Merge pull request #20346 from github/release-prep/2.23.0

Release preparation for version 2.23.0

.bazelrc

@@ -30,6 +30,9 @@ common --registry=https://bcr.bazel.build
 
 common --@rules_dotnet//dotnet/settings:strict_deps=false
 
+# we only configure a nightly toolchain
+common --@rules_rust//rust/toolchain/channel=nightly
+
 # Reduce this eventually to empty, once we've fixed all our usages of java, and https://github.com/bazel-contrib/rules_go/issues/4193 is fixed
 common --incompatible_autoload_externally="+@rules_java,+@rules_shell"
 

.github/copilot-instructions.md

@@ -0,0 +1,4 @@
+When reviewing code:
+* do not review changes in files with `.expected` extension (they are automatically ensured to be correct).
+* in `.ql` and `.qll` files, do not try to review the code itself as you don't understand the programming language
+  well enough to make comments in these languages. You can still check for typos or comment improvements.

.github/workflows/build-ripunzip.yml

@@ -6,21 +6,21 @@ on:
       ripunzip-version:
         description: "what reference to checktout from google/runzip"
         required: false
-        default: v1.2.1
+        default: v2.0.2
       openssl-version:
         description: "what reference to checkout from openssl/openssl for Linux"
         required: false
-        default: openssl-3.3.0
+        default: openssl-3.5.0
 
 jobs:
   build:
     strategy:
       fail-fast: false
       matrix:
-        os: [ubuntu-22.04, macos-13, windows-2019]
+        os: [ubuntu-22.04, macos-13, windows-2022]
     runs-on: ${{ matrix.os }}
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
         with:
           repository: google/ripunzip
           ref: ${{ inputs.ripunzip-version }}
@@ -28,7 +28,7 @@ jobs:
       # see https://github.com/sfackler/rust-openssl/issues/183
       - if: runner.os == 'Linux'
         name: checkout openssl
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
         with:
           repository: openssl/openssl
           path: openssl

.github/workflows/buildifier.yml

@@ -17,7 +17,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
       - name: Check bazel formatting
         uses: pre-commit/action@646c83fcd040023954eafda54b4db0192ce70507
         with:

.github/workflows/check-change-note.yml

@@ -16,7 +16,6 @@ on:
       - "shared/**/*.qll"
       - "!**/experimental/**"
       - "!ql/**"
-      - "!rust/**"
       - ".github/workflows/check-change-note.yml"
 
 jobs:

.github/workflows/check-implicit-this.yml

@@ -16,7 +16,7 @@ jobs:
   check:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
       - name: Check that implicit this warnings is enabled for all packs
         shell: bash
         run: |

.github/workflows/check-overlay-annotations.yml

@@ -0,0 +1,23 @@
+name: Check overlay annotations
+
+on:
+  push:
+    branches:
+      - main
+      - 'rc/*'
+  pull_request:
+    branches:
+      - main
+      - 'rc/*'
+
+permissions:
+  contents: read
+
+jobs:
+  sync:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v5
+      - name: Check overlay annotations
+        run: python config/add-overlay-annotations.py --check java
+

.github/workflows/check-qldoc.yml

@@ -18,7 +18,7 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
         with:
           fetch-depth: 2
 

.github/workflows/check-query-ids.yml

@@ -19,6 +19,6 @@ jobs:
     name: Check query IDs
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
       - name: Check for duplicate query IDs
         run: python3 misc/scripts/check-query-ids.py

.github/workflows/codegen.yml

@@ -1,34 +0,0 @@
-name: Codegen
-
-on:
-  pull_request:
-    paths:
-      - "misc/bazel/**"
-      - "misc/codegen/**"
-      - "*.bazel*"
-      - .github/workflows/codegen.yml
-      - .pre-commit-config.yaml
-    branches:
-      - main
-      - rc/*
-      - codeql-cli-*
-
-permissions:
-  contents: read
-
-jobs:
-  codegen:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-python@v4
-        with:
-          python-version-file: 'misc/codegen/.python-version'
-      - uses: pre-commit/action@646c83fcd040023954eafda54b4db0192ce70507
-        name: Check that python code is properly formatted
-        with:
-          extra_args: autopep8 --all-files
-      - name: Run codegen tests
-        shell: bash
-        run: |
-          bazel test //misc/codegen/...

.github/workflows/codeql-analysis.yml

@@ -37,7 +37,7 @@ jobs:
         dotnet-version: 9.0.100
 
     - name: Checkout repository
-      uses: actions/checkout@v4
+      uses: actions/checkout@v5
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL

.github/workflows/compile-queries.yml

@@ -22,7 +22,7 @@ jobs:
     runs-on: ubuntu-latest-xl
 
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
       - name: Setup CodeQL
         uses: ./.github/actions/fetch-codeql
         with:

.github/workflows/cpp-swift-analysis.yml

@@ -28,7 +28,7 @@ jobs:
 
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v4
+      uses: actions/checkout@v5
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL

.github/workflows/csharp-qltest.yml

@@ -36,10 +36,10 @@ jobs:
   unit-tests:
     strategy:
       matrix:
-        os: [ubuntu-latest, windows-2019]
+        os: [ubuntu-latest, windows-latest]
     runs-on: ${{ matrix.os }}
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
       - name: Setup dotnet
         uses: actions/setup-dotnet@v4
         with:
@@ -55,7 +55,7 @@ jobs:
   stubgentest:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
       - uses: ./csharp/actions/create-extractor-pack
       - name: Run stub generator tests
         run: |
@@ -66,6 +66,6 @@ jobs:
           # Update existing stubs in the repo with the freshly generated ones
           mv "$STUBS_PATH/output/stubs/_frameworks" ql/test/resources/stubs/
           git status
-          codeql test run --threads=0 --search-path "${{ github.workspace }}" --check-databases --check-undefined-labels --check-repeated-labels --check-redefined-labels --consistency-queries ql/consistency-queries -- ql/test/library-tests/dataflow/flowsources/aspremote
+          codeql test run --threads=0 --search-path "${{ github.workspace }}" --check-databases --check-diff-informed --check-undefined-labels --check-repeated-labels --check-redefined-labels --consistency-queries ql/consistency-queries -- ql/test/library-tests/dataflow/flowsources/aspremote
         env:
           GITHUB_TOKEN: ${{ github.token }}

.github/workflows/csv-coverage-metrics.yml

@@ -23,7 +23,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
       - name: Setup CodeQL
         uses: ./.github/actions/fetch-codeql
       - name: Create empty database
@@ -51,7 +51,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
       - name: Setup CodeQL
         uses: ./.github/actions/fetch-codeql
       - name: Create empty database

.github/workflows/csv-coverage-pr-artifacts.yml

@@ -35,11 +35,11 @@ jobs:
           GITHUB_CONTEXT: ${{ toJSON(github.event) }}
         run: echo "$GITHUB_CONTEXT"
       - name: Clone self (github/codeql) - MERGE
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
         with:
           path: merge
       - name: Clone self (github/codeql) - BASE
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
         with:
           fetch-depth: 2
           path: base

.github/workflows/csv-coverage-pr-comment.yml

@@ -24,7 +24,7 @@ jobs:
         GITHUB_CONTEXT: ${{ toJSON(github.event) }}
       run: echo "$GITHUB_CONTEXT"
     - name: Clone self (github/codeql)
-      uses: actions/checkout@v4
+      uses: actions/checkout@v5
     - name: Set up Python 3.8
       uses: actions/setup-python@v4
       with:

.github/workflows/csv-coverage-timeseries.yml

@@ -12,11 +12,11 @@ jobs:
 
     steps:
       - name: Clone self (github/codeql)
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
         with:
           path: script
       - name: Clone self (github/codeql) for analysis
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
         with:
           path: codeqlModels
           fetch-depth: 0

.github/workflows/csv-coverage-update.yml

@@ -21,7 +21,7 @@ jobs:
           GITHUB_CONTEXT: ${{ toJSON(github.event) }}
         run: echo "$GITHUB_CONTEXT"
       - name: Clone self (github/codeql)
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
         with:
           path: ql
           fetch-depth: 0

.github/workflows/csv-coverage.yml

@@ -16,11 +16,11 @@ jobs:
 
     steps:
       - name: Clone self (github/codeql)
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
         with:
           path: script
       - name: Clone self (github/codeql) for analysis
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
         with:
           path: codeqlModels
           ref: ${{ github.event.inputs.qlModelShaOverride || github.ref }}

.github/workflows/fast-forward.yml

@@ -26,7 +26,7 @@ jobs:
           exit 1
 
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
 
       - name: Git config
         shell: bash

.github/workflows/go-tests-other-os.yml

@@ -1,36 +0,0 @@
-name: "Go: Run Tests - Other OS"
-on:
-  pull_request:
-    paths:
-      - "go/**"
-      - "!go/documentation/**"
-      - "!go/ql/**" # don't run other-os if only ql/ files changed
-      - .github/workflows/go-tests-other-os.yml
-      - .github/actions/**
-      - codeql-workspace.yml
-      - MODULE.bazel
-      - .bazelrc
-      - misc/bazel/**
-
-permissions:
-  contents: read
-
-jobs:
-  test-mac:
-    name: Test MacOS
-    runs-on: macos-latest
-    steps:
-      - name: Check out code
-        uses: actions/checkout@v4
-      - name: Run tests
-        uses: ./go/actions/test
-
-  test-win:
-    if: github.repository_owner == 'github'
-    name: Test Windows
-    runs-on: windows-latest-xl
-    steps:
-      - name: Check out code
-        uses: actions/checkout@v4
-      - name: Run tests
-        uses: ./go/actions/test

.github/workflows/go-tests-rtjo.yml

@@ -1,22 +0,0 @@
-name: "Go: Run RTJO Tests"
-on:
-  pull_request:
-    types:
-      - labeled
-
-permissions:
-  contents: read
-
-jobs:
-  test-linux:
-    if: "github.repository_owner == 'github' && github.event.label.name == 'Run: RTJO Language Tests'"
-    name: RTJO Test Linux (Ubuntu)
-    runs-on: ubuntu-latest-xl
-    steps:
-      - name: Check out code
-        uses: actions/checkout@v4
-      - name: Run tests
-        uses: ./go/actions/test
-        with:
-          run-code-checks: true
-          dynamic-join-order-mode: all

.github/workflows/go-tests.yml

@@ -1,20 +1,9 @@
 name: "Go: Run Tests"
 on:
-  push:
-    paths:
-      - "go/**"
-      - "!go/documentation/**"
-      - "shared/**"
-      - .github/workflows/go-tests.yml
-      - .github/actions/**
-      - codeql-workspace.yml
-    branches:
-      - main
-      - "rc/*"
   pull_request:
     paths:
       - "go/**"
-      - "!go/documentation/**"      
+      - "!go/documentation/**"
       - "shared/**"
       - .github/workflows/go-tests.yml
       - .github/actions/**
@@ -33,7 +22,7 @@ jobs:
     runs-on: ubuntu-latest-xl
     steps:
       - name: Check out code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
       - name: Run tests
         uses: ./go/actions/test
         with:

.github/workflows/kotlin-build.yml

@@ -20,7 +20,7 @@ jobs:
   build:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
       - run: |
           bazel query //java/kotlin-extractor/...
           # only build the default version as a quick check that we can build from `codeql`

.github/workflows/mad_modelDiff.yml

@@ -28,12 +28,12 @@ jobs:
         slug: ${{fromJson(github.event.inputs.projects || '["apache/commons-codec", "apache/commons-io", "apache/commons-beanutils", "apache/commons-logging", "apache/commons-fileupload", "apache/commons-lang", "apache/commons-validator", "apache/commons-csv", "apache/dubbo"]' )}}
     steps:
       - name: Clone github/codeql from PR
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
         if: github.event.pull_request
         with:
           path: codeql-pr
       - name: Clone github/codeql from main
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
         with:
           path: codeql-main
           ref: main

.github/workflows/mad_regenerate-models.yml

@@ -30,11 +30,11 @@ jobs:
             ref: "placeholder"
     steps:
       - name: Clone self (github/codeql)
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
       - name: Setup CodeQL binaries
         uses: ./.github/actions/fetch-codeql
       - name: Clone repositories
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
         with:
           path: repos/${{ matrix.ref }}
           ref: ${{ matrix.ref }}

.github/workflows/python-tooling.yml

@@ -0,0 +1,35 @@
+name: Python tooling
+
+on:
+  pull_request:
+    paths:
+      - "misc/bazel/**"
+      - "misc/codegen/**"
+      - "misc/scripts/models-as-data/bulk_generate_mad.py"
+      - "*.bazel*"
+      - .github/workflows/codegen.yml
+      - .pre-commit-config.yaml
+    branches:
+      - main
+      - rc/*
+      - codeql-cli-*
+
+permissions:
+  contents: read
+
+jobs:
+  check-python-tooling:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v5
+      - uses: actions/setup-python@v5
+        with:
+          python-version: '3.12'
+      - uses: pre-commit/action@646c83fcd040023954eafda54b4db0192ce70507
+        name: Check that python code is properly formatted
+        with:
+          extra_args: black --all-files
+      - name: Run codegen tests
+        shell: bash
+        run: |
+          bazel test //misc/codegen/...

