github · henrymercer · Feb 27, 2026 · Feb 27, 2026 · Feb 27, 2026
@@ -31,42 +31,37 @@ jobs:
 
     permissions:
       contents: read
+      # We currently need `security-events: read` to access feature flags.
+      security-events: read
 
     steps:
     - uses: actions/checkout@v6
-    - name: Init with default CodeQL bundle from the VM image
-      id: init-default
-      uses: ./init
-      with:
-        languages: javascript
-    - name: Remove empty database
-      # allows us to run init a second time
-      run: |
-        rm -rf "$RUNNER_TEMP/codeql_databases"
-    - name: Init with latest CodeQL bundle
-      id: init-latest
-      uses: ./init
+    - name: Set up default CodeQL bundle
+      id: setup-default
+      uses: ./setup-codeql
+    - name: Set up linked CodeQL bundle
+      id: setup-linked
+      uses: ./setup-codeql
       with:
         tools: linked
-        languages: javascript
-    - name: Compare default and latest CodeQL bundle versions
+    - name: Compare default and linked CodeQL bundle versions
       id: compare
       env:
-        CODEQL_DEFAULT: ${{ steps.init-default.outputs.codeql-path }}
-        CODEQL_LATEST: ${{ steps.init-latest.outputs.codeql-path }}
+        CODEQL_DEFAULT: ${{ steps.setup-default.outputs.codeql-path }}
+        CODEQL_LINKED: ${{ steps.setup-linked.outputs.codeql-path }}
       run: |
         CODEQL_VERSION_DEFAULT="$("$CODEQL_DEFAULT" version --format terse)"
-        CODEQL_VERSION_LATEST="$("$CODEQL_LATEST" version --format terse)"
+        CODEQL_VERSION_LINKED="$("$CODEQL_LINKED" version --format terse)"
         echo "Default CodeQL bundle version is $CODEQL_VERSION_DEFAULT"
-        echo "Latest CodeQL bundle version is $CODEQL_VERSION_LATEST"
+        echo "Linked CodeQL bundle version is $CODEQL_VERSION_LINKED"
 
         # If we're running on a pull request, run with both bundles, even if `tools: linked` would
         # be the same as `tools: null`. This allows us to make the job for each of the bundles a
         # required status check.
         #
         # If we're running on push or schedule, then we can skip running with `tools: linked` when it would be
         # the same as running with `tools: null`.
-        if [[ "$GITHUB_EVENT_NAME" != "pull_request" && "$GITHUB_EVENT_NAME" != "merge_group" && "$CODEQL_VERSION_DEFAULT" == "$CODEQL_VERSION_LATEST" ]]; then
+        if [[ "$GITHUB_EVENT_NAME" != "pull_request" && "$GITHUB_EVENT_NAME" != "merge_group" && "$CODEQL_VERSION_DEFAULT" == "$CODEQL_VERSION_LINKED" ]]; then
           VERSIONS_JSON='[null]'
         else
           VERSIONS_JSON='[null, "linked"]'

@@ -41,6 +41,8 @@ jobs:
       CODEQL_ACTION_TEST_MODE: true
     permissions:
       contents: read
+      # We currently need `security-events: read` to access feature flags.
+      security-events: read
     timeout-minutes: 45
     runs-on: ubuntu-latest
     steps:

@@ -40,6 +40,8 @@ jobs:
     timeout-minutes: 45
     permissions:
       contents: read
+      # We currently need `security-events: read` to access feature flags.
+      security-events: read
     runs-on: ubuntu-latest
     steps:
       - name: Check out repository

@@ -26,6 +26,8 @@ jobs:
     timeout-minutes: 45
     permissions:
       contents: read
+      # We currently need `security-events: read` to access feature flags.
+      security-events: read
     runs-on: windows-latest
 
     steps: