Update supported Java version

Merge pull request #18872 from paldepind/rust-ref-mut
Rust: Allow SSA and some data flow for mutable borrows
2026-05-18 05:07:06 +02:00 · 2025-03-04 10:04:35 +00:00 · 2025-03-04 09:25:18 +01:00 · 2025-03-04 08:51:04 +01:00 · 2025-03-03 15:32:15 +01:00 · 2025-03-03 15:32:15 +01:00
2774 changed files with 155103 additions and 79236 deletions
--- a/.bazelrc
+++ b/.bazelrc
@@ -2,6 +2,9 @@ common --enable_platform_specific_config
 # because we use --override_module with `%workspace%`, the lock file is not stable
 common --lockfile_mode=off

+# Build release binaries by default, can be overwritten to in local.bazelrc and set to `fastbuild` or `dbg`
+build --compilation_mode opt
+
 # when building from this repository in isolation, the internal repository will not be found at ..
 # where `MODULE.bazel` looks for it. The following will get us past the module loading phase, so
 # that we can build things that do not rely on that
@@ -9,6 +12,9 @@ common --override_module=semmle_code=%workspace%/misc/bazel/semmle_code_stub

 build --repo_env=CC=clang --repo_env=CXX=clang++

+# print test output, like sembuild does.
+# Set to `errors` if this is too verbose.
+test --test_output all
 # we use transitions that break builds of `...`, so for `test` to work with that we need the following
 test --build_tests_only

--- a/.devcontainer/swift/Dockerfile
+++ b/.devcontainer/swift/Dockerfile
@@ -1,9 +0,0 @@
-# See here for image contents: https://github.com/microsoft/vscode-dev-containers/tree/v0.236.0/containers/cpp/.devcontainer/base.Dockerfile
-
-# [Choice] Debian / Ubuntu version (use Debian 11, Ubuntu 18.04/22.04 on local arm64/Apple Silicon): debian-11, debian-10, ubuntu-22.04, ubuntu-20.04, ubuntu-18.04
-FROM mcr.microsoft.com/vscode/devcontainers/cpp:0-ubuntu-22.04
-
-USER root
-ADD root.sh /tmp/root.sh
-ADD update-codeql.sh /usr/local/bin/update-codeql
-RUN bash /tmp/root.sh && rm /tmp/root.sh
--- a/.devcontainer/swift/devcontainer.json
+++ b/.devcontainer/swift/devcontainer.json
@@ -1,25 +0,0 @@
-{
-	"extensions": [
-		"github.vscode-codeql",
-		"hbenl.vscode-test-explorer",
-		"ms-vscode.test-adapter-converter",
-		"slevesque.vscode-zipexplorer",
-		"ms-vscode.cpptools"
-	],
-	"settings": {
-		"files.watcherExclude": {
-			"**/target/**": true
-		},
-		"codeQL.runningQueries.memory": 2048
-	},
-	"build": {
-		"dockerfile": "Dockerfile",
-	},
-	"runArgs": [
-		"--cap-add=SYS_PTRACE",
-		"--security-opt",
-		"seccomp=unconfined"
-	],
-	"remoteUser": "vscode",
-	"onCreateCommand": ".devcontainer/swift/user.sh"
-}
--- a/.devcontainer/swift/root.sh
+++ b/.devcontainer/swift/root.sh
@@ -1,34 +0,0 @@
-set -xe
-
-BAZELISK_VERSION=v1.12.0
-BAZELISK_DOWNLOAD_SHA=6b0bcb2ea15bca16fffabe6fda75803440375354c085480fe361d2cbf32501db
-
-# install git lfs apt source
-curl -s https://packagecloud.io/install/repositories/github/git-lfs/script.deb.sh | bash
-
-# install gh apt source
-(type -p wget >/dev/null || (sudo apt update && sudo apt-get install wget -y)) \
-&& sudo mkdir -p -m 755 /etc/apt/keyrings \
-&& wget -qO- https://cli.github.com/packages/githubcli-archive-keyring.gpg | sudo tee /etc/apt/keyrings/githubcli-archive-keyring.gpg > /dev/null \
-&& sudo chmod go+r /etc/apt/keyrings/githubcli-archive-keyring.gpg \
-&& echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/githubcli-archive-keyring.gpg] https://cli.github.com/packages stable main" | sudo tee /etc/apt/sources.list.d/github-cli.list > /dev/null \
-
-apt-get update
-export DEBIAN_FRONTEND=noninteractive
-apt-get -y install --no-install-recommends \
-    zlib1g-dev \
-    uuid-dev \
-    python3-distutils \
-    python3-pip \
-    bash-completion \
-    git-lfs \
-    gh
-
-# Install Bazel
-curl -fSsL -o /usr/local/bin/bazelisk https://github.com/bazelbuild/bazelisk/releases/download/${BAZELISK_VERSION}/bazelisk-linux-amd64
-echo "${BAZELISK_DOWNLOAD_SHA} */usr/local/bin/bazelisk" | sha256sum --check -
-chmod 0755 /usr/local/bin/bazelisk
-ln -s bazelisk /usr/local/bin/bazel
-
-# install latest codeql
-update-codeql
--- a/.devcontainer/swift/update-codeql.sh
+++ b/.devcontainer/swift/update-codeql.sh
@@ -1,20 +0,0 @@
-#!/bin/bash -e
-
-URL=https://github.com/github/codeql-cli-binaries/releases
-LATEST_VERSION=$(curl -L -s -H 'Accept: application/json' $URL/latest | sed -e 's/.*"tag_name":"\([^"]*\)".*/\1/')
-CURRENT_VERSION=v$(codeql version 2>/dev/null | sed -ne 's/.*release \([0-9.]*\)\./\1/p')
-if [[ $CURRENT_VERSION != $LATEST_VERSION ]]; then
-  if [[ $UID != 0 ]]; then
-    echo "update required, please run this script with sudo:"
-    echo "  sudo $0"
-    exit 1
-  fi
-  ZIP=$(mktemp codeql.XXXX.zip)
-  curl -fSqL -o $ZIP $URL/download/$LATEST_VERSION/codeql-linux64.zip
-  unzip -q $ZIP -d /opt
-  rm $ZIP
-  ln -sf /opt/codeql/codeql /usr/local/bin/codeql
-  echo installed version $LATEST_VERSION
-else
-  echo current version $CURRENT_VERSION is up-to-date
-fi
--- a/.devcontainer/swift/user.sh
+++ b/.devcontainer/swift/user.sh
@@ -1,15 +0,0 @@
-set -xe
-
-git lfs install
-
-# add the workspace to the codeql search path
-mkdir -p /home/vscode/.config/codeql
-echo "--search-path /workspaces/codeql" > /home/vscode/.config/codeql/config
-
-# create a swift extractor pack with the current state
-cd /workspaces/codeql
-bazel run swift/create-extractor-pack
-
-#install and set up pre-commit
-python3 -m pip install pre-commit --no-warn-script-location
-$HOME/.local/bin/pre-commit install
--- a/.github/pull_request_template.md
+++ b/.github/pull_request_template.md
@@ -1,14 +0,0 @@
-### Pull Request checklist
-
-#### All query authors
-
- [ ] A change note is added if necessary. See [the documentation](https://github.com/github/codeql/blob/main/docs/change-notes.md) in this repository.
- [ ] All new queries have appropriate `.qhelp`. See [the documentation](https://github.com/github/codeql/blob/main/docs/query-help-style-guide.md) in this repository.
- [ ] QL tests are added if necessary. See [Testing custom queries](https://docs.github.com/en/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/testing-custom-queries) in the GitHub documentation.
- [ ] New and changed queries have correct query metadata. See [the documentation](https://github.com/github/codeql/blob/main/docs/query-metadata-style-guide.md) in this repository.
-
-#### Internal query authors only
-
- [ ] Autofixes generated based on these changes are valid, only needed if this PR makes significant changes to `.ql`, `.qll`, or `.qhelp` files. See [the documentation](https://github.com/github/codeql-team/blob/main/docs/best-practices/validating-autofix-for-query-changes.md) (internal access required).
- [ ] Changes are validated [at scale](https://github.com/github/codeql-dca/) (internal access required).
- [ ] Adding a new query? Consider also [adding the query to autofix](https://github.com/github/codeml-autofix/blob/main/docs/updating-query-support.md#adding-a-new-query-to-the-query-suite).
--- a/.github/workflows/go-tests-other-os.yml
+++ b/.github/workflows/go-tests-other-os.yml
@@ -3,6 +3,7 @@ on:
  pull_request:
    paths:
      - "go/**"
+      - "!go/documentation/**"
      - "!go/ql/**" # don't run other-os if only ql/ files changed
      - .github/workflows/go-tests-other-os.yml
      - .github/actions/**
--- a/.github/workflows/go-tests.yml
+++ b/.github/workflows/go-tests.yml
@@ -3,6 +3,7 @@ on:
  push:
    paths:
      - "go/**"
+      - "!go/documentation/**"
      - "shared/**"
      - .github/workflows/go-tests.yml
      - .github/actions/**
@@ -13,6 +14,7 @@ on:
  pull_request:
    paths:
      - "go/**"
+      - "!go/documentation/**"      
      - "shared/**"
      - .github/workflows/go-tests.yml
      - .github/actions/**
--- a/.github/workflows/swift.yml
+++ b/.github/workflows/swift.yml
@@ -48,12 +48,6 @@ jobs:
    steps:
      - uses: actions/checkout@v4
      - uses: ./swift/actions/build-and-test
-  build-and-test-linux:
-    if: github.repository_owner == 'github'
-    runs-on: ubuntu-22.04
-    steps:
-      - uses: actions/checkout@v4
-      - uses: ./swift/actions/build-and-test
  qltests-macos:
    if: ${{ github.repository_owner == 'github' && github.event_name == 'pull_request' }}
    needs: build-and-test-macos
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -415,7 +415,6 @@ dependencies = [
 "figment",
 "glob",
 "itertools 0.14.0",
- "log 0.4.22",
 "num-traits",
 "ra_ap_base_db",
 "ra_ap_cfg",
@@ -435,8 +434,10 @@ dependencies = [
 "serde",
 "serde_json",
 "serde_with",
- "stderrlog",
 "toml",
+ "tracing",
+ "tracing-flame",
+ "tracing-subscriber",
 "triomphe",
 ]

@@ -800,12 +801,6 @@ version = "0.3.9"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "d231dfb89cfffdbc30e7fc41579ed6066ad03abda9e567ccafae602b97ec5024"

-[[package]]
-name = "hermit-abi"
-version = "0.4.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "fbf6a919d6cf397374f7dfeeea91d974c7c0a7221d0d0f4f20d859d329e53fcc"
-
 [[package]]
 name = "hex"
 version = "0.4.3"
@@ -898,17 +893,6 @@ dependencies = [
 "libc",
 ]

-[[package]]
-name = "is-terminal"
-version = "0.4.13"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "261f68e344040fbd0edea105bef17c66edf46f984ddb1115b775ce31be948f4b"
-dependencies = [
- "hermit-abi 0.4.0",
- "libc",
- "windows-sys 0.52.0",
-]
-
 [[package]]
 name = "is_terminal_polyfill"
 version = "1.70.1"
@@ -1165,7 +1149,7 @@ version = "1.16.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "4161fcb6d602d4d2081af7c3a45852d875a03dd337a6bfdd6e06407b61342a43"
 dependencies = [
- "hermit-abi 0.3.9",
+ "hermit-abi",
 "libc",
 ]

@@ -2190,19 +2174,6 @@ version = "1.2.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "a8f112729512f8e442d81f95a8a7ddf2b7c6b8a1a6f509a95864142b30cab2d3"

-[[package]]
-name = "stderrlog"
-version = "0.6.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "61c910772f992ab17d32d6760e167d2353f4130ed50e796752689556af07dc6b"
-dependencies = [
- "chrono",
- "is-terminal",
- "log 0.4.22",
- "termcolor",
- "thread_local",
-]
-
 [[package]]
 name = "streaming-iterator"
 version = "0.1.9"
@@ -2237,15 +2208,6 @@ dependencies = [
 "syn",
 ]

-[[package]]
-name = "termcolor"
-version = "1.1.3"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "bab24d30b911b2376f3a13cc2cd443142f0c81dda04c118693e35b3835757755"
-dependencies = [
- "winapi-util",
-]
-
 [[package]]
 name = "text-size"
 version = "1.1.1"
@@ -2379,6 +2341,17 @@ dependencies = [
 "valuable",
 ]

+[[package]]
+name = "tracing-flame"
+version = "0.2.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "0bae117ee14789185e129aaee5d93750abe67fdc5a9a62650452bfe4e122a3a9"
+dependencies = [
+ "lazy_static",
+ "tracing",
+ "tracing-subscriber",
+]
+
 [[package]]
 name = "tracing-log"
 version = "0.2.0"
--- a/2
+++ b/2
@@ -1,6 +1,6 @@
 MIT License

-Copyright (c) 2006-2020 GitHub, Inc.
+Copyright (c) 2006-2025 GitHub, Inc.

 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal
--- a/MODULE.bazel
+++ b/MODULE.bazel
@@ -14,7 +14,7 @@ local_path_override(

 # see https://registry.bazel.build/ for a list of available packages

-bazel_dep(name = "platforms", version = "0.0.10")
+bazel_dep(name = "platforms", version = "0.0.11")
 bazel_dep(name = "rules_go", version = "0.50.1")
 bazel_dep(name = "rules_pkg", version = "1.0.1")
 bazel_dep(name = "rules_nodejs", version = "6.2.0-codeql.1")
@@ -28,7 +28,7 @@ bazel_dep(name = "rules_kotlin", version = "2.0.0-codeql.1")
 bazel_dep(name = "gazelle", version = "0.40.0")
 bazel_dep(name = "rules_dotnet", version = "0.17.4")
 bazel_dep(name = "googletest", version = "1.14.0.bcr.1")
-bazel_dep(name = "rules_rust", version = "0.52.2")
+bazel_dep(name = "rules_rust", version = "0.57.1")
 bazel_dep(name = "zstd", version = "1.5.5.bcr.1")

 bazel_dep(name = "buildifier_prebuilt", version = "6.4.0", dev_dependency = True)
@@ -53,29 +53,17 @@ use_repo(rust, "rust_toolchains")

 register_toolchains("@rust_toolchains//:all")

-rust_host_tools = use_extension("@rules_rust//rust:extensions.bzl", "rust_host_tools")
-
-# Don't download a second toolchain as host toolchain, make sure this is the same version as above
-# The host toolchain is used for vendoring dependencies.
-rust_host_tools.host_tools(
-    edition = RUST_EDITION,
-    version = RUST_VERSION,
-)
-
 # deps for python extractor
 # keep in sync by running `misc/bazel/3rdparty/update_cargo_deps.sh`
 py_deps = use_extension("//misc/bazel/3rdparty:py_deps_extension.bzl", "p")
 use_repo(
    py_deps,
-    "vendor__anyhow-1.0.44",
-    "vendor__cc-1.0.70",
-    "vendor__clap-2.33.3",
-    "vendor__regex-1.5.5",
-    "vendor__smallvec-1.6.1",
-    "vendor__string-interner-0.12.2",
-    "vendor__thiserror-1.0.29",
-    "vendor__tree-sitter-0.20.4",
-    "vendor__tree-sitter-graph-0.7.0",
+    "vendor_py__anyhow-1.0.95",
+    "vendor_py__cc-1.2.14",
+    "vendor_py__clap-4.5.30",
+    "vendor_py__regex-1.11.1",
+    "vendor_py__tree-sitter-0.20.4",
+    "vendor_py__tree-sitter-graph-0.7.0",
 )

