forcedotcom
diff --git a/‎.eslintrc.json
+4-1 b/‎.eslintrc.json
+4-1
diff --git a/‎.github/workflows/build-scanner-tarball.yml
+4-5 b/‎.github/workflows/build-scanner-tarball.yml
+4-5
diff --git a/‎.github/workflows/create-github-release.yml
+1 b/‎.github/workflows/create-github-release.yml
+1
diff --git a/‎.github/workflows/create-release-branch.yml
+18-6 b/‎.github/workflows/create-release-branch.yml
+18-6
diff --git a/‎.github/workflows/daily-smoke-test.yml
+21-18 b/‎.github/workflows/daily-smoke-test.yml
+21-18
diff --git a/‎.github/workflows/production-heartbeat.yml
+2-12 b/‎.github/workflows/production-heartbeat.yml
+2-12
diff --git a/‎.github/workflows/publish.yml
+1-5 b/‎.github/workflows/publish.yml
+1-5
diff --git a/‎.github/workflows/run-tests.yml
+53-12 b/‎.github/workflows/run-tests.yml
+53-12
diff --git a/‎.github/workflows/validate-pr.yml
+11-4 b/‎.github/workflows/validate-pr.yml
+11-4
diff --git a/‎SHA256.md
+1-1 b/‎SHA256.md
+1-1
@@ -20,5 +20,8 @@
         "**/*.d.ts",
         "src/test",
         "esbuild.js"
-    ]
+    ],
+	"rules": {
+		"@typescript-eslint/no-unused-vars": ["error", {"argsIgnorePattern": "^_"}]
+	}
 }
@@ -6,7 +6,7 @@ on:
         description: "Which branch of the scanner should be built?"
         required: false
         type: string
-        default: "dev"
+        default: "dev-4"
 
 jobs:
   build-tarball:
@@ -25,9 +25,8 @@ jobs:
       - name: 'Check out, build, pack'
         run: |
           # Check out the target branch.
-          git clone https://github.com/forcedotcom/sfdx-scanner.git sfdx-scanner
+          git clone -b ${{ inputs.target-branch }} https://github.com/forcedotcom/sfdx-scanner.git sfdx-scanner
           cd sfdx-scanner
-          git checkout ${{ inputs.target-branch }}
           # Install and build dependencies.
           yarn
           yarn build
@@ -36,5 +35,5 @@ jobs:
       # Upload the tarball as an artifact so it's usable elsewhere.
       - uses: actions/upload-artifact@v4
         with:
-          name: scanner-tarball
-          path: ./**/salesforce-sfdx-scanner-*.tgz
+          name: scanner-tarball-${{ inputs.target-branch }}
+          path: ./**/salesforce-*.tgz
@@ -22,6 +22,7 @@ jobs:
     name: 'Upload VSIX as artifact'
     needs: verify-should-run
     uses: ./.github/workflows/create-vsix-artifact.yml
+    secrets: inherit
   create-github-release:
     runs-on: ubuntu-latest
     needs: create-vsix-artifact
 
