github
diff --git a/‎.github/actions/verify-debug-artifact-scan-completed/action.yml‎
Lines changed: 6 additions & 0 deletions b/‎.github/actions/verify-debug-artifact-scan-completed/action.yml‎
Lines changed: 6 additions & 0 deletions
diff --git a/‎.github/actions/verify-debug-artifact-scan-completed/index.js‎
Lines changed: 2 additions & 0 deletions b/‎.github/actions/verify-debug-artifact-scan-completed/index.js‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎.github/actions/verify-debug-artifact-scan-completed/post.js‎
Lines changed: 11 additions & 0 deletions b/‎.github/actions/verify-debug-artifact-scan-completed/post.js‎
Lines changed: 11 additions & 0 deletions
diff --git a/‎.github/dependabot.yml‎
Lines changed: 9 additions & 4 deletions b/‎.github/dependabot.yml‎
Lines changed: 9 additions & 4 deletions
diff --git a/‎.github/pull_request_template.md‎
Lines changed: 28 additions & 7 deletions b/‎.github/pull_request_template.md‎
Lines changed: 28 additions & 7 deletions
diff --git a/‎.github/update-release-branch.py‎
Lines changed: 13 additions & 4 deletions b/‎.github/update-release-branch.py‎
Lines changed: 13 additions & 4 deletions
diff --git a/‎.github/workflows/__all-platform-bundle.yml‎
Lines changed: 21 additions & 4 deletions b/‎.github/workflows/__all-platform-bundle.yml‎
Lines changed: 21 additions & 4 deletions
diff --git a/‎.github/workflows/__quality-queries.yml‎ ‎.github/workflows/__analysis-kinds.yml‎.github/workflows/__quality-queries.yml renamed to .github/workflows/__analysis-kinds.yml
Lines changed: 30 additions & 26 deletions b/‎.github/workflows/__quality-queries.yml‎ ‎.github/workflows/__analysis-kinds.yml‎.github/workflows/__quality-queries.yml renamed to .github/workflows/__analysis-kinds.yml
Lines changed: 30 additions & 26 deletions
@@ -0,0 +1,6 @@
+name: Verify that the best-effort debug artifact scan completed
+description: Verifies that the best-effort debug artifact scan completed successfully during tests
+runs:
+  using: node24
+  main: index.js
+  post: post.js
@@ -0,0 +1,2 @@
+// The main step is a no-op, since we can only verify artifact scan completion in the post step.
+console.log("Will verify artifact scan completion in the post step.");
@@ -0,0 +1,11 @@
+// Post step - runs after the workflow completes, when artifact scan has finished
+const process = require("process");
+
+const scanFinished = process.env.CODEQL_ACTION_ARTIFACT_SCAN_FINISHED;
+
+if (scanFinished !== "true") {
+  console.error("Error: Best-effort artifact scan did not complete. Expected CODEQL_ACTION_ARTIFACT_SCAN_FINISHED=true");
+  process.exit(1);
+}
+
+console.log("✓ Best-effort artifact scan completed successfully");
@@ -4,14 +4,15 @@ updates:
     directory: "/"
     schedule:
       interval: weekly
+    cooldown:
+      default-days: 7
+      exclude:
+        - "@actions/*"
     labels:
       - Rebuild
     # Ignore incompatible dependency updates
     ignore:
-      # There is a type incompatibility issue between v0.0.9 and our other dependencies.
-      - dependency-name: "@octokit/plugin-retry"
-        versions: ["~6.0.0"]
-      # This is broken due to the way configuration files have changed. 
+      # This is broken due to the way configuration files have changed.
       # This might be fixed when we move to eslint v9.
       - dependency-name: "eslint-plugin-import"
         versions: [">=2.30.0"]
@@ -28,6 +29,10 @@ updates:
       - "/.github/actions"
     schedule:
       interval: weekly
+    cooldown:
+      default-days: 7
+      exclude:
+        - "actions/*"
     labels:
       - Rebuild
     groups:
 
@@ -18,14 +18,25 @@ For internal use only. Please select the risk level of this change:
 