.github/workflows/qhelp-pr-preview.yml

@@ -43,7 +43,7 @@ jobs:
           if-no-files-found: error
           retention-days: 1
 
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
         with:
           fetch-depth: 2
           persist-credentials: false

.github/workflows/ql-for-ql-build.yml

@@ -19,7 +19,7 @@ jobs:
     runs-on: ubuntu-latest-xl
     steps:
       ### Build the queries ###
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
         with:
           fetch-depth: 0
       - name: Find codeql

.github/workflows/ql-for-ql-dataset_measure.yml

@@ -25,7 +25,7 @@ jobs:
           - github/codeql
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
 
       - name: Find codeql
         id: find-codeql
@@ -46,14 +46,14 @@ jobs:
         env:
           CODEQL: ${{ steps.find-codeql.outputs.codeql-path }}
       - name: Checkout ${{ matrix.repo }}
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
         with:
           repository: ${{ matrix.repo }}
           path: ${{ github.workspace }}/repo
       - name: Create database
         run: |
           "${CODEQL}" database create \
-          --search-path "${{ github.workspace }}"
+          --search-path "${{ github.workspace }}" \
           --threads 4 \
             --language ql --source-root "${{ github.workspace }}/repo" \
             "${{ runner.temp }}/database"
@@ -75,7 +75,7 @@ jobs:
     runs-on: ubuntu-latest
     needs: measure
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
       - uses: actions/download-artifact@v4
         with:
           name: measurements

.github/workflows/ql-for-ql-tests.yml

@@ -24,7 +24,7 @@ jobs:
   qltest:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
       - name: Find codeql
         id: find-codeql
         uses: github/codeql-action/init@main
@@ -64,7 +64,7 @@ jobs:
     needs: [qltest]
     runs-on: ${{ matrix.os }}
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
       - name: Install GNU tar
         if: runner.os == 'macOS'
         run: |

.github/workflows/query-list.yml

@@ -23,7 +23,7 @@ jobs:
 
     steps:
     - name: Clone self (github/codeql)
-      uses: actions/checkout@v4
+      uses: actions/checkout@v5
       with:
         path: codeql 
     - name: Set up Python 3.8

.github/workflows/ruby-build.yml

@@ -47,7 +47,7 @@ jobs:
     runs-on: ${{ matrix.os }}
 
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
       - name: Install GNU tar
         if: runner.os == 'macOS'
         run: |
@@ -113,7 +113,7 @@ jobs:
     if: github.repository_owner == 'github'
     runs-on: ubuntu-latest-xl
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
       - name: Fetch CodeQL
         uses: ./.github/actions/fetch-codeql
       - name: Cache compilation cache
@@ -146,7 +146,7 @@ jobs:
     runs-on: ubuntu-latest
     needs: [build, compile-queries]
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
       - uses: actions/download-artifact@v4
         with:
           name: ruby.dbscheme
@@ -209,7 +209,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     needs: [package]
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
       - name: Fetch CodeQL
         uses: ./.github/actions/fetch-codeql
 

.github/workflows/ruby-dataset-measure.yml

@@ -30,14 +30,14 @@ jobs:
         repo: [rails/rails, discourse/discourse, spree/spree, ruby/ruby]
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
 
       - uses: ./.github/actions/fetch-codeql
 
       - uses: ./ruby/actions/create-extractor-pack
 
       - name: Checkout ${{ matrix.repo }}
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
         with:
           repository: ${{ matrix.repo }}
           path: ${{ github.workspace }}/repo
@@ -62,7 +62,7 @@ jobs:
     runs-on: ubuntu-latest
     needs: measure
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
       - uses: actions/download-artifact@v4
         with:
           path: stats

.github/workflows/ruby-qltest-rtjo.yml

@@ -25,7 +25,7 @@ jobs:
     strategy:
       fail-fast: false
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
       - uses: ./.github/actions/fetch-codeql
       - uses: ./ruby/actions/create-extractor-pack
       - name: Cache compilation cache
@@ -35,6 +35,6 @@ jobs:
           key: ruby-qltest
       - name: Run QL tests
         run: |
-          codeql test run --dynamic-join-order-mode=all --threads=0 --ram 50000 --search-path "${{ github.workspace }}" --check-databases --check-undefined-labels --check-unused-labels --check-repeated-labels --check-redefined-labels --check-use-before-definition --consistency-queries ql/consistency-queries ql/test --compilation-cache "${{ steps.query-cache.outputs.cache-dir }}"
+          codeql test run --dynamic-join-order-mode=all --threads=0 --ram 50000 --search-path "${{ github.workspace }}" --check-databases --check-diff-informed --check-undefined-labels --check-unused-labels --check-repeated-labels --check-redefined-labels --check-use-before-definition --consistency-queries ql/consistency-queries ql/test --compilation-cache "${{ steps.query-cache.outputs.cache-dir }}"
         env:
           GITHUB_TOKEN: ${{ github.token }}

.github/workflows/ruby-qltest.yml

@@ -36,7 +36,7 @@ jobs:
   qlupgrade:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
       - uses: ./.github/actions/fetch-codeql
       - name: Check DB upgrade scripts
         run: |
@@ -58,7 +58,7 @@ jobs:
     strategy:
       fail-fast: false
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
       - uses: ./.github/actions/fetch-codeql
       - uses: ./ruby/actions/create-extractor-pack
       - name: Cache compilation cache
@@ -68,6 +68,6 @@ jobs:
           key: ruby-qltest
       - name: Run QL tests
         run: |
-          codeql test run --threads=0 --ram 50000 --search-path "${{ github.workspace }}" --check-databases --check-undefined-labels --check-unused-labels --check-repeated-labels --check-redefined-labels --check-use-before-definition --consistency-queries ql/consistency-queries ql/test --compilation-cache "${{ steps.query-cache.outputs.cache-dir }}"
+          codeql test run --threads=0 --ram 50000 --search-path "${{ github.workspace }}" --check-databases --check-diff-informed --check-undefined-labels --check-unused-labels --check-repeated-labels --check-redefined-labels --check-use-before-definition --consistency-queries ql/consistency-queries ql/test --compilation-cache "${{ steps.query-cache.outputs.cache-dir }}"
         env:
           GITHUB_TOKEN: ${{ github.token }}

.github/workflows/rust-analysis.yml

@@ -35,7 +35,7 @@ jobs:
 
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v4
+      uses: actions/checkout@v5
 
     - name: Query latest nightly CodeQL bundle
       shell: bash

.github/workflows/rust.yml

@@ -30,7 +30,7 @@ jobs:
         working-directory: rust/ast-generator
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
       - name: Inject sources
         shell: bash
         run: |
@@ -53,7 +53,7 @@ jobs:
         working-directory: rust/extractor
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
       - name: Format
         shell: bash
         run: |
@@ -69,7 +69,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
       - name: Install CodeQL
         uses: ./.github/actions/fetch-codeql
       - name: Code generation

.github/workflows/swift.yml

@@ -32,11 +32,11 @@ jobs:
     if: github.repository_owner == 'github'
     strategy:
       matrix:
-        runner: [ubuntu-latest, macos-13-xlarge]
+        runner: [ubuntu-latest, macos-15-xlarge]
       fail-fast: false
     runs-on: ${{ matrix.runner }}
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
       - name: Setup (Linux)
         if: runner.os == 'Linux'
         run: |
@@ -53,7 +53,7 @@ jobs:
   clang-format:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
       - uses: pre-commit/action@646c83fcd040023954eafda54b4db0192ce70507
         name: Check that python code is properly formatted
         with:
@@ -61,7 +61,7 @@ jobs:
   codegen:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
       - uses: ./.github/actions/fetch-codeql
       - uses: pre-commit/action@646c83fcd040023954eafda54b4db0192ce70507
         name: Check that QL generated code was checked in
@@ -77,6 +77,6 @@ jobs:
   check-no-override:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
       - name: Check that no override is present in load.bzl
         run: bazel test ... --test_tag_filters=override --test_output=errors

.github/workflows/sync-files.yml

@@ -17,7 +17,7 @@ jobs:
   sync:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
       - name: Check synchronized files
         run: python config/sync-files.py
       - name: Check dbscheme fragments

.github/workflows/tree-sitter-extractor-test.yml

@@ -30,7 +30,7 @@ jobs:
   test:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
       - name: Check formatting
         run: cargo fmt -- --check
       - name: Run tests
@@ -38,12 +38,12 @@ jobs:
   fmt:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
       - name: Check formatting
         run: cargo fmt --check
   clippy:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
       - name: Run clippy
         run: cargo clippy -- --no-deps -D warnings -A clippy::new_without_default -A clippy::too_many_arguments

.github/workflows/validate-change-notes.yml

@@ -23,7 +23,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
 
       - name: Setup CodeQL
         uses: ./.github/actions/fetch-codeql
@@ -31,4 +31,4 @@ jobs:
       - name: Fail if there are any errors with existing change notes
 
         run: |
-          codeql pack release --groups cpp,csharp,java,javascript,python,ruby,-examples,-test,-experimental
+          codeql pack release --groups actions,cpp,csharp,go,java,javascript,python,ruby,shared,swift -examples,-test,-experimental

.github/workflows/zipmerge-test.yml

@@ -18,6 +18,6 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
       - run: |
           bazel test //misc/bazel/internal/zipmerge:test --test_output=all

.gitignore

@@ -62,6 +62,7 @@ node_modules/
 
 # Temporary folders for working with generated models
 .model-temp
+/mad-generation-build
 
 # bazel-built in-tree extractor packs
 /*/extractor-pack
@@ -71,3 +72,7 @@ node_modules/
 
 # cargo build directory
 /target
+
+# some upgrade/downgrade checks create these files
+**/upgrades/*/*.dbscheme.stats
+**/downgrades/*/*.dbscheme.stats