 # deps for ruby+rust
@@ -96,7 +84,6 @@ use_repo(
    "vendor__globset-0.4.15",
    "vendor__itertools-0.14.0",
    "vendor__lazy_static-1.5.0",
-    "vendor__log-0.4.22",
    "vendor__mustache-0.9.0",
    "vendor__num-traits-0.2.19",
    "vendor__num_cpus-1.16.0",
@@ -123,10 +110,10 @@ use_repo(
    "vendor__serde-1.0.217",
    "vendor__serde_json-1.0.135",
    "vendor__serde_with-3.12.0",
-    "vendor__stderrlog-0.6.0",
    "vendor__syn-2.0.96",
    "vendor__toml-0.8.19",
    "vendor__tracing-0.1.41",
+    "vendor__tracing-flame-0.2.0",
    "vendor__tracing-subscriber-0.3.19",
    "vendor__tree-sitter-0.24.6",
    "vendor__tree-sitter-embedded-template-0.23.2",
@@ -218,6 +205,7 @@ use_repo(
    "kotlin-compiler-2.0.0-RC1",
    "kotlin-compiler-2.0.20-Beta2",
    "kotlin-compiler-2.1.0-Beta1",
+    "kotlin-compiler-2.1.20-Beta1",
    "kotlin-compiler-embeddable-1.5.0",
    "kotlin-compiler-embeddable-1.5.10",
    "kotlin-compiler-embeddable-1.5.20",
@@ -232,6 +220,7 @@ use_repo(
    "kotlin-compiler-embeddable-2.0.0-RC1",
    "kotlin-compiler-embeddable-2.0.20-Beta2",
    "kotlin-compiler-embeddable-2.1.0-Beta1",
+    "kotlin-compiler-embeddable-2.1.20-Beta1",
    "kotlin-stdlib-1.5.0",
    "kotlin-stdlib-1.5.10",
    "kotlin-stdlib-1.5.20",
@@ -246,10 +235,11 @@ use_repo(
    "kotlin-stdlib-2.0.0-RC1",
    "kotlin-stdlib-2.0.20-Beta2",
    "kotlin-stdlib-2.1.0-Beta1",
+    "kotlin-stdlib-2.1.20-Beta1",
 )

 go_sdk = use_extension("@rules_go//go:extensions.bzl", "go_sdk")
-go_sdk.download(version = "1.23.1")
+go_sdk.download(version = "1.24.0")

 go_deps = use_extension("@gazelle//:extensions.bzl", "go_deps")
 go_deps.from_file(go_mod = "//go/extractor:go.mod")
--- a/actions/extractor/BUILD.bazel
+++ b/actions/extractor/BUILD.bazel
@@ -4,7 +4,9 @@ codeql_pkg_files(
    name = "extractor",
    srcs = [
        "codeql-extractor.yml",
-    ] + glob(["tools/**"]),
+        "//:LICENSE",
+    ],
+    exes = glob(["tools/**"]),
    strip_prefix = strip_prefix.from_pkg(),
    visibility = ["//actions:__pkg__"],
 )
--- a/actions/extractor/tools/autobuild-impl.ps1
+++ b/actions/extractor/tools/autobuild-impl.ps1
@@ -2,10 +2,16 @@ if (($null -ne $env:LGTM_INDEX_INCLUDE) -or ($null -ne $env:LGTM_INDEX_EXCLUDE)
    Write-Output 'Path filters set. Passing them through to the JavaScript extractor.' 
 } else {
    Write-Output 'No path filters set. Using the default filters.'
+    # Note: We're adding the `reusable_workflows` subdirectories to proactively
+    # record workflows that were called cross-repo, check them out locally,
+    # and enable an interprocedural analysis across the workflow files.
+    # These workflows follow the convention `.github/reusable_workflows/<nwo>/*.ya?ml`
    $DefaultPathFilters = @(
        'exclude:**/*',
-        'include:.github/workflows/**/*.yml',
-        'include:.github/workflows/**/*.yaml',
+        'include:.github/workflows/*.yml',
+        'include:.github/workflows/*.yaml',
+        'include:.github/reusable_workflows/**/*.yml',
+        'include:.github/reusable_workflows/**/*.yaml',
        'include:**/action.yml',
        'include:**/action.yaml'
    )
--- a/actions/extractor/tools/autobuild.sh
+++ b/actions/extractor/tools/autobuild.sh
@@ -2,10 +2,16 @@

 set -eu

+# Note: We're adding the `reusable_workflows` subdirectories to proactively
+# record workflows that were called cross-repo, check them out locally,
+# and enable an interprocedural analysis across the workflow files.
+# These workflows follow the convention `.github/reusable_workflows/<nwo>/*.ya?ml`
 DEFAULT_PATH_FILTERS=$(cat << END
 exclude:**/*
-include:.github/workflows/**/*.yml
-include:.github/workflows/**/*.yaml
+include:.github/workflows/*.yml
+include:.github/workflows/*.yaml
+include:.github/reusable_workflows/**/*.yml
+include:.github/reusable_workflows/**/*.yaml
 include:**/action.yml
 include:**/action.yaml
 END
--- a/actions/ql/extensions/immutable-actions-list/ext/immutable_actions.yml
+++ b/actions/ql/extensions/immutable-actions-list/ext/immutable_actions.yml
@@ -0,0 +1,28 @@
+extensions:
+  - addsTo:
+      pack: codeql/actions-all
+      extensible: immutableActionsDataModel
+    data:
+      - ["actions/checkout"]
+      - ["actions/cache"]
+      - ["actions/setup-node"]
+      - ["actions/upload-artifact"]
+      - ["actions/setup-python"]
+      - ["actions/download-artifact"]
+      - ["actions/github-script"]
+      - ["actions/setup-java"]
+      - ["actions/setup-go"]
+      - ["actions/upload-pages-artifact"]
+      - ["actions/deploy-pages"]
+      - ["actions/setup-dotnet"]
+      - ["actions/stale"]
+      - ["actions/labeler"]
+      - ["actions/create-github-app-token"]
+      - ["actions/configure-pages"]
+      - ["github/codeql-action/analyze"]
+      - ["github/codeql-action/autobuild"]
+      - ["github/codeql-action/init"]
+      - ["github/codeql-action/resolve-environment"]
+      - ["github/codeql-action/start-proxy"]
+      - ["github/codeql-action/upload-sarif"]
+      - ["octokit/request-action"]
--- a/actions/ql/extensions/immutable-actions-list/qlpack.yml
+++ b/actions/ql/extensions/immutable-actions-list/qlpack.yml
@@ -0,0 +1,14 @@
+# Model pack containing the list of known immutable actions. The Immutable Actions feature is not
+# yet released, so this pack will only be used within GitHub. Once the feature is available to
+# customers, we will move the contents of this pack back into the standard library pack.
+name: codeql/immutable-actions-list
+version: 0.0.1-dev
+library: true
+warnOnImplicitThis: true
+extensionTargets:
+  # We expect to need this model pack even after GA of Actions analysis, so make it compatible with
+  # all future prereleases plus 1.x.x. We should be able to remove this back before we need to
+  # bump the major version to 2.
+  codeql/actions-all: ">=0.4.3 <2.0.0"
+dataExtensions:
+- ext/**/*.yml
--- a/actions/ql/lib/CHANGELOG.md
+++ b/actions/ql/lib/CHANGELOG.md
@@ -1,3 +1,16 @@
+## 0.4.3
+
+### New Features
+
+* The "Unpinned tag for a non-immutable Action in workflow" query (`actions/unpinned-tag`) now supports expanding the trusted action owner list using data extensions (`extensible: trustedActionsOwnerDataModel`). If you trust an Action publisher, you can include the owner name/organization in a model pack to add it to the allow list for this query. This addition will prevent security alerts when using unpinned tags for Actions published by that owner. For more information on creating a model pack, see [Creating a CodeQL Model Pack](https://docs.github.com/en/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/creating-and-working-with-codeql-packs#creating-a-codeql-model-pack).
+
+## 0.4.2
+
+### Bug Fixes
+
+* Fixed data for vulnerable versions of `actions/download-artifact` and `rlespinasse/github-slug-action` (following GHSA-cxww-7g56-2vh6 and GHSA-6q4m-7476-932w).
+* Improved `untrustedGhCommandDataModel` regex for `gh pr view` and Bash taint analysis in GitHub Actions.
+
 ## 0.4.1

 No user-facing changes.
--- a/actions/ql/lib/change-notes/released/0.4.2.md
+++ b/actions/ql/lib/change-notes/released/0.4.2.md
@@ -0,0 +1,6 @@
+## 0.4.2
+
+### Bug Fixes
+
+* Fixed data for vulnerable versions of `actions/download-artifact` and `rlespinasse/github-slug-action` (following GHSA-cxww-7g56-2vh6 and GHSA-6q4m-7476-932w).
+* Improved `untrustedGhCommandDataModel` regex for `gh pr view` and Bash taint analysis in GitHub Actions.
--- a/actions/ql/lib/change-notes/released/0.4.3.md
+++ b/actions/ql/lib/change-notes/released/0.4.3.md
@@ -0,0 +1,5 @@
+## 0.4.3
+
+### New Features
+
+* The "Unpinned tag for a non-immutable Action in workflow" query (`actions/unpinned-tag`) now supports expanding the trusted action owner list using data extensions (`extensible: trustedActionsOwnerDataModel`). If you trust an Action publisher, you can include the owner name/organization in a model pack to add it to the allow list for this query. This addition will prevent security alerts when using unpinned tags for Actions published by that owner. For more information on creating a model pack, see [Creating a CodeQL Model Pack](https://docs.github.com/en/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/creating-and-working-with-codeql-packs#creating-a-codeql-model-pack).
--- a/actions/ql/lib/codeql-pack.release.yml
+++ b/actions/ql/lib/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.4.1
+lastReleaseVersion: 0.4.3
--- a/actions/ql/lib/codeql/actions/Bash.qll
+++ b/actions/ql/lib/codeql/actions/Bash.qll
@@ -81,7 +81,9 @@ class BashShellScript extends ShellScript {
          "qstr:" + k + ":" + i + ":" + j + ":" + quotedStr.length() + ":" +
            quotedStr.regexpReplaceAll("[^a-zA-Z0-9]", "")
      )
-    )
+    ) and
+    // Only do this for strings that might otherwise disrupt subsequent parsing
+    quotedStr.regexpMatch("[\"'].*[$\n\r'\"" + Bash::separator() + "].*[\"']")
  }

  private predicate rankedQuotedStringReplacements(int i, string old, string new) {
@@ -695,6 +697,19 @@ module Bash {
      not varMatchesRegexTest(script, var2, alphaNumericRegex())
    )
    or
+    exists(string var2, string value2, string var3, string value3 |
+      // VAR2=$(cmd)
+      // VAR3=$VAR2
+      // echo "FIELD=${VAR3:-default}" >> $GITHUB_ENV (field, file_write_value)
+      containsCmdSubstitution(value2, cmd) and
+      script.getAnAssignment(var2, value2) and
+      containsParameterExpansion(value3, var2, _, _) and
+      script.getAnAssignment(var3, value3) and
+      containsParameterExpansion(expr, var3, _, _) and
+      not varMatchesRegexTest(script, var2, alphaNumericRegex()) and
+      not varMatchesRegexTest(script, var3, alphaNumericRegex())
+    )
+    or
    // var reaches the file write directly
    // echo "FIELD=$(cmd)" >> $GITHUB_ENV (field, file_write_value)
    containsCmdSubstitution(expr, cmd)
--- a/actions/ql/lib/codeql/actions/config/Config.qll
+++ b/actions/ql/lib/codeql/actions/config/Config.qll
@@ -126,6 +126,15 @@ predicate vulnerableActionsDataModel(
 */
 predicate immutableActionsDataModel(string action) { Extensions::immutableActionsDataModel(action) }

+/**
+ * MaD models for trusted actions owners
+ * Fields:
+ *    - owner: owner name
+ */
+predicate trustedActionsOwnerDataModel(string owner) {
+  Extensions::trustedActionsOwnerDataModel(owner)
+}
+
 /**
 * MaD models for untrusted git commands
 * Fields:
--- a/actions/ql/lib/codeql/actions/config/ConfigExtensions.qll
+++ b/actions/ql/lib/codeql/actions/config/ConfigExtensions.qll
@@ -63,6 +63,11 @@ extensible predicate vulnerableActionsDataModel(
 */
 extensible predicate immutableActionsDataModel(string action);

+/**
+ * Holds for trusted Actions owners.
+ */
+extensible predicate trustedActionsOwnerDataModel(string owner);
+
 /**
 * Holds for git commands that may introduce untrusted data when called on an attacker controlled branch.
 */
--- a/actions/ql/lib/codeql/actions/controlflow/internal/Cfg.qll
+++ b/actions/ql/lib/codeql/actions/controlflow/internal/Cfg.qll
@@ -134,6 +134,10 @@ private module Implementation implements CfgShared::InputSig<Location> {
  SuccessorType getAMatchingSuccessorType(Completion c) { result = c.getAMatchingSuccessorType() }

  predicate isAbnormalExitType(SuccessorType t) { none() }
+
+  int idOfAstNode(AstNode node) { none() }
+
+  int idOfCfgScope(CfgScope scope) { none() }
 }

