update bundle to 20210421 (CLI 2.5.2)

Ignore non-string values in populateRunAutomationDetails

Add automationdetails id to runs

And explicitly document the advanced --trace-process-name and
--trace-process-level args.

See https://github.com/oasis-tcs/sarif-spec/pull/490
See #418

Note that this changes the sarif spec file. Unless this
change is actually merged in the sarif spec repo, the
version used by the action will be slightly different.

PR checks: Run integration tests against both `tools: null` and `tools: latest`

This allows users to specify a different token for retrieving the
codeql config from a different repository.

Fixes https://github.com/github/advanced-security-field/issues/185

Create a prerequisite job that runs the init step twice, with `tools: null` and `tools: latest`.
Use the outputs of these steps to compare the two CodeQL versions.
Pass the list of distinct tool versions for the analysis job to matrix over.
This lets us test the analysis against both versions, while avoiding duplication
when they are actually the same version.

Create a prerequisite job that runs the init step twice, with `tools: null` and `tools: latest`.
Use the outputs of these steps to compare the two CodeQL versions.
Pass the list of distinct tool versions for the integration tests to use in their matrix strategy.
This avoids redundant test jobs when the default and latest bundles are actually the same version of CodeQL.

`~` is accepted by JSON but not by the Actions context language, so we use `null` to indicate the default version.

…s: latest`

Always test against both the default and latest CodeQL bundle.

This improves test coverage shortly after a CodeQL bundle release, where the latest bundle
may not yet be built into the Actions VM image as the default bundle.

It also saves a manual step during bundle release testing,
since we no longer need to temporarily change the PR checks to `tools: latest`.

There is some redundancy when the latest bundle is the same as the default bundle on the VM image,
but this can be considered a test for the `tools: latest` configuration.

…8n-4.0.1

Bump y18n from 4.0.0 to 4.0.1 in /runner

Bump y18n from 4.0.0 to 4.0.1

Bumps [y18n](https://github.com/yargs/y18n) from 4.0.0 to 4.0.1.
- [Release notes](https://github.com/yargs/y18n/releases)
- [Changelog](https://github.com/yargs/y18n/blob/master/CHANGELOG.md)
- [Commits](https://github.com/yargs/y18n/commits)

Signed-off-by: dependabot[bot] <support@github.com>

Bumps [y18n](https://github.com/yargs/y18n) from 4.0.0 to 4.0.1.
- [Release notes](https://github.com/yargs/y18n/releases)
- [Changelog](https://github.com/yargs/y18n/blob/master/CHANGELOG.md)
- [Commits](https://github.com/yargs/y18n/commits)

Signed-off-by: dependabot[bot] <support@github.com>

Add special error message case for dependabot

Update CodeQL bundle to 20210326

This reverts commit d8216de.