.pre-commit-config.yaml

@@ -1,5 +1,7 @@
 # See https://pre-commit.com for more information
 # See https://pre-commit.com/hooks.html for more hooks
+default_language_version:
+  python: python3.12
 repos:
   - repo: https://github.com/pre-commit/pre-commit-hooks
     rev: v3.2.0
@@ -7,18 +9,18 @@ repos:
       - id: trailing-whitespace
         exclude: /test/.*$(?<!\.qlref)|.*\.patch$|.*\.qll?$
       - id: end-of-file-fixer
-        exclude: /test/.*$(?<!\.qlref)|.*\.patch$|.*\.qll?$
+        exclude: Cargo.lock$|/test/.*$(?<!\.qlref)|.*\.patch$|.*\.qll?$
 
   - repo: https://github.com/pre-commit/mirrors-clang-format
     rev: v17.0.6
     hooks:
       - id: clang-format
 
-  - repo: https://github.com/pre-commit/mirrors-autopep8
-    rev: v2.0.4
+  - repo: https://github.com/psf/black
+    rev: 25.1.0
     hooks:
-      - id: autopep8
-        files: ^misc/codegen/.*\.py
+      - id: black
+        files: ^(misc/codegen/.*|misc/scripts/models-as-data/.*)\.py$
 
   - repo: local
     hooks:

CODEOWNERS

@@ -16,7 +16,7 @@
 /java/ql/test-kotlin2/ @github/codeql-kotlin
 
 # Experimental CodeQL cryptography
-**/experimental/quantum/ @github/ps-codeql
+**/experimental/**/quantum/ @github/ps-codeql
 /shared/quantum/ @github/ps-codeql
 
 # CodeQL tools and associated docs

Cargo.toml

@@ -10,8 +10,4 @@ members = [
     "rust/ast-generator",
     "rust/autobuild",
 ]
-
-[patch.crates-io]
-# patch for build script bug preventing bazel build
-# see https://github.com/rust-lang/rustc_apfloat/pull/17
-rustc_apfloat = { git = "https://github.com/redsun82/rustc_apfloat.git", rev = "32968f16ef1b082243f9bf43a3fbd65c381b3e27" }
+exclude = ["mad-generation-build"]

MODULE.bazel

@@ -14,8 +14,8 @@ local_path_override(
 
 # see https://registry.bazel.build/ for a list of available packages
 
-bazel_dep(name = "platforms", version = "0.0.11")
-bazel_dep(name = "rules_go", version = "0.50.1")
+bazel_dep(name = "platforms", version = "1.0.0")
+bazel_dep(name = "rules_go", version = "0.56.1")
 bazel_dep(name = "rules_pkg", version = "1.0.1")
 bazel_dep(name = "rules_nodejs", version = "6.2.0-codeql.1")
 bazel_dep(name = "rules_python", version = "0.40.0")
@@ -28,7 +28,7 @@ bazel_dep(name = "rules_kotlin", version = "2.1.3-codeql.1")
 bazel_dep(name = "gazelle", version = "0.40.0")
 bazel_dep(name = "rules_dotnet", version = "0.17.4")
 bazel_dep(name = "googletest", version = "1.14.0.bcr.1")
-bazel_dep(name = "rules_rust", version = "0.58.0")
+bazel_dep(name = "rules_rust", version = "0.63.0")
 bazel_dep(name = "zstd", version = "1.5.5.bcr.1")
 
 bazel_dep(name = "buildifier_prebuilt", version = "6.4.0", dev_dependency = True)
@@ -37,7 +37,11 @@ bazel_dep(name = "buildifier_prebuilt", version = "6.4.0", dev_dependency = True
 # the versions there are canonical, the versions here are used for CI in github/codeql, as well as for the vendoring of dependencies.
 RUST_EDITION = "2024"
 
-RUST_VERSION = "1.85.0"
+# run buildutils-internal/scripts/fill-rust-sha256s.py when updating (internal repo)
+# a nightly toolchain is required to enable experimental_use_cc_common_link, which we require internally
+# we prefer to run the same version as internally, even if experimental_use_cc_common_link is not really
+# required in this repo
+RUST_VERSION = "nightly/2025-08-01"
 
 rust = use_extension("@rules_rust//rust:extensions.bzl", "rust")
 rust.toolchain(
@@ -47,6 +51,29 @@ rust.toolchain(
         "x86_64-apple-darwin",
         "aarch64-apple-darwin",
     ],
+    # generated by buildutils-internal/scripts/fill-rust-sha256s.py (internal repo)
+    sha256s = {
+        "2025-08-01/rustc-nightly-x86_64-unknown-linux-gnu.tar.xz": "9bbeaf5d3fc7247d31463a9083aa251c995cc50662c8219e7a2254d76a72a9a4",
+        "2025-08-01/rustc-nightly-x86_64-apple-darwin.tar.xz": "c9ea539a8eff0d5d162701f99f9e1aabe14dd0dfb420d62362817a5d09219de7",
+        "2025-08-01/rustc-nightly-aarch64-apple-darwin.tar.xz": "ae83feebbc39cfd982e4ecc8297731fe79c185173aee138467b334c5404b3773",
+        "2025-08-01/rustc-nightly-x86_64-pc-windows-msvc.tar.xz": "9f170c30d802a349be60cf52ec46260802093cb1013ad667fc0d528b7b10152f",
+        "2025-08-01/clippy-nightly-x86_64-unknown-linux-gnu.tar.xz": "9ae5f3cd8f557c4f6df522597c69d14398cf604cfaed2b83e767c4b77a7eaaf6",
+        "2025-08-01/clippy-nightly-x86_64-apple-darwin.tar.xz": "983cb9ee0b6b968188e04ab2d33743d54764b2681ce565e1b3f2b9135c696a3e",
+        "2025-08-01/clippy-nightly-aarch64-apple-darwin.tar.xz": "ed2219dbc49d088225e1b7c5c4390fa295066e071fddaa2714018f6bb39ddbf0",
+        "2025-08-01/clippy-nightly-x86_64-pc-windows-msvc.tar.xz": "911f40ab5cbdd686f40e00965271fe47c4805513a308ed01f30eafb25b448a50",
+        "2025-08-01/cargo-nightly-x86_64-unknown-linux-gnu.tar.xz": "106463c284e48e4904c717471eeec2be5cc83a9d2cae8d6e948b52438cad2e69",
+        "2025-08-01/cargo-nightly-x86_64-apple-darwin.tar.xz": "6ad35c40efc41a8c531ea43235058347b6902d98a9693bf0aed7fc16d5590cef",
+        "2025-08-01/cargo-nightly-aarch64-apple-darwin.tar.xz": "dd28c365e9d298abc3154c797720ad36a0058f131265c9978b4c8e4e37012c8a",
+        "2025-08-01/cargo-nightly-x86_64-pc-windows-msvc.tar.xz": "7b431286e12d6b3834b038f078389a00cac73f351e8c3152b2504a3c06420b3b",
+        "2025-08-01/llvm-tools-nightly-x86_64-unknown-linux-gnu.tar.xz": "e342e305d7927cc288d386983b2bc253cfad3776b113386e903d0b302648ef47",
+        "2025-08-01/llvm-tools-nightly-x86_64-apple-darwin.tar.xz": "e44dd3506524d85c37b3a54bcc91d01378fd2c590b2db5c5974d12f05c1b84d1",
+        "2025-08-01/llvm-tools-nightly-aarch64-apple-darwin.tar.xz": "0c1b5f46dd81be4a9227b10283a0fcaa39c14fea7e81aea6fd6d9887ff6cdc41",
+        "2025-08-01/llvm-tools-nightly-x86_64-pc-windows-msvc.tar.xz": "423e5fd11406adccbc31b8456ceb7375ce055cdf45e90d2c3babeb2d7f58383f",
+        "2025-08-01/rust-std-nightly-x86_64-unknown-linux-gnu.tar.xz": "3c0ceb46a252647a1d4c7116d9ccae684fa5e42aaf3296419febd2c962c3b41d",
+        "2025-08-01/rust-std-nightly-x86_64-apple-darwin.tar.xz": "3be416003cab10f767390a753d1d16ae4d26c7421c03c98992cf1943e5b0efe8",
+        "2025-08-01/rust-std-nightly-aarch64-apple-darwin.tar.xz": "4046ac0ef951cb056b5028a399124f60999fa37792eab69d008d8d7965f389b4",
+        "2025-08-01/rust-std-nightly-x86_64-pc-windows-msvc.tar.xz": "191ed9d8603c3a4fe5a7bbbc2feb72049078dae2df3d3b7d5dedf3abbf823e6e",
+    },
     versions = [RUST_VERSION],
 )
 use_repo(rust, "rust_toolchains")
@@ -71,49 +98,49 @@ use_repo(
 tree_sitter_extractors_deps = use_extension("//misc/bazel/3rdparty:tree_sitter_extractors_extension.bzl", "r")
 use_repo(
     tree_sitter_extractors_deps,
-    "vendor_ts__anyhow-1.0.97",
+    "vendor_ts__anyhow-1.0.99",
     "vendor_ts__argfile-0.2.1",
-    "vendor_ts__chalk-ir-0.100.0",
-    "vendor_ts__chrono-0.4.40",
-    "vendor_ts__clap-4.5.35",
+    "vendor_ts__chalk-ir-0.104.0",
+    "vendor_ts__chrono-0.4.41",
+    "vendor_ts__clap-4.5.44",
     "vendor_ts__dunce-1.0.5",
     "vendor_ts__either-1.15.0",
     "vendor_ts__encoding-0.2.33",
     "vendor_ts__figment-0.10.19",
     "vendor_ts__flate2-1.1.0",
-    "vendor_ts__glob-0.3.2",
+    "vendor_ts__glob-0.3.3",
     "vendor_ts__globset-0.4.15",
     "vendor_ts__itertools-0.14.0",
     "vendor_ts__lazy_static-1.5.0",
     "vendor_ts__mustache-0.9.0",
     "vendor_ts__num-traits-0.2.19",
-    "vendor_ts__num_cpus-1.16.0",
-    "vendor_ts__proc-macro2-1.0.94",
+    "vendor_ts__num_cpus-1.17.0",
+    "vendor_ts__proc-macro2-1.0.97",
     "vendor_ts__quote-1.0.40",
-    "vendor_ts__ra_ap_base_db-0.0.273",
-    "vendor_ts__ra_ap_cfg-0.0.273",
-    "vendor_ts__ra_ap_hir-0.0.273",
-    "vendor_ts__ra_ap_hir_def-0.0.273",
-    "vendor_ts__ra_ap_hir_expand-0.0.273",
-    "vendor_ts__ra_ap_hir_ty-0.0.273",
-    "vendor_ts__ra_ap_ide_db-0.0.273",
-    "vendor_ts__ra_ap_intern-0.0.273",
-    "vendor_ts__ra_ap_load-cargo-0.0.273",
-    "vendor_ts__ra_ap_parser-0.0.273",
-    "vendor_ts__ra_ap_paths-0.0.273",
-    "vendor_ts__ra_ap_project_model-0.0.273",
-    "vendor_ts__ra_ap_span-0.0.273",
-    "vendor_ts__ra_ap_stdx-0.0.273",
-    "vendor_ts__ra_ap_syntax-0.0.273",
-    "vendor_ts__ra_ap_vfs-0.0.273",
-    "vendor_ts__rand-0.9.0",
+    "vendor_ts__ra_ap_base_db-0.0.300",
+    "vendor_ts__ra_ap_cfg-0.0.300",
+    "vendor_ts__ra_ap_hir-0.0.300",
+    "vendor_ts__ra_ap_hir_def-0.0.300",
+    "vendor_ts__ra_ap_hir_expand-0.0.300",
+    "vendor_ts__ra_ap_hir_ty-0.0.300",
+    "vendor_ts__ra_ap_ide_db-0.0.300",
+    "vendor_ts__ra_ap_intern-0.0.300",
+    "vendor_ts__ra_ap_load-cargo-0.0.300",
+    "vendor_ts__ra_ap_parser-0.0.300",
+    "vendor_ts__ra_ap_paths-0.0.300",
+    "vendor_ts__ra_ap_project_model-0.0.300",
+    "vendor_ts__ra_ap_span-0.0.300",
+    "vendor_ts__ra_ap_stdx-0.0.300",
+    "vendor_ts__ra_ap_syntax-0.0.300",
+    "vendor_ts__ra_ap_vfs-0.0.300",
+    "vendor_ts__rand-0.9.2",
     "vendor_ts__rayon-1.10.0",
     "vendor_ts__regex-1.11.1",
     "vendor_ts__serde-1.0.219",
-    "vendor_ts__serde_json-1.0.140",
-    "vendor_ts__serde_with-3.12.0",
-    "vendor_ts__syn-2.0.100",
-    "vendor_ts__toml-0.8.20",
+    "vendor_ts__serde_json-1.0.142",
+    "vendor_ts__serde_with-3.14.0",
+    "vendor_ts__syn-2.0.104",
+    "vendor_ts__toml-0.9.5",
     "vendor_ts__tracing-0.1.41",
     "vendor_ts__tracing-flame-0.2.0",
     "vendor_ts__tracing-subscriber-0.3.19",
@@ -124,6 +151,7 @@ use_repo(
     "vendor_ts__tree-sitter-ruby-0.23.1",
     "vendor_ts__triomphe-0.1.14",
     "vendor_ts__ungrammar-1.16.1",
+    "vendor_ts__zstd-0.13.3",
 )
 