 module CfgImpl = CfgShared::Make<Location, Implementation>;
--- a/actions/ql/lib/ext/config/immutable_actions.yml
+++ b/actions/ql/lib/ext/config/immutable_actions.yml
@@ -2,21 +2,9 @@ extensions:
  - addsTo:
      pack: codeql/actions-all
      extensible: immutableActionsDataModel
-    data:
-      - ["actions/checkout"]
-      - ["actions/cache"]
-      - ["actions/setup-node"]
-      - ["actions/upload-artifact"]
-      - ["actions/setup-python"]
-      - ["actions/download-artifact"]
-      - ["actions/github-script"]
-      - ["actions/setup-java"]
-      - ["actions/setup-go"]
-      - ["actions/upload-pages-artifact"]
-      - ["actions/deploy-pages"]
-      - ["actions/setup-dotnet"]
-      - ["actions/stale"]
-      - ["actions/labeler"]
-      - ["actions/create-github-app-token"]
-      - ["actions/configure-pages"]
-      - ["octokit/request-action"]
+    # Since the Immutable Actions feature is not yet available to customers, we won't alert about
+    # any unversioned immutable action references for now. Within GitHub, we'll include the
+    # `codeql/immutable-actions-list` model pack, which will provide the necessary list of actions
+    # for internal use. Once the feature is available to customers, we'll move that list back into
+    # this file.
+    data: []
--- a/actions/ql/lib/ext/config/trusted_actions_owner.yml
+++ b/actions/ql/lib/ext/config/trusted_actions_owner.yml
@@ -0,0 +1,8 @@
+extensions:
+  - addsTo: 
+      pack: codeql/actions-all
+      extensible: trustedActionsOwnerDataModel
+    data:      
+      - ["actions"]
+      - ["github"]
+      - ["advanced-security"]
--- a/actions/ql/lib/ext/config/untrusted_gh_command.yml
+++ b/actions/ql/lib/ext/config/untrusted_gh_command.yml
@@ -7,26 +7,29 @@ extensions:
      # PULL REQUESTS
      #
      # HEAD_REF=$(gh pr view "${{ github.event.issue.number }}" --json headRefName -q '.headRefName')
-      - ["gh\\s+pr\\b.*\\bview\\b.*\\.headRefName.*", "branch,oneline"]
+      - ["gh\\s+pr\\b.*\\bview\\b.*\\bheadRefName\\b", "branch,oneline"]
      # TITLE=$(gh pr view $PR_NUMBER --json title --jq .title)
-      - ["gh\\s+pr\\b.*\\bview\\b.*\\.title.*", "title,oneline"]
+      # TITLE=$(gh pr view $PR_NUMBER --json "title")
+      - ["gh\\s+pr\\b.*\\bview\\b.*\\btitle\\b", "title,oneline"]
      # BODY=$(gh pr view $PR_NUMBER --json body --jq .body)
-      - ["gh\\s+pr\\b.*\\bview\\b.*\\.body.*", "text,multiline"]
+      - ["gh\\s+pr\\b.*\\bview\\b.*\\bbody\\b", "text,multiline"]
      # COMMENTS="$(gh pr view --repo ${{ github.repository }} "$PR_NUMBER" --json "body,comments" -q '.body, .comments[].body')"
-      - ["gh\\s+pr\\b.*\\bview\\b.*\\.comments.*", "text,multiline"]
+      - ["gh\\s+pr\\b.*\\bview\\b.*\\bcomments\\b", "text,multiline"]
      # CHANGED_FILES="$(gh pr view --repo ${{ github.repository }} ${{ needs.check-comment.outputs.pull_number }} --json files --jq '.files.[].path')"
-      - ["gh\\s+pr\\b.*\\bview\\b.*\\.files.*", "filename,multiline"]
+      - ["gh\\s+pr\\b.*\\bview\\b.*\\bfiles\\b", "filename,multiline"]
      # AUTHOR=$(gh pr view ${ORI_PR} -R ${REPO} --json author -q '.author.login') 
-      - ["gh\\s+pr\\b.*\\bview\\b.*\\.author.*", "username,oneline"]
+      - ["gh\\s+pr\\b.*\\bview\\b.*\\bauthor\\b", "username,oneline"]
      #
      # ISSUES
      #
      # TITLE=$(gh issue view "$ISSUE_NUMBER" --json title --jq '.title')
-      - ["gh\\s+issue\\b.*\\bview\\b.*\\.title.*", "title,oneline"]
+      # TITLE=$(gh issue view "$ISSUE_NUMBER" --json title,body)
+      # TITLE=$(gh issue view "$ISSUE_NUMBER" --json "title,body")
+      - ["gh\\s+issue\\b.*\\bview\\b.*\\btitle\\b", "title,oneline"]
      # BODY=$(gh issue view -R ${GITHUB_REPOSITORY} ${ORIGINAL_ISSUE_NUMBER} --json title,body,assignees --jq .body)
-      - ["gh\\s+issue\\b.*\\bview\\b.*\\.body.*", "text,multiline"]
+      - ["gh\\s+issue\\b.*\\bview\\b.*\\bbody\\b", "text,multiline"]
      # COMMENTS=$(gh issue view "$ISSUE_NUMBER" --json comments --jq '.comments[].body')
-      - ["gh\\s+issue\\b.*\\bview\\b.*\\.comments.*", "text,multiline"]
+      - ["gh\\s+issue\\b.*\\bview\\b.*\\bcomments\\b", "text,multiline"]
      #
      # API
      #
--- a/actions/ql/lib/ext/config/vulnerable_actions.yml
+++ b/actions/ql/lib/ext/config/vulnerable_actions.yml
@@ -6,38 +6,12 @@ extensions:

      # gh api /repos/actions/download-artifact/tags --jq 'map({name: .name, sha: .commit.sha})' --paginate | jq -r '.[] | "- \"\(.name)\", \"\(.sha)\""'

-      #
      # actions/download-artifact
-      - ["actions/download-artifact", "v4.1.6", "9c19ed7fe5d278cd354c7dfd5d3b88589c7e2395", "4.1.7"]
-      - ["actions/download-artifact", "v4.1.5", "8caf195ad4b1dee92908e23f56eeb0696f1dd42d", "4.1.7"]
-      - ["actions/download-artifact", "v4.1.4", "c850b930e6ba138125429b7e5c93fc707a7f8427", "4.1.7"]
-      - ["actions/download-artifact", "v4.1.3", "87c55149d96e628cc2ef7e6fc2aab372015aec85", "4.1.7"]
-      - ["actions/download-artifact", "v4.1.2", "eaceaf801fd36c7dee90939fad912460b18a1ffe", "4.1.7"]
-      - ["actions/download-artifact", "v4.1.1", "6b208ae046db98c579e8a3aa621ab581ff575935", "4.1.7"]
-      - ["actions/download-artifact", "v4.1.0", "f44cd7b40bfd40b6aa1cc1b9b5b7bf03d3c67110", "4.1.7"]
-      - ["actions/download-artifact", "v4.0.0", "7a1cd3216ca9260cd8022db641d960b1db4d1be4", "4.1.7"]
-      - ["actions/download-artifact", "v3.0.2", "9bc31d5ccc31df68ecc42ccf4149144866c47d8a", "4.1.7"]
-      - ["actions/download-artifact", "v3.0.1", "9782bd6a9848b53b110e712e20e42d89988822b7", "4.1.7"]
-      - ["actions/download-artifact", "v3.0.0", "fb598a63ae348fa914e94cd0ff38f362e927b741", "4.1.7"]
-      - ["actions/download-artifact", "v3", "9bc31d5ccc31df68ecc42ccf4149144866c47d8a", "4.1.7"]
-      - ["actions/download-artifact", "v3-node20", "246d7188e736d3686f6d19628d253ede9697bd55", "4.1.7"]
-      - ["actions/download-artifact", "v2.1.1", "cbed621e49e4c01b044d60f6c80ea4ed6328b281", "4.1.7"]
-      - ["actions/download-artifact", "v2.1.0", "f023be2c48cc18debc3bacd34cb396e0295e2869", "4.1.7"]
-      - ["actions/download-artifact", "v2.0.10", "3be87be14a055c47b01d3bd88f8fe02320a9bb60", "4.1.7"]
-      - ["actions/download-artifact", "v2.0.9", "158ca71f7c614ae705e79f25522ef4658df18253", "4.1.7"]
-      - ["actions/download-artifact", "v2.0.8", "4a7a711286f30c025902c28b541c10e147a9b843", "4.1.7"]
-      - ["actions/download-artifact", "v2.0.7", "f144d3c3916a86f4d6b11ff379d17a49d8f85dbc", "4.1.7"]
-      - ["actions/download-artifact", "v2.0.6", "f8e41fbffeebb48c0273438d220bb2387727471f", "4.1.7"]
-      - ["actions/download-artifact", "v2.0.5", "c3f5d00c8784369c43779f3d2611769594a61f7a", "4.1.7"]
-      - ["actions/download-artifact", "v2.0.4", "b3cedea9bed36890c824f4065163b667eeca272b", "4.1.7"]
-      - ["actions/download-artifact", "v2.0.3", "80d2d4023c185001eacb50e37afd7dd667ba8044", "4.1.7"]
-      - ["actions/download-artifact", "v2.0.2", "381af06b4268a1e0ad7b7c7e5a09f1894977120f", "4.1.7"]
-      - ["actions/download-artifact", "v2.0.1", "1ac47ba4b6af92e65d0438b64ce1ea49ce1cc48d", "4.1.7"]
-      - ["actions/download-artifact", "v2.0", "1de1dea89c32dcb1f37183c96fe85cfe067b682a", "4.1.7"]
-      - ["actions/download-artifact", "v2", "cbed621e49e4c01b044d60f6c80ea4ed6328b281", "4.1.7"]
-      - ["actions/download-artifact", "v1.0.0", "18f0f591fbc635562c815484d73b6e8e3980482e", "4.1.7"]
-      - ["actions/download-artifact", "v1", "18f0f591fbc635562c815484d73b6e8e3980482e", "4.1.7"]
-      - ["actions/download-artifact", "1.0.0", "18f0f591fbc635562c815484d73b6e8e3980482e", "4.1.7"]
+      # https://github.com/advisories/GHSA-cxww-7g56-2vh6 Affected versions: >= 4.0.0, < 4.1.3
+      - ["actions/download-artifact", "v4.1.2", "eaceaf801fd36c7dee90939fad912460b18a1ffe", "4.1.3"]
+      - ["actions/download-artifact", "v4.1.1", "6b208ae046db98c579e8a3aa621ab581ff575935", "4.1.3"]
+      - ["actions/download-artifact", "v4.1.0", "f44cd7b40bfd40b6aa1cc1b9b5b7bf03d3c67110", "4.1.3"]
+      - ["actions/download-artifact", "v4.0.0", "7a1cd3216ca9260cd8022db641d960b1db4d1be4", "4.1.3"]

      # tj-actions/changed-files
      # https://github.com/advisories/GHSA-mcph-m25j-8j63
@@ -530,22 +504,13 @@ extensions:
      - ["gradle/gradle-build-action", "v1", "b3afdc78a7849557ab26e243ccf07548086da025", "2.4.2"]

      # rlespinasse/github-slug-action
-      # https://github.com/advisories/GHSA-6q4m-7476-932w
+      # https://github.com/advisories/GHSA-6q4m-7476-932w Affected versions: >= 4.0.0, < 4.4.1
      # CVE-2023-27581
-      - ["rlespinasse/github-slug-action", "v4.4.1", "102b1a064a9b145e56556e22b18b19c624538d94", "4.4.1"]
      - ["rlespinasse/github-slug-action", "v4.4.0", "a362e5fb42057a3a23a62218b050838f1bacca5d", "4.4.1"]
      - ["rlespinasse/github-slug-action", "v4.3.2", "b011e83cf8cb29e22dda828db30586691ae164e4", "4.4.1"]
      - ["rlespinasse/github-slug-action", "v4.3.1", "00198f89920d4454e37e4b27af2b7a8eba79c530", "4.4.1"]
      - ["rlespinasse/github-slug-action", "v4.3.0", "9c3571fd3dba541bfdaebc001482a49a1c1f136a", "4.4.1"]
      - ["rlespinasse/github-slug-action", "v4.2.5", "0141d9b38d1f21c3b3de63229e20b7b0ad7ef0f4", "4.4.1"]
-      - ["rlespinasse/github-slug-action", "v3.9.0", "2daab132aa3a6e23ea9d409f9946b3bf6468cc77", "4.4.1"]
-      - ["rlespinasse/github-slug-action", "v3.8.0", "4a00c29bc1c0a737315b4200af6c6991bb4ace18", "4.4.1"]
-      - ["rlespinasse/github-slug-action", "v3.7.1", "5150a26d43ce06608443c66efea46fc6f3c50d38", "4.4.1"]
-      - ["rlespinasse/github-slug-action", "v3.7.0", "ebfc49c0e9cd081acb7ba0634d8d6a711b4c73cf", "4.4.1"]
-      - ["rlespinasse/github-slug-action", "v3", "2daab132aa3a6e23ea9d409f9946b3bf6468cc77", "4.4.1"]
-      - ["rlespinasse/github-slug-action", "v3.x", "2daab132aa3a6e23ea9d409f9946b3bf6468cc77", "4.4.1"]
-      - ["rlespinasse/github-slug-action", "v2.x", "9d2c65418d6ecbbd3c08e686997b30482e9f4a80", "4.4.1"]
-      - ["rlespinasse/github-slug-action", "v1.1.x", "fbf6d7b9c7af4e8d06135dbc7d774e717d788731", "4.4.1"]
      - ["rlespinasse/github-slug-action", "4.2.5", "0141d9b38d1f21c3b3de63229e20b7b0ad7ef0f4", "4.4.1"]
      - ["rlespinasse/github-slug-action", "4.2.4", "33cd7a701db9c2baf4ad705d930ade51a9f25c14", "4.4.1"]
      - ["rlespinasse/github-slug-action", "4.2.3", "1615fcb48b5315152b3733b7bed1a9f5dfada6e3", "4.4.1"]
@@ -555,25 +520,6 @@ extensions:
      - ["rlespinasse/github-slug-action", "4.1.0", "88f3ee8f6f5d1955de92f1fe2fdb301fd40207c6", "4.4.1"]
      - ["rlespinasse/github-slug-action", "4.0.1", "cd9871b66e11e9562e3f72469772fe100be4c95a", "4.4.1"]
      - ["rlespinasse/github-slug-action", "4.0.0", "bd31a9f564f7930eea1ecfc8d0e6aebc4bc3279f", "4.4.1"]
-      - ["rlespinasse/github-slug-action", "3.6.1", "1bf76b7bc6ef7dc6ba597ff790f956d9082479d7", "4.4.1"]
-      - ["rlespinasse/github-slug-action", "3.6.0", "172fe43594a58b5938e248ec757ada60cdb17e18", "4.4.1"]
-      - ["rlespinasse/github-slug-action", "3.5.1", "016823880d193a56b180527cf7ee52f13c3cfe33", "4.4.1"]
-      - ["rlespinasse/github-slug-action", "3.5.0", "4060fda2690bcebaabcd86db4fbc8e1c2817c835", "4.4.1"]
-      - ["rlespinasse/github-slug-action", "3.4.0", "0c099abd978b382cb650281af13913c1905fdd50", "4.4.1"]
-      - ["rlespinasse/github-slug-action", "3.3.0", "d1880ea5b39f611effb9f3f83f4d35bff34083a6", "4.4.1"]
-      - ["rlespinasse/github-slug-action", "3.2.0", "c8d8ee50d00177c1e80dd57905fc61f81e437279", "4.4.1"]
-      - ["rlespinasse/github-slug-action", "3.1.0", "e4699e49fcf890a3172a02c56ba78d867dbb9fd5", "4.4.1"]
-      - ["rlespinasse/github-slug-action", "3.0.0", "6a873bec5ac11c6d2a11756b8763356da63a8939", "4.4.1"]
-      - ["rlespinasse/github-slug-action", "2.2.0", "9d2c65418d6ecbbd3c08e686997b30482e9f4a80", "4.4.1"]
-      - ["rlespinasse/github-slug-action", "2.1.1", "72cfc4cb1f36c102c48541cb59511a6267e89c95", "4.4.1"]
-      - ["rlespinasse/github-slug-action", "2.1.0", "1172ed1802078eb665a55c252fc180138b907c51", "4.4.1"]
-      - ["rlespinasse/github-slug-action", "2.0.0", "ca9a67fa1f1126b377a9d80dc1ea354284c71d21", "4.4.1"]
-      - ["rlespinasse/github-slug-action", "1.2.0", "fbf6d7b9c7af4e8d06135dbc7d774e717d788731", "4.4.1"]
-      - ["rlespinasse/github-slug-action", "1.1.1", "242e04c2d28ac5db296e5d8203dfd7dc6bcc17a9", "4.4.1"]
-      - ["rlespinasse/github-slug-action", "1.1.0", "881085bcae8c3443a89cc9401f3e1c60fb014ed2", "4.4.1"]
-      - ["rlespinasse/github-slug-action", "1.0.2", "a35a1a486a260cfd99c5b6f8c6034a2929ba9b3f", "4.4.1"]
-      - ["rlespinasse/github-slug-action", "1.0.1", "e46186066296e23235242d0877e2b4fe54003d54", "4.4.1"]
-      - ["rlespinasse/github-slug-action", "1.0.0", "9671420482a6e4c59c06f2d2d9e0605e941b1287", "4.4.1"]