@@ -60,7 +60,7 @@ jobs:
       - uses: actions/setup-node@v4
         with:
           node-version: 'lts/*' # Always use Node LTS for building dependencies.
-      - run: yarn
+      - run: yarn install --frozen-lockfile
       # Increment the version as desired locally, without actually committing anything.
       - name: Locally increment version
         run: |
@@ -141,9 +141,19 @@ jobs:
           git push -d origin ${NEW_VERSION}-interim
           # Output the release branch name so we can use it in later jobs.
           echo "branch_name=release-$NEW_VERSION" >> "$GITHUB_OUTPUT"
-  # Build the scanner tarball so it can be installed locally when we run tests.
-  build-scanner-tarball:
-    name: 'Build scanner tarball'
+  # Build the scanner tarballs so they can be installed locally when we run tests.
+  build-v4-scanner-tarball:
+    name: 'Build v4 scanner tarball'
+    needs: verify-should-run
+    uses: ./.github/workflows/build-scanner-tarball.yml
+    with:
+      # Note: Using `dev-4` here is technically incorrect. For full completeness's sake, we should probably be
+      # using the branch corresponding to the upcoming scanner release. However, identifying that branch is
+      # non-trivial, and there are unlikely to be major differences between the two that appear in the few days
+      # between creating the branch and releasing it, so it _should_ be fine.
+      target-branch: 'dev-4'
+  build-v5-scanner-tarball:
+    name: 'Build v5 scanner tarball'
     needs: verify-should-run
     uses: ./.github/workflows/build-scanner-tarball.yml
     with:
@@ -155,10 +165,12 @@ jobs:
   # Run all the various tests against the newly created branch.
   test-release-branch:
     name: 'Run unit tests'
-    needs: [build-scanner-tarball, create-release-branch]
+    needs: [build-v4-scanner-tarball, build-v5-scanner-tarball, create-release-branch]
     uses: ./.github/workflows/run-tests.yml
     with:
       # We want to validate the extension against whatever version of the scanner we *plan* to publish,
       # not what's *already* published.
-      use-scanner-tarball: true
+      use-scanner-tarballs: true
+      v4-tarball-suffix: 'dev-4'
+      v5-tarball-suffix: 'dev'
       target-branch: ${{ needs.create-release-branch.outputs.branch-name }}
@@ -4,50 +4,53 @@ on:
   schedule:
     # Cron syntax is "minute[0-59] hour[0-23] date[1-31] month[1-12] day[0-6]". '*' is 'any value', and multiple values
     # can be specified with comma-separated lists. All times are UTC.
-    # So this expression means "run at 13:30 UTC every day". This time was chosen because it corresponds to
-    # 8:30AM CDT, meaning that any issues will be surfaced towards the start of business.
-    - cron: "30 13 * * *"
+    # So this expression means "run at 17:30 UTC every day". This time was chosen because it corresponds to
+    # 9:30AM PST, meaning that any issues will be surfaced on working days when people are likely to be awake and online.
+    - cron: "30 17 * * 1-5"
 
 jobs:
-  # Step 1: Build the scanner tarball so it can be installed locally.
-  build-scanner-tarball:
-    name: 'Build scanner tarball'
+  # Step 1: Build the scanner tarballs so they can be installed locally.
+  build-v4-scanner-tarball:
+    name: 'Build v4 scanner tarball'
+    uses: ./.github/workflows/build-scanner-tarball.yml
+    with:
+      target-branch: 'dev-4'
+  build-v5-scanner-tarball:
+    name: 'Build v5 scanner tarball'
     uses: ./.github/workflows/build-scanner-tarball.yml
     with:
       target-branch: 'dev'
   # Step 2: Actually run the tests.
   smoke-test:
     name: 'Run smoke tests'
-    needs: build-scanner-tarball
+    needs: [build-v4-scanner-tarball, build-v5-scanner-tarball]
     uses: ./.github/workflows/run-tests.yml
     with:
       # For daily builds, we want to make sure we haven't pushed a breaking change
-      # to the scanner's `dev` branch.
-      use-scanner-tarball: true
+      # to the scanner's `dev-4` branch.
+      use-scanner-tarballs: true
+      v4-tarball-suffix: 'dev-4'
+      v5-tarball-suffix: 'dev'
+    secrets: inherit
   # Step 3: Build a VSIX artifact for use if needed.
   create-vsix-artifact:
     name: 'Upload VSIX as artifact'
     uses: ./.github/workflows/create-vsix-artifact.yml
+    secrets: inherit
   # Step 4: Report any problems
   report-problems:
     name: 'Report problems'
     runs-on: ubuntu-latest
-    needs: [build-scanner-tarball, smoke-test, create-vsix-artifact]
+    needs: [build-v4-scanner-tarball, build-v5-scanner-tarball, smoke-test, create-vsix-artifact]
     if: ${{ failure() || cancelled() }}
     steps:
       - name: Report problems
         shell: bash
         env:
-          IS_CRITICAL: ${{ contains(join(steps.*.outcome), 'failure') || contains(join(steps.*.outcome), 'skipped') }}
           RUN_LINK: https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}
         run: |
-          if [[ ${{ env.IS_CRITICAL }} == true ]]; then
-            ALERT_SEV="critical"
-            ALERT_SUMMARY="Daily smoke test failed on ${{ runner.os }}"
-          else
-            ALERT_SEV="info"
-            ALERT_SUMMARY="Daily smoke test succeeded with retries on ${{ runner.os }}"
-          fi
+          ALERT_SEV="critical"
+          ALERT_SUMMARY="Daily smoke test failed on ${{ runner.os }}"
 