 http_archive = use_repo_rule("@bazel_tools//tools/build_defs/repo:http.bzl", "http_archive")
@@ -205,6 +233,7 @@ use_repo(
     "kotlin-compiler-2.1.0-Beta1",
     "kotlin-compiler-2.1.20-Beta1",
     "kotlin-compiler-2.2.0-Beta1",
+    "kotlin-compiler-2.2.20-Beta2",
     "kotlin-compiler-embeddable-1.6.0",
     "kotlin-compiler-embeddable-1.6.20",
     "kotlin-compiler-embeddable-1.7.0",
@@ -217,6 +246,7 @@ use_repo(
     "kotlin-compiler-embeddable-2.1.0-Beta1",
     "kotlin-compiler-embeddable-2.1.20-Beta1",
     "kotlin-compiler-embeddable-2.2.0-Beta1",
+    "kotlin-compiler-embeddable-2.2.20-Beta2",
     "kotlin-stdlib-1.6.0",
     "kotlin-stdlib-1.6.20",
     "kotlin-stdlib-1.7.0",
@@ -229,33 +259,34 @@ use_repo(
     "kotlin-stdlib-2.1.0-Beta1",
     "kotlin-stdlib-2.1.20-Beta1",
     "kotlin-stdlib-2.2.0-Beta1",
+    "kotlin-stdlib-2.2.20-Beta2",
 )
 
 go_sdk = use_extension("@rules_go//go:extensions.bzl", "go_sdk")
-go_sdk.download(version = "1.24.0")
+go_sdk.download(version = "1.25.0")
 
 go_deps = use_extension("@gazelle//:extensions.bzl", "go_deps")
 go_deps.from_file(go_mod = "//go/extractor:go.mod")
 use_repo(go_deps, "org_golang_x_mod", "org_golang_x_tools")
 
-lfs_files = use_repo_rule("//misc/bazel:lfs.bzl", "lfs_files")
+lfs_archive = use_repo_rule("//misc/bazel:lfs.bzl", "lfs_archive")
 
-lfs_files(
+lfs_archive(
     name = "ripunzip-linux",
-    srcs = ["//misc/ripunzip:ripunzip-linux"],
-    executable = True,
+    src = "//misc/ripunzip:ripunzip-Linux.zip",
+    build_file = "//misc/ripunzip:BUILD.ripunzip.bazel",
 )
 
-lfs_files(
+lfs_archive(
     name = "ripunzip-windows",
-    srcs = ["//misc/ripunzip:ripunzip-windows.exe"],
-    executable = True,
+    src = "//misc/ripunzip:ripunzip-Windows.zip",
+    build_file = "//misc/ripunzip:BUILD.ripunzip.bazel",
 )
 
-lfs_files(
+lfs_archive(
     name = "ripunzip-macos",
-    srcs = ["//misc/ripunzip:ripunzip-macos"],
-    executable = True,
+    src = "//misc/ripunzip:ripunzip-macOS.zip",
+    build_file = "//misc/ripunzip:BUILD.ripunzip.bazel",
 )
 
 register_toolchains(

actions/extractor/codeql-extractor.yml

@@ -6,6 +6,8 @@ column_kind: "utf16"
 unicode_newlines: true
 build_modes:
   - none
+default_queries:
+  - codeql/actions-queries
 file_coverage_languages: []
 github_api_languages: []
 scc_languages: []

actions/ql/integration-tests/query-suite/actions-code-quality-extended.qls.expected

@@ -0,0 +1 @@
+

actions/ql/integration-tests/query-suite/test.py

@@ -2,7 +2,7 @@ import runs_on
 import pytest
 from query_suites import *
 
-well_known_query_suites = ['actions-code-quality.qls', 'actions-security-and-quality.qls', 'actions-security-extended.qls', 'actions-code-scanning.qls']
+well_known_query_suites = ['actions-code-quality.qls', 'actions-code-quality-extended.qls', 'actions-security-and-quality.qls', 'actions-security-extended.qls', 'actions-code-scanning.qls']
 
 @runs_on.posix
 @pytest.mark.parametrize("query_suite", well_known_query_suites)

actions/ql/lib/CHANGELOG.md

@@ -1,3 +1,37 @@
+## 0.4.16
+
+No user-facing changes.
+
+## 0.4.15
+
+No user-facing changes.
+
+## 0.4.14
+
+No user-facing changes.
+
+## 0.4.13
+
+### Bug Fixes
+
+* The `actions/artifact-poisoning/critical` and `actions/artifact-poisoning/medium` queries now exclude artifacts downloaded to `$[{ runner.temp }}` in addition to `/tmp`.
+
+## 0.4.12
+
+### Minor Analysis Improvements
+
+* Fixed performance issues in the parsing of Bash scripts in workflow files,
+  which led to out-of-disk errors when analysing certain workflow files with
+  complex interpolations of shell commands or quoted strings.
+
+## 0.4.11
+
+No user-facing changes.
+
+## 0.4.10
+
+No user-facing changes.
+
 ## 0.4.9
 
 No user-facing changes.

actions/ql/lib/change-notes/released/0.4.10.md

@@ -0,0 +1,3 @@
+## 0.4.10
+
+No user-facing changes.

actions/ql/lib/change-notes/released/0.4.11.md

@@ -0,0 +1,3 @@
+## 0.4.11
+
+No user-facing changes.

actions/ql/lib/change-notes/released/0.4.12.md

@@ -0,0 +1,7 @@
+## 0.4.12
+
+### Minor Analysis Improvements
+
+* Fixed performance issues in the parsing of Bash scripts in workflow files,
+  which led to out-of-disk errors when analysing certain workflow files with
+  complex interpolations of shell commands or quoted strings.

actions/ql/lib/change-notes/released/0.4.13.md

@@ -0,0 +1,5 @@
+## 0.4.13
+
+### Bug Fixes
+
+* The `actions/artifact-poisoning/critical` and `actions/artifact-poisoning/medium` queries now exclude artifacts downloaded to `$[{ runner.temp }}` in addition to `/tmp`.

actions/ql/lib/change-notes/released/0.4.14.md

@@ -0,0 +1,3 @@
+## 0.4.14
+
+No user-facing changes.

actions/ql/lib/change-notes/released/0.4.15.md

@@ -0,0 +1,3 @@
+## 0.4.15
+
+No user-facing changes.

actions/ql/lib/change-notes/released/0.4.16.md

@@ -0,0 +1,3 @@
+## 0.4.16
+
+No user-facing changes.

actions/ql/lib/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.4.9
+lastReleaseVersion: 0.4.16

actions/ql/lib/codeql/actions/Ast.qll

@@ -50,8 +50,8 @@ class Expression extends AstNode instanceof ExpressionImpl {
   string getNormalizedExpression() { result = normalizeExpr(expression) }
 }
 
-/** A common class for `env` in workflow, job or step. */
-abstract class Env extends AstNode instanceof EnvImpl {
+/** An `env` in workflow, job or step. */
+class Env extends AstNode instanceof EnvImpl {
   /** Gets an environment variable value given its name. */
   ScalarValueImpl getEnvVarValue(string name) { result = super.getEnvVarValue(name) }
 

actions/ql/lib/codeql/actions/Bash.qll

@@ -8,35 +8,64 @@ class BashShellScript extends ShellScript {
     )
   }
 
-  private string lineProducer(int i) {
-    result = this.getRawScript().regexpReplaceAll("\\\\\\s*\n", "").splitAt("\n", i)
+  /**
+   * Gets the line at 0-based index `lineIndex` within this shell script,
+   * assuming newlines as separators.
+   */
+  private string lineProducer(int lineIndex) {
+    result = this.getRawScript().regexpReplaceAll("\\\\\\s*\n", "").splitAt("\n", lineIndex)
   }
 
-  private predicate cmdSubstitutionReplacement(string cmdSubs, string id, int k) {
-    exists(string line | line = this.lineProducer(k) |
-      exists(int i, int j |
-        cmdSubs =
-          // $() cmd substitution
-          line.regexpFind("\\$\\((?:[^()]+|\\((?:[^()]+|\\([^()]*\\))*\\))*\\)", i, j)
-              .regexpReplaceAll("^\\$\\(", "")
-              .regexpReplaceAll("\\)$", "") and
-        id = "cmdsubs:" + k + ":" + i + ":" + j
-      )
-      or
-      exists(int i, int j |
-        // `...` cmd substitution
-        cmdSubs =
-          line.regexpFind("\\`[^\\`]+\\`", i, j)
-              .regexpReplaceAll("^\\`", "")
-              .regexpReplaceAll("\\`$", "") and
-        id = "cmd:" + k + ":" + i + ":" + j
-      )
+  private predicate cmdSubstitutionReplacement(string command, string id, int lineIndex) {
+    this.commandInSubstitution(lineIndex, command, id)
+    or
+    this.commandInBackticks(lineIndex, command, id)
+  }
+
+  /**
+   * Holds if there is a command substitution `$(command)` in
+   * the line at `lineIndex` in the shell script,
+   * and `id` is a unique identifier for this command.
+   */
+  private predicate commandInSubstitution(int lineIndex, string command, string id) {
+    exists(int occurrenceIndex, int occurrenceOffset |
+      command =
+        // Look for the command inside a $(...) command substitution
+        this.lineProducer(lineIndex)
+            .regexpFind("\\$\\((?:[^()]+|\\((?:[^()]+|\\([^()]*\\))*\\))*\\)", occurrenceIndex,
+              occurrenceOffset)
+            // trim starting $( - TODO do this in first regex
+            .regexpReplaceAll("^\\$\\(", "")
+            // trim ending ) - TODO do this in first regex
+            .regexpReplaceAll("\\)$", "") and
+      id = "cmdsubs:" + lineIndex + ":" + occurrenceIndex + ":" + occurrenceOffset
     )
   }
 