      # Azure/setup-kubectl
      # https://github.com/advisories/GHSA-p756-rfxh-x63h
--- a/actions/ql/lib/qlpack.yml
+++ b/actions/ql/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/actions-all
-version: 0.4.1
+version: 0.4.4-dev
 library: true
 warnOnImplicitThis: true
 dependencies:
--- a/actions/ql/src/CHANGELOG.md
+++ b/actions/ql/src/CHANGELOG.md
@@ -1,3 +1,33 @@
+## 0.5.0
+
+### Breaking Changes
+
+* The following queries have been removed from the `code-scanning` and `security-extended` suites.
+  Any existing alerts for these queries will be closed automatically.
+  * `actions/if-expression-always-true/critical`
+  * `actions/if-expression-always-true/high`
+  * `actions/unnecessary-use-of-advanced-config`
+  
+* The following query has been moved from the `code-scanning` suite to the `security-extended`
+  suite. Any existing alerts for this query will be closed automatically unless the analysis is
+  configured to use the `security-extended` suite.
+  * `actions/unpinned-tag`
+* The following queries have been added to the `security-extended` suite.
+  * `actions/unversioned-immutable-action`
+  * `actions/envpath-injection/medium`
+  * `actions/envvar-injection/medium`
+  * `actions/code-injection/medium`
+  * `actions/artifact-poisoning/medium`
+  * `actions/untrusted-checkout/medium`
+
+### Minor Analysis Improvements
+
+* Fixed false positives in the query `actions/unpinned-tag` (CWE-829), which will no longer flag uses of Docker-based GitHub actions pinned by the container's SHA256 digest.
+
+## 0.4.2
+
+No user-facing changes.
+
 ## 0.4.1

 No user-facing changes.
--- a/actions/ql/src/Security/CWE-077/EnvPathInjectionMedium.ql
+++ b/actions/ql/src/Security/CWE-077/EnvPathInjectionMedium.ql
@@ -2,9 +2,9 @@
 * @name PATH Enviroment Variable built from user-controlled sources
 * @description Building the PATH environment variable from user-controlled sources may alter the execution of following system commands
 * @kind path-problem
- * @problem.severity warning
+ * @problem.severity error
 * @security-severity 5.0
- * @precision high
+ * @precision medium
 * @id actions/envpath-injection/medium
 * @tags actions
 *       security
--- a/actions/ql/src/Security/CWE-077/EnvVarInjectionMedium.ql
+++ b/actions/ql/src/Security/CWE-077/EnvVarInjectionMedium.ql
@@ -2,9 +2,9 @@
 * @name Enviroment Variable built from user-controlled sources
 * @description Building an environment variable from user-controlled sources may alter the execution of following system commands
 * @kind path-problem
- * @problem.severity warning
+ * @problem.severity error
 * @security-severity 5.0
- * @precision high
+ * @precision medium
 * @id actions/envvar-injection/medium
 * @tags actions
 *       security
--- a/actions/ql/src/Security/CWE-275/MissingActionsPermissions.ql
+++ b/actions/ql/src/Security/CWE-275/MissingActionsPermissions.ql
@@ -3,11 +3,12 @@
 * @description Workflows should contain permissions to provide a clear understanding has permissions to run the workflow.
 * @kind problem
 * @security-severity 5.0
- * @problem.severity recommendation
+ * @problem.severity warning
 * @precision high
 * @id actions/missing-workflow-permissions
 * @tags actions
 *       maintainability
+ *       security
 *       external/cwe/cwe-275
 */

--- a/actions/ql/src/Security/CWE-312/ExcessiveSecretsExposure.ql
+++ b/actions/ql/src/Security/CWE-312/ExcessiveSecretsExposure.ql
@@ -2,7 +2,8 @@
 * @name Excessive Secrets Exposure
 * @description All organization and repository secrets are passed to the workflow runner.
 * @kind problem
- * @problem.severity recommendation
+ * @precision high
+ * @problem.severity warning
 * @id actions/excessive-secrets-exposure
 * @tags actions
 *       security
--- a/actions/ql/src/Security/CWE-829/ArtifactPoisoningMedium.ql
+++ b/actions/ql/src/Security/CWE-829/ArtifactPoisoningMedium.ql
@@ -2,8 +2,8 @@
 * @name Artifact poisoning
 * @description An attacker may be able to poison the workflow's artifacts and influence on consequent steps.
 * @kind path-problem
- * @problem.severity warning
- * @precision high
+ * @problem.severity error
+ * @precision medium
 * @security-severity 5.0
 * @id actions/artifact-poisoning/medium
 * @tags actions
--- a/actions/ql/src/Security/CWE-829/UnpinnedActionsTag.md
+++ b/actions/ql/src/Security/CWE-829/UnpinnedActionsTag.md
@@ -24,4 +24,4 @@ Pinning an action to a full length commit SHA is currently the only way to use a

 ## References

- [Using third-party actions](https://docs.github.com/en/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions#using-third-party-actions)
+- [Using third-party actions](https://docs.github.com/en/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions#using-third-party-actions)
--- a/actions/ql/src/Security/CWE-829/UnpinnedActionsTag.ql
+++ b/actions/ql/src/Security/CWE-829/UnpinnedActionsTag.ql
@@ -3,8 +3,8 @@
 * @description Using a tag for a non-immutable Action that is not pinned to a commit can lead to executing an untrusted Action through a supply chain attack.
 * @kind problem
 * @security-severity 5.0
- * @problem.severity recommendation
- * @precision high
+ * @problem.severity warning
+ * @precision medium
 * @id actions/unpinned-tag
 * @tags security
 *       actions
@@ -17,14 +17,23 @@ import codeql.actions.security.UseOfUnversionedImmutableAction
 bindingset[version]
 private predicate isPinnedCommit(string version) { version.regexpMatch("^[A-Fa-f0-9]{40}$") }

-bindingset[repo]
-private predicate isTrustedOrg(string repo) {
-  repo.matches(["actions", "github", "advanced-security"] + "/%")
+bindingset[nwo]
+private predicate isTrustedOwner(string nwo) {
+  // Gets the segment before the first '/' in the name with owner(nwo) string
+  trustedActionsOwnerDataModel(nwo.substring(0, nwo.indexOf("/")))
 }

