Merge releases/v4 into releases/v3

[github-actions]

Merging e46ed2c into releases/v3.

Conductor for this PR is @mbg.

Contains the following pull requests:

• Store all built-in languages #3811 (@henrymercer)
• Mergeback v4.35.2 refs/heads/releases/v4 into main #3825 (@henrymercer)
• Bump follow-redirects from 1.15.11 to 1.16.0 #3827 (@henrymercer)
• Add workflow to rerun potentially transient failures #3830 (@henrymercer)
• Bump the npm-minor group across 1 directory with 2 updates #3831 (@henrymercer)
• Bump eslint-import-resolver-typescript from 3.8.7 to 4.4.4 #3835 (@henrymercer)
• Update supported GitHub Enterprise Server versions #3837 (@henrymercer)
• Escape "+"s in on.workflow_run.workflows #3839 (@henrymercer)
• Bump the npm-minor group across 1 directory with 3 updates #3840 (@henrymercer)
• Bump uuid from 13.0.0 to 14.0.0 #3847 (@henrymercer)
• Bump fast-xml-parser from 5.5.7 to 5.7.1 #3848 (@henrymercer)
• Simplify writeDiffRangeDataExtensionPack interface #3849 (@henrymercer)
• Private registries: Add support for Cloudsmith and GCP OIDC configurations #3850 (@mbg)
• Add random suffix when writing diagnostics to avoid filename collisions #3852 (@henrymercer)
• Improve connection tests #3853 (@mbg)
• Add log group for downloading overlay-base DB #3856 (@henrymercer)
• Bump @ava/typescript from 6.0.0 to 7.0.0 #3859 (@henrymercer)
• Bump ruby/setup-ruby from 1.301.0 to 1.305.0 in /.github/workflows in the actions-minor group across 1 directory #3862 (@henrymercer)
• Update default bundle to 2.25.3 #3865 (@henrymercer)
• Merge main into releases/v4 #3867 (@mbg)

Please do the following:

• Ensure the CHANGELOG displays the correct version and date.
• Ensure the CHANGELOG includes all relevant, user-facing changes since the last release.
• Check that there are not any unexpected commits being merged into the releases/v3 branch.
• Ensure the docs team is aware of any documentation changes that need to be released.
• Remove and re-add the "Rebuild" label to the PR to trigger just this workflow.
• Wait for the "Rebuild" workflow to push a commit updating the distribution files.
• Mark the PR as ready for review to trigger the full set of PR checks.
• Approve and merge this PR. Make sure Create a merge commit is selected rather than Squash and merge or Rebase and merge.

[github-actions]

Pushed a commit to rebuild the Action. Please mark the PR as ready for review to trigger PR checks.

[Copilot]

Pull request overview

This PR merge-brings changes from releases/v4 into releases/v3, updating the v3 release branch with recent action improvements (private registry enhancements, language typing refactors, diagnostics fixes, dependency/version bumps, and workflow maintenance).

Changes:

• Refactors language handling by replacing KnownLanguage with BuiltInLanguage, adding a curated built-in language/alias source (src/languages/builtin.json) and update tooling.
• Improves private registry support (new OIDC config types, credential validation changes, best-effort reachability checks, and new "replaces-base" propagation).
• Updates dependencies, default bundle/CLI versions, supported GHES minimum, changelog, and adds a “Deflake” workflow to rerun transient CI failures.

Show a summary per file

File	Description
tests/multi-language-repo/.github/codeql/codeql-config-packaging.yml	Adds pr-checks to paths-ignore and reorders ignored paths for packaging test config.
tests/multi-language-repo/.github/codeql/codeql-config-packaging2.yml	Adds pr-checks to paths-ignore and reorders ignored paths for packaging test config.
tests/multi-language-repo/.github/codeql/codeql-config-packaging3.yml	Adds pr-checks to paths-ignore and reorders ignored paths for packaging test config.
src/trap-caching.test.ts	Migrates tests from KnownLanguage to BuiltInLanguage.
src/tracer-config.test.ts	Migrates tests from KnownLanguage to BuiltInLanguage.
src/status-report.test.ts	Migrates tests from KnownLanguage to BuiltInLanguage.
src/start-proxy/validation.ts	Introduces shared auth-config extraction/credential cloning for start-proxy inputs.
src/start-proxy/validation.test.ts	Adds unit tests for getAuthConfig across all OIDC schemas and basic auth types.
src/start-proxy/types.ts	Adds JSON-schema-based credential schemas, new OIDC types (Cloudsmith/GCP), and "replaces-base" in registry type.
src/start-proxy/types.test.ts	Adds tests for new narrowing helpers and stringification of new OIDC configs; tightens credential typing in tests.
src/start-proxy/reachability.ts	Adds registry-specific test URL logic, switches to GET, and logs reachability checks in a group with doc link.
src/start-proxy/reachability.test.ts	Extends tests to validate registry-specific appended path behavior.
src/start-proxy/environment.ts	Updates language enum usage to BuiltInLanguage.
src/start-proxy/environment.test.ts	Updates tests and messaging to “built-in languages”.
src/start-proxy.ts	Removes local language parsing and inline auth-config extraction; validates "replaces-base" and uses shared validation helpers.
src/start-proxy.test.ts	Updates tests for new OIDC schema matrix, replaces removed parseLanguage tests, adds "replaces-base" validation tests.
src/start-proxy-action.ts	Switches to parseBuiltInLanguage; adjusts status reporting language handling; passes "replaces-base" output.
src/overlay/caching.test.ts	Updates language enum usage to BuiltInLanguage.
src/languages/index.ts	Introduces BuiltInLanguage, isBuiltInLanguage, and parseBuiltInLanguage using builtin.json.
src/languages/index.test.ts	Adds unit tests for built-in language parsing and enum/data consistency.
src/languages/builtin.json	Adds curated built-in languages list and language aliases.
src/languages.ts	Removes old KnownLanguage/JavaEnvVars definitions (moved to new module).
src/known-language-aliases.json	Removes old alias JSON (superseded by languages/builtin.json).
src/json/testing-util.ts	Adds schema-driven test helpers (makeFromSchema, withSchemaMatrix).
src/json/index.ts	Adds minimal schema/validator framework (Schema, Validator, optional, validateSchema, FromSchema).
src/json/index.test.ts	Adds unit tests for validateSchema required/optional behavior.
src/init.ts	Updates language enum usage to BuiltInLanguage for Python 3.11 install check.
src/init.test.ts	Updates tests to use BuiltInLanguage.
src/init-action.ts	Updates language enum usage; wraps overlay-base cache check in a log group.
src/doc-url.ts	Adds documentation link for private registry diagnostic logs.
src/diagnostics.ts	Avoids diagnostic filename collisions by adding a counter suffix and sanitizing timestamps.
src/dependency-caching.ts	Updates language enum usage to BuiltInLanguage.
src/dependency-caching.test.ts	Updates tests to use BuiltInLanguage.
src/defaults.json	Bumps default CodeQL bundle/CLI versions to 2.25.3 and updates prior versions.
src/database-upload.test.ts	Updates tests to use BuiltInLanguage.
src/config/db-config.test.ts	Updates tests to use BuiltInLanguage.
src/config-utils.ts	Updates internal checks and messaging from “known” to “built-in” language; updates enum usage.
src/config-utils.test.ts	Updates tests to use BuiltInLanguage.
src/codeql.ts	Updates next minimum CodeQL version and GHES deprecation metadata.
src/codeql.test.ts	Updates tests to use BuiltInLanguage.
src/autobuild.ts	Updates language enum usage to BuiltInLanguage.
src/api-compatibility.json	Updates minimum supported GHES API version (3.14 → 3.16).
src/analyze.ts	Simplifies diff-range extension-pack creation interface and logging; removes undefined return for pack creation helper.
src/analyze.test.ts	Updates tests to use BuiltInLanguage.
src/analyze-action.ts	Updates Go extraction output path logic to use BuiltInLanguage.go.
pr-checks/update-builtin-languages.ts	Adds script to regenerate src/languages/builtin.json from the CodeQL CLI.
pr-checks/sync.ts	Updates PR checks generation to use BuiltInLanguage.
pr-checks/config.ts	Adds constant pointing at the built-in languages JSON file path.
pr-checks/checks/rubocop-multi-language.yml	Bumps ruby/setup-ruby pin to v1.305.0.
package.json	Bumps action version to 3.35.3, updates dependency versions, and adjusts transpile invocation.
package-lock.json	Updates lockfile for dependency bumps (including @ava/typescript, uuid, follow-redirects, etc.).
lib/defaults.json	Updates generated defaults JSON to match src/defaults.json.
README.md	Adds an Enterprise Server compatibility row for v4.33.0 / 2.24.3 / GHES 3.21.
CHANGELOG.md	Adds release notes for 3.35.3 with user-facing items from included PRs.
.github/workflows/update-bundle.yml	Updates bundle workflow step to regenerate built-in languages via new script.
.github/workflows/deflake.yml	Adds workflow to rerun failed jobs once for likely-transient failures on main/releases/merge-group.
.github/workflows/__rubocop-multi-language.yml	Updates generated workflow Ruby setup action pin.
.github/codeql/codeql-config-javascript.yml	Fixes YAML formatting and expands paths-ignore patterns for CodeQL config.

Copilot's findings

• Files reviewed: 55/70 changed files
• Comments generated: 1

[Copilot]

@ava/typescript v7 requires Node.js >=22.20 (per its engines field). This repo’s unit test matrix still runs on Node 20, and AVA is configured to use the TypeScript provider (ava.config.mjs), so npm test is likely to fail on Node 20. Consider keeping @ava/typescript on a Node-20-compatible major, or bump the CI Node version floor accordingly (and ensure the action’s supported Node versions align).

Suggested change

	"@ava/typescript": "7.0.0",
	"@ava/typescript": "^6.0.0",