-  private predicate rankedCmdSubstitutionReplacements(int i, string old, string new) {
-    old = rank[i](string old2 | this.cmdSubstitutionReplacement(old2, _, _) | old2) and
-    this.cmdSubstitutionReplacement(old, new, _)
+  /**
+   * Holds if `command` is a command in backticks `` `...` `` in
+   * the line at `lineIndex` in the shell script,
+   * and `id` is a unique identifier for this command.
+   */
+  private predicate commandInBackticks(int lineIndex, string command, string id) {
+    exists(int occurrenceIndex, int occurrenceOffset |
+      command =
+        this.lineProducer(lineIndex)
+            .regexpFind("\\`[^\\`]+\\`", occurrenceIndex, occurrenceOffset)
+            // trim leading backtick - TODO do this in first regex
+            .regexpReplaceAll("^\\`", "")
+            // trim trailing backtick - TODO do this in first regex
+            .regexpReplaceAll("\\`$", "") and
+      id = "cmd:" + lineIndex + ":" + occurrenceIndex + ":" + occurrenceOffset
+    )
+  }
+
+  private predicate rankedCmdSubstitutionReplacements(int i, string command, string commandId) {
+    // rank commands by their unique IDs
+    commandId = rank[i](string c, string id | this.cmdSubstitutionReplacement(c, id, _) | id) and
+    // since we cannot output (command, ID) tuples from the rank operation,
+    // we need to work out the specific command associated with the resulting ID
+    this.cmdSubstitutionReplacement(command, commandId, _)
   }
 
   private predicate doReplaceCmdSubstitutions(int line, int round, string old, string new) {
@@ -64,31 +93,56 @@ class BashShellScript extends ShellScript {
     this.cmdSubstitutionReplacement(result, _, i)
   }
 
+  /**
+   * Holds if `quotedStr` is a string in double quotes in
+   * the line at `lineIndex` in the shell script,
+   * and `id` is a unique identifier for this quoted string.
+   */
+  private predicate doubleQuotedString(int lineIndex, string quotedStr, string id) {
+    exists(int occurrenceIndex, int occurrenceOffset |
+      // double quoted string
+      quotedStr =
+        this.cmdSubstitutedLineProducer(lineIndex)
+            .regexpFind("\"((?:[^\"\\\\]|\\\\.)*)\"", occurrenceIndex, occurrenceOffset) and
+      id =
+        "qstr:" + lineIndex + ":" + occurrenceIndex + ":" + occurrenceOffset + ":" +
+          quotedStr.length() + ":" + quotedStr.regexpReplaceAll("[^a-zA-Z0-9]", "")
+    )
+  }
+
+  /**
+   * Holds if `quotedStr` is a string in single quotes in
+   * the line at `lineIndex` in the shell script,
+   * and `id` is a unique identifier for this quoted string.
+   */
+  private predicate singleQuotedString(int lineIndex, string quotedStr, string id) {
+    exists(int occurrenceIndex, int occurrenceOffset |
+      // single quoted string
+      quotedStr =
+        this.cmdSubstitutedLineProducer(lineIndex)
+            .regexpFind("'((?:\\\\.|[^'\\\\])*)'", occurrenceIndex, occurrenceOffset) and
+      id =
+        "qstr:" + lineIndex + ":" + occurrenceIndex + ":" + occurrenceOffset + ":" +
+          quotedStr.length() + ":" + quotedStr.regexpReplaceAll("[^a-zA-Z0-9]", "")
+    )
+  }
+
   private predicate quotedStringReplacement(string quotedStr, string id) {
-    exists(string line, int k | line = this.cmdSubstitutedLineProducer(k) |
-      exists(int i, int j |
-        // double quoted string
-        quotedStr = line.regexpFind("\"((?:[^\"\\\\]|\\\\.)*)\"", i, j) and
-        id =
-          "qstr:" + k + ":" + i + ":" + j + ":" + quotedStr.length() + ":" +
-            quotedStr.regexpReplaceAll("[^a-zA-Z0-9]", "")
-      )
+    exists(int lineIndex |
+      this.doubleQuotedString(lineIndex, quotedStr, id)
       or
-      exists(int i, int j |
-        // single quoted string
-        quotedStr = line.regexpFind("'((?:\\\\.|[^'\\\\])*)'", i, j) and
-        id =
-          "qstr:" + k + ":" + i + ":" + j + ":" + quotedStr.length() + ":" +
-            quotedStr.regexpReplaceAll("[^a-zA-Z0-9]", "")
-      )
+      this.singleQuotedString(lineIndex, quotedStr, id)
     ) and
     // Only do this for strings that might otherwise disrupt subsequent parsing
     quotedStr.regexpMatch("[\"'].*[$\n\r'\"" + Bash::separator() + "].*[\"']")
   }
 
-  private predicate rankedQuotedStringReplacements(int i, string old, string new) {
-    old = rank[i](string old2 | this.quotedStringReplacement(old2, _) | old2) and
-    this.quotedStringReplacement(old, new)
+  private predicate rankedQuotedStringReplacements(int i, string quotedString, string quotedStringId) {
+    // rank quoted strings by their nearly-unique IDs
+    quotedStringId = rank[i](string s, string id | this.quotedStringReplacement(s, id) | id) and
+    // since we cannot output (string, ID) tuples from the rank operation,
+    // we need to work out the specific string associated with the resulting ID
+    this.quotedStringReplacement(quotedString, quotedStringId)
   }
 
   private predicate doReplaceQuotedStrings(int line, int round, string old, string new) {

actions/ql/lib/codeql/actions/Helper.qll

@@ -72,7 +72,7 @@ string normalizePath(string path) {
       then result = path
       else
         // foo -> GITHUB_WORKSPACE/foo
-        if path.regexpMatch("^[^/~].*")
+        if path.regexpMatch("^[^$/~].*")
         then result = "GITHUB_WORKSPACE/" + path.regexpReplaceAll("/$", "")
         else
           // ~/foo -> ~/foo

actions/ql/lib/codeql/actions/security/ArgumentInjectionQuery.qll

@@ -1,6 +1,7 @@
 private import actions
 private import codeql.actions.TaintTracking
 private import codeql.actions.dataflow.ExternalFlow
+private import codeql.actions.security.ControlChecks
 import codeql.actions.dataflow.FlowSources
 import codeql.actions.DataFlow
 
@@ -65,6 +66,16 @@ class ArgumentInjectionFromMaDSink extends ArgumentInjectionSink {
   override string getCommand() { result = "unknown" }
 }
 
+/**
+ * Gets the event that is relevant for the given node in the context of argument injection.
+ *
+ * This is used to highlight the event in the query results when an alert is raised.
+ */
+Event getRelevantEventInPrivilegedContext(DataFlow::Node node) {
+  inPrivilegedContext(node.asExpr(), result) and
+  not exists(ControlCheck check | check.protects(node.asExpr(), result, "argument-injection"))
+}
+
 /**
  * A taint-tracking configuration for unsafe user input
  * that is used to construct and evaluate a code script.
@@ -88,6 +99,16 @@ private module ArgumentInjectionConfig implements DataFlow::ConfigSig {
       run.getScript().getAnEnvReachingArgumentInjectionSink(var, _, _)
     )
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
+
+  Location getASelectedSourceLocation(DataFlow::Node source) { none() }
+
+  Location getASelectedSinkLocation(DataFlow::Node sink) {
+    result = sink.getLocation()
+    or
+    result = getRelevantEventInPrivilegedContext(sink).getLocation()
+  }
 }
 
 /** Tracks flow of unsafe user input that is used to construct and evaluate a code script. */

actions/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll

@@ -4,6 +4,7 @@ import codeql.actions.DataFlow
 import codeql.actions.dataflow.FlowSources
 import codeql.actions.security.PoisonableSteps
 import codeql.actions.security.UntrustedCheckoutQuery
+import codeql.actions.security.ControlChecks
 
 string unzipRegexp() { result = "(unzip|tar)\\s+.*" }
 
@@ -262,8 +263,10 @@ class ArtifactPoisoningSink extends DataFlow::Node {
 
   ArtifactPoisoningSink() {
     download.getAFollowingStep() = poisonable and
-    // excluding artifacts downloaded to /tmp
+    // excluding artifacts downloaded to the temporary directory
     not download.getPath().regexpMatch("^/tmp.*") and
+    not download.getPath().regexpMatch("^\\$\\{\\{\\s*runner\\.temp\\s*}}.*") and
+    not download.getPath().regexpMatch("^\\$RUNNER_TEMP.*") and
     (
       poisonable.(Run).getScript() = this.asExpr() and
       (
@@ -290,6 +293,16 @@ class ArtifactPoisoningSink extends DataFlow::Node {
   string getPath() { result = download.getPath() }
 }
 
+/**
+ * Gets the event that is relevant for the given node in the context of artifact poisoning.
+ *
+ * This is used to highlight the event in the query results when an alert is raised.
+ */
+Event getRelevantEventInPrivilegedContext(DataFlow::Node node) {
+  inPrivilegedContext(node.asExpr(), result) and
+  not exists(ControlCheck check | check.protects(node.asExpr(), result, "artifact-poisoning"))
+}
+
 /**
  * A taint-tracking configuration for unsafe artifacts
  * that is used may lead to artifact poisoning
@@ -316,6 +329,16 @@ private module ArtifactPoisoningConfig implements DataFlow::ConfigSig {
       exists(run.getScript().getAFileReadCommand())
     )
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
+
+  Location getASelectedSourceLocation(DataFlow::Node source) { none() }
+
+  Location getASelectedSinkLocation(DataFlow::Node sink) {
+    result = sink.getLocation()
+    or
+    result = getRelevantEventInPrivilegedContext(sink).getLocation()
+  }
 }
 
 /** Tracks flow of unsafe artifacts that is used in an insecure way. */

actions/ql/lib/codeql/actions/security/CodeInjectionQuery.qll

@@ -3,6 +3,8 @@ private import codeql.actions.TaintTracking
 private import codeql.actions.dataflow.ExternalFlow
 import codeql.actions.dataflow.FlowSources
 import codeql.actions.DataFlow
+import codeql.actions.security.ControlChecks
+import codeql.actions.security.CachePoisoningQuery
 
 class CodeInjectionSink extends DataFlow::Node {
   CodeInjectionSink() {
@@ -11,6 +13,46 @@ class CodeInjectionSink extends DataFlow::Node {
   }
 }
 
+/**
+ * Get the relevant event for the sink in CodeInjectionCritical.ql.
+ */
+Event getRelevantCriticalEventForSink(DataFlow::Node sink) {
+  inPrivilegedContext(sink.asExpr(), result) and
+  not exists(ControlCheck check | check.protects(sink.asExpr(), result, "code-injection")) and
+  // exclude cases where the sink is a JS script and the expression uses toJson
+  not exists(UsesStep script |
+    script.getCallee() = "actions/github-script" and
+    script.getArgumentExpr("script") = sink.asExpr() and
+    exists(getAToJsonReferenceExpression(sink.asExpr().(Expression).getExpression(), _))
+  )
+}
+
+/**
+ * Get the relevant event for the sink in CachePoisoningViaCodeInjection.ql.
+ */
+Event getRelevantCachePoisoningEventForSink(DataFlow::Node sink) {
+  exists(LocalJob job |
+    job = sink.asExpr().getEnclosingJob() and
+    job.getATriggerEvent() = result and
+    // job can be triggered by an external user
+    result.isExternallyTriggerable() and
+    // excluding privileged workflows since they can be exploited in easier circumstances
+    // which is covered by `actions/code-injection/critical`
+    not job.isPrivilegedExternallyTriggerable(result) and
+    (
+      // the workflow runs in the context of the default branch
+      runsOnDefaultBranch(result)
+      or
+      // the workflow caller runs in the context of the default branch
+      result.getName() = "workflow_call" and
+      exists(ExternalJob caller |
+        caller.getCallee() = job.getLocation().getFile().getRelativePath() and
+        runsOnDefaultBranch(caller.getATriggerEvent())
+      )
+    )
+  )
+}
+
 /**
  * A taint-tracking configuration for unsafe user input
  * that is used to construct and evaluate a code script.
@@ -35,6 +77,18 @@ private module CodeInjectionConfig implements DataFlow::ConfigSig {
       exists(run.getScript().getAFileReadCommand())
     )
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
+
+  Location getASelectedSourceLocation(DataFlow::Node source) { none() }
+
+  Location getASelectedSinkLocation(DataFlow::Node sink) {
+    result = sink.getLocation()
+    or
+    result = getRelevantCriticalEventForSink(sink).getLocation()
+    or
+    result = getRelevantCachePoisoningEventForSink(sink).getLocation()
+  }
 }
 