           generate_post_data() {
             cat <<EOF
 
@@ -118,23 +118,13 @@ jobs:
         if: ${{ failure() || cancelled() }}
         shell: bash
         env:
-          # If we're here because steps failed or were skipped, then that's a critical problem. Otherwise it's a normal one.
-          # We can't use the `failure()` or `cancelled()` convenience methods outside of the `if` condition, hence the
-          # `contains()` calls.
-          IS_CRITICAL: ${{ contains(join(steps.*.outcome), 'failure') || contains(join(steps.*.outcome), 'skipped') }}
           # A link to this run, so the PagerDuty assignee can quickly get here.
           RUN_LINK: https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}
 
         run: |
 
-          if [[ ${{ env.IS_CRITICAL }} == true ]]; then
-            ALERT_SEV="critical"
-            ALERT_SUMMARY="Production heartbeat script failed on ${{ runner.os }}"
-          else
-            # Leaving the else part here to help with running end-to-end sanity test with real alerts being created.
-            ALERT_SEV="info"
-            ALERT_SUMMARY="Production heartbeat script succeeded with retries on ${{ runner.os }}"
-          fi
+          ALERT_SEV="critical"
+          ALERT_SUMMARY="Production heartbeat script failed on ${{ runner.os }}"
           # Define a helper function to create our POST request's data, to sidestep issues with nested quotations.
           generate_post_data() {
           # This is known as a HereDoc, and it lets us declare multi-line input ending when the specified limit string,
 
@@ -58,21 +58,19 @@ jobs:
     with:
       # Before publishing, we want to test the extension against whatever
       # version of the scanner is currently live.
-      use-scanner-tarball: false
+      use-scanner-tarballs: false
 
   publish-vscode:
     name: 'Publish to VSCode Marketplace'
     needs: [ 'run-tests' ]
     runs-on: ubuntu-latest
     env:
       VSCE_PERSONAL_ACCESS_TOKEN: ${{ secrets.VSCE_PERSONAL_ACCESS_TOKEN }}
-      GITHUB_TOKEN: ${{ secrets.SVC_CLI_BOT_GITHUB_TOKEN }}
     steps:
       - name: Checkout the release tag
         uses: actions/checkout@v4
         with:
           ref: ${{ github.event.release.tag_name || inputs.tag }}
-          token: ${{ env.GITHUB_TOKEN }}
       # Set up node and install dependencies.
       - uses: actions/setup-node@v4
         with:
@@ -99,13 +97,11 @@ jobs:
     runs-on: ubuntu-latest
     env:
       IDEE_OVSX_PAT: ${{ secrets.IDEE_OVSX_PAT }}
-      GITHUB_TOKEN: ${{ secrets.SVC_CLI_BOT_GITHUB_TOKEN }}
     steps:
       - name: Checkout the release tag
         uses: actions/checkout@v4
         with:
           ref: ${{ github.event.release.tag_name || inputs.tag }}
-          token: ${{ env.GITHUB_TOKEN }}
       # Set up node and install dependencies.
       - uses: actions/setup-node@v4
         with:
 
