Merge branch 'main' into henrymercer/overlay-no-trap-caching

# Conflicts:
#	lib/start-proxy-action.js

Author: henrymercer

.github/workflows/__bundle-toolcache.yml

@@ -92,14 +92,17 @@ jobs:
           node-version: 24
           cache: 'npm'
 
+      - name: Install dependencies
+        run: npm ci
+
       - name: Verify PR checks up to date
         if: always()
         run: .github/workflows/script/verify-pr-checks.sh
 
       - name: Run pr-checks tests
         if: always()
         working-directory: pr-checks
-        run: npm ci && npx tsx --test
+        run: npx tsx --test
 
   check-node-version:
     if: github.triggering_actor != 'dependabot[bot]'

.github/workflows/__bundle-zstd.yml

@@ -29,6 +29,12 @@ jobs:
           fetch-depth: 0
           ref: ${{ env.HEAD_REF }}
 
+      - name: Set up Node.js
+        uses: actions/setup-node@v6
+        with:
+          node-version: 24
+          cache: 'npm'
+
       - name: Remove label
         if: github.event_name == 'pull_request'
         env:
@@ -49,9 +55,18 @@ jobs:
           git fetch origin "$BASE_BRANCH"
 
           # Allow merge conflicts in `lib`, since rebuilding should resolve them.
-          git merge "origin/$BASE_BRANCH" || echo "Merge conflicts detected, continuing."
+          git merge "origin/$BASE_BRANCH"
           MERGE_RESULT=$?
 
+          if [ "$MERGE_RESULT" -eq 0 ]; then
+            echo "Merge succeeded cleanly."
+          elif [ "$MERGE_RESULT" -eq 1 ]; then
+            echo "Merge conflicts detected (exit code $MERGE_RESULT), continuing."
+          else
+            echo "git merge failed with unexpected exit code $MERGE_RESULT."
+            exit 1
+          fi
+
           if [ "$MERGE_RESULT" -ne 0 ]; then
             echo "merge-in-progress=true" >> $GITHUB_OUTPUT
 
@@ -79,7 +94,7 @@ jobs:
         working-directory: pr-checks
         run: |
           npm ci
-          npx tsx sync_back.ts --verbose
+          npx tsx sync-back.ts --verbose
 
       - name: Generate workflows
         working-directory: pr-checks
@@ -104,7 +119,7 @@ jobs:
             # Otherwise, just commit the changes.
             if git rev-parse --verify MERGE_HEAD >/dev/null 2>&1; then
               echo "In progress merge detected, finishing it up."
-              git merge --continue --no-edit
+              git commit --no-edit
             else
               echo "No in-progress merge detected, committing changes."
               git commit -m "Rebuild"

.github/workflows/__go-tracing-autobuilder.yml

@@ -4,6 +4,10 @@ See the [releases page](https://github.com/github/codeql-action/releases) for th
 
 ## [UNRELEASED]
 
+No user facing changes.
+
+## 4.33.0 - 16 Mar 2026
+
 - Upcoming change: Starting April 2026, the CodeQL Action will skip collecting file coverage information on pull requests to improve analysis performance. File coverage information will still be computed on non-PR analyses. Pull request analyses will log a warning about this upcoming change. [#3562](https://github.com/github/codeql-action/pull/3562)
 
   To opt out of this change:
@@ -12,8 +16,10 @@ See the [releases page](https://github.com/github/codeql-action/releases) for th
   - **User-owned repositories using advanced setup:** Set the `CODEQL_ACTION_FILE_COVERAGE_ON_PRS` environment variable to `true` in your workflow.
 - Fixed [a bug](https://github.com/github/codeql-action/issues/3555) which caused the CodeQL Action to fail loading repository properties if a "Multi select" repository property was configured for the repository. [#3557](https://github.com/github/codeql-action/pull/3557)
 - The CodeQL Action now loads [custom repository properties](https://docs.github.com/en/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization) on GitHub Enterprise Server, enabling the customization of features such as `github-codeql-disable-overlay` that was previously only available on GitHub.com. [#3559](https://github.com/github/codeql-action/pull/3559)
+- Once [private package registries](https://docs.github.com/en/code-security/how-tos/secure-at-scale/configure-organization-security/manage-usage-and-access/giving-org-access-private-registries) can be configured with OIDC-based authentication for organizations, the CodeQL Action will now be able to accept such configurations. [#3563](https://github.com/github/codeql-action/pull/3563)
 - Fixed the retry mechanism for database uploads. Previously this would fail with the error "Response body object should not be disturbed or locked". [#3564](https://github.com/github/codeql-action/pull/3564)
 - Added an experimental change which disables TRAP caching when [improved incremental analysis](https://github.com/github/roadmap/issues/1158) is enabled, since improved incremental analysis supersedes TRAP caching. This will improve performance and reduce Actions cache usage. We expect to roll this change out to everyone in March. [#3569](https://github.com/github/codeql-action/pull/3569)
+- A warning is now emitted if the CodeQL Action detects a repository property whose name suggests that it relates to the CodeQL Action, but which is not one of the properties recognised by the current version of the CodeQL Action. [#3570](https://github.com/github/codeql-action/pull/3570)
 
 ## 4.32.6 - 05 Mar 2026