-from UsesStep uses, string repo, string version, Workflow workflow, string name
+bindingset[version]
+private predicate isPinnedContainer(string version) {
+  version.regexpMatch("^sha256:[A-Fa-f0-9]{64}$")
+}
+
+bindingset[nwo]
+private predicate isContainerImage(string nwo) { nwo.regexpMatch("^docker://.+") }
+
+from UsesStep uses, string nwo, string version, Workflow workflow, string name
 where
-  uses.getCallee() = repo and
+  uses.getCallee() = nwo and
  uses.getEnclosingWorkflow() = workflow and
  (
    workflow.getName() = name
@@ -32,9 +41,9 @@ where
    not exists(workflow.getName()) and workflow.getLocation().getFile().getBaseName() = name
  ) and
  uses.getVersion() = version and
-  not isTrustedOrg(repo) and
-  not isPinnedCommit(version) and
-  not isImmutableAction(uses, repo)
+  not isTrustedOwner(nwo) and
+  not (if isContainerImage(nwo) then isPinnedContainer(version) else isPinnedCommit(version)) and
+  not isImmutableAction(uses, nwo)
 select uses.getCalleeNode(),
-  "Unpinned 3rd party Action '" + name + "' step $@ uses '" + repo + "' with ref '" + version +
+  "Unpinned 3rd party Action '" + name + "' step $@ uses '" + nwo + "' with ref '" + version +
    "', not a pinned commit hash", uses, uses.toString()
--- a/actions/ql/src/change-notes/2025-02-27-immutable-actions-list.md
+++ b/actions/ql/src/change-notes/2025-02-27-immutable-actions-list.md
@@ -0,0 +1,7 @@
+---
+category: fix
+---
+* The `actions/unversioned-immutable-action` query will no longer report any alerts, since the
+  Immutable Actions feature is not yet available for customer use. The query remains in the
+  default Code Scanning suites for use internal to GitHub. Once the Immutable Actions feature is
+  available, the query will be updated to report alerts again.
--- a/actions/ql/src/change-notes/released/0.4.2.md
+++ b/actions/ql/src/change-notes/released/0.4.2.md
@@ -0,0 +1,3 @@
+## 0.4.2
+
+No user-facing changes.
--- a/actions/ql/src/change-notes/released/0.5.0.md
+++ b/actions/ql/src/change-notes/released/0.5.0.md
@@ -0,0 +1,25 @@
+## 0.5.0
+
+### Breaking Changes
+
+* The following queries have been removed from the `code-scanning` and `security-extended` suites.
+  Any existing alerts for these queries will be closed automatically.
+  * `actions/if-expression-always-true/critical`
+  * `actions/if-expression-always-true/high`
+  * `actions/unnecessary-use-of-advanced-config`
+  
+* The following query has been moved from the `code-scanning` suite to the `security-extended`
+  suite. Any existing alerts for this query will be closed automatically unless the analysis is
+  configured to use the `security-extended` suite.
+  * `actions/unpinned-tag`
+* The following queries have been added to the `security-extended` suite.
+  * `actions/unversioned-immutable-action`
+  * `actions/envpath-injection/medium`
+  * `actions/envvar-injection/medium`
+  * `actions/code-injection/medium`
+  * `actions/artifact-poisoning/medium`
+  * `actions/untrusted-checkout/medium`
+
+### Minor Analysis Improvements
+
+* Fixed false positives in the query `actions/unpinned-tag` (CWE-829), which will no longer flag uses of Docker-based GitHub actions pinned by the container's SHA256 digest.
--- a/actions/ql/src/codeql-pack.release.yml
+++ b/actions/ql/src/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.4.1
+lastReleaseVersion: 0.5.0
--- a/actions/ql/src/codeql-suites/actions-ccr.qls
+++ b/actions/ql/src/codeql-suites/actions-ccr.qls
@@ -0,0 +1 @@
+[]
--- a/actions/ql/src/codeql-suites/actions-code-scanning.qls
+++ b/actions/ql/src/codeql-suites/actions-code-scanning.qls
@@ -1,11 +1,4 @@
 - description: Standard Code Scanning queries for GitHub Actions
- queries: '.'
- include:
-    problem.severity: 
-      - error
-      - recommendation
- exclude:
-    tags contain:
-      - experimental
-      - debug
-      - internal
+- queries: .
+- apply: code-scanning-selectors.yml
+  from: codeql/suite-helpers
--- a/actions/ql/src/codeql-suites/actions-security-extended.qls
+++ b/actions/ql/src/codeql-suites/actions-security-extended.qls
@@ -1,2 +1,4 @@
 - description: Security-extended queries for GitHub Actions
- import: codeql-suites/actions-code-scanning.qls
+- queries: .
+- apply: security-extended-selectors.yml
+  from: codeql/suite-helpers
--- a/actions/ql/src/experimental/Security/CWE-074/OutputClobberingHigh.ql
+++ b/actions/ql/src/experimental/Security/CWE-074/OutputClobberingHigh.ql
--- a/actions/ql/src/experimental/Security/CWE-078/CommandInjectionCritical.ql
+++ b/actions/ql/src/experimental/Security/CWE-078/CommandInjectionCritical.ql
--- a/actions/ql/src/experimental/Security/CWE-078/CommandInjectionMedium.ql
+++ b/actions/ql/src/experimental/Security/CWE-078/CommandInjectionMedium.ql
--- a/actions/ql/src/experimental/Security/CWE-088/ArgumentInjectionCritical.md
+++ b/actions/ql/src/experimental/Security/CWE-088/ArgumentInjectionCritical.md
--- a/actions/ql/src/experimental/Security/CWE-088/ArgumentInjectionCritical.ql
+++ b/actions/ql/src/experimental/Security/CWE-088/ArgumentInjectionCritical.ql
--- a/actions/ql/src/experimental/Security/CWE-088/ArgumentInjectionMedium.md
+++ b/actions/ql/src/experimental/Security/CWE-088/ArgumentInjectionMedium.md
--- a/actions/ql/src/experimental/Security/CWE-088/ArgumentInjectionMedium.ql
+++ b/actions/ql/src/experimental/Security/CWE-088/ArgumentInjectionMedium.ql
--- a/actions/ql/src/experimental/Security/CWE-200/SecretExfiltration.ql
+++ b/actions/ql/src/experimental/Security/CWE-200/SecretExfiltration.ql
--- a/actions/ql/src/experimental/Security/CWE-284/CodeExecutionOnSelfHostedRunner.ql
+++ b/actions/ql/src/experimental/Security/CWE-284/CodeExecutionOnSelfHostedRunner.ql
--- a/actions/ql/src/experimental/Security/CWE-829/ArtifactPoisoningPathTraversal.ql
+++ b/actions/ql/src/experimental/Security/CWE-829/ArtifactPoisoningPathTraversal.ql
--- a/actions/ql/src/experimental/Security/CWE-918/RequestForgery.ql
+++ b/actions/ql/src/experimental/Security/CWE-918/RequestForgery.ql
--- a/actions/ql/src/qlpack.yml
+++ b/actions/ql/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/actions-queries
-version: 0.4.1
+version: 0.5.1-dev
 library: false
 warnOnImplicitThis: true
 groups: [actions, queries]
--- a/actions/ql/test/library-tests/.github/workflows/many_strings.yml
+++ b/actions/ql/test/library-tests/.github/workflows/many_strings.yml
@@ -0,0 +1,18 @@
+on:
+  workflow_run:
+    workflows: ["Prev"]
+    types:
+      - completed
+
+jobs:
+  Test:
+    runs-on: ubuntu-latest
+    steps:
+      - run: |
+          # Avoid choking on large chunks of data containing quotes
+          echo '["string1", "string2", "string3", "string4", "string5", "string6", "string7", "string8", "string9", "string10", "string11", "string12", "string13", "string14", "string15", "string16", "string17", "string18", "string19", "string20", "string21", "string22", "string23", "string24", "string25", "string26", "string27", "string28", "string29", "string30", "string31", "string32", "string33", "string34", "string35", "string36", "string37", "string38", "string39", "string40", "string41", "string42", "string43", "string44", "string45", "string46", "string47", "string48", "string49", "string50", "string51", "string52", "string53", "string54", "string55", "string56", "string57", "string58", "string59", "string60", "string61", "string62", "string63", "string64", "string65", "string66", "string67", "string68", "string69", "string70", "string71", "string72", "string73", "string74", "string75", "string76", "string77", "string78", "string79", "string80", "string81", "string82", "string83", "string84", "string85", "string86", "string87", "string88", "string89", "string90", "string91", "string92", "string93", "string94", "string95", "string96", "string97", "string98", "string99", "string100"]'
+          echo "['string1', 'string2', 'string3', 'string4', 'string5', 'string6', 'string7', 'string8', 'string9', 'string10', 'string11', 'string12', 'string13', 'string14', 'string15', 'string16', 'string17', 'string18', 'string19', 'string20', 'string21', 'string22', 'string23', 'string24', 'string25', 'string26', 'string27', 'string28', 'string29', 'string30', 'string31', 'string32', 'string33', 'string34', 'string35', 'string36', 'string37', 'string38', 'string39', 'string40', 'string41', 'string42', 'string43', 'string44', 'string45', 'string46', 'string47', 'string48', 'string49', 'string50', 'string51', 'string52', 'string53', 'string54', 'string55', 'string56', 'string57', 'string58', 'string59', 'string60', 'string61', 'string62', 'string63', 'string64', 'string65', 'string66', 'string67', 'string68', 'string69', 'string70', 'string71', 'string72', 'string73', 'string74', 'string75', 'string76', 'string77', 'string78', 'string79', 'string80', 'string81', 'string82', 'string83', 'string84', 'string85', 'string86', 'string87', 'string88', 'string89', 'string90', 'string91', 'string92', 'string93', 'string94', 'string95', 'string96', 'string97', 'string98', 'string99', 'string100']"
+
+          # Same as above but where each line has an unbalanced internal quote near the end
+          echo '["string1", "string2", "string3", "string4", "string5", "string6", "string7", "string8", "string9", "string10", "string11", "string12", "string13", "string14", "string15", "string16", "string17", "string18", "string19", "string20", "string21", "string22", "string23", "string24", "string25", "string26", "string27", "string28", "string29", "string30", "string31", "string32", "string33", "string34", "string35", "string36", "string37", "string38", "string39", "string40", "string41", "string42", "string43", "string44", "string45", "string46", "string47", "string48", "string49", "string50", "string51", "string52", "string53", "string54", "string55", "string56", "string57", "string58", "string59", "string60", "string61", "string62", "string63", "string64", "string65", "string66", "string67", "string68", "string69", "string70", "string71", "string72", "string73", "string74", "string75", "string76", "string77", "string78", "string79", "string80", "string81", "string82", "string83", "string84", "string85", "string86", "string87", "string88", "string89", "string90", "string91", "string92", "string93", "string94", "string95", "string96", "string97", "string98", "string99", "string100"]"'
+          echo "['string1', 'string2', 'string3', 'string4', 'string5', 'string6', 'string7', 'string8', 'string9', 'string10', 'string11', 'string12', 'string13', 'string14', 'string15', 'string16', 'string17', 'string18', 'string19', 'string20', 'string21', 'string22', 'string23', 'string24', 'string25', 'string26', 'string27', 'string28', 'string29', 'string30', 'string31', 'string32', 'string33', 'string34', 'string35', 'string36', 'string37', 'string38', 'string39', 'string40', 'string41', 'string42', 'string43', 'string44', 'string45', 'string46', 'string47', 'string48', 'string49', 'string50', 'string51', 'string52', 'string53', 'string54', 'string55', 'string56', 'string57', 'string58', 'string59', 'string60', 'string61', 'string62', 'string63', 'string64', 'string65', 'string66', 'string67', 'string68', 'string69', 'string70', 'string71', 'string72', 'string73', 'string74', 'string75', 'string76', 'string77', 'string78', 'string79', 'string80', 'string81', 'string82', 'string83', 'string84', 'string85', 'string86', 'string87', 'string88', 'string89', 'string90', 'string91', 'string92', 'string93', 'string94', 'string95', 'string96', 'string97', 'string98', 'string99', 'string100']'"
--- a/actions/ql/test/library-tests/commands.expected
+++ b/actions/ql/test/library-tests/commands.expected
@@ -25,6 +25,10 @@
 | .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | LINE 2 echo '${{github.event.issue.body}}' |
 | .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | LINE 3 echo '${{ github.event.comment.body }}' |
 | .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}' |
+| .github/workflows/many_strings.yml:11:9:18:1211 | Run Step | echo "['string1', 'string2', 'string3', 'string4', 'string5', 'string6', 'string7', 'string8', 'string9', 'string10', 'string11', 'string12', 'string13', 'string14', 'string15', 'string16', 'string17', 'string18', 'string19', 'string20', 'string21', 'string22', 'string23', 'string24', 'string25', 'string26', 'string27', 'string28', 'string29', 'string30', 'string31', 'string32', 'string33', 'string34', 'string35', 'string36', 'string37', 'string38', 'string39', 'string40', 'string41', 'string42', 'string43', 'string44', 'string45', 'string46', 'string47', 'string48', 'string49', 'string50', 'string51', 'string52', 'string53', 'string54', 'string55', 'string56', 'string57', 'string58', 'string59', 'string60', 'string61', 'string62', 'string63', 'string64', 'string65', 'string66', 'string67', 'string68', 'string69', 'string70', 'string71', 'string72', 'string73', 'string74', 'string75', 'string76', 'string77', 'string78', 'string79', 'string80', 'string81', 'string82', 'string83', 'string84', 'string85', 'string86', 'string87', 'string88', 'string89', 'string90', 'string91', 'string92', 'string93', 'string94', 'string95', 'string96', 'string97', 'string98', 'string99', 'string100']" |
+| .github/workflows/many_strings.yml:11:9:18:1211 | Run Step | echo "['string1', 'string2', 'string3', 'string4', 'string5', 'string6', 'string7', 'string8', 'string9', 'string10', 'string11', 'string12', 'string13', 'string14', 'string15', 'string16', 'string17', 'string18', 'string19', 'string20', 'string21', 'string22', 'string23', 'string24', 'string25', 'string26', 'string27', 'string28', 'string29', 'string30', 'string31', 'string32', 'string33', 'string34', 'string35', 'string36', 'string37', 'string38', 'string39', 'string40', 'string41', 'string42', 'string43', 'string44', 'string45', 'string46', 'string47', 'string48', 'string49', 'string50', 'string51', 'string52', 'string53', 'string54', 'string55', 'string56', 'string57', 'string58', 'string59', 'string60', 'string61', 'string62', 'string63', 'string64', 'string65', 'string66', 'string67', 'string68', 'string69', 'string70', 'string71', 'string72', 'string73', 'string74', 'string75', 'string76', 'string77', 'string78', 'string79', 'string80', 'string81', 'string82', 'string83', 'string84', 'string85', 'string86', 'string87', 'string88', 'string89', 'string90', 'string91', 'string92', 'string93', 'string94', 'string95', 'string96', 'string97', 'string98', 'string99', 'string100']'" |
+| .github/workflows/many_strings.yml:11:9:18:1211 | Run Step | echo '["string1", "string2", "string3", "string4", "string5", "string6", "string7", "string8", "string9", "string10", "string11", "string12", "string13", "string14", "string15", "string16", "string17", "string18", "string19", "string20", "string21", "string22", "string23", "string24", "string25", "string26", "string27", "string28", "string29", "string30", "string31", "string32", "string33", "string34", "string35", "string36", "string37", "string38", "string39", "string40", "string41", "string42", "string43", "string44", "string45", "string46", "string47", "string48", "string49", "string50", "string51", "string52", "string53", "string54", "string55", "string56", "string57", "string58", "string59", "string60", "string61", "string62", "string63", "string64", "string65", "string66", "string67", "string68", "string69", "string70", "string71", "string72", "string73", "string74", "string75", "string76", "string77", "string78", "string79", "string80", "string81", "string82", "string83", "string84", "string85", "string86", "string87", "string88", "string89", "string90", "string91", "string92", "string93", "string94", "string95", "string96", "string97", "string98", "string99", "string100"]"' |
+| .github/workflows/many_strings.yml:11:9:18:1211 | Run Step | echo '["string1", "string2", "string3", "string4", "string5", "string6", "string7", "string8", "string9", "string10", "string11", "string12", "string13", "string14", "string15", "string16", "string17", "string18", "string19", "string20", "string21", "string22", "string23", "string24", "string25", "string26", "string27", "string28", "string29", "string30", "string31", "string32", "string33", "string34", "string35", "string36", "string37", "string38", "string39", "string40", "string41", "string42", "string43", "string44", "string45", "string46", "string47", "string48", "string49", "string50", "string51", "string52", "string53", "string54", "string55", "string56", "string57", "string58", "string59", "string60", "string61", "string62", "string63", "string64", "string65", "string66", "string67", "string68", "string69", "string70", "string71", "string72", "string73", "string74", "string75", "string76", "string77", "string78", "string79", "string80", "string81", "string82", "string83", "string84", "string85", "string86", "string87", "string88", "string89", "string90", "string91", "string92", "string93", "string94", "string95", "string96", "string97", "string98", "string99", "string100"]' |
 | .github/workflows/multiline2.yml:11:9:15:6 | Run Step | echo "CHANGELOGEOF" |
 | .github/workflows/multiline2.yml:11:9:15:6 | Run Step | echo "changelog< |
 | .github/workflows/multiline2.yml:11:9:15:6 | Run Step | echo -e "$FILTERED_CHANGELOG" |
--- a/actions/ql/test/library-tests/test.expected
+++ b/actions/ql/test/library-tests/test.expected
--- a/actions/ql/test/qlpack.yml
+++ b/actions/ql/test/qlpack.yml
@@ -3,6 +3,10 @@ groups: [codeql, test]
 dependencies:
  codeql/actions-all: ${workspace}
  codeql/actions-queries: ${workspace}
+  # Use the `immutable-actions-list` model pack so that we have some actual data to test against.
+  # We can remove this dependency when we incorporate the data from that model pack back into the
+  # standard library pack.
+  codeql/immutable-actions-list: ${workspace}
 extractor: actions
 tests: .
 warnOnImplicitThis: true
--- a/actions/ql/test/query-tests/Security/CWE-074/OutputClobberingHigh.qlref
+++ b/actions/ql/test/query-tests/Security/CWE-074/OutputClobberingHigh.qlref
@@ -1 +1 @@
-Security/CWE-074/OutputClobberingHigh.ql
+experimental/Security/CWE-074/OutputClobberingHigh.ql
--- a/actions/ql/test/query-tests/Security/CWE-078/CommandInjectionCritical.qlref
+++ b/actions/ql/test/query-tests/Security/CWE-078/CommandInjectionCritical.qlref
@@ -1 +1 @@
-Security/CWE-078/CommandInjectionCritical.ql
+experimental/Security/CWE-078/CommandInjectionCritical.ql
--- a/actions/ql/test/query-tests/Security/CWE-078/CommandInjectionMedium.qlref
+++ b/actions/ql/test/query-tests/Security/CWE-078/CommandInjectionMedium.qlref
@@ -1 +1 @@
-Security/CWE-078/CommandInjectionMedium.ql
+experimental/Security/CWE-078/CommandInjectionMedium.ql
--- a/actions/ql/test/query-tests/Security/CWE-088/ArgumentInjectionCritical.qlref
+++ b/actions/ql/test/query-tests/Security/CWE-088/ArgumentInjectionCritical.qlref
@@ -1 +1 @@
-Security/CWE-088/ArgumentInjectionCritical.ql
+experimental/Security/CWE-088/ArgumentInjectionCritical.ql
--- a/actions/ql/test/query-tests/Security/CWE-088/ArgumentInjectionMedium.qlref
+++ b/actions/ql/test/query-tests/Security/CWE-088/ArgumentInjectionMedium.qlref
@@ -1 +1 @@
-Security/CWE-088/ArgumentInjectionMedium.ql
+experimental/Security/CWE-088/ArgumentInjectionMedium.ql
--- a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/self_needs.yml
+++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/self_needs.yml
@@ -6,7 +6,7 @@ on:

 jobs:
  test1:
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
    outputs:
      job_output: ${{ steps.source.outputs.value }}
    steps:
--- a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test10.yml
+++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test10.yml
@@ -491,7 +491,7 @@ jobs:

  send_results:
    name: Send results to webhook
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
    if: always()
    needs: [
        setup,
--- a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test19.yml
+++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test19.yml
@@ -106,7 +106,27 @@ jobs:
          COMMENTS=$(gh api /repos/test/test/pulls/${PR_NUMBER}/comments --jq '.[].body')
          echo "comments=$COMMENTS" >> "$GITHUB_OUTPUT"
      - run: echo "${{ steps.comments.outputs.comments}}"
-
+  pulls3:
+    runs-on: ubuntu-latest
+    steps:
+      - id: title1
+        run: |
+          DETAILS=$(gh pr view $PR_NUMBER --json "title,author,headRefName")
+          TITLE=$(echo $DETAILS | jq -r '.title')
+          echo "title=$TITLE" >> "$GITHUB_OUTPUT"
+      - run: echo "${{ steps.title1.outputs.title}}"
+      - id: title2
+        run: |
+          TITLE=$(gh pr view $PR_NUMBER --json "title,author,headRefName")
+          TITLE=$(echo $TITLE | jq -r '.title')
+          echo "title=$TITLE" >> "$GITHUB_OUTPUT"
+      - run: echo "${{ steps.title2.outputs.title}}"
+      - id: title3
+        run: |
+          TITLE=$(gh issue view "$ISSUE_NUMBER" --json title,author)
+          TITLE=$(echo $TITLE | jq -r '.title')
+          echo "title=$TITLE" >> "$GITHUB_OUTPUT"
+      - run: echo "${{ steps.title3.outputs.title}}"



--- a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test23.yml
+++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test23.yml
@@ -3,7 +3,7 @@ on:

 jobs:
  test:
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
    if: >
      (github.event.workflow_run.event == 'pull_request' ||
      github.event.workflow_run.event == 'pull_request_target') &&
--- a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test24.yml
+++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test24.yml
@@ -3,7 +3,7 @@ on:

 jobs:
  test:
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
    steps:
      - name: Run Issue form parser
        id: parse
--- a/actions/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected
+++ b/actions/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected
@@ -128,10 +128,14 @@ edges
 | .github/workflows/test9.yml:12:9:20:6 | Uses Step: issue_body_parser_request | .github/workflows/test9.yml:10:17:10:70 | steps.issue_body_parser_request.outputs.payload | provenance |  |
 | .github/workflows/test9.yml:12:9:20:6 | Uses Step: issue_body_parser_request | .github/workflows/test9.yml:20:20:20:73 | steps.issue_body_parser_request.outputs.payload | provenance |  |
 | .github/workflows/test11.yml:19:7:21:4 | Job outputs node [pr_num] | .github/workflows/test11.yml:54:20:54:60 | needs.get-artifacts.outputs.pr_num | provenance |  |
+| .github/workflows/test11.yml:19:7:21:4 | Job outputs node [ref] | .github/workflows/test11.yml:55:20:55:57 | needs.get-artifacts.outputs.ref | provenance |  |
 | .github/workflows/test11.yml:19:16:19:50 | steps.set-ref.outputs.pr_num | .github/workflows/test11.yml:19:7:21:4 | Job outputs node [pr_num] | provenance |  |
+| .github/workflows/test11.yml:20:13:20:44 | steps.set-ref.outputs.ref | .github/workflows/test11.yml:19:7:21:4 | Job outputs node [ref] | provenance |  |
 | .github/workflows/test11.yml:22:9:30:6 | Uses Step | .github/workflows/test11.yml:32:14:44:44 | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n  pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n  ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_OUTPUT\necho "ref=$ref" >> $GITHUB_OUTPUT\n | provenance | Config |
 | .github/workflows/test11.yml:30:9:46:2 | Run Step: set-ref [pr_num] | .github/workflows/test11.yml:19:16:19:50 | steps.set-ref.outputs.pr_num | provenance |  |
+| .github/workflows/test11.yml:30:9:46:2 | Run Step: set-ref [ref] | .github/workflows/test11.yml:20:13:20:44 | steps.set-ref.outputs.ref | provenance |  |
 | .github/workflows/test11.yml:32:14:44:44 | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n  pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n  ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_OUTPUT\necho "ref=$ref" >> $GITHUB_OUTPUT\n | .github/workflows/test11.yml:30:9:46:2 | Run Step: set-ref [pr_num] | provenance |  |
+| .github/workflows/test11.yml:32:14:44:44 | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n  pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n  ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_OUTPUT\necho "ref=$ref" >> $GITHUB_OUTPUT\n | .github/workflows/test11.yml:30:9:46:2 | Run Step: set-ref [ref] | provenance |  |
 | .github/workflows/test14.yml:13:9:16:6 | Run Step: changed-files [files] | .github/workflows/test14.yml:16:21:16:60 | steps.changed-files.outputs.files | provenance |  |
 | .github/workflows/test14.yml:14:14:15:117 | echo "files=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_OUTPUT"\n | .github/workflows/test14.yml:13:9:16:6 | Run Step: changed-files [files] | provenance |  |
 | .github/workflows/test14.yml:23:9:27:6 | Run Step: changed-files [files] | .github/workflows/test14.yml:27:21:27:60 | steps.changed-files.outputs.files | provenance |  |
@@ -199,6 +203,12 @@ edges
 | .github/workflows/test19.yml:100:14:102:48 | BODY=$(gh api /repos/test/test/issues/${{PR_NUMBER}} --jq ".body")\necho "body=$BODY" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:99:9:103:6 | Run Step: body [body] | provenance |  |
 | .github/workflows/test19.yml:104:9:108:6 | Run Step: comments [comments] | .github/workflows/test19.yml:108:21:108:57 | steps.comments.outputs.comments | provenance |  |
 | .github/workflows/test19.yml:105:14:107:56 | COMMENTS=$(gh api /repos/test/test/pulls/${PR_NUMBER}/comments --jq '.[].body')\necho "comments=$COMMENTS" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:104:9:108:6 | Run Step: comments [comments] | provenance |  |
+| .github/workflows/test19.yml:112:9:117:6 | Run Step: title1 [title] | .github/workflows/test19.yml:117:21:117:52 | steps.title1.outputs.title | provenance |  |
+| .github/workflows/test19.yml:113:14:116:50 | DETAILS=$(gh pr view $PR_NUMBER --json "title,author,headRefName")\nTITLE=$(echo $DETAILS \| jq -r '.title')\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:112:9:117:6 | Run Step: title1 [title] | provenance |  |
+| .github/workflows/test19.yml:118:9:123:6 | Run Step: title2 [title] | .github/workflows/test19.yml:123:21:123:52 | steps.title2.outputs.title | provenance |  |
+| .github/workflows/test19.yml:119:14:122:50 | TITLE=$(gh pr view $PR_NUMBER --json "title,author,headRefName")\nTITLE=$(echo $TITLE \| jq -r '.title')\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:118:9:123:6 | Run Step: title2 [title] | provenance |  |
+| .github/workflows/test19.yml:124:9:129:6 | Run Step: title3 [title] | .github/workflows/test19.yml:129:21:129:52 | steps.title3.outputs.title | provenance |  |
+| .github/workflows/test19.yml:125:14:128:50 | TITLE=$(gh issue view "$ISSUE_NUMBER" --json title,author)\nTITLE=$(echo $TITLE \| jq -r '.title')\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:124:9:129:6 | Run Step: title3 [title] | provenance |  |
 | .github/workflows/test24.yml:8:9:17:6 | Uses Step: parse | .github/workflows/test24.yml:19:17:19:50 | steps.parse.outputs.payload | provenance |  |
 | .github/workflows/test25.yml:9:9:12:6 | Uses Step: parse | .github/workflows/test25.yml:12:20:12:50 | steps.parse.outputs.data | provenance |  |
 | .github/workflows/test25.yml:9:9:12:6 | Uses Step: parse | .github/workflows/test25.yml:13:20:13:58 | toJSON(steps.parse.outputs.data) | provenance |  |
@@ -495,11 +505,15 @@ nodes
 | .github/workflows/test10.yml:423:34:423:77 | github.event.workflow_run.head_branch | semmle.label | github.event.workflow_run.head_branch |
 | .github/workflows/test10.yml:518:34:518:77 | github.event.workflow_run.head_branch | semmle.label | github.event.workflow_run.head_branch |
 | .github/workflows/test11.yml:19:7:21:4 | Job outputs node [pr_num] | semmle.label | Job outputs node [pr_num] |
+| .github/workflows/test11.yml:19:7:21:4 | Job outputs node [ref] | semmle.label | Job outputs node [ref] |
 | .github/workflows/test11.yml:19:16:19:50 | steps.set-ref.outputs.pr_num | semmle.label | steps.set-ref.outputs.pr_num |
+| .github/workflows/test11.yml:20:13:20:44 | steps.set-ref.outputs.ref | semmle.label | steps.set-ref.outputs.ref |
 | .github/workflows/test11.yml:22:9:30:6 | Uses Step | semmle.label | Uses Step |
 | .github/workflows/test11.yml:30:9:46:2 | Run Step: set-ref [pr_num] | semmle.label | Run Step: set-ref [pr_num] |
+| .github/workflows/test11.yml:30:9:46:2 | Run Step: set-ref [ref] | semmle.label | Run Step: set-ref [ref] |
 | .github/workflows/test11.yml:32:14:44:44 | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n  pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n  ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_OUTPUT\necho "ref=$ref" >> $GITHUB_OUTPUT\n | semmle.label | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n  pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n  ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_OUTPUT\necho "ref=$ref" >> $GITHUB_OUTPUT\n |
 | .github/workflows/test11.yml:54:20:54:60 | needs.get-artifacts.outputs.pr_num | semmle.label | needs.get-artifacts.outputs.pr_num |
+| .github/workflows/test11.yml:55:20:55:57 | needs.get-artifacts.outputs.ref | semmle.label | needs.get-artifacts.outputs.ref |
 | .github/workflows/test12.yml:10:21:10:67 | github.event.pull_request.title \|\| "foo" | semmle.label | github.event.pull_request.title \|\| "foo" |
 | .github/workflows/test13.yml:10:21:10:57 | github.event.changes.body.from | semmle.label | github.event.changes.body.from |
 | .github/workflows/test13.yml:11:21:11:58 | github.event.changes.title.from | semmle.label | github.event.changes.title.from |
@@ -606,6 +620,15 @@ nodes
 | .github/workflows/test19.yml:104:9:108:6 | Run Step: comments [comments] | semmle.label | Run Step: comments [comments] |
 | .github/workflows/test19.yml:105:14:107:56 | COMMENTS=$(gh api /repos/test/test/pulls/${PR_NUMBER}/comments --jq '.[].body')\necho "comments=$COMMENTS" >> "$GITHUB_OUTPUT"\n | semmle.label | COMMENTS=$(gh api /repos/test/test/pulls/${PR_NUMBER}/comments --jq '.[].body')\necho "comments=$COMMENTS" >> "$GITHUB_OUTPUT"\n |
 | .github/workflows/test19.yml:108:21:108:57 | steps.comments.outputs.comments | semmle.label | steps.comments.outputs.comments |
+| .github/workflows/test19.yml:112:9:117:6 | Run Step: title1 [title] | semmle.label | Run Step: title1 [title] |
+| .github/workflows/test19.yml:113:14:116:50 | DETAILS=$(gh pr view $PR_NUMBER --json "title,author,headRefName")\nTITLE=$(echo $DETAILS \| jq -r '.title')\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n | semmle.label | DETAILS=$(gh pr view $PR_NUMBER --json "title,author,headRefName")\nTITLE=$(echo $DETAILS \| jq -r '.title')\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n |
+| .github/workflows/test19.yml:117:21:117:52 | steps.title1.outputs.title | semmle.label | steps.title1.outputs.title |
+| .github/workflows/test19.yml:118:9:123:6 | Run Step: title2 [title] | semmle.label | Run Step: title2 [title] |
+| .github/workflows/test19.yml:119:14:122:50 | TITLE=$(gh pr view $PR_NUMBER --json "title,author,headRefName")\nTITLE=$(echo $TITLE \| jq -r '.title')\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n | semmle.label | TITLE=$(gh pr view $PR_NUMBER --json "title,author,headRefName")\nTITLE=$(echo $TITLE \| jq -r '.title')\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n |
+| .github/workflows/test19.yml:123:21:123:52 | steps.title2.outputs.title | semmle.label | steps.title2.outputs.title |
+| .github/workflows/test19.yml:124:9:129:6 | Run Step: title3 [title] | semmle.label | Run Step: title3 [title] |
+| .github/workflows/test19.yml:125:14:128:50 | TITLE=$(gh issue view "$ISSUE_NUMBER" --json title,author)\nTITLE=$(echo $TITLE \| jq -r '.title')\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n | semmle.label | TITLE=$(gh issue view "$ISSUE_NUMBER" --json title,author)\nTITLE=$(echo $TITLE \| jq -r '.title')\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n |
+| .github/workflows/test19.yml:129:21:129:52 | steps.title3.outputs.title | semmle.label | steps.title3.outputs.title |
 | .github/workflows/test21.yml:22:35:22:73 | github.event.head_commit.message | semmle.label | github.event.head_commit.message |
 | .github/workflows/test21.yml:23:36:23:74 | github.event.head_commit.message | semmle.label | github.event.head_commit.message |
 | .github/workflows/test21.yml:24:50:24:88 | github.event.head_commit.message | semmle.label | github.event.head_commit.message |
@@ -767,6 +790,7 @@ subpaths
 | .github/workflows/test9.yml:31:42:31:99 | fromJson(needs.parse-issue.outputs.payload).version | .github/workflows/test9.yml:12:9:20:6 | Uses Step: issue_body_parser_request | .github/workflows/test9.yml:31:42:31:99 | fromJson(needs.parse-issue.outputs.payload).version | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test9.yml:31:42:31:99 | fromJson(needs.parse-issue.outputs.payload).version | ${{ fromJson(needs.parse-issue.outputs.payload).version }} | .github/workflows/test9.yml:4:3:4:15 | issue_comment | issue_comment |
 | .github/workflows/test9.yml:39:42:39:72 | github.event.issue.title | .github/workflows/test9.yml:39:42:39:72 | github.event.issue.title | .github/workflows/test9.yml:39:42:39:72 | github.event.issue.title | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test9.yml:39:42:39:72 | github.event.issue.title | ${{ github.event.issue.title }} | .github/workflows/test9.yml:4:3:4:15 | issue_comment | issue_comment |
 | .github/workflows/test11.yml:54:20:54:60 | needs.get-artifacts.outputs.pr_num | .github/workflows/test11.yml:22:9:30:6 | Uses Step | .github/workflows/test11.yml:54:20:54:60 | needs.get-artifacts.outputs.pr_num | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test11.yml:54:20:54:60 | needs.get-artifacts.outputs.pr_num | ${{ needs.get-artifacts.outputs.pr_num }} | .github/workflows/test11.yml:4:3:4:14 | workflow_run | workflow_run |
+| .github/workflows/test11.yml:55:20:55:57 | needs.get-artifacts.outputs.ref | .github/workflows/test11.yml:22:9:30:6 | Uses Step | .github/workflows/test11.yml:55:20:55:57 | needs.get-artifacts.outputs.ref | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test11.yml:55:20:55:57 | needs.get-artifacts.outputs.ref | ${{ needs.get-artifacts.outputs.ref }} | .github/workflows/test11.yml:4:3:4:14 | workflow_run | workflow_run |
 | .github/workflows/test12.yml:10:21:10:67 | github.event.pull_request.title \|\| "foo" | .github/workflows/test12.yml:10:21:10:67 | github.event.pull_request.title \|\| "foo" | .github/workflows/test12.yml:10:21:10:67 | github.event.pull_request.title \|\| "foo" | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test12.yml:10:21:10:67 | github.event.pull_request.title \|\| "foo" | ${{ github.event.pull_request.title \|\| "foo" }} | .github/workflows/test12.yml:4:3:4:21 | pull_request_target | pull_request_target |
 | .github/workflows/test13.yml:10:21:10:57 | github.event.changes.body.from | .github/workflows/test13.yml:10:21:10:57 | github.event.changes.body.from | .github/workflows/test13.yml:10:21:10:57 | github.event.changes.body.from | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test13.yml:10:21:10:57 | github.event.changes.body.from | ${{ github.event.changes.body.from }} | .github/workflows/test13.yml:4:3:4:21 | pull_request_target | pull_request_target |
 | .github/workflows/test13.yml:11:21:11:58 | github.event.changes.title.from | .github/workflows/test13.yml:11:21:11:58 | github.event.changes.title.from | .github/workflows/test13.yml:11:21:11:58 | github.event.changes.title.from | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test13.yml:11:21:11:58 | github.event.changes.title.from | ${{ github.event.changes.title.from }} | .github/workflows/test13.yml:4:3:4:21 | pull_request_target | pull_request_target |
@@ -807,6 +831,9 @@ subpaths
 | .github/workflows/test19.yml:98:21:98:51 | steps.title.outputs.title | .github/workflows/test19.yml:95:14:97:50 | TITLE=$(gh api /repos/test/test/issues/${{PR_NUMBER}} --jq ".title")\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:98:21:98:51 | steps.title.outputs.title | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test19.yml:98:21:98:51 | steps.title.outputs.title | ${{ steps.title.outputs.title}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | pull_request_target |
 | .github/workflows/test19.yml:103:21:103:49 | steps.body.outputs.body | .github/workflows/test19.yml:100:14:102:48 | BODY=$(gh api /repos/test/test/issues/${{PR_NUMBER}} --jq ".body")\necho "body=$BODY" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:103:21:103:49 | steps.body.outputs.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test19.yml:103:21:103:49 | steps.body.outputs.body | ${{ steps.body.outputs.body}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | pull_request_target |
 | .github/workflows/test19.yml:108:21:108:57 | steps.comments.outputs.comments | .github/workflows/test19.yml:105:14:107:56 | COMMENTS=$(gh api /repos/test/test/pulls/${PR_NUMBER}/comments --jq '.[].body')\necho "comments=$COMMENTS" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:108:21:108:57 | steps.comments.outputs.comments | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test19.yml:108:21:108:57 | steps.comments.outputs.comments | ${{ steps.comments.outputs.comments}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | pull_request_target |
+| .github/workflows/test19.yml:117:21:117:52 | steps.title1.outputs.title | .github/workflows/test19.yml:113:14:116:50 | DETAILS=$(gh pr view $PR_NUMBER --json "title,author,headRefName")\nTITLE=$(echo $DETAILS \| jq -r '.title')\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:117:21:117:52 | steps.title1.outputs.title | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test19.yml:117:21:117:52 | steps.title1.outputs.title | ${{ steps.title1.outputs.title}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | pull_request_target |
+| .github/workflows/test19.yml:123:21:123:52 | steps.title2.outputs.title | .github/workflows/test19.yml:119:14:122:50 | TITLE=$(gh pr view $PR_NUMBER --json "title,author,headRefName")\nTITLE=$(echo $TITLE \| jq -r '.title')\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:123:21:123:52 | steps.title2.outputs.title | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test19.yml:123:21:123:52 | steps.title2.outputs.title | ${{ steps.title2.outputs.title}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | pull_request_target |
+| .github/workflows/test19.yml:129:21:129:52 | steps.title3.outputs.title | .github/workflows/test19.yml:125:14:128:50 | TITLE=$(gh issue view "$ISSUE_NUMBER" --json title,author)\nTITLE=$(echo $TITLE \| jq -r '.title')\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:129:21:129:52 | steps.title3.outputs.title | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test19.yml:129:21:129:52 | steps.title3.outputs.title | ${{ steps.title3.outputs.title}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | pull_request_target |