@@ -2,11 +2,21 @@ name: run-tests
 on:
   workflow_call:
     inputs:
-      use-scanner-tarball:
+      use-scanner-tarballs:
         description: 'If true, install scanner via tarball'
         required: false
         type: boolean
         default: false
+      v4-tarball-suffix:
+        description: 'The suffix attached to the name of the v4 tarball'
+        required: false
+        type: string
+        default: 'dev-4'
+      v5-tarball-suffix:
+        description: 'The suffix attached to the name of the v5 tarball'
+        required: false
+        type: string
+        default: 'dev'
       target-branch:
         description: "What branch should be checked out?"
         required: false
@@ -34,6 +44,9 @@ jobs:
         with:
           distribution: 'temurin'
           java-version: '11' # Always use Java v11 for running tests.
+      - uses: actions/setup-python@v5
+        with:
+          python-version: 3.12
       - name: 'Install node module dependencies'
         run: yarn install --frozen-lockfile
       # We'll need to install the CLI tool, since some of the tests
@@ -44,34 +57,62 @@ jobs:
       # of the tests are integration tests.
       # NOTE: SFCA can come from a tarball built in a previous step,
       #       or be installed as the currently-latest version.
-      - name: Download Scanner Tarball
-        if: ${{ inputs.use-scanner-tarball == true }}
-        id: download
+      - name: Download v4 Scanner Tarball
+        if: ${{ inputs.use-scanner-tarballs == true }}
+        id: download-v4
+        uses: actions/download-artifact@v4
+        with:
+          name: scanner-tarball-${{ inputs.v4-tarball-suffix}}
+          # Download the tarball to a subdirectory of HOME, so it's guaranteed
+          # to be somewhere the installation command can see.
+          path: ~/downloads/tarball-v4
+      - name: Install v4 Scanner Tarball
+        if: ${{ inputs.use-scanner-tarballs == true }}
+        shell: bash
+        run: |
+          # Determine the tarball's name.
+          TARBALL_NAME=$(ls ~/downloads/tarball-v4/sfdx-scanner | grep salesforce-.*\\.tgz)
+          echo $TARBALL_NAME
+          # Figure out where the tarball was downloaded to.
+          # To allow compatibility with Windows, replace backslashes with forward slashes
+          # and rip off a leading `C:` if present.
+          DOWNLOAD_PATH=`echo '${{ steps.download-v4.outputs.download-path }}' | tr '\\' '/'`
+          echo $DOWNLOAD_PATH
+          DOWNLOAD_PATH=`[[ $DOWNLOAD_PATH = C* ]] && echo $DOWNLOAD_PATH | cut -d':' -f 2 || echo $DOWNLOAD_PATH`
+          echo $DOWNLOAD_PATH
+          # Pipe in a `y` to simulate agreeing to install an unsigned package. Use a URI of the file's full path.
+          echo y | sf plugins install "file://${DOWNLOAD_PATH}/sfdx-scanner/${TARBALL_NAME}"
+      - name: Download v5 Scanner Tarball
+        if: ${{ inputs.use-scanner-tarballs == true }}
+        id: download-v5
         uses: actions/download-artifact@v4
         with:
-          name: scanner-tarball
+          name: scanner-tarball-${{ inputs.v5-tarball-suffix }}
           # Download the tarball to a subdirectory of HOME, so it's guaranteed
           # to be somewhere the installation command can see.
-          path: ~/downloads/tarball
-      - name: Install Scanner Tarball
-        if: ${{ inputs.use-scanner-tarball == true }}
+          path: ~/downloads/tarball-v5
+      - name: Install v5 Scanner Tarball
+        if: ${{ inputs.use-scanner-tarballs == true }}
         shell: bash
         run: |
           # Determine the tarball's name.
-          TARBALL_NAME=$(ls ~/downloads/tarball/sfdx-scanner | grep salesforce-sfdx-scanner-[0-9]*\\.[0-9]*\\.[0-9]*\\.tgz)
+          TARBALL_NAME=$(ls ~/downloads/tarball-v5/sfdx-scanner | grep salesforce-.*\\.tgz)
           echo $TARBALL_NAME
           # Figure out where the tarball was downloaded to.
           # To allow compatibility with Windows, replace backslashes with forward slashes
           # and rip off a leading `C:` if present.
-          DOWNLOAD_PATH=`echo '${{ steps.download.outputs.download-path }}' | tr '\\' '/'`
+          DOWNLOAD_PATH=`echo '${{ steps.download-v5.outputs.download-path }}' | tr '\\' '/'`
           echo $DOWNLOAD_PATH
           DOWNLOAD_PATH=`[[ $DOWNLOAD_PATH = C* ]] && echo $DOWNLOAD_PATH | cut -d':' -f 2 || echo $DOWNLOAD_PATH`
           echo $DOWNLOAD_PATH
           # Pipe in a `y` to simulate agreeing to install an unsigned package. Use a URI of the file's full path.
           echo y | sf plugins install "file://${DOWNLOAD_PATH}/sfdx-scanner/${TARBALL_NAME}"
-      - name: Install Production scanner
-        if: ${{ inputs.use-scanner-tarball == false }}
+      - name: Install Production scanner v4
+        if: ${{ inputs.use-scanner-tarballs == false }}
         run: sf  plugins install @salesforce/sfdx-scanner
+      - name: Install Production scanner v5
+        if: ${{ inputs.use-scanner-tarballs == false }}
+        run: sf plugins install code-analyzer
       # Run the tests. (Linux and non-Linux need slightly different commands.)
       - name: 'Run Tests (Linux)'
         run: xvfb-run -a yarn test
 
