ b/.github/workflows/__test-local-codeql.yml @@ -44,7 +44,7 @@ jobs: matrix: include: - os: ubuntu-latest - version: nightly-latest + version: linked name: Local CodeQL bundle permissions: contents: read diff --git a/pr-checks/checks/test-local-codeql.yml b/pr-checks/checks/test-local-codeql.yml index a3c2c6a9c..000655ebd 100644 --- a/pr-checks/checks/test-local-codeql.yml +++ b/pr-checks/checks/test-local-codeql.yml @@ -1,6 +1,6 @@ name: "Local CodeQL bundle" description: "Tests using a CodeQL bundle from a local file rather than a URL" -versions: ["nightly-latest"] +versions: ["linked"] operatingSystems: ["ubuntu"] installGo: true steps: From bd516303e17303e4d100205d8fa0e62af2ad07ca Mon Sep 17 00:00:00 2001 From: Henry Mercer Date: Mon, 22 Sep 2025 13:32:04 +0200 Subject: [PATCH 08/11] Specify bundle URL in local bundle PR check --- .github/workflows/__test-local-codeql.yml | 6 ++---- pr-checks/checks/test-local-codeql.yml | 6 ++---- 2 files changed, 4 insertions(+), 8 deletions(-) diff --git a/.github/workflows/__test-local-codeql.yml b/.github/workflows/__test-local-codeql.yml index c64d636e3..e7f718df8 100644 --- a/.github/workflows/__test-local-codeql.yml +++ b/.github/workflows/__test-local-codeql.yml 
@@ -66,11 +66,9 @@ jobs: with: go-version: ${{ inputs.go-version || '>=1.21.0' }} cache: false - - name: Fetch a CodeQL bundle - env: - CODEQL_URL: ${{ steps.prepare-test.outputs.tools-url }} + - name: Fetch latest CodeQL bundle run: | - wget "$CODEQL_URL" + wget https://github.com/github/codeql-action/releases/latest/download/codeql-bundle-linux64.tar.zst - id: init uses: ./../action/init with: diff --git a/pr-checks/checks/test-local-codeql.yml b/pr-checks/checks/test-local-codeql.yml index 000655ebd..1e41e5dd3 100644 --- a/pr-checks/checks/test-local-codeql.yml +++ b/pr-checks/checks/test-local-codeql.yml @@ -4,11 +4,9 @@ versions: ["linked"] operatingSystems: ["ubuntu"] installGo: true steps: - - name: Fetch a CodeQL bundle - env: - CODEQL_URL: ${{ steps.prepare-test.outputs.tools-url }} + - name: Fetch latest CodeQL bundle run: | - wget "$CODEQL_URL" + wget https://github.com/github/codeql-action/releases/latest/download/codeql-bundle-linux64.tar.zst - id: init uses: ./../action/init with: From e2e36b17af26b28a84aead49736fd39e82697984 Mon Sep 17 00:00:00 2001 From: Henry Mercer Date: Mon, 22 Sep 2025 13:59:40 +0200 Subject: [PATCH 09/11] Add helper function for reserved tools values --- lib/analyze-action.js | 5 ++++- lib/init-action-post.js | 5 ++++- lib/init-action.js | 5 ++++- lib/upload-lib.js | 5 ++++- lib/upload-sarif-action.js | 5 ++++- src/setup-codeql.ts | 8 ++++++-- 6 files changed, 26 insertions(+), 7 deletions(-) diff --git a/lib/analyze-action.js b/lib/analyze-action.js index 4a11b910f..5534b277f 100644 --- a/lib/analyze-action.js +++ b/lib/analyze-action.js 
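Review bot: The hard-coded `https://github.com/github/codeql-action/releases/latest/download/codeql-bundle-linux64.tar.zst` in the renamed "Fetch latest CodeQL bundle" step is a moving target: whatever release is tagged latest at run time is downloaded, which is not necessarily the bundle this checkout is linked to, so the matrix entry `version: linked` no longer controls which CLI the test exercises and the check can drift or break independently of the branch under test. If the intent is to test a local copy of the linked bundle, the `steps.prepare-test.outputs.tools-url` output this hunk drops (or a URL derived from whatever `linked` resolves to) would pin it; if an unpinned latest is intentional, say so in a comment above the `run:` so the next reader does not have to ask. Either way nothing verifies the downloaded tarball — `wget` with no digest is the only step between the network and a CLI that will be executed — so a pinned URL plus a `sha256sum -c` line would be the safer shape for a check that deliberately bypasses the action's own download path. The `init` step's `with:` block continues beyond the hunk.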
@@ -92197,7 +92197,7 @@ async function findOverridingToolsInCache(humanReadableVersion, logger) { return void 0; } async function getCodeQLSource(toolsInput, defaultCliVersion, apiDetails, variant, tarSupportsZstd, logger) { - if (toolsInput && !CODEQL_BUNDLE_VERSION_ALIAS.includes(toolsInput) && !CODEQL_NIGHTLY_TOOLS_INPUTS.includes(toolsInput) && !toolsInput.startsWith("http")) { + if (toolsInput && !isReservedToolsValue(toolsInput) && !toolsInput.startsWith("http")) { logger.info(`Using CodeQL CLI from local path ${toolsInput}`); const compressionMethod2 = inferCompressionMethod(toolsInput); if (compressionMethod2 === void 0) { @@ -92540,6 +92540,9 @@ async function getNightlyToolsUrl(logger) { ); } } +function isReservedToolsValue(tools) { + return CODEQL_BUNDLE_VERSION_ALIAS.includes(tools) || CODEQL_NIGHTLY_TOOLS_INPUTS.includes(tools); +} // src/tracer-config.ts var fs13 = __toESM(require("fs")); diff --git a/lib/init-action-post.js b/lib/init-action-post.js index ccb4b8bec..cbb595720 100644 --- a/lib/init-action-post.js +++ b/lib/init-action-post.js @@ -130140,7 +130140,7 @@ async function findOverridingToolsInCache(humanReadableVersion, logger) { return void 0; } async function getCodeQLSource(toolsInput, defaultCliVersion, apiDetails, variant, tarSupportsZstd, logger) { - if (toolsInput && !CODEQL_BUNDLE_VERSION_ALIAS.includes(toolsInput) && !CODEQL_NIGHTLY_TOOLS_INPUTS.includes(toolsInput) && !toolsInput.startsWith("http")) { + if (toolsInput && !isReservedToolsValue(toolsInput) && !toolsInput.startsWith("http")) { logger.info(`Using CodeQL CLI from local path ${toolsInput}`); const compressionMethod2 = inferCompressionMethod(toolsInput); if (compressionMethod2 === void 0) { 
@@ -130483,6 +130483,9 @@ async function getNightlyToolsUrl(logger) { ); } } +function isReservedToolsValue(tools) { + return CODEQL_BUNDLE_VERSION_ALIAS.includes(tools) || CODEQL_NIGHTLY_TOOLS_INPUTS.includes(tools); +} // src/tracer-config.ts async function shouldEnableIndirectTracing(codeql, config) { diff --git a/lib/init-action.js b/lib/init-action.js index a5e8991d7..c6deda221 100644 --- a/lib/init-action.js +++ b/lib/init-action.js @@ -88814,7 +88814,7 @@ async function findOverridingToolsInCache(humanReadableVersion, logger) { return void 0; } async function getCodeQLSource(toolsInput, defaultCliVersion, apiDetails, variant, tarSupportsZstd, logger) { - if (toolsInput && !CODEQL_BUNDLE_VERSION_ALIAS.includes(toolsInput) && !CODEQL_NIGHTLY_TOOLS_INPUTS.includes(toolsInput) && !toolsInput.startsWith("http")) { + if (toolsInput && !isReservedToolsValue(toolsInput) && !toolsInput.startsWith("http")) { logger.info(`Using CodeQL CLI from local path ${toolsInput}`); const compressionMethod2 = inferCompressionMethod(toolsInput); if (compressionMethod2 === void 0) { @@ -89157,6 +89157,9 @@ async function getNightlyToolsUrl(logger) { ); } } +function isReservedToolsValue(tools) { + return CODEQL_BUNDLE_VERSION_ALIAS.includes(tools) || CODEQL_NIGHTLY_TOOLS_INPUTS.includes(tools); +} // src/tracer-config.ts var fs13 = __toESM(require("fs")); diff --git a/lib/upload-lib.js b/lib/upload-lib.js index 3d3baed6f..365acbae8 100644 --- a/lib/upload-lib.js +++ b/lib/upload-lib.js 
@@ -89968,7 +89968,7 @@ async function findOverridingToolsInCache(humanReadableVersion, logger) { return void 0; } async function getCodeQLSource(toolsInput, defaultCliVersion, apiDetails, variant, tarSupportsZstd, logger) { - if (toolsInput && !CODEQL_BUNDLE_VERSION_ALIAS.includes(toolsInput) && !CODEQL_NIGHTLY_TOOLS_INPUTS.includes(toolsInput) && !toolsInput.startsWith("http")) { + if (toolsInput && !isReservedToolsValue(toolsInput) && !toolsInput.startsWith("http")) { logger.info(`Using CodeQL CLI from local path ${toolsInput}`); const compressionMethod2 = inferCompressionMethod(toolsInput); if (compressionMethod2 === void 0) { @@ -90311,6 +90311,9 @@ async function getNightlyToolsUrl(logger) { ); } } +function isReservedToolsValue(tools) { + return CODEQL_BUNDLE_VERSION_ALIAS.includes(tools) || CODEQL_NIGHTLY_TOOLS_INPUTS.includes(tools); +} // src/tracer-config.ts async function shouldEnableIndirectTracing(codeql, config) { diff --git a/lib/upload-sarif-action.js b/lib/upload-sarif-action.js index 5c266dcce..b9079725b 100644 --- a/lib/upload-sarif-action.js +++ b/lib/upload-sarif-action.js @@ -90669,7 +90669,7 @@ async function findOverridingToolsInCache(humanReadableVersion, logger) { return void 0; } async function getCodeQLSource(toolsInput, defaultCliVersion, apiDetails, variant, tarSupportsZstd, logger) { - if (toolsInput && !CODEQL_BUNDLE_VERSION_ALIAS.includes(toolsInput) && !CODEQL_NIGHTLY_TOOLS_INPUTS.includes(toolsInput) && !toolsInput.startsWith("http")) { + if (toolsInput && !isReservedToolsValue(toolsInput) && !toolsInput.startsWith("http")) { logger.info(`Using CodeQL CLI from local path ${toolsInput}`); const compressionMethod2 = inferCompressionMethod(toolsInput); if (compressionMethod2 === void 0) { 
@@ -91012,6 +91012,9 @@ async function getNightlyToolsUrl(logger) { ); } } +function isReservedToolsValue(tools) { + return CODEQL_BUNDLE_VERSION_ALIAS.includes(tools) || CODEQL_NIGHTLY_TOOLS_INPUTS.includes(tools); +} // src/tracer-config.ts async function shouldEnableIndirectTracing(codeql, config) { diff --git a/src/setup-codeql.ts b/src/setup-codeql.ts index a9b76ac4d..59556208b 100644 --- a/src/setup-codeql.ts +++ b/src/setup-codeql.ts @@ -279,8 +279,7 @@ export async function getCodeQLSource( ): Promise { if ( toolsInput && - !CODEQL_BUNDLE_VERSION_ALIAS.includes(toolsInput) && - !CODEQL_NIGHTLY_TOOLS_INPUTS.includes(toolsInput) && + !isReservedToolsValue(toolsInput) && !toolsInput.startsWith("http") ) { logger.info(`Using CodeQL CLI from local path ${toolsInput}`); @@ -821,3 +820,8 @@ async function getNightlyToolsUrl(logger: Logger) { ); } } + +function isReservedToolsValue(tools: string): boolean { + return CODEQL_BUNDLE_VERSION_ALIAS.includes(tools) || + CODEQL_NIGHTLY_TOOLS_INPUTS.includes(tools); +} From 4901f549de916e7b96cb2eaa6c0d86195b16be85 Mon Sep 17 00:00:00 2001 From: Henry Mercer Date: Mon, 22 Sep 2025 14:01:09 +0200 Subject: [PATCH 10/11] Lint --- src/setup-codeql.ts | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/src/setup-codeql.ts b/src/setup-codeql.ts index 59556208b..5a0f671fa 100644 --- a/src/setup-codeql.ts +++ b/src/setup-codeql.ts @@ -822,6 +822,8 @@ async function getNightlyToolsUrl(logger: Logger) { } function isReservedToolsValue(tools: string): boolean { - return CODEQL_BUNDLE_VERSION_ALIAS.includes(tools) || - CODEQL_NIGHTLY_TOOLS_INPUTS.includes(tools); + return ( + CODEQL_BUNDLE_VERSION_ALIAS.includes(tools) || + CODEQL_NIGHTLY_TOOLS_INPUTS.includes(tools) + ); } From 5ab5aef07979436fcc7f5da1f799a5224047d84a Mon Sep 17 00:00:00 2001 
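Review bot: `isReservedToolsValue` in `src/setup-codeql.ts` is undocumented, and its contract — a reserved value must never reach the "local path" branch of `getCodeQLSource` — is exactly what the next alias added to one of the two arrays will get wrong, so give it a TSDoc line such as `/** True if `tools` is a special selector (a bundle version alias or a nightly selector) rather than a local path or URL. */`. The comparison is also exact: a value with surrounding whitespace or different case (`Nightly`, `linked `) falls through to the local-path branch and presumably fails later with a less helpful message, so if the input is not already trimmed upstream, `tools.trim()` before the two `includes` checks (or normalisation in the caller) would make that error path clearer. Consider exporting the helper so the `nightly` handling can be unit-tested without going through `getCodeQLSource`. The `if` in the first `setup-codeql.ts` hunk continues past the hunk.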
From: Henry Mercer Date: Mon, 22 Sep 2025 15:48:23 +0200 Subject: [PATCH 11/11] Document `nightly` tools input in `action.yml` --- init/action.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/init/action.yml b/init/action.yml index 49a3cc650..ba5d6efcc 100644 --- a/init/action.yml +++ b/init/action.yml @@ -12,6 +12,9 @@ inputs: - The URL of a CodeQL Bundle tarball GitHub release asset, or - A special value `linked` which uses the version of the CodeQL tools that the Action has been bundled with. + - A special value `nightly` which uses the latest nightly version of the + CodeQL tools. Note that this is unstable and not recommended for + production use. If not specified, the Action will check in several places until it finds the CodeQL tools.
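Review bot: The new bullet documents `nightly` only, but the value is matched against a `CODEQL_NIGHTLY_TOOLS_INPUTS` list in `src/setup-codeql.ts` that appears to accept more than one spelling (`nightly-latest` is used as a matrix version elsewhere in this series); either list every accepted alias here or mark the others as internal, otherwise the undocumented one will be relied on without notice. "Unstable and not recommended for production use" also reads as a quality caveat only, while the more important fact for a user deciding whether to enable it is provenance — the nightly appears to be fetched from a separate pre-release repository rather than from this action's releases — so add a sentence such as `Nightly builds are fetched from a separate pre-release repository and do not go through the same release process as the bundled version.`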