 | .github/workflows/test24.yml:19:17:19:50 | steps.parse.outputs.payload | .github/workflows/test24.yml:8:9:17:6 | Uses Step: parse | .github/workflows/test24.yml:19:17:19:50 | steps.parse.outputs.payload | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test24.yml:19:17:19:50 | steps.parse.outputs.payload | ${{ steps.parse.outputs.payload }} | .github/workflows/test24.yml:2:3:2:8 | issues | issues |
 | .github/workflows/test25.yml:12:20:12:50 | steps.parse.outputs.data | .github/workflows/test25.yml:9:9:12:6 | Uses Step: parse | .github/workflows/test25.yml:12:20:12:50 | steps.parse.outputs.data | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test25.yml:12:20:12:50 | steps.parse.outputs.data | ${{ steps.parse.outputs.data }} | .github/workflows/test25.yml:3:5:3:10 | issues | issues |
 | .github/workflows/test25.yml:13:20:13:58 | toJSON(steps.parse.outputs.data) | .github/workflows/test25.yml:9:9:12:6 | Uses Step: parse | .github/workflows/test25.yml:13:20:13:58 | toJSON(steps.parse.outputs.data) | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test25.yml:13:20:13:58 | toJSON(steps.parse.outputs.data) | ${{ toJSON(steps.parse.outputs.data) }} | .github/workflows/test25.yml:3:5:3:10 | issues | issues |
--- a/actions/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected
+++ b/actions/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected
@@ -128,10 +128,14 @@ edges
 | .github/workflows/test9.yml:12:9:20:6 | Uses Step: issue_body_parser_request | .github/workflows/test9.yml:10:17:10:70 | steps.issue_body_parser_request.outputs.payload | provenance |  |
 | .github/workflows/test9.yml:12:9:20:6 | Uses Step: issue_body_parser_request | .github/workflows/test9.yml:20:20:20:73 | steps.issue_body_parser_request.outputs.payload | provenance |  |
 | .github/workflows/test11.yml:19:7:21:4 | Job outputs node [pr_num] | .github/workflows/test11.yml:54:20:54:60 | needs.get-artifacts.outputs.pr_num | provenance |  |
+| .github/workflows/test11.yml:19:7:21:4 | Job outputs node [ref] | .github/workflows/test11.yml:55:20:55:57 | needs.get-artifacts.outputs.ref | provenance |  |
 | .github/workflows/test11.yml:19:16:19:50 | steps.set-ref.outputs.pr_num | .github/workflows/test11.yml:19:7:21:4 | Job outputs node [pr_num] | provenance |  |
+| .github/workflows/test11.yml:20:13:20:44 | steps.set-ref.outputs.ref | .github/workflows/test11.yml:19:7:21:4 | Job outputs node [ref] | provenance |  |
 | .github/workflows/test11.yml:22:9:30:6 | Uses Step | .github/workflows/test11.yml:32:14:44:44 | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n  pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n  ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_OUTPUT\necho "ref=$ref" >> $GITHUB_OUTPUT\n | provenance | Config |
 | .github/workflows/test11.yml:30:9:46:2 | Run Step: set-ref [pr_num] | .github/workflows/test11.yml:19:16:19:50 | steps.set-ref.outputs.pr_num | provenance |  |
+| .github/workflows/test11.yml:30:9:46:2 | Run Step: set-ref [ref] | .github/workflows/test11.yml:20:13:20:44 | steps.set-ref.outputs.ref | provenance |  |
 | .github/workflows/test11.yml:32:14:44:44 | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n  pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n  ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_OUTPUT\necho "ref=$ref" >> $GITHUB_OUTPUT\n | .github/workflows/test11.yml:30:9:46:2 | Run Step: set-ref [pr_num] | provenance |  |
+| .github/workflows/test11.yml:32:14:44:44 | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n  pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n  ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_OUTPUT\necho "ref=$ref" >> $GITHUB_OUTPUT\n | .github/workflows/test11.yml:30:9:46:2 | Run Step: set-ref [ref] | provenance |  |
 | .github/workflows/test14.yml:13:9:16:6 | Run Step: changed-files [files] | .github/workflows/test14.yml:16:21:16:60 | steps.changed-files.outputs.files | provenance |  |
 | .github/workflows/test14.yml:14:14:15:117 | echo "files=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_OUTPUT"\n | .github/workflows/test14.yml:13:9:16:6 | Run Step: changed-files [files] | provenance |  |
 | .github/workflows/test14.yml:23:9:27:6 | Run Step: changed-files [files] | .github/workflows/test14.yml:27:21:27:60 | steps.changed-files.outputs.files | provenance |  |
@@ -199,6 +203,12 @@ edges
 | .github/workflows/test19.yml:100:14:102:48 | BODY=$(gh api /repos/test/test/issues/${{PR_NUMBER}} --jq ".body")\necho "body=$BODY" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:99:9:103:6 | Run Step: body [body] | provenance |  |
 | .github/workflows/test19.yml:104:9:108:6 | Run Step: comments [comments] | .github/workflows/test19.yml:108:21:108:57 | steps.comments.outputs.comments | provenance |  |
 | .github/workflows/test19.yml:105:14:107:56 | COMMENTS=$(gh api /repos/test/test/pulls/${PR_NUMBER}/comments --jq '.[].body')\necho "comments=$COMMENTS" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:104:9:108:6 | Run Step: comments [comments] | provenance |  |
+| .github/workflows/test19.yml:112:9:117:6 | Run Step: title1 [title] | .github/workflows/test19.yml:117:21:117:52 | steps.title1.outputs.title | provenance |  |
+| .github/workflows/test19.yml:113:14:116:50 | DETAILS=$(gh pr view $PR_NUMBER --json "title,author,headRefName")\nTITLE=$(echo $DETAILS \| jq -r '.title')\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:112:9:117:6 | Run Step: title1 [title] | provenance |  |
+| .github/workflows/test19.yml:118:9:123:6 | Run Step: title2 [title] | .github/workflows/test19.yml:123:21:123:52 | steps.title2.outputs.title | provenance |  |
+| .github/workflows/test19.yml:119:14:122:50 | TITLE=$(gh pr view $PR_NUMBER --json "title,author,headRefName")\nTITLE=$(echo $TITLE \| jq -r '.title')\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:118:9:123:6 | Run Step: title2 [title] | provenance |  |
+| .github/workflows/test19.yml:124:9:129:6 | Run Step: title3 [title] | .github/workflows/test19.yml:129:21:129:52 | steps.title3.outputs.title | provenance |  |
+| .github/workflows/test19.yml:125:14:128:50 | TITLE=$(gh issue view "$ISSUE_NUMBER" --json title,author)\nTITLE=$(echo $TITLE \| jq -r '.title')\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:124:9:129:6 | Run Step: title3 [title] | provenance |  |
 | .github/workflows/test24.yml:8:9:17:6 | Uses Step: parse | .github/workflows/test24.yml:19:17:19:50 | steps.parse.outputs.payload | provenance |  |
 | .github/workflows/test25.yml:9:9:12:6 | Uses Step: parse | .github/workflows/test25.yml:12:20:12:50 | steps.parse.outputs.data | provenance |  |
 | .github/workflows/test25.yml:9:9:12:6 | Uses Step: parse | .github/workflows/test25.yml:13:20:13:58 | toJSON(steps.parse.outputs.data) | provenance |  |
@@ -495,11 +505,15 @@ nodes
 | .github/workflows/test10.yml:423:34:423:77 | github.event.workflow_run.head_branch | semmle.label | github.event.workflow_run.head_branch |
 | .github/workflows/test10.yml:518:34:518:77 | github.event.workflow_run.head_branch | semmle.label | github.event.workflow_run.head_branch |
 | .github/workflows/test11.yml:19:7:21:4 | Job outputs node [pr_num] | semmle.label | Job outputs node [pr_num] |
+| .github/workflows/test11.yml:19:7:21:4 | Job outputs node [ref] | semmle.label | Job outputs node [ref] |
 | .github/workflows/test11.yml:19:16:19:50 | steps.set-ref.outputs.pr_num | semmle.label | steps.set-ref.outputs.pr_num |
+| .github/workflows/test11.yml:20:13:20:44 | steps.set-ref.outputs.ref | semmle.label | steps.set-ref.outputs.ref |
 | .github/workflows/test11.yml:22:9:30:6 | Uses Step | semmle.label | Uses Step |
 | .github/workflows/test11.yml:30:9:46:2 | Run Step: set-ref [pr_num] | semmle.label | Run Step: set-ref [pr_num] |
+| .github/workflows/test11.yml:30:9:46:2 | Run Step: set-ref [ref] | semmle.label | Run Step: set-ref [ref] |
 | .github/workflows/test11.yml:32:14:44:44 | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n  pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n  ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_OUTPUT\necho "ref=$ref" >> $GITHUB_OUTPUT\n | semmle.label | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n  pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n  ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_OUTPUT\necho "ref=$ref" >> $GITHUB_OUTPUT\n |
 | .github/workflows/test11.yml:54:20:54:60 | needs.get-artifacts.outputs.pr_num | semmle.label | needs.get-artifacts.outputs.pr_num |
+| .github/workflows/test11.yml:55:20:55:57 | needs.get-artifacts.outputs.ref | semmle.label | needs.get-artifacts.outputs.ref |
 | .github/workflows/test12.yml:10:21:10:67 | github.event.pull_request.title \|\| "foo" | semmle.label | github.event.pull_request.title \|\| "foo" |
 | .github/workflows/test13.yml:10:21:10:57 | github.event.changes.body.from | semmle.label | github.event.changes.body.from |
 | .github/workflows/test13.yml:11:21:11:58 | github.event.changes.title.from | semmle.label | github.event.changes.title.from |
@@ -606,6 +620,15 @@ nodes
 | .github/workflows/test19.yml:104:9:108:6 | Run Step: comments [comments] | semmle.label | Run Step: comments [comments] |
 | .github/workflows/test19.yml:105:14:107:56 | COMMENTS=$(gh api /repos/test/test/pulls/${PR_NUMBER}/comments --jq '.[].body')\necho "comments=$COMMENTS" >> "$GITHUB_OUTPUT"\n | semmle.label | COMMENTS=$(gh api /repos/test/test/pulls/${PR_NUMBER}/comments --jq '.[].body')\necho "comments=$COMMENTS" >> "$GITHUB_OUTPUT"\n |
 | .github/workflows/test19.yml:108:21:108:57 | steps.comments.outputs.comments | semmle.label | steps.comments.outputs.comments |
+| .github/workflows/test19.yml:112:9:117:6 | Run Step: title1 [title] | semmle.label | Run Step: title1 [title] |
+| .github/workflows/test19.yml:113:14:116:50 | DETAILS=$(gh pr view $PR_NUMBER --json "title,author,headRefName")\nTITLE=$(echo $DETAILS \| jq -r '.title')\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n | semmle.label | DETAILS=$(gh pr view $PR_NUMBER --json "title,author,headRefName")\nTITLE=$(echo $DETAILS \| jq -r '.title')\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n |
+| .github/workflows/test19.yml:117:21:117:52 | steps.title1.outputs.title | semmle.label | steps.title1.outputs.title |
+| .github/workflows/test19.yml:118:9:123:6 | Run Step: title2 [title] | semmle.label | Run Step: title2 [title] |
+| .github/workflows/test19.yml:119:14:122:50 | TITLE=$(gh pr view $PR_NUMBER --json "title,author,headRefName")\nTITLE=$(echo $TITLE \| jq -r '.title')\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n | semmle.label | TITLE=$(gh pr view $PR_NUMBER --json "title,author,headRefName")\nTITLE=$(echo $TITLE \| jq -r '.title')\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n |
+| .github/workflows/test19.yml:123:21:123:52 | steps.title2.outputs.title | semmle.label | steps.title2.outputs.title |
+| .github/workflows/test19.yml:124:9:129:6 | Run Step: title3 [title] | semmle.label | Run Step: title3 [title] |
+| .github/workflows/test19.yml:125:14:128:50 | TITLE=$(gh issue view "$ISSUE_NUMBER" --json title,author)\nTITLE=$(echo $TITLE \| jq -r '.title')\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n | semmle.label | TITLE=$(gh issue view "$ISSUE_NUMBER" --json title,author)\nTITLE=$(echo $TITLE \| jq -r '.title')\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n |
+| .github/workflows/test19.yml:129:21:129:52 | steps.title3.outputs.title | semmle.label | steps.title3.outputs.title |
 | .github/workflows/test21.yml:22:35:22:73 | github.event.head_commit.message | semmle.label | github.event.head_commit.message |
 | .github/workflows/test21.yml:23:36:23:74 | github.event.head_commit.message | semmle.label | github.event.head_commit.message |
 | .github/workflows/test21.yml:24:50:24:88 | github.event.head_commit.message | semmle.label | github.event.head_commit.message |
--- a/actions/ql/test/query-tests/Security/CWE-1395/.github/workflows/test1.yml
+++ b/actions/ql/test/query-tests/Security/CWE-1395/.github/workflows/test1.yml
@@ -7,15 +7,15 @@ jobs:
  test1:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/download-artifact@v1
-      - uses: actions/download-artifact@v1.0.0
-      - uses: actions/download-artifact@v2
-      - uses: actions/download-artifact@v2.1.0
-      - uses: actions/download-artifact@v3
-      - uses: actions/download-artifact@v3.0.2
+      - uses: actions/download-artifact@v1 # SECURE
+      - uses: actions/download-artifact@v1.0.0 # SECURE
+      - uses: actions/download-artifact@v2 # SECURE
+      - uses: actions/download-artifact@v2.1.0 # SECURE
+      - uses: actions/download-artifact@v3 # SECURE
+      - uses: actions/download-artifact@v3.0.2 # SECURE
      - uses: actions/download-artifact@v4.1.0
-      - uses: actions/download-artifact@87c55149d96e628cc2ef7e6fc2aab372015aec85 # v4.1.3
-      - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
+      - uses: actions/download-artifact@eaceaf801fd36c7dee90939fad912460b18a1ffe # v4.1.2
+      - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2  # SECURE
      - uses: actions/download-artifact@v4 # SECURE
      - uses: actions/download-artifact@v4.1.7 # SECURE
      - uses: actions/download-artifact@v4.1.8 # SECURE
--- a/actions/ql/test/query-tests/Security/CWE-1395/UseOfKnownVulnerableAction.expected
+++ b/actions/ql/test/query-tests/Security/CWE-1395/UseOfKnownVulnerableAction.expected
@@ -1,9 +1,2 @@
-| .github/workflows/test1.yml:10:9:11:6 | Uses Step | The workflow is using a known vulnerable version ($@) of the $@ action. Update it to $@ | .github/workflows/test1.yml:10:9:11:6 | Uses Step | v1 | .github/workflows/test1.yml:10:9:11:6 | Uses Step | actions/download-artifact | .github/workflows/test1.yml:10:9:11:6 | Uses Step | 4.1.7 |
-| .github/workflows/test1.yml:11:9:12:6 | Uses Step | The workflow is using a known vulnerable version ($@) of the $@ action. Update it to $@ | .github/workflows/test1.yml:11:9:12:6 | Uses Step | v1.0.0 | .github/workflows/test1.yml:11:9:12:6 | Uses Step | actions/download-artifact | .github/workflows/test1.yml:11:9:12:6 | Uses Step | 4.1.7 |
-| .github/workflows/test1.yml:12:9:13:6 | Uses Step | The workflow is using a known vulnerable version ($@) of the $@ action. Update it to $@ | .github/workflows/test1.yml:12:9:13:6 | Uses Step | v2 | .github/workflows/test1.yml:12:9:13:6 | Uses Step | actions/download-artifact | .github/workflows/test1.yml:12:9:13:6 | Uses Step | 4.1.7 |
-| .github/workflows/test1.yml:13:9:14:6 | Uses Step | The workflow is using a known vulnerable version ($@) of the $@ action. Update it to $@ | .github/workflows/test1.yml:13:9:14:6 | Uses Step | v2.1.0 | .github/workflows/test1.yml:13:9:14:6 | Uses Step | actions/download-artifact | .github/workflows/test1.yml:13:9:14:6 | Uses Step | 4.1.7 |
-| .github/workflows/test1.yml:14:9:15:6 | Uses Step | The workflow is using a known vulnerable version ($@) of the $@ action. Update it to $@ | .github/workflows/test1.yml:14:9:15:6 | Uses Step | v3 | .github/workflows/test1.yml:14:9:15:6 | Uses Step | actions/download-artifact | .github/workflows/test1.yml:14:9:15:6 | Uses Step | 4.1.7 |
-| .github/workflows/test1.yml:15:9:16:6 | Uses Step | The workflow is using a known vulnerable version ($@) of the $@ action. Update it to $@ | .github/workflows/test1.yml:15:9:16:6 | Uses Step | v3.0.2 | .github/workflows/test1.yml:15:9:16:6 | Uses Step | actions/download-artifact | .github/workflows/test1.yml:15:9:16:6 | Uses Step | 4.1.7 |
-| .github/workflows/test1.yml:16:9:17:6 | Uses Step | The workflow is using a known vulnerable version ($@) of the $@ action. Update it to $@ | .github/workflows/test1.yml:16:9:17:6 | Uses Step | v4.1.0 | .github/workflows/test1.yml:16:9:17:6 | Uses Step | actions/download-artifact | .github/workflows/test1.yml:16:9:17:6 | Uses Step | 4.1.7 |
-| .github/workflows/test1.yml:17:9:18:6 | Uses Step | The workflow is using a known vulnerable version ($@) of the $@ action. Update it to $@ | .github/workflows/test1.yml:17:9:18:6 | Uses Step | 87c55149d96e628cc2ef7e6fc2aab372015aec85 | .github/workflows/test1.yml:17:9:18:6 | Uses Step | actions/download-artifact | .github/workflows/test1.yml:17:9:18:6 | Uses Step | 4.1.7 |
-| .github/workflows/test1.yml:18:9:19:6 | Uses Step | The workflow is using a known vulnerable version ($@) of the $@ action. Update it to $@ | .github/workflows/test1.yml:18:9:19:6 | Uses Step | 9bc31d5ccc31df68ecc42ccf4149144866c47d8a | .github/workflows/test1.yml:18:9:19:6 | Uses Step | actions/download-artifact | .github/workflows/test1.yml:18:9:19:6 | Uses Step | 4.1.7 |
+| .github/workflows/test1.yml:16:9:17:6 | Uses Step | The workflow is using a known vulnerable version ($@) of the $@ action. Update it to $@ | .github/workflows/test1.yml:16:9:17:6 | Uses Step | v4.1.0 | .github/workflows/test1.yml:16:9:17:6 | Uses Step | actions/download-artifact | .github/workflows/test1.yml:16:9:17:6 | Uses Step | 4.1.3 |
+| .github/workflows/test1.yml:17:9:18:6 | Uses Step | The workflow is using a known vulnerable version ($@) of the $@ action. Update it to $@ | .github/workflows/test1.yml:17:9:18:6 | Uses Step | eaceaf801fd36c7dee90939fad912460b18a1ffe | .github/workflows/test1.yml:17:9:18:6 | Uses Step | actions/download-artifact | .github/workflows/test1.yml:17:9:18:6 | Uses Step | 4.1.3 |
--- a/actions/ql/test/query-tests/Security/CWE-200/SecretExfiltration.qlref
+++ b/actions/ql/test/query-tests/Security/CWE-200/SecretExfiltration.qlref
@@ -1,2 +1,2 @@
-Security/CWE-200/SecretExfiltration.ql
+experimental/Security/CWE-200/SecretExfiltration.ql