 #### Which use cases does this change impact?
 
-<!-- Delete options that don't apply. -->
+<!-- Delete options that don't apply. If in doubt, do not delete an option. -->
+
+Workflow types:
+
+- **Advanced setup** - Impacts users who have custom CodeQL workflows.
+- **Managed** - Impacts users with `dynamic` workflows (Default Setup, Code Quality, ...).
+
+Products:
+
+- **Code Scanning** - The changes impact analyses when `analysis-kinds: code-scanning`.
+- **Code Quality** - The changes impact analyses when `analysis-kinds: code-quality`.
+- **Other first-party** - The changes impact other first-party analyses.
+- **Third-party analyses** - The changes affect the `upload-sarif` action.
+
+Environments:
 
-- **Advanced setup** - Impacts users who have custom workflows.
-- **Default setup** - Impacts users who use default setup.
-- **Code Scanning** - Impacts Code Scanning (i.e. `analysis-kinds: code-scanning`).
-- **Code Quality** - Impacts Code Quality (i.e. `analysis-kinds: code-quality`).
-- **Third-party analyses** - Impacts third-party analyses (i.e. `upload-sarif`).
-- **GHES** - Impacts GitHub Enterprise Server.
+- **Dotcom** - Impacts CodeQL workflows on `github.com` and/or GitHub Enterprise Cloud with Data Residency.
+- **GHES** - Impacts CodeQL workflows on GitHub Enterprise Server.
+- **Testing/None** - This change does not impact any CodeQL workflows in production.
 
 #### How did/will you validate this change?
 
@@ -43,6 +54,7 @@ For internal use only. Please select the risk level of this change:
 
 - **Feature flags** - All new or changed code paths can be fully disabled with corresponding feature flags.
 - **Rollback** - Change can only be disabled by rolling back the release or releasing a new version with a fix.
+- **Development/testing only** - This change cannot cause any failures in production.
 - **Other** - Please provide details.
 
 #### How will you know if something goes wrong after this change is released?
@@ -54,6 +66,15 @@ For internal use only. Please select the risk level of this change:
     - **Alerts** - New or existing monitors will trip if something goes wrong with this change.
 - **Other** - Please provide details.
 
+#### Are there any special considerations for merging or releasing this change?
+
+<!--
+    Consider whether this change depends on a different change in another repository that should be released first.
+-->
+
+- **No special considerations** - This change can be merged at any time.
+- **Special considerations** - This change should only be merged once certain preconditions are met. Please provide details of those or link to this PR from an internal issue.
+
 ### Merge / deployment checklist
 
 - Confirm this change is backwards compatible with existing workflows.
 
@@ -71,8 +71,9 @@ def open_pr(
     body.append('')
     body.append('Contains the following pull requests:')
     for pr in pull_requests:
-      merger = get_merger_of_pr(repo, pr)
-      body.append(f'- #{pr.number} (@{merger})')
+      # Use PR author if they are GitHub staff, otherwise use the merger
+      display_user = get_pr_author_if_staff(pr) or get_merger_of_pr(repo, pr)
+      body.append(f'- #{pr.number} (@{display_user})')
 
   # List all commits not part of a PR
   if len(commits_without_pull_requests) > 0:
@@ -168,6 +169,14 @@ def get_pr_for_commit(commit):
 def get_merger_of_pr(repo, pr):
   return repo.get_commit(pr.merge_commit_sha).author.login
 
+# Get the PR author if they are GitHub staff, otherwise None.
+def get_pr_author_if_staff(pr):
+  if pr.user is None:
+    return None
+  if getattr(pr.user, 'site_admin', False):
+    return pr.user.login
+  return None
+
 def get_current_version():
   with open('package.json', 'r') as f:
     return json.load(f)['version']
@@ -181,9 +190,9 @@ def replace_version_package_json(prev_version, new_version):
       print(line.replace(prev_version, new_version), end='')
     else:
       prev_line_is_codeql = False
-      print(line, end='') 
+      print(line, end='')
     if '\"name\": \"codeql\",' in line:
-        prev_line_is_codeql = True 
+        prev_line_is_codeql = True
 
 def get_today_string():
   today = datetime.datetime.today()
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+// The main step is a no-op, since we can only verify artifact scan completion in the post step.`
	`2`	`+console.log("Will verify artifact scan completion in the post step.");`