diff --git a/README.md b/README.md
index f61fdee5c..ec41fa853 100644
--- a/README.md
+++ b/README.md
@@ -2,6 +2,12 @@
 This action runs GitHub's industry-leading static analysis engine, CodeQL, against a repository's source code to find security vulnerabilities. It then automatically uploads the results to GitHub so they can be displayed in the repository's security tab. CodeQL runs an extensible set of [queries](https://github.com/semmle/ql), which have been developed by the community and the [GitHub Security Lab](https://securitylab.github.com/) to find common vulnerabilities in your code.
+## License
+
+This project is released under the [MIT License](LICENSE).
+
+The underlying CodeQL CLI, used in this action, is licensed under the [GitHub CodeQL Terms and Conditions](https://securitylab.github.com/tools/codeql/license). As such, this action may be used on open source projects hosted on GitHub, and on private repositories that are owned by an organisation with GitHub Advanced Security enabled.
+
 ## Usage
 To get code scanning results from CodeQL analysis on your repo you can use the following workflow as a template:
@@ -137,7 +143,7 @@ env:
 to `github/codeql-action/analyze`.
-### If you do not use a vendor directory
+#### If you do not use a vendor directory
 Dependencies on public repositories should just work. If you have dependencies on private repositories, one option is to use `git config` and a [personal access token](https://help.github.com/en/github/authenticating-to-github/creating-a-personal-access-token-for-the-command-line) to authenticate when downloading dependencies. Add a section like 
@@ -163,6 +169,6 @@ dotnet build /p:UseSharedCompilation=false
 Version 3 does not require the additional flag.
-## License
+### Analysing Go together with other languages on `macos-latest`
-This project is released under the [MIT License](LICENSE).
+When running on macos it is currently not possible to analyze Go in conjunction with any of Java, C/C++, or C#. Each language can still be analyzed separately.
\ No newline at end of file
diff --git a/lib/external-queries.js b/lib/external-queries.js
index 253cf2762..90e028938 100644
--- a/lib/external-queries.js
+++ b/lib/external-queries.js
@@ -11,8 +11,9 @@ const core = __importStar(require("@actions/core"));
 const exec = __importStar(require("@actions/exec"));
 const fs = __importStar(require("fs"));
 const path = __importStar(require("path"));
+const util = __importStar(require("./util"));
 async function checkoutExternalQueries(config) {
-const folder = process.env['RUNNER_WORKSPACE'] || '/tmp/codeql-action';
+const folder = util.getRequiredEnvParam('RUNNER_WORKSPACE');
 for (const externalQuery of config.externalQueries) {
 core.info('Checking out ' + externalQuery.repository);
 const checkoutLocation = path.join(folder, externalQuery.repository);
diff --git a/lib/util.js b/lib/util.js
index d12a91044..a9d79bb41 100644
--- a/lib/util.js
+++ b/lib/util.js
@@ -15,6 +15,8 @@ const http = __importStar(require("@actions/http-client"));
 const auth = __importStar(require("@actions/http-client/auth"));
 const octokit = __importStar(require("@octokit/rest"));
 const console_log_level_1 = __importDefault(require("console-log-level"));
+const fs = __importStar(require("fs"));
+const os = __importStar(require("os"));
 const path = __importStar(require("path"));
 const sharedEnv = __importStar(require("./shared-environment"));
 /**
@@ -280,3 +282,11 @@ function getToolNames(sarifContents) {
 return Object.keys(toolNames);
 }
 exports.getToolNames = getToolNames;
+// Creates a random temporary directory, runs the given body, and then deletes the directory.
+// Mostly intended for use within tests.
+async function withTmpDir(body) {
+const tmpDir = fs.mkdtempSync(path.join(os.tmpdir(), 'codeql-action-'));
+await body(tmpDir);
+fs.rmdirSync(tmpDir, { recursive: true });
+}
+exports.withTmpDir = withTmpDir;
diff --git a/src/external-queries.test.ts b/src/external-queries.test.ts
index 088f3a3fe..a79f3f3e5 100644
--- a/src/external-queries.test.ts
+++ b/src/external-queries.test.ts
@@ -3,15 +3,19 @@ import * as path from "path";
 import * as configUtils from "./config-utils";
 import * as externalQueries from "./external-queries";
+import * as util from "./util";
 test("checkoutExternalQueries", async () => {
 let config = new configUtils.Config();
 config.externalQueries = [
 new configUtils.ExternalQuery("github/codeql-go", "df4c6869212341b601005567381944ed90906b6b"),
 ];
-await externalQueries.checkoutExternalQueries(config);
-let destination = process.env["RUNNER_WORKSPACE"] || "/tmp/codeql-action/";
-// COPYRIGHT file existed in df4c6869212341b601005567381944ed90906b6b but not in master
-expect(fs.existsSync(path.join(destination, "github", "codeql-go", "COPYRIGHT"))).toBeTruthy();
+await util.withTmpDir(async tmpDir => {
+process.env["RUNNER_WORKSPACE"] = tmpDir;
+await externalQueries.checkoutExternalQueries(config);
+
+// COPYRIGHT file existed in df4c6869212341b601005567381944ed90906b6b but not in master
+expect(fs.existsSync(path.join(tmpDir, "github", "codeql-go", "COPYRIGHT"))).toBeTruthy();
+});
 });
diff --git a/src/external-queries.ts b/src/external-queries.ts
index c9724148d..a478f538b 100644
--- a/src/external-queries.ts
+++ b/src/external-queries.ts
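Review bot: The test assigns `process.env["RUNNER_WORKSPACE"] = tmpDir` inside the withTmpDir callback and never restores the previous value, so any later test in the same Jest worker that reads RUNNER_WORKSPACE sees a path to a directory withTmpDir has already removed. Save the previous value before the assignment and restore it afterwards, e.g. `const saved = process.env["RUNNER_WORKSPACE"];` before the call and `if (saved === undefined) { delete process.env["RUNNER_WORKSPACE"]; } else { process.env["RUNNER_WORKSPACE"] = saved; }` in a `finally` around the withTmpDir call. The test also performs a real clone of github/codeql-go, so it depends on network access; that was already the case before this change.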
@@ -4,9 +4,10 @@ import * as fs from 'fs';
 import * as path from 'path';
 import * as configUtils from './config-utils';
+import * as util from './util';
 export async function checkoutExternalQueries(config: configUtils.Config) {
-const folder = process.env['RUNNER_WORKSPACE'] || '/tmp/codeql-action';
+const folder = util.getRequiredEnvParam('RUNNER_WORKSPACE');
 for (const externalQuery of config.externalQueries) {
 core.info('Checking out ' + externalQuery.repository);
diff --git a/src/util.ts b/src/util.ts
index cfdd2419c..d17571d5d 100644
--- a/src/util.ts
+++ b/src/util.ts
@@ -3,6 +3,8 @@ import * as http from '@actions/http-client';
 import * as auth from '@actions/http-client/auth';
 import * as octokit from '@octokit/rest';
 import consoleLogLevel from 'console-log-level';
+import * as fs from "fs";
+import * as os from 'os';
 import * as path from 'path';
 import * as sharedEnv from './shared-environment';
@@ -313,3 +315,11 @@ export function getToolNames(sarifContents: string): string[] {
 return Object.keys(toolNames);
 }
+
+// Creates a random temporary directory, runs the given body, and then deletes the directory.
+// Mostly intended for use within tests.
+export async function withTmpDir(body: (tmpDir: string) => Promise) {
+const tmpDir = fs.mkdtempSync(path.join(os.tmpdir(), 'codeql-action-'));
+await body(tmpDir);
+fs.rmdirSync(tmpDir, { recursive: true });
+}
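Review bot: `folder` now comes from a required RUNNER_WORKSPACE, but the checkout location derived from it (visible in the compiled lib/external-queries.js hunk as `path.join(folder, externalQuery.repository)`, and presumably identical here) still takes `repository` from the user-supplied configUtils.Config without any containment check in this function, so unless config-utils already rejects such values a repository string containing `..` segments would place the clone outside the workspace. A check after the join closes this independently of config-utils: `const resolved = path.resolve(checkoutLocation); if (!resolved.startsWith(path.resolve(folder) + path.sep)) { throw new Error('External query repository ' + externalQuery.repository + ' resolves outside RUNNER_WORKSPACE'); }`. The body of checkoutExternalQueries continues past the end of the hunk, so the exact shape of the following lines is inferred from the lib copy.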
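Review bot: withTmpDir removes the directory only on the success path: if `body` rejects, `fs.rmdirSync` is never reached and the mkdtemp directory under os.tmpdir() is leaked, which in the external-queries test above means a failed clone leaves the partial checkout behind. Put the cleanup in a finally block so it runs on both paths: `try { await body(tmpDir); } finally { fs.rmdirSync(tmpDir, { recursive: true }); }`. The same change is needed in the compiled copy in lib/util.js, and the comment above the function could note that the directory is removed even when body throws once that is true.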