--- a/actions/ql/test/query-tests/Security/CWE-284/CodeExecutionOnSelfHostedRunner.qlref
+++ b/actions/ql/test/query-tests/Security/CWE-284/CodeExecutionOnSelfHostedRunner.qlref
@@ -1,2 +1,2 @@
-Security/CWE-284/CodeExecutionOnSelfHostedRunner.ql
+experimental/Security/CWE-284/CodeExecutionOnSelfHostedRunner.ql

--- a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning81.yml
+++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning81.yml
@@ -25,7 +25,7 @@ jobs:
    permissions:                       
      contents: write
    steps:
-      - uses: actions/download-artifact@v3
+      - uses: actions/download-artifact@v4.0.0
        with:
          name: results
      - run: python test.py
--- a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/issue_comment_octokit.yml
+++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/issue_comment_octokit.yml
@@ -7,7 +7,7 @@ on:
 jobs:
  test1: 
    if: github.event.comment.body == '@metabase-bot run visual tests'
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
    steps:
      - name: Fetch issue
        uses: octokit/request-action@v2.x
--- a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/issue_comment_octokit2.yml
+++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/issue_comment_octokit2.yml
@@ -7,7 +7,7 @@ on:
 jobs:
  test1:
    if: github.event.comment.body == '@metabase-bot run visual tests'
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
    steps:
      - name: Fetch issue
        uses: octokit/request-action@v2.x
--- a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/unpinned_tags.yml
+++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/unpinned_tags.yml
@@ -9,3 +9,5 @@ jobs:
    - uses: foo/bar
    - uses: foo/bar@v1
    - uses: foo/bar@25b062c917b0c75f8b47d8469aff6c94ffd89abb
+    - uses: docker://foo/bar@latest
+    - uses: docker://foo/bar@sha256:887a259a5a534f3c4f36cb02dca341673c6089431057242cdc931e9f133147e9
--- a/actions/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningPathTraversal.qlref
+++ b/actions/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningPathTraversal.qlref
@@ -1,2 +1,2 @@
-Security/CWE-829/ArtifactPoisoningPathTraversal.ql
+experimental/Security/CWE-829/ArtifactPoisoningPathTraversal.ql

--- a/actions/ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.expected
+++ b/actions/ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.expected
@@ -32,3 +32,4 @@
 | .github/workflows/test17.yml:20:21:20:63 | sonarsource/sonarcloud-github-action@master | Unpinned 3rd party Action 'Sonar' step $@ uses 'sonarsource/sonarcloud-github-action' with ref 'master', not a pinned commit hash | .github/workflows/test17.yml:19:15:23:58 | Uses Step | Uses Step |
 | .github/workflows/test18.yml:37:21:37:63 | sonarsource/sonarcloud-github-action@master | Unpinned 3rd party Action 'Sonar' step $@ uses 'sonarsource/sonarcloud-github-action' with ref 'master', not a pinned commit hash | .github/workflows/test18.yml:36:15:40:58 | Uses Step | Uses Step |
 | .github/workflows/unpinned_tags.yml:10:13:10:22 | foo/bar@v1 | Unpinned 3rd party Action 'unpinned_tags.yml' step $@ uses 'foo/bar' with ref 'v1', not a pinned commit hash | .github/workflows/unpinned_tags.yml:10:7:11:4 | Uses Step | Uses Step |
+| .github/workflows/unpinned_tags.yml:12:13:12:35 | docker://foo/bar@latest | Unpinned 3rd party Action 'unpinned_tags.yml' step $@ uses 'docker://foo/bar' with ref 'latest', not a pinned commit hash | .github/workflows/unpinned_tags.yml:12:7:13:4 | Uses Step | Uses Step |
--- a/actions/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected
+++ b/actions/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected
@@ -299,7 +299,9 @@ edges
 | .github/workflows/test.yml:14:9:25:6 | Run Step | .github/workflows/test.yml:25:9:33:6 | Run Step |
 | .github/workflows/test.yml:25:9:33:6 | Run Step | .github/workflows/test.yml:33:9:37:34 | Run Step |
 | .github/workflows/unpinned_tags.yml:9:7:10:4 | Uses Step | .github/workflows/unpinned_tags.yml:10:7:11:4 | Uses Step |
-| .github/workflows/unpinned_tags.yml:10:7:11:4 | Uses Step | .github/workflows/unpinned_tags.yml:11:7:11:61 | Uses Step |
+| .github/workflows/unpinned_tags.yml:10:7:11:4 | Uses Step | .github/workflows/unpinned_tags.yml:11:7:12:4 | Uses Step |
+| .github/workflows/unpinned_tags.yml:11:7:12:4 | Uses Step | .github/workflows/unpinned_tags.yml:12:7:13:4 | Uses Step |
+| .github/workflows/unpinned_tags.yml:12:7:13:4 | Uses Step | .github/workflows/unpinned_tags.yml:13:7:13:101 | Uses Step |
 | .github/workflows/untrusted_checkout2.yml:7:9:14:6 | Run Step: pr_number | .github/workflows/untrusted_checkout2.yml:14:9:19:72 | Run Step |
 | .github/workflows/untrusted_checkout3.yml:11:9:12:6 | Uses Step | .github/workflows/untrusted_checkout3.yml:12:9:13:6 | Uses Step |
 | .github/workflows/untrusted_checkout3.yml:12:9:13:6 | Uses Step | .github/actions/dangerous-git-checkout/action.yml:6:7:11:4 | Uses Step |
--- a/actions/ql/test/query-tests/Security/CWE-918/RequestForgery.qlref
+++ b/actions/ql/test/query-tests/Security/CWE-918/RequestForgery.qlref
@@ -1 +1 @@
-Security/CWE-918/RequestForgery.ql
+experimental/Security/CWE-918/RequestForgery.ql
--- a/Practice/CodeQL/.github/workflows/should_be_using_advanced_setup.yml
+++ b/Practice/CodeQL/.github/workflows/should_be_using_advanced_setup.yml
@@ -21,9 +21,9 @@ jobs:
      matrix:
        include:
          - language: javascript
-            os: ubuntu-22.04
+            os: ubuntu-24.04
          - language: ruby
-            os: ubuntu-22.04-16core
+            os: ubuntu-24.04-16core

    steps:
      - name: Checkout repository
--- a/codeql-workspace.yml
+++ b/codeql-workspace.yml
@@ -17,7 +17,7 @@ provide:
  - "misc/legacy-support/*/qlpack.yml"
  - "misc/suite-helpers/qlpack.yml"
  - ".github/codeql/extensions/**/codeql-pack.yml"
-
+  - "actions/ql/extensions/**/qlpack.yml"
 versionPolicies:
  default:
    requireChangeNotes: true
--- a/cpp/downgrades/59cb96ca699929b63941e81905f9b8de7eed59a6/old.dbscheme
+++ b/cpp/downgrades/59cb96ca699929b63941e81905f9b8de7eed59a6/old.dbscheme
--- a/cpp/downgrades/59cb96ca699929b63941e81905f9b8de7eed59a6/preprocdirects.ql
+++ b/cpp/downgrades/59cb96ca699929b63941e81905f9b8de7eed59a6/preprocdirects.ql
@@ -0,0 +1,21 @@
+class PreprocessorDirective extends @preprocdirect {
+  string toString() { none() }
+}
+
+class Location extends @location_default {
+  string toString() { none() }
+}
+
+bindingset[kind]
+int getKind(int kind) {
+  if kind = 14
+  then result = 6 // Represent MSFT #import as #include
+  else
+    if kind = 15 or kind = 6
+    then result = 3 // Represent #elifdef and #elifndef as #elif
+    else result = kind
+}
+
+from PreprocessorDirective ppd, int kind, Location l
+where preprocdirects(ppd, kind, l)
+select ppd, getKind(kind), l
--- a/cpp/downgrades/59cb96ca699929b63941e81905f9b8de7eed59a6/semmlecode.cpp.dbscheme
+++ b/cpp/downgrades/59cb96ca699929b63941e81905f9b8de7eed59a6/semmlecode.cpp.dbscheme
--- a/cpp/downgrades/59cb96ca699929b63941e81905f9b8de7eed59a6/upgrade.properties
+++ b/cpp/downgrades/59cb96ca699929b63941e81905f9b8de7eed59a6/upgrade.properties
@@ -0,0 +1,3 @@
+description: Support #elifdef, #elifndef and #import
+compatibility: full
+preprocdirects.rel: run preprocdirects.qlo
--- a/cpp/downgrades/e594389175c098d7225683d0fd8cefcc47d84bc1/old.dbscheme
+++ b/cpp/downgrades/e594389175c098d7225683d0fd8cefcc47d84bc1/old.dbscheme
--- a/cpp/downgrades/e594389175c098d7225683d0fd8cefcc47d84bc1/semmlecode.cpp.dbscheme
+++ b/cpp/downgrades/e594389175c098d7225683d0fd8cefcc47d84bc1/semmlecode.cpp.dbscheme
--- a/cpp/downgrades/e594389175c098d7225683d0fd8cefcc47d84bc1/upgrade.properties
+++ b/cpp/downgrades/e594389175c098d7225683d0fd8cefcc47d84bc1/upgrade.properties
@@ -0,0 +1,4 @@
+description: Mix typedefs and usings
+compatibility: full
+usertypes.rel: run usertypes.qlo
+usertype_alias_kind.rel: delete
--- a/cpp/downgrades/e594389175c098d7225683d0fd8cefcc47d84bc1/usertypes.ql
+++ b/cpp/downgrades/e594389175c098d7225683d0fd8cefcc47d84bc1/usertypes.ql
@@ -0,0 +1,20 @@
+class UserType extends @usertype {
+  string toString() { none() }
+}
+
+int getTyperefKind(UserType usertype) {
+  usertype_alias_kind(usertype, 0) and
+  result = 5
+  or
+  usertype_alias_kind(usertype, 1) and
+  result = 14
+}
+
+bindingset[kind]
+int getKind(UserType usertype, int kind) {
+  if kind = 18 then result = getTyperefKind(usertype) else result = kind
+}
+
+from UserType usertype, string name, int kind
+where usertypes(usertype, name, kind)
+select usertype, name, getKind(usertype, kind)
--- a/cpp/ql/lib/CHANGELOG.md
+++ b/cpp/ql/lib/CHANGELOG.md
@@ -1,3 +1,19 @@
+## 4.0.1
+
+No user-facing changes.
+
+## 4.0.0
+
+### Breaking Changes
+
+* Deleted the deprecated `getAllocatorCall` predicate from `DeleteOrDeleteArrayExpr`, use `getDeallocatorCall` instead.
+
+### New Features
+
+* A new predicate `getOffsetInClass` was added to the `Field` class, which computes the byte offset of a field relative to a given `Class`.
+* New classes `PreprocessorElifdef` and `PreprocessorElifndef` were introduced, which represents the C23/C++23 `#elifdef` and `#elifndef` preprocessor directives.
+* A new class `TypeLibraryImport` was introduced, which represents the `#import` preprocessor directive as used by the Microsoft Visual C++ for importing type libraries.
+
 ## 3.2.0

 ### New Features
--- a/cpp/ql/lib/change-notes/2025-02-20-getbuffersize.md
+++ b/cpp/ql/lib/change-notes/2025-02-20-getbuffersize.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Fixed an issue where the `getBufferSize` predicate in `commons/Buffer.qll` was returning results for references inside `offsetof` expressions, which are not accesses to a buffer.
--- a/cpp/ql/lib/change-notes/2025-02-25-getbuffersize.md
+++ b/cpp/ql/lib/change-notes/2025-02-25-getbuffersize.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Modified the `getBufferSize` predicate in `commons/Buffer.qll` to be more tolerant in some cases involving member variables in a larger struct or class.
--- a/cpp/ql/lib/change-notes/released/4.0.0.md
+++ b/cpp/ql/lib/change-notes/released/4.0.0.md
@@ -0,0 +1,11 @@
+## 4.0.0
+
+### Breaking Changes
+
+* Deleted the deprecated `getAllocatorCall` predicate from `DeleteOrDeleteArrayExpr`, use `getDeallocatorCall` instead.
+
+### New Features
+
+* A new predicate `getOffsetInClass` was added to the `Field` class, which computes the byte offset of a field relative to a given `Class`.
+* New classes `PreprocessorElifdef` and `PreprocessorElifndef` were introduced, which represents the C23/C++23 `#elifdef` and `#elifndef` preprocessor directives.
+* A new class `TypeLibraryImport` was introduced, which represents the `#import` preprocessor directive as used by the Microsoft Visual C++ for importing type libraries.
--- a/Show More
+++ b/Show More