Merge branch 'main' into dependabot/npm_and_yarn/ava-7.0.0

2026-05-22 00:00:34 +03:00 · 2026-03-11 19:49:53 +00:00
parent f9f5edb76f 378e4b367d
commit 363219d88d
59 changed files with 245 additions and 129 deletions
@@ -39,10 +39,10 @@ jobs:
      fail-fast: false
      matrix:
        include:
-          - os: macos-latest
-            version: linked
          - os: ubuntu-latest
            version: linked
+          - os: macos-latest
+            version: linked
          - os: windows-latest
            version: linked
    name: 'Bundle: Caching checks'
@@ -39,10 +39,10 @@ jobs:
      fail-fast: false
      matrix:
        include:
-          - os: macos-latest
-            version: linked
          - os: ubuntu-latest
            version: linked
+          - os: macos-latest
+            version: linked
          - os: windows-latest
            version: linked
    name: 'Bundle: Zstandard checks'
@@ -51,32 +51,18 @@ jobs:
        include:
          - os: ubuntu-latest
            version: stable-v2.17.6
-          - os: macos-latest
-            version: stable-v2.17.6
          - os: ubuntu-latest
            version: stable-v2.18.4
-          - os: macos-latest
-            version: stable-v2.18.4
          - os: ubuntu-latest
            version: stable-v2.19.4
-          - os: macos-latest
-            version: stable-v2.19.4
          - os: ubuntu-latest
            version: stable-v2.20.7
-          - os: macos-latest
-            version: stable-v2.20.7
          - os: ubuntu-latest
            version: stable-v2.21.4
-          - os: macos-latest
-            version: stable-v2.21.4
          - os: ubuntu-latest
            version: stable-v2.22.4
-          - os: macos-latest
-            version: stable-v2.22.4
          - os: ubuntu-latest
            version: default
-          - os: macos-latest
-            version: default
          - os: ubuntu-latest
            version: linked
          - os: macos-latest
@@ -51,32 +51,18 @@ jobs:
        include:
          - os: ubuntu-latest
            version: stable-v2.17.6
-          - os: macos-latest
-            version: stable-v2.17.6
          - os: ubuntu-latest
            version: stable-v2.18.4
-          - os: macos-latest
-            version: stable-v2.18.4
          - os: ubuntu-latest
            version: stable-v2.19.4
-          - os: macos-latest
-            version: stable-v2.19.4
          - os: ubuntu-latest
            version: stable-v2.20.7
-          - os: macos-latest
-            version: stable-v2.20.7
          - os: ubuntu-latest
            version: stable-v2.21.4
-          - os: macos-latest
-            version: stable-v2.21.4
          - os: ubuntu-latest
            version: stable-v2.22.4
-          - os: macos-latest
-            version: stable-v2.22.4
          - os: ubuntu-latest
            version: default
-          - os: macos-latest
-            version: default
          - os: ubuntu-latest
            version: linked
          - os: macos-latest
@@ -51,32 +51,18 @@ jobs:
        include:
          - os: ubuntu-latest
            version: stable-v2.17.6
-          - os: macos-latest
-            version: stable-v2.17.6
          - os: ubuntu-latest
            version: stable-v2.18.4
-          - os: macos-latest
-            version: stable-v2.18.4
          - os: ubuntu-latest
            version: stable-v2.19.4
-          - os: macos-latest
-            version: stable-v2.19.4
          - os: ubuntu-latest
            version: stable-v2.20.7
-          - os: macos-latest
-            version: stable-v2.20.7
          - os: ubuntu-latest
            version: stable-v2.21.4
-          - os: macos-latest
-            version: stable-v2.21.4
          - os: ubuntu-latest
            version: stable-v2.22.4
-          - os: macos-latest
-            version: stable-v2.22.4
          - os: ubuntu-latest
            version: default
-          - os: macos-latest
-            version: default
          - os: ubuntu-latest
            version: linked
          - os: macos-latest
@@ -59,41 +59,41 @@ jobs:
      fail-fast: false
      matrix:
        include:
-          - os: macos-latest
-            version: stable-v2.17.6
          - os: ubuntu-latest
            version: stable-v2.17.6
          - os: macos-latest
-            version: stable-v2.18.4
+            version: stable-v2.17.6
          - os: ubuntu-latest
            version: stable-v2.18.4
          - os: macos-latest
-            version: stable-v2.19.4
+            version: stable-v2.18.4
          - os: ubuntu-latest
            version: stable-v2.19.4
          - os: macos-latest
-            version: stable-v2.20.7
+            version: stable-v2.19.4
          - os: ubuntu-latest
            version: stable-v2.20.7
          - os: macos-latest
-            version: stable-v2.21.4
+            version: stable-v2.20.7
          - os: ubuntu-latest
            version: stable-v2.21.4
          - os: macos-latest
-            version: stable-v2.22.4
+            version: stable-v2.21.4
          - os: ubuntu-latest
            version: stable-v2.22.4
          - os: macos-latest
-            version: default
+            version: stable-v2.22.4
          - os: ubuntu-latest
            version: default
          - os: macos-latest
-            version: linked
+            version: default
          - os: ubuntu-latest
            version: linked
          - os: macos-latest
+            version: linked
+          - os: ubuntu-latest
            version: nightly-latest
-          - os: ubuntu-latest
+          - os: macos-latest
            version: nightly-latest
    name: Multi-language repository
    if: github.triggering_actor != 'dependabot[bot]'
@@ -39,10 +39,10 @@ jobs:
      fail-fast: false
      matrix:
        include:
-          - os: ubuntu-latest
-            version: default
          - os: ubuntu-latest
            version: linked
+          - os: ubuntu-latest
+            version: default
          - os: ubuntu-latest
            version: nightly-latest
    name: Resolve environment
@@ -29,6 +29,15 @@ jobs:
          fetch-depth: 0
          ref: ${{ env.HEAD_REF }}

+      - name: Set up Node.js
+        uses: actions/setup-node@v6
+        with:
+          node-version: 24
+          cache: 'npm'
+          cache-dependency-path: |
+            package-lock.json
+            pr-checks/package-lock.json
+
      - name: Remove label
        if: github.event_name == 'pull_request'
        env:
@@ -49,9 +58,18 @@ jobs:
          git fetch origin "$BASE_BRANCH"

          # Allow merge conflicts in `lib`, since rebuilding should resolve them.
-          git merge "origin/$BASE_BRANCH" || echo "Merge conflicts detected, continuing."
+          git merge "origin/$BASE_BRANCH"
          MERGE_RESULT=$?

+          if [ "$MERGE_RESULT" -eq 0 ]; then
+            echo "Merge succeeded cleanly."
+          elif [ "$MERGE_RESULT" -eq 1 ]; then
+            echo "Merge conflicts detected (exit code $MERGE_RESULT), continuing."
+          else
+            echo "git merge failed with unexpected exit code $MERGE_RESULT."
+            exit 1
+          fi
+
          if [ "$MERGE_RESULT" -ne 0 ]; then
            echo "merge-in-progress=true" >> $GITHUB_OUTPUT

@@ -104,7 +122,7 @@ jobs:
            # Otherwise, just commit the changes.
            if git rev-parse --verify MERGE_HEAD >/dev/null 2>&1; then
              echo "In progress merge detected, finishing it up."
-              git merge --continue --no-edit
+              git commit --no-edit
            else
              echo "No in-progress merge detected, committing changes."
              git commit -m "Rebuild"
@@ -1,7 +1,11 @@
 name: "All-platform bundle"
 description: "Tests using an all-platform CodeQL Bundle"
-operatingSystems: ["ubuntu", "macos", "windows"]
-versions: ["nightly-latest"]
+operatingSystems:
+  - ubuntu
+  - macos
+  - windows
+versions:
+  - nightly-latest
 useAllPlatformBundle: "true"
 installGo: true
 installDotNet: true
@@ -1,7 +1,13 @@
 name: "Analysis kinds"
 description: "Tests basic functionality for different `analysis-kinds` inputs."
