Merge remote-tracking branch 'origin/main' into sam-robson/overlay-fallback

* origin/main: (40 commits)
  Bump the npm-minor group across 1 directory with 3 updates
  Bump actions/create-github-app-token
  Nit: Tweak JSDoc for `getRawLanguagesNoAutodetect`
  Enable only `code-scanning`
  Use overlay-aware version for code scanning exclusively
  Add changelog entry
  Rebuild
  Bump five transitive dependencies
  Throw error if multiple analysis kinds are specified
  Bump fast-xml-builder from 1.1.5 to 1.2.0
  Improve tests
  Improve error message
  Remove dead code
  Remove `makeOverlayMatchFeatures` indirection
  Add JSDoc for `getRawLanguagesNoAutodetect`
  Enable overlay-aware version selection in `setup-codeql`
  Minor: Introduce constant to avoid duplication
  Improve changelog note
  Rebuild
  Update changelog and version after v4.35.4
  ...

# Conflicts:
#	lib/init-action.js
#	src/diff-informed-analysis-utils.test.ts

Author: sam-robson

.github/workflows/__rubocop-multi-language.yml

@@ -131,7 +131,7 @@ jobs:
           echo "::endgroup::"
 
       - name: Generate token
-        uses: actions/create-github-app-token@v3.1.1
+        uses: actions/create-github-app-token@v3.2.0
         id: app-token
         with:
           app-id: ${{ vars.AUTOMATION_APP_ID }}

.github/workflows/post-release-mergeback.yml

@@ -136,7 +136,7 @@ jobs:
 
       - name: Generate token
         if: github.event_name == 'workflow_dispatch'
-        uses: actions/create-github-app-token@v3.1.1
+        uses: actions/create-github-app-token@v3.2.0
         id: app-token
         with:
           app-id: ${{ vars.AUTOMATION_APP_ID }}

.github/workflows/rollback-release.yml

@@ -93,7 +93,7 @@ jobs:
       pull-requests: write # needed to create pull request
     steps:
     - name: Generate token
-      uses: actions/create-github-app-token@v3.1.1
+      uses: actions/create-github-app-token@v3.2.0
       id: app-token
       with:
         app-id: ${{ vars.AUTOMATION_APP_ID }}

.github/workflows/update-release-branch.yml

@@ -19,7 +19,7 @@
     "scope": "javascript, typescript",
     "prefix": "testMacro",
     "body": [
-      "const ${1:nameMacro} = test.macro({",
+      "const ${1:nameMacro} = makeMacro({",
       "  exec: async (t: ExecutionContext<unknown>) => {},",
       "",
       "  title: (providedTitle = \"\") => `${2:common title} - \\${providedTitle}`,",

.vscode/tests.code-snippets

@@ -5,6 +5,12 @@ See the [releases page](https://github.com/github/codeql-action/releases) for th
 ## [UNRELEASED]
 
 - For performance and accuracy reasons, [improved incremental analysis](https://github.com/github/roadmap/issues/1158) will now only be enabled on a pull request when diff-informed analysis is also enabled for that run. If diff-informed analysis is unavailable (for example, because the PR diff ranges could not be computed), the action will fall back to a full analysis. [#3791](https://github.com/github/codeql-action/pull/3791)
+- If multiple inputs are provided for the GitHub-internal `analysis-kinds` input, only `code-scanning` will be enabled. The `analysis-kinds` input is experimental, for GitHub-internal use only, and may change without notice at any time. [#3892](https://github.com/github/codeql-action/pull/3892)
+- Added an experimental change which, when running a Code Scanning analysis for a PR with [improved incremental analysis](https://github.com/github/roadmap/issues/1158) enabled, prefers CodeQL CLI versions that have a cached overlay-base database for the configured languages. This speeds up analysis for a repository when there is not yet a cached overlay-base database for the latest CLI version. We expect to roll this change out to everyone in May. [#3880](https://github.com/github/codeql-action/pull/3880)
+
+## 4.35.4 - 07 May 2026
+
+- Update default CodeQL bundle version to [2.25.4](https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.25.4). [#3881](https://github.com/github/codeql-action/pull/3881)
 
 ## 4.35.3 - 01 May 2026