 /** Tracks flow of unsafe user input that is used to construct and evaluate a code script. */

actions/ql/lib/codeql/actions/security/CommandInjectionQuery.qll

@@ -3,11 +3,20 @@ private import codeql.actions.TaintTracking
 private import codeql.actions.dataflow.ExternalFlow
 import codeql.actions.dataflow.FlowSources
 import codeql.actions.DataFlow
+import codeql.actions.security.ControlChecks
 
 private class CommandInjectionSink extends DataFlow::Node {
   CommandInjectionSink() { madSink(this, "command-injection") }
 }
 
+/** Get the relevant event for the sink in CommandInjectionCritical.ql. */
+Event getRelevantEventInPrivilegedContext(DataFlow::Node sink) {
+  inPrivilegedContext(sink.asExpr(), result) and
+  not exists(ControlCheck check |
+    check.protects(sink.asExpr(), result, ["command-injection", "code-injection"])
+  )
+}
+
 /**
  * A taint-tracking configuration for unsafe user input
  * that is used to construct and evaluate a system command.
@@ -16,6 +25,16 @@ private module CommandInjectionConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
 
   predicate isSink(DataFlow::Node sink) { sink instanceof CommandInjectionSink }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
+
+  Location getASelectedSourceLocation(DataFlow::Node source) { none() }
+
+  Location getASelectedSinkLocation(DataFlow::Node sink) {
+    result = sink.getLocation()
+    or
+    result = getRelevantEventInPrivilegedContext(sink).getLocation()
+  }
 }
 
 /** Tracks flow of unsafe user input that is used to construct and evaluate a system command. */

actions/ql/lib/codeql/actions/security/EnvPathInjectionQuery.qll

@@ -72,6 +72,25 @@ class EnvPathInjectionFromMaDSink extends EnvPathInjectionSink {
   EnvPathInjectionFromMaDSink() { madSink(this, "envpath-injection") }
 }
 
+/**
+ * Get the relevant event for a sink in EnvPathInjectionCritical.ql where the source type is "artifact".
+ */
+Event getRelevantArtifactEventInPrivilegedContext(DataFlow::Node sink) {
+  inPrivilegedContext(sink.asExpr(), result) and
+  not exists(ControlCheck check |
+    check.protects(sink.asExpr(), result, ["untrusted-checkout", "artifact-poisoning"])
+  ) and
+  sink instanceof EnvPathInjectionFromFileReadSink
+}
+
+/**
+ * Get the relevant event for a sink in EnvPathInjectionCritical.ql where the source type is not "artifact".
+ */
+Event getRelevantNonArtifactEventInPrivilegedContext(DataFlow::Node sink) {
+  inPrivilegedContext(sink.asExpr(), result) and
+  not exists(ControlCheck check | check.protects(sink.asExpr(), result, "code-injection"))
+}
+
 /**
  * A taint-tracking configuration for unsafe user input
  * that is used to construct and evaluate an environment variable.
@@ -108,6 +127,18 @@ private module EnvPathInjectionConfig implements DataFlow::ConfigSig {
       exists(run.getScript().getAFileReadCommand())
     )
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
+
+  Location getASelectedSourceLocation(DataFlow::Node source) { none() }
+
+  Location getASelectedSinkLocation(DataFlow::Node sink) {
+    result = sink.getLocation()
+    or
+    result = getRelevantArtifactEventInPrivilegedContext(sink).getLocation()
+    or
+    result = getRelevantNonArtifactEventInPrivilegedContext(sink).getLocation()
+  }
 }
 
 /** Tracks flow of unsafe user input that is used to construct and evaluate the PATH environment variable. */

actions/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll

@@ -126,6 +126,32 @@ class EnvVarInjectionFromMaDSink extends EnvVarInjectionSink {
   EnvVarInjectionFromMaDSink() { madSink(this, "envvar-injection") }
 }
 
+/**
+ * Get the relevant event for a sink in EnvVarInjectionCritical.ql where the source type is "artifact".
+ */
+Event getRelevantArtifactEventInPrivilegedContext(DataFlow::Node sink) {
+  inPrivilegedContext(sink.asExpr(), result) and
+  not exists(ControlCheck check |
+    check
+        .protects(sink.asExpr(), result,
+          ["envvar-injection", "untrusted-checkout", "artifact-poisoning"])
+  ) and
+  (
+    sink instanceof EnvVarInjectionFromFileReadSink or
+    madSink(sink, "envvar-injection")
+  )
+}
+
+/**
+ * Get the relevant event for a sink in EnvVarInjectionCritical.ql where the source type is not "artifact".
+ */
+Event getRelevantNonArtifactEventInPrivilegedContext(DataFlow::Node sink) {
+  inPrivilegedContext(sink.asExpr(), result) and
+  not exists(ControlCheck check |
+    check.protects(sink.asExpr(), result, ["envvar-injection", "code-injection"])
+  )
+}
+
 /**
  * A taint-tracking configuration for unsafe user input
  * that is used to construct and evaluate an environment variable.
@@ -163,6 +189,18 @@ private module EnvVarInjectionConfig implements DataFlow::ConfigSig {
       exists(run.getScript().getAFileReadCommand())
     )
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
+
+  Location getASelectedSourceLocation(DataFlow::Node source) { none() }
+
+  Location getASelectedSinkLocation(DataFlow::Node sink) {
+    result = sink.getLocation()
+    or
+    result = getRelevantArtifactEventInPrivilegedContext(sink).getLocation()
+    or
+    result = getRelevantNonArtifactEventInPrivilegedContext(sink).getLocation()
+  }
 }
 
 /** Tracks flow of unsafe user input that is used to construct and evaluate an environment variable. */

actions/ql/lib/codeql/actions/security/OutputClobberingQuery.qll

@@ -214,6 +214,10 @@ private module OutputClobberingConfig implements DataFlow::ConfigSig {
       )
     )
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
+
+  Location getASelectedSourceLocation(DataFlow::Node sink) { none() }
 }
 
 /** Tracks flow of unsafe user input that is used to construct and evaluate an environment variable. */

actions/ql/lib/codeql/actions/security/RequestForgeryQuery.qll

@@ -16,6 +16,10 @@ private module RequestForgeryConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
 
   predicate isSink(DataFlow::Node sink) { sink instanceof RequestForgerySink }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
+
+  Location getASelectedSourceLocation(DataFlow::Node sink) { none() }
 }
 
 /** Tracks flow of unsafe user input that is used to construct and evaluate a system command. */

actions/ql/lib/codeql/actions/security/SecretExfiltrationQuery.qll

@@ -15,6 +15,10 @@ private module SecretExfiltrationConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
 
   predicate isSink(DataFlow::Node sink) { sink instanceof SecretExfiltrationSink }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
+
+  Location getASelectedSourceLocation(DataFlow::Node sink) { none() }
 }
 
 /** Tracks flow of unsafe user input that is used in a context where it may lead to a secret exfiltration. */

actions/ql/lib/ext/config/actions_permissions.yml

@@ -22,16 +22,21 @@ extensions:
       - ["actions/stale", "pull-requests: write"]
       - ["actions/attest-build-provenance", "id-token: write"]
       - ["actions/attest-build-provenance", "attestations: write"]
+      - ["actions/deploy-pages", "pages: write"]
+      - ["actions/deploy-pages", "id-token: write"]
+      - ["actions/delete-package-versions", "packages: write"]
       - ["actions/jekyll-build-pages", "contents: read"]
       - ["actions/jekyll-build-pages", "pages: write"]
       - ["actions/jekyll-build-pages", "id-token: write"]
       - ["actions/publish-action", "contents: write"]
-      - ["actions/versions-package-tools", "contents: read"]      
+      - ["actions/versions-package-tools", "contents: read"]
       - ["actions/versions-package-tools", "actions: read"]
-      - ["actions/reusable-workflows", "contents: read"]      
+      - ["actions/reusable-workflows", "contents: read"]
       - ["actions/reusable-workflows", "actions: read"]
+      - ["actions/ai-inference", "contents: read"]
+      - ["actions/ai-inference", "models: read"]
       # TODO: Add permissions for actions/download-artifact
       # TODO: Add permissions for actions/upload-artifact
+      # No permissions needed for actions/upload-pages-artifact
       # TODO: Add permissions for actions/cache
-
-      
+      # No permissions needed for actions/configure-pages

actions/ql/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/actions-all
-version: 0.4.9
+version: 0.4.16
 library: true
 warnOnImplicitThis: true
 dependencies:

actions/ql/src/CHANGELOG.md

@@ -1,3 +1,33 @@
+## 0.6.8
+
+No user-facing changes.
+
+## 0.6.7
+
+No user-facing changes.
+
+## 0.6.6
+
+No user-facing changes.
+
+## 0.6.5
+
+No user-facing changes.
+
+## 0.6.4
+
+No user-facing changes.
+
+## 0.6.3
+
+No user-facing changes.
+
+## 0.6.2
+
+### Minor Analysis Improvements
+
+* The query `actions/missing-workflow-permissions` is now aware of the minimal permissions needed for the actions `deploy-pages`, `delete-package-versions`, `ai-inference`. This should lead to better alert messages and better fix suggestions.
+
 ## 0.6.1
 
 No user-facing changes.

actions/ql/src/Models/CompositeActionsSinks.ql

@@ -24,6 +24,10 @@ private module MyConfig implements DataFlow::ConfigSig {
   predicate isSink(DataFlow::Node sink) {
     sink instanceof CodeInjectionSink and not madSink(sink, "code-injection")
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
+
+  Location getASelectedSourceLocation(DataFlow::Node sink) { none() }
 }
 
 module MyFlow = TaintTracking::Global<MyConfig>;

actions/ql/src/Models/CompositeActionsSources.ql

@@ -34,6 +34,10 @@ private module MyConfig implements DataFlow::ConfigSig {
     isSink(node) and
     set instanceof DataFlow::FieldContent
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
+
+  Location getASelectedSourceLocation(DataFlow::Node sink) { none() }
 }
 
 module MyFlow = TaintTracking::Global<MyConfig>;

actions/ql/src/Models/CompositeActionsSummaries.ql

@@ -25,6 +25,10 @@ private module MyConfig implements DataFlow::ConfigSig {
   predicate isSink(DataFlow::Node sink) {
     exists(CompositeAction c | c.getAnOutputExpr() = sink.asExpr())
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
+
+  Location getASelectedSourceLocation(DataFlow::Node sink) { none() }
 }
 
 module MyFlow = TaintTracking::Global<MyConfig>;

actions/ql/src/Models/ReusableWorkflowsSinks.ql

@@ -24,6 +24,10 @@ private module MyConfig implements DataFlow::ConfigSig {
   predicate isSink(DataFlow::Node sink) {
     sink instanceof CodeInjectionSink and not madSink(sink, "code-injection")
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
+
+  Location getASelectedSourceLocation(DataFlow::Node sink) { none() }
 }
 
 module MyFlow = TaintTracking::Global<MyConfig>;

actions/ql/src/Models/ReusableWorkflowsSources.ql

@@ -34,6 +34,10 @@ private module MyConfig implements DataFlow::ConfigSig {
     isSink(node) and
     set instanceof DataFlow::FieldContent
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
+
+  Location getASelectedSourceLocation(DataFlow::Node sink) { none() }
 }
 
 module MyFlow = TaintTracking::Global<MyConfig>;

actions/ql/src/Models/ReusableWorkflowsSummaries.ql

@@ -25,6 +25,10 @@ private module MyConfig implements DataFlow::ConfigSig {
   predicate isSink(DataFlow::Node sink) {
     exists(ReusableWorkflow w | w.getAnOutputExpr() = sink.asExpr())
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
+
+  Location getASelectedSourceLocation(DataFlow::Node sink) { none() }
 }
 
 module MyFlow = TaintTracking::Global<MyConfig>;

actions/ql/src/Security/CWE-077/EnvPathInjectionCritical.md

@@ -1,6 +1,4 @@
-# Environment Path Injection
-
-## Description
+## Overview
 
 GitHub Actions allow to define the system PATH variable by writing to a file pointed to by the `GITHUB_PATH` environment variable. Writing to this file appends a directory to the system PATH variable and automatically makes it available to all subsequent actions in the current job.
 
@@ -12,11 +10,11 @@ echo "$HOME/.local/bin" >> $GITHUB_PATH
 
 If an attacker can control the contents of the system PATH, they are able to influence what commands are run in subsequent steps of the same job.
 
-## Recommendations
+## Recommendation
 
 Do not allow untrusted data to influence the system PATH: Avoid using untrusted data sources (e.g., artifact content) to define the system PATH.
 
-## Examples
+## Example
 
 ### Incorrect Usage
 
@@ -36,4 +34,4 @@ If an attacker can manipulate the value being set, such as through artifact down
 
 ## References
 
-- [Workflow commands for GitHub Actions](https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/workflow-commands-for-github-actions)
+- GitHub Docs: [Workflow commands for GitHub Actions](https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/workflow-commands-for-github-actions).

actions/ql/src/Security/CWE-077/EnvPathInjectionCritical.ql

@@ -21,18 +21,12 @@ import codeql.actions.security.ControlChecks
 from EnvPathInjectionFlow::PathNode source, EnvPathInjectionFlow::PathNode sink, Event event
 where
   EnvPathInjectionFlow::flowPath(source, sink) and
-  inPrivilegedContext(sink.getNode().asExpr(), event) and
   (
     not source.getNode().(RemoteFlowSource).getSourceType() = "artifact" and
-    not exists(ControlCheck check |
-      check.protects(sink.getNode().asExpr(), event, "code-injection")
-    )
+    event = getRelevantNonArtifactEventInPrivilegedContext(sink.getNode())
     or
     source.getNode().(RemoteFlowSource).getSourceType() = "artifact" and
-    not exists(ControlCheck check |
-      check.protects(sink.getNode().asExpr(), event, ["untrusted-checkout", "artifact-poisoning"])
-    ) and
-    sink.getNode() instanceof EnvPathInjectionFromFileReadSink
+    event = getRelevantArtifactEventInPrivilegedContext(sink.getNode())
   )
 select sink.getNode(), source, sink,
   "Potential PATH environment variable injection in $@, which may be controlled by an external user ($@).",

actions/ql/src/Security/CWE-077/EnvPathInjectionMedium.md

@@ -1,6 +1,4 @@
-# Environment Path Injection
-
-## Description
+## Overview
 
 GitHub Actions allow to define the system PATH variable by writing to a file pointed to by the `GITHUB_PATH` environment variable. Writing to this file appends a directory to the system PATH variable and automatically makes it available to all subsequent actions in the current job.
 
@@ -12,11 +10,11 @@ echo "$HOME/.local/bin" >> $GITHUB_PATH
 
 If an attacker can control the contents of the system PATH, they are able to influence what commands are run in subsequent steps of the same job.
 
-## Recommendations
+## Recommendation
 
 Do not allow untrusted data to influence the system PATH: Avoid using untrusted data sources (e.g., artifact content) to define the system PATH.
 
-## Examples
+## Example
 
 ### Incorrect Usage
 
@@ -36,4 +34,4 @@ If an attacker can manipulate the value being set, such as through artifact down
 
 ## References
 
-- [Workflow commands for GitHub Actions](https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/workflow-commands-for-github-actions)
+- GitHub Docs: [Workflow commands for GitHub Actions](https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/workflow-commands-for-github-actions).

actions/ql/src/Security/CWE-077/EnvVarInjectionCritical.md

@@ -1,6 +1,4 @@
-# Environment Variable Injection
-
-## Description
+## Overview
 
 GitHub Actions allow to define environment variables by writing to a file pointed to by the `GITHUB_ENV` environment variable:
 
@@ -37,7 +35,7 @@ steps:
 
 If an attacker can control the values assigned to environment variables and there is no sanitization in place, the attacker will be able to inject additional variables by injecting new lines or `{delimiters}`.
 
-## Recommendations
+## Recommendation
 
 1. **Do not allow untrusted data to influence environment variables**:
 
@@ -64,7 +62,7 @@ If an attacker can control the values assigned to environment variables and ther
           } >> "$GITHUB_ENV"
     ```
 
-## Examples
+## Example
 
 ### Example of Vulnerability
 
@@ -113,5 +111,5 @@ An attacker is be able to run arbitrary code by injecting environment variables
 
 ## References
 
-- [Workflow commands for GitHub Actions](https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/workflow-commands-for-github-actions)
-- [GitHub Actions Exploitation: Repo Jacking and Environment Manipulation](https://www.synacktiv.com/publications/github-actions-exploitation-repo-jacking-and-environment-manipulation)
+- GitHub Docs: [Workflow commands for GitHub Actions](https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/workflow-commands-for-github-actions).
+- Synacktiv: [GitHub Actions Exploitation: Repo Jacking and Environment Manipulation](https://www.synacktiv.com/publications/github-actions-exploitation-repo-jacking-and-environment-manipulation).

actions/ql/src/Security/CWE-077/EnvVarInjectionCritical.ql

@@ -22,26 +22,15 @@ import codeql.actions.security.ControlChecks
 from EnvVarInjectionFlow::PathNode source, EnvVarInjectionFlow::PathNode sink, Event event
 where
   EnvVarInjectionFlow::flowPath(source, sink) and
-  inPrivilegedContext(sink.getNode().asExpr(), event) and
   // exclude paths to file read sinks from non-artifact sources
   (
     // source is text
     not source.getNode().(RemoteFlowSource).getSourceType() = "artifact" and
-    not exists(ControlCheck check |
-      check.protects(sink.getNode().asExpr(), event, ["envvar-injection", "code-injection"])
-    )
+    event = getRelevantNonArtifactEventInPrivilegedContext(sink.getNode())
     or
     // source is an artifact or a file from an untrusted checkout
     source.getNode().(RemoteFlowSource).getSourceType() = "artifact" and
-    not exists(ControlCheck check |
-      check
-          .protects(sink.getNode().asExpr(), event,
-            ["envvar-injection", "untrusted-checkout", "artifact-poisoning"])
-    ) and
-    (
-      sink.getNode() instanceof EnvVarInjectionFromFileReadSink or
-      madSink(sink.getNode(), "envvar-injection")
-    )
+    event = getRelevantArtifactEventInPrivilegedContext(sink.getNode())
   )
 select sink.getNode(), source, sink,
   "Potential environment variable injection in $@, which may be controlled by an external user ($@).",

actions/ql/src/Security/CWE-077/EnvVarInjectionMedium.md

@@ -1,6 +1,4 @@
-# Environment Variable Injection
-
-## Description
+## Overview
 
 GitHub Actions allow to define environment variables by writing to a file pointed to by the `GITHUB_ENV` environment variable:
 
@@ -37,7 +35,7 @@ steps:
 
 If an attacker can control the values assigned to environment variables and there is no sanitization in place, the attacker will be able to inject additional variables by injecting new lines or `{delimiters}`.
 
-## Recommendations
+## Recommendation
 
 1. **Do not allow untrusted data to influence environment variables**:
 
@@ -64,7 +62,7 @@ If an attacker can control the values assigned to environment variables and ther
           } >> "$GITHUB_ENV"
     ```
 
-## Examples
+## Example
 
 ### Example of Vulnerability
 
@@ -113,5 +111,5 @@ An attacker would be able to run arbitrary code by injecting environment variabl
 
 ## References
 
-- [Workflow commands for GitHub Actions](https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/workflow-commands-for-github-actions)
-- [GitHub Actions Exploitation: Repo Jacking and Environment Manipulation](https://www.synacktiv.com/publications/github-actions-exploitation-repo-jacking-and-environment-manipulation)
+- GitHub Docs: [Workflow commands for GitHub Actions](https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/workflow-commands-for-github-actions).
+- Synacktiv: [GitHub Actions Exploitation: Repo Jacking and Environment Manipulation](https://www.synacktiv.com/publications/github-actions-exploitation-repo-jacking-and-environment-manipulation).

actions/ql/src/Security/CWE-094/CodeInjectionCritical.md

@@ -1,18 +1,16 @@
-# Code Injection in GitHub Actions
-
-## Description
+## Overview
 
 Using user-controlled input in GitHub Actions may lead to code injection in contexts like _run:_ or _script:_.
 
 Code injection in GitHub Actions may allow an attacker to exfiltrate any secrets used in the workflow and the temporary GitHub repository authorization token. The token may have write access to the repository, allowing an attacker to make changes to the repository.
 
-## Recommendations
+## Recommendation
 
 The best practice to avoid code injection vulnerabilities in GitHub workflows is to set the untrusted input value of the expression to an intermediate environment variable and then use the environment variable using the native syntax of the shell/script interpreter (that is, not _${{ env.VAR }}_).
 
 It is also recommended to limit the permissions of any tokens used by a workflow such as the GITHUB_TOKEN.
 
-## Examples
+## Example
 
 ### Incorrect Usage
 

actions/ql/src/Security/CWE-094/CodeInjectionCritical.ql

@@ -22,15 +22,8 @@ import codeql.actions.security.ControlChecks
 from CodeInjectionFlow::PathNode source, CodeInjectionFlow::PathNode sink, Event event
 where
   CodeInjectionFlow::flowPath(source, sink) and
-  inPrivilegedContext(sink.getNode().asExpr(), event) and
-  source.getNode().(RemoteFlowSource).getEventName() = event.getName() and
-  not exists(ControlCheck check | check.protects(sink.getNode().asExpr(), event, "code-injection")) and
-  // exclude cases where the sink is a JS script and the expression uses toJson
-  not exists(UsesStep script |
-    script.getCallee() = "actions/github-script" and
-    script.getArgumentExpr("script") = sink.getNode().asExpr() and
-    exists(getAToJsonReferenceExpression(sink.getNode().asExpr().(Expression).getExpression(), _))
-  )
+  event = getRelevantCriticalEventForSink(sink.getNode()) and
+  source.getNode().(RemoteFlowSource).getEventName() = event.getName()
 select sink.getNode(), source, sink,
   "Potential code injection in $@, which may be controlled by an external user ($@).", sink,
   sink.getNode().asExpr().(Expression).getRawExpression(), event, event.getName()

actions/ql/src/Security/CWE-094/CodeInjectionMedium.md

@@ -1,18 +1,16 @@
-# Code Injection in GitHub Actions
-
-## Description
+## Overview
 
 Using user-controlled input in GitHub Actions may lead to code injection in contexts like _run:_ or _script:_.
 
 Code injection in GitHub Actions may allow an attacker to exfiltrate any secrets used in the workflow and the temporary GitHub repository authorization token. The token may have write access to the repository, allowing an attacker to make changes to the repository.
 
-## Recommendations
+## Recommendation
 
 The best practice to avoid code injection vulnerabilities in GitHub workflows is to set the untrusted input value of the expression to an intermediate environment variable and then use the environment variable using the native syntax of the shell/script interpreter (that is, not _${{ env.VAR }}_).
 
 It is also recommended to limit the permissions of any tokens used by a workflow such as the GITHUB_TOKEN.
 
-## Examples
+## Example
 
 ### Incorrect Usage
 

actions/ql/src/Security/CWE-1395/UseOfKnownVulnerableAction.md

@@ -1,13 +1,11 @@
-# Use of Actions with known vulnerabilities
-
-## Description
+## Overview
 
 The security of the workflow and the repository could be compromised by GitHub Actions workflows that utilize GitHub Actions with known vulnerabilities.
 
-## Recommendations
+## Recommendation
 
 Either remove the component from the workflow or upgrade it to a version that is not vulnerable.
 
 ## References
 
-- [GitHub Docs: Keeping your actions up to date with Dependabot](https://docs.github.com/en/code-security/dependabot/working-with-dependabot/keeping-your-actions-up-to-date-with-dependabot)
+- GitHub Docs: [Keeping your actions up to date with Dependabot](https://docs.github.com/en/code-security/dependabot/working-with-dependabot/keeping-your-actions-up-to-date-with-dependabot).

actions/ql/src/Security/CWE-275/MissingActionsPermissions.md

@@ -1,12 +1,21 @@
-# Actions Job and Workflow Permissions are not set
-
-## Description
+## Overview
 
 If a GitHub Actions job or workflow has no explicit permissions set, then the repository permissions are used. Repositories created under organizations inherit the organization permissions. The organizations or repositories created before February 2023 have the default permissions set to read-write. Often these permissions do not adhere to the principle of least privilege and can be reduced to read-only, leaving the `write` permission only to a specific types as `issues: write` or `pull-requests: write`.
 
-## Recommendations
+## Recommendation
 
-Add the `permissions` key to the job or the root of workflow (in this case it is applied to all jobs in the workflow that do not have their own `permissions` key) and assign the least privileges required to complete the task:
+Add the `permissions` key to the job or the root of workflow (in this case it is applied to all jobs in the workflow that do not have their own `permissions` key) and assign the least privileges required to complete the task.
+
+## Example
+
+### Incorrect Usage
+
+```yaml
+name: "My workflow"
+# No permissions block
+```
+
+### Correct Usage
 
 ```yaml
 name: "My workflow"
@@ -27,4 +36,4 @@ jobs:
 
 ## References
 
-- [Assigning permissions to jobs](https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/assigning-permissions-to-jobs)
+- GitHub Docs: [Assigning permissions to jobs](https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/assigning-permissions-to-jobs).

actions/ql/src/Security/CWE-285/ImproperAccessControl.md

@@ -1,14 +1,12 @@
-# Improper Access Control
-
-## Description
+## Overview
 
 Sometimes labels are used to approve GitHub Actions. An authorization check may not be properly implemented, allowing an attacker to mutate the code after it has been reviewed and approved by label.
 
-## Recommendations
+## Recommendation
 
 When using labels, make sure that the code cannot be modified after it has been reviewed and the label has been set.
 
-## Examples
+## Example
 
 ### Incorrect Usage
 
@@ -57,4 +55,4 @@ jobs:
 
 ## References
 
-- [Events that trigger workflows](https://docs.github.com/en/actions/writing-workflows/choosing-when-your-workflow-runs/events-that-trigger-workflows#pull_request_target)
+- GitHub Docs: [Events that trigger workflows](https://docs.github.com/en/actions/writing-workflows/choosing-when-your-workflow-runs/events-that-trigger-workflows#pull_request_target).

actions/ql/src/Security/CWE-312/ExcessiveSecretsExposure.md

@@ -1,14 +1,12 @@
-# Excessive Secrets Exposure
-
-## Description
+## Overview
 
 When the workflow runner cannot determine what secrets are needed to run the workflow, it will pass all the available secrets to the runner including organization and repository secrets. This violates the least privileged principle and increases the impact of a potential vulnerability affecting the workflow.
 
-## Recommendations
+## Recommendation
 
 Only pass those secrets that are needed by the workflow. Avoid using expressions such as `toJSON(secrets)` or dynamically accessed secrets such as `secrets[format('GH_PAT_%s', matrix.env)]` since the workflow will need to receive all secrets to decide at runtime which one needs to be used.
 
-## Examples
+## Example
 
 ### Incorrect Usage
 
@@ -48,5 +46,5 @@ env:
 
 ## References
 
-- [Using secrets in GitHub Actions](https://docs.github.com/en/actions/security-for-github-actions/security-guides/using-secrets-in-github-actions#using-encrypted-secrets-in-a-workflow)
-- [Job uses all secrets](https://github.com/boostsecurityio/poutine/blob/main/docs/content/en/rules/job_all_secrets.md)
+- GitHub Docs: [Using secrets in GitHub Actions](https://docs.github.com/en/actions/security-for-github-actions/security-guides/using-secrets-in-github-actions#using-encrypted-secrets-in-a-workflow).
+- poutine: [Job uses all secrets](https://github.com/boostsecurityio/poutine/blob/main/docs/content/en/rules/job_all_secrets.md).

actions/ql/src/Security/CWE-312/SecretsInArtifacts.md

@@ -1,6 +1,4 @@
-# Storage of sensitive information in GitHub Actions artifact
-
-## Description
+## Overview
 
 Sensitive information included in a GitHub Actions artifact can allow an attacker to access the sensitive information if the artifact is published.
 
@@ -10,6 +8,8 @@ Only store information that is meant to be publicly available in a GitHub Action
 
 ## Example
 
+### Incorrect Usage
+
 The following example uses `actions/checkout` to checkout code which stores the GITHUB_TOKEN in the \`.git/config\` file and then stores the contents of the \`.git\` repository into the artifact:
 
 ```yaml
@@ -28,6 +28,8 @@ jobs:
           path: .
 ```
 
+### Correct Usage
+
 The issue has been fixed below, where the `actions/upload-artifact` uses a version (v4+) which does not include hidden files or directories into the artifact.
 
 ```yaml

actions/ql/src/Security/CWE-312/UnmaskedSecretExposure.md

@@ -1,14 +1,12 @@
-# Unmasked Secret Exposure
-
-## Description
+## Overview
 
 Secrets derived from other secrets are not known to the workflow runner, and therefore are not masked unless explicitly registered.
 
-## Recommendations
+## Recommendation
 
 Avoid defining non-plain secrets. For example, do not define a new secret containing a JSON object and then read properties out of it from the workflow, since these read values will not be masked by the workflow runner.
 
-## Examples
+## Example
 
 ### Incorrect Usage
 
@@ -34,4 +32,4 @@ Avoid defining non-plain secrets. For example, do not define a new secret contai
 
 ## References
 
-- [Using secrets in GitHub Actions](https://docs.github.com/en/actions/security-for-github-actions/security-guides/using-secrets-in-github-actions#using-encrypted-secrets-in-a-workflow)
+- GitHub Docs: [Using secrets in GitHub Actions](https://docs.github.com/en/actions/security-for-github-actions/security-guides/using-secrets-in-github-actions#using-encrypted-secrets-in-a-workflow).

actions/ql/src/Security/CWE-349/CachePoisoningViaCodeInjection.md

@@ -1,6 +1,4 @@
-# Cache Poisoning in GitHub Actions
-
-## Description
+## Overview
 
 GitHub Actions cache poisoning is a technique that allows an attacker to inject malicious content into the Action's cache from unprivileged workflow, potentially leading to code execution in privileged workflows.
 
@@ -23,7 +21,7 @@ In GitHub Actions, cache scopes are primarily determined by the branch structure
 
 Due to the above design, if something is cached in the context of the default branch (e.g., `main`), it becomes accessible to any feature branch derived from `main`.
 
-## Recommendations
+## Recommendation
 
 1. Avoid using caching in workflows that handle sensitive operations like releases.
 2. If caching must be used:
@@ -34,7 +32,7 @@ Due to the above design, if something is cached in the context of the default br
 4. Never run untrusted code in the context of the default branch.
 5. Sign the cache value cryptographically and verify the signature before usage.
 
-## Examples
+## Example
 
 ### Incorrect Usage
 
@@ -78,6 +76,6 @@ jobs:
 
 ## References
 
-- [The Monsters in Your Build Cache – GitHub Actions Cache Poisoning](https://adnanthekhan.com/2024/05/06/the-monsters-in-your-build-cache-github-actions-cache-poisoning/)
-- [GitHub Actions Caching Documentation](https://docs.github.com/en/actions/using-workflows/caching-dependencies-to-speed-up-workflows)
-- [Cache Poisoning in GitHub Actions](https://scribesecurity.com/blog/github-cache-poisoning/)
+- Adnan Khan's Blog: [The Monsters in Your Build Cache – GitHub Actions Cache Poisoning](https://adnanthekhan.com/2024/05/06/the-monsters-in-your-build-cache-github-actions-cache-poisoning/).
+- GitHub Docs: [GitHub Actions Caching Documentation](https://docs.github.com/en/actions/using-workflows/caching-dependencies-to-speed-up-workflows).
+- Scribe Security Blog: [Cache Poisoning in GitHub Actions](https://scribesecurity.com/blog/github-cache-poisoning/).

actions/ql/src/Security/CWE-349/CachePoisoningViaCodeInjection.ql

@@ -18,30 +18,13 @@ import codeql.actions.security.CachePoisoningQuery
 import CodeInjectionFlow::PathGraph
 import codeql.actions.security.ControlChecks
 
-from CodeInjectionFlow::PathNode source, CodeInjectionFlow::PathNode sink, LocalJob job, Event event
+from CodeInjectionFlow::PathNode source, CodeInjectionFlow::PathNode sink, Event event
 where
   CodeInjectionFlow::flowPath(source, sink) and
-  job = sink.getNode().asExpr().getEnclosingJob() and
-  job.getATriggerEvent() = event and
-  // job can be triggered by an external user
-  event.isExternallyTriggerable() and
+  event = getRelevantCachePoisoningEventForSink(sink.getNode()) and
   // the checkout is not controlled by an access check
   not exists(ControlCheck check |
     check.protects(source.getNode().asExpr(), event, "code-injection")
-  ) and
-  // excluding privileged workflows since they can be exploited in easier circumstances
-  // which is covered by `actions/code-injection/critical`
-  not job.isPrivilegedExternallyTriggerable(event) and
-  (
-    // the workflow runs in the context of the default branch
-    runsOnDefaultBranch(event)
-    or
-    // the workflow caller runs in the context of the default branch
-    event.getName() = "workflow_call" and
-    exists(ExternalJob caller |
-      caller.getCallee() = job.getLocation().getFile().getRelativePath() and
-      runsOnDefaultBranch(caller.getATriggerEvent())
-    )
   )
 select sink.getNode(), source, sink,
   "Unprivileged code injection in $@, which may lead to cache poisoning ($@).", sink,