-versions: ["linked", "nightly-latest"]
-analysisKinds: ["code-scanning", "code-quality", "code-scanning,code-quality", "risk-assessment"]
+versions:
+  - linked
+  - nightly-latest
+analysisKinds:
+  - code-scanning
+  - code-quality
+  - code-scanning,code-quality
+  - risk-assessment
 env:
  CODEQL_ACTION_RISK_ASSESSMENT_ID: 1
  CHECK_SCRIPT: |
@@ -1,6 +1,7 @@
 name: "Analyze: 'ref' and 'sha' from inputs"
 description: "Checks that specifying 'ref' and 'sha' as inputs works"
-versions: ["default"]
+versions:
+  - default
 installGo: true
 installDotNet: true
 steps:
@@ -1,7 +1,11 @@
 name: "autobuild-action"
 description: "Tests that the C# autobuild action works"
-operatingSystems: ["ubuntu", "macos", "windows"]
-versions: ["linked"]
+operatingSystems:
+  - ubuntu
+  - macos
+  - windows
+versions:
+  - linked
 installDotNet: true
 steps:
  - uses: ./../action/init
@@ -3,8 +3,12 @@ description: >
  An end-to-end integration test of a Java repository built using 'build-mode: autobuild',
  with direct tracing enabled and a custom working directory specified as the input to the
  autobuild Action.
-operatingSystems: ["ubuntu", "windows"]
-versions: ["linked", "nightly-latest"]
+operatingSystems:
+  - ubuntu
+  - windows
+versions:
+  - linked
+  - nightly-latest
 installJava: true
 env:
  CODEQL_ACTION_AUTOBUILD_BUILD_MODE_DIRECT_TRACING: true
@@ -1,6 +1,7 @@
 name: "Autobuild working directory"
 description: "Tests working-directory input of autobuild action"
-versions: ["linked"]
+versions:
+  - linked
 steps:
  - name: Test setup
    run: |
@@ -1,7 +1,11 @@
 name: "Build mode autobuild"
 description: "An end-to-end integration test of a Java repository built using 'build-mode: autobuild'"
-operatingSystems: ["ubuntu", "windows"]
-versions: ["linked", "nightly-latest"]
+operatingSystems:
+  - ubuntu
+  - windows
+versions:
+  - linked
+  - nightly-latest
 installJava: true
 installYq: true
 steps:
@@ -1,6 +1,7 @@
 name: "Build mode manual"
 description: "An end-to-end integration test of a Java repository built using 'build-mode: manual'"
-versions: ["nightly-latest"]
+versions:
+  - nightly-latest
 installGo: true
 installDotNet: true
 steps:
@@ -1,6 +1,8 @@
 name: "Build mode none"
 description: "An end-to-end integration test of a Java repository built using 'build-mode: none'"
-versions: ["linked", "nightly-latest"]
+versions:
+  - linked
+  - nightly-latest
 steps:
  - uses: ./../action/init
    id: init
@@ -1,6 +1,7 @@
 name: "Build mode rollback"
 description: "The build mode is rolled back from none to autobuild when the relevant feature flag is enabled."
-versions: ["nightly-latest"]
+versions:
+  - nightly-latest
 env:
  CODEQL_ACTION_DISABLE_JAVA_BUILDLESS: true
 steps:
@@ -3,8 +3,8 @@ description: "The CodeQL bundle should be cached within the toolcache"
 versions:
  - linked
 operatingSystems:
-  - macos
  - ubuntu
+  - macos
  - windows
 steps:
  - name: Remove CodeQL from toolcache
@@ -3,8 +3,8 @@ description: "A Zstandard CodeQL bundle should be extracted on supported operati
 versions:
  - linked
 operatingSystems:
-  - macos
  - ubuntu
+  - macos
  - windows
 steps:
  - name: Remove CodeQL from toolcache
@@ -1,6 +1,7 @@
 name: "Clean up database cluster directory"
 description: "The database cluster directory is cleaned up if it is not empty."
-versions: ["linked"]
+versions:
+  - linked
 steps:
  - name: Add a file to the database cluster directory
    run: |
@@ -1,6 +1,8 @@
 name: "Config export"
 description: "Tests that the code scanning configuration file is exported to SARIF correctly."
-versions: ["linked", "nightly-latest"]
+versions:
+  - linked
+  - nightly-latest
 steps:
  - uses: ./../action/init
    with:
@@ -1,7 +1,8 @@
 name: "Config input"
 description: "Tests specifying configuration using the config input"
 installNode: true
-versions: ["linked"]
+versions:
+  - linked
 steps:
  - name: Copy queries into workspace
    run: |
@@ -1,6 +1,9 @@
 name: "C/C++: disabling autoinstalling dependencies (Linux)"
 description: "Checks that running C/C++ autobuild with autoinstalling dependencies explicitly disabled works"
-versions: ["linked", "default", "nightly-latest"]
+versions:
+  - linked
+  - default
+  - nightly-latest
 env:
  DOTNET_GENERATE_ASPNET_CERTIFICATE: "false"
 steps:
@@ -1,7 +1,10 @@
 name: "C/C++: autoinstalling dependencies is skipped (macOS)"
 description: "Checks that running C/C++ autobuild with autoinstalling dependencies explicitly enabled is a no-op on macOS"
-operatingSystems: ["macos"]
-versions: ["linked", "nightly-latest"]
+operatingSystems:
+  - macos
+versions:
+  - linked
+  - nightly-latest
 env:
  DOTNET_GENERATE_ASPNET_CERTIFICATE: "false"
 steps:
@@ -1,6 +1,9 @@
 name: "C/C++: autoinstalling dependencies (Linux)"
 description: "Checks that running C/C++ autobuild with autoinstalling dependencies works"
-versions: ["linked", "default", "nightly-latest"]
+versions:
+  - linked
+  - default
+  - nightly-latest
 env:
  DOTNET_GENERATE_ASPNET_CERTIFICATE: "false"
 steps:
@@ -1,6 +1,8 @@
 name: "Diagnostic export"
 description: "Tests that manually added diagnostics are correctly exported to SARIF."
-versions: ["linked", "nightly-latest"]
+versions:
+  - linked
+  - nightly-latest
 env:
  CODEQL_ACTION_EXPORT_DIAGNOSTICS: true
 steps:
@@ -1,7 +1,11 @@
 name: "Export file baseline information"
 description: "Tests that file baseline information is exported when the feature is enabled"
-operatingSystems: ["ubuntu", "macos", "windows"]
-versions: ["nightly-latest"]
+operatingSystems:
+  - ubuntu
+  - macos
+  - windows
+versions:
+  - nightly-latest
 installGo: true
 installDotNet: true
 env:
@@ -1,6 +1,7 @@
 name: "Extractor ram and threads options test"
 description: "Tests passing RAM and threads limits to extractors"
-versions: ["linked"]
+versions:
+  - linked
 steps:
  - uses: ./../action/init
    with:
@@ -1,6 +1,8 @@
 name: "Proxy test"
 description: "Tests using a proxy specified by the https_proxy environment variable"
-versions: ["linked", "nightly-latest"]
+versions:
+  - linked
+  - nightly-latest
 container:
  image: ubuntu:22.04
 services:
@@ -2,7 +2,8 @@ name: "Go: diagnostic when Go is changed after init step"
 description: "Checks that we emit a diagnostic if Go is changed after the init step"
 # only Linux is affected
 # pinned to a version which does not support statically linked binaries for indirect tracing
-versions: ["default"]
+versions:
+  - default
 installGo: true
 collection: go
 steps:
@@ -2,7 +2,8 @@ name: "Go: diagnostic when `file` is not installed"
 description: "Checks that we emit a diagnostic if the `file` program is not installed"
 # only Linux is affected
 # pinned to a version which does not support statically linked binaries for indirect tracing
-versions: ["default"]
+versions:
+  - default
 installGo: true
 collection: go
 steps:
@@ -2,7 +2,8 @@ name: "Go: workaround for indirect tracing"
 description: "Checks that our workaround for indirect tracing for Go 1.21+ on Linux works"
 # only Linux is affected
 # pinned to a version which does not support statically linked binaries for indirect tracing
-versions: ["default"]
+versions:
+  - default
 installGo: true
 collection: go
 steps:
@@ -1,7 +1,13 @@
 name: "Go: tracing with autobuilder step"
 description: "Checks that Go tracing works when using an autobuilder step"
 collection: go
-operatingSystems: ["ubuntu", "macos"]
+operatingSystems:
+  - ubuntu
+  - macos
+osCodeQlVersions:
+  macos:
+    - linked
+    - nightly-latest
 env:
  DOTNET_GENERATE_ASPNET_CERTIFICATE: "false"
 installGo: true
@@ -1,7 +1,13 @@
 name: "Go: tracing with custom build steps"
 description: "Checks that Go tracing traces the build when using custom build steps"
 collection: go
-operatingSystems: ["ubuntu", "macos"]
+operatingSystems:
+  - ubuntu
+  - macos
+osCodeQlVersions:
+  macos:
+    - linked
+    - nightly-latest
 installGo: true
 steps:
  - uses: ./../action/init
@@ -1,7 +1,13 @@
 name: "Go: tracing with legacy workflow"
 description: "Checks that we run the autobuilder in legacy workflows with neither an autobuild step nor manual build steps"
 collection: go
-operatingSystems: ["ubuntu", "macos"]
+operatingSystems:
+  - ubuntu
+  - macos
+osCodeQlVersions:
+  macos:
+    - linked
+    - nightly-latest
 env:
  DOTNET_GENERATE_ASPNET_CERTIFICATE: "false"
 installGo: true
@@ -4,12 +4,11 @@
 # basic mechanics of multi-registry auth is working.
 name: "Packaging: Download using registries"
 description: "Checks that specifying a registries block and associated auth works as expected"
-versions: [
-    # This feature is not compatible with older CLIs
-    "default",
-    "linked",
-    "nightly-latest",
-]
+versions:
+  # This feature is not compatible with older CLIs
+  - default
+  - linked
+  - nightly-latest

 permissions:
  contents: read
@@ -1,6 +1,10 @@
 name: "Custom source root"
 description: "Checks that the argument specifying a non-default source root works"
-versions: ["linked", "default", "nightly-latest"] # This feature is not compatible with old CLIs
+# This feature is not compatible with old CLIs
+versions:
+  - linked
+  - default
+  - nightly-latest
 steps:
  - name: Move codeql-action
    run: |
@@ -1,6 +1,7 @@
 name: "Job run UUID added to SARIF"
 description: "Tests that the job run UUID is added to the SARIF output"
-versions: ["nightly-latest"]
+versions:
+  - nightly-latest
 steps:
  - uses: ./../action/init
    id: init
@@ -1,6 +1,7 @@
 name: "Language aliases"
 description: "Tests that language aliases are resolved correctly"
-versions: ["linked"]
+versions:
+  - linked
 steps:
  - uses: ./../action/init
    with:
@@ -1,6 +1,7 @@
 name: "Local CodeQL bundle"
 description: "Tests using a CodeQL bundle from a local file rather than a URL"
-versions: ["linked"]
+versions:
+  - linked
 installGo: true
 installDotNet: true
 steps:
@@ -1,6 +1,8 @@
 name: "Multi-language repository"
-description: "An end-to-end integration test of a multi-language repository using automatic language detection for macOS"
-operatingSystems: ["macos", "ubuntu"]
+description: "An end-to-end integration test of a multi-language repository using automatic language detection"
+operatingSystems:
+  - ubuntu
+  - macos
 env:
  CODEQL_ACTION_RESOLVE_SUPPORTED_LANGUAGES_USING_CLI: true
 installGo: true
@@ -1,6 +1,8 @@
 name: "Overlay database init fallback"
 description: "Tests that overlay init action succeeds with non-overlay packs"
-versions: ["linked", "nightly-latest"]
+versions:
+  - linked
+  - nightly-latest
 steps:
  - uses: ./../action/init
    with:
@@ -1,6 +1,10 @@
 name: "Packaging: Config and input passed to the CLI"
 description: "Checks that specifying packages using a combination of a config file and input to the Action works"
-versions: ["linked", "default", "nightly-latest"] # This feature is not compatible with old CLIs
+# This feature is not compatible with old CLIs
+versions:
+  - linked
+  - default
+  - nightly-latest
 installGo: true
 installNode: true
 installDotNet: true
@@ -1,6 +1,10 @@
 name: "Packaging: Config and input"
 description: "Checks that specifying packages using a combination of a config file and input to the Action works"
-versions: ["linked", "default", "nightly-latest"] # This feature is not compatible with old CLIs
+# This feature is not compatible with old CLIs
+versions:
+  - linked
+  - default
+  - nightly-latest
 installGo: true
 installNode: true
 installDotNet: true
@@ -1,6 +1,10 @@
 name: "Packaging: Config file"
 description: "Checks that specifying packages using only a config file works"
-versions: ["linked", "default", "nightly-latest"] # This feature is not compatible with old CLIs
+# This feature is not compatible with old CLIs
+versions:
+  - linked
+  - default
+  - nightly-latest
 installGo: true
 installNode: true
 installDotNet: true
@@ -1,6 +1,10 @@
 name: "Packaging: Action input"
 description: "Checks that specifying packages using the input to the Action works"
-versions: ["linked", "default", "nightly-latest"] # This feature is not compatible with old CLIs
+# This feature is not compatible with old CLIs
+versions:
+  - linked
+  - default
+  - nightly-latest
 installGo: true
 installNode: true
 installDotNet: true
@@ -1,6 +1,9 @@
 name: "Resolve environment"
 description: "Tests that the resolve-environment action works for Go and JavaScript/TypeScript"
-versions: ["default", "linked", "nightly-latest"]
+versions:
+  - linked
+  - default
+  - nightly-latest
 steps:
  - uses: ./../action/init
    with:
@@ -1,7 +1,8 @@
 name: "RuboCop multi-language"
 description: "Tests using RuboCop to analyze a multi-language repository and then using the CodeQL Action to upload the resulting SARIF"
