Remove unused registry types from LANGUAGE_TO_REGISTRY_TYPE

[mbg]

Removes unused registry types from LANGUAGE_TO_REGISTRY_TYPE. Currently we only support private registries for Java (maven_repository), C# (nuget_feed), and Go (git_source, goproxy_server). However, the configuration in LANGUAGE_TO_REGISTRY_TYPE allows other registry types for other languages to be enabled in CodeQL workflows. This may give users the wrong impression that those types of registries are actually supported.

Risk assessment

For internal use only. Please select the risk level of this change:

• Low risk

Which use cases does this change impact?

Workflow types:

• Managed - Impacts users with dynamic workflows (Default Setup, Code Quality, ...).

Products:

• Code Scanning - The changes impact analyses when analysis-kinds: code-scanning.
• Code Quality - The changes impact analyses when analysis-kinds: code-quality.
• Other first-party - The changes impact other first-party analyses.

Environments:

• Dotcom - Impacts CodeQL workflows on github.com and/or GitHub Enterprise Cloud with Data Residency.
• GHES - Impacts CodeQL workflows on GitHub Enterprise Server.

How did/will you validate this change?

• Test repository - This change will be tested on a test repository before merging.
• Unit tests - I am depending on unit test coverage (i.e. tests in .test.ts files).
• End-to-end tests - I am depending on PR checks (i.e. tests in pr-checks).

If something goes wrong after this change is released, what are the mitigation and rollback strategies?

• Feature flags - All new or changed code paths can be fully disabled with corresponding feature flags.

How will you know if something goes wrong after this change is released?

• Telemetry - I rely on existing telemetry or have made changes to the telemetry.
  • Dashboards - I will watch relevant dashboards for issues after the release. Consider whether this requires this change to be released at a particular time rather than as part of a regular release.
  • Alerts - New or existing monitors will trip if something goes wrong with this change.

Are there any special considerations for merging or releasing this change?

• No special considerations - This change can be merged at any time.

Merge / deployment checklist

• Confirm this change is backwards compatible with existing workflows.
• Consider adding a changelog entry for this change.
• Confirm the readme and docs have been updated if necessary.

[Copilot]

Pull request overview

This PR introduces a feature-flagged “reduced” registry-type allowlist for the start-proxy action so that only the ecosystems that are actually supported for private registries are considered when filtering credentials.

Changes:

• Add a new StartProxyRemoveUnusedRegistries feature flag and plumb it into start-proxy-action.
• Add a second registry-type mapping (NEW_LANGUAGE_TO_REGISTRY_TYPE) and use it when the feature flag is enabled.
• Add unit tests covering the Actions-language behavior under both mappings.

Reviewed changes

Copilot reviewed 16 out of 16 changed files in this pull request and generated 2 comments.

Show a summary per file

File	Description
src/start-proxy.ts	Adds a feature-flag-controlled registry-type mapping used to filter credentials by language.
src/start-proxy.test.ts	Adds tests for getCredentials behavior with KnownLanguage.actions under both mappings.
src/start-proxy-action.ts	Reads the feature flag and passes it into getCredentials.
src/feature-flags.ts	Defines the new StartProxyRemoveUnusedRegistries flag and its config.
lib/*	Generated JS output updates corresponding to the TypeScript changes.

[Copilot]

NEW_LANGUAGE_TO_REGISTRY_TYPE does not include all KnownLanguage values (e.g. cpp, swift). When skipUnusedRegistries is enabled and language is one of these missing keys, registryMapping[language] becomes undefined and the code stops filtering, so all credential types are accepted. If the intent is to only allow registries for Java/C#/Go, consider making the "missing key" case behave like an empty allowlist when skipUnusedRegistries is true (or explicitly add the missing languages with []).

[Copilot]

The new behavior behind skipUnusedRegistries is only tested for KnownLanguage.actions. Adding tests for at least one KnownLanguage value that is currently missing from NEW_LANGUAGE_TO_REGISTRY_TYPE (e.g. cpp or swift) would help catch cases where the "reduced mapping" unintentionally falls back to allowing all credentials for an unlisted language.

Suggested change

	test("getCredentials returns all credentials for Cpp when using LANGUAGE_TO_REGISTRY_TYPE", async (t) => {
	const credentialsInput = toEncodedJSON(mixedCredentials);
	const credentials = startProxyExports.getCredentials(
	getRunnerLogger(true),
	undefined,
	credentialsInput,
	KnownLanguage.cpp,
	false,
	);
	t.is(credentials.length, mixedCredentials.length);
	});
	test("getCredentials returns no credentials for Cpp when using NEW_LANGUAGE_TO_REGISTRY_TYPE", async (t) => {
	const credentialsInput = toEncodedJSON(mixedCredentials);
	const credentials = startProxyExports.getCredentials(
	getRunnerLogger(true),
	undefined,
	credentialsInput,
	KnownLanguage.cpp,
	true,
	);
	t.deepEqual(credentials, []);
	});