@@ -17,20 +17,27 @@ jobs:
         id: verify_pr_title
   # RUN TESTS
   # Step 1: Build the scanner tarball so it can be installed locally.
-  build_scanner_tarball:
-    name: 'Build scanner tarball'
+  build_v4_scanner_tarball:
+    name: 'Build v4 scanner tarball'
+    uses: ./.github/workflows/build-scanner-tarball.yml
+    with:
+      target-branch: 'dev-4'
+  build_v5_scanner_tarball:
+    name: 'Build v5 scanner tarball'
     uses: ./.github/workflows/build-scanner-tarball.yml
     with:
       target-branch: 'dev'
   # Step 2: Actually run the tests.
   run_tests:
     name: 'Run unit tests'
-    needs: build_scanner_tarball
+    needs: [build_v4_scanner_tarball, build_v5_scanner_tarball]
     uses: ./.github/workflows/run-tests.yml
     with:
       # We want to validate the extension against whatever version of the scanner we
       # *plan* to publish, not what's *already* published.
-      use-scanner-tarball: true
+      use-scanner-tarballs: true
+      v4-tarball-suffix: 'dev-4'
+      v5-tarball-suffix: 'dev'
   # BUILD A VSIX ARTIFACT
   # Additionally, build a VSIX that can be downloaded by the user if needed.
   create-vsix-artifact:
 
@@ -15,7 +15,7 @@ make sure that their SHA values match the values in the list below.
 shasum -a 256 <location_of_the_downloaded_file>
 
 3. Confirm that the SHA in your output matches the value in this list of SHAs.
-   146d022eebef24a355b117ad38713ac53a006f8e74cae178c6364a302878d3bc  ./extensions/sfdx-code-analyzer-vscode-1.2.0.vsix
+   9fd5830fd646e931d9b7156f97c15872e3739b0d5bfe3085fb65128b6829b3f4  ./extensions/sfdx-code-analyzer-vscode-1.3.0.vsix
 4. Change the filename extension for the file that you downloaded from .zip to
    .vsix.