 # This check doesn't use CodeQL, so the `version` matrix variable is unused.
-versions: ["default"]
+versions:
+  - default
 steps:
  - name: Set up Ruby
    uses: ruby/setup-ruby@09a7688d3b55cf0e976497ff046b70949eeaccfd # v1.288.0
@@ -1,7 +1,12 @@
 name: "Ruby analysis"
 description: "Tests creation of a Ruby database"
-versions: ["linked", "default", "nightly-latest"]
-operatingSystems: ["ubuntu", "macos"]
+versions:
+  - linked
+  - default
+  - nightly-latest
+operatingSystems:
+  - ubuntu
+  - macos
 steps:
  - uses: ./../action/init
    with:
@@ -1,7 +1,13 @@
 name: "Split workflow"
 description: "Tests a split-up workflow in which we first build a database and later analyze it"
-operatingSystems: ["ubuntu", "macos"]
-versions: ["linked", "default", "nightly-latest"] # This feature is not compatible with old CLIs
+operatingSystems:
+  - ubuntu
+  - macos
+# This feature is not compatible with old CLIs
+versions:
+  - linked
+  - default
+  - nightly-latest
 installGo: true
 installDotNet: true
 steps:
@@ -1,7 +1,11 @@
 name: "Start proxy"
 description: "Tests that the proxy can be initialised on all platforms"
-operatingSystems: ["ubuntu", "macos", "windows"]
-versions: ["linked"]
+operatingSystems:
+  - ubuntu
+  - macos
+  - windows
+versions:
+  - linked
 steps:
  - uses: ./../action/init
    with:
@@ -1,6 +1,9 @@
 name: Submit SARIF after failure
 description: Check that a SARIF file is submitted for the workflow run if it fails
-versions: ["linked", "default", "nightly-latest"]
+versions:
+  - linked
+  - default
+  - nightly-latest

 env:
  # Internal-only environment variable used to indicate that the post-init Action
@@ -1,7 +1,9 @@
 name: "Swift analysis using autobuild"
 description: "Tests creation of a Swift database using autobuild"
-versions: ["nightly-latest"]
-operatingSystems: ["macos"]
+versions:
+  - nightly-latest
+operatingSystems:
+  - macos
 steps:
  - uses: ./../action/init
    id: init
@@ -1,7 +1,11 @@
 name: "Swift analysis using a custom build command"
 description: "Tests creation of a Swift database using custom build"
-versions: ["linked", "default", "nightly-latest"]
-operatingSystems: ["macos"]
+versions:
+  - linked
+  - default
+  - nightly-latest
+operatingSystems:
+  - macos
 installGo: true
 installDotNet: true
 env:
@@ -1,6 +1,7 @@
 name: "Upload-sarif: 'ref' and 'sha' from inputs"
 description: "Checks that specifying 'ref' and 'sha' as inputs works"
-versions: ["default"]
+versions:
+  - default
 installGo: true
 installDotNet: true
 steps:
@@ -1,7 +1,11 @@
 name: "Test different uses of `upload-sarif`"
 description: "Checks that uploading SARIFs to the code quality endpoint works"
-versions: ["default"]
-analysisKinds: ["code-scanning", "code-quality", "code-scanning,code-quality"]
+versions:
+  - default
+analysisKinds:
+  - code-scanning
+  - code-quality
+  - code-scanning,code-quality
 installGo: true
 installDotNet: true
 steps:
@@ -1,6 +1,7 @@
 name: "Use a custom `checkout_path`"
 description: "Checks that a custom `checkout_path` will find the proper commit_oid"
-versions: ["linked"]
+versions:
+  - linked
 installGo: true
 installDotNet: true
 steps:
@@ -38,6 +38,8 @@ interface Specification extends JobSpecification {
  versions?: string[];
  /** Operating system prefixes used to select runner images (e.g. `["ubuntu", "macos"]`). */
  operatingSystems?: string[];
+  /** Per-OS version overrides. If specified for an OS, only those versions are tested on that OS. */
+  osCodeQlVersions?: Record<string, string[]>;
  /** Whether to use the all-platform CodeQL bundle. */
  useAllPlatformBundle?: string;
  /** Values for the `analysis-kinds` matrix dimension. */
@@ -317,6 +319,13 @@ function generateJobMatrix(
    const operatingSystems = checkSpecification.operatingSystems ?? ["ubuntu"];

    for (const operatingSystem of operatingSystems) {
+      // If osCodeQlVersions is set for this OS, only include the specified CodeQL versions.
+      const allowedVersions =
+        checkSpecification.osCodeQlVersions?.[operatingSystem];
+      if (allowedVersions && !allowedVersions.includes(version)) {
+        continue;
+      }
+
      const runnerImagesForOs = runnerImages.filter((image) =>
        image.startsWith(operatingSystem),
      );