Log error and only enable code-scanning if multiple analysis kinds are specified

[mbg]

The analysis-kinds input is experimental and for GitHub-internal use only. We provide no support for this input or its functionality.

We stopped using multiple analysis kinds per job months ago and intend to remove support for it entirely to reduce maintenance overheads and code complexity.

This PR logs an error if multiple analysis kinds are requested at the same time outside of our testing environments and only enables code-scanning. Full removal of the related code will follow at a future point.

Risk assessment

For internal use only. Please select the risk level of this change:

• Low risk: Changes are fully under feature flags, or have been fully tested and validated in pre-production environments and are highly observable, or are documentation or test only.

Which use cases does this change impact?

Workflow types:

Managed workflows do not specify multiple inputs for analysis-kinds and advanced setup is unsupported.

Products:

N/A

Environments:

• Dotcom - Impacts CodeQL workflows on github.com and/or GitHub Enterprise Cloud with Data Residency.
• GHES - Impacts CodeQL workflows on GitHub Enterprise Server.

How did/will you validate this change?

• Unit tests - I am depending on unit test coverage (i.e. tests in .test.ts files).
• End-to-end tests - I am depending on PR checks (i.e. tests in pr-checks).

If something goes wrong after this change is released, what are the mitigation and rollback strategies?

• Feature flags - All new or changed code paths can be fully disabled with corresponding feature flags.

How will you know if something goes wrong after this change is released?

• Telemetry - I rely on existing telemetry or have made changes to the telemetry.
  • Dashboards - I will watch relevant dashboards for issues after the release. Consider whether this requires this change to be released at a particular time rather than as part of a regular release.
  • Alerts - New or existing monitors will trip if something goes wrong with this change.

Are there any special considerations for merging or releasing this change?

• No special considerations - This change can be merged at any time.

Merge / deployment checklist

• Confirm this change is backwards compatible with existing workflows.
• Consider adding a changelog entry for this change.
• Confirm the readme and docs have been updated if necessary.

[Copilot]

Pull request overview

This PR tightens handling of the experimental analysis-kinds input by disallowing multiple enabled analysis kinds in normal (non-test) runs, with an escape hatch via a new feature flag for internal/testing environments. This reduces maintenance burden ahead of planned removal of multi-kind support.

Changes:

• Pass features into getAnalysisKinds from init-action so multi-kind gating can consult feature enablement.
• Introduce Feature.AllowMultipleAnalysisKinds (default false) to allow multi-kind runs only when explicitly enabled.
• Update getAnalysisKinds to throw a ConfigurationError when multiple analysis kinds are enabled outside test mode, plus add/adjust unit tests.

Show a summary per file

File	Description
src/init-action.ts	Wires features through to getAnalysisKinds calls.
src/feature-flags.ts	Adds new AllowMultipleAnalysisKinds feature flag and config (default disabled).
src/analyses.ts	Enforces single analysis kind outside test mode unless the new feature flag is enabled.
src/analyses.test.ts	Updates tests for new getAnalysisKinds signature and adds coverage for the new error.
lib/upload-sarif-action.js	Generated JS updated to reflect TS changes.
lib/upload-sarif-action-post.js	Generated JS updated to reflect TS changes.
lib/upload-lib.js	Generated JS updated to reflect TS changes.
lib/start-proxy-action.js	Generated JS updated to reflect TS changes.
lib/start-proxy-action-post.js	Generated JS updated to reflect TS changes.
lib/setup-codeql-action.js	Generated JS updated to reflect TS changes.
lib/resolve-environment-action.js	Generated JS updated to reflect TS changes.
lib/init-action-post.js	Generated JS updated to reflect TS changes.
lib/autobuild-action.js	Generated JS updated to reflect TS changes.
lib/analyze-action.js	Generated JS updated to reflect TS changes.
lib/analyze-action-post.js	Generated JS updated to reflect TS changes.

Copilot's findings

• Files reviewed: 5/17 changed files
• Comments generated: 2

[henrymercer]

How about instead treating multiple inputs as just code-scanning instead? If we want to make it an error, I'd suggest we allow a month's deprecation period and in the meantime logging a warning that this will be treated as an error in June? I agree this was marked as an internal input in the action.yml but I don't think we can rely on customers reading that.

[mbg]

@henrymercer I had to resolve some merge conflicts, can you re-approve? Note that there is one tiny code change in the merge commit at 4dc7276#diff-03d2b2bd0e1c4d4ed0fd6ddac8033710b48fb01370983c27b17b3cab5ea0a8ba since your merged PR introduced an extra call to getAnalysisKinds whose signature is changing in this PR.