Enable only code-scanning

mbg · mbg · commit 257b3d3fc8c4 · 2026-05-12T15:46:28.000+01:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -4,7 +4,7 @@ See the [releases page](https://github.com/github/codeql-action/releases) for th
 
 ## [UNRELEASED]
 
-- An error is now thrown if multiple inputs are provided for the GitHub-internal `analysis-kinds` input. The `analysis-kinds` input is experimental, for GitHub-internal use only, and may change without notice at any time. [#3892](https://github.com/github/codeql-action/pull/3892)
+- If multiple inputs are provided for the GitHub-internal `analysis-kinds` input, only `code-scanning` will be enabled. The `analysis-kinds` input is experimental, for GitHub-internal use only, and may change without notice at any time. [#3892](https://github.com/github/codeql-action/pull/3892)
 
 ## 4.35.4 - 07 May 2026
 
diff --git a/lib/init-action.js b/lib/init-action.js
diff --git a/src/analyses.test.ts b/src/analyses.test.ts
@@ -16,7 +16,7 @@ import {
 } from "./analyses";
 import { EnvVar } from "./environment";
 import { getRunnerLogger } from "./logging";
-import { createFeatures, setupTests } from "./testing-utils";
+import { createFeatures, RecordingLogger, setupTests } from "./testing-utils";
 import { AssessmentPayload } from "./upload-lib/types";
 import { ConfigurationError } from "./util";
 
@@ -70,19 +70,21 @@ test.serial(
 );
 
 test.serial(
-  "getAnalysisKinds - throws for multiple analysis kinds outside of test mode",
+  "getAnalysisKinds - only use `code-scanning` for multiple analysis kinds outside of test mode",
   async (t) => {
     process.env[EnvVar.TEST_MODE] = "false";
     const features = createFeatures([]);
+    const logger = new RecordingLogger();
     const requiredInputStub = sinon.stub(actionsUtil, "getRequiredInput");
     requiredInputStub
       .withArgs("analysis-kinds")
       .returns("code-scanning,code-quality");
-    await t.throwsAsync(
-      getAnalysisKinds(getRunnerLogger(true), features, true),
-      {
-        instanceOf: ConfigurationError,
-      },
+    const result = await getAnalysisKinds(logger, features, true);
+    t.deepEqual(result, [AnalysisKind.CodeScanning]);
+    t.assert(
+      logger.hasMessage(
+        "Continuing with only `analysis-kinds: code-scanning`.",
+      ),
     );
   },
 );
diff --git a/src/analyses.ts b/src/analyses.ts
@@ -122,17 +122,23 @@ export async function getAnalysisKinds(
     }
   }
 
-  // Throw an error if we have multiple inputs for `analysis-kinds` outside of test mode.
+  // Log an error if we have multiple inputs for `analysis-kinds` outside of test mode,
+  // and enable only `code-scanning`.
   if (
     !isInTestMode() &&
     analysisKinds.length > 1 &&
     !(await features.getValue(Feature.AllowMultipleAnalysisKinds))
   ) {
-    throw new ConfigurationError(
+    logger.error(
       "The `analysis-kinds` input is experimental and for GitHub-internal use only. " +
         "Its behaviour may change at any time or be removed entirely. " +
-        "Specifying multiple values as input is no longer supported.",
+        "Specifying multiple values as input is no longer supported. " +
+        "Continuing with only `analysis-kinds: code-scanning`.",
     );
+
+    // Only enable Code Scanning.
+    cachedAnalysisKinds = [AnalysisKind.CodeScanning];
+    return cachedAnalysisKinds;
   }
 
   // Cache the analysis kinds and return them.
