Merge main into wait-for-processing-2.

Chris Gavin 2022-04-14 08:48:39 +01:00
commit e7869d541b
No known key found for this signature in database
GPG key ID: 07F950B80C27E4DA
92 changed files with 1144 additions and 410 deletions


@ -12,6 +12,7 @@ on:
branches: branches:
- main - main
- v1 - v1
- v2
pull_request: pull_request:
types: types:
- opened - opened
@ -69,7 +70,7 @@ jobs:
runs-on: ${{ matrix.os }} runs-on: ${{ matrix.os }}
steps: steps:
- name: Check out repository - name: Check out repository
uses: actions/checkout@v2 uses: actions/checkout@v3
- name: Prepare test - name: Prepare test
id: prepare-test id: prepare-test
uses: ./.github/prepare-test uses: ./.github/prepare-test


@ -12,6 +12,7 @@ on:
branches: branches:
- main - main
- v1 - v1
- v2
pull_request: pull_request:
types: types:
- opened - opened
@ -53,7 +54,7 @@ jobs:
runs-on: ${{ matrix.os }} runs-on: ${{ matrix.os }}
steps: steps:
- name: Check out repository - name: Check out repository
uses: actions/checkout@v2 uses: actions/checkout@v3
- name: Prepare test - name: Prepare test
id: prepare-test id: prepare-test
uses: ./.github/prepare-test uses: ./.github/prepare-test
@ -70,7 +71,7 @@ jobs:
run: ./build.sh run: ./build.sh
- uses: ./../action/analyze - uses: ./../action/analyze
id: analysis id: analysis
- uses: actions/download-artifact@v2 - uses: actions/download-artifact@v3
with: with:
name: my-debug-artifacts-${{ matrix.os }}-${{ matrix.version }} name: my-debug-artifacts-${{ matrix.os }}-${{ matrix.version }}
- shell: bash - shell: bash


@ -12,6 +12,7 @@ on:
branches: branches:
- main - main
- v1 - v1
- v2
pull_request: pull_request:
types: types:
- opened - opened
@ -31,7 +32,7 @@ jobs:
runs-on: ${{ matrix.os }} runs-on: ${{ matrix.os }}
steps: steps:
- name: Check out repository - name: Check out repository
uses: actions/checkout@v2 uses: actions/checkout@v3
- name: Prepare test - name: Prepare test
id: prepare-test id: prepare-test
uses: ./.github/prepare-test uses: ./.github/prepare-test


@ -12,6 +12,7 @@ on:
branches: branches:
- main - main
- v1 - v1
- v2
pull_request: pull_request:
types: types:
- opened - opened
@ -69,13 +70,13 @@ jobs:
runs-on: ${{ matrix.os }} runs-on: ${{ matrix.os }}
steps: steps:
- name: Check out repository - name: Check out repository
uses: actions/checkout@v2 uses: actions/checkout@v3
- name: Prepare test - name: Prepare test
id: prepare-test id: prepare-test
uses: ./.github/prepare-test uses: ./.github/prepare-test
with: with:
version: ${{ matrix.version }} version: ${{ matrix.version }}
- uses: actions/setup-go@v2 - uses: actions/setup-go@v3
with: with:
go-version: ^1.13.1 go-version: ^1.13.1
- uses: ./../action/init - uses: ./../action/init


@ -12,6 +12,7 @@ on:
branches: branches:
- main - main
- v1 - v1
- v2
pull_request: pull_request:
types: types:
- opened - opened
@ -53,13 +54,13 @@ jobs:
runs-on: ${{ matrix.os }} runs-on: ${{ matrix.os }}
steps: steps:
- name: Check out repository - name: Check out repository
uses: actions/checkout@v2 uses: actions/checkout@v3
- name: Prepare test - name: Prepare test
id: prepare-test id: prepare-test
uses: ./.github/prepare-test uses: ./.github/prepare-test
with: with:
version: ${{ matrix.version }} version: ${{ matrix.version }}
- uses: actions/setup-go@v2 - uses: actions/setup-go@v3
with: with:
go-version: ^1.13.1 go-version: ^1.13.1
- uses: ./../action/init - uses: ./../action/init


@ -12,6 +12,7 @@ on:
branches: branches:
- main - main
- v1 - v1
- v2
pull_request: pull_request:
types: types:
- opened - opened
@ -69,13 +70,13 @@ jobs:
runs-on: ${{ matrix.os }} runs-on: ${{ matrix.os }}
steps: steps:
- name: Check out repository - name: Check out repository
uses: actions/checkout@v2 uses: actions/checkout@v3
- name: Prepare test - name: Prepare test
id: prepare-test id: prepare-test
uses: ./.github/prepare-test uses: ./.github/prepare-test
with: with:
version: ${{ matrix.version }} version: ${{ matrix.version }}
- uses: actions/setup-go@v2 - uses: actions/setup-go@v3
with: with:
go-version: ^1.13.1 go-version: ^1.13.1
- uses: ./../action/init - uses: ./../action/init


@ -12,6 +12,7 @@ on:
branches: branches:
- main - main
- v1 - v1
- v2
pull_request: pull_request:
types: types:
- opened - opened
@ -35,7 +36,7 @@ jobs:
runs-on: ${{ matrix.os }} runs-on: ${{ matrix.os }}
steps: steps:
- name: Check out repository - name: Check out repository
uses: actions/checkout@v2 uses: actions/checkout@v3
- name: Prepare test - name: Prepare test
id: prepare-test id: prepare-test
uses: ./.github/prepare-test uses: ./.github/prepare-test

119
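--- /dev/null
+++ b/.github/workflows/__ml-powered-queries.yml
@@ -0,0 +1,119 @@
+# Warning: This file is generated automatically, and should not be modified.
+# Instead, please modify the template in the pr-checks directory and run:
+# pip install ruamel.yaml && python3 sync.py
+# to regenerate this file.
+name: PR Check - ML-powered queries
+env:
+GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+GO111MODULE: auto
+on:
+push:
+branches:
+- main
+- v1
+- v2
+pull_request:
+types:
+- opened
+- synchronize
+- reopened
+- ready_for_review
+workflow_dispatch: {}
+jobs:
+ml-powered-queries:
+strategy:
+matrix:
+include:
+- os: ubuntu-latest
+version: stable-20220120
+- os: macos-latest
+version: stable-20220120
+- os: windows-latest
+version: stable-20220120
+- os: ubuntu-latest
+version: cached
+- os: macos-latest
+version: cached
+- os: windows-latest
+version: cached
+- os: ubuntu-latest
+version: latest
+- os: macos-latest
+version: latest
+- os: windows-latest
+version: latest
+- os: ubuntu-latest
+version: nightly-latest
+- os: macos-latest
+version: nightly-latest
+- os: windows-latest
+version: nightly-latest
+name: ML-powered queries
+timeout-minutes: 45
+runs-on: ${{ matrix.os }}
+steps:
+- name: Check out repository
+uses: actions/checkout@v3
+- name: Prepare test
+id: prepare-test
+uses: ./.github/prepare-test
+with:
+version: ${{ matrix.version }}
+- uses: ./../action/init
+with:
+languages: javascript
+queries: security-extended
+source-root: ./../action/tests/ml-powered-queries-repo
+tools: ${{ steps.prepare-test.outputs.tools-url }}
+- uses: ./../action/analyze
+with:
+output: ${{ runner.temp }}/results
+upload-database: false
+env:
+TEST_MODE: true
+- name: Upload SARIF
+uses: actions/upload-artifact@v3
+with:
+name: ml-powered-queries-${{ matrix.os }}-${{ matrix.version }}.sarif.json
+path: ${{ runner.temp }}/results/javascript.sarif
+retention-days: 7
+- name: Check results
+env:
+IS_WINDOWS: ${{ matrix.os == 'windows-latest' }}
+shell: bash
+run: |
+cd "$RUNNER_TEMP/results"
+# We should run at least the ML-powered queries in `expected_rules`.
+expected_rules="js/ml-powered/nosql-injection js/ml-powered/path-injection js/ml-powered/sql-injection js/ml-powered/xss"
+for rule in ${expected_rules}; do
+found_rule=$(jq --arg rule "${rule}" '[.runs[0].tool.extensions[].rules | select(. != null) |
+flatten | .[].id] | any(. == $rule)' javascript.sarif)
+echo "Did find rule '${rule}': ${found_rule}"
+if [[ "${found_rule}" != "true" && "${IS_WINDOWS}" != "true" ]]; then
+echo "Expected SARIF output to contain rule '${rule}', but found no such rule."
+exit 1
+elif [[ "${found_rule}" == "true" && "${IS_WINDOWS}" == "true" ]]; then
+echo "Found rule '${rule}' in the SARIF output which shouldn't have been part of the analysis."
+exit 1
+fi
+done
+# We should have at least one alert from an ML-powered query.
+num_alerts=$(jq '[.runs[0].results[] |
+select(.properties.score != null and (.rule.id | startswith("js/ml-powered/")))] | length' \
+javascript.sarif)
+echo "Found ${num_alerts} alerts from ML-powered queries.";
+if [[ "${num_alerts}" -eq 0 && "${IS_WINDOWS}" != "true" ]]; then
+echo "Expected to find at least one alert from an ML-powered query but found ${num_alerts}."
+exit 1
+elif [[ "${num_alerts}" -ne 0 && "${IS_WINDOWS}" == "true" ]]; then
+echo "Expected not to find any alerts from an ML-powered query but found ${num_alerts}."
+exit 1
+fi
+env:
+INTERNAL_CODEQL_ACTION_DEBUG_LOC: true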


@ -12,6 +12,7 @@ on:
branches: branches:
- main - main
- v1 - v1
- v2
pull_request: pull_request:
types: types:
- opened - opened
@ -53,7 +54,7 @@ jobs:
runs-on: ${{ matrix.os }} runs-on: ${{ matrix.os }}
steps: steps:
- name: Check out repository - name: Check out repository
uses: actions/checkout@v2 uses: actions/checkout@v3
- name: Prepare test - name: Prepare test
id: prepare-test id: prepare-test
uses: ./.github/prepare-test uses: ./.github/prepare-test


@ -12,6 +12,7 @@ on:
branches: branches:
- main - main
- v1 - v1
- v2
pull_request: pull_request:
types: types:
- opened - opened
@ -33,7 +34,7 @@ jobs:
runs-on: ${{ matrix.os }} runs-on: ${{ matrix.os }}
steps: steps:
- name: Check out repository - name: Check out repository
uses: actions/checkout@v2 uses: actions/checkout@v3
- name: Prepare test - name: Prepare test
id: prepare-test id: prepare-test
uses: ./.github/prepare-test uses: ./.github/prepare-test


@ -12,6 +12,7 @@ on:
branches: branches:
- main - main
- v1 - v1
- v2
pull_request: pull_request:
types: types:
- opened - opened
@ -33,7 +34,7 @@ jobs:
runs-on: ${{ matrix.os }} runs-on: ${{ matrix.os }}
steps: steps:
- name: Check out repository - name: Check out repository
uses: actions/checkout@v2 uses: actions/checkout@v3
- name: Prepare test - name: Prepare test
id: prepare-test id: prepare-test
uses: ./.github/prepare-test uses: ./.github/prepare-test


@ -12,6 +12,7 @@ on:
branches: branches:
- main - main
- v1 - v1
- v2
pull_request: pull_request:
types: types:
- opened - opened
@ -33,7 +34,7 @@ jobs:
runs-on: ${{ matrix.os }} runs-on: ${{ matrix.os }}
steps: steps:
- name: Check out repository - name: Check out repository
uses: actions/checkout@v2 uses: actions/checkout@v3
- name: Prepare test - name: Prepare test
id: prepare-test id: prepare-test
uses: ./.github/prepare-test uses: ./.github/prepare-test


@ -12,6 +12,7 @@ on:
branches: branches:
- main - main
- v1 - v1
- v2
pull_request: pull_request:
types: types:
- opened - opened
@ -69,7 +70,7 @@ jobs:
runs-on: ${{ matrix.os }} runs-on: ${{ matrix.os }}
steps: steps:
- name: Check out repository - name: Check out repository
uses: actions/checkout@v2 uses: actions/checkout@v3
- name: Prepare test - name: Prepare test
id: prepare-test id: prepare-test
uses: ./.github/prepare-test uses: ./.github/prepare-test


@ -12,6 +12,7 @@ on:
branches: branches:
- main - main
- v1 - v1
- v2
pull_request: pull_request:
types: types:
- opened - opened
@ -41,7 +42,7 @@ jobs:
runs-on: ${{ matrix.os }} runs-on: ${{ matrix.os }}
steps: steps:
- name: Check out repository - name: Check out repository
uses: actions/checkout@v2 uses: actions/checkout@v3
- name: Prepare test - name: Prepare test
id: prepare-test id: prepare-test
uses: ./.github/prepare-test uses: ./.github/prepare-test


@ -12,6 +12,7 @@ on:
branches: branches:
- main - main
- v1 - v1
- v2
pull_request: pull_request:
types: types:
- opened - opened
@ -33,7 +34,7 @@ jobs:
runs-on: ${{ matrix.os }} runs-on: ${{ matrix.os }}
steps: steps:
- name: Check out repository - name: Check out repository
uses: actions/checkout@v2 uses: actions/checkout@v3
- name: Prepare test - name: Prepare test
id: prepare-test id: prepare-test
uses: ./.github/prepare-test uses: ./.github/prepare-test

67
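--- /dev/null
+++ b/.github/workflows/__test-autobuild-working-dir.yml
@@ -0,0 +1,67 @@
+# Warning: This file is generated automatically, and should not be modified.
+# Instead, please modify the template in the pr-checks directory and run:
+# pip install ruamel.yaml && python3 sync.py
+# to regenerate this file.
+name: PR Check - Autobuild working directory
+env:
+GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+GO111MODULE: auto
+on:
+push:
+branches:
+- main
+- v1
+- v2
+pull_request:
+types:
+- opened
+- synchronize
+- reopened
+- ready_for_review
+workflow_dispatch: {}
+jobs:
+test-autobuild-working-dir:
+strategy:
+matrix:
+include:
+- os: ubuntu-latest
+version: latest
+name: Autobuild working directory
+timeout-minutes: 45
+runs-on: ${{ matrix.os }}
+steps:
+- name: Check out repository
+uses: actions/checkout@v3
+- name: Prepare test
+id: prepare-test
+uses: ./.github/prepare-test
+with:
+version: ${{ matrix.version }}
+- name: Test setup
+shell: bash
+run: |
+# Make sure that Gradle build succeeds in autobuild-dir ...
+cp -a ../action/tests/java-repo autobuild-dir
+# ... and fails if attempted in the current directory
+echo > build.gradle
+- uses: ./../action/init
+with:
+languages: java
+tools: ${{ steps.prepare-test.outputs.tools-url }}
+- uses: ./../action/autobuild
+with:
+working-directory: autobuild-dir
+- uses: ./../action/analyze
+env:
+TEST_MODE: true
+- name: Check database
+shell: bash
+run: |
+cd "$RUNNER_TEMP/codeql_databases"
+if [[ ! -d java ]]; then
+echo "Did not find a Java database"
+exit 1
+fi
+env:
+INTERNAL_CODEQL_ACTION_DEBUG_LOC: true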


@ -12,6 +12,7 @@ on:
branches: branches:
- main - main
- v1 - v1
- v2
pull_request: pull_request:
types: types:
- opened - opened
@ -31,7 +32,7 @@ jobs:
runs-on: ${{ matrix.os }} runs-on: ${{ matrix.os }}
steps: steps:
- name: Check out repository - name: Check out repository
uses: actions/checkout@v2 uses: actions/checkout@v3
- name: Prepare test - name: Prepare test
id: prepare-test id: prepare-test
uses: ./.github/prepare-test uses: ./.github/prepare-test

3
.github/workflows/__test-proxy.yml generated vendored

@ -12,6 +12,7 @@ on:
branches: branches:
- main - main
- v1 - v1
- v2
pull_request: pull_request:
types: types:
- opened - opened
@ -31,7 +32,7 @@ jobs:
runs-on: ${{ matrix.os }} runs-on: ${{ matrix.os }}
steps: steps:
- name: Check out repository - name: Check out repository
uses: actions/checkout@v2 uses: actions/checkout@v3
- name: Prepare test - name: Prepare test
id: prepare-test id: prepare-test
uses: ./.github/prepare-test uses: ./.github/prepare-test

3
.github/workflows/__test-ruby.yml generated vendored

@ -12,6 +12,7 @@ on:
branches: branches:
- main - main
- v1 - v1
- v2
pull_request: pull_request:
types: types:
- opened - opened
@ -41,7 +42,7 @@ jobs:
runs-on: ${{ matrix.os }} runs-on: ${{ matrix.os }}
steps: steps:
- name: Check out repository - name: Check out repository
uses: actions/checkout@v2 uses: actions/checkout@v3
- name: Prepare test - name: Prepare test
id: prepare-test id: prepare-test
uses: ./.github/prepare-test uses: ./.github/prepare-test


@ -12,6 +12,7 @@ on:
branches: branches:
- main - main
- v1 - v1
- v2
pull_request: pull_request:
types: types:
- opened - opened
@ -41,7 +42,7 @@ jobs:
runs-on: ${{ matrix.os }} runs-on: ${{ matrix.os }}
steps: steps:
- name: Check out repository - name: Check out repository
uses: actions/checkout@v2 uses: actions/checkout@v3
- name: Prepare test - name: Prepare test
id: prepare-test id: prepare-test
uses: ./.github/prepare-test uses: ./.github/prepare-test


@ -12,6 +12,7 @@ on:
branches: branches:
- main - main
- v1 - v1
- v2
pull_request: pull_request:
types: types:
- opened - opened
@ -69,7 +70,7 @@ jobs:
runs-on: ${{ matrix.os }} runs-on: ${{ matrix.os }}
steps: steps:
- name: Check out repository - name: Check out repository
uses: actions/checkout@v2 uses: actions/checkout@v3
- name: Prepare test - name: Prepare test
id: prepare-test id: prepare-test
uses: ./.github/prepare-test uses: ./.github/prepare-test


@ -12,6 +12,7 @@ on:
branches: branches:
- main - main
- v1 - v1
- v2
pull_request: pull_request:
types: types:
- opened - opened
@ -69,13 +70,13 @@ jobs:
runs-on: ${{ matrix.os }} runs-on: ${{ matrix.os }}
steps: steps:
- name: Check out repository - name: Check out repository
uses: actions/checkout@v2 uses: actions/checkout@v3
- name: Prepare test - name: Prepare test
id: prepare-test id: prepare-test
uses: ./.github/prepare-test uses: ./.github/prepare-test
with: with:
version: ${{ matrix.version }} version: ${{ matrix.version }}
- uses: actions/checkout@v2 - uses: actions/checkout@v3
with: with:
ref: 474bbf07f9247ffe1856c6a0f94aeeb10e7afee6 ref: 474bbf07f9247ffe1856c6a0f94aeeb10e7afee6
path: x/y/z/some-path path: x/y/z/some-path


@ -15,7 +15,7 @@ jobs:
steps: steps:
- name: Checkout CodeQL Action - name: Checkout CodeQL Action
uses: actions/checkout@v2 uses: actions/checkout@v3
- name: Check Expected Release Files - name: Check Expected Release Files
run: | run: |
bundle_version="$(cat "./src/defaults.json" | jq -r ".bundleVersion")" bundle_version="$(cat "./src/defaults.json" | jq -r ".bundleVersion")"


@ -2,9 +2,9 @@ name: "CodeQL action"
on: on:
push: push:
branches: [main, v1] branches: [main, v1, v2]
pull_request: pull_request:
branches: [main, v1] branches: [main, v1, v2]
# Run checks on reopened draft PRs to support triggering PR checks on draft PRs that were opened # Run checks on reopened draft PRs to support triggering PR checks on draft PRs that were opened
# by other workflows. # by other workflows.
types: [opened, synchronize, reopened, ready_for_review] types: [opened, synchronize, reopened, ready_for_review]
@ -20,7 +20,7 @@ jobs:
security-events: write security-events: write
steps: steps:
- uses: actions/checkout@v2 - uses: actions/checkout@v3
- name: Init with default CodeQL bundle from the VM image - name: Init with default CodeQL bundle from the VM image
id: init-default id: init-default
uses: ./init uses: ./init
@ -75,7 +75,7 @@ jobs:
security-events: write security-events: write
steps: steps:
- uses: actions/checkout@v2 - uses: actions/checkout@v3
- uses: ./init - uses: ./init
id: init id: init
with: with:


@ -34,8 +34,8 @@ jobs:
GITHUB_CONTEXT: '${{ toJson(github) }}' GITHUB_CONTEXT: '${{ toJson(github) }}'
run: echo "$GITHUB_CONTEXT" run: echo "$GITHUB_CONTEXT"
- uses: actions/checkout@v2 - uses: actions/checkout@v3
- uses: actions/setup-node@v2 - uses: actions/setup-node@v3
- name: Update git config - name: Update git config
run: | run: |


@ -2,7 +2,7 @@ name: PR Checks (Basic Checks and Runner)
on: on:
push: push:
branches: [main, v1] branches: [main, v1, v2]
pull_request: pull_request:
# Run checks on reopened draft PRs to support triggering PR checks on draft PRs that were opened # Run checks on reopened draft PRs to support triggering PR checks on draft PRs that were opened
# by other workflows. # by other workflows.
@ -16,7 +16,7 @@ jobs:
timeout-minutes: 45 timeout-minutes: 45
steps: steps:
- uses: actions/checkout@v2 - uses: actions/checkout@v3
- name: Run Lint - name: Run Lint
run: npm run-script lint run: npm run-script lint
@ -30,7 +30,7 @@ jobs:
node-types-version: [12.12, current] node-types-version: [12.12, current]
steps: steps:
- uses: actions/checkout@v2 - uses: actions/checkout@v3
- name: Update version of @types/node - name: Update version of @types/node
if: matrix.node-types-version != 'current' if: matrix.node-types-version != 'current'
@ -46,11 +46,13 @@ jobs:
# `npm install` on Linux. # `npm install` on Linux.
npm install npm install
git config --global user.email "github-actions@github.com" if [ ! -z "$(git status --porcelain)" ]; then
git config --global user.name "github-actions[bot]" git config --global user.email "github-actions@github.com"
# The period in `git add --all .` ensures that we stage deleted files too. git config --global user.name "github-actions[bot]"
git add --all . # The period in `git add --all .` ensures that we stage deleted files too.
git commit -m "Use @types/node=${NODE_TYPES_VERSION}" git add --all .
git commit -m "Use @types/node=${NODE_TYPES_VERSION}"
fi
- name: Check generated JS - name: Check generated JS
run: .github/workflows/script/check-js.sh run: .github/workflows/script/check-js.sh
@ -61,7 +63,7 @@ jobs:
timeout-minutes: 45 timeout-minutes: 45
steps: steps:
- uses: actions/checkout@v2 - uses: actions/checkout@v3
- name: Check node modules up to date - name: Check node modules up to date
run: .github/workflows/script/check-node-modules.sh run: .github/workflows/script/check-node-modules.sh
@ -71,9 +73,9 @@ jobs:
timeout-minutes: 45 timeout-minutes: 45
steps: steps:
- uses: actions/checkout@v2 - uses: actions/checkout@v3
- name: Set up Python - name: Set up Python
uses: actions/setup-python@v2 uses: actions/setup-python@v3
with: with:
python-version: 3.8 python-version: 3.8
- name: Install dependencies - name: Install dependencies
@ -93,7 +95,7 @@ jobs:
timeout-minutes: 45 timeout-minutes: 45
steps: steps:
- uses: actions/checkout@v2 - uses: actions/checkout@v3
- name: npm run-script test - name: npm run-script test
run: npm run-script test run: npm run-script test
@ -104,7 +106,7 @@ jobs:
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- uses: actions/checkout@v2 - uses: actions/checkout@v3
- name: Build runner - name: Build runner
run: | run: |
@ -133,7 +135,7 @@ jobs:
runs-on: windows-latest runs-on: windows-latest
steps: steps:
- uses: actions/checkout@v2 - uses: actions/checkout@v3
- name: Build runner - name: Build runner
run: | run: |
@ -158,7 +160,7 @@ jobs:
runs-on: macos-latest runs-on: macos-latest
steps: steps:
- uses: actions/checkout@v2 - uses: actions/checkout@v3
- name: Build runner - name: Build runner
run: | run: |
@ -183,7 +185,7 @@ jobs:
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- uses: actions/checkout@v2 - uses: actions/checkout@v3
- name: Move codeql-action - name: Move codeql-action
shell: bash shell: bash
@ -223,7 +225,7 @@ jobs:
runs-on: windows-2019 runs-on: windows-2019
steps: steps:
- uses: actions/checkout@v2 - uses: actions/checkout@v3
- name: Move codeql-action - name: Move codeql-action
shell: bash shell: bash
@ -251,7 +253,7 @@ jobs:
& $Env:CODEQL_RUNNER dotnet build /p:UseSharedCompilation=false & $Env:CODEQL_RUNNER dotnet build /p:UseSharedCompilation=false
- name: Upload tracer logs - name: Upload tracer logs
uses: actions/upload-artifact@v2 uses: actions/upload-artifact@v3
with: with:
name: tracer-logs name: tracer-logs
path: ./codeql-runner/compound-build-tracer.log path: ./codeql-runner/compound-build-tracer.log
@ -269,7 +271,7 @@ jobs:
runs-on: macos-latest runs-on: macos-latest
steps: steps:
- uses: actions/checkout@v2 - uses: actions/checkout@v3
- name: Move codeql-action - name: Move codeql-action
shell: bash shell: bash
@ -308,7 +310,7 @@ jobs:
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- uses: actions/checkout@v2 - uses: actions/checkout@v3
- name: Move codeql-action - name: Move codeql-action
shell: bash shell: bash
@ -347,7 +349,7 @@ jobs:
runs-on: windows-2019 runs-on: windows-2019
steps: steps:
- uses: actions/checkout@v2 - uses: actions/checkout@v3
- name: Move codeql-action - name: Move codeql-action
shell: bash shell: bash
@ -385,7 +387,7 @@ jobs:
timeout-minutes: 45 timeout-minutes: 45
steps: steps:
- uses: actions/checkout@v2 - uses: actions/checkout@v3
- name: Move codeql-action - name: Move codeql-action
shell: bash shell: bash
@ -425,7 +427,7 @@ jobs:
if: ${{ github.event_name != 'pull_request' || github.event.pull_request.base.repo.id == github.event.pull_request.head.repo.id }} if: ${{ github.event_name != 'pull_request' || github.event.pull_request.base.repo.id == github.event.pull_request.head.repo.id }}
steps: steps:
- uses: actions/checkout@v2 - uses: actions/checkout@v3
- name: Build runner - name: Build runner
run: | run: |
@ -446,7 +448,7 @@ jobs:
timeout-minutes: 45 timeout-minutes: 45
steps: steps:
- uses: actions/checkout@v2 - uses: actions/checkout@v3
- name: Build runner - name: Build runner
run: | run: |
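Review bot: The dirty-tree guard added around the `git commit` in the "Update version of @types/node" step is written as the double negation `[ ! -z "$(git status --porcelain)" ]`; the direct form `[ -n "$(git status --porcelain)" ]` expresses the same test without the negation and is what shell linters usually suggest. Note that `--porcelain` also reports untracked files, so any untracked artefact left behind by `npm install` would trigger a commit as well; if only modifications to tracked files should count, `git diff --quiet || { ...; }` is the narrower check. The step's `run:` script begins before the hunk, so the `NODE_TYPES_VERSION` variable used in the commit message is set outside what is visible here. A one-line comment above the `if`, such as `# Only commit when the @types/node bump actually changed something; an empty commit would fail the step`, would make the purpose of the new guard explicit to the next reader.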


@ -2,7 +2,7 @@ name: Test Python Package Installation on Linux and Mac
on: on:
push: push:
branches: [main, v1] branches: [main, v1, v2]
pull_request: pull_request:
# Run checks on reopened draft PRs to support triggering PR checks on draft PRs that were opened # Run checks on reopened draft PRs to support triggering PR checks on draft PRs that were opened
# by other workflows. # by other workflows.
@ -25,7 +25,7 @@ jobs:
steps: steps:
# Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
- uses: actions/checkout@v2 - uses: actions/checkout@v3
- name: Initialize CodeQL - name: Initialize CodeQL
uses: ./init uses: ./init
@ -71,7 +71,7 @@ jobs:
steps: steps:
# Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
- uses: actions/checkout@v2 - uses: actions/checkout@v3
- name: Initialize CodeQL - name: Initialize CodeQL
uses: ./init uses: ./init
@ -122,9 +122,9 @@ jobs:
steps: steps:
# Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
- uses: actions/checkout@v2 - uses: actions/checkout@v3
- uses: actions/setup-python@v2 - uses: actions/setup-python@v3
with: with:
python-version: ${{ matrix.python_version }} python-version: ${{ matrix.python_version }}


@ -1,55 +0,0 @@
name: Release runner
on:
workflow_dispatch:
inputs:
bundle-tag:
description: 'Tag of the bundle release (e.g., "codeql-bundle-20200826")'
required: false
jobs:
release-runner:
timeout-minutes: 45
runs-on: ubuntu-latest
env:
RELEASE_TAG: "${{ github.event.inputs.bundle-tag }}"
strategy:
matrix:
extension: ["linux", "macos", "win.exe"]
steps:
- uses: actions/checkout@v2
- name: Build runner
run: |
cd runner
npm install
npm run build-runner
- uses: actions/upload-artifact@v2
with:
name: codeql-runner-${{matrix.extension}}
path: runner/dist/codeql-runner-${{matrix.extension}}
- name: Resolve Upload URL for the release
if: ${{ github.event.inputs.bundle-tag != null }}
id: save_url
run: |
UPLOAD_URL=$(curl -sS \
"https://api.github.com/repos/${GITHUB_REPOSITORY}/releases/tags/${RELEASE_TAG}" \
-H "Accept: application/json" \
-H "Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}" | jq .upload_url | sed s/\"//g)
echo ${UPLOAD_URL}
echo "::set-output name=upload_url::${UPLOAD_URL}"
- name: Upload Platform Package
if: ${{ github.event.inputs.bundle-tag != null }}
uses: actions/upload-release-asset@v1
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
upload_url: ${{ steps.save_url.outputs.upload_url }}
asset_path: runner/dist/codeql-runner-${{matrix.extension}}
asset_name: codeql-runner-${{matrix.extension}}
asset_content_type: application/octet-stream


@ -1,74 +0,0 @@
#
# Split the CodeQL Bundle into platform bundles
#
# Instructions:
# 1. Upload the new codeql-bundle (codeql-bundle.tar.gz) as an asset of the
# release (codeql-bundle-20200826)
# 2. Take note of the CLI Release used by the bundle (e.g., v2.2.5)
# 3. Manually launch this workflow file (via the Actions UI) specifying
# - The CLI Release (e.g., v2.2.5)
# - The release tag (e.g., codeql-bundle-20200826)
# 4. If everything succeeds you should see 3 new assets.
#
name: Split Bundle
on:
workflow_dispatch:
inputs:
cli-release:
description: 'CodeQL CLI Release (e.g., "v2.2.5")'
required: true
bundle-tag:
description: 'Tag of the bundle release (e.g., "codeql-bundle-20200826")'
required: true
jobs:
build:
runs-on: ubuntu-latest
timeout-minutes: 45
env:
CLI_RELEASE: "${{ github.event.inputs.cli-release }}"
RELEASE_TAG: "${{ github.event.inputs.bundle-tag }}"
strategy:
fail-fast: false
matrix:
platform: ["linux64", "osx64", "win64"]
steps:
- name: Resolve Upload URL for the release
id: save_url
run: |
UPLOAD_URL=$(curl -sS \
"https://api.github.com/repos/${GITHUB_REPOSITORY}/releases/tags/${RELEASE_TAG}" \
-H "Accept: application/json" \
-H "Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}" | jq .upload_url | sed s/\"//g)
echo ${UPLOAD_URL}
echo "::set-output name=upload_url::${UPLOAD_URL}"
- name: Download CodeQL CLI and Bundle
run: |
wget --no-verbose "https://github.com/${GITHUB_REPOSITORY}/releases/download/${RELEASE_TAG}/codeql-bundle.tar.gz"
wget --no-verbose "https://github.com/github/codeql-cli-binaries/releases/download/${CLI_RELEASE}/codeql-${{matrix.platform}}.zip"
- name: Create Platform Package
# Replace the codeql-binaries with the platform specific ones
run: |
gunzip codeql-bundle.tar.gz
tar -f codeql-bundle.tar --delete codeql
unzip -q codeql-${{matrix.platform}}.zip
tar -f codeql-bundle.tar --append codeql
gzip codeql-bundle.tar
mv codeql-bundle.tar.gz codeql-bundle-${{matrix.platform}}.tar.gz
du -sh codeql-bundle-${{matrix.platform}}.tar.gz
- name: Upload Platform Package
uses: actions/upload-release-asset@v1
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
upload_url: ${{ steps.save_url.outputs.upload_url }}
asset_path: ./codeql-bundle-${{matrix.platform}}.tar.gz
asset_name: codeql-bundle-${{matrix.platform}}.tar.gz
asset_content_type: application/tar+gzip


@ -11,7 +11,7 @@ jobs:
if: contains(github.event.pull_request.labels.*.name, 'Update dependencies') && (github.event.pull_request.head.repo.full_name == 'github/codeql-action') if: contains(github.event.pull_request.labels.*.name, 'Update dependencies') && (github.event.pull_request.head.repo.full_name == 'github/codeql-action')
steps: steps:
- name: Checkout repository - name: Checkout repository
uses: actions/checkout@v2 uses: actions/checkout@v3
- name: Remove PR label - name: Remove PR label
env: env:


@ -23,13 +23,13 @@ jobs:
GITHUB_CONTEXT: '${{ toJson(github) }}' GITHUB_CONTEXT: '${{ toJson(github) }}'
run: echo "$GITHUB_CONTEXT" run: echo "$GITHUB_CONTEXT"
- uses: actions/checkout@v2 - uses: actions/checkout@v3
with: with:
# Need full history so we calculate diffs # Need full history so we calculate diffs
fetch-depth: 0 fetch-depth: 0
- name: Set up Python - name: Set up Python
uses: actions/setup-python@v2 uses: actions/setup-python@v3
with: with:
python-version: 3.8 python-version: 3.8
@ -49,7 +49,7 @@ jobs:
python .github/update-release-branch.py \ python .github/update-release-branch.py \
--github-token ${{ secrets.GITHUB_TOKEN }} \ --github-token ${{ secrets.GITHUB_TOKEN }} \
--repository-nwo ${{ github.repository }} \ --repository-nwo ${{ github.repository }} \
--mode release-v2 \ --mode v2-release \
--conductor ${GITHUB_ACTOR} --conductor ${GITHUB_ACTOR}
- name: Update v1 release branch - name: Update v1 release branch
@ -58,5 +58,5 @@ jobs:
python .github/update-release-branch.py \ python .github/update-release-branch.py \
--github-token ${{ secrets.GITHUB_TOKEN }} \ --github-token ${{ secrets.GITHUB_TOKEN }} \
--repository-nwo ${{ github.repository }} \ --repository-nwo ${{ github.repository }} \
--mode release-v1 \ --mode v1-release \
--conductor ${GITHUB_ACTOR} --conductor ${GITHUB_ACTOR}


@ -13,13 +13,13 @@ jobs:
steps: steps:
- name: Setup Python - name: Setup Python
uses: actions/setup-python@v2 uses: actions/setup-python@v3
with: with:
python-version: "3.7" python-version: "3.7"
- name: Checkout CodeQL Action - name: Checkout CodeQL Action
uses: actions/checkout@v2 uses: actions/checkout@v3
- name: Checkout Enterprise Releases - name: Checkout Enterprise Releases
uses: actions/checkout@v2 uses: actions/checkout@v3
with: with:
repository: github/enterprise-releases repository: github/enterprise-releases
ssh-key: ${{ secrets.ENTERPRISE_RELEASES_SSH_KEY }} ssh-key: ${{ secrets.ENTERPRISE_RELEASES_SSH_KEY }}


@ -2,9 +2,23 @@
## [UNRELEASED] ## [UNRELEASED]
- Add `working-directory` input to the `autobuild` action. [#1024](https://github.com/github/codeql-action/pull/1024)
- The `analyze` and `upload-sarif` actions will now wait up to 2 minutes for processing to complete after they have uploaded the results so they can report any processing errors that occurred. This behavior can be disabled by setting the `wait-for-processing` action input to `"false"`. [#1007](https://github.com/github/codeql-action/pull/1007)
## 2.1.8 - 08 Apr 2022
- Update default CodeQL bundle version to 2.8.5. [#1014](https://github.com/github/codeql-action/pull/1014)
- Fix error where the init action would fail due to a GitHub API request that was taking too long to complete [#1025](https://github.com/github/codeql-action/pull/1025)
## 2.1.7 - 05 Apr 2022
- A bug where additional queries specified in the workflow file would sometimes not be respected has been fixed. [#1018](https://github.com/github/codeql-action/pull/1018)
## 2.1.6 - 30 Mar 2022
- [v2+ only] The CodeQL Action now runs on Node.js v16. [#1000](https://github.com/github/codeql-action/pull/1000) - [v2+ only] The CodeQL Action now runs on Node.js v16. [#1000](https://github.com/github/codeql-action/pull/1000)
- Update default CodeQL bundle version to 2.8.4. [#990](https://github.com/github/codeql-action/pull/990) - Update default CodeQL bundle version to 2.8.4. [#990](https://github.com/github/codeql-action/pull/990)
- The `analyze` and `upload-sarif` actions will now wait up to 2 minutes for processing to complete after they have uploaded the results so they can report any processing errors that occurred. This behavior can be disabled by setting the `wait-for-processing` action input to `"false"`. [#1007](https://github.com/github/codeql-action/pull/1007) - Fix a bug where an invalid `commit_oid` was being sent to code scanning when a custom checkout path was being used. [#956](https://github.com/github/codeql-action/pull/956)
## 1.1.5 - 15 Mar 2022 ## 1.1.5 - 15 Mar 2022
@ -22,7 +36,6 @@
## 1.1.3 - 23 Feb 2022 ## 1.1.3 - 23 Feb 2022
- Fix a bug where the CLR traces can continue tracing even after tracing should be stopped. [#938](https://github.com/github/codeql-action/pull/938) - Fix a bug where the CLR traces can continue tracing even after tracing should be stopped. [#938](https://github.com/github/codeql-action/pull/938)
- Fix a bug where an invalid `commit_oid` was being sent to code scanning when a custom checkout path was being used. [#956](https://github.com/github/codeql-action/pull/956)
## 1.1.2 - 17 Feb 2022 ## 1.1.2 - 17 Feb 2022


@ -1 +1,3 @@
**/* @github/codeql-action-reviewers **/* @github/codeql-action-reviewers
/python-setup/ @github/codeql-python @github/codeql-action-reviewers


@ -52,11 +52,11 @@ jobs:
steps: steps:
- name: Checkout repository - name: Checkout repository
uses: actions/checkout@v2 uses: actions/checkout@v3
# Initializes the CodeQL tools for scanning. # Initializes the CodeQL tools for scanning.
- name: Initialize CodeQL - name: Initialize CodeQL
uses: github/codeql-action/init@v1 uses: github/codeql-action/init@v2
# Override language selection by uncommenting this and choosing your languages # Override language selection by uncommenting this and choosing your languages
# with: # with:
# languages: go, javascript, csharp, python, cpp, java # languages: go, javascript, csharp, python, cpp, java
@ -64,7 +64,7 @@ jobs:
# Autobuild attempts to build any compiled languages (C/C++, C#, or Java). # Autobuild attempts to build any compiled languages (C/C++, C#, or Java).
# If this step fails, then you should remove it and run the build manually (see below). # If this step fails, then you should remove it and run the build manually (see below).
- name: Autobuild - name: Autobuild
uses: github/codeql-action/autobuild@v1 uses: github/codeql-action/autobuild@v2
# Command-line programs to run using the OS shell. # Command-line programs to run using the OS shell.
# 📚 https://git.io/JvXDl # 📚 https://git.io/JvXDl
@ -78,14 +78,14 @@ jobs:
# make release # make release
- name: Perform CodeQL Analysis - name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v1 uses: github/codeql-action/analyze@v2
``` ```
If you prefer to integrate this within an existing CI workflow, it should end up looking something like this: If you prefer to integrate this within an existing CI workflow, it should end up looking something like this:
```yaml ```yaml
- name: Initialize CodeQL - name: Initialize CodeQL
uses: github/codeql-action/init@v1 uses: github/codeql-action/init@v2
with: with:
languages: go, javascript languages: go, javascript
@ -95,7 +95,7 @@ If you prefer to integrate this within an existing CI workflow, it should end up
make release make release
- name: Perform CodeQL Analysis - name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v1 uses: github/codeql-action/analyze@v2
``` ```
### Configuration file ### Configuration file
@ -103,7 +103,7 @@ If you prefer to integrate this within an existing CI workflow, it should end up
Use the `config-file` parameter of the `init` action to enable the configuration file. The value of `config-file` is the path to the configuration file you want to use. This example loads the configuration file `./.github/codeql/codeql-config.yml`. Use the `config-file` parameter of the `init` action to enable the configuration file. The value of `config-file` is the path to the configuration file you want to use. This example loads the configuration file `./.github/codeql/codeql-config.yml`.
```yaml ```yaml
- uses: github/codeql-action/init@v1 - uses: github/codeql-action/init@v2
with: with:
config-file: ./.github/codeql/codeql-config.yml config-file: ./.github/codeql/codeql-config.yml
``` ```
@ -111,7 +111,7 @@ Use the `config-file` parameter of the `init` action to enable the configuration
The configuration file can be located in a different repository. This is useful if you want to share the same configuration across multiple repositories. If the configuration file is in a private repository you can also specify an `external-repository-token` option. This should be a personal access token that has read access to any repositories containing referenced config files and queries. The configuration file can be located in a different repository. This is useful if you want to share the same configuration across multiple repositories. If the configuration file is in a private repository you can also specify an `external-repository-token` option. This should be a personal access token that has read access to any repositories containing referenced config files and queries.
```yaml ```yaml
- uses: github/codeql-action/init@v1 - uses: github/codeql-action/init@v2
with: with:
config-file: owner/repo/codeql-config.yml@branch config-file: owner/repo/codeql-config.yml@branch
external-repository-token: ${{ secrets.EXTERNAL_REPOSITORY_TOKEN }} external-repository-token: ${{ secrets.EXTERNAL_REPOSITORY_TOKEN }}
@ -122,7 +122,7 @@ For information on how to write a configuration file, see "[Using a custom confi
If you only want to customise the queries used, you can specify them in your workflow instead of creating a config file, using the `queries` property of the `init` action: If you only want to customise the queries used, you can specify them in your workflow instead of creating a config file, using the `queries` property of the `init` action:
```yaml ```yaml
- uses: github/codeql-action/init@v1 - uses: github/codeql-action/init@v2
with: with:
queries: <local-or-remote-query>,<another-query> queries: <local-or-remote-query>,<another-query>
``` ```
@ -130,7 +130,7 @@ If you only want to customise the queries used, you can specify them in your wor
By default, this will override any queries specified in a config file. If you wish to use both sets of queries, prefix the list of queries in the workflow with `+`: By default, this will override any queries specified in a config file. If you wish to use both sets of queries, prefix the list of queries in the workflow with `+`:
```yaml ```yaml
- uses: github/codeql-action/init@v1 - uses: github/codeql-action/init@v2
with: with:
queries: +<local-or-remote-query>,<another-query> queries: +<local-or-remote-query>,<another-query>
``` ```


@ -6,6 +6,12 @@ inputs:
default: ${{ github.token }} default: ${{ github.token }}
matrix: matrix:
default: ${{ toJson(matrix) }} default: ${{ toJson(matrix) }}
working-directory:
description: >-
Run the autobuilder using this path (relative to $GITHUB_WORKSPACE) as
working directory. If this input is not set, the autobuilder runs with
$GITHUB_WORKSPACE as its working directory.
required: false
runs: runs:
using: 'node16' using: 'node16'
main: '../lib/autobuild-action.js' main: '../lib/autobuild-action.js'
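Review bot: The `working-directory` description states the path is taken relative to `$GITHUB_WORKSPACE`, but the code that consumes it in this commit (the `lib/autobuild-action.js` hunk) hands the raw input to `process.chdir(workingDirectory)`, so the path is actually resolved against whatever the process's current directory happens to be, an absolute path is accepted as-is, and a missing directory fails with a bare ENOENT from `chdir` rather than a message naming the input. Either the description should be loosened to match, or the implementation should resolve explicitly before changing directory, e.g. `const dir = path.resolve(getRequiredEnvParam("GITHUB_WORKSPACE"), workingDirectory);` followed by an existence check that reports `Autobuild working directory ${dir} does not exist` and then `process.chdir(dir)`. The input has no `default:`, which is fine for the "not set" branch, but the description could state that a relative path is joined to the workspace while an absolute path is used unchanged, so the contract is explicit. The TypeScript source for this logic is not in this view.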

4
lib/actions-util.js generated

@ -357,7 +357,7 @@ async function getWorkflowPath() {
const repo = repo_nwo[1]; const repo = repo_nwo[1];
const run_id = Number((0, util_1.getRequiredEnvParam)("GITHUB_RUN_ID")); const run_id = Number((0, util_1.getRequiredEnvParam)("GITHUB_RUN_ID"));
const apiClient = api.getActionsApiClient(); const apiClient = api.getActionsApiClient();
const runsResponse = await apiClient.request("GET /repos/:owner/:repo/actions/runs/:run_id", { const runsResponse = await apiClient.request("GET /repos/:owner/:repo/actions/runs/:run_id?exclude_pull_requests=true", {
owner, owner,
repo, repo,
run_id, run_id,
@ -455,7 +455,7 @@ async function getRef() {
return ref; return ref;
} }
const head = await (0, exports.getCommitOid)(checkoutPath, "HEAD"); const head = await (0, exports.getCommitOid)(checkoutPath, "HEAD");
// in actions/checkout@v2 we can check if git rev-parse HEAD == GITHUB_SHA // in actions/checkout@v2+ we can check if git rev-parse HEAD == GITHUB_SHA
// in actions/checkout@v1 this may not be true as it checks out the repository // in actions/checkout@v1 this may not be true as it checks out the repository
// using GITHUB_REF. There is a subtle race condition where // using GITHUB_REF. There is a subtle race condition where
// git rev-parse GITHUB_REF != GITHUB_SHA, so we must check // git rev-parse GITHUB_REF != GITHUB_SHA, so we must check

File diff suppressed because one or more lines are too long

3
lib/analyze.js generated

@ -133,8 +133,7 @@ async function runQueries(sarifFolder, memoryFlag, addSnippetsFlag, threadsFlag,
} }
const codeql = await (0, codeql_1.getCodeQL)(config.codeQLCmd); const codeql = await (0, codeql_1.getCodeQL)(config.codeQLCmd);
try { try {
if (hasPackWithCustomQueries && if (hasPackWithCustomQueries) {
!(await util.codeQlVersionAbove(codeql, codeql_1.CODEQL_VERSION_CONFIG_FILES))) {
logger.info("Performing analysis with custom CodeQL Packs."); logger.info("Performing analysis with custom CodeQL Packs.");
logger.startGroup(`Downloading custom packs for ${language}`); logger.startGroup(`Downloading custom packs for ${language}`);
const results = await codeql.packDownload(packsWithVersion); const results = await codeql.packDownload(packsWithVersion);

File diff suppressed because one or more lines are too long


@ -52,6 +52,11 @@ async function run() {
} }
language = (0, autobuild_1.determineAutobuildLanguage)(config, logger); language = (0, autobuild_1.determineAutobuildLanguage)(config, logger);
if (language !== undefined) { if (language !== undefined) {
const workingDirectory = (0, actions_util_1.getOptionalInput)("working-directory");
if (workingDirectory) {
logger.info(`Changing autobuilder working directory to ${workingDirectory}`);
process.chdir(workingDirectory);
}
await (0, autobuild_1.runAutobuild)(language, config, logger); await (0, autobuild_1.runAutobuild)(language, config, logger);
} }
} }


@ -1 +1 @@
{"version":3,"file":"autobuild-action.js","sourceRoot":"","sources":["../src/autobuild-action.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;AAAA,oDAAsC;AAEtC,iDAMwB;AACxB,2CAAuE;AACvE,6DAA+C;AAE/C,uCAA6C;AAC7C,iCAAqD;AAErD,8CAA8C;AAC9C,MAAM,GAAG,GAAG,OAAO,CAAC,iBAAiB,CAAC,CAAC;AASvC,KAAK,UAAU,yBAAyB,CACtC,SAAe,EACf,YAAsB,EACtB,eAAwB,EACxB,KAAa;IAEb,IAAA,4BAAqB,EAAC,WAAI,CAAC,OAAO,EAAE,GAAG,CAAC,OAAO,CAAC,CAAC;IAEjD,MAAM,MAAM,GAAG,IAAA,+BAAgB,EAAC,KAAK,EAAE,eAAe,CAAC,CAAC;IACxD,MAAM,gBAAgB,GAAG,MAAM,IAAA,qCAAsB,EACnD,WAAW,EACX,MAAM,EACN,SAAS,EACT,KAAK,aAAL,KAAK,uBAAL,KAAK,CAAE,OAAO,EACd,KAAK,aAAL,KAAK,uBAAL,KAAK,CAAE,KAAK,CACb,CAAC;IACF,MAAM,YAAY,GAA0B;QAC1C,GAAG,gBAAgB;QACnB,mBAAmB,EAAE,YAAY,CAAC,IAAI,CAAC,GAAG,CAAC;QAC3C,iBAAiB,EAAE,eAAe;KACnC,CAAC;IACF,MAAM,IAAA,+BAAgB,EAAC,YAAY,CAAC,CAAC;AACvC,CAAC;AAED,KAAK,UAAU,GAAG;IAChB,MAAM,MAAM,GAAG,IAAA,0BAAgB,GAAE,CAAC;IAClC,MAAM,SAAS,GAAG,IAAI,IAAI,EAAE,CAAC;IAC7B,IAAI,QAAQ,GAAyB,SAAS,CAAC;IAC/C,IAAI;QACF,IACE,CAAC,CAAC,MAAM,IAAA,+BAAgB,EACtB,MAAM,IAAA,qCAAsB,EAAC,WAAW,EAAE,UAAU,EAAE,SAAS,CAAC,CACjE,CAAC,EACF;YACA,OAAO;SACR;QAED,MAAM,MAAM,GAAG,MAAM,YAAY,CAAC,SAAS,CACzC,IAAA,oCAAqB,GAAE,EACvB,MAAM,CACP,CAAC;QACF,IAAI,MAAM,KAAK,SAAS,EAAE;YACxB,MAAM,IAAI,KAAK,CACb,yFAAyF,CAC1F,CAAC;SACH;QACD,QAAQ,GAAG,IAAA,sCAA0B,EAAC,MAAM,EAAE,MAAM,CAAC,CAAC;QACtD,IAAI,QAAQ,KAAK,SAAS,EAAE;YAC1B,MAAM,IAAA,wBAAY,EAAC,QAAQ,EAAE,MAAM,EAAE,MAAM,CAAC,CAAC;SAC9C;KACF;IAAC,OAAO,KAAK,EAAE;QACd,IAAI,CAAC,SAAS,CACZ,mIACE,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CACvD,EAAE,CACH,CAAC;QACF,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;QACnB,MAAM,yBAAyB,CAC7B,SAAS,EACT,QAAQ,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,EAAE,EAC1B,QAAQ,EACR,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,KAAK,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAC1D,CAAC;QACF,OAAO;KACR;IAED,MAAM,yBAAyB,CAAC,SAAS,EAAE,QAAQ,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;AACzE,CAAC;AAED,KAAK,UAAU,UAAU;IACvB,IAAI;QACF,MAAM,GAAG,EAAE,CAAC;KACb;IAAC,OAAO,
KAAK,EAAE;QACd,IAAI,CAAC,SAAS,CAAC,4BAA4B,KAAK,EAAE,CAAC,CAAC;QACpD,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;KACpB;AACH,CAAC;AAED,KAAK,UAAU,EAAE,CAAC"} {"version":3,"file":"autobuild-action.js","sourceRoot":"","sources":["../src/autobuild-action.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;AAAA,oDAAsC;AAEtC,iDAOwB;AACxB,2CAAuE;AACvE,6DAA+C;AAE/C,uCAA6C;AAC7C,iCAAqD;AAErD,8CAA8C;AAC9C,MAAM,GAAG,GAAG,OAAO,CAAC,iBAAiB,CAAC,CAAC;AASvC,KAAK,UAAU,yBAAyB,CACtC,SAAe,EACf,YAAsB,EACtB,eAAwB,EACxB,KAAa;IAEb,IAAA,4BAAqB,EAAC,WAAI,CAAC,OAAO,EAAE,GAAG,CAAC,OAAO,CAAC,CAAC;IAEjD,MAAM,MAAM,GAAG,IAAA,+BAAgB,EAAC,KAAK,EAAE,eAAe,CAAC,CAAC;IACxD,MAAM,gBAAgB,GAAG,MAAM,IAAA,qCAAsB,EACnD,WAAW,EACX,MAAM,EACN,SAAS,EACT,KAAK,aAAL,KAAK,uBAAL,KAAK,CAAE,OAAO,EACd,KAAK,aAAL,KAAK,uBAAL,KAAK,CAAE,KAAK,CACb,CAAC;IACF,MAAM,YAAY,GAA0B;QAC1C,GAAG,gBAAgB;QACnB,mBAAmB,EAAE,YAAY,CAAC,IAAI,CAAC,GAAG,CAAC;QAC3C,iBAAiB,EAAE,eAAe;KACnC,CAAC;IACF,MAAM,IAAA,+BAAgB,EAAC,YAAY,CAAC,CAAC;AACvC,CAAC;AAED,KAAK,UAAU,GAAG;IAChB,MAAM,MAAM,GAAG,IAAA,0BAAgB,GAAE,CAAC;IAClC,MAAM,SAAS,GAAG,IAAI,IAAI,EAAE,CAAC;IAC7B,IAAI,QAAQ,GAAyB,SAAS,CAAC;IAC/C,IAAI;QACF,IACE,CAAC,CAAC,MAAM,IAAA,+BAAgB,EACtB,MAAM,IAAA,qCAAsB,EAAC,WAAW,EAAE,UAAU,EAAE,SAAS,CAAC,CACjE,CAAC,EACF;YACA,OAAO;SACR;QAED,MAAM,MAAM,GAAG,MAAM,YAAY,CAAC,SAAS,CACzC,IAAA,oCAAqB,GAAE,EACvB,MAAM,CACP,CAAC;QACF,IAAI,MAAM,KAAK,SAAS,EAAE;YACxB,MAAM,IAAI,KAAK,CACb,yFAAyF,CAC1F,CAAC;SACH;QACD,QAAQ,GAAG,IAAA,sCAA0B,EAAC,MAAM,EAAE,MAAM,CAAC,CAAC;QACtD,IAAI,QAAQ,KAAK,SAAS,EAAE;YAC1B,MAAM,gBAAgB,GAAG,IAAA,+BAAgB,EAAC,mBAAmB,CAAC,CAAC;YAC/D,IAAI,gBAAgB,EAAE;gBACpB,MAAM,CAAC,IAAI,CACT,6CAA6C,gBAAgB,EAAE,CAChE,CAAC;gBACF,OAAO,CAAC,KAAK,CAAC,gBAAgB,CAAC,CAAC;aACjC;YACD,MAAM,IAAA,wBAAY,EAAC,QAAQ,EAAE,MAAM,EAAE,MAAM,CAAC,CAAC;SAC9C;KACF;IAAC,OAAO,KAAK,EAAE;QACd,IAAI,CAAC,SAAS,CACZ,mIACE,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CACvD,EAAE,CACH,CAAC;QACF,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;QACnB,MAAM,yBAAyB,CAC7B,SAAS,EACT,QAAQ,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,
CAAC,CAAC,CAAC,EAAE,EAC1B,QAAQ,EACR,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,KAAK,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAC1D,CAAC;QACF,OAAO;KACR;IAED,MAAM,yBAAyB,CAAC,SAAS,EAAE,QAAQ,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;AACzE,CAAC;AAED,KAAK,UAAU,UAAU;IACvB,IAAI;QACF,MAAM,GAAG,EAAE,CAAC;KACb;IAAC,OAAO,KAAK,EAAE;QACd,IAAI,CAAC,SAAS,CAAC,4BAA4B,KAAK,EAAE,CAAC,CAAC;QACpD,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;KACpB;AACH,CAAC;AAED,KAAK,UAAU,EAAE,CAAC"}

35
lib/codeql.js generated

@ -22,12 +22,11 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
return (mod && mod.__esModule) ? mod : { "default": mod }; return (mod && mod.__esModule) ? mod : { "default": mod };
}; };
Object.defineProperty(exports, "__esModule", { value: true }); Object.defineProperty(exports, "__esModule", { value: true });
exports.getExtraOptions = exports.getCodeQLForTesting = exports.getCachedCodeQL = exports.setCodeQL = exports.getCodeQL = exports.convertToSemVer = exports.getCodeQLURLVersion = exports.setupCodeQL = exports.getCodeQLActionRepository = exports.CODEQL_VERSION_NEW_TRACING = exports.CODEQL_VERSION_ML_POWERED_QUERIES = exports.CODEQL_VERSION_CONFIG_FILES = exports.CODEQL_VERSION_COUNTS_LINES = exports.CommandInvocationError = void 0; exports.getExtraOptions = exports.getCodeQLForTesting = exports.getCachedCodeQL = exports.setCodeQL = exports.getCodeQL = exports.convertToSemVer = exports.getCodeQLURLVersion = exports.setupCodeQL = exports.getCodeQLActionRepository = exports.CODEQL_VERSION_NEW_TRACING = exports.CODEQL_VERSION_ML_POWERED_QUERIES = exports.CODEQL_VERSION_COUNTS_LINES = exports.CommandInvocationError = void 0;
const fs = __importStar(require("fs")); const fs = __importStar(require("fs"));
const path = __importStar(require("path")); const path = __importStar(require("path"));
const toolrunner = __importStar(require("@actions/exec/lib/toolrunner")); const toolrunner = __importStar(require("@actions/exec/lib/toolrunner"));
const fast_deep_equal_1 = __importDefault(require("fast-deep-equal")); const fast_deep_equal_1 = __importDefault(require("fast-deep-equal"));
const yaml = __importStar(require("js-yaml"));
const query_string_1 = __importDefault(require("query-string")); const query_string_1 = __importDefault(require("query-string"));
const semver = __importStar(require("semver")); const semver = __importStar(require("semver"));
const actions_util_1 = require("./actions-util"); const actions_util_1 = require("./actions-util");
@ -76,7 +75,6 @@ const CODEQL_VERSION_GROUP_RULES = "2.5.5";
const CODEQL_VERSION_SARIF_GROUP = "2.5.3"; const CODEQL_VERSION_SARIF_GROUP = "2.5.3";
exports.CODEQL_VERSION_COUNTS_LINES = "2.6.2"; exports.CODEQL_VERSION_COUNTS_LINES = "2.6.2";
const CODEQL_VERSION_CUSTOM_QUERY_HELP = "2.7.1"; const CODEQL_VERSION_CUSTOM_QUERY_HELP = "2.7.1";
exports.CODEQL_VERSION_CONFIG_FILES = "2.8.2"; // Versions before 2.8.2 weren't tolerant to unknown properties
exports.CODEQL_VERSION_ML_POWERED_QUERIES = "2.7.5"; exports.CODEQL_VERSION_ML_POWERED_QUERIES = "2.7.5";
/** /**
* This variable controls using the new style of tracing from the CodeQL * This variable controls using the new style of tracing from the CodeQL
@ -468,29 +466,6 @@ async function getCodeQLForCmd(cmd, checkVersion) {
extraArgs.push(`--trace-process-level=${processLevel || 3}`); extraArgs.push(`--trace-process-level=${processLevel || 3}`);
} }
} }
if (await util.codeQlVersionAbove(codeql, exports.CODEQL_VERSION_CONFIG_FILES)) {
const configLocation = path.resolve(config.tempDir, "user-config.yaml");
const augmentedConfig = config.originalUserInput;
if (config.injectedMlQueries) {
// We need to inject the ML queries into the original user input before
// we pass this on to the CLI, to make sure these get run.
let packString = util_1.ML_POWERED_JS_QUERIES_PACK.packName;
if (util_1.ML_POWERED_JS_QUERIES_PACK.version)
packString = `${packString}@${util_1.ML_POWERED_JS_QUERIES_PACK.version}`;
if (augmentedConfig.packs === undefined)
augmentedConfig.packs = [];
if (Array.isArray(augmentedConfig.packs)) {
augmentedConfig.packs.push(packString);
}
else {
if (!augmentedConfig.packs.javascript)
augmentedConfig.packs["javascript"] = [];
augmentedConfig.packs["javascript"].push(packString);
}
}
fs.writeFileSync(configLocation, yaml.dump(augmentedConfig));
extraArgs.push(`--codescanning-config=${configLocation}`);
}
await runTool(cmd, [ await runTool(cmd, [
"database", "database",
"init", "init",
@ -611,9 +586,7 @@ async function getCodeQLForCmd(cmd, checkVersion) {
if (extraSearchPath !== undefined) { if (extraSearchPath !== undefined) {
codeqlArgs.push("--additional-packs", extraSearchPath); codeqlArgs.push("--additional-packs", extraSearchPath);
} }
if (!(await util.codeQlVersionAbove(this, exports.CODEQL_VERSION_CONFIG_FILES))) { codeqlArgs.push(querySuitePath);
codeqlArgs.push(querySuitePath);
}
await runTool(cmd, codeqlArgs); await runTool(cmd, codeqlArgs);
}, },
async databaseInterpretResults(databasePath, querySuitePaths, sarifFile, addSnippetsFlag, threadsFlag, automationDetailsId) { async databaseInterpretResults(databasePath, querySuitePaths, sarifFile, addSnippetsFlag, threadsFlag, automationDetailsId) {
@ -640,9 +613,7 @@ async function getCodeQLForCmd(cmd, checkVersion) {
codeqlArgs.push("--sarif-category", automationDetailsId); codeqlArgs.push("--sarif-category", automationDetailsId);
} }
codeqlArgs.push(databasePath); codeqlArgs.push(databasePath);
if (!(await util.codeQlVersionAbove(this, exports.CODEQL_VERSION_CONFIG_FILES))) { codeqlArgs.push(...querySuitePaths);
codeqlArgs.push(...querySuitePaths);
}
// capture stdout, which contains analysis summaries // capture stdout, which contains analysis summaries
return await runTool(cmd, codeqlArgs); return await runTool(cmd, codeqlArgs);
}, },

File diff suppressed because one or more lines are too long

9
lib/config-utils.js generated

@ -130,15 +130,18 @@ async function addBuiltinSuiteQueries(languages, codeQL, resultMap, packs, suite
// If we're running the JavaScript security-extended analysis (or a superset of it), the repo is // If we're running the JavaScript security-extended analysis (or a superset of it), the repo is
// opted into the ML-powered queries beta, and a user hasn't already added the ML-powered query // opted into the ML-powered queries beta, and a user hasn't already added the ML-powered query
// pack, then add the ML-powered query pack so that we run ML-powered queries. // pack, then add the ML-powered query pack so that we run ML-powered queries.
if (languages.includes("javascript") && if (
// Disable ML-powered queries on Windows
process.platform !== "win32" &&
languages.includes("javascript") &&
(found === "security-extended" || found === "security-and-quality") && (found === "security-extended" || found === "security-and-quality") &&
!((_a = packs.javascript) === null || _a === void 0 ? void 0 : _a.some((pack) => pack.packName === util_1.ML_POWERED_JS_QUERIES_PACK.packName)) && !((_a = packs.javascript) === null || _a === void 0 ? void 0 : _a.some((pack) => pack.packName === util_1.ML_POWERED_JS_QUERIES_PACK_NAME)) &&
(await featureFlags.getValue(feature_flags_1.FeatureFlag.MlPoweredQueriesEnabled)) && (await featureFlags.getValue(feature_flags_1.FeatureFlag.MlPoweredQueriesEnabled)) &&
(await (0, util_1.codeQlVersionAbove)(codeQL, codeql_1.CODEQL_VERSION_ML_POWERED_QUERIES))) { (await (0, util_1.codeQlVersionAbove)(codeQL, codeql_1.CODEQL_VERSION_ML_POWERED_QUERIES))) {
if (!packs.javascript) { if (!packs.javascript) {
packs.javascript = []; packs.javascript = [];
} }
packs.javascript.push(util_1.ML_POWERED_JS_QUERIES_PACK); packs.javascript.push(await (0, util_1.getMlPoweredJsQueriesPack)(codeQL));
injectedMlQueries = true; injectedMlQueries = true;
} }
const suites = languages.map((l) => `${l}-${suiteName}.qls`); const suites = languages.map((l) => `${l}-${suiteName}.qls`);

File diff suppressed because one or more lines are too long


@ -911,11 +911,20 @@ const mlPoweredQueriesMacro = ava_1.default.macro({
? `${expectedVersionString} are` ? `${expectedVersionString} are`
: "aren't"} loaded for packs: ${packsInput}, queries: ${queriesInput} using CLI v${codeQLVersion} when feature flag is ${isMlPoweredQueriesFlagEnabled ? "enabled" : "disabled"}`, : "aren't"} loaded for packs: ${packsInput}, queries: ${queriesInput} using CLI v${codeQLVersion} when feature flag is ${isMlPoweredQueriesFlagEnabled ? "enabled" : "disabled"}`,
}); });
// macro, isMlPoweredQueriesFlagEnabled, packsInput, queriesInput, versionString // macro, codeQLVersion, isMlPoweredQueriesFlagEnabled, packsInput, queriesInput, expectedVersionString
// Test that ML-powered queries aren't run on v2.7.4 of the CLI.
(0, ava_1.default)(mlPoweredQueriesMacro, "2.7.4", true, undefined, "security-extended", undefined); (0, ava_1.default)(mlPoweredQueriesMacro, "2.7.4", true, undefined, "security-extended", undefined);
// Test that ML-powered queries aren't run when the feature flag is off.
(0, ava_1.default)(mlPoweredQueriesMacro, "2.7.5", false, undefined, "security-extended", undefined); (0, ava_1.default)(mlPoweredQueriesMacro, "2.7.5", false, undefined, "security-extended", undefined);
// Test that ML-powered queries aren't run when the user hasn't specified that we should run the
// `security-extended` or `security-and-quality` query suite.
(0, ava_1.default)(mlPoweredQueriesMacro, "2.7.5", true, undefined, undefined, undefined); (0, ava_1.default)(mlPoweredQueriesMacro, "2.7.5", true, undefined, undefined, undefined);
(0, ava_1.default)(mlPoweredQueriesMacro, "2.7.5", true, undefined, "security-extended", "~0.1.0"); // Test that ML-powered queries are run on non-Windows platforms running `security-extended`.
(0, ava_1.default)(mlPoweredQueriesMacro, "2.7.5", true, undefined, "security-and-quality", "~0.1.0"); (0, ava_1.default)(mlPoweredQueriesMacro, "2.7.5", true, undefined, "security-extended", process.platform === "win32" ? undefined : "~0.1.0");
(0, ava_1.default)(mlPoweredQueriesMacro, "2.7.5", true, "codeql/javascript-experimental-atm-queries@0.0.1", "security-and-quality", "0.0.1"); // Test that ML-powered queries are run on non-Windows platforms running `security-and-quality`.
(0, ava_1.default)(mlPoweredQueriesMacro, "2.7.5", true, undefined, "security-and-quality", process.platform === "win32" ? undefined : "~0.1.0");
// Test that we don't inject an ML-powered query pack if the user has already specified one.
(0, ava_1.default)(mlPoweredQueriesMacro, "2.7.5", true, "codeql/javascript-experimental-atm-queries@0.0.1", "security-and-quality", process.platform === "win32" ? undefined : "0.0.1");
// Test that the ~0.2.0 version of ML-powered queries is run on v2.8.4 of the CLI.
(0, ava_1.default)(mlPoweredQueriesMacro, "2.8.4", true, undefined, "security-extended", process.platform === "win32" ? undefined : "~0.2.0");
//# sourceMappingURL=config-utils.test.js.map //# sourceMappingURL=config-utils.test.js.map

File diff suppressed because one or more lines are too long


@ -1,3 +1,3 @@
{ {
"bundleVersion": "codeql-bundle-20220322" "bundleVersion": "codeql-bundle-20220401"
} }

55
lib/util.js generated

@ -22,7 +22,7 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
return (mod && mod.__esModule) ? mod : { "default": mod }; return (mod && mod.__esModule) ? mod : { "default": mod };
}; };
Object.defineProperty(exports, "__esModule", { value: true }); Object.defineProperty(exports, "__esModule", { value: true });
exports.getMlPoweredJsQueriesStatus = exports.ML_POWERED_JS_QUERIES_PACK = exports.isGoodVersion = exports.delay = exports.bundleDb = exports.codeQlVersionAbove = exports.getCachedCodeQlVersion = exports.cacheCodeQlVersion = exports.isGitHubGhesVersionBelow = exports.isHTTPError = exports.UserError = exports.HTTPError = exports.getRequiredEnvParam = exports.isActions = exports.getMode = exports.enrichEnvironment = exports.initializeEnvironment = exports.Mode = exports.assertNever = exports.getGitHubAuth = exports.apiVersionInRange = exports.DisallowedAPIVersionReason = exports.checkGitHubVersionInRange = exports.getGitHubVersion = exports.GitHubVariant = exports.parseGitHubUrl = exports.getCodeQLDatabasePath = exports.getThreadsFlag = exports.getThreadsFlagValue = exports.getAddSnippetsFlag = exports.getMemoryFlag = exports.getMemoryFlagValue = exports.withTmpDir = exports.getToolNames = exports.getExtraOptionsEnvParam = exports.DEFAULT_DEBUG_DATABASE_NAME = exports.DEFAULT_DEBUG_ARTIFACT_NAME = exports.GITHUB_DOTCOM_URL = void 0; exports.getMlPoweredJsQueriesStatus = exports.getMlPoweredJsQueriesPack = exports.ML_POWERED_JS_QUERIES_PACK_NAME = exports.isGoodVersion = exports.delay = exports.bundleDb = exports.codeQlVersionAbove = exports.getCachedCodeQlVersion = exports.cacheCodeQlVersion = exports.isGitHubGhesVersionBelow = exports.isHTTPError = exports.UserError = exports.HTTPError = exports.getRequiredEnvParam = exports.isActions = exports.getMode = exports.enrichEnvironment = exports.initializeEnvironment = exports.Mode = exports.assertNever = exports.getGitHubAuth = exports.apiVersionInRange = exports.DisallowedAPIVersionReason = exports.checkGitHubVersionInRange = exports.getGitHubVersion = exports.GitHubVariant = exports.parseGitHubUrl = exports.getCodeQLDatabasePath = exports.getThreadsFlag = exports.getThreadsFlagValue = exports.getAddSnippetsFlag = exports.getMemoryFlag = exports.getMemoryFlagValue = exports.withTmpDir = exports.getToolNames = 
exports.getExtraOptionsEnvParam = exports.DEFAULT_DEBUG_DATABASE_NAME = exports.DEFAULT_DEBUG_ARTIFACT_NAME = exports.GITHUB_DOTCOM_URL = void 0;
const fs = __importStar(require("fs")); const fs = __importStar(require("fs"));
const os = __importStar(require("os")); const os = __importStar(require("os"));
const path = __importStar(require("path")); const path = __importStar(require("path"));
@ -545,24 +545,26 @@ function isGoodVersion(versionSpec) {
return !BROKEN_VERSIONS.includes(versionSpec); return !BROKEN_VERSIONS.includes(versionSpec);
} }
exports.isGoodVersion = isGoodVersion; exports.isGoodVersion = isGoodVersion;
exports.ML_POWERED_JS_QUERIES_PACK_NAME = "codeql/javascript-experimental-atm-queries";
/** /**
* The ML-powered JS query pack to add to the analysis if a repo is opted into the ML-powered * Gets the ML-powered JS query pack to add to the analysis if a repo is opted into the ML-powered
* queries beta. * queries beta.
*/ */
exports.ML_POWERED_JS_QUERIES_PACK = { async function getMlPoweredJsQueriesPack(codeQL) {
packName: "codeql/javascript-experimental-atm-queries", if (await codeQlVersionAbove(codeQL, "2.8.4")) {
version: "~0.1.0", return { packName: exports.ML_POWERED_JS_QUERIES_PACK_NAME, version: "~0.2.0" };
}; }
return { packName: exports.ML_POWERED_JS_QUERIES_PACK_NAME, version: "~0.1.0" };
}
exports.getMlPoweredJsQueriesPack = getMlPoweredJsQueriesPack;
/** /**
* Get information about ML-powered JS queries to populate status reports with. * Get information about ML-powered JS queries to populate status reports with.
* *
* This will be: * This will be:
* *
* - The version string if the analysis is using the ML-powered query pack that will be added to the * - The version string if the analysis is using a single version of the ML-powered query pack.
* analysis if the repo is opted into the ML-powered queries beta, i.e. * - "latest" if the version string of the ML-powered query pack is undefined. This is unlikely to
* {@link ML_POWERED_JS_QUERIES_PACK.version}. If the version string * occur in practice (see comment below).
* {@link ML_POWERED_JS_QUERIES_PACK.version} is undefined, then the status report string will be
* "latest", however this shouldn't occur in practice (see comment below).
* - "false" if the analysis won't run any ML-powered JS queries. * - "false" if the analysis won't run any ML-powered JS queries.
* - "other" in all other cases. * - "other" in all other cases.
* *
@ -572,30 +574,25 @@ exports.ML_POWERED_JS_QUERIES_PACK = {
* version of the CodeQL Action. For instance, we might want to compare the `~0.1.0` and `~0.0.2` * version of the CodeQL Action. For instance, we might want to compare the `~0.1.0` and `~0.0.2`
* version strings. * version strings.
* *
* We restrict the set of strings we report here by excluding other version strings and combinations
* of version strings. We do this to limit the cardinality of the ML-powered JS queries status
* report field, since some platforms that ingest this status report bill based on the cardinality
* of its fields.
*
* This function lives here rather than in `init-action.ts` so it's easier to test, since tests for * This function lives here rather than in `init-action.ts` so it's easier to test, since tests for
* `init-action.ts` would each need to live in their own file. See `analyze-action-env.ts` for an * `init-action.ts` would each need to live in their own file. See `analyze-action-env.ts` for an
* explanation as to why this is. * explanation as to why this is.
*/ */
function getMlPoweredJsQueriesStatus(config) { function getMlPoweredJsQueriesStatus(config) {
const mlPoweredJsQueryPacks = (config.packs.javascript || []).filter((pack) => pack.packName === exports.ML_POWERED_JS_QUERIES_PACK.packName); const mlPoweredJsQueryPacks = (config.packs.javascript || []).filter((pack) => pack.packName === exports.ML_POWERED_JS_QUERIES_PACK_NAME);
if (mlPoweredJsQueryPacks.length === 0) { switch (mlPoweredJsQueryPacks.length) {
return "false"; case 1:
// We should always specify an explicit version string in `getMlPoweredJsQueriesPack`,
// otherwise we won't be able to make changes to the pack unless those changes are compatible
// with each version of the CodeQL Action. Therefore in practice we should only hit the
// `latest` case here when customers have explicitly added the ML-powered query pack to their
// CodeQL config.
return mlPoweredJsQueryPacks[0].version || "latest";
case 0:
return "false";
default:
return "other";
} }
const firstVersionString = mlPoweredJsQueryPacks[0].version;
if (mlPoweredJsQueryPacks.length === 1 &&
exports.ML_POWERED_JS_QUERIES_PACK.version === firstVersionString) {
// We should always specify an explicit version string in `ML_POWERED_JS_QUERIES_PACK`,
// otherwise we won't be able to make changes to the pack unless those changes are compatible
// with each version of the CodeQL Action. Therefore in practice, we should never hit the
// `latest` case here.
return exports.ML_POWERED_JS_QUERIES_PACK.version || "latest";
}
return "other";
} }
exports.getMlPoweredJsQueriesStatus = getMlPoweredJsQueriesStatus; exports.getMlPoweredJsQueriesStatus = getMlPoweredJsQueriesStatus;
//# sourceMappingURL=util.js.map //# sourceMappingURL=util.js.map


lib/util.test.js generated

@ -205,32 +205,43 @@ async function mockStdInForAuthExpectError(t, mockLogger, ...text) {
await t.throwsAsync(async () => util.getGitHubAuth(mockLogger, undefined, true, stdin)); await t.throwsAsync(async () => util.getGitHubAuth(mockLogger, undefined, true, stdin));
} }
const ML_POWERED_JS_STATUS_TESTS = [ const ML_POWERED_JS_STATUS_TESTS = [
// If no packs are loaded, status is false.
[[], "false"], [[], "false"],
// If another pack is loaded but not the ML-powered query pack, status is false.
[[{ packName: "someOtherPack" }], "false"], [[{ packName: "someOtherPack" }], "false"],
// If the ML-powered query pack is loaded with a specific version, status is that version.
[ [
[{ packName: "someOtherPack" }, util.ML_POWERED_JS_QUERIES_PACK], [{ packName: util.ML_POWERED_JS_QUERIES_PACK_NAME, version: "~0.1.0" }],
util.ML_POWERED_JS_QUERIES_PACK.version, "~0.1.0",
],
[[util.ML_POWERED_JS_QUERIES_PACK], util.ML_POWERED_JS_QUERIES_PACK.version],
[[{ packName: util.ML_POWERED_JS_QUERIES_PACK.packName }], "other"],
[
[{ packName: util.ML_POWERED_JS_QUERIES_PACK.packName, version: "~0.0.1" }],
"other",
],
[
[
{ packName: util.ML_POWERED_JS_QUERIES_PACK.packName, version: "0.0.1" },
{ packName: util.ML_POWERED_JS_QUERIES_PACK.packName, version: "0.0.2" },
],
"other",
], ],
// If the ML-powered query pack is loaded with a specific version and another pack is loaded, the
// status is the version of the ML-powered query pack.
[ [
[ [
{ packName: "someOtherPack" }, { packName: "someOtherPack" },
{ packName: util.ML_POWERED_JS_QUERIES_PACK.packName }, { packName: util.ML_POWERED_JS_QUERIES_PACK_NAME, version: "~0.1.0" },
],
"~0.1.0",
],
// If the ML-powered query pack is loaded without a version, the status is "latest".
[[{ packName: util.ML_POWERED_JS_QUERIES_PACK_NAME }], "latest"],
// If the ML-powered query pack is loaded with two different versions, the status is "other".
[
[
{ packName: util.ML_POWERED_JS_QUERIES_PACK_NAME, version: "0.0.1" },
{ packName: util.ML_POWERED_JS_QUERIES_PACK_NAME, version: "0.0.2" },
], ],
"other", "other",
], ],
// If the ML-powered query pack is loaded with no specific version, and another pack is loaded,
// the status is "latest".
[
[
{ packName: "someOtherPack" },
{ packName: util.ML_POWERED_JS_QUERIES_PACK_NAME },
],
"latest",
],
]; ];
for (const [packs, expectedStatus] of ML_POWERED_JS_STATUS_TESTS) { for (const [packs, expectedStatus] of ML_POWERED_JS_STATUS_TESTS) {
const packDescriptions = `[${packs const packDescriptions = `[${packs


node_modules/.package-lock.json generated vendored

@ -1,6 +1,6 @@
{ {
"name": "codeql", "name": "codeql",
"version": "2.1.6", "version": "2.1.9",
"lockfileVersion": 2, "lockfileVersion": 2,
"requires": true, "requires": true,
"packages": { "packages": {
@ -893,6 +893,14 @@
"node": ">=8" "node": ">=8"
} }
}, },
"node_modules/array-uniq": {
"version": "1.0.3",
"resolved": "https://registry.npmjs.org/array-uniq/-/array-uniq-1.0.3.tgz",
"integrity": "sha1-r2rId6Jcx/dOBYiUdThY39sk/bY=",
"engines": {
"node": ">=0.10.0"
}
},
"node_modules/array.prototype.flat": { "node_modules/array.prototype.flat": {
"version": "1.2.4", "version": "1.2.4",
"resolved": "https://registry.npmjs.org/array.prototype.flat/-/array.prototype.flat-1.2.4.tgz", "resolved": "https://registry.npmjs.org/array.prototype.flat/-/array.prototype.flat-1.2.4.tgz",
@ -2788,6 +2796,17 @@
"loc": "dist/cli.js" "loc": "dist/cli.js"
} }
}, },
"node_modules/github-linguist/node_modules/array-union": {
"version": "1.0.2",
"resolved": "https://registry.npmjs.org/array-union/-/array-union-1.0.2.tgz",
"integrity": "sha1-mjRBDk9OPaI96jdb5b5w8kd47Dk=",
"dependencies": {
"array-uniq": "^1.0.1"
},
"engines": {
"node": ">=0.10.0"
}
},
"node_modules/github-linguist/node_modules/commander": { "node_modules/github-linguist/node_modules/commander": {
"version": "2.20.3", "version": "2.20.3",
"integrity": "sha512-GpVkmM8vF2vQUkj2LvZmD35JxeJOLCwJ9cUkugyk2nuhbv3+mJvpLYYt+0+USMxE+oj+ey/lJEnhZw75x/OMcQ==" "integrity": "sha512-GpVkmM8vF2vQUkj2LvZmD35JxeJOLCwJ9cUkugyk2nuhbv3+mJvpLYYt+0+USMxE+oj+ey/lJEnhZw75x/OMcQ=="

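--- a/node_modules/array-uniq/index.js
+++ b/node_modules/array-uniq/index.js
@@ -0,0 +1,62 @@
+'use strict';
+// there's 3 implementations written in increasing order of efficiency
+// 1 - no Set type is defined
+function uniqNoSet(arr) {
+var ret = [];
+for (var i = 0; i < arr.length; i++) {
+if (ret.indexOf(arr[i]) === -1) {
+ret.push(arr[i]);
+}
+}
+return ret;
+}
+// 2 - a simple Set type is defined
+function uniqSet(arr) {
+var seen = new Set();
+return arr.filter(function (el) {
+if (!seen.has(el)) {
+seen.add(el);
+return true;
+}
+return false;
+});
+}
+// 3 - a standard Set type is defined and it has a forEach method
+function uniqSetWithForEach(arr) {
+var ret = [];
+(new Set(arr)).forEach(function (el) {
+ret.push(el);
+});
+return ret;
+}
+// V8 currently has a broken implementation
+// https://github.com/joyent/node/issues/8449
+function doesForEachActuallyWork() {
+var ret = false;
+(new Set([true])).forEach(function (el) {
+ret = el;
+});
+return ret === true;
+}
+if ('Set' in global) {
+if (typeof Set.prototype.forEach === 'function' && doesForEachActuallyWork()) {
+module.exports = uniqSetWithForEach;
+} else {
+module.exports = uniqSet;
+}
+} else {
+module.exports = uniqNoSet;
+}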

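--- a/node_modules/array-uniq/license
+++ b/node_modules/array-uniq/license
@@ -0,0 +1,21 @@
+The MIT License (MIT)
+Copyright (c) Sindre Sorhus <sindresorhus@gmail.com> (sindresorhus.com)
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.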

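--- a/node_modules/array-uniq/package.json
+++ b/node_modules/array-uniq/package.json
@@ -0,0 +1,37 @@
+{
+"name": "array-uniq",
+"version": "1.0.3",
+"description": "Create an array without duplicates",
+"license": "MIT",
+"repository": "sindresorhus/array-uniq",
+"author": {
+"name": "Sindre Sorhus",
+"email": "sindresorhus@gmail.com",
+"url": "sindresorhus.com"
+},
+"engines": {
+"node": ">=0.10.0"
+},
+"scripts": {
+"test": "xo && ava"
+},
+"files": [
+"index.js"
+],
+"keywords": [
+"array",
+"arr",
+"set",
+"uniq",
+"unique",
+"es6",
+"duplicate",
+"remove"
+],
+"devDependencies": {
+"ava": "*",
+"es6-set": "^0.1.0",
+"require-uncached": "^1.0.2",
+"xo": "*"
+}
+}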

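--- a/node_modules/array-uniq/readme.md
+++ b/node_modules/array-uniq/readme.md
@@ -0,0 +1,30 @@
+# array-uniq [![Build Status](https://travis-ci.org/sindresorhus/array-uniq.svg?branch=master)](https://travis-ci.org/sindresorhus/array-uniq)
+> Create an array without duplicates
+It's already pretty fast, but will be much faster when [Set](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Set) becomes available in V8 (especially with large arrays).
+## Install
+```
+$ npm install --save array-uniq
+```
+## Usage
+```js
+const arrayUniq = require('array-uniq');
+arrayUniq([1, 1, 2, 3, 3]);
+//=> [1, 2, 3]
+arrayUniq(['foo', 'foo', 'bar', 'foo']);
+//=> ['foo', 'bar']
+```
+## License
+MIT © [Sindre Sorhus](https://sindresorhus.com)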


@ -0,0 +1,6 @@
'use strict';
var arrayUniq = require('array-uniq');
module.exports = function () {
return arrayUniq([].concat.apply([], arguments));
};


@ -0,0 +1,21 @@
The MIT License (MIT)
Copyright (c) Sindre Sorhus <sindresorhus@gmail.com> (sindresorhus.com)
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in
all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
THE SOFTWARE.


@ -0,0 +1,40 @@
{
"name": "array-union",
"version": "1.0.2",
"description": "Create an array of unique values, in order, from the input arrays",
"license": "MIT",
"repository": "sindresorhus/array-union",
"author": {
"name": "Sindre Sorhus",
"email": "sindresorhus@gmail.com",
"url": "sindresorhus.com"
},
"engines": {
"node": ">=0.10.0"
},
"scripts": {
"test": "xo && ava"
},
"files": [
"index.js"
],
"keywords": [
"array",
"arr",
"set",
"uniq",
"unique",
"duplicate",
"remove",
"union",
"combine",
"merge"
],
"dependencies": {
"array-uniq": "^1.0.1"
},
"devDependencies": {
"ava": "*",
"xo": "*"
}
}


@ -0,0 +1,28 @@
# array-union [![Build Status](https://travis-ci.org/sindresorhus/array-union.svg?branch=master)](https://travis-ci.org/sindresorhus/array-union)
> Create an array of unique values, in order, from the input arrays
## Install
```
$ npm install --save array-union
```
## Usage
```js
const arrayUnion = require('array-union');
arrayUnion([1, 1, 2, 3], [2, 3]);
//=> [1, 2, 3]
arrayUnion(['foo', 'foo', 'bar'], ['foo']);
//=> ['foo', 'bar']
```
## License
MIT © [Sindre Sorhus](https://sindresorhus.com)

package-lock.json generated

@ -1,12 +1,12 @@
{ {
"name": "codeql", "name": "codeql",
"version": "2.1.6", "version": "2.1.9",
"lockfileVersion": 2, "lockfileVersion": 2,
"requires": true, "requires": true,
"packages": { "packages": {
"": { "": {
"name": "codeql", "name": "codeql",
"version": "2.1.6", "version": "2.1.9",
"license": "MIT", "license": "MIT",
"dependencies": { "dependencies": {
"@actions/artifact": "^1.0.0", "@actions/artifact": "^1.0.0",
@ -946,6 +946,14 @@
"node": ">=8" "node": ">=8"
} }
}, },
"node_modules/array-uniq": {
"version": "1.0.3",
"resolved": "https://registry.npmjs.org/array-uniq/-/array-uniq-1.0.3.tgz",
"integrity": "sha1-r2rId6Jcx/dOBYiUdThY39sk/bY=",
"engines": {
"node": ">=0.10.0"
}
},
"node_modules/array.prototype.flat": { "node_modules/array.prototype.flat": {
"version": "1.2.4", "version": "1.2.4",
"resolved": "https://registry.npmjs.org/array.prototype.flat/-/array.prototype.flat-1.2.4.tgz", "resolved": "https://registry.npmjs.org/array.prototype.flat/-/array.prototype.flat-1.2.4.tgz",
@ -2841,6 +2849,17 @@
"loc": "dist/cli.js" "loc": "dist/cli.js"
} }
}, },
"node_modules/github-linguist/node_modules/array-union": {
"version": "1.0.2",
"resolved": "https://registry.npmjs.org/array-union/-/array-union-1.0.2.tgz",
"integrity": "sha1-mjRBDk9OPaI96jdb5b5w8kd47Dk=",
"dependencies": {
"array-uniq": "^1.0.1"
},
"engines": {
"node": ">=0.10.0"
}
},
"node_modules/github-linguist/node_modules/commander": { "node_modules/github-linguist/node_modules/commander": {
"version": "2.20.3", "version": "2.20.3",
"integrity": "sha512-GpVkmM8vF2vQUkj2LvZmD35JxeJOLCwJ9cUkugyk2nuhbv3+mJvpLYYt+0+USMxE+oj+ey/lJEnhZw75x/OMcQ==" "integrity": "sha512-GpVkmM8vF2vQUkj2LvZmD35JxeJOLCwJ9cUkugyk2nuhbv3+mJvpLYYt+0+USMxE+oj+ey/lJEnhZw75x/OMcQ=="
@ -6057,6 +6076,11 @@
"version": "2.1.0", "version": "2.1.0",
"integrity": "sha512-HGyxoOTYUyCM6stUe6EJgnd4EoewAI7zMdfqO+kGjnlZmBDz/cR5pf8r/cR4Wq60sL/p0IkcjUEEPwS3GFrIyw==" "integrity": "sha512-HGyxoOTYUyCM6stUe6EJgnd4EoewAI7zMdfqO+kGjnlZmBDz/cR5pf8r/cR4Wq60sL/p0IkcjUEEPwS3GFrIyw=="
}, },
"array-uniq": {
"version": "1.0.3",
"resolved": "https://registry.npmjs.org/array-uniq/-/array-uniq-1.0.3.tgz",
"integrity": "sha1-r2rId6Jcx/dOBYiUdThY39sk/bY="
},
"array.prototype.flat": { "array.prototype.flat": {
"version": "1.2.4", "version": "1.2.4",
"resolved": "https://registry.npmjs.org/array.prototype.flat/-/array.prototype.flat-1.2.4.tgz", "resolved": "https://registry.npmjs.org/array.prototype.flat/-/array.prototype.flat-1.2.4.tgz",
@ -7422,6 +7446,14 @@
"slash2": "^2.0.0" "slash2": "^2.0.0"
}, },
"dependencies": { "dependencies": {
"array-union": {
"version": "1.0.2",
"resolved": "https://registry.npmjs.org/array-union/-/array-union-1.0.2.tgz",
"integrity": "sha1-mjRBDk9OPaI96jdb5b5w8kd47Dk=",
"requires": {
"array-uniq": "^1.0.1"
}
},
"commander": { "commander": {
"version": "2.20.3", "version": "2.20.3",
"integrity": "sha512-GpVkmM8vF2vQUkj2LvZmD35JxeJOLCwJ9cUkugyk2nuhbv3+mJvpLYYt+0+USMxE+oj+ey/lJEnhZw75x/OMcQ==" "integrity": "sha512-GpVkmM8vF2vQUkj2LvZmD35JxeJOLCwJ9cUkugyk2nuhbv3+mJvpLYYt+0+USMxE+oj+ey/lJEnhZw75x/OMcQ=="


@ -1,6 +1,6 @@
{ {
"name": "codeql", "name": "codeql",
"version": "2.1.6", "version": "2.1.9",
"private": true, "private": true,
"description": "CodeQL action", "description": "CodeQL action",
"scripts": { "scripts": {


@ -13,7 +13,7 @@ steps:
run: ./build.sh run: ./build.sh
- uses: ./../action/analyze - uses: ./../action/analyze
id: analysis id: analysis
- uses: actions/download-artifact@v2 - uses: actions/download-artifact@v3
with: with:
name: my-debug-artifacts-${{ matrix.os }}-${{ matrix.version }} name: my-debug-artifacts-${{ matrix.os }}-${{ matrix.version }}
- shell: bash - shell: bash


@ -1,7 +1,7 @@
name: "Go: Custom queries" name: "Go: Custom queries"
description: "Checks that Go works in conjunction with a config file specifying custom queries" description: "Checks that Go works in conjunction with a config file specifying custom queries"
steps: steps:
- uses: actions/setup-go@v2 - uses: actions/setup-go@v3
with: with:
go-version: "^1.13.1" go-version: "^1.13.1"
- uses: ./../action/init - uses: ./../action/init


@ -4,7 +4,7 @@ os: ["ubuntu-latest", "macos-latest"]
env: env:
CODEQL_EXTRACTOR_GO_BUILD_TRACING: "true" CODEQL_EXTRACTOR_GO_BUILD_TRACING: "true"
steps: steps:
- uses: actions/setup-go@v2 - uses: actions/setup-go@v3
with: with:
go-version: "^1.13.1" go-version: "^1.13.1"
- uses: ./../action/init - uses: ./../action/init


@ -3,7 +3,7 @@ description: "Checks that Go tracing works"
env: env:
CODEQL_EXTRACTOR_GO_BUILD_TRACING: "true" CODEQL_EXTRACTOR_GO_BUILD_TRACING: "true"
steps: steps:
- uses: actions/setup-go@v2 - uses: actions/setup-go@v3
with: with:
go-version: "^1.13.1" go-version: "^1.13.1"
- uses: ./../action/init - uses: ./../action/init


@ -0,0 +1,67 @@
name: "ML-powered queries"
description: "Tests that ML-powered queries are run with the security-extended suite and that they produce alerts on a test DB"
versions: [
# Latest release in 2.7.x series
"stable-20220120",
"cached",
"latest",
"nightly-latest",
]
# Test on all three platforms since ML-powered queries use native code
os: ["ubuntu-latest", "macos-latest", "windows-latest"]
steps:
- uses: ./../action/init
with:
languages: javascript
queries: security-extended
source-root: ./../action/tests/ml-powered-queries-repo
tools: ${{ steps.prepare-test.outputs.tools-url }}
- uses: ./../action/analyze
with:
output: "${{ runner.temp }}/results"
upload-database: false
env:
TEST_MODE: true
- name: Upload SARIF
uses: actions/upload-artifact@v3
with:
name: ml-powered-queries-${{ matrix.os }}-${{ matrix.version }}.sarif.json
path: "${{ runner.temp }}/results/javascript.sarif"
retention-days: 7
- name: Check results
env:
IS_WINDOWS: ${{ matrix.os == 'windows-latest' }}
shell: bash
run: |
cd "$RUNNER_TEMP/results"
# We should run at least the ML-powered queries in `expected_rules`.
expected_rules="js/ml-powered/nosql-injection js/ml-powered/path-injection js/ml-powered/sql-injection js/ml-powered/xss"
for rule in ${expected_rules}; do
found_rule=$(jq --arg rule "${rule}" '[.runs[0].tool.extensions[].rules | select(. != null) |
flatten | .[].id] | any(. == $rule)' javascript.sarif)
echo "Did find rule '${rule}': ${found_rule}"
if [[ "${found_rule}" != "true" && "${IS_WINDOWS}" != "true" ]]; then
echo "Expected SARIF output to contain rule '${rule}', but found no such rule."
exit 1
elif [[ "${found_rule}" == "true" && "${IS_WINDOWS}" == "true" ]]; then
echo "Found rule '${rule}' in the SARIF output which shouldn't have been part of the analysis."
exit 1
fi
done
# We should have at least one alert from an ML-powered query.
num_alerts=$(jq '[.runs[0].results[] |
select(.properties.score != null and (.rule.id | startswith("js/ml-powered/")))] | length' \
javascript.sarif)
echo "Found ${num_alerts} alerts from ML-powered queries.";
if [[ "${num_alerts}" -eq 0 && "${IS_WINDOWS}" != "true" ]]; then
echo "Expected to find at least one alert from an ML-powered query but found ${num_alerts}."
exit 1
elif [[ "${num_alerts}" -ne 0 && "${IS_WINDOWS}" == "true" ]]; then
echo "Expected not to find any alerts from an ML-powered query but found ${num_alerts}."
exit 1
fi
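Review bot: The comment above the rule loop, `# We should run at least the ML-powered queries in \`expected_rules\`.`, describes only the non-Windows branch; on Windows the same loop treats finding any of those rules as a failure, and a reader has to reverse-engineer that from the `IS_WINDOWS` conditions. Suggest extending it to `# On Windows ML-powered queries are not injected, so the same rules must be absent from the SARIF there.` and adding the matching sentence before the alert-count check. The reason Windows is excluded is not stated anywhere in this file — the header comment only says the check runs on all three platforms because the queries use native code — so whichever reason applies belongs in one of these comments rather than being inferred from the branches.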


@ -0,0 +1,30 @@
name: "Autobuild working directory"
description: "Tests working-directory input of autobuild action"
versions: ["latest"]
os: ["ubuntu-latest"]
steps:
- name: Test setup
shell: bash
run: |
# Make sure that Gradle build succeeds in autobuild-dir ...
cp -a ../action/tests/java-repo autobuild-dir
# ... and fails if attempted in the current directory
echo > build.gradle
- uses: ./../action/init
with:
languages: java
tools: ${{ steps.prepare-test.outputs.tools-url }}
- uses: ./../action/autobuild
with:
working-directory: autobuild-dir
- uses: ./../action/analyze
env:
TEST_MODE: true
- name: Check database
shell: bash
run: |
cd "$RUNNER_TEMP/codeql_databases"
if [[ ! -d java ]]; then
echo "Did not find a Java database"
exit 1
fi


@ -7,7 +7,7 @@ os: [ubuntu-latest, macos-latest, windows-2019]
steps: steps:
# Check out the actions repo again, but at a different location. # Check out the actions repo again, but at a different location.
# choose an arbitrary SHA so that we can later test that the commit_oid is not from main # choose an arbitrary SHA so that we can later test that the commit_oid is not from main
- uses: actions/checkout@v2 - uses: actions/checkout@v3
with: with:
ref: 474bbf07f9247ffe1856c6a0f94aeeb10e7afee6 ref: 474bbf07f9247ffe1856c6a0f94aeeb10e7afee6
path: x/y/z/some-path path: x/y/z/some-path


@ -49,7 +49,7 @@ for file in os.listdir('checks'):
steps = [ steps = [
{ {
'name': 'Check out repository', 'name': 'Check out repository',
'uses': 'actions/checkout@v2' 'uses': 'actions/checkout@v3'
}, },
{ {
'name': 'Prepare test', 'name': 'Prepare test',
@ -108,7 +108,7 @@ for file in os.listdir('checks'):
}, },
'on': { 'on': {
'push': { 'push': {
'branches': ['main', 'v1'] 'branches': ['main', 'v1', 'v2']
}, },
'pull_request': { 'pull_request': {
'types': ["opened", "synchronize", "reopened", "ready_for_review"] 'types': ["opened", "synchronize", "reopened", "ready_for_review"]


@ -424,7 +424,7 @@ async function getWorkflowPath(): Promise<string> {
const apiClient = api.getActionsApiClient(); const apiClient = api.getActionsApiClient();
const runsResponse = await apiClient.request( const runsResponse = await apiClient.request(
"GET /repos/:owner/:repo/actions/runs/:run_id", "GET /repos/:owner/:repo/actions/runs/:run_id?exclude_pull_requests=true",
{ {
owner, owner,
repo, repo,
@ -544,7 +544,7 @@ export async function getRef(): Promise<string> {
const head = await getCommitOid(checkoutPath, "HEAD"); const head = await getCommitOid(checkoutPath, "HEAD");
// in actions/checkout@v2 we can check if git rev-parse HEAD == GITHUB_SHA // in actions/checkout@v2+ we can check if git rev-parse HEAD == GITHUB_SHA
// in actions/checkout@v1 this may not be true as it checks out the repository // in actions/checkout@v1 this may not be true as it checks out the repository
// using GITHUB_REF. There is a subtle race condition where // using GITHUB_REF. There is a subtle race condition where
// git rev-parse GITHUB_REF != GITHUB_SHA, so we must check // git rev-parse GITHUB_REF != GITHUB_SHA, so we must check
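Review bot: `?exclude_pull_requests=true` is embedded in the route template string rather than passed as a request parameter; octokit's `request` sends GET parameters that are not route placeholders as query parameters, so `exclude_pull_requests: true` next to `owner`, `repo` and `run_id` in the options object keeps the route a plain template and lets octokit do the encoding. As written it works, but the next query parameter has to be spliced in with `&` by hand. The purpose of the flag is also worth a one-line comment, e.g. `// exclude_pull_requests trims the run payload; only the workflow path is needed from it` if that is indeed all this function reads — getWorkflowPath continues outside the hunk, so I cannot confirm it here.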


@ -6,7 +6,6 @@ import * as yaml from "js-yaml";
import * as analysisPaths from "./analysis-paths"; import * as analysisPaths from "./analysis-paths";
import { import {
CODEQL_VERSION_CONFIG_FILES,
CODEQL_VERSION_COUNTS_LINES, CODEQL_VERSION_COUNTS_LINES,
CODEQL_VERSION_NEW_TRACING, CODEQL_VERSION_NEW_TRACING,
getCodeQL, getCodeQL,
@ -238,10 +237,7 @@ export async function runQueries(
const codeql = await getCodeQL(config.codeQLCmd); const codeql = await getCodeQL(config.codeQLCmd);
try { try {
if ( if (hasPackWithCustomQueries) {
hasPackWithCustomQueries &&
!(await util.codeQlVersionAbove(codeql, CODEQL_VERSION_CONFIG_FILES))
) {
logger.info("Performing analysis with custom CodeQL Packs."); logger.info("Performing analysis with custom CodeQL Packs.");
logger.startGroup(`Downloading custom packs for ${language}`); logger.startGroup(`Downloading custom packs for ${language}`);


@ -3,6 +3,7 @@ import * as core from "@actions/core";
import { import {
createStatusReportBase, createStatusReportBase,
getActionsStatus, getActionsStatus,
getOptionalInput,
getTemporaryDirectory, getTemporaryDirectory,
sendStatusReport, sendStatusReport,
StatusReportBase, StatusReportBase,
@ -71,6 +72,13 @@ async function run() {
} }
language = determineAutobuildLanguage(config, logger); language = determineAutobuildLanguage(config, logger);
if (language !== undefined) { if (language !== undefined) {
const workingDirectory = getOptionalInput("working-directory");
if (workingDirectory) {
logger.info(
`Changing autobuilder working directory to ${workingDirectory}`
);
process.chdir(workingDirectory);
}
await runAutobuild(language, config, logger); await runAutobuild(language, config, logger);
} }
} catch (error) { } catch (error) {
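Review bot: `process.chdir(workingDirectory)` is applied to the input value with no check that the path exists or is a directory, so a typo in `working-directory` surfaces as a raw ENOENT from chdir inside the generic `catch (error)` below rather than as a message naming the input. The path is also resolved against the process cwd at this point, which the log line does not show. Suggest logging the resolved path and failing explicitly, e.g. `const resolved = path.resolve(workingDirectory);` followed by `if (!fs.existsSync(resolved)) throw new Error(\`working-directory '${workingDirectory}' does not exist\`);` — assuming `fs` and `path` are imported in this file, which is not visible in the hunk. The enclosing `run` function starts and ends outside the hunk.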


@ -4,7 +4,6 @@ import * as path from "path";
import * as toolrunner from "@actions/exec/lib/toolrunner"; import * as toolrunner from "@actions/exec/lib/toolrunner";
import { IHeaders } from "@actions/http-client/interfaces"; import { IHeaders } from "@actions/http-client/interfaces";
import { default as deepEqual } from "fast-deep-equal"; import { default as deepEqual } from "fast-deep-equal";
import * as yaml from "js-yaml";
import { default as queryString } from "query-string"; import { default as queryString } from "query-string";
import * as semver from "semver"; import * as semver from "semver";
@ -18,7 +17,7 @@ import { Logger } from "./logging";
import * as toolcache from "./toolcache"; import * as toolcache from "./toolcache";
import { toolrunnerErrorCatcher } from "./toolrunner-error-catcher"; import { toolrunnerErrorCatcher } from "./toolrunner-error-catcher";
import * as util from "./util"; import * as util from "./util";
import { isGoodVersion, ML_POWERED_JS_QUERIES_PACK } from "./util"; import { isGoodVersion } from "./util";
type Options = Array<string | number | boolean>; type Options = Array<string | number | boolean>;
@ -220,7 +219,6 @@ const CODEQL_VERSION_GROUP_RULES = "2.5.5";
const CODEQL_VERSION_SARIF_GROUP = "2.5.3"; const CODEQL_VERSION_SARIF_GROUP = "2.5.3";
export const CODEQL_VERSION_COUNTS_LINES = "2.6.2"; export const CODEQL_VERSION_COUNTS_LINES = "2.6.2";
const CODEQL_VERSION_CUSTOM_QUERY_HELP = "2.7.1"; const CODEQL_VERSION_CUSTOM_QUERY_HELP = "2.7.1";
export const CODEQL_VERSION_CONFIG_FILES = "2.8.2"; // Versions before 2.8.2 weren't tolerant to unknown properties
export const CODEQL_VERSION_ML_POWERED_QUERIES = "2.7.5"; export const CODEQL_VERSION_ML_POWERED_QUERIES = "2.7.5";
/** /**
@ -735,27 +733,6 @@ async function getCodeQLForCmd(
extraArgs.push(`--trace-process-level=${processLevel || 3}`); extraArgs.push(`--trace-process-level=${processLevel || 3}`);
} }
} }
if (await util.codeQlVersionAbove(codeql, CODEQL_VERSION_CONFIG_FILES)) {
const configLocation = path.resolve(config.tempDir, "user-config.yaml");
const augmentedConfig = config.originalUserInput;
if (config.injectedMlQueries) {
// We need to inject the ML queries into the original user input before
// we pass this on to the CLI, to make sure these get run.
let packString = ML_POWERED_JS_QUERIES_PACK.packName;
if (ML_POWERED_JS_QUERIES_PACK.version)
packString = `${packString}@${ML_POWERED_JS_QUERIES_PACK.version}`;
if (augmentedConfig.packs === undefined) augmentedConfig.packs = [];
if (Array.isArray(augmentedConfig.packs)) {
augmentedConfig.packs.push(packString);
} else {
if (!augmentedConfig.packs.javascript)
augmentedConfig.packs["javascript"] = [];
augmentedConfig.packs["javascript"].push(packString);
}
}
fs.writeFileSync(configLocation, yaml.dump(augmentedConfig));
extraArgs.push(`--codescanning-config=${configLocation}`);
}
await runTool(cmd, [ await runTool(cmd, [
"database", "database",
"init", "init",
@ -913,9 +890,7 @@ async function getCodeQLForCmd(
if (extraSearchPath !== undefined) { if (extraSearchPath !== undefined) {
codeqlArgs.push("--additional-packs", extraSearchPath); codeqlArgs.push("--additional-packs", extraSearchPath);
} }
if (!(await util.codeQlVersionAbove(this, CODEQL_VERSION_CONFIG_FILES))) { codeqlArgs.push(querySuitePath);
codeqlArgs.push(querySuitePath);
}
await runTool(cmd, codeqlArgs); await runTool(cmd, codeqlArgs);
}, },
async databaseInterpretResults( async databaseInterpretResults(
@ -951,9 +926,7 @@ async function getCodeQLForCmd(
codeqlArgs.push("--sarif-category", automationDetailsId); codeqlArgs.push("--sarif-category", automationDetailsId);
} }
codeqlArgs.push(databasePath); codeqlArgs.push(databasePath);
if (!(await util.codeQlVersionAbove(this, CODEQL_VERSION_CONFIG_FILES))) { codeqlArgs.push(...querySuitePaths);
codeqlArgs.push(...querySuitePaths);
}
// capture stdout, which contains analysis summaries // capture stdout, which contains analysis summaries
return await runTool(cmd, codeqlArgs); return await runTool(cmd, codeqlArgs);
}, },


@ -1788,7 +1788,8 @@ const mlPoweredQueriesMacro = test.macro({
}`, }`,
}); });
// macro, isMlPoweredQueriesFlagEnabled, packsInput, queriesInput, versionString // macro, codeQLVersion, isMlPoweredQueriesFlagEnabled, packsInput, queriesInput, expectedVersionString
// Test that ML-powered queries aren't run on v2.7.4 of the CLI.
test( test(
mlPoweredQueriesMacro, mlPoweredQueriesMacro,
"2.7.4", "2.7.4",
@ -1797,6 +1798,7 @@ test(
"security-extended", "security-extended",
undefined undefined
); );
// Test that ML-powered queries aren't run when the feature flag is off.
test( test(
mlPoweredQueriesMacro, mlPoweredQueriesMacro,
"2.7.5", "2.7.5",
@ -1805,28 +1807,42 @@ test(
"security-extended", "security-extended",
undefined undefined
); );
// Test that ML-powered queries aren't run when the user hasn't specified that we should run the
// `security-extended` or `security-and-quality` query suite.
test(mlPoweredQueriesMacro, "2.7.5", true, undefined, undefined, undefined); test(mlPoweredQueriesMacro, "2.7.5", true, undefined, undefined, undefined);
// Test that ML-powered queries are run on non-Windows platforms running `security-extended`.
test( test(
mlPoweredQueriesMacro, mlPoweredQueriesMacro,
"2.7.5", "2.7.5",
true, true,
undefined, undefined,
"security-extended", "security-extended",
"~0.1.0" process.platform === "win32" ? undefined : "~0.1.0"
); );
// Test that ML-powered queries are run on non-Windows platforms running `security-and-quality`.
test( test(
mlPoweredQueriesMacro, mlPoweredQueriesMacro,
"2.7.5", "2.7.5",
true, true,
undefined, undefined,
"security-and-quality", "security-and-quality",
"~0.1.0" process.platform === "win32" ? undefined : "~0.1.0"
); );
// Test that we don't inject an ML-powered query pack if the user has already specified one.
test( test(
mlPoweredQueriesMacro, mlPoweredQueriesMacro,
"2.7.5", "2.7.5",
true, true,
"codeql/javascript-experimental-atm-queries@0.0.1", "codeql/javascript-experimental-atm-queries@0.0.1",
"security-and-quality", "security-and-quality",
"0.0.1" process.platform === "win32" ? undefined : "0.0.1"
);
// Test that the ~0.2.0 version of ML-powered queries is run on v2.8.4 of the CLI.
test(
mlPoweredQueriesMacro,
"2.8.4",
true,
undefined,
"security-extended",
process.platform === "win32" ? undefined : "~0.2.0"
); );
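Review bot: The expected version strings in the five positive cases are computed from `process.platform` at test time, so on a Windows runner these tests assert the same `undefined` as the negative cases and the injection path is never positively exercised there, while on other platforms the Windows branch is never exercised at all. If the macro can take the platform as an input, or stub `process.platform` for the duration of the test, an explicit case per platform would pin both behaviours regardless of where the suite runs. At minimum a comment above the first conditional expectation should say why it is conditional, e.g. `// Mirrors the process.platform !== "win32" guard in config-utils: no pack is injected on Windows.`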


@ -17,8 +17,9 @@ import { Logger } from "./logging";
import { RepositoryNwo } from "./repository"; import { RepositoryNwo } from "./repository";
import { import {
codeQlVersionAbove, codeQlVersionAbove,
getMlPoweredJsQueriesPack,
GitHubVersion, GitHubVersion,
ML_POWERED_JS_QUERIES_PACK, ML_POWERED_JS_QUERIES_PACK_NAME,
} from "./util"; } from "./util";
// Property names from the user-supplied config file. // Property names from the user-supplied config file.
@ -299,10 +300,12 @@ async function addBuiltinSuiteQueries(
// opted into the ML-powered queries beta, and a user hasn't already added the ML-powered query // opted into the ML-powered queries beta, and a user hasn't already added the ML-powered query
// pack, then add the ML-powered query pack so that we run ML-powered queries. // pack, then add the ML-powered query pack so that we run ML-powered queries.
if ( if (
// Disable ML-powered queries on Windows
process.platform !== "win32" &&
languages.includes("javascript") && languages.includes("javascript") &&
(found === "security-extended" || found === "security-and-quality") && (found === "security-extended" || found === "security-and-quality") &&
!packs.javascript?.some( !packs.javascript?.some(
(pack) => pack.packName === ML_POWERED_JS_QUERIES_PACK.packName (pack) => pack.packName === ML_POWERED_JS_QUERIES_PACK_NAME
) && ) &&
(await featureFlags.getValue(FeatureFlag.MlPoweredQueriesEnabled)) && (await featureFlags.getValue(FeatureFlag.MlPoweredQueriesEnabled)) &&
(await codeQlVersionAbove(codeQL, CODEQL_VERSION_ML_POWERED_QUERIES)) (await codeQlVersionAbove(codeQL, CODEQL_VERSION_ML_POWERED_QUERIES))
@ -310,7 +313,7 @@ async function addBuiltinSuiteQueries(
if (!packs.javascript) { if (!packs.javascript) {
packs.javascript = []; packs.javascript = [];
} }
packs.javascript.push(ML_POWERED_JS_QUERIES_PACK); packs.javascript.push(await getMlPoweredJsQueriesPack(codeQL));
injectedMlQueries = true; injectedMlQueries = true;
} }
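Review bot: The new `process.platform !== "win32"` guard is commented with what it does but not why, so a maintainer cannot tell when it becomes safe to remove; replace the comment with one that records the reason, e.g. `// ML-powered queries are not yet supported on Windows runners; drop this guard once the pack runs there.` (the actual cause is not visible in the hunk, so adjust the wording to match). The test expectations in the test file are switched on the same `process.platform` check, which means a regression in this guard would move the expectation along with it; a test that stubs the platform would pin the behaviour independently. The enclosing `addBuiltinSuiteQueries` starts and ends outside the hunk, and the feature-flag and CLI-version checks below the guard are unchanged.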


@ -1,3 +1,3 @@
{ {
"bundleVersion": "codeql-bundle-20220322" "bundleVersion": "codeql-bundle-20220401"
} }


@ -294,32 +294,43 @@ async function mockStdInForAuthExpectError(
} }
const ML_POWERED_JS_STATUS_TESTS: Array<[PackWithVersion[], string]> = [ const ML_POWERED_JS_STATUS_TESTS: Array<[PackWithVersion[], string]> = [
// If no packs are loaded, status is false.
[[], "false"], [[], "false"],
// If another pack is loaded but not the ML-powered query pack, status is false.
[[{ packName: "someOtherPack" }], "false"], [[{ packName: "someOtherPack" }], "false"],
// If the ML-powered query pack is loaded with a specific version, status is that version.
[ [
[{ packName: "someOtherPack" }, util.ML_POWERED_JS_QUERIES_PACK], [{ packName: util.ML_POWERED_JS_QUERIES_PACK_NAME, version: "~0.1.0" }],
util.ML_POWERED_JS_QUERIES_PACK.version!, "~0.1.0",
],
[[util.ML_POWERED_JS_QUERIES_PACK], util.ML_POWERED_JS_QUERIES_PACK.version!],
[[{ packName: util.ML_POWERED_JS_QUERIES_PACK.packName }], "other"],
[
[{ packName: util.ML_POWERED_JS_QUERIES_PACK.packName, version: "~0.0.1" }],
"other",
],
[
[
{ packName: util.ML_POWERED_JS_QUERIES_PACK.packName, version: "0.0.1" },
{ packName: util.ML_POWERED_JS_QUERIES_PACK.packName, version: "0.0.2" },
],
"other",
], ],
// If the ML-powered query pack is loaded with a specific version and another pack is loaded, the
// status is the version of the ML-powered query pack.
[ [
[ [
{ packName: "someOtherPack" }, { packName: "someOtherPack" },
{ packName: util.ML_POWERED_JS_QUERIES_PACK.packName }, { packName: util.ML_POWERED_JS_QUERIES_PACK_NAME, version: "~0.1.0" },
],
"~0.1.0",
],
// If the ML-powered query pack is loaded without a version, the status is "latest".
[[{ packName: util.ML_POWERED_JS_QUERIES_PACK_NAME }], "latest"],
// If the ML-powered query pack is loaded with two different versions, the status is "other".
[
[
{ packName: util.ML_POWERED_JS_QUERIES_PACK_NAME, version: "0.0.1" },
{ packName: util.ML_POWERED_JS_QUERIES_PACK_NAME, version: "0.0.2" },
], ],
"other", "other",
], ],
// If the ML-powered query pack is loaded with no specific version, and another pack is loaded,
// the status is "latest".
[
[
{ packName: "someOtherPack" },
{ packName: util.ML_POWERED_JS_QUERIES_PACK_NAME },
],
"latest",
],
]; ];
for (const [packs, expectedStatus] of ML_POWERED_JS_STATUS_TESTS) { for (const [packs, expectedStatus] of ML_POWERED_JS_STATUS_TESTS) {


@ -653,25 +653,30 @@ export function isGoodVersion(versionSpec: string) {
return !BROKEN_VERSIONS.includes(versionSpec); return !BROKEN_VERSIONS.includes(versionSpec);
} }
export const ML_POWERED_JS_QUERIES_PACK_NAME =
"codeql/javascript-experimental-atm-queries";
/** /**
* The ML-powered JS query pack to add to the analysis if a repo is opted into the ML-powered * Gets the ML-powered JS query pack to add to the analysis if a repo is opted into the ML-powered
* queries beta. * queries beta.
*/ */
export const ML_POWERED_JS_QUERIES_PACK: PackWithVersion = { export async function getMlPoweredJsQueriesPack(
packName: "codeql/javascript-experimental-atm-queries", codeQL: CodeQL
version: "~0.1.0", ): Promise<PackWithVersion> {
}; if (await codeQlVersionAbove(codeQL, "2.8.4")) {
return { packName: ML_POWERED_JS_QUERIES_PACK_NAME, version: "~0.2.0" };
}
return { packName: ML_POWERED_JS_QUERIES_PACK_NAME, version: "~0.1.0" };
}
/** /**
* Get information about ML-powered JS queries to populate status reports with. * Get information about ML-powered JS queries to populate status reports with.
* *
* This will be: * This will be:
* *
* - The version string if the analysis is using the ML-powered query pack that will be added to the * - The version string if the analysis is using a single version of the ML-powered query pack.
* analysis if the repo is opted into the ML-powered queries beta, i.e. * - "latest" if the version string of the ML-powered query pack is undefined. This is unlikely to
* {@link ML_POWERED_JS_QUERIES_PACK.version}. If the version string * occur in practice (see comment below).
* {@link ML_POWERED_JS_QUERIES_PACK.version} is undefined, then the status report string will be
* "latest", however this shouldn't occur in practice (see comment below).
* - "false" if the analysis won't run any ML-powered JS queries. * - "false" if the analysis won't run any ML-powered JS queries.
* - "other" in all other cases. * - "other" in all other cases.
* *
@ -681,32 +686,25 @@ export const ML_POWERED_JS_QUERIES_PACK: PackWithVersion = {
* version of the CodeQL Action. For instance, we might want to compare the `~0.1.0` and `~0.0.2` * version of the CodeQL Action. For instance, we might want to compare the `~0.1.0` and `~0.0.2`
* version strings. * version strings.
* *
* We restrict the set of strings we report here by excluding other version strings and combinations
* of version strings. We do this to limit the cardinality of the ML-powered JS queries status
* report field, since some platforms that ingest this status report bill based on the cardinality
* of its fields.
*
* This function lives here rather than in `init-action.ts` so it's easier to test, since tests for * This function lives here rather than in `init-action.ts` so it's easier to test, since tests for
* `init-action.ts` would each need to live in their own file. See `analyze-action-env.ts` for an * `init-action.ts` would each need to live in their own file. See `analyze-action-env.ts` for an
* explanation as to why this is. * explanation as to why this is.
*/ */
export function getMlPoweredJsQueriesStatus(config: Config): string { export function getMlPoweredJsQueriesStatus(config: Config): string {
const mlPoweredJsQueryPacks = (config.packs.javascript || []).filter( const mlPoweredJsQueryPacks = (config.packs.javascript || []).filter(
(pack) => pack.packName === ML_POWERED_JS_QUERIES_PACK.packName (pack) => pack.packName === ML_POWERED_JS_QUERIES_PACK_NAME
); );
if (mlPoweredJsQueryPacks.length === 0) { switch (mlPoweredJsQueryPacks.length) {
return "false"; case 1:
// We should always specify an explicit version string in `getMlPoweredJsQueriesPack`,
// otherwise we won't be able to make changes to the pack unless those changes are compatible
// with each version of the CodeQL Action. Therefore in practice we should only hit the
// `latest` case here when customers have explicitly added the ML-powered query pack to their
// CodeQL config.
return mlPoweredJsQueryPacks[0].version || "latest";
case 0:
return "false";
default:
return "other";
} }
const firstVersionString = mlPoweredJsQueryPacks[0].version;
if (
mlPoweredJsQueryPacks.length === 1 &&
ML_POWERED_JS_QUERIES_PACK.version === firstVersionString
) {
// We should always specify an explicit version string in `ML_POWERED_JS_QUERIES_PACK`,
// otherwise we won't be able to make changes to the pack unless those changes are compatible
// with each version of the CodeQL Action. Therefore in practice, we should never hit the
// `latest` case here.
return ML_POWERED_JS_QUERIES_PACK.version || "latest";
}
return "other";
} }
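Review bot: `getMlPoweredJsQueriesStatus` now returns `mlPoweredJsQueryPacks[0].version` verbatim, so whatever version string a user writes for this pack in their CodeQL config lands in the status report, and the deleted paragraph about bounding the field's cardinality (because some ingesting platforms bill on it) no longer holds — the test change expecting `"0.0.1"` for a user-specified pack confirms this. If that constraint still applies, keep an allow-list: report the string only when it is one the Action itself injects (`~0.1.0`, `~0.2.0` from `getMlPoweredJsQueriesPack`) and return `"other"` otherwise, with `"latest"` kept for an undefined version. Separately, `getMlPoweredJsQueriesPack` hard-codes `"2.8.4"` inline; a named constant beside `ML_POWERED_JS_QUERIES_PACK_NAME` would keep the CLI version cut-offs in one place and make the `~0.2.0` test above self-explanatory. If verbatim reporting is intended, the doc comment should say explicitly that the reported version is user-controlled.
```typescript
/** Version strings the Action itself may inject; anything else is reported as "other". */
const KNOWN_ML_POWERED_JS_QUERIES_VERSIONS = new Set(["~0.1.0", "~0.2.0"]);

// … unchanged: getMlPoweredJsQueriesStatus signature and the pack filter …
  switch (mlPoweredJsQueryPacks.length) {
    case 1: {
      const version = mlPoweredJsQueryPacks[0].version;
      if (version === undefined) {
        return "latest";
      }
      return KNOWN_ML_POWERED_JS_QUERIES_VERSIONS.has(version) ? version : "other";
    }
    // … unchanged: case 0 and default …
  }
```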


@ -0,0 +1,12 @@
plugins {
id 'application'
}
repositories {
mavenCentral()
}
application {
mainClass = 'Main'
}


@ -0,0 +1,8 @@
class Main {
public static void main(String args[]) {
if (true) {
System.out.println("Hello, World!");
}
}
}


@ -0,0 +1,21 @@
const mongoose = require('mongoose');
Logger = require('./logger').Logger;
Note = require('./models/note').Note;
(async () => {
if (process.argv.length != 5) {
Logger.log("Creates a private note. Usage: node add-note.js <token> <title> <body>")
return;
}
// Open the default mongoose connection
await mongoose.connect('mongodb://localhost:27017/notes', { useFindAndModify: false });
const [userToken, title, body] = process.argv.slice(2);
await Note.create({ title, body, userToken });
Logger.log(`Created private note with title ${title} and body ${body} belonging to user with token ${userToken}.`);
await mongoose.connection.close();
})();
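Review bot: `Note.create({ title, body, userToken })` stores the token under `userToken`, but the `Note` schema in `models/note.js` only declares `ownerToken`, so Mongoose's default strict mode drops the field and the "private" note is created with no owner — it will never be returned by `/api/notes/find` or `read-notes.js`, both of which filter on `ownerToken`. Change it to `await Note.create({ title, body, ownerToken: userToken });`. `Logger.log(...)` is invoked as a static method while `logger.js` exports a class whose `log` is an instance method, so the usage message on the first branch throws a TypeError before anything else runs. `Logger` and `Note` are also assigned without `const`, creating implicit globals that fail in strict mode; if this fixture is meant to be executed and not only analysed, declare them with `const`.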


@ -0,0 +1,68 @@
const bodyParser = require('body-parser');
const express = require('express');
const mongoose = require('mongoose');
const notesApi = require('./notes-api');
const usersApi = require('./users-api');
const addSampleData = module.exports.addSampleData = async () => {
const [userA, userB] = await User.create([
{
name: "A",
token: "tokenA"
},
{
name: "B",
token: "tokenB"
}
]);
await Note.create([
{
title: "Public note belonging to A",
body: "This is a public note belonging to A",
isPublic: true,
ownerToken: userA.token
},
{
title: "Public note belonging to B",
body: "This is a public note belonging to B",
isPublic: true,
ownerToken: userB.token
},
{
title: "Private note belonging to A",
body: "This is a private note belonging to A",
ownerToken: userA.token
},
{
title: "Private note belonging to B",
body: "This is a private note belonging to B",
ownerToken: userB.token
}
]);
}
module.exports.startApp = async () => {
// Open the default mongoose connection
await mongoose.connect('mongodb://mongo:27017/notes', { useFindAndModify: false });
// Drop contents of DB
mongoose.connection.dropDatabase();
// Add some sample data
await addSampleData();
const app = express();
app.use(bodyParser.json());
app.use(bodyParser.urlencoded());
app.get('/', async (_req, res) => {
res.send('Hello World');
});
app.use('/api/notes', notesApi.router);
app.use('/api/users', usersApi.router);
app.listen(3000);
Logger.log('Express started on port 3000');
};
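Review bot: `mongoose.connection.dropDatabase()` in `startApp` is not awaited, so it races with the `addSampleData()` call that follows and can delete the sample users and notes right after they were inserted; make it `await mongoose.connection.dropDatabase();`. The module also reads `User`, `Note` and `Logger` as globals that `index.js` assigns before calling `startApp`, so `addSampleData` cannot be required or tested on its own; requiring the models in this file would remove that load-order dependency. `bodyParser.urlencoded()` with no `extended` option prints a deprecation warning on recent body-parser versions, which is worth silencing with `{ extended: false }` in a fixture.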


@ -0,0 +1,7 @@
const startApp = require('./app').startApp;
Logger = require('./logger').Logger;
Note = require('./models/note').Note;
User = require('./models/user').User;
startApp();
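Review bot: `startApp()` on the last line is a floating promise, so if `mongoose.connect` or `addSampleData` rejects (no MongoDB reachable at `mongo:27017`, for instance) the failure surfaces only as Node's unhandled-rejection warning; attach a handler, `startApp().catch((err) => { console.error(err); process.exit(1); });`. The three `require` results are assigned without `const`, deliberately or not creating the globals that `app.js`, `notes-api.js` and `users-api.js` depend on; this is an error in strict mode and couples every module to this entry point's load order, so if the fixture is meant to run, `require` the models where they are used instead.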


@ -0,0 +1,5 @@
module.exports.Logger = class {
log(message, ...objs) {
console.log(message, objs);
}
};
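Review bot: `log` is declared as an instance method, yet every caller in this commit invokes it on the class itself (`Logger.log(...)` in `add-note.js`, `app.js`, `read-notes.js` and `users-api.js`), which throws a TypeError because the class has no static `log`; declare it `static log(message, ...objs)` or export `new (class { ... })()`. `console.log(message, objs)` also prints the rest parameter as an array, so a call with no extra arguments ends with a trailing `[]`; spread it with `console.log(message, ...objs)`. Because `users-api.js` routes `req.body.name` through this method, the logger is a sink for unvalidated request data — if that is the finding this sample app is meant to exercise, a one-line comment here saying so would stop someone from "fixing" it later.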


@ -0,0 +1,8 @@
const mongoose = require('mongoose');
module.exports.Note = mongoose.model('Note', new mongoose.Schema({
title: String,
body: String,
ownerToken: String,
isPublic: Boolean
}));


@ -0,0 +1,6 @@
const mongoose = require('mongoose');
module.exports.User = mongoose.model('User', new mongoose.Schema({
name: String,
token: String
}));


@ -0,0 +1,44 @@
const express = require('express')
const router = module.exports.router = express.Router();
function serializeNote(note) {
return {
title: note.title,
body: note.body
};
}
router.post('/find', async (req, res) => {
const notes = await Note.find({
ownerToken: req.body.token
}).exec();
res.json({
notes: notes.map(serializeNote)
});
});
router.get('/findPublic', async (_req, res) => {
const notes = await Note.find({
isPublic: true
}).exec();
res.json({
notes: notes.map(serializeNote)
});
});
router.post('/findVisible', async (req, res) => {
const notes = await Note.find({
$or: [
{
isPublic: true
},
{
ownerToken: req.body.token
}
]
}).exec();
res.json({
notes: notes.map(serializeNote)
});
});
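Review bot: `req.body.token` is passed unchecked into `Note.find({ ownerToken: req.body.token })` in `/find` and into the `$or` branch of `/findVisible`; since `app.js` enables `bodyParser.json()`, a client can send `{"token": {"$ne": null}}` and the query matches every note regardless of owner, so the token acts as an authentication check that is bypassable by NoSQL query injection. If this sample app is intended to exhibit exactly that for the ML-powered query tests, a comment at the top of the file stating it would keep the vulnerability from being removed by a later cleanup; otherwise reject non-string tokens before building the query, `if (typeof req.body.token !== "string") return res.status(400).end();`. `Note` is also read as an implicit global populated by `index.js`, so this router cannot be loaded or tested independently.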


@ -0,0 +1,37 @@
const mongoose = require('mongoose');
Logger = require('./logger').Logger;
Note = require('./models/note').Note;
User = require('./models/user').User;
(async () => {
if (process.argv.length != 3) {
Logger.log("Outputs all notes visible to a user. Usage: node read-notes.js <token>")
return;
}
// Open the default mongoose connection
await mongoose.connect('mongodb://localhost:27017/notes', { useFindAndModify: false });
const ownerToken = process.argv[2];
const user = await User.findOne({
token: ownerToken
}).exec();
const notes = await Note.find({
$or: [
{ isPublic: true },
{ ownerToken }
]
}).exec();
notes.map(note => {
Logger.log("Title:" + note.title);
Logger.log("By:" + user.name);
Logger.log("Body:" + note.body);
Logger.log();
});
await mongoose.connection.close();
})();
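Review bot: `User.findOne({ token: ownerToken })` resolves to `null` when no user has that token, and the loop then dereferences `user.name` on the `By:` line, so an unknown token crashes the script with a TypeError after the public notes have already been fetched; guard it before the notes query, `if (!user) { Logger.log("No user with that token."); return; }`. `notes.map(...)` is used only for its side effects; `for (const note of notes)` or `forEach` states the intent. `Logger.log()` with no arguments prints `undefined []` given the logger's `console.log(message, objs)` body rather than a blank line, so pass `""`.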


@ -0,0 +1,25 @@
const express = require('express')
Logger = require('./logger').Logger;
const router = module.exports.router = express.Router();
router.post('/updateName', async (req, res) => {
Logger.log("/updateName called with new name", req.body.name);
await User.findOneAndUpdate({
token: req.body.token
}, {
name: req.body.name
}).exec();
res.json({
name: req.body.name
});
});
router.post('/getName', async (req, res) => {
const user = await User.findOne({
token: req.body.token
}).exec();
res.json({
name: user.name
});
});
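Review bot: `/getName` dereferences `user.name` without checking the result of `User.findOne`, so a request with an unknown or absent `token` throws a TypeError inside the async handler; on Express 4 with no error middleware registered in `app.js` that becomes an unhandled rejection and a hung request rather than a 4xx. Add `if (!user) { return res.status(404).json({ error: "unknown token" }); }` before the `res.json`. `/updateName` has the same shape in a quieter form: `findOneAndUpdate` with an unmatched token updates nothing yet the handler still echoes the new name as if it had succeeded, so check the returned document too. The `Logger.log("/updateName called with new name", req.body.name)` line writes an unvalidated request field straight to the log — if this is the intended log-injection example for the fixture, a comment saying so would help; otherwise drop it or log a sanitized value.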